- updated for 2.6.32.56

[packages/kernel.git] / kernel-grsec_fixes.patch

diff --git a/kernel-grsec_fixes.patch b/kernel-grsec_fixes.patch
index 995fa76eca7404116c3a33cfee7c30cac5fdea3a..12fe2311effc6d533f1b7029cf130c258cfbfce6 100644 (file)
--- a/kernel-grsec_fixes.patch
+++ b/kernel-grsec_fixes.patch
@@ -25,7 +25,7 @@ diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
 +}
 --- a/grsecurity/grsec_sock.c  2008-03-24 00:24:22.482633101 +0100
 +++ c/grsecurity/grsec_sock.c  2008-03-24 00:27:01.971671763 +0100
-@@ -247,23 +247,26 @@
+@@ -247,25 +247,26 @@
  gr_cap_rtnetlink(struct sock *sock)
  {
  #ifdef CONFIG_GRKERNSEC
@@ -45,7 +45,9 @@ diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
 -               gr_is_capable(CAP_AUDIT_CONTROL))
 -              return current_cap();
 -      else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
--               gr_is_capable(CAP_NET_ADMIN))
+-               ((sock->sk_protocol == NETLINK_ROUTE) ? 
+-                gr_is_capable_nolog(CAP_NET_ADMIN) : 
+-                gr_is_capable(CAP_NET_ADMIN)))
 -              return current_cap();
 -      else
 -              return __cap_empty_set;
@@ -71,9 +73,9 @@ diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
 --- a/include/linux/grsecurity.h       2007-12-01 00:54:57.224769000 +0000
 +++ c/include/linux/grsecurity.h       2007-12-01 01:09:34.923621750 +0000
 @@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
- void gr_log_shmget(const int err, const int shmflg, const size_t size);
- void gr_log_shmrm(const uid_t uid, const uid_t cuid);
  void gr_log_textrel(struct vm_area_struct *vma);
+ void gr_log_rwxmmap(struct file *file);
+ void gr_log_rwxmprotect(struct file *file);
 +void gr_log_cap_pid(const int cap, pid_t pid);
  
  int gr_handle_follow_link(const struct inode *parent,
@@ -95,55 +97,56 @@ diff -upr a/security/commoncap.c c/security/commoncap.c
        return 0;
  }
  
-===
-=== cap_dac_ succession with capable_nolog
-===
-diff -upr a/fs./namei.c a/fs/namei.c
---- a/fs./namei.c      2008-04-05 01:23:49.741310000 +0200
-+++ a/fs/namei.c       2008-04-05 14:36:39.350275977 +0200
-@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
+--- linux-2.6.30/kernel/vserver/context.c~     2009-07-31 12:07:52.365267958 +0200
++++ linux-2.6.30/kernel/vserver/context.c      2009-07-31 12:43:04.991723596 +0200
+@@ -122,7 +122,7 @@
+       // preconfig fs entries
+       for (index = 0; index < VX_SPACES; index++) {
+               write_lock(&init_fs.lock);
+-              init_fs.users++;
++              atomic_inc(&init_fs.users);
+               write_unlock(&init_fs.lock);
+               new->vx_fs[index] = &init_fs;
+       }
+@@ -196,7 +196,7 @@
  
-  check_capabilities:
-       /*
-+       * Searching includes executable on directories, else just read.
-+       */
-+      if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
-+              if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
-+                      return 0;
-+
-+      /*
-        * Read/write DACs are always overridable.
-        * Executable DACs are overridable if at least one exec bit is set.
-        */
-@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
-               if (capable(CAP_DAC_OVERRIDE))
-                       return 0;
- 
--      /*
--       * Searching includes executable on directories, else just read.
--       */
--      if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
--              if (capable(CAP_DAC_READ_SEARCH))
--                      return 0;
--
-       return -EACCES;
- }
+               fs = xchg(&vxi->vx_fs[index], NULL);
+               write_lock(&fs->lock);
+-              kill = !--fs->users;
++              kill = !atomic_dec_return(&fs->users);
+               write_unlock(&fs->lock);
+               if (kill)
+                       free_fs_struct(fs);
+--- linux-2.6.30/kernel/vserver/space.c~       2009-07-31 12:07:52.398601243 +0200
++++ linux-2.6.30/kernel/vserver/space.c        2009-07-31 12:47:48.638394441 +0200
+@@ -220,7 +220,7 @@
+       if (mask & CLONE_FS) {
+               write_lock(&fs_cur->lock);
+               current->fs = fs;
+-              kill = !--fs_cur->users;
++              kill = !atomic_dec_return(&fs_cur->users);
+               write_unlock(&fs_cur->lock);
+       }
  
-@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
-       if (mode & MAY_EXEC)
-               goto ok;
+@@ -278,7 +278,7 @@
+       if (mask & CLONE_FS) {
+               write_lock(&fs_vxi->lock);
+               vxi->vx_fs[index] = fs;
+-              kill = !--fs_vxi->users;
++              kill = !atomic_dec_return(&fs_vxi->users);
+               write_unlock(&fs_vxi->lock);
+       }
  
--      if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
-+      if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
-               goto ok;
+--- linux-2.6.28/fs/proc/Kconfig~       2008-11-20 23:26:34.000000000 +0100
++++ linux-2.6.28/fs/proc/Kconfig        2008-12-01 20:37:12.000000000 +0100
+@@ -59,8 +59,8 @@
+         limited in memory.
  
--      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
-+      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
-               goto ok;
- 
--      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
-+      if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
-               goto ok;
- 
-       return -EACCES;
-
+ config PROC_PAGE_MONITOR
+-      default n
+-      depends on PROC_FS && MMU && !GRKERNSEC
++      default y
++      depends on PROC_FS && MMU
+       bool "Enable /proc page monitoring" if EMBEDDED
+       help
+         Various /proc files exist to monitor process memory utilization: