SOURCES (LINUX_2_6): grsecurity-2.1.9-2.6.18.patch - adjusted for ...

hawk hawk at pld-linux.org
Mon Oct 9 13:03:58 CEST 2006


Author: hawk                         Date: Mon Oct  9 11:03:58 2006 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- adjusted for vserver-patched kernel

---- Files affected:
SOURCES:
   grsecurity-2.1.9-2.6.18.patch (1.1.2.3 -> 1.1.2.4) 

---- Diffs:

================================================================
Index: SOURCES/grsecurity-2.1.9-2.6.18.patch
diff -u SOURCES/grsecurity-2.1.9-2.6.18.patch:1.1.2.3 SOURCES/grsecurity-2.1.9-2.6.18.patch:1.1.2.4
--- SOURCES/grsecurity-2.1.9-2.6.18.patch:1.1.2.3	Mon Oct  9 08:37:58 2006
+++ SOURCES/grsecurity-2.1.9-2.6.18.patch	Mon Oct  9 13:03:52 2006
@@ -5820,9 +5820,9 @@
 --- linux-2.6.18/arch/ia64/kernel/ptrace.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/arch/ia64/kernel/ptrace.c	2006-09-22 20:04:35.000000000 -0400
 @@ -17,6 +17,7 @@
- #include <linux/security.h>
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -5870,9 +5870,9 @@
 --- linux-2.6.18/arch/ia64/mm/fault.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/arch/ia64/mm/fault.c	2006-09-22 20:45:03.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/smp_lock.h>
  #include <linux/interrupt.h>
  #include <linux/kprobes.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -9390,9 +9390,9 @@
 --- linux-2.6.18/fs/binfmt_aout.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/binfmt_aout.c	2006-09-22 20:45:04.000000000 -0400
 @@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -9474,9 +9474,9 @@
 --- linux-2.6.18/fs/binfmt_elf.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/binfmt_elf.c	2006-09-22 20:45:04.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/syscalls.h>
- #include <linux/random.h>
  #include <linux/elf.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -10327,9 +10327,9 @@
 --- linux-2.6.18/fs/exec.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/exec.c	2006-09-22 22:13:47.000000000 -0400
 @@ -49,6 +49,8 @@
- #include <linux/acct.h>
- #include <linux/cn_proc.h>
  #include <linux/audit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/random.h>
 +#include <linux/grsecurity.h>
  
@@ -10417,7 +10417,7 @@
  
  	down_write(&mm->mmap_sem);
  	{
-@@ -430,13 +469,50 @@ int setup_arg_pages(struct linux_binprm 
+@@ -430,14 +469,51 @@ int setup_arg_pages(struct linux_binprm 
  		else
  			mpnt->vm_flags = VM_STACK_FLAGS;
  		mpnt->vm_flags |= mm->def_flags;
@@ -10441,7 +10441,8 @@
 +
  			return ret;
  		}
- 		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ 		vx_vmpages_sub(mm, mm->total_vm - vma_pages(mpnt));
+ 		mm->stack_vm = mm->total_vm;
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +		if (mpnt_m) {
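Review bot: The vserver accounting that is now context here, `vx_vmpages_sub(mm, mm->total_vm - vma_pages(mpnt));` followed by `mm->stack_vm = mm->total_vm;`, runs before the grsecurity `#ifdef CONFIG_PAX_SEGMEXEC` block that starts at `if (mpnt_m) {`. If that block, whose body lies outside this hunk, bumps `mm->total_vm` for the mirror vma, the per-context counter will drift from `total_vm` unless the matching vserver add call is issued there as well. This is worth confirming against the rest of `setup_arg_pages()`, which both starts and ends outside the hunk; a one-line comment such as `/* SEGMEXEC mirror: keep vx_vmpages accounting in step with total_vm */` at the top of the block would record the expectation either way.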
@@ -10724,9 +10725,9 @@
 --- linux-2.6.18/fs/fcntl.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/fcntl.c	2006-09-22 20:04:35.000000000 -0400
 @@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
  #include <linux/signal.h>
  #include <linux/rcupdate.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -10746,7 +10747,7 @@
 +	gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
  	if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
  		goto out;
- 
+ 	if (!vx_files_avail(1))
 @@ -141,6 +144,8 @@ asmlinkage long sys_dup2(unsigned int ol
  	struct files_struct * files = current->files;
  	struct fdtable *fdt;
@@ -10782,9 +10783,9 @@
 --- linux-2.6.18/fs/namei.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/namei.c	2006-09-22 20:04:35.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
+ #include <linux/vserver/inode.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/debug.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -10929,20 +10930,22 @@
  		dput(dentry);
  	}
  	mutex_unlock(&nd.dentry->d_inode->i_mutex);
-@@ -1919,9 +1996,19 @@ asmlinkage long sys_mkdirat(int dfd, con
+@@ -1919,10 +1996,20 @@ asmlinkage long sys_mkdirat(int dfd, con
  		dentry = lookup_create(&nd, 1);
  		error = PTR_ERR(dentry);
  		if (!IS_ERR(dentry)) {
 +			error = 0;
  			if (!IS_POSIXACL(nd.dentry->d_inode))
  				mode &= ~current->fs->umask;
--			error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+-			error = vfs_mkdir(nd.dentry->d_inode, dentry,
+-				mode, &nd);
 +
 +			if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
 +				error = -EACCES;
 +
 +			if (!error)
-+				error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
++				error = vfs_mkdir(nd.dentry->d_inode, dentry,
++					mode, &nd);
 +
 +			if (!error)
 +				gr_handle_create(dentry, nd.mnt);
@@ -10963,7 +10966,7 @@
  	dentry = lookup_hash(&nd);
  	error = PTR_ERR(dentry);
  	if (!IS_ERR(dentry)) {
--		error = vfs_rmdir(nd.dentry->d_inode, dentry);
+-		error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +		error = 0;
 +		if (dentry->d_inode) {
 +			if (dentry->d_inode->i_nlink <= 1) {
@@ -10976,7 +10979,7 @@
 +		}
 +
 +		if (!error)
-+			error = vfs_rmdir(nd.dentry->d_inode, dentry);
++			error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_dev || saved_ino))
 +			gr_handle_delete(saved_ino, saved_dev);
  		dput(dentry);
@@ -11011,37 +11014,39 @@
 +				error = -EACCES;
 +
  			atomic_inc(&inode->i_count);
--		error = vfs_unlink(nd.dentry->d_inode, dentry);
+-		error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		}
 +		if (!error)
-+			error = vfs_unlink(nd.dentry->d_inode, dentry);
++			error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_ino || saved_dev))
 +			gr_handle_delete(saved_ino, saved_dev);
  	exit2:
  		dput(dentry);
  	}
-@@ -2187,7 +2305,15 @@ asmlinkage long sys_symlinkat(const char
+@@ -2187,8 +2305,15 @@ asmlinkage long sys_symlinkat(const char
  		dentry = lookup_create(&nd, 0);
  		error = PTR_ERR(dentry);
  		if (!IS_ERR(dentry)) {
--			error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+-			error = vfs_symlink(nd.dentry->d_inode, dentry,
+-				from, S_IALLUGO, &nd);
 +			error = 0;
 +			if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from))
 +				error = -EACCES;
 +
 +			if (!error)
-+				error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
-+
++				error = vfs_symlink(nd.dentry->d_inode, dentry,
++					from, S_IALLUGO, &nd);
 +			if (!error)
 +				gr_handle_create(dentry, nd.mnt);
  			dput(dentry);
  		}
  		mutex_unlock(&nd.dentry->d_inode->i_mutex);
-@@ -2281,7 +2407,20 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2281,8 +2407,20 @@ asmlinkage long sys_linkat(int olddfd, c
  	new_dentry = lookup_create(&nd, 0);
  	error = PTR_ERR(new_dentry);
  	if (!IS_ERR(new_dentry)) {
--		error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+-		error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
+-			new_dentry, &nd);
 +		error = 0;
 +		if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
 +				       old_nd.dentry->d_inode,
@@ -11051,8 +11056,8 @@
 +					old_nd.dentry, old_nd.mnt, to))
 +			error = -EACCES;
 +		if (!error)
-+			error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
-+
++			error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry,
++				&nd);
 +		if (!error)
 +			gr_handle_create(new_dentry, nd.mnt);
 +
@@ -11081,9 +11086,9 @@
 --- linux-2.6.18/fs/namespace.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/namespace.c	2006-09-22 20:04:35.000000000 -0400
 @@ -22,6 +22,8 @@
- #include <linux/namei.h>
- #include <linux/security.h>
  #include <linux/mount.h>
+ #include <linux/vserver/namespace.h>
+ #include <linux/vserver/tag.h>
 +#include <linux/sched.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
@@ -11144,9 +11149,9 @@
 --- linux-2.6.18/fs/open.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/open.c	2006-09-22 20:15:13.000000000 -0400
 @@ -28,6 +28,7 @@
- #include <linux/syscalls.h>
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vserver/tag.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/unistd.h>
@@ -11283,15 +11288,6 @@
  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
  	error = notify_change(nd.dentry, &newattrs);
-@@ -695,7 +757,7 @@ asmlinkage long sys_chmod(const char __u
- 	return sys_fchmodat(AT_FDCWD, filename, mode);
- }
- 
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- 	struct inode * inode;
- 	int error;
 @@ -712,6 +774,12 @@ static int chown_common(struct dentry * 
  	error = -EPERM;
  	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
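Review bot: Dropping the hunks that add `struct vfsmount *mnt` to `chown_common()` and to its four call sites (this hunk and the one at `@@ -11305,42 +11301,6 @@`) leaves the surviving grsecurity hunk `@@ -712,6 +774,12 @@ static int chown_common(struct dentry *` depending on the vserver patch supplying that parameter under the same name. That holds only if vserver's signature also calls it `mnt`; if the name differs, the grsecurity body added by that hunk will not compile. A short comment inside the patch near the surviving hunk, e.g. `/* the mnt parameter of chown_common() comes from the vserver patch */`, would make the dependency visible to the next rebase.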
@@ -11305,42 +11301,6 @@
  	newattrs.ia_valid =  ATTR_CTIME;
  	if (user != (uid_t) -1) {
  		newattrs.ia_valid |= ATTR_UID;
-@@ -737,7 +805,7 @@ asmlinkage long sys_chown(const char __u
- 
- 	error = user_path_walk(filename, &nd);
- 	if (!error) {
--		error = chown_common(nd.dentry, user, group);
-+		error = chown_common(nd.dentry, user, group, nd.mnt);
- 		path_release(&nd);
- 	}
- 	return error;
-@@ -756,7 +824,7 @@ asmlinkage long sys_fchownat(int dfd, co
- 	follow = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
- 	error = __user_walk_fd(dfd, filename, follow, &nd);
- 	if (!error) {
--		error = chown_common(nd.dentry, user, group);
-+		error = chown_common(nd.dentry, user, group, nd.mnt);
- 		path_release(&nd);
- 	}
- out:
-@@ -770,7 +838,7 @@ asmlinkage long sys_lchown(const char __
- 
- 	error = user_path_walk_link(filename, &nd);
- 	if (!error) {
--		error = chown_common(nd.dentry, user, group);
-+		error = chown_common(nd.dentry, user, group, nd.mnt);
- 		path_release(&nd);
- 	}
- 	return error;
-@@ -787,7 +855,7 @@ asmlinkage long sys_fchown(unsigned int 
- 		struct dentry * dentry;
- 		dentry = file->f_dentry;
- 		audit_inode(NULL, dentry->d_inode);
--		error = chown_common(dentry, user, group);
-+		error = chown_common(dentry, user, group, file->f_vfsmnt);
- 		fput(file);
- 	}
- 	return error;
 @@ -995,6 +1063,7 @@ repeat:
  	 * N.B. For clone tasks sharing a files structure, this test
  	 * will limit the total number of files that can be opened.
@@ -11474,9 +11434,9 @@
 --- linux-2.6.18/fs/proc/base.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/proc/base.c	2006-09-30 15:58:34.000000000 -0400
 @@ -71,6 +71,7 @@
- #include <linux/cpuset.h>
- #include <linux/audit.h>
- #include <linux/poll.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  #include "internal.h"
  
@@ -11555,18 +11515,19 @@
 +#endif
  	}
 +
+ 	/* procfs is xid tagged */
+ 	inode->i_tag = (tag_t)vx_task_xid(task);
  	security_task_to_inode(task, inode);
- 
- out:
-@@ -1353,11 +1368,31 @@ static int pid_revalidate(struct dentry 
+@@ -1353,18 +1368,37 @@ static int pid_revalidate(struct dentry 
  {
  	struct inode *inode = dentry->d_inode;
  	struct task_struct *task = get_proc_task(inode);
--	if (task) {
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
-+
+ 	int ret = 0;
+ 
+-	if (task) {
 +	if (task &&
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	    (!tmp->uid || (tmp->uid == task->uid)
@@ -11576,6 +11537,11 @@
 +	    ) &&
 +#endif
 +	    !gr_check_hidden_task(task)) {
+ 		ret = 1;
+ 		/* discard wrong fakeinit */
+ 		if (!vx_check(vx_task_xid(task), VX_IDENT))
+ 			goto out_drop;
+ 
  		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
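Review bot: With the merged condition `if (task && ... !gr_check_hidden_task(task)) {`, a non-NULL `task` that fails the added uid or hidden-task checks skips the whole body, yet the reference taken by `get_proc_task(inode)` three lines earlier is acquired regardless. The tail of `pid_revalidate()` is outside this hunk, and the `goto out_drop` at `if (!vx_check(vx_task_xid(task), VX_IDENT))` is only reached from inside the body, so confirm that the path taken when the condition is false still calls `put_task_struct(task)`; otherwise every revalidation of a hidden task's /proc entry leaks a task_struct reference. If the fall-through path cannot release it, the hidden-task test belongs inside the `if (task)` body with an explicit `put_task_struct(task); d_drop(dentry); return 0;` exit.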
@@ -11726,7 +11692,7 @@
 +			continue;
 +		}
 +
- 		tgid = task->pid;
+ 		tgid = vx_map_tgid(task->pid);
  		len = snprintf(buf, sizeof(buf), "%d", tgid);
  		ino = fake_ino(tgid, PROC_TGID_INO);
 diff -urNp linux-2.6.18/fs/proc/inode.c linux-2.6.18/fs/proc/inode.c
@@ -11855,9 +11821,9 @@
 +#else
  	proc_bus = proc_mkdir("bus", NULL);
 +#endif
+ 	proc_vx_init();
  }
  
- static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
 diff -urNp linux-2.6.18/fs/proc/task_mmu.c linux-2.6.18/fs/proc/task_mmu.c
 --- linux-2.6.18/fs/proc/task_mmu.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/fs/proc/task_mmu.c	2006-09-22 20:45:04.000000000 -0400
@@ -21339,9 +21305,9 @@
     that it will "exec", and that there is sufficient room for the brk.  */
  
 +#ifdef CONFIG_PAX_SEGMEXEC
-+#define ELF_ET_DYN_BASE         ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
++#define ELF_ET_DYN_BASE		((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
 +#else
- #define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
+ #define ELF_ET_DYN_BASE		((TASK_UNMAPPED_BASE) * 2)
 +#endif
 +
 +#ifdef CONFIG_PAX_ASLR
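Review bot: The `#else` arm of `ELF_ET_DYN_BASE` now carries vserver's `((TASK_UNMAPPED_BASE) * 2)` while the `CONFIG_PAX_SEGMEXEC` arm keeps the original `SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2` bases, so a SEGMEXEC kernel silently does not get whatever vserver's relocation of ET_DYN binaries is meant to achieve. If that divergence is intended, a comment on the `#ifdef CONFIG_PAX_SEGMEXEC` line such as `/* vserver's TASK_UNMAPPED_BASE-relative base is not applied under SEGMEXEC */` would keep the next rebase from "fixing" it; if it is not, the SEGMEXEC arm needs the equivalent adjustment. The remaining difference in this hunk is tabs versus spaces on the macro line and needs no action.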
@@ -24522,9 +24488,9 @@
 --- linux-2.6.18/ipc/sem.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/ipc/sem.c	2006-09-22 20:04:35.000000000 -0400
 @@ -78,6 +78,7 @@
- #include <linux/capability.h>
  #include <linux/seq_file.h>
  #include <linux/mutex.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -24552,9 +24518,9 @@
 --- linux-2.6.18/ipc/shm.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/ipc/shm.c	2006-09-22 20:04:35.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/ptrace.h>
- #include <linux/seq_file.h>
  #include <linux/mutex.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -24677,9 +24643,9 @@
 --- linux-2.6.18/kernel/capability.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/capability.c	2006-09-22 20:04:35.000000000 -0400
 @@ -12,6 +12,7 @@
- #include <linux/module.h>
  #include <linux/security.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  
@@ -24740,9 +24706,9 @@
 --- linux-2.6.18/kernel/exit.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/exit.c	2006-09-22 20:21:45.000000000 -0400
 @@ -38,6 +38,11 @@
- #include <linux/pipe_fs_i.h>
- #include <linux/audit.h> /* for audit_free() */
- #include <linux/resource.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
 +
 +#ifdef CONFIG_GRKERNSEC
@@ -24822,9 +24788,9 @@
 --- linux-2.6.18/kernel/fork.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/fork.c	2006-09-22 20:45:04.000000000 -0400
 @@ -45,6 +45,7 @@
- #include <linux/cn_proc.h>
- #include <linux/delayacct.h>
- #include <linux/taskstats_kern.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -24849,11 +24815,10 @@
  	mm->cached_hole_size = ~0UL;
  
  	if (likely(!mm_alloc_pgd(mm))) {
-@@ -980,6 +981,9 @@ static struct task_struct *copy_process(
- 	DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
- #endif
- 	retval = -EAGAIN;
-+
+@@ -980,6 +981,8 @@ static struct task_struct *copy_process(
+ 	if (!vx_nproc_avail(1))
+ 		goto bad_fork_cleanup_vm;
+ 
 +	gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
 +
  	if (atomic_read(&p->user->processes) >=
@@ -25392,9 +25357,9 @@
 --- linux-2.6.18/kernel/pid.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/pid.c	2006-09-22 22:23:55.000000000 -0400
 @@ -26,6 +26,7 @@
- #include <linux/init.h>
  #include <linux/bootmem.h>
  #include <linux/hash.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
@@ -25410,13 +25375,17 @@
  	if (pid >= pid_max)
  		pid = RESERVED_PIDS;
  	offset = pid & BITS_PER_PAGE_MASK;
-@@ -269,7 +272,14 @@ struct task_struct * fastcall pid_task(s
+@@ -272,11 +274,18 @@ struct task_struct * fastcall pid_task(s
   */
  struct task_struct *find_task_by_pid_type(int type, int nr)
  {
--	return pid_task(find_pid(nr), type);
 +	struct task_struct *task;
-+	
++
+ 	if (type == PIDTYPE_PID)
+ 		nr = vx_rmap_pid(nr);
+ 	if (type == PIDTYPE_REALPID)
+ 		type = PIDTYPE_PID;
+-	return pid_task(find_pid(nr), type);
 +	task = pid_task(find_pid(nr), type);
 +
 +	if (gr_pid_is_chrooted(task))
@@ -25439,9 +25408,9 @@
 --- linux-2.6.18/kernel/posix-cpu-timers.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/posix-cpu-timers.c	2006-09-22 20:04:35.000000000 -0400
 @@ -6,6 +6,7 @@
- #include <linux/posix-timers.h>
  #include <asm/uaccess.h>
  #include <linux/errno.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  static int check_clock(const clockid_t which_clock)
@@ -25458,9 +25427,9 @@
 --- linux-2.6.18/kernel/printk.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/printk.c	2006-09-22 20:04:35.000000000 -0400
 @@ -31,6 +31,7 @@
- #include <linux/security.h>
- #include <linux/bootmem.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_context.h>
+ #include <linux/vserver/cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -25481,9 +25450,9 @@
 --- linux-2.6.18/kernel/ptrace.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/ptrace.c	2006-09-22 20:19:31.000000000 -0400
 @@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -25564,26 +25533,26 @@
 -	if (increment < 0 && !can_nice(current, nice))
 +	if (increment < 0 && (!can_nice(current, nice) ||
 +			      gr_handle_chroot_nice()))
- 		return -EPERM;
+ 		return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
  	retval = security_task_setnice(current, nice);
 diff -urNp linux-2.6.18/kernel/signal.c linux-2.6.18/kernel/signal.c
 --- linux-2.6.18/kernel/signal.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/signal.c	2006-09-22 20:25:59.000000000 -0400
 @@ -23,6 +23,7 @@
- #include <linux/ptrace.h>
  #include <linux/signal.h>
  #include <linux/capability.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  #include <asm/param.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
-@@ -576,16 +577,18 @@ static int check_kill_permission(int sig
- 		return error;
+@@ -582,11 +583,11 @@ static int check_kill_permission(int sig
+ 		(!is_si_special(info) && SI_FROMUSER(info)));
+ 
  	error = -EPERM;
- 	if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
--	    && ((sig != SIGCONT) ||
-+	    && ((((sig != SIGCONT) ||
+-	if (user && ((sig != SIGCONT) ||
++	if (user && ((((sig != SIGCONT) ||
  		(current->signal->session != t->signal->session))
  	    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
  	    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
@@ -25591,15 +25560,7 @@
 +	    && !capable(CAP_KILL)) || gr_handle_signal(t, sig)))
  		return error;
  
- 	error = security_task_kill(t, info, sig, 0);
--	if (!error)
-+	if (!error) {
- 		audit_signal_info(sig, t); /* Let audit system see the signal */
-+		gr_log_signal(sig, t);
-+	}
- 	return error;
- }
- 
+ 	error = -ESRCH;
 @@ -763,7 +766,7 @@ out_set:
  	(((sig) < SIGRTMIN) && sigismember(&(sigptr)->signal, (sig)))
  
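Review bot: The lines removed from the patch at `-+		gr_log_signal(sig, t);` (together with the `if (!error) {` … `}` wrapped around `audit_signal_info`) are not re-added anywhere on the new side of this hunk, and the replacement header `@@ -582,11 +583,11 @@` covers only the permission test, so after this adjustment `check_kill_permission()` no longer calls grsecurity's signal logging hook. Unless that call was moved to a part of the patch trimmed from this mail, it should be restored as a separate hunk against vserver's `audit_signal_info(sig, t);` line: wrap that statement in braces and add `gr_log_signal(sig, t);` directly after it, so the logging follows the same `if (!error)` condition as before. Separately, the sched.c part of the same hunk, `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, now also reports a `gr_handle_chroot_nice()` denial as success for contexts with that flag; the nice change is still refused, but callers no longer see the error, which is worth confirming as intended.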
@@ -25624,9 +25585,9 @@
 --- linux-2.6.18/kernel/sys.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/sys.c	2006-09-22 20:45:04.000000000 -0400
 @@ -28,6 +28,7 @@
- #include <linux/tty.h>
- #include <linux/signal.h>
  #include <linux/cn_proc.h>
+ #include <linux/vs_cvirt.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  #include <linux/compat.h>
@@ -25807,7 +25768,7 @@
 @@ -93,6 +94,9 @@ asmlinkage long sys_stime(time_t __user 
  		return err;
  
- 	do_settimeofday(&tv);
+ 	vx_settimeofday(&tv);
 +
 +	gr_log_timechange();
 +
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/grsecurity-2.1.9-2.6.18.patch?r1=1.1.2.3&r2=1.1.2.4&f=u


