Author: zbyniu                       Date: Wed May  7 11:15:36 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- CAP_DAC_ better precision

---- Files affected:
SOURCES:
   kernel-grsec_fixes.patch (1.1.4.5 -> 1.1.4.6) 

---- Diffs:

================================================================
Index: SOURCES/kernel-grsec_fixes.patch
diff -u SOURCES/kernel-grsec_fixes.patch:1.1.4.5 
SOURCES/kernel-grsec_fixes.patch:1.1.4.6
--- SOURCES/kernel-grsec_fixes.patch:1.1.4.5    Thu Apr 17 03:31:00 2008
+++ SOURCES/kernel-grsec_fixes.patch    Wed May  7 13:15:31 2008
@@ -1,9 +1,10 @@
 netlink
 no-stack-protector
+cap_dac*
 diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c
 --- a/grsecurity/gracl_cap.c   2007-12-01 00:54:57.312774500 +0000
 +++ c/grsecurity/gracl_cap.c   2007-12-01 01:09:34.923621750 +0000
-@@ -110,3 +110,17 @@ gr_is_capable_nolog(const int cap)
+@@ -110,3 +110,20 @@ gr_is_capable_nolog(const int cap)
        return 0;
  }
 
@@ -13,11 +14,14 @@
 +      struct task_struct *p;
 +
 +      if (gr_acl_is_enabled()) {
-+              rcu_read_lock();
++              read_lock(&tasklist_lock);
 +              p = find_task_by_pid(pid);
-+              if (p)
++              if (p) {
++                      task_lock(p);
 +                      gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, 
captab_log[cap]);
-+              rcu_read_unlock();
++                      task_unlock(p);
++              }
++              read_unlock(&tasklist_lock);
 +      }
 +      return;
 +}
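Review bot: `gr_log_cap()` is now called with `task_lock(p)` held, a spinlock, on top of the `read_lock(&tasklist_lock)` that replaced `rcu_read_lock()`; if gr_log_cap() can block on its logging path (allocation, a mutex), that is a sleep-in-atomic bug, and the hunk gives no hint of which field of `p` the task lock is meant to stabilise. A one-line comment above `task_lock(p);` such as `/* task_lock: keeps <FIELD gr_log_cap reads> stable while it is logged */` (with the real field named) would record the intent and let a reader judge whether the heavier tasklist_lock + task_lock pair is needed over the previous RCU read side. The function's head, including where `pid` and `cap` come from, lies outside the hunk.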
@@ -92,6 +96,87 @@
  }
  
 ===
+=== cap_dac_ succession with capable_nolog
+===
+diff -upr a/fs./namei.c a/fs/namei.c
+--- a/fs./namei.c      2008-04-05 01:23:49.741310000 +0200
++++ a/fs/namei.c       2008-04-05 14:36:39.350275977 +0200
+@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
+ 
+  check_capabilities:
+       /*
++       * Searching includes executable on directories, else just read.
++       */
++      if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
++              if (capable_nolog(CAP_DAC_OVERRIDE) || 
capable(CAP_DAC_READ_SEARCH))
++                      return 0;
++
++      /*
+        * Read/write DACs are always overridable.
+        * Executable DACs are overridable if at least one exec bit is set.
+        */
+@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
+               if (capable(CAP_DAC_OVERRIDE))
+                       return 0;
+ 
+-      /*
+-       * Searching includes executable on directories, else just read.
+-       */
+-      if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+-              if (capable(CAP_DAC_READ_SEARCH))
+-                      return 0;
+-
+       return -EACCES;
+ }
+ 
+@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
+       if (mode & MAY_EXEC)
+               goto ok;
+ 
+-      if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
++      if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
+               goto ok;
+ 
+-      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
++      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
+               goto ok;
+ 
+-      if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
++      if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
+               goto ok;
+ 
+       return -EACCES;
+Tylko w fs: namei.c~
+diff -upr a/fs./xfs/xfs_inode.c a/fs/xfs/xfs_inode.c
+--- a/fs./xfs/xfs_inode.c      2008-04-05 01:23:48.241413000 +0200
++++ a/fs/xfs/xfs_inode.c       2008-04-05 14:55:58.270625942 +0200
+@@ -3663,20 +3663,16 @@ xfs_iaccess(
+        * Read/write DACs are always overridable.
+        * Executable DACs are overridable if at least one exec bit is set.
+        */
++      if ((orgmode == S_IRUSR) ||
++          (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR))))
++              if (capable_nolog(CAP_DAC_OVERRIDE) || capable_cred(cr, 
CAP_DAC_READ_SEARCH))
++                      return 0;
++
+       if (!(orgmode & S_IXUSR) ||
+           (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode))
+               if (capable_cred(cr, CAP_DAC_OVERRIDE))
+                       return 0;
+ 
+-      if ((orgmode == S_IRUSR) ||
+-          (S_ISDIR(inode->i_mode) && (!(orgmode & S_IWUSR)))) {
+-              if (capable_cred(cr, CAP_DAC_READ_SEARCH))
+-                      return 0;
+-#ifdef        NOISE
+-              cmn_err(CE_NOTE, "Ick: mode=%o, orgmode=%o", mode, orgmode);
+-#endif        /* NOISE */
+-              return XFS_ERROR(EACCES);
+-      }
+       return XFS_ERROR(EACCES);
+ }
+ 
+===
 === check if -fno-stack-protector is accessible
 ===
 --- linux-2.6.24/arch/x86/kernel/Makefile_64~  2008-04-16 21:15:48.278373002 
+0000
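Review bot: In the xfs_iaccess change, the new short-circuit `capable_nolog(CAP_DAC_OVERRIDE) || capable_cred(cr, CAP_DAC_READ_SEARCH)` checks the current task for the first capability but the caller-supplied credential `cr` for the second, whereas the surrounding code consistently uses `capable_cred(cr, …)`; if capable_cred() can answer differently from capable() for a non-current `cr`, the unlogged probe is evaluated for the wrong identity. Unless a cred-aware nolog variant exists, record the asymmetry next to that line: `/* capable_nolog() ignores cr: it only silences CAP_DAC_OVERRIDE audit noise; the decision still falls through to capable_cred() below */`. The generic_permission, exec_permission_lite and xfs_iaccess edits appear to be pure reorderings of the existing checks with the first CAP_DAC_OVERRIDE probe made silent, so the access decision should be unchanged provided capable_nolog() and capable() agree on the result, which the embedded patch's `===` header could state. The stray `Tylko w fs: namei.c~` line and the `a/fs./` old-side paths are noise from diffing a tree with an editor backup file; patch tolerates them, but the embedded diff should be regenerated cleanly. All three patched functions begin outside their hunks.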
================================================================

---- CVS-web:
    
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-grsec_fixes.patch?r1=1.1.4.5&r2=1.1.4.6&f=u
