4 diff -urp a/grsecurity/gracl.c c/grsecurity/gracl.c
5 --- a/grsecurity/gracl.c 2007-12-10 23:52:36.040492750 +0100
6 +++ c/grsecurity/gracl.c 2007-12-11 00:32:38.094611750 +0100
7 @@ -329,7 +329,7 @@ to_gr_audit(const __u32 reqmode)
8 /* masks off auditable permission flags, then shifts them to create
9 auditing flags, and adds the special case of append auditing if
10 we're requesting write */
11 - return (((reqmode & GR_AUDIT_READ) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
12 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
15 struct acl_subject_label *
16 @@ -519,6 +519,35 @@ lookup_name_entry(const char *name)
20 +static struct name_entry *
21 +lookup_name_entry_create(const char *name)
23 + unsigned int len = strlen(name);
24 + unsigned int key = full_name_hash(name, len);
25 + unsigned int index = key % name_set.n_size;
26 + struct name_entry *match;
28 + match = name_set.n_hash[index];
30 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32 + match = match->next;
34 + if (match && match->deleted)
37 + match = name_set.n_hash[index];
39 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
41 + match = match->next;
43 + if (match && !match->deleted)
49 static struct inodev_entry *
50 lookup_inodev_entry(const ino_t ino, const dev_t dev)
52 @@ -584,7 +613,7 @@ insert_acl_role_label(struct acl_role_la
56 -insert_name_entry(char *name, const ino_t inode, const dev_t device)
57 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
59 struct name_entry **curr, *nentry;
60 struct inodev_entry *ientry;
61 @@ -613,6 +642,7 @@ insert_name_entry(char *name, const ino_
62 nentry->inode = inode;
63 nentry->device = device;
65 + nentry->deleted = deleted;
68 curr = &name_set.n_hash[index];
69 @@ -975,7 +1005,7 @@ copy_user_objs(struct acl_object_label *
71 insert_acl_obj_label(o_tmp, subj);
72 if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
74 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
77 ret = copy_user_glob(o_tmp);
78 @@ -1270,7 +1300,7 @@ do_copy_user_subj(struct acl_subject_lab
81 if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
83 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
84 return ERR_PTR(-ENOMEM);
87 @@ -1969,7 +1999,7 @@ gr_check_create(const struct dentry * ne
90 path = gr_to_filename_rbac(new_dentry, mnt);
91 - match = lookup_name_entry(path);
92 + match = lookup_name_entry_create(path);
96 @@ -2334,7 +2364,7 @@ gr_set_proc_label(const struct dentry *d
100 -do_handle_delete(const ino_t ino, const dev_t dev)
101 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
103 struct acl_object_label *matchpo;
104 struct acl_subject_label *matchps;
105 @@ -2355,18 +2385,23 @@ do_handle_delete(const ino_t ino, const
106 matchps->mode |= GR_DELETED;
107 FOR_EACH_ROLE_END(role,i)
109 + inodev->nentry->deleted = 1;
115 gr_handle_delete(const ino_t ino, const dev_t dev)
117 + struct inodev_entry *inodev;
119 if (unlikely(!(gr_status & GR_READY)))
122 write_lock(&gr_inode_lock);
123 - if (unlikely((unsigned long)lookup_inodev_entry(ino, dev)))
124 - do_handle_delete(ino, dev);
125 + inodev = lookup_inodev_entry(ino, dev);
126 + if (inodev != NULL)
127 + do_handle_delete(inodev, ino, dev);
128 write_unlock(&gr_inode_lock);
131 @@ -2460,11 +2495,12 @@ update_inodev_entry(const ino_t oldinode
132 match = inodev_set.i_hash[index];
134 while (match && (match->nentry->inode != oldinode ||
135 - match->nentry->device != olddevice))
136 + match->nentry->device != olddevice || !match->nentry->deleted))
139 if (match && (match->nentry->inode == oldinode)
140 - && (match->nentry->device == olddevice)) {
141 + && (match->nentry->device == olddevice) &&
142 + match->nentry->deleted) {
143 if (match->prev == NULL) {
144 inodev_set.i_hash[index] = match->next;
145 if (match->next != NULL)
146 @@ -2478,6 +2514,7 @@ update_inodev_entry(const ino_t oldinode
148 match->nentry->inode = newinode;
149 match->nentry->device = newdevice;
150 + match->nentry->deleted = 0;
152 insert_inodev_entry(match);
154 @@ -2546,6 +2583,7 @@ gr_handle_rename(struct inode *old_dir,
155 struct vfsmount *mnt, const __u8 replace)
157 struct name_entry *matchn;
158 + struct inodev_entry *inodev;
160 if (unlikely(!(gr_status & GR_READY)))
162 @@ -2559,17 +2597,17 @@ gr_handle_rename(struct inode *old_dir,
164 write_lock(&gr_inode_lock);
165 if (unlikely(replace && new_dentry->d_inode)) {
166 - if (unlikely(lookup_inodev_entry(new_dentry->d_inode->i_ino,
167 - new_dentry->d_inode->i_sb->s_dev) &&
168 - (old_dentry->d_inode->i_nlink <= 1)))
169 - do_handle_delete(new_dentry->d_inode->i_ino,
170 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
171 + new_dentry->d_inode->i_sb->s_dev);
172 + if (inodev != NULL && (new_dentry->d_inode->i_nlink<= 1))
173 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
174 new_dentry->d_inode->i_sb->s_dev);
177 - if (unlikely(lookup_inodev_entry(old_dentry->d_inode->i_ino,
178 - old_dentry->d_inode->i_sb->s_dev) &&
179 - (old_dentry->d_inode->i_nlink <= 1)))
180 - do_handle_delete(old_dentry->d_inode->i_ino,
181 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
182 + old_dentry->d_inode->i_sb->s_dev);
183 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
184 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
185 old_dentry->d_inode->i_sb->s_dev);
187 if (unlikely((unsigned long)matchn))
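Review bot: The widened mask in to_gr_audit, `(reqmode & ~GR_AUDITS) << 10`, now forwards every non-audit bit of reqmode into the shift, so its correctness depends on each such bit below the audit range being a permission whose audit counterpart sits exactly 10 bits higher, and on every higher bit (GR_DELETED is used as a mode bit elsewhere in this diff) being harmless when it is shifted out of the __u32; the hunk does not show the GR_* layout, so this is inferred. An explicit mask naming the auditable permissions, or at least a comment such as `/* every bit outside GR_AUDITS must be a permission whose audit flag is 10 bits up */`, would make that invariant visible at the point it is relied on. Separately, lookup_name_entry_create scans the same hash chain twice with loop conditions that are cut off in this rendering; a one-line comment stating which pass prefers live entries and which accepts deleted ones would help, since the function is new and undocumented.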
188 diff -urp a/include/linux/gracl.h c/include/linux/gracl.h
189 --- a/include/linux/gracl.h 2007-12-10 23:52:36.116497500 +0100
190 +++ c/include/linux/gracl.h 2007-12-11 00:31:52.947790250 +0100
191 @@ -52,6 +52,7 @@ struct name_entry {
196 struct name_entry *prev;
197 struct name_entry *next;
199 diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
200 --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
201 +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
202 @@ -111,3 +111,10 @@ gr_is_capable_nolog(const int cap)
207 +gr_log_cap_x(const int cap)
209 + if (gr_acl_is_enabled())
210 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, current, captab_log[cap]);
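Review bot: gr_log_cap_x indexes `captab_log[cap]` without checking that cap lies within the table, so a caller passing a negative or out-of-range capability number reads past the array; the only caller visible in this diff is cap_netlink_recv in security/commoncap.c, whose call site is outside the shown hunk, so whether every caller guarantees a valid index cannot be confirmed here. A guard before the lookup, `if (cap < 0 || cap >= ARRAY_SIZE(captab_log)) return;` (or the table's declared bound), keeps the logging helper safe regardless of caller. The function's return type and braces are not shown in this rendering, and a short comment stating that it logs a capability check only when RBAC is enabled would document the gr_acl_is_enabled() gate.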
213 diff -upr a/grsecurity/grsec_sock.c c/grsecurity/grsec_sock.c
214 --- a/grsecurity/grsec_sock.c 2007-12-01 00:54:57.316774750 +0000
215 +++ c/grsecurity/grsec_sock.c 2007-12-01 01:09:34.923621750 +0000
216 @@ -251,13 +251,24 @@ __u32
217 gr_cap_rtnetlink(void)
219 #ifdef CONFIG_GRKERNSEC
220 + struct acl_subject_label *curracl;
221 + __u32 cap_drop = 0, cap_mask = 0;
223 if (!gr_acl_is_enabled())
224 return current->cap_effective;
225 - else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
226 - gr_task_is_capable(current, CAP_NET_ADMIN))
227 - return current->cap_effective;
231 + curracl = current->acl;
233 + cap_drop = curracl->cap_lower;
234 + cap_mask = curracl->cap_mask;
236 + while ((curracl = curracl->parent_subject)) {
237 + cap_drop |= curracl->cap_lower & \
238 + (cap_mask & ~curracl->cap_mask);
239 + cap_mask |= curracl->cap_mask;
241 + return (current->cap_effective & ~(cap_drop & cap_mask));
244 return current->cap_effective;
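Review bot: The inheritance term in gr_cap_rtnetlink's walk up parent_subject, `cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);`, selects capabilities that the child chain has already specified and that the parent does not mask, which reads as the inverse of letting a parent's cap_lower apply only to capabilities not yet decided; if that is the intent, the term should be `curracl->cap_lower & (curracl->cap_mask & ~cap_mask)`. The hunk does not show the meaning of cap_mask and cap_lower, so this is inferred from the final `cap_effective & ~(cap_drop & cap_mask)`. `current->acl` is dereferenced right after the gr_acl_is_enabled() check; if that check does not guarantee a non-NULL acl, a NULL guard is needed before the walk. The backslash continuation on the `cap_drop |=` line is unnecessary outside a macro and should be dropped, and a comment explaining the walk (parents only contribute drops for capabilities the child has not masked) would make the rule auditable.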
246 diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
247 --- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000
248 +++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000
249 @@ -62,6 +62,7 @@ void gr_log_semrm(const uid_t uid, const
250 void gr_log_shmget(const int err, const int shmflg, const size_t size);
251 void gr_log_shmrm(const uid_t uid, const uid_t cuid);
252 void gr_log_textrel(struct vm_area_struct *vma);
253 +void gr_log_cap_x(const int cap);
255 int gr_handle_follow_link(const struct inode *parent,
256 const struct inode *inode,
257 diff -upr a/security/commoncap.c c/security/commoncap.c
258 --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
259 +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
260 @@ -35,8 +35,10 @@ EXPORT_SYMBOL(cap_netlink_send);
262 int cap_netlink_recv(struct sk_buff *skb, int cap)
264 - if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
265 + if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {