grsec with no socket server group blocks bind but we allow accept

author Arkadiusz Miśkiewicz <arekm@maven.pl>

Tue, 6 Jul 2010 12:53:42 +0000 (12:53 +0000)

committer cvs2git <feedback@pld-linux.org>

Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
author Arkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 6 Jul 2010 12:53:42 +0000 (12:53 +0000)
committer cvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
diff --git a/kernel-grsec_fixes.patch b/kernel-grsec_fixes.patch

index c14da5bd21acc0e4dab8711e3444a567599ee07d..cd07fe94168ee73cc1df0cbfdb6c92d4f3913f3f 100644 (file)
--- a/kernel-grsec_fixes.patch
+++ b/kernel-grsec_fixes.patch
@@ -172,3 +172,24 @@ diff -upr a/security/commoncap.c c/security/commoncap.c
         spin_unlock(&dev->count_lock);
         return can_switch;
   }
+--- linux-2.6.34/net/socket.c~ 2010-07-06 13:40:05.892545375 +0200
++++ linux-2.6.34/net/socket.c  2010-07-06 14:53:01.074608654 +0200
+@@ -1573,18 +1573,6 @@
+       newsock->type = sock->type;
+       newsock->ops = sock->ops;
+ 
+-      if (gr_handle_sock_server_other(sock->sk)) {
+-              err = -EPERM;
+-              sock_release(newsock);
+-              goto out_put;
+-      }
+-
+-      err = gr_search_accept(sock);
+-      if (err) {
+-              sock_release(newsock);
+-              goto out_put;
+-      }
+-
+       /*
+        * We don't need try_module_get here, as the listening socket (sock)
+        * has the protocol module (sock->ops->owner) held.
author	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Tue, 6 Jul 2010 12:53:42 +0000 (12:53 +0000)
committer	cvs2git <feedback@pld-linux.org>
	Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)