d4f3ea00 | 1 | --- linux-2.6.20/grsecurity/gracl_shm.c~ 2007-03-24 04:54:27.000000000 +0100 |
2 | +++ linux-2.6.20/grsecurity/gracl_shm.c 2007-03-24 04:55:46.332159000 +0100 | |
3 | @@ -6,6 +6,7 @@ | |
4 | #include <linux/gracl.h> | |
5 | #include <linux/grsecurity.h> | |
6 | #include <linux/grinternal.h> | |
7 | +#include <linux/vs_pid.h> | |
8 | ||
9 | int | |
10 | gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, | |
01664f41 | 11 | --- linux-2.6.20/localversion-grsec 2007-03-24 04:54:27.000000000 +0100 |
12 | +++ /dev/null 2007-03-24 05:05:10.455414500 +0100 | |
d4f3ea00 | 13 | @@ -1 +0,0 @@ |
14 | --grsec | |
15 | --- linux-2.6.20/grsecurity/grsec_sock.c~ 2007-03-24 05:38:40.000000000 +0100 | |
16 | +++ linux-2.6.20/grsecurity/grsec_sock.c 2007-03-24 05:47:11.347998750 +0100 | |
17 | @@ -7,6 +7,7 @@ | |
18 | #include <linux/ip.h> | |
19 | #include <net/sock.h> | |
20 | #include <net/inet_sock.h> | |
21 | +#include <linux/vs_context.h> | |
22 | #include <linux/grsecurity.h> | |
23 | #include <linux/grinternal.h> | |
24 | #include <linux/gracl.h> | |
73e74065 | 25 | === |
26 | === analogous as capable() | |
27 | === | |
28 | --- a/kernel/capability.c~ 2007-12-11 00:46:02.000000000 +0100 | |
29 | +++ a/kernel/capability.c 2007-12-11 01:35:00.244481500 +0100 | |
30 | @@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int | |
31 | } | |
32 | int capable_nolog(int cap) | |
33 | { | |
34 | + if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) | |
35 | + return 0; | |
0e00d418 | 36 | if (has_capability(current, cap) && gr_is_capable_nolog(cap)) { |
73e74065 | 37 | current->flags |= PF_SUPERPRIV; |
38 | return 1; | |
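Review bot: `1L << cap` on the added line shifts a `long` by the capability number, which is undefined behaviour if `cap` can ever reach the bit width of `long` (32 on 32-bit builds); capabilities of this kernel era fit in 32 bits so it holds today, but nothing here bounds the shift, and the check will silently misbehave if the capability set grows. A helper that builds the mask from `cap` with the shift bounded, or an explicit comment such as `/* caps fit in 32 bits here; revisit if CAP_LAST_CAP > 31 */`, would make the assumption visible. The new lines also return 0 without any logging, which matches the `_nolog` contract but differs from the grsec path below that sets `PF_SUPERPRIV`; stating that the vserver mask is checked first so that a masked-out cap never counts as a privileged use would help the next reader. capable_nolog() closes outside the hunk.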
39 | === | |
40 | === let vserver block signals before grsec | |
41 | === | |
203f7a21 | 42 | --- a/kernel/signal.c 2007-10-02 00:08:49.954483500 +0200 |
43 | +++ b/kernel/signal.c 2007-10-02 00:24:31.969355750 +0200 | |
73e74065 | 44 | @@ -553,6 +553,11 @@ static int check_kill_permission(int sig |
45 | sig, info, t, vx_task_xid(t), t->pid, current->xid); | |
46 | return error; | |
47 | } | |
48 | + | |
49 | + error = -EPERM; | |
50 | + if (gr_handle_signal(t, sig)) | |
51 | + return error; | |
52 | + | |
53 | skip: | |
54 | return security_task_kill(t, info, sig, 0); | |
55 | } | |
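Review bot: The added gr_handle_signal() check sits immediately before the `skip:` label, so any `goto skip` earlier in check_kill_permission (above this hunk, not visible here) reaches security_task_kill() without ever consulting grsec's signal ACL. If that exemption is deliberate it should be stated in place, e.g. `/* paths that jump to skip: are exempt from the grsec signal ACL */`; if it is not, the check belongs after the label. Separately, `error = -EPERM;` followed by `return error;` adds nothing over `if (gr_handle_signal(t, sig)) return -EPERM;`, and the shorter form keeps `error` for the vserver path above. The function starts outside the hunk.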
56 | === | |
57 | === vserver netlink protection | |
58 | === | |
59 | --- a/security/commoncap.c~ 2007-12-10 23:52:36.000000000 +0100 | |
60 | +++ a/security/commoncap.c 2007-12-11 01:43:04.426741000 +0100 | |
61 | @@ -27,7 +27,7 @@ | |
62 | ||
63 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | |
64 | { | |
2e61a8dd | 65 | - NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk); |
66 | + NETLINK_CB(skb).eff_cap = cap_intersect(gr_cap_rtnetlink(sk), vx_mbcaps(current->cap_effective)); | |
73e74065 | 67 | return 0; |
68 | } | |
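Review bot: The replacement line in cap_netlink_send() runs well past the kernel's 80-column limit; split it as `NETLINK_CB(skb).eff_cap = cap_intersect(gr_cap_rtnetlink(sk),` / `vx_mbcaps(current->cap_effective));` with the continuation aligned under the first argument. A one-line comment would also help, since the effective capability set now depends on two independent sources: `/* grsec's rtnetlink caps, further limited to what the sender's vserver context allows */`. Note that the intersection uses `current` rather than anything derived from `sk`, which is presumably fine because the sender is the current task, but worth confirming.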
69 | ||
0e00d418 | 70 | === |
71 | === vserver hooks in cap_capable_nolog | |
72 | === | |
73 | --- i/security/commoncap.c1 2008-10-28 21:28:07.873037469 +0100 | |
74 | +++ i/security/commoncap.c 2008-10-28 21:36:20.429660261 +0100 | |
75 | @@ -76,8 +76,14 @@ int cap_capable (struct task_struct *tsk | |
065882fc | 76 | |
0e00d418 | 77 | int cap_capable_nolog (struct task_struct *tsk, int cap) |
78 | { | |
79 | + struct vx_info *vxi = tsk->vx_info; | |
80 | + /* special case SETUP */ /* co to jest? - zbyniu */ | |
81 | + if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) && | |
82 | + cap_raised(tsk->cap_effective, cap)) | |
83 | + return 0; | |
84 | + | |
85 | /* tsk = current for all callers */ | |
86 | - if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) | |
87 | + if (vx_cap_raised(vxi, tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) | |
88 | return 0; | |
065882fc | 89 | |
0e00d418 | 90 | return -EPERM; |