SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - changes for our ...

zbyniu zbyniu at pld-linux.org
Fri Aug 10 20:39:22 CEST 2007


Author: zbyniu                       Date: Fri Aug 10 18:39:22 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- changes for our kernel, not tested

---- Files affected:
SOURCES:
   linux-2.6-grsec_full.patch (1.1.2.11 -> 1.1.2.12) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.11 SOURCES/linux-2.6-grsec_full.patch:1.1.2.12
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.11	Fri Aug 10 20:31:05 2007
+++ SOURCES/linux-2.6-grsec_full.patch	Fri Aug 10 20:39:17 2007
@@ -38,16 +38,16 @@
 diff -urNp linux-2.6.22.1/arch/alpha/kernel/ptrace.c linux-2.6.22.1/arch/alpha/kernel/ptrace.c
 --- linux-2.6.22.1/arch/alpha/kernel/ptrace.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/alpha/kernel/ptrace.c	2007-08-02 11:09:14.000000000 -0400
-@@ -15,6 +15,7 @@
- #include <linux/slab.h>
+@@ -16,6 +16,7 @@
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/pgtable.h>
-@@ -283,6 +284,9 @@ do_sys_ptrace(long request, long pid, lo
- 		goto out_notsk;
+@@ -289,6 +290,9 @@ do_sys_ptrace(long request, long pid, lo
+ 		goto out;
  	}
  
 +	if (gr_handle_ptrace(child, request))
@@ -5823,10 +5823,10 @@
 diff -urNp linux-2.6.22.1/arch/i386/mm/fault.c linux-2.6.22.1/arch/i386/mm/fault.c
 --- linux-2.6.22.1/arch/i386/mm/fault.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/i386/mm/fault.c	2007-08-02 11:45:43.000000000 -0400
-@@ -25,10 +25,14 @@
- #include <linux/kprobes.h>
+@@ -26,10 +26,14 @@
  #include <linux/uaccess.h>
  #include <linux/kdebug.h>
+ #include <linux/suspend.h>
 +#include <linux/unistd.h>
 +#include <linux/compiler.h>
 +#include <linux/binfmts.h>
@@ -7500,10 +7500,10 @@
 diff -urNp linux-2.6.22.1/arch/ia64/kernel/ptrace.c linux-2.6.22.1/arch/ia64/kernel/ptrace.c
 --- linux-2.6.22.1/arch/ia64/kernel/ptrace.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/ia64/kernel/ptrace.c	2007-08-02 11:09:14.000000000 -0400
-@@ -17,6 +17,7 @@
- #include <linux/security.h>
+@@ -18,6 +18,7 @@
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -7550,10 +7550,10 @@
 diff -urNp linux-2.6.22.1/arch/ia64/mm/fault.c linux-2.6.22.1/arch/ia64/mm/fault.c
 --- linux-2.6.22.1/arch/ia64/mm/fault.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/ia64/mm/fault.c	2007-08-02 11:38:45.000000000 -0400
-@@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
+@@ -11,6 +11,7 @@
  #include <linux/kprobes.h>
  #include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -9115,10 +9115,10 @@
 diff -urNp linux-2.6.22.1/arch/sparc/kernel/ptrace.c linux-2.6.22.1/arch/sparc/kernel/ptrace.c
 --- linux-2.6.22.1/arch/sparc/kernel/ptrace.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/sparc/kernel/ptrace.c	2007-08-02 11:09:14.000000000 -0400
-@@ -19,6 +19,7 @@
- #include <linux/smp_lock.h>
+@@ -20,6 +20,7 @@
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -9495,25 +9495,13 @@
  	BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
  	page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
  
-diff -urNp linux-2.6.22.1/arch/sparc64/kernel/Makefile linux-2.6.22.1/arch/sparc64/kernel/Makefile
---- linux-2.6.22.1/arch/sparc64/kernel/Makefile	2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/arch/sparc64/kernel/Makefile	2007-08-02 11:38:46.000000000 -0400
-@@ -3,7 +3,7 @@
- #
- 
- EXTRA_AFLAGS := -ansi
--EXTRA_CFLAGS := -Werror
-+#EXTRA_CFLAGS := -Werror
- 
- extra-y		:= head.o init_task.o vmlinux.lds
- 
 diff -urNp linux-2.6.22.1/arch/sparc64/kernel/ptrace.c linux-2.6.22.1/arch/sparc64/kernel/ptrace.c
 --- linux-2.6.22.1/arch/sparc64/kernel/ptrace.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/arch/sparc64/kernel/ptrace.c	2007-08-02 11:09:14.000000000 -0400
-@@ -22,6 +22,7 @@
- #include <linux/seccomp.h>
+@@ -23,6 +23,7 @@
  #include <linux/audit.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/asi.h>
@@ -10347,8 +10335,8 @@
  		default:	/* 3: write, present */
  			/* fall through */
 @@ -502,7 +532,14 @@ bad_area_nosemaphore:
- 					tsk->comm, tsk->pid, address, regs->rip,
- 					regs->rsp, error_code);
+ 					tsk->comm, tsk->pid, tsk->xid, address,
+ 					regs->rip, regs->rsp, error_code);
  		}
 -       
 +
@@ -12224,10 +12212,10 @@
 diff -urNp linux-2.6.22.1/fs/binfmt_aout.c linux-2.6.22.1/fs/binfmt_aout.c
 --- linux-2.6.22.1/fs/binfmt_aout.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/binfmt_aout.c	2007-08-02 11:38:47.000000000 -0400
-@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
+@@ -25,6 +25,7 @@
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -12309,9 +12297,9 @@
 --- linux-2.6.22.1/fs/binfmt_elf.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/binfmt_elf.c	2007-08-02 11:38:47.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/random.h>
  #include <linux/elf.h>
  #include <linux/utsname.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -13194,16 +13182,16 @@
 diff -urNp linux-2.6.22.1/fs/exec.c linux-2.6.22.1/fs/exec.c
 --- linux-2.6.22.1/fs/exec.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/exec.c	2007-08-02 11:44:13.000000000 -0400
-@@ -51,6 +51,8 @@
- #include <linux/cn_proc.h>
+@@ -52,6 +52,8 @@
  #include <linux/audit.h>
  #include <linux/signalfd.h>
+ #include <linux/vs_memory.h>
 +#include <linux/random.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  #include <asm/mmu_context.h>
-@@ -69,6 +71,15 @@ EXPORT_SYMBOL(suid_dumpable);
+@@ -70,6 +72,15 @@ EXPORT_SYMBOL(suid_dumpable);
  static struct linux_binfmt *formats;
  static DEFINE_RWLOCK(binfmt_lock);
  
@@ -13219,7 +13207,7 @@
  int register_binfmt(struct linux_binfmt * fmt)
  {
  	struct linux_binfmt ** tmp = &formats;
-@@ -308,7 +319,7 @@ EXPORT_SYMBOL(copy_strings_kernel);
+@@ -309,7 +320,7 @@ EXPORT_SYMBOL(copy_strings_kernel);
   *
   * vma->vm_mm->mmap_sem is held for writing.
   */
@@ -13228,7 +13216,7 @@
  			struct page *page, unsigned long address)
  {
  	struct mm_struct *mm = vma->vm_mm;
-@@ -326,6 +337,12 @@ void install_arg_page(struct vm_area_str
+@@ -327,6 +338,12 @@ void install_arg_page(struct vm_area_str
  		pte_unmap_unlock(pte, ptl);
  		goto out;
  	}
@@ -13241,7 +13229,7 @@
  	inc_mm_counter(mm, anon_rss);
  	lru_cache_add_active(page);
  	set_pte_at(mm, address, pte, pte_mkdirty(pte_mkwrite(mk_pte(
-@@ -334,10 +351,42 @@ void install_arg_page(struct vm_area_str
+@@ -335,10 +352,42 @@ void install_arg_page(struct vm_area_str
  	pte_unmap_unlock(pte, ptl);
  
  	/* no need for flush_tlb */
@@ -13285,7 +13273,7 @@
  }
  
  #define EXTRA_STACK_VM_PAGES	20	/* random */
-@@ -352,6 +401,10 @@ int setup_arg_pages(struct linux_binprm 
+@@ -353,6 +402,10 @@ int setup_arg_pages(struct linux_binprm 
  	int i, ret;
  	long arg_size;
  
@@ -13296,7 +13284,7 @@
  #ifdef CONFIG_STACK_GROWSUP
  	/* Move the argument and environment strings to the bottom of the
  	 * stack space.
-@@ -434,26 +487,48 @@ int setup_arg_pages(struct linux_binprm 
+@@ -435,7 +488,7 @@ int setup_arg_pages(struct linux_binprm 
  		else
  			mpnt->vm_flags = VM_STACK_FLAGS;
  		mpnt->vm_flags |= mm->def_flags;
@@ -13305,10 +13293,11 @@
  		if ((ret = insert_vm_struct(mm, mpnt))) {
  			up_write(&mm->mmap_sem);
  			kmem_cache_free(vm_area_cachep, mpnt);
- 			return ret;
- 		}
+@@ -445,17 +498,38 @@ int setup_arg_pages(struct linux_binprm 		
  		mm->stack_vm = mm->total_vm = vma_pages(mpnt);
-+
+ 	}
+ 
+-	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
 +#ifdef CONFIG_PAX_SEGMEXEC
 +		mpnt_m = pax_find_mirror_vma(mpnt);
 +		if (mpnt_m) {
@@ -13317,9 +13306,6 @@
 +		}
 +#endif
 +
- 	}
- 
--	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
 +	for (i = 0 ; i < MAX_ARG_PAGES ; i++, stack_base += PAGE_SIZE) {
  		struct page *page = bprm->page[i];
 -		if (page) {
@@ -13354,7 +13340,7 @@
  }
  
  EXPORT_SYMBOL(setup_arg_pages);
-@@ -489,7 +564,7 @@ struct file *open_exec(const char *name)
+@@ -491,7 +565,7 @@ struct file *open_exec(const char *name)
  		file = ERR_PTR(-EACCES);
  		if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
  		    S_ISREG(inode->i_mode)) {
@@ -13363,7 +13349,7 @@
  			file = ERR_PTR(err);
  			if (!err) {
  				file = nameidata_to_filp(&nd, O_RDONLY);
-@@ -1156,6 +1231,11 @@ int do_execve(char * filename,
+@@ -1158,6 +1232,11 @@ int do_execve(char * filename,
  	struct file *file;
  	int retval;
  	int i;
@@ -13375,7 +13361,7 @@
  
  	retval = -ENOMEM;
  	bprm = kzalloc(sizeof(*bprm), GFP_KERNEL);
-@@ -1167,10 +1247,29 @@ int do_execve(char * filename,
+@@ -1169,10 +1248,29 @@ int do_execve(char * filename,
  	if (IS_ERR(file))
  		goto out_kfree;
  
@@ -13405,7 +13391,7 @@
  	bprm->file = file;
  	bprm->filename = filename;
  	bprm->interp = filename;
-@@ -1212,8 +1311,38 @@ int do_execve(char * filename,
+@@ -1214,8 +1312,38 @@ int do_execve(char * filename,
  	if (retval < 0)
  		goto out;
  
@@ -13444,7 +13430,7 @@
  		free_arg_pages(bprm);
  
  		/* execve success */
-@@ -1223,6 +1352,14 @@ int do_execve(char * filename,
+@@ -1225,6 +1353,14 @@ int do_execve(char * filename,
  		return retval;
  	}
  
@@ -13459,7 +13445,7 @@
  out:
  	/* Something went wrong, return the inode and free the argument pages*/
  	for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
-@@ -1386,6 +1523,114 @@ out:
+@@ -1388,6 +1524,114 @@ out:
  	return ispipe;
  }
  
@@ -13574,7 +13560,7 @@
  static void zap_process(struct task_struct *start)
  {
  	struct task_struct *t;
-@@ -1528,6 +1773,10 @@ int do_coredump(long signr, int exit_cod
+@@ -1530,6 +1774,10 @@ int do_coredump(long signr, int exit_cod
  	 */
  	clear_thread_flag(TIF_SIGPENDING);
  
@@ -13588,7 +13574,7 @@
 diff -urNp linux-2.6.22.1/fs/ext2/balloc.c linux-2.6.22.1/fs/ext2/balloc.c
 --- linux-2.6.22.1/fs/ext2/balloc.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/ext2/balloc.c	2007-08-02 11:09:15.000000000 -0400
-@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
+@@ -114,7 +114,7 @@ static int reserve_blocks(struct super_b
  	if (free_blocks < count)
  		count = free_blocks;
  
@@ -13597,22 +13583,10 @@
  	    sbi->s_resuid != current->fsuid &&
  	    (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
  		/*
-diff -urNp linux-2.6.22.1/fs/ext3/balloc.c linux-2.6.22.1/fs/ext3/balloc.c
---- linux-2.6.22.1/fs/ext3/balloc.c	2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/fs/ext3/balloc.c	2007-08-02 11:09:15.000000000 -0400
-@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
- 
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
- 		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
 diff -urNp linux-2.6.22.1/fs/ext3/xattr.c linux-2.6.22.1/fs/ext3/xattr.c
 --- linux-2.6.22.1/fs/ext3/xattr.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/ext3/xattr.c	2007-08-02 11:38:47.000000000 -0400
-@@ -89,8 +89,8 @@
+@@ -90,8 +90,8 @@
  		printk("\n"); \
  	} while (0)
  #else
@@ -13623,30 +13597,18 @@
  #endif
  
  static void ext3_xattr_cache_insert(struct buffer_head *);
-diff -urNp linux-2.6.22.1/fs/ext4/balloc.c linux-2.6.22.1/fs/ext4/balloc.c
---- linux-2.6.22.1/fs/ext4/balloc.c	2007-07-10 14:56:30.000000000 -0400
-+++ linux-2.6.22.1/fs/ext4/balloc.c	2007-08-02 11:09:15.000000000 -0400
-@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
- 
- 	free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- 	root_blocks = ext4_r_blocks_count(sbi->s_es);
--	if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+	if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
- 		sbi->s_resuid != current->fsuid &&
- 		(sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- 		return 0;
 diff -urNp linux-2.6.22.1/fs/fcntl.c linux-2.6.22.1/fs/fcntl.c
 --- linux-2.6.22.1/fs/fcntl.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/fcntl.c	2007-08-02 11:09:15.000000000 -0400
 @@ -18,6 +18,7 @@
- #include <linux/ptrace.h>
  #include <linux/signal.h>
  #include <linux/rcupdate.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
  #include <asm/siginfo.h>
-@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
+@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
  	struct fdtable *fdt;
  
  	error = -EINVAL;
@@ -13661,7 +13623,7 @@
 +	gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
  	if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
  		goto out;
- 
+ 	if (!vx_files_avail(1))
 @@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
  	struct files_struct * files = current->files;
  	struct fdtable *fdt;
@@ -13709,9 +13671,9 @@
 --- linux-2.6.22.1/fs/namei.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/namei.c	2007-08-02 11:09:15.000000000 -0400
 @@ -31,6 +31,7 @@
- #include <linux/file.h>
- #include <linux/fcntl.h>
- #include <linux/namei.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -13868,7 +13830,7 @@
 +
  	if (!IS_POSIXACL(nd.dentry->d_inode))
  		mode &= ~current->fs->umask;
- 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+ 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13901,7 +13863,7 @@
 +			goto dput_exit2;
 +		}
 +	}
- 	error = vfs_rmdir(nd.dentry->d_inode, dentry);
+ 	error = vfs_rmdir(nd.dentry->d_inode, dentry, &nd);
 +	if (!error && (saved_dev || saved_ino))
 +		gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -13937,10 +13899,10 @@
 +				error = -EACCES;
 +
  			atomic_inc(&inode->i_count);
--		error = vfs_unlink(nd.dentry->d_inode, dentry);
+-		error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		}
 +		if (!error)
-+			error = vfs_unlink(nd.dentry->d_inode, dentry);
++			error = vfs_unlink(nd.dentry->d_inode, dentry, &nd);
 +		if (!error && (saved_ino || saved_dev))
 +			gr_handle_delete(saved_ino, saved_dev);
  	exit2:
@@ -13955,7 +13917,7 @@
 +		goto out_dput_unlock;
 +	}
 +
- 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
+ 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO, &nd);
 +
 +	if (!error)
 +		gr_handle_create(dentry, nd.mnt);
@@ -13981,7 +13943,7 @@
 +		goto out_unlock_dput;
 +	}
 +
- 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+ 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry, &nd);
 +
 +	if (!error)
 +		gr_handle_create(new_dentry, nd.mnt);
@@ -14011,9 +13973,9 @@
 --- linux-2.6.22.1/fs/namespace.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/namespace.c	2007-08-02 11:09:15.000000000 -0400
 @@ -25,6 +25,7 @@
- #include <linux/security.h>
- #include <linux/mount.h>
- #include <linux/ramfs.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -14403,9 +14365,9 @@
 --- linux-2.6.22.1/fs/open.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/open.c	2007-08-02 11:09:15.000000000 -0400
 @@ -26,6 +26,7 @@
- #include <linux/syscalls.h>
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -14515,15 +14477,6 @@
  	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
  	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
  	error = notify_change(nd.dentry, &newattrs);
-@@ -570,7 +619,7 @@ asmlinkage long sys_chmod(const char __u
- 	return sys_fchmodat(AT_FDCWD, filename, mode);
- }
- 
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- 	struct inode * inode;
- 	int error;
 @@ -587,6 +636,12 @@ static int chown_common(struct dentry * 
  	error = -EPERM;
  	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
@@ -14537,42 +14490,6 @@
  	newattrs.ia_valid =  ATTR_CTIME;
  	if (user != (uid_t) -1) {
  		newattrs.ia_valid |= ATTR_UID;
-@@ -613,7 +668,7 @@ asmlinkage long sys_chown(const char __u
- 	error = user_path_walk(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -633,7 +688,7 @@ asmlinkage long sys_fchownat(int dfd, co
- 	error = __user_walk_fd(dfd, filename, follow, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -647,7 +702,7 @@ asmlinkage long sys_lchown(const char __
- 	error = user_path_walk_link(filename, &nd);
- 	if (error)
- 		goto out;
--	error = chown_common(nd.dentry, user, group);
-+	error = chown_common(nd.dentry, user, group, nd.mnt);
- 	path_release(&nd);
- out:
- 	return error;
-@@ -666,7 +721,7 @@ asmlinkage long sys_fchown(unsigned int 
- 
- 	dentry = file->f_path.dentry;
- 	audit_inode(NULL, dentry->d_inode);
--	error = chown_common(dentry, user, group);
-+	error = chown_common(dentry, user, group, file->f_vfsmnt);
- 	fput(file);
- out:
- 	return error;
 @@ -873,6 +928,7 @@ repeat:
  	 * N.B. For clone tasks sharing a files structure, this test
  	 * will limit the total number of files that can be opened.
@@ -14706,13 +14623,13 @@
 --- linux-2.6.22.1/fs/proc/base.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/proc/base.c	2007-08-02 11:38:47.000000000 -0400
 @@ -73,6 +73,7 @@
- #include <linux/poll.h>
- #include <linux/nsproxy.h>
  #include <linux/oom.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
+ 
  #include "internal.h"
  
- /* NOTE:
 @@ -123,7 +124,7 @@ struct pid_entry {
  		NULL, &proc_info_file_operations,	\
  		{ .proc_read = &proc_##OTYPE } )
@@ -14770,7 +14687,7 @@
  		goto out;
  
  	copied = -ENOMEM;
-@@ -1047,7 +1050,11 @@ static struct inode *proc_pid_make_inode
+@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
  	inode->i_gid = 0;
  	if (task_dumpable(task)) {
  		inode->i_uid = task->euid;
@@ -14780,8 +14697,8 @@
  		inode->i_gid = task->egid;
 +#endif
  	}
- 	security_task_to_inode(task, inode);
- 
+ 	/* procfs is xid tagged */
+ 	inode->i_tag = (tag_t)vx_task_xid(task);
 @@ -1063,17 +1070,45 @@ static int pid_getattr(struct vfsmount *
  {
  	struct inode *inode = dentry->d_inode;
@@ -14884,8 +14801,8 @@
  			if (!files)
  				goto out;
 @@ -1595,6 +1651,9 @@ static struct dentry *proc_pident_lookup
- 	if (!task)
- 		goto out_no_task;
+ 		!memcmp(dentry->d_name.name, "ninfo", 5)))
+ 		goto out;
  
 +	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
 +		goto out;
@@ -14953,7 +14870,7 @@
 @@ -2208,6 +2287,9 @@ int proc_pid_readdir(struct file * filp,
  {
  	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +	struct task_struct *tmp = current;
 +#endif
@@ -14977,8 +14894,8 @@
 +			continue;
 +
  		filp->f_pos = tgid + TGID_OFFSET;
- 		if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
- 			put_task_struct(task);
+ 		if (!vx_proc_task_visible(task))
+ 			continue;
 diff -urNp linux-2.6.22.1/fs/proc/inode.c linux-2.6.22.1/fs/proc/inode.c
 --- linux-2.6.22.1/fs/proc/inode.c	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/proc/inode.c	2007-08-02 11:09:15.000000000 -0400
@@ -14992,8 +14909,8 @@
  			inode->i_gid = de->gid;
 +#endif
  		}
- 		if (de->size)
- 			inode->i_size = de->size;
+ 		if (de->vx_flags)
+ 			PROC_I(inode)->vx_flags = de->vx_flags;
 diff -urNp linux-2.6.22.1/fs/proc/internal.h linux-2.6.22.1/fs/proc/internal.h
 --- linux-2.6.22.1/fs/proc/internal.h	2007-07-10 14:56:30.000000000 -0400
 +++ linux-2.6.22.1/fs/proc/internal.h	2007-08-02 11:09:15.000000000 -0400
@@ -15152,7 +15069,7 @@
 diff -urNp linux-2.6.22.1/fs/proc/root.c linux-2.6.22.1/fs/proc/root.c
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.11&r2=1.1.2.12&f=u



More information about the pld-cvs-commit mailing list