diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/Documentation/Configure.help linux-2.4.28-grsec-port/Documentation/Configure.help --- linux-2.4.28-grsec/Documentation/Configure.help 2005-01-24 21:21:37.000000000 +0000 +++ linux-2.4.28-grsec-port/Documentation/Configure.help 2005-01-24 21:27:07.000000000 +0000 @@ -23903,16 +23903,16 @@ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this feature on a per file basis. -Deny writing to /dev/kmem, /dev/mem, and /dev/port +Deny writing to /dev/kmem and /dev/mem CONFIG_GRKERNSEC_KMEM If you say Y here, /dev/kmem and /dev/mem won't be allowed to be written to via mmap or otherwise to modify the running kernel. - /dev/port will also not be allowed to be opened. If you have module - support disabled, enabling this will close up four ways that are - currently used to insert malicious code into the running kernel. - Even with all these features enabled, we still highly recommend that - you use the RBAC system, as it is still possible for an attacker to - modify the running kernel through privileged I/O granted by ioperm/iopl. + If you have module support disabled, enabling this, along with /dev/port + (below) will close up four ways that are currently used to insert + malicious code into the running kernel. Even with all these features + enabled, we still highly recommend that you use the RBAC system, as it + is still possible for an attacker to modify the running kernel + through privileged I/O granted by ioperm/iopl. If you are not using XFree86, you may be able to stop this additional case by enabling the 'Disable privileged I/O' option. Though nothing legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem, @@ -23922,6 +23922,13 @@ It is highly recommended that you say Y here if you meet all the conditions above. +Deny access to /dev/port +CONFIG_GRKERNSEC_PORT + If you say Y here, /dev/port will not be able to be opened. This option + is normally used in conjunction with /dev/kmem (above). It is seperated + here because it breaks certain utilities (for example, kbdrate). + Is is highly recommended that you say Y here. + Disable privileged I/O CONFIG_GRKERNSEC_IO If you say Y here, all ioperm and iopl calls will return an error. diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/drivers/char/mem.c linux-2.4.28-grsec-port/drivers/char/mem.c --- linux-2.4.28-grsec/drivers/char/mem.c 2005-01-24 21:21:37.000000000 +0000 +++ linux-2.4.28-grsec-port/drivers/char/mem.c 2005-01-24 21:21:59.000000000 +0000 @@ -562,7 +562,7 @@ static int open_port(struct inode * inode, struct file * filp) { -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC_PORT gr_handle_open_port(); return -EPERM; #endif diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/grsecurity/Config.in linux-2.4.28-grsec-port/grsecurity/Config.in --- linux-2.4.28-grsec/grsecurity/Config.in 2005-01-24 21:21:37.000000000 +0000 +++ linux-2.4.28-grsec-port/grsecurity/Config.in 2005-01-24 21:21:59.000000000 +0000 @@ -27,6 +27,7 @@ define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL n define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n define_bool CONFIG_GRKERNSEC_KMEM n +define_bool CONFIG_GRKERNSEC_PORT n define_bool CONFIG_GRKERNSEC_PROC_ADD n define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n define_bool CONFIG_GRKERNSEC_CHROOT_NICE n @@ -173,6 +174,7 @@ define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y define_int CONFIG_GRKERNSEC_PROC_GID 10 define_bool CONFIG_GRKERNSEC_KMEM y +define_bool CONFIG_GRKERNSEC_PORT y define_bool CONFIG_GRKERNSEC_RESLOG y define_bool CONFIG_GRKERNSEC_RANDNET y define_bool CONFIG_GRKERNSEC_RANDISN y @@ -295,7 +297,8 @@ fi fi -bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM +bool 'Deny writing to /dev/kmem and /dev/mem' CONFIG_GRKERNSEC_KMEM +bool 'Deny access to /dev/port' CONFIG_GRKERNSEC_PORT if [ "$CONFIG_X86" = "y" ]; then bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO if [ "$CONFIG_GRKERNSEC_IO" = "y" ]; then