SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - pldized (vserver...

zbyniu zbyniu at pld-linux.org
Tue Mar 25 22:40:27 CET 2008


Author: zbyniu                       Date: Tue Mar 25 21:40:27 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- pldized (vserver & tuxonice)

---- Files affected:
SOURCES:
   linux-2.6-grsec_full.patch (1.1.2.29 -> 1.1.2.30) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.29 SOURCES/linux-2.6-grsec_full.patch:1.1.2.30
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.29	Tue Mar 25 22:38:28 2008
+++ SOURCES/linux-2.6-grsec_full.patch	Tue Mar 25 22:40:21 2008
@@ -39,9 +39,9 @@
 --- linux-2.6.24.4/arch/alpha/kernel/ptrace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/arch/alpha/kernel/ptrace.c	2008-03-21 01:42:48.000000000 -0400
 @@ -15,6 +15,7 @@
- #include <linux/slab.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -436,9 +436,9 @@
 --- linux-2.6.24.4/arch/ia64/kernel/ptrace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/arch/ia64/kernel/ptrace.c	2008-03-21 01:42:48.000000000 -0400
 @@ -17,6 +17,7 @@
- #include <linux/security.h>
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -486,9 +486,9 @@
 --- linux-2.6.24.4/arch/ia64/mm/fault.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/arch/ia64/mm/fault.c	2008-03-21 01:42:48.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
  #include <linux/kprobes.h>
  #include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -2049,9 +2049,9 @@
 --- linux-2.6.24.4/arch/sparc/kernel/ptrace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/arch/sparc/kernel/ptrace.c	2008-03-21 01:42:48.000000000 -0400
 @@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -2443,9 +2443,9 @@
 --- linux-2.6.24.4/arch/sparc64/kernel/ptrace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/arch/sparc64/kernel/ptrace.c	2008-03-21 01:42:48.000000000 -0400
 @@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/asi.h>
@@ -14755,9 +14755,9 @@
 --- linux-2.6.24.4/fs/binfmt_aout.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/binfmt_aout.c	2008-03-21 01:42:49.000000000 -0400
 @@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -14836,9 +14836,9 @@
 --- linux-2.6.24.4/fs/binfmt_elf.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/binfmt_elf.c	2008-03-21 01:42:49.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/random.h>
  #include <linux/elf.h>
  #include <linux/utsname.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -16096,14 +16096,14 @@
 --- linux-2.6.24.4/fs/ext3/balloc.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/ext3/balloc.c	2008-03-21 01:42:49.000000000 -0400
 @@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.24.4/fs/ext3/namei.c linux-2.6.24.4/fs/ext3/namei.c
 --- linux-2.6.24.4/fs/ext3/namei.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/ext3/namei.c	2008-03-21 01:42:49.000000000 -0400
@@ -16137,14 +16137,14 @@
 --- linux-2.6.24.4/fs/ext4/balloc.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/ext4/balloc.c	2008-03-21 01:42:49.000000000 -0400
 @@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = ext4_r_blocks_count(sbi->s_es);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.24.4/fs/ext4/namei.c linux-2.6.24.4/fs/ext4/namei.c
 --- linux-2.6.24.4/fs/ext4/namei.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/ext4/namei.c	2008-03-21 01:42:49.000000000 -0400
@@ -16164,9 +16164,9 @@
 --- linux-2.6.24.4/fs/fcntl.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/fcntl.c	2008-03-21 01:42:49.000000000 -0400
 @@ -19,6 +19,7 @@
- #include <linux/signal.h>
  #include <linux/rcupdate.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -16461,9 +16461,9 @@
 --- linux-2.6.24.4/fs/namei.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/namei.c	2008-03-21 01:42:49.000000000 -0400
 @@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -16629,7 +16629,7 @@
 +
  	if (!IS_POSIXACL(nd.dentry->d_inode))
  		mode &= ~current->fs->umask;
- 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -16662,7 +16662,7 @@
 +			goto dput_exit2;
 +		}
 +	}
- 	error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ 	error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +	if (!error && (saved_dev || saved_ino))
 +		gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -16698,10 +16698,10 @@
 +				error = -EACCES;
 +
  			atomic_inc(&inode->i_count);
--		error = vfs_unlink(nd.dentry->d_inode, dentry);
+-		error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		}
 +		if (!error)
-+			error = vfs_unlink(nd.dentry->d_inode, dentry);
++			error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_ino || saved_dev))
 +			gr_handle_delete(saved_ino, saved_dev);
  	exit2:
@@ -16716,7 +16716,7 @@
 +		goto out_dput_unlock;
 +	}
 +
- 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -16742,7 +16742,7 @@
 +		goto out_unlock_dput;
 +	}
 +
- 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
 +
 +	if (!error)
 +		gr_handle_create(new_dentry, nd.mnt);
@@ -16772,9 +16772,9 @@
 --- linux-2.6.24.4/fs/namespace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/namespace.c	2008-03-21 01:42:49.000000000 -0400
 @@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -17167,9 +17167,9 @@
 --- linux-2.6.24.4/fs/open.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/open.c	2008-03-21 01:42:49.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -17279,15 +17279,6 @@
  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
  	error = notify_change(nd.dentry, &newattrs);
-@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
- 	return sys_fchmodat(AT_FDCWD, filename, mode);
- }
- 
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- 	struct inode * inode;
- 	int error;
 @@ -648,6 +697,12 @@ static int chown_common(struct dentry * 
  	error = -EPERM;
  	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
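Review bot: Dropping the grsec hunk that added `struct vfsmount *mnt` to `chown_common()` and to its four callers (`sys_chown`, `sys_fchownat`, `sys_lchown`, `sys_fchown`) leaves the surviving `@@ -648,6 +697,12 @@ static int chown_common(struct dentry *` hunk dependent on the vserver side of the tree already introducing that parameter under the same name and type. If the vserver signature spells it differently, the grsec body inside `chown_common` will apply but fail to compile, which is harder to spot than a rejected hunk. The log message only says "pldized (vserver & tuxonice)"; a sentence naming this dependency, e.g. `chown_common() mnt parameter now comes from the vserver patch; grsec hunk relies on it`, would save the next rebase. The body of the +697 hunk and the `chown_common` definition it patches are outside this hunk, so I cannot confirm which identifier it uses.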
@@ -17301,42 +17292,6 @@
  	newattrs.ia_valid =  ATTR_CTIME;
  	if (user != (uid_t) -1) {
  		newattrs.ia_valid |= ATTR_UID;
-@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
- 	error = user_path_walk(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
- 	error = __user_walk_fd(dfd, filename, follow, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
- 	error = user_path_walk_link(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int 
- 
- 	dentry = file->f_path.dentry;
- 	audit_inode(NULL, dentry);
--	error = chown_common(dentry, user, group);
-+	error = chown_common(dentry, user, group, file->f_vfsmnt);
- 	fput(file);
- out:
- 	return error;
 @@ -939,6 +994,7 @@ repeat:
  	 * N.B. For clone tasks sharing a files structure, this test
  	 * will limit the total number of files that can be opened.
@@ -17474,9 +17429,9 @@
 --- linux-2.6.24.4/fs/proc/base.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/proc/base.c	2008-03-21 01:42:49.000000000 -0400
 @@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
 +
  #include "internal.h"
@@ -17670,9 +17625,9 @@
  
  out:
 @@ -2250,6 +2310,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
  	INF("io",	S_IRUGO, pid_io_accounting),
  #endif
+ 	INF("nsproxy",	S_IRUGO, pid_nsproxy),
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +	INF("ipaddr",	  S_IRUSR, pid_ipaddr),
 +#endif
@@ -17709,7 +17664,7 @@
 @@ -2486,6 +2560,9 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
@@ -17753,9 +17708,9 @@
 --- linux-2.6.24.4/fs/proc/internal.h	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/proc/internal.h	2008-03-21 01:42:49.000000000 -0400
 @@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
- extern int proc_tgid_stat(struct task_struct *, char *);
  extern int proc_pid_status(struct task_struct *, char *);
  extern int proc_pid_statm(struct task_struct *, char *);
+ extern int proc_pid_nsproxy(struct task_struct *, char *);
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct task_struct*,char*);
 +#endif
@@ -17936,6 +17891,7 @@
 +#else
  	proc_bus = proc_mkdir("bus", NULL);
 +#endif
+ 	proc_vx_init();
  	proc_sys_init();
  }
  
@@ -18300,9 +18256,9 @@
 --- linux-2.6.24.4/fs/utimes.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/fs/utimes.c	2008-03-21 01:42:49.000000000 -0400
 @@ -6,6 +6,7 @@
- #include <linux/sched.h>
- #include <linux/stat.h>
  #include <linux/utime.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -18315,7 +18271,7 @@
  	struct inode *inode;
  	struct iattr newattrs;
  	struct file *f = NULL;
-@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -78,6 +80,7 @@ long do_utimes(int dfd, char __user *fil
  		if (!f)
  			goto out;
  		dentry = f->f_path.dentry;
@@ -18323,8 +18279,9 @@
  	} else {
  		error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
  		if (error)
- 			goto out;
- 
+@@ -86,6 +90,7 @@ long do_utimes(int dfd, char __user *fil
+ 		if (error)
+ 			goto dput_and_out;
  		dentry = nd.dentry;
 +		mnt = nd.mnt;
  	}
@@ -28442,7 +28399,7 @@
  	movl	%0, %3\n"					\
  	insn "\n"						\
 -"2:	lock ; cmpxchgl %3, %2\n\
-+"2:	"lock ; cmpxchgl %3, %%es:%2\n\
++"2:	lock ; cmpxchgl %3, %%es:%2\n\
  	jnz	1b\n\
 -3:	.section .fixup,\"ax\"\n\
 +3:	pushl	%%ss\n\
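Review bot: The corrected template line `"2:	lock ; cmpxchgl %3, %%es:%2\n\` applies the `%%es:` segment override only to the cmpxchgl; if another instruction in the same asm block dereferences operand %2 (the load that precedes the `1:` retry target is not in this hunk), it presumably needs the same override, otherwise the two accesses to the user word go through different segments. Confirm against the full macro rather than this hunk alone. The stray `"` removed here split the string literal and left a bare `lock` token, so the previous revision of this hunk could not have compiled; this is a compile fix with no intended behavior change. The enclosing macro starts and ends outside the hunk.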
@@ -31407,23 +31364,27 @@
  	sys_close(fd);
  	if (len <= 0 || len == 32 || buf[len - 1] != '\n')
  		goto fail;
-@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
- 	int part;
+@@ -145,12 +145,12 @@ dev_t name_to_dev_t(char *name)
+ 	int part, mount_result;
  
  #ifdef CONFIG_SYSFS
 -	int mkdir_err = sys_mkdir("/sys", 0700);
--	if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
 +	int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
-+	if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
+ 	/*
+ 	 * When changing resume parameter for TuxOnIce, sysfs may
+ 	 * already be mounted.
+ 	 */
+-	mount_result = sys_mount("sysfs", "/sys", "sysfs", 0, NULL);
++	mount_result = sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL);
+ 	if (mount_result < 0 && mount_result != -EBUSY)
  		goto out;
  #endif
- 
 @@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
- 	res = try_name(s, part);
  done:
  #ifdef CONFIG_SYSFS
--	sys_umount("/sys", 0);
-+	sys_umount((char __user *)"/sys", 0);
+ 	if (mount_result >= 0)
+-		sys_umount("/sys", 0);
++		sys_umount((char __user *)"/sys", 0);
  out:
  	if (!mkdir_err)
 -		sys_rmdir("/sys");
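Review bot: `int part, mount_result;` declares `mount_result` unconditionally, but every assignment and read of it sits inside `#ifdef CONFIG_SYSFS` (`mount_result = sys_mount(...)`, `if (mount_result < 0 && mount_result != -EBUSY)`, `if (mount_result >= 0)`), so a !CONFIG_SYSFS build gets an unused-variable warning. That declaration is context carried over from the TuxOnIce side rather than something this hunk changes, but since the grsec hunk now embeds it, declaring `int mount_result;` next to `int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);` inside the `#ifdef` would keep both configurations clean. The -EBUSY handling itself reads correctly: an already-mounted sysfs is reused and left mounted because the `mount_result >= 0` guard skips the umount. The `name_to_dev_t` body continues outside the hunk.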
@@ -31710,9 +31671,9 @@
 --- linux-2.6.24.4/ipc/msg.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/ipc/msg.c	2008-03-21 01:42:50.000000000 -0400
 @@ -36,6 +36,7 @@
- #include <linux/seq_file.h>
  #include <linux/rwsem.h>
  #include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/current.h>
@@ -31750,9 +31711,9 @@
 --- linux-2.6.24.4/ipc/sem.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/ipc/sem.c	2008-03-21 01:42:50.000000000 -0400
 @@ -82,6 +82,7 @@
- #include <linux/seq_file.h>
- #include <linux/rwsem.h>
  #include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -31790,9 +31751,9 @@
 --- linux-2.6.24.4/ipc/shm.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/ipc/shm.c	2008-03-21 01:42:50.000000000 -0400
 @@ -38,6 +38,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
  #include <linux/mount.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -31895,14 +31856,14 @@
 --- linux-2.6.24.4/kernel/capability.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/capability.c	2008-03-21 01:42:50.000000000 -0400
 @@ -13,6 +13,7 @@
- #include <linux/security.h>
  #include <linux/syscalls.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  
  /*
-@@ -233,15 +234,25 @@ out:
+@@ -233,13 +234,22 @@ out:
  
  int __capable(struct task_struct *t, int cap)
  {
@@ -31923,8 +31884,10 @@
 +	return 0;
 +}
 +
+ #include <linux/vserver/base.h>
  int capable(int cap)
  {
+@@ -252,3 +262,4 @@ int capable(int cap)
  	return __capable(current, cap);
  }
  EXPORT_SYMBOL(capable);
@@ -31953,9 +31916,9 @@
 --- linux-2.6.24.4/kernel/exit.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/exit.c	2008-03-24 00:05:10.000000000 -0400
 @@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
 +
 +#ifdef CONFIG_GRKERNSEC
@@ -32037,9 +32000,9 @@
 --- linux-2.6.24.4/kernel/fork.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/fork.c	2008-03-21 01:42:50.000000000 -0400
 @@ -51,6 +51,7 @@
- #include <linux/random.h>
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -32132,15 +32095,15 @@
  }
  
 @@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
+ 	DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
  	DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
- 	retval = -EAGAIN;
 +
 +	gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
 +
- 	if (atomic_read(&p->user->processes) >=
- 			p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
- 		if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ 	init_vx_info(&p->vx_info, current->vx_info);
+ 	init_nx_info(&p->nx_info, current->nx_info);
+ 
 @@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
  	if (clone_flags & CLONE_THREAD)
  		p->tgid = current->tgid;
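Review bot: `gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);` is now followed by `init_vx_info`/`init_nx_info` instead of the `retval = -EAGAIN; if (atomic_read(&p->user->processes) >= p->signal->rlim[RLIMIT_NPROC].rlim_cur)` check that the previous revision kept as context, so the learning hook and the enforcement check are no longer visibly adjacent. The learned value is only useful if it is the same count the check compares against, so confirm that the vserver tree still performs its RLIMIT_NPROC check after this point and that nothing between the two touches `p->user`; the hunk header `@@ -1015,6 +1042,9 @@` was left unchanged, which suggests the check simply moved below the vserver initialisation, but that is inferred. The `copy_process` body starts and ends outside the hunk.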
@@ -32859,9 +32822,9 @@
 --- linux-2.6.24.4/kernel/pid.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/pid.c	2008-03-21 01:42:50.000000000 -0400
 @@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #define pid_hashfn(nr, ns)	\
@@ -32926,9 +32889,9 @@
 --- linux-2.6.24.4/kernel/printk.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/printk.c	2008-03-21 01:42:50.000000000 -0400
 @@ -33,6 +33,7 @@
- #include <linux/bootmem.h>
  #include <linux/syscalls.h>
  #include <linux/jiffies.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -32949,9 +32912,9 @@
 --- linux-2.6.24.4/kernel/ptrace.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/kernel/ptrace.c	2008-03-21 01:42:50.000000000 -0400
 @@ -20,6 +20,7 @@
- #include <linux/signal.h>
  #include <linux/audit.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -33057,9 +33020,9 @@
 --- linux-2.6.24.4/kernel/sched.c	2008-03-24 00:34:43.000000000 -0400
 +++ linux-2.6.24.4/kernel/sched.c	2008-03-24 00:29:41.000000000 -0400
 @@ -63,6 +63,7 @@
- #include <linux/reciprocal_div.h>
- #include <linux/unistd.h>
  #include <linux/pagemap.h>
+ #include <linux/vs_sched.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/tlb.h>
@@ -33080,7 +33043,7 @@
 -	if (increment < 0 && !can_nice(current, nice))
 +	if (increment < 0 && (!can_nice(current, nice) ||
 +			      gr_handle_chroot_nice()))
- 		return -EPERM;
+ 		return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
  	retval = security_task_setnice(current, nice);
 @@ -5396,7 +5398,7 @@ static struct ctl_table sd_ctl_dir[] = {
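Review bot: With the context now reading `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, a request refused by `gr_handle_chroot_nice()` reports success to the caller whenever the vserver VXF_IGNEG_NICE flag is set, instead of the -EPERM grsec alone returns; the nice change is still not applied, since the return precedes `security_task_setnice`, but userspace in such a context can no longer tell the chroot refusal from a successful call. That may be acceptable because it is exactly what vserver does for the `!can_nice` case, yet it is an interaction between the two patches that the log message does not mention. A comment in the grsec hunk, `/* under VXF_IGNEG_NICE a refused nice is reported as success, as vserver does for !can_nice */`, would record the intent. The enclosing function starts and ends outside the hunk.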
@@ -33426,7 +33389,7 @@
 @@ -88,6 +89,9 @@ asmlinkage long sys_stime(time_t __user 
  		return err;
  
- 	do_settimeofday(&tv);
+ 	vx_settimeofday(&tv);
 +
 +	gr_log_timechange();
 +
@@ -34210,9 +34173,9 @@
 --- linux-2.6.24.4/mm/mlock.c	2008-02-25 19:20:20.000000000 -0500
 +++ linux-2.6.24.4/mm/mlock.c	2008-03-21 01:42:50.000000000 -0400
 @@ -12,6 +12,7 @@
- #include <linux/syscalls.h>
  #include <linux/sched.h>
  #include <linux/module.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  int can_do_mlock(void)
@@ -34242,7 +34205,7 @@
 +	gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.29&r2=1.1.2.30&f=u


