SOURCES (LINUX_2_6): linux-2.6-grsec-minimal.patch - recreated fro...

hawk hawk at pld-linux.org
Tue May 6 11:15:31 CEST 2008


Author: hawk                         Date: Tue May  6 09:15:31 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- recreated from grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
- removed GRKERNSEC_SHM leftovers
- adjusted for vserver patched kernel

---- Files affected:
SOURCES:
   linux-2.6-grsec-minimal.patch (1.1.2.27 -> 1.1.2.28) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.27 SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.28
--- SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.27	Tue Apr  8 23:52:38 2008
+++ SOURCES/linux-2.6-grsec-minimal.patch	Tue May  6 11:15:26 2008
@@ -1,7 +1,7 @@
-diff -urNp linux-2.6.16.2/arch/sparc/Makefile linux-2.6.16.2/arch/sparc/Makefile
---- linux-2.6.16.2/arch/sparc/Makefile	2006-04-07 12:56:47.000000000 -0400
-+++ linux-2.6.16.2/arch/sparc/Makefile	2006-04-09 21:23:54.000000000 -0400
-@@ -34,7 +34,7 @@ libs-y += arch/sparc/prom/ arch/sparc/li
+diff -urNp linux-2.6.24.5/arch/sparc/Makefile linux-2.6.24.5/arch/sparc/Makefile
+--- linux-2.6.24.5/arch/sparc/Makefile	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/arch/sparc/Makefile	2008-03-26 20:21:07.000000000 -0400
+@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE)	+= arch/sparc
  # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
  INIT_Y		:= $(patsubst %/, %/built-in.o, $(init-y))
  CORE_Y		:= $(core-y)
@@ -10,10 +10,10 @@
  CORE_Y		:= $(patsubst %/, %/built-in.o, $(CORE_Y))
  DRIVERS_Y	:= $(patsubst %/, %/built-in.o, $(drivers-y))
  NET_Y		:= $(patsubst %/, %/built-in.o, $(net-y))
-diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
---- linux-2.6.16.2/Makefile	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/Makefile	2006-04-11 17:44:40.069707000 +0200
-@@ -556,7 +556,7 @@
+diff -urNp linux-2.6.24.5/Makefile linux-2.6.24.5/Makefile
+--- linux-2.6.24.5/Makefile	2008-04-17 20:05:17.000000000 -0400
++++ linux-2.6.24.5/Makefile	2008-04-17 20:05:00.000000000 -0400
+@@ -597,7 +597,7 @@ export mod_strip_cmd
  
  
  ifeq ($(KBUILD_EXTMOD),)
@@ -22,10 +22,10 @@
  
  vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
  		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
---- linux-2.6.16.2/drivers/char/keyboard.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/drivers/char/keyboard.c	2006-04-11 17:44:40.073707250 +0200
-@@ -607,6 +607,16 @@
+diff -urNp linux-2.6.24.5/drivers/char/keyboard.c linux-2.6.24.5/drivers/char/keyboard.c
+--- linux-2.6.24.5/drivers/char/keyboard.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/char/keyboard.c	2008-03-26 20:21:08.000000000 -0400
+@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
  	     kbd->kbdmode == VC_MEDIUMRAW) &&
  	     value != KVAL(K_SAK))
  		return;		/* SAK is allowed even in raw mode */
@@ -42,9 +42,9 @@
  	fn_handler[value](vc);
  }
  
-diff -urNp linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
---- linux-2.6.16.2/drivers/pci/proc.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/drivers/pci/proc.c	2006-04-11 17:44:40.073707250 +0200
+diff -urNp linux-2.6.24.5/drivers/pci/proc.c linux-2.6.24.5/drivers/pci/proc.c
+--- linux-2.6.24.5/drivers/pci/proc.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/pci/proc.c	2008-03-26 20:21:08.000000000 -0400
 @@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
  {
  	struct proc_dir_entry *entry;
@@ -61,10 +61,10 @@
  	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
  	if (entry)
  		entry->proc_fops = &proc_bus_pci_dev_operations;
-diff -urNp linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
---- linux-2.6.16.2/fs/Kconfig	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/Kconfig	2006-04-11 17:44:40.073707250 +0200
-@@ -817,7 +817,7 @@ config PROC_FS
+diff -urNp linux-2.6.24.5/fs/Kconfig linux-2.6.24.5/fs/Kconfig
+--- linux-2.6.24.5/fs/Kconfig	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/Kconfig	2008-03-26 20:21:08.000000000 -0400
+@@ -937,7 +937,7 @@ config PROC_FS
  
  config PROC_KCORE
  	bool "/proc/kcore support" if !ARM
@@ -73,18 +73,18 @@
  
  config PROC_VMCORE
          bool "/proc/vmcore support (EXPERIMENTAL)"
-diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
---- linux-2.6.16.2/fs/namei.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/namei.c	2006-04-11 18:10:35.961452750 +0200
-@@ -32,6 +32,7 @@
- #include <linux/vserver/debug.h>
+diff -urNp linux-2.6.24.5/fs/namei.c linux-2.6.24.5/fs/namei.c
+--- linux-2.6.24.5/fs/namei.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/namei.c	2008-03-26 20:21:08.000000000 -0400
+@@ -37,6 +37,7 @@
  #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
  #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
  
-@@ -608,6 +609,13 @@
+@@ -689,6 +690,13 @@ static inline int do_follow_link(struct 
  	err = security_inode_follow_link(path->dentry, nd);
  	if (err)
  		goto loop;
@@ -98,7 +98,7 @@
  	current->link_count++;
  	current->total_link_count++;
  	nd->depth++;
-@@ -1647,6 +1655,13 @@
+@@ -1856,6 +1864,13 @@ do_last:
  	/*
  	 * It already exists.
  	 */
@@ -110,9 +110,9 @@
 +	}
 +
  	mutex_unlock(&dir->d_inode->i_mutex);
- 	audit_inode_update(path.dentry->d_inode);
+ 	audit_inode(pathname, path.dentry);
  
-@@ -1700,6 +1715,13 @@
+@@ -1927,6 +1942,13 @@ do_link:
  	error = security_inode_follow_link(path.dentry, nd);
  	if (error)
  		goto exit_dput;
@@ -126,7 +126,7 @@
  	error = __do_follow_link(&path, nd);
  	if (error) {
  		/* Does someone understand code flow here? Or it is only
-@@ -2326,7 +2454,16 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2509,7 +2531,16 @@ asmlinkage long sys_linkat(int olddfd, c
  	error = PTR_ERR(new_dentry);
  	if (IS_ERR(new_dentry))
  		goto out_unlock;
@@ -143,11 +143,11 @@
  	dput(new_dentry);
  out_unlock:
  	mutex_unlock(&nd.dentry->d_inode->i_mutex);
-diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
---- linux-2.6.16.2/fs/proc/array.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/array.c	2006-04-11 17:44:40.077707500 +0200
-@@ -488,3 +488,14 @@
- 	return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+diff -urNp linux-2.6.24.5/fs/proc/array.c linux-2.6.24.5/fs/proc/array.c
+--- linux-2.6.24.5/fs/proc/array.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/array.c	2008-03-26 20:21:08.000000000 -0400
+@@ -629,3 +629,14 @@ int proc_pid_statm(struct task_struct *t
+ 	return sprintf(buffer, "%d %d %d %d %d %d %d\n",
  		       size, resident, shared, text, lib, data, 0);
  }
 +
@@ -161,10 +161,10 @@
 +}
 +#endif
 +
-diff -urNp linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
---- linux-2.6.16.2/fs/proc/inode.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/inode.c	2006-04-11 17:44:40.077707500 +0200
-@@ -166,7 +166,11 @@ struct inode *proc_get_inode(struct supe
+diff -urNp linux-2.6.24.5/fs/proc/inode.c linux-2.6.24.5/fs/proc/inode.c
+--- linux-2.6.24.5/fs/proc/inode.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/inode.c	2008-03-26 20:21:08.000000000 -0400
+@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
  		if (de->mode) {
  			inode->i_mode = de->mode;
  			inode->i_uid = de->uid;
@@ -176,10 +176,10 @@
  		}
  		if (de->vx_flags)
  			PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
---- linux-2.6.16.2/fs/proc/internal.h	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/internal.h	2006-04-11 17:44:40.077707500 +0200
-@@ -36,6 +36,9 @@ extern int proc_tid_stat(struct task_str
+diff -urNp linux-2.6.24.5/fs/proc/internal.h linux-2.6.24.5/fs/proc/internal.h
+--- linux-2.6.24.5/fs/proc/internal.h	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/internal.h	2008-03-26 20:21:08.000000000 -0400
+@@ -54,6 +54,9 @@ extern int proc_tgid_stat(struct task_st
  extern int proc_pid_status(struct task_struct *, char *);
  extern int proc_pid_statm(struct task_struct *, char *);
  extern int proc_pid_nsproxy(struct task_struct *, char *);
@@ -187,12 +187,12 @@
 +extern int proc_pid_ipaddr(struct task_struct*,char*);
 +#endif
  
- extern struct file_operations proc_maps_operations;
- extern struct file_operations proc_numa_maps_operations;
-diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
---- linux-2.6.16.2/fs/proc/proc_misc.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c	2006-04-11 17:44:40.109709500 +0200
-@@ -667,6 +667,8 @@ void create_seq_entry(char *name, mode_t
+ extern const struct file_operations proc_maps_operations;
+ extern const struct file_operations proc_numa_maps_operations;
+diff -urNp linux-2.6.24.5/fs/proc/proc_misc.c linux-2.6.24.5/fs/proc/proc_misc.c
+--- linux-2.6.24.5/fs/proc/proc_misc.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/proc_misc.c	2008-03-26 20:21:08.000000000 -0400
+@@ -707,6 +707,8 @@ void create_seq_entry(char *name, mode_t
  
  void __init proc_misc_init(void)
  {
@@ -201,7 +201,7 @@
  	static struct {
  		char *name;
  		int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -685,7 +687,9 @@ void __init proc_misc_init(void)
+@@ -722,13 +724,24 @@ void __init proc_misc_init(void)
  		{"stram",	stram_read_proc},
  #endif
  		{"filesystems",	filesystems_read_proc},
@@ -211,7 +211,6 @@
  		{"execdomains",	execdomains_read_proc},
  		{NULL,}
  	};
-@@ -735,6 +735,15 @@ void __init proc_misc_init(void) 
  	for (p = simple_ones; p->name; p++)
  		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
  
@@ -227,7 +226,7 @@
  	proc_symlink("mounts", NULL, "self/mounts");
  
  	/* And now for trickier ones */
-@@ -743,7 +752,11 @@
+@@ -741,7 +754,11 @@ void __init proc_misc_init(void)
  	}
  #endif
  	create_seq_entry("locks", 0, &proc_locks_operations);
@@ -239,11 +238,11 @@
  	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
  #ifdef CONFIG_BLOCK
  	create_seq_entry("partitions", 0, &proc_partitions_operations);
-@@ -707,7 +724,11 @@ void __init proc_misc_init(void)
+@@ -749,7 +766,11 @@ void __init proc_misc_init(void)
  	create_seq_entry("stat", 0, &proc_stat_operations);
  	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
  #ifdef CONFIG_SLABINFO
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKRENSEC_PROC_ADD
 +	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
 +#else
  	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
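Review bot: The new side of the `#ifdef` two lines above spells the symbol `CONFIG_GRKRENSEC_PROC_ADD`, which is never defined, so the preprocessor always takes the `#else` branch and slabinfo is registered with `S_IWUSR|S_IRUGO` even in a kernel built with GRKERNSEC_PROC_ADD — the restricted-mode entry silently never applies. The misspelling is presumably carried over from the upstream 2.6.24.5 patch this file was recreated from, but it is worth correcting here; the line should read `+#ifdef CONFIG_GRKERNSEC_PROC_ADD`. The enclosing proc_misc_init continues outside the hunk, so any other guards on the same symbol should be checked for the same typo.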
@@ -251,7 +250,7 @@
  #ifdef CONFIG_DEBUG_SLAB_LEAK
  	create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
  #endif
-@@ -724,7 +745,7 @@ void __init proc_misc_init(void)
+@@ -767,7 +788,7 @@ void __init proc_misc_init(void)
  #ifdef CONFIG_SCHEDSTATS
  	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
  #endif
@@ -260,10 +259,10 @@
  	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
  	if (proc_root_kcore) {
  		proc_root_kcore->proc_fops = &proc_kcore_operations;
-diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
---- linux-2.6.16.2/fs/proc/root.c	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/root.c	2006-04-11 17:44:40.113709750 +0200
-@@ -77,7 +83,15 @@
+diff -urNp linux-2.6.24.5/fs/proc/root.c linux-2.6.24.5/fs/proc/root.c
+--- linux-2.6.24.5/fs/proc/root.c	2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/root.c	2008-03-26 20:21:08.000000000 -0400
+@@ -140,7 +140,15 @@ void __init proc_root_init(void)
  #ifdef CONFIG_PROC_DEVICETREE
  	proc_device_tree_init();
  #endif
@@ -277,12 +276,12 @@
  	proc_bus = proc_mkdir("bus", NULL);
 +#endif
  	proc_vx_init();
+ 	proc_sys_init();
  }
- 
-diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
---- linux-2.6.16.2/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/Kconfig	2006-04-11 19:03:04.020561250 +0200
-@@ -0,0 +1,135 @@
+diff -urNp linux-2.6.24.5/grsecurity/Kconfig linux-2.6.24.5/grsecurity/Kconfig
+--- linux-2.6.24.5/grsecurity/Kconfig	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Kconfig	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,123 @@
 +#
 +# grecurity configuration
 +#
@@ -293,6 +292,8 @@
 +	bool "Grsecurity"
 +	select CRYPTO
 +	select CRYPTO_SHA256
++	select SECURITY
++	select SECURITY_CAPABILITIES
 +	help
 +	  If you say Y here, you will be able to configure many features
 +	  that will enhance the security of your system.  It is highly
@@ -367,7 +368,6 @@
 +endmenu
 +
 +config GRKERNSEC_PROC_IPADDR
-+	depends on GRKERNSEC
 +	bool "/proc/<pid>/ipaddr support"
 +	help
 +	  If you say Y here, a new entry will be added to each /proc/<pid>
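Review bot: Dropping `depends on GRKERNSEC` from GRKERNSEC_PROC_IPADDR here, and `depends on GRKERNSEC && SYSCTL` from GRKERNSEC_SYSCTL in the hunk ending at line 335, leaves both options selectable with GRKERNSEC (or SYSCTL) off unless an enclosing `menu` carries those dependencies; the `endmenu` just above suggests these two entries sit outside the feature sub-menus, and the enclosing menu header is not in the hunk. If that menu has no `depends on`, CONFIG_GRKERNSEC_SYSCTL can be set while grsecurity/Makefile builds only grsec_disabled.o, and whatever registers grsecurity_table under that symbol would presumably fail at link time. Restoring `depends on GRKERNSEC` on GRKERNSEC_PROC_IPADDR and `depends on GRKERNSEC && SYSCTL` on GRKERNSEC_SYSCTL keeps the options gated regardless of menu placement.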
@@ -378,20 +378,7 @@
 +	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
 +	  the RBAC system), and thus does not create privacy concerns.
 +
-+config GRKERNSEC_SHM
-+	depends on GRKERNSEC
-+	bool "Destroy unused shared memory"
-+	depends on SYSVIPC
-+	help
-+	  If you say Y here, shared memory will be destroyed when no one is
-+	  attached to it.  Otherwise, resources involved with the shared
-+	  memory can be used up and not be associated with any process (as the
-+	  shared memory still exists, and the creating process has exited).  If
-+	  the sysctl option is enabled, a sysctl option with name
-+	  "destroy_unused_shm" is created.
-+
 +config GRKERNSEC_SYSCTL
-+	depends on GRKERNSEC && SYSCTL
 +	bool "Sysctl support"
 +	help
 +	  If you say Y here, you will be able to change the options that
@@ -418,9 +405,9 @@
 +	  the sysctl entries.
 +
 +endmenu
-diff -urN linux-2.6.16.2/grsecurity/Makefile linux-2.6.16.2-grsec/grsecurity/Makefile
---- linux-2.6.16.2/grsecurity/Makefile	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/Makefile	2006-04-11 19:03:17.509404250 +0200
+diff -urNp linux-2.6.24.5/grsecurity/Makefile linux-2.6.24.5/grsecurity/Makefile
+--- linux-2.6.24.5/grsecurity/Makefile	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Makefile	2008-03-26 20:21:09.000000000 -0400
 @@ -0,0 +1,11 @@
 +# All code in this directory and various hooks inserted throughout the kernel
 +# are copyright Brad Spengler, and released under the GPL v2 or higher
@@ -433,19 +420,20 @@
 +obj-y += grsec_disabled.o
 +endif
 +
-diff -urN linux-2.6.16.2/grsecurity/grsec_disabled.c linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c
---- linux-2.6.16.2/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c	2006-04-11 17:44:40.113709750 +0200
-@@ -0,0 +1,5 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_disabled.c linux-2.6.24.5/grsecurity/grsec_disabled.c
+--- linux-2.6.24.5/grsecurity/grsec_disabled.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_disabled.c	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,6 @@
 +void
 +grsecurity_init(void)
 +{
 +	return;
 +}
-diff -urN linux-2.6.16.2/grsecurity/grsec_fifo.c linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c
---- linux-2.6.16.2/grsecurity/grsec_fifo.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c	2006-04-11 19:04:02.872239250 +0200
-@@ -0,0 +1,20 @@
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_fifo.c linux-2.6.24.5/grsecurity/grsec_fifo.c
+--- linux-2.6.24.5/grsecurity/grsec_fifo.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_fifo.c	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,21 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/fs.h>
@@ -461,15 +449,16 @@
 +	    !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
 +	    (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
 +	    (current->fsuid != dentry->d_inode->i_uid)) {
++		if (!generic_permission(dentry->d_inode, acc_mode, NULL))
 +		return -EACCES;
 +	}
 +#endif
 +	return 0;
 +}
-diff -urN linux-2.6.16.2/grsecurity/grsec_init.c linux-2.6.16.2-grsec/grsecurity/grsec_init.c
---- linux-2.6.16.2/grsecurity/grsec_init.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_init.c	2006-04-11 19:04:24.693603000 +0200
-@@ -0,0 +1,33 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_init.c linux-2.6.24.5/grsecurity/grsec_init.c
+--- linux-2.6.24.5/grsecurity/grsec_init.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_init.c	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,29 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -478,7 +467,6 @@
 +#include <linux/vmalloc.h>
 +#include <linux/percpu.h>
 +
-+int grsec_enable_shm;
 +int grsec_enable_link;
 +int grsec_enable_fifo;
 +int grsec_lock;
@@ -490,9 +478,6 @@
 +#ifndef CONFIG_GRKERNSEC_SYSCTL
 +	grsec_lock = 1;
 +#endif
-+#ifdef CONFIG_GRKERNSEC_SHM
-+	grsec_enable_shm = 1;
-+#endif
 +#ifdef CONFIG_GRKERNSEC_LINK
 +	grsec_enable_link = 1;
 +#endif
@@ -503,9 +488,9 @@
 +
 +	return;
 +}
-diff -urN linux-2.6.16.2/grsecurity/grsec_link.c linux-2.6.16.2-grsec/grsecurity/grsec_link.c
---- linux-2.6.16.2/grsecurity/grsec_link.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_link.c	2006-04-11 19:04:40.258575750 +0200
+diff -urNp linux-2.6.24.5/grsecurity/grsec_link.c linux-2.6.24.5/grsecurity/grsec_link.c
+--- linux-2.6.24.5/grsecurity/grsec_link.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_link.c	2008-03-26 20:21:09.000000000 -0400
 @@ -0,0 +1,37 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -544,10 +529,10 @@
 +#endif
 +	return 0;
 +}
-diff -urN linux-2.6.16.2/grsecurity/grsec_sock.c linux-2.6.16.2-grsec/grsecurity/grsec_sock.c
---- linux-2.6.16.2/grsecurity/grsec_sock.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_sock.c	2006-04-11 19:20:18.301199750 +0200
-@@ -0,0 +1,164 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_sock.c linux-2.6.24.5/grsecurity/grsec_sock.c
+--- linux-2.6.24.5/grsecurity/grsec_sock.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_sock.c	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,167 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -662,7 +647,7 @@
 +	newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
 +	if (newent == NULL)
 +		return;
-+	
++	/* no bh lock needed since we are called with bh disabled */
 +	spin_lock(&gr_conn_table_lock);
 +	gr_del_task_from_ip_table_nolock(sig);
 +	sig->gr_saddr = inet->rcv_saddr;
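Review bot: The new comment `/* no bh lock needed since we are called with bh disabled */` documents a caller invariant rather than anything the function enforces, and the accept path in the hunk ending at line 477 takes the same gr_conn_table_lock with spin_lock_bh(); if this add path were ever reached from process context, the plain spin_lock() here could deadlock against that path. Since the function's header is above the hunk, the contract belongs there, e.g. `/* Caller must have bottom halves disabled: gr_conn_table_lock is taken without _bh here. */`, and a `WARN_ON_ONCE(!in_softirq());` at the top of the function would make a violation visible rather than silent.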
@@ -697,25 +682,28 @@
 +
 +	set = current->signal;
 +
-+	spin_lock(&gr_conn_table_lock);
++	spin_lock_bh(&gr_conn_table_lock);
 +	p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
 +				    inet->dport, inet->sport);
 +	if (unlikely(p != NULL)) {
 +		set->curr_ip = p->curr_ip;
++		set->used_accept = 1;
 +		gr_del_task_from_ip_table_nolock(p);
-+		spin_unlock(&gr_conn_table_lock);
++		spin_unlock_bh(&gr_conn_table_lock);
 +		return;
 +	}
-+	spin_unlock(&gr_conn_table_lock);
++	spin_unlock_bh(&gr_conn_table_lock);
 +
 +	set->curr_ip = inet->daddr;
++	set->used_accept = 1;
 +#endif
 +	return;
 +}
-diff -urN linux-2.6.16.2/grsecurity/grsec_sysctl.c linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c
---- linux-2.6.16.2/grsecurity/grsec_sysctl.c	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c	2006-04-11 19:04:50.363207250 +0200
-@@ -0,0 +1,65 @@
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_sysctl.c linux-2.6.24.5/grsecurity/grsec_sysctl.c
+--- linux-2.6.24.5/grsecurity/grsec_sysctl.c	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_sysctl.c	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,52 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -734,14 +722,11 @@
 +}
 +
 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
-+enum {GS_LINK=1, GS_FIFO, GS_SHM, GS_LOCK};
-+
-+
 +ctl_table grsecurity_table[] = {
 +#ifdef CONFIG_GRKERNSEC_SYSCTL
 +#ifdef CONFIG_GRKERNSEC_LINK
 +	{
-+		.ctl_name	= GS_LINK,
++		.ctl_name	= CTL_UNNUMBERED,
 +		.procname	= "linking_restrictions",
 +		.data		= &grsec_enable_link,
 +		.maxlen		= sizeof(int),
@@ -751,7 +736,7 @@
 +#endif
 +#ifdef CONFIG_GRKERNSEC_FIFO
 +	{
-+		.ctl_name	= GS_FIFO,
++		.ctl_name	= CTL_UNNUMBERED,
 +		.procname	= "fifo_restrictions",
 +		.data		= &grsec_enable_fifo,
 +		.maxlen		= sizeof(int),
@@ -759,18 +744,8 @@
 +		.proc_handler	= &proc_dointvec,
 +	},
 +#endif
-+#ifdef CONFIG_GRKERNSEC_SHM
-+	{
-+		.ctl_name	= GS_SHM,
-+		.procname	= "destroy_unused_shm",
-+		.data		= &grsec_enable_shm,
-+		.maxlen		= sizeof(int),
-+		.mode		= 0600,
-+		.proc_handler	= &proc_dointvec,
-+	},
-+#endif
 +	{
-+		.ctl_name	= GS_LOCK,
++		.ctl_name	= CTL_UNNUMBERED,
 +		.procname	= "grsec_lock",
 +		.data		= &grsec_lock,
 +		.maxlen		= sizeof(int),
@@ -781,10 +756,10 @@
 +	{ .ctl_name = 0 }
 +};
 +#endif
-diff -urN linux-2.6.16.2/include/linux/grinternal.h linux-2.6.16.2-grsec/include/linux/grinternal.h
---- linux-2.6.16.2/include/linux/grinternal.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/include/linux/grinternal.h	2006-04-11 19:03:34.734480750 +0200
-@@ -0,0 +1,15 @@
+diff -urNp linux-2.6.24.5/include/linux/grinternal.h linux-2.6.24.5/include/linux/grinternal.h
+--- linux-2.6.24.5/include/linux/grinternal.h	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/include/linux/grinternal.h	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,14 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
 +
@@ -794,176 +769,75 @@
 +
 +extern int grsec_enable_link;
 +extern int grsec_enable_fifo;
-+extern int grsec_enable_shm;
 +extern int grsec_lock;
 +
 +#endif
 +
 +#endif
-diff -urN linux-2.6.16.2/include/linux/grsecurity.h linux-2.6.16.2-grsec/include/linux/grsecurity.h
---- linux-2.6.16.2/include/linux/grsecurity.h	1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/include/linux/grsecurity.h	2006-04-11 18:06:03.000000000 +0200
-@@ -0,0 +1,34 @@
+diff -urNp linux-2.6.24.5/include/linux/grsecurity.h linux-2.6.24.5/include/linux/grsecurity.h
+--- linux-2.6.24.5/include/linux/grsecurity.h	1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/include/linux/grsecurity.h	2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,21 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
 +#include <linux/binfmts.h>
 +
-+extern void gr_del_task_from_ip_table(struct task_struct *p);
++void gr_del_task_from_ip_table(struct task_struct *p);
 +
-+extern int gr_handle_follow_link(const struct inode *parent,
++int gr_handle_follow_link(const struct inode *parent,
 +				 const struct inode *inode,
 +				 const struct dentry *dentry,
 +				 const struct vfsmount *mnt);
-+extern int gr_handle_fifo(const struct dentry *dentry,
++int gr_handle_fifo(const struct dentry *dentry,
 +			  const struct vfsmount *mnt,
 +			  const struct dentry *dir, const int flag,
 +			  const int acc_mode);
-+extern int gr_handle_hardlink(const struct dentry *dentry,
++int gr_handle_hardlink(const struct dentry *dentry,
 +			      const struct vfsmount *mnt,
 +			      struct inode *inode,
 +			      const int mode, const char *to);
 +
-+#ifdef CONFIG_SYSVIPC
-+extern void gr_shm_exit(struct task_struct *task);
-+#else
-+static inline void gr_shm_exit(struct task_struct *task)
-+{
-+	return;
-+}
 +#endif
-+
-+#ifdef CONFIG_GRKERNSEC
-+extern int grsec_enable_shm;
-+#endif
-+
-+#endif
-diff -urNp linux-2.6.16.2/include/linux/sched.h linux-2.6.16.2-grsec/include/linux/sched.h
---- linux-2.6.16.2/include/linux/sched.h	2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/include/linux/sched.h	2006-04-11 19:14:15.574530750 +0200
-@@ -474,6 +474,13 @@ struct signal_struct {
- 	spinlock_t stats_lock;
- 	struct taskstats *stats;
+diff -urNp linux-2.6.24.5/include/linux/sched.h linux-2.6.24.5/include/linux/sched.h
+--- linux-2.6.24.5/include/linux/sched.h	2008-04-17 20:05:17.000000000 -0400
++++ linux-2.6.24.5/include/linux/sched.h	2008-04-17 20:05:01.000000000 -0400
+@@ -510,6 +510,15 @@ struct signal_struct {
+ 	unsigned audit_tty;
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-minimal.patch?r1=1.1.2.27&r2=1.1.2.28&f=u


