SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - pldized (vserver...
zbyniu
zbyniu at pld-linux.org
Mon Feb 25 23:50:51 CET 2008
Author: zbyniu Date: Mon Feb 25 22:50:51 2008 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- pldized (vserver and tuxonice related)
---- Files affected:
SOURCES:
linux-2.6-grsec_full.patch (1.1.2.25 -> 1.1.2.26)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.25 SOURCES/linux-2.6-grsec_full.patch:1.1.2.26
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.25 Mon Feb 25 23:44:38 2008
+++ SOURCES/linux-2.6-grsec_full.patch Mon Feb 25 23:50:45 2008
@@ -39,9 +39,9 @@
--- linux-2.6.24.2/arch/alpha/kernel/ptrace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/arch/alpha/kernel/ptrace.c 2008-02-13 18:27:54.000000000 -0500
@@ -15,6 +15,7 @@
- #include <linux/slab.h>
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -436,9 +436,9 @@
--- linux-2.6.24.2/arch/ia64/kernel/ptrace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/arch/ia64/kernel/ptrace.c 2008-02-13 18:27:54.000000000 -0500
@@ -17,6 +17,7 @@
- #include <linux/security.h>
#include <linux/audit.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -486,9 +486,9 @@
--- linux-2.6.24.2/arch/ia64/mm/fault.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/arch/ia64/mm/fault.c 2008-02-13 18:27:54.000000000 -0500
@@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
#include <linux/kprobes.h>
#include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
+#include <linux/binfmts.h>
#include <asm/pgtable.h>
@@ -2049,9 +2049,9 @@
--- linux-2.6.24.2/arch/sparc/kernel/ptrace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/arch/sparc/kernel/ptrace.c 2008-02-13 18:27:54.000000000 -0500
@@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -2427,25 +2427,13 @@
BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
-diff -urNp linux-2.6.24.2/arch/sparc64/kernel/Makefile linux-2.6.24.2/arch/sparc64/kernel/Makefile
---- linux-2.6.24.2/arch/sparc64/kernel/Makefile 2008-02-11 00:51:11.000000000 -0500
-+++ linux-2.6.24.2/arch/sparc64/kernel/Makefile 2008-02-13 18:27:54.000000000 -0500
-@@ -3,7 +3,7 @@
- #
-
- EXTRA_AFLAGS := -ansi
--EXTRA_CFLAGS := -Werror
-+#EXTRA_CFLAGS := -Werror
-
- extra-y := head.o init_task.o vmlinux.lds
-
diff -urNp linux-2.6.24.2/arch/sparc64/kernel/ptrace.c linux-2.6.24.2/arch/sparc64/kernel/ptrace.c
--- linux-2.6.24.2/arch/sparc64/kernel/ptrace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/arch/sparc64/kernel/ptrace.c 2008-02-13 18:27:54.000000000 -0500
@@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
#include <linux/audit.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/asi.h>
@@ -14663,9 +14651,9 @@
--- linux-2.6.24.2/fs/binfmt_aout.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/binfmt_aout.c 2008-02-13 18:27:56.000000000 -0500
@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
#include <linux/personality.h>
#include <linux/init.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
#include <asm/system.h>
@@ -14744,9 +14732,9 @@
--- linux-2.6.24.2/fs/binfmt_elf.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/binfmt_elf.c 2008-02-13 18:27:56.000000000 -0500
@@ -39,10 +39,21 @@
- #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
+
#include <asm/uaccess.h>
@@ -15996,15 +15984,23 @@
diff -urNp linux-2.6.24.2/fs/ext3/balloc.c linux-2.6.24.2/fs/ext3/balloc.c
--- linux-2.6.24.2/fs/ext3/balloc.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/ext3/balloc.c 2008-02-13 18:27:56.000000000 -0500
-@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1373,14 +1373,14 @@ static int ext3_has_free_blocks(struct s
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
+ vxdprintk(VXD_CBIT(dlim, 3),
+ "ext3_has_free_blocks(%p): %llu<%llu+1, %c, %u!=%u r=%d",
+ sb, free_blocks, root_blocks,
+- !capable(CAP_SYS_RESOURCE)?'1':'0',
++ !capable_nolog(CAP_SYS_RESOURCE)?'1':'0',
+ sbi->s_resuid, current->fsuid, cond?0:1);
+
+ return (cond ? 0 : 1);
diff -urNp linux-2.6.24.2/fs/ext3/namei.c linux-2.6.24.2/fs/ext3/namei.c
--- linux-2.6.24.2/fs/ext3/namei.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/ext3/namei.c 2008-02-13 18:27:56.000000000 -0500
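Review bot: The `capable()` → `capable_nolog()` switch in ext3_has_free_blocks is now applied twice, in the `cond = (...)` expression and again in the vxdprintk argument, yet the hunk carries no comment on why the un-audited variant is wanted at this spot; the ext4_has_free_blocks hunk that follows has the same shape. A one-line comment above `cond = (free_blocks < root_blocks + 1 &&` would keep the next merge from quietly reverting it, e.g. `/* reserved-block probe: use capable_nolog() so this routine check is not written to the capability audit log */`. The debug print also re-evaluates `capable_nolog(CAP_SYS_RESOURCE)` rather than reusing a value computed once; presumably harmless, but with the debug bit set it is a second capability check on every allocation that reaches here. ext3_has_free_blocks starts and ends outside the hunk.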
@@ -16037,15 +16033,23 @@
diff -urNp linux-2.6.24.2/fs/ext4/balloc.c linux-2.6.24.2/fs/ext4/balloc.c
--- linux-2.6.24.2/fs/ext4/balloc.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/ext4/balloc.c 2008-02-13 18:27:56.000000000 -0500
-@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1493,14 +1493,14 @@ static int ext4_has_free_blocks(struct s
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = ext4_r_blocks_count(sbi->s_es);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
+ vxdprintk(VXD_CBIT(dlim, 3),
+ "ext4_has_free_blocks(%p): %llu<%llu+1, %c, %u!=%u r=%d",
+ sb, free_blocks, root_blocks,
+- !capable(CAP_SYS_RESOURCE)?'1':'0',
++ !capable_nolog(CAP_SYS_RESOURCE)?'1':'0',
+ sbi->s_resuid, current->fsuid, cond?0:1);
+
+ return (cond ? 0 : 1);
diff -urNp linux-2.6.24.2/fs/ext4/namei.c linux-2.6.24.2/fs/ext4/namei.c
--- linux-2.6.24.2/fs/ext4/namei.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/ext4/namei.c 2008-02-13 18:27:56.000000000 -0500
@@ -16065,9 +16069,9 @@
--- linux-2.6.24.2/fs/fcntl.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/fcntl.c 2008-02-13 18:27:56.000000000 -0500
@@ -19,6 +19,7 @@
- #include <linux/signal.h>
#include <linux/rcupdate.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/poll.h>
@@ -16362,9 +16366,9 @@
--- linux-2.6.24.2/fs/namei.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/namei.c 2008-02-13 18:27:56.000000000 -0500
@@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
@@ -16530,7 +16534,7 @@
+
if (!IS_POSIXACL(nd.dentry->d_inode))
mode &= ~current->fs->umask;
- error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.mnt);
@@ -16563,7 +16567,7 @@
+ goto dput_exit2;
+ }
+ }
- error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_dev || saved_ino))
+ gr_handle_delete(saved_ino, saved_dev);
+dput_exit2:
@@ -16599,10 +16603,10 @@
+ error = -EACCES;
+
atomic_inc(&inode->i_count);
-- error = vfs_unlink(nd.dentry->d_inode, dentry);
+- error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
+ }
+ if (!error)
-+ error = vfs_unlink(nd.dentry->d_inode, dentry);
++ error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_ino || saved_dev))
+ gr_handle_delete(saved_ino, saved_dev);
exit2:
@@ -16617,7 +16621,7 @@
+ goto out_dput_unlock;
+ }
+
- error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.mnt);
@@ -16643,7 +16647,7 @@
+ goto out_unlock_dput;
+ }
+
- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
+
+ if (!error)
+ gr_handle_create(new_dentry, nd.mnt);
@@ -16673,9 +16677,9 @@
--- linux-2.6.24.2/fs/namespace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/namespace.c 2008-02-13 18:27:56.000000000 -0500
@@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
@@ -17068,9 +17072,9 @@
--- linux-2.6.24.2/fs/open.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/open.c 2008-02-13 18:27:56.000000000 -0500
@@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -17180,15 +17184,6 @@
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(nd.dentry, &newattrs);
-@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
- return sys_fchmodat(AT_FDCWD, filename, mode);
- }
-
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- struct inode * inode;
- int error;
@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
error = -EPERM;
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
@@ -17202,42 +17197,6 @@
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
- error = user_path_walk(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
- error = __user_walk_fd(dfd, filename, follow, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
- error = user_path_walk_link(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.dentry, user, group);
-+ error = chown_common(nd.dentry, user, group, nd.mnt);
- path_release(&nd);
- out:
- return error;
-@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int
-
- dentry = file->f_path.dentry;
- audit_inode(NULL, dentry);
-- error = chown_common(dentry, user, group);
-+ error = chown_common(dentry, user, group, file->f_vfsmnt);
- fput(file);
- out:
- return error;
@@ -939,6 +994,7 @@ repeat:
* N.B. For clone tasks sharing a files structure, this test
* will limit the total number of files that can be opened.
@@ -17375,9 +17334,9 @@
--- linux-2.6.24.2/fs/proc/base.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/proc/base.c 2008-02-13 18:27:56.000000000 -0500
@@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
#include "internal.h"
@@ -17571,9 +17530,9 @@
out:
@@ -2250,6 +2310,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
INF("io", S_IRUGO, pid_io_accounting),
#endif
+ INF("nsproxy", S_IRUGO, pid_nsproxy),
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
+#endif
@@ -17610,7 +17569,7 @@
@@ -2486,6 +2560,9 @@ int proc_pid_readdir(struct file * filp,
{
unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
@@ -17633,8 +17592,8 @@
+ continue;
+
filp->f_pos = iter.tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
+ if (!vx_proc_task_visible(iter.task))
+ continue;
diff -urNp linux-2.6.24.2/fs/proc/inode.c linux-2.6.24.2/fs/proc/inode.c
--- linux-2.6.24.2/fs/proc/inode.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/proc/inode.c 2008-02-13 18:27:56.000000000 -0500
@@ -17648,15 +17607,15 @@
inode->i_gid = de->gid;
+#endif
}
- if (de->size)
- inode->i_size = de->size;
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
diff -urNp linux-2.6.24.2/fs/proc/internal.h linux-2.6.24.2/fs/proc/internal.h
--- linux-2.6.24.2/fs/proc/internal.h 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/proc/internal.h 2008-02-13 18:27:56.000000000 -0500
@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
- extern int proc_tgid_stat(struct task_struct *, char *);
extern int proc_pid_status(struct task_struct *, char *);
extern int proc_pid_statm(struct task_struct *, char *);
+ extern int proc_pid_nsproxy(struct task_struct *, char *);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct*,char*);
+#endif
@@ -17837,9 +17796,9 @@
+#else
proc_bus = proc_mkdir("bus", NULL);
+#endif
+ proc_vx_init();
proc_sys_init();
}
-
diff -urNp linux-2.6.24.2/fs/proc/task_mmu.c linux-2.6.24.2/fs/proc/task_mmu.c
--- linux-2.6.24.2/fs/proc/task_mmu.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/proc/task_mmu.c 2008-02-13 18:27:56.000000000 -0500
@@ -18201,9 +18160,9 @@
--- linux-2.6.24.2/fs/utimes.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/fs/utimes.c 2008-02-13 18:27:56.000000000 -0500
@@ -6,6 +6,7 @@
- #include <linux/sched.h>
- #include <linux/stat.h>
#include <linux/utime.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
@@ -18216,7 +18175,7 @@
struct inode *inode;
struct iattr newattrs;
struct file *f = NULL;
-@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -78,6 +80,7 @@ long do_utimes(int dfd, char __user *fil
if (!f)
goto out;
dentry = f->f_path.dentry;
@@ -18224,8 +18183,9 @@
} else {
error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
if (error)
- goto out;
-
+@@ -86,6 +90,7 @@ long do_utimes(int dfd, char __user *fil
+ if (error)
+ goto dput_and_out;
dentry = nd.dentry;
+ mnt = nd.mnt;
}
@@ -31281,23 +31241,27 @@
sys_close(fd);
if (len <= 0 || len == 32 || buf[len - 1] != '\n')
goto fail;
-@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
- int part;
+@@ -145,12 +145,12 @@ dev_t name_to_dev_t(char *name)
+ int part, mount_result;
#ifdef CONFIG_SYSFS
- int mkdir_err = sys_mkdir("/sys", 0700);
-- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
+ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
-+ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
+ /*
+ * When changing resume parameter for TuxOnIce, sysfs may
+ * already be mounted.
+ */
+- mount_result = sys_mount("sysfs", "/sys", "sysfs", 0, NULL);
++ mount_result = sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL);
+ if (mount_result < 0 && mount_result != -EBUSY)
goto out;
#endif
-
@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
- res = try_name(s, part);
done:
#ifdef CONFIG_SYSFS
-- sys_umount("/sys", 0);
-+ sys_umount((char __user *)"/sys", 0);
+ if (mount_result >= 0)
+- sys_umount("/sys", 0);
++ sys_umount((char __user *)"/sys", 0);
out:
if (!mkdir_err)
- sys_rmdir("/sys");
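Review bot: `mount_result` is declared unconditionally next to `part` at the top of name_to_dev_t, but every assignment and read of it sits inside `#ifdef CONFIG_SYSFS`, so a CONFIG_SYSFS=n build will report an unused variable. Moving the declaration under the same guard as `mkdir_err` fixes that: `int part;` / `#ifdef CONFIG_SYSFS` / `int mount_result;` placed beside `int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);`. The `-EBUSY` tolerance and the `if (mount_result >= 0)` guard around `sys_umount` do agree with each other — a pre-existing sysfs mount is neither treated as failure nor torn down on the way out — but the comment only names the TuxOnIce case, so consider stating that `-EBUSY` from `sys_mount` is the signal being relied on. name_to_dev_t continues outside the hunk.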
@@ -31584,9 +31548,9 @@
--- linux-2.6.24.2/ipc/msg.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/ipc/msg.c 2008-02-13 18:27:56.000000000 -0500
@@ -36,6 +36,7 @@
- #include <linux/seq_file.h>
#include <linux/rwsem.h>
#include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/current.h>
@@ -31624,9 +31588,9 @@
--- linux-2.6.24.2/ipc/sem.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/ipc/sem.c 2008-02-13 18:27:56.000000000 -0500
@@ -82,6 +82,7 @@
- #include <linux/seq_file.h>
- #include <linux/rwsem.h>
#include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -31664,9 +31628,9 @@
--- linux-2.6.24.2/ipc/shm.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/ipc/shm.c 2008-02-13 18:27:56.000000000 -0500
@@ -38,6 +38,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
#include <linux/mount.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -31764,14 +31728,14 @@
--- linux-2.6.24.2/kernel/capability.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/capability.c 2008-02-13 18:27:56.000000000 -0500
@@ -13,6 +13,7 @@
- #include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
/*
-@@ -233,15 +234,25 @@ out:
+@@ -233,13 +234,22 @@ out:
int __capable(struct task_struct *t, int cap)
{
@@ -31792,8 +31756,10 @@
+ return 0;
+}
+
+ #include <linux/vserver/base.h>
int capable(int cap)
{
+@@ -252,3 +262,4 @@ int capable(int cap)
return __capable(current, cap);
}
EXPORT_SYMBOL(capable);
@@ -31822,9 +31788,9 @@
--- linux-2.6.24.2/kernel/exit.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/exit.c 2008-02-13 18:27:56.000000000 -0500
@@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
+
+#ifdef CONFIG_GRKERNSEC
@@ -31906,9 +31872,9 @@
--- linux-2.6.24.2/kernel/fork.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/fork.c 2008-02-13 18:27:56.000000000 -0500
@@ -51,6 +51,7 @@
- #include <linux/random.h>
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
@@ -32001,15 +31967,15 @@
}
@@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
+ DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
- retval = -EAGAIN;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
+
- if (atomic_read(&p->user->processes) >=
- p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ init_vx_info(&p->vx_info, current->vx_info);
+ init_nx_info(&p->nx_info, current->nx_info);
+
@@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
if (clone_flags & CLONE_THREAD)
p->tgid = current->tgid;
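Review bot: `gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0)` in copy_process now lands between the `DEBUG_LOCKS_WARN_ON` block and `init_vx_info()`, while the `retval = -EAGAIN` / `rlim[RLIMIT_NPROC].rlim_cur` comparison that used to follow it has dropped out of the context; in the vserver tree that check apparently lives elsewhere, so the learning hook is no longer adjacent to the enforcement it is meant to sample. Worth confirming that the hook still runs on every fork path and that the sampled value is the one the NPROC limit is actually checked against in this tree. A comment such as `/* learning-mode sample for RLIMIT_NPROC; the limit check itself is elsewhere in this tree, keep them in step */` would make the separation explicit. copy_process starts and ends outside the hunk.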
@@ -32728,9 +32694,9 @@
--- linux-2.6.24.2/kernel/pid.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/pid.c 2008-02-13 18:27:56.000000000 -0500
@@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
#include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#define pid_hashfn(nr, ns) \
@@ -32795,9 +32761,9 @@
--- linux-2.6.24.2/kernel/printk.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/printk.c 2008-02-13 18:27:56.000000000 -0500
@@ -33,6 +33,7 @@
- #include <linux/bootmem.h>
#include <linux/syscalls.h>
#include <linux/jiffies.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -32818,9 +32784,9 @@
--- linux-2.6.24.2/kernel/ptrace.c 2008-02-11 00:51:11.000000000 -0500
+++ linux-2.6.24.2/kernel/ptrace.c 2008-02-13 18:27:56.000000000 -0500
@@ -20,6 +20,7 @@
- #include <linux/signal.h>
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.25&r2=1.1.2.26&f=u