SOURCES (LINUX_2_6): linux-2.6-grsec-minimal.patch - updated for 2...

zbyniu zbyniu at pld-linux.org
Tue Jan 22 00:14:51 CET 2008


Author: zbyniu                       Date: Mon Jan 21 23:14:51 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- updated for 2.6.24rc8

---- Files affected:
SOURCES:
   linux-2.6-grsec-minimal.patch (1.1.2.24 -> 1.1.2.25) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.24 SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.25
--- SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.24	Tue Oct  9 16:11:46 2007
+++ SOURCES/linux-2.6-grsec-minimal.patch	Tue Jan 22 00:14:46 2008
@@ -77,9 +77,9 @@
 --- linux-2.6.16.2/fs/namei.c	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/fs/namei.c	2006-04-11 18:10:35.961452750 +0200
 @@ -32,6 +32,7 @@
- #include <linux/vs_tag.h>
  #include <linux/vserver/debug.h>
  #include <linux/vs_cowbl.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -180,9 +180,9 @@
 --- linux-2.6.16.2/fs/proc/internal.h	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/fs/proc/internal.h	2006-04-11 17:44:40.077707500 +0200
 @@ -36,6 +36,9 @@ extern int proc_tid_stat(struct task_str
- extern int proc_tgid_stat(struct task_struct *, char *);
  extern int proc_pid_status(struct task_struct *, char *);
  extern int proc_pid_statm(struct task_struct *, char *);
+ extern int proc_pid_nsproxy(struct task_struct *, char *);
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct task_struct*,char*);
 +#endif
@@ -208,9 +208,9 @@
 +#ifndef CONFIG_GRKERNSEC_PROC_ADD
  		{"cmdline",	cmdline_read_proc},
 +#endif
- 		{"locks",	locks_read_proc},
  		{"execdomains",	execdomains_read_proc},
  		{NULL,}
+ 	};
 @@ -735,6 +735,15 @@ void __init proc_misc_init(void) 
  	for (p = simple_ones; p->name; p++)
  		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
@@ -228,9 +228,9 @@
  
  	/* And now for trickier ones */
 @@ -743,7 +752,11 @@
- 	if (entry)
- 		entry->proc_fops = &proc_kmsg_operations;
+ 	}
  #endif
+ 	create_seq_entry("locks", 0, &proc_locks_operations);
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
 +#else
@@ -242,7 +242,7 @@
 @@ -707,7 +724,11 @@ void __init proc_misc_init(void)
  	create_seq_entry("stat", 0, &proc_stat_operations);
  	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
- #ifdef CONFIG_SLAB
+ #ifdef CONFIG_SLABINFO
 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
 +	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
 +#else
@@ -263,20 +263,6 @@
 diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
 --- linux-2.6.16.2/fs/proc/root.c	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/fs/proc/root.c	2006-04-11 17:44:40.113709750 +0200
-@@ -53,7 +53,13 @@
- 		return;
- 	}
- 	proc_misc_init();
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#else
- 	proc_net = proc_mkdir("net", NULL);
-+#endif
- 	proc_net_stat = proc_mkdir("net/stat", NULL);
- 
- #ifdef CONFIG_SYSVIPC
 @@ -77,7 +83,15 @@
  #ifdef CONFIG_PROC_DEVICETREE
  	proc_device_tree_init();
@@ -997,9 +983,9 @@
 --- linux-2.6.16.2/kernel/exit.c	2006-04-07 18:56:47.000000000 +0200
 +++ linux-2.6.16.2-grsec/kernel/exit.c	2006-04-11 17:44:40.125710500 +0200
 @@ -36,6 +36,7 @@
+ #include <linux/resource.h>
  #include <linux/blkdev.h>
  #include <linux/task_io_accounting_ops.h>
- #include <linux/freezer.h>
 +#include <linux/grsecurity.h>
  #include <linux/vs_limit.h>
  #include <linux/vs_context.h>
@@ -1187,10 +1173,10 @@
  config KEYS
  	bool "Enable access key retention support"
  	help
-diff -urN linux-2.6.18/fs/proc/base.c linux-2.6.18-grsec/fs/proc/base.c
---- linux-2.6.18/fs/proc/base.c.orig	2006-11-03 18:27:40.112510768 +0100
-+++ linux-2.6.18/fs/proc/base.c	2006-11-03 18:42:56.408212648 +0100
-@@ -969,7 +969,11 @@ static struct inode *proc_pid_make_inode
+diff -urN linux-2.6.24-rc8/fs/proc/base.c linux-2.6.24-rc8/fs/proc/base.c
+--- linux-2.6.24-rc8/fs/proc/base.c	2008-01-22 00:05:52.571622750 +0100
++++ linux-2.6.24-rc8/fs/proc/base.c	2008-01-22 00:08:58.871265750 +0100
+@@ -1205,7 +1205,11 @@ static struct inode *proc_pid_make_inode
  	if (task_dumpable(task)) {
  		inode->i_uid = task->euid;
  		inode->i_gid = task->egid;
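Review bot: The regenerated file header names the same path on both sides (`diff -urN linux-2.6.24-rc8/fs/proc/base.c linux-2.6.24-rc8/fs/proc/base.c`, with identical `---` and `+++` lines), so the patch no longer records which tree is pristine; the previous revision used a `.orig` suffix for that. This is harmless for `patch -p1`, but a distinct source path such as `--- linux-2.6.24-rc8.orig/fs/proc/base.c` keeps the patch self-describing when it is read outside the build.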
@@ -1202,7 +1188,7 @@
  	/* procfs is xid tagged */
  	inode->i_tag = (tag_t)vx_task_xid(task);
  	security_task_to_inode(task, inode);
-@@ -985,17 +992,38 @@ static int pid_getattr(struct vfsmount *
+@@ -1222,17 +1226,38 @@ static int pid_getattr(struct vfsmount *
  {
  	struct inode *inode = dentry->d_inode;
  	struct task_struct *task;
@@ -1242,7 +1228,7 @@
  		}
  	}
  	rcu_read_unlock();
-@@ -1025,9 +1053,18 @@ static int pid_revalidate(struct dentry 
+@@ -1262,9 +1287,18 @@ static int pid_revalidate(struct dentry 
  	struct task_struct *task = get_proc_task(inode);
  	if (task) {
  		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
@@ -1261,20 +1247,46 @@
  		} else {
  			inode->i_uid = 0;
  			inode->i_gid = 0;
-@@ -1791,6 +1833,9 @@ static struct pid_entry tgid_base_stuff[
- #ifdef CONFIG_AUDITSYSCALL
- 	REG("loginuid",   S_IWUSR|S_IRUGO, loginuid),
+@@ -2503,6 +2537,9 @@ int proc_pid_readdir(struct file * filp,
+ {
+ 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	struct task_struct *tmp = current;
++#endif
+ 	struct tgid_iter iter;
+ 	struct pid_namespace *ns;
+ 
+@@ -2524,6 +2561,15 @@ int proc_pid_readdir(struct file * filp,
+ 		filp->f_pos = iter.tgid + TGID_OFFSET;
+ 		if (!vx_proc_task_visible(iter.task))
+ 			continue;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		if (tmp->uid && (iter.task->uid != tmp->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++				&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++		   )
++			continue;
++#endif
++
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ 			put_task_struct(iter.task);
+ 			goto out;
+@@ -2588,6 +2634,9 @@ static const struct pid_entry tid_base_s
+ #ifdef CONFIG_FAULT_INJECTION
+ 	REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
  #endif
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +	INF("ipaddr",	  S_IRUSR, pid_ipaddr),
 +#endif
  };
  
- static int proc_tgid_base_readdir(struct file * filp,
-@@ -1893,7 +1938,14 @@ struct dentry *proc_pid_instantiate(stru
+ static int proc_tid_base_readdir(struct file * filp,
+@@ -2622,7 +2671,14 @@ static struct dentry *proc_task_instanti
+ 
  	if (!inode)
  		goto out;
- 
 +#ifdef CONFIG_GRKERNSEC_PROC_USER
 +	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
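Review bot: The visibility filter added to proc_pid_readdir compares real uids (`tmp->uid`, `iter.task->uid`, with `tmp` being `current`) while the inode ownership set in the proc_pid_make_inode hunk above uses `inode->i_uid = task->euid;`, so a task whose real and effective uids differ can be listed under one rule and owned under another; confirm that the real-uid comparison is intended or use the same id on both paths. The new block carries no comment naming the policy it enforces; a line such as `/* PROC_USER: a caller with non-zero real uid lists only its own tasks; PROC_USERGROUP also admits members of CONFIG_GRKERNSEC_PROC_GID */` above the `#if` would help the next reader. `in_group_p(CONFIG_GRKERNSEC_PROC_GID)` depends only on the caller, so it could be evaluated once before the loop rather than once per task. The `continue` mirrors the existing `vx_proc_task_visible` check and so appears to rely on the loop header's `next_tgid` to drop the task reference; that header lies outside the hunk.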
@@ -1283,33 +1295,22 @@
 +#else
  	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
 +#endif
- 	inode->i_op = &proc_tgid_base_inode_operations;
- 	inode->i_fop = &proc_tgid_base_operations;
+ 	inode->i_op = &proc_tid_base_inode_operations;
+ 	inode->i_fop = &proc_tid_base_operations;
  	inode->i_flags|=S_IMMUTABLE;
-@@ -1992,6 +2048,9 @@ int proc_pid_readdir(struct file * filp,
+--- linux-2.6.24-rc8/fs/proc/proc_net.c	2008-01-16 05:22:48.000000000 +0100
++++ linux-2.6.24-rc8/fs/proc/proc_net.c	2008-01-21 23:29:18.874525250 +0100
+@@ -110,7 +110,13 @@
+ 
+ int __init proc_net_init(void)
  {
- 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	struct task_struct *tmp = current;
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	shadow_pde = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	shadow_pde = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#else  
+ 	shadow_pde = proc_mkdir("net", NULL);
 +#endif
- 	struct task_struct *task;
- 	int tgid;
+ 	shadow_pde->shadow_proc = proc_net_shadow;
  
-@@ -2009,6 +2068,16 @@ int proc_pid_readdir(struct file * filp,
- 	     task;
- 	     put_task_struct(task), task = next_tgid(tgid + 1)) {
- 		tgid = task->pid;
-+
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (tmp->uid && (task->uid != tmp->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		        && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+		)
-+			continue;
-+#endif
-+
- 		filp->f_pos = tgid + TGID_OFFSET;
- 		if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
- 			put_task_struct(task);
+ 	return register_pernet_subsys(&proc_net_ns_ops);
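Review bot: The restricted mode is applied only to the shadow `net` entry created here; if the per-namespace `net` directory that `proc_net_shadow` resolves to is created elsewhere in proc_net.c with a plain `proc_mkdir`, the effective permission check may depend on which entry the VFS consults, so confirm that traversal into /proc/net is actually refused for an unprivileged caller under both PROC_USER and PROC_USERGROUP rather than only the listing. The `+#else  ` line carries trailing whitespace that should be dropped. Neither the new `proc_mkdir_mode` calls nor the pre-existing `proc_mkdir` check for a NULL return before `shadow_pde->shadow_proc` is assigned, though that is not introduced by this change. proc_net_init's closing brace lies outside the hunk.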
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-minimal.patch?r1=1.1.2.24&r2=1.1.2.25&f=u


