* [gentoo-commits] proj/hardened-patchset:master commit in: 3.12.6/
@ 2013-12-31 19:38 Anthony G. Basile
  0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile @ 2013-12-31 19:38 UTC (permalink / raw
  To: gentoo-commits

commit:     895b4e7fd913d74bc4edcc9f8b63dd29d46651d8
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 31 19:39:15 2013 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Dec 31 19:39:15 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=895b4e7f

 Grsec/PaX: 3.0-3.12.6-201312301223

---
 3.12.6/0000_README                                 |  2 +-
 ... 4420_grsecurity-3.0-3.12.6-201312301223.patch} | 99 ++++++++++++++++++----
 3.12.6/4450_grsec-kconfig-default-gids.patch       | 12 +--
 3.12.6/4465_selinux-avc_audit-log-curr_ip.patch    |  2 +-
 4 files changed, 89 insertions(+), 26 deletions(-)

diff --git a/3.12.6/0000_README b/3.12.6/0000_README
index 55926d8..9a0fb55 100644
--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.12.6-201312262020.patch
+Patch:	4420_grsecurity-3.0-3.12.6-201312301223.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
similarity index 99%
rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
index 639a445..a396411 100644
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312262020.patch
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
@@ -60943,6 +60943,22 @@ index 651d09a..60c73ae 100644
  
  /*
   * base.c
+diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
+index 05029c0..7ea1987 100644
+--- a/fs/proc/interrupts.c
++++ b/fs/proc/interrupts.c
+@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
+ 
+ static int __init proc_interrupts_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
++#else
+ 	proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
++#endif
+ 	return 0;
+ }
+ module_init(proc_interrupts_init);
 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
 index 06ea155..9a798c7 100644
 --- a/fs/proc/kcore.c
@@ -61292,6 +61308,22 @@ index 6b6a993..807cccc 100644
  	if (!IS_ERR(s))
  		kfree(s);
  }
+diff --git a/fs/proc/stat.c b/fs/proc/stat.c
+index 1cf86c0..5668e11 100644
+--- a/fs/proc/stat.c
++++ b/fs/proc/stat.c
+@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
+ 
+ static int __init proc_stat_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
++#else
+ 	proc_create("stat", 0, NULL, &proc_stat_operations);
++#endif
+ 	return 0;
+ }
+ module_init(proc_stat_init);
 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
 index 390bdab..83c1e8a 100644
 --- a/fs/proc/task_mmu.c
@@ -62471,10 +62503,10 @@ index 2b8952d..a60c6be 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..04e9889
+index 0000000..5b2538b
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1112 @@
+@@ -0,0 +1,1116 @@
 +#
 +# grecurity configuration
 +#
@@ -63270,15 +63302,19 @@ index 0000000..04e9889
 +	  a sysctl option with name "consistent_setxid" is created.
 +
 +config GRKERNSEC_HARDEN_IPC
-+	bool "Disallow access to world-accessible IPC objects"
++	bool "Disallow access to overly-permissive IPC objects"
 +	default y if GRKERNSEC_CONFIG_AUTO
 +	depends on SYSVIPC
 +	help
-+	  If you say Y here, access to overly-permissive IPC (shared memory,
-+	  message queues, and semaphores) will be denied for processes whose
-+	  effective user or group would not grant them permission.  It's a
-+	  common error to grant too much permission to these objects, with
-+	  impact ranging from denial of service and information leaking to
++	  If you say Y here, access to overly-permissive IPC objects (shared
++	  memory, message queues, and semaphores) will be denied for processes
++	  given the following criteria beyond normal permission checks:
++	  1) If the IPC object is world-accessible and the euid doesn't match
++	     that of the creator or current uid for the IPC object
++	  2) If the IPC object is group-accessible and the egid doesn't
++	     match that of the creator or current gid for the IPC object
++	  It's a common error to grant too much permission to these objects,
++	  with impact ranging from denial of service and information leaking to
 +	  privilege escalation.  This feature was developed in response to
 +	  research by Tim Brown:
 +	  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
@@ -71471,10 +71507,10 @@ index 0000000..a88e901
 +}
 diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
 new file mode 100644
-index 0000000..f365de0
+index 0000000..78d1680
 --- /dev/null
 +++ b/grsecurity/grsec_ipc.c
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,48 @@
 +#include <linux/kernel.h>
 +#include <linux/mm.h>
 +#include <linux/sched.h>
@@ -71488,10 +71524,36 @@ index 0000000..f365de0
 +gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
 +{
 +#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
-+	int write = (requested_mode & 00002);
++	int write;
++	int orig_granted_mode;
++	kuid_t euid;
++	kgid_t egid;
 +
-+	if (grsec_enable_harden_ipc && !(requested_mode & ~granted_mode & 0007) && !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
-+		gr_log_str2_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", write ? "writ" : "read", GR_GLOBAL_UID(ipcp->cuid));
++	if (!grsec_enable_harden_ipc)
++		return 0;
++
++	euid = current_euid();
++	egid = current_egid();
++
++	write = requested_mode & 00002;
++	orig_granted_mode = ipcp->mode;
++
++	if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
++		orig_granted_mode >>= 6;
++	else {
++		/* if likely wrong permissions, lock to user */
++		if (orig_granted_mode & 0007)
++			orig_granted_mode = 0;
++		/* otherwise do a egid-only check */
++		else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
++			orig_granted_mode >>= 3;
++		/* otherwise, no access */
++		else
++			orig_granted_mode = 0;
++	}
++	if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
++	    !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
++		gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
 +		return 0;
 +	}
 +#endif
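Review bot: The new early exit `if (!grsec_enable_harden_ipc) return 0;` in gr_ipc_permitted returns the same value as the denial branch, which logs and then does `return 0;`. The ipc/util.c hunk of this same commit drops the `else`, so ipcperms now calls gr_ipc_permitted on every path and turns a zero result into `return -1`. The tail of the function after `#endif` is outside this hunk, but if it still ends in `return 1`, turning the feature flag off would refuse every IPC permission check instead of disabling the hardening; the early exit should read `return 1;`. A one-line header comment such as `/* returns non-zero when access is permitted, 0 to deny */` would keep the two return sites from drifting apart again.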
@@ -75995,7 +76057,7 @@ index 0000000..d25522e
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..2b07594
+index 0000000..195cbe4
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,115 @@
@@ -76113,7 +76175,7 @@ index 0000000..2b07594
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
 +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for "
 +#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes.  Please investigate the crash report for "
-+#define GR_IPC_DENIED_MSG "denied %s of globally-%sable IPC with creator uid %u by "
++#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
 index 0000000..d8b5b48
@@ -81460,7 +81522,7 @@ index 7a51443..3a257d8 100644
  	ipc_unlock_object(&shp->shm_perm);
  	rcu_read_unlock();
 diff --git a/ipc/util.c b/ipc/util.c
-index 7684f41..f7da711 100644
+index 7684f41..5bf1880 100644
 --- a/ipc/util.c
 +++ b/ipc/util.c
 @@ -71,6 +71,8 @@ struct ipc_proc_iface {
@@ -81472,11 +81534,12 @@ index 7684f41..f7da711 100644
  static void ipc_memory_notifier(struct work_struct *work)
  {
  	ipcns_notify(IPCNS_MEMCHANGED);
-@@ -560,6 +562,9 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
+@@ -560,6 +562,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
  		granted_mode >>= 6;
  	else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
  		granted_mode >>= 3;
-+	else if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
++
++	if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
 +		return -1;
 +
  	/* is there some bit set in requested_mode but not in granted_mode? */

diff --git a/3.12.6/4450_grsec-kconfig-default-gids.patch b/3.12.6/4450_grsec-kconfig-default-gids.patch
index aa9d567..cdd1703 100644
--- a/3.12.6/4450_grsec-kconfig-default-gids.patch
+++ b/3.12.6/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -621,7 +621,7 @@
+@@ -626,7 +626,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -848,7 +848,7 @@
+@@ -857,7 +857,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -857,7 +857,7 @@
+@@ -866,7 +866,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -950,7 +950,7 @@
+@@ -959,7 +959,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -971,7 +971,7 @@
+@@ -980,7 +980,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -989,7 +989,7 @@
+@@ -998,7 +998,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER

diff --git a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
index 6490fca..04ec3fb 100644
--- a/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.12.6/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1084,6 +1084,27 @@
+@@ -1093,6 +1093,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  



* [gentoo-commits] proj/hardened-patchset:master commit in: 3.12.6/
@ 2014-01-04 15:18 Anthony G. Basile
  0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile @ 2014-01-04 15:18 UTC (permalink / raw
  To: gentoo-commits

commit:     b7b6c63d4ed778e1e1588005c377e93c69eb0283
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Jan  4 15:08:35 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jan  4 15:08:35 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=b7b6c63d

Grsec/PaX: 3.0-3.12.6-201401021726

---
 3.12.6/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.12.6-201401021726.patch} | 184 ++++++++++++---------
 2 files changed, 110 insertions(+), 76 deletions(-)

diff --git a/3.12.6/0000_README b/3.12.6/0000_README
index 9a0fb55..0c79077 100644
--- a/3.12.6/0000_README
+++ b/3.12.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.0-3.12.6-201312301223.patch
+Patch:	4420_grsecurity-3.0-3.12.6-201401021726.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
similarity index 99%
rename from 3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
rename to 3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
index a396411..e1b8944 100644
--- a/3.12.6/4420_grsecurity-3.0-3.12.6-201312301223.patch
+++ b/3.12.6/4420_grsecurity-3.0-3.12.6-201401021726.patch
@@ -45673,43 +45673,40 @@ index f4a18f5..ff2463c 100644
  	int retval = -ENOMEM;
  
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 7128cfd..db7c65b 100644
+index 7128cfd..6fdc261 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
-@@ -634,6 +634,10 @@ pci_write_config(struct file* filp, struct kobject *kobj,
+@@ -634,6 +634,9 @@ pci_write_config(struct file* filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8*) buf;
  
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
 +
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -940,6 +944,10 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -940,6 +943,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
 +
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1047,6 +1055,10 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj,
- 		      struct bin_attribute *attr, char *buf,
- 		      loff_t off, size_t count)
- {
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
-+
- 	return pci_resource_io(filp, kobj, attr, buf, off, count, true);
- }
+@@ -997,6 +1003,9 @@ pci_resource_io(struct file *filp, struct kobject *kobj,
+ 	unsigned long port = off;
+ 	int i;
  
-@@ -1083,7 +1095,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
++
+ 	for (i = 0; i < PCI_ROM_RESOURCE; i++)
+ 		if (res == &pdev->resource[i])
+ 			break;
+@@ -1083,7 +1092,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
  {
  	/* allocate attribute structure, piggyback attribute name */
  	int name_len = write_combine ? 13 : 10;
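Review bot: The `if (!capable(CAP_SYS_RAWIO)) return -EPERM;` checks added to pci_write_config, pci_mmap_resource and pci_resource_io are no longer inside `#ifdef CONFIG_GRKERNSEC_KMEM` and carry no comment, so nothing in the code records that a hard denial was replaced by a capability gate. On a KMEM kernel these paths are reachable again by any task holding CAP_SYS_RAWIO, so the protection now depends on how that capability is handed out; a comment such as `/* raw PCI access needs CAP_SYS_RAWIO on all configs (previously always denied under GRKERNSEC_KMEM) */` at each site would make that explicit. The removed guard sat in pci_write_resource_io, which passes `true` to pci_resource_io, so the new check in the shared helper probably covers port reads as well; say so if that is intended. The same point applies to proc_bus_pci_write in the drivers/pci/proc.c hunk, where proc_bus_pci_ioctl also loses its guard without a replacement. All of these function bodies continue outside the hunk.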
@@ -45718,7 +45715,7 @@ index 7128cfd..db7c65b 100644
  	int retval;
  
  	res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
-@@ -1268,7 +1280,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
+@@ -1268,7 +1277,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
  static int pci_create_capabilities_sysfs(struct pci_dev *dev)
  {
  	int retval;
@@ -45727,7 +45724,7 @@ index 7128cfd..db7c65b 100644
  
  	/* If the device has VPD, try to expose it in sysfs. */
  	if (dev->vpd) {
-@@ -1315,7 +1327,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
+@@ -1315,7 +1324,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
  {
  	int retval;
  	int rom_size = 0;
@@ -45780,43 +45777,20 @@ index 7ef0f86..17b710f 100644
  	/* No printks while decoding is disabled! */
  	if (!dev->mmio_always_on) {
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index cdc7836..2e0eb94 100644
+index cdc7836..0c964c9 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
-@@ -117,6 +117,10 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
+@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof
  	int size = dev->cfg_size;
  	int cnt;
  
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
++	if (!capable(CAP_SYS_RAWIO))
++		return -EPERM;
 +
  	if (pos >= size)
  		return 0;
  	if (nbytes >= size)
-@@ -196,6 +200,10 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd,
- #endif /* HAVE_PCI_MMAP */
- 	int ret = 0;
- 
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
-+
- 	switch (cmd) {
- 	case PCIIOC_CONTROLLER:
- 		ret = pci_domain_nr(dev->bus);
-@@ -234,6 +242,10 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
- 	struct pci_filp_private *fpriv = file->private_data;
- 	int i, ret;
- 
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM;
-+#endif
-+
- 	if (!capable(CAP_SYS_RAWIO))
- 		return -EPERM;
- 
-@@ -434,7 +446,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
+@@ -434,7 +437,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
  static int __init pci_proc_init(void)
  {
  	struct pci_dev *dev = NULL;
@@ -45833,21 +45807,6 @@ index cdc7836..2e0eb94 100644
  	proc_create("devices", 0, proc_bus_pci_dir,
  		    &proc_bus_pci_dev_operations);
  	proc_initialized = 1;
-diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index e1c1ec5..bef4210 100644
---- a/drivers/pci/syscall.c
-+++ b/drivers/pci/syscall.c
-@@ -92,6 +92,10 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
- 	u32 dword;
- 	int err = 0;
- 
-+#ifdef CONFIG_GRKERNSEC_KMEM
-+	return -EPERM
-+#endif
-+
- 	if (!capable(CAP_SYS_ADMIN))
- 		return -EPERM;
- 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
 index 19c313b..ed28b38 100644
 --- a/drivers/platform/x86/asus-wmi.c
@@ -61309,21 +61268,96 @@ index 6b6a993..807cccc 100644
  		kfree(s);
  }
 diff --git a/fs/proc/stat.c b/fs/proc/stat.c
-index 1cf86c0..5668e11 100644
+index 1cf86c0..f61473c 100644
 --- a/fs/proc/stat.c
 +++ b/fs/proc/stat.c
-@@ -218,7 +218,11 @@ static const struct file_operations proc_stat_operations = {
+@@ -11,6 +11,7 @@
+ #include <linux/irqnr.h>
+ #include <asm/cputime.h>
+ #include <linux/tick.h>
++#include <linux/grsecurity.h>
  
- static int __init proc_stat_init(void)
- {
+ #ifndef arch_irq_stat_cpu
+ #define arch_irq_stat_cpu(cpu) 0
+@@ -87,13 +88,28 @@ static int show_stat(struct seq_file *p, void *v)
+ 	u64 sum_softirq = 0;
+ 	unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
+ 	struct timespec boottime;
++	int unrestricted = 1;
++
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+	proc_create_grsec("stat", 0, NULL, &proc_stat_operations);
-+#else
- 	proc_create("stat", 0, NULL, &proc_stat_operations);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++		&& !in_group_p(grsec_proc_gid)
 +#endif
- 	return 0;
- }
- module_init(proc_stat_init);
++	)
++		unrestricted = 0;
++#endif
++#endif
+ 
+ 	user = nice = system = idle = iowait =
+ 		irq = softirq = steal = 0;
+ 	guest = guest_nice = 0;
+ 	getboottime(&boottime);
+ 	jif = boottime.tv_sec;
++	if (!unrestricted)
++		jif = 0;
+ 
++	if (unrestricted) {
+ 	for_each_possible_cpu(i) {
+ 		user += kcpustat_cpu(i).cpustat[CPUTIME_USER];
+ 		nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
+@@ -116,6 +132,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 		}
+ 	}
+ 	sum += arch_irq_stat();
++	}
+ 
+ 	seq_puts(p, "cpu ");
+ 	seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
+@@ -131,6 +148,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 	seq_putc(p, '\n');
+ 
+ 	for_each_online_cpu(i) {
++		if (unrestricted) {
+ 		/* Copy values here to work around gcc-2.95.3, gcc-2.96 */
+ 		user = kcpustat_cpu(i).cpustat[CPUTIME_USER];
+ 		nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
+@@ -142,6 +160,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 		steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
+ 		guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
+ 		guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
++		}
+ 		seq_printf(p, "cpu%d", i);
+ 		seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
+ 		seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
+@@ -159,7 +178,7 @@ static int show_stat(struct seq_file *p, void *v)
+ 
+ 	/* sum again ? it could be updated? */
+ 	for_each_irq_nr(j)
+-		seq_put_decimal_ull(p, ' ', kstat_irqs(j));
++		seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs(j) : 0ULL);
+ 
+ 	seq_printf(p,
+ 		"\nctxt %llu\n"
+@@ -167,11 +186,11 @@ static int show_stat(struct seq_file *p, void *v)
+ 		"processes %lu\n"
+ 		"procs_running %lu\n"
+ 		"procs_blocked %lu\n",
+-		nr_context_switches(),
+-		(unsigned long)jif,
+-		total_forks,
+-		nr_running(),
+-		nr_iowait());
++		unrestricted ? nr_context_switches() : 0ULL,
++		unrestricted ? (unsigned long)jif : 0UL,
++		unrestricted ? total_forks : 0UL,
++		unrestricted ? nr_running() : 0UL,
++		unrestricted ? nr_iowait() : 0UL);
+ 
+ 	seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
+ 
 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
 index 390bdab..83c1e8a 100644
 --- a/fs/proc/task_mmu.c
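Review bot: In show_stat the access decision is computed once into `unrestricted` but applied at eight separate sites (two unindented `if (unrestricted) {` wrappers and six ternaries), and no comment states the intent. A comment above `int unrestricted = 1;` would help, for example `/* restricted readers get the usual layout with every counter zeroed so parsers keep working */`. The added `if (!unrestricted) jif = 0;` is redundant, because the only later use is already `unrestricted ? (unsigned long)jif : 0UL`. The restricted output still emits one `cpu%d` line per online CPU and one column per IRQ from `for_each_irq_nr`, so those counts remain visible to restricted readers; if that is accepted for compatibility, the comment should say so. The body of show_stat extends beyond the lines shown in these hunks.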

