diff options
Diffstat (limited to 'sys-kernel')
23 files changed, 1355 insertions, 0 deletions
diff --git a/sys-kernel/rsbac-dev-sources/ChangeLog b/sys-kernel/rsbac-dev-sources/ChangeLog new file mode 100644 index 000000000000..41c70e57ffc8 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/ChangeLog @@ -0,0 +1,133 @@ +# ChangeLog for sys-kernel/rsbac-dev-sources +# Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/ChangeLog,v 1.21 2005/01/12 22:31:13 johnm Exp $ + +*rsbac-dev-sources-2.6.7-r11 (20 Dec 2004) + + 20 Dec 2004; Guillaume Destuynder <kang@gentoo.org> + -rsbac-dev-sources-2.6.7-r10.ebuild, +rsbac-dev-sources-2.6.7-r11.ebuild: + Security fix: #72317 CAN-2004-1069, extra patch for AF_UNIX vuln. + + 16 Dec 2004; Guillaume Destuynder <kang@gentoo.org> : + 1.2.4pre + 2.6.9 in ~x86 + + 11 Dec 2004; Guillaume Destuynder <kang@gentoo.org> + files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch: + Fixes #73899, incoherent patch from the last security fixes removes a + variable it also added in fs/exec.c + +*rsbac-dev-sources-2.6.7-r10 (08 Dec 2004) + + 08 Dec 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-dev-sources-2.6.7-dos_mem_disc1.patch, + +files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch, + +rsbac-dev-sources-2.6.7-r10.ebuild, -rsbac-dev-sources-2.6.7-r9.ebuild: + Security fix bug #72452: Linux Kernel Local DoS and Memory Content + Disclosure Vulnerabilities ; and PaX upgrade + +*rsbac-dev-sources-2.6.7-r9 (02 Dec 2004) + + 02 Dec 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-dev-sources-2.6.7-AF_UNIX.patch, + -rsbac-dev-sources-2.6.7-r8.ebuild, +rsbac-dev-sources-2.6.7-r9.ebuild: + Security vulnerability fix: #72317 - AF_UNIX Arbitrary Kernel Memory + +*rsbac-dev-sources-2.6.7-r8 (28 Nov 2004) + + 28 Nov 2004; Guillaume Destuynder <kang@gentoo.org> + files/rsbac-dev-sources-2.6.7-70681-binfmt.patch, + -rsbac-dev-sources-2.6.7-r7.ebuild: + reupdated #79681, fixes CAN 0883 + + 13 Nov 2004; Sven Wegener <swegener@gentoo.org> : + Removed stray digest. + +*rsbac-dev-sources-2.6.7-r7 (13 Nov 2004) + + 13 Nov 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-bugfix-v1.2.3-6.diff, + +files/rsbac-dev-sources-2.6.7-62524-ptmx.patch, + -rsbac-dev-sources-2.6.7-r6.ebuild, +rsbac-dev-sources-2.6.7-r7.ebuild: + Fixes #70681 (binfmt_elf), #62524 (pmtx) + +*rsbac-dev-sources-2.6.7-r6 (22 Oct 2004) + + 22 Oct 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-dev-sources-CAN-2004-0816.patch, + -rsbac-dev-sources-2.6.7-r5.ebuild, + +rsbac-dev-sources-2.6.7-r6.ebuild: + Fixes CAN-2004-0816 and #68375 + +*rsbac-dev-sources-2.6.7-r5 (10 Aug 2004) + + 10 Aug 2004; Guillaume Destuynder <kang@gentoo.org> + -rsbac-dev-sources-2.6.7-r4.ebuild, + +rsbac-dev-sources-2.6.7-r5.ebuild: + Fixes #59905 - cmdline security bug + +*rsbac-dev-sources-2.6.7-r4 (05 Aug 2004) + + 05 Aug 2004; Guillaume Destuynder <kang@gentoo.org> + -rsbac-dev-sources-2.6.7-r3.ebuild, + +rsbac-dev-sources-2.6.7-r4.ebuild: + Fixes CAN 0415 and #59378 (file offset pointer handling vulnerability) + +*rsbac-dev-sources-2.6.7-r3 (22 Jul 2004) + + 26 Jul 2004; Guillaume Destuynder <kang@gentoo.org> + rsbac-dev-sources-2.6.7-r3.ebuild: + Marked stabled on x86 + + 22 Jul 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-dev-sources-CAN-2004-0596.patch, + +rsbac-dev-sources-2.6.7-r3, + -rsbac-dev-sources-2.6.7-r2 + Fixes CAN 0596 and #57826. + +*rsbac-dev-sources-2.6.7-r2 (16 Jul 2004) + + 16 Jul 2004; Guillaume Destuynder <kang@gentoo.org> + +files/rsbac-dev-sources-CAN-2004-0497.patch, + +rsbac-dev-sources-2.6.7-r2.ebuild, + -rsbac-dev-sources-2.6.7-r1.ebuild: + Fixes CAN 0497 and #56479. + +*rsbac-dev-sources-2.6.7-r1 (30 Jun 2004) + + 30 Jun 2004; Guillaume Destuynder <kang@gentoo.org> + +rsbac-dev-sources-2.6.7-r1.ebuild, + +files/rsbac-dev-sources-v1.2.3-3.patch, + +files/rsbac-dev-sources-iptables-dos.patch, + -rsbac-dev-sources-2.6.7.ebuild, + -rsbac-dev-sources-2.6.5-r1.ebuild, + -files/rsbac-dev-sources.CAN-2004-0075.patch, + -files/rsbac-dev-sources.CAN-2004-0228.patch, + -files/rsbac-dev-sources.CAN-2004-0229.patch, + -files/rsbac-dev-sources.CAN-2004-0427.patch, + -files/rsbac-dev-sources.FPULockup-53804.patch: + Security fix for RSBAC JAIL (rsbac.org ; #55698) + Security fix for 2.6.x iptables dos (#55694) + +*rsbac-dev-sources-2.6.7 (28 Jun 2004) + + 28 Jun 2004; Guillaume Destuynder <kang@gentoo.org> +rsbac-dev-sources-2.6.7.ebuild + Version bump. Includes hardened 2.6.7 patches and latest PaX. + +*rsbac-dev-sources-2.6.5-r1 (14 Jun 2004) + + 14 Jun 2004; <plasmaroo@gentoo.org> +rsbac-dev-sources-2.6.5-r1.ebuild, + -rsbac-dev-sources-2.6.5.ebuild, + +files/rsbac-dev-sources.CAN-2004-0075.patch, + +files/rsbac-dev-sources.CAN-2004-0228.patch, + +files/rsbac-dev-sources.CAN-2004-0229.patch, + +files/rsbac-dev-sources.CAN-2004-0427.patch, + +files/rsbac-dev-sources.FPULockup-53804.patch: + Added a patch for the FPU-lockup issue; and also for the CAN-2004-0075, + CAN-2004-0228, CAN-2004-0229, and CAN-2004-0427 issues. Please see bugs + #47881 and #58304 for details. + +*rsbac-dev-sources-2.6.5 (09 Jun 2004) + + 09 Jun 2004; Guillaume Destuynder <kang@gentoo.org>: + Initial import. Ebuild submitted by Michal Purzynski + <albeiro@gentoo.pl>. diff --git a/sys-kernel/rsbac-dev-sources/Manifest b/sys-kernel/rsbac-dev-sources/Manifest new file mode 100644 index 000000000000..1bf6eeb836b1 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/Manifest @@ -0,0 +1,32 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +MD5 909ea57b976778bcc7a49f3c73b7d6b2 rsbac-dev-sources-2.6.9.ebuild 1481 +MD5 9b73b04fee8078a4105012bbc1e4883e rsbac-dev-sources-2.6.7-r11.ebuild 1926 +MD5 91644f250333e66a726f7aea6607baf4 ChangeLog 4963 +MD5 ed6fb50f79e8049f3f3576bb25c32747 metadata.xml 465 +MD5 91dd923056c1af13054cb00fb0a8daa3 files/rsbac-dev-sources-2.6.7-dos_mem_disc1.patch 1578 +MD5 7872d0af6e27fb6007833b113097bb34 files/rsbac-dev-sources-2.6.7-CAN-2004-0883.patch 3357 +MD5 ee9c2340e890a15d199f98f98e027466 files/digest-rsbac-dev-sources-2.6.7-r11 281 +MD5 632a66f683783bebc9c7b565284284d0 files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch 7369 +MD5 b6e38b41c8a79943df2ab2642149d06f files/rsbac-dev-sources-CAN-2004-0497.patch 2214 +MD5 97a40292e0b33025c43888a20190ef29 files/rsbac-bugfix-v1.2.3-ao-01.diff 1180 +MD5 a869ab037c7e264df5f8e899864f08e9 files/rsbac-dev-sources-v1.2.3-3.patch 557 +MD5 6451bd210935a3978fd3a3edac673591 files/rsbac-dev-sources-iptables-dos.patch 389 +MD5 263a9f529a3b80e2c91340a73c0c5920 files/rsbac-dev-sources-CAN-2004-0816.patch 1445 +MD5 452e04a312368605e145428c35bd0e05 files/rsbac-dev-sources-2.6.7-62524-ptmx.patch 572 +MD5 f0e12ba218f53c2694a91259bdc2fdc7 files/rsbac-dev-sources-CAN-2004-0596.patch 494 +MD5 530630d25910e6bd9376b63ea099655f files/rsbac-dev-sources-2.6.7-AF_UNIX.patch 469 +MD5 76e034360be9c90c736b2440f39349d7 files/digest-rsbac-dev-sources-2.6.9 217 +MD5 4d656fa3f3a47df751c0d78b64ed8353 files/rsbac-dev-sources-CAN-2004-1069.patch 1761 +MD5 706d7794a822074aaf31502d7a7e48d3 files/2.6.7-cmdline.patch 455 +MD5 b70bcb7c4896526b671f12695522cb0e files/rsbac-bugfix-v1.2.3-kang-01.diff 510 +MD5 6197e52bf5742c3f61716fe6a681055c files/rsbac-bugfix-v1.2.3-6.diff 13068 +MD5 accdbfc81ddc59d568ed845b5972f10a files/rsbac-dev-sources-2.6.7-70681-binfmt.patch 2606 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.0 (GNU/Linux) + +iD8DBQFB5aVLm/TpOlox+n8RAm+aAKDurKKtsmgoKOvB/bKd5/v/C6dfdACggD1f +tmIGw6zp5Ote+fV2HMBhYSw= +=eAxg +-----END PGP SIGNATURE----- diff --git a/sys-kernel/rsbac-dev-sources/files/2.6.7-cmdline.patch b/sys-kernel/rsbac-dev-sources/files/2.6.7-cmdline.patch new file mode 100644 index 000000000000..3f0edd1b1af8 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/2.6.7-cmdline.patch @@ -0,0 +1,11 @@ +diff -puN fs/proc/base.c~proc_pid_cmdline-race-fix fs/proc/base.c +--- 25/fs/proc/base.c~proc_pid_cmdline-race-fix 2004-08-05 11:28:21.915442360 -0700 ++++ 25-akpm/fs/proc/base.c 2004-08-05 11:28:21.919441752 -0700 +@@ -340,6 +340,8 @@ static int proc_pid_cmdline(struct task_ + struct mm_struct *mm = get_task_mm(task); + if (!mm) + goto out; ++ if (!mm->arg_end) ++ goto out; /* Shh! No looking before we're done */ + + len = mm->arg_end - mm->arg_start; diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r11 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r11 new file mode 100644 index 000000000000..19b8dd9a9c31 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r11 @@ -0,0 +1,4 @@ +MD5 a74671ea68b0e3c609e8785ed8497c14 linux-2.6.7.tar.bz2 35092228 +MD5 f3759250e9c4bb5ccb773174fafe0ba7 rsbac-v1.2.3.tar.bz2 489127 +MD5 6a59fc81ca1786d6ed3185ecc98854de rsbac-patches-2.6-7.2.tar.bz2 109155 +MD5 52996b643afbd6ed9ba38b9483c2cac3 linux-2.6.7-CAN-2004-0415.patch 112612 diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.9 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.9 new file mode 100644 index 000000000000..d7cf0cee2554 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.9 @@ -0,0 +1,3 @@ +MD5 e921200f074ca97184e150ef5a4af825 linux-2.6.9.tar.bz2 36261440 +MD5 31cd1643f28771031a4b3781381021e6 rsbac-patches-2.6-9.0.tar.bz2 1040819 +MD5 52996b643afbd6ed9ba38b9483c2cac3 linux-2.6.7-CAN-2004-0415.patch 112612 diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-6.diff b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-6.diff new file mode 100644 index 000000000000..e87509f12cde --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-6.diff @@ -0,0 +1,339 @@ +Index: linux-2.4.27-rsbac-v1.2.3/include/rsbac/aci_data_structures.h +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/include/rsbac/aci_data_structures.h (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/include/rsbac/aci_data_structures.h (working copy) +@@ -1134,7 +1134,7 @@ + #endif + + +-#define RSBAC_USER_NR_ATTRIBUTES 28 ++#define RSBAC_USER_NR_ATTRIBUTES 24 + #define RSBAC_USER_ATTR_LIST { \ + A_pseudo, \ + A_log_user_based, \ +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/help/syscalls.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/help/syscalls.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/help/syscalls.c (working copy) +@@ -1405,7 +1405,7 @@ + + int sys_rsbac_switch(enum rsbac_switch_target_t target, int value) + { +-#ifdef CONFIG_RSBAC_SWITCH ++#if defined(CONFIG_RSBAC_SWITCH) || defined(CONFIG_RSBAC_SOFTMODE) + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + char * switch_name; +@@ -1509,6 +1509,7 @@ + case SOFTMODE: rsbac_softmode = value; + break; + #endif ++#ifdef CONFIG_RSBAC_SWITCH + #ifdef CONFIG_RSBAC_MAC + case MAC: rsbac_switch_mac = value; + break; +@@ -1557,6 +1558,7 @@ + case RES: rsbac_switch_res = value; + break; + #endif ++#endif /* SWITCH */ + default: + return (-RSBAC_EINVALIDMODULE); + } +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/adf/jail/jail_syscalls.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/adf/jail/jail_syscalls.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/adf/jail/jail_syscalls.c (working copy) +@@ -41,8 +41,10 @@ + /* Externally visible functions */ + /************************************************* */ + ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) + extern long sys_chroot(const char * filename); + extern long sys_chdir(const char * filename); ++#endif + + /* Create a jail for current process */ + /* Note: It is allowed to create jails within jails, but with restrictions */ +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_main.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_main.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_main.c (working copy) +@@ -333,6 +333,14 @@ + && (sb_p->s_magic == PIPEFS_MAGIC) + ) + return DO_NOT_CARE; ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) ++ /* No decision on pseudo sockfs */ ++ if( (target == T_FILE) ++ && (!RSBAC_MAJOR(tid.file.device)) ++ && (!RSBAC_MINOR(tid.file.device)) ++ ) ++ return DO_NOT_CARE; ++#endif + switch(request) + { + case R_GET_STATUS_DATA: +@@ -1008,6 +1016,7 @@ + rsbac_pid_t parent_pid = 0; + + /* Get owner's logging pseudo */ ++ i_tid.user = owner; + if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) + { + rsbac_ds_get_error("rsbac_adf_request()", A_pseudo); +@@ -2448,6 +2457,7 @@ + #endif /* SECDEL */ + + #ifdef CONFIG_RSBAC_SYM_REDIR ++EXPORT_SYMBOL(rsbac_symlink_redirect); + void rsbac_symlink_redirect(struct dentry * dentry_p, char * name) + { + int err; +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_check.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_check.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/adf/adf_check.c (working copy) +@@ -439,6 +439,7 @@ + { + case T_DIR: + case T_SCD: ++ case T_IPC: + #ifdef CONFIG_RSBAC_RW + case T_FILE: + case T_FIFO: +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/rc_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/rc_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/rc_data_structures.c (working copy) +@@ -146,7 +146,7 @@ + off_t pos = 0; + off_t begin = 0; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "stats_rc_proc_info(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1540,7 +1540,7 @@ + + int rsbac_stats_rc(void) + { +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_stats_rc(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/aci_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/aci_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/aci_data_structures.c (working copy) +@@ -9504,10 +9504,11 @@ + /* All functions return 0, if no error occurred, and a negative error code */ + /* otherwise. The error codes are defined in rsbac_error.h. */ + ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) + /* declare sys_kill */ + extern long sys_kill(int pid, int sig); ++#endif + +- + #ifdef CONFIG_RSBAC_INIT_DELAY + int rsbac_init(kdev_t root_dev) + #else +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/pm_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/pm_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/pm_data_structures.c (working copy) +@@ -90,7 +90,7 @@ + union rsbac_attribute_value_t rsbac_attribute_value; + #endif + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "stats_pm_proc_info(): RSBAC not initialized\n"); +@@ -1661,7 +1661,7 @@ + u_long all_member_count = 0; + u_long all_count = 0; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "rsbac_stats_pm(): RSBAC not initialized\n"); +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/acl_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/acl_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/acl_data_structures.c (working copy) +@@ -539,7 +539,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "stats_acl_proc_info(): RSBAC not initialized\n"); +@@ -759,7 +759,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "acl_acllist_proc_info(): RSBAC not initialized\n"); +@@ -1697,7 +1697,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "acl_grouplist_proc_info(): RSBAC not initialized\n"); +@@ -3057,7 +3057,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/mac_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/mac_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/mac_data_structures.c (working copy) +@@ -483,7 +483,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "stats_mac_proc_info(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -587,7 +587,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "mac_trulist_proc_info(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1174,7 +1174,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "rsbac_stats_mac(): RSBAC not initialized\n"); +@@ -1771,7 +1771,7 @@ + struct rsbac_mac_device_list_item_t * device_p; + int err=0; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1822,7 +1822,7 @@ + int rsbac_mac_copy_pp_truset(rsbac_pid_t old_p_set_id, + rsbac_pid_t new_p_set_id) + { +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_mac_copy_pp_truset(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1850,7 +1850,7 @@ + struct rsbac_mac_device_list_item_t * device_p; + long count; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_mac_get_f_trulist(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1904,7 +1904,7 @@ + rsbac_uid_t **trulist_p, + rsbac_time_t **ttllist_p) + { +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_mac_get_p_trulist(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +Index: linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/auth_data_structures.c +=================================================================== +--- linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/auth_data_structures.c (revision 16) ++++ linux-2.4.27-rsbac-v1.2.3/rsbac/data_structures/auth_data_structures.c (working copy) +@@ -770,7 +770,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "stats_auth_proc_info(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -940,7 +940,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "auth_caplist_proc_info(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -1908,7 +1908,7 @@ + union rsbac_target_id_t rsbac_target_id; + union rsbac_attribute_value_t rsbac_attribute_value; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + #ifdef CONFIG_RSBAC_RMSG + rsbac_printk(KERN_WARNING "rsbac_stats_auth(): RSBAC not initialized\n"); +@@ -2940,7 +2940,7 @@ + struct rsbac_auth_device_list_item_t * device_p; + int err=0; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_auth_copy_fp_capset(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -2991,7 +2991,7 @@ + int rsbac_auth_copy_pp_capset(rsbac_pid_t old_p_set_id, + rsbac_pid_t new_p_set_id) + { +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_auth_copy_pp_capset(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -3020,7 +3020,7 @@ + struct rsbac_auth_device_list_item_t * device_p; + long count; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_auth_get_f_caplist(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); +@@ -3098,7 +3098,7 @@ + { + long count; + +- if (!rsbac_is_initialized) ++ if (!rsbac_is_initialized()) + { + printk(KERN_WARNING "rsbac_auth_get_p_caplist(): RSBAC not initialized\n"); + return(-RSBAC_ENOTINITIALIZED); diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-ao-01.diff b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-ao-01.diff new file mode 100644 index 000000000000..47ef679afd71 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-ao-01.diff @@ -0,0 +1,37 @@ + +Index: linux-2.6.9-rsbac-v1.2.3/include/rsbac/fs.h +=================================================================== +--- linux-2.6.9-rsbac-v1.2.3/include/rsbac/fs.h (revision 46) ++++ linux-2.6.9-rsbac-v1.2.3/include/rsbac/fs.h (working copy) +@@ -33,7 +33,9 @@ + + struct super_block * rsbac_get_super_block(kdev_t kdev); + ++#ifndef __fput + extern void __fput(struct file *); ++#endif + + #ifndef SHM_FS_MAGIC + #define SHM_FS_MAGIC 0x02011994 +Index: linux-2.6.9-rsbac-v1.2.3/rsbac/adf/reg/kproc_hide.c +=================================================================== +--- linux-2.6.9-rsbac-v1.2.3/rsbac/adf/reg/kproc_hide.c (revision 46) ++++ linux-2.6.9-rsbac-v1.2.3/rsbac/adf/reg/kproc_hide.c (working copy) +@@ -10,6 +10,8 @@ + #include <linux/kernel.h> + #include <linux/string.h> + #include <linux/fs.h> ++#include <linux/sched.h> ++#include <linux/file.h> + #include <rsbac/types.h> + #include <rsbac/reg.h> + #include <rsbac/adf.h> +@@ -17,8 +19,6 @@ + #include <rsbac/getname.h> + #include <rsbac/error.h> + #include <rsbac/proc_fs.h> +-#include <linux/sched.h> +-#include <linux/file.h> + + MODULE_AUTHOR("Michal Purzynski"); + MODULE_DESCRIPTION("RSBAC REG kproc_hide decision module"); diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-kang-01.diff b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-kang-01.diff new file mode 100644 index 000000000000..570df3e3e236 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-bugfix-v1.2.3-kang-01.diff @@ -0,0 +1,12 @@ +--- include/rsbac/aci.h.ori 2004-11-13 13:39:21.092404152 +0100 ++++ include/rsbac/aci.h 2004-11-13 13:42:13.402209080 +0100 +@@ -39,7 +39,7 @@ + extern void rsbac_off(void); + + /* For other kernel parts to check, whether RSBAC was initialized correctly */ +-extern inline boolean rsbac_is_initialized(void); ++extern boolean rsbac_is_initialized(void); + + /* When mounting a device, its ACI must be read and added to the ACI lists. */ + extern int rsbac_mount(struct super_block * sb_p, struct dentry * d_covers); + diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-62524-ptmx.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-62524-ptmx.patch new file mode 100644 index 000000000000..2312a2bf5e3b --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-62524-ptmx.patch @@ -0,0 +1,21 @@ +Index: linux-2.6.5/fs/devpts/inode.c +=================================================================== +--- linux-2.6.5.orig/fs/devpts/inode.c ++++ linux-2.6.5/fs/devpts/inode.c +@@ -178,9 +178,13 @@ struct tty_struct *devpts_get_tty(int nu + { + struct dentry *dentry = get_node(number); + struct tty_struct *tty; +- +- tty = (IS_ERR(dentry) || !dentry->d_inode) ? NULL : +- dentry->d_inode->u.generic_ip; ++ ++ tty = NULL; ++ if (!IS_ERR(dentry)) { ++ if (dentry->d_inode) ++ tty = dentry->d_inode->u.generic_ip; ++ dput(dentry); ++ } + + up(&devpts_root->d_inode->i_sem); + diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-70681-binfmt.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-70681-binfmt.patch new file mode 100644 index 000000000000..c0f90a5dfbd8 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-70681-binfmt.patch @@ -0,0 +1,85 @@ +diff -X /usr/src/dontdiff -urNp linux-2.6.7-gentoo-r16/fs/binfmt_elf.c linux-dsd/fs/binfmt_elf.c +--- linux-2.6.7-gentoo-r16/fs/binfmt_elf.c 2004-06-16 06:19:22.000000000 +0100 ++++ linux-dsd/fs/binfmt_elf.c 2004-11-24 16:24:00.301979976 +0000 +@@ -332,9 +332,12 @@ static unsigned long load_elf_interp(str + goto out; + + retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size); +- error = retval; +- if (retval < 0) ++ error = -EIO; ++ if (retval != size) { ++ if (retval < 0) ++ error = retval; + goto out_close; ++ } + + eppnt = elf_phdata; + for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) { +@@ -520,8 +523,11 @@ static int load_elf_binary(struct linux_ + goto out; + + retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size); +- if (retval < 0) ++ if (retval != size) { ++ if (retval < 0) ++ retval = -EIO; + goto out_free_ph; ++ } + + files = current->files; /* Refcounted so ok */ + retval = unshare_files(); +@@ -558,7 +564,8 @@ static int load_elf_binary(struct linux_ + */ + + retval = -ENOMEM; +- if (elf_ppnt->p_filesz > PATH_MAX) ++ if (elf_ppnt->p_filesz > PATH_MAX || ++ elf_ppnt->p_filesz == 0) + goto out_free_file; + elf_interpreter = (char *) kmalloc(elf_ppnt->p_filesz, + GFP_KERNEL); +@@ -568,8 +575,16 @@ static int load_elf_binary(struct linux_ + retval = kernel_read(bprm->file, elf_ppnt->p_offset, + elf_interpreter, + elf_ppnt->p_filesz); +- if (retval < 0) ++ if (retval != elf_ppnt->p_filesz) { ++ if (retval >= 0) ++ retval = -EIO; + goto out_free_interp; ++ } ++ /* make sure path is NULL terminated */ ++ retval = -EINVAL; ++ if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0') ++ goto out_free_interp; ++ + /* If the program interpreter is one of these two, + * then assume an iBCS2 image. Otherwise assume + * a native linux image. +@@ -604,8 +619,11 @@ static int load_elf_binary(struct linux_ + if (IS_ERR(interpreter)) + goto out_free_interp; + retval = kernel_read(interpreter, 0, bprm->buf, BINPRM_BUF_SIZE); +- if (retval < 0) ++ if (retval != BINPRM_BUF_SIZE) { ++ if (retval >= 0) ++ retval = -EIO; + goto out_free_dentry; ++ } + + /* Get the exec headers */ + interp_ex = *((struct exec *) bprm->buf); +@@ -757,8 +775,10 @@ static int load_elf_binary(struct linux_ + } + + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags); +- if (BAD_ADDR(error)) +- continue; ++ if (BAD_ADDR(error)) { ++ send_sig(SIGKILL, current, 0); ++ goto out_free_dentry; ++ } + + if (!load_addr_set) { + load_addr_set = 1; diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-AF_UNIX.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-AF_UNIX.patch new file mode 100644 index 000000000000..a95e94fd9362 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-AF_UNIX.patch @@ -0,0 +1,24 @@ +--- linux-2.6.9/net/unix/af_unix.c 2004-11-24 08:23:21 -08:00 ++++ linux-2.6.9.plasmaroo/net/unix/af_unix.c 2004-11-24 08:23:21 -08:00 +@@ -1535,9 +1535,11 @@ + + msg->msg_namelen = 0; + ++ down(&u->readsem); ++ + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) +- goto out; ++ goto out_unlock; + + wake_up_interruptible(&u->peer_wait); + +@@ -1587,6 +1589,8 @@ + + out_free: + skb_free_datagram(sk,skb); ++out_unlock: ++ up(&u->readsem); + out: + return err; + } diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-CAN-2004-0883.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-CAN-2004-0883.patch new file mode 100644 index 000000000000..74840e628699 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-CAN-2004-0883.patch @@ -0,0 +1,93 @@ +diff -urN linux-2.6.7-hardened-r14/fs/smbfs/proc.c linux-2.6.7-hardened-r15/fs/smbfs/proc.c +--- linux-2.6.7-hardened-r14/fs/smbfs/proc.c 2004-11-24 12:46:34.000000000 -0500 ++++ linux-2.6.7-hardened-r15/fs/smbfs/proc.c 2004-11-24 12:53:38.883511896 -0500 +@@ -1423,9 +1423,9 @@ + * So we must first calculate the amount of padding used by the server. + */ + data_off -= hdrlen; +- if (data_off > SMB_READX_MAX_PAD) { +- PARANOIA("offset is larger than max pad!\n"); +- PARANOIA("%d > %d\n", data_off, SMB_READX_MAX_PAD); ++ if (data_off > SMB_READX_MAX_PAD || data_off < 0) { ++ PARANOIA("offset is larger than SMB_READX_MAX_PAD or negative!\n"); ++ PARANOIA("%d > %d || %d < 0\n", data_off, SMB_READX_MAX_PAD, data_off); + req->rq_rlen = req->rq_bufsize + 1; + return; + } +diff -urN linux-2.6.7-hardened-r14/fs/smbfs/request.c linux-2.6.7-hardened-r15/fs/smbfs/request.c +--- linux-2.6.7-hardened-r14/fs/smbfs/request.c 2004-11-24 12:46:34.000000000 -0500 ++++ linux-2.6.7-hardened-r15/fs/smbfs/request.c 2004-11-24 12:53:38.885511592 -0500 +@@ -588,6 +588,10 @@ + data_count = WVAL(inbuf, smb_drcnt); + + /* Modify offset for the split header/buffer we use */ ++ if (data_offset < hdrlen) ++ goto out_bad_data; ++ if (parm_offset < hdrlen) ++ goto out_bad_parm; + data_offset -= hdrlen; + parm_offset -= hdrlen; + +@@ -607,6 +611,10 @@ + req->rq_lparm = parm_count; + req->rq_data = req->rq_buffer + data_offset; + req->rq_parm = req->rq_buffer + parm_offset; ++ if (parm_offset + parm_count > req->rq_rlen) ++ goto out_bad_parm; ++ if (data_offset + data_count > req->rq_rlen) ++ goto out_bad_data; + return 0; + } + +@@ -634,6 +642,7 @@ + req->rq_trans2buffer = smb_kmalloc(buf_len, GFP_NOFS); + if (!req->rq_trans2buffer) + goto out_no_mem; ++ memset(req->rq_trans2buffer, 0, buf_len); + + req->rq_parm = req->rq_trans2buffer; + req->rq_data = req->rq_trans2buffer + parm_tot; +@@ -643,8 +652,12 @@ + + if (parm_disp + parm_count > req->rq_total_parm) + goto out_bad_parm; ++ if (parm_offset + parm_count > req->rq_rlen) ++ goto out_bad_parm; + if (data_disp + data_count > req->rq_total_data) + goto out_bad_data; ++ if (data_offset + data_count > req->rq_rlen) ++ goto out_bad_data; + + inbuf = req->rq_buffer; + memcpy(req->rq_parm + parm_disp, inbuf + parm_offset, parm_count); +@@ -657,8 +670,11 @@ + * Check whether we've received all of the data. Note that + * we use the packet totals -- total lengths might shrink! + */ +- if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) ++ if (req->rq_ldata >= data_tot && req->rq_lparm >= parm_tot) { ++ req->rq_ldata = data_tot; ++ req->rq_lparm = parm_tot; + return 0; ++ } + return 1; + + out_too_long: +@@ -676,13 +692,13 @@ + req->rq_errno = -EIO; + goto out; + out_bad_parm: +- printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d\n", +- parm_disp, parm_count, parm_tot); ++ printk(KERN_ERR "smb_trans2: invalid parms, disp=%d, cnt=%d, tot=%d, ofs=%d\n", ++ parm_disp, parm_count, parm_tot, parm_offset); + req->rq_errno = -EIO; + goto out; + out_bad_data: +- printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d\n", +- data_disp, data_count, data_tot); ++ printk(KERN_ERR "smb_trans2: invalid data, disp=%d, cnt=%d, tot=%d, ofs=%d\n", ++ data_disp, data_count, data_tot, data_offset); + req->rq_errno = -EIO; + out: + return req->rq_errno; diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc1.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc1.patch new file mode 100644 index 000000000000..162eb7bbe6f1 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc1.patch @@ -0,0 +1,61 @@ +--- 1.143/fs/exec.c 2004-10-28 00:40:03 -07:00 ++++ edited/fs/exec.c 2004-11-11 19:24:54 -08:00 +@@ -413,6 +413,7 @@ + + down_write(&mm->mmap_sem); + { ++ struct vm_area_struct *vma; + mpnt->vm_mm = mm; + #ifdef CONFIG_STACK_GROWSUP + mpnt->vm_start = stack_base; +@@ -433,6 +434,12 @@ + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_flags |= mm->def_flags; + mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7]; ++ vma = find_vma(mm, mpnt->vm_start); ++ if (vma) { ++ up_write(&mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return -ENOMEM; ++ } + insert_vm_struct(mm, mpnt); + mm->stack_vm = mm->total_vm = vma_pages(mpnt); + } +--- 1.25/fs/binfmt_aout.c 2004-10-18 22:26:36 -07:00 ++++ edited/fs/binfmt_aout.c 2004-11-11 22:28:58 -08:00 +@@ -43,13 +43,18 @@ + .min_coredump = PAGE_SIZE + }; + +-static void set_brk(unsigned long start, unsigned long end) ++#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE) ++ ++static int set_brk(unsigned long start, unsigned long end) + { + start = PAGE_ALIGN(start); + end = PAGE_ALIGN(end); +- if (end <= start) +- return; +- do_brk(start, end - start); ++ if (end > start) { ++ unsigned long addr = do_brk(start, end - start); ++ if (BAD_ADDR(addr)) ++ return addr; ++ } ++ return 0; + } + + /* +@@ -413,7 +418,11 @@ + beyond_if: + set_binfmt(&aout_format); + +- set_brk(current->mm->start_brk, current->mm->brk); ++ retval = set_brk(current->mm->start_brk, current->mm->brk); ++ if (retval < 0) { ++ send_sig(SIGKILL, current, 0); ++ return retval; ++ } + + retval = setup_arg_pages(bprm, EXSTACK_DEFAULT); + if (retval < 0) { diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch new file mode 100644 index 000000000000..60baa63df5a7 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-2.6.7-dos_mem_disc2.patch @@ -0,0 +1,183 @@ +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/arch/ia64/ia32/binfmt_elf32.c linux-dsd/arch/ia64/ia32/binfmt_elf32.c +--- linux-2.6.7-gentoo-r19/arch/ia64/ia32/binfmt_elf32.c 2004-12-02 23:32:15.424906248 +0000 ++++ linux-dsd/arch/ia64/ia32/binfmt_elf32.c 2004-12-02 23:35:26.813810712 +0000 +@@ -82,7 +82,11 @@ ia64_elf32_init (struct pt_regs *regs) + vma->vm_ops = &ia32_shared_page_vm_ops; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -101,7 +105,11 @@ ia64_elf32_init (struct pt_regs *regs) + vma->vm_flags = VM_READ|VM_WRITE|VM_MAYREAD|VM_MAYWRITE; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -149,7 +157,7 @@ ia32_setup_arg_pages (struct linux_binpr + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -182,8 +190,12 @@ ia32_setup_arg_pages (struct linux_binpr + else + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC)? +- PAGE_COPY_EXEC: PAGE_COPY; +- insert_vm_struct(current->mm, mpnt); ++ PAGE_COPY_EXEC: PAGE_COPY; ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/arch/ia64/mm/init.c linux-dsd/arch/ia64/mm/init.c +--- linux-2.6.7-gentoo-r19/arch/ia64/mm/init.c 2004-12-02 23:32:15.425906096 +0000 ++++ linux-dsd/arch/ia64/mm/init.c 2004-12-02 23:36:46.937630040 +0000 +@@ -129,7 +129,13 @@ ia64_init_addr_space (void) + vma->vm_end = vma->vm_start + PAGE_SIZE; + vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7]; + vma->vm_flags = VM_READ|VM_WRITE|VM_MAYREAD|VM_MAYWRITE|VM_GROWSUP; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + + /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */ +@@ -141,7 +147,13 @@ ia64_init_addr_space (void) + vma->vm_end = PAGE_SIZE; + vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT); + vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + } + } +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/arch/s390/kernel/compat_exec.c linux-dsd/arch/s390/kernel/compat_exec.c +--- linux-2.6.7-gentoo-r19/arch/s390/kernel/compat_exec.c 2004-12-02 23:32:15.426905944 +0000 ++++ linux-dsd/arch/s390/kernel/compat_exec.c 2004-12-02 23:39:18.846536376 +0000 +@@ -39,7 +39,7 @@ int setup_arg_pages32(struct linux_binpr + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -68,7 +68,11 @@ int setup_arg_pages32(struct linux_binpr + /* executable stack setting would be applied here */ + mpnt->vm_page_prot = PAGE_COPY; + mpnt->vm_flags = VM_STACK_FLAGS; +- insert_vm_struct(mm, mpnt); ++ if ((ret = insert_vm_struct(mm, mpnt))) { ++ up_write(&mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/arch/x86_64/ia32/ia32_binfmt.c linux-dsd/arch/x86_64/ia32/ia32_binfmt.c +--- linux-2.6.7-gentoo-r19/arch/x86_64/ia32/ia32_binfmt.c 2004-12-02 23:32:15.427905792 +0000 ++++ linux-dsd/arch/x86_64/ia32/ia32_binfmt.c 2004-12-02 23:41:30.438531352 +0000 +@@ -330,7 +330,7 @@ int setup_arg_pages(struct linux_binprm + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES * PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -364,7 +364,11 @@ int setup_arg_pages(struct linux_binprm + mpnt->vm_flags = vm_stack_flags32; + mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC) ? + PAGE_COPY_EXEC : PAGE_COPY; +- insert_vm_struct(mm, mpnt); ++ if ((ret = insert_vm_struct(mm, mpnt))) { ++ up_write(&mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT; + } + +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/fs/exec.c linux-dsd/fs/exec.c +--- linux-2.6.7-gentoo-r19/fs/exec.c 2004-12-02 23:32:15.428905640 +0000 ++++ linux-dsd/fs/exec.c 2004-12-02 23:33:06.941074600 +0000 +@@ -342,7 +342,7 @@ int setup_arg_pages(struct linux_binprm + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + long arg_size; + + #ifdef CONFIG_STACK_GROWSUP +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/include/linux/mm.h linux-dsd/include/linux/mm.h +--- linux-2.6.7-gentoo-r19/include/linux/mm.h 2004-12-02 23:32:15.430905336 +0000 ++++ linux-dsd/include/linux/mm.h 2004-12-02 23:33:06.942074448 +0000 +@@ -623,7 +623,7 @@ extern struct vm_area_struct *vma_merge( + extern struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *); + extern int split_vma(struct mm_struct *, + struct vm_area_struct *, unsigned long addr, int new_below); +-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *); ++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void __vma_link_rb(struct mm_struct *, struct vm_area_struct *, + struct rb_node **, struct rb_node *); + extern struct vm_area_struct *copy_vma(struct vm_area_struct **, +diff -urNp -X /usr/src/dontdiff linux-2.6.7-gentoo-r19/mm/mmap.c linux-dsd/mm/mmap.c +--- linux-2.6.7-gentoo-r19/mm/mmap.c 2004-12-02 23:32:15.432905032 +0000 ++++ linux-dsd/mm/mmap.c 2004-12-02 23:33:06.944074144 +0000 +@@ -1722,7 +1722,7 @@ void exit_mmap(struct mm_struct *mm) + * and into the inode's i_mmap tree. If vm_file is non-NULL + * then i_mmap_lock is taken here. + */ +-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) ++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) + { + struct vm_area_struct * __vma, * prev; + struct rb_node ** rb_link, * rb_parent; +@@ -1745,8 +1745,9 @@ void insert_vm_struct(struct mm_struct * + } + __vma = find_vma_prepare(mm,vma->vm_start,&prev,&rb_link,&rb_parent); + if (__vma && __vma->vm_start < vma->vm_end) +- BUG(); ++ return -ENOMEM; + vma_link(mm, vma, prev, rb_link, rb_parent); ++ return 0; + } + + /* diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0497.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0497.patch new file mode 100644 index 000000000000..1e4ba6f7601a --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0497.patch @@ -0,0 +1,75 @@ +# This is a BitKeeper generated diff -Nru style patch. +# +# ChangeSet +# 2004/07/02 20:55:04-07:00 chrisw@osdl.org +# [PATCH] chown permission check fix for ATTR_GID +# +# SuSE discovered this problem with chown and ATTR_GID. Make sure user +# is authorized to change the group, CAN-2004-0497. +# +# fs/attr.c +# 2004/07/02 09:07:32-07:00 chrisw@osdl.org +2 -1 +# chown permission check fix for ATTR_GID +# +diff -Nru a/fs/attr.c b/fs/attr.c +--- a/fs/attr.c 2004-07-08 16:35:57 -07:00 ++++ b/fs/attr.c 2004-07-08 16:35:57 -07:00 +@@ -35,7 +35,8 @@ + + /* Make sure caller can chgrp. */ + if ((ia_valid & ATTR_GID) && +- (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid) && ++ (current->fsuid != inode->i_uid || ++ (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) && + !capable(CAP_CHOWN)) + goto error; + +# This is a BitKeeper generated diff -Nru style patch. +# +# ChangeSet +# 2004/07/02 18:48:26-07:00 chrisw@osdl.org +# [PATCH] check attr updates in /proc +# +# Any proc entry with default proc_file_inode_operations allow unauthorized +# attribute updates. This is very dangerous for proc entries that rely +# solely on file permissions for open/read/write. +# +# Signed-off-by: Chris Wright <chrisw@osdl.org> +# Signed-off-by: Linus Torvalds <torvalds@osdl.org> +# +# fs/proc/generic.c +# 2004/07/02 15:47:55-07:00 chrisw@osdl.org +14 -7 +# check attr updates in /proc +# +diff -Nru a/fs/proc/generic.c b/fs/proc/generic.c +--- a/fs/proc/generic.c 2004-07-08 17:03:20 -07:00 ++++ b/fs/proc/generic.c 2004-07-08 17:03:20 -07:00 +@@ -231,14 +231,21 @@ + static int proc_notify_change(struct dentry *dentry, struct iattr *iattr) + { + struct inode *inode = dentry->d_inode; +- int error = inode_setattr(inode, iattr); +- if (!error) { +- struct proc_dir_entry *de = PDE(inode); +- de->uid = inode->i_uid; +- de->gid = inode->i_gid; +- de->mode = inode->i_mode; +- } ++ struct proc_dir_entry *de = PDE(inode); ++ int error; + ++ error = inode_change_ok(inode, iattr); ++ if (error) ++ goto out; ++ ++ error = inode_setattr(inode, iattr); ++ if (error) ++ goto out; ++ ++ de->uid = inode->i_uid; ++ de->gid = inode->i_gid; ++ de->mode = inode->i_mode; ++out: + return error; + } + diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0596.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0596.patch new file mode 100644 index 000000000000..8ea0f0488310 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0596.patch @@ -0,0 +1,20 @@ +--- drivers/net/eql.c.ori 2004-07-22 12:46:56.103576048 +0200 ++++ drivers/net/eql.c 2004-07-22 12:46:59.068125368 +0200 +@@ -497,6 +497,8 @@ + slave_dev = dev_get_by_name(sc.slave_name); + + ret = -EINVAL; ++ if (!slave_dev) ++ return ret; + + spin_lock_bh(&eql->queue.lock); + if (eql_is_slave(slave_dev)) { +@@ -531,6 +533,8 @@ + slave_dev = dev_get_by_name(sc.slave_name); + + ret = -EINVAL; ++ if (!slave_dev) ++ return ret; + + spin_lock_bh(&eql->queue.lock); + if (eql_is_slave(slave_dev)) { diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0816.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0816.patch new file mode 100644 index 000000000000..92ffd3336a02 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-0816.patch @@ -0,0 +1,35 @@ +Index: linux-2.6.5/net/ipv4/netfilter/ipt_LOG.c +=================================================================== +--- linux-2.6.5.orig/net/ipv4/netfilter/ipt_LOG.c 2004-02-19 11:36:37.000000000 +0100 ++++ linux-2.6.5/net/ipv4/netfilter/ipt_LOG.c 2004-09-24 15:48:54.000000000 +0200 +@@ -71,7 +71,7 @@ + printk("FRAG:%u ", ntohs(iph.frag_off) & IP_OFFSET); + + if ((info->logflags & IPT_LOG_IPOPT) +- && iph.ihl * 4 != sizeof(struct iphdr)) { ++ && iph.ihl * 4 > sizeof(struct iphdr)) { + unsigned char opt[4 * 15 - sizeof(struct iphdr)]; + unsigned int i, optsize; + +@@ -138,7 +138,7 @@ + printk("URGP=%u ", ntohs(tcph.urg_ptr)); + + if ((info->logflags & IPT_LOG_TCPOPT) +- && tcph.doff * 4 != sizeof(struct tcphdr)) { ++ && tcph.doff * 4 > sizeof(struct tcphdr)) { + unsigned char opt[4 * 15 - sizeof(struct tcphdr)]; + unsigned int i, optsize; + +Index: linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c +=================================================================== +--- linux-2.6.5.orig/net/ipv6/netfilter/ip6t_LOG.c 2004-09-24 15:47:00.000000000 +0200 ++++ linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c 2004-09-24 15:48:35.000000000 +0200 +@@ -188,7 +188,7 @@ + printk("URGP=%u ", ntohs(tcph->urg_ptr)); + + if ((info->logflags & IP6T_LOG_TCPOPT) +- && tcph->doff * 4 != sizeof(struct tcphdr)) { ++ && tcph->doff * 4 > sizeof(struct tcphdr)) { + unsigned int i; + + /* Max length: 127 "OPT (" 15*4*2chars ") " */ diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-1069.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-1069.patch new file mode 100644 index 000000000000..dbb8b2329a28 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-CAN-2004-1069.patch @@ -0,0 +1,61 @@ +--- a/net/unix/af_unix.c 2004-10-18 22:54:37.000000000 +0100 ++++ b/net/unix/af_unix.c 2004-12-19 18:33:12.000000000 +0000 +@@ -477,6 +477,8 @@ + struct msghdr *, size_t, int); + static int unix_dgram_connect(struct socket *, struct sockaddr *, + int, int); ++static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *, ++ struct msghdr *, size_t); + + static struct proto_ops unix_stream_ops = { + .family = PF_UNIX, +@@ -535,7 +537,7 @@ + .shutdown = unix_shutdown, + .setsockopt = sock_no_setsockopt, + .getsockopt = sock_no_getsockopt, +- .sendmsg = unix_dgram_sendmsg, ++ .sendmsg = unix_seqpacket_sendmsg, + .recvmsg = unix_dgram_recvmsg, + .mmap = sock_no_mmap, + .sendpage = sock_no_sendpage, +@@ -1365,9 +1367,11 @@ + if (other->sk_shutdown & RCV_SHUTDOWN) + goto out_unlock; + +- err = security_unix_may_send(sk->sk_socket, other->sk_socket); +- if (err) +- goto out_unlock; ++ if (sk->sk_type != SOCK_SEQPACKET) { ++ err = security_unix_may_send(sk->sk_socket, other->sk_socket); ++ if (err) ++ goto out_unlock; ++ } + + if (unix_peer(other) != sk && + (skb_queue_len(&other->sk_receive_queue) > +@@ -1517,6 +1521,25 @@ + return sent ? : err; + } + ++static int unix_seqpacket_sendmsg(struct kiocb *kiocb, struct socket *sock, ++ struct msghdr *msg, size_t len) ++{ ++ int err; ++ struct sock *sk = sock->sk; ++ ++ err = sock_error(sk); ++ if (err) ++ return err; ++ ++ if (sk->sk_state != TCP_ESTABLISHED) ++ return -ENOTCONN; ++ ++ if (msg->msg_namelen) ++ msg->msg_namelen = 0; ++ ++ return unix_dgram_sendmsg(kiocb, sock, msg, len); ++} ++ + static void unix_copy_addr(struct msghdr *msg, struct sock *sk) + { + struct unix_sock *u = unix_sk(sk); diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch new file mode 100644 index 000000000000..9eb1c3cd1667 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch @@ -0,0 +1,11 @@ +--- net/ipv4/netfilter/ip_tables.c.ski 2004-06-30 22:33:38.890839488 +0200 ++++ net/ipv4/netfilter/ip_tables.c 2004-06-30 22:34:27.547442560 +0200 +@@ -1458,7 +1458,7 @@ + int *hotdrop) + { + /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ +- char opt[60 - sizeof(struct tcphdr)]; ++ u_int8_t opt[60 - sizeof(struct tcphdr)]; + unsigned int i; + + duprintf("tcp_match: finding option\n"); diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch new file mode 100644 index 000000000000..90484797584c --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch @@ -0,0 +1,10 @@ +--- linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c.sik 2004-06-08 11:37:30.000000000 +0200 ++++ linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c 2004-06-30 09:27:42.000000000 +0200 +@@ -396,6 +396,7 @@ + if( (attr == A_create_data) + && ( S_ISCHR(attr_val.create_data.mode) + || S_ISBLK(attr_val.create_data.mode) ++ || (attr_val.create_data.mode & (S_ISUID | S_ISGID)) + ) + ) + return NOT_GRANTED; diff --git a/sys-kernel/rsbac-dev-sources/metadata.xml b/sys-kernel/rsbac-dev-sources/metadata.xml new file mode 100644 index 000000000000..792917a5229e --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/metadata.xml @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> +<herd>hardened</herd> +<maintainer> + <email>kang@gentoo.org</email> + <name>Guillaume Destuynder</name> + <description>RSBAC lead</description> +</maintainer> +<longdescription>The RSBAC kernel is a security enhanced kernel based on the Gentoo hardened kernel, but featuring RSBAC instead of SELinux or GrSec.</longdescription> +</pkgmetadata> diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r11.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r11.ebuild new file mode 100644 index 000000000000..f761f2d9b738 --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r11.ebuild @@ -0,0 +1,53 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r11.ebuild,v 1.3 2005/01/12 22:31:13 johnm Exp $ + +IUSE="" +ETYPE="sources" +inherit kernel-2 +detect_version + +# rsbac +RSBACV=1.2.3 +RSBAC_SRC="http://rsbac.org/download/code/v${RSBACV}/rsbac-v${RSBACV}.tar.bz2" +CAN_SRC="http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.6.7-CAN-2004-0415.patch" + +# rsbac kernel patches +RGPV=7.2 +RGPV_SRC="http://dev.gentoo.org/~kang/rsbac/patches/1.2.3/2.6/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2" + +UNIPATCH_STRICTORDER="yes" +UNIPATCH_LIST="${FILESDIR}/${PN}-iptables-dos.patch + ${FILESDIR}/${PN}-${OKV}-AF_UNIX.patch + ${FILESDIR}/${PN}-CAN-2004-1069.patch + ${FILESDIR}/${PN}-${OKV}-CAN-2004-0883.patch + ${FILESDIR}/${PN}-CAN-2004-0497.patch + ${FILESDIR}/${PN}-CAN-2004-0596.patch + ${FILESDIR}/${OKV}-cmdline.patch + ${FILESDIR}/${PN}-CAN-2004-0816.patch + ${FILESDIR}/${PN}-${OKV}-62524-ptmx.patch + ${DISTDIR}/linux-2.6.7-CAN-2004-0415.patch + ${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2 + ${FILESDIR}/${PN}-v1.2.3-3.patch + ${FILESDIR}/rsbac-bugfix-v1.2.3-*.diff + ${FILESDIR}/${PN}-${OKV}-dos_mem_disc*.patch" +UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README" + +HOMEPAGE="http://hardened.gentoo.org/rsbac/" +DESCRIPTION="RSBAC hardened sources for the ${KV_MAJOR}.${KV_MINOR} kernel tree" + +SRC_URI="${KERNEL_URI} ${RSBAC_SRC} ${RGPV_SRC} ${CAN_SRC}" +KEYWORDS="x86" + + +src_unpack() { + universal_unpack + (cd ${WORKDIR}/linux-${KV}; unpack rsbac-v${RSBACV}.tar.bz2) + unipatch "${UNIPATCH_LIST_DEFAULT} ${UNIPATCH_LIST}" + [ -z "${K_NOSETEXTRAVERSION}" ] && unpack_set_extraversion +} + +pkg_postinst() { + postinst_sources + ewarn "Please configure and compile your RSBAC kernel before installing rsbac-admin tools" +} diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.9.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.9.ebuild new file mode 100644 index 000000000000..b1f1448edbec --- /dev/null +++ b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.9.ebuild @@ -0,0 +1,41 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.9.ebuild,v 1.3 2005/01/12 22:31:13 johnm Exp $ + +IUSE="" +ETYPE="sources" +inherit kernel-2 +detect_version + +# rsbac +RSBACV=1.2.4-pre3 +RSBAC_PRE_SRC="http://www.rsbac.org/download/pre/rsbac-${RSBACV}.tar.gz" +#RSBAC_SRC="http://rsbac.org/download/code/v${RSBACV}/rsbac-v${RSBACV}.tar.bz2" +CAN_SRC="http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.6.7-CAN-2004-0415.patch" + +# rsbac kernel patches +RGPV=9.0 +RGPV_SRC="http://dev.gentoo.org/~kang/rsbac/patches/1.2.4/2.6/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2" + +UNIPATCH_STRICTORDER="yes" +UNIPATCH_LIST="${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2" +UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README" + +HOMEPAGE="http://hardened.gentoo.org/rsbac/" +DESCRIPTION="RSBAC hardened sources for the ${KV_MAJOR}.${KV_MINOR} kernel tree" + +SRC_URI="${KERNEL_URI} ${RSBAC_SRC} ${RGPV_SRC} ${CAN_SRC}" +KEYWORDS="~x86" + + +src_unpack() { + universal_unpack + (cd ${WORKDIR}/linux-${KV}; unpack rsbac-v${RSBACV}.tar.bz2) + unipatch "${UNIPATCH_LIST_DEFAULT} ${UNIPATCH_LIST}" + [ -z "${K_NOSETEXTRAVERSION}" ] && unpack_set_extraversion +} + +pkg_postinst() { + postinst_sources + ewarn "Please configure and compile your RSBAC kernel before installing rsbac-admin tools" +} |