
Diff of /hardened/2.6/trunk/2.6.19/4453_grsec-2.1.9-2.6.19-io-kmem-sysctl.patch


hardened/2.6/trunk/2.6.19/4452_grsec-2.1.9-2.6.19-io-kmem-sysctl.patch Revision 751 hardened/2.6/trunk/2.6.19/4453_grsec-2.1.9-2.6.19-io-kmem-sysctl.patch Revision 755
10intrusive and adding support for sysctl. 10intrusive and adding support for sysctl.
11 11
12The original patch is based on the work of Peter S. Mazinger (ps dot m at gmx dot net) 12The original patch is based on the work of Peter S. Mazinger (ps dot m at gmx dot net)
13and Nedd Ludd <solar@gentoo.org>. 13and Nedd Ludd <solar@gentoo.org>.
14 14
15Index: linux-2.6.18/arch/i386/kernel/ioport.c 15Index: linux-2.6.19/arch/i386/kernel/ioport.c
16=================================================================== 16===================================================================
17--- linux-2.6.18.orig/arch/i386/kernel/ioport.c 17--- linux-2.6.19.orig/arch/i386/kernel/ioport.c
18+++ linux-2.6.18/arch/i386/kernel/ioport.c 18+++ linux-2.6.19/arch/i386/kernel/ioport.c
19@@ -65,18 +65,21 @@ asmlinkage long sys_ioperm(unsigned long 19@@ -65,18 +65,21 @@ asmlinkage long sys_ioperm(unsigned long
20 20
21 if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) 21 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
22 return -EINVAL; 22 return -EINVAL;
23-#ifdef CONFIG_GRKERNSEC_IO 23-#ifdef CONFIG_GRKERNSEC_IO
66 } 66 }
67+ 67+
68 t->iopl = level << 12; 68 t->iopl = level << 12;
69 regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl; 69 regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
70 set_iopl_mask(t->iopl); 70 set_iopl_mask(t->iopl);
71Index: linux-2.6.18/drivers/char/mem.c 71Index: linux-2.6.19/drivers/char/mem.c
72=================================================================== 72===================================================================
73--- linux-2.6.18.orig/drivers/char/mem.c 73--- linux-2.6.19.orig/drivers/char/mem.c
74+++ linux-2.6.18/drivers/char/mem.c 74+++ linux-2.6.19/drivers/char/mem.c
75@@ -179,9 +179,13 @@ static ssize_t write_mem(struct file * f 75@@ -180,9 +180,13 @@ static ssize_t write_mem(struct file * f
76 return -EFAULT; 76 return -EFAULT;
77 77
78 #ifdef CONFIG_GRKERNSEC_KMEM 78 #ifdef CONFIG_GRKERNSEC_KMEM
79- gr_handle_mem_write(); 79- gr_handle_mem_write();
80- return -EPERM; 80- return -EPERM;
86+ return -EPERM; 86+ return -EPERM;
87+ } 87+ }
88 88
89 written = 0; 89 written = 0;
90 90
91@@ -260,9 +264,13 @@ static int mmap_mem(struct file * file, 91@@ -286,9 +290,13 @@ static int mmap_mem(struct file * file,
92 vma->vm_page_prot); 92 return -ENOSYS;
93 93
94 #ifdef CONFIG_GRKERNSEC_KMEM 94 #ifdef CONFIG_GRKERNSEC_KMEM
95- if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma)) 95- if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
96- return -EPERM; 96- return -EPERM;
97+ if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) { 97+ if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {
100 #endif 100 #endif
101+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma)) 101+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
102+ return -EPERM; 102+ return -EPERM;
103+ } 103+ }
104 104
105 /* Remap-pfn-range will mark the range VM_IO and VM_RESERVED */ 105 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
106 if (remap_pfn_range(vma, 106 size,
107@@ -492,9 +500,13 @@ static ssize_t write_kmem(struct file * 107@@ -522,9 +530,13 @@ static ssize_t write_kmem(struct file *
108 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ 108 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
109 109
110 #ifdef CONFIG_GRKERNSEC_KMEM 110 #ifdef CONFIG_GRKERNSEC_KMEM
111- gr_handle_kmem_write(); 111- gr_handle_kmem_write();
112- return -EPERM; 112- return -EPERM;
118+ return -EPERM; 118+ return -EPERM;
119+ } 119+ }
120 120
121 if (p < (unsigned long) high_memory) { 121 if (p < (unsigned long) high_memory) {
122 122
123@@ -802,9 +814,13 @@ static loff_t memory_lseek(struct file * 123@@ -832,9 +844,13 @@ static loff_t memory_lseek(struct file *
124 static int open_port(struct inode * inode, struct file * filp) 124 static int open_port(struct inode * inode, struct file * filp)
125 { 125 {
126 #ifdef CONFIG_GRKERNSEC_KMEM 126 #ifdef CONFIG_GRKERNSEC_KMEM
127- gr_handle_open_port(); 127- gr_handle_open_port();
128- return -EPERM; 128- return -EPERM;
134+ return -EPERM; 134+ return -EPERM;
135+ } 135+ }
136 136
137 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; 137 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
138 } 138 }
139Index: linux-2.6.18/grsecurity/grsec_init.c 139Index: linux-2.6.19/grsecurity/grsec_init.c
140=================================================================== 140===================================================================
141--- linux-2.6.18.orig/grsecurity/grsec_init.c 141--- linux-2.6.19.orig/grsecurity/grsec_init.c
142+++ linux-2.6.18/grsecurity/grsec_init.c 142+++ linux-2.6.19/grsecurity/grsec_init.c
143@@ -46,6 +46,8 @@ int grsec_enable_socket_client; 143@@ -46,6 +46,8 @@ int grsec_enable_socket_client;
144 int grsec_socket_client_gid; 144 int grsec_socket_client_gid;
145 int grsec_enable_socket_server; 145 int grsec_enable_socket_server;
146 int grsec_socket_server_gid; 146 int grsec_socket_server_gid;
147+int grsec_enable_secure_io; 147+int grsec_enable_secure_io;
160+ grsec_enable_secure_kmem = 1; 160+ grsec_enable_secure_kmem = 1;
161+#endif 161+#endif
162 #endif 162 #endif
163 163
164 return; 164 return;
165Index: linux-2.6.18/grsecurity/grsec_sysctl.c 165Index: linux-2.6.19/grsecurity/grsec_sysctl.c
166=================================================================== 166===================================================================
167--- linux-2.6.18.orig/grsecurity/grsec_sysctl.c 167--- linux-2.6.19.orig/grsecurity/grsec_sysctl.c
168+++ linux-2.6.18/grsecurity/grsec_sysctl.c 168+++ linux-2.6.19/grsecurity/grsec_sysctl.c
169@@ -36,7 +36,7 @@ GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS 169@@ -36,7 +36,7 @@ GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS
170 GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, 170 GS_RANDPID, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
171 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, 171 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
172 GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, 172 GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
173-GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG}; 173-GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
174+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK, GS_MODSTOP, GS_RESLOG}; 174+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
175 175
176 176
200+ }, 200+ },
201+#endif 201+#endif
202 { 202 {
203 .ctl_name = GS_LOCK, 203 .ctl_name = GS_LOCK,
204 .procname = "grsec_lock", 204 .procname = "grsec_lock",
205Index: linux-2.6.18/include/linux/grsecurity.h 205Index: linux-2.6.19/include/linux/grsecurity.h
206=================================================================== 206===================================================================
207--- linux-2.6.18.orig/include/linux/grsecurity.h 207--- linux-2.6.19.orig/include/linux/grsecurity.h
208+++ linux-2.6.18/include/linux/grsecurity.h 208+++ linux-2.6.19/include/linux/grsecurity.h
209@@ -188,6 +188,8 @@ extern int gr_handle_mem_mmap(const unsi 209@@ -188,6 +188,8 @@ extern int gr_handle_mem_mmap(const unsi
210 extern unsigned long pax_get_random_long(void); 210 extern unsigned long pax_get_random_long(void);
211 #define get_random_long() pax_get_random_long() 211 #define get_random_long() pax_get_random_long()
212 212
213+extern int grsec_enable_secure_io; 213+extern int grsec_enable_secure_io;
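Review bot: The guard added in the mmap_mem hunk of drivers/char/mem.c, `if (!grsec_lock || (grsec_lock && grsec_enable_secure_kmem)) {`, carries a redundant conjunct: once `!grsec_lock` is false, `grsec_lock` is already known to be non-zero, so the line reduces to `if (!grsec_lock || grsec_enable_secure_kmem) {`. The added guard lines of the write_mem, write_kmem and open_port hunks fall outside the shown excerpt, but they presumably repeat the same condition and would take the same simplification. The policy the expression encodes is not obvious to a reader of mem.c — the restriction is enforced unconditionally while grsec_lock is 0, and the grsec_enable_secure_kmem sysctl only governs it once grsec_lock has been set — and deserves a one-line comment above the guard, e.g. `/* enforced unconditionally until grsec_lock is set; the sysctl only takes effect once locked */`. The `#endif` sitting between the `if` and its body suggests a preprocessor alternative on the hidden lines just before it, so any rewording of the condition should be checked against both branches.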
