27 |
fs/Config.in | 3 +++ |
fs/Config.in | 3 +++ |
28 |
fs/exec.c | 12 +++++++++++- |
fs/exec.c | 12 +++++++++++- |
29 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 4 ++++ |
30 |
fs/ioctl.c | 10 ++++++++++ |
fs/ioctl.c | 6 ++++++ |
31 |
fs/namei.c | 37 +++++++++++++++++++++++++++++++++++++ |
fs/namei.c | 36 ++++++++++++++++++++++++++++++++++++ |
32 |
fs/namespace.c | 32 +++++++++++++++++++++++++++++++- |
fs/namespace.c | 19 ++++++++++++++++++- |
33 |
fs/open.c | 27 +++++++++++++++++++++++++++ |
fs/open.c | 27 +++++++++++++++++++++++++++ |
34 |
fs/proc/proc_misc.c | 1 + |
fs/proc/proc_misc.c | 1 + |
35 |
include/linux/sched.h | 14 ++++++++++++++ |
include/linux/sched.h | 14 ++++++++++++++ |
48 |
net/ipv6/udp.c | 14 +++++++++++++- |
net/ipv6/udp.c | 14 +++++++++++++- |
49 |
net/socket.c | 23 +++++++++++++++++++++-- |
net/socket.c | 23 +++++++++++++++++++++-- |
50 |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
51 |
46 files changed, 342 insertions(+), 13 deletions(-) |
46 files changed, 324 insertions(+), 13 deletions(-) |
52 |
|
|
53 |
--- linux-2.4.34.6.orig/Makefile |
--- linux-2.4.34.6.orig/Makefile |
54 |
+++ linux-2.4.34.6/Makefile |
+++ linux-2.4.34.6/Makefile |
573 |
error = 0; |
error = 0; |
574 |
lock_kernel(); |
lock_kernel(); |
575 |
switch (cmd) { |
switch (cmd) { |
|
@@ -112,6 +118,10 @@ asmlinkage long sys_ioctl(unsigned int f |
|
|
error = -ENOTTY; |
|
|
break; |
|
|
default: |
|
|
+ if (!ccs_capable(CCS_SYS_IOCTL)) { |
|
|
+ error = -EPERM; |
|
|
+ break; |
|
|
+ } |
|
|
error = -ENOTTY; |
|
|
if (S_ISREG(filp->f_dentry->d_inode->i_mode)) |
|
|
error = file_ioctl(filp, cmd, arg); |
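Review bot: In the 2010/07/26 version of the patch (right-hand side) sys_ioctl's `default:` branch no longer carries the `ccs_capable(CCS_SYS_IOCTL)` gate shown here; this hunk survives only on the left-hand side and fs/ioctl.c drops from 10 to 6 added lines in the diffstat, so requests that fall through to `file_ioctl()` or the driver now reach them without that capability check unless the remaining six lines (not visible here) re-establish it. If the check was deliberately folded into another hook, a comment at the `default:` label such as `/* ccsecurity: ioctl permission is enforced in <replacement hook> */` would stop the next reader from re-adding it. Note that even in the removed form the gate covered only the `default:` branch; the cases handled explicitly above it were never gated, which is worth stating wherever the replacement lives. sys_ioctl's switch starts and ends outside this hunk.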
|
576 |
--- linux-2.4.34.6.orig/fs/namei.c |
--- linux-2.4.34.6.orig/fs/namei.c |
577 |
+++ linux-2.4.34.6/fs/namei.c |
+++ linux-2.4.34.6/fs/namei.c |
578 |
@@ -28,6 +28,9 @@ |
@@ -28,6 +28,9 @@ |
585 |
/* [Feb-1997 T. Schoebel-Theuer] |
/* [Feb-1997 T. Schoebel-Theuer] |
586 |
* Fundamental changes in the pathname lookup mechanisms (namei) |
* Fundamental changes in the pathname lookup mechanisms (namei) |
587 |
* were necessary because of omirr. The reason is that omirr needs |
* were necessary because of omirr. The reason is that omirr needs |
588 |
@@ -988,6 +991,7 @@ exit_lock: |
@@ -1053,6 +1056,9 @@ do_last: |
|
return error; |
|
|
} |
|
|
|
|
|
+#include <linux/ccsecurity_vfs.h> |
|
|
/* |
|
|
* open_namei() |
|
|
* |
|
|
@@ -1053,6 +1057,9 @@ do_last: |
|
589 |
|
|
590 |
/* Negative dentry, just create the file */ |
/* Negative dentry, just create the file */ |
591 |
if (!dentry->d_inode) { |
if (!dentry->d_inode) { |
595 |
error = vfs_create(dir->d_inode, dentry, |
error = vfs_create(dir->d_inode, dentry, |
596 |
mode & ~current->fs->umask); |
mode & ~current->fs->umask); |
597 |
up(&dir->d_inode->i_sem); |
up(&dir->d_inode->i_sem); |
598 |
@@ -1139,6 +1146,11 @@ ok: |
@@ -1139,6 +1145,11 @@ ok: |
599 |
goto exit; |
goto exit; |
600 |
} |
} |
601 |
|
|
607 |
/* |
/* |
608 |
* Ensure there are no outstanding leases on the file. |
* Ensure there are no outstanding leases on the file. |
609 |
*/ |
*/ |
610 |
@@ -1277,6 +1289,7 @@ asmlinkage long sys_mknod(const char * f |
@@ -1277,6 +1288,7 @@ asmlinkage long sys_mknod(const char * f |
611 |
|
|
612 |
if (S_ISDIR(mode)) |
if (S_ISDIR(mode)) |
613 |
return -EPERM; |
return -EPERM; |
615 |
tmp = getname(filename); |
tmp = getname(filename); |
616 |
if (IS_ERR(tmp)) |
if (IS_ERR(tmp)) |
617 |
return PTR_ERR(tmp); |
return PTR_ERR(tmp); |
618 |
@@ -1289,6 +1302,9 @@ asmlinkage long sys_mknod(const char * f |
@@ -1289,6 +1301,9 @@ asmlinkage long sys_mknod(const char * f |
619 |
|
|
620 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
621 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
625 |
switch (mode & S_IFMT) { |
switch (mode & S_IFMT) { |
626 |
case 0: case S_IFREG: |
case 0: case S_IFREG: |
627 |
error = vfs_create(nd.dentry->d_inode,dentry,mode); |
error = vfs_create(nd.dentry->d_inode,dentry,mode); |
628 |
@@ -1355,6 +1371,9 @@ asmlinkage long sys_mkdir(const char * p |
@@ -1355,6 +1370,9 @@ asmlinkage long sys_mkdir(const char * p |
629 |
dentry = lookup_create(&nd, 1); |
dentry = lookup_create(&nd, 1); |
630 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
631 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
635 |
error = vfs_mkdir(nd.dentry->d_inode, dentry, |
error = vfs_mkdir(nd.dentry->d_inode, dentry, |
636 |
mode & ~current->fs->umask); |
mode & ~current->fs->umask); |
637 |
dput(dentry); |
dput(dentry); |
638 |
@@ -1464,6 +1483,9 @@ asmlinkage long sys_rmdir(const char * p |
@@ -1464,6 +1482,9 @@ asmlinkage long sys_rmdir(const char * p |
639 |
dentry = lookup_hash(&nd.last, nd.dentry); |
dentry = lookup_hash(&nd.last, nd.dentry); |
640 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
641 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
645 |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
646 |
dput(dentry); |
dput(dentry); |
647 |
} |
} |
648 |
@@ -1533,6 +1555,9 @@ asmlinkage long sys_unlink(const char * |
@@ -1533,6 +1554,9 @@ asmlinkage long sys_unlink(const char * |
649 |
/* Why not before? Because we want correct error value */ |
/* Why not before? Because we want correct error value */ |
650 |
if (nd.last.name[nd.last.len]) |
if (nd.last.name[nd.last.len]) |
651 |
goto slashes; |
goto slashes; |
655 |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
656 |
exit2: |
exit2: |
657 |
dput(dentry); |
dput(dentry); |
658 |
@@ -1597,6 +1622,9 @@ asmlinkage long sys_symlink(const char * |
@@ -1597,6 +1621,9 @@ asmlinkage long sys_symlink(const char * |
659 |
dentry = lookup_create(&nd, 0); |
dentry = lookup_create(&nd, 0); |
660 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
661 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
665 |
error = vfs_symlink(nd.dentry->d_inode, dentry, from); |
error = vfs_symlink(nd.dentry->d_inode, dentry, from); |
666 |
dput(dentry); |
dput(dentry); |
667 |
} |
} |
668 |
@@ -1683,6 +1711,10 @@ asmlinkage long sys_link(const char * ol |
@@ -1683,6 +1710,10 @@ asmlinkage long sys_link(const char * ol |
669 |
new_dentry = lookup_create(&nd, 0); |
new_dentry = lookup_create(&nd, 0); |
670 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
671 |
if (!IS_ERR(new_dentry)) { |
if (!IS_ERR(new_dentry)) { |
676 |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
677 |
dput(new_dentry); |
dput(new_dentry); |
678 |
} |
} |
679 |
@@ -1913,12 +1945,17 @@ static inline int do_rename(const char * |
@@ -1913,12 +1944,17 @@ static inline int do_rename(const char * |
680 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
681 |
if (IS_ERR(new_dentry)) |
if (IS_ERR(new_dentry)) |
682 |
goto exit4; |
goto exit4; |
715 |
|
|
716 |
/* |
/* |
717 |
* If we may have to abort operations to get out of this |
* If we may have to abort operations to get out of this |
718 |
@@ -365,6 +370,8 @@ asmlinkage long sys_umount(char * name, |
@@ -516,7 +521,7 @@ static int do_loopback(struct nameidata |
|
{ |
|
|
struct nameidata nd; |
|
|
int retval; |
|
|
+ if (!ccs_capable(CCS_SYS_UMOUNT)) |
|
|
+ return -EPERM; |
|
|
|
|
|
retval = __user_walk(name, LOOKUP_POSITIVE|LOOKUP_FOLLOW, &nd); |
|
|
if (retval) |
|
|
@@ -500,6 +507,9 @@ static int do_loopback(struct nameidata |
|
|
down_write(¤t->namespace->sem); |
|
|
err = -EINVAL; |
|
|
if (check_mnt(nd->mnt) && (!recurse || check_mnt(old_nd.mnt))) { |
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
err = -ENOMEM; |
|
|
if (recurse) |
|
|
mnt = copy_tree(old_nd.mnt, old_nd.dentry); |
|
|
@@ -516,7 +526,7 @@ static int do_loopback(struct nameidata |
|
719 |
} else |
} else |
720 |
mntput(mnt); |
mntput(mnt); |
721 |
} |
} |
724 |
up_write(¤t->namespace->sem); |
up_write(¤t->namespace->sem); |
725 |
path_release(&old_nd); |
path_release(&old_nd); |
726 |
return err; |
return err; |
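Review bot: On the right-hand side (2010/07/26) do_loopback reaches copy_tree()/graft_tree() without the `err = -EPERM; if (ccs_may_mount(nd)) goto out;` gate that the left-hand side inserted in its `@@ -500,6 +507,9 @@` hunk, and the same gate is gone from do_move_mount and do_add_mount together with the `ccs_capable(CCS_SYS_UMOUNT)` check in sys_umount; fs/namespace.c shrinks from 32 to 19 added lines while do_mount's own hunk stays at five added lines in both versions. If mount-target checking was consolidated into do_mount(), the bind, move and add paths now depend on that single call site being the only way in (all three are `static`, which supports but does not prove this), and umount has no visible counterpart at all in this view. Once that is confirmed, a comment at do_mount's check such as `/* ccsecurity: sole mount gate; do_loopback/do_move_mount/do_add_mount rely on it */` would document the reliance. do_loopback's body begins outside this hunk.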
727 |
@@ -570,6 +580,10 @@ static int do_move_mount(struct nameidat |
@@ -700,6 +705,7 @@ static int copy_mount_options (const voi |
|
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
|
|
goto out; |
|
|
|
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
+ |
|
|
err = -ENOENT; |
|
|
down(&nd->dentry->d_inode->i_zombie); |
|
|
if (IS_DEADDIR(nd->dentry->d_inode)) |
|
|
@@ -641,6 +655,10 @@ static int do_add_mount(struct nameidata |
|
|
if (nd->mnt->mnt_sb == mnt->mnt_sb && nd->mnt->mnt_root == nd->dentry) |
|
|
goto unlock; |
|
|
|
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto unlock; |
|
|
+ |
|
|
mnt->mnt_flags = mnt_flags; |
|
|
err = graft_tree(mnt, nd); |
|
|
unlock: |
|
|
@@ -700,6 +718,7 @@ static int copy_mount_options (const voi |
|
728 |
long do_mount(char * dev_name, char * dir_name, char *type_page, |
long do_mount(char * dev_name, char * dir_name, char *type_page, |
729 |
unsigned long flags, void *data_page) |
unsigned long flags, void *data_page) |
730 |
{ |
{ |
732 |
struct nameidata nd; |
struct nameidata nd; |
733 |
int retval = 0; |
int retval = 0; |
734 |
int mnt_flags = 0; |
int mnt_flags = 0; |
735 |
@@ -732,6 +751,11 @@ long do_mount(char * dev_name, char * di |
@@ -732,6 +738,11 @@ long do_mount(char * dev_name, char * di |
736 |
if (retval) |
if (retval) |
737 |
return retval; |
return retval; |
738 |
|
|
744 |
if (flags & MS_REMOUNT) |
if (flags & MS_REMOUNT) |
745 |
retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, |
retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags, |
746 |
data_page); |
data_page); |
747 |
@@ -742,6 +766,7 @@ long do_mount(char * dev_name, char * di |
@@ -742,6 +753,7 @@ long do_mount(char * dev_name, char * di |
748 |
else |
else |
749 |
retval = do_add_mount(&nd, type_page, flags, mnt_flags, |
retval = do_add_mount(&nd, type_page, flags, mnt_flags, |
750 |
dev_name, data_page); |
dev_name, data_page); |
752 |
path_release(&nd); |
path_release(&nd); |
753 |
return retval; |
return retval; |
754 |
} |
} |
755 |
@@ -925,6 +950,11 @@ asmlinkage long sys_pivot_root(const cha |
@@ -925,6 +937,11 @@ asmlinkage long sys_pivot_root(const cha |
756 |
if (error) |
if (error) |
757 |
goto out1; |
goto out1; |
758 |
|
|
779 |
if (error) |
if (error) |
780 |
goto dput_and_out; |
goto dput_and_out; |
781 |
|
|
782 |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt, length, 0); |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt); |
783 |
+ if (!error) |
+ if (!error) |
784 |
+ |
+ |
785 |
error = locks_verify_truncate(inode, NULL, length); |
error = locks_verify_truncate(inode, NULL, length); |
789 |
if (IS_APPEND(inode)) |
if (IS_APPEND(inode)) |
790 |
goto out_putf; |
goto out_putf; |
791 |
|
|
792 |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt, length, 0); |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt); |
793 |
+ if (error) |
+ if (error) |
794 |
+ goto out_putf; |
+ goto out_putf; |
795 |
error = locks_verify_truncate(inode, file, length); |
error = locks_verify_truncate(inode, file, length); |
877 |
entry->proc_fops = &ppc_htab_operations; |
entry->proc_fops = &ppc_htab_operations; |
878 |
} |
} |
879 |
#endif |
#endif |
880 |
+ printk(KERN_INFO "Hook version: 2.4.34.6 2010/07/21\n"); |
+ printk(KERN_INFO "Hook version: 2.4.34.6 2010/07/26\n"); |
881 |
} |
} |
882 |
--- linux-2.4.34.6.orig/include/linux/sched.h |
--- linux-2.4.34.6.orig/include/linux/sched.h |
883 |
+++ linux-2.4.34.6/include/linux/sched.h |
+++ linux-2.4.34.6/include/linux/sched.h |