From b79bc5844ea42652036122d615aad66a83d9f933 Mon Sep 17 00:00:00 2001
From: zbyniu
Date: Mon, 19 May 2008 10:03:53 +0000
Subject: [PATCH] - pldized
Changed files:
kernel-grsec_full.patch -> 1.1.2.35
linux-2.6-grsec_full.patch -> 1.1.2.35
---
kernel-grsec_full.patch | 289 ++++++++++++++++---------------------
linux-2.6-grsec_full.patch | 289 ++++++++++++++++---------------------
2 files changed, 252 insertions(+), 326 deletions(-)
diff --git a/kernel-grsec_full.patch b/kernel-grsec_full.patch
index e6fe34b7..d1b1828d 100644
--- a/kernel-grsec_full.patch
+++ b/kernel-grsec_full.patch
@@ -39,9 +39,9 @@ diff -urNp linux-2.6.25.4/arch/alpha/kernel/ptrace.c linux-2.6.25.4/arch/alpha/k
--- linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-18 13:33:13.000000000 -0400
@@ -15,6 +15,7 @@
- #include #include #include + #include +#include #include
@@ -465,9 +465,9 @@ diff -urNp linux-2.6.25.4/arch/ia64/mm/fault.c linux-2.6.25.4/arch/ia64/mm/fault
--- linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-18 13:33:14.000000000 -0400
@@ -10,6 +10,7 @@
- #include #include #include + #include +#include #include
@@ -9437,7 +9437,7 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/extable.c linux-2.6.25.4/arch/x86/mm/extab
#ifdef CONFIG_PNPBIOS
- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
-+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
++ if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
extern u32 pnp_bios_is_utter_crap;
pnp_bios_is_utter_crap = 1;
@@ -9445,9 +9445,9 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/fault.c linux-2.6.25.4/arch/x86/mm/fault.c
--- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400
@@ -25,6 +25,9 @@ - #include #include #include + #include +#include +#include +#include @@ -13603,9 +13603,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_aout.c linux-2.6.25.4/fs/binfmt_aout.c --- linux-2.6.25.4/fs/binfmt_aout.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/binfmt_aout.c 2008-05-18 13:33:16.000000000 -0400 @@ -24,6 +24,7 @@ - #include #include #include + #include +#include #include @@ -13684,9 +13684,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_elf.c linux-2.6.25.4/fs/binfmt_elf.c --- linux-2.6.25.4/fs/binfmt_elf.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/binfmt_elf.c 2008-05-18 13:33:16.000000000 -0400 @@ -39,10 +39,16 @@ - #include #include #include + #include +#include + #include 
@@ -14803,15 +14803,15 @@ diff -urNp linux-2.6.25.4/fs/ext2/balloc.c linux-2.6.25.4/fs/ext2/balloc.c diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c --- linux-2.6.25.4/fs/ext3/balloc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext3/balloc.c 2008-05-18 13:33:16.000000000 -0400 -@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e + DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks); - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter); - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count); -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) && -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) && + cond = (free_blocks < root_blocks + 1 && +- !capable(CAP_SYS_RESOURCE) && ++ !capable_nolog(CAP_SYS_RESOURCE) && sbi->s_resuid != current->fsuid && - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) { - return 0; + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))); + diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c --- linux-2.6.25.4/fs/ext3/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext3/namei.c 2008-05-18 13:33:16.000000000 -0400 
@@ -14844,15 +14844,15 @@ diff -urNp linux-2.6.25.4/fs/ext3/xattr.c linux-2.6.25.4/fs/ext3/xattr.c diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c --- linux-2.6.25.4/fs/ext4/balloc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext4/balloc.c 2008-05-18 13:33:16.000000000 -0400 -@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e +@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e + DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks); - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter); - root_blocks = ext4_r_blocks_count(sbi->s_es); -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) && -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) && + cond = (free_blocks < root_blocks + 1 && +- !capable(CAP_SYS_RESOURCE) && ++ !capable_nolog(CAP_SYS_RESOURCE) && sbi->s_resuid != current->fsuid && - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) { - return 0; + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))); + diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c --- linux-2.6.25.4/fs/ext4/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext4/namei.c 2008-05-18 13:33:16.000000000 -0400 @@ -14872,9 +14872,9 @@ diff -urNp linux-2.6.25.4/fs/fcntl.c linux-2.6.25.4/fs/fcntl.c --- linux-2.6.25.4/fs/fcntl.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/fcntl.c 2008-05-18 13:33:16.000000000 -0400 @@ -19,6 +19,7 @@ - #include #include #include + #include +#include #include @@ -15169,9 +15169,9 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c --- linux-2.6.25.4/fs/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/namei.c 2008-05-18 13:33:16.000000000 -0400 @@ -30,6 +30,7 @@ - #include - #include - #include + #include + #include + #include +#include #include #include 
@@ -15332,7 +15332,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current->fs->umask; - error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); + error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd); + + if (!error) + gr_handle_create(dentry, nd.path.mnt); @@ -15366,7 +15366,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + } + } + - error = vfs_rmdir(nd.path.dentry->d_inode, dentry); + error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd); + if (!error && (saved_dev || saved_ino)) + gr_handle_delete(saved_ino, saved_dev); +dput_exit2: @@ -15402,16 +15402,16 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + error = -EACCES; + atomic_inc(&inode->i_count); -- error = vfs_unlink(nd.path.dentry->d_inode, dentry); +- error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd); + } + if (!error) -+ error = vfs_unlink(nd.path.dentry->d_inode, dentry); ++ error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd); + if (!error && (saved_ino || saved_dev)) + gr_handle_delete(saved_ino, saved_dev); exit2: dput(dentry); } -@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char +@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char if (IS_ERR(dentry)) goto out_unlock; @@ -15420,7 +15420,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + goto out_dput_unlock; + } + - error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO); + error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, + S_IALLUGO, &nd); + + if (!error) + gr_handle_create(dentry, nd.path.mnt); 
@@ -15429,7 +15430,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c dput(dentry); out_unlock: mutex_unlock(&nd.path.dentry->d_inode->i_mutex); -@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c +@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; @@ -15447,7 +15448,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + goto out_unlock_dput; + } + - error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry); + error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, + new_dentry, &nd); + + if (!error) + gr_handle_create(new_dentry, nd.path.mnt); @@ -15478,9 +15480,9 @@ diff -urNp linux-2.6.25.4/fs/namespace.c linux-2.6.25.4/fs/namespace.c --- linux-2.6.25.4/fs/namespace.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/namespace.c 2008-05-18 13:33:16.000000000 -0400 @@ -26,6 +26,7 @@ - #include - #include - #include + #include + #include + #include +#include #include #include @@ -15849,9 +15851,9 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c --- linux-2.6.25.4/fs/open.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/open.c 2008-05-18 13:33:16.000000000 -0400 @@ -27,6 +27,7 @@ - #include - #include - #include + #include + #include + #include +#include int vfs_statfs(struct dentry *dentry, struct kstatfs *buf) @@ -15961,15 +15963,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.path.dentry, &newattrs); -@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u - return sys_fchmodat(AT_FDCWD, filename, mode); - } - --static int chown_common(struct dentry * dentry, uid_t user, gid_t group) -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) - { - struct inode * inode; - int error; 
@@ -644,6 +693,12 @@ static int chown_common(struct dentry * error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) @@ -15983,42 +15976,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { newattrs.ia_valid |= ATTR_UID; -@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u - error = user_path_walk(filename, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co - error = __user_walk_fd(dfd, filename, follow, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __ - error = user_path_walk_link(filename, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int - - dentry = file->f_path.dentry; - audit_inode(NULL, dentry); -- error = chown_common(dentry, user, group); -+ error = chown_common(dentry, user, group, file->f_path.mnt); - fput(file); - out: - return error; @@ -948,6 +1003,7 @@ repeat: * N.B. For clone tasks sharing a files structure, this test * will limit the total number of files that can be opened. @@ -16073,7 +16030,7 @@ diff -urNp linux-2.6.25.4/fs/proc/array.c linux-2.6.25.4/fs/proc/array.c +} +#endif + - int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, + int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { @@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m, 
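Review bot: In the fs/open.c hunks at 15961 and 15983 the commit drops the grsec hunks that added `struct vfsmount *mnt` to chown_common() and passed `nd.path.mnt` / `file->f_path.mnt` at its four callers, while the inner `@@ -644,6 +693,12 @@` hunk inside chown_common() is kept; if the six lines that hunk adds (outside this view) reference `mnt`, the patch now builds only against a base kernel whose chown_common() already carries that parameter. Nothing in the commit message or the patch records that dependency. A one-line note in the patch header, or in the commit message, naming the base patch that now provides the parameter would save the next rebase from rediscovering it.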
@@ -16155,9 +16112,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c --- linux-2.6.25.4/fs/proc/base.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/base.c 2008-05-18 13:33:16.000000000 -0400 @@ -76,6 +76,8 @@ - #include - #include #include + #include + #include +#include + #include "internal.h" @@ -16221,8 +16178,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c inode->i_gid = task->egid; +#endif } - security_task_to_inode(task, inode); - + /* procfs is xid tagged */ + inode->i_tag = (tag_t)vx_task_xid(task); @@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount * { struct inode *inode = dentry->d_inode; @@ -16324,9 +16281,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)) + goto out; + - /* - * Yes, it does not scale. And it should not. Don't add - * new entries into /proc// without very good reasons. + /* TODO: maybe we can come up with a generic approach? */ + if (task_vx_flags(task, VXF_HIDE_VINFO, 0) && + (dentry->d_name.len == 5) && @@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi if (!task) goto out_no_task; @@ -16348,9 +16305,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c out: @@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_ - #ifdef CONFIG_TASK_IO_ACCOUNTING INF("io", S_IRUGO, pid_io_accounting), #endif + ONE("nsproxy", S_IRUGO, pid_nsproxy), +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + INF("ipaddr", S_IRUSR, pid_ipaddr), +#endif @@ -16387,7 +16344,7 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c 
@@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp, { unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); + struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode); +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + struct task_struct *tmp = current; +#endif @@ -16410,8 +16367,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c + continue; + filp->f_pos = iter.tgid + TGID_OFFSET; - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) { - put_task_struct(iter.task); + if (!vx_proc_task_visible(iter.task)) + continue; diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c --- linux-2.6.25.4/fs/proc/inode.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/inode.c 2008-05-18 13:33:16.000000000 -0400 @@ -16425,22 +16382,22 @@ diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c inode->i_gid = de->gid; +#endif } - if (de->size) - inode->i_size = de->size; + if (de->vx_flags) + PROC_I(inode)->vx_flags = de->vx_flags; diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h --- linux-2.6.25.4/fs/proc/internal.h 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/internal.h 2008-05-18 13:33:16.000000000 -0400 
@@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi struct pid *pid, struct task_struct *task); - extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task); +#endif + extern loff_t mem_lseek(struct file *file, loff_t offset, int orig); - extern const struct file_operations proc_maps_operations; diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c --- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400 @@ -16616,9 +16573,9 @@ diff -urNp linux-2.6.25.4/fs/proc/root.c linux-2.6.25.4/fs/proc/root.c +#else proc_bus = proc_mkdir("bus", NULL); +#endif + proc_vx_init(); proc_sys_init(); } - diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c --- linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-18 13:33:16.000000000 -0400 @@ -16979,9 +16936,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c --- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400 @@ -7,6 +7,7 @@ - #include - #include #include + #include + #include +#include #include #include @@ -16994,7 +16951,7 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c struct inode *inode; struct iattr newattrs; struct file *f = NULL; -@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil +@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil if (!f) goto out; dentry = f->f_path.dentry; 
@@ -17002,8 +16959,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c } else { error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd); if (error) - goto out; - +@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil + if (error) + goto dput_and_out; dentry = nd.path.dentry; + mnt = nd.path.mnt; } @@ -30157,9 +30115,9 @@ diff -urNp linux-2.6.25.4/ipc/msg.c linux-2.6.25.4/ipc/msg.c --- linux-2.6.25.4/ipc/msg.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/msg.c 2008-05-18 13:33:17.000000000 -0400 @@ -37,6 +37,7 @@ - #include #include #include + #include +#include #include @@ -30197,9 +30155,9 @@ diff -urNp linux-2.6.25.4/ipc/sem.c linux-2.6.25.4/ipc/sem.c --- linux-2.6.25.4/ipc/sem.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/sem.c 2008-05-18 13:33:17.000000000 -0400 @@ -83,6 +83,7 @@ - #include - #include #include + #include + #include +#include #include @@ -30237,9 +30195,9 @@ diff -urNp linux-2.6.25.4/ipc/shm.c linux-2.6.25.4/ipc/shm.c --- linux-2.6.25.4/ipc/shm.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/shm.c 2008-05-18 13:33:17.000000000 -0400 @@ -39,6 +39,7 @@ - #include - #include #include + #include + #include +#include #include @@ -30342,14 +30300,14 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c --- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400 @@ -13,6 +13,7 @@ - #include #include #include + #include +#include #include /* -@@ -328,15 +329,25 @@ out: +@@ -331,13 +332,22 @@ out: int __capable(struct task_struct *t, int cap) { @@ -30370,8 +30328,10 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c + return 0; +} + + #include int capable(int cap) { +@@ -347,3 +357,4 @@ int capable(int cap) return __capable(current, cap); } EXPORT_SYMBOL(capable); 
@@ -30421,9 +30381,9 @@ diff -urNp linux-2.6.25.4/kernel/exit.c linux-2.6.25.4/kernel/exit.c --- linux-2.6.25.4/kernel/exit.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/exit.c 2008-05-18 13:33:17.000000000 -0400 @@ -44,6 +44,11 @@ - #include - #include - #include + #include + #include + #include +#include + +#ifdef CONFIG_GRKERNSEC @@ -30505,9 +30465,9 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c --- linux-2.6.25.4/kernel/fork.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/fork.c 2008-05-18 13:33:17.000000000 -0400 @@ -53,6 +53,7 @@ - #include - #include - #include + #include + #include + #include +#include #include @@ -30530,8 +30490,8 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c + mm->free_area_cache = oldmm->free_area_cache; + mm->cached_hole_size = oldmm->cached_hole_size; mm->map_count = 0; - cpus_clear(mm->cpu_vm_mask); - mm->mm_rb = RB_ROOT; + __set_mm_counter(mm, file_rss, 0); + __set_mm_counter(mm, anon_rss, 0); @@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm tmp->vm_flags &= ~VM_LOCKED; tmp->vm_mm = mm; @@ -30591,15 +30551,15 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c } @@ -1046,6 +1073,9 @@ static struct task_struct *copy_process( + DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled); DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif - retval = -EAGAIN; + + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0); + - if (atomic_read(&p->user->processes) >= - p->signal->rlim[RLIMIT_NPROC].rlim_cur) { - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && + init_vx_info(&p->vx_info, current->vx_info); + init_nx_info(&p->nx_info, current->nx_info); + @@ -1212,6 +1242,8 @@ static struct task_struct *copy_process( if (clone_flags & CLONE_THREAD) p->tgid = current->tgid; 
@@ -31321,9 +31281,9 @@ diff -urNp linux-2.6.25.4/kernel/pid.c linux-2.6.25.4/kernel/pid.c --- linux-2.6.25.4/kernel/pid.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/pid.c 2008-05-18 13:33:17.000000000 -0400 @@ -35,6 +35,7 @@ - #include - #include #include + #include + #include +#include #define pid_hashfn(nr, ns) \ @@ -31388,16 +31348,16 @@ diff -urNp linux-2.6.25.4/kernel/printk.c linux-2.6.25.4/kernel/printk.c --- linux-2.6.25.4/kernel/printk.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/printk.c 2008-05-18 13:33:17.000000000 -0400 @@ -32,6 +32,7 @@ - #include #include #include + #include +#include #include @@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf char c; - int error = 0; + int error; +#ifdef CONFIG_GRKERNSEC_DMESG + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)) @@ -31411,9 +31371,9 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c --- linux-2.6.25.4/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/ptrace.c 2008-05-18 13:33:17.000000000 -0400 @@ -21,6 +21,7 @@ - #include #include #include + #include +#include #include @@ -31431,8 +31391,8 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c - if (!dumpable && !capable(CAP_SYS_PTRACE)) + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE)) return -EPERM; - - return security_ptrace(current, task); + if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT)) + return -EPERM; @@ -203,7 +204,7 @@ repeat: /* Go */ @@ -31501,9 +31461,9 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c --- linux-2.6.25.4/kernel/sched.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/sched.c 2008-05-18 13:33:17.000000000 -0400 @@ -66,6 +66,7 @@ - #include - #include #include + #include + #include +#include #include 
@@ -31515,7 +31475,7 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c - if (increment < 0 && !can_nice(current, nice)) + if (increment < 0 && (!can_nice(current, nice) || + gr_handle_chroot_nice())) - return -EPERM; + return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM; retval = security_task_setnice(current, nice); @@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = { @@ -31545,8 +31505,8 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c #include +#include #include - - #include + #include + #include @@ -540,7 +541,9 @@ static int check_kill_permission(int sig && (current->euid ^ t->suid) && (current->euid ^ t->uid) && (current->uid ^ t->suid) && (current->uid ^ t->uid) @@ -31557,7 +31517,7 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c + return error; } - return security_task_kill(t, info, sig, 0); + error = -ESRCH; @@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign __setup("print-fatal-signals=", setup_print_fatal_signals); @@ -31931,7 +31891,7 @@ diff -urNp linux-2.6.25.4/kernel/time.c linux-2.6.25.4/kernel/time.c @@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user return err; - do_settimeofday(&tv); + vx_settimeofday(&tv); + + gr_log_timechange(); + @@ -32685,9 +32645,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c --- linux-2.6.25.4/mm/mlock.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/mm/mlock.c 2008-05-18 13:33:17.000000000 -0400 @@ -12,6 +12,7 @@ - #include #include #include + #include +#include int can_do_mlock(void) @@ -32717,7 +32677,7 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1); if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) error = do_mlock(start, len, 1); - up_write(¤t->mm->mmap_sem); + out: @@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon static int do_mlockall(int flags) { 
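Review bot: In the kernel/sched.c sys_nice hunk the grsec chroot check is folded into the same condition as can_nice(), `if (increment < 0 && (!can_nice(current, nice) || gr_handle_chroot_nice()))`, but the return that follows is the vserver one, `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, so in a context with VXF_IGNEG_NICE set a grsec chroot-nice denial is reported to the caller as success. The nice value is left untouched either way, so only the error code differs, but gr_handle_chroot_nice() presumably records a denial that the process then never sees. If the grsec denial is meant to stay hard, test it on its own before the vserver-flavoured check, `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`, and leave the `can_nice()` line as the base has it. sys_nice's body starts and ends outside the hunk.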
@@ -32749,9 +32709,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c ret = -ENOMEM; + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1); + if (!vx_vmlocked_avail(current->mm, current->mm->total_vm)) + goto out; if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) || - capable(CAP_IPC_LOCK)) - ret = do_mlockall(flags); diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c --- linux-2.6.25.4/mm/mmap.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/mm/mmap.c 2008-05-18 13:33:17.000000000 -0400 @@ -33170,11 +33130,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c + } out: - mm->total_vm += len >> PAGE_SHIFT; + vx_vmpages_add(mm, len >> PAGE_SHIFT); vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); + track_exec_limit(mm, addr, addr + len, vm_flags); if (vm_flags & VM_LOCKED) { - mm->locked_vm += len >> PAGE_SHIFT; + vx_vmlocked_add(mm, len >> PAGE_SHIFT); make_pages_present(addr, addr + len); @@ -1217,6 +1379,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); @@ -33507,9 +33467,9 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c + } +#endif + - mm->total_vm -= nrpages; + vx_vmpages_sub(mm, nrpages); if (vma->vm_flags & VM_LOCKED) - mm->locked_vm -= nrpages; + vx_vmlocked_sub(mm, nrpages); @@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); @@ -33754,7 +33714,7 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr, +@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ 
@@ -33776,8 +33736,10 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c if (mm->map_count > sysctl_max_map_count) return -ENOMEM; -- if (security_vm_enough_memory(len >> PAGE_SHIFT)) -+ if (security_vm_enough_memory(charged)) +- if (security_vm_enough_memory(len >> PAGE_SHIFT) || +- !vx_vmpages_avail(mm, len >> PAGE_SHIFT)) ++ if (security_vm_enough_memory(charged) || ++ !vx_vmpages_avail(mm, charged)) return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ @@ -33815,11 +33777,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c +#endif + out: -- mm->total_vm += len >> PAGE_SHIFT; -+ mm->total_vm += charged; +- vx_vmpages_add(mm, len >> PAGE_SHIFT); ++ vx_vmpages_add(mm, charged); if (flags & VM_LOCKED) { -- mm->locked_vm += len >> PAGE_SHIFT; -+ mm->locked_vm += charged; +- vx_vmlocked_add(mm, len >> PAGE_SHIFT); ++ vx_vmlocked_add(mm, charged); make_pages_present(addr, addr + len); } + track_exec_limit(mm, addr, addr + len, flags); @@ -34618,7 +34580,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_connection_sock.c linux-2.6.25.4/net/ipv diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c --- linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-18 13:33:17.000000000 -0400 -@@ -18,11 +18,14 @@ +@@ -18,12 +18,15 @@ #include #include #include @@ -34626,6 +34588,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/ine #include #include + #include #include +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet); @@ -35113,9 +35076,9 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c --- linux-2.6.25.4/net/unix/af_unix.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/net/unix/af_unix.c 2008-05-18 13:33:17.000000000 -0400 
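Review bot: In the do_brk hunk the new condition `if (security_vm_enough_memory(charged) || !vx_vmpages_avail(mm, charged)) return -ENOMEM;` bails out without undoing the charge when security_vm_enough_memory() has already succeeded and only the vserver check fails; if that call commits the accounting on success (vanilla do_brk's later failure paths undo it with vm_unacct_memory(), none of which is visible in this hunk), the rejected call leaks `charged` pages of committed memory. The `||` shape was already in the replaced vserver lines, so the commit inherits rather than introduces it, but it re-emits the line with the grsec `charged` count and is the natural place to fix it. Splitting the two checks and uncharging on the second keeps the later `vx_vmpages_add(mm, charged)` consistent with what was actually reserved; do_brk's body starts and ends outside the hunk.
```c
	if (security_vm_enough_memory(charged))
		return -ENOMEM;
	/* undo the commit charge if the vserver page limit rejects the mapping */
	if (!vx_vmpages_avail(mm, charged)) {
		vm_unacct_memory(charged);
		return -ENOMEM;
	}
	/* … unchanged: expand-old-mapping check, vma allocation … */
```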
@@ -116,6 +116,7 @@ - #include - #include #include + #include + #include +#include static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1]; @@ -35157,7 +35120,7 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c + goto out_mknod_dput; + } + - err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0); + err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL); if (err) goto out_mknod_dput; + @@ -35210,9 +35173,9 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap --- linux-2.6.25.4/security/commoncap.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/security/commoncap.c 2008-05-18 13:33:17.000000000 -0400 @@ -24,15 +24,18 @@ - #include #include #include + #include +#include /* Global security state */ @@ -35224,7 +35187,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap + int cap_netlink_send(struct sock *sk, struct sk_buff *skb) { -- NETLINK_CB(skb).eff_cap = current->cap_effective; +- NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective); + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk); return 0; } @@ -35233,8 +35196,8 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap int cap_capable (struct task_struct *tsk, int cap) { /* Derived from include/linux/sched.h:capable. */ -- if (cap_raised(tsk->cap_effective, cap)) -+ if (cap_raised (tsk->cap_effective, cap)) +- if (vx_cap_raised(vxi, tsk->cap_effective, cap)) ++ if (vx_cap_raised (vxi, tsk->cap_effective, cap)) + return 0; + return -EPERM; +} @@ -35242,7 +35205,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap +int cap_capable_nolog (struct task_struct *tsk, int cap) +{ + /* tsk = current for all callers */ -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) ++ if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) return 0; return -EPERM; } 
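Review bot: In the cap_capable_nolog hunk of security/commoncap.c the test becomes `if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))`, which now applies the vserver mask as cap_capable() above it does, but it copies only cap_capable()'s final line; cap_capable()'s body begins outside the hunk, and if it takes any branch before that line (not visible here) the logged and unlogged paths can answer differently for the same task and capability. At minimum the coupling should be stated so a future rebase keeps the two aligned, e.g. `/* keep in sync with the vx_cap_raised() test in cap_capable() */` on the new line; better, have cap_capable_nolog() call cap_capable() and add only the gr_is_capable_nolog() test, so there is a single place where the capability decision is made. The existing `/* tsk = current for all callers */` comment is where that note belongs.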
@@ -35282,9 +35245,9 @@ diff -urNp linux-2.6.25.4/security/dummy.c linux-2.6.25.4/security/dummy.c --- linux-2.6.25.4/security/dummy.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/security/dummy.c 2008-05-18 13:33:17.000000000 -0400 @@ -27,6 +27,7 @@ - #include #include #include + #include +#include static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) diff --git a/linux-2.6-grsec_full.patch b/linux-2.6-grsec_full.patch index e6fe34b7..d1b1828d 100644 --- a/linux-2.6-grsec_full.patch +++ b/linux-2.6-grsec_full.patch @@ -39,9 +39,9 @@ diff -urNp linux-2.6.25.4/arch/alpha/kernel/ptrace.c linux-2.6.25.4/arch/alpha/k --- linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-18 13:33:13.000000000 -0400 @@ -15,6 +15,7 @@ - #include #include #include + #include +#include #include @@ -465,9 +465,9 @@ diff -urNp linux-2.6.25.4/arch/ia64/mm/fault.c linux-2.6.25.4/arch/ia64/mm/fault --- linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-18 13:33:14.000000000 -0400 @@ -10,6 +10,7 @@ - #include #include #include + #include +#include #include @@ -9437,7 +9437,7 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/extable.c linux-2.6.25.4/arch/x86/mm/extab #ifdef CONFIG_PNPBIOS - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) { -+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) { ++ if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) { extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp; extern u32 pnp_bios_is_utter_crap; pnp_bios_is_utter_crap = 1; @@ -9445,9 +9445,9 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/fault.c linux-2.6.25.4/arch/x86/mm/fault.c --- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400 
@@ -25,6 +25,9 @@ - #include #include #include + #include +#include +#include +#include @@ -13603,9 +13603,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_aout.c linux-2.6.25.4/fs/binfmt_aout.c --- linux-2.6.25.4/fs/binfmt_aout.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/binfmt_aout.c 2008-05-18 13:33:16.000000000 -0400 @@ -24,6 +24,7 @@ - #include #include #include + #include +#include #include @@ -13684,9 +13684,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_elf.c linux-2.6.25.4/fs/binfmt_elf.c --- linux-2.6.25.4/fs/binfmt_elf.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/binfmt_elf.c 2008-05-18 13:33:16.000000000 -0400 @@ -39,10 +39,16 @@ - #include #include #include + #include +#include + #include 
@@ -14803,15 +14803,15 @@ diff -urNp linux-2.6.25.4/fs/ext2/balloc.c linux-2.6.25.4/fs/ext2/balloc.c diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c --- linux-2.6.25.4/fs/ext3/balloc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext3/balloc.c 2008-05-18 13:33:16.000000000 -0400 -@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e + DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks); - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter); - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count); -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) && -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) && + cond = (free_blocks < root_blocks + 1 && +- !capable(CAP_SYS_RESOURCE) && ++ !capable_nolog(CAP_SYS_RESOURCE) && sbi->s_resuid != current->fsuid && - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) { - return 0; + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))); + diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c --- linux-2.6.25.4/fs/ext3/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext3/namei.c 2008-05-18 13:33:16.000000000 -0400 
@@ -14844,15 +14844,15 @@ diff -urNp linux-2.6.25.4/fs/ext3/xattr.c linux-2.6.25.4/fs/ext3/xattr.c diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c --- linux-2.6.25.4/fs/ext4/balloc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext4/balloc.c 2008-05-18 13:33:16.000000000 -0400 -@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e +@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e + DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks); - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter); - root_blocks = ext4_r_blocks_count(sbi->s_es); -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) && -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) && + cond = (free_blocks < root_blocks + 1 && +- !capable(CAP_SYS_RESOURCE) && ++ !capable_nolog(CAP_SYS_RESOURCE) && sbi->s_resuid != current->fsuid && - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) { - return 0; + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))); + diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c --- linux-2.6.25.4/fs/ext4/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/ext4/namei.c 2008-05-18 13:33:16.000000000 -0400 @@ -14872,9 +14872,9 @@ diff -urNp linux-2.6.25.4/fs/fcntl.c linux-2.6.25.4/fs/fcntl.c --- linux-2.6.25.4/fs/fcntl.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/fcntl.c 2008-05-18 13:33:16.000000000 -0400 @@ -19,6 +19,7 @@ - #include #include #include + #include +#include #include @@ -15169,9 +15169,9 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c --- linux-2.6.25.4/fs/namei.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/namei.c 2008-05-18 13:33:16.000000000 -0400 @@ -30,6 +30,7 @@ - #include - #include - #include + #include + #include + #include +#include #include #include 
@@ -15332,7 +15332,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + if (!IS_POSIXACL(nd.path.dentry->d_inode)) mode &= ~current->fs->umask; - error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode); + error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd); + + if (!error) + gr_handle_create(dentry, nd.path.mnt); @@ -15366,7 +15366,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + } + } + - error = vfs_rmdir(nd.path.dentry->d_inode, dentry); + error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd); + if (!error && (saved_dev || saved_ino)) + gr_handle_delete(saved_ino, saved_dev); +dput_exit2: @@ -15402,16 +15402,16 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + error = -EACCES; + atomic_inc(&inode->i_count); -- error = vfs_unlink(nd.path.dentry->d_inode, dentry); +- error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd); + } + if (!error) -+ error = vfs_unlink(nd.path.dentry->d_inode, dentry); ++ error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd); + if (!error && (saved_ino || saved_dev)) + gr_handle_delete(saved_ino, saved_dev); exit2: dput(dentry); } -@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char +@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char if (IS_ERR(dentry)) goto out_unlock; @@ -15420,7 +15420,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + goto out_dput_unlock; + } + - error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO); + error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, + S_IALLUGO, &nd); + + if (!error) + gr_handle_create(dentry, nd.path.mnt); 
@@ -15429,7 +15430,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c dput(dentry); out_unlock: mutex_unlock(&nd.path.dentry->d_inode->i_mutex); -@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c +@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c error = PTR_ERR(new_dentry); if (IS_ERR(new_dentry)) goto out_unlock; @@ -15447,7 +15448,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c + goto out_unlock_dput; + } + - error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry); + error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, + new_dentry, &nd); + + if (!error) + gr_handle_create(new_dentry, nd.path.mnt); @@ -15478,9 +15480,9 @@ diff -urNp linux-2.6.25.4/fs/namespace.c linux-2.6.25.4/fs/namespace.c --- linux-2.6.25.4/fs/namespace.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/namespace.c 2008-05-18 13:33:16.000000000 -0400 @@ -26,6 +26,7 @@ - #include - #include - #include + #include + #include + #include +#include #include #include @@ -15849,9 +15851,9 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c --- linux-2.6.25.4/fs/open.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/open.c 2008-05-18 13:33:16.000000000 -0400 @@ -27,6 +27,7 @@ - #include - #include - #include + #include + #include + #include +#include int vfs_statfs(struct dentry *dentry, struct kstatfs *buf) @@ -15961,15 +15963,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; error = notify_change(nd.path.dentry, &newattrs); -@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u - return sys_fchmodat(AT_FDCWD, filename, mode); - } - --static int chown_common(struct dentry * dentry, uid_t user, gid_t group) -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt) - { - struct inode * inode; - int error; 
@@ -644,6 +693,12 @@ static int chown_common(struct dentry * error = -EPERM; if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) @@ -15983,42 +15976,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { newattrs.ia_valid |= ATTR_UID; -@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u - error = user_path_walk(filename, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co - error = __user_walk_fd(dfd, filename, follow, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __ - error = user_path_walk_link(filename, &nd); - if (error) - goto out; -- error = chown_common(nd.path.dentry, user, group); -+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt); - path_put(&nd.path); - out: - return error; -@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int - - dentry = file->f_path.dentry; - audit_inode(NULL, dentry); -- error = chown_common(dentry, user, group); -+ error = chown_common(dentry, user, group, file->f_path.mnt); - fput(file); - out: - return error; @@ -948,6 +1003,7 @@ repeat: * N.B. For clone tasks sharing a files structure, this test * will limit the total number of files that can be opened. @@ -16073,7 +16030,7 @@ diff -urNp linux-2.6.25.4/fs/proc/array.c linux-2.6.25.4/fs/proc/array.c +} +#endif + - int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, + int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { @@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m, 
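Review bot: Dropping the `chown_common` signature hunk and the four caller hunks (`sys_chown`, `sys_fchownat`, `sys_lchown`, `sys_fchown`) assumes the vserver base already threads a `struct vfsmount` through `chown_common`, and the retained grsec hunk at inner `@@ -644,6 +693,12 @@` (its body precedes this hunk and is not visible here) presumably still uses that parameter under the name `mnt`. That only compiles if the base names the parameter exactly as the removed grsec hunk did; if it uses another name, the retained hunk needs a one-line rename. Worth confirming with a build on the PLD tree rather than by inspection, since a mismatch would only surface when CONFIG_GRKERNSEC is enabled.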
@@ -16155,9 +16112,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c --- linux-2.6.25.4/fs/proc/base.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/base.c 2008-05-18 13:33:16.000000000 -0400 @@ -76,6 +76,8 @@ - #include - #include #include + #include + #include +#include + #include "internal.h" @@ -16221,8 +16178,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c inode->i_gid = task->egid; +#endif } - security_task_to_inode(task, inode); - + /* procfs is xid tagged */ + inode->i_tag = (tag_t)vx_task_xid(task); @@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount * { struct inode *inode = dentry->d_inode; @@ -16324,9 +16281,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)) + goto out; + - /* - * Yes, it does not scale. And it should not. Don't add - * new entries into /proc// without very good reasons. + /* TODO: maybe we can come up with a generic approach? */ + if (task_vx_flags(task, VXF_HIDE_VINFO, 0) && + (dentry->d_name.len == 5) && @@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi if (!task) goto out_no_task; @@ -16348,9 +16305,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c out: @@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_ - #ifdef CONFIG_TASK_IO_ACCOUNTING INF("io", S_IRUGO, pid_io_accounting), #endif + ONE("nsproxy", S_IRUGO, pid_nsproxy), +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR + INF("ipaddr", S_IRUSR, pid_ipaddr), +#endif @@ -16387,7 +16344,7 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c 
@@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp, { unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); + struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode); +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) + struct task_struct *tmp = current; +#endif @@ -16410,8 +16367,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c + continue; + filp->f_pos = iter.tgid + TGID_OFFSET; - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) { - put_task_struct(iter.task); + if (!vx_proc_task_visible(iter.task)) + continue; diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c --- linux-2.6.25.4/fs/proc/inode.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/inode.c 2008-05-18 13:33:16.000000000 -0400 @@ -16425,22 +16382,22 @@ diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c inode->i_gid = de->gid; +#endif } - if (de->size) - inode->i_size = de->size; + if (de->vx_flags) + PROC_I(inode)->vx_flags = de->vx_flags; diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h --- linux-2.6.25.4/fs/proc/internal.h 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/internal.h 2008-05-18 13:33:16.000000000 -0400 
@@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi struct pid *pid, struct task_struct *task); - extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR +extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task); +#endif + extern loff_t mem_lseek(struct file *file, loff_t offset, int orig); - extern const struct file_operations proc_maps_operations; diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c --- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400 @@ -16616,9 +16573,9 @@ diff -urNp linux-2.6.25.4/fs/proc/root.c linux-2.6.25.4/fs/proc/root.c +#else proc_bus = proc_mkdir("bus", NULL); +#endif + proc_vx_init(); proc_sys_init(); } - diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c --- linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-18 13:33:16.000000000 -0400 @@ -16979,9 +16936,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c --- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400 @@ -7,6 +7,7 @@ - #include - #include #include + #include + #include +#include #include #include @@ -16994,7 +16951,7 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c struct inode *inode; struct iattr newattrs; struct file *f = NULL; -@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil +@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil if (!f) goto out; dentry = f->f_path.dentry; 
@@ -17002,8 +16959,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c } else { error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd); if (error) - goto out; - +@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil + if (error) + goto dput_and_out; dentry = nd.path.dentry; + mnt = nd.path.mnt; } @@ -30157,9 +30115,9 @@ diff -urNp linux-2.6.25.4/ipc/msg.c linux-2.6.25.4/ipc/msg.c --- linux-2.6.25.4/ipc/msg.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/msg.c 2008-05-18 13:33:17.000000000 -0400 @@ -37,6 +37,7 @@ - #include #include #include + #include +#include #include @@ -30197,9 +30155,9 @@ diff -urNp linux-2.6.25.4/ipc/sem.c linux-2.6.25.4/ipc/sem.c --- linux-2.6.25.4/ipc/sem.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/sem.c 2008-05-18 13:33:17.000000000 -0400 @@ -83,6 +83,7 @@ - #include - #include #include + #include + #include +#include #include @@ -30237,9 +30195,9 @@ diff -urNp linux-2.6.25.4/ipc/shm.c linux-2.6.25.4/ipc/shm.c --- linux-2.6.25.4/ipc/shm.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/ipc/shm.c 2008-05-18 13:33:17.000000000 -0400 @@ -39,6 +39,7 @@ - #include - #include #include + #include + #include +#include #include @@ -30342,14 +30300,14 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c --- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400 @@ -13,6 +13,7 @@ - #include #include #include + #include +#include #include /* -@@ -328,15 +329,25 @@ out: +@@ -331,13 +332,22 @@ out: int __capable(struct task_struct *t, int cap) { @@ -30370,8 +30328,10 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c + return 0; +} + + #include int capable(int cap) { +@@ -347,3 +357,4 @@ int capable(int cap) return __capable(current, cap); } EXPORT_SYMBOL(capable); 
@@ -30421,9 +30381,9 @@ diff -urNp linux-2.6.25.4/kernel/exit.c linux-2.6.25.4/kernel/exit.c --- linux-2.6.25.4/kernel/exit.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/exit.c 2008-05-18 13:33:17.000000000 -0400 @@ -44,6 +44,11 @@ - #include - #include - #include + #include + #include + #include +#include + +#ifdef CONFIG_GRKERNSEC @@ -30505,9 +30465,9 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c --- linux-2.6.25.4/kernel/fork.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/fork.c 2008-05-18 13:33:17.000000000 -0400 @@ -53,6 +53,7 @@ - #include - #include - #include + #include + #include + #include +#include #include @@ -30530,8 +30490,8 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c + mm->free_area_cache = oldmm->free_area_cache; + mm->cached_hole_size = oldmm->cached_hole_size; mm->map_count = 0; - cpus_clear(mm->cpu_vm_mask); - mm->mm_rb = RB_ROOT; + __set_mm_counter(mm, file_rss, 0); + __set_mm_counter(mm, anon_rss, 0); @@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm tmp->vm_flags &= ~VM_LOCKED; tmp->vm_mm = mm; @@ -30591,15 +30551,15 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c } @@ -1046,6 +1073,9 @@ static struct task_struct *copy_process( + DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled); DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled); #endif - retval = -EAGAIN; + + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0); + - if (atomic_read(&p->user->processes) >= - p->signal->rlim[RLIMIT_NPROC].rlim_cur) { - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) && + init_vx_info(&p->vx_info, current->vx_info); + init_nx_info(&p->nx_info, current->nx_info); + @@ -1212,6 +1242,8 @@ static struct task_struct *copy_process( if (clone_flags & CLONE_THREAD) p->tgid = current->tgid; 
@@ -31321,9 +31281,9 @@ diff -urNp linux-2.6.25.4/kernel/pid.c linux-2.6.25.4/kernel/pid.c --- linux-2.6.25.4/kernel/pid.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/pid.c 2008-05-18 13:33:17.000000000 -0400 @@ -35,6 +35,7 @@ - #include - #include #include + #include + #include +#include #define pid_hashfn(nr, ns) \ @@ -31388,16 +31348,16 @@ diff -urNp linux-2.6.25.4/kernel/printk.c linux-2.6.25.4/kernel/printk.c --- linux-2.6.25.4/kernel/printk.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/printk.c 2008-05-18 13:33:17.000000000 -0400 @@ -32,6 +32,7 @@ - #include #include #include + #include +#include #include @@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf char c; - int error = 0; + int error; +#ifdef CONFIG_GRKERNSEC_DMESG + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)) @@ -31411,9 +31371,9 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c --- linux-2.6.25.4/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/ptrace.c 2008-05-18 13:33:17.000000000 -0400 @@ -21,6 +21,7 @@ - #include #include #include + #include +#include #include @@ -31431,8 +31391,8 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c - if (!dumpable && !capable(CAP_SYS_PTRACE)) + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE)) return -EPERM; - - return security_ptrace(current, task); + if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT)) + return -EPERM; @@ -203,7 +204,7 @@ repeat: /* Go */ @@ -31501,9 +31461,9 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c --- linux-2.6.25.4/kernel/sched.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/kernel/sched.c 2008-05-18 13:33:17.000000000 -0400 @@ -66,6 +66,7 @@ - #include - #include #include + #include + #include +#include #include 
@@ -31515,7 +31475,7 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c - if (increment < 0 && !can_nice(current, nice)) + if (increment < 0 && (!can_nice(current, nice) || + gr_handle_chroot_nice())) - return -EPERM; + return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM; retval = security_task_setnice(current, nice); @@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = { @@ -31545,8 +31505,8 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c #include +#include #include - - #include + #include + #include @@ -540,7 +541,9 @@ static int check_kill_permission(int sig && (current->euid ^ t->suid) && (current->euid ^ t->uid) && (current->uid ^ t->suid) && (current->uid ^ t->uid) @@ -31557,7 +31517,7 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c + return error; } - return security_task_kill(t, info, sig, 0); + error = -ESRCH; @@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign __setup("print-fatal-signals=", setup_print_fatal_signals); @@ -31931,7 +31891,7 @@ diff -urNp linux-2.6.25.4/kernel/time.c linux-2.6.25.4/kernel/time.c @@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user return err; - do_settimeofday(&tv); + vx_settimeofday(&tv); + + gr_log_timechange(); + @@ -32685,9 +32645,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c --- linux-2.6.25.4/mm/mlock.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/mm/mlock.c 2008-05-18 13:33:17.000000000 -0400 @@ -12,6 +12,7 @@ - #include #include #include + #include +#include int can_do_mlock(void) @@ -32717,7 +32677,7 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1); if ((locked <= lock_limit) || capable(CAP_IPC_LOCK)) error = do_mlock(start, len, 1); - up_write(¤t->mm->mmap_sem); + out: @@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon static int do_mlockall(int flags) { 
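Review bot: In the `sys_nice` hunk the grsec condition now returns the vserver value `vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM`, so in a context with VXF_IGNEG_NICE set a negative increment refused by `gr_handle_chroot_nice()` is reported to the caller as success. The nice value is still not applied, because the return precedes `security_task_setnice()` and the rest of the function, so this is an audit/return-code mismatch rather than a bypass; if `gr_handle_chroot_nice()` logs the refusal (its body is not in this excerpt), the log records a denial that userspace never observed. Keeping the chroot refusal hard, `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;` placed ahead of the existing `can_nice` check, preserves the vserver behaviour for the ordinary permission case only. `sys_nice` begins and ends outside this hunk.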
@@ -32749,9 +32709,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c ret = -ENOMEM; + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1); + if (!vx_vmlocked_avail(current->mm, current->mm->total_vm)) + goto out; if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) || - capable(CAP_IPC_LOCK)) - ret = do_mlockall(flags); diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c --- linux-2.6.25.4/mm/mmap.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/mm/mmap.c 2008-05-18 13:33:17.000000000 -0400 @@ -33170,11 +33130,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c + } out: - mm->total_vm += len >> PAGE_SHIFT; + vx_vmpages_add(mm, len >> PAGE_SHIFT); vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT); + track_exec_limit(mm, addr, addr + len, vm_flags); if (vm_flags & VM_LOCKED) { - mm->locked_vm += len >> PAGE_SHIFT; + vx_vmlocked_add(mm, len >> PAGE_SHIFT); make_pages_present(addr, addr + len); @@ -1217,6 +1379,12 @@ unmap_and_free_vma: unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); @@ -33507,9 +33467,9 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c + } +#endif + - mm->total_vm -= nrpages; + vx_vmpages_sub(mm, nrpages); if (vma->vm_flags & VM_LOCKED) - mm->locked_vm -= nrpages; + vx_vmlocked_sub(mm, nrpages); @@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str insertion_point = (prev ? &prev->vm_next : &mm->mmap); @@ -33754,7 +33714,7 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c if (locked > lock_limit && !capable(CAP_IPC_LOCK)) return -EAGAIN; } -@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr, +@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr, /* * Clear old maps. this also does some error checking for us */ 
@@ -33776,8 +33736,10 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c if (mm->map_count > sysctl_max_map_count) return -ENOMEM; -- if (security_vm_enough_memory(len >> PAGE_SHIFT)) -+ if (security_vm_enough_memory(charged)) +- if (security_vm_enough_memory(len >> PAGE_SHIFT) || +- !vx_vmpages_avail(mm, len >> PAGE_SHIFT)) ++ if (security_vm_enough_memory(charged) || ++ !vx_vmpages_avail(mm, charged)) return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ @@ -33815,11 +33777,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c +#endif + out: -- mm->total_vm += len >> PAGE_SHIFT; -+ mm->total_vm += charged; +- vx_vmpages_add(mm, len >> PAGE_SHIFT); ++ vx_vmpages_add(mm, charged); if (flags & VM_LOCKED) { -- mm->locked_vm += len >> PAGE_SHIFT; -+ mm->locked_vm += charged; +- vx_vmlocked_add(mm, len >> PAGE_SHIFT); ++ vx_vmlocked_add(mm, charged); make_pages_present(addr, addr + len); } + track_exec_limit(mm, addr, addr + len, flags); @@ -34618,7 +34580,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_connection_sock.c linux-2.6.25.4/net/ipv diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c --- linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-18 13:33:17.000000000 -0400 -@@ -18,11 +18,14 @@ +@@ -18,12 +18,15 @@ #include #include #include @@ -34626,6 +34588,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/ine #include #include + #include #include +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet); @@ -35113,9 +35076,9 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c --- linux-2.6.25.4/net/unix/af_unix.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/net/unix/af_unix.c 2008-05-18 13:33:17.000000000 -0400 
@@ -116,6 +116,7 @@ - #include - #include #include + #include + #include +#include static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1]; @@ -35157,7 +35120,7 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c + goto out_mknod_dput; + } + - err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0); + err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL); if (err) goto out_mknod_dput; + @@ -35210,9 +35173,9 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap --- linux-2.6.25.4/security/commoncap.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/security/commoncap.c 2008-05-18 13:33:17.000000000 -0400 @@ -24,15 +24,18 @@ - #include #include #include + #include +#include /* Global security state */ @@ -35224,7 +35187,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap + int cap_netlink_send(struct sock *sk, struct sk_buff *skb) { -- NETLINK_CB(skb).eff_cap = current->cap_effective; +- NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective); + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk); return 0; } @@ -35233,8 +35196,8 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap int cap_capable (struct task_struct *tsk, int cap) { /* Derived from include/linux/sched.h:capable. */ -- if (cap_raised(tsk->cap_effective, cap)) -+ if (cap_raised (tsk->cap_effective, cap)) +- if (vx_cap_raised(vxi, tsk->cap_effective, cap)) ++ if (vx_cap_raised (vxi, tsk->cap_effective, cap)) + return 0; + return -EPERM; +} @@ -35242,7 +35205,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap +int cap_capable_nolog (struct task_struct *tsk, int cap) +{ + /* tsk = current for all callers */ -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) ++ if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap)) return 0; return -EPERM; } 
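Review bot: The rebased `cap_netlink_send` hunk replaces the vserver line `NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective);` with `NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);`, which drops the `vx_mbcaps()` masking of the effective capability set for netlink messages originating inside a vserver context. Unless `gr_cap_rtnetlink()` applies the per-context mask itself (its definition is elsewhere in the grsec patch and not visible here), a guest context would hand rtnetlink an unmasked capability set. The conservative rebase keeps both layers, `NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));`, assuming `gr_cap_rtnetlink` returns the same `kernel_cap_t` that `vx_mbcaps` already accepts from `current->cap_effective`. Please confirm against the definition before merging, since the masking is the vserver isolation boundary for this path.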
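Review bot: `cap_capable_nolog` now calls `vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap)` while the rebased `cap_capable` directly above passes a local `vxi`; the lines that obtain `vxi` precede the hunk, so if they do anything beyond a plain `tsk->vx_info` read (a locked or validated lookup), the nolog variant should obtain it the same way rather than reading the field directly. Mirroring `cap_capable`'s prologue keeps the logged and unlogged paths in lock-step, which is the whole point of the `/* tsk = current for all callers */` comment. Separately, the whitespace-only change `cap_raised(` → `cap_raised (` in the `cap_capable` hunk survives the rebase as `vx_cap_raised (vxi, …)`; dropping that cosmetic line would shrink the patch and ease the next rebase without changing behaviour.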
@@ -35282,9 +35245,9 @@ diff -urNp linux-2.6.25.4/security/dummy.c linux-2.6.25.4/security/dummy.c --- linux-2.6.25.4/security/dummy.c 2008-05-15 11:00:12.000000000 -0400 +++ linux-2.6.25.4/security/dummy.c 2008-05-18 13:33:17.000000000 -0400 @@ -27,6 +27,7 @@ - #include #include #include + #include +#include static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) -- 2.44.0