[grsec] Patch for CONFIG_NET=n
Robert Beeporbop
rbeeporbop at yahoo.com
Tue May 24 03:20:39 EDT 2011
I patched linux 2.6.38.6 with the grsecurity patch, and then configured the kernel with no networking support. Below is a patch to make that work... I have also attempted to patch the kernel with both the grsecurity patch and the xen dom0 patch (from http://code.google.com/p/gentoo-xen-kernel/downloads/list), but there are some problems... If anyone has a patch for this, please forward it on! I have started merging, so if this isn't already done, I will have a patch for this eventually. I am moving to 2.6.39, and there are a few problems with the xen dom0 patch as well.
After this, I am going to reduce the Linux kernel down to the bare minimum, whacking entire kernel subsystems if possible, to make a hardened xen dom0 "monitor". And, implement some in-kernel framebuffer mirroring routines so that networking is not necessary to access domU framebuffers locally. If anyone has any interest in this, or has done any related work, please tell me! I'm going to work on it anyways, though I'll probably go faster if others are interested, and especially if others are willing to help...
Rob
--- linux-2.6.38.6/grsecurity/Makefile 2011-05-05 00:00:00.000000000 0000
+++ linux-2.6.38.6-grsec/grsecurity/Makefile 2011-05-05 02:45:19.000000000 0000
@@ -10,11 +10,15 @@
grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
-obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
gracl_learn.o grsec_log.o
obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
+ifdef CONFIG_NET
+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
+endif
+
ifndef CONFIG_GRKERNSEC
obj-y += grsec_disabled.o
endif
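Review bot: Building gracl_ip.o only under CONFIG_NET leaves every declaration of its functions in the grsecurity headers without a definition, and the patch touches no header; unless those headers already carry `#ifdef CONFIG_NET` stubs, any remaining reference from the other grsecurity objects or from generic code will fail at link time with `CONFIG_NET=n`. It is worth a link test in that configuration, or adding `static inline` no-op stubs under an `#else` in the header that declares them. The `ifdef` itself is acceptable Kbuild here, since the object depends on two options and the usual `obj-$(CONFIG_FOO)` form cannot express that, but the block would read better placed directly after the `obj-$(CONFIG_GRKERNSEC)` list it extends, and the trailing added blank line is not needed.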
diff -ur linux-2.6.38.6/grsecurity/gracl.c linux-2.6.38.6-grsec/grsecurity/gracl.c
--- linux-2.6.38.6/grsecurity/gracl.c 2011-05-05 00:00:00.000000000 0000
+++ linux-2.6.38.6-grsec/grsecurity/gracl.c 2011-05-05 00:00:00.000000000 0000
@@ -73,7 +73,10 @@
static unsigned int gr_auth_attempts = 0;
static unsigned long gr_auth_expires = 0UL;
+#ifdef CONFIG_NET
extern struct vfsmount *sock_mnt;
+#endif
+
extern struct vfsmount *pipe_mnt;
extern struct vfsmount *shm_mnt;
#ifdef CONFIG_HUGETLBFS
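Review bot: The second gracl.c hunk (`@@ -1827,7 +1830,11 @@`) splices an `#ifdef CONFIG_NET` into the middle of a multi-line `||` expression, which is hard to read and easy to break on the next edit; the conditional compilation is better confined to this declaration site with a small helper so the `if` stays one plain expression. With the definition below, the condition in the other hunk becomes `mnt == pipe_mnt || gr_is_sock_mnt(mnt) ||` and needs no preprocessor lines of its own. The blank line added after `#endif` here and the one added before the `if` in the second hunk are unrelated whitespace changes and should be dropped. The `if` condition in that hunk continues past the lines shown here.

```c
#ifdef CONFIG_NET
extern struct vfsmount *sock_mnt;
#define gr_is_sock_mnt(m)	((m) == sock_mnt)
#else
#define gr_is_sock_mnt(m)	(0)
#endif
/* … unchanged: pipe_mnt / shm_mnt externs … */
```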
@@ -1827,7 +1830,11 @@
write_seqlock(&rename_lock);
br_read_lock(vfsmount_lock);
- if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt || mnt == sock_mnt ||
+
+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
+#ifdef CONFIG_NET
+ mnt == sock_mnt ||
+#endif
#ifdef CONFIG_HUGETLBFS
(mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
#endif