packages (LINUX_2_6_32): kernel/kernel-grsec_full.patch - http://grsecurity...
hawk
hawk at pld-linux.org
Thu May 3 14:03:47 CEST 2012
Author: hawk Date: Thu May 3 12:03:47 2012 GMT
Module: packages Tag: LINUX_2_6_32
---- Log message:
- http://grsecurity.net/~spender/grsecurity-2.9-2.6.32.59-201204272005.patch
---- Files affected:
packages/kernel:
kernel-grsec_full.patch (1.29.2.12 -> 1.29.2.13)
---- Diffs:
================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.29.2.12 packages/kernel/kernel-grsec_full.patch:1.29.2.13
--- packages/kernel/kernel-grsec_full.patch:1.29.2.12 Thu Apr 19 15:12:02 2012
+++ packages/kernel/kernel-grsec_full.patch Thu May 3 14:03:30 2012
@@ -213,7 +213,7 @@
M: Liam Girdwood <lrg at slimlogic.co.uk>
M: Mark Brown <broonie at opensource.wolfsonmicro.com>
diff --git a/Makefile b/Makefile
-index 3a9a721..e5a22f7 100644
+index 3a9a721..683dc09 100644
--- a/Makefile
+++ b/Makefile
@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -248,15 +248,17 @@
include/linux/version.h headers_% \
kernelrelease kernelversion
-@@ -526,6 +527,53 @@ else
+@@ -526,6 +527,55 @@ else
KBUILD_CFLAGS += -O2
endif
+ifndef DISABLE_PAX_PLUGINS
+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
+ifndef DISABLE_PAX_CONSTIFY_PLUGIN
++ifndef CONFIG_UML
+CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
+endif
++endif
+ifdef CONFIG_PAX_MEMORY_STACKLEAK
+STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
+STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
@@ -302,7 +304,7 @@
include $(srctree)/arch/$(SRCARCH)/Makefile
ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -647,7 +695,7 @@ export mod_strip_cmd
+@@ -647,7 +697,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -311,7 +313,7 @@
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -868,6 +916,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
+@@ -868,6 +918,8 @@ vmlinux.o: $(modpost-init) $(vmlinux-main) FORCE
# The actual objects are generated when descending,
# make sure no implicit rule kicks in
@@ -320,7 +322,7 @@
$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
# Handle descending into subdirectories listed in $(vmlinux-dirs)
-@@ -877,7 +927,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
+@@ -877,7 +929,7 @@ $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
@@ -329,7 +331,7 @@
$(Q)$(MAKE) $(build)=$@
# Build the kernel release string
-@@ -986,6 +1036,7 @@ prepare0: archprepare FORCE
+@@ -986,6 +1038,7 @@ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=. missing-syscalls
# All the preparing..
@@ -337,7 +339,7 @@
prepare: prepare0
# The asm symlink changes when $(ARCH) changes.
-@@ -1127,6 +1178,8 @@ all: modules
+@@ -1127,6 +1180,8 @@ all: modules
# using awk while concatenating to the final file.
PHONY += modules
@@ -346,7 +348,7 @@
modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
$(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
@$(kecho) ' Building modules, stage 2.';
-@@ -1136,7 +1189,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
+@@ -1136,7 +1191,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
# Target to prepare building external modules
PHONY += modules_prepare
@@ -355,7 +357,7 @@
# Target to install modules
PHONY += modules_install
-@@ -1201,7 +1254,7 @@ MRPROPER_FILES += .config .config.old include/asm .version .old_version \
+@@ -1201,7 +1256,7 @@ MRPROPER_FILES += .config .config.old include/asm .version .old_version \
include/linux/autoconf.h include/linux/version.h \
include/linux/utsrelease.h \
include/linux/bounds.h include/asm*/asm-offsets.h \
@@ -364,7 +366,7 @@
# clean - Delete most, but leave enough to build external modules
#
-@@ -1245,7 +1298,7 @@ distclean: mrproper
+@@ -1245,7 +1300,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -373,7 +375,7 @@
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1292,6 +1345,7 @@ help:
+@@ -1292,6 +1347,7 @@ help:
@echo ' modules_prepare - Set up for building external modules'
@echo ' tags/TAGS - Generate tags file for editors'
@echo ' cscope - Generate cscope index'
@@ -381,7 +383,7 @@
@echo ' kernelrelease - Output the release version string'
@echo ' kernelversion - Output the version stored in Makefile'
@echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
-@@ -1393,6 +1447,8 @@ PHONY += $(module-dirs) modules
+@@ -1393,6 +1449,8 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
@@ -390,7 +392,7 @@
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1448,7 +1504,7 @@ endif # KBUILD_EXTMOD
+@@ -1448,7 +1506,7 @@ endif # KBUILD_EXTMOD
quiet_cmd_tags = GEN $@
cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
@@ -399,7 +401,7 @@
$(call cmd,tags)
# Scripts to check various things for consistency
-@@ -1513,17 +1569,21 @@ else
+@@ -1513,17 +1571,21 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
@@ -425,7 +427,7 @@
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1533,11 +1593,15 @@ endif
+@@ -1533,11 +1595,15 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
@@ -752,7 +754,7 @@
select HAVE_KRETPROBES if (HAVE_KPROBES)
select HAVE_FUNCTION_TRACER if (!XIP_KERNEL)
diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
-index d0daeab..99ab713 100644
+index d0daeab..8d7cb84 100644
--- a/arch/arm/include/asm/atomic.h
+++ b/arch/arm/include/asm/atomic.h
@@ -15,6 +15,10 @@
@@ -830,7 +832,7 @@
+#ifdef CONFIG_PAX_REFCOUNT
+" bvc 3f\n"
+" mov %0, %1\n"
-+"2: bkpt 0xf103\n"
++"2: bkpt 0xf103\n"
+"3:\n"
+#endif
+
@@ -5938,6 +5940,16 @@
extra-y := head_$(BITS).o
extra-y += init_task.o
+diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
+index 4a700f4..6a831bd 100644
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -1242,4 +1242,4 @@ static int __init ds_init(void)
+ return vio_register_driver(&ds_driver);
+ }
+
+-subsys_initcall(ds_init);
++fs_initcall(ds_init);
diff --git a/arch/sparc/kernel/iommu.c b/arch/sparc/kernel/iommu.c
index 7690cc2..ece64c9 100644
--- a/arch/sparc/kernel/iommu.c
@@ -6108,6 +6120,32 @@
(void *) gp->tpc,
(void *) gp->o7,
(void *) gp->i7,
+diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
+index fd3cee4..cc4b1ff 100644
+--- a/arch/sparc/kernel/rtrap_64.S
++++ b/arch/sparc/kernel/rtrap_64.S
+@@ -20,11 +20,6 @@
+
+ .text
+ .align 32
+-__handle_softirq:
+- call do_softirq
+- nop
+- ba,a,pt %xcc, __handle_softirq_continue
+- nop
+ __handle_preemption:
+ call schedule
+ wrpr %g0, RTRAP_PSTATE, %pstate
+@@ -159,9 +154,7 @@ rtrap:
+ cmp %l1, 0
+
+ /* mm/ultra.S:xcall_report_regs KNOWS about this load. */
+- bne,pn %icc, __handle_softirq
+ ldx [%sp + PTREGS_OFF + PT_V9_TSTATE], %l1
+-__handle_softirq_continue:
+ rtrap_xcall:
+ sethi %hi(0xf << 20), %l4
+ and %l1, %l4, %l4
diff --git a/arch/sparc/kernel/sigutil_64.c b/arch/sparc/kernel/sigutil_64.c
index 6edc4e5..06a69b4 100644
--- a/arch/sparc/kernel/sigutil_64.c
@@ -15592,9 +15630,9 @@
@@ -180,7 +180,7 @@ void dump_stack(void)
#endif
- printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
-- current->pid, current->comm, current->xid, print_tainted(),
-+ task_pid_nr(current), current->comm, current->xid, print_tainted(),
+ printk("Pid: %d, comm: %.20s %s %s %.*s\n",
+- current->pid, current->comm, print_tainted(),
++ task_pid_nr(current), current->comm, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version);
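Review bot: The context lines of this inner dump_stack hunk no longer carry the `xid: #%u` format field or the `current->xid` argument, so this revision of the patch matches only a tree without what appear to be the Linux-VServer changes the previous revision was rebased on. The same shift is visible in the __show_regs hunk, in the fs/binfmt_elf.c and fs/fs_struct.c include context (`linux/vs_memory.h`, `linux/vserver/global.h`), in fs/libfs.c, fs/locks.c, fs/proc/internal.h and kernel/printk.c, and in copy_process and find_task_by_pid_ns, where the `vx_*` calls are gone. If the LINUX_2_6_32 spec still applies the vserver patch ahead of this one, these hunks will be rejected or applied with fuzz, and the grsecurity checks could land next to code they were not written against. Please confirm the patch order in the spec and record the base in the log message, for example `- upstream grsecurity-2.9-2.6.32.59-201204272005.patch, no longer rebased on vserver`.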
@@ -20211,9 +20249,9 @@
@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, int all)
if (!board)
board = "";
- printk(KERN_INFO "Pid: %d, comm: %.20s xid: #%u %s %s %.*s %s\n",
-- current->pid, current->comm, current->xid, print_tainted(),
-+ task_pid_nr(current), current->comm, current->xid, print_tainted(),
+ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
+- current->pid, current->comm, print_tainted(),
++ task_pid_nr(current), current->comm, print_tainted(),
init_utsname()->release,
(int)strcspn(init_utsname()->version, " "),
init_utsname()->version, board);
@@ -22613,18 +22651,10 @@
sptep, *sptep, write_pt);
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 7c6e63e..1b7dac1 100644
+index 7c6e63e..c5d92c1 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -2240,6 +2240,7 @@ static int rdmsr_interception(struct vcpu_svm *svm, struct kvm_run *kvm_run)
- return 1;
- }
-
-+static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data) __size_overflow(3);
- static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-@@ -2486,7 +2487,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
+@@ -2486,7 +2486,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
int cpu = raw_smp_processor_id();
struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
@@ -22636,7 +22666,7 @@
load_TR_desc();
}
-@@ -2947,7 +2952,7 @@ static bool svm_gb_page_enable(void)
+@@ -2947,7 +2951,7 @@ static bool svm_gb_page_enable(void)
return true;
}
@@ -65219,9 +65249,9 @@
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -31,6 +31,7 @@
+ #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
- #include <linux/vs_memory.h>
+#include <linux/xattr.h>
#include <asm/uaccess.h>
#include <asm/param.h>
@@ -68540,9 +68570,9 @@
--- a/fs/fs_struct.c
+++ b/fs/fs_struct.c
@@ -4,6 +4,7 @@
+ #include <linux/path.h>
#include <linux/slab.h>
#include <linux/fs_struct.h>
- #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
/*
@@ -69564,7 +69594,7 @@
for (loop = 0; loop < pagevec->nr; loop++) {
diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
-index 46435f3..8cddf18 100644
+index 46435f3a..8cddf18 100644
--- a/fs/fscache/stats.c
+++ b/fs/fscache/stats.c
@@ -18,95 +18,95 @@
@@ -70297,7 +70327,7 @@
index ba36e93..3153fce 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
-@@ -157,14 +157,22 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
+@@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
struct dentry *next;
@@ -70307,8 +70337,6 @@
next = list_entry(p, struct dentry, d_u.d_child);
if (d_unhashed(next) || !next->d_inode)
continue;
- if (filter && !filter(next))
- continue;
spin_unlock(&dcache_lock);
- if (filldir(dirent, next->d_name.name,
@@ -70365,7 +70393,7 @@
index a8794f2..4041e55 100644
--- a/fs/locks.c
+++ b/fs/locks.c
-@@ -145,12 +145,30 @@ static LIST_HEAD(blocked_list);
+@@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
static struct kmem_cache *filelock_cache __read_mostly;
@@ -70385,8 +70413,6 @@
/* Allocate an empty lock structure. */
static struct file_lock *locks_alloc_lock(void)
{
- if (!vx_locks_avail(1))
- return NULL;
- return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
+ struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
+
@@ -70397,7 +70423,7 @@
}
void locks_release_private(struct file_lock *fl)
-@@ -183,18 +201,10 @@ void locks_init_lock(struct file_lock *fl)
+@@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *fl)
INIT_LIST_HEAD(&fl->fl_link);
INIT_LIST_HEAD(&fl->fl_block);
init_waitqueue_head(&fl->fl_wait);
@@ -70412,7 +70438,6 @@
- fl->fl_start = fl->fl_end = 0;
fl->fl_ops = NULL;
fl->fl_lmops = NULL;
- fl->fl_xid = -1;
+ locks_init_lock_always(fl);
}
@@ -71485,7 +71510,7 @@
error = 0;
dput_and_out:
path_put(&path);
-@@ -596,70 +618,60 @@ out:
+@@ -596,66 +618,57 @@ out:
return error;
}
@@ -71565,10 +71590,6 @@
error = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
- if (error)
- goto out;
--
-- error = cow_check_and_break(&path);
-- if (error)
-- goto dput_and_out;
- inode = path.dentry->d_inode;
-
- error = mnt_want_write(path.mnt);
@@ -71586,10 +71607,7 @@
- path_put(&path);
-out:
+ if (!error) {
-+ error = cow_check_and_break(&path);
-+ if (!error) {
-+ error = chmod_common(&path, mode);
-+ }
++ error = chmod_common(&path, mode);
+ path_put(&path);
+ }
return error;
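Review bot: The rewritten fchmodat path added by this inner hunk now calls `chmod_common(&path, mode)` directly; the previous revision called `cow_check_and_break(&path)` first, and that call is dropped here and in the lines removed by the preceding hunk. If the target tree still provides `cow_check_and_break()` (judging by its name, the copy-on-write link break for files shared between contexts), a chmod through this path would change the shared inode without breaking the link first. In that case keep the earlier form, `error = cow_check_and_break(&path); if (!error) error = chmod_common(&path, mode);`. The chown, fchownat and lchown hunks that follow show the same call gone from their context lines. The function body starts outside this hunk.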
@@ -71613,29 +71631,29 @@
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
@@ -700,7 +716,7 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
- error = cow_check_and_break(&path);
- if (!error)
- #endif
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = mnt_want_write(path.mnt);
+ if (error)
+ goto out_release;
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
@@ -725,7 +741,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
- error = cow_check_and_break(&path);
- if (!error)
- #endif
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = mnt_want_write(path.mnt);
+ if (error)
+ goto out_release;
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
@@ -744,7 +760,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
- error = cow_check_and_break(&path);
- if (!error)
- #endif
-- error = chown_common(path.dentry, user, group);
-+ error = chown_common(path.dentry, user, group, path.mnt);
+ error = mnt_want_write(path.mnt);
+ if (error)
+ goto out_release;
+- error = chown_common(path.dentry, user, group);
++ error = chown_common(path.dentry, user, group, path.mnt);
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
@@ -72405,11 +72423,11 @@
INF("io", S_IRUSR, proc_tgid_io_accounting),
#endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
++ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
+#endif
- ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
};
+ static int proc_tgid_base_readdir(struct file * filp,
@@ -2735,7 +2867,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
if (!inode)
goto out;
@@ -72473,8 +72491,6 @@
+ rcu_read_unlock();
+#endif
filp->f_pos = iter.tgid + TGID_OFFSET;
- if (!vx_proc_task_visible(iter.task))
- continue;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
put_task_struct(iter.task);
@@ -72590,14 +72606,14 @@
+++ b/fs/proc/internal.h
@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
- extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
-
extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+ extern const struct file_operations proc_maps_operations;
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index b442dac..aab29cb 100644
--- a/fs/proc/kcore.c
@@ -73202,7 +73218,7 @@
reiserfs_check_lock_depth(inode->i_sb, "readdir");
diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
-index 128d3f7..8840d44 100644
+index 128d3f7c..8840d44 100644
--- a/fs/reiserfs/do_balan.c
+++ b/fs/reiserfs/do_balan.c
@@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb, /* tree_balance structure */
@@ -85796,9 +85812,6 @@
+ void (* const clear_inode) (struct inode *);
+ void (* const umount_begin) (struct super_block *);
-- void (*sync_inodes)(struct super_block *sb,
-+ void (* const sync_inodes)(struct super_block *sb,
- struct writeback_control *wbc);
- int (*show_options)(struct seq_file *, struct vfsmount *);
- int (*show_stats)(struct seq_file *, struct vfsmount *);
+ int (* const show_options)(struct seq_file *, struct vfsmount *);
@@ -87993,9 +88006,9 @@
mode_t mode, struct proc_dir_entry *base,
read_proc_t *read_proc, void * data)
@@ -256,7 +269,7 @@ union proc_op {
- int (*proc_vs_read)(char *page);
- int (*proc_vxi_read)(struct vx_info *vxi, char *page);
- int (*proc_nxi_read)(struct nx_info *nxi, char *page);
+ int (*proc_show)(struct seq_file *m,
+ struct pid_namespace *ns, struct pid *pid,
+ struct task_struct *task);
-};
+} __no_const;
@@ -88869,6 +88882,27 @@
__SONET_ITEMS
#undef __HANDLE_ITEM
};
+diff --git a/include/linux/stddef.h b/include/linux/stddef.h
+index 6a40c76..1747b67 100644
+--- a/include/linux/stddef.h
++++ b/include/linux/stddef.h
+@@ -3,14 +3,10 @@
+
+ #include <linux/compiler.h>
+
++#ifdef __KERNEL__
++
+ #undef NULL
+-#if defined(__cplusplus)
+-#define NULL 0
+-#else
+ #define NULL ((void *)0)
+-#endif
+-
+-#ifdef __KERNEL__
+
+ enum {
+ false = 0,
diff --git a/include/linux/sunrpc/cache.h b/include/linux/sunrpc/cache.h
index 6f52b4d..5500323 100644
--- a/include/linux/sunrpc/cache.h
@@ -91566,12 +91600,10 @@
return 0;
}
-@@ -1033,14 +1060,18 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+@@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(unsigned long clone_flags,
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
- if (!vx_nproc_avail(1))
- goto bad_fork_cleanup_vm;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
+
@@ -91581,7 +91613,7 @@
- p->real_cred->user != INIT_USER)
+ if (p->real_cred->user != INIT_USER &&
+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
- goto bad_fork_cleanup_vm;
+ goto bad_fork_free;
}
+ current->flags &= ~PF_NPROC_EXCEEDED;
@@ -93410,10 +93442,10 @@
*/
struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
{
-- return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+ struct task_struct *task;
+
-+ task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
++ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+
+ if (gr_pid_is_chrooted(task))
+ return NULL;
@@ -93687,15 +93719,15 @@
index 4cade47..4d17900 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
-@@ -35,6 +35,7 @@
+@@ -33,6 +33,7 @@
+ #include <linux/bootmem.h>
#include <linux/syscalls.h>
#include <linux/kexec.h>
- #include <linux/vs_cvirt.h>
+#include <linux/syslog.h>
#include <asm/uaccess.h>
-@@ -259,29 +260,21 @@ static inline void boot_delay_msec(void)
+@@ -256,38 +257,30 @@ static inline void boot_delay_msec(void)
}
#endif
@@ -93720,7 +93752,7 @@
unsigned i, j, limit, count;
int do_clear = 0;
char c;
- int error;
+ int error = 0;
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/packages/kernel/kernel-grsec_full.patch?r1=1.29.2.12&r2=1.29.2.13