- conflicts with util-vserver tools with broken vprocunhide
1 netlink
2 cap_dac*
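diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c    2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c    2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
        return 0;
 }
 
+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+       struct task_struct *p;
+
+       if (gr_acl_is_enabled()) {
+               read_lock(&tasklist_lock);
+               p = find_task_by_vpid(pid);
+               if (p) {
+                       get_task_struct(p);
+                       gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+               }
+               read_unlock(&tasklist_lock);
+       }
+       return;
+}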
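Review bot: `get_task_struct(p)` in gr_log_cap_pid() has no matching `put_task_struct(p)`, so every call that finds the task leaves its reference count raised and the task_struct can never be freed. The caller added in security/commoncap.c runs this helper for each netlink message rejected for a missing capability, so repeated denials accumulate leaked references. Because the lookup and the log call both happen under `read_lock(&tasklist_lock)`, the extra reference is probably unnecessary: either delete the `get_task_struct(p);` line or add `put_task_struct(p);` right after the `gr_log_cap(...)` call. `captab_log[cap]` is also indexed without a range check on `cap`; the size of that table is not visible here.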
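--- a/grsecurity/grsec_sock.c   2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c   2008-03-24 00:27:01.971671763 +0100
@@ -251,23 +251,26 @@ __u32
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+       struct acl_subject_label *curracl;
+       kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
        if (!gr_acl_is_enabled())
                return current->cap_effective;
-       else if (sock->sk_protocol == NETLINK_ISCSI &&
-                cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
-                gr_task_is_capable(current, CAP_SYS_ADMIN))
-               return current->cap_effective;
-       else if (sock->sk_protocol == NETLINK_AUDIT &&
-                cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
-                gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
-                cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
-                gr_task_is_capable(current, CAP_AUDIT_CONTROL))
-               return current->cap_effective;
-       else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
-                gr_task_is_capable(current, CAP_NET_ADMIN))
-               return current->cap_effective;
-       else
-               return __cap_empty_set;
+       else {
+               curracl = current->acl;
+
+               cap_dropp  = curracl->cap_lower;
+               cap_mask = curracl->cap_mask;
+
+               while ((curracl = curracl->parent_subject)) {
+                       cap_dropp = cap_combine(cap_dropp,
+                                   cap_intersect(curracl->cap_lower,
+                                   cap_drop(cap_mask, curracl->cap_mask)));
+                       cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+               }
+               return cap_drop(current->cap_effective,
+                               cap_intersect(cap_dropp, cap_mask));
+       }
 #else
        return current->cap_effective;
 #endif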
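Review bot: In the `while` loop added to gr_cap_rtnetlink(), `cap_drop(cap_mask, curracl->cap_mask)` yields the bits already decided by nearer subjects that the parent does not mention (mainline `cap_drop(a, drop)` is `a & ~drop`), which looks inverted for an inheritance walk. If a subject's `cap_lower` is always contained in its `cap_mask`, the intersection with `curracl->cap_lower` is then always empty, so capabilities lowered by parent subjects are never removed and the set handed to netlink receivers is wider than the policy intends. The intended term is probably `cap_drop(curracl->cap_mask, cap_mask)`; this should be confirmed against the subject-chain walk used by the other capability checks, which is not shown here. `current->acl` is also dereferenced on the strength of `gr_acl_is_enabled()` alone, and the function's closing lines lie outside the hunk.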
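diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
--- a/include/linux/grsecurity.h        2007-12-01 00:54:57.224769000 +0000
+++ c/include/linux/grsecurity.h        2007-12-01 01:09:34.923621750 +0000
@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
 void gr_log_shmget(const int err, const int shmflg, const size_t size);
 void gr_log_shmrm(const uid_t uid, const uid_t cuid);
 void gr_log_textrel(struct vm_area_struct *vma);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
                                 const struct inode *inode,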
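diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c      2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c      2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-       if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+       if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+               gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
                return -EPERM;
+       }
        return 0;
 }
 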
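Review bot: The pid passed to `gr_log_cap_pid()` in cap_netlink_recv() comes from `NETLINK_CREDS(skb)->pid`, which was recorded when the message was sent, while the helper resolves it later with `find_task_by_vpid()`. If the sender has exited and the pid has been reused, or the lookup runs in a different pid namespace from the sender's, the denial is logged against an unrelated task or not at all, which weakens the entry as an audit record. A comment at the call, for example `/* best effort: sender pid may be stale by the time it is resolved */`, would document that limit. Nothing visible here rate-limits the log line, so it is worth confirming that gr_log_cap() does.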
98 ===
99 === cap_dac_ succession with capable_nolog
100 ===
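diff -upr a/fs./namei.c a/fs/namei.c
--- a/fs./namei.c       2008-04-05 01:23:49.741310000 +0200
+++ a/fs/namei.c        2008-04-05 14:36:39.350275977 +0200
@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
 
  check_capabilities:
        /*
+        * Searching includes executable on directories, else just read.
+        */
+       if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+               if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
+                       return 0;
+
+       /*
         * Read/write DACs are always overridable.
         * Executable DACs are overridable if at least one exec bit is set.
         */
@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
                if (capable(CAP_DAC_OVERRIDE))
                        return 0;
 
-       /*
-        * Searching includes executable on directories, else just read.
-        */
-       if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
-               if (capable(CAP_DAC_READ_SEARCH))
-                       return 0;
-
        return -EACCES;
 }
 
@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
        if (mode & MAY_EXEC)
                goto ok;
 
-       if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
+       if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
                goto ok;
 
-       if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
+       if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
                goto ok;
 
-       if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
+       if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
                goto ok;
 
        return -EACCES;
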
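Review bot: In the block added at `check_capabilities:` in generic_permission(), `capable_nolog(CAP_DAC_OVERRIDE)` is tried before `capable(CAP_DAC_READ_SEARCH)` with no comment saying why, and the moved comment still describes only the search case. A line such as `/* probe CAP_DAC_OVERRIDE silently first so a task that only holds CAP_DAC_READ_SEARCH does not produce a denial log entry */` would record the intent, assuming that is what capable_nolog() is for. When both tests fail, control appears to fall through to the existing `capable(CAP_DAC_OVERRIDE)` test below, so a denied read can still be logged against both capabilities; the condition guarding that test lies outside the hunks. The same ordering is applied in exec_permission_lite() in the third hunk, and both functions start outside the visible lines.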
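--- linux-2.6.27/arch/powerpc/include/asm/kmap_types.h.org      2008-11-02 22:06:42.000000000 +0000
+++ linux-2.6.27/arch/powerpc/include/asm/kmap_types.h  2008-11-02 22:05:35.000000000 +0000
@@ -26,6 +26,7 @@
        KM_SOFTIRQ1,
        KM_PPC_SYNC_PAGE,
        KM_PPC_SYNC_ICACHE,
+       KM_CLEARPAGE,
        KM_TYPE_NR
 };
 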