• R/O
  • SSH
  • HTTPS

caitsith: 提交


Commit MetaInfo

修订版368 (tree)
时间2022-05-25 22:51:00
作者kumaneko

Log Message

(empty log message)

更改概述

差异

--- trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 367)
+++ trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 368)
@@ -479,6 +479,7 @@
479479 return cs_symlink_permission(&path, old_name);
480480 }
481481
482+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
482483 /**
483484 * cs_path_rename - Check permission for rename().
484485 *
@@ -486,6 +487,7 @@
486487 * @old_dentry: Pointer to "struct dentry".
487488 * @new_dir: Pointer to "struct path".
488489 * @new_dentry: Pointer to "struct dentry".
490+ * @flags: Rename flags.
489491 *
490492 * Returns 0 on success, negative value otherwise.
491493 */
@@ -492,6 +494,34 @@
492494 static int cs_path_rename(const struct path *old_dir,
493495 struct dentry *old_dentry,
494496 const struct path *new_dir,
497+ struct dentry *new_dentry,
498+ const unsigned int flags)
499+{
500+ struct path old = { .mnt = old_dir->mnt, .dentry = old_dentry };
501+ struct path new = { .mnt = new_dir->mnt, .dentry = new_dentry };
502+
503+ if (flags & RENAME_EXCHANGE) {
504+ const int err = cs_rename_permission(&new, &old);
505+
506+ if (err)
507+ return err;
508+ }
509+ return cs_rename_permission(&old, &new);
510+}
511+#else
512+/**
513+ * cs_path_rename - Check permission for rename().
514+ *
515+ * @old_dir: Pointer to "struct path".
516+ * @old_dentry: Pointer to "struct dentry".
517+ * @new_dir: Pointer to "struct path".
518+ * @new_dentry: Pointer to "struct dentry".
519+ *
520+ * Returns 0 on success, negative value otherwise.
521+ */
522+static int cs_path_rename(const struct path *old_dir,
523+ struct dentry *old_dentry,
524+ const struct path *new_dir,
495525 struct dentry *new_dentry)
496526 {
497527 struct path old = { .mnt = old_dir->mnt, .dentry = old_dentry };
@@ -499,6 +529,7 @@
499529
500530 return cs_rename_permission(&old, &new);
501531 }
532+#endif
502533
503534 /**
504535 * cs_path_link - Check permission for link().
--- trunk/caitsith-patch/include/linux/caitsith.h (revision 367)
+++ trunk/caitsith-patch/include/linux/caitsith.h (revision 368)
@@ -69,7 +69,7 @@
6969 #endif
7070 struct task_struct * (*find_task_by_vpid)(pid_t nr);
7171 struct task_struct * (*find_task_by_pid_ns)(pid_t nr,
72- struct pid_namespace *ns);
72+ struct pid_namespace *ns);
7373 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)
7474 size_t (*ksize)(const void *objp);
7575 #endif
@@ -80,54 +80,60 @@
8080 void (*check_profile)(void);
8181 int (*chroot_permission)(const struct path *path);
8282 int (*pivot_root_permission)(const struct path *old_path,
83- const struct path *new_path);
83+ const struct path *new_path);
8484 int (*mount_permission)(const char *dev_name, const struct path *path,
85- const char *type, unsigned long flags,
86- void *data_page);
85+ const char *type, unsigned long flags,
86+ void *data_page);
8787 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
8888 int (*move_mount_permission) (const struct path *from_path,
8989 const struct path *to_path);
9090 #endif
9191 int (*umount_permission)(struct vfsmount *mnt, int flags);
92-
9392 _Bool(*lport_reserved) (const u16 port); /* Not implemented. */
9493 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
9594 void (*save_open_mode)(int mode);
9695 void (*clear_open_mode)(void);
9796 int (*open_permission)(struct dentry *dentry, struct vfsmount *mnt,
98- const int flag);
97+ const int flag);
9998 #else
10099 int (*open_permission)(struct file *file);
101100 #endif
102101 int (*ptrace_permission)(long request, long pid);
103102 int (*ioctl_permission)(struct file *filp, unsigned int cmd,
104- unsigned long arg);
103+ unsigned long arg);
105104 int (*parse_table)(int __user *name, int nlen, void __user *oldval,
106- void __user *newval, struct ctl_table *table);
105+ void __user *newval, struct ctl_table *table);
107106 _Bool(*capable) (const u8 operation);
108107 int (*mknod_permission)(struct dentry *dentry, struct vfsmount *mnt,
109- unsigned int mode, unsigned int dev);
108+ unsigned int mode, unsigned int dev);
110109 int (*mkdir_permission)(struct dentry *dentry, struct vfsmount *mnt,
111- unsigned int mode);
110+ unsigned int mode);
112111 int (*rmdir_permission)(struct dentry *dentry, struct vfsmount *mnt);
113112 int (*unlink_permission)(struct dentry *dentry, struct vfsmount *mnt);
114113 int (*symlink_permission)(struct dentry *dentry, struct vfsmount *mnt,
115- const char *from);
114+ const char *from);
116115 int (*truncate_permission)(struct dentry *dentry,
117- struct vfsmount *mnt);
116+ struct vfsmount *mnt);
117+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
118118 int (*rename_permission)(struct dentry *old_dentry,
119- struct dentry *new_dentry,
120- struct vfsmount *mnt);
119+ struct dentry *new_dentry,
120+ struct vfsmount *mnt,
121+ const unsigned int flags);
122+#else
123+ int (*rename_permission)(struct dentry *old_dentry,
124+ struct dentry *new_dentry,
125+ struct vfsmount *mnt);
126+#endif
121127 int (*link_permission)(struct dentry *old_dentry,
122- struct dentry *new_dentry,
123- struct vfsmount *mnt);
128+ struct dentry *new_dentry,
129+ struct vfsmount *mnt);
124130 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30)
125131 int (*open_exec_permission)(struct dentry *dentry,
126- struct vfsmount *mnt);
132+ struct vfsmount *mnt);
127133 int (*uselib_permission)(struct dentry *dentry, struct vfsmount *mnt);
128134 #endif
129135 int (*fcntl_permission)(struct file *file, unsigned int cmd,
130- unsigned long arg);
136+ unsigned long arg);
131137 int (*kill_permission)(pid_t pid, int sig);
132138 int (*tgkill_permission)(pid_t tgid, pid_t pid, int sig);
133139 int (*tkill_permission)(pid_t pid, int sig);
@@ -134,26 +140,26 @@
134140 int (*socket_create_permission)(int family, int type, int protocol);
135141 int (*socket_listen_permission)(struct socket *sock);
136142 int (*socket_connect_permission)(struct socket *sock,
137- struct sockaddr *addr, int addr_len);
143+ struct sockaddr *addr, int addr_len);
138144 int (*socket_bind_permission)(struct socket *sock,
139- struct sockaddr *addr, int addr_len);
145+ struct sockaddr *addr, int addr_len);
140146 int (*socket_post_accept_permission)(struct socket *sock,
141- struct socket *newsock);
147+ struct socket *newsock);
142148 int (*socket_sendmsg_permission)(struct socket *sock,
143- struct msghdr *msg, int size);
149+ struct msghdr *msg, int size);
144150 int (*socket_post_recvmsg_permission)(struct sock *sk,
145- struct sk_buff *skb, int flags);
151+ struct sk_buff *skb, int flags);
146152 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
147153 int (*chown_permission)(struct dentry *dentry, struct vfsmount *mnt,
148- kuid_t user, kgid_t group);
154+ kuid_t user, kgid_t group);
149155 #else
150156 int (*chown_permission)(struct dentry *dentry, struct vfsmount *mnt,
151- uid_t user, gid_t group);
157+ uid_t user, gid_t group);
152158 #endif
153159 int (*chmod_permission)(struct dentry *dentry, struct vfsmount *mnt,
154- mode_t mode);
160+ mode_t mode);
155161 int (*getattr_permission)(struct vfsmount *mnt,
156- struct dentry *dentry);
162+ struct dentry *dentry);
157163 int (*sigqueue_permission)(pid_t pid, int sig);
158164 int (*tgsigqueue_permission)(pid_t tgid, pid_t pid, int sig);
159165 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
@@ -163,7 +169,7 @@
163169 int (*search_binary_handler)(struct linux_binprm *bprm);
164170 #else
165171 int (*search_binary_handler)(struct linux_binprm *bprm,
166- struct pt_regs *regs);
172+ struct pt_regs *regs);
167173 #endif
168174 #ifdef CONFIG_CAITSITH_USE_EXTERNAL_TASK_SECURITY
169175 int (*alloc_task_security)(const struct task_struct *task);
@@ -328,8 +334,19 @@
328334 return func ? func(dentry, mnt) : 0;
329335 }
330336
337+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
331338 static inline int ccs_rename_permission(struct dentry *old_dentry,
332339 struct dentry *new_dentry,
340+ struct vfsmount *mnt,
341+ const unsigned int flags)
342+{
343+ int (*func)(struct dentry *, struct dentry *, struct vfsmount *,
344+ const unsigned int) = caitsith_ops.rename_permission;
345+ return func ? func(old_dentry, new_dentry, mnt, flags) : 0;
346+}
347+#else
348+static inline int ccs_rename_permission(struct dentry *old_dentry,
349+ struct dentry *new_dentry,
333350 struct vfsmount *mnt)
334351 {
335352 int (*func)(struct dentry *, struct dentry *, struct vfsmount *)
@@ -336,6 +353,7 @@
336353 = caitsith_ops.rename_permission;
337354 return func ? func(old_dentry, new_dentry, mnt) : 0;
338355 }
356+#endif
339357
340358 static inline int ccs_link_permission(struct dentry *old_dentry,
341359 struct dentry *new_dentry,
@@ -541,12 +559,22 @@
541559 return 0;
542560 }
543561
562+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
544563 static inline int ccs_rename_permission(struct dentry *old_dentry,
545564 struct dentry *new_dentry,
565+ struct vfsmount *mnt,
566+ const unsigned int flags)
567+{
568+ return 0;
569+}
570+#else
571+static inline int ccs_rename_permission(struct dentry *old_dentry,
572+ struct dentry *new_dentry,
546573 struct vfsmount *mnt)
547574 {
548575 return 0;
549576 }
577+#endif
550578
551579 static inline int ccs_link_permission(struct dentry *old_dentry,
552580 struct dentry *new_dentry,
--- trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 367)
+++ trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 368)
@@ -50,8 +50,14 @@
5050 umode_t mode);
5151 int ccs_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
5252 unsigned int dev);
53+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
5354 int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry,
55+ const struct path *new_dir, struct dentry *new_dentry,
56+ const unsigned int flags);
57+#else
58+int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry,
5459 const struct path *new_dir, struct dentry *new_dentry);
60+#endif
5561 int ccs_path_rmdir(const struct path *dir, struct dentry *dentry);
5662 int ccs_path_symlink(const struct path *dir, struct dentry *dentry,
5763 const char *old_name);
@@ -209,13 +215,24 @@
209215 {
210216 return 0;
211217 }
218+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
212219 static inline int ccs_path_rename(const struct path *old_dir,
213220 struct dentry *old_dentry,
214221 const struct path *new_dir,
222+ struct dentry *new_dentry,
223+ const unsigned int flags)
224+{
225+ return 0;
226+}
227+#else
228+static inline int ccs_path_rename(const struct path *old_dir,
229+ struct dentry *old_dentry,
230+ const struct path *new_dir,
215231 struct dentry *new_dentry)
216232 {
217233 return 0;
218234 }
235+#endif
219236 static inline int ccs_path_chmod(const struct path *path, umode_t mode)
220237 {
221238 return 0;
--- trunk/caitsith-patch/patches/ccs-patch-5.19.diff (nonexistent)
+++ trunk/caitsith-patch/patches/ccs-patch-5.19.diff (revision 368)
@@ -0,0 +1,701 @@
1+This is TOMOYO Linux patch for kernel 5.19-rc1.
2+
3+Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.19-rc1.tar.gz
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 +++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 60 +++++++++++++++++++++++++---------------------
10+ include/net/ip.h | 4 +++
11+ init/init_task.c | 4 +++
12+ kernel/kexec.c | 4 ++-
13+ kernel/module.c | 5 +++
14+ kernel/ptrace.c | 10 +++++++
15+ kernel/reboot.c | 3 ++
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 25 +++++++++++++++++++
18+ kernel/sys.c | 8 ++++++
19+ kernel/time/timekeeping.c | 8 ++++++
20+ net/ipv4/raw.c | 4 +++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 +++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 +++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 ++
28+ security/security.c | 5 +++
29+ 24 files changed, 150 insertions(+), 30 deletions(-)
30+
31+--- linux.orig/fs/exec.c
32++++ linux/fs/exec.c
33+@@ -1833,7 +1833,7 @@ static int bprm_execve(struct linux_binp
34+ if (retval)
35+ goto out;
36+
37+- retval = exec_binprm(bprm);
38++ retval = ccs_exec_binprm(bprm);
39+ if (retval < 0)
40+ goto out;
41+
42+--- linux.orig/fs/open.c
43++++ linux/fs/open.c
44+@@ -1374,6 +1374,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux.orig/fs/proc/version.c
54++++ linux/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 5.18+ 2022/05/25\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux.orig/include/linux/sched.h
67++++ linux/include/linux/sched.h
68+@@ -44,6 +44,7 @@ struct blk_plug;
69+ struct bpf_local_storage;
70+ struct bpf_run_ctx;
71+ struct capture_control;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1379,6 +1380,10 @@ struct task_struct {
77+ /* Pause tracing: */
78+ atomic_t tracing_graph_pause;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ #ifdef CONFIG_TRACING
86+ /* State flags for use by tracers: */
87+--- linux.orig/include/linux/security.h
88++++ linux/include/linux/security.h
89+@@ -59,6 +59,7 @@ struct fs_parameter;
90+ enum fs_value_type;
91+ struct watch;
92+ struct watch_notification;
93++#include <linux/ccsecurity.h>
94+
95+ /* Default (no) options for the capable function */
96+ #define CAP_OPT_NONE 0x0
97+@@ -588,7 +589,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -681,18 +685,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -714,7 +718,7 @@ static inline int security_sb_clone_mnt_
132+ static inline int security_move_mount(const struct path *from_path,
133+ const struct path *to_path)
134+ {
135+- return 0;
136++ return ccs_move_mount_permission(from_path, to_path);
137+ }
138+
139+ static inline int security_path_notify(const struct path *path, u64 mask,
140+@@ -856,7 +860,7 @@ static inline int security_inode_setattr
141+
142+ static inline int security_inode_getattr(const struct path *path)
143+ {
144+- return 0;
145++ return ccs_inode_getattr(path);
146+ }
147+
148+ static inline int security_inode_setxattr(struct user_namespace *mnt_userns,
149+@@ -954,7 +958,7 @@ static inline void security_file_free(st
150+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_ioctl(file, cmd, arg);
155+ }
156+
157+ static inline int security_mmap_file(struct file *file, unsigned long prot,
158+@@ -983,7 +987,7 @@ static inline int security_file_lock(str
159+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
160+ unsigned long arg)
161+ {
162+- return 0;
163++ return ccs_file_fcntl(file, cmd, arg);
164+ }
165+
166+ static inline void security_file_set_fowner(struct file *file)
167+@@ -1005,17 +1009,19 @@ static inline int security_file_receive(
168+
169+ static inline int security_file_open(struct file *file)
170+ {
171+- return 0;
172++ return ccs_file_open(file);
173+ }
174+
175+ static inline int security_task_alloc(struct task_struct *task,
176+ unsigned long clone_flags)
177+ {
178+- return 0;
179++ return ccs_alloc_task_security(task);
180+ }
181+
182+ static inline void security_task_free(struct task_struct *task)
183+-{ }
184++{
185++ ccs_free_task_security(task);
186++}
187+
188+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
189+ {
190+@@ -1444,7 +1450,7 @@ static inline int security_unix_may_send
191+ static inline int security_socket_create(int family, int type,
192+ int protocol, int kern)
193+ {
194+- return 0;
195++ return ccs_socket_create(family, type, protocol, kern);
196+ }
197+
198+ static inline int security_socket_post_create(struct socket *sock,
199+@@ -1465,19 +1471,19 @@ static inline int security_socket_bind(s
200+ struct sockaddr *address,
201+ int addrlen)
202+ {
203+- return 0;
204++ return ccs_socket_bind(sock, address, addrlen);
205+ }
206+
207+ static inline int security_socket_connect(struct socket *sock,
208+ struct sockaddr *address,
209+ int addrlen)
210+ {
211+- return 0;
212++ return ccs_socket_connect(sock, address, addrlen);
213+ }
214+
215+ static inline int security_socket_listen(struct socket *sock, int backlog)
216+ {
217+- return 0;
218++ return ccs_socket_listen(sock, backlog);
219+ }
220+
221+ static inline int security_socket_accept(struct socket *sock,
222+@@ -1489,7 +1495,7 @@ static inline int security_socket_accept
223+ static inline int security_socket_sendmsg(struct socket *sock,
224+ struct msghdr *msg, int size)
225+ {
226+- return 0;
227++ return ccs_socket_sendmsg(sock, msg, size);
228+ }
229+
230+ static inline int security_socket_recvmsg(struct socket *sock,
231+@@ -1786,42 +1792,42 @@ int security_path_chroot(const struct pa
232+ #else /* CONFIG_SECURITY_PATH */
233+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
234+ {
235+- return 0;
236++ return ccs_path_unlink(dir, dentry);
237+ }
238+
239+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
240+ umode_t mode)
241+ {
242+- return 0;
243++ return ccs_path_mkdir(dir, dentry, mode);
244+ }
245+
246+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
247+ {
248+- return 0;
249++ return ccs_path_rmdir(dir, dentry);
250+ }
251+
252+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
253+ umode_t mode, unsigned int dev)
254+ {
255+- return 0;
256++ return ccs_path_mknod(dir, dentry, mode, dev);
257+ }
258+
259+ static inline int security_path_truncate(const struct path *path)
260+ {
261+- return 0;
262++ return ccs_path_truncate(path);
263+ }
264+
265+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
266+ const char *old_name)
267+ {
268+- return 0;
269++ return ccs_path_symlink(dir, dentry, old_name);
270+ }
271+
272+ static inline int security_path_link(struct dentry *old_dentry,
273+ const struct path *new_dir,
274+ struct dentry *new_dentry)
275+ {
276+- return 0;
277++ return ccs_path_link(old_dentry, new_dir, new_dentry);
278+ }
279+
280+ static inline int security_path_rename(const struct path *old_dir,
281+@@ -1830,22 +1836,22 @@ static inline int security_path_rename(c
282+ struct dentry *new_dentry,
283+ unsigned int flags)
284+ {
285+- return 0;
286++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
287+ }
288+
289+ static inline int security_path_chmod(const struct path *path, umode_t mode)
290+ {
291+- return 0;
292++ return ccs_path_chmod(path, mode);
293+ }
294+
295+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
296+ {
297+- return 0;
298++ return ccs_path_chown(path, uid, gid);
299+ }
300+
301+ static inline int security_path_chroot(const struct path *path)
302+ {
303+- return 0;
304++ return ccs_path_chroot(path);
305+ }
306+ #endif /* CONFIG_SECURITY_PATH */
307+
308+--- linux.orig/include/net/ip.h
309++++ linux/include/net/ip.h
310+@@ -345,6 +345,8 @@ void inet_get_local_port_range(struct ne
311+ #ifdef CONFIG_SYSCTL
312+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
313+ {
314++ if (ccs_lport_reserved(port))
315++ return true;
316+ if (!net->ipv4.sysctl_local_reserved_ports)
317+ return false;
318+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
319+@@ -363,6 +365,8 @@ static inline bool inet_port_requires_bi
320+ #else
321+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
322+ {
323++ if (ccs_lport_reserved(port))
324++ return true;
325+ return false;
326+ }
327+
328+--- linux.orig/init/init_task.c
329++++ linux/init/init_task.c
330+@@ -209,6 +209,10 @@ struct task_struct init_task
331+ #ifdef CONFIG_SECCOMP_FILTER
332+ .seccomp = { .filter_count = ATOMIC_INIT(0) },
333+ #endif
334++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
335++ .ccs_domain_info = NULL,
336++ .ccs_flags = 0,
337++#endif
338+ };
339+ EXPORT_SYMBOL(init_task);
340+
341+--- linux.orig/kernel/kexec.c
342++++ linux/kernel/kexec.c
343+@@ -16,7 +16,7 @@
344+ #include <linux/syscalls.h>
345+ #include <linux/vmalloc.h>
346+ #include <linux/slab.h>
347+-
348++#include <linux/ccsecurity.h>
349+ #include "kexec_internal.h"
350+
351+ static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
352+@@ -198,6 +198,8 @@ static inline int kexec_load_check(unsig
353+ /* We only trust the superuser with rebooting the system. */
354+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
355+ return -EPERM;
356++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
357++ return -EPERM;
358+
359+ /* Permit LSMs and IMA to fail the kexec */
360+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
361+--- linux.orig/kernel/module.c
362++++ linux/kernel/module.c
363+@@ -59,6 +59,7 @@
364+ #include <linux/audit.h>
365+ #include <uapi/linux/module.h>
366+ #include "module-internal.h"
367++#include <linux/ccsecurity.h>
368+
369+ #define CREATE_TRACE_POINTS
370+ #include <trace/events/module.h>
371+@@ -918,6 +919,8 @@ SYSCALL_DEFINE2(delete_module, const cha
372+
373+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
374+ return -EPERM;
375++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
376++ return -EPERM;
377+
378+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
379+ return -EFAULT;
380+@@ -3822,6 +3825,8 @@ static int may_init_module(void)
381+ {
382+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
383+ return -EPERM;
384++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
385++ return -EPERM;
386+
387+ return 0;
388+ }
389+--- linux.orig/kernel/ptrace.c
390++++ linux/kernel/ptrace.c
391+@@ -1294,6 +1294,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
392+ {
393+ struct task_struct *child;
394+ long ret;
395++ {
396++ const int rc = ccs_ptrace_permission(request, pid);
397++ if (rc)
398++ return rc;
399++ }
400+
401+ if (request == PTRACE_TRACEME) {
402+ ret = ptrace_traceme();
403+@@ -1441,6 +1446,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
404+ {
405+ struct task_struct *child;
406+ long ret;
407++ {
408++ const int rc = ccs_ptrace_permission(request, pid);
409++ if (rc)
410++ return rc;
411++ }
412+
413+ if (request == PTRACE_TRACEME) {
414+ ret = ptrace_traceme();
415+--- linux.orig/kernel/reboot.c
416++++ linux/kernel/reboot.c
417+@@ -18,6 +18,7 @@
418+ #include <linux/syscalls.h>
419+ #include <linux/syscore_ops.h>
420+ #include <linux/uaccess.h>
421++#include <linux/ccsecurity.h>
422+
423+ /*
424+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
425+@@ -327,6 +328,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
426+ magic2 != LINUX_REBOOT_MAGIC2B &&
427+ magic2 != LINUX_REBOOT_MAGIC2C))
428+ return -EINVAL;
429++ if (!ccs_capable(CCS_SYS_REBOOT))
430++ return -EPERM;
431+
432+ /*
433+ * If pid namespaces are enabled and the current task is in a child
434+--- linux.orig/kernel/sched/core.c
435++++ linux/kernel/sched/core.c
436+@@ -6956,6 +6956,8 @@ int can_nice(const struct task_struct *p
437+ SYSCALL_DEFINE1(nice, int, increment)
438+ {
439+ long nice, retval;
440++ if (!ccs_capable(CCS_SYS_NICE))
441++ return -EPERM;
442+
443+ /*
444+ * Setpriority might change our priority at the same moment.
445+--- linux.orig/kernel/signal.c
446++++ linux/kernel/signal.c
447+@@ -3788,6 +3788,8 @@ static inline void prepare_kill_siginfo(
448+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
449+ {
450+ struct kernel_siginfo info;
451++ if (ccs_kill_permission(pid, sig))
452++ return -EPERM;
453+
454+ prepare_kill_siginfo(sig, &info);
455+
456+@@ -3887,6 +3889,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
457+ if (!access_pidfd_pidns(pid))
458+ goto err;
459+
460++ {
461++ struct task_struct *task;
462++ int id = 0;
463++
464++ rcu_read_lock();
465++ task = pid_task(pid, PIDTYPE_PID);
466++ if (task)
467++ id = task_pid_vnr(task);
468++ rcu_read_unlock();
469++ if (task && ccs_kill_permission(id, sig)) {
470++ ret = -EPERM;
471++ goto err;
472++ }
473++ }
474++
475+ if (info) {
476+ ret = copy_siginfo_from_user_any(&kinfo, info);
477+ if (unlikely(ret))
478+@@ -3971,6 +3988,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
479+ /* This is only valid for single tasks */
480+ if (pid <= 0 || tgid <= 0)
481+ return -EINVAL;
482++ if (ccs_tgkill_permission(tgid, pid, sig))
483++ return -EPERM;
484+
485+ return do_tkill(tgid, pid, sig);
486+ }
487+@@ -3987,6 +4006,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
488+ /* This is only valid for single tasks */
489+ if (pid <= 0)
490+ return -EINVAL;
491++ if (ccs_tkill_permission(pid, sig))
492++ return -EPERM;
493+
494+ return do_tkill(0, pid, sig);
495+ }
496+@@ -3999,6 +4020,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
497+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
498+ (task_pid_vnr(current) != pid))
499+ return -EPERM;
500++ if (ccs_sigqueue_permission(pid, sig))
501++ return -EPERM;
502+
503+ /* POSIX.1b doesn't mention process groups. */
504+ return kill_proc_info(sig, info, pid);
505+@@ -4046,6 +4069,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
506+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
507+ (task_pid_vnr(current) != pid))
508+ return -EPERM;
509++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
510++ return -EPERM;
511+
512+ return do_send_specific(tgid, pid, sig, info);
513+ }
514+--- linux.orig/kernel/sys.c
515++++ linux/kernel/sys.c
516+@@ -218,6 +218,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
517+
518+ if (which > PRIO_USER || which < PRIO_PROCESS)
519+ goto out;
520++ if (!ccs_capable(CCS_SYS_NICE)) {
521++ error = -EPERM;
522++ goto out;
523++ }
524+
525+ /* normalize: avoid signed division (rounding problems) */
526+ error = -ESRCH;
527+@@ -1362,6 +1366,8 @@ SYSCALL_DEFINE2(sethostname, char __user
528+
529+ if (len < 0 || len > __NEW_UTS_LEN)
530+ return -EINVAL;
531++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
532++ return -EPERM;
533+ errno = -EFAULT;
534+ if (!copy_from_user(tmp, name, len)) {
535+ struct new_utsname *u;
536+@@ -1414,6 +1420,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
537+ return -EPERM;
538+ if (len < 0 || len > __NEW_UTS_LEN)
539+ return -EINVAL;
540++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
541++ return -EPERM;
542+
543+ errno = -EFAULT;
544+ if (!copy_from_user(tmp, name, len)) {
545+--- linux.orig/kernel/time/timekeeping.c
546++++ linux/kernel/time/timekeeping.c
547+@@ -23,6 +23,7 @@
548+ #include <linux/pvclock_gtod.h>
549+ #include <linux/compiler.h>
550+ #include <linux/audit.h>
551++#include <linux/ccsecurity.h>
552+
553+ #include "tick-internal.h"
554+ #include "ntp_internal.h"
555+@@ -2345,10 +2346,15 @@ static int timekeeping_validate_timex(co
556+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
557+ !capable(CAP_SYS_TIME))
558+ return -EPERM;
559++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
560++ !ccs_capable(CCS_SYS_SETTIME))
561++ return -EPERM;
562+ } else {
563+ /* In order to modify anything, you gotta be super-user! */
564+ if (txc->modes && !capable(CAP_SYS_TIME))
565+ return -EPERM;
566++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
567++ return -EPERM;
568+ /*
569+ * if the quartz is off by more than 10% then
570+ * something is VERY wrong!
571+@@ -2363,6 +2369,8 @@ static int timekeeping_validate_timex(co
572+ /* In order to inject time, you gotta be super-user! */
573+ if (!capable(CAP_SYS_TIME))
574+ return -EPERM;
575++ if (!ccs_capable(CCS_SYS_SETTIME))
576++ return -EPERM;
577+
578+ /*
579+ * Validate if a timespec/timeval used to inject a time
580+--- linux.orig/net/ipv4/raw.c
581++++ linux/net/ipv4/raw.c
582+@@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
583+ skb = skb_recv_datagram(sk, flags, noblock, &err);
584+ if (!skb)
585+ goto out;
586++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
587++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
588++ goto out;
589++ }
590+
591+ copied = skb->len;
592+ if (len < copied) {
593+--- linux.orig/net/ipv4/udp.c
594++++ linux/net/ipv4/udp.c
595+@@ -1862,6 +1862,8 @@ try_again:
596+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
597+ if (!skb)
598+ return err;
599++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
600++ return -EAGAIN; /* Hope less harmful than -EPERM. */
601+
602+ ulen = udp_skb_len(skb);
603+ copied = len;
604+--- linux.orig/net/ipv6/raw.c
605++++ linux/net/ipv6/raw.c
606+@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
607+ skb = skb_recv_datagram(sk, flags, noblock, &err);
608+ if (!skb)
609+ goto out;
610++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
611++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
612++ goto out;
613++ }
614+
615+ copied = skb->len;
616+ if (copied > len) {
617+--- linux.orig/net/ipv6/udp.c
618++++ linux/net/ipv6/udp.c
619+@@ -345,6 +345,8 @@ try_again:
620+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
621+ if (!skb)
622+ return err;
623++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
624++ return -EAGAIN; /* Hope less harmful than -EPERM. */
625+
626+ ulen = udp6_skb_len(skb);
627+ copied = len;
628+--- linux.orig/net/socket.c
629++++ linux/net/socket.c
630+@@ -1811,6 +1811,10 @@ struct file *do_accept(struct file *file
631+ if (err < 0)
632+ goto out_fd;
633+
634++ if (ccs_socket_post_accept_permission(sock, newsock)) {
635++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
636++ goto out_fd;
637++ }
638+ if (upeer_sockaddr) {
639+ len = newsock->ops->getname(newsock,
640+ (struct sockaddr *)&address, 2);
641+--- linux.orig/net/unix/af_unix.c
642++++ linux/net/unix/af_unix.c
643+@@ -2417,6 +2417,10 @@ int __unix_dgram_recvmsg(struct sock *sk
644+ EPOLLOUT | EPOLLWRNORM |
645+ EPOLLWRBAND);
646+
647++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
648++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
649++ goto out_unlock;
650++ }
651+ if (msg->msg_name)
652+ unix_copy_addr(msg, skb->sk);
653+
654+@@ -2467,6 +2471,7 @@ int __unix_dgram_recvmsg(struct sock *sk
655+
656+ out_free:
657+ skb_free_datagram(sk, skb);
658++out_unlock:
659+ mutex_unlock(&u->iolock);
660+ out:
661+ return err;
662+--- linux.orig/security/Kconfig
663++++ linux/security/Kconfig
664+@@ -271,5 +271,7 @@ config LSM
665+
666+ source "security/Kconfig.hardening"
667+
668++source "security/ccsecurity/Kconfig"
669++
670+ endmenu
671+
672+--- linux.orig/security/Makefile
673++++ linux/security/Makefile
674+@@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
675+
676+ # Object integrity file lists
677+ obj-$(CONFIG_INTEGRITY) += integrity/
678++
679++subdir-$(CONFIG_CCSECURITY) += ccsecurity
680++obj-$(CONFIG_CCSECURITY) += ccsecurity/
681+--- linux.orig/security/security.c
682++++ linux/security/security.c
683+@@ -1655,7 +1655,9 @@ int security_task_alloc(struct task_stru
684+
685+ if (rc)
686+ return rc;
687+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
688++ rc = ccs_alloc_task_security(task);
689++ if (likely(!rc))
690++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
691+ if (unlikely(rc))
692+ security_task_free(task);
693+ return rc;
694+@@ -1664,6 +1666,7 @@ int security_task_alloc(struct task_stru
695+ void security_task_free(struct task_struct *task)
696+ {
697+ call_void_hook(task_free, task);
698++ ccs_free_task_security(task);
699+
700+ kfree(task->security);
701+ task->security = NULL;
--- trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 367)
+++ trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 368)
@@ -138,11 +138,20 @@
138138 return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
139139 }
140140
141+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
141142 int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry,
143+ const struct path *new_dir, struct dentry *new_dentry,
144+ const unsigned int flags)
145+{
146+ return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt, flags);
147+}
148+#else
149+int ccs_path_rename(const struct path *old_dir, struct dentry *old_dentry,
142150 const struct path *new_dir, struct dentry *new_dentry)
143151 {
144152 return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
145153 }
154+#endif
146155
147156 int ccs_path_chmod(const struct path *path, umode_t mode)
148157 {
--- trunk/caitsith-patch/security/caitsith/permission.c (revision 367)
+++ trunk/caitsith-patch/security/caitsith/permission.c (revision 368)
@@ -169,9 +169,16 @@
169169 #endif
170170 static int cs_pivot_root_permission(const struct path *old_path,
171171 const struct path *new_path);
172+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
172173 static int cs_rename_permission(struct dentry *old_dentry,
173174 struct dentry *new_dentry,
175+ struct vfsmount *mnt,
176+ const unsigned int flags);
177+#else
178+static int cs_rename_permission(struct dentry *old_dentry,
179+ struct dentry *new_dentry,
174180 struct vfsmount *mnt);
181+#endif
175182 static int cs_rmdir_permission(struct dentry *dentry, struct vfsmount *mnt);
176183 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
177184 static int cs_search_binary_handler(struct linux_binprm *bprm,
@@ -1993,6 +2000,7 @@
19932000 return cs_path_perm(CS_MAC_TRUNCATE, &path);
19942001 }
19952002
2003+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
19962004 /**
19972005 * cs_rename_permission - Check permission for vfs_rename().
19982006 *
@@ -1999,11 +2007,38 @@
19992007 * @old_dentry: Pointer to "struct dentry".
20002008 * @new_dentry: Pointer to "struct dentry".
20012009 * @mnt: Pointer to "struct vfsmount". Maybe NULL.
2010+ * @flags: Rename flags.
20022011 *
20032012 * Returns 0 on success, negative value otherwise.
20042013 */
20052014 static int cs_rename_permission(struct dentry *old_dentry,
20062015 struct dentry *new_dentry,
2016+ struct vfsmount *mnt,
2017+ const unsigned int flags)
2018+{
2019+ struct path old = { .mnt = mnt, .dentry = old_dentry };
2020+ struct path new = { .mnt = mnt, .dentry = new_dentry };
2021+
2022+ if (flags & RENAME_EXCHANGE) {
2023+ const int err = cs_path2_perm(CS_MAC_RENAME, &new, &old);
2024+
2025+ if (err)
2026+ return err;
2027+ }
2028+ return cs_path2_perm(CS_MAC_RENAME, &old, &new);
2029+}
2030+#else
2031+/**
2032+ * cs_rename_permission - Check permission for vfs_rename().
2033+ *
2034+ * @old_dentry: Pointer to "struct dentry".
2035+ * @new_dentry: Pointer to "struct dentry".
2036+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
2037+ *
2038+ * Returns 0 on success, negative value otherwise.
2039+ */
2040+static int cs_rename_permission(struct dentry *old_dentry,
2041+ struct dentry *new_dentry,
20072042 struct vfsmount *mnt)
20082043 {
20092044 struct path old = { .mnt = mnt, .dentry = old_dentry };
@@ -2011,6 +2046,7 @@
20112046
20122047 return cs_path2_perm(CS_MAC_RENAME, &old, &new);
20132048 }
2049+#endif
20142050
20152051 /**
20162052 * cs_link_permission - Check permission for vfs_link().
Show on old repository browser