(empty log message)
@@ -0,0 +1,711 @@ | ||
1 | +This is TOMOYO Linux patch for kernel 5.10-rc1. | |
2 | + | |
3 | +Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.10-rc1.tar.gz | |
4 | +--- | |
5 | + fs/exec.c | 2 - | |
6 | + fs/open.c | 2 + | |
7 | + fs/proc/version.c | 7 ++++ | |
8 | + include/linux/sched.h | 5 +++ | |
9 | + include/linux/security.h | 70 ++++++++++++++++++++++++++++------------------ | |
10 | + include/net/ip.h | 4 ++ | |
11 | + init/init_task.c | 4 ++ | |
12 | + kernel/kexec.c | 4 +- | |
13 | + kernel/module.c | 5 +++ | |
14 | + kernel/ptrace.c | 10 ++++++ | |
15 | + kernel/reboot.c | 3 + | |
16 | + kernel/sched/core.c | 2 + | |
17 | + kernel/signal.c | 25 ++++++++++++++++ | |
18 | + kernel/sys.c | 8 +++++ | |
19 | + kernel/time/timekeeping.c | 8 +++++ | |
20 | + net/ipv4/raw.c | 4 ++ | |
21 | + net/ipv4/udp.c | 2 + | |
22 | + net/ipv6/raw.c | 4 ++ | |
23 | + net/ipv6/udp.c | 2 + | |
24 | + net/socket.c | 4 ++ | |
25 | + net/unix/af_unix.c | 5 +++ | |
26 | + security/Kconfig | 2 + | |
27 | + security/Makefile | 3 + | |
28 | + security/security.c | 5 ++- | |
29 | + 24 files changed, 160 insertions(+), 30 deletions(-) | |
30 | + | |
31 | +--- linux-5.10-rc1.orig/fs/exec.c | |
32 | ++++ linux-5.10-rc1/fs/exec.c | |
33 | +@@ -1817,7 +1817,7 @@ static int bprm_execve(struct linux_binp | |
34 | + if (retval) | |
35 | + goto out; | |
36 | + | |
37 | +- retval = exec_binprm(bprm); | |
38 | ++ retval = ccs_exec_binprm(bprm); | |
39 | + if (retval < 0) | |
40 | + goto out; | |
41 | + | |
42 | +--- linux-5.10-rc1.orig/fs/open.c | |
43 | ++++ linux-5.10-rc1/fs/open.c | |
44 | +@@ -1327,6 +1327,8 @@ SYSCALL_DEFINE3(close_range, unsigned in | |
45 | + */ | |
46 | + SYSCALL_DEFINE0(vhangup) | |
47 | + { | |
48 | ++ if (!ccs_capable(CCS_SYS_VHANGUP)) | |
49 | ++ return -EPERM; | |
50 | + if (capable(CAP_SYS_TTY_CONFIG)) { | |
51 | + tty_vhangup_self(); | |
52 | + return 0; | |
53 | +--- linux-5.10-rc1.orig/fs/proc/version.c | |
54 | ++++ linux-5.10-rc1/fs/proc/version.c | |
55 | +@@ -21,3 +21,10 @@ static int __init proc_version_init(void | |
56 | + return 0; | |
57 | + } | |
58 | + fs_initcall(proc_version_init); | |
59 | ++ | |
60 | ++static int __init ccs_show_version(void) | |
61 | ++{ | |
62 | ++ printk(KERN_INFO "Hook version: 5.10-rc1 2020/10/26\n"); | |
63 | ++ return 0; | |
64 | ++} | |
65 | ++fs_initcall(ccs_show_version); | |
66 | +--- linux-5.10-rc1.orig/include/linux/sched.h | |
67 | ++++ linux-5.10-rc1/include/linux/sched.h | |
68 | +@@ -41,6 +41,7 @@ struct backing_dev_info; | |
69 | + struct bio_list; | |
70 | + struct blk_plug; | |
71 | + struct capture_control; | |
72 | ++struct ccs_domain_info; | |
73 | + struct cfs_rq; | |
74 | + struct fs_struct; | |
75 | + struct futex_pi_state; | |
76 | +@@ -1310,6 +1311,10 @@ struct task_struct { | |
77 | + /* Used by LSM modules for access restriction: */ | |
78 | + void *security; | |
79 | + #endif | |
80 | ++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY) | |
81 | ++ struct ccs_domain_info *ccs_domain_info; | |
82 | ++ u32 ccs_flags; | |
83 | ++#endif | |
84 | + | |
85 | + #ifdef CONFIG_GCC_PLUGIN_STACKLEAK | |
86 | + unsigned long lowest_stack; | |
87 | +--- linux-5.10-rc1.orig/include/linux/security.h | |
88 | ++++ linux-5.10-rc1/include/linux/security.h | |
89 | +@@ -59,6 +59,7 @@ struct fs_parameter; | |
90 | + enum fs_value_type; | |
91 | + struct watch; | |
92 | + struct watch_notification; | |
93 | ++#include <linux/ccsecurity.h> | |
94 | + | |
95 | + /* Default (no) options for the capable function */ | |
96 | + #define CAP_OPT_NONE 0x0 | |
97 | +@@ -571,7 +572,10 @@ static inline int security_syslog(int ty | |
98 | + static inline int security_settime64(const struct timespec64 *ts, | |
99 | + const struct timezone *tz) | |
100 | + { | |
101 | +- return cap_settime(ts, tz); | |
102 | ++ int error = cap_settime(ts, tz); | |
103 | ++ if (!error) | |
104 | ++ error = ccs_settime(ts, tz); | |
105 | ++ return error; | |
106 | + } | |
107 | + | |
108 | + static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) | |
109 | +@@ -654,18 +658,18 @@ static inline int security_sb_mount(cons | |
110 | + const char *type, unsigned long flags, | |
111 | + void *data) | |
112 | + { | |
113 | +- return 0; | |
114 | ++ return ccs_sb_mount(dev_name, path, type, flags, data); | |
115 | + } | |
116 | + | |
117 | + static inline int security_sb_umount(struct vfsmount *mnt, int flags) | |
118 | + { | |
119 | +- return 0; | |
120 | ++ return ccs_sb_umount(mnt, flags); | |
121 | + } | |
122 | + | |
123 | + static inline int security_sb_pivotroot(const struct path *old_path, | |
124 | + const struct path *new_path) | |
125 | + { | |
126 | +- return 0; | |
127 | ++ return ccs_sb_pivotroot(old_path, new_path); | |
128 | + } | |
129 | + | |
130 | + static inline int security_sb_set_mnt_opts(struct super_block *sb, | |
131 | +@@ -693,7 +697,7 @@ static inline int security_add_mnt_opt(c | |
132 | + static inline int security_move_mount(const struct path *from_path, | |
133 | + const struct path *to_path) | |
134 | + { | |
135 | +- return 0; | |
136 | ++ return ccs_move_mount_permission(from_path, to_path); | |
137 | + } | |
138 | + | |
139 | + static inline int security_path_notify(const struct path *path, u64 mask, | |
140 | +@@ -827,7 +831,7 @@ static inline int security_inode_setattr | |
141 | + | |
142 | + static inline int security_inode_getattr(const struct path *path) | |
143 | + { | |
144 | +- return 0; | |
145 | ++ return ccs_inode_getattr(path); | |
146 | + } | |
147 | + | |
148 | + static inline int security_inode_setxattr(struct dentry *dentry, | |
149 | +@@ -919,7 +923,7 @@ static inline void security_file_free(st | |
150 | + static inline int security_file_ioctl(struct file *file, unsigned int cmd, | |
151 | + unsigned long arg) | |
152 | + { | |
153 | +- return 0; | |
154 | ++ return ccs_file_ioctl(file, cmd, arg); | |
155 | + } | |
156 | + | |
157 | + static inline int security_mmap_file(struct file *file, unsigned long prot, | |
158 | +@@ -948,7 +952,7 @@ static inline int security_file_lock(str | |
159 | + static inline int security_file_fcntl(struct file *file, unsigned int cmd, | |
160 | + unsigned long arg) | |
161 | + { | |
162 | +- return 0; | |
163 | ++ return ccs_file_fcntl(file, cmd, arg); | |
164 | + } | |
165 | + | |
166 | + static inline void security_file_set_fowner(struct file *file) | |
167 | +@@ -970,17 +974,19 @@ static inline int security_file_receive( | |
168 | + | |
169 | + static inline int security_file_open(struct file *file) | |
170 | + { | |
171 | +- return 0; | |
172 | ++ return ccs_file_open(file); | |
173 | + } | |
174 | + | |
175 | + static inline int security_task_alloc(struct task_struct *task, | |
176 | + unsigned long clone_flags) | |
177 | + { | |
178 | +- return 0; | |
179 | ++ return ccs_alloc_task_security(task); | |
180 | + } | |
181 | + | |
182 | + static inline void security_task_free(struct task_struct *task) | |
183 | +-{ } | |
184 | ++{ | |
185 | ++ ccs_free_task_security(task); | |
186 | ++} | |
187 | + | |
188 | + static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) | |
189 | + { | |
190 | +@@ -1396,7 +1402,7 @@ static inline int security_unix_may_send | |
191 | + static inline int security_socket_create(int family, int type, | |
192 | + int protocol, int kern) | |
193 | + { | |
194 | +- return 0; | |
195 | ++ return ccs_socket_create(family, type, protocol, kern); | |
196 | + } | |
197 | + | |
198 | + static inline int security_socket_post_create(struct socket *sock, | |
199 | +@@ -1417,19 +1423,19 @@ static inline int security_socket_bind(s | |
200 | + struct sockaddr *address, | |
201 | + int addrlen) | |
202 | + { | |
203 | +- return 0; | |
204 | ++ return ccs_socket_bind(sock, address, addrlen); | |
205 | + } | |
206 | + | |
207 | + static inline int security_socket_connect(struct socket *sock, | |
208 | + struct sockaddr *address, | |
209 | + int addrlen) | |
210 | + { | |
211 | +- return 0; | |
212 | ++ return ccs_socket_connect(sock, address, addrlen); | |
213 | + } | |
214 | + | |
215 | + static inline int security_socket_listen(struct socket *sock, int backlog) | |
216 | + { | |
217 | +- return 0; | |
218 | ++ return ccs_socket_listen(sock, backlog); | |
219 | + } | |
220 | + | |
221 | + static inline int security_socket_accept(struct socket *sock, | |
222 | +@@ -1441,7 +1447,7 @@ static inline int security_socket_accept | |
223 | + static inline int security_socket_sendmsg(struct socket *sock, | |
224 | + struct msghdr *msg, int size) | |
225 | + { | |
226 | +- return 0; | |
227 | ++ return ccs_socket_sendmsg(sock, msg, size); | |
228 | + } | |
229 | + | |
230 | + static inline int security_socket_recvmsg(struct socket *sock, | |
231 | +@@ -1728,42 +1734,42 @@ int security_path_chroot(const struct pa | |
232 | + #else /* CONFIG_SECURITY_PATH */ | |
233 | + static inline int security_path_unlink(const struct path *dir, struct dentry *dentry) | |
234 | + { | |
235 | +- return 0; | |
236 | ++ return ccs_path_unlink(dir, dentry); | |
237 | + } | |
238 | + | |
239 | + static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry, | |
240 | + umode_t mode) | |
241 | + { | |
242 | +- return 0; | |
243 | ++ return ccs_path_mkdir(dir, dentry, mode); | |
244 | + } | |
245 | + | |
246 | + static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry) | |
247 | + { | |
248 | +- return 0; | |
249 | ++ return ccs_path_rmdir(dir, dentry); | |
250 | + } | |
251 | + | |
252 | + static inline int security_path_mknod(const struct path *dir, struct dentry *dentry, | |
253 | + umode_t mode, unsigned int dev) | |
254 | + { | |
255 | +- return 0; | |
256 | ++ return ccs_path_mknod(dir, dentry, mode, dev); | |
257 | + } | |
258 | + | |
259 | + static inline int security_path_truncate(const struct path *path) | |
260 | + { | |
261 | +- return 0; | |
262 | ++ return ccs_path_truncate(path); | |
263 | + } | |
264 | + | |
265 | + static inline int security_path_symlink(const struct path *dir, struct dentry *dentry, | |
266 | + const char *old_name) | |
267 | + { | |
268 | +- return 0; | |
269 | ++ return ccs_path_symlink(dir, dentry, old_name); | |
270 | + } | |
271 | + | |
272 | + static inline int security_path_link(struct dentry *old_dentry, | |
273 | + const struct path *new_dir, | |
274 | + struct dentry *new_dentry) | |
275 | + { | |
276 | +- return 0; | |
277 | ++ return ccs_path_link(old_dentry, new_dir, new_dentry); | |
278 | + } | |
279 | + | |
280 | + static inline int security_path_rename(const struct path *old_dir, | |
281 | +@@ -1772,22 +1778,32 @@ static inline int security_path_rename(c | |
282 | + struct dentry *new_dentry, | |
283 | + unsigned int flags) | |
284 | + { | |
285 | +- return 0; | |
286 | ++ /* | |
287 | ++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage | |
288 | ++ * by doing "#include <uapi/linux/fs.h>" . | |
289 | ++ */ | |
290 | ++ if (flags & (1 << 1)) { | |
291 | ++ int err = ccs_path_rename(new_dir, new_dentry, old_dir, | |
292 | ++ old_dentry); | |
293 | ++ if (err) | |
294 | ++ return err; | |
295 | ++ } | |
296 | ++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry); | |
297 | + } | |
298 | + | |
299 | + static inline int security_path_chmod(const struct path *path, umode_t mode) | |
300 | + { | |
301 | +- return 0; | |
302 | ++ return ccs_path_chmod(path, mode); | |
303 | + } | |
304 | + | |
305 | + static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) | |
306 | + { | |
307 | +- return 0; | |
308 | ++ return ccs_path_chown(path, uid, gid); | |
309 | + } | |
310 | + | |
311 | + static inline int security_path_chroot(const struct path *path) | |
312 | + { | |
313 | +- return 0; | |
314 | ++ return ccs_path_chroot(path); | |
315 | + } | |
316 | + #endif /* CONFIG_SECURITY_PATH */ | |
317 | + | |
318 | +--- linux-5.10-rc1.orig/include/net/ip.h | |
319 | ++++ linux-5.10-rc1/include/net/ip.h | |
320 | +@@ -338,6 +338,8 @@ void inet_get_local_port_range(struct ne | |
321 | + #ifdef CONFIG_SYSCTL | |
322 | + static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port) | |
323 | + { | |
324 | ++ if (ccs_lport_reserved(port)) | |
325 | ++ return true; | |
326 | + if (!net->ipv4.sysctl_local_reserved_ports) | |
327 | + return false; | |
328 | + return test_bit(port, net->ipv4.sysctl_local_reserved_ports); | |
329 | +@@ -356,6 +358,8 @@ static inline bool inet_port_requires_bi | |
330 | + #else | |
331 | + static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port) | |
332 | + { | |
333 | ++ if (ccs_lport_reserved(port)) | |
334 | ++ return true; | |
335 | + return false; | |
336 | + } | |
337 | + | |
338 | +--- linux-5.10-rc1.orig/init/init_task.c | |
339 | ++++ linux-5.10-rc1/init/init_task.c | |
340 | +@@ -212,6 +212,10 @@ struct task_struct init_task | |
341 | + #ifdef CONFIG_SECCOMP | |
342 | + .seccomp = { .filter_count = ATOMIC_INIT(0) }, | |
343 | + #endif | |
344 | ++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY) | |
345 | ++ .ccs_domain_info = NULL, | |
346 | ++ .ccs_flags = 0, | |
347 | ++#endif | |
348 | + }; | |
349 | + EXPORT_SYMBOL(init_task); | |
350 | + | |
351 | +--- linux-5.10-rc1.orig/kernel/kexec.c | |
352 | ++++ linux-5.10-rc1/kernel/kexec.c | |
353 | +@@ -16,7 +16,7 @@ | |
354 | + #include <linux/syscalls.h> | |
355 | + #include <linux/vmalloc.h> | |
356 | + #include <linux/slab.h> | |
357 | +- | |
358 | ++#include <linux/ccsecurity.h> | |
359 | + #include "kexec_internal.h" | |
360 | + | |
361 | + static int copy_user_segment_list(struct kimage *image, | |
362 | +@@ -203,6 +203,8 @@ static inline int kexec_load_check(unsig | |
363 | + /* We only trust the superuser with rebooting the system. */ | |
364 | + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) | |
365 | + return -EPERM; | |
366 | ++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD)) | |
367 | ++ return -EPERM; | |
368 | + | |
369 | + /* Permit LSMs and IMA to fail the kexec */ | |
370 | + result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false); | |
371 | +--- linux-5.10-rc1.orig/kernel/module.c | |
372 | ++++ linux-5.10-rc1/kernel/module.c | |
373 | +@@ -59,6 +59,7 @@ | |
374 | + #include <linux/audit.h> | |
375 | + #include <uapi/linux/module.h> | |
376 | + #include "module-internal.h" | |
377 | ++#include <linux/ccsecurity.h> | |
378 | + | |
379 | + #define CREATE_TRACE_POINTS | |
380 | + #include <trace/events/module.h> | |
381 | +@@ -983,6 +984,8 @@ SYSCALL_DEFINE2(delete_module, const cha | |
382 | + | |
383 | + if (!capable(CAP_SYS_MODULE) || modules_disabled) | |
384 | + return -EPERM; | |
385 | ++ if (!ccs_capable(CCS_USE_KERNEL_MODULE)) | |
386 | ++ return -EPERM; | |
387 | + | |
388 | + if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) | |
389 | + return -EFAULT; | |
390 | +@@ -3718,6 +3721,8 @@ static int may_init_module(void) | |
391 | + { | |
392 | + if (!capable(CAP_SYS_MODULE) || modules_disabled) | |
393 | + return -EPERM; | |
394 | ++ if (!ccs_capable(CCS_USE_KERNEL_MODULE)) | |
395 | ++ return -EPERM; | |
396 | + | |
397 | + return 0; | |
398 | + } | |
399 | +--- linux-5.10-rc1.orig/kernel/ptrace.c | |
400 | ++++ linux-5.10-rc1/kernel/ptrace.c | |
401 | +@@ -1244,6 +1244,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l | |
402 | + { | |
403 | + struct task_struct *child; | |
404 | + long ret; | |
405 | ++ { | |
406 | ++ const int rc = ccs_ptrace_permission(request, pid); | |
407 | ++ if (rc) | |
408 | ++ return rc; | |
409 | ++ } | |
410 | + | |
411 | + if (request == PTRACE_TRACEME) { | |
412 | + ret = ptrace_traceme(); | |
413 | +@@ -1391,6 +1396,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo | |
414 | + { | |
415 | + struct task_struct *child; | |
416 | + long ret; | |
417 | ++ { | |
418 | ++ const int rc = ccs_ptrace_permission(request, pid); | |
419 | ++ if (rc) | |
420 | ++ return rc; | |
421 | ++ } | |
422 | + | |
423 | + if (request == PTRACE_TRACEME) { | |
424 | + ret = ptrace_traceme(); | |
425 | +--- linux-5.10-rc1.orig/kernel/reboot.c | |
426 | ++++ linux-5.10-rc1/kernel/reboot.c | |
427 | +@@ -17,6 +17,7 @@ | |
428 | + #include <linux/syscalls.h> | |
429 | + #include <linux/syscore_ops.h> | |
430 | + #include <linux/uaccess.h> | |
431 | ++#include <linux/ccsecurity.h> | |
432 | + | |
433 | + /* | |
434 | + * this indicates whether you can reboot with ctrl-alt-del: the default is yes | |
435 | +@@ -325,6 +326,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int | |
436 | + magic2 != LINUX_REBOOT_MAGIC2B && | |
437 | + magic2 != LINUX_REBOOT_MAGIC2C)) | |
438 | + return -EINVAL; | |
439 | ++ if (!ccs_capable(CCS_SYS_REBOOT)) | |
440 | ++ return -EPERM; | |
441 | + | |
442 | + /* | |
443 | + * If pid namespaces are enabled and the current task is in a child | |
444 | +--- linux-5.10-rc1.orig/kernel/sched/core.c | |
445 | ++++ linux-5.10-rc1/kernel/sched/core.c | |
446 | +@@ -5029,6 +5029,8 @@ int can_nice(const struct task_struct *p | |
447 | + SYSCALL_DEFINE1(nice, int, increment) | |
448 | + { | |
449 | + long nice, retval; | |
450 | ++ if (!ccs_capable(CCS_SYS_NICE)) | |
451 | ++ return -EPERM; | |
452 | + | |
453 | + /* | |
454 | + * Setpriority might change our priority at the same moment. | |
455 | +--- linux-5.10-rc1.orig/kernel/signal.c | |
456 | ++++ linux-5.10-rc1/kernel/signal.c | |
457 | +@@ -3657,6 +3657,8 @@ static inline void prepare_kill_siginfo( | |
458 | + SYSCALL_DEFINE2(kill, pid_t, pid, int, sig) | |
459 | + { | |
460 | + struct kernel_siginfo info; | |
461 | ++ if (ccs_kill_permission(pid, sig)) | |
462 | ++ return -EPERM; | |
463 | + | |
464 | + prepare_kill_siginfo(sig, &info); | |
465 | + | |
466 | +@@ -3755,6 +3757,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int, | |
467 | + if (!access_pidfd_pidns(pid)) | |
468 | + goto err; | |
469 | + | |
470 | ++ { | |
471 | ++ struct task_struct *task; | |
472 | ++ int id = 0; | |
473 | ++ | |
474 | ++ rcu_read_lock(); | |
475 | ++ task = pid_task(pid, PIDTYPE_PID); | |
476 | ++ if (task) | |
477 | ++ id = task_pid_vnr(task); | |
478 | ++ rcu_read_unlock(); | |
479 | ++ if (task && ccs_kill_permission(id, sig)) { | |
480 | ++ ret = -EPERM; | |
481 | ++ goto err; | |
482 | ++ } | |
483 | ++ } | |
484 | ++ | |
485 | + if (info) { | |
486 | + ret = copy_siginfo_from_user_any(&kinfo, info); | |
487 | + if (unlikely(ret)) | |
488 | +@@ -3839,6 +3856,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid | |
489 | + /* This is only valid for single tasks */ | |
490 | + if (pid <= 0 || tgid <= 0) | |
491 | + return -EINVAL; | |
492 | ++ if (ccs_tgkill_permission(tgid, pid, sig)) | |
493 | ++ return -EPERM; | |
494 | + | |
495 | + return do_tkill(tgid, pid, sig); | |
496 | + } | |
497 | +@@ -3855,6 +3874,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int, | |
498 | + /* This is only valid for single tasks */ | |
499 | + if (pid <= 0) | |
500 | + return -EINVAL; | |
501 | ++ if (ccs_tkill_permission(pid, sig)) | |
502 | ++ return -EPERM; | |
503 | + | |
504 | + return do_tkill(0, pid, sig); | |
505 | + } | |
506 | +@@ -3867,6 +3888,8 @@ static int do_rt_sigqueueinfo(pid_t pid, | |
507 | + if ((info->si_code >= 0 || info->si_code == SI_TKILL) && | |
508 | + (task_pid_vnr(current) != pid)) | |
509 | + return -EPERM; | |
510 | ++ if (ccs_sigqueue_permission(pid, sig)) | |
511 | ++ return -EPERM; | |
512 | + | |
513 | + /* POSIX.1b doesn't mention process groups. */ | |
514 | + return kill_proc_info(sig, info, pid); | |
515 | +@@ -3914,6 +3937,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg | |
516 | + if ((info->si_code >= 0 || info->si_code == SI_TKILL) && | |
517 | + (task_pid_vnr(current) != pid)) | |
518 | + return -EPERM; | |
519 | ++ if (ccs_tgsigqueue_permission(tgid, pid, sig)) | |
520 | ++ return -EPERM; | |
521 | + | |
522 | + return do_send_specific(tgid, pid, sig, info); | |
523 | + } | |
524 | +--- linux-5.10-rc1.orig/kernel/sys.c | |
525 | ++++ linux-5.10-rc1/kernel/sys.c | |
526 | +@@ -205,6 +205,10 @@ SYSCALL_DEFINE3(setpriority, int, which, | |
527 | + | |
528 | + if (which > PRIO_USER || which < PRIO_PROCESS) | |
529 | + goto out; | |
530 | ++ if (!ccs_capable(CCS_SYS_NICE)) { | |
531 | ++ error = -EPERM; | |
532 | ++ goto out; | |
533 | ++ } | |
534 | + | |
535 | + /* normalize: avoid signed division (rounding problems) */ | |
536 | + error = -ESRCH; | |
537 | +@@ -1328,6 +1332,8 @@ SYSCALL_DEFINE2(sethostname, char __user | |
538 | + | |
539 | + if (len < 0 || len > __NEW_UTS_LEN) | |
540 | + return -EINVAL; | |
541 | ++ if (!ccs_capable(CCS_SYS_SETHOSTNAME)) | |
542 | ++ return -EPERM; | |
543 | + errno = -EFAULT; | |
544 | + if (!copy_from_user(tmp, name, len)) { | |
545 | + struct new_utsname *u; | |
546 | +@@ -1380,6 +1386,8 @@ SYSCALL_DEFINE2(setdomainname, char __us | |
547 | + return -EPERM; | |
548 | + if (len < 0 || len > __NEW_UTS_LEN) | |
549 | + return -EINVAL; | |
550 | ++ if (!ccs_capable(CCS_SYS_SETHOSTNAME)) | |
551 | ++ return -EPERM; | |
552 | + | |
553 | + errno = -EFAULT; | |
554 | + if (!copy_from_user(tmp, name, len)) { | |
555 | +--- linux-5.10-rc1.orig/kernel/time/timekeeping.c | |
556 | ++++ linux-5.10-rc1/kernel/time/timekeeping.c | |
557 | +@@ -22,6 +22,7 @@ | |
558 | + #include <linux/pvclock_gtod.h> | |
559 | + #include <linux/compiler.h> | |
560 | + #include <linux/audit.h> | |
561 | ++#include <linux/ccsecurity.h> | |
562 | + | |
563 | + #include "tick-internal.h" | |
564 | + #include "ntp_internal.h" | |
565 | +@@ -2326,10 +2327,15 @@ static int timekeeping_validate_timex(co | |
566 | + if (!(txc->modes & ADJ_OFFSET_READONLY) && | |
567 | + !capable(CAP_SYS_TIME)) | |
568 | + return -EPERM; | |
569 | ++ if (!(txc->modes & ADJ_OFFSET_READONLY) && | |
570 | ++ !ccs_capable(CCS_SYS_SETTIME)) | |
571 | ++ return -EPERM; | |
572 | + } else { | |
573 | + /* In order to modify anything, you gotta be super-user! */ | |
574 | + if (txc->modes && !capable(CAP_SYS_TIME)) | |
575 | + return -EPERM; | |
576 | ++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME)) | |
577 | ++ return -EPERM; | |
578 | + /* | |
579 | + * if the quartz is off by more than 10% then | |
580 | + * something is VERY wrong! | |
581 | +@@ -2344,6 +2350,8 @@ static int timekeeping_validate_timex(co | |
582 | + /* In order to inject time, you gotta be super-user! */ | |
583 | + if (!capable(CAP_SYS_TIME)) | |
584 | + return -EPERM; | |
585 | ++ if (!ccs_capable(CCS_SYS_SETTIME)) | |
586 | ++ return -EPERM; | |
587 | + | |
588 | + /* | |
589 | + * Validate if a timespec/timeval used to inject a time | |
590 | +--- linux-5.10-rc1.orig/net/ipv4/raw.c | |
591 | ++++ linux-5.10-rc1/net/ipv4/raw.c | |
592 | +@@ -768,6 +768,10 @@ static int raw_recvmsg(struct sock *sk, | |
593 | + skb = skb_recv_datagram(sk, flags, noblock, &err); | |
594 | + if (!skb) | |
595 | + goto out; | |
596 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
597 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
598 | ++ goto out; | |
599 | ++ } | |
600 | + | |
601 | + copied = skb->len; | |
602 | + if (len < copied) { | |
603 | +--- linux-5.10-rc1.orig/net/ipv4/udp.c | |
604 | ++++ linux-5.10-rc1/net/ipv4/udp.c | |
605 | +@@ -1801,6 +1801,8 @@ try_again: | |
606 | + skb = __skb_recv_udp(sk, flags, noblock, &off, &err); | |
607 | + if (!skb) | |
608 | + return err; | |
609 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) | |
610 | ++ return -EAGAIN; /* Hope less harmful than -EPERM. */ | |
611 | + | |
612 | + ulen = udp_skb_len(skb); | |
613 | + copied = len; | |
614 | +--- linux-5.10-rc1.orig/net/ipv6/raw.c | |
615 | ++++ linux-5.10-rc1/net/ipv6/raw.c | |
616 | +@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk | |
617 | + skb = skb_recv_datagram(sk, flags, noblock, &err); | |
618 | + if (!skb) | |
619 | + goto out; | |
620 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
621 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
622 | ++ goto out; | |
623 | ++ } | |
624 | + | |
625 | + copied = skb->len; | |
626 | + if (copied > len) { | |
627 | +--- linux-5.10-rc1.orig/net/ipv6/udp.c | |
628 | ++++ linux-5.10-rc1/net/ipv6/udp.c | |
629 | +@@ -343,6 +343,8 @@ try_again: | |
630 | + skb = __skb_recv_udp(sk, flags, noblock, &off, &err); | |
631 | + if (!skb) | |
632 | + return err; | |
633 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) | |
634 | ++ return -EAGAIN; /* Hope less harmful than -EPERM. */ | |
635 | + | |
636 | + ulen = udp6_skb_len(skb); | |
637 | + copied = len; | |
638 | +--- linux-5.10-rc1.orig/net/socket.c | |
639 | ++++ linux-5.10-rc1/net/socket.c | |
640 | +@@ -1755,6 +1755,10 @@ int __sys_accept4_file(struct file *file | |
641 | + if (err < 0) | |
642 | + goto out_fd; | |
643 | + | |
644 | ++ if (ccs_socket_post_accept_permission(sock, newsock)) { | |
645 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
646 | ++ goto out_fd; | |
647 | ++ } | |
648 | + if (upeer_sockaddr) { | |
649 | + len = newsock->ops->getname(newsock, | |
650 | + (struct sockaddr *)&address, 2); | |
651 | +--- linux-5.10-rc1.orig/net/unix/af_unix.c | |
652 | ++++ linux-5.10-rc1/net/unix/af_unix.c | |
653 | +@@ -2127,6 +2127,10 @@ static int unix_dgram_recvmsg(struct soc | |
654 | + EPOLLOUT | EPOLLWRNORM | | |
655 | + EPOLLWRBAND); | |
656 | + | |
657 | ++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) { | |
658 | ++ err = -EAGAIN; /* Hope less harmful than -EPERM. */ | |
659 | ++ goto out_unlock; | |
660 | ++ } | |
661 | + if (msg->msg_name) | |
662 | + unix_copy_addr(msg, skb->sk); | |
663 | + | |
664 | +@@ -2177,6 +2181,7 @@ static int unix_dgram_recvmsg(struct soc | |
665 | + | |
666 | + out_free: | |
667 | + skb_free_datagram(sk, skb); | |
668 | ++out_unlock: | |
669 | + mutex_unlock(&u->iolock); | |
670 | + out: | |
671 | + return err; | |
672 | +--- linux-5.10-rc1.orig/security/Kconfig | |
673 | ++++ linux-5.10-rc1/security/Kconfig | |
674 | +@@ -291,5 +291,7 @@ config LSM | |
675 | + | |
676 | + source "security/Kconfig.hardening" | |
677 | + | |
678 | ++source "security/ccsecurity/Kconfig" | |
679 | ++ | |
680 | + endmenu | |
681 | + | |
682 | +--- linux-5.10-rc1.orig/security/Makefile | |
683 | ++++ linux-5.10-rc1/security/Makefile | |
684 | +@@ -36,3 +36,6 @@ obj-$(CONFIG_BPF_LSM) += bpf/ | |
685 | + # Object integrity file lists | |
686 | + subdir-$(CONFIG_INTEGRITY) += integrity | |
687 | + obj-$(CONFIG_INTEGRITY) += integrity/ | |
688 | ++ | |
689 | ++subdir-$(CONFIG_CCSECURITY) += ccsecurity | |
690 | ++obj-$(CONFIG_CCSECURITY) += ccsecurity/ | |
691 | +--- linux-5.10-rc1.orig/security/security.c | |
692 | ++++ linux-5.10-rc1/security/security.c | |
693 | +@@ -1585,7 +1585,9 @@ int security_task_alloc(struct task_stru | |
694 | + | |
695 | + if (rc) | |
696 | + return rc; | |
697 | +- rc = call_int_hook(task_alloc, 0, task, clone_flags); | |
698 | ++ rc = ccs_alloc_task_security(task); | |
699 | ++ if (likely(!rc)) | |
700 | ++ rc = call_int_hook(task_alloc, 0, task, clone_flags); | |
701 | + if (unlikely(rc)) | |
702 | + security_task_free(task); | |
703 | + return rc; | |
704 | +@@ -1594,6 +1596,7 @@ int security_task_alloc(struct task_stru | |
705 | + void security_task_free(struct task_struct *task) | |
706 | + { | |
707 | + call_void_hook(task_free, task); | |
708 | ++ ccs_free_task_security(task); | |
709 | + | |
710 | + kfree(task->security); | |
711 | + task->security = NULL; |