diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index c4aa354..7c774c9 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2103,6 +2103,8 @@ and is between 256 and 4096 characters. It is defined in the file
 	ramdisk_size=	[RAM] Sizes of RAM disks in kilobytes
 			See Documentation/blockdev/ramdisk.txt.
 
+	rbac_disable=	Set to 1 to disable the grsecurity RBAC system
+
 	rcupdate.blimit=	[KNL,BOOT]
 			Set maximum number of finished RCU callbacks to process
 			in one batch.
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
index 417e256..0929f4c 100644
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
@@ -370,6 +370,12 @@ config GRKERNSEC_NO_RBAC
 	  and processes when loadable module support and /dev/[k]mem have
 	  been locked down.
 
+config GRKERNSEC_RBAC_TOGGLE
+	bool "Disable RBAC system boot option"
+	help
+	  If you say Y here, you have the option to say rbac_disable=1 on the kernel
+	  command line, denying access to the /dev/grsec device.
+
 config GRKERNSEC_ACL_HIDEKERN
 	bool "Hide kernel processes"
 	help
diff --git a/grsecurity/gracl_learn.c b/grsecurity/gracl_learn.c
index 67dd9ba..d58358c 100644
--- a/grsecurity/gracl_learn.c
+++ b/grsecurity/gracl_learn.c
@@ -16,6 +16,10 @@ extern int gr_acl_is_enabled(void);
 static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
 static int gr_learn_attached;
 
+#ifdef CONFIG_GRKERNSEC_RBAC_TOGGLE
+extern unsigned int grsec_rbac_disable;
+#endif
+
 /* use a 512k buffer */
 #define LEARN_BUFFER_SIZE (512 * 1024)
 
@@ -148,6 +152,11 @@ gr_add_learn_entry(const char *fmt, ...)
 static int
 open_learn(struct inode *inode, struct file *file)
 {
+#ifdef CONFIG_GRKERNSEC_RBAC_TOGGLE
+	if (grsec_rbac_disable)
+		return -EPERM;
+#endif
+
 	if (file->f_mode & FMODE_READ && gr_learn_attached)
 		return -EBUSY;
 	if (file->f_mode & FMODE_READ) {
diff --git a/init/main.c b/init/main.c
index 0659ba4..89742ab 100644
--- a/init/main.c
+++ b/init/main.c
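Review bot: The help text for GRKERNSEC_RBAC_TOGGLE says only that rbac_disable=1 denies access to the /dev/grsec device, but it introduces a kernel-command-line switch that turns off an access-control system, and the admin deciding on this option needs the deployment implication spelled out: anyone who can edit the boot command line (bootloader prompt, an unprotected bootloader config) can disable RBAC, so the option is only safe where the bootloader is locked down. The setup handler in init/main.c parses the value with get_option, which accepts any integer, so the text should say a non-zero value rather than exactly 1. Suggested two lines for the help: `Any non-zero value disables RBAC. Note that this lets anyone able to edit the kernel command line switch RBAC off, so only enable it where the bootloader is password-protected or otherwise locked down.`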
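Review bot: The new check at the top of open_learn refuses the learning interface with -EPERM, but nothing in this diff touches the open handler for /dev/grsec itself, which the Kconfig help text names as what gets denied; if that gate lives in a hunk outside this excerpt this is fine, otherwise the flag disables only the learn interface while the RBAC device stays reachable. Returning -EPERM silently also leaves no trace in the log that the system was booted with rbac_disable set, so a message on the refused open, e.g. `printk(KERN_INFO "grsec: RBAC learning interface disabled by rbac_disable\n");` before the return, would make the state visible to whoever is debugging a missing policy. The `extern unsigned int grsec_rbac_disable;` added in the earlier hunk of this file belongs in a shared grsecurity header rather than a per-file extern, so its type cannot drift from the definition in init/main.c. The body of open_learn continues past the end of the hunk.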
@@ -213,6 +213,17 @@ static int __init setup_pax_softmode(char *str)
 __setup("pax_softmode=", setup_pax_softmode);
 #endif
 
+#ifdef CONFIG_GRKERNSEC_RBAC_TOGGLE
+unsigned int grsec_rbac_disable;
+
+static int __init setup_grsec_rbac_disable(char *str)
+{
+	get_option(&str, &grsec_rbac_disable);
+	return 1;
+}
+__setup("rbac_disable=", setup_grsec_rbac_disable);
+#endif
+
 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
 static const char *panic_later, *panic_param;
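Review bot: `get_option(&str, &grsec_rbac_disable)` passes an `unsigned int *` where get_option takes an `int *`, which draws an incompatible-pointer-type warning and forces the extern in grsecurity/gracl_learn.c to repeat the same mismatched type; declaring the flag as `int grsec_rbac_disable;` (and the extern to match) is the simplest fix. The return value of get_option is also ignored, so `rbac_disable=` with a missing or malformed number silently leaves the flag at 0 and RBAC enabled, which is the safe direction but deserves a comment on the handler such as `/* unparsable value leaves RBAC enabled */`. A short comment above the definition stating that the flag is written only from this early_param-style setup hook and read on every learn-interface open would also spare the next reader from checking for other writers.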