- new
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Sun, 20 Nov 2011 13:36:59 +0000 (13:36 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    grsec/3.1/grsec-2.2.2-3.1.1-201111181902.patch -> 1.1

grsec/3.1/grsec-2.2.2-3.1.1-201111181902.patch [new file with mode: 0644]

diff --git a/grsec/3.1/grsec-2.2.2-3.1.1-201111181902.patch b/grsec/3.1/grsec-2.2.2-3.1.1-201111181902.patch
new file mode 100644 (file)
index 0000000..351777a
--- /dev/null
@@ -0,0 +1,223 @@
+--- kernel-grsec_full.patch.org        2011-11-19 01:16:51.000000000 +0100
++++ kernel-grsec_full.patch    2011-11-19 09:35:43.719999727 +0100
+@@ -11523,9 +11523,9 @@
+ @@ -186,7 +186,7 @@ void dump_stack(void)
+  
+       bp = stack_frame(current, NULL);
+-      printk("Pid: %d, comm: %.20s %s %s %.*s\n",
+--             current->pid, current->comm, print_tainted(),
+-+             task_pid_nr(current), current->comm, print_tainted(),
++      printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
++-             current->pid, current->comm, current->xid, print_tainted(),
+++             task_pid_nr(current), current->comm, current->xid, print_tainted(),
+               init_utsname()->release,
+               (int)strcspn(init_utsname()->version, " "),
+               init_utsname()->version);
+@@ -15195,9 +15195,9 @@
+ @@ -106,7 +123,7 @@ void show_regs_common(void)
+  
+       printk(KERN_CONT "\n");
+-      printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
+--             current->pid, current->comm, print_tainted(),
+-+             task_pid_nr(current), current->comm, print_tainted(),
++      printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
++-             current->pid, current->xid, current->comm, print_tainted(),
+++             task_pid_nr(current), current->xid, current->comm, print_tainted(),
+               init_utsname()->release,
+               (int)strcspn(init_utsname()->version, " "),
+               init_utsname()->version);
+@@ -43698,9 +43698,9 @@
+ --- linux-3.1.1/fs/fs_struct.c        2011-11-11 15:19:27.000000000 -0500
+ +++ linux-3.1.1/fs/fs_struct.c        2011-11-16 18:40:29.000000000 -0500
+ @@ -4,6 +4,7 @@
+- #include <linux/path.h>
+  #include <linux/slab.h>
+  #include <linux/fs_struct.h>
++ #include <linux/vserver/global.h>
+ +#include <linux/grsecurity.h>
+  #include "internal.h"
+  
+@@ -45794,9 +45794,9 @@
+  #endif
+  #ifdef CONFIG_SCHEDSTATS
+ @@ -2864,6 +2979,9 @@ static const struct pid_entry tgid_base_
+- #ifdef CONFIG_HARDWALL
+       INF("hardwall",   S_IRUGO, proc_pid_hardwall),
+  #endif
++      ONE("nsproxy",  S_IRUGO, proc_pid_nsproxy),
+ +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ +     INF("ipaddr",     S_IRUSR, proc_pid_ipaddr),
+ +#endif
+@@ -45845,7 +45845,7 @@
+       struct tgid_iter iter;
+       struct pid_namespace *ns;
+  
+-@@ -3119,8 +3256,27 @@ int proc_pid_readdir(struct file * filp,
++@@ -3119,10 +3257,29 @@ int proc_pid_readdir(struct file * filp,
+       for (iter = next_tgid(ns, iter);
+            iter.task;
+            iter.tgid += 1, iter = next_tgid(ns, iter)) {
+@@ -45869,6 +45869,8 @@
+ +     rcu_read_unlock();
+ +#endif
+               filp->f_pos = iter.tgid + TGID_OFFSET;
++              if (!vx_proc_task_visible(iter.task))
++                      continue;
+ -             if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ +             if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
+                       put_task_struct(iter.task);
+@@ -45977,10 +45979,11 @@
+ diff -urNp linux-3.1.1/fs/proc/internal.h linux-3.1.1/fs/proc/internal.h
+ --- linux-3.1.1/fs/proc/internal.h    2011-11-11 15:19:27.000000000 -0500
+ +++ linux-3.1.1/fs/proc/internal.h    2011-11-16 18:40:29.000000000 -0500
+-@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
++@@ -54,7 +54,9 @@ extern int proc_pid_statm(struct seq_fil
+                               struct pid *pid, struct task_struct *task);
+- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
++ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+                               struct pid *pid, struct task_struct *task);
++-
+ +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+ +#endif
+@@ -59990,10 +59993,10 @@
+  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
+       mode_t mode, struct proc_dir_entry *base, 
+       read_proc_t *read_proc, void * data)
+-@@ -258,7 +271,7 @@ union proc_op {
+-      int (*proc_show)(struct seq_file *m,
+-              struct pid_namespace *ns, struct pid *pid,
+-              struct task_struct *task);
++@@ -278,7 +291,7 @@ union proc_op {
++      int (*proc_vs_read)(char *page);
++      int (*proc_vxi_read)(struct vx_info *vxi, char *page);
++      int (*proc_nxi_read)(struct nx_info *nxi, char *page);
+ -};
+ +} __no_const;
+  
+@@ -62570,15 +62573,15 @@
+       new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
+       if (!new)
+               return NULL;
+-@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
+-      const struct cred *old;
+-      struct cred *new;
++@@ -303,6 +311,8 @@ error:
+  
++ struct cred *prepare_creds(void)
++ {
+ +     pax_track_stack();
+ +
+       validate_process_creds();
+  
+-      new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
++      return __prepare_creds(current->cred);
+ @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
+       struct thread_group_cred *tgcred = NULL;
+       struct cred *new;
+@@ -63172,7 +63175,7 @@
+  }
+  
+  static inline int mm_alloc_pgd(struct mm_struct *mm)
+-@@ -837,13 +874,14 @@ static int copy_fs(unsigned long clone_f
++@@ -837,12 +874,13 @@ static int copy_fs(unsigned long clone_f
+                       spin_unlock(&fs->lock);
+                       return -EAGAIN;
+               }
+@@ -63188,16 +63191,16 @@
+       return 0;
+  }
+  
+-@@ -1105,6 +1143,9 @@ static struct task_struct *copy_process(
+-      DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
+- #endif
++@@ -1158,6 +1158,9 @@ static struct task_struct *copy_process(
++      init_nx_info(&p->nx_info, current_nx_info());
++ 
+       retval = -EAGAIN;
+ +
+ +     gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
+ +
++      if (!vx_nproc_avail(1))
++              goto bad_fork_free;
+       if (atomic_read(&p->real_cred->user->processes) >=
+-                      task_rlimit(p, RLIMIT_NPROC)) {
+-              if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ @@ -1264,6 +1305,8 @@ static struct task_struct *copy_process(
+       if (clone_flags & CLONE_THREAD)
+               p->tgid = current->tgid;
+@@ -64629,8 +64632,8 @@
+ +     struct task_struct *task;
+ +
+       rcu_lockdep_assert(rcu_read_lock_held());
+--     return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+-+     task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
++-     return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+++     task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+ +
+ +     if (gr_pid_is_chrooted(task))
+ +             return NULL;
+@@ -65594,7 +65597,7 @@
+ -     if (increment < 0 && !can_nice(current, nice))
+ +     if (increment < 0 && (!can_nice(current, nice) ||
+ +                           gr_handle_chroot_nice()))
+-              return -EPERM;
++              return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
+  
+       retval = security_task_setnice(current, nice);
+ @@ -5127,6 +5132,7 @@ recheck:
+@@ -65663,9 +65666,9 @@
+       if (is_global_init(tsk))
+               return 1;
+       if (handler != SIG_IGN && handler != SIG_DFL)
+-@@ -815,6 +818,13 @@ static int check_kill_permission(int sig
+-              }
+-      }
++@@ -833,6 +836,13 @@ static int check_kill_permission(int sig
++      if (t->pid == 1 && current->xid)
++              return error;
+  
+ +     /* allow glibc communication via tgkill to other threads in our
+ +        thread group */
+@@ -65674,9 +65677,9 @@
+ +         && gr_handle_signal(t, sig))
+ +             return -EPERM;
+ +
+-      return security_task_kill(t, info, sig, 0);
+- }
+- 
++      error = -ESRCH;
++      /* FIXME: we shouldn't return ESRCH ever, to avoid
++                loops, maybe ENOENT or EACCES? */
+ @@ -1165,7 +1175,7 @@ __group_send_sig_info(int sig, struct si
+       return send_signal(sig, info, p, 1);
+  }
+@@ -72430,7 +72433,7 @@
+ diff -urNp linux-3.1.1/net/ipv4/inet_hashtables.c linux-3.1.1/net/ipv4/inet_hashtables.c
+ --- linux-3.1.1/net/ipv4/inet_hashtables.c    2011-11-11 15:19:27.000000000 -0500
+ +++ linux-3.1.1/net/ipv4/inet_hashtables.c    2011-11-16 18:40:44.000000000 -0500
+-@@ -18,12 +18,15 @@
++@@ -18,13 +18,16 @@
+  #include <linux/sched.h>
+  #include <linux/slab.h>
+  #include <linux/wait.h>
+@@ -72439,6 +72442,7 @@
+  #include <net/inet_connection_sock.h>
+  #include <net/inet_hashtables.h>
+  #include <net/secure_seq.h>
++ #include <net/route.h>
+  #include <net/ip.h>
+  
+ +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
+@@ -73250,9 +73254,9 @@
+ +extern int grsec_enable_blackhole;
+ +#endif
+ +
+- int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
++ int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
+  {
+-      const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
++      const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
+ @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
+  
+       return 0;
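Review bot: In the sched.c fragment (the `increment < 0` check and the `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;` line), grsec's `gr_handle_chroot_nice()` denial is now routed through the vserver return, so a context carrying VXF_IGNEG_NICE receives 0 instead of -EPERM when grsec refuses the call; the early return still skips the priority change, but the caller can no longer tell a grsec refusal from the vserver "ignore negative nice" case, and any caller-side logging that keys on -EPERM will miss it. If that is intended, say so above the return, e.g. `/* VXF_IGNEG_NICE also masks the grsec chroot-nice denial (reports success, change is still skipped) */`. The rest of sys_nice lies outside this fragment, so whether anything downstream depends on the distinction cannot be seen here. Separately, the rewritten fork.c header `@@ -1158,6 +1158,9 @@` carries no new-side offset although the preceding hunk in the same file is written `-837,12 +874,13` and the untouched `@@ -1264,6 +1305,8 @@` that follows still assumes the pre-vserver old-side numbering; patch(1) should still place these by context and old-side offset, but consistent headers would avoid the offset/fuzz noise and make the file easier to re-base next time.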