]>
Commit | Line | Data |
---|---|---|
81232c11 | 1 | netlink |
38804522 | 2 | cap_dac* |
81232c11 | 3 | diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c |
4 | --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000 | |
5 | +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000 | |
c6e93d2a | 6 | @@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap) |
81232c11 | 7 | return 0; |
8 | } | |
795ad1b0 | 9 | |
81232c11 | 10 | +void |
795ad1b0 | 11 | +gr_log_cap_pid(const int cap, const pid_t pid) |
81232c11 | 12 | +{ |
795ad1b0 | 13 | + struct task_struct *p; |
14 | + | |
15 | + if (gr_acl_is_enabled()) { | |
38804522 | 16 | + read_lock(&tasklist_lock); |
c6e93d2a | 17 | + p = find_task_by_vpid(pid); |
38804522 | 18 | + if (p) { |
c6e93d2a | 19 | + get_task_struct(p); |
795ad1b0 | 20 | + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]); |
38804522 | 21 | + } |
22 | + read_unlock(&tasklist_lock); | |
795ad1b0 | 23 | + } |
81232c11 | 24 | + return; |
25 | +} | |
795ad1b0 | 26 | --- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100 |
27 | +++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100 | |
c6e93d2a | 28 | @@ -251,23 +251,26 @@ __u32 |
795ad1b0 | 29 | gr_cap_rtnetlink(struct sock *sock) |
81232c11 | 30 | { |
31 | #ifdef CONFIG_GRKERNSEC | |
32 | + struct acl_subject_label *curracl; | |
c6e93d2a | 33 | + kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set; |
81232c11 | 34 | + |
c6e93d2a | 35 | if (!gr_acl_is_enabled()) |
36 | return current->cap_effective; | |
b2ee8b1e | 37 | - else if (sock->sk_protocol == NETLINK_ISCSI && |
38 | - cap_raised(current->cap_effective, CAP_SYS_ADMIN) && | |
39 | - gr_task_is_capable(current, CAP_SYS_ADMIN)) | |
40 | - return current->cap_effective; | |
41 | - else if (sock->sk_protocol == NETLINK_AUDIT && | |
42 | - cap_raised(current->cap_effective, CAP_AUDIT_WRITE) && | |
43 | - gr_task_is_capable(current, CAP_AUDIT_WRITE) && | |
44 | - cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) && | |
45 | - gr_task_is_capable(current, CAP_AUDIT_CONTROL)) | |
46 | - return current->cap_effective; | |
81232c11 | 47 | - else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) && |
48 | - gr_task_is_capable(current, CAP_NET_ADMIN)) | |
49 | - return current->cap_effective; | |
50 | - else | |
c6e93d2a | 51 | - return __cap_empty_set; |
81232c11 | 52 | + else { |
53 | + curracl = current->acl; | |
54 | + | |
c6e93d2a | 55 | + cap_dropp = curracl->cap_lower; |
81232c11 | 56 | + cap_mask = curracl->cap_mask; |
57 | + | |
58 | + while ((curracl = curracl->parent_subject)) { | |
c6e93d2a | 59 | + cap_dropp = cap_combine(cap_dropp, |
60 | + cap_intersect(curracl->cap_lower, | |
61 | + cap_drop(cap_mask, curracl->cap_mask))); | |
62 | + cap_mask = cap_combine(cap_mask, curracl->cap_mask); | |
81232c11 | 63 | + } |
c6e93d2a | 64 | + return cap_drop(current->cap_effective, |
65 | + cap_intersect(cap_dropp, cap_mask)); | |
81232c11 | 66 | + } |
67 | #else | |
68 | return current->cap_effective; | |
69 | #endif | |
70 | diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h | |
71 | --- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000 | |
72 | +++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000 | |
795ad1b0 | 73 | @@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const |
81232c11 | 74 | void gr_log_shmget(const int err, const int shmflg, const size_t size); |
75 | void gr_log_shmrm(const uid_t uid, const uid_t cuid); | |
76 | void gr_log_textrel(struct vm_area_struct *vma); | |
795ad1b0 | 77 | +void gr_log_cap_pid(const int cap, pid_t pid); |
81232c11 | 78 | |
79 | int gr_handle_follow_link(const struct inode *parent, | |
80 | const struct inode *inode, | |
81 | diff -upr a/security/commoncap.c c/security/commoncap.c | |
82 | --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000 | |
83 | +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000 | |
795ad1b0 | 84 | @@ -55,8 +55,12 @@ |
81232c11 | 85 | |
86 | int cap_netlink_recv(struct sk_buff *skb, int cap) | |
87 | { | |
88 | - if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) | |
89 | + if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) { | |
90 | +#ifdef CONFIG_GRKERNSEC | |
795ad1b0 | 91 | + gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid); |
81232c11 | 92 | +#endif |
93 | return -EPERM; | |
94 | + } | |
95 | return 0; | |
96 | } | |
97 | ||
38804522 | 98 | === |
99 | === cap_dac_ succession with capable_nolog | |
100 | === | |
101 | diff -upr a/fs./namei.c a/fs/namei.c | |
102 | --- a/fs./namei.c 2008-04-05 01:23:49.741310000 +0200 | |
103 | +++ a/fs/namei.c 2008-04-05 14:36:39.350275977 +0200 | |
104 | @@ -215,6 +215,13 @@ int generic_permission(struct inode *ino | |
105 | ||
106 | check_capabilities: | |
107 | /* | |
108 | + * Searching includes executable on directories, else just read. | |
109 | + */ | |
110 | + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) | |
111 | + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH)) | |
112 | + return 0; | |
113 | + | |
114 | + /* | |
115 | * Read/write DACs are always overridable. | |
116 | * Executable DACs are overridable if at least one exec bit is set. | |
117 | */ | |
118 | @@ -223,13 +230,6 @@ int generic_permission(struct inode *ino | |
119 | if (capable(CAP_DAC_OVERRIDE)) | |
120 | return 0; | |
121 | ||
122 | - /* | |
123 | - * Searching includes executable on directories, else just read. | |
124 | - */ | |
125 | - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) | |
126 | - if (capable(CAP_DAC_READ_SEARCH)) | |
127 | - return 0; | |
128 | - | |
129 | return -EACCES; | |
130 | } | |
131 | ||
132 | @@ -498,13 +498,13 @@ static int exec_permission_lite(struct i | |
133 | if (mode & MAY_EXEC) | |
134 | goto ok; | |
135 | ||
136 | - if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE)) | |
137 | + if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE)) | |
138 | goto ok; | |
139 | ||
140 | - if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE)) | |
141 | + if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH)) | |
142 | goto ok; | |
143 | ||
144 | - if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH)) | |
145 | + if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE)) | |
146 | goto ok; | |
147 | ||
148 | return -EACCES; | |
6632ffe7 AM |
149 | |
150 | --- linux-2.6.27/arch/powerpc/include/asm/kmap_types.h.org 2008-11-02 22:06:42.000000000 +0000 | |
151 | +++ linux-2.6.27/arch/powerpc/include/asm/kmap_types.h 2008-11-02 22:05:35.000000000 +0000 | |
152 | @@ -26,6 +26,7 @@ | |
153 | KM_SOFTIRQ1, | |
154 | KM_PPC_SYNC_PAGE, | |
155 | KM_PPC_SYNC_ICACHE, | |
156 | + KM_CLEARPAGE, | |
157 | KM_TYPE_NR | |
158 | }; | |
159 |