1 | netlink |
2 | cap_dac* | |
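diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 return 0;
 }
 
+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+ struct task_struct *p;
+
+ if (gr_acl_is_enabled()) {
+ read_lock(&tasklist_lock);
+ p = find_task_by_vpid(pid);
+ if (p) {
+ get_task_struct(p);
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+ }
+ read_unlock(&tasklist_lock);
+ }
+ return;
+}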
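Review bot: `get_task_struct(p)` in the new gr_log_cap_pid has no matching `put_task_struct(p)`, so every logged denial leaks a task_struct reference unless gr_log_cap consumes the reference, which nothing in this hunk shows. Both the lookup and the gr_log_cap call run under `read_lock(&tasklist_lock)`, so the task cannot be freed in between and the simplest fix is to delete the `get_task_struct(p);` line; if the reference is wanted for some reason, add `put_task_struct(p);` after the gr_log_cap call instead. `captab_log[cap]` is also indexed with the caller-supplied cap without a range check; the only visible caller is cap_netlink_recv, whose cap values come from kernel subsystems, so this is probably bounded, but a `if (cap < 0 || cap > CAP_LAST_CAP) return;` guard would make that locally true.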
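--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
@@ -247,25 +247,26 @@
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
 if (!gr_acl_is_enabled())
 return current_cap();
- else if (sock->sk_protocol == NETLINK_ISCSI &&
- cap_raised(current_cap(), CAP_SYS_ADMIN) &&
- gr_is_capable(CAP_SYS_ADMIN))
- return current_cap();
- else if (sock->sk_protocol == NETLINK_AUDIT &&
- cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
- gr_is_capable(CAP_AUDIT_WRITE) &&
- cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
- gr_is_capable(CAP_AUDIT_CONTROL))
- return current_cap();
- else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
- ((sock->sk_protocol == NETLINK_ROUTE) ?
- gr_is_capable_nolog(CAP_NET_ADMIN) :
- gr_is_capable(CAP_NET_ADMIN)))
- return current_cap();
- else
- return __cap_empty_set;
+ else {
+ curracl = current->acl;
+
+ cap_dropp = curracl->cap_lower;
+ cap_mask = curracl->cap_mask;
+
+ while ((curracl = curracl->parent_subject)) {
+ cap_dropp = cap_combine(cap_dropp,
+ cap_intersect(curracl->cap_lower,
+ cap_drop(cap_mask, curracl->cap_mask)));
+ cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+ }
+ return cap_drop(current_cap(),
+ cap_intersect(cap_dropp, cap_mask));
+ }
 #else
 return current_cap();
 #endif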
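Review bot: The parent walk's `cap_drop(cap_mask, curracl->cap_mask)` looks like it has its arguments reversed: with the kernel's cap_drop(a, b) = a & ~b it selects the capabilities the child subject has already masked and the parent has not, and intersecting that with the parent's cap_lower will normally yield nothing, so a parent subject's lowered capabilities never reach cap_dropp and the final `cap_drop(current_cap(), ...)` fails open for rtnetlink. The accumulation on the next line, `cap_mask = cap_combine(cap_mask, curracl->cap_mask)`, suggests the intended set is the parent's masked caps that the child has not overridden, i.e. `cap_drop(curracl->cap_mask, cap_mask)`; confirm against the per-capability walk in gr_is_capable before changing it. Note also that the rewrite drops every gr_is_capable call, so a denial in this path is no longer logged at the point of decision; if that is intentional because logging now happens at receive time, a one-line comment saying so would save the next reader the search.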
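--- linux-2.6.35/include/linux/grsecurity.h~ 2010-10-20 21:01:00.758532744 +0200
+++ linux-2.6.35/include/linux/grsecurity.h 2010-10-20 21:03:27.556754795 +0200
@@ -78,6 +78,7 @@
 void gr_log_textrel(struct vm_area_struct *vma);
 void gr_log_rwxmmap(struct file *file);
 void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 const struct inode *inode,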
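diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
- if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+ if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 return -EPERM;
+ }
 return 0;
 }
 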
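Review bot: `NETLINK_CREDS(skb)->pid` is the sending socket's netlink port id, not necessarily the sender's process id: an autobound socket gets a pid-derived value that can differ from (or be the negation of) the task pid when a process owns several netlink sockets, and the value is resolved only at receive time, so the task it maps to may already be gone or the pid reused. The gracl_cap.c hunk on this page resolves it with find_task_by_vpid in the receiver's pid namespace, which adds a namespace mismatch on top of that, so the log line may name the wrong task or none. If this hook runs synchronously in the sender's sendmsg path, `current` is the sender and would be a more reliable subject than the portid; otherwise at least mark the limitation above the call, e.g. `/* best effort: netlink portid, may not map to the sending task */`.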
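--- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
 // preconfig fs entries
 for (index = 0; index < VX_SPACES; index++) {
 spin_lock(&init_fs.lock);
- init_fs.users++;
+ atomic_inc(&init_fs.users);
 spin_unlock(&init_fs.lock);
 new->vx_fs[index] = &init_fs;
 }
@@ -197,7 +197,7 @@
 
 fs = xchg(&vxi->vx_fs[index], NULL);
 spin_lock(&fs->lock);
- kill = !--fs->users;
+ kill = !atomic_dec_return(&fs->users);
 spin_unlock(&fs->lock);
 if (kill)
 free_fs_struct(fs);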
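Review bot: `kill = !atomic_dec_return(&fs->users);` in the second hunk is correct but reads as arithmetic rather than intent; the kernel idiom for a last-reference test is `kill = atomic_dec_and_test(&fs->users);`. Once users is an atomic_t, the `spin_lock(&fs->lock)`/`spin_unlock` pair around the bare increment in the first hunk and around the decrement here no longer protects the counter itself; keep the lock only if it still guards other fs_struct fields touched in these functions, which the hunks do not show. The `fs` returned by `xchg` is dereferenced without a NULL check; the first hunk fills every slot with `&init_fs`, so this is presumably never NULL, but a one-line comment stating that invariant would help. Both enclosing functions start outside the hunks.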
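--- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200
+++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
@@ -220,7 +220,7 @@
 if (mask & CLONE_FS) {
 write_lock(&fs_cur->lock);
 current->fs = fs;
- kill = !--fs_cur->users;
+ kill = !atomic_dec_return(&fs_cur->users);
 spin_unlock(&fs_cur->lock);
 }
 
@@ -278,7 +278,7 @@
 if (mask & CLONE_FS) {
 spin_lock(&fs_vxi->lock);
 space->vx_fs = fs;
- kill = !--fs_vxi->users;
+ kill = !atomic_dec_return(&fs_vxi->users);
 spin_unlock(&fs_vxi->lock);
 }
 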
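Review bot: The first hunk's context pairs `write_lock(&fs_cur->lock)` with `spin_unlock(&fs_cur->lock)`, while the second hunk and both context.c hunks on this page use `spin_lock`/`spin_unlock`; one lock cannot be both an rwlock_t and a spinlock_t, so either this hunk's context no longer matches the tree it is applied to, or, if it does apply, the function takes one lock type and releases another. Assuming fs_struct::lock is a spinlock in this tree, the stale line should be `spin_lock(&fs_cur->lock);` so the patch applies cleanly and the pair matches. The enclosing functions start and end outside the hunks.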
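--- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
+++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
@@ -59,8 +59,8 @@
 limited in memory.
 
 config PROC_PAGE_MONITOR
- default n
- depends on PROC_FS && MMU && !GRKERNSEC
+ default y
+ depends on PROC_FS && MMU
 bool "Enable /proc page monitoring" if EMBEDDED
 help
 Various /proc files exist to monitor process memory utilization: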
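Review bot: Dropping `!GRKERNSEC` from the dependency and flipping the default to `y` re-enables the /proc page-monitoring files on grsecurity builds, where the original dependency deliberately kept them off; the help text describes them as exposing process memory utilization, and the files it presumably goes on to list (the per-process pagemap and the kpage* files) reveal physical-page information that hardened configurations normally withhold from unprivileged users. If the goal is only to restore the upstream default for non-grsec builds, `default y if !GRKERNSEC` followed by `default n` keeps the hardened default while still letting it be turned on; if the goal is to enable it everywhere, a sentence in the help text noting the trade-off under GRKERNSEC would show the next reader it is deliberate.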
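--- linux-2.6.34/net/socket.c~ 2010-07-06 15:35:03.398523320 +0200
+++ linux-2.6.34/net/socket.c 2010-07-06 15:35:26.021020905 +0200
@@ -1573,12 +1573,6 @@
 newsock->type = sock->type;
 newsock->ops = sock->ops;
 
- if (gr_handle_sock_server_other(sock->sk)) {
- err = -EPERM;
- sock_release(newsock);
- goto out_put;
- }
-
 err = gr_search_accept(sock);
 if (err) {
 sock_release(newsock);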
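--- linux-2.6.37/include/linux/slab.h~ 2011-01-17 11:48:00.934382737 +0100
+++ linux-2.6.37/include/linux/slab.h 2011-01-17 12:38:01.843508841 +0100
@@ -344,7 +344,7 @@
 #define kmalloc(x, y) \
 ({ \
 void *___retval; \
- intoverflow_t ___x = (intoverflow_t)x; \
+ intoverflow_t ___x = (intoverflow_t)(x); \
 if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
 ___retval = NULL; \
 else \
@@ -355,7 +355,7 @@
 #define kmalloc_node(x, y, z) \
 ({ \
 void *___retval; \
- intoverflow_t ___x = (intoverflow_t)x; \
+ intoverflow_t ___x = (intoverflow_t)(x); \
 if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
 ___retval = NULL; \
 else \
@@ -366,7 +366,7 @@
 #define kzalloc(x, y) \
 ({ \
 void *___retval; \
- intoverflow_t ___x = (intoverflow_t)x; \
+ intoverflow_t ___x = (intoverflow_t)(x); \
 if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
 ___retval = NULL; \
 else \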
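Review bot: Parenthesising `(x)` in the size capture is the right fix, but each of the three hunks stops at `else \`, and the branch that follows (outside the hunk) presumably hands the size to the real allocator; if that line still names `x`, the macro argument is evaluated twice and the second use is still unparenthesised, so the problem this change fixes survives one line below. Passing the already-captured `___x` in that call (cast back to the allocator's size type) removes both the double evaluation and the need to parenthesise there; the `y`/`z` arguments are not visible in the hunk and should get the same treatment wherever they are expanded. The macros end outside the hunks, so this cannot be confirmed from the page.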