| 9 |
fs/compat.c | 3 ++- |
fs/compat.c | 3 ++- |
| 10 |
fs/compat_ioctl.c | 3 +++ |
fs/compat_ioctl.c | 3 +++ |
| 11 |
fs/exec.c | 12 +++++++++++- |
fs/exec.c | 12 +++++++++++- |
| 12 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 5 +++++ |
| 13 |
fs/ioctl.c | 3 +++ |
fs/ioctl.c | 3 +++ |
| 14 |
fs/namei.c | 34 +++++++++++++++++++++++++++++++++- |
fs/namei.c | 34 +++++++++++++++++++++++++++++++++- |
| 15 |
fs/namespace.c | 9 +++++++++ |
fs/namespace.c | 9 +++++++++ |
| 35 |
net/ipv6/raw.c | 12 +++++++++--- |
net/ipv6/raw.c | 12 +++++++++--- |
| 36 |
net/ipv6/udp.c | 9 ++++++++- |
net/ipv6/udp.c | 9 ++++++++- |
| 37 |
net/socket.c | 22 ++++++++++++++++++++++ |
net/socket.c | 22 ++++++++++++++++++++++ |
| 38 |
net/unix/af_unix.c | 7 +++++++ |
net/unix/af_unix.c | 9 +++++++++ |
| 39 |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
| 40 |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
| 41 |
36 files changed, 254 insertions(+), 11 deletions(-) |
36 files changed, 257 insertions(+), 11 deletions(-) |
| 42 |
|
|
| 43 |
--- linux-2.6.25.20-0.7.orig/arch/ia64/ia32/sys_ia32.c |
--- linux-2.6.25.20-0.7.orig/arch/ia64/ia32/sys_ia32.c |
| 44 |
+++ linux-2.6.25.20-0.7/arch/ia64/ia32/sys_ia32.c |
+++ linux-2.6.25.20-0.7/arch/ia64/ia32/sys_ia32.c |
| 206 |
|
|
| 207 |
void set_close_on_exec(unsigned int fd, int flag) |
void set_close_on_exec(unsigned int fd, int flag) |
| 208 |
{ |
{ |
| 209 |
@@ -217,6 +218,9 @@ static int setfl(int fd, struct file * f |
@@ -397,6 +398,8 @@ asmlinkage long sys_fcntl(unsigned int f |
| 210 |
if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode)) |
goto out; |
|
return -EPERM; |
|
| 211 |
|
|
| 212 |
+ if (((arg ^ filp->f_flags) & O_APPEND) && ccs_rewrite_permission(filp)) |
err = security_file_fcntl(filp, cmd, arg); |
| 213 |
+ return -EPERM; |
+ if (!err) |
| 214 |
+ |
+ err = ccs_fcntl_permission(filp, cmd, arg); |
| 215 |
/* O_NOATIME can only be set by the owner or superuser */ |
if (err) { |
| 216 |
if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME)) |
fput(filp); |
| 217 |
if (!is_owner_or_cap(inode)) |
return err; |
| 218 |
|
@@ -421,6 +424,8 @@ asmlinkage long sys_fcntl64(unsigned int |
| 219 |
|
goto out; |
| 220 |
|
|
| 221 |
|
err = security_file_fcntl(filp, cmd, arg); |
| 222 |
|
+ if (!err) |
| 223 |
|
+ err = ccs_fcntl_permission(filp, cmd, arg); |
| 224 |
|
if (err) { |
| 225 |
|
fput(filp); |
| 226 |
|
return err; |
| 227 |
--- linux-2.6.25.20-0.7.orig/fs/ioctl.c |
--- linux-2.6.25.20-0.7.orig/fs/ioctl.c |
| 228 |
+++ linux-2.6.25.20-0.7/fs/ioctl.c |
+++ linux-2.6.25.20-0.7/fs/ioctl.c |
| 229 |
@@ -15,6 +15,7 @@ |
@@ -15,6 +15,7 @@ |
| 1149 |
err = vfs_mknod(nd.path.dentry->d_inode, dentry, nd.path.mnt, |
err = vfs_mknod(nd.path.dentry->d_inode, dentry, nd.path.mnt, |
| 1150 |
mode, 0); |
mode, 0); |
| 1151 |
if (err) |
if (err) |
| 1152 |
@@ -1654,6 +1658,9 @@ static int unix_dgram_recvmsg(struct kio |
@@ -1641,6 +1645,7 @@ static int unix_dgram_recvmsg(struct kio |
| 1153 |
|
|
| 1154 |
|
mutex_lock(&u->readlock); |
| 1155 |
|
|
| 1156 |
|
+retry: |
| 1157 |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
| 1158 |
|
if (!skb) { |
| 1159 |
|
unix_state_lock(sk); |
| 1160 |
|
@@ -1654,6 +1659,10 @@ static int unix_dgram_recvmsg(struct kio |
| 1161 |
|
|
| 1162 |
wake_up_interruptible_sync(&u->peer_wait); |
wake_up_interruptible_sync(&u->peer_wait); |
| 1163 |
|
|
| 1164 |
+ err = ccs_socket_post_recvmsg_permission(sk, skb); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
| 1165 |
+ if (err) |
+ skb_kill_datagram(sk, skb, flags); |
| 1166 |
+ goto out_free; |
+ goto retry; |
| 1167 |
|
+ } |
| 1168 |
if (msg->msg_name) |
if (msg->msg_name) |
| 1169 |
unix_copy_addr(msg, skb->sk); |
unix_copy_addr(msg, skb->sk); |
| 1170 |
|
|
TOMOYO
Parent Directory
Revision Log
Patch