• R/O
  • SSH
  • HTTPS

tomoyo: Commit


Commit MetaInfo

Révision6836 (tree)
l'heure2020-10-26 20:41:55
Auteurkumaneko

Message de Log

(empty log message)

Change Summary

Modification

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-5.10.diff (nonexistent)
+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-5.10.diff (revision 6836)
@@ -0,0 +1,711 @@
1+This is TOMOYO Linux patch for kernel 5.10-rc1.
2+
3+Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.10-rc1.tar.gz
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 ++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 70 ++++++++++++++++++++++++++++------------------
10+ include/net/ip.h | 4 ++
11+ init/init_task.c | 4 ++
12+ kernel/kexec.c | 4 +-
13+ kernel/module.c | 5 +++
14+ kernel/ptrace.c | 10 ++++++
15+ kernel/reboot.c | 3 +
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 25 ++++++++++++++++
18+ kernel/sys.c | 8 +++++
19+ kernel/time/timekeeping.c | 8 +++++
20+ net/ipv4/raw.c | 4 ++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 ++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 ++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 +
28+ security/security.c | 5 ++-
29+ 24 files changed, 160 insertions(+), 30 deletions(-)
30+
31+--- linux-5.10-rc1.orig/fs/exec.c
32++++ linux-5.10-rc1/fs/exec.c
33+@@ -1817,7 +1817,7 @@ static int bprm_execve(struct linux_binp
34+ if (retval)
35+ goto out;
36+
37+- retval = exec_binprm(bprm);
38++ retval = ccs_exec_binprm(bprm);
39+ if (retval < 0)
40+ goto out;
41+
42+--- linux-5.10-rc1.orig/fs/open.c
43++++ linux-5.10-rc1/fs/open.c
44+@@ -1327,6 +1327,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux-5.10-rc1.orig/fs/proc/version.c
54++++ linux-5.10-rc1/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 5.10-rc1 2020/10/26\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux-5.10-rc1.orig/include/linux/sched.h
67++++ linux-5.10-rc1/include/linux/sched.h
68+@@ -41,6 +41,7 @@ struct backing_dev_info;
69+ struct bio_list;
70+ struct blk_plug;
71+ struct capture_control;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1310,6 +1311,10 @@ struct task_struct {
77+ /* Used by LSM modules for access restriction: */
78+ void *security;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
86+ unsigned long lowest_stack;
87+--- linux-5.10-rc1.orig/include/linux/security.h
88++++ linux-5.10-rc1/include/linux/security.h
89+@@ -59,6 +59,7 @@ struct fs_parameter;
90+ enum fs_value_type;
91+ struct watch;
92+ struct watch_notification;
93++#include <linux/ccsecurity.h>
94+
95+ /* Default (no) options for the capable function */
96+ #define CAP_OPT_NONE 0x0
97+@@ -571,7 +572,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -654,18 +658,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -693,7 +697,7 @@ static inline int security_add_mnt_opt(c
132+ static inline int security_move_mount(const struct path *from_path,
133+ const struct path *to_path)
134+ {
135+- return 0;
136++ return ccs_move_mount_permission(from_path, to_path);
137+ }
138+
139+ static inline int security_path_notify(const struct path *path, u64 mask,
140+@@ -827,7 +831,7 @@ static inline int security_inode_setattr
141+
142+ static inline int security_inode_getattr(const struct path *path)
143+ {
144+- return 0;
145++ return ccs_inode_getattr(path);
146+ }
147+
148+ static inline int security_inode_setxattr(struct dentry *dentry,
149+@@ -919,7 +923,7 @@ static inline void security_file_free(st
150+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_ioctl(file, cmd, arg);
155+ }
156+
157+ static inline int security_mmap_file(struct file *file, unsigned long prot,
158+@@ -948,7 +952,7 @@ static inline int security_file_lock(str
159+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
160+ unsigned long arg)
161+ {
162+- return 0;
163++ return ccs_file_fcntl(file, cmd, arg);
164+ }
165+
166+ static inline void security_file_set_fowner(struct file *file)
167+@@ -970,17 +974,19 @@ static inline int security_file_receive(
168+
169+ static inline int security_file_open(struct file *file)
170+ {
171+- return 0;
172++ return ccs_file_open(file);
173+ }
174+
175+ static inline int security_task_alloc(struct task_struct *task,
176+ unsigned long clone_flags)
177+ {
178+- return 0;
179++ return ccs_alloc_task_security(task);
180+ }
181+
182+ static inline void security_task_free(struct task_struct *task)
183+-{ }
184++{
185++ ccs_free_task_security(task);
186++}
187+
188+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
189+ {
190+@@ -1396,7 +1402,7 @@ static inline int security_unix_may_send
191+ static inline int security_socket_create(int family, int type,
192+ int protocol, int kern)
193+ {
194+- return 0;
195++ return ccs_socket_create(family, type, protocol, kern);
196+ }
197+
198+ static inline int security_socket_post_create(struct socket *sock,
199+@@ -1417,19 +1423,19 @@ static inline int security_socket_bind(s
200+ struct sockaddr *address,
201+ int addrlen)
202+ {
203+- return 0;
204++ return ccs_socket_bind(sock, address, addrlen);
205+ }
206+
207+ static inline int security_socket_connect(struct socket *sock,
208+ struct sockaddr *address,
209+ int addrlen)
210+ {
211+- return 0;
212++ return ccs_socket_connect(sock, address, addrlen);
213+ }
214+
215+ static inline int security_socket_listen(struct socket *sock, int backlog)
216+ {
217+- return 0;
218++ return ccs_socket_listen(sock, backlog);
219+ }
220+
221+ static inline int security_socket_accept(struct socket *sock,
222+@@ -1441,7 +1447,7 @@ static inline int security_socket_accept
223+ static inline int security_socket_sendmsg(struct socket *sock,
224+ struct msghdr *msg, int size)
225+ {
226+- return 0;
227++ return ccs_socket_sendmsg(sock, msg, size);
228+ }
229+
230+ static inline int security_socket_recvmsg(struct socket *sock,
231+@@ -1728,42 +1734,42 @@ int security_path_chroot(const struct pa
232+ #else /* CONFIG_SECURITY_PATH */
233+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
234+ {
235+- return 0;
236++ return ccs_path_unlink(dir, dentry);
237+ }
238+
239+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
240+ umode_t mode)
241+ {
242+- return 0;
243++ return ccs_path_mkdir(dir, dentry, mode);
244+ }
245+
246+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
247+ {
248+- return 0;
249++ return ccs_path_rmdir(dir, dentry);
250+ }
251+
252+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
253+ umode_t mode, unsigned int dev)
254+ {
255+- return 0;
256++ return ccs_path_mknod(dir, dentry, mode, dev);
257+ }
258+
259+ static inline int security_path_truncate(const struct path *path)
260+ {
261+- return 0;
262++ return ccs_path_truncate(path);
263+ }
264+
265+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
266+ const char *old_name)
267+ {
268+- return 0;
269++ return ccs_path_symlink(dir, dentry, old_name);
270+ }
271+
272+ static inline int security_path_link(struct dentry *old_dentry,
273+ const struct path *new_dir,
274+ struct dentry *new_dentry)
275+ {
276+- return 0;
277++ return ccs_path_link(old_dentry, new_dir, new_dentry);
278+ }
279+
280+ static inline int security_path_rename(const struct path *old_dir,
281+@@ -1772,22 +1778,32 @@ static inline int security_path_rename(c
282+ struct dentry *new_dentry,
283+ unsigned int flags)
284+ {
285+- return 0;
286++ /*
287++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
288++ * by doing "#include <uapi/linux/fs.h>" .
289++ */
290++ if (flags & (1 << 1)) {
291++ int err = ccs_path_rename(new_dir, new_dentry, old_dir,
292++ old_dentry);
293++ if (err)
294++ return err;
295++ }
296++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry);
297+ }
298+
299+ static inline int security_path_chmod(const struct path *path, umode_t mode)
300+ {
301+- return 0;
302++ return ccs_path_chmod(path, mode);
303+ }
304+
305+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
306+ {
307+- return 0;
308++ return ccs_path_chown(path, uid, gid);
309+ }
310+
311+ static inline int security_path_chroot(const struct path *path)
312+ {
313+- return 0;
314++ return ccs_path_chroot(path);
315+ }
316+ #endif /* CONFIG_SECURITY_PATH */
317+
318+--- linux-5.10-rc1.orig/include/net/ip.h
319++++ linux-5.10-rc1/include/net/ip.h
320+@@ -338,6 +338,8 @@ void inet_get_local_port_range(struct ne
321+ #ifdef CONFIG_SYSCTL
322+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
323+ {
324++ if (ccs_lport_reserved(port))
325++ return true;
326+ if (!net->ipv4.sysctl_local_reserved_ports)
327+ return false;
328+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
329+@@ -356,6 +358,8 @@ static inline bool inet_port_requires_bi
330+ #else
331+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
332+ {
333++ if (ccs_lport_reserved(port))
334++ return true;
335+ return false;
336+ }
337+
338+--- linux-5.10-rc1.orig/init/init_task.c
339++++ linux-5.10-rc1/init/init_task.c
340+@@ -212,6 +212,10 @@ struct task_struct init_task
341+ #ifdef CONFIG_SECCOMP
342+ .seccomp = { .filter_count = ATOMIC_INIT(0) },
343+ #endif
344++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
345++ .ccs_domain_info = NULL,
346++ .ccs_flags = 0,
347++#endif
348+ };
349+ EXPORT_SYMBOL(init_task);
350+
351+--- linux-5.10-rc1.orig/kernel/kexec.c
352++++ linux-5.10-rc1/kernel/kexec.c
353+@@ -16,7 +16,7 @@
354+ #include <linux/syscalls.h>
355+ #include <linux/vmalloc.h>
356+ #include <linux/slab.h>
357+-
358++#include <linux/ccsecurity.h>
359+ #include "kexec_internal.h"
360+
361+ static int copy_user_segment_list(struct kimage *image,
362+@@ -203,6 +203,8 @@ static inline int kexec_load_check(unsig
363+ /* We only trust the superuser with rebooting the system. */
364+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
365+ return -EPERM;
366++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
367++ return -EPERM;
368+
369+ /* Permit LSMs and IMA to fail the kexec */
370+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
371+--- linux-5.10-rc1.orig/kernel/module.c
372++++ linux-5.10-rc1/kernel/module.c
373+@@ -59,6 +59,7 @@
374+ #include <linux/audit.h>
375+ #include <uapi/linux/module.h>
376+ #include "module-internal.h"
377++#include <linux/ccsecurity.h>
378+
379+ #define CREATE_TRACE_POINTS
380+ #include <trace/events/module.h>
381+@@ -983,6 +984,8 @@ SYSCALL_DEFINE2(delete_module, const cha
382+
383+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
384+ return -EPERM;
385++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
386++ return -EPERM;
387+
388+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
389+ return -EFAULT;
390+@@ -3718,6 +3721,8 @@ static int may_init_module(void)
391+ {
392+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
393+ return -EPERM;
394++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
395++ return -EPERM;
396+
397+ return 0;
398+ }
399+--- linux-5.10-rc1.orig/kernel/ptrace.c
400++++ linux-5.10-rc1/kernel/ptrace.c
401+@@ -1244,6 +1244,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402+ {
403+ struct task_struct *child;
404+ long ret;
405++ {
406++ const int rc = ccs_ptrace_permission(request, pid);
407++ if (rc)
408++ return rc;
409++ }
410+
411+ if (request == PTRACE_TRACEME) {
412+ ret = ptrace_traceme();
413+@@ -1391,6 +1396,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
414+ {
415+ struct task_struct *child;
416+ long ret;
417++ {
418++ const int rc = ccs_ptrace_permission(request, pid);
419++ if (rc)
420++ return rc;
421++ }
422+
423+ if (request == PTRACE_TRACEME) {
424+ ret = ptrace_traceme();
425+--- linux-5.10-rc1.orig/kernel/reboot.c
426++++ linux-5.10-rc1/kernel/reboot.c
427+@@ -17,6 +17,7 @@
428+ #include <linux/syscalls.h>
429+ #include <linux/syscore_ops.h>
430+ #include <linux/uaccess.h>
431++#include <linux/ccsecurity.h>
432+
433+ /*
434+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
435+@@ -325,6 +326,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
436+ magic2 != LINUX_REBOOT_MAGIC2B &&
437+ magic2 != LINUX_REBOOT_MAGIC2C))
438+ return -EINVAL;
439++ if (!ccs_capable(CCS_SYS_REBOOT))
440++ return -EPERM;
441+
442+ /*
443+ * If pid namespaces are enabled and the current task is in a child
444+--- linux-5.10-rc1.orig/kernel/sched/core.c
445++++ linux-5.10-rc1/kernel/sched/core.c
446+@@ -5029,6 +5029,8 @@ int can_nice(const struct task_struct *p
447+ SYSCALL_DEFINE1(nice, int, increment)
448+ {
449+ long nice, retval;
450++ if (!ccs_capable(CCS_SYS_NICE))
451++ return -EPERM;
452+
453+ /*
454+ * Setpriority might change our priority at the same moment.
455+--- linux-5.10-rc1.orig/kernel/signal.c
456++++ linux-5.10-rc1/kernel/signal.c
457+@@ -3657,6 +3657,8 @@ static inline void prepare_kill_siginfo(
458+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459+ {
460+ struct kernel_siginfo info;
461++ if (ccs_kill_permission(pid, sig))
462++ return -EPERM;
463+
464+ prepare_kill_siginfo(sig, &info);
465+
466+@@ -3755,6 +3757,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
467+ if (!access_pidfd_pidns(pid))
468+ goto err;
469+
470++ {
471++ struct task_struct *task;
472++ int id = 0;
473++
474++ rcu_read_lock();
475++ task = pid_task(pid, PIDTYPE_PID);
476++ if (task)
477++ id = task_pid_vnr(task);
478++ rcu_read_unlock();
479++ if (task && ccs_kill_permission(id, sig)) {
480++ ret = -EPERM;
481++ goto err;
482++ }
483++ }
484++
485+ if (info) {
486+ ret = copy_siginfo_from_user_any(&kinfo, info);
487+ if (unlikely(ret))
488+@@ -3839,6 +3856,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
489+ /* This is only valid for single tasks */
490+ if (pid <= 0 || tgid <= 0)
491+ return -EINVAL;
492++ if (ccs_tgkill_permission(tgid, pid, sig))
493++ return -EPERM;
494+
495+ return do_tkill(tgid, pid, sig);
496+ }
497+@@ -3855,6 +3874,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
498+ /* This is only valid for single tasks */
499+ if (pid <= 0)
500+ return -EINVAL;
501++ if (ccs_tkill_permission(pid, sig))
502++ return -EPERM;
503+
504+ return do_tkill(0, pid, sig);
505+ }
506+@@ -3867,6 +3888,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
507+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
508+ (task_pid_vnr(current) != pid))
509+ return -EPERM;
510++ if (ccs_sigqueue_permission(pid, sig))
511++ return -EPERM;
512+
513+ /* POSIX.1b doesn't mention process groups. */
514+ return kill_proc_info(sig, info, pid);
515+@@ -3914,6 +3937,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
516+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
517+ (task_pid_vnr(current) != pid))
518+ return -EPERM;
519++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
520++ return -EPERM;
521+
522+ return do_send_specific(tgid, pid, sig, info);
523+ }
524+--- linux-5.10-rc1.orig/kernel/sys.c
525++++ linux-5.10-rc1/kernel/sys.c
526+@@ -205,6 +205,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527+
528+ if (which > PRIO_USER || which < PRIO_PROCESS)
529+ goto out;
530++ if (!ccs_capable(CCS_SYS_NICE)) {
531++ error = -EPERM;
532++ goto out;
533++ }
534+
535+ /* normalize: avoid signed division (rounding problems) */
536+ error = -ESRCH;
537+@@ -1328,6 +1332,8 @@ SYSCALL_DEFINE2(sethostname, char __user
538+
539+ if (len < 0 || len > __NEW_UTS_LEN)
540+ return -EINVAL;
541++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
542++ return -EPERM;
543+ errno = -EFAULT;
544+ if (!copy_from_user(tmp, name, len)) {
545+ struct new_utsname *u;
546+@@ -1380,6 +1386,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
547+ return -EPERM;
548+ if (len < 0 || len > __NEW_UTS_LEN)
549+ return -EINVAL;
550++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
551++ return -EPERM;
552+
553+ errno = -EFAULT;
554+ if (!copy_from_user(tmp, name, len)) {
555+--- linux-5.10-rc1.orig/kernel/time/timekeeping.c
556++++ linux-5.10-rc1/kernel/time/timekeeping.c
557+@@ -22,6 +22,7 @@
558+ #include <linux/pvclock_gtod.h>
559+ #include <linux/compiler.h>
560+ #include <linux/audit.h>
561++#include <linux/ccsecurity.h>
562+
563+ #include "tick-internal.h"
564+ #include "ntp_internal.h"
565+@@ -2326,10 +2327,15 @@ static int timekeeping_validate_timex(co
566+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567+ !capable(CAP_SYS_TIME))
568+ return -EPERM;
569++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
570++ !ccs_capable(CCS_SYS_SETTIME))
571++ return -EPERM;
572+ } else {
573+ /* In order to modify anything, you gotta be super-user! */
574+ if (txc->modes && !capable(CAP_SYS_TIME))
575+ return -EPERM;
576++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
577++ return -EPERM;
578+ /*
579+ * if the quartz is off by more than 10% then
580+ * something is VERY wrong!
581+@@ -2344,6 +2350,8 @@ static int timekeeping_validate_timex(co
582+ /* In order to inject time, you gotta be super-user! */
583+ if (!capable(CAP_SYS_TIME))
584+ return -EPERM;
585++ if (!ccs_capable(CCS_SYS_SETTIME))
586++ return -EPERM;
587+
588+ /*
589+ * Validate if a timespec/timeval used to inject a time
590+--- linux-5.10-rc1.orig/net/ipv4/raw.c
591++++ linux-5.10-rc1/net/ipv4/raw.c
592+@@ -768,6 +768,10 @@ static int raw_recvmsg(struct sock *sk,
593+ skb = skb_recv_datagram(sk, flags, noblock, &err);
594+ if (!skb)
595+ goto out;
596++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
597++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
598++ goto out;
599++ }
600+
601+ copied = skb->len;
602+ if (len < copied) {
603+--- linux-5.10-rc1.orig/net/ipv4/udp.c
604++++ linux-5.10-rc1/net/ipv4/udp.c
605+@@ -1801,6 +1801,8 @@ try_again:
606+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607+ if (!skb)
608+ return err;
609++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
610++ return -EAGAIN; /* Hope less harmful than -EPERM. */
611+
612+ ulen = udp_skb_len(skb);
613+ copied = len;
614+--- linux-5.10-rc1.orig/net/ipv6/raw.c
615++++ linux-5.10-rc1/net/ipv6/raw.c
616+@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617+ skb = skb_recv_datagram(sk, flags, noblock, &err);
618+ if (!skb)
619+ goto out;
620++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
621++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
622++ goto out;
623++ }
624+
625+ copied = skb->len;
626+ if (copied > len) {
627+--- linux-5.10-rc1.orig/net/ipv6/udp.c
628++++ linux-5.10-rc1/net/ipv6/udp.c
629+@@ -343,6 +343,8 @@ try_again:
630+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631+ if (!skb)
632+ return err;
633++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
634++ return -EAGAIN; /* Hope less harmful than -EPERM. */
635+
636+ ulen = udp6_skb_len(skb);
637+ copied = len;
638+--- linux-5.10-rc1.orig/net/socket.c
639++++ linux-5.10-rc1/net/socket.c
640+@@ -1755,6 +1755,10 @@ int __sys_accept4_file(struct file *file
641+ if (err < 0)
642+ goto out_fd;
643+
644++ if (ccs_socket_post_accept_permission(sock, newsock)) {
645++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
646++ goto out_fd;
647++ }
648+ if (upeer_sockaddr) {
649+ len = newsock->ops->getname(newsock,
650+ (struct sockaddr *)&address, 2);
651+--- linux-5.10-rc1.orig/net/unix/af_unix.c
652++++ linux-5.10-rc1/net/unix/af_unix.c
653+@@ -2127,6 +2127,10 @@ static int unix_dgram_recvmsg(struct soc
654+ EPOLLOUT | EPOLLWRNORM |
655+ EPOLLWRBAND);
656+
657++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
658++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
659++ goto out_unlock;
660++ }
661+ if (msg->msg_name)
662+ unix_copy_addr(msg, skb->sk);
663+
664+@@ -2177,6 +2181,7 @@ static int unix_dgram_recvmsg(struct soc
665+
666+ out_free:
667+ skb_free_datagram(sk, skb);
668++out_unlock:
669+ mutex_unlock(&u->iolock);
670+ out:
671+ return err;
672+--- linux-5.10-rc1.orig/security/Kconfig
673++++ linux-5.10-rc1/security/Kconfig
674+@@ -291,5 +291,7 @@ config LSM
675+
676+ source "security/Kconfig.hardening"
677+
678++source "security/ccsecurity/Kconfig"
679++
680+ endmenu
681+
682+--- linux-5.10-rc1.orig/security/Makefile
683++++ linux-5.10-rc1/security/Makefile
684+@@ -36,3 +36,6 @@ obj-$(CONFIG_BPF_LSM) += bpf/
685+ # Object integrity file lists
686+ subdir-$(CONFIG_INTEGRITY) += integrity
687+ obj-$(CONFIG_INTEGRITY) += integrity/
688++
689++subdir-$(CONFIG_CCSECURITY) += ccsecurity
690++obj-$(CONFIG_CCSECURITY) += ccsecurity/
691+--- linux-5.10-rc1.orig/security/security.c
692++++ linux-5.10-rc1/security/security.c
693+@@ -1585,7 +1585,9 @@ int security_task_alloc(struct task_stru
694+
695+ if (rc)
696+ return rc;
697+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
698++ rc = ccs_alloc_task_security(task);
699++ if (likely(!rc))
700++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
701+ if (unlikely(rc))
702+ security_task_free(task);
703+ return rc;
704+@@ -1594,6 +1596,7 @@ int security_task_alloc(struct task_stru
705+ void security_task_free(struct task_struct *task)
706+ {
707+ call_void_hook(task_free, task);
708++ ccs_free_task_security(task);
709+
710+ kfree(task->security);
711+ task->security = NULL;
Afficher sur ancien navigateur de dépôt.