SOURCES (LINUX_2_6): linux-2.6-grsec-minimal.patch - updated to gr...

baggins baggins at pld-linux.org
Tue Apr 11 19:46:30 CEST 2006


Author: baggins                      Date: Tue Apr 11 17:46:30 2006 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- updated to grsecurity-2.1.9-2.6.16.2
- added sysctl setting support

---- Files affected:
SOURCES:
   linux-2.6-grsec-minimal.patch (1.1.2.3 -> 1.1.2.4) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.3 SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.4
--- SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.3	Tue Nov 15 02:00:12 2005
+++ SOURCES/linux-2.6-grsec-minimal.patch	Tue Apr 11 19:46:25 2006
@@ -1,8 +1,20 @@
-diff -urN linux-2.6.12.6/drivers/char/keyboard.c linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c
---- linux-2.6.12.6/drivers/char/keyboard.c	2005-08-30 14:50:44.362019968 +0200
-+++ linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c	2005-08-30 16:55:16.698334512 +0200
-@@ -608,6 +608,16 @@
- 	     kbd->kbdmode == VC_MEDIUMRAW) && 
+diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
+--- linux-2.6.16.2/Makefile	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/Makefile	2006-04-11 17:44:40.069707000 +0200
+@@ -556,7 +556,7 @@
+ 
+ 
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ 
+ vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
+--- linux-2.6.16.2/drivers/char/keyboard.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/char/keyboard.c	2006-04-11 17:44:40.073707250 +0200
+@@ -607,6 +607,16 @@
+ 	     kbd->kbdmode == VC_MEDIUMRAW) &&
  	     value != KVAL(K_SAK))
  		return;		/* SAK is allowed even in raw mode */
 +
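Review bot: The new `core-y` line descends into `grsecurity/` unconditionally, independent of CONFIG_GRKERNSEC, and the rest of this revision relies on that: the fs/namei.c hunk further down now calls `gr_handle_follow_link`, `gr_handle_fifo` and `gr_handle_hardlink` without the `#ifdef CONFIG_GRKERNSEC_LINK` / `CONFIG_GRKERNSEC_FIFO` guards the previous revision had. Neither `include/linux/grsecurity.h` nor the `grsecurity/` Makefile is part of this diff, so whether they provide declarations and no-op objects when the options are off cannot be checked here; a kernel built with CONFIG_GRKERNSEC=n would fail to link if they do not. A one-line comment on the Makefile change, `# grsecurity/ is always built; its Makefile must provide stubs when CONFIG_GRKERNSEC=n`, would record that dependency. The keyboard.c part of this hunk is a header renumber only.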
@@ -18,9 +30,9 @@
  	fn_handler[value](vc, regs);
  }
  
-diff -urN linux-2.6.12.6/drivers/pci/proc.c linux-2.6.12.6-gr-minimal/drivers/pci/proc.c
---- linux-2.6.12.6/drivers/pci/proc.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/drivers/pci/proc.c	2005-08-30 16:55:16.748326912 +0200
+diff -urN linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
+--- linux-2.6.16.2/drivers/pci/proc.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/pci/proc.c	2006-04-11 17:44:40.073707250 +0200
 @@ -569,7 +569,15 @@
  
  static void legacy_proc_init(void)
@@ -53,10 +65,10 @@
  	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
  	if (entry)
  		entry->proc_fops = &proc_bus_pci_dev_operations;
-diff -urN linux-2.6.12.6/fs/Kconfig linux-2.6.12.6-gr-minimal/fs/Kconfig
---- linux-2.6.12.6/fs/Kconfig	2005-08-30 14:50:48.897330496 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/Kconfig	2005-08-30 16:55:16.787320984 +0200
-@@ -819,7 +819,7 @@
+diff -urN linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
+--- linux-2.6.16.2/fs/Kconfig	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/Kconfig	2006-04-11 17:44:40.073707250 +0200
+@@ -794,7 +794,7 @@
  
  config PROC_KCORE
  	bool "/proc/kcore support" if !ARM
@@ -65,89 +77,78 @@
  
  config PROC_VMCORE
          bool "/proc/vmcore support (EXPERIMENTAL)"
-diff -urN linux-2.6.12.6/fs/namei.c linux-2.6.12.6-gr-minimal/fs/namei.c
---- linux-2.6.12.6/fs/namei.c	2005-08-30 14:50:44.000074992 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/namei.c	2005-08-30 15:01:26.561724968 +0200
-@@ -541,6 +541,18 @@
+diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
+--- linux-2.6.16.2/fs/namei.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/namei.c	2006-04-11 18:10:35.961452750 +0200
+@@ -32,6 +32,7 @@
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+ #include <linux/namei.h>
++#include <linux/grsecurity.h>
+ #include <asm/namei.h>
+ #include <asm/uaccess.h>
+ 
+@@ -608,6 +609,13 @@
  	err = security_inode_follow_link(path->dentry, nd);
  	if (err)
  		goto loop;
 +
-+#ifdef CONFIG_GRKERNSEC_LINK
-+	if (S_ISLNK(path->dentry->d_inode->i_mode) &&
-+	    (path->dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
-+	    (path->dentry->d_parent->d_inode->i_uid != path->dentry->d_inode->i_uid) &&
-+	    (path->dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
-+	    (current->fsuid != path->dentry->d_inode->i_uid)) {
++	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++				  path->dentry->d_inode, path->dentry, nd->mnt)) {
 +		err = -EACCES;
 +		goto loop;
 +	}
-+#endif
 +
  	current->link_count++;
  	current->total_link_count++;
  	nd->depth++;
-@@ -1487,6 +1499,16 @@
+@@ -1647,6 +1655,13 @@
  	/*
  	 * It already exists.
  	 */
-+#ifdef CONFIG_GRKERNSEC_FIFO
-+	if (S_ISFIFO(path.dentry->d_inode->i_mode) &&
-+	    !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
-+	    (path.dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
-+	    (current->fsuid != path.dentry->d_inode->i_uid)) {
-+		up(&dir->d_inode->i_sem);
++
++	if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
++		mutex_unlock(&dir->d_inode->i_mutex);
 +		error = -EACCES;
 +		goto exit_dput;
 +	}
-+#endif
- 	up(&dir->d_inode->i_sem);
++
+ 	mutex_unlock(&dir->d_inode->i_mutex);
  
  	error = -EEXIST;
-@@ -1544,6 +1566,18 @@
+@@ -1700,6 +1715,13 @@
  	error = security_inode_follow_link(path.dentry, nd);
  	if (error)
  		goto exit_dput;
 +
-+#ifdef CONFIG_GRKERNSEC_LINK
-+	if (S_ISLNK(path.dentry->d_inode->i_mode) &&
-+	    (path.dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
-+	    (path.dentry->d_parent->d_inode->i_uid != path.dentry->d_inode->i_uid) &&
-+	    (path.dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
-+	    (current->fsuid != path.dentry->d_inode->i_uid)) {
++	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
++				  path.dentry, nd->mnt)) {
 +		error = -EACCES;
 +		goto exit_dput;
 +	}
-+#endif
 +
  	error = __do_follow_link(&path, nd);
  	if (error)
  		return error;
-@@ -2046,7 +2080,19 @@
+@@ -2251,7 +2273,13 @@
  	new_dentry = lookup_create(&nd, 0);
  	error = PTR_ERR(new_dentry);
  	if (!IS_ERR(new_dentry)) {
 -		error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
-+#ifdef CONFIG_GRKERNSEC_LINK
 +		error = 0;
-+		if (current->fsuid != old_nd.dentry->d_inode->i_uid &&
-+		    (!S_ISREG(old_nd.dentry->d_inode->i_mode) ||
-+		    (old_nd.dentry->d_inode->i_mode & S_ISUID) ||
-+		     ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
-+		     (generic_permission(old_nd.dentry->d_inode, MAY_READ | MAY_WRITE, NULL))) &&
-+		    !capable(CAP_FOWNER) && current->uid) {
++		if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
++				       old_nd.dentry->d_inode,
++				       old_nd.dentry->d_inode->i_mode, to))
 +			error = -EPERM;
-+		}
 +		if (!error)
-+#endif
 +			error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
  		dput(new_dentry);
  	}
- 	up(&nd.dentry->d_inode->i_sem);
-diff -urN linux-2.6.12.6/fs/proc/array.c linux-2.6.12.6-gr-minimal/fs/proc/array.c
---- linux-2.6.12.6/fs/proc/array.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/array.c	2005-08-30 16:55:16.799319160 +0200
-@@ -482,3 +482,14 @@
+ 	mutex_unlock(&nd.dentry->d_inode->i_mutex);
+diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
+--- linux-2.6.16.2/fs/proc/array.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/array.c	2006-04-11 17:44:40.077707500 +0200
+@@ -488,3 +488,14 @@
  	return sprintf(buffer,"%d %d %d %d %d %d %d\n",
  		       size, resident, shared, text, lib, data, 0);
  }
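Review bot: The three new `gr_handle_*` call sites no longer show what policy is being enforced, so each deserves a one-line comment, e.g. before the first `gr_handle_follow_link` call: `/* grsec: refuse to follow a symlink in a sticky, world-writable dir owned by another user (CONFIG_GRKERNSEC_LINK) */` — that is the rule the removed inline lines spelled out, assuming the helpers keep it. In the fifo branch the `mutex_unlock(&dir->d_inode->i_mutex)` before `goto exit_dput` is correct, since the existing -EEXIST path right below also unlocks before jumping to `exit_dput`, but the pair of unlocks bracketing the check is easy to mis-merge and a comment such as `/* exit_dput expects i_mutex already released */` would help the next rebase. The hardlink site returns -EPERM where the other two return -EACCES, as in the previous revision. All three enclosing functions start and end outside this hunk.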
@@ -162,10 +163,10 @@
 +}
 +#endif
 +
-diff -urN linux-2.6.12.6/fs/proc/base.c linux-2.6.12.6-gr-minimal/fs/proc/base.c
---- linux-2.6.12.6/fs/proc/base.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/base.c	2005-08-30 16:55:16.803318552 +0200
-@@ -83,6 +83,9 @@
+diff -urN linux-2.6.16.2/fs/proc/base.c linux-2.6.16.2-grsec/fs/proc/base.c
+--- linux-2.6.16.2/fs/proc/base.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/base.c	2006-04-11 17:44:40.077707500 +0200
+@@ -124,6 +124,9 @@
  #ifdef CONFIG_AUDITSYSCALL
  	PROC_TGID_LOGINUID,
  #endif
@@ -175,17 +176,17 @@
  	PROC_TGID_OOM_SCORE,
  	PROC_TGID_OOM_ADJUST,
  	PROC_TID_INO,
-@@ -152,6 +155,9 @@
+@@ -201,6 +204,9 @@
  	E(PROC_TGID_ROOT,      "root",    S_IFLNK|S_IRWXUGO),
  	E(PROC_TGID_EXE,       "exe",     S_IFLNK|S_IRWXUGO),
  	E(PROC_TGID_MOUNTS,    "mounts",  S_IFREG|S_IRUGO),
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	E(PROC_TGID_IPADDR,    "ipaddr",  S_IFREG|S_IRUSR),
++	E(PROC_TGID_IPADDR,     "ipaddr",  S_IFREG|S_IRUSR),
 +#endif
  #ifdef CONFIG_MMU
- 	E(PROC_TGID_SMAPS,     "smaps",    S_IFDIR|S_IRUGO),
+ 	E(PROC_TGID_SMAPS,     "smaps",   S_IFREG|S_IRUGO),
  #endif
-@@ -1149,6 +1155,9 @@
+@@ -1330,6 +1336,9 @@
  		inode->i_uid = task->euid;
  		inode->i_gid = task->egid;
  	}
@@ -195,7 +196,7 @@
  	security_task_to_inode(task, inode);
  
  out:
-@@ -1177,7 +1186,9 @@
+@@ -1358,7 +1367,9 @@
  	if (pid_alive(task)) {
  		if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
  			inode->i_uid = task->euid;
@@ -205,7 +206,7 @@
  		} else {
  			inode->i_uid = 0;
  			inode->i_gid = 0;
-@@ -1500,6 +1511,12 @@
+@@ -1681,6 +1692,12 @@
  			inode->i_fop = &proc_info_file_operations;
  			ei->op.proc_read = proc_pid_status;
  			break;
@@ -218,7 +219,7 @@
  		case PROC_TID_STAT:
  			inode->i_fop = &proc_info_file_operations;
  			ei->op.proc_read = proc_tid_stat;
-@@ -1792,6 +1809,17 @@
+@@ -1985,6 +2002,17 @@
  	if (!task)
  		goto out;
  
@@ -236,14 +237,14 @@
  	inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
  
  
-@@ -1799,7 +1827,15 @@
+@@ -1992,7 +2020,15 @@
  		put_task_struct(task);
  		goto out;
  	}
 +
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
 +	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
 +#else
@@ -252,7 +253,7 @@
  	inode->i_op = &proc_tgid_base_inode_operations;
  	inode->i_fop = &proc_tgid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -1891,6 +1927,9 @@
+@@ -2084,6 +2120,9 @@
  static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
  {
  	struct task_struct *p;
@@ -262,7 +263,7 @@
  	int nr_tgids = 0;
  
  	index--;
-@@ -1911,6 +1950,14 @@
+@@ -2104,6 +2143,14 @@
  		int tgid = p->pid;
  		if (!pid_alive(p))
  			continue;
@@ -277,10 +278,10 @@
  		if (--index >= 0)
  			continue;
  		tgids[nr_tgids] = tgid;
-diff -urN linux-2.6.12.6/fs/proc/inode.c linux-2.6.12.6-gr-minimal/fs/proc/inode.c
---- linux-2.6.12.6/fs/proc/inode.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/inode.c	2005-08-30 16:55:16.804318400 +0200
-@@ -163,7 +163,11 @@
+diff -urN linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
+--- linux-2.6.16.2/fs/proc/inode.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/inode.c	2006-04-11 17:44:40.077707500 +0200
+@@ -168,7 +168,11 @@
  		if (de->mode) {
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
@@ -292,9 +293,9 @@
  		}
  		if (de->size)
  			inode->i_size = de->size;
-diff -urN linux-2.6.12.6/fs/proc/internal.h linux-2.6.12.6-gr-minimal/fs/proc/internal.h
---- linux-2.6.12.6/fs/proc/internal.h	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/internal.h	2005-08-30 16:55:16.804318400 +0200
+diff -urN linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
+--- linux-2.6.16.2/fs/proc/internal.h	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/internal.h	2006-04-11 17:44:40.077707500 +0200
 @@ -36,6 +36,9 @@
  extern int proc_tgid_stat(struct task_struct *, char *);
  extern int proc_pid_status(struct task_struct *, char *);
@@ -303,12 +304,12 @@
 +extern int proc_pid_ipaddr(struct task_struct*,char*);
 +#endif
  
- static inline struct task_struct *proc_task(struct inode *inode)
- {
-diff -urN linux-2.6.12.6/fs/proc/proc_misc.c linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c
---- linux-2.6.12.6/fs/proc/proc_misc.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c	2005-08-30 16:55:16.806318096 +0200
-@@ -552,6 +552,8 @@
+ void free_proc_entry(struct proc_dir_entry *de);
+ 
+diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
+--- linux-2.6.16.2/fs/proc/proc_misc.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c	2006-04-11 17:44:40.109709500 +0200
+@@ -708,6 +708,8 @@
  void __init proc_misc_init(void)
  {
  	struct proc_dir_entry *entry;
@@ -317,13 +318,9 @@
  	static struct {
  		char *name;
  		int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -566,9 +568,13 @@
- #ifdef CONFIG_STRAM_PROC
+@@ -723,7 +725,9 @@
  		{"stram",	stram_read_proc},
  #endif
-+#ifndef CONFIG_GRKERNSEC_PROC_ADD
- 		{"devices",	devices_read_proc},
-+#endif
  		{"filesystems",	filesystems_read_proc},
 +#ifndef CONFIG_GRKERNSEC_PROC_ADD
  		{"cmdline",	cmdline_read_proc},
@@ -331,31 +328,41 @@
  		{"locks",	locks_read_proc},
  		{"execdomains",	execdomains_read_proc},
  		{NULL,}
-@@ -576,6 +582,16 @@
+@@ -731,31 +735,49 @@
  	for (p = simple_ones; p->name; p++)
  		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
  
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	gr_mode = S_IRUSR;
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	gr_mode = S_IRUSR | S_IRGRP;
 +#endif
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+	create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL);
 +	create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
 +#endif
 +
  	proc_symlink("mounts", NULL, "self/mounts");
  
  	/* And now for trickier ones */
-@@ -586,18 +602,22 @@
+ 	entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
+ 	if (entry)
+ 		entry->proc_fops = &proc_kmsg_operations;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
++#else
+ 	create_seq_entry("devices", 0, &proc_devinfo_operations);
++#endif
+ 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
  	create_seq_entry("partitions", 0, &proc_partitions_operations);
  	create_seq_entry("stat", 0, &proc_stat_operations);
  	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
+ #ifdef CONFIG_SLAB
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
 +#else
  	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ #endif
 +#endif
  	create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
  	create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
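Review bot: `gr_mode`, now also used for `create_seq_entry("devices", gr_mode, ...)` and the `cmdline` and `slabinfo` entries, is only assigned under CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP, and its initialiser is outside this hunk; with CONFIG_GRKERNSEC_PROC_ADD set and neither of those two, the entries get whatever `gr_mode` started as, and the existing `create_seq_entry("devices", 0, ...)` line shows that a zero mode is proc's "default permissions", not "no access", so the restriction would silently vanish. The same three-way `#ifdef` without a fallback recurs in the fs/proc/root.c `bus` hunk below, where CONFIG_GRKERNSEC_PROC_ADD alone would leave `proc_bus` uncreated. Either make CONFIG_GRKERNSEC_PROC_ADD depend on one of the two mode options in grsecurity/Kconfig (its `depends` line, if any, is not in this diff) or give the chain an explicit `#else` branch, e.g. `gr_mode = S_IRUGO; /* no restriction configured */`.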
@@ -373,16 +380,16 @@
  	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
  	if (proc_root_kcore) {
  		proc_root_kcore->proc_fops = &proc_kcore_operations;
-diff -urN linux-2.6.12.6/fs/proc/root.c linux-2.6.12.6-gr-minimal/fs/proc/root.c
---- linux-2.6.12.6/fs/proc/root.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/root.c	2005-08-30 16:55:16.807317944 +0200
-@@ -52,7 +52,13 @@
+diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
+--- linux-2.6.16.2/fs/proc/root.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/root.c	2006-04-11 17:44:40.113709750 +0200
+@@ -53,7 +53,13 @@
  		return;
  	}
  	proc_misc_init();
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
 +#else
  	proc_net = proc_mkdir("net", NULL);
@@ -390,14 +397,14 @@
  	proc_net_stat = proc_mkdir("net/stat", NULL);
  
  #ifdef CONFIG_SYSVIPC
-@@ -76,7 +82,15 @@
+@@ -77,7 +83,15 @@
  #ifdef CONFIG_PROC_DEVICETREE
  	proc_device_tree_init();
  #endif
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
 +#endif
 +#else
@@ -405,115 +412,11 @@
 +#endif
  }
  
- static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd)
-diff -urN linux-2.6.12.6/include/linux/sched.h linux-2.6.12.6-gr-minimal/include/linux/sched.h
---- linux-2.6.12.6/include/linux/sched.h	2005-08-30 14:50:44.008073776 +0200
-+++ linux-2.6.12.6-gr-minimal/include/linux/sched.h	2005-08-30 16:57:22.493210784 +0200
-@@ -365,6 +365,13 @@
- 	struct key *session_keyring;	/* keyring inherited over fork */
- 	struct key *process_keyring;	/* keyring private to this process */
- #endif
-+#ifdef CONFIG_GRKERNSEC
-+	u32 curr_ip;
-+	u32 gr_saddr;
-+	u32 gr_daddr;
-+	u16 gr_sport;
-+	u16 gr_dport;
-+#endif
- };
- 
- /* Context switch must be unlocked if interrupts are to be enabled */
-diff -urN linux-2.6.12.6/kernel/signal.c linux-2.6.12.6-gr-minimal/kernel/signal.c
---- linux-2.6.12.6/kernel/signal.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/kernel/signal.c	2005-08-30 16:53:56.488528256 +0200
-@@ -318,6 +318,9 @@
- 	spin_unlock_irqrestore(&t->sighand->siglock, flags);
- }
- 
-+#ifdef CONFIG_GRKERNSEC
-+extern void gr_del_task_from_ip_table(struct task_struct *task);
-+#endif
- /*
-  * This function expects the tasklist_lock write-locked.
-  */
-@@ -356,6 +357,9 @@
- 		posix_cpu_timers_exit_group(tsk);
- 		if (tsk == sig->curr_target)
- 			sig->curr_target = next_thread(tsk);
-+#ifdef CONFIG_GRKERNSEC
-+		gr_del_task_from_ip_table(tsk);
-+#endif
- 		tsk->signal = NULL;
- 		spin_unlock(&sighand->siglock);
- 		flush_sigqueue(&sig->shared_pending);
-diff -urN linux-2.6.12.6/net/ipv4/tcp_ipv4.c linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c
---- linux-2.6.12.6/net/ipv4/tcp_ipv4.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c	2005-08-30 16:53:51.152339480 +0200
-@@ -647,6 +647,10 @@
- 					 inet->dport);
- }
- 
-+#ifdef CONFIG_GRKERNSEC
-+extern void gr_add_to_task_ip_table(struct task_struct *task);
-+extern void gr_del_task_from_ip_table(struct task_struct *task);
-+#endif
- /*
-  * Bind a port for a connect operation and hash it.
-  */
-@@ -717,6 +719,15 @@
-  		}
-  		spin_unlock(&head->lock);
- 
-+#ifdef CONFIG_GRKERNSEC
-+		gr_del_task_from_ip_table(current);
-+		current->signal->gr_saddr = inet_sk(sk)->rcv_saddr;
-+		current->signal->gr_daddr = inet_sk(sk)->daddr;
-+		current->signal->gr_sport = inet_sk(sk)->sport;
-+		current->signal->gr_dport = inet_sk(sk)->dport;
-+		gr_add_to_task_ip_table(current);
-+#endif
-+
-  		if (tw) {
-  			tcp_tw_deschedule(tw);
-  			tcp_tw_put(tw);
-diff -urN linux-2.6.12.6/net/socket.c linux-2.6.12.6-gr-minimal/net/socket.c
---- linux-2.6.12.6/net/socket.c	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/net/socket.c	2005-08-30 16:53:54.382848368 +0200
-@@ -81,6 +81,7 @@
- #include <linux/compat.h>
- #include <linux/kmod.h>
- #include <linux/audit.h>
-+#include <linux/in.h>
- 
- #ifdef CONFIG_NET_RADIO
- #include <linux/wireless.h>		/* Note : will define WIRELESS_EXT */
-@@ -94,6 +95,9 @@
- #include <net/sock.h>
- #include <linux/netfilter.h>
- 
-+#ifdef CONFIG_GRKERNSEC
-+extern void gr_attach_curr_ip(const struct sock *sk);
-+#endif
- static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
- static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
- 			 size_t size, loff_t pos);
-@@ -1384,6 +1386,9 @@
- 		goto out_release;
- 
- 	security_socket_post_accept(sock, newsock);
-+#ifdef CONFIG_GRKERNSEC
-+	gr_attach_curr_ip(newsock->sk);
-+#endif
- 
- out_put:
- 	sockfd_put(sock);
-diff -urN linux-2.6.12.6/security/Kconfig linux-2.6.12.6-gr-minimal/security/Kconfig
---- linux-2.6.12.6/security/Kconfig	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/security/Kconfig	2005-08-30 16:55:16.808317792 +0200
-@@ -87,5 +87,99 @@
- 
- source security/selinux/Kconfig
- 
+ static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
+diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
+--- linux-2.6.16.2/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/Kconfig	2006-04-11 19:03:04.020561250 +0200
+@@ -0,0 +1,135 @@
 +#
 +# grecurity configuration
 +#
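Review bot: The network hooks that fed /proc/<pid>/ipaddr in the previous revision (`gr_attach_curr_ip` in net/socket.c, `gr_add_to_task_ip_table` / `gr_del_task_from_ip_table` in net/ipv4/tcp_ipv4.c and kernel/signal.c, and the `curr_ip` / `gr_*addr` / `gr_*port` fields in include/linux/sched.h) are dropped from this patch, while CONFIG_GRKERNSEC_PROC_IPADDR, the `ipaddr` entry in fs/proc/base.c and the `proc_pid_ipaddr` declaration are kept. Unless those hooks now come from the new `grsecurity/` directory, which is not shown in this diff, the entry would report nothing useful; the log message does not say where they moved. A line in the log message, or a comment next to the `GRKERNSEC_PROC_IPADDR` option such as `# ipaddr tracking hooks are provided by grsecurity/ rather than patched into net/`, would make the dependency visible. Separately, the new Kconfig header reads `# grecurity configuration`, presumably meant to be `grsecurity`.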
@@ -522,6 +425,8 @@
 +
 +config GRKERNSEC
 +	bool "Grsecurity"
++	select CRYPTO
++	select CRYPTO_SHA256
 +	help
 +	  If you say Y here, you will be able to configure many features
 +	  that will enhance the security of your system.  It is highly
@@ -574,17 +479,6 @@
 +	  /proc that keep normal users from viewing device information and 
 +	  slabinfo information that could be useful for exploits.
 +
-+config GRKERNSEC_PROC_IPADDR
-+	bool "/proc/<pid>/ipaddr support"
-+	help
-+	  If you say Y here, a new entry will be added to each /proc/<pid>
-+	  directory that contains the IP address of the person using the task.
-+	  The IP is carried across local TCP and AF_UNIX stream sockets.
-+	  This information can be useful for IDS/IPSes to perform remote response
-+	  to a local attack.  The entry is readable by only the owner of the
-+	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
-+	  the RBAC system), and thus does not create privacy concerns.
-+
 +config GRKERNSEC_LINK
 +	bool "Linking restrictions"
 +	help
@@ -606,43 +500,266 @@
 +
 +endmenu
 +
-+endmenu
++config GRKERNSEC_PROC_IPADDR
++	depends on GRKERNSEC
++	bool "/proc/<pid>/ipaddr support"
++	help
++	  If you say Y here, a new entry will be added to each /proc/<pid>
++	  directory that contains the IP address of the person using the task.
++	  The IP is carried across local TCP and AF_UNIX stream sockets.
++	  This information can be useful for IDS/IPSes to perform remote response
++	  to a local attack.  The entry is readable by only the owner of the
++	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++	  the RBAC system), and thus does not create privacy concerns.
 +
- endmenu
- 
-diff -urN linux-2.6.12.6/security/Makefile linux-2.6.12.6-gr-minimal/security/Makefile
---- linux-2.6.12.6/security/Makefile	2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/security/Makefile	2005-08-30 16:57:57.950820408 +0200
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec-minimal.patch?r1=1.1.2.3&r2=1.1.2.4&f=u


