
Diff of /trunk/caitsith-patch/patches/ccs-patch-3.10-centos-7.diff


revision 137 by kumaneko, Mon Jan 12 13:02:37 2015 UTC revision 139 by kumaneko, Mon Apr 6 06:08:47 2015 UTC
# Line 1  Line 1 
1  This is TOMOYO Linux patch for CentOS 7.  This is TOMOYO Linux patch for CentOS 7.
2    
3  Source code for this patch is http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-123.13.2.el7.src.rpm  Source code for this patch is http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-229.1.2.el7.src.rpm
4  ---  ---
5   fs/exec.c                 |    2   fs/exec.c                 |    2
6   fs/open.c                 |    2   fs/open.c                 |    2
7   fs/proc/version.c         |    7 +++   fs/proc/version.c         |    7 ++
8   include/linux/init_task.h |    9 +++   include/linux/init_task.h |    9 +++
9   include/linux/sched.h     |    6 ++   include/linux/sched.h     |    6 ++
10   include/linux/security.h  |   55 +++++++++++++----------   include/linux/security.h  |   65 ++++++++++++++++----------
11   include/net/ip.h          |    2   include/net/ip.h          |    2
12   kernel/fork.c             |    5 ++   kernel/fork.c             |    5 ++
13   kernel/kexec.c            |    2   kernel/kexec.c            |    2
# Line 25  Source code for this patch is http://vau Line 25  Source code for this patch is http://vau
25   net/unix/af_unix.c        |    4 +   net/unix/af_unix.c        |    4 +
26   security/Kconfig          |    2   security/Kconfig          |    2
27   security/Makefile         |    3 +   security/Makefile         |    3 +
28   security/security.c       |  107 ++++++++++++++++++++++++++++++++++++++++------   security/security.c       |  111 +++++++++++++++++++++++++++++++++++++++++-----
29   24 files changed, 234 insertions(+), 37 deletions(-)   24 files changed, 248 insertions(+), 37 deletions(-)
30    
31  --- linux-3.10.0-123.13.2.el7.orig/fs/exec.c  --- linux-3.10.0-229.1.2.el7.orig/fs/exec.c
32  +++ linux-3.10.0-123.13.2.el7/fs/exec.c  +++ linux-3.10.0-229.1.2.el7/fs/exec.c
33  @@ -1536,7 +1536,7 @@ static int do_execve_common(const char *  @@ -1537,7 +1537,7 @@ static int do_execve_common(const char *
34          if (retval < 0)          if (retval < 0)
35                  goto out;                  goto out;
36    
# Line 39  Source code for this patch is http://vau Line 39  Source code for this patch is http://vau
39          if (retval < 0)          if (retval < 0)
40                  goto out;                  goto out;
41    
42  --- linux-3.10.0-123.13.2.el7.orig/fs/open.c  --- linux-3.10.0-229.1.2.el7.orig/fs/open.c
43  +++ linux-3.10.0-123.13.2.el7/fs/open.c  +++ linux-3.10.0-229.1.2.el7/fs/open.c
44  @@ -1064,6 +1064,8 @@ EXPORT_SYMBOL(sys_close);  @@ -1104,6 +1104,8 @@ EXPORT_SYMBOL(sys_close);
45    */    */
46   SYSCALL_DEFINE0(vhangup)   SYSCALL_DEFINE0(vhangup)
47   {   {
# Line 50  Source code for this patch is http://vau Line 50  Source code for this patch is http://vau
50          if (capable(CAP_SYS_TTY_CONFIG)) {          if (capable(CAP_SYS_TTY_CONFIG)) {
51                  tty_vhangup_self();                  tty_vhangup_self();
52                  return 0;                  return 0;
53  --- linux-3.10.0-123.13.2.el7.orig/fs/proc/version.c  --- linux-3.10.0-229.1.2.el7.orig/fs/proc/version.c
54  +++ linux-3.10.0-123.13.2.el7/fs/proc/version.c  +++ linux-3.10.0-229.1.2.el7/fs/proc/version.c
55  @@ -32,3 +32,10 @@ static int __init proc_version_init(void  @@ -32,3 +32,10 @@ static int __init proc_version_init(void
56          return 0;          return 0;
57   }   }
# Line 59  Source code for this patch is http://vau Line 59  Source code for this patch is http://vau
59  +  +
60  +static int __init ccs_show_version(void)  +static int __init ccs_show_version(void)
61  +{  +{
62  +       printk(KERN_INFO "Hook version: 3.10.0-123.13.2.el7 2015/01/04\n");  +       printk(KERN_INFO "Hook version: 3.10.0-229.1.2.el7 2015/04/01\n");
63  +       return 0;  +       return 0;
64  +}  +}
65  +module_init(ccs_show_version);  +module_init(ccs_show_version);
66  --- linux-3.10.0-123.13.2.el7.orig/include/linux/init_task.h  --- linux-3.10.0-229.1.2.el7.orig/include/linux/init_task.h
67  +++ linux-3.10.0-123.13.2.el7/include/linux/init_task.h  +++ linux-3.10.0-229.1.2.el7/include/linux/init_task.h
68  @@ -155,6 +155,14 @@ extern struct task_group root_task_group  @@ -155,6 +155,14 @@ extern struct task_group root_task_group
69    
70   #define INIT_TASK_COMM "swapper"   #define INIT_TASK_COMM "swapper"
# Line 88  Source code for this patch is http://vau Line 88  Source code for this patch is http://vau
88   }   }
89    
90    
91  --- linux-3.10.0-123.13.2.el7.orig/include/linux/sched.h  --- linux-3.10.0-229.1.2.el7.orig/include/linux/sched.h
92  +++ linux-3.10.0-123.13.2.el7/include/linux/sched.h  +++ linux-3.10.0-229.1.2.el7/include/linux/sched.h
93  @@ -4,6 +4,8 @@  @@ -4,6 +4,8 @@
94   #include <uapi/linux/sched.h>   #include <uapi/linux/sched.h>
95     #include <linux/rh_kabi.h>
96    
97  +struct ccs_domain_info;  +struct ccs_domain_info;
98  +  +
99   struct sched_param {   struct sched_param {
100          int sched_priority;          int sched_priority;
101   };   };
102  @@ -1502,6 +1504,10 @@ struct task_struct {  @@ -1555,6 +1557,10 @@ struct task_struct {
103          unsigned long rh_reserved6;          RH_KABI_RESERVE(6)
104          unsigned long rh_reserved7;          RH_KABI_RESERVE(7)
105          unsigned long rh_reserved8;          RH_KABI_RESERVE(8)
106  +#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)  +#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
107  +       struct ccs_domain_info *ccs_domain_info;  +       struct ccs_domain_info *ccs_domain_info;
108  +       u32 ccs_flags;  +       u32 ccs_flags;
# Line 110  Source code for this patch is http://vau Line 110  Source code for this patch is http://vau
110   };   };
111    
112   /* Future-safe accessor for struct task_struct's cpus_allowed. */   /* Future-safe accessor for struct task_struct's cpus_allowed. */
113  --- linux-3.10.0-123.13.2.el7.orig/include/linux/security.h  --- linux-3.10.0-229.1.2.el7.orig/include/linux/security.h
114  +++ linux-3.10.0-123.13.2.el7/include/linux/security.h  +++ linux-3.10.0-229.1.2.el7/include/linux/security.h
115  @@ -53,6 +53,7 @@ struct msg_queue;  @@ -53,6 +53,7 @@ struct msg_queue;
116   struct xattr;   struct xattr;
117   struct xfrm_sec_ctx;   struct xfrm_sec_ctx;
# Line 120  Source code for this patch is http://vau Line 120  Source code for this patch is http://vau
120    
121   /* Maximum number of letters for an LSM name string */   /* Maximum number of letters for an LSM name string */
122   #define SECURITY_NAME_MAX      10   #define SECURITY_NAME_MAX      10
123  @@ -1961,7 +1962,10 @@ static inline int security_syslog(int ty  @@ -1962,7 +1963,10 @@ static inline int security_syslog(int ty
124   static inline int security_settime(const struct timespec *ts,   static inline int security_settime(const struct timespec *ts,
125                                     const struct timezone *tz)                                     const struct timezone *tz)
126   {   {
# Line 132  Source code for this patch is http://vau Line 132  Source code for this patch is http://vau
132   }   }
133    
134   static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)   static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
135  @@ -2030,18 +2034,18 @@ static inline int security_sb_mount(cons  @@ -2031,18 +2035,18 @@ static inline int security_sb_mount(cons
136                                      const char *type, unsigned long flags,                                      const char *type, unsigned long flags,
137                                      void *data)                                      void *data)
138   {   {
# Line 154  Source code for this patch is http://vau Line 154  Source code for this patch is http://vau
154   }   }
155    
156   static inline int security_sb_set_mnt_opts(struct super_block *sb,   static inline int security_sb_set_mnt_opts(struct super_block *sb,
157  @@ -2179,7 +2183,7 @@ static inline int security_inode_setattr  @@ -2181,7 +2185,7 @@ static inline int security_inode_setattr
158   static inline int security_inode_getattr(struct vfsmount *mnt,   static inline int security_inode_getattr(struct vfsmount *mnt,
159                                            struct dentry *dentry)                                            struct dentry *dentry)
160   {   {
# Line 163  Source code for this patch is http://vau Line 163  Source code for this patch is http://vau
163   }   }
164    
165   static inline int security_inode_setxattr(struct dentry *dentry,   static inline int security_inode_setxattr(struct dentry *dentry,
166  @@ -2255,7 +2259,7 @@ static inline void security_file_free(st  @@ -2257,7 +2261,7 @@ static inline void security_file_free(st
167   static inline int security_file_ioctl(struct file *file, unsigned int cmd,   static inline int security_file_ioctl(struct file *file, unsigned int cmd,
168                                        unsigned long arg)                                        unsigned long arg)
169   {   {
# Line 172  Source code for this patch is http://vau Line 172  Source code for this patch is http://vau
172   }   }
173    
174   static inline int security_mmap_file(struct file *file, unsigned long prot,   static inline int security_mmap_file(struct file *file, unsigned long prot,
175  @@ -2284,7 +2288,7 @@ static inline int security_file_lock(str  @@ -2286,7 +2290,7 @@ static inline int security_file_lock(str
176   static inline int security_file_fcntl(struct file *file, unsigned int cmd,   static inline int security_file_fcntl(struct file *file, unsigned int cmd,
177                                        unsigned long arg)                                        unsigned long arg)
178   {   {
# Line 181  Source code for this patch is http://vau Line 181  Source code for this patch is http://vau
181   }   }
182    
183   static inline int security_file_set_fowner(struct file *file)   static inline int security_file_set_fowner(struct file *file)
184  @@ -2307,7 +2311,7 @@ static inline int security_file_receive(  @@ -2309,7 +2313,7 @@ static inline int security_file_receive(
185   static inline int security_file_open(struct file *file,   static inline int security_file_open(struct file *file,
186                                       const struct cred *cred)                                       const struct cred *cred)
187   {   {
# Line 190  Source code for this patch is http://vau Line 190  Source code for this patch is http://vau
190   }   }
191    
192   static inline int security_task_create(unsigned long clone_flags)   static inline int security_task_create(unsigned long clone_flags)
193  @@ -2665,7 +2669,7 @@ static inline int security_unix_may_send  @@ -2667,7 +2671,7 @@ static inline int security_unix_may_send
194   static inline int security_socket_create(int family, int type,   static inline int security_socket_create(int family, int type,
195                                           int protocol, int kern)                                           int protocol, int kern)
196   {   {
# Line 199  Source code for this patch is http://vau Line 199  Source code for this patch is http://vau
199   }   }
200    
201   static inline int security_socket_post_create(struct socket *sock,   static inline int security_socket_post_create(struct socket *sock,
202  @@ -2680,19 +2684,19 @@ static inline int security_socket_bind(s  @@ -2682,19 +2686,19 @@ static inline int security_socket_bind(s
203                                         struct sockaddr *address,                                         struct sockaddr *address,
204                                         int addrlen)                                         int addrlen)
205   {   {
# Line 222  Source code for this patch is http://vau Line 222  Source code for this patch is http://vau
222   }   }
223    
224   static inline int security_socket_accept(struct socket *sock,   static inline int security_socket_accept(struct socket *sock,
225  @@ -2704,7 +2708,7 @@ static inline int security_socket_accept  @@ -2706,7 +2710,7 @@ static inline int security_socket_accept
226   static inline int security_socket_sendmsg(struct socket *sock,   static inline int security_socket_sendmsg(struct socket *sock,
227                                            struct msghdr *msg, int size)                                            struct msghdr *msg, int size)
228   {   {
# Line 231  Source code for this patch is http://vau Line 231  Source code for this patch is http://vau
231   }   }
232    
233   static inline int security_socket_recvmsg(struct socket *sock,   static inline int security_socket_recvmsg(struct socket *sock,
234  @@ -2945,44 +2949,47 @@ int security_path_chmod(struct path *pat  @@ -2948,44 +2952,47 @@ int security_path_chmod(struct path *pat
235   int security_path_chown(struct path *path, kuid_t uid, kgid_t gid);   int security_path_chown(struct path *path, kuid_t uid, kgid_t gid);
236   int security_path_chroot(struct path *path);   int security_path_chroot(struct path *path);
237   #else  /* CONFIG_SECURITY_PATH */   #else  /* CONFIG_SECURITY_PATH */
# Line 286  Source code for this patch is http://vau Line 286  Source code for this patch is http://vau
286   }   }
287    
288   static inline int security_path_rename(struct path *old_dir,   static inline int security_path_rename(struct path *old_dir,
289  @@ -2990,22 +2997,22 @@ static inline int security_path_rename(s  @@ -2994,22 +3001,32 @@ static inline int security_path_rename(s
290                                         struct path *new_dir,                                         struct dentry *new_dentry,
291                                         struct dentry *new_dentry)                                         unsigned int flags)
292   {   {
293  -       return 0;  -       return 0;
294    +       /*
295    +        * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
296    +        * by doing "#include <uapi/linux/fs.h>" .
297    +        */
298    +       if (flags & (1 << 1)) {
299    +               int err = ccs_rename_permission(new_dentry, old_dentry,
300    +                                               old_dir->mnt);
301    +               if (err)
302    +                       return err;
303    +       }
304  +       return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);  +       return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
305   }   }
306    
# Line 313  Source code for this patch is http://vau Line 323  Source code for this patch is http://vau
323   }   }
324   #endif /* CONFIG_SECURITY_PATH */   #endif /* CONFIG_SECURITY_PATH */
325    
326  --- linux-3.10.0-123.13.2.el7.orig/include/net/ip.h  --- linux-3.10.0-229.1.2.el7.orig/include/net/ip.h
327  +++ linux-3.10.0-123.13.2.el7/include/net/ip.h  +++ linux-3.10.0-229.1.2.el7/include/net/ip.h
328  @@ -229,6 +229,8 @@ extern void inet_get_local_port_range(in  @@ -229,6 +229,8 @@ extern void inet_get_local_port_range(in
329   extern unsigned long *sysctl_local_reserved_ports;   extern unsigned long *sysctl_local_reserved_ports;
330   static inline int inet_is_reserved_local_port(int port)   static inline int inet_is_reserved_local_port(int port)
# Line 324  Source code for this patch is http://vau Line 334  Source code for this patch is http://vau
334          return test_bit(port, sysctl_local_reserved_ports);          return test_bit(port, sysctl_local_reserved_ports);
335   }   }
336    
337  --- linux-3.10.0-123.13.2.el7.orig/kernel/fork.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/fork.c
338  +++ linux-3.10.0-123.13.2.el7/kernel/fork.c  +++ linux-3.10.0-229.1.2.el7/kernel/fork.c
339  @@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc  @@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc
340          delayacct_tsk_free(tsk);          delayacct_tsk_free(tsk);
341          put_signal_struct(tsk->signal);          put_signal_struct(tsk->signal);
# Line 334  Source code for this patch is http://vau Line 344  Source code for this patch is http://vau
344          if (!profile_handoff_task(tsk))          if (!profile_handoff_task(tsk))
345                  free_task(tsk);                  free_task(tsk);
346   }   }
347  @@ -1328,6 +1329,9 @@ static struct task_struct *copy_process(  @@ -1334,6 +1335,9 @@ static struct task_struct *copy_process(
348          retval = audit_alloc(p);          retval = audit_alloc(p);
349          if (retval)          if (retval)
350                  goto bad_fork_cleanup_policy;                  goto bad_fork_cleanup_policy;
# Line 344  Source code for this patch is http://vau Line 354  Source code for this patch is http://vau
354          /* copy all the process information */          /* copy all the process information */
355          retval = copy_semundo(clone_flags, p);          retval = copy_semundo(clone_flags, p);
356          if (retval)          if (retval)
357  @@ -1526,6 +1530,7 @@ bad_fork_cleanup_semundo:  @@ -1532,6 +1536,7 @@ bad_fork_cleanup_semundo:
358          exit_sem(p);          exit_sem(p);
359   bad_fork_cleanup_audit:   bad_fork_cleanup_audit:
360          audit_free(p);          audit_free(p);
# Line 352  Source code for this patch is http://vau Line 362  Source code for this patch is http://vau
362   bad_fork_cleanup_policy:   bad_fork_cleanup_policy:
363          perf_event_free_task(p);          perf_event_free_task(p);
364   #ifdef CONFIG_NUMA   #ifdef CONFIG_NUMA
365  --- linux-3.10.0-123.13.2.el7.orig/kernel/kexec.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/kexec.c
366  +++ linux-3.10.0-123.13.2.el7/kernel/kexec.c  +++ linux-3.10.0-229.1.2.el7/kernel/kexec.c
367  @@ -943,6 +943,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon  @@ -1250,6 +1250,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon
368          /* We only trust the superuser with rebooting the system. */          /* We only trust the superuser with rebooting the system. */
369          if (!capable(CAP_SYS_BOOT))          if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
370                  return -EPERM;                  return -EPERM;
371  +       if (!ccs_capable(CCS_SYS_KEXEC_LOAD))  +       if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
372  +               return -EPERM;  +               return -EPERM;
373    
374          if (get_securelevel() > 0)          if (get_securelevel() > 0)
375                  return -EPERM;                  return -EPERM;
376  --- linux-3.10.0-123.13.2.el7.orig/kernel/module.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/module.c
377  +++ linux-3.10.0-123.13.2.el7/kernel/module.c  +++ linux-3.10.0-229.1.2.el7/kernel/module.c
378  @@ -63,6 +63,7 @@  @@ -62,6 +62,7 @@
379   #include <linux/fips.h>   #include <linux/bsearch.h>
380   #include <uapi/linux/module.h>   #include <uapi/linux/module.h>
381   #include "module-internal.h"   #include "module-internal.h"
382  +#include <linux/ccsecurity.h>  +#include <linux/ccsecurity.h>
383    
384   #define CREATE_TRACE_POINTS   #define CREATE_TRACE_POINTS
385   #include <trace/events/module.h>   #include <trace/events/module.h>
386  @@ -829,6 +830,8 @@ SYSCALL_DEFINE2(delete_module, const cha  @@ -911,6 +912,8 @@ SYSCALL_DEFINE2(delete_module, const cha
387    
388          if (!capable(CAP_SYS_MODULE) || modules_disabled)          if (!capable(CAP_SYS_MODULE) || modules_disabled)
389                  return -EPERM;                  return -EPERM;
# Line 382  Source code for this patch is http://vau Line 392  Source code for this patch is http://vau
392    
393          if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)          if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
394                  return -EFAULT;                  return -EFAULT;
395  @@ -3145,6 +3148,8 @@ static int may_init_module(void)  @@ -3234,6 +3237,8 @@ static int may_init_module(void)
396   {   {
397          if (!capable(CAP_SYS_MODULE) || modules_disabled)          if (!capable(CAP_SYS_MODULE) || modules_disabled)
398                  return -EPERM;                  return -EPERM;
# Line 391  Source code for this patch is http://vau Line 401  Source code for this patch is http://vau
401    
402          return 0;          return 0;
403   }   }
404  --- linux-3.10.0-123.13.2.el7.orig/kernel/ptrace.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/ptrace.c
405  +++ linux-3.10.0-123.13.2.el7/kernel/ptrace.c  +++ linux-3.10.0-229.1.2.el7/kernel/ptrace.c
406  @@ -998,6 +998,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l  @@ -998,6 +998,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
407   {   {
408          struct task_struct *child;          struct task_struct *child;
# Line 417  Source code for this patch is http://vau Line 427  Source code for this patch is http://vau
427    
428          if (request == PTRACE_TRACEME) {          if (request == PTRACE_TRACEME) {
429                  ret = ptrace_traceme();                  ret = ptrace_traceme();
430  --- linux-3.10.0-123.13.2.el7.orig/kernel/sched/core.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/sched/core.c
431  +++ linux-3.10.0-123.13.2.el7/kernel/sched/core.c  +++ linux-3.10.0-229.1.2.el7/kernel/sched/core.c
432  @@ -3886,6 +3886,8 @@ int can_nice(const struct task_struct *p  @@ -3917,6 +3917,8 @@ int can_nice(const struct task_struct *p
433   SYSCALL_DEFINE1(nice, int, increment)   SYSCALL_DEFINE1(nice, int, increment)
434   {   {
435          long nice, retval;          long nice, retval;
# Line 428  Source code for this patch is http://vau Line 438  Source code for this patch is http://vau
438    
439          /*          /*
440           * Setpriority might change our priority at the same moment.           * Setpriority might change our priority at the same moment.
441  --- linux-3.10.0-123.13.2.el7.orig/kernel/signal.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/signal.c
442  +++ linux-3.10.0-123.13.2.el7/kernel/signal.c  +++ linux-3.10.0-229.1.2.el7/kernel/signal.c
443  @@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s  @@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
444   SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)   SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
445   {   {
# Line 475  Source code for this patch is http://vau Line 485  Source code for this patch is http://vau
485    
486          return do_send_specific(tgid, pid, sig, info);          return do_send_specific(tgid, pid, sig, info);
487   }   }
488  --- linux-3.10.0-123.13.2.el7.orig/kernel/sys.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/sys.c
489  +++ linux-3.10.0-123.13.2.el7/kernel/sys.c  +++ linux-3.10.0-229.1.2.el7/kernel/sys.c
490  @@ -186,6 +186,10 @@ SYSCALL_DEFINE3(setpriority, int, which,  @@ -186,6 +186,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
491    
492          if (which > PRIO_USER || which < PRIO_PROCESS)          if (which > PRIO_USER || which < PRIO_PROCESS)
# Line 497  Source code for this patch is http://vau Line 507  Source code for this patch is http://vau
507    
508          /*          /*
509           * If pid namespaces are enabled and the current task is in a child           * If pid namespaces are enabled and the current task is in a child
510  @@ -1467,6 +1473,8 @@ SYSCALL_DEFINE2(sethostname, char __user  @@ -1465,6 +1471,8 @@ SYSCALL_DEFINE2(sethostname, char __user
511    
512          if (len < 0 || len > __NEW_UTS_LEN)          if (len < 0 || len > __NEW_UTS_LEN)
513                  return -EINVAL;                  return -EINVAL;
# Line 506  Source code for this patch is http://vau Line 516  Source code for this patch is http://vau
516          down_write(&uts_sem);          down_write(&uts_sem);
517          errno = -EFAULT;          errno = -EFAULT;
518          if (!copy_from_user(tmp, name, len)) {          if (!copy_from_user(tmp, name, len)) {
519  @@ -1517,6 +1525,8 @@ SYSCALL_DEFINE2(setdomainname, char __us  @@ -1515,6 +1523,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
520                  return -EPERM;                  return -EPERM;
521          if (len < 0 || len > __NEW_UTS_LEN)          if (len < 0 || len > __NEW_UTS_LEN)
522                  return -EINVAL;                  return -EINVAL;
# Line 515  Source code for this patch is http://vau Line 525  Source code for this patch is http://vau
525    
526          down_write(&uts_sem);          down_write(&uts_sem);
527          errno = -EFAULT;          errno = -EFAULT;
528  --- linux-3.10.0-123.13.2.el7.orig/kernel/time/ntp.c  --- linux-3.10.0-229.1.2.el7.orig/kernel/time/ntp.c
529  +++ linux-3.10.0-123.13.2.el7/kernel/time/ntp.c  +++ linux-3.10.0-229.1.2.el7/kernel/time/ntp.c
530  @@ -16,6 +16,7 @@  @@ -16,6 +16,7 @@
531   #include <linux/mm.h>   #include <linux/mm.h>
532   #include <linux/module.h>   #include <linux/module.h>
# Line 550  Source code for this patch is http://vau Line 560  Source code for this patch is http://vau
560    
561          return 0;          return 0;
562   }   }
563  --- linux-3.10.0-123.13.2.el7.orig/net/ipv4/raw.c  --- linux-3.10.0-229.1.2.el7.orig/net/ipv4/raw.c
564  +++ linux-3.10.0-123.13.2.el7/net/ipv4/raw.c  +++ linux-3.10.0-229.1.2.el7/net/ipv4/raw.c
565  @@ -702,6 +702,10 @@ static int raw_recvmsg(struct kiocb *ioc  @@ -702,6 +702,10 @@ static int raw_recvmsg(struct kiocb *ioc
566          skb = skb_recv_datagram(sk, flags, noblock, &err);          skb = skb_recv_datagram(sk, flags, noblock, &err);
567          if (!skb)          if (!skb)
# Line 563  Source code for this patch is http://vau Line 573  Source code for this patch is http://vau
573    
574          copied = skb->len;          copied = skb->len;
575          if (len < copied) {          if (len < copied) {
576  --- linux-3.10.0-123.13.2.el7.orig/net/ipv4/udp.c  --- linux-3.10.0-229.1.2.el7.orig/net/ipv4/udp.c
577  +++ linux-3.10.0-123.13.2.el7/net/ipv4/udp.c  +++ linux-3.10.0-229.1.2.el7/net/ipv4/udp.c
578  @@ -1221,6 +1221,10 @@ try_again:  @@ -1259,6 +1259,10 @@ try_again:
579                                    &peeked, &off, &err);                                    &peeked, &off, &err);
580          if (!skb)          if (!skb)
581                  goto out;                  goto out;
# Line 576  Source code for this patch is http://vau Line 586  Source code for this patch is http://vau
586    
587          ulen = skb->len - sizeof(struct udphdr);          ulen = skb->len - sizeof(struct udphdr);
588          copied = len;          copied = len;
589  --- linux-3.10.0-123.13.2.el7.orig/net/ipv6/raw.c  --- linux-3.10.0-229.1.2.el7.orig/net/ipv6/raw.c
590  +++ linux-3.10.0-123.13.2.el7/net/ipv6/raw.c  +++ linux-3.10.0-229.1.2.el7/net/ipv6/raw.c
591  @@ -467,6 +467,10 @@ static int rawv6_recvmsg(struct kiocb *i  @@ -467,6 +467,10 @@ static int rawv6_recvmsg(struct kiocb *i
592          skb = skb_recv_datagram(sk, flags, noblock, &err);          skb = skb_recv_datagram(sk, flags, noblock, &err);
593          if (!skb)          if (!skb)
# Line 589  Source code for this patch is http://vau Line 599  Source code for this patch is http://vau
599    
600          copied = skb->len;          copied = skb->len;
601          if (copied > len) {          if (copied > len) {
602  --- linux-3.10.0-123.13.2.el7.orig/net/ipv6/udp.c  --- linux-3.10.0-229.1.2.el7.orig/net/ipv6/udp.c
603  +++ linux-3.10.0-123.13.2.el7/net/ipv6/udp.c  +++ linux-3.10.0-229.1.2.el7/net/ipv6/udp.c
604  @@ -380,6 +380,10 @@ try_again:  @@ -380,6 +380,10 @@ try_again:
605                                    &peeked, &off, &err);                                    &peeked, &off, &err);
606          if (!skb)          if (!skb)
# Line 602  Source code for this patch is http://vau Line 612  Source code for this patch is http://vau
612    
613          ulen = skb->len - sizeof(struct udphdr);          ulen = skb->len - sizeof(struct udphdr);
614          copied = len;          copied = len;
615  --- linux-3.10.0-123.13.2.el7.orig/net/socket.c  --- linux-3.10.0-229.1.2.el7.orig/net/socket.c
616  +++ linux-3.10.0-123.13.2.el7/net/socket.c  +++ linux-3.10.0-229.1.2.el7/net/socket.c
617  @@ -1628,6 +1628,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct  @@ -1628,6 +1628,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
618          if (err < 0)          if (err < 0)
619                  goto out_fd;                  goto out_fd;
# Line 615  Source code for this patch is http://vau Line 625  Source code for this patch is http://vau
625          if (upeer_sockaddr) {          if (upeer_sockaddr) {
626                  if (newsock->ops->getname(newsock, (struct sockaddr *)&address,                  if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
627                                            &len, 2) < 0) {                                            &len, 2) < 0) {
628  --- linux-3.10.0-123.13.2.el7.orig/net/unix/af_unix.c  --- linux-3.10.0-229.1.2.el7.orig/net/unix/af_unix.c
629  +++ linux-3.10.0-123.13.2.el7/net/unix/af_unix.c  +++ linux-3.10.0-229.1.2.el7/net/unix/af_unix.c
630  @@ -1807,6 +1807,10 @@ static int unix_dgram_recvmsg(struct kio  @@ -1810,6 +1810,10 @@ static int unix_dgram_recvmsg(struct kio
631          wake_up_interruptible_sync_poll(&u->peer_wait,          wake_up_interruptible_sync_poll(&u->peer_wait,
632                                          POLLOUT | POLLWRNORM | POLLWRBAND);                                          POLLOUT | POLLWRNORM | POLLWRBAND);
633    
# Line 628  Source code for this patch is http://vau Line 638  Source code for this patch is http://vau
638          if (msg->msg_name)          if (msg->msg_name)
639                  unix_copy_addr(msg, skb->sk);                  unix_copy_addr(msg, skb->sk);
640    
641  --- linux-3.10.0-123.13.2.el7.orig/security/Kconfig  --- linux-3.10.0-229.1.2.el7.orig/security/Kconfig
642  +++ linux-3.10.0-123.13.2.el7/security/Kconfig  +++ linux-3.10.0-229.1.2.el7/security/Kconfig
643  @@ -175,5 +175,7 @@ config DEFAULT_SECURITY  @@ -175,5 +175,7 @@ config DEFAULT_SECURITY
644          default "yama" if DEFAULT_SECURITY_YAMA          default "yama" if DEFAULT_SECURITY_YAMA
645          default "" if DEFAULT_SECURITY_DAC          default "" if DEFAULT_SECURITY_DAC
# Line 638  Source code for this patch is http://vau Line 648  Source code for this patch is http://vau
648  +  +
649   endmenu   endmenu
650    
651  --- linux-3.10.0-123.13.2.el7.orig/security/Makefile  --- linux-3.10.0-229.1.2.el7.orig/security/Makefile
652  +++ linux-3.10.0-123.13.2.el7/security/Makefile  +++ linux-3.10.0-229.1.2.el7/security/Makefile
653  @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)           += device_c  @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)           += device_c
654   # Object integrity file lists   # Object integrity file lists
655   subdir-$(CONFIG_INTEGRITY)             += integrity   subdir-$(CONFIG_INTEGRITY)             += integrity
# Line 647  Source code for this patch is http://vau Line 657  Source code for this patch is http://vau
657  +  +
658  +subdir-$(CONFIG_CCSECURITY)            += ccsecurity  +subdir-$(CONFIG_CCSECURITY)            += ccsecurity
659  +obj-$(CONFIG_CCSECURITY)               += ccsecurity/built-in.o  +obj-$(CONFIG_CCSECURITY)               += ccsecurity/built-in.o
660  --- linux-3.10.0-123.13.2.el7.orig/security/security.c  --- linux-3.10.0-229.1.2.el7.orig/security/security.c
661  +++ linux-3.10.0-123.13.2.el7/security/security.c  +++ linux-3.10.0-229.1.2.el7/security/security.c
662  @@ -203,7 +203,10 @@ int security_syslog(int type)  @@ -203,7 +203,10 @@ int security_syslog(int type)
663    
664   int security_settime(const struct timespec *ts, const struct timezone *tz)   int security_settime(const struct timespec *ts, const struct timezone *tz)
# Line 740  Source code for this patch is http://vau Line 750  Source code for this patch is http://vau
750          return security_ops->path_unlink(dir, dentry);          return security_ops->path_unlink(dir, dentry);
751   }   }
752   EXPORT_SYMBOL(security_path_unlink);   EXPORT_SYMBOL(security_path_unlink);
753  @@ -421,25 +450,37 @@ EXPORT_SYMBOL(security_path_unlink);  @@ -421,16 +450,24 @@ EXPORT_SYMBOL(security_path_unlink);
754   int security_path_symlink(struct path *dir, struct dentry *dentry,   int security_path_symlink(struct path *dir, struct dentry *dentry,
755                            const char *old_name)                            const char *old_name)
756   {   {
# Line 765  Source code for this patch is http://vau Line 775  Source code for this patch is http://vau
775          return security_ops->path_link(old_dentry, new_dir, new_dentry);          return security_ops->path_link(old_dentry, new_dir, new_dentry);
776   }   }
777    
778   int security_path_rename(struct path *old_dir, struct dentry *old_dentry,  @@ -438,6 +475,7 @@ int security_path_rename(struct path *ol
779                           struct path *new_dir, struct dentry *new_dentry)                           struct path *new_dir, struct dentry *new_dentry,
780                             unsigned int flags)
781   {   {
782  +       int error;  +       int error;
783          if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||          if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
784                       (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))                       (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
785                  return 0;                  return 0;
786    @@ -447,8 +485,15 @@ int security_path_rename(struct path *ol
787                                                        old_dir, old_dentry);
788                    if (err)
789                            return err;
790    +               err = ccs_rename_permission(new_dentry, old_dentry,
791    +                                           old_dir->mnt);
792    +               if (err)
793    +                       return err;
794            }
795    
796  +       error = ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);  +       error = ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
797  +       if (error)  +       if (error)
798  +               return error;  +               return error;
799          return security_ops->path_rename(old_dir, old_dentry, new_dir,          return security_ops->path_rename(old_dir, old_dentry, new_dir,
800                                           new_dentry);                                           new_dentry);
801   }   }
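Review bot: The two new ccs_rename_permission() checks sit on different sides of the LSM call: in the RENAME_EXCHANGE branch (lines 790-793 of the new side) the CCS check runs only after security_ops->path_rename(new_dir, new_dentry, old_dir, old_dentry) has already succeeded, while for the forward direction (lines 796-798) the CCS check runs before security_ops->path_rename. Whichever check runs first is the one that logs the denial, so an exchange denied by the stacked LSM never reaches CCS in one direction but always does in the other; moving `err = ccs_rename_permission(new_dentry, old_dentry, old_dir->mnt);` and its `if (err) return err;` ahead of the security_ops call in that branch would make ordering uniform. The `if (flags & RENAME_EXCHANGE)` that opens the branch and the declaration of `err` are outside this hunk, so the scoping is inferred. Note also that `flags` is not passed to ccs_rename_permission(), so the hook presumably cannot distinguish RENAME_NOREPLACE or other flag variants beyond the exchange case handled by the second call.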
802  @@ -447,27 +488,42 @@ EXPORT_SYMBOL(security_path_rename);  @@ -456,27 +501,42 @@ EXPORT_SYMBOL(security_path_rename);
803    
804   int security_path_truncate(struct path *path)   int security_path_truncate(struct path *path)
805   {   {
# Line 821  Source code for this patch is http://vau Line 842  Source code for this patch is http://vau
842          return security_ops->path_chroot(path);          return security_ops->path_chroot(path);
843   }   }
844   #endif   #endif
845  @@ -571,9 +627,13 @@ EXPORT_SYMBOL_GPL(security_inode_setattr  @@ -589,9 +649,13 @@ EXPORT_SYMBOL_GPL(security_inode_setattr
846    
847   int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)   int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
848   {   {
# Line 836  Source code for this patch is http://vau Line 857  Source code for this patch is http://vau
857   }   }
858    
859   int security_inode_setxattr(struct dentry *dentry, const char *name,   int security_inode_setxattr(struct dentry *dentry, const char *name,
860  @@ -690,7 +750,10 @@ void security_file_free(struct file *fil  @@ -708,7 +772,10 @@ void security_file_free(struct file *fil
861    
862   int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)   int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
863   {   {
# Line 848  Source code for this patch is http://vau Line 869  Source code for this patch is http://vau
869   }   }
870    
871   static inline unsigned long mmap_prot(struct file *file, unsigned long prot)   static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
872  @@ -756,7 +819,10 @@ int security_file_lock(struct file *file  @@ -774,7 +841,10 @@ int security_file_lock(struct file *file
873    
874   int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)   int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
875   {   {
# Line 860  Source code for this patch is http://vau Line 881  Source code for this patch is http://vau
881   }   }
882    
883   int security_file_set_fowner(struct file *file)   int security_file_set_fowner(struct file *file)
884  @@ -780,6 +846,8 @@ int security_file_open(struct file *file  @@ -798,6 +868,8 @@ int security_file_open(struct file *file
885          int ret;          int ret;
886    
887          ret = security_ops->file_open(file, cred);          ret = security_ops->file_open(file, cred);
# Line 869  Source code for this patch is http://vau Line 890  Source code for this patch is http://vau
890          if (ret)          if (ret)
891                  return ret;                  return ret;
892    
893  @@ -1119,7 +1187,10 @@ EXPORT_SYMBOL(security_unix_may_send);  @@ -1137,7 +1209,10 @@ EXPORT_SYMBOL(security_unix_may_send);
894    
895   int security_socket_create(int family, int type, int protocol, int kern)   int security_socket_create(int family, int type, int protocol, int kern)
896   {   {
# Line 881  Source code for this patch is http://vau Line 902  Source code for this patch is http://vau
902   }   }
903    
904   int security_socket_post_create(struct socket *sock, int family,   int security_socket_post_create(struct socket *sock, int family,
905  @@ -1131,17 +1202,26 @@ int security_socket_post_create(struct s  @@ -1149,17 +1224,26 @@ int security_socket_post_create(struct s
906    
907   int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)   int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
908   {   {
# Line 911  Source code for this patch is http://vau Line 932  Source code for this patch is http://vau
932   }   }
933    
934   int security_socket_accept(struct socket *sock, struct socket *newsock)   int security_socket_accept(struct socket *sock, struct socket *newsock)
935  @@ -1151,7 +1231,10 @@ int security_socket_accept(struct socket  @@ -1169,7 +1253,10 @@ int security_socket_accept(struct socket
936    
937   int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)   int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
938   {   {
