/[linux-patches]/hardened/2.6/trunk/2.6.18/4454_grsec-2.1.9-2.6.18.2-io-kmem-sysctl.patch
Gentoo

Contents of /hardened/2.6/trunk/2.6.18/4454_grsec-2.1.9-2.6.18.2-io-kmem-sysctl.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 740 - (show annotations) (download)
Wed Dec 6 20:25:57 2006 UTC (7 years, 4 months ago) by phreak
File size: 6333 byte(s)
Adding credit to Ned Ludd and Peter S. Mazinger.
1 From: Alexander Gabert <gaberta@fh-trier.de>
2
3 This patch reworks the logic behind GRKERNSEC_IO and GRKERNSEC_KMEM, making it less
4 intrusive and adding support for sysctl.
5
6 The original patch is based on the work of Peter S. Mazinger (ps dot m at gmx dot net)
7 and Nedd Ludd <solar@gentoo.org>.
8
9 Acked-by: Christian Heim <phreak@gentoo.org>
10
11
12 Index: linux-2.6.18/arch/i386/kernel/ioport.c
13 ===================================================================
14 --- linux-2.6.18.orig/arch/i386/kernel/ioport.c
15 +++ linux-2.6.18/arch/i386/kernel/ioport.c
16 @@ -65,18 +65,21 @@ asmlinkage long sys_ioperm(unsigned long
17
18 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
19 return -EINVAL;
20 -#ifdef CONFIG_GRKERNSEC_IO
21 +
22 if (turn_on) {
23 - gr_handle_ioperm();
24 +#ifdef CONFIG_GRKERNSEC_IO
25 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_io)) {
26 #else
27 - if (turn_on && !capable(CAP_SYS_RAWIO))
28 + if (grsec_enable_secure_io) {
29 #endif
30 - return -EPERM;
31 -#ifdef CONFIG_GRKERNSEC_IO
32 + gr_handle_ioperm();
33 + return -EPERM;
34 + } else if (!capable(CAP_SYS_RAWIO)) {
35 + return -EPERM;
36 + }
37 }
38 -#endif
39 - /*
40 - * If it's the first ioperm() call in this thread's lifetime, set the
41 +
42 + /* If it's the first ioperm() call in this thread's lifetime, set the
43 * IO bitmap up. ioperm() is much less timing critical than clone(),
44 * this is why we delay this operation until now:
45 */
46 @@ -152,13 +155,17 @@ asmlinkage long sys_iopl(unsigned long u
47 /* Trying to gain more privileges? */
48 if (level > old) {
49 #ifdef CONFIG_GRKERNSEC_IO
50 - gr_handle_iopl();
51 - return -EPERM;
52 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_io)) {
53 #else
54 - if (!capable(CAP_SYS_RAWIO))
55 - return -EPERM;
56 + if (grsec_enable_secure_io) {
57 #endif
58 + gr_handle_iopl();
59 + return -EPERM;
60 + } else if (!capable(CAP_SYS_RAWIO)) {
61 + return -EPERM;
62 + }
63 }
64 +
65 t->iopl = level << 12;
66 regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
67 set_iopl_mask(t->iopl);
68 Index: linux-2.6.18/drivers/char/mem.c
69 ===================================================================
70 --- linux-2.6.18.orig/drivers/char/mem.c
71 +++ linux-2.6.18/drivers/char/mem.c
72 @@ -179,9 +179,13 @@ static ssize_t write_mem(struct file * f
73 return -EFAULT;
74
75 #ifdef CONFIG_GRKERNSEC_KMEM
76 - gr_handle_mem_write();
77 - return -EPERM;
78 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
79 +#else
80 + if (grsec_enable_secure_kmem) {
81 #endif
82 + gr_handle_mem_write();
83 + return -EPERM;
84 + }
85
86 written = 0;
87
88 @@ -260,9 +264,13 @@ static int mmap_mem(struct file * file,
89 vma->vm_page_prot);
90
91 #ifdef CONFIG_GRKERNSEC_KMEM
92 - if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
93 - return -EPERM;
94 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
95 +#else
96 + if (grsec_enable_secure_kmem) {
97 #endif
98 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
99 + return -EPERM;
100 + }
101
102 /* Remap-pfn-range will mark the range VM_IO and VM_RESERVED */
103 if (remap_pfn_range(vma,
104 @@ -492,9 +500,13 @@ static ssize_t write_kmem(struct file *
105 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
106
107 #ifdef CONFIG_GRKERNSEC_KMEM
108 - gr_handle_kmem_write();
109 - return -EPERM;
110 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
111 +#else
112 + if (grsec_enable_secure_kmem) {
113 #endif
114 + gr_handle_kmem_write();
115 + return -EPERM;
116 + }
117
118 if (p < (unsigned long) high_memory) {
119
120 @@ -802,9 +814,13 @@ static loff_t memory_lseek(struct file *
121 static int open_port(struct inode * inode, struct file * filp)
122 {
123 #ifdef CONFIG_GRKERNSEC_KMEM
124 - gr_handle_open_port();
125 - return -EPERM;
126 + if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
127 +#else
128 + if (grsec_enable_secure_kmem) {
129 #endif
130 + gr_handle_open_port();
131 + return -EPERM;
132 + }
133
134 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
135 }
136 Index: linux-2.6.18/grsecurity/grsec_init.c
137 ===================================================================
138 --- linux-2.6.18.orig/grsecurity/grsec_init.c
139 +++ linux-2.6.18/grsecurity/grsec_init.c
140 @@ -46,6 +46,8 @@ int grsec_enable_socket_client;
141 int grsec_socket_client_gid;
142 int grsec_enable_socket_server;
143 int grsec_socket_server_gid;
144 +int grsec_enable_secure_io;
145 +int grsec_enable_secure_kmem;
146 int grsec_resource_logging;
147 int grsec_lock;
148
149 @@ -230,6 +232,12 @@ grsecurity_init(void)
150 grsec_enable_socket_server = 1;
151 grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
152 #endif
153 +#ifdef CONFIG_GRKERNSEC_IO
154 + grsec_enable_secure_io = 1;
155 +#endif
156 +#ifdef CONFIG_GRKERNSEC_KMEM
157 + grsec_enable_secure_kmem = 1;
158 +#endif
159 #endif
160
161 return;
162 Index: linux-2.6.18/grsecurity/grsec_sysctl.c
163 ===================================================================
164 --- linux-2.6.18.orig/grsecurity/grsec_sysctl.c
165 +++ linux-2.6.18/grsecurity/grsec_sysctl.c
166 @@ -36,7 +36,7 @@ GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS
167 GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
168 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
169 GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
170 -GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
171 +GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
172
173
174 ctl_table grsecurity_table[] = {
175 @@ -431,6 +431,26 @@ ctl_table grsecurity_table[] = {
176 .proc_handler = &proc_dointvec,
177 },
178 #endif
179 +#ifdef CONFIG_GRKERNSEC_IO
180 + {
181 + .ctl_name = GS_IO,
182 + .procname = "secure_io",
183 + .data = &grsec_enable_secure_io,
184 + .maxlen = sizeof(int),
185 + .mode = 0600,
186 + .proc_handler = &proc_dointvec,
187 + },
188 +#endif
189 +#ifdef CONFIG_GRKERNSEC_KMEM
190 + {
191 + .ctl_name = GS_KMEM,
192 + .procname = "secure_kmem",
193 + .data = &grsec_enable_secure_kmem,
194 + .maxlen = sizeof(int),
195 + .mode = 0600,
196 + .proc_handler = &proc_dointvec,
197 + },
198 +#endif
199 {
200 .ctl_name = GS_LOCK,
201 .procname = "grsec_lock",
202 Index: linux-2.6.18/include/linux/grsecurity.h
203 ===================================================================
204 --- linux-2.6.18.orig/include/linux/grsecurity.h
205 +++ linux-2.6.18/include/linux/grsecurity.h
206 @@ -188,6 +188,8 @@ extern int gr_handle_mem_mmap(const unsi
207 extern unsigned long pax_get_random_long(void);
208 #define get_random_long() pax_get_random_long()
209
210 +extern int grsec_enable_secure_io;
211 +extern int grsec_enable_secure_kmem;
212 extern int grsec_enable_dmesg;
213 extern int grsec_enable_randsrc;
214 extern int grsec_enable_shm;

  ViewVC Help
Powered by ViewVC 1.1.20