-rw-r--r-- | kernel-ratten/config-2.6.15-bs | 10 | ||||
-rwxr-xr-x | kernel-ratten/kernel-ratten.SlackBuild | 13 | ||||
-rw-r--r-- | kernel-ratten/rt-lsm-0.8.7-kernel.patch | 223 |
3 files changed, 233 insertions, 13 deletions
diff --git a/kernel-ratten/config-2.6.15-bs b/kernel-ratten/config-2.6.15-bs
index f5fdcc0c..db7a6f32 100644
--- a/kernel-ratten/config-2.6.15-bs
+++ b/kernel-ratten/config-2.6.15-bs
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Linux kernel version: 2.6.15
-# Tue Oct 17 12:32:36 2006
+# Tue Oct 17 13:22:51 2006
 #
 CONFIG_X86_64=y
 CONFIG_64BIT=y
@@ -1201,10 +1201,12 @@ CONFIG_SND_AC97_BUS=m
 CONFIG_SND_TIMER=m
 CONFIG_SND_PCM=m
 CONFIG_SND_RAWMIDI=m
-# CONFIG_SND_SEQUENCER is not set
+CONFIG_SND_SEQUENCER=m
+# CONFIG_SND_SEQ_DUMMY is not set
 CONFIG_SND_OSSEMUL=y
 CONFIG_SND_MIXER_OSS=m
 CONFIG_SND_PCM_OSS=m
+CONFIG_SND_SEQUENCER_OSS=y
 # CONFIG_SND_RTCTIMER is not set
 # CONFIG_SND_VERBOSE_PRINTK is not set
 # CONFIG_SND_DEBUG is not set
@@ -1215,6 +1217,7 @@ CONFIG_SND_GENERIC_DRIVER=y
 #
 CONFIG_SND_MPU401_UART=m
 # CONFIG_SND_DUMMY is not set
+# CONFIG_SND_VIRMIDI is not set
 # CONFIG_SND_MTPAV is not set
 CONFIG_SND_SERIAL_U16550=m
 CONFIG_SND_MPU401=m
@@ -1254,7 +1257,7 @@ CONFIG_SND_MPU401=m
 # CONFIG_SND_ES1968 is not set
 # CONFIG_SND_MAESTRO3 is not set
 # CONFIG_SND_FM801 is not set
-# CONFIG_SND_ICE1712 is not set
+CONFIG_SND_ICE1712=m
 # CONFIG_SND_ICE1724 is not set
 # CONFIG_SND_INTEL8X0 is not set
 # CONFIG_SND_INTEL8X0M is not set
@@ -1622,6 +1625,7 @@ CONFIG_SECURITY=y
 CONFIG_SECURITY_CAPABILITIES=m
 # CONFIG_SECURITY_ROOTPLUG is not set
 # CONFIG_SECURITY_SECLVL is not set
+CONFIG_SECURITY_REALTIME=m
 CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
diff --git a/kernel-ratten/kernel-ratten.SlackBuild b/kernel-ratten/kernel-ratten.SlackBuild
index f5c1cd03..ba3c5cf2 100755
--- a/kernel-ratten/kernel-ratten.SlackBuild
+++ b/kernel-ratten/kernel-ratten.SlackBuild
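Review bot: CONFIG_SECURITY_REALTIME=m is switched on in the `@@ -1622,6 +1625,7 @@` hunk next to CONFIG_SECURITY_CAPABILITIES=m and CONFIG_SECURITY_SELINUX=y, and the module added by this same commit (realtime_init in rt-lsm-0.8.7-kernel.patch) only falls back to mod_reg_security with the primary LSM when register_security fails, which it will here because SELinux is built in. If SELinux of this kernel generation accepts a single secondary module, as I believe it does (please confirm against security/selinux/hooks.c), then `capability` and `realtime` become mutually exclusive at load time: whichever is modprobed first wins and the other fails with -EINVAL. Since realtime.c already wires every commoncap hook itself, loading `realtime` alone is sufficient, but that is not obvious to an administrator reading this config. I would record it next to the option, e.g. `# CONFIG_SECURITY_REALTIME replaces the capability module as SELinux's secondary LSM; do not load both`, or in the SlackBuild header.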
@@ -30,8 +30,9 @@ KERNEL_VERSION="2.6.15" EXTRAVERSION="" ARCH="x86_64" BUILD="1rha" -PATCHSET="bs" +PATCHSET="bs-rt" PATCH_VERSION="3.1.6-2.6.15" +REALTIME_PATCH="rt-lsm-0.8.7-kernel.patch" TMP=${TMP:=/tmp} SRC_DIR=${SRC:=$CWD} SPLASH="/etc/bootsplash/themes/Slack-Black-Tux/config/bootsplash-1024x768.cfg" @@ -91,6 +92,7 @@ elif [ ! -z "$PATCHSET" ]; then fi mv Makefile.tmp Makefile +patch -p1 < $CWD/$REALTIME_PATCH patch -p1 < $SRC_DIR/$PATCH make oldconfig @@ -147,15 +149,6 @@ splash -s -f $SPLASH > $PKG/boot/initrd.gz cd $PKG makepkg -c y -l y $REPOS/$PACKAGE-$VERSION-$ARCH-$BUILD.tgz -cat << EOCAT -Please check if you need to build or install the following modules: - - realtime-lsm - shfs - -Have a nice day. -EOCAT - if [ "$CLEANUP" == "yes" ]; then rm -rf $TMP fi diff --git a/kernel-ratten/rt-lsm-0.8.7-kernel.patch b/kernel-ratten/rt-lsm-0.8.7-kernel.patch new file mode 100644 index 00000000..194aecfd --- /dev/null +++ b/kernel-ratten/rt-lsm-0.8.7-kernel.patch 
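Review bot: The new `patch -p1 < $CWD/$REALTIME_PATCH` line in the `@@ -91,6 +92,7 @@` hunk has no exit-status check, so a rejected or partially applied LSM patch does not stop the build and the kernel is then configured with CONFIG_SECURITY_REALTIME=m against a half-patched security/ tree, which either fails much later in `make` or silently builds without the module. I would write it as `patch -p1 < "$CWD/$REALTIME_PATCH" || exit 1`; the pre-existing `patch -p1 < $SRC_DIR/$PATCH` line beside it has the same weakness, though that is not introduced here. The vendored rt-lsm-0.8.7-kernel.patch also carries no note of where it was taken from, so a one-line comment above `REALTIME_PATCH=` giving the upstream URL and a checksum would let a later maintainer verify it. Finally, deleting the whole `cat << EOCAT` reminder in the third hunk also dropped the shfs line, although nothing in this commit builds shfs; if that reminder is still wanted, keep the heredoc with only the realtime-lsm line removed.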
@@ -0,0 +1,223 @@ +diff -puN /dev/null Documentation/realtime-lsm.txt +--- /dev/null 2003-09-15 06:40:47.000000000 -0700 ++++ 25-akpm/Documentation/realtime-lsm.txt 2005-02-06 00:32:52.000000000 -0800 +@@ -0,0 +1,39 @@ ++ ++ Realtime Linux Security Module ++ ++ ++This Linux Security Module (LSM) enables realtime capabilities. It ++was written by Torben Hohn and Jack O'Quin, under the provisions of ++the GPL (see the COPYING file). We make no warranty concerning the ++safety, security or even stability of your system when using it. But, ++we will fix problems if you report them. ++ ++Once the LSM has been installed and the kernel for which it was built ++is running, the root user can load it and pass parameters as follows: ++ ++ # modprobe realtime any=1 ++ ++ Any program can request realtime privileges. This allows any local ++ user to crash the system by hogging the CPU in a tight loop or ++ locking down too much memory. But, it is simple to administer. :-) ++ ++ # modprobe realtime gid=29 ++ ++ All users belonging to group 29 and programs that are setgid to that ++ group have realtime privileges. Use any group number you like. A ++ `gid' of -1 disables group access. ++ ++ # modprobe realtime mlock=0 ++ ++ Grants realtime scheduling privileges without the ability to lock ++ memory using mlock() or mlockall() system calls. This option can be ++ used in conjunction with any of the other options. ++ ++After the module is loaded, its parameters can be changed dynamically ++via sysfs. ++ ++ # echo 1 > /sys/module/realtime/parameters/any ++ # echo 29 > /sys/module/realtime/parameters/gid ++ # echo 1 > /sys/module/realtime/parameters/mlock ++ ++Jack O'Quin, joq@joq.us +diff -puN security/Kconfig~rt-lsm security/Kconfig +--- 25/security/Kconfig~rt-lsm 2005-02-06 00:32:52.000000000 -0800 ++++ 25-akpm/security/Kconfig 2005-02-06 00:32:52.000000000 -0800 +@@ -85,6 +85,17 @@ config SECURITY_SECLVL + + If you are unsure how to answer this question, answer N. 
+ ++config SECURITY_REALTIME ++ tristate "Realtime Capabilities" ++ depends on SECURITY && SECURITY_CAPABILITIES!=y ++ default n ++ help ++ This module selectively grants realtime privileges ++ controlled by parameters set at load time or via files in ++ /sys/module/realtime/parameters. ++ ++ If you are unsure how to answer this question, answer N. ++ + source security/selinux/Kconfig + + endmenu +diff -puN security/Makefile~rt-lsm security/Makefile +--- 25/security/Makefile~rt-lsm 2005-02-06 00:32:52.000000000 -0800 ++++ 25-akpm/security/Makefile 2005-02-06 00:32:52.000000000 -0800 +@@ -17,3 +17,4 @@ obj-$(CONFIG_SECURITY_SELINUX) += selin + obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o + obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o + obj-$(CONFIG_SECURITY_SECLVL) += seclvl.o ++obj-$(CONFIG_SECURITY_REALTIME) += commoncap.o realtime.o +diff -puN /dev/null security/realtime.c +--- /dev/null 2003-09-15 06:40:47.000000000 -0700 ++++ 25-akpm/security/realtime.c 2005-02-06 00:32:52.000000000 -0800 +@@ -0,0 +1,146 @@ ++/* ++ * Realtime Capabilities Linux Security Module ++ * ++ * Copyright (C) 2003 Torben Hohn ++ * Copyright (C) 2003-2005 Jack O'Quin ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ */ ++ ++#include <linux/module.h> ++#include <linux/security.h> ++ ++#define RT_LSM "Realtime LSM " /* syslog module name prefix */ ++#define RT_ERR "Realtime: " /* syslog error message prefix */ ++ ++#include <linux/vermagic.h> ++MODULE_INFO(vermagic,VERMAGIC_STRING); ++ ++/* module parameters ++ * ++ * These values could change at any time due to some process writing ++ * a new value in /sys/module/realtime/parameters. This is OK, ++ * because each is referenced only once in each function call. 
++ * Nothing depends on parameters having the same value every time. ++ */ ++ ++/* if TRUE, any process is realtime */ ++static int rt_any; ++module_param_named(any, rt_any, int, 0644); ++MODULE_PARM_DESC(any, " grant realtime privileges to any process."); ++ ++/* realtime group id, or NO_GROUP */ ++static int rt_gid = -1; ++module_param_named(gid, rt_gid, int, 0644); ++MODULE_PARM_DESC(gid, " the group ID with access to realtime privileges."); ++ ++/* enable mlock() privileges */ ++static int rt_mlock = 1; ++module_param_named(mlock, rt_mlock, int, 0644); ++MODULE_PARM_DESC(mlock, " enable memory locking privileges."); ++ ++/* helper function for testing group membership */ ++static inline int gid_ok(int gid) ++{ ++ if (gid == -1) ++ return 0; ++ ++ if (gid == current->gid) ++ return 1; ++ ++ return in_egroup_p(gid); ++} ++ ++static void realtime_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) ++{ ++ cap_bprm_apply_creds(bprm, unsafe); ++ ++ /* If a non-zero `any' parameter was specified, we grant ++ * realtime privileges to every process. If the `gid' ++ * parameter was specified and it matches the group id of the ++ * executable, of the current process or any supplementary ++ * groups, we grant realtime capabilites. 
++ */ ++ ++ if (rt_any || gid_ok(rt_gid)) { ++ cap_raise(current->cap_effective, CAP_SYS_NICE); ++ if (rt_mlock) { ++ cap_raise(current->cap_effective, CAP_IPC_LOCK); ++ } ++ } ++} ++ ++static struct security_operations capability_ops = { ++ .ptrace = cap_ptrace, ++ .capget = cap_capget, ++ .capset_check = cap_capset_check, ++ .capset_set = cap_capset_set, ++ .capable = cap_capable, ++ .netlink_send = cap_netlink_send, ++ .netlink_recv = cap_netlink_recv, ++ .bprm_apply_creds = realtime_bprm_apply_creds, ++ .bprm_set_security = cap_bprm_set_security, ++ .bprm_secureexec = cap_bprm_secureexec, ++ .task_post_setuid = cap_task_post_setuid, ++ .task_reparent_to_init = cap_task_reparent_to_init, ++ .syslog = cap_syslog, ++ .vm_enough_memory = cap_vm_enough_memory, ++}; ++ ++#define MY_NAME __stringify(KBUILD_MODNAME) ++ ++static int secondary; /* flag to keep track of how we were registered */ ++ ++static int __init realtime_init(void) ++{ ++ /* register ourselves with the security framework */ ++ if (register_security(&capability_ops)) { ++ ++ /* try registering with primary module */ ++ if (mod_reg_security(MY_NAME, &capability_ops)) { ++ printk(KERN_INFO RT_ERR "Failure registering " ++ "capabilities with primary security module.\n"); ++ printk(KERN_INFO RT_ERR "Is kernel configured " ++ "with CONFIG_SECURITY_CAPABILITIES=m?\n"); ++ return -EINVAL; ++ } ++ secondary = 1; ++ } ++ ++ if (rt_any) ++ printk(KERN_INFO RT_LSM ++ "initialized (all groups, mlock=%d)\n", rt_mlock); ++ else if (rt_gid == -1) ++ printk(KERN_INFO RT_LSM ++ "initialized (no groups, mlock=%d)\n", rt_mlock); ++ else ++ printk(KERN_INFO RT_LSM ++ "initialized (group %d, mlock=%d)\n", rt_gid, rt_mlock); ++ ++ return 0; ++} ++ ++static void __exit realtime_exit(void) ++{ ++ /* remove ourselves from the security framework */ ++ if (secondary) { ++ if (mod_unreg_security(MY_NAME, &capability_ops)) ++ printk(KERN_INFO RT_ERR "Failure unregistering " ++ "capabilities with primary module.\n"); ++ ++ } else 
if (unregister_security(&capability_ops)) { ++ printk(KERN_INFO RT_ERR ++ "Failure unregistering capabilities with the kernel\n"); ++ } ++ printk(KERN_INFO "Realtime Capability LSM exiting\n"); ++} ++ ++security_initcall(realtime_init); ++module_exit(realtime_exit); ++ ++MODULE_DESCRIPTION("Realtime Capabilities Security Module"); ++MODULE_LICENSE("GPL"); +_ |
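Review bot: The grant in realtime_bprm_apply_creds raises CAP_SYS_NICE in the caller's effective set, and that capability is not limited to the caller's own threads: on kernels of this generation it is, as far as I know, also what lets a process change the scheduling class, priority and CPU affinity of other users' processes, including root-owned daemons, so the Documentation/realtime-lsm.txt warning that `any=1` merely lets a local user "crash the system by hogging the CPU" understates the exposure. I would extend that paragraph with a sentence such as `Note that CAP_SYS_NICE also permits changing the priority and CPU affinity of processes owned by other users, so treat membership in the realtime group as a trusted role.` The same applies to the `gid=` mode, since every member of that group receives the capability at each exec. Separately, if this 2.6.15 tree already carries RLIMIT_RTPRIO and RLIMIT_NICE (I believe they landed around 2.6.12; please confirm in include/asm-generic/resource.h), a pam_limits `rtprio`/`memlock` policy gives per-user realtime access without a blanket capability and without this module, and the documentation should point to it as the less privileged alternative.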