diff -urN --exclude-from=diff-exclude linux-2.4.26-leo/Documentation/Configure.help linux-2.4.26-leoport/Documentation/Configure.help --- linux-2.4.26-leo/Documentation/Configure.help 2004-06-22 20:53:45.000000000 +0100 +++ linux-2.4.26-leoport/Documentation/Configure.help 2004-06-22 20:59:00.000000000 +0100 @@ -23682,16 +23682,16 @@ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this feature on a per file basis. -Deny writing to /dev/kmem, /dev/mem, and /dev/port +Deny writing to /dev/kmem and /dev/mem CONFIG_GRKERNSEC_KMEM If you say Y here, /dev/kmem and /dev/mem won't be allowed to be written to via mmap or otherwise to modify the running kernel. - /dev/port will also not be allowed to be opened. If you have module - support disabled, enabling this will close up four ways that are - currently used to insert malicious code into the running kernel. - Even with all these features enabled, we still highly recommend that - you use the ACL system, as it is still possible for an attacker to - modify the running kernel through privileged I/O granted by ioperm/iopl. + If you have module support disabled, enabling this, along with /dev/port + (below) will close up four ways that are currently used to insert + malicious code into the running kernel. Even with all these features + enabled, we still highly recommend that you use the ACL system, as it + is still possible for an attacker to modify the running kernel + through privileged I/O granted by ioperm/iopl. If you are not using XFree86, you may be able to stop this additional case by enabling the 'Disable privileged I/O' option. Though nothing legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem, @@ -23703,6 +23703,13 @@ It is highly recommended that you say Y here if you meet all the conditions above. +Deny access to /dev/port +CONFIG_GRKERNSEC_PORT + If you say Y here, /dev/port will not be able to be opened. This option + is normally used in conjunction with /dev/kmem (above). It is seperated + here because it breaks certain utilities (for example, kbdrate). + Is is highly recommended that you say Y here. + Disable privileged I/O CONFIG_GRKERNSEC_IO If you say Y here, all ioperm and iopl calls will return an error. diff -urN --exclude-from=diff-exclude linux-2.4.26-leo/drivers/char/mem.c linux-2.4.26-leoport/drivers/char/mem.c --- linux-2.4.26-leo/drivers/char/mem.c 2004-06-22 20:53:46.000000000 +0100 +++ linux-2.4.26-leoport/drivers/char/mem.c 2004-06-22 20:59:00.000000000 +0100 @@ -562,7 +562,7 @@ static int open_port(struct inode * inode, struct file * filp) { -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC_PORT gr_handle_open_port(); return -EPERM; #endif diff -urN --exclude-from=diff-exclude linux-2.4.26-leo/grsecurity/Config.in linux-2.4.26-leoport/grsecurity/Config.in --- linux-2.4.26-leo/grsecurity/Config.in 2004-06-22 20:53:47.000000000 +0100 +++ linux-2.4.26-leoport/grsecurity/Config.in 2004-06-22 20:59:48.000000000 +0100 @@ -25,6 +25,7 @@ define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL n define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_PORT n define_bool CONFIG_GRKERNSEC_PROC_ADD n define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n define_bool CONFIG_GRKERNSEC_CHROOT_NICE n @@ -167,6 +168,7 @@ define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y define_int CONFIG_GRKERNSEC_PROC_GID 10 define_bool CONFIG_GRKERNSEC_KMEM y +define_bool CONFIG_GRKERNSEC_PORT y define_bool CONFIG_GRKERNSEC_RESLOG y define_bool CONFIG_GRKERNSEC_RANDNET y define_bool CONFIG_GRKERNSEC_RANDISN y @@ -277,7 +279,8 @@ fi fi -bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM +bool 'Deny writing to /dev/kmem and /dev/mem' CONFIG_GRKERNSEC_KMEM +bool 'Deny access to /dev/port' CONFIG_GRKERNSEC_PORT if [ "$CONFIG_X86" = "y" ]; then bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO if [ "$CONFIG_GRKERNSEC_IO" = "y" ]; then