SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - changes for our ...
zbyniu
zbyniu at pld-linux.org
Fri Aug 10 20:39:22 CEST 2007
Author: zbyniu Date: Fri Aug 10 18:39:22 2007 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- changes for our kernel, not tested
---- Files affected:
SOURCES:
linux-2.6-grsec_full.patch (1.1.2.11 -> 1.1.2.12)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.11 SOURCES/linux-2.6-grsec_full.patch:1.1.2.12
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.11 Fri Aug 10 20:31:05 2007
+++ SOURCES/linux-2.6-grsec_full.patch Fri Aug 10 20:39:17 2007
@@ -38,16 +38,16 @@
diff -urNp linux-2.6.22.1/arch/alpha/kernel/ptrace.c linux-2.6.22.1/arch/alpha/kernel/ptrace.c
--- linux-2.6.22.1/arch/alpha/kernel/ptrace.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/alpha/kernel/ptrace.c 2007-08-02 11:09:14.000000000 -0400
-@@ -15,6 +15,7 @@
- #include <linux/slab.h>
+@@ -16,6 +16,7 @@
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/pgtable.h>
-@@ -283,6 +284,9 @@ do_sys_ptrace(long request, long pid, lo
- goto out_notsk;
+@@ -289,6 +290,9 @@ do_sys_ptrace(long request, long pid, lo
+ goto out;
}
+ if (gr_handle_ptrace(child, request))
@@ -5823,10 +5823,10 @@
diff -urNp linux-2.6.22.1/arch/i386/mm/fault.c linux-2.6.22.1/arch/i386/mm/fault.c
--- linux-2.6.22.1/arch/i386/mm/fault.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/i386/mm/fault.c 2007-08-02 11:45:43.000000000 -0400
-@@ -25,10 +25,14 @@
- #include <linux/kprobes.h>
+@@ -26,10 +26,14 @@
#include <linux/uaccess.h>
#include <linux/kdebug.h>
+ #include <linux/suspend.h>
+#include <linux/unistd.h>
+#include <linux/compiler.h>
+#include <linux/binfmts.h>
@@ -7500,10 +7500,10 @@
diff -urNp linux-2.6.22.1/arch/ia64/kernel/ptrace.c linux-2.6.22.1/arch/ia64/kernel/ptrace.c
--- linux-2.6.22.1/arch/ia64/kernel/ptrace.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/ia64/kernel/ptrace.c 2007-08-02 11:09:14.000000000 -0400
-@@ -17,6 +17,7 @@
- #include <linux/security.h>
+@@ -18,6 +18,7 @@
#include <linux/audit.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -7550,10 +7550,10 @@
diff -urNp linux-2.6.22.1/arch/ia64/mm/fault.c linux-2.6.22.1/arch/ia64/mm/fault.c
--- linux-2.6.22.1/arch/ia64/mm/fault.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/ia64/mm/fault.c 2007-08-02 11:38:45.000000000 -0400
-@@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
+@@ -11,6 +11,7 @@
#include <linux/kprobes.h>
#include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
+#include <linux/binfmts.h>
#include <asm/pgtable.h>
@@ -9115,10 +9115,10 @@
diff -urNp linux-2.6.22.1/arch/sparc/kernel/ptrace.c linux-2.6.22.1/arch/sparc/kernel/ptrace.c
--- linux-2.6.22.1/arch/sparc/kernel/ptrace.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/sparc/kernel/ptrace.c 2007-08-02 11:09:14.000000000 -0400
-@@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
+@@ -20,6 +20,7 @@
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -9495,25 +9495,13 @@
BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
-diff -urNp linux-2.6.22.1/arch/sparc64/kernel/Makefile linux-2.6.22.1/arch/sparc64/kernel/Makefile
---- linux-2.6.22.1/arch/sparc64/kernel/Makefile 2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/arch/sparc64/kernel/Makefile 2007-08-02 11:38:46.000000000 -0400
-@@ -3,7 +3,7 @@
- #
-
- EXTRA_AFLAGS := -ansi
--EXTRA_CFLAGS := -Werror
-+#EXTRA_CFLAGS := -Werror
-
- extra-y := head.o init_task.o vmlinux.lds
-
diff -urNp linux-2.6.22.1/arch/sparc64/kernel/ptrace.c linux-2.6.22.1/arch/sparc64/kernel/ptrace.c
--- linux-2.6.22.1/arch/sparc64/kernel/ptrace.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/arch/sparc64/kernel/ptrace.c 2007-08-02 11:09:14.000000000 -0400
-@@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
+@@ -23,6 +23,7 @@
#include <linux/audit.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/asi.h>
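Review bot: The arch/sparc64/kernel/Makefile section removed at the top of this hunk was the one that turned `EXTRA_CFLAGS := -Werror` into `#EXTRA_CFLAGS := -Werror`, while the sparc64 ptrace.c section below it is kept and still adds `#include <linux/grsecurity.h>`. If the base tree's Makefile still sets `-Werror`, any warning introduced by the remaining sparc64 changes becomes a build failure, which matters because the log message says the change is untested. Either keep the section or record in the log why it is no longer needed, for example `- sparc64: -Werror already disabled by <other patch>`.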
@@ -10347,8 +10335,8 @@
default: /* 3: write, present */
/* fall through */
@@ -502,7 +532,14 @@ bad_area_nosemaphore:
- tsk->comm, tsk->pid, address, regs->rip,
- regs->rsp, error_code);
+ tsk->comm, tsk->pid, tsk->xid, address,
+ regs->rip, regs->rsp, error_code);
}
-
+
@@ -12224,10 +12212,10 @@
diff -urNp linux-2.6.22.1/fs/binfmt_aout.c linux-2.6.22.1/fs/binfmt_aout.c
--- linux-2.6.22.1/fs/binfmt_aout.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/binfmt_aout.c 2007-08-02 11:38:47.000000000 -0400
-@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
+@@ -25,6 +25,7 @@
#include <linux/personality.h>
#include <linux/init.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
#include <asm/system.h>
@@ -12309,9 +12297,9 @@
--- linux-2.6.22.1/fs/binfmt_elf.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/binfmt_elf.c 2007-08-02 11:38:47.000000000 -0400
@@ -39,10 +39,16 @@
- #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
+
#include <asm/uaccess.h>
@@ -13194,16 +13182,16 @@
diff -urNp linux-2.6.22.1/fs/exec.c linux-2.6.22.1/fs/exec.c
--- linux-2.6.22.1/fs/exec.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/exec.c 2007-08-02 11:44:13.000000000 -0400
-@@ -51,6 +51,8 @@
- #include <linux/cn_proc.h>
+@@ -52,6 +52,8 @@
#include <linux/audit.h>
#include <linux/signalfd.h>
+ #include <linux/vs_memory.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
-@@ -69,6 +71,15 @@ EXPORT_SYMBOL(suid_dumpable);
+@@ -70,6 +72,15 @@ EXPORT_SYMBOL(suid_dumpable);
static struct linux_binfmt *formats;
static DEFINE_RWLOCK(binfmt_lock);
@@ -13219,7 +13207,7 @@
int register_binfmt(struct linux_binfmt * fmt)
{
struct linux_binfmt ** tmp = &formats;
-@@ -308,7 +319,7 @@ EXPORT_SYMBOL(copy_strings_kernel);
+@@ -309,7 +320,7 @@ EXPORT_SYMBOL(copy_strings_kernel);
*
* vma->vm_mm->mmap_sem is held for writing.
*/
@@ -13228,7 +13216,7 @@
struct page *page, unsigned long address)
{
struct mm_struct *mm = vma->vm_mm;
-@@ -326,6 +337,12 @@ void install_arg_page(struct vm_area_str
+@@ -327,6 +338,12 @@ void install_arg_page(struct vm_area_str
pte_unmap_unlock(pte, ptl);
goto out;
}
@@ -13241,7 +13229,7 @@
inc_mm_counter(mm, anon_rss);
lru_cache_add_active(page);
set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte(
-@@ -334,10 +351,42 @@ void install_arg_page(struct vm_area_str
+@@ -335,10 +352,42 @@ void install_arg_page(struct vm_area_str
pte_unmap_unlock(pte, ptl);
/* no need for flush_tlb */
@@ -13285,7 +13273,7 @@
}
#define EXTRA_STACK_VM_PAGES 20 /* random */
-@@ -352,6 +401,10 @@ int setup_arg_pages(struct linux_binprm
+@@ -353,6 +402,10 @@ int setup_arg_pages(struct linux_binprm
int i, ret;
long arg_size;
@@ -13296,7 +13284,7 @@
#ifdef CONFIG_STACK_GROWSUP
/* Move the argument and environment strings to the bottom of the
* stack space.
-@@ -434,26 +487,48 @@ int setup_arg_pages(struct linux_binprm
+@@ -435,7 +488,7 @@ int setup_arg_pages(struct linux_binprm
else
mpnt->vm_flags = VM_STACK_FLAGS;
mpnt->vm_flags |= mm->def_flags;
@@ -13305,10 +13293,11 @@
if ((ret = insert_vm_struct(mm, mpnt))) {
up_write(&mm->mmap_sem);
kmem_cache_free(vm_area_cachep, mpnt);
- return ret;
- }
+@@ -445,17 +498,38 @@ int setup_arg_pages(struct linux_binprm
mm->stack_vm = mm->total_vm = vma_pages(mpnt);
-+
+ }
+
+- for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
+#ifdef CONFIG_PAX_SEGMEXEC
+ mpnt_m = pax_find_mirror_vma(mpnt);
+ if (mpnt_m) {
@@ -13317,9 +13306,6 @@
+ }
+#endif
+
- }
-
-- for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
+ for (i = 0 ; i < MAX_ARG_PAGES ; i++, stack_base += PAGE_SIZE) {
struct page *page = bprm->page[i];
- if (page) {
@@ -13354,7 +13340,7 @@
}
EXPORT_SYMBOL(setup_arg_pages);
-@@ -489,7 +564,7 @@ struct file *open_exec(const char *name)
+@@ -491,7 +565,7 @@ struct file *open_exec(const char *name)
file = ERR_PTR(-EACCES);
if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
S_ISREG(inode->i_mode)) {
@@ -13363,7 +13349,7 @@
file = ERR_PTR(err);
if (!err) {
file = nameidata_to_filp(&nd, O_RDONLY);
-@@ -1156,6 +1231,11 @@ int do_execve(char * filename,
+@@ -1158,6 +1232,11 @@ int do_execve(char * filename,
struct file *file;
int retval;
int i;
@@ -13375,7 +13361,7 @@
retval = -ENOMEM;
bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
-@@ -1167,10 +1247,29 @@ int do_execve(char * filename,
+@@ -1169,10 +1248,29 @@ int do_execve(char * filename,
if (IS_ERR(file))
goto out_kfree;
@@ -13405,7 +13391,7 @@
bprm->file = file;
bprm->filename = filename;
bprm->interp = filename;
-@@ -1212,8 +1311,38 @@ int do_execve(char * filename,
+@@ -1214,8 +1312,38 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
@@ -13444,7 +13430,7 @@
free_arg_pages(bprm);
/* execve success */
-@@ -1223,6 +1352,14 @@ int do_execve(char * filename,
+@@ -1225,6 +1353,14 @@ int do_execve(char * filename,
return retval;
}
@@ -13459,7 +13445,7 @@
out:
/* Something went wrong, return the inode and free the argument pages*/
for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
-@@ -1386,6 +1523,114 @@ out:
+@@ -1388,6 +1524,114 @@ out:
return ispipe;
}
@@ -13574,7 +13560,7 @@
static void zap_process(struct task_struct *start)
{
struct task_struct *t;
-@@ -1528,6 +1773,10 @@ int do_coredump(long signr, int exit_cod
+@@ -1530,6 +1774,10 @@ int do_coredump(long signr, int exit_cod
*/
clear_thread_flag(TIF_SIGPENDING);
@@ -13588,7 +13574,7 @@
diff -urNp linux-2.6.22.1/fs/ext2/balloc.c linux-2.6.22.1/fs/ext2/balloc.c
--- linux-2.6.22.1/fs/ext2/balloc.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/ext2/balloc.c 2007-08-02 11:09:15.000000000 -0400
-@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
+@@ -114,7 +114,7 @@ static int reserve_blocks(struct super_b
if (free_blocks < count)
count = free_blocks;
@@ -13597,22 +13583,10 @@
sbi->s_resuid != current->fsuid &&
(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
/*
-diff -urNp linux-2.6.22.1/fs/ext3/balloc.c linux-2.6.22.1/fs/ext3/balloc.c
---- linux-2.6.22.1/fs/ext3/balloc.c 2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/fs/ext3/balloc.c 2007-08-02 11:09:15.000000000 -0400
-@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
-
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
- sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
diff -urNp linux-2.6.22.1/fs/ext3/xattr.c linux-2.6.22.1/fs/ext3/xattr.c
--- linux-2.6.22.1/fs/ext3/xattr.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/ext3/xattr.c 2007-08-02 11:38:47.000000000 -0400
-@@ -89,8 +89,8 @@
+@@ -90,8 +90,8 @@
printk("\n"); \
} while (0)
#else
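Review bot: Dropping the fs/ext3/balloc.c section here, and the fs/ext4/balloc.c section in the next hunk, removes the switch from `capable(CAP_SYS_RESOURCE)` to `capable_nolog(CAP_SYS_RESOURCE)` in ext3_has_free_blocks and ext4_has_free_blocks, while the fs/ext2/balloc.c section just above is only renumbered. If the base tree still calls plain `capable()` in those two functions, every reserved-block check by an unprivileged writer presumably goes through the logging capability path again. That would add noise to the grsecurity audit log and make ext3/ext4 behave differently from ext2. If the sections were dropped because the surrounding lines changed in the base tree, the substitution should be re-applied to the new condition as `!capable_nolog(CAP_SYS_RESOURCE)` rather than removed.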
@@ -13623,30 +13597,18 @@
#endif
static void ext3_xattr_cache_insert(struct buffer_head *);
-diff -urNp linux-2.6.22.1/fs/ext4/balloc.c linux-2.6.22.1/fs/ext4/balloc.c
---- linux-2.6.22.1/fs/ext4/balloc.c 2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/fs/ext4/balloc.c 2007-08-02 11:09:15.000000000 -0400
-@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
-
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = ext4_r_blocks_count(sbi->s_es);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
- sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
diff -urNp linux-2.6.22.1/fs/fcntl.c linux-2.6.22.1/fs/fcntl.c
--- linux-2.6.22.1/fs/fcntl.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/fcntl.c 2007-08-02 11:09:15.000000000 -0400
@@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
#include <linux/signal.h>
#include <linux/rcupdate.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/poll.h>
#include <asm/siginfo.h>
-@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
+@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
struct fdtable *fdt;
error = -EINVAL;
@@ -13661,7 +13623,7 @@
+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
goto out;
-
+ if (!vx_files_avail(1))
@@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
struct files_struct * files = current->files;
struct fdtable *fdt;
@@ -13709,9 +13671,9 @@
--- linux-2.6.22.1/fs/namei.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/namei.c 2007-08-02 11:09:15.000000000 -0400
@@ -31,6 +31,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
@@ -13868,7 +13830,7 @@
+
if (!IS_POSIXACL(nd.dentry->d_inode))
mode &= ~current->fs->umask;
- error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.mnt);
@@ -13901,7 +13863,7 @@
+ goto dput_exit2;
+ }
+ }
- error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_dev || saved_ino))
+ gr_handle_delete(saved_ino, saved_dev);
+dput_exit2:
@@ -13937,10 +13899,10 @@
+ error = -EACCES;
+
atomic_inc(&inode->i_count);
-- error = vfs_unlink(nd.dentry->d_inode, dentry);
+- error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
+ }
+ if (!error)
-+ error = vfs_unlink(nd.dentry->d_inode, dentry);
++ error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_ino || saved_dev))
+ gr_handle_delete(saved_ino, saved_dev);
exit2:
@@ -13955,7 +13917,7 @@
+ goto out_dput_unlock;
+ }
+
- error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.mnt);
@@ -13981,7 +13943,7 @@
+ goto out_unlock_dput;
+ }
+
- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
+
+ if (!error)
+ gr_handle_create(new_dentry, nd.mnt);
@@ -14011,9 +13973,9 @@
--- linux-2.6.22.1/fs/namespace.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/namespace.c 2007-08-02 11:09:15.000000000 -0400
@@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
@@ -14403,9 +14365,9 @@
--- linux-2.6.22.1/fs/open.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/open.c 2007-08-02 11:09:15.000000000 -0400
@@ -26,6 +26,7 @@
- #include <linux/syscalls.h>
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -14515,15 +14477,6 @@
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(nd.dentry, &newattrs);
-@@ -570,7 +619,7 @@ asmlinkage long sys_chmod(const char __u
- return sys_fchmodat(AT_FDCWD, filename, mode);
- }
-
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- struct inode * inode;
- int error;
@@ -587,6 +636,12 @@ static int chown_common(struct dentry *
error = -EPERM;
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
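Review bot: The `@@ -587,6 +636,12 @@` section that adds six lines inside chown_common is kept, but this hunk removes the section that added `struct vfsmount *mnt` to its signature, and the next hunk removes the four call sites that passed `nd.mnt` and `file->f_vfsmnt`. The added lines themselves are outside the visible context. If they use `mnt`, the access check now depends on the base tree (presumably the vserver patch, going by the `vs_*.h` includes in the new context) declaring a parameter with exactly that name and passing the correct mount on the sys_fchown path. Because the log says the change is untested, the dependency should be stated in the log message, for example `- chown_common: mnt argument now comes from <base patch>`, and fs/open.c should be build-checked before release.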
@@ -14537,42 +14490,6 @@
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -613,7 +668,7 @@ asmlinkage long sys_chown(const char __u
- error = user_path_walk(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -633,7 +688,7 @@ asmlinkage long sys_fchownat(int dfd, co
- error = __user_walk_fd(dfd, filename, follow, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -647,7 +702,7 @@ asmlinkage long sys_lchown(const char __
- error = user_path_walk_link(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -666,7 +721,7 @@ asmlinkage long sys_fchown(unsigned int
-
- dentry = file->f_path.dentry;
- audit_inode(NULL, dentry->d_inode);
-- error = chown_common(dentry, user, group);
-+ error = chown_common(dentry, user, group, file->f_vfsmnt);
- fput(file);
- out:
- return error;
@@ -873,6 +928,7 @@ repeat:
* N.B. For clone tasks sharing a files structure, this test
* will limit the total number of files that can be opened.
@@ -14706,13 +14623,13 @@
--- linux-2.6.22.1/fs/proc/base.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/proc/base.c 2007-08-02 11:38:47.000000000 -0400
@@ -73,6 +73,7 @@
- #include <linux/poll.h>
- #include <linux/nsproxy.h>
#include <linux/oom.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
#include "internal.h"
- /* NOTE:
@@ -123,7 +124,7 @@ struct pid_entry {
NULL, &proc_info_file_operations, \
{ .proc_read = &proc_##OTYPE } )
@@ -14770,7 +14687,7 @@
goto out;
copied = -ENOMEM;
-@@ -1047,7 +1050,11 @@ static struct inode *proc_pid_make_inode
+@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
inode->i_gid = 0;
if (task_dumpable(task)) {
inode->i_uid = task->euid;
@@ -14780,8 +14697,8 @@
inode->i_gid = task->egid;
+#endif
}
- security_task_to_inode(task, inode);
-
+ /* procfs is xid tagged */
+ inode->i_tag = (tag_t)vx_task_xid(task);
@@ -1063,17 +1070,45 @@ static int pid_getattr(struct vfsmount *
{
struct inode *inode = dentry->d_inode;
@@ -14884,8 +14801,8 @@
if (!files)
goto out;
@@ -1595,6 +1651,9 @@ static struct dentry *proc_pident_lookup
- if (!task)
- goto out_no_task;
+ !memcmp(dentry->d_name.name, "ninfo", 5)))
+ goto out;
+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
+ goto out;
@@ -14953,7 +14870,7 @@
@@ -2208,6 +2287,9 @@ int proc_pid_readdir(struct file * filp,
{
unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
@@ -14977,8 +14894,8 @@
+ continue;
+
filp->f_pos = tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
- put_task_struct(task);
+ if (!vx_proc_task_visible(task))
+ continue;
diff -urNp linux-2.6.22.1/fs/proc/inode.c linux-2.6.22.1/fs/proc/inode.c
--- linux-2.6.22.1/fs/proc/inode.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/proc/inode.c 2007-08-02 11:09:15.000000000 -0400
@@ -14992,8 +14909,8 @@
inode->i_gid = de->gid;
+#endif
}
- if (de->size)
- inode->i_size = de->size;
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
diff -urNp linux-2.6.22.1/fs/proc/internal.h linux-2.6.22.1/fs/proc/internal.h
--- linux-2.6.22.1/fs/proc/internal.h 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/proc/internal.h 2007-08-02 11:09:15.000000000 -0400
@@ -15152,7 +15069,7 @@
diff -urNp linux-2.6.22.1/fs/proc/root.c linux-2.6.22.1/fs/proc/root.c
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.11&r2=1.1.2.12&f=u