SOURCES (Titanium): linux-2.6-grsec-vs-minimal.patch - minimal grsecurity c...

hawk hawk at pld-linux.org
Fri Nov 7 14:30:51 CET 2008


Author: hawk                         Date: Fri Nov  7 13:30:51 2008 GMT
Module: SOURCES                       Tag: Titanium
---- Log message:
- minimal grsecurity created from scratch for 2.6.27.x kernels

---- Files affected:
SOURCES:
   linux-2.6-grsec-vs-minimal.patch (1.1.2.8.2.10 -> 1.1.2.8.2.11) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-vs-minimal.patch
diff -u SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.10 SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.11
--- SOURCES/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.10	Tue Sep  2 15:38:18 2008
+++ SOURCES/linux-2.6-grsec-vs-minimal.patch	Fri Nov  7 14:30:45 2008
@@ -1,7 +1,7 @@
-diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile
---- linux-2.6.26.orig/arch/sparc/Makefile	2008-09-01 11:44:21.000000000 +0200
-+++ linux-2.6.26/arch/sparc/Makefile	2008-09-02 12:17:21.000000000 +0200
-@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE)	+= arch/sparc
+diff -urNp linux-2.6.27.4/arch/sparc/Makefile linux-2.6.27.4/arch/sparc/Makefile
+--- linux-2.6.27.4/arch/sparc/Makefile	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/arch/sparc/Makefile	2008-10-25 12:03:06.000000000 -0400
+@@ -37,7 +37,7 @@ drivers-$(CONFIG_OPROFILE)	+= arch/sparc
  # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
  INIT_Y		:= $(patsubst %/, %/built-in.o, $(init-y))
  CORE_Y		:= $(core-y)
@@ -10,10 +10,10 @@
  CORE_Y		:= $(patsubst %/, %/built-in.o, $(CORE_Y))
  DRIVERS_Y	:= $(patsubst %/, %/built-in.o, $(drivers-y))
  NET_Y		:= $(patsubst %/, %/built-in.o, $(net-y))
-diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
---- linux-2.6.26.orig/drivers/char/keyboard.c	2008-09-01 11:43:37.000000000 +0200
-+++ linux-2.6.26/drivers/char/keyboard.c	2008-09-02 12:17:21.000000000 +0200
-@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
+diff -urNp linux-2.6.27.4/drivers/char/keyboard.c linux-2.6.27.4/drivers/char/keyboard.c
+--- linux-2.6.27.4/drivers/char/keyboard.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/drivers/char/keyboard.c	2008-10-27 22:36:17.000000000 -0400
+@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
  	     kbd->kbdmode == VC_MEDIUMRAW) &&
  	     value != KVAL(K_SAK))
  		return;		/* SAK is allowed even in raw mode */
@@ -30,10 +30,10 @@
  	fn_handler[value](vc);
  }
  
-diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
---- linux-2.6.26.orig/drivers/pci/proc.c	2008-09-01 11:43:47.000000000 +0200
-+++ linux-2.6.26/drivers/pci/proc.c	2008-09-02 12:17:21.000000000 +0200
-@@ -472,7 +472,16 @@ static const struct file_operations proc
+diff -urNp linux-2.6.27.4/drivers/pci/proc.c linux-2.6.27.4/drivers/pci/proc.c
+--- linux-2.6.27.4/drivers/pci/proc.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/drivers/pci/proc.c	2008-10-25 12:03:06.000000000 -0400
+@@ -470,7 +470,16 @@ static const struct file_operations proc
  static int __init pci_proc_init(void)
  {
  	struct pci_dev *dev = NULL;
@@ -50,43 +50,25 @@
  	proc_create("devices", 0, proc_bus_pci_dir,
  		    &proc_bus_pci_dev_operations);
  	proc_initialized = 1;
-diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
---- linux-2.6.26.orig/fs/Kconfig	2008-09-01 11:43:58.000000000 +0200
-+++ linux-2.6.26/fs/Kconfig	2008-09-02 12:17:21.000000000 +0200
-@@ -926,12 +926,12 @@ config PROC_FS
- 
- config PROC_KCORE
- 	bool "/proc/kcore support" if !ARM
--	depends on PROC_FS && MMU
-+	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
- 
- config PROC_VMCORE
-         bool "/proc/vmcore support (EXPERIMENTAL)"
--        depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP
--	default y
-+        depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP && !GRKERNSEC
-+	default n
-         help
-         Exports the dump image of crashed kernel in ELF format.
- 
-diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c
---- linux-2.6.26.orig/fs/namei.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/namei.c	2008-09-02 12:17:21.000000000 +0200
-@@ -38,6 +38,7 @@
- #include <linux/vs_cowbl.h>
- #include <linux/vs_device.h>
- #include <linux/vs_context.h>
+diff -urNp linux-2.6.27.4/fs/namei.c linux-2.6.27.4/fs/namei.c
+--- linux-2.6.27.4/fs/namei.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/namei.c	2008-10-27 22:36:18.000000000 -0400
+@@ -31,6 +31,8 @@
+ #include <linux/file.h>
+ #include <linux/fcntl.h>
+ #include <linux/device_cgroup.h>
 +#include <linux/grsecurity.h>
- #include <asm/namei.h>
++
  #include <asm/uaccess.h>
  
-@@ -740,6 +741,13 @@ static inline int do_follow_link(struct 
+ #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
+@@ -677,6 +679,13 @@ static inline int do_follow_link(struct 
  	err = security_inode_follow_link(path->dentry, nd);
  	if (err)
  		goto loop;
 +
 +	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
-+				  path->dentry->d_inode, path->dentry)) {
++				  path->dentry->d_inode, path->dentry, nd->path.mnt)) {
 +		err = -EACCES;
 +		goto loop;
 +	}
@@ -94,12 +76,12 @@
  	current->link_count++;
  	current->total_link_count++;
  	nd->depth++;
-@@ -1925,6 +1933,12 @@ do_last:
+@@ -1759,6 +1794,12 @@ do_last:
  	/*
  	 * It already exists.
  	 */
 +
-+	if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
++	if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
 +		error = -EACCES;
 +		goto exit_mutex_unlock;
 +	}
@@ -107,13 +89,13 @@
  	mutex_unlock(&dir->d_inode->i_mutex);
  	audit_inode(pathname, path.dentry);
  
-@@ -2028,6 +2042,13 @@ do_link:
+@@ -1843,6 +1892,13 @@ do_link:
  	error = security_inode_follow_link(path.dentry, &nd);
  	if (error)
  		goto exit_dput;
 +
 +	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
-+				  path.dentry)) {
++				  path.dentry, nd.path.mnt)) {
 +		error = -EACCES;
 +		goto exit_dput;
 +	}
@@ -121,13 +103,14 @@
  	error = __do_follow_link(&path, &nd);
  	if (error) {
  		/* Does someone understand code flow here? Or it is only
-@@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2453,6 +2572,14 @@ asmlinkage long sys_linkat(int olddfd, c
  	error = PTR_ERR(new_dentry);
  	if (IS_ERR(new_dentry))
  		goto out_unlock;
 +
-+	if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
-+			       old_nd.path.dentry->d_inode->i_mode, to)) {
++	if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
++			       old_path.dentry->d_inode,
++			       old_path.dentry->d_inode->i_mode, to)) {
 +		error = -EACCES;
 +		goto out_dput;
 +	}
@@ -135,10 +118,10 @@
  	error = mnt_want_write(nd.path.mnt);
  	if (error)
  		goto out_dput;
-diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
---- linux-2.6.26.orig/fs/proc/array.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/array.c	2008-09-02 12:17:21.000000000 +0200
-@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
+diff -urNp linux-2.6.27.4/fs/proc/array.c linux-2.6.27.4/fs/proc/array.c
+--- linux-2.6.27.4/fs/proc/array.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/array.c	2008-10-27 22:36:18.000000000 -0400
+@@ -524,3 +569,10 @@ int proc_pid_statm(struct seq_file *m, s
  
  	return 0;
  }
@@ -149,13 +132,13 @@
 +	return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
 +}
 +#endif
-diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c
---- linux-2.6.26.orig/fs/proc/base.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/base.c	2008-09-02 12:23:45.000000000 +0200
+diff -urNp linux-2.6.27.4/fs/proc/base.c linux-2.6.27.4/fs/proc/base.c
+--- linux-2.6.27.4/fs/proc/base.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/base.c	2008-10-27 22:36:18.000000000 -0400
 @@ -79,6 +79,8 @@
+ #include <linux/oom.h>
+ #include <linux/elf.h>
  #include <linux/pid_namespace.h>
- #include <linux/vs_context.h>
- #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
 +
  #include "internal.h"
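Review bot: The `proc_pid_ipaddr` tail at the top of this hunk dereferences `task->signal->curr_ip` through a bare `task->signal` pointer with no sign of the sighand lock, and a task that has already been through exit can have `signal` set to NULL, so a read of `/proc/<pid>/ipaddr` racing with exit would oops; the other per-task readers in array.c presumably take `lock_task_sighand()` before touching `task->signal` — confirm and do the same here, returning 0 bytes when the lock cannot be taken. The `sprintf` into `buffer` is bounded only by the dotted-quad format, which fits the single page proc_info_read hands out, but a `/* at most 16 bytes: "ddd.ddd.ddd.ddd\n" */` comment would make that explicit. The function's opening lines and its `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` guard are outside the hunk; the prototype is the `proc_pid_ipaddr` added to internal.h further down.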
@@ -170,7 +153,7 @@
  EXPORT_SYMBOL(maps_protect);
  
  static struct fs_struct *get_fs_struct(struct task_struct *task)
-@@ -307,9 +312,9 @@ static int proc_pid_auxv(struct task_str
+@@ -312,9 +317,9 @@ static int proc_pid_auxv(struct task_str
  	struct mm_struct *mm = get_task_mm(task);
  	if (mm) {
  		unsigned int nwords = 0;
@@ -182,7 +165,7 @@
  		res = nwords * sizeof(mm->saved_auxv[0]);
  		if (res > PAGE_SIZE)
  			res = PAGE_SIZE;
-@@ -1412,7 +1417,11 @@ static struct inode *proc_pid_make_inode
+@@ -1437,7 +1442,11 @@ static struct inode *proc_pid_make_inode
  	inode->i_gid = 0;
  	if (task_dumpable(task)) {
  		inode->i_uid = task->euid;
@@ -192,9 +175,9 @@
  		inode->i_gid = task->egid;
 +#endif
  	}
- 	/* procfs is xid tagged */
- 	inode->i_tag = (tag_t)vx_task_xid(task);
-@@ -1430,17 +1439,39 @@ static int pid_getattr(struct vfsmount *
+ 	security_task_to_inode(task, inode);
+ 
+@@ -1453,17 +1462,39 @@ static int pid_getattr(struct vfsmount *
  {
  	struct inode *inode = dentry->d_inode;
  	struct task_struct *task;
@@ -235,7 +218,7 @@
  		}
  	}
  	rcu_read_unlock();
-@@ -1468,11 +1505,21 @@ static int pid_revalidate(struct dentry 
+@@ -1491,11 +1528,21 @@ static int pid_revalidate(struct dentry 
  {
  	struct inode *inode = dentry->d_inode;
  	struct task_struct *task = get_proc_task(inode);
@@ -257,8 +240,8 @@
  		} else {
  			inode->i_uid = 0;
  			inode->i_gid = 0;
-@@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
- 				struct nameidata *nd)
+@@ -1863,12 +1910,19 @@ static const struct file_operations proc
+ static int proc_fd_permission(struct inode *inode, int mask)
  {
  	int rv;
 +	struct task_struct *task;
@@ -279,7 +262,17 @@
  	return rv;
  }
  
-@@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
+@@ -2518,6 +2584,9 @@ static const struct pid_entry tgid_base_
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ 	INF("io",	S_IRUGO, tgid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++	INF("ipaddr",	  S_IRUSR, pid_ipaddr),
++#endif
+ };
+ 
+ static int proc_tgid_base_readdir(struct file * filp,
+@@ -2647,7 +2716,14 @@ static struct dentry *proc_pid_instantia
  	if (!inode)
  		goto out;
  
@@ -294,17 +287,17 @@
  	inode->i_op = &proc_tgid_base_inode_operations;
  	inode->i_fop = &proc_tgid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
+@@ -2754,6 +2834,9 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+ 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
  	struct tgid_iter iter;
  	struct pid_namespace *ns;
  
-@@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
+@@ -2772,6 +2855,15 @@ int proc_pid_readdir(struct file * filp,
  	for (iter = next_tgid(ns, iter);
  	     iter.task;
  	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
@@ -318,22 +311,12 @@
 +			continue;
 +
  		filp->f_pos = iter.tgid + TGID_OFFSET;
- 		if (!vx_proc_task_visible(iter.task))
- 			continue;
-@@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
- #ifdef CONFIG_FAULT_INJECTION
- 	REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	INF("ipaddr",	  S_IRUSR, pid_ipaddr),
-+#endif
- };
- 
- static int proc_tid_base_readdir(struct file * filp,
-diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
---- linux-2.6.26.orig/fs/proc/inode.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/inode.c	2008-09-02 12:17:21.000000000 +0200
-@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ 			put_task_struct(iter.task);
+diff -urNp linux-2.6.27.4/fs/proc/inode.c linux-2.6.27.4/fs/proc/inode.c
+--- linux-2.6.27.4/fs/proc/inode.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/inode.c	2008-10-25 12:03:07.000000000 -0400
+@@ -467,7 +467,11 @@ struct inode *proc_get_inode(struct supe
  		if (de->mode) {
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
@@ -343,25 +326,44 @@
  			inode->i_gid = de->gid;
 +#endif
  		}
- 		if (de->vx_flags)
- 			PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h
---- linux-2.6.26.orig/fs/proc/internal.h	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/internal.h	2008-09-02 12:17:21.000000000 +0200
-@@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
+ 		if (de->size)
+ 			inode->i_size = de->size;
+diff -urNp linux-2.6.27.4/fs/proc/internal.h linux-2.6.27.4/fs/proc/internal.h
+--- linux-2.6.27.4/fs/proc/internal.h	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/internal.h	2008-10-25 12:03:07.000000000 -0400
+@@ -55,6 +55,9 @@ extern int proc_pid_status(struct seq_fi
  				struct pid *pid, struct task_struct *task);
- extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
  				struct pid *pid, struct task_struct *task);
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
 +#endif
- 
  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
  
-diff -urNp linux-2.6.26.orig/fs/proc/proc_misc.c linux-2.6.26/fs/proc/proc_misc.c
---- linux-2.6.26.orig/fs/proc/proc_misc.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/proc_misc.c	2008-09-02 12:17:21.000000000 +0200
-@@ -851,6 +851,8 @@ struct proc_dir_entry *proc_root_kcore;
+ extern const struct file_operations proc_maps_operations;
+diff -urNp linux-2.6.27.4/fs/proc/Kconfig linux-2.6.27.4/fs/proc/Kconfig
+--- linux-2.6.27.4/fs/proc/Kconfig	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/Kconfig	2008-10-25 12:20:56.000000000 -0400
+@@ -30,12 +30,12 @@ config PROC_FS
+ 
+ config PROC_KCORE
+ 	bool "/proc/kcore support" if !ARM
+-	depends on PROC_FS && MMU
++	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+ 
+ config PROC_VMCORE
+         bool "/proc/vmcore support (EXPERIMENTAL)"
+-        depends on PROC_FS && CRASH_DUMP
+-	default y
++        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++	default n
+         help
+         Exports the dump image of crashed kernel in ELF format.
+ 
+diff -urNp linux-2.6.27.4/fs/proc/proc_misc.c linux-2.6.27.4/fs/proc/proc_misc.c
+--- linux-2.6.27.4/fs/proc/proc_misc.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/proc_misc.c	2008-10-25 12:03:07.000000000 -0400
+@@ -860,6 +860,8 @@ struct proc_dir_entry *proc_root_kcore;
  
  void __init proc_misc_init(void)
  {
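Review bot: The PROC_VMCORE stanza flips the upstream `default y` to `default n` (`+-	default y` / `++	default n`) even though the same stanza already makes the option unselectable under grsecurity via `depends on PROC_FS && CRASH_DUMP && !GRKERNSEC`; the only builds that feel the new default are non-GRKERNSEC ones, which silently lose /proc/vmcore on `make oldconfig`. Keeping the upstream `default y` and letting the `depends on` line do the hiding preserves behaviour for everyone else: change `++	default n` back to ` 	default y` and keep only the `depends on` edit. PROC_KCORE's new `!GRKERNSEC_PROC_ADD` dependency is fine as written.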
@@ -370,7 +372,7 @@
  	static struct {
  		char *name;
  		int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -866,13 +868,24 @@ void __init proc_misc_init(void)
+@@ -875,13 +877,24 @@ void __init proc_misc_init(void)
  		{"stram",	stram_read_proc},
  #endif
  		{"filesystems",	filesystems_read_proc},
@@ -395,7 +397,7 @@
  	proc_symlink("mounts", NULL, "self/mounts");
  
  	/* And now for trickier ones */
-@@ -880,14 +893,18 @@ void __init proc_misc_init(void)
+@@ -889,14 +902,18 @@ void __init proc_misc_init(void)
  	proc_create("kmsg", S_IRUSR, NULL, &proc_kmsg_operations);
  #endif
  	proc_create("locks", 0, NULL, &proc_locks_operations);
@@ -415,7 +417,7 @@
  	proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
  #ifdef CONFIG_DEBUG_SLAB_LEAK
  	proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
-@@ -909,7 +926,7 @@ void __init proc_misc_init(void)
+@@ -918,7 +935,7 @@ void __init proc_misc_init(void)
  #ifdef CONFIG_SCHEDSTATS
  	proc_create("schedstat", 0, NULL, &proc_schedstat_operations);
  #endif
@@ -424,10 +426,28 @@
  	proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
  	if (proc_root_kcore)
  		proc_root_kcore->size =
-diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
---- linux-2.6.26.orig/fs/proc/root.c	2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/root.c	2008-09-02 12:17:21.000000000 +0200
-@@ -139,7 +139,15 @@ void __init proc_root_init(void)
+diff -urNp linux-2.6.27.4/fs/proc/proc_net.c linux-2.6.27.4/fs/proc/proc_net.c
+--- linux-2.6.27.4/fs/proc/proc_net.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/proc_net.c	2008-10-25 12:03:07.000000000 -0400
+@@ -106,6 +106,14 @@ static struct net *get_proc_task_net(str
+ 	struct nsproxy *ns;
+ 	struct net *net = NULL;
+ 
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	if (current->fsuid)
++		return net;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (current->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++		return net;
++#endif
++
+ 	rcu_read_lock();
+ 	task = pid_task(proc_pid(dir), PIDTYPE_PID);
+ 	if (task != NULL) {
+diff -urNp linux-2.6.27.4/fs/proc/root.c linux-2.6.27.4/fs/proc/root.c
+--- linux-2.6.27.4/fs/proc/root.c	2008-10-22 17:38:01.000000000 -0400
++++ linux-2.6.27.4/fs/proc/root.c	2008-10-25 12:03:07.000000000 -0400
+@@ -135,7 +135,15 @@ void __init proc_root_init(void)
  #ifdef CONFIG_PROC_DEVICETREE
  	proc_device_tree_init();
  #endif
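Review bot: `get_proc_task_net` now returns NULL for any caller with a non-zero `fsuid` (or, under PROC_USERGROUP, one outside `CONFIG_GRKERNSEC_PROC_GID`) before `rcu_read_lock()` is taken, which is the right place for the early exit, but nothing says that NULL here means "hidden" rather than "no such task", so a reader has to trust that every caller maps NULL to a not-found result; add `/* GRKERNSEC_PROC_USER: hide /proc/<pid>/net from unprivileged callers; NULL is treated as not-found by callers */` above the `#ifdef`. The gate keys on `fsuid == 0` rather than on a capability, so a non-root caller holding CAP_SYS_PTRACE or CAP_DAC_READ_SEARCH is also refused — presumably intended by the grsecurity model, and worth stating in the same comment. The callers that consume the NULL and the rest of the function are outside the hunk.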
@@ -441,11 +461,11 @@
  	proc_mkdir("bus", NULL);
 +#endif
  	proc_sys_init();
- 	proc_vx_init();
  }
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c
---- linux-2.6.26.orig/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_disabled.c	2008-09-02 12:17:21.000000000 +0200
+ 
+diff -urNp linux-2.6.27.4/grsecurity/grsec_disabled.c linux-2.6.27.4/grsecurity/grsec_disabled.c
+--- linux-2.6.27.4/grsecurity/grsec_disabled.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_disabled.c	2008-10-25 12:03:07.000000000 -0400
 @@ -0,0 +1,6 @@
 +void
 +grsecurity_init(void)
@@ -453,9 +473,9 @@
 +	return;
 +}
 +
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
---- linux-2.6.26.orig/grsecurity/grsec_fifo.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_fifo.c	2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_fifo.c linux-2.6.27.4/grsecurity/grsec_fifo.c
+--- linux-2.6.27.4/grsecurity/grsec_fifo.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_fifo.c	2008-10-25 12:03:07.000000000 -0400
 @@ -0,0 +1,20 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -477,10 +497,10 @@
 +#endif
 +	return 0;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
---- linux-2.6.26.orig/grsecurity/grsec_init.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_init.c	2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,29 @@
+diff -urNp linux-2.6.27.4/grsecurity/grsec_init.c linux-2.6.27.4/grsecurity/grsec_init.c
+--- linux-2.6.27.4/grsecurity/grsec_init.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_init.c	2008-10-25 12:03:07.000000000 -0400
+@@ -0,0 +1,32 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -503,6 +523,9 @@
 +#ifdef CONFIG_GRKERNSEC_LINK
 +	grsec_enable_link = 1;
 +#endif
++#ifdef CONFIG_GRKERNSEC_DMESG
++	grsec_enable_dmesg = 1;
++#endif
 +#ifdef CONFIG_GRKERNSEC_FIFO
 +	grsec_enable_fifo = 1;
 +#endif
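Review bot: `grsec_enable_dmesg = 1` is the only dmesg-related line this revision adds to grsec_init.c (the hunk header grows from 29 to 32 lines, exactly the three `#ifdef` lines), so the variable's definition and `extern` declaration must already live elsewhere in the patch; confirm it is defined alongside the other `grsec_enable_*` ints and that a `CONFIG_GRKERNSEC_DMESG` Kconfig entry plus the consumer in the syslog path exist, otherwise the flag is set but never enforced. A one-line comment above the block, `/* presumably gates unprivileged dmesg(8)/syslog(2) reads; enforced at the syslog hook */`, would tie the flag to its effect for the next reader. `grsecurity_init`'s signature and the remaining `grsec_enable_*` assignments are outside the hunk.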
@@ -510,9 +533,9 @@
 +
 +	return;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c
---- linux-2.6.26.orig/grsecurity/grsec_link.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_link.c	2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_link.c linux-2.6.27.4/grsecurity/grsec_link.c
+--- linux-2.6.27.4/grsecurity/grsec_link.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_link.c	2008-10-25 12:03:07.000000000 -0400
 @@ -0,0 +1,37 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -551,10 +574,10 @@
 +#endif
 +	return 0;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
---- linux-2.6.26.orig/grsecurity/grsec_sock.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sock.c	2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,170 @@
+diff -urNp linux-2.6.27.4/grsecurity/grsec_sock.c linux-2.6.27.4/grsecurity/grsec_sock.c
+--- linux-2.6.27.4/grsecurity/grsec_sock.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_sock.c	2008-10-28 01:32:07.000000000 -0400
+@@ -0,0 +1,169 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -575,7 +598,7 @@
 +};
 +
 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
-+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
++DEFINE_SPINLOCK(gr_conn_table_lock);
 +
 +extern const char * gr_socktype_to_name(unsigned char type);
 +extern const char * gr_proto_to_name(unsigned char proto);
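Review bot: `DEFINE_SPINLOCK(gr_conn_table_lock)` is the correct replacement for the removed `SPIN_LOCK_UNLOCKED` initializer, but both the lock and `gr_conn_table[]` remain non-static globals while the two helpers they pair with are declared as `extern` prototypes inside this .c file (`extern const char * gr_socktype_to_name(...)`, `extern const char * gr_proto_to_name(...)`); if no other translation unit touches the table, make both `static`, and move the prototypes into the shared grsecurity header so the compiler checks them against their definitions. A comment on the table stating its guard, `/* protected by gr_conn_table_lock */`, would also help, since the accessor functions that take the lock are outside the hunk.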
@@ -724,10 +747,9 @@
 +#endif
 +	return;
 +}
-+
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
---- linux-2.6.26.orig/grsecurity/grsec_sysctl.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sysctl.c	2008-09-02 12:17:21.000000000 +0200
+diff -urNp linux-2.6.27.4/grsecurity/grsec_sysctl.c linux-2.6.27.4/grsecurity/grsec_sysctl.c
+--- linux-2.6.27.4/grsecurity/grsec_sysctl.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/grsec_sysctl.c	2008-10-25 13:42:27.000000000 -0400
 @@ -0,0 +1,52 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -739,7 +761,7 @@
 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
 +{
 +#ifdef CONFIG_GRKERNSEC_SYSCTL
-+	if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
++	if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
 +		return -EACCES;
 +	}
 +#endif
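Review bot: `(op & MAY_WRITE)` is value-equivalent to the old `(op & 002)` (both test bit value 2), so this is a readability fix rather than a behaviour change; record that `op` is a `MAY_*` permission mask and not an octal mode, `/* op is a MAY_* mask; once grsec_lock is set, writes under the grsecurity sysctl dir are refused */`, since the old literal invited exactly that confusion. `strcmp(dirname, "grsecurity")` assumes the caller never passes NULL for the root of the sysctl tree — confirm at the call site, which is outside the hunk, as is whatever follows the `#endif`.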
@@ -781,10 +803,10 @@
 +	{ .ctl_name = 0 }
 +};
 +#endif
-diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
---- linux-2.6.26.orig/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/Kconfig	2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,123 @@
+diff -urNp linux-2.6.27.4/grsecurity/Kconfig linux-2.6.27.4/grsecurity/Kconfig
+--- linux-2.6.27.4/grsecurity/Kconfig	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/Kconfig	2008-10-25 12:03:07.000000000 -0400
+@@ -0,0 +1,128 @@
 +#
 +# grecurity configuration
 +#
@@ -868,19 +890,11 @@
 +	  option is enabled, a sysctl option with name "fifo_restrictions" is
 +	  created.
 +
-+config GRKERNSEC_PROC_IPADDR
-+	bool "/proc/<pid>/ipaddr support"
-+	help
-+	  If you say Y here, a new entry will be added to each /proc/<pid>
-+	  directory that contains the IP address of the person using the task.
-+	  The IP is carried across local TCP and AF_UNIX stream sockets.
-+	  This information can be useful for IDS/IPSes to perform remote response
-+	  to a local attack.  The entry is readable by only the owner of the
-+	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
-+	  the RBAC system), and thus does not create privacy concerns.
-+
 +endmenu
 +
++menu "Sysctl support"
++depends on GRKERNSEC && SYSCTL
++
 +config GRKERNSEC_SYSCTL
 +	bool "Sysctl support"
 +	help
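Review bot: The new `menu "Sysctl support"` wraps a single option whose own prompt is also `bool "Sysctl support"`, so menuconfig shows a submenu and an identically named entry inside it; either drop the menu and put `depends on GRKERNSEC && SYSCTL` directly on `config GRKERNSEC_SYSCTL`, or give the menu a distinct title. The `depends on` under `menu` is valid Kconfig and hides the whole submenu when SYSCTL is off, which is presumably the intended effect. The help text of GRKERNSEC_SYSCTL and the enclosing menu's closing `endmenu` are partly outside the hunk.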
@@ -908,9 +922,22 @@
 +	  the sysctl entries.
 +
 +endmenu
-diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile
---- linux-2.6.26.orig/grsecurity/Makefile	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/Makefile	2008-09-02 12:17:21.000000000 +0200
++
++config GRKERNSEC_PROC_IPADDR
++	bool "/proc/<pid>/ipaddr support"
++	help
++	  If you say Y here, a new entry will be added to each /proc/<pid>
++	  directory that contains the IP address of the person using the task.
++	  The IP is carried across local TCP and AF_UNIX stream sockets.
++	  This information can be useful for IDS/IPSes to perform remote response
++	  to a local attack.  The entry is readable by only the owner of the
++	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++	  the RBAC system), and thus does not create privacy concerns.
++
++endmenu
+diff -urNp linux-2.6.27.4/grsecurity/Makefile linux-2.6.27.4/grsecurity/Makefile
+--- linux-2.6.27.4/grsecurity/Makefile	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.27.4/grsecurity/Makefile	2008-10-25 12:03:07.000000000 -0400
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-vs-minimal.patch?r1=1.1.2.8.2.10&r2=1.1.2.8.2.11&f=u


