Author: arekm Date: Sun Mar 29 19:10:19 2009 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - updated
---- Files affected: SOURCES: kernel-grsec_fixes.patch (1.1.4.9 -> 1.1.4.10) ---- Diffs: ================================================================ Index: SOURCES/kernel-grsec_fixes.patch diff -u SOURCES/kernel-grsec_fixes.patch:1.1.4.9 SOURCES/kernel-grsec_fixes.patch:1.1.4.10 --- SOURCES/kernel-grsec_fixes.patch:1.1.4.9 Fri Jan 23 16:42:14 2009 +++ SOURCES/kernel-grsec_fixes.patch Sun Mar 29 21:10:14 2009 @@ -25,28 +25,28 @@ +} 
--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100 +++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100 -@@ -251,23 +251,26 @@ __u32 +@@ -247,23 +247,26 @@ gr_cap_rtnetlink(struct sock *sock) { #ifdef CONFIG_GRKERNSEC + struct acl_subject_label *curracl; + kernel_cap_t cap_dropp = __cap_empty_set, cap_mask = __cap_empty_set; + - if (!gr_acl_is_enabled()) - return current->cap_effective; + if (!gr_acl_is_enabled()) + return current_cap(); - else if (sock->sk_protocol == NETLINK_ISCSI && -- cap_raised(current->cap_effective, CAP_SYS_ADMIN) && -- gr_task_is_capable(current, CAP_SYS_ADMIN)) -- return current->cap_effective; +- cap_raised(current_cap(), CAP_SYS_ADMIN) && +- gr_is_capable(CAP_SYS_ADMIN)) +- return current_cap(); - else if (sock->sk_protocol == NETLINK_AUDIT && -- cap_raised(current->cap_effective, CAP_AUDIT_WRITE) && -- gr_task_is_capable(current, CAP_AUDIT_WRITE) && -- cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) && -- gr_task_is_capable(current, CAP_AUDIT_CONTROL)) -- return current->cap_effective; -- else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) && -- gr_task_is_capable(current, CAP_NET_ADMIN)) -- return current->cap_effective; +- cap_raised(current_cap(), CAP_AUDIT_WRITE) && +- gr_is_capable(CAP_AUDIT_WRITE) && +- cap_raised(current_cap(), CAP_AUDIT_CONTROL) && +- gr_is_capable(CAP_AUDIT_CONTROL)) +- return current_cap(); +- else if (cap_raised(current_cap(), CAP_NET_ADMIN) && +- gr_is_capable(CAP_NET_ADMIN)) +- return current_cap(); - else - return __cap_empty_set; + else { 
@@ -57,15 +57,15 @@ + + while ((curracl = curracl->parent_subject)) { + cap_dropp = cap_combine(cap_dropp, -+ cap_intersect(curracl->cap_lower, -+ cap_drop(cap_mask, curracl->cap_mask))); ++ cap_intersect(curracl->cap_lower, ++ cap_drop(cap_mask, curracl->cap_mask))); + cap_mask = cap_combine(cap_mask, curracl->cap_mask); + } + return cap_drop(current->cap_effective, + cap_intersect(cap_dropp, cap_mask)); + } #else - return current->cap_effective; + return current_cap(); #endif diff -upr a/include/linux/grsecurity.h c/include/linux/grsecurity.h --- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000 ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-grsec_fixes.patch?r1=1.1.4.9&r2=1.1.4.10&f=u _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
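Review bot: The line `+ return cap_drop(current->cap_effective,` in the RBAC `else` branch is kept as unchanged context and still reads the task field directly, while this revision converts the early return in the previous hunk and the `#else` return in this hunk to `current_cap()`. If the conversion is needed because the target kernel no longer exposes `cap_effective` on the task (inferred; the log message says only "updated"), this branch will not build with CONFIG_GRKERNSEC set. It is also the branch that computes the capability set returned for netlink when the ACL system is enabled, so it should use the same accessor as the other returns: `+ return cap_drop(current_cap(),`. The `else {` block opens in the previous hunk and some of its lines fall between the two hunks, so the part of the body not shown here was not reviewed.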