XFS + grsec

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Sleight of Mind » Mon Aug 25, 2003 11:00 am

Let's wait for a non-rc 2.4.22 grsec release first, shall we? I know the grsecurity-1.9.12-2.4.22 patch (against 2.4.22-rc2) will probably work for 2.4.22 final (with some lines offset maybe) but I won't merge grsec and XFS until it's really final. Same for XFS, let's just give 'em a few more days to catch up with 2.4.22 completely (yes, I know there has been a 2.4.22+xfs bitkeeper tree for quite some time).
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Postby NagyZ » Mon Aug 25, 2003 11:02 am

Well, xfs 1.3 is out, it's stable; 2.4.22 is out, it's stable. Wondering whether there will be a grsec 1.9.12. spender?
NagyZ
 
Posts: 2
Joined: Mon Aug 25, 2003 10:21 am

Postby Sleight of Mind » Fri Sep 05, 2003 7:33 am

Here's grsecurity-1.9.12-2.4.22-xfs:
    - latest CVS snapshot from SGI
    - 1.9.12 grsec patch

Patch is a bit smaller now because I removed DMAPI, POSIX ACL and kdb support from XFS, since I don't use those and doubt anyone does. Patch was tested and is working.
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Postby msi » Tue Dec 02, 2003 4:31 pm

Will there be one of these for 2.4.23 too?

edit:
here is the English version: (sorry, I'm used to writing in German ;)

Can you please write a patch for 2.4.23 too?
Last edited by msi on Wed Dec 03, 2003 4:08 pm, edited 1 time in total.
msi
 
Posts: 29
Joined: Fri Sep 13, 2002 2:37 pm

Postby Sleight of Mind » Tue Dec 02, 2003 6:16 pm

apply in this order:

ftp://oss.sgi.com/projects/xfs/patches/ ... t-only.bz2
ftp://oss.sgi.com/projects/xfs/patches/ ... kernel.bz2
http://www.grsecurity.net/grsecurity-1. ... 4.23.patch

After that only one reject will occur. Fix using:
Code:
cp fs/Makefile fs/Makefile.orig
sed 's/buffer.o dquot.o/buffer.o dquot.o exec.o/g' fs/Makefile.orig > fs/Makefile


Then configure your kernel and compile the usual way. I suggest copying the config from a 2.4.22-xfs-grsec kernel and running make oldconfig afterwards. Since my time is quite limited atm I do not have time to put a nice and clean downloadable patch somewhere. This will have to do for the time being ;)
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

2.4.24, xfs, grsec and ACL

Postby phoemix » Thu Jan 08, 2004 4:32 am

Does a patch exist for .24?
The ACL part of XFS would also be very useful, it's one of the main things that I use XFS for.
The .23 patches apply to .24 but there are a few rejects for the ACL part.
phoemix
 
Posts: 3
Joined: Thu Jan 08, 2004 4:29 am

Postby Sleight of Mind » Thu Jan 08, 2004 8:03 am

just use the patch-2.4.24 (incremental patch from kernel.org) on your current tree and you should be fine. Just the main Makefile will reject.
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Postby phoemix » Thu Jan 08, 2004 8:40 am

But that still won't contain the XFS ACL support, and I need exactly that feature (yes, I'm sure, checked the config).
phoemix
 
Posts: 3
Joined: Thu Jan 08, 2004 4:29 am

Postby akorn » Sun Jan 11, 2004 7:06 am

Get the 'split' patches from oss.sgi.com and apply them in the order the README specifies. The only place where you have to actually think a bit in resolving the rejects would be fs/namei.c, and that's easy enough...

A diff between the grsec-2.0-rc4 and the grsec-2.0-rc4+xfs acl version looks like this:

Code:
--- fs/namei.c  (revision 2)
+++ fs/namei.c  (revision 5)
@@ -1072,6 +1072,8 @@
 
        /* Negative dentry, just create the file */
        if (!dentry->d_inode) {
+               if (!IS_POSIXACL(dir->d_inode))
+                       mode &= ~current->fs->umask;
                if (gr_handle_chroot_chmod(dentry, nd->mnt, mode)) {
                        error = -EACCES;
                        up(&dir->d_inode->i_sem);
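Review bot: moving the umask step above gr_handle_chroot_chmod() changes what that check receives. Before this patch it was passed the unmasked mode and the mask was applied only in the vfs_create() argument; now it sees the masked mode on ordinary directories and the unmasked mode where IS_POSIXACL(dir->d_inode) is true. If that is intended, say so in a comment here, and also state that in the IS_POSIXACL case nothing in this path clears the umask bits any more, so the filesystem's create code is relied on to apply the umask when the directory has no default ACL.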
@@ -1083,8 +1085,7 @@
                        goto exit_dput;
                }
 
-               error = vfs_create(dir->d_inode, dentry,
-                                  mode & ~current->fs->umask);
+               error = vfs_create(dir->d_inode, dentry, mode);
                if (!error)
                        gr_handle_create(dentry, nd->mnt);
 
@@ -1347,7 +1348,8 @@
        dentry = lookup_create(&nd, 0);
        error = PTR_ERR(dentry);
 
-       mode &= ~current->fs->umask;
+       if (!IS_POSIXACL(nd.dentry->d_inode))
+               mode &= ~current->fs->umask;
        if (!IS_ERR(dentry)) {
                if (gr_handle_chroot_mknod(dentry, nd.mnt, mode) ||
                    gr_handle_chroot_chmod(dentry, nd.mnt, mode)) {
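Review bot: on a POSIX ACL mount the two chroot checks below the new test, gr_handle_chroot_mknod() and gr_handle_chroot_chmod(), now receive a mode that still carries the bits the umask would have cleared, where the old code always masked first. Confirm both checks are meant to judge the requested mode rather than the effective one, and record that in a comment next to the IS_POSIXACL(nd.dentry->d_inode) test. Running the test before IS_ERR(dentry) is fine, since it reads nd.dentry and not dentry.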
@@ -1434,13 +1436,13 @@
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
                        error = 0;
-
+                       if (!IS_POSIXACL(nd.dentry->d_inode))
+                               mode &= ~current->fs->umask;
                        if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
                                error = -EACCES;
 
                        if(!error)
-                               error = vfs_mkdir(nd.dentry->d_inode, dentry,
-                                         mode & ~current->fs->umask);
+                               error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
                        if(!error)
                                gr_handle_create(dentry, nd.mnt);
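Review bot: the conditional umask step added at the top of this hunk is the third copy of the same two lines in this patch (the create and mknod hunks carry the others), so a later change to the rule has to be made in three places. Suggest a small static helper in fs/namei.c that takes the parent inode and the mode and returns the mode to use, called from all three sites. The new vfs_mkdir() line also runs past 80 columns at this indentation; wrap the arguments as the removed lines did.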
akorn
 
Posts: 8
Joined: Sat Dec 27, 2003 8:21 am

2.4.24+ grsec + xfs(acl)

Postby phoemix » Sun Jan 11, 2004 11:28 am

try this one:
http://members.animehq.hu/~einon/2424-xfs-gr.diff.bz2
a friend of mine made it.
phoemix
 
Posts: 3
Joined: Thu Jan 08, 2004 4:29 am

linux-2.4.24-ib1

Postby IB » Sun Jan 18, 2004 4:41 pm

Please, visit our page:

http://www.ibnet.pl/index.en.html

if you're interested in a patch for linux-2.4.24 including:

snapshot-xfs-2.4.23-2003-12-01_00:33_UTC
grsec-2.0-rc4-2.4.23

Regards,
IB staff
IB
 
Posts: 1
Joined: Sun Jan 18, 2004 4:33 pm
