• R/O
  • SSH
  • HTTPS

caitsith: 提交


Commit MetaInfo

修订版371 (tree)
时间2022-09-10 00:27:52
作者kumaneko

Log Message

(empty log message)

更改概述

差异

--- trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 370)
+++ trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 371)
@@ -36,6 +36,10 @@
3636 static union security_list_options original_task_alloc;
3737 static union security_list_options original_task_free;
3838
39+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
40+long (*my_copy_to_kernel_nofault) (void *dst, const void *src, size_t size);
41+#endif
42+
3943 #if !defined(CONFIG_CAITSITH_DEBUG)
4044 #define cs_debug_trace(pos) do { } while (0)
4145 #else
@@ -1240,11 +1244,14 @@
12401244 {
12411245 int i;
12421246 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
1243-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
12441247 struct hlist_head *list = &hooks->capable;
12451248
1249+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
12461250 if (!probe_kernel_write(list, list, sizeof(void *)))
12471251 return true;
1252+#else
1253+ if (!my_copy_to_kernel_nofault(list, list, sizeof(void *)))
1254+ return true;
12481255 #endif
12491256 for (i = 0; i < ARRAY_SIZE(caitsith_hooks); i++) {
12501257 struct hlist_head *head = caitsith_hooks[i].head;
@@ -1286,7 +1293,11 @@
12861293 struct list_head *list = &hooks->capable;
12871294 #endif
12881295
1296+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0)
12891297 return !probe_kernel_write(list, list, sizeof(void *));
1298+#else
1299+ return !my_copy_to_kernel_nofault(list, list, sizeof(void *));
1300+#endif
12901301 }
12911302 #endif
12921303 #endif
@@ -1307,6 +1318,11 @@
13071318 caitsith_hooks[idx].head = ((void *) hooks)
13081319 + ((unsigned long) caitsith_hooks[idx].head)
13091320 - ((unsigned long) &probe_dummy_security_hook_heads);
1321+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
1322+ my_copy_to_kernel_nofault = probe_copy_to_kernel_nofault();
1323+ if (!my_copy_to_kernel_nofault)
1324+ goto out;
1325+#endif
13101326 #if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE)
13111327 if (!check_ro_pages(hooks)) {
13121328 printk(KERN_INFO "Can't update security_hook_heads due to write protected. Retry with rodata=0 kernel command line option added.\n");
--- trunk/caitsith-patch/caitsith/probe.c (revision 370)
+++ trunk/caitsith-patch/caitsith/probe.c (revision 371)
@@ -1012,3 +1012,19 @@
10121012 }
10131013
10141014 #endif
1015+
1016+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
1017+
1018+/**
1019+ * probe_copy_to_kernel_nofault - Find address of "copy_to_kernel_nofault()".
1020+ *
1021+ * Returns address of copy_to_kernel_nofault() on success, NULL otherwise.
1022+ */
1023+void * __init probe_copy_to_kernel_nofault(void)
1024+{
1025+ void *ptr = probe_find_symbol(" copy_to_kernel_nofault\n");
1026+
1027+ return check_function_address(ptr, "copy_to_kernel_nofault");
1028+}
1029+
1030+#endif
--- trunk/caitsith-patch/caitsith/probe.h (revision 370)
+++ trunk/caitsith-patch/caitsith/probe.h (revision 371)
@@ -61,3 +61,7 @@
6161 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)
6262 void * __init probe_ksize(void);
6363 #endif
64+
65+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
66+void * __init probe_copy_to_kernel_nofault(void);
67+#endif
--- trunk/caitsith-patch/caitsith/test.c (revision 370)
+++ trunk/caitsith-patch/caitsith/test.c (revision 371)
@@ -57,6 +57,12 @@
5757 goto out;
5858 printk(KERN_INFO "ksize=%lx\n", (unsigned long) ptr);
5959 #endif
60+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
61+ ptr = probe_copy_to_kernel_nofault();
62+ if (!ptr)
63+ goto out;
64+ printk(KERN_INFO "copy_to_kernel_nofault=%lx\n", (unsigned long) ptr);
65+#endif
6066 printk(KERN_INFO "All dependent symbols have been guessed.\n");
6167 printk(KERN_INFO "Please verify these addresses using System.map for this kernel (e.g. /boot/System.map-`uname -r` ).\n");
6268 printk(KERN_INFO "If these addresses are correct, you can try loading CaitSith module on this kernel.\n");
--- trunk/caitsith-patch/patches/ccs-patch-3.10-centos-7.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-3.10-centos-7.diff (revision 371)
@@ -1,6 +1,6 @@
11 This is TOMOYO Linux patch for CentOS 7.
22
3-Source code for this patch is https://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1160.66.1.el7.src.rpm
3+Source code for this patch is https://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1160.71.1.el7.src.rpm
44 ---
55 fs/exec.c | 2
66 fs/open.c | 2
@@ -28,8 +28,8 @@
2828 security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++-----
2929 24 files changed, 248 insertions(+), 37 deletions(-)
3030
31---- linux-3.10.0-1160.66.1.el7.orig/fs/exec.c
32-+++ linux-3.10.0-1160.66.1.el7/fs/exec.c
31+--- linux-3.10.0-1160.71.1.el7.orig/fs/exec.c
32++++ linux-3.10.0-1160.71.1.el7/fs/exec.c
3333 @@ -1506,7 +1506,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-3.10.0-1160.66.1.el7.orig/fs/open.c
43-+++ linux-3.10.0-1160.66.1.el7/fs/open.c
42+--- linux-3.10.0-1160.71.1.el7.orig/fs/open.c
43++++ linux-3.10.0-1160.71.1.el7/fs/open.c
4444 @@ -1106,6 +1106,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-3.10.0-1160.66.1.el7.orig/fs/proc/version.c
54-+++ linux-3.10.0-1160.66.1.el7/fs/proc/version.c
53+--- linux-3.10.0-1160.71.1.el7.orig/fs/proc/version.c
54++++ linux-3.10.0-1160.71.1.el7/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 3.10.0-1160.66.1.el7 2022/05/23\n");
62++ printk(KERN_INFO "Hook version: 3.10.0-1160.71.1.el7 2022/07/25\n");
6363 + return 0;
6464 +}
6565 +module_init(ccs_show_version);
66---- linux-3.10.0-1160.66.1.el7.orig/include/linux/init_task.h
67-+++ linux-3.10.0-1160.66.1.el7/include/linux/init_task.h
66+--- linux-3.10.0-1160.71.1.el7.orig/include/linux/init_task.h
67++++ linux-3.10.0-1160.71.1.el7/include/linux/init_task.h
6868 @@ -173,6 +173,14 @@ extern struct task_group root_task_group
6969 # define INIT_RT_MUTEXES(tsk)
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-3.10.0-1160.66.1.el7.orig/include/linux/sched.h
92-+++ linux-3.10.0-1160.66.1.el7/include/linux/sched.h
91+--- linux-3.10.0-1160.71.1.el7.orig/include/linux/sched.h
92++++ linux-3.10.0-1160.71.1.el7/include/linux/sched.h
9393 @@ -4,6 +4,8 @@
9494 #include <uapi/linux/sched.h>
9595 #include <linux/rh_kabi.h>
@@ -110,8 +110,8 @@
110110 };
111111
112112 /* Future-safe accessor for struct task_struct's cpus_allowed. */
113---- linux-3.10.0-1160.66.1.el7.orig/include/linux/security.h
114-+++ linux-3.10.0-1160.66.1.el7/include/linux/security.h
113+--- linux-3.10.0-1160.71.1.el7.orig/include/linux/security.h
114++++ linux-3.10.0-1160.71.1.el7/include/linux/security.h
115115 @@ -56,6 +56,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -323,8 +323,8 @@
323323 }
324324 #endif /* CONFIG_SECURITY_PATH */
325325
326---- linux-3.10.0-1160.66.1.el7.orig/include/net/ip.h
327-+++ linux-3.10.0-1160.66.1.el7/include/net/ip.h
326+--- linux-3.10.0-1160.71.1.el7.orig/include/net/ip.h
327++++ linux-3.10.0-1160.71.1.el7/include/net/ip.h
328328 @@ -232,6 +232,8 @@ void inet_get_local_port_range(struct ne
329329 extern unsigned long *sysctl_local_reserved_ports;
330330 static inline int inet_is_reserved_local_port(int port)
@@ -334,8 +334,8 @@
334334 return test_bit(port, sysctl_local_reserved_ports);
335335 }
336336
337---- linux-3.10.0-1160.66.1.el7.orig/kernel/fork.c
338-+++ linux-3.10.0-1160.66.1.el7/kernel/fork.c
337+--- linux-3.10.0-1160.71.1.el7.orig/kernel/fork.c
338++++ linux-3.10.0-1160.71.1.el7/kernel/fork.c
339339 @@ -297,6 +297,7 @@ void __put_task_struct(struct task_struc
340340 delayacct_tsk_free(tsk);
341341 put_signal_struct(tsk->signal);
@@ -362,8 +362,8 @@
362362 bad_fork_cleanup_perf:
363363 perf_event_free_task(p);
364364 bad_fork_cleanup_policy:
365---- linux-3.10.0-1160.66.1.el7.orig/kernel/kexec.c
366-+++ linux-3.10.0-1160.66.1.el7/kernel/kexec.c
365+--- linux-3.10.0-1160.71.1.el7.orig/kernel/kexec.c
366++++ linux-3.10.0-1160.71.1.el7/kernel/kexec.c
367367 @@ -190,6 +190,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon
368368 /* We only trust the superuser with rebooting the system. */
369369 if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
@@ -373,8 +373,8 @@
373373
374374 if (get_securelevel() > 0)
375375 return -EPERM;
376---- linux-3.10.0-1160.66.1.el7.orig/kernel/module.c
377-+++ linux-3.10.0-1160.66.1.el7/kernel/module.c
376+--- linux-3.10.0-1160.71.1.el7.orig/kernel/module.c
377++++ linux-3.10.0-1160.71.1.el7/kernel/module.c
378378 @@ -66,6 +66,7 @@
379379 #endif /* __GENKSYMS__ */
380380 #include <uapi/linux/module.h>
@@ -401,8 +401,8 @@
401401
402402 return 0;
403403 }
404---- linux-3.10.0-1160.66.1.el7.orig/kernel/ptrace.c
405-+++ linux-3.10.0-1160.66.1.el7/kernel/ptrace.c
404+--- linux-3.10.0-1160.71.1.el7.orig/kernel/ptrace.c
405++++ linux-3.10.0-1160.71.1.el7/kernel/ptrace.c
406406 @@ -1082,6 +1082,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
407407 {
408408 struct task_struct *child;
@@ -427,8 +427,8 @@
427427
428428 if (request == PTRACE_TRACEME) {
429429 ret = ptrace_traceme();
430---- linux-3.10.0-1160.66.1.el7.orig/kernel/sched/core.c
431-+++ linux-3.10.0-1160.66.1.el7/kernel/sched/core.c
430+--- linux-3.10.0-1160.71.1.el7.orig/kernel/sched/core.c
431++++ linux-3.10.0-1160.71.1.el7/kernel/sched/core.c
432432 @@ -4421,6 +4421,8 @@ int can_nice(const struct task_struct *p
433433 SYSCALL_DEFINE1(nice, int, increment)
434434 {
@@ -438,8 +438,8 @@
438438
439439 /*
440440 * Setpriority might change our priority at the same moment.
441---- linux-3.10.0-1160.66.1.el7.orig/kernel/signal.c
442-+++ linux-3.10.0-1160.66.1.el7/kernel/signal.c
441+--- linux-3.10.0-1160.71.1.el7.orig/kernel/signal.c
442++++ linux-3.10.0-1160.71.1.el7/kernel/signal.c
443443 @@ -2942,6 +2942,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
444444 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
445445 {
@@ -485,8 +485,8 @@
485485
486486 return do_send_specific(tgid, pid, sig, info);
487487 }
488---- linux-3.10.0-1160.66.1.el7.orig/kernel/sys.c
489-+++ linux-3.10.0-1160.66.1.el7/kernel/sys.c
488+--- linux-3.10.0-1160.71.1.el7.orig/kernel/sys.c
489++++ linux-3.10.0-1160.71.1.el7/kernel/sys.c
490490 @@ -197,6 +197,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
491491
492492 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -525,8 +525,8 @@
525525
526526 down_write(&uts_sem);
527527 errno = -EFAULT;
528---- linux-3.10.0-1160.66.1.el7.orig/kernel/time/ntp.c
529-+++ linux-3.10.0-1160.66.1.el7/kernel/time/ntp.c
528+--- linux-3.10.0-1160.71.1.el7.orig/kernel/time/ntp.c
529++++ linux-3.10.0-1160.71.1.el7/kernel/time/ntp.c
530530 @@ -16,6 +16,7 @@
531531 #include <linux/mm.h>
532532 #include <linux/module.h>
@@ -560,8 +560,8 @@
560560
561561 return 0;
562562 }
563---- linux-3.10.0-1160.66.1.el7.orig/net/ipv4/raw.c
564-+++ linux-3.10.0-1160.66.1.el7/net/ipv4/raw.c
563+--- linux-3.10.0-1160.71.1.el7.orig/net/ipv4/raw.c
564++++ linux-3.10.0-1160.71.1.el7/net/ipv4/raw.c
565565 @@ -710,6 +710,10 @@ static int raw_recvmsg(struct kiocb *ioc
566566 skb = skb_recv_datagram(sk, flags, noblock, &err);
567567 if (!skb)
@@ -573,8 +573,8 @@
573573
574574 copied = skb->len;
575575 if (len < copied) {
576---- linux-3.10.0-1160.66.1.el7.orig/net/ipv4/udp.c
577-+++ linux-3.10.0-1160.66.1.el7/net/ipv4/udp.c
576+--- linux-3.10.0-1160.71.1.el7.orig/net/ipv4/udp.c
577++++ linux-3.10.0-1160.71.1.el7/net/ipv4/udp.c
578578 @@ -1467,6 +1467,10 @@ try_again:
579579 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
580580 if (!skb)
@@ -586,8 +586,8 @@
586586
587587 ulen = skb->len - sizeof(struct udphdr);
588588 copied = len;
589---- linux-3.10.0-1160.66.1.el7.orig/net/ipv6/raw.c
590-+++ linux-3.10.0-1160.66.1.el7/net/ipv6/raw.c
589+--- linux-3.10.0-1160.71.1.el7.orig/net/ipv6/raw.c
590++++ linux-3.10.0-1160.71.1.el7/net/ipv6/raw.c
591591 @@ -470,6 +470,10 @@ static int rawv6_recvmsg(struct kiocb *i
592592 skb = skb_recv_datagram(sk, flags, noblock, &err);
593593 if (!skb)
@@ -599,8 +599,8 @@
599599
600600 copied = skb->len;
601601 if (copied > len) {
602---- linux-3.10.0-1160.66.1.el7.orig/net/ipv6/udp.c
603-+++ linux-3.10.0-1160.66.1.el7/net/ipv6/udp.c
602+--- linux-3.10.0-1160.71.1.el7.orig/net/ipv6/udp.c
603++++ linux-3.10.0-1160.71.1.el7/net/ipv6/udp.c
604604 @@ -384,6 +384,10 @@ try_again:
605605 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
606606 if (!skb)
@@ -612,8 +612,8 @@
612612
613613 ulen = skb->len - sizeof(struct udphdr);
614614 copied = len;
615---- linux-3.10.0-1160.66.1.el7.orig/net/socket.c
616-+++ linux-3.10.0-1160.66.1.el7/net/socket.c
615+--- linux-3.10.0-1160.71.1.el7.orig/net/socket.c
616++++ linux-3.10.0-1160.71.1.el7/net/socket.c
617617 @@ -1662,6 +1662,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
618618 if (err < 0)
619619 goto out_fd;
@@ -625,8 +625,8 @@
625625 if (upeer_sockaddr) {
626626 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
627627 &len, 2) < 0) {
628---- linux-3.10.0-1160.66.1.el7.orig/net/unix/af_unix.c
629-+++ linux-3.10.0-1160.66.1.el7/net/unix/af_unix.c
628+--- linux-3.10.0-1160.71.1.el7.orig/net/unix/af_unix.c
629++++ linux-3.10.0-1160.71.1.el7/net/unix/af_unix.c
630630 @@ -2186,6 +2186,10 @@ static int unix_dgram_recvmsg(struct kio
631631 wake_up_interruptible_sync_poll(&u->peer_wait,
632632 POLLOUT | POLLWRNORM | POLLWRBAND);
@@ -638,8 +638,8 @@
638638 if (msg->msg_name)
639639 unix_copy_addr(msg, skb->sk);
640640
641---- linux-3.10.0-1160.66.1.el7.orig/security/Kconfig
642-+++ linux-3.10.0-1160.66.1.el7/security/Kconfig
641+--- linux-3.10.0-1160.71.1.el7.orig/security/Kconfig
642++++ linux-3.10.0-1160.71.1.el7/security/Kconfig
643643 @@ -226,5 +226,7 @@ config DEFAULT_SECURITY
644644 default "yama" if DEFAULT_SECURITY_YAMA
645645 default "" if DEFAULT_SECURITY_DAC
@@ -648,8 +648,8 @@
648648 +
649649 endmenu
650650
651---- linux-3.10.0-1160.66.1.el7.orig/security/Makefile
652-+++ linux-3.10.0-1160.66.1.el7/security/Makefile
651+--- linux-3.10.0-1160.71.1.el7.orig/security/Makefile
652++++ linux-3.10.0-1160.71.1.el7/security/Makefile
653653 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654654 # Object integrity file lists
655655 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -657,8 +657,8 @@
657657 +
658658 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
659659 +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
660---- linux-3.10.0-1160.66.1.el7.orig/security/security.c
661-+++ linux-3.10.0-1160.66.1.el7/security/security.c
660+--- linux-3.10.0-1160.71.1.el7.orig/security/security.c
661++++ linux-3.10.0-1160.71.1.el7/security/security.c
662662 @@ -229,7 +229,10 @@ int security_syslog(int type)
663663
664664 int security_settime(const struct timespec *ts, const struct timezone *tz)
--- trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.14.284.
1+This is TOMOYO Linux patch for kernel 4.14.291.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.284.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.291.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 153 insertions(+), 29 deletions(-)
3030
31---- linux-4.14.284.orig/fs/exec.c
32-+++ linux-4.14.284/fs/exec.c
31+--- linux-4.14.291.orig/fs/exec.c
32++++ linux-4.14.291/fs/exec.c
3333 @@ -1692,7 +1692,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.14.284.orig/fs/open.c
43-+++ linux-4.14.284/fs/open.c
42+--- linux-4.14.291.orig/fs/open.c
43++++ linux-4.14.291/fs/open.c
4444 @@ -1193,6 +1193,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.14.284.orig/fs/proc/version.c
54-+++ linux-4.14.284/fs/proc/version.c
53+--- linux-4.14.291.orig/fs/proc/version.c
54++++ linux-4.14.291/fs/proc/version.c
5555 @@ -33,3 +33,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.14.284 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 4.14.291 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.14.284.orig/include/linux/init_task.h
67-+++ linux-4.14.284/include/linux/init_task.h
66+--- linux-4.14.291.orig/include/linux/init_task.h
67++++ linux-4.14.291/include/linux/init_task.h
6868 @@ -219,6 +219,14 @@ extern struct cred init_cred;
6969 #define INIT_TASK_SECURITY
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.14.284.orig/include/linux/sched.h
92-+++ linux-4.14.284/include/linux/sched.h
91+--- linux-4.14.291.orig/include/linux/sched.h
92++++ linux-4.14.291/include/linux/sched.h
9393 @@ -33,6 +33,7 @@ struct audit_context;
9494 struct backing_dev_info;
9595 struct bio_list;
@@ -109,8 +109,8 @@
109109
110110 /*
111111 * New fields for task_struct should be added above here, so that
112---- linux-4.14.284.orig/include/linux/security.h
113-+++ linux-4.14.284/include/linux/security.h
112+--- linux-4.14.291.orig/include/linux/security.h
113++++ linux-4.14.291/include/linux/security.h
114114 @@ -56,6 +56,7 @@ struct msg_queue;
115115 struct xattr;
116116 struct xfrm_sec_ctx;
@@ -331,8 +331,8 @@
331331 }
332332 #endif /* CONFIG_SECURITY_PATH */
333333
334---- linux-4.14.284.orig/include/net/ip.h
335-+++ linux-4.14.284/include/net/ip.h
334+--- linux-4.14.291.orig/include/net/ip.h
335++++ linux-4.14.291/include/net/ip.h
336336 @@ -266,6 +266,8 @@ void inet_get_local_port_range(struct ne
337337 #ifdef CONFIG_SYSCTL
338338 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -351,8 +351,8 @@
351351 return 0;
352352 }
353353
354---- linux-4.14.284.orig/kernel/kexec.c
355-+++ linux-4.14.284/kernel/kexec.c
354+--- linux-4.14.291.orig/kernel/kexec.c
355++++ linux-4.14.291/kernel/kexec.c
356356 @@ -17,7 +17,7 @@
357357 #include <linux/syscalls.h>
358358 #include <linux/vmalloc.h>
@@ -371,8 +371,8 @@
371371
372372 /*
373373 * Verify we have a legal set of flags
374---- linux-4.14.284.orig/kernel/module.c
375-+++ linux-4.14.284/kernel/module.c
374+--- linux-4.14.291.orig/kernel/module.c
375++++ linux-4.14.291/kernel/module.c
376376 @@ -66,6 +66,7 @@
377377 #include <linux/audit.h>
378378 #include <uapi/linux/module.h>
@@ -399,8 +399,8 @@
399399
400400 return 0;
401401 }
402---- linux-4.14.284.orig/kernel/ptrace.c
403-+++ linux-4.14.284/kernel/ptrace.c
402+--- linux-4.14.291.orig/kernel/ptrace.c
403++++ linux-4.14.291/kernel/ptrace.c
404404 @@ -1185,6 +1185,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
405405 {
406406 struct task_struct *child;
@@ -425,8 +425,8 @@
425425
426426 if (request == PTRACE_TRACEME) {
427427 ret = ptrace_traceme();
428---- linux-4.14.284.orig/kernel/reboot.c
429-+++ linux-4.14.284/kernel/reboot.c
428+--- linux-4.14.291.orig/kernel/reboot.c
429++++ linux-4.14.291/kernel/reboot.c
430430 @@ -16,6 +16,7 @@
431431 #include <linux/syscalls.h>
432432 #include <linux/syscore_ops.h>
@@ -444,8 +444,8 @@
444444
445445 /*
446446 * If pid namespaces are enabled and the current task is in a child
447---- linux-4.14.284.orig/kernel/sched/core.c
448-+++ linux-4.14.284/kernel/sched/core.c
447+--- linux-4.14.291.orig/kernel/sched/core.c
448++++ linux-4.14.291/kernel/sched/core.c
449449 @@ -3859,6 +3859,8 @@ int can_nice(const struct task_struct *p
450450 SYSCALL_DEFINE1(nice, int, increment)
451451 {
@@ -455,8 +455,8 @@
455455
456456 /*
457457 * Setpriority might change our priority at the same moment.
458---- linux-4.14.284.orig/kernel/signal.c
459-+++ linux-4.14.284/kernel/signal.c
458+--- linux-4.14.291.orig/kernel/signal.c
459++++ linux-4.14.291/kernel/signal.c
460460 @@ -3031,6 +3031,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
461461 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
462462 {
@@ -502,8 +502,8 @@
502502
503503 return do_send_specific(tgid, pid, sig, info);
504504 }
505---- linux-4.14.284.orig/kernel/sys.c
506-+++ linux-4.14.284/kernel/sys.c
505+--- linux-4.14.291.orig/kernel/sys.c
506++++ linux-4.14.291/kernel/sys.c
507507 @@ -193,6 +193,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
508508
509509 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -533,8 +533,8 @@
533533
534534 errno = -EFAULT;
535535 if (!copy_from_user(tmp, name, len)) {
536---- linux-4.14.284.orig/kernel/time/ntp.c
537-+++ linux-4.14.284/kernel/time/ntp.c
536+--- linux-4.14.291.orig/kernel/time/ntp.c
537++++ linux-4.14.291/kernel/time/ntp.c
538538 @@ -18,6 +18,7 @@
539539 #include <linux/module.h>
540540 #include <linux/rtc.h>
@@ -568,8 +568,8 @@
568568
569569 if (txc->modes & ADJ_NANO) {
570570 struct timespec ts;
571---- linux-4.14.284.orig/net/ipv4/raw.c
572-+++ linux-4.14.284/net/ipv4/raw.c
571+--- linux-4.14.291.orig/net/ipv4/raw.c
572++++ linux-4.14.291/net/ipv4/raw.c
573573 @@ -771,6 +771,10 @@ static int raw_recvmsg(struct sock *sk,
574574 skb = skb_recv_datagram(sk, flags, noblock, &err);
575575 if (!skb)
@@ -581,8 +581,8 @@
581581
582582 copied = skb->len;
583583 if (len < copied) {
584---- linux-4.14.284.orig/net/ipv4/udp.c
585-+++ linux-4.14.284/net/ipv4/udp.c
584+--- linux-4.14.291.orig/net/ipv4/udp.c
585++++ linux-4.14.291/net/ipv4/udp.c
586586 @@ -1608,6 +1608,8 @@ try_again:
587587 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
588588 if (!skb)
@@ -592,8 +592,8 @@
592592
593593 ulen = udp_skb_len(skb);
594594 copied = len;
595---- linux-4.14.284.orig/net/ipv6/raw.c
596-+++ linux-4.14.284/net/ipv6/raw.c
595+--- linux-4.14.291.orig/net/ipv6/raw.c
596++++ linux-4.14.291/net/ipv6/raw.c
597597 @@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
598598 skb = skb_recv_datagram(sk, flags, noblock, &err);
599599 if (!skb)
@@ -605,8 +605,8 @@
605605
606606 copied = skb->len;
607607 if (copied > len) {
608---- linux-4.14.284.orig/net/ipv6/udp.c
609-+++ linux-4.14.284/net/ipv6/udp.c
608+--- linux-4.14.291.orig/net/ipv6/udp.c
609++++ linux-4.14.291/net/ipv6/udp.c
610610 @@ -371,6 +371,8 @@ try_again:
611611 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
612612 if (!skb)
@@ -616,8 +616,8 @@
616616
617617 ulen = udp6_skb_len(skb);
618618 copied = len;
619---- linux-4.14.284.orig/net/socket.c
620-+++ linux-4.14.284/net/socket.c
619+--- linux-4.14.291.orig/net/socket.c
620++++ linux-4.14.291/net/socket.c
621621 @@ -1588,6 +1588,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
622622 if (err < 0)
623623 goto out_fd;
@@ -629,8 +629,8 @@
629629 if (upeer_sockaddr) {
630630 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
631631 &len, 2) < 0) {
632---- linux-4.14.284.orig/net/unix/af_unix.c
633-+++ linux-4.14.284/net/unix/af_unix.c
632+--- linux-4.14.291.orig/net/unix/af_unix.c
633++++ linux-4.14.291/net/unix/af_unix.c
634634 @@ -2173,6 +2173,10 @@ static int unix_dgram_recvmsg(struct soc
635635 POLLOUT | POLLWRNORM |
636636 POLLWRBAND);
@@ -650,8 +650,8 @@
650650 mutex_unlock(&u->iolock);
651651 out:
652652 return err;
653---- linux-4.14.284.orig/security/Kconfig
654-+++ linux-4.14.284/security/Kconfig
653+--- linux-4.14.291.orig/security/Kconfig
654++++ linux-4.14.291/security/Kconfig
655655 @@ -263,5 +263,7 @@ config DEFAULT_SECURITY
656656 default "apparmor" if DEFAULT_SECURITY_APPARMOR
657657 default "" if DEFAULT_SECURITY_DAC
@@ -660,8 +660,8 @@
660660 +
661661 endmenu
662662
663---- linux-4.14.284.orig/security/Makefile
664-+++ linux-4.14.284/security/Makefile
663+--- linux-4.14.291.orig/security/Makefile
664++++ linux-4.14.291/security/Makefile
665665 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
666666 # Object integrity file lists
667667 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -669,8 +669,8 @@
669669 +
670670 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
671671 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
672---- linux-4.14.284.orig/security/security.c
673-+++ linux-4.14.284/security/security.c
672+--- linux-4.14.291.orig/security/security.c
673++++ linux-4.14.291/security/security.c
674674 @@ -978,12 +978,19 @@ int security_file_open(struct file *file
675675
676676 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (revision 371)
@@ -1,6 +1,6 @@
11 This is TOMOYO Linux patch for CentOS Stream 8.
22
3-Source code for this patch is https://vault.centos.org/centos/8-stream/BaseOS/Source/SPackages/kernel-4.18.0-394.el8.src.rpm
3+Source code for this patch is https://vault.centos.org/centos/8-stream/BaseOS/Source/SPackages/kernel-4.18.0-408.el8.src.rpm
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 144 insertions(+), 29 deletions(-)
3030
31---- linux-4.18.0-394.el8.orig/fs/exec.c
32-+++ linux-4.18.0-394.el8/fs/exec.c
31+--- linux-4.18.0-408.el8.orig/fs/exec.c
32++++ linux-4.18.0-408.el8/fs/exec.c
3333 @@ -1748,7 +1748,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.18.0-394.el8.orig/fs/open.c
43-+++ linux-4.18.0-394.el8/fs/open.c
42+--- linux-4.18.0-408.el8.orig/fs/open.c
43++++ linux-4.18.0-408.el8/fs/open.c
4444 @@ -1330,6 +1330,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.18.0-394.el8.orig/fs/proc/version.c
54-+++ linux-4.18.0-394.el8/fs/proc/version.c
53+--- linux-4.18.0-408.el8.orig/fs/proc/version.c
54++++ linux-4.18.0-408.el8/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.18.0-394.el8 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 4.18.0-408.el8 2022/07/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.18.0-394.el8.orig/include/linux/sched.h
67-+++ linux-4.18.0-394.el8/include/linux/sched.h
66+--- linux-4.18.0-408.el8.orig/include/linux/sched.h
67++++ linux-4.18.0-408.el8/include/linux/sched.h
6868 @@ -41,6 +41,7 @@ struct audit_context;
6969 struct backing_dev_info;
7070 struct bio_list;
@@ -73,7 +73,7 @@
7373 struct cfs_rq;
7474 struct fs_struct;
7575 struct futex_pi_state;
76-@@ -1432,6 +1433,10 @@ struct task_struct {
76+@@ -1435,6 +1436,10 @@ struct task_struct {
7777 /* Used by LSM modules for access restriction: */
7878 void *security;
7979 #endif
@@ -84,8 +84,8 @@
8484
8585 /*
8686 * New fields for task_struct should be added above here, so that
87---- linux-4.18.0-394.el8.orig/include/linux/security.h
88-+++ linux-4.18.0-394.el8/include/linux/security.h
87+--- linux-4.18.0-408.el8.orig/include/linux/security.h
88++++ linux-4.18.0-408.el8/include/linux/security.h
8989 @@ -56,6 +56,7 @@ struct mm_struct;
9090 struct fs_context;
9191 struct fs_parameter;
@@ -306,8 +306,8 @@
306306 }
307307 #endif /* CONFIG_SECURITY_PATH */
308308
309---- linux-4.18.0-394.el8.orig/include/net/ip.h
310-+++ linux-4.18.0-394.el8/include/net/ip.h
309+--- linux-4.18.0-408.el8.orig/include/net/ip.h
310++++ linux-4.18.0-408.el8/include/net/ip.h
311311 @@ -297,6 +297,8 @@ void inet_get_local_port_range(struct ne
312312 #ifdef CONFIG_SYSCTL
313313 static inline bool inet_is_local_reserved_port(struct net *net, int port)
@@ -326,8 +326,8 @@
326326 return false;
327327 }
328328
329---- linux-4.18.0-394.el8.orig/init/init_task.c
330-+++ linux-4.18.0-394.el8/init/init_task.c
329+--- linux-4.18.0-408.el8.orig/init/init_task.c
330++++ linux-4.18.0-408.el8/init/init_task.c
331331 @@ -217,6 +217,10 @@ struct task_struct init_task
332332 #ifdef CONFIG_SECURITY
333333 .security = NULL,
@@ -339,8 +339,8 @@
339339 };
340340 EXPORT_SYMBOL(init_task);
341341
342---- linux-4.18.0-394.el8.orig/kernel/kexec.c
343-+++ linux-4.18.0-394.el8/kernel/kexec.c
342+--- linux-4.18.0-408.el8.orig/kernel/kexec.c
343++++ linux-4.18.0-408.el8/kernel/kexec.c
344344 @@ -18,7 +18,7 @@
345345 #include <linux/syscalls.h>
346346 #include <linux/vmalloc.h>
@@ -359,8 +359,8 @@
359359
360360 /* Permit LSMs and IMA to fail the kexec */
361361 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362---- linux-4.18.0-394.el8.orig/kernel/module.c
363-+++ linux-4.18.0-394.el8/kernel/module.c
362+--- linux-4.18.0-408.el8.orig/kernel/module.c
363++++ linux-4.18.0-408.el8/kernel/module.c
364364 @@ -67,6 +67,7 @@
365365 #include <linux/audit.h>
366366 #include <uapi/linux/module.h>
@@ -378,7 +378,7 @@
378378
379379 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380380 return -EFAULT;
381-@@ -3600,6 +3603,8 @@ static int may_init_module(void)
381+@@ -3616,6 +3619,8 @@ static int may_init_module(void)
382382 {
383383 if (!capable(CAP_SYS_MODULE) || modules_disabled)
384384 return -EPERM;
@@ -387,8 +387,8 @@
387387
388388 return 0;
389389 }
390---- linux-4.18.0-394.el8.orig/kernel/ptrace.c
391-+++ linux-4.18.0-394.el8/kernel/ptrace.c
390+--- linux-4.18.0-408.el8.orig/kernel/ptrace.c
391++++ linux-4.18.0-408.el8/kernel/ptrace.c
392392 @@ -1137,6 +1137,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393393 {
394394 struct task_struct *child;
@@ -413,8 +413,8 @@
413413
414414 if (request == PTRACE_TRACEME) {
415415 ret = ptrace_traceme();
416---- linux-4.18.0-394.el8.orig/kernel/reboot.c
417-+++ linux-4.18.0-394.el8/kernel/reboot.c
416+--- linux-4.18.0-408.el8.orig/kernel/reboot.c
417++++ linux-4.18.0-408.el8/kernel/reboot.c
418418 @@ -16,6 +16,7 @@
419419 #include <linux/syscalls.h>
420420 #include <linux/syscore_ops.h>
@@ -432,8 +432,8 @@
432432
433433 /*
434434 * If pid namespaces are enabled and the current task is in a child
435---- linux-4.18.0-394.el8.orig/kernel/sched/core.c
436-+++ linux-4.18.0-394.el8/kernel/sched/core.c
435+--- linux-4.18.0-408.el8.orig/kernel/sched/core.c
436++++ linux-4.18.0-408.el8/kernel/sched/core.c
437437 @@ -4996,6 +4996,8 @@ int can_nice(const struct task_struct *p
438438 SYSCALL_DEFINE1(nice, int, increment)
439439 {
@@ -443,8 +443,8 @@
443443
444444 /*
445445 * Setpriority might change our priority at the same moment.
446---- linux-4.18.0-394.el8.orig/kernel/signal.c
447-+++ linux-4.18.0-394.el8/kernel/signal.c
446+--- linux-4.18.0-408.el8.orig/kernel/signal.c
447++++ linux-4.18.0-408.el8/kernel/signal.c
448448 @@ -3562,6 +3562,8 @@ SYSCALL_DEFINE2(kill, pid_t, pid, int, s
449449 {
450450 struct kernel_siginfo info;
@@ -490,8 +490,8 @@
490490 return do_send_specific(tgid, pid, sig, info);
491491 }
492492
493---- linux-4.18.0-394.el8.orig/kernel/sys.c
494-+++ linux-4.18.0-394.el8/kernel/sys.c
493+--- linux-4.18.0-408.el8.orig/kernel/sys.c
494++++ linux-4.18.0-408.el8/kernel/sys.c
495495 @@ -210,6 +210,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496496
497497 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -521,8 +521,8 @@
521521
522522 down_write(&uts_sem);
523523 errno = -EFAULT;
524---- linux-4.18.0-394.el8.orig/kernel/time/timekeeping.c
525-+++ linux-4.18.0-394.el8/kernel/time/timekeeping.c
524+--- linux-4.18.0-408.el8.orig/kernel/time/timekeeping.c
525++++ linux-4.18.0-408.el8/kernel/time/timekeeping.c
526526 @@ -26,6 +26,7 @@
527527 #include <linux/pvclock_gtod.h>
528528 #include <linux/compiler.h>
@@ -556,8 +556,8 @@
556556
557557 /*
558558 * Validate if a timespec/timeval used to inject a time
559---- linux-4.18.0-394.el8.orig/net/ipv4/raw.c
560-+++ linux-4.18.0-394.el8/net/ipv4/raw.c
559+--- linux-4.18.0-408.el8.orig/net/ipv4/raw.c
560++++ linux-4.18.0-408.el8/net/ipv4/raw.c
561561 @@ -775,6 +775,10 @@ static int raw_recvmsg(struct sock *sk,
562562 skb = skb_recv_datagram(sk, flags, noblock, &err);
563563 if (!skb)
@@ -569,8 +569,8 @@
569569
570570 copied = skb->len;
571571 if (len < copied) {
572---- linux-4.18.0-394.el8.orig/net/ipv4/udp.c
573-+++ linux-4.18.0-394.el8/net/ipv4/udp.c
572+--- linux-4.18.0-408.el8.orig/net/ipv4/udp.c
573++++ linux-4.18.0-408.el8/net/ipv4/udp.c
574574 @@ -1848,6 +1848,8 @@ try_again:
575575 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
576576 if (!skb)
@@ -580,8 +580,8 @@
580580
581581 ulen = udp_skb_len(skb);
582582 copied = len;
583---- linux-4.18.0-394.el8.orig/net/ipv6/raw.c
584-+++ linux-4.18.0-394.el8/net/ipv6/raw.c
583+--- linux-4.18.0-408.el8.orig/net/ipv6/raw.c
584++++ linux-4.18.0-408.el8/net/ipv6/raw.c
585585 @@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
586586 skb = skb_recv_datagram(sk, flags, noblock, &err);
587587 if (!skb)
@@ -593,8 +593,8 @@
593593
594594 copied = skb->len;
595595 if (copied > len) {
596---- linux-4.18.0-394.el8.orig/net/ipv6/udp.c
597-+++ linux-4.18.0-394.el8/net/ipv6/udp.c
596+--- linux-4.18.0-408.el8.orig/net/ipv6/udp.c
597++++ linux-4.18.0-408.el8/net/ipv6/udp.c
598598 @@ -346,6 +346,8 @@ try_again:
599599 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
600600 if (!skb)
@@ -604,8 +604,8 @@
604604
605605 ulen = udp6_skb_len(skb);
606606 copied = len;
607---- linux-4.18.0-394.el8.orig/net/socket.c
608-+++ linux-4.18.0-394.el8/net/socket.c
607+--- linux-4.18.0-408.el8.orig/net/socket.c
608++++ linux-4.18.0-408.el8/net/socket.c
609609 @@ -1715,6 +1715,10 @@ int __sys_accept4_file(struct file *file
610610 if (err < 0)
611611 goto out_fd;
@@ -617,8 +617,8 @@
617617 if (upeer_sockaddr) {
618618 len = newsock->ops->getname(newsock,
619619 (struct sockaddr *)&address, 2);
620---- linux-4.18.0-394.el8.orig/net/unix/af_unix.c
621-+++ linux-4.18.0-394.el8/net/unix/af_unix.c
620+--- linux-4.18.0-408.el8.orig/net/unix/af_unix.c
621++++ linux-4.18.0-408.el8/net/unix/af_unix.c
622622 @@ -2165,6 +2165,10 @@ static int unix_dgram_recvmsg(struct soc
623623 EPOLLOUT | EPOLLWRNORM |
624624 EPOLLWRBAND);
@@ -638,8 +638,8 @@
638638 mutex_unlock(&u->iolock);
639639 out:
640640 return err;
641---- linux-4.18.0-394.el8.orig/security/Kconfig
642-+++ linux-4.18.0-394.el8/security/Kconfig
641+--- linux-4.18.0-408.el8.orig/security/Kconfig
642++++ linux-4.18.0-408.el8/security/Kconfig
643643 @@ -326,4 +326,6 @@ config LSM
644644
645645 source "security/Kconfig.hardening"
@@ -647,8 +647,8 @@
647647 +source security/ccsecurity/Kconfig
648648 +
649649 endmenu
650---- linux-4.18.0-394.el8.orig/security/Makefile
651-+++ linux-4.18.0-394.el8/security/Makefile
650+--- linux-4.18.0-408.el8.orig/security/Makefile
651++++ linux-4.18.0-408.el8/security/Makefile
652652 @@ -35,3 +35,6 @@ obj-$(CONFIG_INTEGRITY) += integrity/
653653
654654 # Allow the kernel to be locked down
@@ -656,8 +656,8 @@
656656 +
657657 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
658658 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
659---- linux-4.18.0-394.el8.orig/security/security.c
660-+++ linux-4.18.0-394.el8/security/security.c
659+--- linux-4.18.0-408.el8.orig/security/security.c
660++++ linux-4.18.0-408.el8/security/security.c
661661 @@ -1553,7 +1553,9 @@ int security_task_alloc(struct task_stru
662662
663663 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.19.248.
1+This is TOMOYO Linux patch for kernel 4.19.256.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.248.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.256.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 148 insertions(+), 29 deletions(-)
3030
31---- linux-4.19.248.orig/fs/exec.c
32-+++ linux-4.19.248/fs/exec.c
31+--- linux-4.19.256.orig/fs/exec.c
32++++ linux-4.19.256/fs/exec.c
3333 @@ -1707,7 +1707,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.19.248.orig/fs/open.c
43-+++ linux-4.19.248/fs/open.c
42+--- linux-4.19.256.orig/fs/open.c
43++++ linux-4.19.256/fs/open.c
4444 @@ -1196,6 +1196,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.19.248.orig/fs/proc/version.c
54-+++ linux-4.19.248/fs/proc/version.c
53+--- linux-4.19.256.orig/fs/proc/version.c
54++++ linux-4.19.256/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.19.248 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 4.19.256 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.19.248.orig/include/linux/sched.h
67-+++ linux-4.19.248/include/linux/sched.h
66+--- linux-4.19.256.orig/include/linux/sched.h
67++++ linux-4.19.256/include/linux/sched.h
6868 @@ -34,6 +34,7 @@ struct audit_context;
6969 struct backing_dev_info;
7070 struct bio_list;
@@ -84,8 +84,8 @@
8484
8585 /*
8686 * New fields for task_struct should be added above here, so that
87---- linux-4.19.248.orig/include/linux/security.h
88-+++ linux-4.19.248/include/linux/security.h
87+--- linux-4.19.256.orig/include/linux/security.h
88++++ linux-4.19.256/include/linux/security.h
8989 @@ -53,6 +53,7 @@ struct msg_msg;
9090 struct xattr;
9191 struct xfrm_sec_ctx;
@@ -306,8 +306,8 @@
306306 }
307307 #endif /* CONFIG_SECURITY_PATH */
308308
309---- linux-4.19.248.orig/include/net/ip.h
310-+++ linux-4.19.248/include/net/ip.h
309+--- linux-4.19.256.orig/include/net/ip.h
310++++ linux-4.19.256/include/net/ip.h
311311 @@ -302,6 +302,8 @@ void inet_get_local_port_range(struct ne
312312 #ifdef CONFIG_SYSCTL
313313 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -326,8 +326,8 @@
326326 return 0;
327327 }
328328
329---- linux-4.19.248.orig/init/init_task.c
330-+++ linux-4.19.248/init/init_task.c
329+--- linux-4.19.256.orig/init/init_task.c
330++++ linux-4.19.256/init/init_task.c
331331 @@ -180,6 +180,10 @@ struct task_struct init_task
332332 #ifdef CONFIG_SECURITY
333333 .security = NULL,
@@ -339,8 +339,8 @@
339339 };
340340 EXPORT_SYMBOL(init_task);
341341
342---- linux-4.19.248.orig/kernel/kexec.c
343-+++ linux-4.19.248/kernel/kexec.c
342+--- linux-4.19.256.orig/kernel/kexec.c
343++++ linux-4.19.256/kernel/kexec.c
344344 @@ -18,7 +18,7 @@
345345 #include <linux/syscalls.h>
346346 #include <linux/vmalloc.h>
@@ -359,8 +359,8 @@
359359
360360 /* Permit LSMs and IMA to fail the kexec */
361361 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362---- linux-4.19.248.orig/kernel/module.c
363-+++ linux-4.19.248/kernel/module.c
362+--- linux-4.19.256.orig/kernel/module.c
363++++ linux-4.19.256/kernel/module.c
364364 @@ -66,6 +66,7 @@
365365 #include <linux/audit.h>
366366 #include <uapi/linux/module.h>
@@ -387,8 +387,8 @@
387387
388388 return 0;
389389 }
390---- linux-4.19.248.orig/kernel/ptrace.c
391-+++ linux-4.19.248/kernel/ptrace.c
390+--- linux-4.19.256.orig/kernel/ptrace.c
391++++ linux-4.19.256/kernel/ptrace.c
392392 @@ -1168,6 +1168,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393393 {
394394 struct task_struct *child;
@@ -413,8 +413,8 @@
413413
414414 if (request == PTRACE_TRACEME) {
415415 ret = ptrace_traceme();
416---- linux-4.19.248.orig/kernel/reboot.c
417-+++ linux-4.19.248/kernel/reboot.c
416+--- linux-4.19.256.orig/kernel/reboot.c
417++++ linux-4.19.256/kernel/reboot.c
418418 @@ -16,6 +16,7 @@
419419 #include <linux/syscalls.h>
420420 #include <linux/syscore_ops.h>
@@ -432,8 +432,8 @@
432432
433433 /*
434434 * If pid namespaces are enabled and the current task is in a child
435---- linux-4.19.248.orig/kernel/sched/core.c
436-+++ linux-4.19.248/kernel/sched/core.c
435+--- linux-4.19.256.orig/kernel/sched/core.c
436++++ linux-4.19.256/kernel/sched/core.c
437437 @@ -3992,6 +3992,8 @@ int can_nice(const struct task_struct *p
438438 SYSCALL_DEFINE1(nice, int, increment)
439439 {
@@ -443,8 +443,8 @@
443443
444444 /*
445445 * Setpriority might change our priority at the same moment.
446---- linux-4.19.248.orig/kernel/signal.c
447-+++ linux-4.19.248/kernel/signal.c
446+--- linux-4.19.256.orig/kernel/signal.c
447++++ linux-4.19.256/kernel/signal.c
448448 @@ -3276,6 +3276,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449449 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450450 {
@@ -490,8 +490,8 @@
490490
491491 return do_send_specific(tgid, pid, sig, info);
492492 }
493---- linux-4.19.248.orig/kernel/sys.c
494-+++ linux-4.19.248/kernel/sys.c
493+--- linux-4.19.256.orig/kernel/sys.c
494++++ linux-4.19.256/kernel/sys.c
495495 @@ -201,6 +201,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496496
497497 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -521,9 +521,9 @@
521521
522522 errno = -EFAULT;
523523 if (!copy_from_user(tmp, name, len)) {
524---- linux-4.19.248.orig/kernel/time/timekeeping.c
525-+++ linux-4.19.248/kernel/time/timekeeping.c
526-@@ -26,6 +26,7 @@
524+--- linux-4.19.256.orig/kernel/time/timekeeping.c
525++++ linux-4.19.256/kernel/time/timekeeping.c
526+@@ -27,6 +27,7 @@
527527 #include <linux/stop_machine.h>
528528 #include <linux/pvclock_gtod.h>
529529 #include <linux/compiler.h>
@@ -531,7 +531,7 @@
531531
532532 #include "tick-internal.h"
533533 #include "ntp_internal.h"
534-@@ -2255,10 +2256,15 @@ static int timekeeping_validate_timex(co
534+@@ -2256,10 +2257,15 @@ static int timekeeping_validate_timex(co
535535 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
536536 !capable(CAP_SYS_TIME))
537537 return -EPERM;
@@ -547,7 +547,7 @@
547547 /*
548548 * if the quartz is off by more than 10% then
549549 * something is VERY wrong!
550-@@ -2273,6 +2279,8 @@ static int timekeeping_validate_timex(co
550+@@ -2274,6 +2280,8 @@ static int timekeeping_validate_timex(co
551551 /* In order to inject time, you gotta be super-user! */
552552 if (!capable(CAP_SYS_TIME))
553553 return -EPERM;
@@ -556,8 +556,8 @@
556556
557557 /*
558558 * Validate if a timespec/timeval used to inject a time
559---- linux-4.19.248.orig/net/ipv4/raw.c
560-+++ linux-4.19.248/net/ipv4/raw.c
559+--- linux-4.19.256.orig/net/ipv4/raw.c
560++++ linux-4.19.256/net/ipv4/raw.c
561561 @@ -775,6 +775,10 @@ static int raw_recvmsg(struct sock *sk,
562562 skb = skb_recv_datagram(sk, flags, noblock, &err);
563563 if (!skb)
@@ -569,8 +569,8 @@
569569
570570 copied = skb->len;
571571 if (len < copied) {
572---- linux-4.19.248.orig/net/ipv4/udp.c
573-+++ linux-4.19.248/net/ipv4/udp.c
572+--- linux-4.19.256.orig/net/ipv4/udp.c
573++++ linux-4.19.256/net/ipv4/udp.c
574574 @@ -1686,6 +1686,8 @@ try_again:
575575 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576576 if (!skb)
@@ -580,8 +580,8 @@
580580
581581 ulen = udp_skb_len(skb);
582582 copied = len;
583---- linux-4.19.248.orig/net/ipv6/raw.c
584-+++ linux-4.19.248/net/ipv6/raw.c
583+--- linux-4.19.256.orig/net/ipv6/raw.c
584++++ linux-4.19.256/net/ipv6/raw.c
585585 @@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
586586 skb = skb_recv_datagram(sk, flags, noblock, &err);
587587 if (!skb)
@@ -593,8 +593,8 @@
593593
594594 copied = skb->len;
595595 if (copied > len) {
596---- linux-4.19.248.orig/net/ipv6/udp.c
597-+++ linux-4.19.248/net/ipv6/udp.c
596+--- linux-4.19.256.orig/net/ipv6/udp.c
597++++ linux-4.19.256/net/ipv6/udp.c
598598 @@ -347,6 +347,8 @@ try_again:
599599 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600600 if (!skb)
@@ -604,8 +604,8 @@
604604
605605 ulen = udp6_skb_len(skb);
606606 copied = len;
607---- linux-4.19.248.orig/net/socket.c
608-+++ linux-4.19.248/net/socket.c
607+--- linux-4.19.256.orig/net/socket.c
608++++ linux-4.19.256/net/socket.c
609609 @@ -1702,6 +1702,10 @@ int __sys_accept4(int fd, struct sockadd
610610 if (err < 0)
611611 goto out_fd;
@@ -617,8 +617,8 @@
617617 if (upeer_sockaddr) {
618618 len = newsock->ops->getname(newsock,
619619 (struct sockaddr *)&address, 2);
620---- linux-4.19.248.orig/net/unix/af_unix.c
621-+++ linux-4.19.248/net/unix/af_unix.c
620+--- linux-4.19.256.orig/net/unix/af_unix.c
621++++ linux-4.19.256/net/unix/af_unix.c
622622 @@ -2169,6 +2169,10 @@ static int unix_dgram_recvmsg(struct soc
623623 EPOLLOUT | EPOLLWRNORM |
624624 EPOLLWRBAND);
@@ -638,8 +638,8 @@
638638 mutex_unlock(&u->iolock);
639639 out:
640640 return err;
641---- linux-4.19.248.orig/security/Kconfig
642-+++ linux-4.19.248/security/Kconfig
641+--- linux-4.19.256.orig/security/Kconfig
642++++ linux-4.19.256/security/Kconfig
643643 @@ -279,5 +279,7 @@ config DEFAULT_SECURITY
644644 default "apparmor" if DEFAULT_SECURITY_APPARMOR
645645 default "" if DEFAULT_SECURITY_DAC
@@ -648,8 +648,8 @@
648648 +
649649 endmenu
650650
651---- linux-4.19.248.orig/security/Makefile
652-+++ linux-4.19.248/security/Makefile
651+--- linux-4.19.256.orig/security/Makefile
652++++ linux-4.19.256/security/Makefile
653653 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654654 # Object integrity file lists
655655 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -657,8 +657,8 @@
657657 +
658658 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
659659 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
660---- linux-4.19.248.orig/security/security.c
661-+++ linux-4.19.248/security/security.c
660+--- linux-4.19.256.orig/security/security.c
661++++ linux-4.19.256/security/security.c
662662 @@ -984,12 +984,19 @@ int security_file_open(struct file *file
663663
664664 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.9.319.
1+This is TOMOYO Linux patch for kernel 4.9.326.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.319.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.326.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/Makefile | 3 ++
2929 24 files changed, 147 insertions(+), 26 deletions(-)
3030
31---- linux-4.9.319.orig/fs/exec.c
32-+++ linux-4.9.319/fs/exec.c
31+--- linux-4.9.326.orig/fs/exec.c
32++++ linux-4.9.326/fs/exec.c
3333 @@ -1662,7 +1662,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.9.319.orig/fs/open.c
43-+++ linux-4.9.319/fs/open.c
42+--- linux-4.9.326.orig/fs/open.c
43++++ linux-4.9.326/fs/open.c
4444 @@ -1173,6 +1173,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.9.319.orig/fs/proc/version.c
54-+++ linux-4.9.319/fs/proc/version.c
53+--- linux-4.9.326.orig/fs/proc/version.c
54++++ linux-4.9.326/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.9.319 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 4.9.326 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.9.319.orig/include/linux/init_task.h
67-+++ linux-4.9.319/include/linux/init_task.h
66+--- linux-4.9.326.orig/include/linux/init_task.h
67++++ linux-4.9.326/include/linux/init_task.h
6868 @@ -193,6 +193,14 @@ extern struct task_group root_task_group
6969 # define INIT_TASK_TI(tsk)
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.9.319.orig/include/linux/sched.h
92-+++ linux-4.9.319/include/linux/sched.h
91+--- linux-4.9.326.orig/include/linux/sched.h
92++++ linux-4.9.326/include/linux/sched.h
9393 @@ -6,6 +6,8 @@
9494 #include <linux/sched/prio.h>
9595
@@ -110,8 +110,8 @@
110110 /* CPU-specific state of this task */
111111 struct thread_struct thread;
112112 /*
113---- linux-4.9.319.orig/include/linux/security.h
114-+++ linux-4.9.319/include/linux/security.h
113+--- linux-4.9.326.orig/include/linux/security.h
114++++ linux-4.9.326/include/linux/security.h
115115 @@ -55,6 +55,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -120,7 +120,7 @@
120120
121121 /* If capable should audit the security request */
122122 #define SECURITY_CAP_NOAUDIT 0
123-@@ -476,7 +477,10 @@ static inline int security_syslog(int ty
123+@@ -475,7 +476,10 @@ static inline int security_syslog(int ty
124124 static inline int security_settime64(const struct timespec64 *ts,
125125 const struct timezone *tz)
126126 {
@@ -132,7 +132,7 @@
132132 }
133133
134134 static inline int security_settime(const struct timespec *ts,
135-@@ -553,18 +557,18 @@ static inline int security_sb_mount(cons
135+@@ -552,18 +556,18 @@ static inline int security_sb_mount(cons
136136 const char *type, unsigned long flags,
137137 void *data)
138138 {
@@ -154,7 +154,7 @@
154154 }
155155
156156 static inline int security_sb_set_mnt_opts(struct super_block *sb,
157-@@ -711,7 +715,7 @@ static inline int security_inode_setattr
157+@@ -710,7 +714,7 @@ static inline int security_inode_setattr
158158
159159 static inline int security_inode_getattr(const struct path *path)
160160 {
@@ -163,7 +163,7 @@
163163 }
164164
165165 static inline int security_inode_setxattr(struct dentry *dentry,
166-@@ -797,7 +801,7 @@ static inline void security_file_free(st
166+@@ -796,7 +800,7 @@ static inline void security_file_free(st
167167 static inline int security_file_ioctl(struct file *file, unsigned int cmd,
168168 unsigned long arg)
169169 {
@@ -172,7 +172,7 @@
172172 }
173173
174174 static inline int security_mmap_file(struct file *file, unsigned long prot,
175-@@ -826,7 +830,7 @@ static inline int security_file_lock(str
175+@@ -825,7 +829,7 @@ static inline int security_file_lock(str
176176 static inline int security_file_fcntl(struct file *file, unsigned int cmd,
177177 unsigned long arg)
178178 {
@@ -181,7 +181,7 @@
181181 }
182182
183183 static inline void security_file_set_fowner(struct file *file)
184-@@ -849,7 +853,7 @@ static inline int security_file_receive(
184+@@ -848,7 +852,7 @@ static inline int security_file_receive(
185185 static inline int security_file_open(struct file *file,
186186 const struct cred *cred)
187187 {
@@ -190,7 +190,7 @@
190190 }
191191
192192 static inline int security_task_create(unsigned long clone_flags)
193-@@ -1217,7 +1221,7 @@ static inline int security_unix_may_send
193+@@ -1211,7 +1215,7 @@ static inline int security_unix_may_send
194194 static inline int security_socket_create(int family, int type,
195195 int protocol, int kern)
196196 {
@@ -199,7 +199,7 @@
199199 }
200200
201201 static inline int security_socket_post_create(struct socket *sock,
202-@@ -1232,19 +1236,19 @@ static inline int security_socket_bind(s
202+@@ -1226,19 +1230,19 @@ static inline int security_socket_bind(s
203203 struct sockaddr *address,
204204 int addrlen)
205205 {
@@ -222,7 +222,7 @@
222222 }
223223
224224 static inline int security_socket_accept(struct socket *sock,
225-@@ -1256,7 +1260,7 @@ static inline int security_socket_accept
225+@@ -1250,7 +1254,7 @@ static inline int security_socket_accept
226226 static inline int security_socket_sendmsg(struct socket *sock,
227227 struct msghdr *msg, int size)
228228 {
@@ -231,7 +231,7 @@
231231 }
232232
233233 static inline int security_socket_recvmsg(struct socket *sock,
234-@@ -1498,42 +1502,42 @@ int security_path_chroot(const struct pa
234+@@ -1492,42 +1496,42 @@ int security_path_chroot(const struct pa
235235 #else /* CONFIG_SECURITY_PATH */
236236 static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
237237 {
@@ -281,7 +281,7 @@
281281 }
282282
283283 static inline int security_path_rename(const struct path *old_dir,
284-@@ -1542,22 +1546,32 @@ static inline int security_path_rename(c
284+@@ -1536,22 +1540,32 @@ static inline int security_path_rename(c
285285 struct dentry *new_dentry,
286286 unsigned int flags)
287287 {
@@ -318,8 +318,8 @@
318318 }
319319 #endif /* CONFIG_SECURITY_PATH */
320320
321---- linux-4.9.319.orig/include/net/ip.h
322-+++ linux-4.9.319/include/net/ip.h
321+--- linux-4.9.326.orig/include/net/ip.h
322++++ linux-4.9.326/include/net/ip.h
323323 @@ -254,6 +254,8 @@ void inet_get_local_port_range(struct ne
324324 #ifdef CONFIG_SYSCTL
325325 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -338,8 +338,8 @@
338338 return 0;
339339 }
340340 #endif
341---- linux-4.9.319.orig/kernel/fork.c
342-+++ linux-4.9.319/kernel/fork.c
341+--- linux-4.9.326.orig/kernel/fork.c
342++++ linux-4.9.326/kernel/fork.c
343343 @@ -395,6 +395,7 @@ void __put_task_struct(struct task_struc
344344 delayacct_tsk_free(tsk);
345345 put_signal_struct(tsk->signal);
@@ -366,8 +366,8 @@
366366 bad_fork_cleanup_perf:
367367 perf_event_free_task(p);
368368 bad_fork_cleanup_policy:
369---- linux-4.9.319.orig/kernel/kexec.c
370-+++ linux-4.9.319/kernel/kexec.c
369+--- linux-4.9.326.orig/kernel/kexec.c
370++++ linux-4.9.326/kernel/kexec.c
371371 @@ -17,7 +17,7 @@
372372 #include <linux/syscalls.h>
373373 #include <linux/vmalloc.h>
@@ -386,8 +386,8 @@
386386
387387 /*
388388 * Verify we have a legal set of flags
389---- linux-4.9.319.orig/kernel/module.c
390-+++ linux-4.9.319/kernel/module.c
389+--- linux-4.9.326.orig/kernel/module.c
390++++ linux-4.9.326/kernel/module.c
391391 @@ -63,6 +63,7 @@
392392 #include <linux/dynamic_debug.h>
393393 #include <uapi/linux/module.h>
@@ -414,8 +414,8 @@
414414
415415 return 0;
416416 }
417---- linux-4.9.319.orig/kernel/ptrace.c
418-+++ linux-4.9.319/kernel/ptrace.c
417+--- linux-4.9.326.orig/kernel/ptrace.c
418++++ linux-4.9.326/kernel/ptrace.c
419419 @@ -1178,6 +1178,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420420 {
421421 struct task_struct *child;
@@ -440,8 +440,8 @@
440440
441441 if (request == PTRACE_TRACEME) {
442442 ret = ptrace_traceme();
443---- linux-4.9.319.orig/kernel/reboot.c
444-+++ linux-4.9.319/kernel/reboot.c
443+--- linux-4.9.326.orig/kernel/reboot.c
444++++ linux-4.9.326/kernel/reboot.c
445445 @@ -16,6 +16,7 @@
446446 #include <linux/syscalls.h>
447447 #include <linux/syscore_ops.h>
@@ -459,8 +459,8 @@
459459
460460 /*
461461 * If pid namespaces are enabled and the current task is in a child
462---- linux-4.9.319.orig/kernel/sched/core.c
463-+++ linux-4.9.319/kernel/sched/core.c
462+--- linux-4.9.326.orig/kernel/sched/core.c
463++++ linux-4.9.326/kernel/sched/core.c
464464 @@ -3817,6 +3817,8 @@ int can_nice(const struct task_struct *p
465465 SYSCALL_DEFINE1(nice, int, increment)
466466 {
@@ -470,8 +470,8 @@
470470
471471 /*
472472 * Setpriority might change our priority at the same moment.
473---- linux-4.9.319.orig/kernel/signal.c
474-+++ linux-4.9.319/kernel/signal.c
473+--- linux-4.9.326.orig/kernel/signal.c
474++++ linux-4.9.326/kernel/signal.c
475475 @@ -2930,6 +2930,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476476 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477477 {
@@ -517,8 +517,8 @@
517517
518518 return do_send_specific(tgid, pid, sig, info);
519519 }
520---- linux-4.9.319.orig/kernel/sys.c
521-+++ linux-4.9.319/kernel/sys.c
520+--- linux-4.9.326.orig/kernel/sys.c
521++++ linux-4.9.326/kernel/sys.c
522522 @@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523523
524524 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -548,8 +548,8 @@
548548
549549 errno = -EFAULT;
550550 if (!copy_from_user(tmp, name, len)) {
551---- linux-4.9.319.orig/kernel/time/ntp.c
552-+++ linux-4.9.319/kernel/time/ntp.c
551+--- linux-4.9.326.orig/kernel/time/ntp.c
552++++ linux-4.9.326/kernel/time/ntp.c
553553 @@ -17,6 +17,7 @@
554554 #include <linux/module.h>
555555 #include <linux/rtc.h>
@@ -583,8 +583,8 @@
583583
584584 if (txc->modes & ADJ_NANO) {
585585 struct timespec ts;
586---- linux-4.9.319.orig/net/ipv4/raw.c
587-+++ linux-4.9.319/net/ipv4/raw.c
586+--- linux-4.9.326.orig/net/ipv4/raw.c
587++++ linux-4.9.326/net/ipv4/raw.c
588588 @@ -749,6 +749,10 @@ static int raw_recvmsg(struct sock *sk,
589589 skb = skb_recv_datagram(sk, flags, noblock, &err);
590590 if (!skb)
@@ -596,8 +596,8 @@
596596
597597 copied = skb->len;
598598 if (len < copied) {
599---- linux-4.9.319.orig/net/ipv4/udp.c
600-+++ linux-4.9.319/net/ipv4/udp.c
599+--- linux-4.9.326.orig/net/ipv4/udp.c
600++++ linux-4.9.326/net/ipv4/udp.c
601601 @@ -1271,6 +1271,8 @@ try_again:
602602 &peeked, &off, &err);
603603 if (!skb)
@@ -607,8 +607,8 @@
607607
608608 ulen = skb->len;
609609 copied = len;
610---- linux-4.9.319.orig/net/ipv6/raw.c
611-+++ linux-4.9.319/net/ipv6/raw.c
610+--- linux-4.9.326.orig/net/ipv6/raw.c
611++++ linux-4.9.326/net/ipv6/raw.c
612612 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
613613 skb = skb_recv_datagram(sk, flags, noblock, &err);
614614 if (!skb)
@@ -620,8 +620,8 @@
620620
621621 copied = skb->len;
622622 if (copied > len) {
623---- linux-4.9.319.orig/net/ipv6/udp.c
624-+++ linux-4.9.319/net/ipv6/udp.c
623+--- linux-4.9.326.orig/net/ipv6/udp.c
624++++ linux-4.9.326/net/ipv6/udp.c
625625 @@ -348,6 +348,8 @@ try_again:
626626 &peeked, &off, &err);
627627 if (!skb)
@@ -631,8 +631,8 @@
631631
632632 ulen = skb->len;
633633 copied = len;
634---- linux-4.9.319.orig/net/socket.c
635-+++ linux-4.9.319/net/socket.c
634+--- linux-4.9.326.orig/net/socket.c
635++++ linux-4.9.326/net/socket.c
636636 @@ -1482,6 +1482,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
637637 if (err < 0)
638638 goto out_fd;
@@ -644,8 +644,8 @@
644644 if (upeer_sockaddr) {
645645 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
646646 &len, 2) < 0) {
647---- linux-4.9.319.orig/net/unix/af_unix.c
648-+++ linux-4.9.319/net/unix/af_unix.c
647+--- linux-4.9.326.orig/net/unix/af_unix.c
648++++ linux-4.9.326/net/unix/af_unix.c
649649 @@ -2167,6 +2167,10 @@ static int unix_dgram_recvmsg(struct soc
650650 POLLOUT | POLLWRNORM |
651651 POLLWRBAND);
@@ -665,8 +665,8 @@
665665 mutex_unlock(&u->iolock);
666666 out:
667667 return err;
668---- linux-4.9.319.orig/security/Kconfig
669-+++ linux-4.9.319/security/Kconfig
668+--- linux-4.9.326.orig/security/Kconfig
669++++ linux-4.9.326/security/Kconfig
670670 @@ -214,5 +214,7 @@ config DEFAULT_SECURITY
671671 default "apparmor" if DEFAULT_SECURITY_APPARMOR
672672 default "" if DEFAULT_SECURITY_DAC
@@ -675,8 +675,8 @@
675675 +
676676 endmenu
677677
678---- linux-4.9.319.orig/security/Makefile
679-+++ linux-4.9.319/security/Makefile
678+--- linux-4.9.326.orig/security/Makefile
679++++ linux-4.9.326/security/Makefile
680680 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
681681 # Object integrity file lists
682682 subdir-$(CONFIG_INTEGRITY) += integrity
--- trunk/caitsith-patch/patches/ccs-patch-5.10.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-5.10.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.10.123.
1+This is TOMOYO Linux patch for kernel 5.10.139.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.10.123.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.10.139.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,9 +28,9 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.10.123.orig/fs/exec.c
32-+++ linux-5.10.123/fs/exec.c
33-@@ -1823,7 +1823,7 @@ static int bprm_execve(struct linux_binp
31+--- linux-5.10.139.orig/fs/exec.c
32++++ linux-5.10.139/fs/exec.c
33+@@ -1826,7 +1826,7 @@ static int bprm_execve(struct linux_binp
3434 if (retval)
3535 goto out;
3636
@@ -39,8 +39,8 @@
3939 if (retval < 0)
4040 goto out;
4141
42---- linux-5.10.123.orig/fs/open.c
43-+++ linux-5.10.123/fs/open.c
42+--- linux-5.10.139.orig/fs/open.c
43++++ linux-5.10.139/fs/open.c
4444 @@ -1339,6 +1339,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.10.123.orig/fs/proc/version.c
54-+++ linux-5.10.123/fs/proc/version.c
53+--- linux-5.10.139.orig/fs/proc/version.c
54++++ linux-5.10.139/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.10.123 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 5.10.139 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.10.123.orig/include/linux/sched.h
67-+++ linux-5.10.123/include/linux/sched.h
66+--- linux-5.10.139.orig/include/linux/sched.h
67++++ linux-5.10.139/include/linux/sched.h
6868 @@ -41,6 +41,7 @@ struct backing_dev_info;
6969 struct bio_list;
7070 struct blk_plug;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
8686 unsigned long lowest_stack;
87---- linux-5.10.123.orig/include/linux/security.h
88-+++ linux-5.10.123/include/linux/security.h
87+--- linux-5.10.139.orig/include/linux/security.h
88++++ linux-5.10.139/include/linux/security.h
8989 @@ -59,6 +59,7 @@ struct fs_parameter;
9090 enum fs_value_type;
9191 struct watch;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.10.123.orig/include/net/ip.h
319-+++ linux-5.10.123/include/net/ip.h
318+--- linux-5.10.139.orig/include/net/ip.h
319++++ linux-5.10.139/include/net/ip.h
320320 @@ -340,6 +340,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
@@ -335,8 +335,8 @@
335335 return false;
336336 }
337337
338---- linux-5.10.123.orig/init/init_task.c
339-+++ linux-5.10.123/init/init_task.c
338+--- linux-5.10.139.orig/init/init_task.c
339++++ linux-5.10.139/init/init_task.c
340340 @@ -213,6 +213,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECCOMP_FILTER
342342 .seccomp = { .filter_count = ATOMIC_INIT(0) },
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.10.123.orig/kernel/kexec.c
352-+++ linux-5.10.123/kernel/kexec.c
351+--- linux-5.10.139.orig/kernel/kexec.c
352++++ linux-5.10.139/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
371---- linux-5.10.123.orig/kernel/module.c
372-+++ linux-5.10.123/kernel/module.c
371+--- linux-5.10.139.orig/kernel/module.c
372++++ linux-5.10.139/kernel/module.c
373373 @@ -59,6 +59,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.10.123.orig/kernel/ptrace.c
400-+++ linux-5.10.123/kernel/ptrace.c
399+--- linux-5.10.139.orig/kernel/ptrace.c
400++++ linux-5.10.139/kernel/ptrace.c
401401 @@ -1270,6 +1270,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.10.123.orig/kernel/reboot.c
426-+++ linux-5.10.123/kernel/reboot.c
425+--- linux-5.10.139.orig/kernel/reboot.c
426++++ linux-5.10.139/kernel/reboot.c
427427 @@ -17,6 +17,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,9 +441,9 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.10.123.orig/kernel/sched/core.c
445-+++ linux-5.10.123/kernel/sched/core.c
446-@@ -5057,6 +5057,8 @@ int can_nice(const struct task_struct *p
444+--- linux-5.10.139.orig/kernel/sched/core.c
445++++ linux-5.10.139/kernel/sched/core.c
446+@@ -5062,6 +5062,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
449449 long nice, retval;
@@ -452,8 +452,8 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.10.123.orig/kernel/signal.c
456-+++ linux-5.10.123/kernel/signal.c
455+--- linux-5.10.139.orig/kernel/signal.c
456++++ linux-5.10.139/kernel/signal.c
457457 @@ -3648,6 +3648,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.10.123.orig/kernel/sys.c
525-+++ linux-5.10.123/kernel/sys.c
524+--- linux-5.10.139.orig/kernel/sys.c
525++++ linux-5.10.139/kernel/sys.c
526526 @@ -205,6 +205,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,17 +552,17 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.10.123.orig/kernel/time/timekeeping.c
556-+++ linux-5.10.123/kernel/time/timekeeping.c
557-@@ -23,6 +23,7 @@
558- #include <linux/pvclock_gtod.h>
555+--- linux-5.10.139.orig/kernel/time/timekeeping.c
556++++ linux-5.10.139/kernel/time/timekeeping.c
557+@@ -24,6 +24,7 @@
559558 #include <linux/compiler.h>
560559 #include <linux/audit.h>
560+ #include <linux/random.h>
561561 +#include <linux/ccsecurity.h>
562562
563563 #include "tick-internal.h"
564564 #include "ntp_internal.h"
565-@@ -2326,10 +2327,15 @@ static int timekeeping_validate_timex(co
565+@@ -2329,10 +2330,15 @@ static int timekeeping_validate_timex(co
566566 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567567 !capable(CAP_SYS_TIME))
568568 return -EPERM;
@@ -578,7 +578,7 @@
578578 /*
579579 * if the quartz is off by more than 10% then
580580 * something is VERY wrong!
581-@@ -2344,6 +2350,8 @@ static int timekeeping_validate_timex(co
581+@@ -2347,6 +2353,8 @@ static int timekeeping_validate_timex(co
582582 /* In order to inject time, you gotta be super-user! */
583583 if (!capable(CAP_SYS_TIME))
584584 return -EPERM;
@@ -587,8 +587,8 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.10.123.orig/net/ipv4/raw.c
591-+++ linux-5.10.123/net/ipv4/raw.c
590+--- linux-5.10.139.orig/net/ipv4/raw.c
591++++ linux-5.10.139/net/ipv4/raw.c
592592 @@ -771,6 +771,10 @@ static int raw_recvmsg(struct sock *sk,
593593 skb = skb_recv_datagram(sk, flags, noblock, &err);
594594 if (!skb)
@@ -600,8 +600,8 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.10.123.orig/net/ipv4/udp.c
604-+++ linux-5.10.123/net/ipv4/udp.c
603+--- linux-5.10.139.orig/net/ipv4/udp.c
604++++ linux-5.10.139/net/ipv4/udp.c
605605 @@ -1808,6 +1808,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
@@ -611,8 +611,8 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.10.123.orig/net/ipv6/raw.c
615-+++ linux-5.10.123/net/ipv6/raw.c
614+--- linux-5.10.139.orig/net/ipv6/raw.c
615++++ linux-5.10.139/net/ipv6/raw.c
616616 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617617 skb = skb_recv_datagram(sk, flags, noblock, &err);
618618 if (!skb)
@@ -624,8 +624,8 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.10.123.orig/net/ipv6/udp.c
628-+++ linux-5.10.123/net/ipv6/udp.c
627+--- linux-5.10.139.orig/net/ipv6/udp.c
628++++ linux-5.10.139/net/ipv6/udp.c
629629 @@ -344,6 +344,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.10.123.orig/net/socket.c
639-+++ linux-5.10.123/net/socket.c
638+--- linux-5.10.139.orig/net/socket.c
639++++ linux-5.10.139/net/socket.c
640640 @@ -1744,6 +1744,10 @@ int __sys_accept4_file(struct file *file
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.10.123.orig/net/unix/af_unix.c
652-+++ linux-5.10.123/net/unix/af_unix.c
651+--- linux-5.10.139.orig/net/unix/af_unix.c
652++++ linux-5.10.139/net/unix/af_unix.c
653653 @@ -2197,6 +2197,10 @@ static int unix_dgram_recvmsg(struct soc
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
@@ -669,9 +669,9 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.10.123.orig/security/Kconfig
673-+++ linux-5.10.123/security/Kconfig
674-@@ -294,5 +294,7 @@ config LSM
672+--- linux-5.10.139.orig/security/Kconfig
673++++ linux-5.10.139/security/Kconfig
674+@@ -283,5 +283,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
677677
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.10.123.orig/security/Makefile
683-+++ linux-5.10.123/security/Makefile
682+--- linux-5.10.139.orig/security/Makefile
683++++ linux-5.10.139/security/Makefile
684684 @@ -36,3 +36,6 @@ obj-$(CONFIG_BPF_LSM) += bpf/
685685 # Object integrity file lists
686686 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.10.123.orig/security/security.c
692-+++ linux-5.10.123/security/security.c
691+--- linux-5.10.139.orig/security/security.c
692++++ linux-5.10.139/security/security.c
693693 @@ -1601,7 +1601,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.15.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-5.15.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.15.48.
1+This is TOMOYO Linux patch for kernel 5.15.63.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.15.48.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.15.63.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,9 +28,9 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.15.48.orig/fs/exec.c
32-+++ linux-5.15.48/fs/exec.c
33-@@ -1838,7 +1838,7 @@ static int bprm_execve(struct linux_binp
31+--- linux-5.15.63.orig/fs/exec.c
32++++ linux-5.15.63/fs/exec.c
33+@@ -1841,7 +1841,7 @@ static int bprm_execve(struct linux_binp
3434 if (retval)
3535 goto out;
3636
@@ -39,9 +39,9 @@
3939 if (retval < 0)
4040 goto out;
4141
42---- linux-5.15.48.orig/fs/open.c
43-+++ linux-5.15.48/fs/open.c
44-@@ -1371,6 +1371,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
42+--- linux-5.15.63.orig/fs/open.c
43++++ linux-5.15.63/fs/open.c
44+@@ -1373,6 +1373,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
4545 */
4646 SYSCALL_DEFINE0(vhangup)
4747 {
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.15.48.orig/fs/proc/version.c
54-+++ linux-5.15.48/fs/proc/version.c
53+--- linux-5.15.63.orig/fs/proc/version.c
54++++ linux-5.15.63/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.15.48 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 5.15.63 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.15.48.orig/include/linux/sched.h
67-+++ linux-5.15.48/include/linux/sched.h
66+--- linux-5.15.63.orig/include/linux/sched.h
67++++ linux-5.15.63/include/linux/sched.h
6868 @@ -44,6 +44,7 @@ struct blk_plug;
6969 struct bpf_local_storage;
7070 struct bpf_run_ctx;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_TRACING
8686 /* State flags for use by tracers: */
87---- linux-5.15.48.orig/include/linux/security.h
88-+++ linux-5.15.48/include/linux/security.h
87+--- linux-5.15.63.orig/include/linux/security.h
88++++ linux-5.15.63/include/linux/security.h
8989 @@ -59,6 +59,7 @@ struct fs_parameter;
9090 enum fs_value_type;
9191 struct watch;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.15.48.orig/include/net/ip.h
319-+++ linux-5.15.48/include/net/ip.h
318+--- linux-5.15.63.orig/include/net/ip.h
319++++ linux-5.15.63/include/net/ip.h
320320 @@ -340,6 +340,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
@@ -335,8 +335,8 @@
335335 return false;
336336 }
337337
338---- linux-5.15.48.orig/init/init_task.c
339-+++ linux-5.15.48/init/init_task.c
338+--- linux-5.15.63.orig/init/init_task.c
339++++ linux-5.15.63/init/init_task.c
340340 @@ -214,6 +214,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECCOMP_FILTER
342342 .seccomp = { .filter_count = ATOMIC_INIT(0) },
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.15.48.orig/kernel/kexec.c
352-+++ linux-5.15.48/kernel/kexec.c
351+--- linux-5.15.63.orig/kernel/kexec.c
352++++ linux-5.15.63/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
371---- linux-5.15.48.orig/kernel/module.c
372-+++ linux-5.15.48/kernel/module.c
371+--- linux-5.15.63.orig/kernel/module.c
372++++ linux-5.15.63/kernel/module.c
373373 @@ -59,6 +59,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -387,7 +387,7 @@
387387
388388 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
389389 return -EFAULT;
390-@@ -3780,6 +3783,8 @@ static int may_init_module(void)
390+@@ -3819,6 +3822,8 @@ static int may_init_module(void)
391391 {
392392 if (!capable(CAP_SYS_MODULE) || modules_disabled)
393393 return -EPERM;
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.15.48.orig/kernel/ptrace.c
400-+++ linux-5.15.48/kernel/ptrace.c
399+--- linux-5.15.63.orig/kernel/ptrace.c
400++++ linux-5.15.63/kernel/ptrace.c
401401 @@ -1295,6 +1295,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.15.48.orig/kernel/reboot.c
426-+++ linux-5.15.48/kernel/reboot.c
425+--- linux-5.15.63.orig/kernel/reboot.c
426++++ linux-5.15.63/kernel/reboot.c
427427 @@ -18,6 +18,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,9 +441,9 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.15.48.orig/kernel/sched/core.c
445-+++ linux-5.15.48/kernel/sched/core.c
446-@@ -6958,6 +6958,8 @@ int can_nice(const struct task_struct *p
444+--- linux-5.15.63.orig/kernel/sched/core.c
445++++ linux-5.15.63/kernel/sched/core.c
446+@@ -7002,6 +7002,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
449449 long nice, retval;
@@ -452,8 +452,8 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.15.48.orig/kernel/signal.c
456-+++ linux-5.15.48/kernel/signal.c
455+--- linux-5.15.63.orig/kernel/signal.c
456++++ linux-5.15.63/kernel/signal.c
457457 @@ -3800,6 +3800,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.15.48.orig/kernel/sys.c
525-+++ linux-5.15.48/kernel/sys.c
524+--- linux-5.15.63.orig/kernel/sys.c
525++++ linux-5.15.63/kernel/sys.c
526526 @@ -211,6 +211,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,17 +552,17 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.15.48.orig/kernel/time/timekeeping.c
556-+++ linux-5.15.48/kernel/time/timekeeping.c
557-@@ -23,6 +23,7 @@
558- #include <linux/pvclock_gtod.h>
555+--- linux-5.15.63.orig/kernel/time/timekeeping.c
556++++ linux-5.15.63/kernel/time/timekeeping.c
557+@@ -24,6 +24,7 @@
559558 #include <linux/compiler.h>
560559 #include <linux/audit.h>
560+ #include <linux/random.h>
561561 +#include <linux/ccsecurity.h>
562562
563563 #include "tick-internal.h"
564564 #include "ntp_internal.h"
565-@@ -2328,10 +2329,15 @@ static int timekeeping_validate_timex(co
565+@@ -2331,10 +2332,15 @@ static int timekeeping_validate_timex(co
566566 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567567 !capable(CAP_SYS_TIME))
568568 return -EPERM;
@@ -578,7 +578,7 @@
578578 /*
579579 * if the quartz is off by more than 10% then
580580 * something is VERY wrong!
581-@@ -2346,6 +2352,8 @@ static int timekeeping_validate_timex(co
581+@@ -2349,6 +2355,8 @@ static int timekeeping_validate_timex(co
582582 /* In order to inject time, you gotta be super-user! */
583583 if (!capable(CAP_SYS_TIME))
584584 return -EPERM;
@@ -587,8 +587,8 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.15.48.orig/net/ipv4/raw.c
591-+++ linux-5.15.48/net/ipv4/raw.c
590+--- linux-5.15.63.orig/net/ipv4/raw.c
591++++ linux-5.15.63/net/ipv4/raw.c
592592 @@ -771,6 +771,10 @@ static int raw_recvmsg(struct sock *sk,
593593 skb = skb_recv_datagram(sk, flags, noblock, &err);
594594 if (!skb)
@@ -600,8 +600,8 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.15.48.orig/net/ipv4/udp.c
604-+++ linux-5.15.48/net/ipv4/udp.c
603+--- linux-5.15.63.orig/net/ipv4/udp.c
604++++ linux-5.15.63/net/ipv4/udp.c
605605 @@ -1862,6 +1862,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
@@ -611,8 +611,8 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.15.48.orig/net/ipv6/raw.c
615-+++ linux-5.15.48/net/ipv6/raw.c
614+--- linux-5.15.63.orig/net/ipv6/raw.c
615++++ linux-5.15.63/net/ipv6/raw.c
616616 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617617 skb = skb_recv_datagram(sk, flags, noblock, &err);
618618 if (!skb)
@@ -624,8 +624,8 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.15.48.orig/net/ipv6/udp.c
628-+++ linux-5.15.48/net/ipv6/udp.c
627+--- linux-5.15.63.orig/net/ipv6/udp.c
628++++ linux-5.15.63/net/ipv6/udp.c
629629 @@ -344,6 +344,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.15.48.orig/net/socket.c
639-+++ linux-5.15.48/net/socket.c
638+--- linux-5.15.63.orig/net/socket.c
639++++ linux-5.15.63/net/socket.c
640640 @@ -1778,6 +1778,10 @@ struct file *do_accept(struct file *file
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.15.48.orig/net/unix/af_unix.c
652-+++ linux-5.15.48/net/unix/af_unix.c
651+--- linux-5.15.63.orig/net/unix/af_unix.c
652++++ linux-5.15.63/net/unix/af_unix.c
653653 @@ -2331,6 +2331,10 @@ int __unix_dgram_recvmsg(struct sock *sk
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
@@ -669,9 +669,9 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.15.48.orig/security/Kconfig
673-+++ linux-5.15.48/security/Kconfig
674-@@ -295,5 +295,7 @@ config LSM
672+--- linux-5.15.63.orig/security/Kconfig
673++++ linux-5.15.63/security/Kconfig
674+@@ -284,5 +284,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
677677
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.15.48.orig/security/Makefile
683-+++ linux-5.15.48/security/Makefile
682+--- linux-5.15.63.orig/security/Makefile
683++++ linux-5.15.63/security/Makefile
684684 @@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
685685
686686 # Object integrity file lists
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.15.48.orig/security/security.c
692-+++ linux-5.15.48/security/security.c
691+--- linux-5.15.63.orig/security/security.c
692++++ linux-5.15.63/security/security.c
693693 @@ -1659,7 +1659,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.18.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-5.18.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.18.5.
1+This is TOMOYO Linux patch for kernel 5.18.19.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.18.5.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.18.19.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,9 +28,9 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.18.5.orig/fs/exec.c
32-+++ linux-5.18.5/fs/exec.c
33-@@ -1831,7 +1831,7 @@ static int bprm_execve(struct linux_binp
31+--- linux-5.18.19.orig/fs/exec.c
32++++ linux-5.18.19/fs/exec.c
33+@@ -1834,7 +1834,7 @@ static int bprm_execve(struct linux_binp
3434 if (retval)
3535 goto out;
3636
@@ -39,8 +39,8 @@
3939 if (retval < 0)
4040 goto out;
4141
42---- linux-5.18.5.orig/fs/open.c
43-+++ linux-5.18.5/fs/open.c
42+--- linux-5.18.19.orig/fs/open.c
43++++ linux-5.18.19/fs/open.c
4444 @@ -1374,6 +1374,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.18.5.orig/fs/proc/version.c
54-+++ linux-5.18.5/fs/proc/version.c
53+--- linux-5.18.19.orig/fs/proc/version.c
54++++ linux-5.18.19/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.18.5 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 5.18.19 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.18.5.orig/include/linux/sched.h
67-+++ linux-5.18.5/include/linux/sched.h
66+--- linux-5.18.19.orig/include/linux/sched.h
67++++ linux-5.18.19/include/linux/sched.h
6868 @@ -44,6 +44,7 @@ struct blk_plug;
6969 struct bpf_local_storage;
7070 struct bpf_run_ctx;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_TRACING
8686 /* State flags for use by tracers: */
87---- linux-5.18.5.orig/include/linux/security.h
88-+++ linux-5.18.5/include/linux/security.h
87+--- linux-5.18.19.orig/include/linux/security.h
88++++ linux-5.18.19/include/linux/security.h
8989 @@ -59,6 +59,7 @@ struct fs_parameter;
9090 enum fs_value_type;
9191 struct watch;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.18.5.orig/include/net/ip.h
319-+++ linux-5.18.5/include/net/ip.h
318+--- linux-5.18.19.orig/include/net/ip.h
319++++ linux-5.18.19/include/net/ip.h
320320 @@ -345,6 +345,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
@@ -335,8 +335,8 @@
335335 return false;
336336 }
337337
338---- linux-5.18.5.orig/init/init_task.c
339-+++ linux-5.18.5/init/init_task.c
338+--- linux-5.18.19.orig/init/init_task.c
339++++ linux-5.18.19/init/init_task.c
340340 @@ -209,6 +209,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECCOMP_FILTER
342342 .seccomp = { .filter_count = ATOMIC_INIT(0) },
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.18.5.orig/kernel/kexec.c
352-+++ linux-5.18.5/kernel/kexec.c
351+--- linux-5.18.19.orig/kernel/kexec.c
352++++ linux-5.18.19/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
371---- linux-5.18.5.orig/kernel/module.c
372-+++ linux-5.18.5/kernel/module.c
371+--- linux-5.18.19.orig/kernel/module.c
372++++ linux-5.18.19/kernel/module.c
373373 @@ -59,6 +59,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.18.5.orig/kernel/ptrace.c
400-+++ linux-5.18.5/kernel/ptrace.c
399+--- linux-5.18.19.orig/kernel/ptrace.c
400++++ linux-5.18.19/kernel/ptrace.c
401401 @@ -1293,6 +1293,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.18.5.orig/kernel/reboot.c
426-+++ linux-5.18.5/kernel/reboot.c
425+--- linux-5.18.19.orig/kernel/reboot.c
426++++ linux-5.18.19/kernel/reboot.c
427427 @@ -18,6 +18,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,9 +441,9 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.18.5.orig/kernel/sched/core.c
445-+++ linux-5.18.5/kernel/sched/core.c
446-@@ -6953,6 +6953,8 @@ int can_nice(const struct task_struct *p
444+--- linux-5.18.19.orig/kernel/sched/core.c
445++++ linux-5.18.19/kernel/sched/core.c
446+@@ -6997,6 +6997,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
449449 long nice, retval;
@@ -452,8 +452,8 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.18.5.orig/kernel/signal.c
456-+++ linux-5.18.5/kernel/signal.c
455+--- linux-5.18.19.orig/kernel/signal.c
456++++ linux-5.18.19/kernel/signal.c
457457 @@ -3788,6 +3788,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.18.5.orig/kernel/sys.c
525-+++ linux-5.18.5/kernel/sys.c
524+--- linux-5.18.19.orig/kernel/sys.c
525++++ linux-5.18.19/kernel/sys.c
526526 @@ -212,6 +212,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,17 +552,17 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.18.5.orig/kernel/time/timekeeping.c
556-+++ linux-5.18.5/kernel/time/timekeeping.c
557-@@ -23,6 +23,7 @@
558- #include <linux/pvclock_gtod.h>
555+--- linux-5.18.19.orig/kernel/time/timekeeping.c
556++++ linux-5.18.19/kernel/time/timekeeping.c
557+@@ -24,6 +24,7 @@
559558 #include <linux/compiler.h>
560559 #include <linux/audit.h>
560+ #include <linux/random.h>
561561 +#include <linux/ccsecurity.h>
562562
563563 #include "tick-internal.h"
564564 #include "ntp_internal.h"
565-@@ -2328,10 +2329,15 @@ static int timekeeping_validate_timex(co
565+@@ -2331,10 +2332,15 @@ static int timekeeping_validate_timex(co
566566 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567567 !capable(CAP_SYS_TIME))
568568 return -EPERM;
@@ -578,7 +578,7 @@
578578 /*
579579 * if the quartz is off by more than 10% then
580580 * something is VERY wrong!
581-@@ -2346,6 +2352,8 @@ static int timekeeping_validate_timex(co
581+@@ -2349,6 +2355,8 @@ static int timekeeping_validate_timex(co
582582 /* In order to inject time, you gotta be super-user! */
583583 if (!capable(CAP_SYS_TIME))
584584 return -EPERM;
@@ -587,10 +587,10 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.18.5.orig/net/ipv4/raw.c
591-+++ linux-5.18.5/net/ipv4/raw.c
592-@@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
593- skb = skb_recv_datagram(sk, flags, noblock, &err);
590+--- linux-5.18.19.orig/net/ipv4/raw.c
591++++ linux-5.18.19/net/ipv4/raw.c
592+@@ -745,6 +745,10 @@ static int raw_recvmsg(struct sock *sk,
593+ skb = skb_recv_datagram(sk, flags, &err);
594594 if (!skb)
595595 goto out;
596596 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
@@ -600,8 +600,8 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.18.5.orig/net/ipv4/udp.c
604-+++ linux-5.18.5/net/ipv4/udp.c
603+--- linux-5.18.19.orig/net/ipv4/udp.c
604++++ linux-5.18.19/net/ipv4/udp.c
605605 @@ -1862,6 +1862,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
@@ -611,10 +611,10 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.18.5.orig/net/ipv6/raw.c
615-+++ linux-5.18.5/net/ipv6/raw.c
616-@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617- skb = skb_recv_datagram(sk, flags, noblock, &err);
614+--- linux-5.18.19.orig/net/ipv6/raw.c
615++++ linux-5.18.19/net/ipv6/raw.c
616+@@ -447,6 +447,10 @@ static int rawv6_recvmsg(struct sock *sk
617+ skb = skb_recv_datagram(sk, flags, &err);
618618 if (!skb)
619619 goto out;
620620 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
@@ -624,8 +624,8 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.18.5.orig/net/ipv6/udp.c
628-+++ linux-5.18.5/net/ipv6/udp.c
627+--- linux-5.18.19.orig/net/ipv6/udp.c
628++++ linux-5.18.19/net/ipv6/udp.c
629629 @@ -346,6 +346,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.18.5.orig/net/socket.c
639-+++ linux-5.18.5/net/socket.c
638+--- linux-5.18.19.orig/net/socket.c
639++++ linux-5.18.19/net/socket.c
640640 @@ -1779,6 +1779,10 @@ struct file *do_accept(struct file *file
641641 if (err < 0)
642642 goto out_fd;
@@ -648,9 +648,9 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.18.5.orig/net/unix/af_unix.c
652-+++ linux-5.18.5/net/unix/af_unix.c
653-@@ -2419,6 +2419,10 @@ int __unix_dgram_recvmsg(struct sock *sk
651+--- linux-5.18.19.orig/net/unix/af_unix.c
652++++ linux-5.18.19/net/unix/af_unix.c
653+@@ -2420,6 +2420,10 @@ int __unix_dgram_recvmsg(struct sock *sk
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
656656
@@ -661,7 +661,7 @@
661661 if (msg->msg_name)
662662 unix_copy_addr(msg, skb->sk);
663663
664-@@ -2469,6 +2473,7 @@ int __unix_dgram_recvmsg(struct sock *sk
664+@@ -2470,6 +2474,7 @@ int __unix_dgram_recvmsg(struct sock *sk
665665
666666 out_free:
667667 skb_free_datagram(sk, skb);
@@ -669,9 +669,9 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.18.5.orig/security/Kconfig
673-+++ linux-5.18.5/security/Kconfig
674-@@ -282,5 +282,7 @@ config LSM
672+--- linux-5.18.19.orig/security/Kconfig
673++++ linux-5.18.19/security/Kconfig
674+@@ -271,5 +271,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
677677
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.18.5.orig/security/Makefile
683-+++ linux-5.18.5/security/Makefile
682+--- linux-5.18.19.orig/security/Makefile
683++++ linux-5.18.19/security/Makefile
684684 @@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
685685
686686 # Object integrity file lists
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.18.5.orig/security/security.c
692-+++ linux-5.18.5/security/security.c
691+--- linux-5.18.19.orig/security/security.c
692++++ linux-5.18.19/security/security.c
693693 @@ -1663,7 +1663,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.19.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-5.19.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.19-rc3.
1+This is TOMOYO Linux patch for kernel 5.19.5.
22
3-Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.19-rc3.tar.gz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.19.5.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,9 +28,9 @@
2828 security/security.c | 5 +++
2929 24 files changed, 150 insertions(+), 30 deletions(-)
3030
31---- linux-5.19-rc3.orig/fs/exec.c
32-+++ linux-5.19-rc3/fs/exec.c
33-@@ -1835,7 +1835,7 @@ static int bprm_execve(struct linux_binp
31+--- linux-5.19.5.orig/fs/exec.c
32++++ linux-5.19.5/fs/exec.c
33+@@ -1838,7 +1838,7 @@ static int bprm_execve(struct linux_binp
3434 if (retval)
3535 goto out;
3636
@@ -39,8 +39,8 @@
3939 if (retval < 0)
4040 goto out;
4141
42---- linux-5.19-rc3.orig/fs/open.c
43-+++ linux-5.19-rc3/fs/open.c
42+--- linux-5.19.5.orig/fs/open.c
43++++ linux-5.19.5/fs/open.c
4444 @@ -1439,6 +1439,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.19-rc3.orig/fs/proc/version.c
54-+++ linux-5.19-rc3/fs/proc/version.c
53+--- linux-5.19.5.orig/fs/proc/version.c
54++++ linux-5.19.5/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.19-rc3 2022/06/21\n");
62++ printk(KERN_INFO "Hook version: 5.19.5 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.19-rc3.orig/include/linux/sched.h
67-+++ linux-5.19-rc3/include/linux/sched.h
66+--- linux-5.19.5.orig/include/linux/sched.h
67++++ linux-5.19.5/include/linux/sched.h
6868 @@ -44,6 +44,7 @@ struct blk_plug;
6969 struct bpf_local_storage;
7070 struct bpf_run_ctx;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_TRACING
8686 /* State flags for use by tracers: */
87---- linux-5.19-rc3.orig/include/linux/security.h
88-+++ linux-5.19-rc3/include/linux/security.h
87+--- linux-5.19.5.orig/include/linux/security.h
88++++ linux-5.19.5/include/linux/security.h
8989 @@ -59,6 +59,7 @@ struct fs_parameter;
9090 enum fs_value_type;
9191 struct watch;
@@ -305,8 +305,8 @@
305305 }
306306 #endif /* CONFIG_SECURITY_PATH */
307307
308---- linux-5.19-rc3.orig/include/net/ip.h
309-+++ linux-5.19-rc3/include/net/ip.h
308+--- linux-5.19.5.orig/include/net/ip.h
309++++ linux-5.19.5/include/net/ip.h
310310 @@ -345,6 +345,8 @@ void inet_get_local_port_range(struct ne
311311 #ifdef CONFIG_SYSCTL
312312 static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
@@ -325,8 +325,8 @@
325325 return false;
326326 }
327327
328---- linux-5.19-rc3.orig/init/init_task.c
329-+++ linux-5.19-rc3/init/init_task.c
328+--- linux-5.19.5.orig/init/init_task.c
329++++ linux-5.19.5/init/init_task.c
330330 @@ -209,6 +209,10 @@ struct task_struct init_task
331331 #ifdef CONFIG_SECCOMP_FILTER
332332 .seccomp = { .filter_count = ATOMIC_INIT(0) },
@@ -338,8 +338,8 @@
338338 };
339339 EXPORT_SYMBOL(init_task);
340340
341---- linux-5.19-rc3.orig/kernel/kexec.c
342-+++ linux-5.19-rc3/kernel/kexec.c
341+--- linux-5.19.5.orig/kernel/kexec.c
342++++ linux-5.19.5/kernel/kexec.c
343343 @@ -16,7 +16,7 @@
344344 #include <linux/syscalls.h>
345345 #include <linux/vmalloc.h>
@@ -358,8 +358,8 @@
358358
359359 /* Permit LSMs and IMA to fail the kexec */
360360 result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
361---- linux-5.19-rc3.orig/kernel/module/main.c
362-+++ linux-5.19-rc3/kernel/module/main.c
361+--- linux-5.19.5.orig/kernel/module/main.c
362++++ linux-5.19.5/kernel/module/main.c
363363 @@ -58,6 +58,7 @@
364364
365365 #define CREATE_TRACE_POINTS
@@ -386,8 +386,8 @@
386386
387387 return 0;
388388 }
389---- linux-5.19-rc3.orig/kernel/ptrace.c
390-+++ linux-5.19-rc3/kernel/ptrace.c
389+--- linux-5.19.5.orig/kernel/ptrace.c
390++++ linux-5.19.5/kernel/ptrace.c
391391 @@ -1271,6 +1271,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
392392 {
393393 struct task_struct *child;
@@ -412,8 +412,8 @@
412412
413413 if (request == PTRACE_TRACEME) {
414414 ret = ptrace_traceme();
415---- linux-5.19-rc3.orig/kernel/reboot.c
416-+++ linux-5.19-rc3/kernel/reboot.c
415+--- linux-5.19.5.orig/kernel/reboot.c
416++++ linux-5.19.5/kernel/reboot.c
417417 @@ -18,6 +18,7 @@
418418 #include <linux/syscalls.h>
419419 #include <linux/syscore_ops.h>
@@ -422,7 +422,7 @@
422422
423423 /*
424424 * this indicates whether you can reboot with ctrl-alt-del: the default is yes
425-@@ -700,6 +701,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
425+@@ -698,6 +699,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
426426 magic2 != LINUX_REBOOT_MAGIC2B &&
427427 magic2 != LINUX_REBOOT_MAGIC2C))
428428 return -EINVAL;
@@ -431,9 +431,9 @@
431431
432432 /*
433433 * If pid namespaces are enabled and the current task is in a child
434---- linux-5.19-rc3.orig/kernel/sched/core.c
435-+++ linux-5.19-rc3/kernel/sched/core.c
436-@@ -7023,6 +7023,8 @@ int can_nice(const struct task_struct *p
434+--- linux-5.19.5.orig/kernel/sched/core.c
435++++ linux-5.19.5/kernel/sched/core.c
436+@@ -7049,6 +7049,8 @@ int can_nice(const struct task_struct *p
437437 SYSCALL_DEFINE1(nice, int, increment)
438438 {
439439 long nice, retval;
@@ -442,8 +442,8 @@
442442
443443 /*
444444 * Setpriority might change our priority at the same moment.
445---- linux-5.19-rc3.orig/kernel/signal.c
446-+++ linux-5.19-rc3/kernel/signal.c
445+--- linux-5.19.5.orig/kernel/signal.c
446++++ linux-5.19.5/kernel/signal.c
447447 @@ -3770,6 +3770,8 @@ static inline void prepare_kill_siginfo(
448448 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
449449 {
@@ -511,8 +511,8 @@
511511
512512 return do_send_specific(tgid, pid, sig, info);
513513 }
514---- linux-5.19-rc3.orig/kernel/sys.c
515-+++ linux-5.19-rc3/kernel/sys.c
514+--- linux-5.19.5.orig/kernel/sys.c
515++++ linux-5.19.5/kernel/sys.c
516516 @@ -218,6 +218,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
517517
518518 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -542,17 +542,17 @@
542542
543543 errno = -EFAULT;
544544 if (!copy_from_user(tmp, name, len)) {
545---- linux-5.19-rc3.orig/kernel/time/timekeeping.c
546-+++ linux-5.19-rc3/kernel/time/timekeeping.c
547-@@ -23,6 +23,7 @@
548- #include <linux/pvclock_gtod.h>
545+--- linux-5.19.5.orig/kernel/time/timekeeping.c
546++++ linux-5.19.5/kernel/time/timekeeping.c
547+@@ -24,6 +24,7 @@
549548 #include <linux/compiler.h>
550549 #include <linux/audit.h>
550+ #include <linux/random.h>
551551 +#include <linux/ccsecurity.h>
552552
553553 #include "tick-internal.h"
554554 #include "ntp_internal.h"
555-@@ -2345,10 +2346,15 @@ static int timekeeping_validate_timex(co
555+@@ -2348,10 +2349,15 @@ static int timekeeping_validate_timex(co
556556 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
557557 !capable(CAP_SYS_TIME))
558558 return -EPERM;
@@ -568,7 +568,7 @@
568568 /*
569569 * if the quartz is off by more than 10% then
570570 * something is VERY wrong!
571-@@ -2363,6 +2369,8 @@ static int timekeeping_validate_timex(co
571+@@ -2366,6 +2372,8 @@ static int timekeeping_validate_timex(co
572572 /* In order to inject time, you gotta be super-user! */
573573 if (!capable(CAP_SYS_TIME))
574574 return -EPERM;
@@ -577,9 +577,9 @@
577577
578578 /*
579579 * Validate if a timespec/timeval used to inject a time
580---- linux-5.19-rc3.orig/net/ipv4/raw.c
581-+++ linux-5.19-rc3/net/ipv4/raw.c
582-@@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
580+--- linux-5.19.5.orig/net/ipv4/raw.c
581++++ linux-5.19.5/net/ipv4/raw.c
582+@@ -744,6 +744,10 @@ static int raw_recvmsg(struct sock *sk,
583583 skb = skb_recv_datagram(sk, flags, &err);
584584 if (!skb)
585585 goto out;
@@ -590,8 +590,8 @@
590590
591591 copied = skb->len;
592592 if (len < copied) {
593---- linux-5.19-rc3.orig/net/ipv4/udp.c
594-+++ linux-5.19-rc3/net/ipv4/udp.c
593+--- linux-5.19.5.orig/net/ipv4/udp.c
594++++ linux-5.19.5/net/ipv4/udp.c
595595 @@ -1861,6 +1861,8 @@ try_again:
596596 skb = __skb_recv_udp(sk, flags, &off, &err);
597597 if (!skb)
@@ -601,9 +601,9 @@
601601
602602 ulen = udp_skb_len(skb);
603603 copied = len;
604---- linux-5.19-rc3.orig/net/ipv6/raw.c
605-+++ linux-5.19-rc3/net/ipv6/raw.c
606-@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
604+--- linux-5.19.5.orig/net/ipv6/raw.c
605++++ linux-5.19.5/net/ipv6/raw.c
606+@@ -446,6 +446,10 @@ static int rawv6_recvmsg(struct sock *sk
607607 skb = skb_recv_datagram(sk, flags, &err);
608608 if (!skb)
609609 goto out;
@@ -614,8 +614,8 @@
614614
615615 copied = skb->len;
616616 if (copied > len) {
617---- linux-5.19-rc3.orig/net/ipv6/udp.c
618-+++ linux-5.19-rc3/net/ipv6/udp.c
617+--- linux-5.19.5.orig/net/ipv6/udp.c
618++++ linux-5.19.5/net/ipv6/udp.c
619619 @@ -346,6 +346,8 @@ try_again:
620620 skb = __skb_recv_udp(sk, flags, &off, &err);
621621 if (!skb)
@@ -625,8 +625,8 @@
625625
626626 ulen = udp6_skb_len(skb);
627627 copied = len;
628---- linux-5.19-rc3.orig/net/socket.c
629-+++ linux-5.19-rc3/net/socket.c
628+--- linux-5.19.5.orig/net/socket.c
629++++ linux-5.19.5/net/socket.c
630630 @@ -1858,6 +1858,10 @@ struct file *do_accept(struct file *file
631631 if (err < 0)
632632 goto out_fd;
@@ -638,8 +638,8 @@
638638 if (upeer_sockaddr) {
639639 len = newsock->ops->getname(newsock,
640640 (struct sockaddr *)&address, 2);
641---- linux-5.19-rc3.orig/net/unix/af_unix.c
642-+++ linux-5.19-rc3/net/unix/af_unix.c
641+--- linux-5.19.5.orig/net/unix/af_unix.c
642++++ linux-5.19.5/net/unix/af_unix.c
643643 @@ -2418,6 +2418,10 @@ int __unix_dgram_recvmsg(struct sock *sk
644644 EPOLLOUT | EPOLLWRNORM |
645645 EPOLLWRBAND);
@@ -659,9 +659,9 @@
659659 mutex_unlock(&u->iolock);
660660 out:
661661 return err;
662---- linux-5.19-rc3.orig/security/Kconfig
663-+++ linux-5.19-rc3/security/Kconfig
664-@@ -271,5 +271,7 @@ config LSM
662+--- linux-5.19.5.orig/security/Kconfig
663++++ linux-5.19.5/security/Kconfig
664+@@ -260,5 +260,7 @@ config LSM
665665
666666 source "security/Kconfig.hardening"
667667
@@ -669,8 +669,8 @@
669669 +
670670 endmenu
671671
672---- linux-5.19-rc3.orig/security/Makefile
673-+++ linux-5.19-rc3/security/Makefile
672+--- linux-5.19.5.orig/security/Makefile
673++++ linux-5.19.5/security/Makefile
674674 @@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
675675
676676 # Object integrity file lists
@@ -678,8 +678,8 @@
678678 +
679679 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
680680 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
681---- linux-5.19-rc3.orig/security/security.c
682-+++ linux-5.19-rc3/security/security.c
681+--- linux-5.19.5.orig/security/security.c
682++++ linux-5.19.5/security/security.c
683683 @@ -1655,7 +1655,9 @@ int security_task_alloc(struct task_stru
684684
685685 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.4.diff (revision 370)
+++ trunk/caitsith-patch/patches/ccs-patch-5.4.diff (revision 371)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.4.199.
1+This is TOMOYO Linux patch for kernel 5.4.211.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.199.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.211.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.4.199.orig/fs/exec.c
32-+++ linux-5.4.199/fs/exec.c
31+--- linux-5.4.211.orig/fs/exec.c
32++++ linux-5.4.211/fs/exec.c
3333 @@ -1739,7 +1739,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-5.4.199.orig/fs/open.c
43-+++ linux-5.4.199/fs/open.c
42+--- linux-5.4.211.orig/fs/open.c
43++++ linux-5.4.211/fs/open.c
4444 @@ -1205,6 +1205,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.4.199.orig/fs/proc/version.c
54-+++ linux-5.4.199/fs/proc/version.c
53+--- linux-5.4.211.orig/fs/proc/version.c
54++++ linux-5.4.211/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.4.199 2022/06/17\n");
62++ printk(KERN_INFO "Hook version: 5.4.211 2022/08/29\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.4.199.orig/include/linux/sched.h
67-+++ linux-5.4.199/include/linux/sched.h
66+--- linux-5.4.211.orig/include/linux/sched.h
67++++ linux-5.4.211/include/linux/sched.h
6868 @@ -38,6 +38,7 @@ struct backing_dev_info;
6969 struct bio_list;
7070 struct blk_plug;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
8686 unsigned long lowest_stack;
87---- linux-5.4.199.orig/include/linux/security.h
88-+++ linux-5.4.199/include/linux/security.h
87+--- linux-5.4.211.orig/include/linux/security.h
88++++ linux-5.4.211/include/linux/security.h
8989 @@ -57,6 +57,7 @@ struct mm_struct;
9090 struct fs_context;
9191 struct fs_parameter;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.4.199.orig/include/net/ip.h
319-+++ linux-5.4.199/include/net/ip.h
318+--- linux-5.4.211.orig/include/net/ip.h
319++++ linux-5.4.211/include/net/ip.h
320320 @@ -342,6 +342,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -335,8 +335,8 @@
335335 return 0;
336336 }
337337
338---- linux-5.4.199.orig/init/init_task.c
339-+++ linux-5.4.199/init/init_task.c
338+--- linux-5.4.211.orig/init/init_task.c
339++++ linux-5.4.211/init/init_task.c
340340 @@ -183,6 +183,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECURITY
342342 .security = NULL,
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.4.199.orig/kernel/kexec.c
352-+++ linux-5.4.199/kernel/kexec.c
351+--- linux-5.4.211.orig/kernel/kexec.c
352++++ linux-5.4.211/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371---- linux-5.4.199.orig/kernel/module.c
372-+++ linux-5.4.199/kernel/module.c
371+--- linux-5.4.211.orig/kernel/module.c
372++++ linux-5.4.211/kernel/module.c
373373 @@ -55,6 +55,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.4.199.orig/kernel/ptrace.c
400-+++ linux-5.4.199/kernel/ptrace.c
399+--- linux-5.4.211.orig/kernel/ptrace.c
400++++ linux-5.4.211/kernel/ptrace.c
401401 @@ -1270,6 +1270,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.4.199.orig/kernel/reboot.c
426-+++ linux-5.4.199/kernel/reboot.c
425+--- linux-5.4.211.orig/kernel/reboot.c
426++++ linux-5.4.211/kernel/reboot.c
427427 @@ -17,6 +17,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,8 +441,8 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.4.199.orig/kernel/sched/core.c
445-+++ linux-5.4.199/kernel/sched/core.c
444+--- linux-5.4.211.orig/kernel/sched/core.c
445++++ linux-5.4.211/kernel/sched/core.c
446446 @@ -4677,6 +4677,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
@@ -452,8 +452,8 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.4.199.orig/kernel/signal.c
456-+++ linux-5.4.199/kernel/signal.c
455+--- linux-5.4.211.orig/kernel/signal.c
456++++ linux-5.4.211/kernel/signal.c
457457 @@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.4.199.orig/kernel/sys.c
525-+++ linux-5.4.199/kernel/sys.c
524+--- linux-5.4.211.orig/kernel/sys.c
525++++ linux-5.4.211/kernel/sys.c
526526 @@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,17 +552,17 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.4.199.orig/kernel/time/timekeeping.c
556-+++ linux-5.4.199/kernel/time/timekeeping.c
557-@@ -22,6 +22,7 @@
558- #include <linux/pvclock_gtod.h>
555+--- linux-5.4.211.orig/kernel/time/timekeeping.c
556++++ linux-5.4.211/kernel/time/timekeeping.c
557+@@ -24,6 +24,7 @@
559558 #include <linux/compiler.h>
560559 #include <linux/audit.h>
560+ #include <linux/random.h>
561561 +#include <linux/ccsecurity.h>
562562
563563 #include "tick-internal.h"
564564 #include "ntp_internal.h"
565-@@ -2251,10 +2252,15 @@ static int timekeeping_validate_timex(co
565+@@ -2255,10 +2256,15 @@ static int timekeeping_validate_timex(co
566566 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567567 !capable(CAP_SYS_TIME))
568568 return -EPERM;
@@ -578,7 +578,7 @@
578578 /*
579579 * if the quartz is off by more than 10% then
580580 * something is VERY wrong!
581-@@ -2269,6 +2275,8 @@ static int timekeeping_validate_timex(co
581+@@ -2273,6 +2279,8 @@ static int timekeeping_validate_timex(co
582582 /* In order to inject time, you gotta be super-user! */
583583 if (!capable(CAP_SYS_TIME))
584584 return -EPERM;
@@ -587,8 +587,8 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.4.199.orig/net/ipv4/raw.c
591-+++ linux-5.4.199/net/ipv4/raw.c
590+--- linux-5.4.211.orig/net/ipv4/raw.c
591++++ linux-5.4.211/net/ipv4/raw.c
592592 @@ -770,6 +770,10 @@ static int raw_recvmsg(struct sock *sk,
593593 skb = skb_recv_datagram(sk, flags, noblock, &err);
594594 if (!skb)
@@ -600,8 +600,8 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.4.199.orig/net/ipv4/udp.c
604-+++ linux-5.4.199/net/ipv4/udp.c
603+--- linux-5.4.211.orig/net/ipv4/udp.c
604++++ linux-5.4.211/net/ipv4/udp.c
605605 @@ -1751,6 +1751,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
@@ -611,8 +611,8 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.4.199.orig/net/ipv6/raw.c
615-+++ linux-5.4.199/net/ipv6/raw.c
614+--- linux-5.4.211.orig/net/ipv6/raw.c
615++++ linux-5.4.211/net/ipv6/raw.c
616616 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617617 skb = skb_recv_datagram(sk, flags, noblock, &err);
618618 if (!skb)
@@ -624,8 +624,8 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.4.199.orig/net/ipv6/udp.c
628-+++ linux-5.4.199/net/ipv6/udp.c
627+--- linux-5.4.211.orig/net/ipv6/udp.c
628++++ linux-5.4.211/net/ipv6/udp.c
629629 @@ -292,6 +292,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.4.199.orig/net/socket.c
639-+++ linux-5.4.199/net/socket.c
638+--- linux-5.4.211.orig/net/socket.c
639++++ linux-5.4.211/net/socket.c
640640 @@ -1744,6 +1744,10 @@ int __sys_accept4(int fd, struct sockadd
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.4.199.orig/net/unix/af_unix.c
652-+++ linux-5.4.199/net/unix/af_unix.c
651+--- linux-5.4.211.orig/net/unix/af_unix.c
652++++ linux-5.4.211/net/unix/af_unix.c
653653 @@ -2164,6 +2164,10 @@ static int unix_dgram_recvmsg(struct soc
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
@@ -669,8 +669,8 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.4.199.orig/security/Kconfig
673-+++ linux-5.4.199/security/Kconfig
672+--- linux-5.4.211.orig/security/Kconfig
673++++ linux-5.4.211/security/Kconfig
674674 @@ -294,5 +294,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.4.199.orig/security/Makefile
683-+++ linux-5.4.199/security/Makefile
682+--- linux-5.4.211.orig/security/Makefile
683++++ linux-5.4.211/security/Makefile
684684 @@ -34,3 +34,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685685 # Object integrity file lists
686686 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.4.199.orig/security/security.c
692-+++ linux-5.4.199/security/security.c
691+--- linux-5.4.211.orig/security/security.c
692++++ linux-5.4.211/security/security.c
693693 @@ -1520,7 +1520,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-6.0.diff (nonexistent)
+++ trunk/caitsith-patch/patches/ccs-patch-6.0.diff (revision 371)
@@ -0,0 +1,701 @@
1+This is TOMOYO Linux patch for kernel 6.0-rc3.
2+
3+Source code for this patch is https://git.kernel.org/torvalds/t/linux-6.0-rc3.tar.gz
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 +++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 60 +++++++++++++++++++++++++---------------------
10+ include/net/ip.h | 4 +++
11+ init/init_task.c | 4 +++
12+ kernel/kexec.c | 4 ++-
13+ kernel/module/main.c | 5 +++
14+ kernel/ptrace.c | 10 +++++++
15+ kernel/reboot.c | 3 ++
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 25 +++++++++++++++++++
18+ kernel/sys.c | 8 ++++++
19+ kernel/time/timekeeping.c | 8 ++++++
20+ net/ipv4/raw.c | 4 +++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 +++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 +++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 ++
28+ security/security.c | 5 +++
29+ 24 files changed, 150 insertions(+), 30 deletions(-)
30+
31+--- linux-6.0-rc3.orig/fs/exec.c
32++++ linux-6.0-rc3/fs/exec.c
33+@@ -1841,7 +1841,7 @@ static int bprm_execve(struct linux_binp
34+ if (retval)
35+ goto out;
36+
37+- retval = exec_binprm(bprm);
38++ retval = ccs_exec_binprm(bprm);
39+ if (retval < 0)
40+ goto out;
41+
42+--- linux-6.0-rc3.orig/fs/open.c
43++++ linux-6.0-rc3/fs/open.c
44+@@ -1472,6 +1472,8 @@ SYSCALL_DEFINE3(close_range, unsigned in
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux-6.0-rc3.orig/fs/proc/version.c
54++++ linux-6.0-rc3/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 6.0-rc3 2022/08/29\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux-6.0-rc3.orig/include/linux/sched.h
67++++ linux-6.0-rc3/include/linux/sched.h
68+@@ -45,6 +45,7 @@ struct blk_plug;
69+ struct bpf_local_storage;
70+ struct bpf_run_ctx;
71+ struct capture_control;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1379,6 +1380,10 @@ struct task_struct {
77+ /* Pause tracing: */
78+ atomic_t tracing_graph_pause;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ #ifdef CONFIG_TRACING
86+ /* State flags for use by tracers: */
87+--- linux-6.0-rc3.orig/include/linux/security.h
88++++ linux-6.0-rc3/include/linux/security.h
89+@@ -59,6 +59,7 @@ struct fs_parameter;
90+ enum fs_value_type;
91+ struct watch;
92+ struct watch_notification;
93++#include <linux/ccsecurity.h>
94+
95+ /* Default (no) options for the capable function */
96+ #define CAP_OPT_NONE 0x0
97+@@ -590,7 +591,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -683,18 +687,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -716,7 +720,7 @@ static inline int security_sb_clone_mnt_
132+ static inline int security_move_mount(const struct path *from_path,
133+ const struct path *to_path)
134+ {
135+- return 0;
136++ return ccs_move_mount_permission(from_path, to_path);
137+ }
138+
139+ static inline int security_path_notify(const struct path *path, u64 mask,
140+@@ -859,7 +863,7 @@ static inline int security_inode_setattr
141+
142+ static inline int security_inode_getattr(const struct path *path)
143+ {
144+- return 0;
145++ return ccs_inode_getattr(path);
146+ }
147+
148+ static inline int security_inode_setxattr(struct user_namespace *mnt_userns,
149+@@ -957,7 +961,7 @@ static inline void security_file_free(st
150+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_ioctl(file, cmd, arg);
155+ }
156+
157+ static inline int security_mmap_file(struct file *file, unsigned long prot,
158+@@ -986,7 +990,7 @@ static inline int security_file_lock(str
159+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
160+ unsigned long arg)
161+ {
162+- return 0;
163++ return ccs_file_fcntl(file, cmd, arg);
164+ }
165+
166+ static inline void security_file_set_fowner(struct file *file)
167+@@ -1008,17 +1012,19 @@ static inline int security_file_receive(
168+
169+ static inline int security_file_open(struct file *file)
170+ {
171+- return 0;
172++ return ccs_file_open(file);
173+ }
174+
175+ static inline int security_task_alloc(struct task_struct *task,
176+ unsigned long clone_flags)
177+ {
178+- return 0;
179++ return ccs_alloc_task_security(task);
180+ }
181+
182+ static inline void security_task_free(struct task_struct *task)
183+-{ }
184++{
185++ ccs_free_task_security(task);
186++}
187+
188+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
189+ {
190+@@ -1453,7 +1459,7 @@ static inline int security_unix_may_send
191+ static inline int security_socket_create(int family, int type,
192+ int protocol, int kern)
193+ {
194+- return 0;
195++ return ccs_socket_create(family, type, protocol, kern);
196+ }
197+
198+ static inline int security_socket_post_create(struct socket *sock,
199+@@ -1474,19 +1480,19 @@ static inline int security_socket_bind(s
200+ struct sockaddr *address,
201+ int addrlen)
202+ {
203+- return 0;
204++ return ccs_socket_bind(sock, address, addrlen);
205+ }
206+
207+ static inline int security_socket_connect(struct socket *sock,
208+ struct sockaddr *address,
209+ int addrlen)
210+ {
211+- return 0;
212++ return ccs_socket_connect(sock, address, addrlen);
213+ }
214+
215+ static inline int security_socket_listen(struct socket *sock, int backlog)
216+ {
217+- return 0;
218++ return ccs_socket_listen(sock, backlog);
219+ }
220+
221+ static inline int security_socket_accept(struct socket *sock,
222+@@ -1498,7 +1504,7 @@ static inline int security_socket_accept
223+ static inline int security_socket_sendmsg(struct socket *sock,
224+ struct msghdr *msg, int size)
225+ {
226+- return 0;
227++ return ccs_socket_sendmsg(sock, msg, size);
228+ }
229+
230+ static inline int security_socket_recvmsg(struct socket *sock,
231+@@ -1795,42 +1801,42 @@ int security_path_chroot(const struct pa
232+ #else /* CONFIG_SECURITY_PATH */
233+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
234+ {
235+- return 0;
236++ return ccs_path_unlink(dir, dentry);
237+ }
238+
239+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
240+ umode_t mode)
241+ {
242+- return 0;
243++ return ccs_path_mkdir(dir, dentry, mode);
244+ }
245+
246+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
247+ {
248+- return 0;
249++ return ccs_path_rmdir(dir, dentry);
250+ }
251+
252+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
253+ umode_t mode, unsigned int dev)
254+ {
255+- return 0;
256++ return ccs_path_mknod(dir, dentry, mode, dev);
257+ }
258+
259+ static inline int security_path_truncate(const struct path *path)
260+ {
261+- return 0;
262++ return ccs_path_truncate(path);
263+ }
264+
265+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
266+ const char *old_name)
267+ {
268+- return 0;
269++ return ccs_path_symlink(dir, dentry, old_name);
270+ }
271+
272+ static inline int security_path_link(struct dentry *old_dentry,
273+ const struct path *new_dir,
274+ struct dentry *new_dentry)
275+ {
276+- return 0;
277++ return ccs_path_link(old_dentry, new_dir, new_dentry);
278+ }
279+
280+ static inline int security_path_rename(const struct path *old_dir,
281+@@ -1839,22 +1845,22 @@ static inline int security_path_rename(c
282+ struct dentry *new_dentry,
283+ unsigned int flags)
284+ {
285+- return 0;
286++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry, flags);
287+ }
288+
289+ static inline int security_path_chmod(const struct path *path, umode_t mode)
290+ {
291+- return 0;
292++ return ccs_path_chmod(path, mode);
293+ }
294+
295+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
296+ {
297+- return 0;
298++ return ccs_path_chown(path, uid, gid);
299+ }
300+
301+ static inline int security_path_chroot(const struct path *path)
302+ {
303+- return 0;
304++ return ccs_path_chroot(path);
305+ }
306+ #endif /* CONFIG_SECURITY_PATH */
307+
308+--- linux-6.0-rc3.orig/include/net/ip.h
309++++ linux-6.0-rc3/include/net/ip.h
310+@@ -345,6 +345,8 @@ void inet_get_local_port_range(struct ne
311+ #ifdef CONFIG_SYSCTL
312+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
313+ {
314++ if (ccs_lport_reserved(port))
315++ return true;
316+ if (!net->ipv4.sysctl_local_reserved_ports)
317+ return false;
318+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
319+@@ -363,6 +365,8 @@ static inline bool inet_port_requires_bi
320+ #else
321+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
322+ {
323++ if (ccs_lport_reserved(port))
324++ return true;
325+ return false;
326+ }
327+
328+--- linux-6.0-rc3.orig/init/init_task.c
329++++ linux-6.0-rc3/init/init_task.c
330+@@ -210,6 +210,10 @@ struct task_struct init_task
331+ #ifdef CONFIG_SECCOMP_FILTER
332+ .seccomp = { .filter_count = ATOMIC_INIT(0) },
333+ #endif
334++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
335++ .ccs_domain_info = NULL,
336++ .ccs_flags = 0,
337++#endif
338+ };
339+ EXPORT_SYMBOL(init_task);
340+
341+--- linux-6.0-rc3.orig/kernel/kexec.c
342++++ linux-6.0-rc3/kernel/kexec.c
343+@@ -16,7 +16,7 @@
344+ #include <linux/syscalls.h>
345+ #include <linux/vmalloc.h>
346+ #include <linux/slab.h>
347+-
348++#include <linux/ccsecurity.h>
349+ #include "kexec_internal.h"
350+
351+ static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
352+@@ -198,6 +198,8 @@ static inline int kexec_load_check(unsig
353+ /* We only trust the superuser with rebooting the system. */
354+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
355+ return -EPERM;
356++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
357++ return -EPERM;
358+
359+ /* Permit LSMs and IMA to fail the kexec */
360+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE, false);
361+--- linux-6.0-rc3.orig/kernel/module/main.c
362++++ linux-6.0-rc3/kernel/module/main.c
363+@@ -58,6 +58,7 @@
364+
365+ #define CREATE_TRACE_POINTS
366+ #include <trace/events/module.h>
367++#include <linux/ccsecurity.h>
368+
369+ /*
370+ * Mutex protects:
371+@@ -702,6 +703,8 @@ SYSCALL_DEFINE2(delete_module, const cha
372+
373+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
374+ return -EPERM;
375++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
376++ return -EPERM;
377+
378+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
379+ return -EFAULT;
380+@@ -2548,6 +2551,8 @@ static int may_init_module(void)
381+ {
382+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
383+ return -EPERM;
384++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
385++ return -EPERM;
386+
387+ return 0;
388+ }
389+--- linux-6.0-rc3.orig/kernel/ptrace.c
390++++ linux-6.0-rc3/kernel/ptrace.c
391+@@ -1271,6 +1271,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
392+ {
393+ struct task_struct *child;
394+ long ret;
395++ {
396++ const int rc = ccs_ptrace_permission(request, pid);
397++ if (rc)
398++ return rc;
399++ }
400+
401+ if (request == PTRACE_TRACEME) {
402+ ret = ptrace_traceme();
403+@@ -1410,6 +1415,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
404+ {
405+ struct task_struct *child;
406+ long ret;
407++ {
408++ const int rc = ccs_ptrace_permission(request, pid);
409++ if (rc)
410++ return rc;
411++ }
412+
413+ if (request == PTRACE_TRACEME) {
414+ ret = ptrace_traceme();
415+--- linux-6.0-rc3.orig/kernel/reboot.c
416++++ linux-6.0-rc3/kernel/reboot.c
417+@@ -18,6 +18,7 @@
418+ #include <linux/syscalls.h>
419+ #include <linux/syscore_ops.h>
420+ #include <linux/uaccess.h>
421++#include <linux/ccsecurity.h>
422+
423+ /*
424+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
425+@@ -698,6 +699,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
426+ magic2 != LINUX_REBOOT_MAGIC2B &&
427+ magic2 != LINUX_REBOOT_MAGIC2C))
428+ return -EINVAL;
429++ if (!ccs_capable(CCS_SYS_REBOOT))
430++ return -EPERM;
431+
432+ /*
433+ * If pid namespaces are enabled and the current task is in a child
434+--- linux-6.0-rc3.orig/kernel/sched/core.c
435++++ linux-6.0-rc3/kernel/sched/core.c
436+@@ -7075,6 +7075,8 @@ int can_nice(const struct task_struct *p
437+ SYSCALL_DEFINE1(nice, int, increment)
438+ {
439+ long nice, retval;
440++ if (!ccs_capable(CCS_SYS_NICE))
441++ return -EPERM;
442+
443+ /*
444+ * Setpriority might change our priority at the same moment.
445+--- linux-6.0-rc3.orig/kernel/signal.c
446++++ linux-6.0-rc3/kernel/signal.c
447+@@ -3770,6 +3770,8 @@ static inline void prepare_kill_siginfo(
448+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
449+ {
450+ struct kernel_siginfo info;
451++ if (ccs_kill_permission(pid, sig))
452++ return -EPERM;
453+
454+ prepare_kill_siginfo(sig, &info);
455+
456+@@ -3869,6 +3871,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
457+ if (!access_pidfd_pidns(pid))
458+ goto err;
459+
460++ {
461++ struct task_struct *task;
462++ int id = 0;
463++
464++ rcu_read_lock();
465++ task = pid_task(pid, PIDTYPE_PID);
466++ if (task)
467++ id = task_pid_vnr(task);
468++ rcu_read_unlock();
469++ if (task && ccs_kill_permission(id, sig)) {
470++ ret = -EPERM;
471++ goto err;
472++ }
473++ }
474++
475+ if (info) {
476+ ret = copy_siginfo_from_user_any(&kinfo, info);
477+ if (unlikely(ret))
478+@@ -3953,6 +3970,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
479+ /* This is only valid for single tasks */
480+ if (pid <= 0 || tgid <= 0)
481+ return -EINVAL;
482++ if (ccs_tgkill_permission(tgid, pid, sig))
483++ return -EPERM;
484+
485+ return do_tkill(tgid, pid, sig);
486+ }
487+@@ -3969,6 +3988,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
488+ /* This is only valid for single tasks */
489+ if (pid <= 0)
490+ return -EINVAL;
491++ if (ccs_tkill_permission(pid, sig))
492++ return -EPERM;
493+
494+ return do_tkill(0, pid, sig);
495+ }
496+@@ -3981,6 +4002,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
497+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
498+ (task_pid_vnr(current) != pid))
499+ return -EPERM;
500++ if (ccs_sigqueue_permission(pid, sig))
501++ return -EPERM;
502+
503+ /* POSIX.1b doesn't mention process groups. */
504+ return kill_proc_info(sig, info, pid);
505+@@ -4028,6 +4051,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
506+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
507+ (task_pid_vnr(current) != pid))
508+ return -EPERM;
509++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
510++ return -EPERM;
511+
512+ return do_send_specific(tgid, pid, sig, info);
513+ }
514+--- linux-6.0-rc3.orig/kernel/sys.c
515++++ linux-6.0-rc3/kernel/sys.c
516+@@ -218,6 +218,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
517+
518+ if (which > PRIO_USER || which < PRIO_PROCESS)
519+ goto out;
520++ if (!ccs_capable(CCS_SYS_NICE)) {
521++ error = -EPERM;
522++ goto out;
523++ }
524+
525+ /* normalize: avoid signed division (rounding problems) */
526+ error = -ESRCH;
527+@@ -1362,6 +1366,8 @@ SYSCALL_DEFINE2(sethostname, char __user
528+
529+ if (len < 0 || len > __NEW_UTS_LEN)
530+ return -EINVAL;
531++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
532++ return -EPERM;
533+ errno = -EFAULT;
534+ if (!copy_from_user(tmp, name, len)) {
535+ struct new_utsname *u;
536+@@ -1414,6 +1420,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
537+ return -EPERM;
538+ if (len < 0 || len > __NEW_UTS_LEN)
539+ return -EINVAL;
540++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
541++ return -EPERM;
542+
543+ errno = -EFAULT;
544+ if (!copy_from_user(tmp, name, len)) {
545+--- linux-6.0-rc3.orig/kernel/time/timekeeping.c
546++++ linux-6.0-rc3/kernel/time/timekeeping.c
547+@@ -24,6 +24,7 @@
548+ #include <linux/compiler.h>
549+ #include <linux/audit.h>
550+ #include <linux/random.h>
551++#include <linux/ccsecurity.h>
552+
553+ #include "tick-internal.h"
554+ #include "ntp_internal.h"
555+@@ -2348,10 +2349,15 @@ static int timekeeping_validate_timex(co
556+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
557+ !capable(CAP_SYS_TIME))
558+ return -EPERM;
559++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
560++ !ccs_capable(CCS_SYS_SETTIME))
561++ return -EPERM;
562+ } else {
563+ /* In order to modify anything, you gotta be super-user! */
564+ if (txc->modes && !capable(CAP_SYS_TIME))
565+ return -EPERM;
566++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
567++ return -EPERM;
568+ /*
569+ * if the quartz is off by more than 10% then
570+ * something is VERY wrong!
571+@@ -2366,6 +2372,8 @@ static int timekeeping_validate_timex(co
572+ /* In order to inject time, you gotta be super-user! */
573+ if (!capable(CAP_SYS_TIME))
574+ return -EPERM;
575++ if (!ccs_capable(CCS_SYS_SETTIME))
576++ return -EPERM;
577+
578+ /*
579+ * Validate if a timespec/timeval used to inject a time
580+--- linux-6.0-rc3.orig/net/ipv4/raw.c
581++++ linux-6.0-rc3/net/ipv4/raw.c
582+@@ -744,6 +744,10 @@ static int raw_recvmsg(struct sock *sk,
583+ skb = skb_recv_datagram(sk, flags, &err);
584+ if (!skb)
585+ goto out;
586++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
587++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
588++ goto out;
589++ }
590+
591+ copied = skb->len;
592+ if (len < copied) {
593+--- linux-6.0-rc3.orig/net/ipv4/udp.c
594++++ linux-6.0-rc3/net/ipv4/udp.c
595+@@ -1862,6 +1862,8 @@ try_again:
596+ skb = __skb_recv_udp(sk, flags, &off, &err);
597+ if (!skb)
598+ return err;
599++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
600++ return -EAGAIN; /* Hope less harmful than -EPERM. */
601+
602+ ulen = udp_skb_len(skb);
603+ copied = len;
604+--- linux-6.0-rc3.orig/net/ipv6/raw.c
605++++ linux-6.0-rc3/net/ipv6/raw.c
606+@@ -446,6 +446,10 @@ static int rawv6_recvmsg(struct sock *sk
607+ skb = skb_recv_datagram(sk, flags, &err);
608+ if (!skb)
609+ goto out;
610++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
611++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
612++ goto out;
613++ }
614+
615+ copied = skb->len;
616+ if (copied > len) {
617+--- linux-6.0-rc3.orig/net/ipv6/udp.c
618++++ linux-6.0-rc3/net/ipv6/udp.c
619+@@ -346,6 +346,8 @@ try_again:
620+ skb = __skb_recv_udp(sk, flags, &off, &err);
621+ if (!skb)
622+ return err;
623++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
624++ return -EAGAIN; /* Hope less harmful than -EPERM. */
625+
626+ ulen = udp6_skb_len(skb);
627+ copied = len;
628+--- linux-6.0-rc3.orig/net/socket.c
629++++ linux-6.0-rc3/net/socket.c
630+@@ -1858,6 +1858,10 @@ struct file *do_accept(struct file *file
631+ if (err < 0)
632+ goto out_fd;
633+
634++ if (ccs_socket_post_accept_permission(sock, newsock)) {
635++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
636++ goto out_fd;
637++ }
638+ if (upeer_sockaddr) {
639+ len = newsock->ops->getname(newsock,
640+ (struct sockaddr *)&address, 2);
641+--- linux-6.0-rc3.orig/net/unix/af_unix.c
642++++ linux-6.0-rc3/net/unix/af_unix.c
643+@@ -2435,6 +2435,10 @@ int __unix_dgram_recvmsg(struct sock *sk
644+ EPOLLOUT | EPOLLWRNORM |
645+ EPOLLWRBAND);
646+
647++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
648++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
649++ goto out_unlock;
650++ }
651+ if (msg->msg_name)
652+ unix_copy_addr(msg, skb->sk);
653+
654+@@ -2485,6 +2489,7 @@ int __unix_dgram_recvmsg(struct sock *sk
655+
656+ out_free:
657+ skb_free_datagram(sk, skb);
658++out_unlock:
659+ mutex_unlock(&u->iolock);
660+ out:
661+ return err;
662+--- linux-6.0-rc3.orig/security/Kconfig
663++++ linux-6.0-rc3/security/Kconfig
664+@@ -260,5 +260,7 @@ config LSM
665+
666+ source "security/Kconfig.hardening"
667+
668++source "security/ccsecurity/Kconfig"
669++
670+ endmenu
671+
672+--- linux-6.0-rc3.orig/security/Makefile
673++++ linux-6.0-rc3/security/Makefile
674+@@ -27,3 +27,6 @@ obj-$(CONFIG_SECURITY_LANDLOCK) += land
675+
676+ # Object integrity file lists
677+ obj-$(CONFIG_INTEGRITY) += integrity/
678++
679++subdir-$(CONFIG_CCSECURITY) += ccsecurity
680++obj-$(CONFIG_CCSECURITY) += ccsecurity/
681+--- linux-6.0-rc3.orig/security/security.c
682++++ linux-6.0-rc3/security/security.c
683+@@ -1656,7 +1656,9 @@ int security_task_alloc(struct task_stru
684+
685+ if (rc)
686+ return rc;
687+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
688++ rc = ccs_alloc_task_security(task);
689++ if (likely(!rc))
690++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
691+ if (unlikely(rc))
692+ security_task_free(task);
693+ return rc;
694+@@ -1665,6 +1667,7 @@ int security_task_alloc(struct task_stru
695+ void security_task_free(struct task_struct *task)
696+ {
697+ call_void_hook(task_free, task);
698++ ccs_free_task_security(task);
699+
700+ kfree(task->security);
701+ task->security = NULL;
--- trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 370)
+++ trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 371)
@@ -10,12 +10,12 @@
1010
1111 cd /tmp/ || die "Can't chdir to /tmp/ ."
1212
13-if [ ! -r kernel-3.10.0-1160.66.1.el7.src.rpm ]
13+if [ ! -r kernel-3.10.0-1160.71.1.el7.src.rpm ]
1414 then
15- wget https://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1160.66.1.el7.src.rpm || die "Can't download source package."
15+ wget https://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1160.71.1.el7.src.rpm || die "Can't download source package."
1616 fi
17-LANG=C rpm --checksig kernel-3.10.0-1160.66.1.el7.src.rpm | grep -F ': rsa sha1 (md5) pgp md5 OK' || die "Can't verify signature."
18-rpm -ivh kernel-3.10.0-1160.66.1.el7.src.rpm || die "Can't install source package."
17+LANG=C rpm --checksig kernel-3.10.0-1160.71.1.el7.src.rpm | grep -F ': rsa sha1 (md5) pgp md5 OK' || die "Can't verify signature."
18+rpm -ivh kernel-3.10.0-1160.71.1.el7.src.rpm || die "Can't install source package."
1919
2020 cd ~/rpmbuild/SOURCES/ || die "Can't chdir to ~/rpmbuild/SOURCES/ ."
2121 if [ ! -r caitsith-patch-0.2-20220621.tar.gz ]
--- trunk/caitsith-patch/specs/build-c8-4.18.sh (revision 370)
+++ trunk/caitsith-patch/specs/build-c8-4.18.sh (revision 371)
@@ -10,12 +10,12 @@
1010
1111 cd /tmp/ || die "Can't chdir to /tmp/ ."
1212
13-if [ ! -r kernel-4.18.0-394.el8.src.rpm ]
13+if [ ! -r kernel-4.18.0-408.el8.src.rpm ]
1414 then
15- wget https://vault.centos.org/centos/8-stream/BaseOS/Source/SPackages/kernel-4.18.0-394.el8.src.rpm || die "Can't download source package."
15+ wget https://vault.centos.org/centos/8-stream/BaseOS/Source/SPackages/kernel-4.18.0-408.el8.src.rpm || die "Can't download source package."
1616 fi
17-LANG=C rpm --checksig kernel-4.18.0-394.el8.src.rpm | grep -F ': digests signatures OK' || die "Can't verify signature."
18-rpm -ivh kernel-4.18.0-394.el8.src.rpm || die "Can't install source package."
17+LANG=C rpm --checksig kernel-4.18.0-408.el8.src.rpm | grep -F ': digests signatures OK' || die "Can't verify signature."
18+rpm -ivh kernel-4.18.0-408.el8.src.rpm || die "Can't install source package."
1919
2020 cd ~/rpmbuild/SOURCES/ || die "Can't chdir to ~/rpmbuild/SOURCES/ ."
2121 if [ ! -r caitsith-patch-0.2-20220621.tar.gz ]
@@ -28,7 +28,7 @@
2828 patch << "EOF" || die "Can't patch spec file."
2929 --- cs-kernel.spec
3030 +++ cs-kernel.spec
31-@@ -39,7 +39,7 @@
31+@@ -35,7 +35,7 @@
3232 %global zipsed -e 's/\.ko$/\.ko.xz/'
3333 %endif
3434
@@ -36,8 +36,8 @@
3636 +%define buildid _caitsith_0.2.10
3737
3838 %define rpmversion 4.18.0
39- %define pkgrelease 394.el8
40-@@ -1102,6 +1102,10 @@
39+ %define pkgrelease 408.el8
40+@@ -1079,6 +1079,10 @@
4141
4242 # END OF PATCH APPLICATIONS
4343
@@ -48,7 +48,7 @@
4848 # Any further pre-build tree manipulations happen here.
4949
5050 %if %{with_realtime}
51-@@ -1233,6 +1237,9 @@
51+@@ -1210,6 +1214,9 @@
5252 cp %{SOURCE9} certs/.
5353 %endif
5454
Show on old repository browser