arch/sparc/kernel/ptrace.c | 5 +++++ |
arch/sparc/kernel/ptrace.c | 5 +++++ |
arch/sparc64/kernel/ptrace.c | 5 +++++ |
arch/sparc64/kernel/ptrace.c | 5 +++++ |
arch/x86_64/ia32/ptrace32.c | 3 +++ |
arch/x86_64/ia32/ptrace32.c | 3 +++ |
|
fs/attr.c | 5 +++++ |
|
fs/compat.c | 9 ++++++++- |
fs/compat.c | 9 ++++++++- |
fs/exec.c | 11 ++++++++++- |
fs/exec.c | 11 ++++++++++- |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 4 ++++ |
net/ipv6/inet6_hashtables.c | 3 +++ |
net/ipv6/inet6_hashtables.c | 3 +++ |
net/ipv6/raw.c | 4 ++++ |
net/ipv6/raw.c | 4 ++++ |
net/ipv6/udp.c | 4 ++++ |
net/ipv6/udp.c | 4 ++++ |
net/socket.c | 23 +++++++++++++++++++++++ |
net/socket.c | 21 +++++++++++++++++++++ |
net/unix/af_unix.c | 4 ++++ |
net/unix/af_unix.c | 4 ++++ |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
43 files changed, 278 insertions(+), 3 deletions(-) |
42 files changed, 271 insertions(+), 3 deletions(-) |
|
|
--- linux-2.6.21.7.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.21.7.orig/arch/alpha/kernel/ptrace.c |
50 |
+++ linux-2.6.21.7/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.21.7/arch/alpha/kernel/ptrace.c |
60 |
unsigned long tmp; |
unsigned long tmp; |
61 |
size_t copied; |
size_t copied; |
62 |
long ret; |
long ret; |
63 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
64 |
+ return -EPERM; |
+ return -EPERM; |
65 |
|
|
66 |
lock_kernel(); |
lock_kernel(); |
79 |
struct task_struct *child; |
struct task_struct *child; |
80 |
unsigned int value, tmp; |
unsigned int value, tmp; |
81 |
long i, ret; |
long i, ret; |
82 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
83 |
+ return -EPERM; |
+ return -EPERM; |
84 |
|
|
85 |
lock_kernel(); |
lock_kernel(); |
98 |
struct task_struct *child; |
struct task_struct *child; |
99 |
struct switch_stack *sw; |
struct switch_stack *sw; |
100 |
long ret; |
long ret; |
101 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
102 |
+ return -EPERM; |
+ return -EPERM; |
103 |
|
|
104 |
lock_kernel(); |
lock_kernel(); |
117 |
{ |
{ |
118 |
struct task_struct *child; |
struct task_struct *child; |
119 |
int ret; |
int ret; |
120 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
121 |
+ return -EPERM; |
+ return -EPERM; |
122 |
|
|
123 |
lock_kernel(); |
lock_kernel(); |
136 |
{ |
{ |
137 |
struct task_struct *child; |
struct task_struct *child; |
138 |
int ret; |
int ret; |
139 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
140 |
+ return -EPERM; |
+ return -EPERM; |
141 |
|
|
142 |
#if 0 |
#if 0 |
155 |
{ |
{ |
156 |
struct task_struct *child; |
struct task_struct *child; |
157 |
int ret; |
int ret; |
158 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
159 |
+ return -EPERM; |
+ return -EPERM; |
160 |
|
|
161 |
lock_kernel(); |
lock_kernel(); |
174 |
struct task_struct *child; |
struct task_struct *child; |
175 |
int ret; |
int ret; |
176 |
|
|
177 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
178 |
+ return -EPERM; |
+ return -EPERM; |
179 |
lock_kernel(); |
lock_kernel(); |
180 |
if (request == PTRACE_TRACEME) { |
if (request == PTRACE_TRACEME) { |
193 |
unsigned long addr2 = regs->u_regs[UREG_I4]; |
unsigned long addr2 = regs->u_regs[UREG_I4]; |
194 |
struct task_struct *child; |
struct task_struct *child; |
195 |
int ret; |
int ret; |
196 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) { |
+ if (ccs_ptrace_permission(request, pid)) { |
197 |
+ pt_error_return(regs, EPERM); |
+ pt_error_return(regs, EPERM); |
198 |
+ return; |
+ return; |
199 |
+ } |
+ } |
214 |
unsigned long addr2 = regs->u_regs[UREG_I4]; |
unsigned long addr2 = regs->u_regs[UREG_I4]; |
215 |
struct task_struct *child; |
struct task_struct *child; |
216 |
int ret; |
int ret; |
217 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) { |
+ if (ccs_ptrace_permission(request, pid)) { |
218 |
+ pt_error_return(regs, EPERM); |
+ pt_error_return(regs, EPERM); |
219 |
+ return; |
+ return; |
220 |
+ } |
+ } |
235 |
void __user *datap = compat_ptr(data); |
void __user *datap = compat_ptr(data); |
236 |
int ret; |
int ret; |
237 |
__u32 val; |
__u32 val; |
238 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
239 |
+ return -EPERM; |
+ return -EPERM; |
240 |
|
|
241 |
switch (request) { |
switch (request) { |
242 |
case PTRACE_TRACEME: |
case PTRACE_TRACEME: |
|
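Review bot: Every call site collapses the hook's result to a fixed -EPERM (`if (ccs_ptrace_permission(request, pid)) return -EPERM;` at the alpha, sparc, sparc64 and ia32 entry points in this section, and again in the kernel/ptrace.c hunk shown under the init_task.h header), so if ccs_ptrace_permission ever distinguishes causes with its own errno that information is discarded; either document that the hook is a boolean deny/allow or propagate its value, e.g. `ret = ccs_ptrace_permission(request, pid); if (ret) return ret;`. The check is also placed ahead of the PTRACE_TRACEME branch, where the kernel itself does not use pid, so the hook presumably has to tolerate an arbitrary pid for that request — a one-line comment at the first call site would make that explicit, `/* pid is not meaningful for PTRACE_TRACEME; hook is expected to allow on request alone */`. The sparc variants report the same fixed errno through pt_error_return(regs, EPERM), which is consistent today but would also need to change if the hook's value were propagated. The enclosing sys_ptrace bodies start and end outside the shown hunks.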
--- linux-2.6.21.7.orig/fs/attr.c |
|
|
+++ linux-2.6.21.7/fs/attr.c |
|
|
@@ -15,6 +15,7 @@ |
|
|
#include <linux/fcntl.h> |
|
|
#include <linux/quotaops.h> |
|
|
#include <linux/security.h> |
|
|
+#include <linux/ccsecurity.h> |
|
|
|
|
|
/* Taken over from the old code... */ |
|
|
|
|
|
@@ -146,11 +147,15 @@ int notify_change(struct dentry * dentry |
|
|
if (inode->i_op && inode->i_op->setattr) { |
|
|
error = security_inode_setattr(dentry, attr); |
|
|
if (!error) |
|
|
+ error = ccs_setattr_permission(dentry, attr); |
|
|
+ if (!error) |
|
|
error = inode->i_op->setattr(dentry, attr); |
|
|
} else { |
|
|
error = inode_change_ok(inode, attr); |
|
|
if (!error) |
|
|
error = security_inode_setattr(dentry, attr); |
|
|
+ if (!error) |
|
|
+ error = ccs_setattr_permission(dentry, attr); |
|
|
if (!error) { |
|
|
if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) || |
|
|
(ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid)) |
|
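Review bot: The new ccs_setattr_permission call sees attr at different stages in the two branches: in the else branch it runs after inode_change_ok has validated the request, but in the i_op->setattr branch it runs before any validation, since the VFS leaves that to the filesystem's own setattr, so the hook presumably must cope with unsanitized ATTR_* combinations and owner values. If that is intended, a comment at the first call site would save the next reader the comparison, e.g. `/* attr not yet validated by inode_change_ok() here; the fs setattr does that */`. The added include of linux/ccsecurity.h is the only other change to this file. notify_change's body continues outside the hunk.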
243 |
--- linux-2.6.21.7.orig/fs/compat.c |
--- linux-2.6.21.7.orig/fs/compat.c |
244 |
+++ linux-2.6.21.7/fs/compat.c |
+++ linux-2.6.21.7/fs/compat.c |
245 |
@@ -56,6 +56,7 @@ |
@@ -56,6 +56,7 @@ |
693 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
694 |
} |
} |
695 |
#endif |
#endif |
696 |
+ printk(KERN_INFO "Hook version: 2.6.21.7 2009/09/10\n"); |
+ printk(KERN_INFO "Hook version: 2.6.21.7 2009/10/20\n"); |
697 |
} |
} |
698 |
--- linux-2.6.21.7.orig/include/linux/init_task.h |
--- linux-2.6.21.7.orig/include/linux/init_task.h |
699 |
+++ linux-2.6.21.7/include/linux/init_task.h |
+++ linux-2.6.21.7/include/linux/init_task.h |
836 |
/* |
/* |
837 |
* This lock_kernel fixes a subtle race with suid exec |
* This lock_kernel fixes a subtle race with suid exec |
838 |
*/ |
*/ |
839 |
+ if (!ccs_capable(CCS_SYS_PTRACE)) |
+ if (ccs_ptrace_permission(request, pid)) |
840 |
+ return -EPERM; |
+ return -EPERM; |
841 |
lock_kernel(); |
lock_kernel(); |
842 |
if (request == PTRACE_TRACEME) { |
if (request == PTRACE_TRACEME) { |
1195 |
static int sock_no_open(struct inode *irrelevant, struct file *dontcare); |
static int sock_no_open(struct inode *irrelevant, struct file *dontcare); |
1196 |
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov, |
static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov, |
1197 |
unsigned long nr_segs, loff_t pos); |
unsigned long nr_segs, loff_t pos); |
1198 |
@@ -547,6 +549,10 @@ static inline int __sock_sendmsg(struct |
@@ -547,6 +549,8 @@ static inline int __sock_sendmsg(struct |
1199 |
si->size = size; |
si->size = size; |
1200 |
|
|
1201 |
err = security_socket_sendmsg(sock, msg, size); |
err = security_socket_sendmsg(sock, msg, size); |
1202 |
+ if (!err) |
+ if (!err) |
1203 |
+ err = ccs_socket_sendmsg_permission(sock, (struct sockaddr *) |
+ err = ccs_socket_sendmsg_permission(sock, msg, size); |
|
+ msg->msg_name, |
|
|
+ msg->msg_namelen); |
|
1204 |
if (err) |
if (err) |
1205 |
return err; |
return err; |
1206 |
|
|
1207 |
@@ -1071,6 +1077,8 @@ static int __sock_create(int family, int |
@@ -1071,6 +1075,8 @@ static int __sock_create(int family, int |
1208 |
} |
} |
1209 |
|
|
1210 |
err = security_socket_create(family, type, protocol, kern); |
err = security_socket_create(family, type, protocol, kern); |
1213 |
if (err) |
if (err) |
1214 |
return err; |
return err; |
1215 |
|
|
1216 |
@@ -1299,6 +1307,11 @@ asmlinkage long sys_bind(int fd, struct |
@@ -1299,6 +1305,11 @@ asmlinkage long sys_bind(int fd, struct |
1217 |
(struct sockaddr *)address, |
(struct sockaddr *)address, |
1218 |
addrlen); |
addrlen); |
1219 |
if (!err) |
if (!err) |
1225 |
err = sock->ops->bind(sock, |
err = sock->ops->bind(sock, |
1226 |
(struct sockaddr *) |
(struct sockaddr *) |
1227 |
address, addrlen); |
address, addrlen); |
1228 |
@@ -1328,6 +1341,8 @@ asmlinkage long sys_listen(int fd, int b |
@@ -1328,6 +1339,8 @@ asmlinkage long sys_listen(int fd, int b |
1229 |
|
|
1230 |
err = security_socket_listen(sock, backlog); |
err = security_socket_listen(sock, backlog); |
1231 |
if (!err) |
if (!err) |
1234 |
err = sock->ops->listen(sock, backlog); |
err = sock->ops->listen(sock, backlog); |
1235 |
|
|
1236 |
fput_light(sock->file, fput_needed); |
fput_light(sock->file, fput_needed); |
1237 |
@@ -1391,6 +1406,11 @@ asmlinkage long sys_accept(int fd, struc |
@@ -1391,6 +1404,11 @@ asmlinkage long sys_accept(int fd, struc |
1238 |
if (err < 0) |
if (err < 0) |
1239 |
goto out_fd; |
goto out_fd; |
1240 |
|
|
1246 |
if (upeer_sockaddr) { |
if (upeer_sockaddr) { |
1247 |
if (newsock->ops->getname(newsock, (struct sockaddr *)address, |
if (newsock->ops->getname(newsock, (struct sockaddr *)address, |
1248 |
&len, 2) < 0) { |
&len, 2) < 0) { |
1249 |
@@ -1453,6 +1473,9 @@ asmlinkage long sys_connect(int fd, stru |
@@ -1453,6 +1471,9 @@ asmlinkage long sys_connect(int fd, stru |
1250 |
|
|
1251 |
err = |
err = |
1252 |
security_socket_connect(sock, (struct sockaddr *)address, addrlen); |
security_socket_connect(sock, (struct sockaddr *)address, addrlen); |