33 |
kernel/sysctl.c | 11 +++++++++++ |
kernel/sysctl.c | 11 +++++++++++ |
34 |
kernel/time.c | 7 +++++++ |
kernel/time.c | 7 +++++++ |
35 |
net/ipv4/inet_connection_sock.c | 3 +++ |
net/ipv4/inet_connection_sock.c | 3 +++ |
36 |
net/ipv4/raw.c | 4 ++++ |
net/ipv4/raw.c | 12 +++++++++--- |
37 |
net/ipv4/tcp_ipv4.c | 3 +++ |
net/ipv4/tcp_ipv4.c | 3 +++ |
38 |
net/ipv4/udp.c | 10 +++++++++- |
net/ipv4/udp.c | 16 ++++++++++++++-- |
39 |
net/ipv6/raw.c | 4 ++++ |
net/ipv6/raw.c | 12 +++++++++--- |
40 |
net/ipv6/tcp_ipv6.c | 5 +++++ |
net/ipv6/tcp_ipv6.c | 5 +++++ |
41 |
net/ipv6/udp.c | 8 ++++++++ |
net/ipv6/udp.c | 14 +++++++++++++- |
42 |
net/socket.c | 23 ++++++++++++++++++++--- |
net/socket.c | 23 ++++++++++++++++++++--- |
43 |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
44 |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
45 |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
46 |
41 files changed, 281 insertions(+), 10 deletions(-) |
41 files changed, 301 insertions(+), 18 deletions(-) |
47 |
|
|
48 |
--- linux-2.6.15-55.84.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.15-55.84.orig/arch/alpha/kernel/ptrace.c |
49 |
+++ linux-2.6.15-55.84/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.15-55.84/arch/alpha/kernel/ptrace.c |
678 |
if (entry) |
if (entry) |
679 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
680 |
#endif |
#endif |
681 |
+ printk(KERN_INFO "Hook version: 2.6.15-55.84 2010/06/04\n"); |
+ printk(KERN_INFO "Hook version: 2.6.15-55.84 2010/07/21\n"); |
682 |
} |
} |
683 |
--- linux-2.6.15-55.84.orig/include/linux/init_task.h |
--- linux-2.6.15-55.84.orig/include/linux/init_task.h |
684 |
+++ linux-2.6.15-55.84/include/linux/init_task.h |
+++ linux-2.6.15-55.84/include/linux/init_task.h |
1041 |
|
|
1042 |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
1043 |
DEFINE_RWLOCK(raw_v4_lock); |
DEFINE_RWLOCK(raw_v4_lock); |
1044 |
@@ -591,6 +592,9 @@ static int raw_recvmsg(struct kiocb *ioc |
@@ -588,9 +589,14 @@ static int raw_recvmsg(struct kiocb *ioc |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
|
|
if (!skb) |
|
1045 |
goto out; |
goto out; |
1046 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
} |
1047 |
+ if (err) |
|
1048 |
+ goto out; |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1049 |
|
- if (!skb) |
1050 |
|
- goto out; |
1051 |
|
+ for (;;) { |
1052 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1053 |
|
+ if (!skb) |
1054 |
|
+ goto out; |
1055 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1056 |
|
+ break; |
1057 |
|
+ skb_kill_datagram(sk, skb, flags); |
1058 |
|
+ } |
1059 |
|
|
1060 |
copied = skb->len; |
copied = skb->len; |
1061 |
if (len < copied) { |
if (len < copied) { |
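Review bot: The new `for (;;)` loop in raw_recvmsg() silently discards every datagram that ccs_socket_post_recvmsg_permission() refuses, and nothing in the hunk says so; a reader meeting `skb_kill_datagram(sk, skb, flags);` cold will take it for an error path. I would put `/* Drop datagrams the policy refuses and wait for the next one; the caller never sees the refusal. */` above the loop. The loop only terminates for a MSG_PEEK reader if skb_kill_datagram() actually unlinks the peeked skb from the receive queue in this tree — that is what mainline's helper does, but it is worth confirming here, since otherwise the same refused datagram is peeked again on every iteration. The identical construction appears in rawv6_recvmsg() in net/ipv6/raw.c and the same comment belongs there; both functions continue beyond their hunks.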
1106 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1107 |
break; |
break; |
1108 |
} |
} |
1109 |
@@ -798,7 +803,10 @@ try_again: |
@@ -784,6 +789,7 @@ static int udp_recvmsg(struct kiocb *ioc |
1110 |
|
struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; |
1111 |
|
struct sk_buff *skb; |
1112 |
|
int copied, err; |
1113 |
|
+ _Bool update_stat; |
1114 |
|
|
1115 |
|
/* |
1116 |
|
* Check any passed addresses |
1117 |
|
@@ -798,7 +804,12 @@ try_again: |
1118 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1119 |
if (!skb) |
if (!skb) |
1120 |
goto out; |
goto out; |
1121 |
- |
- |
1122 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1123 |
+ if (err) |
+ update_stat = 0; |
1124 |
+ goto out; |
+ goto csum_copy_err; |
1125 |
|
+ } |
1126 |
|
+ update_stat = 1; |
1127 |
+ |
+ |
1128 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1129 |
if (copied > len) { |
if (copied > len) { |
1130 |
copied = len; |
copied = len; |
1131 |
|
@@ -846,7 +857,8 @@ out: |
1132 |
|
return err; |
1133 |
|
|
1134 |
|
csum_copy_err: |
1135 |
|
- UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1136 |
|
+ if (update_stat) |
1137 |
|
+ UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1138 |
|
|
1139 |
|
/* Clear queue. */ |
1140 |
|
if (flags&MSG_PEEK) { |
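Review bot: `update_stat` exists only so that a datagram refused by ccs_socket_post_recvmsg_permission() is not counted as UDP_MIB_INERRORS when it is disposed of through csum_copy_err, but neither the `_Bool update_stat;` declaration nor the `update_stat = 1;` line says so; I would write `_Bool update_stat; /* 0 when csum_copy_err is entered for a policy denial rather than a checksum error */` and note on `update_stat = 1;` that it must be redone on every pass because csum_copy_err jumps back to try_again. The variable is left uninitialized; every path visible here assigns it before csum_copy_err, but `_Bool update_stat = 1;` at the declaration costs nothing and guards against a `goto csum_copy_err` being introduced earlier in the function later, assuming the existing jumps outside the hunk all lie after the new assignment. In the ipv4 file the `/* Clear queue. */` branch under csum_copy_err appears to deal with a peeked skb, so a MSG_PEEK reader should not spin on a refused datagram; the ipv6 csum_copy_err hunk begins at `skb_free_datagram(sk, skb);` and the equivalent is not visible, so please confirm it is there too, otherwise `goto try_again` re-peeks the same refused datagram indefinitely. The same change is made in udpv6_recvmsg() in net/ipv6/udp.c; both functions extend beyond their hunks.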
1141 |
--- linux-2.6.15-55.84.orig/net/ipv6/raw.c |
--- linux-2.6.15-55.84.orig/net/ipv6/raw.c |
1142 |
+++ linux-2.6.15-55.84/net/ipv6/raw.c |
+++ linux-2.6.15-55.84/net/ipv6/raw.c |
1143 |
@@ -56,6 +56,7 @@ |
@@ -56,6 +56,7 @@ |
1148 |
|
|
1149 |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
1150 |
DEFINE_RWLOCK(raw_v6_lock); |
DEFINE_RWLOCK(raw_v6_lock); |
1151 |
@@ -387,6 +388,9 @@ static int rawv6_recvmsg(struct kiocb *i |
@@ -384,9 +385,14 @@ static int rawv6_recvmsg(struct kiocb *i |
1152 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
if (flags & MSG_ERRQUEUE) |
1153 |
if (!skb) |
return ipv6_recv_error(sk, msg, len); |
1154 |
goto out; |
|
1155 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1156 |
+ if (err) |
- if (!skb) |
1157 |
+ goto out; |
- goto out; |
1158 |
|
+ for (;;) { |
1159 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1160 |
|
+ if (!skb) |
1161 |
|
+ goto out; |
1162 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1163 |
|
+ break; |
1164 |
|
+ skb_kill_datagram(sk, skb, flags); |
1165 |
|
+ } |
1166 |
|
|
1167 |
copied = skb->len; |
copied = skb->len; |
1168 |
if (copied > len) { |
if (copied > len) { |
1222 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1223 |
break; |
break; |
1224 |
} |
} |
1225 |
@@ -237,6 +242,9 @@ try_again: |
@@ -226,6 +231,7 @@ static int udpv6_recvmsg(struct kiocb *i |
1226 |
|
struct sk_buff *skb; |
1227 |
|
size_t copied; |
1228 |
|
int err; |
1229 |
|
+ _Bool update_stat; |
1230 |
|
|
1231 |
|
if (addr_len) |
1232 |
|
*addr_len=sizeof(struct sockaddr_in6); |
1233 |
|
@@ -237,6 +243,11 @@ try_again: |
1234 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1235 |
if (!skb) |
if (!skb) |
1236 |
goto out; |
goto out; |
1237 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1238 |
+ if (err) |
+ update_stat = 0; |
1239 |
+ goto out; |
+ goto csum_copy_err; |
1240 |
|
+ } |
1241 |
|
+ update_stat = 1; |
1242 |
|
|
1243 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1244 |
if (copied > len) { |
if (copied > len) { |
1245 |
|
@@ -316,7 +327,8 @@ csum_copy_err: |
1246 |
|
skb_free_datagram(sk, skb); |
1247 |
|
|
1248 |
|
if (flags & MSG_DONTWAIT) { |
1249 |
|
- UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1250 |
|
+ if (update_stat) |
1251 |
|
+ UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1252 |
|
return -EAGAIN; |
1253 |
|
} |
1254 |
|
goto try_again; |
1255 |
--- linux-2.6.15-55.84.orig/net/socket.c |
--- linux-2.6.15-55.84.orig/net/socket.c |
1256 |
+++ linux-2.6.15-55.84/net/socket.c |
+++ linux-2.6.15-55.84/net/socket.c |
1257 |
@@ -97,6 +97,8 @@ |
@@ -97,6 +97,8 @@ |
1305 |
err=sock->ops->listen(sock, backlog); |
err=sock->ops->listen(sock, backlog); |
1306 |
sockfd_put(sock); |
sockfd_put(sock); |
1307 |
} |
} |
1308 |
@@ -1382,6 +1392,11 @@ SYSCALL_DEFINE3(accept, int, fd, struct |
@@ -1361,6 +1371,7 @@ SYSCALL_DEFINE3(accept, int, fd, struct |
1309 |
|
if (!sock) |
1310 |
|
goto out; |
1311 |
|
|
1312 |
|
+retry: |
1313 |
|
err = -ENFILE; |
1314 |
|
if (!(newsock = sock_alloc())) |
1315 |
|
goto out_put; |
1316 |
|
@@ -1382,6 +1393,10 @@ SYSCALL_DEFINE3(accept, int, fd, struct |
1317 |
if (err < 0) |
if (err < 0) |
1318 |
goto out_release; |
goto out_release; |
1319 |
|
|
1320 |
+ if (ccs_socket_accept_permission(newsock, |
+ if (ccs_socket_post_accept_permission(sock, newsock)) { |
1321 |
+ (struct sockaddr *) address)) { |
+ sock_release(newsock); |
1322 |
+ err = -ECONNABORTED; /* Hope less harmful than -EPERM. */ |
+ goto retry; |
|
+ goto out_release; |
|
1323 |
+ } |
+ } |
1324 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
1325 |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |