SOURCES (LINUX_2_6_22): linux-2.6-grsec-common.patch - better inte...

zbyniu zbyniu at pld-linux.org
Wed Dec 12 13:48:41 CET 2007


Author: zbyniu                       Date: Wed Dec 12 12:48:41 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6_22
---- Log message:
- better interactions between grsec and vserver

---- Files affected:
SOURCES:
   linux-2.6-grsec-common.patch (1.1.2.2.2.3 -> 1.1.2.2.2.3.2.1) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-common.patch
diff -u SOURCES/linux-2.6-grsec-common.patch:1.1.2.2.2.3 SOURCES/linux-2.6-grsec-common.patch:1.1.2.2.2.3.2.1
--- SOURCES/linux-2.6-grsec-common.patch:1.1.2.2.2.3	Fri Aug 24 00:30:59 2007
+++ SOURCES/linux-2.6-grsec-common.patch	Wed Dec 12 13:48:36 2007
@@ -22,3 +22,62 @@
  #include <linux/grsecurity.h>
  #include <linux/grinternal.h>
  #include <linux/gracl.h>
+===
+=== analogous as capable()
+===
+--- a/kernel/capability.c~	2007-12-11 00:46:02.000000000 +0100
++++ a/kernel/capability.c	2007-12-11 01:35:00.244481500 +0100
+@@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int
+ }
+ int capable_nolog(int cap)
+ {
++	if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
++		return 0;
+ 	if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
+ 		current->flags |= PF_SUPERPRIV;
+ 		return 1;
+===
+=== let vserver block signals before grsec
+===
+--- a/kernel/signal.c	2007-10-02 00:08:49.954483500 +0200
++++ b/kernel/signal.c	2007-10-02 00:24:31.969355750 +0200
+@@ -539,11 +539,11 @@ static int check_kill_permission(int sig
+ 		return error;
+ 
+ 	error = -EPERM;
+-	if ((((sig != SIGCONT) ||
++	if (((sig != SIGCONT) ||
+ 		(process_session(current) != process_session(t)))
+ 	    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
+ 	    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
+-	    && !capable(CAP_KILL)) || gr_handle_signal(t, sig))
++	    && !capable(CAP_KILL))
+ 		return error;
+ 
+ 	error = -ESRCH;
+@@ -553,6 +553,11 @@ static int check_kill_permission(int sig
+ 			sig, info, t, vx_task_xid(t), t->pid, current->xid);
+ 		return error;
+ 	}
++
++	error = -EPERM;
++	if (gr_handle_signal(t, sig))
++		return error;
++
+ skip:
+ 	return security_task_kill(t, info, sig, 0);
+ }
+===
+=== vserver netlink protection
+===
+--- a/security/commoncap.c~	2007-12-10 23:52:36.000000000 +0100
++++ a/security/commoncap.c	2007-12-11 01:43:04.426741000 +0100
+@@ -27,7 +27,7 @@
+ 
+ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
+ {
+-	cap_t(NETLINK_CB(skb).eff_cap) = gr_cap_rtnetlink();
++	cap_t(NETLINK_CB(skb).eff_cap) = gr_cap_rtnetlink() & vx_mbcap(cap_effective);
+ 	return 0;
+ }
+ 
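Review bot: The relocated grsec check `+	if (gr_handle_signal(t, sig))` in the second signal.c hunk now runs after the vserver `-ESRCH` return and immediately before the `skip:` label, so any `goto skip` taken earlier in check_kill_permission (the function's start lies outside the hunk) bypasses it, whereas before it was part of the `-EPERM` condition; whether that condition was also skipped for the same paths cannot be confirmed from here. The visible consequence is that a signal rejected by both layers now reports -ESRCH rather than -EPERM, which matches the stated intent of hiding foreign-context tasks but deserves a comment in the patched code, e.g. `/* vserver xid check first: foreign-context tasks answer -ESRCH before grsec can reply -EPERM */`. In the capability.c hunk, `1L << cap` relies on `cap` being below the bit width of long; the capability numbers defined at this kernel version appear to fit, but a comment such as `/* cap numbers must fit in a long for the VXC_CAP_MASK test */` would make the assumption explicit. The embedded headers use `a/kernel/capability.c~` against `a/kernel/capability.c` (and likewise for commoncap.c) while the signal.c section uses `a/`/`b/`; both apply with -p1, but the `~` backup naming suggests these hunks were generated from an in-tree edit rather than a clean tree.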
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-common.patch?r1=1.1.2.2.2.3&r2=1.1.2.2.2.3.2.1&f=u


