diff -urP linux-2.2.19-ow3/Documentation/Configure.help linux-2.2.19-hap-4/Docume ntation/Configure.help --- linux-2.2.19-ow3/Documentation/Configure.help Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/Documentation/Configure.help Sat Oct 20 01:52:39 2001 @@ -13707,6 +13707,17 @@ same as that of the directory or the FIFO is opened without the O_CREAT flag. +Allow links/pipes in non-world-writable +t dirs +CONFIG_SECURE_NOTSOMUCH + This makes the checks that CONFIG_SECURE_LINK and CONFIG_SECURE_PIPE + perform a little less restrictive. Namely, links/pipes will work + again in +t directories if the directory is not world-writable. Most + sticky directories (such as /tmp) *are* world-writable, but you may + have other +t directories which are not (to make safe group-writable + shared upload directories, for instance). Say Y only if you have had + problems using the CONFIG_SECURE_LINK or CONFIG_SECURE_PIPE options + and you think you need this. + Restricted /proc CONFIG_SECURE_PROC This option restricts the permissions on directories in /proc so @@ -13718,6 +13729,13 @@ disables dmesg(8) for the users. You might want to use this on an ISP shell server where privacy is an issue. +Unofficial bugfixes +CONFIG_SECURE_BUGFIX + Currently this fixes the following bug: + * stracing an unreadable binary (ie mode 111). Note that there + are still ways to get around this at least on x86. + Say Y here unless you know you shouldn't. + Special handling of fd 0, 1, and 2 CONFIG_SECURE_FD_0_1_2 File descriptors 0, 1, and 2 have a special meaning for the C library @@ -13759,6 +13777,70 @@ Note that this feature will do you no good unless you also configure your resource limits (in particular, RLIMIT_AS and RLIMIT_NPROC). Most systems don't need this. + +Extra logging of unusual events +CONFIG_SECURE_LOGGING + This turns on some extra kernel logging. Right now this includes: + * some extra verbosity in the network layer (reporting about arp cache + changes, and complaining if someone tries to route through us and + we're not a router) + * also causes some packets that used to be dropped silently to get + whined about + * logs of who/what/when the system time changes + * logs when/why forks fail + * logs certain "lethal" signals: SIGSEGV, SIGBUS, SIGABRT, SIGILL + This is of limited use, and has some extra overhead, but isn't likely + to cause any problems. + +Paranoid networking +CONFIG_SECURE_NETWORK + This turns on some extra paranoia in tcp and udp net code. + Currently it does (or tries to): + * warns on packets to unserved UDP ports + * warns on packets to unserved TCP ports + * optionally, denies such packets (CONFIG_SECURE_NET_SBD) + * warns & denies TCP packets with invalid combinations of flags + * adds extra info to all IPFW log lines: + * length of TCP & data / UDP as well as IP length + * print TCP ACK and SEQ numbers in addition to IP ids + * prints all TCP flags set (Syn, Ack, Fin, Urg, etc) + It also hopefully banishes a longstanding bug with IPFW/IPchains + log printing when under heavy IO, where different printk'ed lines + step on each other/get truncated, etc. + Say Y unless you think it's breaking stuff (or you don't want the + log volume, which will be high on a busy server). + +Blackhole networking +CONFIG_SECURE_NET_SBD + When CONFIG_SECURE_NETWORK is enabled, this disables the usual + behavior of responding to unsolicited/"unserved" TCP packets with + a TCP RST, and to unserved UDP packets with an ICMP port-unreach. + Note that the UDP behavior is superfluous (can be easily done with + ipchains rules) but there's no convenient, desirable way to block + the RSTs other than this. This is recommended for personal systems + and low-volume servers. However, it is rude and breaks RFCs, so + it should be left off (the default behavior) for most systems, + unless you are *really* paranoid. + +Restricted chroot +CONFIG_SECURE_CHROOT + This causes chroot processes to be a bit more restricted. Processes + which are already in a chroot(2)ed jail now cannot: + * chroot(2) again + * mknod(2) a character or block device + * mount(2) new/remounted filesystems + * ptrace(2) processes outside their jail + * kill(2) processes outside their jail (except sending SIGCHLD to parent) + These are a _few_ of the ways that a root-priv'ed process can break + out of a chrooted jail. They are not all of them. Basically, if + someone has root in a chrooted jail, no can defend -- they've got you. + But, this may help you detect the most common things such an intruder + would do. The only way to win is not to play, however -- don't let + anything in a chrooted jail get root! Simple, right? ;) + This may break systems that use initrd, as that implies an original + chroot. Or not -- the "is this process chrooted" test compares the + root of the current process to that of init; this may not break under + initrd (I have no initrd'd boxes on which to test). # # A couple of things I keep forgetting: diff -urP linux-2.2.19-ow3/Makefile linux-2.2.19-hap-4/Makefile --- linux-2.2.19-ow3/Makefile Sun Mar 25 11:39:55 2001 +++ linux-2.2.19-hap-4/Makefile Sat Oct 20 01:52:39 2001 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 2 SUBLEVEL = 19 -EXTRAVERSION = +EXTRAVERSION = -hap-3 ARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/ar m/ -e s/sa110/arm/) diff -urP linux-2.2.19-ow3/arch/alpha/defconfig linux-2.2.19-hap-4/arch/alpha/def config --- linux-2.2.19-ow3/arch/alpha/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/alpha/defconfig Sat Oct 20 01:52:39 2001 @@ -332,10 +332,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/alpha/kernel/ptrace.c linux-2.2.19-hap-4/arch/alp ha/kernel/ptrace.c --- linux-2.2.19-ow3/arch/alpha/kernel/ptrace.c Sun Mar 25 11:31:46 2001 +++ linux-2.2.19-hap-4/arch/alpha/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -520,7 +520,11 @@ struct task_struct *child; unsigned long tmp; long ret; - +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n", request, pid, addr, data)); @@ -555,6 +559,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; if (child->p_pptr != current) { REMOVE_LINKS(child); diff -urP linux-2.2.19-ow3/arch/arm/defconfig linux-2.2.19-hap-4/arch/arm/defconf ig --- linux-2.2.19-ow3/arch/arm/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/arm/defconfig Sat Oct 20 01:52:39 2001 @@ -487,10 +487,16 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_BUGFIX=y +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/arm/kernel/ptrace.c linux-2.2.19-hap-4/arch/arm/k ernel/ptrace.c --- linux-2.2.19-ow3/arch/arm/kernel/ptrace.c Sun Mar 25 11:37:29 2001 +++ linux-2.2.19-hap-4/arch/arm/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -794,7 +794,11 @@ { struct task_struct *child; int ret; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); ret = -EPERM; if (request == PTRACE_TRACEME) { @@ -828,6 +832,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; if (child->p_pptr != current) { diff -urP linux-2.2.19-ow3/arch/i386/defconfig linux-2.2.19-hap-4/arch/i386/defco nfig --- linux-2.2.19-ow3/arch/i386/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/i386/defconfig Sat Oct 20 01:52:39 2001 @@ -426,10 +426,16 @@ CONFIG_SECURE_STACK_SMART=y CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_BUGFIX=y +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/i386/kernel/ptrace.c linux-2.2.19-hap-4/arch/i386 /kernel/ptrace.c --- linux-2.2.19-ow3/arch/i386/kernel/ptrace.c Sun Mar 25 11:31:45 2001 +++ linux-2.2.19-hap-4/arch/i386/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -389,7 +389,11 @@ struct user * dummy = NULL; unsigned long flags; int i, ret; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); ret = -EPERM; if (request == PTRACE_TRACEME) { @@ -425,6 +429,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); diff -urP linux-2.2.19-ow3/arch/i386/kernel/traps.c linux-2.2.19-hap-4/arch/i386/ kernel/traps.c --- linux-2.2.19-ow3/arch/i386/kernel/traps.c Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/i386/kernel/traps.c Sat Oct 20 01:52:39 2001 @@ -401,11 +401,13 @@ */ if ((addr & 0xFF800000) == 0xBF800000 || (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET)) - security_alert("return onto stack running as " - "UID %d, EUID %d, process %s:%d", + security_alert("return onto stack by %s[%d], UID %d, " + "EUID %d, parent %s[%d], UID %d, EUID %d", "returns onto stack", - current->uid, current->euid, - current->comm, current->pid); + current->comm, current->pid, current->uid, + current->euid, current->p_pptr->comm, + current->p_pptr->pid, current->p_pptr->uid, + current->p_pptr->euid); } #ifdef CONFIG_SECURE_STACK_SMART diff -urP linux-2.2.19-ow3/arch/m68k/defconfig linux-2.2.19-hap-4/arch/m68k/defco nfig --- linux-2.2.19-ow3/arch/m68k/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/m68k/defconfig Sat Oct 20 01:52:39 2001 @@ -242,10 +242,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/m68k/kernel/ptrace.c linux-2.2.19-hap-4/arch/m68k /kernel/ptrace.c --- linux-2.2.19-ow3/arch/m68k/kernel/ptrace.c Sun Mar 25 11:31:50 2001 +++ linux-2.2.19-hap-4/arch/m68k/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -315,7 +315,11 @@ struct task_struct *child; unsigned long flags; int ret; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); ret = -EPERM; if (request == PTRACE_TRACEME) { @@ -351,6 +355,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); diff -urP linux-2.2.19-ow3/arch/mips/defconfig linux-2.2.19-hap-4/arch/mips/defco nfig --- linux-2.2.19-ow3/arch/mips/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/mips/defconfig Sat Oct 20 01:52:39 2001 @@ -368,10 +368,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/mips/kernel/ptrace.c linux-2.2.19-hap-4/arch/mips /kernel/ptrace.c --- linux-2.2.19-ow3/arch/mips/kernel/ptrace.c Sun Mar 25 11:31:48 2001 +++ linux-2.2.19-hap-4/arch/mips/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -261,7 +261,11 @@ struct task_struct *child; unsigned int flags; int res; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); #if 0 printk("ptrace(r=%d,pid=%d,addr=%08lx,data=%08lx)\n", @@ -308,6 +312,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); diff -urP linux-2.2.19-ow3/arch/ppc/defconfig linux-2.2.19-hap-4/arch/ppc/defconf ig --- linux-2.2.19-ow3/arch/ppc/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/ppc/defconfig Sat Oct 20 01:52:39 2001 @@ -498,10 +498,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/ppc/kernel/ptrace.c linux-2.2.19-hap-4/arch/ppc/k ernel/ptrace.c --- linux-2.2.19-ow3/arch/ppc/kernel/ptrace.c Sun Mar 25 11:31:49 2001 +++ linux-2.2.19-hap-4/arch/ppc/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -337,7 +337,11 @@ struct task_struct *child; int ret = -EPERM; unsigned long flags; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); if (request == PTRACE_TRACEME) { /* are we already being traced? */ @@ -372,6 +376,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); diff -urP linux-2.2.19-ow3/arch/s390/defconfig linux-2.2.19-hap-4/arch/s390/defco nfig --- linux-2.2.19-ow3/arch/s390/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/s390/defconfig Sat Oct 20 01:52:39 2001 @@ -163,10 +163,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/s390/kernel/ptrace.c linux-2.2.19-hap-4/arch/s390 /kernel/ptrace.c --- linux-2.2.19-ow3/arch/s390/kernel/ptrace.c Sun Mar 25 11:31:55 2001 +++ linux-2.2.19-hap-4/arch/s390/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -431,6 +431,11 @@ int ret = -EPERM; unsigned long tmp; ptrace_area parea; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); if (request == PTRACE_TRACEME) { @@ -461,6 +466,29 @@ /* the same process cannot be attached many times */ if (child->flags & PF_PTRACED) goto out; +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + goto out; + } +#endif child->flags |= PF_PTRACED; if (child->p_pptr != current) { diff -urP linux-2.2.19-ow3/arch/sparc/defconfig linux-2.2.19-hap-4/arch/sparc/def config --- linux-2.2.19-ow3/arch/sparc/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/sparc/defconfig Sat Oct 20 01:52:39 2001 @@ -339,10 +339,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Kernel hacking diff -urP linux-2.2.19-ow3/arch/sparc/kernel/ptrace.c linux-2.2.19-hap-4/arch/spa rc/kernel/ptrace.c --- linux-2.2.19-ow3/arch/sparc/kernel/ptrace.c Sun Mar 25 11:31:47 2001 +++ linux-2.2.19-hap-4/arch/sparc/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -514,7 +514,11 @@ unsigned long data = regs->u_regs[UREG_I3]; unsigned long addr2 = regs->u_regs[UREG_I4]; struct task_struct *child; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif lock_kernel(); #ifdef DEBUG_PTRACE { @@ -582,6 +586,30 @@ pt_error_return(regs, EPERM); goto out; } +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + pt_error_return(regs, EPERM); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); if(child->p_pptr != current) { diff -urP linux-2.2.19-ow3/arch/sparc64/defconfig linux-2.2.19-hap-4/arch/sparc64 /defconfig --- linux-2.2.19-ow3/arch/sparc64/defconfig Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/arch/sparc64/defconfig Sat Oct 20 01:52:39 2001 @@ -390,10 +390,15 @@ # CONFIG_SECURE_LINK=y CONFIG_SECURE_FIFO=y -# CONFIG_SECURE_PROC is not set +CONFIG_SECURE_NOTSOMUCH=y +CONFIG_SECURE_PROC=y CONFIG_SECURE_FD_0_1_2=y CONFIG_SECURE_RLIMIT_NPROC=y # CONFIG_SECURE_SHM is not set +CONFIG_SECURE_LOGGING=y +CONFIG_SECURE_NETWORK=y +# CONFIG_SECURE_NET_SBD is not set +CONFIG_SECURE_CHROOT=y # # Watchdog diff -urP linux-2.2.19-ow3/arch/sparc64/kernel/ptrace.c linux-2.2.19-hap-4/arch/s parc64/kernel/ptrace.c --- linux-2.2.19-ow3/arch/sparc64/kernel/ptrace.c Sun Mar 25 11:31:53 2001 +++ linux-2.2.19-hap-4/arch/sparc64/kernel/ptrace.c Sat Oct 20 01:52:39 2001 @@ -543,7 +543,11 @@ unsigned long data = regs->u_regs[UREG_I3]; unsigned long addr2 = regs->u_regs[UREG_I4]; struct task_struct *child; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ +#endif if (current->tss.flags & SPARC_FLAG_32BIT) { addr &= 0xffffffffUL; data &= 0xffffffffUL; @@ -620,6 +624,30 @@ pt_error_return(regs, EPERM); goto out; } +#ifdef CONFIG_SECURE_CHROOT + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) && + !( (current->fs->root->d_inode->i_dev == + child->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + child->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it ptrace + * any process not in the same jail with it + */ + security_alert("denied ptrace of %s[%d] within chrooted " + "jail [%s]:%lu by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d ", + "ptraces from a chrooted process", + child->comm, child->pid, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->comm, current->pid, + current->uid, current->euid, current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + pt_error_return(regs, EPERM); + goto out; + } +#endif child->flags |= PF_PTRACED; write_lock_irqsave(&tasklist_lock, flags); if(child->p_pptr != current) { diff -urP linux-2.2.19-ow3/fs/exec.c linux-2.2.19-hap-4/fs/exec.c --- linux-2.2.19-ow3/fs/exec.c Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/fs/exec.c Sat Oct 20 01:52:39 2001 @@ -762,6 +762,22 @@ return retval; #endif } +#ifdef CONFIG_SECURE_BUGFIX + /* ptraced executables must be readable */ + if (current->flags & PF_PTRACED) { + if ((retval = permission(bprm->dentry->d_inode, MAY_READ)) != 0) { +#ifdef CONFIG_SECURE_LOGGING + security_alert("refused ptrace of unreadable executable % s " + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", + "unreadable executables ptraced", + bprm->filename, current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, current->p_pptr->uid, + current->p_pptr->euid); +#endif + return retval; + } + } +#endif memset(bprm->buf,0,sizeof(bprm->buf)); return read_exec(bprm->dentry,0,bprm->buf,128,1); @@ -930,6 +946,29 @@ int retval; int i; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is in a chrooted jail; log everything it exec's + */ + security_alert("exec of %s within chrooted jail [%s]:%lu by " + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d" , + "execs from a chrooted process", + filename, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino,current->comm, + current->pid,current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid ); + } +#endif /* CONFIG_SECURE_CHROOT */ + #ifdef CONFIG_SECURE_RLIMIT_NPROC /* * This check is similar to that done in kernel/fork.c, except that we diff -urP linux-2.2.19-ow3/fs/namei.c linux-2.2.19-hap-4/fs/namei.c --- linux-2.2.19-ow3/fs/namei.c Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/fs/namei.c Sat Oct 20 01:52:39 2001 @@ -306,18 +306,28 @@ if (S_ISLNK(inode->i_mode) && (base->d_inode->i_mode & S_ISVTX) && inode->i_uid != base->d_inode->i_uid && +#ifdef CONFIG_SECURE_NOTSOMUCH + /* + * Let this happen as long as the +t dir is + * not world-writable. + */ + (base->d_inode->i_mode & S_IWOTH) && +#endif current->fsuid != inode->i_uid) { - security_alert("not followed symlink of %d.%d " - "by UID %d, EUID %d, process %s:%d", + security_alert("not followed symlink of [%s]:%lu " + "owned by %d.%d by %s[%d], UID %d, " + "EUID %d, parent %s[%d], UID %d, EUID %d" , "symlinks not followed", - inode->i_uid, inode->i_gid, - current->uid, current->euid, - current->comm, current->pid); + kdevname(inode->i_dev), inode->i_ino, + inode->i_uid, inode->i_gid, current->comm , + current->pid, current->uid, current->euid , + current->p_pptr->comm, current->p_pptr->p id, + current->p_pptr->uid, current->p_pptr->eu id); dput(dentry); dput(base); return ERR_PTR(-EACCES); } -#endif +#endif /* CONFIG_SECURE_LINK */ if (current->need_resched) { current->state = TASK_RUNNING; @@ -761,19 +771,28 @@ if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && inode->i_uid != dir->d_inode->i_uid && +#ifdef CONFIG_SECURE_NOTSOMUCH + /* + * Let this happen as long as the +t dir isn't world-writable + */ + (dir->d_inode->i_mode & S_IWOTH) && +#endif current->fsuid != inode->i_uid) { if (!permission(inode, acc_mode)) - security_alert("denied writing FIFO of %d.%d " - "by UID %d, EUID %d, process %s:%d", + security_alert("denied writing FIFO [%s]:%lu owned " + "by %d.%d by %s[%d], UID %d, EUID %d, parent " + "%s[%d], UID %d, EUID %d", "writes into a FIFO denied", - inode->i_uid, inode->i_gid, - current->uid, current->euid, - current->comm, current->pid); + kdevname(inode->i_dev), inode->i_ino, + inode->i_uid, inode->i_gid, current->comm, + current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); error = -EACCES; unlock_dir(dir); goto exit; } -#endif +#endif /* CONFIG_SECURE_FIFO */ /* * Somebody might have created the file while we @@ -914,6 +933,11 @@ { int error; char * tmp; + struct dentry * dentry; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + char hap_dev_mode; +#endif lock_kernel(); error = -EPERM; @@ -932,7 +956,47 @@ tmp = getname(filename); error = PTR_ERR(tmp); if (!IS_ERR(tmp)) { - struct dentry * dentry = do_mknod(tmp,mode,dev); +#ifdef CONFIG_SECURE_CHROOT + if (!S_ISFIFO(mode)) { + /* find task for init */ + hap_init_task = task[smp_num_cpus] ? : task[0]; + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is in a chrooted jail; don't let it + * make a raw device through which to break out (by + * double-mounting an fs, reading kmem, kybd, etc) + */ + switch (mode & S_IFMT) { + case S_IFREG: hap_dev_mode = 'r'; break; + case S_IFCHR: hap_dev_mode = 'c'; break; + case S_IFBLK: hap_dev_mode = 'b'; break; + case S_IFSOCK: hap_dev_mode = 's'; break; + default: hap_dev_mode = 'u'; + } + security_alert("refused attempt to mknod %c:[%s] (%s) " + "from chrooted jail [%s]:%lu owned by %d.%d by " + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " + "%d, EUID %d", + "chrooted mknods denied", + hap_dev_mode, kdevname(dev), tmp, + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, current->comm, + current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); + putname(tmp); + error = -EPERM; + goto out; + } + } +#endif + dentry = do_mknod(tmp,mode,dev); putname(tmp); error = PTR_ERR(dentry); if (!IS_ERR(dentry)) { @@ -1263,13 +1327,21 @@ ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) || (error = permission(inode, MAY_READ | MAY_WRITE))) && !capable(CAP_FOWNER) && +#ifdef CONFIG_SECURE_NOTSOMUCH + /* + * Let users hard link to files in their group. + */ + current->fsgid != inode->i_gid && +#endif current->uid) { - security_alert("denied hard link to %d.%d " - "for UID %d, EUID %d, process %s:%d", + security_alert("denied hard link to [%s]:%lu owned by %d.%d " + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", "hard links denied", + kdevname(inode->i_dev), inode->i_ino, inode->i_uid, inode->i_gid, - current->uid, current->euid, - current->comm, current->pid); + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); goto exit_lock; } #endif diff -urP linux-2.2.19-ow3/fs/open.c linux-2.2.19-hap-4/fs/open.c --- linux-2.2.19-ow3/fs/open.c Sun Mar 25 11:37:38 2001 +++ linux-2.2.19-hap-4/fs/open.c Sat Oct 20 01:52:39 2001 @@ -396,6 +396,10 @@ int error; struct inode *inode; struct dentry *dentry, *tmp; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + char * hap_new_chroot_path; +#endif lock_kernel(); @@ -417,11 +421,61 @@ error = -EPERM; if (!capable(CAP_SYS_CHROOT)) goto dput_and_out; +#ifdef CONFIG_SECURE_CHROOT + + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is already in a chrooted jail; don't let it chroot out. + */ + if (IS_ERR(hap_new_chroot_path = getname(filename))) + hap_new_chroot_path = "[err]"; + security_alert("refused attempt to chroot from [%s]:%lu to " + "[%s]:%lu (%s) owned by %d.%d, process %s[%d], UID %d, " + "EUID %d, parent %s[%d], UID %d, EUID %d", + "double chroots denied", + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + kdevname(inode->i_dev), inode->i_ino, hap_new_chroot_path, + inode->i_uid, inode->i_gid, + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); + putname(hap_new_chroot_path); + error = -EPERM; + goto dput_and_out; + } +#endif /* exchange dentries */ tmp = current->fs->root; current->fs->root = dentry; dentry = tmp; +#ifdef CONFIG_SECURE_CHROOT + /* drop various dangerous capabilities when chrooting + * note init is exempt for initrd-type games */ + if (current->pid && current->pid > 1) { + cap_lower(current->cap_permitted, + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_inheritable, + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); + cap_lower(current->cap_effective, + CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE & + CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & + CAP_SYS_PACCT & CAP_SYS_ADMIN & CAP_SYS_BOOT & + CAP_SYS_RESOURCE & CAP_SYS_TIME & CAP_SYS_TTY_CONFIG); + } +#endif error = 0; dput_and_out: @@ -438,6 +492,9 @@ struct file * file; int err = -EBADF; struct iattr newattrs; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; +#endif lock_kernel(); file = fget(fd); @@ -458,6 +515,36 @@ goto out_putf; if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_SECURE_CHROOT + if ((mode & S_ISUID) || (mode & S_ISGID)) { + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it turn on the set[ug]id b its. + */ + security_alert("refused attempt to fchmod +s [%s]:%lu " + "owned by %d.%d to mode 0%07o from chrooted jail " + "[%s]:%lu owned by %d.%d by %s[%d], UID %d, EUID " + "%d, parent %s[%d], UID %d, EUID %d", + "chrooted fchmod +s's denied", + kdevname(inode->i_dev), inode->i_ino, + inode->i_uid, inode->i_gid, mode, + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, current->comm, + current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); + err = -EPERM; + goto out_putf; + } + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; err = notify_change(dentry, &newattrs); @@ -475,6 +562,10 @@ struct inode * inode; int error; struct iattr newattrs; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + char * hap_chmod_filename; +#endif lock_kernel(); dentry = namei(filename); @@ -494,6 +585,39 @@ if (mode == (mode_t) -1) mode = inode->i_mode; +#ifdef CONFIG_SECURE_CHROOT + if ((mode & S_ISUID) || (mode & S_ISGID)) { + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is chrooted; don't let it turn on the set[gu]id b its. + */ + if (IS_ERR(hap_chmod_filename = getname(filename))) + hap_chmod_filename = "[err]"; + security_alert("refused attempt to chmod +s [%s]:%lu " + "(%s) owned by %d.%d to mode 0%07o from chrooted " + "jail [%s]:%lu owned by %d.%d by %s[%d], UID %d, " + "EUID %d, parent %s[%d], UID %d, EUID %d", + "chrooted chmod +s's denied", + kdevname(inode->i_dev), inode->i_ino, hap_chmod_filen ame, + inode->i_uid, inode->i_gid, mode, + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, current->comm, + current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); + putname(hap_chmod_filename); + error = -EPERM; + goto dput_and_out; + } + } +#endif newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(dentry, &newattrs); diff -urP linux-2.2.19-ow3/fs/super.c linux-2.2.19-hap-4/fs/super.c --- linux-2.2.19-ow3/fs/super.c Sun Mar 25 11:30:58 2001 +++ linux-2.2.19-hap-4/fs/super.c Sat Oct 20 01:52:39 2001 @@ -36,6 +36,10 @@ #include #endif +#ifdef CONFIG_SECURE_CHROOT +#include +#endif + /* * We use a semaphore to synchronize all mount/umount * activity - imagine the mess if we have a race between @@ -1045,10 +1049,48 @@ unsigned long flags = 0; unsigned long page = 0; struct file dummy; /* allows read-write or read-only flag */ +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; + char * hap_mount_dev; + char * hap_mount_path; +#endif lock_kernel(); if (!capable(CAP_SYS_ADMIN)) goto out; +#ifdef CONFIG_SECURE_CHROOT + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + + if (!( (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev) && + (current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) ) ) { + /* + * This process is in a chrooted jail; don't let it (re)mount any filesys tems. + */ + if(IS_ERR(hap_mount_dev = getname(dev_name))) + hap_mount_dev = "nodev"; + if(IS_ERR(hap_mount_path = getname(dir_name))) + hap_mount_path = "[err]"; + security_alert("refused attempt to mount [%s] as %s " + "from chrooted jail [%s]:%lu owned by %d.%d by " + "%s[%d], UID %d, EUID %d, parent %s[%d], UID " + "%d, EUID %d", + "chrooted mounts denied", + hap_mount_dev, hap_mount_path, + kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, + current->fs->root->d_inode->i_uid, + current->fs->root->d_inode->i_gid, current->comm, current->pi d, + current->uid, current->euid, current->p_pptr->comm, + current->p_pptr->pid, current->p_pptr->uid, + current->p_pptr->euid); + putname(hap_mount_dev); + putname(hap_mount_path); + retval = -EPERM; + goto out; + } +#endif if ((new_flags & (MS_MGC_MSK | MS_REMOUNT)) == (MS_MGC_VAL | MS_REMOUNT)) { retval = copy_mount_options (data, &page); diff -urP linux-2.2.19-ow3/include/linux/kernel.h linux-2.2.19-hap-4/include/linu x/kernel.h --- linux-2.2.19-ow3/include/linux/kernel.h Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/include/linux/kernel.h Sat Oct 20 01:52:39 2001 @@ -89,14 +89,14 @@ \ spin_lock(&security_alert_lock); \ \ -/* Make sure at least one minute passed since the last warning logged */ \ - if (!warning_time || jiffies - warning_time > 60 * HZ) { \ +/* Make sure at least one second passed since the last warning logged */ \ + if (!warning_time || jiffies - warning_time > HZ) { \ warning_time = jiffies; no_flood_yet = 1; \ - printk(KERN_ALERT "Security: " normal_msg "\n", ## args); \ + printk(KERN_WARNING "Security: " normal_msg "\n", ## args); \ } else if (no_flood_yet) { \ warning_time = jiffies; no_flood_yet = 0; \ - printk(KERN_ALERT "Security: more " flood_msg \ - ", logging disabled for a minute\n"); \ + printk(KERN_WARNING "Security: more " flood_msg \ + ", logging disabled for one second\n"); \ } \ \ spin_unlock(&security_alert_lock); \ diff -urP linux-2.2.19-ow3/include/linux/tasks.h linux-2.2.19-hap-4/include/linux /tasks.h --- linux-2.2.19-ow3/include/linux/tasks.h Sun Mar 25 11:31:03 2001 +++ linux-2.2.19-hap-4/include/linux/tasks.h Sat Oct 20 01:52:39 2001 @@ -11,7 +11,7 @@ #define NR_CPUS 1 #endif -#define NR_TASKS 512 /* On x86 Max about 4000 */ +#define NR_TASKS 2048 /* On x86 Max about 4000 */ #define MAX_TASKS_PER_USER (NR_TASKS/2) #define MIN_TASKS_LEFT_FOR_ROOT 4 diff -urP linux-2.2.19-ow3/include/net/dst.h linux-2.2.19-hap-4/include/net/dst.h --- linux-2.2.19-ow3/include/net/dst.h Sun Mar 25 11:31:07 2001 +++ linux-2.2.19-hap-4/include/net/dst.h Sat Oct 20 01:52:39 2001 @@ -16,7 +16,11 @@ * 1 - rare events and bugs (default) * 2 - trace mode. */ -#define RT_CACHE_DEBUG 0 +#ifdef CONFIG_SECURE_LOGGING +#define RT_CACHE_DEBUG 1 +#else +#define RT_CACHE_DEBUG 0 +#endif #define DST_GC_MIN (1*HZ) #define DST_GC_INC (5*HZ) diff -urP linux-2.2.19-ow3/kernel/fork.c linux-2.2.19-hap-4/kernel/fork.c --- linux-2.2.19-ow3/kernel/fork.c Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/kernel/fork.c Sat Oct 20 01:52:39 2001 @@ -746,6 +746,15 @@ free_uid(p); bad_fork_free: free_task_struct(p); +#ifdef CONFIG_SECURE_LOGGING + security_alert("fork failure errno %d by %s[%d], UID %d, EUID %d, " + "parent %s[%d], UID %d, EUID %d", + "fork failures", + retval, current->comm, current->pid, + current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); +#endif goto bad_fork; } diff -urP linux-2.2.19-ow3/kernel/signal.c linux-2.2.19-hap-4/kernel/signal.c --- linux-2.2.19-ow3/kernel/signal.c Sun Mar 25 11:37:40 2001 +++ linux-2.2.19-hap-4/kernel/signal.c Sat Oct 20 01:52:39 2001 @@ -254,6 +254,9 @@ { unsigned long flags; int ret; +#ifdef CONFIG_SECURE_CHROOT + struct task_struct * hap_init_task; +#endif #if DEBUG_SIG printk("SIG queue (%s:%d): %d ", t->comm, t->pid, sig); @@ -270,13 +273,68 @@ && (current->uid ^ t->suid) && (current->uid ^ t->uid) && !capable(CAP_KILL)) goto out_nolock; - - /* The null signal is a permissions and process existance probe. - No signal is actually delivered. Same goes for zombies. - We have to grab the spinlock now so that we do not race + /* We have to grab the spinlock now so that we do not race with flush_signals. */ - ret = 0; spin_lock_irqsave(&t->sigmask_lock, flags); + +#ifdef CONFIG_SECURE_CHROOT + /* + * chrooted processes can only send signals to other processes in + * the same jail, with the exception that they can send SIGALRM and + * SIGIO to any process, and SIGCHLD to their parent, regardless. + */ + hap_init_task = task[smp_num_cpus] ? : task[0]; /* find task for init */ + if ( /* noop for 'signal zero' */ + sig && + + /* be careful not to deref a null pointer later */ + t->pid && t->fs && t->fs->root && t->fs->root->d_inode && t->p_pp tr && + current->pid && current->fs && current->fs->root && + current->fs->root->d_inode && current->p_pptr && + hap_init_task && hap_init_task->pid && hap_init_task->fs && + hap_init_task->fs->root && hap_init_task->fs->root->d_inode && + + /* real work starting: check if signal is "mostly harmless" */ + !( sig == SIGALRM || sig == SIGIO || + + /* check if current is not chrooted */ + (current->fs->root->d_inode->i_dev == + hap_init_task->fs->root->d_inode->i_dev && + current->fs->root->d_inode->i_ino == + hap_init_task->fs->root->d_inode->i_ino) || + + /* else check if current && target are under same chroot */ + (t->fs->root->d_inode->i_dev == + current->fs->root->d_inode->i_dev && + t->fs->root->d_inode->i_ino == + current->fs->root->d_inode->i_ino) || + + /* else check if child is sending parent SIGCHILD */ + (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) { + + /* Note: if target is init, its parent is task 0 */ + security_alert("refused signal %d out of chrooted jail [%s]:%lu " + "owned by %d.%d by %s[%d], UID %d, EUID %d, parent " + "%s[%d], UID %d, EUID %d to %s[%d], UID %d, EUID %d with " + "root [%s]:%lu owned by %d.%d, parent %s[%d], UID %d, EUI D %d", + "refused signals", + sig, kdevname(current->fs->root->d_inode->i_dev), + current->fs->root->d_inode->i_ino, current->fs->root->d_i node->i_uid, + current->fs->root->d_inode->i_gid, current->comm, + current->pid, current->uid, current->euid, current->p_ppt r->comm, + current->p_pptr->pid, current->p_pptr->uid, current->p_pp tr->euid, + t->comm, t->pid, t->uid, t->euid, kdevname(t->fs->root->d _inode->i_dev), + t->fs->root->d_inode->i_ino, t->fs->root->d_inode->i_uid, + t->fs->root->d_inode->i_gid, t->p_pptr->comm, t->p_pptr-> pid, + t->p_pptr->uid, t->p_pptr->euid); + spin_unlock_irqrestore(&t->sigmask_lock, flags); + goto out_nolock; + } + +#endif + ret = 0; + /* The null signal is a permissions and process existance probe. + No signal is actually delivered. Same goes for zombies. */ if (!sig || !t->sig) { spin_unlock_irqrestore(&t->sigmask_lock, flags); goto out_nolock; @@ -301,6 +359,34 @@ /* Inflict this corner case with recalculations, not mainline */ recalc_sigpending(t); break; +#if CONFIG_SECURE_LOGGING + case SIGSEGV: case SIGILL: case SIGABRT: case SIGBUS: +#ifdef __i386__ + security_alert("signal %d (%s addr 0x%08lx) sent to " + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", + "signal warnings", + sig, (t->tss.error_code & 2) ? "write" : "read or execute ", + t->tss.cr2, + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); +#else + security_alert("signal %d sent to " + "%s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d, " + "by %s[%d], UID %d, EUID %d, parent %s[%d], UID %d, EUID %d", + "signal warnings", + sig, + t->comm, t->pid, t->uid, t->euid, t->p_pptr->comm, + t->p_pptr->pid, t->p_pptr->uid, t->p_pptr->euid, + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); +#endif + break; +#endif } /* Optimize away the signal, if it's a signal that can be diff -urP linux-2.2.19-ow3/kernel/time.c linux-2.2.19-hap-4/kernel/time.c --- linux-2.2.19-ow3/kernel/time.c Sun Mar 25 11:31:02 2001 +++ linux-2.2.19-hap-4/kernel/time.c Sat Oct 20 01:52:39 2001 @@ -108,6 +108,14 @@ time_maxerror = NTP_PHASE_LIMIT; time_esterror = NTP_PHASE_LIMIT; write_unlock_irq(&xtime_lock); +#ifdef CONFIG_SECURE_LOGGING + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " + "UID %d, EUID %d", + "time sets", + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); +#endif return 0; } @@ -184,6 +192,14 @@ * globally block out interrupts when it runs. */ do_settimeofday(tv); +#ifdef CONFIG_SECURE_LOGGING + security_alert("time set by %s[%d], UID %d, EUID %d, parent %s[%d], " + "UID %d, EUID %d", + "time sets", + current->comm, current->pid, current->uid, current->euid, + current->p_pptr->comm, current->p_pptr->pid, + current->p_pptr->uid, current->p_pptr->euid); +#endif } return 0; } diff -urP linux-2.2.19-ow3/net/core/utils.c linux-2.2.19-hap-4/net/core/utils.c --- linux-2.2.19-ow3/net/core/utils.c Sun Mar 25 11:31:12 2001 +++ linux-2.2.19-hap-4/net/core/utils.c Sat Oct 20 01:52:39 2001 @@ -35,12 +35,21 @@ net_random(); } +#ifdef CONFIG_SECURE_LOGGING +int net_msg_cost = HZ; +#else int net_msg_cost = 5*HZ; +#endif int net_msg_burst = 10*5*HZ; /* +#ifdef CONFIG_SECURE_LOGGING + * This enforces a rate limit: not more than one kernel message + * every 1secs to make a denial-of-service attack harder. +#else * This enforces a rate limit: not more than one kernel message * every 5secs to make a denial-of-service attack impossible. +#endif * * All warning printk()s should be guarded by this function. */ diff -urP linux-2.2.19-ow3/net/ipv4/ip_fw.c linux-2.2.19-hap-4/net/ipv4/ip_fw.c --- linux-2.2.19-ow3/net/ipv4/ip_fw.c Sun Mar 25 11:31:12 2001 +++ linux-2.2.19-hap-4/net/ipv4/ip_fw.c Sat Oct 20 01:52:39 2001 @@ -416,34 +416,83 @@ __u32 *opt = (__u32 *) (ip + 1); int opti; - if (f) - { + if (f) { +#ifdef CONFIG_SECURE_NETWORK + /* log any accepted packet at kern.debug instead of kern.info */ + if (f->simplebranch==FW_ACCEPT || + f->simplebranch==FW_REDIRECT || + f->simplebranch==FW_MASQUERADE) + printk(KERN_DEBUG "Packet log: %s ",chainlabel); + else +#endif printk(KERN_INFO "Packet log: %s ",chainlabel); - printk("%s ",branchname(f->branch,f->simplebranch)); if (f->simplebranch==FW_REDIRECT) printk("%d ",f->ipfw.fw_redirpt); } +#ifdef CONFIG_SECURE_NETWORK + if (ip->protocol == IPPROTO_TCP + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { + struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl); + printk("%s PROTO=TCP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " + "L=%hu:%hu:%hu S=0x%2.2hX I=%hu:%u:%u F=0x%4.4hX " + "T=%hu %c%c%c%c%c%c", + ifname, + NIPQUAD(ip->saddr), src_port, + NIPQUAD(ip->daddr), dst_port, + ntohs(ip->tot_len), ntohs(ip->tot_len) - ip->ihl*4, + ntohs(ip->tot_len) - ip->ihl*4 - tcp->doff*4, + ip->tos, ntohs(ip->id), ntohl(tcp->seq), + ntohl(tcp->ack_seq), ip->frag_off, ip->ttl, + tcp->ack ? 'A' : '.', + tcp->syn ? 'S' : '.', + tcp->fin ? 'F' : '.', + tcp->rst ? 'R' : '.', + tcp->psh ? 'P' : '.', + tcp->urg ? 'U' : '.' ); + } else if (ip->protocol == IPPROTO_UDP + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { + struct udphdr *udp = (struct udphdr *)((__u32 *)ip + ip->ihl); + printk("%s PROTO=UDP %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu " + "L=%hu:%u S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", + ifname, + NIPQUAD(ip->saddr), src_port, + NIPQUAD(ip->daddr), dst_port, + ntohs(ip->tot_len), ntohs(udp->len), + ip->tos, ntohs(ip->id), ip->frag_off, ip->ttl); + } else if (ip->protocol == IPPROTO_ICMP + && !(ip->frag_off & __constant_htons(IP_OFFSET))) { + struct icmphdr *icmp = (struct icmphdr *)((__u32 *)ip + ip->ihl); + printk("%s PROTO=ICMP/%d:%d %d.%d.%d.%d %d.%d.%d.%d L=%hu " + "S=0x%2.2hX I=%hu:%hu:%hu F=0x%4.4hX T=%hu", + ifname, icmp->type, icmp->code, + NIPQUAD(ip->saddr), + NIPQUAD(ip->daddr), + ntohs(ip->tot_len), ip->tos, + ntohs(ip->id), ntohs(icmp->un.echo.id), + ntohs(icmp->un.echo.sequence), + ip->frag_off, ip->ttl); + } else { +#endif printk("%s PROTO=%d %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu" " L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu", ifname, ip->protocol, - (ntohl(ip->saddr)>>24)&0xFF, - (ntohl(ip->saddr)>>16)&0xFF, - (ntohl(ip->saddr)>>8)&0xFF, - (ntohl(ip->saddr))&0xFF, - src_port, - (ntohl(ip->daddr)>>24)&0xFF, - (ntohl(ip->daddr)>>16)&0xFF, - (ntohl(ip->daddr)>>8)&0xFF, - (ntohl(ip->daddr))&0xFF, - dst_port, + NIPQUAD(ip->saddr), src_port, + NIPQUAD(ip->daddr), dst_port, ntohs(ip->tot_len), ip->tos, ntohs(ip->id), ntohs(ip->frag_off), ip->ttl); +#ifdef CONFIG_SECURE_NETWORK + } +#endif for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++) printk(" O=0x%8.8X", *opt++); +#ifdef CONFIG_SECURE_NETWORK + printk(" (#%d)\n", count); +#else printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count); +#endif } /* function for checking chain labels for user space. */ diff -urP linux-2.2.19-ow3/net/ipv4/route.c linux-2.2.19-hap-4/net/ipv4/route.c --- linux-2.2.19-ow3/net/ipv4/route.c Sun Mar 25 11:37:41 2001 +++ linux-2.2.19-hap-4/net/ipv4/route.c Sat Oct 20 01:52:39 2001 @@ -715,12 +715,20 @@ return; reject_redirect: +#ifdef CONFIG_SECURE_LOGGING + security_alert("redirect from %d.%d.%d.%d/%s to %d.%d.%d.%d ignored; " + "path = %d.%d.%d.%d -> %d.%d.%d.%d, tos %02x\n", + "redirects ignored", + NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw), + NIPQUAD(saddr), NIPQUAD(daddr), tos); +#else #ifdef CONFIG_IP_ROUTE_VERBOSE if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) printk(KERN_INFO "Redirect from %X/%s to %X ignored." "Path = %X -> %X, tos %02x\n", ntohl(old_gw), dev->name, ntohl(new_gw), ntohl(saddr), ntohl(daddr), tos); +#endif #endif } diff -urP linux-2.2.19-ow3/net/ipv4/tcp_ipv4.c linux-2.2.19-hap-4/net/ipv4/tcp_ip v4.c --- linux-2.2.19-ow3/net/ipv4/tcp_ipv4.c Sun Mar 25 11:37:41 2001 +++ linux-2.2.19-hap-4/net/ipv4/tcp_ipv4.c Sat Oct 20 01:52:39 2001 @@ -1747,6 +1747,14 @@ len < (th->doff * 4)) goto bad_packet; +#ifdef CONFIG_SECURE_NETWORK + /* Throw out packets with clearly bogus flags. */ + if ( ! (th->ack || th->syn || th->rst) || + (th->fin && (th->syn || th->rst) ) || + (th->rst && (th->syn || th->urg) ) || + (th->syn && th->urg) ) + goto tcp_bad_flags; +#endif #ifdef CONFIG_IP_TRANSPARENT_PROXY if (IPCB(skb)->redirport) sk = tcp_v4_proxy_lookup(th->dest, skb->nh.iph->saddr, th->source , @@ -1762,7 +1770,11 @@ } #endif if (!sk) +#ifdef CONFIG_SECURE_NETWORK + goto tcp_unserved; +#else goto no_tcp_socket; +#endif if(!ipsec_sk_policy(sk,skb)) goto discard_it; @@ -1780,6 +1792,52 @@ __skb_queue_tail(&sk->back_log, skb); return 0; +#ifdef CONFIG_SECURE_NETWORK + +tcp_bad_flags: + if(net_ratelimit()) + printk(KERN_INFO + "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d " + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u " + "T=%hu %c%c%c%c%c%c\n", + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), + ntohl(th->ack_seq), skb->nh.iph->ttl, + th->ack ? 'A' : '.', + th->syn ? 'S' : '.', + th->fin ? 'F' : '.', + th->rst ? 'R' : '.', + th->psh ? 'P' : '.', + th->urg ? 'U' : '.' ); + /* + * This will cause tcp_send_reset to *not* send. + */ + th->rst=1; + goto no_tcp_socket; + +tcp_unserved: + if(net_ratelimit()) + printk(KERN_INFO + "Packet log: unserved DENY %s PROTO=TCP %d.%d.%d.%d:%d " + "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX " + "I=%hu:%u:%u T=%hu %c%c%c%c%c%c\n", + skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source), + NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest), + ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4, + skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq), + ntohl(th->ack_seq), skb->nh.iph->ttl, + th->ack ? 'A' : '.', + th->syn ? 'S' : '.', + th->fin ? 'F' : '.', + th->rst ? 'R' : '.', + th->psh ? 'P' : '.', + th->urg ? 'U' : '.' ); +#ifdef CONFIG_SECURE_NET_SBD + th->rst=1; +#endif +#endif /* CONFIG_SECURE_NETWORK */ no_tcp_socket: tcp_v4_send_reset(skb); diff -urP linux-2.2.19-ow3/net/ipv4/udp.c linux-2.2.19-hap-4/net/ipv4/udp.c --- linux-2.2.19-ow3/net/ipv4/udp.c Sun Mar 25 11:37:41 2001 +++ linux-2.2.19-hap-4/net/ipv4/udp.c Sat Oct 20 01:52:39 2001 @@ -1137,6 +1137,14 @@ goto csum_error; #endif udp_statistics.UdpNoPorts++; +#ifdef CONFIG_SECURE_NETWORK + /* + * This will cause a message for _every_ UDP packet we didn't + * ask for, _including_ broadcasts. If you don't care about + * broadcasts, move the following line inside the if { .. } below . + */ + goto udp_unserved_port; +#else icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); /* @@ -1145,9 +1153,29 @@ */ kfree_skb(skb); return(0); +#endif } udp_deliver(sk, skb); return 0; + +#ifdef CONFIG_SECURE_NETWORK + +udp_unserved_port: + if(net_ratelimit()) + printk( KERN_INFO + "Packet log: unserved DENY %s PROTO=UDP %d.%d.%d.%d:%d %d.%d.%d.% d:%d " + "L=%hu:%u S=0x%2.2hX I=%hu T=%hu\n", + skb->dev->name, NIPQUAD(saddr), ntohs(uh->source), + NIPQUAD(daddr), ntohs(uh->dest), ntohs(skb->nh.iph->tot_len), + ntohs(uh->len), skb->nh.iph->tos, ntohs(skb->nh.iph->id), + skb->nh.iph->ttl); +#ifndef CONFIG_SECURE_NET_SBD + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); +#endif + skb->sk = NULL; + kfree_skb(skb); + return(0); +#endif /* CONFIG_SECURE_NETWORK */ csum_error: /* diff -urP linux-2.2.19-ow3/security/Common.in linux-2.2.19-hap-4/security/Common. in --- linux-2.2.19-ow3/security/Common.in Sat Oct 20 01:47:18 2001 +++ linux-2.2.19-hap-4/security/Common.in Sat Oct 20 01:52:39 2001 @@ -4,9 +4,19 @@ bool 'Restricted links in /tmp' CONFIG_SECURE_LINK bool 'Restricted FIFOs in /tmp' CONFIG_SECURE_FIFO +if [ "$CONFIG_SECURE_LINK" = "y" -o "CONFIG_SECURE_FIFO" = "y" ]; then + bool 'Allow links/fifos in non-world-writable +t dirs' CONFIG_SECURE_NOTS OMUCH +fi bool 'Restricted /proc' CONFIG_SECURE_PROC bool 'Special handling of fd 0, 1, and 2' CONFIG_SECURE_FD_0_1_2 bool 'Enforce RLIMIT_NPROC on execve(2)' CONFIG_SECURE_RLIMIT_NPROC if [ "$CONFIG_SYSVIPC" = "y" ]; then bool 'Destroy shared memory segments not in use' CONFIG_SECURE_SHM fi +bool 'Unofficial bugfixes' CONFIG_SECURE_BUGFIX +bool 'Extra logging of unusual events' CONFIG_SECURE_LOGGING +bool 'Paranoid networking' CONFIG_SECURE_NETWORK +if [ "$CONFIG_SECURE_NETWORK" = "y" ]; then + bool 'Blackhole networking' CONFIG_SECURE_NET_SBD +fi +bool 'Restricted chroot' CONFIG_SECURE_CHROOT