mirror of
https://github.com/Qortal/Brooklyn.git
synced 2025-01-30 23:02:18 +00:00
2a709f28fa
* 0day explit mitigation * Memory corruption prevention * Privilege escalation prevention * Buffer over flow prevention * File System corruption defense * Thread escape prevention This may very well be the most intensive inclusion to BrooklynR. This will not be part of an x86 suite nor it will be released as tool kit. The security core toolkit will remain part of kernel base.
295 lines
8.0 KiB
C
295 lines
8.0 KiB
C
#include <linux/kernel.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/gracl.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/percpu.h>
|
|
#include <linux/module.h>
|
|
|
|
int grsec_enable_ptrace_readexec __read_only;
|
|
int grsec_enable_setxid __read_only;
|
|
int grsec_enable_symlinkown __read_only;
|
|
kgid_t grsec_symlinkown_gid __read_only;
|
|
int grsec_enable_brute __read_only;
|
|
int grsec_enable_link __read_only;
|
|
int grsec_enable_dmesg __read_only;
|
|
int grsec_enable_harden_ptrace __read_only;
|
|
int grsec_enable_harden_ipc __read_only;
|
|
int grsec_enable_fifo __read_only;
|
|
int grsec_enable_execlog __read_only;
|
|
int grsec_enable_signal __read_only;
|
|
int grsec_enable_forkfail __read_only;
|
|
int grsec_enable_audit_ptrace __read_only;
|
|
int grsec_enable_time __read_only;
|
|
int grsec_enable_group __read_only;
|
|
kgid_t grsec_audit_gid __read_only;
|
|
int grsec_enable_chdir __read_only;
|
|
int grsec_enable_mount __read_only;
|
|
int grsec_enable_rofs __read_only;
|
|
int grsec_deny_new_usb __read_only;
|
|
int grsec_enable_chroot_findtask __read_only;
|
|
int grsec_enable_chroot_mount __read_only;
|
|
int grsec_enable_chroot_shmat __read_only;
|
|
int grsec_enable_chroot_fchdir __read_only;
|
|
int grsec_enable_chroot_double __read_only;
|
|
int grsec_enable_chroot_pivot __read_only;
|
|
int grsec_enable_chroot_chdir __read_only;
|
|
int grsec_enable_chroot_chmod __read_only;
|
|
int grsec_enable_chroot_mknod __read_only;
|
|
int grsec_enable_chroot_nice __read_only;
|
|
int grsec_enable_chroot_execlog __read_only;
|
|
int grsec_enable_chroot_caps __read_only;
|
|
int grsec_enable_chroot_rename __read_only;
|
|
int grsec_enable_chroot_sysctl __read_only;
|
|
int grsec_enable_chroot_unix __read_only;
|
|
int grsec_enable_tpe __read_only;
|
|
kgid_t grsec_tpe_gid __read_only;
|
|
int grsec_enable_blackhole __read_only;
|
|
#ifdef CONFIG_IPV6_MODULE
|
|
EXPORT_SYMBOL_GPL(grsec_enable_blackhole);
|
|
#endif
|
|
int grsec_lastack_retries __read_only;
|
|
int grsec_enable_tpe_all __read_only;
|
|
int grsec_enable_tpe_invert __read_only;
|
|
int grsec_enable_socket_all __read_only;
|
|
kgid_t grsec_socket_all_gid __read_only;
|
|
int grsec_enable_socket_client __read_only;
|
|
kgid_t grsec_socket_client_gid __read_only;
|
|
int grsec_enable_socket_server __read_only;
|
|
kgid_t grsec_socket_server_gid __read_only;
|
|
int grsec_resource_logging __read_only;
|
|
int grsec_disable_privio __read_only;
|
|
int grsec_enable_log_rwxmaps __read_only;
|
|
int grsec_enable_harden_tty __read_only;
|
|
int grsec_lock __read_only;
|
|
|
|
DEFINE_SPINLOCK(grsec_alert_lock);
|
|
unsigned long grsec_alert_wtime = 0;
|
|
unsigned long grsec_alert_fyet = 0;
|
|
|
|
DEFINE_SPINLOCK(grsec_audit_lock);
|
|
|
|
DEFINE_RWLOCK(grsec_exec_file_lock);
|
|
|
|
char *gr_shared_page[4];
|
|
|
|
char *gr_alert_log_fmt;
|
|
char *gr_audit_log_fmt;
|
|
char *gr_alert_log_buf;
|
|
char *gr_audit_log_buf;
|
|
|
|
extern struct gr_arg *gr_usermode;
|
|
extern unsigned char *gr_system_salt;
|
|
extern unsigned char *gr_system_sum;
|
|
|
|
void __init
|
|
grsecurity_init(void)
|
|
{
|
|
int j;
|
|
/* create the per-cpu shared pages */
|
|
|
|
#ifdef CONFIG_X86
|
|
memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
|
|
#endif
|
|
|
|
for (j = 0; j < 4; j++) {
|
|
gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
|
|
if (gr_shared_page[j] == NULL) {
|
|
panic("Unable to allocate grsecurity shared page");
|
|
return;
|
|
}
|
|
}
|
|
|
|
/* allocate log buffers */
|
|
gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
|
|
if (!gr_alert_log_fmt) {
|
|
panic("Unable to allocate grsecurity alert log format buffer");
|
|
return;
|
|
}
|
|
gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
|
|
if (!gr_audit_log_fmt) {
|
|
panic("Unable to allocate grsecurity audit log format buffer");
|
|
return;
|
|
}
|
|
gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
|
|
if (!gr_alert_log_buf) {
|
|
panic("Unable to allocate grsecurity alert log buffer");
|
|
return;
|
|
}
|
|
gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
|
|
if (!gr_audit_log_buf) {
|
|
panic("Unable to allocate grsecurity audit log buffer");
|
|
return;
|
|
}
|
|
|
|
/* allocate memory for authentication structure */
|
|
gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
|
|
gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
|
|
gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
|
|
|
|
if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
|
|
panic("Unable to allocate grsecurity authentication structure");
|
|
return;
|
|
}
|
|
|
|
#ifdef CONFIG_GRKERNSEC_IO
|
|
#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
|
|
grsec_disable_privio = 1;
|
|
#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
|
|
grsec_disable_privio = 1;
|
|
#else
|
|
grsec_disable_privio = 0;
|
|
#endif
|
|
#endif
|
|
|
|
#ifdef CONFIG_GRKERNSEC_TPE_INVERT
|
|
/* for backward compatibility, tpe_invert always defaults to on if
|
|
enabled in the kernel
|
|
*/
|
|
grsec_enable_tpe_invert = 1;
|
|
#endif
|
|
|
|
#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
|
|
#ifndef CONFIG_GRKERNSEC_SYSCTL
|
|
grsec_lock = 1;
|
|
#endif
|
|
|
|
#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
|
|
grsec_enable_log_rwxmaps = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
|
|
grsec_enable_group = 1;
|
|
grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
|
|
grsec_enable_ptrace_readexec = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
|
|
grsec_enable_chdir = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
|
|
grsec_enable_harden_ptrace = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
|
|
grsec_enable_harden_ipc = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_HARDEN_TTY
|
|
grsec_enable_harden_tty = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
|
|
grsec_enable_mount = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_LINK
|
|
grsec_enable_link = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_BRUTE
|
|
grsec_enable_brute = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_DMESG
|
|
grsec_enable_dmesg = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
|
|
grsec_enable_blackhole = 1;
|
|
grsec_lastack_retries = 4;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_FIFO
|
|
grsec_enable_fifo = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_EXECLOG
|
|
grsec_enable_execlog = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SETXID
|
|
grsec_enable_setxid = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SIGNAL
|
|
grsec_enable_signal = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_FORKFAIL
|
|
grsec_enable_forkfail = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_TIME
|
|
grsec_enable_time = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_RESLOG
|
|
grsec_resource_logging = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
|
|
grsec_enable_chroot_findtask = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
|
|
grsec_enable_chroot_unix = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
|
|
grsec_enable_chroot_mount = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
|
|
grsec_enable_chroot_fchdir = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
|
|
grsec_enable_chroot_shmat = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
|
|
grsec_enable_audit_ptrace = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
|
|
grsec_enable_chroot_double = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
|
|
grsec_enable_chroot_pivot = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
|
|
grsec_enable_chroot_chdir = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
|
|
grsec_enable_chroot_chmod = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
|
|
grsec_enable_chroot_mknod = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
|
|
grsec_enable_chroot_nice = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
|
|
grsec_enable_chroot_execlog = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
|
|
grsec_enable_chroot_caps = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
|
|
grsec_enable_chroot_rename = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
|
|
grsec_enable_chroot_sysctl = 1;
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
|
|
grsec_enable_symlinkown = 1;
|
|
grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_TPE
|
|
grsec_enable_tpe = 1;
|
|
grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
|
|
#ifdef CONFIG_GRKERNSEC_TPE_ALL
|
|
grsec_enable_tpe_all = 1;
|
|
#endif
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
|
|
grsec_enable_socket_all = 1;
|
|
grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
|
|
grsec_enable_socket_client = 1;
|
|
grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
|
|
grsec_enable_socket_server = 1;
|
|
grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
|
|
#endif
|
|
#endif
|
|
#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
|
|
grsec_deny_new_usb = 1;
|
|
#endif
|
|
|
|
return;
|
|
}
|