Author: shadzik Date: Sun Mar 29 20:27:28 2009 GMT Module: SOURCES Tag: Titanium ---- Log message: - updated for .29
---- Files affected: SOURCES: kernel-desktop-grsec-minimal.patch (1.8 -> 1.8.4.1) ---- Diffs: ================================================================ Index: SOURCES/kernel-desktop-grsec-minimal.patch diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8 SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1 --- SOURCES/kernel-desktop-grsec-minimal.patch:1.8 Sat Nov 18 02:19:32 2006 +++ SOURCES/kernel-desktop-grsec-minimal.patch Sun Mar 29 22:27:22 2009 
@@ -1,28 +1,7 @@ ---- linux-2.6.18.orig/Makefile 2006-11-18 01:09:45.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/Makefile 2006-11-18 01:11:02.000000000 +0000 -@@ -552,7 +552,7 @@ - - - ifeq ($(KBUILD_EXTMOD),) --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ - - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \ - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \ ---- linux-2.6.18.orig/arch/sparc/Makefile 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/arch/sparc/Makefile 2006-11-18 01:11:02.000000000 +0000 -@@ -34,7 +34,7 @@ - # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-) - INIT_Y := $(patsubst %/, %/built-in.o, $(init-y)) - CORE_Y := $(core-y) --CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ -+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ - CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y)) - DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y)) - NET_Y := $(patsubst %/, %/built-in.o, $(net-y)) ---- linux-2.6.18.orig/drivers/char/keyboard.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/drivers/char/keyboard.c 2006-11-18 01:11:02.000000000 +0000 -@@ -618,6 +618,16 @@ +diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c +--- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200 ++++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200 +@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u kbd->kbdmode == VC_MEDIUMRAW) && value != KVAL(K_SAK)) return; /* SAK is allowed even in raw mode */ 
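Review bot: The regenerated file headers on the new side still name `linux-2.6.26.orig/...` trees with 2008 timestamps (the drivers/char/keyboard.c header here, and the pci/proc.c, Kconfig, array.c and root.c headers in the later hunks), while the log message says the patch was updated for .29. patch(1) discards those path prefixes under `-p1`, so this does not affect applying, but it misdocuments which tree the hunks and their `@@` offsets were refreshed against. If the hunks really were regenerated on a 2.6.29 tree the headers should say so; if only the offsets were fixed up by hand, the log message should state that instead.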
@@ -36,30 +15,33 @@ + } +#endif + - fn_handler[value](vc, regs); + fn_handler[value](vc); } ---- linux-2.6.18.orig/drivers/pci/proc.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/drivers/pci/proc.c 2006-11-18 01:11:02.000000000 +0000 -@@ -467,7 +467,15 @@ +diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c +--- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200 ++++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200 +@@ -472,7 +472,16 @@ static const struct file_operations proc + static int __init pci_proc_init(void) { - struct proc_dir_entry *entry; struct pci_dev *dev = NULL; ++ +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus); ++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus); ++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#endif +#else - proc_bus_pci_dir = proc_mkdir("pci", proc_bus); + proc_bus_pci_dir = proc_mkdir("bus/pci", NULL); +#endif - entry = create_proc_entry("devices", 0, proc_bus_pci_dir); - if (entry) - entry->proc_fops = &proc_bus_pci_dev_operations; ---- linux-2.6.18.orig/fs/Kconfig 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/Kconfig 2006-11-18 01:11:02.000000000 +0000 -@@ -817,7 +817,7 @@ + proc_create("devices", 0, proc_bus_pci_dir, + &proc_bus_pci_dev_operations); + proc_initialized = 1; +diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig +--- linux-2.6.26.orig/fs/proc/Kconfig 2008-09-01 11:43:58.000000000 +0200 ++++ linux-2.6.26/fs/proc/Kconfig 2008-09-02 12:17:21.000000000 +0200 +@@ -926,12 +926,12 @@ config PROC_FS config PROC_KCORE bool "/proc/kcore support" if !ARM 
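Review bot: In the new pci_proc_init() hunk `proc_bus_pci_dir` is only assigned when CONFIG_GRKERNSEC_PROC_ADD is set together with CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP; with PROC_ADD alone the `#ifdef`/`#elif`/`#endif` ladder inside the outer `#ifdef` assigns nothing, and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` would then presumably register under the /proc root, where a `devices` entry already exists. Nothing visible in this diff makes one of the two sub-options mandatory (the removed GRKERNSEC_PROC help text only tells the user they "MUST choose" one), so either express that in Kconfig, e.g. `depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP`, or give the inner ladder a fallback `#else` with `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`. The `proc_mkdir_mode("bus", ...)` ladder in the fs/proc/root.c hunk further down has the same shape and the same gap; pci_proc_init() itself continues past the end of this hunk. Separately, the `diff -urNp` line for the Kconfig change names `fs/Kconfig` while its `---`/`+++` lines name `fs/proc/Kconfig`; patch(1) uses the latter, but the two should agree.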
@@ -68,277 +50,31 @@ config PROC_VMCORE bool "/proc/vmcore support (EXPERIMENTAL)" ---- linux-2.6.18.orig/fs/namei.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/namei.c 2006-11-18 01:11:02.000000000 +0000 -@@ -32,6 +32,7 @@ - #include <linux/file.h> - #include <linux/fcntl.h> - #include <linux/namei.h> -+#include <linux/grsecurity.h> - #include <asm/namei.h> - #include <asm/uaccess.h> +- depends on PROC_FS && CRASH_DUMP +- default y ++ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC ++ default n + help + Exports the dump image of crashed kernel in ELF format. + +diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c +--- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200 ++++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200 +@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s -@@ -618,6 +619,13 @@ - err = security_inode_follow_link(path->dentry, nd); - if (err) - goto loop; -+ -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode, -+ path->dentry->d_inode, path->dentry, nd->mnt)) { -+ err = -EACCES; -+ goto loop; -+ } -+ - current->link_count++; - current->total_link_count++; - nd->depth++; -@@ -1665,6 +1673,13 @@ - /* - * It already exists. - */ -+ -+ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) { -+ mutex_unlock(&dir->d_inode->i_mutex); -+ error = -EACCES; -+ goto exit_dput; -+ } -+ - mutex_unlock(&dir->d_inode->i_mutex); - audit_inode_update(path.dentry->d_inode); - -@@ -1720,6 +1735,13 @@ - error = security_inode_follow_link(path.dentry, nd); - if (error) - goto exit_dput; -+ -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode, -+ path.dentry, nd->mnt)) { -+ error = -EACCES; -+ goto exit_dput; -+ } -+ - error = __do_follow_link(&path, nd); - if (error) { - /* Does someone understand code flow here? 
Or it is only -@@ -2281,7 +2303,14 @@ - new_dentry = lookup_create(&nd, 0); - error = PTR_ERR(new_dentry); - if (!IS_ERR(new_dentry)) { -- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); -+ error = 0; -+ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt, -+ old_nd.dentry->d_inode, -+ old_nd.dentry->d_inode->i_mode, to)) -+ error = -EPERM; -+ if (!error) -+ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, -+ new_dentry); - dput(new_dentry); - } - mutex_unlock(&nd.dentry->d_inode->i_mutex); ---- linux-2.6.18.orig/fs/proc/array.c 2006-11-18 01:09:47.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/array.c 2006-11-18 01:11:02.000000000 +0000 -@@ -486,3 +486,14 @@ - return sprintf(buffer,"%d %d %d %d %d %d %d\n", - size, resident, shared, text, lib, data, 0); + return 0; } + +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR -+int proc_pid_ipaddr(struct task_struct *task, char * buffer) ++int proc_pid_ipaddr(struct task_struct *task, char *buffer) +{ -+ int len; -+ -+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip)); -+ return len; ++ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip)); +} +#endif -+ ---- linux-2.6.18.orig/fs/proc/base.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/base.c 2006-11-18 01:11:02.000000000 +0000 -@@ -136,6 +136,9 @@ - #ifdef CONFIG_AUDITSYSCALL - PROC_TGID_LOGINUID, - #endif -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR -+ PROC_TGID_IPADDR, -+#endif - PROC_TGID_OOM_SCORE, - PROC_TGID_OOM_ADJUST, - PROC_TID_INO, -@@ -220,6 +223,9 @@ - E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO), - E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO), - E(PROC_TGID_MOUNTSTATS, "mountstats", S_IFREG|S_IRUSR), -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR -+ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR), -+#endif - #ifdef CONFIG_MMU - E(PROC_TGID_SMAPS, "smaps", S_IFREG|S_IRUGO), - #endif -@@ -1321,6 +1327,9 @@ - if (task_dumpable(task)) { - inode->i_uid = task->euid; - inode->i_gid = task->egid; 
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; -+#endif - } - security_task_to_inode(task, inode); - -@@ -1353,11 +1362,30 @@ - { - struct inode *inode = dentry->d_inode; - struct task_struct *task = get_proc_task(inode); -- if (task) { -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ struct task_struct *tmp = current; -+#endif -+ if (task -+ #if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ && (!tmp->uid || (tmp->uid == task->uid) -+ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID) -+ #endif -+ ) -+ #endif -+ ) { - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || -+ #ifdef CONFIG_GRKERNSEC_PROC_USER -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || -+ #elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || -+ #endif - task_dumpable(task)) { - inode->i_uid = task->euid; - inode->i_gid = task->egid; -+ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; -+ #endif - } else { - inode->i_uid = 0; - inode->i_gid = 0; -@@ -1383,9 +1411,17 @@ - task = pid_task(proc_pid(inode), PIDTYPE_PID); - if (task) { - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || -+#ifdef CONFIG_GRKERNSEC_PROC_USER -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || -+#endif - task_dumpable(task)) { - stat->uid = task->euid; - stat->gid = task->egid; -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID; -+#endif - } - } - rcu_read_unlock(); -@@ -1721,6 +1757,12 @@ - inode->i_fop = &proc_info_file_operations; - ei->op.proc_read = proc_pid_status; - break; -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR -+ case PROC_TGID_IPADDR: -+ inode->i_fop = &proc_info_file_operations; -+ ei->op.proc_read = proc_pid_ipaddr; -+ break; 
-+#endif - case PROC_TID_STAT: - inode->i_fop = &proc_info_file_operations; - ei->op.proc_read = proc_tid_stat; -@@ -2061,7 +2103,14 @@ - if (!inode) - goto out_put_task; - -+#ifdef CONFIG_GRKERNSEC_PROC_USER -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP; -+#else - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; -+#endif - inode->i_op = &proc_tgid_base_inode_operations; - inode->i_fop = &proc_tgid_base_operations; - inode->i_flags|=S_IMMUTABLE; -@@ -2155,12 +2204,27 @@ - static struct task_struct *first_tgid(int tgid, unsigned int nr) - { - struct task_struct *pos; -+ #if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ struct task_struct *tmp = current; -+ #endif - rcu_read_lock(); - if (tgid && nr) { - pos = find_task_by_pid(tgid); -+ if (pos -+ #if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ && (tmp->uid && (pos->uid != tmp->uid) -+ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) -+ #endif -+ ) -+ #endif -+ ) -+ goto not_found; -+ - if (pos && thread_group_leader(pos)) - goto found; - } -+ not_found: - /* If nr exceeds the number of processes get out quickly */ - pos = NULL; - if (nr && nr >= nr_processes()) -@@ -2175,6 +2239,16 @@ - pos = NULL; - goto done; - } -+ if (pos -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ && (tmp->uid && (pos->uid != tmp->uid) -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) -+#endif -+ ) -+#endif -+ ) -+ nr++; - } - found: - get_task_struct(pos); -@@ -2212,6 +2286,9 @@ - { - char buf[PROC_NUMBUF]; - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ struct task_struct *tmp = current; -+#endif - struct task_struct 
*task; - int tgid; - -@@ -2234,6 +2311,17 @@ - task = next_tgid(task), filp->f_pos++) { - int len; - ino_t ino; -+ -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ if (tmp->uid && (task->uid != tmp->uid) -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) -+#endif -+ ) { -+ continue; -+ } -+#endif -+ - tgid = task->pid; - len = snprintf(buf, sizeof(buf), "%d", tgid); - ino = fake_ino(tgid, PROC_TGID_INO); ---- linux-2.6.18.orig/fs/proc/inode.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/inode.c 2006-11-18 01:11:02.000000000 +0000 -@@ -166,7 +166,11 @@ +diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c +--- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200 ++++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200 +@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe if (de->mode) { inode->i_mode = de->mode; inode->i_uid = de->uid; 
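Review bot: `proc_pid_ipaddr()` in the new fs/proc/array.c hunk formats `task->signal->curr_ip` with `NIPQUAD`, which is deprecated in the .29 tree the log message names in favour of the `%pI4` printf extension; `return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);` prints the same dotted quad and survives the macro's removal. The unbounded `sprintf` is safe only because the proc_info_read() caller hands over a page-sized buffer, which this hunk cannot show, so a one-line comment such as `/* buffer is the page supplied by proc_info_read(); a dotted quad needs at most 16 bytes */` would record that assumption next to the write. The Kconfig hunk in the same unit also changes PROC_VMCORE to `default n` for every configuration rather than only when GRKERNSEC is set; if that is intended, it deserves a mention in the log message.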
@@ -348,284 +84,91 @@ inode->i_gid = de->gid; +#endif } - if (de->size) - inode->i_size = de->size; ---- linux-2.6.18.orig/fs/proc/internal.h 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/internal.h 2006-11-18 01:11:02.000000000 +0000 -@@ -36,6 +36,9 @@ - extern int proc_tgid_stat(struct task_struct *, char *); - extern int proc_pid_status(struct task_struct *, char *); - extern int proc_pid_statm(struct task_struct *, char *); -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR -+extern int proc_pid_ipaddr(struct task_struct*,char*); -+#endif + if (de->vx_flags) + PROC_I(inode)->vx_flags = de->vx_flags; +--- linux-2.6.26.orig/fs/proc/cmdline.c 2008-12-25 00:26:37.000000000 +0100 ++++ linux-2.6.26/fs/proc/cmdline.c 2009-01-02 17:46:34.278247774 +0100 +@@ -23,7 +23,15 @@ - extern struct file_operations proc_maps_operations; - extern struct file_operations proc_numa_maps_operations; ---- linux-2.6.18.orig/fs/proc/proc_misc.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/proc_misc.c 2006-11-18 01:11:02.000000000 +0000 -@@ -655,6 +655,10 @@ - void __init proc_misc_init(void) + static int __init proc_cmdline_init(void) { - struct proc_dir_entry *entry; -+#ifdef CONFIG_GRKERNSEC_PROC +- proc_create("cmdline", 0, NULL, &cmdline_proc_fops); + int gr_mode = 0; -+#endif -+ - static struct { - char *name; - int (*read_proc)(char*,char**,off_t,int,int*,void*); -@@ -670,7 +674,9 @@ - {"stram", stram_read_proc}, - #endif - {"filesystems", filesystems_read_proc}, -+#ifndef CONFIG_GRKERNSEC_PROC_ADD - {"cmdline", cmdline_read_proc}, -+#endif - {"locks", locks_read_proc}, - {"execdomains", execdomains_read_proc}, - {NULL,} -@@ -678,19 +684,37 @@ - for (p = simple_ones; p->name; p++) - create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL); - +#ifdef CONFIG_GRKERNSEC_PROC_USER + gr_mode = S_IRUSR; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + gr_mode = S_IRUSR | S_IRGRP; +#endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD -+ 
create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL); ++ proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops); +#endif -+ - proc_symlink("mounts", NULL, "self/mounts"); + return 0; + } + module_init(proc_cmdline_init); +--- linux-2.6.26.orig/fs/proc/devices.c 2008-12-25 00:26:37.000000000 +0100 ++++ linux-2.6.26/fs/proc/devices.c 2009-01-02 17:43:00.758269666 +0100 +@@ -64,7 +64,13 @@ - /* And now for trickier ones */ - entry = create_proc_entry("kmsg", S_IRUSR, &proc_root); - if (entry) - entry->proc_fops = &proc_kmsg_operations; -+ -+#ifdef CONFIG_GRKERNSEC_PROC_ADD -+ create_seq_entry("devices", gr_mode, &proc_devinfo_operations); -+#else - create_seq_entry("devices", 0, &proc_devinfo_operations); -+#endif - create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations); - create_seq_entry("partitions", 0, &proc_partitions_operations); - create_seq_entry("stat", 0, &proc_stat_operations); - create_seq_entry("interrupts", 0, &proc_interrupts_operations); - #ifdef CONFIG_SLAB -+#ifdef CONFIG_GRKERNSEC_PROC_ADD -+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations); -+#else - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations); -+#endif - #ifdef CONFIG_DEBUG_SLAB_LEAK - create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations); - #endif -@@ -705,7 +729,7 @@ - #ifdef CONFIG_SCHEDSTATS - create_seq_entry("schedstat", 0, &proc_schedstat_operations); - #endif --#ifdef CONFIG_PROC_KCORE -+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD) - proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL); - if (proc_root_kcore) { - proc_root_kcore->proc_fops = &proc_kcore_operations; ---- linux-2.6.18.orig/fs/proc/root.c 2006-09-20 03:42:06.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/fs/proc/root.c 2006-11-18 01:11:02.000000000 +0000 -@@ -52,7 +52,13 @@ - return; - } - proc_misc_init(); + static int __init proc_devices_init(void) + { +- proc_create("devices", 0, NULL, 
&proc_devinfo_operations); ++ int gr_mode = 0; +#ifdef CONFIG_GRKERNSEC_PROC_USER -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL); ++ gr_mode = S_IRUSR; +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); -+#else - proc_net = proc_mkdir("net", NULL); ++ gr_mode = S_IRUSR | S_IRGRP; +#endif - proc_net_stat = proc_mkdir("net/stat", NULL); ++ proc_create("devices", gr_mode, NULL, &proc_devinfo_operations); + return 0; + } + module_init(proc_devices_init); +--- linux-2.6.26.orig/fs/proc/kcore.c 2008-12-25 00:26:37.000000000 +0100 ++++ linux-2.6.26/fs/proc/kcore.c 2009-01-02 17:45:03.714922801 +0100 +@@ -404,10 +404,12 @@ - #ifdef CONFIG_SYSVIPC -@@ -76,7 +82,15 @@ + static int __init proc_kcore_init(void) + { ++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD) + proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations); + if (proc_root_kcore) + proc_root_kcore->size = + (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE; ++#endif + return 0; + } + module_init(proc_kcore_init); +diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c +--- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200 ++++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200 +@@ -139,7 +139,15 @@ void __init proc_root_init(void) #ifdef CONFIG_PROC_DEVICETREE proc_device_tree_init(); #endif +#ifdef CONFIG_GRKERNSEC_PROC_ADD +#ifdef CONFIG_GRKERNSEC_PROC_USER -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL); ++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL); +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); ++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL); +#endif +#else - proc_bus = proc_mkdir("bus", NULL); + proc_mkdir("bus", NULL); +#endif + proc_sys_init(); + proc_vx_init(); } - - static int 
proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat ---- linux-2.6.18.orig/grsecurity/Kconfig 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.18.grsec-minimal/grsecurity/Kconfig 2006-11-18 01:11:02.000000000 +0000 -@@ -0,0 +1,135 @@ -+# -+# grecurity configuration -+# -+ -+menu "Grsecurity" -+ -+config GRKERNSEC -+ bool "Grsecurity" -+ select CRYPTO -+ select CRYPTO_SHA256 -+ help -+ If you say Y here, you will be able to configure many features -+ that will enhance the security of your system. It is highly -+ recommended that you say Y here and read through the help -+ for each option so that you fully understand the features and -+ can evaluate their usefulness for your machine. -+ -+menu "Filesystem Protections" -+depends on GRKERNSEC -+ -+config GRKERNSEC_PROC -+ bool "Proc restrictions" -+ help -+ If you say Y here, the permissions of the /proc filesystem -+ will be altered to enhance system security and privacy. You MUST -+ choose either a user only restriction or a user and group restriction. -+ Depending upon the option you choose, you can either restrict users to -+ see only the processes they themselves run, or choose a group that can -+ view all processes and files normally restricted to root if you choose -+ the "restrict to user only" option. NOTE: If you're running identd as -+ a non-root user, you will have to run it as the group you specify here. -+ -+config GRKERNSEC_PROC_USER -+ bool "Restrict /proc to user only" -+ depends on GRKERNSEC_PROC -+ help -+ If you say Y here, non-root users will only be able to view their own -+ processes, and restricts them from viewing network-related information, -+ and viewing kernel symbol and module information. 
-+ -+config GRKERNSEC_PROC_USERGROUP -+ bool "Allow special group" -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER -+ help -+ If you say Y here, you will be able to select a group that will be <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8&r2=1.8.4.1&f=u _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit