From f87f46a4b736917e557907e70268f47533e48a72 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Tue, 25 Feb 2014 01:30:27 -0200
Subject: linux-libre-grsec: add module-blacklist.conf, sysctl.conf and known-exploit-detection.patch on source line
---
 kernels/linux-libre-grsec/PKGBUILD | 12 +-
 kernels/linux-libre-grsec/config.i686 | 2 +-
 .../known-exploit-detection.patch | 410 ++++++++++-----------
 3 files changed, 208 insertions(+), 216 deletions(-)
diff --git a/kernels/linux-libre-grsec/PKGBUILD b/kernels/linux-libre-grsec/PKGBUILD
index 1bc252caf..e17657146 100644
--- a/kernels/linux-libre-grsec/PKGBUILD
+++ b/kernels/linux-libre-grsec/PKGBUILD
@@ -41,11 +41,14 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
 '0006-rpc_pipe-fix-cleanup-of-dummy-gssd-directory-when-no.patch'
 '0001-syscalls.h-use-gcc-alias-instead-of-assembler-aliase.patch'
 'i8042-fix-aliases.patch'
+ 'module-blacklist.conf'
+ 'sysctl.conf'
+ 'known-exploit-detection.patch'
 "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
 md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
 '3659d30b1d06dd5b7874ae04c946863b'
 '0022d89a923e5e871ba53db1f969e46e'
- 'c7dae5d3fbb294ea14e67915ac86a37a'
+ '21da34d98cc007a78a11660863537c0d'
 'd4b95575b9cc32b7ba4ad8624972ddf9'
 '5f66bed97a5c37e48eb2f71b2d354b9a'
 '2967cecc3af9f954ccc822fd63dca6ff'
@@ -61,6 +64,9 @@ md5sums=('98a8e803e0ed08557f3cdd4d56b0ddc1'
 'a724515b350b29c53f20e631c6cf9a14'
 'e6fa278c092ad83780e2dd0568e24ca6'
 '93dbf73af819b77f03453a9c6de2bb47'
+ 'f93ef6157fbb23820bd5ae08fd3f451e'
+ '0db7629711f4ed76bd1f9da9f97bc4ea'
+ 'cb789bf97bc65fd4cf240d99df9c24c0'
 'ac92b702b8497d2be14f96e077a7f48f')
 if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches.
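Review bot: The `md5sums` array is the only integrity check applied to everything on the `source=` line, including the remote tarballs, and MD5 is no longer collision-resistant; makepkg also accepts `sha256sums=(...)`, so the next time these checksums are regenerated the array should be migrated to that form. The three new entries in the second hunk belong to local files shipped next to the PKGBUILD, so their checksums only catch accidental edits of those files, not problems in the tree they were taken from. The `'c7dae5d3fbb294ea14e67915ac86a37a'` → `'21da34d98cc007a78a11660863537c0d'` change presumably tracks the config.i686 edit in this same commit; the subject line does not mention it, and a one-line note would make the checksum churn auditable.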
@@ -118,6 +124,10 @@ prepare() {
 # Fix i8042 aliases
 patch -p1 -i "${srcdir}/i8042-fix-aliases.patch"
+ # add known exploit detection patch
+ # http://lkml.org/lkml/2013/12/12/358
+ patch -Np1 -i "${srcdir}/known-exploit-detection.patch"
+
 if [ "$CARCH" == "mips64el" ]; then
 sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
 sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \
diff --git a/kernels/linux-libre-grsec/config.i686 b/kernels/linux-libre-grsec/config.i686
index 5bbdedd4a..07840923d 100644
--- a/kernels/linux-libre-grsec/config.i686
+++ b/kernels/linux-libre-grsec/config.i686
@@ -497,7 +497,7 @@ CONFIG_KEXEC=y
 CONFIG_PHYSICAL_START=0x1000000
 CONFIG_RELOCATABLE=y
 CONFIG_X86_NEED_RELOCS=y
-CONFIG_PHYSICAL_ALIGN=0x100000
+CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
diff --git a/kernels/linux-libre-grsec/known-exploit-detection.patch b/kernels/linux-libre-grsec/known-exploit-detection.patch
index 4837a9ce5..7629b4d85 100644
--- a/kernels/linux-libre-grsec/known-exploit-detection.patch
+++ b/kernels/linux-libre-grsec/known-exploit-detection.patch
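Review bot: The new comment only links the original lkml posting, while the third file in this commit shows the local known-exploit-detection.patch was regenerated against a different tree (new `index` hashes and shifted hunk offsets), so the comment should also say which kernel the rebased copy is known to apply to, e.g. `# local rebase of the series below onto the ${_basekernel} tree; re-check the hunks on every kernel bump`. A small style point: the invocation two lines above uses `patch -p1 -i` and the new one uses `patch -Np1 -i`; pick one convention for prepare() so a reader does not wonder whether `-N` is deliberate. prepare() starts and ends outside this hunk.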
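Review bot: `CONFIG_PHYSICAL_ALIGN` moves from 0x100000 to 0x1000000 (1 MiB to 16 MiB) and nothing in the commit subject explains it; the context line shows it now equals `CONFIG_PHYSICAL_START=0x1000000`. This value constrains where the i686 kernel image can be placed, so an undocumented change is easy to lose on the next config refresh. Presumably it is required by the grsecurity/PaX options in this config (KERNEXEC on 32-bit is known to need a larger alignment — confirm against the grsec Kconfig help), and either the commit message or a comment next to the option in config.i686 should record that reason.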
@@ -1,147 +1,29 @@
-diff --git a/include/linux/exploit.h b/include/linux/exploit.h
-new file mode 100644
-index 0000000..a8df72a
---- /dev/null
-+++ b/include/linux/exploit.h
-@@ -0,0 +1,23 @@
-+#ifndef _LINUX_EXPLOIT_H
-+#define _LINUX_EXPLOIT_H
-+
-+#ifdef CONFIG_EXPLOIT_DETECTION
-+extern void _exploit(const char *id);
-+
-+#define exploit_on(cond, id) \
-+ do { \
-+ if (unlikely(cond)) \
-+ _exploit(id); \
-+ } while (0)
-+
-+#else
-+
-+#define exploit_on(cond, id) \
-+ do { \
-+ } while (0)
-+
-+#endif
-+
-+#define exploit(id) exploit_on(true, id)
-+
-+#endif
-diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..a828dfb 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -167,5 +167,17 @@ config DEFAULT_SECURITY
- default "yama" if DEFAULT_SECURITY_YAMA
- default "" if DEFAULT_SECURITY_DAC
-
--endmenu
-+config EXPLOIT_DETECTION
-+ bool "Known exploit detection"
-+ depends on PRINTK
-+ default y
-+ help
-+ This option enables the detection of users/programs who attempt to
-+ break into the kernel using publicly known (past) exploits.
-
-+ Upon detection, a message will be printed in the kernel log.
-
-+ The runtime overhead of enabling this option is extremely small, so
-+ you are recommended to say Y.
-+
-+endmenu
-diff --git a/security/Makefile b/security/Makefile
-index c26c81e..d152a1d 100644
---- a/security/Makefile
-+++ b/security/Makefile
-@@ -28,3 +28,5 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
- # Object integrity file lists
- subdir-$(CONFIG_INTEGRITY) += integrity
- obj-$(CONFIG_INTEGRITY) += integrity/built-in.o
-+
-+obj-$(CONFIG_EXPLOIT_DETECTION) += exploit.o
-diff --git a/security/exploit.c b/security/exploit.c
-new file mode 100644
-index 0000000..a732613
---- /dev/null
-+++ b/security/exploit.c
-@@ -0,0 +1,28 @@
-+#include
+diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
+index 3432443..f5af562 100644
+--- a/arch/x86/kernel/msr.c
++++ b/arch/x86/kernel/msr.c
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
+#include
-+#include
-+#include
-+#include
-+
-+void _exploit(const char *id)
-+{
-+ /*
-+ * This function needs to be super defensive/conservative, since
-+ * userspace can easily get to it from several different contexts.
-+ * We don't want it to become an attack vector in itself!
-+ *
-+ * We can assume that we're in process context, but spinlocks may
-+ * be held, etc.
-+ */
-+
-+ struct task_struct *task = current;
-+ pid_t pid = task_pid_nr(task);
-+ uid_t uid = from_kuid(&init_user_ns, current_uid());
-+ char comm[sizeof(task->comm)];
-+
-+ get_task_comm(comm, task);
-+
-+ pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
-+ id, pid, uid, comm);
-+}
-+EXPORT_SYMBOL(_exploit);
-diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
-index 75cef3f..65811d4 100644
---- a/include/uapi/linux/audit.h
-+++ b/include/uapi/linux/audit.h
-@@ -131,6 +131,7 @@
- #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
- #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
- #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
-+#define AUDIT_ANOM_EXPLOIT 1703 /* Known exploit attempt */
- #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
- #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
- #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
-diff --git a/security/exploit.c b/security/exploit.c
-index a732613..3d8ee5b 100644
---- a/security/exploit.c
-+++ b/security/exploit.c
-@@ -1,3 +1,4 @@
-+#include
- #include
- #include
- #include
-@@ -19,9 +20,24 @@ void _exploit(const char *id)
- pid_t pid = task_pid_nr(task);
- uid_t uid = from_kuid(&init_user_ns, current_uid());
- char comm[sizeof(task->comm)];
-+#ifdef CONFIG_AUDIT
-+ struct audit_buffer *ab;
-+#endif
- get_task_comm(comm, task);
+ #include
+ #include
+@@ -184,8 +185,10 @@ static int msr_open(struct inode *inode, struct file *file)
+ unsigned int cpu = iminor(file_inode(file));
+ struct cpuinfo_x86 *c;
-+#ifdef CONFIG_AUDIT
-+ ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
-+ if (ab) {
-+ audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
-+ id, pid, uid,
-+ from_kuid(&init_user_ns, audit_get_loginuid(task)),
-+ audit_get_sessionid(task));
-+ audit_log_untrustedstring(ab, comm);
-+ audit_log_end(ab);
+- if (!capable(CAP_SYS_RAWIO))
++ if (!capable(CAP_SYS_RAWIO)) {
++ exploit("CVE-2013-0268");
+ return -EPERM;
+ }
-+#endif
-+
- pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
- id, pid, uid, comm);
- }
+
+ if (cpu >= nr_cpu_ids || !cpu_online(cpu))
+ return -ENXIO; /* No such CPU */
 diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index bf34577..48490c1 100644
+index ee52ddd..be4c296 100644
 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 @@ -32,6 +32,7 @@
@@ -150,9 +32,9 @@ index bf34577..48490c1 100644
 #include
 +#include
- struct eb_objects {
- struct list_head objects;
-@@ -785,8 +786,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
+ #define __EXEC_OBJECT_HAS_PIN (1<<31)
+ #define __EXEC_OBJECT_HAS_FENCE (1<<30)
+@@ -878,8 +879,10 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
 * the worst case where we need to allocate the entire
 * relocation tree as a single array.
 */
@@ -164,30 +46,6 @@ index bf34577..48490c1 100644
 relocs_total += exec[i].relocation_count;
 length = exec[i].relocation_count *
-diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 88458fa..fad04f1 100644
---- a/arch/x86/kernel/msr.c
-+++ b/arch/x86/kernel/msr.c
-@@ -37,6 +37,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -174,8 +175,10 @@ static int msr_open(struct inode *inode, struct file *file)
- unsigned int cpu = iminor(file_inode(file));
- struct cpuinfo_x86 *c;
-
-- if (!capable(CAP_SYS_RAWIO))
-+ if (!capable(CAP_SYS_RAWIO)) {
-+ exploit("CVE-2013-0268");
- return -EPERM;
-+ }
-
- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
- return -ENXIO; /* No such CPU */
 diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
 index b1ce4c7..2fe83f0 100644
 --- a/fs/hfs/trans.c
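Review bot: The msr_open hook on the new side reports every `-EPERM` from the `capable(CAP_SYS_RAWIO)` check as a `CVE-2013-0268` attempt, which also covers an ordinary unprivileged open of the msr device node by a diagnostic tool, so the log line identifies the hardened code path rather than a confirmed exploit and anyone turning these messages into alerts should treat them as a heuristic. The id is a free-form string chosen by the hook, not something the reporting side verifies, so consumers are better served keying on the structured `AUDIT_ANOM_EXPLOIT` record than on parsing the dmesg text. Since this file is a rebased copy of the linked series, the right place for that caveat is the package's own documentation (for example next to the new sysctl.conf), not the vendored patch. msr_open continues outside this hunk.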
@@ -212,50 +70,6 @@ index b1ce4c7..2fe83f0 100644
 dst = out;
 dstlen = HFS_MAX_NAMELEN;
 if (nls_io) {
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 13fb113..df7a51a 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -22,6 +22,7 @@
- #include
- #include
- #include
-+#include
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
-
-@@ -806,11 +807,15 @@ static bool new_idmap_permitted(const struct file *file,
- kuid_t uid = make_kuid(ns->parent, id);
- if (uid_eq(uid, file->f_cred->fsuid))
- return true;
-+
-+ exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
- }
- else if (cap_setid == CAP_SETGID) {
- kgid_t gid = make_kgid(ns->parent, id);
- if (gid_eq(gid, file->f_cred->fsgid))
- return true;
-+
-+ exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
- }
- }
-
-@@ -822,9 +827,12 @@ static bool new_idmap_permitted(const struct file *file,
- * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
- * And the opener of the id file also had the approprpiate capability.
- */
-- if (ns_capable(ns->parent, cap_setid) &&
-+ if (ns_capable(ns->parent, cap_setid)) {
-+ if (file_ns_capable(file, ns->parent, cap_setid))
-+ return true;
-+
-+ exploit("CVE-2013-1959");
-+ }
-
- return false;
- }
 diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
 index 968ce41..5f47a1a 100644
 --- a/fs/hfsplus/catalog.c
@@ -304,8 +118,49 @@ index 4a4fea0..2d5e283 100644
 err = -EIO;
 goto out;
 }
+diff --git a/include/linux/exploit.h b/include/linux/exploit.h
+new file mode 100644
+index 0000000..a8df72a
+--- /dev/null
++++ b/include/linux/exploit.h
+@@ -0,0 +1,23 @@
++#ifndef _LINUX_EXPLOIT_H
++#define _LINUX_EXPLOIT_H
++
++#ifdef CONFIG_EXPLOIT_DETECTION
++extern void _exploit(const char *id);
++
++#define exploit_on(cond, id) \
++ do { \
++ if (unlikely(cond)) \
++ _exploit(id); \
++ } while (0)
++
++#else
++
++#define exploit_on(cond, id) \
++ do { \
++ } while (0)
++
++#endif
++
++#define exploit(id) exploit_on(true, id)
++
++#endif
+diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
+index 44b05a0..0a820b4 100644
+--- a/include/uapi/linux/audit.h
++++ b/include/uapi/linux/audit.h
+@@ -134,6 +134,7 @@
+ #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+ #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
+ #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
++#define AUDIT_ANOM_EXPLOIT 1703 /* Known exploit attempt */
+ #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
+ #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
+ #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 953c143..32b9383 100644
+index 11b21f0..a881843 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -39,6 +39,7 @@
@@ -316,7 +171,7 @@ index 953c143..32b9383 100644
 #include "internal.h"
-@@ -5721,6 +5722,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
+@@ -5772,6 +5773,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
 static int perf_swevent_init(struct perf_event *event)
 {
 u64 event_id = event->attr.config;
@@ -324,8 +179,52 @@ index 953c143..32b9383 100644
 if (event->attr.type != PERF_TYPE_SOFTWARE)
 return -ENOENT;
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 583473e..4614b6e 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,6 +22,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+
+@@ -827,11 +828,15 @@ static bool new_idmap_permitted(const struct file *file,
+ kuid_t uid = make_kuid(ns->parent, id);
+ if (uid_eq(uid, file->f_cred->fsuid))
+ return true;
++
++ exploit_on(uid_eq(uid, current_fsuid()), "CVE-2013-1959");
+ }
+ else if (cap_setid == CAP_SETGID) {
+ kgid_t gid = make_kgid(ns->parent, id);
+ if (gid_eq(gid, file->f_cred->fsgid))
+ return true;
++
++ exploit_on(gid_eq(gid, current_fsgid()), "CVE-2013-1959");
+ }
+ }
+
+@@ -843,9 +848,12 @@ static bool new_idmap_permitted(const struct file *file,
+ * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
+ * And the opener of the id file also had the approprpiate capability.
+ */
+- if (ns_capable(ns->parent, cap_setid) &&
+- file_ns_capable(file, ns->parent, cap_setid))
+- return true;
++ if (ns_capable(ns->parent, cap_setid)) {
++ if (file_ns_capable(file, ns->parent, cap_setid))
++ return true;
++
++ exploit("CVE-2013-1959");
++ }
+
+ return false;
+ }
 diff --git a/net/core/sock.c b/net/core/sock.c
-index 0b39e7a..c16246f 100644
+index 997c88b..5fc9f05 100644
 --- a/net/core/sock.c
 +++ b/net/core/sock.c
 @@ -117,6 +117,7 @@
@@ -336,7 +235,7 @@ index 0b39e7a..c16246f 100644
 #include
-@@ -1753,8 +1754,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+@@ -1758,8 +1759,10 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 int i;
 err = -EMSGSIZE;
@@ -348,3 +247,86 @@ index 0b39e7a..c16246f 100644
 timeo = sock_sndtimeo(sk, noblock);
 while (!skb) {
+diff --git a/security/Kconfig b/security/Kconfig
+index 0ebde71..9afec5d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -1120,5 +1120,17 @@ config DEFAULT_SECURITY
+ default "yama" if DEFAULT_SECURITY_YAMA
+ default "" if DEFAULT_SECURITY_DAC
+
+-endmenu
++config EXPLOIT_DETECTION
++ bool "Known exploit detection"
++ depends on PRINTK
++ default y
++ help
++ This option enables the detection of users/programs who attempt to
++ break into the kernel using publicly known (past) exploits.
+
++ Upon detection, a message will be printed in the kernel log.
++
++ The runtime overhead of enabling this option is extremely small, so
++ you are recommended to say Y.
++
++endmenu
+diff --git a/security/Makefile b/security/Makefile
+index a5918e0..abc70cd 100644
+--- a/security/Makefile
++++ b/security/Makefile
+@@ -27,3 +27,5 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+ # Object integrity file lists
+ subdir-$(CONFIG_INTEGRITY) += integrity
+ obj-$(CONFIG_INTEGRITY) += integrity/built-in.o
++
++obj-$(CONFIG_EXPLOIT_DETECTION) += exploit.o
+diff --git a/security/exploit.c b/security/exploit.c
+new file mode 100644
+index 0000000..3d8ee5b
+--- /dev/null
++++ b/security/exploit.c
+@@ -0,0 +1,44 @@
++#include
++#include
++#include
++#include
++#include
++#include
++
++void _exploit(const char *id)
++{
++ /*
++ * This function needs to be super defensive/conservative, since
++ * userspace can easily get to it from several different contexts.
++ * We don't want it to become an attack vector in itself!
++ *
++ * We can assume that we're in process context, but spinlocks may
++ * be held, etc.
++ */
++
++ struct task_struct *task = current;
++ pid_t pid = task_pid_nr(task);
++ uid_t uid = from_kuid(&init_user_ns, current_uid());
++ char comm[sizeof(task->comm)];
++#ifdef CONFIG_AUDIT
++ struct audit_buffer *ab;
++#endif
++
++ get_task_comm(comm, task);
++
++#ifdef CONFIG_AUDIT
++ ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_ANOM_EXPLOIT);
++ if (ab) {
++ audit_log_format(ab, "exploit id=%s pid=%u uid=%u auid=%u ses=%u comm=",
++ id, pid, uid,
++ from_kuid(&init_user_ns, audit_get_loginuid(task)),
++ audit_get_sessionid(task));
++ audit_log_untrustedstring(ab, comm);
++ audit_log_end(ab);
++ }
++#endif
++
++ pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
++ id, pid, uid, comm);
++}
++EXPORT_SYMBOL(_exploit);
-- 
cgit v1.2.3-54-g00ecf
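Review bot: `pr_warn_ratelimited()` at the end of `_exploit()` prints `comm` with a bare `%s`, while the audit branch a few lines above passes the same buffer through `audit_log_untrustedstring()`; `comm` is chosen by the reported process itself, so unescaped control characters in it can forge additional lines in the very kernel log this message is meant to make trustworthy. The printk branch should escape non-printable bytes the way the audit branch does, or the function comment (which already says the function must not become an attack vector) should state that the dmesg line is informational and the audit record is the authoritative one. Separately, the audit path has no rate limiting of its own here, unlike the printk path, and `_exploit()` is reachable from unprivileged syscall paths hooked elsewhere in this patch, so the audit backlog and rate settings are the only throttle on that side; a one-line comment such as `/* audit side relies on the auditd backlog/rate limits; printk side is ratelimited here */` would help whoever tunes auditd on these kernels.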