[packages/kernel.git] / kernel-grsec_fixes.patch

netlink
cap_dac*
diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c	2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c	2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 	return 0;
 }

+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+	struct task_struct *p;
+
+	if (gr_acl_is_enabled()) {
+		read_lock(&tasklist_lock);
+		p = find_task_by_vpid(pid);
+		if (p) {
+			get_task_struct(p);
+			gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+		}
+		read_unlock(&tasklist_lock);
+	}
+	return;
+}
--- linux-2.6.35/include/linux/grsecurity.h~	2010-10-20 21:01:00.758532744 +0200
+++ linux-2.6.35/include/linux/grsecurity.h	2010-10-20 21:03:27.556754795 +0200
@@ -78,6 +78,7 @@
 void gr_log_textrel(struct vm_area_struct *vma);
 void gr_log_rwxmmap(struct file *file);
 void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 				 const struct inode *inode,
diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c	2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c	2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap))
+	if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap)) {
+#ifdef CONFIG_GRKERNSEC
+		gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 		return -EPERM;
+	}
 	return 0;
 }
 
--- linux-2.6.30/kernel/vserver/context.c~	2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c	2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
 	// preconfig fs entries
 	for (index = 0; index < VX_SPACES; index++) {
 		spin_lock(&init_fs.lock);
-		init_fs.users++;
+		atomic_inc(&init_fs.users);
 		spin_unlock(&init_fs.lock);
 		new->vx_fs[index] = &init_fs;
 	}
@@ -197,7 +197,7 @@
 
 		fs = xchg(&vxi->vx_fs[index], NULL);
 		spin_lock(&fs->lock);
-		kill = !--fs->users;
+		kill = !atomic_dec_return(&fs->users);
 		spin_unlock(&fs->lock);
 		if (kill)
 			free_fs_struct(fs);
--- linux-2.6.30/kernel/vserver/space.c~	2009-07-31 12:07:52.398601243 +0200
+++ linux-2.6.30/kernel/vserver/space.c	2009-07-31 12:47:48.638394441 +0200
@@ -220,7 +220,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_cur->lock);
 		current->fs = fs;
-		kill = !--fs_cur->users;
+		kill = !atomic_dec_return(&fs_cur->users);
 		spin_unlock(&fs_cur->lock);
 	}
 
@@ -278,7 +278,7 @@
 	if (mask & CLONE_FS) {
 		spin_lock(&fs_vxi->lock);
 		space->vx_fs = fs;
-		kill = !--fs_vxi->users;
+		kill = !atomic_dec_return(&fs_vxi->users);
 		spin_unlock(&fs_vxi->lock);
 	}
 
--- linux-2.6.28/fs/proc/Kconfig~       2008-11-20 23:26:34.000000000 +0100
+++ linux-2.6.28/fs/proc/Kconfig        2008-12-01 20:37:12.000000000 +0100
@@ -59,8 +59,8 @@
 	  limited in memory.
 
 config PROC_PAGE_MONITOR
- 	default n
-	depends on PROC_FS && MMU && !GRKERNSEC
+ 	default y
+	depends on PROC_FS && MMU
 	bool "Enable /proc page monitoring" if EXPERT
  	help
 	  Various /proc files exist to monitor process memory utilization:
--- linux-2.6.34/net/socket.c~	2010-07-06 15:35:03.398523320 +0200
+++ linux-2.6.34/net/socket.c	2010-07-06 15:35:26.021020905 +0200
@@ -1573,12 +1573,6 @@
 	newsock->type = sock->type;
 	newsock->ops = sock->ops;
 
-	if (gr_handle_sock_server_other(sock->sk)) {
-		err = -EPERM;
-		sock_release(newsock);
-		goto out_put;
-	}
-
 	err = gr_search_accept(sock);
 	if (err) {
 		sock_release(newsock);


--- linux-3.0/include/linux/vermagic.h~	2011-10-14 19:55:36.000000000 +0200
+++ linux-3.0/include/linux/vermagic.h	2011-10-16 15:45:11.251098590 +0200
@@ -33,7 +33,7 @@
 #endif
 
 #ifdef CONSTIFY_PLUGIN
-#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
+#define MODULE_CONSTIFY_PLUGIN ""
 #else
 #define MODULE_CONSTIFY_PLUGIN ""
 #endif
--- linux-3.1/kernel/fork.c.org	2011-11-17 20:43:03.561319929 +0100
+++ linux-3.1/kernel/fork.c	2011-11-17 20:44:09.022832196 +0100
@@ -1704,7 +1704,7 @@
 		return 0;
 
 	/* don't need lock here; in the worst case we'll do useless copy */
-	if (fs->users == 1)
+	if (atomic_read(&fs->users) == 1)
 		return 0;
 
 	*new_fsp = copy_fs_struct(fs);
@@ -1793,7 +1793,7 @@
 			fs = current->fs;
 			spin_lock(&fs->lock);
 			current->fs = new_fs;
-			if (--fs->users)
+			if (atomic_dec_return(&fs->users))
 				new_fs = NULL;
 			else
 				new_fs = fs;
Commit	Line	Data
2380c486 JR	1	netlink
	2	cap_dac*
	3	diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
	4	--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
	5	+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
192cf7ff	6	@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
2380c486 JR	7	return 0;
	8	}
	9
	10	+void
	11	+gr_log_cap_pid(const int cap, const pid_t pid)
	12	+{
	13	+ struct task_struct *p;
	14	+
	15	+ if (gr_acl_is_enabled()) {
	16	+ read_lock(&tasklist_lock);
	17	+ p = find_task_by_vpid(pid);
	18	+ if (p) {
	19	+ get_task_struct(p);
	20	+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
	21	+ }
	22	+ read_unlock(&tasklist_lock);
	23	+ }
	24	+ return;
	25	+}
0db8bb3b AM	26	--- linux-2.6.35/include/linux/grsecurity.h~ 2010-10-20 21:01:00.758532744 +0200
	27	+++ linux-2.6.35/include/linux/grsecurity.h 2010-10-20 21:03:27.556754795 +0200
	28	@@ -78,6 +78,7 @@
2380c486	29	void gr_log_textrel(struct vm_area_struct *vma);
0db8bb3b AM	30	void gr_log_rwxmmap(struct file *file);
0db8bb3b AM	31	void gr_log_rwxmprotect(struct file *file);
2380c486 JR	32	+void gr_log_cap_pid(const int cap, pid_t pid);
	33
	34	int gr_handle_follow_link(const struct inode *parent,
	35	const struct inode *inode,
	36	diff -upr a/security/commoncap.c c/security/commoncap.c
	37	--- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
	38	+++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
	39	@@ -55,8 +55,12 @@
	40
	41	int cap_netlink_recv(struct sk_buff *skb, int cap)
	42	{
5ef30c1f AM	43	- if (!cap_raised(current_cap(), cap) \|\| !gr_is_capable(cap))
5ef30c1f AM	44	+ if (!cap_raised(current_cap(), cap) \|\| !gr_is_capable(cap)) {
2380c486 JR	45	+#ifdef CONFIG_GRKERNSEC
	46	+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
	47	+#endif
	48	return -EPERM;
	49	+ }
	50	return 0;
	51	}
	52
d1ac4147 AM	53	--- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
	54	+++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
	55	@@ -122,7 +122,7 @@
	56	// preconfig fs entries
	57	for (index = 0; index < VX_SPACES; index++) {
adc1caaa	58	spin_lock(&init_fs.lock);
d1ac4147 AM	59	- init_fs.users++;
d1ac4147 AM	60	+ atomic_inc(&init_fs.users);
adc1caaa	61	spin_unlock(&init_fs.lock);
d1ac4147 AM	62	new->vx_fs[index] = &init_fs;
d1ac4147 AM	63	}
adc1caaa	64	@@ -197,7 +197,7 @@
d1ac4147 AM	65
d1ac4147 AM	66	fs = xchg(&vxi->vx_fs[index], NULL);
adc1caaa	67	spin_lock(&fs->lock);
d1ac4147 AM	68	- kill = !--fs->users;
d1ac4147 AM	69	+ kill = !atomic_dec_return(&fs->users);
adc1caaa	70	spin_unlock(&fs->lock);
d1ac4147 AM	71	if (kill)
	72	free_fs_struct(fs);
	73	--- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200
	74	+++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
	75	@@ -220,7 +220,7 @@
	76	if (mask & CLONE_FS) {
	77	write_lock(&fs_cur->lock);
	78	current->fs = fs;
	79	- kill = !--fs_cur->users;
	80	+ kill = !atomic_dec_return(&fs_cur->users);
adc1caaa	81	spin_unlock(&fs_cur->lock);
d1ac4147 AM	82	}
	83
	84	@@ -278,7 +278,7 @@
	85	if (mask & CLONE_FS) {
a701070e AM	86	spin_lock(&fs_vxi->lock);
a701070e AM	87	space->vx_fs = fs;
d1ac4147 AM	88	- kill = !--fs_vxi->users;
d1ac4147 AM	89	+ kill = !atomic_dec_return(&fs_vxi->users);
adc1caaa	90	spin_unlock(&fs_vxi->lock);
d1ac4147 AM	91	}
d1ac4147 AM	92
35254aaf AM	93	--- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
	94	+++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
	95	@@ -59,8 +59,8 @@
	96	limited in memory.
	97
	98	config PROC_PAGE_MONITOR
	99	- default n
	100	- depends on PROC_FS && MMU && !GRKERNSEC
	101	+ default y
	102	+ depends on PROC_FS && MMU
410dbfd4	103	bool "Enable /proc page monitoring" if EXPERT
35254aaf AM	104	help
35254aaf AM	105	Various /proc files exist to monitor process memory utilization:
f5fc3f52 AM	106	--- linux-2.6.34/net/socket.c~ 2010-07-06 15:35:03.398523320 +0200
f5fc3f52 AM	107	+++ linux-2.6.34/net/socket.c 2010-07-06 15:35:26.021020905 +0200
2ec0a0a8	108	@@ -1573,12 +1573,6 @@
a6bb676c AM	109	newsock->type = sock->type;
	110	newsock->ops = sock->ops;
	111
	112	- if (gr_handle_sock_server_other(sock->sk)) {
	113	- err = -EPERM;
	114	- sock_release(newsock);
	115	- goto out_put;
	116	- }
a6bb676c	117	-
f5fc3f52 AM	118	err = gr_search_accept(sock);
	119	if (err) {
	120	sock_release(newsock);
b8a8d479	121
f69274b4	122
e0470645 AM	123	--- linux-3.0/include/linux/vermagic.h~ 2011-10-14 19:55:36.000000000 +0200
	124	+++ linux-3.0/include/linux/vermagic.h 2011-10-16 15:45:11.251098590 +0200
	125	@@ -33,7 +33,7 @@
	126	#endif
	127
	128	#ifdef CONSTIFY_PLUGIN
	129	-#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
	130	+#define MODULE_CONSTIFY_PLUGIN ""
	131	#else
	132	#define MODULE_CONSTIFY_PLUGIN ""
	133	#endif
ff18af08 AM	134	--- linux-3.1/kernel/fork.c.org 2011-11-17 20:43:03.561319929 +0100
	135	+++ linux-3.1/kernel/fork.c 2011-11-17 20:44:09.022832196 +0100
	136	@@ -1704,7 +1704,7 @@
	137	return 0;
	138
	139	/* don't need lock here; in the worst case we'll do useless copy */
	140	- if (fs->users == 1)
	141	+ if (atomic_read(&fs->users) == 1)
	142	return 0;
	143
	144	*new_fsp = copy_fs_struct(fs);
	145	@@ -1793,7 +1793,7 @@
	146	fs = current->fs;
	147	spin_lock(&fs->lock);
	148	current->fs = new_fs;
	149	- if (--fs->users)
	150	+ if (atomic_dec_return(&fs->users))
	151	new_fs = NULL;
	152	else
	153	new_fs = fs;