SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - updated for http...

mguevara mguevara at pld-linux.org
Tue Jun 5 01:06:15 CEST 2007


Author: mguevara                     Date: Mon Jun  4 23:06:15 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- updated for http://www.grsecurity.net/~spender/grsecurity-2.1.10-2.6.21.3-200706041811.patch

---- Files affected:
SOURCES:
   linux-2.6-grsec_full.patch (1.1.2.8 -> 1.1.2.9) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.8 SOURCES/linux-2.6-grsec_full.patch:1.1.2.9
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.8	Tue Jun  5 00:09:14 2007
+++ SOURCES/linux-2.6-grsec_full.patch	Tue Jun  5 01:06:10 2007
@@ -14125,8 +14125,27 @@
  		proc_root_kcore->proc_fops = &proc_kcore_operations;
 diff -urNp linux-2.6.21.3/fs/proc/proc_sysctl.c linux-2.6.21.3/fs/proc/proc_sysctl.c
 --- linux-2.6.21.3/fs/proc/proc_sysctl.c	2007-04-25 23:08:32.000000000 -0400
-+++ linux-2.6.21.3/fs/proc/proc_sysctl.c	2007-06-04 11:34:37.000000000 -0400
-@@ -305,6 +305,7 @@ end_instantiate:
++++ linux-2.6.21.3/fs/proc/proc_sysctl.c	2007-06-04 17:58:24.000000000 -0400
+@@ -7,6 +7,8 @@
+ #include <linux/security.h>
+ #include "internal.h"
+ 
++extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
++
+ static struct dentry_operations proc_sys_dentry_operations;
+ static const struct file_operations proc_sys_file_operations;
+ static struct inode_operations proc_sys_inode_operations;
+@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
+ 	if (!table)
+ 		goto out;
+ 
++	if (!gr_handle_sysctl(table, 001))
++		goto out;
++
+ 	err = ERR_PTR(-ENOMEM);
+ 	inode = proc_sys_make_inode(dir, table);
+ 	if (!inode)
+@@ -305,6 +310,7 @@ end_instantiate:
  		ino= find_inode_number(dir, &qname);
  	if (!ino)
  		ino = 1;
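Review bot: The prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared file-locally in proc_sysctl.c instead of in a header shared with the defining file (gracl.c, judging by the later hunks), so the compiler cannot catch the two signatures drifting apart; moving it to a header included by both sides is a one-line change per file. The `001` passed at the lookup call here, and again at the readdir and getattr calls in the next hunk, is a bare octal constant whose meaning only becomes clear from the `op & 004` / `op & 002` tests in gracl.c. A comment at each call site, `/* op 001: lookup/visibility check only, no read or write */`, or a named constant in that shared header, would keep the three call sites in step.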
@@ -14134,6 +14153,55 @@
  	return filldir(dirent, qname.name, qname.len, filp->f_pos, ino, type);
  }
  
+@@ -358,6 +364,9 @@ static int proc_sys_readdir(struct file 
+ 			if (pos < filp->f_pos)
+ 				continue;
+ 
++			if (!gr_handle_sysctl(table, 001))
++				continue;
++
+ 			if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
+ 				goto out;
+ 			filp->f_pos = pos + 1;
+@@ -420,6 +429,30 @@ out:
+ 	return error;
+ }
+ 
++/* Eric Biederman is to blame */
++static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
++{
++	int error = 0;
++	struct ctl_table_header *head;
++	struct ctl_table *table;
++
++	table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
++	/* Has the sysctl entry disappeared on us? */
++	if (!table)
++		goto out;
++
++	if (!gr_handle_sysctl(table, 001)) {
++		error = -ENOENT;
++		goto out;
++	}
++
++out:
++	sysctl_head_finish(head);
++
++	generic_fillattr(dentry->d_inode, stat);
++
++	return error;
++}
+ static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
+ {
+ 	struct inode *inode = dentry->d_inode;
+@@ -451,6 +484,7 @@ static struct inode_operations proc_sys_
+ 	.lookup		= proc_sys_lookup,
+ 	.permission	= proc_sys_permission,
+ 	.setattr	= proc_sys_setattr,
++	.getattr	= proc_sys_getattr,
+ };
+ 
+ static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
 diff -urNp linux-2.6.21/fs/proc/root.c linux-2.6.21/fs/proc/root.c
 --- linux-2.6.21/fs/proc/root.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/proc/root.c	2007-04-29 23:02:11.000000000 -0400
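Review bot: `proc_sys_getattr` passes `head` to `sysctl_head_finish()` on the `!table` path without initialising it, which is safe only if `do_proc_sys_lookup()` always stores through its third argument; the hunk does not show that contract (the pre-existing lookup code appears to rely on it too, so this is likely fine, but `struct ctl_table_header *head = NULL;` costs nothing). The `-ENOENT` branch still falls through to `generic_fillattr()`, filling `stat` for an entry the caller is told does not exist; `if (!error) generic_fillattr(dentry->d_inode, stat);` keeps the success behaviour and skips the pointless fill. The header comment `/* Eric Biederman is to blame */` does not tell a maintainer why a getattr hook is needed at all; if the reason is that a cached dentry skips the check in `proc_sys_lookup`, say so: `/* a cached dentry bypasses the ACL check in proc_sys_lookup, so stat() re-checks it */`.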
@@ -14661,7 +14729,7 @@
 diff -urNp linux-2.6.21/grsecurity/gracl.c linux-2.6.21/grsecurity/gracl.c
 --- linux-2.6.21/grsecurity/gracl.c	1969-12-31 19:00:00.000000000 -0500
 +++ linux-2.6.21/grsecurity/gracl.c	2007-04-29 23:39:37.000000000 -0400
-@@ -0,0 +1,3610 @@
+@@ -0,0 +1,3624 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -16346,7 +16414,9 @@
 +
 +	spin_lock(&dcache_lock);
 +
-+	if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt)) {
++	if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
++		/* ignore Eric Biederman */
++	    IS_PRIVATE(l_dentry->d_inode))) {
 +		retval = fakefs_obj;
 +		goto out;
 +	}
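Review bot: `IS_PRIVATE(l_dentry->d_inode)` dereferences `d_inode` unconditionally, so if `l_dentry` can be a negative dentry at this point it is a NULL dereference taken under `dcache_lock`. The function's start is outside the hunk, so whether callers guarantee a positive dentry cannot be confirmed here; if they do, a one-line comment above the test saying so saves the next reader the same question, and if not, `l_dentry->d_inode && IS_PRIVATE(l_dentry->d_inode)` is the guard. The same unconditional dereference and the same `/* ignore Eric Biederman */` comment appear in the last hunk (`IS_PRIVATE(dentry->d_inode)`); in both places the comment should state what is being exempted and why, e.g. `/* S_PRIVATE inodes are fs-internal (proc sysctl entries are marked this way) and are not subject to object ACL lookup */`, after confirming that proc_sys inodes carry S_PRIVATE in this tree.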
@@ -16468,6 +16538,17 @@
 +}
 +
 +static void
++gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
++{
++	security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
++		       task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
++		       task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
++		       1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
++
++	return;
++}
++
++static void
 +gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real, 
 +		       const unsigned int effective, const unsigned int fs)
 +{
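Review bot: In `gr_log_learn_sysctl` the conditional `task->exec_file ? gr_to_filename1(...) : task->acl->filename` is split across two argument lines inside an eleven-argument `security_learn()` call, which makes pairing arguments with the format hard to check by eye. Hoisting it, `const char *exe = task->exec_file ? gr_to_filename1(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : task->acl->filename;`, before the call and passing `exe` leaves one argument per concept. The trailing `return;` in a void function is redundant and can go. `gr_log_learn_id_change`, whose body begins after this hunk, is unchanged context.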
@@ -17893,14 +17974,15 @@
 +
 +	path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
 +
-+	/* it's only a read if it's an actual entry, not a dir
++	/* it's only a read/write if it's an actual entry, not a dir
 +	   (which are opened for readdir)
 +	*/
-+	if (op & 004 && table->child == NULL)
-+		mode |= GR_READ;
-+	if (op & 002)
-+		mode |= GR_WRITE;
-+
++	if (table->child == NULL) {
++		if (op & 004)
++			mode |= GR_READ;
++		if (op & 002)
++			mode |= GR_WRITE;
++	}
 +	/* convert the requested sysctl entry into a pathname */
 +
 +	for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
@@ -17942,20 +18024,16 @@
 +
 +		new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
 +
-+		err = path_lookup(path, LOOKUP_FOLLOW, &nd);
-+		if (err)
-+			goto out;
 +		err = new_mode;
-+		gr_log_learn(current, nd.dentry, nd.mnt, new_mode);
-+		path_release(&nd);
-+	} else if ((err & mode) != mode && !(err & GR_SUPPRESS)) {
++		gr_log_learn_sysctl(current, path, new_mode);
++	} else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
 +		gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
 +			       path, (mode & GR_READ) ? " reading" : "",
 +			       (mode & GR_WRITE) ? " writing" : "");
 +		err = 0;
 +	} else if ((err & mode) != mode) {
 +		err = 0;
-+	} else if (((err & mode) == mode) && (err & GR_AUDITS)) {
++	} else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
 +		gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
 +			       path, (mode & GR_READ) ? " reading" : "",
 +			       (mode & GR_WRITE) ? " writing" : "");
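Review bot: The `denied`, silent-deny and `successful` branches now spell the same "granted covers requested" test in two forms: the first and third mask `GR_FIND` out of both sides, while the middle one, `(err & mode) != mode`, does not, and nothing says why `GR_FIND` is excluded from the logged outcomes yet still enforced. Computing `const __u32 need = mode & ~GR_FIND;` once above the chain and testing `(err & need) != need` in the logging branches, with a comment such as `/* GR_FIND is enforced but not logged; presumably a failed lookup surfaces as ENOENT rather than as a denial */`, would make the asymmetry read as deliberate. If the asymmetry is unintended, the middle branch should use the same masked form. The enclosing function begins before this hunk.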
@@ -18220,6 +18298,10 @@
 +		return 1;
 +
 +	if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
++		return 1;
++
++	/* ignore Eric Biederman */
++	if (IS_PRIVATE(dentry->d_inode))
 +		return 1;
 +
 +	subj = task->acl;
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.8&r2=1.1.2.9&f=u


