packages (LINUX_3_0): kernel/kernel-grsec_full.patch - patched for vserver

arekm arekm at pld-linux.org
Fri Nov 18 11:48:05 CET 2011


Author: arekm                        Date: Fri Nov 18 10:48:05 2011 GMT
Module: packages                      Tag: LINUX_3_0
---- Log message:
- patched for vserver

---- Files affected:
packages/kernel:
   kernel-grsec_full.patch (1.85.2.3 -> 1.85.2.4) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-grsec_full.patch
diff -u packages/kernel/kernel-grsec_full.patch:1.85.2.3 packages/kernel/kernel-grsec_full.patch:1.85.2.4
--- packages/kernel/kernel-grsec_full.patch:1.85.2.3	Fri Nov 18 11:45:30 2011
+++ packages/kernel/kernel-grsec_full.patch	Fri Nov 18 11:47:58 2011
@@ -11438,9 +11438,9 @@
 @@ -186,7 +186,7 @@ void dump_stack(void)
  
  	bp = stack_frame(current, NULL);
- 	printk("Pid: %d, comm: %.20s %s %s %.*s\n",
--		current->pid, current->comm, print_tainted(),
-+		task_pid_nr(current), current->comm, print_tainted(),
+ 	printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
+-		current->pid, current->comm, current->xid, print_tainted(),
++		task_pid_nr(current), current->comm, current->xid, print_tainted(),
  		init_utsname()->release,
  		(int)strcspn(init_utsname()->version, " "),
  		init_utsname()->version);
@@ -15135,9 +15135,9 @@
 @@ -106,7 +123,7 @@ void show_regs_common(void)
  
  	printk(KERN_CONT "\n");
- 	printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
--		current->pid, current->comm, print_tainted(),
-+		task_pid_nr(current), current->comm, print_tainted(),
+ 	printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
+-		current->pid, current->xid, current->comm, print_tainted(),
++		task_pid_nr(current), current->xid, current->comm, print_tainted(),
  		init_utsname()->release,
  		(int)strcspn(init_utsname()->version, " "),
  		init_utsname()->version);
@@ -43772,9 +43772,9 @@
  #include <linux/slab.h>
  #include <linux/fs_struct.h>
 +#include <linux/grsecurity.h>
+ #include <linux/vserver/global.h>
  #include "internal.h"
  
- static inline void path_get_longterm(struct path *path)
 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
  	old_root = fs->root;
  	fs->root = *path;
@@ -45905,9 +45905,9 @@
  #endif
  #ifdef CONFIG_SCHEDSTATS
 @@ -2865,6 +2981,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_HARDWALL
  	INF("hardwall",   S_IRUGO, proc_pid_hardwall),
  #endif
+ 	ONE("nsproxy",	S_IRUGO, proc_pid_nsproxy),
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +	INF("ipaddr",	  S_IRUSR, proc_pid_ipaddr),
 +#endif
@@ -45980,11 +45980,11 @@
 +	rcu_read_unlock();
 +#endif
  		filp->f_pos = iter.tgid + TGID_OFFSET;
+ 		if (!vx_proc_task_visible(iter.task))
+ 			continue;
 -		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
 +		if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
  			put_task_struct(iter.task);
- 			goto out;
- 		}
 @@ -3149,7 +3306,7 @@ static const struct pid_entry tid_base_s
  	REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
  #endif
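Review bot: The `continue` on the new-side `vx_proc_task_visible()` check (the two lines after `filp->f_pos = iter.tgid + TGID_OFFSET;`) skips the `put_task_struct(iter.task)` that the `proc_pid_fill_cache` failure path performs, so correctness depends on the loop's iterator dropping the previous task's reference on the next iteration; that iterator is outside the hunk and cannot be confirmed from here. A short comment on the check, e.g. `/* no put_task_struct here: the loop iterator releases iter.task before the next entry */`, would keep a later reader from adding a second put and double-dropping the reference. The enclosing readdir loop starts and ends outside this hunk.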
@@ -46095,9 +46095,9 @@
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
 +#endif
- extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ 				struct pid *pid, struct task_struct *task);
  
- extern const struct file_operations proc_maps_operations;
 diff -urNp linux-3.0.9/fs/proc/Kconfig linux-3.0.9/fs/proc/Kconfig
 --- linux-3.0.9/fs/proc/Kconfig	2011-11-11 13:12:24.000000000 -0500
 +++ linux-3.0.9/fs/proc/Kconfig	2011-11-15 20:02:59.000000000 -0500
@@ -60092,10 +60092,10 @@
  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
  	mode_t mode, struct proc_dir_entry *base, 
  	read_proc_t *read_proc, void * data)
-@@ -258,7 +271,7 @@ union proc_op {
- 	int (*proc_show)(struct seq_file *m,
- 		struct pid_namespace *ns, struct pid *pid,
- 		struct task_struct *task);
+@@ -278,7 +278,7 @@ union proc_op {
+ 	int (*proc_vs_read)(char *page);
+ 	int (*proc_vxi_read)(struct vx_info *vxi, char *page);
+ 	int (*proc_nxi_read)(struct nx_info *nxi, char *page);
 -};
 +} __no_const;
  
@@ -62656,15 +62656,15 @@
  	new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
  	if (!new)
  		return NULL;
-@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
- 	const struct cred *old;
+@@ -268,6 +268,8 @@ struct cred *__prepare_creds(const struc
+ {
  	struct cred *new;
  
 +	pax_track_stack();
 +
- 	validate_process_creds();
- 
  	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
+ 	if (!new)
+ 		return NULL;
 @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
  	struct thread_group_cred *tgcred = NULL;
  	struct cred *new;
@@ -63301,13 +63301,15 @@
  	return 0;
  }
  
-@@ -1104,12 +1142,16 @@ static struct task_struct *copy_process(
- 	DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
- #endif
- 	retval = -EAGAIN;
-+
+@@ -1156,15 +1156,18 @@ static struct task_struct *copy_process(
+ 	init_vx_info(&p->vx_info, current_vx_info());
+ 	init_nx_info(&p->nx_info, current_nx_info());
+ 
 +	gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
 +
+ 	retval = -EAGAIN;
+ 	if (!vx_nproc_avail(1))
+ 		goto bad_fork_free;
  	if (atomic_read(&p->real_cred->user->processes) >=
  			task_rlimit(p, RLIMIT_NPROC)) {
 -		if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
@@ -64751,8 +64753,8 @@
 +	struct task_struct *task;
 +
  	rcu_lockdep_assert(rcu_read_lock_held());
--	return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
-+	task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+-	return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
++	task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
 +
 +	if (gr_pid_is_chrooted(task))
 +		return NULL;
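Review bot: On the new side, `task` is handed to `gr_pid_is_chrooted()` without a NULL check even though `pid_task()` yields NULL when the remapped pid has no task, so the code relies on that helper tolerating a NULL argument; the helper is not visible here, so this should be confirmed or made explicit. An explicit guard is one line, `if (task && gr_pid_is_chrooted(task))`, and costs nothing on the lookup path. The function's remaining lines, including its final return of `task`, fall outside the hunk.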
@@ -64978,7 +64980,7 @@
 +#endif
 +
  	if (syslog_action_restricted(type)) {
- 		if (capable(CAP_SYSLOG))
+ 		if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
  			return 0;
  		/* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
  		if (capable(CAP_SYS_ADMIN)) {
@@ -65722,7 +65724,7 @@
 -	if (increment < 0 && !can_nice(current, nice))
 +	if (increment < 0 && (!can_nice(current, nice) ||
 +			      gr_handle_chroot_nice()))
- 		return -EPERM;
+ 		return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
  	retval = security_task_setnice(current, nice);
 @@ -5097,6 +5102,7 @@ recheck:
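Review bot: The merged condition makes a `gr_handle_chroot_nice()` refusal share the vserver return `vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM`, so in a guest with VXF_IGNEG_NICE a chroot-restricted priority raise is reported to the caller as success (0) rather than -EPERM; the nice value is still not applied, but if the grsec helper records the refusal (not visible here) the audit trail and the syscall result will disagree. If that precedence is intended, a comment such as `/* VXF_IGNEG_NICE silently ignores any refused negative increment, including a chroot-denied one */` would document it; otherwise the chroot case should keep returning -EPERM regardless of the flag. The enclosing function starts and ends outside this hunk.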
@@ -65791,10 +65793,11 @@
  	if (is_global_init(tsk))
  		return 1;
  	if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -770,6 +773,13 @@ static int check_kill_permission(int sig
- 		}
+@@ -797,6 +797,14 @@
+ 			sig, info, t, vx_task_xid(t), t->pid, current->xid);
+ 		return error;
  	}
- 
++
 +	/* allow glibc communication via tgkill to other threads in our
 +	   thread group */
 +	if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
@@ -65802,9 +65805,9 @@
 +	    && gr_handle_signal(t, sig))
 +		return -EPERM;
 +
+ /* skip: */
  	return security_task_kill(t, info, sig, 0);
  }
- 
 @@ -1092,7 +1102,7 @@ __group_send_sig_info(int sig, struct si
  	return send_signal(sig, info, p, 1);
  }
@@ -72552,13 +72555,13 @@
  #include <net/inet_connection_sock.h>
  #include <net/inet_hashtables.h>
  #include <net/secure_seq.h>
+ #include <net/route.h>
  #include <net/ip.h>
  
 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
 +
  /*
   * Allocate and initialize a new local port bind bucket.
-  * The bindhash mutex for snum's hash chain must be held here.
 @@ -530,6 +533,8 @@ ok:
  			twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
  		spin_unlock(&head->lock);
@@ -73364,9 +73367,9 @@
 +extern int grsec_enable_blackhole;
 +#endif
 +
- int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
+ int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
  {
- 	const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
+ 	const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
 @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
  
  	return 0;
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-grsec_full.patch?r1=1.85.2.3&r2=1.85.2.4&f=u


