trunk/2.6.18/4454_grsec-2.1.9-2.6.18.2-io-kmem-sysctl.patch

From: Alexander Gabert <gaberta@fh-trier.de>

This patch reworks the logic behind GRKERNSEC_IO and GRKERNSEC_KMEM, making it less
intrusive and adding support for sysctl.

The original patch is based on the work of Peter S. Mazinger (ps dot m at gmx dot net)
and Nedd Ludd <solar@gentoo.org>.

Acked-by: Christian Heim <phreak@gentoo.org>


Index: linux-2.6.18/arch/i386/kernel/ioport.c
===================================================================
--- linux-2.6.18.orig/arch/i386/kernel/ioport.c
+++ linux-2.6.18/arch/i386/kernel/ioport.c
@@ -65,18 +65,21 @@ asmlinkage long sys_ioperm(unsigned long
 
        if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
                return -EINVAL;
-#ifdef CONFIG_GRKERNSEC_IO
+
        if (turn_on) {
-               gr_handle_ioperm();
+#ifdef CONFIG_GRKERNSEC_IO
+               if (!grsec_lock || (grsec_lock && grsec_enable_secure_io)) {
 #else
-       if (turn_on && !capable(CAP_SYS_RAWIO))
+               if (grsec_enable_secure_io) {
 #endif
-               return -EPERM;
-#ifdef CONFIG_GRKERNSEC_IO
+                       gr_handle_ioperm();
+                       return -EPERM;
+               } else if (!capable(CAP_SYS_RAWIO)) {
+                       return -EPERM;
+               }
        }
-#endif
-       /*
-        * If it's the first ioperm() call in this thread's lifetime, set the
+
+        /* If it's the first ioperm() call in this thread's lifetime, set the
         * IO bitmap up. ioperm() is much less timing critical than clone(),
         * this is why we delay this operation until now:
         */
@@ -152,13 +155,17 @@ asmlinkage long sys_iopl(unsigned long u
        /* Trying to gain more privileges? */
        if (level > old) {
 #ifdef CONFIG_GRKERNSEC_IO
-               gr_handle_iopl();
-               return -EPERM;
+               if (!grsec_lock || (grsec_lock && grsec_enable_secure_io)) {
 #else
-               if (!capable(CAP_SYS_RAWIO))
-                       return -EPERM;
+               if (grsec_enable_secure_io) {
 #endif
+                       gr_handle_iopl();
+                       return -EPERM;
+               } else if (!capable(CAP_SYS_RAWIO)) {
+                       return -EPERM;
+               }
        }
+
        t->iopl = level << 12;
        regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
        set_iopl_mask(t->iopl);
Index: linux-2.6.18/drivers/char/mem.c
===================================================================
--- linux-2.6.18.orig/drivers/char/mem.c
+++ linux-2.6.18/drivers/char/mem.c
@@ -179,9 +179,13 @@ static ssize_t write_mem(struct file * f
                return -EFAULT;
 
 #ifdef CONFIG_GRKERNSEC_KMEM
-       gr_handle_mem_write();
-       return -EPERM;
+       if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
+#else
+       if (grsec_enable_secure_kmem) {
 #endif
+               gr_handle_mem_write();
+               return -EPERM;
+       }
 
        written = 0;
 
@@ -260,9 +264,13 @@ static int mmap_mem(struct file * file, 
                                                 vma->vm_page_prot);
 
 #ifdef CONFIG_GRKERNSEC_KMEM
-       if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
-               return -EPERM;
+       if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
+#else
+       if (grsec_enable_secure_kmem) {
 #endif
+               if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
+                       return -EPERM;
+       }
 
        /* Remap-pfn-range will mark the range VM_IO and VM_RESERVED */
        if (remap_pfn_range(vma,
@@ -492,9 +500,13 @@ static ssize_t write_kmem(struct file * 
        char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 
 #ifdef CONFIG_GRKERNSEC_KMEM
-       gr_handle_kmem_write();
-       return -EPERM;
+       if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
+#else
+       if (grsec_enable_secure_kmem) {
 #endif
+               gr_handle_kmem_write();
+               return -EPERM;
+       }
 
        if (p < (unsigned long) high_memory) {
 
@@ -802,9 +814,13 @@ static loff_t memory_lseek(struct file *
 static int open_port(struct inode * inode, struct file * filp)
 {
 #ifdef CONFIG_GRKERNSEC_KMEM
-       gr_handle_open_port();
-       return -EPERM;
+       if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
+#else
+       if (grsec_enable_secure_kmem) {
 #endif
+               gr_handle_open_port();
+               return -EPERM;
+       }
 
        return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }
Index: linux-2.6.18/grsecurity/grsec_init.c
===================================================================
--- linux-2.6.18.orig/grsecurity/grsec_init.c
+++ linux-2.6.18/grsecurity/grsec_init.c
@@ -46,6 +46,8 @@ int grsec_enable_socket_client;
 int grsec_socket_client_gid;
 int grsec_enable_socket_server;
 int grsec_socket_server_gid;
+int grsec_enable_secure_io;
+int grsec_enable_secure_kmem;
 int grsec_resource_logging;
 int grsec_lock;
 
@@ -230,6 +232,12 @@ grsecurity_init(void)
        grsec_enable_socket_server = 1;
        grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
 #endif
+#ifdef CONFIG_GRKERNSEC_IO
+       grsec_enable_secure_io = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_KMEM
+       grsec_enable_secure_kmem = 1;
+#endif
 #endif
 
        return;
Index: linux-2.6.18/grsecurity/grsec_sysctl.c
===================================================================
--- linux-2.6.18.orig/grsecurity/grsec_sysctl.c
+++ linux-2.6.18/grsecurity/grsec_sysctl.c
@@ -36,7 +36,7 @@ GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS
 GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
 GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
-GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
 
 
 ctl_table grsecurity_table[] = {
@@ -431,6 +431,26 @@ ctl_table grsecurity_table[] = {
                .proc_handler   = &proc_dointvec,
        },
 #endif
+#ifdef CONFIG_GRKERNSEC_IO
+       {
+               .ctl_name       = GS_IO,
+               .procname       = "secure_io",
+               .data           = &grsec_enable_secure_io,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = &proc_dointvec,
+       },
+#endif
+#ifdef CONFIG_GRKERNSEC_KMEM
+       {
+               .ctl_name       = GS_KMEM,
+               .procname       = "secure_kmem",
+               .data           = &grsec_enable_secure_kmem,
+               .maxlen         = sizeof(int),
+               .mode           = 0600,
+               .proc_handler   = &proc_dointvec,
+       },
+#endif
        {
                .ctl_name       = GS_LOCK,
                .procname       = "grsec_lock",
Index: linux-2.6.18/include/linux/grsecurity.h
===================================================================
--- linux-2.6.18.orig/include/linux/grsecurity.h
+++ linux-2.6.18/include/linux/grsecurity.h
@@ -188,6 +188,8 @@ extern int gr_handle_mem_mmap(const unsi
 extern unsigned long pax_get_random_long(void);
 #define get_random_long() pax_get_random_long()
 
+extern int grsec_enable_secure_io;
+extern int grsec_enable_secure_kmem;
 extern int grsec_enable_dmesg;
 extern int grsec_enable_randsrc;
 extern int grsec_enable_shm;
1	From: Alexander Gabert <gaberta@fh-trier.de>
2
3	This patch reworks the logic behind GRKERNSEC_IO and GRKERNSEC_KMEM, making it less
4	intrusive and adding support for sysctl.
5
6	The original patch is based on the work of Peter S. Mazinger (ps dot m at gmx dot net)
7	and Nedd Ludd <solar@gentoo.org>.
8
9	Acked-by: Christian Heim <phreak@gentoo.org>
10
11
12	Index: linux-2.6.18/arch/i386/kernel/ioport.c
13	===================================================================
14	--- linux-2.6.18.orig/arch/i386/kernel/ioport.c
15	+++ linux-2.6.18/arch/i386/kernel/ioport.c
16	@@ -65,18 +65,21 @@ asmlinkage long sys_ioperm(unsigned long
17
18	if ((from + num <= from) \|\| (from + num > IO_BITMAP_BITS))
19	return -EINVAL;
20	-#ifdef CONFIG_GRKERNSEC_IO
21	+
22	if (turn_on) {
23	- gr_handle_ioperm();
24	+#ifdef CONFIG_GRKERNSEC_IO
25	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_io)) {
26	#else
27	- if (turn_on && !capable(CAP_SYS_RAWIO))
28	+ if (grsec_enable_secure_io) {
29	#endif
30	- return -EPERM;
31	-#ifdef CONFIG_GRKERNSEC_IO
32	+ gr_handle_ioperm();
33	+ return -EPERM;
34	+ } else if (!capable(CAP_SYS_RAWIO)) {
35	+ return -EPERM;
36	+ }
37	}
38	-#endif
39	- /*
40	- * If it's the first ioperm() call in this thread's lifetime, set the
41	+
42	+ /* If it's the first ioperm() call in this thread's lifetime, set the
43	* IO bitmap up. ioperm() is much less timing critical than clone(),
44	* this is why we delay this operation until now:
45	*/
46	@@ -152,13 +155,17 @@ asmlinkage long sys_iopl(unsigned long u
47	/* Trying to gain more privileges? */
48	if (level > old) {
49	#ifdef CONFIG_GRKERNSEC_IO
50	- gr_handle_iopl();
51	- return -EPERM;
52	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_io)) {
53	#else
54	- if (!capable(CAP_SYS_RAWIO))
55	- return -EPERM;
56	+ if (grsec_enable_secure_io) {
57	#endif
58	+ gr_handle_iopl();
59	+ return -EPERM;
60	+ } else if (!capable(CAP_SYS_RAWIO)) {
61	+ return -EPERM;
62	+ }
63	}
64	+
65	t->iopl = level << 12;
66	regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) \| t->iopl;
67	set_iopl_mask(t->iopl);
68	Index: linux-2.6.18/drivers/char/mem.c
69	===================================================================
70	--- linux-2.6.18.orig/drivers/char/mem.c
71	+++ linux-2.6.18/drivers/char/mem.c
72	@@ -179,9 +179,13 @@ static ssize_t write_mem(struct file * f
73	return -EFAULT;
74
75	#ifdef CONFIG_GRKERNSEC_KMEM
76	- gr_handle_mem_write();
77	- return -EPERM;
78	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_kmem)) {
79	+#else
80	+ if (grsec_enable_secure_kmem) {
81	#endif
82	+ gr_handle_mem_write();
83	+ return -EPERM;
84	+ }
85
86	written = 0;
87
88	@@ -260,9 +264,13 @@ static int mmap_mem(struct file * file,
89	vma->vm_page_prot);
90
91	#ifdef CONFIG_GRKERNSEC_KMEM
92	- if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
93	- return -EPERM;
94	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_kmem)) {
95	+#else
96	+ if (grsec_enable_secure_kmem) {
97	#endif
98	+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
99	+ return -EPERM;
100	+ }
101
102	/* Remap-pfn-range will mark the range VM_IO and VM_RESERVED */
103	if (remap_pfn_range(vma,
104	@@ -492,9 +500,13 @@ static ssize_t write_kmem(struct file *
105	char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
106
107	#ifdef CONFIG_GRKERNSEC_KMEM
108	- gr_handle_kmem_write();
109	- return -EPERM;
110	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_kmem)) {
111	+#else
112	+ if (grsec_enable_secure_kmem) {
113	#endif
114	+ gr_handle_kmem_write();
115	+ return -EPERM;
116	+ }
117
118	if (p < (unsigned long) high_memory) {
119
120	@@ -802,9 +814,13 @@ static loff_t memory_lseek(struct file *
121	static int open_port(struct inode * inode, struct file * filp)
122	{
123	#ifdef CONFIG_GRKERNSEC_KMEM
124	- gr_handle_open_port();
125	- return -EPERM;
126	+ if (!grsec_lock \|\| (grsec_lock && grsec_enable_secure_kmem)) {
127	+#else
128	+ if (grsec_enable_secure_kmem) {
129	#endif
130	+ gr_handle_open_port();
131	+ return -EPERM;
132	+ }
133
134	return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
135	}
136	Index: linux-2.6.18/grsecurity/grsec_init.c
137	===================================================================
138	--- linux-2.6.18.orig/grsecurity/grsec_init.c
139	+++ linux-2.6.18/grsecurity/grsec_init.c
140	@@ -46,6 +46,8 @@ int grsec_enable_socket_client;
141	int grsec_socket_client_gid;
142	int grsec_enable_socket_server;
143	int grsec_socket_server_gid;
144	+int grsec_enable_secure_io;
145	+int grsec_enable_secure_kmem;
146	int grsec_resource_logging;
147	int grsec_lock;
148
149	@@ -230,6 +232,12 @@ grsecurity_init(void)
150	grsec_enable_socket_server = 1;
151	grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
152	#endif
153	+#ifdef CONFIG_GRKERNSEC_IO
154	+ grsec_enable_secure_io = 1;
155	+#endif
156	+#ifdef CONFIG_GRKERNSEC_KMEM
157	+ grsec_enable_secure_kmem = 1;
158	+#endif
159	#endif
160
161	return;
162	Index: linux-2.6.18/grsecurity/grsec_sysctl.c
163	===================================================================
164	--- linux-2.6.18.orig/grsecurity/grsec_sysctl.c
165	+++ linux-2.6.18/grsecurity/grsec_sysctl.c
166	@@ -36,7 +36,7 @@ GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS
167	GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
168	GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
169	GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
170	-GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
171	+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
172
173
174	ctl_table grsecurity_table[] = {
175	@@ -431,6 +431,26 @@ ctl_table grsecurity_table[] = {
176	.proc_handler = &proc_dointvec,
177	},
178	#endif
179	+#ifdef CONFIG_GRKERNSEC_IO
180	+ {
181	+ .ctl_name = GS_IO,
182	+ .procname = "secure_io",
183	+ .data = &grsec_enable_secure_io,
184	+ .maxlen = sizeof(int),
185	+ .mode = 0600,
186	+ .proc_handler = &proc_dointvec,
187	+ },
188	+#endif
189	+#ifdef CONFIG_GRKERNSEC_KMEM
190	+ {
191	+ .ctl_name = GS_KMEM,
192	+ .procname = "secure_kmem",
193	+ .data = &grsec_enable_secure_kmem,
194	+ .maxlen = sizeof(int),
195	+ .mode = 0600,
196	+ .proc_handler = &proc_dointvec,
197	+ },
198	+#endif
199	{
200	.ctl_name = GS_LOCK,
201	.procname = "grsec_lock",
202	Index: linux-2.6.18/include/linux/grsecurity.h
203	===================================================================
204	--- linux-2.6.18.orig/include/linux/grsecurity.h
205	+++ linux-2.6.18/include/linux/grsecurity.h
206	@@ -188,6 +188,8 @@ extern int gr_handle_mem_mmap(const unsi
207	extern unsigned long pax_get_random_long(void);
208	#define get_random_long() pax_get_random_long()
209
210	+extern int grsec_enable_secure_io;
211	+extern int grsec_enable_secure_kmem;
212	extern int grsec_enable_dmesg;
213	extern int grsec_enable_randsrc;
214	extern int grsec_enable_shm;