SOURCES (LINUX_2_6_20): grsecurity-2.1.10-2.6.20.3.patch - updated...

zbyniu zbyniu at pld-linux.org
Sat Mar 24 05:15:54 CET 2007


Author: zbyniu                       Date: Sat Mar 24 04:15:54 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6_20
---- Log message:
- updated for our kernel, not tested

---- Files affected:
SOURCES:
   grsecurity-2.1.10-2.6.20.3.patch (1.1.2.1 -> 1.1.2.2) 

---- Diffs:

================================================================
Index: SOURCES/grsecurity-2.1.10-2.6.20.3.patch
diff -u SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.1 SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.2
--- SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.1	Sat Mar 24 05:12:22 2007
+++ SOURCES/grsecurity-2.1.10-2.6.20.3.patch	Sat Mar 24 05:15:48 2007
@@ -38,16 +38,16 @@
 diff -urNp linux-2.6.20.3/arch/alpha/kernel/ptrace.c linux-2.6.20.3/arch/alpha/kernel/ptrace.c
 --- linux-2.6.20.3/arch/alpha/kernel/ptrace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/alpha/kernel/ptrace.c	2007-03-23 08:11:18.000000000 -0400
-@@ -15,6 +15,7 @@
- #include <linux/slab.h>
+@@ -16,6 +16,7 @@
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/pgtable.h>
 @@ -283,6 +284,9 @@ do_sys_ptrace(long request, long pid, lo
- 		goto out_notsk;
+ 		goto out;
  	}
  
 +	if (gr_handle_ptrace(child, request))
@@ -3393,7 +3393,7 @@
  
  #ifdef CONFIG_EISA
  #include <linux/ioport.h>
-@@ -66,12 +67,7 @@ asmlinkage int system_call(void);
+@@ -68,12 +69,7 @@ asmlinkage int system_call(void);
  /* Do we ignore FPU interrupts ? */
  char ignore_fpu_irq = 0;
  
@@ -3416,7 +3416,7 @@
  			ops->address(data, addr);
  	}
  #endif
-@@ -295,7 +291,7 @@ void show_registers(struct pt_regs *regs
+@@ -297,7 +293,7 @@ void show_registers(struct pt_regs *regs
  
  	esp = (unsigned long) (&regs->esp);
  	savesegment(ss, ss);
@@ -3433,8 +3433,8 @@
 -		regs->xds & 0xffff, regs->xes & 0xffff, ss);
 +	printk(KERN_EMERG "ds: %04x   es: %04x   gs: %04x   ss: %04x\n",
 +		regs->xds & 0xffff, regs->xes & 0xffff, regs->xgs & 0xffff, ss);
- 	printk(KERN_EMERG "Process %.*s (pid: %d, ti=%p task=%p task.ti=%p)",
- 		TASK_COMM_LEN, current->comm, current->pid,
+ 	printk(KERN_EMERG "Process %.*s (pid: %d[#%u], ti=%p task=%p task.ti=%p)",
+ 		TASK_COMM_LEN, current->comm, current->pid, current->xid,
  		current_thread_info(), current, current->thread_info);
 @@ -332,11 +328,11 @@ void show_registers(struct pt_regs *regs
  
@@ -6818,10 +6818,10 @@
 diff -urNp linux-2.6.20.3/arch/ia64/kernel/ptrace.c linux-2.6.20.3/arch/ia64/kernel/ptrace.c
 --- linux-2.6.20.3/arch/ia64/kernel/ptrace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/ia64/kernel/ptrace.c	2007-03-23 08:11:18.000000000 -0400
-@@ -17,6 +17,7 @@
- #include <linux/security.h>
+@@ -18,6 +18,7 @@
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -6869,14 +6869,14 @@
 --- linux-2.6.20.3/arch/ia64/mm/fault.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/ia64/mm/fault.c	2007-03-23 08:10:06.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/smp_lock.h>
  #include <linux/interrupt.h>
  #include <linux/kprobes.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
  #include <asm/processor.h>
-@@ -85,6 +86,23 @@ mapped_kernel_page_is_present (unsigned 
+@@ -86,6 +87,23 @@ mapped_kernel_page_is_present (unsigned 
  	return pte_present(pte);
  }
  
@@ -6900,7 +6900,7 @@
  void __kprobes
  ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
  {
-@@ -152,9 +170,23 @@ ia64_do_page_fault (unsigned long addres
+@@ -153,9 +171,23 @@ ia64_do_page_fault (unsigned long addres
  	mask = (  (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
  		| (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
  
@@ -8533,10 +8533,10 @@
 diff -urNp linux-2.6.20.3/arch/sparc/kernel/ptrace.c linux-2.6.20.3/arch/sparc/kernel/ptrace.c
 --- linux-2.6.20.3/arch/sparc/kernel/ptrace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/sparc/kernel/ptrace.c	2007-03-23 08:11:18.000000000 -0400
-@@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
+@@ -20,6 +20,7 @@
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -8940,10 +8940,10 @@
 diff -urNp linux-2.6.20.3/arch/sparc64/kernel/ptrace.c linux-2.6.20.3/arch/sparc64/kernel/ptrace.c
 --- linux-2.6.20.3/arch/sparc64/kernel/ptrace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/sparc64/kernel/ptrace.c	2007-03-23 08:11:31.000000000 -0400
-@@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
+@@ -23,6 +23,7 @@
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/asi.h>
@@ -11616,10 +11616,10 @@
 diff -urNp linux-2.6.20.3/fs/binfmt_aout.c linux-2.6.20.3/fs/binfmt_aout.c
 --- linux-2.6.20.3/fs/binfmt_aout.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/binfmt_aout.c	2007-03-23 08:11:31.000000000 -0400
-@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
+@@ -25,6 +25,7 @@
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -11700,10 +11700,10 @@
 diff -urNp linux-2.6.20.3/fs/binfmt_elf.c linux-2.6.20.3/fs/binfmt_elf.c
 --- linux-2.6.20.3/fs/binfmt_elf.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/binfmt_elf.c	2007-03-23 08:11:31.000000000 -0400
-@@ -39,10 +39,16 @@
- #include <linux/syscalls.h>
+@@ -40,10 +40,16 @@
  #include <linux/random.h>
  #include <linux/elf.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -12617,16 +12617,16 @@
 diff -urNp linux-2.6.20.3/fs/exec.c linux-2.6.20.3/fs/exec.c
 --- linux-2.6.20.3/fs/exec.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/exec.c	2007-03-23 08:25:38.000000000 -0400
-@@ -50,6 +50,8 @@
- #include <linux/tsacct_kern.h>
+@@ -51,6 +51,8 @@
  #include <linux/cn_proc.h>
  #include <linux/audit.h>
+ #include <linux/vs_memory.h>
 +#include <linux/random.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/mmu_context.h>
-@@ -68,6 +70,15 @@ EXPORT_SYMBOL(suid_dumpable);
+@@ -69,6 +71,15 @@ EXPORT_SYMBOL(suid_dumpable);
  static struct linux_binfmt *formats;
  static DEFINE_RWLOCK(binfmt_lock);
  
@@ -12686,7 +12686,7 @@
  #ifdef CONFIG_STACK_GROWSUP
  	/* Move the argument and environment strings to the bottom of the
  	 * stack space.
-@@ -405,11 +436,19 @@ int setup_arg_pages(struct linux_binprm 
+@@ -406,11 +437,19 @@ int setup_arg_pages(struct linux_binprm 
  		bprm->loader += stack_base;
  	bprm->exec += stack_base;
  
@@ -12708,7 +12708,7 @@
  
  	down_write(&mm->mmap_sem);
  	{
-@@ -431,13 +470,50 @@ int setup_arg_pages(struct linux_binprm 
+@@ -432,14 +471,51 @@ int setup_arg_pages(struct linux_binprm
  		else
  			mpnt->vm_flags = VM_STACK_FLAGS;
  		mpnt->vm_flags |= mm->def_flags;
@@ -12732,7 +12732,8 @@
 +
  			return ret;
  		}
- 		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ 		vx_vmpages_sub(mm, mm->total_vm - vma_pages(mpnt));
+ 		mm->stack_vm = mm->total_vm;
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +		if (mpnt_m) {
@@ -12760,7 +12761,7 @@
  	}
  
  	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
-@@ -445,6 +521,14 @@ int setup_arg_pages(struct linux_binprm 
+@@ -545,6 +621,14 @@ int setup_arg_pages(struct linux_binprm 
  		if (page) {
  			bprm->page[i] = NULL;
  			install_arg_page(mpnt, page, stack_base);
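Review bot: The rewritten inner header `@@ -545,6 +621,14 @@` looks like a typo. The preceding hunk in the same function moved from `-431,13 +470,50` to `-432,14 +471,51`, so this one would be expected near old-side line 446, not 545. patch(1) will probably still place it by searching for the context at an offset, but since the log message says the update is untested, the header should be regenerated from a real diff against the target tree and the applied position in setup_arg_pages checked. The added lines of this inner hunk lie beyond the context shown here.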
@@ -13012,15 +13013,15 @@
 diff -urNp linux-2.6.20.3/fs/ext3/balloc.c linux-2.6.20.3/fs/ext3/balloc.c
 --- linux-2.6.20.3/fs/ext3/balloc.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/ext3/balloc.c	2007-03-23 08:11:31.000000000 -0400
-@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1373,7 +1373,7 @@ static int ext3_has_free_blocks(struct e
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.20.3/fs/ext3/xattr.c linux-2.6.20.3/fs/ext3/xattr.c
 --- linux-2.6.20.3/fs/ext3/xattr.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/ext3/xattr.c	2007-03-23 08:10:06.000000000 -0400
@@ -13038,22 +13039,22 @@
 diff -urNp linux-2.6.20.3/fs/ext4/balloc.c linux-2.6.20.3/fs/ext4/balloc.c
 --- linux-2.6.20.3/fs/ext4/balloc.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/ext4/balloc.c	2007-03-23 08:11:31.000000000 -0400
-@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1390,7 +1390,7 @@ static int ext4_has_free_blocks(struct s
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = ext4_r_blocks_count(sbi->s_es);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.20.3/fs/fcntl.c linux-2.6.20.3/fs/fcntl.c
 --- linux-2.6.20.3/fs/fcntl.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/fcntl.c	2007-03-23 08:11:31.000000000 -0400
-@@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
+@@ -19,6 +19,7 @@
  #include <linux/signal.h>
  #include <linux/rcupdate.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -13121,9 +13122,9 @@
 --- linux-2.6.20.3/fs/namei.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/namei.c	2007-03-23 08:11:31.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -13280,7 +13281,7 @@
 +
  	if (!IS_POSIXACL(nd.dentry->d_inode))
  		mode &= ~current->fs->umask;
- 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13313,7 +13314,7 @@
 +			goto dput_exit2;
 +		}
 +	}
- 	error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ 	error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +	if (!error && (saved_dev || saved_ino))
 +		gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -13349,10 +13350,10 @@
 +				error = -EACCES;
 +
  			atomic_inc(&inode->i_count);
--		error = vfs_unlink(nd.dentry->d_inode, dentry);
+-		error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		}
 +		if (!error)
-+			error = vfs_unlink(nd.dentry->d_inode, dentry);
++			error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_ino || saved_dev))
 +			gr_handle_delete(saved_ino, saved_dev);
  	exit2:
@@ -13367,7 +13368,7 @@
 +		goto out_dput_unlock;
 +	}
 +
- 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13393,7 +13394,7 @@
 +		goto out_unlock_dput;
 +	}
 +
- 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
 +
 +	if (!error)
 +		gr_handle_create(new_dentry, nd.mnt);
@@ -13423,9 +13424,9 @@
 --- linux-2.6.20.3/fs/namespace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/namespace.c	2007-03-23 08:11:31.000000000 -0400
 @@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -13509,9 +13510,9 @@
 --- linux-2.6.20.3/fs/open.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/open.c	2007-03-23 08:11:31.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/syscalls.h>
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -13527,7 +13528,7 @@
  	newattrs.ia_valid = ATTR_SIZE | time_attrs;
  	if (filp) {
 @@ -398,6 +402,9 @@ asmlinkage long sys_faccessat(int dfd, c
- 	if(IS_RDONLY(nd.dentry->d_inode))
+ 	if(IS_RDONLY(nd.dentry->d_inode) || MNT_IS_RDONLY(nd.mnt))
  		res = -EROFS;
  
 +	if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
@@ -13621,16 +13622,7 @@
  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
  	error = notify_change(nd.dentry, &newattrs);
-@@ -568,7 +617,7 @@ asmlinkage long sys_chmod(const char __u
- 	return sys_fchmodat(AT_FDCWD, filename, mode);
- }
- 
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- 	struct inode * inode;
- 	int error;
-@@ -585,6 +634,12 @@ static int chown_common(struct dentry * 
+@@ -595,6 +644,12 @@ static int chown_common(struct dentry * 
  	error = -EPERM;
  	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
  		goto out;
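Review bot: With the signature hunk dropped, the retained `@@ -595,6 +644,12 @@` hunk in chown_common now relies on a vfsmount being in scope from some other patch. The removed lines added `struct vfsmount *mnt` to chown_common and passed `nd.mnt` or `file->f_vfsmnt` from four callers (those deletions continue in the next hunk), presumably because the target tree already passes one. The six lines that hunk adds are not visible here, so confirm that the identifier they use matches the parameter name in the target tree. A mismatch would only surface at build time.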
@@ -13643,42 +13635,6 @@
  	newattrs.ia_valid =  ATTR_CTIME;
  	if (user != (uid_t) -1) {
  		newattrs.ia_valid |= ATTR_UID;
-@@ -611,7 +666,7 @@ asmlinkage long sys_chown(const char __u
- 	error = user_path_walk(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -631,7 +686,7 @@ asmlinkage long sys_fchownat(int dfd, co
- 	error = __user_walk_fd(dfd, filename, follow, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -645,7 +700,7 @@ asmlinkage long sys_lchown(const char __
- 	error = user_path_walk_link(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -664,7 +719,7 @@ asmlinkage long sys_fchown(unsigned int 
- 
- 	dentry = file->f_path.dentry;
- 	audit_inode(NULL, dentry->d_inode);
--	error = chown_common(dentry, user, group);
-+	error = chown_common(dentry, user, group, file->f_vfsmnt);
- 	fput(file);
- out:
- 	return error;
 @@ -871,6 +926,7 @@ repeat:
  	 * N.B. For clone tasks sharing a files structure, this test
  	 * will limit the total number of files that can be opened.
@@ -13812,13 +13768,13 @@
 --- linux-2.6.20.3/fs/proc/base.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/proc/base.c	2007-03-23 08:11:31.000000000 -0400
 @@ -73,6 +73,7 @@
- #include <linux/poll.h>
- #include <linux/nsproxy.h>
  #include <linux/oom.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
+ 
  #include "internal.h"
  
- /* NOTE:
 @@ -194,7 +195,7 @@ static int proc_root_link(struct inode *
  	(task->parent == current && \
  	(task->ptrace & PT_PTRACED) && \
@@ -13855,7 +13811,7 @@
  		goto out;
  
  	copied = -ENOMEM;
-@@ -1032,7 +1035,11 @@ static struct inode *proc_pid_make_inode
+@@ -1035,7 +1038,11 @@ static struct inode *proc_pid_make_inode
  	inode->i_gid = 0;
  	if (task_dumpable(task)) {
  		inode->i_uid = task->euid;
@@ -13865,8 +13821,8 @@
  		inode->i_gid = task->egid;
 +#endif
  	}
- 	security_task_to_inode(task, inode);
- 
+ 	/* procfs is xid tagged */
+ 	inode->i_tag = (tag_t)vx_task_xid(task);
 @@ -1048,17 +1055,45 @@ static int pid_getattr(struct vfsmount *
  {
  	struct inode *inode = dentry->d_inode;
@@ -13914,17 +13870,20 @@
  		}
  	}
  	rcu_read_unlock();
-@@ -1086,11 +1121,26 @@ static int pid_revalidate(struct dentry 
- {
- 	struct inode *inode = dentry->d_inode;
+@@ -1093,15 +1127,29 @@ static int pid_revalidate(struct dentry 
  	struct task_struct *task = get_proc_task(inode);
-+
+ 	int ret = 0;
+ 
 +	if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
 +		put_task_struct(task);
 +		goto out;
 +	}
 +
  	if (task) {
+ 		if (!vx_proc_task_visible(task))
+ 			goto out_put;
+ 
+ 		ret = 1;
  		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
@@ -13941,14 +13900,15 @@
  		} else {
  			inode->i_uid = 0;
  			inode->i_gid = 0;
-@@ -1100,6 +1150,7 @@ static int pid_revalidate(struct dentry 
+@@ -1111,6 +1159,8 @@ static int pid_revalidate(struct dentry 
+ 	out_put:
  		put_task_struct(task);
- 		return 1;
  	}
++
 +out:
- 	d_drop(dentry);
- 	return 0;
- }
+ 	if (!ret)
+ 		d_drop(dentry);
+ 	return ret;
 @@ -1336,6 +1387,9 @@ static struct dentry *proc_lookupfd(stru
  	if (fd == ~0U)
  		goto out;
@@ -13968,8 +13928,8 @@
  			files = get_files_struct(p);
  			if (!files)
  				goto out;
-@@ -1467,6 +1523,9 @@ static struct dentry *proc_pident_lookup
- 	if (!task)
+@@ -1486,6 +1542,9 @@ static struct dentry *proc_pident_lookup
+ 		!memcmp(dentry->d_name.name, "ninfo", 5)))
  		goto out_no_task;
  
 +	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
@@ -13978,7 +13938,7 @@
  	/*
  	 * Yes, it does not scale. And it should not. Don't add
  	 * new entries into /proc/<tgid>/ without very good reasons.
-@@ -1512,6 +1571,9 @@ static int proc_pident_readdir(struct fi
+@@ -1531,6 +1590,9 @@ static int proc_pident_readdir(struct fi
  	if (!task)
  		goto out_no_task;
  
@@ -14023,7 +13983,7 @@
  	inode->i_op = &proc_tgid_base_inode_operations;
  	inode->i_fop = &proc_tgid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -2025,7 +2100,11 @@ struct dentry *proc_pid_lookup(struct in
+@@ -2049,7 +2124,11 @@ struct dentry *proc_pid_lookup(struct in
  	if (!task)
  		goto out;
  
@@ -14038,7 +13998,7 @@
 @@ -2083,6 +2162,9 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
@@ -14193,9 +14153,9 @@
 +#else
  	proc_bus = proc_mkdir("bus", NULL);
 +#endif
+ 	proc_vx_init();
  }
  
- static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
 diff -urNp linux-2.6.20.3/fs/proc/task_mmu.c linux-2.6.20.3/fs/proc/task_mmu.c
 --- linux-2.6.20.3/fs/proc/task_mmu.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/proc/task_mmu.c	2007-03-23 08:21:11.000000000 -0400
@@ -14530,10 +14490,10 @@
 diff -urNp linux-2.6.20.3/fs/utimes.c linux-2.6.20.3/fs/utimes.c
 --- linux-2.6.20.3/fs/utimes.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/utimes.c	2007-03-23 08:11:31.000000000 -0400
-@@ -4,6 +4,7 @@
- #include <linux/namei.h>
+@@ -5,6 +5,7 @@
  #include <linux/sched.h>
  #include <linux/utime.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -21684,14 +21644,14 @@
 +{
 +#ifdef CONFIG_GRKERNSEC
 +	if (!gr_acl_is_enabled())
-+		return current->cap_effective;
-+	else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
++		return vx_mbcap(cap_effective);;
++	else if (cap_raised(vx_mbcap(cap_effective);, CAP_NET_ADMIN) &&
 +		 gr_task_is_capable(current, CAP_NET_ADMIN))
-+		return current->cap_effective;
++		vx_mbcap(cap_effective);;
 +	else
 +		return 0;
 +#else
-+	return current->cap_effective;
++	vx_mbcap(cap_effective);
 +#endif
 +}
 diff -urNp linux-2.6.20.3/grsecurity/grsec_sysctl.c linux-2.6.20.3/grsecurity/grsec_sysctl.c
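Review bot: The four rewritten lines in this capability helper are no longer valid C, and two of them lose their `return`. In `return vx_mbcap(cap_effective);;` the extra `;` is an empty statement between the `if` body and the following `else if`, and `cap_raised(vx_mbcap(cap_effective);, CAP_NET_ADMIN)` has a `;` inside the argument list, so a CONFIG_GRKERNSEC build should fail here. The `else if` branch and the `#else` branch are now bare `vx_mbcap(cap_effective);` statements, so if that `#else` configuration is built, the function ends without returning a capability mask. All four should read `return vx_mbcap(cap_effective);`, with the condition written as `cap_raised(vx_mbcap(cap_effective), CAP_NET_ADMIN)`. The function's signature lies above the hunk.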
@@ -23590,7 +23550,7 @@
 +#ifdef CONFIG_PAX_SEGMEXEC
 +#define ELF_ET_DYN_BASE         ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
 +#else
- #define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
+ #define ELF_ET_DYN_BASE		((TASK_UNMAPPED_BASE) * 2)
 +#endif
 +
 +#ifdef CONFIG_PAX_ASLR
@@ -27020,30 +26980,6 @@
  	sys_close(fd);
  	if (len <= 0 || len == 32 || buf[len - 1] != '\n')
  		goto fail;
-@@ -142,8 +144,8 @@ dev_t name_to_dev_t(char *name)
- 	int part;
- 
- #ifdef CONFIG_SYSFS
--	int mkdir_err = sys_mkdir("/sys", 0700);
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/grsecurity-2.1.10-2.6.20.3.patch?r1=1.1.2.1&r2=1.1.2.2&f=u


