--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
- struct pid *pid, struct task_struct *task);
+
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
mode_t mode, struct proc_dir_entry *base,
read_proc_t *read_proc, void * data)
@@ -258,7 +271,7 @@ union proc_op {
- int (*proc_show)(struct seq_file *m,
- struct pid_namespace *ns, struct pid *pid,
- struct task_struct *task);
+ int (*proc_vs_read)(char *page);
+ int (*proc_vxi_read)(struct vx_info *vxi, char *page);
+ int (*proc_nxi_read)(struct nx_info *nxi, char *page);
-};
+} __no_const;
}
@@ -1105,6 +1143,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
- DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
- #endif
+ init_nx_info(&p->nx_info, current_nx_info());
+
retval = -EAGAIN;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
+
- if (atomic_read(&p->real_cred->user->processes) >=
- task_rlimit(p, RLIMIT_NPROC)) {
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ if (!vx_nproc_avail(1))
+ goto bad_fork_free;
+ if (atomic_read(&p->real_cred->user->process) >=
@@ -1264,6 +1305,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
if (clone_flags & CLONE_THREAD)
p->tgid = current->tgid;
+ struct task_struct *task;
+
rcu_lockdep_assert(rcu_read_lock_held());
-- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
-+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+- return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
++ task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
+
+ if (gr_pid_is_chrooted(task))
+ return NULL;
- if (increment < 0 && !can_nice(current, nice))
+ if (increment < 0 && (!can_nice(current, nice) ||
+ gr_handle_chroot_nice()))
- return -EPERM;
+ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
retval = security_task_setnice(current, nice);
@@ -5127,6 +5132,7 @@ recheck:
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
@@ -815,6 +818,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
- }
+ return error;
}
-
+ /* skip: */
+ /* allow glibc communication via tgkill to other threads in our
+ thread group */
+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
index 984ec65..97ac518 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
-@@ -18,12 +18,15 @@
+@@ -18,13 +18,16 @@
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/wait.h>
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
#include <net/secure_seq.h>
+ #include <net/route.h>
#include <net/ip.h>
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
+extern int grsec_enable_blackhole;
+#endif
+
- int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
+ int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
{
- const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
+ const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
@@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
return 0;