packages: kernel/grsec/3.0/grsec-2.2.2-3.0.8-201110250925.patch (NEW) - for...
arekm
arekm at pld-linux.org
Thu Nov 10 08:36:05 CET 2011
Author: arekm Date: Thu Nov 10 07:36:05 2011 GMT
Module: packages Tag: HEAD
---- Log message:
- for 3.0.8
---- Files affected:
packages/kernel/grsec/3.0:
grsec-2.2.2-3.0.8-201110250925.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/kernel/grsec/3.0/grsec-2.2.2-3.0.8-201110250925.patch
diff -u /dev/null packages/kernel/grsec/3.0/grsec-2.2.2-3.0.8-201110250925.patch:1.1
--- /dev/null Thu Nov 10 08:36:05 2011
+++ packages/kernel/grsec/3.0/grsec-2.2.2-3.0.8-201110250925.patch Thu Nov 10 08:36:00 2011
@@ -0,0 +1,214 @@
+--- kernel-grsec_full.patch.org 2011-10-25 15:43:51.000000000 +0200
++++ kernel-grsec_full.patch 2011-11-10 08:35:17.427926273 +0100
+@@ -11438,9 +11438,9 @@
+ @@ -186,7 +186,7 @@ void dump_stack(void)
+
+ bp = stack_frame(current, NULL);
+- printk("Pid: %d, comm: %.20s %s %s %.*s\n",
+-- current->pid, current->comm, print_tainted(),
+-+ task_pid_nr(current), current->comm, print_tainted(),
++ printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
++- current->pid, current->comm, current->xid, print_tainted(),
+++ task_pid_nr(current), current->comm, current->xid, print_tainted(),
+ init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+ init_utsname()->version);
+@@ -15135,9 +15135,9 @@
+ @@ -106,7 +123,7 @@ void show_regs_common(void)
+
+ printk(KERN_CONT "\n");
+- printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
+-- current->pid, current->comm, print_tainted(),
+-+ task_pid_nr(current), current->comm, print_tainted(),
++ printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
++- current->pid, current->xid, current->comm, print_tainted(),
+++ task_pid_nr(current), current->xid, current->comm, print_tainted(),
+ init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+ init_utsname()->version);
+@@ -43772,9 +43772,9 @@
+ #include <linux/slab.h>
+ #include <linux/fs_struct.h>
+ +#include <linux/grsecurity.h>
++ #include <linux/vserver/global.h>
+ #include "internal.h"
+
+- static inline void path_get_longterm(struct path *path)
+ @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
+ old_root = fs->root;
+ fs->root = *path;
+@@ -45907,9 +45907,9 @@
+ #endif
+ #ifdef CONFIG_SCHEDSTATS
+ @@ -2857,6 +2973,9 @@ static const struct pid_entry tgid_base_
+- #ifdef CONFIG_HARDWALL
+ INF("hardwall", S_IRUGO, proc_pid_hardwall),
+ #endif
++ ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
+ +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
+ +#endif
+@@ -45982,11 +45982,11 @@
+ + rcu_read_unlock();
+ +#endif
+ filp->f_pos = iter.tgid + TGID_OFFSET;
++ if (!vx_proc_task_visible(iter.task))
++ continue;
+ - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
+ put_task_struct(iter.task);
+- goto out;
+- }
+ @@ -3141,7 +3298,7 @@ static const struct pid_entry tid_base_s
+ REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
+ #endif
+@@ -46097,9 +46097,9 @@
+ +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+ +#endif
+- extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
++ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
++ struct pid *pid, struct task_struct *task);
+
+- extern const struct file_operations proc_maps_operations;
+ diff -urNp linux-3.0.8/fs/proc/Kconfig linux-3.0.8/fs/proc/Kconfig
+ --- linux-3.0.8/fs/proc/Kconfig 2011-07-21 22:17:23.000000000 -0400
+ +++ linux-3.0.8/fs/proc/Kconfig 2011-08-23 21:48:14.000000000 -0400
+@@ -60087,10 +60087,10 @@
+ static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
+ mode_t mode, struct proc_dir_entry *base,
+ read_proc_t *read_proc, void * data)
+-@@ -258,7 +271,7 @@ union proc_op {
+- int (*proc_show)(struct seq_file *m,
+- struct pid_namespace *ns, struct pid *pid,
+- struct task_struct *task);
++@@ -278,7 +278,7 @@ union proc_op {
++ int (*proc_vs_read)(char *page);
++ int (*proc_vxi_read)(struct vx_info *vxi, char *page);
++ int (*proc_nxi_read)(struct nx_info *nxi, char *page);
+ -};
+ +} __no_const;
+
+@@ -62651,15 +62651,15 @@
+ new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
+ if (!new)
+ return NULL;
+-@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
+- const struct cred *old;
++@@ -268,6 +268,8 @@ struct cred *__prepare_creds(const struc
++ {
+ struct cred *new;
+
+ + pax_track_stack();
+ +
+- validate_process_creds();
+-
+ new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
++ if (!new)
++ return NULL;
+ @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
+ struct thread_group_cred *tgcred = NULL;
+ struct cred *new;
+@@ -63296,13 +63296,15 @@
+ return 0;
+ }
+
+-@@ -1104,12 +1142,16 @@ static struct task_struct *copy_process(
+- DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
+- #endif
+- retval = -EAGAIN;
+-+
++@@ -1156,15 +1156,18 @@ static struct task_struct *copy_process(
++ init_vx_info(&p->vx_info, current_vx_info());
++ init_nx_info(&p->nx_info, current_nx_info());
++
+ + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
+ +
++ retval = -EAGAIN;
++ if (!vx_nproc_avail(1))
++ goto bad_fork_free;
+ if (atomic_read(&p->real_cred->user->processes) >=
+ task_rlimit(p, RLIMIT_NPROC)) {
+ - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+@@ -64746,8 +64748,8 @@
+ + struct task_struct *task;
+ +
+ rcu_lockdep_assert(rcu_read_lock_held());
+-- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+-+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
++- return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+++ task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+ +
+ + if (gr_pid_is_chrooted(task))
+ + return NULL;
+@@ -64973,7 +64975,7 @@
+ +#endif
+ +
+ if (syslog_action_restricted(type)) {
+- if (capable(CAP_SYSLOG))
++ if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
+ return 0;
+ /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
+ if (capable(CAP_SYS_ADMIN)) {
+@@ -65717,7 +65719,7 @@
+ - if (increment < 0 && !can_nice(current, nice))
+ + if (increment < 0 && (!can_nice(current, nice) ||
+ + gr_handle_chroot_nice()))
+- return -EPERM;
++ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
+
+ retval = security_task_setnice(current, nice);
+ @@ -5097,6 +5102,7 @@ recheck:
+@@ -65786,10 +65788,11 @@
+ if (is_global_init(tsk))
+ return 1;
+ if (handler != SIG_IGN && handler != SIG_DFL)
+-@@ -770,6 +773,13 @@ static int check_kill_permission(int sig
+- }
++@@ -797,6 +797,14 @@
++ sig, info, t, vx_task_xid(t), t->pid, current->xid);
++ return error;
+ }
+-
+++
+ + /* allow glibc communication via tgkill to other threads in our
+ + thread group */
+ + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
+@@ -65797,9 +65800,9 @@
+ + && gr_handle_signal(t, sig))
+ + return -EPERM;
+ +
++ /* skip: */
+ return security_task_kill(t, info, sig, 0);
+ }
+-
+ @@ -1092,7 +1102,7 @@ __group_send_sig_info(int sig, struct si
+ return send_signal(sig, info, p, 1);
+ }
+@@ -72547,13 +72550,13 @@
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/secure_seq.h>
++ #include <net/route.h>
+ #include <net/ip.h>
+
+ +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
+ +
+ /*
+ * Allocate and initialize a new local port bind bucket.
+- * The bindhash mutex for snum's hash chain must be held here.
+ @@ -530,6 +533,8 @@ ok:
+ twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
+ spin_unlock(&head->lock);
+@@ -73359,9 +73362,9 @@
+ +extern int grsec_enable_blackhole;
+ +#endif
+ +
+- int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
++ int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
+ {
+- const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
++ const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
+ @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
+
+ return 0;
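Review bot: In the `@@ -65717` section, the merged condition `if (increment < 0 && (!can_nice(current, nice) || gr_handle_chroot_nice()))` now falls through to the vserver line `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, so in a context with VXF_IGNEG_NICE set, a request that grsec's chroot check rejects is reported to the caller as success rather than -EPERM. The nice change still appears not to be applied, since the return precedes `retval = security_task_setnice(current, nice);`, but the caller can no longer distinguish the grsec denial from the vserver "silently ignore" policy, and the two restrictions become coupled in a way neither upstream patch intended. Consider keeping the grsec denial hard by testing it separately first, `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`, and letting the VXF_IGNEG_NICE ternary govern only the `!can_nice(current, nice)` case. The enclosing function begins and ends outside the hunk, so whether gr_handle_chroot_nice() has side effects of its own cannot be confirmed from here.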
================================================================