SOURCES (LINUX_2_6): linux-2.6-grsec-minimal.patch - recreated fro...
hawk
hawk at pld-linux.org
Tue May 6 11:15:31 CEST 2008
Author: hawk Date: Tue May 6 09:15:31 2008 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- recreated from grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
- removed GRKERNSEC_SHM leftovers
- adjusted for vserver patched kernel
---- Files affected:
SOURCES:
linux-2.6-grsec-minimal.patch (1.1.2.27 -> 1.1.2.28)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-grsec-minimal.patch
diff -u SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.27 SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.28
--- SOURCES/linux-2.6-grsec-minimal.patch:1.1.2.27 Tue Apr 8 23:52:38 2008
+++ SOURCES/linux-2.6-grsec-minimal.patch Tue May 6 11:15:26 2008
@@ -1,7 +1,7 @@
-diff -urNp linux-2.6.16.2/arch/sparc/Makefile linux-2.6.16.2/arch/sparc/Makefile
---- linux-2.6.16.2/arch/sparc/Makefile 2006-04-07 12:56:47.000000000 -0400
-+++ linux-2.6.16.2/arch/sparc/Makefile 2006-04-09 21:23:54.000000000 -0400
-@@ -34,7 +34,7 @@ libs-y += arch/sparc/prom/ arch/sparc/li
+diff -urNp linux-2.6.24.5/arch/sparc/Makefile linux-2.6.24.5/arch/sparc/Makefile
+--- linux-2.6.24.5/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/arch/sparc/Makefile 2008-03-26 20:21:07.000000000 -0400
+@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
# Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
CORE_Y := $(core-y)
@@ -10,10 +10,10 @@
CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
-diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
---- linux-2.6.16.2/Makefile 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/Makefile 2006-04-11 17:44:40.069707000 +0200
-@@ -556,7 +556,7 @@
+diff -urNp linux-2.6.24.5/Makefile linux-2.6.24.5/Makefile
+--- linux-2.6.24.5/Makefile 2008-04-17 20:05:17.000000000 -0400
++++ linux-2.6.24.5/Makefile 2008-04-17 20:05:00.000000000 -0400
+@@ -597,7 +597,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -22,10 +22,10 @@
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
---- linux-2.6.16.2/drivers/char/keyboard.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/drivers/char/keyboard.c 2006-04-11 17:44:40.073707250 +0200
-@@ -607,6 +607,16 @@
+diff -urNp linux-2.6.24.5/drivers/char/keyboard.c linux-2.6.24.5/drivers/char/keyboard.c
+--- linux-2.6.24.5/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/char/keyboard.c 2008-03-26 20:21:08.000000000 -0400
+@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
kbd->kbdmode == VC_MEDIUMRAW) &&
value != KVAL(K_SAK))
return; /* SAK is allowed even in raw mode */
@@ -42,9 +42,9 @@
fn_handler[value](vc);
}
-diff -urNp linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
---- linux-2.6.16.2/drivers/pci/proc.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/drivers/pci/proc.c 2006-04-11 17:44:40.073707250 +0200
+diff -urNp linux-2.6.24.5/drivers/pci/proc.c linux-2.6.24.5/drivers/pci/proc.c
+--- linux-2.6.24.5/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/drivers/pci/proc.c 2008-03-26 20:21:08.000000000 -0400
@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
{
struct proc_dir_entry *entry;
@@ -61,10 +61,10 @@
entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
if (entry)
entry->proc_fops = &proc_bus_pci_dev_operations;
-diff -urNp linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
---- linux-2.6.16.2/fs/Kconfig 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/Kconfig 2006-04-11 17:44:40.073707250 +0200
-@@ -817,7 +817,7 @@ config PROC_FS
+diff -urNp linux-2.6.24.5/fs/Kconfig linux-2.6.24.5/fs/Kconfig
+--- linux-2.6.24.5/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/Kconfig 2008-03-26 20:21:08.000000000 -0400
+@@ -937,7 +937,7 @@ config PROC_FS
config PROC_KCORE
bool "/proc/kcore support" if !ARM
@@ -73,18 +73,18 @@
config PROC_VMCORE
bool "/proc/vmcore support (EXPERIMENTAL)"
-diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
---- linux-2.6.16.2/fs/namei.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/namei.c 2006-04-11 18:10:35.961452750 +0200
-@@ -32,6 +32,7 @@
- #include <linux/vserver/debug.h>
+diff -urNp linux-2.6.24.5/fs/namei.c linux-2.6.24.5/fs/namei.c
+--- linux-2.6.24.5/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/namei.c 2008-03-26 20:21:08.000000000 -0400
+@@ -37,6 +37,7 @@
#include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
#include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
-@@ -608,6 +609,13 @@
+@@ -689,6 +690,13 @@ static inline int do_follow_link(struct
err = security_inode_follow_link(path->dentry, nd);
if (err)
goto loop;
@@ -98,7 +98,7 @@
current->link_count++;
current->total_link_count++;
nd->depth++;
-@@ -1647,6 +1655,13 @@
+@@ -1856,6 +1864,13 @@ do_last:
/*
* It already exists.
*/
@@ -110,9 +110,9 @@
+ }
+
mutex_unlock(&dir->d_inode->i_mutex);
- audit_inode_update(path.dentry->d_inode);
+ audit_inode(pathname, path.dentry);
-@@ -1700,6 +1715,13 @@
+@@ -1927,6 +1942,13 @@ do_link:
error = security_inode_follow_link(path.dentry, nd);
if (error)
goto exit_dput;
@@ -126,7 +126,7 @@
error = __do_follow_link(&path, nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -2326,7 +2454,16 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2509,7 +2531,16 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -143,11 +143,11 @@
dput(new_dentry);
out_unlock:
mutex_unlock(&nd.dentry->d_inode->i_mutex);
-diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
---- linux-2.6.16.2/fs/proc/array.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/array.c 2006-04-11 17:44:40.077707500 +0200
-@@ -488,3 +488,14 @@
- return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+diff -urNp linux-2.6.24.5/fs/proc/array.c linux-2.6.24.5/fs/proc/array.c
+--- linux-2.6.24.5/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/array.c 2008-03-26 20:21:08.000000000 -0400
+@@ -629,3 +629,14 @@ int proc_pid_statm(struct task_struct *t
+ return sprintf(buffer, "%d %d %d %d %d %d %d\n",
size, resident, shared, text, lib, data, 0);
}
+
@@ -161,10 +161,10 @@
+}
+#endif
+
-diff -urNp linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
---- linux-2.6.16.2/fs/proc/inode.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/inode.c 2006-04-11 17:44:40.077707500 +0200
-@@ -166,7 +166,11 @@ struct inode *proc_get_inode(struct supe
+diff -urNp linux-2.6.24.5/fs/proc/inode.c linux-2.6.24.5/fs/proc/inode.c
+--- linux-2.6.24.5/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/inode.c 2008-03-26 20:21:08.000000000 -0400
+@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
if (de->mode) {
inode->i_mode = de->mode;
inode->i_uid = de->uid;
@@ -176,10 +176,10 @@
}
if (de->vx_flags)
PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
---- linux-2.6.16.2/fs/proc/internal.h 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/internal.h 2006-04-11 17:44:40.077707500 +0200
-@@ -36,6 +36,9 @@ extern int proc_tid_stat(struct task_str
+diff -urNp linux-2.6.24.5/fs/proc/internal.h linux-2.6.24.5/fs/proc/internal.h
+--- linux-2.6.24.5/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/internal.h 2008-03-26 20:21:08.000000000 -0400
+@@ -54,6 +54,9 @@ extern int proc_tgid_stat(struct task_st
extern int proc_pid_status(struct task_struct *, char *);
extern int proc_pid_statm(struct task_struct *, char *);
extern int proc_pid_nsproxy(struct task_struct *, char *);
@@ -187,12 +187,12 @@
+extern int proc_pid_ipaddr(struct task_struct*,char*);
+#endif
- extern struct file_operations proc_maps_operations;
- extern struct file_operations proc_numa_maps_operations;
-diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
---- linux-2.6.16.2/fs/proc/proc_misc.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c 2006-04-11 17:44:40.109709500 +0200
-@@ -667,6 +667,8 @@ void create_seq_entry(char *name, mode_t
+ extern const struct file_operations proc_maps_operations;
+ extern const struct file_operations proc_numa_maps_operations;
+diff -urNp linux-2.6.24.5/fs/proc/proc_misc.c linux-2.6.24.5/fs/proc/proc_misc.c
+--- linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-26 20:21:08.000000000 -0400
+@@ -707,6 +707,8 @@ void create_seq_entry(char *name, mode_t
void __init proc_misc_init(void)
{
@@ -201,7 +201,7 @@
static struct {
char *name;
int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -685,7 +687,9 @@ void __init proc_misc_init(void)
+@@ -722,13 +724,24 @@ void __init proc_misc_init(void)
{"stram", stram_read_proc},
#endif
{"filesystems", filesystems_read_proc},
@@ -211,7 +211,6 @@
{"execdomains", execdomains_read_proc},
{NULL,}
};
-@@ -735,6 +735,15 @@ void __init proc_misc_init(void)
for (p = simple_ones; p->name; p++)
create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
@@ -227,7 +226,7 @@
proc_symlink("mounts", NULL, "self/mounts");
/* And now for trickier ones */
-@@ -743,7 +752,11 @@
+@@ -741,7 +754,11 @@ void __init proc_misc_init(void)
}
#endif
create_seq_entry("locks", 0, &proc_locks_operations);
@@ -239,11 +238,11 @@
create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
#ifdef CONFIG_BLOCK
create_seq_entry("partitions", 0, &proc_partitions_operations);
-@@ -707,7 +724,11 @@ void __init proc_misc_init(void)
+@@ -749,7 +766,11 @@ void __init proc_misc_init(void)
create_seq_entry("stat", 0, &proc_stat_operations);
create_seq_entry("interrupts", 0, &proc_interrupts_operations);
#ifdef CONFIG_SLABINFO
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKRENSEC_PROC_ADD
+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
+#else
create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
@@ -251,7 +250,7 @@
#ifdef CONFIG_DEBUG_SLAB_LEAK
create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
#endif
-@@ -724,7 +745,7 @@ void __init proc_misc_init(void)
+@@ -767,7 +788,7 @@ void __init proc_misc_init(void)
#ifdef CONFIG_SCHEDSTATS
create_seq_entry("schedstat", 0, &proc_schedstat_operations);
#endif
@@ -260,10 +259,10 @@
proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
if (proc_root_kcore) {
proc_root_kcore->proc_fops = &proc_kcore_operations;
-diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
---- linux-2.6.16.2/fs/proc/root.c 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/fs/proc/root.c 2006-04-11 17:44:40.113709750 +0200
-@@ -77,7 +83,15 @@
+diff -urNp linux-2.6.24.5/fs/proc/root.c linux-2.6.24.5/fs/proc/root.c
+--- linux-2.6.24.5/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
++++ linux-2.6.24.5/fs/proc/root.c 2008-03-26 20:21:08.000000000 -0400
+@@ -140,7 +140,15 @@ void __init proc_root_init(void)
#ifdef CONFIG_PROC_DEVICETREE
proc_device_tree_init();
#endif
@@ -277,12 +276,12 @@
proc_bus = proc_mkdir("bus", NULL);
+#endif
proc_vx_init();
+ proc_sys_init();
}
-
-diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
---- linux-2.6.16.2/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/Kconfig 2006-04-11 19:03:04.020561250 +0200
-@@ -0,0 +1,135 @@
+diff -urNp linux-2.6.24.5/grsecurity/Kconfig linux-2.6.24.5/grsecurity/Kconfig
+--- linux-2.6.24.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Kconfig 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,123 @@
+#
+# grecurity configuration
+#
@@ -293,6 +292,8 @@
+ bool "Grsecurity"
+ select CRYPTO
+ select CRYPTO_SHA256
++ select SECURITY
++ select SECURITY_CAPABILITIES
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
@@ -367,7 +368,6 @@
+endmenu
+
+config GRKERNSEC_PROC_IPADDR
-+ depends on GRKERNSEC
+ bool "/proc/<pid>/ipaddr support"
+ help
+ If you say Y here, a new entry will be added to each /proc/<pid>
@@ -378,20 +378,7 @@
+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
+ the RBAC system), and thus does not create privacy concerns.
+
-+config GRKERNSEC_SHM
-+ depends on GRKERNSEC
-+ bool "Destroy unused shared memory"
-+ depends on SYSVIPC
-+ help
-+ If you say Y here, shared memory will be destroyed when no one is
-+ attached to it. Otherwise, resources involved with the shared
-+ memory can be used up and not be associated with any process (as the
-+ shared memory still exists, and the creating process has exited). If
-+ the sysctl option is enabled, a sysctl option with name
-+ "destroy_unused_shm" is created.
-+
+config GRKERNSEC_SYSCTL
-+ depends on GRKERNSEC && SYSCTL
+ bool "Sysctl support"
+ help
+ If you say Y here, you will be able to change the options that
@@ -418,9 +405,9 @@
+ the sysctl entries.
+
+endmenu
-diff -urN linux-2.6.16.2/grsecurity/Makefile linux-2.6.16.2-grsec/grsecurity/Makefile
---- linux-2.6.16.2/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/Makefile 2006-04-11 19:03:17.509404250 +0200
+diff -urNp linux-2.6.24.5/grsecurity/Makefile linux-2.6.24.5/grsecurity/Makefile
+--- linux-2.6.24.5/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/Makefile 2008-03-26 20:21:09.000000000 -0400
@@ -0,0 +1,11 @@
+# All code in this directory and various hooks inserted throughout the kernel
+# are copyright Brad Spengler, and released under the GPL v2 or higher
@@ -433,19 +420,20 @@
+obj-y += grsec_disabled.o
+endif
+
-diff -urN linux-2.6.16.2/grsecurity/grsec_disabled.c linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c
---- linux-2.6.16.2/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c 2006-04-11 17:44:40.113709750 +0200
-@@ -0,0 +1,5 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_disabled.c linux-2.6.24.5/grsecurity/grsec_disabled.c
+--- linux-2.6.24.5/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_disabled.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
+{
+ return;
+}
-diff -urN linux-2.6.16.2/grsecurity/grsec_fifo.c linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c
---- linux-2.6.16.2/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c 2006-04-11 19:04:02.872239250 +0200
-@@ -0,0 +1,20 @@
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_fifo.c linux-2.6.24.5/grsecurity/grsec_fifo.c
+--- linux-2.6.24.5/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_fifo.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,21 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
@@ -461,15 +449,16 @@
+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+ (current->fsuid != dentry->d_inode->i_uid)) {
++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
-diff -urN linux-2.6.16.2/grsecurity/grsec_init.c linux-2.6.16.2-grsec/grsecurity/grsec_init.c
---- linux-2.6.16.2/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_init.c 2006-04-11 19:04:24.693603000 +0200
-@@ -0,0 +1,33 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_init.c linux-2.6.24.5/grsecurity/grsec_init.c
+--- linux-2.6.24.5/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_init.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,29 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -478,7 +467,6 @@
+#include <linux/vmalloc.h>
+#include <linux/percpu.h>
+
-+int grsec_enable_shm;
+int grsec_enable_link;
+int grsec_enable_fifo;
+int grsec_lock;
@@ -490,9 +478,6 @@
+#ifndef CONFIG_GRKERNSEC_SYSCTL
+ grsec_lock = 1;
+#endif
-+#ifdef CONFIG_GRKERNSEC_SHM
-+ grsec_enable_shm = 1;
-+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+ grsec_enable_link = 1;
+#endif
@@ -503,9 +488,9 @@
+
+ return;
+}
-diff -urN linux-2.6.16.2/grsecurity/grsec_link.c linux-2.6.16.2-grsec/grsecurity/grsec_link.c
---- linux-2.6.16.2/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_link.c 2006-04-11 19:04:40.258575750 +0200
+diff -urNp linux-2.6.24.5/grsecurity/grsec_link.c linux-2.6.24.5/grsecurity/grsec_link.c
+--- linux-2.6.24.5/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_link.c 2008-03-26 20:21:09.000000000 -0400
@@ -0,0 +1,37 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
@@ -544,10 +529,10 @@
+#endif
+ return 0;
+}
-diff -urN linux-2.6.16.2/grsecurity/grsec_sock.c linux-2.6.16.2-grsec/grsecurity/grsec_sock.c
---- linux-2.6.16.2/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_sock.c 2006-04-11 19:20:18.301199750 +0200
-@@ -0,0 +1,164 @@
+diff -urNp linux-2.6.24.5/grsecurity/grsec_sock.c linux-2.6.24.5/grsecurity/grsec_sock.c
+--- linux-2.6.24.5/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_sock.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,167 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -662,7 +647,7 @@
+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
+ if (newent == NULL)
+ return;
-+
++ /* no bh lock needed since we are called with bh disabled */
+ spin_lock(&gr_conn_table_lock);
+ gr_del_task_from_ip_table_nolock(sig);
+ sig->gr_saddr = inet->rcv_saddr;
@@ -697,25 +682,28 @@
+
+ set = current->signal;
+
-+ spin_lock(&gr_conn_table_lock);
++ spin_lock_bh(&gr_conn_table_lock);
+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
+ inet->dport, inet->sport);
+ if (unlikely(p != NULL)) {
+ set->curr_ip = p->curr_ip;
++ set->used_accept = 1;
+ gr_del_task_from_ip_table_nolock(p);
-+ spin_unlock(&gr_conn_table_lock);
++ spin_unlock_bh(&gr_conn_table_lock);
+ return;
+ }
-+ spin_unlock(&gr_conn_table_lock);
++ spin_unlock_bh(&gr_conn_table_lock);
+
+ set->curr_ip = inet->daddr;
++ set->used_accept = 1;
+#endif
+ return;
+}
-diff -urN linux-2.6.16.2/grsecurity/grsec_sysctl.c linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c
---- linux-2.6.16.2/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c 2006-04-11 19:04:50.363207250 +0200
-@@ -0,0 +1,65 @@
++
+diff -urNp linux-2.6.24.5/grsecurity/grsec_sysctl.c linux-2.6.24.5/grsecurity/grsec_sysctl.c
+--- linux-2.6.24.5/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/grsecurity/grsec_sysctl.c 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,52 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -734,14 +722,11 @@
+}
+
+#if defined(CONFIG_GRKERNSEC_SYSCTL)
-+enum {GS_LINK=1, GS_FIFO, GS_SHM, GS_LOCK};
-+
-+
+ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_LINK
+ {
-+ .ctl_name = GS_LINK,
++ .ctl_name = CTL_UNNUMBERED,
+ .procname = "linking_restrictions",
+ .data = &grsec_enable_link,
+ .maxlen = sizeof(int),
@@ -751,7 +736,7 @@
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+ {
-+ .ctl_name = GS_FIFO,
++ .ctl_name = CTL_UNNUMBERED,
+ .procname = "fifo_restrictions",
+ .data = &grsec_enable_fifo,
+ .maxlen = sizeof(int),
@@ -759,18 +744,8 @@
+ .proc_handler = &proc_dointvec,
+ },
+#endif
-+#ifdef CONFIG_GRKERNSEC_SHM
-+ {
-+ .ctl_name = GS_SHM,
-+ .procname = "destroy_unused_shm",
-+ .data = &grsec_enable_shm,
-+ .maxlen = sizeof(int),
-+ .mode = 0600,
-+ .proc_handler = &proc_dointvec,
-+ },
-+#endif
+ {
-+ .ctl_name = GS_LOCK,
++ .ctl_name = CTL_UNNUMBERED,
+ .procname = "grsec_lock",
+ .data = &grsec_lock,
+ .maxlen = sizeof(int),
@@ -781,10 +756,10 @@
+ { .ctl_name = 0 }
+};
+#endif
-diff -urN linux-2.6.16.2/include/linux/grinternal.h linux-2.6.16.2-grsec/include/linux/grinternal.h
---- linux-2.6.16.2/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/include/linux/grinternal.h 2006-04-11 19:03:34.734480750 +0200
-@@ -0,0 +1,15 @@
+diff -urNp linux-2.6.24.5/include/linux/grinternal.h linux-2.6.24.5/include/linux/grinternal.h
+--- linux-2.6.24.5/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/include/linux/grinternal.h 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,14 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -794,176 +769,75 @@
+
+extern int grsec_enable_link;
+extern int grsec_enable_fifo;
-+extern int grsec_enable_shm;
+extern int grsec_lock;
+
+#endif
+
+#endif
-diff -urN linux-2.6.16.2/include/linux/grsecurity.h linux-2.6.16.2-grsec/include/linux/grsecurity.h
---- linux-2.6.16.2/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.16.2-grsec/include/linux/grsecurity.h 2006-04-11 18:06:03.000000000 +0200
-@@ -0,0 +1,34 @@
+diff -urNp linux-2.6.24.5/include/linux/grsecurity.h linux-2.6.24.5/include/linux/grsecurity.h
+--- linux-2.6.24.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.24.5/include/linux/grsecurity.h 2008-03-26 20:21:09.000000000 -0400
+@@ -0,0 +1,21 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
+#include <linux/binfmts.h>
+
-+extern void gr_del_task_from_ip_table(struct task_struct *p);
++void gr_del_task_from_ip_table(struct task_struct *p);
+
-+extern int gr_handle_follow_link(const struct inode *parent,
++int gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
+ const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+extern int gr_handle_fifo(const struct dentry *dentry,
++int gr_handle_fifo(const struct dentry *dentry,
+ const struct vfsmount *mnt,
+ const struct dentry *dir, const int flag,
+ const int acc_mode);
-+extern int gr_handle_hardlink(const struct dentry *dentry,
++int gr_handle_hardlink(const struct dentry *dentry,
+ const struct vfsmount *mnt,
+ struct inode *inode,
+ const int mode, const char *to);
+
-+#ifdef CONFIG_SYSVIPC
-+extern void gr_shm_exit(struct task_struct *task);
-+#else
-+static inline void gr_shm_exit(struct task_struct *task)
-+{
-+ return;
-+}
+#endif
-+
-+#ifdef CONFIG_GRKERNSEC
-+extern int grsec_enable_shm;
-+#endif
-+
-+#endif
-diff -urNp linux-2.6.16.2/include/linux/sched.h linux-2.6.16.2-grsec/include/linux/sched.h
---- linux-2.6.16.2/include/linux/sched.h 2006-04-07 18:56:47.000000000 +0200
-+++ linux-2.6.16.2-grsec/include/linux/sched.h 2006-04-11 19:14:15.574530750 +0200
-@@ -474,6 +474,13 @@ struct signal_struct {
- spinlock_t stats_lock;
- struct taskstats *stats;
+diff -urNp linux-2.6.24.5/include/linux/sched.h linux-2.6.24.5/include/linux/sched.h
+--- linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:17.000000000 -0400
++++ linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:01.000000000 -0400
+@@ -510,6 +510,15 @@ struct signal_struct {
+ unsigned audit_tty;
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/linux-2.6-grsec-minimal.patch?r1=1.1.2.27&r2=1.1.2.28&f=u
More information about the pld-cvs-commit
mailing list