SOURCES (LINUX_2_6): linux-2.6-grsec_full.patch - changes for vs2....
zbyniu
zbyniu at pld-linux.org
Thu Sep 20 15:49:24 CEST 2007
Author: zbyniu Date: Thu Sep 20 13:49:24 2007 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- changes for vs2.3.0.22; cleanups
---- Files affected:
SOURCES:
linux-2.6-grsec_full.patch (1.1.2.20 -> 1.1.2.21)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec_full.patch
diff -u SOURCES/linux-2.6-grsec_full.patch:1.1.2.20 SOURCES/linux-2.6-grsec_full.patch:1.1.2.21
--- SOURCES/linux-2.6-grsec_full.patch:1.1.2.20 Sat Sep 8 17:59:23 2007
+++ SOURCES/linux-2.6-grsec_full.patch Thu Sep 20 15:49:19 2007
@@ -2611,7 +2611,7 @@
/*
@@ -306,7 +308,7 @@ void show_regs(struct pt_regs * regs)
- printk("EIP: %04x:[<%08lx>] CPU: %d\n",0xffff & regs->xcs,regs->eip, smp_processor_id());
+ 0xffff & regs->xcs,regs->eip, smp_processor_id());
print_symbol("EIP is at %s\n", regs->eip);
- if (user_mode_vm(regs))
@@ -9337,7 +9337,7 @@
#include <asm/pgtable.h>
#include <asm/system.h>
@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
- goto out;
+ goto out_tsk;
}
+ if (gr_handle_ptrace(child, request)) {
@@ -9720,7 +9720,7 @@
#include <asm/asi.h>
#include <asm/pgtable.h>
@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
- goto out;
+ goto out_tsk;
}
+ if (gr_handle_ptrace(child, (long)request)) {
@@ -14312,7 +14312,7 @@
+
if (flags & MS_REMOUNT)
retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
- data_page);
+ data_page, tag);
@@ -1441,6 +1452,9 @@ long do_mount(char *dev_name, char *dir_
dev_name, data_page);
dput_out:
@@ -14356,10 +14356,10 @@
+ struct nfs4_exception exception = {0, 0};
int err;
do {
- err = _nfs4_do_open_reclaim(sp, state, dentry);
+ err = _nfs4_do_open_reclaim(ctx, state);
@@ -538,7 +538,7 @@ static int _nfs4_open_delegation_recall(
- int nfs4_open_delegation_recall(struct dentry *dentry, struct nfs4_state *state)
+ int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
{
- struct nfs4_exception exception = { };
+ struct nfs4_exception exception = {0, 0};
@@ -14667,7 +14667,7 @@
newattrs.ia_valid = ATTR_SIZE | time_attrs;
if (filp) {
@@ -400,6 +404,9 @@ asmlinkage long sys_faccessat(int dfd, c
- if(IS_RDONLY(nd.dentry->d_inode))
+ if(IS_RDONLY(nd.dentry->d_inode) || MNT_IS_RDONLY(nd.mnt))
res = -EROFS;
+ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
@@ -14810,7 +14810,7 @@
--- linux-2.6.22.1/fs/proc/array.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/fs/proc/array.c 2007-08-02 11:38:47.000000000 -0400
@@ -291,6 +291,21 @@ static inline char *task_cap(struct task
- cap_t(p->cap_effective));
+ (unsigned)vx_info_mbcap(vxi, p->cap_effective));
}
+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
@@ -15030,17 +15030,22 @@
}
}
rcu_read_unlock();
-@@ -1101,11 +1136,26 @@ static int pid_revalidate(struct dentry
+@@ -1101,6 +1136,12 @@ static int pid_revalidate(struct dentry
{
struct inode *inode = dentry->d_inode;
struct task_struct *task = get_proc_task(inode);
+
+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
+ put_task_struct(task);
-+ goto out;
++ goto drop;
+ }
+
if (task) {
+ unsigned pid = name_to_int(dentry);
+ if (pid != ~0U && pid != vx_map_pid(task->pid)) {
+@@ -1151,9 +1194,18 @@ static int pid_revalidate(struct dentry
+ }
+
if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
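Review bot: The grsec guard in pid_revalidate now jumps to `drop`, a label this hunk does not show, and the hunk at @@ -15057 drops the old `+out:` addition that used to provide the target, so the hidden-task and chroot check now depends entirely on a label supplied elsewhere (presumably by the vserver 2.3.0.22 patch, given the neighbouring vx_map_pid block). It is worth confirming that `drop` still does `d_drop(dentry); return 0;` and does not touch `task`, since the block releases it with `put_task_struct(task)` before the jump; if the label instead falls into the success path, a task that should be hidden or chroot-restricted would remain resolvable through /proc. A one-line comment such as `/* drop: label comes from the vserver patch; must d_drop and return 0 */` above the jump would make that dependency visible to the next person refreshing this patch. pid_revalidate begins before this hunk and its body continues past it.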
@@ -15057,15 +15062,7 @@
} else {
inode->i_uid = 0;
inode->i_gid = 0;
-@@ -1115,6 +1165,7 @@ static int pid_revalidate(struct dentry
- put_task_struct(task);
- return 1;
- }
-+out:
- d_drop(dentry);
- return 0;
- }
-@@ -1371,6 +1422,9 @@ static struct dentry *proc_lookupfd_comm
+@@ -1371,6 +1435,9 @@ static struct dentry *proc_lookupfd_comm
if (fd == ~0U)
goto out;
@@ -30179,7 +30176,7 @@
#include <linux/compat.h>
#include <linux/syscalls.h>
@@ -641,6 +642,12 @@ static int set_one_prio(struct task_stru
- error = -EACCES;
+ error = -EACCES;
goto out;
}
+
@@ -30192,7 +30189,7 @@
if (no_nice) {
error = no_nice;
@@ -697,10 +704,10 @@ asmlinkage long sys_setpriority(int whic
- if ((who != current->uid) && !(user = find_user(who)))
+ !(user = find_user(vx_current_xid(), who)))
goto out_unlock; /* No processes for this user */
- do_each_thread(g, p)
@@ -30205,7 +30202,7 @@
free_uid(user); /* For find_user() */
break;
@@ -759,13 +766,13 @@ asmlinkage long sys_getpriority(int whic
- if ((who != current->uid) && !(user = find_user(who)))
+ !(user = find_user(vx_current_xid(), who)))
goto out_unlock; /* No processes for this user */
- do_each_thread(g, p)
@@ -33271,9 +33268,9 @@
--- linux-2.6.22.1/net/ipv4/udp.c 2007-07-10 14:56:30.000000000 -0400
+++ linux-2.6.22.1/net/ipv4/udp.c 2007-08-02 11:28:52.000000000 -0400
@@ -97,12 +97,19 @@
+ #include <linux/skbuff.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
- // #include <linux/vs_inet.h>
+#include <linux/grsecurity.h>
#include <net/icmp.h>
#include <net/route.h>
@@ -33443,8 +33440,8 @@
#include <asm/uaccess.h>
#include <asm/unistd.h>
@@ -93,6 +94,21 @@
- #include <net/sock.h>
- #include <linux/netfilter.h>
+ #include <linux/vs_inet.h>
+ #include <linux/vs_inet6.h>
+extern void gr_attach_curr_ip(const struct sock *sk);
+extern int gr_handle_sock_all(const int family, const int type,
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec_full.patch?r1=1.1.2.20&r2=1.1.2.21&f=u