packages (Titanium): kernel-desktop/kernel-desktop-grsec-minimal.patch - up...
shadzik
shadzik at pld-linux.org
Thu Jun 25 11:26:35 CEST 2009
Author: shadzik Date: Thu Jun 25 09:26:35 2009 GMT
Module: packages Tag: Titanium
---- Log message:
- updated for 2.6.30
---- Files affected:
packages/kernel-desktop:
kernel-desktop-grsec-minimal.patch (1.8.4.5 -> 1.8.4.6)
---- Diffs:
================================================================
Index: packages/kernel-desktop/kernel-desktop-grsec-minimal.patch
diff -u packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.5 packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.6
--- packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.5 Mon Mar 30 23:02:14 2009
+++ packages/kernel-desktop/kernel-desktop-grsec-minimal.patch Thu Jun 25 11:26:29 2009
@@ -129,157 +129,6 @@
+ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+}
+#endif
-diff -Nru linux-2.6.29-orig/fs/proc/base.c linux-2.6.29/fs/proc/base.c
---- linux-2.6.29-orig/fs/proc/base.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/base.c 2009-03-29 23:42:59.660794909 +0200
-@@ -80,6 +80,7 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
- #include <linux/pid_namespace.h>
-+#include <linux/grsecurity.h>
- #include "internal.h"
-
- /* NOTE:
-@@ -1473,6 +1474,9 @@
- struct inode *inode = dentry->d_inode;
- struct task_struct *task;
- const struct cred *cred;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmp = current_cred();
-+#endif
-
- generic_fillattr(inode, stat);
-
-@@ -1480,12 +1484,29 @@
- stat->uid = 0;
- stat->gid = 0;
- task = pid_task(proc_pid(inode), PIDTYPE_PID);
-- if (task) {
-+ cred = __task_cred(task);
-+ if (task
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ && (!tmp->uid || (tmp->uid == cred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+#endif
-+ ) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
-- cred = __task_cred(task);
- stat->uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- stat->gid = cred->egid;
-+#endif
- }
- }
- rcu_read_unlock();
-@@ -1517,11 +1538,20 @@
-
- if (task) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
- rcu_read_lock();
- cred = __task_cred(task);
- inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = cred->egid;
-+#endif
- rcu_read_unlock();
- } else {
- inode->i_uid = 0;
-@@ -1894,12 +1924,19 @@
- static int proc_fd_permission(struct inode *inode, int mask)
- {
- int rv;
-+ struct task_struct *task;
-
- rv = generic_permission(inode, mask, NULL);
-- if (rv == 0)
-- return 0;
-+
- if (task_pid(current) == proc_pid(inode))
- rv = 0;
-+
-+ task = get_proc_task(inode);
-+ if (task == NULL)
-+ return rv;
-+
-+ put_task_struct(task);
-+
- return rv;
- }
-
-@@ -2685,7 +2722,14 @@
- if (!inode)
- goto out;
-
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- inode->i_op = &proc_tgid_base_inode_operations;
- inode->i_fop = &proc_tgid_base_operations;
- inode->i_flags|=S_IMMUTABLE;
-@@ -2792,6 +2836,10 @@
- {
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmp = current_cred();
-+ const struct cred *itercred;
-+#endif
- struct tgid_iter iter;
- struct pid_namespace *ns;
-
-@@ -2810,6 +2858,18 @@
- for (iter = next_tgid(ns, iter);
- iter.task;
- iter.tgid += 1, iter = next_tgid(ns, iter)) {
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ itercred = __task_cred(iter.task);
-+#endif
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (tmp->uid && (itercred->uid != tmp->uid)
-+ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+ #endif
-+ )
-+#endif
-+ continue;
-+
- filp->f_pos = iter.tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
-@@ -2891,6 +2951,9 @@
- #ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tid_io_accounting),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
-+#endif
- };
-
- static int proc_tid_base_readdir(struct file * filp,
diff -Nru linux-2.6.29-orig/fs/proc/cmdline.c linux-2.6.29/fs/proc/cmdline.c
--- linux-2.6.29-orig/fs/proc/cmdline.c 2009-03-24 00:12:14.000000000 +0100
+++ linux-2.6.29/fs/proc/cmdline.c 2009-03-29 23:34:04.452349599 +0200
@@ -1130,9 +979,170 @@
if (tw) {
inet_twsk_deschedule(tw, death_row);
inet_twsk_put(tw);
-diff -Nru linux-2.6.29-orig/net/socket.c linux-2.6.29/net/socket.c
---- linux-2.6.29-orig/net/socket.c 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/net/socket.c 2009-03-29 23:34:04.463807910 +0200
+diff -Nru linux-2.6.29-orig/security/Kconfig linux-2.6.29/security/Kconfig
+--- linux-2.6.29-orig/security/Kconfig 2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/security/Kconfig 2009-03-29 23:34:04.463807910 +0200
+@@ -4,6 +4,8 @@
+
+ menu "Security options"
+
++source grsecurity/Kconfig
++
+ config KEYS
+ bool "Enable access key retention support"
+ help
+--- linux-2.6.30/fs/proc/base.c.orig 2009-06-10 05:05:27.000000000 +0200
++++ linux-2.6.30/fs/proc/base.c 2009-06-25 11:17:28.184996926 +0200
+@@ -81,6 +81,7 @@
+ #include <linux/elf.h>
+ #include <linux/pid_namespace.h>
+ #include <linux/fs_struct.h>
++#include <lonux/grsecurity.h>
+ #include "internal.h"
+
+ /* NOTE:
+@@ -1459,6 +1460,9 @@
+ struct inode *inode = dentry->d_inode;
+ struct task_struct *task;
+ const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *tmp = current_cred();
++#endif
+
+ generic_fillattr(inode, stat);
+
+@@ -1466,12 +1470,29 @@
+ stat->uid = 0;
+ stat->gid = 0;
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
+- if (task) {
++ cred = __task_cred(task);
++ if (task
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ && (!tmp->uid || (tmp->uid == cred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++#endif
++ ) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+- cred = __task_cred(task);
+ stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ stat->gid = cred->egid;
++#endif
+ }
+ }
+ rcu_read_unlock();
+@@ -1503,11 +1524,20 @@
+
+ if (task) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
++#endif
+ rcu_read_unlock();
+ } else {
+ inode->i_uid = 0;
+@@ -1880,12 +1910,19 @@
+ static int proc_fd_permission(struct inode *inode, int mask)
+ {
+ int rv;
++ struct task_struct *task;
+
+ rv = generic_permission(inode, mask, NULL);
+- if (rv == 0)
+- return 0;
++
+ if (task_pid(current) == proc_pid(inode))
+ rv = 0;
++
++ task = get_proc_task(inode);
++ if (task == NULL)
++ return rv;
++
++ put_task_struct(task);
++
+ return rv;
+ }
+
+@@ -2671,7 +2708,14 @@
+ if (!inode)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ inode->i_op = &proc_tgid_base_inode_operations;
+ inode->i_fop = &proc_tgid_base_operations;
+ inode->i_flags|=S_IMMUTABLE;
+@@ -2778,6 +2822,10 @@
+ {
+ unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ const struct cred *tmp = current_cred();
++ const struct cred *itercred;
++#endif
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
+
+@@ -2796,6 +2844,18 @@
+ for (iter = next_tgid(ns, iter);
+ iter.task;
+ iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ itercred = __task_cred(iter.task);
++#endif
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (tmp->uid && (itercred->uid != tmp->uid)
++ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ #endif
++ )
++#endif
++ continue;
++
+ filp->f_pos = iter.tgid + TGID_OFFSET;
+ if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ put_task_struct(iter.task);
+@@ -2877,6 +2937,9 @@
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ INF("io", S_IRUGO, proc_tid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
++#endif
+ };
+
+ static int proc_tid_base_readdir(struct file * filp,
+--- linux-2.6.30/net/socket.c.orig 2009-06-10 05:05:27.000000000 +0200
++++ linux-2.6.30/net/socket.c 2009-06-25 11:21:18.914153098 +0200
@@ -86,6 +86,7 @@
#include <linux/audit.h>
#include <linux/wireless.h>
@@ -1150,23 +1160,11 @@
static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t pos);
-@@ -1486,6 +1489,7 @@
- err = newfd;
+@@ -1510,6 +1513,7 @@
+ goto out_fd_simple;
- security_socket_post_accept(sock, newsock);
+ err = security_socket_accept(sock, newsock);
+ gr_attach_curr_ip(newsock->sk);
+ if (err)
+ goto out_fd;
- out_put:
- fput_light(sock->file, fput_needed);
-diff -Nru linux-2.6.29-orig/security/Kconfig linux-2.6.29/security/Kconfig
---- linux-2.6.29-orig/security/Kconfig 2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/security/Kconfig 2009-03-29 23:34:04.463807910 +0200
-@@ -4,6 +4,8 @@
-
- menu "Security options"
-
-+source grsecurity/Kconfig
-+
- config KEYS
- bool "Enable access key retention support"
- help
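Review bot: The re-added fs/proc/base.c section spells the new include as `#include <lonux/grsecurity.h>` (the line after `#include <linux/fs_struct.h>`), a header that does not exist, so base.c stops compiling as soon as the updated patch is applied; the 2.6.29 section this hunk replaces had the correct `#include <linux/grsecurity.h>`, and that spelling should be restored in the 2.6.30 section: `++#include <linux/grsecurity.h>`. Separately, the carried-over hunk at `@@ -1466,12 +1470,29 @@` evaluates `cred = __task_cred(task);` before the `if (task` test, so a NULL return from `pid_task()` is dereferenced before the guard runs (assuming `__task_cred` reads through its argument as the mainline macro does); moving that assignment inside the `if (task ...) {` body, ahead of the `stat->uid = cred->euid;` line, would keep the original NULL check meaningful. The socket.c and Kconfig lines at the end of this hunk appear to have lost their leading diff markers in this rendering, so which of them are old and which new cannot be confirmed from the page alone.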
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel-desktop/kernel-desktop-grsec-minimal.patch?r1=1.8.4.5&r2=1.8.4.6&f=u