packages (LINUX_2_6_32): kernel/kernel-grsec_full.patch - updated for vserv...
hawk
hawk at pld-linux.org
Thu Mar 8 20:50:23 CET 2012
Author: hawk Date: Thu Mar 8 19:50:23 2012 GMT
Module: packages Tag: LINUX_2_6_32
---- Log message:
- updated for the vserver-patched kernel
---- Files affected:
packages/kernel:
kernel-grsec_full.patch (1.29.2.9 -> 1.29.2.10)
---- Diffs:
================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.29.2.9 packages/kernel/kernel-grsec_full.patch:1.29.2.10
--- packages/kernel/kernel-grsec_full.patch:1.29.2.9 Thu Mar 8 14:42:54 2012
+++ packages/kernel/kernel-grsec_full.patch Thu Mar 8 20:50:07 2012
@@ -14562,9 +14562,9 @@
@@ -180,7 +180,7 @@ void dump_stack(void)
#endif
- printk("Pid: %d, comm: %.20s %s %s %.*s\n",
-- current->pid, current->comm, print_tainted(),
-+ task_pid_nr(current), current->comm, print_tainted(),
+ printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
+- current->pid, current->comm, current->xid, print_tainted(),
++ task_pid_nr(current), current->comm, current->xid, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version);
@@ -19068,9 +19068,9 @@
@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, int all)
if (!board)
board = "";
- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
-- current->pid, current->comm, print_tainted(),
-+ task_pid_nr(current), current->comm, print_tainted(),
+ printk(KERN_INFO "Pid: %d, comm: %.20s xid: #%u %s %s %.*s %s\n",
+- current->pid, current->comm, current->xid, print_tainted(),
++ task_pid_nr(current), current->comm, current->xid, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version, board);
@@ -46627,9 +46627,9 @@
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -31,6 +31,7 @@
- #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
+ #include <linux/vs_memory.h>
+#include <linux/xattr.h>
#include <asm/uaccess.h>
#include <asm/param.h>
@@ -49946,9 +49946,9 @@
--- a/fs/fs_struct.c
+++ b/fs/fs_struct.c
@@ -4,6 +4,7 @@
- #include <linux/path.h>
#include <linux/slab.h>
#include <linux/fs_struct.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
/*
@@ -51703,7 +51703,7 @@
index ba36e93..3153fce 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
-@@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
+@@ -157,14 +157,22 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
struct dentry *next;
@@ -51713,6 +51713,8 @@
next = list_entry(p, struct dentry, d_u.d_child);
if (d_unhashed(next) || !next->d_inode)
continue;
+ if (filter && !filter(next))
+ continue;
spin_unlock(&dcache_lock);
- if (filldir(dirent, next->d_name.name,
@@ -51769,7 +51771,7 @@
index a8794f2..4041e55 100644
--- a/fs/locks.c
+++ b/fs/locks.c
-@@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
+@@ -145,12 +145,30 @@ static LIST_HEAD(blocked_list);
static struct kmem_cache *filelock_cache __read_mostly;
@@ -51789,6 +51791,8 @@
/* Allocate an empty lock structure. */
static struct file_lock *locks_alloc_lock(void)
{
+ if (!vx_locks_avail(1))
+ return NULL;
- return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
+ struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
+
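Review bot: The grsec-introduced declaration `struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);` now follows the `if (!vx_locks_avail(1)) return NULL;` statement that the vserver side inserts ahead of it, and the kernel's top-level Makefile adds `-Wdeclaration-after-statement`, so this will warn on every build even though gnu89 accepts the mixed order as an extension. Declare first and assign after the availability check: `struct file_lock *fl;` as the first line of the body, then `fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);` where the initializer stood. The remainder of locks_alloc_lock is outside this hunk.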
@@ -51799,7 +51803,7 @@
}
void locks_release_private(struct file_lock *fl)
-@@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *fl)
+@@ -183,18 +201,10 @@ void locks_init_lock(struct file_lock *fl)
INIT_LIST_HEAD(&fl->fl_link);
INIT_LIST_HEAD(&fl->fl_block);
init_waitqueue_head(&fl->fl_wait);
@@ -51814,6 +51818,7 @@
- fl->fl_start = fl->fl_end = 0;
fl->fl_ops = NULL;
fl->fl_lmops = NULL;
+ fl->fl_xid = -1;
+ locks_init_lock_always(fl);
}
@@ -52852,7 +52857,7 @@
error = 0;
dput_and_out:
path_put(&path);
-@@ -596,66 +618,57 @@ out:
+@@ -596,70 +618,60 @@ out:
return error;
}
@@ -52932,6 +52937,10 @@
error = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
- if (error)
- goto out;
+-
+- error = cow_check_and_break(&path);
+- if (error)
+- goto dput_and_out;
- inode = path.dentry->d_inode;
-
- error = mnt_want_write(path.mnt);
@@ -52949,7 +52958,10 @@
- path_put(&path);
-out:
+ if (!error) {
-+ error = chmod_common(&path, mode);
++ error = cow_check_and_break(&path);
++ if (!error) {
++ error = chmod_common(&path, mode);
++ }
+ path_put(&path);
+ }
return error;
@@ -52973,29 +52985,29 @@
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
@@ -700,7 +716,7 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
- error = mnt_want_write(path.mnt);
- if (error)
- goto out_release;
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = cow_check_and_break(&path);
+ if (!error)
+ #endif
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
@@ -725,7 +741,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
- error = mnt_want_write(path.mnt);
- if (error)
- goto out_release;
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = cow_check_and_break(&path);
+ if (!error)
+ #endif
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
@@ -744,7 +760,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
- error = mnt_want_write(path.mnt);
- if (error)
- goto out_release;
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = cow_check_and_break(&path);
+ if (!error)
+ #endif
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
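Review bot: In all three chown hunks of this section (chown, fchownat and lchown) the line grsec rewrites, `error = chown_common(path.dentry, user, group, path.mnt);`, is the body of an unbraced `if (!error)` whose condition sits before the `#endif` while the body sits after it, so the same statement is conditional in one configuration and unconditional in the other. That is the vserver idiom and works as long as the body stays a single statement, but nothing on the grsec side records that constraint for the next rebase. A one-line comment above the call, e.g. `/* single-statement body of the conditional inside the #ifdef above */`, would make the coupling explicit. Each of the three syscall bodies starts and ends outside its hunk.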
@@ -53765,11 +53777,11 @@
INF("io", S_IRUSR, proc_tgid_io_accounting),
#endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
++ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
+#endif
+ ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
};
- static int proc_tgid_base_readdir(struct file * filp,
@@ -2735,7 +2867,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -53833,6 +53845,8 @@
+ rcu_read_unlock();
+#endif
filp->f_pos = iter.tgid + TGID_OFFSET;
+ if (!vx_proc_task_visible(iter.task))
+ continue;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
put_task_struct(iter.task);
@@ -53948,14 +53962,14 @@
+++ b/fs/proc/internal.h
@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
+
extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
- extern const struct file_operations proc_maps_operations;
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index b442dac..aab29cb 100644
--- a/fs/proc/kcore.c
@@ -67069,6 +67083,9 @@
+ void (* const clear_inode) (struct inode *);
+ void (* const umount_begin) (struct super_block *);
+- void (*sync_inodes)(struct super_block *sb,
++ void (* const sync_inodes)(struct super_block *sb,
+ struct writeback_control *wbc);
- int (*show_options)(struct seq_file *, struct vfsmount *);
- int (*show_stats)(struct seq_file *, struct vfsmount *);
+ int (* const show_options)(struct seq_file *, struct vfsmount *);
@@ -69199,9 +69216,9 @@
mode_t mode, struct proc_dir_entry *base,
read_proc_t *read_proc, void * data)
@@ -256,7 +269,7 @@ union proc_op {
- int (*proc_show)(struct seq_file *m,
- struct pid_namespace *ns, struct pid *pid,
- struct task_struct *task);
+ int (*proc_vs_read)(char *page);
+ int (*proc_vxi_read)(struct vx_info *vxi, char *page);
+ int (*proc_nxi_read)(struct nx_info *nxi, char *page);
-};
+} __no_const;
@@ -72678,10 +72695,12 @@
return 0;
}
-@@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1033,14 +1060,18 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
+ if (!vx_nproc_avail(1))
+ goto bad_fork_cleanup_vm;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
+
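Review bot: The `vx_nproc_avail(1)` check now runs ahead of `gr_learn_resource(p, RLIMIT_NPROC, ...)`, so a fork rejected by the guest process limit is never seen by grsec's learning mode; if learning is meant to record every RLIMIT_NPROC attempt the learn call should come first, i.e. swap the two statements. The mlockall hunk at `@@ -78291` has the same ordering, with `vx_vmlocked_avail()` ahead of `gr_learn_resource(current, RLIMIT_MEMLOCK, ...)`. Whether that matters depends on whether learned limits are supposed to reflect the guest ceiling or the process's actual demand, which this hunk does not show. copy_process continues outside the hunk.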
@@ -72691,7 +72710,7 @@
- p->real_cred->user != INIT_USER)
+ if (p->real_cred->user != INIT_USER &&
+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
- goto bad_fork_free;
+ goto bad_fork_cleanup_vm;
}
+ current->flags &= ~PF_NPROC_EXCEEDED;
@@ -74507,10 +74526,10 @@
*/
struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
{
-- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+- return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+ struct task_struct *task;
+
-+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
++ task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+
+ if (gr_pid_is_chrooted(task))
+ return NULL;
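Review bot: `pid_task()` returns NULL for an unknown pid, and after the vserver remap the result goes straight into `gr_pid_is_chrooted(task)` with no NULL test in between, so the merged code is only safe if that helper tolerates a NULL task, which the hunk does not show. If it does, a short comment `/* gr_pid_is_chrooted() accepts a NULL task */` saves the next reader the lookup; if not, the guard should read `if (task && gr_pid_is_chrooted(task))`. The rest of find_task_by_pid_ns is outside this hunk.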
@@ -74784,15 +74803,15 @@
index 4cade47..4d17900 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
-@@ -33,6 +33,7 @@
- #include <linux/bootmem.h>
+@@ -35,6 +35,7 @@
#include <linux/syscalls.h>
#include <linux/kexec.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/syslog.h>
#include <asm/uaccess.h>
-@@ -256,38 +257,30 @@ static inline void boot_delay_msec(void)
+@@ -259,29 +260,21 @@ static inline void boot_delay_msec(void)
}
#endif
@@ -74817,7 +74836,7 @@
unsigned i, j, limit, count;
int do_clear = 0;
char c;
- int error = 0;
+ int error;
- error = security_syslog(type);
+#ifdef CONFIG_GRKERNSEC_DMESG
@@ -74831,19 +74850,22 @@
if (error)
return error;
+@@ -301,11 +294,11 @@ int do_syslog(int type, char __user *buf
+ return vx_do_syslog(type, buf, len);
+
switch (type) {
- case 0: /* Close log */
-+ case SYSLOG_ACTION_CLOSE: /* Close log */
++ case SYSLOG_ACTION_CLOSE: /* Close log */
break;
- case 1: /* Open log */
-+ case SYSLOG_ACTION_OPEN: /* Open log */
++ case SYSLOG_ACTION_OPEN: /* Open log */
break;
- case 2: /* Read from log */
-+ case SYSLOG_ACTION_READ: /* Read from log */
- error = -EINVAL;
- if (!buf || len < 0)
- goto out;
-@@ -318,10 +311,12 @@ int do_syslog(int type, char __user *buf, int len)
++ case SYSLOG_ACTION_READ: /* Read from log */
+ error = wait_event_interruptible(log_wait,
+ (log_start - log_end));
+ if (error)
+@@ -326,10 +319,12 @@ int do_syslog(int type, char __user *buf
if (!error)
error = i;
break;
@@ -74855,10 +74877,10 @@
- case 3: /* Read last kernel messages */
+ /* Read last kernel messages */
+ case SYSLOG_ACTION_READ_ALL:
- error = -EINVAL;
- if (!buf || len < 0)
- goto out;
-@@ -374,21 +369,25 @@ int do_syslog(int type, char __user *buf, int len)
+ count = len;
+ if (count > log_buf_len)
+ count = log_buf_len;
+@@ -372,21 +367,25 @@ int do_syslog(int type, char __user *buf
}
}
break;
@@ -74888,7 +74910,7 @@
error = -EINVAL;
if (len < 1 || len > 8)
goto out;
-@@ -399,10 +398,12 @@ int do_syslog(int type, char __user *buf, int len)
+@@ -397,10 +396,12 @@ int do_syslog(int type, char __user *buf
saved_console_loglevel = -1;
error = 0;
break;
@@ -74903,7 +74925,7 @@
error = log_buf_len;
break;
default:
-@@ -415,7 +416,7 @@ out:
+@@ -413,7 +414,7 @@ out:
SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len)
{
@@ -75597,7 +75619,7 @@
- if (increment < 0 && !can_nice(current, nice))
+ if (increment < 0 && (!can_nice(current, nice) ||
+ gr_handle_chroot_nice()))
- return -EPERM;
+ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
retval = security_task_setnice(current, nice);
@@ -8774,7 +8794,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd)
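Review bot: With `gr_handle_chroot_nice()` folded into the vserver condition, a chroot-policy denial now takes `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, so under VXF_IGNEG_NICE the denial is reported to userspace as success (the nice change is still not applied, since the function returns here), while the grsec hook presumably still logs it. That merges two policies' failure reporting into one flag; if the chroot denial should stay visible to the caller, keep it as its own `return -EPERM;` before the vserver return. The enclosing function starts and ends outside this hunk.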
@@ -75657,9 +75679,9 @@
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
@@ -627,6 +630,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
- }
+ return error;
}
-
+ skip:
+ /* allow glibc communication via tgkill to other threads in our
+ thread group */
+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
@@ -77873,7 +77895,7 @@
* We enter with non-exclusive mmap_sem (to exclude vma changes,
* but allow concurrent faults), and pte mapped but not yet locked.
* We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2674,30 +2864,27 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long address, pte_t *page_table, pmd_t *pmd,
unsigned int flags)
{
@@ -77883,7 +77905,10 @@
pte_t entry;
- pte_unmap(page_table);
--
+
+ if (!vx_rss_avail(mm, 1))
+ goto oom;
+
- /* Check if we need to add a guard page to the stack */
- if (check_stack_guard_page(vma, address) < 0)
- return VM_FAULT_SIGBUS;
@@ -78291,9 +78316,9 @@
if (!(flags & MCL_CURRENT))
newflags &= ~VM_LOCKED;
@@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
- lock_limit >>= PAGE_SHIFT;
-
ret = -ENOMEM;
+ if(!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+ goto out;
+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
capable(CAP_IPC_LOCK))
@@ -79182,9 +79207,9 @@
+ }
+#endif
+
- mm->total_vm -= nrpages;
+ // mm->total_vm -= nrpages;
+ vx_vmpages_sub(mm, nrpages);
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
- vma = remove_vma(vma);
@@ -1813,6 +2104,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
@@ -79435,11 +79460,11 @@
if (mm->map_count > sysctl_max_map_count)
return -ENOMEM;
-- if (security_vm_enough_memory(len >> PAGE_SHIFT))
-+ if (security_vm_enough_memory(charged))
+- if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
++ if (security_vm_enough_memory(charged) ||
+ !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
return -ENOMEM;
- /* Can we just expand an old private anonymous mapping? */
@@ -2066,7 +2467,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
@@ -79449,16 +79474,18 @@
return -ENOMEM;
}
-@@ -2078,11 +2479,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
- vma->vm_page_prot = vm_get_page_prot(flags);
+@@ -2078,13 +2479,14 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
-- mm->total_vm += len >> PAGE_SHIFT;
-+ mm->total_vm += charged;
+ // mm->total_vm += len >> PAGE_SHIFT;
+- vx_vmpages_add(mm, len >> PAGE_SHIFT);
++ vx_vmpages_add(mm, charged);
+
if (flags & VM_LOCKED) {
if (!mlock_vma_pages_range(vma, addr, addr + len))
-- mm->locked_vm += (len >> PAGE_SHIFT);
-+ mm->locked_vm += charged;
+ // mm->locked_vm += (len >> PAGE_SHIFT);
+- vx_vmlocked_add(mm, len >> PAGE_SHIFT);
++ vx_vmlocked_add(mm, charged);
}
+ track_exec_limit(mm, addr, addr + len, flags);
return addr;
@@ -81934,7 +81961,7 @@
index d717267..56de7e7 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
-@@ -18,12 +18,15 @@
+@@ -18,13 +18,16 @@
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/wait.h>
@@ -81943,6 +81970,7 @@
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
#include <net/secure_seq.h>
+ #include <net/route.h>
#include <net/ip.h>
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
@@ -85991,9 +86019,9 @@
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,8 @@
- #include <linux/sched.h>
#include <linux/prctl.h>
#include <linux/securebits.h>
+ #include <linux/vs_context.h>
+#include <linux/syslog.h>
+#include <net/sock.h>
@@ -86012,7 +86040,7 @@
+#ifdef CONFIG_NET
+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
+#else
- NETLINK_CB(skb).eff_cap = current_cap();
+ NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
+#endif
+
return 0;
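Review bot: In the new `#ifdef CONFIG_NET` branch `NETLINK_CB(skb).eff_cap` is taken from `gr_cap_rtnetlink(sk)` alone, and the vserver masking `vx_mbcaps(current_cap())` survives only in the `#else` branch, which is dead for any build that has netlink sockets at all. Unless gr_cap_rtnetlink() already applies the context's capability bound (not visible here), a guest process gets an eff_cap that vserver would have masked. If it returns a kernel_cap_t derived from current_cap(), composing the two keeps both policies: `NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));`. The enclosing function starts outside this hunk.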
@@ -86028,7 +86056,7 @@
if (cred->uid != 0) {
if (bprm->cap_effective)
return 1;
-@@ -956,13 +970,18 @@ error:
+@@ -956,14 +970,18 @@ error:
/**
* cap_syslog - Determine whether syslog function is permitted
* @type: Function requested
@@ -86040,12 +86068,13 @@
-int cap_syslog(int type)
+int cap_syslog(int type, bool from_file)
{
-- if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
+- if ((type != 3 && type != 10) &&
+- !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
+ /* /proc/kmsg can open be opened by CAP_SYS_ADMIN */
+ if (type != SYSLOG_ACTION_OPEN && from_file)
+ return 0;
+ if ((type != SYSLOG_ACTION_READ_ALL &&
-+ type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
++ type != SYSLOG_ACTION_SIZE_BUFFER) && !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
return -EPERM;
return 0;
}
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.29.2.9&r2=1.29.2.10&f=u