
Contents of /hardened/2.6/tags/2.6.14-6/4908_grsec-2.1.8-policy-recreation-fix.patch



Revision 331 - (show annotations) (download)
Tue Mar 14 13:45:02 2006 UTC (8 years, 1 month ago) by johnm
File size: 7432 byte(s)
2.6.14-6 hardened release
1 This change was introduced between the 2.6.14.6-200601211647 and
2 2.6.14.7-200602072041 snapshots. According to spender, it fixes a problem that
3 would occur during policy recreation. WARNING! This introduces a dependency
4 on gradm-2.1.8-200602071945 or higher in userland.
5
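diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c
--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/grsecurity/gracl.c 2006-02-07 22:24:38.000000000 -0500
+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/grsecurity/gracl.c 2006-02-07 22:24:50.000000000 -0500
@@ -28,7 +28,7 @@
 
 static struct acl_role_db acl_role_set;
 static struct name_db name_set;
-static struct name_db inodev_set;
+static struct inodev_db inodev_set;
 
 /* for keeping track of userspace pointers used for subjects, so we
 can share references in the kernel as well
@@ -481,32 +481,35 @@ lookup_name_entry(const char *name)
 static struct name_entry *
 lookup_inodev_entry(const ino_t ino, const dev_t dev)
 {
- unsigned int index = fhash(ino, dev, inodev_set.n_size);
- struct name_entry *match;
+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
+ struct inodev_entry *match;
 
- match = inodev_set.n_hash[index];
+ match = inodev_set.i_hash[index];
 
- while (match && (match->inode != ino || match->device != dev))
+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
 match = match->next;
 
- return match;
+ if (match != NULL)
+ return match->nentry;
+ else
+ return NULL;
 }
 
 static void
-insert_inodev_entry(struct name_entry *nentry)
+insert_inodev_entry(struct inodev_entry *entry)
 {
- unsigned int index = fhash(nentry->inode, nentry->device,
- inodev_set.n_size);
- struct name_entry **curr;
+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
+ inodev_set.i_size);
+ struct inodev_entry **curr;
 
- nentry->prev = NULL;
+ entry->prev = NULL;
 
- curr = &inodev_set.n_hash[index];
+ curr = &inodev_set.i_hash[index];
 if (*curr != NULL)
- (*curr)->prev = nentry;
+ (*curr)->prev = entry;
 
- nentry->next = *curr;
- *curr = nentry;
+ entry->next = *curr;
+ *curr = entry;
 
 return;
 }
@@ -546,6 +549,7 @@ static int
 insert_name_entry(char *name, const ino_t inode, const dev_t device)
 {
 struct name_entry **curr, *nentry;
+ struct inodev_entry *ientry;
 unsigned int len = strlen(name);
 unsigned int key = full_name_hash(name, len);
 unsigned int index = key % name_set.n_size;
@@ -561,6 +565,10 @@ insert_name_entry(char *name, const ino_
 nentry = acl_alloc(sizeof (struct name_entry));
 if (nentry == NULL)
 return 0;
+ ientry = acl_alloc(sizeof (struct inodev_entry));
+ if (ientry == NULL)
+ return 0;
+ ientry->nentry = nentry;
 
 nentry->key = key;
 nentry->name = name;
@@ -576,7 +584,7 @@ insert_name_entry(char *name, const ino_
 *curr = nentry;
 
 /* insert us into the table searchable by inode/dev */
- insert_inodev_entry(nentry);
+ insert_inodev_entry(ientry);
 
 return 1;
 }
@@ -661,10 +669,10 @@ init_variables(const struct gr_arg *arg)
 subj_map_set.s_size = arg->role_db.num_subjects;
 acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
 name_set.n_size = arg->role_db.num_objects;
- inodev_set.n_size = arg->role_db.num_objects;
+ inodev_set.i_size = arg->role_db.num_objects;
 
 if (!subj_map_set.s_size || !acl_role_set.r_size ||
- !name_set.n_size || !inodev_set.n_size)
+ !name_set.n_size || !inodev_set.i_size)
 return 1;
 
 if (!gr_init_uidset())
@@ -689,11 +697,11 @@ init_variables(const struct gr_arg *arg)
 acl_role_set.r_hash =
 (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
 name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
- inodev_set.n_hash =
- (struct name_entry **) create_table(&inodev_set.n_size, sizeof(void *));
+ inodev_set.i_hash =
+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
 
 if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
- !name_set.n_hash || !inodev_set.n_hash)
+ !name_set.n_hash || !inodev_set.i_hash)
 return 1;
 
 memset(subj_map_set.s_hash, 0,
@@ -702,8 +710,8 @@ init_variables(const struct gr_arg *arg)
 sizeof (struct acl_role_label *) * acl_role_set.r_size);
 memset(name_set.n_hash, 0,
 sizeof (struct name_entry *) * name_set.n_size);
- memset(inodev_set.n_hash, 0,
- sizeof (struct name_entry *) * inodev_set.n_size);
+ memset(inodev_set.i_hash, 0,
+ sizeof (struct inodev_entry *) * inodev_set.i_size);
 
 return 0;
 }
@@ -806,18 +814,18 @@ free_variables(void)
 vfree(name_set.n_hash);
 }
 
- if (inodev_set.n_hash) {
- if ((inodev_set.n_size * sizeof (struct name_entry *)) <=
+ if (inodev_set.i_hash) {
+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
 PAGE_SIZE)
- kfree(inodev_set.n_hash);
+ kfree(inodev_set.i_hash);
 else
- vfree(inodev_set.n_hash);
+ vfree(inodev_set.i_hash);
 }
 
 gr_free_uidset();
 
 memset(&name_set, 0, sizeof (struct name_db));
- memset(&inodev_set, 0, sizeof (struct name_db));
+ memset(&inodev_set, 0, sizeof (struct inodev_db));
 memset(&acl_role_set, 0, sizeof (struct acl_role_db));
 memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
 
@@ -2384,19 +2392,19 @@ static void
 update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
 const ino_t newinode, const dev_t newdevice)
 {
- unsigned int index = fhash(oldinode, olddevice, inodev_set.n_size);
- struct name_entry *match;
+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
+ struct inodev_entry *match;
 
- match = inodev_set.n_hash[index];
+ match = inodev_set.i_hash[index];
 
- while (match && (match->inode != oldinode ||
- match->device != olddevice))
+ while (match && (match->nentry->inode != oldinode ||
+ match->nentry->device != olddevice))
 match = match->next;
 
- if (match && (match->inode == oldinode)
- && (match->device == olddevice)) {
+ if (match && (match->nentry->inode == oldinode)
+ && (match->nentry->device == olddevice)) {
 if (match->prev == NULL) {
- inodev_set.n_hash[index] = match->next;
+ inodev_set.i_hash[index] = match->next;
 if (match->next != NULL)
 match->next->prev = NULL;
 } else {
@@ -2406,8 +2414,8 @@ update_inodev_entry(const ino_t oldinode
 }
 match->prev = NULL;
 match->next = NULL;
- match->inode = newinode;
- match->device = newdevice;
+ match->nentry->inode = newinode;
+ match->nentry->device = newdevice;
 
 insert_inodev_entry(match);
 }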
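Review bot: In the insert_name_entry hunk (@@ -561,6 +565,10 @@), the new `if (ientry == NULL) return 0;` returns after `nentry` has already been obtained from acl_alloc but before it is linked into name_set, so that name_entry is dropped on the failure path. Whether that matters depends on acl_alloc, which the hunk does not show: if it hands out individually freeable objects this is a leak on every failed policy load, whereas if it draws from a pool that free_variables tears down wholesale it is harmless. In the second case a one-line comment at the check, e.g. `/* nentry is pool-allocated; reclaimed with the policy, no free needed */`, would save the next reader the same question; in the first, the failure path should release nentry before returning. Separately, in update_inodev_entry the `if (match && (match->nentry->inode == oldinode) && ...)` re-check after the while loop is redundant, since the loop can only exit with a non-NULL match when both fields already agree, so `if (match) {` is enough. insert_name_entry and update_inodev_entry both begin and end outside their hunks.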
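diff -urp linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h
--- linux-2.6.14-grsec-2.1.8-2.6.14.6-200601211647/include/linux/gracl.h 2006-02-07 22:24:38.000000000 -0500
+++ linux-2.6.14-grsec-2.1.8-2.6.14.7-200602072041/include/linux/gracl.h 2006-02-07 22:24:50.000000000 -0500
@@ -56,11 +56,22 @@ struct name_entry {
 struct name_entry *next;
 };
 
+struct inodev_entry {
+ struct name_entry *nentry;
+ struct inodev_entry *prev;
+ struct inodev_entry *next;
+};
+
 struct acl_role_db {
 struct acl_role_label **r_hash;
 __u32 r_size;
 };
 
+struct inodev_db {
+ struct inodev_entry **i_hash;
+ __u32 i_size;
+};
+
 struct name_db {
 struct name_entry **n_hash;
 __u32 n_size;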
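Review bot: The new `struct inodev_entry` carries no comment explaining why the inode/device table now chains a separate node that points at the name_entry instead of chaining the name_entry itself, which is the whole substance of this fix. From the gracl.c side of the patch the old layout threaded one name_entry through both name_set and inodev_set using a single prev/next pair, so unlinking or relinking it in one table presumably corrupted the other; that reasoning should be recorded where the struct is declared. A comment such as `/* inode/device hash node; kept separate so a name_entry can sit in name_set and inodev_set with independent links */` above the struct would do. Likewise `struct inodev_db` would benefit from a one-line note that i_hash is sized and allocated by init_variables alongside name_set.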
