| 18 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 4 ++++ |
| 19 |
fs/ioctl.c | 5 +++++ |
fs/ioctl.c | 5 +++++ |
| 20 |
fs/namei.c | 31 ++++++++++++++++++++++++++++++- |
fs/namei.c | 31 ++++++++++++++++++++++++++++++- |
| 21 |
fs/namespace.c | 23 +++++++++++++++++++++++ |
fs/namespace.c | 22 ++++++++++++++++++++++ |
| 22 |
fs/open.c | 26 ++++++++++++++++++++++++++ |
fs/open.c | 28 ++++++++++++++++++++++++++++ |
| 23 |
fs/proc/proc_misc.c | 1 + |
fs/proc/proc_misc.c | 1 + |
| 24 |
include/linux/init_task.h | 9 +++++++++ |
include/linux/init_task.h | 9 +++++++++ |
| 25 |
include/linux/sched.h | 6 ++++++ |
include/linux/sched.h | 6 ++++++ |
| 45 |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
| 46 |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
| 47 |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
| 48 |
43 files changed, 277 insertions(+), 3 deletions(-) |
43 files changed, 278 insertions(+), 3 deletions(-) |
| 49 |
|
|
| 50 |
--- linux-2.6.21.7.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.21.7.orig/arch/alpha/kernel/ptrace.c |
| 51 |
+++ linux-2.6.21.7/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.21.7/arch/alpha/kernel/ptrace.c |
| 515 |
|
|
| 516 |
/* spinlock for vfsmount related operations, inplace of dcache_lock */ |
/* spinlock for vfsmount related operations, inplace of dcache_lock */ |
| 517 |
__cacheline_aligned_in_smp DEFINE_SPINLOCK(vfsmount_lock); |
__cacheline_aligned_in_smp DEFINE_SPINLOCK(vfsmount_lock); |
| 518 |
@@ -545,6 +546,9 @@ static int do_umount(struct vfsmount *mn |
@@ -542,6 +543,8 @@ static int do_umount(struct vfsmount *mn |
| 519 |
|
LIST_HEAD(umount_list); |
| 520 |
|
|
| 521 |
|
retval = security_sb_umount(mnt, flags); |
| 522 |
|
+ if (!retval) |
| 523 |
|
+ retval = ccs_umount_permission(mnt, flags); |
| 524 |
if (retval) |
if (retval) |
| 525 |
return retval; |
return retval; |
| 526 |
|
|
| 527 |
+ if (ccs_may_umount(mnt)) |
@@ -633,6 +636,8 @@ asmlinkage long sys_umount(char __user * |
|
+ return -EPERM; |
|
|
+ |
|
|
/* |
|
|
* Allow userspace to request a mountpoint be expired rather than |
|
|
* unmounting unconditionally. Unmount only happens if: |
|
|
@@ -633,6 +637,8 @@ asmlinkage long sys_umount(char __user * |
|
| 528 |
{ |
{ |
| 529 |
struct nameidata nd; |
struct nameidata nd; |
| 530 |
int retval; |
int retval; |
| 533 |
|
|
| 534 |
retval = __user_walk(name, LOOKUP_FOLLOW, &nd); |
retval = __user_walk(name, LOOKUP_FOLLOW, &nd); |
| 535 |
if (retval) |
if (retval) |
| 536 |
@@ -917,6 +923,9 @@ static int do_loopback(struct nameidata |
@@ -917,6 +922,9 @@ static int do_loopback(struct nameidata |
| 537 |
|
|
| 538 |
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
| 539 |
goto out; |
goto out; |
| 543 |
|
|
| 544 |
err = -ENOMEM; |
err = -ENOMEM; |
| 545 |
if (recurse) |
if (recurse) |
| 546 |
@@ -1002,6 +1011,9 @@ static int do_move_mount(struct nameidat |
@@ -1002,6 +1010,9 @@ static int do_move_mount(struct nameidat |
| 547 |
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt)) |
| 548 |
goto out; |
goto out; |
| 549 |
|
|
| 550 |
+ err = -EPERM; |
+ err = -EPERM; |
| 551 |
+ if (ccs_may_umount(old_nd.mnt) || ccs_may_mount(nd)) |
+ if (ccs_may_mount(nd)) |
| 552 |
+ goto out; |
+ goto out; |
| 553 |
err = -ENOENT; |
err = -ENOENT; |
| 554 |
mutex_lock(&nd->dentry->d_inode->i_mutex); |
mutex_lock(&nd->dentry->d_inode->i_mutex); |
| 555 |
if (IS_DEADDIR(nd->dentry->d_inode)) |
if (IS_DEADDIR(nd->dentry->d_inode)) |
| 556 |
@@ -1103,6 +1115,9 @@ int do_add_mount(struct vfsmount *newmnt |
@@ -1103,6 +1114,9 @@ int do_add_mount(struct vfsmount *newmnt |
| 557 |
err = -EINVAL; |
err = -EINVAL; |
| 558 |
if (S_ISLNK(newmnt->mnt_root->d_inode->i_mode)) |
if (S_ISLNK(newmnt->mnt_root->d_inode->i_mode)) |
| 559 |
goto unlock; |
goto unlock; |
| 563 |
|
|
| 564 |
newmnt->mnt_flags = mnt_flags; |
newmnt->mnt_flags = mnt_flags; |
| 565 |
if ((err = graft_tree(newmnt, nd))) |
if ((err = graft_tree(newmnt, nd))) |
| 566 |
@@ -1394,6 +1409,10 @@ long do_mount(char *dev_name, char *dir_ |
@@ -1376,6 +1390,7 @@ int copy_mount_options(const void __user |
| 567 |
if (data_page) |
long do_mount(char *dev_name, char *dir_name, char *type_page, |
| 568 |
((char *)data_page)[PAGE_SIZE - 1] = 0; |
unsigned long flags, void *data_page) |
| 569 |
|
{ |
| 570 |
+ retval = ccs_mount_permission(dev_name, dir_name, type_page, &flags); |
+ const unsigned long original_flags = flags; |
| 571 |
+ if (retval) |
struct nameidata nd; |
| 572 |
+ return retval; |
int retval = 0; |
| 573 |
+ |
int mnt_flags = 0; |
| 574 |
/* Separate the per-mountpoint flags */ |
@@ -1417,6 +1432,9 @@ long do_mount(char *dev_name, char *dir_ |
| 575 |
if (flags & MS_NOSUID) |
return retval; |
| 576 |
mnt_flags |= MNT_NOSUID; |
|
| 577 |
@@ -1686,6 +1705,8 @@ asmlinkage long sys_pivot_root(const cha |
retval = security_sb_mount(dev_name, &nd, type_page, flags, data_page); |
| 578 |
|
+ if (!retval) |
| 579 |
|
+ retval = ccs_mount_permission(dev_name, &nd, type_page, |
| 580 |
|
+ original_flags, data_page); |
| 581 |
|
if (retval) |
| 582 |
|
goto dput_out; |
| 583 |
|
|
| 584 |
|
@@ -1686,6 +1704,8 @@ asmlinkage long sys_pivot_root(const cha |
| 585 |
|
|
| 586 |
if (!capable(CAP_SYS_ADMIN)) |
if (!capable(CAP_SYS_ADMIN)) |
| 587 |
return -EPERM; |
return -EPERM; |
| 590 |
|
|
| 591 |
lock_kernel(); |
lock_kernel(); |
| 592 |
|
|
| 593 |
@@ -1702,6 +1723,8 @@ asmlinkage long sys_pivot_root(const cha |
@@ -1702,6 +1722,8 @@ asmlinkage long sys_pivot_root(const cha |
| 594 |
goto out1; |
goto out1; |
| 595 |
|
|
| 596 |
error = security_sb_pivotroot(&old_nd, &new_nd); |
error = security_sb_pivotroot(&old_nd, &new_nd); |
| 695 |
error = chown_common(dentry, user, group); |
error = chown_common(dentry, user, group); |
| 696 |
fput(file); |
fput(file); |
| 697 |
out: |
out: |
| 698 |
@@ -1085,6 +1109,8 @@ EXPORT_SYMBOL(sys_close); |
@@ -756,7 +780,9 @@ static struct file *do_filp_open(int dfd |
| 699 |
|
if ((namei_flags+1) & O_ACCMODE) |
| 700 |
|
namei_flags++; |
| 701 |
|
|
| 702 |
|
+ ccs_save_open_mode(flags); |
| 703 |
|
error = open_namei(dfd, filename, namei_flags, mode, &nd); |
| 704 |
|
+ ccs_clear_open_mode(); |
| 705 |
|
if (!error) |
| 706 |
|
return nameidata_to_filp(&nd, flags); |
| 707 |
|
|
| 708 |
|
@@ -1085,6 +1111,8 @@ EXPORT_SYMBOL(sys_close); |
| 709 |
*/ |
*/ |
| 710 |
asmlinkage long sys_vhangup(void) |
asmlinkage long sys_vhangup(void) |
| 711 |
{ |
{ |
| 720 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
| 721 |
} |
} |
| 722 |
#endif |
#endif |
| 723 |
+ printk(KERN_INFO "Hook version: 2.6.21.7 2009/08/20\n"); |
+ printk(KERN_INFO "Hook version: 2.6.21.7 2009/09/10\n"); |
| 724 |
} |
} |
| 725 |
--- linux-2.6.21.7.orig/include/linux/init_task.h |
--- linux-2.6.21.7.orig/include/linux/init_task.h |
| 726 |
+++ linux-2.6.21.7/include/linux/init_task.h |
+++ linux-2.6.21.7/include/linux/init_task.h |
TOMOYO
Parent Directory
Revision Log
Patch