9 |
fs/compat.c | 3 ++- |
fs/compat.c | 3 ++- |
10 |
fs/compat_ioctl.c | 3 +++ |
fs/compat_ioctl.c | 3 +++ |
11 |
fs/exec.c | 12 +++++++++++- |
fs/exec.c | 12 +++++++++++- |
12 |
fs/fcntl.c | 4 ++++ |
fs/fcntl.c | 5 +++++ |
13 |
fs/ioctl.c | 3 +++ |
fs/ioctl.c | 3 +++ |
14 |
fs/namei.c | 34 +++++++++++++++++++++++++++++++++- |
fs/namei.c | 34 +++++++++++++++++++++++++++++++++- |
15 |
fs/namespace.c | 9 +++++++++ |
fs/namespace.c | 9 +++++++++ |
35 |
net/ipv6/raw.c | 12 +++++++++--- |
net/ipv6/raw.c | 12 +++++++++--- |
36 |
net/ipv6/udp.c | 9 ++++++++- |
net/ipv6/udp.c | 9 ++++++++- |
37 |
net/socket.c | 22 ++++++++++++++++++++++ |
net/socket.c | 22 ++++++++++++++++++++++ |
38 |
net/unix/af_unix.c | 7 +++++++ |
net/unix/af_unix.c | 9 +++++++++ |
39 |
security/Kconfig | 2 ++ |
security/Kconfig | 2 ++ |
40 |
security/Makefile | 3 +++ |
security/Makefile | 3 +++ |
41 |
36 files changed, 254 insertions(+), 11 deletions(-) |
36 files changed, 257 insertions(+), 11 deletions(-) |
42 |
|
|
43 |
--- linux-2.6.25.20-0.7.orig/arch/ia64/ia32/sys_ia32.c |
--- linux-2.6.25.20-0.7.orig/arch/ia64/ia32/sys_ia32.c |
44 |
+++ linux-2.6.25.20-0.7/arch/ia64/ia32/sys_ia32.c |
+++ linux-2.6.25.20-0.7/arch/ia64/ia32/sys_ia32.c |
206 |
|
|
207 |
void set_close_on_exec(unsigned int fd, int flag) |
void set_close_on_exec(unsigned int fd, int flag) |
208 |
{ |
{ |
209 |
@@ -217,6 +218,9 @@ static int setfl(int fd, struct file * f |
@@ -397,6 +398,8 @@ asmlinkage long sys_fcntl(unsigned int f |
210 |
if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode)) |
goto out; |
|
return -EPERM; |
|
211 |
|
|
212 |
+ if (((arg ^ filp->f_flags) & O_APPEND) && ccs_rewrite_permission(filp)) |
err = security_file_fcntl(filp, cmd, arg); |
213 |
+ return -EPERM; |
+ if (!err) |
214 |
+ |
+ err = ccs_fcntl_permission(filp, cmd, arg); |
215 |
/* O_NOATIME can only be set by the owner or superuser */ |
if (err) { |
216 |
if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME)) |
fput(filp); |
217 |
if (!is_owner_or_cap(inode)) |
return err; |
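Review bot: The inserted `if (!err) err = ccs_fcntl_permission(filp, cmd, arg);` after `security_file_fcntl()` in sys_fcntl, and the identical pair of lines in the sys_fcntl64 hunk below, carries no hint at the call site that it now stands in for the narrower check the other revision of this patch placed in setfl (`if (((arg ^ filp->f_flags) & O_APPEND) && ccs_rewrite_permission(filp)) return -EPERM;`), going by the diffstat (fs/fcntl.c 4 → 5 lines) that the right-hand column is the newer revision. A comment such as `/* CCS: must also cover F_SETFL clearing O_APPEND, formerly enforced in setfl() */` would keep that coverage from being dropped in a later cleanup. Because the hook apparently runs ahead of the per-command handling (not visible in the hunk) and sees every cmd, it would also help to state that it is expected to pass through commands it has no policy for, so that query-style commands such as F_GETFL are not denied as a side effect. Both sys_fcntl and sys_fcntl64 begin and continue outside their hunks.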
218 |
|
@@ -421,6 +424,8 @@ asmlinkage long sys_fcntl64(unsigned int |
219 |
|
goto out; |
220 |
|
|
221 |
|
err = security_file_fcntl(filp, cmd, arg); |
222 |
|
+ if (!err) |
223 |
|
+ err = ccs_fcntl_permission(filp, cmd, arg); |
224 |
|
if (err) { |
225 |
|
fput(filp); |
226 |
|
return err; |
227 |
--- linux-2.6.25.20-0.7.orig/fs/ioctl.c |
--- linux-2.6.25.20-0.7.orig/fs/ioctl.c |
228 |
+++ linux-2.6.25.20-0.7/fs/ioctl.c |
+++ linux-2.6.25.20-0.7/fs/ioctl.c |
229 |
@@ -15,6 +15,7 @@ |
@@ -15,6 +15,7 @@ |
1149 |
err = vfs_mknod(nd.path.dentry->d_inode, dentry, nd.path.mnt, |
err = vfs_mknod(nd.path.dentry->d_inode, dentry, nd.path.mnt, |
1150 |
mode, 0); |
mode, 0); |
1151 |
if (err) |
if (err) |
1152 |
@@ -1654,6 +1658,9 @@ static int unix_dgram_recvmsg(struct kio |
@@ -1641,6 +1645,7 @@ static int unix_dgram_recvmsg(struct kio |
1153 |
|
|
1154 |
|
mutex_lock(&u->readlock); |
1155 |
|
|
1156 |
|
+retry: |
1157 |
|
skb = skb_recv_datagram(sk, flags, noblock, &err); |
1158 |
|
if (!skb) { |
1159 |
|
unix_state_lock(sk); |
1160 |
|
@@ -1654,6 +1659,10 @@ static int unix_dgram_recvmsg(struct kio |
1161 |
|
|
1162 |
wake_up_interruptible_sync(&u->peer_wait); |
wake_up_interruptible_sync(&u->peer_wait); |
1163 |
|
|
1164 |
+ err = ccs_socket_post_recvmsg_permission(sk, skb); |
+ if (ccs_socket_post_recvmsg_permission(sk, skb)) { |
1165 |
+ if (err) |
+ skb_kill_datagram(sk, skb, flags); |
1166 |
+ goto out_free; |
+ goto retry; |
1167 |
|
+ } |
1168 |
if (msg->msg_name) |
if (msg->msg_name) |
1169 |
unix_copy_addr(msg, skb->sk); |
unix_copy_addr(msg, skb->sk); |
1170 |
|
|