kernel/time.c | 7 +++++++ |
kernel/time.c | 7 +++++++ |
net/ipv4/inet_connection_sock.c | 3 +++ |
net/ipv4/inet_connection_sock.c | 3 +++ |
net/ipv4/inet_hashtables.c | 3 +++ |
net/ipv4/inet_hashtables.c | 3 +++ |
net/ipv4/raw.c | 4 ++++ |
net/ipv4/raw.c | 12 +++++++++--- |
net/ipv4/udp.c | 10 +++++++++- |
net/ipv4/udp.c | 16 ++++++++++++++-- |
net/ipv6/inet6_hashtables.c | 5 ++++- |
net/ipv6/inet6_hashtables.c | 5 ++++- |
net/ipv6/raw.c | 4 ++++ |
net/ipv6/raw.c | 12 +++++++++--- |
net/ipv6/udp.c | 8 ++++++++ |
net/ipv6/udp.c | 14 +++++++++++++- |
net/socket.c | 23 ++++++++++++++++++++--- |
net/socket.c | 23 ++++++++++++++++++++--- |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
41 files changed, 284 insertions(+), 11 deletions(-) |
41 files changed, 304 insertions(+), 19 deletions(-) |
|
|
--- linux-2.6.16-76.55vl4.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.16-76.55vl4.orig/arch/alpha/kernel/ptrace.c |
49 |
+++ linux-2.6.16-76.55vl4/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.16-76.55vl4/arch/alpha/kernel/ptrace.c |
689 |
if (entry) |
if (entry) |
690 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
691 |
#endif |
#endif |
692 |
+ printk(KERN_INFO "Hook version: 2.6.16-76.55vl4 2010/04/12\n"); |
+ printk(KERN_INFO "Hook version: 2.6.16-76.55vl4 2010/07/21\n"); |
693 |
} |
} |
694 |
--- linux-2.6.16-76.55vl4.orig/include/linux/init_task.h |
--- linux-2.6.16-76.55vl4.orig/include/linux/init_task.h |
695 |
+++ linux-2.6.16-76.55vl4/include/linux/init_task.h |
+++ linux-2.6.16-76.55vl4/include/linux/init_task.h |
1071 |
|
|
1072 |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
1073 |
DEFINE_RWLOCK(raw_v4_lock); |
DEFINE_RWLOCK(raw_v4_lock); |
1074 |
@@ -592,6 +593,9 @@ static int raw_recvmsg(struct kiocb *ioc |
@@ -589,9 +590,14 @@ static int raw_recvmsg(struct kiocb *ioc |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
|
|
if (!skb) |
|
1075 |
goto out; |
goto out; |
1076 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
} |
1077 |
+ if (err) |
|
1078 |
+ goto out; |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1079 |
|
- if (!skb) |
1080 |
|
- goto out; |
1081 |
|
+ for (;;) { |
1082 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1083 |
|
+ if (!skb) |
1084 |
|
+ goto out; |
1085 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1086 |
|
+ break; |
1087 |
|
+ skb_kill_datagram(sk, skb, flags); |
1088 |
|
+ } |
1089 |
|
|
1090 |
copied = skb->len; |
copied = skb->len; |
1091 |
if (len < copied) { |
if (len < copied) { |
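Review bot: The new `for (;;)` loop hands a denied datagram to `skb_kill_datagram()`, which is the same consume-and-free helper the existing checksum-error paths use, so a denial against the calling task also removes the packet for every other holder of this socket (an fd inherited across a domain boundary, for instance); that is a defensible policy but it is stated nowhere, and the loop wants a comment such as `/* A datagram the caller may not receive is discarded, not skipped: it is gone for all readers of this socket. */`. The loop also re-enters `skb_recv_datagram()` once per rejected datagram, and if that helper recomputes the receive timeout on each call, a steady stream of denied traffic could hold a blocking caller past its SO_RCVTIMEO — worth confirming against net/core/datagram.c and documenting if so. The identical eight lines appear again in net/ipv6/raw.c; a small inline helper in the ccs header would keep the two in step. raw_recvmsg() begins and ends outside the hunk.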
1117 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1118 |
break; |
break; |
1119 |
} |
} |
1120 |
@@ -799,7 +804,10 @@ try_again: |
@@ -785,6 +790,7 @@ static int udp_recvmsg(struct kiocb *ioc |
1121 |
|
struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; |
1122 |
|
struct sk_buff *skb; |
1123 |
|
int copied, err; |
1124 |
|
+ _Bool update_stat; |
1125 |
|
|
1126 |
|
/* |
1127 |
|
* Check any passed addresses |
1128 |
|
@@ -799,7 +805,12 @@ try_again: |
1129 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1130 |
if (!skb) |
if (!skb) |
1131 |
goto out; |
goto out; |
1132 |
- |
- |
1133 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1134 |
+ if (err) |
+ update_stat = 0; |
1135 |
+ goto out; |
+ goto csum_copy_err; |
1136 |
|
+ } |
1137 |
|
+ update_stat = 1; |
1138 |
+ |
+ |
1139 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1140 |
if (copied > len) { |
if (copied > len) { |
1141 |
copied = len; |
copied = len; |
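Review bot: Routing a permission denial through `csum_copy_err` and adding `update_stat` to suppress the UDP_MIB_INERRORS increment works, but a flag whose only job is to switch one line inside the label it jumps to suggests the label is wrong; a second label placed after the counter, `kill_datagram:` immediately before `skb_kill_datagram(sk, skb, flags);`, lets the check read `if (ccs_socket_post_recvmsg_permission(sk, skb)) goto kill_datagram;` and removes `update_stat` and its `_Bool` declaration in the earlier hunk altogether. Note that for a non-blocking socket this path returns -EAGAIN for a denied datagram even when permitted ones are already queued behind it — that is how the existing checksum-failure path behaves, so it is probably acceptable, but a one-line comment at the goto saying that policy-denied datagrams are dropped and the receive restarted would save the next reader the trip to the label. udp_recvmsg() starts and ends outside the hunk.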
1142 |
|
@@ -847,7 +858,8 @@ out: |
1143 |
|
return err; |
1144 |
|
|
1145 |
|
csum_copy_err: |
1146 |
|
- UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1147 |
|
+ if (update_stat) |
1148 |
|
+ UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1149 |
|
|
1150 |
|
skb_kill_datagram(sk, skb, flags); |
1151 |
|
|
1152 |
--- linux-2.6.16-76.55vl4.orig/net/ipv6/inet6_hashtables.c |
--- linux-2.6.16-76.55vl4.orig/net/ipv6/inet6_hashtables.c |
1153 |
+++ linux-2.6.16-76.55vl4/net/ipv6/inet6_hashtables.c |
+++ linux-2.6.16-76.55vl4/net/ipv6/inet6_hashtables.c |
1154 |
@@ -22,6 +22,7 @@ |
@@ -22,6 +22,7 @@ |
1187 |
|
|
1188 |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
1189 |
DEFINE_RWLOCK(raw_v6_lock); |
DEFINE_RWLOCK(raw_v6_lock); |
1190 |
@@ -387,6 +388,9 @@ static int rawv6_recvmsg(struct kiocb *i |
@@ -384,9 +385,14 @@ static int rawv6_recvmsg(struct kiocb *i |
1191 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
if (flags & MSG_ERRQUEUE) |
1192 |
if (!skb) |
return ipv6_recv_error(sk, msg, len); |
1193 |
goto out; |
|
1194 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1195 |
+ if (err) |
- if (!skb) |
1196 |
+ goto out; |
- goto out; |
1197 |
|
+ for (;;) { |
1198 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1199 |
|
+ if (!skb) |
1200 |
|
+ goto out; |
1201 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1202 |
|
+ break; |
1203 |
|
+ skb_kill_datagram(sk, skb, flags); |
1204 |
|
+ } |
1205 |
|
|
1206 |
copied = skb->len; |
copied = skb->len; |
1207 |
if (copied > len) { |
if (copied > len) { |
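Review bot: The `if (flags & MSG_ERRQUEUE) return ipv6_recv_error(sk, msg, len);` context lines above the new loop mean error-queue messages, which carry a copy of the original datagram, are delivered without passing `ccs_socket_post_recvmsg_permission()`; presumably intended, since they describe the socket's own failed sends, but a comment on the loop such as `/* MSG_ERRQUEUE traffic returned above is not subject to this check. */` would make that explicit. As in net/ipv4/raw.c the denied skb is handed to `skb_kill_datagram()`, so the datagram is consumed for every reader of the socket, and the loop repeats `skb_recv_datagram()` with a fresh wait for each rejected packet. rawv6_recvmsg() starts and ends outside the hunk.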
1233 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1234 |
break; |
break; |
1235 |
} |
} |
1236 |
@@ -238,6 +243,9 @@ try_again: |
@@ -227,6 +232,7 @@ static int udpv6_recvmsg(struct kiocb *i |
1237 |
|
struct sk_buff *skb; |
1238 |
|
size_t copied; |
1239 |
|
int err; |
1240 |
|
+ _Bool update_stat; |
1241 |
|
|
1242 |
|
if (addr_len) |
1243 |
|
*addr_len=sizeof(struct sockaddr_in6); |
1244 |
|
@@ -238,6 +244,11 @@ try_again: |
1245 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1246 |
if (!skb) |
if (!skb) |
1247 |
goto out; |
goto out; |
1248 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1249 |
+ if (err) |
+ update_stat = 0; |
1250 |
+ goto out; |
+ goto csum_copy_err; |
1251 |
|
+ } |
1252 |
|
+ update_stat = 1; |
1253 |
|
|
1254 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1255 |
if (copied > len) { |
if (copied > len) { |
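Review bot: The denial branch jumps to `csum_copy_err` with `update_stat = 0` so that a policy drop is not counted as a UDP input error; that is correct, but nothing at the jump says so, and a reader has to follow the label and the `if (update_stat)` guard in the later hunk to work it out. A comment on the branch, `/* denied by policy: drop the datagram and wait for the next one; this is not a protocol error */`, would carry that intent. Note that the label returns -EAGAIN when MSG_DONTWAIT is set, so a non-blocking caller sees a denied datagram as "nothing to read" even if permitted ones are queued behind it — the same behaviour the existing checksum-failure path has, so likely acceptable. udpv6_recvmsg() starts and ends outside the hunk.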
1256 |
|
@@ -304,7 +315,8 @@ csum_copy_err: |
1257 |
|
skb_kill_datagram(sk, skb, flags); |
1258 |
|
|
1259 |
|
if (flags & MSG_DONTWAIT) { |
1260 |
|
- UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1261 |
|
+ if (update_stat) |
1262 |
|
+ UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1263 |
|
return -EAGAIN; |
1264 |
|
} |
1265 |
|
goto try_again; |
1266 |
--- linux-2.6.16-76.55vl4.orig/net/socket.c |
--- linux-2.6.16-76.55vl4.orig/net/socket.c |
1267 |
+++ linux-2.6.16-76.55vl4/net/socket.c |
+++ linux-2.6.16-76.55vl4/net/socket.c |
1268 |
@@ -97,6 +97,8 @@ |
@@ -97,6 +97,8 @@ |
1316 |
err=sock->ops->listen(sock, backlog); |
err=sock->ops->listen(sock, backlog); |
1317 |
sockfd_put(sock); |
sockfd_put(sock); |
1318 |
} |
} |
1319 |
@@ -1383,6 +1393,11 @@ asmlinkage long sys_accept(int fd, struc |
@@ -1362,6 +1372,7 @@ asmlinkage long sys_accept(int fd, struc |
1320 |
|
if (!sock) |
1321 |
|
goto out; |
1322 |
|
|
1323 |
|
+retry: |
1324 |
|
err = -ENFILE; |
1325 |
|
if (!(newsock = sock_alloc())) |
1326 |
|
goto out_put; |
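Review bot: The `retry:` label makes sys_accept() loop back through `sock_alloc()` whenever the check further down (the `sock_release(newsock); goto retry;` branch in the following hunk, whose tail is cut off here) rejects an accepted connection, so a denied peer is presumably closed by the release and the accepting task is never told; the previous version of the patch surfaced this as -ECONNABORTED. That changes observable behaviour for both ends and deserves a comment at the label, e.g. `/* A connection the policy rejects is released and accept() restarted; the caller never sees it. */`. On a blocking listener a flood of denied peers keeps the caller in the kernel until a permitted connection or a signal arrives, and on a non-blocking one every queued-but-denied connection is drained before -EAGAIN is returned — acceptable, but worth stating in the patch description. sys_accept() continues past the hunk.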
1327 |
|
@@ -1383,6 +1394,10 @@ asmlinkage long sys_accept(int fd, struc |
1328 |
if (err < 0) |
if (err < 0) |
1329 |
goto out_release; |
goto out_release; |
1330 |
|
|
1331 |
+ if (ccs_socket_accept_permission(newsock, |
+ if (ccs_socket_post_accept_permission(sock, newsock)) { |
1332 |
+ (struct sockaddr *) address)) { |
+ sock_release(newsock); |
1333 |
+ err = -ECONNABORTED; /* Hope less harmful than -EPERM. */ |
+ goto retry; |
|
+ goto out_release; |
|
1334 |
+ } |
+ } |
1335 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
1336 |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |