Diffstat (limited to 'src/kernel/hardened-patches/hardened-patches-2.6-7.1/1300_linux-2.6.4-selinux-hooks.patch')
-rw-r--r-- | src/kernel/hardened-patches/hardened-patches-2.6-7.1/1300_linux-2.6.4-selinux-hooks.patch | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/src/kernel/hardened-patches/hardened-patches-2.6-7.1/1300_linux-2.6.4-selinux-hooks.patch b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/1300_linux-2.6.4-selinux-hooks.patch
new file mode 100644
index 0000000000..ce033764f6
--- /dev/null
+++ b/src/kernel/hardened-patches/hardened-patches-2.6-7.1/1300_linux-2.6.4-selinux-hooks.patch
@@ -0,0 +1,137 @@
+diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/hooks.c linux-2.4.24-hardened-r1/security/selinux/hooks.c
+--- linux-2.4.24-hardened-r1.orig/security/selinux/hooks.c 2004-02-22 23:03:26.000000000 -0600
++++ linux-2.4.24-hardened-r1/security/selinux/hooks.c 2004-02-22 23:46:53.000000000 -0600
+@@ -3190,6 +3190,68 @@
+ return size;
+ }
+ 
++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
++static void avc_pax_set_flags(struct linux_binprm * bprm)
++{
++ struct inode_security_struct *isec;
++ unsigned long flags = 0;
++ int rc;
++
++ char *scontext;
++ u32 scontext_len;
++
++ /*
++ * get the security struct from the inode of the file
++ * since the bprm security struct will just point to
++ * the user running the binary
++ */
++ struct inode *inode = bprm->file->f_dentry->d_inode;
++ isec = inode->i_security;
++
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__PAGEEXEC, &isec->avcr,NULL);
++ if (!rc) {
++ flags |= PF_PAX_PAGEEXEC;
++ }
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__EMUTRAMP, &isec->avcr, NULL);
++ if (!rc) {
++ flags |= PF_PAX_EMUTRAMP;
++ }
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDEXEC, &isec->avcr, NULL);
++ if (!rc) {
++ flags |= PF_PAX_RANDEXEC;
++ }
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__MPROTECT, &isec->avcr, NULL);
++ if (!rc) {
++ flags |= PF_PAX_MPROTECT;
++ }
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__RANDMMAP, &isec->avcr, NULL);
++ if (!rc) {
++ flags |= PF_PAX_RANDMMAP;
++ }
++ rc = avc_has_perm(isec->sid, isec->sid, SECCLASS_PAX, PAX__SEGMEXEC, &isec->avcr, NULL);
++ if (!rc) {
++ flags |= PF_PAX_SEGMEXEC;
++ }
++
++ if (selinux_enforcing) {
++ /* pull all the pax flags in current */
++ current->flags &= ~(PF_PAX_PAGEEXEC | PF_PAX_EMUTRAMP | PF_PAX_MPROTECT | PF_PAX_RANDMMAP | PF_PAX_RANDEXEC | PF_PAX_SEGMEXEC);
++ /* and add ours */
++ current->flags |= flags;
++
++ if (pax_check_flags(¤t->flags) < 0) {
++ security_sid_to_context(isec->sid, &scontext, &scontext_len);
++ printk(KERN_WARNING "avc: PaX flags overridden to %lx for %s (%s)\n",
++ current->flags,
++ scontext,
++ bprm->filename);
++ kfree(scontext);
++ }
++ }
++}
++#endif /* CONFIG_PAX_HOOK_ACL_FLAGS */
++
++
+ struct security_operations selinux_ops = {
+ .ptrace = selinux_ptrace,
+ .capget = selinux_capget,
+@@ -3370,6 +3432,11 @@
+ {
+ printk(KERN_INFO "SELinux: Completing initialization.\n");
+ 
++ #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
++ printk(KERN_INFO "SELinux: Setting PaX callback function.\n");
++ pax_set_flags_func = avc_pax_set_flags;
++ #endif
++
+ /* Set up any superblocks initialized prior to the policy load. */
+ printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
+ spin_lock(&sb_security_lock);
+diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/av_perm_to_string.h linux-2.4.24-hardened-r1/security/selinux/include/av_perm_to_string.h
+--- linux-2.4.24-hardened-r1.orig/security/selinux/include/av_perm_to_string.h 2004-02-22 23:03:26.000000000 -0600
++++ linux-2.4.24-hardened-r1/security/selinux/include/av_perm_to_string.h 2004-02-20 16:50:39.000000000 -0600
+@@ -114,6 +120,12 @@
+ { SECCLASS_PASSWD, PASSWD__PASSWD, "passwd" },
+ { SECCLASS_PASSWD, PASSWD__CHFN, "chfn" },
+ { SECCLASS_PASSWD, PASSWD__CHSH, "chsh" },
++ { SECCLASS_PAX, PAX__PAGEEXEC, "pageexec" },
++ { SECCLASS_PAX, PAX__EMUTRAMP, "emutramp" },
++ { SECCLASS_PAX, PAX__MPROTECT, "mprotect" },
++ { SECCLASS_PAX, PAX__RANDMMAP, "randmmap" },
++ { SECCLASS_PAX, PAX__RANDEXEC, "randexec" },
++ { SECCLASS_PAX, PAX__SEGMEXEC, "segmexec" },
+ };
+ 
+ 
+diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/av_permissions.h linux-2.4.24-hardened-r1/security/selinux/include/av_permissions.h
+--- linux-2.4.24-hardened-r1.orig/security/selinux/include/av_permissions.h 2004-02-22 23:03:26.000000000 -0600
++++ linux-2.4.24-hardened-r1/security/selinux/include/av_permissions.h 2004-02-20 16:50:40.000000000 -0600
+@@ -546,5 +554,12 @@
+ #define PASSWD__CHFN 0x00000002UL
+ #define PASSWD__CHSH 0x00000004UL
+ 
++#define PAX__PAGEEXEC 0x00000001UL
++#define PAX__EMUTRAMP 0x00000002UL
++#define PAX__MPROTECT 0x00000004UL
++#define PAX__RANDMMAP 0x00000008UL
++#define PAX__RANDEXEC 0x00000010UL
++#define PAX__SEGMEXEC 0x00000020UL
++
+ 
+ /* FLASK */
+diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/class_to_string.h linux-2.4.24-hardened-r1/security/selinux/include/class_to_string.h
+--- linux-2.4.24-hardened-r1.orig/security/selinux/include/class_to_string.h 2004-02-22 23:03:26.000000000 -0600
++++ linux-2.4.24-hardened-r1/security/selinux/include/class_to_string.h 2004-02-20 16:50:40.000000000 -0600
+@@ -35,5 +35,6 @@
+ "shm",
+ "ipc",
+ "passwd",
++ "pax",
+ };
+ 
+diff -urN linux-2.4.24-hardened-r1.orig/security/selinux/include/flask.h linux-2.4.24-hardened-r1/security/selinux/include/flask.h
+--- linux-2.4.24-hardened-r1.orig/security/selinux/include/flask.h 2004-02-22 23:03:26.000000000 -0600
++++ linux-2.4.24-hardened-r1/security/selinux/include/flask.h 2004-02-20 16:50:41.000000000 -0600
+@@ -35,6 +35,7 @@
+ #define SECCLASS_SHM 28
+ #define SECCLASS_IPC 29
+ #define SECCLASS_PASSWD 30
++#define SECCLASS_PAX 31
+ 
+ /*
+ * Security identifier indices for initial entities |
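Review bot: The return value of `security_sid_to_context()` in the `pax_check_flags` failure branch of `avc_pax_set_flags` is discarded, and `scontext` is declared without an initializer, so if that call fails (presumably possible on allocation failure, though its failure modes are not visible here) an indeterminate pointer is passed to `printk` as `%s` and then to `kfree`. Guarding the diagnostic on success avoids that: `if (security_sid_to_context(isec->sid, &scontext, &scontext_len) == 0) {` around the `printk` and `kfree(scontext);`, closed with `}`, and if a message is still wanted on the failure path it should be logged without the context string. The whole of avc_pax_set_flags is inside this hunk, so nothing relevant is hidden. A secondary hygiene point: the inner hunk headers for av_perm_to_string.h (`@@ -114,6 +120,12 @@`) and av_permissions.h (`@@ -546,5 +554,12 @@`) carry new-side start lines that do not match a single-hunk diff of each file, which suggests the patch was hand-trimmed; `patch` will most likely still apply them with an offset, but regenerating the patch keeps it clean.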