| 27 |
fs/Config.in | 3 +++ |
fs/Config.in | 3 +++ |
| 28 |
fs/exec.c | 12 +++++++++++- |
fs/exec.c | 12 +++++++++++- |
| 29 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 4 ++++ |
| 30 |
fs/ioctl.c | 10 ++++++++++ |
fs/ioctl.c | 6 ++++++ |
| 31 |
fs/namei.c | 37 +++++++++++++++++++++++++++++++++++++ |
fs/namei.c | 36 ++++++++++++++++++++++++++++++++++++ |
| 32 |
fs/namespace.c | 32 +++++++++++++++++++++++++++++++- |
fs/namespace.c | 19 ++++++++++++++++++- |
| 33 |
fs/open.c | 27 +++++++++++++++++++++++++++ |
fs/open.c | 27 +++++++++++++++++++++++++++ |
| 34 |
fs/proc/proc_misc.c | 1 + |
fs/proc/proc_misc.c | 1 + |
| 35 |
include/linux/sched.h | 14 ++++++++++++++ |
include/linux/sched.h | 14 ++++++++++++++ |
| 48 |
net/ipv6/udp.c | 14 +++++++++++++- |
net/ipv6/udp.c | 14 +++++++++++++- |
| 49 |
net/socket.c | 23 +++++++++++++++++++++-- |
net/socket.c | 23 +++++++++++++++++++++-- |
| 50 |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
| 51 |
46 files changed, 342 insertions(+), 13 deletions(-) |
46 files changed, 324 insertions(+), 13 deletions(-) |
| 52 |
|
|
| 53 |
--- linux-2.4.34.6.orig/Makefile |
--- linux-2.4.34.6.orig/Makefile |
| 54 |
+++ linux-2.4.34.6/Makefile |
+++ linux-2.4.34.6/Makefile |
| 573 |
error = 0; |
error = 0; |
| 574 |
lock_kernel(); |
lock_kernel(); |
| 575 |
switch (cmd) { |
switch (cmd) { |
|
@@ -112,6 +118,10 @@ asmlinkage long sys_ioctl(unsigned int f |
|
|
error = -ENOTTY; |
|
|
break; |
|
|
default: |
|
|
+ if (!ccs_capable(CCS_SYS_IOCTL)) { |
|
|
+ error = -EPERM; |
|
|
+ break; |
|
|
+ } |
|
|
error = -ENOTTY; |
|
|
if (S_ISREG(filp->f_dentry->d_inode->i_mode)) |
|
|
error = file_ioctl(filp, cmd, arg); |
|
| 576 |
--- linux-2.4.34.6.orig/fs/namei.c |
--- linux-2.4.34.6.orig/fs/namei.c |
| 577 |
+++ linux-2.4.34.6/fs/namei.c |
+++ linux-2.4.34.6/fs/namei.c |
| 578 |
@@ -28,6 +28,9 @@ |
@@ -28,6 +28,9 @@ |
| 585 |
/* [Feb-1997 T. Schoebel-Theuer] |
/* [Feb-1997 T. Schoebel-Theuer] |
| 586 |
* Fundamental changes in the pathname lookup mechanisms (namei) |
* Fundamental changes in the pathname lookup mechanisms (namei) |
| 587 |
* were necessary because of omirr. The reason is that omirr needs |
* were necessary because of omirr. The reason is that omirr needs |
| 588 |
@@ -988,6 +991,7 @@ exit_lock: |
@@ -1053,6 +1056,9 @@ do_last: |
|
return error; |
|
|
} |
|
|
|
|
|
+#include <linux/ccsecurity_vfs.h> |
|
|
/* |
|
|
* open_namei() |
|
|
* |
|
|
@@ -1053,6 +1057,9 @@ do_last: |
|
| 589 |
|
|
| 590 |
/* Negative dentry, just create the file */ |
/* Negative dentry, just create the file */ |
| 591 |
if (!dentry->d_inode) { |
if (!dentry->d_inode) { |
| 595 |
error = vfs_create(dir->d_inode, dentry, |
error = vfs_create(dir->d_inode, dentry, |
| 596 |
mode & ~current->fs->umask); |
mode & ~current->fs->umask); |
| 597 |
up(&dir->d_inode->i_sem); |
up(&dir->d_inode->i_sem); |
| 598 |
@@ -1139,6 +1146,11 @@ ok: |
@@ -1139,6 +1145,11 @@ ok: |
| 599 |
goto exit; |
goto exit; |
| 600 |
} |
} |
| 601 |
|
|
| 607 |
/* |
/* |
| 608 |
* Ensure there are no outstanding leases on the file. |
* Ensure there are no outstanding leases on the file. |
| 609 |
*/ |
*/ |
| 610 |
@@ -1277,6 +1289,7 @@ asmlinkage long sys_mknod(const char * f |
@@ -1277,6 +1288,7 @@ asmlinkage long sys_mknod(const char * f |
| 611 |
|
|
| 612 |
if (S_ISDIR(mode)) |
if (S_ISDIR(mode)) |
| 613 |
return -EPERM; |
return -EPERM; |
| 615 |
tmp = getname(filename); |
tmp = getname(filename); |
| 616 |
if (IS_ERR(tmp)) |
if (IS_ERR(tmp)) |
| 617 |
return PTR_ERR(tmp); |
return PTR_ERR(tmp); |
| 618 |
@@ -1289,6 +1302,9 @@ asmlinkage long sys_mknod(const char * f |
@@ -1289,6 +1301,9 @@ asmlinkage long sys_mknod(const char * f |
| 619 |
|
|
| 620 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
| 621 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 625 |
switch (mode & S_IFMT) { |
switch (mode & S_IFMT) { |
| 626 |
case 0: case S_IFREG: |
case 0: case S_IFREG: |
| 627 |
error = vfs_create(nd.dentry->d_inode,dentry,mode); |
error = vfs_create(nd.dentry->d_inode,dentry,mode); |
| 628 |
@@ -1355,6 +1371,9 @@ asmlinkage long sys_mkdir(const char * p |
@@ -1355,6 +1370,9 @@ asmlinkage long sys_mkdir(const char * p |
| 629 |
dentry = lookup_create(&nd, 1); |
dentry = lookup_create(&nd, 1); |
| 630 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
| 631 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 635 |
error = vfs_mkdir(nd.dentry->d_inode, dentry, |
error = vfs_mkdir(nd.dentry->d_inode, dentry, |
| 636 |
mode & ~current->fs->umask); |
mode & ~current->fs->umask); |
| 637 |
dput(dentry); |
dput(dentry); |
| 638 |
@@ -1464,6 +1483,9 @@ asmlinkage long sys_rmdir(const char * p |
@@ -1464,6 +1482,9 @@ asmlinkage long sys_rmdir(const char * p |
| 639 |
dentry = lookup_hash(&nd.last, nd.dentry); |
dentry = lookup_hash(&nd.last, nd.dentry); |
| 640 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
| 641 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 645 |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
| 646 |
dput(dentry); |
dput(dentry); |
| 647 |
} |
} |
| 648 |
@@ -1533,6 +1555,9 @@ asmlinkage long sys_unlink(const char * |
@@ -1533,6 +1554,9 @@ asmlinkage long sys_unlink(const char * |
| 649 |
/* Why not before? Because we want correct error value */ |
/* Why not before? Because we want correct error value */ |
| 650 |
if (nd.last.name[nd.last.len]) |
if (nd.last.name[nd.last.len]) |
| 651 |
goto slashes; |
goto slashes; |
| 655 |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
| 656 |
exit2: |
exit2: |
| 657 |
dput(dentry); |
dput(dentry); |
| 658 |
@@ -1597,6 +1622,9 @@ asmlinkage long sys_symlink(const char * |
@@ -1597,6 +1621,9 @@ asmlinkage long sys_symlink(const char * |
| 659 |
dentry = lookup_create(&nd, 0); |
dentry = lookup_create(&nd, 0); |
| 660 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
| 661 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 665 |
error = vfs_symlink(nd.dentry->d_inode, dentry, from); |
error = vfs_symlink(nd.dentry->d_inode, dentry, from); |
| 666 |
dput(dentry); |
dput(dentry); |
| 667 |
} |
} |
| 668 |
@@ -1683,6 +1711,10 @@ asmlinkage long sys_link(const char * ol |
@@ -1683,6 +1710,10 @@ asmlinkage long sys_link(const char * ol |
| 669 |
new_dentry = lookup_create(&nd, 0); |
new_dentry = lookup_create(&nd, 0); |
| 670 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
| 671 |
if (!IS_ERR(new_dentry)) { |
if (!IS_ERR(new_dentry)) { |
| 676 |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
| 677 |
dput(new_dentry); |
dput(new_dentry); |
| 678 |
} |
} |
| 679 |
@@ -1913,12 +1945,17 @@ static inline int do_rename(const char * |
@@ -1913,12 +1944,17 @@ static inline int do_rename(const char * |
| 680 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
| 681 |
if (IS_ERR(new_dentry)) |
if (IS_ERR(new_dentry)) |
| 682 |
goto exit4; |
goto exit4; |
| 715 |
|
|
| 716 |
/* |
/* |
| 717 |
* If we may have to abort operations to get out of this |
* If we may have to abort operations to get out of this |
| 718 |
@@ -365,6 +370,8 @@ asmlinkage long sys_umount(char * name, |
@@ -516,7 +521,7 @@ static int do_loopback(struct nameidata |
|
{ |
|
|
struct nameidata nd; |
|
|
int retval; |
|
|
+ if (!ccs_capable(CCS_SYS_UMOUNT)) |
|
|
+ return -EPERM; |
|
|
|
|
|
retval = __user_walk(name, LOOKUP_POSITIVE|LOOKUP_FOLLOW, &nd); |
|
|
if (retval) |
|
|
@@ -500,6 +507,9 @@ static int do_loopback(struct nameidata |
|
|
down_write(¤t->namespace->sem); |
|
|
err = -EINVAL; |
|
|
if (check_mnt(nd->mnt) && (!recurse || check_mnt(old_nd.mnt))) { |
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
err = -ENOMEM; |
|
|
if (recurse) |
|
|
mnt = copy_tree(old_nd.mnt, old_nd.dentry); |
|
|
@@ -516,7 +526,7 @@ static int do_loopback(struct nameidata |
|
| 719 |
} else |
} else |
| 720 |
mntput(mnt); |
mntput(mnt); |
| 721 |
} |
} |
| 724 |
up_write(¤t->namespace->sem); |
up_write(¤t->namespace->sem); |
| 725 |
path_release(&old_nd); |
path_release(&old_nd); |
| 726 |
return err; |
return err; |
| 727 |
@@ -570,6 +580,10 @@ static int do_move_mount(struct nameidat |
@@ -700,6 +705,7 @@ static int copy_mount_options (const voi |
|
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
|
|
goto out; |
|
|
|
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
+ |
|
|
err = -ENOENT; |
|
|
down(&nd->dentry->d_inode->i_zombie); |
|
|
if (IS_DEADDIR(nd->dentry->d_inode)) |
|
|
@@ -641,6 +655,10 @@ static int do_add_mount(struct nameidata |
|
|
if (nd->mnt->mnt_sb == mnt->mnt_sb && nd->mnt->mnt_root == nd->dentry) |
|
|
goto unlock; |
|
|
|
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto unlock; |
|
|
+ |
|
|
mnt->mnt_flags = mnt_flags; |
|
|
err = graft_tree(mnt, nd); |
|
|
unlock: |
|
|
@@ -700,6 +718,7 @@ static int copy_mount_options (const voi |
|
| 728 |
long do_mount(char * dev_name, char * dir_name, char *type_page, |
long do_mount(char * dev_name, char * dir_name, char *type_page, |
| 729 |
unsigned long flags, void *data_page) |
unsigned long flags, void *data_page) |
| 730 |
{ |
{ |
| 732 |
struct nameidata nd; |
struct nameidata nd; |
| 733 |
int retval = 0; |
int retval = 0; |
| 734 |
int mnt_flags = 0; |
int mnt_flags = 0; |
| 735 |
@@ -732,6 +751,11 @@ long do_mount(char * dev_name, char * di |
@@ -732,6 +738,11 @@ long do_mount(char * dev_name, char * di |
| 736 |
if (retval) |
if (retval) |
| 737 |
return retval; |
return retval; |
| 738 |
|
|
| 744 |
if (flags & MS_REMOUNT) |
if (flags & MS_REMOUNT) |
| 745 |
retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, |
retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, |
| 746 |
data_page); |
data_page); |
| 747 |
@@ -742,6 +766,7 @@ long do_mount(char * dev_name, char * di |
@@ -742,6 +753,7 @@ long do_mount(char * dev_name, char * di |
| 748 |
else |
else |
| 749 |
retval = do_add_mount(&nd, type_page, flags, mnt_flags, |
retval = do_add_mount(&nd, type_page, flags, mnt_flags, |
| 750 |
dev_name, data_page); |
dev_name, data_page); |
| 752 |
path_release(&nd); |
path_release(&nd); |
| 753 |
return retval; |
return retval; |
| 754 |
} |
} |
| 755 |
@@ -925,6 +950,11 @@ asmlinkage long sys_pivot_root(const cha |
@@ -925,6 +937,11 @@ asmlinkage long sys_pivot_root(const cha |
| 756 |
if (error) |
if (error) |
| 757 |
goto out1; |
goto out1; |
| 758 |
|
|
| 779 |
if (error) |
if (error) |
| 780 |
goto dput_and_out; |
goto dput_and_out; |
| 781 |
|
|
| 782 |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt, length, 0); |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt); |
| 783 |
+ if (!error) |
+ if (!error) |
| 784 |
+ |
+ |
| 785 |
error = locks_verify_truncate(inode, NULL, length); |
error = locks_verify_truncate(inode, NULL, length); |
| 789 |
if (IS_APPEND(inode)) |
if (IS_APPEND(inode)) |
| 790 |
goto out_putf; |
goto out_putf; |
| 791 |
|
|
| 792 |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt, length, 0); |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt); |
| 793 |
+ if (error) |
+ if (error) |
| 794 |
+ goto out_putf; |
+ goto out_putf; |
| 795 |
error = locks_verify_truncate(inode, file, length); |
error = locks_verify_truncate(inode, file, length); |
| 877 |
entry->proc_fops = &ppc_htab_operations; |
entry->proc_fops = &ppc_htab_operations; |
| 878 |
} |
} |
| 879 |
#endif |
#endif |
| 880 |
+ printk(KERN_INFO "Hook version: 2.4.34.6 2010/07/21\n"); |
+ printk(KERN_INFO "Hook version: 2.4.34.6 2010/07/26\n"); |
| 881 |
} |
} |
| 882 |
--- linux-2.4.34.6.orig/include/linux/sched.h |
--- linux-2.4.34.6.orig/include/linux/sched.h |
| 883 |
+++ linux-2.4.34.6/include/linux/sched.h |
+++ linux-2.4.34.6/include/linux/sched.h |
TOMOYO
Parent Directory
Revision Log
Patch