packages (Titanium): kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch -...
hawk
hawk at pld-linux.org
Thu Feb 25 22:41:11 CET 2010
Author: hawk Date: Thu Feb 25 21:41:11 2010 GMT
Module: packages Tag: Titanium
---- Log message:
- updated grsecurity/Kconfig, fixed fs/proc/base.c, adjusted and recreated
for the vserver-patched kernel
---- Files affected:
packages/kernel-bare-vserver:
linux-2.6-grsec-vs-minimal.patch (1.1.2.8.2.15 -> 1.1.2.8.2.16)
---- Diffs:
================================================================
Index: packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch
diff -u packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.15 packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.16
--- packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.15 Thu Feb 25 19:38:55 2010
+++ packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch Thu Feb 25 22:41:06 2010
@@ -1,6 +1,6 @@
diff -urNp linux-2.6.32.9/arch/sparc/Makefile linux-2.6.32.9/arch/sparc/Makefile
---- linux-2.6.32.9/arch/sparc/Makefile 2010-02-09 07:57:19.000000000 -0500
-+++ linux-2.6.32.9/arch/sparc/Makefile 2010-02-23 17:09:53.091669311 -0500
+--- linux-2.6.32.9/arch/sparc/Makefile 2010-02-25 20:13:59.579045959 +0100
++++ linux-2.6.32.9/arch/sparc/Makefile 2010-02-25 20:23:36.975085587 +0100
@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
# Export what is needed by arch/sparc/boot/Makefile
export VMLINUX_INIT VMLINUX_MAIN
@@ -10,228 +10,433 @@
VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
VMLINUX_MAIN += $(drivers-y) $(net-y)
-diff -urNp linux-2.6.32.9/Makefile linux-2.6.32.9/Makefile
---- linux-2.6.32.9/Makefile 2010-02-23 17:04:11.556067453 -0500
-+++ linux-2.6.32.9/Makefile 2010-02-23 17:09:53.343560823 -0500
-@@ -644,7 +644,7 @@ export mod_strip_cmd
-
-
- ifeq ($(KBUILD_EXTMOD),)
--core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
-+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
-
- vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
- $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-diff -urNp linux-2.6.32.9/grsecurity/Makefile linux-2.6.32.9/grsecurity/Makefile
---- linux-2.6.32.9/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.9/grsecurity/Makefile 2010-02-23 17:09:53.308131663 -0500
-@@ -0,0 +1,11 @@
-+# All code in this directory and various hooks inserted throughout the kernel
-+# are copyright Brad Spengler - Open Source Security, Inc., and released
-+# under the GPL v2 or higher
-+
-+obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
+diff -urNp linux-2.6.32.9/drivers/char/keyboard.c linux-2.6.32.9/drivers/char/keyboard.c
+--- linux-2.6.32.9/drivers/char/keyboard.c 2010-02-25 20:14:17.008419188 +0100
++++ linux-2.6.32.9/drivers/char/keyboard.c 2010-02-25 20:23:36.991904837 +0100
+@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
+ kbd->kbdmode == VC_MEDIUMRAW) &&
+ value != KVAL(K_SAK))
+ return; /* SAK is allowed even in raw mode */
+
-+obj-$(CONFIG_GRKERNSEC) += grsec_init.o
++#if defined(CONFIG_GRKERNSEC_PROC)
++ {
++ void *func = fn_handler[value];
++ if (func == fn_show_state || func == fn_show_ptregs ||
++ func == fn_show_mem)
++ return;
++ }
++#endif
+
-+ifndef CONFIG_GRKERNSEC
-+obj-y += grsec_disabled.o
-+endif
-diff -urNp linux-2.6.27.4/security/Kconfig linux-2.6.27.4/security/Kconfig
---- linux-2.6.27.4/security/Kconfig 2008-10-22 17:38:01.000000000 -0400
-+++ linux-2.6.27.4/security/Kconfig 2008-10-27 22:57:19.000000000 -0400
-@@ -4,6 +4,8 @@
-
- menu "Security options"
+ fn_handler[value](vc);
+ }
-+source grsecurity/Kconfig
-+
- config KEYS
- bool "Enable access key retention support"
- help
-diff -urNp linux-2.6.32.9/grsecurity/Kconfig linux-2.6.32.9/grsecurity/Kconfig
---- linux-2.6.32.9/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.9/grsecurity/Kconfig 2010-02-23 17:09:53.308131663 -0500
-@@ -0,0 +1,100 @@
-+#
-+# grecurity configuration
-+#
-+
-+menu "Grsecurity"
-+
-+config GRKERNSEC_PROC
-+ bool "Proc restrictions"
-+ help
-+ If you say Y here, the permissions of the /proc filesystem
-+ will be altered to enhance system security and privacy. You MUST
-+ choose either a user only restriction or a user and group restriction.
-+ Depending upon the option you choose, you can either restrict users to
-+ see only the processes they themselves run, or choose a group that can
-+ view all processes and files normally restricted to root if you choose
-+ the "restrict to user only" option. NOTE: If you're running identd as
-+ a non-root user, you will have to run it as the group you specify here.
+diff -urNp linux-2.6.32.9/drivers/pci/proc.c linux-2.6.32.9/drivers/pci/proc.c
+--- linux-2.6.32.9/drivers/pci/proc.c 2010-02-25 20:14:53.945498856 +0100
++++ linux-2.6.32.9/drivers/pci/proc.c 2010-02-25 20:23:36.991904837 +0100
+@@ -480,7 +480,16 @@ static const struct file_operations proc
+ static int __init pci_proc_init(void)
+ {
+ struct pci_dev *dev = NULL;
+
-+config GRKERNSEC_PROC_USER
-+ bool "Restrict /proc to user only"
-+ depends on GRKERNSEC_PROC
-+ help
-+ If you say Y here, non-root users will only be able to view their own
-+ processes, and restricts them from viewing network-related information,
-+ and viewing kernel symbol and module information.
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
++#endif
+ proc_create("devices", 0, proc_bus_pci_dir,
+ &proc_bus_pci_dev_operations);
+ proc_initialized = 1;
+diff -urNp linux-2.6.32.9/fs/namei.c linux-2.6.32.9/fs/namei.c
+--- linux-2.6.32.9/fs/namei.c 2010-02-25 20:15:31.426076417 +0100
++++ linux-2.6.32.9/fs/namei.c 2010-02-25 20:23:36.981697288 +0100
+@@ -755,6 +755,13 @@ static inline int do_follow_link(struct
+ err = security_inode_follow_link(path->dentry, nd);
+ if (err)
+ goto loop;
+
-+config GRKERNSEC_PROC_USERGROUP
-+ bool "Allow special group"
-+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
-+ help
-+ If you say Y here, you will be able to select a group that will be
-+ able to view all processes, network-related information, and
-+ kernel and symbol information. This option is useful if you want
-+ to run identd as a non-root user.
++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
++ err = -EACCES;
++ goto loop;
++ }
+
-+config GRKERNSEC_PROC_GID
-+ int "GID for special group"
-+ depends on GRKERNSEC_PROC_USERGROUP
-+ default 1001
+ current->link_count++;
+ current->total_link_count++;
+ nd->depth++;
+@@ -1898,6 +1905,12 @@ do_last:
+ /*
+ * It already exists.
+ */
+
-+config GRKERNSEC_PROC_ADD
-+ bool "Additional restrictions"
-+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
-+ help
-+ If you say Y here, additional restrictions will be placed on
-+ /proc that keep normal users from viewing device information and
-+ slabinfo information that could be useful for exploits.
++ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
++ error = -EACCES;
++ goto exit_mutex_unlock;
++ }
+
-+config GRKERNSEC_LINK
-+ bool "Linking restrictions"
-+ help
-+ If you say Y here, /tmp race exploits will be prevented, since users
-+ will no longer be able to follow symlinks owned by other users in
-+ world-writable +t directories (i.e. /tmp), unless the owner of the
-+ symlink is the owner of the directory. users will also not be
-+ able to hardlink to files they do not own. If the sysctl option is
-+ enabled, a sysctl option with name "linking_restrictions" is created.
+ mutex_unlock(&dir->d_inode->i_mutex);
+ audit_inode(pathname, path.dentry);
+
+@@ -2009,6 +2022,13 @@ do_link:
+ error = security_inode_follow_link(path.dentry, &nd);
+ if (error)
+ goto exit_dput;
+
-+config GRKERNSEC_FIFO
-+ bool "FIFO restrictions"
-+ help
-+ If you say Y here, users will not be able to write to FIFOs they don't
-+ own in world-writable +t directories (i.e. /tmp), unless the owner of
-+ the FIFO is the same owner of the directory it's held in. If the sysctl
-+ option is enabled, a sysctl option with name "fifo_restrictions" is
-+ created.
++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
++ path.dentry, nd.path.mnt)) {
++ error = -EACCES;
++ goto exit_dput;
++ }
+
-+config GRKERNSEC_DMESG
-+ bool "Dmesg(8) restriction"
-+ help
-+ If you say Y here, non-root users will not be able to use dmesg(8)
-+ to view up to the last 4kb of messages in the kernel's log buffer.
-+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
-+ created.
+ error = __do_follow_link(&path, &nd);
+ if (error) {
+ /* Does someone understand code flow here? Or it is only
+@@ -2654,6 +2674,14 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+ error = PTR_ERR(new_dentry);
+ if (IS_ERR(new_dentry))
+ goto out_unlock;
+
-+config GRKERNSEC_SYSCTL
-+ bool "Sysctl support"
-+ help
-+ If you say Y here, you will be able to change the options that
-+ grsecurity runs with at bootup, without having to recompile your
-+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
-+ to enable (1) or disable (0) various features. All the sysctl entries
-+ are mutable until the "grsec_lock" entry is set to a non-zero value.
-+ All features enabled in the kernel configuration are disabled at boot
-+ if you do not say Y to the "Turn on features by default" option.
-+ All options should be set at startup, and the grsec_lock entry should
-+ be set to a non-zero value after all the options are set.
-+ *THIS IS EXTREMELY IMPORTANT*
++ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
++ old_path.dentry->d_inode,
++ old_path.dentry->d_inode->i_mode, to)) {
++ error = -EACCES;
++ goto out_dput;
++ }
+
-+config GRKERNSEC_SYSCTL_ON
-+ bool "Turn on features by default"
-+ depends on GRKERNSEC_SYSCTL
-+ help
-+ If you say Y here, instead of having all features enabled in the
-+ kernel configuration disabled at boot time, the features will be
-+ enabled at boot time. It is recommended you say Y here unless
-+ there is some reason you would want all sysctl-tunable features to
-+ be disabled by default. As mentioned elsewhere, it is important
-+ to enable the grsec_lock entry once you have finished modifying
-+ the sysctl entries.
-diff -urNp linux-2.6.32.9/include/linux/security.h linux-2.6.32.9/include/linux/security.h
---- linux-2.6.32.9/include/linux/security.h 2010-02-09 07:57:19.000000000 -0500
-+++ linux-2.6.32.9/include/linux/security.h 2010-02-23 17:09:53.320537081 -0500
-@@ -34,6 +34,7 @@
- #include <linux/key.h>
- #include <linux/xfrm.h>
- #include <linux/gfp.h>
-+#include <linux/grsecurity.h>
- #include <net/flow.h>
+ error = mnt_want_write(nd.path.mnt);
+ if (error)
+ goto out_dput;
+diff -urNp linux-2.6.32.9/fs/proc/array.c linux-2.6.32.9/fs/proc/array.c
+--- linux-2.6.32.9/fs/proc/array.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/array.c 2010-02-25 20:23:36.991904837 +0100
+@@ -679,3 +679,10 @@ int proc_pid_statm(struct seq_file *m, s
- /* Maximum number of letters for an LSM name string */
-diff -urNp linux-2.6.32.9/include/linux/grinternal.h linux-2.6.32.9/include/linux/grinternal.h
---- linux-2.6.32.9/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.9/include/linux/grinternal.h 2010-02-23 17:09:53.311553777 -0500
-@@ -0,0 +1,14 @@
-+#ifndef __GRINTERNAL_H
-+#define __GRINTERNAL_H
-+
-+#ifdef CONFIG_GRKERNSEC
+ return 0;
+ }
+
-+#include <linux/fs.h>
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char *buffer)
++{
++ return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
++}
++#endif
+diff -urNp linux-2.6.32.9/fs/proc/base.c linux-2.6.32.9/fs/proc/base.c
+--- linux-2.6.32.9/fs/proc/base.c 2010-02-25 20:15:33.908620148 +0100
++++ linux-2.6.32.9/fs/proc/base.c 2010-02-25 22:19:25.208430293 +0100
+@@ -104,6 +104,22 @@ struct pid_entry {
+ union proc_op op;
+ };
+
++struct getdents_callback {
++ struct linux_dirent __user * current_dir;
++ struct linux_dirent __user * previous;
++ struct file * file;
++ int count;
++ int error;
++};
+
-+extern int grsec_enable_link;
-+extern int grsec_enable_fifo;
-+extern int grsec_lock;
++static int gr_fake_filldir(void * __buf, const char *name, int namlen,
++ loff_t offset, u64 ino, unsigned int d_type)
++{
++ struct getdents_callback * buf = (struct getdents_callback *) __buf;
++ buf->error = -EINVAL;
++ return 0;
++}
+
+ #define NOD(NAME, MODE, IOP, FOP, OP) { \
+ .name = (NAME), \
+ .len = sizeof(NAME) - 1, \
+@@ -1462,7 +1478,11 @@ static struct inode *proc_pid_make_inode
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
+#endif
-+
+ rcu_read_unlock();
+ }
+ /* procfs is xid tagged */
+@@ -1482,6 +1502,9 @@ static int pid_getattr(struct vfsmount *
+ struct inode *inode = dentry->d_inode;
+ struct task_struct *task;
+ const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *tmpcred = current_cred();
+#endif
-diff -urNp linux-2.6.32.9/include/linux/grsecurity.h linux-2.6.32.9/include/linux/grsecurity.h
---- linux-2.6.32.9/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.9/include/linux/grsecurity.h 2010-02-23 17:09:53.311553777 -0500
-@@ -0,0 +1,24 @@
-+#ifndef GR_SECURITY_H
-+#define GR_SECURITY_H
-+#include <linux/fs.h>
-+#include <linux/fs_struct.h>
-+#include <linux/binfmts.h>
-+
-+void gr_del_task_from_ip_table(struct task_struct *p);
-+
-+int gr_handle_follow_link(const struct inode *parent,
-+ const struct inode *inode,
-+ const struct dentry *dentry,
-+ const struct vfsmount *mnt);
-+int gr_handle_fifo(const struct dentry *dentry,
-+ const struct vfsmount *mnt,
-+ const struct dentry *dir, const int flag,
-+ const int acc_mode);
-+int gr_handle_hardlink(const struct dentry *dentry,
-+ const struct vfsmount *mnt,
-+ struct inode *inode,
-+ const int mode, const char *to);
-+
-+extern int grsec_enable_dmesg;
-+
+
+ generic_fillattr(inode, stat);
+
+@@ -1490,11 +1513,27 @@ static int pid_getattr(struct vfsmount *
+ stat->gid = 0;
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
+ if (task) {
++ cred = __task_cred(task);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
-diff -urNp linux-2.6.32.9/include/linux/sched.h linux-2.6.32.9/include/linux/sched.h
---- linux-2.6.32.9/include/linux/sched.h 2010-02-23 17:04:12.651619895 -0500
-+++ linux-2.6.32.9/include/linux/sched.h 2010-02-23 17:09:53.320537081 -0500
-@@ -664,6 +665,15 @@ struct signal_struct {
- struct tty_audit_buf *tty_audit_buf;
++ )
++#endif
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+- cred = __task_cred(task);
+ stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ stat->gid = cred->egid;
++#endif
+ }
+ }
+ rcu_read_unlock();
+@@ -1526,11 +1565,20 @@ static int pid_revalidate(struct dentry
+
+ if (task) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
++#endif
+ rcu_read_unlock();
+ } else {
+ inode->i_uid = 0;
+@@ -2708,7 +2756,14 @@ static struct dentry *proc_pid_instantia
+ if (!inode)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ inode->i_op = &proc_tgid_base_inode_operations;
+ inode->i_fop = &proc_tgid_base_operations;
+ inode->i_flags|=S_IMMUTABLE;
+@@ -2815,6 +2870,11 @@ int proc_pid_readdir(struct file * filp,
+ {
+ unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *tmpcred = current_cred();
++ const struct cred *itercred;
++#endif
++ filldir_t __filldir = filldir;
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
+
+@@ -2833,10 +2893,27 @@ int proc_pid_readdir(struct file * filp,
+ for (iter = next_tgid(ns, iter);
+ iter.task;
+ iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ rcu_read_lock();
++ itercred = __task_cred(iter.task);
++ if (
++ (tmpcred->uid && (itercred->uid != tmpcred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++#endif
++ )
++ __filldir = &gr_fake_filldir;
++ else
++ __filldir = filldir;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ rcu_read_unlock();
++#endif
+ filp->f_pos = iter.tgid + TGID_OFFSET;
+ if (!vx_proc_task_visible(iter.task))
+ continue;
+- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
++ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
+ put_task_struct(iter.task);
+ goto out;
+ }
+@@ -2916,6 +2993,9 @@ static const struct pid_entry tid_base_s
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ INF("io", S_IRUGO, proc_tid_io_accounting),
#endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
++#endif
+ };
-+#ifdef CONFIG_GRKERNSEC
-+ u32 curr_ip;
-+ u32 gr_saddr;
-+ u32 gr_daddr;
-+ u16 gr_sport;
-+ u16 gr_dport;
-+ u8 used_accept:1;
+ static int proc_tid_base_readdir(struct file * filp,
+diff -urNp linux-2.6.32.9/fs/proc/cmdline.c linux-2.6.32.9/fs/proc/cmdline.c
+--- linux-2.6.32.9/fs/proc/cmdline.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/cmdline.c 2010-02-25 20:23:36.991904837 +0100
+@@ -23,7 +23,11 @@ static const struct file_operations cmdl
+
+ static int __init proc_cmdline_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
++#else
+ proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
++#endif
+ return 0;
+ }
+ module_init(proc_cmdline_init);
+diff -urNp linux-2.6.32.9/fs/proc/devices.c linux-2.6.32.9/fs/proc/devices.c
+--- linux-2.6.32.9/fs/proc/devices.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/devices.c 2010-02-25 20:23:36.991904837 +0100
+@@ -64,7 +64,11 @@ static const struct file_operations proc
+
+ static int __init proc_devices_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
++#else
+ proc_create("devices", 0, NULL, &proc_devinfo_operations);
++#endif
+ return 0;
+ }
+ module_init(proc_devices_init);
+diff -urNp linux-2.6.32.9/fs/proc/inode.c linux-2.6.32.9/fs/proc/inode.c
+--- linux-2.6.32.9/fs/proc/inode.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/inode.c 2010-02-25 20:23:36.991904837 +0100
+@@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
+ if (de->mode) {
+ inode->i_mode = de->mode;
+ inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = de->gid;
++#endif
+ }
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
+diff -urNp linux-2.6.32.9/fs/proc/internal.h linux-2.6.32.9/fs/proc/internal.h
+--- linux-2.6.32.9/fs/proc/internal.h 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/internal.h 2010-02-25 20:23:36.995238172 +0100
+@@ -55,6 +55,9 @@ extern int proc_pid_statm(struct seq_fil
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task);
+
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
++#endif
+ extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+
+ extern const struct file_operations proc_maps_operations;
+diff -urNp linux-2.6.32.9/fs/proc/kcore.c linux-2.6.32.9/fs/proc/kcore.c
+--- linux-2.6.32.9/fs/proc/kcore.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/kcore.c 2010-02-25 20:23:36.995238172 +0100
+@@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
+
+ static int open_kcore(struct inode *inode, struct file *filp)
+ {
++#if defined(CONFIG_GRKERNSEC_PROC_ADD)
++ return -EPERM;
++#endif
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+ if (kcore_need_update)
+diff -urNp linux-2.6.32.9/fs/proc/proc_net.c linux-2.6.32.9/fs/proc/proc_net.c
+--- linux-2.6.32.9/fs/proc/proc_net.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/proc_net.c 2010-02-25 20:23:36.995238172 +0100
+@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
+ struct task_struct *task;
+ struct nsproxy *ns;
+ struct net *net = NULL;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *cred = current_cred();
+#endif
+
- int oom_adj; /* OOM kill score adjustment (bit shift) */
- };
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ if (cred->fsuid)
++ return net;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++ return net;
++#endif
+ rcu_read_lock();
+ task = pid_task(proc_pid(dir), PIDTYPE_PID);
+diff -urNp linux-2.6.32.9/fs/proc/root.c linux-2.6.32.9/fs/proc/root.c
+--- linux-2.6.32.9/fs/proc/root.c 2010-02-25 20:15:33.905286575 +0100
++++ linux-2.6.32.9/fs/proc/root.c 2010-02-25 20:23:36.995238172 +0100
+@@ -139,7 +139,15 @@ void __init proc_root_init(void)
+ #ifdef CONFIG_PROC_DEVICETREE
+ proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ proc_mkdir("bus", NULL);
<<Diff was trimmed, longer than 597 lines>>