SOURCES (Titanium): kernel-desktop-grsec-minimal.patch - try to fix /proc i...
shadzik
shadzik at pld-linux.org
Mon Mar 30 05:20:20 CEST 2009
Author: shadzik Date: Mon Mar 30 03:20:20 2009 GMT
Module: SOURCES Tag: Titanium
---- Log message:
- try to fix /proc issues
---- Files affected:
SOURCES:
kernel-desktop-grsec-minimal.patch (1.8.4.3 -> 1.8.4.4)
---- Diffs:
================================================================
Index: SOURCES/kernel-desktop-grsec-minimal.patch
diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.3 SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.4
--- SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.3 Sun Mar 29 23:44:42 2009
+++ SOURCES/kernel-desktop-grsec-minimal.patch Mon Mar 30 05:20:14 2009
@@ -115,291 +115,6 @@
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-diff -Nru linux-2.6.29-orig/fs/proc/array.c linux-2.6.29/fs/proc/array.c
---- linux-2.6.29-orig/fs/proc/array.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/array.c 2009-03-29 23:34:04.450058682 +0200
-@@ -529,3 +529,10 @@
-
- return 0;
- }
-+
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
-+{
-+ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
-+}
-+#endif
-diff -Nru linux-2.6.29-orig/fs/proc/base.c linux-2.6.29/fs/proc/base.c
---- linux-2.6.29-orig/fs/proc/base.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/base.c 2009-03-29 23:42:59.660794909 +0200
-@@ -80,6 +80,7 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
- #include <linux/pid_namespace.h>
-+#include <linux/grsecurity.h>
- #include "internal.h"
-
- /* NOTE:
-@@ -1473,6 +1474,9 @@
- struct inode *inode = dentry->d_inode;
- struct task_struct *task;
- const struct cred *cred;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmp = current_cred();
-+#endif
-
- generic_fillattr(inode, stat);
-
-@@ -1480,12 +1484,29 @@
- stat->uid = 0;
- stat->gid = 0;
- task = pid_task(proc_pid(inode), PIDTYPE_PID);
-- if (task) {
-+ cred = __task_cred(task);
-+ if (task
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ && (!tmp->uid || (tmp->uid == cred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+#endif
-+ ) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
-- cred = __task_cred(task);
- stat->uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- stat->gid = cred->egid;
-+#endif
- }
- }
- rcu_read_unlock();
-@@ -1517,11 +1538,20 @@
-
- if (task) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
- rcu_read_lock();
- cred = __task_cred(task);
- inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = cred->egid;
-+#endif
- rcu_read_unlock();
- } else {
- inode->i_uid = 0;
-@@ -1894,12 +1924,19 @@
- static int proc_fd_permission(struct inode *inode, int mask)
- {
- int rv;
-+ struct task_struct *task;
-
- rv = generic_permission(inode, mask, NULL);
-- if (rv == 0)
-- return 0;
-+
- if (task_pid(current) == proc_pid(inode))
- rv = 0;
-+
-+ task = get_proc_task(inode);
-+ if (task == NULL)
-+ return rv;
-+
-+ put_task_struct(task);
-+
- return rv;
- }
-
-@@ -2685,7 +2722,14 @@
- if (!inode)
- goto out;
-
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- inode->i_op = &proc_tgid_base_inode_operations;
- inode->i_fop = &proc_tgid_base_operations;
- inode->i_flags|=S_IMMUTABLE;
-@@ -2792,6 +2836,10 @@
- {
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmp = current_cred();
-+ const struct cred *itercred;
-+#endif
- struct tgid_iter iter;
- struct pid_namespace *ns;
-
-@@ -2810,6 +2858,18 @@
- for (iter = next_tgid(ns, iter);
- iter.task;
- iter.tgid += 1, iter = next_tgid(ns, iter)) {
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ itercred = __task_cred(iter.task);
-+#endif
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (tmp->uid && (itercred->uid != tmp->uid)
-+ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+ #endif
-+ )
-+#endif
-+ continue;
-+
- filp->f_pos = iter.tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
-@@ -2891,6 +2951,9 @@
- #ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tid_io_accounting),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
-+#endif
- };
-
- static int proc_tid_base_readdir(struct file * filp,
-diff -Nru linux-2.6.29-orig/fs/proc/cmdline.c linux-2.6.29/fs/proc/cmdline.c
---- linux-2.6.29-orig/fs/proc/cmdline.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/cmdline.c 2009-03-29 23:34:04.452349599 +0200
-@@ -23,7 +23,15 @@
-
- static int __init proc_cmdline_init(void)
- {
-- proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
-+ int gr_mode = 0;
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ gr_mode = S_IRUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ gr_mode = S_IRUSR | S_IRGRP;
-+#endif
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops);
-+#endif
- return 0;
- }
- module_init(proc_cmdline_init);
-diff -Nru linux-2.6.29-orig/fs/proc/devices.c linux-2.6.29/fs/proc/devices.c
---- linux-2.6.29-orig/fs/proc/devices.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/devices.c 2009-03-29 23:34:04.452349599 +0200
-@@ -64,7 +64,13 @@
-
- static int __init proc_devices_init(void)
- {
-- proc_create("devices", 0, NULL, &proc_devinfo_operations);
-+ int gr_mode = 0;
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ gr_mode = S_IRUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ gr_mode = S_IRUSR | S_IRGRP;
-+#endif
-+ proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
- return 0;
- }
- module_init(proc_devices_init);
-diff -Nru linux-2.6.29-orig/fs/proc/inode.c linux-2.6.29/fs/proc/inode.c
---- linux-2.6.29-orig/fs/proc/inode.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/inode.c 2009-03-29 23:34:04.452349599 +0200
-@@ -463,7 +463,11 @@
- if (de->mode) {
- inode->i_mode = de->mode;
- inode->i_uid = de->uid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = de->gid;
-+#endif
- }
- if (de->size)
- inode->i_size = de->size;
-diff -Nru linux-2.6.29-orig/fs/proc/internal.h linux-2.6.29/fs/proc/internal.h
---- linux-2.6.29-orig/fs/proc/internal.h 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/internal.h 2009-03-29 23:34:04.452349599 +0200
-@@ -51,6 +51,9 @@
- struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
- struct pid *pid, struct task_struct *task);
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
-+#endif
- extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
-
- extern const struct file_operations proc_maps_operations;
-diff -Nru linux-2.6.29-orig/fs/proc/Kconfig linux-2.6.29/fs/proc/Kconfig
---- linux-2.6.29-orig/fs/proc/Kconfig 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/Kconfig 2009-03-29 23:34:04.452349599 +0200
-@@ -30,12 +30,12 @@
-
- config PROC_KCORE
- bool "/proc/kcore support" if !ARM
-- depends on PROC_FS && MMU
-+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
-
- config PROC_VMCORE
- bool "/proc/vmcore support (EXPERIMENTAL)"
-- depends on PROC_FS && CRASH_DUMP
-- default y
-+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
-+ default n
- help
- Exports the dump image of crashed kernel in ELF format.
-
-diff -Nru linux-2.6.29-orig/fs/proc/kcore.c linux-2.6.29/fs/proc/kcore.c
---- linux-2.6.29-orig/fs/proc/kcore.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/kcore.c 2009-03-29 23:34:04.452349599 +0200
-@@ -404,10 +404,12 @@
-
- static int __init proc_kcore_init(void)
- {
-+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
- proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
- if (proc_root_kcore)
- proc_root_kcore->size =
- (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
-+#endif
- return 0;
- }
- module_init(proc_kcore_init);
-diff -Nru linux-2.6.29-orig/fs/proc/root.c linux-2.6.29/fs/proc/root.c
---- linux-2.6.29-orig/fs/proc/root.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/root.c 2009-03-29 23:34:04.452349599 +0200
-@@ -134,7 +134,15 @@
- #ifdef CONFIG_PROC_DEVICETREE
- proc_device_tree_init();
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#endif
-+#else
- proc_mkdir("bus", NULL);
-+#endif
- proc_sys_init();
- }
-
diff -Nru linux-2.6.29-orig/grsecurity/grsec_disabled.c linux-2.6.29/grsecurity/grsec_disabled.c
--- linux-2.6.29-orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.29/grsecurity/grsec_disabled.c 2009-03-29 23:34:04.452349599 +0200
@@ -1170,3 +885,560 @@
config KEYS
bool "Enable access key retention support"
help
+diff -urNp linux-2.6.29/fs/proc/array.c linux-2.6.29/fs/proc/array.c
+--- linux-2.6.29/fs/proc/array.c 2009-03-23 19:12:14.000000000 -0400
++++ linux-2.6.29/fs/proc/array.c 2009-03-28 14:26:20.000000000 -0400
+@@ -320,6 +320,21 @@ static inline void task_context_switch_c
+ p->nivcsw);
+ }
+
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++static inline void task_pax(struct seq_file *m, struct task_struct *p)
++{
++ if (p->mm)
++ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
++ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
++ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
++ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
++ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
++ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
++ else
++ seq_printf(m, "PaX:\t-----\n");
++}
++#endif
++
+ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+ {
+@@ -339,9 +354,20 @@ int proc_pid_status(struct seq_file *m,
+ task_show_regs(m, task);
+ #endif
+ task_context_switch_counts(m, task);
++
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++ task_pax(m, task);
++#endif
++
+ return 0;
+ }
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
++ _mm->pax_flags & MF_PAX_SEGMEXEC))
++#endif
++
+ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task, int whole)
+ {
+@@ -434,6 +460,19 @@ static int do_task_stat(struct seq_file
+ gtime = task_gtime(task);
+ }
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ if (PAX_RAND_FLAGS(mm)) {
++ eip = 0;
++ esp = 0;
++ wchan = 0;
++ }
++#endif
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ wchan = 0;
++ eip =0;
++ esp =0;
++#endif
++
+ /* scale priority and nice values from timeslices to -20..20 */
+ /* to make it look like a "normal" Unix priority/nice value */
+ priority = task_prio(task);
+@@ -474,9 +513,15 @@ static int do_task_stat(struct seq_file
+ vsize,
+ mm ? get_mm_rss(mm) : 0,
+ rsslim,
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
++ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
++#else
+ mm ? mm->start_code : 0,
+ mm ? mm->end_code : 0,
+ mm ? mm->start_stack : 0,
++#endif
+ esp,
+ eip,
+ /* The signal information here is obsolete.
+@@ -529,3 +574,10 @@ int proc_pid_statm(struct seq_file *m, s
+
+ return 0;
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char *buffer)
++{
++ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
++}
++#endif
+diff -urNp linux-2.6.29/fs/proc/base.c linux-2.6.29/fs/proc/base.c
+--- linux-2.6.29/fs/proc/base.c 2009-03-23 19:12:14.000000000 -0400
++++ linux-2.6.29/fs/proc/base.c 2009-03-28 14:26:20.000000000 -0400
+@@ -225,6 +225,9 @@
+ if (task == current)
+ return 0;
+
++ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
++ return -EPERM;
++
+ /*
+ * If current is actively ptrace'ing, and would also be
+ * permitted to freshly attach with ptrace now, permit it.
+@@ -302,12 +305,26 @@
+ return res;
+ }
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
++ _mm->pax_flags & MF_PAX_SEGMEXEC))
++#endif
++
+ static int proc_pid_auxv(struct task_struct *task, char *buffer)
+ {
+ int res = 0;
+ struct mm_struct *mm = get_task_mm(task);
+ if (mm) {
+ unsigned int nwords = 0;
++
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ if (PAX_RAND_FLAGS(mm)) {
++ mmput(mm);
++ return res;
++ }
++#endif
++
+ do {
+ nwords += 2;
+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
+@@ -533,7 +550,7 @@
+ return count;
+ }
+
+-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
++#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
+ static int proc_pid_syscall(struct task_struct *task, char *buffer)
+ {
+ long nr;
+@@ -1457,7 +1474,11 @@
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
++#endif
+ rcu_read_unlock();
+ }
+ /* procfs is xid tagged */
+@@ -1477,6 +1498,9 @@
+ struct inode *inode = dentry->d_inode;
+ struct task_struct *task;
+ const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *tmpcred = current_cred();
++#endif
+
+ generic_fillattr(inode, stat);
+
+@@ -1484,12 +1508,34 @@
+ stat->uid = 0;
+ stat->gid = 0;
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
++
++ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
++ rcu_read_unlock();
++ return -ENOENT;
++ }
++
+ if (task) {
++ cred = __task_cred(task);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++#endif
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+- cred = __task_cred(task);
+ stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ stat->gid = cred->egid;
++#endif
+ }
+ }
+ rcu_read_unlock();
+@@ -1521,11 +1567,20 @@
+
+ if (task) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
++#endif
+ rcu_read_unlock();
+ } else {
+ inode->i_uid = 0;
+@@ -1898,12 +1953,22 @@
+ static int proc_fd_permission(struct inode *inode, int mask)
+ {
+ int rv;
++ struct task_struct *task;
+
+ rv = generic_permission(inode, mask, NULL);
+- if (rv == 0)
+- return 0;
++
+ if (task_pid(current) == proc_pid(inode))
+ rv = 0;
++
++ task = get_proc_task(inode);
++ if (task == NULL)
++ return rv;
++
++ if (gr_acl_handle_procpidmem(task))
++ rv = -EACCES;
++
++ put_task_struct(task);
++
+ return rv;
+ }
+
+@@ -2019,6 +2084,9 @@
+ !memcmp(dentry->d_name.name, "ninfo", 5)))
+ goto out;
+
++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
++ goto out;
++
+ /*
+ * Yes, it does not scale. And it should not. Don't add
+ * new entries into /proc/<tgid>/ without very good reasons.
+@@ -2063,6 +2131,9 @@
+ if (!task)
+ goto out_no_task;
+
++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
++ goto out;
++
+ ret = 0;
+ i = filp->f_pos;
+ switch (i) {
+@@ -2423,6 +2494,9 @@
+ if (p > last)
+ goto out;
+
++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
++ goto out;
++
+ error = proc_base_instantiate(dir, dentry, task, p);
+
+ out:
+@@ -2512,7 +2586,7 @@
+ #ifdef CONFIG_SCHED_DEBUG
+ REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
+ #endif
+-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
++#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
+ INF("syscall", S_IRUSR, proc_pid_syscall),
+ #endif
+ INF("cmdline", S_IRUGO, proc_pid_cmdline),
+@@ -2702,7 +2776,14 @@
+ if (!inode)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8.4.3&r2=1.8.4.4&f=u