SOURCES (Titanium): kernel-desktop-grsec-minimal.patch - reverted

shadzik shadzik at pld-linux.org
Mon Mar 30 23:02:20 CEST 2009


Author: shadzik                      Date: Mon Mar 30 21:02:20 2009 GMT
Module: SOURCES                       Tag: Titanium
---- Log message:
- reverted

---- Files affected:
SOURCES:
   kernel-desktop-grsec-minimal.patch (1.8.4.4 -> 1.8.4.5) 

---- Diffs:

================================================================
Index: SOURCES/kernel-desktop-grsec-minimal.patch
diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.4 SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.5
--- SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.4	Mon Mar 30 05:20:14 2009
+++ SOURCES/kernel-desktop-grsec-minimal.patch	Mon Mar 30 23:02:14 2009
@@ -115,6 +115,291 @@
  	error = mnt_want_write(nd.path.mnt);
  	if (error)
  		goto out_dput;
+diff -Nru linux-2.6.29-orig/fs/proc/array.c linux-2.6.29/fs/proc/array.c
+--- linux-2.6.29-orig/fs/proc/array.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/array.c	2009-03-29 23:34:04.450058682 +0200
+@@ -529,3 +529,10 @@
+ 
+ 	return 0;
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char *buffer)
++{
++	return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
++}
++#endif
+diff -Nru linux-2.6.29-orig/fs/proc/base.c linux-2.6.29/fs/proc/base.c
+--- linux-2.6.29-orig/fs/proc/base.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/base.c	2009-03-29 23:42:59.660794909 +0200
+@@ -80,6 +80,7 @@
+ #include <linux/oom.h>
+ #include <linux/elf.h>
+ #include <linux/pid_namespace.h>
++#include <linux/grsecurity.h>
+ #include "internal.h"
+ 
+ /* NOTE:
+@@ -1473,6 +1474,9 @@
+ 	struct inode *inode = dentry->d_inode;
+ 	struct task_struct *task;
+ 	const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *tmp = current_cred();
++#endif
+ 
+ 	generic_fillattr(inode, stat);
+ 
+@@ -1480,12 +1484,29 @@
+ 	stat->uid = 0;
+ 	stat->gid = 0;
+ 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
+-	if (task) {
++	cred = __task_cred(task);
++	if (task
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		&& (!tmp->uid || (tmp->uid == cred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++		|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++		)
++#endif
++	   ) {
+ 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ 		    task_dumpable(task)) {
+-			cred = __task_cred(task);
+ 			stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			stat->gid = cred->egid;
++#endif
+ 		}
+ 	}
+ 	rcu_read_unlock();
+@@ -1517,11 +1538,20 @@
+ 
+ 	if (task) {
+ 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ 		    task_dumpable(task)) {
+ 			rcu_read_lock();
+ 			cred = __task_cred(task);
+ 			inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			inode->i_gid = cred->egid;
++#endif
+ 			rcu_read_unlock();
+ 		} else {
+ 			inode->i_uid = 0;
+@@ -1894,12 +1924,19 @@
+ static int proc_fd_permission(struct inode *inode, int mask)
+ {
+ 	int rv;
++	struct task_struct *task;
+ 
+ 	rv = generic_permission(inode, mask, NULL);
+-	if (rv == 0)
+-		return 0;
++
+ 	if (task_pid(current) == proc_pid(inode))
+ 		rv = 0;
++
++	task = get_proc_task(inode);
++	if (task == NULL)
++		return rv;
++
++	put_task_struct(task);
++
+ 	return rv;
+ }
+ 
+@@ -2685,7 +2722,14 @@
+ 	if (!inode)
+ 		goto out;
+ 
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+ 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ 	inode->i_op = &proc_tgid_base_inode_operations;
+ 	inode->i_fop = &proc_tgid_base_operations;
+ 	inode->i_flags|=S_IMMUTABLE;
+@@ -2792,6 +2836,10 @@
+ {
+ 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *tmp = current_cred();
++	const struct cred *itercred;
++#endif
+ 	struct tgid_iter iter;
+ 	struct pid_namespace *ns;
+ 
+@@ -2810,6 +2858,18 @@
+ 	for (iter = next_tgid(ns, iter);
+ 	     iter.task;
+ 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	itercred = __task_cred(iter.task);
++#endif
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (tmp->uid && (itercred->uid != tmp->uid)
++			#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++			#endif
++	)
++#endif
++		continue;
++
+ 		filp->f_pos = iter.tgid + TGID_OFFSET;
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ 			put_task_struct(iter.task);
+@@ -2891,6 +2951,9 @@
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ 	INF("io",	S_IRUGO, proc_tid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++	INF("ipaddr",	  S_IRUSR, proc_pid_ipaddr),
++#endif
+ };
+ 
+ static int proc_tid_base_readdir(struct file * filp,
+diff -Nru linux-2.6.29-orig/fs/proc/cmdline.c linux-2.6.29/fs/proc/cmdline.c
+--- linux-2.6.29-orig/fs/proc/cmdline.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/cmdline.c	2009-03-29 23:34:04.452349599 +0200
+@@ -23,7 +23,15 @@
+ 
+ static int __init proc_cmdline_init(void)
+ {
+-	proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
++	int gr_mode = 0;
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	gr_mode = S_IRUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	gr_mode = S_IRUSR | S_IRGRP;
++#endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++	proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops);
++#endif
+ 	return 0;
+ }
+ module_init(proc_cmdline_init);
+diff -Nru linux-2.6.29-orig/fs/proc/devices.c linux-2.6.29/fs/proc/devices.c
+--- linux-2.6.29-orig/fs/proc/devices.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/devices.c	2009-03-29 23:34:04.452349599 +0200
+@@ -64,7 +64,13 @@
+ 
+ static int __init proc_devices_init(void)
+ {
+-	proc_create("devices", 0, NULL, &proc_devinfo_operations);
++	int gr_mode = 0;
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	gr_mode = S_IRUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	gr_mode = S_IRUSR | S_IRGRP;
++#endif
++	proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
+ 	return 0;
+ }
+ module_init(proc_devices_init);
+diff -Nru linux-2.6.29-orig/fs/proc/inode.c linux-2.6.29/fs/proc/inode.c
+--- linux-2.6.29-orig/fs/proc/inode.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/inode.c	2009-03-29 23:34:04.452349599 +0200
+@@ -463,7 +463,11 @@
+ 		if (de->mode) {
+ 			inode->i_mode = de->mode;
+ 			inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			inode->i_gid = de->gid;
++#endif
+ 		}
+ 		if (de->size)
+ 			inode->i_size = de->size;
+diff -Nru linux-2.6.29-orig/fs/proc/internal.h linux-2.6.29/fs/proc/internal.h
+--- linux-2.6.29-orig/fs/proc/internal.h	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/internal.h	2009-03-29 23:34:04.452349599 +0200
+@@ -51,6 +51,9 @@
+ 				struct pid *pid, struct task_struct *task);
+ extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ 				struct pid *pid, struct task_struct *task);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
++#endif
+ extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+ 
+ extern const struct file_operations proc_maps_operations;
+diff -Nru linux-2.6.29-orig/fs/proc/Kconfig linux-2.6.29/fs/proc/Kconfig
+--- linux-2.6.29-orig/fs/proc/Kconfig	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/Kconfig	2009-03-29 23:34:04.452349599 +0200
+@@ -30,12 +30,12 @@
+ 
+ config PROC_KCORE
+ 	bool "/proc/kcore support" if !ARM
+-	depends on PROC_FS && MMU
++	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+ 
+ config PROC_VMCORE
+         bool "/proc/vmcore support (EXPERIMENTAL)"
+-        depends on PROC_FS && CRASH_DUMP
+-	default y
++        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++	default n
+         help
+         Exports the dump image of crashed kernel in ELF format.
+ 
+diff -Nru linux-2.6.29-orig/fs/proc/kcore.c linux-2.6.29/fs/proc/kcore.c
+--- linux-2.6.29-orig/fs/proc/kcore.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/kcore.c	2009-03-29 23:34:04.452349599 +0200
+@@ -404,10 +404,12 @@
+ 
+ static int __init proc_kcore_init(void)
+ {
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ 	proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
+ 	if (proc_root_kcore)
+ 		proc_root_kcore->size =
+ 				(size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
++#endif
+ 	return 0;
+ }
+ module_init(proc_kcore_init);
+diff -Nru linux-2.6.29-orig/fs/proc/root.c linux-2.6.29/fs/proc/root.c
+--- linux-2.6.29-orig/fs/proc/root.c	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/fs/proc/root.c	2009-03-29 23:34:04.452349599 +0200
+@@ -134,7 +134,15 @@
+ #ifdef CONFIG_PROC_DEVICETREE
+ 	proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++#endif
++#else
+ 	proc_mkdir("bus", NULL);
++#endif
+ 	proc_sys_init();
+ }
+ 
 diff -Nru linux-2.6.29-orig/grsecurity/grsec_disabled.c linux-2.6.29/grsecurity/grsec_disabled.c
 --- linux-2.6.29-orig/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
 +++ linux-2.6.29/grsecurity/grsec_disabled.c	2009-03-29 23:34:04.452349599 +0200
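Review bot: The added `cred = __task_cred(task);` in the getattr hunk (`@@ -1480,12 +1484,29 @@`) now runs before the `if (task …)` test, so when `pid_task()` returns NULL (the task has already exited) the task pointer is dereferenced — as far as I recall `__task_cred()` reads `task->real_cred` — which is a kernel NULL-pointer dereference on a plain stat() of a /proc/<pid> entry; the enclosing function's signature is outside the hunk. Keep the lookup guarded, e.g. `cred = task ? __task_cred(task) : NULL;`, which still lets the `tmp->uid == cred->uid` comparison inside the condition work since it is only evaluated when `task` is non-NULL. Two further points in the same hunk: in the `proc_pid_readdir` loop (`@@ -2810,6 +2858,18 @@`) the `continue;` sits after the `#endif`, so with neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP set every iteration is skipped and /proc lists no processes at all — move `#endif` to after the `continue;`. And in `proc_cmdline_init` the `proc_create("cmdline", …)` call is wrapped in `#ifdef CONFIG_GRKERNSEC_PROC_ADD` with no `#else`, so builds without that option silently lose /proc/cmdline, unlike the `devices` counterpart in the same hunk which always creates its entry; add `#else` / `proc_create("cmdline", 0, NULL, &cmdline_proc_fops);` before the `#endif`.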
@@ -885,560 +1170,3 @@
  config KEYS
  	bool "Enable access key retention support"
  	help
-diff -urNp linux-2.6.29/fs/proc/array.c linux-2.6.29/fs/proc/array.c
---- linux-2.6.29/fs/proc/array.c	2009-03-23 19:12:14.000000000 -0400
-+++ linux-2.6.29/fs/proc/array.c	2009-03-28 14:26:20.000000000 -0400
-@@ -320,6 +320,21 @@ static inline void task_context_switch_c
- 			p->nivcsw);
- }
- 
-+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
-+static inline void task_pax(struct seq_file *m, struct task_struct *p)
-+{
-+	if (p->mm)
-+		seq_printf(m, "PaX:\t%c%c%c%c%c\n",
-+			   p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
-+			   p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
-+			   p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
-+			   p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
-+			   p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
-+	else
-+		seq_printf(m, "PaX:\t-----\n");
-+}
-+#endif
-+
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
- 			struct pid *pid, struct task_struct *task)
- {
-@@ -339,9 +354,20 @@ int proc_pid_status(struct seq_file *m, 
- 	task_show_regs(m, task);
- #endif
- 	task_context_switch_counts(m, task);
-+
-+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
-+	task_pax(m, task);
-+#endif
-+
- 	return 0;
- }
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
-+			     (_mm->pax_flags & MF_PAX_RANDMMAP || \
-+			      _mm->pax_flags & MF_PAX_SEGMEXEC))
-+#endif
-+
- static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
- 			struct pid *pid, struct task_struct *task, int whole)
- {
-@@ -434,6 +460,19 @@ static int do_task_stat(struct seq_file 
- 		gtime = task_gtime(task);
- 	}
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+	if (PAX_RAND_FLAGS(mm)) {
-+		eip = 0;
-+		esp = 0;
-+		wchan = 0;
-+	}
-+#endif
-+#ifdef CONFIG_GRKERNSEC_HIDESYM
-+	wchan = 0;
-+	eip =0;
-+	esp =0;
-+#endif
-+
- 	/* scale priority and nice values from timeslices to -20..20 */
- 	/* to make it look like a "normal" Unix priority/nice value  */
- 	priority = task_prio(task);
-@@ -474,9 +513,15 @@ static int do_task_stat(struct seq_file 
- 		vsize,
- 		mm ? get_mm_rss(mm) : 0,
- 		rsslim,
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+		PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
-+		PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
-+		PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
-+#else
- 		mm ? mm->start_code : 0,
- 		mm ? mm->end_code : 0,
- 		mm ? mm->start_stack : 0,
-+#endif
- 		esp,
- 		eip,
- 		/* The signal information here is obsolete.
-@@ -529,3 +574,10 @@ int proc_pid_statm(struct seq_file *m, s
- 
- 	return 0;
- }
-+
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
-+{
-+	return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
-+}
-+#endif
-diff -urNp linux-2.6.29/fs/proc/base.c linux-2.6.29/fs/proc/base.c
---- linux-2.6.29/fs/proc/base.c	2009-03-23 19:12:14.000000000 -0400
-+++ linux-2.6.29/fs/proc/base.c	2009-03-28 14:26:20.000000000 -0400
-@@ -225,6 +225,9 @@
- 	if (task == current)
- 		return 0;
- 
-+	if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
-+		return -EPERM;
-+
- 	/*
- 	 * If current is actively ptrace'ing, and would also be
- 	 * permitted to freshly attach with ptrace now, permit it.
-@@ -302,12 +305,26 @@
- 	return res;
- }
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
-+			     (_mm->pax_flags & MF_PAX_RANDMMAP || \
-+			      _mm->pax_flags & MF_PAX_SEGMEXEC))
-+#endif
-+
- static int proc_pid_auxv(struct task_struct *task, char *buffer)
- {
- 	int res = 0;
- 	struct mm_struct *mm = get_task_mm(task);
- 	if (mm) {
- 		unsigned int nwords = 0;
-+
-+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
-+		if (PAX_RAND_FLAGS(mm)) {
-+			mmput(mm);
-+			return res;
-+		}
-+#endif
-+
- 		do {
- 			nwords += 2;
- 		} while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
-@@ -533,7 +550,7 @@
- 	return count;
- }
- 
--#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
- static int proc_pid_syscall(struct task_struct *task, char *buffer)
- {
- 	long nr;
-@@ -1457,7 +1474,11 @@
- 		rcu_read_lock();
- 		cred = __task_cred(task);
- 		inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- 		inode->i_gid = cred->egid;
-+#endif
- 		rcu_read_unlock();
- 	}
- 	/* procfs is xid tagged */
-@@ -1477,6 +1498,9 @@
- 	struct inode *inode = dentry->d_inode;
- 	struct task_struct *task;
- 	const struct cred *cred;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	const struct cred *tmpcred = current_cred();
-+#endif
- 
- 	generic_fillattr(inode, stat);
- 
-@@ -1484,12 +1508,34 @@
- 	stat->uid = 0;
- 	stat->gid = 0;
- 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
-+
-+	if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
-+		rcu_read_unlock();
-+		return -ENOENT;
-+	}
-+
- 	if (task) {
-+		cred = __task_cred(task);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		if (!tmpcred->uid || (tmpcred->uid == cred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		    || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+		)
-+#endif
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- 		    task_dumpable(task)) {
--			cred = __task_cred(task);
- 			stat->uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- 			stat->gid = cred->egid;
-+#endif
- 		}
- 	}
- 	rcu_read_unlock();
-@@ -1521,11 +1567,20 @@
- 
- 	if (task) {
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- 		    task_dumpable(task)) {
- 			rcu_read_lock();
- 			cred = __task_cred(task);
- 			inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- 			inode->i_gid = cred->egid;
-+#endif
- 			rcu_read_unlock();
- 		} else {
- 			inode->i_uid = 0;
-@@ -1898,12 +1953,22 @@
- static int proc_fd_permission(struct inode *inode, int mask)
- {
- 	int rv;
-+	struct task_struct *task;
- 
- 	rv = generic_permission(inode, mask, NULL);
--	if (rv == 0)
--		return 0;
-+
- 	if (task_pid(current) == proc_pid(inode))
- 		rv = 0;
-+
-+	task = get_proc_task(inode);
-+	if (task == NULL)
-+		return rv;
-+
-+	if (gr_acl_handle_procpidmem(task))
-+		rv = -EACCES;
-+
-+	put_task_struct(task);
-+
- 	return rv;
- }
- 
-@@ -2019,6 +2084,9 @@
- 		!memcmp(dentry->d_name.name, "ninfo", 5)))
- 		goto out;
- 
-+	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
-+		goto out;
-+
- 	/*
- 	 * Yes, it does not scale. And it should not. Don't add
- 	 * new entries into /proc/<tgid>/ without very good reasons.
-@@ -2063,6 +2131,9 @@
- 	if (!task)
- 		goto out_no_task;
- 
-+	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
-+		goto out;
-+
- 	ret = 0;
- 	i = filp->f_pos;
- 	switch (i) {
-@@ -2423,6 +2494,9 @@
- 	if (p > last)
- 		goto out;
- 
-+	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
-+		goto out;
-+
- 	error = proc_base_instantiate(dir, dentry, task, p);
- 
- out:
-@@ -2512,7 +2586,7 @@
- #ifdef CONFIG_SCHED_DEBUG
- 	REG("sched",      S_IRUGO|S_IWUSR, proc_pid_sched_operations),
- #endif
--#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
- 	INF("syscall",    S_IRUSR, proc_pid_syscall),
- #endif
- 	INF("cmdline",    S_IRUGO, proc_pid_cmdline),
-@@ -2702,7 +2776,14 @@
- 	if (!inode)
- 		goto out;
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8.4.4&r2=1.8.4.5&f=u


