1 --- linux-2.6.20/grsecurity/gracl_shm.c~        2007-03-24 04:54:27.000000000 +0100
2 +++ linux-2.6.20/grsecurity/gracl_shm.c 2007-03-24 04:55:46.332159000 +0100
3 @@ -6,6 +6,7 @@
4  #include <linux/gracl.h>
5  #include <linux/grsecurity.h>
6  #include <linux/grinternal.h>
7 +#include <linux/vs_pid.h>
8  
9  int
10  gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
11 --- linux-2.6.20/localversion-grsec     2007-03-24 04:54:27.000000000 +0100
12 +++ /dev/null   2007-03-24 05:05:10.455414500 +0100
13 @@ -1 +0,0 @@
14 --grsec
15 --- linux-2.6.20/grsecurity/grsec_sock.c~       2007-03-24 05:38:40.000000000 +0100
16 +++ linux-2.6.20/grsecurity/grsec_sock.c        2007-03-24 05:47:11.347998750 +0100
17 @@ -7,6 +7,7 @@
18  #include <linux/ip.h>
19  #include <net/sock.h>
20  #include <net/inet_sock.h>
21 +#include <linux/vs_context.h>
22  #include <linux/grsecurity.h>
23  #include <linux/grinternal.h>
24  #include <linux/gracl.h>
25 ===
26 === analogous to capable()
27 ===
28 --- a/kernel/capability.c~      2007-12-11 00:46:02.000000000 +0100
29 +++ a/kernel/capability.c       2007-12-11 01:35:00.244481500 +0100
30 @@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int
31  }
32  int capable_nolog(int cap)
33  {
34 +       if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
35 +               return 0;
36         if (has_capability(current, cap) && gr_is_capable_nolog(cap)) {
37                 current->flags |= PF_SUPERPRIV;
38                 return 1;
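Review bot: The new guard `if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))` builds the mask with a raw shift, so it silently assumes `cap` is below BITS_PER_LONG and that the vserver capability mask is a single word; nothing in the hunk range-checks `cap`. If the vserver headers offer a helper that takes the capability number (the way `cap_raised()` does), prefer it; otherwise add `/* assumes cap < BITS_PER_LONG: kernel_cap_t is a single word here */` above the shift. The denial intentionally returns 0 without setting PF_SUPERPRIV or logging, which fits this function's nolog contract and, per the patch note, mirrors capable(); a one-line comment saying so would stop a future reader from "fixing" it. capable_nolog's body continues past the end of the hunk.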
39 ===
40 === let vserver block signals before grsec
41 ===
42 --- a/kernel/signal.c  2007-10-02 00:08:49.954483500 +0200
43 +++ b/kernel/signal.c  2007-10-02 00:24:31.969355750 +0200
44 @@ -553,6 +553,11 @@ static int check_kill_permission(int sig
45                         sig, info, t, vx_task_xid(t), t->pid, current->xid);
46                 return error;
47         }
48 +
49 +       error = -EPERM;
50 +       if (gr_handle_signal(t, sig))
51 +               return error;
52 +
53  skip:
54         return security_task_kill(t, info, sig, 0);
55  }
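Review bot: The added `gr_handle_signal()` check sits immediately above the `skip:` label, so every path that jumps to `skip` now bypasses grsec's signal policy as well as the vserver check that precedes it; the `goto skip` sites are outside this hunk, so confirm they are only the cases where skipping grsec is intended and record that with a comment such as `/* callers that goto skip are exempt from both the vserver and grsec checks */`. Separately, `error = -EPERM;` followed by `return error;` can simply be `return -EPERM;`, since error is not reused before the label. check_kill_permission starts before the hunk.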
56 ===
57 === vserver netlink protection
58 ===
59 --- a/security/commoncap.c~     2007-12-10 23:52:36.000000000 +0100
60 +++ a/security/commoncap.c      2007-12-11 01:43:04.426741000 +0100
61 @@ -27,7 +27,7 @@
62  
63  int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
64  {
65 -       NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
66 +       NETLINK_CB(skb).eff_cap = cap_intersect(gr_cap_rtnetlink(sk), vx_mbcaps(current->cap_effective));
67         return 0;
68  }
69  
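Review bot: The rewritten assignment mixes two subjects: `gr_cap_rtnetlink(sk)` derives capabilities from the socket while `vx_mbcaps(current->cap_effective)` uses the calling task; for a netlink send these are presumably the same task, but the line gives no hint, and a short comment such as `/* grsec's per-socket caps, further masked by the sender's vserver context caps */` would save the next reader a trip through the vserver headers. The line is also well over 80 columns; putting the two operands of `cap_intersect()` on separate lines would keep the intersection readable.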
70 ===
71 === vserver hooks in cap_capable_nolog
72 ===
73 --- i/security/commoncap.c1     2008-10-28 21:28:07.873037469 +0100
74 +++ i/security/commoncap.c      2008-10-28 21:36:20.429660261 +0100
75 @@ -76,8 +76,14 @@ int cap_capable (struct task_struct *tsk
76  
77  int cap_capable_nolog (struct task_struct *tsk, int cap)
78  {
79 +       struct vx_info *vxi = tsk->vx_info;
80 +       /* special case SETUP */  /* co to jest? - zbyniu */
81 +       if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) &&
82 +               cap_raised(tsk->cap_effective, cap))
83 +               return 0;
84 +
85         /* tsk = current for all callers */
86 -       if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
87 +       if (vx_cap_raised(vxi, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
88                 return 0;
89  
90         return -EPERM;
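Review bot: The new SETUP special case (`if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) && cap_raised(tsk->cap_effective, cap)) return 0;`) grants any raised capability before `gr_is_capable_nolog(cap)` is consulted, so grsec's capability policy is skipped entirely while a context is in setup state, and the comment beside it is an unresolved question in Polish (`co to jest?` = "what is this?") rather than a justification. Either confirm the bypass is intended and replace both comments with one that explains it, e.g. `/* During vserver context setup (VXF_STATE_SETUP) raised caps are honoured directly; grsec's capability policy is not consulted here. */`, or move the grsec check ahead of it. Also, `vxi` may be NULL for tasks outside any context; the hunk does not show whether `vx_info_flags()` and `vx_cap_raised()` tolerate that, so verify it. cap_capable_nolog's closing brace lies past the end of the hunk.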