authorBrandon Hale <tseng@gentoo.org>2004-06-29 21:12:40 +0000
committerBrandon Hale <tseng@gentoo.org>2004-06-29 21:12:40 +0000
commitff6cc5d67db9c553d7783e2de5f1e6c48b82a8c8 (patch)
treee89b02f16c0f6ce0c8c48986099a58e9f1f444ea /src/kernel/hardened-patches/hardened-patches-2.6-7.1
parentupdate grsec patch to 0629 (diff)
update modules_off patch
Diffstat (limited to 'src/kernel/hardened-patches/hardened-patches-2.6-7.1')
-rw-r--r--src/kernel/hardened-patches/hardened-patches-2.6-7.1/0000_README9
-rw-r--r--src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.3.patch75
-rw-r--r--src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.7.patch224
3 files changed, 226 insertions, 82 deletions
diff --git a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/0000_README b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/0000_README
index e3e31d890c..c42e592134 100644
--- a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/0000_README
+++ b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/0000_README
@@ -20,7 +20,7 @@ Invididual Patch Descriptions:
-------------------------------------------------------------------------------
Patch: 1000_grsecurity-2.0.1-2.6.7.patch
from: Brad Spengler, http://grsecurity.net
-desc: GRSecurity for 2.6.7
+desc: GRSecurity for 2.6.7, prerelease pulled 29-Jun-2004 15:41
Patch: 1300_linux-2.6.4-selinux-hooks.patch
from: Joshua Brindle <method@gentoo.org>
@@ -34,7 +34,7 @@ Patch: 1310_linux-2.6.5-extra_sec_ops.patch
from: Joshua Brindle <method@gentoo.org>
desc: Adds additional secondary ops to selinux
-Patch: 2005_modules_off-2.6.3.patch
+Patch: 2005_modules_off-2.6.7.patch
from: Michal Purzynski <albeiro@zeus.polsl.gliwice.pl>
desc: Support for disabling module loading via sysctl
@@ -42,11 +42,6 @@ Patch: 2010_tcp-stealth-2.6.7.patch
from: Updated for 2.6.7 by Michal Purzynski <albeiro@zeus.polsl.gliwice.pl>
desc: Stealth TCP features
-Patch: 2015_tcp-nmap-freak.patch
-from: Updated for 2.6.7 by Michal Purzynski <albeiro@zeus.polsl.gliwice.pl>
-desc: More stealth TCP features, targetted blocking nmap syn/fin scan
-and OS detection
-
Patch: 3000_netdev-random-core-2.6.7.patch
from: Michal Purzynski <albeiro@zeus.polsl.gliwice.pl>
desc: Core functionality for netdev random
diff --git a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.3.patch b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.3.patch
deleted file mode 100644
index 73d9f8c411..0000000000
--- a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.3.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-diff -uprN -X dontdiff linux-2.6.3-vanilla/fs/proc/proc_misc.c modules_off/linux-2.6.3-modules_off/fs/proc/proc_misc.c
---- linux-2.6.3-vanilla/fs/proc/proc_misc.c 2004-02-18 04:57:16.000000000 +0100
-+++ modules_off/linux-2.6.3-modules_off/fs/proc/proc_misc.c 2004-03-09 19:10:10.016286832 +0100
-@@ -70,6 +70,7 @@ extern int get_locks_status (char *, cha
- #ifdef CONFIG_SGI_DS1286
- extern int get_ds1286_status(char *);
- #endif
-+extern int module_loading_enabled;
-
- static int proc_calc_metrics(char *page, char **start, off_t off,
- int count, int *eof, int len)
-@@ -334,9 +335,31 @@ static int modules_open(struct inode *in
- {
- return seq_open(file, &modules_op);
- }
-+
-+static int modules_write(struct file *file, const char __user *buf,
-+ size_t count, loff_t *ppos)
-+{
-+ char tmp[4];
-+
-+ if (!count)
-+ return -EINVAL;
-+ if (count > 4)
-+ count = 4;
-+ if (copy_from_user(&tmp[0], buf, count))
-+ return -EFAULT;
-+ if (tmp[0]=='o') {
-+ printk(KERN_INFO "Disabled module (un)loading\n");
-+ module_loading_enabled = 0;
-+ }
-+
-+ return count;
-+
-+}
-+
- static struct file_operations proc_modules_operations = {
- .open = modules_open,
- .read = seq_read,
-+ .write = modules_write,
- .llseek = seq_lseek,
- .release = seq_release,
- };
-diff -uprN -X dontdiff linux-2.6.3-vanilla/kernel/module.c modules_off/linux-2.6.3-modules_off/kernel/module.c
---- linux-2.6.3-vanilla/kernel/module.c 2004-02-18 04:58:48.000000000 +0100
-+++ modules_off/linux-2.6.3-modules_off/kernel/module.c 2004-03-09 18:47:10.709973264 +0100
-@@ -53,6 +53,8 @@
- #define symbol_is(literal, string) \
- (strcmp(MODULE_SYMBOL_PREFIX literal, (string)) == 0)
-
-+int module_loading_enabled = 1;
-+
- /* Protects module list */
- static spinlock_t modlist_lock = SPIN_LOCK_UNLOCKED;
-
-@@ -667,6 +669,9 @@ sys_delete_module(const char __user *nam
-
- if (!capable(CAP_SYS_MODULE))
- return -EPERM;
-+
-+ if (!module_loading_enabled)
-+ return -ENOSYS;
-
- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
- return -EFAULT;
-@@ -1720,6 +1725,9 @@ sys_init_module(void __user *umod,
- /* Must have permission */
- if (!capable(CAP_SYS_MODULE))
- return -EPERM;
-+
-+ if (!module_loading_enabled)
-+ return -ENOSYS;
-
- /* Only one module load at a time, please */
- if (down_interruptible(&module_mutex) != 0)
diff --git a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.7.patch b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.7.patch
new file mode 100644
index 0000000000..dbe3240ffe
--- /dev/null
+++ b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/2005_modules_off-2.6.7.patch
@@ -0,0 +1,224 @@
+diff -uprN -X dontdiff linux-2.6.7/fs/proc/proc_misc.c linux-2.6.7-modules_off/fs/proc/proc_misc.c
+--- linux-2.6.7/fs/proc/proc_misc.c 2004-06-16 07:18:58.000000000 +0200
++++ linux-2.6.7-modules_off/fs/proc/proc_misc.c 2004-06-23 18:44:19.000000000 +0200
+@@ -70,6 +70,7 @@ extern int get_locks_status (char *, cha
+ #ifdef CONFIG_SGI_DS1286
+ extern int get_ds1286_status(char *);
+ #endif
++extern int module_loading_enabled;
+
+ static int proc_calc_metrics(char *page, char **start, off_t off,
+ int count, int *eof, int len)
+@@ -332,11 +333,41 @@ static struct file_operations proc_disks
+ extern struct seq_operations modules_op;
+ static int modules_open(struct inode *inode, struct file *file)
+ {
++#ifdef CONFIG_MODULES_OFF
++ if (!module_loading_enabled)
++ return -ENOSYS;
++#endif
+ return seq_open(file, &modules_op);
+ }
++
++#ifdef CONFIG_MODULES_OFF
++static int modules_write(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos)
++{
++ char tmp[4];
++
++ if (!count)
++ return -EINVAL;
++ if (count > 4)
++ count = 4;
++ if (copy_from_user(&tmp[0], buf, count))
++ return -EFAULT;
++ if (tmp[0]=='o') {
++ printk(KERN_INFO "Disabled module (un)loading\n");
++ module_loading_enabled = 0;
++ }
++
++ return count;
++
++}
++#endif
++
+ static struct file_operations proc_modules_operations = {
+ .open = modules_open,
+ .read = seq_read,
++#ifdef CONFIG_MODULES_OFF
++ .write = modules_write,
++#endif
+ .llseek = seq_lseek,
+ .release = seq_release,
+ };
+diff -uprN -X dontdiff linux-2.6.7/kernel/module.c linux-2.6.7-modules_off/kernel/module.c
+--- linux-2.6.7/kernel/module.c 2004-06-16 07:19:43.000000000 +0200
++++ linux-2.6.7-modules_off/kernel/module.c 2004-06-23 18:50:55.000000000 +0200
+@@ -55,6 +55,10 @@
+ #define symbol_is(literal, string) \
+ (strcmp(MODULE_SYMBOL_PREFIX literal, (string)) == 0)
+
++#ifdef CONFIG_MODULES_OFF
++int module_loading_enabled = 1;
++#endif
++
+ /* Protects module list */
+ static spinlock_t modlist_lock = SPIN_LOCK_UNLOCKED;
+
+@@ -389,7 +393,9 @@ static int add_attribute(struct module *
+ a->attr.owner = mod;
+ a->attr.mode = kp->perm;
+ a->param = kp;
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ retval = sysfs_create_file(&mod->mkobj->kobj, &a->attr);
++#endif
+ if (!retval)
+ mod->mkobj->num_attributes++;
+ return retval;
+@@ -563,6 +569,11 @@ sys_delete_module(const char __user *nam
+
+ if (!capable(CAP_SYS_MODULE))
+ return -EPERM;
++
++#ifdef CONFIG_MODULES_OFF
++ if (!module_loading_enabled)
++ return -ENOSYS;
++#endif
+
+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
+ return -EFAULT;
+@@ -687,6 +698,7 @@ static int refcnt_get_fn(char *buffer, s
+ return sprintf(buffer, "%u", module_refcount(mod)-1);
+ }
+
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ static inline int sysfs_unload_setup(struct module *mod)
+ {
+ mod->refcnt_param.name = "refcnt";
+@@ -695,6 +707,7 @@ static inline int sysfs_unload_setup(str
+
+ return add_attribute(mod, &mod->refcnt_param);
+ }
++#endif
+
+ #else /* !CONFIG_MODULE_UNLOAD */
+ static void print_unload_info(struct seq_file *m, struct module *mod)
+@@ -722,10 +735,13 @@ sys_delete_module(const char *name_user,
+ return -ENOSYS;
+ }
+
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ static inline int sysfs_unload_setup(struct module *mod)
+ {
+ return 0;
+ }
++#endif
++
+ #endif /* CONFIG_MODULE_UNLOAD */
+
+ #ifdef CONFIG_OBSOLETE_MODPARM
+@@ -1018,10 +1034,12 @@ static ssize_t module_attr_store(struct
+ return err;
+ }
+
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ static struct sysfs_ops module_sysfs_ops = {
+ .show = module_attr_show,
+ .store = module_attr_store,
+ };
++#endif
+
+ static void module_kobj_release(struct kobject *kobj)
+ {
+@@ -1029,11 +1047,14 @@ static void module_kobj_release(struct k
+ }
+
+ static struct kobj_type module_ktype = {
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ .sysfs_ops = &module_sysfs_ops,
++#endif
+ .release = &module_kobj_release,
+ };
+ static decl_subsys(module, &module_ktype, NULL);
+
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ static int mod_sysfs_setup(struct module *mod,
+ struct kernel_param *kparam,
+ unsigned int num_params)
+@@ -1081,12 +1102,15 @@ out:
+ kfree(mod->mkobj);
+ return err;
+ }
++#endif
+
+ static void mod_kobject_remove(struct module *mod)
+ {
+ unsigned int i;
+ for (i = 0; i < mod->mkobj->num_attributes; i++)
+- sysfs_remove_file(&mod->mkobj->kobj,&mod->mkobj->attr[i].attr);
++#ifndef CONFIG_MODULES_OFF_SYSFS
++sysfs_remove_file(&mod->mkobj->kobj,&mod->mkobj->attr[i].attr);
++#endif
+ /* Calls module_kobj_release */
+ kobject_unregister(&mod->mkobj->kobj);
+ }
+@@ -1705,11 +1729,13 @@ static struct module *load_module(void _
+ / sizeof(struct kernel_param),
+ NULL);
+ }
++#ifndef CONFIG_MODULES_OFF_SYSFS
+ err = mod_sysfs_setup(mod,
+ (struct kernel_param *)
+ sechdrs[setupindex].sh_addr,
+ sechdrs[setupindex].sh_size
+ / sizeof(struct kernel_param));
++#endif
+ if (err < 0)
+ goto arch_cleanup;
+
+@@ -1754,6 +1780,11 @@ sys_init_module(void __user *umod,
+ /* Must have permission */
+ if (!capable(CAP_SYS_MODULE))
+ return -EPERM;
++
++#ifdef CONFIG_MODULES_OFF
++ if (!module_loading_enabled)
++ return -ENOSYS;
++#endif
+
+ /* Only one module load at a time, please */
+ if (down_interruptible(&module_mutex) != 0)
+diff -uprN -X dontdiff linux-2.6.7/Makefile linux-2.6.7-modules_off/Makefile
+--- linux-2.6.7/Makefile 2004-06-16 07:19:37.000000000 +0200
++++ linux-2.6.7-modules_off/Makefile 2004-06-23 17:59:52.000000000 +0200
+@@ -1,7 +1,7 @@
+ VERSION = 2
+ PATCHLEVEL = 6
+ SUBLEVEL = 7
+-EXTRAVERSION =
++EXTRAVERSION = -modules_off
+ NAME=Zonked Quokka
+
+ # *DOCUMENTATION*
+diff -uprN -X dontdiff linux-2.6.7/security/Kconfig linux-2.6.7-modules_off/security/Kconfig
+--- linux-2.6.7/security/Kconfig 2004-06-16 07:19:42.000000000 +0200
++++ linux-2.6.7-modules_off/security/Kconfig 2004-06-23 18:41:56.000000000 +0200
+@@ -4,6 +4,18 @@
+
+ menu "Security options"
+
++config MODULES_OFF
++ bool "Modules off"
++ help
++ It makes possible to dissable modules loading, unloading and listing
++ after issuing 'echo off >/proc/modules'
++
++config MODULES_OFF_SYSFS
++ bool "Hide /sys/module"
++ depends on MODULES_OFF
++ help
++ Hide /sys/module dir to prevent from reading information about loaded modules.
++
+ config SECURITY
+ bool "Enable different security models"
+ help
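Review bot: `modules_write` in the proc_misc.c part of the new patch flips `module_loading_enabled` on any input whose first byte is `'o'`, so `echo on` has the same effect as the documented `echo off`, and it makes no capability check of its own, so whoever can open /proc/modules for writing (the entry's mode is not visible here; proc_misc's default is presumably root-only) can irreversibly disable module (un)loading for the whole system. I would gate it the way the two syscalls already are, `if (!capable(CAP_SYS_MODULE)) return -EPERM;` before the copy, and match the keyword exactly, `if (count < 3 || strncmp(tmp, "off", 3) != 0) return -EINVAL;`. Separately, the CONFIG_MODULES_OFF_SYSFS variant looks broken: the `#ifndef` inside `mod_kobject_remove` removes the `for` loop's only statement, so `kobject_unregister(&mod->mkobj->kobj)` becomes the loop body and runs once per attribute (or not at all), and because `mod_sysfs_setup`, which owns `mod->mkobj` (its `kfree(mod->mkobj)` is visible), is compiled out, `mod->mkobj` is never set up before `mod_kobject_remove` dereferences it. Bracing the loop body fixes the first part; the cleanup path needs the same `#ifndef` treatment as the setup path, and which callers reach `mod_kobject_remove` is outside the hunk.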