[packages/kernel.git] / kernel-grsec_fixes.patch

netlink
cap_dac*
diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c	2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c	2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 	return 0;
 }

+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+	struct task_struct *p;
+
+	if (gr_acl_is_enabled()) {
+		read_lock(&tasklist_lock);
+		p = find_task_by_vpid(pid);
+		if (p) {
+			get_task_struct(p);
+			gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+		}
+		read_unlock(&tasklist_lock);
+	}
+	return;
+}
--- a/grsecurity/grsec_sock.c	2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c	2008-03-24 00:27:01.971671763 +0100
@@ -251,23 +251,26 @@ __u32
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+	struct acl_subject_label *curracl;
+	kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
	if (!gr_acl_is_enabled())
		return current->cap_effective;
-	else if (sock->sk_protocol == NETLINK_ISCSI &&
-		 cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
-		 gr_task_is_capable(current, CAP_SYS_ADMIN))
-		return current->cap_effective;
-	else if (sock->sk_protocol == NETLINK_AUDIT &&
-		 cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
-		 gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
-		 cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
-		 gr_task_is_capable(current, CAP_AUDIT_CONTROL))
-		return current->cap_effective;
-	else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
-		 gr_task_is_capable(current, CAP_NET_ADMIN))
-		return current->cap_effective;
-	else
-		return __cap_empty_set;
+	else {
+		curracl = current->acl;
+
+		cap_dropp  = curracl->cap_lower;
+		cap_mask = curracl->cap_mask;
+
+		while ((curracl = curracl->parent_subject)) {
+			cap_dropp = cap_combine(cap_dropp,
+				    cap_intersect(curracl->cap_lower,
+				    cap_drop(cap_mask, curracl->cap_mask)));
+			cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+		}
+		return cap_drop(current->cap_effective,
+				cap_intersect(cap_dropp, cap_mask));
+	}
 #else
 	return current->cap_effective;
 #endif
diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
--- a/include/linux/grsecurity.h	2007-12-01 00:54:57.224769000 +0000
+++ c/include/linux/grsecurity.h	2007-12-01 01:09:34.923621750 +0000
@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
 void gr_log_shmget(const int err, const int shmflg, const size_t size);
 void gr_log_shmrm(const uid_t uid, const uid_t cuid);
 void gr_log_textrel(struct vm_area_struct *vma);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 				 const struct inode *inode,
diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c	2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c	2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+		gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 		return -EPERM;
+	}
 	return 0;
 }
 
===
=== cap_dac_ succession with capable_nolog
===
diff -upr a/fs./namei.c a/fs/namei.c
--- a/fs./namei.c	2008-04-05 01:23:49.741310000 +0200
+++ a/fs/namei.c	2008-04-05 14:36:39.350275977 +0200
@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
 
  check_capabilities:
 	/*
+	 * Searching includes executable on directories, else just read.
+	 */
+	if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+		if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
+			return 0;
+
+	/*
 	 * Read/write DACs are always overridable.
 	 * Executable DACs are overridable if at least one exec bit is set.
 	 */
@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
 		if (capable(CAP_DAC_OVERRIDE))
 			return 0;
 
-	/*
-	 * Searching includes executable on directories, else just read.
-	 */
-	if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
-		if (capable(CAP_DAC_READ_SEARCH))
-			return 0;
-
 	return -EACCES;
 }
 
@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
 	if (mode & MAY_EXEC)
 		goto ok;
 
-	if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
+	if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
 		goto ok;
 
-	if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
+	if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
 		goto ok;
 
-	if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
+	if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
 		goto ok;
 
 	return -EACCES;

--- linux-2.6.27/arch/powerpc/include/asm/kmap_types.h.org	2008-11-02 22:06:42.000000000 +0000
+++ linux-2.6.27/arch/powerpc/include/asm/kmap_types.h	2008-11-02 22:05:35.000000000 +0000
@@ -26,6 +26,7 @@
 	KM_SOFTIRQ1,
 	KM_PPC_SYNC_PAGE,
 	KM_PPC_SYNC_ICACHE,
+	KM_CLEARPAGE,
 	KM_TYPE_NR
 };
Commit	Line	Data
81232c11	1	netlink
38804522	2	cap_dac*
81232c11	3	diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
	4	--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
	5	+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
c6e93d2a	6	@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
81232c11	7	return 0;
81232c11	8	}
795ad1b0	9
81232c11	10	+void
795ad1b0	11	+gr_log_cap_pid(const int cap, const pid_t pid)
81232c11	12	+{
795ad1b0	13	+ struct task_struct *p;
	14	+
	15	+ if (gr_acl_is_enabled()) {
38804522	16	+ read_lock(&tasklist_lock);
c6e93d2a	17	+ p = find_task_by_vpid(pid);
38804522	18	+ if (p) {
c6e93d2a	19	+ get_task_struct(p);
795ad1b0	20	+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
38804522	21	+ }
38804522	22	+ read_unlock(&tasklist_lock);
795ad1b0	23	+ }
81232c11	24	+ return;
81232c11	25	+}
795ad1b0	26	--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
795ad1b0	27	+++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
c6e93d2a	28	@@ -251,23 +251,26 @@ __u32
795ad1b0	29	gr_cap_rtnetlink(struct sock *sock)
81232c11	30	{
	31	#ifdef CONFIG_GRKERNSEC
	32	+ struct acl_subject_label *curracl;
c6e93d2a	33	+ kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
81232c11	34	+
c6e93d2a	35	if (!gr_acl_is_enabled())
c6e93d2a	36	return current->cap_effective;
b2ee8b1e	37	- else if (sock->sk_protocol == NETLINK_ISCSI &&
	38	- cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
	39	- gr_task_is_capable(current, CAP_SYS_ADMIN))
	40	- return current->cap_effective;
	41	- else if (sock->sk_protocol == NETLINK_AUDIT &&
	42	- cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
	43	- gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
	44	- cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
	45	- gr_task_is_capable(current, CAP_AUDIT_CONTROL))
	46	- return current->cap_effective;
81232c11	47	- else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
	48	- gr_task_is_capable(current, CAP_NET_ADMIN))
	49	- return current->cap_effective;
	50	- else
c6e93d2a	51	- return __cap_empty_set;
81232c11	52	+ else {
	53	+ curracl = current->acl;
	54	+
c6e93d2a	55	+ cap_dropp = curracl->cap_lower;
81232c11	56	+ cap_mask = curracl->cap_mask;
	57	+
	58	+ while ((curracl = curracl->parent_subject)) {
c6e93d2a	59	+ cap_dropp = cap_combine(cap_dropp,
	60	+ cap_intersect(curracl->cap_lower,
	61	+ cap_drop(cap_mask, curracl->cap_mask)));
	62	+ cap_mask = cap_combine(cap_mask, curracl->cap_mask);
81232c11	63	+ }
c6e93d2a	64	+ return cap_drop(current->cap_effective,
c6e93d2a	65	+ cap_intersect(cap_dropp, cap_mask));
81232c11	66	+ }
	67	#else
	68	return current->cap_effective;
	69	#endif
	70	diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
	71	--- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000
	72	+++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000
795ad1b0	73	@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
81232c11	74	void gr_log_shmget(const int err, const int shmflg, const size_t size);
	75	void gr_log_shmrm(const uid_t uid, const uid_t cuid);
	76	void gr_log_textrel(struct vm_area_struct *vma);
795ad1b0	77	+void gr_log_cap_pid(const int cap, pid_t pid);
81232c11	78
	79	int gr_handle_follow_link(const struct inode *parent,
	80	const struct inode *inode,
	81	diff -upr a/security/commoncap.c c/security/commoncap.c
	82	--- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
	83	+++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
795ad1b0	84	@@ -55,8 +55,12 @@
81232c11	85
	86	int cap_netlink_recv(struct sk_buff *skb, int cap)
	87	{
	88	- if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
	89	+ if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
	90	+#ifdef CONFIG_GRKERNSEC
795ad1b0	91	+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
81232c11	92	+#endif
	93	return -EPERM;
	94	+ }
	95	return 0;
	96	}
	97
38804522	98	===
	99	=== cap_dac_ succession with capable_nolog
	100	===
	101	diff -upr a/fs./namei.c a/fs/namei.c
	102	--- a/fs./namei.c 2008-04-05 01:23:49.741310000 +0200
	103	+++ a/fs/namei.c 2008-04-05 14:36:39.350275977 +0200
	104	@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
	105
	106	check_capabilities:
	107	/*
	108	+ * Searching includes executable on directories, else just read.
	109	+ */
	110	+ if (mask == MAY_READ \|\| (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
	111	+ if (capable_nolog(CAP_DAC_OVERRIDE) \|\| capable(CAP_DAC_READ_SEARCH))
	112	+ return 0;
	113	+
	114	+ /*
	115	* Read/write DACs are always overridable.
	116	* Executable DACs are overridable if at least one exec bit is set.
	117	*/
	118	@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
	119	if (capable(CAP_DAC_OVERRIDE))
	120	return 0;
	121
	122	- /*
	123	- * Searching includes executable on directories, else just read.
	124	- */
	125	- if (mask == MAY_READ \|\| (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
	126	- if (capable(CAP_DAC_READ_SEARCH))
	127	- return 0;
	128	-
	129	return -EACCES;
	130	}
	131
	132	@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
	133	if (mode & MAY_EXEC)
	134	goto ok;
	135
	136	- if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
	137	+ if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
	138	goto ok;
	139
	140	- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
	141	+ if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
	142	goto ok;
	143
	144	- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
	145	+ if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
	146	goto ok;
	147
	148	return -EACCES;
6632ffe7 AM	149
	150	--- linux-2.6.27/arch/powerpc/include/asm/kmap_types.h.org 2008-11-02 22:06:42.000000000 +0000
	151	+++ linux-2.6.27/arch/powerpc/include/asm/kmap_types.h 2008-11-02 22:05:35.000000000 +0000
	152	@@ -26,6 +26,7 @@
	153	KM_SOFTIRQ1,
	154	KM_PPC_SYNC_PAGE,
	155	KM_PPC_SYNC_ICACHE,
	156	+ KM_CLEARPAGE,
	157	KM_TYPE_NR
	158	};
	159