1 |
This is TOMOYO Linux patch for kernel 3.14.27. |
This is TOMOYO Linux patch for kernel 3.14.28. |
2 |
|
|
3 |
Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.27.tar.xz |
Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.28.tar.xz |
4 |
--- |
--- |
5 |
fs/exec.c | 2 |
fs/exec.c | 2 |
6 |
fs/open.c | 2 |
fs/open.c | 2 |
29 |
security/security.c | 107 ++++++++++++++++++++++++++++++++++++++++------ |
security/security.c | 107 ++++++++++++++++++++++++++++++++++++++++------ |
30 |
25 files changed, 236 insertions(+), 37 deletions(-) |
25 files changed, 236 insertions(+), 37 deletions(-) |
31 |
|
|
32 |
--- linux-3.14.27.orig/fs/exec.c |
--- linux-3.14.28.orig/fs/exec.c |
33 |
+++ linux-3.14.27/fs/exec.c |
+++ linux-3.14.28/fs/exec.c |
34 |
@@ -1426,7 +1426,7 @@ static int exec_binprm(struct linux_binp |
@@ -1426,7 +1426,7 @@ static int exec_binprm(struct linux_binp |
35 |
old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 |
rcu_read_unlock(); |
rcu_read_unlock(); |
40 |
if (ret >= 0) { |
if (ret >= 0) { |
41 |
audit_bprm(bprm); |
audit_bprm(bprm); |
42 |
trace_sched_process_exec(current, old_pid, bprm); |
trace_sched_process_exec(current, old_pid, bprm); |
43 |
--- linux-3.14.27.orig/fs/open.c |
--- linux-3.14.28.orig/fs/open.c |
44 |
+++ linux-3.14.27/fs/open.c |
+++ linux-3.14.28/fs/open.c |
45 |
@@ -1070,6 +1070,8 @@ EXPORT_SYMBOL(sys_close); |
@@ -1070,6 +1070,8 @@ EXPORT_SYMBOL(sys_close); |
46 |
*/ |
*/ |
47 |
SYSCALL_DEFINE0(vhangup) |
SYSCALL_DEFINE0(vhangup) |
51 |
if (capable(CAP_SYS_TTY_CONFIG)) { |
if (capable(CAP_SYS_TTY_CONFIG)) { |
52 |
tty_vhangup_self(); |
tty_vhangup_self(); |
53 |
return 0; |
return 0; |
54 |
--- linux-3.14.27.orig/fs/proc/version.c |
--- linux-3.14.28.orig/fs/proc/version.c |
55 |
+++ linux-3.14.27/fs/proc/version.c |
+++ linux-3.14.28/fs/proc/version.c |
56 |
@@ -32,3 +32,10 @@ static int __init proc_version_init(void |
@@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 |
return 0; |
return 0; |
58 |
} |
} |
60 |
+ |
+ |
61 |
+static int __init ccs_show_version(void) |
+static int __init ccs_show_version(void) |
62 |
+{ |
+{ |
63 |
+ printk(KERN_INFO "Hook version: 3.14.27 2014/12/22\n"); |
+ printk(KERN_INFO "Hook version: 3.14.28 2015/01/12\n"); |
64 |
+ return 0; |
+ return 0; |
65 |
+} |
+} |
66 |
+fs_initcall(ccs_show_version); |
+fs_initcall(ccs_show_version); |
67 |
--- linux-3.14.27.orig/include/linux/init_task.h |
--- linux-3.14.28.orig/include/linux/init_task.h |
68 |
+++ linux-3.14.27/include/linux/init_task.h |
+++ linux-3.14.28/include/linux/init_task.h |
69 |
@@ -164,6 +164,14 @@ extern struct task_group root_task_group |
@@ -164,6 +164,14 @@ extern struct task_group root_task_group |
70 |
# define INIT_RT_MUTEXES(tsk) |
# define INIT_RT_MUTEXES(tsk) |
71 |
#endif |
#endif |
89 |
} |
} |
90 |
|
|
91 |
|
|
92 |
--- linux-3.14.27.orig/include/linux/sched.h |
--- linux-3.14.28.orig/include/linux/sched.h |
93 |
+++ linux-3.14.27/include/linux/sched.h |
+++ linux-3.14.28/include/linux/sched.h |
94 |
@@ -4,6 +4,8 @@ |
@@ -4,6 +4,8 @@ |
95 |
#include <uapi/linux/sched.h> |
#include <uapi/linux/sched.h> |
96 |
|
|
111 |
}; |
}; |
112 |
|
|
113 |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 |
--- linux-3.14.27.orig/include/linux/security.h |
--- linux-3.14.28.orig/include/linux/security.h |
115 |
+++ linux-3.14.27/include/linux/security.h |
+++ linux-3.14.28/include/linux/security.h |
116 |
@@ -53,6 +53,7 @@ struct msg_queue; |
@@ -53,6 +53,7 @@ struct msg_queue; |
117 |
struct xattr; |
struct xattr; |
118 |
struct xfrm_sec_ctx; |
struct xfrm_sec_ctx; |
314 |
} |
} |
315 |
#endif /* CONFIG_SECURITY_PATH */ |
#endif /* CONFIG_SECURITY_PATH */ |
316 |
|
|
317 |
--- linux-3.14.27.orig/include/net/ip.h |
--- linux-3.14.28.orig/include/net/ip.h |
318 |
+++ linux-3.14.27/include/net/ip.h |
+++ linux-3.14.28/include/net/ip.h |
319 |
@@ -217,6 +217,8 @@ void inet_get_local_port_range(struct ne |
@@ -217,6 +217,8 @@ void inet_get_local_port_range(struct ne |
320 |
extern unsigned long *sysctl_local_reserved_ports; |
extern unsigned long *sysctl_local_reserved_ports; |
321 |
static inline int inet_is_reserved_local_port(int port) |
static inline int inet_is_reserved_local_port(int port) |
325 |
return test_bit(port, sysctl_local_reserved_ports); |
return test_bit(port, sysctl_local_reserved_ports); |
326 |
} |
} |
327 |
|
|
328 |
--- linux-3.14.27.orig/kernel/fork.c |
--- linux-3.14.28.orig/kernel/fork.c |
329 |
+++ linux-3.14.27/kernel/fork.c |
+++ linux-3.14.28/kernel/fork.c |
330 |
@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc |
@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc |
331 |
delayacct_tsk_free(tsk); |
delayacct_tsk_free(tsk); |
332 |
put_signal_struct(tsk->signal); |
put_signal_struct(tsk->signal); |
353 |
bad_fork_cleanup_perf: |
bad_fork_cleanup_perf: |
354 |
perf_event_free_task(p); |
perf_event_free_task(p); |
355 |
bad_fork_cleanup_policy: |
bad_fork_cleanup_policy: |
356 |
--- linux-3.14.27.orig/kernel/kexec.c |
--- linux-3.14.28.orig/kernel/kexec.c |
357 |
+++ linux-3.14.27/kernel/kexec.c |
+++ linux-3.14.28/kernel/kexec.c |
358 |
@@ -37,6 +37,7 @@ |
@@ -37,6 +37,7 @@ |
359 |
#include <asm/uaccess.h> |
#include <asm/uaccess.h> |
360 |
#include <asm/io.h> |
#include <asm/io.h> |
372 |
|
|
373 |
/* |
/* |
374 |
* Verify we have a legal set of flags |
* Verify we have a legal set of flags |
375 |
--- linux-3.14.27.orig/kernel/module.c |
--- linux-3.14.28.orig/kernel/module.c |
376 |
+++ linux-3.14.27/kernel/module.c |
+++ linux-3.14.28/kernel/module.c |
377 |
@@ -63,6 +63,7 @@ |
@@ -63,6 +63,7 @@ |
378 |
#include <linux/fips.h> |
#include <linux/fips.h> |
379 |
#include <uapi/linux/module.h> |
#include <uapi/linux/module.h> |
400 |
|
|
401 |
return 0; |
return 0; |
402 |
} |
} |
403 |
--- linux-3.14.27.orig/kernel/ptrace.c |
--- linux-3.14.28.orig/kernel/ptrace.c |
404 |
+++ linux-3.14.27/kernel/ptrace.c |
+++ linux-3.14.28/kernel/ptrace.c |
405 |
@@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
@@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
406 |
{ |
{ |
407 |
struct task_struct *child; |
struct task_struct *child; |
426 |
|
|
427 |
if (request == PTRACE_TRACEME) { |
if (request == PTRACE_TRACEME) { |
428 |
ret = ptrace_traceme(); |
ret = ptrace_traceme(); |
429 |
--- linux-3.14.27.orig/kernel/reboot.c |
--- linux-3.14.28.orig/kernel/reboot.c |
430 |
+++ linux-3.14.27/kernel/reboot.c |
+++ linux-3.14.28/kernel/reboot.c |
431 |
@@ -16,6 +16,7 @@ |
@@ -16,6 +16,7 @@ |
432 |
#include <linux/syscalls.h> |
#include <linux/syscalls.h> |
433 |
#include <linux/syscore_ops.h> |
#include <linux/syscore_ops.h> |
445 |
|
|
446 |
/* |
/* |
447 |
* If pid namespaces are enabled and the current task is in a child |
* If pid namespaces are enabled and the current task is in a child |
448 |
--- linux-3.14.27.orig/kernel/sched/core.c |
--- linux-3.14.28.orig/kernel/sched/core.c |
449 |
+++ linux-3.14.27/kernel/sched/core.c |
+++ linux-3.14.28/kernel/sched/core.c |
450 |
@@ -3069,6 +3069,8 @@ int can_nice(const struct task_struct *p |
@@ -3069,6 +3069,8 @@ int can_nice(const struct task_struct *p |
451 |
SYSCALL_DEFINE1(nice, int, increment) |
SYSCALL_DEFINE1(nice, int, increment) |
452 |
{ |
{ |
456 |
|
|
457 |
/* |
/* |
458 |
* Setpriority might change our priority at the same moment. |
* Setpriority might change our priority at the same moment. |
459 |
--- linux-3.14.27.orig/kernel/signal.c |
--- linux-3.14.28.orig/kernel/signal.c |
460 |
+++ linux-3.14.27/kernel/signal.c |
+++ linux-3.14.28/kernel/signal.c |
461 |
@@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
@@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
462 |
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
463 |
{ |
{ |
503 |
|
|
504 |
return do_send_specific(tgid, pid, sig, info); |
return do_send_specific(tgid, pid, sig, info); |
505 |
} |
} |
506 |
--- linux-3.14.27.orig/kernel/sys.c |
--- linux-3.14.28.orig/kernel/sys.c |
507 |
+++ linux-3.14.27/kernel/sys.c |
+++ linux-3.14.28/kernel/sys.c |
508 |
@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
509 |
|
|
510 |
if (which > PRIO_USER || which < PRIO_PROCESS) |
if (which > PRIO_USER || which < PRIO_PROCESS) |
534 |
|
|
535 |
down_write(&uts_sem); |
down_write(&uts_sem); |
536 |
errno = -EFAULT; |
errno = -EFAULT; |
537 |
--- linux-3.14.27.orig/kernel/time/ntp.c |
--- linux-3.14.28.orig/kernel/time/ntp.c |
538 |
+++ linux-3.14.27/kernel/time/ntp.c |
+++ linux-3.14.28/kernel/time/ntp.c |
539 |
@@ -16,6 +16,7 @@ |
@@ -16,6 +16,7 @@ |
540 |
#include <linux/mm.h> |
#include <linux/mm.h> |
541 |
#include <linux/module.h> |
#include <linux/module.h> |
569 |
|
|
570 |
return 0; |
return 0; |
571 |
} |
} |
572 |
--- linux-3.14.27.orig/net/ipv4/raw.c |
--- linux-3.14.28.orig/net/ipv4/raw.c |
573 |
+++ linux-3.14.27/net/ipv4/raw.c |
+++ linux-3.14.28/net/ipv4/raw.c |
574 |
@@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc |
@@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc |
575 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
576 |
if (!skb) |
if (!skb) |
582 |
|
|
583 |
copied = skb->len; |
copied = skb->len; |
584 |
if (len < copied) { |
if (len < copied) { |
585 |
--- linux-3.14.27.orig/net/ipv4/udp.c |
--- linux-3.14.28.orig/net/ipv4/udp.c |
586 |
+++ linux-3.14.27/net/ipv4/udp.c |
+++ linux-3.14.28/net/ipv4/udp.c |
587 |
@@ -1242,6 +1242,10 @@ try_again: |
@@ -1242,6 +1242,10 @@ try_again: |
588 |
&peeked, &off, &err); |
&peeked, &off, &err); |
589 |
if (!skb) |
if (!skb) |
595 |
|
|
596 |
ulen = skb->len - sizeof(struct udphdr); |
ulen = skb->len - sizeof(struct udphdr); |
597 |
copied = len; |
copied = len; |
598 |
--- linux-3.14.27.orig/net/ipv6/raw.c |
--- linux-3.14.28.orig/net/ipv6/raw.c |
599 |
+++ linux-3.14.27/net/ipv6/raw.c |
+++ linux-3.14.28/net/ipv6/raw.c |
600 |
@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
601 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
602 |
if (!skb) |
if (!skb) |
608 |
|
|
609 |
copied = skb->len; |
copied = skb->len; |
610 |
if (copied > len) { |
if (copied > len) { |
611 |
--- linux-3.14.27.orig/net/ipv6/udp.c |
--- linux-3.14.28.orig/net/ipv6/udp.c |
612 |
+++ linux-3.14.27/net/ipv6/udp.c |
+++ linux-3.14.28/net/ipv6/udp.c |
613 |
@@ -403,6 +403,10 @@ try_again: |
@@ -403,6 +403,10 @@ try_again: |
614 |
&peeked, &off, &err); |
&peeked, &off, &err); |
615 |
if (!skb) |
if (!skb) |
621 |
|
|
622 |
ulen = skb->len - sizeof(struct udphdr); |
ulen = skb->len - sizeof(struct udphdr); |
623 |
copied = len; |
copied = len; |
624 |
--- linux-3.14.27.orig/net/socket.c |
--- linux-3.14.28.orig/net/socket.c |
625 |
+++ linux-3.14.27/net/socket.c |
+++ linux-3.14.28/net/socket.c |
626 |
@@ -1633,6 +1633,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
@@ -1633,6 +1633,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
627 |
if (err < 0) |
if (err < 0) |
628 |
goto out_fd; |
goto out_fd; |
634 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
635 |
if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
636 |
&len, 2) < 0) { |
&len, 2) < 0) { |
637 |
--- linux-3.14.27.orig/net/unix/af_unix.c |
--- linux-3.14.28.orig/net/unix/af_unix.c |
638 |
+++ linux-3.14.27/net/unix/af_unix.c |
+++ linux-3.14.28/net/unix/af_unix.c |
639 |
@@ -1811,6 +1811,10 @@ static int unix_dgram_recvmsg(struct kio |
@@ -1811,6 +1811,10 @@ static int unix_dgram_recvmsg(struct kio |
640 |
wake_up_interruptible_sync_poll(&u->peer_wait, |
wake_up_interruptible_sync_poll(&u->peer_wait, |
641 |
POLLOUT | POLLWRNORM | POLLWRBAND); |
POLLOUT | POLLWRNORM | POLLWRBAND); |
647 |
if (msg->msg_name) |
if (msg->msg_name) |
648 |
unix_copy_addr(msg, skb->sk); |
unix_copy_addr(msg, skb->sk); |
649 |
|
|
650 |
--- linux-3.14.27.orig/security/Kconfig |
--- linux-3.14.28.orig/security/Kconfig |
651 |
+++ linux-3.14.27/security/Kconfig |
+++ linux-3.14.28/security/Kconfig |
652 |
@@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
@@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
653 |
default "yama" if DEFAULT_SECURITY_YAMA |
default "yama" if DEFAULT_SECURITY_YAMA |
654 |
default "" if DEFAULT_SECURITY_DAC |
default "" if DEFAULT_SECURITY_DAC |
657 |
+ |
+ |
658 |
endmenu |
endmenu |
659 |
|
|
660 |
--- linux-3.14.27.orig/security/Makefile |
--- linux-3.14.28.orig/security/Makefile |
661 |
+++ linux-3.14.27/security/Makefile |
+++ linux-3.14.28/security/Makefile |
662 |
@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
663 |
# Object integrity file lists |
# Object integrity file lists |
664 |
subdir-$(CONFIG_INTEGRITY) += integrity |
subdir-$(CONFIG_INTEGRITY) += integrity |
666 |
+ |
+ |
667 |
+subdir-$(CONFIG_CCSECURITY) += ccsecurity |
+subdir-$(CONFIG_CCSECURITY) += ccsecurity |
668 |
+obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o |
+obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o |
669 |
--- linux-3.14.27.orig/security/security.c |
--- linux-3.14.28.orig/security/security.c |
670 |
+++ linux-3.14.27/security/security.c |
+++ linux-3.14.28/security/security.c |
671 |
@@ -203,7 +203,10 @@ int security_syslog(int type) |
@@ -203,7 +203,10 @@ int security_syslog(int type) |
672 |
|
|
673 |
int security_settime(const struct timespec *ts, const struct timezone *tz) |
int security_settime(const struct timespec *ts, const struct timezone *tz) |