tags/2.6.14-6/4908_grsec-2.1.8-policy-recreation-fix.patch

This change was introduced between the 2.6.14.6-200601211647 and
2.6.14.7-200602072041 snapshots. According to spender, it fixes a problem that
would occur during policy recreation. WARNING! This introduces a dependency
on gradm-2.1.8-200602071945 or higher over in userland.

diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c
--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c   2006-02-07 22:24:38.000000000 -0500
+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c   2006-02-07 22:24:50.000000000 -0500
@@ -28,7 +28,7 @@
 
 static struct acl_role_db acl_role_set;
 static struct name_db name_set;
-static struct name_db inodev_set;
+static struct inodev_db inodev_set;
 
 /* for keeping track of userspace pointers used for subjects, so we
    can share references in the kernel as well
@@ -481,32 +481,35 @@ lookup_name_entry(const char *name)
 static struct name_entry *
 lookup_inodev_entry(const ino_t ino, const dev_t dev)
 {
-       unsigned int index = fhash(ino, dev, inodev_set.n_size);
-       struct name_entry *match;
+       unsigned int index = fhash(ino, dev, inodev_set.i_size);
+       struct inodev_entry *match;
 
-       match = inodev_set.n_hash[index];
+       match = inodev_set.i_hash[index];
 
-       while (match && (match->inode != ino || match->device != dev))
+       while (match && (match->nentry->inode != ino || match->nentry->device != dev))
                match = match->next;
 
-       return match;
+       if (match != NULL)
+               return match->nentry;
+       else
+               return NULL;
 }
 
 static void
-insert_inodev_entry(struct name_entry *nentry)
+insert_inodev_entry(struct inodev_entry *entry)
 {
-       unsigned int index = fhash(nentry->inode, nentry->device,
-                                   inodev_set.n_size);
-       struct name_entry **curr;
+       unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
+                                   inodev_set.i_size);
+       struct inodev_entry **curr;
 
-       nentry->prev = NULL;
+       entry->prev = NULL;
 
-       curr = &inodev_set.n_hash[index];
+       curr = &inodev_set.i_hash[index];
        if (*curr != NULL)
-               (*curr)->prev = nentry;
+               (*curr)->prev = entry;
        
-       nentry->next = *curr;
-       *curr = nentry;
+       entry->next = *curr;
+       *curr = entry;
 
        return;
 }
@@ -546,6 +549,7 @@ static int
 insert_name_entry(char *name, const ino_t inode, const dev_t device)
 {
        struct name_entry **curr, *nentry;
+       struct inodev_entry *ientry;
        unsigned int len = strlen(name);
        unsigned int key = full_name_hash(name, len);
        unsigned int index = key % name_set.n_size;
@@ -561,6 +565,10 @@ insert_name_entry(char *name, const ino_
        nentry = acl_alloc(sizeof (struct name_entry));
        if (nentry == NULL)
                return 0;
+       ientry = acl_alloc(sizeof (struct inodev_entry));
+       if (ientry == NULL)
+               return 0;
+       ientry->nentry = nentry;
 
        nentry->key = key;
        nentry->name = name;
@@ -576,7 +584,7 @@ insert_name_entry(char *name, const ino_
        *curr = nentry;
 
        /* insert us into the table searchable by inode/dev */
-       insert_inodev_entry(nentry);
+       insert_inodev_entry(ientry);
 
        return 1;
 }
@@ -661,10 +669,10 @@ init_variables(const struct gr_arg *arg)
        subj_map_set.s_size = arg->role_db.num_subjects;
        acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
        name_set.n_size = arg->role_db.num_objects;
-       inodev_set.n_size = arg->role_db.num_objects;
+       inodev_set.i_size = arg->role_db.num_objects;
 
        if (!subj_map_set.s_size || !acl_role_set.r_size ||
-           !name_set.n_size || !inodev_set.n_size)
+           !name_set.n_size || !inodev_set.i_size)
                return 1;
 
        if (!gr_init_uidset())
@@ -689,11 +697,11 @@ init_variables(const struct gr_arg *arg)
        acl_role_set.r_hash =
            (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
        name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
-       inodev_set.n_hash =
-           (struct name_entry **) create_table(&inodev_set.n_size, sizeof(void *));
+       inodev_set.i_hash =
+           (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
 
        if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
-           !name_set.n_hash || !inodev_set.n_hash)
+           !name_set.n_hash || !inodev_set.i_hash)
                return 1;
 
        memset(subj_map_set.s_hash, 0,
@@ -702,8 +710,8 @@ init_variables(const struct gr_arg *arg)
               sizeof (struct acl_role_label *) * acl_role_set.r_size);
        memset(name_set.n_hash, 0,
               sizeof (struct name_entry *) * name_set.n_size);
-       memset(inodev_set.n_hash, 0,
-              sizeof (struct name_entry *) * inodev_set.n_size);
+       memset(inodev_set.i_hash, 0,
+              sizeof (struct inodev_entry *) * inodev_set.i_size);
 
        return 0;
 }
@@ -806,18 +814,18 @@ free_variables(void)
                        vfree(name_set.n_hash);
        }
 
-       if (inodev_set.n_hash) {
-               if ((inodev_set.n_size * sizeof (struct name_entry *)) <=
+       if (inodev_set.i_hash) {
+               if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
                    PAGE_SIZE)
-                       kfree(inodev_set.n_hash);
+                       kfree(inodev_set.i_hash);
                else
-                       vfree(inodev_set.n_hash);
+                       vfree(inodev_set.i_hash);
        }
 
        gr_free_uidset();
 
        memset(&name_set, 0, sizeof (struct name_db));
-       memset(&inodev_set, 0, sizeof (struct name_db));
+       memset(&inodev_set, 0, sizeof (struct inodev_db));
        memset(&acl_role_set, 0, sizeof (struct acl_role_db));
        memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
 
@@ -2384,19 +2392,19 @@ static void
 update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
                    const ino_t newinode, const dev_t newdevice)
 {
-       unsigned int index = fhash(oldinode, olddevice, inodev_set.n_size);
-       struct name_entry *match;
+       unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
+       struct inodev_entry *match;
 
-       match = inodev_set.n_hash[index];
+       match = inodev_set.i_hash[index];
 
-       while (match && (match->inode != oldinode ||
-              match->device != olddevice))
+       while (match && (match->nentry->inode != oldinode ||
+              match->nentry->device != olddevice))
                match = match->next;
 
-       if (match && (match->inode == oldinode)
-           && (match->device == olddevice)) {
+       if (match && (match->nentry->inode == oldinode)
+           && (match->nentry->device == olddevice)) {
                if (match->prev == NULL) {
-                       inodev_set.n_hash[index] = match->next;
+                       inodev_set.i_hash[index] = match->next;
                        if (match->next != NULL)
                                match->next->prev = NULL;
                } else {
@@ -2406,8 +2414,8 @@ update_inodev_entry(const ino_t oldinode
                }
                match->prev = NULL;
                match->next = NULL;
-               match->inode = newinode;
-               match->device = newdevice;
+               match->nentry->inode = newinode;
+               match->nentry->device = newdevice;
 
                insert_inodev_entry(match);
        }
diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h
--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h        2006-02-07 22:24:38.000000000 -0500
+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h        2006-02-07 22:24:50.000000000 -0500
@@ -56,11 +56,22 @@ struct name_entry {
        struct name_entry *next;
 };
 
+struct inodev_entry {
+       struct name_entry *nentry;
+       struct inodev_entry *prev;
+       struct inodev_entry *next;
+};
+
 struct acl_role_db {
        struct acl_role_label **r_hash;
        __u32 r_size;
 };
 
+struct inodev_db {
+       struct inodev_entry **i_hash;
+       __u32 i_size;
+};
+
 struct name_db {
        struct name_entry **n_hash;
        __u32 n_size;
1	This change was introduced between the 2.6.14.6-200601211647 and
2	2.6.14.7-200602072041 snapshots. According to spender, it fixes a problem that
3	would occur during policy recreation. WARNING! This introduces a dependency
4	on gradm-2.1.8-200602071945 or higher over in userland.
5
6	diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c
7	--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c 2006-02-07 22:24:38.000000000 -0500
8	+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c 2006-02-07 22:24:50.000000000 -0500
9	@@ -28,7 +28,7 @@
10
11	static struct acl_role_db acl_role_set;
12	static struct name_db name_set;
13	-static struct name_db inodev_set;
14	+static struct inodev_db inodev_set;
15
16	/* for keeping track of userspace pointers used for subjects, so we
17	can share references in the kernel as well
18	@@ -481,32 +481,35 @@ lookup_name_entry(const char *name)
19	static struct name_entry *
20	lookup_inodev_entry(const ino_t ino, const dev_t dev)
21	{
22	- unsigned int index = fhash(ino, dev, inodev_set.n_size);
23	- struct name_entry *match;
24	+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
25	+ struct inodev_entry *match;
26
27	- match = inodev_set.n_hash[index];
28	+ match = inodev_set.i_hash[index];
29
30	- while (match && (match->inode != ino \|\| match->device != dev))
31	+ while (match && (match->nentry->inode != ino \|\| match->nentry->device != dev))
32	match = match->next;
33
34	- return match;
35	+ if (match != NULL)
36	+ return match->nentry;
37	+ else
38	+ return NULL;
39	}
40
41	static void
42	-insert_inodev_entry(struct name_entry *nentry)
43	+insert_inodev_entry(struct inodev_entry *entry)
44	{
45	- unsigned int index = fhash(nentry->inode, nentry->device,
46	- inodev_set.n_size);
47	- struct name_entry **curr;
48	+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
49	+ inodev_set.i_size);
50	+ struct inodev_entry **curr;
51
52	- nentry->prev = NULL;
53	+ entry->prev = NULL;
54
55	- curr = &inodev_set.n_hash[index];
56	+ curr = &inodev_set.i_hash[index];
57	if (*curr != NULL)
58	- (*curr)->prev = nentry;
59	+ (*curr)->prev = entry;
60
61	- nentry->next = *curr;
62	- *curr = nentry;
63	+ entry->next = *curr;
64	+ *curr = entry;
65
66	return;
67	}
68	@@ -546,6 +549,7 @@ static int
69	insert_name_entry(char *name, const ino_t inode, const dev_t device)
70	{
71	struct name_entry *curr, nentry;
72	+ struct inodev_entry *ientry;
73	unsigned int len = strlen(name);
74	unsigned int key = full_name_hash(name, len);
75	unsigned int index = key % name_set.n_size;
76	@@ -561,6 +565,10 @@ insert_name_entry(char *name, const ino_
77	nentry = acl_alloc(sizeof (struct name_entry));
78	if (nentry == NULL)
79	return 0;
80	+ ientry = acl_alloc(sizeof (struct inodev_entry));
81	+ if (ientry == NULL)
82	+ return 0;
83	+ ientry->nentry = nentry;
84
85	nentry->key = key;
86	nentry->name = name;
87	@@ -576,7 +584,7 @@ insert_name_entry(char *name, const ino_
88	*curr = nentry;
89
90	/* insert us into the table searchable by inode/dev */
91	- insert_inodev_entry(nentry);
92	+ insert_inodev_entry(ientry);
93
94	return 1;
95	}
96	@@ -661,10 +669,10 @@ init_variables(const struct gr_arg *arg)
97	subj_map_set.s_size = arg->role_db.num_subjects;
98	acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
99	name_set.n_size = arg->role_db.num_objects;
100	- inodev_set.n_size = arg->role_db.num_objects;
101	+ inodev_set.i_size = arg->role_db.num_objects;
102
103	if (!subj_map_set.s_size \|\| !acl_role_set.r_size \|\|
104	- !name_set.n_size \|\| !inodev_set.n_size)
105	+ !name_set.n_size \|\| !inodev_set.i_size)
106	return 1;
107
108	if (!gr_init_uidset())
109	@@ -689,11 +697,11 @@ init_variables(const struct gr_arg *arg)
110	acl_role_set.r_hash =
111	(struct acl_role_label *) create_table(&acl_role_set.r_size, sizeof(void ));
112	name_set.n_hash = (struct name_entry *) create_table(&name_set.n_size, sizeof(void ));
113	- inodev_set.n_hash =
114	- (struct name_entry *) create_table(&inodev_set.n_size, sizeof(void ));
115	+ inodev_set.i_hash =
116	+ (struct inodev_entry *) create_table(&inodev_set.i_size, sizeof(void ));
117
118	if (!subj_map_set.s_hash \|\| !acl_role_set.r_hash \|\|
119	- !name_set.n_hash \|\| !inodev_set.n_hash)
120	+ !name_set.n_hash \|\| !inodev_set.i_hash)
121	return 1;
122
123	memset(subj_map_set.s_hash, 0,
124	@@ -702,8 +710,8 @@ init_variables(const struct gr_arg *arg)
125	sizeof (struct acl_role_label ) acl_role_set.r_size);
126	memset(name_set.n_hash, 0,
127	sizeof (struct name_entry ) name_set.n_size);
128	- memset(inodev_set.n_hash, 0,
129	- sizeof (struct name_entry ) inodev_set.n_size);
130	+ memset(inodev_set.i_hash, 0,
131	+ sizeof (struct inodev_entry ) inodev_set.i_size);
132
133	return 0;
134	}
135	@@ -806,18 +814,18 @@ free_variables(void)
136	vfree(name_set.n_hash);
137	}
138
139	- if (inodev_set.n_hash) {
140	- if ((inodev_set.n_size * sizeof (struct name_entry *)) <=
141	+ if (inodev_set.i_hash) {
142	+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
143	PAGE_SIZE)
144	- kfree(inodev_set.n_hash);
145	+ kfree(inodev_set.i_hash);
146	else
147	- vfree(inodev_set.n_hash);
148	+ vfree(inodev_set.i_hash);
149	}
150
151	gr_free_uidset();
152
153	memset(&name_set, 0, sizeof (struct name_db));
154	- memset(&inodev_set, 0, sizeof (struct name_db));
155	+ memset(&inodev_set, 0, sizeof (struct inodev_db));
156	memset(&acl_role_set, 0, sizeof (struct acl_role_db));
157	memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
158
159	@@ -2384,19 +2392,19 @@ static void
160	update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
161	const ino_t newinode, const dev_t newdevice)
162	{
163	- unsigned int index = fhash(oldinode, olddevice, inodev_set.n_size);
164	- struct name_entry *match;
165	+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
166	+ struct inodev_entry *match;
167
168	- match = inodev_set.n_hash[index];
169	+ match = inodev_set.i_hash[index];
170
171	- while (match && (match->inode != oldinode \|\|
172	- match->device != olddevice))
173	+ while (match && (match->nentry->inode != oldinode \|\|
174	+ match->nentry->device != olddevice))
175	match = match->next;
176
177	- if (match && (match->inode == oldinode)
178	- && (match->device == olddevice)) {
179	+ if (match && (match->nentry->inode == oldinode)
180	+ && (match->nentry->device == olddevice)) {
181	if (match->prev == NULL) {
182	- inodev_set.n_hash[index] = match->next;
183	+ inodev_set.i_hash[index] = match->next;
184	if (match->next != NULL)
185	match->next->prev = NULL;
186	} else {
187	@@ -2406,8 +2414,8 @@ update_inodev_entry(const ino_t oldinode
188	}
189	match->prev = NULL;
190	match->next = NULL;
191	- match->inode = newinode;
192	- match->device = newdevice;
193	+ match->nentry->inode = newinode;
194	+ match->nentry->device = newdevice;
195
196	insert_inodev_entry(match);
197	}
198	diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h
199	--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h 2006-02-07 22:24:38.000000000 -0500
200	+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h 2006-02-07 22:24:50.000000000 -0500
201	@@ -56,11 +56,22 @@ struct name_entry {
202	struct name_entry *next;
203	};
204
205	+struct inodev_entry {
206	+ struct name_entry *nentry;
207	+ struct inodev_entry *prev;
208	+ struct inodev_entry *next;
209	+};
210	+
211	struct acl_role_db {
212	struct acl_role_label **r_hash;
213	__u32 r_size;
214	};
215
216	+struct inodev_db {
217	+ struct inodev_entry **i_hash;
218	+ __u32 i_size;
219	+};
220	+
221	struct name_db {
222	struct name_entry **n_hash;
223	__u32 n_size;