diff -Nru gradm2-3.0~201311242038/COPYING gradm2-3.0~201401282126/COPYING --- gradm2-3.0~201311242038/COPYING 1970-01-01 00:00:00.000000000 +0000 +++ gradm2-3.0~201401282126/COPYING 2014-01-29 02:25:05.000000000 +0000 
@@ -0,0 +1,280 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS diff -Nru gradm2-3.0~201311242038/COPYRIGHT gradm2-3.0~201401282126/COPYRIGHT --- gradm2-3.0~201311242038/COPYRIGHT 1970-01-01 00:00:00.000000000 +0000 +++ gradm2-3.0~201401282126/COPYRIGHT 2014-01-29 02:25:05.000000000 +0000 
@@ -0,0 +1,16 @@ +gradm - Userland grsecurity RBAC administration and policy analysis utility +Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + http://www.grsecurity.net spender@grsecurity.net + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License version 2 +as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. diff -Nru gradm2-3.0~201311242038/Makefile gradm2-3.0~201401282126/Makefile --- gradm2-3.0~201311242038/Makefile 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/Makefile 2014-01-29 02:25:05.000000000 +0000 @@ -1,8 +1,9 @@ ############################################################################## -# gradm (c) 2002-2013 - Brad Spengler, Open Source Security Inc. # +# gradm (c) 2002-2014 - Brad Spengler, Open Source Security Inc. # # http://www.grsecurity.net # #----------------------------------------------------------------------------# -# gradm is licensed under the GNU GPL v2 or higher http://www.gnu.org # +# gradm is licensed under the GNU GPL v2 only http://www.gnu.org # +# see COPYRIGHT and LICENSE files for more information # ############################################################################## GRADM_BIN=gradm diff -Nru gradm2-3.0~201311242038/debian/changelog gradm2-3.0~201401282126/debian/changelog --- gradm2-3.0~201311242038/debian/changelog 2013-12-28 14:27:32.000000000 +0000 +++ gradm2-3.0~201401282126/debian/changelog 2014-01-29 17:30:03.000000000 +0000 
@@ -1,3 +1,10 @@ +gradm2 (3.0~201401282126-1) unstable; urgency=low + + * New upstream release. + * Update patches. + + -- Laszlo Boszormenyi (GCS) Wed, 29 Jan 2014 17:59:19 +0100 + gradm2 (3.0~201311242038-1) unstable; urgency=low * New upstream release. diff -Nru gradm2-3.0~201311242038/debian/patches/01-do_not_conflict_with_gradm.patch gradm2-3.0~201401282126/debian/patches/01-do_not_conflict_with_gradm.patch --- gradm2-3.0~201311242038/debian/patches/01-do_not_conflict_with_gradm.patch 2013-09-19 08:16:26.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/01-do_not_conflict_with_gradm.patch 2014-01-29 17:19:58.000000000 +0000 @@ -1,15 +1,15 @@ Description: prevent previous conflict with gradm Previously gradm was in the archive, both administering grsecurity, but for - 2.4.x and 2.6.x+ kernels. Carry on the naming, even when gradm is gone. -Author: Laszlo Boszormenyi (GCS) -Last-Update: <2012-06-09> + 2.4.x, 2.6.x+ and 3.x+ kernels. Carry on the naming, even when gradm is gone. +Author: Laszlo Boszormenyi (GCS) +Last-Update: 2014-01-29 --- ---- gradm2-2.9~201202232055.orig/Makefile -+++ gradm2-2.9~201202232055/Makefile -@@ -5,9 +5,9 @@ - # gradm is licensed under the GNU GPL v2 or higher http://www.gnu.org # +--- gradm2-3.0~201401282126.orig/Makefile ++++ gradm2-3.0~201401282126/Makefile +@@ -6,9 +6,9 @@ + # see COPYRIGHT and LICENSE files for more information # ############################################################################## -GRADM_BIN=gradm @@ -20,9 +20,9 @@ LLEX=/usr/bin/lex FLEX=/usr/bin/flex ---- gradm2-2.9~201202232055.orig/gradm_analyze.c -+++ gradm2-2.9~201202232055/gradm_analyze.c -@@ -225,7 +225,7 @@ check_learning(struct role_acl *role) +--- gradm2-3.0~201401282126.orig/gradm_analyze.c ++++ gradm2-3.0~201401282126/gradm_analyze.c +@@ -250,7 +250,7 @@ check_learning(struct role_acl *role) "Warning: You have enabled learning on the role " "%s. You have not used -L on the command " "line however. If you wish to use learning " 
@@ -31,7 +31,7 @@ "Otherwise, remove the learning flag on this role.\n", role->rolename); errs_found++; -@@ -238,7 +238,7 @@ check_learning(struct role_acl *role) +@@ -263,7 +263,7 @@ check_learning(struct role_acl *role) "learning on the subject for %s in role " "%s. You have not used -L on the command " "line however. If you wish to use learning " @@ -40,7 +40,7 @@ "Otherwise, remove the learning flag on this subject.\n", tmp->filename, role->rolename); errs_found++; -@@ -597,7 +597,7 @@ check_role_transitions(void) +@@ -622,7 +622,7 @@ check_role_transitions(void) if (role->transitions && !(role->roletype & (GR_ROLE_SPECIAL | GR_ROLE_AUTH))) { fprintf(stderr, "Error in role %s: a transition to a special role exists, " "but the \"G\" flag is not present on the role to grant it " @@ -49,7 +49,7 @@ role->rolename); errors++; } -@@ -809,9 +809,9 @@ analyze_acls(void) +@@ -834,9 +834,9 @@ analyze_acls(void) errs_found++; } @@ -61,7 +61,7 @@ errs_found++; } -@@ -821,7 +821,7 @@ analyze_acls(void) +@@ -846,7 +846,7 @@ analyze_acls(void) "holds shell configurations for the root user. " "If writing is allowed to this directory, an attacker " "could modify your $PATH environment to fool you " @@ -70,8 +70,8 @@ role->rolename); errs_found++; } ---- gradm2-2.9~201202232055.orig/gradm_defs.h -+++ gradm2-2.9~201202232055/gradm_defs.h +--- gradm2-3.0~201401282126.orig/gradm_defs.h ++++ gradm2-3.0~201401282126/gradm_defs.h @@ -2,12 +2,12 @@ #define __GRADM_DEFS_H @@ -88,8 +88,8 @@ #define GR_POLICY_PATH GRSEC_DIR "/policy" #define GR_PW_PATH GRSEC_DIR "/pw" #define GR_LEARN_CONFIG_PATH GRSEC_DIR "/learn_config" ---- gradm2-2.9~201202232055.orig/policy -+++ gradm2-2.9~201202232055/policy +--- gradm2-3.0~201401282126.orig/policy ++++ gradm2-3.0~201401282126/policy @@ -5,14 +5,14 @@ # roles do not have. In particular, this role bypasses the # additional ptrace restrictions 
@@ -108,7 +108,7 @@ # T -> Enable TPE for this role # l -> Enable learning for this role # P -> Use PAM authentication for this role. -@@ -100,7 +100,7 @@ +@@ -102,7 +102,7 @@ # all accesses of this subject and anything it executes to be placed # in this subject, and inheritance flags added to executable objects # in this subject @@ -117,7 +117,7 @@ # s -> enable AT_SECURE when entering this subject # (enables the same environment sanitization that occurs in glibc # upon execution of a suid binary) -@@ -184,15 +184,15 @@ +@@ -188,15 +188,15 @@ # # To learn on a given role, add l to the role mode # For both of these, to enable learning, enable the system like: @@ -137,7 +137,7 @@ # # New PaX flag format (replaces PaX subject flags): # PaX flags can be forced on or off, regardless of the flags on the -@@ -244,11 +244,11 @@ +@@ -248,11 +248,11 @@ define grsec_denied { /boot h @@ -151,7 +151,7 @@ /proc/kcore h /proc/slabinfo h /proc/modules h -@@ -293,10 +293,10 @@ subject /sbin/shutdown rvkao +@@ -297,10 +297,10 @@ subject /sbin/shutdown rvkao /dev/initctl rwf /run/initctl rwf @@ -164,7 +164,7 @@ role admin sA subject / rvka -@@ -349,7 +349,7 @@ subject / +@@ -353,7 +353,7 @@ subject / $grsec_denied # if sshd needs to be restarted, it can be done through the admin role @@ -173,7 +173,7 @@ /usr/sbin/sshd -CAP_KILL -@@ -393,7 +393,7 @@ subject /usr/sbin/sshd dpo +@@ -397,7 +397,7 @@ subject /usr/sbin/sshd dpo /dev/tty rw /dev/tty? rw /etc r diff -Nru gradm2-3.0~201311242038/debian/patches/02-handle_nostrip_deb_build_options.patch gradm2-3.0~201401282126/debian/patches/02-handle_nostrip_deb_build_options.patch --- gradm2-3.0~201311242038/debian/patches/02-handle_nostrip_deb_build_options.patch 2013-09-19 08:27:16.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/02-handle_nostrip_deb_build_options.patch 2014-01-29 17:21:13.000000000 +0000 
@@ -6,7 +6,7 @@ --- gradm2-2.9.1~201309161709.orig/Makefile +++ gradm2-2.9.1~201309161709/Makefile -@@ -23,7 +23,11 @@ MKNOD=/bin/mknod +@@ -24,7 +24,11 @@ MKNOD=/bin/mknod #CC=/usr/bin/diet /usr/bin/gcc CC=/usr/bin/gcc FIND=/usr/bin/find diff -Nru gradm2-3.0~201311242038/debian/patches/10-build_with_fpic.patch gradm2-3.0~201401282126/debian/patches/10-build_with_fpic.patch --- gradm2-3.0~201311242038/debian/patches/10-build_with_fpic.patch 2013-09-19 09:13:51.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/10-build_with_fpic.patch 2014-01-29 17:23:19.000000000 +0000 @@ -1,13 +1,13 @@ Description: add -fPIC for hardening compilation . Author: Laszlo Boszormenyi (GCS) -Last-Update: 2013-09-19 +Last-Update: 2014-01-29 --- ---- gradm2-2.9.1~201309161709.orig/Makefile -+++ gradm2-2.9.1~201309161709/Makefile -@@ -29,7 +29,7 @@ else +--- gradm2-3.0~201401282126.orig/Makefile ++++ gradm2-3.0~201401282126/Makefile +@@ -30,7 +30,7 @@ else STRIP=/bin/true endif LIBS := $(shell if [ "`uname -m`" != "sparc64" -a "`uname -m`" != "x86_64" ]; then echo "-lfl" ; else echo "" ; fi) diff -Nru gradm2-3.0~201311242038/debian/patches/11-do_not_empty_ldflags.patch gradm2-3.0~201401282126/debian/patches/11-do_not_empty_ldflags.patch --- gradm2-3.0~201311242038/debian/patches/11-do_not_empty_ldflags.patch 2013-09-19 08:57:53.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/11-do_not_empty_ldflags.patch 2014-01-29 17:29:28.000000000 +0000 
@@ -2,8 +2,8 @@ Upstream clears LDFLAGS for an unknown reason, preventing hardened compilation. Disable this. . -Author: Laszlo Boszormenyi (GCS) -Last-Update: <2012-06-21> +Author: Laszlo Boszormenyi (GCS) +Last-Update: 2012-06-21 --- diff -Nru gradm2-3.0~201311242038/debian/patches/12-use_CPPFLAGS_for_hardening.patch gradm2-3.0~201401282126/debian/patches/12-use_CPPFLAGS_for_hardening.patch --- gradm2-3.0~201311242038/debian/patches/12-use_CPPFLAGS_for_hardening.patch 2013-09-19 08:48:57.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/12-use_CPPFLAGS_for_hardening.patch 2014-01-29 17:29:38.000000000 +0000 @@ -1,6 +1,6 @@ Description: use CPPFLAGS in Makefile Add CPPFLAGS to Makefile to build with hardening enabled. -Author: Laszlo Boszormenyi (GCS) +Author: Laszlo Boszormenyi (GCS) Last-Update: 2013-03-16 --- diff -Nru gradm2-3.0~201311242038/debian/patches/15-update-selinux-path.patch gradm2-3.0~201401282126/debian/patches/15-update-selinux-path.patch --- gradm2-3.0~201311242038/debian/patches/15-update-selinux-path.patch 2013-09-19 09:49:45.000000000 +0000 +++ gradm2-3.0~201401282126/debian/patches/15-update-selinux-path.patch 2014-01-29 17:02:01.000000000 +0000 @@ -9,7 +9,7 @@ --- gradm2-2.9.1~201309161709.orig/gradm_adm.c +++ gradm2-2.9.1~201309161709/gradm_adm.c -@@ -171,7 +171,7 @@ add_gradm_pam_acl(struct role_acl *role) +@@ -208,7 +208,7 @@ add_gradm_pam_acl(struct role_acl *role) ADD_OBJ("/dev/urandom", "r"); ADD_OBJ("/proc", ""); ADD_OBJ("/proc/filesystems", "r"); 
@@ -20,7 +20,7 @@ ADD_OBJ("/dev/tty?", "rw"); --- gradm2-2.9.1~201309161709.orig/policy +++ gradm2-2.9.1~201309161709/policy -@@ -406,7 +406,7 @@ subject /usr/sbin/sshd dpo +@@ -410,7 +410,7 @@ subject /usr/sbin/sshd dpo /proc/kcore h /proc/sys h /proc/sys/kernel/ngroups_max r diff -Nru gradm2-3.0~201311242038/gradm.h gradm2-3.0~201401282126/gradm.h --- gradm2-3.0~201311242038/gradm.h 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm.h 2014-01-29 02:25:05.000000000 +0000 @@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #ifndef GRADM_H #define GRADM_H #include diff -Nru gradm2-3.0~201311242038/gradm.l gradm2-3.0~201401282126/gradm.l --- gradm2-3.0~201311242038/gradm.l 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include "gradm.tab.h" @@ -122,7 +142,7 @@ gradmerror("invalid pathname error"); return SUBJ_NAME; } -[TKCAOtolhpkvdbriasx]+ { +[TKCAOtolhpkvdbriasxZ]+ { gradmlval.num = proc_subject_mode_conv(yytext); return SUBJ_MODE; } @@ -395,7 +415,7 @@ gradmerror("invalid pathname error"); return OBJ_NAME; } -[rwxahitmlLFRWXAIMcCdDspof]+ { +[rwxahitmlLFRWXAIMcCdDspofZ]+ { gradmlval.num = proc_object_mode_conv(yytext); return OBJ_MODE; } diff -Nru gradm2-3.0~201311242038/gradm.y gradm2-3.0~201401282126/gradm.y --- gradm2-3.0~201311242038/gradm.y 2013-11-25 01:35:58.000000000 +0000 +++ gradm2-3.0~201401282126/gradm.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,25 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + + #include "gradm.h" extern int gradmlex(void); diff -Nru gradm2-3.0~201311242038/gradm_adm.c gradm2-3.0~201401282126/gradm_adm.c --- gradm2-3.0~201311242038/gradm_adm.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_adm.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #define ADD_OBJ(x, y) \ @@ -67,11 +87,22 @@ char *gradm_name; struct ip_acl ip; struct protoent *proto; + char *gradm_path; + char *grpam_path; find_gradm_path(gradm_realpath); gradm_name = gr_strdup(gradm_realpath); - if (gr_enable && strcmp(gradm_name, GRADM_PATH)) { + + if (bikeshedding_detected()) { + gradm_path = get_bikeshedded_path(GRADM_PATH); + grpam_path = get_bikeshedded_path(GRPAM_PATH); + } else { + gradm_path = GRADM_PATH; + grpam_path = GRPAM_PATH; + } + + if (gr_enable && strcmp(gradm_name, gradm_path)) { printf("You are attempting to use a gradm binary other " "than the installed version. Depending on your " "policy, you could be locking yourself out of " @@ -122,7 +153,7 @@ ADD_OBJ("/lib64", "rx"); ADD_OBJ("/usr/lib64", "rx"); ADD_OBJ(gradm_name, "x"); - ADD_OBJ(GRPAM_PATH, "x"); + ADD_OBJ(grpam_path, "x"); add_cap_acl(current_subject, "-CAP_ALL", NULL); add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL); 
@@ -135,8 +166,14 @@ { struct ip_acl ip; struct protoent *proto; + char *grpam_path; + + if (bikeshedding_detected()) + grpam_path = get_bikeshedded_path(GRPAM_PATH); + else + grpam_path = GRPAM_PATH; - add_proc_subject_acl(role, GRPAM_PATH, proc_subject_mode_conv("ado"), 0); + add_proc_subject_acl(role, grpam_path, proc_subject_mode_conv("ado"), 0); ADD_OBJ(GRDEV_PATH, "w"); @@ -189,7 +226,7 @@ ADD_OBJ("/usr/lib32", "rx"); ADD_OBJ("/lib64", "rx"); ADD_OBJ("/usr/lib64", "rx"); - ADD_OBJ(GRPAM_PATH, "x"); + ADD_OBJ(grpam_path, "x"); add_cap_acl(current_subject, "-CAP_ALL", NULL); add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL); @@ -218,20 +255,26 @@ { struct stat fstat; struct ip_acl ip; + char *grlearn_path; + + if (bikeshedding_detected()) + grlearn_path = get_bikeshedded_path(GRLEARN_PATH); + else + grlearn_path = GRLEARN_PATH; - if (stat(GRLEARN_PATH, &fstat)) { - fprintf(stderr, "%s does not exist. Please reinstall gradm.\n", GRLEARN_PATH); + if (stat(grlearn_path, &fstat)) { + fprintf(stderr, "%s does not exist. Please reinstall gradm.\n", grlearn_path); exit(EXIT_FAILURE); } - add_proc_subject_acl(role, GRLEARN_PATH, proc_subject_mode_conv("hpado"), 0); + add_proc_subject_acl(role, grlearn_path, proc_subject_mode_conv("hpado"), 0); memset(&ip, 0, sizeof (ip)); add_ip_acl(current_subject, GR_IP_CONNECT, &ip); add_ip_acl(current_subject, GR_IP_BIND, &ip); ADD_OBJ("/", "h"); - ADD_OBJ(GRLEARN_PATH, "x"); + ADD_OBJ(grlearn_path, "x"); add_cap_acl(current_subject, "-CAP_ALL", NULL); diff -Nru gradm2-3.0~201311242038/gradm_analyze.c gradm2-3.0~201401282126/gradm_analyze.c --- gradm2-3.0~201311242038/gradm_analyze.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_analyze.c 2014-01-29 02:25:05.000000000 +0000 
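Review bot: the `if (bikeshedding_detected()) x = get_bikeshedded_path(X); else x = X;` sequence now appears three times in gradm_adm.c (GRADM_PATH and GRPAM_PATH above, GRPAM_PATH again in the @@ -135,8 +166,14 @@ hunk, GRLEARN_PATH in the @@ -218,20 +255,26 @@ hunk). Fold it into one helper in gradm_lib.c, for example a `get_installed_path(const char *path)` (name is a suggestion) that returns either the compiled-in string or the prefixed copy, so each call site becomes a single assignment and a future change to the detection logic has one place to land. In the grlearn hunk it is right that the stat() failure message prints `grlearn_path`, the path that was actually tested, rather than the compiled-in constant.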
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct file_acl *get_exact_matching_object(struct proc_acl *subject, const char *filename) @@ -161,6 +181,7 @@ for (sym = symlinks; sym; sym = sym->next) { char buf[PATH_MAX]; + struct stat64 src_st, dst_st; memset(&buf, 0, sizeof (buf)); if (!realpath(sym->obj->filename, buf)) 
@@ -170,10 +191,14 @@ if (!strcmp(buf, "/proc/self")) continue; - tmpf = get_exact_matching_object(sym->subj, buf); - if (tmpf == NULL) { - fprintf(stdout, "Warning: object does not exist in role %s, subject %s for the target of the symlink object %s specified on line %lu of %s.\n", - sym->role->rolename, sym->subj->filename, sym->obj->filename, sym->lineno, sym->policy_file); + tmpf = get_matching_object(sym->subj, buf); + if (tmpf->mode != sym->obj->mode) { + fprintf(stdout, "Warning: permission for symlink %s in role %s, subject %s does not match that of its matching target object %s. Symlink is specified on line %lu of %s.\n", + sym->obj->filename, sym->role->rolename, sym->subj->filename, tmpf->filename, sym->lineno, sym->policy_file); + } + else if (!lstat64(buf, &dst_st) && !lstat64(sym->obj->filename, &src_st) && src_st.st_uid != dst_st.st_uid) { + fprintf(stdout, "Warning: owner of symlink %s in role %s, subject %s does not match that of its target %s. Symlink is specified on line %lu of %s.\n", + sym->obj->filename, sym->role->rolename, sym->subj->filename, buf, sym->lineno, sym->policy_file); } } diff -Nru gradm2-3.0~201311242038/gradm_arg.c gradm2-3.0~201401282126/gradm_arg.c --- gradm2-3.0~201311242038/gradm_arg.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_arg.c 2014-01-29 02:25:05.000000000 +0000 
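Review bot: the gradm_analyze.c hunk at @@ -170,10 +191,14 @@ drops the NULL test that the old code had and dereferences `tmpf->mode` immediately after `tmpf = get_matching_object(sym->subj, buf);`. Unless get_matching_object() is guaranteed to return an object for every subject (for instance because every subject carries a "/" object), keep a `if (tmpf == NULL) continue;` or a warning in front of the comparison. Two smaller points on the new checks: `tmpf->mode != sym->obj->mode` is an exact comparison, so a target object that carries a superset of the symlink object's permissions also triggers the warning; if that is intended, the message should say "does not match exactly". The ownership check is the security-relevant one and deserves a more explicit message: a symlink whose owner differs from the target's owner can be repointed by that owner, so an object granted on the symlink path is effectively granted on whatever the link owner chooses. Using lstat64() on `buf` is fine here because `buf` is realpath() output and never a symlink itself.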
@@ -1,11 +1,41 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" static void show_version(void) { - printf("gradm v%s\n" - "Licensed under the GNU General Public License (GPL) version 2 or higher\n" - "Copyright 2002-2013 - Brad Spengler, Open Source Security, Inc.\n", GR_VERSION); + printf("gradm v%s - grsecurity RBAC administration and policy analysis utility\n" + "Copyright 2002-2014 - Brad Spengler, Open Source Security, Inc.\n" + "Email: spender@grsecurity.net\n\n" + "This program is free software: you can redistribute it and/or modify\n" + "it under the terms of the GNU General Public License version 2 as published\n" + "by the Free Software Foundation.\n\n" + "This program is distributed in the hope that it will be useful,\n" + "but WITHOUT ANY WARRANTY; without even the implied warranty of\n" + "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n" + "GNU General Public License for more details.\n\n" + "You should have received a copy of the GNU General Public License\n" + "along with this program. If not, see .\n\n" + , GR_VERSION); exit(EXIT_SUCCESS); } 
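Review bot: the show_version() hunk in gradm_arg.c changes the stated terms from "GNU General Public License (GPL) version 2 or higher" to "version 2" only, and the new per-file headers say the same. That is a change of licence terms, not a cosmetic banner edit, and it should be called out in the changelog or commit message. Separately, the last banner line reads `along with this program. If not, see .` with nothing between "see" and the period; if that is the real source string rather than an artifact of how the patch is rendered here, supply the URL or the FSF postal address that the file headers use.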
@@ -13,7 +43,7 @@ show_help(void) { printf("gradm %s\n" - "grsecurity administration program\n\n" + "grsecurity RBAC administration and policy analysis utility\n\n" "Usage: gradm [option] ... \n\n" "Examples:\n" " gradm -P\n" @@ -51,7 +81,7 @@ " Authenticates to a special role through PAM\n" " -V, --verbose Display verbose policy statistics when enabling system\n" " -h, --help Display this help\n" - " -v, --version Display version information\n", + " -v, --version Display version and GPLv2 license information\n", GR_VERSION); exit(EXIT_SUCCESS); diff -Nru gradm2-3.0~201311242038/gradm_cap.c gradm2-3.0~201401282126/gradm_cap.c --- gradm2-3.0~201311242038/gradm_cap.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_cap.c 2014-01-29 02:25:05.000000000 +0000 @@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct capability_set capability_list[] = { diff -Nru gradm2-3.0~201311242038/gradm_defs.h gradm2-3.0~201401282126/gradm_defs.h --- gradm2-3.0~201311242038/gradm_defs.h 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_defs.h 2014-01-29 02:25:05.000000000 +0000 
@@ -184,7 +184,8 @@ GR_NOPTRACE = 0x00200000, GR_SUPPRESS = 0x00400000, GR_NOLEARN = 0x00800000, - GR_INIT_TRANSFER= 0x01000000 + GR_INIT_TRANSFER= 0x01000000, + GR_OBJ_REPLACE = 0x02000000 }; enum { @@ -228,7 +229,8 @@ GR_KERNELAUTH = 0x00020000, GR_ATSECURE = 0x00040000, GR_SHMEXEC = 0x00080000, - GR_GLOBANCHOR = 0x00100000 + GR_GLOBANCHOR = 0x00100000, + GR_SUBJ_REPLACE = 0x00200000 }; enum { @@ -426,7 +428,7 @@ struct gr_hash_struct *hash; struct gr_learn_file_node *subject_list; struct gr_learn_ip_node *allowed_ips; -}; +}; struct gr_learn_group_node { struct gr_learn_group_node *prev; diff -Nru gradm2-3.0~201311242038/gradm_fulllearn.c gradm2-3.0~201401282126/gradm_fulllearn.c --- gradm2-3.0~201311242038/gradm_fulllearn.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn.c 2014-01-29 02:25:05.000000000 +0000 
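Review bot: the gradm_defs.h hunks add `GR_OBJ_REPLACE = 0x02000000` to the object mode enum and `GR_SUBJ_REPLACE = 0x00200000` to the subject mode enum, but nothing else in this part of the patch parses, prints or transmits them. These mode bits are part of the policy that gradm hands to the kernel, so the values must agree with the kernel-side definitions of the same names; a one-line comment next to each constant stating what "replace" means for an object and a subject would also help whoever wires up the parser. The `-}; +};` change at @@ -426,7 +428,7 @@ is whitespace only and needs no review.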
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern struct gr_learn_file_node **cachednode; diff -Nru gradm2-3.0~201311242038/gradm_fulllearn_pass1.l gradm2-3.0~201401282126/gradm_fulllearn_pass1.l --- gradm2-3.0~201311242038/gradm_fulllearn_pass1.l 2013-11-25 01:35:58.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn_pass1.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include "fulllearn_pass1.tab.h" diff -Nru gradm2-3.0~201311242038/gradm_fulllearn_pass1.y gradm2-3.0~201401282126/gradm_fulllearn_pass1.y --- gradm2-3.0~201311242038/gradm_fulllearn_pass1.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn_pass1.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int fulllearn_pass1lex(void); diff -Nru gradm2-3.0~201311242038/gradm_fulllearn_pass2.l gradm2-3.0~201401282126/gradm_fulllearn_pass2.l --- gradm2-3.0~201311242038/gradm_fulllearn_pass2.l 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn_pass2.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include "fulllearn_pass2.tab.h" diff -Nru gradm2-3.0~201311242038/gradm_fulllearn_pass2.y gradm2-3.0~201401282126/gradm_fulllearn_pass2.y --- gradm2-3.0~201311242038/gradm_fulllearn_pass2.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn_pass2.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int fulllearn_pass2lex(void); diff -Nru gradm2-3.0~201311242038/gradm_fulllearn_pass3.y gradm2-3.0~201401282126/gradm_fulllearn_pass3.y --- gradm2-3.0~201311242038/gradm_fulllearn_pass3.y 2013-11-25 01:35:58.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_fulllearn_pass3.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int fulllearn_pass3lex(void); diff -Nru gradm2-3.0~201311242038/gradm_func.h gradm2-3.0~201401282126/gradm_func.h --- gradm2-3.0~201311242038/gradm_func.h 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_func.h 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #ifndef __GRADM_FUNC_H #define __GRADM_FUNC_H @@ -78,6 +98,7 @@ void sort_file_list(struct gr_hash_struct *hash); struct gr_learn_file_node *match_file_node(struct gr_learn_file_node *base, const char *filename); struct gr_learn_file_tmp_node *conv_filename_to_struct(const char *filename, u_int32_t mode); +struct gr_hash_struct *create_hash_table(int type); void match_role(struct gr_learn_group_node *grouplist, uid_t uid, gid_t gid, struct gr_learn_group_node **group, struct gr_learn_user_node **user); struct gr_learn_ip_node * find_insert_ip(struct gr_learn_ip_node **base, u_int32_t ip); void conv_mode_to_str(u_int32_t mode, char *modestr, unsigned short len); 
@@ -187,6 +208,8 @@ int get_canonical_inodev(const char *name, ino_t *ino, u_int32_t *dev, int *is_symlink); void init_res_table(void); +int bikeshedding_detected(void); +char *get_bikeshedded_path(const char *path); #ifdef GRADM_DEBUG void check_file_node_list_integrity(struct gr_learn_file_node **filelist); diff -Nru gradm2-3.0~201311242038/gradm_globals.c gradm2-3.0~201401282126/gradm_globals.c --- gradm2-3.0~201311242038/gradm_globals.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_globals.c 2014-01-29 02:25:05.000000000 +0000 @@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct glob_file *glob_files_head; diff -Nru gradm2-3.0~201311242038/gradm_human.c gradm2-3.0~201401282126/gradm_human.c --- gradm2-3.0~201311242038/gradm_human.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_human.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" static struct role_name_table { diff -Nru gradm2-3.0~201311242038/gradm_learn.c gradm2-3.0~201401282126/gradm_learn.c --- gradm2-3.0~201311242038/gradm_learn.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_learn.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct gr_learn_role_entry *default_role_entry; diff -Nru gradm2-3.0~201311242038/gradm_learn_pass1.l gradm2-3.0~201401282126/gradm_learn_pass1.l --- gradm2-3.0~201311242038/gradm_learn_pass1.l 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_learn_pass1.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include "learn_pass1.tab.h" diff -Nru gradm2-3.0~201311242038/gradm_learn_pass1.y gradm2-3.0~201401282126/gradm_learn_pass1.y --- gradm2-3.0~201311242038/gradm_learn_pass1.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_learn_pass1.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int learn_pass1lex(void); diff -Nru gradm2-3.0~201311242038/gradm_learn_pass2.l gradm2-3.0~201401282126/gradm_learn_pass2.l --- gradm2-3.0~201311242038/gradm_learn_pass2.l 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_learn_pass2.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include "learn_pass2.tab.h" diff -Nru gradm2-3.0~201311242038/gradm_learn_pass2.y gradm2-3.0~201401282126/gradm_learn_pass2.y --- gradm2-3.0~201311242038/gradm_learn_pass2.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_learn_pass2.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int learn_pass2lex(void); diff -Nru gradm2-3.0~201311242038/gradm_lib.c gradm2-3.0~201401282126/gradm_lib.c --- gradm2-3.0~201311242038/gradm_lib.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_lib.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,5 +1,43 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" +int bikeshedding_detected(void) +{ + struct stat64 st; + + if (!lstat64("/sbin", &st) && S_ISLNK(st.st_mode)) + return 1; + return 0; +} + +char *get_bikeshedded_path(const char *path) +{ + unsigned int len = strlen(path); + char *buf = gr_alloc(len + strlen("/usr") + 1); + strcpy(buf, "/usr"); + strcat(buf, path); + return buf; +} + char *get_anchor(const char *filename) { char *basepoint = gr_strdup(filename); @@ -307,8 +345,6 @@ return NULL; } -struct gr_hash_struct *create_hash_table(int type); - static struct gr_hash_struct *mount_hash; struct gr_learn_file_tmp_node *conv_filename_to_struct(const char *filename, u_int32_t mode) diff -Nru gradm2-3.0~201311242038/gradm_misc.c gradm2-3.0~201401282126/gradm_misc.c --- gradm2-3.0~201311242038/gradm_misc.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_misc.c 2014-01-29 02:25:05.000000000 +0000 
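Review bot: in the gradm_lib.c hunk at @@ -1,5 +1,43 @@, bikeshedding_detected() treats any symlink at /sbin as proof of a /usr merge without looking at its target, and get_bikeshedded_path() then prepends "/usr" unconditionally. A /sbin that links anywhere other than usr/sbin yields paths that do not exist, and because gradm_adm.c uses the result both to decide whether the running binary is "the installed version" and to choose which path receives the "x" object in the admin and learn roles, a wrong guess produces a policy that does not cover the real gradm, grpam or grlearn binaries. Prefer resolving the compiled-in path with realpath() and falling back to the literal string on failure, or at least compare the result of readlink("/sbin") against "usr/sbin" before prefixing. The buffer arithmetic `len + strlen("/usr") + 1` with strcpy/strcat is correct; the returned buffer is never freed, which is fine for a short-lived tool. Moving the `create_hash_table` prototype out of this file and into gradm_func.h (the @@ -307,8 +345,6 @@ hunk together with the header hunk) is the right cleanup.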
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern FILE *grlearn_configin; diff -Nru gradm2-3.0~201311242038/gradm_nest.c gradm2-3.0~201401282126/gradm_nest.c --- gradm2-3.0~201311242038/gradm_nest.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_nest.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" void diff -Nru gradm2-3.0~201311242038/gradm_net.c gradm2-3.0~201401282126/gradm_net.c --- gradm2-3.0~201311242038/gradm_net.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_net.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct family_set sock_families[] = { diff -Nru gradm2-3.0~201311242038/gradm_newlearn.c gradm2-3.0~201401282126/gradm_newlearn.c --- gradm2-3.0~201311242038/gradm_newlearn.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_newlearn.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct gr_learn_file_node *cachednode = NULL; diff -Nru gradm2-3.0~201311242038/gradm_opt.c gradm2-3.0~201401282126/gradm_opt.c --- gradm2-3.0~201311242038/gradm_opt.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_opt.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" static void diff -Nru gradm2-3.0~201311242038/gradm_pam.c gradm2-3.0~201401282126/gradm_pam.c --- gradm2-3.0~201311242038/gradm_pam.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_pam.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. It constitutes the PAM-based authentication of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include #include #include diff -Nru gradm2-3.0~201311242038/gradm_parse.c gradm2-3.0~201401282126/gradm_parse.c --- gradm2-3.0~201311242038/gradm_parse.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_parse.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern FILE *gradmin; 
@@ -283,31 +303,40 @@ static struct file_acl * is_proc_object_dupe(struct proc_acl *subject, struct file_acl *object) { - struct file_acl *tmp; + struct file_acl *tmp = NULL; tmp = lookup_acl_object_by_name(subject, object->filename); - if (tmp) - return tmp; - tmp = lookup_acl_object(subject, object); - if (tmp) - return tmp; + if (tmp == NULL) + tmp = lookup_acl_object(subject, object); + else { + /* found a match by filename, handle 'Z' flag here */ + if (object->mode & GR_OBJ_REPLACE) + tmp->mode = object->mode &~ GR_OBJ_REPLACE; + } - return NULL; + return tmp; } static struct proc_acl * is_proc_subject_dupe(struct role_acl *role, struct proc_acl *subject) { - struct proc_acl *tmp; + struct proc_acl *tmp = NULL; tmp = lookup_acl_subject_by_name(role, subject->filename); - if (tmp) - return tmp; - tmp = lookup_acl_subject(role, subject); - if (tmp) - return tmp; + if (tmp == NULL) + tmp = lookup_acl_subject(role, subject); + else { + /* found a match by filename, handle 'Z' flag here */ + if (subject->mode & GR_SUBJ_REPLACE) { + // FIXME: we leak allocations here + memcpy(tmp, subject, sizeof(struct proc_acl)); + tmp->mode = subject->mode &~ GR_SUBJ_REPLACE; + tmp->hash = create_hash_table(GR_HASH_OBJECT); + current_subject = tmp; + } + } - return NULL; + return tmp; } int @@ -512,12 +541,7 @@ struct file_acl ftmp; for_each_file_object(tmp, subject) { - if (!stat64(tmp->filename, &fstat)) { - ftmp.inode = fstat.st_ino; - if (is_24_kernel) - ftmp.dev = MKDEV_24(MAJOR_24(fstat.st_dev), MINOR_24(fstat.st_dev)); - else - ftmp.dev = MKDEV_26(MAJOR_26(fstat.st_dev), MINOR_26(fstat.st_dev)); + if (get_canonical_inodev(tmp->filename, &ftmp.inode, &ftmp.dev, NULL)) { if (ftmp.inode == filp2->inode && ftmp.dev == filp2->dev) fprintf(stderr, "%s (due to symlinking/hardlinking)\n", tmp->filename); } else if (!strcmp(tmp->filename, filp2->filename)) { 
@@ -552,8 +576,8 @@ } newlen = strlen(pwd->pw_dir) + strlen(filename) - 5 + 1; - - newfilename = (char *)gr_alloc( newlen); + + newfilename = (char *)gr_alloc(newlen); if (!newfilename) { fprintf(stderr, "Out of memory.\n"); @@ -653,7 +677,7 @@ return 1; } } else if ((p2 = is_proc_object_dupe(subject, p))) { - if (p2->mode == p->mode) + if (p2->mode == mode) return 1; fprintf(stderr, "Duplicate object found for \"%s\"" " in role %s, subject %s, on line %lu of %s.\n" @@ -711,29 +735,25 @@ if (!strncmp(filename, "$HOME", 5)) filename = parse_homedir(filename); + p = (struct proc_acl *) gr_alloc(sizeof (struct proc_acl)); + // FIXME: for subjects we currently follow symlinks - if (stat(filename, &fstat)) { + if (!get_canonical_inodev(filename, &p->inode, &p->dev, NULL)) { dfile = add_deleted_file(filename); - fstat.st_ino = dfile->ino; - fstat.st_dev = 0; + p->inode = dfile->ino; + p->dev = 0; mode |= GR_DELETED; } - p = (struct proc_acl *) gr_alloc(sizeof (struct proc_acl)); - if (!strcmp(filename, "/") && !(flag & GR_FFAKE)) role->root_label = p; p->filename = filename; p->mode = mode; - if (is_24_kernel) - p->dev = MKDEV_24(MAJOR_24(fstat.st_dev), MINOR_24(fstat.st_dev)); - else - p->dev = MKDEV_26(MAJOR_26(fstat.st_dev), MINOR_26(fstat.st_dev)); - p->inode = fstat.st_ino; - if (!(flag & GR_FFAKE) && (p2 = is_proc_subject_dupe(role, p))) { + if (mode & GR_SUBJ_REPLACE) + return 1; fprintf(stderr, "Duplicate subject found for \"%s\"" " in role %s, on line %lu of %s.\n" "\"%s\" references the same object as \"%s\"" @@ -871,6 +891,9 @@ case 'O': retmode |= GR_IGNORE; break; + case 'Z': + retmode |= GR_SUBJ_REPLACE; + break; case 'o': retmode |= GR_OVERRIDE; break; 
@@ -965,6 +988,9 @@ case 'l': retmode |= GR_LINK; break; + case 'Z': + retmode |= GR_OBJ_REPLACE; + break; case 'F': retmode |= GR_AUDIT_FIND; break; diff -Nru gradm2-3.0~201311242038/gradm_pax.c gradm2-3.0~201401282126/gradm_pax.c --- gradm2-3.0~201311242038/gradm_pax.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_pax.c 2014-01-29 02:25:05.000000000 +0000 @@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct paxflag_set paxflag_list[] = { diff -Nru gradm2-3.0~201311242038/gradm_pw.c gradm2-3.0~201401282126/gradm_pw.c --- gradm2-3.0~201311242038/gradm_pw.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_pw.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" void diff -Nru gradm2-3.0~201311242038/gradm_replace.c gradm2-3.0~201401282126/gradm_replace.c --- gradm2-3.0~201311242038/gradm_replace.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_replace.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" typedef struct _replace_string_entry diff -Nru gradm2-3.0~201311242038/gradm_res.c gradm2-3.0~201401282126/gradm_res.c --- gradm2-3.0~201311242038/gradm_res.c 2013-11-25 01:35:58.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_res.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" /* fix broken glibc installs */ diff -Nru gradm2-3.0~201311242038/gradm_sha256.c gradm2-3.0~201401282126/gradm_sha256.c --- gradm2-3.0~201311242038/gradm_sha256.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_sha256.c 2014-01-29 02:25:05.000000000 +0000 
@@ -3,15 +3,24 @@ /* digest-sha256.c,v 1.13 2002/10/02 22:02:08 hvr Exp $ * * SHA-256 code by Jean-Luc Cooke . - * + * * Glue code originally by Andrew McDonald and Alan Smithee, mailed * to maintainer on pulped trees. * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2, or (at your option) any - * later version. + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ typedef struct { diff -Nru gradm2-3.0~201311242038/gradm_sym.c gradm2-3.0~201401282126/gradm_sym.c --- gradm2-3.0~201311242038/gradm_sym.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/gradm_sym.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" struct object_variable { diff -Nru gradm2-3.0~201311242038/grlearn.c gradm2-3.0~201401282126/grlearn.c --- gradm2-3.0~201311242038/grlearn.c 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/grlearn.c 2014-01-29 02:25:05.000000000 +0000 
@@ -1,3 +1,23 @@ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #include @@ -57,7 +77,7 @@ signal(sig, SIG_IGN); if (fd2 >= 0) ignore_ret = write(fd2, writebuf, writep - writebuf); - exit(0); + exit(0); } int stop_daemon(void) @@ -82,7 +102,6 @@ return 0; } - int write_pid_log(pid_t pid) { @@ -92,6 +111,12 @@ char pathname[PATH_MAX] = {0}; char procname[64] = {0}; int ignore_ret; + char *grlearn_path; + + if (bikeshedding_detected()) + grlearn_path = get_bikeshedded_path(GRLEARN_PATH); + else + grlearn_path = GRLEARN_PATH; if (!stat(GR_LEARN_PID_PATH, &fstat)) { fd = open(GR_LEARN_PID_PATH, O_RDONLY); @@ -110,13 +135,13 @@ snprintf(procname, sizeof(procname) - 1, "/proc/%d/exe", learn_pid); if (readlink(procname, pathname, PATH_MAX - 1) < 0) goto start; - if (strcmp(pathname, GRLEARN_PATH)) + if (strcmp(pathname, grlearn_path)) goto start; fprintf(stdout, "Learning daemon possibly running already...killing process.\n"); kill(learn_pid, 15); } -start: +start: fd = open(GR_LEARN_PID_PATH, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR); if (fd < 0) { @@ -183,7 +208,7 @@ return; } - + char * rewrite_learn_entry(char *p) { int i; 
@@ -252,10 +277,10 @@ if (argc != 2) return 1; - + if (!strcmp(argv[1], "-stop")) return stop_daemon(); - + signal(SIGTERM, term_handler); parse_learn2_config(); diff -Nru gradm2-3.0~201311242038/grlearn2_config.y gradm2-3.0~201401282126/grlearn2_config.y --- gradm2-3.0~201311242038/grlearn2_config.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/grlearn2_config.y 2014-01-29 02:25:05.000000000 +0000 @@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int grlearn_configlex(void); extern void add_always_reduce(char *str); diff -Nru gradm2-3.0~201311242038/grlearn_config.l gradm2-3.0~201401282126/grlearn_config.l --- gradm2-3.0~201311242038/grlearn_config.l 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/grlearn_config.l 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" #ifdef IS_GRLEARN #include "grlearn2_config.tab.h" diff -Nru gradm2-3.0~201311242038/grlearn_config.y gradm2-3.0~201401282126/grlearn_config.y --- gradm2-3.0~201311242038/grlearn_config.y 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/grlearn_config.y 2014-01-29 02:25:05.000000000 +0000 
@@ -1,4 +1,24 @@ %{ +/* + * Copyright (C) 2002-2014 Bradley Spengler, Open Source Security, Inc. + * http://www.grsecurity.net spender@grsecurity.net + * + * This file is part of gradm. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + #include "gradm.h" extern int grlearn_configlex(void); %} diff -Nru gradm2-3.0~201311242038/policy gradm2-3.0~201401282126/policy --- gradm2-3.0~201311242038/policy 2013-11-25 01:35:57.000000000 +0000 +++ gradm2-3.0~201401282126/policy 2014-01-29 02:25:05.000000000 +0000 @@ -90,6 +90,8 @@ # to transfer the privilege of the persistent role; only valid # within a persistent role. Transfer only occurs when the file is # opened for writing +# Z -> tells gradm to ignore earlier object of the same name and use this +# one instead # # new subject modes: # O -> disable "writable library" restrictions for this task @@ -105,7 +107,9 @@ # (enables the same environment sanitization that occurs in glibc # upon execution of a suid binary) # x -> allows executable anonymous shared memory for this subject -# +# Z -> tells gradm to ignore earlier subject of the same path and use this +# one instead + # user/group transitions: # You may now specify what users and groups a given subject can # transition to. This can be done on an inclusive or exclusive basis.
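Review bot: in the `@@ -283,31 +303,40 @@` hunk of gradm_parse.c, the `memcpy(tmp, subject, sizeof(struct proc_acl))` in the Z branch of is_proc_subject_dupe copies the whole struct over the existing subject, so every pointer field tmp held, its old object hash table among them, is overwritten by the fields of the freshly parsed `subject` and the previous allocations are orphaned, which the `// FIXME: we leak allocations here` comment concedes; free the old hash table before the `tmp->hash = create_hash_table(GR_HASH_OBJECT);` and copy only the fields a replacement is meant to change rather than the entire struct. The same branch also assigns the global `current_subject = tmp`, a side effect a reader would not expect from a function named is_..._dupe; a comment at the call site in add_proc_subject noting that the Z path relies on it would help.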
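Review bot: in the `@@ -512,12 +541,7 @@` hunk of gradm_parse.c the stat64 plus MKDEV_24/MKDEV_26 sequence is replaced by `get_canonical_inodev(tmp->filename, &ftmp.inode, &ftmp.dev, NULL)`, and the same helper is used in add_proc_subject with a NULL fourth argument, but neither call site says what that argument controls; together with the new `// FIXME: for subjects we currently follow symlinks` comment this leaves the symlink behaviour of the helper undocumented for the reader of this file, so a one-line comment at each call site stating what NULL selects would make the two call sites auditable.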
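Review bot: the `@@ -653,7 +677,7 @@` hunk of gradm_parse.c changes the duplicate-object comparison from `p2->mode == p->mode` to `p2->mode == mode` with no comment; since is_proc_object_dupe now rewrites `tmp->mode` to `object->mode &~ GR_OBJ_REPLACE` for a Z object, the choice of operand decides whether a Z replacement is reported as a duplicate or silently accepted, so the intent should be stated, and an explicit `if (p->mode & GR_OBJ_REPLACE) return 1;` before the comparison would make the replacement path clearer than relying on which mode variable carries the Z bit.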
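Review bot: in the `@@ -711,29 +735,25 @@` hunk of gradm_parse.c the new `if (mode & GR_SUBJ_REPLACE) return 1;` returns after is_proc_subject_dupe has already memcpy'd `p` into the existing entry, so the `p = (struct proc_acl *) gr_alloc(...)` made earlier in the function is lost on every Z replacement; and when no earlier subject exists the GR_SUBJ_REPLACE bit is never stripped from `p->mode`, because the only clearing (`tmp->mode = subject->mode &~ GR_SUBJ_REPLACE`) lives in the duplicate branch, so the bit stays in the mode of a first-seen subject. Clear the flag unconditionally after the dupe check and free or reuse `p` on the replacement path.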
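Review bot: the `@@ -3,15 +3,24 @@` hunk of gradm_sha256.c replaces the original grant "either version 2, or (at your option) any later version" on code credited to Jean-Luc Cooke, Andrew McDonald and Alan Smithee with a GPL version 2 only statement and adds "This file is part of gradm"; a downstream maintainer cannot narrow the license terms of third-party code on their own, so either keep the original "or later" wording for this file or record in the commit message that the copyright holders agreed to the change.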
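Review bot: the `@@ -92,6 +111,12 @@` hunk of grlearn.c introduces `bikeshedding_detected()` and `get_bikeshedded_path(GRLEARN_PATH)` without a comment on what condition is detected or who owns the returned string; write_pid_log has several exits (the `goto start` paths and the error return after open), so if get_bikeshedded_path allocates, `grlearn_path` leaks on each of them. Add a comment describing the relocated-binary case this handles and either have the helper return a constant string or free the result before each return. The `strcmp(pathname, grlearn_path)` check against `/proc/%d/exe` is a sensible guard before `kill(learn_pid, 15)` on a pid read from a file, so keep it ahead of the kill as the hunk does.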
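Review bot: the `gr_alloc( newlen)` spacing fix in the `@@ -552,8 +576,8 @@` hunk of gradm_parse.c and the `exit(0);`, `start:` and blank-line hunks in grlearn.c are whitespace-only changes interleaved with the functional Z-flag and get_canonical_inodev work; moving the cosmetic churn into its own commit would make the behavioural part of this diff easier to audit.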
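Review bot: the new Z descriptions in the `policy` hunks say gradm will "ignore earlier object of the same name" and "ignore earlier subject of the same path", which matches the code, but only partially: in both is_proc_object_dupe and is_proc_subject_dupe the Z handling sits in the `else` of the lookup_*_by_name result, so a Z entry whose path differs from the earlier one yet resolves to the same inode/dev (the case lookup_acl_object / lookup_acl_subject catches) is still reported as a duplicate. State in the policy text that Z matches on the literal path, not on the file it resolves to, so administrators do not expect it to override hardlinked or symlinked aliases. The second hunk also drops the `#` comment line before "# user/group transitions:" and leaves a bare blank line, which breaks the comment-block style used elsewhere in the file.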