[packages/kernel.git] / kernel-grsec_fixes.patch

netlink
cap_dac*
diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c	2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c	2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 	return 0;
 }

+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+	struct task_struct *p;
+
+	if (gr_acl_is_enabled()) {
+		read_lock(&tasklist_lock);
+		p = find_task_by_vpid(pid);
+		if (p) {
+			get_task_struct(p);
+			gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+		}
+		read_unlock(&tasklist_lock);
+	}
+	return;
+}
--- a/grsecurity/grsec_sock.c	2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c	2008-03-24 00:27:01.971671763 +0100
@@ -247,23 +247,26 @@
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+	struct acl_subject_label *curracl;
+	kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
 	if (!gr_acl_is_enabled())
 		return current_cap();
-	else if (sock->sk_protocol == NETLINK_ISCSI &&
-		 cap_raised(current_cap(), CAP_SYS_ADMIN) &&
-		 gr_is_capable(CAP_SYS_ADMIN))
-		return current_cap();
-	else if (sock->sk_protocol == NETLINK_AUDIT &&
-		 cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
-		 gr_is_capable(CAP_AUDIT_WRITE) &&
-		 cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
-		 gr_is_capable(CAP_AUDIT_CONTROL))
-		return current_cap();
-	else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
-		 gr_is_capable(CAP_NET_ADMIN))
-		return current_cap();
-	else
-		return __cap_empty_set;
+	else {
+		curracl = current->acl;
+
+		cap_dropp  = curracl->cap_lower;
+		cap_mask = curracl->cap_mask;
+
+		while ((curracl = curracl->parent_subject)) {
+			cap_dropp = cap_combine(cap_dropp,
+					cap_intersect(curracl->cap_lower,
+						cap_drop(cap_mask, curracl->cap_mask)));
+			cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+		}
+		return cap_drop(current_cap(),
+				cap_intersect(cap_dropp, cap_mask));
+	}
 #else
 	return current_cap();
 #endif
diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
--- a/include/linux/grsecurity.h	2007-12-01 00:54:57.224769000 +0000
+++ c/include/linux/grsecurity.h	2007-12-01 01:09:34.923621750 +0000
@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
 void gr_log_shmget(const int err, const int shmflg, const size_t size);
 void gr_log_shmrm(const uid_t uid, const uid_t cuid);
 void gr_log_textrel(struct vm_area_struct *vma);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 				 const struct inode *inode,
diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c	2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c	2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+		gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 		return -EPERM;
+	}
 	return 0;
 }
 
--- linux-2.6.30/kernel/vserver/context.c~	2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c	2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
 	// preconfig fs entries
 	for (index = 0; index < VX_SPACES; index++) {
 		write_lock(&init_fs.lock);
-		init_fs.users++;
+		atomic_inc(&init_fs.users);
 		write_unlock(&init_fs.lock);
 		new->vx_fs[index] = &init_fs;
 	}
@@ -196,7 +196,7 @@
 
 		fs = xchg(&vxi->vx_fs[index], NULL);
 		write_lock(&fs->lock);
-		kill = !--fs->users;
+		kill = !atomic_dec_return(&fs->users);
 		write_unlock(&fs->lock);
 		if (kill)
 			free_fs_struct(fs);
--- linux-2.6.30/kernel/vserver/space.c~	2009-07-31 12:07:52.398601243 +0200
+++ linux-2.6.30/kernel/vserver/space.c	2009-07-31 12:47:48.638394441 +0200
@@ -220,7 +220,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_cur->lock);
 		current->fs = fs;
-		kill = !--fs_cur->users;
+		kill = !atomic_dec_return(&fs_cur->users);
 		write_unlock(&fs_cur->lock);
 	}
 
@@ -278,7 +278,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_vxi->lock);
 		vxi->vx_fs[index] = fs;
-		kill = !--fs_vxi->users;
+		kill = !atomic_dec_return(&fs_vxi->users);
 		write_unlock(&fs_vxi->lock);
 	}
 
--- linux-2.6.28/fs/proc/Kconfig~       2008-11-20 23:26:34.000000000 +0100
+++ linux-2.6.28/fs/proc/Kconfig        2008-12-01 20:37:12.000000000 +0100
@@ -59,8 +59,8 @@
 	  limited in memory.
 
 config PROC_PAGE_MONITOR
- 	default n
-	depends on PROC_FS && MMU && !GRKERNSEC
+ 	default y
+	depends on PROC_FS && MMU
 	bool "Enable /proc page monitoring" if EMBEDDED
  	help
 	  Various /proc files exist to monitor process memory utilization:

--- linux-2.6.32/fs/fuse/dev.c~	2009-12-16 16:17:39.332389382 +0100
+++ linux-2.6.32/fs/fuse/dev.c	2009-12-16 16:38:16.242858865 +0100
@@ -831,6 +831,7 @@
 	spin_unlock(&fc->lock);
 	return err;
 }
+EXPORT_SYMBOL_GPL(fuse_dev_read);
 
 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
 			    struct fuse_copy_state *cs)
@@ -1093,6 +1094,7 @@
 	fuse_copy_finish(&cs);
 	return err;
 }
+EXPORT_SYMBOL_GPL(fuse_dev_write);
 
 unsigned fuse_dev_poll(struct file *file, poll_table *wait)
 {
@@ -1112,6 +1114,7 @@
 
 	return mask;
 }
+EXPORT_SYMBOL_GPL(fuse_dev_poll);
 
 /*
  * Abort all requests on the given list (pending or processing)
@@ -1229,6 +1232,7 @@
 	/* No locking - fasync_helper does its own locking */
 	return fasync_helper(fd, file, on, &fc->fasync);
 }
+EXPORT_SYMBOL_GPL(fuse_dev_fasync);
 
 const struct file_operations fuse_dev_operations = {
 	.owner		= THIS_MODULE,
Commit	Line	Data
2380c486 JR	1	netlink
	2	cap_dac*
	3	diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
	4	--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
	5	+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
	6	@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
	7	return 0;
	8	}
	9
	10	+void
	11	+gr_log_cap_pid(const int cap, const pid_t pid)
	12	+{
	13	+ struct task_struct *p;
	14	+
	15	+ if (gr_acl_is_enabled()) {
	16	+ read_lock(&tasklist_lock);
	17	+ p = find_task_by_vpid(pid);
	18	+ if (p) {
	19	+ get_task_struct(p);
	20	+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
	21	+ }
	22	+ read_unlock(&tasklist_lock);
	23	+ }
	24	+ return;
	25	+}
	26	--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
	27	+++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
	28	@@ -247,23 +247,26 @@
	29	gr_cap_rtnetlink(struct sock *sock)
	30	{
	31	#ifdef CONFIG_GRKERNSEC
	32	+ struct acl_subject_label *curracl;
	33	+ kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
	34	+
	35	if (!gr_acl_is_enabled())
	36	return current_cap();
	37	- else if (sock->sk_protocol == NETLINK_ISCSI &&
	38	- cap_raised(current_cap(), CAP_SYS_ADMIN) &&
	39	- gr_is_capable(CAP_SYS_ADMIN))
	40	- return current_cap();
	41	- else if (sock->sk_protocol == NETLINK_AUDIT &&
	42	- cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
	43	- gr_is_capable(CAP_AUDIT_WRITE) &&
	44	- cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
	45	- gr_is_capable(CAP_AUDIT_CONTROL))
	46	- return current_cap();
	47	- else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
	48	- gr_is_capable(CAP_NET_ADMIN))
	49	- return current_cap();
	50	- else
	51	- return __cap_empty_set;
	52	+ else {
	53	+ curracl = current->acl;
	54	+
	55	+ cap_dropp = curracl->cap_lower;
	56	+ cap_mask = curracl->cap_mask;
	57	+
	58	+ while ((curracl = curracl->parent_subject)) {
	59	+ cap_dropp = cap_combine(cap_dropp,
	60	+ cap_intersect(curracl->cap_lower,
	61	+ cap_drop(cap_mask, curracl->cap_mask)));
	62	+ cap_mask = cap_combine(cap_mask, curracl->cap_mask);
	63	+ }
	64	+ return cap_drop(current_cap(),
65	+ cap_intersect(cap_dropp, cap_mask));
66	+ }
67	#else
68	return current_cap();
69	#endif
70	diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h
71	--- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000
72	+++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000
73	@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
74	void gr_log_shmget(const int err, const int shmflg, const size_t size);
75	void gr_log_shmrm(const uid_t uid, const uid_t cuid);
76	void gr_log_textrel(struct vm_area_struct *vma);
77	+void gr_log_cap_pid(const int cap, pid_t pid);
78
79	int gr_handle_follow_link(const struct inode *parent,
80	const struct inode *inode,
81	diff -upr a/security/commoncap.c c/security/commoncap.c
82	--- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
83	+++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
84	@@ -55,8 +55,12 @@
85
86	int cap_netlink_recv(struct sk_buff *skb, int cap)
87	{
88	- if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
89	+ if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
90	+#ifdef CONFIG_GRKERNSEC
91	+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
92	+#endif
93	return -EPERM;
94	+ }
95	return 0;
96	}
97
d1ac4147 AM	98	--- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
	99	+++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
	100	@@ -122,7 +122,7 @@
	101	// preconfig fs entries
	102	for (index = 0; index < VX_SPACES; index++) {
	103	write_lock(&init_fs.lock);
	104	- init_fs.users++;
	105	+ atomic_inc(&init_fs.users);
	106	write_unlock(&init_fs.lock);
	107	new->vx_fs[index] = &init_fs;
	108	}
	109	@@ -196,7 +196,7 @@
	110
	111	fs = xchg(&vxi->vx_fs[index], NULL);
	112	write_lock(&fs->lock);
	113	- kill = !--fs->users;
	114	+ kill = !atomic_dec_return(&fs->users);
	115	write_unlock(&fs->lock);
	116	if (kill)
	117	free_fs_struct(fs);
	118	--- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200
	119	+++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
	120	@@ -220,7 +220,7 @@
	121	if (mask & CLONE_FS) {
	122	write_lock(&fs_cur->lock);
	123	current->fs = fs;
	124	- kill = !--fs_cur->users;
	125	+ kill = !atomic_dec_return(&fs_cur->users);
	126	write_unlock(&fs_cur->lock);
	127	}
	128
	129	@@ -278,7 +278,7 @@
	130	if (mask & CLONE_FS) {
	131	write_lock(&fs_vxi->lock);
	132	vxi->vx_fs[index] = fs;
	133	- kill = !--fs_vxi->users;
	134	+ kill = !atomic_dec_return(&fs_vxi->users);
	135	write_unlock(&fs_vxi->lock);
	136	}
	137
35254aaf AM	138	--- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
	139	+++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
	140	@@ -59,8 +59,8 @@
	141	limited in memory.
	142
	143	config PROC_PAGE_MONITOR
	144	- default n
	145	- depends on PROC_FS && MMU && !GRKERNSEC
	146	+ default y
	147	+ depends on PROC_FS && MMU
	148	bool "Enable /proc page monitoring" if EMBEDDED
	149	help
	150	Various /proc files exist to monitor process memory utilization:
	151
0f110665 AM	152	--- linux-2.6.32/fs/fuse/dev.c~ 2009-12-16 16:17:39.332389382 +0100
	153	+++ linux-2.6.32/fs/fuse/dev.c 2009-12-16 16:38:16.242858865 +0100
	154	@@ -831,6 +831,7 @@
	155	spin_unlock(&fc->lock);
	156	return err;
	157	}
	158	+EXPORT_SYMBOL_GPL(fuse_dev_read);
	159
	160	static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
	161	struct fuse_copy_state *cs)
	162	@@ -1093,6 +1094,7 @@
	163	fuse_copy_finish(&cs);
	164	return err;
	165	}
	166	+EXPORT_SYMBOL_GPL(fuse_dev_write);
	167
	168	unsigned fuse_dev_poll(struct file file, poll_table wait)
	169	{
	170	@@ -1112,6 +1114,7 @@
	171
	172	return mask;
	173	}
	174	+EXPORT_SYMBOL_GPL(fuse_dev_poll);
	175
	176	/*
	177	* Abort all requests on the given list (pending or processing)
	178	@@ -1229,6 +1232,7 @@
	179	/* No locking - fasync_helper does its own locking */
	180	return fasync_helper(fd, file, on, &fc->fasync);
	181	}
	182	+EXPORT_SYMBOL_GPL(fuse_dev_fasync);
	183
	184	const struct file_operations fuse_dev_operations = {
	185	.owner = THIS_MODULE,