3 diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
4 --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000
5 +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000
6 @@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap)
11 +gr_log_cap_pid(const int cap, const pid_t pid)
13 + struct task_struct *p;
15 + if (gr_acl_is_enabled()) {
16 + read_lock(&tasklist_lock);
17 + p = find_task_by_vpid(pid);
20 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);
22 + read_unlock(&tasklist_lock);
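Review bot: The task pointer returned by find_task_by_vpid() on L9 can be NULL (no task with that pid in the current pid namespace, or a pid of 0), and L10 hands it straight to gr_log_cap(); unless the lines omitted between L9 and L10 already test it, the call needs a guard, e.g. `if (p) gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]);`. captab_log[cap] on L10 is also indexed without a range check; the callers of cap_netlink_recv() (commoncap.c hunk, L56–L60) are not on the page, so whether cap is always a valid CAP_* value cannot be confirmed here, and a `cap >= 0 && cap <= CAP_LAST_CAP` test would make the log path independent of the caller. The pid passed in from NETLINK_CREDS(skb)->pid on L60 is whatever the sending socket recorded, whereas find_task_by_vpid() resolves it in the receiver's pid namespace; if those can differ, the logged task may be the wrong one, which deserves a comment at the lookup. The end of gr_log_cap_pid() and the `#endif`/return path of cap_netlink_recv() are outside what the page shows.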
26 --- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
27 +++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
29 gr_cap_rtnetlink(struct sock *sock)
31 #ifdef CONFIG_GRKERNSEC
32 + struct acl_subject_label *curracl;
33 + kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set;
35 if (!gr_acl_is_enabled())
37 - else if (sock->sk_protocol == NETLINK_ISCSI &&
38 - cap_raised(current_cap(), CAP_SYS_ADMIN) &&
39 - gr_is_capable(CAP_SYS_ADMIN))
40 - return current_cap();
41 - else if (sock->sk_protocol == NETLINK_AUDIT &&
42 - cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
43 - gr_is_capable(CAP_AUDIT_WRITE) &&
44 - cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
45 - gr_is_capable(CAP_AUDIT_CONTROL))
46 - return current_cap();
47 - else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
48 - ((sock->sk_protocol == NETLINK_ROUTE) ?
49 - gr_is_capable_nolog(CAP_NET_ADMIN) :
50 - gr_is_capable(CAP_NET_ADMIN)))
51 - return current_cap();
53 - return __cap_empty_set;
55 + curracl = current->acl;
57 + cap_dropp = curracl->cap_lower;
58 + cap_mask = curracl->cap_mask;
60 + while ((curracl = curracl->parent_subject)) {
61 + cap_dropp = cap_combine(cap_dropp,
62 + cap_intersect(curracl->cap_lower,
63 + cap_drop(cap_mask, curracl->cap_mask)));
64 + cap_mask = cap_combine(cap_mask, curracl->cap_mask);
66 + return cap_drop(current_cap(),
67 + cap_intersect(cap_dropp, cap_mask));
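Review bot: Check the operand order of cap_drop() on L41: cap_drop(a, b) yields a & ~b, so cap_drop(cap_mask, curracl->cap_mask) selects bits already in the accumulated mask that the parent does not mask, and intersecting that with the parent's cap_lower is always empty whenever a subject's cap_lower is a subset of its own cap_mask — in that case the parent walk never adds anything to cap_dropp. If the intent is that a parent's lowering applies to capability bits no descendant mask has already covered, the line should read `cap_drop(curracl->cap_mask, cap_mask)`; I cannot confirm the subset invariant from this page, so please verify against the label loader. Whichever order is right, the rule deserves a comment above the loop, e.g. `/* a parent's cap_lower only applies to bits that no descendant's cap_mask already covered */`. L35–L36 also dereference current->acl without a NULL test, which is only safe if gr_acl_is_enabled() on L18 guarantees every task carries a subject label; the `#else` branch and the end of gr_cap_rtnetlink() lie outside the hunk.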
72 --- linux-2.6.35/include/linux/grsecurity.h~ 2010-10-20 21:01:00.758532744 +0200
73 +++ linux-2.6.35/include/linux/grsecurity.h 2010-10-20 21:03:27.556754795 +0200
75 void gr_log_textrel(struct vm_area_struct *vma);
76 void gr_log_rwxmmap(struct file *file);
77 void gr_log_rwxmprotect(struct file *file);
78 +void gr_log_cap_pid(const int cap, pid_t pid);
80 int gr_handle_follow_link(const struct inode *parent,
81 const struct inode *inode,
82 diff -upr a/security/commoncap.c c/security/commoncap.c
83 --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000
84 +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000
87 int cap_netlink_recv(struct sk_buff *skb, int cap)
89 - if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
90 + if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) {
91 +#ifdef CONFIG_GRKERNSEC
92 + gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid);
99 --- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
100 +++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
102 // preconfig fs entries
103 for (index = 0; index < VX_SPACES; index++) {
104 spin_lock(&init_fs.lock);
106 + atomic_inc(&init_fs.users);
107 spin_unlock(&init_fs.lock);
108 new->vx_fs[index] = &init_fs;
112 fs = xchg(&vxi->vx_fs[index], NULL);
113 spin_lock(&fs->lock);
114 - kill = !--fs->users;
115 + kill = !atomic_dec_return(&fs->users);
116 spin_unlock(&fs->lock);
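Review bot: L66 and L72 treat fs_struct's users field as an atomic_t, but struct fs_struct is not on the page, so every other reader or writer of users must move to atomic_* in the same change or the tree will not build; the same applies to the two space.c sites (L79, L85). Each atomic update here still sits inside a lock/unlock pair (L65–L67, L70–L73), so for this field either the lock or the atomic is redundant, and a one-line comment stating which one actually protects users — `/* users is modified outside fs->lock elsewhere; the atomic is the real protection */` if that is the case — would stop the next reader from removing the wrong one. In the space.c context lines, L77 and L82 take write_lock() on the same lock that L80 and L86 release with spin_unlock(); that may be an artifact of how the page was captured, but if it reflects the tree it is a lock-type mismatch worth checking. The surrounding functions in both files start and end outside the hunks shown.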
119 --- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200
120 +++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200
122 if (mask & CLONE_FS) {
123 write_lock(&fs_cur->lock);
125 - kill = !--fs_cur->users;
126 + kill = !atomic_dec_return(&fs_cur->users);
127 spin_unlock(&fs_cur->lock);
131 if (mask & CLONE_FS) {
132 write_lock(&fs_vxi->lock);
133 vxi->vx_fs[index] = fs;
134 - kill = !--fs_vxi->users;
135 + kill = !atomic_dec_return(&fs_vxi->users);
136 spin_unlock(&fs_vxi->lock);
139 --- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
140 +++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
144 config PROC_PAGE_MONITOR
146 - depends on PROC_FS && MMU && !GRKERNSEC
148 + depends on PROC_FS && MMU
149 bool "Enable /proc page monitoring" if EMBEDDED
151 Various /proc files exist to monitor process memory utilization:
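Review bot: Dropping `&& !GRKERNSEC` on L90–L91 makes PROC_PAGE_MONITOR selectable under grsecurity again, and nothing in this hunk restricts who may read the /proc files it enables (the pagemap family that the option controls); the grsecurity tree had evidently chosen to withhold them, and the help text on L93 still describes them as generally available. If the restriction was lifted deliberately, the reason — for instance an access check added elsewhere in the tree — belongs in the commit description or in the help text next to L93; otherwise the dependency should stay.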
152 --- linux-2.6.34/net/socket.c~ 2010-07-06 15:35:03.398523320 +0200
153 +++ linux-2.6.34/net/socket.c 2010-07-06 15:35:26.021020905 +0200
154 @@ -1573,12 +1573,6 @@
155 newsock->type = sock->type;
156 newsock->ops = sock->ops;
158 - if (gr_handle_sock_server_other(sock->sk)) {
160 - sock_release(newsock);
164 err = gr_search_accept(sock);
166 sock_release(newsock);