2380c486 JR |
1 | netlink |
2 | cap_dac* | |
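--- a/grsecurity/gracl_cap.c
+++ b/grsecurity/gracl_cap.c
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 return 0;
 }
 
+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+ struct task_struct *p;
+
+ if (gr_acl_is_enabled()) {
+ read_lock(&tasklist_lock);
+ p = find_task_by_vpid(pid);
+ if (p) {
+ get_task_struct(p);
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+ }
+ read_unlock(&tasklist_lock);
+ }
+ return;
+}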
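Review bot: The added `get_task_struct(p);` takes a reference that is never released — there is no `put_task_struct(p)` after the `gr_log_cap` call, so every logged denial leaks one task_struct reference and that task can never be freed. Both the lookup and the log call already run under `read_lock(&tasklist_lock)`, so the extra reference buys nothing; either drop the `get_task_struct(p);` line or pair it with `put_task_struct(p);` right after the `gr_log_cap(...)` call. `captab_log[cap]` is indexed without a range check; the only caller in this patch passes an in-kernel capability number, but a guard such as `if (cap < 0 || cap >= ARRAY_SIZE(captab_log)) return;` (assuming captab_log is a real array here — confirm) would make the helper safe to reuse from other call sites. The trailing `return;` in a void function is redundant and can go.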
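--- a/linux-2.6.35/include/linux/grsecurity.h
+++ b/linux-2.6.35/include/linux/grsecurity.h
@@ -78,6 +78,7 @@
 void gr_log_textrel(struct vm_area_struct *vma);
 void gr_log_rwxmmap(struct file *file);
 void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 const struct inode *inode,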
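Review bot: The declaration `void gr_log_cap_pid(const int cap, pid_t pid);` drops the `const` that the definition in gracl_cap.c carries on `pid`; a top-level `const` on a by-value parameter is invisible to callers, so this is legal, but the two should agree, preferably by dropping `const` from both parameters in both places. The call site in security/commoncap.c wraps the call in `#ifdef CONFIG_GRKERNSEC`, which suggests this header provides no stub when grsecurity is compiled out; if so, a `static inline void gr_log_cap_pid(const int cap, pid_t pid) { }` under the matching `#else` would keep the ifdef out of generic code.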
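--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
- if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
+ if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap)) {
+#ifdef CONFIG_GRKERNSEC
+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 return -EPERM;
+ }
 return 0;
 }
 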
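Review bot: `NETLINK_CREDS(skb)->pid` on the added call is the pid carried in the message's credentials, not the task this hook is executing as, and `gr_log_cap_pid` resolves it with `find_task_by_vpid` in the current pid namespace; a sender in a different pid namespace, a sender that has already exited, or a pid value that has been recycled will make the log name the wrong task or silently log nothing. If `cap_netlink_recv` is always reached in the sender's own context, passing `task_pid_vnr(current)` (or a task pointer) avoids the lookup entirely; if it is not, the call deserves a comment such as `/* pid from the skb credentials: sender-supplied and possibly stale */` so readers do not treat the logged pid as authoritative. The `#ifdef CONFIG_GRKERNSEC` block inside generic commoncap.c would also be cleaner as a no-op stub in the grsecurity header. `cap_netlink_recv` is shown in full here.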
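--- a/linux-2.6.30/kernel/vserver/context.c
+++ b/linux-2.6.30/kernel/vserver/context.c
@@ -122,7 +122,7 @@
 // preconfig fs entries
 for (index = 0; index < VX_SPACES; index++) {
 spin_lock(&init_fs.lock);
- init_fs.users++;
+ atomic_inc(&init_fs.users);
 spin_unlock(&init_fs.lock);
 new->vx_fs[index] = &init_fs;
 }
@@ -197,7 +197,7 @@
 
 fs = xchg(&vxi->vx_fs[index], NULL);
 spin_lock(&fs->lock);
- kill = !--fs->users;
+ kill = !atomic_dec_return(&fs->users);
 spin_unlock(&fs->lock);
 if (kill)
 free_fs_struct(fs);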
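Review bot: The change to `atomic_t` for `fs_struct.users` that these hunks rely on is not part of this patch, so every remaining plain access to `users` in the tree has to be converted in the same series; any site still written as `--fs->users` will no longer compile once the field is atomic, and a site left with a plain `int` field would race against the atomic updates here (fork.c later in this file shows two more such sites). With the counter atomic, the `spin_lock(&init_fs.lock)`/`spin_unlock(&init_fs.lock)` pair around the added `atomic_inc(&init_fs.users);` in the first hunk protects nothing in that loop and can be dropped unless the lock also covers a field not shown here; the same question applies to `fs->lock` around `atomic_dec_return(&fs->users)` in the second hunk, where the lock may still be needed to order the decrement against readers of other fs_struct fields. The enclosing functions start and end outside both hunks.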
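--- a/linux-2.6.30/kernel/vserver/space.c
+++ b/linux-2.6.30/kernel/vserver/space.c
@@ -220,7 +220,7 @@
 if (mask & CLONE_FS) {
 write_lock(&fs_cur->lock);
 current->fs = fs;
- kill = !--fs_cur->users;
+ kill = !atomic_dec_return(&fs_cur->users);
 spin_unlock(&fs_cur->lock);
 }
 
@@ -278,7 +278,7 @@
 if (mask & CLONE_FS) {
 spin_lock(&fs_vxi->lock);
 space->vx_fs = fs;
- kill = !--fs_vxi->users;
+ kill = !atomic_dec_return(&fs_vxi->users);
 spin_unlock(&fs_vxi->lock);
 }
 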
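Review bot: In the first hunk `fs_cur->lock` is taken with `write_lock(&fs_cur->lock)` but released two lines later with `spin_unlock(&fs_cur->lock)`; every other site in this patch (context.c and the second hunk here) treats the same field as a spinlock, so the acquire side looks like a leftover from when the lock was an rwlock and should read `spin_lock(&fs_cur->lock);`. Those two lines are context rather than part of this commit, but the converted `kill = !atomic_dec_return(&fs_cur->users);` now sits inside that mismatched critical section, so it belongs in the same fix. The enclosing functions start and end outside the hunks.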
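--- a/linux-2.6.28/fs/proc/Kconfig
+++ b/linux-2.6.28/fs/proc/Kconfig
@@ -59,8 +59,8 @@
 limited in memory.
 
 config PROC_PAGE_MONITOR
- default n
- depends on PROC_FS && MMU && !GRKERNSEC
+ default y
+ depends on PROC_FS && MMU
 bool "Enable /proc page monitoring" if EXPERT
 help
 Various /proc files exist to monitor process memory utilization: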
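Review bot: Removing `!GRKERNSEC` from the `depends on` line and flipping `default n` to `default y` turns the /proc page-monitoring files back on for hardened configurations, which is exactly what the removed dependency existed to prevent, and nothing in the patch says why that restriction is being lifted. If re-enabling it under GRKERNSEC is intended, the rationale belongs in the commit description or in the option's `help` text (one sentence naming the reason and what now limits access to these files); if the goal was only to make the option selectable again, keeping `default n` and changing only the dependency line would preserve the previous behaviour for existing configs.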
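--- a/linux-2.6.34/net/socket.c
+++ b/linux-2.6.34/net/socket.c
@@ -1573,12 +1573,6 @@
 newsock->type = sock->type;
 newsock->ops = sock->ops;
 
- if (gr_handle_sock_server_other(sock->sk)) {
- err = -EPERM;
- sock_release(newsock);
- goto out_put;
- }
-
 err = gr_search_accept(sock);
 if (err) {
 sock_release(newsock);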
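--- a/linux-3.0/include/linux/vermagic.h
+++ b/linux-3.0/include/linux/vermagic.h
@@ -33,7 +33,7 @@
 #endif
 
 #ifdef CONSTIFY_PLUGIN
-#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
+#define MODULE_CONSTIFY_PLUGIN ""
 #else
 #define MODULE_CONSTIFY_PLUGIN ""
 #endif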
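Review bot: After this change both branches of `#ifdef CONSTIFY_PLUGIN` define `MODULE_CONSTIFY_PLUGIN` as `""`, so the conditional is dead code and, more importantly, the vermagic string no longer records whether the kernel was built with the constify plugin; modules built without the plugin will now pass the vermagic check against a constified kernel, which appears to be the mismatch the tag was there to refuse (inferred from the tag's name — the plugin's effect on module ABI is not shown here). If dropping the tag is really intended, collapse the block to a single unconditional `#define MODULE_CONSTIFY_PLUGIN ""` with a comment giving the reason; if it is not, restore the `"CONSTIFY_PLUGIN "` value in the `#ifdef` branch.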
134 | --- linux-3.1/kernel/fork.c.org 2011-11-17 20:43:03.561319929 +0100 |
135 | +++ linux-3.1/kernel/fork.c 2011-11-17 20:44:09.022832196 +0100 | |
136 | @@ -1704,7 +1704,7 @@ | |
137 | return 0; | |
138 | ||
139 | /* don't need lock here; in the worst case we'll do useless copy */ | |
140 | - if (fs->users == 1) | |
141 | + if (atomic_read(&fs->users) == 1) | |
142 | return 0; | |
143 | ||
144 | *new_fsp = copy_fs_struct(fs); | |
145 | @@ -1793,7 +1793,7 @@ | |
146 | fs = current->fs; | |
147 | spin_lock(&fs->lock); | |
148 | current->fs = new_fs; | |
149 | - if (--fs->users) | |
150 | + if (atomic_dec_return(&fs->users)) | |
151 | new_fs = NULL; | |
152 | else | |
153 | new_fs = fs; |