1 |
This is TOMOYO Linux patch for kernel 3.17.7. |
This is TOMOYO Linux patch for kernel 3.17.8. |
2 |
|
|
3 |
Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.7.tar.xz |
Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.8.tar.xz |
4 |
--- |
--- |
5 |
fs/exec.c | 2 |
fs/exec.c | 2 |
6 |
fs/open.c | 2 |
fs/open.c | 2 |
29 |
security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++----- |
security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++----- |
30 |
25 files changed, 252 insertions(+), 37 deletions(-) |
25 files changed, 252 insertions(+), 37 deletions(-) |
31 |
|
|
32 |
--- linux-3.17.7.orig/fs/exec.c |
--- linux-3.17.8.orig/fs/exec.c |
33 |
+++ linux-3.17.7/fs/exec.c |
+++ linux-3.17.8/fs/exec.c |
34 |
@@ -1408,7 +1408,7 @@ static int exec_binprm(struct linux_binp |
@@ -1408,7 +1408,7 @@ static int exec_binprm(struct linux_binp |
35 |
old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent)); |
36 |
rcu_read_unlock(); |
rcu_read_unlock(); |
40 |
if (ret >= 0) { |
if (ret >= 0) { |
41 |
audit_bprm(bprm); |
audit_bprm(bprm); |
42 |
trace_sched_process_exec(current, old_pid, bprm); |
trace_sched_process_exec(current, old_pid, bprm); |
43 |
--- linux-3.17.7.orig/fs/open.c |
--- linux-3.17.8.orig/fs/open.c |
44 |
+++ linux-3.17.7/fs/open.c |
+++ linux-3.17.8/fs/open.c |
45 |
@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close); |
@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close); |
46 |
*/ |
*/ |
47 |
SYSCALL_DEFINE0(vhangup) |
SYSCALL_DEFINE0(vhangup) |
51 |
if (capable(CAP_SYS_TTY_CONFIG)) { |
if (capable(CAP_SYS_TTY_CONFIG)) { |
52 |
tty_vhangup_self(); |
tty_vhangup_self(); |
53 |
return 0; |
return 0; |
54 |
--- linux-3.17.7.orig/fs/proc/version.c |
--- linux-3.17.8.orig/fs/proc/version.c |
55 |
+++ linux-3.17.7/fs/proc/version.c |
+++ linux-3.17.8/fs/proc/version.c |
56 |
@@ -32,3 +32,10 @@ static int __init proc_version_init(void |
@@ -32,3 +32,10 @@ static int __init proc_version_init(void |
57 |
return 0; |
return 0; |
58 |
} |
} |
60 |
+ |
+ |
61 |
+static int __init ccs_show_version(void) |
+static int __init ccs_show_version(void) |
62 |
+{ |
+{ |
63 |
+ printk(KERN_INFO "Hook version: 3.17.7 2014/12/22\n"); |
+ printk(KERN_INFO "Hook version: 3.17.8 2015/01/12\n"); |
64 |
+ return 0; |
+ return 0; |
65 |
+} |
+} |
66 |
+fs_initcall(ccs_show_version); |
+fs_initcall(ccs_show_version); |
67 |
--- linux-3.17.7.orig/include/linux/init_task.h |
--- linux-3.17.8.orig/include/linux/init_task.h |
68 |
+++ linux-3.17.7/include/linux/init_task.h |
+++ linux-3.17.8/include/linux/init_task.h |
69 |
@@ -157,6 +157,14 @@ extern struct task_group root_task_group |
@@ -157,6 +157,14 @@ extern struct task_group root_task_group |
70 |
# define INIT_RT_MUTEXES(tsk) |
# define INIT_RT_MUTEXES(tsk) |
71 |
#endif |
#endif |
89 |
} |
} |
90 |
|
|
91 |
|
|
92 |
--- linux-3.17.7.orig/include/linux/sched.h |
--- linux-3.17.8.orig/include/linux/sched.h |
93 |
+++ linux-3.17.7/include/linux/sched.h |
+++ linux-3.17.8/include/linux/sched.h |
94 |
@@ -6,6 +6,8 @@ |
@@ -6,6 +6,8 @@ |
95 |
#include <linux/sched/prio.h> |
#include <linux/sched/prio.h> |
96 |
|
|
111 |
}; |
}; |
112 |
|
|
113 |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
/* Future-safe accessor for struct task_struct's cpus_allowed. */ |
114 |
--- linux-3.17.7.orig/include/linux/security.h |
--- linux-3.17.8.orig/include/linux/security.h |
115 |
+++ linux-3.17.7/include/linux/security.h |
+++ linux-3.17.8/include/linux/security.h |
116 |
@@ -53,6 +53,7 @@ struct msg_queue; |
@@ -53,6 +53,7 @@ struct msg_queue; |
117 |
struct xattr; |
struct xattr; |
118 |
struct xfrm_sec_ctx; |
struct xfrm_sec_ctx; |
324 |
} |
} |
325 |
#endif /* CONFIG_SECURITY_PATH */ |
#endif /* CONFIG_SECURITY_PATH */ |
326 |
|
|
327 |
--- linux-3.17.7.orig/include/net/ip.h |
--- linux-3.17.8.orig/include/net/ip.h |
328 |
+++ linux-3.17.7/include/net/ip.h |
+++ linux-3.17.8/include/net/ip.h |
329 |
@@ -212,6 +212,8 @@ void inet_get_local_port_range(struct ne |
@@ -212,6 +212,8 @@ void inet_get_local_port_range(struct ne |
330 |
#ifdef CONFIG_SYSCTL |
#ifdef CONFIG_SYSCTL |
331 |
static inline int inet_is_local_reserved_port(struct net *net, int port) |
static inline int inet_is_local_reserved_port(struct net *net, int port) |
344 |
return 0; |
return 0; |
345 |
} |
} |
346 |
#endif |
#endif |
347 |
--- linux-3.17.7.orig/kernel/fork.c |
--- linux-3.17.8.orig/kernel/fork.c |
348 |
+++ linux-3.17.7/kernel/fork.c |
+++ linux-3.17.8/kernel/fork.c |
349 |
@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc |
@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc |
350 |
delayacct_tsk_free(tsk); |
delayacct_tsk_free(tsk); |
351 |
put_signal_struct(tsk->signal); |
put_signal_struct(tsk->signal); |
372 |
bad_fork_cleanup_perf: |
bad_fork_cleanup_perf: |
373 |
perf_event_free_task(p); |
perf_event_free_task(p); |
374 |
bad_fork_cleanup_policy: |
bad_fork_cleanup_policy: |
375 |
--- linux-3.17.7.orig/kernel/kexec.c |
--- linux-3.17.8.orig/kernel/kexec.c |
376 |
+++ linux-3.17.7/kernel/kexec.c |
+++ linux-3.17.8/kernel/kexec.c |
377 |
@@ -41,6 +41,7 @@ |
@@ -41,6 +41,7 @@ |
378 |
#include <asm/uaccess.h> |
#include <asm/uaccess.h> |
379 |
#include <asm/io.h> |
#include <asm/io.h> |
391 |
|
|
392 |
/* |
/* |
393 |
* Verify we have a legal set of flags |
* Verify we have a legal set of flags |
394 |
--- linux-3.17.7.orig/kernel/module.c |
--- linux-3.17.8.orig/kernel/module.c |
395 |
+++ linux-3.17.7/kernel/module.c |
+++ linux-3.17.8/kernel/module.c |
396 |
@@ -62,6 +62,7 @@ |
@@ -62,6 +62,7 @@ |
397 |
#include <linux/bsearch.h> |
#include <linux/bsearch.h> |
398 |
#include <uapi/linux/module.h> |
#include <uapi/linux/module.h> |
419 |
|
|
420 |
return 0; |
return 0; |
421 |
} |
} |
422 |
--- linux-3.17.7.orig/kernel/ptrace.c |
--- linux-3.17.8.orig/kernel/ptrace.c |
423 |
+++ linux-3.17.7/kernel/ptrace.c |
+++ linux-3.17.8/kernel/ptrace.c |
424 |
@@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
@@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l |
425 |
{ |
{ |
426 |
struct task_struct *child; |
struct task_struct *child; |
445 |
|
|
446 |
if (request == PTRACE_TRACEME) { |
if (request == PTRACE_TRACEME) { |
447 |
ret = ptrace_traceme(); |
ret = ptrace_traceme(); |
448 |
--- linux-3.17.7.orig/kernel/reboot.c |
--- linux-3.17.8.orig/kernel/reboot.c |
449 |
+++ linux-3.17.7/kernel/reboot.c |
+++ linux-3.17.8/kernel/reboot.c |
450 |
@@ -16,6 +16,7 @@ |
@@ -16,6 +16,7 @@ |
451 |
#include <linux/syscalls.h> |
#include <linux/syscalls.h> |
452 |
#include <linux/syscore_ops.h> |
#include <linux/syscore_ops.h> |
464 |
|
|
465 |
/* |
/* |
466 |
* If pid namespaces are enabled and the current task is in a child |
* If pid namespaces are enabled and the current task is in a child |
467 |
--- linux-3.17.7.orig/kernel/sched/core.c |
--- linux-3.17.8.orig/kernel/sched/core.c |
468 |
+++ linux-3.17.7/kernel/sched/core.c |
+++ linux-3.17.8/kernel/sched/core.c |
469 |
@@ -3123,6 +3123,8 @@ int can_nice(const struct task_struct *p |
@@ -3123,6 +3123,8 @@ int can_nice(const struct task_struct *p |
470 |
SYSCALL_DEFINE1(nice, int, increment) |
SYSCALL_DEFINE1(nice, int, increment) |
471 |
{ |
{ |
475 |
|
|
476 |
/* |
/* |
477 |
* Setpriority might change our priority at the same moment. |
* Setpriority might change our priority at the same moment. |
478 |
--- linux-3.17.7.orig/kernel/signal.c |
--- linux-3.17.8.orig/kernel/signal.c |
479 |
+++ linux-3.17.7/kernel/signal.c |
+++ linux-3.17.8/kernel/signal.c |
480 |
@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s |
481 |
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) |
482 |
{ |
{ |
522 |
|
|
523 |
return do_send_specific(tgid, pid, sig, info); |
return do_send_specific(tgid, pid, sig, info); |
524 |
} |
} |
525 |
--- linux-3.17.7.orig/kernel/sys.c |
--- linux-3.17.8.orig/kernel/sys.c |
526 |
+++ linux-3.17.7/kernel/sys.c |
+++ linux-3.17.8/kernel/sys.c |
527 |
@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which, |
528 |
|
|
529 |
if (which > PRIO_USER || which < PRIO_PROCESS) |
if (which > PRIO_USER || which < PRIO_PROCESS) |
553 |
|
|
554 |
down_write(&uts_sem); |
down_write(&uts_sem); |
555 |
errno = -EFAULT; |
errno = -EFAULT; |
556 |
--- linux-3.17.7.orig/kernel/time/ntp.c |
--- linux-3.17.8.orig/kernel/time/ntp.c |
557 |
+++ linux-3.17.7/kernel/time/ntp.c |
+++ linux-3.17.8/kernel/time/ntp.c |
558 |
@@ -16,6 +16,7 @@ |
@@ -16,6 +16,7 @@ |
559 |
#include <linux/mm.h> |
#include <linux/mm.h> |
560 |
#include <linux/module.h> |
#include <linux/module.h> |
588 |
|
|
589 |
return 0; |
return 0; |
590 |
} |
} |
591 |
--- linux-3.17.7.orig/net/ipv4/raw.c |
--- linux-3.17.8.orig/net/ipv4/raw.c |
592 |
+++ linux-3.17.7/net/ipv4/raw.c |
+++ linux-3.17.8/net/ipv4/raw.c |
593 |
@@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc |
@@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc |
594 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
595 |
if (!skb) |
if (!skb) |
601 |
|
|
602 |
copied = skb->len; |
copied = skb->len; |
603 |
if (len < copied) { |
if (len < copied) { |
604 |
--- linux-3.17.7.orig/net/ipv4/udp.c |
--- linux-3.17.8.orig/net/ipv4/udp.c |
605 |
+++ linux-3.17.7/net/ipv4/udp.c |
+++ linux-3.17.8/net/ipv4/udp.c |
606 |
@@ -1260,6 +1260,10 @@ try_again: |
@@ -1260,6 +1260,10 @@ try_again: |
607 |
&peeked, &off, &err); |
&peeked, &off, &err); |
608 |
if (!skb) |
if (!skb) |
614 |
|
|
615 |
ulen = skb->len - sizeof(struct udphdr); |
ulen = skb->len - sizeof(struct udphdr); |
616 |
copied = len; |
copied = len; |
617 |
--- linux-3.17.7.orig/net/ipv6/raw.c |
--- linux-3.17.8.orig/net/ipv6/raw.c |
618 |
+++ linux-3.17.7/net/ipv6/raw.c |
+++ linux-3.17.8/net/ipv6/raw.c |
619 |
@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i |
620 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
621 |
if (!skb) |
if (!skb) |
627 |
|
|
628 |
copied = skb->len; |
copied = skb->len; |
629 |
if (copied > len) { |
if (copied > len) { |
630 |
--- linux-3.17.7.orig/net/ipv6/udp.c |
--- linux-3.17.8.orig/net/ipv6/udp.c |
631 |
+++ linux-3.17.7/net/ipv6/udp.c |
+++ linux-3.17.8/net/ipv6/udp.c |
632 |
@@ -402,6 +402,10 @@ try_again: |
@@ -402,6 +402,10 @@ try_again: |
633 |
&peeked, &off, &err); |
&peeked, &off, &err); |
634 |
if (!skb) |
if (!skb) |
640 |
|
|
641 |
ulen = skb->len - sizeof(struct udphdr); |
ulen = skb->len - sizeof(struct udphdr); |
642 |
copied = len; |
copied = len; |
643 |
--- linux-3.17.7.orig/net/socket.c |
--- linux-3.17.8.orig/net/socket.c |
644 |
+++ linux-3.17.7/net/socket.c |
+++ linux-3.17.8/net/socket.c |
645 |
@@ -1642,6 +1642,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
@@ -1642,6 +1642,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct |
646 |
if (err < 0) |
if (err < 0) |
647 |
goto out_fd; |
goto out_fd; |
653 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
654 |
if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
if (newsock->ops->getname(newsock, (struct sockaddr *)&address, |
655 |
&len, 2) < 0) { |
&len, 2) < 0) { |
656 |
--- linux-3.17.7.orig/net/unix/af_unix.c |
--- linux-3.17.8.orig/net/unix/af_unix.c |
657 |
+++ linux-3.17.7/net/unix/af_unix.c |
+++ linux-3.17.8/net/unix/af_unix.c |
658 |
@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio |
@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio |
659 |
wake_up_interruptible_sync_poll(&u->peer_wait, |
wake_up_interruptible_sync_poll(&u->peer_wait, |
660 |
POLLOUT | POLLWRNORM | POLLWRBAND); |
POLLOUT | POLLWRNORM | POLLWRBAND); |
666 |
if (msg->msg_name) |
if (msg->msg_name) |
667 |
unix_copy_addr(msg, skb->sk); |
unix_copy_addr(msg, skb->sk); |
668 |
|
|
669 |
--- linux-3.17.7.orig/security/Kconfig |
--- linux-3.17.8.orig/security/Kconfig |
670 |
+++ linux-3.17.7/security/Kconfig |
+++ linux-3.17.8/security/Kconfig |
671 |
@@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
@@ -167,5 +167,7 @@ config DEFAULT_SECURITY |
672 |
default "yama" if DEFAULT_SECURITY_YAMA |
default "yama" if DEFAULT_SECURITY_YAMA |
673 |
default "" if DEFAULT_SECURITY_DAC |
default "" if DEFAULT_SECURITY_DAC |
676 |
+ |
+ |
677 |
endmenu |
endmenu |
678 |
|
|
679 |
--- linux-3.17.7.orig/security/Makefile |
--- linux-3.17.8.orig/security/Makefile |
680 |
+++ linux-3.17.7/security/Makefile |
+++ linux-3.17.8/security/Makefile |
681 |
@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c |
682 |
# Object integrity file lists |
# Object integrity file lists |
683 |
subdir-$(CONFIG_INTEGRITY) += integrity |
subdir-$(CONFIG_INTEGRITY) += integrity |
685 |
+ |
+ |
686 |
+subdir-$(CONFIG_CCSECURITY) += ccsecurity |
+subdir-$(CONFIG_CCSECURITY) += ccsecurity |
687 |
+obj-$(CONFIG_CCSECURITY) += ccsecurity/ |
+obj-$(CONFIG_CCSECURITY) += ccsecurity/ |
688 |
--- linux-3.17.7.orig/security/security.c |
--- linux-3.17.8.orig/security/security.c |
689 |
+++ linux-3.17.7/security/security.c |
+++ linux-3.17.8/security/security.c |
690 |
@@ -203,7 +203,10 @@ int security_syslog(int type) |
@@ -203,7 +203,10 @@ int security_syslog(int type) |
691 |
|
|
692 |
int security_settime(const struct timespec *ts, const struct timezone *tz) |
int security_settime(const struct timespec *ts, const struct timezone *tz) |