オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/patches/ccs-patch-2.4.34.diff

Annotation of /trunk/1.8.x/ccs-patch/patches/ccs-patch-2.4.34.diff

Parent Directory Parent Directory | Revision Log Revision Log

Revision 4049 - (hide annotations) (download) (as text)
Thu Oct 7 07:14:01 2010 UTC (13 years, 7 months ago) by kumaneko
File MIME type: text/x-diff
File size: 41581 byte(s) 
Merge branches/ccs-patch/ into trunk/1.8.x/ccs-patch/
1 kumaneko 1498 This is TOMOYO Linux patch for kernel 2.4.34.6.
2 kumaneko 869
3 kumaneko 1498 Source code for this patch is http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.34.6.tar.bz2
4 kumaneko 862 ---
5 kumaneko 3502 Makefile | 8 ++++++++
6 kumaneko 2858 arch/alpha/kernel/ptrace.c | 3 +++
7     arch/arm/kernel/ptrace.c | 3 +++
8     arch/cris/kernel/ptrace.c | 3 +++
9     arch/i386/kernel/ptrace.c | 3 +++
10     arch/ia64/ia32/sys_ia32.c | 3 +++
11     arch/ia64/kernel/ptrace.c | 3 +++
12     arch/m68k/kernel/ptrace.c | 3 +++
13     arch/mips/kernel/ptrace.c | 3 +++
14     arch/mips64/kernel/ptrace.c | 5 +++++
15     arch/parisc/kernel/ptrace.c | 3 +++
16     arch/ppc/kernel/ptrace.c | 3 +++
17     arch/ppc64/kernel/ptrace.c | 3 +++
18     arch/ppc64/kernel/ptrace32.c | 3 +++
19     arch/s390/kernel/ptrace.c | 3 +++
20     arch/s390x/kernel/ptrace.c | 3 +++
21     arch/sh/kernel/ptrace.c | 3 +++
22     arch/sh64/kernel/ptrace.c | 3 +++
23     arch/sparc/kernel/ptrace.c | 5 +++++
24     arch/sparc64/kernel/ptrace.c | 5 +++++
25     arch/x86_64/ia32/ptrace32.c | 3 +++
26     arch/x86_64/kernel/ptrace.c | 3 +++
27     fs/Config.in | 3 +++
28     fs/exec.c | 12 +++++++++++-
29 kumaneko 4049 fs/fcntl.c | 5 +++++
30 kumaneko 3854 fs/ioctl.c | 6 ++++++
31     fs/namei.c | 36 ++++++++++++++++++++++++++++++++++++
32 kumaneko 3856 fs/namespace.c | 17 +++++++++++++++++
33 kumaneko 3464 fs/open.c | 27 +++++++++++++++++++++++++++
34 kumaneko 2858 fs/proc/proc_misc.c | 1 +
35 kumaneko 2926 include/linux/sched.h | 14 ++++++++++++++
36     kernel/kmod.c | 5 +++++
37 kumaneko 2858 kernel/module.c | 7 +++++++
38     kernel/sched.c | 3 +++
39 kumaneko 2869 kernel/signal.c | 7 +++++++
40 kumaneko 2858 kernel/sys.c | 9 +++++++++
41     kernel/sysctl.c | 13 ++++++++++++-
42     kernel/time.c | 7 +++++++
43 kumaneko 3831 net/ipv4/raw.c | 12 +++++++++---
44 kumaneko 2858 net/ipv4/tcp_ipv4.c | 5 +++++
45 kumaneko 3831 net/ipv4/udp.c | 14 +++++++++++++-
46     net/ipv6/raw.c | 12 +++++++++---
47 kumaneko 2858 net/ipv6/tcp_ipv6.c | 3 +++
48 kumaneko 3831 net/ipv6/udp.c | 14 +++++++++++++-
49 kumaneko 3075 net/socket.c | 23 +++++++++++++++++++++--
50 kumaneko 3916 net/unix/af_unix.c | 9 +++++++++
51 kumaneko 4049 46 files changed, 329 insertions(+), 12 deletions(-)
52 kumaneko 862
53 kumaneko 3502 --- linux-2.4.34.6.orig/Makefile
54     +++ linux-2.4.34.6/Makefile
55     @@ -135,6 +135,14 @@ NETWORKS =net/network.o
56    
57     LIBS =$(TOPDIR)/lib/lib.a
58     SUBDIRS =kernel drivers mm fs net ipc lib crypto
59     +ifdef CONFIG_CCSECURITY
60     +SUBDIRS += security/ccsecurity
61     +ifdef CONFIG_CCSECURITY_LKM
62     +CORE_FILES += security/ccsecurity/load_policy.o
63     +else
64     +CORE_FILES += security/ccsecurity/ccsecurity.o
65     +endif
66     +endif
67    
68     DRIVERS-n :=
69     DRIVERS-y :=
70 kumaneko 1498 --- linux-2.4.34.6.orig/arch/alpha/kernel/ptrace.c
71     +++ linux-2.4.34.6/arch/alpha/kernel/ptrace.c
72 kumaneko 2796 @@ -18,6 +18,7 @@
73 kumaneko 863 #include <asm/pgtable.h>
74     #include <asm/system.h>
75     #include <asm/fpu.h>
76 kumaneko 2859 +#include <linux/ccsecurity.h>
77 kumaneko 863
78     #include "proto.h"
79    
80 kumaneko 2796 @@ -251,6 +252,8 @@ sys_ptrace(long request, long pid, long
81 kumaneko 863 {
82     struct task_struct *child;
83     long ret;
84 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
85 kumaneko 1151 + return -EPERM;
86 kumaneko 863
87     lock_kernel();
88     DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n",
89 kumaneko 1498 --- linux-2.4.34.6.orig/arch/arm/kernel/ptrace.c
90     +++ linux-2.4.34.6/arch/arm/kernel/ptrace.c
91 kumaneko 2796 @@ -22,6 +22,7 @@
92 kumaneko 863 #include <asm/uaccess.h>
93     #include <asm/pgtable.h>
94     #include <asm/system.h>
95 kumaneko 2859 +#include <linux/ccsecurity.h>
96 kumaneko 863
97     #include "ptrace.h"
98    
99 kumaneko 2796 @@ -695,6 +696,8 @@ asmlinkage int sys_ptrace(long request,
100 kumaneko 863 {
101     struct task_struct *child;
102     int ret;
103 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
104 kumaneko 1151 + return -EPERM;
105 kumaneko 863
106     lock_kernel();
107     ret = -EPERM;
108 kumaneko 1498 --- linux-2.4.34.6.orig/arch/cris/kernel/ptrace.c
109     +++ linux-2.4.34.6/arch/cris/kernel/ptrace.c
110 kumaneko 2796 @@ -48,6 +48,7 @@
111 kumaneko 863 #include <asm/pgtable.h>
112     #include <asm/system.h>
113     #include <asm/processor.h>
114 kumaneko 2859 +#include <linux/ccsecurity.h>
115 kumaneko 863
116     /*
117     * does not yet catch signals sent when the child dies.
118 kumaneko 2796 @@ -104,6 +105,8 @@ asmlinkage int sys_ptrace(long request,
119 kumaneko 863 {
120     struct task_struct *child;
121     int ret;
122 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
123 kumaneko 1151 + return -EPERM;
124 kumaneko 863
125     lock_kernel();
126     ret = -EPERM;
127 kumaneko 1498 --- linux-2.4.34.6.orig/arch/i386/kernel/ptrace.c
128     +++ linux-2.4.34.6/arch/i386/kernel/ptrace.c
129 kumaneko 2796 @@ -20,6 +20,7 @@
130 kumaneko 863 #include <asm/processor.h>
131     #include <asm/i387.h>
132     #include <asm/debugreg.h>
133 kumaneko 2859 +#include <linux/ccsecurity.h>
134 kumaneko 863
135     /*
136     * does not yet catch signals sent when the child dies.
137 kumaneko 2796 @@ -152,6 +153,8 @@ asmlinkage int sys_ptrace(long request,
138 kumaneko 863 struct task_struct *child;
139     struct user * dummy = NULL;
140     int i, ret;
141 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
142 kumaneko 1151 + return -EPERM;
143 kumaneko 863
144     lock_kernel();
145     ret = -EPERM;
146 kumaneko 1498 --- linux-2.4.34.6.orig/arch/ia64/ia32/sys_ia32.c
147     +++ linux-2.4.34.6/arch/ia64/ia32/sys_ia32.c
148 kumaneko 2796 @@ -57,6 +57,7 @@
149 kumaneko 1187 #include <net/scm.h>
150     #include <net/sock.h>
151     #include <asm/ia32.h>
152 kumaneko 2859 +#include <linux/ccsecurity.h>
153 kumaneko 1187
154     #define DEBUG 0
155    
156 kumaneko 2796 @@ -3131,6 +3132,8 @@ sys32_ptrace (int request, pid_t pid, un
157 kumaneko 1187 struct task_struct *child;
158     unsigned int value, tmp;
159     long i, ret;
160 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
161 kumaneko 1187 + return -EPERM;
162    
163     lock_kernel();
164     if (request == PTRACE_TRACEME) {
165 kumaneko 1498 --- linux-2.4.34.6.orig/arch/ia64/kernel/ptrace.c
166     +++ linux-2.4.34.6/arch/ia64/kernel/ptrace.c
167 kumaneko 2796 @@ -27,6 +27,7 @@
168 kumaneko 863 #ifdef CONFIG_PERFMON
169     #include <asm/perfmon.h>
170     #endif
171 kumaneko 2859 +#include <linux/ccsecurity.h>
172 kumaneko 863
173     #define offsetof(type,field) ((unsigned long) &((type *) 0)->field)
174    
175 kumaneko 2796 @@ -1273,6 +1274,8 @@ sys_ptrace (long request, pid_t pid, uns
176 kumaneko 863 struct task_struct *child;
177     struct switch_stack *sw;
178     long ret;
179 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
180 kumaneko 1151 + return -EPERM;
181 kumaneko 863
182     lock_kernel();
183     ret = -EPERM;
184 kumaneko 1498 --- linux-2.4.34.6.orig/arch/m68k/kernel/ptrace.c
185     +++ linux-2.4.34.6/arch/m68k/kernel/ptrace.c
186 kumaneko 2796 @@ -25,6 +25,7 @@
187 kumaneko 863 #include <asm/pgtable.h>
188     #include <asm/system.h>
189     #include <asm/processor.h>
190 kumaneko 2859 +#include <linux/ccsecurity.h>
191 kumaneko 863
192     /*
193     * does not yet catch signals sent when the child dies.
194 kumaneko 2796 @@ -104,6 +105,8 @@ asmlinkage int sys_ptrace(long request,
195 kumaneko 863 {
196     struct task_struct *child;
197     int ret;
198 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
199 kumaneko 1151 + return -EPERM;
200 kumaneko 863
201     lock_kernel();
202     ret = -EPERM;
203 kumaneko 1498 --- linux-2.4.34.6.orig/arch/mips/kernel/ptrace.c
204     +++ linux-2.4.34.6/arch/mips/kernel/ptrace.c
205 kumaneko 2796 @@ -28,6 +28,7 @@
206 kumaneko 863 #include <asm/bootinfo.h>
207     #include <asm/cpu.h>
208     #include <asm/fpu.h>
209 kumaneko 2859 +#include <linux/ccsecurity.h>
210 kumaneko 863
211     /*
212     * Called by kernel/ptrace.c when detaching..
213 kumaneko 2796 @@ -43,6 +44,8 @@ asmlinkage int sys_ptrace(long request,
214 kumaneko 863 {
215     struct task_struct *child;
216     int ret;
217 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
218 kumaneko 1151 + return -EPERM;
219 kumaneko 863
220     lock_kernel();
221     #if 0
222 kumaneko 1498 --- linux-2.4.34.6.orig/arch/mips64/kernel/ptrace.c
223     +++ linux-2.4.34.6/arch/mips64/kernel/ptrace.c
224 kumaneko 2796 @@ -30,6 +30,7 @@
225 kumaneko 863 #include <asm/system.h>
226     #include <asm/uaccess.h>
227     #include <asm/bootinfo.h>
228 kumaneko 2859 +#include <linux/ccsecurity.h>
229 kumaneko 863
230     /*
231     * Called by kernel/ptrace.c when detaching..
232 kumaneko 2796 @@ -49,6 +50,8 @@ asmlinkage int sys32_ptrace(int request,
233 kumaneko 863 {
234     struct task_struct *child;
235     int ret;
236 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
237 kumaneko 1151 + return -EPERM;
238 kumaneko 863
239     lock_kernel();
240     ret = -EPERM;
241 kumaneko 2796 @@ -288,6 +291,8 @@ asmlinkage int sys_ptrace(long request,
242 kumaneko 863 {
243     struct task_struct *child;
244     int ret;
245 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
246 kumaneko 1151 + return -EPERM;
247 kumaneko 863
248     lock_kernel();
249     #if 0
250 kumaneko 1498 --- linux-2.4.34.6.orig/arch/parisc/kernel/ptrace.c
251     +++ linux-2.4.34.6/arch/parisc/kernel/ptrace.c
252 kumaneko 2796 @@ -21,6 +21,7 @@
253 kumaneko 863 #include <asm/system.h>
254     #include <asm/processor.h>
255     #include <asm/offset.h>
256 kumaneko 2859 +#include <linux/ccsecurity.h>
257 kumaneko 863
258     /* These are used in entry.S, syscall_restore_rfi. We need to record the
259     * current stepping mode somewhere other than in PSW, because there is no
260 kumaneko 2796 @@ -94,6 +95,8 @@ long sys_ptrace(long request, pid_t pid,
261 kumaneko 863 #ifdef DEBUG_PTRACE
262     long oaddr=addr, odata=data;
263     #endif
264 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
265 kumaneko 1151 + return -EPERM;
266 kumaneko 863
267     lock_kernel();
268     ret = -EPERM;
269 kumaneko 1498 --- linux-2.4.34.6.orig/arch/ppc/kernel/ptrace.c
270     +++ linux-2.4.34.6/arch/ppc/kernel/ptrace.c
271 kumaneko 2796 @@ -29,6 +29,7 @@
272 kumaneko 863 #include <asm/page.h>
273     #include <asm/pgtable.h>
274     #include <asm/system.h>
275 kumaneko 2859 +#include <linux/ccsecurity.h>
276 kumaneko 863
277     /*
278     * Set of msr bits that gdb can change on behalf of a process.
279 kumaneko 2796 @@ -171,6 +172,8 @@ int sys_ptrace(long request, long pid, l
280 kumaneko 863 {
281     struct task_struct *child;
282     int ret = -EPERM;
283 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
284 kumaneko 1151 + return -EPERM;
285 kumaneko 863
286     lock_kernel();
287     if (request == PTRACE_TRACEME) {
288 kumaneko 1498 --- linux-2.4.34.6.orig/arch/ppc64/kernel/ptrace.c
289     +++ linux-2.4.34.6/arch/ppc64/kernel/ptrace.c
290 kumaneko 2796 @@ -30,6 +30,7 @@
291 kumaneko 863 #include <asm/page.h>
292     #include <asm/pgtable.h>
293     #include <asm/system.h>
294 kumaneko 2859 +#include <linux/ccsecurity.h>
295 kumaneko 863
296     /*
297     * Set of msr bits that gdb can change on behalf of a process.
298 kumaneko 2796 @@ -120,6 +121,8 @@ int sys_ptrace(long request, long pid, l
299 kumaneko 863 {
300     struct task_struct *child;
301     int ret = -EPERM;
302 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
303 kumaneko 1151 + return -EPERM;
304 kumaneko 863
305     lock_kernel();
306     if (request == PTRACE_TRACEME) {
307 kumaneko 1498 --- linux-2.4.34.6.orig/arch/ppc64/kernel/ptrace32.c
308     +++ linux-2.4.34.6/arch/ppc64/kernel/ptrace32.c
309 kumaneko 2796 @@ -30,6 +30,7 @@
310 kumaneko 1187 #include <asm/page.h>
311     #include <asm/pgtable.h>
312     #include <asm/system.h>
313 kumaneko 2859 +#include <linux/ccsecurity.h>
314 kumaneko 1187
315     #ifdef CONFIG_ALTIVEC
316     /*
317 kumaneko 2796 @@ -121,6 +122,8 @@ int sys32_ptrace(long request, long pid,
318 kumaneko 1187 {
319     struct task_struct *child;
320     int ret = -EPERM;
321 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
322 kumaneko 1187 + return -EPERM;
323    
324     lock_kernel();
325     if (request == PTRACE_TRACEME) {
326 kumaneko 1498 --- linux-2.4.34.6.orig/arch/s390/kernel/ptrace.c
327     +++ linux-2.4.34.6/arch/s390/kernel/ptrace.c
328 kumaneko 2796 @@ -37,6 +37,7 @@
329 kumaneko 863 #include <asm/pgalloc.h>
330     #include <asm/system.h>
331     #include <asm/uaccess.h>
332 kumaneko 2859 +#include <linux/ccsecurity.h>
333 kumaneko 863
334    
335     void FixPerRegisters(struct task_struct *task)
336 kumaneko 2796 @@ -221,6 +222,8 @@ asmlinkage int sys_ptrace(long request,
337 kumaneko 863 unsigned long tmp;
338     int copied;
339     ptrace_area parea;
340 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
341 kumaneko 1151 + return -EPERM;
342 kumaneko 863
343     lock_kernel();
344     if (request == PTRACE_TRACEME)
345 kumaneko 1498 --- linux-2.4.34.6.orig/arch/s390x/kernel/ptrace.c
346     +++ linux-2.4.34.6/arch/s390x/kernel/ptrace.c
347 kumaneko 2796 @@ -43,6 +43,7 @@
348 kumaneko 863 #else
349     #define parent_31bit 0
350     #endif
351 kumaneko 2859 +#include <linux/ccsecurity.h>
352 kumaneko 863
353    
354     void FixPerRegisters(struct task_struct *task)
355 kumaneko 2796 @@ -431,6 +432,8 @@ asmlinkage int sys_ptrace(long request,
356 kumaneko 863 #define sizeof_parent_long 8
357     #define dataptr (u8 *)&data
358     #endif
359 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
360 kumaneko 1151 + return -EPERM;
361 kumaneko 863 lock_kernel();
362     if (request == PTRACE_TRACEME)
363     {
364 kumaneko 1498 --- linux-2.4.34.6.orig/arch/sh/kernel/ptrace.c
365     +++ linux-2.4.34.6/arch/sh/kernel/ptrace.c
366 kumaneko 2796 @@ -26,6 +26,7 @@
367 kumaneko 863 #include <asm/system.h>
368     #include <asm/processor.h>
369     #include <asm/mmu_context.h>
370 kumaneko 2859 +#include <linux/ccsecurity.h>
371 kumaneko 863
372     /*
373     * does not yet catch signals sent when the child dies.
374 kumaneko 2796 @@ -144,6 +145,8 @@ asmlinkage int sys_ptrace(long request,
375 kumaneko 863 struct task_struct *child, *tsk = current;
376     struct user * dummy = NULL;
377     int ret;
378 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
379 kumaneko 1151 + return -EPERM;
380 kumaneko 863
381     lock_kernel();
382     ret = -EPERM;
383 kumaneko 1498 --- linux-2.4.34.6.orig/arch/sh64/kernel/ptrace.c
384     +++ linux-2.4.34.6/arch/sh64/kernel/ptrace.c
385 kumaneko 2796 @@ -32,6 +32,7 @@
386 kumaneko 863 #include <asm/system.h>
387     #include <asm/processor.h>
388     #include <asm/mmu_context.h>
389 kumaneko 2859 +#include <linux/ccsecurity.h>
390 kumaneko 863
391     /* This mask defines the bits of the SR which the user is not allowed to
392     change, which are everything except S, Q, M, PR, SZ, FR. */
393 kumaneko 2796 @@ -122,6 +123,8 @@ asmlinkage int sys_ptrace(long request,
394 kumaneko 863 {
395     struct task_struct *child, *tsk = current;
396     int ret;
397 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
398 kumaneko 1151 + return -EPERM;
399 kumaneko 863
400     lock_kernel();
401     ret = -EPERM;
402 kumaneko 1498 --- linux-2.4.34.6.orig/arch/sparc/kernel/ptrace.c
403     +++ linux-2.4.34.6/arch/sparc/kernel/ptrace.c
404 kumaneko 2796 @@ -21,6 +21,7 @@
405 kumaneko 863 #include <asm/pgtable.h>
406     #include <asm/system.h>
407     #include <asm/uaccess.h>
408 kumaneko 2859 +#include <linux/ccsecurity.h>
409 kumaneko 863
410     #define MAGIC_CONSTANT 0x80000000
411    
412 kumaneko 2796 @@ -262,6 +263,10 @@ asmlinkage void do_ptrace(struct pt_regs
413 kumaneko 863 unsigned long data = regs->u_regs[UREG_I3];
414     unsigned long addr2 = regs->u_regs[UREG_I4];
415     struct task_struct *child;
416 kumaneko 3111 + if (ccs_ptrace_permission(request, pid)) {
417 kumaneko 877 + pt_error_return(regs, EPERM);
418     + return;
419     + }
420 kumaneko 863
421     lock_kernel();
422     #ifdef DEBUG_PTRACE
423 kumaneko 1498 --- linux-2.4.34.6.orig/arch/sparc64/kernel/ptrace.c
424     +++ linux-2.4.34.6/arch/sparc64/kernel/ptrace.c
425 kumaneko 2796 @@ -26,6 +26,7 @@
426 kumaneko 863 #include <asm/psrcompat.h>
427     #include <asm/visasm.h>
428     #include <asm/spitfire.h>
429 kumaneko 2859 +#include <linux/ccsecurity.h>
430 kumaneko 863
431     #define MAGIC_CONSTANT 0x80000000
432    
433 kumaneko 2796 @@ -108,6 +109,10 @@ asmlinkage void do_ptrace(struct pt_regs
434 kumaneko 863 unsigned long data = regs->u_regs[UREG_I3];
435     unsigned long addr2 = regs->u_regs[UREG_I4];
436     struct task_struct *child;
437 kumaneko 3111 + if (ccs_ptrace_permission(request, pid)) {
438 kumaneko 877 + pt_error_return(regs, EPERM);
439     + return;
440     + }
441 kumaneko 863
442     if (current->thread.flags & SPARC_FLAG_32BIT) {
443     addr &= 0xffffffffUL;
444 kumaneko 1498 --- linux-2.4.34.6.orig/arch/x86_64/ia32/ptrace32.c
445     +++ linux-2.4.34.6/arch/x86_64/ia32/ptrace32.c
446 kumaneko 2796 @@ -24,6 +24,7 @@
447 kumaneko 1187 #include <asm/i387.h>
448     #include <asm/fpu32.h>
449     #include <linux/mm.h>
450 kumaneko 2859 +#include <linux/ccsecurity.h>
451 kumaneko 1187
452     /* determines which flags the user has access to. */
453     /* 1 = access 0 = no access */
454 kumaneko 2796 @@ -203,6 +204,8 @@ asmlinkage long sys32_ptrace(long reques
455 kumaneko 1187 struct pt_regs *childregs;
456     int ret;
457     __u32 val;
458 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
459 kumaneko 1187 + return -EPERM;
460    
461     switch (request) {
462     case PTRACE_TRACEME:
463 kumaneko 1498 --- linux-2.4.34.6.orig/arch/x86_64/kernel/ptrace.c
464     +++ linux-2.4.34.6/arch/x86_64/kernel/ptrace.c
465 kumaneko 2796 @@ -22,6 +22,7 @@
466 kumaneko 863 #include <asm/processor.h>
467     #include <asm/i387.h>
468     #include <asm/debugreg.h>
469 kumaneko 2859 +#include <linux/ccsecurity.h>
470 kumaneko 863
471     /*
472     * does not yet catch signals sent when the child dies.
473 kumaneko 2796 @@ -180,6 +181,8 @@ asmlinkage long sys_ptrace(long request,
474 kumaneko 863 struct task_struct *child;
475     struct user * dummy = NULL;
476     long i, ret;
477 kumaneko 3111 + if (ccs_ptrace_permission(request, pid))
478 kumaneko 1151 + return -EPERM;
479 kumaneko 863
480     /* This lock_kernel fixes a subtle race with suid exec */
481     lock_kernel();
482 kumaneko 1498 --- linux-2.4.34.6.orig/fs/Config.in
483     +++ linux-2.4.34.6/fs/Config.in
484 kumaneko 111 @@ -176,4 +176,7 @@ comment 'Partition Types'
485     source fs/partitions/Config.in
486     endmenu
487     source fs/nls/Config.in
488     +
489 kumaneko 2886 endmenu
490     +
491 kumaneko 2858 +source security/ccsecurity/Config.in
492 kumaneko 1498 --- linux-2.4.34.6.orig/fs/exec.c
493     +++ linux-2.4.34.6/fs/exec.c
494 kumaneko 2796 @@ -48,6 +48,8 @@
495 kumaneko 111 #include <linux/kmod.h>
496     #endif
497    
498 kumaneko 2859 +#include <linux/ccsecurity.h>
499 kumaneko 111 +
500     int core_uses_pid;
501     char core_pattern[65] = "core";
502     int core_setuid_ok = 0;
503 kumaneko 2796 @@ -125,6 +127,10 @@ asmlinkage long sys_uselib(const char *
504 kumaneko 111 if (error)
505     goto exit;
506    
507 kumaneko 2922 + error = ccs_uselib_permission(nd.dentry, nd.mnt);
508 kumaneko 1151 + if (error)
509     + goto exit;
510 kumaneko 111 +
511     file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
512     error = PTR_ERR(file);
513     if (IS_ERR(file))
514 kumaneko 2796 @@ -389,6 +395,9 @@ struct file *open_exec(const char *name)
515 kumaneko 115 int err = permission(inode, MAY_EXEC);
516     if (!err && !(inode->i_mode & 0111))
517     err = -EACCES;
518 kumaneko 2306 + if (!err)
519 kumaneko 2922 + err = ccs_open_exec_permission(nd.dentry,
520 kumaneko 2306 + nd.mnt);
521 kumaneko 115 file = ERR_PTR(err);
522     if (!err) {
523     file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
524 kumaneko 2796 @@ -978,7 +987,8 @@ int do_execve(char * filename, char ** a
525 kumaneko 115 if (retval < 0)
526 kumaneko 111 goto out;
527    
528 kumaneko 115 - retval = search_binary_handler(&bprm,regs);
529 kumaneko 2300 + retval = ccs_search_binary_handler(&bprm, regs);
530 kumaneko 111 +
531     if (retval >= 0)
532     /* execve success */
533     return retval;
534 kumaneko 1498 --- linux-2.4.34.6.orig/fs/fcntl.c
535     +++ linux-2.4.34.6/fs/fcntl.c
536 kumaneko 2796 @@ -16,6 +16,7 @@
537 kumaneko 111 #include <asm/poll.h>
538     #include <asm/siginfo.h>
539     #include <asm/uaccess.h>
540 kumaneko 2859 +#include <linux/ccsecurity.h>
541 kumaneko 111
542     extern int sock_fcntl (struct file *, unsigned int cmd, unsigned long arg);
543     extern int fcntl_setlease(unsigned int fd, struct file *filp, long arg);
544 kumaneko 4049 @@ -346,6 +347,8 @@ asmlinkage long sys_fcntl(unsigned int f
545     if (!filp)
546     goto out;
547 kumaneko 111
548 kumaneko 4049 + err = ccs_fcntl_permission(filp, cmd, arg);
549     + if (!err)
550     err = do_fcntl(fd, cmd, arg, filp);
551    
552     fput(filp);
553     @@ -364,6 +367,8 @@ asmlinkage long sys_fcntl64(unsigned int
554     if (!filp)
555     goto out;
556    
557     + err = ccs_fcntl_permission(filp, cmd, arg);
558     + if (!err)
559     switch (cmd) {
560     case F_GETLK64:
561     err = fcntl_getlk64(fd, (struct flock64 *) arg);
562 kumaneko 1498 --- linux-2.4.34.6.orig/fs/ioctl.c
563     +++ linux-2.4.34.6/fs/ioctl.c
564 kumaneko 2796 @@ -10,6 +10,7 @@
565 kumaneko 111
566     #include <asm/uaccess.h>
567     #include <asm/ioctls.h>
568 kumaneko 2859 +#include <linux/ccsecurity.h>
569 kumaneko 111
570     static int file_ioctl(struct file *filp,unsigned int cmd,unsigned long arg)
571     {
572 kumaneko 2796 @@ -55,6 +56,11 @@ asmlinkage long sys_ioctl(unsigned int f
573 kumaneko 2279 filp = fget(fd);
574     if (!filp)
575     goto out;
576 kumaneko 2922 + error = ccs_ioctl_permission(filp, cmd, arg);
577 kumaneko 2283 + if (error) {
578     + fput(filp);
579 kumaneko 2279 + goto out;
580 kumaneko 2283 + }
581 kumaneko 2279 error = 0;
582     lock_kernel();
583     switch (cmd) {
584 kumaneko 1498 --- linux-2.4.34.6.orig/fs/namei.c
585     +++ linux-2.4.34.6/fs/namei.c
586 kumaneko 2796 @@ -28,6 +28,9 @@
587 kumaneko 111
588     #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
589    
590 kumaneko 2859 +#include <linux/ccsecurity.h>
591 kumaneko 111 +#include <linux/module.h>
592     +
593     /* [Feb-1997 T. Schoebel-Theuer]
594     * Fundamental changes in the pathname lookup mechanisms (namei)
595     * were necessary because of omirr. The reason is that omirr needs
596 kumaneko 3854 @@ -1053,6 +1056,9 @@ do_last:
597 kumaneko 111
598     /* Negative dentry, just create the file */
599     if (!dentry->d_inode) {
600 kumaneko 2922 + error = ccs_mknod_permission(dir->d_inode, dentry, nd->mnt,
601     + mode & ~current->fs->umask, 0);
602 kumaneko 1151 + if (!error)
603 kumaneko 111 error = vfs_create(dir->d_inode, dentry,
604     mode & ~current->fs->umask);
605     up(&dir->d_inode->i_sem);
606 kumaneko 3854 @@ -1139,6 +1145,11 @@ ok:
607 kumaneko 111 goto exit;
608     }
609    
610 kumaneko 1151 + /* includes O_APPEND and O_TRUNC checks */
611 kumaneko 2922 + error = ccs_open_permission(dentry, nd->mnt, flag);
612 kumaneko 1151 + if (error)
613     + goto exit;
614 kumaneko 111 +
615     /*
616     * Ensure there are no outstanding leases on the file.
617     */
618 kumaneko 3854 @@ -1277,6 +1288,7 @@ asmlinkage long sys_mknod(const char * f
619 kumaneko 111
620     if (S_ISDIR(mode))
621     return -EPERM;
622     +
623     tmp = getname(filename);
624     if (IS_ERR(tmp))
625     return PTR_ERR(tmp);
626 kumaneko 3854 @@ -1289,6 +1301,9 @@ asmlinkage long sys_mknod(const char * f
627 kumaneko 2297
628     mode &= ~current->fs->umask;
629 kumaneko 111 if (!IS_ERR(dentry)) {
630 kumaneko 2922 + error = ccs_mknod_permission(nd.dentry->d_inode, dentry,
631     + nd.mnt, mode, dev);
632 kumaneko 2297 + if (!error)
633 kumaneko 111 switch (mode & S_IFMT) {
634     case 0: case S_IFREG:
635     error = vfs_create(nd.dentry->d_inode,dentry,mode);
636 kumaneko 3854 @@ -1355,6 +1370,9 @@ asmlinkage long sys_mkdir(const char * p
637 kumaneko 111 dentry = lookup_create(&nd, 1);
638     error = PTR_ERR(dentry);
639     if (!IS_ERR(dentry)) {
640 kumaneko 2922 + error = ccs_mkdir_permission(nd.dentry->d_inode,
641     + dentry, nd.mnt, mode);
642 kumaneko 1151 + if (!error)
643 kumaneko 111 error = vfs_mkdir(nd.dentry->d_inode, dentry,
644     mode & ~current->fs->umask);
645     dput(dentry);
646 kumaneko 3854 @@ -1464,6 +1482,9 @@ asmlinkage long sys_rmdir(const char * p
647 kumaneko 111 dentry = lookup_hash(&nd.last, nd.dentry);
648     error = PTR_ERR(dentry);
649     if (!IS_ERR(dentry)) {
650 kumaneko 2922 + error = ccs_rmdir_permission(nd.dentry->d_inode, dentry,
651     + nd.mnt);
652 kumaneko 1151 + if (!error)
653 kumaneko 111 error = vfs_rmdir(nd.dentry->d_inode, dentry);
654     dput(dentry);
655     }
656 kumaneko 3854 @@ -1533,6 +1554,9 @@ asmlinkage long sys_unlink(const char *
657 kumaneko 111 /* Why not before? Because we want correct error value */
658     if (nd.last.name[nd.last.len])
659     goto slashes;
660 kumaneko 2922 + error = ccs_unlink_permission(nd.dentry->d_inode, dentry,
661     + nd.mnt);
662 kumaneko 2297 + if (!error)
663 kumaneko 111 error = vfs_unlink(nd.dentry->d_inode, dentry);
664     exit2:
665     dput(dentry);
666 kumaneko 3854 @@ -1597,6 +1621,9 @@ asmlinkage long sys_symlink(const char *
667 kumaneko 111 dentry = lookup_create(&nd, 0);
668     error = PTR_ERR(dentry);
669     if (!IS_ERR(dentry)) {
670 kumaneko 2922 + error = ccs_symlink_permission(nd.dentry->d_inode,
671     + dentry, nd.mnt, from);
672 kumaneko 1151 + if (!error)
673 kumaneko 111 error = vfs_symlink(nd.dentry->d_inode, dentry, from);
674     dput(dentry);
675     }
676 kumaneko 3854 @@ -1683,6 +1710,10 @@ asmlinkage long sys_link(const char * ol
677 kumaneko 111 new_dentry = lookup_create(&nd, 0);
678     error = PTR_ERR(new_dentry);
679     if (!IS_ERR(new_dentry)) {
680 kumaneko 2922 + error = ccs_link_permission(old_nd.dentry,
681     + nd.dentry->d_inode,
682     + new_dentry, nd.mnt);
683 kumaneko 1151 + if (!error)
684 kumaneko 111 error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
685     dput(new_dentry);
686     }
687 kumaneko 3854 @@ -1913,12 +1944,17 @@ static inline int do_rename(const char *
688 kumaneko 111 error = PTR_ERR(new_dentry);
689     if (IS_ERR(new_dentry))
690     goto exit4;
691 kumaneko 2922 + error = ccs_rename_permission(old_dir->d_inode, old_dentry,
692     + new_dir->d_inode, new_dentry, newnd.mnt);
693 kumaneko 2297 + if (error)
694     + goto exit5;
695 kumaneko 111
696     lock_kernel();
697     error = vfs_rename(old_dir->d_inode, old_dentry,
698 kumaneko 2297 new_dir->d_inode, new_dentry);
699     unlock_kernel();
700    
701     +exit5:
702     dput(new_dentry);
703     exit4:
704     dput(old_dentry);
705 kumaneko 1498 --- linux-2.4.34.6.orig/fs/namespace.c
706     +++ linux-2.4.34.6/fs/namespace.c
707 kumaneko 2859 @@ -21,6 +21,8 @@
708 kumaneko 111 #include <linux/seq_file.h>
709     #include <linux/namespace.h>
710    
711 kumaneko 2859 +#include <linux/ccsecurity.h>
712 kumaneko 111 +
713     struct vfsmount *do_kern_mount(const char *type, int flags, char *name, void *data);
714     int do_remount_sb(struct super_block *sb, int flags, void * data);
715     void kill_super(struct super_block *sb);
716 kumaneko 3052 @@ -290,6 +292,9 @@ static int do_umount(struct vfsmount *mn
717 kumaneko 111 {
718     struct super_block * sb = mnt->mnt_sb;
719     int retval = 0;
720 kumaneko 3052 + retval = ccs_umount_permission(mnt, flags);
721     + if (retval)
722     + return retval;
723 kumaneko 111
724     /*
725     * If we may have to abort operations to get out of this
726 kumaneko 3854 @@ -700,6 +705,7 @@ static int copy_mount_options (const voi
727 kumaneko 3052 long do_mount(char * dev_name, char * dir_name, char *type_page,
728     unsigned long flags, void *data_page)
729     {
730     + const unsigned long original_flags = flags;
731     struct nameidata nd;
732     int retval = 0;
733     int mnt_flags = 0;
734 kumaneko 3854 @@ -732,6 +738,11 @@ long do_mount(char * dev_name, char * di
735 kumaneko 3052 if (retval)
736     return retval;
737 kumaneko 115
738 kumaneko 3584 + retval = ccs_mount_permission(dev_name, &nd, type_page, original_flags,
739     + data_page);
740 kumaneko 1151 + if (retval)
741 kumaneko 3052 + goto out;
742 kumaneko 111 +
743 kumaneko 3052 if (flags & MS_REMOUNT)
744     retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
745     data_page);
746 kumaneko 3854 @@ -742,6 +753,7 @@ long do_mount(char * dev_name, char * di
747 kumaneko 3052 else
748     retval = do_add_mount(&nd, type_page, flags, mnt_flags,
749     dev_name, data_page);
750     + out:
751     path_release(&nd);
752     return retval;
753     }
754 kumaneko 3854 @@ -925,6 +937,11 @@ asmlinkage long sys_pivot_root(const cha
755 kumaneko 141 if (error)
756     goto out1;
757    
758 kumaneko 3584 + error = ccs_pivot_root_permission(&old_nd, &new_nd);
759 kumaneko 141 + if (error) {
760     + path_release(&old_nd);
761     + goto out1;
762     + }
763     read_lock(&current->fs->lock);
764     user_nd.mnt = mntget(current->fs->rootmnt);
765     user_nd.dentry = dget(current->fs->root);
766 kumaneko 1498 --- linux-2.4.34.6.orig/fs/open.c
767     +++ linux-2.4.34.6/fs/open.c
768 kumaneko 2859 @@ -20,6 +20,8 @@
769 kumaneko 111
770     #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m))
771    
772 kumaneko 2859 +#include <linux/ccsecurity.h>
773 kumaneko 111 +
774     int vfs_statfs(struct super_block *sb, struct statfs *buf)
775     {
776     int retval = -ENODEV;
777 kumaneko 2859 @@ -162,6 +164,9 @@ static inline long do_sys_truncate(const
778 kumaneko 111 if (error)
779     goto dput_and_out;
780    
781 kumaneko 3854 + error = ccs_truncate_permission(nd.dentry, nd.mnt);
782 kumaneko 1151 + if (!error)
783 kumaneko 111 +
784     error = locks_verify_truncate(inode, NULL, length);
785     if (!error) {
786     DQUOT_INIT(inode);
787 kumaneko 2922 @@ -215,6 +220,9 @@ static inline long do_sys_ftruncate(unsi
788 kumaneko 111 if (IS_APPEND(inode))
789     goto out_putf;
790    
791 kumaneko 3854 + error = ccs_truncate_permission(dentry, file->f_vfsmnt);
792 kumaneko 1163 + if (error)
793     + goto out_putf;
794 kumaneko 111 error = locks_verify_truncate(inode, file, length);
795     if (!error)
796     error = do_truncate(dentry, length);
797 kumaneko 3464 @@ -464,6 +472,8 @@ asmlinkage long sys_chroot(const char *
798 kumaneko 141 error = -EPERM;
799     if (!capable(CAP_SYS_CHROOT))
800     goto dput_and_out;
801 kumaneko 3584 + if (ccs_chroot_permission(&nd))
802 kumaneko 1151 + goto dput_and_out;
803 kumaneko 141
804 kumaneko 111 set_fs_root(current->fs, nd.mnt, nd.dentry);
805     set_fs_altroot();
806 kumaneko 3464 @@ -495,6 +505,9 @@ asmlinkage long sys_fchmod(unsigned int
807 kumaneko 2869 err = -EPERM;
808     if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
809     goto out_putf;
810     + err = ccs_chmod_permission(dentry, file->f_vfsmnt, mode);
811     + if (err)
812     + goto out_putf;
813     if (mode == (mode_t) -1)
814     mode = inode->i_mode;
815     newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
816 kumaneko 3464 @@ -526,6 +539,9 @@ asmlinkage long sys_chmod(const char * f
817 kumaneko 2869 error = -EPERM;
818     if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
819     goto dput_and_out;
820     + error = ccs_chmod_permission(nd.dentry, nd.mnt, mode);
821     + if (error)
822     + goto dput_and_out;
823    
824     if (mode == (mode_t) -1)
825     mode = inode->i_mode;
826 kumaneko 3464 @@ -606,6 +622,8 @@ asmlinkage long sys_chown(const char * f
827 kumaneko 2869
828     error = user_path_walk(filename, &nd);
829     if (!error) {
830     + error = ccs_chown_permission(nd.dentry, nd.mnt, user, group);
831     + if (!error)
832     error = chown_common(nd.dentry, user, group);
833     path_release(&nd);
834     }
835 kumaneko 3464 @@ -619,6 +637,8 @@ asmlinkage long sys_lchown(const char *
836 kumaneko 2869
837     error = user_path_walk_link(filename, &nd);
838     if (!error) {
839     + error = ccs_chown_permission(nd.dentry, nd.mnt, user, group);
840     + if (!error)
841     error = chown_common(nd.dentry, user, group);
842     path_release(&nd);
843     }
844 kumaneko 3464 @@ -633,6 +653,9 @@ asmlinkage long sys_fchown(unsigned int
845 kumaneko 2869
846     file = fget(fd);
847     if (file) {
848     + error = ccs_chown_permission(file->f_dentry, file->f_vfsmnt,
849     + user, group);
850     + if (!error)
851     error = chown_common(file->f_dentry, user, group);
852     fput(file);
853     }
854 kumaneko 3464 @@ -664,7 +687,9 @@ struct file *filp_open(const char * file
855 kumaneko 2950 if (namei_flags & O_TRUNC)
856     namei_flags |= 2;
857    
858     + ccs_save_open_mode(flags);
859     error = open_namei(filename, namei_flags, mode, &nd);
860     + ccs_clear_open_mode();
861     if (!error)
862     return dentry_open(nd.dentry, nd.mnt, flags);
863    
864 kumaneko 3464 @@ -895,6 +920,8 @@ out_unlock:
865 kumaneko 111 */
866     asmlinkage long sys_vhangup(void)
867     {
868 kumaneko 2282 + if (!ccs_capable(CCS_SYS_VHANGUP))
869 kumaneko 1151 + return -EPERM;
870 kumaneko 111 if (capable(CAP_SYS_TTY_CONFIG)) {
871     tty_vhangup(current->tty);
872     return 0;
873 kumaneko 1498 --- linux-2.4.34.6.orig/fs/proc/proc_misc.c
874     +++ linux-2.4.34.6/fs/proc/proc_misc.c
875 kumaneko 2796 @@ -670,4 +670,5 @@ void __init proc_misc_init(void)
876 kumaneko 111 entry->proc_fops = &ppc_htab_operations;
877     }
878     #endif
879 kumaneko 3914 + printk(KERN_INFO "Hook version: 2.4.34.6 2010/08/23\n");
880 kumaneko 111 }
881 kumaneko 1498 --- linux-2.4.34.6.orig/include/linux/sched.h
882     +++ linux-2.4.34.6/include/linux/sched.h
883 kumaneko 3141 @@ -123,6 +123,15 @@ struct completion;
884 kumaneko 111
885 kumaneko 3141 #ifdef __KERNEL__
886 kumaneko 111
887 kumaneko 2926 +#ifdef CONFIG_CCSECURITY
888 kumaneko 2282 +struct ccs_domain_info;
889 kumaneko 2926 +#define INIT_CCSECURITY \
890     + .ccs_domain_info = NULL, \
891     + .ccs_flags = 0,
892     +#else
893     +#define INIT_CCSECURITY
894     +#endif
895 kumaneko 111 +
896 kumaneko 3141 #include <linux/spinlock.h>
897    
898 kumaneko 111 /*
899 kumaneko 2926 @@ -415,6 +424,10 @@ struct task_struct {
900 kumaneko 111
901     /* journalling filesystem info */
902     void *journal_info;
903 kumaneko 2926 +#ifdef CONFIG_CCSECURITY
904 kumaneko 2282 + struct ccs_domain_info *ccs_domain_info;
905     + u32 ccs_flags;
906 kumaneko 2926 +#endif
907 kumaneko 111 };
908    
909     /*
910 kumaneko 2926 @@ -510,6 +523,7 @@ extern struct exec_domain default_exec_d
911 kumaneko 111 blocked: {{0}}, \
912     alloc_lock: SPIN_LOCK_UNLOCKED, \
913     journal_info: NULL, \
914 kumaneko 2926 + INIT_CCSECURITY \
915 kumaneko 111 }
916    
917    
918 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/kmod.c
919     +++ linux-2.4.34.6/kernel/kmod.c
920 kumaneko 2926 @@ -134,6 +134,11 @@ int exec_usermodehelper(char *program_pa
921 kumaneko 111 /* Allow execve args to be in kernel space. */
922     set_fs(KERNEL_DS);
923    
924 kumaneko 2926 +#ifdef CONFIG_CCSECURITY
925 kumaneko 2282 + current->ccs_domain_info = NULL;
926     + current->ccs_flags = 0;
927 kumaneko 2926 +#endif
928 kumaneko 111 +
929     /* Go, go, go... */
930     if (execve(program_path, argv, envp) < 0)
931     return -errno;
932 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/module.c
933     +++ linux-2.4.34.6/kernel/module.c
934 kumaneko 2796 @@ -10,6 +10,7 @@
935 kumaneko 111 #include <linux/slab.h>
936     #include <linux/kmod.h>
937     #include <linux/seq_file.h>
938 kumaneko 2859 +#include <linux/ccsecurity.h>
939 kumaneko 111
940     /*
941     * Originally by Anonymous (as far as I know...)
942 kumaneko 2796 @@ -298,6 +299,8 @@ sys_create_module(const char *name_user,
943 kumaneko 111
944     if (!capable(CAP_SYS_MODULE))
945     return -EPERM;
946 kumaneko 2282 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
947 kumaneko 1151 + return -EPERM;
948 kumaneko 111 lock_kernel();
949     if ((namelen = get_mod_name(name_user, &name)) < 0) {
950     error = namelen;
951 kumaneko 2796 @@ -353,6 +356,8 @@ sys_init_module(const char *name_user, s
952 kumaneko 111
953     if (!capable(CAP_SYS_MODULE))
954     return -EPERM;
955 kumaneko 2282 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
956 kumaneko 1151 + return -EPERM;
957 kumaneko 111 lock_kernel();
958     if ((namelen = get_mod_name(name_user, &name)) < 0) {
959     error = namelen;
960 kumaneko 2796 @@ -614,6 +619,8 @@ sys_delete_module(const char *name_user)
961 kumaneko 111
962     if (!capable(CAP_SYS_MODULE))
963     return -EPERM;
964 kumaneko 2282 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
965 kumaneko 1151 + return -EPERM;
966 kumaneko 111
967     lock_kernel();
968     if (name_user) {
969 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/sched.c
970     +++ linux-2.4.34.6/kernel/sched.c
971 kumaneko 2796 @@ -32,6 +32,7 @@
972 kumaneko 111
973     #include <asm/uaccess.h>
974     #include <asm/mmu_context.h>
975 kumaneko 2859 +#include <linux/ccsecurity.h>
976 kumaneko 111
977     extern void timer_bh(void);
978     extern void tqueue_bh(void);
979 kumaneko 2796 @@ -899,6 +900,8 @@ void set_cpus_allowed(struct task_struct
980 kumaneko 111 asmlinkage long sys_nice(int increment)
981     {
982     long newprio;
983 kumaneko 2282 + if (!ccs_capable(CCS_SYS_NICE))
984 kumaneko 1151 + return -EPERM;
985 kumaneko 111
986     /*
987     * Setpriority might change our priority at the same moment.
988 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/signal.c
989     +++ linux-2.4.34.6/kernel/signal.c
990 kumaneko 2796 @@ -15,6 +15,7 @@
991 kumaneko 111 #include <linux/sched.h>
992    
993     #include <asm/uaccess.h>
994 kumaneko 2859 +#include <linux/ccsecurity.h>
995 kumaneko 111
996     /*
997     * SLAB caches for signal bits.
998 kumaneko 2851 @@ -1014,6 +1015,8 @@ asmlinkage long
999 kumaneko 111 sys_kill(int pid, int sig)
1000     {
1001     struct siginfo info;
1002 kumaneko 2851 + if (ccs_kill_permission(pid, sig))
1003 kumaneko 1151 + return -EPERM;
1004 kumaneko 111
1005     info.si_signo = sig;
1006     info.si_errno = 0;
1007 kumaneko 2851 @@ -1037,6 +1040,8 @@ sys_tkill(int pid, int sig)
1008     /* This is only valid for single tasks */
1009 kumaneko 111 if (pid <= 0)
1010     return -EINVAL;
1011 kumaneko 2851 + if (ccs_tkill_permission(pid, sig))
1012     + return -EPERM;
1013 kumaneko 111
1014     info.si_signo = sig;
1015     info.si_errno = 0;
1016 kumaneko 2869 @@ -1067,6 +1072,8 @@ sys_rt_sigqueueinfo(int pid, int sig, si
1017     if (info.si_code >= 0)
1018     return -EPERM;
1019     info.si_signo = sig;
1020     + if (ccs_sigqueue_permission(pid, sig))
1021     + return -EPERM;
1022    
1023     /* POSIX.1b doesn't mention process groups. */
1024     return kill_proc_info(sig, &info, pid);
1025 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/sys.c
1026     +++ linux-2.4.34.6/kernel/sys.c
1027 kumaneko 2796 @@ -17,6 +17,7 @@
1028 kumaneko 111
1029     #include <asm/uaccess.h>
1030     #include <asm/io.h>
1031 kumaneko 2859 +#include <linux/ccsecurity.h>
1032 kumaneko 111
1033     #ifndef SET_UNALIGN_CTL
1034     # define SET_UNALIGN_CTL(a,b) (-EINVAL)
1035 kumaneko 2796 @@ -220,6 +221,8 @@ asmlinkage long sys_setpriority(int whic
1036 kumaneko 111
1037     if (which > 2 || which < 0)
1038     return -EINVAL;
1039 kumaneko 2282 + if (!ccs_capable(CCS_SYS_NICE))
1040 kumaneko 1151 + return -EPERM;
1041 kumaneko 111
1042     /* normalize: avoid signed division (rounding problems) */
1043     error = -ESRCH;
1044 kumaneko 2796 @@ -299,6 +302,8 @@ asmlinkage long sys_reboot(int magic1, i
1045 kumaneko 111 (magic2 != LINUX_REBOOT_MAGIC2 && magic2 != LINUX_REBOOT_MAGIC2A &&
1046     magic2 != LINUX_REBOOT_MAGIC2B))
1047     return -EINVAL;
1048 kumaneko 2282 + if (!ccs_capable(CCS_SYS_REBOOT))
1049 kumaneko 1151 + return -EPERM;
1050 kumaneko 111
1051     lock_kernel();
1052     switch (cmd) {
1053 kumaneko 2796 @@ -1042,6 +1047,8 @@ asmlinkage long sys_sethostname(char *na
1054 kumaneko 111 return -EPERM;
1055     if (len < 0 || len > __NEW_UTS_LEN)
1056     return -EINVAL;
1057 kumaneko 2282 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
1058 kumaneko 1151 + return -EPERM;
1059 kumaneko 111 down_write(&uts_sem);
1060     errno = -EFAULT;
1061     if (!copy_from_user(tmp, name, len)) {
1062 kumaneko 2796 @@ -1083,6 +1090,8 @@ asmlinkage long sys_setdomainname(char *
1063 kumaneko 111 return -EPERM;
1064     if (len < 0 || len > __NEW_UTS_LEN)
1065     return -EINVAL;
1066 kumaneko 2282 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
1067 kumaneko 1151 + return -EPERM;
1068 kumaneko 111
1069     down_write(&uts_sem);
1070     errno = -EFAULT;
1071 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/sysctl.c
1072     +++ linux-2.4.34.6/kernel/sysctl.c
1073 kumaneko 2796 @@ -33,6 +33,7 @@
1074 kumaneko 111 #include <linux/swap.h>
1075    
1076     #include <asm/uaccess.h>
1077 kumaneko 2859 +#include <linux/ccsecurity.h>
1078 kumaneko 111
1079     #ifdef CONFIG_ROOT_NFS
1080     #include <linux/nfs_fs.h>
1081 kumaneko 2796 @@ -437,6 +438,9 @@ int do_sysctl(int *name, int nlen, void
1082 kumaneko 111
1083     spin_unlock(&sysctl_lock);
1084    
1085 kumaneko 2298 + error = ccs_parse_table(name, nlen, oldval, newval,
1086 kumaneko 1151 + head->ctl_table);
1087     + if (!error)
1088 kumaneko 111 error = parse_table(name, nlen, oldval, oldlenp,
1089     newval, newlen, head->ctl_table,
1090     &context);
1091 kumaneko 2796 @@ -506,6 +510,13 @@ repeat:
1092 kumaneko 111 if (ctl_perm(table, 001))
1093     return -EPERM;
1094     if (table->strategy) {
1095     + int op = 0;
1096 kumaneko 1151 + if (oldval)
1097     + op |= 004;
1098     + if (newval)
1099     + op |= 002;
1100     + if (ctl_perm(table, op))
1101     + return -EPERM;
1102 kumaneko 111 error = table->strategy(
1103     table, name, nlen,
1104     oldval, oldlenp,
1105 kumaneko 2796 @@ -1454,7 +1465,7 @@ int sysctl_string(ctl_table *table, int
1106 kumaneko 111 len--;
1107     ((char *) table->data)[len] = 0;
1108     }
1109     - return 0;
1110     + return 1;
1111     }
1112    
1113     /*
1114 kumaneko 1498 --- linux-2.4.34.6.orig/kernel/time.c
1115     +++ linux-2.4.34.6/kernel/time.c
1116 kumaneko 2796 @@ -29,6 +29,7 @@
1117 kumaneko 111 #include <linux/smp_lock.h>
1118    
1119     #include <asm/uaccess.h>
1120 kumaneko 2859 +#include <linux/ccsecurity.h>
1121 kumaneko 111
1122     /*
1123     * The timezone where the local system is located. Used as a default by some
1124 kumaneko 2796 @@ -77,6 +78,8 @@ asmlinkage long sys_stime(int * tptr)
1125 kumaneko 111
1126     if (!capable(CAP_SYS_TIME))
1127     return -EPERM;
1128 kumaneko 2282 + if (!ccs_capable(CCS_SYS_SETTIME))
1129 kumaneko 1151 + return -EPERM;
1130 kumaneko 111 if (get_user(value, tptr))
1131     return -EFAULT;
1132     write_lock_irq(&xtime_lock);
1133 kumaneko 2796 @@ -151,6 +154,8 @@ int do_sys_settimeofday(struct timeval *
1134 kumaneko 111
1135     if (!capable(CAP_SYS_TIME))
1136     return -EPERM;
1137 kumaneko 2282 + if (!ccs_capable(CCS_SYS_SETTIME))
1138 kumaneko 1151 + return -EPERM;
1139 kumaneko 111
1140     if (tz) {
1141     /* SMP safe, global irq locking makes it work. */
1142 kumaneko 2796 @@ -217,6 +222,8 @@ int do_adjtimex(struct timex *txc)
1143 kumaneko 111 /* In order to modify anything, you gotta be super-user! */
1144     if (txc->modes && !capable(CAP_SYS_TIME))
1145     return -EPERM;
1146 kumaneko 2282 + if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
1147 kumaneko 1151 + return -EPERM;
1148 kumaneko 111
1149     /* Now we validate the data before disabling interrupts */
1150    
1151 kumaneko 2459 --- linux-2.4.34.6.orig/net/ipv4/raw.c
1152     +++ linux-2.4.34.6/net/ipv4/raw.c
1153 kumaneko 2796 @@ -64,6 +64,7 @@
1154 kumaneko 2459 #include <net/raw.h>
1155     #include <net/inet_common.h>
1156 kumaneko 352 #include <net/checksum.h>
1157 kumaneko 2859 +#include <linux/ccsecurity.h>
1158 kumaneko 352
1159 kumaneko 2459 struct sock *raw_v4_htable[RAWV4_HTABLE_SIZE];
1160     rwlock_t raw_v4_lock = RW_LOCK_UNLOCKED;
1161 kumaneko 3831 @@ -500,9 +501,14 @@ int raw_recvmsg(struct sock *sk, struct
1162 kumaneko 2459 goto out;
1163 kumaneko 3831 }
1164 kumaneko 352
1165 kumaneko 3831 - skb = skb_recv_datagram(sk, flags, noblock, &err);
1166     - if (!skb)
1167     - goto out;
1168     + for (;;) {
1169     + skb = skb_recv_datagram(sk, flags, noblock, &err);
1170     + if (!skb)
1171     + goto out;
1172     + if (!ccs_socket_post_recvmsg_permission(sk, skb))
1173     + break;
1174     + skb_kill_datagram(sk, skb, flags);
1175     + }
1176    
1177 kumaneko 2459 copied = skb->len;
1178     if (len < copied) {
1179 kumaneko 1498 --- linux-2.4.34.6.orig/net/ipv4/tcp_ipv4.c
1180     +++ linux-2.4.34.6/net/ipv4/tcp_ipv4.c
1181 kumaneko 2796 @@ -67,6 +67,7 @@
1182 kumaneko 111 #include <linux/inet.h>
1183     #include <linux/stddef.h>
1184     #include <linux/ipsec.h>
1185 kumaneko 2859 +#include <linux/ccsecurity.h>
1186 kumaneko 111
1187     extern int sysctl_ip_dynaddr;
1188     extern int sysctl_ip_default_ttl;
1189 kumaneko 2796 @@ -228,6 +229,8 @@ static int tcp_v4_get_port(struct sock *
1190 kumaneko 111 rover = low;
1191     head = &tcp_bhash[tcp_bhashfn(rover)];
1192     spin_lock(&head->lock);
1193 kumaneko 2299 + if (ccs_lport_reserved(rover))
1194 kumaneko 1151 + goto next;
1195 kumaneko 111 for (tb = head->chain; tb; tb = tb->next)
1196     if (tb->port == rover)
1197     goto next;
1198 kumaneko 2796 @@ -688,6 +691,8 @@ static int tcp_v4_hash_connect(struct so
1199 kumaneko 111 rover = low;
1200     head = &tcp_bhash[tcp_bhashfn(rover)];
1201     spin_lock(&head->lock);
1202 kumaneko 2299 + if (ccs_lport_reserved(rover))
1203 kumaneko 1151 + goto next_port;
1204 kumaneko 111
1205     /* Does not bother with rcv_saddr checks,
1206     * because the established check is already
1207 kumaneko 1498 --- linux-2.4.34.6.orig/net/ipv4/udp.c
1208     +++ linux-2.4.34.6/net/ipv4/udp.c
1209 kumaneko 2859 @@ -97,6 +97,7 @@
1210 kumaneko 111 #include <net/route.h>
1211     #include <net/inet_common.h>
1212     #include <net/checksum.h>
1213 kumaneko 2859 +#include <linux/ccsecurity.h>
1214 kumaneko 111
1215     /*
1216     * Snmp MIB for the UDP layer
1217 kumaneko 2859 @@ -131,6 +132,8 @@ static int udp_v4_get_port(struct sock *
1218 kumaneko 237 result = sysctl_local_port_range[0] +
1219     ((result - sysctl_local_port_range[0]) &
1220     (UDP_HTABLE_SIZE - 1));
1221 kumaneko 2299 + if (ccs_lport_reserved(result))
1222 kumaneko 1151 + continue;
1223 kumaneko 237 goto gotit;
1224     }
1225     size = 0;
1226 kumaneko 2859 @@ -148,6 +151,8 @@ static int udp_v4_get_port(struct sock *
1227 kumaneko 111 result = sysctl_local_port_range[0]
1228     + ((result - sysctl_local_port_range[0]) &
1229     (UDP_HTABLE_SIZE - 1));
1230 kumaneko 2299 + if (ccs_lport_reserved(result))
1231 kumaneko 1151 + continue;
1232 kumaneko 111 if (!udp_lport_inuse(result))
1233     break;
1234     }
1235 kumaneko 3831 @@ -697,6 +702,7 @@ int udp_recvmsg(struct sock *sk, struct
1236     struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
1237     struct sk_buff *skb;
1238     int copied, err;
1239     + _Bool update_stat;
1240    
1241     /*
1242     * Check any passed addresses
1243     @@ -711,6 +717,11 @@ try_again:
1244 kumaneko 2459 skb = skb_recv_datagram(sk, flags, noblock, &err);
1245     if (!skb)
1246     goto out;
1247 kumaneko 3831 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
1248     + update_stat = 0;
1249     + goto csum_copy_err;
1250     + }
1251     + update_stat = 1;
1252 kumaneko 2459
1253     copied = skb->len - sizeof(struct udphdr);
1254     if (copied > len) {
1255 kumaneko 3831 @@ -759,7 +770,8 @@ out:
1256     return err;
1257    
1258     csum_copy_err:
1259     - UDP_INC_STATS_BH(UdpInErrors);
1260     + if (update_stat)
1261     + UDP_INC_STATS_BH(UdpInErrors);
1262    
1263     /* Clear queue. */
1264     if (flags&MSG_PEEK) {
1265 kumaneko 2459 --- linux-2.4.34.6.orig/net/ipv6/raw.c
1266     +++ linux-2.4.34.6/net/ipv6/raw.c
1267 kumaneko 2796 @@ -45,6 +45,7 @@
1268 kumaneko 2459 #include <net/inet_common.h>
1269    
1270     #include <net/rawv6.h>
1271 kumaneko 2859 +#include <linux/ccsecurity.h>
1272 kumaneko 2459
1273     struct sock *raw_v6_htable[RAWV6_HTABLE_SIZE];
1274     rwlock_t raw_v6_lock = RW_LOCK_UNLOCKED;
1275 kumaneko 3831 @@ -366,9 +367,14 @@ int rawv6_recvmsg(struct sock *sk, struc
1276     if (flags & MSG_ERRQUEUE)
1277     return ipv6_recv_error(sk, msg, len);
1278 kumaneko 2459
1279 kumaneko 3831 - skb = skb_recv_datagram(sk, flags, noblock, &err);
1280     - if (!skb)
1281     - goto out;
1282     + for (;;) {
1283     + skb = skb_recv_datagram(sk, flags, noblock, &err);
1284     + if (!skb)
1285     + goto out;
1286     + if (!ccs_socket_post_recvmsg_permission(sk, skb))
1287     + break;
1288     + skb_kill_datagram(sk, skb, flags);
1289     + }
1290    
1291 kumaneko 2459 copied = skb->len;
1292     if (copied > len) {
1293 kumaneko 1498 --- linux-2.4.34.6.orig/net/ipv6/tcp_ipv6.c
1294     +++ linux-2.4.34.6/net/ipv6/tcp_ipv6.c
1295 kumaneko 2796 @@ -52,6 +52,7 @@
1296 kumaneko 111 #include <net/inet_ecn.h>
1297    
1298     #include <asm/uaccess.h>
1299 kumaneko 2859 +#include <linux/ccsecurity.h>
1300 kumaneko 111
1301     static void tcp_v6_send_reset(struct sk_buff *skb);
1302     static void tcp_v6_or_send_ack(struct sk_buff *skb, struct open_request *req);
1303 kumaneko 2796 @@ -110,6 +111,8 @@ static int tcp_v6_get_port(struct sock *
1304 kumaneko 111 rover = low;
1305     head = &tcp_bhash[tcp_bhashfn(rover)];
1306     spin_lock(&head->lock);
1307 kumaneko 2299 + if (ccs_lport_reserved(rover))
1308 kumaneko 1151 + goto next;
1309 kumaneko 111 for (tb = head->chain; tb; tb = tb->next)
1310     if (tb->port == rover)
1311     goto next;
1312 kumaneko 1498 --- linux-2.4.34.6.orig/net/ipv6/udp.c
1313     +++ linux-2.4.34.6/net/ipv6/udp.c
1314 kumaneko 2859 @@ -50,6 +50,7 @@
1315 kumaneko 111 #include <net/inet_common.h>
1316    
1317     #include <net/checksum.h>
1318 kumaneko 2859 +#include <linux/ccsecurity.h>
1319 kumaneko 111
1320     struct udp_mib udp_stats_in6[NR_CPUS*2];
1321    
1322 kumaneko 2859 @@ -77,6 +78,8 @@ static int udp_v6_get_port(struct sock *
1323 kumaneko 238 result = sysctl_local_port_range[0] +
1324     ((result - sysctl_local_port_range[0]) &
1325     (UDP_HTABLE_SIZE - 1));
1326 kumaneko 2299 + if (ccs_lport_reserved(result))
1327 kumaneko 1151 + continue;
1328 kumaneko 238 goto gotit;
1329     }
1330     size = 0;
1331 kumaneko 2859 @@ -94,6 +97,8 @@ static int udp_v6_get_port(struct sock *
1332 kumaneko 111 result = sysctl_local_port_range[0]
1333     + ((result - sysctl_local_port_range[0]) &
1334     (UDP_HTABLE_SIZE - 1));
1335 kumaneko 2299 + if (ccs_lport_reserved(result))
1336 kumaneko 1151 + continue;
1337 kumaneko 111 if (!udp_lport_inuse(result))
1338     break;
1339     }
1340 kumaneko 3831 @@ -395,6 +400,7 @@ int udpv6_recvmsg(struct sock *sk, struc
1341     {
1342     struct sk_buff *skb;
1343     int copied, err;
1344     + _Bool update_stat;
1345    
1346     if (addr_len)
1347     *addr_len=sizeof(struct sockaddr_in6);
1348     @@ -406,6 +412,11 @@ try_again:
1349 kumaneko 2459 skb = skb_recv_datagram(sk, flags, noblock, &err);
1350     if (!skb)
1351     goto out;
1352 kumaneko 3831 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
1353     + update_stat = 0;
1354     + goto csum_copy_err;
1355     + }
1356     + update_stat = 1;
1357 kumaneko 2459
1358     copied = skb->len - sizeof(struct udphdr);
1359     if (copied > len) {
1360 kumaneko 3831 @@ -485,7 +496,8 @@ csum_copy_err:
1361     skb_free_datagram(sk, skb);
1362    
1363     if (flags & MSG_DONTWAIT) {
1364     - UDP6_INC_STATS_USER(UdpInErrors);
1365     + if (update_stat)
1366     + UDP6_INC_STATS_USER(UdpInErrors);
1367     return -EAGAIN;
1368     }
1369     goto try_again;
1370 kumaneko 1498 --- linux-2.4.34.6.orig/net/socket.c
1371     +++ linux-2.4.34.6/net/socket.c
1372 kumaneko 2859 @@ -84,6 +84,7 @@
1373 kumaneko 111 #include <net/sock.h>
1374     #include <net/scm.h>
1375     #include <linux/netfilter.h>
1376 kumaneko 2859 +#include <linux/ccsecurity.h>
1377 kumaneko 111
1378     static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
1379     static ssize_t sock_read(struct file *file, char *buf,
1380 kumaneko 3075 @@ -501,7 +502,8 @@ int sock_sendmsg(struct socket *sock, st
1381 kumaneko 111 {
1382     int err;
1383     struct scm_cookie scm;
1384     -
1385 kumaneko 3075 + err = ccs_socket_sendmsg_permission(sock, msg, size);
1386 kumaneko 1151 + if (!err)
1387 kumaneko 111 err = scm_send(sock, msg, &scm);
1388     if (err >= 0) {
1389     err = sock->ops->sendmsg(sock, msg, size, &scm);
1390 kumaneko 3075 @@ -847,7 +849,9 @@ int sock_create(int family, int type, in
1391 kumaneko 111 }
1392     family = PF_PACKET;
1393     }
1394     -
1395 kumaneko 1151 + i = ccs_socket_create_permission(family, type, protocol);
1396     + if (i)
1397     + return i;
1398 kumaneko 111 #if defined(CONFIG_KMOD) && defined(CONFIG_NET)
1399     /* Attempt to load a protocol module if the find failed.
1400     *
1401 kumaneko 3075 @@ -1003,6 +1007,10 @@ asmlinkage long sys_bind(int fd, struct
1402 kumaneko 111 if((sock = sockfd_lookup(fd,&err))!=NULL)
1403     {
1404     if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
1405 kumaneko 1151 + err = ccs_socket_bind_permission(sock,
1406     + (struct sockaddr *)
1407     + address, addrlen);
1408     + if (!err)
1409 kumaneko 111 err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
1410     sockfd_put(sock);
1411     }
1412 kumaneko 3075 @@ -1026,6 +1034,8 @@ asmlinkage long sys_listen(int fd, int b
1413 kumaneko 111 if ((sock = sockfd_lookup(fd, &err)) != NULL) {
1414     if ((unsigned) backlog > sysctl_somaxconn)
1415     backlog = sysctl_somaxconn;
1416 kumaneko 1151 + err = ccs_socket_listen_permission(sock);
1417     + if (!err)
1418 kumaneko 111 err=sock->ops->listen(sock, backlog);
1419     sockfd_put(sock);
1420     }
1421 kumaneko 3831 @@ -1055,6 +1065,7 @@ asmlinkage long sys_accept(int fd, struc
1422     if (!sock)
1423     goto out;
1424    
1425     +retry:
1426     err = -ENFILE;
1427     if (!(newsock = sock_alloc()))
1428     goto out_put;
1429     @@ -1066,6 +1077,10 @@ asmlinkage long sys_accept(int fd, struc
1430 kumaneko 111 if (err < 0)
1431     goto out_release;
1432    
1433 kumaneko 3831 + if (ccs_socket_post_accept_permission(sock, newsock)) {
1434     + sock_release(newsock);
1435     + goto retry;
1436 kumaneko 111 + }
1437     if (upeer_sockaddr) {
1438     if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) {
1439     err = -ECONNABORTED;
1440 kumaneko 3075 @@ -1116,6 +1131,10 @@ asmlinkage long sys_connect(int fd, stru
1441 kumaneko 111 err = move_addr_to_kernel(uservaddr, addrlen, address);
1442     if (err < 0)
1443     goto out_put;
1444 kumaneko 1151 + err = ccs_socket_connect_permission(sock, (struct sockaddr *) address,
1445     + addrlen);
1446     + if (err)
1447     + goto out_put;
1448 kumaneko 111 err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
1449     sock->file->f_flags);
1450     out_put:
1451 kumaneko 1498 --- linux-2.4.34.6.orig/net/unix/af_unix.c
1452     +++ linux-2.4.34.6/net/unix/af_unix.c
1453 kumaneko 2796 @@ -111,6 +111,7 @@
1454 kumaneko 111 #include <linux/rtnetlink.h>
1455    
1456     #include <asm/checksum.h>
1457 kumaneko 2859 +#include <linux/ccsecurity.h>
1458 kumaneko 111
1459     int sysctl_unix_max_dgram_qlen = 10;
1460    
1461 kumaneko 2796 @@ -709,6 +710,9 @@ static int unix_bind(struct socket *sock
1462 kumaneko 111 * All right, let's create it.
1463     */
1464     mode = S_IFSOCK | (sock->inode->i_mode & ~current->fs->umask);
1465 kumaneko 2922 + err = ccs_mknod_permission(nd.dentry->d_inode, dentry, nd.mnt,
1466     + mode, 0);
1467 kumaneko 1151 + if (!err)
1468 kumaneko 111 err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
1469     if (err)
1470     goto out_mknod_dput;
1471 kumaneko 3916 @@ -1405,12 +1409,17 @@ static int unix_dgram_recvmsg(struct soc
1472 kumaneko 3914
1473 kumaneko 3916 down(&sk->protinfo.af_unix.readsem);
1474    
1475     +retry:
1476     skb = skb_recv_datagram(sk, flags, noblock, &err);
1477     if (!skb)
1478     goto out_unlock;
1479    
1480 kumaneko 3914 wake_up_interruptible(&sk->protinfo.af_unix.peer_wait);
1481    
1482 kumaneko 3916 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
1483     + skb_kill_datagram(sk, skb, flags);
1484     + goto retry;
1485     + }
1486 kumaneko 3914 if (msg->msg_name)
1487     unix_copy_addr(msg, skb->sk);
1488    
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ