SOURCES (LINUX_2_6): kernel-grsec_fixes.patch - CAP_DAC_ better pr...
zbyniu
zbyniu at pld-linux.org
Wed May 7 13:15:36 CEST 2008
Author: zbyniu Date: Wed May 7 11:15:36 2008 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- CAP_DAC_ better precision
---- Files affected:
SOURCES:
kernel-grsec_fixes.patch (1.1.4.5 -> 1.1.4.6)
---- Diffs:
================================================================
Index: SOURCES/kernel-grsec_fixes.patch
diff -u SOURCES/kernel-grsec_fixes.patch:1.1.4.5 SOURCES/kernel-grsec_fixes.patch:1.1.4.6
--- SOURCES/kernel-grsec_fixes.patch:1.1.4.5 Thu Apr 17 03:31:00 2008
+++ SOURCES/kernel-grsec_fixes.patch Wed May 7 13:15:31 2008
@@ -1,9 +1,10 @@
netlink
no-stack-protector
+cap_dac*
diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
-@@ -110,3 +110,17 @@ gr_is_capable_nolog(const int cap)
+@@ -110,3 +110,20 @@ gr_is_capable_nolog(const int cap)
return 0;
}
@@ -13,11 +14,14 @@
+ struct task_struct *p;
+
+ if (gr_acl_is_enabled()) {
-+ rcu_read_lock();
++ read_lock(&tasklist_lock);
+ p = find_task_by_pid(pid);
-+ if (p)
++ if (p) {
++ task_lock(p);
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
-+ rcu_read_unlock();
++ task_unlock(p);
++ }
++ read_unlock(&tasklist_lock);
+ }
+ return;
+}
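Review bot: task_lock(p) is a spinlock taken around gr_log_cap() while tasklist_lock is also read-held, so gr_log_cap() must be non-blocking and must not take task_lock itself; whether that holds is not visible from this hunk, so please confirm it. The reason for replacing rcu_read_lock() with read_lock(&tasklist_lock) plus task_lock(p) is stated nowhere; a comment on the lock line such as `/* tasklist_lock keeps p valid across find_task_by_pid(); task_lock(p) holds p's fields stable while gr_log_cap() reads them - must not sleep */` would help the next reader. The enclosing function and the origin of `pid` are above the hunk.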
@@ -92,6 +96,87 @@
}
===
+=== cap_dac_ succession with capable_nolog
+===
+diff -upr a/fs./namei.c a/fs/namei.c
+--- a/fs./namei.c 2008-04-05 01:23:49.741310000 +0200
++++ a/fs/namei.c 2008-04-05 14:36:39.350275977 +0200
+@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
+
+ check_capabilities:
+ /*
++ * Searching includes executable on directories, else just read.
++ */
++ if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
++ if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
++ return 0;
++
++ /*
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable if at least one exec bit is set.
+ */
+@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
+ if (capable(CAP_DAC_OVERRIDE))
+ return 0;
+
+- /*
+- * Searching includes executable on directories, else just read.
+- */
+- if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+- if (capable(CAP_DAC_READ_SEARCH))
+- return 0;
+-
+ return -EACCES;
+ }
+
+@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
+ if (mode & MAY_EXEC)
+ goto ok;
+
+- if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
++ if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
+ goto ok;
+
+- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
++ if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
+ goto ok;
+
+- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
++ if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
+ goto ok;
+
+ return -EACCES;
+Tylko w fs: namei.c~
+diff -upr a/fs./xfs/xfs_inode.c a/fs/xfs/xfs_inode.c
+--- a/fs./xfs/xfs_inode.c 2008-04-05 01:23:48.241413000 +0200
++++ a/fs/xfs/xfs_inode.c 2008-04-05 14:55:58.270625942 +0200
+@@ -3663,20 +3663,16 @@ xfs_iaccess(
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable if at least one exec bit is set.
+ */
++ if ((orgmode == S_IRUSR) ||
++ (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR))))
++ if (capable_nolog(CAP_DAC_OVERRIDE) || capable_cred(cr, CAP_DAC_READ_SEARCH))
++ return 0;
++
+ if (!(orgmode & S_IXUSR) ||
+ (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode))
+ if (capable_cred(cr, CAP_DAC_OVERRIDE))
+ return 0;
+
+- if ((orgmode == S_IRUSR) ||
+- (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR)))) {
+- if (capable_cred(cr, CAP_DAC_READ_SEARCH))
+- return 0;
+-#ifdef NOISE
+- cmn_err(CE_NOTE, "Ick: mode=%o, orgmode=%o", mode, orgmode);
+-#endif /* NOISE */
+- return XFS_ERROR(EACCES);
+- }
+ return XFS_ERROR(EACCES);
+ }
+
+===
=== check if -fno-stack-protector is accessible
===
--- linux-2.6.24/arch/x86/kernel/Makefile_64~ 2008-04-16 21:15:48.278373002 +0000
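Review bot: In the xfs_iaccess() part of the embedded patch, the new condition `if (capable_nolog(CAP_DAC_OVERRIDE) || capable_cred(cr, CAP_DAC_READ_SEARCH))` mixes a check on the current task with a check on the passed `cr`; if capable_cred() treats a non-NULL `cr` differently from plain capable(), the two halves of that condition consult different credentials, whereas the surrounding code uses capable_cred(cr, ...) throughout. Either add a cred-taking nolog variant for that line or note in a comment why ignoring `cr` is acceptable there. Separately, the embedded patch carries a stray `Tylko w fs: namei.c~` ("Only in") line and `a/fs./...` old-side paths from diffing against a backup tree; patch(1) ignores them, but they are noise worth dropping before the file grows further. The generic_permission() and exec_permission_lite() bodies continue outside the quoted hunks.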
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-grsec_fixes.patch?r1=1.1.4.5&r2=1.1.4.6&f=u