commit: e05eddec51d22c65f66a5fbd829c3f2af91db509 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Wed Dec 21 21:10:17 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Wed Dec 21 21:10:17 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=e05eddec |
|
RSBAC: bump to patch-linux-3.1.5-rsbac-1.4.6.diff |
|
--- |
3.0.8/0000_README | 56 - |
3.0.8/1007_linux-3.0.8.patch | 1472 --------------- |
3.1.5/0000_README | 8 + |
.../4500_patch-linux-3.1.5-rsbac-1.4.6.diff | 1933 +++++++++++--------- |
4 files changed, 1078 insertions(+), 2391 deletions(-) |
|
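diff --git a/3.0.8/0000_README b/3.0.8/0000_README
deleted file mode 100644
index 9cfe0c0..0000000
--- a/3.0.8/0000_README
+++ /dev/null
@@ -1,56 +0,0 @@
-README
------------------------------------------------------------------------------
-
-Individual Patch Descriptions:
------------------------------------------------------------------------------
-Patch: 1007_linux-3.0.8.patch
-From: http://www.kernel.org
-Desc: Linux 3.0.8
-
-Patch: 4420_grsecurity-2.2.2-3.0.8-201110250925.patch
-From: http://www.grsecurity.net
-Desc: hardened-sources base patch from upstream grsecurity
-
-Patch: 4421_grsec-remove-localversion-grsec.patch
-From: Kerin Millar <kerframil@×××××.com>
-Desc: Removes grsecurity's localversion-grsec file
-
-Patch: 4422_grsec-mute-warnings.patch
-From: Alexander Gabert <gaberta@××××××××.de>
- Gordon Malm <gengor@g.o>
-Desc: Removes verbose compile warning settings from grsecurity, restores
- mainline Linux kernel behavior
-
-Patch: 4423_grsec-remove-protected-paths.patch
-From: Anthony G. Basile <blueness@g.o>
-Desc: Removes chmod statements from grsecurity/Makefile
-
-Patch: 4425_grsec-pax-without-grsec.patch
-From: Gordon Malm <gengor@g.o>
-Desc: Allows PaX features to be selected without enabling GRKERNSEC
-
-Patch: 4430_grsec-kconfig-default-gids.patch
-From: Kerin Millar <kerframil@×××××.com>
-Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
- features
-
-Patch: 4435_grsec-kconfig-gentoo.patch
-From: Gordon Malm <gengor@g.o>
- Kerin Millar <kerframil@×××××.com>
- Anthony G. Basile <blueness@g.o>
-Desc: Adds Hardened Gentoo [server/workstation/virtualization] security levels,
- sets Hardened Gentoo [workstation] as default
-
-Patch: 4440_selinux-avc_audit-log-curr_ip.patch
-From: Gordon Malm <gengor@g.o>
- Anthony G. Basile <blueness@g.o>
-Desc: Configurable option to add src IP address to SELinux log messages
-
-Patch: 4445_disable-compat_vdso.patch
-From: Gordon Malm <gengor@g.o>
- Kerin Millar <kerframil@×××××.com>
-Desc: Disables VDSO_COMPAT operation completely
-
-Patch: 4500_rsbac.patch
-From: Amon Ott <ao@×××××.org>
-Desc: RSBAC patch from http://www.rsbac.org/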
80 |
diff --git a/3.0.8/1007_linux-3.0.8.patch b/3.0.8/1007_linux-3.0.8.patch |
81 |
deleted file mode 100644 |
82 |
index 62a4bb6..0000000 |
83 |
--- a/3.0.8/1007_linux-3.0.8.patch |
84 |
+++ /dev/null |
85 |
@@ -1,1472 +0,0 @@ |
86 |
-diff --git a/Makefile b/Makefile |
87 |
-index 11c4249..9f6e3cd 100644 |
88 |
---- a/Makefile |
89 |
-+++ b/Makefile |
90 |
-@@ -1,6 +1,6 @@ |
91 |
- VERSION = 3 |
92 |
- PATCHLEVEL = 0 |
93 |
--SUBLEVEL = 7 |
94 |
-+SUBLEVEL = 8 |
95 |
- EXTRAVERSION = |
96 |
- NAME = Sneaky Weasel |
97 |
- |
98 |
-diff --git a/arch/arm/kernel/perf_event_v7.c b/arch/arm/kernel/perf_event_v7.c |
99 |
-index 4960686..4372763 100644 |
100 |
---- a/arch/arm/kernel/perf_event_v7.c |
101 |
-+++ b/arch/arm/kernel/perf_event_v7.c |
102 |
-@@ -264,8 +264,8 @@ static const unsigned armv7_a9_perf_map[PERF_COUNT_HW_MAX] = { |
103 |
- [PERF_COUNT_HW_CPU_CYCLES] = ARMV7_PERFCTR_CPU_CYCLES, |
104 |
- [PERF_COUNT_HW_INSTRUCTIONS] = |
105 |
- ARMV7_PERFCTR_INST_OUT_OF_RENAME_STAGE, |
106 |
-- [PERF_COUNT_HW_CACHE_REFERENCES] = ARMV7_PERFCTR_COHERENT_LINE_HIT, |
107 |
-- [PERF_COUNT_HW_CACHE_MISSES] = ARMV7_PERFCTR_COHERENT_LINE_MISS, |
108 |
-+ [PERF_COUNT_HW_CACHE_REFERENCES] = ARMV7_PERFCTR_DCACHE_ACCESS, |
109 |
-+ [PERF_COUNT_HW_CACHE_MISSES] = ARMV7_PERFCTR_DCACHE_REFILL, |
110 |
- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = ARMV7_PERFCTR_PC_WRITE, |
111 |
- [PERF_COUNT_HW_BRANCH_MISSES] = ARMV7_PERFCTR_PC_BRANCH_MIS_PRED, |
112 |
- [PERF_COUNT_HW_BUS_CYCLES] = ARMV7_PERFCTR_CLOCK_CYCLES, |
113 |
-diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c |
114 |
-index c19571c..4a4eba5 100644 |
115 |
---- a/arch/arm/mm/init.c |
116 |
-+++ b/arch/arm/mm/init.c |
117 |
-@@ -473,6 +473,13 @@ static void __init free_unused_memmap(struct meminfo *mi) |
118 |
- */ |
119 |
- bank_start = min(bank_start, |
120 |
- ALIGN(prev_bank_end, PAGES_PER_SECTION)); |
121 |
-+#else |
122 |
-+ /* |
123 |
-+ * Align down here since the VM subsystem insists that the |
124 |
-+ * memmap entries are valid from the bank start aligned to |
125 |
-+ * MAX_ORDER_NR_PAGES. |
126 |
-+ */ |
127 |
-+ bank_start = round_down(bank_start, MAX_ORDER_NR_PAGES); |
128 |
- #endif |
129 |
- /* |
130 |
- * If we had a previous bank, and there is a space |
131 |
-diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c |
132 |
-index 3032644..87488b9 100644 |
133 |
---- a/arch/x86/mm/init.c |
134 |
-+++ b/arch/x86/mm/init.c |
135 |
-@@ -63,9 +63,8 @@ static void __init find_early_table_space(unsigned long end, int use_pse, |
136 |
- #ifdef CONFIG_X86_32 |
137 |
- /* for fixmap */ |
138 |
- tables += roundup(__end_of_fixed_addresses * sizeof(pte_t), PAGE_SIZE); |
139 |
-- |
140 |
-- good_end = max_pfn_mapped << PAGE_SHIFT; |
141 |
- #endif |
142 |
-+ good_end = max_pfn_mapped << PAGE_SHIFT; |
143 |
- |
144 |
- base = memblock_find_in_range(start, good_end, tables, PAGE_SIZE); |
145 |
- if (base == MEMBLOCK_ERROR) |
146 |
-diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c |
147 |
-index be44256..7835b8f 100644 |
148 |
---- a/crypto/ghash-generic.c |
149 |
-+++ b/crypto/ghash-generic.c |
150 |
-@@ -67,6 +67,9 @@ static int ghash_update(struct shash_desc *desc, |
151 |
- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); |
152 |
- u8 *dst = dctx->buffer; |
153 |
- |
154 |
-+ if (!ctx->gf128) |
155 |
-+ return -ENOKEY; |
156 |
-+ |
157 |
- if (dctx->bytes) { |
158 |
- int n = min(srclen, dctx->bytes); |
159 |
- u8 *pos = dst + (GHASH_BLOCK_SIZE - dctx->bytes); |
160 |
-@@ -119,6 +122,9 @@ static int ghash_final(struct shash_desc *desc, u8 *dst) |
161 |
- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); |
162 |
- u8 *buf = dctx->buffer; |
163 |
- |
164 |
-+ if (!ctx->gf128) |
165 |
-+ return -ENOKEY; |
166 |
-+ |
167 |
- ghash_flush(ctx, dctx); |
168 |
- memcpy(dst, buf, GHASH_BLOCK_SIZE); |
169 |
- |
170 |
-diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c |
171 |
-index 41841a3..17cef86 100644 |
172 |
---- a/drivers/firewire/sbp2.c |
173 |
-+++ b/drivers/firewire/sbp2.c |
174 |
-@@ -1198,6 +1198,10 @@ static int sbp2_remove(struct device *dev) |
175 |
- { |
176 |
- struct fw_unit *unit = fw_unit(dev); |
177 |
- struct sbp2_target *tgt = dev_get_drvdata(&unit->device); |
178 |
-+ struct sbp2_logical_unit *lu; |
179 |
-+ |
180 |
-+ list_for_each_entry(lu, &tgt->lu_list, link) |
181 |
-+ cancel_delayed_work_sync(&lu->work); |
182 |
- |
183 |
- sbp2_target_put(tgt); |
184 |
- return 0; |
185 |
-diff --git a/drivers/gpu/drm/radeon/atom.c b/drivers/gpu/drm/radeon/atom.c |
186 |
-index ebdb0fd..9a0aee2 100644 |
187 |
---- a/drivers/gpu/drm/radeon/atom.c |
188 |
-+++ b/drivers/gpu/drm/radeon/atom.c |
189 |
-@@ -277,7 +277,12 @@ static uint32_t atom_get_src_int(atom_exec_context *ctx, uint8_t attr, |
190 |
- case ATOM_ARG_FB: |
191 |
- idx = U8(*ptr); |
192 |
- (*ptr)++; |
193 |
-- val = gctx->scratch[((gctx->fb_base + idx) / 4)]; |
194 |
-+ if ((gctx->fb_base + (idx * 4)) > gctx->scratch_size_bytes) { |
195 |
-+ DRM_ERROR("ATOM: fb read beyond scratch region: %d vs. %d\n", |
196 |
-+ gctx->fb_base + (idx * 4), gctx->scratch_size_bytes); |
197 |
-+ val = 0; |
198 |
-+ } else |
199 |
-+ val = gctx->scratch[(gctx->fb_base / 4) + idx]; |
200 |
- if (print) |
201 |
- DEBUG("FB[0x%02X]", idx); |
202 |
- break; |
203 |
-@@ -531,7 +536,11 @@ static void atom_put_dst(atom_exec_context *ctx, int arg, uint8_t attr, |
204 |
- case ATOM_ARG_FB: |
205 |
- idx = U8(*ptr); |
206 |
- (*ptr)++; |
207 |
-- gctx->scratch[((gctx->fb_base + idx) / 4)] = val; |
208 |
-+ if ((gctx->fb_base + (idx * 4)) > gctx->scratch_size_bytes) { |
209 |
-+ DRM_ERROR("ATOM: fb write beyond scratch region: %d vs. %d\n", |
210 |
-+ gctx->fb_base + (idx * 4), gctx->scratch_size_bytes); |
211 |
-+ } else |
212 |
-+ gctx->scratch[(gctx->fb_base / 4) + idx] = val; |
213 |
- DEBUG("FB[0x%02X]", idx); |
214 |
- break; |
215 |
- case ATOM_ARG_PLL: |
216 |
-@@ -1367,11 +1376,13 @@ int atom_allocate_fb_scratch(struct atom_context *ctx) |
217 |
- |
218 |
- usage_bytes = firmware_usage->asFirmwareVramReserveInfo[0].usFirmwareUseInKb * 1024; |
219 |
- } |
220 |
-+ ctx->scratch_size_bytes = 0; |
221 |
- if (usage_bytes == 0) |
222 |
- usage_bytes = 20 * 1024; |
223 |
- /* allocate some scratch memory */ |
224 |
- ctx->scratch = kzalloc(usage_bytes, GFP_KERNEL); |
225 |
- if (!ctx->scratch) |
226 |
- return -ENOMEM; |
227 |
-+ ctx->scratch_size_bytes = usage_bytes; |
228 |
- return 0; |
229 |
- } |
230 |
-diff --git a/drivers/gpu/drm/radeon/atom.h b/drivers/gpu/drm/radeon/atom.h |
231 |
-index a589a55..93cfe20 100644 |
232 |
---- a/drivers/gpu/drm/radeon/atom.h |
233 |
-+++ b/drivers/gpu/drm/radeon/atom.h |
234 |
-@@ -137,6 +137,7 @@ struct atom_context { |
235 |
- int cs_equal, cs_above; |
236 |
- int io_mode; |
237 |
- uint32_t *scratch; |
238 |
-+ int scratch_size_bytes; |
239 |
- }; |
240 |
- |
241 |
- extern int atom_debug; |
242 |
-diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c |
243 |
-index b7f0726..e2b2d78 100644 |
244 |
---- a/drivers/gpu/drm/ttm/ttm_bo.c |
245 |
-+++ b/drivers/gpu/drm/ttm/ttm_bo.c |
246 |
-@@ -392,10 +392,12 @@ static int ttm_bo_handle_move_mem(struct ttm_buffer_object *bo, |
247 |
- * Create and bind a ttm if required. |
248 |
- */ |
249 |
- |
250 |
-- if (!(new_man->flags & TTM_MEMTYPE_FLAG_FIXED) && (bo->ttm == NULL)) { |
251 |
-- ret = ttm_bo_add_ttm(bo, false); |
252 |
-- if (ret) |
253 |
-- goto out_err; |
254 |
-+ if (!(new_man->flags & TTM_MEMTYPE_FLAG_FIXED)) { |
255 |
-+ if (bo->ttm == NULL) { |
256 |
-+ ret = ttm_bo_add_ttm(bo, false); |
257 |
-+ if (ret) |
258 |
-+ goto out_err; |
259 |
-+ } |
260 |
- |
261 |
- ret = ttm_tt_set_placement_caching(bo->ttm, mem->placement); |
262 |
- if (ret) |
263 |
-diff --git a/drivers/gpu/drm/ttm/ttm_bo_util.c b/drivers/gpu/drm/ttm/ttm_bo_util.c |
264 |
-index 77dbf40..ae3c6f5 100644 |
265 |
---- a/drivers/gpu/drm/ttm/ttm_bo_util.c |
266 |
-+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c |
267 |
-@@ -635,13 +635,13 @@ int ttm_bo_move_accel_cleanup(struct ttm_buffer_object *bo, |
268 |
- if (ret) |
269 |
- return ret; |
270 |
- |
271 |
-- ttm_bo_free_old_node(bo); |
272 |
- if ((man->flags & TTM_MEMTYPE_FLAG_FIXED) && |
273 |
- (bo->ttm != NULL)) { |
274 |
- ttm_tt_unbind(bo->ttm); |
275 |
- ttm_tt_destroy(bo->ttm); |
276 |
- bo->ttm = NULL; |
277 |
- } |
278 |
-+ ttm_bo_free_old_node(bo); |
279 |
- } else { |
280 |
- /** |
281 |
- * This should help pipeline ordinary buffer moves. |
282 |
-diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h |
283 |
-index a756ee6..c946d90 100644 |
284 |
---- a/drivers/hid/hid-ids.h |
285 |
-+++ b/drivers/hid/hid-ids.h |
286 |
-@@ -568,6 +568,9 @@ |
287 |
- #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001 |
288 |
- #define USB_DEVICE_ID_SAMSUNG_WIRELESS_KBD_MOUSE 0x0600 |
289 |
- |
290 |
-+#define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f |
291 |
-+#define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002 |
292 |
-+ |
293 |
- #define USB_VENDOR_ID_SKYCABLE 0x1223 |
294 |
- #define USB_DEVICE_ID_SKYCABLE_WIRELESS_PRESENTER 0x3F07 |
295 |
- |
296 |
-diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c |
297 |
-index 0ec91c1..56d0539 100644 |
298 |
---- a/drivers/hid/hid-magicmouse.c |
299 |
-+++ b/drivers/hid/hid-magicmouse.c |
300 |
-@@ -501,9 +501,17 @@ static int magicmouse_probe(struct hid_device *hdev, |
301 |
- } |
302 |
- report->size = 6; |
303 |
- |
304 |
-+ /* |
305 |
-+ * Some devices repond with 'invalid report id' when feature |
306 |
-+ * report switching it into multitouch mode is sent to it. |
307 |
-+ * |
308 |
-+ * This results in -EIO from the _raw low-level transport callback, |
309 |
-+ * but there seems to be no other way of switching the mode. |
310 |
-+ * Thus the super-ugly hacky success check below. |
311 |
-+ */ |
312 |
- ret = hdev->hid_output_raw_report(hdev, feature, sizeof(feature), |
313 |
- HID_FEATURE_REPORT); |
314 |
-- if (ret != sizeof(feature)) { |
315 |
-+ if (ret != -EIO && ret != sizeof(feature)) { |
316 |
- hid_err(hdev, "unable to request touch data (%d)\n", ret); |
317 |
- goto err_stop_hw; |
318 |
- } |
319 |
-diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c |
320 |
-index 621959d..4bdb5d4 100644 |
321 |
---- a/drivers/hid/usbhid/hid-quirks.c |
322 |
-+++ b/drivers/hid/usbhid/hid-quirks.c |
323 |
-@@ -89,6 +89,7 @@ static const struct hid_blacklist { |
324 |
- |
325 |
- { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_MULTI_TOUCH, HID_QUIRK_MULTI_INPUT }, |
326 |
- { USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS, HID_QUIRK_MULTI_INPUT }, |
327 |
-+ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, |
328 |
- { 0, 0 } |
329 |
- }; |
330 |
- |
331 |
-diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c |
332 |
-index f2b377c..36d7f27 100644 |
333 |
---- a/drivers/hwmon/w83627ehf.c |
334 |
-+++ b/drivers/hwmon/w83627ehf.c |
335 |
-@@ -390,7 +390,7 @@ temp_from_reg(u16 reg, s16 regval) |
336 |
- { |
337 |
- if (is_word_sized(reg)) |
338 |
- return LM75_TEMP_FROM_REG(regval); |
339 |
-- return regval * 1000; |
340 |
-+ return ((s8)regval) * 1000; |
341 |
- } |
342 |
- |
343 |
- static inline u16 |
344 |
-@@ -398,7 +398,8 @@ temp_to_reg(u16 reg, long temp) |
345 |
- { |
346 |
- if (is_word_sized(reg)) |
347 |
- return LM75_TEMP_TO_REG(temp); |
348 |
-- return DIV_ROUND_CLOSEST(SENSORS_LIMIT(temp, -127000, 128000), 1000); |
349 |
-+ return (s8)DIV_ROUND_CLOSEST(SENSORS_LIMIT(temp, -127000, 128000), |
350 |
-+ 1000); |
351 |
- } |
352 |
- |
353 |
- /* Some of analog inputs have internal scaling (2x), 8mV is ADC LSB */ |
354 |
-@@ -1715,7 +1716,8 @@ static void w83627ehf_device_remove_files(struct device *dev) |
355 |
- } |
356 |
- |
357 |
- /* Get the monitoring functions started */ |
358 |
--static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data) |
359 |
-+static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data, |
360 |
-+ enum kinds kind) |
361 |
- { |
362 |
- int i; |
363 |
- u8 tmp, diode; |
364 |
-@@ -1746,10 +1748,16 @@ static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data) |
365 |
- w83627ehf_write_value(data, W83627EHF_REG_VBAT, tmp | 0x01); |
366 |
- |
367 |
- /* Get thermal sensor types */ |
368 |
-- diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); |
369 |
-+ switch (kind) { |
370 |
-+ case w83627ehf: |
371 |
-+ diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); |
372 |
-+ break; |
373 |
-+ default: |
374 |
-+ diode = 0x70; |
375 |
-+ } |
376 |
- for (i = 0; i < 3; i++) { |
377 |
- if ((tmp & (0x02 << i))) |
378 |
-- data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 2; |
379 |
-+ data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 3; |
380 |
- else |
381 |
- data->temp_type[i] = 4; /* thermistor */ |
382 |
- } |
383 |
-@@ -2016,7 +2024,7 @@ static int __devinit w83627ehf_probe(struct platform_device *pdev) |
384 |
- } |
385 |
- |
386 |
- /* Initialize the chip */ |
387 |
-- w83627ehf_init_device(data); |
388 |
-+ w83627ehf_init_device(data, sio_data->kind); |
389 |
- |
390 |
- data->vrm = vid_which_vrm(); |
391 |
- superio_enter(sio_data->sioreg); |
392 |
-diff --git a/drivers/media/video/uvc/uvc_entity.c b/drivers/media/video/uvc/uvc_entity.c |
393 |
-index 48fea37..29e2399 100644 |
394 |
---- a/drivers/media/video/uvc/uvc_entity.c |
395 |
-+++ b/drivers/media/video/uvc/uvc_entity.c |
396 |
-@@ -49,7 +49,7 @@ static int uvc_mc_register_entity(struct uvc_video_chain *chain, |
397 |
- if (remote == NULL) |
398 |
- return -EINVAL; |
399 |
- |
400 |
-- source = (UVC_ENTITY_TYPE(remote) != UVC_TT_STREAMING) |
401 |
-+ source = (UVC_ENTITY_TYPE(remote) == UVC_TT_STREAMING) |
402 |
- ? (remote->vdev ? &remote->vdev->entity : NULL) |
403 |
- : &remote->subdev.entity; |
404 |
- if (source == NULL) |
405 |
-diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c |
406 |
-index d347116..1658575 100644 |
407 |
---- a/drivers/platform/x86/samsung-laptop.c |
408 |
-+++ b/drivers/platform/x86/samsung-laptop.c |
409 |
-@@ -601,6 +601,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = { |
410 |
- .callback = dmi_check_cb, |
411 |
- }, |
412 |
- { |
413 |
-+ .ident = "N150/N210/N220", |
414 |
-+ .matches = { |
415 |
-+ DMI_MATCH(DMI_SYS_VENDOR, |
416 |
-+ "SAMSUNG ELECTRONICS CO., LTD."), |
417 |
-+ DMI_MATCH(DMI_PRODUCT_NAME, "N150/N210/N220"), |
418 |
-+ DMI_MATCH(DMI_BOARD_NAME, "N150/N210/N220"), |
419 |
-+ }, |
420 |
-+ .callback = dmi_check_cb, |
421 |
-+ }, |
422 |
-+ { |
423 |
- .ident = "N150/N210/N220/N230", |
424 |
- .matches = { |
425 |
- DMI_MATCH(DMI_SYS_VENDOR, |
426 |
-diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c |
427 |
-index fc7e57b..53e7d72 100644 |
428 |
---- a/fs/cifs/cifsfs.c |
429 |
-+++ b/fs/cifs/cifsfs.c |
430 |
-@@ -566,6 +566,12 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) |
431 |
- struct inode *dir = dentry->d_inode; |
432 |
- struct dentry *child; |
433 |
- |
434 |
-+ if (!dir) { |
435 |
-+ dput(dentry); |
436 |
-+ dentry = ERR_PTR(-ENOENT); |
437 |
-+ break; |
438 |
-+ } |
439 |
-+ |
440 |
- /* skip separators */ |
441 |
- while (*s == sep) |
442 |
- s++; |
443 |
-@@ -581,10 +587,6 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) |
444 |
- mutex_unlock(&dir->i_mutex); |
445 |
- dput(dentry); |
446 |
- dentry = child; |
447 |
-- if (!dentry->d_inode) { |
448 |
-- dput(dentry); |
449 |
-- dentry = ERR_PTR(-ENOENT); |
450 |
-- } |
451 |
- } while (!IS_ERR(dentry)); |
452 |
- _FreeXid(xid); |
453 |
- kfree(full_path); |
454 |
-diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c |
455 |
-index 168a80f..5cb8614 100644 |
456 |
---- a/fs/fuse/dev.c |
457 |
-+++ b/fs/fuse/dev.c |
458 |
-@@ -258,10 +258,14 @@ void fuse_queue_forget(struct fuse_conn *fc, struct fuse_forget_link *forget, |
459 |
- forget->forget_one.nlookup = nlookup; |
460 |
- |
461 |
- spin_lock(&fc->lock); |
462 |
-- fc->forget_list_tail->next = forget; |
463 |
-- fc->forget_list_tail = forget; |
464 |
-- wake_up(&fc->waitq); |
465 |
-- kill_fasync(&fc->fasync, SIGIO, POLL_IN); |
466 |
-+ if (fc->connected) { |
467 |
-+ fc->forget_list_tail->next = forget; |
468 |
-+ fc->forget_list_tail = forget; |
469 |
-+ wake_up(&fc->waitq); |
470 |
-+ kill_fasync(&fc->fasync, SIGIO, POLL_IN); |
471 |
-+ } else { |
472 |
-+ kfree(forget); |
473 |
-+ } |
474 |
- spin_unlock(&fc->lock); |
475 |
- } |
476 |
- |
477 |
-diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h |
478 |
-index d685752..4e7f64b 100644 |
479 |
---- a/fs/hfsplus/hfsplus_fs.h |
480 |
-+++ b/fs/hfsplus/hfsplus_fs.h |
481 |
-@@ -13,6 +13,7 @@ |
482 |
- #include <linux/fs.h> |
483 |
- #include <linux/mutex.h> |
484 |
- #include <linux/buffer_head.h> |
485 |
-+#include <linux/blkdev.h> |
486 |
- #include "hfsplus_raw.h" |
487 |
- |
488 |
- #define DBG_BNODE_REFS 0x00000001 |
489 |
-@@ -110,7 +111,9 @@ struct hfsplus_vh; |
490 |
- struct hfs_btree; |
491 |
- |
492 |
- struct hfsplus_sb_info { |
493 |
-+ void *s_vhdr_buf; |
494 |
- struct hfsplus_vh *s_vhdr; |
495 |
-+ void *s_backup_vhdr_buf; |
496 |
- struct hfsplus_vh *s_backup_vhdr; |
497 |
- struct hfs_btree *ext_tree; |
498 |
- struct hfs_btree *cat_tree; |
499 |
-@@ -258,6 +261,15 @@ struct hfsplus_readdir_data { |
500 |
- struct hfsplus_cat_key key; |
501 |
- }; |
502 |
- |
503 |
-+/* |
504 |
-+ * Find minimum acceptible I/O size for an hfsplus sb. |
505 |
-+ */ |
506 |
-+static inline unsigned short hfsplus_min_io_size(struct super_block *sb) |
507 |
-+{ |
508 |
-+ return max_t(unsigned short, bdev_logical_block_size(sb->s_bdev), |
509 |
-+ HFSPLUS_SECTOR_SIZE); |
510 |
-+} |
511 |
-+ |
512 |
- #define hfs_btree_open hfsplus_btree_open |
513 |
- #define hfs_btree_close hfsplus_btree_close |
514 |
- #define hfs_btree_write hfsplus_btree_write |
515 |
-@@ -436,8 +448,8 @@ int hfsplus_compare_dentry(const struct dentry *parent, |
516 |
- /* wrapper.c */ |
517 |
- int hfsplus_read_wrapper(struct super_block *); |
518 |
- int hfs_part_find(struct super_block *, sector_t *, sector_t *); |
519 |
--int hfsplus_submit_bio(struct block_device *bdev, sector_t sector, |
520 |
-- void *data, int rw); |
521 |
-+int hfsplus_submit_bio(struct super_block *sb, sector_t sector, |
522 |
-+ void *buf, void **data, int rw); |
523 |
- |
524 |
- /* time macros */ |
525 |
- #define __hfsp_mt2ut(t) (be32_to_cpu(t) - 2082844800U) |
526 |
-diff --git a/fs/hfsplus/part_tbl.c b/fs/hfsplus/part_tbl.c |
527 |
-index 40ad88c..eb355d8 100644 |
528 |
---- a/fs/hfsplus/part_tbl.c |
529 |
-+++ b/fs/hfsplus/part_tbl.c |
530 |
-@@ -88,11 +88,12 @@ static int hfs_parse_old_pmap(struct super_block *sb, struct old_pmap *pm, |
531 |
- return -ENOENT; |
532 |
- } |
533 |
- |
534 |
--static int hfs_parse_new_pmap(struct super_block *sb, struct new_pmap *pm, |
535 |
-- sector_t *part_start, sector_t *part_size) |
536 |
-+static int hfs_parse_new_pmap(struct super_block *sb, void *buf, |
537 |
-+ struct new_pmap *pm, sector_t *part_start, sector_t *part_size) |
538 |
- { |
539 |
- struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb); |
540 |
- int size = be32_to_cpu(pm->pmMapBlkCnt); |
541 |
-+ int buf_size = hfsplus_min_io_size(sb); |
542 |
- int res; |
543 |
- int i = 0; |
544 |
- |
545 |
-@@ -107,11 +108,14 @@ static int hfs_parse_new_pmap(struct super_block *sb, struct new_pmap *pm, |
546 |
- if (++i >= size) |
547 |
- return -ENOENT; |
548 |
- |
549 |
-- res = hfsplus_submit_bio(sb->s_bdev, |
550 |
-- *part_start + HFS_PMAP_BLK + i, |
551 |
-- pm, READ); |
552 |
-- if (res) |
553 |
-- return res; |
554 |
-+ pm = (struct new_pmap *)((u8 *)pm + HFSPLUS_SECTOR_SIZE); |
555 |
-+ if ((u8 *)pm - (u8 *)buf >= buf_size) { |
556 |
-+ res = hfsplus_submit_bio(sb, |
557 |
-+ *part_start + HFS_PMAP_BLK + i, |
558 |
-+ buf, (void **)&pm, READ); |
559 |
-+ if (res) |
560 |
-+ return res; |
561 |
-+ } |
562 |
- } while (pm->pmSig == cpu_to_be16(HFS_NEW_PMAP_MAGIC)); |
563 |
- |
564 |
- return -ENOENT; |
565 |
-@@ -124,15 +128,15 @@ static int hfs_parse_new_pmap(struct super_block *sb, struct new_pmap *pm, |
566 |
- int hfs_part_find(struct super_block *sb, |
567 |
- sector_t *part_start, sector_t *part_size) |
568 |
- { |
569 |
-- void *data; |
570 |
-+ void *buf, *data; |
571 |
- int res; |
572 |
- |
573 |
-- data = kmalloc(HFSPLUS_SECTOR_SIZE, GFP_KERNEL); |
574 |
-- if (!data) |
575 |
-+ buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); |
576 |
-+ if (!buf) |
577 |
- return -ENOMEM; |
578 |
- |
579 |
-- res = hfsplus_submit_bio(sb->s_bdev, *part_start + HFS_PMAP_BLK, |
580 |
-- data, READ); |
581 |
-+ res = hfsplus_submit_bio(sb, *part_start + HFS_PMAP_BLK, |
582 |
-+ buf, &data, READ); |
583 |
- if (res) |
584 |
- goto out; |
585 |
- |
586 |
-@@ -141,13 +145,13 @@ int hfs_part_find(struct super_block *sb, |
587 |
- res = hfs_parse_old_pmap(sb, data, part_start, part_size); |
588 |
- break; |
589 |
- case HFS_NEW_PMAP_MAGIC: |
590 |
-- res = hfs_parse_new_pmap(sb, data, part_start, part_size); |
591 |
-+ res = hfs_parse_new_pmap(sb, buf, data, part_start, part_size); |
592 |
- break; |
593 |
- default: |
594 |
- res = -ENOENT; |
595 |
- break; |
596 |
- } |
597 |
- out: |
598 |
-- kfree(data); |
599 |
-+ kfree(buf); |
600 |
- return res; |
601 |
- } |
602 |
-diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c |
603 |
-index 84a47b7..c3a76fd 100644 |
604 |
---- a/fs/hfsplus/super.c |
605 |
-+++ b/fs/hfsplus/super.c |
606 |
-@@ -197,17 +197,17 @@ int hfsplus_sync_fs(struct super_block *sb, int wait) |
607 |
- write_backup = 1; |
608 |
- } |
609 |
- |
610 |
-- error2 = hfsplus_submit_bio(sb->s_bdev, |
611 |
-+ error2 = hfsplus_submit_bio(sb, |
612 |
- sbi->part_start + HFSPLUS_VOLHEAD_SECTOR, |
613 |
-- sbi->s_vhdr, WRITE_SYNC); |
614 |
-+ sbi->s_vhdr_buf, NULL, WRITE_SYNC); |
615 |
- if (!error) |
616 |
- error = error2; |
617 |
- if (!write_backup) |
618 |
- goto out; |
619 |
- |
620 |
-- error2 = hfsplus_submit_bio(sb->s_bdev, |
621 |
-+ error2 = hfsplus_submit_bio(sb, |
622 |
- sbi->part_start + sbi->sect_count - 2, |
623 |
-- sbi->s_backup_vhdr, WRITE_SYNC); |
624 |
-+ sbi->s_backup_vhdr_buf, NULL, WRITE_SYNC); |
625 |
- if (!error) |
626 |
- error2 = error; |
627 |
- out: |
628 |
-@@ -251,8 +251,8 @@ static void hfsplus_put_super(struct super_block *sb) |
629 |
- hfs_btree_close(sbi->ext_tree); |
630 |
- iput(sbi->alloc_file); |
631 |
- iput(sbi->hidden_dir); |
632 |
-- kfree(sbi->s_vhdr); |
633 |
-- kfree(sbi->s_backup_vhdr); |
634 |
-+ kfree(sbi->s_vhdr_buf); |
635 |
-+ kfree(sbi->s_backup_vhdr_buf); |
636 |
- unload_nls(sbi->nls); |
637 |
- kfree(sb->s_fs_info); |
638 |
- sb->s_fs_info = NULL; |
639 |
-@@ -508,8 +508,8 @@ out_close_cat_tree: |
640 |
- out_close_ext_tree: |
641 |
- hfs_btree_close(sbi->ext_tree); |
642 |
- out_free_vhdr: |
643 |
-- kfree(sbi->s_vhdr); |
644 |
-- kfree(sbi->s_backup_vhdr); |
645 |
-+ kfree(sbi->s_vhdr_buf); |
646 |
-+ kfree(sbi->s_backup_vhdr_buf); |
647 |
- out_unload_nls: |
648 |
- unload_nls(sbi->nls); |
649 |
- unload_nls(nls); |
650 |
-diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c |
651 |
-index 4ac88ff..7b8112d 100644 |
652 |
---- a/fs/hfsplus/wrapper.c |
653 |
-+++ b/fs/hfsplus/wrapper.c |
654 |
-@@ -31,25 +31,67 @@ static void hfsplus_end_io_sync(struct bio *bio, int err) |
655 |
- complete(bio->bi_private); |
656 |
- } |
657 |
- |
658 |
--int hfsplus_submit_bio(struct block_device *bdev, sector_t sector, |
659 |
-- void *data, int rw) |
660 |
-+/* |
661 |
-+ * hfsplus_submit_bio - Perfrom block I/O |
662 |
-+ * @sb: super block of volume for I/O |
663 |
-+ * @sector: block to read or write, for blocks of HFSPLUS_SECTOR_SIZE bytes |
664 |
-+ * @buf: buffer for I/O |
665 |
-+ * @data: output pointer for location of requested data |
666 |
-+ * @rw: direction of I/O |
667 |
-+ * |
668 |
-+ * The unit of I/O is hfsplus_min_io_size(sb), which may be bigger than |
669 |
-+ * HFSPLUS_SECTOR_SIZE, and @buf must be sized accordingly. On reads |
670 |
-+ * @data will return a pointer to the start of the requested sector, |
671 |
-+ * which may not be the same location as @buf. |
672 |
-+ * |
673 |
-+ * If @sector is not aligned to the bdev logical block size it will |
674 |
-+ * be rounded down. For writes this means that @buf should contain data |
675 |
-+ * that starts at the rounded-down address. As long as the data was |
676 |
-+ * read using hfsplus_submit_bio() and the same buffer is used things |
677 |
-+ * will work correctly. |
678 |
-+ */ |
679 |
-+int hfsplus_submit_bio(struct super_block *sb, sector_t sector, |
680 |
-+ void *buf, void **data, int rw) |
681 |
- { |
682 |
- DECLARE_COMPLETION_ONSTACK(wait); |
683 |
- struct bio *bio; |
684 |
- int ret = 0; |
685 |
-+ unsigned int io_size; |
686 |
-+ loff_t start; |
687 |
-+ int offset; |
688 |
-+ |
689 |
-+ /* |
690 |
-+ * Align sector to hardware sector size and find offset. We |
691 |
-+ * assume that io_size is a power of two, which _should_ |
692 |
-+ * be true. |
693 |
-+ */ |
694 |
-+ io_size = hfsplus_min_io_size(sb); |
695 |
-+ start = (loff_t)sector << HFSPLUS_SECTOR_SHIFT; |
696 |
-+ offset = start & (io_size - 1); |
697 |
-+ sector &= ~((io_size >> HFSPLUS_SECTOR_SHIFT) - 1); |
698 |
- |
699 |
- bio = bio_alloc(GFP_NOIO, 1); |
700 |
- bio->bi_sector = sector; |
701 |
-- bio->bi_bdev = bdev; |
702 |
-+ bio->bi_bdev = sb->s_bdev; |
703 |
- bio->bi_end_io = hfsplus_end_io_sync; |
704 |
- bio->bi_private = &wait; |
705 |
- |
706 |
-- /* |
707 |
-- * We always submit one sector at a time, so bio_add_page must not fail. |
708 |
-- */ |
709 |
-- if (bio_add_page(bio, virt_to_page(data), HFSPLUS_SECTOR_SIZE, |
710 |
-- offset_in_page(data)) != HFSPLUS_SECTOR_SIZE) |
711 |
-- BUG(); |
712 |
-+ if (!(rw & WRITE) && data) |
713 |
-+ *data = (u8 *)buf + offset; |
714 |
-+ |
715 |
-+ while (io_size > 0) { |
716 |
-+ unsigned int page_offset = offset_in_page(buf); |
717 |
-+ unsigned int len = min_t(unsigned int, PAGE_SIZE - page_offset, |
718 |
-+ io_size); |
719 |
-+ |
720 |
-+ ret = bio_add_page(bio, virt_to_page(buf), len, page_offset); |
721 |
-+ if (ret != len) { |
722 |
-+ ret = -EIO; |
723 |
-+ goto out; |
724 |
-+ } |
725 |
-+ io_size -= len; |
726 |
-+ buf = (u8 *)buf + len; |
727 |
-+ } |
728 |
- |
729 |
- submit_bio(rw, bio); |
730 |
- wait_for_completion(&wait); |
731 |
-@@ -57,8 +99,9 @@ int hfsplus_submit_bio(struct block_device *bdev, sector_t sector, |
732 |
- if (!bio_flagged(bio, BIO_UPTODATE)) |
733 |
- ret = -EIO; |
734 |
- |
735 |
-+out: |
736 |
- bio_put(bio); |
737 |
-- return ret; |
738 |
-+ return ret < 0 ? ret : 0; |
739 |
- } |
740 |
- |
741 |
- static int hfsplus_read_mdb(void *bufptr, struct hfsplus_wd *wd) |
742 |
-@@ -147,17 +190,17 @@ int hfsplus_read_wrapper(struct super_block *sb) |
743 |
- } |
744 |
- |
745 |
- error = -ENOMEM; |
746 |
-- sbi->s_vhdr = kmalloc(HFSPLUS_SECTOR_SIZE, GFP_KERNEL); |
747 |
-- if (!sbi->s_vhdr) |
748 |
-+ sbi->s_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); |
749 |
-+ if (!sbi->s_vhdr_buf) |
750 |
- goto out; |
751 |
-- sbi->s_backup_vhdr = kmalloc(HFSPLUS_SECTOR_SIZE, GFP_KERNEL); |
752 |
-- if (!sbi->s_backup_vhdr) |
753 |
-+ sbi->s_backup_vhdr_buf = kmalloc(hfsplus_min_io_size(sb), GFP_KERNEL); |
754 |
-+ if (!sbi->s_backup_vhdr_buf) |
755 |
- goto out_free_vhdr; |
756 |
- |
757 |
- reread: |
758 |
-- error = hfsplus_submit_bio(sb->s_bdev, |
759 |
-- part_start + HFSPLUS_VOLHEAD_SECTOR, |
760 |
-- sbi->s_vhdr, READ); |
761 |
-+ error = hfsplus_submit_bio(sb, part_start + HFSPLUS_VOLHEAD_SECTOR, |
762 |
-+ sbi->s_vhdr_buf, (void **)&sbi->s_vhdr, |
763 |
-+ READ); |
764 |
- if (error) |
765 |
- goto out_free_backup_vhdr; |
766 |
- |
767 |
-@@ -186,9 +229,9 @@ reread: |
768 |
- goto reread; |
769 |
- } |
770 |
- |
771 |
-- error = hfsplus_submit_bio(sb->s_bdev, |
772 |
-- part_start + part_size - 2, |
773 |
-- sbi->s_backup_vhdr, READ); |
774 |
-+ error = hfsplus_submit_bio(sb, part_start + part_size - 2, |
775 |
-+ sbi->s_backup_vhdr_buf, |
776 |
-+ (void **)&sbi->s_backup_vhdr, READ); |
777 |
- if (error) |
778 |
- goto out_free_backup_vhdr; |
779 |
- |
780 |
-@@ -232,9 +275,9 @@ reread: |
781 |
- return 0; |
782 |
- |
783 |
- out_free_backup_vhdr: |
784 |
-- kfree(sbi->s_backup_vhdr); |
785 |
-+ kfree(sbi->s_backup_vhdr_buf); |
786 |
- out_free_vhdr: |
787 |
-- kfree(sbi->s_vhdr); |
788 |
-+ kfree(sbi->s_vhdr_buf); |
789 |
- out: |
790 |
- return error; |
791 |
- } |
792 |
-diff --git a/fs/xfs/linux-2.6/xfs_linux.h b/fs/xfs/linux-2.6/xfs_linux.h |
793 |
-index 8633521..8731516 100644 |
794 |
---- a/fs/xfs/linux-2.6/xfs_linux.h |
795 |
-+++ b/fs/xfs/linux-2.6/xfs_linux.h |
796 |
-@@ -70,6 +70,8 @@ |
797 |
- #include <linux/ctype.h> |
798 |
- #include <linux/writeback.h> |
799 |
- #include <linux/capability.h> |
800 |
-+#include <linux/kthread.h> |
801 |
-+#include <linux/freezer.h> |
802 |
- #include <linux/list_sort.h> |
803 |
- |
804 |
- #include <asm/page.h> |
805 |
-diff --git a/fs/xfs/linux-2.6/xfs_super.c b/fs/xfs/linux-2.6/xfs_super.c |
806 |
-index a1a881e..347cae9 100644 |
807 |
---- a/fs/xfs/linux-2.6/xfs_super.c |
808 |
-+++ b/fs/xfs/linux-2.6/xfs_super.c |
809 |
-@@ -1412,37 +1412,35 @@ xfs_fs_fill_super( |
810 |
- sb->s_time_gran = 1; |
811 |
- set_posix_acl_flag(sb); |
812 |
- |
813 |
-- error = xfs_syncd_init(mp); |
814 |
-- if (error) |
815 |
-- goto out_filestream_unmount; |
816 |
-- |
817 |
- xfs_inode_shrinker_register(mp); |
818 |
- |
819 |
- error = xfs_mountfs(mp); |
820 |
- if (error) |
821 |
-- goto out_syncd_stop; |
822 |
-+ goto out_filestream_unmount; |
823 |
-+ |
824 |
-+ error = xfs_syncd_init(mp); |
825 |
-+ if (error) |
826 |
-+ goto out_unmount; |
827 |
- |
828 |
- root = igrab(VFS_I(mp->m_rootip)); |
829 |
- if (!root) { |
830 |
- error = ENOENT; |
831 |
-- goto fail_unmount; |
832 |
-+ goto out_syncd_stop; |
833 |
- } |
834 |
- if (is_bad_inode(root)) { |
835 |
- error = EINVAL; |
836 |
-- goto fail_vnrele; |
837 |
-+ goto out_syncd_stop; |
838 |
- } |
839 |
- sb->s_root = d_alloc_root(root); |
840 |
- if (!sb->s_root) { |
841 |
- error = ENOMEM; |
842 |
-- goto fail_vnrele; |
843 |
-+ goto out_iput; |
844 |
- } |
845 |
- |
846 |
- return 0; |
847 |
- |
848 |
-- out_syncd_stop: |
849 |
-- xfs_inode_shrinker_unregister(mp); |
850 |
-- xfs_syncd_stop(mp); |
851 |
- out_filestream_unmount: |
852 |
-+ xfs_inode_shrinker_unregister(mp); |
853 |
- xfs_filestream_unmount(mp); |
854 |
- out_free_sb: |
855 |
- xfs_freesb(mp); |
856 |
-@@ -1456,17 +1454,12 @@ xfs_fs_fill_super( |
857 |
- out: |
858 |
- return -error; |
859 |
- |
860 |
-- fail_vnrele: |
861 |
-- if (sb->s_root) { |
862 |
-- dput(sb->s_root); |
863 |
-- sb->s_root = NULL; |
864 |
-- } else { |
865 |
-- iput(root); |
866 |
-- } |
867 |
-- |
868 |
-- fail_unmount: |
869 |
-- xfs_inode_shrinker_unregister(mp); |
870 |
-+ out_iput: |
871 |
-+ iput(root); |
872 |
-+ out_syncd_stop: |
873 |
- xfs_syncd_stop(mp); |
874 |
-+ out_unmount: |
875 |
-+ xfs_inode_shrinker_unregister(mp); |
876 |
- |
877 |
- /* |
878 |
- * Blow away any referenced inode in the filestreams cache. |
879 |
-@@ -1667,24 +1660,13 @@ xfs_init_workqueues(void) |
880 |
- */ |
881 |
- xfs_syncd_wq = alloc_workqueue("xfssyncd", WQ_CPU_INTENSIVE, 8); |
882 |
- if (!xfs_syncd_wq) |
883 |
-- goto out; |
884 |
-- |
885 |
-- xfs_ail_wq = alloc_workqueue("xfsail", WQ_CPU_INTENSIVE, 8); |
886 |
-- if (!xfs_ail_wq) |
887 |
-- goto out_destroy_syncd; |
888 |
-- |
889 |
-+ return -ENOMEM; |
890 |
- return 0; |
891 |
-- |
892 |
--out_destroy_syncd: |
893 |
-- destroy_workqueue(xfs_syncd_wq); |
894 |
--out: |
895 |
-- return -ENOMEM; |
896 |
- } |
897 |
- |
898 |
- STATIC void |
899 |
- xfs_destroy_workqueues(void) |
900 |
- { |
901 |
-- destroy_workqueue(xfs_ail_wq); |
902 |
- destroy_workqueue(xfs_syncd_wq); |
903 |
- } |
904 |
- |
905 |
-diff --git a/fs/xfs/quota/xfs_dquot_item.c b/fs/xfs/quota/xfs_dquot_item.c |
906 |
-index 9e0e2fa..8126fc2 100644 |
907 |
---- a/fs/xfs/quota/xfs_dquot_item.c |
908 |
-+++ b/fs/xfs/quota/xfs_dquot_item.c |
909 |
-@@ -183,13 +183,14 @@ xfs_qm_dqunpin_wait( |
910 |
- * search the buffer cache can be a time consuming thing, and AIL lock is a |
911 |
- * spinlock. |
912 |
- */ |
913 |
--STATIC void |
914 |
-+STATIC bool |
915 |
- xfs_qm_dquot_logitem_pushbuf( |
916 |
- struct xfs_log_item *lip) |
917 |
- { |
918 |
- struct xfs_dq_logitem *qlip = DQUOT_ITEM(lip); |
919 |
- struct xfs_dquot *dqp = qlip->qli_dquot; |
920 |
- struct xfs_buf *bp; |
921 |
-+ bool ret = true; |
922 |
- |
923 |
- ASSERT(XFS_DQ_IS_LOCKED(dqp)); |
924 |
- |
925 |
-@@ -201,17 +202,20 @@ xfs_qm_dquot_logitem_pushbuf( |
926 |
- if (completion_done(&dqp->q_flush) || |
927 |
- !(lip->li_flags & XFS_LI_IN_AIL)) { |
928 |
- xfs_dqunlock(dqp); |
929 |
-- return; |
930 |
-+ return true; |
931 |
- } |
932 |
- |
933 |
- bp = xfs_incore(dqp->q_mount->m_ddev_targp, qlip->qli_format.qlf_blkno, |
934 |
- dqp->q_mount->m_quotainfo->qi_dqchunklen, XBF_TRYLOCK); |
935 |
- xfs_dqunlock(dqp); |
936 |
- if (!bp) |
937 |
-- return; |
938 |
-+ return true; |
939 |
- if (XFS_BUF_ISDELAYWRITE(bp)) |
940 |
- xfs_buf_delwri_promote(bp); |
941 |
-+ if (XFS_BUF_ISPINNED(bp)) |
942 |
-+ ret = false; |
943 |
- xfs_buf_relse(bp); |
944 |
-+ return ret; |
945 |
- } |
946 |
- |
947 |
- /* |
948 |
-diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c |
949 |
-index 7b7e005..a7342e8 100644 |
950 |
---- a/fs/xfs/xfs_buf_item.c |
951 |
-+++ b/fs/xfs/xfs_buf_item.c |
952 |
-@@ -632,7 +632,7 @@ xfs_buf_item_push( |
953 |
- * the xfsbufd to get this buffer written. We have to unlock the buffer |
954 |
- * to allow the xfsbufd to write it, too. |
955 |
- */ |
956 |
--STATIC void |
957 |
-+STATIC bool |
958 |
- xfs_buf_item_pushbuf( |
959 |
- struct xfs_log_item *lip) |
960 |
- { |
961 |
-@@ -646,6 +646,7 @@ xfs_buf_item_pushbuf( |
962 |
- |
963 |
- xfs_buf_delwri_promote(bp); |
964 |
- xfs_buf_relse(bp); |
965 |
-+ return true; |
966 |
- } |
967 |
- |
968 |
- STATIC void |
969 |
-diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c |
970 |
-index b1e88d5..391044c 100644 |
971 |
---- a/fs/xfs/xfs_inode_item.c |
972 |
-+++ b/fs/xfs/xfs_inode_item.c |
973 |
-@@ -713,13 +713,14 @@ xfs_inode_item_committed( |
974 |
- * marked delayed write. If that's the case, we'll promote it and that will |
975 |
- * allow the caller to write the buffer by triggering the xfsbufd to run. |
976 |
- */ |
977 |
--STATIC void |
978 |
-+STATIC bool |
979 |
- xfs_inode_item_pushbuf( |
980 |
- struct xfs_log_item *lip) |
981 |
- { |
982 |
- struct xfs_inode_log_item *iip = INODE_ITEM(lip); |
983 |
- struct xfs_inode *ip = iip->ili_inode; |
984 |
- struct xfs_buf *bp; |
985 |
-+ bool ret = true; |
986 |
- |
987 |
- ASSERT(xfs_isilocked(ip, XFS_ILOCK_SHARED)); |
988 |
- |
989 |
-@@ -730,7 +731,7 @@ xfs_inode_item_pushbuf( |
990 |
- if (completion_done(&ip->i_flush) || |
991 |
- !(lip->li_flags & XFS_LI_IN_AIL)) { |
992 |
- xfs_iunlock(ip, XFS_ILOCK_SHARED); |
993 |
-- return; |
994 |
-+ return true; |
995 |
- } |
996 |
- |
997 |
- bp = xfs_incore(ip->i_mount->m_ddev_targp, iip->ili_format.ilf_blkno, |
998 |
-@@ -738,10 +739,13 @@ xfs_inode_item_pushbuf( |
999 |
- |
1000 |
- xfs_iunlock(ip, XFS_ILOCK_SHARED); |
1001 |
- if (!bp) |
1002 |
-- return; |
1003 |
-+ return true; |
1004 |
- if (XFS_BUF_ISDELAYWRITE(bp)) |
1005 |
- xfs_buf_delwri_promote(bp); |
1006 |
-+ if (XFS_BUF_ISPINNED(bp)) |
1007 |
-+ ret = false; |
1008 |
- xfs_buf_relse(bp); |
1009 |
-+ return ret; |
1010 |
- } |
1011 |
- |
1012 |
- /* |
1013 |
-diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c |
1014 |
-index c83f63b..efc147f 100644 |
1015 |
---- a/fs/xfs/xfs_trans.c |
1016 |
-+++ b/fs/xfs/xfs_trans.c |
1017 |
-@@ -1426,6 +1426,7 @@ xfs_trans_committed( |
1018 |
- static inline void |
1019 |
- xfs_log_item_batch_insert( |
1020 |
- struct xfs_ail *ailp, |
1021 |
-+ struct xfs_ail_cursor *cur, |
1022 |
- struct xfs_log_item **log_items, |
1023 |
- int nr_items, |
1024 |
- xfs_lsn_t commit_lsn) |
1025 |
-@@ -1434,7 +1435,7 @@ xfs_log_item_batch_insert( |
1026 |
- |
1027 |
- spin_lock(&ailp->xa_lock); |
1028 |
- /* xfs_trans_ail_update_bulk drops ailp->xa_lock */ |
1029 |
-- xfs_trans_ail_update_bulk(ailp, log_items, nr_items, commit_lsn); |
1030 |
-+ xfs_trans_ail_update_bulk(ailp, cur, log_items, nr_items, commit_lsn); |
1031 |
- |
1032 |
- for (i = 0; i < nr_items; i++) |
1033 |
- IOP_UNPIN(log_items[i], 0); |
1034 |
-@@ -1452,6 +1453,13 @@ xfs_log_item_batch_insert( |
1035 |
- * as an iclog write error even though we haven't started any IO yet. Hence in |
1036 |
- * this case all we need to do is IOP_COMMITTED processing, followed by an |
1037 |
- * IOP_UNPIN(aborted) call. |
1038 |
-+ * |
1039 |
-+ * The AIL cursor is used to optimise the insert process. If commit_lsn is not |
1040 |
-+ * at the end of the AIL, the insert cursor avoids the need to walk |
1041 |
-+ * the AIL to find the insertion point on every xfs_log_item_batch_insert() |
1042 |
-+ * call. This saves a lot of needless list walking and is a net win, even |
1043 |
-+ * though it slightly increases that amount of AIL lock traffic to set it up |
1044 |
-+ * and tear it down. |
1045 |
- */ |
1046 |
- void |
1047 |
- xfs_trans_committed_bulk( |
1048 |
-@@ -1463,8 +1471,13 @@ xfs_trans_committed_bulk( |
1049 |
- #define LOG_ITEM_BATCH_SIZE 32 |
1050 |
- struct xfs_log_item *log_items[LOG_ITEM_BATCH_SIZE]; |
1051 |
- struct xfs_log_vec *lv; |
1052 |
-+ struct xfs_ail_cursor cur; |
1053 |
- int i = 0; |
1054 |
- |
1055 |
-+ spin_lock(&ailp->xa_lock); |
1056 |
-+ xfs_trans_ail_cursor_last(ailp, &cur, commit_lsn); |
1057 |
-+ spin_unlock(&ailp->xa_lock); |
1058 |
-+ |
1059 |
- /* unpin all the log items */ |
1060 |
- for (lv = log_vector; lv; lv = lv->lv_next ) { |
1061 |
- struct xfs_log_item *lip = lv->lv_item; |
1062 |
-@@ -1493,7 +1506,9 @@ xfs_trans_committed_bulk( |
1063 |
- /* |
1064 |
- * Not a bulk update option due to unusual item_lsn. |
1065 |
- * Push into AIL immediately, rechecking the lsn once |
1066 |
-- * we have the ail lock. Then unpin the item. |
1067 |
-+ * we have the ail lock. Then unpin the item. This does |
1068 |
-+ * not affect the AIL cursor the bulk insert path is |
1069 |
-+ * using. |
1070 |
- */ |
1071 |
- spin_lock(&ailp->xa_lock); |
1072 |
- if (XFS_LSN_CMP(item_lsn, lip->li_lsn) > 0) |
1073 |
-@@ -1507,7 +1522,7 @@ xfs_trans_committed_bulk( |
1074 |
- /* Item is a candidate for bulk AIL insert. */ |
1075 |
- log_items[i++] = lv->lv_item; |
1076 |
- if (i >= LOG_ITEM_BATCH_SIZE) { |
1077 |
-- xfs_log_item_batch_insert(ailp, log_items, |
1078 |
-+ xfs_log_item_batch_insert(ailp, &cur, log_items, |
1079 |
- LOG_ITEM_BATCH_SIZE, commit_lsn); |
1080 |
- i = 0; |
1081 |
- } |
1082 |
-@@ -1515,7 +1530,11 @@ xfs_trans_committed_bulk( |
1083 |
- |
1084 |
- /* make sure we insert the remainder! */ |
1085 |
- if (i) |
1086 |
-- xfs_log_item_batch_insert(ailp, log_items, i, commit_lsn); |
1087 |
-+ xfs_log_item_batch_insert(ailp, &cur, log_items, i, commit_lsn); |
1088 |
-+ |
1089 |
-+ spin_lock(&ailp->xa_lock); |
1090 |
-+ xfs_trans_ail_cursor_done(ailp, &cur); |
1091 |
-+ spin_unlock(&ailp->xa_lock); |
1092 |
- } |
1093 |
- |
1094 |
- /* |
1095 |
-diff --git a/fs/xfs/xfs_trans.h b/fs/xfs/xfs_trans.h |
1096 |
-index 06a9759..53597f4 100644 |
1097 |
---- a/fs/xfs/xfs_trans.h |
1098 |
-+++ b/fs/xfs/xfs_trans.h |
1099 |
-@@ -350,7 +350,7 @@ typedef struct xfs_item_ops { |
1100 |
- void (*iop_unlock)(xfs_log_item_t *); |
1101 |
- xfs_lsn_t (*iop_committed)(xfs_log_item_t *, xfs_lsn_t); |
1102 |
- void (*iop_push)(xfs_log_item_t *); |
1103 |
-- void (*iop_pushbuf)(xfs_log_item_t *); |
1104 |
-+ bool (*iop_pushbuf)(xfs_log_item_t *); |
1105 |
- void (*iop_committing)(xfs_log_item_t *, xfs_lsn_t); |
1106 |
- } xfs_item_ops_t; |
1107 |
- |
1108 |
-diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c |
1109 |
-index 5fc2380..a4c281b 100644 |
1110 |
---- a/fs/xfs/xfs_trans_ail.c |
1111 |
-+++ b/fs/xfs/xfs_trans_ail.c |
1112 |
-@@ -28,8 +28,6 @@ |
1113 |
- #include "xfs_trans_priv.h" |
1114 |
- #include "xfs_error.h" |
1115 |
- |
1116 |
--struct workqueue_struct *xfs_ail_wq; /* AIL workqueue */ |
1117 |
-- |
1118 |
- #ifdef DEBUG |
1119 |
- /* |
1120 |
- * Check that the list is sorted as it should be. |
1121 |
-@@ -272,9 +270,9 @@ xfs_trans_ail_cursor_clear( |
1122 |
- } |
1123 |
- |
1124 |
- /* |
1125 |
-- * Return the item in the AIL with the current lsn. |
1126 |
-- * Return the current tree generation number for use |
1127 |
-- * in calls to xfs_trans_next_ail(). |
1128 |
-+ * Initialise the cursor to the first item in the AIL with the given @lsn. |
1129 |
-+ * This searches the list from lowest LSN to highest. Pass a @lsn of zero |
1130 |
-+ * to initialise the cursor to the first item in the AIL. |
1131 |
- */ |
1132 |
- xfs_log_item_t * |
1133 |
- xfs_trans_ail_cursor_first( |
1134 |
-@@ -300,31 +298,97 @@ out: |
1135 |
- } |
1136 |
- |
1137 |
- /* |
1138 |
-- * splice the log item list into the AIL at the given LSN. |
1139 |
-+ * Initialise the cursor to the last item in the AIL with the given @lsn. |
1140 |
-+ * This searches the list from highest LSN to lowest. If there is no item with |
1141 |
-+ * the value of @lsn, then it sets the cursor to the last item with an LSN lower |
1142 |
-+ * than @lsn. |
1143 |
-+ */ |
1144 |
-+static struct xfs_log_item * |
1145 |
-+__xfs_trans_ail_cursor_last( |
1146 |
-+ struct xfs_ail *ailp, |
1147 |
-+ xfs_lsn_t lsn) |
1148 |
-+{ |
1149 |
-+ xfs_log_item_t *lip; |
1150 |
-+ |
1151 |
-+ list_for_each_entry_reverse(lip, &ailp->xa_ail, li_ail) { |
1152 |
-+ if (XFS_LSN_CMP(lip->li_lsn, lsn) <= 0) |
1153 |
-+ return lip; |
1154 |
-+ } |
1155 |
-+ return NULL; |
1156 |
-+} |
1157 |
-+ |
1158 |
-+/* |
1159 |
-+ * Initialise the cursor to the last item in the AIL with the given @lsn. |
1160 |
-+ * This searches the list from highest LSN to lowest. |
1161 |
-+ */ |
1162 |
-+struct xfs_log_item * |
1163 |
-+xfs_trans_ail_cursor_last( |
1164 |
-+ struct xfs_ail *ailp, |
1165 |
-+ struct xfs_ail_cursor *cur, |
1166 |
-+ xfs_lsn_t lsn) |
1167 |
-+{ |
1168 |
-+ xfs_trans_ail_cursor_init(ailp, cur); |
1169 |
-+ cur->item = __xfs_trans_ail_cursor_last(ailp, lsn); |
1170 |
-+ return cur->item; |
1171 |
-+} |
1172 |
-+ |
1173 |
-+/* |
1174 |
-+ * splice the log item list into the AIL at the given LSN. We splice to the |
1175 |
-+ * tail of the given LSN to maintain insert order for push traversals. The |
1176 |
-+ * cursor is optional, allowing repeated updates to the same LSN to avoid |
1177 |
-+ * repeated traversals. |
1178 |
- */ |
1179 |
- static void |
1180 |
- xfs_ail_splice( |
1181 |
-- struct xfs_ail *ailp, |
1182 |
-- struct list_head *list, |
1183 |
-- xfs_lsn_t lsn) |
1184 |
-+ struct xfs_ail *ailp, |
1185 |
-+ struct xfs_ail_cursor *cur, |
1186 |
-+ struct list_head *list, |
1187 |
-+ xfs_lsn_t lsn) |
1188 |
- { |
1189 |
-- xfs_log_item_t *next_lip; |
1190 |
-+ struct xfs_log_item *lip = cur ? cur->item : NULL; |
1191 |
-+ struct xfs_log_item *next_lip; |
1192 |
- |
1193 |
-- /* If the list is empty, just insert the item. */ |
1194 |
-- if (list_empty(&ailp->xa_ail)) { |
1195 |
-- list_splice(list, &ailp->xa_ail); |
1196 |
-- return; |
1197 |
-+ /* |
1198 |
-+ * Get a new cursor if we don't have a placeholder or the existing one |
1199 |
-+ * has been invalidated. |
1200 |
-+ */ |
1201 |
-+ if (!lip || (__psint_t)lip & 1) { |
1202 |
-+ lip = __xfs_trans_ail_cursor_last(ailp, lsn); |
1203 |
-+ |
1204 |
-+ if (!lip) { |
1205 |
-+ /* The list is empty, so just splice and return. */ |
1206 |
-+ if (cur) |
1207 |
-+ cur->item = NULL; |
1208 |
-+ list_splice(list, &ailp->xa_ail); |
1209 |
-+ return; |
1210 |
-+ } |
1211 |
- } |
1212 |
- |
1213 |
-- list_for_each_entry_reverse(next_lip, &ailp->xa_ail, li_ail) { |
1214 |
-- if (XFS_LSN_CMP(next_lip->li_lsn, lsn) <= 0) |
1215 |
-- break; |
1216 |
-+ /* |
1217 |
-+ * Our cursor points to the item we want to insert _after_, so we have |
1218 |
-+ * to update the cursor to point to the end of the list we are splicing |
1219 |
-+ * in so that it points to the correct location for the next splice. |
1220 |
-+ * i.e. before the splice |
1221 |
-+ * |
1222 |
-+ * lsn -> lsn -> lsn + x -> lsn + x ... |
1223 |
-+ * ^ |
1224 |
-+ * | cursor points here |
1225 |
-+ * |
1226 |
-+ * After the splice we have: |
1227 |
-+ * |
1228 |
-+ * lsn -> lsn -> lsn -> lsn -> .... -> lsn -> lsn + x -> lsn + x ... |
1229 |
-+ * ^ ^ |
1230 |
-+ * | cursor points here | needs to move here |
1231 |
-+ * |
1232 |
-+ * So we set the cursor to the last item in the list to be spliced |
1233 |
-+ * before we execute the splice, resulting in the cursor pointing to |
1234 |
-+ * the correct item after the splice occurs. |
1235 |
-+ */ |
1236 |
-+ if (cur) { |
1237 |
-+ next_lip = list_entry(list->prev, struct xfs_log_item, li_ail); |
1238 |
-+ cur->item = next_lip; |
1239 |
- } |
1240 |
-- |
1241 |
-- ASSERT(&next_lip->li_ail == &ailp->xa_ail || |
1242 |
-- XFS_LSN_CMP(next_lip->li_lsn, lsn) <= 0); |
1243 |
-- |
1244 |
-- list_splice_init(list, &next_lip->li_ail); |
1245 |
-+ list_splice(list, &lip->li_ail); |
1246 |
- } |
1247 |
- |
1248 |
- /* |
1249 |
-@@ -340,16 +404,10 @@ xfs_ail_delete( |
1250 |
- xfs_trans_ail_cursor_clear(ailp, lip); |
1251 |
- } |
1252 |
- |
1253 |
--/* |
1254 |
-- * xfs_ail_worker does the work of pushing on the AIL. It will requeue itself |
1255 |
-- * to run at a later time if there is more work to do to complete the push. |
1256 |
-- */ |
1257 |
--STATIC void |
1258 |
--xfs_ail_worker( |
1259 |
-- struct work_struct *work) |
1260 |
-+static long |
1261 |
-+xfsaild_push( |
1262 |
-+ struct xfs_ail *ailp) |
1263 |
- { |
1264 |
-- struct xfs_ail *ailp = container_of(to_delayed_work(work), |
1265 |
-- struct xfs_ail, xa_work); |
1266 |
- xfs_mount_t *mp = ailp->xa_mount; |
1267 |
- struct xfs_ail_cursor *cur = &ailp->xa_cursors; |
1268 |
- xfs_log_item_t *lip; |
1269 |
-@@ -412,8 +470,13 @@ xfs_ail_worker( |
1270 |
- |
1271 |
- case XFS_ITEM_PUSHBUF: |
1272 |
- XFS_STATS_INC(xs_push_ail_pushbuf); |
1273 |
-- IOP_PUSHBUF(lip); |
1274 |
-- ailp->xa_last_pushed_lsn = lsn; |
1275 |
-+ |
1276 |
-+ if (!IOP_PUSHBUF(lip)) { |
1277 |
-+ stuck++; |
1278 |
-+ flush_log = 1; |
1279 |
-+ } else { |
1280 |
-+ ailp->xa_last_pushed_lsn = lsn; |
1281 |
-+ } |
1282 |
- push_xfsbufd = 1; |
1283 |
- break; |
1284 |
- |
1285 |
-@@ -425,7 +488,6 @@ xfs_ail_worker( |
1286 |
- |
1287 |
- case XFS_ITEM_LOCKED: |
1288 |
- XFS_STATS_INC(xs_push_ail_locked); |
1289 |
-- ailp->xa_last_pushed_lsn = lsn; |
1290 |
- stuck++; |
1291 |
- break; |
1292 |
- |
1293 |
-@@ -486,20 +548,6 @@ out_done: |
1294 |
- /* We're past our target or empty, so idle */ |
1295 |
- ailp->xa_last_pushed_lsn = 0; |
1296 |
- |
1297 |
-- /* |
1298 |
-- * We clear the XFS_AIL_PUSHING_BIT first before checking |
1299 |
-- * whether the target has changed. If the target has changed, |
1300 |
-- * this pushes the requeue race directly onto the result of the |
1301 |
-- * atomic test/set bit, so we are guaranteed that either the |
1302 |
-- * the pusher that changed the target or ourselves will requeue |
1303 |
-- * the work (but not both). |
1304 |
-- */ |
1305 |
-- clear_bit(XFS_AIL_PUSHING_BIT, &ailp->xa_flags); |
1306 |
-- smp_rmb(); |
1307 |
-- if (XFS_LSN_CMP(ailp->xa_target, target) == 0 || |
1308 |
-- test_and_set_bit(XFS_AIL_PUSHING_BIT, &ailp->xa_flags)) |
1309 |
-- return; |
1310 |
-- |
1311 |
- tout = 50; |
1312 |
- } else if (XFS_LSN_CMP(lsn, target) >= 0) { |
1313 |
- /* |
1314 |
-@@ -522,9 +570,30 @@ out_done: |
1315 |
- tout = 20; |
1316 |
- } |
1317 |
- |
1318 |
-- /* There is more to do, requeue us. */ |
1319 |
-- queue_delayed_work(xfs_syncd_wq, &ailp->xa_work, |
1320 |
-- msecs_to_jiffies(tout)); |
1321 |
-+ return tout; |
1322 |
-+} |
1323 |
-+ |
1324 |
-+static int |
1325 |
-+xfsaild( |
1326 |
-+ void *data) |
1327 |
-+{ |
1328 |
-+ struct xfs_ail *ailp = data; |
1329 |
-+ long tout = 0; /* milliseconds */ |
1330 |
-+ |
1331 |
-+ while (!kthread_should_stop()) { |
1332 |
-+ if (tout && tout <= 20) |
1333 |
-+ __set_current_state(TASK_KILLABLE); |
1334 |
-+ else |
1335 |
-+ __set_current_state(TASK_INTERRUPTIBLE); |
1336 |
-+ schedule_timeout(tout ? |
1337 |
-+ msecs_to_jiffies(tout) : MAX_SCHEDULE_TIMEOUT); |
1338 |
-+ |
1339 |
-+ try_to_freeze(); |
1340 |
-+ |
1341 |
-+ tout = xfsaild_push(ailp); |
1342 |
-+ } |
1343 |
-+ |
1344 |
-+ return 0; |
1345 |
- } |
1346 |
- |
1347 |
- /* |
1348 |
-@@ -559,8 +628,9 @@ xfs_ail_push( |
1349 |
- */ |
1350 |
- smp_wmb(); |
1351 |
- xfs_trans_ail_copy_lsn(ailp, &ailp->xa_target, &threshold_lsn); |
1352 |
-- if (!test_and_set_bit(XFS_AIL_PUSHING_BIT, &ailp->xa_flags)) |
1353 |
-- queue_delayed_work(xfs_syncd_wq, &ailp->xa_work, 0); |
1354 |
-+ smp_wmb(); |
1355 |
-+ |
1356 |
-+ wake_up_process(ailp->xa_task); |
1357 |
- } |
1358 |
- |
1359 |
- /* |
1360 |
-@@ -645,6 +715,7 @@ xfs_trans_unlocked_item( |
1361 |
- void |
1362 |
- xfs_trans_ail_update_bulk( |
1363 |
- struct xfs_ail *ailp, |
1364 |
-+ struct xfs_ail_cursor *cur, |
1365 |
- struct xfs_log_item **log_items, |
1366 |
- int nr_items, |
1367 |
- xfs_lsn_t lsn) __releases(ailp->xa_lock) |
1368 |
-@@ -674,7 +745,7 @@ xfs_trans_ail_update_bulk( |
1369 |
- list_add(&lip->li_ail, &tmp); |
1370 |
- } |
1371 |
- |
1372 |
-- xfs_ail_splice(ailp, &tmp, lsn); |
1373 |
-+ xfs_ail_splice(ailp, cur, &tmp, lsn); |
1374 |
- |
1375 |
- if (!mlip_changed) { |
1376 |
- spin_unlock(&ailp->xa_lock); |
1377 |
-@@ -794,9 +865,18 @@ xfs_trans_ail_init( |
1378 |
- ailp->xa_mount = mp; |
1379 |
- INIT_LIST_HEAD(&ailp->xa_ail); |
1380 |
- spin_lock_init(&ailp->xa_lock); |
1381 |
-- INIT_DELAYED_WORK(&ailp->xa_work, xfs_ail_worker); |
1382 |
-+ |
1383 |
-+ ailp->xa_task = kthread_run(xfsaild, ailp, "xfsaild/%s", |
1384 |
-+ ailp->xa_mount->m_fsname); |
1385 |
-+ if (IS_ERR(ailp->xa_task)) |
1386 |
-+ goto out_free_ailp; |
1387 |
-+ |
1388 |
- mp->m_ail = ailp; |
1389 |
- return 0; |
1390 |
-+ |
1391 |
-+out_free_ailp: |
1392 |
-+ kmem_free(ailp); |
1393 |
-+ return ENOMEM; |
1394 |
- } |
1395 |
- |
1396 |
- void |
1397 |
-@@ -805,6 +885,6 @@ xfs_trans_ail_destroy( |
1398 |
- { |
1399 |
- struct xfs_ail *ailp = mp->m_ail; |
1400 |
- |
1401 |
-- cancel_delayed_work_sync(&ailp->xa_work); |
1402 |
-+ kthread_stop(ailp->xa_task); |
1403 |
- kmem_free(ailp); |
1404 |
- } |
1405 |
-diff --git a/fs/xfs/xfs_trans_priv.h b/fs/xfs/xfs_trans_priv.h |
1406 |
-index 6b164e9..fe2e3cb 100644 |
1407 |
---- a/fs/xfs/xfs_trans_priv.h |
1408 |
-+++ b/fs/xfs/xfs_trans_priv.h |
1409 |
-@@ -64,24 +64,19 @@ struct xfs_ail_cursor { |
1410 |
- */ |
1411 |
- struct xfs_ail { |
1412 |
- struct xfs_mount *xa_mount; |
1413 |
-+ struct task_struct *xa_task; |
1414 |
- struct list_head xa_ail; |
1415 |
- xfs_lsn_t xa_target; |
1416 |
- struct xfs_ail_cursor xa_cursors; |
1417 |
- spinlock_t xa_lock; |
1418 |
-- struct delayed_work xa_work; |
1419 |
- xfs_lsn_t xa_last_pushed_lsn; |
1420 |
-- unsigned long xa_flags; |
1421 |
- }; |
1422 |
- |
1423 |
--#define XFS_AIL_PUSHING_BIT 0 |
1424 |
-- |
1425 |
- /* |
1426 |
- * From xfs_trans_ail.c |
1427 |
- */ |
1428 |
-- |
1429 |
--extern struct workqueue_struct *xfs_ail_wq; /* AIL workqueue */ |
1430 |
-- |
1431 |
- void xfs_trans_ail_update_bulk(struct xfs_ail *ailp, |
1432 |
-+ struct xfs_ail_cursor *cur, |
1433 |
- struct xfs_log_item **log_items, int nr_items, |
1434 |
- xfs_lsn_t lsn) __releases(ailp->xa_lock); |
1435 |
- static inline void |
1436 |
-@@ -90,7 +85,7 @@ xfs_trans_ail_update( |
1437 |
- struct xfs_log_item *lip, |
1438 |
- xfs_lsn_t lsn) __releases(ailp->xa_lock) |
1439 |
- { |
1440 |
-- xfs_trans_ail_update_bulk(ailp, &lip, 1, lsn); |
1441 |
-+ xfs_trans_ail_update_bulk(ailp, NULL, &lip, 1, lsn); |
1442 |
- } |
1443 |
- |
1444 |
- void xfs_trans_ail_delete_bulk(struct xfs_ail *ailp, |
1445 |
-@@ -111,10 +106,13 @@ xfs_lsn_t xfs_ail_min_lsn(struct xfs_ail *ailp); |
1446 |
- void xfs_trans_unlocked_item(struct xfs_ail *, |
1447 |
- xfs_log_item_t *); |
1448 |
- |
1449 |
--struct xfs_log_item *xfs_trans_ail_cursor_first(struct xfs_ail *ailp, |
1450 |
-+struct xfs_log_item * xfs_trans_ail_cursor_first(struct xfs_ail *ailp, |
1451 |
-+ struct xfs_ail_cursor *cur, |
1452 |
-+ xfs_lsn_t lsn); |
1453 |
-+struct xfs_log_item * xfs_trans_ail_cursor_last(struct xfs_ail *ailp, |
1454 |
- struct xfs_ail_cursor *cur, |
1455 |
- xfs_lsn_t lsn); |
1456 |
--struct xfs_log_item *xfs_trans_ail_cursor_next(struct xfs_ail *ailp, |
1457 |
-+struct xfs_log_item * xfs_trans_ail_cursor_next(struct xfs_ail *ailp, |
1458 |
- struct xfs_ail_cursor *cur); |
1459 |
- void xfs_trans_ail_cursor_done(struct xfs_ail *ailp, |
1460 |
- struct xfs_ail_cursor *cur); |
1461 |
-diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c |
1462 |
-index c8008dd..640ded8 100644 |
1463 |
---- a/kernel/posix-cpu-timers.c |
1464 |
-+++ b/kernel/posix-cpu-timers.c |
1465 |
-@@ -274,9 +274,7 @@ void thread_group_cputimer(struct task_struct *tsk, struct task_cputime *times) |
1466 |
- struct task_cputime sum; |
1467 |
- unsigned long flags; |
1468 |
- |
1469 |
-- spin_lock_irqsave(&cputimer->lock, flags); |
1470 |
- if (!cputimer->running) { |
1471 |
-- cputimer->running = 1; |
1472 |
- /* |
1473 |
- * The POSIX timer interface allows for absolute time expiry |
1474 |
- * values through the TIMER_ABSTIME flag, therefore we have |
1475 |
-@@ -284,8 +282,11 @@ void thread_group_cputimer(struct task_struct *tsk, struct task_cputime *times) |
1476 |
- * it. |
1477 |
- */ |
1478 |
- thread_group_cputime(tsk, &sum); |
1479 |
-+ spin_lock_irqsave(&cputimer->lock, flags); |
1480 |
-+ cputimer->running = 1; |
1481 |
- update_gt_cputime(&cputimer->cputime, &sum); |
1482 |
-- } |
1483 |
-+ } else |
1484 |
-+ spin_lock_irqsave(&cputimer->lock, flags); |
1485 |
- *times = cputimer->cputime; |
1486 |
- spin_unlock_irqrestore(&cputimer->lock, flags); |
1487 |
- } |
1488 |
-diff --git a/kernel/sys.c b/kernel/sys.c |
1489 |
-index 5c942cf..f88dadc 100644 |
1490 |
---- a/kernel/sys.c |
1491 |
-+++ b/kernel/sys.c |
1492 |
-@@ -1135,7 +1135,7 @@ DECLARE_RWSEM(uts_sem); |
1493 |
- static int override_release(char __user *release, int len) |
1494 |
- { |
1495 |
- int ret = 0; |
1496 |
-- char buf[len]; |
1497 |
-+ char buf[65]; |
1498 |
- |
1499 |
- if (current->personality & UNAME26) { |
1500 |
- char *rest = UTS_RELEASE; |
1501 |
-diff --git a/mm/migrate.c b/mm/migrate.c |
1502 |
-index 666e4e6..14d0a6a 100644 |
1503 |
---- a/mm/migrate.c |
1504 |
-+++ b/mm/migrate.c |
1505 |
-@@ -120,10 +120,10 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma, |
1506 |
- |
1507 |
- ptep = pte_offset_map(pmd, addr); |
1508 |
- |
1509 |
-- if (!is_swap_pte(*ptep)) { |
1510 |
-- pte_unmap(ptep); |
1511 |
-- goto out; |
1512 |
-- } |
1513 |
-+ /* |
1514 |
-+ * Peek to check is_swap_pte() before taking ptlock? No, we |
1515 |
-+ * can race mremap's move_ptes(), which skips anon_vma lock. |
1516 |
-+ */ |
1517 |
- |
1518 |
- ptl = pte_lockptr(mm, pmd); |
1519 |
- } |
1520 |
-diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c |
1521 |
-index 4680b1e..373e14f 100644 |
1522 |
---- a/net/x25/af_x25.c |
1523 |
-+++ b/net/x25/af_x25.c |
1524 |
-@@ -295,7 +295,8 @@ static struct sock *x25_find_listener(struct x25_address *addr, |
1525 |
- * Found a listening socket, now check the incoming |
1526 |
- * call user data vs this sockets call user data |
1527 |
- */ |
1528 |
-- if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { |
1529 |
-+ if (x25_sk(s)->cudmatchlength > 0 && |
1530 |
-+ skb->len >= x25_sk(s)->cudmatchlength) { |
1531 |
- if((memcmp(x25_sk(s)->calluserdata.cuddata, |
1532 |
- skb->data, |
1533 |
- x25_sk(s)->cudmatchlength)) == 0) { |
1534 |
-diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c |
1535 |
-index 486f6de..981b6fd 100644 |
1536 |
---- a/sound/pci/hda/hda_intel.c |
1537 |
-+++ b/sound/pci/hda/hda_intel.c |
1538 |
-@@ -2352,6 +2352,7 @@ static struct snd_pci_quirk position_fix_list[] __devinitdata = { |
1539 |
- SND_PCI_QUIRK(0x1028, 0x01cc, "Dell D820", POS_FIX_LPIB), |
1540 |
- SND_PCI_QUIRK(0x1028, 0x01de, "Dell Precision 390", POS_FIX_LPIB), |
1541 |
- SND_PCI_QUIRK(0x1028, 0x01f6, "Dell Latitude 131L", POS_FIX_LPIB), |
1542 |
-+ SND_PCI_QUIRK(0x1028, 0x02c6, "Dell Inspiron 1010", POS_FIX_LPIB), |
1543 |
- SND_PCI_QUIRK(0x1028, 0x0470, "Dell Inspiron 1120", POS_FIX_LPIB), |
1544 |
- SND_PCI_QUIRK(0x103c, 0x306d, "HP dv3", POS_FIX_LPIB), |
1545 |
- SND_PCI_QUIRK(0x1043, 0x813d, "ASUS P5AD2", POS_FIX_LPIB), |
1546 |
-diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c |
1547 |
-index 7bbc5f2..cf1fa36 100644 |
1548 |
---- a/sound/pci/hda/patch_conexant.c |
1549 |
-+++ b/sound/pci/hda/patch_conexant.c |
1550 |
-@@ -3097,6 +3097,7 @@ static const struct snd_pci_quirk cxt5066_cfg_tbl[] = { |
1551 |
- SND_PCI_QUIRK(0x17aa, 0x21c5, "Thinkpad Edge 13", CXT5066_THINKPAD), |
1552 |
- SND_PCI_QUIRK(0x17aa, 0x21c6, "Thinkpad Edge 13", CXT5066_ASUS), |
1553 |
- SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo Thinkpad", CXT5066_THINKPAD), |
1554 |
-+ SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520 & W520", CXT5066_AUTO), |
1555 |
- SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT5066_THINKPAD), |
1556 |
- SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT5066_THINKPAD), |
1557 |
- SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo U350", CXT5066_ASUS), |
1558 |
|
1559 |
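--- /dev/null
+++ b/3.1.5/0000_README
@@ -0,0 +1,8 @@
+README
+-----------------------------------------------------------------------------
+
+Individual Patch Descriptions:
+-----------------------------------------------------------------------------
+Patch: 4500_patch-linux-3.1.5-rsbac-1.4.6.diff
+From: Amon Ott <ao@×××××.org>
+Desc: RSBAC patch from http://www.rsbac.org/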
diff --git a/3.0.8/4500_rsbac.patch b/3.1.5/4500_patch-linux-3.1.5-rsbac-1.4.6.diff |
1575 |
similarity index 99% |
1576 |
rename from 3.0.8/4500_rsbac.patch |
1577 |
rename to 3.1.5/4500_patch-linux-3.1.5-rsbac-1.4.6.diff |
1578 |
index d4cb64b..bfb3bd1 100644 |
1579 |
--- a/3.0.8/4500_rsbac.patch |
1580 |
+++ b/3.1.5/4500_patch-linux-3.1.5-rsbac-1.4.6.diff |
1581 |
@@ -25,12 +25,20 @@ index 0000000..7e08278 |
1582 |
+Amon Ott <ao@×××××.org> |
1583 |
diff --git a/Documentation/rsbac/Changes b/Documentation/rsbac/Changes |
1584 |
new file mode 100644 |
1585 |
-index 0000000..751a60d |
1586 |
+index 0000000..8217276 |
1587 |
--- /dev/null |
1588 |
+++ b/Documentation/rsbac/Changes |
1589 |
-@@ -0,0 +1,675 @@ |
1590 |
+@@ -0,0 +1,683 @@ |
1591 |
+RSBAC Changes |
1592 |
+------------- |
1593 |
++1.4.6: |
1594 |
++ - Port everything to kernel 3.1.5 |
1595 |
++ - Show process name and parent when logging PROCESS target accesses |
1596 |
++ - Add RSBAC syscalls to get and set UM password history size per |
1597 |
++ user. |
1598 |
++ - Do not allow to set attributes for FD targets with |
1599 |
++ sys_rsbac_set_attr() |
1600 |
++ |
1601 |
+1.4.5: |
1602 |
+ - Fix symlink's stat() call to return the real symlink size |
1603 |
+ Fixes program that would assert on stat->s_size being the same size as when using readlink() |
1604 |
@@ -1555,10 +1563,10 @@ index 0000000..10d6b8b |
1605 |
+rsbac-admin tools. These are basically the same modules that are built if |
1606 |
+you enabled building of sample modules in kernel config. |
1607 |
diff --git a/MAINTAINERS b/MAINTAINERS |
1608 |
-index 187282d..d71f5f5 100644 |
1609 |
+index e608038..7a1e27e 100644 |
1610 |
--- a/MAINTAINERS |
1611 |
+++ b/MAINTAINERS |
1612 |
-@@ -5352,6 +5352,13 @@ F: include/linux/rose.h |
1613 |
+@@ -5441,6 +5441,13 @@ F: include/linux/rose.h |
1614 |
F: include/net/rose.h |
1615 |
F: net/rose/ |
1616 |
|
1617 |
@@ -1573,7 +1581,7 @@ index 187282d..d71f5f5 100644 |
1618 |
M: "John W. Linville" <linville@×××××××××.com> |
1619 |
L: linux-wireless@×××××××××××.org |
1620 |
diff --git a/Makefile b/Makefile |
1621 |
-index 9f6e3cd..a432f4b 100644 |
1622 |
+index 94ab2ad..a2ce3ff 100644 |
1623 |
--- a/Makefile |
1624 |
+++ b/Makefile |
1625 |
@@ -681,6 +681,13 @@ export KBUILD_IMAGE ?= vmlinux |
1626 |
@@ -1677,7 +1685,7 @@ index e2af5eb..1e45259 100644 |
1627 |
switch (request) { |
1628 |
/* When I and D space are separate, these will need to be fixed. */ |
1629 |
diff --git a/arch/arm/include/asm/unistd.h b/arch/arm/include/asm/unistd.h |
1630 |
-index 2c04ed5..fb999d3 100644 |
1631 |
+index c60a294..4978995 100644 |
1632 |
--- a/arch/arm/include/asm/unistd.h |
1633 |
+++ b/arch/arm/include/asm/unistd.h |
1634 |
@@ -248,7 +248,12 @@ |
1635 |
@@ -1695,7 +1703,7 @@ index 2c04ed5..fb999d3 100644 |
1636 |
#define __NR_readahead (__NR_SYSCALL_BASE+225) |
1637 |
#define __NR_setxattr (__NR_SYSCALL_BASE+226) |
1638 |
diff --git a/arch/arm/kernel/calls.S b/arch/arm/kernel/calls.S |
1639 |
-index 80f7896..5e354d3 100644 |
1640 |
+index 9943e9e..cba188b 100644 |
1641 |
--- a/arch/arm/kernel/calls.S |
1642 |
+++ b/arch/arm/kernel/calls.S |
1643 |
@@ -232,7 +232,11 @@ |
1644 |
@@ -1711,10 +1719,10 @@ index 80f7896..5e354d3 100644 |
1645 |
/* 225 */ CALL(ABI(sys_readahead, sys_oabi_readahead)) |
1646 |
CALL(sys_setxattr) |
1647 |
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c |
1648 |
-index 5e1e541..ea7a4ab 100644 |
1649 |
+index c9d11ea..9432520 100644 |
1650 |
--- a/arch/arm/kernel/process.c |
1651 |
+++ b/arch/arm/kernel/process.c |
1652 |
-@@ -445,6 +445,10 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1653 |
+@@ -450,6 +450,10 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1654 |
{ |
1655 |
struct pt_regs regs; |
1656 |
|
1657 |
@@ -1725,7 +1733,7 @@ index 5e1e541..ea7a4ab 100644 |
1658 |
memset(®s, 0, sizeof(regs)); |
1659 |
|
1660 |
regs.ARM_r4 = (unsigned long)arg; |
1661 |
-@@ -454,7 +458,12 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1662 |
+@@ -459,7 +463,12 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1663 |
regs.ARM_pc = (unsigned long)kernel_thread_helper; |
1664 |
regs.ARM_cpsr = regs.ARM_r7 | PSR_I_BIT; |
1665 |
|
1666 |
@@ -1758,7 +1766,7 @@ index ef5a2a0..ae0c932 100644 |
1667 |
EXPORT_SYMBOL(kernel_thread); |
1668 |
|
1669 |
diff --git a/arch/blackfin/kernel/process.c b/arch/blackfin/kernel/process.c |
1670 |
-index 6a660fa..cf065bb 100644 |
1671 |
+index 6a80a9e..3650435 100644 |
1672 |
--- a/arch/blackfin/kernel/process.c |
1673 |
+++ b/arch/blackfin/kernel/process.c |
1674 |
@@ -127,8 +127,13 @@ pid_t kernel_thread(int (*fn) (void *), void *arg, unsigned long flags) |
1675 |
@@ -1777,7 +1785,7 @@ index 6a660fa..cf065bb 100644 |
1676 |
EXPORT_SYMBOL(kernel_thread); |
1677 |
|
1678 |
diff --git a/arch/cris/arch-v10/kernel/entry.S b/arch/cris/arch-v10/kernel/entry.S |
1679 |
-index 1161883..c96da47 100644 |
1680 |
+index 592fbe9..0360b7f 100644 |
1681 |
--- a/arch/cris/arch-v10/kernel/entry.S |
1682 |
+++ b/arch/cris/arch-v10/kernel/entry.S |
1683 |
@@ -825,7 +825,11 @@ sys_call_table: |
1684 |
@@ -1934,7 +1942,7 @@ index af56501..98608b3 100644 |
1685 |
BLANK(); |
1686 |
DEFINE(IA64_CPUINFO_NSEC_PER_CYC_OFFSET, |
1687 |
diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S |
1688 |
-index 97dd2ab..fbfe83c 100644 |
1689 |
+index 198c753..c8f006a 100644 |
1690 |
--- a/arch/ia64/kernel/entry.S |
1691 |
+++ b/arch/ia64/kernel/entry.S |
1692 |
@@ -1758,6 +1758,9 @@ sys_call_table: |
1693 |
@@ -2099,7 +2107,7 @@ index 6cf4bd6..ae5dc84 100644 |
1694 |
+#endif |
1695 |
+ |
1696 |
diff --git a/arch/m68k/kernel/process_no.c b/arch/m68k/kernel/process_no.c |
1697 |
-index 9b86ad1..237324d 100644 |
1698 |
+index 69c1803..f387c82 100644 |
1699 |
--- a/arch/m68k/kernel/process_no.c |
1700 |
+++ b/arch/m68k/kernel/process_no.c |
1701 |
@@ -121,7 +121,11 @@ void show_regs(struct pt_regs * regs) |
1702 |
@@ -2128,10 +2136,10 @@ index 9b86ad1..237324d 100644 |
1703 |
} |
1704 |
EXPORT_SYMBOL(kernel_thread); |
1705 |
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c |
1706 |
-index d2112d3..bc0f34e 100644 |
1707 |
+index b30cb25..9bbec68 100644 |
1708 |
--- a/arch/mips/kernel/process.c |
1709 |
+++ b/arch/mips/kernel/process.c |
1710 |
-@@ -234,6 +234,7 @@ static void __noreturn kernel_thread_helper(void *arg, int (*fn)(void *)) |
1711 |
+@@ -233,6 +233,7 @@ static void __noreturn kernel_thread_helper(void *arg, int (*fn)(void *)) |
1712 |
long kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1713 |
{ |
1714 |
struct pt_regs regs; |
1715 |
@@ -2139,7 +2147,7 @@ index d2112d3..bc0f34e 100644 |
1716 |
|
1717 |
memset(®s, 0, sizeof(regs)); |
1718 |
|
1719 |
-@@ -249,7 +250,12 @@ long kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1720 |
+@@ -248,7 +249,12 @@ long kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1721 |
#endif |
1722 |
|
1723 |
/* Ok, create the new process.. */ |
1724 |
@@ -2154,7 +2162,7 @@ index d2112d3..bc0f34e 100644 |
1725 |
|
1726 |
/* |
1727 |
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S |
1728 |
-index 99e656e..82923de 100644 |
1729 |
+index 865bc7a..beba92f 100644 |
1730 |
--- a/arch/mips/kernel/scall32-o32.S |
1731 |
+++ b/arch/mips/kernel/scall32-o32.S |
1732 |
@@ -456,7 +456,11 @@ einval: li v0, -ENOSYS |
1733 |
@@ -2170,7 +2178,7 @@ index 99e656e..82923de 100644 |
1734 |
sys sys_readahead 5 |
1735 |
sys sys_setxattr 5 |
1736 |
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S |
1737 |
-index fb0575f..18b9954 100644 |
1738 |
+index fb7334b..55139c0 100644 |
1739 |
--- a/arch/mips/kernel/scall64-64.S |
1740 |
+++ b/arch/mips/kernel/scall64-64.S |
1741 |
@@ -303,7 +303,11 @@ sys_call_table: |
1742 |
@@ -2186,7 +2194,7 @@ index fb0575f..18b9954 100644 |
1743 |
PTR sys_readahead |
1744 |
PTR sys_setxattr /* 5180 */ |
1745 |
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S |
1746 |
-index 4a387de..40598f9 100644 |
1747 |
+index 1d81316..54fc4d5 100644 |
1748 |
--- a/arch/mips/kernel/scall64-o32.S |
1749 |
+++ b/arch/mips/kernel/scall64-o32.S |
1750 |
@@ -424,7 +424,11 @@ sys_call_table: |
1751 |
@@ -2220,26 +2228,16 @@ index 28eec31..2e8973f 100644 |
1752 |
EXPORT_SYMBOL(kernel_thread); |
1753 |
|
1754 |
diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c |
1755 |
-index 4b4b918..c954f2e 100644 |
1756 |
+index 4b4b918..822e4f1 100644 |
1757 |
--- a/arch/parisc/kernel/process.c |
1758 |
+++ b/arch/parisc/kernel/process.c |
1759 |
-@@ -170,13 +170,22 @@ EXPORT_SYMBOL(pm_power_off); |
1760 |
- extern pid_t __kernel_thread(int (*fn)(void *), void *arg, unsigned long flags); |
1761 |
- pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1762 |
- { |
1763 |
-+#ifdef CONFIG_RSBAC |
1764 |
-+ pid_t rsbac_retval; |
1765 |
-+#endif |
1766 |
- |
1767 |
- /* |
1768 |
- * FIXME: Once we are sure we don't need any debug here, |
1769 |
+@@ -176,7 +176,12 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1770 |
* kernel_thread can become a #define. |
1771 |
*/ |
1772 |
|
1773 |
+ /* Ok, create the new process.. */ |
1774 |
+#ifdef CONFIG_RSBAC |
1775 |
-+ rsbac_retval = __kernel_thread(fn, arg, flags | CLONE_KTHREAD); |
1776 |
-+ return rsbac_retval; |
1777 |
++ return __kernel_thread(fn, arg, flags | CLONE_KTHREAD); |
1778 |
+#else |
1779 |
return __kernel_thread(fn, arg, flags); |
1780 |
+#endif |
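Review bot: The `#ifdef CONFIG_RSBAC` block at the end of kernel_thread duplicates the entire `__kernel_thread()` call on both sides of the `#else` just to OR in one flag, which invites the two call sites drifting apart the next time the arguments change. Folding the flag keeps a single call: `#ifdef CONFIG_RSBAC` / `flags |= CLONE_KTHREAD;` / `#endif` followed by the one `return __kernel_thread(fn, arg, flags);` that is already the `#else` branch. Dropping the `rsbac_retval` temporary that the previous revision carried is an improvement, and this change would finish it. kernel_thread's opening lines are outside the hunk (its signature survives only in the removed old-side hunk header).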
1781 |
@@ -2247,7 +2245,7 @@ index 4b4b918..c954f2e 100644 |
1782 |
EXPORT_SYMBOL(kernel_thread); |
1783 |
|
1784 |
diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S |
1785 |
-index e66366f..680336c 100644 |
1786 |
+index 3735abd..97347de 100644 |
1787 |
--- a/arch/parisc/kernel/syscall_table.S |
1788 |
+++ b/arch/parisc/kernel/syscall_table.S |
1789 |
@@ -407,6 +407,9 @@ |
1790 |
@@ -2261,7 +2259,7 @@ index e66366f..680336c 100644 |
1791 |
ENTRY_SAME(eventfd2) /* 310 */ |
1792 |
ENTRY_SAME(epoll_create1) |
1793 |
diff --git a/arch/powerpc/include/asm/systbl.h b/arch/powerpc/include/asm/systbl.h |
1794 |
-index f6736b7..6133b35 100644 |
1795 |
+index fa0d27a..3ef73e0 100644 |
1796 |
--- a/arch/powerpc/include/asm/systbl.h |
1797 |
+++ b/arch/powerpc/include/asm/systbl.h |
1798 |
@@ -227,7 +227,11 @@ SYSCALL_SPU(fremovexattr) |
1799 |
@@ -2292,10 +2290,10 @@ index b8b3f59..0838a51 100644 |
1800 |
#define __NR_tuxcall 225 |
1801 |
#ifndef __powerpc64__ |
1802 |
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c |
1803 |
-index 36e1c8a..caabc4d 100644 |
1804 |
+index 5f078bc..9f176b3 100644 |
1805 |
--- a/arch/powerpc/kernel/asm-offsets.c |
1806 |
+++ b/arch/powerpc/kernel/asm-offsets.c |
1807 |
-@@ -312,6 +312,9 @@ int main(void) |
1808 |
+@@ -313,6 +313,9 @@ int main(void) |
1809 |
#endif |
1810 |
DEFINE(CLONE_VM, CLONE_VM); |
1811 |
DEFINE(CLONE_UNTRACED, CLONE_UNTRACED); |
1812 |
@@ -2322,7 +2320,7 @@ index 998a100..d86df96 100644 |
1813 |
li r0,__NR_clone |
1814 |
sc |
1815 |
diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S |
1816 |
-index e89df59..c5a752a 100644 |
1817 |
+index 616921e..9f8aeb4 100644 |
1818 |
--- a/arch/powerpc/kernel/misc_64.S |
1819 |
+++ b/arch/powerpc/kernel/misc_64.S |
1820 |
@@ -422,7 +422,11 @@ _GLOBAL(kernel_thread) |
1821 |
@@ -2367,7 +2365,7 @@ index 541a750..e1e8a62 100644 |
1822 |
EXPORT_SYMBOL(kernel_thread); |
1823 |
|
1824 |
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c |
1825 |
-index ef86ad2..ad9f572 100644 |
1826 |
+index 5804cfa..455478a 100644 |
1827 |
--- a/arch/s390/kernel/ptrace.c |
1828 |
+++ b/arch/s390/kernel/ptrace.c |
1829 |
@@ -35,6 +35,8 @@ |
1830 |
@@ -2450,7 +2448,7 @@ index 210c1ca..d0493ec 100644 |
1831 |
EXPORT_SYMBOL(kernel_thread); |
1832 |
|
1833 |
diff --git a/arch/sh/kernel/syscalls_32.S b/arch/sh/kernel/syscalls_32.S |
1834 |
-index 39b051d..6b64f7a 100644 |
1835 |
+index 293e39c..008bdca 100644 |
1836 |
--- a/arch/sh/kernel/syscalls_32.S |
1837 |
+++ b/arch/sh/kernel/syscalls_32.S |
1838 |
@@ -239,7 +239,11 @@ ENTRY(sys_call_table) |
1839 |
@@ -2466,7 +2464,7 @@ index 39b051d..6b64f7a 100644 |
1840 |
.long sys_readahead /* 225 */ |
1841 |
.long sys_setxattr |
1842 |
diff --git a/arch/sh/kernel/syscalls_64.S b/arch/sh/kernel/syscalls_64.S |
1843 |
-index 089c4d8..c1db16f 100644 |
1844 |
+index ceb34b9..a577dfc 100644 |
1845 |
--- a/arch/sh/kernel/syscalls_64.S |
1846 |
+++ b/arch/sh/kernel/syscalls_64.S |
1847 |
@@ -276,7 +276,11 @@ sys_call_table: |
1848 |
@@ -2499,10 +2497,10 @@ index 6260d5d..2d5b076 100644 |
1849 |
#ifdef __32bit_syscall_numbers__ |
1850 |
/* Sparc 32-bit only has the "setresuid32", "getresuid32" variants, |
1851 |
diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c |
1852 |
-index c8cc461..28ea016 100644 |
1853 |
+index f793742..af327b1 100644 |
1854 |
--- a/arch/sparc/kernel/process_32.c |
1855 |
+++ b/arch/sparc/kernel/process_32.c |
1856 |
-@@ -679,9 +679,14 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) |
1857 |
+@@ -678,9 +678,14 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) |
1858 |
/* Notreached by child. */ |
1859 |
"1: mov %%o0, %0\n\t" : |
1860 |
"=r" (retval) : |
1861 |
@@ -2518,10 +2516,10 @@ index c8cc461..28ea016 100644 |
1862 |
} |
1863 |
EXPORT_SYMBOL(kernel_thread); |
1864 |
diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c |
1865 |
-index c158a95..eb31c7f 100644 |
1866 |
+index d959cd0..dc40d9b 100644 |
1867 |
--- a/arch/sparc/kernel/process_64.c |
1868 |
+++ b/arch/sparc/kernel/process_64.c |
1869 |
-@@ -646,7 +646,11 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) |
1870 |
+@@ -643,7 +643,11 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) |
1871 |
/* Notreached by child. */ |
1872 |
"1:" : |
1873 |
"=r" (retval) : |
1874 |
@@ -2622,7 +2620,7 @@ index 96ee50a..83bf9b0 100644 |
1875 |
case PTRACE_PEEKUSR: |
1876 |
ret = (addr != 0) ? -EIO : 0; |
1877 |
diff --git a/arch/sparc/kernel/systbls_32.S b/arch/sparc/kernel/systbls_32.S |
1878 |
-index 6e492d5..742c50b 100644 |
1879 |
+index 09d8ec4..75c21ac 100644 |
1880 |
--- a/arch/sparc/kernel/systbls_32.S |
1881 |
+++ b/arch/sparc/kernel/systbls_32.S |
1882 |
@@ -48,7 +48,11 @@ sys_call_table: |
1883 |
@@ -2638,7 +2636,7 @@ index 6e492d5..742c50b 100644 |
1884 |
/*170*/ .long sys_lsetxattr, sys_fsetxattr, sys_getxattr, sys_lgetxattr, sys_getdents |
1885 |
/*175*/ .long sys_setsid, sys_fchdir, sys_fgetxattr, sys_listxattr, sys_llistxattr |
1886 |
diff --git a/arch/sparc/kernel/systbls_64.S b/arch/sparc/kernel/systbls_64.S |
1887 |
-index f566518..4631842 100644 |
1888 |
+index edbec45..07cb12f 100644 |
1889 |
--- a/arch/sparc/kernel/systbls_64.S |
1890 |
+++ b/arch/sparc/kernel/systbls_64.S |
1891 |
@@ -50,7 +50,11 @@ sys_call_table32: |
1892 |
@@ -2654,7 +2652,7 @@ index f566518..4631842 100644 |
1893 |
/*170*/ .word sys32_lsetxattr, sys32_fsetxattr, sys_getxattr, sys_lgetxattr, compat_sys_getdents |
1894 |
.word sys_setsid, sys_fchdir, sys32_fgetxattr, sys_listxattr, sys_llistxattr |
1895 |
diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c |
1896 |
-index fab4371..2787392 100644 |
1897 |
+index 21c1ae7..796e7f4 100644 |
1898 |
--- a/arch/um/kernel/process.c |
1899 |
+++ b/arch/um/kernel/process.c |
1900 |
@@ -74,7 +74,11 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) |
1901 |
@@ -2670,7 +2668,7 @@ index fab4371..2787392 100644 |
1902 |
return pid; |
1903 |
} |
1904 |
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S |
1905 |
-index c1870dd..08d73c9 100644 |
1906 |
+index 54edb207..895a206 100644 |
1907 |
--- a/arch/x86/ia32/ia32entry.S |
1908 |
+++ b/arch/x86/ia32/ia32entry.S |
1909 |
@@ -726,7 +726,11 @@ ia32_sys_call_table: |
1910 |
@@ -2700,7 +2698,7 @@ index 593485b..21f9477 100644 |
1911 |
#define __NR_readahead 225 |
1912 |
#define __NR_setxattr 226 |
1913 |
diff --git a/arch/x86/include/asm/unistd_64.h b/arch/x86/include/asm/unistd_64.h |
1914 |
-index 705bf13..1a4897f 100644 |
1915 |
+index 2010405..7fbae21 100644 |
1916 |
--- a/arch/x86/include/asm/unistd_64.h |
1917 |
+++ b/arch/x86/include/asm/unistd_64.h |
1918 |
@@ -431,7 +431,14 @@ __SYSCALL(__NR_afs_syscall, sys_ni_syscall) |
1919 |
@@ -2799,7 +2797,7 @@ index 8c96897..524e039 100644 |
1920 |
t->iopl = level << 12; |
1921 |
set_iopl_mask(t->iopl); |
1922 |
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c |
1923 |
-index e1ba8cb..630e58a 100644 |
1924 |
+index e7e3b01..128ffdb 100644 |
1925 |
--- a/arch/x86/kernel/process.c |
1926 |
+++ b/arch/x86/kernel/process.c |
1927 |
@@ -276,6 +276,10 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) |
1928 |
@@ -2827,10 +2825,10 @@ index e1ba8cb..630e58a 100644 |
1929 |
EXPORT_SYMBOL(kernel_thread); |
1930 |
|
1931 |
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c |
1932 |
-index ca6f7ab..e2e7e23 100644 |
1933 |
+index f693e44..a0ef1a1 100644 |
1934 |
--- a/arch/x86/kernel/process_64.c |
1935 |
+++ b/arch/x86/kernel/process_64.c |
1936 |
-@@ -56,6 +56,12 @@ asmlinkage extern void ret_from_fork(void); |
1937 |
+@@ -57,6 +57,12 @@ asmlinkage extern void ret_from_fork(void); |
1938 |
DEFINE_PER_CPU(unsigned long, old_rsp); |
1939 |
static DEFINE_PER_CPU(unsigned char, is_idle); |
1940 |
|
1941 |
@@ -2844,7 +2842,7 @@ index ca6f7ab..e2e7e23 100644 |
1942 |
|
1943 |
void idle_notifier_register(struct notifier_block *n) |
1944 |
diff --git a/arch/x86/kernel/syscall_table_32.S b/arch/x86/kernel/syscall_table_32.S |
1945 |
-index fbb0a04..f94ac61 100644 |
1946 |
+index bc19be3..63a703d 100644 |
1947 |
--- a/arch/x86/kernel/syscall_table_32.S |
1948 |
+++ b/arch/x86/kernel/syscall_table_32.S |
1949 |
@@ -222,7 +222,11 @@ ENTRY(sys_call_table) |
1950 |
@@ -2955,19 +2953,19 @@ index 1124cd2..0852ffd 100644 |
1951 |
case BLKFLSBUF: |
1952 |
if (!capable(CAP_SYS_ADMIN)) |
1953 |
diff --git a/drivers/block/loop.c b/drivers/block/loop.c |
1954 |
-index 2ebacf0..77b0aba 100644 |
1955 |
+index 4720c7a..0fc0685 100644 |
1956 |
--- a/drivers/block/loop.c |
1957 |
+++ b/drivers/block/loop.c |
1958 |
@@ -78,6 +78,8 @@ |
1959 |
- |
1960 |
+ #include <linux/miscdevice.h> |
1961 |
#include <asm/uaccess.h> |
1962 |
|
1963 |
+#include <rsbac/hooks.h> |
1964 |
+ |
1965 |
- static LIST_HEAD(loop_devices); |
1966 |
- static DEFINE_MUTEX(loop_devices_mutex); |
1967 |
+ static DEFINE_IDR(loop_index_idr); |
1968 |
+ static DEFINE_MUTEX(loop_index_mutex); |
1969 |
|
1970 |
-@@ -825,6 +827,12 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, |
1971 |
+@@ -818,6 +820,12 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, |
1972 |
int error; |
1973 |
loff_t size; |
1974 |
|
1975 |
@@ -2980,7 +2978,7 @@ index 2ebacf0..77b0aba 100644 |
1976 |
/* This is safe, since we have a reference from open(). */ |
1977 |
__module_get(THIS_MODULE); |
1978 |
|
1979 |
-@@ -886,6 +894,46 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, |
1980 |
+@@ -879,6 +887,46 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode, |
1981 |
if (!(mode & FMODE_WRITE)) |
1982 |
lo_flags |= LO_FLAGS_READ_ONLY; |
1983 |
|
1984 |
@@ -3027,7 +3025,7 @@ index 2ebacf0..77b0aba 100644 |
1985 |
set_device_ro(bdev, (lo_flags & LO_FLAGS_READ_ONLY) != 0); |
1986 |
|
1987 |
lo->lo_blocksize = lo_blocksize; |
1988 |
-@@ -992,6 +1040,12 @@ static int loop_clr_fd(struct loop_device *lo, struct block_device *bdev) |
1989 |
+@@ -985,6 +1033,12 @@ static int loop_clr_fd(struct loop_device *lo, struct block_device *bdev) |
1990 |
struct file *filp = lo->lo_backing_file; |
1991 |
gfp_t gfp = lo->old_gfp_mask; |
1992 |
|
1993 |
@@ -3040,7 +3038,7 @@ index 2ebacf0..77b0aba 100644 |
1994 |
if (lo->lo_state != Lo_bound) |
1995 |
return -ENXIO; |
1996 |
|
1997 |
-@@ -1001,6 +1055,44 @@ static int loop_clr_fd(struct loop_device *lo, struct block_device *bdev) |
1998 |
+@@ -994,6 +1048,44 @@ static int loop_clr_fd(struct loop_device *lo, struct block_device *bdev) |
1999 |
if (filp == NULL) |
2000 |
return -EINVAL; |
2001 |
|
2002 |
@@ -3337,10 +3335,10 @@ index 43db715..ec958c5 100644 |
2003 |
NULL, /* y */ |
2004 |
&sysrq_ftrace_dump_op, /* z */ |
2005 |
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c |
2006 |
-index b6f92d3..f06464b 100644 |
2007 |
+index 1a890e2..5d0c72a 100644 |
2008 |
--- a/drivers/tty/tty_io.c |
2009 |
+++ b/drivers/tty/tty_io.c |
2010 |
-@@ -105,6 +105,8 @@ |
2011 |
+@@ -106,6 +106,8 @@ |
2012 |
#include <linux/kmod.h> |
2013 |
#include <linux/nsproxy.h> |
2014 |
|
2015 |
@@ -3349,7 +3347,7 @@ index b6f92d3..f06464b 100644 |
2016 |
#undef TTY_DEBUG_HANGUP |
2017 |
|
2018 |
#define TTY_PARANOIA_CHECK 1 |
2019 |
-@@ -2056,10 +2058,33 @@ static int tiocsti(struct tty_struct *tty, char __user *p) |
2020 |
+@@ -2080,10 +2082,33 @@ static int tiocsti(struct tty_struct *tty, char __user *p) |
2021 |
char ch, mbz = 0; |
2022 |
struct tty_ldisc *ld; |
2023 |
|
2024 |
@@ -3456,7 +3454,7 @@ index 53f2442..e9eff1e 100644 |
2025 |
#ifdef TIOCGETP |
2026 |
case TIOCGETP: |
2027 |
diff --git a/fs/exec.c b/fs/exec.c |
2028 |
-index 044c13f..36499fc 100644 |
2029 |
+index 25dcbe5..0b3ec45 100644 |
2030 |
--- a/fs/exec.c |
2031 |
+++ b/fs/exec.c |
2032 |
@@ -61,6 +61,8 @@ |
2033 |
@@ -3547,7 +3545,7 @@ index 044c13f..36499fc 100644 |
2034 |
fput(file); |
2035 |
out: |
2036 |
return error; |
2037 |
-@@ -789,6 +845,13 @@ struct file *open_exec(const char *name) |
2038 |
+@@ -782,6 +838,13 @@ struct file *open_exec(const char *name) |
2039 |
|
2040 |
fsnotify_open(file); |
2041 |
|
2042 |
@@ -3561,9 +3559,9 @@ index 044c13f..36499fc 100644 |
2043 |
err = deny_write_access(file); |
2044 |
if (err) |
2045 |
goto exit; |
2046 |
-@@ -1436,6 +1499,12 @@ static int do_execve_common(const char *filename, |
2047 |
- bool clear_in_exec; |
2048 |
+@@ -1461,6 +1524,12 @@ static int do_execve_common(const char *filename, |
2049 |
int retval; |
2050 |
+ const struct cred *cred = current_cred(); |
2051 |
|
2052 |
+#ifdef CONFIG_RSBAC |
2053 |
+ union rsbac_target_id_t rsbac_target_id; |
2054 |
@@ -3571,10 +3569,10 @@ index 044c13f..36499fc 100644 |
2055 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
2056 |
+#endif |
2057 |
+ |
2058 |
- retval = unshare_files(&displaced); |
2059 |
- if (retval) |
2060 |
- goto out_ret; |
2061 |
-@@ -1478,6 +1547,26 @@ static int do_execve_common(const char *filename, |
2062 |
+ /* |
2063 |
+ * We move the actual failure in case of RLIMIT_NPROC excess from |
2064 |
+ * set*uid() to execve() because too many poorly written programs |
2065 |
+@@ -1519,6 +1588,26 @@ static int do_execve_common(const char *filename, |
2066 |
if ((retval = bprm->envc) < 0) |
2067 |
goto out; |
2068 |
|
2069 |
@@ -3601,7 +3599,7 @@ index 044c13f..36499fc 100644 |
2070 |
retval = prepare_binprm(bprm); |
2071 |
if (retval < 0) |
2072 |
goto out; |
2073 |
-@@ -1503,6 +1592,25 @@ static int do_execve_common(const char *filename, |
2074 |
+@@ -1544,6 +1633,25 @@ static int do_execve_common(const char *filename, |
2075 |
current->fs->in_exec = 0; |
2076 |
current->in_execve = 0; |
2077 |
acct_update_integrals(current); |
2078 |
@@ -3717,7 +3715,7 @@ index f81e250..48be9f3 100644 |
2079 |
|
2080 |
switch (cmd) { |
2081 |
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c |
2082 |
-index ed5c5d4..b4050ed 100644 |
2083 |
+index 761fde8..360b78d 100644 |
2084 |
--- a/fs/ext2/namei.c |
2085 |
+++ b/fs/ext2/namei.c |
2086 |
@@ -37,6 +37,8 @@ |
2087 |
@@ -3729,7 +3727,7 @@ index ed5c5d4..b4050ed 100644 |
2088 |
static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode) |
2089 |
{ |
2090 |
int err = ext2_add_link(dentry, inode); |
2091 |
-@@ -284,6 +286,11 @@ static int ext2_unlink(struct inode * dir, struct dentry *dentry) |
2092 |
+@@ -280,6 +282,11 @@ static int ext2_unlink(struct inode * dir, struct dentry *dentry) |
2093 |
if (err) |
2094 |
goto out; |
2095 |
|
2096 |
@@ -3741,7 +3739,7 @@ index ed5c5d4..b4050ed 100644 |
2097 |
inode->i_ctime = dir->i_ctime; |
2098 |
inode_dec_link_count(inode); |
2099 |
err = 0; |
2100 |
-@@ -344,6 +351,12 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry, |
2101 |
+@@ -340,6 +347,12 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry, |
2102 |
new_de = ext2_find_entry (new_dir, &new_dentry->d_name, &new_page); |
2103 |
if (!new_de) |
2104 |
goto out_dir; |
2105 |
@@ -3755,7 +3753,7 @@ index ed5c5d4..b4050ed 100644 |
2106 |
new_inode->i_ctime = CURRENT_TIME_SEC; |
2107 |
if (dir_de) |
2108 |
diff --git a/fs/ext3/ioctl.c b/fs/ext3/ioctl.c |
2109 |
-index f4090bd..410113d 100644 |
2110 |
+index c7f4394..b6ad308 100644 |
2111 |
--- a/fs/ext3/ioctl.c |
2112 |
+++ b/fs/ext3/ioctl.c |
2113 |
@@ -17,6 +17,11 @@ |
2114 |
@@ -3855,10 +3853,10 @@ index f4090bd..410113d 100644 |
2115 |
|
2116 |
switch (cmd) { |
2117 |
diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c |
2118 |
-index e5a7111..b2b4e50 100644 |
2119 |
+index 0629e09..ef78a97 100644 |
2120 |
--- a/fs/ext3/namei.c |
2121 |
+++ b/fs/ext3/namei.c |
2122 |
-@@ -41,6 +41,8 @@ |
2123 |
+@@ -42,6 +42,8 @@ |
2124 |
#include "xattr.h" |
2125 |
#include "acl.h" |
2126 |
|
2127 |
@@ -3867,7 +3865,7 @@ index e5a7111..b2b4e50 100644 |
2128 |
/* |
2129 |
* define how far ahead to read directories while searching them. |
2130 |
*/ |
2131 |
-@@ -2163,6 +2165,19 @@ static int ext3_unlink(struct inode * dir, struct dentry *dentry) |
2132 |
+@@ -2162,6 +2164,19 @@ static int ext3_unlink(struct inode * dir, struct dentry *dentry) |
2133 |
|
2134 |
inode = dentry->d_inode; |
2135 |
|
2136 |
@@ -3911,7 +3909,7 @@ index e5a7111..b2b4e50 100644 |
2137 |
retval = ext3_journal_get_write_access(handle, new_bh); |
2138 |
if (retval) |
2139 |
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c |
2140 |
-index 808c554..8577f87 100644 |
2141 |
+index f18bfe3..3b41dd0 100644 |
2142 |
--- a/fs/ext4/ioctl.c |
2143 |
+++ b/fs/ext4/ioctl.c |
2144 |
@@ -18,12 +18,93 @@ |
2145 |
@@ -4009,7 +4007,7 @@ index 808c554..8577f87 100644 |
2146 |
|
2147 |
switch (cmd) { |
2148 |
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c |
2149 |
-index 458a394..0f22f61 100644 |
2150 |
+index 50c7294..89a815e 100644 |
2151 |
--- a/fs/ext4/namei.c |
2152 |
+++ b/fs/ext4/namei.c |
2153 |
@@ -41,6 +41,9 @@ |
2154 |
@@ -4022,7 +4020,7 @@ index 458a394..0f22f61 100644 |
2155 |
/* |
2156 |
* define how far ahead to read directories while searching them. |
2157 |
*/ |
2158 |
-@@ -2216,6 +2219,19 @@ static int ext4_unlink(struct inode *dir, struct dentry *dentry) |
2159 |
+@@ -2206,6 +2209,19 @@ static int ext4_unlink(struct inode *dir, struct dentry *dentry) |
2160 |
|
2161 |
inode = dentry->d_inode; |
2162 |
|
2163 |
@@ -4042,7 +4040,7 @@ index 458a394..0f22f61 100644 |
2164 |
retval = -EIO; |
2165 |
if (le32_to_cpu(de->inode) != inode->i_ino) |
2166 |
goto end_unlink; |
2167 |
-@@ -2473,6 +2489,21 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry, |
2168 |
+@@ -2463,6 +2479,21 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry, |
2169 |
if (retval) |
2170 |
goto end_rename; |
2171 |
} else { |
2172 |
@@ -4065,7 +4063,7 @@ index 458a394..0f22f61 100644 |
2173 |
retval = ext4_journal_get_write_access(handle, new_bh); |
2174 |
if (retval) |
2175 |
diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c |
2176 |
-index 3b222da..92c2bfa 100644 |
2177 |
+index 66e83b8..030f654 100644 |
2178 |
--- a/fs/fat/namei_msdos.c |
2179 |
+++ b/fs/fat/namei_msdos.c |
2180 |
@@ -9,6 +9,7 @@ |
2181 |
@@ -4076,7 +4074,7 @@ index 3b222da..92c2bfa 100644 |
2182 |
#include "fat.h" |
2183 |
|
2184 |
/* Characters that are undesirable in an MS-DOS file name */ |
2185 |
-@@ -432,6 +433,9 @@ static int msdos_unlink(struct inode *dir, struct dentry *dentry) |
2186 |
+@@ -423,6 +424,9 @@ static int msdos_unlink(struct inode *dir, struct dentry *dentry) |
2187 |
clear_nlink(inode); |
2188 |
inode->i_ctime = CURRENT_TIME_SEC; |
2189 |
fat_detach(inode); |
2190 |
@@ -4086,7 +4084,7 @@ index 3b222da..92c2bfa 100644 |
2191 |
out: |
2192 |
unlock_super(sb); |
2193 |
if (!err) |
2194 |
-@@ -525,6 +529,11 @@ static int do_msdos_rename(struct inode *old_dir, unsigned char *old_name, |
2195 |
+@@ -516,6 +520,11 @@ static int do_msdos_rename(struct inode *old_dir, unsigned char *old_name, |
2196 |
} |
2197 |
new_dir->i_version++; |
2198 |
|
2199 |
@@ -4099,7 +4097,7 @@ index 3b222da..92c2bfa 100644 |
2200 |
fat_attach(old_inode, new_i_pos); |
2201 |
if (is_hid) |
2202 |
diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c |
2203 |
-index 20b4ea5..9775564 100644 |
2204 |
+index bb3f29c..a217b34 100644 |
2205 |
--- a/fs/fat/namei_vfat.c |
2206 |
+++ b/fs/fat/namei_vfat.c |
2207 |
@@ -21,6 +21,7 @@ |
2208 |
@@ -4110,7 +4108,7 @@ index 20b4ea5..9775564 100644 |
2209 |
#include "fat.h" |
2210 |
|
2211 |
/* |
2212 |
-@@ -860,6 +861,10 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) |
2213 |
+@@ -858,6 +859,10 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) |
2214 |
if (err) |
2215 |
goto out; |
2216 |
|
2217 |
@@ -4121,7 +4119,7 @@ index 20b4ea5..9775564 100644 |
2218 |
err = fat_remove_entries(dir, &sinfo); /* and releases bh */ |
2219 |
if (err) |
2220 |
goto out; |
2221 |
-@@ -956,6 +961,11 @@ static int vfat_rename(struct inode *old_dir, struct dentry *old_dentry, |
2222 |
+@@ -954,6 +959,11 @@ static int vfat_rename(struct inode *old_dir, struct dentry *old_dentry, |
2223 |
if (err) |
2224 |
goto out; |
2225 |
} |
2226 |
@@ -4229,7 +4227,7 @@ index 1d9b9fc..9f55d27 100644 |
2227 |
if (error == -ENOIOCTLCMD) |
2228 |
error = -EINVAL; |
2229 |
diff --git a/fs/ioprio.c b/fs/ioprio.c |
2230 |
-index 7da2a06..c255e3d 100644 |
2231 |
+index 7da2a06..c652f8e 100644 |
2232 |
--- a/fs/ioprio.c |
2233 |
+++ b/fs/ioprio.c |
2234 |
@@ -26,6 +26,7 @@ |
2235 |
@@ -4240,14 +4238,16 @@ index 7da2a06..c255e3d 100644 |
2236 |
#include <linux/pid_namespace.h> |
2237 |
|
2238 |
int set_task_ioprio(struct task_struct *task, int ioprio) |
2239 |
-@@ -82,6 +83,25 @@ SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) |
2240 |
+@@ -82,6 +83,26 @@ SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) |
2241 |
struct pid *pgrp; |
2242 |
int ret; |
2243 |
|
2244 |
+#ifdef CONFIG_RSBAC |
2245 |
+ union rsbac_target_id_t rsbac_target_id; |
2246 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
2247 |
++#endif |
2248 |
+ |
2249 |
++#ifdef CONFIG_RSBAC |
2250 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
2251 |
+ rsbac_target_id.scd = ST_priority; |
2252 |
+ rsbac_attribute_value.priority = ioprio; |
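Review bot: The RSBAC decision inserted at the top of ioprio_set is taken on the SCD target `ST_priority` with `A_priority = ioprio` alone, before `class` is validated by the `switch (class)` that follows and before the caller-supplied `which`/`who` are consulted (that resolution lies outside the hunk), so the policy sees neither which task is being re-prioritised nor whether the request is well-formed; a malformed `ioprio` gets an ADF decision rather than the -EINVAL the class switch presumably returns. If this is intended as a coarse "may touch I/O priorities at all" gate, say so where the block sits: `/* RSBAC: coarse gate on the ST_priority SCD only; the target task (which/who) is not part of this decision */`. Otherwise the block belongs after the class validation, next to where the target task is resolved, so the request can carry the target process. The denial branch of this block (`return -EPERM`) continues in the next hunk.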
2253 |
@@ -4257,8 +4257,7 @@ index 7da2a06..c255e3d 100644 |
2254 |
+ T_SCD, |
2255 |
+ rsbac_target_id, |
2256 |
+ A_priority, |
2257 |
-+ rsbac_attribute_value)) |
2258 |
-+ { |
2259 |
++ rsbac_attribute_value)) { |
2260 |
+ return -EPERM; |
2261 |
+ } |
2262 |
+#endif |
2263 |
@@ -4266,14 +4265,16 @@ index 7da2a06..c255e3d 100644 |
2264 |
switch (class) { |
2265 |
case IOPRIO_CLASS_RT: |
2266 |
if (!capable(CAP_SYS_ADMIN)) |
2267 |
-@@ -156,6 +176,25 @@ static int get_task_ioprio(struct task_struct *p) |
2268 |
+@@ -156,6 +177,26 @@ static int get_task_ioprio(struct task_struct *p) |
2269 |
{ |
2270 |
int ret; |
2271 |
|
2272 |
+#ifdef CONFIG_RSBAC |
2273 |
+ union rsbac_target_id_t rsbac_target_id; |
2274 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
2275 |
++#endif |
2276 |
+ |
2277 |
++#ifdef CONFIG_RSBAC |
2278 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
2279 |
+ rsbac_target_id.scd = ST_priority; |
2280 |
+ rsbac_attribute_value.dummy = 0; |
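Review bot: get_task_ioprio is a per-task helper (its parameter is `struct task_struct *p`), so placing the ADF call here means it runs once for every task the ioprio_get paths enumerate, and for the group/user cases, whose callers are outside the hunk, a -EPERM from this helper may be treated as "skip this task" rather than as a failure of the whole syscall — a denial would then silently thin the result instead of being reported. The decision itself uses the `ST_priority` SCD with `A_none` and does not depend on `p` at all, so it could be made once in ioprio_get before any task lookup, removing both the per-task cost (including the `rsbac_pr_debug` per iteration) and the ambiguity. At minimum document the choice on the block: `/* RSBAC: per-task ADF check; callers that iterate a pgrp or user decide whether -EPERM fails the call or skips the task */`. The rest of this block, including its `return -EPERM`, continues in the next hunk.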
2281 |
@@ -4283,8 +4284,7 @@ index 7da2a06..c255e3d 100644 |
2282 |
+ T_SCD, |
2283 |
+ rsbac_target_id, |
2284 |
+ A_none, |
2285 |
-+ rsbac_attribute_value)) |
2286 |
-+ { |
2287 |
++ rsbac_attribute_value)) { |
2288 |
+ return -EPERM; |
2289 |
+ } |
2290 |
+#endif |
2291 |
@@ -4309,7 +4309,7 @@ index 2d71094..608951e 100644 |
2292 |
transaction->t_tid); |
2293 |
|
2294 |
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c |
2295 |
-index eaaf2b5..c79b6be 100644 |
2296 |
+index e17545e..03825fb 100644 |
2297 |
--- a/fs/jfs/namei.c |
2298 |
+++ b/fs/jfs/namei.c |
2299 |
@@ -33,6 +33,8 @@ |
2300 |
@@ -4334,7 +4334,7 @@ index eaaf2b5..c79b6be 100644 |
2301 |
IWRITE_LOCK(ip, RDWRLOCK_NORMAL); |
2302 |
|
2303 |
tid = txBegin(dip->i_sb, 0); |
2304 |
-@@ -1145,6 +1153,10 @@ static int jfs_rename(struct inode *old_dir, struct dentry *old_dentry, |
2305 |
+@@ -1144,6 +1152,10 @@ static int jfs_rename(struct inode *old_dir, struct dentry *old_dentry, |
2306 |
goto out3; |
2307 |
} |
2308 |
} else if (new_ip) { |
2309 |
@@ -4345,23 +4345,8 @@ index eaaf2b5..c79b6be 100644 |
2310 |
IWRITE_LOCK(new_ip, RDWRLOCK_NORMAL); |
2311 |
/* Init inode for quota operations. */ |
2312 |
dquot_initialize(new_ip); |
2313 |
-diff --git a/fs/libfs.c b/fs/libfs.c |
2314 |
-index 275ca474..2e02b31 100644 |
2315 |
---- a/fs/libfs.c |
2316 |
-+++ b/fs/libfs.c |
2317 |
-@@ -16,6 +16,10 @@ |
2318 |
- |
2319 |
- #include <asm/uaccess.h> |
2320 |
- |
2321 |
-+#ifdef CONFIG_RSBAC |
2322 |
-+#include <rsbac/aci.h> |
2323 |
-+#endif |
2324 |
-+ |
2325 |
- static inline int simple_positive(struct dentry *dentry) |
2326 |
- { |
2327 |
- return dentry->d_inode && !d_unhashed(dentry); |
2328 |
diff --git a/fs/locks.c b/fs/locks.c |
2329 |
-index b286539..fd78ad6 100644 |
2330 |
+index 703f545..86106cf 100644 |
2331 |
--- a/fs/locks.c |
2332 |
+++ b/fs/locks.c |
2333 |
@@ -129,6 +129,8 @@ |
2334 |
@@ -4373,7 +4358,7 @@ index b286539..fd78ad6 100644 |
2335 |
#define IS_POSIX(fl) (fl->fl_flags & FL_POSIX) |
2336 |
#define IS_FLOCK(fl) (fl->fl_flags & FL_FLOCK) |
2337 |
#define IS_LEASE(fl) (fl->fl_flags & FL_LEASE) |
2338 |
-@@ -1608,6 +1610,12 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd) |
2339 |
+@@ -1587,6 +1589,12 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd) |
2340 |
int can_sleep, unlock; |
2341 |
int error; |
2342 |
|
2343 |
@@ -4386,7 +4371,7 @@ index b286539..fd78ad6 100644 |
2344 |
error = -EBADF; |
2345 |
filp = fget(fd); |
2346 |
if (!filp) |
2347 |
-@@ -1621,6 +1629,39 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd) |
2348 |
+@@ -1600,6 +1608,39 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd) |
2349 |
!(filp->f_mode & (FMODE_READ|FMODE_WRITE))) |
2350 |
goto out_putf; |
2351 |
|
2352 |
@@ -4426,7 +4411,7 @@ index b286539..fd78ad6 100644 |
2353 |
error = flock_make_lock(filp, &lock, cmd); |
2354 |
if (error) |
2355 |
goto out_putf; |
2356 |
-@@ -1706,6 +1747,12 @@ int fcntl_getlk(struct file *filp, struct flock __user *l) |
2357 |
+@@ -1685,6 +1726,12 @@ int fcntl_getlk(struct file *filp, struct flock __user *l) |
2358 |
struct flock flock; |
2359 |
int error; |
2360 |
|
2361 |
@@ -4439,7 +4424,7 @@ index b286539..fd78ad6 100644 |
2362 |
error = -EFAULT; |
2363 |
if (copy_from_user(&flock, l, sizeof(flock))) |
2364 |
goto out; |
2365 |
-@@ -1717,6 +1764,33 @@ int fcntl_getlk(struct file *filp, struct flock __user *l) |
2366 |
+@@ -1696,6 +1743,33 @@ int fcntl_getlk(struct file *filp, struct flock __user *l) |
2367 |
if (error) |
2368 |
goto out; |
2369 |
|
2370 |
@@ -4473,7 +4458,7 @@ index b286539..fd78ad6 100644 |
2371 |
error = vfs_test_lock(filp, &file_lock); |
2372 |
if (error) |
2373 |
goto out; |
2374 |
-@@ -1812,6 +1886,12 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, |
2375 |
+@@ -1791,6 +1865,12 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, |
2376 |
struct file *f; |
2377 |
int error; |
2378 |
|
2379 |
@@ -4486,7 +4471,7 @@ index b286539..fd78ad6 100644 |
2380 |
if (file_lock == NULL) |
2381 |
return -ENOLCK; |
2382 |
|
2383 |
-@@ -1840,6 +1920,39 @@ again: |
2384 |
+@@ -1819,6 +1899,39 @@ again: |
2385 |
file_lock->fl_flags |= FL_SLEEP; |
2386 |
} |
2387 |
|
2388 |
@@ -4526,7 +4511,7 @@ index b286539..fd78ad6 100644 |
2389 |
error = -EBADF; |
2390 |
switch (flock.l_type) { |
2391 |
case F_RDLCK: |
2392 |
-@@ -1891,6 +2004,12 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l) |
2393 |
+@@ -1870,6 +1983,12 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l) |
2394 |
struct flock64 flock; |
2395 |
int error; |
2396 |
|
2397 |
@@ -4539,7 +4524,7 @@ index b286539..fd78ad6 100644 |
2398 |
error = -EFAULT; |
2399 |
if (copy_from_user(&flock, l, sizeof(flock))) |
2400 |
goto out; |
2401 |
-@@ -1902,6 +2021,33 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l) |
2402 |
+@@ -1881,6 +2000,33 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l) |
2403 |
if (error) |
2404 |
goto out; |
2405 |
|
2406 |
@@ -4573,7 +4558,7 @@ index b286539..fd78ad6 100644 |
2407 |
error = vfs_test_lock(filp, &file_lock); |
2408 |
if (error) |
2409 |
goto out; |
2410 |
-@@ -1930,6 +2076,12 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, |
2411 |
+@@ -1909,6 +2055,12 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, |
2412 |
struct file *f; |
2413 |
int error; |
2414 |
|
2415 |
@@ -4586,7 +4571,7 @@ index b286539..fd78ad6 100644 |
2416 |
if (file_lock == NULL) |
2417 |
return -ENOLCK; |
2418 |
|
2419 |
-@@ -1975,6 +2127,39 @@ again: |
2420 |
+@@ -1954,6 +2106,39 @@ again: |
2421 |
goto out; |
2422 |
} |
2423 |
|
2424 |
@@ -4665,18 +4650,18 @@ index 6e6777f..99a755f 100644 |
2425 |
new_inode->i_ctime = CURRENT_TIME_SEC; |
2426 |
if (dir_de) |
2427 |
diff --git a/fs/namei.c b/fs/namei.c |
2428 |
-index b456c7a..3a0dc19 100644 |
2429 |
+index 3d15072..fd0652f 100644 |
2430 |
--- a/fs/namei.c |
2431 |
+++ b/fs/namei.c |
2432 |
-@@ -33,6 +33,7 @@ |
2433 |
- #include <linux/device_cgroup.h> |
2434 |
+@@ -34,6 +34,7 @@ |
2435 |
#include <linux/fs_struct.h> |
2436 |
+ #include <linux/posix_acl.h> |
2437 |
#include <asm/uaccess.h> |
2438 |
+#include <rsbac/hooks.h> |
2439 |
|
2440 |
#include "internal.h" |
2441 |
|
2442 |
-@@ -270,6 +271,11 @@ int inode_permission(struct inode *inode, int mask) |
2443 |
+@@ -344,6 +345,11 @@ int inode_permission(struct inode *inode, int mask) |
2444 |
{ |
2445 |
int retval; |
2446 |
|
2447 |
@@ -4685,10 +4670,10 @@ index b456c7a..3a0dc19 100644 |
2448 |
+ return 0; |
2449 |
+#endif |
2450 |
+ |
2451 |
- if (mask & MAY_WRITE) { |
2452 |
+ if (unlikely(mask & MAY_WRITE)) { |
2453 |
umode_t mode = inode->i_mode; |
2454 |
|
2455 |
-@@ -680,6 +686,11 @@ follow_link(struct path *link, struct nameidata *nd, void **p) |
2456 |
+@@ -630,6 +636,11 @@ follow_link(struct path *link, struct nameidata *nd, void **p) |
2457 |
int error; |
2458 |
struct dentry *dentry = link->dentry; |
2459 |
|
2460 |
@@ -4700,7 +4685,7 @@ index b456c7a..3a0dc19 100644 |
2461 |
BUG_ON(nd->flags & LOOKUP_RCU); |
2462 |
|
2463 |
if (link->mnt == nd->path.mnt) |
2464 |
-@@ -703,14 +714,49 @@ follow_link(struct path *link, struct nameidata *nd, void **p) |
2465 |
+@@ -653,14 +664,49 @@ follow_link(struct path *link, struct nameidata *nd, void **p) |
2466 |
return error; |
2467 |
} |
2468 |
|
2469 |
@@ -4751,9 +4736,9 @@ index b456c7a..3a0dc19 100644 |
2470 |
else if (nd->last_type == LAST_BIND) { |
2471 |
nd->flags |= LOOKUP_JUMPED; |
2472 |
nd->inode = nd->path.dentry->d_inode; |
2473 |
-@@ -1356,6 +1402,11 @@ static int link_path_walk(const char *name, struct nameidata *nd) |
2474 |
+@@ -1384,6 +1430,11 @@ static int link_path_walk(const char *name, struct nameidata *nd) |
2475 |
+ struct path next; |
2476 |
int err; |
2477 |
- unsigned int lookup_flags = nd->flags; |
2478 |
|
2479 |
+#ifdef CONFIG_RSBAC |
2480 |
+ union rsbac_target_id_t rsbac_target_id; |
2481 |
@@ -4763,8 +4748,8 @@ index b456c7a..3a0dc19 100644 |
2482 |
while (*name=='/') |
2483 |
name++; |
2484 |
if (!*name) |
2485 |
-@@ -1371,9 +1422,35 @@ static int link_path_walk(const char *name, struct nameidata *nd) |
2486 |
- nd->flags |= LOOKUP_CONTINUE; |
2487 |
+@@ -1397,9 +1448,35 @@ static int link_path_walk(const char *name, struct nameidata *nd) |
2488 |
+ int type; |
2489 |
|
2490 |
err = may_lookup(nd); |
2491 |
+#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART |
2492 |
@@ -4799,7 +4784,7 @@ index b456c7a..3a0dc19 100644 |
2493 |
this.name = name; |
2494 |
c = *(const unsigned char *)name; |
2495 |
|
2496 |
-@@ -1438,6 +1515,24 @@ last_component: |
2497 |
+@@ -1462,6 +1539,24 @@ last_component: |
2498 |
return 0; |
2499 |
} |
2500 |
terminate_walk(nd); |
2501 |
@@ -4824,7 +4809,7 @@ index b456c7a..3a0dc19 100644 |
2502 |
return err; |
2503 |
} |
2504 |
|
2505 |
-@@ -1672,10 +1767,38 @@ static struct dentry *__lookup_hash(struct qstr *name, |
2506 |
+@@ -1702,10 +1797,38 @@ static struct dentry *__lookup_hash(struct qstr *name, |
2507 |
struct dentry *dentry; |
2508 |
int err; |
2509 |
|
2510 |
@@ -4839,7 +4824,7 @@ index b456c7a..3a0dc19 100644 |
2511 |
+ else |
2512 |
+#endif |
2513 |
+ |
2514 |
- err = exec_permission(inode, 0); |
2515 |
+ err = inode_permission(inode, MAY_EXEC); |
2516 |
if (err) |
2517 |
return ERR_PTR(err); |
2518 |
|
2519 |
@@ -4863,7 +4848,7 @@ index b456c7a..3a0dc19 100644 |
2520 |
/* |
2521 |
* Don't bother with __d_lookup: callers are for creat as |
2522 |
* well as unlink, so a lot of the time it would cost |
2523 |
-@@ -1747,6 +1870,71 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) |
2524 |
+@@ -1803,6 +1926,97 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) |
2525 |
return __lookup_hash(&this, base, NULL); |
2526 |
} |
2527 |
|
2528 |
@@ -4886,8 +4871,34 @@ index b456c7a..3a0dc19 100644 |
2529 |
+ */ |
2530 |
+ dentry = d_lookup(base, name); |
2531 |
+ |
2532 |
-+ if (dentry && (dentry->d_flags & DCACHE_OP_REVALIDATE)) |
2533 |
-+ dentry = do_revalidate(dentry, nd); |
2534 |
++ if (dentry && d_need_lookup(dentry)) { |
2535 |
++ /* |
2536 |
++ * __lookup_hash is called with the parent dir's i_mutex already |
2537 |
++ * held, so we are good to go here. |
2538 |
++ */ |
2539 |
++ dentry = d_inode_lookup(base, dentry, nd); |
2540 |
++ if (IS_ERR(dentry)) |
2541 |
++ return dentry; |
2542 |
++ } |
2543 |
++ |
2544 |
++ if (dentry && (dentry->d_flags & DCACHE_OP_REVALIDATE)) { |
2545 |
++ int status = d_revalidate(dentry, nd); |
2546 |
++ if (unlikely(status <= 0)) { |
2547 |
++ /* |
2548 |
++ * The dentry failed validation. |
2549 |
++ * If d_revalidate returned 0 attempt to invalidate |
2550 |
++ * the dentry otherwise d_revalidate is asking us |
2551 |
++ * to return a fail status. |
2552 |
++ */ |
2553 |
++ if (status < 0) { |
2554 |
++ dput(dentry); |
2555 |
++ return ERR_PTR(status); |
2556 |
++ } else if (!d_invalidate(dentry)) { |
2557 |
++ dput(dentry); |
2558 |
++ dentry = NULL; |
2559 |
++ } |
2560 |
++ } |
2561 |
++ } |
2562 |
+ |
2563 |
+ if (!dentry) |
2564 |
+ dentry = d_alloc_and_lookup(base, name, nd); |
2565 |
@@ -4932,10 +4943,10 @@ index b456c7a..3a0dc19 100644 |
2566 |
+EXPORT_SYMBOL(rsbac_lookup_one_len); |
2567 |
+#endif |
2568 |
+ |
2569 |
- int user_path_at(int dfd, const char __user *name, unsigned flags, |
2570 |
- struct path *path) |
2571 |
+ int user_path_at_empty(int dfd, const char __user *name, unsigned flags, |
2572 |
+ struct path *path, int *empty) |
2573 |
{ |
2574 |
-@@ -1833,6 +2021,11 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir) |
2575 |
+@@ -1895,6 +2109,11 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir) |
2576 |
BUG_ON(victim->d_parent->d_inode != dir); |
2577 |
audit_inode_child(victim, dir); |
2578 |
|
2579 |
@@ -4947,7 +4958,7 @@ index b456c7a..3a0dc19 100644 |
2580 |
error = inode_permission(dir, MAY_WRITE | MAY_EXEC); |
2581 |
if (error) |
2582 |
return error; |
2583 |
-@@ -1869,6 +2062,12 @@ static inline int may_create(struct inode *dir, struct dentry *child) |
2584 |
+@@ -1931,6 +2150,12 @@ static inline int may_create(struct inode *dir, struct dentry *child) |
2585 |
return -EEXIST; |
2586 |
if (IS_DEADDIR(dir)) |
2587 |
return -ENOENT; |
2588 |
@@ -4960,7 +4971,7 @@ index b456c7a..3a0dc19 100644 |
2589 |
return inode_permission(dir, MAY_WRITE | MAY_EXEC); |
2590 |
} |
2591 |
|
2592 |
-@@ -1919,6 +2118,14 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode, |
2593 |
+@@ -1981,6 +2206,14 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode, |
2594 |
{ |
2595 |
int error = may_create(dir, dentry); |
2596 |
|
2597 |
@@ -4975,7 +4986,7 @@ index b456c7a..3a0dc19 100644 |
2598 |
if (error) |
2599 |
return error; |
2600 |
|
2601 |
-@@ -1929,9 +2136,52 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode, |
2602 |
+@@ -1991,9 +2224,52 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode, |
2603 |
error = security_inode_create(dir, dentry, mode); |
2604 |
if (error) |
2605 |
return error; |
2606 |
@@ -5029,7 +5040,7 @@ index b456c7a..3a0dc19 100644 |
2607 |
return error; |
2608 |
} |
2609 |
|
2610 |
-@@ -1966,6 +2216,12 @@ static int may_open(struct path *path, int acc_mode, int flag) |
2611 |
+@@ -2028,6 +2304,12 @@ static int may_open(struct path *path, int acc_mode, int flag) |
2612 |
break; |
2613 |
} |
2614 |
|
2615 |
@@ -5042,7 +5053,7 @@ index b456c7a..3a0dc19 100644 |
2616 |
error = inode_permission(inode, acc_mode); |
2617 |
if (error) |
2618 |
return error; |
2619 |
-@@ -2051,6 +2307,14 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
2620 |
+@@ -2096,6 +2378,14 @@ static struct file *do_last(struct nameidata *nd, struct path *path, |
2621 |
struct file *filp; |
2622 |
int error; |
2623 |
|
2624 |
@@ -5057,7 +5068,7 @@ index b456c7a..3a0dc19 100644 |
2625 |
nd->flags &= ~LOOKUP_PARENT; |
2626 |
nd->flags |= op->intent; |
2627 |
|
2628 |
-@@ -2198,6 +2462,70 @@ ok: |
2629 |
+@@ -2254,6 +2544,68 @@ ok: |
2630 |
want_write = 1; |
2631 |
} |
2632 |
common: |
2633 |
@@ -5099,18 +5110,16 @@ index b456c7a..3a0dc19 100644 |
2634 |
+ if (open_flag & O_APPEND) |
2635 |
+ rsbac_adf_req = R_APPEND_OPEN; |
2636 |
+ else |
2637 |
-+ if ((open_flag & FMODE_WRITE) && (open_flag & FMODE_READ)) |
2638 |
++ if ((open_flag & O_RDWR) || ((open_flag & O_WRONLY) && (open_flag & O_RDONLY))) |
2639 |
+ rsbac_adf_req = R_READ_WRITE_OPEN; |
2640 |
+ else |
2641 |
-+ if (open_flag & FMODE_WRITE) |
2642 |
++ if (open_flag & O_WRONLY) |
2643 |
+ rsbac_adf_req = R_WRITE_OPEN; |
2644 |
+ else |
2645 |
-+ if (open_flag & FMODE_READ) { |
2646 |
-+ if (rsbac_target == T_DIR) |
2647 |
-+ rsbac_adf_req = R_READ; |
2648 |
-+ else |
2649 |
-+ rsbac_adf_req = R_READ_OPEN; |
2650 |
-+ } |
2651 |
++ if (rsbac_target == T_DIR) |
2652 |
++ rsbac_adf_req = R_READ; |
2653 |
++ else |
2654 |
++ rsbac_adf_req = R_READ_OPEN; |
2655 |
+ if ((rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) { |
2656 |
+ rsbac_attribute_value.open_flag = open_flag; |
2657 |
+ if (!rsbac_adf_request(rsbac_adf_req, |
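Review bot: In the rewritten access-mode mapping the term `(open_flag & O_RDONLY)` on the new R_READ_WRITE_OPEN line is dead code: O_RDONLY is 0 on Linux, so that disjunct can never hold and the whole condition silently reduces to `open_flag & O_RDWR`. Because O_RDONLY/O_WRONLY/O_RDWR are an enumeration living in the O_ACCMODE bits rather than independent flag bits, the mapping is clearer and does not rely on bit coincidences if written as a switch on `open_flag & O_ACCMODE` (case O_RDWR → R_READ_WRITE_OPEN, case O_WRONLY → R_WRITE_OPEN, default → the existing T_DIR/R_READ versus R_READ_OPEN choice), keeping the O_APPEND test above it first. For valid access modes this is a readability cleanup rather than a change in which request is issued. The enclosing do_last() body starts and ends outside this hunk.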
2658 |
@@ -5128,13 +5137,13 @@ index b456c7a..3a0dc19 100644 |
2659 |
error = may_open(&nd->path, acc_mode, open_flag); |
2660 |
if (error) |
2661 |
goto exit; |
2662 |
-@@ -2221,6 +2549,24 @@ common: |
2663 |
+@@ -2277,6 +2629,24 @@ common: |
2664 |
out: |
2665 |
if (want_write) |
2666 |
mnt_drop_write(nd->path.mnt); |
2667 |
+ |
2668 |
+#ifdef CONFIG_RSBAC |
2669 |
-+ if ((rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) { |
2670 |
++ if (!PTR_ERR(filp) && (rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) { |
2671 |
+ rsbac_new_target_id.dummy = 0; |
2672 |
+ if (rsbac_adf_set_attr(rsbac_adf_req, |
2673 |
+ task_pid(current), |
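Review bot: The new guard `if (!PTR_ERR(filp) && (rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE))` in the added `out:` block is never true for a successfully opened file, because PTR_ERR() only casts the pointer to long and is zero solely for a NULL filp; if, as in the 3.1 do_last(), filp is always either a valid struct file pointer or an ERR_PTR at this point, the rsbac_adf_set_attr() call is skipped on every path and the post-open attribute update is lost without any error. The intended test is `if (!IS_ERR(filp) && (rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) {`. The body of do_last() starts and ends outside this hunk, so the possible values of filp at `out:` are inferred rather than visible here.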
2674 |
@@ -5153,7 +5162,7 @@ index b456c7a..3a0dc19 100644 |
2675 |
path_put(&nd->path); |
2676 |
return filp; |
2677 |
|
2678 |
-@@ -2240,6 +2586,10 @@ static struct file *path_openat(int dfd, const char *pathname, |
2679 |
+@@ -2296,6 +2666,10 @@ static struct file *path_openat(int dfd, const char *pathname, |
2680 |
struct file *filp; |
2681 |
struct path path; |
2682 |
int error; |
2683 |
@@ -5164,7 +5173,7 @@ index b456c7a..3a0dc19 100644 |
2684 |
|
2685 |
filp = get_empty_filp(); |
2686 |
if (!filp) |
2687 |
-@@ -2268,6 +2618,25 @@ static struct file *path_openat(int dfd, const char *pathname, |
2688 |
+@@ -2324,6 +2698,25 @@ static struct file *path_openat(int dfd, const char *pathname, |
2689 |
path_put(&nd->path); |
2690 |
filp = ERR_PTR(-ELOOP); |
2691 |
break; |
2692 |
@@ -5190,7 +5199,7 @@ index b456c7a..3a0dc19 100644 |
2693 |
} |
2694 |
nd->flags |= LOOKUP_PARENT; |
2695 |
nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL); |
2696 |
-@@ -2384,6 +2753,13 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
2697 |
+@@ -2451,6 +2844,13 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
2698 |
{ |
2699 |
int error = may_create(dir, dentry); |
2700 |
|
2701 |
@@ -5204,7 +5213,7 @@ index b456c7a..3a0dc19 100644 |
2702 |
if (error) |
2703 |
return error; |
2704 |
|
2705 |
-@@ -2402,9 +2778,57 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
2706 |
+@@ -2469,9 +2869,57 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
2707 |
if (error) |
2708 |
return error; |
2709 |
|
2710 |
@@ -5263,7 +5272,7 @@ index b456c7a..3a0dc19 100644 |
2711 |
return error; |
2712 |
} |
2713 |
|
2714 |
-@@ -2489,6 +2913,12 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) |
2715 |
+@@ -2548,6 +2996,12 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) |
2716 |
{ |
2717 |
int error = may_create(dir, dentry); |
2718 |
|
2719 |
@@ -5276,7 +5285,7 @@ index b456c7a..3a0dc19 100644 |
2720 |
if (error) |
2721 |
return error; |
2722 |
|
2723 |
-@@ -2500,9 +2930,48 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) |
2724 |
+@@ -2559,9 +3013,48 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) |
2725 |
if (error) |
2726 |
return error; |
2727 |
|
2728 |
@@ -5326,7 +5335,7 @@ index b456c7a..3a0dc19 100644 |
2729 |
return error; |
2730 |
} |
2731 |
|
2732 |
-@@ -2576,6 +3045,12 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry) |
2733 |
+@@ -2626,6 +3119,12 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry) |
2734 |
{ |
2735 |
int error = may_delete(dir, dentry, 1); |
2736 |
|
2737 |
@@ -5339,7 +5348,7 @@ index b456c7a..3a0dc19 100644 |
2738 |
if (error) |
2739 |
return error; |
2740 |
|
2741 |
-@@ -2583,6 +3058,24 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry) |
2742 |
+@@ -2633,6 +3132,24 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry) |
2743 |
return -EPERM; |
2744 |
|
2745 |
dget(dentry); |
2746 |
@@ -5364,7 +5373,7 @@ index b456c7a..3a0dc19 100644 |
2747 |
mutex_lock(&dentry->d_inode->i_mutex); |
2748 |
|
2749 |
error = -EBUSY; |
2750 |
-@@ -2606,6 +3099,24 @@ out: |
2751 |
+@@ -2656,6 +3173,24 @@ out: |
2752 |
dput(dentry); |
2753 |
if (!error) |
2754 |
d_delete(dentry); |
2755 |
@@ -5389,7 +5398,7 @@ index b456c7a..3a0dc19 100644 |
2756 |
return error; |
2757 |
} |
2758 |
|
2759 |
-@@ -2671,6 +3182,13 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry) |
2760 |
+@@ -2721,6 +3256,13 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry) |
2761 |
{ |
2762 |
int error = may_delete(dir, dentry, 0); |
2763 |
|
2764 |
@@ -5403,7 +5412,7 @@ index b456c7a..3a0dc19 100644 |
2765 |
if (error) |
2766 |
return error; |
2767 |
|
2768 |
-@@ -2683,9 +3201,58 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry) |
2769 |
+@@ -2733,9 +3275,58 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry) |
2770 |
else { |
2771 |
error = security_inode_unlink(dir, dentry); |
2772 |
if (!error) { |
2773 |
@@ -5462,7 +5471,7 @@ index b456c7a..3a0dc19 100644 |
2774 |
} |
2775 |
} |
2776 |
mutex_unlock(&dentry->d_inode->i_mutex); |
2777 |
-@@ -2780,6 +3347,12 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) |
2778 |
+@@ -2830,6 +3421,12 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) |
2779 |
{ |
2780 |
int error = may_create(dir, dentry); |
2781 |
|
2782 |
@@ -5475,7 +5484,7 @@ index b456c7a..3a0dc19 100644 |
2783 |
if (error) |
2784 |
return error; |
2785 |
|
2786 |
-@@ -2790,9 +3363,48 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) |
2787 |
+@@ -2840,9 +3437,48 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname) |
2788 |
if (error) |
2789 |
return error; |
2790 |
|
2791 |
@@ -5525,7 +5534,7 @@ index b456c7a..3a0dc19 100644 |
2792 |
return error; |
2793 |
} |
2794 |
|
2795 |
-@@ -2848,6 +3460,12 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de |
2796 |
+@@ -2891,6 +3527,12 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de |
2797 |
struct inode *inode = old_dentry->d_inode; |
2798 |
int error; |
2799 |
|
2800 |
@@ -5538,7 +5547,7 @@ index b456c7a..3a0dc19 100644 |
2801 |
if (!inode) |
2802 |
return -ENOENT; |
2803 |
|
2804 |
-@@ -2872,6 +3490,32 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de |
2805 |
+@@ -2915,6 +3557,32 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de |
2806 |
if (error) |
2807 |
return error; |
2808 |
|
2809 |
@@ -5571,7 +5580,7 @@ index b456c7a..3a0dc19 100644 |
2810 |
mutex_lock(&inode->i_mutex); |
2811 |
/* Make sure we don't allow creating hardlink to an unlinked file */ |
2812 |
if (inode->i_nlink == 0) |
2813 |
-@@ -2993,11 +3637,27 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, |
2814 |
+@@ -3029,11 +3697,27 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, |
2815 |
int error = 0; |
2816 |
struct inode *target = new_dentry->d_inode; |
2817 |
|
2818 |
@@ -5599,7 +5608,7 @@ index b456c7a..3a0dc19 100644 |
2819 |
error = inode_permission(old_dentry->d_inode, MAY_WRITE); |
2820 |
if (error) |
2821 |
return error; |
2822 |
-@@ -3007,6 +3667,74 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, |
2823 |
+@@ -3043,6 +3727,74 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry, |
2824 |
if (error) |
2825 |
return error; |
2826 |
|
2827 |
@@ -5674,7 +5683,7 @@ index b456c7a..3a0dc19 100644 |
2828 |
dget(new_dentry); |
2829 |
if (target) |
2830 |
mutex_lock(&target->i_mutex); |
2831 |
-@@ -3029,23 +3757,134 @@ out: |
2832 |
+@@ -3065,23 +3817,135 @@ out: |
2833 |
if (target) |
2834 |
mutex_unlock(&target->i_mutex); |
2835 |
dput(new_dentry); |
2836 |
@@ -5738,6 +5747,8 @@ index b456c7a..3a0dc19 100644 |
2837 |
if (error) |
2838 |
return error; |
2839 |
|
2840 |
+ dget(new_dentry); |
2841 |
++ |
2842 |
+#ifdef CONFIG_RSBAC |
2843 |
+ rsbac_pr_debug(aef, "[sys_rename()]: calling ADF\n"); |
2844 |
+ rsbac_target = T_FILE; |
2845 |
@@ -5758,8 +5769,8 @@ index b456c7a..3a0dc19 100644 |
2846 |
+ rsbac_target, |
2847 |
+ rsbac_target_id, |
2848 |
+ A_new_dir_dentry_p, |
2849 |
-+ rsbac_attribute_value)) |
2850 |
-+ { |
2851 |
++ rsbac_attribute_value)) { |
2852 |
++ dput(new_dentry); |
2853 |
+ return -EPERM; |
2854 |
+ } |
2855 |
+ if (new_dir != old_dir) { |
2856 |
@@ -5774,6 +5785,7 @@ index b456c7a..3a0dc19 100644 |
2857 |
+ rsbac_target_id2, |
2858 |
+ A_none, |
2859 |
+ rsbac_attribute_value2)) { |
2860 |
++ dput(new_dentry); |
2861 |
+ return -EPERM; |
2862 |
+ } |
2863 |
+ } |
2864 |
@@ -5798,20 +5810,18 @@ index b456c7a..3a0dc19 100644 |
2865 |
+ rsbac_target2, |
2866 |
+ rsbac_target_id2, |
2867 |
+ A_nlink, |
2868 |
-+ rsbac_attribute_value2)) |
2869 |
-+ { |
2870 |
++ rsbac_attribute_value2)) { |
2871 |
++ dput(new_dentry); |
2872 |
+ return -EPERM; |
2873 |
+ } |
2874 |
+ } |
2875 |
+#endif |
2876 |
+ |
2877 |
- dget(new_dentry); |
2878 |
-+ |
2879 |
+ target = new_dentry->d_inode; |
2880 |
if (target) |
2881 |
mutex_lock(&target->i_mutex); |
2882 |
|
2883 |
-@@ -3061,6 +3900,35 @@ static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry, |
2884 |
+@@ -3097,6 +3961,35 @@ static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry, |
2885 |
dont_mount(new_dentry); |
2886 |
if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE)) |
2887 |
d_move(old_dentry, new_dentry); |
2888 |
@@ -5847,7 +5857,7 @@ index b456c7a..3a0dc19 100644 |
2889 |
out: |
2890 |
if (target) |
2891 |
mutex_unlock(&target->i_mutex); |
2892 |
-@@ -3208,6 +4076,9 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
2893 |
+@@ -3244,6 +4137,9 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna |
2894 |
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link) |
2895 |
{ |
2896 |
int len; |
2897 |
@@ -5857,7 +5867,7 @@ index b456c7a..3a0dc19 100644 |
2898 |
|
2899 |
len = PTR_ERR(link); |
2900 |
if (IS_ERR(link)) |
2901 |
-@@ -3216,8 +4087,20 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
2902 |
+@@ -3252,6 +4148,17 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c |
2903 |
len = strlen(link); |
2904 |
if (len > (unsigned) buflen) |
2905 |
len = buflen; |
2906 |
@@ -5874,12 +5884,9 @@ index b456c7a..3a0dc19 100644 |
2907 |
+#endif |
2908 |
if (copy_to_user(buffer, link, len)) |
2909 |
len = -EFAULT; |
2910 |
-+ |
2911 |
out: |
2912 |
- return len; |
2913 |
- } |
2914 |
diff --git a/fs/namespace.c b/fs/namespace.c |
2915 |
-index fe59bd1..497c7be 100644 |
2916 |
+index e5e1c7d..1b35322 100644 |
2917 |
--- a/fs/namespace.c |
2918 |
+++ b/fs/namespace.c |
2919 |
@@ -33,6 +33,7 @@ |
2920 |
@@ -5945,7 +5952,7 @@ index fe59bd1..497c7be 100644 |
2921 |
return mnt; |
2922 |
} |
2923 |
EXPORT_SYMBOL_GPL(vfs_kern_mount); |
2924 |
-@@ -1266,6 +1294,11 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2925 |
+@@ -1267,6 +1295,11 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2926 |
int retval; |
2927 |
LIST_HEAD(umount_list); |
2928 |
|
2929 |
@@ -5957,7 +5964,7 @@ index fe59bd1..497c7be 100644 |
2930 |
retval = security_sb_umount(mnt, flags); |
2931 |
if (retval) |
2932 |
return retval; |
2933 |
-@@ -1296,6 +1329,46 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2934 |
+@@ -1297,6 +1330,46 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2935 |
return -EAGAIN; |
2936 |
} |
2937 |
|
2938 |
@@ -6004,7 +6011,7 @@ index fe59bd1..497c7be 100644 |
2939 |
/* |
2940 |
* If we may have to abort operations to get out of this |
2941 |
* mount, and they will themselves hold resources we must |
2942 |
-@@ -1345,6 +1418,17 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2943 |
+@@ -1346,6 +1419,17 @@ static int do_umount(struct vfsmount *mnt, int flags) |
2944 |
retval = 0; |
2945 |
} |
2946 |
br_write_unlock(vfsmount_lock); |
2947 |
@@ -6022,7 +6029,7 @@ index fe59bd1..497c7be 100644 |
2948 |
up_write(&namespace_sem); |
2949 |
release_mounts(&umount_list); |
2950 |
return retval; |
2951 |
-@@ -1753,6 +1837,13 @@ static int do_loopback(struct path *path, char *old_name, |
2952 |
+@@ -1754,6 +1838,13 @@ static int do_loopback(struct path *path, char *old_name, |
2953 |
struct path old_path; |
2954 |
struct vfsmount *mnt = NULL; |
2955 |
int err = mount_is_safe(path); |
2956 |
@@ -6036,21 +6043,15 @@ index fe59bd1..497c7be 100644 |
2957 |
if (err) |
2958 |
return err; |
2959 |
if (!old_name || !*old_name) |
2960 |
-@@ -1765,6 +1856,88 @@ static int do_loopback(struct path *path, char *old_name, |
2961 |
+@@ -1766,6 +1857,57 @@ static int do_loopback(struct path *path, char *old_name, |
2962 |
if (err) |
2963 |
goto out; |
2964 |
|
2965 |
+#ifdef CONFIG_RSBAC |
2966 |
+ rsbac_pr_debug(aef, "[do_loopback() [sys_mount()]]: calling ADF for DIR\n"); |
2967 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
2968 |
+ rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev; |
2969 |
+ rsbac_target_id.dir.inode = old_path.dentry->d_inode->i_ino; |
2970 |
+ rsbac_target_id.dir.dentry_p = old_path.dentry; |
2971 |
-+#else |
2972 |
-+ rsbac_target_id.dir.device = nd->path.dentry->d_sb->s_dev; |
2973 |
-+ rsbac_target_id.dir.inode = nd->path.dentry->d_inode->i_ino; |
2974 |
-+ rsbac_target_id.dir.dentry_p = nd->path.dentry; |
2975 |
-+#endif |
2976 |
+ rsbac_attribute_value.mode = recurse; |
2977 |
+ if (!rsbac_adf_request(R_MOUNT, |
2978 |
+ task_pid(current), |
2979 |
@@ -6063,52 +6064,27 @@ index fe59bd1..497c7be 100644 |
2980 |
+ goto out2; |
2981 |
+ } |
2982 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DEV\n"); |
2983 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
2984 |
+ if(S_ISBLK(old_path.dentry->d_inode->i_mode)) |
2985 |
-+#else |
2986 |
-+ if(S_ISBLK(old_nd.path.dentry->d_inode->i_mode)) |
2987 |
-+#endif |
2988 |
+ { |
2989 |
+ rsbac_target = T_DEV; |
2990 |
+ rsbac_target_id.dev.type = D_block; |
2991 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
2992 |
+ rsbac_target_id.dev.major = RSBAC_MAJOR(old_path.dentry->d_sb->s_dev); |
2993 |
+ rsbac_target_id.dev.minor = RSBAC_MINOR(old_path.dentry->d_sb->s_dev); |
2994 |
-+#else |
2995 |
-+ rsbac_target_id.dev.major = RSBAC_MAJOR(old_nd.path.dentry->d_sb->s_dev); |
2996 |
-+ rsbac_target_id.dev.minor = RSBAC_MINOR(old_nd.path.dentry->d_sb->s_dev); |
2997 |
-+#endif |
2998 |
+ } |
2999 |
+ else |
3000 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3001 |
+ if(S_ISDIR(old_path.dentry->d_inode->i_mode)) |
3002 |
-+#else |
3003 |
-+ if(S_ISDIR(old_nd.path.dentry->d_inode->i_mode)) |
3004 |
-+#endif |
3005 |
+ { |
3006 |
+ rsbac_target = T_DIR; |
3007 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3008 |
+ rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev; |
3009 |
+ rsbac_target_id.dir.inode = old_path.dentry->d_inode->i_ino; |
3010 |
+ rsbac_target_id.dir.dentry_p = old_path.dentry; |
3011 |
-+#else |
3012 |
-+ rsbac_target_id.dir.device = old_nd.path.dentry->d_sb->s_dev; |
3013 |
-+ rsbac_target_id.dir.inode = old_nd.path.dentry->d_inode->i_ino; |
3014 |
-+ rsbac_target_id.dir.dentry_p = old_nd.path.dentry; |
3015 |
-+#endif |
3016 |
+ } |
3017 |
+ else |
3018 |
+ { |
3019 |
+ rsbac_target = T_FILE; |
3020 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3021 |
+ rsbac_target_id.file.device = old_path.dentry->d_sb->s_dev; |
3022 |
+ rsbac_target_id.file.inode = old_path.dentry->d_inode->i_ino; |
3023 |
+ rsbac_target_id.file.dentry_p = old_path.dentry; |
3024 |
-+#else |
3025 |
-+ rsbac_target_id.file.device = old_nd.path.dentry->d_sb->s_dev; |
3026 |
-+ rsbac_target_id.file.inode = old_nd.path.dentry->d_inode->i_ino; |
3027 |
-+ rsbac_target_id.file.dentry_p = old_nd.path.dentry; |
3028 |
-+#endif |
3029 |
+ } |
3030 |
+ if (!rsbac_adf_request(R_MOUNT, |
3031 |
+ task_pid(current), |
3032 |
@@ -6125,7 +6101,7 @@ index fe59bd1..497c7be 100644 |
3033 |
err = -EINVAL; |
3034 |
if (IS_MNT_UNBINDABLE(old_path.mnt)) |
3035 |
goto out2; |
3036 |
-@@ -1792,6 +1965,12 @@ out2: |
3037 |
+@@ -1793,6 +1935,12 @@ out2: |
3038 |
release_mounts(&umount_list); |
3039 |
out: |
3040 |
path_put(&old_path); |
3041 |
@@ -6138,7 +6114,7 @@ index fe59bd1..497c7be 100644 |
3042 |
return err; |
3043 |
} |
3044 |
|
3045 |
-@@ -1823,6 +2002,11 @@ static int do_remount(struct path *path, int flags, int mnt_flags, |
3046 |
+@@ -1824,6 +1972,11 @@ static int do_remount(struct path *path, int flags, int mnt_flags, |
3047 |
int err; |
3048 |
struct super_block *sb = path->mnt->mnt_sb; |
3049 |
|
3050 |
@@ -6150,21 +6126,15 @@ index fe59bd1..497c7be 100644 |
3051 |
if (!capable(CAP_SYS_ADMIN)) |
3052 |
return -EPERM; |
3053 |
|
3054 |
-@@ -1836,6 +2020,40 @@ static int do_remount(struct path *path, int flags, int mnt_flags, |
3055 |
+@@ -1837,6 +1990,34 @@ static int do_remount(struct path *path, int flags, int mnt_flags, |
3056 |
if (err) |
3057 |
return err; |
3058 |
|
3059 |
+#ifdef CONFIG_RSBAC |
3060 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DIR\n"); |
3061 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3062 |
+ rsbac_target_id.dir.device = path->dentry->d_sb->s_dev; |
3063 |
+ rsbac_target_id.dir.inode = path->dentry->d_inode->i_ino; |
3064 |
+ rsbac_target_id.dir.dentry_p = path->dentry; |
3065 |
-+#else |
3066 |
-+ rsbac_target_id.dir.device = nd->path.dentry->d_sb->s_dev; |
3067 |
-+ rsbac_target_id.dir.inode = nd->path.dentry->d_inode->i_ino; |
3068 |
-+ rsbac_target_id.dir.dentry_p = nd->path.dentry; |
3069 |
-+#endif |
3070 |
+ rsbac_attribute_value.mode = flags; |
3071 |
+ if (!rsbac_adf_request(R_MOUNT, |
3072 |
+ task_pid(current), |
3073 |
@@ -6191,7 +6161,7 @@ index fe59bd1..497c7be 100644 |
3074 |
down_write(&sb->s_umount); |
3075 |
if (flags & MS_BIND) |
3076 |
err = change_mount_flags(path->mnt, flags); |
3077 |
-@@ -1871,6 +2089,12 @@ static int do_move_mount(struct path *path, char *old_name) |
3078 |
+@@ -1872,6 +2053,12 @@ static int do_move_mount(struct path *path, char *old_name) |
3079 |
struct path old_path, parent_path; |
3080 |
struct vfsmount *p; |
3081 |
int err = 0; |
3082 |
@@ -6204,21 +6174,15 @@ index fe59bd1..497c7be 100644 |
3083 |
if (!capable(CAP_SYS_ADMIN)) |
3084 |
return -EPERM; |
3085 |
if (!old_name || !*old_name) |
3086 |
-@@ -1883,6 +2107,75 @@ static int do_move_mount(struct path *path, char *old_name) |
3087 |
+@@ -1884,6 +2071,61 @@ static int do_move_mount(struct path *path, char *old_name) |
3088 |
if (err < 0) |
3089 |
goto out; |
3090 |
|
3091 |
+#ifdef CONFIG_RSBAC |
3092 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for UMOUNT on old DIR\n"); |
3093 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3094 |
+ rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev; |
3095 |
+ rsbac_target_id.dir.inode = old_path.dentry->d_inode->i_ino; |
3096 |
+ rsbac_target_id.dir.dentry_p = old_path.dentry; |
3097 |
-+#else |
3098 |
-+ rsbac_target_id.dir.device = old_nd.path.dentry->d_sb->s_dev; |
3099 |
-+ rsbac_target_id.dir.inode = old_nd.path.dentry->d_inode->i_ino; |
3100 |
-+ rsbac_target_id.dir.dentry_p = old_nd.path.dentry; |
3101 |
-+#endif |
3102 |
+ rsbac_attribute_value.dummy = 0; |
3103 |
+ if (!rsbac_adf_request(R_UMOUNT, |
3104 |
+ task_pid(current), |
3105 |
@@ -6227,7 +6191,7 @@ index fe59bd1..497c7be 100644 |
3106 |
+ A_none, |
3107 |
+ rsbac_attribute_value)) { |
3108 |
+ err = -EPERM; |
3109 |
-+ goto out; |
3110 |
++ goto out1; |
3111 |
+ } |
3112 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for MOUNT on new DIR\n"); |
3113 |
+ rsbac_target_id.dir.device = path->dentry->d_sb->s_dev; |
3114 |
@@ -6239,29 +6203,22 @@ index fe59bd1..497c7be 100644 |
3115 |
+ T_DIR, |
3116 |
+ rsbac_target_id, |
3117 |
+ A_none, |
3118 |
-+ rsbac_attribute_value)) |
3119 |
-+ { |
3120 |
++ rsbac_attribute_value)) { |
3121 |
+ err = -EPERM; |
3122 |
-+ goto out; |
3123 |
++ goto out1; |
3124 |
+ } |
3125 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for UMOUNT on DEV\n"); |
3126 |
+ rsbac_target_id.dev.type = D_block; |
3127 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) |
3128 |
+ rsbac_target_id.dev.major = RSBAC_MAJOR(old_path.dentry->d_sb->s_dev); |
3129 |
+ rsbac_target_id.dev.minor = RSBAC_MINOR(old_path.dentry->d_sb->s_dev); |
3130 |
-+#else |
3131 |
-+ rsbac_target_id.dev.major = RSBAC_MAJOR(old_nd.path.dentry->d_sb->s_dev); |
3132 |
-+ rsbac_target_id.dev.minor = RSBAC_MINOR(old_nd.path.dentry->d_sb->s_dev); |
3133 |
-+#endif |
3134 |
+ if (!rsbac_adf_request(R_UMOUNT, |
3135 |
+ task_pid(current), |
3136 |
+ T_DEV, |
3137 |
+ rsbac_target_id, |
3138 |
+ A_none, |
3139 |
-+ rsbac_attribute_value)) |
3140 |
-+ { |
3141 |
++ rsbac_attribute_value)) { |
3142 |
+ err = -EPERM; |
3143 |
-+ goto out; |
3144 |
++ goto out1; |
3145 |
+ } |
3146 |
+ rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for MOUNT on DEV\n"); |
3147 |
+ if (!rsbac_adf_request(R_MOUNT, |
3148 |
@@ -6269,10 +6226,9 @@ index fe59bd1..497c7be 100644 |
3149 |
+ T_DEV, |
3150 |
+ rsbac_target_id, |
3151 |
+ A_none, |
3152 |
-+ rsbac_attribute_value)) |
3153 |
-+ { |
3154 |
++ rsbac_attribute_value)) { |
3155 |
+ err = -EPERM; |
3156 |
-+ goto out; |
3157 |
++ goto out1; |
3158 |
+ } |
3159 |
+#endif |
3160 |
+ |
3161 |
@@ -6280,7 +6236,7 @@ index fe59bd1..497c7be 100644 |
3162 |
err = -EINVAL; |
3163 |
if (!check_mnt(path->mnt) || !check_mnt(old_path.mnt)) |
3164 |
goto out1; |
3165 |
-@@ -1922,6 +2215,10 @@ static int do_move_mount(struct path *path, char *old_name) |
3166 |
+@@ -1923,6 +2165,10 @@ static int do_move_mount(struct path *path, char *old_name) |
3167 |
if (err) |
3168 |
goto out1; |
3169 |
|
3170 |
@@ -6291,7 +6247,7 @@ index fe59bd1..497c7be 100644 |
3171 |
/* if the mount is moved, it should no longer be expire |
3172 |
* automatically */ |
3173 |
list_del_init(&old_path.mnt->mnt_expire); |
3174 |
-@@ -1980,12 +2277,50 @@ static int do_add_mount(struct vfsmount *newmnt, struct path *path, int mnt_flag |
3175 |
+@@ -1981,12 +2227,50 @@ static int do_add_mount(struct vfsmount *newmnt, struct path *path, int mnt_flag |
3176 |
{ |
3177 |
int err; |
3178 |
|
3179 |
@@ -6342,7 +6298,7 @@ index fe59bd1..497c7be 100644 |
3180 |
err = -EINVAL; |
3181 |
if (!(mnt_flags & MNT_SHRINKABLE) && !check_mnt(path->mnt)) |
3182 |
goto unlock; |
3183 |
-@@ -2560,6 +2895,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
3184 |
+@@ -2561,6 +2845,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
3185 |
struct path new, old, parent_path, root_parent, root; |
3186 |
int error; |
3187 |
|
3188 |
@@ -6354,7 +6310,7 @@ index fe59bd1..497c7be 100644 |
3189 |
if (!capable(CAP_SYS_ADMIN)) |
3190 |
return -EPERM; |
3191 |
|
3192 |
-@@ -2580,6 +2920,42 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
3193 |
+@@ -2581,6 +2870,42 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, |
3194 |
if (error) |
3195 |
goto out3; |
3196 |
|
3197 |
@@ -6397,7 +6353,7 @@ index fe59bd1..497c7be 100644 |
3198 |
error = -EINVAL; |
3199 |
if (IS_MNT_SHARED(old.mnt) || |
3200 |
IS_MNT_SHARED(new.mnt->mnt_parent) || |
3201 |
-@@ -2656,6 +3032,10 @@ static void __init init_mount_tree(void) |
3202 |
+@@ -2657,6 +2982,10 @@ static void __init init_mount_tree(void) |
3203 |
if (IS_ERR(mnt)) |
3204 |
panic("Can't create rootfs"); |
3205 |
|
3206 |
@@ -6409,7 +6365,7 @@ index fe59bd1..497c7be 100644 |
3207 |
if (IS_ERR(ns)) |
3208 |
panic("Can't allocate initial namespace"); |
3209 |
diff --git a/fs/open.c b/fs/open.c |
3210 |
-index b52cf01..8c7bc7f 100644 |
3211 |
+index f711921..897375c 100644 |
3212 |
--- a/fs/open.c |
3213 |
+++ b/fs/open.c |
3214 |
@@ -33,16 +33,52 @@ |
3215 |
@@ -6732,65 +6688,9 @@ index b52cf01..8c7bc7f 100644 |
3216 |
set_fs_root(current->fs, &path); |
3217 |
error = 0; |
3218 |
dput_and_out: |
3219 |
-@@ -454,6 +658,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode) |
3220 |
- int err = -EBADF; |
3221 |
+@@ -452,9 +656,50 @@ static int chmod_common(struct path *path, umode_t mode) |
3222 |
struct iattr newattrs; |
3223 |
- |
3224 |
-+#ifdef CONFIG_RSBAC |
3225 |
-+ enum rsbac_target_t rsbac_target; |
3226 |
-+ union rsbac_target_id_t rsbac_target_id; |
3227 |
-+ union rsbac_attribute_value_t rsbac_attribute_value; |
3228 |
-+#endif |
3229 |
-+ |
3230 |
- file = fget(fd); |
3231 |
- if (!file) |
3232 |
- goto out; |
3233 |
-@@ -466,6 +676,42 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode) |
3234 |
- err = mnt_want_write_file(file); |
3235 |
- if (err) |
3236 |
- goto out_putf; |
3237 |
-+ |
3238 |
-+#ifdef CONFIG_RSBAC |
3239 |
-+ rsbac_pr_debug(aef, "calling ADF\n"); |
3240 |
-+ rsbac_target = T_FILE; |
3241 |
-+ rsbac_target_id.file.device = inode->i_sb->s_dev; |
3242 |
-+ rsbac_target_id.file.inode = inode->i_ino; |
3243 |
-+ rsbac_target_id.file.dentry_p = dentry; |
3244 |
-+ if (S_ISDIR(inode->i_mode)) |
3245 |
-+ rsbac_target = T_DIR; |
3246 |
-+ else if (S_ISFIFO(inode->i_mode)) |
3247 |
-+ rsbac_target = T_FIFO; |
3248 |
-+ else if (S_ISLNK(inode->i_mode)) |
3249 |
-+ rsbac_target = T_SYMLINK; |
3250 |
-+ else if (S_ISSOCK(inode->i_mode)) { |
3251 |
-+ if(inode->i_sb->s_magic == SOCKFS_MAGIC) { |
3252 |
-+ rsbac_target = T_IPC; |
3253 |
-+ rsbac_target_id.ipc.type = I_anonunix; |
3254 |
-+ rsbac_target_id.ipc.id.id_nr = inode->i_ino; |
3255 |
-+ } else { |
3256 |
-+ rsbac_target = T_UNIXSOCK; |
3257 |
-+ } |
3258 |
-+ } |
3259 |
-+ rsbac_attribute_value.mode = mode; |
3260 |
-+ if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA, |
3261 |
-+ task_pid(current), |
3262 |
-+ rsbac_target, |
3263 |
-+ rsbac_target_id, |
3264 |
-+ A_mode, |
3265 |
-+ rsbac_attribute_value)) |
3266 |
-+ { |
3267 |
-+ err = -EPERM; |
3268 |
-+ mnt_drop_write(file->f_path.mnt); |
3269 |
-+ goto out_putf; |
3270 |
-+ } |
3271 |
-+#endif |
3272 |
-+ |
3273 |
- mutex_lock(&inode->i_mutex); |
3274 |
- err = security_path_chmod(dentry, file->f_vfsmnt, mode); |
3275 |
- if (err) |
3276 |
-@@ -491,6 +737,12 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode) |
3277 |
int error; |
3278 |
- struct iattr newattrs; |
3279 |
|
3280 |
+#ifdef CONFIG_RSBAC |
3281 |
+ enum rsbac_target_t rsbac_target; |
3282 |
@@ -6798,19 +6698,16 @@ index b52cf01..8c7bc7f 100644 |
3283 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3284 |
+#endif |
3285 |
+ |
3286 |
- error = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path); |
3287 |
- if (error) |
3288 |
- goto out; |
3289 |
-@@ -499,6 +751,41 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode) |
3290 |
- error = mnt_want_write(path.mnt); |
3291 |
+ error = mnt_want_write(path->mnt); |
3292 |
if (error) |
3293 |
- goto dput_and_out; |
3294 |
+ return error; |
3295 |
++ |
3296 |
+#ifdef CONFIG_RSBAC |
3297 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
3298 |
+ rsbac_target = T_FILE; |
3299 |
+ rsbac_target_id.file.device = inode->i_sb->s_dev; |
3300 |
+ rsbac_target_id.file.inode = inode->i_ino; |
3301 |
-+ rsbac_target_id.file.dentry_p = path.dentry; |
3302 |
++ rsbac_target_id.file.dentry_p = path->dentry; |
3303 |
+ if (S_ISDIR(inode->i_mode)) |
3304 |
+ rsbac_target = T_DIR; |
3305 |
+ else if (S_ISFIFO(inode->i_mode)) |
3306 |
@@ -6834,16 +6731,15 @@ index b52cf01..8c7bc7f 100644 |
3307 |
+ A_mode, |
3308 |
+ rsbac_attribute_value)) |
3309 |
+ { |
3310 |
-+ error = -EPERM; |
3311 |
-+ mnt_drop_write(path.mnt); |
3312 |
-+ goto dput_and_out; |
3313 |
++ mnt_drop_write(path->mnt); |
3314 |
++ return -EPERM; |
3315 |
+ } |
3316 |
+#endif |
3317 |
+ |
3318 |
mutex_lock(&inode->i_mutex); |
3319 |
- error = security_path_chmod(path.dentry, path.mnt, mode); |
3320 |
+ error = security_path_chmod(path->dentry, path->mnt, mode); |
3321 |
if (error) |
3322 |
-@@ -528,6 +815,36 @@ static int chown_common(struct path *path, uid_t user, gid_t group) |
3323 |
+@@ -506,6 +751,38 @@ static int chown_common(struct path *path, uid_t user, gid_t group) |
3324 |
int error; |
3325 |
struct iattr newattrs; |
3326 |
|
3327 |
@@ -6851,7 +6747,9 @@ index b52cf01..8c7bc7f 100644 |
3328 |
+ enum rsbac_target_t rsbac_target; |
3329 |
+ union rsbac_target_id_t rsbac_target_id; |
3330 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3331 |
++#endif |
3332 |
+ |
3333 |
++#ifdef CONFIG_RSBAC |
3334 |
+ rsbac_pr_debug(aef, "[sys_*chown]: calling ADF\n"); |
3335 |
+ rsbac_target = T_FILE; |
3336 |
+ if (S_ISDIR(inode->i_mode)) |
3337 |
@@ -6880,7 +6778,7 @@ index b52cf01..8c7bc7f 100644 |
3338 |
newattrs.ia_valid = ATTR_CTIME; |
3339 |
if (user != (uid_t) -1) { |
3340 |
newattrs.ia_valid |= ATTR_UID; |
3341 |
-@@ -1060,11 +1377,92 @@ int filp_close(struct file *filp, fl_owner_t id) |
3342 |
+@@ -1038,11 +1315,92 @@ int filp_close(struct file *filp, fl_owner_t id) |
3343 |
{ |
3344 |
int retval = 0; |
3345 |
|
3346 |
@@ -6973,7 +6871,7 @@ index b52cf01..8c7bc7f 100644 |
3347 |
if (filp->f_op && filp->f_op->flush) |
3348 |
retval = filp->f_op->flush(filp, id); |
3349 |
|
3350 |
-@@ -1072,6 +1470,26 @@ int filp_close(struct file *filp, fl_owner_t id) |
3351 |
+@@ -1050,6 +1408,26 @@ int filp_close(struct file *filp, fl_owner_t id) |
3352 |
dnotify_flush(filp, id); |
3353 |
locks_remove_posix(filp, id); |
3354 |
} |
3355 |
@@ -7001,7 +6899,7 @@ index b52cf01..8c7bc7f 100644 |
3356 |
return retval; |
3357 |
} |
3358 |
diff --git a/fs/pipe.c b/fs/pipe.c |
3359 |
-index da42f7d..c142429 100644 |
3360 |
+index 0e0be1d..967dcdec 100644 |
3361 |
--- a/fs/pipe.c |
3362 |
+++ b/fs/pipe.c |
3363 |
@@ -24,6 +24,8 @@ |
3364 |
@@ -7348,7 +7246,7 @@ index da42f7d..c142429 100644 |
3365 |
return retval; |
3366 |
} |
3367 |
|
3368 |
-@@ -798,6 +1047,27 @@ pipe_read_open(struct inode *inode, struct file *filp) |
3369 |
+@@ -798,6 +1047,29 @@ pipe_read_open(struct inode *inode, struct file *filp) |
3370 |
{ |
3371 |
int ret = -ENOENT; |
3372 |
|
3373 |
@@ -7356,7 +7254,9 @@ index da42f7d..c142429 100644 |
3374 |
+ union rsbac_target_id_t rsbac_target_id; |
3375 |
+ union rsbac_target_id_t rsbac_new_target_id; |
3376 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3377 |
++#endif |
3378 |
+ |
3379 |
++#ifdef CONFIG_RSBAC |
3380 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
3381 |
+ rsbac_target_id.ipc.type = I_anonpipe; |
3382 |
+ rsbac_target_id.ipc.id.id_nr = inode->i_ino; |
3383 |
@@ -7376,7 +7276,7 @@ index da42f7d..c142429 100644 |
3384 |
mutex_lock(&inode->i_mutex); |
3385 |
|
3386 |
if (inode->i_pipe) { |
3387 |
-@@ -807,6 +1077,22 @@ pipe_read_open(struct inode *inode, struct file *filp) |
3388 |
+@@ -807,6 +1079,22 @@ pipe_read_open(struct inode *inode, struct file *filp) |
3389 |
|
3390 |
mutex_unlock(&inode->i_mutex); |
3391 |
|
3392 |
@@ -7399,7 +7299,7 @@ index da42f7d..c142429 100644 |
3393 |
return ret; |
3394 |
} |
3395 |
|
3396 |
-@@ -815,6 +1101,29 @@ pipe_write_open(struct inode *inode, struct file *filp) |
3397 |
+@@ -815,6 +1103,29 @@ pipe_write_open(struct inode *inode, struct file *filp) |
3398 |
{ |
3399 |
int ret = -ENOENT; |
3400 |
|
3401 |
@@ -7429,7 +7329,7 @@ index da42f7d..c142429 100644 |
3402 |
mutex_lock(&inode->i_mutex); |
3403 |
|
3404 |
if (inode->i_pipe) { |
3405 |
-@@ -824,6 +1133,22 @@ pipe_write_open(struct inode *inode, struct file *filp) |
3406 |
+@@ -824,6 +1135,22 @@ pipe_write_open(struct inode *inode, struct file *filp) |
3407 |
|
3408 |
mutex_unlock(&inode->i_mutex); |
3409 |
|
3410 |
@@ -7452,7 +7352,7 @@ index da42f7d..c142429 100644 |
3411 |
return ret; |
3412 |
} |
3413 |
|
3414 |
-@@ -832,6 +1157,28 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) |
3415 |
+@@ -832,6 +1159,30 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) |
3416 |
{ |
3417 |
int ret = -ENOENT; |
3418 |
|
3419 |
@@ -7460,7 +7360,9 @@ index da42f7d..c142429 100644 |
3420 |
+ union rsbac_target_id_t rsbac_target_id; |
3421 |
+ union rsbac_target_id_t rsbac_new_target_id; |
3422 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3423 |
++#endif |
3424 |
+ |
3425 |
++#ifdef CONFIG_RSBAC |
3426 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
3427 |
+ rsbac_target_id.ipc.type = I_anonpipe; |
3428 |
+ rsbac_target_id.ipc.id.id_nr = inode->i_ino; |
3429 |
@@ -7481,7 +7383,7 @@ index da42f7d..c142429 100644 |
3430 |
mutex_lock(&inode->i_mutex); |
3431 |
|
3432 |
if (inode->i_pipe) { |
3433 |
-@@ -844,6 +1191,23 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) |
3434 |
+@@ -844,6 +1195,23 @@ pipe_rdwr_open(struct inode *inode, struct file *filp) |
3435 |
|
3436 |
mutex_unlock(&inode->i_mutex); |
3437 |
|
3438 |
@@ -7505,7 +7407,7 @@ index da42f7d..c142429 100644 |
3439 |
return ret; |
3440 |
} |
3441 |
|
3442 |
-@@ -993,6 +1357,12 @@ struct file *create_write_pipe(int flags) |
3443 |
+@@ -993,6 +1361,12 @@ struct file *create_write_pipe(int flags) |
3444 |
struct path path; |
3445 |
struct qstr name = { .name = "" }; |
3446 |
|
3447 |
@@ -7518,7 +7420,7 @@ index da42f7d..c142429 100644 |
3448 |
err = -ENFILE; |
3449 |
inode = get_pipe_inode(); |
3450 |
if (!inode) |
3451 |
-@@ -1015,6 +1385,24 @@ struct file *create_write_pipe(int flags) |
3452 |
+@@ -1015,6 +1389,24 @@ struct file *create_write_pipe(int flags) |
3453 |
f->f_flags = O_WRONLY | (flags & O_NONBLOCK); |
3454 |
f->f_version = 0; |
3455 |
|
3456 |
@@ -7543,7 +7445,7 @@ index da42f7d..c142429 100644 |
3457 |
return f; |
3458 |
|
3459 |
err_dentry: |
3460 |
-@@ -1056,6 +1444,27 @@ int do_pipe_flags(int *fd, int flags) |
3461 |
+@@ -1056,6 +1448,27 @@ int do_pipe_flags(int *fd, int flags) |
3462 |
int error; |
3463 |
int fdw, fdr; |
3464 |
|
3465 |
@@ -7572,7 +7474,7 @@ index da42f7d..c142429 100644 |
3466 |
return -EINVAL; |
3467 |
|
3468 |
diff --git a/fs/proc/array.c b/fs/proc/array.c |
3469 |
-index 9b45ee8..dad3882 100644 |
3470 |
+index 3a1dafd..d0c628b 100644 |
3471 |
--- a/fs/proc/array.c |
3472 |
+++ b/fs/proc/array.c |
3473 |
@@ -85,6 +85,7 @@ |
3474 |
@@ -7680,7 +7582,7 @@ index 9b45ee8..dad3882 100644 |
3475 |
size = task_statm(mm, &shared, &text, &data, &resident); |
3476 |
mmput(mm); |
3477 |
diff --git a/fs/proc/base.c b/fs/proc/base.c |
3478 |
-index 5bff4c6..a34447d 100644 |
3479 |
+index 5eb0206..4361341 100644 |
3480 |
--- a/fs/proc/base.c |
3481 |
+++ b/fs/proc/base.c |
3482 |
@@ -87,6 +87,7 @@ |
3483 |
@@ -8113,7 +8015,7 @@ index 5bff4c6..a34447d 100644 |
3484 |
if (!task->mm) { |
3485 |
err = -EINVAL; |
3486 |
goto err_task_lock; |
3487 |
-@@ -1259,8 +1559,30 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf, |
3488 |
+@@ -1258,8 +1558,30 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf, |
3489 |
ssize_t length; |
3490 |
char tmpbuf[TMPBUFLEN]; |
3491 |
|
3492 |
@@ -8144,7 +8046,7 @@ index 5bff4c6..a34447d 100644 |
3493 |
length = scnprintf(tmpbuf, TMPBUFLEN, "%u", |
3494 |
audit_get_loginuid(task)); |
3495 |
put_task_struct(task); |
3496 |
-@@ -1275,6 +1597,11 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, |
3497 |
+@@ -1274,6 +1596,11 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, |
3498 |
ssize_t length; |
3499 |
uid_t loginuid; |
3500 |
|
3501 |
@@ -8156,7 +8058,7 @@ index 5bff4c6..a34447d 100644 |
3502 |
if (!capable(CAP_AUDIT_CONTROL)) |
3503 |
return -EPERM; |
3504 |
|
3505 |
-@@ -1292,6 +1619,25 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, |
3506 |
+@@ -1291,6 +1618,25 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf, |
3507 |
/* No partial writes. */ |
3508 |
return -EINVAL; |
3509 |
} |
3510 |
@@ -8182,7 +8084,7 @@ index 5bff4c6..a34447d 100644 |
3511 |
page = (char*)__get_free_page(GFP_TEMPORARY); |
3512 |
if (!page) |
3513 |
return -ENOMEM; |
3514 |
-@@ -1586,10 +1932,30 @@ static int proc_exe_link(struct inode *inode, struct path *exe_path) |
3515 |
+@@ -1585,10 +1931,30 @@ static int proc_exe_link(struct inode *inode, struct path *exe_path) |
3516 |
struct task_struct *task; |
3517 |
struct mm_struct *mm; |
3518 |
struct file *exe_file; |
3519 |
@@ -8213,7 +8115,7 @@ index 5bff4c6..a34447d 100644 |
3520 |
mm = get_task_mm(task); |
3521 |
put_task_struct(task); |
3522 |
if (!mm) |
3523 |
-@@ -1908,6 +2274,30 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) |
3524 |
+@@ -1907,6 +2273,30 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info) |
3525 |
struct file *file; |
3526 |
int fd = proc_fd(inode); |
3527 |
|
3528 |
@@ -8244,7 +8146,7 @@ index 5bff4c6..a34447d 100644 |
3529 |
if (task) { |
3530 |
files = get_files_struct(task); |
3531 |
put_task_struct(task); |
3532 |
-@@ -3007,6 +3397,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct |
3533 |
+@@ -3014,6 +3404,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct |
3534 |
unsigned tgid; |
3535 |
struct pid_namespace *ns; |
3536 |
|
3537 |
@@ -8256,7 +8158,7 @@ index 5bff4c6..a34447d 100644 |
3538 |
result = proc_base_lookup(dir, dentry); |
3539 |
if (!IS_ERR(result) || PTR_ERR(result) != -ENOENT) |
3540 |
goto out; |
3541 |
-@@ -3024,6 +3419,22 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct |
3542 |
+@@ -3031,6 +3426,22 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct |
3543 |
if (!task) |
3544 |
goto out; |
3545 |
|
3546 |
@@ -8279,7 +8181,7 @@ index 5bff4c6..a34447d 100644 |
3547 |
result = proc_pid_instantiate(dir, dentry, task, NULL); |
3548 |
put_task_struct(task); |
3549 |
out: |
3550 |
-@@ -3091,6 +3502,10 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) |
3551 |
+@@ -3098,6 +3509,10 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) |
3552 |
struct task_struct *reaper; |
3553 |
struct tgid_iter iter; |
3554 |
struct pid_namespace *ns; |
3555 |
@@ -8290,7 +8192,7 @@ index 5bff4c6..a34447d 100644 |
3556 |
|
3557 |
if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET) |
3558 |
goto out_no_task; |
3559 |
-@@ -3112,6 +3527,23 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) |
3560 |
+@@ -3119,6 +3534,23 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) |
3561 |
for (iter = next_tgid(ns, iter); |
3562 |
iter.task; |
3563 |
iter.tgid += 1, iter = next_tgid(ns, iter)) { |
3564 |
@@ -8314,7 +8216,7 @@ index 5bff4c6..a34447d 100644 |
3565 |
filp->f_pos = iter.tgid + TGID_OFFSET; |
3566 |
if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) { |
3567 |
put_task_struct(iter.task); |
3568 |
-@@ -3259,6 +3691,10 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry |
3569 |
+@@ -3266,6 +3698,10 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry |
3570 |
struct task_struct *leader = get_proc_task(dir); |
3571 |
unsigned tid; |
3572 |
struct pid_namespace *ns; |
3573 |
@@ -8325,7 +8227,7 @@ index 5bff4c6..a34447d 100644 |
3574 |
|
3575 |
if (!leader) |
3576 |
goto out_no_task; |
3577 |
-@@ -3278,6 +3714,20 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry |
3578 |
+@@ -3285,6 +3721,20 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry |
3579 |
if (!same_thread_group(leader, task)) |
3580 |
goto out_drop_task; |
3581 |
|
3582 |
@@ -8388,7 +8290,7 @@ index d245cb2..6de900e 100644 |
3583 |
kcore_update_ram(); |
3584 |
if (i_size_read(inode) != proc_root_kcore->size) { |
3585 |
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c |
3586 |
-index 5afaa58..57379a1 100644 |
3587 |
+index c7d4ee6..1905197 100644 |
3588 |
--- a/fs/proc/task_mmu.c |
3589 |
+++ b/fs/proc/task_mmu.c |
3590 |
@@ -16,6 +16,7 @@ |
3591 |
@@ -8470,7 +8372,7 @@ index 980de54..efbcee0 100644 |
3592 |
if (priv) { |
3593 |
priv->pid = proc_pid(inode); |
3594 |
diff --git a/fs/quota/quota.c b/fs/quota/quota.c |
3595 |
-index b34bdb2..ae55b0b 100644 |
3596 |
+index 10b6be3..6a1e4ce 100644 |
3597 |
--- a/fs/quota/quota.c |
3598 |
+++ b/fs/quota/quota.c |
3599 |
@@ -16,12 +16,18 @@ |
3600 |
@@ -8555,7 +8457,7 @@ index b34bdb2..ae55b0b 100644 |
3601 |
|
3602 |
return security_quotactl(cmd, type, id, sb); |
3603 |
diff --git a/fs/read_write.c b/fs/read_write.c |
3604 |
-index 5520f8a..ff3750f 100644 |
3605 |
+index 179f1c3..1055cd3 100644 |
3606 |
--- a/fs/read_write.c |
3607 |
+++ b/fs/read_write.c |
3608 |
@@ -17,6 +17,12 @@ |
3609 |
@@ -8571,7 +8473,7 @@ index 5520f8a..ff3750f 100644 |
3610 |
#include <asm/uaccess.h> |
3611 |
#include <asm/unistd.h> |
3612 |
|
3613 |
-@@ -267,7 +273,7 @@ int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count |
3614 |
+@@ -309,7 +315,7 @@ int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count |
3615 |
return count > MAX_RW_COUNT ? MAX_RW_COUNT : count; |
3616 |
} |
3617 |
|
3618 |
@@ -8580,7 +8482,7 @@ index 5520f8a..ff3750f 100644 |
3619 |
{ |
3620 |
set_current_state(TASK_UNINTERRUPTIBLE); |
3621 |
if (!kiocbIsKicked(iocb)) |
3622 |
-@@ -307,6 +313,10 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3623 |
+@@ -349,6 +355,10 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3624 |
{ |
3625 |
ssize_t ret; |
3626 |
|
3627 |
@@ -8591,7 +8493,7 @@ index 5520f8a..ff3750f 100644 |
3628 |
if (!(file->f_mode & FMODE_READ)) |
3629 |
return -EBADF; |
3630 |
if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read)) |
3631 |
-@@ -317,6 +327,12 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3632 |
+@@ -359,6 +369,12 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3633 |
ret = rw_verify_area(READ, file, pos, count); |
3634 |
if (ret >= 0) { |
3635 |
count = ret; |
3636 |
@@ -8604,7 +8506,7 @@ index 5520f8a..ff3750f 100644 |
3637 |
if (file->f_op->read) |
3638 |
ret = file->f_op->read(file, buf, count, pos); |
3639 |
else |
3640 |
-@@ -324,6 +340,9 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3641 |
+@@ -366,6 +382,9 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos) |
3642 |
if (ret > 0) { |
3643 |
fsnotify_access(file); |
3644 |
add_rchar(current, ret); |
3645 |
@@ -8614,7 +8516,7 @@ index 5520f8a..ff3750f 100644 |
3646 |
} |
3647 |
inc_syscr(current); |
3648 |
} |
3649 |
-@@ -363,6 +382,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3650 |
+@@ -405,6 +424,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3651 |
{ |
3652 |
ssize_t ret; |
3653 |
|
3654 |
@@ -8625,7 +8527,7 @@ index 5520f8a..ff3750f 100644 |
3655 |
if (!(file->f_mode & FMODE_WRITE)) |
3656 |
return -EBADF; |
3657 |
if (!file->f_op || (!file->f_op->write && !file->f_op->aio_write)) |
3658 |
-@@ -373,6 +396,12 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3659 |
+@@ -415,6 +438,12 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3660 |
ret = rw_verify_area(WRITE, file, pos, count); |
3661 |
if (ret >= 0) { |
3662 |
count = ret; |
3663 |
@@ -8638,7 +8540,7 @@ index 5520f8a..ff3750f 100644 |
3664 |
if (file->f_op->write) |
3665 |
ret = file->f_op->write(file, buf, count, pos); |
3666 |
else |
3667 |
-@@ -380,6 +409,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3668 |
+@@ -422,6 +451,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_ |
3669 |
if (ret > 0) { |
3670 |
fsnotify_modify(file); |
3671 |
add_wchar(current, ret); |
3672 |
@@ -8649,7 +8551,7 @@ index 5520f8a..ff3750f 100644 |
3673 |
} |
3674 |
inc_syscw(current); |
3675 |
} |
3676 |
-@@ -657,6 +690,11 @@ static ssize_t do_readv_writev(int type, struct file *file, |
3677 |
+@@ -699,6 +732,11 @@ static ssize_t do_readv_writev(int type, struct file *file, |
3678 |
io_fn_t fn; |
3679 |
iov_fn_t fnv; |
3680 |
|
3681 |
@@ -8661,7 +8563,7 @@ index 5520f8a..ff3750f 100644 |
3682 |
if (!file->f_op) { |
3683 |
ret = -EINVAL; |
3684 |
goto out; |
3685 |
-@@ -672,6 +710,19 @@ static ssize_t do_readv_writev(int type, struct file *file, |
3686 |
+@@ -714,6 +752,19 @@ static ssize_t do_readv_writev(int type, struct file *file, |
3687 |
if (ret < 0) |
3688 |
goto out; |
3689 |
|
3690 |
@@ -8681,7 +8583,7 @@ index 5520f8a..ff3750f 100644 |
3691 |
fnv = NULL; |
3692 |
if (type == READ) { |
3693 |
fn = file->f_op->read; |
3694 |
-@@ -696,6 +747,12 @@ out: |
3695 |
+@@ -738,6 +789,12 @@ out: |
3696 |
else |
3697 |
fsnotify_modify(file); |
3698 |
} |
3699 |
@@ -8694,7 +8596,7 @@ index 5520f8a..ff3750f 100644 |
3700 |
return ret; |
3701 |
} |
3702 |
|
3703 |
-@@ -832,6 +889,15 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3704 |
+@@ -874,6 +931,15 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3705 |
ssize_t retval; |
3706 |
int fput_needed_in, fput_needed_out, fl; |
3707 |
|
3708 |
@@ -8710,7 +8612,7 @@ index 5520f8a..ff3750f 100644 |
3709 |
/* |
3710 |
* Get input file, and verify that it is ok.. |
3711 |
*/ |
3712 |
-@@ -852,6 +918,29 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3713 |
+@@ -894,6 +960,29 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3714 |
goto fput_in; |
3715 |
count = retval; |
3716 |
|
3717 |
@@ -8740,7 +8642,7 @@ index 5520f8a..ff3750f 100644 |
3718 |
/* |
3719 |
* Get output file, and verify that it is ok.. |
3720 |
*/ |
3721 |
-@@ -869,6 +958,28 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3722 |
+@@ -911,6 +1000,28 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3723 |
goto fput_out; |
3724 |
count = retval; |
3725 |
|
3726 |
@@ -8769,7 +8671,7 @@ index 5520f8a..ff3750f 100644 |
3727 |
if (!max) |
3728 |
max = min(in_inode->i_sb->s_maxbytes, out_inode->i_sb->s_maxbytes); |
3729 |
|
3730 |
-@@ -903,6 +1014,11 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3731 |
+@@ -945,6 +1056,11 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, |
3732 |
if (*ppos > max) |
3733 |
retval = -EOVERFLOW; |
3734 |
|
3735 |
@@ -8934,7 +8836,7 @@ index 356f715..62bf4f4 100644 |
3736 |
buf.error = 0; |
3737 |
|
3738 |
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c |
3739 |
-index 1186626..5d091ce 100644 |
3740 |
+index ef39232..03b8ca9 100644 |
3741 |
--- a/fs/reiserfs/namei.c |
3742 |
+++ b/fs/reiserfs/namei.c |
3743 |
@@ -18,6 +18,7 @@ |
3744 |
@@ -8970,10 +8872,10 @@ index 1186626..5d091ce 100644 |
3745 |
|
3746 |
copy_item_head(&new_entry_ih, get_ih(&new_entry_path)); |
3747 |
diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c |
3748 |
-index d780896..166430b 100644 |
3749 |
+index 6bc346c..ac9382c 100644 |
3750 |
--- a/fs/reiserfs/xattr.c |
3751 |
+++ b/fs/reiserfs/xattr.c |
3752 |
-@@ -981,6 +981,10 @@ static const struct dentry_operations xattr_lookup_poison_ops = { |
3753 |
+@@ -951,6 +951,10 @@ static const struct dentry_operations xattr_lookup_poison_ops = { |
3754 |
.d_revalidate = xattr_hide_revalidate, |
3755 |
}; |
3756 |
|
3757 |
@@ -8984,7 +8886,7 @@ index d780896..166430b 100644 |
3758 |
int reiserfs_lookup_privroot(struct super_block *s) |
3759 |
{ |
3760 |
struct dentry *dentry; |
3761 |
-@@ -1025,8 +1029,13 @@ int reiserfs_xattr_init(struct super_block *s, int mount_flags) |
3762 |
+@@ -995,8 +999,13 @@ int reiserfs_xattr_init(struct super_block *s, int mount_flags) |
3763 |
reiserfs_mutex_lock_safe(&privroot->d_inode->i_mutex, s); |
3764 |
if (!REISERFS_SB(s)->xattr_root) { |
3765 |
struct dentry *dentry; |
3766 |
@@ -8999,7 +8901,7 @@ index d780896..166430b 100644 |
3767 |
REISERFS_SB(s)->xattr_root = dentry; |
3768 |
else |
3769 |
diff --git a/fs/stat.c b/fs/stat.c |
3770 |
-index 9610391..d36f8f1 100644 |
3771 |
+index 8806b89..2d3c3d3 100644 |
3772 |
--- a/fs/stat.c |
3773 |
+++ b/fs/stat.c |
3774 |
@@ -18,8 +18,19 @@ |
3775 |
@@ -9022,25 +8924,27 @@ index 9610391..d36f8f1 100644 |
3776 |
stat->dev = inode->i_sb->s_dev; |
3777 |
stat->ino = inode->i_ino; |
3778 |
stat->mode = inode->i_mode; |
3779 |
-@@ -30,6 +41,17 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) |
3780 |
- stat->atime = inode->i_atime; |
3781 |
- stat->mtime = inode->i_mtime; |
3782 |
- stat->ctime = inode->i_ctime; |
3783 |
+@@ -27,6 +38,19 @@ void generic_fillattr(struct inode *inode, struct kstat *stat) |
3784 |
+ stat->uid = inode->i_uid; |
3785 |
+ stat->gid = inode->i_gid; |
3786 |
+ stat->rdev = inode->i_rdev; |
3787 |
+ |
3788 |
+#ifdef CONFIG_RSBAC_SYM_REDIR |
3789 |
+ if (S_ISLNK(inode->i_mode)) { |
3790 |
+ rsbac_name = rsbac_symlink_redirect(inode, "", 0); |
3791 |
-+ if (rsbac_name) |
3792 |
++ if (rsbac_name) { |
3793 |
+ len = strlen(rsbac_name); |
3794 |
++ kfree(rsbac_name); |
3795 |
++ } |
3796 |
+ stat->size = i_size_read(inode) + len; |
3797 |
+ } |
3798 |
+ else |
3799 |
+#endif |
3800 |
+ |
3801 |
stat->size = i_size_read(inode); |
3802 |
- stat->blocks = inode->i_blocks; |
3803 |
- stat->blksize = (1 << inode->i_blkbits); |
3804 |
-@@ -42,10 +64,51 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) |
3805 |
+ stat->atime = inode->i_atime; |
3806 |
+ stat->mtime = inode->i_mtime; |
3807 |
+@@ -42,10 +66,51 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) |
3808 |
struct inode *inode = dentry->d_inode; |
3809 |
int retval; |
3810 |
|
3811 |
@@ -9092,9 +8996,9 @@ index 9610391..d36f8f1 100644 |
3812 |
if (inode->i_op->getattr) |
3813 |
return inode->i_op->getattr(mnt, dentry, stat); |
3814 |
|
3815 |
-@@ -297,6 +360,11 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname, |
3816 |
- struct path path; |
3817 |
+@@ -296,6 +361,11 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname, |
3818 |
int error; |
3819 |
+ int empty = 0; |
3820 |
|
3821 |
+#ifdef CONFIG_RSBAC |
3822 |
+ union rsbac_target_id_t rsbac_target_id; |
3823 |
@@ -9104,7 +9008,7 @@ index 9610391..d36f8f1 100644 |
3824 |
if (bufsiz <= 0) |
3825 |
return -EINVAL; |
3826 |
|
3827 |
-@@ -308,6 +376,24 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname, |
3828 |
+@@ -307,6 +377,24 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname, |
3829 |
if (inode->i_op->readlink) { |
3830 |
error = security_inode_readlink(path.dentry); |
3831 |
if (!error) { |
3832 |
@@ -9130,7 +9034,7 @@ index 9610391..d36f8f1 100644 |
3833 |
error = inode->i_op->readlink(path.dentry, |
3834 |
buf, bufsiz); |
3835 |
diff --git a/fs/statfs.c b/fs/statfs.c |
3836 |
-index 8244924..039e6ca 100644 |
3837 |
+index 9cf04a1..d978425 100644 |
3838 |
--- a/fs/statfs.c |
3839 |
+++ b/fs/statfs.c |
3840 |
@@ -8,6 +8,8 @@ |
3841 |
@@ -9313,7 +9217,7 @@ index ba653f3..0c8e4d7 100644 |
3842 |
error = notify_change(path->dentry, &newattrs); |
3843 |
mutex_unlock(&inode->i_mutex); |
3844 |
diff --git a/fs/xattr.c b/fs/xattr.c |
3845 |
-index f060663..fb94ce1 100644 |
3846 |
+index f060663..5a6aaa9 100644 |
3847 |
--- a/fs/xattr.c |
3848 |
+++ b/fs/xattr.c |
3849 |
@@ -20,6 +20,7 @@ |
3850 |
@@ -9324,7 +9228,7 @@ index f060663..fb94ce1 100644 |
3851 |
|
3852 |
/* |
3853 |
* Check permissions for extended attribute access. This is a bit complicated |
3854 |
-@@ -121,6 +122,38 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, |
3855 |
+@@ -121,6 +122,36 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, |
3856 |
{ |
3857 |
struct inode *inode = dentry->d_inode; |
3858 |
int error; |
3859 |
@@ -9334,7 +9238,6 @@ index f060663..fb94ce1 100644 |
3860 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3861 |
+#endif |
3862 |
+ |
3863 |
-+ |
3864 |
+#ifdef CONFIG_RSBAC |
3865 |
+ rsbac_pr_debug(aef, "[sys_*setxattr()]: calling ADF\n"); |
3866 |
+ rsbac_target = T_FILE; |
3867 |
@@ -9356,14 +9259,13 @@ index f060663..fb94ce1 100644 |
3868 |
+ rsbac_target_id, |
3869 |
+ A_none, |
3870 |
+ rsbac_attribute_value)) { |
3871 |
-+ error = -EPERM; |
3872 |
-+ goto out; |
3873 |
++ return -EPERM; |
3874 |
+ } |
3875 |
+#endif |
3876 |
|
3877 |
error = xattr_permission(inode, name, MAY_WRITE); |
3878 |
if (error) |
3879 |
-@@ -172,6 +205,12 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) |
3880 |
+@@ -172,6 +203,12 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) |
3881 |
struct inode *inode = dentry->d_inode; |
3882 |
int error; |
3883 |
|
3884 |
@@ -9376,7 +9278,7 @@ index f060663..fb94ce1 100644 |
3885 |
error = xattr_permission(inode, name, MAY_READ); |
3886 |
if (error) |
3887 |
return error; |
3888 |
-@@ -180,6 +219,33 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) |
3889 |
+@@ -180,6 +217,31 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) |
3890 |
if (error) |
3891 |
return error; |
3892 |
|
3893 |
@@ -9400,26 +9302,27 @@ index f060663..fb94ce1 100644 |
3894 |
+ rsbac_target, |
3895 |
+ rsbac_target_id, |
3896 |
+ A_none, |
3897 |
-+ rsbac_attribute_value)) |
3898 |
-+ { |
3899 |
-+ error = -EPERM; |
3900 |
-+ return error; |
3901 |
++ rsbac_attribute_value)) { |
3902 |
++ return -EPERM; |
3903 |
+ } |
3904 |
+#endif |
3905 |
+ |
3906 |
if (!strncmp(name, XATTR_SECURITY_PREFIX, |
3907 |
XATTR_SECURITY_PREFIX_LEN)) { |
3908 |
const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; |
3909 |
-@@ -206,7 +272,36 @@ ssize_t |
3910 |
+@@ -206,10 +268,41 @@ ssize_t |
3911 |
vfs_listxattr(struct dentry *d, char *list, size_t size) |
3912 |
{ |
3913 |
ssize_t error; |
3914 |
-- |
3915 |
+#ifdef CONFIG_RSBAC |
3916 |
+ enum rsbac_target_t rsbac_target; |
3917 |
+ union rsbac_target_id_t rsbac_target_id; |
3918 |
+ union rsbac_attribute_value_t rsbac_attribute_value; |
3919 |
+#endif |
3920 |
+ |
3921 |
+ error = security_inode_listxattr(d); |
3922 |
+ if (error) |
3923 |
+ return error; |
3924 |
+ |
3925 |
+#ifdef CONFIG_RSBAC |
3926 |
+ rsbac_pr_debug(aef, "[sys_*listxattr()]: calling ADF\n"); |
3927 |
@@ -9445,10 +9348,11 @@ index f060663..fb94ce1 100644 |
3928 |
+ return -EPERM; |
3929 |
+ } |
3930 |
+#endif |
3931 |
- error = security_inode_listxattr(d); |
3932 |
- if (error) |
3933 |
- return error; |
3934 |
-@@ -228,6 +323,12 @@ vfs_removexattr(struct dentry *dentry, const char *name) |
3935 |
++ |
3936 |
+ error = -EOPNOTSUPP; |
3937 |
+ if (d->d_inode->i_op->listxattr) { |
3938 |
+ error = d->d_inode->i_op->listxattr(d, list, size); |
3939 |
+@@ -228,6 +321,12 @@ vfs_removexattr(struct dentry *dentry, const char *name) |
3940 |
struct inode *inode = dentry->d_inode; |
3941 |
int error; |
3942 |
|
3943 |
@@ -9461,7 +9365,7 @@ index f060663..fb94ce1 100644 |
3944 |
if (!inode->i_op->removexattr) |
3945 |
return -EOPNOTSUPP; |
3946 |
|
3947 |
-@@ -239,6 +340,33 @@ vfs_removexattr(struct dentry *dentry, const char *name) |
3948 |
+@@ -239,6 +338,31 @@ vfs_removexattr(struct dentry *dentry, const char *name) |
3949 |
if (error) |
3950 |
return error; |
3951 |
|
3952 |
@@ -9485,21 +9389,19 @@ index f060663..fb94ce1 100644 |
3953 |
+ rsbac_target, |
3954 |
+ rsbac_target_id, |
3955 |
+ A_none, |
3956 |
-+ rsbac_attribute_value)) |
3957 |
-+ { |
3958 |
-+ error = -EPERM; |
3959 |
-+ return error; |
3960 |
++ rsbac_attribute_value)) { |
3961 |
++ return -EPERM; |
3962 |
+ } |
3963 |
+#endif |
3964 |
+ |
3965 |
mutex_lock(&inode->i_mutex); |
3966 |
error = inode->i_op->removexattr(dentry, name); |
3967 |
mutex_unlock(&inode->i_mutex); |
3968 |
-diff --git a/fs/xfs/linux-2.6/xfs_iops.c b/fs/xfs/linux-2.6/xfs_iops.c |
3969 |
-index d44d92c..231c000 100644 |
3970 |
---- a/fs/xfs/linux-2.6/xfs_iops.c |
3971 |
-+++ b/fs/xfs/linux-2.6/xfs_iops.c |
3972 |
-@@ -49,6 +49,8 @@ |
3973 |
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c |
3974 |
+index 474920b..53f939f 100644 |
3975 |
+--- a/fs/xfs/xfs_iops.c |
3976 |
++++ b/fs/xfs/xfs_iops.c |
3977 |
+@@ -50,6 +50,8 @@ |
3978 |
#include <linux/fiemap.h> |
3979 |
#include <linux/slab.h> |
3980 |
|
3981 |
@@ -9508,7 +9410,7 @@ index d44d92c..231c000 100644 |
3982 |
/* |
3983 |
* Bring the timestamps in the XFS inode uptodate. |
3984 |
* |
3985 |
-@@ -330,6 +332,10 @@ xfs_vn_unlink( |
3986 |
+@@ -339,6 +341,10 @@ xfs_vn_unlink( |
3987 |
struct xfs_name name; |
3988 |
int error; |
3989 |
|
3990 |
@@ -9519,7 +9421,7 @@ index d44d92c..231c000 100644 |
3991 |
xfs_dentry_to_name(&name, dentry); |
3992 |
|
3993 |
error = -xfs_remove(XFS_I(dir), &name, XFS_I(dentry->d_inode)); |
3994 |
-@@ -391,10 +397,34 @@ xfs_vn_rename( |
3995 |
+@@ -400,10 +406,34 @@ xfs_vn_rename( |
3996 |
struct inode *new_inode = ndentry->d_inode; |
3997 |
struct xfs_name oname; |
3998 |
struct xfs_name nname; |
3999 |
@@ -9555,7 +9457,7 @@ index d44d92c..231c000 100644 |
4000 |
XFS_I(ndir), &nname, new_inode ? |
4001 |
XFS_I(new_inode) : NULL); |
4002 |
diff --git a/include/linux/sched.h b/include/linux/sched.h |
4003 |
-index 4ef452b..cdaf6b4 100644 |
4004 |
+index 41d0237..c6374f4 100644 |
4005 |
--- a/include/linux/sched.h |
4006 |
+++ b/include/linux/sched.h |
4007 |
@@ -29,6 +29,9 @@ |
4008 |
@@ -9591,7 +9493,7 @@ index 4ef452b..cdaf6b4 100644 |
4009 |
|
4010 |
/* |
4011 |
* These are the constant used to fake the fixed-point load-average |
4012 |
-@@ -2206,6 +2217,13 @@ static inline void mmdrop(struct mm_struct * mm) |
4013 |
+@@ -2225,6 +2236,13 @@ static inline void mmdrop(struct mm_struct * mm) |
4014 |
|
4015 |
/* mmput gets rid of the mappings and all user-space */ |
4016 |
extern void mmput(struct mm_struct *); |
4017 |
@@ -9605,7 +9507,7 @@ index 4ef452b..cdaf6b4 100644 |
4018 |
/* Grab a reference to a task's mm, if it is not already going away */ |
4019 |
extern struct mm_struct *get_task_mm(struct task_struct *task); |
4020 |
/* Remove the current tasks stale references to the old mm_struct */ |
4021 |
-@@ -2233,7 +2251,12 @@ extern int disallow_signal(int); |
4022 |
+@@ -2252,7 +2270,12 @@ extern int disallow_signal(int); |
4023 |
extern int do_execve(const char *, |
4024 |
const char __user * const __user *, |
4025 |
const char __user * const __user *, struct pt_regs *); |
4026 |
@@ -12831,17 +12733,17 @@ index 0000000..0a7aa68 |
4027 |
+#endif |
4028 |
diff --git a/include/rsbac/adf_main.h b/include/rsbac/adf_main.h |
4029 |
new file mode 100644 |
4030 |
-index 0000000..b09fb9e |
4031 |
+index 0000000..ffba0b8 |
4032 |
--- /dev/null |
4033 |
+++ b/include/rsbac/adf_main.h |
4034 |
-@@ -0,0 +1,835 @@ |
4035 |
+@@ -0,0 +1,836 @@ |
4036 |
+/************************************ */ |
4037 |
+/* Rule Set Based Access Control */ |
4038 |
-+/* Author and (c) 1999-2009: */ |
4039 |
++/* Author and (c) 1999-2010: */ |
4040 |
+/* Amon Ott <ao@×××××.org> */ |
4041 |
+/* Data Structs etc. for Access */ |
4042 |
+/* Control Decision Facility */ |
4043 |
-+/* Last modified: 26/Mar/2009 */ |
4044 |
++/* Last modified: 21/May/2010 */ |
4045 |
+/************************************ */ |
4046 |
+ |
4047 |
+#ifndef __RSBAC_ADF_MAIN_H |
4048 |
@@ -13225,6 +13127,7 @@ index 0000000..b09fb9e |
4049 |
+ ((rsbac_request_vector_t) 1 << R_CLONE) | \ |
4050 |
+ ((rsbac_request_vector_t) 1 << R_CREATE) | \ |
4051 |
+ ((rsbac_request_vector_t) 1 << R_EXECUTE) | \ |
4052 |
++ ((rsbac_request_vector_t) 1 << R_CONNECT) | \ |
4053 |
+ ((rsbac_request_vector_t) 1 << R_BIND) ) |
4054 |
+#endif |
4055 |
+ |
4056 |
@@ -22776,7 +22679,7 @@ index c0851a8..e08e25f 100644 |
4057 |
+ |
4058 |
} |
4059 |
diff --git a/init/main.c b/init/main.c |
4060 |
-index d7211fa..1e384f5 100644 |
4061 |
+index 03b408d..962030e 100644 |
4062 |
--- a/init/main.c |
4063 |
+++ b/init/main.c |
4064 |
@@ -75,6 +75,8 @@ |
4065 |
@@ -22788,7 +22691,7 @@ index d7211fa..1e384f5 100644 |
4066 |
#ifdef CONFIG_X86_LOCAL_APIC |
4067 |
#include <asm/smp.h> |
4068 |
#endif |
4069 |
-@@ -606,6 +608,9 @@ asmlinkage void __init start_kernel(void) |
4070 |
+@@ -617,6 +619,9 @@ asmlinkage void __init start_kernel(void) |
4071 |
key_init(); |
4072 |
security_init(); |
4073 |
dbg_late_init(); |
4074 |
@@ -23095,7 +22998,7 @@ index 7385de2..84c9e1b 100644 |
4075 |
msq->q_qnum--; |
4076 |
msq->q_rtime = get_seconds(); |
4077 |
diff --git a/ipc/sem.c b/ipc/sem.c |
4078 |
-index e68a8f5..c3a2636 100644 |
4079 |
+index c8e00f8..730685c 100644 |
4080 |
--- a/ipc/sem.c |
4081 |
+++ b/ipc/sem.c |
4082 |
@@ -89,6 +89,7 @@ |
4083 |
@@ -23165,7 +23068,7 @@ index e68a8f5..c3a2636 100644 |
4084 |
return sma->sem_perm.id; |
4085 |
} |
4086 |
|
4087 |
-@@ -854,6 +893,12 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4088 |
+@@ -848,6 +887,12 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4089 |
int nsems; |
4090 |
struct list_head tasks; |
4091 |
|
4092 |
@@ -23178,7 +23081,7 @@ index e68a8f5..c3a2636 100644 |
4093 |
sma = sem_lock_check(ns, semid); |
4094 |
if (IS_ERR(sma)) |
4095 |
return PTR_ERR(sma); |
4096 |
-@@ -894,12 +939,49 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4097 |
+@@ -888,12 +933,50 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4098 |
} |
4099 |
} |
4100 |
|
4101 |
@@ -23194,8 +23097,9 @@ index e68a8f5..c3a2636 100644 |
4102 |
+ A_none, |
4103 |
+ rsbac_attribute_value)) |
4104 |
+ { |
4105 |
++ sem_unlock(sma); |
4106 |
+ err = -EPERM; |
4107 |
-+ goto out_unlock; |
4108 |
++ goto out_free; |
4109 |
+ } |
4110 |
+#endif |
4111 |
+ |
4112 |
@@ -23228,7 +23132,7 @@ index e68a8f5..c3a2636 100644 |
4113 |
goto out_free; |
4114 |
} |
4115 |
case SETALL: |
4116 |
-@@ -923,6 +1005,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4117 |
+@@ -917,6 +1000,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4118 |
goto out_free; |
4119 |
} |
4120 |
|
4121 |
@@ -23252,7 +23156,7 @@ index e68a8f5..c3a2636 100644 |
4122 |
for (i = 0; i < nsems; i++) { |
4123 |
if (sem_io[i] > SEMVMX) { |
4124 |
sem_putref(sma); |
4125 |
-@@ -946,6 +1045,24 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4126 |
+@@ -940,6 +1040,24 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4127 |
un->semadj[i] = 0; |
4128 |
} |
4129 |
sma->sem_ctime = get_seconds(); |
4130 |
@@ -23277,7 +23181,7 @@ index e68a8f5..c3a2636 100644 |
4131 |
/* maybe some queued-up processes were waiting for this */ |
4132 |
do_smart_update(sma, NULL, 0, 0, &tasks); |
4133 |
err = 0; |
4134 |
-@@ -981,6 +1098,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4135 |
+@@ -975,6 +1093,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, |
4136 |
if (val > SEMVMX || val < 0) |
4137 |
goto out_unlock; |
4138 |
|
4139 |
@@ -23301,7 +23205,7 @@ index e68a8f5..c3a2636 100644 |
4140 |
assert_spin_locked(&sma->sem_perm.lock); |
4141 |
list_for_each_entry(un, &sma->list_id, list_id) |
4142 |
un->semadj[semnum] = 0; |
4143 |
-@@ -1043,6 +1177,12 @@ static int semctl_down(struct ipc_namespace *ns, int semid, |
4144 |
+@@ -1037,6 +1172,12 @@ static int semctl_down(struct ipc_namespace *ns, int semid, |
4145 |
struct semid64_ds semid64; |
4146 |
struct kern_ipc_perm *ipcp; |
4147 |
|
4148 |
@@ -23314,7 +23218,7 @@ index e68a8f5..c3a2636 100644 |
4149 |
if(cmd == IPC_SET) { |
4150 |
if (copy_semid_from_user(&semid64, arg.buf, version)) |
4151 |
return -EFAULT; |
4152 |
-@@ -1061,9 +1201,90 @@ static int semctl_down(struct ipc_namespace *ns, int semid, |
4153 |
+@@ -1055,9 +1196,90 @@ static int semctl_down(struct ipc_namespace *ns, int semid, |
4154 |
|
4155 |
switch(cmd){ |
4156 |
case IPC_RMID: |
4157 |
@@ -23405,16 +23309,8 @@ index e68a8f5..c3a2636 100644 |
4158 |
ipc_update_perm(&semid64.sem_perm, ipcp); |
4159 |
sma->sem_ctime = get_seconds(); |
4160 |
break; |
4161 |
-@@ -1475,7 +1696,6 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, |
4162 |
- * If queue.status != -EINTR we are woken up by another process. |
4163 |
- * Leave without unlink_queue(), but with sem_unlock(). |
4164 |
- */ |
4165 |
-- |
4166 |
- if (error != -EINTR) { |
4167 |
- goto out_unlock_free; |
4168 |
- } |
4169 |
diff --git a/ipc/shm.c b/ipc/shm.c |
4170 |
-index ab3385a..e157eab 100644 |
4171 |
+index 02ecf2c..b784fb9 100644 |
4172 |
--- a/ipc/shm.c |
4173 |
+++ b/ipc/shm.c |
4174 |
@@ -44,6 +44,8 @@ |
4175 |
@@ -23426,7 +23322,7 @@ index ab3385a..e157eab 100644 |
4176 |
struct shm_file_data { |
4177 |
int id; |
4178 |
struct ipc_namespace *ns; |
4179 |
-@@ -84,6 +86,11 @@ void shm_init_ns(struct ipc_namespace *ns) |
4180 |
+@@ -85,6 +87,11 @@ void shm_init_ns(struct ipc_namespace *ns) |
4181 |
*/ |
4182 |
static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) |
4183 |
{ |
4184 |
@@ -23438,7 +23334,7 @@ index ab3385a..e157eab 100644 |
4185 |
struct shmid_kernel *shp; |
4186 |
shp = container_of(ipcp, struct shmid_kernel, shm_perm); |
4187 |
|
4188 |
-@@ -92,8 +99,25 @@ static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) |
4189 |
+@@ -93,8 +100,25 @@ static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) |
4190 |
/* Do not find it any more */ |
4191 |
shp->shm_perm.key = IPC_PRIVATE; |
4192 |
shm_unlock(shp); |
4193 |
@@ -23465,7 +23361,7 @@ index ab3385a..e157eab 100644 |
4194 |
} |
4195 |
|
4196 |
#ifdef CONFIG_IPC_NS |
4197 |
-@@ -173,6 +197,10 @@ static void shm_open(struct vm_area_struct *vma) |
4198 |
+@@ -187,6 +211,10 @@ static void shm_open(struct vm_area_struct *vma) |
4199 |
*/ |
4200 |
static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) |
4201 |
{ |
4202 |
@@ -23476,7 +23372,7 @@ index ab3385a..e157eab 100644 |
4203 |
ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT; |
4204 |
shm_rmid(ns, shp); |
4205 |
shm_unlock(shp); |
4206 |
-@@ -183,6 +211,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) |
4207 |
+@@ -197,6 +225,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) |
4208 |
shp->mlock_user); |
4209 |
fput (shp->shm_file); |
4210 |
security_shm_free(shp); |
4211 |
@@ -23491,7 +23387,7 @@ index ab3385a..e157eab 100644 |
4212 |
ipc_rcu_putref(shp); |
4213 |
} |
4214 |
|
4215 |
-@@ -199,6 +235,28 @@ static void shm_close(struct vm_area_struct *vma) |
4216 |
+@@ -230,6 +266,28 @@ static void shm_close(struct vm_area_struct *vma) |
4217 |
struct shmid_kernel *shp; |
4218 |
struct ipc_namespace *ns = sfd->ns; |
4219 |
|
4220 |
@@ -23520,7 +23416,7 @@ index ab3385a..e157eab 100644 |
4221 |
down_write(&shm_ids(ns).rw_mutex); |
4222 |
/* remove from the list of attaches of the shm segment */ |
4223 |
shp = shm_lock(ns, sfd->id); |
4224 |
-@@ -349,6 +407,12 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4225 |
+@@ -456,6 +514,12 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4226 |
int id; |
4227 |
vm_flags_t acctflag = 0; |
4228 |
|
4229 |
@@ -23533,7 +23429,7 @@ index ab3385a..e157eab 100644 |
4230 |
if (size < SHMMIN || size > ns->shm_ctlmax) |
4231 |
return -EINVAL; |
4232 |
|
4233 |
-@@ -359,6 +423,23 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4234 |
+@@ -466,6 +530,23 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4235 |
if (!shp) |
4236 |
return -ENOMEM; |
4237 |
|
4238 |
@@ -23557,7 +23453,7 @@ index ab3385a..e157eab 100644 |
4239 |
shp->shm_perm.key = key; |
4240 |
shp->shm_perm.mode = (shmflg & S_IRWXUGO); |
4241 |
shp->mlock_user = NULL; |
4242 |
-@@ -413,6 +494,23 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4243 |
+@@ -521,6 +602,23 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
4244 |
ns->shm_tot += numpages; |
4245 |
error = shp->shm_perm.id; |
4246 |
shm_unlock(shp); |
4247 |
@@ -23581,7 +23477,7 @@ index ab3385a..e157eab 100644 |
4248 |
return error; |
4249 |
|
4250 |
no_id: |
4251 |
-@@ -657,6 +755,11 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) |
4252 |
+@@ -765,6 +863,11 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) |
4253 |
int err, version; |
4254 |
struct ipc_namespace *ns; |
4255 |
|
4256 |
@@ -23593,7 +23489,7 @@ index ab3385a..e157eab 100644 |
4257 |
if (cmd < 0 || shmid < 0) { |
4258 |
err = -EINVAL; |
4259 |
goto out; |
4260 |
-@@ -806,7 +909,41 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) |
4261 |
+@@ -914,7 +1017,41 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) |
4262 |
goto out; |
4263 |
} |
4264 |
case IPC_RMID: |
4265 |
@@ -23610,7 +23506,7 @@ index ab3385a..e157eab 100644 |
4266 |
+ A_none, |
4267 |
+ rsbac_attribute_value)) { |
4268 |
+ err = -EPERM; |
4269 |
-+ goto out_unlock; |
4270 |
++ goto out; |
4271 |
+ } |
4272 |
+#endif |
4273 |
+ |
4274 |
@@ -23628,14 +23524,14 @@ index ab3385a..e157eab 100644 |
4275 |
+ A_none, |
4276 |
+ rsbac_attribute_value)) { |
4277 |
+ err = -EPERM; |
4278 |
-+ goto out_unlock; |
4279 |
++ goto out; |
4280 |
+ } |
4281 |
+#endif |
4282 |
+ |
4283 |
err = shmctl_down(ns, shmid, cmd, buf, version); |
4284 |
return err; |
4285 |
default: |
4286 |
-@@ -842,6 +979,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) |
4287 |
+@@ -950,6 +1087,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) |
4288 |
struct path path; |
4289 |
fmode_t f_mode; |
4290 |
|
4291 |
@@ -23649,7 +23545,7 @@ index ab3385a..e157eab 100644 |
4292 |
err = -EINVAL; |
4293 |
if (shmid < 0) |
4294 |
goto out; |
4295 |
-@@ -896,6 +1040,26 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) |
4296 |
+@@ -1004,6 +1148,26 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) |
4297 |
if (err) |
4298 |
goto out_unlock; |
4299 |
|
4300 |
@@ -23676,7 +23572,7 @@ index ab3385a..e157eab 100644 |
4301 |
path = shp->shm_file->f_path; |
4302 |
path_get(&path); |
4303 |
shp->shm_nattch++; |
4304 |
-@@ -958,6 +1122,26 @@ out_nattch: |
4305 |
+@@ -1065,6 +1229,26 @@ out_nattch: |
4306 |
up_write(&shm_ids(ns).rw_mutex); |
4307 |
|
4308 |
out: |
4309 |
@@ -23843,7 +23739,7 @@ index 283c529..4744298 100644 |
4310 |
} |
4311 |
EXPORT_SYMBOL(ns_capable); |
4312 |
diff --git a/kernel/exit.c b/kernel/exit.c |
4313 |
-index f2b321b..0cd2461 100644 |
4314 |
+index 2913b35..014688b 100644 |
4315 |
--- a/kernel/exit.c |
4316 |
+++ b/kernel/exit.c |
4317 |
@@ -57,6 +57,8 @@ |
4318 |
@@ -23855,7 +23751,7 @@ index f2b321b..0cd2461 100644 |
4319 |
static void exit_mm(struct task_struct * tsk); |
4320 |
|
4321 |
static void __unhash_process(struct task_struct *p, bool group_dead) |
4322 |
-@@ -904,6 +906,11 @@ NORET_TYPE void do_exit(long code) |
4323 |
+@@ -895,6 +897,11 @@ NORET_TYPE void do_exit(long code) |
4324 |
struct task_struct *tsk = current; |
4325 |
int group_dead; |
4326 |
|
4327 |
@@ -23866,9 +23762,9 @@ index f2b321b..0cd2461 100644 |
4328 |
+ |
4329 |
profile_task_exit(tsk); |
4330 |
|
4331 |
- WARN_ON(atomic_read(&tsk->fs_excl)); |
4332 |
-@@ -992,6 +999,23 @@ NORET_TYPE void do_exit(long code) |
4333 |
- exit_sem(tsk); |
4334 |
+ WARN_ON(blk_needs_flush_plug(tsk)); |
4335 |
+@@ -983,6 +990,23 @@ NORET_TYPE void do_exit(long code) |
4336 |
+ exit_shm(tsk); |
4337 |
exit_files(tsk); |
4338 |
exit_fs(tsk); |
4339 |
+ |
4340 |
@@ -23892,10 +23788,10 @@ index f2b321b..0cd2461 100644 |
4341 |
exit_thread(); |
4342 |
|
4343 |
diff --git a/kernel/fork.c b/kernel/fork.c |
4344 |
-index 0276c30..6fd2ea3 100644 |
4345 |
+index 8e6b6f4..ecf9453 100644 |
4346 |
--- a/kernel/fork.c |
4347 |
+++ b/kernel/fork.c |
4348 |
-@@ -75,6 +75,8 @@ |
4349 |
+@@ -74,6 +74,8 @@ |
4350 |
#include <asm/cacheflush.h> |
4351 |
#include <asm/tlbflush.h> |
4352 |
|
4353 |
@@ -23904,7 +23800,7 @@ index 0276c30..6fd2ea3 100644 |
4354 |
#include <trace/events/sched.h> |
4355 |
|
4356 |
/* |
4357 |
-@@ -572,6 +574,27 @@ void mmput(struct mm_struct *mm) |
4358 |
+@@ -573,6 +575,27 @@ void mmput(struct mm_struct *mm) |
4359 |
} |
4360 |
EXPORT_SYMBOL_GPL(mmput); |
4361 |
|
4362 |
@@ -23932,7 +23828,7 @@ index 0276c30..6fd2ea3 100644 |
4363 |
/* |
4364 |
* We added or removed a vma mapping the executable. The vmas are only mapped |
4365 |
* during exec and are not mapped with the mmap system call. |
4366 |
-@@ -1454,7 +1477,12 @@ struct task_struct * __cpuinit fork_idle(int cpu) |
4367 |
+@@ -1468,7 +1491,12 @@ struct task_struct * __cpuinit fork_idle(int cpu) |
4368 |
* It copies the process, and if successful kick-starts |
4369 |
* it and waits for it to finish using the VM if required. |
4370 |
*/ |
4371 |
@@ -23945,7 +23841,7 @@ index 0276c30..6fd2ea3 100644 |
4372 |
unsigned long stack_start, |
4373 |
struct pt_regs *regs, |
4374 |
unsigned long stack_size, |
4375 |
-@@ -1465,6 +1493,31 @@ long do_fork(unsigned long clone_flags, |
4376 |
+@@ -1479,6 +1507,31 @@ long do_fork(unsigned long clone_flags, |
4377 |
int trace = 0; |
4378 |
long nr; |
4379 |
|
4380 |
@@ -23977,7 +23873,7 @@ index 0276c30..6fd2ea3 100644 |
4381 |
/* |
4382 |
* Do some preliminary argument and permissions checking before we |
4383 |
* actually start allocating stuff |
4384 |
-@@ -1518,6 +1571,33 @@ long do_fork(unsigned long clone_flags, |
4385 |
+@@ -1543,6 +1596,33 @@ long do_fork(unsigned long clone_flags, |
4386 |
*/ |
4387 |
p->flags &= ~PF_STARTING; |
4388 |
|
4389 |
@@ -24010,7 +23906,7 @@ index 0276c30..6fd2ea3 100644 |
4390 |
+ |
4391 |
wake_up_new_task(p); |
4392 |
|
4393 |
- tracehook_report_clone_complete(trace, regs, |
4394 |
+ /* forking complete and child started to run, tell ptracer */ |
4395 |
diff --git a/kernel/groups.c b/kernel/groups.c |
4396 |
index 1cc476d..f4c198f 100644 |
4397 |
--- a/kernel/groups.c |
4398 |
@@ -24105,7 +24001,7 @@ index 079f1d3..5279edbb 100644 |
4399 |
if (!iter) |
4400 |
return -ENOMEM; |
4401 |
diff --git a/kernel/kexec.c b/kernel/kexec.c |
4402 |
-index 8d814cb..cea8bf6 100644 |
4403 |
+index 296fbc8..973a1ce 100644 |
4404 |
--- a/kernel/kexec.c |
4405 |
+++ b/kernel/kexec.c |
4406 |
@@ -41,6 +41,8 @@ |
4407 |
@@ -24149,7 +24045,7 @@ index 8d814cb..cea8bf6 100644 |
4408 |
* Verify we have a legal set of flags |
4409 |
* This leaves us room for future extensions. |
4410 |
diff --git a/kernel/module.c b/kernel/module.c |
4411 |
-index 795bdc7..57a8e56 100644 |
4412 |
+index 04379f92..0293ae0 100644 |
4413 |
--- a/kernel/module.c |
4414 |
+++ b/kernel/module.c |
4415 |
@@ -59,6 +59,8 @@ |
4416 |
@@ -24173,7 +24069,7 @@ index 795bdc7..57a8e56 100644 |
4417 |
if (!capable(CAP_SYS_MODULE) || modules_disabled) |
4418 |
return -EPERM; |
4419 |
|
4420 |
-@@ -787,6 +794,18 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, |
4421 |
+@@ -787,6 +794,19 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, |
4422 |
|
4423 |
if (mutex_lock_interruptible(&module_mutex) != 0) |
4424 |
return -EINTR; |
4425 |
@@ -24187,12 +24083,13 @@ index 795bdc7..57a8e56 100644 |
4426 |
+ rsbac_target_id, |
4427 |
+ A_mod_name, |
4428 |
+ rsbac_attribute_value)) |
4429 |
-+ return -EPERM; |
4430 |
++ ret = -EPERM; |
4431 |
++ goto out; |
4432 |
+#endif |
4433 |
|
4434 |
mod = find_module(name); |
4435 |
if (!mod) { |
4436 |
-@@ -2886,10 +2905,28 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, |
4437 |
+@@ -2952,10 +2972,28 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, |
4438 |
struct module *mod; |
4439 |
int ret = 0; |
4440 |
|
4441 |
@@ -24222,7 +24119,7 @@ index 795bdc7..57a8e56 100644 |
4442 |
mod = load_module(umod, len, uargs); |
4443 |
if (IS_ERR(mod)) |
4444 |
diff --git a/kernel/printk.c b/kernel/printk.c |
4445 |
-index 084982f..744348b 100644 |
4446 |
+index 28a40d8..7f2f9c6 100644 |
4447 |
--- a/kernel/printk.c |
4448 |
+++ b/kernel/printk.c |
4449 |
@@ -44,6 +44,8 @@ |
4450 |
@@ -24234,7 +24131,7 @@ index 084982f..744348b 100644 |
4451 |
/* |
4452 |
* Architectures can override it: |
4453 |
*/ |
4454 |
-@@ -334,6 +336,11 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) |
4455 |
+@@ -336,6 +338,11 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) |
4456 |
char c; |
4457 |
int error; |
4458 |
|
4459 |
@@ -24246,7 +24143,7 @@ index 084982f..744348b 100644 |
4460 |
error = check_syslog_permissions(type, from_file); |
4461 |
if (error) |
4462 |
goto out; |
4463 |
-@@ -342,6 +349,46 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) |
4464 |
+@@ -344,6 +351,46 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) |
4465 |
if (error) |
4466 |
return error; |
4467 |
|
4468 |
@@ -24294,19 +24191,19 @@ index 084982f..744348b 100644 |
4469 |
case SYSLOG_ACTION_CLOSE: /* Close log */ |
4470 |
break; |
4471 |
diff --git a/kernel/ptrace.c b/kernel/ptrace.c |
4472 |
-index 2df1157..ee07125 100644 |
4473 |
+index a70d2a5..8b08f72 100644 |
4474 |
--- a/kernel/ptrace.c |
4475 |
+++ b/kernel/ptrace.c |
4476 |
-@@ -25,6 +25,8 @@ |
4477 |
- #include <linux/hw_breakpoint.h> |
4478 |
- |
4479 |
+@@ -32,6 +32,8 @@ static int ptrace_trapping_sleep_fn(void *flags) |
4480 |
+ return 0; |
4481 |
+ } |
4482 |
|
4483 |
+#include <rsbac/hooks.h> |
4484 |
+ |
4485 |
/* |
4486 |
* ptrace a task: make the debugger its new parent and |
4487 |
* move it to the ptrace list. |
4488 |
-@@ -273,10 +275,31 @@ static int ptrace_traceme(void) |
4489 |
+@@ -325,10 +327,32 @@ static int ptrace_traceme(void) |
4490 |
{ |
4491 |
int ret = -EPERM; |
4492 |
|
4493 |
@@ -24321,24 +24218,25 @@ index 2df1157..ee07125 100644 |
4494 |
ret = security_ptrace_traceme(current->parent); |
4495 |
+ |
4496 |
+#ifdef CONFIG_RSBAC |
4497 |
-+ rsbac_pr_debug(aef, "[sys_ptrace] calling ADF\n"); |
4498 |
-+ rsbac_target_id.process = task_pid(current); |
4499 |
-+ rsbac_attribute_value.trace_request = PTRACE_TRACEME; |
4500 |
-+ if (!rsbac_adf_request(R_TRACE, |
4501 |
-+ task_pid(current), |
4502 |
-+ T_PROCESS, |
4503 |
-+ rsbac_target_id, |
4504 |
-+ A_trace_request, |
4505 |
-+ rsbac_attribute_value)) |
4506 |
-+ { |
4507 |
-+ ret = -EPERM; |
4508 |
-+ } |
4509 |
++ if (!ret) { |
4510 |
++ rsbac_pr_debug(aef, "[sys_ptrace] calling ADF\n"); |
4511 |
++ rsbac_target_id.process = task_pid(current); |
4512 |
++ rsbac_attribute_value.trace_request = PTRACE_TRACEME; |
4513 |
++ if (!rsbac_adf_request(R_TRACE, |
4514 |
++ task_pid(current), |
4515 |
++ T_PROCESS, |
4516 |
++ rsbac_target_id, |
4517 |
++ A_trace_request, |
4518 |
++ rsbac_attribute_value)) { |
4519 |
++ ret = -EPERM; |
4520 |
++ } |
4521 |
++ } |
4522 |
+#endif |
4523 |
+ |
4524 |
/* |
4525 |
* Check PF_EXITING to ensure ->real_parent has not passed |
4526 |
* exit_ptrace(). Otherwise we don't report the error but |
4527 |
-@@ -748,6 +771,11 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, |
4528 |
+@@ -858,6 +882,11 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, |
4529 |
struct task_struct *child; |
4530 |
long ret; |
4531 |
|
4532 |
@@ -24350,7 +24248,7 @@ index 2df1157..ee07125 100644 |
4533 |
if (request == PTRACE_TRACEME) { |
4534 |
ret = ptrace_traceme(); |
4535 |
if (!ret) |
4536 |
-@@ -755,6 +783,27 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, |
4537 |
+@@ -865,6 +894,27 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr, |
4538 |
goto out; |
4539 |
} |
4540 |
|
4541 |
@@ -24379,19 +24277,19 @@ index 2df1157..ee07125 100644 |
4542 |
if (IS_ERR(child)) { |
4543 |
ret = PTR_ERR(child); |
4544 |
diff --git a/kernel/sched.c b/kernel/sched.c |
4545 |
-index 063d7a4..eac68f1 100644 |
4546 |
+index b50b0f0..2b1c280 100644 |
4547 |
--- a/kernel/sched.c |
4548 |
+++ b/kernel/sched.c |
4549 |
-@@ -76,6 +76,8 @@ |
4550 |
- #include <asm/irq_regs.h> |
4551 |
- #include <asm/mutex.h> |
4552 |
+@@ -79,6 +79,8 @@ |
4553 |
+ #include <asm/paravirt.h> |
4554 |
+ #endif |
4555 |
|
4556 |
+#include <rsbac/hooks.h> |
4557 |
+ |
4558 |
#include "sched_cpupri.h" |
4559 |
#include "workqueue_sched.h" |
4560 |
#include "sched_autogroup.h" |
4561 |
-@@ -4936,6 +4938,10 @@ int can_nice(const struct task_struct *p, const int nice) |
4562 |
+@@ -4966,6 +4968,10 @@ int can_nice(const struct task_struct *p, const int nice) |
4563 |
SYSCALL_DEFINE1(nice, int, increment) |
4564 |
{ |
4565 |
long nice, retval; |
4566 |
@@ -24402,7 +24300,7 @@ index 063d7a4..eac68f1 100644 |
4567 |
|
4568 |
/* |
4569 |
* Setpriority might change our priority at the same moment. |
4570 |
-@@ -4956,6 +4962,23 @@ SYSCALL_DEFINE1(nice, int, increment) |
4571 |
+@@ -4986,6 +4992,23 @@ SYSCALL_DEFINE1(nice, int, increment) |
4572 |
if (increment < 0 && !can_nice(current, nice)) |
4573 |
return -EPERM; |
4574 |
|
4575 |
@@ -24426,7 +24324,7 @@ index 063d7a4..eac68f1 100644 |
4576 |
retval = security_task_setnice(current, nice); |
4577 |
if (retval) |
4578 |
return retval; |
4579 |
-@@ -5245,6 +5268,12 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param) |
4580 |
+@@ -5275,6 +5298,12 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param) |
4581 |
struct task_struct *p; |
4582 |
int retval; |
4583 |
|
4584 |
@@ -24439,7 +24337,7 @@ index 063d7a4..eac68f1 100644 |
4585 |
if (!param || pid < 0) |
4586 |
return -EINVAL; |
4587 |
if (copy_from_user(&lparam, param, sizeof(struct sched_param))) |
4588 |
-@@ -5253,8 +5282,31 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param) |
4589 |
+@@ -5283,8 +5312,31 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param) |
4590 |
rcu_read_lock(); |
4591 |
retval = -ESRCH; |
4592 |
p = find_process_by_pid(pid); |
4593 |
@@ -24472,7 +24370,7 @@ index 063d7a4..eac68f1 100644 |
4594 |
rcu_read_unlock(); |
4595 |
|
4596 |
return retval; |
4597 |
-@@ -5295,9 +5347,36 @@ SYSCALL_DEFINE1(sched_getscheduler, pid_t, pid) |
4598 |
+@@ -5325,9 +5377,36 @@ SYSCALL_DEFINE1(sched_getscheduler, pid_t, pid) |
4599 |
struct task_struct *p; |
4600 |
int retval; |
4601 |
|
4602 |
@@ -24509,7 +24407,7 @@ index 063d7a4..eac68f1 100644 |
4603 |
retval = -ESRCH; |
4604 |
rcu_read_lock(); |
4605 |
p = find_process_by_pid(pid); |
4606 |
-@@ -5322,9 +5401,36 @@ SYSCALL_DEFINE2(sched_getparam, pid_t, pid, struct sched_param __user *, param) |
4607 |
+@@ -5352,9 +5431,36 @@ SYSCALL_DEFINE2(sched_getparam, pid_t, pid, struct sched_param __user *, param) |
4608 |
struct task_struct *p; |
4609 |
int retval; |
4610 |
|
4611 |
@@ -24546,7 +24444,7 @@ index 063d7a4..eac68f1 100644 |
4612 |
rcu_read_lock(); |
4613 |
p = find_process_by_pid(pid); |
4614 |
retval = -ESRCH; |
4615 |
-@@ -5352,6 +5458,12 @@ out_unlock: |
4616 |
+@@ -5382,6 +5488,12 @@ out_unlock: |
4617 |
|
4618 |
long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) |
4619 |
{ |
4620 |
@@ -24559,7 +24457,7 @@ index 063d7a4..eac68f1 100644 |
4621 |
cpumask_var_t cpus_allowed, new_mask; |
4622 |
struct task_struct *p; |
4623 |
int retval; |
4624 |
-@@ -5386,6 +5498,28 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) |
4625 |
+@@ -5416,6 +5528,28 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) |
4626 |
if (retval) |
4627 |
goto out_unlock; |
4628 |
|
4629 |
@@ -24588,7 +24486,7 @@ index 063d7a4..eac68f1 100644 |
4630 |
cpuset_cpus_allowed(p, cpus_allowed); |
4631 |
cpumask_and(new_mask, in_mask, cpus_allowed); |
4632 |
again: |
4633 |
-@@ -5451,6 +5585,32 @@ long sched_getaffinity(pid_t pid, struct cpumask *mask) |
4634 |
+@@ -5481,6 +5615,32 @@ long sched_getaffinity(pid_t pid, struct cpumask *mask) |
4635 |
struct task_struct *p; |
4636 |
unsigned long flags; |
4637 |
int retval; |
4638 |
@@ -24621,7 +24519,7 @@ index 063d7a4..eac68f1 100644 |
4639 |
|
4640 |
get_online_cpus(); |
4641 |
rcu_read_lock(); |
4642 |
-@@ -5776,9 +5936,36 @@ SYSCALL_DEFINE2(sched_rr_get_interval, pid_t, pid, |
4643 |
+@@ -5806,9 +5966,36 @@ SYSCALL_DEFINE2(sched_rr_get_interval, pid_t, pid, |
4644 |
int retval; |
4645 |
struct timespec t; |
4646 |
|
4647 |
@@ -24659,7 +24557,7 @@ index 063d7a4..eac68f1 100644 |
4648 |
rcu_read_lock(); |
4649 |
p = find_process_by_pid(pid); |
4650 |
diff --git a/kernel/signal.c b/kernel/signal.c |
4651 |
-index 415d85d..1a34f05 100644 |
4652 |
+index 291c970..e621b09 100644 |
4653 |
--- a/kernel/signal.c |
4654 |
+++ b/kernel/signal.c |
4655 |
@@ -37,6 +37,8 @@ |
4656 |
@@ -24671,7 +24569,7 @@ index 415d85d..1a34f05 100644 |
4657 |
/* |
4658 |
* SLAB caches for signal bits. |
4659 |
*/ |
4660 |
-@@ -744,6 +746,11 @@ static int check_kill_permission(int sig, struct siginfo *info, |
4661 |
+@@ -789,6 +791,11 @@ static int check_kill_permission(int sig, struct siginfo *info, |
4662 |
struct pid *sid; |
4663 |
int error; |
4664 |
|
4665 |
@@ -24683,7 +24581,7 @@ index 415d85d..1a34f05 100644 |
4666 |
if (!valid_signal(sig)) |
4667 |
return -EINVAL; |
4668 |
|
4669 |
-@@ -770,6 +777,23 @@ static int check_kill_permission(int sig, struct siginfo *info, |
4670 |
+@@ -815,6 +822,23 @@ static int check_kill_permission(int sig, struct siginfo *info, |
4671 |
} |
4672 |
} |
4673 |
|
4674 |
@@ -24708,10 +24606,10 @@ index 415d85d..1a34f05 100644 |
4675 |
} |
4676 |
|
4677 |
diff --git a/kernel/sys.c b/kernel/sys.c |
4678 |
-index f88dadc..fa611da 100644 |
4679 |
+index 1dbbe69..791bbbc 100644 |
4680 |
--- a/kernel/sys.c |
4681 |
+++ b/kernel/sys.c |
4682 |
-@@ -54,6 +54,8 @@ |
4683 |
+@@ -53,6 +53,8 @@ |
4684 |
#include <asm/io.h> |
4685 |
#include <asm/unistd.h> |
4686 |
|
4687 |
@@ -24720,7 +24618,7 @@ index f88dadc..fa611da 100644 |
4688 |
#ifndef SET_UNALIGN_CTL |
4689 |
# define SET_UNALIGN_CTL(a,b) (-EINVAL) |
4690 |
#endif |
4691 |
-@@ -178,6 +180,12 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) |
4692 |
+@@ -177,6 +179,12 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) |
4693 |
int error = -EINVAL; |
4694 |
struct pid *pgrp; |
4695 |
|
4696 |
@@ -24733,7 +24631,7 @@ index f88dadc..fa611da 100644 |
4697 |
if (which > PRIO_USER || which < PRIO_PROCESS) |
4698 |
goto out; |
4699 |
|
4700 |
-@@ -188,6 +196,38 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) |
4701 |
+@@ -187,6 +195,39 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval) |
4702 |
if (niceval > 19) |
4703 |
niceval = 19; |
4704 |
|
4705 |
@@ -24763,7 +24661,8 @@ index f88dadc..fa611da 100644 |
4706 |
+ rsbac_attribute_value)) |
4707 |
+ { |
4708 |
+ rcu_read_unlock(); |
4709 |
-+ return -EPERM; |
4710 |
++ error = -EPERM; |
4711 |
++ goto out; |
4712 |
+ } |
4713 |
+ rcu_read_unlock(); |
4714 |
+ } |
4715 |
@@ -24772,7 +24671,7 @@ index f88dadc..fa611da 100644 |
4716 |
rcu_read_lock(); |
4717 |
read_lock(&tasklist_lock); |
4718 |
switch (which) { |
4719 |
-@@ -401,6 +441,11 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, |
4720 |
+@@ -431,6 +472,11 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, |
4721 |
char buffer[256]; |
4722 |
int ret = 0; |
4723 |
|
4724 |
@@ -24784,7 +24683,7 @@ index f88dadc..fa611da 100644 |
4725 |
/* We only trust the superuser with rebooting the system. */ |
4726 |
if (!capable(CAP_SYS_BOOT)) |
4727 |
return -EPERM; |
4728 |
-@@ -419,6 +464,21 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, |
4729 |
+@@ -449,6 +495,21 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, |
4730 |
if ((cmd == LINUX_REBOOT_CMD_POWER_OFF) && !pm_power_off) |
4731 |
cmd = LINUX_REBOOT_CMD_HALT; |
4732 |
|
4733 |
@@ -24806,7 +24705,7 @@ index f88dadc..fa611da 100644 |
4734 |
mutex_lock(&reboot_mutex); |
4735 |
switch (cmd) { |
4736 |
case LINUX_REBOOT_CMD_RESTART: |
4737 |
-@@ -524,18 +584,66 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) |
4738 |
+@@ -554,18 +615,66 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) |
4739 |
|
4740 |
retval = -EPERM; |
4741 |
if (rgid != (gid_t) -1) { |
4742 |
@@ -24875,7 +24774,7 @@ index f88dadc..fa611da 100644 |
4743 |
new->egid = egid; |
4744 |
else |
4745 |
goto error; |
4746 |
-@@ -564,16 +672,68 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) |
4747 |
+@@ -594,16 +703,68 @@ SYSCALL_DEFINE1(setgid, gid_t, gid) |
4748 |
struct cred *new; |
4749 |
int retval; |
4750 |
|
4751 |
@@ -24946,7 +24845,7 @@ index f88dadc..fa611da 100644 |
4752 |
else |
4753 |
goto error; |
4754 |
|
4755 |
-@@ -627,6 +787,12 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) |
4756 |
+@@ -664,6 +825,12 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) |
4757 |
struct cred *new; |
4758 |
int retval; |
4759 |
|
4760 |
@@ -24959,7 +24858,7 @@ index f88dadc..fa611da 100644 |
4761 |
new = prepare_creds(); |
4762 |
if (!new) |
4763 |
return -ENOMEM; |
4764 |
-@@ -660,11 +826,114 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) |
4765 |
+@@ -697,11 +864,106 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) |
4766 |
new->suid = new->euid; |
4767 |
new->fsuid = new->euid; |
4768 |
|
4769 |
@@ -25007,14 +24906,6 @@ index f88dadc..fa611da 100644 |
4770 |
+#endif |
4771 |
+#endif |
4772 |
+ |
4773 |
-+ if (ruid != (uid_t) -1) { |
4774 |
-+ new->uid = ruid; |
4775 |
-+ if (old->uid != ruid && |
4776 |
-+ old->euid != ruid && |
4777 |
-+ !capable(CAP_SETUID)) |
4778 |
-+ goto error; |
4779 |
-+ } |
4780 |
-+ |
4781 |
retval = security_task_fix_setuid(new, old, LSM_SETID_RE); |
4782 |
if (retval < 0) |
4783 |
goto error; |
4784 |
@@ -25075,7 +24966,7 @@ index f88dadc..fa611da 100644 |
4785 |
|
4786 |
error: |
4787 |
abort_creds(new); |
4788 |
-@@ -688,11 +957,55 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) |
4789 |
+@@ -725,11 +987,59 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) |
4790 |
struct cred *new; |
4791 |
int retval; |
4792 |
|
4793 |
@@ -25105,9 +24996,9 @@ index f88dadc..fa611da 100644 |
4794 |
+ T_PROCESS, |
4795 |
+ rsbac_target_id, |
4796 |
+ A_owner, |
4797 |
-+ rsbac_attribute_value)) |
4798 |
-+ { |
4799 |
-+ return -EPERM; |
4800 |
++ rsbac_attribute_value)) { |
4801 |
++ retval = -EPERM; |
4802 |
++ goto error; |
4803 |
+ } |
4804 |
+#ifdef CONFIG_RSBAC_DAC_OWNER |
4805 |
+ rsbac_pr_debug(aef, "calling ADF for euid\n"); |
4806 |
@@ -25116,22 +25007,26 @@ index f88dadc..fa611da 100644 |
4807 |
+ T_PROCESS, |
4808 |
+ rsbac_target_id, |
4809 |
+ A_owner, |
4810 |
-+ rsbac_attribute_value)) |
4811 |
-+ return -EPERM; |
4812 |
++ rsbac_attribute_value)) { |
4813 |
++ retval = -EPERM; |
4814 |
++ goto error; |
4815 |
++ } |
4816 |
+ rsbac_pr_debug(aef, "calling ADF for fsuid\n"); |
4817 |
+ if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER, |
4818 |
+ task_pid(current), |
4819 |
+ T_PROCESS, |
4820 |
+ rsbac_target_id, |
4821 |
+ A_owner, |
4822 |
-+ rsbac_attribute_value)) |
4823 |
-+ return -EPERM; |
4824 |
++ rsbac_attribute_value)) { |
4825 |
++ retval = -EPERM; |
4826 |
++ goto error; |
4827 |
++ } |
4828 |
+#endif |
4829 |
+#endif |
4830 |
retval = -EPERM; |
4831 |
if (nsown_capable(CAP_SETUID)) { |
4832 |
new->suid = new->uid = uid; |
4833 |
-@@ -711,7 +1024,53 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) |
4834 |
+@@ -748,7 +1058,53 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) |
4835 |
if (retval < 0) |
4836 |
goto error; |
4837 |
|
4838 |
@@ -25186,7 +25081,7 @@ index f88dadc..fa611da 100644 |
4839 |
|
4840 |
error: |
4841 |
abort_creds(new); |
4842 |
-@@ -729,6 +1088,12 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4843 |
+@@ -766,6 +1122,12 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4844 |
struct cred *new; |
4845 |
int retval; |
4846 |
|
4847 |
@@ -25199,7 +25094,7 @@ index f88dadc..fa611da 100644 |
4848 |
new = prepare_creds(); |
4849 |
if (!new) |
4850 |
return -ENOMEM; |
4851 |
-@@ -748,6 +1113,46 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4852 |
+@@ -785,6 +1147,51 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4853 |
goto error; |
4854 |
} |
4855 |
|
4856 |
@@ -25214,8 +25109,10 @@ index f88dadc..fa611da 100644 |
4857 |
+ T_PROCESS, |
4858 |
+ rsbac_target_id, |
4859 |
+ A_owner, |
4860 |
-+ rsbac_attribute_value)) |
4861 |
-+ return -EPERM; |
4862 |
++ rsbac_attribute_value)) { |
4863 |
++ retval = -EPERM; |
4864 |
++ goto error; |
4865 |
++ } |
4866 |
+ } |
4867 |
+#ifdef CONFIG_RSBAC_DAC_OWNER |
4868 |
+ if(euid != (uid_t) -1) { |
4869 |
@@ -25228,25 +25125,28 @@ index f88dadc..fa611da 100644 |
4870 |
+ T_PROCESS, |
4871 |
+ rsbac_target_id, |
4872 |
+ A_owner, |
4873 |
-+ rsbac_attribute_value)) |
4874 |
-+ return -EPERM; |
4875 |
++ rsbac_attribute_value)) { |
4876 |
++ retval = -EPERM; |
4877 |
++ goto error; |
4878 |
++ } |
4879 |
+ rsbac_pr_debug(aef, "calling ADF for fsuid\n"); |
4880 |
+ if(!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER, |
4881 |
+ task_pid(current), |
4882 |
+ T_PROCESS, |
4883 |
+ rsbac_target_id, |
4884 |
+ A_owner, |
4885 |
-+ rsbac_attribute_value)) |
4886 |
-+ return -EPERM; |
4887 |
++ rsbac_attribute_value)) { |
4888 |
++ retval = -EPERM; |
4889 |
++ goto error; |
4890 |
++ } |
4891 |
+ } |
4892 |
+#endif |
4893 |
+#endif |
4894 |
+ |
4895 |
-+ |
4896 |
if (ruid != (uid_t) -1) { |
4897 |
new->uid = ruid; |
4898 |
if (ruid != old->uid) { |
4899 |
-@@ -766,7 +1171,58 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4900 |
+@@ -803,7 +1210,58 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) |
4901 |
if (retval < 0) |
4902 |
goto error; |
4903 |
|
4904 |
@@ -25306,7 +25206,7 @@ index f88dadc..fa611da 100644 |
4905 |
|
4906 |
error: |
4907 |
abort_creds(new); |
4908 |
-@@ -794,6 +1250,11 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) |
4909 |
+@@ -831,6 +1289,11 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) |
4910 |
struct cred *new; |
4911 |
int retval; |
4912 |
|
4913 |
@@ -25318,7 +25218,7 @@ index f88dadc..fa611da 100644 |
4914 |
new = prepare_creds(); |
4915 |
if (!new) |
4916 |
return -ENOMEM; |
4917 |
-@@ -812,10 +1273,44 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) |
4918 |
+@@ -849,10 +1312,50 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) |
4919 |
goto error; |
4920 |
} |
4921 |
|
4922 |
@@ -25333,8 +25233,10 @@ index f88dadc..fa611da 100644 |
4923 |
+ T_PROCESS, |
4924 |
+ rsbac_target_id, |
4925 |
+ A_group, |
4926 |
-+ rsbac_attribute_value)) |
4927 |
-+ return -EPERM; |
4928 |
++ rsbac_attribute_value)) { |
4929 |
++ retval = -EPERM; |
4930 |
++ goto error; |
4931 |
++ } |
4932 |
+#endif |
4933 |
new->gid = rgid; |
4934 |
- if (egid != (gid_t) -1) |
4935 |
@@ -25350,22 +25252,26 @@ index f88dadc..fa611da 100644 |
4936 |
+ T_PROCESS, |
4937 |
+ rsbac_target_id, |
4938 |
+ A_group, |
4939 |
-+ rsbac_attribute_value)) |
4940 |
-+ return -EPERM; |
4941 |
++ rsbac_attribute_value)) { |
4942 |
++ retval = -EPERM; |
4943 |
++ goto error; |
4944 |
++ } |
4945 |
+ if (!rsbac_adf_request(R_CHANGE_DAC_FS_GROUP, |
4946 |
+ task_pid(current), |
4947 |
+ T_PROCESS, |
4948 |
+ rsbac_target_id, |
4949 |
+ A_group, |
4950 |
-+ rsbac_attribute_value)) |
4951 |
-+ return -EPERM; |
4952 |
++ rsbac_attribute_value)) { |
4953 |
++ retval = -EPERM; |
4954 |
++ goto error; |
4955 |
++ } |
4956 |
+#endif |
4957 |
new->egid = egid; |
4958 |
+ } |
4959 |
if (sgid != (gid_t) -1) |
4960 |
new->sgid = sgid; |
4961 |
new->fsgid = new->egid; |
4962 |
-@@ -852,12 +1347,30 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) |
4963 |
+@@ -889,12 +1392,32 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) |
4964 |
struct cred *new; |
4965 |
uid_t old_fsuid; |
4966 |
|
4967 |
@@ -25390,13 +25296,15 @@ index f88dadc..fa611da 100644 |
4968 |
+ T_PROCESS, |
4969 |
+ rsbac_target_id, |
4970 |
+ A_owner, |
4971 |
-+ rsbac_attribute_value)) |
4972 |
++ rsbac_attribute_value)) { |
4973 |
++ abort_creds(new); |
4974 |
+ return old_fsuid; |
4975 |
++ } |
4976 |
+#endif |
4977 |
if (uid == old->uid || uid == old->euid || |
4978 |
uid == old->suid || uid == old->fsuid || |
4979 |
nsown_capable(CAP_SETUID)) { |
4980 |
-@@ -873,6 +1386,25 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) |
4981 |
+@@ -910,6 +1433,25 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) |
4982 |
|
4983 |
change_okay: |
4984 |
commit_creds(new); |
4985 |
@@ -25422,7 +25330,7 @@ index f88dadc..fa611da 100644 |
4986 |
return old_fsuid; |
4987 |
} |
4988 |
|
4989 |
-@@ -885,12 +1417,29 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) |
4990 |
+@@ -922,12 +1464,31 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) |
4991 |
struct cred *new; |
4992 |
gid_t old_fsgid; |
4993 |
|
4994 |
@@ -25446,13 +25354,15 @@ index f88dadc..fa611da 100644 |
4995 |
+ T_PROCESS, |
4996 |
+ rsbac_target_id, |
4997 |
+ A_group, |
4998 |
-+ rsbac_attribute_value)) |
4999 |
++ rsbac_attribute_value)) { |
5000 |
++ abort_creds(new); |
5001 |
+ return old_fsgid; |
5002 |
++ } |
5003 |
+#endif |
5004 |
if (gid == old->gid || gid == old->egid || |
5005 |
gid == old->sgid || gid == old->fsgid || |
5006 |
nsown_capable(CAP_SETGID)) { |
5007 |
-@@ -955,6 +1504,11 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) |
5008 |
+@@ -992,6 +1553,11 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) |
5009 |
struct pid *pgrp; |
5010 |
int err; |
5011 |
|
5012 |
@@ -25464,13 +25374,12 @@ index f88dadc..fa611da 100644 |
5013 |
if (!pid) |
5014 |
pid = task_pid_vnr(group_leader); |
5015 |
if (!pgid) |
5016 |
-@@ -963,6 +1517,24 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) |
5017 |
+@@ -1000,6 +1566,21 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) |
5018 |
return -EINVAL; |
5019 |
rcu_read_lock(); |
5020 |
|
5021 |
+#ifdef CONFIG_RSBAC |
5022 |
+ rsbac_pr_debug(aef, "calling ADF\n"); |
5023 |
-+ rcu_read_lock(); |
5024 |
+ rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns); |
5025 |
+ rsbac_attribute_value.dummy = 0; |
5026 |
+ if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA, |
5027 |
@@ -25478,18 +25387,16 @@ index f88dadc..fa611da 100644 |
5028 |
+ T_PROCESS, |
5029 |
+ rsbac_target_id, |
5030 |
+ A_none, |
5031 |
-+ rsbac_attribute_value)) |
5032 |
-+ { |
5033 |
++ rsbac_attribute_value)) { |
5034 |
+ rcu_read_unlock(); |
5035 |
+ return -EPERM; |
5036 |
+ } |
5037 |
-+ rcu_read_unlock(); |
5038 |
+#endif |
5039 |
+ |
5040 |
/* From this point forward we keep holding onto the tasklist lock |
5041 |
* so that our parent does not change from under us. -DaveM |
5042 |
*/ |
5043 |
-@@ -1029,6 +1601,11 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid) |
5044 |
+@@ -1066,6 +1647,11 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid) |
5045 |
if (!pid) |
5046 |
grp = task_pgrp(current); |
5047 |
else { |
5048 |
@@ -25501,7 +25408,7 @@ index f88dadc..fa611da 100644 |
5049 |
retval = -ESRCH; |
5050 |
p = find_task_by_vpid(pid); |
5051 |
if (!p) |
5052 |
-@@ -1037,6 +1614,22 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid) |
5053 |
+@@ -1074,6 +1660,22 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid) |
5054 |
if (!grp) |
5055 |
goto out; |
5056 |
|
5057 |
@@ -25524,7 +25431,7 @@ index f88dadc..fa611da 100644 |
5058 |
retval = security_task_getpgid(p); |
5059 |
if (retval) |
5060 |
goto out; |
5061 |
-@@ -1066,6 +1659,11 @@ SYSCALL_DEFINE1(getsid, pid_t, pid) |
5062 |
+@@ -1103,6 +1705,11 @@ SYSCALL_DEFINE1(getsid, pid_t, pid) |
5063 |
if (!pid) |
5064 |
sid = task_session(current); |
5065 |
else { |
5066 |
@@ -25536,7 +25443,7 @@ index f88dadc..fa611da 100644 |
5067 |
retval = -ESRCH; |
5068 |
p = find_task_by_vpid(pid); |
5069 |
if (!p) |
5070 |
-@@ -1074,6 +1672,22 @@ SYSCALL_DEFINE1(getsid, pid_t, pid) |
5071 |
+@@ -1111,6 +1718,22 @@ SYSCALL_DEFINE1(getsid, pid_t, pid) |
5072 |
if (!sid) |
5073 |
goto out; |
5074 |
|
5075 |
@@ -25559,7 +25466,7 @@ index f88dadc..fa611da 100644 |
5076 |
retval = security_task_getsid(p); |
5077 |
if (retval) |
5078 |
goto out; |
5079 |
-@@ -1235,11 +1849,32 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len) |
5080 |
+@@ -1272,11 +1895,32 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len) |
5081 |
int errno; |
5082 |
char tmp[__NEW_UTS_LEN]; |
5083 |
|
5084 |
@@ -25592,7 +25499,7 @@ index f88dadc..fa611da 100644 |
5085 |
down_write(&uts_sem); |
5086 |
errno = -EFAULT; |
5087 |
if (!copy_from_user(tmp, name, len)) { |
5088 |
-@@ -1285,11 +1920,31 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len) |
5089 |
+@@ -1322,11 +1966,31 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len) |
5090 |
int errno; |
5091 |
char tmp[__NEW_UTS_LEN]; |
5092 |
|
5093 |
@@ -25624,7 +25531,7 @@ index f88dadc..fa611da 100644 |
5094 |
down_write(&uts_sem); |
5095 |
errno = -EFAULT; |
5096 |
if (!copy_from_user(tmp, name, len)) { |
5097 |
-@@ -1380,6 +2035,12 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5098 |
+@@ -1417,6 +2081,12 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5099 |
struct rlimit *rlim; |
5100 |
int retval = 0; |
5101 |
|
5102 |
@@ -25637,7 +25544,7 @@ index f88dadc..fa611da 100644 |
5103 |
if (resource >= RLIM_NLIMITS) |
5104 |
return -EINVAL; |
5105 |
if (new_rlim) { |
5106 |
-@@ -1405,6 +2066,25 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5107 |
+@@ -1442,6 +2112,23 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5108 |
if (new_rlim->rlim_max > rlim->rlim_max && |
5109 |
!capable(CAP_SYS_RESOURCE)) |
5110 |
retval = -EPERM; |
5111 |
@@ -25654,16 +25561,14 @@ index f88dadc..fa611da 100644 |
5112 |
+ rsbac_target_id, |
5113 |
+ A_rlimit, |
5114 |
+ rsbac_attribute_value)) |
5115 |
-+ { |
5116 |
-+ return -EPERM; |
5117 |
-+ } |
5118 |
++ retval = -EPERM; |
5119 |
+ } |
5120 |
+#endif |
5121 |
+ |
5122 |
if (!retval) |
5123 |
retval = security_task_setrlimit(tsk->group_leader, |
5124 |
resource, new_rlim); |
5125 |
-@@ -1426,6 +2106,22 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5126 |
+@@ -1463,6 +2150,22 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, |
5127 |
} |
5128 |
task_unlock(tsk->group_leader); |
5129 |
|
5130 |
@@ -25687,7 +25592,7 @@ index f88dadc..fa611da 100644 |
5131 |
* RLIMIT_CPU handling. Note that the kernel fails to return an error |
5132 |
* code if it rejected the user's attempt to set RLIMIT_CPU. This is a |
5133 |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c |
5134 |
-index f175d98..ca6cc38 100644 |
5135 |
+index 11d65b5..ef6fe69 100644 |
5136 |
--- a/kernel/sysctl.c |
5137 |
+++ b/kernel/sysctl.c |
5138 |
@@ -61,6 +61,8 @@ |
5139 |
@@ -25699,7 +25604,7 @@ index f175d98..ca6cc38 100644 |
5140 |
#ifdef CONFIG_X86 |
5141 |
#include <asm/nmi.h> |
5142 |
#include <asm/stacktrace.h> |
5143 |
-@@ -1715,11 +1717,33 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
5144 |
+@@ -1710,11 +1712,33 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) |
5145 |
{ |
5146 |
int mode; |
5147 |
|
5148 |
@@ -25734,7 +25639,7 @@ index f175d98..ca6cc38 100644 |
5149 |
} |
5150 |
|
5151 |
diff --git a/kernel/time.c b/kernel/time.c |
5152 |
-index 8e8dc6d..6d8e6b2 100644 |
5153 |
+index d776062..70beee5 100644 |
5154 |
--- a/kernel/time.c |
5155 |
+++ b/kernel/time.c |
5156 |
@@ -41,6 +41,8 @@ |
5157 |
@@ -26043,7 +25948,7 @@ index 048260c..cc6be1b 100644 |
5158 |
|
5159 |
down_write(¤t->mm->mmap_sem); |
5160 |
diff --git a/mm/mmap.c b/mm/mmap.c |
5161 |
-index d49736f..e0e23ac 100644 |
5162 |
+index a65efd4..18b038e 100644 |
5163 |
--- a/mm/mmap.c |
5164 |
+++ b/mm/mmap.c |
5165 |
@@ -34,6 +34,7 @@ |
5166 |
@@ -26054,7 +25959,7 @@ index d49736f..e0e23ac 100644 |
5167 |
#include <asm/mmu_context.h> |
5168 |
|
5169 |
#include "internal.h" |
5170 |
-@@ -957,6 +958,12 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, |
5171 |
+@@ -949,6 +950,12 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, |
5172 |
int error; |
5173 |
unsigned long reqprot = prot; |
5174 |
|
5175 |
@@ -26067,7 +25972,7 @@ index d49736f..e0e23ac 100644 |
5176 |
/* |
5177 |
* Does the application expect PROT_READ to imply PROT_EXEC? |
5178 |
* |
5179 |
-@@ -1081,6 +1088,33 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, |
5180 |
+@@ -1073,6 +1080,33 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr, |
5181 |
if (error) |
5182 |
return error; |
5183 |
|
5184 |
@@ -26193,7 +26098,7 @@ index 5a688a2..30b739d 100644 |
5185 |
return error; |
5186 |
} |
5187 |
diff --git a/mm/swapfile.c b/mm/swapfile.c |
5188 |
-index ff8dc1a..7d76e2a 100644 |
5189 |
+index 17bc224..a62363e 100644 |
5190 |
--- a/mm/swapfile.c |
5191 |
+++ b/mm/swapfile.c |
5192 |
@@ -36,6 +36,7 @@ |
5193 |
@@ -26272,7 +26177,7 @@ index ff8dc1a..7d76e2a 100644 |
5194 |
mapping = victim->f_mapping; |
5195 |
prev = -1; |
5196 |
spin_lock(&swap_lock); |
5197 |
-@@ -2031,9 +2083,28 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) |
5198 |
+@@ -2022,9 +2074,28 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) |
5199 |
struct page *page = NULL; |
5200 |
struct inode *inode = NULL; |
5201 |
|
5202 |
@@ -26301,7 +26206,7 @@ index ff8dc1a..7d76e2a 100644 |
5203 |
p = alloc_swap_info(); |
5204 |
if (IS_ERR(p)) |
5205 |
return PTR_ERR(p); |
5206 |
-@@ -2066,6 +2137,45 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) |
5207 |
+@@ -2057,6 +2128,45 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) |
5208 |
} |
5209 |
|
5210 |
inode = mapping->host; |
5211 |
@@ -26348,7 +26253,7 @@ index ff8dc1a..7d76e2a 100644 |
5212 |
error = claim_swapfile(p, inode); |
5213 |
if (unlikely(error)) |
5214 |
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c |
5215 |
-index 6f156c1..cd588d6 100644 |
5216 |
+index 1d420f6..173d67e 100644 |
5217 |
--- a/net/bridge/br_if.c |
5218 |
+++ b/net/bridge/br_if.c |
5219 |
@@ -23,6 +23,8 @@ |
5220 |
@@ -26360,7 +26265,7 @@ index 6f156c1..cd588d6 100644 |
5221 |
#include "br_private.h" |
5222 |
|
5223 |
/* |
5224 |
-@@ -322,6 +324,11 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) |
5225 |
+@@ -323,6 +325,11 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) |
5226 |
int err = 0; |
5227 |
bool changed_addr; |
5228 |
|
5229 |
@@ -26372,7 +26277,7 @@ index 6f156c1..cd588d6 100644 |
5230 |
/* Don't allow bridging non-ethernet like devices */ |
5231 |
if ((dev->flags & IFF_LOOPBACK) || |
5232 |
dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN) |
5233 |
-@@ -335,6 +342,34 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) |
5234 |
+@@ -336,6 +343,34 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) |
5235 |
if (br_port_exists(dev)) |
5236 |
return -EBUSY; |
5237 |
|
5238 |
@@ -26407,9 +26312,9 @@ index 6f156c1..cd588d6 100644 |
5239 |
/* No bridging devices that dislike that (e.g. wireless) */ |
5240 |
if (dev->priv_flags & IFF_DONT_BRIDGE) |
5241 |
return -EOPNOTSUPP; |
5242 |
-@@ -422,10 +457,45 @@ int br_del_if(struct net_bridge *br, struct net_device *dev) |
5243 |
- { |
5244 |
+@@ -424,10 +459,45 @@ int br_del_if(struct net_bridge *br, struct net_device *dev) |
5245 |
struct net_bridge_port *p; |
5246 |
+ bool changed_addr; |
5247 |
|
5248 |
+#ifdef CONFIG_RSBAC_NET |
5249 |
+ union rsbac_target_id_t rsbac_target_id; |
5250 |
@@ -26454,7 +26359,7 @@ index 6f156c1..cd588d6 100644 |
5251 |
|
5252 |
spin_lock_bh(&br->lock); |
5253 |
diff --git a/net/core/dev.c b/net/core/dev.c |
5254 |
-index 9c58c1e..5f6d626 100644 |
5255 |
+index ae5cf2d..3dbe64e 100644 |
5256 |
--- a/net/core/dev.c |
5257 |
+++ b/net/core/dev.c |
5258 |
@@ -134,6 +134,8 @@ |
5259 |
@@ -26466,7 +26371,7 @@ index 9c58c1e..5f6d626 100644 |
5260 |
#include "net-sysfs.h" |
5261 |
|
5262 |
/* Instead of increasing this, you should create a hash table. */ |
5263 |
-@@ -4926,6 +4928,11 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5264 |
+@@ -4944,6 +4946,11 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5265 |
int ret; |
5266 |
char *colon; |
5267 |
|
5268 |
@@ -26478,7 +26383,7 @@ index 9c58c1e..5f6d626 100644 |
5269 |
/* One special case: SIOCGIFCONF takes ifconf argument |
5270 |
and requires shared lock, because it sleeps writing |
5271 |
to user space. |
5272 |
-@@ -4945,10 +4952,20 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5273 |
+@@ -4963,10 +4970,20 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5274 |
|
5275 |
ifr.ifr_name[IFNAMSIZ-1] = 0; |
5276 |
|
5277 |
@@ -26499,7 +26404,7 @@ index 9c58c1e..5f6d626 100644 |
5278 |
/* |
5279 |
* See which interface the caller is talking about. |
5280 |
*/ |
5281 |
-@@ -4968,6 +4985,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5282 |
+@@ -4986,6 +5003,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5283 |
case SIOCGIFMAP: |
5284 |
case SIOCGIFINDEX: |
5285 |
case SIOCGIFTXQLEN: |
5286 |
@@ -26521,7 +26426,7 @@ index 9c58c1e..5f6d626 100644 |
5287 |
dev_load(net, ifr.ifr_name); |
5288 |
rcu_read_lock(); |
5289 |
ret = dev_ifsioc_locked(net, &ifr, cmd); |
5290 |
-@@ -5045,6 +5077,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5291 |
+@@ -5063,6 +5095,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5292 |
case SIOCSHWTSTAMP: |
5293 |
if (!capable(CAP_NET_ADMIN)) |
5294 |
return -EPERM; |
5295 |
@@ -26543,7 +26448,7 @@ index 9c58c1e..5f6d626 100644 |
5296 |
/* fall through */ |
5297 |
case SIOCBONDSLAVEINFOQUERY: |
5298 |
case SIOCBONDINFOQUERY: |
5299 |
-@@ -5070,6 +5117,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5300 |
+@@ -5088,6 +5135,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5301 |
if (cmd == SIOCWANDEV || |
5302 |
(cmd >= SIOCDEVPRIVATE && |
5303 |
cmd <= SIOCDEVPRIVATE + 15)) { |
5304 |
@@ -26566,7 +26471,7 @@ index 9c58c1e..5f6d626 100644 |
5305 |
rtnl_lock(); |
5306 |
ret = dev_ifsioc(net, &ifr, cmd); |
5307 |
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c |
5308 |
-index f39ef5c..85d66cc 100644 |
5309 |
+index 27071ee..fe0cb26 100644 |
5310 |
--- a/net/core/fib_rules.c |
5311 |
+++ b/net/core/fib_rules.c |
5312 |
@@ -15,6 +15,7 @@ |
5313 |
@@ -26645,7 +26550,7 @@ index f39ef5c..85d66cc 100644 |
5314 |
list_for_each_entry(rule, &ops->rules_list, list) { |
5315 |
if (frh->action && (frh->action != rule->action)) |
5316 |
continue; |
5317 |
-@@ -530,6 +571,25 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule, |
5318 |
+@@ -533,6 +574,25 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule, |
5319 |
{ |
5320 |
struct nlmsghdr *nlh; |
5321 |
struct fib_rule_hdr *frh; |
5322 |
@@ -26672,10 +26577,10 @@ index f39ef5c..85d66cc 100644 |
5323 |
nlh = nlmsg_put(skb, pid, seq, type, sizeof(*frh), flags); |
5324 |
if (nlh == NULL) |
5325 |
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c |
5326 |
-index 1b74d3b..56ed72a 100644 |
5327 |
+index 96a164a..e339b59 100644 |
5328 |
--- a/net/ipv4/arp.c |
5329 |
+++ b/net/ipv4/arp.c |
5330 |
-@@ -124,6 +124,8 @@ EXPORT_SYMBOL(clip_tbl_hook); |
5331 |
+@@ -123,6 +123,8 @@ EXPORT_SYMBOL(clip_tbl_hook); |
5332 |
|
5333 |
#include <linux/netfilter_arp.h> |
5334 |
|
5335 |
@@ -26684,7 +26589,7 @@ index 1b74d3b..56ed72a 100644 |
5336 |
/* |
5337 |
* Interface to generic neighbour cache. |
5338 |
*/ |
5339 |
-@@ -1205,15 +1207,32 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5340 |
+@@ -1172,15 +1174,32 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5341 |
struct arpreq r; |
5342 |
struct net_device *dev = NULL; |
5343 |
|
5344 |
@@ -26717,7 +26622,7 @@ index 1b74d3b..56ed72a 100644 |
5345 |
break; |
5346 |
default: |
5347 |
return -EINVAL; |
5348 |
-@@ -1241,6 +1260,24 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5349 |
+@@ -1208,6 +1227,24 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5350 |
err = -EINVAL; |
5351 |
if ((r.arp_flags & ATF_COM) && r.arp_ha.sa_family != dev->type) |
5352 |
goto out; |
5353 |
@@ -26743,7 +26648,7 @@ index 1b74d3b..56ed72a 100644 |
5354 |
err = -ENODEV; |
5355 |
goto out; |
5356 |
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c |
5357 |
-index 4155abc..a703e15 100644 |
5358 |
+index bc19bd0..3722291 100644 |
5359 |
--- a/net/ipv4/devinet.c |
5360 |
+++ b/net/ipv4/devinet.c |
5361 |
@@ -66,6 +66,8 @@ |
5362 |
@@ -26767,7 +26672,7 @@ index 4155abc..a703e15 100644 |
5363 |
ASSERT_RTNL(); |
5364 |
|
5365 |
err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); |
5366 |
-@@ -554,6 +561,38 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg |
5367 |
+@@ -554,6 +561,37 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg |
5368 |
goto errout; |
5369 |
} |
5370 |
|
5371 |
@@ -26797,7 +26702,6 @@ index 4155abc..a703e15 100644 |
5372 |
+ rsbac_target_id, |
5373 |
+ A_none, |
5374 |
+ rsbac_attribute_value)) { |
5375 |
-+ __in_dev_put(in_dev); |
5376 |
+ err = -EPERM; |
5377 |
+ goto errout; |
5378 |
+ } |
5379 |
@@ -26806,7 +26710,7 @@ index 4155abc..a703e15 100644 |
5380 |
for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL; |
5381 |
ifap = &ifa->ifa_next) { |
5382 |
if (tb[IFA_LOCAL] && |
5383 |
-@@ -586,6 +625,11 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh) |
5384 |
+@@ -586,6 +624,11 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh) |
5385 |
struct in_device *in_dev; |
5386 |
int err; |
5387 |
|
5388 |
@@ -26818,7 +26722,7 @@ index 4155abc..a703e15 100644 |
5389 |
err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); |
5390 |
if (err < 0) |
5391 |
goto errout; |
5392 |
-@@ -605,6 +649,37 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh) |
5393 |
+@@ -605,6 +648,37 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh) |
5394 |
if (in_dev == NULL) |
5395 |
goto errout; |
5396 |
|
5397 |
@@ -26856,7 +26760,7 @@ index 4155abc..a703e15 100644 |
5398 |
ifa = inet_alloc_ifa(); |
5399 |
if (ifa == NULL) |
5400 |
/* |
5401 |
-@@ -695,6 +770,12 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5402 |
+@@ -695,6 +769,12 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5403 |
int ret = -EFAULT; |
5404 |
int tryaddrmatch = 0; |
5405 |
|
5406 |
@@ -26869,7 +26773,7 @@ index 4155abc..a703e15 100644 |
5407 |
/* |
5408 |
* Fetch the caller's info block into kernel space |
5409 |
*/ |
5410 |
-@@ -703,6 +784,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5411 |
+@@ -703,6 +783,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5412 |
goto out; |
5413 |
ifr.ifr_name[IFNAMSIZ - 1] = 0; |
5414 |
|
5415 |
@@ -26881,7 +26785,7 @@ index 4155abc..a703e15 100644 |
5416 |
/* save original address for comparison */ |
5417 |
memcpy(&sin_orig, sin, sizeof(*sin)); |
5418 |
|
5419 |
-@@ -710,6 +796,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5420 |
+@@ -710,6 +795,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5421 |
if (colon) |
5422 |
*colon = 0; |
5423 |
|
5424 |
@@ -26893,7 +26797,7 @@ index 4155abc..a703e15 100644 |
5425 |
dev_load(net, ifr.ifr_name); |
5426 |
|
5427 |
switch (cmd) { |
5428 |
-@@ -724,12 +815,19 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5429 |
+@@ -724,12 +814,19 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5430 |
tryaddrmatch = (sin_orig.sin_family == AF_INET); |
5431 |
memset(sin, 0, sizeof(*sin)); |
5432 |
sin->sin_family = AF_INET; |
5433 |
@@ -26913,7 +26817,7 @@ index 4155abc..a703e15 100644 |
5434 |
break; |
5435 |
case SIOCSIFADDR: /* Set interface address (and family) */ |
5436 |
case SIOCSIFBRDADDR: /* Set the broadcast address */ |
5437 |
-@@ -741,6 +839,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5438 |
+@@ -741,6 +838,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5439 |
ret = -EINVAL; |
5440 |
if (sin->sin_family != AF_INET) |
5441 |
goto out; |
5442 |
@@ -26923,7 +26827,7 @@ index 4155abc..a703e15 100644 |
5443 |
break; |
5444 |
default: |
5445 |
ret = -EINVAL; |
5446 |
-@@ -754,6 +855,21 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5447 |
+@@ -754,6 +854,21 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) |
5448 |
if (!dev) |
5449 |
goto done; |
5450 |
|
5451 |
@@ -26946,7 +26850,7 @@ index 4155abc..a703e15 100644 |
5452 |
*colon = ':'; |
5453 |
|
5454 |
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c |
5455 |
-index 2252471..0255d53 100644 |
5456 |
+index 92fc5f6..55430a8 100644 |
5457 |
--- a/net/ipv4/fib_frontend.c |
5458 |
+++ b/net/ipv4/fib_frontend.c |
5459 |
@@ -46,6 +46,8 @@ |
5460 |
@@ -27055,7 +26959,7 @@ index 2252471..0255d53 100644 |
5461 |
if (tb == NULL) { |
5462 |
err = -ENOBUFS; |
5463 |
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c |
5464 |
-index 3267d38..164395a 100644 |
5465 |
+index 389a2e6..eae9fa7 100644 |
5466 |
--- a/net/ipv4/inet_diag.c |
5467 |
+++ b/net/ipv4/inet_diag.c |
5468 |
@@ -34,6 +34,8 @@ |
5469 |
@@ -27100,7 +27004,7 @@ index 3267d38..164395a 100644 |
5470 |
INET_DIAG_REQ_BYTECODE); |
5471 |
if (attr == NULL || |
5472 |
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c |
5473 |
-index f81af8d..02fd1cf 100644 |
5474 |
+index 58e8791..c82d09d 100644 |
5475 |
--- a/net/ipv4/ipmr.c |
5476 |
+++ b/net/ipv4/ipmr.c |
5477 |
@@ -66,6 +66,8 @@ |
5478 |
@@ -27268,19 +27172,19 @@ index 24e556e..27c35d3 100644 |
5479 |
case IPT_SO_SET_REPLACE: |
5480 |
ret = do_replace(sock_net(sk), user, len); |
5481 |
diff --git a/net/ipv4/route.c b/net/ipv4/route.c |
5482 |
-index 75ef66f..6318a39 100644 |
5483 |
+index 05ac666c..c324972 100644 |
5484 |
--- a/net/ipv4/route.c |
5485 |
+++ b/net/ipv4/route.c |
5486 |
-@@ -110,6 +110,8 @@ |
5487 |
- #endif |
5488 |
+@@ -111,6 +111,8 @@ |
5489 |
+ #include <net/atmclip.h> |
5490 |
#include <net/secure_seq.h> |
5491 |
|
5492 |
+#include <rsbac/hooks.h> |
5493 |
+ |
5494 |
#define RT_FL_TOS(oldflp4) \ |
5495 |
- ((u32)(oldflp4->flowi4_tos & (IPTOS_RT_MASK | RTO_ONLINK))) |
5496 |
+ ((oldflp4)->flowi4_tos & (IPTOS_RT_MASK | RTO_ONLINK)) |
5497 |
|
5498 |
-@@ -2891,6 +2893,27 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void |
5499 |
+@@ -2979,6 +2981,27 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void |
5500 |
int mark; |
5501 |
struct sk_buff *skb; |
5502 |
|
5503 |
@@ -27309,7 +27213,7 @@ index 75ef66f..6318a39 100644 |
5504 |
if (err < 0) |
5505 |
goto errout; |
5506 |
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c |
5507 |
-index bb2c523..a468c81 100644 |
5508 |
+index a69d44f..0ad5d09 100644 |
5509 |
--- a/net/sched/cls_api.c |
5510 |
+++ b/net/sched/cls_api.c |
5511 |
@@ -31,6 +31,8 @@ |
5512 |
@@ -27377,7 +27281,7 @@ index bb2c523..a468c81 100644 |
5513 |
return skb->len; |
5514 |
dev = __dev_get_by_index(net, tcm->tcm_ifindex); |
5515 |
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c |
5516 |
-index 6b86276..128368d 100644 |
5517 |
+index dca6c1a..6fd628d 100644 |
5518 |
--- a/net/sched/sch_api.c |
5519 |
+++ b/net/sched/sch_api.c |
5520 |
@@ -35,6 +35,8 @@ |
5521 |
@@ -27601,7 +27505,7 @@ index 6b86276..128368d 100644 |
5522 |
t = 0; |
5523 |
|
5524 |
diff --git a/net/socket.c b/net/socket.c |
5525 |
-index 1ad42d3..d4bc79a 100644 |
5526 |
+index ffe92ca..5c20917 100644 |
5527 |
--- a/net/socket.c |
5528 |
+++ b/net/socket.c |
5529 |
@@ -89,6 +89,14 @@ |
5530 |
@@ -28065,7 +27969,7 @@ index 1ad42d3..d4bc79a 100644 |
5531 |
+ rsbac_target_id, |
5532 |
+ A_sock_type, |
5533 |
+ rsbac_attribute_value)) { |
5534 |
-+ rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n"); |
5535 |
++ rsbac_pr_debug(aef, "sys_listen() [sys_socketcall()]: ADF returned NOT_GRANTED\n"); |
5536 |
+ fput_light(sock->file, fput_needed); |
5537 |
+ return -EPERM; |
5538 |
+ } |
5539 |
@@ -28548,7 +28452,7 @@ index 1ad42d3..d4bc79a 100644 |
5540 |
if (level == SOL_SOCKET) |
5541 |
err = |
5542 |
sock_getsockopt(sock, level, optname, optval, |
5543 |
-@@ -1854,11 +2592,82 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how) |
5544 |
+@@ -1854,11 +2592,84 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how) |
5545 |
int err, fput_needed; |
5546 |
struct socket *sock; |
5547 |
|
5548 |
@@ -28566,42 +28470,44 @@ index 1ad42d3..d4bc79a 100644 |
5549 |
err = security_socket_shutdown(sock, how); |
5550 |
+ |
5551 |
+#ifdef CONFIG_RSBAC |
5552 |
-+ rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n"); |
5553 |
-+ if (sock->ops->family == AF_UNIX) { |
5554 |
-+ if (sock->file |
5555 |
-+ && sock->file->f_dentry |
5556 |
-+ && sock->file->f_dentry->d_inode) { |
5557 |
-+ if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) { |
5558 |
-+ rsbac_target = T_IPC; |
5559 |
-+ rsbac_target_id.ipc.type = I_anonunix; |
5560 |
-+ rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino; |
5561 |
-+ } else { |
5562 |
-+ rsbac_target = T_UNIXSOCK; |
5563 |
-+ rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev; |
5564 |
-+ rsbac_target_id.unixsock.inode = sock->file->f_dentry->d_inode->i_ino; |
5565 |
-+ rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry; |
5566 |
++ if (!err) { |
5567 |
++ rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n"); |
5568 |
++ if (sock->ops->family == AF_UNIX) { |
5569 |
++ if (sock->file |
5570 |
++ && sock->file->f_dentry |
5571 |
++ && sock->file->f_dentry->d_inode) { |
5572 |
++ if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) { |
5573 |
++ rsbac_target = T_IPC; |
5574 |
++ rsbac_target_id.ipc.type = I_anonunix; |
5575 |
++ rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino; |
5576 |
++ } else { |
5577 |
++ rsbac_target = T_UNIXSOCK; |
5578 |
++ rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev; |
5579 |
++ rsbac_target_id.unixsock.inode = sock->file->f_dentry->d_inode->i_ino; |
5580 |
++ rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry; |
5581 |
++ } |
5582 |
+ } |
5583 |
+ } |
5584 |
-+ } |
5585 |
+#ifdef CONFIG_RSBAC_NET_OBJ |
5586 |
-+ else { |
5587 |
-+ rsbac_target = T_NETOBJ; |
5588 |
-+ rsbac_target_id.netobj.sock_p = sock; |
5589 |
-+ rsbac_target_id.netobj.local_addr = NULL; |
5590 |
-+ rsbac_target_id.netobj.local_len = 0; |
5591 |
-+ rsbac_target_id.netobj.remote_addr = NULL; |
5592 |
-+ rsbac_target_id.netobj.remote_len = 0; |
5593 |
-+ } |
5594 |
++ else { |
5595 |
++ rsbac_target = T_NETOBJ; |
5596 |
++ rsbac_target_id.netobj.sock_p = sock; |
5597 |
++ rsbac_target_id.netobj.local_addr = NULL; |
5598 |
++ rsbac_target_id.netobj.local_len = 0; |
5599 |
++ rsbac_target_id.netobj.remote_addr = NULL; |
5600 |
++ rsbac_target_id.netobj.remote_len = 0; |
5601 |
++ } |
5602 |
+#endif |
5603 |
-+ rsbac_attribute_value.sock_type = sock->type; |
5604 |
-+ if ((rsbac_target != T_NONE) |
5605 |
-+ && !rsbac_adf_request(R_NET_SHUTDOWN, |
5606 |
-+ task_pid(current), |
5607 |
-+ rsbac_target, |
5608 |
-+ rsbac_target_id, |
5609 |
-+ A_sock_type, |
5610 |
-+ rsbac_attribute_value)) { |
5611 |
-+ err = -EPERM; |
5612 |
++ rsbac_attribute_value.sock_type = sock->type; |
5613 |
++ if ((rsbac_target != T_NONE) |
5614 |
++ && !rsbac_adf_request(R_NET_SHUTDOWN, |
5615 |
++ task_pid(current), |
5616 |
++ rsbac_target, |
5617 |
++ rsbac_target_id, |
5618 |
++ A_sock_type, |
5619 |
++ rsbac_attribute_value)) { |
5620 |
++ err = -EPERM; |
5621 |
++ } |
5622 |
+ } |
5623 |
+#endif |
5624 |
+ |
5625 |
@@ -28631,7 +28537,7 @@ index 1ad42d3..d4bc79a 100644 |
5626 |
fput_light(sock->file, fput_needed); |
5627 |
} |
5628 |
return err; |
5629 |
-@@ -2534,6 +3343,10 @@ static int __init sock_init(void) |
5630 |
+@@ -2534,6 +3345,10 @@ static int __init sock_init(void) |
5631 |
if (err) |
5632 |
goto out_fs; |
5633 |
sock_mnt = kern_mount(&sock_fs_type); |
5634 |
@@ -28643,7 +28549,7 @@ index 1ad42d3..d4bc79a 100644 |
5635 |
err = PTR_ERR(sock_mnt); |
5636 |
goto out_mount; |
5637 |
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c |
5638 |
-index 0722a25..8cb4965 100644 |
5639 |
+index ec68e1c..d18a8c3 100644 |
5640 |
--- a/net/unix/af_unix.c |
5641 |
+++ b/net/unix/af_unix.c |
5642 |
@@ -115,6 +115,8 @@ |
5643 |
@@ -28745,7 +28651,7 @@ index 0722a25..8cb4965 100644 |
5644 |
out: mutex_unlock(&u->readlock); |
5645 |
return err; |
5646 |
} |
5647 |
-@@ -815,6 +875,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5648 |
+@@ -816,6 +876,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5649 |
struct unix_address *addr; |
5650 |
struct hlist_head *list; |
5651 |
|
5652 |
@@ -28758,7 +28664,7 @@ index 0722a25..8cb4965 100644 |
5653 |
err = -EINVAL; |
5654 |
if (sunaddr->sun_family != AF_UNIX) |
5655 |
goto out; |
5656 |
-@@ -835,6 +901,31 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5657 |
+@@ -836,6 +902,31 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5658 |
if (u->addr) |
5659 |
goto out_up; |
5660 |
|
5661 |
@@ -28790,9 +28696,9 @@ index 0722a25..8cb4965 100644 |
5662 |
err = -ENOMEM; |
5663 |
addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); |
5664 |
if (!addr) |
5665 |
-@@ -861,6 +952,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5666 |
+@@ -858,6 +949,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) |
5667 |
if (IS_ERR(dentry)) |
5668 |
- goto out_mknod_unlock; |
5669 |
+ goto out_mknod_parent; |
5670 |
|
5671 |
+#ifdef CONFIG_RSBAC |
5672 |
+ /* RSBAC add: set credentials so connect and send can copy them */ |
5673 |
@@ -28802,7 +28708,7 @@ index 0722a25..8cb4965 100644 |
5674 |
/* |
5675 |
* All right, let's create it. |
5676 |
*/ |
5677 |
-@@ -895,6 +991,21 @@ out_mknod_drop_write: |
5678 |
+@@ -892,6 +988,21 @@ out_mknod_drop_write: |
5679 |
} |
5680 |
|
5681 |
list = &unix_socket_table[addr->hash]; |
5682 |
@@ -28823,8 +28729,8 @@ index 0722a25..8cb4965 100644 |
5683 |
+ |
5684 |
} else { |
5685 |
list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)]; |
5686 |
- u->dentry = nd.path.dentry; |
5687 |
-@@ -960,6 +1071,14 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, |
5688 |
+ u->dentry = path.dentry; |
5689 |
+@@ -956,6 +1067,14 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, |
5690 |
unsigned hash; |
5691 |
int err; |
5692 |
|
5693 |
@@ -28839,7 +28745,7 @@ index 0722a25..8cb4965 100644 |
5694 |
if (addr->sa_family != AF_UNSPEC) { |
5695 |
err = unix_mkname(sunaddr, alen, &hash); |
5696 |
if (err < 0) |
5697 |
-@@ -975,6 +1094,46 @@ restart: |
5698 |
+@@ -971,6 +1090,46 @@ restart: |
5699 |
if (!other) |
5700 |
goto out; |
5701 |
|
5702 |
@@ -28886,7 +28792,7 @@ index 0722a25..8cb4965 100644 |
5703 |
unix_state_double_lock(sk, other); |
5704 |
|
5705 |
/* Apparently VFS overslept socket death. Retry. */ |
5706 |
-@@ -1015,6 +1174,23 @@ restart: |
5707 |
+@@ -1011,6 +1170,23 @@ restart: |
5708 |
unix_peer(sk) = other; |
5709 |
unix_state_double_unlock(sk, other); |
5710 |
} |
5711 |
@@ -28905,12 +28811,12 @@ index 0722a25..8cb4965 100644 |
5712 |
+ rsbac_printk(KERN_WARNING |
5713 |
+ "unix_dgram_connect() [sys_connect() [sys_socketcall()]]: rsbac_adf_set_attr() returned error\n"); |
5714 |
+ } |
5715 |
-+ #endif |
5716 |
++#endif |
5717 |
+ |
5718 |
return 0; |
5719 |
|
5720 |
out_unlock: |
5721 |
-@@ -1060,6 +1236,15 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, |
5722 |
+@@ -1056,6 +1232,15 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, |
5723 |
int err; |
5724 |
long timeo; |
5725 |
|
5726 |
@@ -28926,7 +28832,7 @@ index 0722a25..8cb4965 100644 |
5727 |
err = unix_mkname(sunaddr, addr_len, &hash); |
5728 |
if (err < 0) |
5729 |
goto out; |
5730 |
-@@ -1094,6 +1279,48 @@ restart: |
5731 |
+@@ -1090,6 +1275,48 @@ restart: |
5732 |
if (!other) |
5733 |
goto out; |
5734 |
|
5735 |
@@ -28975,7 +28881,7 @@ index 0722a25..8cb4965 100644 |
5736 |
/* Latch state of peer */ |
5737 |
unix_state_lock(other); |
5738 |
|
5739 |
-@@ -1165,6 +1392,55 @@ restart: |
5740 |
+@@ -1161,6 +1388,55 @@ restart: |
5741 |
goto out_unlock; |
5742 |
} |
5743 |
|
5744 |
@@ -29031,7 +28937,7 @@ index 0722a25..8cb4965 100644 |
5745 |
/* The way is open! Fastly set all the necessary fields... */ |
5746 |
|
5747 |
sock_hold(sk); |
5748 |
-@@ -1204,6 +1480,51 @@ restart: |
5749 |
+@@ -1200,6 +1476,53 @@ restart: |
5750 |
spin_unlock(&other->sk_receive_queue.lock); |
5751 |
unix_state_unlock(other); |
5752 |
other->sk_data_ready(other, 0); |
5753 |
@@ -29065,6 +28971,7 @@ index 0722a25..8cb4965 100644 |
5754 |
+ rsbac_printk(KERN_WARNING |
5755 |
+ "unix_stream_connect() [sys_connect() [sys_socketcall()]]: rsbac_adf_set_attr() returned error\n"); |
5756 |
+#ifdef CONFIG_RSBAC_NET |
5757 |
++#ifdef CONFIG_RSBAC_DEBUG |
5758 |
+ if ( rsbac_debug_aef_net |
5759 |
+ && sk->sk_socket |
5760 |
+ && newsk->sk_socket |
5761 |
@@ -29077,13 +28984,14 @@ index 0722a25..8cb4965 100644 |
5762 |
+ other->sk_socket->file->f_dentry->d_inode->i_ino); |
5763 |
+ } |
5764 |
+#endif |
5765 |
++#endif |
5766 |
+ } |
5767 |
+#endif |
5768 |
+ |
5769 |
sock_put(other); |
5770 |
return 0; |
5771 |
|
5772 |
-@@ -1256,6 +1577,11 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) |
5773 |
+@@ -1252,6 +1575,11 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) |
5774 |
if (sk->sk_state != TCP_LISTEN) |
5775 |
goto out; |
5776 |
|
5777 |
@@ -29095,10 +29003,11 @@ index 0722a25..8cb4965 100644 |
5778 |
/* If socket state is TCP_LISTEN it cannot change (for now...), |
5779 |
* so that no locks are necessary. |
5780 |
*/ |
5781 |
-@@ -1275,6 +1601,19 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) |
5782 |
+@@ -1271,6 +1599,21 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) |
5783 |
/* attach accepted sock to socket */ |
5784 |
unix_state_lock(tsk); |
5785 |
newsock->state = SS_CONNECTED; |
5786 |
++ |
5787 |
+#ifdef CONFIG_RSBAC |
5788 |
+ /* copy dentry and mnt, if there */ |
5789 |
+ if (unix_sk(sk)->dentry) { |
5790 |
@@ -29112,10 +29021,11 @@ index 0722a25..8cb4965 100644 |
5791 |
+ } |
5792 |
+ } |
5793 |
+#endif |
5794 |
++ |
5795 |
sock_graft(tsk, newsock); |
5796 |
unix_state_unlock(tsk); |
5797 |
return 0; |
5798 |
-@@ -1416,6 +1755,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5799 |
+@@ -1412,6 +1755,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5800 |
struct scm_cookie tmp_scm; |
5801 |
int max_level; |
5802 |
|
5803 |
@@ -29130,7 +29040,7 @@ index 0722a25..8cb4965 100644 |
5804 |
if (NULL == siocb->scm) |
5805 |
siocb->scm = &tmp_scm; |
5806 |
wait_for_unix_gc(); |
5807 |
-@@ -1525,6 +1872,55 @@ restart: |
5808 |
+@@ -1521,6 +1872,55 @@ restart: |
5809 |
goto out_unlock; |
5810 |
} |
5811 |
|
5812 |
@@ -29178,7 +29088,7 @@ index 0722a25..8cb4965 100644 |
5813 |
+ rsbac_attribute, |
5814 |
+ rsbac_attribute_value)) { |
5815 |
+ err = -EPERM; |
5816 |
-+ goto out_free; |
5817 |
++ goto out_unlock; |
5818 |
+ } |
5819 |
+ } |
5820 |
+#endif |
5821 |
@@ -29186,7 +29096,7 @@ index 0722a25..8cb4965 100644 |
5822 |
if (unix_peer(other) != sk && unix_recvq_full(other)) { |
5823 |
if (!timeo) { |
5824 |
err = -EAGAIN; |
5825 |
-@@ -1549,6 +1945,24 @@ restart: |
5826 |
+@@ -1545,6 +1945,24 @@ restart: |
5827 |
other->sk_data_ready(other, len); |
5828 |
sock_put(other); |
5829 |
scm_destroy(siocb->scm); |
5830 |
@@ -29211,7 +29121,7 @@ index 0722a25..8cb4965 100644 |
5831 |
return len; |
5832 |
|
5833 |
out_unlock: |
5834 |
-@@ -1576,6 +1990,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5835 |
+@@ -1572,6 +1990,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5836 |
bool fds_sent = false; |
5837 |
int max_level; |
5838 |
|
5839 |
@@ -29226,7 +29136,7 @@ index 0722a25..8cb4965 100644 |
5840 |
if (NULL == siocb->scm) |
5841 |
siocb->scm = &tmp_scm; |
5842 |
wait_for_unix_gc(); |
5843 |
-@@ -1600,6 +2022,55 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5844 |
+@@ -1596,6 +2022,55 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5845 |
if (sk->sk_shutdown & SEND_SHUTDOWN) |
5846 |
goto pipe_err; |
5847 |
|
5848 |
@@ -29282,7 +29192,7 @@ index 0722a25..8cb4965 100644 |
5849 |
while (sent < len) { |
5850 |
/* |
5851 |
* Optimisation for the fact that under 0.01% of X |
5852 |
-@@ -1667,6 +2138,23 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5853 |
+@@ -1663,6 +2138,23 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock, |
5854 |
scm_destroy(siocb->scm); |
5855 |
siocb->scm = NULL; |
5856 |
|
5857 |
@@ -29306,7 +29216,7 @@ index 0722a25..8cb4965 100644 |
5858 |
return sent; |
5859 |
|
5860 |
pipe_err_free: |
5861 |
-@@ -1679,6 +2167,24 @@ pipe_err: |
5862 |
+@@ -1675,6 +2167,24 @@ pipe_err: |
5863 |
out_err: |
5864 |
scm_destroy(siocb->scm); |
5865 |
siocb->scm = NULL; |
5866 |
@@ -29331,7 +29241,7 @@ index 0722a25..8cb4965 100644 |
5867 |
return sent ? : err; |
5868 |
} |
5869 |
|
5870 |
-@@ -1736,10 +2242,78 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, |
5871 |
+@@ -1732,10 +2242,78 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, |
5872 |
struct sk_buff *skb; |
5873 |
int err; |
5874 |
|
5875 |
@@ -29410,7 +29320,7 @@ index 0722a25..8cb4965 100644 |
5876 |
msg->msg_namelen = 0; |
5877 |
|
5878 |
err = mutex_lock_interruptible(&u->readlock); |
5879 |
-@@ -1812,6 +2386,24 @@ out_free: |
5880 |
+@@ -1808,6 +2386,24 @@ out_free: |
5881 |
out_unlock: |
5882 |
mutex_unlock(&u->readlock); |
5883 |
out: |
5884 |
@@ -29435,7 +29345,7 @@ index 0722a25..8cb4965 100644 |
5885 |
return err; |
5886 |
} |
5887 |
|
5888 |
-@@ -1864,6 +2456,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5889 |
+@@ -1860,6 +2456,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5890 |
int err = 0; |
5891 |
long timeo; |
5892 |
|
5893 |
@@ -29450,7 +29360,7 @@ index 0722a25..8cb4965 100644 |
5894 |
err = -EINVAL; |
5895 |
if (sk->sk_state != TCP_ESTABLISHED) |
5896 |
goto out; |
5897 |
-@@ -1872,6 +2472,66 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5898 |
+@@ -1868,6 +2472,66 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5899 |
if (flags&MSG_OOB) |
5900 |
goto out; |
5901 |
|
5902 |
@@ -29517,7 +29427,7 @@ index 0722a25..8cb4965 100644 |
5903 |
target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); |
5904 |
timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); |
5905 |
|
5906 |
-@@ -1995,6 +2655,23 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5907 |
+@@ -1991,6 +2655,23 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, |
5908 |
mutex_unlock(&u->readlock); |
5909 |
scm_recv(sock, msg, siocb->scm, flags); |
5910 |
out: |
5911 |
@@ -35448,7 +35358,7 @@ index 0000000..84fd7d8 |
5912 |
+} |
5913 |
diff --git a/rsbac/adf/adf_main.c b/rsbac/adf/adf_main.c |
5914 |
new file mode 100644 |
5915 |
-index 0000000..09df74f |
5916 |
+index 0000000..49e9e23 |
5917 |
--- /dev/null |
5918 |
+++ b/rsbac/adf/adf_main.c |
5919 |
@@ -0,0 +1,3394 @@ |
5920 |
@@ -38149,8 +38059,8 @@ index 0000000..09df74f |
5921 |
+ } |
5922 |
+#endif |
5923 |
+ |
5924 |
-+ if(may_sync) |
5925 |
-+ err = generic_file_fsync(&file, 1); |
5926 |
++ if(may_sync && (dentry_p->d_inode->i_size > 0)) |
5927 |
++ err = generic_file_fsync(&file, 0, dentry_p->d_inode->i_size - 1, 1); |
5928 |
+ |
5929 |
+ rsbac_kfree(buffer); |
5930 |
+ } |
5931 |
@@ -41164,10 +41074,10 @@ index 0000000..002f0b7 |
5932 |
+endif |
5933 |
diff --git a/rsbac/adf/daz/daz_main.c b/rsbac/adf/daz/daz_main.c |
5934 |
new file mode 100644 |
5935 |
-index 0000000..a5bdebb |
5936 |
+index 0000000..991838d |
5937 |
--- /dev/null |
5938 |
+++ b/rsbac/adf/daz/daz_main.c |
5939 |
-@@ -0,0 +1,1150 @@ |
5940 |
+@@ -0,0 +1,1167 @@ |
5941 |
+/*************************************************** */ |
5942 |
+/* Rule Set Based Access Control */ |
5943 |
+/* Implementation of the Access Control Decision */ |
5944 |
@@ -41274,6 +41184,8 @@ index 0000000..a5bdebb |
5945 |
+ union rsbac_target_id_t i_tid; |
5946 |
+ |
5947 |
+ /* reset scanned status for file */ |
5948 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), resetting scanned status!\n", |
5949 |
++ current->pid, current->comm); |
5950 |
+ i_tid.file=file; |
5951 |
+ i_attr_val1.daz_scanned = DAZ_unscanned; |
5952 |
+ if(rsbac_set_attr(SW_DAZ, |
5953 |
@@ -41516,6 +41428,10 @@ index 0000000..a5bdebb |
5954 |
+ return -1; |
5955 |
+ rsbac_get_full_path(dfs->extra_data->dentry, dfs->extra_data->full_filename, DAZ_MAX_FILENAME); |
5956 |
+ |
5957 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), file is %s!\n", |
5958 |
++ current->pid, current->comm, |
5959 |
++ dfs->extra_data->full_filename); |
5960 |
++ |
5961 |
+ /* find the actual value of the length */ |
5962 |
+ dfs->extra_data->full_filename_length = strlen(dfs->extra_data->full_filename); |
5963 |
+ |
5964 |
@@ -42030,6 +41946,8 @@ index 0000000..a5bdebb |
5965 |
+ return GRANTED; |
5966 |
+#endif |
5967 |
+ |
5968 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), scanning required!\n", |
5969 |
++ current->pid, current->comm); |
5970 |
+ xp_id.pid = current->pid; |
5971 |
+ xp_id.file = NULL; |
5972 |
+ |
5973 |
@@ -42078,6 +41996,8 @@ index 0000000..a5bdebb |
5974 |
+ } |
5975 |
+ } |
5976 |
+#endif |
5977 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), dazuko_sys_pre() result is %i\n", |
5978 |
++ current->pid, current->comm, error); |
5979 |
+ } |
5980 |
+ else |
5981 |
+ { |
5982 |
@@ -42087,14 +42007,21 @@ index 0000000..a5bdebb |
5983 |
+ |
5984 |
+ dazuko_file_struct_cleanup(&dfs); |
5985 |
+ } |
5986 |
++ if(error == 2) |
5987 |
++ return DO_NOT_CARE; |
5988 |
++ if(error == 0) { |
5989 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), file clean!\n", |
5990 |
++ current->pid, current->comm); |
5991 |
++ return GRANTED; |
5992 |
++ } else { |
5993 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), file infected!\n", |
5994 |
++ current->pid, current->comm); |
5995 |
++ return NOT_GRANTED; |
5996 |
++ } |
5997 |
+ } |
5998 |
-+ |
5999 |
-+ if(error == 2) |
6000 |
-+ return DO_NOT_CARE; |
6001 |
-+ if(error == 0) |
6002 |
-+ return GRANTED; |
6003 |
-+ else |
6004 |
-+ return NOT_GRANTED; |
6005 |
++ rsbac_pr_debug(adf_daz, "pid %u (%.15s), dazuko_sys_check() result is %i\n", |
6006 |
++ current->pid, current->comm, check_error); |
6007 |
++ return DO_NOT_CARE; |
6008 |
+} /* end of rsbac_adf_request_daz() */ |
6009 |
+ |
6010 |
+ |
6011 |
@@ -42998,15 +42925,15 @@ index 0000000..3519be9 |
6012 |
+#endif |
6013 |
diff --git a/rsbac/adf/daz/dazuko_xp.c b/rsbac/adf/daz/dazuko_xp.c |
6014 |
new file mode 100644 |
6015 |
-index 0000000..ee81ab9 |
6016 |
+index 0000000..cc9265b |
6017 |
--- /dev/null |
6018 |
+++ b/rsbac/adf/daz/dazuko_xp.c |
6019 |
-@@ -0,0 +1,2902 @@ |
6020 |
+@@ -0,0 +1,2903 @@ |
6021 |
+/* DazukoXP. Allow cross platform file access control for 3rd-party applications. |
6022 |
+ Written by John Ogness <jogness@×××××××.de> |
6023 |
+ |
6024 |
+ Copyright (c) 2002, 2003, 2004 H+BEDV Datentechnik GmbH |
6025 |
-+ Copyright (c) 2004-2010 Amon Ott <ao@×××××.org> |
6026 |
++ Copyright (c) 2004-2011 Amon Ott <ao@×××××.org> |
6027 |
+ |
6028 |
+ All rights reserved. |
6029 |
+ |
6030 |
@@ -43038,6 +42965,9 @@ index 0000000..ee81ab9 |
6031 |
+ POSSIBILITY OF SUCH DAMAGE. |
6032 |
+*/ |
6033 |
+ |
6034 |
++#include <rsbac/types.h> |
6035 |
++#include <rsbac/debug.h> |
6036 |
++ |
6037 |
+#include "dazuko_platform.h" |
6038 |
+ |
6039 |
+#include "dazuko_xp.h" |
6040 |
@@ -43750,7 +43680,7 @@ index 0000000..ee81ab9 |
6041 |
+ struct slot_list *sl; |
6042 |
+ int i; |
6043 |
+ |
6044 |
-+ DPRINT(("dazuko: dazuko_register_daemon() [%d]\n", did->unique)); |
6045 |
++ rsbac_pr_debug(adf_daz, "Registering daemon %s [%d]\n", reg_name, did->unique); |
6046 |
+ |
6047 |
+ if (did == NULL || reg_name == NULL) |
6048 |
+ return XP_ERROR_PERMISSION; |
6049 |
@@ -43892,9 +43822,7 @@ index 0000000..ee81ab9 |
6050 |
+ /* the daemon is registered, but not yet |
6051 |
+ * ready to receive files */ |
6052 |
+ __dazuko_change_slot_state(s, DAZUKO_FREE, DAZUKO_FREE); |
6053 |
-+ |
6054 |
-+ DPRINT(("dazuko: slot[%d] assigned to daemon %d\n", s->id, s->did.unique)); |
6055 |
-+ |
6056 |
++ rsbac_pr_debug(adf_daz, "slot[%d] assigned to daemon %s [%d]", s->id, reg_name, did->unique); |
6057 |
+ call_xp_up(&(s->mutex)); |
6058 |
+/* UP */ |
6059 |
+ |
6060 |
@@ -45582,18 +45510,18 @@ index 0000000..ee81ab9 |
6061 |
+ /* will need to scan if ON_CLOSE_MODIFIED is in the mask too */ |
6062 |
+ |
6063 |
+ if ((SCAN_ON_CLOSE || SCAN_ON_CLOSE_MODIFIED) == 0) |
6064 |
-+ return -1; |
6065 |
++ return -2; |
6066 |
+ break; |
6067 |
+ |
6068 |
+ default: |
6069 |
+ if ((access_mask & event) == 0) |
6070 |
-+ return -1; |
6071 |
++ return -3; |
6072 |
+ break; |
6073 |
+ } |
6074 |
+ |
6075 |
+ /* do we have any daemons? */ |
6076 |
+ if (call_xp_atomic_read(&active) <= 0) |
6077 |
-+ return -1; |
6078 |
++ return -4; |
6079 |
+ |
6080 |
+ /* should daemons be allowed this event without a scan? */ |
6081 |
+ if (daemon_is_allowed) |
6082 |
@@ -45603,7 +45531,7 @@ index 0000000..ee81ab9 |
6083 |
+ /* this is one of our daemons, so we will report as |
6084 |
+ * as if this event was not in the mask */ |
6085 |
+ |
6086 |
-+ return -1; |
6087 |
++ return -5; |
6088 |
+ } |
6089 |
+ } |
6090 |
+ |
6091 |
@@ -47109,19 +47037,19 @@ index 0000000..7efcd46 |
6092 |
+ |
6093 |
diff --git a/rsbac/adf/jail/jail_main.c b/rsbac/adf/jail/jail_main.c |
6094 |
new file mode 100644 |
6095 |
-index 0000000..67bc197 |
6096 |
+index 0000000..0c838ee |
6097 |
--- /dev/null |
6098 |
+++ b/rsbac/adf/jail/jail_main.c |
6099 |
-@@ -0,0 +1,1278 @@ |
6100 |
+@@ -0,0 +1,1395 @@ |
6101 |
+/**************************************************** */ |
6102 |
+/* Rule Set Based Access Control */ |
6103 |
+/* Implementation of the Access Control Decision */ |
6104 |
+/* Facility (ADF) - Authorization module */ |
6105 |
+/* File: rsbac/adf/jail/jail_main.c */ |
6106 |
+/* */ |
6107 |
-+/* Author and (c) 1999-2010: Amon Ott <ao@×××××.org> */ |
6108 |
++/* Author and (c) 1999-2011: Amon Ott <ao@×××××.org> */ |
6109 |
+/* */ |
6110 |
-+/* Last modified: 14/Sep/2010 */ |
6111 |
++/* Last modified: 17/Oct/2011 */ |
6112 |
+/**************************************************** */ |
6113 |
+ |
6114 |
+#include <linux/string.h> |
6115 |
@@ -47326,7 +47254,7 @@ index 0000000..67bc197 |
6116 |
+ || ( |
6117 |
+ (jail_flags & |
6118 |
+ JAIL_allow_inet_localhost) |
6119 |
-+ && (addr->sin_addr.s_addr == |
6120 |
++ && (addr->sin_addr.s_addr == |
6121 |
+ RSBAC_JAIL_LOCALHOST) |
6122 |
+ ) |
6123 |
+#if defined(CONFIG_RSBAC_JAIL_NET_ADJUST) |
6124 |
@@ -47363,7 +47291,7 @@ index 0000000..67bc197 |
6125 |
+ || ( |
6126 |
+ (jail_flags & |
6127 |
+ JAIL_allow_inet_localhost) |
6128 |
-+ && |
6129 |
++ && |
6130 |
+ ((inet_sk(tid.netobj.sock_p->sk)-> |
6131 |
+ inet_saddr == RSBAC_JAIL_LOCALHOST) |
6132 |
+ || ( |
6133 |
@@ -48308,83 +48236,200 @@ index 0000000..67bc197 |
6134 |
+ } |
6135 |
+ |
6136 |
+ case R_CREATE: |
6137 |
-+ if (target == T_IPC) { |
6138 |
-+ /* Get jail_id from process */ |
6139 |
-+ i_tid.process = caller_pid; |
6140 |
-+ if (rsbac_get_attr(SW_JAIL, |
6141 |
-+ T_PROCESS, |
6142 |
-+ i_tid, |
6143 |
-+ A_jail_id, |
6144 |
-+ &i_attr_val1, FALSE)) { |
6145 |
-+ rsbac_ds_get_error |
6146 |
-+ ("rsbac_adf_set_attr_jail()", |
6147 |
-+ A_jail_id); |
6148 |
-+ return (-RSBAC_EREADFAILED); |
6149 |
-+ } |
6150 |
-+ /* Set jail_id for new IPC */ |
6151 |
-+ if (rsbac_set_attr(SW_JAIL, |
6152 |
-+ T_IPC, |
6153 |
-+ tid, A_jail_id, i_attr_val1)) { |
6154 |
-+ rsbac_ds_set_error |
6155 |
-+ ("rsbac_adf_set_attr_jail()", |
6156 |
-+ A_jail_id); |
6157 |
-+ return (-RSBAC_EWRITEFAILED); |
6158 |
-+ } |
6159 |
-+ return 0; |
6160 |
-+ } |
6161 |
-+ /* fall through */ |
6162 |
++ switch (target) { |
6163 |
++ case T_IPC: |
6164 |
++ /* Get jail_id from process */ |
6165 |
++ i_tid.process = caller_pid; |
6166 |
++ if (rsbac_get_attr(SW_JAIL, |
6167 |
++ T_PROCESS, |
6168 |
++ i_tid, |
6169 |
++ A_jail_id, |
6170 |
++ &i_attr_val1, FALSE)) { |
6171 |
++ rsbac_ds_get_error |
6172 |
++ ("rsbac_adf_set_attr_jail()", |
6173 |
++ A_jail_id); |
6174 |
++ return -RSBAC_EREADFAILED; |
6175 |
++ } |
6176 |
++ if (i_attr_val1.jail_id) { |
6177 |
++ /* Set jail_id for new IPC */ |
6178 |
++ if (rsbac_set_attr(SW_JAIL, |
6179 |
++ T_IPC, |
6180 |
++ tid, A_jail_id, i_attr_val1)) { |
6181 |
++ rsbac_ds_set_error |
6182 |
++ ("rsbac_adf_set_attr_jail()", |
6183 |
++ A_jail_id); |
6184 |
++ return -RSBAC_EWRITEFAILED; |
6185 |
++ } |
6186 |
++ } |
6187 |
++ return 0; |
6188 |
+ |
6189 |
+#ifdef CONFIG_RSBAC_JAIL_NET_ADJUST |
6190 |
-+ case R_BIND: |
6191 |
-+ if (target != T_NETOBJ) |
6192 |
-+ return 0; |
6193 |
-+ if (!tid.netobj.sock_p) { |
6194 |
-+ rsbac_printk(KERN_WARNING |
6195 |
-+ "rsbac_adf_set_attr_jail(): NULL sock_p!\n"); |
6196 |
-+ return 0; |
6197 |
++ case T_NETOBJ: |
6198 |
++ if (!tid.netobj.sock_p) { |
6199 |
++ rsbac_printk(KERN_WARNING |
6200 |
++ "rsbac_adf_set_attr_jail(): NULL sock_p!\n"); |
6201 |
++ return 0; |
6202 |
++ } |
6203 |
++ if (!tid.netobj.sock_p->ops) { |
6204 |
++ return 0; |
6205 |
++ } |
6206 |
++ switch (tid.netobj.sock_p->ops->family) { |
6207 |
++ case AF_INET: |
6208 |
++ i_tid.process = caller_pid; |
6209 |
++ if ((err = rsbac_get_attr(SW_JAIL, |
6210 |
++ T_PROCESS, |
6211 |
++ i_tid, |
6212 |
++ A_jail_ip, |
6213 |
++ &i_attr_val1, TRUE))) { |
6214 |
++ rsbac_ds_get_error |
6215 |
++ ("rsbac_adf_set_attr_jail()", |
6216 |
++ A_jail_ip); |
6217 |
++ return -RSBAC_EREADFAILED; |
6218 |
++ } |
6219 |
++ if (i_attr_val1.jail_ip == INADDR_ANY) |
6220 |
++ return 0; |
6221 |
++ if ((err = rsbac_get_attr(SW_JAIL, |
6222 |
++ T_PROCESS, |
6223 |
++ i_tid, |
6224 |
++ A_jail_flags, |
6225 |
++ &i_attr_val2, TRUE))) { |
6226 |
++ rsbac_ds_get_error |
6227 |
++ ("rsbac_adf_set_attr_jail()", |
6228 |
++ A_jail_flags); |
6229 |
++ return -RSBAC_EREADFAILED; |
6230 |
++ } |
6231 |
++ if (i_attr_val2. |
6232 |
++ jail_flags & JAIL_auto_adjust_inet_any) { |
6233 |
++ inet_sk(tid.netobj.sock_p->sk)->inet_rcv_saddr = |
6234 |
++ i_attr_val1.jail_ip; |
6235 |
++ inet_sk(tid.netobj.sock_p->sk)->inet_saddr = |
6236 |
++ i_attr_val1.jail_ip; |
6237 |
++ } |
6238 |
++ return 0; |
6239 |
++ |
6240 |
++ default: |
6241 |
++ break; |
6242 |
++ } |
6243 |
++#endif |
6244 |
++ |
6245 |
++ default: |
6246 |
++ return 0; |
6247 |
+ } |
6248 |
-+ if (!tid.netobj.sock_p->ops) { |
6249 |
-+ return 0; |
6250 |
++ |
6251 |
++ case R_BIND: |
6252 |
++ switch (target) { |
6253 |
++ case T_IPC: |
6254 |
++ /* Get jail_id from process */ |
6255 |
++ i_tid.process = caller_pid; |
6256 |
++ if (rsbac_get_attr(SW_JAIL, |
6257 |
++ T_PROCESS, |
6258 |
++ i_tid, |
6259 |
++ A_jail_id, |
6260 |
++ &i_attr_val1, FALSE)) { |
6261 |
++ rsbac_ds_get_error |
6262 |
++ ("rsbac_adf_set_attr_jail()", |
6263 |
++ A_jail_id); |
6264 |
++ return -RSBAC_EREADFAILED; |
6265 |
++ } |
6266 |
++ if (i_attr_val1.jail_id) { |
6267 |
++ /* Set jail_id for new IPC */ |
6268 |
++ if (rsbac_set_attr(SW_JAIL, |
6269 |
++ T_IPC, |
6270 |
++ tid, A_jail_id, i_attr_val1)) { |
6271 |
++ rsbac_ds_set_error |
6272 |
++ ("rsbac_adf_set_attr_jail()", |
6273 |
++ A_jail_id); |
6274 |
++ return -RSBAC_EWRITEFAILED; |
6275 |
++ } |
6276 |
++ } |
6277 |
++ return 0; |
6278 |
++ |
6279 |
++#ifdef CONFIG_RSBAC_JAIL_NET_ADJUST |
6280 |
++ case T_NETOBJ: |
6281 |
++ if (!tid.netobj.sock_p) { |
6282 |
++ rsbac_printk(KERN_WARNING |
6283 |
++ "rsbac_adf_set_attr_jail(): NULL sock_p!\n"); |
6284 |
++ return 0; |
6285 |
++ } |
6286 |
++ if (!tid.netobj.sock_p->ops) { |
6287 |
++ return 0; |
6288 |
++ } |
6289 |
++ switch (tid.netobj.sock_p->ops->family) { |
6290 |
++ case AF_INET: |
6291 |
++ i_tid.process = caller_pid; |
6292 |
++ if ((err = rsbac_get_attr(SW_JAIL, |
6293 |
++ T_PROCESS, |
6294 |
++ i_tid, |
6295 |
++ A_jail_ip, |
6296 |
++ &i_attr_val1, TRUE))) { |
6297 |
++ rsbac_ds_get_error |
6298 |
++ ("rsbac_adf_set_attr_jail()", |
6299 |
++ A_jail_ip); |
6300 |
++ return -RSBAC_EREADFAILED; |
6301 |
++ } |
6302 |
++ if (i_attr_val1.jail_ip == INADDR_ANY) |
6303 |
++ return 0; |
6304 |
++ if ((err = rsbac_get_attr(SW_JAIL, |
6305 |
++ T_PROCESS, |
6306 |
++ i_tid, |
6307 |
++ A_jail_flags, |
6308 |
++ &i_attr_val2, TRUE))) { |
6309 |
++ rsbac_ds_get_error |
6310 |
++ ("rsbac_adf_set_attr_jail()", |
6311 |
++ A_jail_flags); |
6312 |
++ return -RSBAC_EREADFAILED; |
6313 |
++ } |
6314 |
++ if (i_attr_val2. |
6315 |
++ jail_flags & JAIL_auto_adjust_inet_any) { |
6316 |
++ inet_sk(tid.netobj.sock_p->sk)->inet_rcv_saddr = |
6317 |
++ i_attr_val1.jail_ip; |
6318 |
++ inet_sk(tid.netobj.sock_p->sk)->inet_saddr = |
6319 |
++ i_attr_val1.jail_ip; |
6320 |
++ } |
6321 |
++ return 0; |
6322 |
++ |
6323 |
++ default: |
6324 |
++ break; |
6325 |
++ } |
6326 |
++#endif |
6327 |
++ default: |
6328 |
++ return 0; |
6329 |
+ } |
6330 |
-+ switch (tid.netobj.sock_p->ops->family) { |
6331 |
-+ case AF_INET: |
6332 |
-+ i_tid.process = caller_pid; |
6333 |
-+ if ((err = rsbac_get_attr(SW_JAIL, |
6334 |
-+ T_PROCESS, |
6335 |
-+ i_tid, |
6336 |
-+ A_jail_ip, |
6337 |
-+ &i_attr_val1, TRUE))) { |
6338 |
-+ rsbac_ds_get_error |
6339 |
-+ ("rsbac_adf_set_attr_jail()", |
6340 |
-+ A_jail_ip); |
6341 |
-+ return -RSBAC_EREADFAILED; |
6342 |
-+ } |
6343 |
-+ if (i_attr_val1.jail_ip == INADDR_ANY) |
6344 |
++ |
6345 |
++ case R_CONNECT: |
6346 |
++ switch (target) { |
6347 |
++ case T_IPC: |
6348 |
++ if (new_target != T_IPC) |
6349 |
++ return 0; |
6350 |
++ /* Get jail_id from old IPC */ |
6351 |
++ i_tid.process = caller_pid; |
6352 |
++ if (rsbac_get_attr(SW_JAIL, |
6353 |
++ T_IPC, |
6354 |
++ tid, |
6355 |
++ A_jail_id, |
6356 |
++ &i_attr_val1, FALSE)) { |
6357 |
++ rsbac_ds_get_error |
6358 |
++ ("rsbac_adf_set_attr_jail()", |
6359 |
++ A_jail_id); |
6360 |
++ return -RSBAC_EREADFAILED; |
6361 |
++ } |
6362 |
++ if (i_attr_val1.jail_id) { |
6363 |
++ /* Set jail_id for new IPC */ |
6364 |
++ if (rsbac_set_attr(SW_JAIL, |
6365 |
++ T_IPC, |
6366 |
++ new_tid, A_jail_id, i_attr_val1)) { |
6367 |
++ rsbac_ds_set_error |
6368 |
++ ("rsbac_adf_set_attr_jail()", |
6369 |
++ A_jail_id); |
6370 |
++ return -RSBAC_EWRITEFAILED; |
6371 |
++ } |
6372 |
++ } |
6373 |
+ return 0; |
6374 |
-+ if ((err = rsbac_get_attr(SW_JAIL, |
6375 |
-+ T_PROCESS, |
6376 |
-+ i_tid, |
6377 |
-+ A_jail_flags, |
6378 |
-+ &i_attr_val2, TRUE))) { |
6379 |
-+ rsbac_ds_get_error |
6380 |
-+ ("rsbac_adf_set_attr_jail()", |
6381 |
-+ A_jail_flags); |
6382 |
-+ return -RSBAC_EREADFAILED; |
6383 |
-+ } |
6384 |
-+ if (i_attr_val2. |
6385 |
-+ jail_flags & JAIL_auto_adjust_inet_any) { |
6386 |
-+ inet_sk(tid.netobj.sock_p->sk)->inet_rcv_saddr = |
6387 |
-+ i_attr_val1.jail_ip; |
6388 |
-+ inet_sk(tid.netobj.sock_p->sk)->inet_saddr = |
6389 |
-+ i_attr_val1.jail_ip; |
6390 |
-+ } |
6391 |
-+ return 0; |
6392 |
+ |
6393 |
-+ default: |
6394 |
-+ break; |
6395 |
++ default: |
6396 |
++ return 0; |
6397 |
+ } |
6398 |
-+#endif |
6399 |
-+ return 0; |
6400 |
++ |
6401 |
+ default: |
6402 |
+ return 0; |
6403 |
+ } |
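Review bot: In the new `R_CONNECT`/`T_IPC` branch the assignment `i_tid.process = caller_pid;` is dead — the following `rsbac_get_attr(SW_JAIL, T_IPC, tid, ...)` reads the old IPC object through `tid`, never through `i_tid` — so it should be dropped to keep the "Get jail_id from old IPC" comment honest. The `T_IPC` inheritance block and the `T_NETOBJ`/`AF_INET` address-adjust block are now repeated verbatim under both `R_CREATE` and `R_BIND` (roughly ninety lines); moving each into a `static` helper called from both cases would leave one copy to audit. The `A_jail_ip`/`A_jail_flags` lookups store their result in `err` and then return the constant `-RSBAC_EREADFAILED`, while the `A_jail_id` lookups do not capture `err` at all; one convention in the function would help. `rsbac_adf_set_attr_jail()` begins and ends outside this hunk.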
6404 |
@@ -61193,10 +61238,10 @@ index 0000000..e9c0162 |
6405 |
+endif |
6406 |
diff --git a/rsbac/adf/rc/rc_main.c b/rsbac/adf/rc/rc_main.c |
6407 |
new file mode 100644 |
6408 |
-index 0000000..55e4bb0a |
6409 |
+index 0000000..58d48c0 |
6410 |
--- /dev/null |
6411 |
+++ b/rsbac/adf/rc/rc_main.c |
6412 |
-@@ -0,0 +1,2983 @@ |
6413 |
+@@ -0,0 +1,3153 @@ |
6414 |
+/*************************************************** */ |
6415 |
+/* Rule Set Based Access Control */ |
6416 |
+/* Implementation of the Access Control Decision */ |
6417 |
@@ -61205,7 +61250,7 @@ index 0000000..55e4bb0a |
6418 |
+/* */ |
6419 |
+/* Author and (c) 1999-2011: Amon Ott <ao@×××××.org> */ |
6420 |
+/* */ |
6421 |
-+/* Last modified: 12/Jul/2011 */ |
6422 |
++/* Last modified: 29/Nov/2011 */ |
6423 |
+/*************************************************** */ |
6424 |
+ |
6425 |
+#include <linux/string.h> |
6426 |
@@ -61477,7 +61522,9 @@ index 0000000..55e4bb0a |
6427 |
+ i_rc_subtid, RI_type_comp_scd, request)) { |
6428 |
+ return GRANTED; |
6429 |
+ } else { |
6430 |
++#if defined(CONFIG_RSBAC_RC_LEARN) || defined(CONFIG_RSBAC_DEBUG) |
6431 |
+ char tmp[RSBAC_MAXNAMELEN]; |
6432 |
++#endif |
6433 |
+ |
6434 |
+#if defined(CONFIG_RSBAC_RC_LEARN) |
6435 |
+ if (rsbac_rc_learn) { |
6436 |
@@ -61833,10 +61880,12 @@ index 0000000..55e4bb0a |
6437 |
+ i_rc_subtid, i_rc_item, request)) |
6438 |
+ return GRANTED; |
6439 |
+ else { |
6440 |
++#ifdef CONFIG_RSBAC_DEBUG |
6441 |
+ char tmp[RSBAC_MAXNAMELEN]; |
6442 |
+ rsbac_pr_debug(adf_rc, "rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n", |
6443 |
+ i_attr_val1.rc_role, type, |
6444 |
+ get_rc_special_right_name(tmp, request)); |
6445 |
++#endif |
6446 |
+ return NOT_GRANTED; |
6447 |
+ } |
6448 |
+} |
6449 |
@@ -63222,9 +63271,68 @@ index 0000000..55e4bb0a |
6450 |
+ } |
6451 |
+ |
6452 |
+ |
6453 |
-+#if defined(CONFIG_RSBAC_NET) |
6454 |
+ case R_BIND: |
6455 |
+ switch (target) { |
6456 |
++ case T_IPC: |
6457 |
++ /* check, whether we may create IPC of def_ipc_create_type */ |
6458 |
++ /* get rc_role from process */ |
6459 |
++ i_tid.process = caller_pid; |
6460 |
++ if ((err = rsbac_get_attr(SW_RC, T_PROCESS, |
6461 |
++ i_tid, |
6462 |
++ A_rc_role, |
6463 |
++ &i_attr_val1, FALSE))) { |
6464 |
++ rsbac_pr_get_error(A_rc_role); |
6465 |
++ return NOT_GRANTED; |
6466 |
++ } |
6467 |
++ /* get def_ipc_create_type of role */ |
6468 |
++ i_rc_tid.role = i_attr_val1.rc_role; |
6469 |
++ if ((err = rsbac_rc_get_item(0, |
6470 |
++ RT_ROLE, |
6471 |
++ i_rc_tid, |
6472 |
++ i_rc_tid, |
6473 |
++ RI_def_ipc_create_type, |
6474 |
++ &i_rc_item_val1, |
6475 |
++ NULL))) { |
6476 |
++ rsbac_rc_pr_get_error |
6477 |
++ (RI_def_ipc_create_type); |
6478 |
++ return NOT_GRANTED; |
6479 |
++ } |
6480 |
++ switch (i_rc_item_val1.type_id) { |
6481 |
++ case RC_type_no_create: |
6482 |
++ rsbac_pr_debug(adf_rc, "pid %u (%.15s), owner %u, rc_role %u, def_ipc_create_type no_create, request CREATE -> NOT_GRANTED!\n", |
6483 |
++ pid_nr(caller_pid), current->comm, |
6484 |
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,29) |
6485 |
++ current_uid(), |
6486 |
++#else |
6487 |
++ current->uid, |
6488 |
++#endif |
6489 |
++ i_attr_val1.rc_role); |
6490 |
++ return NOT_GRANTED; |
6491 |
++ |
6492 |
++ case RC_type_use_new_role_def_create: |
6493 |
++ /* error - complain and return error */ |
6494 |
++ rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n", |
6495 |
++ i_attr_val1.rc_role); |
6496 |
++ return NOT_GRANTED; |
6497 |
++ |
6498 |
++ case RC_type_inherit_parent: |
6499 |
++ case RC_type_inherit_process: |
6500 |
++ case RC_type_use_fd: |
6501 |
++ /* error - complain and return error */ |
6502 |
++ rsbac_printk(KERN_WARNING "rsbac_adf_request_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n", |
6503 |
++ i_attr_val1.rc_role); |
6504 |
++ return NOT_GRANTED; |
6505 |
++ |
6506 |
++ default: |
6507 |
++ /* check, whether role has CREATE right to new type */ |
6508 |
++ /* get type_comp_ipc of role */ |
6509 |
++ i_rc_subtid.type = i_rc_item_val1.type_id; |
6510 |
++ return rc_check_create(caller_pid, |
6511 |
++ target, |
6512 |
++ i_rc_tid, |
6513 |
++ i_rc_subtid, |
6514 |
++ RI_type_comp_ipc); |
6515 |
++ } |
6516 |
+#if defined(CONFIG_RSBAC_RC_NET_DEV_PROT) |
6517 |
+ case T_NETDEV: |
6518 |
+ return check_comp_rc |
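Review bot: The debug line in the new `R_BIND`/`T_IPC` branch says `request CREATE -> NOT_GRANTED!` although the request being decided is BIND, so the log will misattribute the denial; change it to `... def_ipc_create_type no_create, request BIND -> NOT_GRANTED!`. Likewise the shared `RC_type_inherit_parent`/`RC_type_inherit_process`/`RC_type_use_fd` warning always prints `invalid type inherit_parent`, hiding which of the three values was actually stored; printing the value, e.g. `"rsbac_adf_request_rc(): invalid def_ipc_create_type %i in role %i!\n", i_rc_item_val1.type_id, i_attr_val1.rc_role`, makes the audit trail exact. The same mislabelled message recurs in the `rsbac_adf_set_attr_rc()` hunk further down (`@@ -64136,6 +64243,114 @@`). The enclosing `rsbac_adf_request_rc()` starts and ends outside this hunk.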
6519 |
@@ -63241,7 +63349,6 @@ index 0000000..55e4bb0a |
6520 |
+ default: |
6521 |
+ return DO_NOT_CARE; |
6522 |
+ } |
6523 |
-+#endif |
6524 |
+ |
6525 |
+ case R_IOCTL: |
6526 |
+ switch (target) { |
6527 |
@@ -64136,6 +64243,114 @@ index 0000000..55e4bb0a |
6528 |
+ default: |
6529 |
+ return 0; |
6530 |
+ } |
6531 |
++ case R_BIND: |
6532 |
++ switch (target) { |
6533 |
++ case T_IPC: |
6534 |
++ /* get rc_role from process */ |
6535 |
++ i_tid.process = caller_pid; |
6536 |
++ if ((err = rsbac_get_attr(SW_RC, T_PROCESS, |
6537 |
++ i_tid, |
6538 |
++ A_rc_role, |
6539 |
++ &i_attr_val1, FALSE))) { |
6540 |
++ rsbac_pr_get_error(A_rc_role); |
6541 |
++ return -RSBAC_EREADFAILED; |
6542 |
++ } |
6543 |
++ /* get def_ipc_create_type of role */ |
6544 |
++ i_rc_tid.role = i_attr_val1.rc_role; |
6545 |
++ if ((err = rsbac_rc_get_item(0, |
6546 |
++ RT_ROLE, |
6547 |
++ i_rc_tid, |
6548 |
++ i_rc_tid, |
6549 |
++ RI_def_ipc_create_type, |
6550 |
++ &i_rc_item_val1, |
6551 |
++ NULL))) { |
6552 |
++ rsbac_rc_pr_get_error |
6553 |
++ (RI_def_ipc_create_type); |
6554 |
++ return -RSBAC_EREADFAILED; |
6555 |
++ } |
6556 |
++ switch (i_rc_item_val1.type_id) { |
6557 |
++ case RC_type_no_create: |
6558 |
++ return -RSBAC_EDECISIONMISMATCH; |
6559 |
++ break; |
6560 |
++ |
6561 |
++ case RC_type_use_new_role_def_create: |
6562 |
++ /* error - complain and return error */ |
6563 |
++ rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type use_new_role_def_create in def_ipc_create_type of role %i!\n", |
6564 |
++ i_attr_val1.rc_role); |
6565 |
++ return -RSBAC_EINVALIDVALUE; |
6566 |
++ |
6567 |
++ case RC_type_inherit_parent: |
6568 |
++ case RC_type_inherit_process: |
6569 |
++ /* error - complain and return error */ |
6570 |
++ rsbac_printk(KERN_WARNING "rsbac_adf_set_attr_rc(): invalid type inherit_parent in def_ipc_create_type of role %i!\n", |
6571 |
++ i_attr_val1.rc_role); |
6572 |
++ return -RSBAC_EINVALIDVALUE; |
6573 |
++ |
6574 |
++ default: |
6575 |
++ /* set rc_type for ipc target */ |
6576 |
++ i_attr_val1.rc_type = |
6577 |
++ i_rc_item_val1.type_id; |
6578 |
++ /* get type from target */ |
6579 |
++ if ((err = rsbac_get_attr(SW_RC, |
6580 |
++ target, |
6581 |
++ tid, |
6582 |
++ A_rc_type, |
6583 |
++ &i_attr_val2, |
6584 |
++ FALSE))) { |
6585 |
++ rsbac_pr_get_error(A_rc_type); |
6586 |
++ return -RSBAC_EREADFAILED; |
6587 |
++ } |
6588 |
++ /* set it for new target, if different */ |
6589 |
++ if (i_attr_val1.rc_type != |
6590 |
++ i_attr_val2.rc_type) { |
6591 |
++ if ((err = |
6592 |
++ rsbac_set_attr(SW_RC, target, |
6593 |
++ tid, A_rc_type, |
6594 |
++ i_attr_val1))) |
6595 |
++ { |
6596 |
++ rsbac_pr_set_error |
6597 |
++ (A_rc_type); |
6598 |
++ return -RSBAC_EWRITEFAILED; |
6599 |
++ } |
6600 |
++ } |
6601 |
++ } |
6602 |
++ return 0; |
6603 |
++ |
6604 |
++ /* all other cases are unknown */ |
6605 |
++ default: |
6606 |
++ return 0; |
6607 |
++ } |
6608 |
++ |
6609 |
++ case R_CONNECT: |
6610 |
++ switch (target) { |
6611 |
++ case T_IPC: |
6612 |
++ if (new_target == T_IPC) { |
6613 |
++ /* get type from old target */ |
6614 |
++ i_tid.process = caller_pid; |
6615 |
++ if ((err = rsbac_get_attr(SW_RC, T_IPC, |
6616 |
++ tid, |
6617 |
++ A_rc_type, |
6618 |
++ &i_attr_val1, FALSE))) { |
6619 |
++ rsbac_pr_get_error(A_rc_role); |
6620 |
++ return -RSBAC_EREADFAILED; |
6621 |
++ } |
6622 |
++ /* set rc_type for new ipc target, if not 0 */ |
6623 |
++ if (i_attr_val1.rc_type) { |
6624 |
++ if ((err = rsbac_set_attr(SW_RC, T_IPC, |
6625 |
++ new_tid, A_rc_type, |
6626 |
++ i_attr_val1))) { |
6627 |
++ rsbac_pr_set_error(A_rc_type); |
6628 |
++ return -RSBAC_EWRITEFAILED; |
6629 |
++ } |
6630 |
++ } |
6631 |
++ } |
6632 |
++ return 0; |
6633 |
++ |
6634 |
++ /* all other cases are unknown */ |
6635 |
++ default: |
6636 |
++ return 0; |
6637 |
++ } |
6638 |
++ |
6639 |
+ default: |
6640 |
+ return 0; |
6641 |
+ } |
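Review bot: In the new `R_CONNECT`/`T_IPC` branch the failure path reports the wrong attribute — the lookup fetches `A_rc_type` but the error is logged with `rsbac_pr_get_error(A_rc_role);`; it should read `rsbac_pr_get_error(A_rc_type);`. In the same branch `i_tid.process = caller_pid;` is never used (the read goes through `tid`) and can go. In the `R_BIND`/`T_IPC` branch the `break;` after `return -RSBAC_EDECISIONMISMATCH;` is unreachable, and the combined `RC_type_inherit_parent`/`RC_type_inherit_process` warning always says `inherit_parent`, as in the request-side hunk above. Unlike the request-side switch, this one has no `RC_type_use_fd` case, so that value falls into `default` and is written as the IPC's `rc_type`; presumably the request side rejects it first, but an explicit case would make the set_attr side independent of that ordering. `rsbac_adf_set_attr_rc()` starts and ends outside the hunk.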
6642 |
@@ -66068,14 +66283,15 @@ index 0000000..93d0328 |
6643 |
+ |
6644 |
diff --git a/rsbac/adf/reg/modules_off.c b/rsbac/adf/reg/modules_off.c |
6645 |
new file mode 100644 |
6646 |
-index 0000000..c6f8042 |
6647 |
+index 0000000..e19a488 |
6648 |
--- /dev/null |
6649 |
+++ b/rsbac/adf/reg/modules_off.c |
6650 |
-@@ -0,0 +1,106 @@ |
6651 |
+@@ -0,0 +1,90 @@ |
6652 |
+/* |
6653 |
+ * RSBAC REG decision module kproc_hide. Disabling kernel modules support. |
6654 |
+ * |
6655 |
-+ * Author and (c) 2004 Michal Purzynski <albeiro@×××××.org> |
6656 |
++ * Author and (c) 2004 Michal Purzynski <michal@×××××.org> |
6657 |
++ * Adjusted 2011 Amon Ott <ao@×××××.org> |
6658 |
+ */ |
6659 |
+ |
6660 |
+#include <linux/module.h> |
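Review bot: The header comment still introduces this file as `RSBAC REG decision module kproc_hide`, although the file is `modules_off.c` and its init message further down in this patch calls it `modules_off`. Since the hunk rewrites this comment block anyway, fix the first line to `* RSBAC REG decision module modules_off. Disabling kernel modules support.`; the author and adjustment lines read fine.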
6661 |
@@ -66098,9 +66314,6 @@ index 0000000..c6f8042 |
6662 |
+ |
6663 |
+static long handle = 9999991; |
6664 |
+ |
6665 |
-+static rsbac_inode_nr_t inode_nr = 0; |
6666 |
-+static kdev_t device_nr = 0; |
6667 |
-+ |
6668 |
+/**** Decision Functions ****/ |
6669 |
+ |
6670 |
+static int request_func (enum rsbac_adf_request_t request, |
6671 |
@@ -66115,14 +66328,6 @@ index 0000000..c6f8042 |
6672 |
+ case R_ADD_TO_KERNEL: |
6673 |
+ case R_REMOVE_FROM_KERNEL: |
6674 |
+ return NOT_GRANTED; |
6675 |
-+ case R_GET_STATUS_DATA: |
6676 |
-+ switch (target) { |
6677 |
-+ case T_FILE: |
6678 |
-+ if (tid.file.device == device_nr && tid.file.inode == inode_nr) |
6679 |
-+ return NOT_GRANTED; |
6680 |
-+ default: |
6681 |
-+ return DO_NOT_CARE; |
6682 |
-+ } |
6683 |
+ default: |
6684 |
+ return DO_NOT_CARE; |
6685 |
+ } |
6686 |
@@ -66134,12 +66339,6 @@ index 0000000..c6f8042 |
6687 |
+{ |
6688 |
+ |
6689 |
+ struct rsbac_reg_entry_t entry; |
6690 |
-+ struct nameidata nd; |
6691 |
-+ |
6692 |
-+ path_lookup("/proc/modules", 0, &nd); |
6693 |
-+ device_nr = nd.path.dentry->d_sb->s_dev; |
6694 |
-+ inode_nr = nd.path.dentry->d_inode->i_ino; |
6695 |
-+ path_put(&nd.path); |
6696 |
+ |
6697 |
+ rsbac_printk(KERN_INFO "RSBAC REG decision module modules_off: Initializing.\n"); |
6698 |
+ |
6699 |
@@ -68954,10 +69153,10 @@ index 0000000..926a336 |
6700 |
+ |
6701 |
diff --git a/rsbac/data_structures/aci_data_structures.c b/rsbac/data_structures/aci_data_structures.c |
6702 |
new file mode 100644 |
6703 |
-index 0000000..3296c53 |
6704 |
+index 0000000..3515076 |
6705 |
--- /dev/null |
6706 |
+++ b/rsbac/data_structures/aci_data_structures.c |
6707 |
-@@ -0,0 +1,14476 @@ |
6708 |
+@@ -0,0 +1,14457 @@ |
6709 |
+/*************************************************** */ |
6710 |
+/* Rule Set Based Access Control */ |
6711 |
+/* Implementation of ACI data structures */ |
6712 |
@@ -68965,7 +69164,7 @@ index 0000000..3296c53 |
6713 |
+/* (some smaller parts copied from fs/namei.c */ |
6714 |
+/* and others) */ |
6715 |
+/* */ |
6716 |
-+/* Last modified: 12/Jul/2011 */ |
6717 |
++/* Last modified: 17/Oct/2011 */ |
6718 |
+/*************************************************** */ |
6719 |
+ |
6720 |
+#include <linux/types.h> |
6721 |
@@ -69020,6 +69219,7 @@ index 0000000..3296c53 |
6722 |
+#include <linux/kdev_t.h> |
6723 |
+ |
6724 |
+#define FUSE_SUPER_MAGIC 0x65735546 |
6725 |
++#define CEPH_SUPER_MAGIC 0x00c36400 |
6726 |
+ |
6727 |
+#ifdef CONFIG_RSBAC_MAC |
6728 |
+#include <rsbac/mac.h> |
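Review bot: `#define CEPH_SUPER_MAGIC 0x00c36400` is added unconditionally next to the existing unconditional `FUSE_SUPER_MAGIC`; the in-tree ceph code carries the same constant, and if a kernel header included above this point also defines it (later kernels export it from `linux/magic.h`), the build gets a redefinition warning, or a hard conflict if the spellings ever differ. Wrapping it as `#ifndef CEPH_SUPER_MAGIC` / `#define CEPH_SUPER_MAGIC 0x00c36400` / `#endif` keeps the local fallback harmless across kernel versions; the same guard would suit `FUSE_SUPER_MAGIC`.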
6729 |
@@ -69300,7 +69500,8 @@ index 0000000..3296c53 |
6730 |
+ || (sb_p->s_magic == SMB_SUPER_MAGIC) |
6731 |
+ || (sb_p->s_magic == ISOFS_SUPER_MAGIC) |
6732 |
+ || (sb_p->s_magic == OCFS2_SUPER_MAGIC) |
6733 |
-+ || (sb_p->s_magic == FUSE_SUPER_MAGIC)) |
6734 |
++ || (sb_p->s_magic == FUSE_SUPER_MAGIC) |
6735 |
++ || (sb_p->s_magic == CEPH_SUPER_MAGIC)) |
6736 |
+ return FALSE; |
6737 |
+ else |
6738 |
+ return TRUE; |
6739 |
@@ -70589,7 +70790,7 @@ index 0000000..3296c53 |
6740 |
+ tmperr = rsbac_list_register_hashed(RSBAC_LIST_VERSION, |
6741 |
+ &device_p->handles.rc, |
6742 |
+ info_p, |
6743 |
-+ RSBAC_LIST_PERSIST | (RSBAC_MAJOR(kdev) ? RSBAC_LIST_OWN_SLAB : 0) | |
6744 |
++ RSBAC_LIST_PERSIST | RSBAC_LIST_OWN_SLAB | |
6745 |
+ RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE, |
6746 |
+ NULL, |
6747 |
+ NULL, &def_rc_fd_aci, |
6748 |
@@ -71462,16 +71663,8 @@ index 0000000..3296c53 |
6749 |
+ new_dir_p = |
6750 |
+ dget(new_file_dentry_p->d_parent); |
6751 |
+ double_lock(new_dir_p, old_dir_p); |
6752 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,34) |
6753 |
+ dquot_initialize(old_dir_p->d_inode); |
6754 |
+ dquot_initialize(new_dir_p->d_inode); |
6755 |
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,30) |
6756 |
-+ vfs_dq_init(old_dir_p->d_inode); |
6757 |
-+ vfs_dq_init(new_dir_p->d_inode); |
6758 |
-+#else |
6759 |
-+ DQUOT_INIT(old_dir_p->d_inode); |
6760 |
-+ DQUOT_INIT(new_dir_p->d_inode); |
6761 |
-+#endif |
6762 |
+ /* try to rename file in rsbac dir */ |
6763 |
+ /* rsbac_pr_debug(write, "calling rename function\n"); */ |
6764 |
+ err = |
6765 |
@@ -71536,14 +71729,7 @@ index 0000000..3296c53 |
6766 |
+ old_dir_p = |
6767 |
+ lock_parent |
6768 |
+ (file_dentry_p); |
6769 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,34) |
6770 |
+ dquot_initialize(old_dir_p->d_inode); |
6771 |
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,30) |
6772 |
-+ vfs_dq_init(old_dir_p->d_inode); |
6773 |
-+#else |
6774 |
-+ DQUOT_INIT(old_dir_p-> |
6775 |
-+ d_inode); |
6776 |
-+#endif |
6777 |
+ err = -ENOENT; |
6778 |
+ err = |
6779 |
+ dir_dentry_p-> |
6780 |
@@ -71629,13 +71815,7 @@ index 0000000..3296c53 |
6781 |
+ } |
6782 |
+ /* try to create file in rsbac dir */ |
6783 |
+ /* rsbac_pr_debug(write, "calling create function\n"); */ |
6784 |
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,34) |
6785 |
+ dquot_initialize(ldir_dentry_p->d_inode); |
6786 |
-+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,30) |
6787 |
-+ vfs_dq_init(ldir_dentry_p->d_inode); |
6788 |
-+#else |
6789 |
-+ DQUOT_INIT(ldir_dentry_p->d_inode); |
6790 |
-+#endif |
6791 |
+ err = |
6792 |
+ dir_dentry_p->d_inode->i_op->create(ldir_dentry_p-> |
6793 |
+ d_inode, |
6794 |
@@ -83436,10 +83616,10 @@ index 0000000..3296c53 |
6795 |
+} |
6796 |
diff --git a/rsbac/data_structures/acl_data_structures.c b/rsbac/data_structures/acl_data_structures.c |
6797 |
new file mode 100644 |
6798 |
-index 0000000..65714b914 |
6799 |
+index 0000000..6f71257 |
6800 |
--- /dev/null |
6801 |
+++ b/rsbac/data_structures/acl_data_structures.c |
6802 |
-@@ -0,0 +1,8392 @@ |
6803 |
+@@ -0,0 +1,8398 @@ |
6804 |
+/*************************************************** */ |
6805 |
+/* Rule Set Based Access Control */ |
6806 |
+/* Implementation of ACL data structures */ |
6807 |
@@ -88118,7 +88298,9 @@ index 0000000..65714b914 |
6808 |
+ int err = 0; |
6809 |
+ struct rsbac_acl_device_list_item_t *device_p; |
6810 |
+ struct rsbac_acl_entry_desc_t desc; |
6811 |
++#ifdef CONFIG_RSBAC_DEBUG |
6812 |
+ char tmp[RSBAC_MAXNAMELEN]; |
6813 |
++#endif |
6814 |
+ rsbac_acl_rights_vector_t mask; |
6815 |
+ int srcu_idx; |
6816 |
+ |
6817 |
@@ -88494,7 +88676,9 @@ index 0000000..65714b914 |
6818 |
+ union rsbac_target_id_t tid) |
6819 |
+{ |
6820 |
+ int err = 0; |
6821 |
++#ifdef CONFIG_RSBAC_DEBUG |
6822 |
+ char tmp[RSBAC_MAXNAMELEN]; |
6823 |
++#endif |
6824 |
+ struct rsbac_acl_device_list_item_t *device_p; |
6825 |
+ int srcu_idx; |
6826 |
+ |
6827 |
@@ -89482,7 +89666,9 @@ index 0000000..65714b914 |
6828 |
+ rsbac_acl_rights_vector_t mask) |
6829 |
+{ |
6830 |
+ int err = 0; |
6831 |
++#ifdef CONFIG_RSBAC_DEBUG |
6832 |
+ char tmp[80]; |
6833 |
++#endif |
6834 |
+ struct rsbac_acl_device_list_item_t *device_p; |
6835 |
+ int srcu_idx; |
6836 |
+ |
6837 |
@@ -124617,10 +124803,10 @@ index 0000000..738fb52 |
6838 |
+ |
6839 |
diff --git a/rsbac/help/getname.c b/rsbac/help/getname.c |
6840 |
new file mode 100644 |
6841 |
-index 0000000..e435580 |
6842 |
+index 0000000..9dbfd88 |
6843 |
--- /dev/null |
6844 |
+++ b/rsbac/help/getname.c |
6845 |
-@@ -0,0 +1,1821 @@ |
6846 |
+@@ -0,0 +1,1834 @@ |
6847 |
+/************************************* */ |
6848 |
+/* Rule Set Based Access Control */ |
6849 |
+/* Author and (c) 1999-2009: */ |
6850 |
@@ -126153,8 +126339,21 @@ index 0000000..e435580 |
6851 |
+ case T_PROCESS: |
6852 |
+ if(target_type_name) |
6853 |
+ strcpy(target_type_name, "PROCESS"); |
6854 |
-+ if (target_id_name) |
6855 |
-+ sprintf(target_id_name, "%u", pid_nr(tid.process)); |
6856 |
++ if (target_id_name) { |
6857 |
++ struct task_struct *task_p; |
6858 |
++ |
6859 |
++ read_lock(&tasklist_lock); |
6860 |
++ task_p = pid_task(tid.process, PIDTYPE_PID); |
6861 |
++ if (task_p) { |
6862 |
++ if(task_p->parent) |
6863 |
++ sprintf(target_id_name, "%u(%s,parent=%u(%s))", task_p->pid, task_p->comm, task_p->parent->pid, task_p->parent->comm); |
6864 |
++ else |
6865 |
++ sprintf(target_id_name, "%u(%s)", task_p->pid, task_p->comm); |
6866 |
++ } |
6867 |
++ else |
6868 |
++ sprintf(target_id_name, "%u", pid_nr(tid.process)); |
6869 |
++ read_unlock(&tasklist_lock); |
6870 |
++ } |
6871 |
+ break; |
6872 |
+ case T_GROUP: |
6873 |
+ if(target_type_name) |
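Review bot: The new process-name formatting prints `task_p->comm` and `task_p->parent->comm` with a plain `%s` through `sprintf`, whereas the `rsbac_adf_request_rc()` debug line elsewhere in this patch bounds the same field with `%.15s`. If I read the core code right, `comm` is rewritten under `task_lock()`, which `tasklist_lock` does not take, so a concurrent exec can be observed mid-copy; `%.15s` is the cheap way to keep the output bounded regardless. With `%.15s` on both fields the longest result is about 63 bytes including the terminator, which also gives a number to check against the capacity of `target_id_name` — that buffer's size is not visible in the hunk, so please confirm it. Change the two format strings to `"%u(%.15s,parent=%u(%.15s))"` and `"%u(%.15s)"`.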
6874 |
@@ -129332,16 +129531,16 @@ index 0000000..9faf4f2 |
6875 |
+} |
6876 |
diff --git a/rsbac/help/syscalls.c b/rsbac/help/syscalls.c |
6877 |
new file mode 100644 |
6878 |
-index 0000000..120db4d |
6879 |
+index 0000000..5204b1e |
6880 |
--- /dev/null |
6881 |
+++ b/rsbac/help/syscalls.c |
6882 |
-@@ -0,0 +1,8724 @@ |
6883 |
+@@ -0,0 +1,8732 @@ |
6884 |
+/*************************************************** */ |
6885 |
+/* Rule Set Based Access Control */ |
6886 |
+/* Implementation of RSBAC general system calls */ |
6887 |
+/* Author and (C) 1999-2011: Amon Ott <ao@×××××.org> */ |
6888 |
+/* */ |
6889 |
-+/* Last modified: 12/Jul/2011 */ |
6890 |
++/* Last modified: 17/Oct/2011 */ |
6891 |
+/*************************************************** */ |
6892 |
+ |
6893 |
+#include <rsbac/types.h> |
6894 |
@@ -129993,6 +130192,14 @@ index 0000000..120db4d |
6895 |
+#endif |
6896 |
+ break; |
6897 |
+ |
6898 |
++ case T_FD: |
6899 |
++ case T_FILE: |
6900 |
++ case T_DIR: |
6901 |
++ case T_FIFO: |
6902 |
++ case T_SYMLINK: |
6903 |
++ case T_UNIXSOCK: |
6904 |
++ return -RSBAC_EINVALIDTARGET; |
6905 |
++ |
6906 |
+ default: |
6907 |
+ break; |
6908 |
+ } |
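Review bot: The new `case T_FD:` … `case T_UNIXSOCK:` group returns `-RSBAC_EINVALIDTARGET` without a word on why file-system targets are invalid for this call, and both the `switch` and the enclosing function start outside the hunk, so the hunk alone does not say what is being validated. A one-line comment above `case T_FD:` stating the reason (I cannot infer it from the hunk) would spare the next reader the trip to the callers.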