diff -Nru linux-2.4.25-grsec-1.9.14/arch/i386/kernel/ioport.c linux-2.4.25-grsec-1.9.14-textrel-sio/arch/i386/kernel/ioport.c --- linux-2.4.25-grsec-1.9.14/arch/i386/kernel/ioport.c 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/arch/i386/kernel/ioport.c 2004-02-22 20:37:21.000000000 -0500 @@ -60,16 +60,15 @@ if ((from + num <= from) || (from + num > IO_BITMAP_SIZE*32)) return -EINVAL; -#ifdef CONFIG_GRKERNSEC_IO + if (grsec_enable_secure_io) { if (turn_on) { gr_handle_ioperm(); -#else + return -EPERM; + } else if (turn_on && !capable(CAP_SYS_RAWIO)) -#endif return -EPERM; -#ifdef CONFIG_GRKERNSEC_IO } -#endif + /* * If it's the first ioperm() call in this thread's lifetime, set the * IO bitmap up. ioperm() is much less timing critical than clone(), @@ -118,13 +117,12 @@ return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { -#ifdef CONFIG_GRKERNSEC_IO + if (grsec_enable_secure_io) { gr_handle_iopl(); return -EPERM; -#else + } else if (!capable(CAP_SYS_RAWIO)) return -EPERM; -#endif } regs->eflags = (regs->eflags & 0xffffcfff) | (level << 12); return 0; diff -Nru linux-2.4.25-grsec-1.9.14/grsecurity/Config.in linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/Config.in --- linux-2.4.25-grsec-1.9.14/grsecurity/Config.in 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/Config.in 2004-02-22 20:37:21.000000000 -0500 @@ -1,3 +1,4 @@ +define_bool CONFIG_GRKERNSEC_AUDIT_TEXTREL y define_bool CONFIG_CRYPTO y define_bool CONFIG_CRYPTO_SHA256 y choice 'Security level' \ @@ -341,6 +342,7 @@ bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL bool 'Time change logging' CONFIG_GRKERNSEC_TIME +bool 'ELF text relocations logging' CONFIG_GRKERNSEC_AUDIT_TEXTREL endmenu mainmenu_option next_comment comment 'Executable Protections' diff -Nru linux-2.4.25-grsec-1.9.14/grsecurity/Makefile linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/Makefile --- linux-2.4.25-grsec-1.9.14/grsecurity/Makefile 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/Makefile 2004-02-22 20:37:21.000000000 -0500 @@ -20,4 +20,6 @@ obj-y += grsec_disabled.o endif +obj-y += grsec_textrel.o + include $(TOPDIR)/Rules.make diff -Nru linux-2.4.25-grsec-1.9.14/grsecurity/grsec_init.c linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/grsec_init.c --- linux-2.4.25-grsec-1.9.14/grsecurity/grsec_init.c 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/grsec_init.c 2004-02-22 20:37:21.000000000 -0500 @@ -46,6 +46,8 @@ int grsec_socket_client_gid; int grsec_enable_socket_server; int grsec_socket_server_gid; +int grsec_enable_secure_io; +int grsec_enable_audit_textrel; int grsec_lock; spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; @@ -85,6 +87,9 @@ #ifndef CONFIG_GRKERNSEC_SYSCTL grsec_lock = 1; +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL + grsec_enable_audit_textrel = 1; +#endif #ifdef CONFIG_GRKERNSEC_AUDIT_GROUP grsec_enable_group = 1; grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID; @@ -198,6 +203,9 @@ grsec_enable_socket_server = 1; grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID; #endif +#ifdef CONFIG_GRKERNSEC_IO + grsec_enable_secure_io = 1; +#endif #endif return; diff -Nru linux-2.4.25-grsec-1.9.14/grsecurity/grsec_textrel.c linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/grsec_textrel.c --- linux-2.4.25-grsec-1.9.14/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/grsecurity/grsec_textrel.c 2004-02-22 20:37:21.000000000 -0500 @@ -0,0 +1,17 @@ +#include +#include +#include +#include +#include + +void +gr_log_textrel(struct vm_area_struct * vma) +{ +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL + if (grsec_enable_audit_textrel) + security_audit(GR_TEXTREL_AUDIT_MSG, + vma->vm_start, vma->vm_pgoff, + DEFAULTSECARGS); +#endif + return; +} diff -Nru linux-2.4.25-grsec-1.9.14/include/linux/grmsg.h linux-2.4.25-grsec-1.9.14-textrel-sio/include/linux/grmsg.h --- linux-2.4.25-grsec-1.9.14/include/linux/grmsg.h 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/include/linux/grmsg.h 2004-02-22 20:37:21.000000000 -0500 @@ -97,3 +97,4 @@ #define GR_SHM_AUDIT_MSG "shared memory of size %d created by " DEFAULTSECMSG #define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG #define GR_RESOURCE_MSG "attempted resource overstep by requesting %lu for %.16s against limit %lu by " DEFAULTSECMSG +#define GR_TEXTREL_AUDIT_MSG "textrel VMA:0x%08lx 0x%08lx in " DEFAULTSECMSG diff -Nru linux-2.4.25-grsec-1.9.14/include/linux/grsecurity.h linux-2.4.25-grsec-1.9.14-textrel-sio/include/linux/grsecurity.h --- linux-2.4.25-grsec-1.9.14/include/linux/grsecurity.h 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/include/linux/grsecurity.h 2004-02-22 20:37:21.000000000 -0500 @@ -48,7 +48,7 @@ extern void gr_log_semrm(const uid_t uid, const uid_t cuid); extern void gr_log_shmget(const int err, const int shmflg, const size_t size); extern void gr_log_shmrm(const uid_t uid, const uid_t cuid); - +extern void gr_log_textrel(struct vm_area_struct * vma); extern int gr_handle_follow_link(const struct inode *parent, const struct inode *inode, const struct dentry *dentry, @@ -164,6 +164,8 @@ extern int grsec_enable_randisn; extern int grsec_enable_randsrc; extern int grsec_enable_randrpc; +extern int grsec_enable_secure_io; +extern int grsec_enable_audit_textrel; #endif #endif diff -Nru linux-2.4.25-grsec-1.9.14/kernel/sysctl.c linux-2.4.25-grsec-1.9.14-textrel-sio/kernel/sysctl.c --- linux-2.4.25-grsec-1.9.14/kernel/sysctl.c 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/kernel/sysctl.c 2004-02-22 20:37:21.000000000 -0500 @@ -309,7 +309,7 @@ }; #ifdef CONFIG_GRKERNSEC -enum {GS_ACL=1, GS_LINK, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, +enum {GS_ACL=1, GS_TEXTREL, GS_LINK, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT, GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM, GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, @@ -318,11 +318,15 @@ GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC, -GS_FINDTASK, GS_LOCK}; +GS_FINDTASK, GS_IO, GS_LOCK}; static ctl_table grsecurity_table[] = { {GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler}, #ifdef CONFIG_GRKERNSEC_SYSCTL +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL + {GS_TEXTREL, "audit_textrel", &grsec_enable_audit_textrel, sizeof (int), + 0600, NULL, &proc_dointvec}, +#endif #ifdef CONFIG_GRKERNSEC_LINK {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int), 0600, NULL, &proc_dointvec}, @@ -484,6 +488,10 @@ {GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask, sizeof (int), 0600, NULL, &proc_dointvec}, #endif +#ifdef CONFIG_GRKERNSEC_IO + {GS_IO, "secure_io", &grsec_enable_secure_io, + sizeof (int), 0600, NULL, &proc_dointvec}, +#endif {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL, &proc_dointvec}, #endif diff -Nru linux-2.4.25-grsec-1.9.14/makefile.sed linux-2.4.25-grsec-1.9.14-textrel-sio/makefile.sed --- linux-2.4.25-grsec-1.9.14/makefile.sed 1969-12-31 19:00:00.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/makefile.sed 2004-02-22 20:37:21.000000000 -0500 @@ -0,0 +1 @@ +grep System.map Makefile | sed s:"sort > System.map":"sort > System.map \&\& chmod 600 System.map \&\& find . -name '*.o' | xargs -n1 chmod go-r":g diff -Nru linux-2.4.25-grsec-1.9.14/mm/mprotect.c linux-2.4.25-grsec-1.9.14-textrel-sio/mm/mprotect.c --- linux-2.4.25-grsec-1.9.14/mm/mprotect.c 2004-02-22 21:29:34.000000000 -0500 +++ linux-2.4.25-grsec-1.9.14-textrel-sio/mm/mprotect.c 2004-02-22 20:37:21.000000000 -0500 @@ -369,6 +369,7 @@ return; if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) { vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE; + gr_log_textrel(vma); return; } i++;