Patch for CONFIG_NET=n

Discuss and suggest new grsecurity features

Patch for CONFIG_NET=n

Postby rbeeporbop » Tue May 24, 2011 7:10 pm

Thanks for all the developers of grsecurity!

I patched linux with the grsecurity patch, and then configured the kernel with no networking support. Below is a patch to make that work... I have also attempted to patch the kernel with both the grsecurity patch and the xen dom0 patch (from ... loads/list), there are some problems... If anyone has a patch for this, please forward it on! I have started merging, so if this isn't already done, I will have a patch for this eventually. I am moving to 2.6.39, and there are a few problems with the xen dom0 patch as well.

After this, I am going to reduce the Linux kernel down to the bare minimum, whacking entire kernel subsystems if possible, to make a hardened xen dom0 "monitor". And, implement some in-kernel framebuffer mirroring routines so that networking is not necessary to access domU framebuffers locally. If anyone has any interest in this, or has done any related work, please tell me! I'm going to work on it anyways, though I'll probably go faster if others are interested, and especially if others are willing to help...


--- linux- 2011-05-05 00:00:00.000000000 0000
+++ linux- 2011-05-05 02:45:19.000000000 0000
@@ -10,11 +10,15 @@
grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o

-obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
gracl_learn.o grsec_log.o
obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o

+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
obj-y += grsec_disabled.o
diff -ur linux- linux-
--- linux- 2011-05-05 00:00:00.000000000 0000
+++ linux- 2011-05-05 00:00:00.000000000 0000
@@ -73,7 +73,10 @@
static unsigned int gr_auth_attempts = 0;
static unsigned long gr_auth_expires = 0UL;

+#ifdef CONFIG_NET
extern struct vfsmount *sock_mnt;
extern struct vfsmount *pipe_mnt;
extern struct vfsmount *shm_mnt;
@@ -1827,7 +1830,11 @@

- if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt || mnt == sock_mnt ||
+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
+#ifdef CONFIG_NET
+ mnt == sock_mnt ||
(mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
Posts: 1
Joined: Tue May 24, 2011 7:07 pm

Return to grsecurity development