SOURCES (LINUX_2_6): grsecurity-2.1.9-2.6.19.1.patch - work in pro...
mguevara
mguevara at pld-linux.org
Sat Dec 16 01:29:09 CET 2006
Author: mguevara Date: Sat Dec 16 00:29:09 2006 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- work in progress
- still open:
2 out of 5 hunks FAILED -- saving rejects to file net/unix/af_unix.c.rej
2 out of 5 hunks FAILED -- saving rejects to file security/commoncap.c.rej
1 out of 2 hunks FAILED -- saving rejects to file security/dummy.c.rej
---- Files affected:
SOURCES:
grsecurity-2.1.9-2.6.19.1.patch (1.1.2.2 -> 1.1.2.3)
---- Diffs:
================================================================
Index: SOURCES/grsecurity-2.1.9-2.6.19.1.patch
diff -u SOURCES/grsecurity-2.1.9-2.6.19.1.patch:1.1.2.2 SOURCES/grsecurity-2.1.9-2.6.19.1.patch:1.1.2.3
--- SOURCES/grsecurity-2.1.9-2.6.19.1.patch:1.1.2.2 Fri Dec 15 17:13:19 2006
+++ SOURCES/grsecurity-2.1.9-2.6.19.1.patch Sat Dec 16 01:29:04 2006
@@ -24923,6 +24923,7 @@
#include <linux/seq_file.h>
#include <linux/mutex.h>
#include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/current.h>
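Review bot: The `#include <linux/vs_base.h>` line enters this hunk as context (leading space, not an inner `+`), so the rebased grsecurity patch now applies only on top of the Linux-VServer patch; the same holds for the `vs_*.h` context lines in the ipc/sem.c, ipc/shm.c, kernel/capability.c, kernel/exit.c, kernel/fork.c, kernel/pid.c, kernel/printk.c, kernel/ptrace.c, kernel/signal.c and mm/mlock.c include hunks below. Nothing on the page states that ordering, and the log message only lists the remaining rejects. A one-line note at the top of the patch or in the log, e.g. `# applies after the linux-vserver patch (vs_*.h lines are context)`, would spare the next rebase from hitting these include hunks as rejects.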
@@ -24948,9 +24949,10 @@
--- linux-2.6.19.1/ipc/sem.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/ipc/sem.c 2006-12-03 15:16:26.000000000 -0500
@@ -83,6 +83,7 @@
- #include <linux/seq_file.h>
#include <linux/mutex.h>
#include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -24977,9 +24979,9 @@
--- linux-2.6.19.1/ipc/shm.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/ipc/shm.c 2006-12-03 15:16:26.000000000 -0500
@@ -37,6 +37,7 @@
- #include <linux/seq_file.h>
- #include <linux/mutex.h>
#include <linux/nsproxy.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -25117,9 +25119,9 @@
--- linux-2.6.19.1/kernel/capability.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/capability.c 2006-12-03 15:16:26.000000000 -0500
@@ -12,6 +12,7 @@
- #include <linux/module.h>
#include <linux/security.h>
#include <linux/syscalls.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -25180,9 +25182,9 @@
--- linux-2.6.19.1/kernel/exit.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/exit.c 2006-12-03 15:16:26.000000000 -0500
@@ -41,6 +41,11 @@
- #include <linux/audit.h> /* for audit_free() */
- #include <linux/resource.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
+#ifdef CONFIG_GRKERNSEC
@@ -25262,9 +25264,9 @@
--- linux-2.6.19.1/kernel/fork.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/fork.c 2006-12-03 15:16:26.000000000 -0500
@@ -48,6 +48,7 @@
- #include <linux/delayacct.h>
- #include <linux/taskstats_kern.h>
- #include <linux/random.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -25299,9 +25301,9 @@
if (likely(!mm_alloc_pgd(mm))) {
@@ -990,6 +991,9 @@ static struct task_struct *copy_process(
- DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
- #endif
- retval = -EAGAIN;
+ if (!vx_nproc_avail(1))
+ goto bad_fork_cleanup_vm;
+
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
+
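Review bot: `gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0)` now sits after the `if (!vx_nproc_avail(1)) goto bad_fork_cleanup_vm;` gate, so a fork refused by the VServer process limit never reaches the learning hook, while in the mm/mlock.c hunk below `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1)` runs before its `vx_vmlocked_avail()` gate. If learning is meant to record every attempt, the fork.c call should move above the `vx_nproc_avail` check; if it should only record attempts that reach the rlimit comparison, the mlock.c call should move below its gate. Either way the two placements should agree, and a comment on the chosen one would help, e.g. `/* learn before the vserver limit so refused attempts are recorded too */`. copy_process() starts and ends outside this hunk, and the new side appears to leave two consecutive blank lines after the goto, which looks like a rebase artefact.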
@@ -25844,9 +25846,9 @@
--- linux-2.6.19.1/kernel/pid.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/pid.c 2006-12-03 15:16:26.000000000 -0500
@@ -27,6 +27,7 @@
- #include <linux/bootmem.h>
#include <linux/hash.h>
#include <linux/pspace.h>
+ #include <linux/vs_pid.h>
+#include <linux/grsecurity.h>
#define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
@@ -25871,13 +25873,17 @@
if (pid >= pid_max)
pid = RESERVED_PIDS;
offset = pid & BITS_PER_PAGE_MASK;
-@@ -299,7 +302,14 @@ struct task_struct * fastcall pid_task(s
+@@ -299,11 +302,18 @@ struct task_struct * fastcall pid_task(s
*/
struct task_struct *find_task_by_pid_type(int type, int nr)
{
++ struct task_struct *task;
++
+ if (type == PIDTYPE_PID)
+ nr = vx_rmap_pid(nr);
+ else if (type == PIDTYPE_REALPID)
+ type = PIDTYPE_PID;
- return pid_task(find_pid(nr), type);
-+ struct task_struct *task;
-+
+ task = pid_task(find_pid(nr), type);
+
+ if (gr_pid_is_chrooted(task))
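Review bot: `gr_pid_is_chrooted(task)` receives the result of `pid_task(find_pid(nr), type)` unchecked, and that can be NULL when no task has the given pid; unless gr_pid_is_chrooted() is known to accept NULL, the call should be guarded, `if (task && gr_pid_is_chrooted(task))`. Hoisting `struct task_struct *task;` above the `vx_rmap_pid` branch is the right fix for the declaration-after-statement the previous version of the hunk had. find_task_by_pid_type() continues past the hunk, so the body of the `if` is not visible here.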
@@ -25931,9 +25937,9 @@
--- linux-2.6.19.1/kernel/printk.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/printk.c 2006-12-03 15:16:26.000000000 -0500
@@ -32,6 +32,7 @@
- #include <linux/bootmem.h>
#include <linux/syscalls.h>
#include <linux/jiffies.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -25954,9 +25960,9 @@
--- linux-2.6.19.1/kernel/ptrace.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/ptrace.c 2006-12-03 15:16:26.000000000 -0500
@@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -26037,26 +26043,26 @@
- if (increment < 0 && !can_nice(current, nice))
+ if (increment < 0 && (!can_nice(current, nice) ||
+ gr_handle_chroot_nice()))
- return -EPERM;
+ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
retval = security_task_setnice(current, nice);
diff -urNp linux-2.6.19.1/kernel/signal.c linux-2.6.19.1/kernel/signal.c
--- linux-2.6.19.1/kernel/signal.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/kernel/signal.c 2006-12-03 15:16:26.000000000 -0500
@@ -23,6 +23,7 @@
- #include <linux/ptrace.h>
- #include <linux/signal.h>
#include <linux/capability.h>
+ #include <linux/vs_context.h>
+ #include <linux/freezer.h>
+#include <linux/grsecurity.h>
#include <asm/param.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
-@@ -581,16 +582,18 @@ static int check_kill_permission(int sig
- return error;
+@@ -581,11 +582,11 @@ static int check_kill_permission(int sig
+ goto skip;
+
error = -EPERM;
- if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
-- && ((sig != SIGCONT) ||
-+ && ((((sig != SIGCONT) ||
+- if (((sig != SIGCONT) ||
++ if (((((sig != SIGCONT) ||
(current->signal->session != t->signal->session))
&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
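Review bot: In the sys_nice change a denial from `gr_handle_chroot_nice()` now shares the `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;` path with the `!can_nice()` case, so a chrooted task in a context carrying VXF_IGNEG_NICE has its negative increment silently accepted (return 0) instead of rejected with -EPERM. If the chroot restriction is meant to be an unconditional deny, keep it on its own line ahead of the can_nice test: `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`. The function starts outside the hunk. The check_kill_permission part of this hunk is cut mid-expression; its `gr_handle_signal` clause and closing parentheses are in the next hunk.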
@@ -26064,6 +26070,10 @@
+ && !capable(CAP_KILL)) || gr_handle_signal(t, sig)))
return error;
+ error = -ESRCH;
+@@ -604,8 +605,10 @@ static int check_kill_permission(int sig
+ }
+ skip:
error = security_task_kill(t, info, sig, 0);
- if (!error)
+ if (!error) {
@@ -26288,7 +26298,7 @@
@@ -93,6 +94,9 @@ asmlinkage long sys_stime(time_t __user
return err;
- do_settimeofday(&tv);
+ vx_settimeofday(&tv);
+
+ gr_log_timechange();
+
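Review bot: `gr_log_timechange()` is emitted unconditionally after `vx_settimeofday(&tv)`, whose return value is discarded, so if that call can fail the audit record reports a time change that did not happen. Either log only on success, e.g. `if (!vx_settimeofday(&tv)) gr_log_timechange();` if it returns 0 on success, or state the semantics in a comment: `/* logged regardless of outcome: records the attempt, not the result */`. sys_stime() ends outside this hunk.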
@@ -26719,9 +26729,9 @@
--- linux-2.6.19.1/mm/mlock.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/mm/mlock.c 2006-12-03 15:16:26.000000000 -0500
@@ -10,14 +10,85 @@
- #include <linux/mm.h>
#include <linux/mempolicy.h>
#include <linux/syscalls.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
+static int __mlock_fixup(struct vm_area_struct *vma, struct vm_area_struct **prev,
@@ -26843,7 +26853,7 @@
- ret = make_pages_present(start, end);
- }
-
-- vma->vm_mm->locked_vm -= pages;
+- vx_vmlocked_sub(vma->vm_mm, pages);
out:
if (ret == -ENOMEM)
ret = -EAGAIN;
@@ -26895,9 +26905,9 @@
ret = -ENOMEM;
+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
- if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
+ if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
capable(CAP_IPC_LOCK))
- ret = do_mlockall(flags);
+ ret = do_mlockall(flags);
diff -urNp linux-2.6.19.1/mm/mmap.c linux-2.6.19.1/mm/mmap.c
--- linux-2.6.19.1/mm/mmap.c 2006-11-29 16:57:37.000000000 -0500
+++ linux-2.6.19.1/mm/mmap.c 2006-12-03 15:16:26.000000000 -0500
================================================================
---- CVS-web:
http://cvs.pld-linux.org/SOURCES/grsecurity-2.1.9-2.6.19.1.patch?r1=1.1.2.2&r2=1.1.2.3&f=u