Brooklyn/grsecurity/grsec_ipc.c

#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/file.h>
#include <linux/ipc.h>
#include <linux/ipc_namespace.h>
#include <linux/grsecurity.h>
#include <linux/grinternal.h>

int
gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
{
#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
	int write;
	int orig_granted_mode;
	kuid_t euid;
	kgid_t egid;

	if (!grsec_enable_harden_ipc)
		return 1;

	euid = current_euid();
	egid = current_egid();

	write = requested_mode & 00002;
	orig_granted_mode = ipcp->mode;

	if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
		orig_granted_mode >>= 6;
	else {
		/* if likely wrong permissions, lock to user */
		if (orig_granted_mode & 0007)
			orig_granted_mode = 0;
		/* otherwise do a egid-only check */
		else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
			orig_granted_mode >>= 3;
		/* otherwise, no access */
		else
			orig_granted_mode = 0;
	}
	if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
	    !ns_capable_noaudit(ns->user_ns, CAP_IPC_OWNER)) {
		gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
		return 0;
	}
#endif
	return 1;
}
Auto exploit mitigation feature * 0day explit mitigation * Memory corruption prevention * Privilege escalation prevention * Buffer over flow prevention * File System corruption defense * Thread escape prevention This may very well be the most intensive inclusion to BrooklynR. This will not be part of an x86 suite nor it will be released as tool kit. The security core toolkit will remain part of kernel base. 2021-11-13 04:26:51 +00:00			`#include <linux/kernel.h>`
			`#include <linux/mm.h>`
			`#include <linux/sched.h>`
			`#include <linux/file.h>`
			`#include <linux/ipc.h>`
			`#include <linux/ipc_namespace.h>`
			`#include <linux/grsecurity.h>`
			`#include <linux/grinternal.h>`

			`int`
			`gr_ipc_permitted(struct ipc_namespace ns, struct kern_ipc_perm ipcp, int requested_mode, int granted_mode)`
			`{`
			`#ifdef CONFIG_GRKERNSEC_HARDEN_IPC`
			`int write;`
			`int orig_granted_mode;`
			`kuid_t euid;`
			`kgid_t egid;`

			`if (!grsec_enable_harden_ipc)`
			`return 1;`

			`euid = current_euid();`
			`egid = current_egid();`

			`write = requested_mode & 00002;`
			`orig_granted_mode = ipcp->mode;`

			`if (uid_eq(euid, ipcp->cuid) \|\| uid_eq(euid, ipcp->uid))`
			`orig_granted_mode >>= 6;`
			`else {`
			`/* if likely wrong permissions, lock to user */`
			`if (orig_granted_mode & 0007)`
			`orig_granted_mode = 0;`
			`/* otherwise do a egid-only check */`
			`else if (gid_eq(egid, ipcp->cgid) \|\| gid_eq(egid, ipcp->gid))`
			`orig_granted_mode >>= 3;`
			`/* otherwise, no access */`
			`else`
			`orig_granted_mode = 0;`
			`}`
			`if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&`
			`!ns_capable_noaudit(ns->user_ns, CAP_IPC_OWNER)) {`
			`gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));`
			`return 0;`
			`}`
			`#endif`
			`return 1;`
			`}`