Qortal
/
Brooklyn
mirror of https://github.com/Qortal/Brooklyn
3
0
Fork 1
Code Issues Projects Releases Wiki Activity
QortalOS Brooklyn for Raspberry Pi 4
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
240 Commits
1 Branch
22 Tags
720 MiB
Tree: b48c9cc972
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b48c9cc972'
${ noResults }
Brooklyn/grsecurity/grsec_init.c

295 lines
8.0 KiB
Raw Normal View History Unescape

Auto exploit mitigation feature * 0day explit mitigation * Memory corruption prevention * Privilege escalation prevention * Buffer over flow prevention * File System corruption defense * Thread escape prevention This may very well be the most intensive inclusion to BrooklynR. This will not be part of an x86 suite nor it will be released as tool kit. The security core toolkit will remain part of kernel base.
3 years ago
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/gracl.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/percpu.h>
#include <linux/module.h>
int grsec_enable_ptrace_readexec __read_only;
int grsec_enable_setxid __read_only;
int grsec_enable_symlinkown __read_only;
kgid_t grsec_symlinkown_gid __read_only;
int grsec_enable_brute __read_only;
int grsec_enable_link __read_only;
int grsec_enable_dmesg __read_only;
int grsec_enable_harden_ptrace __read_only;
int grsec_enable_harden_ipc __read_only;
int grsec_enable_fifo __read_only;
int grsec_enable_execlog __read_only;
int grsec_enable_signal __read_only;
int grsec_enable_forkfail __read_only;
int grsec_enable_audit_ptrace __read_only;
int grsec_enable_time __read_only;
int grsec_enable_group __read_only;
kgid_t grsec_audit_gid __read_only;
int grsec_enable_chdir __read_only;
int grsec_enable_mount __read_only;
int grsec_enable_rofs __read_only;
int grsec_deny_new_usb __read_only;
int grsec_enable_chroot_findtask __read_only;
int grsec_enable_chroot_mount __read_only;
int grsec_enable_chroot_shmat __read_only;
int grsec_enable_chroot_fchdir __read_only;
int grsec_enable_chroot_double __read_only;
int grsec_enable_chroot_pivot __read_only;
int grsec_enable_chroot_chdir __read_only;
int grsec_enable_chroot_chmod __read_only;
int grsec_enable_chroot_mknod __read_only;
int grsec_enable_chroot_nice __read_only;
int grsec_enable_chroot_execlog __read_only;
int grsec_enable_chroot_caps __read_only;
int grsec_enable_chroot_rename __read_only;
int grsec_enable_chroot_sysctl __read_only;
int grsec_enable_chroot_unix __read_only;
int grsec_enable_tpe __read_only;
kgid_t grsec_tpe_gid __read_only;
int grsec_enable_blackhole __read_only;
#ifdef CONFIG_IPV6_MODULE
EXPORT_SYMBOL_GPL(grsec_enable_blackhole);
#endif
int grsec_lastack_retries __read_only;
int grsec_enable_tpe_all __read_only;
int grsec_enable_tpe_invert __read_only;
int grsec_enable_socket_all __read_only;
kgid_t grsec_socket_all_gid __read_only;
int grsec_enable_socket_client __read_only;
kgid_t grsec_socket_client_gid __read_only;
int grsec_enable_socket_server __read_only;
kgid_t grsec_socket_server_gid __read_only;
int grsec_resource_logging __read_only;
int grsec_disable_privio __read_only;
int grsec_enable_log_rwxmaps __read_only;
int grsec_enable_harden_tty __read_only;
int grsec_lock __read_only;
DEFINE_SPINLOCK(grsec_alert_lock);
unsigned long grsec_alert_wtime = 0;
unsigned long grsec_alert_fyet = 0;
DEFINE_SPINLOCK(grsec_audit_lock);
DEFINE_RWLOCK(grsec_exec_file_lock);
char *gr_shared_page[4];
char *gr_alert_log_fmt;
char *gr_audit_log_fmt;
char *gr_alert_log_buf;
char *gr_audit_log_buf;
extern struct gr_arg *gr_usermode;
extern unsigned char *gr_system_salt;
extern unsigned char *gr_system_sum;
void __init
grsecurity_init(void)
{
int j;
/* create the per-cpu shared pages */
#ifdef CONFIG_X86
memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
#endif
for (j = 0; j < 4; j++) {
gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
if (gr_shared_page[j] == NULL) {
panic("Unable to allocate grsecurity shared page");
return;
}
}
/* allocate log buffers */
gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
if (!gr_alert_log_fmt) {
panic("Unable to allocate grsecurity alert log format buffer");
return;
}
gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
if (!gr_audit_log_fmt) {
panic("Unable to allocate grsecurity audit log format buffer");
return;
}
gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
if (!gr_alert_log_buf) {
panic("Unable to allocate grsecurity alert log buffer");
return;
}
gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
if (!gr_audit_log_buf) {
panic("Unable to allocate grsecurity audit log buffer");
return;
}
/* allocate memory for authentication structure */
gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
panic("Unable to allocate grsecurity authentication structure");
return;
}
#ifdef CONFIG_GRKERNSEC_IO
#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
grsec_disable_privio = 1;
#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
grsec_disable_privio = 1;
#else
grsec_disable_privio = 0;
#endif
#endif
#ifdef CONFIG_GRKERNSEC_TPE_INVERT
/* for backward compatibility, tpe_invert always defaults to on if
enabled in the kernel
*/
grsec_enable_tpe_invert = 1;
#endif
#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
#ifndef CONFIG_GRKERNSEC_SYSCTL
grsec_lock = 1;
#endif
#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
grsec_enable_log_rwxmaps = 1;
#endif
#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
grsec_enable_group = 1;
grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
#endif
#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
grsec_enable_ptrace_readexec = 1;
#endif
#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
grsec_enable_chdir = 1;
#endif
#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
grsec_enable_harden_ptrace = 1;
#endif
#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
grsec_enable_harden_ipc = 1;
#endif
#ifdef CONFIG_GRKERNSEC_HARDEN_TTY
grsec_enable_harden_tty = 1;
#endif
#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
grsec_enable_mount = 1;
#endif
#ifdef CONFIG_GRKERNSEC_LINK
grsec_enable_link = 1;
#endif
#ifdef CONFIG_GRKERNSEC_BRUTE
grsec_enable_brute = 1;
#endif
#ifdef CONFIG_GRKERNSEC_DMESG
grsec_enable_dmesg = 1;
#endif
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
grsec_enable_blackhole = 1;
grsec_lastack_retries = 4;
#endif
#ifdef CONFIG_GRKERNSEC_FIFO
grsec_enable_fifo = 1;
#endif
#ifdef CONFIG_GRKERNSEC_EXECLOG
grsec_enable_execlog = 1;
#endif
#ifdef CONFIG_GRKERNSEC_SETXID
grsec_enable_setxid = 1;
#endif
#ifdef CONFIG_GRKERNSEC_SIGNAL
grsec_enable_signal = 1;
#endif
#ifdef CONFIG_GRKERNSEC_FORKFAIL
grsec_enable_forkfail = 1;
#endif
#ifdef CONFIG_GRKERNSEC_TIME
grsec_enable_time = 1;
#endif
#ifdef CONFIG_GRKERNSEC_RESLOG
grsec_resource_logging = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
grsec_enable_chroot_findtask = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
grsec_enable_chroot_unix = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
grsec_enable_chroot_mount = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
grsec_enable_chroot_fchdir = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
grsec_enable_chroot_shmat = 1;
#endif
#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
grsec_enable_audit_ptrace = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
grsec_enable_chroot_double = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
grsec_enable_chroot_pivot = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
grsec_enable_chroot_chdir = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
grsec_enable_chroot_chmod = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
grsec_enable_chroot_mknod = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
grsec_enable_chroot_nice = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
grsec_enable_chroot_execlog = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
grsec_enable_chroot_caps = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
grsec_enable_chroot_rename = 1;
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
grsec_enable_chroot_sysctl = 1;
#endif
#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
grsec_enable_symlinkown = 1;
grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
#endif
#ifdef CONFIG_GRKERNSEC_TPE
grsec_enable_tpe = 1;
grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
#ifdef CONFIG_GRKERNSEC_TPE_ALL
grsec_enable_tpe_all = 1;
#endif
#endif
#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
grsec_enable_socket_all = 1;
grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
#endif
#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
grsec_enable_socket_client = 1;
grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
#endif
#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
grsec_enable_socket_server = 1;
grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
#endif
#endif
#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
grsec_deny_new_usb = 1;
#endif
return;
}