Author: shadzik                      Date: Sun Mar 29 21:16:42 2009 GMT
Module: SOURCES                       Tag: Titanium
---- Log message:
- fixed

---- Files affected:
SOURCES:
   kernel-desktop-grsec-minimal.patch (1.8.4.1 -> 1.8.4.2) 

---- Diffs:

================================================================
Index: SOURCES/kernel-desktop-grsec-minimal.patch
diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1 
SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.2
--- SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1  Sun Mar 29 22:27:22 2009
+++ SOURCES/kernel-desktop-grsec-minimal.patch  Sun Mar 29 23:16:36 2009
@@ -1,7 +1,18 @@
-diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c 
linux-2.6.26/drivers/char/keyboard.c
---- linux-2.6.26.orig/drivers/char/keyboard.c  2008-09-01 11:43:37.000000000 
+0200
-+++ linux-2.6.26/drivers/char/keyboard.c       2008-09-02 12:17:21.000000000 
+0200
-@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
+diff -Nru linux-2.6.29/arch/sparc/Makefile 
linux-2.6.29-grsec/arch/sparc/Makefile
+--- linux-2.6.29/arch/sparc/Makefile   2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/arch/sparc/Makefile     2009-03-29 22:55:48.646121675 
+0200
+@@ -72,6 +72,7 @@
+ 
+ core-y                 += arch/sparc/kernel/
+ core-y                 += arch/sparc/mm/ arch/sparc/math-emu/
++core-y                += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ 
grsecurity/
+ 
+ libs-y                 += arch/sparc/prom/
+ libs-y                 += arch/sparc/lib/
+diff -Nru linux-2.6.29/drivers/char/keyboard.c 
linux-2.6.29-grsec/drivers/char/keyboard.c
+--- linux-2.6.29/drivers/char/keyboard.c       2009-03-24 00:12:14.000000000 
+0100
++++ linux-2.6.29-grsec/drivers/char/keyboard.c 2009-03-29 22:55:48.612631221 
+0200
+@@ -635,6 +635,16 @@
             kbd->kbdmode == VC_MEDIUMRAW) &&
             value != KVAL(K_SAK))
                return;         /* SAK is allowed even in raw mode */
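Review bot: The added `core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/` line lands in arch/sparc/Makefile, between the arch/sparc/ entries, which looks like the top-level Makefile change applied to the wrong file. Unless the top-level Makefile is also patched in the trimmed part of this diff, `grsecurity/` is built only on sparc, so other architectures would fail to link the new `gr_handle_*` hooks. On sparc the generic directories would also be listed twice. I would move the change to the top-level `Makefile` and append only `grsecurity/` to its existing `core-y` line.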
@@ -18,10 +29,10 @@
        fn_handler[value](vc);
  }
  
-diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
---- linux-2.6.26.orig/drivers/pci/proc.c       2008-09-01 11:43:47.000000000 
+0200
-+++ linux-2.6.26/drivers/pci/proc.c    2008-09-02 12:17:21.000000000 +0200
-@@ -472,7 +472,16 @@ static const struct file_operations proc
+diff -Nru linux-2.6.29/drivers/pci/proc.c linux-2.6.29-grsec/drivers/pci/proc.c
+--- linux-2.6.29/drivers/pci/proc.c    2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/drivers/pci/proc.c      2009-03-29 22:55:48.612631221 
+0200
+@@ -480,7 +480,16 @@
  static int __init pci_proc_init(void)
  {
        struct pci_dev *dev = NULL;
@@ -38,29 +49,76 @@
        proc_create("devices", 0, proc_bus_pci_dir,
                    &proc_bus_pci_dev_operations);
        proc_initialized = 1;
-diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
---- linux-2.6.26.orig/fs/proc/Kconfig  2008-09-01 11:43:58.000000000 +0200
-+++ linux-2.6.26/fs/proc/Kconfig       2008-09-02 12:17:21.000000000 +0200
-@@ -926,12 +926,12 @@ config PROC_FS
+diff -Nru linux-2.6.29/fs/namei.c linux-2.6.29-grsec/fs/namei.c
+--- linux-2.6.29/fs/namei.c    2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/namei.c      2009-03-29 22:55:48.646121675 +0200
+@@ -32,6 +32,7 @@
+ #include <linux/fcntl.h>
+ #include <linux/device_cgroup.h>
+ #include <asm/uaccess.h>
++#include <linux/grsecurity.h>
  
- config PROC_KCORE
-       bool "/proc/kcore support" if !ARM
--      depends on PROC_FS && MMU
-+      depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+ #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
  
- config PROC_VMCORE
-         bool "/proc/vmcore support (EXPERIMENTAL)"
--        depends on PROC_FS && CRASH_DUMP
--      default y
-+        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
-+      default n
-         help
-         Exports the dump image of crashed kernel in ELF format.
+@@ -653,6 +654,13 @@
+       err = security_inode_follow_link(path->dentry, nd);
+       if (err)
+               goto loop;
++
++      if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++                                path->dentry->d_inode, path->dentry)) {
++              err = -EACCES;
++              goto loop;
++      }
++
+       current->link_count++;
+       current->total_link_count++;
+       nd->depth++;
+@@ -1730,6 +1738,12 @@
+       /*
+        * It already exists.
+        */
++
++      if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
++              error = -EACCES;
++              goto exit_mutex_unlock;
++      }
++
+       mutex_unlock(&dir->d_inode->i_mutex);
+       audit_inode(pathname, path.dentry);
  
-diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
---- linux-2.6.26.orig/fs/proc/array.c  2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/array.c       2008-09-02 12:17:21.000000000 +0200
-@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
+@@ -1815,6 +1829,13 @@
+       error = security_inode_follow_link(path.dentry, &nd);
+       if (error)
+               goto exit_dput;
++
++      if (gr_handle_follow_link(path.dentry->d_parent->d_inode, 
path.dentry->d_inode,
++                                path.dentry)) {
++              error = -EACCES;
++              goto exit_dput;
++      }
++
+       error = __do_follow_link(&path, &nd);
+       if (error) {
+               /* Does someone understand code flow here? Or it is only
+@@ -2450,6 +2471,13 @@
+       error = PTR_ERR(new_dentry);
+       if (IS_ERR(new_dentry))
+               goto out_unlock;
++
++      if (gr_handle_hardlink(old_path.dentry, old_path.dentry->d_inode,
++                             old_path.dentry->d_inode->i_mode, to)) {
++              error = -EACCES;
++              goto out_dput;
++      }
++
+       error = mnt_want_write(nd.path.mnt);
+       if (error)
+               goto out_dput;
+diff -Nru linux-2.6.29/fs/proc/array.c linux-2.6.29-grsec/fs/proc/array.c
+--- linux-2.6.29/fs/proc/array.c       2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/array.c 2009-03-29 22:55:48.612631221 +0200
+@@ -529,3 +529,10 @@
  
        return 0;
  }
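Review bot: The two `gr_handle_follow_link()` calls added to fs/namei.c (inner hunks at 653 and 1815) pass three arguments, but the definition in grsecurity/grsec_link.c still ends its parameter list with `const struct dentry *dentry, const struct vfsmount *mnt)`, so the callers supply at least one argument too few. The opening of that definition and the prototype in include/linux/grsecurity.h are outside the visible lines, so this needs confirming, but as shown the build would fail. The visible body never reads `mnt`, so the simplest fix is to drop that parameter from the definition and the prototype; the alternative is to pass `path->mnt` and `path.mnt` at the two call sites. The `gr_handle_hardlink()` call added at 2450 deserves the same comparison against its definition, whose first parameters are also not visible.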
@@ -71,23 +129,159 @@
 +      return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
 +}
 +#endif
-diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
---- linux-2.6.26.orig/fs/proc/inode.c  2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/inode.c       2008-09-02 12:17:21.000000000 +0200
-@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
-               if (de->mode) {
-                       inode->i_mode = de->mode;
-                       inode->i_uid = de->uid;
+diff -Nru linux-2.6.29/fs/proc/base.c linux-2.6.29-grsec/fs/proc/base.c
+--- linux-2.6.29/fs/proc/base.c        2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/base.c  2009-03-29 23:02:57.774010127 +0200
+@@ -80,6 +80,7 @@
+ #include <linux/oom.h>
+ #include <linux/elf.h>
+ #include <linux/pid_namespace.h>
++#include <linux/grsecurity.h>
+ #include "internal.h"
+ 
+ /* NOTE:
+@@ -1473,6 +1474,9 @@
+       struct inode *inode = dentry->d_inode;
+       struct task_struct *task;
+       const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || 
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++      const struct cred *tmp = current_cred();
++#endif
+ 
+       generic_fillattr(inode, stat);
+ 
+@@ -1481,11 +1485,27 @@
+       stat->gid = 0;
+       task = pid_task(proc_pid(inode), PIDTYPE_PID);
+       if (task) {
++              cred = __task_cred(task);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || 
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++              && (!tmp->uid || (tmp->uid == cred->uid)
 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+                      inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++              || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++              )
++#endif
+               if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++              (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++              (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+                   task_dumpable(task)) {
+-                      cred = __task_cred(task);
+                       stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++                      stat->gid = CONFIG_GRKERNSEC_PROC_GID;
 +#else
-                       inode->i_gid = de->gid;
+                       stat->gid = cred->egid;
 +#endif
                }
-               if (de->vx_flags)
-                       PROC_I(inode)->vx_flags = de->vx_flags;
---- linux-2.6.26.orig/fs/proc/cmdline.c        2008-12-25 00:26:37.000000000 
+0100
-+++ linux-2.6.26/fs/proc/cmdline.c     2009-01-02 17:46:34.278247774 +0100
+       }
+       rcu_read_unlock();
+@@ -1517,11 +1537,20 @@
+ 
+       if (task) {
+               if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++              (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++              (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+                   task_dumpable(task)) {
+                       rcu_read_lock();
+                       cred = __task_cred(task);
+                       inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++                      inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+                       inode->i_gid = cred->egid;
++#endif
+                       rcu_read_unlock();
+               } else {
+                       inode->i_uid = 0;
+@@ -1894,12 +1923,19 @@
+ static int proc_fd_permission(struct inode *inode, int mask)
+ {
+       int rv;
++      struct task_struct *task;
+ 
+       rv = generic_permission(inode, mask, NULL);
+-      if (rv == 0)
+-              return 0;
++
+       if (task_pid(current) == proc_pid(inode))
+               rv = 0;
++
++      task = get_proc_task(inode);
++      if (task == NULL)
++              return rv;
++
++      put_task_struct(task);
++
+       return rv;
+ }
+ 
+@@ -2685,7 +2721,14 @@
+       if (!inode)
+               goto out;
+ 
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++      inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++      inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++      inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
++#else
+       inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+       inode->i_op = &proc_tgid_base_inode_operations;
+       inode->i_fop = &proc_tgid_base_operations;
+       inode->i_flags|=S_IMMUTABLE;
+@@ -2792,6 +2835,10 @@
+ {
+       unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+       struct task_struct *reaper = 
get_proc_task(filp->f_path.dentry->d_inode);
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || 
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++      const struct cred *tmp = current_cred();
++      const struct cred *itercred;
++#endif
+       struct tgid_iter iter;
+       struct pid_namespace *ns;
+ 
+@@ -2810,6 +2857,20 @@
+       for (iter = next_tgid(ns, iter);
+            iter.task;
+            iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || 
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++      itercred = __task_cred(iter.task);
++#endif
++      if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
++                      #if defined(CONFIG_GRKERNSEC_PROC_USER) || 
defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++                      || (tmp->uid && (itercred->uid != tmp->uid)
++                              #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++                              && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++                              #endif
++                              )
++#endif
++                      )
++              continue;
++
+               filp->f_pos = iter.tgid + TGID_OFFSET;
+               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+                       put_task_struct(iter.task);
+@@ -2891,6 +2952,9 @@
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+       INF("io",       S_IRUGO, proc_tid_io_accounting),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++      INF("ipaddr",     S_IRUSR, pid_ipaddr),
++#endif
+ };
+ 
+ static int proc_tid_base_readdir(struct file * filp,
+diff -Nru linux-2.6.29/fs/proc/cmdline.c linux-2.6.29-grsec/fs/proc/cmdline.c
+--- linux-2.6.29/fs/proc/cmdline.c     2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/cmdline.c       2009-03-29 22:55:48.616329143 
+0200
 @@ -23,7 +23,15 @@
  
  static int __init proc_cmdline_init(void)
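Review bot: In the fs/proc/base.c hunk that fills `stat->uid`/`stat->gid` (inner `@@ -1481,11 +1485,27 @@`), the added `&& (!tmp->uid || (tmp->uid == cred->uid)` follows the complete statement `cred = __task_cred(task);` instead of sitting inside the `if (task ...)` condition. With CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP set the file will not parse, and the owner/group visibility check is not attached to any condition. Because `if (task) {` is an unchanged context line, the least invasive fix is to start a separate condition: change that line to `if (!tmp->uid || (tmp->uid == cred->uid)` and keep the closing `)` in front of the existing `if ((inode->i_mode == ...`. Separately, the `get_proc_task()`/`put_task_struct()` pair added to `proc_fd_permission` takes and drops a task reference without using it; it should either gain the check it was meant to guard or be removed.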
@@ -105,8 +299,9 @@
        return 0;
  }
  module_init(proc_cmdline_init);
---- linux-2.6.26.orig/fs/proc/devices.c        2008-12-25 00:26:37.000000000 
+0100
-+++ linux-2.6.26/fs/proc/devices.c     2009-01-02 17:43:00.758269666 +0100
+diff -Nru linux-2.6.29/fs/proc/devices.c linux-2.6.29-grsec/fs/proc/devices.c
+--- linux-2.6.29/fs/proc/devices.c     2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/devices.c       2009-03-29 22:55:48.616329143 
+0200
 @@ -64,7 +64,13 @@
  
  static int __init proc_devices_init(void)
@@ -122,8 +317,56 @@
        return 0;
  }
  module_init(proc_devices_init);
---- linux-2.6.26.orig/fs/proc/kcore.c  2008-12-25 00:26:37.000000000 +0100
-+++ linux-2.6.26/fs/proc/kcore.c       2009-01-02 17:45:03.714922801 +0100
+diff -Nru linux-2.6.29/fs/proc/inode.c linux-2.6.29-grsec/fs/proc/inode.c
+--- linux-2.6.29/fs/proc/inode.c       2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/inode.c 2009-03-29 22:55:48.612631221 +0200
+@@ -463,7 +463,11 @@
+               if (de->mode) {
+                       inode->i_mode = de->mode;
+                       inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++                      inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+                       inode->i_gid = de->gid;
++#endif
+               }
+               if (de->size)
+                       inode->i_size = de->size;
+diff -Nru linux-2.6.29/fs/proc/internal.h linux-2.6.29-grsec/fs/proc/internal.h
+--- linux-2.6.29/fs/proc/internal.h    2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/internal.h      2009-03-29 22:55:48.649464378 
+0200
+@@ -51,6 +51,9 @@
+                               struct pid *pid, struct task_struct *task);
+ extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+                               struct pid *pid, struct task_struct *task);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
++#endif
+ extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+ 
+ extern const struct file_operations proc_maps_operations;
+diff -Nru linux-2.6.29/fs/proc/Kconfig linux-2.6.29-grsec/fs/proc/Kconfig
+--- linux-2.6.29/fs/proc/Kconfig       2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/Kconfig 2009-03-29 22:55:48.612631221 +0200
+@@ -30,12 +30,12 @@
+ 
+ config PROC_KCORE
+       bool "/proc/kcore support" if !ARM
+-      depends on PROC_FS && MMU
++      depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
+ 
+ config PROC_VMCORE
+         bool "/proc/vmcore support (EXPERIMENTAL)"
+-        depends on PROC_FS && CRASH_DUMP
+-      default y
++        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++      default n
+         help
+         Exports the dump image of crashed kernel in ELF format.
+ 
+diff -Nru linux-2.6.29/fs/proc/kcore.c linux-2.6.29-grsec/fs/proc/kcore.c
+--- linux-2.6.29/fs/proc/kcore.c       2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/kcore.c 2009-03-29 22:55:48.616329143 +0200
 @@ -404,10 +404,12 @@
  
  static int __init proc_kcore_init(void)
@@ -137,10 +380,10 @@
        return 0;
  }
  module_init(proc_kcore_init);
-diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
---- linux-2.6.26.orig/fs/proc/root.c   2008-09-01 11:43:59.000000000 +0200
-+++ linux-2.6.26/fs/proc/root.c        2008-09-02 12:17:21.000000000 +0200
-@@ -139,7 +139,15 @@ void __init proc_root_init(void)
+diff -Nru linux-2.6.29/fs/proc/root.c linux-2.6.29-grsec/fs/proc/root.c
+--- linux-2.6.29/fs/proc/root.c        2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/fs/proc/root.c  2009-03-29 22:55:48.616329143 +0200
+@@ -134,7 +134,15 @@
  #ifdef CONFIG_PROC_DEVICETREE
        proc_device_tree_init();
  #endif
@@ -154,11 +397,11 @@
        proc_mkdir("bus", NULL);
 +#endif
        proc_sys_init();
-       proc_vx_init();
  }
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c 
linux-2.6.26/grsecurity/grsec_disabled.c
---- linux-2.6.26.orig/grsecurity/grsec_disabled.c      1970-01-01 
01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_disabled.c   2008-09-02 12:17:21.000000000 
+0200
+ 
+diff -Nru linux-2.6.29/grsecurity/grsec_disabled.c 
linux-2.6.29-grsec/grsecurity/grsec_disabled.c
+--- linux-2.6.29/grsecurity/grsec_disabled.c   1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_disabled.c     2009-03-29 
22:55:48.616329143 +0200
 @@ -0,0 +1,6 @@
 +void
 +grsecurity_init(void)
@@ -166,10 +409,10 @@
 +      return;
 +}
 +
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c 
linux-2.6.26/grsecurity/grsec_fifo.c
---- linux-2.6.26.orig/grsecurity/grsec_fifo.c  1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/grsec_fifo.c       2008-09-02 12:17:21.000000000 
+0200
-@@ -0,0 +1,20 @@
+diff -Nru linux-2.6.29/grsecurity/grsec_fifo.c 
linux-2.6.29-grsec/grsecurity/grsec_fifo.c
+--- linux-2.6.29/grsecurity/grsec_fifo.c       1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_fifo.c 2009-03-29 22:55:48.616329143 
+0200
+@@ -0,0 +1,21 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/fs.h>
@@ -181,18 +424,19 @@
 +             const struct dentry *dir, const int flag, const int acc_mode)
 +{
 +#ifdef CONFIG_GRKERNSEC_FIFO
++      const struct cred *cred = current_cred();
 +      if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
 +          !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
 +          (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
-+          (current->fsuid != dentry->d_inode->i_uid)) {
++          (cred->fsuid != dentry->d_inode->i_uid)) {
 +              return -EACCES;
 +      }
 +#endif
 +      return 0;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c 
linux-2.6.26/grsecurity/grsec_init.c
---- linux-2.6.26.orig/grsecurity/grsec_init.c  1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/grsec_init.c       2008-09-02 12:17:21.000000000 
+0200
+diff -Nru linux-2.6.29/grsecurity/grsec_init.c 
linux-2.6.29-grsec/grsecurity/grsec_init.c
+--- linux-2.6.29/grsecurity/grsec_init.c       1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_init.c 2009-03-29 22:55:48.616329143 
+0200
 @@ -0,0 +1,29 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
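Review bot: `gr_handle_fifo` now declares a local `cred` inside the `#ifdef` only to read one field, where the accessor `current_fsuid()` from the same credentials API would do. The comparison could stay a single expression as `(current_fsuid() != dentry->d_inode->i_uid)`, with no extra declaration. The same applies to the `cred->fsuid` reads added in the two grsecurity/grsec_link.c hunks, though `gr_handle_hardlink` also reads `cred->uid`, so a local pointer is more defensible there. The function's signature starts outside this hunk.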
@@ -223,10 +467,10 @@
 +
 +      return;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c 
linux-2.6.26/grsecurity/grsec_link.c
---- linux-2.6.26.orig/grsecurity/grsec_link.c  1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/grsec_link.c       2008-09-02 12:17:21.000000000 
+0200
-@@ -0,0 +1,37 @@
+diff -Nru linux-2.6.29/grsecurity/grsec_link.c 
linux-2.6.29-grsec/grsecurity/grsec_link.c
+--- linux-2.6.29/grsecurity/grsec_link.c       1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_link.c 2009-03-29 22:55:48.616329143 
+0200
+@@ -0,0 +1,39 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/fs.h>
@@ -239,9 +483,10 @@
 +                    const struct dentry *dentry, const struct vfsmount *mnt)
 +{
 +#ifdef CONFIG_GRKERNSEC_LINK
++      const struct cred *cred = current_cred();
 +      if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
 +          (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
-+          (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
++          (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
 +              return -EACCES;
 +      }
 +#endif
@@ -254,19 +499,20 @@
 +                 struct inode *inode, const int mode, const char *to)
 +{
 +#ifdef CONFIG_GRKERNSEC_LINK
-+      if (grsec_enable_link && current->fsuid != inode->i_uid &&
++      const struct cred *cred = current_cred();
++      if (grsec_enable_link && cred->fsuid != inode->i_uid &&
 +          (!S_ISREG(mode) || (mode & S_ISUID) ||
 +           ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
 +           (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
-+          !capable(CAP_FOWNER) && current->uid) {
++          !capable(CAP_FOWNER) && cred->uid) {
 +              return -EPERM;
 +      }
 +#endif
 +      return 0;
 +}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c 
linux-2.6.26/grsecurity/grsec_sock.c
---- linux-2.6.26.orig/grsecurity/grsec_sock.c  1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/grsec_sock.c       2008-09-02 12:17:21.000000000 
+0200
+diff -Nru linux-2.6.29/grsecurity/grsec_sock.c 
linux-2.6.29-grsec/grsecurity/grsec_sock.c
+--- linux-2.6.29/grsecurity/grsec_sock.c       1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_sock.c 2009-03-29 22:55:48.616329143 
+0200
 @@ -0,0 +1,170 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
@@ -438,9 +684,9 @@
 +      return;
 +}
 +
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c 
linux-2.6.26/grsecurity/grsec_sysctl.c
---- linux-2.6.26.orig/grsecurity/grsec_sysctl.c        1970-01-01 
01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sysctl.c     2008-09-02 12:17:21.000000000 
+0200
+diff -Nru linux-2.6.29/grsecurity/grsec_sysctl.c 
linux-2.6.29-grsec/grsecurity/grsec_sysctl.c
+--- linux-2.6.29/grsecurity/grsec_sysctl.c     1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/grsecurity/grsec_sysctl.c       2009-03-29 
22:55:48.616329143 +0200
 @@ -0,0 +1,52 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -494,9 +740,9 @@
 +      { .ctl_name = 0 }
 +};
 +#endif
-diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
---- linux-2.6.26.orig/grsecurity/Kconfig       1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/Kconfig    2008-09-02 12:17:21.000000000 +0200
+diff -Nru linux-2.6.29/grsecurity/Kconfig linux-2.6.29-grsec/grsecurity/Kconfig
+--- linux-2.6.29/grsecurity/Kconfig    1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/Kconfig      2009-03-29 22:55:48.616329143 
+0200
 @@ -0,0 +1,123 @@
 +#
 +# grecurity configuration
@@ -621,9 +867,9 @@
 +        the sysctl entries.
 +
 +endmenu
-diff -urNp linux-2.6.26.orig/grsecurity/Makefile 
linux-2.6.26/grsecurity/Makefile
---- linux-2.6.26.orig/grsecurity/Makefile      1970-01-01 01:00:00.000000000 
+0100
-+++ linux-2.6.26/grsecurity/Makefile   2008-09-02 12:17:21.000000000 +0200
+diff -Nru linux-2.6.29/grsecurity/Makefile 
linux-2.6.29-grsec/grsecurity/Makefile
+--- linux-2.6.29/grsecurity/Makefile   1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/Makefile     2009-03-29 22:55:48.616329143 
+0200
 @@ -0,0 +1,11 @@
 +# All code in this directory and various hooks inserted throughout the kernel
 +# are copyright Brad Spengler, and released under the GPL v2 or higher
@@ -636,9 +882,9 @@
 +obj-y += grsec_disabled.o
 +endif
 +
-diff -urNp linux-2.6.26.orig/include/linux/grinternal.h 
linux-2.6.26/include/linux/grinternal.h
---- linux-2.6.26.orig/include/linux/grinternal.h       1970-01-01 
01:00:00.000000000 +0100
-+++ linux-2.6.26/include/linux/grinternal.h    2008-09-02 12:17:21.000000000 
+0200
+diff -Nru linux-2.6.29/include/linux/grinternal.h 
linux-2.6.29-grsec/include/linux/grinternal.h
+--- linux-2.6.29/include/linux/grinternal.h    1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/include/linux/grinternal.h      2009-03-29 
22:55:48.639297786 +0200
 @@ -0,0 +1,14 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
@@ -654,9 +900,9 @@
 +#endif
 +
 +#endif
-diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h 
linux-2.6.26/include/linux/grsecurity.h
---- linux-2.6.26.orig/include/linux/grsecurity.h       1970-01-01 
01:00:00.000000000 +0100
-+++ linux-2.6.26/include/linux/grsecurity.h    2008-09-02 12:17:21.000000000 
+0200
+diff -Nru linux-2.6.29/include/linux/grsecurity.h 
linux-2.6.29-grsec/include/linux/grsecurity.h
+--- linux-2.6.29/include/linux/grsecurity.h    1970-01-01 01:00:00.000000000 
+0100
++++ linux-2.6.29-grsec/include/linux/grsecurity.h      2009-03-29 
22:55:48.639297786 +0200
 @@ -0,0 +1,18 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
@@ -676,10 +922,10 @@
 +                            const int mode, const char *to);
 +
 +#endif
-diff -urNp linux-2.6.26.orig/include/linux/sched.h 
linux-2.6.26/include/linux/sched.h
---- linux-2.6.26.orig/include/linux/sched.h    2008-09-01 11:43:34.000000000 
+0200
-+++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200
-@@ -544,6 +544,15 @@ struct signal_struct {
+diff -Nru linux-2.6.29/include/linux/sched.h 
linux-2.6.29-grsec/include/linux/sched.h
+--- linux-2.6.29/include/linux/sched.h 2009-03-24 00:12:14.000000000 +0100
++++ linux-2.6.29-grsec/include/linux/sched.h   2009-03-29 22:55:48.639297786 
+0200
+@@ -605,6 +605,15 @@
        unsigned audit_tty;
        struct tty_audit_buf *tty_audit_buf;
  #endif
@@ -695,10 +941,10 @@
  };
  
  /* Context switch must be unlocked if interrupts are to be enabled */
-diff -urNp linux-2.6.26.orig/include/linux/sysctl.h 
linux-2.6.26/include/linux/sysctl.h
---- linux-2.6.26.orig/include/linux/sysctl.h   2008-09-01 11:43:34.000000000 
+0200
-+++ linux-2.6.26/include/linux/sysctl.h        2008-09-02 12:17:21.000000000 
+0200
-@@ -165,8 +165,11 @@ enum
+diff -Nru linux-2.6.29/include/linux/sysctl.h 
linux-2.6.29-grsec/include/linux/sysctl.h
+--- linux-2.6.29/include/linux/sysctl.h        2009-03-24 00:12:14.000000000 
+0100
<<Diff was trimmed, longer than 597 lines>>

---- CVS-web:
    
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8.4.1&r2=1.8.4.2&f=u
