SOURCES (LINUX_2_6): linux-2.6-grsec-minimal.patch - updated for l...

baggins baggins at pld-linux.org
Tue Jan 2 16:26:40 CET 2007 

Author: baggins                      Date: Tue Jan  2 15:26:40 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- updated for linux 2.6.19.1

---- Files affected:
SOURCES:
   linux-2.6-grsec-minimal.patch (1.1.2.18 -> 1.1.2.19) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.18 SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.19
--- SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.18	Fri Nov  3 18:52:35 2006
+++ SOURCES/linux-2.6-grsec-minimal.patch	Tue Jan  2 16:26:35 2007
@@ -39,7 +39,7 @@
 +	}
 +#endif
 +
- 	fn_handler[value](vc, regs);
+ 	fn_handler[value](vc);
  }
  
 diff -urNp linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
@@ -126,22 +126,22 @@
  	error = __do_follow_link(&path, nd);
  	if (error) {
  		/* Does someone understand code flow here? Or it is only
-@@ -2251,8 +2273,14 @@
- 	new_dentry = lookup_create(&nd, 0);
+@@ -2326,7 +2454,16 @@ asmlinkage long sys_linkat(int olddfd, c
  	error = PTR_ERR(new_dentry);
- 	if (!IS_ERR(new_dentry)) {
--		error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
--			new_dentry, &nd);
-+		error = 0;
-+		if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
-+				       old_nd.dentry->d_inode,
-+				       old_nd.dentry->d_inode->i_mode, to))
-+			error = -EPERM;
-+		if (!error)
-+			error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
-+				new_dentry, &nd);
- 		dput(new_dentry);
- 	}
+ 	if (IS_ERR(new_dentry))
+ 		goto out_unlock;
++
++	if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
++			       old_nd.dentry->d_inode,
++			       old_nd.dentry->d_inode->i_mode, to)) {
++		error = -EACCES;
++		goto out_unlock_dput;
++	}
++
+ 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
++out_unlock_dput:
+ 	dput(new_dentry);
+ out_unlock:
  	mutex_unlock(&nd.dentry->d_inode->i_mutex);
 diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
 --- linux-2.6.16.2/fs/proc/array.c	2006-04-07 18:56:47.000000000 +0200
@@ -192,7 +192,7 @@
 diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
 --- linux-2.6.16.2/fs/proc/proc_misc.c	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c	2006-04-11 17:44:40.109709500 +0200
-@@ -708,6 +708,10 @@
+@@ -670,6 +670,10 @@ void create_seq_entry(char *name, mode_t
  void __init proc_misc_init(void)
  {
  	struct proc_dir_entry *entry;
@@ -203,7 +203,7 @@
  	static struct {
  		char *name;
  		int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -723,7 +725,9 @@
+@@ -685,7 +687,9 @@ void __init proc_misc_init(void)
  		{"stram",	stram_read_proc},
  #endif
  		{"filesystems",	filesystems_read_proc},
@@ -213,7 +213,7 @@
  		{"locks",	locks_read_proc},
  		{"execdomains",	execdomains_read_proc},
  		{NULL,}
-@@ -708,19 +712,37 @@
+@@ -693,13 +697,26 @@ void __init proc_misc_init(void)
  	for (p = simple_ones; p->name; p++)
  		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
  
@@ -232,14 +232,15 @@
  	entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
  	if (entry)
  		entry->proc_fops = &proc_kmsg_operations;
-+
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
 +#else
  	create_seq_entry("devices", 0, &proc_devinfo_operations);
 +#endif
  	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
+ #ifdef CONFIG_BLOCK
  	create_seq_entry("partitions", 0, &proc_partitions_operations);
+@@ -707,7 +724,11 @@ void __init proc_misc_init(void)
  	create_seq_entry("stat", 0, &proc_stat_operations);
  	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
  #ifdef CONFIG_SLAB
@@ -251,7 +252,7 @@
  #ifdef CONFIG_DEBUG_SLAB_LEAK
  	create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
  #endif
-@@ -705,7 +726,7 @@ void __init proc_misc_init(void)
+@@ -724,7 +745,7 @@ void __init proc_misc_init(void)
  #ifdef CONFIG_SCHEDSTATS
  	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
  #endif
@@ -996,21 +997,29 @@
 --- linux-2.6.16.2/kernel/exit.c	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/kernel/exit.c	2006-04-11 17:44:40.125710500 +0200
 @@ -36,6 +36,7 @@
- #include <linux/pipe_fs_i.h>
  #include <linux/audit.h> /* for audit_free() */
  #include <linux/resource.h>
+ #include <linux/blkdev.h>
 +#include <linux/grsecurity.h>
  #include <linux/vs_limit.h>
  #include <linux/vs_context.h>
  #include <linux/vs_network.h>
-@@ -97,6 +98,7 @@
- 		}
- 		if (tsk == sig->curr_target)
- 			sig->curr_target = next_thread(tsk);
-+		gr_del_task_from_ip_table(tsk);
- 		/*
- 		 * Accumulate here the counters for all threads but the
- 		 * group leader as they die, so they can be added into
+@@ -118,6 +123,7 @@ static void __exit_signal(struct task_st
+ 
+ 	__unhash_process(tsk);
+ 
++	gr_del_task_from_ip_table(tsk);
+ 	tsk->signal = NULL;
+ 	tsk->sighand = NULL;
+ 	spin_unlock(&sighand->siglock);
+@@ -914,6 +942,7 @@ fastcall NORET_TYPE void do_exit(long co
+ 	if (group_dead)
+ 		acct_process();
+ 	exit_sem(tsk);
++	gr_shm_exit(tsk);
+ 	__exit_files(tsk);
+ 	__exit_fs(tsk);
+ 	exit_thread();
 diff -urNp linux-2.6.18/kernel/kallsyms.c linux-2.6.18/kernel/kallsyms.c
 --- linux-2.6.18/kernel/kallsyms.c	2006-09-19 23:42:06.000000000 -0400
 +++ linux-2.6.18/kernel/kallsyms.c	2006-09-22 20:45:04.000000000 -0400
@@ -1179,27 +1188,7 @@
 diff -urN linux-2.6.18/fs/proc/base.c linux-2.6.18-grsec/fs/proc/base.c
 --- linux-2.6.18/fs/proc/base.c.orig	2006-11-03 18:27:40.112510768 +0100
 +++ linux-2.6.18/fs/proc/base.c	2006-11-03 18:42:56.408212648 +0100
-@@ -141,6 +141,9 @@
- #ifdef CONFIG_AUDITSYSCALL
- 	PROC_TGID_LOGINUID,
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	PROC_TGID_IPADDR,
-+#endif
- 	PROC_TGID_OOM_SCORE,
- 	PROC_TGID_OOM_ADJUST,
- 	PROC_TID_INO,
-@@ -227,6 +230,9 @@
- 	E(PROC_TGID_EXE,       "exe",     S_IFLNK|S_IRWXUGO),
- 	E(PROC_TGID_MOUNTS,    "mounts",  S_IFREG|S_IRUGO),
- 	E(PROC_TGID_MOUNTSTATS, "mountstats", S_IFREG|S_IRUSR),
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	E(PROC_TGID_IPADDR,	"ipaddr",  S_IFREG|S_IRUSR),
-+#endif
- #ifdef CONFIG_MMU
- 	E(PROC_TGID_SMAPS,     "smaps",   S_IFREG|S_IRUGO),
- #endif
-@@ -1341,7 +1347,11 @@
+@@ -969,7 +969,11 @@ static struct inode *proc_pid_make_inode
  	if (task_dumpable(task)) {
  		inode->i_uid = task->euid;
  		inode->i_gid = task->egid;
@@ -1211,49 +1200,30 @@
  	/* procfs is xid tagged */
  	inode->i_tag = (tag_t)vx_task_xid(task);
  	security_task_to_inode(task, inode);
-@@ -1375,9 +1385,20 @@
+@@ -985,17 +992,38 @@ static int pid_getattr(struct vfsmount *
  {
  	struct inode *inode = dentry->d_inode;
- 	struct task_struct *task = get_proc_task(inode);
+ 	struct task_struct *task;
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
- 	int ret = 0;
++
+ 	generic_fillattr(inode, stat);
  
+ 	rcu_read_lock();
+ 	stat->uid = 0;
+ 	stat->gid = 0;
+ 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
 -	if (task) {
 +	if (task
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		&& (!tmp->uid || (tmp->uid == task->uid)
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+	#endif
-+		)
-+	#endif
-+	) {
- 		int pid = (inode->i_ino >> 16) & 0xFFFF;
- 
- 		if (!proc_pid_visible(task, pid))
-@@ -1385,9 +1406,17 @@
- 
- 		ret = 1;
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+	#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+	#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+	#endif
- 		    task_dumpable(task)) {
- 			inode->i_uid = task->euid;
- 			inode->i_gid = task->egid;
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	#endif
- 		} else {
- 			inode->i_uid = 0;
- 			inode->i_gid = 0;
-@@ -1416,9 +1445,17 @@
- 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
- 	if (task) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	    && (!tmp->uid || (tmp->uid == task->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++	    || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++	    )
++#endif
++	    ) {
  		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
@@ -1262,111 +1232,82 @@
 +#endif
  		    task_dumpable(task)) {
  			stat->uid = task->euid;
- 			stat->gid = task->egid;
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
 +			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			stat->gid = task->egid;
 +#endif
  		}
  	}
  	rcu_read_unlock();
-@@ -1757,6 +1794,12 @@
- 			inode->i_fop = &proc_info_file_operations;
- 			ei->op.proc_read = proc_pid_status;
- 			break;
+@@ -1025,9 +1053,18 @@ static int pid_revalidate(struct dentry 
+ 	struct task_struct *task = get_proc_task(inode);
+ 	if (task) {
+ 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ 		    task_dumpable(task)) {
+ 			inode->i_uid = task->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			inode->i_gid = task->egid;
++#endif
+ 		} else {
+ 			inode->i_uid = 0;
+ 			inode->i_gid = 0;
+@@ -1791,6 +1833,9 @@ static struct pid_entry tgid_base_stuff[
+ #ifdef CONFIG_AUDITSYSCALL
+ 	REG("loginuid",   S_IWUSR|S_IRUGO, loginuid),
+ #endif
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+		case PROC_TGID_IPADDR:
-+			inode->i_fop = &proc_info_file_operations;
-+			ei->op.proc_read = proc_pid_ipaddr;
-+			break;
-+#endif
- 		case PROC_TID_STAT:
- 			inode->i_fop = &proc_info_file_operations;
- 			ei->op.proc_read = proc_tid_stat;
-@@ -2117,7 +2160,14 @@
++	INF("ipaddr",	  S_IRUSR, pid_ipaddr),
++#endif
+ };
+ 
+ static int proc_tgid_base_readdir(struct file * filp,
+@@ -1893,7 +1938,14 @@ struct dentry *proc_pid_instantiate(stru
  	if (!inode)
- 		goto out_put_task;
+ 		goto out;
  
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
 +#else
  	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
 +#endif
  	inode->i_op = &proc_tgid_base_inode_operations;
  	inode->i_fop = &proc_tgid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -2213,12 +2263,27 @@
- static struct task_struct *first_tgid(int tgid, unsigned int nr)
+@@ -1992,6 +2048,9 @@ int proc_pid_readdir(struct file * filp,
  {
- 	struct task_struct *pos;
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		struct task_struct *tmp = current;
-+	#endif
- 	rcu_read_lock();
- 	if (tgid && nr) {
- 		pos = find_proc_task_by_pid(tgid);
-+		if (pos
-+	#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+			&& (tmp->uid && (pos->uid != tmp->uid)
-+	#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+	#endif
-+			)
-+	#endif
-+		)
-+			goto not_found;
-+
- 		if (pos && thread_group_leader(pos))
- 			goto found;
- 	}
-+	not_found:
- 	/* If nr exceeds the number of processes get out quickly */
- 	pos = NULL;
- 	if (nr && nr >= nr_processes())
-@@ -2233,6 +2298,16 @@
- 			pos = NULL;
- 			goto done;
- 		}
-+		if (pos
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		    && (tmp->uid && (pos->uid != tmp->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+			)
-+#endif
-+		)
-+			nr++;
- 	}
- found:
- 	get_task_struct(pos);
-@@ -2270,6 +2345,9 @@
- {
- 	char buf[PROC_NUMBUF];
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
  	struct task_struct *task;
  	int tgid;
  
-@@ -2292,6 +2370,17 @@
- 	     task = next_tgid(task), filp->f_pos++) {
- 		int len;
- 		ino_t ino;
+@@ -2009,6 +2068,16 @@ int proc_pid_readdir(struct file * filp,
+ 	     task;
+ 	     put_task_struct(task), task = next_tgid(tgid + 1)) {
+ 		tgid = task->pid;
 +
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +		if (tmp->uid && (task->uid != tmp->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++		        && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
 +#endif
-+		) {
++		)
 +			continue;
-+		}
 +#endif
 +
- 		tgid = vx_map_tgid(task->pid);
- 		if (!proc_pid_visible(task, tgid))
- 			continue;
+ 		filp->f_pos = tgid + TGID_OFFSET;
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
+ 			put_task_struct(task);
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec-minimal.patch?r1=1.1.2.18&r2=1.1.2.19&f=u

More information about the pld-cvs-commit mailing list