]>
Commit | Line | Data |
---|---|---|
2380c486 JR |
1 | netlink |
2 | cap_dac* | |
3 | diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c | |
4 | --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000 | |
5 | +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000 | |
6 | @@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap) | |
7 | return 0; | |
8 | } | |
9 | ||
10 | +void | |
11 | +gr_log_cap_pid(const int cap, const pid_t pid) | |
12 | +{ | |
13 | + struct task_struct *p; | |
14 | + | |
15 | + if (gr_acl_is_enabled()) { | |
16 | + read_lock(&tasklist_lock); | |
17 | + p = find_task_by_vpid(pid); | |
18 | + if (p) { | |
19 | + get_task_struct(p); | |
20 | + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]); | |
21 | + } | |
22 | + read_unlock(&tasklist_lock); | |
23 | + } | |
24 | + return; | |
25 | +} | |
26 | --- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100 | |
27 | +++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100 | |
28 | @@ -247,23 +247,26 @@ | |
29 | gr_cap_rtnetlink(struct sock *sock) | |
30 | { | |
31 | #ifdef CONFIG_GRKERNSEC | |
32 | + struct acl_subject_label *curracl; | |
33 | + kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set; | |
34 | + | |
35 | if (!gr_acl_is_enabled()) | |
36 | return current_cap(); | |
37 | - else if (sock->sk_protocol == NETLINK_ISCSI && | |
38 | - cap_raised(current_cap(), CAP_SYS_ADMIN) && | |
39 | - gr_is_capable(CAP_SYS_ADMIN)) | |
40 | - return current_cap(); | |
41 | - else if (sock->sk_protocol == NETLINK_AUDIT && | |
42 | - cap_raised(current_cap(), CAP_AUDIT_WRITE) && | |
43 | - gr_is_capable(CAP_AUDIT_WRITE) && | |
44 | - cap_raised(current_cap(), CAP_AUDIT_CONTROL) && | |
45 | - gr_is_capable(CAP_AUDIT_CONTROL)) | |
46 | - return current_cap(); | |
47 | - else if (cap_raised(current_cap(), CAP_NET_ADMIN) && | |
48 | - gr_is_capable(CAP_NET_ADMIN)) | |
49 | - return current_cap(); | |
50 | - else | |
51 | - return __cap_empty_set; | |
52 | + else { | |
53 | + curracl = current->acl; | |
54 | + | |
55 | + cap_dropp = curracl->cap_lower; | |
56 | + cap_mask = curracl->cap_mask; | |
57 | + | |
58 | + while ((curracl = curracl->parent_subject)) { | |
59 | + cap_dropp = cap_combine(cap_dropp, | |
60 | + cap_intersect(curracl->cap_lower, | |
61 | + cap_drop(cap_mask, curracl->cap_mask))); | |
62 | + cap_mask = cap_combine(cap_mask, curracl->cap_mask); | |
63 | + } | |
64 | + return cap_drop(current_cap(), | |
65 | + cap_intersect(cap_dropp, cap_mask)); | |
66 | + } | |
67 | #else | |
68 | return current_cap(); | |
69 | #endif | |
70 | diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h | |
71 | --- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000 | |
72 | +++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000 | |
73 | @@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const | |
74 | void gr_log_shmget(const int err, const int shmflg, const size_t size); | |
75 | void gr_log_shmrm(const uid_t uid, const uid_t cuid); | |
76 | void gr_log_textrel(struct vm_area_struct *vma); | |
77 | +void gr_log_cap_pid(const int cap, pid_t pid); | |
78 | ||
79 | int gr_handle_follow_link(const struct inode *parent, | |
80 | const struct inode *inode, | |
81 | diff -upr a/security/commoncap.c c/security/commoncap.c | |
82 | --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000 | |
83 | +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000 | |
84 | @@ -55,8 +55,12 @@ | |
85 | ||
86 | int cap_netlink_recv(struct sk_buff *skb, int cap) | |
87 | { | |
88 | - if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) | |
89 | + if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) { | |
90 | +#ifdef CONFIG_GRKERNSEC | |
91 | + gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid); | |
92 | +#endif | |
93 | return -EPERM; | |
94 | + } | |
95 | return 0; | |
96 | } | |
97 | ||
d1ac4147 AM |
98 | --- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200 |
99 | +++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200 | |
100 | @@ -122,7 +122,7 @@ | |
101 | // preconfig fs entries | |
102 | for (index = 0; index < VX_SPACES; index++) { | |
103 | write_lock(&init_fs.lock); | |
104 | - init_fs.users++; | |
105 | + atomic_inc(&init_fs.users); | |
106 | write_unlock(&init_fs.lock); | |
107 | new->vx_fs[index] = &init_fs; | |
108 | } | |
109 | @@ -196,7 +196,7 @@ | |
110 | ||
111 | fs = xchg(&vxi->vx_fs[index], NULL); | |
112 | write_lock(&fs->lock); | |
113 | - kill = !--fs->users; | |
114 | + kill = !atomic_dec_return(&fs->users); | |
115 | write_unlock(&fs->lock); | |
116 | if (kill) | |
117 | free_fs_struct(fs); | |
118 | --- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200 | |
119 | +++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200 | |
120 | @@ -220,7 +220,7 @@ | |
121 | if (mask & CLONE_FS) { | |
122 | write_lock(&fs_cur->lock); | |
123 | current->fs = fs; | |
124 | - kill = !--fs_cur->users; | |
125 | + kill = !atomic_dec_return(&fs_cur->users); | |
126 | write_unlock(&fs_cur->lock); | |
127 | } | |
128 | ||
129 | @@ -278,7 +278,7 @@ | |
130 | if (mask & CLONE_FS) { | |
131 | write_lock(&fs_vxi->lock); | |
132 | vxi->vx_fs[index] = fs; | |
133 | - kill = !--fs_vxi->users; | |
134 | + kill = !atomic_dec_return(&fs_vxi->users); | |
135 | write_unlock(&fs_vxi->lock); | |
136 | } | |
137 | ||
35254aaf AM |
138 | --- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100 |
139 | +++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100 | |
140 | @@ -59,8 +59,8 @@ | |
141 | limited in memory. | |
142 | ||
143 | config PROC_PAGE_MONITOR | |
144 | - default n | |
145 | - depends on PROC_FS && MMU && !GRKERNSEC | |
146 | + default y | |
147 | + depends on PROC_FS && MMU | |
148 | bool "Enable /proc page monitoring" if EMBEDDED | |
149 | help | |
150 | Various /proc files exist to monitor process memory utilization: | |
151 | ||
0f110665 AM |
152 | --- linux-2.6.32/fs/fuse/dev.c~ 2009-12-16 16:17:39.332389382 +0100 |
153 | +++ linux-2.6.32/fs/fuse/dev.c 2009-12-16 16:38:16.242858865 +0100 | |
154 | @@ -831,6 +831,7 @@ | |
155 | spin_unlock(&fc->lock); | |
156 | return err; | |
157 | } | |
158 | +EXPORT_SYMBOL_GPL(fuse_dev_read); | |
159 | ||
160 | static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size, | |
161 | struct fuse_copy_state *cs) | |
162 | @@ -1093,6 +1094,7 @@ | |
163 | fuse_copy_finish(&cs); | |
164 | return err; | |
165 | } | |
166 | +EXPORT_SYMBOL_GPL(fuse_dev_write); | |
167 | ||
168 | unsigned fuse_dev_poll(struct file *file, poll_table *wait) | |
169 | { | |
170 | @@ -1112,6 +1114,7 @@ | |
171 | ||
172 | return mask; | |
173 | } | |
174 | +EXPORT_SYMBOL_GPL(fuse_dev_poll); | |
175 | ||
176 | /* | |
177 | * Abort all requests on the given list (pending or processing) | |
178 | @@ -1229,6 +1232,7 @@ | |
179 | /* No locking - fasync_helper does its own locking */ | |
180 | return fasync_helper(fd, file, on, &fc->fasync); | |
181 | } | |
182 | +EXPORT_SYMBOL_GPL(fuse_dev_fasync); | |
183 | ||
184 | const struct file_operations fuse_dev_operations = { | |
185 | .owner = THIS_MODULE, |