packages (Titanium): kernel-desktop/kernel-desktop-grsec-minimal.patch - up...

shadzik shadzik at pld-linux.org
Thu Jun 25 11:26:35 CEST 2009


Author: shadzik                      Date: Thu Jun 25 09:26:35 2009 GMT
Module: packages                      Tag: Titanium
---- Log message:
- updated for 2.6.30

---- Files affected:
packages/kernel-desktop:
   kernel-desktop-grsec-minimal.patch (1.8.4.5 -> 1.8.4.6) 

---- Diffs:

================================================================
Index: packages/kernel-desktop/kernel-desktop-grsec-minimal.patch
diff -u packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.5 packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.6
--- packages/kernel-desktop/kernel-desktop-grsec-minimal.patch:1.8.4.5	Mon Mar 30 23:02:14 2009
+++ packages/kernel-desktop/kernel-desktop-grsec-minimal.patch	Thu Jun 25 11:26:29 2009
@@ -129,157 +129,6 @@
 +	return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
 +}
 +#endif
-diff -Nru linux-2.6.29-orig/fs/proc/base.c linux-2.6.29/fs/proc/base.c
---- linux-2.6.29-orig/fs/proc/base.c	2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/fs/proc/base.c	2009-03-29 23:42:59.660794909 +0200
-@@ -80,6 +80,7 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
- #include <linux/pid_namespace.h>
-+#include <linux/grsecurity.h>
- #include "internal.h"
- 
- /* NOTE:
-@@ -1473,6 +1474,9 @@
- 	struct inode *inode = dentry->d_inode;
- 	struct task_struct *task;
- 	const struct cred *cred;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	const struct cred *tmp = current_cred();
-+#endif
- 
- 	generic_fillattr(inode, stat);
- 
-@@ -1480,12 +1484,29 @@
- 	stat->uid = 0;
- 	stat->gid = 0;
- 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
--	if (task) {
-+	cred = __task_cred(task);
-+	if (task
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		&& (!tmp->uid || (tmp->uid == cred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+		|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+		)
-+#endif
-+	   ) {
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- 		    task_dumpable(task)) {
--			cred = __task_cred(task);
- 			stat->uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- 			stat->gid = cred->egid;
-+#endif
- 		}
- 	}
- 	rcu_read_unlock();
-@@ -1517,11 +1538,20 @@
- 
- 	if (task) {
- 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- 		    task_dumpable(task)) {
- 			rcu_read_lock();
- 			cred = __task_cred(task);
- 			inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- 			inode->i_gid = cred->egid;
-+#endif
- 			rcu_read_unlock();
- 		} else {
- 			inode->i_uid = 0;
-@@ -1894,12 +1924,19 @@
- static int proc_fd_permission(struct inode *inode, int mask)
- {
- 	int rv;
-+	struct task_struct *task;
- 
- 	rv = generic_permission(inode, mask, NULL);
--	if (rv == 0)
--		return 0;
-+
- 	if (task_pid(current) == proc_pid(inode))
- 		rv = 0;
-+
-+	task = get_proc_task(inode);
-+	if (task == NULL)
-+		return rv;
-+
-+	put_task_struct(task);
-+
- 	return rv;
- }
- 
-@@ -2685,7 +2722,14 @@
- 	if (!inode)
- 		goto out;
- 
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- 	inode->i_op = &proc_tgid_base_inode_operations;
- 	inode->i_fop = &proc_tgid_base_operations;
- 	inode->i_flags|=S_IMMUTABLE;
-@@ -2792,6 +2836,10 @@
- {
- 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	const struct cred *tmp = current_cred();
-+	const struct cred *itercred;
-+#endif
- 	struct tgid_iter iter;
- 	struct pid_namespace *ns;
- 
-@@ -2810,6 +2858,18 @@
- 	for (iter = next_tgid(ns, iter);
- 	     iter.task;
- 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	itercred = __task_cred(iter.task);
-+#endif
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+	if (tmp->uid && (itercred->uid != tmp->uid)
-+			#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+			#endif
-+	)
-+#endif
-+		continue;
-+
- 		filp->f_pos = iter.tgid + TGID_OFFSET;
- 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- 			put_task_struct(iter.task);
-@@ -2891,6 +2951,9 @@
- #ifdef CONFIG_TASK_IO_ACCOUNTING
- 	INF("io",	S_IRUGO, proc_tid_io_accounting),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+	INF("ipaddr",	  S_IRUSR, proc_pid_ipaddr),
-+#endif
- };
- 
- static int proc_tid_base_readdir(struct file * filp,
 diff -Nru linux-2.6.29-orig/fs/proc/cmdline.c linux-2.6.29/fs/proc/cmdline.c
 --- linux-2.6.29-orig/fs/proc/cmdline.c	2009-03-24 00:12:14.000000000 +0100
 +++ linux-2.6.29/fs/proc/cmdline.c	2009-03-29 23:34:04.452349599 +0200
@@ -1130,9 +979,170 @@
  		if (tw) {
  			inet_twsk_deschedule(tw, death_row);
  			inet_twsk_put(tw);
-diff -Nru linux-2.6.29-orig/net/socket.c linux-2.6.29/net/socket.c
---- linux-2.6.29-orig/net/socket.c	2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/net/socket.c	2009-03-29 23:34:04.463807910 +0200
+diff -Nru linux-2.6.29-orig/security/Kconfig linux-2.6.29/security/Kconfig
+--- linux-2.6.29-orig/security/Kconfig	2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29/security/Kconfig	2009-03-29 23:34:04.463807910 +0200
+@@ -4,6 +4,8 @@
+ 
+ menu "Security options"
+ 
++source grsecurity/Kconfig
++
+ config KEYS
+ 	bool "Enable access key retention support"
+ 	help
+--- linux-2.6.30/fs/proc/base.c.orig	2009-06-10 05:05:27.000000000 +0200
++++ linux-2.6.30/fs/proc/base.c	2009-06-25 11:17:28.184996926 +0200
+@@ -81,6 +81,7 @@
+ #include <linux/elf.h>
+ #include <linux/pid_namespace.h>
+ #include <linux/fs_struct.h>
++#include <lonux/grsecurity.h>
+ #include "internal.h"
+ 
+ /* NOTE:
+@@ -1459,6 +1460,9 @@
+ 	struct inode *inode = dentry->d_inode;
+ 	struct task_struct *task;
+ 	const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *tmp = current_cred();
++#endif
+ 
+ 	generic_fillattr(inode, stat);
+ 
+@@ -1466,12 +1470,29 @@
+ 	stat->uid = 0;
+ 	stat->gid = 0;
+ 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
+-	if (task) {
++	cred = __task_cred(task);
++	if (task
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		&& (!tmp->uid || (tmp->uid == cred->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++		|| in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++		)
++#endif
++	   ) {
+ 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ 		    task_dumpable(task)) {
+-			cred = __task_cred(task);
+ 			stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			stat->gid = cred->egid;
++#endif
+ 		}
+ 	}
+ 	rcu_read_unlock();
+@@ -1503,11 +1524,20 @@
+ 
+ 	if (task) {
+ 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++		(inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ 		    task_dumpable(task)) {
+ 			rcu_read_lock();
+ 			cred = __task_cred(task);
+ 			inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ 			inode->i_gid = cred->egid;
++#endif
+ 			rcu_read_unlock();
+ 		} else {
+ 			inode->i_uid = 0;
+@@ -1880,12 +1910,19 @@
+ static int proc_fd_permission(struct inode *inode, int mask)
+ {
+ 	int rv;
++	struct task_struct *task;
+ 
+ 	rv = generic_permission(inode, mask, NULL);
+-	if (rv == 0)
+-		return 0;
++
+ 	if (task_pid(current) == proc_pid(inode))
+ 		rv = 0;
++
++	task = get_proc_task(inode);
++	if (task == NULL)
++		return rv;
++
++	put_task_struct(task);
++
+ 	return rv;
+ }
+ 
+@@ -2671,7 +2708,14 @@
+ 	if (!inode)
+ 		goto out;
+ 
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+ 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ 	inode->i_op = &proc_tgid_base_inode_operations;
+ 	inode->i_fop = &proc_tgid_base_operations;
+ 	inode->i_flags|=S_IMMUTABLE;
+@@ -2778,6 +2822,10 @@
+ {
+ 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ 	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	const struct cred *tmp = current_cred();
++	const struct cred *itercred;
++#endif
+ 	struct tgid_iter iter;
+ 	struct pid_namespace *ns;
+ 
+@@ -2796,6 +2844,18 @@
+ 	for (iter = next_tgid(ns, iter);
+ 	     iter.task;
+ 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	itercred = __task_cred(iter.task);
++#endif
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++	if (tmp->uid && (itercred->uid != tmp->uid)
++			#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++			#endif
++	)
++#endif
++		continue;
++
+ 		filp->f_pos = iter.tgid + TGID_OFFSET;
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ 			put_task_struct(iter.task);
+@@ -2877,6 +2937,9 @@
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ 	INF("io",	S_IRUGO, proc_tid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++	INF("ipaddr",	  S_IRUSR, proc_pid_ipaddr),
++#endif
+ };
+ 
+ static int proc_tid_base_readdir(struct file * filp,
+--- linux-2.6.30/net/socket.c.orig	2009-06-10 05:05:27.000000000 +0200
++++ linux-2.6.30/net/socket.c	2009-06-25 11:21:18.914153098 +0200
 @@ -86,6 +86,7 @@
  #include <linux/audit.h>
  #include <linux/wireless.h>
@@ -1150,23 +1160,11 @@
  static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
  static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
  			 unsigned long nr_segs, loff_t pos);
-@@ -1486,6 +1489,7 @@
- 	err = newfd;
+@@ -1510,6 +1513,7 @@
+ 		goto out_fd_simple;
  
- 	security_socket_post_accept(sock, newsock);
+ 	err = security_socket_accept(sock, newsock);
 +	gr_attach_curr_ip(newsock->sk);
+ 	if (err)
+ 		goto out_fd;
  
- out_put:
- 	fput_light(sock->file, fput_needed);
-diff -Nru linux-2.6.29-orig/security/Kconfig linux-2.6.29/security/Kconfig
---- linux-2.6.29-orig/security/Kconfig	2009-03-24 00:12:14.000000000 +0100
-+++ linux-2.6.29/security/Kconfig	2009-03-29 23:34:04.463807910 +0200
-@@ -4,6 +4,8 @@
- 
- menu "Security options"
- 
-+source grsecurity/Kconfig
-+
- config KEYS
- 	bool "Enable access key retention support"
- 	help
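Review bot: `gr_attach_curr_ip(newsock->sk);` is now placed between `err = security_socket_accept(sock, newsock);` and the `if (err)` / `goto out_fd;` test, so the accepting task's curr_ip is recorded even when the LSM refuses the accept and the new socket is presumably released on the out_fd path; in the 2.6.29 version the hook ran only after a successful accept (after security_socket_post_accept). Move the call below the error check: `if (err)` / `goto out_fd;` / `gr_attach_curr_ip(newsock->sk);`. The enclosing accept function starts and ends outside the hunk, so what out_fd does to newsock is inferred from its name rather than visible here.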
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel-desktop/kernel-desktop-grsec-minimal.patch?r1=1.8.4.5&r2=1.8.4.6&f=u


