(メッセージはありません)
@@ -1,6 +1,6 @@ | ||
1 | -This is TOMOYO Linux patch for kernel 3.10.56. | |
1 | +This is TOMOYO Linux patch for kernel 3.10.58. | |
2 | 2 | |
3 | -Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.10.56.tar.xz | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.10.58.tar.xz | |
4 | 4 | --- |
5 | 5 | fs/exec.c | 2 |
6 | 6 | fs/open.c | 2 |
@@ -28,8 +28,8 @@ | ||
28 | 28 | security/security.c | 107 ++++++++++++++++++++++++++++++++++++++++------ |
29 | 29 | 24 files changed, 235 insertions(+), 37 deletions(-) |
30 | 30 | |
31 | ---- linux-3.10.56.orig/fs/exec.c | |
32 | -+++ linux-3.10.56/fs/exec.c | |
31 | +--- linux-3.10.58.orig/fs/exec.c | |
32 | ++++ linux-3.10.58/fs/exec.c | |
33 | 33 | @@ -1540,7 +1540,7 @@ static int do_execve_common(const char * |
34 | 34 | if (retval < 0) |
35 | 35 | goto out; |
@@ -39,8 +39,8 @@ | ||
39 | 39 | if (retval < 0) |
40 | 40 | goto out; |
41 | 41 | |
42 | ---- linux-3.10.56.orig/fs/open.c | |
43 | -+++ linux-3.10.56/fs/open.c | |
42 | +--- linux-3.10.58.orig/fs/open.c | |
43 | ++++ linux-3.10.58/fs/open.c | |
44 | 44 | @@ -1023,6 +1023,8 @@ EXPORT_SYMBOL(sys_close); |
45 | 45 | */ |
46 | 46 | SYSCALL_DEFINE0(vhangup) |
@@ -50,8 +50,8 @@ | ||
50 | 50 | if (capable(CAP_SYS_TTY_CONFIG)) { |
51 | 51 | tty_vhangup_self(); |
52 | 52 | return 0; |
53 | ---- linux-3.10.56.orig/fs/proc/version.c | |
54 | -+++ linux-3.10.56/fs/proc/version.c | |
53 | +--- linux-3.10.58.orig/fs/proc/version.c | |
54 | ++++ linux-3.10.58/fs/proc/version.c | |
55 | 55 | @@ -32,3 +32,10 @@ static int __init proc_version_init(void |
56 | 56 | return 0; |
57 | 57 | } |
@@ -59,12 +59,12 @@ | ||
59 | 59 | + |
60 | 60 | +static int __init ccs_show_version(void) |
61 | 61 | +{ |
62 | -+ printk(KERN_INFO "Hook version: 3.10.56 2014/10/06\n"); | |
62 | ++ printk(KERN_INFO "Hook version: 3.10.58 2014/10/20\n"); | |
63 | 63 | + return 0; |
64 | 64 | +} |
65 | 65 | +module_init(ccs_show_version); |
66 | ---- linux-3.10.56.orig/include/linux/init_task.h | |
67 | -+++ linux-3.10.56/include/linux/init_task.h | |
66 | +--- linux-3.10.58.orig/include/linux/init_task.h | |
67 | ++++ linux-3.10.58/include/linux/init_task.h | |
68 | 68 | @@ -155,6 +155,14 @@ extern struct task_group root_task_group |
69 | 69 | |
70 | 70 | #define INIT_TASK_COMM "swapper" |
@@ -88,8 +88,8 @@ | ||
88 | 88 | } |
89 | 89 | |
90 | 90 | |
91 | ---- linux-3.10.56.orig/include/linux/sched.h | |
92 | -+++ linux-3.10.56/include/linux/sched.h | |
91 | +--- linux-3.10.58.orig/include/linux/sched.h | |
92 | ++++ linux-3.10.58/include/linux/sched.h | |
93 | 93 | @@ -4,6 +4,8 @@ |
94 | 94 | #include <uapi/linux/sched.h> |
95 | 95 |
@@ -110,8 +110,8 @@ | ||
110 | 110 | }; |
111 | 111 | |
112 | 112 | /* Future-safe accessor for struct task_struct's cpus_allowed. */ |
113 | ---- linux-3.10.56.orig/include/linux/security.h | |
114 | -+++ linux-3.10.56/include/linux/security.h | |
113 | +--- linux-3.10.58.orig/include/linux/security.h | |
114 | ++++ linux-3.10.58/include/linux/security.h | |
115 | 115 | @@ -52,6 +52,7 @@ struct msg_queue; |
116 | 116 | struct xattr; |
117 | 117 | struct xfrm_sec_ctx; |
@@ -313,8 +313,8 @@ | ||
313 | 313 | } |
314 | 314 | #endif /* CONFIG_SECURITY_PATH */ |
315 | 315 | |
316 | ---- linux-3.10.56.orig/include/net/ip.h | |
317 | -+++ linux-3.10.56/include/net/ip.h | |
316 | +--- linux-3.10.58.orig/include/net/ip.h | |
317 | ++++ linux-3.10.58/include/net/ip.h | |
318 | 318 | @@ -205,6 +205,8 @@ extern void inet_get_local_port_range(in |
319 | 319 | extern unsigned long *sysctl_local_reserved_ports; |
320 | 320 | static inline int inet_is_reserved_local_port(int port) |
@@ -324,8 +324,8 @@ | ||
324 | 324 | return test_bit(port, sysctl_local_reserved_ports); |
325 | 325 | } |
326 | 326 | |
327 | ---- linux-3.10.56.orig/kernel/fork.c | |
328 | -+++ linux-3.10.56/kernel/fork.c | |
327 | +--- linux-3.10.58.orig/kernel/fork.c | |
328 | ++++ linux-3.10.58/kernel/fork.c | |
329 | 329 | @@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc |
330 | 330 | delayacct_tsk_free(tsk); |
331 | 331 | put_signal_struct(tsk->signal); |
@@ -337,7 +337,7 @@ | ||
337 | 337 | @@ -1325,6 +1326,9 @@ static struct task_struct *copy_process( |
338 | 338 | retval = audit_alloc(p); |
339 | 339 | if (retval) |
340 | - goto bad_fork_cleanup_policy; | |
340 | + goto bad_fork_cleanup_perf; | |
341 | 341 | + retval = ccs_alloc_task_security(p); |
342 | 342 | + if (retval) |
343 | 343 | + goto bad_fork_cleanup_audit; |
@@ -349,11 +349,11 @@ | ||
349 | 349 | bad_fork_cleanup_audit: |
350 | 350 | audit_free(p); |
351 | 351 | + ccs_free_task_security(p); |
352 | + bad_fork_cleanup_perf: | |
353 | + perf_event_free_task(p); | |
352 | 354 | bad_fork_cleanup_policy: |
353 | - perf_event_free_task(p); | |
354 | - #ifdef CONFIG_NUMA | |
355 | ---- linux-3.10.56.orig/kernel/kexec.c | |
356 | -+++ linux-3.10.56/kernel/kexec.c | |
355 | +--- linux-3.10.58.orig/kernel/kexec.c | |
356 | ++++ linux-3.10.58/kernel/kexec.c | |
357 | 357 | @@ -37,6 +37,7 @@ |
358 | 358 | #include <asm/uaccess.h> |
359 | 359 | #include <asm/io.h> |
@@ -371,8 +371,8 @@ | ||
371 | 371 | |
372 | 372 | /* |
373 | 373 | * Verify we have a legal set of flags |
374 | ---- linux-3.10.56.orig/kernel/module.c | |
375 | -+++ linux-3.10.56/kernel/module.c | |
374 | +--- linux-3.10.58.orig/kernel/module.c | |
375 | ++++ linux-3.10.58/kernel/module.c | |
376 | 376 | @@ -63,6 +63,7 @@ |
377 | 377 | #include <linux/fips.h> |
378 | 378 | #include <uapi/linux/module.h> |
@@ -399,8 +399,8 @@ | ||
399 | 399 | |
400 | 400 | return 0; |
401 | 401 | } |
402 | ---- linux-3.10.56.orig/kernel/ptrace.c | |
403 | -+++ linux-3.10.56/kernel/ptrace.c | |
402 | +--- linux-3.10.58.orig/kernel/ptrace.c | |
403 | ++++ linux-3.10.58/kernel/ptrace.c | |
404 | 404 | @@ -998,6 +998,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
405 | 405 | { |
406 | 406 | struct task_struct *child; |
@@ -425,8 +425,8 @@ | ||
425 | 425 | |
426 | 426 | if (request == PTRACE_TRACEME) { |
427 | 427 | ret = ptrace_traceme(); |
428 | ---- linux-3.10.56.orig/kernel/sched/core.c | |
429 | -+++ linux-3.10.56/kernel/sched/core.c | |
428 | +--- linux-3.10.58.orig/kernel/sched/core.c | |
429 | ++++ linux-3.10.58/kernel/sched/core.c | |
430 | 430 | @@ -3732,6 +3732,8 @@ int can_nice(const struct task_struct *p |
431 | 431 | SYSCALL_DEFINE1(nice, int, increment) |
432 | 432 | { |
@@ -436,8 +436,8 @@ | ||
436 | 436 | |
437 | 437 | /* |
438 | 438 | * Setpriority might change our priority at the same moment. |
439 | ---- linux-3.10.56.orig/kernel/signal.c | |
440 | -+++ linux-3.10.56/kernel/signal.c | |
439 | +--- linux-3.10.58.orig/kernel/signal.c | |
440 | ++++ linux-3.10.58/kernel/signal.c | |
441 | 441 | @@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
442 | 442 | SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
443 | 443 | { |
@@ -483,8 +483,8 @@ | ||
483 | 483 | |
484 | 484 | return do_send_specific(tgid, pid, sig, info); |
485 | 485 | } |
486 | ---- linux-3.10.56.orig/kernel/sys.c | |
487 | -+++ linux-3.10.56/kernel/sys.c | |
486 | +--- linux-3.10.58.orig/kernel/sys.c | |
487 | ++++ linux-3.10.58/kernel/sys.c | |
488 | 488 | @@ -186,6 +186,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
489 | 489 | |
490 | 490 | if (which > PRIO_USER || which < PRIO_PROCESS) |
@@ -523,8 +523,8 @@ | ||
523 | 523 | |
524 | 524 | down_write(&uts_sem); |
525 | 525 | errno = -EFAULT; |
526 | ---- linux-3.10.56.orig/kernel/time/ntp.c | |
527 | -+++ linux-3.10.56/kernel/time/ntp.c | |
526 | +--- linux-3.10.58.orig/kernel/time/ntp.c | |
527 | ++++ linux-3.10.58/kernel/time/ntp.c | |
528 | 528 | @@ -16,6 +16,7 @@ |
529 | 529 | #include <linux/mm.h> |
530 | 530 | #include <linux/module.h> |
@@ -558,8 +558,8 @@ | ||
558 | 558 | |
559 | 559 | return 0; |
560 | 560 | } |
561 | ---- linux-3.10.56.orig/net/ipv4/raw.c | |
562 | -+++ linux-3.10.56/net/ipv4/raw.c | |
561 | +--- linux-3.10.58.orig/net/ipv4/raw.c | |
562 | ++++ linux-3.10.58/net/ipv4/raw.c | |
563 | 563 | @@ -700,6 +700,10 @@ static int raw_recvmsg(struct kiocb *ioc |
564 | 564 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
565 | 565 | if (!skb) |
@@ -571,8 +571,8 @@ | ||
571 | 571 | |
572 | 572 | copied = skb->len; |
573 | 573 | if (len < copied) { |
574 | ---- linux-3.10.56.orig/net/ipv4/udp.c | |
575 | -+++ linux-3.10.56/net/ipv4/udp.c | |
574 | +--- linux-3.10.58.orig/net/ipv4/udp.c | |
575 | ++++ linux-3.10.58/net/ipv4/udp.c | |
576 | 576 | @@ -1218,6 +1218,10 @@ try_again: |
577 | 577 | &peeked, &off, &err); |
578 | 578 | if (!skb) |
@@ -584,8 +584,8 @@ | ||
584 | 584 | |
585 | 585 | ulen = skb->len - sizeof(struct udphdr); |
586 | 586 | copied = len; |
587 | ---- linux-3.10.56.orig/net/ipv6/raw.c | |
588 | -+++ linux-3.10.56/net/ipv6/raw.c | |
587 | +--- linux-3.10.58.orig/net/ipv6/raw.c | |
588 | ++++ linux-3.10.58/net/ipv6/raw.c | |
589 | 589 | @@ -468,6 +468,10 @@ static int rawv6_recvmsg(struct kiocb *i |
590 | 590 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
591 | 591 | if (!skb) |
@@ -597,8 +597,8 @@ | ||
597 | 597 | |
598 | 598 | copied = skb->len; |
599 | 599 | if (copied > len) { |
600 | ---- linux-3.10.56.orig/net/ipv6/udp.c | |
601 | -+++ linux-3.10.56/net/ipv6/udp.c | |
600 | +--- linux-3.10.58.orig/net/ipv6/udp.c | |
601 | ++++ linux-3.10.58/net/ipv6/udp.c | |
602 | 602 | @@ -384,6 +384,10 @@ try_again: |
603 | 603 | &peeked, &off, &err); |
604 | 604 | if (!skb) |
@@ -610,8 +610,8 @@ | ||
610 | 610 | |
611 | 611 | ulen = skb->len - sizeof(struct udphdr); |
612 | 612 | copied = len; |
613 | ---- linux-3.10.56.orig/net/socket.c | |
614 | -+++ linux-3.10.56/net/socket.c | |
613 | +--- linux-3.10.58.orig/net/socket.c | |
614 | ++++ linux-3.10.58/net/socket.c | |
615 | 615 | @@ -1611,6 +1611,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
616 | 616 | if (err < 0) |
617 | 617 | goto out_fd; |
@@ -623,8 +623,8 @@ | ||
623 | 623 | if (upeer_sockaddr) { |
624 | 624 | if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
625 | 625 | &len, 2) < 0) { |
626 | ---- linux-3.10.56.orig/net/unix/af_unix.c | |
627 | -+++ linux-3.10.56/net/unix/af_unix.c | |
626 | +--- linux-3.10.58.orig/net/unix/af_unix.c | |
627 | ++++ linux-3.10.58/net/unix/af_unix.c | |
628 | 628 | @@ -1816,6 +1816,10 @@ static int unix_dgram_recvmsg(struct kio |
629 | 629 | wake_up_interruptible_sync_poll(&u->peer_wait, |
630 | 630 | POLLOUT | POLLWRNORM | POLLWRBAND); |
@@ -636,8 +636,8 @@ | ||
636 | 636 | if (msg->msg_name) |
637 | 637 | unix_copy_addr(msg, skb->sk); |
638 | 638 | |
639 | ---- linux-3.10.56.orig/security/Kconfig | |
640 | -+++ linux-3.10.56/security/Kconfig | |
639 | +--- linux-3.10.58.orig/security/Kconfig | |
640 | ++++ linux-3.10.58/security/Kconfig | |
641 | 641 | @@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
642 | 642 | default "yama" if DEFAULT_SECURITY_YAMA |
643 | 643 | default "" if DEFAULT_SECURITY_DAC |
@@ -646,8 +646,8 @@ | ||
646 | 646 | + |
647 | 647 | endmenu |
648 | 648 | |
649 | ---- linux-3.10.56.orig/security/Makefile | |
650 | -+++ linux-3.10.56/security/Makefile | |
649 | +--- linux-3.10.58.orig/security/Makefile | |
650 | ++++ linux-3.10.58/security/Makefile | |
651 | 651 | @@ -28,3 +28,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
652 | 652 | # Object integrity file lists |
653 | 653 | subdir-$(CONFIG_INTEGRITY) += integrity |
@@ -655,8 +655,8 @@ | ||
655 | 655 | + |
656 | 656 | +subdir-$(CONFIG_CCSECURITY) += ccsecurity |
657 | 657 | +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o |
658 | ---- linux-3.10.56.orig/security/security.c | |
659 | -+++ linux-3.10.56/security/security.c | |
658 | +--- linux-3.10.58.orig/security/security.c | |
659 | ++++ linux-3.10.58/security/security.c | |
660 | 660 | @@ -202,7 +202,10 @@ int security_syslog(int type) |
661 | 661 | |
662 | 662 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
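Review bot: In the kernel/fork.c hunk, a failed `ccs_alloc_task_security(p)` still jumps to `bad_fork_cleanup_audit`, which on the 3.10.58 base now runs `audit_free(p)`, then the added `ccs_free_task_security(p)`, then falls through the new `bad_fork_cleanup_perf` label into `perf_event_free_task(p)`; the ccs free hook is therefore reached for a task whose ccs allocation has just failed. That is only correct if ccs_free_task_security() tolerates a task with no security blob — presumably it does, since this layout predates the rebase onto the perf label move, but nothing in the patch says so and the reverse-of-allocation order a reader expects here would free the ccs blob before audit_free(). A one-line comment above the added free, e.g. `/* also reached when ccs_alloc_task_security() failed; kept under bad_fork_cleanup_audit so every later goto releases it */`, would make the intent explicit. The same rebased layout appears in the 3.14.22 section of this commit; copy_process() itself starts and ends outside the hunk.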
@@ -1,6 +1,6 @@ | ||
1 | -This is TOMOYO Linux patch for kernel 3.12.29. | |
1 | +This is TOMOYO Linux patch for kernel 3.12.30. | |
2 | 2 | |
3 | -Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.29.tar.xz | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.30.tar.xz | |
4 | 4 | --- |
5 | 5 | fs/exec.c | 2 |
6 | 6 | fs/open.c | 2 |
@@ -29,9 +29,9 @@ | ||
29 | 29 | security/security.c | 107 ++++++++++++++++++++++++++++++++++++++++------ |
30 | 30 | 25 files changed, 236 insertions(+), 37 deletions(-) |
31 | 31 | |
32 | ---- linux-3.12.29.orig/fs/exec.c | |
33 | -+++ linux-3.12.29/fs/exec.c | |
34 | -@@ -1434,7 +1434,7 @@ static int exec_binprm(struct linux_binp | |
32 | +--- linux-3.12.30.orig/fs/exec.c | |
33 | ++++ linux-3.12.30/fs/exec.c | |
34 | +@@ -1437,7 +1437,7 @@ static int exec_binprm(struct linux_binp | |
35 | 35 | old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 | 36 | rcu_read_unlock(); |
37 | 37 |
@@ -40,8 +40,8 @@ | ||
40 | 40 | if (ret >= 0) { |
41 | 41 | trace_sched_process_exec(current, old_pid, bprm); |
42 | 42 | ptrace_event(PTRACE_EVENT_EXEC, old_vpid); |
43 | ---- linux-3.12.29.orig/fs/open.c | |
44 | -+++ linux-3.12.29/fs/open.c | |
43 | +--- linux-3.12.30.orig/fs/open.c | |
44 | ++++ linux-3.12.30/fs/open.c | |
45 | 45 | @@ -1050,6 +1050,8 @@ EXPORT_SYMBOL(sys_close); |
46 | 46 | */ |
47 | 47 | SYSCALL_DEFINE0(vhangup) |
@@ -51,8 +51,8 @@ | ||
51 | 51 | if (capable(CAP_SYS_TTY_CONFIG)) { |
52 | 52 | tty_vhangup_self(); |
53 | 53 | return 0; |
54 | ---- linux-3.12.29.orig/fs/proc/version.c | |
55 | -+++ linux-3.12.29/fs/proc/version.c | |
54 | +--- linux-3.12.30.orig/fs/proc/version.c | |
55 | ++++ linux-3.12.30/fs/proc/version.c | |
56 | 56 | @@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 | 57 | return 0; |
58 | 58 | } |
@@ -60,12 +60,12 @@ | ||
60 | 60 | + |
61 | 61 | +static int __init ccs_show_version(void) |
62 | 62 | +{ |
63 | -+ printk(KERN_INFO "Hook version: 3.12.29 2014/10/06\n"); | |
63 | ++ printk(KERN_INFO "Hook version: 3.12.30 2014/10/20\n"); | |
64 | 64 | + return 0; |
65 | 65 | +} |
66 | 66 | +module_init(ccs_show_version); |
67 | ---- linux-3.12.29.orig/include/linux/init_task.h | |
68 | -+++ linux-3.12.29/include/linux/init_task.h | |
67 | +--- linux-3.12.30.orig/include/linux/init_task.h | |
68 | ++++ linux-3.12.30/include/linux/init_task.h | |
69 | 69 | @@ -155,6 +155,14 @@ extern struct task_group root_task_group |
70 | 70 | |
71 | 71 | #define INIT_TASK_COMM "swapper" |
@@ -89,8 +89,8 @@ | ||
89 | 89 | } |
90 | 90 | |
91 | 91 | |
92 | ---- linux-3.12.29.orig/include/linux/sched.h | |
93 | -+++ linux-3.12.29/include/linux/sched.h | |
92 | +--- linux-3.12.30.orig/include/linux/sched.h | |
93 | ++++ linux-3.12.30/include/linux/sched.h | |
94 | 94 | @@ -4,6 +4,8 @@ |
95 | 95 | #include <uapi/linux/sched.h> |
96 | 96 |
@@ -100,7 +100,7 @@ | ||
100 | 100 | struct sched_param { |
101 | 101 | int sched_priority; |
102 | 102 | }; |
103 | -@@ -1413,6 +1415,10 @@ struct task_struct { | |
103 | +@@ -1420,6 +1422,10 @@ struct task_struct { | |
104 | 104 | unsigned int sequential_io; |
105 | 105 | unsigned int sequential_io_avg; |
106 | 106 | #endif |
@@ -111,8 +111,8 @@ | ||
111 | 111 | }; |
112 | 112 | |
113 | 113 | /* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 | ---- linux-3.12.29.orig/include/linux/security.h | |
115 | -+++ linux-3.12.29/include/linux/security.h | |
114 | +--- linux-3.12.30.orig/include/linux/security.h | |
115 | ++++ linux-3.12.30/include/linux/security.h | |
116 | 116 | @@ -53,6 +53,7 @@ struct msg_queue; |
117 | 117 | struct xattr; |
118 | 118 | struct xfrm_sec_ctx; |
@@ -314,8 +314,8 @@ | ||
314 | 314 | } |
315 | 315 | #endif /* CONFIG_SECURITY_PATH */ |
316 | 316 | |
317 | ---- linux-3.12.29.orig/include/net/ip.h | |
318 | -+++ linux-3.12.29/include/net/ip.h | |
317 | +--- linux-3.12.30.orig/include/net/ip.h | |
318 | ++++ linux-3.12.30/include/net/ip.h | |
319 | 319 | @@ -215,6 +215,8 @@ extern void inet_get_local_port_range(in |
320 | 320 | extern unsigned long *sysctl_local_reserved_ports; |
321 | 321 | static inline int inet_is_reserved_local_port(int port) |
@@ -325,9 +325,9 @@ | ||
325 | 325 | return test_bit(port, sysctl_local_reserved_ports); |
326 | 326 | } |
327 | 327 | |
328 | ---- linux-3.12.29.orig/kernel/fork.c | |
329 | -+++ linux-3.12.29/kernel/fork.c | |
330 | -@@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc | |
328 | +--- linux-3.12.30.orig/kernel/fork.c | |
329 | ++++ linux-3.12.30/kernel/fork.c | |
330 | +@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc | |
331 | 331 | delayacct_tsk_free(tsk); |
332 | 332 | put_signal_struct(tsk->signal); |
333 | 333 |
@@ -335,7 +335,7 @@ | ||
335 | 335 | if (!profile_handoff_task(tsk)) |
336 | 336 | free_task(tsk); |
337 | 337 | } |
338 | -@@ -1327,6 +1328,9 @@ static struct task_struct *copy_process( | |
338 | +@@ -1332,6 +1333,9 @@ static struct task_struct *copy_process( | |
339 | 339 | retval = audit_alloc(p); |
340 | 340 | if (retval) |
341 | 341 | goto bad_fork_cleanup_policy; |
@@ -345,7 +345,7 @@ | ||
345 | 345 | /* copy all the process information */ |
346 | 346 | retval = copy_semundo(clone_flags, p); |
347 | 347 | if (retval) |
348 | -@@ -1527,6 +1531,7 @@ bad_fork_cleanup_semundo: | |
348 | +@@ -1532,6 +1536,7 @@ bad_fork_cleanup_semundo: | |
349 | 349 | exit_sem(p); |
350 | 350 | bad_fork_cleanup_audit: |
351 | 351 | audit_free(p); |
@@ -353,8 +353,8 @@ | ||
353 | 353 | bad_fork_cleanup_policy: |
354 | 354 | perf_event_free_task(p); |
355 | 355 | #ifdef CONFIG_NUMA |
356 | ---- linux-3.12.29.orig/kernel/kexec.c | |
357 | -+++ linux-3.12.29/kernel/kexec.c | |
356 | +--- linux-3.12.30.orig/kernel/kexec.c | |
357 | ++++ linux-3.12.30/kernel/kexec.c | |
358 | 358 | @@ -37,6 +37,7 @@ |
359 | 359 | #include <asm/uaccess.h> |
360 | 360 | #include <asm/io.h> |
@@ -372,8 +372,8 @@ | ||
372 | 372 | |
373 | 373 | /* |
374 | 374 | * Verify we have a legal set of flags |
375 | ---- linux-3.12.29.orig/kernel/module.c | |
376 | -+++ linux-3.12.29/kernel/module.c | |
375 | +--- linux-3.12.30.orig/kernel/module.c | |
376 | ++++ linux-3.12.30/kernel/module.c | |
377 | 377 | @@ -63,6 +63,7 @@ |
378 | 378 | #include <linux/fips.h> |
379 | 379 | #include <uapi/linux/module.h> |
@@ -400,8 +400,8 @@ | ||
400 | 400 | |
401 | 401 | return 0; |
402 | 402 | } |
403 | ---- linux-3.12.29.orig/kernel/ptrace.c | |
404 | -+++ linux-3.12.29/kernel/ptrace.c | |
403 | +--- linux-3.12.30.orig/kernel/ptrace.c | |
404 | ++++ linux-3.12.30/kernel/ptrace.c | |
405 | 405 | @@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
406 | 406 | { |
407 | 407 | struct task_struct *child; |
@@ -426,8 +426,8 @@ | ||
426 | 426 | |
427 | 427 | if (request == PTRACE_TRACEME) { |
428 | 428 | ret = ptrace_traceme(); |
429 | ---- linux-3.12.29.orig/kernel/reboot.c | |
430 | -+++ linux-3.12.29/kernel/reboot.c | |
429 | +--- linux-3.12.30.orig/kernel/reboot.c | |
430 | ++++ linux-3.12.30/kernel/reboot.c | |
431 | 431 | @@ -16,6 +16,7 @@ |
432 | 432 | #include <linux/syscalls.h> |
433 | 433 | #include <linux/syscore_ops.h> |
@@ -445,8 +445,8 @@ | ||
445 | 445 | |
446 | 446 | /* |
447 | 447 | * If pid namespaces are enabled and the current task is in a child |
448 | ---- linux-3.12.29.orig/kernel/sched/core.c | |
449 | -+++ linux-3.12.29/kernel/sched/core.c | |
448 | +--- linux-3.12.30.orig/kernel/sched/core.c | |
449 | ++++ linux-3.12.30/kernel/sched/core.c | |
450 | 450 | @@ -3148,6 +3148,8 @@ int can_nice(const struct task_struct *p |
451 | 451 | SYSCALL_DEFINE1(nice, int, increment) |
452 | 452 | { |
@@ -456,8 +456,8 @@ | ||
456 | 456 | |
457 | 457 | /* |
458 | 458 | * Setpriority might change our priority at the same moment. |
459 | ---- linux-3.12.29.orig/kernel/signal.c | |
460 | -+++ linux-3.12.29/kernel/signal.c | |
459 | +--- linux-3.12.30.orig/kernel/signal.c | |
460 | ++++ linux-3.12.30/kernel/signal.c | |
461 | 461 | @@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
462 | 462 | SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
463 | 463 | { |
@@ -503,8 +503,8 @@ | ||
503 | 503 | |
504 | 504 | return do_send_specific(tgid, pid, sig, info); |
505 | 505 | } |
506 | ---- linux-3.12.29.orig/kernel/sys.c | |
507 | -+++ linux-3.12.29/kernel/sys.c | |
506 | +--- linux-3.12.30.orig/kernel/sys.c | |
507 | ++++ linux-3.12.30/kernel/sys.c | |
508 | 508 | @@ -172,6 +172,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
509 | 509 | |
510 | 510 | if (which > PRIO_USER || which < PRIO_PROCESS) |
@@ -534,8 +534,8 @@ | ||
534 | 534 | |
535 | 535 | down_write(&uts_sem); |
536 | 536 | errno = -EFAULT; |
537 | ---- linux-3.12.29.orig/kernel/time/ntp.c | |
538 | -+++ linux-3.12.29/kernel/time/ntp.c | |
537 | +--- linux-3.12.30.orig/kernel/time/ntp.c | |
538 | ++++ linux-3.12.30/kernel/time/ntp.c | |
539 | 539 | @@ -16,6 +16,7 @@ |
540 | 540 | #include <linux/mm.h> |
541 | 541 | #include <linux/module.h> |
@@ -569,8 +569,8 @@ | ||
569 | 569 | |
570 | 570 | return 0; |
571 | 571 | } |
572 | ---- linux-3.12.29.orig/net/ipv4/raw.c | |
573 | -+++ linux-3.12.29/net/ipv4/raw.c | |
572 | +--- linux-3.12.30.orig/net/ipv4/raw.c | |
573 | ++++ linux-3.12.30/net/ipv4/raw.c | |
574 | 574 | @@ -702,6 +702,10 @@ static int raw_recvmsg(struct kiocb *ioc |
575 | 575 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
576 | 576 | if (!skb) |
@@ -582,8 +582,8 @@ | ||
582 | 582 | |
583 | 583 | copied = skb->len; |
584 | 584 | if (len < copied) { |
585 | ---- linux-3.12.29.orig/net/ipv4/udp.c | |
586 | -+++ linux-3.12.29/net/ipv4/udp.c | |
585 | +--- linux-3.12.30.orig/net/ipv4/udp.c | |
586 | ++++ linux-3.12.30/net/ipv4/udp.c | |
587 | 587 | @@ -1220,6 +1220,10 @@ try_again: |
588 | 588 | &peeked, &off, &err); |
589 | 589 | if (!skb) |
@@ -595,8 +595,8 @@ | ||
595 | 595 | |
596 | 596 | ulen = skb->len - sizeof(struct udphdr); |
597 | 597 | copied = len; |
598 | ---- linux-3.12.29.orig/net/ipv6/raw.c | |
599 | -+++ linux-3.12.29/net/ipv6/raw.c | |
598 | +--- linux-3.12.30.orig/net/ipv6/raw.c | |
599 | ++++ linux-3.12.30/net/ipv6/raw.c | |
600 | 600 | @@ -475,6 +475,10 @@ static int rawv6_recvmsg(struct kiocb *i |
601 | 601 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
602 | 602 | if (!skb) |
@@ -608,8 +608,8 @@ | ||
608 | 608 | |
609 | 609 | copied = skb->len; |
610 | 610 | if (copied > len) { |
611 | ---- linux-3.12.29.orig/net/ipv6/udp.c | |
612 | -+++ linux-3.12.29/net/ipv6/udp.c | |
611 | +--- linux-3.12.30.orig/net/ipv6/udp.c | |
612 | ++++ linux-3.12.30/net/ipv6/udp.c | |
613 | 613 | @@ -385,6 +385,10 @@ try_again: |
614 | 614 | &peeked, &off, &err); |
615 | 615 | if (!skb) |
@@ -621,8 +621,8 @@ | ||
621 | 621 | |
622 | 622 | ulen = skb->len - sizeof(struct udphdr); |
623 | 623 | copied = len; |
624 | ---- linux-3.12.29.orig/net/socket.c | |
625 | -+++ linux-3.12.29/net/socket.c | |
624 | +--- linux-3.12.30.orig/net/socket.c | |
625 | ++++ linux-3.12.30/net/socket.c | |
626 | 626 | @@ -1619,6 +1619,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
627 | 627 | if (err < 0) |
628 | 628 | goto out_fd; |
@@ -634,8 +634,8 @@ | ||
634 | 634 | if (upeer_sockaddr) { |
635 | 635 | if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
636 | 636 | &len, 2) < 0) { |
637 | ---- linux-3.12.29.orig/net/unix/af_unix.c | |
638 | -+++ linux-3.12.29/net/unix/af_unix.c | |
637 | +--- linux-3.12.30.orig/net/unix/af_unix.c | |
638 | ++++ linux-3.12.30/net/unix/af_unix.c | |
639 | 639 | @@ -1809,6 +1809,10 @@ static int unix_dgram_recvmsg(struct kio |
640 | 640 | wake_up_interruptible_sync_poll(&u->peer_wait, |
641 | 641 | POLLOUT | POLLWRNORM | POLLWRBAND); |
@@ -647,8 +647,8 @@ | ||
647 | 647 | if (msg->msg_name) |
648 | 648 | unix_copy_addr(msg, skb->sk); |
649 | 649 | |
650 | ---- linux-3.12.29.orig/security/Kconfig | |
651 | -+++ linux-3.12.29/security/Kconfig | |
650 | +--- linux-3.12.30.orig/security/Kconfig | |
651 | ++++ linux-3.12.30/security/Kconfig | |
652 | 652 | @@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
653 | 653 | default "yama" if DEFAULT_SECURITY_YAMA |
654 | 654 | default "" if DEFAULT_SECURITY_DAC |
@@ -657,8 +657,8 @@ | ||
657 | 657 | + |
658 | 658 | endmenu |
659 | 659 | |
660 | ---- linux-3.12.29.orig/security/Makefile | |
661 | -+++ linux-3.12.29/security/Makefile | |
660 | +--- linux-3.12.30.orig/security/Makefile | |
661 | ++++ linux-3.12.30/security/Makefile | |
662 | 662 | @@ -28,3 +28,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
663 | 663 | # Object integrity file lists |
664 | 664 | subdir-$(CONFIG_INTEGRITY) += integrity |
@@ -666,8 +666,8 @@ | ||
666 | 666 | + |
667 | 667 | +subdir-$(CONFIG_CCSECURITY) += ccsecurity |
668 | 668 | +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o |
669 | ---- linux-3.12.29.orig/security/security.c | |
670 | -+++ linux-3.12.29/security/security.c | |
669 | +--- linux-3.12.30.orig/security/security.c | |
670 | ++++ linux-3.12.30/security/security.c | |
671 | 671 | @@ -203,7 +203,10 @@ int security_syslog(int type) |
672 | 672 | |
673 | 673 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
@@ -1,6 +1,6 @@ | ||
1 | -This is TOMOYO Linux patch for kernel 3.14.20. | |
1 | +This is TOMOYO Linux patch for kernel 3.14.22. | |
2 | 2 | |
3 | -Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.20.tar.xz | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.22.tar.xz | |
4 | 4 | --- |
5 | 5 | fs/exec.c | 2 |
6 | 6 | fs/open.c | 2 |
@@ -29,9 +29,9 @@ | ||
29 | 29 | security/security.c | 107 ++++++++++++++++++++++++++++++++++++++++------ |
30 | 30 | 25 files changed, 236 insertions(+), 37 deletions(-) |
31 | 31 | |
32 | ---- linux-3.14.20.orig/fs/exec.c | |
33 | -+++ linux-3.14.20/fs/exec.c | |
34 | -@@ -1423,7 +1423,7 @@ static int exec_binprm(struct linux_binp | |
32 | +--- linux-3.14.22.orig/fs/exec.c | |
33 | ++++ linux-3.14.22/fs/exec.c | |
34 | +@@ -1426,7 +1426,7 @@ static int exec_binprm(struct linux_binp | |
35 | 35 | old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 | 36 | rcu_read_unlock(); |
37 | 37 |
@@ -40,8 +40,8 @@ | ||
40 | 40 | if (ret >= 0) { |
41 | 41 | audit_bprm(bprm); |
42 | 42 | trace_sched_process_exec(current, old_pid, bprm); |
43 | ---- linux-3.14.20.orig/fs/open.c | |
44 | -+++ linux-3.14.20/fs/open.c | |
43 | +--- linux-3.14.22.orig/fs/open.c | |
44 | ++++ linux-3.14.22/fs/open.c | |
45 | 45 | @@ -1070,6 +1070,8 @@ EXPORT_SYMBOL(sys_close); |
46 | 46 | */ |
47 | 47 | SYSCALL_DEFINE0(vhangup) |
@@ -51,8 +51,8 @@ | ||
51 | 51 | if (capable(CAP_SYS_TTY_CONFIG)) { |
52 | 52 | tty_vhangup_self(); |
53 | 53 | return 0; |
54 | ---- linux-3.14.20.orig/fs/proc/version.c | |
55 | -+++ linux-3.14.20/fs/proc/version.c | |
54 | +--- linux-3.14.22.orig/fs/proc/version.c | |
55 | ++++ linux-3.14.22/fs/proc/version.c | |
56 | 56 | @@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 | 57 | return 0; |
58 | 58 | } |
@@ -60,12 +60,12 @@ | ||
60 | 60 | + |
61 | 61 | +static int __init ccs_show_version(void) |
62 | 62 | +{ |
63 | -+ printk(KERN_INFO "Hook version: 3.14.20 2014/10/06\n"); | |
63 | ++ printk(KERN_INFO "Hook version: 3.14.22 2014/10/20\n"); | |
64 | 64 | + return 0; |
65 | 65 | +} |
66 | 66 | +fs_initcall(ccs_show_version); |
67 | ---- linux-3.14.20.orig/include/linux/init_task.h | |
68 | -+++ linux-3.14.20/include/linux/init_task.h | |
67 | +--- linux-3.14.22.orig/include/linux/init_task.h | |
68 | ++++ linux-3.14.22/include/linux/init_task.h | |
69 | 69 | @@ -164,6 +164,14 @@ extern struct task_group root_task_group |
70 | 70 | # define INIT_RT_MUTEXES(tsk) |
71 | 71 | #endif |
@@ -89,8 +89,8 @@ | ||
89 | 89 | } |
90 | 90 | |
91 | 91 | |
92 | ---- linux-3.14.20.orig/include/linux/sched.h | |
93 | -+++ linux-3.14.20/include/linux/sched.h | |
92 | +--- linux-3.14.22.orig/include/linux/sched.h | |
93 | ++++ linux-3.14.22/include/linux/sched.h | |
94 | 94 | @@ -4,6 +4,8 @@ |
95 | 95 | #include <uapi/linux/sched.h> |
96 | 96 |
@@ -100,7 +100,7 @@ | ||
100 | 100 | struct sched_param { |
101 | 101 | int sched_priority; |
102 | 102 | }; |
103 | -@@ -1581,6 +1583,10 @@ struct task_struct { | |
103 | +@@ -1588,6 +1590,10 @@ struct task_struct { | |
104 | 104 | unsigned int sequential_io; |
105 | 105 | unsigned int sequential_io_avg; |
106 | 106 | #endif |
@@ -111,8 +111,8 @@ | ||
111 | 111 | }; |
112 | 112 | |
113 | 113 | /* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 | ---- linux-3.14.20.orig/include/linux/security.h | |
115 | -+++ linux-3.14.20/include/linux/security.h | |
114 | +--- linux-3.14.22.orig/include/linux/security.h | |
115 | ++++ linux-3.14.22/include/linux/security.h | |
116 | 116 | @@ -53,6 +53,7 @@ struct msg_queue; |
117 | 117 | struct xattr; |
118 | 118 | struct xfrm_sec_ctx; |
@@ -314,8 +314,8 @@ | ||
314 | 314 | } |
315 | 315 | #endif /* CONFIG_SECURITY_PATH */ |
316 | 316 | |
317 | ---- linux-3.14.20.orig/include/net/ip.h | |
318 | -+++ linux-3.14.20/include/net/ip.h | |
317 | +--- linux-3.14.22.orig/include/net/ip.h | |
318 | ++++ linux-3.14.22/include/net/ip.h | |
319 | 319 | @@ -217,6 +217,8 @@ void inet_get_local_port_range(struct ne |
320 | 320 | extern unsigned long *sysctl_local_reserved_ports; |
321 | 321 | static inline int inet_is_reserved_local_port(int port) |
@@ -325,9 +325,9 @@ | ||
325 | 325 | return test_bit(port, sysctl_local_reserved_ports); |
326 | 326 | } |
327 | 327 | |
328 | ---- linux-3.14.20.orig/kernel/fork.c | |
329 | -+++ linux-3.14.20/kernel/fork.c | |
330 | -@@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc | |
328 | +--- linux-3.14.22.orig/kernel/fork.c | |
329 | ++++ linux-3.14.22/kernel/fork.c | |
330 | +@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc | |
331 | 331 | delayacct_tsk_free(tsk); |
332 | 332 | put_signal_struct(tsk->signal); |
333 | 333 |
@@ -335,10 +335,10 @@ | ||
335 | 335 | if (!profile_handoff_task(tsk)) |
336 | 336 | free_task(tsk); |
337 | 337 | } |
338 | -@@ -1324,6 +1325,9 @@ static struct task_struct *copy_process( | |
338 | +@@ -1329,6 +1330,9 @@ static struct task_struct *copy_process( | |
339 | 339 | retval = audit_alloc(p); |
340 | 340 | if (retval) |
341 | - goto bad_fork_cleanup_policy; | |
341 | + goto bad_fork_cleanup_perf; | |
342 | 342 | + retval = ccs_alloc_task_security(p); |
343 | 343 | + if (retval) |
344 | 344 | + goto bad_fork_cleanup_audit; |
@@ -345,16 +345,16 @@ | ||
345 | 345 | /* copy all the process information */ |
346 | 346 | retval = copy_semundo(clone_flags, p); |
347 | 347 | if (retval) |
348 | -@@ -1522,6 +1526,7 @@ bad_fork_cleanup_semundo: | |
348 | +@@ -1527,6 +1531,7 @@ bad_fork_cleanup_semundo: | |
349 | 349 | exit_sem(p); |
350 | 350 | bad_fork_cleanup_audit: |
351 | 351 | audit_free(p); |
352 | 352 | + ccs_free_task_security(p); |
353 | + bad_fork_cleanup_perf: | |
354 | + perf_event_free_task(p); | |
353 | 355 | bad_fork_cleanup_policy: |
354 | - perf_event_free_task(p); | |
355 | - #ifdef CONFIG_NUMA | |
356 | ---- linux-3.14.20.orig/kernel/kexec.c | |
357 | -+++ linux-3.14.20/kernel/kexec.c | |
356 | +--- linux-3.14.22.orig/kernel/kexec.c | |
357 | ++++ linux-3.14.22/kernel/kexec.c | |
358 | 358 | @@ -37,6 +37,7 @@ |
359 | 359 | #include <asm/uaccess.h> |
360 | 360 | #include <asm/io.h> |
@@ -372,8 +372,8 @@ | ||
372 | 372 | |
373 | 373 | /* |
374 | 374 | * Verify we have a legal set of flags |
375 | ---- linux-3.14.20.orig/kernel/module.c | |
376 | -+++ linux-3.14.20/kernel/module.c | |
375 | +--- linux-3.14.22.orig/kernel/module.c | |
376 | ++++ linux-3.14.22/kernel/module.c | |
377 | 377 | @@ -63,6 +63,7 @@ |
378 | 378 | #include <linux/fips.h> |
379 | 379 | #include <uapi/linux/module.h> |
@@ -400,8 +400,8 @@ | ||
400 | 400 | |
401 | 401 | return 0; |
402 | 402 | } |
403 | ---- linux-3.14.20.orig/kernel/ptrace.c | |
404 | -+++ linux-3.14.20/kernel/ptrace.c | |
403 | +--- linux-3.14.22.orig/kernel/ptrace.c | |
404 | ++++ linux-3.14.22/kernel/ptrace.c | |
405 | 405 | @@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
406 | 406 | { |
407 | 407 | struct task_struct *child; |
@@ -426,8 +426,8 @@ | ||
426 | 426 | |
427 | 427 | if (request == PTRACE_TRACEME) { |
428 | 428 | ret = ptrace_traceme(); |
429 | ---- linux-3.14.20.orig/kernel/reboot.c | |
430 | -+++ linux-3.14.20/kernel/reboot.c | |
429 | +--- linux-3.14.22.orig/kernel/reboot.c | |
430 | ++++ linux-3.14.22/kernel/reboot.c | |
431 | 431 | @@ -16,6 +16,7 @@ |
432 | 432 | #include <linux/syscalls.h> |
433 | 433 | #include <linux/syscore_ops.h> |
@@ -445,8 +445,8 @@ | ||
445 | 445 | |
446 | 446 | /* |
447 | 447 | * If pid namespaces are enabled and the current task is in a child |
448 | ---- linux-3.14.20.orig/kernel/sched/core.c | |
449 | -+++ linux-3.14.20/kernel/sched/core.c | |
448 | +--- linux-3.14.22.orig/kernel/sched/core.c | |
449 | ++++ linux-3.14.22/kernel/sched/core.c | |
450 | 450 | @@ -3065,6 +3065,8 @@ int can_nice(const struct task_struct *p |
451 | 451 | SYSCALL_DEFINE1(nice, int, increment) |
452 | 452 | { |
@@ -456,8 +456,8 @@ | ||
456 | 456 | |
457 | 457 | /* |
458 | 458 | * Setpriority might change our priority at the same moment. |
459 | ---- linux-3.14.20.orig/kernel/signal.c | |
460 | -+++ linux-3.14.20/kernel/signal.c | |
459 | +--- linux-3.14.22.orig/kernel/signal.c | |
460 | ++++ linux-3.14.22/kernel/signal.c | |
461 | 461 | @@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
462 | 462 | SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
463 | 463 | { |
@@ -503,8 +503,8 @@ | ||
503 | 503 | |
504 | 504 | return do_send_specific(tgid, pid, sig, info); |
505 | 505 | } |
506 | ---- linux-3.14.20.orig/kernel/sys.c | |
507 | -+++ linux-3.14.20/kernel/sys.c | |
506 | +--- linux-3.14.22.orig/kernel/sys.c | |
507 | ++++ linux-3.14.22/kernel/sys.c | |
508 | 508 | @@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
509 | 509 | |
510 | 510 | if (which > PRIO_USER || which < PRIO_PROCESS) |
@@ -534,8 +534,8 @@ | ||
534 | 534 | |
535 | 535 | down_write(&uts_sem); |
536 | 536 | errno = -EFAULT; |
537 | ---- linux-3.14.20.orig/kernel/time/ntp.c | |
538 | -+++ linux-3.14.20/kernel/time/ntp.c | |
537 | +--- linux-3.14.22.orig/kernel/time/ntp.c | |
538 | ++++ linux-3.14.22/kernel/time/ntp.c | |
539 | 539 | @@ -16,6 +16,7 @@ |
540 | 540 | #include <linux/mm.h> |
541 | 541 | #include <linux/module.h> |
@@ -569,8 +569,8 @@ | ||
569 | 569 | |
570 | 570 | return 0; |
571 | 571 | } |
572 | ---- linux-3.14.20.orig/net/ipv4/raw.c | |
573 | -+++ linux-3.14.20/net/ipv4/raw.c | |
572 | +--- linux-3.14.22.orig/net/ipv4/raw.c | |
573 | ++++ linux-3.14.22/net/ipv4/raw.c | |
574 | 574 | @@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc |
575 | 575 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
576 | 576 | if (!skb) |
@@ -582,8 +582,8 @@ | ||
582 | 582 | |
583 | 583 | copied = skb->len; |
584 | 584 | if (len < copied) { |
585 | ---- linux-3.14.20.orig/net/ipv4/udp.c | |
586 | -+++ linux-3.14.20/net/ipv4/udp.c | |
585 | +--- linux-3.14.22.orig/net/ipv4/udp.c | |
586 | ++++ linux-3.14.22/net/ipv4/udp.c | |
587 | 587 | @@ -1242,6 +1242,10 @@ try_again: |
588 | 588 | &peeked, &off, &err); |
589 | 589 | if (!skb) |
@@ -595,8 +595,8 @@ | ||
595 | 595 | |
596 | 596 | ulen = skb->len - sizeof(struct udphdr); |
597 | 597 | copied = len; |
598 | ---- linux-3.14.20.orig/net/ipv6/raw.c | |
599 | -+++ linux-3.14.20/net/ipv6/raw.c | |
598 | +--- linux-3.14.22.orig/net/ipv6/raw.c | |
599 | ++++ linux-3.14.22/net/ipv6/raw.c | |
600 | 600 | @@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
601 | 601 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
602 | 602 | if (!skb) |
@@ -608,8 +608,8 @@ | ||
608 | 608 | |
609 | 609 | copied = skb->len; |
610 | 610 | if (copied > len) { |
611 | ---- linux-3.14.20.orig/net/ipv6/udp.c | |
612 | -+++ linux-3.14.20/net/ipv6/udp.c | |
611 | +--- linux-3.14.22.orig/net/ipv6/udp.c | |
612 | ++++ linux-3.14.22/net/ipv6/udp.c | |
613 | 613 | @@ -403,6 +403,10 @@ try_again: |
614 | 614 | &peeked, &off, &err); |
615 | 615 | if (!skb) |
@@ -621,8 +621,8 @@ | ||
621 | 621 | |
622 | 622 | ulen = skb->len - sizeof(struct udphdr); |
623 | 623 | copied = len; |
624 | ---- linux-3.14.20.orig/net/socket.c | |
625 | -+++ linux-3.14.20/net/socket.c | |
624 | +--- linux-3.14.22.orig/net/socket.c | |
625 | ++++ linux-3.14.22/net/socket.c | |
626 | 626 | @@ -1633,6 +1633,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
627 | 627 | if (err < 0) |
628 | 628 | goto out_fd; |
@@ -634,8 +634,8 @@ | ||
634 | 634 | if (upeer_sockaddr) { |
635 | 635 | if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
636 | 636 | &len, 2) < 0) { |
637 | ---- linux-3.14.20.orig/net/unix/af_unix.c | |
638 | -+++ linux-3.14.20/net/unix/af_unix.c | |
637 | +--- linux-3.14.22.orig/net/unix/af_unix.c | |
638 | ++++ linux-3.14.22/net/unix/af_unix.c | |
639 | 639 | @@ -1811,6 +1811,10 @@ static int unix_dgram_recvmsg(struct kio |
640 | 640 | wake_up_interruptible_sync_poll(&u->peer_wait, |
641 | 641 | POLLOUT | POLLWRNORM | POLLWRBAND); |
@@ -647,8 +647,8 @@ | ||
647 | 647 | if (msg->msg_name) |
648 | 648 | unix_copy_addr(msg, skb->sk); |
649 | 649 | |
650 | ---- linux-3.14.20.orig/security/Kconfig | |
651 | -+++ linux-3.14.20/security/Kconfig | |
650 | +--- linux-3.14.22.orig/security/Kconfig | |
651 | ++++ linux-3.14.22/security/Kconfig | |
652 | 652 | @@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
653 | 653 | default "yama" if DEFAULT_SECURITY_YAMA |
654 | 654 | default "" if DEFAULT_SECURITY_DAC |
@@ -657,8 +657,8 @@ | ||
657 | 657 | + |
658 | 658 | endmenu |
659 | 659 | |
660 | ---- linux-3.14.20.orig/security/Makefile | |
661 | -+++ linux-3.14.20/security/Makefile | |
660 | +--- linux-3.14.22.orig/security/Makefile | |
661 | ++++ linux-3.14.22/security/Makefile | |
662 | 662 | @@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
663 | 663 | # Object integrity file lists |
664 | 664 | subdir-$(CONFIG_INTEGRITY) += integrity |
@@ -666,8 +666,8 @@ | ||
666 | 666 | + |
667 | 667 | +subdir-$(CONFIG_CCSECURITY) += ccsecurity |
668 | 668 | +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o |
669 | ---- linux-3.14.20.orig/security/security.c | |
670 | -+++ linux-3.14.20/security/security.c | |
669 | +--- linux-3.14.22.orig/security/security.c | |
670 | ++++ linux-3.14.22/security/security.c | |
671 | 671 | @@ -203,7 +203,10 @@ int security_syslog(int type) |
672 | 672 | |
673 | 673 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
@@ -1,6 +1,6 @@ | ||
1 | -This is TOMOYO Linux patch for kernel 3.16.4. | |
1 | +This is TOMOYO Linux patch for kernel 3.16.6. | |
2 | 2 | |
3 | -Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.4.tar.xz | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.6.tar.xz | |
4 | 4 | --- |
5 | 5 | fs/exec.c | 2 |
6 | 6 | fs/open.c | 2 |
@@ -29,8 +29,8 @@ | ||
29 | 29 | security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++----- |
30 | 30 | 25 files changed, 252 insertions(+), 37 deletions(-) |
31 | 31 | |
32 | ---- linux-3.16.4.orig/fs/exec.c | |
33 | -+++ linux-3.16.4/fs/exec.c | |
32 | +--- linux-3.16.6.orig/fs/exec.c | |
33 | ++++ linux-3.16.6/fs/exec.c | |
34 | 34 | @@ -1412,7 +1412,7 @@ static int exec_binprm(struct linux_binp |
35 | 35 | old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 | 36 | rcu_read_unlock(); |
@@ -40,8 +40,8 @@ | ||
40 | 40 | if (ret >= 0) { |
41 | 41 | audit_bprm(bprm); |
42 | 42 | trace_sched_process_exec(current, old_pid, bprm); |
43 | ---- linux-3.16.4.orig/fs/open.c | |
44 | -+++ linux-3.16.4/fs/open.c | |
43 | +--- linux-3.16.6.orig/fs/open.c | |
44 | ++++ linux-3.16.6/fs/open.c | |
45 | 45 | @@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close); |
46 | 46 | */ |
47 | 47 | SYSCALL_DEFINE0(vhangup) |
@@ -51,8 +51,8 @@ | ||
51 | 51 | if (capable(CAP_SYS_TTY_CONFIG)) { |
52 | 52 | tty_vhangup_self(); |
53 | 53 | return 0; |
54 | ---- linux-3.16.4.orig/fs/proc/version.c | |
55 | -+++ linux-3.16.4/fs/proc/version.c | |
54 | +--- linux-3.16.6.orig/fs/proc/version.c | |
55 | ++++ linux-3.16.6/fs/proc/version.c | |
56 | 56 | @@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 | 57 | return 0; |
58 | 58 | } |
@@ -60,12 +60,12 @@ | ||
60 | 60 | + |
61 | 61 | +static int __init ccs_show_version(void) |
62 | 62 | +{ |
63 | -+ printk(KERN_INFO "Hook version: 3.16.4 2014/10/06\n"); | |
63 | ++ printk(KERN_INFO "Hook version: 3.16.6 2014/10/20\n"); | |
64 | 64 | + return 0; |
65 | 65 | +} |
66 | 66 | +fs_initcall(ccs_show_version); |
67 | ---- linux-3.16.4.orig/include/linux/init_task.h | |
68 | -+++ linux-3.16.4/include/linux/init_task.h | |
67 | +--- linux-3.16.6.orig/include/linux/init_task.h | |
68 | ++++ linux-3.16.6/include/linux/init_task.h | |
69 | 69 | @@ -164,6 +164,14 @@ extern struct task_group root_task_group |
70 | 70 | # define INIT_RT_MUTEXES(tsk) |
71 | 71 | #endif |
@@ -89,8 +89,8 @@ | ||
89 | 89 | } |
90 | 90 | |
91 | 91 | |
92 | ---- linux-3.16.4.orig/include/linux/sched.h | |
93 | -+++ linux-3.16.4/include/linux/sched.h | |
92 | +--- linux-3.16.6.orig/include/linux/sched.h | |
93 | ++++ linux-3.16.6/include/linux/sched.h | |
94 | 94 | @@ -6,6 +6,8 @@ |
95 | 95 | #include <linux/sched/prio.h> |
96 | 96 |
@@ -111,8 +111,8 @@ | ||
111 | 111 | }; |
112 | 112 | |
113 | 113 | /* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 | ---- linux-3.16.4.orig/include/linux/security.h | |
115 | -+++ linux-3.16.4/include/linux/security.h | |
114 | +--- linux-3.16.6.orig/include/linux/security.h | |
115 | ++++ linux-3.16.6/include/linux/security.h | |
116 | 116 | @@ -53,6 +53,7 @@ struct msg_queue; |
117 | 117 | struct xattr; |
118 | 118 | struct xfrm_sec_ctx; |
@@ -324,8 +324,8 @@ | ||
324 | 324 | } |
325 | 325 | #endif /* CONFIG_SECURITY_PATH */ |
326 | 326 | |
327 | ---- linux-3.16.4.orig/include/net/ip.h | |
328 | -+++ linux-3.16.4/include/net/ip.h | |
327 | +--- linux-3.16.6.orig/include/net/ip.h | |
328 | ++++ linux-3.16.6/include/net/ip.h | |
329 | 329 | @@ -211,6 +211,8 @@ void inet_get_local_port_range(struct ne |
330 | 330 | #ifdef CONFIG_SYSCTL |
331 | 331 | static inline int inet_is_local_reserved_port(struct net *net, int port) |
@@ -344,8 +344,8 @@ | ||
344 | 344 | return 0; |
345 | 345 | } |
346 | 346 | #endif |
347 | ---- linux-3.16.4.orig/kernel/fork.c | |
348 | -+++ linux-3.16.4/kernel/fork.c | |
347 | +--- linux-3.16.6.orig/kernel/fork.c | |
348 | ++++ linux-3.16.6/kernel/fork.c | |
349 | 349 | @@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc |
350 | 350 | delayacct_tsk_free(tsk); |
351 | 351 | put_signal_struct(tsk->signal); |
@@ -357,7 +357,7 @@ | ||
357 | 357 | @@ -1327,6 +1328,9 @@ static struct task_struct *copy_process( |
358 | 358 | retval = audit_alloc(p); |
359 | 359 | if (retval) |
360 | - goto bad_fork_cleanup_policy; | |
360 | + goto bad_fork_cleanup_perf; | |
361 | 361 | + retval = ccs_alloc_task_security(p); |
362 | 362 | + if (retval) |
363 | 363 | + goto bad_fork_cleanup_audit; |
@@ -369,11 +369,11 @@ | ||
369 | 369 | bad_fork_cleanup_audit: |
370 | 370 | audit_free(p); |
371 | 371 | + ccs_free_task_security(p); |
372 | + bad_fork_cleanup_perf: | |
373 | + perf_event_free_task(p); | |
372 | 374 | bad_fork_cleanup_policy: |
373 | - perf_event_free_task(p); | |
374 | - #ifdef CONFIG_NUMA | |
375 | ---- linux-3.16.4.orig/kernel/kexec.c | |
376 | -+++ linux-3.16.4/kernel/kexec.c | |
375 | +--- linux-3.16.6.orig/kernel/kexec.c | |
376 | ++++ linux-3.16.6/kernel/kexec.c | |
377 | 377 | @@ -39,6 +39,7 @@ |
378 | 378 | #include <asm/uaccess.h> |
379 | 379 | #include <asm/io.h> |
@@ -391,8 +391,8 @@ | ||
391 | 391 | |
392 | 392 | /* |
393 | 393 | * Verify we have a legal set of flags |
394 | ---- linux-3.16.4.orig/kernel/module.c | |
395 | -+++ linux-3.16.4/kernel/module.c | |
394 | +--- linux-3.16.6.orig/kernel/module.c | |
395 | ++++ linux-3.16.6/kernel/module.c | |
396 | 396 | @@ -63,6 +63,7 @@ |
397 | 397 | #include <linux/fips.h> |
398 | 398 | #include <uapi/linux/module.h> |
@@ -419,8 +419,8 @@ | ||
419 | 419 | |
420 | 420 | return 0; |
421 | 421 | } |
422 | ---- linux-3.16.4.orig/kernel/ptrace.c | |
423 | -+++ linux-3.16.4/kernel/ptrace.c | |
422 | +--- linux-3.16.6.orig/kernel/ptrace.c | |
423 | ++++ linux-3.16.6/kernel/ptrace.c | |
424 | 424 | @@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
425 | 425 | { |
426 | 426 | struct task_struct *child; |
@@ -445,8 +445,8 @@ | ||
445 | 445 | |
446 | 446 | if (request == PTRACE_TRACEME) { |
447 | 447 | ret = ptrace_traceme(); |
448 | ---- linux-3.16.4.orig/kernel/reboot.c | |
449 | -+++ linux-3.16.4/kernel/reboot.c | |
448 | +--- linux-3.16.6.orig/kernel/reboot.c | |
449 | ++++ linux-3.16.6/kernel/reboot.c | |
450 | 450 | @@ -16,6 +16,7 @@ |
451 | 451 | #include <linux/syscalls.h> |
452 | 452 | #include <linux/syscore_ops.h> |
@@ -464,8 +464,8 @@ | ||
464 | 464 | |
465 | 465 | /* |
466 | 466 | * If pid namespaces are enabled and the current task is in a child |
467 | ---- linux-3.16.4.orig/kernel/sched/core.c | |
468 | -+++ linux-3.16.4/kernel/sched/core.c | |
467 | +--- linux-3.16.6.orig/kernel/sched/core.c | |
468 | ++++ linux-3.16.6/kernel/sched/core.c | |
469 | 469 | @@ -3097,6 +3097,8 @@ int can_nice(const struct task_struct *p |
470 | 470 | SYSCALL_DEFINE1(nice, int, increment) |
471 | 471 | { |
@@ -475,8 +475,8 @@ | ||
475 | 475 | |
476 | 476 | /* |
477 | 477 | * Setpriority might change our priority at the same moment. |
478 | ---- linux-3.16.4.orig/kernel/signal.c | |
479 | -+++ linux-3.16.4/kernel/signal.c | |
478 | +--- linux-3.16.6.orig/kernel/signal.c | |
479 | ++++ linux-3.16.6/kernel/signal.c | |
480 | 480 | @@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
481 | 481 | SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
482 | 482 | { |
@@ -522,8 +522,8 @@ | ||
522 | 522 | |
523 | 523 | return do_send_specific(tgid, pid, sig, info); |
524 | 524 | } |
525 | ---- linux-3.16.4.orig/kernel/sys.c | |
526 | -+++ linux-3.16.4/kernel/sys.c | |
525 | +--- linux-3.16.6.orig/kernel/sys.c | |
526 | ++++ linux-3.16.6/kernel/sys.c | |
527 | 527 | @@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
528 | 528 | |
529 | 529 | if (which > PRIO_USER || which < PRIO_PROCESS) |
@@ -553,8 +553,8 @@ | ||
553 | 553 | |
554 | 554 | down_write(&uts_sem); |
555 | 555 | errno = -EFAULT; |
556 | ---- linux-3.16.4.orig/kernel/time/ntp.c | |
557 | -+++ linux-3.16.4/kernel/time/ntp.c | |
556 | +--- linux-3.16.6.orig/kernel/time/ntp.c | |
557 | ++++ linux-3.16.6/kernel/time/ntp.c | |
558 | 558 | @@ -16,6 +16,7 @@ |
559 | 559 | #include <linux/mm.h> |
560 | 560 | #include <linux/module.h> |
@@ -588,8 +588,8 @@ | ||
588 | 588 | |
589 | 589 | return 0; |
590 | 590 | } |
591 | ---- linux-3.16.4.orig/net/ipv4/raw.c | |
592 | -+++ linux-3.16.4/net/ipv4/raw.c | |
591 | +--- linux-3.16.6.orig/net/ipv4/raw.c | |
592 | ++++ linux-3.16.6/net/ipv4/raw.c | |
593 | 593 | @@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc |
594 | 594 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
595 | 595 | if (!skb) |
@@ -601,8 +601,8 @@ | ||
601 | 601 | |
602 | 602 | copied = skb->len; |
603 | 603 | if (len < copied) { |
604 | ---- linux-3.16.4.orig/net/ipv4/udp.c | |
605 | -+++ linux-3.16.4/net/ipv4/udp.c | |
604 | +--- linux-3.16.6.orig/net/ipv4/udp.c | |
605 | ++++ linux-3.16.6/net/ipv4/udp.c | |
606 | 606 | @@ -1281,6 +1281,10 @@ try_again: |
607 | 607 | &peeked, &off, &err); |
608 | 608 | if (!skb) |
@@ -614,8 +614,8 @@ | ||
614 | 614 | |
615 | 615 | ulen = skb->len - sizeof(struct udphdr); |
616 | 616 | copied = len; |
617 | ---- linux-3.16.4.orig/net/ipv6/raw.c | |
618 | -+++ linux-3.16.4/net/ipv6/raw.c | |
617 | +--- linux-3.16.6.orig/net/ipv6/raw.c | |
618 | ++++ linux-3.16.6/net/ipv6/raw.c | |
619 | 619 | @@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
620 | 620 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
621 | 621 | if (!skb) |
@@ -627,8 +627,8 @@ | ||
627 | 627 | |
628 | 628 | copied = skb->len; |
629 | 629 | if (copied > len) { |
630 | ---- linux-3.16.4.orig/net/ipv6/udp.c | |
631 | -+++ linux-3.16.4/net/ipv6/udp.c | |
630 | +--- linux-3.16.6.orig/net/ipv6/udp.c | |
631 | ++++ linux-3.16.6/net/ipv6/udp.c | |
632 | 632 | @@ -403,6 +403,10 @@ try_again: |
633 | 633 | &peeked, &off, &err); |
634 | 634 | if (!skb) |
@@ -640,8 +640,8 @@ | ||
640 | 640 | |
641 | 641 | ulen = skb->len - sizeof(struct udphdr); |
642 | 642 | copied = len; |
643 | ---- linux-3.16.4.orig/net/socket.c | |
644 | -+++ linux-3.16.4/net/socket.c | |
643 | +--- linux-3.16.6.orig/net/socket.c | |
644 | ++++ linux-3.16.6/net/socket.c | |
645 | 645 | @@ -1634,6 +1634,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
646 | 646 | if (err < 0) |
647 | 647 | goto out_fd; |
@@ -653,8 +653,8 @@ | ||
653 | 653 | if (upeer_sockaddr) { |
654 | 654 | if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
655 | 655 | &len, 2) < 0) { |
656 | ---- linux-3.16.4.orig/net/unix/af_unix.c | |
657 | -+++ linux-3.16.4/net/unix/af_unix.c | |
656 | +--- linux-3.16.6.orig/net/unix/af_unix.c | |
657 | ++++ linux-3.16.6/net/unix/af_unix.c | |
658 | 658 | @@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio |
659 | 659 | wake_up_interruptible_sync_poll(&u->peer_wait, |
660 | 660 | POLLOUT | POLLWRNORM | POLLWRBAND); |
@@ -666,8 +666,8 @@ | ||
666 | 666 | if (msg->msg_name) |
667 | 667 | unix_copy_addr(msg, skb->sk); |
668 | 668 | |
669 | ---- linux-3.16.4.orig/security/Kconfig | |
670 | -+++ linux-3.16.4/security/Kconfig | |
669 | +--- linux-3.16.6.orig/security/Kconfig | |
670 | ++++ linux-3.16.6/security/Kconfig | |
671 | 671 | @@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
672 | 672 | default "yama" if DEFAULT_SECURITY_YAMA |
673 | 673 | default "" if DEFAULT_SECURITY_DAC |
@@ -676,8 +676,8 @@ | ||
676 | 676 | + |
677 | 677 | endmenu |
678 | 678 | |
679 | ---- linux-3.16.4.orig/security/Makefile | |
680 | -+++ linux-3.16.4/security/Makefile | |
679 | +--- linux-3.16.6.orig/security/Makefile | |
680 | ++++ linux-3.16.6/security/Makefile | |
681 | 681 | @@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
682 | 682 | # Object integrity file lists |
683 | 683 | subdir-$(CONFIG_INTEGRITY) += integrity |
@@ -685,8 +685,8 @@ | ||
685 | 685 | + |
686 | 686 | +subdir-$(CONFIG_CCSECURITY) += ccsecurity |
687 | 687 | +obj-$(CONFIG_CCSECURITY) += ccsecurity/ |
688 | ---- linux-3.16.4.orig/security/security.c | |
689 | -+++ linux-3.16.4/security/security.c | |
688 | +--- linux-3.16.6.orig/security/security.c | |
689 | ++++ linux-3.16.6/security/security.c | |
690 | 690 | @@ -203,7 +203,10 @@ int security_syslog(int type) |
691 | 691 | |
692 | 692 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
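Review bot: In the kernel/fork.c hunk of the 3.16.6 patch, the failure branch of the added `ccs_alloc_task_security(p)` jumps to `bad_fork_cleanup_audit`, which runs `audit_free(p)` and then the added `ccs_free_task_security(p)` before falling into the new `bad_fork_cleanup_perf` label, so the free hook is reached for a task whose security allocation has just failed. Nothing in the patch states that `ccs_free_task_security()` tolerates a task with no allocated blob, and this is the only place where the alloc/free pair and its ordering relative to `audit_free()`/`perf_event_free_task()` is visible, so a comment above the added free, `/* Reached after a failed ccs_alloc_task_security() too; the hook is expected to cope with an unallocated blob */`, would make that assumption explicit for the next rebase. The same rebased hunk appears in the 3.14.22 section above and in the new 3.18-rc1 patch below, where the same comment applies. copy_process() itself starts and ends outside the hunk, so the other labels it relies on are not visible here.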
@@ -0,0 +1,974 @@ | ||
1 | +This is TOMOYO Linux patch for kernel 3.18-rc1. | |
2 | + | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/testing/linux-3.18-rc1.tar.xz | |
4 | +--- | |
5 | + fs/exec.c | 2 | |
6 | + fs/open.c | 2 | |
7 | + fs/proc/version.c | 7 ++ | |
8 | + include/linux/init_task.h | 9 +++ | |
9 | + include/linux/sched.h | 6 ++ | |
10 | + include/linux/security.h | 65 ++++++++++++++++---------- | |
11 | + include/net/ip.h | 4 + | |
12 | + kernel/fork.c | 5 ++ | |
13 | + kernel/kexec.c | 3 + | |
14 | + kernel/module.c | 5 ++ | |
15 | + kernel/ptrace.c | 10 ++++ | |
16 | + kernel/reboot.c | 3 + | |
17 | + kernel/sched/core.c | 2 | |
18 | + kernel/signal.c | 10 ++++ | |
19 | + kernel/sys.c | 8 +++ | |
20 | + kernel/time/ntp.c | 8 +++ | |
21 | + net/ipv4/raw.c | 4 + | |
22 | + net/ipv4/udp.c | 4 + | |
23 | + net/ipv6/raw.c | 4 + | |
24 | + net/ipv6/udp.c | 4 + | |
25 | + net/socket.c | 4 + | |
26 | + net/unix/af_unix.c | 4 + | |
27 | + security/Kconfig | 2 | |
28 | + security/Makefile | 3 + | |
29 | + security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++----- | |
30 | + 25 files changed, 252 insertions(+), 37 deletions(-) | |
31 | + | |
32 | +--- linux-3.18-rc1.orig/fs/exec.c | |
33 | ++++ linux-3.18-rc1/fs/exec.c | |
34 | +@@ -1413,7 +1413,7 @@ static int exec_binprm(struct linux_binp | |
35 | + old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); | |
36 | + rcu_read_unlock(); | |
37 | + | |
38 | +- ret = search_binary_handler(bprm); | |
39 | ++ ret = ccs_search_binary_handler(bprm); | |
40 | + if (ret >= 0) { | |
41 | + audit_bprm(bprm); | |
42 | + trace_sched_process_exec(current, old_pid, bprm); | |
43 | +--- linux-3.18-rc1.orig/fs/open.c | |
44 | ++++ linux-3.18-rc1/fs/open.c | |
45 | +@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close); | |
46 | + */ | |
47 | + SYSCALL_DEFINE0(vhangup) | |
48 | + { | |
49 | ++ if (!ccs_capable(CCS_SYS_VHANGUP)) | |
50 | ++ return -EPERM; | |
51 | + if (capable(CAP_SYS_TTY_CONFIG)) { | |
52 | + tty_vhangup_self(); | |
53 | + return 0; | |
54 | +--- linux-3.18-rc1.orig/fs/proc/version.c | |
55 | ++++ linux-3.18-rc1/fs/proc/version.c | |
56 | +@@ -32,3 +32,10 @@ static int __init proc_version_init(void | |
57 | + return 0; | |
58 | + } | |
59 | + fs_initcall(proc_version_init); | |
60 | ++ | |
61 | ++static int __init ccs_show_version(void) | |
62 | ++{ | |
63 | ++ printk(KERN_INFO "Hook version: 3.18-rc1 2014/10/20\n"); | |
64 | ++ return 0; | |
65 | ++} | |
66 | ++fs_initcall(ccs_show_version); | |
67 | +--- linux-3.18-rc1.orig/include/linux/init_task.h | |
68 | ++++ linux-3.18-rc1/include/linux/init_task.h | |
69 | +@@ -166,6 +166,14 @@ extern struct task_group root_task_group | |
70 | + # define INIT_RT_MUTEXES(tsk) | |
71 | + #endif | |
72 | + | |
73 | ++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY) | |
74 | ++#define INIT_CCSECURITY \ | |
75 | ++ .ccs_domain_info = NULL, \ | |
76 | ++ .ccs_flags = 0, | |
77 | ++#else | |
78 | ++#define INIT_CCSECURITY | |
79 | ++#endif | |
80 | ++ | |
81 | + /* | |
82 | + * INIT_TASK is used to set up the first task table, touch at | |
83 | + * your own risk!. Base=0, limit=0x1fffff (=2MB) | |
84 | +@@ -237,6 +245,7 @@ extern struct task_group root_task_group | |
85 | + INIT_CPUSET_SEQ(tsk) \ | |
86 | + INIT_RT_MUTEXES(tsk) \ | |
87 | + INIT_VTIME(tsk) \ | |
88 | ++ INIT_CCSECURITY \ | |
89 | + } | |
90 | + | |
91 | + | |
92 | +--- linux-3.18-rc1.orig/include/linux/sched.h | |
93 | ++++ linux-3.18-rc1/include/linux/sched.h | |
94 | +@@ -6,6 +6,8 @@ | |
95 | + #include <linux/sched/prio.h> | |
96 | + | |
97 | + | |
98 | ++struct ccs_domain_info; | |
99 | ++ | |
100 | + struct sched_param { | |
101 | + int sched_priority; | |
102 | + }; | |
103 | +@@ -1661,6 +1663,10 @@ struct task_struct { | |
104 | + unsigned int sequential_io; | |
105 | + unsigned int sequential_io_avg; | |
106 | + #endif | |
107 | ++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY) | |
108 | ++ struct ccs_domain_info *ccs_domain_info; | |
109 | ++ u32 ccs_flags; | |
110 | ++#endif | |
111 | + }; | |
112 | + | |
113 | + /* Future-safe accessor for struct task_struct's cpus_allowed. */ | |
114 | +--- linux-3.18-rc1.orig/include/linux/security.h | |
115 | ++++ linux-3.18-rc1/include/linux/security.h | |
116 | +@@ -53,6 +53,7 @@ struct msg_queue; | |
117 | + struct xattr; | |
118 | + struct xfrm_sec_ctx; | |
119 | + struct mm_struct; | |
120 | ++#include <linux/ccsecurity.h> | |
121 | + | |
122 | + /* Maximum number of letters for an LSM name string */ | |
123 | + #define SECURITY_NAME_MAX 10 | |
124 | +@@ -1985,7 +1986,10 @@ static inline int security_syslog(int ty | |
125 | + static inline int security_settime(const struct timespec *ts, | |
126 | + const struct timezone *tz) | |
127 | + { | |
128 | +- return cap_settime(ts, tz); | |
129 | ++ int error = cap_settime(ts, tz); | |
130 | ++ if (!error && !ccs_capable(CCS_SYS_SETTIME)) | |
131 | ++ error = -EPERM; | |
132 | ++ return error; | |
133 | + } | |
134 | + | |
135 | + static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) | |
136 | +@@ -2054,18 +2058,18 @@ static inline int security_sb_mount(cons | |
137 | + const char *type, unsigned long flags, | |
138 | + void *data) | |
139 | + { | |
140 | +- return 0; | |
141 | ++ return ccs_mount_permission(dev_name, path, type, flags, data); | |
142 | + } | |
143 | + | |
144 | + static inline int security_sb_umount(struct vfsmount *mnt, int flags) | |
145 | + { | |
146 | +- return 0; | |
147 | ++ return ccs_umount_permission(mnt, flags); | |
148 | + } | |
149 | + | |
150 | + static inline int security_sb_pivotroot(struct path *old_path, | |
151 | + struct path *new_path) | |
152 | + { | |
153 | +- return 0; | |
154 | ++ return ccs_pivot_root_permission(old_path, new_path); | |
155 | + } | |
156 | + | |
157 | + static inline int security_sb_set_mnt_opts(struct super_block *sb, | |
158 | +@@ -2204,7 +2208,7 @@ static inline int security_inode_setattr | |
159 | + static inline int security_inode_getattr(struct vfsmount *mnt, | |
160 | + struct dentry *dentry) | |
161 | + { | |
162 | +- return 0; | |
163 | ++ return ccs_getattr_permission(mnt, dentry); | |
164 | + } | |
165 | + | |
166 | + static inline int security_inode_setxattr(struct dentry *dentry, | |
167 | +@@ -2280,7 +2284,7 @@ static inline void security_file_free(st | |
168 | + static inline int security_file_ioctl(struct file *file, unsigned int cmd, | |
169 | + unsigned long arg) | |
170 | + { | |
171 | +- return 0; | |
172 | ++ return ccs_ioctl_permission(file, cmd, arg); | |
173 | + } | |
174 | + | |
175 | + static inline int security_mmap_file(struct file *file, unsigned long prot, | |
176 | +@@ -2309,7 +2313,7 @@ static inline int security_file_lock(str | |
177 | + static inline int security_file_fcntl(struct file *file, unsigned int cmd, | |
178 | + unsigned long arg) | |
179 | + { | |
180 | +- return 0; | |
181 | ++ return ccs_fcntl_permission(file, cmd, arg); | |
182 | + } | |
183 | + | |
184 | + static inline void security_file_set_fowner(struct file *file) | |
185 | +@@ -2332,7 +2336,7 @@ static inline int security_file_receive( | |
186 | + static inline int security_file_open(struct file *file, | |
187 | + const struct cred *cred) | |
188 | + { | |
189 | +- return 0; | |
190 | ++ return ccs_open_permission(file); | |
191 | + } | |
192 | + | |
193 | + static inline int security_task_create(unsigned long clone_flags) | |
194 | +@@ -2696,7 +2700,7 @@ static inline int security_unix_may_send | |
195 | + static inline int security_socket_create(int family, int type, | |
196 | + int protocol, int kern) | |
197 | + { | |
198 | +- return 0; | |
199 | ++ return ccs_socket_create_permission(family, type, protocol); | |
200 | + } | |
201 | + | |
202 | + static inline int security_socket_post_create(struct socket *sock, | |
203 | +@@ -2711,19 +2715,19 @@ static inline int security_socket_bind(s | |
204 | + struct sockaddr *address, | |
205 | + int addrlen) | |
206 | + { | |
207 | +- return 0; | |
208 | ++ return ccs_socket_bind_permission(sock, address, addrlen); | |
209 | + } | |
210 | + | |
211 | + static inline int security_socket_connect(struct socket *sock, | |
212 | + struct sockaddr *address, | |
213 | + int addrlen) | |
214 | + { | |
215 | +- return 0; | |
216 | ++ return ccs_socket_connect_permission(sock, address, addrlen); | |
217 | + } | |
218 | + | |
219 | + static inline int security_socket_listen(struct socket *sock, int backlog) | |
220 | + { | |
221 | +- return 0; | |
222 | ++ return ccs_socket_listen_permission(sock); | |
223 | + } | |
224 | + | |
225 | + static inline int security_socket_accept(struct socket *sock, | |
226 | +@@ -2735,7 +2739,7 @@ static inline int security_socket_accept | |
227 | + static inline int security_socket_sendmsg(struct socket *sock, | |
228 | + struct msghdr *msg, int size) | |
229 | + { | |
230 | +- return 0; | |
231 | ++ return ccs_socket_sendmsg_permission(sock, msg, size); | |
232 | + } | |
233 | + | |
234 | + static inline int security_socket_recvmsg(struct socket *sock, | |
235 | +@@ -2980,44 +2984,47 @@ int security_path_chmod(struct path *pat | |
236 | + int security_path_chown(struct path *path, kuid_t uid, kgid_t gid); | |
237 | + int security_path_chroot(struct path *path); | |
238 | + #else /* CONFIG_SECURITY_PATH */ | |
239 | ++ | |
240 | ++#include <linux/path.h> | |
241 | ++ | |
242 | + static inline int security_path_unlink(struct path *dir, struct dentry *dentry) | |
243 | + { | |
244 | +- return 0; | |
245 | ++ return ccs_unlink_permission(dentry, dir->mnt); | |
246 | + } | |
247 | + | |
248 | + static inline int security_path_mkdir(struct path *dir, struct dentry *dentry, | |
249 | + umode_t mode) | |
250 | + { | |
251 | +- return 0; | |
252 | ++ return ccs_mkdir_permission(dentry, dir->mnt, mode); | |
253 | + } | |
254 | + | |
255 | + static inline int security_path_rmdir(struct path *dir, struct dentry *dentry) | |
256 | + { | |
257 | +- return 0; | |
258 | ++ return ccs_rmdir_permission(dentry, dir->mnt); | |
259 | + } | |
260 | + | |
261 | + static inline int security_path_mknod(struct path *dir, struct dentry *dentry, | |
262 | + umode_t mode, unsigned int dev) | |
263 | + { | |
264 | +- return 0; | |
265 | ++ return ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
266 | + } | |
267 | + | |
268 | + static inline int security_path_truncate(struct path *path) | |
269 | + { | |
270 | +- return 0; | |
271 | ++ return ccs_truncate_permission(path->dentry, path->mnt); | |
272 | + } | |
273 | + | |
274 | + static inline int security_path_symlink(struct path *dir, struct dentry *dentry, | |
275 | + const char *old_name) | |
276 | + { | |
277 | +- return 0; | |
278 | ++ return ccs_symlink_permission(dentry, dir->mnt, old_name); | |
279 | + } | |
280 | + | |
281 | + static inline int security_path_link(struct dentry *old_dentry, | |
282 | + struct path *new_dir, | |
283 | + struct dentry *new_dentry) | |
284 | + { | |
285 | +- return 0; | |
286 | ++ return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
287 | + } | |
288 | + | |
289 | + static inline int security_path_rename(struct path *old_dir, | |
290 | +@@ -3026,22 +3033,32 @@ static inline int security_path_rename(s | |
291 | + struct dentry *new_dentry, | |
292 | + unsigned int flags) | |
293 | + { | |
294 | +- return 0; | |
295 | ++ /* | |
296 | ++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage | |
297 | ++ * by doing "#include <uapi/linux/fs.h>" . | |
298 | ++ */ | |
299 | ++ if (flags & (1 << 1)) { | |
300 | ++ int err = ccs_rename_permission(new_dentry, old_dentry, | |
301 | ++ old_dir->mnt); | |
302 | ++ if (err) | |
303 | ++ return err; | |
304 | ++ } | |
305 | ++ return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt); | |
306 | + } | |
307 | + | |
308 | + static inline int security_path_chmod(struct path *path, umode_t mode) | |
309 | + { | |
310 | +- return 0; | |
311 | ++ return ccs_chmod_permission(path->dentry, path->mnt, mode); | |
312 | + } | |
313 | + | |
314 | + static inline int security_path_chown(struct path *path, kuid_t uid, kgid_t gid) | |
315 | + { | |
316 | +- return 0; | |
317 | ++ return ccs_chown_permission(path->dentry, path->mnt, uid, gid); | |
318 | + } | |
319 | + | |
320 | + static inline int security_path_chroot(struct path *path) | |
321 | + { | |
322 | +- return 0; | |
323 | ++ return ccs_chroot_permission(path); | |
324 | + } | |
325 | + #endif /* CONFIG_SECURITY_PATH */ | |
326 | + | |
327 | +--- linux-3.18-rc1.orig/include/net/ip.h | |
328 | ++++ linux-3.18-rc1/include/net/ip.h | |
329 | +@@ -214,6 +214,8 @@ void inet_get_local_port_range(struct ne | |
330 | + #ifdef CONFIG_SYSCTL | |
331 | + static inline int inet_is_local_reserved_port(struct net *net, int port) | |
332 | + { | |
333 | ++ if (ccs_lport_reserved(port)) | |
334 | ++ return 1; | |
335 | + if (!net->ipv4.sysctl_local_reserved_ports) | |
336 | + return 0; | |
337 | + return test_bit(port, net->ipv4.sysctl_local_reserved_ports); | |
338 | +@@ -227,6 +229,8 @@ static inline bool sysctl_dev_name_is_al | |
339 | + #else | |
340 | + static inline int inet_is_local_reserved_port(struct net *net, int port) | |
341 | + { | |
342 | ++ if (ccs_lport_reserved(port)) | |
343 | ++ return 1; | |
344 | + return 0; | |
345 | + } | |
346 | + #endif | |
347 | +--- linux-3.18-rc1.orig/kernel/fork.c | |
348 | ++++ linux-3.18-rc1/kernel/fork.c | |
349 | +@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc | |
350 | + delayacct_tsk_free(tsk); | |
351 | + put_signal_struct(tsk->signal); | |
352 | + | |
353 | ++ ccs_free_task_security(tsk); | |
354 | + if (!profile_handoff_task(tsk)) | |
355 | + free_task(tsk); | |
356 | + } | |
357 | +@@ -1369,6 +1370,9 @@ static struct task_struct *copy_process( | |
358 | + goto bad_fork_cleanup_perf; | |
359 | + /* copy all the process information */ | |
360 | + shm_init_task(p); | |
361 | ++ retval = ccs_alloc_task_security(p); | |
362 | ++ if (retval) | |
363 | ++ goto bad_fork_cleanup_audit; | |
364 | + retval = copy_semundo(clone_flags, p); | |
365 | + if (retval) | |
366 | + goto bad_fork_cleanup_audit; | |
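Review bot: When `ccs_alloc_task_security(p)` fails the new code jumps to bad_fork_cleanup_audit, and the following hunk adds `ccs_free_task_security(p)` under that same label, so the free routine is reached for a task whose security blob was never, or only partially, set up. That is only safe if ccs_free_task_security() tolerates a NULL or untouched blob; its body is not visible here, so please confirm it does rather than relying on the order of labels. A one-line comment at the call site would record the contract: `/* on failure the cleanup path calls ccs_free_task_security(), which must cope with an unallocated blob */`. copy_process() continues outside the hunk.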
367 | +@@ -1572,6 +1576,7 @@ bad_fork_cleanup_semundo: | |
368 | + exit_sem(p); | |
369 | + bad_fork_cleanup_audit: | |
370 | + audit_free(p); | |
371 | ++ ccs_free_task_security(p); | |
372 | + bad_fork_cleanup_perf: | |
373 | + perf_event_free_task(p); | |
374 | + bad_fork_cleanup_policy: | |
375 | +--- linux-3.18-rc1.orig/kernel/kexec.c | |
376 | ++++ linux-3.18-rc1/kernel/kexec.c | |
377 | +@@ -41,6 +41,7 @@ | |
378 | + #include <asm/uaccess.h> | |
379 | + #include <asm/io.h> | |
380 | + #include <asm/sections.h> | |
381 | ++#include <linux/ccsecurity.h> | |
382 | + | |
383 | + #include <crypto/hash.h> | |
384 | + #include <crypto/sha.h> | |
385 | +@@ -1249,6 +1250,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon | |
386 | + /* We only trust the superuser with rebooting the system. */ | |
387 | + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) | |
388 | + return -EPERM; | |
389 | ++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD)) | |
390 | ++ return -EPERM; | |
391 | + | |
392 | + /* | |
393 | + * Verify we have a legal set of flags | |
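Review bot: Only the legacy kexec_load syscall gains the `ccs_capable(CCS_SYS_KEXEC_LOAD)` check; the `<crypto/hash.h>` and `<crypto/sha.h>` includes visible in the first hunk suggest this kernel/kexec.c also carries kexec_file_load, which loads a kernel image through a separate entry point that I do not see hooked anywhere in this patch. If that is so, a domain denied CCS_SYS_KEXEC_LOAD can still replace the running kernel via kexec_file_load(2), and the same two lines belong after that syscall's CAP_SYS_BOOT / kexec_load_disabled check as well. Worth confirming against the full file before merging.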
394 | +--- linux-3.18-rc1.orig/kernel/module.c | |
395 | ++++ linux-3.18-rc1/kernel/module.c | |
396 | +@@ -62,6 +62,7 @@ | |
397 | + #include <linux/bsearch.h> | |
398 | + #include <uapi/linux/module.h> | |
399 | + #include "module-internal.h" | |
400 | ++#include <linux/ccsecurity.h> | |
401 | + | |
402 | + #define CREATE_TRACE_POINTS | |
403 | + #include <trace/events/module.h> | |
404 | +@@ -809,6 +810,8 @@ SYSCALL_DEFINE2(delete_module, const cha | |
405 | + | |
406 | + if (!capable(CAP_SYS_MODULE) || modules_disabled) | |
407 | + return -EPERM; | |
408 | ++ if (!ccs_capable(CCS_USE_KERNEL_MODULE)) | |
409 | ++ return -EPERM; | |
410 | + | |
411 | + if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) | |
412 | + return -EFAULT; | |
413 | +@@ -3092,6 +3095,8 @@ static int may_init_module(void) | |
414 | + { | |
415 | + if (!capable(CAP_SYS_MODULE) || modules_disabled) | |
416 | + return -EPERM; | |
417 | ++ if (!ccs_capable(CCS_USE_KERNEL_MODULE)) | |
418 | ++ return -EPERM; | |
419 | + | |
420 | + return 0; | |
421 | + } | |
422 | +--- linux-3.18-rc1.orig/kernel/ptrace.c | |
423 | ++++ linux-3.18-rc1/kernel/ptrace.c | |
424 | +@@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l | |
425 | + { | |
426 | + struct task_struct *child; | |
427 | + long ret; | |
428 | ++ { | |
429 | ++ const int rc = ccs_ptrace_permission(request, pid); | |
430 | ++ if (rc) | |
431 | ++ return rc; | |
432 | ++ } | |
433 | + | |
434 | + if (request == PTRACE_TRACEME) { | |
435 | + ret = ptrace_traceme(); | |
436 | +@@ -1179,6 +1184,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo | |
437 | + { | |
438 | + struct task_struct *child; | |
439 | + long ret; | |
440 | ++ { | |
441 | ++ const int rc = ccs_ptrace_permission(request, pid); | |
442 | ++ if (rc) | |
443 | ++ return rc; | |
444 | ++ } | |
445 | + | |
446 | + if (request == PTRACE_TRACEME) { | |
447 | + ret = ptrace_traceme(); | |
448 | +--- linux-3.18-rc1.orig/kernel/reboot.c | |
449 | ++++ linux-3.18-rc1/kernel/reboot.c | |
450 | +@@ -16,6 +16,7 @@ | |
451 | + #include <linux/syscalls.h> | |
452 | + #include <linux/syscore_ops.h> | |
453 | + #include <linux/uaccess.h> | |
454 | ++#include <linux/ccsecurity.h> | |
455 | + | |
456 | + /* | |
457 | + * this indicates whether you can reboot with ctrl-alt-del: the default is yes | |
458 | +@@ -295,6 +296,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int | |
459 | + magic2 != LINUX_REBOOT_MAGIC2B && | |
460 | + magic2 != LINUX_REBOOT_MAGIC2C)) | |
461 | + return -EINVAL; | |
462 | ++ if (!ccs_capable(CCS_SYS_REBOOT)) | |
463 | ++ return -EPERM; | |
464 | + | |
465 | + /* | |
466 | + * If pid namespaces are enabled and the current task is in a child | |
467 | +--- linux-3.18-rc1.orig/kernel/sched/core.c | |
468 | ++++ linux-3.18-rc1/kernel/sched/core.c | |
469 | +@@ -3160,6 +3160,8 @@ int can_nice(const struct task_struct *p | |
470 | + SYSCALL_DEFINE1(nice, int, increment) | |
471 | + { | |
472 | + long nice, retval; | |
473 | ++ if (!ccs_capable(CCS_SYS_NICE)) | |
474 | ++ return -EPERM; | |
475 | + | |
476 | + /* | |
477 | + * Setpriority might change our priority at the same moment. | |
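Review bot: The `ccs_capable(CCS_SYS_NICE)` check fires on every nice() call, including positive increments that only lower the caller's own priority, which DAC (can_nice()/CAP_SYS_NICE) never restricts; a domain without CCS_SYS_NICE therefore cannot de-prioritise itself either. If that coarser granularity is intended, say so at the check: `/* CCS_SYS_NICE covers all nice()/setpriority() use, not only raising priority */`. If it is not, the check should be moved after the increment has been clamped and applied only when the new value is lower (higher priority) than the current one, mirroring the existing can_nice() logic further down the function, which lies outside this hunk.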
478 | +--- linux-3.18-rc1.orig/kernel/signal.c | |
479 | ++++ linux-3.18-rc1/kernel/signal.c | |
480 | +@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s | |
481 | + SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) | |
482 | + { | |
483 | + struct siginfo info; | |
484 | ++ if (ccs_kill_permission(pid, sig)) | |
485 | ++ return -EPERM; | |
486 | + | |
487 | + info.si_signo = sig; | |
488 | + info.si_errno = 0; | |
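Review bot: `if (ccs_kill_permission(pid, sig)) return -EPERM;` discards the hook's own return value, whereas the ptrace hunk in this same patch propagates `rc` unchanged; if ccs_kill_permission() can report anything other than a plain policy denial (an allocation failure, an interrupted wait), it is masked as EPERM here. Either propagate it, `const int rc = ccs_kill_permission(pid, sig); if (rc) return rc;`, or document at the call site that the helper only ever returns 0 or -EPERM. The same collapsing pattern recurs in the tgkill, tkill, sigqueue and tgsigqueue hunks below.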
489 | +@@ -2954,6 +2956,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid | |
490 | + /* This is only valid for single tasks */ | |
491 | + if (pid <= 0 || tgid <= 0) | |
492 | + return -EINVAL; | |
493 | ++ if (ccs_tgkill_permission(tgid, pid, sig)) | |
494 | ++ return -EPERM; | |
495 | + | |
496 | + return do_tkill(tgid, pid, sig); | |
497 | + } | |
498 | +@@ -2970,6 +2974,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int, | |
499 | + /* This is only valid for single tasks */ | |
500 | + if (pid <= 0) | |
501 | + return -EINVAL; | |
502 | ++ if (ccs_tkill_permission(pid, sig)) | |
503 | ++ return -EPERM; | |
504 | + | |
505 | + return do_tkill(0, pid, sig); | |
506 | + } | |
507 | +@@ -2986,6 +2992,8 @@ static int do_rt_sigqueueinfo(pid_t pid, | |
508 | + return -EPERM; | |
509 | + } | |
510 | + info->si_signo = sig; | |
511 | ++ if (ccs_sigqueue_permission(pid, sig)) | |
512 | ++ return -EPERM; | |
513 | + | |
514 | + /* POSIX.1b doesn't mention process groups. */ | |
515 | + return kill_proc_info(sig, info, pid); | |
516 | +@@ -3036,6 +3044,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg | |
517 | + return -EPERM; | |
518 | + } | |
519 | + info->si_signo = sig; | |
520 | ++ if (ccs_tgsigqueue_permission(tgid, pid, sig)) | |
521 | ++ return -EPERM; | |
522 | + | |
523 | + return do_send_specific(tgid, pid, sig, info); | |
524 | + } | |
525 | +--- linux-3.18-rc1.orig/kernel/sys.c | |
526 | ++++ linux-3.18-rc1/kernel/sys.c | |
527 | +@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, | |
528 | + | |
529 | + if (which > PRIO_USER || which < PRIO_PROCESS) | |
530 | + goto out; | |
531 | ++ if (!ccs_capable(CCS_SYS_NICE)) { | |
532 | ++ error = -EPERM; | |
533 | ++ goto out; | |
534 | ++ } | |
535 | + | |
536 | + /* normalize: avoid signed division (rounding problems) */ | |
537 | + error = -ESRCH; | |
538 | +@@ -1207,6 +1211,8 @@ SYSCALL_DEFINE2(sethostname, char __user | |
539 | + | |
540 | + if (len < 0 || len > __NEW_UTS_LEN) | |
541 | + return -EINVAL; | |
542 | ++ if (!ccs_capable(CCS_SYS_SETHOSTNAME)) | |
543 | ++ return -EPERM; | |
544 | + down_write(&uts_sem); | |
545 | + errno = -EFAULT; | |
546 | + if (!copy_from_user(tmp, name, len)) { | |
547 | +@@ -1257,6 +1263,8 @@ SYSCALL_DEFINE2(setdomainname, char __us | |
548 | + return -EPERM; | |
549 | + if (len < 0 || len > __NEW_UTS_LEN) | |
550 | + return -EINVAL; | |
551 | ++ if (!ccs_capable(CCS_SYS_SETHOSTNAME)) | |
552 | ++ return -EPERM; | |
553 | + | |
554 | + down_write(&uts_sem); | |
555 | + errno = -EFAULT; | |
556 | +--- linux-3.18-rc1.orig/kernel/time/ntp.c | |
557 | ++++ linux-3.18-rc1/kernel/time/ntp.c | |
558 | +@@ -16,6 +16,7 @@ | |
559 | + #include <linux/mm.h> | |
560 | + #include <linux/module.h> | |
561 | + #include <linux/rtc.h> | |
562 | ++#include <linux/ccsecurity.h> | |
563 | + | |
564 | + #include "tick-internal.h" | |
565 | + #include "ntp_internal.h" | |
566 | +@@ -616,10 +617,15 @@ int ntp_validate_timex(struct timex *txc | |
567 | + if (!(txc->modes & ADJ_OFFSET_READONLY) && | |
568 | + !capable(CAP_SYS_TIME)) | |
569 | + return -EPERM; | |
570 | ++ if (!(txc->modes & ADJ_OFFSET_READONLY) && | |
571 | ++ !ccs_capable(CCS_SYS_SETTIME)) | |
572 | ++ return -EPERM; | |
573 | + } else { | |
574 | + /* In order to modify anything, you gotta be super-user! */ | |
575 | + if (txc->modes && !capable(CAP_SYS_TIME)) | |
576 | + return -EPERM; | |
577 | ++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME)) | |
578 | ++ return -EPERM; | |
579 | + /* | |
580 | + * if the quartz is off by more than 10% then | |
581 | + * something is VERY wrong! | |
582 | +@@ -632,6 +638,8 @@ int ntp_validate_timex(struct timex *txc | |
583 | + | |
584 | + if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) | |
585 | + return -EPERM; | |
586 | ++ if ((txc->modes & ADJ_SETOFFSET) && !ccs_capable(CCS_SYS_SETTIME)) | |
587 | ++ return -EPERM; | |
588 | + | |
589 | + return 0; | |
590 | + } | |
591 | +--- linux-3.18-rc1.orig/net/ipv4/raw.c | |
592 | ++++ linux-3.18-rc1/net/ipv4/raw.c | |
593 | +@@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc | |
594 | + skb = skb_recv_datagram(sk, flags, noblock, &err); | |
595 | + if (!skb) | |
596 | + goto out; | |
597 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
598 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
599 | ++ goto out; | |
600 | ++ } | |
601 | + | |
602 | + copied = skb->len; | |
603 | + if (len < copied) { | |
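Review bot: On denial the new block jumps to `out` with the skb already dequeued by skb_recv_datagram(), bypassing the later `done:` path where raw_recvmsg() normally releases it with skb_free_datagram(); the function's tail is outside the hunk, so I am going from the upstream shape of the function. Unless ccs_socket_post_recvmsg_permission() consumes the skb itself on denial (for example via skb_kill_datagram()), every denied datagram is leaked and its bytes stay charged to the socket's receive queue, which a remote sender can drive at will. If the helper does drop it, record that asymmetry with the `!skb` case at the call site: `/* on denial the hook has already dropped the skb; do not free it here */`.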
604 | +--- linux-3.18-rc1.orig/net/ipv4/udp.c | |
605 | ++++ linux-3.18-rc1/net/ipv4/udp.c | |
606 | +@@ -1261,6 +1261,10 @@ try_again: | |
607 | + &peeked, &off, &err); | |
608 | + if (!skb) | |
609 | + goto out; | |
610 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
611 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
612 | ++ goto out; | |
613 | ++ } | |
614 | + | |
615 | + ulen = skb->len - sizeof(struct udphdr); | |
616 | + copied = len; | |
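Review bot: Returning -EAGAIN from a blocking UDP socket, as the new block does, steps outside the recv(2) contract: EAGAIN is only expected with MSG_DONTWAIT or O_NONBLOCK, and callers that treat it as "retry" will spin while a sender that policy denies keeps transmitting. The csum_copy_err path of this same function (outside the hunk) already shows the conventional handling: kill the datagram, return -EAGAIN only when `noblock` is set, otherwise clear MSG_TRUNC and `goto try_again` so a blocking caller waits for the next packet; the denial branch should follow it, provided the hook does not free the skb itself. At minimum the `/* Hope less harmful than -EPERM. */` comment should state that blocking callers will observe EAGAIN.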
617 | +--- linux-3.18-rc1.orig/net/ipv6/raw.c | |
618 | ++++ linux-3.18-rc1/net/ipv6/raw.c | |
619 | +@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i | |
620 | + skb = skb_recv_datagram(sk, flags, noblock, &err); | |
621 | + if (!skb) | |
622 | + goto out; | |
623 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
624 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
625 | ++ goto out; | |
626 | ++ } | |
627 | + | |
628 | + copied = skb->len; | |
629 | + if (copied > len) { | |
630 | +--- linux-3.18-rc1.orig/net/ipv6/udp.c | |
631 | ++++ linux-3.18-rc1/net/ipv6/udp.c | |
632 | +@@ -402,6 +402,10 @@ try_again: | |
633 | + &peeked, &off, &err); | |
634 | + if (!skb) | |
635 | + goto out; | |
636 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
637 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
638 | ++ goto out; | |
639 | ++ } | |
640 | + | |
641 | + ulen = skb->len - sizeof(struct udphdr); | |
642 | + copied = len; | |
643 | +--- linux-3.18-rc1.orig/net/socket.c | |
644 | ++++ linux-3.18-rc1/net/socket.c | |
645 | +@@ -1640,6 +1640,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct | |
646 | + if (err < 0) | |
647 | + goto out_fd; | |
648 | + | |
649 | ++ if (ccs_socket_post_accept_permission(sock, newsock)) { | |
650 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
651 | ++ goto out_fd; | |
652 | ++ } | |
653 | + if (upeer_sockaddr) { | |
654 | + if (newsock->ops->getname(newsock, (struct sockaddr *)&address, | |
655 | + &len, 2) < 0) { | |
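Review bot: By the time the post-accept hook runs the TCP handshake has completed, so on denial the `goto out_fd` closes an established connection and the peer sees accept-then-reset; that is inherent to a post-accept check and worth a comment, `/* connection is already established; denial closes it on the peer */`. The error code is the bigger issue: -EAGAIN on a blocking listener is not something accept(2) callers expect and can turn a denied peer into a busy loop, whereas -ECONNABORTED is defined for exactly "a connection has been aborted" and existing servers already retry on it, so `err = -ECONNABORTED;` is the closer fit. The enclosing syscall body continues outside the hunk.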
656 | +--- linux-3.18-rc1.orig/net/unix/af_unix.c | |
657 | ++++ linux-3.18-rc1/net/unix/af_unix.c | |
658 | +@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio | |
659 | + wake_up_interruptible_sync_poll(&u->peer_wait, | |
660 | + POLLOUT | POLLWRNORM | POLLWRBAND); | |
661 | + | |
662 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
663 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
664 | ++ goto out_unlock; | |
665 | ++ } | |
666 | + if (msg->msg_name) | |
667 | + unix_copy_addr(msg, skb->sk); | |
668 | + | |
669 | +--- linux-3.18-rc1.orig/security/Kconfig | |
670 | ++++ linux-3.18-rc1/security/Kconfig | |
671 | +@@ -167,5 +167,7 @@ config DEFAULT_SECURITY | |
672 | + default "yama" if DEFAULT_SECURITY_YAMA | |
673 | + default "" if DEFAULT_SECURITY_DAC | |
674 | + | |
675 | ++source security/ccsecurity/Kconfig | |
676 | ++ | |
677 | + endmenu | |
678 | + | |
679 | +--- linux-3.18-rc1.orig/security/Makefile | |
680 | ++++ linux-3.18-rc1/security/Makefile | |
681 | +@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c | |
682 | + # Object integrity file lists | |
683 | + subdir-$(CONFIG_INTEGRITY) += integrity | |
684 | + obj-$(CONFIG_INTEGRITY) += integrity/ | |
685 | ++ | |
686 | ++subdir-$(CONFIG_CCSECURITY) += ccsecurity | |
687 | ++obj-$(CONFIG_CCSECURITY) += ccsecurity/ | |
688 | +--- linux-3.18-rc1.orig/security/security.c | |
689 | ++++ linux-3.18-rc1/security/security.c | |
690 | +@@ -203,7 +203,10 @@ int security_syslog(int type) | |
691 | + | |
692 | + int security_settime(const struct timespec *ts, const struct timezone *tz) | |
693 | + { | |
694 | +- return security_ops->settime(ts, tz); | |
695 | ++ int error = security_ops->settime(ts, tz); | |
696 | ++ if (!error && !ccs_capable(CCS_SYS_SETTIME)) | |
697 | ++ error = -EPERM; | |
698 | ++ return error; | |
699 | + } | |
700 | + | |
701 | + int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) | |
702 | +@@ -280,17 +283,27 @@ int security_sb_statfs(struct dentry *de | |
703 | + int security_sb_mount(const char *dev_name, struct path *path, | |
704 | + const char *type, unsigned long flags, void *data) | |
705 | + { | |
706 | +- return security_ops->sb_mount(dev_name, path, type, flags, data); | |
707 | ++ int error = security_ops->sb_mount(dev_name, path, type, flags, data); | |
708 | ++ if (!error) | |
709 | ++ error = ccs_mount_permission(dev_name, path, type, flags, | |
710 | ++ data); | |
711 | ++ return error; | |
712 | + } | |
713 | + | |
714 | + int security_sb_umount(struct vfsmount *mnt, int flags) | |
715 | + { | |
716 | +- return security_ops->sb_umount(mnt, flags); | |
717 | ++ int error = security_ops->sb_umount(mnt, flags); | |
718 | ++ if (!error) | |
719 | ++ error = ccs_umount_permission(mnt, flags); | |
720 | ++ return error; | |
721 | + } | |
722 | + | |
723 | + int security_sb_pivotroot(struct path *old_path, struct path *new_path) | |
724 | + { | |
725 | +- return security_ops->sb_pivotroot(old_path, new_path); | |
726 | ++ int error = security_ops->sb_pivotroot(old_path, new_path); | |
727 | ++ if (!error) | |
728 | ++ error = ccs_pivot_root_permission(old_path, new_path); | |
729 | ++ return error; | |
730 | + } | |
731 | + | |
732 | + int security_sb_set_mnt_opts(struct super_block *sb, | |
733 | +@@ -387,31 +400,47 @@ EXPORT_SYMBOL(security_old_inode_init_se | |
734 | + int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, | |
735 | + unsigned int dev) | |
736 | + { | |
737 | ++ int error; | |
738 | + if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) | |
739 | + return 0; | |
740 | ++ error = ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
741 | ++ if (error) | |
742 | ++ return error; | |
743 | + return security_ops->path_mknod(dir, dentry, mode, dev); | |
744 | + } | |
745 | + EXPORT_SYMBOL(security_path_mknod); | |
746 | + | |
747 | + int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode) | |
748 | + { | |
749 | ++ int error; | |
750 | + if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) | |
751 | + return 0; | |
752 | ++ error = ccs_mkdir_permission(dentry, dir->mnt, mode); | |
753 | ++ if (error) | |
754 | ++ return error; | |
755 | + return security_ops->path_mkdir(dir, dentry, mode); | |
756 | + } | |
757 | + EXPORT_SYMBOL(security_path_mkdir); | |
758 | + | |
759 | + int security_path_rmdir(struct path *dir, struct dentry *dentry) | |
760 | + { | |
761 | ++ int error; | |
762 | + if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) | |
763 | + return 0; | |
764 | ++ error = ccs_rmdir_permission(dentry, dir->mnt); | |
765 | ++ if (error) | |
766 | ++ return error; | |
767 | + return security_ops->path_rmdir(dir, dentry); | |
768 | + } | |
769 | + | |
770 | + int security_path_unlink(struct path *dir, struct dentry *dentry) | |
771 | + { | |
772 | ++ int error; | |
773 | + if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) | |
774 | + return 0; | |
775 | ++ error = ccs_unlink_permission(dentry, dir->mnt); | |
776 | ++ if (error) | |
777 | ++ return error; | |
778 | + return security_ops->path_unlink(dir, dentry); | |
779 | + } | |
780 | + EXPORT_SYMBOL(security_path_unlink); | |
781 | +@@ -419,16 +448,24 @@ EXPORT_SYMBOL(security_path_unlink); | |
782 | + int security_path_symlink(struct path *dir, struct dentry *dentry, | |
783 | + const char *old_name) | |
784 | + { | |
785 | ++ int error; | |
786 | + if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) | |
787 | + return 0; | |
788 | ++ error = ccs_symlink_permission(dentry, dir->mnt, old_name); | |
789 | ++ if (error) | |
790 | ++ return error; | |
791 | + return security_ops->path_symlink(dir, dentry, old_name); | |
792 | + } | |
793 | + | |
794 | + int security_path_link(struct dentry *old_dentry, struct path *new_dir, | |
795 | + struct dentry *new_dentry) | |
796 | + { | |
797 | ++ int error; | |
798 | + if (unlikely(IS_PRIVATE(old_dentry->d_inode))) | |
799 | + return 0; | |
800 | ++ error = ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
801 | ++ if (error) | |
802 | ++ return error; | |
803 | + return security_ops->path_link(old_dentry, new_dir, new_dentry); | |
804 | + } | |
805 | + | |
806 | +@@ -436,6 +473,7 @@ int security_path_rename(struct path *ol | |
807 | + struct path *new_dir, struct dentry *new_dentry, | |
808 | + unsigned int flags) | |
809 | + { | |
810 | ++ int error; | |
811 | + if (unlikely(IS_PRIVATE(old_dentry->d_inode) || | |
812 | + (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode)))) | |
813 | + return 0; | |
814 | +@@ -445,8 +483,15 @@ int security_path_rename(struct path *ol | |
815 | + old_dir, old_dentry); | |
816 | + if (err) | |
817 | + return err; | |
818 | ++ err = ccs_rename_permission(new_dentry, old_dentry, | |
819 | ++ old_dir->mnt); | |
820 | ++ if (err) | |
821 | ++ return err; | |
822 | + } | |
823 | + | |
824 | ++ error = ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt); | |
825 | ++ if (error) | |
826 | ++ return error; | |
827 | + return security_ops->path_rename(old_dir, old_dentry, new_dir, | |
828 | + new_dentry); | |
829 | + } | |
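Review bot: The two directions of an exchange rename are checked in opposite orders: inside the RENAME_EXCHANGE branch the LSM's `path_rename` runs before `ccs_rename_permission`, while for the forward direction the new code calls `ccs_rename_permission` first and `security_ops->path_rename` last. Functionally both must pass, but which module logs the denial (and which audit record an operator sees) depends on direction, and the other path hooks in this file consistently put the ccs check first. Moving the added reverse-direction `ccs_rename_permission(new_dentry, old_dentry, old_dir->mnt)` call ahead of the existing LSM call in that branch would make the ordering uniform; the surrounding `if` starts outside the hunk.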
830 | +@@ -454,27 +499,42 @@ EXPORT_SYMBOL(security_path_rename); | |
831 | + | |
832 | + int security_path_truncate(struct path *path) | |
833 | + { | |
834 | ++ int error; | |
835 | + if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | |
836 | + return 0; | |
837 | ++ error = ccs_truncate_permission(path->dentry, path->mnt); | |
838 | ++ if (error) | |
839 | ++ return error; | |
840 | + return security_ops->path_truncate(path); | |
841 | + } | |
842 | + | |
843 | + int security_path_chmod(struct path *path, umode_t mode) | |
844 | + { | |
845 | ++ int error; | |
846 | + if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | |
847 | + return 0; | |
848 | ++ error = ccs_chmod_permission(path->dentry, path->mnt, mode); | |
849 | ++ if (error) | |
850 | ++ return error; | |
851 | + return security_ops->path_chmod(path, mode); | |
852 | + } | |
853 | + | |
854 | + int security_path_chown(struct path *path, kuid_t uid, kgid_t gid) | |
855 | + { | |
856 | ++ int error; | |
857 | + if (unlikely(IS_PRIVATE(path->dentry->d_inode))) | |
858 | + return 0; | |
859 | ++ error = ccs_chown_permission(path->dentry, path->mnt, uid, gid); | |
860 | ++ if (error) | |
861 | ++ return error; | |
862 | + return security_ops->path_chown(path, uid, gid); | |
863 | + } | |
864 | + | |
865 | + int security_path_chroot(struct path *path) | |
866 | + { | |
867 | ++ int error = ccs_chroot_permission(path); | |
868 | ++ if (error) | |
869 | ++ return error; | |
870 | + return security_ops->path_chroot(path); | |
871 | + } | |
872 | + #endif | |
873 | +@@ -587,9 +647,13 @@ EXPORT_SYMBOL_GPL(security_inode_setattr | |
874 | + | |
875 | + int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | |
876 | + { | |
877 | ++ int error; | |
878 | + if (unlikely(IS_PRIVATE(dentry->d_inode))) | |
879 | + return 0; | |
880 | +- return security_ops->inode_getattr(mnt, dentry); | |
881 | ++ error = security_ops->inode_getattr(mnt, dentry); | |
882 | ++ if (!error) | |
883 | ++ error = ccs_getattr_permission(mnt, dentry); | |
884 | ++ return error; | |
885 | + } | |
886 | + | |
887 | + int security_inode_setxattr(struct dentry *dentry, const char *name, | |
888 | +@@ -706,7 +770,10 @@ void security_file_free(struct file *fil | |
889 | + | |
890 | + int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | |
891 | + { | |
892 | +- return security_ops->file_ioctl(file, cmd, arg); | |
893 | ++ int error = security_ops->file_ioctl(file, cmd, arg); | |
894 | ++ if (!error) | |
895 | ++ error = ccs_ioctl_permission(file, cmd, arg); | |
896 | ++ return error; | |
897 | + } | |
898 | + | |
899 | + static inline unsigned long mmap_prot(struct file *file, unsigned long prot) | |
900 | +@@ -772,7 +839,10 @@ int security_file_lock(struct file *file | |
901 | + | |
902 | + int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) | |
903 | + { | |
904 | +- return security_ops->file_fcntl(file, cmd, arg); | |
905 | ++ int error = security_ops->file_fcntl(file, cmd, arg); | |
906 | ++ if (!error) | |
907 | ++ error = ccs_fcntl_permission(file, cmd, arg); | |
908 | ++ return error; | |
909 | + } | |
910 | + | |
911 | + void security_file_set_fowner(struct file *file) | |
912 | +@@ -796,6 +866,8 @@ int security_file_open(struct file *file | |
913 | + int ret; | |
914 | + | |
915 | + ret = security_ops->file_open(file, cred); | |
916 | ++ if (!ret) | |
917 | ++ ret = ccs_open_permission(file); | |
918 | + if (ret) | |
919 | + return ret; | |
920 | + | |
921 | +@@ -1146,7 +1218,10 @@ EXPORT_SYMBOL(security_unix_may_send); | |
922 | + | |
923 | + int security_socket_create(int family, int type, int protocol, int kern) | |
924 | + { | |
925 | +- return security_ops->socket_create(family, type, protocol, kern); | |
926 | ++ int error = security_ops->socket_create(family, type, protocol, kern); | |
927 | ++ if (!error) | |
928 | ++ error = ccs_socket_create_permission(family, type, protocol); | |
929 | ++ return error; | |
930 | + } | |
931 | + | |
932 | + int security_socket_post_create(struct socket *sock, int family, | |
933 | +@@ -1158,17 +1233,26 @@ int security_socket_post_create(struct s | |
934 | + | |
935 | + int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) | |
936 | + { | |
937 | +- return security_ops->socket_bind(sock, address, addrlen); | |
938 | ++ int error = security_ops->socket_bind(sock, address, addrlen); | |
939 | ++ if (!error) | |
940 | ++ error = ccs_socket_bind_permission(sock, address, addrlen); | |
941 | ++ return error; | |
942 | + } | |
943 | + | |
944 | + int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) | |
945 | + { | |
946 | +- return security_ops->socket_connect(sock, address, addrlen); | |
947 | ++ int error = security_ops->socket_connect(sock, address, addrlen); | |
948 | ++ if (!error) | |
949 | ++ error = ccs_socket_connect_permission(sock, address, addrlen); | |
950 | ++ return error; | |
951 | + } | |
952 | + | |
953 | + int security_socket_listen(struct socket *sock, int backlog) | |
954 | + { | |
955 | +- return security_ops->socket_listen(sock, backlog); | |
956 | ++ int error = security_ops->socket_listen(sock, backlog); | |
957 | ++ if (!error) | |
958 | ++ error = ccs_socket_listen_permission(sock); | |
959 | ++ return error; | |
960 | + } | |
961 | + | |
962 | + int security_socket_accept(struct socket *sock, struct socket *newsock) | |
963 | +@@ -1178,7 +1262,10 @@ int security_socket_accept(struct socket | |
964 | + | |
965 | + int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) | |
966 | + { | |
967 | +- return security_ops->socket_sendmsg(sock, msg, size); | |
968 | ++ int error = security_ops->socket_sendmsg(sock, msg, size); | |
969 | ++ if (!error) | |
970 | ++ error = ccs_socket_sendmsg_permission(sock, msg, size); | |
971 | ++ return error; | |
972 | + } | |
973 | + | |
974 | + int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, |
@@ -1,6 +1,6 @@ | ||
1 | -This is TOMOYO Linux patch for kernel 3.17. | |
1 | +This is TOMOYO Linux patch for kernel 3.17.1. | |
2 | 2 | |
3 | -Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.tar.xz | |
3 | +Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.1.tar.xz | |
4 | 4 | --- |
5 | 5 | fs/exec.c | 2 |
6 | 6 | fs/open.c | 2 |
@@ -29,8 +29,8 @@ | ||
29 | 29 | security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++----- |
30 | 30 | 25 files changed, 252 insertions(+), 37 deletions(-) |
31 | 31 | |
32 | ---- linux-3.17.orig/fs/exec.c | |
33 | -+++ linux-3.17/fs/exec.c | |
32 | +--- linux-3.17.1.orig/fs/exec.c | |
33 | ++++ linux-3.17.1/fs/exec.c | |
34 | 34 | @@ -1408,7 +1408,7 @@ static int exec_binprm(struct linux_binp |
35 | 35 | old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 | 36 | rcu_read_unlock(); |
@@ -40,8 +40,8 @@ | ||
40 | 40 | if (ret >= 0) { |
41 | 41 | audit_bprm(bprm); |
42 | 42 | trace_sched_process_exec(current, old_pid, bprm); |
43 | ---- linux-3.17.orig/fs/open.c | |
44 | -+++ linux-3.17/fs/open.c | |
43 | +--- linux-3.17.1.orig/fs/open.c | |
44 | ++++ linux-3.17.1/fs/open.c | |
45 | 45 | @@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close); |
46 | 46 | */ |
47 | 47 | SYSCALL_DEFINE0(vhangup) |
@@ -51,8 +51,8 @@ | ||
51 | 51 | if (capable(CAP_SYS_TTY_CONFIG)) { |
52 | 52 | tty_vhangup_self(); |
53 | 53 | return 0; |
54 | ---- linux-3.17.orig/fs/proc/version.c | |
55 | -+++ linux-3.17/fs/proc/version.c | |
54 | +--- linux-3.17.1.orig/fs/proc/version.c | |
55 | ++++ linux-3.17.1/fs/proc/version.c | |
56 | 56 | @@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 | 57 | return 0; |
58 | 58 | } |
@@ -60,12 +60,12 @@ | ||
60 | 60 | + |
61 | 61 | +static int __init ccs_show_version(void) |
62 | 62 | +{ |
63 | -+ printk(KERN_INFO "Hook version: 3.17 2014/10/06\n"); | |
63 | ++ printk(KERN_INFO "Hook version: 3.17.1 2014/10/20\n"); | |
64 | 64 | + return 0; |
65 | 65 | +} |
66 | 66 | +fs_initcall(ccs_show_version); |
67 | ---- linux-3.17.orig/include/linux/init_task.h | |
68 | -+++ linux-3.17/include/linux/init_task.h | |
67 | +--- linux-3.17.1.orig/include/linux/init_task.h | |
68 | ++++ linux-3.17.1/include/linux/init_task.h | |
69 | 69 | @@ -157,6 +157,14 @@ extern struct task_group root_task_group |
70 | 70 | # define INIT_RT_MUTEXES(tsk) |
71 | 71 | #endif |
@@ -89,8 +89,8 @@ | ||
89 | 89 | } |
90 | 90 | |
91 | 91 | |
92 | ---- linux-3.17.orig/include/linux/sched.h | |
93 | -+++ linux-3.17/include/linux/sched.h | |
92 | +--- linux-3.17.1.orig/include/linux/sched.h | |
93 | ++++ linux-3.17.1/include/linux/sched.h | |
94 | 94 | @@ -6,6 +6,8 @@ |
95 | 95 | #include <linux/sched/prio.h> |
96 | 96 |
@@ -111,8 +111,8 @@ | ||
111 | 111 | }; |
112 | 112 | |
113 | 113 | /* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 | ---- linux-3.17.orig/include/linux/security.h | |
115 | -+++ linux-3.17/include/linux/security.h | |
114 | +--- linux-3.17.1.orig/include/linux/security.h | |
115 | ++++ linux-3.17.1/include/linux/security.h | |
116 | 116 | @@ -53,6 +53,7 @@ struct msg_queue; |
117 | 117 | struct xattr; |
118 | 118 | struct xfrm_sec_ctx; |
@@ -324,8 +324,8 @@ | ||
324 | 324 | } |
325 | 325 | #endif /* CONFIG_SECURITY_PATH */ |
326 | 326 | |
327 | ---- linux-3.17.orig/include/net/ip.h | |
328 | -+++ linux-3.17/include/net/ip.h | |
327 | +--- linux-3.17.1.orig/include/net/ip.h | |
328 | ++++ linux-3.17.1/include/net/ip.h | |
329 | 329 | @@ -212,6 +212,8 @@ void inet_get_local_port_range(struct ne |
330 | 330 | #ifdef CONFIG_SYSCTL |
331 | 331 | static inline int inet_is_local_reserved_port(struct net *net, int port) |
@@ -344,8 +344,8 @@ | ||
344 | 344 | return 0; |
345 | 345 | } |
346 | 346 | #endif |
347 | ---- linux-3.17.orig/kernel/fork.c | |
348 | -+++ linux-3.17/kernel/fork.c | |
347 | +--- linux-3.17.1.orig/kernel/fork.c | |
348 | ++++ linux-3.17.1/kernel/fork.c | |
349 | 349 | @@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc |
350 | 350 | delayacct_tsk_free(tsk); |
351 | 351 | put_signal_struct(tsk->signal); |
@@ -372,8 +372,8 @@ | ||
372 | 372 | bad_fork_cleanup_perf: |
373 | 373 | perf_event_free_task(p); |
374 | 374 | bad_fork_cleanup_policy: |
375 | ---- linux-3.17.orig/kernel/kexec.c | |
376 | -+++ linux-3.17/kernel/kexec.c | |
375 | +--- linux-3.17.1.orig/kernel/kexec.c | |
376 | ++++ linux-3.17.1/kernel/kexec.c | |
377 | 377 | @@ -41,6 +41,7 @@ |
378 | 378 | #include <asm/uaccess.h> |
379 | 379 | #include <asm/io.h> |
@@ -391,8 +391,8 @@ | ||
391 | 391 | |
392 | 392 | /* |
393 | 393 | * Verify we have a legal set of flags |
394 | ---- linux-3.17.orig/kernel/module.c | |
395 | -+++ linux-3.17/kernel/module.c | |
394 | +--- linux-3.17.1.orig/kernel/module.c | |
395 | ++++ linux-3.17.1/kernel/module.c | |
396 | 396 | @@ -62,6 +62,7 @@ |
397 | 397 | #include <linux/bsearch.h> |
398 | 398 | #include <uapi/linux/module.h> |
@@ -419,8 +419,8 @@ | ||
419 | 419 | |
420 | 420 | return 0; |
421 | 421 | } |
422 | ---- linux-3.17.orig/kernel/ptrace.c | |
423 | -+++ linux-3.17/kernel/ptrace.c | |
422 | +--- linux-3.17.1.orig/kernel/ptrace.c | |
423 | ++++ linux-3.17.1/kernel/ptrace.c | |
424 | 424 | @@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
425 | 425 | { |
426 | 426 | struct task_struct *child; |
@@ -445,8 +445,8 @@ | ||
445 | 445 | |
446 | 446 | if (request == PTRACE_TRACEME) { |
447 | 447 | ret = ptrace_traceme(); |
448 | ---- linux-3.17.orig/kernel/reboot.c | |
449 | -+++ linux-3.17/kernel/reboot.c | |
448 | +--- linux-3.17.1.orig/kernel/reboot.c | |
449 | ++++ linux-3.17.1/kernel/reboot.c | |
450 | 450 | @@ -16,6 +16,7 @@ |
451 | 451 | #include <linux/syscalls.h> |
452 | 452 | #include <linux/syscore_ops.h> |
@@ -464,8 +464,8 @@ | ||
464 | 464 | |
465 | 465 | /* |
466 | 466 | * If pid namespaces are enabled and the current task is in a child |
467 | ---- linux-3.17.orig/kernel/sched/core.c | |
468 | -+++ linux-3.17/kernel/sched/core.c | |
467 | +--- linux-3.17.1.orig/kernel/sched/core.c | |
468 | ++++ linux-3.17.1/kernel/sched/core.c | |
469 | 469 | @@ -3119,6 +3119,8 @@ int can_nice(const struct task_struct *p |
470 | 470 | SYSCALL_DEFINE1(nice, int, increment) |
471 | 471 | { |
@@ -475,8 +475,8 @@ | ||
475 | 475 | |
476 | 476 | /* |
477 | 477 | * Setpriority might change our priority at the same moment. |
478 | ---- linux-3.17.orig/kernel/signal.c | |
479 | -+++ linux-3.17/kernel/signal.c | |
478 | +--- linux-3.17.1.orig/kernel/signal.c | |
479 | ++++ linux-3.17.1/kernel/signal.c | |
480 | 480 | @@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
481 | 481 | SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
482 | 482 | { |
@@ -522,8 +522,8 @@ | ||
522 | 522 | |
523 | 523 | return do_send_specific(tgid, pid, sig, info); |
524 | 524 | } |
525 | ---- linux-3.17.orig/kernel/sys.c | |
526 | -+++ linux-3.17/kernel/sys.c | |
525 | +--- linux-3.17.1.orig/kernel/sys.c | |
526 | ++++ linux-3.17.1/kernel/sys.c | |
527 | 527 | @@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
528 | 528 | |
529 | 529 | if (which > PRIO_USER || which < PRIO_PROCESS) |
@@ -553,8 +553,8 @@ | ||
553 | 553 | |
554 | 554 | down_write(&uts_sem); |
555 | 555 | errno = -EFAULT; |
556 | ---- linux-3.17.orig/kernel/time/ntp.c | |
557 | -+++ linux-3.17/kernel/time/ntp.c | |
556 | +--- linux-3.17.1.orig/kernel/time/ntp.c | |
557 | ++++ linux-3.17.1/kernel/time/ntp.c | |
558 | 558 | @@ -16,6 +16,7 @@ |
559 | 559 | #include <linux/mm.h> |
560 | 560 | #include <linux/module.h> |
@@ -588,8 +588,8 @@ | ||
588 | 588 | |
589 | 589 | return 0; |
590 | 590 | } |
591 | ---- linux-3.17.orig/net/ipv4/raw.c | |
592 | -+++ linux-3.17/net/ipv4/raw.c | |
591 | +--- linux-3.17.1.orig/net/ipv4/raw.c | |
592 | ++++ linux-3.17.1/net/ipv4/raw.c | |
593 | 593 | @@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc |
594 | 594 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
595 | 595 | if (!skb) |
@@ -601,8 +601,8 @@ | ||
601 | 601 | |
602 | 602 | copied = skb->len; |
603 | 603 | if (len < copied) { |
604 | ---- linux-3.17.orig/net/ipv4/udp.c | |
605 | -+++ linux-3.17/net/ipv4/udp.c | |
604 | +--- linux-3.17.1.orig/net/ipv4/udp.c | |
605 | ++++ linux-3.17.1/net/ipv4/udp.c | |
606 | 606 | @@ -1260,6 +1260,10 @@ try_again: |
607 | 607 | &peeked, &off, &err); |
608 | 608 | if (!skb) |
@@ -614,8 +614,8 @@ | ||
614 | 614 | |
615 | 615 | ulen = skb->len - sizeof(struct udphdr); |
616 | 616 | copied = len; |
617 | ---- linux-3.17.orig/net/ipv6/raw.c | |
618 | -+++ linux-3.17/net/ipv6/raw.c | |
617 | +--- linux-3.17.1.orig/net/ipv6/raw.c | |
618 | ++++ linux-3.17.1/net/ipv6/raw.c | |
619 | 619 | @@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
620 | 620 | skb = skb_recv_datagram(sk, flags, noblock, &err); |
621 | 621 | if (!skb) |
@@ -627,8 +627,8 @@ | ||
627 | 627 | |
628 | 628 | copied = skb->len; |
629 | 629 | if (copied > len) { |
630 | ---- linux-3.17.orig/net/ipv6/udp.c | |
631 | -+++ linux-3.17/net/ipv6/udp.c | |
630 | +--- linux-3.17.1.orig/net/ipv6/udp.c | |
631 | ++++ linux-3.17.1/net/ipv6/udp.c | |
632 | 632 | @@ -402,6 +402,10 @@ try_again: |
633 | 633 | &peeked, &off, &err); |
634 | 634 | if (!skb) |
@@ -640,8 +640,8 @@ | ||
640 | 640 | |
641 | 641 | ulen = skb->len - sizeof(struct udphdr); |
642 | 642 | copied = len; |
643 | ---- linux-3.17.orig/net/socket.c | |
644 | -+++ linux-3.17/net/socket.c | |
643 | +--- linux-3.17.1.orig/net/socket.c | |
644 | ++++ linux-3.17.1/net/socket.c | |
645 | 645 | @@ -1642,6 +1642,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
646 | 646 | if (err < 0) |
647 | 647 | goto out_fd; |
@@ -653,8 +653,8 @@ | ||
653 | 653 | if (upeer_sockaddr) { |
654 | 654 | if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
655 | 655 | &len, 2) < 0) { |
656 | ---- linux-3.17.orig/net/unix/af_unix.c | |
657 | -+++ linux-3.17/net/unix/af_unix.c | |
656 | +--- linux-3.17.1.orig/net/unix/af_unix.c | |
657 | ++++ linux-3.17.1/net/unix/af_unix.c | |
658 | 658 | @@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio |
659 | 659 | wake_up_interruptible_sync_poll(&u->peer_wait, |
660 | 660 | POLLOUT | POLLWRNORM | POLLWRBAND); |
@@ -666,8 +666,8 @@ | ||
666 | 666 | if (msg->msg_name) |
667 | 667 | unix_copy_addr(msg, skb->sk); |
668 | 668 | |
669 | ---- linux-3.17.orig/security/Kconfig | |
670 | -+++ linux-3.17/security/Kconfig | |
669 | +--- linux-3.17.1.orig/security/Kconfig | |
670 | ++++ linux-3.17.1/security/Kconfig | |
671 | 671 | @@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
672 | 672 | default "yama" if DEFAULT_SECURITY_YAMA |
673 | 673 | default "" if DEFAULT_SECURITY_DAC |
@@ -676,8 +676,8 @@ | ||
676 | 676 | + |
677 | 677 | endmenu |
678 | 678 | |
679 | ---- linux-3.17.orig/security/Makefile | |
680 | -+++ linux-3.17/security/Makefile | |
679 | +--- linux-3.17.1.orig/security/Makefile | |
680 | ++++ linux-3.17.1/security/Makefile | |
681 | 681 | @@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
682 | 682 | # Object integrity file lists |
683 | 683 | subdir-$(CONFIG_INTEGRITY) += integrity |
@@ -685,8 +685,8 @@ | ||
685 | 685 | + |
686 | 686 | +subdir-$(CONFIG_CCSECURITY) += ccsecurity |
687 | 687 | +obj-$(CONFIG_CCSECURITY) += ccsecurity/ |
688 | ---- linux-3.17.orig/security/security.c | |
689 | -+++ linux-3.17/security/security.c | |
688 | +--- linux-3.17.1.orig/security/security.c | |
689 | ++++ linux-3.17.1/security/security.c | |
690 | 690 | @@ -203,7 +203,10 @@ int security_syslog(int type) |
691 | 691 | |
692 | 692 | int security_settime(const struct timespec *ts, const struct timezone *tz) |
@@ -0,0 +1,86 @@ | ||
1 | +Index: trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c | |
2 | +=================================================================== | |
3 | +--- trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c (revision 6333) | |
4 | ++++ trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c (working copy) | |
5 | +@@ -257,6 +257,42 @@ | |
6 | + buffer = cp + 1; | |
7 | + } | |
8 | + w[4] = buffer; | |
9 | ++ if (index != CCS_DIRECTIVE_FILE_EXECUTE) | |
10 | ++ return; | |
11 | ++ if (ccs_domain_def(buffer)) { | |
12 | ++ char *cp = strchr(buffer, ' '); | |
13 | ++ w[1] = buffer; | |
14 | ++ w[4] = ""; | |
15 | ++ if (!cp) | |
16 | ++ return; | |
17 | ++ while (*cp) { | |
18 | ++ if (*cp++ != ' ' || *cp++ == '/') | |
19 | ++ continue; | |
20 | ++ cp -= 2; | |
21 | ++ break; | |
22 | ++ } | |
23 | ++ if (!*cp) | |
24 | ++ return; | |
25 | ++ *cp = '\0'; | |
26 | ++ w[4] = cp + 1; | |
27 | ++ } else { | |
28 | ++ char *cp = strchr(buffer, ' '); | |
29 | ++ if (cp) | |
30 | ++ *cp = '\0'; | |
31 | ++ if (ccs_correct_path(buffer) || !strcmp(buffer, "keep") || | |
32 | ++ !strcmp(buffer, "reset") || | |
33 | ++ !strcmp(buffer, "initialize") || | |
34 | ++ !strcmp(buffer, "child") || !strcmp(buffer, "parent")) { | |
35 | ++ w[1] = buffer; | |
36 | ++ if (cp) | |
37 | ++ w[4] = cp + 1; | |
38 | ++ else | |
39 | ++ w[4] = ""; | |
40 | ++ return; | |
41 | ++ } | |
42 | ++ if (cp) | |
43 | ++ *cp = ' '; | |
44 | ++ } | |
45 | + } | |
46 | + | |
47 | + /** | |
48 | +@@ -375,23 +411,20 @@ | |
49 | + continue; | |
50 | + ccs_tokenize(line, d, d_index); | |
51 | + /* Compare condition part. */ | |
52 | +- if (strcmp(s[4], d[4])) | |
53 | ++ if (s[4][0] && strcmp(s[4], d[4])) | |
54 | + continue; | |
55 | + /* Compare non condition word. */ | |
56 | +- if (0) { | |
57 | +- FILE *fp = fopen("/tmp/log", "a+"); | |
58 | +- int i; | |
59 | +- for (i = 0; i < 5; i++) { | |
60 | +- fprintf(fp, "s[%d]='%s'\n", i, s[i]); | |
61 | +- fprintf(fp, "d[%d]='%s'\n", i, d[i]); | |
62 | +- } | |
63 | +- fclose(fp); | |
64 | +- } | |
65 | + switch (d_index) { | |
66 | + struct ccs_path_info sarg; | |
67 | + struct ccs_path_info darg; | |
68 | + char c; | |
69 | + int len; | |
70 | ++ case CCS_DIRECTIVE_FILE_EXECUTE: | |
71 | ++ if (!ccs_compare_path(s[0], d[0])) | |
72 | ++ continue; | |
73 | ++ if (strcmp(s[1], d[1])) | |
74 | ++ continue; | |
75 | ++ break; | |
76 | + case CCS_DIRECTIVE_FILE_MKBLOCK: | |
77 | + case CCS_DIRECTIVE_FILE_MKCHAR: | |
78 | + if (!ccs_compare_number(s[3], d[3]) || | |
79 | +@@ -409,7 +442,6 @@ | |
80 | + if (!ccs_compare_number(s[1], d[1])) | |
81 | + continue; | |
82 | + /* fall through */ | |
83 | +- case CCS_DIRECTIVE_FILE_EXECUTE: | |
84 | + case CCS_DIRECTIVE_FILE_READ: | |
85 | + case CCS_DIRECTIVE_FILE_WRITE: | |
86 | + case CCS_DIRECTIVE_FILE_UNLINK: |
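Review bot: The domain-name scan in the new `ccs_domain_def()` branch of the tokenizer packs two post-increments into one condition, `if (*cp++ != ' ' || *cp++ == '/') continue;`, and then undoes them with `cp -= 2`, so a reader has to trace the short-circuit order to convince themselves the loop cannot step past the terminator; the same scan is a plain lookahead on `cp[1]` with no back-step, as rewritten below. Separately, the change to `if (s[4][0] && strcmp(s[4], d[4]))` in the compare loop makes an entry whose condition part is empty match every condition for all directives, not only file execute; if that is intended (an unconditional entry subsumes the conditional ones), a comment such as `/* An entry without a condition part covers entries that have one. */` above it would spare the next reader the question. Both enclosing functions (the tokenizer in the first hunk and the compare loop in the second) start and end outside this hunk.
```c
		if (!cp)
			return;
		/* The domain name ends at the first space that is not followed by '/'. */
		while (*cp) {
			if (cp[0] == ' ' && cp[1] != '/')
				break;
			cp++;
		}
		/* … unchanged: terminator check, split into w[1] / w[4] … */
```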