オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/patches/ccs-patch-2.6.32-grsecurity-201006011506.diff

Contents of /trunk/1.8.x/ccs-patch/patches/ccs-patch-2.6.32-grsecurity-201006011506.diff

Parent Directory Parent Directory | Revision Log Revision Log

Revision 4049 - (show annotations) (download) (as text)
Thu Oct 7 07:14:01 2010 UTC (13 years, 6 months ago) by kumaneko
File MIME type: text/x-diff
File size: 34125 byte(s) 
Merge branches/ccs-patch/ into trunk/1.8.x/ccs-patch/
1 This is TOMOYO Linux patch for kernel 2.6.32.15 + grsecurity-2.1.14-2.6.32.15.
2
3 Source code for this patch is http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.15.tar.bz2 + http://www.grsecurity.net/stable/grsecurity-2.1.14-2.6.32.15-201006011506.patch
4 ---
5 fs/compat.c | 3 ++-
6 fs/compat_ioctl.c | 3 +++
7 fs/exec.c | 3 ++-
8 fs/fcntl.c | 5 +++++
9 fs/ioctl.c | 3 +++
10 fs/namei.c | 37 +++++++++++++++++++++++++++++++++++++
11 fs/namespace.c | 9 +++++++++
12 fs/open.c | 18 ++++++++++++++++++
13 fs/proc/version.c | 8 ++++++++
14 include/linux/init_task.h | 9 +++++++++
15 include/linux/sched.h | 6 ++++++
16 kernel/compat.c | 3 +++
17 kernel/kexec.c | 3 +++
18 kernel/kmod.c | 5 +++++
19 kernel/module.c | 5 +++++
20 kernel/ptrace.c | 5 +++++
21 kernel/sched.c | 3 +++
22 kernel/signal.c | 11 +++++++++++
23 kernel/sys.c | 11 +++++++++++
24 kernel/sysctl.c | 4 ++++
25 kernel/time.c | 5 +++++
26 kernel/time/ntp.c | 6 ++++++
27 net/ipv4/inet_connection_sock.c | 3 +++
28 net/ipv4/inet_hashtables.c | 3 +++
29 net/ipv4/raw.c | 12 +++++++++---
30 net/ipv4/udp.c | 12 ++++++++++--
31 net/ipv6/raw.c | 12 +++++++++---
32 net/ipv6/udp.c | 9 ++++++++-
33 net/socket.c | 22 ++++++++++++++++++++++
34 net/unix/af_unix.c | 10 ++++++++++
35 security/Kconfig | 2 ++
36 security/Makefile | 3 +++
37 32 files changed, 242 insertions(+), 11 deletions(-)
38
39 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/compat.c
40 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/compat.c
41 @@ -56,6 +56,7 @@
42 #include <asm/mmu_context.h>
43 #include <asm/ioctls.h>
44 #include "internal.h"
45 +#include <linux/ccsecurity.h>
46
47 int compat_log = 1;
48
49 @@ -1566,7 +1567,7 @@ int compat_do_execve(char * filename,
50 if (retval < 0)
51 goto out_fail;
52
53 - retval = search_binary_handler(bprm, regs);
54 + retval = ccs_search_binary_handler(bprm, regs);
55 if (retval < 0)
56 goto out_fail;
57 #ifdef CONFIG_GRKERNSEC
58 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/compat_ioctl.c
59 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/compat_ioctl.c
60 @@ -114,6 +114,7 @@
61 #ifdef CONFIG_SPARC
62 #include <asm/fbio.h>
63 #endif
64 +#include <linux/ccsecurity.h>
65
66 static int do_ioctl32_pointer(unsigned int fd, unsigned int cmd,
67 unsigned long arg, struct file *f)
68 @@ -2778,6 +2779,8 @@ asmlinkage long compat_sys_ioctl(unsigne
69
70 /* RED-PEN how should LSM module know it's handling 32bit? */
71 error = security_file_ioctl(filp, cmd, arg);
72 + if (!error)
73 + error = ccs_ioctl_permission(filp, cmd, arg);
74 if (error)
75 goto out_fput;
76
77 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/exec.c
78 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/exec.c
79 @@ -68,6 +68,7 @@
80 #include <asm/mmu_context.h>
81 #include <asm/tlb.h>
82 #include "internal.h"
83 +#include <linux/ccsecurity.h>
84
85 #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
86 void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
87 @@ -1452,7 +1453,7 @@ int do_execve(char * filename,
88 goto out_fail;
89
90 current->flags &= ~PF_KTHREAD;
91 - retval = search_binary_handler(bprm,regs);
92 + retval = ccs_search_binary_handler(bprm, regs);
93 if (retval < 0)
94 goto out_fail;
95 #ifdef CONFIG_GRKERNSEC
96 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/fcntl.c
97 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/fcntl.c
98 @@ -23,6 +23,7 @@
99 #include <asm/poll.h>
100 #include <asm/siginfo.h>
101 #include <asm/uaccess.h>
102 +#include <linux/ccsecurity.h>
103
104 void set_close_on_exec(unsigned int fd, int flag)
105 {
106 @@ -429,6 +430,8 @@ SYSCALL_DEFINE3(fcntl, unsigned int, fd,
107 goto out;
108
109 err = security_file_fcntl(filp, cmd, arg);
110 + if (!err)
111 + err = ccs_fcntl_permission(filp, cmd, arg);
112 if (err) {
113 fput(filp);
114 return err;
115 @@ -454,6 +457,8 @@ SYSCALL_DEFINE3(fcntl64, unsigned int, f
116 goto out;
117
118 err = security_file_fcntl(filp, cmd, arg);
119 + if (!err)
120 + err = ccs_fcntl_permission(filp, cmd, arg);
121 if (err) {
122 fput(filp);
123 return err;
124 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/ioctl.c
125 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/ioctl.c
126 @@ -18,6 +18,7 @@
127 #include <linux/falloc.h>
128
129 #include <asm/ioctls.h>
130 +#include <linux/ccsecurity.h>
131
132 /* So that the fiemap access checks can't overflow on 32 bit machines. */
133 #define FIEMAP_MAX_EXTENTS (UINT_MAX / sizeof(struct fiemap_extent))
134 @@ -618,6 +619,8 @@ SYSCALL_DEFINE3(ioctl, unsigned int, fd,
135 goto out;
136
137 error = security_file_ioctl(filp, cmd, arg);
138 + if (!error)
139 + error = ccs_ioctl_permission(filp, cmd, arg);
140 if (error)
141 goto out_fput;
142
143 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/namei.c
144 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/namei.c
145 @@ -37,6 +37,8 @@
146
147 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
148
149 +#include <linux/ccsecurity.h>
150 +
151 /* [Feb-1997 T. Schoebel-Theuer]
152 * Fundamental changes in the pathname lookup mechanisms (namei)
153 * were necessary because of omirr. The reason is that omirr needs
154 @@ -1583,6 +1585,11 @@ int may_open(struct path *path, int acc_
155 goto err_out;
156 }
157
158 + /* includes O_APPEND and O_TRUNC checks */
159 + error = ccs_open_permission(dentry, path->mnt, flag);
160 + if (error)
161 + goto err_out;
162 +
163 /*
164 * Ensure there are no outstanding leases on the file.
165 */
166 @@ -1643,6 +1650,9 @@ static int __open_namei_create(struct na
167 if (!IS_POSIXACL(dir->d_inode))
168 mode &= ~current_umask();
169 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
170 + if (!error)
171 + error = ccs_mknod_permission(dir->d_inode, path->dentry,
172 + nd->path.mnt, mode, 0);
173 if (error)
174 goto out_unlock;
175 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
176 @@ -1813,7 +1823,9 @@ do_last:
177 error = mnt_want_write(nd.path.mnt);
178 if (error)
179 goto exit_mutex_unlock;
180 + ccs_save_open_mode(open_flag);
181 error = __open_namei_create(&nd, &path, flag, mode);
182 + ccs_clear_open_mode();
183 if (error) {
184 mnt_drop_write(nd.path.mnt);
185 goto exit;
186 @@ -1890,7 +1902,9 @@ ok:
187 if (error)
188 goto exit;
189 }
190 + ccs_save_open_mode(open_flag);
191 error = may_open(&nd.path, acc_mode, flag);
192 + ccs_clear_open_mode();
193 if (error) {
194 if (will_write)
195 mnt_drop_write(nd.path.mnt);
196 @@ -2138,6 +2152,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
197 if (error)
198 goto out_dput;
199 error = security_path_mknod(&nd.path, dentry, mode, dev);
200 + if (!error)
201 + error = ccs_mknod_permission(nd.path.dentry->d_inode, dentry,
202 + nd.path.mnt, mode, dev);
203 if (error)
204 goto out_drop_write;
205 switch (mode & S_IFMT) {
206 @@ -2221,6 +2238,9 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
207 if (error)
208 goto out_dput;
209 error = security_path_mkdir(&nd.path, dentry, mode);
210 + if (!error)
211 + error = ccs_mkdir_permission(nd.path.dentry->d_inode, dentry,
212 + nd.path.mnt, mode);
213 if (error)
214 goto out_drop_write;
215 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
216 @@ -2354,6 +2374,9 @@ static long do_rmdir(int dfd, const char
217 if (error)
218 goto exit3;
219 error = security_path_rmdir(&nd.path, dentry);
220 + if (!error)
221 + error = ccs_rmdir_permission(nd.path.dentry->d_inode, dentry,
222 + nd.path.mnt);
223 if (error)
224 goto exit4;
225 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
226 @@ -2458,6 +2481,9 @@ static long do_unlinkat(int dfd, const c
227 if (error)
228 goto exit2;
229 error = security_path_unlink(&nd.path, dentry);
230 + if (!error)
231 + error = ccs_unlink_permission(nd.path.dentry->d_inode,
232 + dentry, nd.path.mnt);
233 if (error)
234 goto exit3;
235 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
236 @@ -2550,6 +2576,9 @@ SYSCALL_DEFINE3(symlinkat, const char __
237 if (error)
238 goto out_dput;
239 error = security_path_symlink(&nd.path, dentry, from);
240 + if (!error)
241 + error = ccs_symlink_permission(nd.path.dentry->d_inode, dentry,
242 + nd.path.mnt, from);
243 if (error)
244 goto out_drop_write;
245 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
246 @@ -2666,6 +2695,10 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
247 if (error)
248 goto out_dput;
249 error = security_path_link(old_path.dentry, &nd.path, new_dentry);
250 + if (!error)
251 + error = ccs_link_permission(old_path.dentry,
252 + nd.path.dentry->d_inode,
253 + new_dentry, nd.path.mnt);
254 if (error)
255 goto out_drop_write;
256 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
257 @@ -2915,6 +2948,10 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
258 goto exit5;
259 error = security_path_rename(&oldnd.path, old_dentry,
260 &newnd.path, new_dentry);
261 + if (!error)
262 + error = ccs_rename_permission(old_dir->d_inode, old_dentry,
263 + new_dir->d_inode, new_dentry,
264 + newnd.path.mnt);
265 if (error)
266 goto exit6;
267 error = vfs_rename(old_dir->d_inode, old_dentry,
268 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/namespace.c
269 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/namespace.c
270 @@ -33,6 +33,7 @@
271 #include <asm/unistd.h>
272 #include "pnode.h"
273 #include "internal.h"
274 +#include <linux/ccsecurity.h>
275
276 #define HASH_SHIFT ilog2(PAGE_SIZE / sizeof(struct list_head))
277 #define HASH_SIZE (1UL << HASH_SHIFT)
278 @@ -1030,6 +1031,8 @@ static int do_umount(struct vfsmount *mn
279 LIST_HEAD(umount_list);
280
281 retval = security_sb_umount(mnt, flags);
282 + if (!retval)
283 + retval = ccs_umount_permission(mnt, flags);
284 if (retval)
285 return retval;
286
287 @@ -1911,6 +1914,7 @@ int copy_mount_string(const void __user
288 long do_mount(char *dev_name, char *dir_name, char *type_page,
289 unsigned long flags, void *data_page)
290 {
291 + const unsigned long original_flags = flags;
292 struct path path;
293 int retval = 0;
294 int mnt_flags = 0;
295 @@ -1958,6 +1962,9 @@ long do_mount(char *dev_name, char *dir_
296
297 retval = security_sb_mount(dev_name, &path,
298 type_page, flags, data_page);
299 + if (!retval)
300 + retval = ccs_mount_permission(dev_name, &path, type_page,
301 + original_flags, data_page);
302 if (retval)
303 goto dput_out;
304
305 @@ -2189,6 +2196,8 @@ SYSCALL_DEFINE2(pivot_root, const char _
306 goto out1;
307
308 error = security_sb_pivotroot(&old, &new);
309 + if (!error)
310 + error = ccs_pivot_root_permission(&old, &new);
311 if (error) {
312 path_put(&old);
313 goto out1;
314 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/open.c
315 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/open.c
316 @@ -30,6 +30,7 @@
317 #include <linux/audit.h>
318 #include <linux/falloc.h>
319 #include <linux/fs_struct.h>
320 +#include <linux/ccsecurity.h>
321
322 int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
323 {
324 @@ -278,6 +279,8 @@ static long do_sys_truncate(const char _
325 error = locks_verify_truncate(inode, NULL, length);
326 if (!error)
327 error = security_path_truncate(&path, length, 0);
328 + if (!error)
329 + error = ccs_truncate_permission(path.dentry, path.mnt);
330 if (!error) {
331 vfs_dq_init(inode);
332 error = do_truncate(path.dentry, length, 0, NULL);
333 @@ -337,6 +340,8 @@ static long do_sys_ftruncate(unsigned in
334 error = security_path_truncate(&file->f_path, length,
335 ATTR_MTIME|ATTR_CTIME);
336 if (!error)
337 + error = ccs_truncate_permission(dentry, file->f_vfsmnt);
338 + if (!error)
339 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
340 out_putf:
341 fput(file);
342 @@ -598,6 +603,8 @@ SYSCALL_DEFINE1(chroot, const char __use
343 error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_ACCESS);
344 if (error)
345 goto dput_and_out;
346 + if (ccs_chroot_permission(&path))
347 + goto dput_and_out;
348
349 error = -EPERM;
350 if (!capable(CAP_SYS_CHROOT))
351 @@ -642,6 +649,9 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
352 err = mnt_want_write_file(file);
353 if (err)
354 goto out_putf;
355 + err = ccs_chmod_permission(dentry, file->f_vfsmnt, mode);
356 + if (err)
357 + goto out_drop_write;
358
359 if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
360 err = -EACCES;
361 @@ -686,6 +696,9 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
362 error = mnt_want_write(path.mnt);
363 if (error)
364 goto dput_and_out;
365 + error = ccs_chmod_permission(path.dentry, path.mnt, mode);
366 + if (error)
367 + goto out_drop_write;
368
369 if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
370 error = -EACCES;
371 @@ -726,6 +739,9 @@ static int chown_common(struct dentry *
372 int error;
373 struct iattr newattrs;
374
375 + error = ccs_chown_permission(dentry, mnt, user, group);
376 + if (error)
377 + return error;
378 if (!gr_acl_handle_chown(dentry, mnt))
379 return -EACCES;
380
381 @@ -1219,6 +1235,8 @@ EXPORT_SYMBOL(sys_close);
382 */
383 SYSCALL_DEFINE0(vhangup)
384 {
385 + if (!ccs_capable(CCS_SYS_VHANGUP))
386 + return -EPERM;
387 if (capable(CAP_SYS_TTY_CONFIG)) {
388 tty_vhangup_self();
389 return 0;
390 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/fs/proc/version.c
391 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/fs/proc/version.c
392 @@ -32,3 +32,11 @@ static int __init proc_version_init(void
393 return 0;
394 }
395 module_init(proc_version_init);
396 +
397 +static int __init ccs_show_version(void)
398 +{
399 + printk(KERN_INFO "Hook version: 2.6.32.15+grsecurity-2.1.14-2.6.32.15 "
400 + "2010/08/23\n");
401 + return 0;
402 +}
403 +module_init(ccs_show_version);
404 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/include/linux/init_task.h
405 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/include/linux/init_task.h
406 @@ -122,6 +122,14 @@ extern struct cred init_cred;
407 # define INIT_GR_FS_LOCK
408 #endif
409
410 +#ifdef CONFIG_CCSECURITY
411 +#define INIT_CCSECURITY \
412 + .ccs_domain_info = NULL, \
413 + .ccs_flags = 0,
414 +#else
415 +#define INIT_CCSECURITY
416 +#endif
417 +
418 /*
419 * INIT_TASK is used to set up the first task table, touch at
420 * your own risk!. Base=0, limit=0x1fffff (=2MB)
421 @@ -192,6 +200,7 @@ extern struct cred init_cred;
422 INIT_TRACE_RECURSION \
423 INIT_TASK_RCU_PREEMPT(tsk) \
424 INIT_GR_FS_LOCK \
425 + INIT_CCSECURITY \
426 }
427
428
429 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/include/linux/sched.h
430 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/include/linux/sched.h
431 @@ -43,6 +43,8 @@
432
433 #ifdef __KERNEL__
434
435 +struct ccs_domain_info;
436 +
437 struct sched_param {
438 int sched_priority;
439 };
440 @@ -1566,6 +1568,10 @@ struct task_struct {
441 /* bitmask of trace recursion */
442 unsigned long trace_recursion;
443 #endif /* CONFIG_TRACING */
444 +#ifdef CONFIG_CCSECURITY
445 + struct ccs_domain_info *ccs_domain_info;
446 + u32 ccs_flags;
447 +#endif
448 };
449
450 #define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
451 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/compat.c
452 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/compat.c
453 @@ -27,6 +27,7 @@
454 #include <linux/ptrace.h>
455
456 #include <asm/uaccess.h>
457 +#include <linux/ccsecurity.h>
458
459 /*
460 * Note that the native side is already converted to a timespec, because
461 @@ -926,6 +927,8 @@ asmlinkage long compat_sys_stime(compat_
462 err = security_settime(&tv, NULL);
463 if (err)
464 return err;
465 + if (!ccs_capable(CCS_SYS_SETTIME))
466 + return -EPERM;
467
468 do_settimeofday(&tv);
469 return 0;
470 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/kexec.c
471 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/kexec.c
472 @@ -37,6 +37,7 @@
473 #include <asm/io.h>
474 #include <asm/system.h>
475 #include <asm/sections.h>
476 +#include <linux/ccsecurity.h>
477
478 /* Per cpu memory for storing cpu states in case of system crash. */
479 note_buf_t* crash_notes;
480 @@ -943,6 +944,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon
481 /* We only trust the superuser with rebooting the system. */
482 if (!capable(CAP_SYS_BOOT))
483 return -EPERM;
484 + if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
485 + return -EPERM;
486
487 /*
488 * Verify we have a legal set of flags
489 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/kmod.c
490 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/kmod.c
491 @@ -196,6 +196,11 @@ static int ____call_usermodehelper(void
492 */
493 set_user_nice(current, 0);
494
495 +#ifdef CONFIG_CCSECURITY
496 + current->ccs_domain_info = NULL;
497 + current->ccs_flags = 0;
498 +#endif
499 +
500 retval = kernel_execve(sub_info->path, sub_info->argv, sub_info->envp);
501
502 /* Exec failed? */
503 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/module.c
504 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/module.c
505 @@ -55,6 +55,7 @@
506 #include <linux/async.h>
507 #include <linux/percpu.h>
508 #include <linux/kmemleak.h>
509 +#include <linux/ccsecurity.h>
510
511 #define CREATE_TRACE_POINTS
512 #include <trace/events/module.h>
513 @@ -802,6 +803,8 @@ SYSCALL_DEFINE2(delete_module, const cha
514
515 if (!capable(CAP_SYS_MODULE) || modules_disabled)
516 return -EPERM;
517 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
518 + return -EPERM;
519
520 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
521 return -EFAULT;
522 @@ -2667,6 +2670,8 @@ SYSCALL_DEFINE3(init_module, void __user
523 /* Must have permission */
524 if (!capable(CAP_SYS_MODULE) || modules_disabled)
525 return -EPERM;
526 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
527 + return -EPERM;
528
529 /* Only one module load at a time, please */
530 if (mutex_lock_interruptible(&module_mutex) != 0)
531 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/ptrace.c
532 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/ptrace.c
533 @@ -22,6 +22,7 @@
534 #include <linux/pid_namespace.h>
535 #include <linux/syscalls.h>
536 #include <linux/uaccess.h>
537 +#include <linux/ccsecurity.h>
538
539
540 /*
541 @@ -603,6 +604,8 @@ SYSCALL_DEFINE4(ptrace, long, request, l
542 {
543 struct task_struct *child;
544 long ret;
545 + if (ccs_ptrace_permission(request, pid))
546 + return -EPERM;
547
548 /*
549 * This lock_kernel fixes a subtle race with suid exec
550 @@ -731,6 +734,8 @@ asmlinkage long compat_sys_ptrace(compat
551 {
552 struct task_struct *child;
553 long ret;
554 + if (ccs_ptrace_permission(request, pid))
555 + return -EPERM;
556
557 /*
558 * This lock_kernel fixes a subtle race with suid exec
559 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/sched.c
560 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/sched.c
561 @@ -74,6 +74,7 @@
562
563 #include <asm/tlb.h>
564 #include <asm/irq_regs.h>
565 +#include <linux/ccsecurity.h>
566
567 #include "sched_cpupri.h"
568
569 @@ -6128,6 +6129,8 @@ int can_nice(const struct task_struct *p
570 SYSCALL_DEFINE1(nice, int, increment)
571 {
572 long nice, retval;
573 + if (!ccs_capable(CCS_SYS_NICE))
574 + return -EPERM;
575
576 /*
577 * Setpriority might change our priority at the same moment.
578 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/signal.c
579 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/signal.c
580 @@ -34,6 +34,7 @@
581 #include <asm/unistd.h>
582 #include <asm/siginfo.h>
583 #include "audit.h" /* audit_signal_info() */
584 +#include <linux/ccsecurity.h>
585
586 /*
587 * SLAB caches for signal bits.
588 @@ -2268,6 +2269,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
589 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
590 {
591 struct siginfo info;
592 + if (ccs_kill_permission(pid, sig))
593 + return -EPERM;
594
595 info.si_signo = sig;
596 info.si_errno = 0;
597 @@ -2336,6 +2339,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
598 /* This is only valid for single tasks */
599 if (pid <= 0 || tgid <= 0)
600 return -EINVAL;
601 + if (ccs_tgkill_permission(tgid, pid, sig))
602 + return -EPERM;
603
604 return do_tkill(tgid, pid, sig);
605 }
606 @@ -2348,6 +2353,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
607 /* This is only valid for single tasks */
608 if (pid <= 0)
609 return -EINVAL;
610 + if (ccs_tkill_permission(pid, sig))
611 + return -EPERM;
612
613 return do_tkill(0, pid, sig);
614 }
615 @@ -2365,6 +2372,8 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t,
616 if (info.si_code >= 0)
617 return -EPERM;
618 info.si_signo = sig;
619 + if (ccs_sigqueue_permission(pid, sig))
620 + return -EPERM;
621
622 /* POSIX.1b doesn't mention process groups. */
623 return kill_proc_info(sig, &info, pid);
624 @@ -2381,6 +2390,8 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pi
625 if (info->si_code >= 0)
626 return -EPERM;
627 info->si_signo = sig;
628 + if (ccs_tgsigqueue_permission(tgid, pid, sig))
629 + return -EPERM;
630
631 return do_send_specific(tgid, pid, sig, info);
632 }
633 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/sys.c
634 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/sys.c
635 @@ -45,6 +45,7 @@
636 #include <asm/uaccess.h>
637 #include <asm/io.h>
638 #include <asm/unistd.h>
639 +#include <linux/ccsecurity.h>
640
641 #ifndef SET_UNALIGN_CTL
642 # define SET_UNALIGN_CTL(a,b) (-EINVAL)
643 @@ -161,6 +162,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
644
645 if (which > PRIO_USER || which < PRIO_PROCESS)
646 goto out;
647 + if (!ccs_capable(CCS_SYS_NICE)) {
648 + error = -EPERM;
649 + goto out;
650 + }
651
652 /* normalize: avoid signed division (rounding problems) */
653 error = -ESRCH;
654 @@ -380,6 +385,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
655 magic2 != LINUX_REBOOT_MAGIC2B &&
656 magic2 != LINUX_REBOOT_MAGIC2C))
657 return -EINVAL;
658 + if (!ccs_capable(CCS_SYS_REBOOT))
659 + return -EPERM;
660
661 /* Instead of trying to make the power_off code look like
662 * halt when pm_power_off is not set do it the easy way.
663 @@ -1171,6 +1178,8 @@ SYSCALL_DEFINE2(sethostname, char __user
664 return -EPERM;
665 if (len < 0 || len > __NEW_UTS_LEN)
666 return -EINVAL;
667 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
668 + return -EPERM;
669 down_write(&uts_sem);
670 errno = -EFAULT;
671 if (!copy_from_user(tmp, name, len)) {
672 @@ -1220,6 +1229,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
673 return -EPERM;
674 if (len < 0 || len > __NEW_UTS_LEN)
675 return -EINVAL;
676 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
677 + return -EPERM;
678
679 down_write(&uts_sem);
680 errno = -EFAULT;
681 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/sysctl.c
682 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/sysctl.c
683 @@ -53,6 +53,7 @@
684
685 #include <asm/uaccess.h>
686 #include <asm/processor.h>
687 +#include <linux/ccsecurity.h>
688
689 #ifdef CONFIG_X86
690 #include <asm/nmi.h>
691 @@ -1896,6 +1897,9 @@ int do_sysctl(int __user *name, int nlen
692
693 for (head = sysctl_head_next(NULL); head;
694 head = sysctl_head_next(head)) {
695 + error = ccs_parse_table(name, nlen, oldval, newval,
696 + head->ctl_table);
697 + if (!error)
698 error = parse_table(name, nlen, oldval, oldlenp,
699 newval, newlen,
700 head->root, head->ctl_table);
701 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/time.c
702 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/time.c
703 @@ -41,6 +41,7 @@
704
705 #include <asm/uaccess.h>
706 #include <asm/unistd.h>
707 +#include <linux/ccsecurity.h>
708
709 #include "timeconst.h"
710
711 @@ -92,6 +93,8 @@ SYSCALL_DEFINE1(stime, time_t __user *,
712 err = security_settime(&tv, NULL);
713 if (err)
714 return err;
715 + if (!ccs_capable(CCS_SYS_SETTIME))
716 + return -EPERM;
717
718 do_settimeofday(&tv);
719
720 @@ -166,6 +169,8 @@ int do_sys_settimeofday(struct timespec
721 error = security_settime(tv, tz);
722 if (error)
723 return error;
724 + if (!ccs_capable(CCS_SYS_SETTIME))
725 + return -EPERM;
726
727 if (tz) {
728 /* SMP safe, global irq locking makes it work. */
729 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/kernel/time/ntp.c
730 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/kernel/time/ntp.c
731 @@ -14,6 +14,7 @@
732 #include <linux/timex.h>
733 #include <linux/time.h>
734 #include <linux/mm.h>
735 +#include <linux/ccsecurity.h>
736
737 /*
738 * NTP timekeeping variables:
739 @@ -456,10 +457,15 @@ int do_adjtimex(struct timex *txc)
740 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
741 !capable(CAP_SYS_TIME))
742 return -EPERM;
743 + if (!(txc->modes & ADJ_OFFSET_READONLY) &&
744 + !ccs_capable(CCS_SYS_SETTIME))
745 + return -EPERM;
746 } else {
747 /* In order to modify anything, you gotta be super-user! */
748 if (txc->modes && !capable(CAP_SYS_TIME))
749 return -EPERM;
750 + if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
751 + return -EPERM;
752
753 /*
754 * if the quartz is off by more than 10% then
755 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv4/inet_connection_sock.c
756 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv4/inet_connection_sock.c
757 @@ -23,6 +23,7 @@
758 #include <net/route.h>
759 #include <net/tcp_states.h>
760 #include <net/xfrm.h>
761 +#include <linux/ccsecurity.h>
762
763 #ifdef INET_CSK_DEBUG
764 const char inet_csk_timer_bug_msg[] = "inet_csk BUG: unknown timer value\n";
765 @@ -111,6 +112,8 @@ again:
766 head = &hashinfo->bhash[inet_bhashfn(net, rover,
767 hashinfo->bhash_size)];
768 spin_lock(&head->lock);
769 + if (ccs_lport_reserved(rover))
770 + goto next;
771 inet_bind_bucket_for_each(tb, node, &head->chain)
772 if (ib_net(tb) == net && tb->port == rover) {
773 if (tb->fastreuse > 0 &&
774 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv4/inet_hashtables.c
775 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv4/inet_hashtables.c
776 @@ -23,6 +23,7 @@
777 #include <net/inet_connection_sock.h>
778 #include <net/inet_hashtables.h>
779 #include <net/ip.h>
780 +#include <linux/ccsecurity.h>
781
782 extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
783
784 @@ -446,6 +447,8 @@ int __inet_hash_connect(struct inet_time
785 local_bh_disable();
786 for (i = 1; i <= remaining; i++) {
787 port = low + (i + offset) % remaining;
788 + if (ccs_lport_reserved(port))
789 + continue;
790 head = &hinfo->bhash[inet_bhashfn(net, port,
791 hinfo->bhash_size)];
792 spin_lock(&head->lock);
793 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv4/raw.c
794 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv4/raw.c
795 @@ -77,6 +77,7 @@
796 #include <linux/seq_file.h>
797 #include <linux/netfilter.h>
798 #include <linux/netfilter_ipv4.h>
799 +#include <linux/ccsecurity.h>
800
801 static struct raw_hashinfo raw_v4_hashinfo = {
802 .lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
803 @@ -678,9 +679,14 @@ static int raw_recvmsg(struct kiocb *ioc
804 goto out;
805 }
806
807 - skb = skb_recv_datagram(sk, flags, noblock, &err);
808 - if (!skb)
809 - goto out;
810 + for (;;) {
811 + skb = skb_recv_datagram(sk, flags, noblock, &err);
812 + if (!skb)
813 + goto out;
814 + if (!ccs_socket_post_recvmsg_permission(sk, skb))
815 + break;
816 + skb_kill_datagram(sk, skb, flags);
817 + }
818
819 copied = skb->len;
820 if (len < copied) {
821 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv4/udp.c
822 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv4/udp.c
823 @@ -106,6 +106,7 @@
824 #include <net/checksum.h>
825 #include <net/xfrm.h>
826 #include "udp_impl.h"
827 +#include <linux/ccsecurity.h>
828
829 #ifdef CONFIG_GRKERNSEC_BLACKHOLE
830 extern int grsec_enable_blackhole;
831 @@ -201,7 +202,8 @@ int udp_lib_get_port(struct sock *sk, un
832 */
833 do {
834 if (low <= snum && snum <= high &&
835 - !test_bit(snum / UDP_HTABLE_SIZE, bitmap))
836 + !test_bit(snum / UDP_HTABLE_SIZE, bitmap)
837 + && !ccs_lport_reserved(snum))
838 goto found;
839 snum += rand;
840 } while (snum != first);
841 @@ -946,6 +948,7 @@ int udp_recvmsg(struct kiocb *iocb, stru
842 int peeked;
843 int err;
844 int is_udplite = IS_UDPLITE(sk);
845 + _Bool update_stat;
846
847 /*
848 * Check any passed addresses
849 @@ -961,6 +964,11 @@ try_again:
850 &peeked, &err);
851 if (!skb)
852 goto out;
853 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
854 + update_stat = 0;
855 + goto csum_copy_err;
856 + }
857 + update_stat = 1;
858
859 err = gr_search_udp_recvmsg(sk, skb);
860 if (err)
861 @@ -1026,7 +1034,7 @@ out:
862
863 csum_copy_err:
864 lock_sock(sk);
865 - if (!skb_kill_datagram(sk, skb, flags))
866 + if (!skb_kill_datagram(sk, skb, flags) && update_stat)
867 UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
868 release_sock(sk);
869
870 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv6/raw.c
871 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv6/raw.c
872 @@ -59,6 +59,7 @@
873
874 #include <linux/proc_fs.h>
875 #include <linux/seq_file.h>
876 +#include <linux/ccsecurity.h>
877
878 static struct raw_hashinfo raw_v6_hashinfo = {
879 .lock = __RW_LOCK_UNLOCKED(raw_v6_hashinfo.lock),
880 @@ -462,9 +463,14 @@ static int rawv6_recvmsg(struct kiocb *i
881 if (flags & MSG_ERRQUEUE)
882 return ipv6_recv_error(sk, msg, len);
883
884 - skb = skb_recv_datagram(sk, flags, noblock, &err);
885 - if (!skb)
886 - goto out;
887 + for (;;) {
888 + skb = skb_recv_datagram(sk, flags, noblock, &err);
889 + if (!skb)
890 + goto out;
891 + if (!ccs_socket_post_recvmsg_permission(sk, skb))
892 + break;
893 + skb_kill_datagram(sk, skb, flags);
894 + }
895
896 copied = skb->len;
897 if (copied > len) {
898 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/ipv6/udp.c
899 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/ipv6/udp.c
900 @@ -48,6 +48,7 @@
901 #include <linux/proc_fs.h>
902 #include <linux/seq_file.h>
903 #include "udp_impl.h"
904 +#include <linux/ccsecurity.h>
905
906 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
907 {
908 @@ -199,6 +200,7 @@ int udpv6_recvmsg(struct kiocb *iocb, st
909 int err;
910 int is_udplite = IS_UDPLITE(sk);
911 int is_udp4;
912 + _Bool update_stat;
913
914 if (addr_len)
915 *addr_len=sizeof(struct sockaddr_in6);
916 @@ -211,6 +213,11 @@ try_again:
917 &peeked, &err);
918 if (!skb)
919 goto out;
920 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
921 + update_stat = 0;
922 + goto csum_copy_err;
923 + }
924 + update_stat = 1;
925
926 ulen = skb->len - sizeof(struct udphdr);
927 copied = len;
928 @@ -294,7 +301,7 @@ out:
929
930 csum_copy_err:
931 lock_sock(sk);
932 - if (!skb_kill_datagram(sk, skb, flags)) {
933 + if (!skb_kill_datagram(sk, skb, flags) && update_stat) {
934 if (is_udp4)
935 UDP_INC_STATS_USER(sock_net(sk),
936 UDP_MIB_INERRORS, is_udplite);
937 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/socket.c
938 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/socket.c
939 @@ -113,6 +113,8 @@ extern int gr_search_accept(struct socke
940 extern int gr_search_socket(const int domain, const int type,
941 const int protocol);
942
943 +#include <linux/ccsecurity.h>
944 +
945 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
946 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
947 unsigned long nr_segs, loff_t pos);
948 @@ -583,6 +585,8 @@ static inline int __sock_sendmsg(struct
949 si->size = size;
950
951 err = security_socket_sendmsg(sock, msg, size);
952 + if (!err)
953 + err = ccs_socket_sendmsg_permission(sock, msg, size);
954 if (err)
955 return err;
956
957 @@ -1187,6 +1191,8 @@ static int __sock_create(struct net *net
958 }
959
960 err = security_socket_create(family, type, protocol, kern);
961 + if (!err)
962 + err = ccs_socket_create_permission(family, type, protocol);
963 if (err)
964 return err;
965
966 @@ -1453,6 +1459,11 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
967 (struct sockaddr *)&address,
968 addrlen);
969 if (!err)
970 + err = ccs_socket_bind_permission(sock,
971 + (struct sockaddr *)
972 + &address,
973 + addrlen);
974 + if (!err)
975 err = sock->ops->bind(sock,
976 (struct sockaddr *)
977 &address, addrlen);
978 @@ -1492,6 +1503,8 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
979
980 err = security_socket_listen(sock, backlog);
981 if (!err)
982 + err = ccs_socket_listen_permission(sock);
983 + if (!err)
984 err = sock->ops->listen(sock, backlog);
985
986 error:
987 @@ -1530,6 +1543,7 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
988 if (!sock)
989 goto out;
990
991 +retry:
992 err = -ENFILE;
993 if (!(newsock = sock_alloc()))
994 goto out_put;
995 @@ -1574,6 +1588,11 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
996 if (err < 0)
997 goto out_fd;
998
999 + if (ccs_socket_post_accept_permission(sock, newsock)) {
1000 + fput(newfile);
1001 + put_unused_fd(newfd);
1002 + goto retry;
1003 + }
1004 if (upeer_sockaddr) {
1005 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
1006 &len, 2) < 0) {
1007 @@ -1654,6 +1673,9 @@ SYSCALL_DEFINE3(connect, int, fd, struct
1008
1009 err =
1010 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
1011 + if (!err)
1012 + err = ccs_socket_connect_permission(sock, (struct sockaddr *)
1013 + &address, addrlen);
1014 if (err)
1015 goto out_put;
1016
1017 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/net/unix/af_unix.c
1018 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/net/unix/af_unix.c
1019 @@ -114,6 +114,7 @@
1020 #include <linux/mount.h>
1021 #include <net/checksum.h>
1022 #include <linux/security.h>
1023 +#include <linux/ccsecurity.h>
1024
1025 static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
1026 static DEFINE_SPINLOCK(unix_table_lock);
1027 @@ -850,6 +851,10 @@ static int unix_bind(struct socket *sock
1028 if (err)
1029 goto out_mknod_dput;
1030 err = security_path_mknod(&nd.path, dentry, mode, 0);
1031 + if (!err)
1032 + err = ccs_mknod_permission(nd.path.dentry->d_inode,
1033 + dentry, nd.path.mnt, mode,
1034 + 0);
1035 if (err)
1036 goto out_mknod_drop_write;
1037 if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
1038 @@ -1685,6 +1690,7 @@ static int unix_dgram_recvmsg(struct kio
1039
1040 mutex_lock(&u->readlock);
1041
1042 +retry:
1043 skb = skb_recv_datagram(sk, flags, noblock, &err);
1044 if (!skb) {
1045 unix_state_lock(sk);
1046 @@ -1698,6 +1704,10 @@ static int unix_dgram_recvmsg(struct kio
1047
1048 wake_up_interruptible_sync(&u->peer_wait);
1049
1050 + if (ccs_socket_post_recvmsg_permission(sk, skb)) {
1051 + skb_kill_datagram(sk, skb, flags);
1052 + goto retry;
1053 + }
1054 if (msg->msg_name)
1055 unix_copy_addr(msg, skb->sk);
1056
1057 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/security/Kconfig
1058 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/security/Kconfig
1059 @@ -658,5 +658,7 @@ source security/tomoyo/Kconfig
1060
1061 source security/integrity/ima/Kconfig
1062
1063 +source security/ccsecurity/Kconfig
1064 +
1065 endmenu
1066
1067 --- linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506.orig/security/Makefile
1068 +++ linux-2.6.32.15+grsecurity-2.1.14-2.6.32.15-201006011506/security/Makefile
1069 @@ -25,3 +25,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
1070 # Object integrity file lists
1071 subdir-$(CONFIG_IMA) += integrity/ima
1072 obj-$(CONFIG_IMA) += integrity/ima/built-in.o
1073 +
1074 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
1075 +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ