[packages/kernel.git] / kernel-grsec_fixes.patch

netlink
cap_dac*
diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c	2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c	2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 	return 0;
 }

+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+	struct task_struct *p;
+
+	if (gr_acl_is_enabled()) {
+		read_lock(&tasklist_lock);
+		p = find_task_by_vpid(pid);
+		if (p) {
+			get_task_struct(p);
+			gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+		}
+		read_unlock(&tasklist_lock);
+	}
+	return;
+}
--- a/grsecurity/grsec_sock.c	2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c	2008-03-24 00:27:01.971671763 +0100
@@ -247,25 +247,26 @@
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+	struct acl_subject_label *curracl;
+	kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
 	if (!gr_acl_is_enabled())
 		return current_cap();
-	else if (sock->sk_protocol == NETLINK_ISCSI &&
-		 cap_raised(current_cap(), CAP_SYS_ADMIN) &&
-		 gr_is_capable(CAP_SYS_ADMIN))
-		return current_cap();
-	else if (sock->sk_protocol == NETLINK_AUDIT &&
-		 cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
-		 gr_is_capable(CAP_AUDIT_WRITE) &&
-		 cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
-		 gr_is_capable(CAP_AUDIT_CONTROL))
-		return current_cap();
-	else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
-		 ((sock->sk_protocol == NETLINK_ROUTE) ? 
-		  gr_is_capable_nolog(CAP_NET_ADMIN) : 
-		  gr_is_capable(CAP_NET_ADMIN)))
-		return current_cap();
-	else
-		return __cap_empty_set;
+	else {
+		curracl = current->acl;
+
+		cap_dropp  = curracl->cap_lower;
+		cap_mask = curracl->cap_mask;
+
+		while ((curracl = curracl->parent_subject)) {
+			cap_dropp = cap_combine(cap_dropp,
+					cap_intersect(curracl->cap_lower,
+						cap_drop(cap_mask, curracl->cap_mask)));
+			cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+		}
+		return cap_drop(current_cap(),
+				cap_intersect(cap_dropp, cap_mask));
+	}
 #else
 	return current_cap();
 #endif
--- linux-2.6.35/include/linux/grsecurity.h~	2010-10-20 21:01:00.758532744 +0200
+++ linux-2.6.35/include/linux/grsecurity.h	2010-10-20 21:03:27.556754795 +0200
@@ -78,6 +78,7 @@
 void gr_log_textrel(struct vm_area_struct *vma);
 void gr_log_rwxmmap(struct file *file);
 void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 				 const struct inode *inode,
diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c	2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c	2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+		gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 		return -EPERM;
+	}
 	return 0;
 }
 
--- linux-2.6.30/kernel/vserver/context.c~	2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c	2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
 	// preconfig fs entries
 	for (index = 0; index < VX_SPACES; index++) {
 		spin_lock(&init_fs.lock);
-		init_fs.users++;
+		atomic_inc(&init_fs.users);
 		spin_unlock(&init_fs.lock);
 		new->vx_fs[index] = &init_fs;
 	}
@@ -197,7 +197,7 @@
 
 		fs = xchg(&vxi->vx_fs[index], NULL);
 		spin_lock(&fs->lock);
-		kill = !--fs->users;
+		kill = !atomic_dec_return(&fs->users);
 		spin_unlock(&fs->lock);
 		if (kill)
 			free_fs_struct(fs);
--- linux-2.6.30/kernel/vserver/space.c~	2009-07-31 12:07:52.398601243 +0200
+++ linux-2.6.30/kernel/vserver/space.c	2009-07-31 12:47:48.638394441 +0200
@@ -220,7 +220,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_cur->lock);
 		current->fs = fs;
-		kill = !--fs_cur->users;
+		kill = !atomic_dec_return(&fs_cur->users);
 		spin_unlock(&fs_cur->lock);
 	}
 
@@ -278,7 +278,7 @@
 	if (mask & CLONE_FS) {
 		spin_lock(&fs_vxi->lock);
 		space->vx_fs = fs;
-		kill = !--fs_vxi->users;
+		kill = !atomic_dec_return(&fs_vxi->users);
 		spin_unlock(&fs_vxi->lock);
 	}
 
--- linux-2.6.28/fs/proc/Kconfig~       2008-11-20 23:26:34.000000000 +0100
+++ linux-2.6.28/fs/proc/Kconfig        2008-12-01 20:37:12.000000000 +0100
@@ -59,8 +59,8 @@
 	  limited in memory.
 
 config PROC_PAGE_MONITOR
- 	default n
-	depends on PROC_FS && MMU && !GRKERNSEC
+ 	default y
+	depends on PROC_FS && MMU
 	bool "Enable /proc page monitoring" if EMBEDDED
  	help
 	  Various /proc files exist to monitor process memory utilization:
--- linux-2.6.34/net/socket.c~	2010-07-06 15:35:03.398523320 +0200
+++ linux-2.6.34/net/socket.c	2010-07-06 15:35:26.021020905 +0200
@@ -1573,12 +1573,6 @@
 	newsock->type = sock->type;
 	newsock->ops = sock->ops;
 
-	if (gr_handle_sock_server_other(sock->sk)) {
-		err = -EPERM;
-		sock_release(newsock);
-		goto out_put;
-	}
-
 	err = gr_search_accept(sock);
 	if (err) {
 		sock_release(newsock);

--- linux-2.6.37/include/linux/slab.h~	2011-01-17 11:48:00.934382737 +0100
+++ linux-2.6.37/include/linux/slab.h	2011-01-17 12:38:01.843508841 +0100
@@ -344,7 +344,7 @@
 #define kmalloc(x, y)					\
 ({							\
 	void *___retval;				\
-	intoverflow_t ___x = (intoverflow_t)x;		\
+	intoverflow_t ___x = (intoverflow_t)(x);		\
 	if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
 		___retval = NULL;			\
 	else						\
@@ -355,7 +355,7 @@
 #define kmalloc_node(x, y, z)					\
 ({								\
 	void *___retval;					\
-	intoverflow_t ___x = (intoverflow_t)x;			\
+	intoverflow_t ___x = (intoverflow_t)(x);			\
 	if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
 		___retval = NULL;				\
 	else							\
@@ -366,7 +366,7 @@
 #define kzalloc(x, y)					\
 ({							\
 	void *___retval;				\
-	intoverflow_t ___x = (intoverflow_t)x;		\
+	intoverflow_t ___x = (intoverflow_t)(x);		\
 	if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
 		___retval = NULL;			\
 	else						\
Commit	Line	Data
2380c486 JR	1	netlink
	2	cap_dac*
	3	diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
	4	--- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
	5	+++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
192cf7ff	6	@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
2380c486 JR	7	return 0;
	8	}
	9
	10	+void
	11	+gr_log_cap_pid(const int cap, const pid_t pid)
	12	+{
	13	+ struct task_struct *p;
	14	+
	15	+ if (gr_acl_is_enabled()) {
	16	+ read_lock(&tasklist_lock);
	17	+ p = find_task_by_vpid(pid);
	18	+ if (p) {
	19	+ get_task_struct(p);
	20	+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
	21	+ }
	22	+ read_unlock(&tasklist_lock);
	23	+ }
	24	+ return;
	25	+}
	26	--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
	27	+++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
9390b158	28	@@ -247,25 +247,26 @@
2380c486 JR	29	gr_cap_rtnetlink(struct sock *sock)
	30	{
	31	#ifdef CONFIG_GRKERNSEC
	32	+ struct acl_subject_label *curracl;
	33	+ kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
	34	+
	35	if (!gr_acl_is_enabled())
	36	return current_cap();
	37	- else if (sock->sk_protocol == NETLINK_ISCSI &&
	38	- cap_raised(current_cap(), CAP_SYS_ADMIN) &&
	39	- gr_is_capable(CAP_SYS_ADMIN))
	40	- return current_cap();
	41	- else if (sock->sk_protocol == NETLINK_AUDIT &&
	42	- cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
	43	- gr_is_capable(CAP_AUDIT_WRITE) &&
	44	- cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
	45	- gr_is_capable(CAP_AUDIT_CONTROL))
	46	- return current_cap();
	47	- else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
9390b158	48	- ((sock->sk_protocol == NETLINK_ROUTE) ?
	49	- gr_is_capable_nolog(CAP_NET_ADMIN) :
	50	- gr_is_capable(CAP_NET_ADMIN)))
2380c486 JR	51	- return current_cap();
	52	- else
	53	- return __cap_empty_set;
	54	+ else {
	55	+ curracl = current->acl;
	56	+
	57	+ cap_dropp = curracl->cap_lower;
	58	+ cap_mask = curracl->cap_mask;
	59	+
	60	+ while ((curracl = curracl->parent_subject)) {
	61	+ cap_dropp = cap_combine(cap_dropp,
	62	+ cap_intersect(curracl->cap_lower,
	63	+ cap_drop(cap_mask, curracl->cap_mask)));
	64	+ cap_mask = cap_combine(cap_mask, curracl->cap_mask);
	65	+ }
	66	+ return cap_drop(current_cap(),
	67	+ cap_intersect(cap_dropp, cap_mask));
	68	+ }
	69	#else
	70	return current_cap();
	71	#endif
0db8bb3b AM	72	--- linux-2.6.35/include/linux/grsecurity.h~ 2010-10-20 21:01:00.758532744 +0200
	73	+++ linux-2.6.35/include/linux/grsecurity.h 2010-10-20 21:03:27.556754795 +0200
	74	@@ -78,6 +78,7 @@
2380c486	75	void gr_log_textrel(struct vm_area_struct *vma);
0db8bb3b AM	76	void gr_log_rwxmmap(struct file *file);
0db8bb3b AM	77	void gr_log_rwxmprotect(struct file *file);
2380c486 JR	78	+void gr_log_cap_pid(const int cap, pid_t pid);
	79
	80	int gr_handle_follow_link(const struct inode *parent,
	81	const struct inode *inode,
	82	diff -upr a/security/commoncap.c c/security/commoncap.c
	83	--- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
	84	+++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
	85	@@ -55,8 +55,12 @@
	86
	87	int cap_netlink_recv(struct sk_buff *skb, int cap)
	88	{
	89	- if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
	90	+ if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
	91	+#ifdef CONFIG_GRKERNSEC
	92	+ gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
	93	+#endif
	94	return -EPERM;
	95	+ }
	96	return 0;
	97	}
	98
d1ac4147 AM	99	--- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
	100	+++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
	101	@@ -122,7 +122,7 @@
	102	// preconfig fs entries
	103	for (index = 0; index < VX_SPACES; index++) {
adc1caaa	104	spin_lock(&init_fs.lock);
d1ac4147 AM	105	- init_fs.users++;
d1ac4147 AM	106	+ atomic_inc(&init_fs.users);
adc1caaa	107	spin_unlock(&init_fs.lock);
d1ac4147 AM	108	new->vx_fs[index] = &init_fs;
d1ac4147 AM	109	}
adc1caaa	110	@@ -197,7 +197,7 @@
d1ac4147 AM	111
d1ac4147 AM	112	fs = xchg(&vxi->vx_fs[index], NULL);
adc1caaa	113	spin_lock(&fs->lock);
d1ac4147 AM	114	- kill = !--fs->users;
d1ac4147 AM	115	+ kill = !atomic_dec_return(&fs->users);
adc1caaa	116	spin_unlock(&fs->lock);
d1ac4147 AM	117	if (kill)
	118	free_fs_struct(fs);
	119	--- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200
	120	+++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
	121	@@ -220,7 +220,7 @@
	122	if (mask & CLONE_FS) {
	123	write_lock(&fs_cur->lock);
	124	current->fs = fs;
	125	- kill = !--fs_cur->users;
	126	+ kill = !atomic_dec_return(&fs_cur->users);
adc1caaa	127	spin_unlock(&fs_cur->lock);
d1ac4147 AM	128	}
	129
	130	@@ -278,7 +278,7 @@
	131	if (mask & CLONE_FS) {
a701070e AM	132	spin_lock(&fs_vxi->lock);
a701070e AM	133	space->vx_fs = fs;
d1ac4147 AM	134	- kill = !--fs_vxi->users;
d1ac4147 AM	135	+ kill = !atomic_dec_return(&fs_vxi->users);
adc1caaa	136	spin_unlock(&fs_vxi->lock);
d1ac4147 AM	137	}
d1ac4147 AM	138
35254aaf AM	139	--- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
	140	+++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
	141	@@ -59,8 +59,8 @@
	142	limited in memory.
	143
	144	config PROC_PAGE_MONITOR
	145	- default n
	146	- depends on PROC_FS && MMU && !GRKERNSEC
	147	+ default y
	148	+ depends on PROC_FS && MMU
	149	bool "Enable /proc page monitoring" if EMBEDDED
	150	help
	151	Various /proc files exist to monitor process memory utilization:
f5fc3f52 AM	152	--- linux-2.6.34/net/socket.c~ 2010-07-06 15:35:03.398523320 +0200
f5fc3f52 AM	153	+++ linux-2.6.34/net/socket.c 2010-07-06 15:35:26.021020905 +0200
2ec0a0a8	154	@@ -1573,12 +1573,6 @@
a6bb676c AM	155	newsock->type = sock->type;
	156	newsock->ops = sock->ops;
	157
	158	- if (gr_handle_sock_server_other(sock->sk)) {
	159	- err = -EPERM;
	160	- sock_release(newsock);
	161	- goto out_put;
	162	- }
a6bb676c	163	-
f5fc3f52 AM	164	err = gr_search_accept(sock);
	165	if (err) {
	166	sock_release(newsock);
b8a8d479	167
cc9217c1 AM	168	--- linux-2.6.37/include/linux/slab.h~ 2011-01-17 11:48:00.934382737 +0100
	169	+++ linux-2.6.37/include/linux/slab.h 2011-01-17 12:38:01.843508841 +0100
	170	@@ -344,7 +344,7 @@
	171	#define kmalloc(x, y) \
	172	({ \
	173	void *___retval; \
	174	- intoverflow_t ___x = (intoverflow_t)x; \
	175	+ intoverflow_t ___x = (intoverflow_t)(x); \
	176	if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
	177	___retval = NULL; \
	178	else \
	179	@@ -355,7 +355,7 @@
	180	#define kmalloc_node(x, y, z) \
	181	({ \
	182	void *___retval; \
	183	- intoverflow_t ___x = (intoverflow_t)x; \
	184	+ intoverflow_t ___x = (intoverflow_t)(x); \
	185	if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
	186	___retval = NULL; \
	187	else \
	188	@@ -366,7 +366,7 @@
	189	#define kzalloc(x, y) \
	190	({ \
	191	void *___retval; \
	192	- intoverflow_t ___x = (intoverflow_t)x; \
	193	+ intoverflow_t ___x = (intoverflow_t)(x); \
	194	if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
	195	___retval = NULL; \
	196	else \