15 |
fs/compat.c | 9 ++++++++- |
fs/compat.c | 9 ++++++++- |
16 |
fs/exec.c | 12 +++++++++++- |
fs/exec.c | 12 +++++++++++- |
17 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 4 ++++ |
18 |
fs/ioctl.c | 5 +++++ |
fs/ioctl.c | 3 +++ |
19 |
fs/namei.c | 32 ++++++++++++++++++++++++++++++++ |
fs/namei.c | 31 +++++++++++++++++++++++++++++++ |
20 |
fs/namespace.c | 21 ++++++++++++++++++++- |
fs/namespace.c | 9 +++++++++ |
21 |
fs/open.c | 27 +++++++++++++++++++++++++++ |
fs/open.c | 27 +++++++++++++++++++++++++++ |
22 |
fs/proc/proc_misc.c | 1 + |
fs/proc/proc_misc.c | 1 + |
23 |
include/linux/init_task.h | 9 +++++++++ |
include/linux/init_task.h | 9 +++++++++ |
34 |
kernel/time.c | 7 +++++++ |
kernel/time.c | 7 +++++++ |
35 |
net/ipv4/inet_connection_sock.c | 3 +++ |
net/ipv4/inet_connection_sock.c | 3 +++ |
36 |
net/ipv4/inet_hashtables.c | 3 +++ |
net/ipv4/inet_hashtables.c | 3 +++ |
37 |
net/ipv4/raw.c | 4 ++++ |
net/ipv4/raw.c | 12 +++++++++--- |
38 |
net/ipv4/udp.c | 10 +++++++++- |
net/ipv4/udp.c | 16 ++++++++++++++-- |
39 |
net/ipv6/inet6_hashtables.c | 5 ++++- |
net/ipv6/inet6_hashtables.c | 5 ++++- |
40 |
net/ipv6/raw.c | 4 ++++ |
net/ipv6/raw.c | 12 +++++++++--- |
41 |
net/ipv6/udp.c | 8 ++++++++ |
net/ipv6/udp.c | 14 +++++++++++++- |
42 |
net/socket.c | 23 +++++++++++++++++++++-- |
net/socket.c | 24 ++++++++++++++++++++++-- |
43 |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 9 +++++++++ |
44 |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
45 |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
46 |
41 files changed, 282 insertions(+), 9 deletions(-) |
41 files changed, 294 insertions(+), 16 deletions(-) |
47 |
|
|
48 |
--- linux-2.6.18-26etch2.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.18-26etch2.orig/arch/alpha/kernel/ptrace.c |
49 |
+++ linux-2.6.18-26etch2/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.18-26etch2/arch/alpha/kernel/ptrace.c |
350 |
|
|
351 |
static long do_ioctl(struct file *filp, unsigned int cmd, |
static long do_ioctl(struct file *filp, unsigned int cmd, |
352 |
unsigned long arg) |
unsigned long arg) |
353 |
@@ -23,6 +24,8 @@ static long do_ioctl(struct file *filp, |
@@ -167,6 +168,8 @@ asmlinkage long sys_ioctl(unsigned int f |
|
|
|
|
if (!filp->f_op) |
|
|
goto out; |
|
|
+ if (!ccs_capable(CCS_SYS_IOCTL)) |
|
|
+ return -EPERM; |
|
|
|
|
|
if (filp->f_op->unlocked_ioctl) { |
|
|
error = filp->f_op->unlocked_ioctl(filp, cmd, arg); |
|
|
@@ -167,6 +170,8 @@ asmlinkage long sys_ioctl(unsigned int f |
|
354 |
goto out; |
goto out; |
355 |
|
|
356 |
error = security_file_ioctl(filp, cmd, arg); |
error = security_file_ioctl(filp, cmd, arg); |
382 |
/* |
/* |
383 |
* Ensure there are no outstanding leases on the file. |
* Ensure there are no outstanding leases on the file. |
384 |
*/ |
*/ |
385 |
@@ -1567,6 +1574,7 @@ int may_open(struct nameidata *nd, int a |
@@ -1650,6 +1657,9 @@ do_last: |
|
return 0; |
|
|
} |
|
|
|
|
|
+#include <linux/ccsecurity_vfs.h> |
|
|
/* |
|
|
* open_namei() |
|
|
* |
|
|
@@ -1650,6 +1658,9 @@ do_last: |
|
386 |
if (!path.dentry->d_inode) { |
if (!path.dentry->d_inode) { |
387 |
if (!IS_POSIXACL(dir->d_inode)) |
if (!IS_POSIXACL(dir->d_inode)) |
388 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
392 |
error = vfs_create(dir->d_inode, path.dentry, mode, nd); |
error = vfs_create(dir->d_inode, path.dentry, mode, nd); |
393 |
mutex_unlock(&dir->d_inode->i_mutex); |
mutex_unlock(&dir->d_inode->i_mutex); |
394 |
dput(nd->dentry); |
dput(nd->dentry); |
395 |
@@ -1848,6 +1859,9 @@ asmlinkage long sys_mknodat(int dfd, con |
@@ -1848,6 +1858,9 @@ asmlinkage long sys_mknodat(int dfd, con |
396 |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
397 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
398 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
402 |
switch (mode & S_IFMT) { |
switch (mode & S_IFMT) { |
403 |
case 0: case S_IFREG: |
case 0: case S_IFREG: |
404 |
error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); |
error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); |
405 |
@@ -1921,6 +1935,9 @@ asmlinkage long sys_mkdirat(int dfd, con |
@@ -1921,6 +1934,9 @@ asmlinkage long sys_mkdirat(int dfd, con |
406 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
407 |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
408 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
412 |
error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); |
error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); |
413 |
dput(dentry); |
dput(dentry); |
414 |
} |
} |
415 |
@@ -2029,6 +2046,9 @@ static long do_rmdir(int dfd, const char |
@@ -2029,6 +2045,9 @@ static long do_rmdir(int dfd, const char |
416 |
dentry = lookup_hash(&nd); |
dentry = lookup_hash(&nd); |
417 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
418 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
422 |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
423 |
dput(dentry); |
dput(dentry); |
424 |
} |
} |
425 |
@@ -2109,6 +2129,9 @@ static long do_unlinkat(int dfd, const c |
@@ -2109,6 +2128,9 @@ static long do_unlinkat(int dfd, const c |
426 |
inode = dentry->d_inode; |
inode = dentry->d_inode; |
427 |
if (inode) |
if (inode) |
428 |
atomic_inc(&inode->i_count); |
atomic_inc(&inode->i_count); |
432 |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
433 |
exit2: |
exit2: |
434 |
dput(dentry); |
dput(dentry); |
435 |
@@ -2187,6 +2210,9 @@ asmlinkage long sys_symlinkat(const char |
@@ -2187,6 +2209,9 @@ asmlinkage long sys_symlinkat(const char |
436 |
dentry = lookup_create(&nd, 0); |
dentry = lookup_create(&nd, 0); |
437 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
438 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
442 |
error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); |
error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); |
443 |
dput(dentry); |
dput(dentry); |
444 |
} |
} |
445 |
@@ -2281,6 +2307,9 @@ asmlinkage long sys_linkat(int olddfd, c |
@@ -2281,6 +2306,9 @@ asmlinkage long sys_linkat(int olddfd, c |
446 |
new_dentry = lookup_create(&nd, 0); |
new_dentry = lookup_create(&nd, 0); |
447 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
448 |
if (!IS_ERR(new_dentry)) { |
if (!IS_ERR(new_dentry)) { |
452 |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
453 |
dput(new_dentry); |
dput(new_dentry); |
454 |
} |
} |
455 |
@@ -2507,6 +2536,9 @@ static int do_rename(int olddfd, const c |
@@ -2507,6 +2535,9 @@ static int do_rename(int olddfd, const c |
456 |
if (new_dentry == trap) |
if (new_dentry == trap) |
457 |
goto exit5; |
goto exit5; |
458 |
|
|
481 |
if (retval) |
if (retval) |
482 |
return retval; |
return retval; |
483 |
|
|
484 |
@@ -641,6 +644,8 @@ asmlinkage long sys_umount(char __user * |
@@ -1384,6 +1387,7 @@ int copy_mount_options(const void __user |
|
{ |
|
|
struct nameidata nd; |
|
|
int retval; |
|
|
+ if (!ccs_capable(CCS_SYS_UMOUNT)) |
|
|
+ return -EPERM; |
|
|
|
|
|
retval = __user_walk(name, LOOKUP_FOLLOW, &nd); |
|
|
if (retval) |
|
|
@@ -925,6 +930,9 @@ static int do_loopback(struct nameidata |
|
|
|
|
|
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
|
|
goto out; |
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
|
|
|
err = -ENOMEM; |
|
|
if (recurse) |
|
|
@@ -1009,7 +1017,9 @@ static int do_move_mount(struct nameidat |
|
|
err = -EINVAL; |
|
|
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
|
|
goto out; |
|
|
- |
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto out; |
|
|
err = -ENOENT; |
|
|
mutex_lock(&nd->dentry->d_inode->i_mutex); |
|
|
if (IS_DEADDIR(nd->dentry->d_inode)) |
|
|
@@ -1111,6 +1121,9 @@ int do_add_mount(struct vfsmount *newmnt |
|
|
err = -EINVAL; |
|
|
if (S_ISLNK(newmnt->mnt_root->d_inode->i_mode)) |
|
|
goto unlock; |
|
|
+ err = -EPERM; |
|
|
+ if (ccs_may_mount(nd)) |
|
|
+ goto unlock; |
|
|
|
|
|
newmnt->mnt_flags = mnt_flags; |
|
|
if ((err = graft_tree(newmnt, nd))) |
|
|
@@ -1384,6 +1397,7 @@ int copy_mount_options(const void __user |
|
485 |
long do_mount(char *dev_name, char *dir_name, char *type_page, |
long do_mount(char *dev_name, char *dir_name, char *type_page, |
486 |
unsigned long flags, void *data_page) |
unsigned long flags, void *data_page) |
487 |
{ |
{ |
489 |
struct nameidata nd; |
struct nameidata nd; |
490 |
int retval = 0; |
int retval = 0; |
491 |
int mnt_flags = 0; |
int mnt_flags = 0; |
492 |
@@ -1423,6 +1437,9 @@ long do_mount(char *dev_name, char *dir_ |
@@ -1423,6 +1427,9 @@ long do_mount(char *dev_name, char *dir_ |
493 |
return retval; |
return retval; |
494 |
|
|
495 |
retval = security_sb_mount(dev_name, &nd, type_page, flags, data_page); |
retval = security_sb_mount(dev_name, &nd, type_page, flags, data_page); |
499 |
if (retval) |
if (retval) |
500 |
goto dput_out; |
goto dput_out; |
501 |
|
|
502 |
@@ -1707,6 +1724,8 @@ asmlinkage long sys_pivot_root(const cha |
@@ -1707,6 +1714,8 @@ asmlinkage long sys_pivot_root(const cha |
503 |
goto out1; |
goto out1; |
504 |
|
|
505 |
error = security_sb_pivotroot(&old_nd, &new_nd); |
error = security_sb_pivotroot(&old_nd, &new_nd); |
522 |
if (error) |
if (error) |
523 |
goto dput_and_out; |
goto dput_and_out; |
524 |
|
|
525 |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt, length, 0); |
+ error = ccs_truncate_permission(nd.dentry, nd.mnt); |
526 |
+ if (!error) |
+ if (!error) |
527 |
error = locks_verify_truncate(inode, NULL, length); |
error = locks_verify_truncate(inode, NULL, length); |
528 |
if (!error) { |
if (!error) { |
531 |
if (IS_APPEND(inode)) |
if (IS_APPEND(inode)) |
532 |
goto out_putf; |
goto out_putf; |
533 |
|
|
534 |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt, length, 0); |
+ error = ccs_truncate_permission(dentry, file->f_vfsmnt); |
535 |
+ if (error) |
+ if (error) |
536 |
+ goto out_putf; |
+ goto out_putf; |
537 |
error = locks_verify_truncate(inode, file, length); |
error = locks_verify_truncate(inode, file, length); |
628 |
if (entry) |
if (entry) |
629 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
630 |
#endif |
#endif |
631 |
+ printk(KERN_INFO "Hook version: 2.6.18-26etch2 2010/04/12\n"); |
+ printk(KERN_INFO "Hook version: 2.6.18-26etch2 2010/08/23\n"); |
632 |
} |
} |
633 |
--- linux-2.6.18-26etch2.orig/include/linux/init_task.h |
--- linux-2.6.18-26etch2.orig/include/linux/init_task.h |
634 |
+++ linux-2.6.18-26etch2/include/linux/init_task.h |
+++ linux-2.6.18-26etch2/include/linux/init_task.h |
1010 |
|
|
1011 |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE]; |
1012 |
DEFINE_RWLOCK(raw_v4_lock); |
DEFINE_RWLOCK(raw_v4_lock); |
1013 |
@@ -592,6 +593,9 @@ static int raw_recvmsg(struct kiocb *ioc |
@@ -589,9 +590,14 @@ static int raw_recvmsg(struct kiocb *ioc |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
|
|
if (!skb) |
|
1014 |
goto out; |
goto out; |
1015 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
} |
1016 |
+ if (err) |
|
1017 |
+ goto out; |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1018 |
|
- if (!skb) |
1019 |
|
- goto out; |
1020 |
|
+ for (;;) { |
1021 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1022 |
|
+ if (!skb) |
1023 |
|
+ goto out; |
1024 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1025 |
|
+ break; |
1026 |
|
+ skb_kill_datagram(sk, skb, flags); |
1027 |
|
+ } |
1028 |
|
|
1029 |
copied = skb->len; |
copied = skb->len; |
1030 |
if (len < copied) { |
if (len < copied) { |
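Review bot: The new `for (;;)` loop in raw_recvmsg discards a datagram that `ccs_socket_post_recvmsg_permission` rejects via `skb_kill_datagram` and then waits for the next one, so the caller never learns that anything was dropped and, on a blocking socket, stays in recvmsg until a permitted datagram arrives or `skb_recv_datagram` fails; the same pattern appears in rawv6_recvmsg and unix_dgram_recvmsg further down. The previous revision instead failed the read (`err = ccs_socket_recvmsg_permission(...); if (err) goto out;`), so the switch to a silent drop deserves a comment at the loop head, e.g. `/* Policy may veto a datagram after it is dequeued: drop it and keep waiting rather than fail the read. */`. Note that the `err` returned on the `!skb` path is whatever the last `skb_recv_datagram` call set, never a denial code. raw_recvmsg begins and ends outside the hunk.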
1056 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1057 |
break; |
break; |
1058 |
} |
} |
1059 |
@@ -796,7 +801,10 @@ try_again: |
@@ -782,6 +787,7 @@ static int udp_recvmsg(struct kiocb *ioc |
1060 |
|
struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; |
1061 |
|
struct sk_buff *skb; |
1062 |
|
int copied, err; |
1063 |
|
+ _Bool update_stat; |
1064 |
|
|
1065 |
|
/* |
1066 |
|
* Check any passed addresses |
1067 |
|
@@ -796,7 +802,12 @@ try_again: |
1068 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1069 |
if (!skb) |
if (!skb) |
1070 |
goto out; |
goto out; |
1071 |
- |
- |
1072 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1073 |
+ if (err) |
+ update_stat = 0; |
1074 |
+ goto out; |
+ goto csum_copy_err; |
1075 |
|
+ } |
1076 |
|
+ update_stat = 1; |
1077 |
+ |
+ |
1078 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1079 |
if (copied > len) { |
if (copied > len) { |
1080 |
copied = len; |
copied = len; |
1081 |
|
@@ -844,7 +855,8 @@ out: |
1082 |
|
return err; |
1083 |
|
|
1084 |
|
csum_copy_err: |
1085 |
|
- UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1086 |
|
+ if (update_stat) |
1087 |
|
+ UDP_INC_STATS_BH(UDP_MIB_INERRORS); |
1088 |
|
|
1089 |
|
skb_kill_datagram(sk, skb, flags); |
1090 |
|
|
1091 |
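Review bot: `update_stat` is declared without an initializer (`_Bool update_stat;`) and is read at `csum_copy_err`, so the code relies on every jump to that label passing through one of the two assignments added in the hunk; that holds for the paths visible here but is not stated anywhere, and a compiler may warn about a possibly uninitialized use. A comment at the declaration would make the intent clear, e.g. `/* Set before any path reaches csum_copy_err: a policy-denied datagram is dropped through the checksum-error path but must not be counted in UDP_MIB_INERRORS. */`, or initialize it to 1 at the declaration so that only the denial branch clears it. The same applies to udpv6_recvmsg below, where the `UDP6_INC_STATS_USER` update is guarded the same way. udp_recvmsg begins and ends outside the hunk.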
--- linux-2.6.18-26etch2.orig/net/ipv6/inet6_hashtables.c |
--- linux-2.6.18-26etch2.orig/net/ipv6/inet6_hashtables.c |
1092 |
+++ linux-2.6.18-26etch2/net/ipv6/inet6_hashtables.c |
+++ linux-2.6.18-26etch2/net/ipv6/inet6_hashtables.c |
1093 |
@@ -21,6 +21,7 @@ |
@@ -21,6 +21,7 @@ |
1126 |
|
|
1127 |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE]; |
1128 |
DEFINE_RWLOCK(raw_v6_lock); |
DEFINE_RWLOCK(raw_v6_lock); |
1129 |
@@ -387,6 +388,9 @@ static int rawv6_recvmsg(struct kiocb *i |
@@ -384,9 +385,14 @@ static int rawv6_recvmsg(struct kiocb *i |
1130 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
if (flags & MSG_ERRQUEUE) |
1131 |
if (!skb) |
return ipv6_recv_error(sk, msg, len); |
1132 |
goto out; |
|
1133 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
- skb = skb_recv_datagram(sk, flags, noblock, &err); |
1134 |
+ if (err) |
- if (!skb) |
1135 |
+ goto out; |
- goto out; |
1136 |
|
+ for (;;) { |
1137 |
|
+ skb = skb_recv_datagram(sk, flags, noblock, &err); |
1138 |
|
+ if (!skb) |
1139 |
|
+ goto out; |
1140 |
|
+ if (!ccs_socket_post_recvmsg_permission(sk, skb)) |
1141 |
|
+ break; |
1142 |
|
+ skb_kill_datagram(sk, skb, flags); |
1143 |
|
+ } |
1144 |
|
|
1145 |
copied = skb->len; |
copied = skb->len; |
1146 |
if (copied > len) { |
if (copied > len) { |
1172 |
if (!udp_lport_inuse(result)) |
if (!udp_lport_inuse(result)) |
1173 |
break; |
break; |
1174 |
} |
} |
1175 |
@@ -237,6 +242,9 @@ try_again: |
@@ -226,6 +231,7 @@ static int udpv6_recvmsg(struct kiocb *i |
1176 |
|
struct sk_buff *skb; |
1177 |
|
size_t copied; |
1178 |
|
int err; |
1179 |
|
+ _Bool update_stat; |
1180 |
|
|
1181 |
|
if (addr_len) |
1182 |
|
*addr_len=sizeof(struct sockaddr_in6); |
1183 |
|
@@ -237,6 +243,11 @@ try_again: |
1184 |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1185 |
if (!skb) |
if (!skb) |
1186 |
goto out; |
goto out; |
1187 |
+ err = ccs_socket_recvmsg_permission(sk, skb, flags); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1188 |
+ if (err) |
+ update_stat = 0; |
1189 |
+ goto out; |
+ goto csum_copy_err; |
1190 |
|
+ } |
1191 |
|
+ update_stat = 1; |
1192 |
|
|
1193 |
copied = skb->len - sizeof(struct udphdr); |
copied = skb->len - sizeof(struct udphdr); |
1194 |
if (copied > len) { |
if (copied > len) { |
1195 |
|
@@ -303,7 +314,8 @@ csum_copy_err: |
1196 |
|
skb_kill_datagram(sk, skb, flags); |
1197 |
|
|
1198 |
|
if (flags & MSG_DONTWAIT) { |
1199 |
|
- UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1200 |
|
+ if (update_stat) |
1201 |
|
+ UDP6_INC_STATS_USER(UDP_MIB_INERRORS); |
1202 |
|
return -EAGAIN; |
1203 |
|
} |
1204 |
|
goto try_again; |
1205 |
--- linux-2.6.18-26etch2.orig/net/socket.c |
--- linux-2.6.18-26etch2.orig/net/socket.c |
1206 |
+++ linux-2.6.18-26etch2/net/socket.c |
+++ linux-2.6.18-26etch2/net/socket.c |
1207 |
@@ -94,6 +94,8 @@ |
@@ -94,6 +94,8 @@ |
1255 |
err = sock->ops->listen(sock, backlog); |
err = sock->ops->listen(sock, backlog); |
1256 |
|
|
1257 |
fput_light(sock->file, fput_needed); |
fput_light(sock->file, fput_needed); |
1258 |
@@ -1434,6 +1446,11 @@ asmlinkage long sys_accept(int fd, struc |
@@ -1402,6 +1414,7 @@ asmlinkage long sys_accept(int fd, struc |
1259 |
|
if (!sock) |
1260 |
|
goto out; |
1261 |
|
|
1262 |
|
+retry: |
1263 |
|
err = -ENFILE; |
1264 |
|
if (!(newsock = sock_alloc())) |
1265 |
|
goto out_put; |
1266 |
|
@@ -1434,6 +1447,11 @@ asmlinkage long sys_accept(int fd, struc |
1267 |
if (err < 0) |
if (err < 0) |
1268 |
goto out_fd; |
goto out_fd; |
1269 |
|
|
1270 |
+ if (ccs_socket_accept_permission(newsock, |
+ if (ccs_socket_post_accept_permission(sock, newsock)) { |
1271 |
+ (struct sockaddr *) address)) { |
+ fput(newfile); |
1272 |
+ err = -ECONNABORTED; /* Hope less harmful than -EPERM. */ |
+ put_unused_fd(newfd); |
1273 |
+ goto out_fd; |
+ goto retry; |
1274 |
+ } |
+ } |
1275 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
1276 |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |
if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) { |
1277 |
err = -ECONNABORTED; |
err = -ECONNABORTED; |
1278 |
@@ -1488,9 +1505,11 @@ asmlinkage long sys_connect(int fd, stru |
@@ -1488,9 +1506,11 @@ asmlinkage long sys_connect(int fd, stru |
1279 |
goto out_put; |
goto out_put; |
1280 |
|
|
1281 |
err = security_socket_connect(sock, (struct sockaddr *)address, addrlen); |
err = security_socket_connect(sock, (struct sockaddr *)address, addrlen); |
1308 |
err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); |
err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); |
1309 |
if (err) |
if (err) |
1310 |
goto out_mknod_dput; |
goto out_mknod_dput; |
1311 |
|
@@ -1574,12 +1578,17 @@ static int unix_dgram_recvmsg(struct kio |
1312 |
|
|
1313 |
|
mutex_lock(&u->readlock); |
1314 |
|
|
1315 |
|
+retry: |
1316 |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1317 |
|
if (!skb) |
1318 |
|
goto out_unlock; |
1319 |
|
|
1320 |
|
wake_up_interruptible(&u->peer_wait); |
1321 |
|
|
1322 |
|
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1323 |
|
+ skb_kill_datagram(sk, skb, flags); |
1324 |
|
+ goto retry; |
1325 |
|
+ } |
1326 |
|
if (msg->msg_name) |
1327 |
|
unix_copy_addr(msg, skb->sk); |
1328 |
|
|
1329 |
--- linux-2.6.18-26etch2.orig/security/Kconfig |
--- linux-2.6.18-26etch2.orig/security/Kconfig |
1330 |
+++ linux-2.6.18-26etch2/security/Kconfig |
+++ linux-2.6.18-26etch2/security/Kconfig |
1331 |
@@ -107,5 +107,7 @@ config SECURITY_SECLVL |
@@ -107,5 +107,7 @@ config SECURITY_SECLVL |