
hap-linux-2.2.26-1.diff

Posted May 1, 2004
Authored by Hank Leininger | Site TheAIMSGroup.com

HAP-Linux is a collection of security-related patches designed to be applied on top of Solar Designer's Openwall patches. Changes include extra information in the kernel's printk messages, the ability to create hard links to files you do not own but which belong to one of your groups, and the ability to follow symlinks and open FIFOs in +t (sticky) directories when those directories are not world-writable. This is useful for getting various daemons to run chrooted as a non-root user, and for secure drop-directory setups.

Changes: This release has been synchronized with kernel 2.2.26 and Openwall 2.2.26-ow1.
tags | root, patch
systems | linux, unix
SHA-256 | b56be54ffa14a72c217268c5e8fbef7e7d5ef5c7b7e401d0e35686b428f6ffd2


diff -urP linux-2.2.26-ow1/Documentation/Configure.help linux-2.2.26-hap1/Documentation/Configure.help
--- linux-2.2.26-ow1/Documentation/Configure.help 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/Documentation/Configure.help 2004-04-27 22:43:38.000000000 -0400
@@ -15317,6 +15317,17 @@
same as that of the directory or the FIFO is opened without the
O_CREAT flag.

+Allow links/pipes in non-world-writable +t dirs
+CONFIG_SECURE_NOTSOMUCH
+ This makes the checks that CONFIG_SECURE_LINK and CONFIG_SECURE_PIPE
+ perform a little less restrictive. Namely, links/pipes will work
+ again in +t directories if the directory is not world-writable. Most
+ sticky directories (such as /tmp) *are* world-writable, but you may
+ have other +t directories which are not (to make safe group-writable
+ shared upload directories, for instance). Say Y only if you have had
+ problems using the CONFIG_SECURE_LINK or CONFIG_SECURE_PIPE options
+ and you think you need this.
+
Restricted /proc
CONFIG_SECURE_PROC
This option restricts the permissions on directories in /proc so
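Review bot: The new entry refers to CONFIG_SECURE_PIPE twice, but the option it sits under (the FIFO text in the context lines above) and the one every defconfig in this patch sets is CONFIG_SECURE_FIFO; fix the name in both places. The trade-off should also be stated rather than implied: once this is set, a symlink or FIFO planted in a group-writable +t directory by any member of the group is followed or opened, so the protection shrinks to "trust everyone in the group". One sentence to that effect before "Say Y only if" would let an administrator make the call.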
@@ -15328,6 +15339,13 @@
disables dmesg(8) for the users. You might want to use this on an ISP
shell server where privacy is an issue.

+Unofficial bugfixes
+CONFIG_SECURE_BUGFIX
+ Currently this fixes the following bug:
+ * stracing an unreadable binary (ie mode 111). Note that there
+ are still ways to get around this at least on x86.
+ Say Y here unless you know you shouldn't.
+
Special handling of fd 0, 1, and 2
CONFIG_SECURE_FD_0_1_2
File descriptors 0, 1, and 2 have a special meaning for the C library
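Review bot: The CONFIG_SECURE_BUGFIX entry says it fixes "stracing an unreadable binary (ie mode 111)" but never says what now happens (is the ptrace attach refused, the exec, or the read of the image?), and "there are still ways to get around this at least on x86" gives the reader no way to judge the residual exposure. Describe the new behaviour and the known bypass, or at least the syscall path affected; "Say Y here unless you know you shouldn't" is not guidance.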
@@ -15370,6 +15388,102 @@
your resource limits (in particular, RLIMIT_AS and RLIMIT_NPROC). Most
systems don't need this.

+Extra logging of unusual events
+CONFIG_SECURE_LOGGING
+ This turns on some extra kernel logging. Right now this includes:
+ * some extra verbosity in the network layer (reporting about arp cache
+ changes, and complaining if someone tries to route through us and
+ we're not a router)
+ * also causes some packets that used to be dropped silently to get
+ whined about
+ * logs of who/what/when the system time changes
+ * logs when/why forks fail
+ * logs certain "lethal" signals: SIGSEGV, SIGBUS, SIGABRT, SIGILL
+ This is of limited use, and has some extra overhead, but isn't likely
+ to cause any problems.
+
+Paranoid networking
+CONFIG_SECURE_NETWORK
+ This turns on some extra paranoia in tcp and udp net code.
+ Currently it does (or tries to):
+ * warns on packets to unserved UDP ports
+ * warns on packets to unserved TCP ports
+ * optionally, denies such packets (CONFIG_SECURE_NET_SBD)
+ * warns & denies TCP packets with invalid combinations of flags
+ * adds extra info to all IPFW log lines:
+ * length of TCP & data / UDP as well as IP length
+ * print TCP ACK and SEQ numbers in addition to IP ids
+ * prints all TCP flags set (Syn, Ack, Fin, Urg, etc)
+ It also hopefully banishes a longstanding bug with IPFW/IPchains
+ log printing when under heavy IO, where different printk'ed lines
+ step on each other/get truncated, etc.
+ Say Y unless you think it's breaking stuff (or you don't want the
+ log volume, which will be high on a busy server).
+
+Blackhole networking
+CONFIG_SECURE_NET_SBD
+ When CONFIG_SECURE_NETWORK is enabled, this disables the usual
+ behavior of responding to unsolicited/"unserved" TCP packets with
+ a TCP RST, and to unserved UDP packets with an ICMP port-unreach.
+ Note that the UDP behavior is superfluous (can be easily done with
+ ipchains rules) but there's no convenient, desirable way to block
+ the RSTs other than this. This is recommended for personal systems
+ and low-volume servers. However, it is rude and breaks RFCs, so
+ it should be left off (the default behavior) for most systems,
+ unless you are *really* paranoid.
+
+Restricted chroot
+CONFIG_SECURE_CHROOT
+ This causes chroot processes to be a bit more restricted. Processes
+ which are already in a chroot(2)ed jail now cannot:
+ * chroot(2) again
+ * mknod(2) a character or block device
+ * mount(2) new/remounted filesystems
+ * ptrace(2) processes outside their jail
+ * kill(2) processes outside their jail (except sending SIGCHLD to parent)
+ These are a _few_ of the ways that a root-priv'ed process can break
+ out of a chrooted jail. They are not all of them. Basically, if
+ someone has root in a chrooted jail, no can defend -- they've got you.
+ But, this may help you detect the most common things such an intruder
+ would do. The only way to win is not to play, however -- don't let
+ anything in a chrooted jail get root! Simple, right? ;)
+ This may break systems that use initrd, as that implies an original
+ chroot. Or not -- the "is this process chrooted" test compares the
+ root of the current process to that of init; this may not break under
+ initrd (I have no initrd'd boxes on which to test).
+
+Restricted ptrace
+CONFIG_SECURE_TRACE
+ When enabled this disables system call tracing (ptrace) entirely for
+ non-root users. It also prevents tracing syscalls the kernel itself
+ makes, which can confuse some programs such as strace. When this
+ option is set, CONFIG_SECURE_TRACE_USERGROUP can be used to enable
+ ptrace/strace for only certain users.
+ This option will also cause the logging of any *allowed* ptrace calls.
+
+Restricted ptrace usergroup
+CONFIG_SECURE_TRACE_USERGROUP
+ Use this option to allow tracing by a special group (defaults to 0).
+ Users in this group (or processes with this group as egid) can use
+ the ptrace system call--but only against their own processes, unless
+ they are root. The allowed group can be changed at runtime when
+ CONFIG_SECURE_SYSCTL is enabled, by
+ echo XX > /proc/sys/kernel/security/trace_gid
+ For a number of boring reasons, the recommended way to use this is to
+ create a dedicated 'ptrace' group, put only trusted users in it, and
+ chgrp ptrace /usr/bin/strace; chmod 2110 /usr/bin/strace
+ (And do the same for other ptrace-using apps they need to run.)
+
+Security Sysctl
+CONFIG_SECURE_SYSCTL
+ If you say Y here, you will be able to change security options that
+ without having to recompile your kernel. You can echo values to
+ files in /proc/sys/kernel/security to enable (1) or disable (0) various
+ features or change runtime configurables like the ptrace-allow group.
+ All features are enabled by default (and default to root-only).
+ Please note that this option could reduce the effectiveness of the
+ added security policy.
+
#
# A couple of things I keep forgetting:
# capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
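Review bot: In the CONFIG_SECURE_SYSCTL entry, "change security options that without having to recompile your kernel" is broken (drop "that"), and only one sysctl file, trace_gid, is ever named; list the files that appear under /proc/sys/kernel/security with their defaults, since "All features are enabled by default (and default to root-only)" leaves it unclear whether the features or the files are root-only. In the CONFIG_SECURE_TRACE entry, "non-root users" should say which identity is tested: the sys_ptrace hunks below compare the real uid (current->uid) and the egid, so a user running a setuid-root tool is treated as non-root while a uid-0 process that has dropped its euid is not; administrators need that spelled out to predict how their tooling behaves.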
diff -urP linux-2.2.26-ow1/Makefile linux-2.2.26-hap1/Makefile
--- linux-2.2.26-ow1/Makefile 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/Makefile 2004-04-27 22:43:38.000000000 -0400
@@ -1,7 +1,7 @@
VERSION = 2
PATCHLEVEL = 2
SUBLEVEL = 26
-EXTRAVERSION = -ow1
+EXTRAVERSION = -ow1-hap1

ARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/)

diff -urP linux-2.2.26-ow1/arch/alpha/defconfig linux-2.2.26-hap1/arch/alpha/defconfig
--- linux-2.2.26-ow1/arch/alpha/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/alpha/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -333,10 +333,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
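Review bot: Besides adding the new symbols, this hunk flips CONFIG_SECURE_PROC from "not set" to =y, a behaviour change (restricted /proc, dmesg off for users) that the changelog does not mention; call it out or leave the Openwall default alone. CONFIG_SECURE_BUGFIX and CONFIG_SECURE_TRACE are also absent here but set in the arm and i386 defconfigs, although nothing in the help text makes either arch-specific; pick one default set and apply it to every defconfig.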
diff -urP linux-2.2.26-ow1/arch/alpha/kernel/ptrace.c linux-2.2.26-hap1/arch/alpha/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/alpha/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/alpha/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -517,6 +517,9 @@
sys_ptrace(long request, long pid, long addr, long data,
int a4, int a5, struct pt_regs regs)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
unsigned long tmp;
long ret;
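Review bot: The `extern int sysctl_security_trace, sysctl_security_trace_gid;` declaration is placed inside the function body, and the same two lines are repeated in every architecture's sys_ptrace; move it to a shared header (include/linux/sysctl.h or sched.h) so the declaration is type-checked against the definition once and a future change to the variables cannot silently drift per architecture.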
@@ -555,6 +558,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;
if (child->p_pptr != current) {
REMOVE_LINKS(child);
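Review bot: The CONFIG_SECURE_TRACE check is inserted in the attach path (after the "cannot be attached many times" test), so it only gates PTRACE_ATTACH; PTRACE_TRACEME, which sys_ptrace handles earlier and which is how strace traces a program it has forked itself (child calls PTRACE_TRACEME, then execs), is not covered by anything in this hunk. Unless that path is gated elsewhere, a non-root user outside the trace group can still trace any program they launch, which defeats the "disables ptrace entirely for non-root users" promise in the help text. Please add the same uid/egid test to the TRACEME branch, or state the limitation in Configure.help.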
@@ -684,11 +735,18 @@
}

asmlinkage void
-syscall_trace(void)
+syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
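Review bot: `struct pt_regs *regs = (struct pt_regs *) &unused;` is the i386 convention, where the entry code calls syscall_trace with the pt_regs frame directly above the C call frame; on alpha the first integer argument arrives in a register, so `&unused` is the address of a compiler spill slot and `user_mode(regs)` reads unrelated stack. Unless alpha's entry.S is changed to match the i386 layout, this check will pass or fail at random; pass a real `struct pt_regs *` from entry.S (as sys_ptrace above already receives one) or drop the check on this architecture.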
diff -urP linux-2.2.26-ow1/arch/arm/defconfig linux-2.2.26-hap1/arch/arm/defconfig
--- linux-2.2.26-ow1/arch/arm/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/arm/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -488,10 +488,16 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_BUGFIX=y
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
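Review bot: This defconfig sets CONFIG_SECURE_BUGFIX=y where the alpha one in this same patch leaves it out, and like alpha it silently turns on CONFIG_SECURE_PROC; the per-architecture defaults should agree unless the help text says why they differ, and the CONFIG_SECURE_PROC flip belongs in the changelog.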
diff -urP linux-2.2.26-ow1/arch/arm/kernel/ptrace.c linux-2.2.26-hap1/arch/arm/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/arm/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/arm/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -792,6 +792,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
int ret;

@@ -828,6 +831,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;

if (child->p_pptr != current) {
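Review bot: "Root" is decided by `current->uid`, the real uid, while the help text says "non-root users"; a setuid-root helper started by an ordinary user (uid != 0, euid 0) is refused unless its egid happens to be the trace group, and a uid-0 daemon that has only lowered its euid is allowed. If the intent is privilege, test `capable(CAP_SYS_PTRACE)` (or at least euid) instead; if the intent really is the real uid, say so in Configure.help. The same block is copied verbatim into every architecture, so fix it once in a shared helper.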
@@ -855,12 +906,19 @@
return ret;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
current->exit_code = SIGTRAP;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
schedule();
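Review bot: The `!user_mode(regs)` test is placed after `current->exit_code = SIGTRAP;`, so a kernel-originated syscall returns with exit_code left set to SIGTRAP, unlike the i386 hunk where the test comes first; move it above that line. Also, `&unused` only points at the pt_regs frame under the i386 stack-argument convention; on arm the first argument is passed in r0, so this cast needs the entry code to provide a real pt_regs pointer or the check is reading a spill slot.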
diff -urP linux-2.2.26-ow1/arch/i386/defconfig linux-2.2.26-hap1/arch/i386/defconfig
--- linux-2.2.26-ow1/arch/i386/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/i386/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -427,11 +427,17 @@
CONFIG_SECURE_STACK_SMART=y
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
-
+CONFIG_SECURE_BUGFIX=y
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y
+CONFIG_SECURE_TRACE=y
#
# Kernel hacking
#
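Review bot: The hunk deletes the blank line that separated the security options from the "# Kernel hacking" banner (the `-` empty line) without restoring it, so the i386 defconfig now formats differently from every other defconfig in this patch; put the blank back after `CONFIG_SECURE_TRACE=y`. This is also the only defconfig that enables CONFIG_SECURE_TRACE, although the ptrace.c hunks add the feature to every architecture.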
diff -urP linux-2.2.26-ow1/arch/i386/kernel/ptrace.c linux-2.2.26-hap1/arch/i386/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/i386/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/i386/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -385,6 +385,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
struct user * dummy = NULL;
unsigned long flags;
@@ -425,6 +428,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;

write_lock_irqsave(&tasklist_lock, flags);
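Review bot: The chroot denial message reads "denied ptrace of %s[%d] within chrooted jail [%s]:%lu by %s[%d]", but the device:inode printed is the tracer's root (current->fs->root), not the target's, so the text describes the target as being in the jail when the whole point of the check is that it is outside it. Reword to "by chrooted %s[%d] (root [%s]:%lu)" or similar, and print the child's root too so the log shows both sides; the same format string is duplicated across all seven sys_ptrace hunks, so this is one more argument for a shared helper.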
@@ -708,11 +759,18 @@
return ret;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
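Review bot: This cast from `&unused` to `struct pt_regs *` is sound on i386 only because entry.S calls syscall_trace with the register frame on the stack immediately above the return address; add a comment saying so, because the identical line has been pasted into the alpha, arm, m68k, mips, ppc and s390 files in this patch, where that layout does not hold by default.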
diff -urP linux-2.2.26-ow1/arch/i386/kernel/traps.c linux-2.2.26-hap1/arch/i386/kernel/traps.c
--- linux-2.2.26-ow1/arch/i386/kernel/traps.c 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/i386/kernel/traps.c 2004-04-27 22:43:38.000000000 -0400
@@ -407,13 +407,13 @@
*/
if ((addr & 0xFF800000) == 0xBF800000 ||
(addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET))
- security_alert("return onto stack "
- "from 0x%08lx to 0x%08lx running as "
- "UID %d, EUID %d, process %s:%d",
+ security_alert("return onto stack from 0x%08lx to 0x%08lx by "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
"returns onto stack",
- regs->eip, addr,
- current->uid, current->euid,
- current->comm, current->pid);
+ regs->eip, addr, current->comm, current->pid, current->uid,
+ current->euid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid);
}

#ifdef CONFIG_SECURE_STACK_SMART
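Review bot: Changing the "return onto stack" message from "process %s:%d" to "%s[%d], UID %d, EUID %d, parent ..." will break any existing log matcher (logcheck, syslog-ng filters, IDS rules) keyed on the Openwall wording; the extra parent information is useful, but list the new format in the changelog so people can update their rules, and keep the leading "return onto stack from 0x%08lx to 0x%08lx" stable since it is the only part a matcher can rely on.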
diff -urP linux-2.2.26-ow1/arch/m68k/defconfig linux-2.2.26-hap1/arch/m68k/defconfig
--- linux-2.2.26-ow1/arch/m68k/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/m68k/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -243,10 +243,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
diff -urP linux-2.2.26-ow1/arch/m68k/kernel/ptrace.c linux-2.2.26-hap1/arch/m68k/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/m68k/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/m68k/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -312,6 +312,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
unsigned long flags;
int ret;
@@ -351,6 +354,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;

write_lock_irqsave(&tasklist_lock, flags);
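Review bot: The "ptraces" security_alert fires for every successful attach even when the feature has been turned off at runtime (`sysctl_security_trace == 0`), since only the denial branch tests the sysctl; if an administrator disables tracing restrictions via /proc/sys/kernel/security they probably do not want every gdb session logged at alert level either. Gate the success log on the same sysctl, or document in Configure.help that the logging cannot be switched off without a rebuild.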
@@ -604,13 +655,20 @@
return ret;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
lock_kernel();
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
goto out;
current->exit_code = SIGTRAP;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
schedule();
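Review bot: This function takes the BKL with `lock_kernel()` at the top and the existing bail-out uses `goto out` (which presumably unlocks), but the new `if (!user_mode(regs)) return;` returns directly, so every kernel-originated syscall on a traced task leaves the kernel lock held; change it to `goto out`. The check is also placed after `current->exit_code = SIGTRAP;` rather than before it as on i386, and the `&unused` cast assumes the i386 stack-argument convention, which m68k does not follow.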
diff -urP linux-2.2.26-ow1/arch/mips/defconfig linux-2.2.26-hap1/arch/mips/defconfig
--- linux-2.2.26-ow1/arch/mips/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/mips/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -369,10 +369,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
diff -urP linux-2.2.26-ow1/arch/mips/kernel/ptrace.c linux-2.2.26-hap1/arch/mips/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/mips/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/mips/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -258,6 +258,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
unsigned int flags;
int res;
@@ -308,6 +311,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;

write_lock_irqsave(&tasklist_lock, flags);
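Review bot: Each of the new denial branches jumps to `out` without setting `res`, so the error the caller sees depends on `res` still holding -EPERM from the earlier permission checks at the point of insertion; set `res = -EPERM;` explicitly in both branches so a later reordering of sys_ptrace cannot turn a denial into a success return.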
@@ -520,11 +571,18 @@
return res;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
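Review bot: On mips the first argument to syscall_trace is passed in a0, so `(struct pt_regs *) &unused` yields the address of the callee's stack copy, not the saved register frame; `user_mode(regs)` will test whatever happens to be on the stack. Have the entry code pass the pt_regs pointer explicitly (it already has it to hand when it calls syscall_trace) or leave the kernel-syscall check out of this architecture.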
diff -urP linux-2.2.26-ow1/arch/ppc/defconfig linux-2.2.26-hap1/arch/ppc/defconfig
--- linux-2.2.26-ow1/arch/ppc/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/ppc/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -499,10 +499,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
diff -urP linux-2.2.26-ow1/arch/ppc/kernel/ptrace.c linux-2.2.26-hap1/arch/ppc/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/ppc/kernel/ptrace.c 2001-11-02 11:39:05.000000000 -0500
+++ linux-2.2.26-hap1/arch/ppc/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -334,6 +334,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
int ret = -EPERM;
unsigned long flags;
@@ -372,6 +375,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;

write_lock_irqsave(&tasklist_lock, flags);
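Review bot: This is the sixth verbatim copy of the same ~50-line chroot/trace check and its three security_alert calls; factor it into one helper (for example `hap_ptrace_attach_check(child)` in kernel/ptrace.c or include/linux/sched.h, a hypothetical name) returning 0 or -EPERM, so the uid-vs-euid question, the PTRACE_TRACEME gap and the log wording only have to be fixed in one place and cannot drift between architectures.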
@@ -539,11 +590,18 @@
return ret;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
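Review bot: Same concern as on the other register-argument architectures: ppc passes the first argument in r3, so `&unused` does not point at pt_regs and the `user_mode(regs)` test reads a spill slot; pass the frame pointer from entry.S or omit the check here.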
diff -urP linux-2.2.26-ow1/arch/s390/defconfig linux-2.2.26-hap1/arch/s390/defconfig
--- linux-2.2.26-ow1/arch/s390/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/s390/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -195,10 +195,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
diff -urP linux-2.2.26-ow1/arch/s390/kernel/ptrace.c linux-2.2.26-hap1/arch/s390/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/s390/kernel/ptrace.c 2001-11-02 11:39:06.000000000 -0500
+++ linux-2.2.26-hap1/arch/s390/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -427,6 +427,9 @@

asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
struct task_struct *child;
int ret = -EPERM;
unsigned long tmp;
@@ -461,6 +464,54 @@
/* the same process cannot be attached many times */
if (child->ptrace & PT_PTRACED)
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;
if (child->p_pptr != current)
{
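Review bot: the CONFIG_SECURE_TRACE gate `if (sysctl_security_trace && current->uid ...)` decides on the real uid rather than a capability, so a uid 0 process that has dropped its capabilities can still attach while a setuid-root helper started by a user (uid != 0, euid 0) is refused; a capability test (capable(CAP_SYS_PTRACE) is the one the kernel's own attach logic is built around) would be consistent and harder to get wrong. Two more points in this hunk: the trailing `security_alert("ptrace of %s[%d] by %s[%d], ...", "ptraces", ...)` logs every permitted attach whenever CONFIG_SECURE_TRACE is compiled in, regardless of sysctl_security_trace, so a box where developers run gdb or strace gets one alert per attach; gate it on the sysctl or on a separate logging knob. And in the CONFIG_SECURE_CHROOT branch, `hap_same_root(current, child)` dereferences `child->fs->root->d_inode` with no NULL check; `child` came from find_task_by_pid and may be a zombie whose fs has already been released, so either test `child->fs` here (the signal.c hunk guards every pointer it touches) or put the guards into the macro.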
@@ -590,12 +641,19 @@
return ret;
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
lock_kernel();
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
goto out;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
notify_parent(current, SIGCHLD);
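Review bot: the new `return; /* Don't trace the kernel's syscalls */` leaves the big kernel lock held: lock_kernel() is taken at the top of syscall_trace and the existing early exit two lines above uses `goto out` to release it, so this path must `goto out` as well, not `return`. Separately, `struct pt_regs *regs = (struct pt_regs *) &unused;` assumes the saved register frame starts at the address of the first C argument; that holds only where the assembly caller pushes pt_regs immediately before the call, and s390 passes arguments in registers, so `&unused` is a spill slot in syscall_trace's own frame and `user_mode(regs)` tests garbage. Have entry.S pass the pt_regs pointer as an explicit argument instead.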
diff -urP linux-2.2.26-ow1/arch/sparc/defconfig linux-2.2.26-hap1/arch/sparc/defconfig
--- linux-2.2.26-ow1/arch/sparc/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/sparc/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -340,10 +340,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Kernel hacking
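Review bot: as with the s390 defconfig, `+CONFIG_SECURE_NOTSOMUCH=y` enables a relaxation of the link/FIFO/hard-link restrictions by default and `+CONFIG_SECURE_PROC=y` silently changes the /proc behaviour of a stock build; keep the relaxation off in the shipped defconfig and mention the CONFIG_SECURE_PROC flip in the patch description.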
diff -urP linux-2.2.26-ow1/arch/sparc/kernel/ptrace.c linux-2.2.26-hap1/arch/sparc/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/sparc/kernel/ptrace.c 2001-11-02 11:39:06.000000000 -0500
+++ linux-2.2.26-hap1/arch/sparc/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -508,6 +508,9 @@

asmlinkage void do_ptrace(struct pt_regs *regs)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
unsigned long request = regs->u_regs[UREG_I0];
unsigned long pid = regs->u_regs[UREG_I1];
unsigned long addr = regs->u_regs[UREG_I2];
@@ -582,6 +585,55 @@
pt_error_return(regs, EPERM);
goto out;
}
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ pt_error_return(regs, EPERM);
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;
write_lock_irqsave(&tasklist_lock, flags);
if(child->p_pptr != current) {
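Review bot: the CONFIG_SECURE_TRACE denial does a bare `goto out;` without `pt_error_return(regs, EPERM);`, unlike the CONFIG_SECURE_CHROOT branch directly above it (`pt_error_return(regs, EPERM); goto out;`) and the existing check at the top of this hunk. On sparc the syscall result lives in the register frame and is only set by pt_succ_return/pt_error_return, so a denied PTRACE_ATTACH returns with whatever was left in regs and the tracer may see success while no trace relationship exists. Add the pt_error_return before the goto. The remarks on the s390 hunk also apply here: the allowed-attach alert fires for every attach regardless of sysctl_security_trace, the `current->uid` test should be a capability test, and `hap_same_root(current, child)` dereferences child->fs without a NULL check.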
@@ -922,14 +974,21 @@
unlock_kernel();
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
#ifdef DEBUG_PTRACE
printk("%s [%d]: syscall_trace\n", current->comm, current->pid);
#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
current->tss.flags ^= MAGIC_CONSTANT;
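Review bot: `struct pt_regs *regs = (struct pt_regs *) &unused;` does not locate the trap frame on sparc: the first argument arrives in a register, so `&unused` is the callee's spill slot for it, not the pt_regs saved by the trap entry, and `user_mode(regs)` reads whatever happens to be there. Because the check returns early when it believes the frame is not a user-mode one, a wrong read silently turns syscall tracing off for the process instead of failing visibly. Pass the pt_regs pointer from entry.S explicitly; do_ptrace in this same file already takes `struct pt_regs *regs`.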
diff -urP linux-2.2.26-ow1/arch/sparc64/defconfig linux-2.2.26-hap1/arch/sparc64/defconfig
--- linux-2.2.26-ow1/arch/sparc64/defconfig 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/arch/sparc64/defconfig 2004-04-27 22:43:38.000000000 -0400
@@ -391,10 +391,15 @@
#
CONFIG_SECURE_LINK=y
CONFIG_SECURE_FIFO=y
-# CONFIG_SECURE_PROC is not set
+CONFIG_SECURE_NOTSOMUCH=y
+CONFIG_SECURE_PROC=y
CONFIG_SECURE_FD_0_1_2=y
CONFIG_SECURE_RLIMIT_NPROC=y
# CONFIG_SECURE_SHM is not set
+CONFIG_SECURE_LOGGING=y
+CONFIG_SECURE_NETWORK=y
+# CONFIG_SECURE_NET_SBD is not set
+CONFIG_SECURE_CHROOT=y

#
# Watchdog
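Review bot: same two defconfig concerns as on the other architectures: `+CONFIG_SECURE_NOTSOMUCH=y` ships a relaxation of the link/FIFO/hard-link checks turned on, and `+CONFIG_SECURE_PROC=y` changes the default /proc behaviour without being called out anywhere in the diff.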
diff -urP linux-2.2.26-ow1/arch/sparc64/kernel/ptrace.c linux-2.2.26-hap1/arch/sparc64/kernel/ptrace.c
--- linux-2.2.26-ow1/arch/sparc64/kernel/ptrace.c 2001-11-02 11:39:06.000000000 -0500
+++ linux-2.2.26-hap1/arch/sparc64/kernel/ptrace.c 2004-04-27 22:43:38.000000000 -0400
@@ -537,6 +537,9 @@

asmlinkage void do_ptrace(struct pt_regs *regs)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
int request = regs->u_regs[UREG_I0];
pid_t pid = regs->u_regs[UREG_I1];
unsigned long addr = regs->u_regs[UREG_I2];
@@ -620,6 +623,55 @@
pt_error_return(regs, EPERM);
goto out;
}
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, child)) ) {
+ /*
+ * This process is chrooted; don't let it ptrace
+ * any process not in the same jail with it
+ */
+ security_alert("denied ptrace of %s[%d] within chrooted "
+ "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "ptraces from a chrooted process",
+ child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ pt_error_return(regs, EPERM);
+ goto out;
+ }
+#endif
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+ goto out;
+ }
+ security_alert("ptrace of %s[%d] by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ child->comm, child->pid, current->comm,
+ current->pid, current->uid,
+ current->euid, current->gid,
+ current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid, current->p_pptr->gid,
+ current->p_pptr->egid );
+#endif
child->ptrace |= PT_PTRACED;
write_lock_irqsave(&tasklist_lock, flags);
if(child->p_pptr != current) {
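Review bot: the CONFIG_SECURE_TRACE refusal path is missing `pt_error_return(regs, EPERM);` before its `goto out;`, while the CONFIG_SECURE_CHROOT refusal just above and the pre-existing check at the top of the hunk both set it; on sparc64 the syscall return value is only written by pt_succ_return/pt_error_return, so the tracer can be told the attach succeeded. Add the call. The same points as on the sparc hunk apply: the permitted-attach alert is unconditional once CONFIG_SECURE_TRACE is built in, the `current->uid` gate should be a capability test, and `hap_same_root(current, child)` needs a `child->fs` NULL guard.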
@@ -1134,14 +1186,21 @@
unlock_kernel();
}

-asmlinkage void syscall_trace(void)
+asmlinkage void syscall_trace(int unused)
{
+#ifdef CONFIG_SECURE_TRACE
+ struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
#ifdef DEBUG_PTRACE
printk("%s [%d]: syscall_trace\n", current->comm, current->pid);
#endif
if ((current->ptrace & (PT_PTRACED|PT_TRACESYS))
!= (PT_PTRACED|PT_TRACESYS))
return;
+#ifdef CONFIG_SECURE_TRACE
+ if (!user_mode(regs))
+ return; /* Don't trace the kernel's syscalls */
+#endif
current->exit_code = SIGTRAP;
current->state = TASK_STOPPED;
current->tss.flags ^= MAGIC_CONSTANT;
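Review bot: `(struct pt_regs *) &unused` is the same invalid frame lookup as on sparc: the argument is passed in a register, `&unused` is a spill slot in this function's own frame, and `user_mode(regs)` therefore reads an arbitrary word; a wrong answer silently disables syscall tracing for the process. Pass the pt_regs pointer from entry.S explicitly, as do_ptrace in this file already does.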
diff -urP linux-2.2.26-ow1/fs/exec.c linux-2.2.26-hap1/fs/exec.c
--- linux-2.2.26-ow1/fs/exec.c 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/fs/exec.c 2004-04-27 22:43:38.000000000 -0400
@@ -674,6 +674,9 @@
*/
int prepare_binprm(struct linux_binprm *bprm)
{
+#ifdef CONFIG_SECURE_TRACE
+ extern int sysctl_security_trace, sysctl_security_trace_gid;
+#endif
int mode;
int retval,id_change,cap_raised;
struct inode * inode = bprm->dentry->d_inode;
@@ -778,7 +781,55 @@
return retval;
#endif
}
-
+/* Total mess of ifdef's follow. */
+#if defined(CONFIG_SECURE_BUGFIX) || defined(CONFIG_SECURE_TRACE)
+ /* ptraced executables must be readable */
+ if (current->ptrace & PT_PTRACED) {
+#ifdef CONFIG_SECURE_TRACE
+ if (sysctl_security_trace && current->uid
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ && current->egid != sysctl_security_trace_gid
+#endif
+ ) {
+ security_alert("denied ptrace of %s by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptrace attempts",
+ bprm->filename, current->comm, current->pid, current->uid,
+ current->euid, current->gid, current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid,
+ current->p_pptr->gid, current->p_pptr->egid);
+ return -EPERM;
+ }
+#endif /* CONFIG_SECURE_TRACE */
+#ifdef CONFIG_SECURE_BUGFIX
+ if ((retval = permission(bprm->dentry->d_inode, MAY_READ)) != 0) {
+#ifdef CONFIG_SECURE_LOGGING
+ security_alert("refused ptrace of unreadable executable %s by "
+ "%s[%d], UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "unreadable executables ptraced",
+ bprm->filename, current->comm, current->pid, current->uid,
+ current->euid, current->gid, current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid,
+ current->p_pptr->gid, current->p_pptr->egid);
+#endif /* CONFIG_SECURE_LOGGING */
+ return -EPERM;
+ }
+#endif /* CONFIG_SECURE_BUGFIX */
+#ifdef CONFIG_SECURE_TRACE
+ /* log all permitted ptrace's */
+ security_alert("ptrace of %s by %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d, parent %s[%d], "
+ "UID/EUID %d/%d, GID/EGID %d/%d",
+ "ptraces",
+ bprm->filename, current->comm, current->pid, current->uid,
+ current->euid, current->gid, current->egid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid,
+ current->p_pptr->gid, current->p_pptr->egid);
+#endif /* CONFIG_SECURE_TRACE */
+ }
+#endif /* CONFIG_SECURE_BUGFIX || CONFIG_SECURE_TRACE */
memset(bprm->buf,0,sizeof(bprm->buf));
return read_exec(bprm->dentry,0,bprm->buf,128,1);
}
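Review bot: the CONFIG_SECURE_TRACE check in prepare_binprm tests `current->uid`, which here is the tracee about to exec, not the tracer; with the sysctl on, a root debugger tracing an unprivileged process (say `strace -f` across a setuid drop) gets EPERM on that process's next exec even though the tracer passed the attach-time check in the ptrace hunks. Decide which side is being authorised and test that side, or drop the exec-time re-check since attach is already controlled. Also, the alert text `denied ptrace of %s` is misleading, the event is an exec refused because the caller is traced; and the comment `/* ptraced executables must be readable */` describes the CONFIG_SECURE_BUGFIX block below it, not the trace check it sits above. In that block the result of `permission(bprm->dentry->d_inode, MAY_READ)` is stored in retval and then discarded in favour of `return -EPERM;`; returning retval (-EACCES) would match what open() reports for the same file.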
@@ -946,6 +997,22 @@
int retval;
int i;

+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is in a chrooted jail; log everything it exec's
+ */
+ security_alert("exec of %s within chrooted jail [%s]:%lu by "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "execs from a chrooted process",
+ filename, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,current->comm,
+ current->pid,current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid );
+ }
+#endif /* CONFIG_SECURE_CHROOT */
+
#ifdef CONFIG_SECURE_RLIMIT_NPROC
/*
* This check is similar to that done in kernel/fork.c, except that we
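Review bot: this alert says `exec of %s` but fires at the top of do_execve before the file is opened or permission-checked, so it records attempts, including ones that then fail with ENOENT or EACCES; either word it as an exec attempt or move it after the binary has been loaded. Since it fires for every exec from every jail, a chrooted service that spawns a helper per request will sit permanently in the security_alert flood state; a sysctl to enable exec logging per host would make the option usable on busy machines.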
diff -urP linux-2.2.26-ow1/fs/namei.c linux-2.2.26-hap1/fs/namei.c
--- linux-2.2.26-ow1/fs/namei.c 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/fs/namei.c 2004-04-27 22:43:38.000000000 -0400
@@ -306,18 +306,28 @@
if (S_ISLNK(inode->i_mode) &&
(base->d_inode->i_mode & S_ISVTX) &&
inode->i_uid != base->d_inode->i_uid &&
+#ifdef CONFIG_SECURE_NOTSOMUCH
+ /*
+ * Let this happen as long as the +t dir is
+ * not world-writable.
+ */
+ (base->d_inode->i_mode & S_IWOTH) &&
+#endif
current->fsuid != inode->i_uid) {
- security_alert("not followed symlink of %d.%d "
- "by UID %d, EUID %d, process %s:%d",
+ security_alert("not followed symlink of [%s]:%lu "
+ "owned by %d.%d by %s[%d], UID %d, "
+ "EUID %d, parent %s[%d], UID %d, EUID %d",
"symlinks not followed",
- inode->i_uid, inode->i_gid,
- current->uid, current->euid,
- current->comm, current->pid);
+ kdevname(inode->i_dev), inode->i_ino,
+ inode->i_uid, inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
dput(dentry);
dput(base);
return ERR_PTR(-EACCES);
}
-#endif
+#endif /* CONFIG_SECURE_LINK */

if (current->need_resched) {
current->state = TASK_RUNNING;
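Review bot: the relaxation keys only on `(base->d_inode->i_mode & S_IWOTH)`, so in the group-writable sticky directory it is meant for, any member of the group can plant a symlink that the other members (and the directory owner) will follow; that is exactly the attack CONFIG_SECURE_LINK exists to stop, and the help text should state that the protection is given up against fellow group members, not merely that links work again. The rewritten alert is fine, but note that `kdevname()` on 2.2 returns a pointer to one static buffer, so alerts elsewhere in this patch that call it twice in a single printk print the same device string in both `[%s]` fields.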
@@ -756,19 +766,28 @@
if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) &&
(dir->d_inode->i_mode & S_ISVTX) &&
inode->i_uid != dir->d_inode->i_uid &&
+#ifdef CONFIG_SECURE_NOTSOMUCH
+ /*
+ * Let this happen as long as the +t dir isn't world-writable
+ */
+ (dir->d_inode->i_mode & S_IWOTH) &&
+#endif
current->fsuid != inode->i_uid) {
if (!permission(inode, acc_mode))
- security_alert("denied writing FIFO of %d.%d "
- "by UID %d, EUID %d, process %s:%d",
+ security_alert("denied writing FIFO [%s]:%lu owned "
+ "by %d.%d by %s[%d], UID %d, EUID %d, parent "
+ "%s[%d], UID %d, EUID %d",
"writes into a FIFO denied",
- inode->i_uid, inode->i_gid,
- current->uid, current->euid,
- current->comm, current->pid);
+ kdevname(inode->i_dev), inode->i_ino,
+ inode->i_uid, inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
error = -EACCES;
unlock_dir(dir);
goto exit;
}
-#endif
+#endif /* CONFIG_SECURE_FIFO */

/*
* Somebody might have created the file while we
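Review bot: same consideration as for the symlink check: gating the FIFO restriction on `S_IWOTH` alone means a group-writable +t directory gives every group member the ability to place a FIFO that other members will write into, which is what CONFIG_SECURE_FIFO was protecting against; document the trade-off in Configure.help so that it is a conscious choice for the shared-upload use case.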
@@ -909,6 +928,10 @@
{
int error;
char * tmp;
+ struct dentry * dentry;
+#ifdef CONFIG_SECURE_CHROOT
+ char hap_dev_mode;
+#endif

lock_kernel();
error = -EPERM;
@@ -927,7 +950,41 @@
tmp = getname(filename);
error = PTR_ERR(tmp);
if (!IS_ERR(tmp)) {
- struct dentry * dentry = do_mknod(tmp,mode,dev);
+#ifdef CONFIG_SECURE_CHROOT
+ if (!S_ISFIFO(mode)) {
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is in a chrooted jail; don't let it
+ * make a raw device through which to break out (by
+ * double-mounting an fs, reading kmem, kybd, etc)
+ */
+ switch (mode & S_IFMT) {
+ case S_IFREG: hap_dev_mode = 'r'; break;
+ case S_IFCHR: hap_dev_mode = 'c'; break;
+ case S_IFBLK: hap_dev_mode = 'b'; break;
+ case S_IFSOCK: hap_dev_mode = 's'; break;
+ default: hap_dev_mode = 'u';
+ }
+ security_alert("refused attempt to mknod %c:[%s] (%s) "
+ "from chrooted jail [%s]:%lu owned by %d.%d by "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID "
+ "%d, EUID %d",
+ "chrooted mknods denied",
+ hap_dev_mode, kdevname(dev), tmp,
+ kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,
+ current->fs->root->d_inode->i_uid,
+ current->fs->root->d_inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ putname(tmp);
+ error = -EPERM;
+ goto out;
+ }
+ }
+#endif
+ dentry = do_mknod(tmp,mode,dev);
putname(tmp);
error = PTR_ERR(dentry);
if (!IS_ERR(dentry)) {
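Review bot: the comment says the goal is to stop a jailed process from making a raw device, but `!S_ISFIFO(mode)` also refuses S_IFREG and S_IFSOCK (the switch even has labels for them); mknod of a regular file is no more dangerous than creat(), and a unix socket via mknod is harmless, so either narrow the condition to S_IFCHR/S_IFBLK or change the comment to say everything but FIFOs is refused. Note also that CAP_MKNOD is not in HAP_CHROOT_CAP_DROP_MASK in the fs/open.c hunk, so this check is the only thing between a jailed euid-0 process and a device node; adding CAP_MKNOD to that mask would make the two mechanisms consistent and leave this check as logging plus defence in depth.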
@@ -1258,13 +1315,21 @@
((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
(error = permission(inode, MAY_READ | MAY_WRITE))) &&
!capable(CAP_FOWNER) &&
+#ifdef CONFIG_SECURE_NOTSOMUCH
+ /*
+ * Let users hard link to files in their group.
+ */
+ current->fsgid != inode->i_gid &&
+#endif
current->uid) {
- security_alert("denied hard link to %d.%d "
- "for UID %d, EUID %d, process %s:%d",
+ security_alert("denied hard link to [%s]:%lu owned by %d.%d "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
"hard links denied",
+ kdevname(inode->i_dev), inode->i_ino,
inode->i_uid, inode->i_gid,
- current->uid, current->euid,
- current->comm, current->pid);
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
goto exit_lock;
}
#endif
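Review bot: the CONFIG_SECURE_NOTSOMUCH clause `current->fsgid != inode->i_gid &&` short-circuits the entire denial, including the `(S_ISGID | S_IXGRP)` case and a failed `permission(inode, MAY_READ | MAY_WRITE)`, so any process whose fsgid matches the file's group can hard-link a setgid executable owned by someone else into a directory it controls and keep it alive after the owner removes or replaces it; that is the classic attack the Openwall restriction blocks. If the intent is only "files in my group that I could already read and write", place the gid test so that it relaxes the ownership condition alone and leaves the setgid and permission() conditions intact. It also consults the primary fsgid only, not in_group_p(), so a user whose membership is supplementary is treated differently from the same user after newgrp.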
diff -urP linux-2.2.26-ow1/fs/open.c linux-2.2.26-hap1/fs/open.c
--- linux-2.2.26-ow1/fs/open.c 2001-11-02 11:39:08.000000000 -0500
+++ linux-2.2.26-hap1/fs/open.c 2004-04-27 22:43:38.000000000 -0400
@@ -12,6 +12,14 @@

#include <asm/uaccess.h>

+#ifdef CONFIG_SECURE_CHROOT
+#define HAP_CHROOT_CAP_DROP_MASK ( \
+ CAP_TO_MASK(CAP_FOWNER) | CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | CAP_TO_MASK(CAP_SYS_PACCT) | \
+ CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_RESOURCE) | \
+ CAP_TO_MASK(CAP_SYS_TTY_CONFIG))
+#endif
+
asmlinkage int sys_statfs(const char * path, struct statfs * buf)
{
struct dentry * dentry;
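Review bot: HAP_CHROOT_CAP_DROP_MASK leaves CAP_SYS_CHROOT, CAP_MKNOD, CAP_SYS_PTRACE, CAP_SETPCAP and CAP_KILL in place, which are precisely the capabilities the rest of this patch then has to police with hand-written chroot checks (double chroot, mknod, ptrace, capset, signals); dropping them here as well would turn those checks into defence in depth instead of the sole barrier. Whatever the final list, it belongs in Configure.help under CONFIG_SECURE_CHROOT so administrators know which privileged operations a chrooted daemon loses.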
@@ -402,6 +410,9 @@
int error;
struct inode *inode;
struct dentry *dentry, *tmp;
+#ifdef CONFIG_SECURE_CHROOT
+ char * hap_new_chroot_path;
+#endif

lock_kernel();

@@ -423,11 +434,74 @@
error = -EPERM;
if (!capable(CAP_SYS_CHROOT))
goto dput_and_out;
-
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is already in a chrooted jail; don't let it chroot out.
+ */
+ if (IS_ERR(hap_new_chroot_path = getname(filename)))
+ hap_new_chroot_path = "[err]";
+ security_alert("refused attempt to chroot from [%s]:%lu to "
+ "[%s]:%lu (%s) owned by %d.%d, process %s[%d], UID %d, "
+ "EUID %d, parent %s[%d], UID %d, EUID %d",
+ "double chroots denied",
+ kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,
+ kdevname(inode->i_dev), inode->i_ino, hap_new_chroot_path,
+ inode->i_uid, inode->i_gid,
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ putname(hap_new_chroot_path);
+ error = -EPERM;
+ goto dput_and_out;
+ }
+#endif
+#ifdef CONFIG_SECURE_CHROOT
+ /*
+ * Warn on any file descriptors to directories; can be used
+ * to fchdir out of chroot. Could force these closed if we
+ * were reasonably sure that wouldn't trigger *other* bugs.
+ */
+ if (current->files) {
+ struct dentry *t_dentry;
+ struct inode *t_inode;
+ struct file *t_file;
+ int i;
+ for (i = 0; i < current->files->max_fds; i++ ) {
+ if (!(t_file = current->files->fd[i])) continue;
+ if (!(t_dentry = t_file->f_dentry)) continue;
+ if (!(t_inode = t_dentry->d_inode)) continue;
+ if (S_ISDIR(t_inode->i_mode)) {
+ security_alert("warning: directory fd %d [%s]:%lu still open during "
+ "chroot to [%s]:%lu owned by %d.%d by %s[%d], UID %d, EUID %d, "
+ "parent %s[%d], UID %d, EUID %d",
+ "dir fds still open during chroot",
+ i, kdevname(t_inode->i_dev), t_inode->i_ino,
+ kdevname(inode->i_dev), inode->i_ino,
+ inode->i_uid, inode->i_gid, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid);
+ /* sys_close(i); */
+ }
+ }
+ }
+#endif
/* exchange dentries */
tmp = current->fs->root;
current->fs->root = dentry;
dentry = tmp;
+#ifdef CONFIG_SECURE_CHROOT
+ /*
+ * drop various dangerous capabilities when chrooting
+ * note init is exempt for initrd-type games
+ */
+ if (current->pid && current->pid > 1) {
+ cap_drop(current->cap_permitted, HAP_CHROOT_CAP_DROP_MASK);
+ cap_drop(current->cap_inheritable, HAP_CHROOT_CAP_DROP_MASK);
+ cap_drop(current->cap_effective, HAP_CHROOT_CAP_DROP_MASK);
+ }
+#endif
error = 0;

dput_and_out:
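Review bot: `putname()` is applied to a string literal on the error path: after `if (IS_ERR(hap_new_chroot_path = getname(filename))) hap_new_chroot_path = "[err]";` the code unconditionally runs `putname(hap_new_chroot_path);`, and putname frees the name buffer, so a failed getname frees the address of a constant in kernel text. Only putname when getname succeeded (the same pattern recurs in the sys_chmod and sys_mount hunks). The alert also calls kdevname() twice in one printk; on 2.2 kdevname returns one static buffer, so both `[%s]` fields show the same device. Further down, `if (current->pid && current->pid > 1)` is just `current->pid > 1`. More importantly, the capability drop only lasts until the next exec of a setuid-root binary inside the jail: with SECURE_NOROOT unset the kernel re-raises the capability sets for euid 0 at exec (see the securebits.h comment in this diff), so a jailed root gets CAP_SYS_ADMIN and friends back; the explicit mount/mknod/chmod checks remain the real barrier and the comment should say so. Finally, the directory-fd scan warns about fchdir escapes but not about the commonest mistake, a chroot() with no following chdir() that leaves `current->fs->pwd` outside the new root; comparing pwd against the new root here and warning (or resetting pwd to the root) would cover that too.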
@@ -464,6 +538,31 @@
goto out_putf;
if (mode == (mode_t) -1)
mode = inode->i_mode;
+#ifdef CONFIG_SECURE_CHROOT
+ if ((mode & S_ISUID) || (mode & S_ISGID)) {
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is chrooted; don't let it turn on the set[ug]id bits.
+ */
+ security_alert("refused attempt to fchmod +s [%s]:%lu "
+ "owned by %d.%d to mode 0%07o from chrooted jail "
+ "[%s]:%lu owned by %d.%d by %s[%d], UID %d, EUID "
+ "%d, parent %s[%d], UID %d, EUID %d",
+ "chrooted fchmod +s's denied",
+ kdevname(inode->i_dev), inode->i_ino,
+ inode->i_uid, inode->i_gid, mode,
+ kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,
+ current->fs->root->d_inode->i_uid,
+ current->fs->root->d_inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ err = -EPERM;
+ goto out_putf;
+ }
+ }
+#endif
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
err = notify_change(dentry, &newattrs);
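Review bot: `if ((mode & S_ISUID) || (mode & S_ISGID))` refuses any fchmod whose resulting mode carries a set-id bit, not only one that turns a bit on: `mode == (mode_t) -1` (and any chmod that preserves existing bits) on a file or directory that already has S_ISGID is refused, and S_ISGID on a directory is group inheritance rather than privilege. Given the stated purpose (chrooted non-root daemons managing group-shared upload directories), test for bits being added, `(mode & ~inode->i_mode) & (S_ISUID | S_ISGID)`, and exempt directories.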
@@ -481,6 +580,9 @@
struct inode * inode;
int error;
struct iattr newattrs;
+#ifdef CONFIG_SECURE_CHROOT
+ char * hap_chmod_filename;
+#endif

lock_kernel();
dentry = namei(filename);
@@ -500,6 +602,34 @@

if (mode == (mode_t) -1)
mode = inode->i_mode;
+#ifdef CONFIG_SECURE_CHROOT
+ if ((mode & S_ISUID) || (mode & S_ISGID)) {
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is chrooted; don't let it turn on the set[gu]id bits.
+ */
+ if (IS_ERR(hap_chmod_filename = getname(filename)))
+ hap_chmod_filename = "[err]";
+ security_alert("refused attempt to chmod +s [%s]:%lu "
+ "(%s) owned by %d.%d to mode 0%07o from chrooted "
+ "jail [%s]:%lu owned by %d.%d by %s[%d], UID %d, "
+ "EUID %d, parent %s[%d], UID %d, EUID %d",
+ "chrooted chmod +s's denied",
+ kdevname(inode->i_dev), inode->i_ino, hap_chmod_filename,
+ inode->i_uid, inode->i_gid, mode,
+ kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,
+ current->fs->root->d_inode->i_uid,
+ current->fs->root->d_inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ putname(hap_chmod_filename);
+ error = -EPERM;
+ goto dput_and_out;
+ }
+ }
+#endif
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(dentry, &newattrs);
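Review bot: `putname(hap_chmod_filename);` runs even when getname failed and the variable was set to the literal `"[err]"`, freeing the address of a constant; only putname the buffer that getname returned. The check itself has the same over-reach as the fchmod one: it refuses a chmod that merely keeps an existing S_ISGID (including `mode == -1`) and treats S_ISGID on a directory, which is group inheritance, as a privilege escalation; test for bits being newly set and skip directories.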
diff -urP linux-2.2.26-ow1/fs/super.c linux-2.2.26-hap1/fs/super.c
--- linux-2.2.26-ow1/fs/super.c 2001-11-02 11:39:08.000000000 -0500
+++ linux-2.2.26-hap1/fs/super.c 2004-04-27 22:43:38.000000000 -0400
@@ -36,6 +36,10 @@
#include <linux/kmod.h>
#endif

+#ifdef CONFIG_SECURE_CHROOT
+#include <linux/sched.h>
+#endif
+
/*
* We use a semaphore to synchronize all mount/umount
* activity - imagine the mess if we have a race between
@@ -1045,10 +1049,42 @@
unsigned long flags = 0;
unsigned long page = 0;
struct file dummy; /* allows read-write or read-only flag */
+#ifdef CONFIG_SECURE_CHROOT
+ char * hap_mount_dev;
+ char * hap_mount_path;
+#endif

lock_kernel();
if (!capable(CAP_SYS_ADMIN))
goto out;
+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current))) {
+ /*
+ * This process is in a chrooted jail; don't let it (re)mount any filesystems.
+ */
+ if(IS_ERR(hap_mount_dev = getname(dev_name)))
+ hap_mount_dev = "nodev";
+ if(IS_ERR(hap_mount_path = getname(dir_name)))
+ hap_mount_path = "[err]";
+ security_alert("refused attempt to mount [%s] as %s "
+ "from chrooted jail [%s]:%lu owned by %d.%d by "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID "
+ "%d, EUID %d",
+ "chrooted mounts denied",
+ hap_mount_dev, hap_mount_path,
+ kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino,
+ current->fs->root->d_inode->i_uid,
+ current->fs->root->d_inode->i_gid, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid,
+ current->p_pptr->euid);
+ putname(hap_mount_dev);
+ putname(hap_mount_path);
+ retval = -EPERM;
+ goto out;
+ }
+#endif
if ((new_flags &
(MS_MGC_MSK | MS_REMOUNT)) == (MS_MGC_VAL | MS_REMOUNT)) {
retval = copy_mount_options (data, &page);
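Review bot: both fallbacks, `hap_mount_dev = "nodev";` and `hap_mount_path = "[err]";`, are later passed to `putname()`, which frees the name buffer; `dev_name` is legitimately NULL for nodev filesystems such as proc, so the "nodev" branch is not an unusual error case but the normal path for those mounts, and each one frees a string literal. Track whether each getname succeeded and only putname those. Since the chroot capability drop already removes CAP_SYS_ADMIN, this check matters mainly for a jailed process that regained it via a setuid-root exec, which is worth saying in the comment.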
diff -urP linux-2.2.26-ow1/include/linux/kernel.h linux-2.2.26-hap1/include/linux/kernel.h
--- linux-2.2.26-ow1/include/linux/kernel.h 2004-04-27 22:27:27.000000000 -0400
+++ linux-2.2.26-hap1/include/linux/kernel.h 2004-04-27 22:43:38.000000000 -0400
@@ -89,19 +89,34 @@
\
spin_lock(&security_alert_lock); \
\
-/* Make sure at least one minute passed since the last warning logged */ \
- if (!warning_time || jiffies - warning_time > 60 * HZ) { \
+/* Make sure at least one second passed since the last warning logged */ \
+ if (!warning_time || jiffies - warning_time > HZ) { \
warning_time = jiffies; no_flood_yet = 1; \
- printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \
+ printk(KERN_WARNING "Security: " normal_msg "\n", ## args); \
} else if (no_flood_yet) { \
warning_time = jiffies; no_flood_yet = 0; \
- printk(KERN_ALERT "Security: more " flood_msg \
- ", logging disabled for a minute\n"); \
+ printk(KERN_WARNING "Security: more " flood_msg \
+ ", logging disabled for one second\n"); \
} \
\
spin_unlock(&security_alert_lock); \
})

+#ifdef CONFIG_SECURE_CHROOT
+#define hap_same_root(haptask1, haptask2) \
+ /* if root devices and inodes match, processes share a \
+ * common root (neither, or both together, are chrooted) */ \
+ ((haptask1->fs->root->d_inode->i_dev == \
+ haptask2->fs->root->d_inode->i_dev) && \
+ (haptask1->fs->root->d_inode->i_ino == \
+ haptask2->fs->root->d_inode->i_ino) )
+
+#define hap_same_root_as_init(haptask) \
+ /* compare the given process to init */ \
+ hap_same_root(haptask, \
+ (task[smp_num_cpus] ? : task[0])) /* voodoo */
+#endif /* CONFIG_SECURE_CHROOT */
+
#endif /* __KERNEL__ */

#define SI_LOAD_SHIFT 16
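Review bot: shortening the flood window from `60 * HZ` to `HZ` and lowering the level from KERN_ALERT to KERN_WARNING changes the behaviour of every existing Openwall alert, not just the new ones: syslog rules keyed on kern.alert stop matching, and a local user can now produce up to sixty times as many lines per alert site; both changes need to be called out in the documentation. In the new macros, `hap_same_root()` dereferences `->fs->root->d_inode` on both tasks with no NULL checks; the signal.c hunk guards every one of those pointers by hand, but the ptrace and capset callers do not, and a task whose fs has been released (a zombie) will oops them, so the guards belong in the macro. The macro parameters should also be parenthesised (`(haptask1)->fs`), and `task[smp_num_cpus] ? : task[0]` with a `/* voodoo */` comment deserves either a comment stating the invariant it relies on (init occupies the slot after the per-CPU idle tasks) or a lookup such as find_task_by_pid(1), or better, recording init's root dev/ino once so that the comparison does not depend on the task array layout at all.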
diff -urP linux-2.2.26-ow1/include/linux/securebits.h linux-2.2.26-hap1/include/linux/securebits.h
--- linux-2.2.26-ow1/include/linux/securebits.h 2001-03-25 11:31:05.000000000 -0500
+++ linux-2.2.26-hap1/include/linux/securebits.h 2004-04-27 22:43:38.000000000 -0400
@@ -6,7 +6,7 @@
extern unsigned securebits;

/* When set UID 0 has no special privileges. When unset, we support
- inheritance of root-permissions and suid-root executablew under
+ inheritance of root-permissions and suid-root executable under
compatibility mode. We raise the effective and inheritable bitmasks
*of the executable file* if the effective uid of the new process is
0. If the real uid is 0, we raise the inheritable bitmask of the
diff -urP linux-2.2.26-ow1/include/linux/sysctl.h linux-2.2.26-hap1/include/linux/sysctl.h
--- linux-2.2.26-ow1/include/linux/sysctl.h 2004-04-08 16:22:17.000000000 -0400
+++ linux-2.2.26-hap1/include/linux/sysctl.h 2004-04-27 22:43:38.000000000 -0400
@@ -107,7 +107,8 @@
KERN_SHMALL=41, /* int: maximum size of shared memory */
KERN_SPARC_STOP_A=44, /* int: Sparc Stop-A enable */
KERN_HOTPLUG=49, /* string: path to hotplug policy agent */
- KERN_IEEE_EMULATION_WARNINGS=50 /* int: unimplemented ieee instructions */
+ KERN_IEEE_EMULATION_WARNINGS=50, /* int: unimplemented ieee instructions */
+ KERN_SECURITY=51 /* Security */
};


diff -urP linux-2.2.26-ow1/include/linux/tasks.h linux-2.2.26-hap1/include/linux/tasks.h
--- linux-2.2.26-ow1/include/linux/tasks.h 2001-03-25 11:31:03.000000000 -0500
+++ linux-2.2.26-hap1/include/linux/tasks.h 2004-04-27 22:43:38.000000000 -0400
@@ -11,7 +11,7 @@
#define NR_CPUS 1
#endif

-#define NR_TASKS 512 /* On x86 Max about 4000 */
+#define NR_TASKS 2048 /* On x86 Max about 4000 */

#define MAX_TASKS_PER_USER (NR_TASKS/2)
#define MIN_TASKS_LEFT_FOR_ROOT 4
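Review bot: raising `NR_TASKS` from 512 to 2048 is a capacity tuning change, not a security change, and nothing in the diff explains it; it also quadruples `MAX_TASKS_PER_USER (NR_TASKS/2)` to 1024, which loosens the per-user process ceiling that CONFIG_SECURE_RLIMIT_NPROC builds on. If it is wanted, make it a separate configurable item and document it rather than burying it in a hardening patch.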
diff -urP linux-2.2.26-ow1/include/net/dst.h linux-2.2.26-hap1/include/net/dst.h
--- linux-2.2.26-ow1/include/net/dst.h 2001-03-25 11:31:07.000000000 -0500
+++ linux-2.2.26-hap1/include/net/dst.h 2004-04-27 22:43:38.000000000 -0400
@@ -16,7 +16,11 @@
* 1 - rare events and bugs (default)
* 2 - trace mode.
*/
-#define RT_CACHE_DEBUG 0
+#ifdef CONFIG_SECURE_LOGGING
+#define RT_CACHE_DEBUG 1
+#else
+#define RT_CACHE_DEBUG 0
+#endif

#define DST_GC_MIN (1*HZ)
#define DST_GC_INC (5*HZ)
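Review bot: tying `RT_CACHE_DEBUG 1` to CONFIG_SECURE_LOGGING couples a networking debug knob to a security-logging option; route-cache debug messages are not security events and do not go through security_alert's flood limiter, so enabling CONFIG_SECURE_LOGGING will add unrelated noise to the kernel log. Either make this its own option or state in the CONFIG_SECURE_LOGGING help text that it also turns on route cache debugging.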
diff -urP linux-2.2.26-ow1/kernel/capability.c linux-2.2.26-hap1/kernel/capability.c
--- linux-2.2.26-ow1/kernel/capability.c 2001-03-25 11:31:02.000000000 -0500
+++ linux-2.2.26-hap1/kernel/capability.c 2004-04-27 22:43:38.000000000 -0400
@@ -188,6 +188,19 @@
goto out;
}

+#ifdef CONFIG_SECURE_CHROOT
+ if (!(hap_same_root_as_init(current)) &&
+ !(hap_same_root(current, target)) ) {
+ security_alert("denied capset of %s[%d] within chrooted jail [%s]:%lu "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "capsets from a chrooted process",
+ target->comm, target->pid, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->comm, current->pid,
+ current->uid, current->euid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid );
+ goto out;
+ }
+#endif
/* having verified that the proposed changes are legal,
we now put them into effect. */
error = 0;
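Review bot: the chroot check only compares `target`, and sys_capset's negative-pid forms (all processes or a process group) do not go through a single target; if, as upstream does, those forms leave `target` pointing at `current`, the check passes trivially here and the cap_set_all/cap_set_pg that follow apply to processes outside the jail. Refuse negative pids from a chrooted caller outright, and since CAP_SETPCAP is not in HAP_CHROOT_CAP_DROP_MASK this check is currently the only barrier. Also `hap_same_root(current, target)` dereferences `target->fs`, which can be NULL for a task that has exited; guard it.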
diff -urP linux-2.2.26-ow1/kernel/fork.c linux-2.2.26-hap1/kernel/fork.c
--- linux-2.2.26-ow1/kernel/fork.c 2004-04-27 22:27:28.000000000 -0400
+++ linux-2.2.26-hap1/kernel/fork.c 2004-04-27 22:43:38.000000000 -0400
@@ -746,6 +746,15 @@
free_uid(p);
bad_fork_free:
free_task_struct(p);
+#ifdef CONFIG_SECURE_LOGGING
+ security_alert("fork failure errno %d by %s[%d], UID %d, EUID %d, "
+ "parent %s[%d], UID %d, EUID %d",
+ "fork failures",
+ retval, current->comm, current->pid,
+ current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+#endif
goto bad_fork;
}

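Review bot: logging at `bad_fork_free:` only sees failures that occur after the task struct was allocated; the -ENOMEM from a failed task struct allocation jumps past this label and is never reported, which is the failure an attacker exhausting memory would produce. Either log at the common `bad_fork` exit or accept and document the gap. The format says `errno %d` but `retval` is negative at this point, so the line prints e.g. -11 rather than 11.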
diff -urP linux-2.2.26-ow1/kernel/signal.c linux-2.2.26-hap1/kernel/signal.c
--- linux-2.2.26-ow1/kernel/signal.c 2001-11-02 11:39:16.000000000 -0500
+++ linux-2.2.26-hap1/kernel/signal.c 2004-04-27 22:43:38.000000000 -0400
@@ -254,6 +254,9 @@
{
unsigned long flags;
int ret;
+#ifdef CONFIG_SECURE_CHROOT
+ struct task_struct * hap_init_task;
+#endif

#if DEBUG_SIG
printk("SIG queue (%s:%d): %d ", t->comm, t->pid, sig);
@@ -270,13 +273,67 @@
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
&& !capable(CAP_KILL))
goto out_nolock;
-
- /* The null signal is a permissions and process existance probe.
- No signal is actually delivered. Same goes for zombies.
- We have to grab the spinlock now so that we do not race
+ /* We have to grab the spinlock now so that we do not race
with flush_signals. */
- ret = 0;
spin_lock_irqsave(&t->sigmask_lock, flags);
+
+#ifdef CONFIG_SECURE_CHROOT
+ /*
+ * chrooted processes can only send signals to other processes in
+ * the same jail, with the exception that they can send SIGALRM and
+ * SIGIO to any process, and SIGCHLD to their parent, regardless.
+ */
+ /*
+ * this is still needed with the hap_same_root macros because we
+ * have to check init's task struct to be careful not to deref a
+ * null pointer later
+ */
+ hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */
+ if ( /* noop for 'signal zero' */
+ sig &&
+
+ /* be careful not to deref a null pointer later */
+ t->pid && t->fs && t->fs->root && t->fs->root->d_inode && t->p_pptr &&
+ current->pid && current->fs && current->fs->root &&
+ current->fs->root->d_inode && current->p_pptr &&
+ hap_init_task && hap_init_task->pid && hap_init_task->fs &&
+ hap_init_task->fs->root && hap_init_task->fs->root->d_inode &&
+
+ /* real work starting: check if signal is "mostly harmless" */
+ !( sig == SIGALRM || sig == SIGIO ||
+
+ /* check if current is not chrooted */
+ (hap_same_root_as_init(current)) ||
+
+ /* else check if current && target are under same chroot */
+ (hap_same_root(t, current)) ||
+
+ /* else check if child is sending parent SIGCHILD */
+ (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) {
+
+ /* Note: if target is init, its parent is task 0 */
+ security_alert("refused signal %d out of chrooted jail [%s]:%lu "
+ "owned by %d.%d by %s[%d], UID %d, EUID %d, parent "
+ "%s[%d], UID %d, EUID %d to %s[%d], UID %d, EUID %d with "
+ "root [%s]:%lu owned by %d.%d, parent %s[%d], UID %d, EUID %d",
+ "refused signals",
+ sig, kdevname(current->fs->root->d_inode->i_dev),
+ current->fs->root->d_inode->i_ino, current->fs->root->d_inode->i_uid,
+ current->fs->root->d_inode->i_gid, current->comm,
+ current->pid, current->uid, current->euid, current->p_pptr->comm,
+ current->p_pptr->pid, current->p_pptr->uid, current->p_pptr->euid,
+ t->comm, t->pid, t->uid, t->euid, kdevname(t->fs->root->d_inode->i_dev),
+ t->fs->root->d_inode->i_ino, t->fs->root->d_inode->i_uid,
+ t->fs->root->d_inode->i_gid, t->p_pptr->comm, t->p_pptr->pid,
+ t->p_pptr->uid, t->p_pptr->euid);
+ spin_unlock_irqrestore(&t->sigmask_lock, flags);
+ goto out_nolock;
+ }
+
+#endif
+ ret = 0;
+ /* The null signal is a permissions and process existance probe.
+ No signal is actually delivered. Same goes for zombies. */
if (!sig || !t->sig) {
spin_unlock_irqrestore(&t->sigmask_lock, flags);
goto out_nolock;
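Review bot: the CONFIG_SECURE_CHROOT block sits between spin_lock_irqsave(&t->sigmask_lock, flags) and the moved "ret = 0", but it only reads pid, fs and p_pptr fields that sigmask_lock does not protect, and the refusal path then runs a long security_alert() with interrupts disabled and the lock held. Move the whole #ifdef CONFIG_SECURE_CHROOT block above the spin_lock_irqsave() call: the locked section stays as short as in -ow1 and the extra spin_unlock_irqrestore() before "goto out_nolock" goes away. The "t->fs && t->fs->root && t->fs->root->d_inode" tests are also not a guarantee against a concurrent chroot() by the target, since nothing pins t->fs here; that deserves a comment rather than the current "be careful not to deref a null pointer", which suggests the checks are sufficient.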
@@ -301,6 +358,59 @@
/* Inflict this corner case with recalculations, not mainline */
recalc_sigpending(t);
break;
+#if CONFIG_SECURE_LOGGING
+ case SIGSEGV: case SIGILL: case SIGABRT: case SIGBUS:
+#ifdef __i386__
+ if (t->uid && t->euid && current->uid && current->euid)
+ security_alert("signal %d (%s addr 0x%08lx) sent (unprivileged) to "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "signal warnings for unprivileged processes",
+ sig, (t->tss.error_code & 2) ? "write" : "read or execute",
+ t->tss.cr2,
+ t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm,
+ t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid,
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ else
+ security_alert("signal %d (%s addr 0x%08lx) sent (privileged) to "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "signal warnings for privileged processes",
+ sig, (t->tss.error_code & 2) ? "write" : "read or execute",
+ t->tss.cr2,
+ t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm,
+ t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid,
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+#else
+ if (t->uid && t->euid && current->uid && current->euid)
+ security_alert("signal %d sent (unprivileged) to "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "signal warnings for unprivileged processes",
+ sig,
+ t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm,
+ t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid,
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+ else
+ security_alert("signal %d sent (privileged) to "
+ "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, "
+ "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d",
+ "signal warnings for privileged processes",
+ sig,
+ t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm,
+ t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid,
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+#endif
+ break;
+#endif
}

/* Optimize away the signal, if it's a signal that can be
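Review bot: this block is guarded with "#if CONFIG_SECURE_LOGGING" while every other hunk uses "#ifdef CONFIG_SECURE_LOGGING"; #if on an undefined macro quietly evaluates to 0, so it works, but use #ifdef for consistency. More importantly, on i386 the "addr 0x%08lx" value and the read/write verdict come from t->tss.cr2 and t->tss.error_code, which record the target's most recent page fault, not this signal: for SIGILL and SIGABRT, and for a SIGSEGV or SIGBUS delivered with kill(), the logged address is stale. Print the fault address only for kernel-originated SIGSEGV/SIGBUS, or state in the message that it is the last fault seen by the target. The four near-identical calls could also be collapsed to one with the "(unprivileged)"/"(privileged)" words and category string chosen by a ternary.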
diff -urP linux-2.2.26-ow1/kernel/sysctl.c linux-2.2.26-hap1/kernel/sysctl.c
--- linux-2.2.26-ow1/kernel/sysctl.c 2002-09-16 12:26:33.000000000 -0400
+++ linux-2.2.26-hap1/kernel/sysctl.c 2004-04-27 22:43:38.000000000 -0400
@@ -96,12 +96,20 @@
static ctl_table fs_table[];
static ctl_table debug_table[];
static ctl_table dev_table[];
-
+static ctl_table security_table[];

/* /proc declarations: */

#ifdef CONFIG_PROC_FS

+/* Keep these here reguardless if CONFIG_SECURE_SYSCTL is defined or not */
+int sysctl_security = 1;
+int sysctl_security_trace = 1;
+
+#ifdef CONFIG_SECURE_TRACE
+int sysctl_security_trace_gid = 0;
+#endif
+
static ssize_t proc_readsys(struct file *, char *, size_t, loff_t *);
static ssize_t proc_writesys(struct file *, const char *, size_t, loff_t *);
static int proc_sys_permission(struct inode *, int);
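Review bot: the comment says these variables are kept "reguardless" (regardless) of CONFIG_SECURE_SYSCTL, yet sysctl_security, sysctl_security_trace and sysctl_security_trace_gid are defined inside the "#ifdef CONFIG_PROC_FS" block that opens just above them. A kernel built without CONFIG_PROC_FS loses the definitions, and any other file that references sysctl_security_trace will fail to link; move the three definitions above "#ifdef CONFIG_PROC_FS" and fix the spelling in the comment.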
@@ -251,6 +259,18 @@
&sysctl_ieee_emulation_warnings,sizeof(int),0644,NULL,&proc_dointvec},
#endif
#endif
+ {KERN_SECURITY, "security", NULL, 0, 0550, security_table},
+ {0}
+};
+
+enum {SEC_TRACE=1, SEC_TRACE_GID , SEC_SYSCTL};
+static ctl_table security_table[] = {
+ {SEC_TRACE, "trace", &sysctl_security_trace, sizeof (int),
+ 0640, NULL, &proc_dointvec},
+#ifdef CONFIG_SECURE_TRACE_USERGROUP
+ {SEC_TRACE_GID, "trace_gid", &sysctl_security_trace_gid, sizeof (int),
+ 0640, NULL, &proc_dointvec},
+#endif
{0}
};

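Review bot: sysctl_security and the SEC_SYSCTL enumerator are declared but never appear in security_table, so there is no /proc/sys/kernel/security entry behind them; either add a {SEC_SYSCTL, "sysctl", &sysctl_security, ...} row or drop both. The table is also installed unconditionally, although security/Common.in in this same patch offers a separate CONFIG_SECURE_SYSCTL option; wrap the {KERN_SECURITY, ...} entry and security_table in "#ifdef CONFIG_SECURE_SYSCTL", or remove the option. Note too that sysctl_security_trace_gid is defined under CONFIG_SECURE_TRACE in the previous hunk but referenced here under CONFIG_SECURE_TRACE_USERGROUP; that compiles only because Common.in makes the latter depend on the former, and a comment should say so.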
diff -urP linux-2.2.26-ow1/kernel/time.c linux-2.2.26-hap1/kernel/time.c
--- linux-2.2.26-ow1/kernel/time.c 2001-03-25 11:31:02.000000000 -0500
+++ linux-2.2.26-hap1/kernel/time.c 2004-04-27 22:43:38.000000000 -0400
@@ -108,6 +108,14 @@
time_maxerror = NTP_PHASE_LIMIT;
time_esterror = NTP_PHASE_LIMIT;
write_unlock_irq(&xtime_lock);
+#ifdef CONFIG_SECURE_LOGGING
+ security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], "
+ "UID %d, EUID %d",
+ "time sets",
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+#endif
return 0;
}

@@ -184,6 +192,14 @@
* globally block out interrupts when it runs.
*/
do_settimeofday(tv);
+#ifdef CONFIG_SECURE_LOGGING
+ security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], "
+ "UID %d, EUID %d",
+ "time sets",
+ current->comm, current->pid, current->uid, current->euid,
+ current->p_pptr->comm, current->p_pptr->pid,
+ current->p_pptr->uid, current->p_pptr->euid);
+#endif
}
return 0;
}
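Review bot: this security_alert() call is a verbatim copy of the one added to sys_stime() in the previous hunk, and neither records the time being set, so the log cannot show how far the clock was moved or help reconcile timestamps written before and after the change. Factor the call into one static helper that also takes the new seconds value, and use it in both places.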
diff -urP linux-2.2.26-ow1/net/core/utils.c linux-2.2.26-hap1/net/core/utils.c
--- linux-2.2.26-ow1/net/core/utils.c 2001-03-25 11:31:12.000000000 -0500
+++ linux-2.2.26-hap1/net/core/utils.c 2004-04-27 22:43:38.000000000 -0400
@@ -35,12 +35,21 @@
net_random();
}

+#ifdef CONFIG_SECURE_LOGGING
+int net_msg_cost = HZ;
+#else
int net_msg_cost = 5*HZ;
+#endif
int net_msg_burst = 10*5*HZ;

/*
+#ifdef CONFIG_SECURE_LOGGING
+ * This enforces a rate limit: not more than one kernel message
+ * every 1secs to make a denial-of-service attack harder.
+#else
* This enforces a rate limit: not more than one kernel message
* every 5secs to make a denial-of-service attack impossible.
+#endif
*
* All warning printk()s should be guarded by this function.
*/
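Review bot: the "#ifdef CONFIG_SECURE_LOGGING", "#else" and "#endif" lines inside the block comment are comment text, not directives (comments are removed before the preprocessor sees them), so the reader gets both sentences and neither variant is selected; write a single sentence such as "not more than one kernel message every net_msg_cost/HZ seconds". Also, net_msg_cost drops from 5*HZ to HZ but net_msg_burst stays at 10*5*HZ, so under CONFIG_SECURE_LOGGING the permitted burst grows from 10 to 50 messages; if only the sustained rate was meant to change, set net_msg_burst to 10*net_msg_cost under the same #ifdef.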
diff -urP linux-2.2.26-ow1/net/ipv4/ip_fw.c linux-2.2.26-hap1/net/ipv4/ip_fw.c
--- linux-2.2.26-ow1/net/ipv4/ip_fw.c 2002-09-16 12:26:34.000000000 -0400
+++ linux-2.2.26-hap1/net/ipv4/ip_fw.c 2004-04-27 22:43:38.000000000 -0400
@@ -416,34 +416,83 @@
__u32 *opt = (__u32 *) (ip + 1);
int opti;

- if (f)
- {
+ if (f) {
+#ifdef CONFIG_SECURE_NETWORK
+ /* log any accepted packet at kern.debug instead of kern.info */
+ if (f->simplebranch==FW_ACCEPT ||
+ f->simplebranch==FW_REDIRECT ||
+ f->simplebranch==FW_MASQUERADE)
+ printk(KERN_DEBUG "Packet log: %s ",chainlabel);
+ else
+#endif
printk(KERN_INFO "Packet log: %s ",chainlabel);
-
printk("%s ",branchname(f->branch,f->simplebranch));
if (f->simplebranch==FW_REDIRECT)
printk("%d ",f->ipfw.fw_redirpt);
}

+#ifdef CONFIG_SECURE_NETWORK
+ if (ip->protocol == IPPROTO_TCP
+ && !(ip->frag_off & __constant_htons(IP_OFFSET))) {
+ struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl);
+ printk("%s PROTO=TCP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu "
+ "L=%hu:%hu:%hu S=0x%2.2hX I=%hu:%u:%u F=0x%4.4hX "
+ "T=%hu %c%c%c%c%c%c",
+ ifname,
+ NIPQUAD(ip->saddr), src_port,
+ NIPQUAD(ip->daddr), dst_port,
+ ntohs(ip->tot_len), ntohs(ip->tot_len) - ip->ihl*4,
+ ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4,
+ ip->tos, ntohs(ip->id), ntohl(tcp->seq),
+ ntohl(tcp->ack_seq), ip->frag_off, ip->ttl,
+ tcp->ack ? 'A' : '.',
+ tcp->syn ? 'S' : '.',
+ tcp->fin ? 'F' : '.',
+ tcp->rst ? 'R' : '.',
+ tcp->psh ? 'P' : '.',
+ tcp->urg ? 'U' : '.' );
+ } else if (ip->protocol == IPPROTO_UDP
+ && !(ip->frag_off & __constant_htons(IP_OFFSET))) {
+ struct udphdr *udp = (struct udphdr *)((__u32 *)ip + ip->ihl);
+ printk("%s PROTO=UDP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu "
+ "L=%hu:%u S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
+ ifname,
+ NIPQUAD(ip->saddr), src_port,
+ NIPQUAD(ip->daddr), dst_port,
+ ntohs(ip->tot_len), ntohs(udp->len),
+ ip->tos, ntohs(ip->id), ip->frag_off, ip->ttl);
+ } else if (ip->protocol == IPPROTO_ICMP
+ && !(ip->frag_off & __constant_htons(IP_OFFSET))) {
+ struct icmphdr *icmp = (struct icmphdr *)((__u32 *)ip + ip->ihl);
+ printk("%s PROTO=ICMP/%d:%d %d.%d.%d.%d %d.%d.%d.%d L=%hu "
+ "S=0x%2.2hX I=%hu:%hu:%hu F=0x%4.4hX T=%hu",
+ ifname, icmp->type, icmp->code,
+ NIPQUAD(ip->saddr),
+ NIPQUAD(ip->daddr),
+ ntohs(ip->tot_len), ip->tos,
+ ntohs(ip->id), ntohs(icmp->un.echo.id),
+ ntohs(icmp->un.echo.sequence),
+ ip->frag_off, ip->ttl);
+ } else {
+#endif
printk("%s PROTO=%d %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu"
" L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
ifname, ip->protocol,
- (ntohl(ip->saddr)>>24)&0xFF,
- (ntohl(ip->saddr)>>16)&0xFF,
- (ntohl(ip->saddr)>>8)&0xFF,
- (ntohl(ip->saddr))&0xFF,
- src_port,
- (ntohl(ip->daddr)>>24)&0xFF,
- (ntohl(ip->daddr)>>16)&0xFF,
- (ntohl(ip->daddr)>>8)&0xFF,
- (ntohl(ip->daddr))&0xFF,
- dst_port,
+ NIPQUAD(ip->saddr), src_port,
+ NIPQUAD(ip->daddr), dst_port,
ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
ntohs(ip->frag_off), ip->ttl);
+#ifdef CONFIG_SECURE_NETWORK
+ }
+#endif

for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++)
printk(" O=0x%8.8X", *opt++);
+#ifdef CONFIG_SECURE_NETWORK
+ printk(" (#%d)\n", count);
+#else
printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
+#endif
}

/* function for checking chain labels for user space. */
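Review bot: the new TCP, UDP and ICMP branches print ip->frag_off raw in "F=0x%4.4hX" while the generic branch below keeps ntohs(ip->frag_off), so the same field appears in different byte orders depending on protocol; use ntohs() in all four. In the TCP branch, "ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4" uses a packet-supplied doff that is not validated against tot_len here, so a short or crafted packet yields a wrapped %hu payload length; check that tot_len covers ihl*4 plus sizeof(struct tcphdr), and that doff*4 fits in the remainder, before dereferencing tcp (and likewise udp and icmp for their headers).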
diff -urP linux-2.2.26-ow1/net/ipv4/route.c linux-2.2.26-hap1/net/ipv4/route.c
--- linux-2.2.26-ow1/net/ipv4/route.c 2004-04-08 16:22:17.000000000 -0400
+++ linux-2.2.26-hap1/net/ipv4/route.c 2004-04-27 22:43:38.000000000 -0400
@@ -727,6 +727,13 @@
return;

reject_redirect:
+#ifdef CONFIG_SECURE_LOGGING
+ security_alert("redirect from %d.%d.%d.%d/%s to %d.%d.%d.%d ignored; "
+ "path = %d.%d.%d.%d -> %d.%d.%d.%d, tos %02x\n",
+ "redirects ignored",
+ NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw),
+ NIPQUAD(saddr), NIPQUAD(daddr), tos);
+#else
#ifdef CONFIG_IP_ROUTE_VERBOSE
if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit())
printk(KERN_INFO "Redirect from %X/%s to %X ignored."
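Review bot: the CONFIG_SECURE_LOGGING message ends in "\n" whereas the other security_alert() calls in this patch (fork failures, time sets, refused signals) do not, so either this line is followed by a blank line or the others lack a newline; pick one convention. The new branch also bypasses "IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()", so the log_martians sysctl no longer governs redirect logging on this kernel; if that is intended, say so in Configure.help, otherwise keep the IN_DEV_LOG_MARTIANS test in front of the security_alert().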
@@ -734,6 +741,7 @@
ntohl(old_gw), dev->name, ntohl(new_gw),
ntohl(saddr), ntohl(daddr), tos);
#endif
+#endif
}

static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)
diff -urP linux-2.2.26-ow1/net/ipv4/tcp_ipv4.c linux-2.2.26-hap1/net/ipv4/tcp_ipv4.c
--- linux-2.2.26-ow1/net/ipv4/tcp_ipv4.c 2003-03-05 09:47:02.000000000 -0500
+++ linux-2.2.26-hap1/net/ipv4/tcp_ipv4.c 2004-04-27 22:43:38.000000000 -0400
@@ -1750,6 +1750,14 @@
len < (th->doff * 4))
goto bad_packet;

+#ifdef CONFIG_SECURE_NETWORK
+ /* Throw out packets with clearly bogus flags. */
+ if ( ! (th->ack || th->syn || th->rst) ||
+ (th->fin && (th->syn || th->rst) ) ||
+ (th->rst && (th->syn || th->urg) ) ||
+ (th->syn && th->urg) )
+ goto tcp_bad_flags;
+#endif
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (IPCB(skb)->redirport)
sk = tcp_v4_proxy_lookup(th->dest, skb->nh.iph->saddr, th->source,
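Review bot: the comment "clearly bogus flags" overstates the test: FIN+SYN, FIN+RST and SYN+RST are invalid combinations, but SYN+URG and RST+URG are merely unusual and RFC 793 does not forbid them, so a peer that sets URG on a SYN is dropped and logged as "badflag". Document the rule as a scan-signature heuristic, list the rejected combinations in Configure.help, and consider dropping the two URG clauses or making them separately configurable.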
@@ -1765,7 +1773,11 @@
}
#endif
if (!sk)
+#ifdef CONFIG_SECURE_NETWORK
+ goto tcp_unserved;
+#else
goto no_tcp_socket;
+#endif
if(!ipsec_sk_policy(sk,skb))
goto discard_it;

@@ -1783,6 +1795,52 @@

__skb_queue_tail(&sk->back_log, skb);
return 0;
+#ifdef CONFIG_SECURE_NETWORK
+
+tcp_bad_flags:
+ if(net_ratelimit())
+ printk(KERN_INFO
+ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
+ "T=%hu %c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+ /*
+ * This will cause tcp_send_reset to *not* send.
+ */
+ th->rst=1;
+ goto no_tcp_socket;
+
+tcp_unserved:
+ if(net_ratelimit())
+ printk(KERN_INFO
+ "Packet log: unserved DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX "
+ "I=%hu:%u:%u T=%hu %c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+#ifdef CONFIG_SECURE_NET_SBD
+ th->rst=1;
+#endif
+#endif /* CONFIG_SECURE_NETWORK */

no_tcp_socket:
tcp_v4_send_reset(skb);
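Review bot: both new labels rely on "th->rst=1" written into the received header to make tcp_v4_send_reset() skip the reset, which mutates packet data in place (visible to anything else still holding a reference to it) and ties the DENY path to an implementation detail of tcp_v4_send_reset(). The function already has a discard_it label, used by the ipsec_sk_policy() check above, so "goto discard_it" expresses the intent directly: use it unconditionally at tcp_bad_flags and under "#ifdef CONFIG_SECURE_NET_SBD" at tcp_unserved, falling through to no_tcp_socket otherwise.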
diff -urP linux-2.2.26-ow1/net/ipv4/udp.c linux-2.2.26-hap1/net/ipv4/udp.c
--- linux-2.2.26-ow1/net/ipv4/udp.c 2001-03-25 11:37:41.000000000 -0500
+++ linux-2.2.26-hap1/net/ipv4/udp.c 2004-04-27 22:43:38.000000000 -0400
@@ -1137,6 +1137,14 @@
goto csum_error;
#endif
udp_statistics.UdpNoPorts++;
+#ifdef CONFIG_SECURE_NETWORK
+ /*
+ * This will cause a message for _every_ UDP packet we didn't
+ * ask for, _including_ broadcasts. If you don't care about
+ * broadcasts, move the following line inside the if { .. } below.
+ */
+ goto udp_unserved_port;
+#else
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);

/*
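Review bot: the comment admits that every unsolicited UDP packet, broadcasts included, now takes the "goto udp_unserved_port" path and is logged; on a LAN with NetBIOS, DHCP or routing-protocol chatter that is a steady stream of "unserved DENY" lines competing for the same net_ratelimit() budget as events worth seeing. Rather than telling the reader to move the line, place the goto under the broadcast check the comment refers to, so that broadcasts keep the original silent-drop behaviour by default, and leave logging them as an explicit option.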
@@ -1145,10 +1153,30 @@
*/
kfree_skb(skb);
return(0);
+#endif
}
udp_deliver(sk, skb);
return 0;

+#ifdef CONFIG_SECURE_NETWORK
+
+udp_unserved_port:
+ if(net_ratelimit())
+ printk( KERN_INFO
+ "Packet log: unserved DENY %s PROTO=UDP %d.%d.%d.%d:%d %d.%d.%d.%d:%d "
+ "L=%hu:%u S=0x%2.2hX I=%hu T=%hu\n",
+ skb->dev->name, NIPQUAD(saddr), ntohs(uh->source),
+ NIPQUAD(daddr), ntohs(uh->dest), ntohs(skb->nh.iph->tot_len),
+ ntohs(uh->len), skb->nh.iph->tos, ntohs(skb->nh.iph->id),
+ skb->nh.iph->ttl);
+#ifndef CONFIG_SECURE_NET_SBD
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+#endif
+ skb->sk = NULL;
+ kfree_skb(skb);
+ return(0);
+#endif /* CONFIG_SECURE_NETWORK */
+
csum_error:
/*
* RFC1122: OK. Discards the bad packet silently (as far as
diff -urP linux-2.2.26-ow1/security/Common.in linux-2.2.26-hap1/security/Common.in
--- linux-2.2.26-ow1/security/Common.in 2004-04-27 22:27:28.000000000 -0400
+++ linux-2.2.26-hap1/security/Common.in 2004-04-27 22:43:38.000000000 -0400
@@ -4,9 +4,26 @@

bool 'Restricted links in /tmp' CONFIG_SECURE_LINK
bool 'Restricted FIFOs in /tmp' CONFIG_SECURE_FIFO
+if [ "$CONFIG_SECURE_LINK" = "y" -o "CONFIG_SECURE_FIFO" = "y" ]; then
+ bool 'Allow links/fifos in non-world-writable +t dirs' CONFIG_SECURE_NOTSOMUCH
+fi
bool 'Restricted /proc' CONFIG_SECURE_PROC
bool 'Special handling of fd 0, 1, and 2' CONFIG_SECURE_FD_0_1_2
bool 'Enforce RLIMIT_NPROC on execve(2)' CONFIG_SECURE_RLIMIT_NPROC
if [ "$CONFIG_SYSVIPC" = "y" ]; then
bool 'Destroy shared memory segments not in use' CONFIG_SECURE_SHM
fi
+bool 'Unofficial bugfixes' CONFIG_SECURE_BUGFIX
+bool 'Extra logging of unusual events' CONFIG_SECURE_LOGGING
+bool 'Paranoid networking' CONFIG_SECURE_NETWORK
+if [ "$CONFIG_SECURE_NETWORK" = "y" ]; then
+ bool 'Blackhole networking' CONFIG_SECURE_NET_SBD
+fi
+bool 'Restricted chroot' CONFIG_SECURE_CHROOT
+bool 'Restricted ptrace' CONFIG_SECURE_TRACE
+if [ "$CONFIG_SECURE_TRACE" = "y" ]; then
+ bool ' Allow special group' CONFIG_SECURE_TRACE_USERGROUP
+fi
+if [ "$CONFIG_SYSCTL" = "y" ]; then
+ bool 'Security Sysctl Support' CONFIG_SECURE_SYSCTL
+fi
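Review bot: the test "CONFIG_SECURE_FIFO" = "y" compares the literal string, not the variable; it needs "$CONFIG_SECURE_FIFO". As written the CONFIG_SECURE_NOTSOMUCH prompt only appears when CONFIG_SECURE_LINK=y, so a user who enabled only restricted FIFOs can never select it.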