--- zzzz-none-000/linux-2.6.19.2/fs/proc/base.c 2007-01-10 19:10:37.000000000 +0000
+++ davinci-8020-5505/linux-2.6.19.2/fs/proc/base.c 2008-04-10 12:21:44.000000000 +0000
@@ -73,6 +73,7 @@
 #include
 #include
 #include
+#include
 #include "internal.h"
 /* NOTE:
@@ -194,7 +195,7 @@
 (task->parent == current && \
 (task->ptrace & PT_PTRACED) && \
 (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
- security_ptrace(current,task) == 0))
+ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
 static int proc_pid_environ(struct task_struct *task, char * buffer)
 {
@@ -330,6 +331,8 @@
 task = get_proc_task(inode);
 if (task) {
 allowed = ptrace_may_attach(task);
+ if (allowed != 0)
+ allowed = !gr_acl_handle_procpidmem(task);
 put_task_struct(task);
 }
 return allowed;
@@ -442,8 +445,7 @@
 if (task) {
 task_lock(task);
- if (task->nsproxy)
- namespace = task->nsproxy->namespace;
+ namespace = task->nsproxy->namespace;
 if (namespace)
 get_namespace(namespace);
 task_unlock(task);
@@ -521,7 +523,7 @@
 if (!task)
 goto out_no_task;
- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
 goto out;
 ret = -ENOMEM;
@@ -591,7 +593,7 @@
 if (!task)
 goto out_no_task;
- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
 goto out;
 copied = -ENOMEM;
@@ -969,7 +971,11 @@
 inode->i_gid = 0;
 if (task_dumpable(task)) {
 inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = task->egid;
+#endif
 }
 security_task_to_inode(task, inode);
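Review bot: In the `@@ -330,6 +331,8 @@` hunk the added check inverts its helper's result (`allowed = !gr_acl_handle_procpidmem(task)`), so the helper returns non-zero to deny while `ptrace_may_attach()` on the line above returns non-zero to allow, and nothing in the hunk documents that. A one-line comment above the new `if`, such as `/* gr_acl_handle_procpidmem() returns non-zero when access must be denied */`, would keep the two conventions from being confused; the same polarity is relied on in the `@@ -521,7 +523,7 @@` and `@@ -591,7 +593,7 @@` hunks. `if (allowed != 0)` can also be written `if (allowed)`, matching the `if (task)` just above it. The enclosing function starts outside the hunk.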
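Review bot: The `@@ -442,8 +445,7 @@` hunk drops the `if (task->nsproxy)` guard and dereferences `task->nsproxy->namespace` unconditionally, which is unrelated to the access checks the rest of the patch adds and turns a NULL `nsproxy` into a kernel oops while `task_lock()` is held. The old side tested the pointer, so presumably it can be NULL here (for example for a task that is already exiting); unless that has been ruled out, keep the two removed lines, `if (task->nsproxy)` and `namespace = task->nsproxy->namespace;`. The `if (namespace)` test that follows only helps if `namespace` still holds its initial value when the guard fails, and that initialisation is outside the hunk.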
@@ -985,17 +991,38 @@
 {
 struct inode *inode = dentry->d_inode;
 struct task_struct *task;
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
+
 generic_fillattr(inode, stat);
 rcu_read_lock();
 stat->uid = 0;
 stat->gid = 0;
 task = pid_task(proc_pid(inode), PIDTYPE_PID);
- if (task) {
+ if (task &&
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ (!tmp->uid || (tmp->uid == task->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+ ) &&
+#endif
+ !gr_check_hidden_task(task)) {
 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#if defined(CONFIG_GRKERNSEC_PROC_USER)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 task_dumpable(task)) {
 stat->uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 stat->gid = task->egid;
+#endif
 }
 }
 rcu_read_unlock();
@@ -1025,9 +1052,18 @@
 struct task_struct *task = get_proc_task(inode);
 if (task) {
 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#if defined(CONFIG_GRKERNSEC_PROC_USER)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 task_dumpable(task)) {
 inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = task->egid;
+#endif
 } else {
 inode->i_uid = 0;
 inode->i_gid = 0;
@@ -1273,6 +1309,9 @@
 if (fd == ~0U)
 goto out;
+ if (gr_acl_handle_procpidmem(task))
+ goto out;
+
 result = proc_fd_instantiate(dir, dentry, task, &fd);
 out:
 put_task_struct(task);
@@ -1317,6 +1356,8 @@
 goto out;
 filp->f_pos++;
 default:
+ if (gr_acl_handle_procpidmem(p))
+ goto out;
 files = get_files_struct(p);
 if (!files)
 goto out;
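Review bot: The test for whether the caller may see the task is spliced into the `if (task && …)` condition with nested `#if` blocks in the `@@ -985,17 +991,38 @@` hunk, and the `@@ -2009,6 +2067,18 @@` hunk repeats the same policy hand-negated inside its loop, so the two copies can drift apart without the compiler noticing. Moving the test into one small helper, as sketched below under a proposed name, leaves a single place to audit and removes the `tmp` alias for `current`. The directory-mode literals compared here are likewise repeated in the `@@ -1025,9 +1052,18 @@` and `@@ -1893,7 +1937,14 @@` hunks and would be safer as one shared macro. The enclosing function's signature and tail are outside the hunk.

```c
/* Proposed helper: non-zero when current may see @task under the
 * PROC_USER / PROC_USERGROUP policy; always non-zero when neither is set. */
static inline int proc_task_visible_to_current(const struct task_struct *task)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	if (current->uid && current->uid != task->uid
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	    && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
#endif
	    )
		return 0;
#endif
	return 1;
}

/* … unchanged: generic_fillattr, rcu_read_lock, stat defaults, pid_task lookup … */
	if (task && proc_task_visible_to_current(task) &&
	    !gr_check_hidden_task(task)) {
/* … unchanged: mode comparison and uid/gid assignment … */
```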
@@ -1791,6 +1832,9 @@
 #ifdef CONFIG_AUDITSYSCALL
 REG("loginuid", S_IWUSR|S_IRUGO, loginuid),
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
+#endif
 };
 static int proc_tgid_base_readdir(struct file * filp,
@@ -1893,7 +1937,14 @@
 if (!inode)
 goto out;
+#if defined(CONFIG_GRKERNSEC_PROC_USER)
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
 inode->i_op = &proc_tgid_base_inode_operations;
 inode->i_fop = &proc_tgid_base_operations;
 inode->i_flags|=S_IMMUTABLE;
@@ -1934,7 +1985,11 @@
 if (!task)
 goto out;
+ if (gr_check_hidden_task(task))
+ goto out_put_task;
+
 result = proc_pid_instantiate(dir, dentry, task, NULL);
+out_put_task:
 put_task_struct(task);
 out:
 return result;
@@ -1992,6 +2047,9 @@
 {
 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
 struct task_struct *reaper = get_proc_task(filp->f_dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
 struct task_struct *task;
 int tgid;
@@ -2009,6 +2067,18 @@
 task;
 put_task_struct(task), task = next_tgid(tgid + 1)) {
 tgid = task->pid;
+
+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ || (tmp->uid && (task->uid != tmp->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+ )
+#endif
+ )
+ continue;
+
 filp->f_pos = tgid + TGID_OFFSET;
 if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
 put_task_struct(task);
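Review bot: The lookup path in the `@@ -1934,7 +1985,11 @@` hunk rejects only `gr_check_hidden_task(task)`, while the directory listing in the `@@ -2009,6 +2067,18 @@` hunk also skips tasks for which `gr_pid_is_chrooted(task)` is true, so a task that the listing omits on that ground still resolves when its pid is looked up by name. If the chroot restriction is meant as access control rather than as a listing filter, the lookup should apply the same test: `if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))`. The uid restriction appears to be carried on this path by the inode mode set in the `@@ -1893,7 +1937,14 @@` hunk, so only the chroot test looks missing. The enclosing function starts outside the hunk.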