SOURCES: linux-2.6-vs2.1-grsec-minimal.patch (NEW) - minimal grsec...
baggins
baggins at pld-linux.org
Tue Apr 11 20:17:41 CEST 2006
Author: baggins Date: Tue Apr 11 18:17:41 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- minimal grsec over vserver
---- Files affected:
SOURCES:
linux-2.6-vs2.1-grsec-minimal.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-vs2.1-grsec-minimal.patch
diff -u /dev/null SOURCES/linux-2.6-vs2.1-grsec-minimal.patch:1.1
--- /dev/null Tue Apr 11 20:17:41 2006
+++ SOURCES/linux-2.6-vs2.1-grsec-minimal.patch Tue Apr 11 20:17:36 2006
@@ -0,0 +1,1286 @@
+diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
+--- linux-2.6.16.2/Makefile 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/Makefile 2006-04-11 17:44:40.069707000 +0200
+@@ -556,7 +556,7 @@
+
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
+--- linux-2.6.16.2/drivers/char/keyboard.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/char/keyboard.c 2006-04-11 17:44:40.073707250 +0200
+@@ -607,6 +607,16 @@
+ kbd->kbdmode == VC_MEDIUMRAW) &&
+ value != KVAL(K_SAK))
+ return; /* SAK is allowed even in raw mode */
++
++#if defined(CONFIG_GRKERNSEC_PROC)
++ {
++ void *func = fn_handler[value];
++ if (func == fn_show_state || func == fn_show_ptregs ||
++ func == fn_show_mem)
++ return;
++ }
++#endif
++
+ fn_handler[value](vc, regs);
+ }
+
+diff -urN linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
+--- linux-2.6.16.2/drivers/pci/proc.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/pci/proc.c 2006-04-11 17:44:40.073707250 +0200
+@@ -569,7 +569,15 @@
+
+ static void legacy_proc_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &proc_pci_operations;
+ }
+@@ -598,7 +606,15 @@
+ {
+ struct proc_dir_entry *entry;
+ struct pci_dev *dev = NULL;
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++#endif
++#else
+ proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
++#endif
+ entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
+ if (entry)
+ entry->proc_fops = &proc_bus_pci_dev_operations;
+diff -urN linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
+--- linux-2.6.16.2/fs/Kconfig 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/Kconfig 2006-04-11 17:44:40.073707250 +0200
+@@ -794,7 +794,7 @@
+
+ config PROC_KCORE
+ bool "/proc/kcore support" if !ARM
+- depends on PROC_FS && MMU
++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+
+ config PROC_VMCORE
+ bool "/proc/vmcore support (EXPERIMENTAL)"
+diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
+--- linux-2.6.16.2/fs/namei.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/namei.c 2006-04-11 18:10:35.961452750 +0200
+@@ -32,6 +32,7 @@
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+ #include <linux/namei.h>
++#include <linux/grsecurity.h>
+ #include <asm/namei.h>
+ #include <asm/uaccess.h>
+
+@@ -608,6 +609,13 @@
+ err = security_inode_follow_link(path->dentry, nd);
+ if (err)
+ goto loop;
++
++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++ path->dentry->d_inode, path->dentry, nd->mnt)) {
++ err = -EACCES;
++ goto loop;
++ }
++
+ current->link_count++;
+ current->total_link_count++;
+ nd->depth++;
+@@ -1647,6 +1655,13 @@
+ /*
+ * It already exists.
+ */
++
++ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
++ mutex_unlock(&dir->d_inode->i_mutex);
++ error = -EACCES;
++ goto exit_dput;
++ }
++
+ mutex_unlock(&dir->d_inode->i_mutex);
+
+ error = -EEXIST;
+@@ -1700,6 +1715,13 @@
+ error = security_inode_follow_link(path.dentry, nd);
+ if (error)
+ goto exit_dput;
++
++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
++ path.dentry, nd->mnt)) {
++ error = -EACCES;
++ goto exit_dput;
++ }
++
+ error = __do_follow_link(&path, nd);
+ if (error)
+ return error;
+@@ -2251,7 +2273,13 @@
+ new_dentry = lookup_create(&nd, 0);
+ error = PTR_ERR(new_dentry);
+ if (!IS_ERR(new_dentry)) {
+- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++ error = 0;
++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
++ old_nd.dentry->d_inode,
++ old_nd.dentry->d_inode->i_mode, to))
++ error = -EPERM;
++ if (!error)
++ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ dput(new_dentry);
+ }
+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
+diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
+--- linux-2.6.16.2/fs/proc/array.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/array.c 2006-04-11 17:44:40.077707500 +0200
+@@ -488,3 +488,14 @@
+ return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+ size, resident, shared, text, lib, data, 0);
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++{
++ int len;
++
++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
++ return len;
++}
++#endif
++
+diff -urN linux-2.6.16.2/fs/proc/base.c linux-2.6.16.2-grsec/fs/proc/base.c
+--- linux-2.6.16.2/fs/proc/base.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/base.c 2006-04-11 17:44:40.077707500 +0200
+@@ -124,6 +124,9 @@
+ #ifdef CONFIG_AUDITSYSCALL
+ PROC_TGID_LOGINUID,
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ PROC_TGID_IPADDR,
++#endif
+ PROC_TGID_OOM_SCORE,
+ PROC_TGID_OOM_ADJUST,
+ PROC_TID_INO,
+@@ -201,6 +204,9 @@
+ E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
++#endif
+ #ifdef CONFIG_MMU
+ E(PROC_TGID_SMAPS, "smaps", S_IFREG|S_IRUGO),
+ #endif
+@@ -1330,6 +1336,9 @@
+ inode->i_uid = task->euid;
+ inode->i_gid = task->egid;
+ }
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#endif
+ security_task_to_inode(task, inode);
+
+ out:
+@@ -1358,7 +1367,9 @@
+ if (pid_alive(task)) {
+ if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
+ inode->i_uid = task->euid;
++#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = task->egid;
++#endif
+ } else {
+ inode->i_uid = 0;
+ inode->i_gid = 0;
+@@ -1681,6 +1692,12 @@
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_pid_status;
+ break;
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ case PROC_TGID_IPADDR:
++ inode->i_fop = &proc_info_file_operations;
++ ei->op.proc_read = proc_pid_ipaddr;
++ break;
++#endif
+ case PROC_TID_STAT:
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_tid_stat;
+@@ -1985,6 +2002,17 @@
+ if (!task)
+ goto out;
+
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (current->uid && (task->uid != current->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ ) {
++ put_task_struct(task);
++ goto out;
++ }
++#endif
++
+ inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
+
+
+@@ -1992,7 +2020,15 @@
+ put_task_struct(task);
+ goto out;
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ inode->i_op = &proc_tgid_base_inode_operations;
+ inode->i_fop = &proc_tgid_base_operations;
+ inode->i_flags|=S_IMMUTABLE;
+@@ -2084,6 +2120,9 @@
+ static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
+ {
+ struct task_struct *p;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ struct task_struct *tmp = current;
++#endif
+ int nr_tgids = 0;
+
+ index--;
+@@ -2104,6 +2143,14 @@
+ int tgid = p->pid;
+ if (!pid_alive(p))
+ continue;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (tmp->uid && (p->uid != tmp->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++ continue;
++#endif
+ if (--index >= 0)
+ continue;
+ tgids[nr_tgids] = tgid;
+diff -urN linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
+--- linux-2.6.16.2/fs/proc/inode.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/inode.c 2006-04-11 17:44:40.077707500 +0200
+@@ -168,7 +168,11 @@
+ if (de->mode) {
+ inode->i_mode = de->mode;
+ inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = de->gid;
++#endif
+ }
+ if (de->size)
+ inode->i_size = de->size;
+diff -urN linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
+--- linux-2.6.16.2/fs/proc/internal.h 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/internal.h 2006-04-11 17:44:40.077707500 +0200
+@@ -36,6 +36,9 @@
+ extern int proc_tgid_stat(struct task_struct *, char *);
+ extern int proc_pid_status(struct task_struct *, char *);
+ extern int proc_pid_statm(struct task_struct *, char *);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct*,char*);
++#endif
+
+ void free_proc_entry(struct proc_dir_entry *de);
+
+diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
+--- linux-2.6.16.2/fs/proc/proc_misc.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c 2006-04-11 17:44:40.109709500 +0200
+@@ -708,6 +708,8 @@
+ void __init proc_misc_init(void)
+ {
+ struct proc_dir_entry *entry;
++ int gr_mode = 0;
++
+ static struct {
+ char *name;
+ int (*read_proc)(char*,char**,off_t,int,int*,void*);
+@@ -723,7 +725,9 @@
+ {"stram", stram_read_proc},
+ #endif
+ {"filesystems", filesystems_read_proc},
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ {"cmdline", cmdline_read_proc},
++#endif
+ {"locks", locks_read_proc},
+ {"execdomains", execdomains_read_proc},
+ {NULL,}
+@@ -731,31 +735,49 @@
+ for (p = simple_ones; p->name; p++)
+ create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ gr_mode = S_IRUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ gr_mode = S_IRUSR | S_IRGRP;
++#endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++#endif
++
+ proc_symlink("mounts", NULL, "self/mounts");
+
+ /* And now for trickier ones */
+ entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
+ if (entry)
+ entry->proc_fops = &proc_kmsg_operations;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
++#else
+ create_seq_entry("devices", 0, &proc_devinfo_operations);
++#endif
+ create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
+ create_seq_entry("partitions", 0, &proc_partitions_operations);
+ create_seq_entry("stat", 0, &proc_stat_operations);
+ create_seq_entry("interrupts", 0, &proc_interrupts_operations);
+ #ifdef CONFIG_SLAB
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
++#else
+ create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ #endif
++#endif
+ create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
+ create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
+ create_seq_entry("zoneinfo",S_IRUGO, &proc_zoneinfo_file_operations);
+ create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ #ifdef CONFIG_MODULES
+- create_seq_entry("modules", 0, &proc_modules_operations);
++ create_seq_entry("modules", gr_mode, &proc_modules_operations);
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ create_seq_entry("schedstat", 0, &proc_schedstat_operations);
+ #endif
+-#ifdef CONFIG_PROC_KCORE
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
+ if (proc_root_kcore) {
+ proc_root_kcore->proc_fops = &proc_kcore_operations;
+diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
+--- linux-2.6.16.2/fs/proc/root.c 2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/root.c 2006-04-11 17:44:40.113709750 +0200
+@@ -53,7 +53,13 @@
+ return;
+ }
+ proc_misc_init();
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#else
+ proc_net = proc_mkdir("net", NULL);
++#endif
+ proc_net_stat = proc_mkdir("net/stat", NULL);
+
+ #ifdef CONFIG_SYSVIPC
+@@ -77,7 +83,15 @@
+ #ifdef CONFIG_PROC_DEVICETREE
+ proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ proc_bus = proc_mkdir("bus", NULL);
++#endif
+ }
+
+ static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
+diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
+--- linux-2.6.16.2/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/Kconfig 2006-04-11 19:03:04.020561250 +0200
+@@ -0,0 +1,135 @@
++#
++# grecurity configuration
++#
++
++menu "Grsecurity"
++
++config GRKERNSEC
++ bool "Grsecurity"
++ select CRYPTO
++ select CRYPTO_SHA256
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
++
++menu "Filesystem Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC
++ bool "Proc restrictions"
++ help
++ If you say Y here, the permissions of the /proc filesystem
++ will be altered to enhance system security and privacy. You MUST
++ choose either a user only restriction or a user and group restriction.
++ Depending upon the option you choose, you can either restrict users to
++ see only the processes they themselves run, or choose a group that can
++ view all processes and files normally restricted to root if you choose
++ the "restrict to user only" option. NOTE: If you're running identd as
++ a non-root user, you will have to run it as the group you specify here.
++
++config GRKERNSEC_PROC_USER
++ bool "Restrict /proc to user only"
++ depends on GRKERNSEC_PROC
++ help
++ If you say Y here, non-root users will only be able to view their own
++ processes, and restricts them from viewing network-related information,
++ and viewing kernel symbol and module information.
++
++config GRKERNSEC_PROC_USERGROUP
++ bool "Allow special group"
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ help
++ If you say Y here, you will be able to select a group that will be
++ able to view all processes, network-related information, and
++ kernel and symbol information. This option is useful if you want
++ to run identd as a non-root user.
++
++config GRKERNSEC_PROC_GID
++ int "GID for special group"
++ depends on GRKERNSEC_PROC_USERGROUP
++ default 1001
++
++config GRKERNSEC_PROC_ADD
++ bool "Additional restrictions"
++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++ help
++ If you say Y here, additional restrictions will be placed on
++ /proc that keep normal users from viewing device information and
++ slabinfo information that could be useful for exploits.
++
++config GRKERNSEC_LINK
++ bool "Linking restrictions"
++ help
++ If you say Y here, /tmp race exploits will be prevented, since users
++ will no longer be able to follow symlinks owned by other users in
++ world-writable +t directories (i.e. /tmp), unless the owner of the
++ symlink is the owner of the directory. users will also not be
++ able to hardlink to files they do not own. If the sysctl option is
++ enabled, a sysctl option with name "linking_restrictions" is created.
++
++config GRKERNSEC_FIFO
++ bool "FIFO restrictions"
++ help
++ If you say Y here, users will not be able to write to FIFOs they don't
++ own in world-writable +t directories (i.e. /tmp), unless the owner of
++ the FIFO is the same owner of the directory it's held in. If the sysctl
++ option is enabled, a sysctl option with name "fifo_restrictions" is
++ created.
++
++endmenu
++
++config GRKERNSEC_PROC_IPADDR
++ depends on GRKERNSEC
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_SHM
++ depends on GRKERNSEC
++ bool "Destroy unused shared memory"
++ depends on SYSVIPC
++ help
++ If you say Y here, shared memory will be destroyed when no one is
++ attached to it. Otherwise, resources involved with the shared
++ memory can be used up and not be associated with any process (as the
++ shared memory still exists, and the creating process has exited). If
++ the sysctl option is enabled, a sysctl option with name
++ "destroy_unused_shm" is created.
++
++config GRKERNSEC_SYSCTL
++ depends on GRKERNSEC && SYSCTL
++ bool "Sysctl support"
++ help
++ If you say Y here, you will be able to change the options that
++ grsecurity runs with at bootup, without having to recompile your
++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
++ to enable (1) or disable (0) various features. All the sysctl entries
++ are mutable until the "grsec_lock" entry is set to a non-zero value.
++ All features enabled in the kernel configuration are disabled at boot
++ if you do not say Y to the "Turn on features by default" option.
++ All options should be set at startup, and the grsec_lock entry should
++ be set to a non-zero value after all the options are set.
++ *THIS IS EXTREMELY IMPORTANT*
++
++config GRKERNSEC_SYSCTL_ON
++ bool "Turn on features by default"
++ depends on GRKERNSEC_SYSCTL
++ help
++ If you say Y here, instead of having all features enabled in the
++ kernel configuration disabled at boot time, the features will be
++ enabled at boot time. It is recommended you say Y here unless
++ there is some reason you would want all sysctl-tunable features to
++ be disabled by default. As mentioned elsewhere, it is important
++ to enable the grsec_lock entry once you have finished modifying
++ the sysctl entries.
++
++endmenu
+diff -urN linux-2.6.16.2/grsecurity/Makefile linux-2.6.16.2-grsec/grsecurity/Makefile
+--- linux-2.6.16.2/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/Makefile 2006-04-11 19:03:17.509404250 +0200
+@@ -0,0 +1,11 @@
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler, and released under the GPL v2 or higher
++
++obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
++
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o
++
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
++
+diff -urN linux-2.6.16.2/grsecurity/grsec_disabled.c linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c
+--- linux-2.6.16.2/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c 2006-04-11 17:44:40.113709750 +0200
+@@ -0,0 +1,63 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/config.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/kdev_t.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/skbuff.h>
++#include <linux/sysctl.h>
++
++#ifdef CONFIG_SYSCTL
++__u32
++gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
++{
++ return mode;
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list