- grsec updated to grsecurity-2.2.0-2.6.36-201011062054.patch, vserver to patch-2...
1 netlink
2 cap_dac*
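diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
--- a/grsecurity/gracl_cap.c    2007-12-01 00:54:57.312774500 +0000
+++ c/grsecurity/gracl_cap.c    2007-12-01 01:09:34.923621750 +0000
@@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
 	return 0;
 }
 
+void
+gr_log_cap_pid(const int cap, const pid_t pid)
+{
+	struct task_struct *p;
+
+	if (gr_acl_is_enabled()) {
+		read_lock(&tasklist_lock);
+		p = find_task_by_vpid(pid);
+		if (p) {
+			get_task_struct(p);
+			gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
+		}
+		read_unlock(&tasklist_lock);
+	}
+	return;
+}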
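Review bot: `get_task_struct(p)` in gr_log_cap_pid is never paired with a `put_task_struct(p)`, so every logged denial that resolves to a live pid leaks one task_struct reference and that task can never be freed. The extra reference is also unnecessary here: `p` is only used inside the `read_lock(&tasklist_lock)` region, which already keeps it valid for the duration of the `gr_log_cap(...)` call. Either drop the `get_task_struct(p);` line or add `put_task_struct(p);` directly after the `gr_log_cap(...)` call; the trailing `return;` in a void function can go as well.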
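--- a/grsecurity/grsec_sock.c   2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c   2008-03-24 00:27:01.971671763 +0100
@@ -247,25 +247,26 @@
 gr_cap_rtnetlink(struct sock *sock)
 {
 #ifdef CONFIG_GRKERNSEC
+	struct acl_subject_label *curracl;
+	kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
+
 	if (!gr_acl_is_enabled())
 		return current_cap();
-	else if (sock->sk_protocol == NETLINK_ISCSI &&
-		 cap_raised(current_cap(), CAP_SYS_ADMIN) &&
-		 gr_is_capable(CAP_SYS_ADMIN))
-		return current_cap();
-	else if (sock->sk_protocol == NETLINK_AUDIT &&
-		 cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
-		 gr_is_capable(CAP_AUDIT_WRITE) &&
-		 cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
-		 gr_is_capable(CAP_AUDIT_CONTROL))
-		return current_cap();
-	else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
-		 ((sock->sk_protocol == NETLINK_ROUTE) ? 
-		  gr_is_capable_nolog(CAP_NET_ADMIN) : 
-		  gr_is_capable(CAP_NET_ADMIN)))
-		return current_cap();
-	else
-		return __cap_empty_set;
+	else {
+		curracl = current->acl;
+
+		cap_dropp  = curracl->cap_lower;
+		cap_mask = curracl->cap_mask;
+
+		while ((curracl = curracl->parent_subject)) {
+			cap_dropp = cap_combine(cap_dropp,
+					cap_intersect(curracl->cap_lower,
+						cap_drop(cap_mask, curracl->cap_mask)));
+			cap_mask = cap_combine(cap_mask, curracl->cap_mask);
+		}
+		return cap_drop(current_cap(),
+				cap_intersect(cap_dropp, cap_mask));
+	}
 #else
 	return current_cap();
 #endif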
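Review bot: Both initializers in `kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;` are dead: on the only path that reads the variables they are first overwritten by `curracl->cap_lower` and `curracl->cap_mask`, and the `else {` that follows an unconditional `return` adds a nesting level for nothing. More importantly, `current->acl` is dereferenced and its `parent_subject` chain walked with no lock visible in the hunk and no NULL check on the first label; if the label tree can be swapped or freed while this runs (a policy reload, for example), that needs a guard, and if it cannot, a one-line comment stating what keeps `current->acl` and its parents stable here would spare the next reader the same question. The old branches logged via gr_is_capable() while the new computation logs nothing; if logging moved elsewhere, a comment saying so would help. The function's return-type line precedes the hunk, so its start is outside the hunk.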
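--- linux-2.6.35/include/linux/grsecurity.h~    2010-10-20 21:01:00.758532744 +0200
+++ linux-2.6.35/include/linux/grsecurity.h     2010-10-20 21:03:27.556754795 +0200
@@ -78,6 +78,7 @@
 void gr_log_textrel(struct vm_area_struct *vma);
 void gr_log_rwxmmap(struct file *file);
 void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
 
 int gr_handle_follow_link(const struct inode *parent,
 				const struct inode *inode,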
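diff -upr a/security/commoncap.c c/security/commoncap.c
--- a/security/commoncap.c      2007-12-01 00:54:57.300773750 +0000
+++ c/security/commoncap.c      2007-12-01 01:09:34.923621750 +0000
@@ -55,8 +55,12 @@
 
 int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
+	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
+#ifdef CONFIG_GRKERNSEC
+		gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
+#endif
 		return -EPERM;
+	}
 	return 0;
 }
 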
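Review bot: The identity handed to the logger is `NETLINK_CREDS(skb)->pid`, the pid recorded in the message credentials, which gr_log_cap_pid must then resolve with find_task_by_vpid; that lookup fails silently — the denial is still returned but nothing is logged — when the sender has already exited or its pid is not visible in the resolving pid namespace, so an audit trail for exactly the interesting case can go missing. If cap_netlink_recv runs in the sender's context at this call site, logging `current` directly would avoid both the lookup and that gap; if it does not, a comment on the `#ifdef CONFIG_GRKERNSEC` line explaining why the skb credentials are the right source would help. The hunk also assumes a declaration of `gr_log_cap_pid` is visible in commoncap.c; the include that would provide it is not part of the hunk.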
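--- linux-2.6.30/kernel/vserver/context.c~      2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c       2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
 	// preconfig fs entries
 	for (index = 0; index < VX_SPACES; index++) {
 		spin_lock(&init_fs.lock);
-		init_fs.users++;
+		atomic_inc(&init_fs.users);
 		spin_unlock(&init_fs.lock);
 		new->vx_fs[index] = &init_fs;
 	}
@@ -197,7 +197,7 @@
 
 		fs = xchg(&vxi->vx_fs[index], NULL);
 		spin_lock(&fs->lock);
-		kill = !--fs->users;
+		kill = !atomic_dec_return(&fs->users);
 		spin_unlock(&fs->lock);
 		if (kill)
 			free_fs_struct(fs);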
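Review bot: With `users` now an atomic_t, the `spin_lock(&init_fs.lock)` / `spin_unlock(&init_fs.lock)` pair around `atomic_inc(&init_fs.users)` in the first hunk no longer guards anything visible in the hunk; unless the lock also orders this increment against some other access to `init_fs` outside the hunk, the three lines could collapse to the bare `atomic_inc(&init_fs.users);`. The second hunk has the same shape around `atomic_dec_return(&fs->users)`, though there the lock is taken on a struct just detached with `xchg`, so keeping it may be intentional — a one-line comment saying which it is would settle the question for the next rebase. Both enclosing functions start and end outside the hunks.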
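--- linux-2.6.30/kernel/vserver/space.c~        2009-07-31 12:07:52.398601243 +0200
+++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
@@ -220,7 +220,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_cur->lock);
 		current->fs = fs;
-		kill = !--fs_cur->users;
+		kill = !atomic_dec_return(&fs_cur->users);
 		spin_unlock(&fs_cur->lock);
 	}
 
@@ -278,7 +278,7 @@
 	if (mask & CLONE_FS) {
 		write_lock(&fs_vxi->lock);
 		vxi->vx_fs[index] = fs;
-		kill = !--fs_vxi->users;
+		kill = !atomic_dec_return(&fs_vxi->users);
 		spin_unlock(&fs_vxi->lock);
 	}
 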
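Review bot: In both hunks the region around the new `atomic_dec_return` is entered with `write_lock(&fs_cur->lock)` / `write_lock(&fs_vxi->lock)` but left with `spin_unlock` on the same lock; a single lock cannot be both an rwlock and a spinlock, so whichever primitive matches the field's real type, the other call is wrong and either leaves the lock held forever or unlocks a lock that was never taken. The context.c hunk in this same patch uses `spin_lock(&fs->lock)` on the same field, which suggests the fix is `spin_lock(&fs_cur->lock);` and `spin_lock(&fs_vxi->lock);` rather than changing the unlocks. The mismatch is in context lines rather than the changed line, but since the hunk already touches the guarded statement this is the place to correct it; both enclosing functions start and end outside the hunks.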
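--- linux-2.6.28/fs/proc/Kconfig~       2008-11-20 23:26:34.000000000 +0100
+++ linux-2.6.28/fs/proc/Kconfig        2008-12-01 20:37:12.000000000 +0100
@@ -59,8 +59,8 @@
 	  limited in memory.
 
 config PROC_PAGE_MONITOR
-	default n
-	depends on PROC_FS && MMU && !GRKERNSEC
+	default y
+	depends on PROC_FS && MMU
 	bool "Enable /proc page monitoring" if EMBEDDED
 	help
 	  Various /proc files exist to monitor process memory utilization: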
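Review bot: The hunk drops the `!GRKERNSEC` dependency and flips PROC_PAGE_MONITOR to `default y` without recording why; grsecurity gates this option off on purpose, because the interfaces it enables (`/proc/PID/pagemap` and the `/proc/kpage*` files described in the help text) expose physical-page layout information that the rest of the hardening set works to hide. If a userspace consumer needs these files, say so in a comment line above this file header in the patch, e.g. `# PROC_PAGE_MONITOR: re-enabled for <consumer — placeholder>; grsec hides it to avoid leaking physical page layout`, so whoever rebases the patch sees the trade-off; otherwise keep the guard and change only the default.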
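--- linux-2.6.34/net/socket.c~  2010-07-06 15:35:03.398523320 +0200
+++ linux-2.6.34/net/socket.c   2010-07-06 15:35:26.021020905 +0200
@@ -1573,12 +1573,6 @@
 	newsock->type = sock->type;
 	newsock->ops = sock->ops;
 
-	if (gr_handle_sock_server_other(sock->sk)) {
-		err = -EPERM;
-		sock_release(newsock);
-		goto out_put;
-	}
-
 	err = gr_search_accept(sock);
 	if (err) {
 		sock_release(newsock);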