diff -urN linux/Documentation/Configure.help linux/Documentation/Configure.help --- linux/Documentation/Configure.help Mon Feb 25 14:37:51 2002 +++ linux/Documentation/Configure.help Fri Mar 1 08:28:00 2002 @@ -2404,6 +2404,20 @@ If you want to compile it as a module, say M here and read . If unsure, say `N'. +stealth networking support +CONFIG_IP_NF_MATCH_STEALTH + Enabling this option will drop all syn packets coming to unserved tcp + ports as well as all packets coming to unserved udp ports. If you + are using your system to route any type of packets (ie. via NAT) + you should put this module at the end of your ruleset, since it will + drop packets that aren't going to ports that are listening on your + machine itself, it doesn't take into account that the packet might be + destined for someone on your internal network if you're using NAT for + instance. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `N'. + MAC address match support CONFIG_IP_NF_MATCH_MAC MAC matching allows you to match packets based on the source @@ -19946,6 +19960,828 @@ - "Area6" if it is connected to Area 6 (0x18000000) "Area6" will work for most boards. For ADX, select "Area5". + +Grsecurity +CONFIG_GRKERNSEC + If you say Y here, you will be able to configure many features that + will enhance the security of your system. It is highly recommended + that you say Y here and read through the help for each option so + you fully understand what it's doing and can evaluate its usefulness + for your machine. + +Additional security levels +CONFIG_GRKERNSEC_LOW + + Low additional security + ----------------------------------------------------------------------- + If you choose this option, several of the grsecurity options will + be enabled that will give you greater protection against a number + of attacks, while assuring that none of your software will have any + conflicts with the additional security measures. If you run a lot of + unusual software, or you are having problems with the higher security + levels, you should say Y here. With this option, the following features + are enabled: + + linking restrictions + fifo restrictions + secure fds + random pids + enforcing nproc on execve() + restricted dmesg + random ip ids + enforced chdir("/") on chroot + secure keymap loading + + Medium additional security + ----------------------------------------------------------------------- + If you say Y here, several features in addition to those included in the + low additional security level will be enabled. These features provide + even more security to your system, though in rare cases they may + be incompatible with very old or poorly written software. If you + enable this option, make sure that your auth service (identd) is + running as gid 10 (usually group wheel). With this option the following + features (in addition to those provided in the low additional security + level) will be enabled: + + random tcp source ports + altered ping ids + failed fork logging + time change logging + signal logging + deny mounts in chroot + deny double chrooting + deny mknod in chroot + /proc restrictions with special gid set to 10 (usually wheel) + pax's random mmap + + High additional security + ---------------------------------------------------------------------- + If you say Y here, many of the features of grsecurity will be enabled, + that will protect you against virtually all kinds of attacks against + your system. The much hightened security comes at a cost of an + increased chance of incompatabilities with rare software on your + machine. It is highly recommended that you view + and read about each option. Since + this security level enabled PaX, you should also view + and read about the PaX project. While + you are there, download chpax.c and run chpax -p on binaries that cause + problems with PaX. Also remember that since the /proc restrictions are + enabled, you must run your identd as group wheel (gid 10). The + grsecurity ACL system is also enabled in this level. To learn how to + correctly configure it, view the ACL documentation on + . This security level enables the following + features in addition to those listed in the low and medium security + levels: + + grsecurity ACL system + additional /proc restrictions + signal restrictions in chroot + chmod restrictions in chroot + no ptrace in chroot + priority restrictions in chroot + PaX - random mmap, noexec on all memory pages, restricted mprotect + fixed mmap restrictions + mount/unmount/remount logging + restricted ptrace (only root and users in group wheel (gid 10) are + allowed to ptrace) + +Customized additional security +CONFIG_GRKERNSEC_CUSTOM + If you say Y here, you will be able to configure every grsecurity + option, which allows you to enable many more features that aren't + covered in the basic security levels. These additional features include + TPE, socket restrictions, and the sysctl system for grsecurity. It is + advised that you read through the help for each option to determine its + usefulness in your situation. + +OpenWall Non-executable Stack +CONFIG_GRKERNSEC_STACK + If you say Y here, your system will not allow execution of + code on the stack, making buffer overflow exploitation more difficult. + The code for this protection is taken from the Openwall patch for + linux 2.2 by Solar Designer. You can view his projects at + . + Exploits against your machine with this protection will have to dabble + in more obscure methods of exploitation(bss,got,heap..) + +Gcc trampoline support +CONFIG_GRKERNSEC_STACK_GCC + If you say Y here, the system will support trampoline code along + with the stack protection. If you do not have any programs on + your system that require this (glibc 2.0 users must say YES to + this option) you may say no here. + +PaX protection +CONFIG_GRKERNSEC_PAX + By design the IA-32 architecture does not allow for protecting + memory pages against execution, i.e. if a page is readable (such + as the stack or heap) it is also executable. There is a well + known exploit technique that makes use of this fact and a common + programming mistake where an attacker can introduce executable + code of his choice somewhere in the attacked program's memory + (typically the stack or the heap) and then execute it. If the + attacked program was running with different (typically higher) + privileges than that of the attacker, then he can elevate his + own privilege level (e.g. get a root shell, write to files for + which he does not have write access to, etc). + + Since the implementation is software based, it comes with a + performance impact, you should evaluate your system carefully + before deciding to use this feature on production systems. + + Enabling this feature will enforce the non-executable flag on + memory pages thereby making it harder to execute 'foreign' code + in a program. This will also break programs that rely on the + old behaviour and expect that dynamically allocated memory via + the malloc() family of functions is executable (which it is not). + Notable examples are the XFree86 4.x server, the java runtime + and wine. + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. chpax is available at + + +Emulate trampolines +CONFIG_GRKERNSEC_PAX_EMUTRAMP + There are some programs and libraries that for one reason or + another attempt to execute special small code snippets from + non-executable memory pages. Most notable examples are the + signal handler return code generated by the kernel itself and + the GCC trampolines. + + If you enabled CONFIG_GRKERNSEC_PAX then such programs will no + longer work under your kernel. As a remedy you can say Y here + and use the 'chpax' utility to enable trampoline emulation for + the affected programs yet still have the protection provided by + CONFIG_GRKERNSEC_PAX. Alternatively you can say N here and use + the 'chpax' utility to disable CONFIG_GRKERNSEC_PAX for the + affected files. chpax is available at + + + NOTE: enabling this feature *may* open up a loophole in the + protection provided by CONFIG_GRKERNSEC_PAX that an attacker + could abuse. Therefore the best solution is to not have any + files on your system that would require this option. This can + be achieved by not using libc5 (which relies on the kernel + signal handler return code) and not using or rewriting programs + that make use of the nested function implementation of GCC. + Skilled users can just fix GCC itself so that it implements + nested function calls in a way that does not interfere with PaX. + +Restrict mprotect() +CONFIG_GRKERNSEC_PAX_MPROTECT + Enabling this option will prevent programs from changing the + executable status of memory pages that were not originally + created as executable. The kernel will also prevent programs + from making read-only executable pages writable again. + + You should say Y here to complete the protection provided by + the enforcement of the PAGE_EXEC flag (CONFIG_GRKERNSEC_PAX). + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. chpax is available at + + +Randomize mmap() base +CONFIG_GRKERNSEC_PAX_RANDMMAP + By saying Y here the kernel will somewhat randomize the address + space layout of programs at each execution (the top of the stack, the + base address for mmap() requests that do not specify one themselves + and the base address of dynamic ELF executables). + + As a result all dynamically loaded libraries will appear at random + addresses and therefore be harder to exploit by a technique where + an attacker attempts to execute library code for his purposes + (e.g. spawn a shell from an exploited program that is running at + an elevated privilege level). + + Furthermore, if a program is relinked as a dynamic ELF file, its + base address layout will be randomized as well, completing the full + randomization of the address space. Attacking such programs becomes + a guess game. + + It is strongly recommended to say Y here even if CONFIG_GRKERNSEC_PAX + is not enabled as address space layout randomization has negligible + impact on performance yet it provides a very effective protection. + + NOTE: you can use the 'chpax' utility to enable/disable this + feature on a per file basis. chpax is available at + + +Read-only kernel memory +CONFIG_GRKERNSEC_KMEM + If you say Y here, root will not be able to modify the contents of + kernel memory. If module support is removed in addition to enabling + this option, the ability of an attacker to insert foreign code into + a running kernel is removed. + +Fixed mmap restrictions +CONFIG_GRKERNSEC_MMAPFIXED + If you say Y here, it will be impossible for an attacker to bypass the + PaX buffer overflow protection by mmaping an executable memory region + with a specific address set. + +Proc Restrictions +CONFIG_GRKERNSEC_PROC + If you say Y here, the permissions of the /proc filesystem + will be altered to enhance system security and privacy. Depending + upon the options you choose, you can either restrict users to see + only the processes they themselves run, or choose a group that can + view all processes and files normally restricted to root if you choose + the "restrict to user only" option. NOTE: If you're running identd as + a non-root user, you will have to run it as the group you specify here. + +Restrict /proc to user only +CONFIG_GRKERNSEC_PROC_USER + If you say Y here, non-root users will only be able to view their own + processes, and restricts them from viewing network-related information, + and viewing kernel symbol and module information. + +Restrict /proc to user and group +CONFIG_GRKERNSEC_PROC_USERGROUP + If you say Y here, you will be able to select a group that will be + able to view all processes, network-related information, and + kernel and symbol information. This option is useful if you want + to run identd as a non-root user. + +Additional proc restrictions +CONFIG_GRKERNSEC_PROC_ADD + If you say Y here, additional restrictions will be placed on + /proc that keep normal users from viewing cpu and device information. + +Dmesg(8) Restriction +CONFIG_GRKERNSEC_DMESG + If you say Y here, non-root users will not be able to use dmesg(8) + to view up to the last 4kb of messages in the kernel's log buffer. + If the sysctl option is enabled, a sysctl option with name "dmesg" is + created. + +Linking restrictions +CONFIG_GRKERNSEC_LINK + If you say Y here, /tmp race exploits will be prevented, since users + will no longer be able to follow symlinks owned by other users in + world-writeable +t directories (i.e. /tmp), unless the owner of the + symlink is the owner of the directory. users will also not be + able to hardlink to files they do not own. If the sysctl option is + enabled, a sysctl option with name "linking_restrictions" is created. + +FIFO restrictions +CONFIG_GRKERNSEC_FIFO + If you say Y here, users will not be able to write to FIFOs they don't + own in world-writeable +t directories (i.e. /tmp), unless the owner of + the FIFO is the same owner of the directory it's held in. If the sysctl + option is enabled, a sysctl option with name "fifo_restrictions" is + created. + +Secure file descriptors +CONFIG_GRKERNSEC_FD + If you say Y here, binaries will be protected from data spoofing + attacks (eg. making a program read /etc/shadow). The patches do this + by opening up /dev/null to any of the stdin, stdout, stderr file descriptors + for binaries that are open. If the sysctl option is enabled, a sysctl + option with name "secure_fds" is created. + +Exec process limiting +CONFIG_GRKERNSEC_EXECVE + If you say Y here, users with a resource limit on processes will + have the value checked during execve() calls. The current system + only checks the system limit during fork() calls. If the sysctl option + is enabled, a sysctl option with name "execve_limiting" is created. + +Fork-bombing protection +CONFIG_GRKERNSEC_FORKBOMB + If you say Y here, you will be able to configure a group to add to users + on your system that you want to be unable to fork-bomb the system. + You will be able to specify a maximum process limit for the user and + set a rate limit for all forks under their uid. (Fork-bombing is a + tactic used by attackers that can be enacted in two ways, (1) loading + up thousands of processes until the system can't take any more (this + method can be stopped outside of the kernel with PAM, however we place + protection for it in the kernel to be more complete and reduce overhead), + and (2), by forking processes at a rapid rate, and then killing them + off, which cannot be protected against in the same way at tactic 1) + The rate limit is specified in forks allowed per second. Set this + limit low enough to stop tactic 2, but high enough to allow for + normal operation. The protection will kill the offending process. + If the sysctl option is enabled, a sysctl option with name + "fork_bomb_prot" is created. + +Max processes for fork-bomb protection +CONFIG_GRKERNSEC_FORKBOMB_MAX + Here you can configure the maximum number of processes users in the + fork-bomb protected group can run. I would not recommend setting a + value lower than 8, since some programs like man(1) spawn up to 8 + processes to run. The default value should be fine for most purposes. + If the sysctl option is enabled, a sysctl option with name + "fork_bomb_max" is created. + +Forks allowed per second +CONFIG_GRKERNSEC_FORKBOMB_SEC + Here you can specify the maximum number of forks allowed per second. + You don't want to set this value too low, or else you'll hinder + normal operation of your system. The default value should be fine for + most users. If the sysctl option is enabled, a sysctl option with name + "fork_bomb_sec" is created. + +Group for fork-bomb protection +CONFIG_GRKERNSEC_FORKBOMB_GID + Here you can choose the GID to enable fork-bomb protection for. + Remember to add the users you want protection enabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "fork_bomb_gid" is created. + +Single group for auditing +CONFIG_GRKERNSEC_AUDIT_GROUP + If you say Y here, the exec, chdir, (un)mount, and ipc logging features + will only operate on a group you specify. This option is recommended + if you only want to watch certain users instead of having a large + amount of logs from the entire system. If the sysctl option is enabled, + a sysctl option with name "audit_group" is created. + +GID for auditing +CONFIG_GRKERNSEC_AUDIT_GID + Here you can choose the GID that will be the target of kernel auditing. + Remember to add the users you want to log to the GID specified here. + If the sysctl option is enabled, whatever you choose here won't matter. + You'll have to specify the GID in your bootup script by echoing the GID + to the proper /proc entry. View the help on the sysctl option for more + information. If the sysctl option is enabled, a sysctl option with name + "audit_gid" is created. + +Chdir logging +CONFIG_GRKERNSEC_AUDIT_CHDIR + If you say Y here, all chdir() calls will be logged. If the sysctl + option is enabled, a sysctl option with name "audit_chdir" is created. + +(Un)Mount logging +CONFIG_GRKERNSEC_AUDIT_MOUNT + If you say Y here, all mounts and unmounts will be logged. If the + sysctl option is enabled, a sysctl option with name "audit_mount" is + created. + +IPC logging +CONFIG_GRKERNSEC_AUDIT_IPC + If you say Y here, creation and removal of message queues, semaphores, + and shared memory will be logged. If the sysctl option is enabled, a + sysctl option with name "audit_ipc" is created. + +Exec logging +CONFIG_GRKERNSEC_EXECLOG + If you say Y here, all execve() calls will be logged (since the + other exec*() calls are frontends to execve(), all execution + will be logged). Useful for shell-servers that like to keep track + of their users. If the sysctl option is enabled, a sysctl option with + name "exec_logging" is created. + WARNING: This option when enabled will produce a LOT of logs, especially + on an active system. + +Set*id logging +CONFIG_GRKERNSEC_SUID + If you say Y here, all set*id() calls will be logged. Such information + could be useful when detecting a possible intrusion attempt. This + option can produce a lot of logs on an active system. If the sysctl + option is enabled, a sysctl option with name "suid_logging" is created. + +Log set*ids to root +CONFIG_GRKERNSEC_SUID_ROOT + If you say Y here, only set*id() calls where a user is changing to the + gid or uid of the root user will be logged. Such information + could be useful when detecting a possible intrusion attempt. This + option will produce less logs than logging all calls. If the sysctl + option is enabled, a sysctl option with name "suid_root_logging" is + created. + +Altered default IPC permissions +CONFIG_GRKERNSEC_IPC + If you say Y here, the default permissions for IPC objects will be + set based on the filesystem umask of the user creating the object. + By default linux sets the permissions to ugo+rwx, which can be + a security problem if the application doesn't explicitly set the + permissions of the IPC object. Since this change affects programs + using IPC, it might break some programs that are expecting the + default permission behavior. It is known to break Apache 1.3.22. + +Signal logging +CONFIG_GRKERNSEC_SIGNAL + If you say Y here, certain important signals will be logged, such as + SIGSEGV, which will as a result inform you of when a error in a program + occurred, which in some cases could mean a possible exploit attempt. + If the sysctl option is enabled, a sysctl option with name + "signal_logging" is created. + +BSD-style coredumps +CONFIG_GRKERNSEC_COREDUMP + If you say Y here, linux will use a style similar to BSD for + coredumps, core.processname. Not a security feature, just + a useful one. If the sysctl option is enabled, a sysctl option with + name "coredump" is created. + +Fork failure logging +CONFIG_GRKERNSEC_FORKFAIL + If you say Y here, all failed fork() attempts will be logged. + This could suggest a fork bomb, or someone attempting to overstep + their process limit. If the sysctl option is enabled, a sysctl option + with name "forkfail_logging" is created. + +Time change logging +CONFIG_GRKERNSEC_TIME + If you say Y here, any changes of the system clock will be logged. + If the sysctl option is enabled, a sysctl option with name + "timechange_logging" is created. + +Secure keymap loading +CONFIG_GRKERNSEC_KBMAP + If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being + called by unprivileged users will be denied. If you answer N, + everyone with access to the console will be able to modify keyboard + bindings. If the sysctl option is enabled, a sysctl option with name + "secure_kbmap" is created. + +Chroot jail restrictions +CONFIG_GRKERNSEC_CHROOT + If you say Y here, you will be able to choose several options that will + make breaking out of a chrooted jail much more difficult. If you + encounter no software incompatibilities with the following options, it + is recommended that you enable each one. + +Restricted signals in chroot +CONFIG_GRKERNSEC_CHROOT_SIG + If you say Y here, processes inside a chroot will not be able to send + signals outside of the chroot. The only signals allowed are null + signals which perform no action, and the parent process sending + a certain signal to its child. If the sysctl option is enabled, a + sysctl option with name "chroot_restrict_sigs" is created. + +Deny mounts in chroot +CONFIG_GRKERNSEC_CHROOT_MOUNT + If you say Y here, processes inside a chroot will not be able to + mount or remount filesystems. If the sysctl option is enabled, a + sysctl option with name "chroot_deny_mount" is created. + +Deny double-chroots +CONFIG_GRKERNSEC_CHROOT_DOUBLE + If you say Y here, processes inside a chroot will not be able to chroot + again. This is a widely used method of breaking out of a chroot jail + and should not be allowed. If the sysctl option is enabled, a sysctl + option with name "chroot_deny_chroot" is created. + +Enforce chdir("/") on all chroots +CONFIG_GRKERNSEC_CHROOT_CHDIR + If you say Y here, the current working directory of all newly-chrooted + applications will be set to the the root directory of the chroot. + The man page on chroot(2) states: + Note that this call does not change the current working + directory, so that `.' can be outside the tree rooted at + `/'. In particular, the super-user can escape from a + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. + + It is recommended that you say Y here, since it's not known to break + any software. If the sysctl option is enabled, a sysctl option with + name "chroot_enforce_chdir" is created. + +Deny (f)chmod +s in chroot +CONFIG_GRKERNSEC_CHROOT_CHMOD + If you say Y here, processes inside a chroot will not be able to chmod + or fchmod files to make them have suid or sgid bits. This protects + against another published method of breaking a chroot. If the sysctl + option is enabled, a sysctl option with name "chroot_deny_chmod" is + created. + +Deny mknod in chroot +CONFIG_GRKERNSEC_CHROOT_MKNOD + If you say Y here, processes inside a chroot will not be allowed to + mknod. The problem with using mknod inside a chroot is that it + would allow an attacker to create a device entry that is the same + as one on the physical root of your system, which could range from + anyhing from the console device to a device for your harddrive (which + they could then use to wipe the drive or steal data). It is recommended + that you say Y here, unless you run into software incompatibilities. + If the sysctl option is enabled, a sysctl option with name + "chroot_deny_mknod" is created. + +Deny ptraces in chroot +CONFIG_GRKERNSEC_CHROOT_PTRACE + If you say Y here, processes inside a chroot will not be able to ptrace + other processes. Ptracing a process allows one to attach and alter the + flow of execution for the process. It is strongly recommended that you + say Y here. If the sysctl option is enabled, a sysctl option with name + "chroot_deny_ptrace" is created. + +Restrict priority changes in chroot +CONFIG_GRKERNSEC_CHROOT_NICE + If you say Y here, processes inside a chroot will not be able to raise + the priority of processes in the chroot, or alter the priority of + processes outside the chroot. This provides more security than simply + removing CAP_SYS_NICE from the process' capability set. If the + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" + is created. + +Log all execs within chroot +CONFIG_GRKERNSEC_CHROOT_EXECLOG + If you say Y here, all executions inside a chroot jail will be logged + to syslog. If the sysctl option is enabled, a sysctl option with name + "chroot_execlog" is created. + +Chroot jail capability restrictions +CONFIG_GRKERNSEC_CHROOT_CAPS + If you say Y here, the capabilities on all root processes within a + chroot jail will be lowered to stop module insertion, raw i/o, + system and net admin tasks, rebooting the system, modifying immutable + files, and changing the system time. This is left an option because it + can break some apps. Disable this if your chrooted apps are having + problems performing those kinds of tasks. If the sysctl option is + enabled, a sysctl option with name "chroot_caps" is created. + +Trusted path execution +CONFIG_GRKERNSEC_TPE + If you say Y here, you will be able to choose a gid to add to the + supplementary groups of users you want to mark as "untrusted." + These users will not be able to execute any files that are not in + root-owned directories writeable only by root. If the sysctl option + is enabled, a sysctl option with name "tpe" is created. + +Group for trusted path execution +CONFIG_GRKERNSEC_TPE_GID + Here you can choose the GID to enable trusted path protection for. + Remember to add the users you want protection enabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "tpe_gid" is created. + +Partially restrict non-root users +CONFIG_GRKERNSEC_TPE_ALL + If you say Y here, All non-root users other than the ones in the + group specified in the main TPE option will only be allowed to + execute files in directories they own that are not group or + world-writeable, or in directories owned by root and writeable only by + root. If the sysctl option is enabled, a sysctl option with name + "tpe_restrict_all" is created. + +Trusted path execution glibc protection +CONFIG_GRKERNSEC_TPE_GLIBC + If you say Y here, all non-root users executing any files while + glibc specific environment variables such as LD_PRELOAD are set, + will have their environment cleared of these variables, since they + could be used to evade the trusted path execution protection. It also + protects against evasion through executing the dynamic linker to run a + rogue binary. It is recommended you say Y here also. If the sysctl + option is enabled, a sysctl option with name "tpe_glibc" is created. + +Ptrace logging +CONFIG_GRKERNSEC_AUDIT_PTRACE + If you say Y here, all successful ptraces will be logged. Ptraces are + special operations performed when programs like strace or gdb are run. + They have also been the focus of some kernel vulnerabilities. If the + sysctl option is enabled, a sysctl option with name "audit_ptrace" is + created. + +Restricted ptrace +CONFIG_GRKERNSEC_PTRACE + If you say Y here, no one but root will be able to ptrace processes. + Tracing syscalls inside the kernel will also be disabled. If the + sysctl option is enabled, a sysctl option with name "restrict_ptrace" + is created. + +Allow ptrace for group +CONFIG_GRKERNSEC_PTRACE_GROUP + If you say Y here, you will be able to choose a GID of whose users + will be able to ptrace. If the sysctl option is enabled, a sysctl + option with name "allow_ptrace_group" is created. + +GID for ptrace +CONFIG_GRKERNSEC_PTRACE_GID + Here you can choose the GID of whose users will be able to ptrace. + Remember to add the users you want ptrace enabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "ptrace_gid" is created. + +Randomized PIDs +CONFIG_GRKERNSEC_RANDPID + If you say Y here, all PIDs created on the system will be + pseudo-randomly generated. This is extremely effective along + with the /proc restrictions to disallow an attacker from guessing + pids of daemons, etc. PIDs are also used in some cases as part + of a naming system for temporary files, so this option would keep + those filenames from being predicted as well. We also use code + to make sure that PID numbers aren't reused too soon. If the sysctl + option is enabled, a sysctl option with name "rand_pids" is created. + +Limit uid/gid changes to root +CONFIG_GRKERNSEC_TTYROOT + If you say Y here, you will be able choose from three option that + will allow you to restrict access to the root account by console + type. These options should only be enabled if you are sure of what + you're doing. Also note that they only apply to processes that have + ttys, which generally involves some kind of user-interaction. The + options are basically in place to keep users on a system who have a + (stolen) password for root from using it unless their console + credentials match. + +Deny physical consoles (tty) +CONFIG_GRKERNSEC_TTYROOT_PHYS + If you say Y here, access to root from physical consoles will be + denied. This is only recommended for rare cases where you will + never need to be physically at the machine. If the sysctl option + is enabled, a sysctl option with name "deny_phys_root" is created. + +Deny serial consoles (ttyS) +CONFIG_GRKERNSEC_TTYROOT_SERIAL + If you say Y here, access to root from serial consoles will be + denied. Most people can say Y here, since most don't use serial + devices for their console access. If you are unsure, say N. If + the sysctl option is enabled, a sysctl option with name + "deny_serial_root" is created. + +Deny pseudo consoles (pty) +CONFIG_GRKERNSEC_TTYROOT_PSEUDO + If you say Y here, access to root from pseudo consoles will be + denied. Pseudo consoles include consoles from telnet, ssh, or any other + kind of interactive shell initiated from the network. Pseudo consoles + also include any terminals you use in XFree86. If you will only be + accessing the machine for root access from the physical console, you + can say Y here. Only say Y here if you're sure of what you're doing. + If the sysctl option is enabled, a sysctl option with name + "deny_pseudo_root" is created. + +Randomized IP IDs +CONFIG_GRKERNSEC_RANDID + If you say Y here, all the id field on all outgoing packets + will be randomized. This hinders os fingerprinters and + keeps your machine from being used as a bounce for an untraceable + portscan. Ids are used for fragmented packets, fragments belonging + to the same packet have the same id. By default linux only + increments the id value on each packet sent to an individual host. + We use a port of the OpenBSD random ip id code to achieve the + randomness, while keeping the possibility of id duplicates to + near none. If the sysctl option is enabled, a sysctl option with name + "rand_ip_ids" is created. + +Randomized TCP source ports +CONFIG_GRKERNSEC_RANDSRC + If you say Y here, situations where a source port is generated on the + fly for the TCP protocol (ie. with connect() ) will be altered so that + the source port is generated at random, instead of a simple incrementing + algorithm. If the sysctl option is enabled, a sysctl option with name + "rand_tcp_src_ports" is created. + +Randomized RPC XIDs +CONFIG_GRKERNSEC_RANDRPC + If you say Y here, the method of determining XIDs for RPC requests will + be randomized, instead of using linux's default behavior of simply + incrementing the XID. If you want your RPC connections to be more + secure, say Y here. If the sysctl option is enabled, a sysctl option + with name "rand_rpc" is created. + +Altered Ping IDs +CONFIG_GRKERNSEC_RANDPING + If you say Y here, the way Linux handles echo replies will be changed + so that the reply uses an ID equal to the ID of the echo request. + This will help in confusing OS detection. If the sysctl option is + enabled, a sysctl option with name "altered_pings" is created. + +Randomized TTL +CONFIG_GRKERNSEC_RANDTTL + If you say Y here, your TTL (time to live) for packets will be set at + random, with a base of the sysctl ttl default, to further confuse OS + detection. If the sysctl option is enabled, a sysctl option with name + "rand_ttl" is created. + +Socket restrictions +CONFIG_GRKERNSEC_SOCKET + If you say Y here, you will be able to choose from several options. + If you assign a GID on your system and add it to the supplementary + groups of users you want to restrict socket access to, this patch + will perform up to three things, based on the option(s) you choose. + +Deny all socket access +CONFIG_GRKERNSEC_SOCKET_ALL + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine or run server + applications from your machine. If the sysctl option is enabled, a + sysctl option with name "socket_all" is created. + +Group for disabled socket access +CONFIG_GRKERNSEC_SOCKET_ALL_GID + Here you can choose the GID to disable socket access for. Remember to + add the users you want socket access disabled for to the GID + specified here. If the sysctl option is enabled, whatever you choose + here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_all_gid" is created. + +Deny all client socket access +CONFIG_GRKERNSEC_SOCKET_CLIENT + If you say Y here, you will be able to choose a GID of whose users will + be unable to connect to other hosts from your machine, but will be + able to run servers. If this option is enabled, all users in the group + you specify will have to use passive mode when initiating ftp transfers + from the shell on your machine. If the sysctl option is enabled, a + sysctl option with name "socket_client" is created. + +Group for disabled client socket access +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID + Here you can choose the GID to disable client socket access for. + Remember to add the users you want client socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_client_gid" is created. + +Deny all server socket access +CONFIG_GRKERNSEC_SOCKET_SERVER + If you say Y here, you will be able to choose a GID of whose users will + be unable to run server applications from your machine. If the sysctl + option is enabled, a sysctl option with name "socket_server" is created. + +Group for disabled server socket access +CONFIG_GRKERNSEC_SOCKET_SERVER_GID + Here you can choose the GID to disable server socket access for. + Remember to add the users you want server socket access disabled for to + the GID specified here. If the sysctl option is enabled, whatever you + choose here won't matter. You'll have to specify the GID in your bootup + script by echoing the GID to the proper /proc entry. View the help + on the sysctl option for more information. If the sysctl option is + enabled, a sysctl option with name "socket_server_gid" is created. + +Sysctl support +CONFIG_GRKERNSEC_SYSCTL + If you say Y here, you will be able to change the options that + grsecurity runs with at bootup, without having to recompile your + kernel. You can echo values to files in /proc/sys/kernel/grsecurity + to enable (1) or disable (0) various features. All the sysctl entries + are mutable until the "grsec_lock" entry is set to a non-zero value. + All features are disabled by default. Please note that this option could + reduce the effectiveness of the added security of this patch if an ACL + system is not put in place. Your init scripts should be read-only, and + root should not have access to adding modules or performing raw i/o + operations. All options should be set at startup, and the grsec_lock + entry should be set to a non-zero value after all the options are set. + *THIS IS EXTREMELY IMPORTANT* + +Grsecurity ACL System +CONFIG_GRKERNSEC_ACL + If you say Y here, you enable the Access Control List system for + grsecurity. Unlike many other popular ACL systems, it allows both + process and file ACLs. To use the ACL system, you must also download the + userspace code and documentation off the grsecurity website: + You will then need to run gradm setup to set + your password and create your config files. + +Denied capability logging +CONFIG_GRKERNSEC_ACL_CAPLOG + If you say Y here, logs will be produced when a root-owned process does + not have a needed capability raised in his set. This information is + useful when creating ACLs for your system. + +Seconds in between log messages +CONFIG_GRKERNSEC_FLOODTIME + This option allows you to enforce the number of seconds between + grsecurity log messages. The default should be suitable for most + people, however, if you choose to change it, choose a value small enough + to allow informative logs to be produced, but large enough to + prevent flooding. + +ACL Debugging Messages +CONFIG_GR_DEBUG + This option allows the grsecurity ACL system to print debugging messages + as an aid to finding problems in your ACL sets. + +Extra ACL Debugging Messages +CONFIG_GR_SUPERDEBUG + This option allows you to enable additional debugging messages that can + also help you in finding problems in your ACL sets or to gain a better + understanding of the internal workings of the ACL system. + +Path to gradm +CONFIG_GRADM_PATH + This should be set to the path of the gradm binary installed on your + system. If gradm is not yet installed on your system, download + gradm from and follow the directions in the + README. + +Maximum tries before password lockout +CONFIG_GR_MAXTRIES + This option enforces the maximum number of times a user can attempt + to authorize themselves with the grsecurity ACL system before being + denied the ability to attempt authorization again for a specified time. + The lower the number, the harder it will be to brute-force a password. + +Time to wait after max password tries, in seconds +CONFIG_GR_TIMEOUT + This option specifies the time the user must wait after attempting to + authorize to the ACL system with the maximum number of invalid + passwords. The higher the number, the harder it will be to brute-force + a password. # # m68k-specific kernel options diff -urN linux/Makefile linux/Makefile --- linux/Makefile Mon Feb 25 14:37:52 2002 +++ linux/Makefile Mon Feb 25 16:09:27 2002 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 18 -EXTRAVERSION = +EXTRAVERSION = -grsec-1.9.4 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) diff -urN linux/arch/alpha/config.in linux/arch/alpha/config.in --- linux/arch/alpha/config.in Tue Nov 20 18:49:31 2001 +++ linux/arch/alpha/config.in Mon Feb 25 16:09:02 2002 @@ -393,3 +393,12 @@ fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/arm/config.in linux/arch/arm/config.in --- linux/arch/arm/config.in Fri Nov 9 16:58:02 2001 +++ linux/arch/arm/config.in Mon Feb 25 16:09:02 2002 @@ -606,3 +606,12 @@ dep_bool ' Kernel low-level debugging messages via footbridge serial port' CONFIG_DEBUG_DC21285_PORT $CONFIG_DEBUG_LL $CONFIG_FOOTBRIDGE dep_bool ' kernel low-level debugging messages via UART2' CONFIG_DEBUG_CLPS711X_UART2 $CONFIG_DEBUG_LL $CONFIG_ARCH_CLPS711X endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/cris/config.in linux/arch/cris/config.in --- linux/arch/cris/config.in Mon Feb 25 14:37:52 2002 +++ linux/arch/cris/config.in Mon Feb 25 16:09:02 2002 @@ -254,3 +254,12 @@ int ' Profile shift count' CONFIG_PROFILE_SHIFT 2 fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/i386/config.in linux/arch/i386/config.in --- linux/arch/i386/config.in Mon Feb 25 14:37:52 2002 +++ linux/arch/i386/config.in Mon Feb 25 16:09:02 2002 @@ -425,3 +425,12 @@ fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/i386/kernel/entry.S linux/arch/i386/kernel/entry.S --- linux/arch/i386/kernel/entry.S Mon Feb 25 14:37:53 2002 +++ linux/arch/i386/kernel/entry.S Mon Feb 25 16:09:02 2002 @@ -45,6 +45,7 @@ #include #include #include +#include EBX = 0x00 ECX = 0x04 @@ -381,8 +382,52 @@ jmp error_code ENTRY(page_fault) +#ifdef CONFIG_GRKERNSEC_PAX + ALIGN + pushl $ SYMBOL_NAME(pax_do_page_fault) + pushl %ds + pushl %eax + xorl %eax,%eax + pushl %ebp + pushl %edi + pushl %esi + pushl %edx + decl %eax # eax = -1 + pushl %ecx + pushl %ebx + cld + movl %es,%ecx + movl ORIG_EAX(%esp), %esi # get the error code + movl ES(%esp), %edi # get the function address + movl %eax, ORIG_EAX(%esp) + movl %ecx, ES(%esp) + movl %esp,%edx + pushl %esi # push the error code + pushl %edx # push the pt_regs pointer + movl $(__KERNEL_DS),%edx + movl %edx,%ds + movl %edx,%es + GET_CURRENT(%ebx) + call *%edi + addl $8,%esp + decl %eax + jnz ret_from_exception + + popl %ebx + popl %ecx + popl %edx + popl %esi + popl %edi + popl %ebp + popl %eax + popl %ds + popl %es + addl $4,%esp + jmp system_call +#else pushl $ SYMBOL_NAME(do_page_fault) jmp error_code +#endif ENTRY(machine_check) pushl $0 diff -urN linux/arch/i386/kernel/head.S linux/arch/i386/kernel/head.S --- linux/arch/i386/kernel/head.S Mon Feb 25 14:37:53 2002 +++ linux/arch/i386/kernel/head.S Mon Feb 25 16:09:02 2002 @@ -433,7 +433,11 @@ .quad 0x0000000000000000 /* not used */ .quad 0x00cf9a000000ffff /* 0x10 kernel 4GB code at 0x00000000 */ .quad 0x00cf92000000ffff /* 0x18 kernel 4GB data at 0x00000000 */ +#ifdef CONFIG_GRKERNSEC_STACK + .quad 0x00cbfa000000f7ff /* 0x23 user 3GB-8MB code at 0 */ +#else .quad 0x00cffa000000ffff /* 0x23 user 4GB code at 0x00000000 */ +#endif .quad 0x00cff2000000ffff /* 0x2b user 4GB data at 0x00000000 */ .quad 0x0000000000000000 /* not used */ .quad 0x0000000000000000 /* not used */ diff -urN linux/arch/i386/kernel/ptrace.c linux/arch/i386/kernel/ptrace.c --- linux/arch/i386/kernel/ptrace.c Wed Nov 21 13:42:41 2001 +++ linux/arch/i386/kernel/ptrace.c Mon Feb 25 16:09:02 2002 @@ -21,6 +21,10 @@ #include #include +#if defined(CONFIG_GRKERNSEC_CHROOT_PTRACE) || defined(CONFIG_GRKERNSEC_PTRACE) \ + || defined(CONFIG_GRKERNSEC_AUDIT_PTRACE) +#include +#endif /* * does not yet catch signals sent when the child dies. * in exit.c or in signal.c. @@ -177,6 +181,40 @@ if (pid == 1) /* you may not mess with init */ goto out_tsk; +#ifdef CONFIG_GRKERNSEC_PTRACE + if(grsec_enable_ptrace && current->uid +#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP + && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid)) + || !grsec_enable_ptrace_group) +#endif + ) { + security_alert("denied ptrace of (%.16s:%d) by " DEFAULTSECMSG, + "denied ptraces", child->comm, child->pid, DEFAULTSECARGS); + goto out_tsk; + } +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE + if(grsec_enable_audit_ptrace +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + && grsec_enable_group && in_group_p(grsec_audit_gid) +#endif + ) { + printk(KERN_INFO "grsec: ptrace of (%.16s:%d) by " DEFAULTSECMSG "\n", + child->comm, child->pid, DEFAULTSECARGS); + } +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE + if(grsec_enable_chroot_ptrace && proc_is_chrooted(current) && + have_same_root(current,child)) { + security_alert("denied ptrace of process(%.16s:%d) within chroot jail " + "(%.32s:%lu) by " DEFAULTSECMSG, + "ptrace from chroot", + child->comm,child->pid,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + DEFAULTSECARGS); + goto out_tsk; + } +#endif if (request == PTRACE_ATTACH) { ret = ptrace_attach(child); goto out_tsk; @@ -439,11 +477,23 @@ return ret; } +#ifdef CONFIG_GRKERNSEC_PTRACE +asmlinkage void syscall_trace(int unused) +#else asmlinkage void syscall_trace(void) +#endif { +#ifdef CONFIG_GRKERNSEC_PTRACE + struct pt_regs *regs = (struct pt_regs *) &unused; +#endif + if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) != (PT_PTRACED|PT_TRACESYS)) return; +#ifdef CONFIG_GRKERNSEC_PTRACE + if(!user_mode(regs)) + return; +#endif /* the 0x80 provides a way for the tracing parent to distinguish between a syscall stop and SIGTRAP delivery */ current->exit_code = SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) diff -urN linux/arch/i386/kernel/signal.c linux/arch/i386/kernel/signal.c --- linux/arch/i386/kernel/signal.c Mon Feb 25 14:37:53 2002 +++ linux/arch/i386/kernel/signal.c Mon Feb 25 16:09:02 2002 @@ -7,6 +7,7 @@ * 2000-06-20 Pentium III FXSR, SSE support by Gareth Hughes */ +#include #include #include #include @@ -421,11 +422,15 @@ if (ka->sa.sa_flags & SA_RESTORER) { err |= __put_user(ka->sa.sa_restorer, &frame->pretcode); } else { +#ifdef CONFIG_GRKERNSEC_STACK + err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode); +#else err |= __put_user(frame->retcode, &frame->pretcode); /* This is popl %eax ; movl $,%eax ; int $0x80 */ err |= __put_user(0xb858, (short *)(frame->retcode+0)); err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2)); err |= __put_user(0x80cd, (short *)(frame->retcode+6)); +#endif } if (err) @@ -496,11 +501,15 @@ if (ka->sa.sa_flags & SA_RESTORER) { err |= __put_user(ka->sa.sa_restorer, &frame->pretcode); } else { +#ifdef CONFIG_GRKERNSEC_STACK + err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode); +#else err |= __put_user(frame->retcode, &frame->pretcode); /* This is movl $,%eax ; int $0x80 */ err |= __put_user(0xb8, (char *)(frame->retcode+0)); err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1)); err |= __put_user(0x80cd, (short *)(frame->retcode+5)); +#endif } if (err) @@ -557,6 +566,18 @@ regs->eip -= 2; } } + +#ifdef CONFIG_GRKERNSEC_PAX + /* PaX: clean up as our trace attempt became obsolete */ + if ((current->flags & PF_PAX_PAGEEXEC) && (current->ptrace & PT_PAX_TRACE)) { + if (!(current->ptrace & PT_PAX_OLDTF)) { + regs->eflags &= ~TF_MASK; + } + current->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + current->thread.pax_faults.eip = 0; + current->thread.pax_faults.count = 0; + } +#endif /* Set up the stack frame */ if (ka->sa.sa_flags & SA_SIGINFO) diff -urN linux/arch/i386/kernel/traps.c linux/arch/i386/kernel/traps.c --- linux/arch/i386/kernel/traps.c Sun Sep 30 15:26:08 2001 +++ linux/arch/i386/kernel/traps.c Mon Feb 25 16:09:02 2002 @@ -49,6 +49,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_STACK +#include +#endif asmlinkage int system_call(void); asmlinkage void lcall7(void); @@ -348,14 +351,183 @@ DO_ERROR(12, SIGBUS, "stack segment", stack_segment) DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2()) +#if defined(CONFIG_GRKERNSEC_STACK) && defined(CONFIG_GRKERNSEC_STACK_GCC) +static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum) +{ + switch (regnum) { + case 0: return ®s->eax; + case 1: return ®s->ecx; + case 2: return ®s->edx; + case 3: return ®s->ebx; + case 4: return ®s->esp; + case 5: return ®s->ebp; + case 6: return ®s->esi; + case 7: return ®s->edi; + } + return NULL; +} +static unsigned long get_modrm(struct pt_regs *regs, int *err) +{ + unsigned char modrm, sib; + signed char rel8; + unsigned long rel32; + int size, regnum, scale; + unsigned long index, base, addr, value; + + *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1)); + size = 2; + regnum = modrm & 7; + addr = *get_reg(regs, regnum); + if (regnum == 4 && (modrm & 0xC0) != 0xC0) { + *err |= __get_user(sib, (unsigned char *)(regs->eip + 2)); + size = 3; + scale = sib >> 6; + index = *get_reg(regs, (sib >> 3) & 7); + base = *get_reg(regs, sib & 7); + addr = base + (index << scale); + } + + switch (modrm & 0xC0) { + case 0x00: + if (regnum == 5) { + *err |= __get_user(addr, + (unsigned long *)(regs->eip + 2)); + size = 6; + } + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0x40: + *err |= __get_user(rel8, (signed char *)(regs->eip + size)); + size++; + addr += rel8; + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0x80: + *err |= __get_user(rel32, (unsigned long *)(regs->eip + size)); + size += 4; + addr += rel32; + *err |= __get_user(value, (unsigned long *)addr); + break; + + case 0xC0: + default: + value = addr; + } + + if (*err) return 0; + regs->eip += size; + return value; +} +#endif asmlinkage void do_general_protection(struct pt_regs * regs, long error_code) { +#ifdef CONFIG_GRKERNSEC_STACK + unsigned long addr; +#ifdef CONFIG_GRKERNSEC_STACK_GCC + unsigned char insn; + int err, count; +#endif +#endif if (regs->eflags & VM_MASK) goto gp_in_vm86; if (!(regs->xcs & 3)) goto gp_in_kernel; +#ifdef CONFIG_GRKERNSEC_STACK +/* Check if it was return from a signal handler */ + if ((regs->xcs & 0xFFFF) == __USER_CS) + if (*(unsigned char *)regs->eip == 0xC3) + if (!__get_user(addr, (unsigned long *)regs->esp)) { + if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) { +/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */ + regs->esp += 8; + __asm__("movl %3,%%esi\n\t" + "subl %1,%%esp\n\t" + "movl %2,%%ecx\n\t" + "movl %%esp,%%edi\n\t" + "rep; movsl\n\t" + "testl $1,%4\n\t" + "jnz 1f\n\t" + "call sys_sigreturn\n\t" + "leal %3,%%edi\n\t" + "jmp 2f\n\t" + "1:\n\t" + "call sys_rt_sigreturn\n\t" + "leal %3,%%edi\n\t" + "2:\n\t" + "addl %1,%%edi\n\t" + "movl %%esp,%%esi\n\t" + "movl %2,%%ecx\n\t" + "movl (%%edi),%%edi\n\t" + "rep; movsl\n\t" + "movl %%esi,%%esp" + : +/* %eax is returned separately */ + "=a" (regs->eax) + : + "i" (sizeof(*regs)), + "i" (sizeof(*regs) >> 2), + "m" (regs), + "r" (addr) + : + "cx", "dx", "si", "di", "cc", "memory"); + return; + } +/* + * * Check if we're returning to the stack area, which is only likely to happen + * * when attempting to exploit a buffer overflow. + * */ + if ((addr & 0xFF800000) == 0xBF800000 || + (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)) + security_alert("return onto stack by " DEFAULTSECMSG, + "returns onto stack", DEFAULTSECARGS); + } + +#ifdef CONFIG_GRKERNSEC_STACK_GCC +/* Check if it could have been a trampoline call */ + if ((regs->xcs & 0xFFFF) == __USER_CS) + if (*(unsigned char *)regs->eip == 0xFF) + if (!__get_user(insn, (unsigned char *)(regs->eip + 1))) + if ((insn & 0x38) == 0x10 && insn != 0xD4) { /* call mod r/m */ +/* First, emulate the call */ + err = 0; + addr = get_modrm(regs, &err); + if (!err) { + regs->esp -= 4; + err = __put_user(regs->eip, (unsigned long *)regs->esp); + regs->eip = addr; + } +/* Then, start emulating the trampoline itself */ + count = 0; + while (!err && !__get_user(insn, (unsigned char *)regs->eip++)) + if ((insn & 0xF8) == 0xB8) { /* movl imm32,%reg */ +/* We only have 8 GP registers, no reason to initialize one twice */ + if (count++ >= 8) break; + err |= __get_user(addr, (unsigned long *)regs->eip); + regs->eip += 4; + *get_reg(regs, insn & 7) = addr; + } else + if (insn == 0xFF) { + err |= __get_user(insn, (unsigned char *)regs->eip); + if ((insn & 0xF8) == 0xE0) { /* jmp *%reg */ + regs->eip = *get_reg(regs, insn & 7); + if (err) break; else return; + } + break; + } else + if (insn == 0xE9) { /* jmp rel32 */ + err |= __get_user(addr, (unsigned long *)regs->eip); + if (err) break; + regs->eip += 4 + addr; + return; + } else + break; + } +#endif +#endif current->thread.error_code = error_code; current->thread.trap_no = 13; force_sig(SIGSEGV, current); @@ -452,6 +624,10 @@ inb(0x71); /* dummy */ } +#ifdef CONFIG_GRKERNSEC_PAX +void pax_handle_ptes(struct task_struct *tsk); +#endif + /* * Our handling of the processor debug registers is non-trivial. * We do not clear them on entry and exit from the kernel. Therefore @@ -482,6 +658,22 @@ __asm__ __volatile__("movl %%db6,%0" : "=r" (condition)); +#ifdef CONFIG_GRKERNSEC_PAX + /* PaX: clean up */ + if ((tsk->flags & PF_PAX_PAGEEXEC) && (condition & DR_STEP) && (tsk->ptrace & PT_PAX_TRACE)) { + tsk->ptrace &= ~PT_PAX_TRACE; + pax_handle_ptes(tsk); + if (!(tsk->ptrace & PT_PAX_KEEPTF) && !(tsk->ptrace & PT_PAX_OLDTF)) + regs->eflags &= ~TF_MASK; + tsk->ptrace &= ~PT_PAX_KEEPTF; + if (!(tsk->ptrace & PT_PAX_OLDTF)) { + condition &= ~DR_STEP; + if (!(condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3))) + return; + } + tsk->ptrace &= ~PT_PAX_OLDTF; + } +#endif /* Mask out spurious debug traps due to lazy DR7 setting */ if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) { if (!tsk->thread.debugreg[7]) diff -urN linux/arch/i386/mm/fault.c linux/arch/i386/mm/fault.c --- linux/arch/i386/mm/fault.c Mon Feb 25 14:37:53 2002 +++ linux/arch/i386/mm/fault.c Mon Feb 25 16:09:02 2002 @@ -4,6 +4,7 @@ * Copyright (C) 1995 Linus Torvalds */ +#include #include #include #include @@ -19,6 +20,9 @@ #include #include #include /* For unblank_screen() */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_RANDMMAP) +#include +#endif #include #include @@ -144,23 +148,31 @@ * bit 1 == 0 means read, 1 means write * bit 2 == 0 means kernel, 1 means user-mode */ +#ifdef CONFIG_GRKERNSEC_PAX +asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address) +#else asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code) +#endif { struct task_struct *tsk; struct mm_struct *mm; struct vm_area_struct * vma; +#ifndef CONFIG_GRKERNSEC_PAX unsigned long address; +#endif unsigned long page; unsigned long fixup; int write; siginfo_t info; +#ifndef CONFIG_GRKERNSEC_PAX /* get the address */ __asm__("movl %%cr2,%0":"=r" (address)); /* It's safe to allow irq's after cr2 has been saved */ if (regs->eflags & X86_EFLAGS_IF) local_irq_enable(); +#endif tsk = current; @@ -218,21 +230,37 @@ good_area: info.si_code = SEGV_ACCERR; write = 0; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + switch (error_code & 7) { +#else switch (error_code & 3) { +#endif default: /* 3: write, present */ #ifdef TEST_VERIFY_AREA if (regs->cs == KERNEL_CS) printk("WP fault at %08lx\n", regs->eip); #endif /* fall through */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + case 7: /* PaX: write, present, some protection violation */ +#endif case 2: /* write, not present */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + case 6: +#endif if (!(vma->vm_flags & VM_WRITE)) goto bad_area; write++; break; case 1: /* read, present */ goto bad_area; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + case 5: /* PaX: read, present, protection violation */ +#endif case 0: /* read, not present */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + case 4: +#endif if (!(vma->vm_flags & (VM_READ | VM_EXEC))) goto bad_area; } @@ -407,3 +435,441 @@ return; } } +#ifdef CONFIG_GRKERNSEC_PAX +/* PaX: called with the page_table_lock spinlock held */ +static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address) +{ + pgd_t *pgd; + pmd_t *pmd; + + pgd = pgd_offset(mm, address); + if (!pgd || !pgd_present(*pgd)) + return 0; + pmd = pmd_offset(pgd, address); + if (!pmd || !pmd_present(*pmd)) + return 0; + return pte_offset(pmd, address); +} + +/* + * PaX: decide what to do with offenders + * + * returns 0 when access should be allowed + * 1 when task should be killed + * 2 when sigreturn trampoline was detected + * 3 when rt_sigreturn trampoline was detected + * 4 when gcc trampoline was detected + */ +static int pax_handle_read_fault(struct pt_regs *regs, unsigned long address) +{ + static unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4}; + int err; + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (!(current->flags & PF_PAX_EMUTRAMP)) + return 1; + + { /* PaX: sigreturn emulation */ + unsigned char pop, mov; + unsigned short sys; + unsigned long nr; + + err = __get_user(pop, (unsigned char *)(regs->eip)); + err |= __get_user(mov, (unsigned char *)(regs->eip + 1)); + err |= __get_user(nr, (unsigned long *)(regs->eip + 2)); + err |= __get_user(sys, (unsigned short *)(regs->eip + 6)); + + if (!err) { + if (pop == 0x58 && + mov == 0xb8 && + nr == __NR_sigreturn && + sys == 0x80cd) + { + regs->esp += 4; + regs->eax = nr; + regs->eip += 8; + return 2; + } + } + } + + { /* PaX: rt_sigreturn emulation */ + unsigned char mov; + unsigned short sys; + unsigned long nr; + + err = __get_user(mov, (unsigned char *)(regs->eip)); + err |= __get_user(nr, (unsigned long *)(regs->eip + 1)); + err |= __get_user(sys, (unsigned short *)(regs->eip + 5)); + + if (!err) { + if (mov == 0xb8 && + nr == __NR_rt_sigreturn && + sys == 0x80cd) + { + regs->eax = nr; + regs->eip += 7; + return 3; + } + } + } + + { /* PaX: gcc trampoline emulation #1 */ + unsigned char mov1, mov2; + unsigned short jmp; + unsigned long addr1, addr2, ret; + + err = __get_user(mov1, (unsigned char *)(regs->eip)); + err |= __get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= __get_user(mov2, (unsigned char *)(regs->eip + 5)); + err |= __get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= __get_user(jmp, (unsigned short *)(regs->eip + 10)); + err |= __get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = __get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov1 & 0xF8) == 0xB8 && + (mov2 & 0xF8) == 0xB8 && + (mov1 & 0x07) != (mov2 & 0x07) && + (jmp & 0xF8FF) == 0xE0FF && + (mov2 & 0x07) == ((jmp>>8) & 0x07) && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1; + ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2; + regs->eip = addr2; + return 4; + } + } + } + } + + { /* PaX: gcc trampoline emulation #2 */ + unsigned char mov, jmp; + unsigned long addr1, addr2, ret; + + err = __get_user(mov, (unsigned char *)(regs->eip)); + err |= __get_user(addr1, (unsigned long *)(regs->eip + 1)); + err |= __get_user(jmp, (unsigned char *)(regs->eip + 5)); + err |= __get_user(addr2, (unsigned long *)(regs->eip + 6)); + err |= __get_user(ret, (unsigned long *)(regs->esp)); + + if (!err) { + unsigned short call; + + err = __get_user(call, (unsigned short *)(ret-2)); + if (!err) { + if ((mov & 0xF8) == 0xB8 && + jmp == 0xE9 && + (call & 0xF8FF) == 0xD0FF && + (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])) + { + ((unsigned long *)regs)[trans[mov & 0x07]] = addr1; + regs->eip += addr2 + 10; + return 4; + } + } + } + } +#endif + + return 1; /* PaX in action */ +} + +static int pax_handle_opcode(struct task_struct *tsk, struct pt_regs *regs) +{ + unsigned long opsize = 1; + unsigned long opsize_override = 0; + unsigned long i; + + if (regs->eflags & TF_MASK) + tsk->ptrace |= PT_PAX_OLDTF; + else + tsk->ptrace &= ~PT_PAX_OLDTF; + tsk->ptrace &= ~PT_PAX_KEEPTF; + + for (i=0; i<15; i++) { + unsigned char opcode; + if (__get_user(opcode, (unsigned char*)(regs->eip+i))) + break; + switch (opcode) { + case 0x26: + case 0x2E: + case 0x36: + case 0x3E: + case 0x64: + case 0x65: + case 0x67: + case 0xF0: + case 0xF2: + case 0xF3: + break; + + case 0x66: + opsize_override = 1; + break; + + case 0x9C: /* PUSHF */ + if (opsize ^ opsize_override) { + __put_user(regs->eflags & 0x00FCFFFFul, (unsigned long*)(regs->esp-4)); + regs->esp -= 4; + } else { + __put_user(regs->eflags, (unsigned short*)(regs->esp-2)); + regs->esp -= 2; + } + regs->eip += i + 1; + return 1; + + case 0x9D: /* POPF */ + case 0xCF: /* IRET */ + tsk->ptrace |= PT_PAX_KEEPTF; + return 0; + + default: + return 0; + } + } + return 0; +} + +static inline void pax_handle_pte(struct mm_struct *mm, unsigned long address) +{ + pte_t *pte; + pte = pax_get_pte(mm, address); + if (pte) { + set_pte(pte, pte_exprotect(*pte)); + __flush_tlb_one(address); + } +} + +#define PAX_SPIN_COUNT 256 + +void pax_handle_ptes(struct task_struct *tsk) +{ + struct mm_struct *mm; + + mm = tsk->mm; + spin_lock(&mm->page_table_lock); + switch (tsk->thread.pax_faults.count) { + default: + printk(KERN_ERR "PAX: wtf: %s:%d, %ld\n", tsk->comm, tsk->pid, tsk->thread.pax_faults.count); + break; + + case PAX_SPIN_COUNT+4: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[3]); + + case PAX_SPIN_COUNT+3: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[2]); + + case PAX_SPIN_COUNT+2: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[1]); + + case PAX_SPIN_COUNT+1: + pax_handle_pte(mm, tsk->thread.pax_faults.addresses[0]); + } + spin_unlock(&mm->page_table_lock); + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; +} + +/* + * PaX: handle the extra page faults or pass it down to the original handler + * + * returns 0 when nothing special was detected + * 1 when sigreturn trampoline (syscall) has to be emulated + */ +asmlinkage int pax_do_page_fault(struct pt_regs *regs, unsigned long error_code) +{ + struct task_struct *tsk = current; + struct mm_struct *mm = current->mm; + unsigned long address; + pte_t *pte; + unsigned char pte_mask = _PAGE_ACCESSED | _PAGE_USER; + int ret; + unsigned long i; + + __asm__("movl %%cr2,%0":"=r" (address)); + + /* It's safe to allow irq's after cr2 has been saved */ + if (regs->eflags & X86_EFLAGS_IF) + local_irq_enable(); + + if ((error_code & 5) != 5 || address >= TASK_SIZE || regs->xcs != __USER_CS || (VM_MASK & regs->eflags)) + goto chain; + + /* PaX: it's our fault, let's handle it if we can */ + + if (error_code == 7) { + pte_mask |= _PAGE_DIRTY; + /* PaX: take a look at read faults before acquiring any locks */ + } else if (regs->eip == address) { /* read/instruction fetch attempt from a protected page in user mode */ + ret = pax_handle_read_fault(regs, address); + switch (ret) { + case 4: + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + return 0; + + case 3: + case 2: + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + return 1; + + default: + case 1: { + char* buffer = (char*)__get_free_page(GFP_KERNEL); + char* path=NULL; + + if (buffer) { + struct vm_area_struct* vma; + + down_read(&mm->mmap_sem); + vma = mm->mmap; + while (vma) { + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { + break; + } + vma = vma->vm_next; + } + if (vma) + path = d_path(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt, buffer, PAGE_SIZE); + up_read(&mm->mmap_sem); + } + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, EIP: %08lX, ESP: %08lX\n", path, tsk->comm, tsk->pid, tsk->uid, tsk->euid, regs->eip, regs->esp); + if (buffer) free_page((unsigned long)buffer); + printk(KERN_ERR "PAX: bytes at EIP: "); + for (i = 0; i < 20; i++) { + unsigned char c; + if (__get_user(c, (unsigned char*)(regs->eip+i))) { + printk("."); + break; + } + printk("%02x ", c); + } + printk("\n"); + + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + regs->eflags &= ~TF_MASK; + tsk->thread.cr2 = address; + tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; + force_sig(SIGKILL,tsk); + return 0; + } + + case 0: + } + } + + spin_lock(&mm->page_table_lock); + pte = pax_get_pte(mm, address); + if (!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte)) { + spin_unlock(&mm->page_table_lock); + goto chain; + } + + if ((error_code == 7) && !pte_write(*pte)) { /* write attempt to a protected page in user mode */ + spin_unlock(&mm->page_table_lock); + goto chain; + } + + /* + * PaX: fill DTLB with user rights and retry + */ + if (regs->eip != tsk->thread.pax_faults.eip) { /* detect DTLB trashing */ + tsk->thread.pax_faults.eip = regs->eip; + tsk->thread.pax_faults.count = 0; + +pax_emu: + __asm__ __volatile__ ( + "orb %2,%1\n" + "invlpg %0\n" + "testb $0,%0\n" + "xorb %3,%1\n" + : + : "m" (*(char*)address), "m" (*(char*)pte) , "r" (pte_mask) , "i" (_PAGE_USER) + : "memory", "cc"); + spin_unlock(&mm->page_table_lock); + return 0; + } + + if (tsk->thread.pax_faults.count < PAX_SPIN_COUNT) { + ++tsk->thread.pax_faults.count; + goto pax_emu; + } + spin_unlock(&mm->page_table_lock); + + if (tsk->thread.pax_faults.count == PAX_SPIN_COUNT) { + if (pax_handle_opcode(tsk, regs)) { + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + return 0; + } else { + ++tsk->thread.pax_faults.count; + } + } + + if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+3) { + printk(KERN_ERR "PAX: preventing DoS: %s:%d, EIP: %08lX, ESP: %08lX\n", tsk->comm, tsk->pid, regs->eip, regs->esp); + printk(KERN_ERR "PAX: bytes at EIP: "); + for (i = 0; i < 20; i++) { + unsigned char c; + if (__get_user(c, (unsigned char*)(regs->eip+i))) { + printk("."); + break; + } + printk("%02x ", c); + } + printk("\n"); + + tsk->thread.pax_faults.eip = 0; + tsk->thread.pax_faults.count = 0; + tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF); + regs->eflags &= ~TF_MASK; + tsk->thread.cr2 = address; + tsk->thread.error_code = error_code; + tsk->thread.trap_no = 14; + force_sig(SIGKILL,tsk); + return 0; + } + + spin_lock(&mm->page_table_lock); + pte = pax_get_pte(mm, address); + if (pte) { + set_pte(pte, pte_mkexec(*pte)); + __flush_tlb_one(address); + tsk->thread.pax_faults.addresses[tsk->thread.pax_faults.count-PAX_SPIN_COUNT-1] = address; + ++tsk->thread.pax_faults.count; + } + spin_unlock(&mm->page_table_lock); + tsk->ptrace |= PT_PAX_TRACE; + regs->eflags |= TF_MASK; + +#if 0 + if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+1) { + printk(KERN_ERR "PAX: DTLB trashing, level %ld: %s:%d," + "EIP: %08lX, ESP: %08lX, cr2: %08lX\n", + tsk->thread.pax_faults.count - (PAX_SPIN_COUNT+1), + tsk->comm, tsk->pid, regs->eip, regs->esp, address); + printk(KERN_ERR "PAX: DTLB trashing, %08lX, %08lX, %08lX\n", + tsk->thread.pax_faults.addresses[0], + tsk->thread.pax_faults.addresses[1], + tsk->thread.pax_faults.addresses[2]); + } +#endif + return 0; + +chain: + do_page_fault(regs, error_code, address); + return 0; +} +#endif + diff -urN linux/arch/i386/mm/init.c linux/arch/i386/mm/init.c --- linux/arch/i386/mm/init.c Fri Dec 21 12:41:53 2001 +++ linux/arch/i386/mm/init.c Mon Feb 25 16:09:02 2002 @@ -400,7 +400,11 @@ pmd = pmd_offset(pgd, vaddr); pte = pte_offset(pmd, vaddr); old_pte = *pte; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + *pte = mk_pte_phys(0, PAGE_READONLY_EXEC); +#else *pte = mk_pte_phys(0, PAGE_READONLY); +#endif local_flush_tlb(); boot_cpu_data.wp_works_ok = do_test_wp_bit(vaddr); diff -urN linux/arch/ia64/config.in linux/arch/ia64/config.in --- linux/arch/ia64/config.in Fri Nov 9 17:26:17 2001 +++ linux/arch/ia64/config.in Mon Feb 25 16:09:02 2002 @@ -276,3 +276,12 @@ fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/m68k/config.in linux/arch/m68k/config.in --- linux/arch/m68k/config.in Mon Jun 11 22:15:27 2001 +++ linux/arch/m68k/config.in Mon Feb 25 16:09:02 2002 @@ -546,3 +546,12 @@ #bool 'Debug kmalloc/kfree' CONFIG_DEBUG_MALLOC bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/mips/config.in linux/arch/mips/config.in --- linux/arch/mips/config.in Mon Oct 15 16:41:34 2001 +++ linux/arch/mips/config.in Mon Feb 25 16:09:02 2002 @@ -520,3 +520,12 @@ bool 'Run uncached' CONFIG_MIPS_UNCACHED fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/mips64/config.in linux/arch/mips64/config.in --- linux/arch/mips64/config.in Sun Sep 9 13:43:02 2001 +++ linux/arch/mips64/config.in Mon Feb 25 16:09:02 2002 @@ -276,3 +276,12 @@ bool 'Run uncached' CONFIG_MIPS_UNCACHED fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/parisc/config.in linux/arch/parisc/config.in --- linux/arch/parisc/config.in Tue Apr 17 20:19:25 2001 +++ linux/arch/parisc/config.in Mon Feb 25 16:09:02 2002 @@ -208,3 +208,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/ppc/config.in linux/arch/ppc/config.in --- linux/arch/ppc/config.in Mon Feb 25 14:37:55 2002 +++ linux/arch/ppc/config.in Mon Feb 25 16:09:02 2002 @@ -400,3 +400,12 @@ bool 'Include kgdb kernel debugger' CONFIG_KGDB bool 'Include xmon kernel debugger' CONFIG_XMON endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/s390/config.in linux/arch/s390/config.in --- linux/arch/s390/config.in Mon Feb 25 14:37:56 2002 +++ linux/arch/s390/config.in Mon Feb 25 16:09:02 2002 @@ -73,3 +73,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/s390x/config.in linux/arch/s390x/config.in --- linux/arch/s390x/config.in Mon Feb 25 14:37:56 2002 +++ linux/arch/s390x/config.in Mon Feb 25 16:09:02 2002 @@ -77,3 +77,11 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sh/config.in linux/arch/sh/config.in --- linux/arch/sh/config.in Mon Feb 25 14:37:56 2002 +++ linux/arch/sh/config.in Mon Feb 25 16:09:02 2002 @@ -386,3 +386,12 @@ bool 'Early printk support' CONFIG_SH_EARLY_PRINTK fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sparc/config.in linux/arch/sparc/config.in --- linux/arch/sparc/config.in Mon Jun 11 22:15:27 2001 +++ linux/arch/sparc/config.in Mon Feb 25 16:09:02 2002 @@ -266,3 +266,12 @@ bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/arch/sparc64/config.in linux/arch/sparc64/config.in --- linux/arch/sparc64/config.in Fri Dec 21 12:41:53 2001 +++ linux/arch/sparc64/config.in Mon Feb 25 16:09:02 2002 @@ -306,3 +306,12 @@ fi endmenu + +mainmenu_option next_comment +comment 'Grsecurity' +bool 'Grsecurity' CONFIG_GRKERNSEC +if [ "$CONFIG_GRKERNSEC" = "y" ]; then + source grsecurity/Config.in +fi +endmenu + diff -urN linux/drivers/char/mem.c linux/drivers/char/mem.c --- linux/drivers/char/mem.c Fri Dec 21 12:41:54 2001 +++ linux/drivers/char/mem.c Mon Feb 25 16:09:02 2002 @@ -25,6 +25,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_KMEM +#include +#endif #ifdef CONFIG_I2C extern int i2c_init_all(void); @@ -46,6 +49,12 @@ const char * buf, size_t count, loff_t *ppos) { ssize_t written; +#ifdef CONFIG_GRKERNSEC_KMEM + security_alert("attempted write to read-only kernel memory by " + DEFAULTSECMSG, "attempted kernel writes", + DEFAULTSECARGS); + return -EPERM; +#endif written = 0; #if defined(__sparc__) || defined(__mc68000__) @@ -200,9 +209,21 @@ /* * Don't dump addresses that are not real memory to a core file. */ +#ifdef CONFIG_GRKERNSEC_PAX + if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) { +#else if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) +#endif vma->vm_flags |= VM_IO; +#ifdef CONFIG_GRKERNSEC_PAX + /* it turned out to be device memory (eg. video RAM), don't apply PaX */ + if ((current->flags & PF_PAX_PAGEEXEC) &&!(vma->vm_flags & VM_EXEC)) { + vma->vm_flags |= VM_EXEC | VM_MAYEXEC; + vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f]; + } + } +#endif if (remap_page_range(vma->vm_start, offset, vma->vm_end-vma->vm_start, vma->vm_page_prot)) return -EAGAIN; @@ -291,7 +312,9 @@ wrote = (unsigned long) high_memory - p; wrote = do_write_mem(file, (void*)p, p, buf, wrote, ppos); - +#ifdef CONFIG_GRKERNSEC_KMEM + if(wrote == -EPERM) return -EPERM; +#endif p += wrote; buf += wrote; count -= wrote; @@ -401,8 +424,12 @@ count = size; zap_page_range(mm, addr, count); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + zeromap_page_range(addr, count, vma->vm_page_prot); +#else zeromap_page_range(addr, count, PAGE_COPY); +#endif size -= count; buf += count; addr += count; diff -urN linux/drivers/char/vt.c linux/drivers/char/vt.c --- linux/drivers/char/vt.c Fri Nov 16 13:08:28 2001 +++ linux/drivers/char/vt.c Mon Feb 25 16:09:02 2002 @@ -37,6 +37,10 @@ #include #endif /* CONFIG_FB_COMPAT_XPMAC */ +#ifdef CONFIG_GRKERNSEC_KBMAP +#include +#endif + char vt_dont_switch; extern struct tty_driver console_driver; @@ -177,7 +181,11 @@ val = (i ? K_HOLE : K_NOSUCHMAP); return put_user(val, &user_kbe->kb_value); case KDSKBENT: +#ifdef CONFIG_GRKERNSEC_KBMAP + if (!perm || (grsec_enable_kbmap && !suser())) +#else if (!perm) +#endif return -EPERM; if (!i && v == K_NOSUCHMAP) { /* disallocate map */ @@ -298,7 +306,11 @@ return -EFAULT; return ((p && *p) ? -EOVERFLOW : 0); case KDSKBSENT: +#ifdef CONFIG_GRKERNSEC_KBMAP + if (!perm || (grsec_enable_kbmap && !suser())) +#else if (!perm) +#endif return -EPERM; q = func_table[i]; diff -urN linux/drivers/ieee1394/video1394.c linux/drivers/ieee1394/video1394.c --- linux/drivers/ieee1394/video1394.c Mon Feb 25 14:37:58 2002 +++ linux/drivers/ieee1394/video1394.c Mon Feb 25 16:09:02 2002 @@ -843,7 +843,11 @@ pos=(unsigned long) d->buf; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start+=PAGE_SIZE; pos+=PAGE_SIZE; diff -urN linux/drivers/media/video/bttv-driver.c linux/drivers/media/video/bttv-driver.c --- linux/drivers/media/video/bttv-driver.c Mon Feb 25 14:37:58 2002 +++ linux/drivers/media/video/bttv-driver.c Mon Feb 25 16:09:02 2002 @@ -2052,7 +2052,11 @@ pos=(unsigned long) btv->fbuffer; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start+=PAGE_SIZE; pos+=PAGE_SIZE; diff -urN linux/drivers/media/video/cpia.c linux/drivers/media/video/cpia.c --- linux/drivers/media/video/cpia.c Thu Oct 25 16:53:47 2001 +++ linux/drivers/media/video/cpia.c Mon Feb 25 16:09:02 2002 @@ -3005,7 +3005,11 @@ pos = (unsigned long)(cam->frame_buf); while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&cam->busy_lock); return -EAGAIN; } diff -urN linux/drivers/media/video/meye.c linux/drivers/media/video/meye.c --- linux/drivers/media/video/meye.c Fri Dec 21 12:41:54 2001 +++ linux/drivers/media/video/meye.c Mon Feb 25 16:09:02 2002 @@ -1263,7 +1263,11 @@ while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&meye.lock); return -EAGAIN; } diff -urN linux/drivers/media/video/planb.c linux/drivers/media/video/planb.c --- linux/drivers/media/video/planb.c Mon Feb 25 14:37:58 2002 +++ linux/drivers/media/video/planb.c Mon Feb 25 16:09:02 2002 @@ -2008,7 +2008,11 @@ } for (i = 0; i < pb->rawbuf_size; i++) { if (remap_page_range(start, virt_to_phys((void *)pb->rawbuf[i]), +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + PAGE_SIZE, PAGE_SHARED_EXEC)) +#else PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; if (size <= PAGE_SIZE) diff -urN linux/drivers/media/video/zr36067.c linux/drivers/media/video/zr36067.c --- linux/drivers/media/video/zr36067.c Mon Feb 25 14:37:58 2002 +++ linux/drivers/media/video/zr36067.c Mon Feb 25 16:09:02 2002 @@ -4322,7 +4322,11 @@ frag_tab[2 * j]; page = virt_to_phys(bus_to_virt(pos)); /* should just be pos on i386 */ if (remap_page_range +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + (start, page, todo, PAGE_SHARED_EXEC)) { +#else (start, page, todo, PAGE_SHARED)) { +#endif printk(KERN_ERR "%s: zoran_mmap(V4L): remap_page_range failed\n", zr->name); @@ -4363,7 +4367,11 @@ ("V4L remap page range %d 0x%lx %ld to 0x%lx\n", i, page, todo, start)); if (remap_page_range +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + (start, page, todo, PAGE_SHARED_EXEC)) { +#else (start, page, todo, PAGE_SHARED)) { +#endif printk(KERN_ERR "%s: zoran_mmap(V4L): remap_page_range failed\n", zr->name); diff -urN linux/drivers/media/video/zr36120.c linux/drivers/media/video/zr36120.c --- linux/drivers/media/video/zr36120.c Mon Feb 25 14:37:58 2002 +++ linux/drivers/media/video/zr36120.c Mon Feb 25 16:09:02 2002 @@ -1484,7 +1484,11 @@ pos = (unsigned long)ztv->fbuffer; while (size>0) { unsigned long page = virt_to_phys((void*)pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; pos += PAGE_SIZE; diff -urN linux/drivers/pci/proc.c linux/drivers/pci/proc.c --- linux/drivers/pci/proc.c Fri Nov 16 21:38:39 2001 +++ linux/drivers/pci/proc.c Mon Feb 25 16:09:02 2002 @@ -6,6 +6,7 @@ * Copyright (c) 1997--1999 Martin Mares */ +#include #include #include #include @@ -562,7 +563,15 @@ pci_for_each_dev(dev) { pci_proc_attach_device(dev); } +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_entry("pci", S_IRUSR, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL); +#endif +#else entry = create_proc_entry("pci", 0, NULL); +#endif if (entry) entry->proc_fops = &proc_pci_operations; } diff -urN linux/drivers/usb/ov511.c linux/drivers/usb/ov511.c --- linux/drivers/usb/ov511.c Mon Feb 25 14:38:07 2002 +++ linux/drivers/usb/ov511.c Mon Feb 25 16:11:46 2002 @@ -5578,7 +5578,11 @@ pos = (unsigned long)ov511->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&ov511->lock); return -EAGAIN; } diff -urN linux/drivers/usb/pwc-if.c linux/drivers/usb/pwc-if.c --- linux/drivers/usb/pwc-if.c Mon Feb 25 14:38:07 2002 +++ linux/drivers/usb/pwc-if.c Mon Feb 25 16:09:02 2002 @@ -1593,7 +1593,11 @@ pos = (unsigned long)pdev->image_data; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; diff -urN linux/drivers/usb/se401.c linux/drivers/usb/se401.c --- linux/drivers/usb/se401.c Fri Sep 14 17:27:10 2001 +++ linux/drivers/usb/se401.c Mon Feb 25 16:09:02 2002 @@ -1374,7 +1374,11 @@ pos = (unsigned long)se401->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&se401->lock); return -EAGAIN; } diff -urN linux/drivers/usb/stv680.c linux/drivers/usb/stv680.c --- linux/drivers/usb/stv680.c Mon Feb 25 14:38:07 2002 +++ linux/drivers/usb/stv680.c Sun Mar 3 16:34:08 2002 @@ -1450,7 +1450,11 @@ pos = (unsigned long) stv680->fbuf; while (size > 0) { page = kvirt_to_pa (pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range (start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range (start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up (&stv680->lock); return -EAGAIN; } diff -urN linux/drivers/usb/usbvideo.c linux/drivers/usb/usbvideo.c --- linux/drivers/usb/usbvideo.c Thu Oct 11 02:42:46 2001 +++ linux/drivers/usb/usbvideo.c Mon Feb 25 16:09:02 2002 @@ -1199,7 +1199,11 @@ pos = (unsigned long) uvd->fbuf; while (size > 0) { page = usbvideo_kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) +#endif return -EAGAIN; start += PAGE_SIZE; diff -urN linux/drivers/usb/vicam.c linux/drivers/usb/vicam.c --- linux/drivers/usb/vicam.c Mon Feb 25 14:38:07 2002 +++ linux/drivers/usb/vicam.c Sun Mar 3 16:11:14 2002 @@ -691,7 +691,11 @@ pos = (unsigned long)vicam->fbuf; while (size > 0) { page = kvirt_to_pa(pos); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) { +#else if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) { +#endif up(&vicam->sem); return -EAGAIN; } diff -urN linux/fs/binfmt_aout.c linux/fs/binfmt_aout.c --- linux/fs/binfmt_aout.c Fri Nov 2 20:39:20 2001 +++ linux/fs/binfmt_aout.c Mon Feb 25 16:09:02 2002 @@ -5,6 +5,7 @@ */ #include +#include #include #include @@ -307,6 +308,25 @@ current->mm->mmap = NULL; compute_creds(bprm); current->flags &= ~PF_FORKNOEXEC; +#ifdef CONFIG_GRKERNSEC_STACK + if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) + current->flags |= PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (N_FLAGS(ex) & F_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(N_FLAGS(ex) & F_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + #ifdef __sparc__ if (N_MAGIC(ex) == NMAGIC) { loff_t pos = fd_offset; @@ -393,7 +413,11 @@ down_write(¤t->mm->mmap_sem); error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data, +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + PROT_READ | PROT_WRITE, +#else PROT_READ | PROT_WRITE | PROT_EXEC, +#endif MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE, fd_offset + ex.a_text); up_write(¤t->mm->mmap_sem); diff -urN linux/fs/binfmt_elf.c linux/fs/binfmt_elf.c --- linux/fs/binfmt_elf.c Mon Feb 25 14:38:08 2002 +++ linux/fs/binfmt_elf.c Mon Feb 25 16:09:02 2002 @@ -11,6 +11,7 @@ #include +#include #include #include #include @@ -33,6 +34,9 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) || defined(CONFIG_GRKERNSEC_PAX) +#include +#endif #include #include @@ -73,7 +77,10 @@ #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1)) #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1)) -static struct linux_binfmt elf_format = { +#ifndef CONFIG_GRKERNSEC_STACK +static +#endif +struct linux_binfmt elf_format = { NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE }; @@ -154,6 +161,11 @@ u_platform = u_platform - ((current->pid % 64) << 7); #endif +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (current->flags & PF_PAX_RANDMMAP) + u_platform -= (current->mm->delta_stack & ~PAGE_MASK); +#endif + /* * Force 16 byte _final_ alignment here for generality. */ @@ -595,7 +607,49 @@ current->mm->end_data = 0; current->mm->end_code = 0; current->mm->mmap = NULL; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + current->mm->delta_mmap = 0; + current->mm->delta_exec = 0; + current->mm->delta_stack = 0; +#endif current->flags &= ~PF_FORKNOEXEC; + +#ifdef CONFIG_GRKERNSEC_STACK + if (elf_ex.e_flags & EF_STACKEXEC) + current->flags |= PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + if (!(elf_ex.e_flags & EF_PAX_PAGEEXEC)) + current->flags |= PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + if (elf_ex.e_flags & EF_PAX_EMUTRAMP) + current->flags |= PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (!(elf_ex.e_flags & EF_PAX_MPROTECT)) + current->flags |= PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (!(elf_ex.e_flags & EF_PAX_RANDMMAP)) { + unsigned short delta; + current->flags |= PF_PAX_RANDMMAP; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_mmap = (unsigned long)delta << PAGE_SHIFT; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_exec = (unsigned long)delta << PAGE_SHIFT; + + get_random_bytes(&delta, sizeof(delta)); + current->mm->delta_stack = (unsigned long)delta << 4; + } +#endif + elf_entry = (unsigned long) elf_ex.e_entry; /* Do this so that we can load the interpreter, if need be. We will @@ -646,6 +700,13 @@ base, as well as whatever program they might try to exec. This is because the brk will follow the loader, and is not movable. */ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr); +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address at the default exe base if requested */ + if (current->flags | PF_PAX_RANDMMAP) { + load_bias = ELF_PAGESTART(0x08048000 - vaddr + current->mm->delta_exec); + } +#endif + } error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags); diff -urN linux/fs/exec.c linux/fs/exec.c --- linux/fs/exec.c Fri Dec 21 12:41:55 2001 +++ linux/fs/exec.c Sat Mar 2 12:35:45 2002 @@ -48,6 +48,20 @@ int core_uses_pid; +#if defined(CONFIG_GRKERNSEC_FD) || defined(CONFIG_GRKERNSEC_EXECVE) ||\ + defined(CONFIG_GRKERNSEC_COREDUMP)||defined(CONFIG_GRKERNSEC_TPE) ||\ + defined(CONFIG_GRKERNSEC_CHROOT_EXECLOG) || \ + defined(CONFIG_GRKERNSEC_EXECLOG) ||\ + defined(CONFIG_GRKERNSEC_PTRACE) || defined(CONFIG_GRKERNSEC_ACL) ||\ + defined(CONFIG_GRKERNSEC_AUDIT_PTRACE) +#include +#endif + +#ifdef CONFIG_GRKERNSEC_FD +#include +extern struct file_operations def_chr_fops; +#endif + static struct linux_binfmt *formats; static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED; @@ -278,7 +292,12 @@ lru_cache_add(page); flush_dcache_page(page); flush_page_to_ram(page); +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, + (tsk->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC)))); +#else set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY)))); +#endif tsk->mm->rss++; spin_unlock(&tsk->mm->page_table_lock); @@ -299,6 +318,12 @@ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + if (current->flags & PF_PAX_RANDMMAP) + stack_base = PAGE_MASK & (stack_base - current->mm->delta_stack); + +#endif + bprm->p += stack_base; if (bprm->loader) bprm->loader += stack_base; @@ -312,9 +337,15 @@ { mpnt->vm_mm = current->mm; mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + mpnt->vm_end = stack_base + MAX_ARG_PAGES*PAGE_SIZE; + mpnt->vm_page_prot = (current->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC; + mpnt->vm_flags = (current->flags & PF_PAX_PAGEEXEC)?VM_STACK_FLAGS:(VM_STACK_FLAGS|VM_EXEC|VM_MAYEXEC); +#else mpnt->vm_end = STACK_TOP; mpnt->vm_page_prot = PAGE_COPY; mpnt->vm_flags = VM_STACK_FLAGS; +#endif mpnt->vm_ops = NULL; mpnt->vm_pgoff = 0; mpnt->vm_file = NULL; @@ -473,6 +504,67 @@ if (atomic_dec_and_test(&oldsig->count)) kmem_cache_free(sigact_cachep, oldsig); } +#ifdef CONFIG_GRKERNSEC_FD +static inline int tweak_fd_open_null(struct linux_binprm *bprm) +{ + struct inode *i; + struct dentry *d; + struct file *f; + + if(!(i = get_empty_inode())) + return -ENOMEM; + if(!(d = dget(d_alloc_root(i)))) { + iput(i); + return -ENOMEM; + } + if(!(f = get_empty_filp())) { + dput(d); + iput(i); + return -ENFILE; + } + i->i_uid = current->fsuid; + i->i_gid = current->fsgid; + i->i_blksize = PAGE_SIZE; + i->i_blocks = 0; + i->i_atime = i->i_mtime = i->i_ctime = CURRENT_TIME; + i->i_state = I_DIRTY; + init_special_inode(i, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR,3)); + + f->f_flags = O_RDWR; + f->f_mode = FMODE_READ | FMODE_WRITE; + f->f_dentry = d; + f->f_op = i->i_fop; + f->f_pos = 0; + f->f_reada = 0; + f->f_vfsmnt = mntget(child_reaper->fs->rootmnt); + f->f_op->open(i,f); + bprm->tweak_fd_null = f; + + return 0; +} + +static int tweak_fd_0_1_2(struct linux_binprm *bprm) +{ + int fd,new,retval; + + for(fd=0;fd<=2;fd++) { + if(current->files->fd[fd]) continue; + if((new = get_unused_fd()) != fd) { + if(new >= 0) put_unused_fd(new); + return -EMFILE; + } + if(bprm->tweak_fd_null) + atomic_inc(&bprm->tweak_fd_null->f_count); + else + if((retval = tweak_fd_open_null(bprm))) + return retval; + + fd_install(fd,bprm->tweak_fd_null); + bprm->tweak_fd_mask |= 1 << fd; + } + return 0; +} +#endif /* * These functions flushes out all traces of the currently running executable @@ -563,6 +655,25 @@ current->comm[i++] = ch; } current->comm[i] = '\0'; +#ifdef CONFIG_GRKERNSEC_STACK + current->flags &= ~PF_STACKEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX + current->flags &= ~PF_PAX_PAGEEXEC; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP + current->flags &= ~PF_PAX_EMUTRAMP; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + current->flags &= ~PF_PAX_MPROTECT; +#endif + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + current->flags &= ~PF_PAX_RANDMMAP; +#endif flush_thread(); @@ -580,6 +691,10 @@ flush_signal_handlers(current); flush_old_files(current->files); +#ifdef CONFIG_GRKERNSEC_FD + if(grsec_enable_fd) + return tweak_fd_0_1_2(bprm); +#endif return 0; mmap_failed: @@ -660,7 +775,34 @@ if (bprm->e_uid == 0) cap_set_full(bprm->cap_effective); } - +#ifdef CONFIG_GRKERNSEC_PTRACE + if (current->ptrace & PT_PTRACED){ + if(current->uid && grsec_enable_ptrace +#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP + && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid)) + || !grsec_enable_ptrace_group) +#endif + ) { + security_alert("denied ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG, + "denied ptraces", kdevname(bprm->file->f_dentry->d_inode->i_dev), + bprm->file->f_dentry->d_inode->i_ino, bprm->filename, + DEFAULTSECARGS); + return -EPERM; + } + } +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE + if (grsec_enable_audit_ptrace && (current->ptrace & PT_PTRACED) +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + && grsec_enable_group && in_group_p(grsec_audit_gid) +#endif + ) { + printk(KERN_INFO "grsec: ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG "\n", + kdevname(bprm->file->f_dentry->d_inode->i_dev), + bprm->file->f_dentry->d_inode->i_ino, bprm->filename, + DEFAULTSECARGS); + } +#endif memset(bprm->buf,0,BINPRM_BUF_SIZE); return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE); } @@ -708,6 +850,9 @@ current->cap_permitted); } } +#ifdef CONFIG_GRKERNSEC_FD + if (grsec_enable_fd) tweak_fd_0_1_2(bprm); +#endif do_unlock = 1; } @@ -849,6 +994,45 @@ return retval; } +#if defined(CONFIG_GRKERNSEC_ACL) || defined(CONFIG_GRKERNSEC_TPE_GLIBC) + +#define MAXBADGLIBCVARS 7 +static struct badglibcvars { + const char *name; + const short len; +} badglibcvar[] = { + {"LD_PRELOAD", 10}, + {"LD_LIBRARY_PATH", 15}, + {"LD_ORIGIN_PATH", 14}, + {"LD_DEBUG_OUTPUT", 15}, + {"LD_PROFILE", 10}, + {"LD_AOUT_LIBRARY_PATH", 20}, + {"LD_AOUT_PRELOAD", 15} +}; + +static inline int gr_unsetenv(char **envpp, struct linux_binprm *bprmo) +{ + int i,ret=0; + char **envpo = envpp; + while(*envpo != NULL) { + for(i = 0;if_dentry->d_inode->i_dev), + file->f_dentry->d_inode->i_ino, grarg, DEFAULTSECARGS); + } +#endif + retval = copy_strings_kernel(1, &bprm.filename, &bprm); if (retval < 0) goto out; bprm.exec = bprm.p; + +#ifdef CONFIG_GRKERNSEC_ACL + if(current->pid < 2) /* Init is the parent process, so its + acl lock is NOT initialized on fork. + see its exec in init/main.c */ + current->acl_lock = RW_LOCK_UNLOCKED; + + if(gr_set_proc_label(file->f_dentry,filename, + file->f_vfsmnt)) + { + if(file->f_dentry && file->f_dentry->d_inode) + security_alert("could not set acl for %ld %d", + "acl set failures", + file->f_dentry->d_inode->i_ino, + file->f_dentry->d_inode->i_dev); + retval = -EACCES; + goto out; + } +#ifndef CONFIG_GRKERNSEC_TPE_GLIBC + else { + if(current->acl) { + badenvs = gr_unsetenv(envp,&bprm); + if(badenvs) + security_alert("exec of %.32s by " DEFAULTSECMSG + " attempted to use " + "%d malicious environment(s)", + "malicious environments", + filename, DEFAULTSECARGS, badenvs); + } + } +#endif +#endif + + retval = copy_strings(bprm.envc, envp, &bprm); if (retval < 0) goto out; @@ -904,9 +1237,15 @@ goto out; retval = search_binary_handler(&bprm,regs); - if (retval >= 0) +#ifdef CONFIG_GRKERNSEC_ACL + if(current->acl) + gr_set_caps(); +#endif /* search_binary_handler ends up calling compute_creds() which sets + caps initially...bleh...can't have it overwriting our hard work */ + if (retval >= 0) { /* execve success */ return retval; + } out: /* Something went wrong, return the inode and free the argument pages*/ @@ -920,6 +1259,13 @@ __free_page(page); } +#ifdef CONFIG_GRKERNSEC_FD + if(grsec_enable_fd && bprm.tweak_fd_mask) { + for(i=0;i<=2;i++) + if(bprm.tweak_fd_mask & (1 << i)) + (void)sys_close(i); + } +#endif return retval; } @@ -952,7 +1298,14 @@ goto fail; memcpy(corename,"core.", 5); +#ifdef CONFIG_GRKERNSEC_COREDUMP + if(grsec_enable_coredump) + memcpy(corename+5,current->comm,sizeof(current->comm)); + else + corename[4] = '\0'; +#else corename[4] = '\0'; +#endif if (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1) sprintf(&corename[4], ".%d", current->pid); file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW, 0600); @@ -970,7 +1323,11 @@ goto close_fail; if (!file->f_op->write) goto close_fail; +#ifdef CONFIG_GRKERNSEC_ACL + if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0) +#else if (do_truncate(file->f_dentry, 0) != 0) +#endif goto close_fail; retval = binfmt->core_dump(signr, regs, file); diff -urN linux/fs/namei.c linux/fs/namei.c --- linux/fs/namei.c Mon Feb 25 14:38:09 2002 +++ linux/fs/namei.c Tue Mar 5 08:22:48 2002 @@ -26,6 +26,11 @@ #include #include +#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_FIFO) ||\ + defined(CONFIG_GRKERNSEC_CHROOT_MKNOD) || defined(CONFIG_GRKERNSEC_ACL) +#include +#endif + #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) /* [Feb-1997 T. Schoebel-Theuer] @@ -343,6 +348,27 @@ current->state = TASK_RUNNING; schedule(); } + +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid && + (dentry->d_parent->d_inode->i_mode & S_IWOTH) && + current->fsuid != dentry->d_inode->i_uid) { + security_alert("not following symlink (%.30s/%.30s) of [%.32s]:%lu owned by %d.%d " + "by " DEFAULTSECMSG,"symlinks not followed", + dentry->d_parent->d_name.name, + dentry->d_name.name, + kdevname(dentry->d_inode->i_dev), + dentry->d_inode->i_ino, + dentry->d_inode->i_uid, + dentry->d_inode->i_gid, + DEFAULTSECARGS); + path_release(nd); + return -EACCES; + } +#endif + current->link_count++; current->total_link_count++; UPDATE_ATIME(dentry->d_inode); @@ -626,6 +652,24 @@ else if (this.len == 2 && this.name[1] == '.') nd->last_type = LAST_DOTDOT; return_base: +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_check_hidden_file(nd->dentry,nd->mnt)) + == GR_DENY) ) + { + security_alert("attempt to access hidden file " + "with inode %ld dev %d by " + DEFAULTSECMSG, + "hidden file access attempts", + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_dev, DEFAULTSECARGS); + err = -ENOENT; /*Fake that its not there*/ + if(dentry != nd->dentry) + dput(dentry); + path_release(nd); + goto return_err; + } +#endif + return 0; out_dput: dput(dentry); @@ -956,6 +1000,22 @@ return error; } + +#ifdef CONFIG_GRKERNSEC_ACL + +static __inline__ __u16 to_grflags(const int mode) +{ + __u16 retval = 0; + if(mode & O_APPEND) + retval |= GR_APPEND; + else if(mode & FMODE_WRITE) + retval |= GR_WRITE; + if(mode & FMODE_READ) + retval |= GR_READ; + return retval; +} +#endif + /* * open_namei() * @@ -977,6 +1037,33 @@ struct dentry *dentry; struct dentry *dir; int count = 0; +#ifdef CONFIG_GRKERNSEC_ACL + int gr_flag; + + + if(path_init(pathname,lookup_flags(flag),nd)) + error = path_walk(pathname,nd); + + gr_flag = to_grflags(flag); + + if( !error && nd->dentry && nd->dentry->d_inode && + (gr_search_file(nd->dentry,gr_flag,nd->mnt)) + == GR_DENY) + { + security_alert("attempt to open %.1024s for %s%s" + "by " DEFAULTSECMSG, + "file open attempts", pathname, gr_flag & GR_READ ? "reading " + : "", gr_flag & GR_WRITE ? "writing " : gr_flag & GR_APPEND ? + "append " : "", + DEFAULTSECARGS); + error = -EACCES; + path_release(nd); + goto exit; + } + if(!error) + path_release(nd); +#endif + acc_mode = ACC_MODE(flag); @@ -1001,6 +1088,7 @@ return error; /* + * dput(dentry) * We have the parent and last component. First of all, check * that we are not asked to creat(2) an obvious directory - that * will not do. @@ -1022,6 +1110,19 @@ /* Negative dentry, just create the file */ if (!dentry->d_inode) { +#ifdef CONFIG_GRKERNSEC_ACL + + gr_flag |= GR_WRITE; /* Creating a file is + * write operation + * at the least */ + if((gr_check_create(dentry,nd->dentry,nd->mnt,gr_flag)) + == GR_DENY) + { + up(&dir->d_inode->i_sem); + error = -EACCES; + goto exit_dput; + } +#endif error = vfs_create(dir->d_inode, dentry, mode & ~current->fs->umask); up(&dir->d_inode->i_sem); @@ -1032,6 +1133,9 @@ /* Don't check for write permission, don't truncate */ acc_mode = 0; flag &= ~O_TRUNC; +#ifdef CONFIG_GRKERNSEC_ACL + gr_handle_create(pathname,nd); +#endif goto ok; } @@ -1084,6 +1188,21 @@ * actually live on the filesystem itself, and as such you * can write to them even if the filesystem is read-only. */ +#ifdef CONFIG_GRKERNSEC_FIFO + if (grsec_enable_fifo && + S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + (inode->i_uid != dentry->d_parent->d_inode->i_uid) && + (current->fsuid != inode->i_uid)) { + security_alert("denied writing FIFO (%.32s/%.32s) of %d.%d " + "by " DEFAULTSECMSG, + "writes into a FIFO denied",dentry->d_parent->d_name.name,dentry->d_name.name, + inode->i_uid, inode->i_gid, + DEFAULTSECARGS); + error = -EACCES; + goto exit; + } +#endif if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { flag &= ~O_TRUNC; } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) { @@ -1127,7 +1246,11 @@ if (!error) { DQUOT_INIT(inode); +#ifdef CONFIG_GRKERNSEC_ACL + error = do_truncate(dentry,0,nd->mnt); +#else error = do_truncate(dentry, 0); +#endif } put_write_access(inode); if (error) @@ -1158,6 +1281,24 @@ * stored in nd->last.name and we will have to putname() it when we * are done. Procfs-like symlinks just set LAST_BIND. */ +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) && + (dentry->d_parent->d_inode->i_mode & S_ISVTX) && + dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid && + (dentry->d_parent->d_inode->i_mode & S_IWOTH) && + current->fsuid != dentry->d_inode->i_uid) { + security_alert("not following symlink (%.30s/%.30s) [%.32s]:%lu of %d.%d " + "by " DEFAULTSECMSG,"symlinks not followed", + dentry->d_parent->d_name.name, dentry->d_name.name, + kdevname(dentry->d_inode->i_dev), + dentry->d_inode->i_ino, dentry->d_inode->i_uid, + dentry->d_inode->i_gid, + DEFAULTSECARGS); + error = -EACCES; + goto exit_dput; + } +#endif + UPDATE_ATIME(dentry->d_inode); error = dentry->d_inode->i_op->follow_link(dentry, nd); dput(dentry); @@ -1242,6 +1383,9 @@ struct dentry * dentry; struct nameidata nd; +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + char grdevmode; +#endif if (S_ISDIR(mode)) return -EPERM; tmp = getname(filename); @@ -1257,6 +1401,38 @@ mode &= ~current->fs->umask; if (!IS_ERR(dentry)) { +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && proc_is_chrooted(current)) { + switch (mode & S_IFMT) { + case S_IFREG: grdevmode = 'r'; break; + case S_IFCHR: grdevmode = 'c'; break; + case S_IFBLK: grdevmode = 'b'; break; + case S_IFSOCK: grdevmode = 's'; break; + default: grdevmode = 'u'; + } + security_alert("refused attempt to mknod(%c:%.32s) (%.30s) from chroot() jail (%s:%lu) " + "owned by %d %d by " DEFAULTSECMSG, + "mknods in chroot denied",grdevmode,kdevname(dev),tmp, + kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid, + DEFAULTSECARGS); + error = -EPERM; + dput(dentry); + goto out_dput; + } +#endif +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY) ) + { + security_alert("attempt to mknod %.1024s (dev %d) by " + DEFAULTSECMSG, "mknod attempts", filename, dev, + DEFAULTSECARGS); + error = -EACCES; + dput(dentry); + goto out_dput; + } +#endif + switch (mode & S_IFMT) { case 0: case S_IFREG: error = vfs_create(nd.dentry->d_inode,dentry,mode); @@ -1270,8 +1446,20 @@ default: error = -EINVAL; } +#ifdef CONFIG_GRKERNSEC_ACL + if(!error) + { + struct nameidata newfile = { + dentry : dentry, + mnt : nd.mnt + }; + + gr_handle_create(tmp,&newfile); + } +#endif dput(dentry); } +out_dput: up(&nd.dentry->d_inode->i_sem); path_release(&nd); out: @@ -1324,8 +1512,35 @@ dentry = lookup_create(&nd, 1); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { +#ifdef CONFIG_GRKERNSEC_ACL + error = 0; + + if(gr_check_create(dentry,nd.dentry,nd.mnt,GR_WRITE) == + GR_DENY) + { + security_alert("attempt to mkdir %.1024s by " + DEFAULTSECMSG, "mkdir attempts", + pathname, DEFAULTSECARGS); + error = -EACCES; + + } + if(!error) +#endif + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode & ~current->fs->umask); +#ifdef CONFIG_GRKERNSEC_ACL + if(!error) + { + struct nameidata temp = + { + dentry : dentry, + mnt : nd.mnt + }; + gr_handle_create(pathname,&temp); + } +#endif + dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1407,6 +1622,10 @@ char * name; struct dentry *dentry; struct nameidata nd; +#ifdef CONFIG_GRKERNSEC_ACL + ino_t saved_ino = 0; + kdev_t saved_dev = 0; +#endif name = getname(pathname); if(IS_ERR(name)) @@ -1432,7 +1651,30 @@ dentry = lookup_hash(&nd.last, nd.dentry); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_rmdir(nd.dentry->d_inode, dentry); +#ifdef CONFIG_GRKERNSEC_ACL + error = 0; + if(dentry->d_inode) + { + saved_ino = dentry->d_inode->i_ino; + saved_dev = dentry->d_inode->i_dev; + } + if( ( (gr_search_file(dentry,GR_WRITE,nd.mnt)) == GR_DENY)) + { + security_alert("attempt to rmdir %.1024s by " + DEFAULTSECMSG, "rmdir attempts", + pathname, + DEFAULTSECARGS); + error = -EACCES; + } + if(!error) + { +#endif + error = vfs_rmdir(nd.dentry->d_inode, dentry); +#ifdef CONFIG_GRKERNSEC_ACL + if(!error && (saved_dev || saved_ino)) + gr_handle_delete(saved_ino,saved_dev); + } +#endif dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1476,6 +1718,10 @@ char * name; struct dentry *dentry; struct nameidata nd; +#ifdef CONFIG_GRKERNSEC_ACL + ino_t saved_ino = 0; + kdev_t saved_dev = 0; +#endif name = getname(pathname); if(IS_ERR(name)) @@ -1495,7 +1741,32 @@ /* Why not before? Because we want correct error value */ if (nd.last.name[nd.last.len]) goto slashes; - error = vfs_unlink(nd.dentry->d_inode, dentry); +#ifdef CONFIG_GRKERNSEC_ACL + error = 0; + if(dentry->d_inode) + { + saved_ino = dentry->d_inode->i_ino; + saved_dev = dentry->d_inode->i_dev; + } + if( ( (gr_search_file(dentry,GR_WRITE, nd.mnt)) == GR_DENY)) + { + security_alert("attempt to unlink %.1024s by " DEFAULTSECMSG, + "unlink attempts", + name, DEFAULTSECARGS); + error = -EACCES; + } + if(!error) + { +#endif + + error = vfs_unlink(nd.dentry->d_inode, dentry); +#ifdef CONFIG_GRKERNSEC_ACL + } + if(!error && (saved_ino || saved_dev)) + { + gr_handle_delete(saved_ino,saved_dev); + } +#endif exit2: dput(dentry); } @@ -1560,7 +1831,21 @@ dentry = lookup_create(&nd, 0); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { - error = vfs_symlink(nd.dentry->d_inode, dentry, from); +#ifdef CONFIG_GRKERNSEC_ACL + error = 0; + if( gr_search_file(nd.dentry,GR_WRITE,nd.mnt) + == GR_DENY) + { + security_alert("attempt to symlink %.1024s" + "to %.1024s by " DEFAULTSECMSG, + "symlink attempts", + from, to, DEFAULTSECARGS); + error = -EACCES; + } + + if(!error) +#endif + error = vfs_symlink(nd.dentry->d_inode, dentry, from); dput(dentry); } up(&nd.dentry->d_inode->i_sem); @@ -1651,6 +1936,39 @@ new_dentry = lookup_create(&nd, 0); error = PTR_ERR(new_dentry); if (!IS_ERR(new_dentry)) { +#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_ACL) + error = 0; +#ifdef CONFIG_GRKERNSEC_LINK + if(grsec_enable_link) { + if(current->fsuid != old_nd.dentry->d_inode->i_uid && + (!S_ISREG(old_nd.dentry->d_inode->i_mode) || + (old_nd.dentry->d_inode->i_mode & S_ISUID) || + ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == + (S_ISGID | S_IXGRP)) || (error = permission(old_nd.dentry->d_inode, + MAY_READ | MAY_WRITE))) && !capable(CAP_FOWNER) + && current->uid) { + security_alert("denied hardlink of %.30s (owned by %d.%d) to %.30s for " + DEFAULTSECMSG, "denied hardlinks",oldname,old_nd.dentry->d_inode->i_uid, + old_nd.dentry->d_inode->i_gid,newname,DEFAULTSECARGS); + error = -EPERM; + } + } + if(!error) +#endif +#ifdef CONFIG_GRKERNSEC_ACL + if( gr_search_file(old_nd.dentry,GR_WRITE,old_nd.mnt) + == GR_DENY || gr_search_file(nd.dentry, + GR_WRITE,nd.mnt) == GR_DENY) + { + security_alert("attempt to link %.1024s to %.1024s by " + DEFAULTSECMSG, "attempted links", oldname, newname, + DEFAULTSECARGS); + error = -EPERM; + } + if(!error) +#endif +#endif + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); dput(new_dentry); } @@ -1889,10 +2207,42 @@ if (IS_ERR(new_dentry)) goto exit4; +#ifdef CONFIG_GRKERNSEC_ACL + error = 0; + if(!new_dentry->d_inode) + { + if(gr_check_create(new_dentry,newnd.dentry,newnd.mnt,GR_WRITE) + == GR_DENY || gr_search_file(old_dentry, + GR_WRITE,oldnd.mnt) == GR_DENY) + { + security_alert("attempt to rename %.1024s to %.1024s " + "by " DEFAULTSECMSG, "rename attempts", + oldname,newname,DEFAULTSECARGS); + error = -EACCES; + } + } + + else if( gr_search_file(old_dentry,GR_WRITE,oldnd.mnt) == GR_DENY + || gr_search_file(new_dir,GR_WRITE,newnd.mnt) + == GR_DENY) + { + security_alert("attempt to rename %.1024s to %.1024s by " + DEFAULTSECMSG, "rename attempts", + oldname, newname, + DEFAULTSECARGS); + error = -EACCES; + } + if(!error) { +#endif + + lock_kernel(); error = vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry); unlock_kernel(); +#ifdef CONFIG_GRKERNSEC_ACL + } +#endif dput(new_dentry); exit4: diff -urN linux/fs/namespace.c linux/fs/namespace.c --- linux/fs/namespace.c Mon Feb 25 14:38:09 2002 +++ linux/fs/namespace.c Mon Feb 25 16:09:02 2002 @@ -16,6 +16,10 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_CHROOT_MOUNT) || defined(CONFIG_GRKERNSEC_AUDIT_MOUNT) +#include +#include +#endif #include @@ -327,6 +331,10 @@ if (!(sb->s_flags & MS_RDONLY)) { lock_kernel(); retval = do_remount_sb(sb, MS_RDONLY, 0); +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if(grsec_enable_mount && (retval >= 0)) + printk(KERN_INFO "grsec: remount of %.30s by " DEFAULTSECMSG "\n",mnt->mnt_devname, DEFAULTSECARGS); +#endif unlock_kernel(); } up_write(&sb->s_umount); @@ -353,6 +361,10 @@ } spin_unlock(&dcache_lock); up(&mount_sem); +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if(grsec_enable_mount && (retval >= 0)) + printk(KERN_INFO "grsec: unmount of %.30s by " DEFAULTSECMSG "\n",mnt->mnt_devname, DEFAULTSECARGS); +#endif return retval; } @@ -735,6 +747,18 @@ if (retval) return retval; +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) { + security_alert("denied attempt to mount (%.30s) as %.64s from chroot jail (%.32s:%lu) " + "of %d.%d by " DEFAULTSECMSG, "denied mounts in chroot", + dev_name,dir_name, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, DEFAULTSECARGS); + retval = -EPERM; + path_release(&nd); + return retval; + } +#endif if (flags & MS_REMOUNT) retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, data_page); @@ -746,6 +770,11 @@ retval = do_add_mount(&nd, type_page, flags, mnt_flags, dev_name, data_page); path_release(&nd); + +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + if(grsec_enable_mount && (retval >= 0)) + printk(KERN_INFO "grsec: mount %.30s to %.64s by " DEFAULTSECMSG "\n",dev_name,dir_name, DEFAULTSECARGS); +#endif return retval; } diff -urN linux/fs/open.c linux/fs/open.c --- linux/fs/open.c Fri Oct 12 16:48:42 2001 +++ linux/fs/open.c Tue Mar 5 15:28:54 2002 @@ -18,8 +18,33 @@ #include +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE)||\ + defined(CONFIG_GRKERNSEC_CHROOT_CAPS) ||\ + defined(CONFIG_GRKERNSEC_CHROOT_CHMOD) ||\ + defined(CONFIG_GRKERNSEC_CHROOT_CHDIR) ||\ + defined(CONFIG_GRKERNSEC_AUDIT_CHDIR) ||\ + defined(CONFIG_GRKERNSEC_ACL) +#include +#endif + + #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m)) +#ifdef CONFIG_GRKERNSEC_ACL +static int conv_flags(int p) +{ + int retval = LOOKUP_FOLLOW|LOOKUP_POSITIVE; + if(p & O_NOFOLLOW) + retval &= ~LOOKUP_FOLLOW; + if( (p & (O_CREAT|O_EXCL)) == (O_CREAT | O_EXCL)) + retval &= ~LOOKUP_FOLLOW; + if(p & O_DIRECTORY) + retval |= LOOKUP_DIRECTORY; + return retval; +} +#endif + + int vfs_statfs(struct super_block *sb, struct statfs *buf) { int retval = -ENODEV; @@ -71,7 +96,11 @@ return error; } +#ifdef CONFIG_GRKERNSEC_ACL +int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt) +#else int do_truncate(struct dentry *dentry, loff_t length) +#endif { struct inode *inode = dentry->d_inode; int error; @@ -81,6 +110,17 @@ if (length < 0) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(dentry,GR_WRITE,mnt)) == GR_DENY)) { + security_alert("attempted to truncate file with inode %ld dev " + "%d by " DEFAULTSECMSG, "file truncate attempts", + dentry->d_inode->i_ino, + dentry->d_inode->i_dev, DEFAULTSECARGS); + return -EACCES; + } +#endif + + down(&inode->i_sem); newattrs.ia_size = length; newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME; @@ -139,7 +179,11 @@ error = locks_verify_truncate(inode, NULL, length); if (!error) { DQUOT_INIT(inode); +#ifdef CONFIG_GRKERNSEC_ACL + error = do_truncate(nd.dentry, length, nd.mnt); +#else error = do_truncate(nd.dentry, length); +#endif } put_write_access(inode); @@ -191,7 +235,11 @@ error = locks_verify_truncate(inode, file, length); if (!error) +#ifdef CONFIG_GRKERNSEC_ACL + error = do_truncate(dentry, length, file->f_vfsmnt); +#else error = do_truncate(dentry, length); +#endif out_putf: fput(file); out: @@ -245,6 +293,20 @@ if (IS_RDONLY(inode)) goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) + { + security_alert("attempted to change access time for file" + "with inode %ld dev %d by " DEFAULTSECMSG, + "file access time change attempts", + nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, DEFAULTSECARGS); + error = -EACCES; + goto dput_and_out; + } +#endif + + /* Don't worry, the checks are done in inode_change_ok() */ newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; if (times) { @@ -290,6 +352,20 @@ if (IS_RDONLY(inode)) goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) + { + security_alert("attempted to change access time for file with" + "inode %ld dev %d by " DEFAULTSECMSG, + "file access time change attempts", + nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, DEFAULTSECARGS); + error = -EACCES; + goto dput_and_out; + } +#endif + + /* Don't worry, the checks are done in inode_change_ok() */ newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; if (utimes) { @@ -341,11 +417,26 @@ res = user_path_walk(filename, &nd); if (!res) { + res = permission(nd.dentry->d_inode, mode); /* SuS v2 requires we report a read only fs too */ if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode) && !special_file(nd.dentry->d_inode->i_mode)) res = -EROFS; +#ifdef CONFIG_GRKERNSEC_ACL + + if( !res && ( (gr_search_file(nd.dentry,GR_READ,nd.mnt)) + == GR_DENY)) + { + security_alert("attempted to access file with inode %ld dev " + "%d by " DEFAULTSECMSG, "file access attempts", + nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, DEFAULTSECARGS); + path_release(&nd); + res = -EACCES; + } +#endif + path_release(&nd); } @@ -378,6 +469,26 @@ if (error) goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(nd.dentry,GR_READ,nd.mnt)) == GR_DENY)) + { + security_alert("Attempted to chdir to directory with inode %ld dev " + "%d by " DEFAULTSECMSG, "chdir attempts", + nd.dentry->d_inode->i_ino, + nd.dentry->d_inode->i_dev, DEFAULTSECARGS); + error = -EACCES; + goto dput_and_out; + } +#endif + +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_chdir) + printk(KERN_INFO "grsec: chdir(\"%.64s\") by " DEFAULTSECMSG "\n", filename, DEFAULTSECARGS); +#endif set_fs_pwd(current->fs, nd.mnt, nd.dentry); dput_and_out: @@ -408,6 +519,28 @@ goto out_putf; error = permission(inode, MAY_EXEC); + +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(file->f_dentry,GR_READ,file->f_vfsmnt)) + == GR_DENY)) + { + security_alert("attempted to fchdir to directory with inode %ld dev " + "%d by " DEFAULTSECMSG, + "fchdir attempts", + file->f_dentry->d_inode->i_ino, + file->f_dentry->d_inode->i_dev, DEFAULTSECARGS); + error = -EACCES; + } +#endif + +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_chdir && !error) + printk(KERN_INFO "grsec: fchdir(%d) to %.64s by " DEFAULTSECMSG "\n", fd, dentry->d_name.name, DEFAULTSECARGS); +#endif if (!error) set_fs_pwd(current->fs, mnt, dentry); out_putf: @@ -441,9 +574,39 @@ error = -EPERM; if (!capable(CAP_SYS_CHROOT)) goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + if(grsec_enable_chroot_double && proc_is_chrooted(current)) { + security_alert("denied attempt to chroot() from (%.32s:%lu) to (%.30s)" + ", process " DEFAULTSECMSG, + "double chroot() denied", + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,name, + DEFAULTSECARGS); + goto dput_and_out; + } +#endif set_fs_root(current->fs, nd.mnt, nd.dentry); set_fs_altroot(); +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + if(grsec_enable_chroot_caps && proc_is_chrooted(current) && (current->pid > 1)) { + cap_lower(current->cap_permitted,CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW & + CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_inheritable,CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW & + CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_effective,CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT & + CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW & + CAP_SYS_TTY_CONFIG); + } +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + if (grsec_enable_chroot_chdir) set_fs_pwd(current->fs, nd.mnt, nd.dentry); +#endif error = 0; dput_and_out: path_release(&nd); @@ -472,8 +635,37 @@ err = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out_putf; + +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(dentry,GR_WRITE,file->f_vfsmnt)) == GR_DENY)) + { + security_alert("Attempt to fchmod program with inode %ld dev %d " + "by " DEFAULTSECMSG, "fchmod attempts", + dentry->d_inode->i_ino, + dentry->d_inode->i_dev, DEFAULTSECARGS); + + err = -EACCES; + goto out_putf; + } +#endif + if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + if(grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID)) + && proc_is_chrooted(current)) { + security_alert("denied attempt to fchmod +s (%.32s:%lu) owned by %d.%d to mode 0%07o " + "from chroot jail (%.32s:%lu) of %d.%d by " + DEFAULTSECMSG, + "denied fchmod +s in chroot", + kdevname(inode->i_dev),inode->i_ino,inode->i_uid,inode->i_gid,mode, + kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid, + DEFAULTSECARGS); + err = -EPERM; + goto out_putf; + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); @@ -504,8 +696,35 @@ if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto dput_and_out; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) + { + security_alert("Attempt to chmod file %1024s by " + DEFAULTSECMSG, "chmod attempts", + filename, DEFAULTSECARGS); + error = -EACCES; + goto dput_and_out; + } +#endif + + if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + if (grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID)) + && proc_is_chrooted(current)) { + security_alert("denied attempt to chmod +s (%.32s:%lu) (%.30s) owned by %d.%d to mode 0%07o " + "from chroot jail (%.32s:%lu) of %d.%d by " + DEFAULTSECMSG,"denied chmod +s in chroot", + kdevname(inode->i_dev),inode->i_ino,filename,inode->i_uid,inode->i_gid, + mode,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, + DEFAULTSECARGS); + error = -EPERM; + goto dput_and_out; + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.dentry, &newattrs); @@ -516,7 +735,11 @@ return error; } +#ifdef CONFIG_GRKERNSEC_ACL +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) +#else static int chown_common(struct dentry * dentry, uid_t user, gid_t group) +#endif { struct inode * inode; int error; @@ -533,6 +756,18 @@ error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) goto out; +#ifdef CONFIG_GRKERNSEC_ACL + if( ( (gr_search_file(dentry,GR_WRITE,mnt)) == GR_DENY)) + { + security_alert("Attempt to chown file with inode %ld dev %d " + "to %d.%d by " DEFAULTSECMSG, "chown attempts", + dentry->d_inode->i_ino,dentry->d_inode->i_dev, + user, group, DEFAULTSECARGS); + error = -EACCES; + goto out; + } +#endif + if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) @@ -583,7 +818,11 @@ error = user_path_walk(filename, &nd); if (!error) { +#ifdef CONFIG_GRKERNSEC_ACL + error = chown_common(nd.dentry, user, group, nd.mnt); +#else error = chown_common(nd.dentry, user, group); +#endif path_release(&nd); } return error; @@ -596,7 +835,11 @@ error = user_path_walk_link(filename, &nd); if (!error) { +#ifdef CONFIG_GRKERNSEC_ACL + error = chown_common(nd.dentry, user, group, nd.mnt); +#else error = chown_common(nd.dentry, user, group); +#endif path_release(&nd); } return error; @@ -610,7 +853,12 @@ file = fget(fd); if (file) { +#ifdef CONFIG_GRKERNSEC_ACL + error = chown_common(file->f_dentry, user, + group, file->f_vfsmnt); +#else error = chown_common(file->f_dentry, user, group); +#endif fput(file); } return error; @@ -632,8 +880,11 @@ */ struct file *filp_open(const char * filename, int flags, int mode) { - int namei_flags, error; + int namei_flags, error = 0; struct nameidata nd; +#ifdef CONFIG_GRKERNSEC_ACL + struct nameidata test; +#endif namei_flags = flags; if ((namei_flags+1) & O_ACCMODE) @@ -641,6 +892,28 @@ if (namei_flags & O_TRUNC) namei_flags |= 2; +#ifdef CONFIG_GRKERNSEC_ACL + if( (path_init(filename,conv_flags(namei_flags),&test)) ) + error = path_walk(filename,&test); + if((gr_status & GR_READY) && !error + && S_ISBLK(test.dentry->d_inode->i_mode) + && !capable(CAP_SYS_RAWIO)) + { + security_alert("Attempt to open block device " + "%ld %d with " + "insuffificent capabilities by process " + DEFAULTSECMSG, + "attempt to access block devices", + test.dentry->d_inode->i_ino, + test.dentry->d_inode->i_dev, + DEFAULTSECARGS); + error = -EACCES; + path_release(&test); + return ERR_PTR(error); + } + if(!error) + path_release(&test); +#endif error = open_namei(filename, namei_flags, mode, &nd); if (!error) return dentry_open(nd.dentry, nd.mnt, flags); diff -urN linux/fs/proc/base.c linux/fs/proc/base.c --- linux/fs/proc/base.c Mon Feb 25 14:38:09 2002 +++ linux/fs/proc/base.c Mon Feb 25 16:09:02 2002 @@ -24,6 +24,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_ACL +#include +#endif + /* * For hysterical raisins we keep the same inumbers as in the old procfs. * Feel free to change the macro below - just keep the range distinct from @@ -669,7 +673,11 @@ inode->i_gid = 0; if (ino == PROC_PID_INO || task_dumpable(task)) { inode->i_uid = task->euid; +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP inode->i_gid = task->egid; +#else + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#endif } out: @@ -972,13 +980,28 @@ if (!task) goto out; +#ifdef CONFIG_GRKERNSEC_ACL + if(gr_check_hidden_task(task)) + { + free_task_struct(task); + goto out; + } +#endif + + inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO); free_task_struct(task); if (!inode) goto out; +#ifdef CONFIG_GRKERNSEC_PROC_USER + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP; +#else inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; +#endif inode->i_op = &proc_base_inode_operations; inode->i_fop = &proc_base_operations; inode->i_nlink = 3; @@ -1018,8 +1041,13 @@ int pid = p->pid; if (!pid) continue; +#ifdef CONFIG_GRKERNSEC_ACL + if(gr_check_hidden_task(p)) + continue; +#endif if (--index >= 0) continue; + pids[nr_pids] = pid; nr_pids++; if (nr_pids >= PROC_MAXPIDS) diff -urN linux/fs/proc/generic.c linux/fs/proc/generic.c --- linux/fs/proc/generic.c Fri Sep 7 13:53:59 2001 +++ linux/fs/proc/generic.c Mon Feb 25 16:09:02 2002 @@ -491,6 +491,22 @@ return ent; } +#ifdef CONFIG_GRKERNSEC_PROC +struct proc_dir_entry *proc_priv_mkdir(const char *name, mode_t mode, struct proc_dir_entry *parent) +{ + struct proc_dir_entry *ent; + + ent = proc_create(&parent, name, mode, 2); + if (ent) { + ent->proc_fops = &proc_dir_operations; + ent->proc_iops = &proc_dir_inode_operations; + + proc_register(parent, ent); + } + return ent; +} +#endif + struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode, struct proc_dir_entry *parent) { diff -urN linux/fs/proc/inode.c linux/fs/proc/inode.c --- linux/fs/proc/inode.c Sat Nov 17 14:24:32 2001 +++ linux/fs/proc/inode.c Mon Feb 25 16:09:02 2002 @@ -152,7 +152,11 @@ if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; +#else inode->i_gid = de->gid; +#endif } if (de->size) inode->i_size = de->size; diff -urN linux/fs/proc/proc_misc.c linux/fs/proc/proc_misc.c --- linux/fs/proc/proc_misc.c Wed Nov 21 00:29:09 2001 +++ linux/fs/proc/proc_misc.c Mon Feb 25 16:09:02 2002 @@ -507,39 +507,93 @@ {"meminfo", meminfo_read_proc}, {"version", version_read_proc}, #ifdef CONFIG_MODULES +#ifndef CONFIG_GRKERNSEC_PROC {"modules", modules_read_proc}, #endif +#endif {"stat", kstat_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"devices", devices_read_proc}, +#endif {"partitions", partitions_read_proc}, #if !defined(CONFIG_ARCH_S390) +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"interrupts", interrupts_read_proc}, #endif +#endif {"filesystems", filesystems_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"dma", dma_read_proc}, {"ioports", ioports_read_proc}, {"cmdline", cmdline_read_proc}, +#endif #ifdef CONFIG_SGI_DS1286 {"rtc", ds1286_read_proc}, #endif {"locks", locks_read_proc}, {"swaps", swaps_read_proc}, +#ifndef CONFIG_GRKERNSEC_PROC_ADD {"iomem", memory_read_proc}, +#endif {"execdomains", execdomains_read_proc}, {NULL,} }; for (p = simple_ones; p->name; p++) create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL); +#if defined(CONFIG_GRKERNSEC_PROC) && defined(CONFIG_MODULES) +#ifdef CONFIG_GRKERNSEC_PROC_USER + create_proc_read_entry("modules", S_IRUSR, NULL, &modules_read_proc, NULL); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + create_proc_read_entry("modules", S_IRUSR | S_IRGRP, NULL, &modules_read_proc, NULL); +#endif +#endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + create_proc_read_entry("devices", S_IRUSR, NULL, &devices_read_proc, NULL); + create_proc_read_entry("dma", S_IRUSR, NULL, &dma_read_proc, NULL); + create_proc_read_entry("ioports", S_IRUSR, NULL, &ioports_read_proc, NULL); + create_proc_read_entry("cmdline", S_IRUSR, NULL, &cmdline_read_proc, NULL); + create_proc_read_entry("iomem", S_IRUSR, NULL, &memory_read_proc, NULL); +#if !defined(CONFIG_ARCH_S390) + create_proc_read_entry("interrupts", S_IRUSR, NULL, &interrupts_read_proc, NULL); +#endif +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + create_proc_read_entry("devices", S_IRUSR | S_IRGRP, NULL, &devices_read_proc, NULL); + create_proc_read_entry("dma", S_IRUSR | S_IRGRP, NULL, &dma_read_proc, NULL); + create_proc_read_entry("ioports", S_IRUSR | S_IRGRP, NULL, &ioports_read_proc, NULL); + create_proc_read_entry("cmdline", S_IRUSR | S_IRGRP, NULL, &cmdline_read_proc, NULL); + create_proc_read_entry("iomem", S_IRUSR | S_IRGRP, NULL, &memory_read_proc, NULL); +#if !defined(CONFIG_ARCH_S390) + create_proc_read_entry("interrupts", S_IRUSR | S_IRGRP, NULL, &interrupts_read_proc, NULL); +#endif +#endif +#endif /* And now for trickier ones */ entry = create_proc_entry("kmsg", S_IRUSR, &proc_root); if (entry) entry->proc_fops = &proc_kmsg_operations; create_seq_entry("mounts", 0, &proc_mounts_operations); + +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + create_seq_entry("cpuinfo", S_IRUSR, &proc_cpuinfo_operations); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + create_seq_entry("cpuinfo", S_IRUSR | S_IRGRP, &proc_cpuinfo_operations); +#endif +#else create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations); +#endif + #ifdef CONFIG_MODULES +#ifdef CONFIG_GRKERNSEC_PROC_USER + create_seq_entry("ksyms", S_IRUSR, &proc_ksyms_operations); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + create_seq_entry("ksyms", S_IRUSR | S_IRGRP, &proc_ksyms_operations); +#else create_seq_entry("ksyms", 0, &proc_ksyms_operations); #endif +#endif proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL); if (proc_root_kcore) { proc_root_kcore->proc_fops = &proc_kcore_operations; @@ -561,7 +615,15 @@ entry->proc_fops = &ppc_htab_operations; } #endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUSR, NULL, +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUSR | S_IRGRP, NULL, +#endif +#else entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUGO, NULL, +#endif slabinfo_read_proc, NULL); if (entry) entry->write_proc = slabinfo_write_proc; diff -urN linux/fs/proc/proc_tty.c linux/fs/proc/proc_tty.c --- linux/fs/proc/proc_tty.c Fri Apr 21 18:17:57 2000 +++ linux/fs/proc/proc_tty.c Mon Feb 25 16:09:02 2002 @@ -174,7 +174,13 @@ if (!proc_mkdir("tty", 0)) return; proc_tty_ldisc = proc_mkdir("tty/ldisc", 0); +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR, 0); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0); +#else proc_tty_driver = proc_mkdir("tty/driver", 0); +#endif create_proc_read_entry("tty/ldiscs", 0, 0, tty_ldiscs_read_proc,NULL); create_proc_read_entry("tty/drivers", 0, 0, tty_drivers_read_proc,NULL); diff -urN linux/fs/proc/root.c linux/fs/proc/root.c --- linux/fs/proc/root.c Sat Oct 20 22:14:42 2001 +++ linux/fs/proc/root.c Mon Feb 25 16:09:02 2002 @@ -37,13 +37,25 @@ return; } proc_misc_init(); +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR, 0); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0); +#else proc_net = proc_mkdir("net", 0); +#endif #ifdef CONFIG_SYSVIPC proc_mkdir("sysvipc", 0); #endif #ifdef CONFIG_SYSCTL +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR, 0); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0); +#else proc_sys_root = proc_mkdir("sys", 0); #endif +#endif #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE) proc_mkdir("sys/fs", 0); proc_mkdir("sys/fs/binfmt_misc", 0); @@ -61,7 +73,16 @@ #ifdef CONFIG_PPC_RTAS proc_rtas_init(); #endif + +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER + proc_bus = proc_priv_mkdir("bus", S_IFDIR|S_IRUSR|S_IXUSR, 0); +#elif CONFIG_GRKERNSEC_PROC_USERGROUP + proc_bus = proc_priv_mkdir("bus", S_IFDIR|S_IRUSR|S_IXUSR|S_IXGRP|S_IRGRP, 0); +#endif +#else proc_bus = proc_mkdir("bus", 0); +#endif } static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry) @@ -132,6 +153,9 @@ EXPORT_SYMBOL(proc_symlink); EXPORT_SYMBOL(proc_mknod); EXPORT_SYMBOL(proc_mkdir); +#ifdef CONFIG_GRKERNSEC_PROC +EXPORT_SYMBOL(proc_priv_mkdir); +#endif EXPORT_SYMBOL(create_proc_entry); EXPORT_SYMBOL(remove_proc_entry); EXPORT_SYMBOL(proc_root); diff -urN linux/fs/readdir.c linux/fs/readdir.c --- linux/fs/readdir.c Sun Aug 12 17:59:08 2001 +++ linux/fs/readdir.c Mon Feb 25 16:09:02 2002 @@ -13,6 +13,10 @@ #include +#ifdef CONFIG_GRKERNSEC_ACL +#include +#endif + int vfs_readdir(struct file *file, filldir_t filler, void *buf) { struct inode *inode = file->f_dentry->d_inode; @@ -120,6 +124,10 @@ struct readdir_callback { struct old_linux_dirent * dirent; int count; +#ifdef CONFIG_GRKERNSEC_ACL + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset, @@ -127,9 +135,26 @@ { struct readdir_callback * buf = (struct readdir_callback *) __buf; struct old_linux_dirent * dirent; +#ifdef CONFIG_GRKERNSEC_ACL + ino_t old_ino; +#endif if (buf->count) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_ACL + if(buf->dentry && buf->dentry->d_inode) + { + old_ino = buf->dentry->d_inode->i_ino; + buf->dentry->d_inode->i_ino = ino; + if( gr_check_hidden_file(buf->dentry,buf->mnt) == GR_DENY) + { + buf->dentry->d_inode->i_ino = old_ino; + return 0; + } + buf->dentry->d_inode->i_ino = ino; + } +#endif + buf->count++; dirent = buf->dirent; put_user(ino, &dirent->d_ino); @@ -153,6 +178,10 @@ buf.count = 0; buf.dirent = dirent; +#ifdef CONFIG_GRKERNSEC_ACL + buf.dentry = file->f_dentry; + buf.mnt = file->f_vfsmnt; +#endif error = vfs_readdir(file, fillonedir, &buf); if (error >= 0) @@ -181,6 +210,10 @@ struct linux_dirent * previous; int count; int error; +#ifdef CONFIG_GRKERNSEC_ACL + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int filldir(void * __buf, const char * name, int namlen, loff_t offset, @@ -189,10 +222,26 @@ struct linux_dirent * dirent; struct getdents_callback * buf = (struct getdents_callback *) __buf; int reclen = ROUND_UP(NAME_OFFSET(dirent) + namlen + 1); +#ifdef CONFIG_GRKERNSEC_ACL + ino_t old_ino; +#endif buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_ACL + if(buf->dentry && buf->dentry->d_inode) + { + old_ino = buf->dentry->d_inode->i_ino; + buf->dentry->d_inode->i_ino = ino; + if( gr_check_hidden_file(buf->dentry,buf->mnt) == GR_DENY) + { + buf->dentry->d_inode->i_ino = old_ino; + return 0; + } + buf->dentry->d_inode->i_ino = old_ino; + } +#endif dirent = buf->previous; if (dirent) put_user(offset, &dirent->d_off); @@ -224,6 +273,10 @@ buf.previous = NULL; buf.count = count; buf.error = 0; +#ifdef CONFIG_GRKERNSEC_ACL + buf.dentry = file->f_dentry; + buf.mnt = file->f_vfsmnt; +#endif error = vfs_readdir(file, filldir, &buf); if (error < 0) @@ -259,6 +312,10 @@ struct linux_dirent64 * previous; int count; int error; +#ifdef CONFIG_GRKERNSEC_ACL + struct dentry *dentry; + struct vfsmount *mnt; +#endif }; static int filldir64(void * __buf, const char * name, int namlen, loff_t offset, @@ -268,9 +325,27 @@ struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf; int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1); +#ifdef CONFIG_GRKERNSEC_ACL + ino_t old_ino; +#endif buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_ACL + if(buf->dentry && buf->dentry->d_inode) + { + old_ino = buf->dentry->d_inode->i_ino; + buf->dentry->d_inode->i_ino = ino; + if((gr_check_hidden_file(buf->dentry,buf->mnt)) == GR_DENY) { + buf->dentry->d_inode->i_ino = old_ino; + return 0; + } + buf->dentry->d_inode->i_ino = old_ino; + } +#endif + + + dirent = buf->previous; if (dirent) { d.d_off = offset; @@ -307,6 +382,11 @@ buf.previous = NULL; buf.count = count; buf.error = 0; +#ifdef CONFIG_GRKERNSEC_ACL + buf.mnt = file->f_vfsmnt; + buf.dentry = file->f_dentry; +#endif + error = vfs_readdir(file, filldir64, &buf); if (error < 0) diff -urN linux/grsecurity/Config.in linux/grsecurity/Config.in --- linux/grsecurity/Config.in Wed Dec 31 19:00:00 1969 +++ linux/grsecurity/Config.in Mon Mar 4 20:27:58 2002 @@ -0,0 +1,306 @@ +choice 'Security level' \ + "Low CONFIG_GRKERNSEC_LOW \ + Medium CONFIG_GRKERNSEC_MID \ + High CONFIG_GRKERNSEC_HI \ + Customized CONFIG_GRKERNSEC_CUSTOM" Customized +if [ "$CONFIG_GRKERNSEC_LOW" = "y" ]; then +define_bool CONFIG_GRKERNSEC_RANDSRC n +define_bool CONFIG_GRKERNSEC_RANDRPC n +define_bool CONFIG_GRKERNSEC_RANDPING n +define_bool CONFIG_GRKERNSEC_FORKFAIL n +define_bool CONFIG_GRKERNSEC_TIME n +define_bool CONFIG_GRKERNSEC_SIGNAL n +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT n +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE n +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD n +define_bool CONFIG_GRKERNSEC_PROC n +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP n +fi +define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_ACL n +define_bool CONFIG_GRKERNSEC_PROC_ADD n +define_bool CONFIG_GRKERNSEC_CHROOT_SIG n +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n +define_bool CONFIG_GRKERNSEC_CHROOT_NICE n +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP n +define_bool CONFIG_GRKERNSEC_PAX n +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n +define_bool CONFIG_GRKERNSEC_MMAPFIXED n +define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE n +define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE n +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_PTRACE n +define_bool CONFIG_GRKERNSEC_PTRACE_GROUP n + +define_int CONFIG_GRKERNSEC_FLOODTIME 30 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_FD y +define_bool CONFIG_GRKERNSEC_KBMAP y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +fi +if [ "$CONFIG_GRKERNSEC_MID" = "y" ]; then +define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_ACL n +define_bool CONFIG_GRKERNSEC_PROC_ADD n +define_bool CONFIG_GRKERNSEC_CHROOT_SIG n +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n +define_bool CONFIG_GRKERNSEC_CHROOT_NICE n +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_PAX n +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n +define_bool CONFIG_GRKERNSEC_MMAPFIXED n +define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE n +define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE n +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n +define_bool CONFIG_GRKERNSEC_PTRACE n +define_bool CONFIG_GRKERNSEC_PTRACE_GROUP n +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n + +define_int CONFIG_GRKERNSEC_FLOODTIME 30 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_FD y +define_bool CONFIG_GRKERNSEC_KBMAP y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_RANDSRC y +define_bool CONFIG_GRKERNSEC_RANDRPC y +define_bool CONFIG_GRKERNSEC_RANDPING y +define_bool CONFIG_GRKERNSEC_FORKFAIL y +define_bool CONFIG_GRKERNSEC_TIME y +define_bool CONFIG_GRKERNSEC_SIGNAL y +define_bool CONFIG_GRKERNSEC_CHROOT y +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y +define_bool CONFIG_GRKERNSEC_PROC y +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y +define_int CONFIG_GRKERNSEC_PROC_GID 10 +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y +fi +fi +if [ "$CONFIG_GRKERNSEC_HI" = "y" ]; then +define_int CONFIG_GRKERNSEC_FLOODTIME 30 +define_bool CONFIG_GRKERNSEC_LINK y +define_bool CONFIG_GRKERNSEC_FIFO y +define_bool CONFIG_GRKERNSEC_FD y +define_bool CONFIG_GRKERNSEC_KBMAP y +define_bool CONFIG_GRKERNSEC_RANDPID y +define_bool CONFIG_GRKERNSEC_EXECVE y +define_bool CONFIG_GRKERNSEC_DMESG y +define_bool CONFIG_GRKERNSEC_RANDID y +define_bool CONFIG_GRKERNSEC_RANDSRC y +define_bool CONFIG_GRKERNSEC_RANDRPC y +define_bool CONFIG_GRKERNSEC_RANDPING y +define_bool CONFIG_GRKERNSEC_FORKFAIL y +define_bool CONFIG_GRKERNSEC_TIME y +define_bool CONFIG_GRKERNSEC_SIGNAL y +define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y +define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y +define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y +define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y +define_bool CONFIG_GRKERNSEC_CHROOT_CAPS y +define_bool CONFIG_GRKERNSEC_PROC y +define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y +define_int CONFIG_GRKERNSEC_PROC_GID 10 +define_bool CONFIG_GRKERNSEC_KMEM y +define_bool CONFIG_GRKERNSEC_ACL y +define_string CONFIG_GRADM_PATH "/sbin/gradm" +define_int CONFIG_GR_MAXTRIES 3 +define_int CONFIG_GR_TIMEOUT 30 +define_bool CONFIG_GRKERNSEC_PROC_ADD y +define_bool CONFIG_GRKERNSEC_CHROOT_SIG y +define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD y +define_bool CONFIG_GRKERNSEC_CHROOT_NICE y +if [ "$CONFIG_X86" = "y" ]; then +define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y +define_bool CONFIG_GRKERNSEC_PAX y +define_bool CONFIG_GRKERNSEC_PAX_MPROTECT y +define_bool CONFIG_GRKERNSEC_MMAPFIXED y +define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE y +define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE y +fi +define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT y +define_bool CONFIG_GRKERNSEC_PTRACE y +define_bool CONFIG_GRKERNSEC_PTRACE_GROUP y +define_int CONFIG_GRKERNSEC_PTRACE_GID 10 +fi +if [ "$CONFIG_GRKERNSEC_CUSTOM" = "y" ]; then +mainmenu_option next_comment +comment 'Buffer Overflow Protection' +if [ "$CONFIG_X86" = "y" ]; then +if [ "$CONFIG_GRKERNSEC_PAX" != "y" ]; then +bool 'Openwall non-executable stack' CONFIG_GRKERNSEC_STACK +if [ "$CONFIG_GRKERNSEC_STACK" != "n" ]; then +bool ' Gcc trampoline support' CONFIG_GRKERNSEC_STACK_GCC +fi +fi +if [ "$CONFIG_GRKERNSEC_STACK" != "y" ]; then +bool 'PaX protection' CONFIG_GRKERNSEC_PAX +if [ "$CONFIG_GRKERNSEC_PAX" = "y" ]; then + bool ' Emulate trampolines' CONFIG_GRKERNSEC_PAX_EMUTRAMP + bool ' Restrict mprotect()' CONFIG_GRKERNSEC_PAX_MPROTECT + bool 'Fixed mmap restrictions' CONFIG_GRKERNSEC_MMAPFIXED +fi + bool 'Randomize mmap() base' CONFIG_GRKERNSEC_PAX_RANDMMAP +fi +fi +bool 'Read-only kernel memory' CONFIG_GRKERNSEC_KMEM +endmenu +mainmenu_option next_comment +comment 'Access Control Lists' + bool 'Grsecurity ACL system' CONFIG_GRKERNSEC_ACL +if [ "$CONFIG_GRKERNSEC_ACL" = "y" ]; then + bool 'ACL Debugging Messages' CONFIG_GR_DEBUG + if [ "$CONFIG_GR_DEBUG" = "y" ]; then + bool 'Extra ACL Debugging Messages' CONFIG_GR_SUPERDEBUG + fi + bool 'Denied capability logging' CONFIG_GRKERNSEC_ACL_CAPLOG + string 'Path to gradm' CONFIG_GRADM_PATH "/sbin/gradm" + int 'Maximum tries before password lockout' CONFIG_GR_MAXTRIES 3 + int 'Time to wait after max password tries, in seconds' CONFIG_GR_TIMEOUT 30 +fi +endmenu +mainmenu_option next_comment +comment 'Filesystem Protections' +bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC +if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then +bool ' Restrict to user only' CONFIG_GRKERNSEC_PROC_USER +if [ "$CONFIG_GRKERNSEC_PROC_USER" = "y" ]; then +bool ' Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD +fi +if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then +bool ' Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP +if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then +int ' GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001 +bool ' Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD +fi +fi +fi +bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK +bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO +bool 'Secure file descriptors' CONFIG_GRKERNSEC_FD +bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT +if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then +bool ' Restricted signals' CONFIG_GRKERNSEC_CHROOT_SIG +bool ' Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT +bool ' Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE +bool ' Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR +bool ' Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD +bool ' Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD +if [ "$CONFIG_X86" != "n" ]; then +bool ' Deny ptraces' CONFIG_GRKERNSEC_CHROOT_PTRACE +fi +bool ' Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE +fi +bool 'Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS +bool 'Secure keymap loading' CONFIG_GRKERNSEC_KBMAP +endmenu +mainmenu_option next_comment +comment 'Kernel Auditing' +bool 'Single group for auditing' CONFIG_GRKERNSEC_AUDIT_GROUP +if [ "$CONFIG_GRKERNSEC_AUDIT_GROUP" != "n" ]; then +int ' GID for auditing' CONFIG_GRKERNSEC_AUDIT_GID 1007 +fi +bool 'Exec logging' CONFIG_GRKERNSEC_EXECLOG +bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG +bool 'Chdir logging' CONFIG_GRKERNSEC_AUDIT_CHDIR +bool '(Un)Mount logging' CONFIG_GRKERNSEC_AUDIT_MOUNT +bool 'IPC logging' CONFIG_GRKERNSEC_AUDIT_IPC +if [ "$CONFIG_X86" != "n" ]; then +bool 'Ptrace logging' CONFIG_GRKERNSEC_AUDIT_PTRACE +fi +bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL +bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL +if [ "$CONFIG_GRKERNSEC_SUID_ROOT" != "y" ]; then +bool 'Set*id logging' CONFIG_GRKERNSEC_SUID +fi +if [ "$CONFIG_GRKERNSEC_SUID" != "y" ]; then +bool 'Log set*ids to root' CONFIG_GRKERNSEC_SUID_ROOT +fi +bool 'Time change logging' CONFIG_GRKERNSEC_TIME +endmenu +mainmenu_option next_comment +comment 'Executable Protections' +bool 'Exec process limiting' CONFIG_GRKERNSEC_EXECVE +bool 'Dmesg(8) restriction' CONFIG_GRKERNSEC_DMESG +bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID +bool 'Altered default IPC permissions' CONFIG_GRKERNSEC_IPC +bool 'Limit uid/gid changes to root' CONFIG_GRKERNSEC_TTYROOT +if [ "$CONFIG_GRKERNSEC_TTYROOT" != "n" ]; then +bool ' Deny physical consoles (tty)' CONFIG_GRKERNSEC_TTYROOT_PHYS +bool ' Deny serial consoles (ttyS)' CONFIG_GRKERNSEC_TTYROOT_SERIAL +bool ' Deny pseudo consoles (pty)' CONFIG_GRKERNSEC_TTYROOT_PSEUDO +fi +bool 'Fork-bomb protection' CONFIG_GRKERNSEC_FORKBOMB +if [ "$CONFIG_GRKERNSEC_FORKBOMB" != "n" ]; then +int ' GID for restricted users' CONFIG_GRKERNSEC_FORKBOMB_GID 1006 +int ' Forks allowed per second' CONFIG_GRKERNSEC_FORKBOMB_SEC 40 +int ' Maximum processes allowed' CONFIG_GRKERNSEC_FORKBOMB_MAX 20 +fi +bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE +if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then +bool ' Glibc protection' CONFIG_GRKERNSEC_TPE_GLIBC +bool ' Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL +int ' GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005 +fi +if [ "$CONFIG_X86" != "n" ]; then +bool 'Restricted ptrace' CONFIG_GRKERNSEC_PTRACE +if [ "$CONFIG_GRKERNSEC_PTRACE" != "n" ]; then +bool ' Allow ptrace for group' CONFIG_GRKERNSEC_PTRACE_GROUP +if [ "$CONFIG_GRKERNSEC_PTRACE_GROUP" != "n" ]; then +int ' GID for ptrace' CONFIG_GRKERNSEC_PTRACE_GID 1008 +fi +fi +fi +endmenu +mainmenu_option next_comment +comment 'Network Protections' +bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID +bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC +bool 'Randomized RPC XIDs' CONFIG_GRKERNSEC_RANDRPC +bool 'Altered Ping IDs' CONFIG_GRKERNSEC_RANDPING +bool 'Randomized TTL' CONFIG_GRKERNSEC_RANDTTL +bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET +if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then +bool ' Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL +if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then +int ' GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004 +fi +bool ' Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT +if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then +int ' GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003 +fi +bool ' Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER +if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then +int ' GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002 +fi +fi +endmenu +if [ "$CONFIG_SYSCTL" != "n" ]; then +mainmenu_option next_comment +comment 'Sysctl support' +bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL +endmenu +fi +mainmenu_option next_comment +comment 'Miscellaneous Features' +int 'Seconds in between log messages(minimum)' CONFIG_GRKERNSEC_FLOODTIME 30 +bool 'BSD-style coredumps' CONFIG_GRKERNSEC_COREDUMP +endmenu +fi diff -urN linux/include/asm-i386/a.out.h linux/include/asm-i386/a.out.h --- linux/include/asm-i386/a.out.h Fri Jun 16 14:33:06 1995 +++ linux/include/asm-i386/a.out.h Tue Mar 5 15:24:42 2002 @@ -19,8 +19,12 @@ #ifdef __KERNEL__ +#ifdef CONFIG_GRKERNSEC_STACK +#define STACK_TOP ((current->flags & PF_STACKEXEC) ? TASK_SIZE - _STK_LIM : TASK_SIZE) +#else #define STACK_TOP TASK_SIZE +#endif #endif #endif /* __A_OUT_GNU_H__ */ diff -urN linux/include/asm-i386/pgtable.h linux/include/asm-i386/pgtable.h --- linux/include/asm-i386/pgtable.h Thu Nov 22 14:46:19 2001 +++ linux/include/asm-i386/pgtable.h Tue Mar 5 15:24:42 2002 @@ -192,9 +192,26 @@ #define _PAGE_CHG_MASK (PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY) #define PAGE_NONE __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED) + +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define PAGE_SHARED_EXEC __pgprot(_PAGE_PRESENT | _PAGE_RW |_PAGE_USER |_PAGE_ACCESSED) +#define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#else #define PAGE_SHARED __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED) #define PAGE_COPY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED) +#endif + +#ifdef CONFIG_GRKERNSEC_PAX +#define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED) +#define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) +#else +#define PAGE_SHARED_NOEXEC PAGE_SHARED_EXEC +#define PAGE_COPY_NOEXEC PAGE_COPY_EXEC +#define PAGE_READONLY_NOEXEC PAGE_READONLY_EXEC +#endif #define __PAGE_KERNEL \ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED) @@ -228,6 +245,15 @@ * This is the closest we can get.. */ #define __P000 PAGE_NONE +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define __P001 PAGE_READONLY_NOEXEC +#define __P010 PAGE_COPY_NOEXEC +#define __P011 PAGE_COPY_NOEXEC +#define __P100 PAGE_READONLY_EXEC +#define __P101 PAGE_READONLY_EXEC +#define __P110 PAGE_COPY_EXEC +#define __P111 PAGE_COPY_EXEC +#else #define __P001 PAGE_READONLY #define __P010 PAGE_COPY #define __P011 PAGE_COPY @@ -235,8 +261,18 @@ #define __P101 PAGE_READONLY #define __P110 PAGE_COPY #define __P111 PAGE_COPY +#endif #define __S000 PAGE_NONE +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define __S001 PAGE_READONLY_NOEXEC +#define __S010 PAGE_SHARED_NOEXEC +#define __S011 PAGE_SHARED_NOEXEC +#define __S100 PAGE_READONLY_EXEC +#define __S101 PAGE_READONLY_EXEC +#define __S110 PAGE_SHARED_EXEC +#define __S111 PAGE_SHARED_EXEC +#else #define __S001 PAGE_READONLY #define __S010 PAGE_SHARED #define __S011 PAGE_SHARED @@ -244,6 +280,7 @@ #define __S101 PAGE_READONLY #define __S110 PAGE_SHARED #define __S111 PAGE_SHARED +#endif /* * Define this if things work differently on an i386 and an i486: diff -urN linux/include/asm-i386/processor.h linux/include/asm-i386/processor.h --- linux/include/asm-i386/processor.h Thu Nov 22 14:46:19 2001 +++ linux/include/asm-i386/processor.h Tue Mar 5 15:24:42 2002 @@ -267,11 +267,25 @@ */ #define TASK_SIZE (PAGE_OFFSET) +#ifdef CONFIG_GRKERNSEC_STACK +#define MAGIC_SIGRETURN (PAGE_OFFSET + 0xDE0000) +#define MAGIC_RT_SIGRETURN (PAGE_OFFSET + 0xDE0001) +#endif /* This decides where the kernel will search for a free chunk of vm * space during mmap's. */ +#ifdef CONFIG_GRKERNSEC_STACK +extern struct linux_binfmt elf_format; +#define TASK_UNMAPPED_BASE(size) ( \ + current->binfmt == &elf_format && \ + !(current->flags & PF_STACKEXEC) && \ + (size) < 0x00ef0000UL \ + ? 0x00110000UL \ + : TASK_SIZE / 3 ) +#else #define TASK_UNMAPPED_BASE (TASK_SIZE / 3) +#endif /* * Size of io_bitmap in longwords: 32 is ports 0-0x3ff. */ @@ -362,6 +376,14 @@ unsigned long __cacheline_filler[5]; }; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +struct pax_fault_info { + unsigned long eip; + unsigned long addresses[4]; + unsigned long count; +}; +#endif + struct thread_struct { unsigned long esp0; unsigned long eip; @@ -372,6 +394,11 @@ unsigned long debugreg[8]; /* %%db0-7 debug registers */ /* fault info */ unsigned long cr2, trap_no, error_code; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +/* PaX fault info */ + struct pax_fault_info pax_faults; +#endif + /* floating point info */ union i387_union i387; /* virtual 86 mode info */ @@ -383,6 +410,18 @@ unsigned long io_bitmap[IO_BITMAP_SIZE+1]; }; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define INIT_THREAD { \ + 0, \ + 0, 0, 0, 0, \ + { [0 ... 7] = 0 }, /* debugging registers */ \ + 0, 0, 0, \ + {0, {0}, 0}, /* PaX fault info */ \ + { { 0, }, }, /* 387 state */ \ + 0,0,0,0,0,0, \ + 0,{~0,} /* io permissions */ \ +} +#else #define INIT_THREAD { \ 0, \ 0, 0, 0, 0, \ @@ -392,6 +431,7 @@ 0,0,0,0,0,0, \ 0,{~0,} /* io permissions */ \ } +#endif #define INIT_TSS { \ 0,0, /* back_link, __blh */ \ diff -urN linux/include/linux/a.out.h linux/include/linux/a.out.h --- linux/include/linux/a.out.h Thu Nov 22 14:46:18 2001 +++ linux/include/linux/a.out.h Tue Mar 5 15:24:42 2002 @@ -37,6 +37,14 @@ M_MIPS2 = 152 /* MIPS R6000/R4000 binary */ }; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +/* Constants for the N_FLAGS field */ +#define F_PAX_PAGEEXEC 1 /* Enforce PAGE_EXEC */ +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */ +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */ +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */ +#endif + #if !defined (N_MAGIC) #define N_MAGIC(exec) ((exec).a_info & 0xffff) #endif @@ -57,6 +65,9 @@ ((exec).a_info = \ ((exec).a_info&0x00ffffff) | (((flags) & 0xff) << 24)) +#ifdef CONFIG_GRKERNSEC_STACK +#define F_STACKEXEC 1 +#endif /* Code indicating object file or impure executable. */ #define OMAGIC 0407 /* Code indicating pure executable. */ diff -urN linux/include/linux/binfmts.h linux/include/linux/binfmts.h --- linux/include/linux/binfmts.h Thu Nov 22 14:46:19 2001 +++ linux/include/linux/binfmts.h Tue Mar 5 15:24:42 2002 @@ -1,6 +1,7 @@ #ifndef _LINUX_BINFMTS_H #define _LINUX_BINFMTS_H +#include #include #include @@ -30,6 +31,10 @@ int argc, envc; char * filename; /* Name of binary */ unsigned long loader, exec; +#ifdef CONFIG_GRKERNSEC_FD + int tweak_fd_mask; + struct file *tweak_fd_null; +#endif }; /* diff -urN linux/include/linux/dcache.h linux/include/linux/dcache.h --- linux/include/linux/dcache.h Thu Nov 22 14:46:18 2001 +++ linux/include/linux/dcache.h Tue Mar 5 15:24:42 2002 @@ -124,6 +124,10 @@ */ #define DCACHE_REFERENCED 0x0008 /* Recently used, don't discard. */ +#define OBJECT_LEVEL_1 0x00010000 +#define OBJECT_LEVEL_2 0x00020000 +#define OBJECT_LEVEL_BITS (OBJECT_LEVEL_1 | OBJECT_LEVEL_2) + extern spinlock_t dcache_lock; /** diff -urN linux/include/linux/elf.h linux/include/linux/elf.h --- linux/include/linux/elf.h Thu Nov 22 14:48:29 2001 +++ linux/include/linux/elf.h Tue Mar 5 15:26:32 2002 @@ -87,6 +87,9 @@ */ #define EM_ALPHA 0x9026 +#ifdef CONFIG_GRKERNSEC_STACK +#define EF_STACKEXEC 1 +#endif /* * This is the old interim value for S/390 architecture */ @@ -255,6 +258,13 @@ #define R_MIPS_LOVENDOR 100 #define R_MIPS_HIVENDOR 127 +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +/* Constants for the e_flags field */ +#define EF_PAX_PAGEEXEC 1 /* 0: Enforce PAGE_EXEC */ +#define EF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ +#define EF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ +#define EF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ +#endif /* * Sparc ELF relocation types diff -urN linux/include/linux/fs.h linux/include/linux/fs.h --- linux/include/linux/fs.h Mon Feb 25 14:38:13 2002 +++ linux/include/linux/fs.h Tue Mar 5 15:24:42 2002 @@ -1048,7 +1048,11 @@ asmlinkage long sys_open(const char *, int, int); asmlinkage long sys_close(unsigned int); /* yes, it's really unsigned */ +#ifdef CONFIG_GRKERNSEC_ACL +extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *); +#else extern int do_truncate(struct dentry *, loff_t start); +#endif extern struct file *filp_open(const char *, int, int); extern struct file * dentry_open(struct dentry *, struct vfsmount *, int); diff -urN linux/include/linux/gracl.h linux/include/linux/gracl.h --- linux/include/linux/gracl.h Wed Dec 31 19:00:00 1969 +++ linux/include/linux/gracl.h Tue Mar 5 08:24:16 2002 @@ -0,0 +1,265 @@ +#ifndef GR_ACL_H +#define GR_ACL_H +#endif +#include +#include + +/* * * * * * * * * * * * * * * * * * * * * + * GrSecurity ACL System + * Main header file + * Purpose: define most gracl data structures + * * * * * * * * * * * * * * * * * * * * */ + +/* Major status information */ + +#define GR_VERSION "grsecurity 2.0" + +enum +{ + + SHUTDOWN = 0, + ENABLE = 1, + CHCAPS = 2, + AUTH = 3, + GOD = 4, + RELOAD = 5, + + /* Number of capabilities + * see include/linux/capability.h */ + CAP_COUNT = 30 +}; + +/* Internal status definitions + * gr_set_proc_label() in kernel/gracl.c + * */ +enum +{ + GR_SET_INHERIT, + GR_SET_AUTH, + GR_SET_PROC +}; + +/* Password setup definitions + * kernel/grhash.c */ +enum +{ + GR_PW_LEN = 129, + GR_SHA_SIZE = 20, + GR_EXTRA_LEN = 1025 +}; + +/* Begin Data Structures */ + + + +struct admin_pw +{ + char pw[GR_PW_LEN]; + char extra[GR_EXTRA_LEN]; + __u8 sum[GR_SHA_SIZE]; /* 160-bit SHA hash of the password*/ + __u8 mode; /* On/Off/Restart*/ +}; + +struct file_label +{ + ino_t inode; + kdev_t device; + __u32 mode; +}; + +/* Begin TBD */ +#if 0 +struct socket_label +{ + unsigned int port; + __u8 mode:1; /* Connect or Bind */ +}; + +struct id_label +{ + __u32 id; + __u8 id_type:1; /* UID or GID */ + __u8 mode; /* execlog/ptrace/etc.*/ + + struct mac_socket * sockets; +}; +#endif +/* end TBD */ + +struct file_db +{ + struct file_label * file_hash; + unsigned long file_size; + unsigned long file_used; +}; + + +struct proc_subject_label +{ + ino_t inode; + kdev_t device; + __u16 mode; + kernel_cap_t cap_raise; + kernel_cap_t cap_lower; + kernel_cap_t cap_raise_inherit; + kernel_cap_t cap_lower_inherit; + /* Keeps track of the capabilities to raise and lower. + * Have to store it this way because users my change the default + * capabilities, and we want to change with them(but still + * keep our custom raised/lowered caps) */ + unsigned long pos; + /* .. used for process object + hashing. Position (i.e. + subject acl number 1..n) */ +}; + + +struct proc_object_label +{ + ino_t inode; + kdev_t device; + __u16 mode; + unsigned long parent_pos; +}; + +struct name_entry +{ + ino_t inode; + kdev_t device; + __u8 mode; + char * name; +}; + +struct proc_subject_db +{ + struct proc_subject_label * proc_hash; + unsigned long proc_size; + unsigned long proc_used; +}; + +struct proc_object_db +{ + struct proc_object_label * proc_hash; + unsigned long proc_size; + unsigned long proc_used; +}; + +struct name_db +{ + struct name_entry * name_hash; + unsigned long name_size; + unsigned long name_used; +}; + +struct temp_file_label +{ + ino_t inode; + kdev_t device; + __u32 mode; +}; + +struct proc_info +{ + ino_t inode; + kdev_t device; + unsigned long pos; +}; + +struct temp_socket_label +{ + unsigned int port; + __u8 mode; +}; + +struct label_info +{ + ino_t inode; + kdev_t device; +}; + + + + +struct cap_entry +{ + char * capname; + kernel_cap_t capval; +}; + +struct capset +{ + struct cap_entry table[CAP_COUNT]; +}; + +/* End Data Structures Section */ + +static __inline__ unsigned long fhash(const ino_t ino,const kdev_t dev, + const unsigned long sz) +{ +return (ino ^ (dev * 797) ) % sz; +} + +static __inline__ unsigned long phash(const ino_t ino, const kdev_t dev, + const unsigned long parent_pos, const unsigned long sz) +{ + /* Okay...parent_pos is the subject acl # (0..n-1 for n subject acls) + * We reuse fhash here for the parent_pos portion of phash() for + * simplicity's sake */ + return ( fhash(ino,dev,~0UL) ^ fhash((ino_t)(parent_pos),0,~0UL) ) + % sz; +} + +static __inline__ unsigned long nhash(const char * name, const unsigned long sz) +{ + return full_name_hash(name,strlen(name)) % sz; +} + + + + + + +/* * * * * * * * * * * * * * * * * * * * + * From this point on, the header + * file for the SHA-1 algorithm + * is defined. This is slightly + * adapted from gnupg. All errors + * are mine, all features are theirs:). + * That is why there is a style + * difference. See kernel/grhash.c + * * * * * * * * * * * * * * * * * * * */ + + + + + + +/* Begin SHA hash section */ +#define GR_SHA1HANDSOFF /* Copies data before messing with it. */ + +struct gr_SHA1_CTX { + unsigned long state[5]; + unsigned long count[2]; + unsigned char buffer[64]; +}; + +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) + +/* blk0() and blk() perform the initial expand. */ +/* I got the idea of expanding during the round function from SSLeay */ +#ifdef __LITTLE_ENDIAN +#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) +#else +#define blk0(i) block->l[i] +#endif /* __LITTLE_ENDIAN */ +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) + + /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); +/* End SHA hash section */ diff -urN linux/include/linux/grdefs.h linux/include/linux/grdefs.h --- linux/include/linux/grdefs.h Wed Dec 31 19:00:00 1969 +++ linux/include/linux/grdefs.h Tue Mar 5 08:24:03 2002 @@ -0,0 +1,162 @@ + +/* Begin Status/Return value declarations */ + +enum +{ + GR_ALLOW = 1, + GR_NOTFOUND = -1, + GR_DENY = 0 +}; + +/* Begin GrSecurity status declarations */ + +enum +{ + GR_READY = 0x01, + GR_1ST = 0x02, + GR_LOADING = 0x04, + GR_PROCFULL = 0x08, + /* Out of memory: Process label tables can no + longer have entries added*/ + GR_NAMEFULL = 0x10, + GR_FILEFULL = 0x20, + GR_STATUS_INIT = GR_1ST +}; + +/* Table Size Defaults (in the form of 2^GR_TABLE_SIZE). Since + * our tables are dynamic, this is just the starting point, set to + * a reasonable value for the predicted number of MAC labels */ +enum +{ + GR_TABLE_SIZE = 8 /* 256 entries by default */ +}; + + +/* Begin ACL declarations */ +enum +{ + GR_READ = 0x01, + GR_APPEND = 0x02, + GR_WRITE = 0x04, + GR_EXEC = 0x08, + GR_HIDDEN = 0x10, + GR_OVERRIDE = 0x20, /* Override File ACL, useful for proc only*/ + GR_PROTECTED = 0x40, + GR_EXISTS = 0x80, /* ACL exists....since our hash table + will have blank entries */ + GR_DELETED = 0x100, + GR_NONEXISTANT = 0x40000000 /* fs/namei.c + * Used to indicate that the file + * we are opening is nonexistant so we + * should examine its parent + * for acl rules */ +}; + +/* File Label declarations (right now used in case we need to combine + * any of preceding flags....like we do for GR_PROC_WRITE below) */ +enum +{ + GR_FILE_READ = GR_READ, + GR_FILE_APPEND = GR_APPEND, + GR_FILE_WRITE = (GR_WRITE | GR_APPEND), + GR_FILE_EXEC = GR_EXEC, + GR_FILE_HIDDEN = GR_HIDDEN +}; + +/* Process label declarations */ + +enum +{ + GR_PROC_READ = GR_READ, + GR_PROC_APPEND = GR_APPEND, + GR_PROC_WRITE = (GR_WRITE|GR_APPEND), + /* write access implies append access*/ + GR_PROC_EXEC = GR_EXEC, + GR_PROC_ACCESS = GR_HIDDEN, + GR_PROC_OVERRIDE = GR_OVERRIDE, + GR_PROC_HIDDEN = GR_HIDDEN, + /* Hidden, unkillable(except by init) process. + * Good for hiding your IDSes / logging daemons:)*/ + GR_PROC_PROTECTED = GR_PROTECTED, + GR_INHERIT = 0x400, + /* Children inherit parent's process acls*/ + GR_AUTH = 0x100, + /* Require secondary authentication before execution*/ + GR_AUTH_IF_ROOT = 0x800, + /* Require secondary authentication IF the user has root privileges */ + GR_PROC_INHERIT = GR_INHERIT, + GR_PROC_AUTH = GR_AUTH, + GR_PROC_AUTH_IF_ROOT = GR_AUTH_IF_ROOT, + GR_PROC_KILL = 0x1000, + GR_PROC_VIEW = 0x2000, + GR_PROC_EXTRA = (GR_PROC_OVERRIDE|GR_PROC_INHERIT|GR_PROC_AUTH) + /* Extra things that must be checked after a search*/ +}; + +/* To be implemented : ID based rulesets */ + +enum +{ + GR_UID = 0x01, + GR_GID = 0x02, + /* for ID acls(to distinguish between UID and GID) */ + GR_ALL = 0x04, + /* for the 1 UID or GID * ACL the user is allowed to set */ + GR_ID_TPE = 0x01, + GR_ID_FORKBOMB = 0x02, + GR_ID_PTRACE = 0x04, + GR_ID_EXECLOG = 0x08 +}; + + +enum +{ + /* For ID acls using ports. Specifies whether a port + * is for binding or connecting */ + GR_SOCKET_BIND = 0x01, + GR_SOCKET_CONNECT = 0x02 +}; + +/* Name hash table declarations. Used when mapping filename->inode/dev + * and to tell whether a particular inode/dev/filename triplet has + * a process subject, process label, and/or file label assigned to it */ +enum +{ + GR_NAME_PROC_SUBJECT = 0x01, + GR_NAME_PROC_OBJECT = 0x02, + GR_NAME_FILE = 0x04 +}; + + +/* If we have an acl for a file that did not exist at initialization, + * set the inode/dev pair to something that will not conflict with + * anything else (since device 0 is the NULL device we're fine :) */ +enum +{ + GR_NOFILE_INODE = 42, + GR_NOFILE_DEVICE = 0 +}; + +#define PROC_CONF "/etc/grsec/proc.acl" +#define FILE_CONF "/etc/grsec/file.acl" +#define PW_CONF "/etc/grsec/pw" +#define ID_CONF "/etc/grsec/id.acl" + + +#define GRADM_ACL CONFIG_GRADM_PATH " fxi" +#define GODMODE_ACL "/ frwxoi" + +enum +{ + SET_AUTH = 1, + SET_INHERIT = 2, + SET_PROC = 3 +}; + +enum +{ + PROC_SUBJ_LABEL_OFFSET = 2 +/* The first two labels, position 0 and 1, are authentication and god modes + * respectively, therefore all added process subject labels must begin + * at offset 2 */ +}; diff -urN linux/include/linux/grhash.h linux/include/linux/grhash.h --- linux/include/linux/grhash.h Wed Dec 31 19:00:00 1969 +++ linux/include/linux/grhash.h Fri Mar 1 08:34:29 2002 @@ -0,0 +1,4 @@ +extern void gr_SHA1Init(struct gr_SHA1_CTX *context); +extern void gr_SHA1Update(struct gr_SHA1_CTX *context, unsigned char *data,unsigned int len); +extern void gr_SHA1Final(unsigned char digest[20],struct gr_SHA1_CTX *context); +extern int chkpw(struct admin_pw *entry); diff -urN linux/include/linux/grsecurity.h linux/include/linux/grsecurity.h --- linux/include/linux/grsecurity.h Wed Dec 31 19:00:00 1969 +++ linux/include/linux/grsecurity.h Tue Mar 5 15:24:42 2002 @@ -0,0 +1,142 @@ +/* * * * * * * * * * * * * * * * * * * * + * Main GrSecurity header file + * * * * * * * * * * * * * * * * * * * */ + +/* Because this header file is used by the other sections of the kernel + * it defines external functions. The actual code in kernel/gracl.c + * uses include/linux/gracl.h. We make sure that that code ignores our + * extern declarations to avoid conflicts */ + +#ifndef GR_ACL_H + +#include +#include +#include + +extern int gr_disable; +extern unsigned long gr_status; +extern int gr_check_hidden_file(struct dentry *dentry, struct vfsmount *mnt); +extern int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt); +extern int gr_search_id(uid_t uid, gid_t gid, __u8 mode); +extern int gr_search_socket(uid_t uid, gid_t gid, __u8 mode, unsigned int port); +extern int gr_set_proc_label(struct dentry *dentry,char *filename, struct vfsmount *mnt); +extern int gr_check_hidden_task(struct task_struct *tsk); +extern int gr_check_protected_task(struct task_struct *tsk); +extern int gr_copy_label(struct task_struct *tsk); +extern int gr_in_auth_mode(void *acl); +extern int gr_proc_handler(ctl_table *table,int write, struct file *filp, void *buffer, size_t *lenp); +extern void gr_handle_delete(const ino_t ino, const kdev_t dev); +extern void gr_handle_create(const char * filename, const struct nameidata *nd); +extern void gr_set_caps(void); +extern int gr_check_create(struct dentry * new_dentry, struct dentry * parent, + struct vfsmount *mnt, __u16 mode); +#endif + +extern spinlock_t task_capability_lock; + +extern __u16 ip_randomid(void); + +extern int grsec_enable_link; +extern int grsec_enable_fifo; +extern int grsec_enable_fd; +extern int grsec_enable_execve; +extern int grsec_enable_forkbomb; +extern int grsec_forkbomb_gid; +extern int grsec_forkbomb_sec; +extern int grsec_forkbomb_max; +extern int grsec_enable_execlog; +extern int grsec_enable_suid; +extern int grsec_enable_suid_root; +extern int grsec_enable_signal; +extern int grsec_enable_coredump; +extern int grsec_enable_forkfail; +extern int grsec_enable_time; +extern int grsec_enable_kbmap; +extern int grsec_enable_dmesg; +extern int grsec_enable_chroot_sig; +extern int grsec_enable_chroot_mount; +extern int grsec_enable_chroot_double; +extern int grsec_enable_chroot_chdir; +extern int grsec_enable_chroot_chmod; +extern int grsec_enable_chroot_mknod; +extern int grsec_enable_chroot_ptrace; +extern int grsec_enable_chroot_nice; +extern int grsec_enable_chroot_execlog; +extern int grsec_enable_chroot_caps; +extern int grsec_enable_tpe; +extern int grsec_tpe_gid; +extern int grsec_enable_tpe_glibc; +extern int grsec_enable_tpe_all; +extern int grsec_enable_ptrace; +extern int grsec_enable_ptrace_group; +extern int grsec_ptrace_gid; +extern int grsec_enable_sidcaps; +extern int grsec_enable_randpid; +extern int grsec_enable_randid; +extern int grsec_enable_randsrc; +extern int grsec_enable_randrpc; +extern int grsec_enable_randping; +extern int grsec_enable_randttl; +extern int grsec_enable_socket_all; +extern int grsec_socket_all_gid; +extern int grsec_enable_socket_client; +extern int grsec_socket_client_gid; +extern int grsec_enable_socket_server; +extern int grsec_socket_server_gid; +extern int grsec_enable_serial_deny; +extern int grsec_enable_phys_deny; +extern int grsec_enable_pseudo_deny; +extern int grsec_enable_ipc; +extern int grsec_audit_gid; +extern int grsec_enable_group; +extern int grsec_enable_audit_ipc; +extern int grsec_enable_audit_ptrace; +extern int grsec_enable_mount; +extern int grsec_enable_chdir; +extern int grsec_lock; + +extern const char *captab_log[30]; +extern struct task_struct *child_reaper; + +#define proc_is_chrooted(tsk_a) ((tsk_a->fs->root->d_inode->i_dev != \ + child_reaper->fs->root->d_inode->i_dev) || \ + (tsk_a->fs->root->d_inode->i_ino != \ + child_reaper->fs->root->d_inode->i_ino)) + +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \ + tsk_b->fs->root->d_inode->i_dev) && \ + (tsk_a->fs->root->d_inode->i_ino == \ + tsk_b->fs->root->d_inode->i_ino)) + +#define DEFAULTSECMSG "(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) " \ + "UID(%d) EUID(%d)" + +#define DEFAULTSECARGS current->comm, current->pid, current->uid, \ + current->euid, current->p_pptr->comm, \ + current->p_pptr->pid, current->p_pptr->uid, \ + current->p_pptr->euid + +#define CHROOTLONGCHECK t->pid && t->fs && t->fs->root && \ + t->fs->root->d_inode && t->p_pptr && \ + current->pid && current->fs && current->fs->root && \ + current->fs->root->d_inode && \ + current->p_pptr && child_reaper && child_reaper->pid && \ + child_reaper->fs && child_reaper->fs->root && \ + child_reaper->fs->root->d_inode && \ + grsec_enable_chroot_sig + +#define is_tty_allowed_for_setid(t_uid,t_uid2,t_uid3,f_name) \ + if(current->tty && (!t_uid || !t_uid2 || !t_uid3) && \ + ((grsec_enable_serial_deny && \ + (current->tty->driver.type == TTY_DRIVER_TYPE_SERIAL)) || \ + (grsec_enable_pseudo_deny && \ + (current->tty->driver.type == TTY_DRIVER_TYPE_PTY)) || \ + (grsec_enable_phys_deny && \ + (current->tty->driver.type == TTY_DRIVER_TYPE_CONSOLE))) \ + ) { \ + security_alert("attempted " f_name " root on " \ + "illegal console by " DEFAULTSECMSG, \ + "attempted " f_name " roots", \ + DEFAULTSECARGS); \ + return -EPERM; \ + } diff -urN linux/include/linux/kernel.h linux/include/linux/kernel.h --- linux/include/linux/kernel.h Mon Feb 25 14:38:13 2002 +++ linux/include/linux/kernel.h Tue Mar 5 15:24:42 2002 @@ -127,6 +127,29 @@ ((unsigned char *)&addr)[2], \ ((unsigned char *)&addr)[3] +#if !defined(CONFIG_GR_DEBUG) && defined(CONFIG_GRKERNSEC) +#define security_alert(normal_msg,flood_msg,args...) \ +({ \ + static unsigned long warning_time = 0, no_flood_yet = 0; \ + static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \ + \ + spin_lock(&security_alert_lock); \ + if(!warning_time || jiffies - warning_time > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \ + warning_time = jiffies; no_flood_yet = 1; \ + printk(KERN_ALERT "grsec: " normal_msg "\n", ## args); \ + } else if (no_flood_yet) { \ + warning_time = jiffies; no_flood_yet = 0; \ + printk(KERN_ALERT "grsec: more " flood_msg \ + ", logging disabled for %d seconds\n",CONFIG_GRKERNSEC_FLOODTIME); \ + } \ + \ + spin_unlock(&security_alert_lock); \ +}) +#else +#define security_alert(normal_msg, flood_msg, args...) \ +printk(KERN_INFO normal_msg "\n", ## args) +#endif + #define HIPQUAD(addr) \ ((unsigned char *)&addr)[3], \ ((unsigned char *)&addr)[2], \ diff -urN linux/include/linux/mm.h linux/include/linux/mm.h --- linux/include/linux/mm.h Fri Dec 21 12:42:03 2001 +++ linux/include/linux/mm.h Tue Mar 5 15:24:42 2002 @@ -103,7 +103,11 @@ #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */ #define VM_RESERVED 0x00080000 /* Don't unmap it from swap_out */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define VM_STACK_FLAGS 0x00000133 +#else #define VM_STACK_FLAGS 0x00000177 +#endif #define VM_READHINTMASK (VM_SEQ_READ | VM_RAND_READ) #define VM_ClearReadHint(v) (v)->vm_flags &= ~VM_READHINTMASK diff -urN linux/include/linux/proc_fs.h linux/include/linux/proc_fs.h --- linux/include/linux/proc_fs.h Thu Nov 22 14:46:23 2001 +++ linux/include/linux/proc_fs.h Tue Mar 5 15:24:49 2002 @@ -137,6 +137,9 @@ extern struct proc_dir_entry *proc_mknod(const char *,mode_t, struct proc_dir_entry *,kdev_t); extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *); +#ifdef CONFIG_GRKERNSEC_PROC +extern struct proc_dir_entry *proc_priv_mkdir(const char *, mode_t mode, struct proc_dir_entry *); +#endif static inline struct proc_dir_entry *create_proc_read_entry(const char *name, mode_t mode, struct proc_dir_entry *base, diff -urN linux/include/linux/sched.h linux/include/linux/sched.h --- linux/include/linux/sched.h Fri Dec 21 12:42:03 2001 +++ linux/include/linux/sched.h Tue Mar 5 15:24:42 2002 @@ -29,6 +29,7 @@ struct exec_domain; + /* * cloning flags: */ @@ -225,6 +226,12 @@ unsigned long cpu_vm_mask; unsigned long swap_address; +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) + unsigned long delta_mmap; /* PaX: randomized offset */ + unsigned long delta_exec; /* PaX: randomized offset */ + unsigned long delta_stack; /* PaX: randomized offset */ +#endif + unsigned dumpable:1; /* Architecture-specific MM context */ @@ -278,6 +285,14 @@ extern struct user_struct root_user; #define INIT_USER (&root_user) +#ifdef CONFIG_GRKERNSEC_ACL +struct proc_label_info +{ + ino_t inode; + kdev_t device; +}; +#endif + struct task_struct { /* * offsets of these are hardcoded elsewhere - touch with care @@ -401,6 +416,12 @@ int (*notifier)(void *priv); void *notifier_data; sigset_t *notifier_mask; + +#ifdef CONFIG_GRKERNSEC_ACL + volatile void * acl; + struct proc_label_info proc_info; + rwlock_t acl_lock; +#endif /* Thread group tracking */ u32 parent_exec_id; @@ -430,6 +451,13 @@ #define PF_USEDFPU 0x00100000 /* task used FPU this quantum (SMP) */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +#define PF_PAX_PAGEEXEC 0x01000000 /* PaX: Enforce PAGE_EXEC */ +#define PF_PAX_EMUTRAMP 0x02000000 /* PaX: Emulate trampolines */ +#define PF_PAX_MPROTECT 0x04000000 /* PaX: Restrict mprotect() */ +#define PF_PAX_RANDMMAP 0x08000000 /* PaX: Randomize mmap() base */ +#endif + /* * Ptrace flags */ @@ -437,9 +465,19 @@ #define PT_PTRACED 0x00000001 #define PT_TRACESYS 0x00000002 #define PT_DTRACE 0x00000004 /* delayed trace (used on m68k, i386) */ +#ifdef CONFIG_GRKERNSEC_STACK +#define PF_STACKEXEC 0x01000000 +#endif #define PT_TRACESYSGOOD 0x00000008 #define PT_PTRACE_CAP 0x00000010 /* ptracer can follow suid-exec */ +#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) +/* PaX: for handling DTLB trashing */ +#define PT_PAX_TRACE 0x00000020 +#define PT_PAX_KEEPTF 0x00000040 +#define PT_PAX_OLDTF 0x00000080 +#endif + /* * Limit the stack by to some sane default: root can always * increase this limit if needed.. 8MB seems reasonable. @@ -460,6 +498,52 @@ * INIT_TASK is used to set up the first task table, touch at * your own risk!. Base=0, limit=0x1fffff (=2MB) */ +#ifdef CONFIG_GRKERNSEC_ACL +#define INIT_TASK(tsk) \ +{ \ + state: 0, \ + flags: 0, \ + sigpending: 0, \ + addr_limit: KERNEL_DS, \ + exec_domain: &default_exec_domain, \ + lock_depth: -1, \ + counter: DEF_COUNTER, \ + nice: DEF_NICE, \ + policy: SCHED_OTHER, \ + mm: NULL, \ + active_mm: &init_mm, \ + cpus_runnable: -1, \ + cpus_allowed: -1, \ + run_list: LIST_HEAD_INIT(tsk.run_list), \ + next_task: &tsk, \ + prev_task: &tsk, \ + p_opptr: &tsk, \ + p_pptr: &tsk, \ + thread_group: LIST_HEAD_INIT(tsk.thread_group), \ + wait_chldexit: __WAIT_QUEUE_HEAD_INITIALIZER(tsk.wait_chldexit),\ + real_timer: { \ + function: it_real_fn \ + }, \ + cap_effective: CAP_INIT_EFF_SET, \ + cap_inheritable: CAP_INIT_INH_SET, \ + cap_permitted: CAP_FULL_SET, \ + keep_capabilities: 0, \ + rlim: INIT_RLIMITS, \ + user: INIT_USER, \ + comm: "swapper", \ + thread: INIT_THREAD, \ + fs: &init_fs, \ + files: &init_files, \ + sigmask_lock: SPIN_LOCK_UNLOCKED, \ + sig: &init_signals, \ + pending: { NULL, &tsk.pending.head, {{0}}}, \ + blocked: {{0}}, \ + alloc_lock: SPIN_LOCK_UNLOCKED, \ + journal_info: NULL, \ + acl: NULL, \ + acl_lock: RW_LOCK_UNLOCKED, \ +} +#else #define INIT_TASK(tsk) \ { \ state: 0, \ @@ -500,8 +584,12 @@ pending: { NULL, &tsk.pending.head, {{0}}}, \ blocked: {{0}}, \ alloc_lock: SPIN_LOCK_UNLOCKED, \ - journal_info: NULL, \ + journal_info: NULL, \ } +#endif + + + #ifndef INIT_TASK_SIZE @@ -723,6 +811,10 @@ return 0; } +#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG +extern const char *captab_log[30]; +#endif + /* * capable() checks for a particular capability. * New privilege checks should use this interface, rather than suser() or @@ -740,6 +832,16 @@ current->flags |= PF_SUPERPRIV; return 1; } +#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG + if(!current->euid) + printk(KERN_INFO "grsec: %s not raised for " + "(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) " + "UID(%d) EUID(%d)\n", captab_log[cap], + current->comm, current->pid, current->uid, + current->euid, current->p_pptr->comm, + current->p_pptr->pid, current->p_pptr->uid, + current->p_pptr->euid); +#endif return 0; } @@ -919,9 +1021,9 @@ rootmnt = mntget(current->fs->rootmnt); root = dget(current->fs->root); read_unlock(¤t->fs->lock); - spin_lock(&dcache_lock); +// spin_lock(&dcache_lock); res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen); - spin_unlock(&dcache_lock); +// spin_unlock(&dcache_lock); dput(root); mntput(rootmnt); return res; diff -urN linux/include/linux/spinlock.h linux/include/linux/spinlock.h --- linux/include/linux/spinlock.h Thu Nov 22 14:46:19 2001 +++ linux/include/linux/spinlock.h Tue Mar 5 15:24:42 2002 @@ -41,7 +41,7 @@ #elif !defined(spin_lock_init) /* !SMP and spin_lock_init not previously defined (e.g. by including asm/spinlock.h */ -#define DEBUG_SPINLOCKS 0 /* 0 == no debugging, 1 == maintain lock state, 2 == full debug */ +#define DEBUG_SPINLOCKS 0 /* 0 == no debugging, 1 == maintain lock state, 2 == full debug */ #if (DEBUG_SPINLOCKS < 1) diff -urN linux/include/linux/sysctl.h linux/include/linux/sysctl.h --- linux/include/linux/sysctl.h Mon Nov 26 08:29:17 2001 +++ linux/include/linux/sysctl.h Tue Mar 5 15:24:42 2002 @@ -124,6 +124,7 @@ KERN_CORE_USES_PID=52, /* int: use core or core.%pid */ KERN_TAINTED=53, /* int: various kernel tainted flags */ KERN_CADPID=54, /* int: PID of the process to notify on CAD */ + KERN_GRSECURITY=68, /* grsecurity */ }; diff -urN linux/include/net/inetpeer.h linux/include/net/inetpeer.h --- linux/include/net/inetpeer.h Mon Feb 25 14:38:13 2002 +++ linux/include/net/inetpeer.h Tue Mar 5 15:26:27 2002 @@ -14,6 +14,11 @@ #include #include #include +#include +#ifdef CONFIG_GRKERNSEC_RANDID +extern int grsec_enable_randid; +extern __u16 ip_randomid(void); +#endif struct inet_peer { @@ -58,6 +63,11 @@ __u16 id; spin_lock_bh(&inet_peer_idlock); +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + id = htons(ip_randomid()); + else +#endif id = p->ip_id_count++; spin_unlock_bh(&inet_peer_idlock); return id; diff -urN linux/include/net/ip.h linux/include/net/ip.h --- linux/include/net/ip.h Thu Nov 22 14:47:15 2001 +++ linux/include/net/ip.h Tue Mar 5 15:26:27 2002 @@ -196,6 +196,11 @@ * does not change, they drop every other packet in * a TCP stream using header compression. */ +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + iph->id = htons(ip_randomid()); + else +#endif iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0); } else __ip_select_ident(iph, dst); diff -urN linux/init/main.c linux/init/main.c --- linux/init/main.c Mon Feb 25 14:38:13 2002 +++ linux/init/main.c Mon Feb 25 16:09:02 2002 @@ -69,6 +69,11 @@ #include #endif +#ifdef CONFIG_GRKERNSEC_ACL +#include +#endif + + /* * Versions of gcc older than that listed below may actually compile * and link okay, but the end product can have subtle run time bugs. @@ -110,6 +115,12 @@ extern void perfmon_init(void); #endif +#ifdef CONFIG_GRKERNSEC_ACL +static __init int gr_setup(char *line); +#endif + + + /* * Boot command-line arguments */ @@ -310,6 +321,20 @@ } __setup("root=", root_dev_setup); + +#ifdef CONFIG_GRKERNSEC_ACL +static int __init gr_setup(char *str) +{ +#ifdef CONFIG_GR_DEBUG + security_alert("gracl: got %.3s at startup","",str); +#endif + if( *str == '0' || ( !(strcmp(str,"off")) ) ) + gr_disable = 1; + return 1; +} +__setup("gracl",gr_setup); +#endif + static int __init checksetup(char *line) { diff -urN linux/ipc/msg.c linux/ipc/msg.c --- linux/ipc/msg.c Fri Sep 14 17:17:00 2001 +++ linux/ipc/msg.c Mon Feb 25 16:09:02 2002 @@ -23,6 +23,9 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC) +#include +#endif #include "util.h" /* sysctl: */ @@ -127,7 +130,14 @@ kfree(msq); return -ENOSPC; } +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + msq->q_perm.mode = (msgflg & ~current->fs->umask); + else + msq->q_perm.mode = (msgflg & S_IRWXUGO); +#else msq->q_perm.mode = (msgflg & S_IRWXUGO); +#endif msq->q_perm.key = key; msq->q_stime = msq->q_rtime = 0; @@ -326,6 +336,16 @@ msg_unlock(id); } up(&msg_ids.sem); + +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc && (ret >= 0) && (msgflg & IPC_CREAT)) + printk(KERN_INFO "grsec: message queue created by " DEFAULTSECMSG "\n", DEFAULTSECARGS); +#endif + return ret; } @@ -545,8 +565,17 @@ ipcp->uid = setbuf.uid; ipcp->gid = setbuf.gid; +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + ipcp->mode = (ipcp->mode & ~current->fs->umask) | + (~current->fs->umask & setbuf.mode); + else + ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | + (S_IRWXUGO & setbuf.mode); +#else ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | (S_IRWXUGO & setbuf.mode); +#endif msq->q_ctime = CURRENT_TIME; /* sleeping receivers might be excluded by * stricter permissions. @@ -560,6 +589,14 @@ break; } case IPC_RMID: +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc) + printk(KERN_INFO "grsec: message queue of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", ipcp->uid,ipcp->cuid, DEFAULTSECARGS); +#endif freeque (msqid); break; } diff -urN linux/ipc/sem.c linux/ipc/sem.c --- linux/ipc/sem.c Sun Sep 30 15:26:42 2001 +++ linux/ipc/sem.c Mon Feb 25 16:09:02 2002 @@ -63,6 +63,9 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC) +#include +#endif #include "util.h" @@ -135,7 +138,14 @@ } used_sems += nsems; +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + sma->sem_perm.mode = (semflg & ~current->fs->umask); + else + sma->sem_perm.mode = (semflg & S_IRWXUGO); +#else sma->sem_perm.mode = (semflg & S_IRWXUGO); +#endif sma->sem_perm.key = key; sma->sem_base = (struct sem *) &sma[1]; @@ -181,6 +191,15 @@ } up(&sem_ids.sem); + +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc && (err >= 0) && (semflg & IPC_CREAT)) + printk(KERN_INFO "grsec: semaphore created by " DEFAULTSECMSG "\n", DEFAULTSECARGS); +#endif return err; } @@ -727,14 +746,31 @@ switch(cmd){ case IPC_RMID: +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc) + printk(KERN_INFO "grsec: semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", ipcp->uid, ipcp->cuid, DEFAULTSECARGS); +#endif freeary(semid); err = 0; break; case IPC_SET: ipcp->uid = setbuf.uid; ipcp->gid = setbuf.gid; +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + ipcp->mode = (ipcp->mode & ~current->fs->umask) + | (setbuf.mode & ~current->fs->umask); + else + ipcp->mode = (ipcp->mode & ~S_IRWXUGO) + | (setbuf.mode & S_IRWXUGO); +#else ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | (setbuf.mode & S_IRWXUGO); +#endif sma->sem_ctime = CURRENT_TIME; sem_unlock(semid); err = 0; diff -urN linux/ipc/shm.c linux/ipc/shm.c --- linux/ipc/shm.c Fri Dec 21 12:42:04 2001 +++ linux/ipc/shm.c Mon Feb 25 16:09:02 2002 @@ -23,6 +23,9 @@ #include #include #include +#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC) +#include +#endif #include "util.h" @@ -202,7 +205,14 @@ if(id == -1) goto no_id; shp->shm_perm.key = key; +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + shp->shm_flags = (shmflg & ~current->fs->umask); + else + shp->shm_flags = (shmflg & S_IRWXUGO); +#else shp->shm_flags = (shmflg & S_IRWXUGO); +#endif shp->shm_cprid = current->pid; shp->shm_lprid = 0; shp->shm_atim = shp->shm_dtim = 0; @@ -252,6 +262,15 @@ shm_unlock(id); } up(&shm_ids.sem); + +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc && (err >= 0) && (shmflg & IPC_CREAT)) + printk(KERN_INFO "grsec: shared memory of size %d created by " DEFAULTSECMSG "\n", size, DEFAULTSECARGS); +#endif return err; } @@ -507,6 +526,16 @@ err=-EPERM; goto out_unlock_up; } +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + if( +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + grsec_enable_group && in_group_p(grsec_audit_gid) && +#endif + grsec_enable_audit_ipc && !err) + printk(KERN_INFO "grsec: shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", shp->shm_perm.uid, shp->shm_perm.cuid, DEFAULTSECARGS); +#endif + + if (shp->shm_nattch){ shp->shm_flags |= SHM_DEST; /* Do not find it any more */ @@ -541,8 +570,17 @@ shp->shm_perm.uid = setbuf.uid; shp->shm_perm.gid = setbuf.gid; +#ifdef CONFIG_GRKERNSEC_IPC + if(grsec_enable_ipc) + shp->shm_flags = (shp->shm_flags & ~current->fs->umask) + | (setbuf.mode & ~current->fs->umask); + else + shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO) + | (setbuf.mode & S_IRWXUGO); +#else shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO) | (setbuf.mode & S_IRWXUGO); +#endif shp->shm_ctim = CURRENT_TIME; break; } diff -urN linux/kernel/Makefile linux/kernel/Makefile --- linux/kernel/Makefile Mon Sep 17 00:22:40 2001 +++ linux/kernel/Makefile Mon Feb 25 16:09:02 2002 @@ -14,11 +14,12 @@ obj-y = sched.o dma.o fork.o exec_domain.o panic.o printk.o \ module.o exit.o itimer.o info.o time.o softirq.o resource.o \ sysctl.o acct.o capability.o ptrace.o timer.o user.o \ - signal.o sys.o kmod.o context.o + signal.o sys.o grsecurity.o kmod.o context.o obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += ksyms.o obj-$(CONFIG_PM) += pm.o +obj-$(CONFIG_GRKERNSEC_ACL) += gracl.o grhash.o ifneq ($(CONFIG_IA64),y) # According to Alan Modra , the -fno-omit-frame-pointer is diff -urN linux/kernel/fork.c linux/kernel/fork.c --- linux/kernel/fork.c Mon Feb 25 14:38:13 2002 +++ linux/kernel/fork.c Mon Feb 25 16:09:02 2002 @@ -21,6 +21,11 @@ #include #include +#if defined(CONFIG_GRKERNSEC_FORKFAIL)||defined(CONFIG_GRKERNSEC_RANDPID) \ + || defined(CONFIG_GRKERNSEC_FORKBOMB) || defined(CONFIG_GRKERNSEC_ACL) +#include +#endif + #include #include #include @@ -92,32 +97,62 @@ spin_lock(&lastpid_lock); if((++last_pid) & 0xffff8000) { +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid || (current->p_pptr->pid < 1)) +#endif last_pid = 300; /* Skip daemons etc. */ goto inside; } - if(last_pid >= next_safe) { + if(last_pid >= +#ifdef CONFIG_GRKERNSEC_RANDPID + (grsec_enable_randpid && (current->p_pptr->pid >= 1))?2: +#endif + next_safe) { inside: +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid || (current->p_pptr->pid < 1)) +#endif next_safe = PID_MAX; read_lock(&tasklist_lock); repeat: +#ifdef CONFIG_GRKERNSEC_RANDPID + if (grsec_enable_randpid && (current->p_pptr->pid >= 1)) { + do { + last_pid = ip_randomid() % PID_MAX; + } while (last_pid <= 1); + } +#endif + for_each_task(p) { if(p->pid == last_pid || p->pgrp == last_pid || p->tgid == last_pid || p->session == last_pid) { - if(++last_pid >= next_safe) { + if( +#ifdef CONFIG_GRKERNSEC_RANDPID + (!grsec_enable_randpid || + (current->p_pptr->pid < 1)) && +#endif + ++last_pid >= next_safe) { if(last_pid & 0xffff8000) last_pid = 300; next_safe = PID_MAX; } goto repeat; } +#ifdef CONFIG_GRKERNSEC_RANDPID + if(!grsec_enable_randpid || + (current->p_pptr->pid < 1)){ +#endif if(p->pid > last_pid && next_safe > p->pid) next_safe = p->pid; if(p->pgrp > last_pid && next_safe > p->pgrp) next_safe = p->pgrp; if(p->session > last_pid && next_safe > p->session) next_safe = p->session; +#ifdef CONFIG_GRKERNSEC_RANDPID + } +#endif } read_unlock(&tasklist_lock); } @@ -568,6 +603,39 @@ int retval; struct task_struct *p; struct completion vfork; +#ifdef CONFIG_GRKERNSEC_FORKBOMB + int fork_user; + int sec_forks = 0; + int user_tasks = 0; + unsigned long curr_time = jiffies; + +fork_user = current->uid; +if(grsec_enable_forkbomb) { +if(in_group_p(grsec_forkbomb_gid) && fork_user){ + read_lock(&tasklist_lock); + for_each_task(p) + { + if ((p->uid) == fork_user) + { + user_tasks++; + if ( (curr_time - (p->start_time)) <= 100) + sec_forks++; + } + } + read_unlock(&tasklist_lock); + + if (user_tasks >= grsec_forkbomb_max){ + security_alert("max process limit reached with " + DEFAULTSECMSG,"max proc limits reached",DEFAULTSECARGS); + return(kill_pg(current->pgrp,SIGKILL,0)); + } else if (sec_forks >= grsec_forkbomb_sec){ + security_alert("fork rate-limit reached with " + DEFAULTSECMSG,"fork rate-limits reached", DEFAULTSECARGS); + return(kill_pg(current->pgrp,SIGKILL,0)); + } +} +} +#endif retval = -EPERM; @@ -671,6 +739,11 @@ goto bad_fork_cleanup_fs; if (copy_mm(clone_flags, p)) goto bad_fork_cleanup_sighand; +#if CONFIG_GRKERNSEC_ACL + if (gr_copy_label(p)) + goto bad_fork_cleanup_sighand; +#endif + retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs); if (retval) goto bad_fork_cleanup_mm; @@ -757,6 +830,11 @@ free_uid(p->user); bad_fork_free: free_task_struct(p); +#ifdef CONFIG_GRKERNSEC_FORKFAIL + if(grsec_enable_forkfail) + security_alert("failed fork with errno %d by " DEFAULTSECMSG, + "failed forks",retval, DEFAULTSECARGS); +#endif goto fork_out; } diff -urN linux/kernel/gracl.c linux/kernel/gracl.c --- linux/kernel/gracl.c Wed Dec 31 19:00:00 1969 +++ linux/kernel/gracl.c Tue Mar 5 08:22:48 2002 @@ -0,0 +1,2415 @@ +/* + * linux/kernel/gracl.c + * Copyright Michael Dalton, 2000, 2001, 2002 + * + */ + +/* + * Reimplemented pretty much everything. dynamic hash tables rock. + * 2/23/2001 - + */ + +/* The ACLs here can be thought of as a lattice of + * type, program, and UID/GID. When attempting to access + * X, we check X's restrction(file restrictions for file labels, + * in later versions, socket/port restrictions for their respective type), + * as well as the program accessing X's restrctions, and the user running + * that program's restrction. + * So for X, P(X), and U(X) where P(X) is the process running X and + * U(X) is the User running P(X), + * Permission Check(X) && Permission Check(P(X)) && Permission Check(U(X)) + * must all succeed for the action to be allowed. See documentation + * for more information:). */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static struct proc_subject_db proc_subj_set; +static struct proc_object_db proc_obj_set; +static struct file_db file_set; +static struct name_db name_set; + + +static rwlock_t gr_list_lock = RW_LOCK_UNLOCKED; + +unsigned long gr_status = GR_STATUS_INIT; + +int gr_disable = 0; + +struct admin_pw pwent; +static struct capset caplist = +{ + { + { "CAP_CHOWN", CAP_CHOWN}, + { "CAP_DAC_OVERRIDE",CAP_DAC_OVERRIDE}, + { "CAP_DAC_READ_SEARCH",CAP_DAC_READ_SEARCH}, + { "CAP_FOWNER", CAP_FOWNER}, + { "CAP_FSETID", CAP_FSETID}, + { "CAP_FS_MASK",CAP_FS_MASK}, + { "CAP_KILL", CAP_KILL}, + { "CAP_SETGID", CAP_SETGID}, + { "CAP_SETUID", CAP_SETUID}, + { "CAP_SETPCAP", CAP_SETPCAP}, + { "CAP_LINUX_IMMUTABLE", CAP_LINUX_IMMUTABLE}, + { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE}, + { "CAP_NET_BROADCAST", CAP_NET_BROADCAST}, + { "CAP_NET_ADMIN", CAP_NET_ADMIN}, + { "CAP_NET_RAW", CAP_NET_RAW}, + { "CAP_IPC_LOCK", CAP_IPC_LOCK}, + { "CAP_IPC_OWNER", CAP_IPC_OWNER}, + { "CAP_SYS_MODULE", CAP_SYS_MODULE}, + { "CAP_SYS_RAWIO", CAP_SYS_RAWIO}, + { "CAP_SYS_CHROOT", CAP_SYS_CHROOT}, + { "CAP_SYS_PTRACE", CAP_SYS_PTRACE}, + { "CAP_SYS_PACCT", CAP_SYS_PACCT}, + { "CAP_SYS_ADMIN", CAP_SYS_ADMIN}, + { "CAP_SYS_BOOT", CAP_SYS_BOOT}, + { "CAP_SYS_NICE", CAP_SYS_NICE}, + { "CAP_SYS_RESOURCE", CAP_SYS_RESOURCE}, + { "CAP_SYS_TIME", CAP_SYS_TIME}, + { "CAP_SYS_TTY_CONFIG", CAP_SYS_TTY_CONFIG}, + { "CAP_MKNOD", CAP_MKNOD}, + { "CAP_LEASE", CAP_LEASE} + } +}; + + + +static struct proc_subject_label god = + { + inode : 1, + mode: GR_PROC_KILL + |GR_PROC_VIEW, + cap_raise: CAP_FULL_SET, + + }; +static struct proc_subject_label auth = + { + inode: 2, + pos: 1 + }; + +extern kdev_t ROOT_DEV; + +static unsigned long table_sizes [] = +{ + 1,2,3,7,13,31,61,127, + 251,509,1021,2039,4093,8191,16381,32749, + 65521,131071,262139,524287,1048573,2097143, + 4194301,8388593,16777213,33554393,67108859, + 134217689,268435399,536870909,1073741789, + 2147483647 + +}; + +/* The table_sizes array maps requests for tables of size 2^0 through 2^31 + * Starting at 2^2 all requests are met with prime numbers. We stop at 2^31 + * for sanity's sake, and since most machines use 32-bit words. Extending + * this to 64-bit words would be trivial. After a request for tables of + * 2^31 in size, we simply return the previous table size * 2. For + * empirical information on this, see Algorithms in C, Vol. 3 + * (Sedgewick, 606) which details a setup with dynamic hash tables and + * linear probing, much like our setup. Notice that our prime number + * sizes are table_sizes[n] is the prime number closest to but < 2^n + * For example table_sizes[7] = 127 and 2^7 = 128 */ + + +static void realloc_proc_object_table(unsigned long pwr); +static void realloc_proc_subject_table(unsigned long pwr); +static void realloc_file_table(unsigned long pwr); +static void realloc_name_table(unsigned long pwr); +#ifdef CONFIG_GR_SUPERDEBUG +static void list_procs(void); +static void list_files(void); +static void list_names(void); +#endif + +static __inline__ struct proc_subject_label * lookup_proc_subj_label(const + ino_t ino, const kdev_t dev) +{ + struct proc_subject_label * match = + &proc_subj_set.proc_hash[fhash(ino,dev,proc_subj_set.proc_size)]; + while(match->inode != ino || match->device !=dev) + { + match += 1 % proc_subj_set.proc_size; + if(!(match->mode & GR_EXISTS)) break; + } + return ( (match->inode == ino) && (match->device == dev) ) + ? match : NULL; +} + + +static __inline__ struct proc_object_label * lookup_proc_obj_label(const + ino_t ino, const kdev_t dev, const unsigned long parent_pos) +{ + struct proc_object_label * match = + &proc_obj_set.proc_hash[phash(ino,dev,parent_pos, + proc_obj_set.proc_size)]; + while(match->inode != ino || match->device != dev + || match->parent_pos != parent_pos) + { + match += 1 % proc_obj_set.proc_size; + if(!(match->mode & GR_EXISTS)) break; + } + return ( (match->inode == ino) && (match->device == dev) + && (match->parent_pos == parent_pos) )? match : NULL; +} + + +static __inline__ struct file_label * lookup_file_label(const ino_t ino, + const kdev_t dev) +{ + struct file_label * match = + &file_set.file_hash[fhash(ino,dev,file_set.file_size)]; + while(match->inode != ino || match->device !=dev) + { + match += 1 % file_set.file_size; + if(!(match->mode & GR_EXISTS)) break; + } + return ( (match->inode == ino) && (match->device == dev) ) + ? match : NULL; +} + +static __inline__ struct name_entry * lookup_name_entry(const char * name) +{ + struct name_entry * match = + &name_set.name_hash[nhash(name,name_set.name_size)]; + while( (match->mode & GR_EXISTS) && (strcmp(match->name,name)) != 0) + { + match += 1 % name_set.name_size; + } + if(!match->name) return NULL; + return ( (strcmp(name,match->name)) == 0 ) ? match : NULL; +} + +static int insert_proc_obj_label(struct proc_object_label *obj, + const char * conffile, unsigned int linenum) +{ + static int reallocs; /* the bss is set to 0 on boot..no need to do = 0 */ + struct proc_object_label * curr = + &proc_obj_set.proc_hash[phash(obj->inode,obj->device, + obj->parent_pos,proc_obj_set.proc_size)]; + unsigned long old_size = proc_obj_set.proc_size; + while(curr->mode & GR_EXISTS) + { +#ifdef CONFIG_GR_DEBUG + static int once = 0; + if(!once) + { + security_alert("Hey, I had a process object label collision(I am %ld " + "%d)","",obj->inode,obj->device); + once = 1; + } +#endif + if(curr->inode == obj->inode && curr->device == obj->device + && curr->parent_pos == obj->parent_pos) + { + security_alert("Duplicate entries in config file %s" + " at line %d","duplicate entries", + conffile,linenum); + return 1; + } + curr = ++curr > &proc_obj_set.proc_hash[proc_obj_set.proc_size-1] + ? proc_obj_set.proc_hash : curr; + } + curr->inode = obj->inode; + curr->device = obj->device; + curr->mode = obj->mode; + curr->parent_pos = obj->parent_pos; + if(++proc_obj_set.proc_used >= (proc_obj_set.proc_size / 2)) + { + realloc_proc_object_table(GR_TABLE_SIZE + ++reallocs); + if(proc_obj_set.proc_size == old_size) + { + /* Hey..the reallocation failed..we're out of memory + * so we are unable to add any more process MAC labels*/ + gr_status |= GR_PROCFULL; + } + } + + return 0; + +} + + +static int insert_proc_subj_label(struct proc_subject_label *obj, + const char * conffile, unsigned int linenum) +{ + static int reallocs; + struct proc_subject_label * curr = + &proc_subj_set.proc_hash[fhash(obj->inode,obj->device, + proc_subj_set.proc_size)]; + unsigned long old_size = proc_subj_set.proc_size; + while(curr->mode & GR_EXISTS) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Hey, I had a process subject label collision(I am %ld " + "%d )","",curr->inode,curr->device); +#endif + if(curr->inode == obj->inode && curr->device == obj->device) + { + security_alert("Duplicate entries in config file %s " + "at line %d","duplicate entries", + conffile,linenum); + return 1; + } + + curr = ++curr > &proc_subj_set.proc_hash + [proc_subj_set.proc_size-1] ? proc_subj_set.proc_hash : curr; + } + curr->inode = obj->inode; + curr->device = obj->device; + curr->cap_raise = obj->cap_raise; + curr->cap_lower = obj->cap_lower; + curr->cap_raise_inherit = obj->cap_raise_inherit; + curr->cap_lower_inherit = obj->cap_lower_inherit; + curr->mode = obj->mode; + curr->pos = obj->pos; + if(++proc_subj_set.proc_used >= (proc_subj_set.proc_size / 2)) + { + realloc_proc_subject_table(GR_TABLE_SIZE + ++reallocs); + if(proc_subj_set.proc_size == old_size) + gr_status |= GR_PROCFULL; + } + + return 0; + +} + +static int insert_file_label(struct file_label *obj, const char * conffile, + unsigned int linenum) +{ + static int reallocs; + struct file_label * curr = + &file_set.file_hash[fhash(obj->inode,obj->device, + file_set.file_size)]; + unsigned long old_size = file_set.file_size; + while(curr->mode & GR_EXISTS) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Hey, I had a file label collision(I am %ld %d )","", + curr->inode,curr->device); +#endif + if(curr->inode == obj->inode && curr->device == obj->device) + { + security_alert("Duplicate entries in config file %s" + " at line %d","duplicate entries", + conffile,linenum); + return 1; + } + curr = ++curr > &file_set.file_hash[file_set.file_size - 1] ? + file_set.file_hash : curr; + } + curr->inode = obj->inode; + curr->device = obj->device; + curr->mode = obj->mode; + + if(++file_set.file_used >= (file_set.file_size / 2)) + { + realloc_file_table(GR_TABLE_SIZE + ++reallocs); + if(file_set.file_size == old_size) + gr_status |= GR_FILEFULL; + } + return 0; +} + + +static int insert_name_entry(char *name, ino_t ino,kdev_t dev, __u8 mode) + +{ + static int reallocs; + struct name_entry * curr = + &name_set.name_hash[nhash(name,name_set.name_size)]; + unsigned long old_size = name_set.name_size; + while(curr->mode & GR_EXISTS) + { + if(!(strcmp(name,curr->name))) break; +#ifdef CONFIG_GR_DEBUG + security_alert("Hey, I had a name entry collision(I am %s and " + "I collided with %s)","", + name,curr->name); +#endif + curr = ++curr > &name_set.name_hash[name_set.name_size - 1] ? + name_set.name_hash : curr; + } + + /* Duplicate entries are actually expected here..the same filename + * might be associated with a process subject acl and a file acl + * for instance */ + + curr->inode = ino; + curr->device = dev; + curr->mode |= mode; + if(!curr->name) + { + curr->name = kmalloc(strlen(name) + 1,GFP_KERNEL); + if(!curr->name) return 1; + strncpy(curr->name,name,strlen(name)+1); + curr->name[strlen(name)] = '\0'; + } + + if((++name_set.name_used >= name_set.name_size / 2)) + { + realloc_name_table(GR_TABLE_SIZE + ++reallocs); + if(name_set.name_size == old_size) + gr_status |= GR_NAMEFULL; + } + return 0; +} + + + +/* Create a table(requesting size close to 2^pwr entrie of member size) + * and replace the current table size with the new one. + * We use prime table sizes until we reach the bounds of 32-bit word machines + * Once we reach there we simply double the table size */ + + +static void * create_table(unsigned long pwr, unsigned long * len, unsigned long member) +{ + void * newtable; + if(pwr > (sizeof(table_sizes)/sizeof(table_sizes[0]) - 1)) + { + newtable = kmalloc((*len) * 2 * member,GFP_KERNEL); + *len = (*len) * 2; + } + else + { + newtable = kmalloc(table_sizes[pwr] * member,GFP_KERNEL); + *len = table_sizes[pwr]; + } + return newtable; +} + + +static void realloc_proc_object_table(unsigned long pwr) +{ + struct proc_object_label * oldtable = proc_obj_set.proc_hash; + unsigned long oldlen = proc_obj_set.proc_size; + int i; + + proc_obj_set.proc_hash = (struct proc_object_label *) create_table(pwr, + &proc_obj_set.proc_size, + sizeof(struct proc_object_label)); + if(!proc_obj_set.proc_hash) + { + proc_obj_set.proc_hash = oldtable; + proc_obj_set.proc_size = oldlen; + return; + } + memset(proc_obj_set.proc_hash,0, + (sizeof(struct proc_object_label) * (proc_obj_set.proc_size))); + for(i = 0; i < oldlen; i++) + { + if(oldtable[i].mode & GR_EXISTS) + { + insert_proc_obj_label(&oldtable[i],"error",0); + } + } + + kfree(oldtable); + return; +} + + +static void realloc_proc_subject_table(unsigned long pwr) +{ + struct proc_subject_label * oldtable = proc_subj_set.proc_hash; + unsigned long oldlen = proc_subj_set.proc_size; + int i; + + + proc_subj_set.proc_hash = (struct proc_subject_label *) create_table(pwr,&proc_subj_set.proc_size,sizeof(struct proc_subject_label)); + if(!proc_subj_set.proc_hash) + { + proc_subj_set.proc_hash = oldtable; + proc_subj_set.proc_size = oldlen; + return; + } + + memset(proc_subj_set.proc_hash,0, + (sizeof(struct proc_subject_label) * (proc_subj_set.proc_size))); + for(i = 0; i < oldlen; i++) + if(oldtable[i].mode & GR_EXISTS) + { + insert_proc_subj_label(&oldtable[i],"error",0); + } + kfree(oldtable); + return; +} + +static void realloc_file_table(unsigned long pwr) +{ + struct file_label * oldtable = file_set.file_hash; + unsigned long oldlen = file_set.file_size; + int i; + + + file_set.file_hash = (struct file_label *) create_table(pwr, + &file_set.file_size,sizeof(struct file_label)); + if(!file_set.file_hash) + { + file_set.file_hash = oldtable; + file_set.file_size = oldlen; + return; + } + + memset(file_set.file_hash,0, + (sizeof(struct file_label) * (file_set.file_size))); + for(i = 0; i < oldlen; i++) + if(oldtable[i].mode & GR_EXISTS) + { + insert_file_label(&oldtable[i],"error",0); + } + kfree(oldtable); + return; +} + + +static void realloc_name_table(unsigned long pwr) +{ + struct name_entry * oldtable = name_set.name_hash; + unsigned long oldlen = name_set.name_size; + int i; + + + name_set.name_hash = (struct name_entry *) create_table(pwr, + &name_set.name_size,sizeof(struct name_entry)); + if(!name_set.name_hash) + { + name_set.name_hash = oldtable; + name_set.name_size = oldlen; + return; + } + + memset(name_set.name_hash,0, + (sizeof(struct name_entry) * (name_set.name_size))); + for(i = 0; i < oldlen; i++) + if(oldtable[i].mode & GR_EXISTS) + { + insert_name_entry(oldtable[i].name,oldtable[i].inode, + oldtable[i].device,oldtable[i].mode); + kfree(oldtable[i].name); + } + kfree(oldtable); + return; +} + + +#ifdef CONFIG_GR_SUPERDEBUG + +static void list_names(void) +{ + int i; + struct name_entry * curr; + + for(i = 0; i < name_set.name_size;i++) + { + curr = &name_set.name_hash[i]; + if( curr->mode & GR_EXISTS) + security_alert("Name Entry pos %d has inode %ld dev %d " + "mode %x name %s","",i,curr->inode, + curr->device,curr->mode,curr->name); + } +} + +static void list_files(void) +{ + int i; + struct file_label *curr; + for(i=0;imode & GR_EXISTS) + security_alert("File ACL pos %d has inode %ld dev %d mode %x","", + i,curr->inode,curr->device, + curr->mode); + } +} + +static void list_procs(void) +{ + int i; + struct proc_subject_label * curr; + struct proc_object_label *curr2; + for(i = 0; i < proc_subj_set.proc_size; i++) + { + curr = &proc_subj_set.proc_hash[i]; + if(curr->mode & GR_EXISTS) + security_alert("MAC Subject pos %d has inode %ld dev %d " + "mode %x pos %ld","",i,curr->inode, + curr->device, + curr->mode,curr->pos); + } + for(i = 0; i < proc_obj_set.proc_size;i++) + { + curr2 = &proc_obj_set.proc_hash[i]; + if(curr2->mode & GR_EXISTS) + security_alert("MAC Object pos %d has inode %ld dev %d mode %x" + " parent %ld","",i,curr2->inode,curr2->device,curr2->mode, + curr2->parent_pos); + } + + +} + + +#else +#define list_procs() do {} while(0); +#define list_files() do{} while(0); +#endif + +/* * * * * * * * * * * * * * * * * * * * * * * * * * * + * Config file management + * Yikes! If anyone has cleanup ideas I'd love to hear em + * * * * * * * * * * * * * * * * * * * * * * * * * * */ + + +static kernel_cap_t cap_conv(char *p) +{ + kernel_cap_t cap; + int i; + char tmp; + char *q; + cap_t(cap) = 0; + if(!p) return cap; + if( (q = memscan(p,'\n',strlen(p))) != p + strlen(p)) + *q = '\0'; + + while(isspace(*p)) p++; + if( (strncmp(p,"CAP",3)) != 0) + goto out; + + q = p; + while(!isspace(*q) && (*q != '\0')) q++; + tmp = *q; + *q = '\0'; + + for(i=0;if_op->read)) ) + { + security_alert("Could not open config file %.1024s", + "config file open errors", + PW_CONF); + return 1; + } + filp->f_pos = 0; + set_fs(KERNEL_DS); + retval = filp->f_op->read(filp,pwent.sum,sizeof(pwent.sum)/sizeof(pwent.sum[0]), + &filp->f_pos); + set_fs(old_fs); + if(retval != sizeof(pwent.sum)/sizeof(pwent.sum[0])) + { + security_alert("Invalid pw entry detected, got %d wanted %d", + "password file errors", + retval,sizeof(pwent.sum)); + retval = 1; + } else retval = 0; + filp_close(filp,NULL); + return retval; +} + +static int add_file_label(char *line, const char *conffile, unsigned int linenum) +{ + char *p, *q; + struct nameidata filedata; + int working = 1; + int null_perms = 0; + struct file_label curr; + + if( (p = memscan(line,'/',strlen(line))) == line + strlen(line) ) + { + if(is_blank(line)) + return 0; + else { + security_alert("Could not find a '/' in \"%.1024s\" of" + " line %d in config %.128s","",line, + linenum,conffile); + return 0; + } + + } + + q = p; + while(!isspace(*q)) + { + if(*q == '\0') { + null_perms = 1; + break; + } + q++; + } + + *q++ = '\0'; + + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filedata)) + if(path_walk(p,&filedata)) + { + security_alert("Unable to locate file %.1024s on line %d of %s","",p,linenum, conffile); + return 0; + } + curr.inode = filedata.dentry->d_inode->i_ino; + curr.device = filedata.dentry->d_inode->i_dev; + curr.mode = GR_EXISTS; + + if(null_perms) goto create; + + while(isspace(*q)) q++; + + while(working) { + switch(*q) { + case 'r' : + curr.mode |= GR_FILE_READ; + q++; + break; + case 'h' : + curr.mode |= GR_FILE_HIDDEN; + q++; + break; + case 'a' : + curr.mode |= GR_FILE_APPEND; + q++; + break; + case 'w' : + curr.mode |= GR_FILE_WRITE; + q++; + break; + case 'x': + curr.mode |= GR_FILE_EXEC; + q++; + break; + default: /* if anything else, the '\0' at the end of the line will hit here and cause us to terminate, so it won't go on indefinately and start accessing memory it shouldn't*/ + working = 0; + break; + } + } +#ifdef CONFIG_GR_DEBUG +// security_alert("Adding File ACL %ld %d mode %x","", +// curr.inode,curr.device,curr.mode); +#endif +create: + if(!(gr_status & GR_NAMEFULL)) + insert_name_entry(p,curr.inode,curr.device, GR_EXISTS|GR_NAME_FILE); + insert_file_label(&curr,conffile,linenum); + path_release(&filedata); + return 0; +} + + + + +static int add_proc_obj_label(char *line, struct proc_info *parent, const char *conffile, unsigned int linenum) +{ + char *p, *q, *tmp; + struct nameidata nd; + int working = 1; + int null_perms = 0; + struct proc_object_label curr; + + if ((p = memscan (line,'/',strlen(line))) == (line+strlen(line))) { + if( (p = memscan(line,'+',strlen(line)) ) != line + strlen(line) ) { + struct proc_subject_label *match = + lookup_proc_subj_label(parent->inode, parent->device); + if(match) + { + q = p; + p++; + while(*q != 'i' && *q != '\0') + q++; + if(*q == 'i') + match->cap_raise_inherit |= + cap_conv(p); + + match->cap_raise |= cap_conv(p); + } + return 0; + } else if ( (p = memscan(line,'-',strlen(line)) ) != + line + strlen(line) ) { + struct proc_subject_label *match = + lookup_proc_subj_label(parent->inode, + parent->device); + if(match) + { + q = p; + p++; + while(*q != 'i' && *q != '\0') + q++; + if(*q == 'i') + match->cap_lower_inherit |= + cap_conv(p); + + match->cap_lower |= cap_conv(p); + } + return 0; + } else if(is_blank(line)) + return 0; + else { + security_alert("Could not find a '/' in \"%.1024s\" of" + " line %d in config %.128s","",line, + linenum,conffile); + return 0; + } + } + + + q = p; + while(!(isspace(*q)) ) + { + if(*q == '\0') { + null_perms = 1; + break; + } + q++; + } + *q = '\0'; + tmp = q; + q++; + + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&nd)) + if(path_walk(p,&nd)) + { + security_alert("Unable to locate file %.1024s on line %d of %s","",p,linenum, conffile); + return 0; + } + + curr.inode = nd.dentry->d_inode->i_ino; + curr.device = nd.dentry->d_inode->i_dev; + curr.parent_pos = parent->pos; + curr.mode = GR_EXISTS; + + if(null_perms) goto create; + + while(isspace(*q)) q++; + + while(working) { + switch(*q) { + case 'r' : + curr.mode |= GR_PROC_READ; + q++; + break; + case 'w' : + curr.mode |= GR_PROC_WRITE; + q++; + break; + case 'x' : + curr.mode |= GR_PROC_EXEC; + q++; + break; + case 'a' : + curr.mode |= GR_PROC_APPEND; + q++; + break; + case 'f': + curr.mode |= GR_PROC_ACCESS; + q++; + break; + case 'o': + curr.mode |= GR_PROC_OVERRIDE; + q++; + break; + case 'u' : + curr.mode |= GR_PROC_AUTH; + q++; + break; + case 'R' : + curr.mode |= GR_PROC_AUTH_IF_ROOT; + q++; + break; + case 'i' : + curr.mode |= GR_PROC_INHERIT; + q++; + break; + default: + working = 0; + break; + } + } +#ifdef CONFIG_GR_DEBUG + security_alert("About to insert Object %ld %d %.1024s mode %x parent %ld", "", + curr.inode,curr.device,line,curr.mode,curr.parent_pos); +#endif +create: + if(!(gr_status & GR_NAMEFULL)) + insert_name_entry(p,curr.inode,curr.device, + GR_EXISTS|GR_NAME_PROC_OBJECT); + insert_proc_obj_label(&curr,conffile,linenum); + path_release(&nd); + if(!null_perms) + *tmp = ' '; + return 0; +} + +static int add_proc_subj_label(char * line, struct proc_info * currinfo, const char *conffile, unsigned int linenum) +{ + char *p, *q; + struct nameidata filed; + struct dentry * file; + int working; + struct proc_subject_label curr; + + if ((p = memscan (line,'/',strlen(line))) == (line+strlen(line))) + { + if(is_blank(line)) + return 1; + else + { + security_alert("Could not find a '/' in \"%.1024s\"" + " of line %d in config %.128s","", + line,linenum,conffile); + return 1; + } + } + + q = p; + + while(!isspace(*q)) + { + if(*q == '\0') return 1; + q++; + } + + *q++ = '\0'; + + if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filed) ) + if(path_walk(p,&filed)) + { + security_alert("Add file error for file %.1024s","",p); + return 1; + } + file = filed.dentry; + curr.mode = GR_EXISTS; + currinfo->inode = curr.inode = file->d_inode->i_ino; + currinfo->device = curr.device = file->d_inode->i_dev; + curr.pos = currinfo->pos; + + while(isspace(*q)) q++; + working = 1; + while(working) + { + switch(*q) + { + case 'p': + curr.mode |= GR_PROC_PROTECTED; + q++; + break; + case 'h': + curr.mode |= GR_PROC_HIDDEN; + q++; + break; + case 'k': + curr.mode |= GR_PROC_KILL; + q++; + break; + case 'v' : + curr.mode |= GR_PROC_VIEW; + q++; + break; + default: + working = 0; + } + } + curr.cap_raise = CAP_EMPTY_SET; + curr.cap_lower = CAP_EMPTY_SET; + curr.cap_raise_inherit = CAP_EMPTY_SET; + curr.cap_lower_inherit = CAP_EMPTY_SET; +#ifdef CONFIG_GR_DEBUG + security_alert("Added program (full entry) with inode %ld dev %d " + "mode %x line %.1024s", "", + curr.inode,curr.device,curr.mode,line); +#endif + if(!(gr_status & GR_NAMEFULL)) + insert_name_entry(p,curr.inode,curr.device, + GR_EXISTS|GR_NAME_PROC_SUBJECT); + insert_proc_subj_label(&curr,conffile,linenum); + path_release(&filed); + return 0; +} + + + +static int add_line(char *line, int type, const char *conffile, unsigned int linenum) +{ + static int mode; + char *p; + + static struct proc_info currinfo = + { + pos: PROC_SUBJ_LABEL_OFFSET + }; + + /* mode = 0 : we are ready for a new program acl + * mode = 1 : we are in the middle of reading a program acl*/ + switch(type) + { + case 1 : if(gr_status & GR_FILEFULL) + return 0; + else + return add_file_label(line,conffile,linenum); + break; + case 0 : break; /* handled below*/ + default: security_alert("Unknown type %d passed","",type); + return 1; + break; + } + + if(gr_status & GR_PROCFULL) + return 0; + if(!mode) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Adding process subject label %s","",line); +#endif + if( !(add_proc_subj_label(line,&currinfo,conffile,linenum)) ) + mode = 1; + return 0; + } + + else if( (p=memscan(line,'}',strlen(line))) != (line + strlen(line)) ) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Finishing process subject label (%s)","",line); +#endif + currinfo.pos++; + mode = 0; + return 0; + } else + { + if( (p = memscan(line,'{',strlen(line))) != + (line + strlen(line))) + *p = ' '; + /* Replace the { with a ' ' so that it will be ignored by + * add_proc_obj_label. Reason is for lines like + * { where an acl and a { are on the same line */ +#ifdef CONFIG_GR_DEBUG + security_alert("Adding process object label %s","",line); +#endif + return add_proc_obj_label(line,&currinfo,conffile,linenum); + } +} + +static int init_variables(void) +{ + struct proc_info authinfo = + { + inode : auth.inode, + device: auth.device, + pos: auth.pos + }; + + struct proc_info godinfo = + { + inode: god.inode, + device: god.device, + pos: god.pos + }; + + + file_set.file_hash = create_table(GR_TABLE_SIZE, + &file_set.file_size, + sizeof(struct file_label)); + proc_subj_set.proc_hash = create_table(GR_TABLE_SIZE, + &proc_subj_set.proc_size, + sizeof(struct proc_subject_label)); + proc_obj_set.proc_hash = create_table(GR_TABLE_SIZE, + &proc_obj_set.proc_size, + sizeof(struct proc_object_label)); + name_set.name_hash = create_table(GR_TABLE_SIZE, + &name_set.name_size, + sizeof(struct name_entry)); + memset(file_set.file_hash,0,sizeof(struct file_label) * + file_set.file_size); + memset(proc_subj_set.proc_hash,0,sizeof(struct proc_subject_label) * + proc_subj_set.proc_size); + memset(proc_obj_set.proc_hash,0,sizeof(struct proc_object_label) * + proc_obj_set.proc_size); + memset(name_set.name_hash,0,sizeof(struct name_entry) * + name_set.name_size); + + proc_subj_set.proc_used = proc_obj_set.proc_used = + file_set.file_used = name_set.name_used = 0; + + if(!proc_subj_set.proc_hash || !proc_obj_set.proc_hash + || !file_set.file_hash || !name_set.name_hash) + return 1; + + if(insert_proc_subj_label(&god,"boot_conf",1)) + return 1; + else if(insert_proc_subj_label(&auth,"boot_conf",2)) + return 1; + else if( (add_proc_obj_label(GRADM_ACL,&authinfo,"boot_conf",1)) ) + return 1; + else if( (add_proc_obj_label(GODMODE_ACL,&godinfo,"boot_conf", 2)) ) + return 1; + else if( (add_proc_obj_label("/etc/ld.so.preload r",&authinfo, "boot_conf", 3)) ) + return 1; + else if( (add_proc_obj_label("/etc/ld.so.conf r",&authinfo, "boot_conf", 4)) ) + return 1; + else if( (add_proc_obj_label("/lib rxi",&authinfo, "boot_conf", 5)) ) + return 1; + else if( (add_proc_obj_label("/usr/lib rxi",&authinfo, "boot_conf",6)) ) + return 1; + else if( (add_proc_obj_label("/usr/local/lib rxi",&authinfo, "boot_conf", 7))) + return 1; + else if( (add_proc_obj_label("/dev/tty rw",&authinfo,"boot_conf",8))) + return 1; + else if( (add_proc_obj_label("/proc/sys/kernel/grsecurity w",&authinfo,"boot_conf",9))) + return 1; + + /* The Authentication mode will take over before execve() completes. + * There it must allow programs access to their libraries. The + * programs will need to perform terminal i/o at least to inform + * the user that they are in authentication mode, although + * the user can do nothing but exec gradm. If there is some + * executable in any of the lib directories and the attacker + * manages to execute them, it matters not because this restrictive + * authentication acl is inherited. */ + return 0; +} + +static void free_variables(void) +{ + kfree(proc_subj_set.proc_hash); + kfree(proc_obj_set.proc_hash); + kfree(file_set.file_hash); + kfree(name_set.name_hash); +} + + +static int conf_parse(const char *conffile,const int type) +{ + /* Purpose: open and read from gracl config file */ + struct file *filp; + int bytes_read = 0, end = 0, obv_fatal = 0; + unsigned int linenum = 0; + char buffer[1024]; + char *filepos = NULL,*memscanp = NULL; + mm_segment_t old_fs = get_fs(); + filepos = buffer; + filp = filp_open(conffile, O_RDONLY, O_RDONLY); + if( (filp == NULL) || !filp->f_op->read || IS_ERR(filp) ) + { + security_alert("Could not open config file %.1024s","",conffile); + + obv_fatal = 1; + return obv_fatal; + } else if ( filp->f_op->read == NULL ) + { + fput(filp); + obv_fatal = 2; + return obv_fatal; + } + filp->f_pos = 0; + /* end error checking, now for the real work */ + while ( ! end ) + { + filepos = buffer; + /* if current task isn't from the kernel, we'll + have a current->addr_limit.seg that isn't 0xFFFFFFFF + + and we can't have that */ + set_fs(KERNEL_DS); + bytes_read = filp->f_op->read (filp,buffer, + (sizeof(buffer)/sizeof(buffer[0])), + &filp->f_pos); + filp->f_pos -= bytes_read; + set_fs(old_fs); + if(bytes_read < (sizeof(buffer)/sizeof(buffer[0])) ) { + end = 1; + filepos[bytes_read++] = '\n'; /* make sure it ends on a '\n' */ + } + + while ( bytes_read > 0 && ( memscanp = + memscan(filepos,'\n',bytes_read) ) != + filepos + bytes_read ) + { + linenum++; + *memscanp++ = '\0' ; + filp->f_pos += (int) (memscanp - filepos); + bytes_read -= (int) (memscanp - filepos); + /* necessary for later strlen()'s...*/ + if(!is_valid_line(filepos)) { + security_alert("Invalid line in %s line %d", "", conffile, linenum); + return 1; + } else { + if( (*filepos != '#')) + if(add_line(filepos,type,conffile,linenum)) + return 1; + } + filepos = memscanp; /* next area to search .. */ + } + } + filp_close(filp,NULL); + return obv_fatal; +} + +static int grsecurity_init(void) +{ + int error = 0; + + gr_status &= ~(GR_PROCFULL|GR_FILEFULL|GR_NAMEFULL); + + if(init_variables() ) + { + security_alert("init_variables() failed for %s","",GR_VERSION); + error = -1; + } + else if(add_pw_conf()) + { + security_alert("add_pw_conf() failed for %s","",GR_VERSION); + error = -2; + } + else if (conf_parse(PROC_CONF,0)) + { + security_alert("conf_parse(%s) failed for %s","",PROC_CONF, + GR_VERSION); + error = -3; + } + else if(conf_parse(FILE_CONF,1)) + { + security_alert("conf_parse(%s) failed for %s","",FILE_CONF, + GR_VERSION); + error = -4; + } + //else if(conf_parse(ID_CONF,2)) + // error = -5; + + if(!error) + { + struct task_struct * task; + +#ifdef CONFIG_GR_SUPERDEBUG + list_procs(); + list_files(); + list_names(); +#endif + + spin_lock(&task_capability_lock); + read_lock(&tasklist_lock); + for_each_task(task) + { + struct proc_subject_label * curr = NULL; + + if(task->acl != &god + && task->acl != &auth) + { + write_lock(&task->acl_lock); + if(task->proc_info.inode >= PROC_SUBJ_LABEL_OFFSET + || task->proc_info.device >= + PROC_SUBJ_LABEL_OFFSET) + curr = lookup_proc_subj_label( + task->proc_info.inode, + task->proc_info.device); + if(curr) + { + + task->acl = curr; + task->cap_permitted = + cap_intersect(task->cap_permitted, + cap_bset); + task->cap_permitted = + cap_combine(task->cap_permitted, + curr->cap_raise); + task->cap_permitted = + cap_drop(task->cap_permitted, + curr->cap_lower) ; + task->cap_effective = + task->cap_permitted; + task->cap_inheritable = + cap_combine(task->cap_inheritable, curr->cap_raise_inherit); + + task->cap_inheritable = + cap_drop(task->cap_inheritable, curr->cap_lower_inherit); + +#ifdef CONFIG_GR_DEBUG + security_alert("Applied ACL to already " + "running process %s(%d):%ld %d" + ,"",task->comm,task->pid, + curr->inode, + curr->device); + +#endif + } else { + task->acl = NULL; + task->cap_permitted = + cap_intersect(cap_bset, + task->cap_permitted); + task->cap_effective = + cap_intersect(cap_bset, + task->cap_effective); + task->cap_inheritable = + cap_intersect(cap_bset, + task->cap_inheritable); + } + write_unlock(&task->acl_lock); + } + } + read_unlock(&tasklist_lock); + spin_unlock(&task_capability_lock); + gr_status |= GR_READY; + }else { + security_alert("Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use gracl=off from your boot loader","error loading acls",GR_VERSION); + } + return error; +} + +/* * * * * * * * * * * * * * * * * * * * * * * + * Begin Misc Section + * * * * * * * * * * * * * * * * * * * * * * */ + +/* Searching stuff, program exit cleanup, and sysctl parsing */ + + +static __inline__ int do_file_label_search(struct temp_file_label *curr) +{ + struct file_label * match = lookup_file_label(curr->inode,curr->device); + if(!match || (match->mode & GR_DELETED)) return GR_NOTFOUND; + if((match->mode & curr->mode) == curr->mode) + { +#ifdef CONFIG_GR_DEBUG + // security_alert("Program %s allowed for file with inode %ld %d" + // " by file label", + // "",current->comm,curr->inode,curr->device); +#endif + return GR_ALLOW; + } + else + { +#ifdef CONFIG_GR_DEBUG + if(!(curr->mode & GR_HIDDEN)) + { + security_alert("Program %s denied for file with inode " + "%ld %d by file label(requested %x," + "allowed %x)","", current->comm, + curr->inode,curr->device,curr->mode, + match->mode); + } +#endif + return GR_DENY; + } +} + +static __inline__ int do_proc_acl_search(struct proc_subject_label *proc,struct temp_file_label *curr) +{ + + struct proc_object_label * match = + lookup_proc_obj_label(curr->inode,curr->device,proc->pos); + + if(!match || (match->mode & GR_DELETED)) return GR_NOTFOUND; + if( (match->mode & curr->mode) == curr->mode) + { +#ifdef CONFIG_GR_DEBUG + // security_alert("Program %s allowed for file with inode %ld %d" + // " by program label", + // "",current->comm,curr->inode,curr->device); +#endif + curr->mode |= (match->mode & GR_PROC_EXTRA); + return GR_ALLOW; + } + else + { +#ifdef CONFIG_GR_DEBUG + security_alert("Program %s denied for file with inode %ld %d" + " by program label(wanted %x got %x)", + "",current->comm,match->inode,match->device, + curr->mode,match->mode); +#endif + return GR_DENY; + } +} + +static __inline__ struct proc_subject_label * do_find_proc(struct proc_subject_label *curr) +{ + + struct proc_subject_label * retval = + lookup_proc_subj_label(curr->inode,curr->device); + if(retval && !(retval->mode & GR_DELETED) ) + return retval; + return NULL; +} + + + + + +static __inline__ int chk_proc_obj_labels(struct dentry * dentry, struct temp_file_label *searchval, struct vfsmount *mnt) +{ + struct dentry *curr = dentry; + int retval = GR_NOTFOUND; + struct nameidata tmp = {NULL, NULL}; + struct vfsmount *parent; + struct proc_subject_label *curracl = (struct proc_subject_label *) current->acl; + +loop : + spin_lock(&dcache_lock); + do + { + if(!curr || !curr->d_inode) break; + searchval->inode = curr->d_inode->i_ino; + searchval->device = curr->d_inode->i_dev; + read_lock(&gr_list_lock); + retval = do_proc_acl_search(curracl,searchval); + read_unlock(&gr_list_lock); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (retval == GR_NOTFOUND) ); + + spin_unlock(&dcache_lock); + + if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != + ROOT_DEV ) + { + if(tmp.mnt) + { + if(tmp.mnt == tmp.mnt->mnt_parent) goto exit; + } + else if(mnt == mnt->mnt_parent) goto exit; + + + if(!tmp.mnt) + { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else + { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + return retval == GR_NOTFOUND ? GR_DENY : retval; + /* if its not in a program's ACL list it should be denied */ + +} + +static __inline__ int chk_file_labels(struct dentry * dentry, struct temp_file_label *searchval, struct vfsmount *mnt) +{ + struct dentry *curr = dentry; + int retval = GR_NOTFOUND; + struct vfsmount *parent; + struct nameidata tmp = {NULL,NULL}; + + +loop: + spin_lock(&dcache_lock); + do + { + if(!curr || !curr->d_inode) break; + searchval->inode = curr->d_inode->i_ino; + searchval->device = curr->d_inode->i_dev; + read_lock(&gr_list_lock); + retval = do_file_label_search(searchval); + read_unlock(&gr_list_lock); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (retval == GR_NOTFOUND) ); + + spin_unlock(&dcache_lock); + + if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev + != ROOT_DEV ) + { + if(tmp.mnt) + { + if(tmp.mnt == tmp.mnt->mnt_parent) goto exit; + } + else if(mnt == mnt->mnt_parent) goto exit; + if(!tmp.mnt) + { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else + { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + return retval; +} + +static struct proc_subject_label * chk_proc_subj_labels(struct dentry *dentry, + struct vfsmount *mnt) +{ + struct vfsmount *parent; + struct nameidata tmp = {NULL, NULL}; + struct proc_subject_label curracl, *retval = NULL; + struct dentry *curr = dentry; + +loop: + spin_lock(&dcache_lock); + do + { + + if(!curr->d_inode) break; + curracl.inode = curr->d_inode->i_ino; + curracl.device = curr->d_inode->i_dev; + read_lock(&gr_list_lock); + retval = do_find_proc(&curracl); + read_unlock(&gr_list_lock); + if(curr->d_inode == curr->d_parent->d_inode) break; + curr = curr->d_parent; + } while( (curr) && (!retval) ); + + spin_unlock(&dcache_lock); + + if(!retval && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV) + { + if(tmp.mnt) + { + if(tmp.mnt == tmp.mnt->mnt_parent) + goto exit; + } + else if(mnt == mnt->mnt_parent) + goto exit; + + if(!tmp.mnt) + { + tmp.mnt = mnt->mnt_parent; + tmp.dentry = dget(mnt->mnt_mountpoint); + + } + + else + { + parent = tmp.mnt->mnt_parent; + dput(tmp.dentry); + tmp.dentry = dget(tmp.mnt->mnt_mountpoint); + mntput(tmp.mnt); + tmp.mnt = parent; + } + mntget(tmp.mnt); + curr = tmp.dentry; + goto loop; + } +exit: + if(tmp.mnt) mntput(tmp.mnt); + if(tmp.dentry) dput(tmp.dentry); + + return retval; + +} + + +static int __inline__ chk_inherit(struct dentry *dentry, struct vfsmount *mnt) +{ + struct temp_file_label temp; + temp.mode = GR_PROC_INHERIT; + if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW) + return 1; + return 0; +} + +static int __inline__ chk_auth(struct dentry *dentry, struct vfsmount *mnt) +{ + struct temp_file_label temp; + temp.mode = GR_PROC_AUTH; + if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW) + return 1; + else if(!current->uid || !current->gid || !current->euid + || !current->egid || !current->suid || !current->sgid + || !current->fsuid || !current->fsgid) + { + temp.mode = GR_PROC_AUTH_IF_ROOT; + if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW) + return 1; + } + return 0; +} + + + + + +int gr_check_hidden_file(struct dentry *dentry, struct vfsmount *mnt) +{ + /* This has to be done a little differently than a normal search. + * If a file "allows" hidden access it is hidden, and thus requires + * a process that has hidden file access capabilities to access it. + * If the file acl denies hidden access/has no acl then no proc acl + * check is needed*/ + struct temp_file_label searchval; + int retval = GR_ALLOW; + if((gr_status & GR_READY) && dentry && mnt) + { + searchval.mode = GR_HIDDEN; + + if( (chk_file_labels(dentry,&searchval,mnt)) == GR_ALLOW) + { + if(current->acl) + { + read_lock(¤t->acl_lock); + retval = chk_proc_obj_labels(dentry,&searchval + ,mnt); + read_unlock(¤t->acl_lock); + } + else retval = GR_DENY; + } + } + return retval; +} + +int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt); +/* I will fix this later brad, bah, I'm tired :D */ + +int gr_check_create(struct dentry * new_dentry, struct dentry * parent, + struct vfsmount * mnt, __u16 mode) +{ + struct name_entry * match; + struct proc_object_label * matchpo; + struct file_label * matchf; + int retval = GR_NOTFOUND; + char * buffer; + char * pathname; + + if(!(gr_status & GR_READY)) return GR_ALLOW; + + buffer = (char *) get_free_page(GFP_KERNEL); + if(!buffer) return GR_DENY; /* OOM : can't let anything get through */ + + pathname = d_path(new_dentry,mnt,buffer,PAGE_SIZE); + + read_lock(&gr_list_lock); + + match = lookup_name_entry(pathname); + + if(!match || !(match->mode & GR_EXISTS)) + { + free_page((unsigned long)buffer); + goto check_parent; + } + + if(current->acl && (match->mode & GR_NAME_PROC_OBJECT)) + { + struct proc_subject_label * curracl; + read_lock(¤t->acl_lock); + curracl = (struct proc_subject_label *) current->acl; + if(curracl && ( (matchpo = + lookup_proc_obj_label(match->inode,match->device, + curracl->pos) ) != NULL) ) + { + if((matchpo->mode & mode) != mode) + { + read_unlock(¤t->acl_lock); + read_unlock(&gr_list_lock); + retval = GR_DENY; + goto exit; + } else retval = GR_ALLOW; + } + read_unlock(¤t->acl_lock); + } + + if( (match->mode & GR_NAME_FILE) && ( + (matchf = lookup_file_label(match->inode,match->device)) + != NULL) ) + { + if((matchf->mode & mode) != mode) + { + read_unlock(&gr_list_lock); + retval = GR_DENY; + goto exit; + } else retval = GR_ALLOW; + } +check_parent: + read_unlock(&gr_list_lock); + if(retval != GR_NOTFOUND) goto exit; + + retval = gr_search_file(parent,mode,mnt); + +exit: + free_page((unsigned long)buffer); + return retval; +} + + +int gr_check_hidden_task(struct task_struct * task) +{ + struct proc_subject_label * acl; + int retval = 0; + if( (gr_status & GR_READY) && task->acl) + { + read_lock(&task->acl_lock); + acl = (struct proc_subject_label *) task->acl; + if(acl && (acl->mode & GR_PROC_HIDDEN)) + { + struct proc_subject_label * curracl; + if(current->acl) + { + read_lock(¤t->acl_lock); + curracl = (struct proc_subject_label *) + current->acl; + if(!curracl || !(curracl->mode & GR_PROC_VIEW)) + { + retval = 1; + } + read_unlock(¤t->acl_lock); + } else retval = 1; + } + read_unlock(&task->acl_lock); + } + return retval; +} + +int gr_check_protected_task(struct task_struct *tsk) +{ + int retval = 0; + + if( (gr_status & GR_READY) && tsk) + { + struct proc_subject_label *acl; + if(tsk->acl) + { + read_lock(&tsk->acl_lock); + acl = (struct proc_subject_label *) tsk->acl; + if(acl && (acl->mode & GR_PROC_PROTECTED)) + { + if(current->acl) + { + struct proc_subject_label * curracl; + read_lock(¤t->acl_lock); + curracl = (struct proc_subject_label *) + current->acl; + if(!curracl || !(curracl->mode & + GR_PROC_KILL)) + retval = 1; + read_unlock(¤t->acl_lock); + } else retval = 1; + + } + read_unlock(&tsk->acl_lock); + } + + } + return retval; +} + + +int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt) +{ + int proc_retval = GR_NOTFOUND, file_retval = GR_NOTFOUND; + int retval = GR_ALLOW; + if(gr_status & GR_READY) + { + if(dentry && dentry->d_inode && mnt) + { + struct temp_file_label searchval; + + searchval.mode = mode; + if(current->acl) + { + read_lock(¤t->acl_lock); + if(!current->acl) + { + read_unlock(¤t->acl_lock); + goto file_checks; + } + /* Okay..slight race condition but + * nothing truly significant. current->acl + * could change in between check and read_lock, + * but its change would only reflect the + * current status of the process AND + * we read lock before we do any work, + * so its rather insignificant */ + + if( ( proc_retval = + chk_proc_obj_labels(dentry, + &searchval, mnt) ) + == GR_DENY) + { + retval = GR_DENY; + goto out_unlock; + } + } + + if( (proc_retval == GR_ALLOW) && + (searchval.mode & GR_PROC_OVERRIDE)) + { + retval = GR_ALLOW; + goto out_unlock; + } + searchval.mode &= ~GR_PROC_EXTRA; +file_checks: + + if( (file_retval = chk_file_labels(dentry,&searchval, + mnt)) == GR_DENY) + { + retval = GR_DENY; + goto out_unlock; + } + + if( (proc_retval != file_retval) + || (proc_retval == GR_NOTFOUND)) + { + retval = GR_ALLOW; + goto out_unlock; + } + } else + goto out; + /* hmm we got passed something funky.. + better safe than sorry */ + } else + goto out; +out_unlock: + if(current->acl) + read_unlock(¤t->acl_lock); + +out: return retval; /* Else both returned GR_NOTFOUND..must be the default*/ +} + +__inline__ int gr_copy_label(struct task_struct *tsk) +{ + /* We don't need to lock task...because task is being created + * in do_fork() so it can't be modified anywhere else as it has + * yet to be a true process. see kernel/fork.c + * Also pointer assignmetn is atomic, either current->acl will + * be there or be NULL, there is no reason to lock*/ + tsk->acl = current->acl; + tsk->acl_lock = RW_LOCK_UNLOCKED; + read_lock(&tasklist_lock); + if(current->p_pptr->acl) + { + struct proc_subject_label * acl; + read_lock(¤t->p_pptr->acl_lock); + acl = (struct proc_subject_label *) current->acl; + if(acl && (acl->cap_raise_inherit || acl->cap_lower_inherit)) + { + tsk->cap_effective |= acl->cap_raise_inherit; + tsk->cap_permitted |= acl->cap_raise_inherit; + tsk->cap_inheritable |= acl->cap_raise_inherit; + tsk->cap_effective &= ~acl->cap_lower_inherit; + tsk->cap_permitted &= ~acl->cap_lower_inherit; + tsk->cap_inheritable &= ~acl->cap_lower_inherit; + } + read_unlock(¤t->p_pptr->acl_lock); + } + read_unlock(&tasklist_lock); + return 0; +} + + + +static int do_auth(struct task_struct *tsk) +{ +#define GR_AUTH_MSG "Authorize yourself to GrSecurity please\n" + + char *p = GR_AUTH_MSG; + int ret = 0; + if(!(tsk->tty) || (!tsk->tty->driver.write)) + { + ret = 1; + goto out; + } + tsk->tty->driver.write(tsk->tty,0,p,strlen(p)); + tsk->acl = (void *)&auth; + + +out: + return ret; +} + + +static unsigned long do_set_proc_label(struct dentry * dentry, struct vfsmount * mnt, int mode) +{ + switch(mode) + { + case GR_SET_AUTH: + return chk_auth(dentry,mnt); + break; + case GR_SET_INHERIT: + return chk_inherit(dentry,mnt); + break; + case GR_SET_PROC: + return (unsigned long) chk_proc_subj_labels(dentry,mnt); + break; + } + return 0; +} + + +static int do_inherit(struct task_struct *tsk) +{ + return 0; + /* Note: for copying due to fork() we use the code the gracl code in + * kernel/fork.c. If we're inheriting then our current ACL + * (that of the program calling execve) is the ACL we inherit, + * so no work needs to be done. Just return success + */ +} + + +int gr_set_proc_label(struct dentry *dentry,char *filename, struct vfsmount *mnt) +{ + struct task_struct *tsk = current; + int retval = 0; + + if(dentry && dentry->d_inode) + { + tsk->proc_info.inode = dentry->d_inode->i_ino; + tsk->proc_info.device = dentry->d_inode->i_dev; + } + + else + { + tsk->proc_info.inode = GR_NOFILE_INODE; + tsk->proc_info.device = GR_NOFILE_DEVICE; + } + + read_lock(&gr_list_lock); + + if( (gr_status & GR_READY) && dentry && mnt) + { + struct proc_subject_label *curracl; + + + curracl = (struct proc_subject_label *) tsk->acl; + if(curracl) + { + + if(do_set_proc_label(dentry,mnt,GR_SET_INHERIT)) + { + read_unlock(&gr_list_lock); + return do_inherit(tsk); + } + + else if(do_set_proc_label(dentry,mnt,GR_SET_AUTH)) + { + read_unlock(&gr_list_lock); + return do_auth(tsk); + } + } + tsk->acl = (struct proc_subject_label *) + do_set_proc_label(dentry, + mnt,GR_SET_PROC); + + } else tsk->acl = NULL; + + read_unlock(&gr_list_lock); + + return retval; +} + +void gr_set_caps(void) +{ + if(gr_status & GR_READY) + { + read_lock(&gr_list_lock); + + if(current->acl) + { + struct proc_subject_label * curracl = + (struct proc_subject_label *) current->acl; + current->cap_permitted = cap_combine( + current->cap_permitted, + curracl->cap_raise); + current->cap_permitted = cap_drop( + current->cap_permitted, + curracl->cap_lower); + current->cap_effective = + current->cap_permitted; + current->cap_inheritable = cap_combine( + current->cap_inheritable, curracl->cap_raise_inherit); + current->cap_inheritable = cap_drop( + current->cap_inheritable, curracl->cap_lower_inherit); + + } + + read_unlock(&gr_list_lock); + } +} + +int gr_in_auth_mode(void * acl) +{ + return (acl == &auth); +} + +void gr_handle_delete(const ino_t ino, const kdev_t dev) +{ + struct file_label *matchf; + struct proc_object_label *matchpo; + struct proc_subject_label *matchps; + unsigned long i; + + if(! (gr_status & GR_READY) ) return; + + + read_lock(&gr_list_lock); + + if( (matchf = lookup_file_label(ino,dev) ) != NULL ) + { +#ifdef CONFIG_GR_DEBUG + security_alert("File acl %ld %d deleted","",ino,dev); +#endif + matchf->mode |= GR_DELETED; + } + + for(i = 0; i < proc_subj_set.proc_used; i++) + { + if( (matchpo = lookup_proc_obj_label(ino,dev, + (unsigned long)i) ) != NULL) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Proc Obj acl %ld %d pos %ld deleted","",ino,dev,i); +#endif + matchpo->mode |= GR_DELETED; + } + } + + if( (matchps = lookup_proc_subj_label(ino,dev) ) != NULL) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Proc subj acl %ld %d deleted","",ino,dev); +#endif + matchps->mode |= GR_DELETED; + } + + read_unlock(&gr_list_lock); +} + +static __inline__ void move_proc_obj_label(struct proc_object_label *po, + const ino_t newino, const kdev_t newdev) +{ + struct proc_object_label insert = + { + inode: newino, + device: newdev, + mode: po->mode & ~GR_DELETED, + parent_pos: po->parent_pos + }; + + po->mode &= ~GR_EXISTS; + proc_obj_set.proc_used--; + insert_proc_obj_label(&insert,"error",0); + +} + + +static __inline__ void move_proc_subj_label(struct proc_subject_label *ps, + const ino_t newino, const kdev_t newdev) +{ + struct task_struct *p; + struct proc_subject_label insert = + { + inode: newino, + device: newdev, + mode: ps->mode & ~GR_DELETED, + cap_raise: ps->cap_raise, + cap_lower: ps->cap_lower, + cap_raise_inherit: ps->cap_raise_inherit, + cap_lower_inherit: ps->cap_lower_inherit, + pos: ps->pos + }; + + ps->mode &= ~GR_EXISTS; + proc_subj_set.proc_used--; + insert_proc_subj_label(&insert,"error",0); + read_lock(&tasklist_lock); + for_each_task(p) + { + if(p->acl == ps) + { + write_lock(&p->acl_lock); + if(p->acl == ps) + p->acl = lookup_proc_subj_label(newino,newdev); + write_unlock(&p->acl_lock); + } + } + read_unlock(&tasklist_lock); +} + + +static __inline__ void move_file_label(struct file_label *f, + const ino_t newino, const kdev_t newdev) +{ + struct file_label insert = + { + inode: newino, + device: newdev, + mode: f->mode & ~GR_DELETED, + }; + + f->mode &= ~GR_EXISTS; + file_set.file_used--; + insert_file_label(&insert,"error",0); +} + + +void gr_handle_create(const char * filename, const struct nameidata *nd) +{ + struct name_entry * matchn; + struct proc_subject_label * matchps; + struct proc_object_label * matchpo; + struct file_label * matchf; + unsigned long i; + char * pathbuf; + char * pathname; + + + if(!(gr_status & GR_READY)) return; + + if ( (pathbuf = (char * ) __get_free_page(GFP_KERNEL)) == NULL) + return; + + pathname = d_path(nd->dentry,nd->mnt,pathbuf,PAGE_SIZE); + + matchn = lookup_name_entry(pathname); + + if(matchn) + { + write_lock(&gr_list_lock); + if(matchn->mode & GR_NAME_PROC_SUBJECT) + { + if( (matchps = lookup_proc_subj_label(matchn->inode, + matchn->device) ) != NULL) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Process Subj ACL %.1024s " + "recreated","",filename); +#endif + move_proc_subj_label(matchps, + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_dev); + } + } + + if(matchn->mode & GR_NAME_FILE) + { + if( (matchf = lookup_file_label(matchn->inode, + matchn->device) ) != NULL) + { +#ifdef CONFIG_GR_DEBUG + security_alert("File ACL %.1024s recreated", + "",filename); +#endif + move_file_label(matchf, + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_dev); + } + } + + for(i = 0; i < proc_subj_set.proc_used; i++) + { + if( (matchpo = lookup_proc_obj_label(matchn->inode, + matchn->device,i) ) != NULL) + { +#ifdef CONFIG_GR_DEBUG + security_alert("Process Obj ACL %.1024s pos %ld " + "recreated","",filename,i); +#endif + move_proc_obj_label(matchpo, + nd->dentry->d_inode->i_ino, + nd->dentry->d_inode->i_dev); + } + } + matchn->inode = nd->dentry->d_inode->i_ino; + matchn->device = nd->dentry->d_inode->i_dev; + write_unlock(&gr_list_lock); + } + free_page((unsigned long)pathbuf); +} + + + + + + +static int chcaps(struct admin_pw *entry) +{ + char *p = entry->extra; + char *q; + char *mode; + + p[GR_EXTRA_LEN-1] = '\0'; /* take no chances*/ + while( (q = memscan(p,'\n',strlen(p))) != p + strlen(p)) + { + mode = p++; + *q++ = '\0'; + switch(*mode) { + case '+' : + cap_bset |= cap_t(cap_conv(p)); + break; + case '-' : + cap_bset &= ~cap_t(cap_conv(p)); + break; + default: + break; + } + p = q; + } +#ifdef CONFIG_GR_DEBUG + security_alert("cap bset is now %x","",cap_bset); +#endif + + return 0; +} + +static int grsecurity_reload(void) +{ + proc_subj_set.proc_size = proc_obj_set.proc_size = + file_set.file_size = name_set.name_size = 0; + free_variables(); + return grsecurity_init(); +} + +/* The following variables are needed for timer manipulation */ +static struct timer_list gr_badpw; +static int failures = 0; +static int during_wait = 0; + +static void gr_timer(unsigned long ignored) +{ + failures = 0; + during_wait = 0; + del_timer(&gr_badpw); +} + +int gr_proc_handler(ctl_table *table, int write, struct file *filp, void *buffer, size_t *lenp) +{ + /* This is the main todo. simply I allow disabling gracl only + * at bootup(after its turned on). I don't have time today to + * impelement a good pw scheme. The first thing I do when I get back is to do that. + */ + struct admin_pw *usermode = (struct admin_pw *) buffer; + int error = sizeof(struct admin_pw); + + if(*lenp != sizeof(struct admin_pw)) + { + security_alert("Proc handler: being fed garbage %d byte send %d required","more garbage",*lenp,sizeof(struct admin_pw)); + return -EINVAL; + } + if(during_wait) return -EPERM; + switch (usermode->mode) + { + case SHUTDOWN: + if(gr_status & GR_READY) + { + if(!(chkpw(usermode))) + { + security_alert("shutdown auth success for " + DEFAULTSECMSG,"shutdown successes",DEFAULTSECARGS); + gr_status &= ~GR_READY; + break; + } else + error = -EPERM; + } + break; + case ENABLE: + if(gr_disable) + { + security_alert("%s at boot time, ignoring load request","attempts to load gracl when disabled on boot time",GR_VERSION); + break; + } + else if(gr_status & GR_1ST) + { + if(grsecurity_init()) + error = -EINVAL; + security_alert("Loaded %s","loaded " + "grsecurity",GR_VERSION); + gr_status &= ~GR_1ST; + break; + } + else + { + security_alert("%.32s already loaded, re-enabling","",GR_VERSION); + gr_status |= GR_READY; + break; + } + + case CHCAPS : + if(gr_status & GR_1ST) + { + if(grsecurity_init()) + error = -EINVAL; + if(!error) + security_alert("Loaded %s","loaded " + "grsecurity",GR_VERSION); + } + + if( ( (gr_status & GR_READY) && !(chkpw(usermode)) ) + || (gr_status & GR_1ST)) + { + if(gr_status & GR_1ST) + gr_status &= ~GR_1ST; + + if(!(chcaps(usermode))) + { + security_alert("successful capability change by " + DEFAULTSECMSG, "cap changes", + DEFAULTSECARGS); + } else + error = -EPERM; + } + + break; + + case GOD: + if(gr_status & GR_READY) + { + if(!(chkpw(usermode))) + { + security_alert("successful change to admin mode by " + DEFAULTSECMSG,"", + DEFAULTSECARGS); + spin_lock(&task_capability_lock); + read_lock(&tasklist_lock); + if(current->p_pptr) + { + current->p_pptr->acl = (void *) + &god; + current->p_pptr->cap_effective = + current->p_pptr-> + cap_permitted = + CAP_FULL_SET; + } + read_unlock(&tasklist_lock); + spin_unlock(&task_capability_lock); + } + else + error = -EPERM; + } + break; + + case RELOAD: + if(gr_status & GR_READY) + { + if(!(chkpw(usermode))) + { + security_alert("reload of gracl performed by" + DEFAULTSECMSG,"", + DEFAULTSECARGS); + if(grsecurity_reload()) + gr_status &= ~GR_READY; + } + else + error = -EPERM; + } + break; + + case AUTH: + if(gr_status & GR_READY) + { + if(!(chkpw(usermode)) ) + { + security_alert("successful authentication by " + DEFAULTSECMSG, "", + DEFAULTSECARGS); + read_lock(&tasklist_lock); + if(current->p_pptr) + { + current->p_pptr->acl = NULL; + } + read_unlock(&tasklist_lock); + /* The parent invoked gradm, it is the + * task that we must deal with */ + } + else + error = -EPERM; + } + break; + + default: + security_alert("Invalid value %d by " DEFAULTSECMSG, "", + usermode->mode, DEFAULTSECARGS); + break; + } + + if(error < 0) + { + failures++; + if(failures > CONFIG_GR_MAXTRIES) + { + security_alert("Maximum pw attempts reached (%d), locking " + "password authentication","password attempt failed",CONFIG_GR_MAXTRIES); + init_timer(&gr_badpw); + gr_badpw.data = 0; + gr_badpw.function = gr_timer; + gr_badpw.expires = jiffies + CONFIG_GR_TIMEOUT*HZ; + add_timer(&gr_badpw); + during_wait = 1; + } + } + + return error; +} diff -urN linux/kernel/grhash.c linux/kernel/grhash.c --- linux/kernel/grhash.c Wed Dec 31 19:00:00 1969 +++ linux/kernel/grhash.c Fri Mar 1 08:34:11 2002 @@ -0,0 +1,160 @@ +#include +#include +#include +#include +#include + +/* +Modified for use in OPM by Michael Dalton +Modified for kerneli by Andrew McDonald +from: + +SHA-1 in C +By Steve Reid +100% Public Domain +Available from: +ftp://ftp.zedz.net/pub/crypto/crypto/HASH/sha/sha1.c + +Test Vectors (from FIPS PUB 180-1) +"abc" + A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D +"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 +A million repetitions of "a" + 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F +*/ + + +extern struct admin_pw pwent; + +void gr_SHA1Transform(unsigned long state[5], unsigned char buffer[64]) +{ + unsigned long a, b, c, d, e; + typedef union { + unsigned char c[64]; + unsigned long l[16]; + } CHAR64LONG16; + CHAR64LONG16* block; +#ifdef SHA1HANDSOFF + static unsigned char workspace[64]; + block = (CHAR64LONG16*)workspace; + memcpy(block, buffer, 64); +#else + block = (CHAR64LONG16*)buffer; +#endif + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + /* Wipe variables */ + a = b = c = d = e = 0; +} + + +/* SHA1Init - Initialize new context */ + +void gr_SHA1Init(struct gr_SHA1_CTX* context) +{ + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; + context->count[0] = context->count[1] = 0; +} + + +/* Run your data through this. */ + +void gr_SHA1Update(struct gr_SHA1_CTX* context, unsigned char* data, unsigned int len) +{ + unsigned int i, j; + + j = (context->count[0] >> 3) & 63; + if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++; + context->count[1] += (len >> 29); + if ((j + len) > 63) { + memcpy(&context->buffer[j], data, (i = 64-j)); + gr_SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) { + gr_SHA1Transform(context->state, &data[i]); + } + j = 0; + } + else i = 0; + memcpy(&context->buffer[j], &data[i], len - i); +} + + +/* Add padding and return the message digest. */ + +void gr_SHA1Final(unsigned char digest[20], struct gr_SHA1_CTX* context) +{ + unsigned long i, j; + unsigned char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)] + >> ((3-(i & 3)) * 8) ) & 255); + /* Endian independent */ + } + gr_SHA1Update(context, (unsigned char *)"\200", 1); + while ((context->count[0] & 504) != 448) { + gr_SHA1Update(context, (unsigned char *)"\0", 1); + } + gr_SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + for (i = 0; i < 20; i++) { + digest[i] = (unsigned char) + ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); + } + /* Wipe variables */ + i = j = 0; + memset(context->buffer, 0, 64); + memset(context->state, 0, 20); + memset(context->count, 0, 8); + memset(&finalcount, 0, 8); +#ifdef GR_SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */ + gr_SHA1Transform(context->state, context->buffer); +#endif +} + +int chkpw(struct admin_pw *entry) +{ + struct gr_SHA1_CTX context; + char *pos = memscan(entry->pw,'\n',strlen(entry->pw)); + if(pos != entry->pw + strlen(entry->pw)) *pos = '\0'; + gr_SHA1Init(&context); + gr_SHA1Update(&context,entry->pw,strlen(entry->pw)); + gr_SHA1Final(entry->sum,&context); + return memcmp(pwent.sum,entry->sum,GR_SHA_SIZE); +} diff -urN linux/kernel/grsecurity.c linux/kernel/grsecurity.c --- linux/kernel/grsecurity.c Wed Dec 31 19:00:00 1969 +++ linux/kernel/grsecurity.c Mon Feb 25 16:09:02 2002 @@ -0,0 +1,346 @@ +#include +#include + +#ifdef CONFIG_GRKERNSEC_SYSCTL +#ifdef CONFIG_GRKERNSEC_LINK +int grsec_enable_link = 0; +#endif +#ifdef CONFIG_GRKERNSEC_DMESG +int grsec_enable_dmesg = 0; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO +int grsec_enable_fifo = 0; +#endif +#ifdef CONFIG_GRKERNSEC_FD +int grsec_enable_fd = 0; +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE +int grsec_enable_execve = 0; +#endif +#ifdef CONFIG_GRKERNSEC_FORKBOMB +int grsec_enable_forkbomb = 0; +int grsec_forkbomb_gid = 0; +int grsec_forkbomb_sec = 0; +int grsec_forkbomb_max = 0; +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG +int grsec_enable_execlog = 0; +#endif +#ifdef CONFIG_GRKERNSEC_IPC +int grsec_enable_ipc = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SUID +int grsec_enable_suid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SUID_ROOT +int grsec_enable_suid_root = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL +int grsec_enable_signal = 0; +#endif +#ifdef CONFIG_GRKERNSEC_COREDUMP +int grsec_enable_coredump = 0; +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL +int grsec_enable_forkfail = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TIME +int grsec_enable_time = 0; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP +int grsec_enable_group = 0; +int grsec_audit_gid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR +int grsec_enable_chdir = 0; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE +int grsec_enable_audit_ptrace = 0; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC +int grsec_enable_audit_ipc = 0; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT +int grsec_enable_mount = 0; +#endif +#ifdef CONFIG_GRKERNSEC_KBMAP +int grsec_enable_kbmap = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SIG +int grsec_enable_chroot_sig = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT +int grsec_enable_chroot_mount = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE +int grsec_enable_chroot_double = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR +int grsec_enable_chroot_chdir = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD +int grsec_enable_chroot_chmod = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD +int grsec_enable_chroot_mknod = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE +int grsec_enable_chroot_ptrace = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE +int grsec_enable_chroot_nice = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG +int grsec_enable_chroot_execlog = 0; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS +int grsec_enable_chroot_caps = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TPE +int grsec_enable_tpe = 0; +int grsec_tpe_gid = 0; +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC +int grsec_enable_tpe_glibc = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL +int grsec_enable_tpe_all = 0; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_PTRACE +int grsec_enable_ptrace = 0; +#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP +int grsec_enable_ptrace_group = 0; +int grsec_ptrace_gid = 0; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID +int grsec_enable_randpid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TTYROOT +int grsec_enable_phys_deny = 0; +int grsec_enable_pseudo_deny = 0; +int grsec_enable_serial_deny = 0; +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +int grsec_enable_randid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +int grsec_enable_randsrc = 0; +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +int grsec_enable_randrpc = 0; +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING +int grsec_enable_randping = 0; +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL +int grsec_enable_randttl = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL +int grsec_enable_socket_all = 0; +int grsec_socket_all_gid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT +int grsec_enable_socket_client = 0; +int grsec_socket_client_gid = 0; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER +int grsec_enable_socket_server = 0; +int grsec_socket_server_gid = 0; +#endif +int grsec_lock = 0; +#else +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP +int grsec_enable_group = 1; +int grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR +int grsec_enable_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE +int grsec_enable_audit_ptrace = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC +int grsec_enable_audit_ipc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT +int grsec_enable_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_LINK +int grsec_enable_link = 1; +#endif +#ifdef CONFIG_GRKERNSEC_DMESG +int grsec_enable_dmesg = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FIFO +int grsec_enable_fifo = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FD +int grsec_enable_fd = 1; +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE +int grsec_enable_execve = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKBOMB +int grsec_enable_forkbomb = 1; +int grsec_forkbomb_gid = CONFIG_GRKERNSEC_FORKBOMB_GID; +int grsec_forkbomb_sec = CONFIG_GRKERNSEC_FORKBOMB_SEC; +int grsec_forkbomb_max = CONFIG_GRKERNSEC_FORKBOMB_MAX; +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG +int grsec_enable_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_IPC +int grsec_enable_ipc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SUID +int grsec_enable_suid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SUID_ROOT +int grsec_enable_suid_root = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL +int grsec_enable_signal = 1; +#endif +#ifdef CONFIG_GRKERNSEC_COREDUMP +int grsec_enable_coredump = 1; +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL +int grsec_enable_forkfail = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TIME +int grsec_enable_time = 1; +#endif +#ifdef CONFIG_GRKERNSEC_KBMAP +int grsec_enable_kbmap = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SIG +int grsec_enable_chroot_sig = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT +int grsec_enable_chroot_mount = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE +int grsec_enable_chroot_double = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR +int grsec_enable_chroot_chdir = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD +int grsec_enable_chroot_chmod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD +int grsec_enable_chroot_mknod = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE +int grsec_enable_chroot_ptrace = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE +int grsec_enable_chroot_nice = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG +int grsec_enable_chroot_execlog = 1; +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS +int grsec_enable_chroot_caps = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE +int grsec_enable_tpe = 1; +int grsec_tpe_gid= CONFIG_GRKERNSEC_TPE_GID; +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC +int grsec_enable_tpe_glibc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL +int grsec_enable_tpe_all = 1; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_PTRACE +int grsec_enable_ptrace = 1; +#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP +int grsec_enable_ptrace_group = 1; +int grsec_ptrace_gid = CONFIG_GRKERNSEC_PTRACE_GID; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID +int grsec_enable_randpid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_TTYROOT +#ifdef CONFIG_GRKERNSEC_TTYROOT_SERIAL +int grsec_enable_serial_deny = 1; +#else +int grsec_enable_serial_deny = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TTYROOT_PHYS +int grsec_enable_phys_deny = 1; +#else +int grsec_enable_phys_deny = 0; +#endif +#ifdef CONFIG_GRKERNSEC_TTYROOT_PSEUDO +int grsec_enable_pseudo_deny = 1; +#else +int grsec_enable_pseudo_deny = 0; +#endif +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +int grsec_enable_randid = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +int grsec_enable_randsrc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +int grsec_enable_randrpc = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING +int grsec_enable_randping = 1; +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL +int grsec_enable_randttl = 1; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL +int grsec_enable_socket_all = 1; +int grsec_socket_all_gid= CONFIG_GRKERNSEC_SOCKET_ALL_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT +int grsec_enable_socket_client = 1; +int grsec_socket_client_gid= CONFIG_GRKERNSEC_SOCKET_CLIENT_GID; +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER +int grsec_enable_socket_server = 1; +int grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID; +#endif +#endif + +const char *captab_log[30] = { + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_DAC_READ_SEARCH", + "CAP_FOWNER", + "CAP_FSETID", + "CAP_FS_MASK", + "CAP_KILL", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETPCAP", + "CAP_LINUX_IMMUTABLE", + "CAP_NET_BIND_SERVICE", + "CAP_NET_BROADCAST", + "CAP_NET_ADMIN", + "CAP_NET_RAW", + "CAP_IPC_LOCK", + "CAP_IPC_OWNER", + "CAP_SYS_MODULE", + "CAP_SYS_RAWIO", + "CAP_SYS_CHROOT", + "CAP_SYS_PTRACE", + "CAP_SYS_PACCT", + "CAP_SYS_ADMIN", + "CAP_SYS_BOOT", + "CAP_SYS_NICE", + "CAP_SYS_RESOURCE", + "CAP_SYS_TIME", + "CAP_SYS_TTY_CONFIG", + "CAP_MKNOD", + "CAP_LEASE" +}; + + diff -urN linux/kernel/ksyms.c linux/kernel/ksyms.c --- linux/kernel/ksyms.c Mon Feb 25 14:38:13 2002 +++ linux/kernel/ksyms.c Sat Mar 2 15:32:49 2002 @@ -559,3 +559,8 @@ EXPORT_SYMBOL(tasklist_lock); EXPORT_SYMBOL(pidhash); + +#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG +#include +EXPORT_SYMBOL(captab_log); +#endif diff -urN linux/kernel/printk.c linux/kernel/printk.c --- linux/kernel/printk.c Mon Feb 25 14:38:13 2002 +++ linux/kernel/printk.c Mon Feb 25 16:09:02 2002 @@ -26,6 +26,9 @@ #include #include /* For in_interrupt() */ #include +#ifdef CONFIG_GRKERNSEC_DMESG +#include +#endif #include @@ -294,6 +297,11 @@ asmlinkage long sys_syslog(int type, char * buf, int len) { +#ifdef CONFIG_GRKERNSEC_DMESG + if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg) + return -EPERM; + else +#endif if ((type != 3) && !capable(CAP_SYS_ADMIN)) return -EPERM; return do_syslog(type, buf, len); diff -urN linux/kernel/sched.c linux/kernel/sched.c --- linux/kernel/sched.c Fri Dec 21 12:42:04 2001 +++ linux/kernel/sched.c Mon Feb 25 16:09:02 2002 @@ -32,6 +32,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE +#include +#endif extern void timer_bh(void); extern void tqueue_bh(void); @@ -874,6 +877,14 @@ return -EPERM; if (increment < -40) increment = -40; +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if(grsec_enable_chroot_nice && proc_is_chrooted(current)){ + security_alert("attempted priority change by " + DEFAULTSECMSG, "attempted priority changes", + DEFAULTSECARGS); + return -EPERM; + } +#endif } if (increment > 40) increment = 40; diff -urN linux/kernel/signal.c linux/kernel/signal.c --- linux/kernel/signal.c Wed Nov 21 19:26:27 2001 +++ linux/kernel/signal.c Mon Feb 25 16:09:02 2002 @@ -16,6 +16,12 @@ #include +#if defined(CONFIG_GRKERNSEC_SIGNAL) || defined(CONFIG_GRKERNSEC_CHROOT_SIG) \ +|| defined(CONFIG_GRKERNSEC_ACL) +#include +#include +#endif + /* * SLAB caches for signal bits. */ @@ -526,8 +532,37 @@ goto out_nolock; spin_lock_irqsave(&t->sigmask_lock, flags); +#ifdef CONFIG_GRKERNSEC_CHROOT_SIG + if(CHROOTLONGCHECK && + !( sig == SIGALRM || sig == SIGIO || !proc_is_chrooted(current) || + have_same_root(current,t) || + (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) { + security_alert("denied signal %d out of chroot jail (%.32s:%lu) of %d.%d " + "by " DEFAULTSECMSG " to " DEFAULTSECMSG, + "denied signals in chroot",sig,kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid,DEFAULTSECARGS, + t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm, + t->p_pptr->pid,t->p_pptr->uid,t->p_pptr->euid); + goto out; + } +#endif handle_stop_signal(sig, t); - +#ifdef CONFIG_GRKERNSEC_SIGNAL + if(grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) || + (sig == SIGABRT) || (sig == SIGBUS))) { + if(t->pid == current->pid) { + security_alert("signal %d sent to " DEFAULTSECMSG,"signal warnings",sig, + t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid, + t->p_pptr->uid,t->p_pptr->euid); + } else { + security_alert("signal %d sent to " DEFAULTSECMSG " by " + DEFAULTSECMSG, "signal warnings", + sig,t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid, + t->p_pptr->uid,t->p_pptr->euid, DEFAULTSECARGS); + } + } +#endif /* Optimize away the signal, if it's a signal that can be handled immediately (ie non-blocked and untraced) and that is ignored (either explicitly or by default). */ @@ -592,6 +627,9 @@ retval = -ESRCH; read_lock(&tasklist_lock); for_each_task(p) { +#ifdef CONFIG_GRKERNSEC_ACL + if( !(gr_check_protected_task(p)) || current->pid == 1) +#endif if (p->pgrp == pgrp) { int err = send_sig_info(sig, info, p); if (retval) @@ -619,6 +657,9 @@ retval = -ESRCH; read_lock(&tasklist_lock); for_each_task(p) { +#ifdef CONFIG_GRKERNSEC_ACL + if( !(gr_check_protected_task(p)) || current->pid == 1) +#endif if (p->leader && p->session == sess) { int err = send_sig_info(sig, info, p); if (retval) @@ -640,6 +681,9 @@ p = find_task_by_pid(pid); error = -ESRCH; if (p) +#ifdef CONFIG_GRKERNSEC_ACL + if( !(gr_check_protected_task(p)) || current->pid == 1) +#endif error = send_sig_info(sig, info, p); read_unlock(&tasklist_lock); return error; @@ -663,6 +707,9 @@ read_lock(&tasklist_lock); for_each_task(p) { +#ifdef CONFIG_GRKERNSEC_ACL + if(!(gr_check_protected_task(p) || current->pid == 1)) +#endif if (p->pid > 1 && p != current) { int err = send_sig_info(sig, info, p); ++count; diff -urN linux/kernel/sys.c linux/kernel/sys.c --- linux/kernel/sys.c Mon Feb 25 14:38:13 2002 +++ linux/kernel/sys.c Mon Feb 25 16:09:02 2002 @@ -4,6 +4,7 @@ * Copyright (C) 1991, 1992 Linus Torvalds */ +#include #include #include #include @@ -18,6 +19,12 @@ #include #include +#if defined(CONFIG_GRKERNSEC_SUID) ||\ + defined(CONFIG_GRKERNSEC_SUID_ROOT) ||\ + defined(CONFIG_GRKERNSEC_TTYROOT) || defined(CONFIG_GRKERNSEC_CHROOT_NICE) +#include +#endif + /* * this is where the system-wide overflow UID and GID are defined, for * architectures that now have 32-bit UID/GID but didn't in the past @@ -220,6 +227,15 @@ } if (error == -ESRCH) error = 0; +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + if(grsec_enable_chroot_nice && (!have_same_root(p,current) + || (have_same_root(p,current) && (niceval < p->nice) && proc_is_chrooted(current)))) { + security_alert("attempted priority change of " + "process (%.16s:%d) by " DEFAULTSECMSG, + "attempted priority changes",p->comm,p->pid,DEFAULTSECARGS); + return -ESRCH; /* be stealthy */ + } +#endif if (niceval < p->nice && !capable(CAP_SYS_NICE)) error = -EACCES; else @@ -380,6 +396,20 @@ int new_rgid = old_rgid; int new_egid = old_egid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(rgid,egid,1,"setregid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && (!rgid || !egid)) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setregid(rgid=%d/egid=%d) by " DEFAULTSECMSG + "\n",rgid,egid, DEFAULTSECARGS); +#endif + if (rgid != (gid_t) -1) { if ((old_rgid == rgid) || (current->egid==rgid) || @@ -421,6 +451,20 @@ { int old_egid = current->egid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(gid,1,1,"setgid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && !gid) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setgid(%d) by " DEFAULTSECMSG "\n",gid, + DEFAULTSECARGS); +#endif + if (capable(CAP_SETGID)) { if(old_egid != gid) @@ -540,6 +584,20 @@ new_euid = old_euid = current->euid; old_suid = current->suid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(ruid,euid,1,"setreuid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && (!ruid || !euid)) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setreuid(ruid=%d/euid=%d) by " DEFAULTSECMSG + "\n",ruid,euid, DEFAULTSECARGS); +#endif + if (ruid != (uid_t) -1) { new_ruid = ruid; if ((old_ruid != ruid) && @@ -599,7 +657,20 @@ old_ruid = new_ruid = current->uid; old_suid = current->suid; new_suid = old_suid; - + +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(uid,1,1,"setuid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && !uid) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setuid(%d) by " DEFAULTSECMSG "\n", uid, + DEFAULTSECARGS); +#endif if (capable(CAP_SETUID)) { if (uid != old_ruid && set_user(uid, old_euid != uid) < 0) return -EAGAIN; @@ -633,6 +704,20 @@ int old_euid = current->euid; int old_suid = current->suid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(ruid,euid,suid,"setresuid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && (!ruid || !euid || !suid)) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setresuid(ruid=%d/suid=%d/euid=%d) by " + DEFAULTSECMSG "\n", ruid, suid, euid, DEFAULTSECARGS); +#endif + if (!capable(CAP_SETUID)) { if ((ruid != (uid_t) -1) && (ruid != current->uid) && (ruid != current->euid) && (ruid != current->suid)) @@ -683,6 +768,20 @@ */ asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) { +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(rgid,egid,sgid,"setresgid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && (!rgid || !egid || !sgid)) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setresgid(rgid=%d/sgid=%d/egid=%d) by " + DEFAULTSECMSG "\n", rgid, sgid, egid, DEFAULTSECARGS); +#endif + if (!capable(CAP_SETGID)) { if ((rgid != (gid_t) -1) && (rgid != current->gid) && (rgid != current->egid) && (rgid != current->sgid)) @@ -732,6 +831,20 @@ { int old_fsuid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(uid,1,1,"setfsuid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && !uid) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setfsuid(%d) by " DEFAULTSECMSG "\n", uid, + DEFAULTSECARGS); +#endif + old_fsuid = current->fsuid; if (uid == current->uid || uid == current->euid || uid == current->suid || uid == current->fsuid || @@ -774,6 +887,20 @@ { int old_fsgid; +#ifdef CONFIG_GRKERNSEC_TTYROOT + is_tty_allowed_for_setid(gid,1,1,"setfsgid"); +#endif + +#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT) +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + if(grsec_enable_suid_root && current->uid && !gid) +#else + if(grsec_enable_suid) +#endif + printk(KERN_INFO "grsec: setfsgid(%d) by " DEFAULTSECMSG "\n", gid, + DEFAULTSECARGS); +#endif + old_fsgid = current->fsgid; if (gid == current->gid || gid == current->egid || gid == current->sgid || gid == current->fsgid || @@ -971,6 +1098,11 @@ return -EINVAL; if(copy_from_user(current->groups, grouplist, gidsetsize * sizeof(gid_t))) return -EFAULT; + +#ifdef CONFIG_GRKERNSEC_SUID + if(grsec_enable_suid) + printk(KERN_INFO "grsec: setgroups by " DEFAULTSECMSG "\n", DEFAULTSECARGS); +#endif current->ngroups = gidsetsize; return 0; } diff -urN linux/kernel/sysctl.c linux/kernel/sysctl.c --- linux/kernel/sysctl.c Fri Dec 21 12:42:04 2001 +++ linux/kernel/sysctl.c Mon Feb 25 16:09:02 2002 @@ -38,6 +38,7 @@ #endif #if defined(CONFIG_SYSCTL) +#include /* External variables not in a header file. */ extern int panic_timeout; @@ -117,6 +118,9 @@ static ctl_table debug_table[]; static ctl_table dev_table[]; extern ctl_table random_table[]; +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ACL) +static ctl_table grsecurity_table[]; +#endif /* /proc declarations: */ @@ -256,8 +260,259 @@ {KERN_S390_USER_DEBUG_LOGGING,"userprocess_debug", &sysctl_userprocess_debug,sizeof(int),0644,NULL,&proc_dointvec}, #endif +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ACL) + {KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table}, +#endif + {0} +}; + +#if !defined(CONFIG_GRKERNSEC_SYSCTL) && defined(CONFIG_GRKERNSEC_ACL) +enum +{ + GS_ACL = 1 +}; + +static ctl_table grsecurity_table[] = { + {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler}, + {0} +}; +#endif + +#ifdef CONFIG_GRKERNSEC_SYSCTL +enum {GS_LINK=1,GS_FIFO, GS_FD, GS_EXECVE, GS_FORK, +GS_FORK_GID, GS_FORK_SEC, GS_FORK_MAX, GS_EXECLOG, +GS_SUID, GS_SUID_ROOT, GS_SIGNAL, GS_COREDUMP, GS_FORKFAIL, +GS_TIME, GS_KBMAP, GS_CHROOT_SIG, GS_CHROOT_MNT, +GS_CHROOT_DBL, GS_CHROOT_CD, GS_CHROOT_CM, GS_CHROOT_MK, GS_CHROOT_PT, +GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, GS_TPE, GS_TPE_GID, +GS_TPE_GLIBC, GS_TPE_ALL, GS_PTRACE, GS_PTRACE_GRP, GS_PTRACE_GID, +GS_SIDCAPS, GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDPING, GS_RANDTTL, +GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, +GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_IPC, +GS_TTY, GS_TTYS, GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, +GS_APTC, GS_DMSG, GS_RANDRPC, GS_ACL, GS_LOCK}; + +static ctl_table grsecurity_table[] = { +#ifdef CONFIG_GRKERNSEC_LINK + {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FIFO + {GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FD + {GS_FD, "secure_fds", &grsec_enable_fd, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECVE + {GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FORKBOMB + {GS_FORK, "fork_bomb_prot", &grsec_enable_forkbomb, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_FORK_GID, "fork_bomb_gid", &grsec_forkbomb_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_FORK_SEC, "fork_bomb_sec", &grsec_forkbomb_sec, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_FORK_MAX, "fork_bomb_max", &grsec_forkbomb_max, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_EXECLOG + {GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SUID + {GS_SUID, "suid_logging", &grsec_enable_suid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SUID_ROOT + {GS_SUID_ROOT, "suid_root_logging", &grsec_enable_suid_root, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SIGNAL + {GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_COREDUMP + {GS_COREDUMP, "coredump", &grsec_enable_coredump, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_FORKFAIL + {GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TIME + {GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_KBMAP + {GS_KBMAP, "secure_kbmap", &grsec_enable_kbmap, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_SIG + {GS_CHROOT_SIG, "chroot_restrict_sigs", &grsec_enable_chroot_sig, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT + {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE + {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR + {GS_CHROOT_CD, "chroot_deny_chdir", &grsec_enable_chroot_chdir, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD + {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD + {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE + {GS_CHROOT_PT, "chroot_deny_ptrace", &grsec_enable_chroot_ptrace, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE + {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG + {GS_CHROOT_EXECLOG, "chroot_execlog", + &grsec_enable_chroot_execlog, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS + {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE + {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC + {GS_TPE_GLIBC, "tpe_glibc", &grsec_enable_tpe_glibc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TPE_ALL + {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_PTRACE + {GS_PTRACE, "restrict_ptrace", &grsec_enable_ptrace, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP + {GS_PTRACE_GRP, "allow_ptrace_group", &grsec_enable_ptrace_group, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_PTRACE_GID, "ptrace_gid", &grsec_ptrace_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPID + {GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDID + {GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC + {GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDPING + {GS_RANDPING, "altered_pings", &grsec_enable_randping, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL + {GS_RANDTTL, "rand_ttl", &grsec_enable_randttl, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_ALL_GID, "socket_all_gid", + &grsec_socket_all_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + {GS_SOCKET_CLIENT, "socket_client", + &grsec_enable_socket_client, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_CLIENT_GID, "socket_client_gid", + &grsec_socket_client_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + {GS_SOCKET_SERVER, "socket_server", + &grsec_enable_socket_server, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_SOCKET_SERVER_GID, "socket_server_gid", + &grsec_socket_server_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_IPC + {GS_IPC, "alt_ipc_perms", &grsec_enable_ipc, sizeof (int), 0600, + NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_TTYROOT + {GS_TTY, "deny_phys_root", + &grsec_enable_phys_deny, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_TTYS, "deny_serial_root", + &grsec_enable_serial_deny, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_PTY, "deny_pseudo_root", + &grsec_enable_pseudo_deny, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP + {GS_GROUP, "audit_group", &grsec_enable_group, sizeof (int), + 0600, NULL, &proc_dointvec}, + {GS_GID, "audit_gid", + &grsec_audit_gid, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR + {GS_ACHDIR, "audit_chdir", &grsec_enable_chdir, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT + {GS_AMOUNT, "audit_mount", &grsec_enable_mount, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_IPC + {GS_AIPC, "audit_ipc", &grsec_enable_audit_ipc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE + {GS_APTC, "audit_ptrace", &grsec_enable_audit_ptrace, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_DMESG + {GS_AIPC, "dmesg", &grsec_enable_dmesg, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC + {GS_RANDRPC, "rand_rpc", &grsec_enable_randrpc, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif +#ifdef CONFIG_GRKERNSEC_ACL + {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler}, +#endif + {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL, + &proc_dointvec}, {0} }; +#endif static ctl_table vm_table[] = { {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL, @@ -828,6 +1083,17 @@ } i = (int *) table->data; +#ifdef CONFIG_GRKERNSEC_SYSCTL + if(table->de->parent->name && strlen(table->de->parent->name) == 10) { + if((!strcmp(table->de->parent->name, "grsecurity")) && grsec_lock && write) { + security_alert("attempt to modify grsecurity " + "sysctl value: %.32s by " DEFAULTSECMSG, + "attempted sysctl changes", table->de->name, + DEFAULTSECARGS); + return -EACCES; + } + } +#endif vleft = table->maxlen / sizeof(int); left = *lenp; diff -urN linux/kernel/time.c linux/kernel/time.c --- linux/kernel/time.c Mon Feb 25 14:38:13 2002 +++ linux/kernel/time.c Mon Feb 25 16:09:02 2002 @@ -29,6 +29,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_TIME +#include +#endif /* * The timezone where the local system is located. Used as a default by some @@ -87,6 +90,11 @@ time_maxerror = NTP_PHASE_LIMIT; time_esterror = NTP_PHASE_LIMIT; write_unlock_irq(&xtime_lock); +#ifdef CONFIG_GRKERNSEC_TIME + if(grsec_enable_time) + security_alert("time set by " DEFAULTSECMSG, "time sets", + DEFAULTSECARGS); +#endif return 0; } @@ -163,6 +171,11 @@ * globally block out interrupts when it runs. */ do_settimeofday(tv); +#ifdef CONFIG_GRKERNSEC_TIME + if(grsec_enable_time) + security_alert("time set by " DEFAULTSECMSG, "time sets", + DEFAULTSECARGS); +#endif } return 0; } diff -urN linux/mm/mmap.c linux/mm/mmap.c --- linux/mm/mmap.c Mon Feb 25 14:38:14 2002 +++ linux/mm/mmap.c Mon Mar 4 18:31:12 2002 @@ -14,9 +14,14 @@ #include #include #include +#include #include #include +#if defined(CONFIG_GRKERNSEC_MMAPFIXED) || defined(CONFIG_GRKERNSEC_TPE_GLIBC) \ + || defined(CONFIG_GRKERNSEC_ACL) +#include +#endif /* * WARNING: the debugging will use recursive algorithms so never enable this @@ -419,7 +424,9 @@ /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ + addr = get_unmapped_area(file, addr, len, pgoff, flags); + if (addr & ~PAGE_MASK) return addr; @@ -429,6 +436,23 @@ */ vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; +#ifdef CONFIG_GRKERNSEC_PAX + if (current->flags & PF_PAX_PAGEEXEC) { + if (flags & MAP_GROWSDOWN) + vm_flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if ((current->flags & PF_PAX_MPROTECT) && !(prot & PROT_EXEC)) + vm_flags &= ~VM_MAYEXEC; + if ((current->flags & PF_PAX_MPROTECT) && (flags & MAP_GROWSDOWN)) + vm_flags &= ~VM_MAYEXEC; +#endif + + } else { + if (prot & (PROT_READ | PROT_WRITE)) /* they imply PROT_EXEC on IA-32 */ + vm_flags |= VM_EXEC; + } +#endif /* mlock MCL_FUTURE? */ if (vm_flags & VM_LOCKED) { unsigned long locked = mm->locked_vm << PAGE_SHIFT; @@ -476,6 +500,50 @@ break; } } +#ifdef CONFIG_GRKERNSEC_MMAPFIXED + if ((current->pid > 1) && (current->flags & PF_PAX_PAGEEXEC) && (!file) && (flags & MAP_FIXED) && (prot & PROT_EXEC)) { + security_alert("Attempted loading of shellcode via mmap by " DEFAULTSECMSG, "attempted mmaps", DEFAULTSECARGS); + return -EACCES; + } +#endif +#ifdef CONFIG_GRKERNSEC_TPE_GLIBC + if(grsec_enable_tpe_glibc) { +#ifdef CONFIG_GRKERNSEC_TPE_ALL + if(grsec_enable_tpe_all?current->uid:in_group_p(grsec_tpe_gid)) { +#else + if(in_group_p(grsec_tpe_gid)) { +#endif + if(file && (prot & PROT_EXEC) && + ((file->f_dentry->d_parent->d_inode->i_uid) || + (!(file->f_dentry->d_parent->d_inode->i_uid) && + ((file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) || + (file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH))))) { + security_alert("denied exec of %.32s by " + DEFAULTSECMSG " reason: tried to mmap binary", + "denied execs", file->f_dentry->d_name.name, + DEFAULTSECARGS); + return -EACCES; + goto out; + } + } + } +#endif +#ifdef CONFIG_GRKERNSEC_ACL + if(file && ( !gr_in_auth_mode((void *)current->acl)) ) + if( (gr_search_file(file->f_dentry,GR_EXEC,file->f_vfsmnt)) + == GR_DENY) + { + if(prot & PROT_EXEC) { + security_alert("attempt to mmap %ld %d executable" + "by " DEFAULTSECMSG,"mmap exec attempts", + file->f_dentry->d_inode->i_ino, + file->f_dentry->d_inode->i_dev, + DEFAULTSECARGS); + return -EACCES; + } else + vm_flags &= ~VM_MAYEXEC; + } +#endif /* Clear old maps */ error = -ENOMEM; @@ -601,7 +669,20 @@ (!vma || addr + len <= vma->vm_start)) return addr; } +#if defined(CONFIG_GRKERNSEC_STACK) + addr = TASK_UNMAPPED_BASE(len); + addr = PAGE_ALIGN(TASK_UNMAPPED_BASE(len)); +#else + addr = TASK_UNMAPPED_BASE; addr = PAGE_ALIGN(TASK_UNMAPPED_BASE); +#endif + + +#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP + /* PaX: randomize base address if requested */ + if (current->flags & PF_PAX_RANDMMAP) + addr += current->mm->delta_mmap; +#endif for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) { /* At this point: (!vma || addr < vma->vm_end). */ @@ -1050,6 +1131,18 @@ MAP_FIXED|MAP_PRIVATE) | mm->def_flags; flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; + +#ifdef CONFIG_GRKERNSEC_PAX + if (current->flags & PF_PAX_PAGEEXEC) { + flags &= ~VM_EXEC; + +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + if (current->flags & PF_PAX_MPROTECT) + flags &= ~VM_MAYEXEC; +#endif + } +#endif + /* Can we just expand an old anonymous mapping? */ if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len, flags)) diff -urN linux/mm/mprotect.c linux/mm/mprotect.c --- linux/mm/mprotect.c Mon Sep 17 18:30:23 2001 +++ linux/mm/mprotect.c Tue Feb 26 22:56:25 2002 @@ -300,6 +300,12 @@ goto out; } +#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */ + if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYEXEC)) { + newflags &= ~VM_MAYWRITE; + } +#endif if (vma->vm_end > end) { error = mprotect_fixup(vma, &prev, nstart, end, newflags); goto out; diff -urN linux/net/ipv4/Makefile linux/net/ipv4/Makefile --- linux/net/ipv4/Makefile Fri Dec 21 12:42:05 2001 +++ linux/net/ipv4/Makefile Mon Feb 25 16:09:02 2002 @@ -13,7 +13,7 @@ obj-y := utils.o route.o inetpeer.o proc.o protocol.o \ ip_input.o ip_fragment.o ip_forward.o ip_options.o \ - ip_output.o ip_sockglue.o \ + ip_id.o ip_output.o ip_sockglue.o \ tcp.o tcp_input.o tcp_output.o tcp_timer.o tcp_ipv4.o tcp_minisocks.o \ tcp_diag.o raw.o udp.o arp.o icmp.o devinet.o af_inet.o igmp.o \ sysctl_net_ipv4.o fib_frontend.o fib_semantics.o fib_hash.o diff -urN linux/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c --- linux/net/ipv4/af_inet.c Fri Dec 21 12:42:05 2001 +++ linux/net/ipv4/af_inet.c Mon Feb 25 16:09:02 2002 @@ -84,6 +84,10 @@ #include #include +#if defined(CONFIG_GRKERNSEC_RANDTTL) || defined(CONFIG_GRKERNSEC_RANDID) +#include +#endif + #include #include @@ -374,7 +378,14 @@ else sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else + sk->protinfo.af_inet.id = 0; +#else sk->protinfo.af_inet.id = 0; +#endif sock_init_data(sock,sk); @@ -386,8 +397,13 @@ sk->backlog_rcv = sk->prot->backlog_rcv; +#ifdef CONFIG_GRKERNSEC_RANDTTL +if(grsec_enable_randttl){ + sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl + + (jiffies % (256 - sysctl_ip_default_ttl)); +} else +#endif sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl; - sk->protinfo.af_inet.mc_loop = 1; sk->protinfo.af_inet.mc_ttl = 1; sk->protinfo.af_inet.mc_index = 0; diff -urN linux/net/ipv4/icmp.c linux/net/ipv4/icmp.c --- linux/net/ipv4/icmp.c Mon Feb 25 14:38:14 2002 +++ linux/net/ipv4/icmp.c Mon Feb 25 16:09:02 2002 @@ -91,6 +91,10 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDPING +#include +#endif + /* * Build xmit assembly blocks */ @@ -738,6 +742,11 @@ icmp_param.data.icmph=*skb->h.icmph; icmp_param.data.icmph.type=ICMP_ECHOREPLY; +#ifdef CONFIG_GRKERNSEC_RANDPING + if(grsec_enable_randping) + icmp_param.data.icmph.un.echo.id = + skb->h.icmph->un.echo.id; +#endif icmp_param.skb=skb; icmp_param.offset=0; icmp_param.data_len=skb->len; diff -urN linux/net/ipv4/ip_gre.c linux/net/ipv4/ip_gre.c --- linux/net/ipv4/ip_gre.c Tue Oct 30 18:08:12 2001 +++ linux/net/ipv4/ip_gre.c Mon Feb 25 16:09:03 2002 @@ -28,6 +28,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDTTL +#include +#endif #include #include @@ -849,6 +852,12 @@ iph->ttl = ((struct ipv6hdr*)old_iph)->hop_limit; #endif else +#ifdef CONFIG_GRKERNSEC_RANDTTL + if(grsec_enable_randttl){ + iph->ttl = sysctl_ip_default_ttl + + (jiffies % (256 - sysctl_ip_default_ttl)); + } else +#endif iph->ttl = sysctl_ip_default_ttl; } diff -urN linux/net/ipv4/ip_id.c linux/net/ipv4/ip_id.c --- linux/net/ipv4/ip_id.c Wed Dec 31 19:00:00 1969 +++ linux/net/ipv4/ip_id.c Mon Feb 25 16:09:03 2002 @@ -0,0 +1,146 @@ +/* + * This code is based on OpenBSD's ip_id.c, by Niels Provos. + * Ported to Linux 2.2 by Salvatore Sanfilippo. + * Ported to Linux 2.4 by Brad Spengler. + * + * 26-10-1999: Ported from OpenBSD's ip_id.c version 1.2 + * (previous versions seems to be predictable + * after David Wagner's auditing) + * Salvatore Sanfilippo + * + * TODO: + * - Make this code SMP safe + */ + +/* + * Copyright 1998 Niels Provos + * All rights reserved. + * Theo de Raadt came up with the idea of using + * such a mathematical system to generate more random (yet non-repeating) + * ids to solve the resolver/named problem. But Niels designed the + * actual system based on the constraints. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer, + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#include +#include +#include +#include + +#define RU_OUT 180 +#define RU_MAX 30000 +#define RU_GEN 2 +#define RU_N 32749 +#define RU_AGEN 7 +#define RU_M 31104 +#define PFAC_N 3 +const static __u16 pfacts[PFAC_N] = { 2,3,2729 }; + +static __u16 ru_x; +static __u16 ru_seed, ru_seed2; +static __u16 ru_a, ru_b; +static __u16 ru_g; +static __u16 ru_counter = 0; +static __u16 ru_msb = 0; +static __u32 ru_reseed; +static __u32 tmp; + +static __u16 pmod(u_int16_t, u_int16_t, u_int16_t); +static void ip_initid (void); +__u16 ip_randomip (void); + +static __u16 pmod(__u16 gen, __u16 exp, __u16 mod) { + __u16 s, t, u; + + s = 1; + t = gen; + u = exp; + + while(u) { + if (u & 1) + s = (s*t) % mod; + u >>=1; + t = (t*t) % mod; + } + return(s); +} + +static void ip_initid (void) { + __u16 j, i; + int noprime = 1; + + get_random_bytes((void *) &tmp, sizeof(tmp)); + ru_x = (tmp & 0xFFFF) % RU_M; + ru_seed = (tmp >> 16) & 0x7FFF; + get_random_bytes((void *) &tmp, sizeof(tmp)); + ru_seed2 = tmp & 0x7FFF; + + get_random_bytes((void *) &tmp, sizeof(tmp)); + + ru_b = (tmp & 0xfffe) | 1; + ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M); + while (ru_b % 3 == 0) + ru_b += 2; + + get_random_bytes((void *) &tmp, sizeof(tmp)); + j = tmp % RU_N; + tmp = tmp >> 16; + + while(noprime) { + for (i=0; i=PFAC_N) + noprime = 0; + else + j = (j+1) % RU_N; + } + + ru_g = pmod(RU_GEN,j,RU_N); + ru_counter = 0; + ru_reseed = jiffies + (RU_OUT * HZ); + ru_msb = ru_msb == 0x8000 ? 0 : 0x8000; +} + +__u16 ip_randomid (void) { + int i, n; + + if (ru_counter >= RU_MAX || jiffies > ru_reseed) + ip_initid(); + + if (!tmp) + get_random_bytes((void *) &tmp, sizeof(tmp)); + + n = tmp & 0x3; tmp = tmp >> 2; + if (ru_counter + n >= RU_MAX) + ip_initid(); + for (i=0; i <= n; i++) + ru_x = (ru_a*ru_x + ru_b) % RU_M; + ru_counter += i; + + return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x, RU_N)) | ru_msb; +} diff -urN linux/net/ipv4/ip_output.c linux/net/ipv4/ip_output.c --- linux/net/ipv4/ip_output.c Wed Oct 17 17:16:39 2001 +++ linux/net/ipv4/ip_output.c Mon Feb 25 16:09:03 2002 @@ -77,6 +77,9 @@ #include #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#endif /* * Shall we try to damage output packets if routing dev changes? @@ -510,6 +513,12 @@ * Begin outputting the bytes. */ +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid){ + id = htons(ip_randomid()); + sk->protinfo.af_inet.id = id; + } else +#endif id = sk->protinfo.af_inet.id++; do { diff -urN linux/net/ipv4/ip_sockglue.c linux/net/ipv4/ip_sockglue.c --- linux/net/ipv4/ip_sockglue.c Tue Oct 30 18:08:12 2001 +++ linux/net/ipv4/ip_sockglue.c Mon Feb 25 16:09:03 2002 @@ -42,6 +42,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDTTL +#include +#endif #define IP_CMSG_PKTINFO 1 #define IP_CMSG_TTL 2 @@ -492,8 +495,15 @@ case IP_TTL: if (optlen<1) goto e_inval; - if(val==-1) + if(val==-1) { +#ifdef CONFIG_GRKERNSEC_RANDTTL + if(grsec_enable_randttl){ + val = sysctl_ip_default_ttl + + (jiffies % (256 - sysctl_ip_default_ttl)); + } else +#endif val = sysctl_ip_default_ttl; + } if(val<1||val>255) goto e_inval; sk->protinfo.af_inet.ttl=val; diff -urN linux/net/ipv4/netfilter/Config.in linux/net/ipv4/netfilter/Config.in --- linux/net/ipv4/netfilter/Config.in Mon Feb 25 14:38:14 2002 +++ linux/net/ipv4/netfilter/Config.in Mon Feb 25 16:09:03 2002 @@ -25,6 +25,7 @@ dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES dep_tristate ' tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES + dep_tristate ' stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES fi diff -urN linux/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile --- linux/net/ipv4/netfilter/Makefile Mon Feb 25 14:38:14 2002 +++ linux/net/ipv4/netfilter/Makefile Mon Feb 25 16:09:03 2002 @@ -64,6 +64,7 @@ obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o # targets obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o diff -urN linux/net/ipv4/netfilter/ipt_stealth.c linux/net/ipv4/netfilter/ipt_stealth.c --- linux/net/ipv4/netfilter/ipt_stealth.c Wed Dec 31 19:00:00 1969 +++ linux/net/ipv4/netfilter/ipt_stealth.c Mon Feb 25 16:09:03 2002 @@ -0,0 +1,102 @@ +/* Kernel module to add stealth support. + * + * Copyright (C) 2002 Brad Spengler + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include + +MODULE_LICENSE("GPL"); + +#define TH_FIN 0x01 +#define TH_SYN 0x02 +#define TH_RST 0x04 +#define TH_ACK 0x10 +#define TH_ECE 0x40 +#define TH_CWR 0x80 + +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); + +static int +match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop) +{ + struct iphdr *ip = skb->nh.iph; + struct iphdr *udpip = (struct iphdr*)skb->data; + struct udphdr *uh = (struct udphdr*)(skb->data+(udpip->ihl<<2)); + struct tcphdr *th = (struct tcphdr*)(skb->data+(ip->ihl<<2)); + struct sock *sk = NULL; + u_int8_t tcpflags; + + if(ip->protocol == IPPROTO_TCP) { + tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); + if(tcpflags & TH_SYN) + sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif); + } else if(ip->protocol == IPPROTO_UDP) + sk = udp_v4_lookup(udpip->saddr, uh->source, udpip->daddr, uh->dest, skb->dev->ifindex); + else + return 0; + + if(sk != NULL) + return 0; + else + return 1; +} + +/* Called when user tries to insert an entry of this type. */ +static int +checkentry(const char *tablename, + const struct ipt_ip *ip, + void *matchinfo, + unsigned int matchsize, + unsigned int hook_mask) +{ + if (matchsize != IPT_ALIGN(0)) + return 0; + + if((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) || + ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO))) + return 1; + + + printk("stealth: Only works on TCP and UDP\n"); + return 0; +} + + +static struct ipt_match stealth_match += { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE }; + +static int __init init(void) +{ + return ipt_register_match(&stealth_match); +} + +static void __exit fini(void) +{ + ipt_unregister_match(&stealth_match); +} + +module_init(init); +module_exit(fini); diff -urN linux/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c --- linux/net/ipv4/tcp_ipv4.c Mon Feb 25 14:38:14 2002 +++ linux/net/ipv4/tcp_ipv4.c Mon Feb 25 16:09:03 2002 @@ -63,6 +63,11 @@ #include #include +#if defined(CONFIG_GRKERNSEC_RANDID)||defined(CONFIG_GRKERNSEC_RANDSRC) +#include +#endif + + extern int sysctl_ip_dynaddr; /* Check TCP sequence numbers in ICMP packets. */ @@ -211,9 +216,20 @@ spin_lock(&tcp_portalloc_lock); rover = tcp_port_rover; +#ifdef CONFIG_GRKERNSEC_RANDSRC + do { + if(grsec_enable_randsrc) { + rover = low + (ip_randomid() % (high - low)); + } else { + rover++; + if ((rover < low) || (rover > high)) + rover = low; + } +#else do { rover++; if ((rover < low) || (rover > high)) rover = low; +#endif head = &tcp_bhash[tcp_bhashfn(rover)]; spin_lock(&head->lock); for (tb = head->chain; tb; tb = tb->next) @@ -725,6 +741,11 @@ tp->ext_header_len = 0; if (sk->protinfo.af_inet.opt) tp->ext_header_len = sk->protinfo.af_inet.opt->optlen; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif sk->protinfo.af_inet.id = tp->write_seq^jiffies; tp->mss_clamp = 536; @@ -1450,6 +1471,11 @@ newtp->ext_header_len = 0; if (newsk->protinfo.af_inet.opt) newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen; +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + newsk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif newsk->protinfo.af_inet.id = newtp->write_seq^jiffies; tcp_sync_mss(newsk, dst->pmtu); diff -urN linux/net/ipv4/udp.c linux/net/ipv4/udp.c --- linux/net/ipv4/udp.c Mon Feb 25 14:38:14 2002 +++ linux/net/ipv4/udp.c Mon Feb 25 16:09:03 2002 @@ -94,6 +94,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDID +#include +#endif /* * Snmp MIB for the UDP layer */ @@ -738,6 +741,12 @@ sk->daddr = rt->rt_dst; sk->dport = usin->sin_port; sk->state = TCP_ESTABLISHED; + +#ifdef CONFIG_GRKERNSEC_RANDID + if(grsec_enable_randid) + sk->protinfo.af_inet.id = htons(ip_randomid()); + else +#endif sk->protinfo.af_inet.id = jiffies; sk_dst_set(sk, &rt->u.dst); diff -urN linux/net/netsyms.c linux/net/netsyms.c --- linux/net/netsyms.c Mon Feb 25 14:38:14 2002 +++ linux/net/netsyms.c Fri Mar 1 08:18:09 2002 @@ -588,4 +588,31 @@ EXPORT_SYMBOL(net_call_rx_atomic); EXPORT_SYMBOL(softnet_data); +#if defined(CONFIG_IP_NF_MATCH_STEALTH) || defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE) +extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif); +#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE) +EXPORT_SYMBOL(tcp_v4_lookup_listener); +#endif +EXPORT_SYMBOL(udp_v4_lookup); +#endif + +#if defined(CONFIG_GRKERNSEC_RANDID) || defined(CONFIG_GRKERNSEC_RANDTTL) ||\ + defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDPID) ||\ + defined(CONFIG_GRKERNSEC_RANDRPC) +#include +EXPORT_SYMBOL(ip_randomid); +#endif +#ifdef CONFIG_GRKERNSEC_RANDID +EXPORT_SYMBOL(grsec_enable_randid); +#endif +#ifdef CONFIG_GRKERNSEC_RANDSRC +EXPORT_SYMBOL(grsec_enable_randsrc); +#endif +#ifdef CONFIG_GRKERNSEC_RANDTTL +EXPORT_SYMBOL(grsec_enable_randttl); +#endif +#ifdef CONFIG_GRKERNSEC_RANDRPC +EXPORT_SYMBOL(grsec_enable_randrpc); +#endif + #endif /* CONFIG_NET */ diff -urN linux/net/socket.c linux/net/socket.c --- linux/net/socket.c Fri Dec 21 12:42:06 2001 +++ linux/net/socket.c Mon Feb 25 16:09:03 2002 @@ -85,6 +85,13 @@ #include #include +#if defined(CONFIG_GRKERNSEC_SOCKET_ALL)||\ + defined(CONFIG_GRKERNSEC_SOCKET_CLIENT)||\ + defined(CONFIG_GRKERNSEC_SOCKET_SERVER) +#include +#endif + + static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static loff_t sock_lseek(struct file *file, loff_t offset, int whence); static ssize_t sock_read(struct file *file, char *buf, @@ -912,6 +919,16 @@ int retval; struct socket *sock; +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + if(grsec_enable_socket_all && + (in_group_p(grsec_socket_all_gid)) && (family != AF_UNIX) && (family != AF_LOCAL)){ + security_alert("attempted socket(%d,%d,%d) by " + DEFAULTSECMSG,"attempted sockets",family,type,protocol, + DEFAULTSECARGS); + retval = -EACCES; + goto out; + } +#endif retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; @@ -1009,6 +1026,14 @@ char address[MAX_SOCK_ADDR]; int err; +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if(grsec_enable_socket_server && + (in_group_p(grsec_socket_server_gid)) && umyaddr && (umyaddr->sa_family != AF_UNIX) && (umyaddr->sa_family != AF_LOCAL)){ + security_alert("attempted bind() by " DEFAULTSECMSG, + "attempted binds", DEFAULTSECARGS); + return -EACCES; + } +#endif if((sock = sockfd_lookup(fd,&err))!=NULL) { if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) @@ -1117,6 +1142,16 @@ char address[MAX_SOCK_ADDR]; int err; +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT + if(grsec_enable_socket_client && + (in_group_p(grsec_socket_client_gid)) && uservaddr && (uservaddr->sa_family != AF_UNIX) && (uservaddr->sa_family != AF_LOCAL)){ + security_alert("attempted connect() to fd %d by " + DEFAULTSECMSG, "attempted connects", fd, + DEFAULTSECARGS); + err = -EACCES; + goto out; + } +#endif sock = sockfd_lookup(fd, &err); if (!sock) goto out; diff -urN linux/net/sunrpc/xprt.c linux/net/sunrpc/xprt.c --- linux/net/sunrpc/xprt.c Fri Dec 21 12:42:06 2001 +++ linux/net/sunrpc/xprt.c Mon Feb 25 16:09:03 2002 @@ -65,6 +65,9 @@ #include #include +#ifdef CONFIG_GRKERNSEC_RANDRPC +#include +#endif /* Following value should be > 32k + RPC overhead */ #define XPRT_MIN_WRITE_SPACE (35000 + SOCK_MIN_WRITE_SPACE) @@ -1383,7 +1386,14 @@ req->rq_timeout = xprt->timeout; req->rq_task = task; req->rq_xprt = xprt; +#ifdef CONFIG_GRKERNSEC_RANDRPC + if(grsec_enable_randrpc) + req->rq_xid = ip_randomid() * ip_randomid(); + else + req->rq_xid = xid++; +#else req->rq_xid = xid++; +#endif if (!xid) xid++; }