Author: shadzik Date: Sun Mar 29 21:16:42 2009 GMT Module: SOURCES Tag: Titanium ---- Log message: - fixed
---- Files affected: SOURCES: kernel-desktop-grsec-minimal.patch (1.8.4.1 -> 1.8.4.2) ---- Diffs: ================================================================ Index: SOURCES/kernel-desktop-grsec-minimal.patch diff -u SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1 SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.2 --- SOURCES/kernel-desktop-grsec-minimal.patch:1.8.4.1 Sun Mar 29 22:27:22 2009 +++ SOURCES/kernel-desktop-grsec-minimal.patch Sun Mar 29 23:16:36 2009 @@ -1,7 +1,18 @@ -diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c ---- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200 -+++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200 -@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u +diff -Nru linux-2.6.29/arch/sparc/Makefile linux-2.6.29-grsec/arch/sparc/Makefile +--- linux-2.6.29/arch/sparc/Makefile 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/arch/sparc/Makefile 2009-03-29 22:55:48.646121675 +0200 +@@ -72,6 +72,7 @@ + + core-y += arch/sparc/kernel/ + core-y += arch/sparc/mm/ arch/sparc/math-emu/ ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/ + + libs-y += arch/sparc/prom/ + libs-y += arch/sparc/lib/ +diff -Nru linux-2.6.29/drivers/char/keyboard.c linux-2.6.29-grsec/drivers/char/keyboard.c +--- linux-2.6.29/drivers/char/keyboard.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/drivers/char/keyboard.c 2009-03-29 22:55:48.612631221 +0200 +@@ -635,6 +635,16 @@ kbd->kbdmode == VC_MEDIUMRAW) && value != KVAL(K_SAK)) return; /* SAK is allowed even in raw mode */ 
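Review bot: The new `core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/` line in arch/sparc/Makefile repeats directories that the top-level Makefile already places in core-y, and it wires grsecurity/ into the link only for sparc. Unless a top-level Makefile hunk exists beyond the trimmed end of this diff, every other architecture never links grsec_fifo.o, grsec_link.o and the rest while fs/namei.c still calls gr_handle_follow_link(), gr_handle_fifo() and gr_handle_hardlink(), and on sparc the repeated directories would have their built-in.o linked twice. The arch-independent fix is to patch the top-level Makefile's existing core-y line to `core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/` and drop this sparc hunk.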
@@ -18,10 +29,10 @@ fn_handler[value](vc); } -diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c ---- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200 -+++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200 -@@ -472,7 +472,16 @@ static const struct file_operations proc +diff -Nru linux-2.6.29/drivers/pci/proc.c linux-2.6.29-grsec/drivers/pci/proc.c +--- linux-2.6.29/drivers/pci/proc.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/drivers/pci/proc.c 2009-03-29 22:55:48.612631221 +0200 +@@ -480,7 +480,16 @@ static int __init pci_proc_init(void) { struct pci_dev *dev = NULL; 
@@ -38,29 +49,76 @@ proc_create("devices", 0, proc_bus_pci_dir, &proc_bus_pci_dev_operations); proc_initialized = 1; -diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig ---- linux-2.6.26.orig/fs/proc/Kconfig 2008-09-01 11:43:58.000000000 +0200 -+++ linux-2.6.26/fs/proc/Kconfig 2008-09-02 12:17:21.000000000 +0200 -@@ -926,12 +926,12 @@ config PROC_FS +diff -Nru linux-2.6.29/fs/namei.c linux-2.6.29-grsec/fs/namei.c +--- linux-2.6.29/fs/namei.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/namei.c 2009-03-29 22:55:48.646121675 +0200 +@@ -32,6 +32,7 @@ + #include <linux/fcntl.h> + #include <linux/device_cgroup.h> + #include <asm/uaccess.h> ++#include <linux/grsecurity.h> - config PROC_KCORE - bool "/proc/kcore support" if !ARM -- depends on PROC_FS && MMU -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD + #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) - config PROC_VMCORE - bool "/proc/vmcore support (EXPERIMENTAL)" -- depends on PROC_FS && CRASH_DUMP -- default y -+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC -+ default n - help - Exports the dump image of crashed kernel in ELF format. +@@ -653,6 +654,13 @@ + err = security_inode_follow_link(path->dentry, nd); + if (err) + goto loop; ++ ++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode, ++ path->dentry->d_inode, path->dentry)) { ++ err = -EACCES; ++ goto loop; ++ } ++ + current->link_count++; + current->total_link_count++; + nd->depth++; +@@ -1730,6 +1738,12 @@ + /* + * It already exists. 
+ */ ++ ++ if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) { ++ error = -EACCES; ++ goto exit_mutex_unlock; ++ } ++ + mutex_unlock(&dir->d_inode->i_mutex); + audit_inode(pathname, path.dentry); -diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c ---- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200 -+++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200 -@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s +@@ -1815,6 +1829,13 @@ + error = security_inode_follow_link(path.dentry, &nd); + if (error) + goto exit_dput; ++ ++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode, ++ path.dentry)) { ++ error = -EACCES; ++ goto exit_dput; ++ } ++ + error = __do_follow_link(&path, &nd); + if (error) { + /* Does someone understand code flow here? Or it is only +@@ -2450,6 +2471,13 @@ + error = PTR_ERR(new_dentry); + if (IS_ERR(new_dentry)) + goto out_unlock; ++ ++ if (gr_handle_hardlink(old_path.dentry, old_path.dentry->d_inode, ++ old_path.dentry->d_inode->i_mode, to)) { ++ error = -EACCES; ++ goto out_dput; ++ } ++ + error = mnt_want_write(nd.path.mnt); + if (error) + goto out_dput; +diff -Nru linux-2.6.29/fs/proc/array.c linux-2.6.29-grsec/fs/proc/array.c +--- linux-2.6.29/fs/proc/array.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/array.c 2009-03-29 22:55:48.612631221 +0200 +@@ -529,3 +529,10 @@ return 0; } 
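Review bot: Both new gr_handle_follow_link() calls in fs/namei.c (in do_follow_link and in the symlink branch of do_filp_open) pass three arguments, but the definition in grsecurity/grsec_link.c, whose tail is visible in the `@@ -239,9 +483,10 @@` hunk, ends with a fourth `const struct vfsmount *mnt` parameter, so this should not compile unless the prototype in include/linux/grsecurity.h (cut off in this view) differs from the definition. The calls should become `gr_handle_follow_link(path->dentry->d_parent->d_inode, path->dentry->d_inode, path->dentry, path->mnt)` in do_follow_link and the `path.dentry, path.mnt` equivalent in do_filp_open. The gr_handle_hardlink() call passes four arguments; its definition's first parameter line is not visible, so that count should be checked against grsec_link.c as well. All three hook sites sit inside functions that start and end outside the hunk.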
@@ -71,23 +129,159 @@ + return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip)); +} +#endif -diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c ---- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200 -+++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200 -@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe - if (de->mode) { - inode->i_mode = de->mode; - inode->i_uid = de->uid; +diff -Nru linux-2.6.29/fs/proc/base.c linux-2.6.29-grsec/fs/proc/base.c +--- linux-2.6.29/fs/proc/base.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/base.c 2009-03-29 23:02:57.774010127 +0200 +@@ -80,6 +80,7 @@ + #include <linux/oom.h> + #include <linux/elf.h> + #include <linux/pid_namespace.h> ++#include <linux/grsecurity.h> + #include "internal.h" + + /* NOTE: +@@ -1473,6 +1474,9 @@ + struct inode *inode = dentry->d_inode; + struct task_struct *task; + const struct cred *cred; ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ const struct cred *tmp = current_cred(); ++#endif + + generic_fillattr(inode, stat); + +@@ -1481,11 +1485,27 @@ + stat->gid = 0; + task = pid_task(proc_pid(inode), PIDTYPE_PID); + if (task) { ++ cred = __task_cred(task); ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ && (!tmp->uid || (tmp->uid == cred->uid) +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; ++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID) ++#endif ++ ) ++#endif + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || ++#ifdef CONFIG_GRKERNSEC_PROC_USER ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || ++#endif + task_dumpable(task)) { +- cred = __task_cred(task); + stat->uid = cred->euid; ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP ++ stat->gid = CONFIG_GRKERNSEC_PROC_GID; +#else 
- inode->i_gid = de->gid; + stat->gid = cred->egid; +#endif } - if (de->vx_flags) - PROC_I(inode)->vx_flags = de->vx_flags; ---- linux-2.6.26.orig/fs/proc/cmdline.c 2008-12-25 00:26:37.000000000 +0100 -+++ linux-2.6.26/fs/proc/cmdline.c 2009-01-02 17:46:34.278247774 +0100 + } + rcu_read_unlock(); +@@ -1517,11 +1537,20 @@ + + if (task) { + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) || ++#ifdef CONFIG_GRKERNSEC_PROC_USER ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) || ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) || ++#endif + task_dumpable(task)) { + rcu_read_lock(); + cred = __task_cred(task); + inode->i_uid = cred->euid; ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; ++#else + inode->i_gid = cred->egid; ++#endif + rcu_read_unlock(); + } else { + inode->i_uid = 0; +@@ -1894,12 +1923,19 @@ + static int proc_fd_permission(struct inode *inode, int mask) + { + int rv; ++ struct task_struct *task; + + rv = generic_permission(inode, mask, NULL); +- if (rv == 0) +- return 0; ++ + if (task_pid(current) == proc_pid(inode)) + rv = 0; ++ ++ task = get_proc_task(inode); ++ if (task == NULL) ++ return rv; ++ ++ put_task_struct(task); ++ + return rv; + } + +@@ -2685,7 +2721,14 @@ + if (!inode) + goto out; + ++#ifdef CONFIG_GRKERNSEC_PROC_USER ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR; ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP; ++#else + inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; ++#endif + inode->i_op = &proc_tgid_base_inode_operations; + inode->i_fop = &proc_tgid_base_operations; + inode->i_flags|=S_IMMUTABLE; +@@ -2792,6 +2835,10 @@ + { + unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY; + struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode); ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ 
const struct cred *tmp = current_cred(); ++ const struct cred *itercred; ++#endif + struct tgid_iter iter; + struct pid_namespace *ns; + +@@ -2810,6 +2857,20 @@ + for (iter = next_tgid(ns, iter); + iter.task; + iter.tgid += 1, iter = next_tgid(ns, iter)) { ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ itercred = __task_cred(iter.task); ++#endif ++ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task) ++ #if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP) ++ || (tmp->uid && (itercred->uid != tmp->uid) ++ #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP ++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID) ++ #endif ++ ) ++#endif ++ ) ++ continue; ++ + filp->f_pos = iter.tgid + TGID_OFFSET; + if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) { + put_task_struct(iter.task); +@@ -2891,6 +2952,9 @@ + #ifdef CONFIG_TASK_IO_ACCOUNTING + INF("io", S_IRUGO, proc_tid_io_accounting), + #endif ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR ++ INF("ipaddr", S_IRUSR, pid_ipaddr), ++#endif + }; + + static int proc_tid_base_readdir(struct file * filp, +diff -Nru linux-2.6.29/fs/proc/cmdline.c linux-2.6.29-grsec/fs/proc/cmdline.c +--- linux-2.6.29/fs/proc/cmdline.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/cmdline.c 2009-03-29 22:55:48.616329143 +0200 @@ -23,7 +23,15 @@ static int __init proc_cmdline_init(void) @@ -105,8 +299,9 @@ return 0; } module_init(proc_cmdline_init); ---- linux-2.6.26.orig/fs/proc/devices.c 2008-12-25 00:26:37.000000000 +0100 -+++ linux-2.6.26/fs/proc/devices.c 2009-01-02 17:43:00.758269666 +0100 +diff -Nru linux-2.6.29/fs/proc/devices.c linux-2.6.29-grsec/fs/proc/devices.c +--- linux-2.6.29/fs/proc/devices.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/devices.c 2009-03-29 22:55:48.616329143 +0200 @@ -64,7 +64,13 @@ static int __init proc_devices_init(void) 
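Review bot: In the pid_getattr hunk the added line `&& (!tmp->uid || (tmp->uid == cred->uid)` directly follows the statement `cred = __task_cred(task);`, so with CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP enabled the preprocessed code reads `...; && (...) if (...)`, which is not valid C; it only builds today because the block is compiled out without those options. Presumably this was meant to be a guarding `if (!tmp->uid || (tmp->uid == cred->uid)` followed by the existing `#ifdef`, `)` and inner `if`, which is also the only reading under which the `stat->uid = 0; stat->gid = 0;` defaults set above survive for another user's process. Separately, the proc_fd_permission change calls `get_proc_task(inode)` and then `put_task_struct(task)` without using the task in between, which is dead code; either the intended check goes between them or both lines should go. pid_getattr, proc_fd_permission and proc_pid_readdir each begin or end outside the hunk.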
@@ -122,8 +317,56 @@ return 0; } module_init(proc_devices_init); ---- linux-2.6.26.orig/fs/proc/kcore.c 2008-12-25 00:26:37.000000000 +0100 -+++ linux-2.6.26/fs/proc/kcore.c 2009-01-02 17:45:03.714922801 +0100 +diff -Nru linux-2.6.29/fs/proc/inode.c linux-2.6.29-grsec/fs/proc/inode.c +--- linux-2.6.29/fs/proc/inode.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/inode.c 2009-03-29 22:55:48.612631221 +0200 +@@ -463,7 +463,11 @@ + if (de->mode) { + inode->i_mode = de->mode; + inode->i_uid = de->uid; ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID; ++#else + inode->i_gid = de->gid; ++#endif + } + if (de->size) + inode->i_size = de->size; +diff -Nru linux-2.6.29/fs/proc/internal.h linux-2.6.29-grsec/fs/proc/internal.h +--- linux-2.6.29/fs/proc/internal.h 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/internal.h 2009-03-29 22:55:48.649464378 +0200 +@@ -51,6 +51,9 @@ + struct pid *pid, struct task_struct *task); + extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task); ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR ++extern int proc_pid_ipaddr(struct task_struct *task, char *buffer); ++#endif + extern loff_t mem_lseek(struct file *file, loff_t offset, int orig); + + extern const struct file_operations proc_maps_operations; +diff -Nru linux-2.6.29/fs/proc/Kconfig linux-2.6.29-grsec/fs/proc/Kconfig +--- linux-2.6.29/fs/proc/Kconfig 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/Kconfig 2009-03-29 22:55:48.612631221 +0200 +@@ -30,12 +30,12 @@ + + config PROC_KCORE + bool "/proc/kcore support" if !ARM +- depends on PROC_FS && MMU ++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD + + config PROC_VMCORE + bool "/proc/vmcore support (EXPERIMENTAL)" +- depends on PROC_FS && CRASH_DUMP +- default y ++ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC ++ default n + help + Exports the dump image of crashed kernel in ELF format. 
+ +diff -Nru linux-2.6.29/fs/proc/kcore.c linux-2.6.29-grsec/fs/proc/kcore.c +--- linux-2.6.29/fs/proc/kcore.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/kcore.c 2009-03-29 22:55:48.616329143 +0200 @@ -404,10 +404,12 @@ static int __init proc_kcore_init(void) @@ -137,10 +380,10 @@ return 0; } module_init(proc_kcore_init); -diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c ---- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200 -+++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200 -@@ -139,7 +139,15 @@ void __init proc_root_init(void) +diff -Nru linux-2.6.29/fs/proc/root.c linux-2.6.29-grsec/fs/proc/root.c +--- linux-2.6.29/fs/proc/root.c 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/fs/proc/root.c 2009-03-29 22:55:48.616329143 +0200 +@@ -134,7 +134,15 @@ #ifdef CONFIG_PROC_DEVICETREE proc_device_tree_init(); #endif @@ -154,11 +397,11 @@ proc_mkdir("bus", NULL); +#endif proc_sys_init(); - proc_vx_init(); } -diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c ---- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200 + +diff -Nru linux-2.6.29/grsecurity/grsec_disabled.c linux-2.6.29-grsec/grsecurity/grsec_disabled.c +--- linux-2.6.29/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/grsecurity/grsec_disabled.c 2009-03-29 22:55:48.616329143 +0200 @@ -0,0 +1,6 @@ +void +grsecurity_init(void) 
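Review bot: fs/proc/internal.h now declares `proc_pid_ipaddr()`, but the tid_base_stuff entry added in fs/proc/base.c is `INF("ipaddr", S_IRUSR, pid_ipaddr)`, and the neighbouring context entry `INF("io", S_IRUGO, proc_tid_io_accounting)` shows that this kernel's INF macro takes the full reader name rather than prefixing `proc_` as older trees did. Unless fs/proc/array.c actually defines a function named pid_ipaddr (its name is cut from this diff; only the `NIPQUAD(task->signal->curr_ip)` body is visible), a CONFIG_GRKERNSEC_PROC_IPADDR build fails on an undeclared pid_ipaddr, so the entry should read `INF("ipaddr", S_IRUSR, proc_pid_ipaddr)` to match the declaration. The visible base.c section adds the entry only to the per-thread table, so /proc/<pid>/ipaddr would not exist for thread-group leaders unless that is intended.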
@@ -166,10 +409,10 @@
+ return;
+}
+
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
---- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200
-@@ -0,0 +1,20 @@
+diff -Nru linux-2.6.29/grsecurity/grsec_fifo.c linux-2.6.29-grsec/grsecurity/grsec_fifo.c
+--- linux-2.6.29/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/grsec_fifo.c 2009-03-29 22:55:48.616329143 +0200
+@@ -0,0 +1,21 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
@@ -181,18 +424,19 @@
+ const struct dentry *dir, const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
++ const struct cred *cred = current_cred();
+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
-+ (current->fsuid != dentry->d_inode->i_uid)) {
++ (cred->fsuid != dentry->d_inode->i_uid)) {
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
---- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200
+diff -Nru linux-2.6.29/grsecurity/grsec_init.c linux-2.6.29-grsec/grsecurity/grsec_init.c
+--- linux-2.6.29/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/grsec_init.c 2009-03-29 22:55:48.616329143 +0200
@@ -0,0 +1,29 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
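Review bot: The new gr_handle_fifo() body carries no comment saying what its five-way condition denies, and `acc_mode` is now an unused parameter in this minimal version. I would put above the `if`: `/* Refuse an O_CREAT open without O_EXCL of an existing FIFO in a sticky (+t) directory when the FIFO is owned by neither the directory owner nor the caller's fsuid (the /tmp FIFO-substitution case). */` — "existing" follows from the only call site, the "It already exists" branch of do_filp_open. If `acc_mode` is kept for interface compatibility with the full grsecurity hook, the comment should say so. The function's signature line starts outside the hunk.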
@@ -223,10 +467,10 @@ + + return; +} -diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c ---- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200 -@@ -0,0 +1,37 @@ +diff -Nru linux-2.6.29/grsecurity/grsec_link.c linux-2.6.29-grsec/grsecurity/grsec_link.c +--- linux-2.6.29/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/grsecurity/grsec_link.c 2009-03-29 22:55:48.616329143 +0200 +@@ -0,0 +1,39 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/fs.h> @@ -239,9 +483,10 @@ + const struct dentry *dentry, const struct vfsmount *mnt) +{ +#ifdef CONFIG_GRKERNSEC_LINK ++ const struct cred *cred = current_cred(); + if (grsec_enable_link && S_ISLNK(inode->i_mode) && + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) && -+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) { ++ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) { + return -EACCES; + } +#endif 
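Review bot: The condition in the new gr_handle_follow_link() body has no comment, and `mnt` is accepted but never used in this minimal version. Suggest above the `if`: `/* Deny following a symlink that lives in a sticky, world-writable directory when the link is owned by neither the directory owner nor the caller's fsuid (the classic /tmp symlink race). */`, and a note that `mnt` is retained only for signature compatibility if that is the intent. The function's opening line is outside the hunk.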
@@ -254,19 +499,20 @@
+ struct inode *inode, const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
-+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
++ const struct cred *cred = current_cred();
++ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
+ (!S_ISREG(mode) || (mode & S_ISUID) ||
+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
-+ !capable(CAP_FOWNER) && current->uid) {
++ !capable(CAP_FOWNER) && cred->uid) {
+ return -EPERM;
+ }
+#endif
+ return 0;
+}
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
---- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200
+diff -Nru linux-2.6.29/grsecurity/grsec_sock.c linux-2.6.29-grsec/grsecurity/grsec_sock.c
+--- linux-2.6.29/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/grsec_sock.c 2009-03-29 22:55:48.616329143 +0200
@@ -0,0 +1,170 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
@@ -438,9 +684,9 @@
+ return;
+}
+
-diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
---- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200
+diff -Nru linux-2.6.29/grsecurity/grsec_sysctl.c linux-2.6.29-grsec/grsecurity/grsec_sysctl.c
+--- linux-2.6.29/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.29-grsec/grsecurity/grsec_sysctl.c 2009-03-29 22:55:48.616329143 +0200
@@ -0,0 +1,52 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
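Review bot: gr_handle_hardlink() now compares ownership against `cred->fsuid` but exempts root via `cred->uid`, and nothing in the body explains that split or the mode tests, while `to` is not used in the visible body. Worth a comment above the `if`: `/* A non-owner may hardlink a file only if it is a regular file with no setuid or setgid-exec bit and the caller already has read+write access to it; uid 0 and CAP_FOWNER are exempt. The real uid is checked so a setuid helper acting for a user is still constrained. */` — the last clause is my reading of why `cred->uid` rather than `fsuid` is used there, so confirm before committing it. Note that a non-zero `generic_permission()` result is folded into -EPERM here rather than its own -EACCES, which is what linkat() callers will observe. The function's opening line is outside the hunk.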
@@ -494,9 +740,9 @@ + { .ctl_name = 0 } +}; +#endif -diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig ---- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200 +diff -Nru linux-2.6.29/grsecurity/Kconfig linux-2.6.29-grsec/grsecurity/Kconfig +--- linux-2.6.29/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/grsecurity/Kconfig 2009-03-29 22:55:48.616329143 +0200 @@ -0,0 +1,123 @@ +# +# grecurity configuration @@ -621,9 +867,9 @@ + the sysctl entries. + +endmenu -diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile ---- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200 +diff -Nru linux-2.6.29/grsecurity/Makefile linux-2.6.29-grsec/grsecurity/Makefile +--- linux-2.6.29/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/grsecurity/Makefile 2009-03-29 22:55:48.616329143 +0200 @@ -0,0 +1,11 @@ +# All code in this directory and various hooks inserted throughout the kernel +# are copyright Brad Spengler, and released under the GPL v2 or higher @@ -636,9 +882,9 @@ +obj-y += grsec_disabled.o +endif + -diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h ---- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200 +diff -Nru linux-2.6.29/include/linux/grinternal.h linux-2.6.29-grsec/include/linux/grinternal.h +--- linux-2.6.29/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/include/linux/grinternal.h 2009-03-29 22:55:48.639297786 +0200 @@ -0,0 +1,14 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H 
@@ -654,9 +900,9 @@ +#endif + +#endif -diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h ---- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200 +diff -Nru linux-2.6.29/include/linux/grsecurity.h linux-2.6.29-grsec/include/linux/grsecurity.h +--- linux-2.6.29/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.29-grsec/include/linux/grsecurity.h 2009-03-29 22:55:48.639297786 +0200 @@ -0,0 +1,18 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H @@ -676,10 +922,10 @@ + const int mode, const char *to); + +#endif -diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h ---- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200 -+++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200 -@@ -544,6 +544,15 @@ struct signal_struct { +diff -Nru linux-2.6.29/include/linux/sched.h linux-2.6.29-grsec/include/linux/sched.h +--- linux-2.6.29/include/linux/sched.h 2009-03-24 00:12:14.000000000 +0100 ++++ linux-2.6.29-grsec/include/linux/sched.h 2009-03-29 22:55:48.639297786 +0200 +@@ -605,6 +605,15 @@ unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; #endif 
@@ -695,10 +941,10 @@ }; /* Context switch must be unlocked if interrupts are to be enabled */ -diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h ---- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200 -+++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200 -@@ -165,8 +165,11 @@ enum +diff -Nru linux-2.6.29/include/linux/sysctl.h linux-2.6.29-grsec/include/linux/sysctl.h +--- linux-2.6.29/include/linux/sysctl.h 2009-03-24 00:12:14.000000000 +0100 <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/kernel-desktop-grsec-minimal.patch?r1=1.8.4.1&r2=1.8.4.2&f=u _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit