SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - vserver related ...

mguevara mguevara at pld-linux.org
Fri May 4 13:33:35 CEST 2007


Author: mguevara                     Date: Fri May  4 11:33:35 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- vserver-related changes

---- Files affected:
SOURCES:
   linux-2.6-grsec_full.patch (1.1.2.3 -> 1.1.2.4) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.3 SOURCES/linux-2.6-grsec_full.patch:1.1.2.4
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.3	Thu May  3 14:48:36 2007
+++ SOURCES/linux-2.6-grsec_full.patch	Fri May  4 13:33:29 2007
@@ -39,9 +39,9 @@
 --- linux-2.6.21/arch/alpha/kernel/ptrace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/arch/alpha/kernel/ptrace.c	2007-04-29 22:41:26.000000000 -0400
 @@ -15,6 +15,7 @@
- #include <linux/slab.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
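Review bot: The context line `#include <linux/vs_base.h>` now placed ahead of `+#include <linux/grsecurity.h>` (and the matching vs_*.h context lines in the other include hunks of this commit) means the patch only applies on a tree that already carries the vserver patch, and neither the log message nor the patch file records that ordering. A leading comment in the patch file, e.g. `# applies on top of the vserver patch: context lines reference linux/vs_*.h`, would document the dependency, since patch(1) ignores text outside hunks.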
@@ -6835,9 +6835,9 @@
 --- linux-2.6.21/arch/ia64/kernel/ptrace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/arch/ia64/kernel/ptrace.c	2007-04-29 22:41:26.000000000 -0400
 @@ -17,6 +17,7 @@
- #include <linux/security.h>
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -6885,9 +6885,9 @@
 --- linux-2.6.21/arch/ia64/mm/fault.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/arch/ia64/mm/fault.c	2007-04-30 17:07:41.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/smp_lock.h>
  #include <linux/interrupt.h>
  #include <linux/kprobes.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -8555,9 +8555,9 @@
 --- linux-2.6.21/arch/sparc/kernel/ptrace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/arch/sparc/kernel/ptrace.c	2007-04-29 22:41:26.000000000 -0400
 @@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -8950,9 +8950,9 @@
 --- linux-2.6.21/arch/sparc64/kernel/ptrace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/arch/sparc64/kernel/ptrace.c	2007-04-29 22:41:26.000000000 -0400
 @@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/asi.h>
@@ -11649,9 +11649,9 @@
 --- linux-2.6.21/fs/binfmt_aout.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/binfmt_aout.c	2007-04-30 17:07:42.000000000 -0400
 @@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -11733,9 +11733,9 @@
 --- linux-2.6.21/fs/binfmt_elf.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/binfmt_elf.c	2007-04-30 17:07:42.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/syscalls.h>
  #include <linux/random.h>
  #include <linux/elf.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -12553,9 +12553,9 @@
 --- linux-2.6.21/fs/exec.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/exec.c	2007-04-30 17:18:13.000000000 -0400
 @@ -50,6 +50,8 @@
- #include <linux/tsacct_kern.h>
  #include <linux/cn_proc.h>
  #include <linux/audit.h>
+ #include <linux/vs_memory.h>
 +#include <linux/random.h>
 +#include <linux/grsecurity.h>
  
@@ -12638,7 +12638,7 @@
  	down_write(&mm->mmap_sem);
  	{
  		mpnt->vm_mm = mm;
-@@ -429,13 +470,50 @@ int setup_arg_pages(struct linux_binprm 
+@@ -429,14 +470,51 @@ int setup_arg_pages(struct linux_binprm 
  		else
  			mpnt->vm_flags = VM_STACK_FLAGS;
  		mpnt->vm_flags |= mm->def_flags;
@@ -12662,7 +12662,8 @@
 +
  			return ret;
  		}
- 		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ 		vx_vmpages_sub(mm, mm->total_vm - vma_pages(mpnt));
+ 		mm->stack_vm = mm->total_vm;
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +		if (mpnt_m) {
@@ -12942,15 +12943,15 @@
 diff -urNp linux-2.6.21/fs/ext3/balloc.c linux-2.6.21/fs/ext3/balloc.c
 --- linux-2.6.21/fs/ext3/balloc.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/ext3/balloc.c	2007-04-29 22:41:27.000000000 -0400
-@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1373,7 +1373,7 @@ static int ext3_has_free_blocks(struct e
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.21/fs/ext3/xattr.c linux-2.6.21/fs/ext3/xattr.c
 --- linux-2.6.21/fs/ext3/xattr.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/ext3/xattr.c	2007-04-30 17:07:43.000000000 -0400
@@ -12968,22 +12969,22 @@
 diff -urNp linux-2.6.21/fs/ext4/balloc.c linux-2.6.21/fs/ext4/balloc.c
 --- linux-2.6.21/fs/ext4/balloc.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/ext4/balloc.c	2007-04-29 22:41:27.000000000 -0400
-@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1390,7 +1390,7 @@ static int ext4_has_free_blocks(struct s
+ 	DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = ext4_r_blocks_count(sbi->s_es);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ 	cond = (free_blocks < root_blocks + 1 &&
+-		!capable(CAP_SYS_RESOURCE) &&
++		!capable_nolog(CAP_SYS_RESOURCE) &&
  		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
+ 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+ 
 diff -urNp linux-2.6.21/fs/fcntl.c linux-2.6.21/fs/fcntl.c
 --- linux-2.6.21/fs/fcntl.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/fcntl.c	2007-04-29 22:41:27.000000000 -0400
 @@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
  #include <linux/signal.h>
  #include <linux/rcupdate.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -13051,9 +13052,9 @@
 --- linux-2.6.21/fs/namei.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/namei.c	2007-04-29 22:41:27.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -13210,7 +13211,7 @@
 +
  	if (!IS_POSIXACL(nd.dentry->d_inode))
  		mode &= ~current->fs->umask;
- 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13243,7 +13244,7 @@
 +			goto dput_exit2;
 +		}
 +	}
- 	error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ 	error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +	if (!error && (saved_dev || saved_ino))
 +		gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -13279,10 +13280,10 @@
 +				error = -EACCES;
 +
  			atomic_inc(&inode->i_count);
--		error = vfs_unlink(nd.dentry->d_inode, dentry);
+-		error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		}
 +		if (!error)
-+			error = vfs_unlink(nd.dentry->d_inode, dentry);
++			error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_ino || saved_dev))
 +			gr_handle_delete(saved_ino, saved_dev);
  	exit2:
@@ -13297,7 +13298,7 @@
 +		goto out_dput_unlock;
 +	}
 +
- 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13323,7 +13324,7 @@
 +		goto out_unlock_dput;
 +	}
 +
- 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
 +
 +	if (!error)
 +		gr_handle_create(new_dentry, nd.mnt);
@@ -13353,9 +13354,9 @@
 --- linux-2.6.21/fs/namespace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/namespace.c	2007-04-29 22:41:27.000000000 -0400
 @@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -13439,9 +13440,9 @@
 --- linux-2.6.21/fs/open.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/open.c	2007-04-29 22:41:27.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/syscalls.h>
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -13551,15 +13552,6 @@
  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
  	error = notify_change(nd.dentry, &newattrs);
-@@ -568,7 +617,7 @@ asmlinkage long sys_chmod(const char __u
- 	return sys_fchmodat(AT_FDCWD, filename, mode);
- }
- 
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- 	struct inode * inode;
- 	int error;
 @@ -585,6 +634,12 @@ static int chown_common(struct dentry * 
  	error = -EPERM;
  	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
@@ -13573,42 +13565,6 @@
  	newattrs.ia_valid =  ATTR_CTIME;
  	if (user != (uid_t) -1) {
  		newattrs.ia_valid |= ATTR_UID;
-@@ -611,7 +666,7 @@ asmlinkage long sys_chown(const char __u
- 	error = user_path_walk(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -631,7 +686,7 @@ asmlinkage long sys_fchownat(int dfd, co
- 	error = __user_walk_fd(dfd, filename, follow, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -645,7 +700,7 @@ asmlinkage long sys_lchown(const char __
- 	error = user_path_walk_link(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -664,7 +719,7 @@ asmlinkage long sys_fchown(unsigned int 
- 
- 	dentry = file->f_path.dentry;
- 	audit_inode(NULL, dentry->d_inode);
--	error = chown_common(dentry, user, group);
-+	error = chown_common(dentry, user, group, file->f_vfsmnt);
- 	fput(file);
- out:
- 	return error;
 @@ -871,6 +926,7 @@ repeat:
  	 * N.B. For clone tasks sharing a files structure, this test
  	 * will limit the total number of files that can be opened.
@@ -13742,13 +13698,13 @@
 --- linux-2.6.21/fs/proc/base.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/proc/base.c	2007-04-29 22:41:27.000000000 -0400
 @@ -73,6 +73,7 @@
- #include <linux/poll.h>
- #include <linux/nsproxy.h>
  #include <linux/oom.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
+ 
  #include "internal.h"
  
- /* NOTE:
 @@ -194,7 +195,7 @@ static int proc_root_link(struct inode *
  	(task->parent == current && \
  	(task->ptrace & PT_PTRACED) && \
@@ -13968,7 +13924,7 @@
 @@ -2078,6 +2157,9 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
@@ -14123,9 +14079,9 @@
 +#else
  	proc_bus = proc_mkdir("bus", NULL);
 +#endif
+ 	proc_vx_init();
  	proc_sys_init();
  }
- 
 diff -urNp linux-2.6.21/fs/proc/task_mmu.c linux-2.6.21/fs/proc/task_mmu.c
 --- linux-2.6.21/fs/proc/task_mmu.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/proc/task_mmu.c	2007-04-30 17:07:43.000000000 -0400
@@ -14461,9 +14417,9 @@
 --- linux-2.6.21/fs/utimes.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/fs/utimes.c	2007-04-29 22:41:27.000000000 -0400
 @@ -4,6 +4,7 @@
- #include <linux/namei.h>
- #include <linux/sched.h>
  #include <linux/utime.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -27254,9 +27210,9 @@
 --- linux-2.6.21/ipc/msg.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/ipc/msg.c	2007-04-29 22:41:28.000000000 -0400
 @@ -36,6 +36,7 @@
- #include <linux/seq_file.h>
  #include <linux/mutex.h>
  #include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/current.h>
@@ -27282,9 +27238,9 @@
 --- linux-2.6.21/ipc/sem.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/ipc/sem.c	2007-04-29 22:41:28.000000000 -0400
 @@ -83,6 +83,7 @@
- #include <linux/seq_file.h>
- #include <linux/mutex.h>
  #include <linux/nsproxy.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -27311,9 +27267,9 @@
 --- linux-2.6.21/ipc/shm.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/ipc/shm.c	2007-04-29 23:12:21.000000000 -0400
 @@ -38,6 +38,7 @@
- #include <linux/mutex.h>
- #include <linux/nsproxy.h>
  #include <linux/mount.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -27445,9 +27401,9 @@
 --- linux-2.6.21/kernel/capability.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/capability.c	2007-04-29 22:41:28.000000000 -0400
 @@ -12,6 +12,7 @@
- #include <linux/module.h>
  #include <linux/security.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  
@@ -27508,9 +27464,9 @@
 --- linux-2.6.21/kernel/exit.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/exit.c	2007-04-29 22:41:30.000000000 -0400
 @@ -42,6 +42,11 @@
- #include <linux/audit.h> /* for audit_free() */
- #include <linux/resource.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
 +
 +#ifdef CONFIG_GRKERNSEC
@@ -27590,9 +27546,9 @@
 --- linux-2.6.21/kernel/fork.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/fork.c	2007-04-30 17:07:43.000000000 -0400
 @@ -49,6 +49,7 @@
- #include <linux/delayacct.h>
- #include <linux/taskstats_kern.h>
- #include <linux/random.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -27627,15 +27583,15 @@
  
  	if (likely(!mm_alloc_pgd(mm))) {
 @@ -993,6 +994,9 @@ static struct task_struct *copy_process(
- 	DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
- #endif
+ 	}
+ 
  	retval = -EAGAIN;
 +
 +	gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
 +
- 	if (atomic_read(&p->user->processes) >=
- 			p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
- 		if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ 	if (!vx_nproc_avail(1))
+ 		goto bad_fork_cleanup_vm;
+ 
 @@ -1128,6 +1132,8 @@ static struct task_struct *copy_process(
  	if (retval)
  		goto bad_fork_cleanup_namespaces;
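Review bot: In copy_process the `gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);` call now sits before the vserver `if (!vx_nproc_avail(1))` gate rather than immediately before the RLIMIT_NPROC comparison it was written for, which no longer lies within the hunk. Learning therefore records the attempt even when vserver rejects the fork; if that is intended, a comment such as `/* learn NPROC use before either the vserver or the rlimit gate can reject the fork */` would make the placement deliberate. copy_process continues outside the hunk.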
@@ -28207,9 +28163,9 @@
 --- linux-2.6.21/kernel/pid.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/pid.c	2007-04-30 17:07:43.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/bootmem.h>
  #include <linux/hash.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_pid.h>
 +#include <linux/grsecurity.h>
  
  #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
@@ -28223,22 +28179,15 @@
  
  int pid_max_min = RESERVED_PIDS + 1;
  int pid_max_max = PID_MAX_LIMIT;
-@@ -304,7 +305,14 @@ struct task_struct * fastcall pid_task(s
-  */
- struct task_struct *find_task_by_pid_type(int type, int nr)
- {
--	return pid_task(find_pid(nr), type);
-+	struct task_struct *task;
-+	
-+	task = pid_task(find_pid(nr), type);
-+
+@@ -318,6 +319,8 @@ struct task_struct *find_task_by_pid_typ
+ 		/* maybe VS_WATCH_P in the future? */
+ 		!vx_check(task->xid, VS_WATCH|VS_IDENT))
+ 		return NULL;
 +	if (gr_pid_is_chrooted(task))
 +		return NULL;
-+
-+	return task;
+ 	return task;
  }
  
- EXPORT_SYMBOL(find_task_by_pid_type);
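Review bot: In find_task_by_pid_type the grsec filter `if (gr_pid_is_chrooted(task)) return NULL;` now follows the vserver xid check instead of the `task = pid_task(...)` assignment the previous version of the hunk carried, so its NULL-safety depends on the condition whose first lines lie above the hunk (the visible `!vx_check(task->xid, ...)` already dereferences task, so a NULL guard presumably exists there — confirm). A one-line comment above the new check, `/* grsec: hide tasks outside the caller's chroot, evaluated after the vserver xid filter */`, would record why both filters exist and in which order. The function's opening lies outside the hunk.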
 diff -urNp linux-2.6.21/kernel/posix-cpu-timers.c linux-2.6.21/kernel/posix-cpu-timers.c
 --- linux-2.6.21/kernel/posix-cpu-timers.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/posix-cpu-timers.c	2007-04-29 22:41:30.000000000 -0400
@@ -28274,9 +28223,9 @@
 --- linux-2.6.21/kernel/printk.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/printk.c	2007-04-29 22:41:30.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/syscalls.h>
  #include <linux/jiffies.h>
  #include <linux/suspend.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -28297,9 +28246,9 @@
 --- linux-2.6.21/kernel/ptrace.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/kernel/ptrace.c	2007-04-29 22:41:30.000000000 -0400
 @@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -28398,7 +28347,7 @@
 -	if (increment < 0 && !can_nice(current, nice))
 +	if (increment < 0 && (!can_nice(current, nice) ||
 +			      gr_handle_chroot_nice()))
- 		return -EPERM;
+ 		return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
  	retval = security_task_setnice(current, nice);
 diff -urNp linux-2.6.21/kernel/signal.c linux-2.6.21/kernel/signal.c
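Review bot: In the sys_nice hunk the new return line `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;` now also covers the `gr_handle_chroot_nice()` denial, so in a vserver context with VXF_IGNEG_NICE set a chroot-restricted nice request is refused but reported to the caller as success. The early return still prevents the priority change, so the restriction itself holds, but any logging performed inside gr_handle_chroot_nice (not visible here) would then disagree with the syscall result. Keeping the grsec denial on its own line, `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`, placed before the combined can_nice/VXF_IGNEG_NICE test, preserves the original grsec error reporting. sys_nice starts and ends outside the hunk.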
@@ -28410,21 +28359,25 @@
  #include <linux/pid_namespace.h>
 +#include <linux/grsecurity.h>
  #include <linux/nsproxy.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_pid.h>
+@@ -596,11 +597,11 @@ static int check_kill_permission(int sig
+ 		sig, info, t, vx_task_xid(t), t->pid);
  
- #include <asm/param.h>
-@@ -609,16 +610,18 @@ static int check_kill_permission(int sig
- 		return error;
  	error = -EPERM;
- 	if ((info == SEND_SIG_NOINFO || (!is_si_special(info) && SI_FROMUSER(info)))
--	    && ((sig != SIGCONT) ||
-+	    && ((((sig != SIGCONT) ||
+-	if (((sig != SIGCONT) ||
++	if ((((sig != SIGCONT) ||
  		(process_session(current) != process_session(t)))
  	    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
  	    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
 -	    && !capable(CAP_KILL))
-+	    && !capable(CAP_KILL)) || gr_handle_signal(t, sig)))
++	    && !capable(CAP_KILL)) || gr_handle_signal(t, sig))
  		return error;
  
+ 	error = -ESRCH;
+@@ -612,8 +613,10 @@ static int check_kill_permission(int sig
+ 	}
+ skip:
  	error = security_task_kill(t, info, sig, 0);
 -	if (!error)
 +	if (!error) {
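Review bot: The rewritten condition in check_kill_permission at `if ((((sig != SIGCONT) ||` nests four opening parentheses before the first operand, which makes the precedence between the vserver permission test and the appended `|| gr_handle_signal(t, sig)` hard to audit. The SI_FROMUSER guard that preceded this test in the old version of the hunk is no longer in view; if the vserver restructuring routes kernel-originated signals past this block via the `skip:` label the behaviour is unchanged, but that should be confirmed against the full function. Computing the ordinary denial into a local first keeps the grsec hook visibly separate; `denied` would be declared with the function's other locals, outside the hunk. check_kill_permission starts and ends outside the hunk.
```c
	/* … unchanged: vserver xid / pid checks above … */
	denied = ((sig != SIGCONT) ||
		  (process_session(current) != process_session(t)))
		&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
		&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
		&& !capable(CAP_KILL);
	if (denied || gr_handle_signal(t, sig))
		return error;
	/* … unchanged: -ESRCH path, skip: label, security_task_kill … */
```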
@@ -28684,7 +28637,7 @@
 @@ -93,6 +94,9 @@ asmlinkage long sys_stime(time_t __user 
  		return err;
  
- 	do_settimeofday(&tv);
+ 	vx_settimeofday(&tv);
 +
 +	gr_log_timechange();
 +
@@ -29131,9 +29084,9 @@
 --- linux-2.6.21/mm/mlock.c	2007-04-25 23:08:32.000000000 -0400
 +++ linux-2.6.21/mm/mlock.c	2007-04-30 17:07:43.000000000 -0400
 @@ -10,44 +10,46 @@
- #include <linux/mm.h>
  #include <linux/mempolicy.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
 +static int __mlock_fixup(struct vm_area_struct *vma, struct vm_area_struct **prev,
@@ -29217,7 +29170,7 @@
 @@ -66,6 +73,48 @@ success:
  	}
  
- 	mm->locked_vm -= pages;
+ 	vx_vmlocked_sub(mm, pages);
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +	if (vma->vm_flags & VM_MIRROR)
@@ -29311,9 +29264,9 @@
  
  	ret = -ENOMEM;
 +	gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+ 	if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+ 		goto out;
  	if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
- 	    capable(CAP_IPC_LOCK))
- 		ret = do_mlockall(flags);
 diff -urNp linux-2.6.21/mm/mmap.c linux-2.6.21/mm/mmap.c
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.3&r2=1.1.2.4&f=u


