4 diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
5 --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
6 +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
7 @@ -110,3 +110,20 @@ gr_is_capable_nolog(const int cap)
12 +gr_log_cap_pid(const int cap, const pid_t pid)
14 + struct task_struct *p;
16 + if (gr_acl_is_enabled()) {
17 + read_lock(&tasklist_lock);
18 + p = find_task_by_pid(pid);
21 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
24 + read_unlock(&tasklist_lock);
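Review bot: `captab_log[cap]` is indexed with the caller-supplied `cap` and no range check is visible in gr_log_cap_pid, and `p` from `find_task_by_pid(pid)` reaches `gr_log_cap` with no NULL test on the lines shown. The listing skips lines between the lookup and the log call, so a guard may already exist there; if it does not, a sender that has exited before the message is processed would hand a NULL task to the logger. A guard along the lines of `if (p && cap >= 0 && cap < ARRAY_SIZE(captab_log))` would cover both, assuming `captab_log` is an array in this file. The definition also takes `const pid_t pid` while the prototype added to grsecurity.h says `pid_t pid`; harmless, but the two should match.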
28 --- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
29 +++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
30 @@ -251,23 +251,24 @@ __u32
31 gr_cap_rtnetlink(struct sock *sock)
33 #ifdef CONFIG_GRKERNSEC
34 + struct acl_subject_label *curracl;
35 + __u32 cap_drop = 0, cap_mask = 0;
37 if (!gr_acl_is_enabled())
38 return current->cap_effective;
39 - else if (sock->sk_protocol == NETLINK_ISCSI &&
40 - cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
41 - gr_task_is_capable(current, CAP_SYS_ADMIN))
42 - return current->cap_effective;
43 - else if (sock->sk_protocol == NETLINK_AUDIT &&
44 - cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
45 - gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
46 - cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
47 - gr_task_is_capable(current, CAP_AUDIT_CONTROL))
48 - return current->cap_effective;
49 - else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
50 - gr_task_is_capable(current, CAP_NET_ADMIN))
51 - return current->cap_effective;
55 + curracl = current->acl;
57 + cap_drop = curracl->cap_lower;
58 + cap_mask = curracl->cap_mask;
60 + while ((curracl = curracl->parent_subject)) {
61 + cap_drop |= curracl->cap_lower & \
62 + (cap_mask & ~curracl->cap_mask);
63 + cap_mask |= curracl->cap_mask;
65 + return (current->cap_effective & ~(cap_drop & cap_mask));
68 return current->cap_effective;
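Review bot: The accumulation `cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);` selects bits that nearer subjects already have in `cap_mask` and that the parent does not, which looks inverted if `cap_mask` marks the capabilities a subject explicitly specifies. Under that reading a parent's `cap_lower` should count only for bits the parent specifies and no nearer subject does, i.e. `cap_drop |= curracl->cap_lower & (curracl->cap_mask & ~cap_mask);`. Please confirm against the inheritance walk in `gr_task_is_capable`, which the removed branches relied on. Whichever form is right, the loop needs a comment stating the rule, the `\` continuation is unnecessary inside a function body, and `current->acl` is dereferenced with no NULL check visible here. The function begins and ends outside the lines shown.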
70 diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
71 --- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000
72 +++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000
73 @@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
74 void gr_log_shmget(const int err, const int shmflg, const size_t size);
75 void gr_log_shmrm(const uid_t uid, const uid_t cuid);
76 void gr_log_textrel(struct vm_area_struct *vma);
77 +void gr_log_cap_pid(const int cap, pid_t pid);
79 int gr_handle_follow_link(const struct inode *parent,
80 const struct inode *inode,
81 diff -upr a/security/commoncap.c c/security/commoncap.c
82 --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
83 +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
86 int cap_netlink_recv(struct sk_buff *skb, int cap)
88 - if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
89 + if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
90 +#ifdef CONFIG_GRKERNSEC
91 + gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
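Review bot: `NETLINK_CREDS(skb)->pid` is the pid stored in the message credentials, and gr_log_cap_pid resolves it again with `find_task_by_pid` when the capability check fails, so the denial can be logged against no task at all or, after pid reuse, against an unrelated one. That limitation should be stated at the call site, for example `/* pid comes from the skb creds; the task it resolves to now is best-effort attribution */`, so the log entry is not read as authoritative. The closing `#endif` and the rest of cap_netlink_recv are not visible on this page.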
99 === cap_dac_ succession with capable_nolog
101 diff -upr a/fs./namei.c a/fs/namei.c
102 --- a/fs./namei.c 2008-04-05 01:23:49.741310000 +0200
103 +++ a/fs/namei.c 2008-04-05 14:36:39.350275977 +0200
104 @@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
108 + * Searching includes executable on directories, else just read.
110 + if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
111 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
115 * Read/write DACs are always overridable.
116 * Executable DACs are overridable if at least one exec bit is set.
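Review bot: Nothing in the moved block in generic_permission explains why `CAP_DAC_OVERRIDE` is now probed with `capable_nolog` ahead of `capable(CAP_DAC_READ_SEARCH)`, and the same reordering in exec_permission_lite (third hunk of this file) is equally unexplained. Extend the existing comment with something like `* CAP_DAC_OVERRIDE is tested silently first so that a denial is reported against the narrower CAP_DAC_READ_SEARCH.` The comment should also record the audit consequence: judging by the name, a read/search access granted through `capable_nolog(CAP_DAC_OVERRIDE)` leaves no capability log entry. The nested `if`s without braces would be safer merged into one condition with `&&`.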
118 @@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
119 if (capable(CAP_DAC_OVERRIDE))
123 - * Searching includes executable on directories, else just read.
125 - if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
126 - if (capable(CAP_DAC_READ_SEARCH))
132 @@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
136 - if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
137 + if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
140 - if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
141 + if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
144 - if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
145 + if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
150 diff -upr a/fs./xfs/xfs_inode.c a/fs/xfs/xfs_inode.c
151 --- a/fs./xfs/xfs_inode.c 2008-04-05 01:23:48.241413000 +0200
152 +++ a/fs/xfs/xfs_inode.c 2008-04-05 14:55:58.270625942 +0200
153 @@ -3663,20 +3663,16 @@ xfs_iaccess(
154 * Read/write DACs are always overridable.
155 * Executable DACs are overridable if at least one exec bit is set.
157 + if ((orgmode == S_IRUSR) ||
158 + (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR))))
159 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable_cred(cr, CAP_DAC_READ_SEARCH))
162 if (!(orgmode & S_IXUSR) ||
163 (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode))
164 if (capable_cred(cr, CAP_DAC_OVERRIDE))
167 - if ((orgmode == S_IRUSR) ||
168 - (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR)))) {
169 - if (capable_cred(cr, CAP_DAC_READ_SEARCH))
172 - cmn_err(CE_NOTE, "Ick: mode=%o, orgmode=%o", mode, orgmode);
174 - return XFS_ERROR(EACCES);
176 return XFS_ERROR(EACCES);
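Review bot: The added `capable_nolog(CAP_DAC_OVERRIDE)` takes no credential argument, while every other capability test visible in xfs_iaccess goes through `capable_cred(cr, ...)`. The new test therefore presumably evaluates the current task rather than `cr`. If `cr` can ever differ from the caller's credentials, read/search access would be granted on the wrong subject's capability. Either use a cred-aware silent variant if the tree has one, or add a comment such as `/* cr is always the caller's cred here, so checking current is equivalent */` once that has been verified. The function body extends beyond the hunk.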
180 === check if -fno-stack-protector is accessible
182 --- linux-2.6.24/arch/x86/kernel/Makefile_64~ 2008-04-16 21:15:48.278373002 +0000
183 +++ linux-2.6.24/arch/x86/kernel/Makefile_64 2008-04-16 21:18:33.833661431 +0000
188 -CFLAGS_vsyscall_64.o := $(PROFILING) -g0 -fno-stack-protector
189 -CFLAGS_hpet.o := -fno-stack-protector
190 -CFLAGS_tsc_64.o := -fno-stack-protector
191 +nostackp := $(call cc-option, -fno-stack-protector)
192 +CFLAGS_vsyscall_64.o := $(PROFILING) -g0 $(nostackp)
193 +CFLAGS_hpet.o := $(nostackp)
194 +CFLAGS_tsc_64.o := $(nostackp)