SOURCES: kernel-desktop-grsec-minimal.patch (NEW) - minimal grsec, ...

sparky sparky at pld-linux.org
Mon May 1 18:19:55 CEST 2006


Author: sparky                       Date: Mon May  1 16:19:55 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- minimal grsec, copied linux-2.6-grsec-minimal.patch @ LINUX_2_6

---- Files affected:
SOURCES:
   kernel-desktop-grsec-minimal.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/kernel-desktop-grsec-minimal.patch
diff -u /dev/null SOURCES/kernel-desktop-grsec-minimal.patch:1.1
--- /dev/null	Mon May  1 18:19:55 2006
+++ SOURCES/kernel-desktop-grsec-minimal.patch	Mon May  1 18:19:50 2006
@@ -0,0 +1,1298 @@
+diff -urNp linux-2.6.16.2/arch/sparc/Makefile linux-2.6.16.2/arch/sparc/Makefile
+--- linux-2.6.16.2/arch/sparc/Makefile	2006-04-07 12:56:47.000000000 -0400
++++ linux-2.6.16.2/arch/sparc/Makefile	2006-04-09 21:23:54.000000000 -0400
+@@ -34,7 +34,7 @@ libs-y += arch/sparc/prom/ arch/sparc/li
+ # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
+ INIT_Y		:= $(patsubst %/, %/built-in.o, $(init-y))
+ CORE_Y		:= $(core-y)
+-CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ CORE_Y		:= $(patsubst %/, %/built-in.o, $(CORE_Y))
+ DRIVERS_Y	:= $(patsubst %/, %/built-in.o, $(drivers-y))
+ NET_Y		:= $(patsubst %/, %/built-in.o, $(net-y))
+diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
+--- linux-2.6.16.2/Makefile	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/Makefile	2006-04-11 17:44:40.069707000 +0200
+@@ -556,7 +556,7 @@
+ 
+ 
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ 
+ vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
+--- linux-2.6.16.2/drivers/char/keyboard.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/char/keyboard.c	2006-04-11 17:44:40.073707250 +0200
+@@ -607,6 +607,16 @@
+ 	     kbd->kbdmode == VC_MEDIUMRAW) &&
+ 	     value != KVAL(K_SAK))
+ 		return;		/* SAK is allowed even in raw mode */
++
++#if defined(CONFIG_GRKERNSEC_PROC)
++	{
++		void *func = fn_handler[value];
++		if (func == fn_show_state || func == fn_show_ptregs ||
++		    func == fn_show_mem)
++			return;
++	}
++#endif
++
+ 	fn_handler[value](vc, regs);
+ }
+ 
+diff -urN linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
+--- linux-2.6.16.2/drivers/pci/proc.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/drivers/pci/proc.c	2006-04-11 17:44:40.073707250 +0200
+@@ -569,7 +569,15 @@
+ 
+ static void legacy_proc_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++	struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ 	struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
++#endif
+ 	if (entry)
+ 		entry->proc_fops = &proc_pci_operations;
+ }
+@@ -598,7 +606,15 @@
+ {
+ 	struct proc_dir_entry *entry;
+ 	struct pci_dev *dev = NULL;
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++#endif
++#else
+ 	proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
++#endif
+ 	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
+ 	if (entry)
+ 		entry->proc_fops = &proc_bus_pci_dev_operations;
+diff -urN linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
+--- linux-2.6.16.2/fs/Kconfig	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/Kconfig	2006-04-11 17:44:40.073707250 +0200
+@@ -794,7 +794,7 @@
+ 
+ config PROC_KCORE
+ 	bool "/proc/kcore support" if !ARM
+-	depends on PROC_FS && MMU
++	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+ 
+ config PROC_VMCORE
+         bool "/proc/vmcore support (EXPERIMENTAL)"
+diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
+--- linux-2.6.16.2/fs/namei.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/namei.c	2006-04-11 18:10:35.961452750 +0200
+@@ -32,6 +32,7 @@
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+ #include <linux/namei.h>
++#include <linux/grsecurity.h>
+ #include <asm/namei.h>
+ #include <asm/uaccess.h>
+ 
+@@ -608,6 +609,13 @@
+ 	err = security_inode_follow_link(path->dentry, nd);
+ 	if (err)
+ 		goto loop;
++
++	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++				  path->dentry->d_inode, path->dentry, nd->mnt)) {
++		err = -EACCES;
++		goto loop;
++	}
++
+ 	current->link_count++;
+ 	current->total_link_count++;
+ 	nd->depth++;
+@@ -1647,6 +1655,13 @@
+ 	/*
+ 	 * It already exists.
+ 	 */
++
++	if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
++		mutex_unlock(&dir->d_inode->i_mutex);
++		error = -EACCES;
++		goto exit_dput;
++	}
++
+ 	mutex_unlock(&dir->d_inode->i_mutex);
+ 
+ 	error = -EEXIST;
+@@ -1700,6 +1715,13 @@
+ 	error = security_inode_follow_link(path.dentry, nd);
+ 	if (error)
+ 		goto exit_dput;
++
++	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
++				  path.dentry, nd->mnt)) {
++		error = -EACCES;
++		goto exit_dput;
++	}
++
+ 	error = __do_follow_link(&path, nd);
+ 	if (error)
+ 		return error;
+@@ -2251,7 +2273,13 @@
+ 	new_dentry = lookup_create(&nd, 0);
+ 	error = PTR_ERR(new_dentry);
+ 	if (!IS_ERR(new_dentry)) {
+-		error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++		error = 0;
++		if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
++				       old_nd.dentry->d_inode,
++				       old_nd.dentry->d_inode->i_mode, to))
++			error = -EPERM;
++		if (!error)
++			error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ 		dput(new_dentry);
+ 	}
+ 	mutex_unlock(&nd.dentry->d_inode->i_mutex);
+diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
+--- linux-2.6.16.2/fs/proc/array.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/array.c	2006-04-11 17:44:40.077707500 +0200
+@@ -488,3 +488,14 @@
+ 	return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+ 		       size, resident, shared, text, lib, data, 0);
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++{
++	int len;
++
++	len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
++	return len;
++}
++#endif
++
+diff -urN linux-2.6.16.2/fs/proc/base.c linux-2.6.16.2-grsec/fs/proc/base.c
+--- linux-2.6.16.2/fs/proc/base.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/base.c	2006-04-11 17:44:40.077707500 +0200
+@@ -124,6 +124,9 @@
+ #ifdef CONFIG_AUDITSYSCALL
+ 	PROC_TGID_LOGINUID,
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++	PROC_TGID_IPADDR,
++#endif
+ 	PROC_TGID_OOM_SCORE,
+ 	PROC_TGID_OOM_ADJUST,
+ 	PROC_TID_INO,
+@@ -201,6 +204,9 @@
+ 	E(PROC_TGID_ROOT,      "root",    S_IFLNK|S_IRWXUGO),
+ 	E(PROC_TGID_EXE,       "exe",     S_IFLNK|S_IRWXUGO),
+ 	E(PROC_TGID_MOUNTS,    "mounts",  S_IFREG|S_IRUGO),
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++	E(PROC_TGID_IPADDR,     "ipaddr",  S_IFREG|S_IRUSR),
++#endif
+ #ifdef CONFIG_MMU
+ 	E(PROC_TGID_SMAPS,     "smaps",   S_IFREG|S_IRUGO),
+ #endif
+@@ -1330,6 +1336,9 @@
+ 		inode->i_uid = task->euid;
+ 		inode->i_gid = task->egid;
+ 	}
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#endif
+ 	security_task_to_inode(task, inode);
+ 
+ out:
+@@ -1358,7 +1367,9 @@
+ 	if (pid_alive(task)) {
+ 		if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
+ 			inode->i_uid = task->euid;
++#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
+ 			inode->i_gid = task->egid;
++#endif
+ 		} else {
+ 			inode->i_uid = 0;
+ 			inode->i_gid = 0;
+@@ -1681,6 +1692,12 @@
+ 			inode->i_fop = &proc_info_file_operations;
+ 			ei->op.proc_read = proc_pid_status;
+ 			break;
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++		case PROC_TGID_IPADDR:
++			inode->i_fop = &proc_info_file_operations;
++			ei->op.proc_read = proc_pid_ipaddr;
++			break;
++#endif
+ 		case PROC_TID_STAT:
+ 			inode->i_fop = &proc_info_file_operations;
+ 			ei->op.proc_read = proc_tid_stat;
+@@ -1985,6 +2002,17 @@
+ 	if (!task)
+ 		goto out;
+ 
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (current->uid && (task->uid != current->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++	    && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++	) {
++		put_task_struct(task);
++		goto out;
++	}
++#endif
++
+ 	inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
+ 
+ 
+@@ -1992,7 +2020,15 @@
+ 		put_task_struct(task);
+ 		goto out;
+ 	}
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ 	inode->i_op = &proc_tgid_base_inode_operations;
+ 	inode->i_fop = &proc_tgid_base_operations;
+ 	inode->i_flags|=S_IMMUTABLE;
+@@ -2084,6 +2120,9 @@
+ static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
+ {
+ 	struct task_struct *p;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	struct task_struct *tmp = current;
++#endif
+ 	int nr_tgids = 0;
+ 
+ 	index--;
+@@ -2104,6 +2143,14 @@
+ 		int tgid = p->pid;
+ 		if (!pid_alive(p))
+ 			continue;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		if (tmp->uid && (p->uid != tmp->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++		    && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++		)
++			continue;
++#endif
+ 		if (--index >= 0)
+ 			continue;
+ 		tgids[nr_tgids] = tgid;
+diff -urN linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
+--- linux-2.6.16.2/fs/proc/inode.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/inode.c	2006-04-11 17:44:40.077707500 +0200
+@@ -168,7 +168,11 @@
+ 		if (de->mode) {
+ 			inode->i_mode = de->mode;
+ 			inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			inode->i_gid = de->gid;
++#endif
+ 		}
+ 		if (de->size)
+ 			inode->i_size = de->size;
+diff -urN linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
+--- linux-2.6.16.2/fs/proc/internal.h	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/internal.h	2006-04-11 17:44:40.077707500 +0200
+@@ -36,6 +36,9 @@
+ extern int proc_tgid_stat(struct task_struct *, char *);
+ extern int proc_pid_status(struct task_struct *, char *);
+ extern int proc_pid_statm(struct task_struct *, char *);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct*,char*);
++#endif
+ 
+ void free_proc_entry(struct proc_dir_entry *de);
+ 
+diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
+--- linux-2.6.16.2/fs/proc/proc_misc.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c	2006-04-11 17:44:40.109709500 +0200
+@@ -708,6 +708,8 @@
+ void __init proc_misc_init(void)
+ {
+ 	struct proc_dir_entry *entry;
++	int gr_mode = 0;
++
+ 	static struct {
+ 		char *name;
+ 		int (*read_proc)(char*,char**,off_t,int,int*,void*);
+@@ -723,7 +725,9 @@
+ 		{"stram",	stram_read_proc},
+ #endif
+ 		{"filesystems",	filesystems_read_proc},
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ 		{"cmdline",	cmdline_read_proc},
++#endif
+ 		{"locks",	locks_read_proc},
+ 		{"execdomains",	execdomains_read_proc},
+ 		{NULL,}
+@@ -731,31 +735,49 @@
+ 	for (p = simple_ones; p->name; p++)
+ 		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+ 
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	gr_mode = S_IRUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	gr_mode = S_IRUSR | S_IRGRP;
++#endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++#endif
++
+ 	proc_symlink("mounts", NULL, "self/mounts");
+ 
+ 	/* And now for trickier ones */
+ 	entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
+ 	if (entry)
+ 		entry->proc_fops = &proc_kmsg_operations;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
++#else
+ 	create_seq_entry("devices", 0, &proc_devinfo_operations);
++#endif
+ 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
+ 	create_seq_entry("partitions", 0, &proc_partitions_operations);
+ 	create_seq_entry("stat", 0, &proc_stat_operations);
+ 	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
+ #ifdef CONFIG_SLAB
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
++#else
+ 	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ #endif
++#endif
+ 	create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
+ 	create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
+ 	create_seq_entry("zoneinfo",S_IRUGO, &proc_zoneinfo_file_operations);
+ 	create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ #ifdef CONFIG_MODULES
+-	create_seq_entry("modules", 0, &proc_modules_operations);
++	create_seq_entry("modules", gr_mode, &proc_modules_operations);
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ 	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
+ #endif
+-#ifdef CONFIG_PROC_KCORE
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ 	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
+ 	if (proc_root_kcore) {
+ 		proc_root_kcore->proc_fops = &proc_kcore_operations;
+diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
+--- linux-2.6.16.2/fs/proc/root.c	2006-04-07 18:56:47.000000000 +0200
++++ linux-2.6.16.2-grsec/fs/proc/root.c	2006-04-11 17:44:40.113709750 +0200
+@@ -53,7 +53,13 @@
+ 		return;
+ 	}
+ 	proc_misc_init();
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#else
+ 	proc_net = proc_mkdir("net", NULL);
++#endif
+ 	proc_net_stat = proc_mkdir("net/stat", NULL);
+ 
+ #ifdef CONFIG_SYSVIPC
+@@ -77,7 +83,15 @@
+ #ifdef CONFIG_PROC_DEVICETREE
+ 	proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ 	proc_bus = proc_mkdir("bus", NULL);
++#endif
+ }
+ 
+ static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
+diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
+--- linux-2.6.16.2/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/Kconfig	2006-04-11 19:03:04.020561250 +0200
+@@ -0,0 +1,135 @@
++#
++# grecurity configuration
++#
++
++menu "Grsecurity"
++
++config GRKERNSEC
++	bool "Grsecurity"
++	select CRYPTO
++	select CRYPTO_SHA256
++	help
++	  If you say Y here, you will be able to configure many features
++	  that will enhance the security of your system.  It is highly
++	  recommended that you say Y here and read through the help
++	  for each option so that you fully understand the features and
++	  can evaluate their usefulness for your machine.
++
++menu "Filesystem Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC
++	bool "Proc restrictions"
++	help
++	  If you say Y here, the permissions of the /proc filesystem
++	  will be altered to enhance system security and privacy.  You MUST
++  	  choose either a user only restriction or a user and group restriction.
++	  Depending upon the option you choose, you can either restrict users to
++	  see only the processes they themselves run, or choose a group that can
++	  view all processes and files normally restricted to root if you choose
++	  the "restrict to user only" option.  NOTE: If you're running identd as
++	  a non-root user, you will have to run it as the group you specify here.
++
++config GRKERNSEC_PROC_USER
++	bool "Restrict /proc to user only"
++	depends on GRKERNSEC_PROC
++	help
++	  If you say Y here, non-root users will only be able to view their own
++	  processes, and restricts them from viewing network-related information,
++	  and viewing kernel symbol and module information.
++
++config GRKERNSEC_PROC_USERGROUP
++	bool "Allow special group"
++	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++	help
++	  If you say Y here, you will be able to select a group that will be
++	  able to view all processes, network-related information, and
++	  kernel and symbol information.  This option is useful if you want
++	  to run identd as a non-root user.
++
++config GRKERNSEC_PROC_GID
++	int "GID for special group"
++	depends on GRKERNSEC_PROC_USERGROUP
++	default 1001
++
++config GRKERNSEC_PROC_ADD
++	bool "Additional restrictions"
++	depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++	help
++	  If you say Y here, additional restrictions will be placed on
++	  /proc that keep normal users from viewing device information and 
++	  slabinfo information that could be useful for exploits.
++
++config GRKERNSEC_LINK
++	bool "Linking restrictions"
++	help
++	  If you say Y here, /tmp race exploits will be prevented, since users
++	  will no longer be able to follow symlinks owned by other users in
++	  world-writable +t directories (i.e. /tmp), unless the owner of the
++	  symlink is the owner of the directory. users will also not be
++	  able to hardlink to files they do not own.  If the sysctl option is
++	  enabled, a sysctl option with name "linking_restrictions" is created.
++
++config GRKERNSEC_FIFO
++	bool "FIFO restrictions"
++	help
++	  If you say Y here, users will not be able to write to FIFOs they don't
++	  own in world-writable +t directories (i.e. /tmp), unless the owner of
++	  the FIFO is the same owner of the directory it's held in.  If the sysctl
++	  option is enabled, a sysctl option with name "fifo_restrictions" is
++	  created.
++
++endmenu
++
++config GRKERNSEC_PROC_IPADDR
++	depends on GRKERNSEC
++	bool "/proc/<pid>/ipaddr support"
++	help
++	  If you say Y here, a new entry will be added to each /proc/<pid>
++	  directory that contains the IP address of the person using the task.
++	  The IP is carried across local TCP and AF_UNIX stream sockets.
++	  This information can be useful for IDS/IPSes to perform remote response
++	  to a local attack.  The entry is readable by only the owner of the
++	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++	  the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_SHM
++	depends on GRKERNSEC
++	bool "Destroy unused shared memory"
++	depends on SYSVIPC
++	help
++	  If you say Y here, shared memory will be destroyed when no one is
++	  attached to it.  Otherwise, resources involved with the shared
++	  memory can be used up and not be associated with any process (as the
++	  shared memory still exists, and the creating process has exited).  If
++	  the sysctl option is enabled, a sysctl option with name
++	  "destroy_unused_shm" is created.
++
++config GRKERNSEC_SYSCTL
++	depends on GRKERNSEC && SYSCTL
++	bool "Sysctl support"
++	help
++	  If you say Y here, you will be able to change the options that
++	  grsecurity runs with at bootup, without having to recompile your
++	  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
++	  to enable (1) or disable (0) various features.  All the sysctl entries
++	  are mutable until the "grsec_lock" entry is set to a non-zero value.
++	  All features enabled in the kernel configuration are disabled at boot
++	  if you do not say Y to the "Turn on features by default" option.
++	  All options should be set at startup, and the grsec_lock entry should
++	  be set to a non-zero value after all the options are set.
++	  *THIS IS EXTREMELY IMPORTANT*
++
++config GRKERNSEC_SYSCTL_ON
++	bool "Turn on features by default"
++	depends on GRKERNSEC_SYSCTL
++	help
++	  If you say Y here, instead of having all features enabled in the
++	  kernel configuration disabled at boot time, the features will be
++	  enabled at boot time.  It is recommended you say Y here unless
++	  there is some reason you would want all sysctl-tunable features to
++	  be disabled by default.  As mentioned elsewhere, it is important
++	  to enable the grsec_lock entry once you have finished modifying
++	  the sysctl entries.
++
++endmenu
+diff -urN linux-2.6.16.2/grsecurity/Makefile linux-2.6.16.2-grsec/grsecurity/Makefile
+--- linux-2.6.16.2/grsecurity/Makefile	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/Makefile	2006-04-11 19:03:17.509404250 +0200
+@@ -0,0 +1,11 @@
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler, and released under the GPL v2 or higher
++
++obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
++
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o
++
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
++
+diff -urN linux-2.6.16.2/grsecurity/grsec_disabled.c linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c
+--- linux-2.6.16.2/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c	2006-04-11 17:44:40.113709750 +0200
+@@ -0,0 +1,63 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/config.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/fs.h>
<<Diff was trimmed, longer than 597 lines>>


More information about the pld-cvs-commit mailing list