Contents of /trunk/1.8.x/ccs-patch/patches/ccs-patch-2.6.18-natures-linux-1.6.diff

Revision 5915 - (show annotations) (download) (as text)
Thu Mar 8 06:10:35 2012 UTC (12 years, 2 months ago) by kumaneko
File MIME type: text/x-diff
File size: 34317 byte(s)
Allow returning other errors when ptrace permission cannot be checked.
1 This is the TOMOYO Linux patch for Nature's Linux 1.6.
2
3 Source code for this patch is http://packages.n-linux.com/release/deb/kernel-source-2.6.18.8p9_nl1_all.deb
4 ---
5 arch/alpha/kernel/ptrace.c | 5 +++++
6 arch/ia64/ia32/sys_ia32.c | 3 +++
7 arch/ia64/kernel/ptrace.c | 5 +++++
8 arch/m32r/kernel/ptrace.c | 6 ++++++
9 arch/mips/kernel/ptrace32.c | 5 +++++
10 arch/powerpc/kernel/ptrace32.c | 5 +++++
11 arch/s390/kernel/ptrace.c | 5 +++++
12 arch/sparc/kernel/ptrace.c | 7 +++++++
13 arch/sparc64/kernel/ptrace.c | 7 +++++++
14 arch/x86_64/ia32/ptrace32.c | 6 ++++++
15 fs/compat.c | 5 ++++-
16 fs/exec.c | 9 ++++++++-
17 fs/fcntl.c | 4 ++++
18 fs/ioctl.c | 2 ++
19 fs/namei.c | 21 +++++++++++++++++++++
20 fs/namespace.c | 8 ++++++++
21 fs/open.c | 26 ++++++++++++++++++++++++++
22 fs/proc/proc_misc.c | 1 +
23 fs/stat.c | 2 ++
24 include/linux/init_task.h | 9 +++++++++
25 include/linux/sched.h | 6 ++++++
26 include/linux/security.h | 1 +
27 kernel/compat.c | 2 ++
28 kernel/fork.c | 5 +++++
29 kernel/kexec.c | 3 +++
30 kernel/module.c | 5 +++++
31 kernel/ptrace.c | 5 +++++
32 kernel/sched.c | 2 ++
33 kernel/signal.c | 8 ++++++++
34 kernel/sys.c | 10 ++++++++++
35 kernel/sysctl.c | 10 ++++++++++
36 kernel/time.c | 6 ++++++
37 net/ipv4/inet_connection_sock.c | 3 +++
38 net/ipv4/inet_hashtables.c | 3 +++
39 net/ipv4/raw.c | 5 +++++
40 net/ipv4/udp.c | 11 ++++++++++-
41 net/ipv6/inet6_hashtables.c | 5 ++++-
42 net/ipv6/raw.c | 5 +++++
43 net/ipv6/udp.c | 9 +++++++++
44 net/socket.c | 18 ++++++++++++++++++
45 net/unix/af_unix.c | 6 ++++++
46 security/Kconfig | 2 ++
47 security/Makefile | 3 +++
48 43 files changed, 270 insertions(+), 4 deletions(-)
49
50 --- linux-2.6.18.8p9.orig/arch/alpha/kernel/ptrace.c
51 +++ linux-2.6.18.8p9/arch/alpha/kernel/ptrace.c
52 @@ -268,6 +268,11 @@ do_sys_ptrace(long request, long pid, lo
53 unsigned long tmp;
54 size_t copied;
55 long ret;
56 + {
57 + const int rc = ccs_ptrace_permission(request, pid);
58 + if (rc)
59 + return rc;
60 + }
61
62 lock_kernel();
63 DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n",
64 --- linux-2.6.18.8p9.orig/arch/ia64/ia32/sys_ia32.c
65 +++ linux-2.6.18.8p9/arch/ia64/ia32/sys_ia32.c
66 @@ -56,6 +56,7 @@
67 #include <asm/types.h>
68 #include <asm/uaccess.h>
69 #include <asm/unistd.h>
70 +#include <linux/ccsecurity.h>
71
72 #include "ia32priv.h"
73
74 @@ -1741,6 +1742,8 @@ sys32_ptrace (int request, pid_t pid, un
75 struct task_struct *child;
76 unsigned int value, tmp;
77 long i, ret;
78 + if (ccs_ptrace_permission(request, pid))
79 + return -EPERM;
80
81 lock_kernel();
82 if (request == PTRACE_TRACEME) {
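Review bot: The hook added to sys32_ptrace() still maps every non-zero result of ccs_ptrace_permission() to -EPERM, while every other ptrace entry point in this patch keeps the hook's value in `rc` and returns it. Since the revision message says other errors should be returned when the permission cannot be checked, this site should use the same form: `const int rc = ccs_ptrace_permission(request, pid);` followed by `if (rc) return rc;`. The check fails closed either way, so this is about callers and logs seeing the real error rather than a bypass. sys32_ptrace()'s body continues outside the hunk.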
83 --- linux-2.6.18.8p9.orig/arch/ia64/kernel/ptrace.c
84 +++ linux-2.6.18.8p9/arch/ia64/kernel/ptrace.c
85 @@ -1417,6 +1417,11 @@ sys_ptrace (long request, pid_t pid, uns
86 struct task_struct *child;
87 struct switch_stack *sw;
88 long ret;
89 + {
90 + const int rc = ccs_ptrace_permission(request, pid);
91 + if (rc)
92 + return rc;
93 + }
94
95 lock_kernel();
96 ret = -EPERM;
97 --- linux-2.6.18.8p9.orig/arch/m32r/kernel/ptrace.c
98 +++ linux-2.6.18.8p9/arch/m32r/kernel/ptrace.c
99 @@ -32,6 +32,7 @@
100 #include <asm/system.h>
101 #include <asm/processor.h>
102 #include <asm/mmu_context.h>
103 +#include <linux/ccsecurity.h>
104
105 /*
106 * This routine will get a word off of the process kernel stack.
107 @@ -742,6 +743,11 @@ asmlinkage long sys_ptrace(long request,
108 {
109 struct task_struct *child;
110 int ret;
111 + {
112 + const int rc = ccs_ptrace_permission(request, pid);
113 + if (rc)
114 + return rc;
115 + }
116
117 lock_kernel();
118 if (request == PTRACE_TRACEME) {
119 --- linux-2.6.18.8p9.orig/arch/mips/kernel/ptrace32.c
120 +++ linux-2.6.18.8p9/arch/mips/kernel/ptrace32.c
121 @@ -50,6 +50,11 @@ asmlinkage int sys32_ptrace(int request,
122 {
123 struct task_struct *child;
124 int ret;
125 + {
126 + const int rc = ccs_ptrace_permission(request, pid);
127 + if (rc)
128 + return rc;
129 + }
130
131 #if 0
132 printk("ptrace(r=%d,pid=%d,addr=%08lx,data=%08lx)\n",
133 --- linux-2.6.18.8p9.orig/arch/powerpc/kernel/ptrace32.c
134 +++ linux-2.6.18.8p9/arch/powerpc/kernel/ptrace32.c
135 @@ -45,6 +45,11 @@ long compat_sys_ptrace(int request, int
136 {
137 struct task_struct *child;
138 int ret;
139 + {
140 + const int rc = ccs_ptrace_permission(request, pid);
141 + if (rc)
142 + return rc;
143 + }
144
145 lock_kernel();
146 if (request == PTRACE_TRACEME) {
147 --- linux-2.6.18.8p9.orig/arch/s390/kernel/ptrace.c
148 +++ linux-2.6.18.8p9/arch/s390/kernel/ptrace.c
149 @@ -710,6 +710,11 @@ sys_ptrace(long request, long pid, long
150 {
151 struct task_struct *child;
152 int ret;
153 + {
154 + const int rc = ccs_ptrace_permission(request, pid);
155 + if (rc)
156 + return rc;
157 + }
158
159 lock_kernel();
160 if (request == PTRACE_TRACEME) {
161 --- linux-2.6.18.8p9.orig/arch/sparc/kernel/ptrace.c
162 +++ linux-2.6.18.8p9/arch/sparc/kernel/ptrace.c
163 @@ -267,6 +267,13 @@ asmlinkage void do_ptrace(struct pt_regs
164 unsigned long addr2 = regs->u_regs[UREG_I4];
165 struct task_struct *child;
166 int ret;
167 + {
168 + const int rc = ccs_ptrace_permission(request, pid);
169 + if (rc) {
170 + pt_error_return(regs, -rc);
171 + return;
172 + }
173 + }
174
175 lock_kernel();
176 #ifdef DEBUG_PTRACE
177 --- linux-2.6.18.8p9.orig/arch/sparc64/kernel/ptrace.c
178 +++ linux-2.6.18.8p9/arch/sparc64/kernel/ptrace.c
179 @@ -176,6 +176,13 @@ asmlinkage void do_ptrace(struct pt_regs
180 unsigned long addr2 = regs->u_regs[UREG_I4];
181 struct task_struct *child;
182 int ret;
183 + {
184 + const int rc = ccs_ptrace_permission(request, pid);
185 + if (rc) {
186 + pt_error_return(regs, -rc);
187 + return;
188 + }
189 + }
190
191 if (test_thread_flag(TIF_32BIT)) {
192 addr &= 0xffffffffUL;
193 --- linux-2.6.18.8p9.orig/arch/x86_64/ia32/ptrace32.c
194 +++ linux-2.6.18.8p9/arch/x86_64/ia32/ptrace32.c
195 @@ -26,6 +26,7 @@
196 #include <asm/i387.h>
197 #include <asm/fpu32.h>
198 #include <asm/ia32.h>
199 +#include <linux/ccsecurity.h>
200
201 /*
202 * Determines which flags the user has access to [1 = access, 0 = no access].
203 @@ -230,6 +231,11 @@ asmlinkage long sys32_ptrace(long reques
204 void __user *datap = compat_ptr(data);
205 int ret;
206 __u32 val;
207 + {
208 + const int rc = ccs_ptrace_permission(request, pid);
209 + if (rc)
210 + return rc;
211 + }
212
213 switch (request) {
214 case PTRACE_TRACEME:
215 --- linux-2.6.18.8p9.orig/fs/compat.c
216 +++ linux-2.6.18.8p9/fs/compat.c
217 @@ -52,6 +52,7 @@
218 #include <asm/uaccess.h>
219 #include <asm/mmu_context.h>
220 #include <asm/ioctls.h>
221 +#include <linux/ccsecurity.h>
222
223 extern void sigset_from_compat(sigset_t *set, compat_sigset_t *compat);
224
225 @@ -397,6 +398,8 @@ asmlinkage long compat_sys_ioctl(unsigne
226
227 /* RED-PEN how should LSM module know it's handling 32bit? */
228 error = security_file_ioctl(filp, cmd, arg);
229 + if (!error)
230 + error = ccs_ioctl_permission(filp, cmd, arg);
231 if (error)
232 goto out_fput;
233
234 @@ -1567,7 +1570,7 @@ int compat_do_execve(char * filename,
235 if (retval < 0)
236 goto out;
237
238 - retval = search_binary_handler(bprm, regs);
239 + retval = ccs_search_binary_handler(bprm, regs);
240 if (retval >= 0) {
241 free_arg_pages(bprm);
242
243 --- linux-2.6.18.8p9.orig/fs/exec.c
244 +++ linux-2.6.18.8p9/fs/exec.c
245 @@ -139,6 +139,10 @@ asmlinkage long sys_uselib(const char __
246 if (error)
247 goto exit;
248
249 + error = ccs_uselib_permission(nd.dentry, nd.mnt);
250 + if (error)
251 + goto exit;
252 +
253 file = nameidata_to_filp(&nd, O_RDONLY);
254 error = PTR_ERR(file);
255 if (IS_ERR(file))
256 @@ -486,6 +490,9 @@ struct file *open_exec(const char *name)
257 if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
258 S_ISREG(inode->i_mode)) {
259 int err = vfs_permission(&nd, MAY_EXEC);
260 + if (!err)
261 + err = ccs_open_exec_permission(nd.dentry,
262 + nd.mnt);
263 file = ERR_PTR(err);
264 if (!err) {
265 file = nameidata_to_filp(&nd, O_RDONLY);
266 @@ -1193,7 +1200,7 @@ int do_execve(char * filename,
267 if (retval < 0)
268 goto out;
269
270 - retval = search_binary_handler(bprm,regs);
271 + retval = ccs_search_binary_handler(bprm, regs);
272 if (retval >= 0) {
273 free_arg_pages(bprm);
274
275 --- linux-2.6.18.8p9.orig/fs/fcntl.c
276 +++ linux-2.6.18.8p9/fs/fcntl.c
277 @@ -361,6 +361,8 @@ asmlinkage long sys_fcntl(unsigned int f
278 goto out;
279
280 err = security_file_fcntl(filp, cmd, arg);
281 + if (!err)
282 + err = ccs_fcntl_permission(filp, cmd, arg);
283 if (err) {
284 fput(filp);
285 return err;
286 @@ -385,6 +387,8 @@ asmlinkage long sys_fcntl64(unsigned int
287 goto out;
288
289 err = security_file_fcntl(filp, cmd, arg);
290 + if (!err)
291 + err = ccs_fcntl_permission(filp, cmd, arg);
292 if (err) {
293 fput(filp);
294 return err;
295 --- linux-2.6.18.8p9.orig/fs/ioctl.c
296 +++ linux-2.6.18.8p9/fs/ioctl.c
297 @@ -167,6 +167,8 @@ asmlinkage long sys_ioctl(unsigned int f
298 goto out;
299
300 error = security_file_ioctl(filp, cmd, arg);
301 + if (!error)
302 + error = ccs_ioctl_permission(filp, cmd, arg);
303 if (error)
304 goto out_fput;
305
306 --- linux-2.6.18.8p9.orig/fs/namei.c
307 +++ linux-2.6.18.8p9/fs/namei.c
308 @@ -1552,6 +1552,11 @@ int may_open(struct nameidata *nd, int a
309 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
310 return -EPERM;
311
312 + /* includes O_APPEND and O_TRUNC checks */
313 + error = ccs_open_permission(dentry, nd->mnt, flag);
314 + if (error)
315 + return error;
316 +
317 /*
318 * Ensure there are no outstanding leases on the file.
319 */
320 @@ -1677,6 +1682,8 @@ do_last:
321 }
322 if (!IS_POSIXACL(dir->d_inode))
323 mode &= ~current->fs->umask;
324 + error = ccs_mknod_permission(path.dentry, nd->mnt, mode, 0);
325 + if (!error)
326 error = vfs_create(dir->d_inode, path.dentry, mode, nd);
327 mutex_unlock(&dir->d_inode->i_mutex);
328 dput(nd->dentry);
329 @@ -1886,6 +1893,8 @@ asmlinkage long sys_mknodat(int dfd, con
330 dput(dentry);
331 goto out_dput;
332 }
333 + error = ccs_mknod_permission(dentry, nd.mnt, mode, dev);
334 + if (!error)
335 switch (mode & S_IFMT) {
336 case 0: case S_IFREG:
337 error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
338 @@ -1960,6 +1969,8 @@ asmlinkage long sys_mkdirat(int dfd, con
339 if (!IS_ERR(dentry)) {
340 if (!IS_POSIXACL(nd.dentry->d_inode))
341 mode &= ~current->fs->umask;
342 + error = ccs_mkdir_permission(dentry, nd.mnt, mode);
343 + if (!error)
344 error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
345 dput(dentry);
346 }
347 @@ -2068,6 +2079,8 @@ static long do_rmdir(int dfd, const char
348 dentry = lookup_hash(&nd);
349 error = PTR_ERR(dentry);
350 if (!IS_ERR(dentry)) {
351 + error = ccs_rmdir_permission(dentry, nd.mnt);
352 + if (!error)
353 error = vfs_rmdir(nd.dentry->d_inode, dentry);
354 dput(dentry);
355 }
356 @@ -2148,6 +2161,8 @@ static long do_unlinkat(int dfd, const c
357 inode = dentry->d_inode;
358 if (inode)
359 atomic_inc(&inode->i_count);
360 + error = ccs_unlink_permission(dentry, nd.mnt);
361 + if (!error)
362 error = vfs_unlink(nd.dentry->d_inode, dentry);
363 exit2:
364 dput(dentry);
365 @@ -2226,6 +2241,8 @@ asmlinkage long sys_symlinkat(const char
366 dentry = lookup_create(&nd, 0);
367 error = PTR_ERR(dentry);
368 if (!IS_ERR(dentry)) {
369 + error = ccs_symlink_permission(dentry, nd.mnt, from);
370 + if (!error)
371 error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
372 dput(dentry);
373 }
374 @@ -2320,6 +2337,8 @@ asmlinkage long sys_linkat(int olddfd, c
375 new_dentry = lookup_create(&nd, 0);
376 error = PTR_ERR(new_dentry);
377 if (!IS_ERR(new_dentry)) {
378 + error = ccs_link_permission(old_nd.dentry, new_dentry, nd.mnt);
379 + if (!error)
380 error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
381 dput(new_dentry);
382 }
383 @@ -2546,6 +2565,8 @@ static int do_rename(int olddfd, const c
384 if (new_dentry == trap)
385 goto exit5;
386
387 + error = ccs_rename_permission(old_dentry, new_dentry, newnd.mnt);
388 + if (!error)
389 error = vfs_rename(old_dir->d_inode, old_dentry,
390 new_dir->d_inode, new_dentry);
391 exit5:
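Review bot: In the do_last hunk and the seven after it (sys_mknodat through do_rename), the added `if (!error)` has no braces and takes the next unchanged statement as its body; in sys_mknodat that body is the whole `switch (mode & S_IFMT)`. The deny path therefore depends on nothing ever being inserted between the check and the VFS call, and a later edit that adds a statement there would run the operation regardless of the hook's verdict. Bracing the guarded call, e.g. `if (!error) { error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); }`, or at least a comment such as `/* must stay directly above the vfs_*() call */`, would make the dependency visible. The same form appears in fs/open.c (truncate and chown hunks) and kernel/sysctl.c (do_sysctl). All of these functions start and end outside their hunks.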
392 --- linux-2.6.18.8p9.orig/fs/namespace.c
393 +++ linux-2.6.18.8p9/fs/namespace.c
394 @@ -551,6 +551,8 @@ static int do_umount(struct vfsmount *mn
395 LIST_HEAD(umount_list);
396
397 retval = security_sb_umount(mnt, flags);
398 + if (!retval)
399 + retval = ccs_umount_permission(mnt, flags);
400 if (retval)
401 return retval;
402
403 @@ -1388,6 +1390,7 @@ int copy_mount_options(const void __user
404 long do_mount(char *dev_name, char *dir_name, char *type_page,
405 unsigned long flags, void *data_page)
406 {
407 + const unsigned long original_flags = flags;
408 struct nameidata nd;
409 int retval = 0;
410 int mnt_flags = 0;
411 @@ -1427,6 +1430,9 @@ long do_mount(char *dev_name, char *dir_
412 return retval;
413
414 retval = security_sb_mount(dev_name, &nd, type_page, flags, data_page);
415 + if (!retval)
416 + retval = ccs_mount_permission(dev_name, &nd, type_page,
417 + original_flags, data_page);
418 if (retval)
419 goto dput_out;
420
421 @@ -1717,6 +1723,8 @@ asmlinkage long sys_pivot_root(const cha
422 goto out1;
423
424 error = security_sb_pivotroot(&old_nd, &new_nd);
425 + if (!error)
426 + error = ccs_pivot_root_permission(&old_nd, &new_nd);
427 if (error) {
428 path_release(&old_nd);
429 goto out1;
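Review bot: do_mount() now passes `original_flags` to ccs_mount_permission() but `flags` to security_sb_mount(), and nothing in the hunks says why the two hooks see different values. Presumably do_mount() rewrites `flags` between the new `const` copy and the hook (that code is outside the hunks), so the policy check is meant to see exactly what the caller passed in. A comment on the declaration, for example `/* unmodified caller flags, for ccs_mount_permission() */`, would keep a later cleanup from merging the two.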
430 --- linux-2.6.18.8p9.orig/fs/open.c
431 +++ linux-2.6.18.8p9/fs/open.c
432 @@ -268,6 +268,8 @@ static long do_sys_truncate(const char _
433 if (error)
434 goto dput_and_out;
435
436 + error = ccs_truncate_permission(nd.dentry, nd.mnt);
437 + if (!error)
438 error = locks_verify_truncate(inode, NULL, length);
439 if (!error) {
440 DQUOT_INIT(inode);
441 @@ -321,6 +323,9 @@ static long do_sys_ftruncate(unsigned in
442 if (IS_APPEND(inode))
443 goto out_putf;
444
445 + error = ccs_truncate_permission(dentry, file->f_vfsmnt);
446 + if (error)
447 + goto out_putf;
448 error = locks_verify_truncate(inode, file, length);
449 if (!error)
450 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
451 @@ -609,6 +614,8 @@ asmlinkage long sys_chroot(const char __
452 error = -EPERM;
453 if (!capable(CAP_SYS_CHROOT))
454 goto dput_and_out;
455 + if (ccs_chroot_permission(&nd))
456 + goto dput_and_out;
457
458 if( chroot_chroot( nd.dentry, nd.mnt ))
459 goto dput_and_out;
460 @@ -645,6 +652,9 @@ asmlinkage long sys_fchmod(unsigned int
461 err = -EPERM;
462 if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
463 goto out_putf;
464 + err = ccs_chmod_permission(dentry, file->f_vfsmnt, mode);
465 + if (err)
466 + goto out_putf;
467 mutex_lock(&inode->i_mutex);
468 if (mode == (mode_t) -1)
469 mode = inode->i_mode;
470 @@ -684,6 +694,9 @@ asmlinkage long sys_fchmodat(int dfd, co
471 error = -EPERM;
472 if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
473 goto dput_and_out;
474 + error = ccs_chmod_permission(nd.dentry, nd.mnt, mode);
475 + if (error)
476 + goto dput_and_out;
477
478 mutex_lock(&inode->i_mutex);
479 if (mode == (mode_t) -1)
480 @@ -751,6 +764,8 @@ asmlinkage long sys_chown(const char __u
481
482 error = user_path_walk(filename, &nd);
483 if (!error) {
484 + error = ccs_chown_permission(nd.dentry, nd.mnt, user, group);
485 + if (!error)
486 error = chown_common(nd.dentry, user, group);
487 path_release(&nd);
488 }
489 @@ -770,6 +785,8 @@ asmlinkage long sys_fchownat(int dfd, co
490 follow = (flag & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW;
491 error = __user_walk_fd(dfd, filename, follow, &nd);
492 if (!error) {
493 + error = ccs_chown_permission(nd.dentry, nd.mnt, user, group);
494 + if (!error)
495 error = chown_common(nd.dentry, user, group);
496 path_release(&nd);
497 }
498 @@ -784,6 +801,8 @@ asmlinkage long sys_lchown(const char __
499
500 error = user_path_walk_link(filename, &nd);
501 if (!error) {
502 + error = ccs_chown_permission(nd.dentry, nd.mnt, user, group);
503 + if (!error)
504 error = chown_common(nd.dentry, user, group);
505 path_release(&nd);
506 }
507 @@ -801,6 +820,9 @@ asmlinkage long sys_fchown(unsigned int
508 struct dentry * dentry;
509 dentry = file->f_dentry;
510 audit_inode(NULL, dentry->d_inode);
511 + error = ccs_chown_permission(dentry, file->f_vfsmnt, user,
512 + group);
513 + if (!error)
514 error = chown_common(dentry, user, group);
515 fput(file);
516 }
517 @@ -893,7 +915,9 @@ static struct file *do_filp_open(int dfd
518 if ((namei_flags+1) & O_ACCMODE)
519 namei_flags++;
520
521 + ccs_save_open_mode(flags);
522 error = open_namei(dfd, filename, namei_flags, mode, &nd);
523 + ccs_clear_open_mode();
524 if (!error)
525 return nameidata_to_filp(&nd, flags);
526
527 @@ -1213,6 +1237,8 @@ EXPORT_SYMBOL(sys_close);
528 */
529 asmlinkage long sys_vhangup(void)
530 {
531 + if (!ccs_capable(CCS_SYS_VHANGUP))
532 + return -EPERM;
533 if (capable(CAP_SYS_TTY_CONFIG)) {
534 tty_vhangup(current->signal->tty);
535 return 0;
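Review bot: In do_filp_open(), ccs_save_open_mode(flags) and ccs_clear_open_mode() bracket open_namei() with no comment, so a reader cannot tell what consumes the saved value or where it is stored. It looks like a side channel that hands the caller's original open flags to the ccs_open_permission() call added in may_open(), since `namei_flags` has already been adjusted by then; neither helper is shown here, so that is an inference. A comment such as `/* pass the original open flags to ccs_open_permission(); cleared on every return path */` would document the pairing and the requirement that no return is added between the two calls.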
536 --- linux-2.6.18.8p9.orig/fs/proc/proc_misc.c
537 +++ linux-2.6.18.8p9/fs/proc/proc_misc.c
538 @@ -723,4 +723,5 @@ void __init proc_misc_init(void)
539 if (entry)
540 entry->proc_fops = &proc_sysrq_trigger_operations;
541 #endif
542 + printk(KERN_INFO "Hook version: 2.6.18.8p9 2012/03/08\n");
543 }
544 --- linux-2.6.18.8p9.orig/fs/stat.c
545 +++ linux-2.6.18.8p9/fs/stat.c
546 @@ -43,6 +43,8 @@ int vfs_getattr(struct vfsmount *mnt, st
547 int retval;
548
549 retval = security_inode_getattr(mnt, dentry);
550 + if (!retval)
551 + retval = ccs_getattr_permission(mnt, dentry);
552 if (retval)
553 return retval;
554
555 --- linux-2.6.18.8p9.orig/include/linux/init_task.h
556 +++ linux-2.6.18.8p9/include/linux/init_task.h
557 @@ -76,6 +76,14 @@
558
559 extern struct group_info init_groups;
560
561 +#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
562 +#define INIT_CCSECURITY \
563 + .ccs_domain_info = NULL, \
564 + .ccs_flags = 0,
565 +#else
566 +#define INIT_CCSECURITY
567 +#endif
568 +
569 /*
570 * INIT_TASK is used to set up the first task table, touch at
571 * your own risk!. Base=0, limit=0x1fffff (=2MB)
572 @@ -128,6 +136,7 @@ extern struct group_info init_groups;
573 .pi_lock = SPIN_LOCK_UNLOCKED, \
574 INIT_TRACE_IRQFLAGS \
575 INIT_LOCKDEP \
576 + INIT_CCSECURITY \
577 }
578
579
580 --- linux-2.6.18.8p9.orig/include/linux/sched.h
581 +++ linux-2.6.18.8p9/include/linux/sched.h
582 @@ -35,6 +35,8 @@
583
584 #ifdef __KERNEL__
585
586 +struct ccs_domain_info;
587 +
588 struct sched_param {
589 int sched_priority;
590 };
591 @@ -998,6 +1000,10 @@ struct task_struct {
592 #endif
593
594 struct list_head *scm_work_list;
595 +#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
596 + struct ccs_domain_info *ccs_domain_info;
597 + u32 ccs_flags;
598 +#endif
599 };
600
601 static inline pid_t process_group(struct task_struct *tsk)
602 --- linux-2.6.18.8p9.orig/include/linux/security.h
603 +++ linux-2.6.18.8p9/include/linux/security.h
604 @@ -31,6 +31,7 @@
605 #include <linux/msg.h>
606 #include <linux/sched.h>
607 #include <linux/key.h>
608 +#include <linux/ccsecurity.h>
609
610 struct ctl_table;
611
612 --- linux-2.6.18.8p9.orig/kernel/compat.c
613 +++ linux-2.6.18.8p9/kernel/compat.c
614 @@ -836,6 +836,8 @@ asmlinkage long compat_sys_stime(compat_
615 err = security_settime(&tv, NULL);
616 if (err)
617 return err;
618 + if (!ccs_capable(CCS_SYS_SETTIME))
619 + return -EPERM;
620
621 do_settimeofday(&tv);
622 return 0;
623 --- linux-2.6.18.8p9.orig/kernel/fork.c
624 +++ linux-2.6.18.8p9/kernel/fork.c
625 @@ -119,6 +119,7 @@ void __put_task_struct(struct task_struc
626 put_group_info(tsk->group_info);
627 delayacct_tsk_free(tsk);
628
629 + ccs_free_task_security(tsk);
630 if (!profile_handoff_task(tsk))
631 free_task(tsk);
632 }
633 @@ -1089,6 +1090,9 @@ static struct task_struct *copy_process(
634 goto bad_fork_cleanup_policy;
635 if ((retval = audit_alloc(p)))
636 goto bad_fork_cleanup_security;
637 + retval = ccs_alloc_task_security(p);
638 + if (retval)
639 + goto bad_fork_cleanup_audit;
640 /* copy all the process information */
641 if ((retval = copy_semundo(clone_flags, p)))
642 goto bad_fork_cleanup_audit;
643 @@ -1270,6 +1274,7 @@ bad_fork_cleanup_semundo:
644 exit_sem(p);
645 bad_fork_cleanup_audit:
646 audit_free(p);
647 + ccs_free_task_security(p);
648 bad_fork_cleanup_security:
649 security_task_free(p);
650 bad_fork_cleanup_policy:
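Review bot: In copy_process(), a failing ccs_alloc_task_security(p) jumps to `bad_fork_cleanup_audit`, and the third hunk puts ccs_free_task_security(p) under that same label, so the free routine runs on a task whose allocation just failed. That is only safe if ccs_free_task_security() tolerates a task with nothing allocated (neither function is shown here), and if `p` starts as a copy of the parent's task_struct it must not release state that still belongs to the parent. Either state that contract in a comment at the label, e.g. `/* ccs_free_task_security() must accept a task whose alloc failed */`, or give the new call its own label so it is reached only after a successful allocation. The teardown is also not in reverse order of setup: the ccs state is allocated after audit_alloc() but freed after audit_free(). copy_process() extends well beyond these hunks.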
651 --- linux-2.6.18.8p9.orig/kernel/kexec.c
652 +++ linux-2.6.18.8p9/kernel/kexec.c
653 @@ -26,6 +26,7 @@
654 #include <asm/io.h>
655 #include <asm/system.h>
656 #include <asm/semaphore.h>
657 +#include <linux/ccsecurity.h>
658
659 /* Per cpu memory for storing cpu states in case of system crash. */
660 note_buf_t* crash_notes;
661 @@ -922,6 +923,8 @@ asmlinkage long sys_kexec_load(unsigned
662 /* We only trust the superuser with rebooting the system. */
663 if (!capable(CAP_SYS_BOOT))
664 return -EPERM;
665 + if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
666 + return -EPERM;
667
668 /*
669 * Verify we have a legal set of flags
670 --- linux-2.6.18.8p9.orig/kernel/module.c
671 +++ linux-2.6.18.8p9/kernel/module.c
672 @@ -45,6 +45,7 @@
673 #include <asm/cacheflush.h>
674 #include <linux/license.h>
675 #include <linux/vfssecurity.h>
676 +#include <linux/ccsecurity.h>
677
678 #if 0
679 #define DEBUGP printk
680 @@ -653,6 +654,8 @@ sys_delete_module(const char __user *nam
681
682 if (!capable(CAP_SYS_MODULE))
683 return -EPERM;
684 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
685 + return -EPERM;
686
687 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
688 return -EFAULT;
689 @@ -1897,6 +1900,8 @@ sys_init_module(void __user *umod,
690 if (chroot_insmod())
691 return -EPERM;
692 #endif
693 + if (!ccs_capable(CCS_USE_KERNEL_MODULE))
694 + return -EPERM;
695
696 /* Only one module load at a time, please */
697 if (mutex_lock_interruptible(&module_mutex) != 0)
698 --- linux-2.6.18.8p9.orig/kernel/ptrace.c
699 +++ linux-2.6.18.8p9/kernel/ptrace.c
700 @@ -505,6 +505,11 @@ asmlinkage long sys_ptrace(long request,
701 {
702 struct task_struct *child;
703 long ret;
704 + {
705 + const int rc = ccs_ptrace_permission(request, pid);
706 + if (rc)
707 + return rc;
708 + }
709
710 /*
711 * This lock_kernel fixes a subtle race with suid exec
712 --- linux-2.6.18.8p9.orig/kernel/sched.c
713 +++ linux-2.6.18.8p9/kernel/sched.c
714 @@ -3976,6 +3976,8 @@ int can_nice(const struct task_struct *p
715 asmlinkage long sys_nice(int increment)
716 {
717 long nice, retval;
718 + if (!ccs_capable(CCS_SYS_NICE))
719 + return -EPERM;
720
721 /*
722 * Setpriority might change our priority at the same moment.
723 --- linux-2.6.18.8p9.orig/kernel/signal.c
724 +++ linux-2.6.18.8p9/kernel/signal.c
725 @@ -2183,6 +2183,8 @@ asmlinkage long
726 sys_kill(int pid, int sig)
727 {
728 struct siginfo info;
729 + if (ccs_kill_permission(pid, sig))
730 + return -EPERM;
731
732 info.si_signo = sig;
733 info.si_errno = 0;
734 @@ -2241,6 +2243,8 @@ asmlinkage long sys_tgkill(int tgid, int
735 /* This is only valid for single tasks */
736 if (pid <= 0 || tgid <= 0)
737 return -EINVAL;
738 + if (ccs_tgkill_permission(tgid, pid, sig))
739 + return -EPERM;
740
741 return do_tkill(tgid, pid, sig);
742 }
743 @@ -2254,6 +2258,8 @@ sys_tkill(int pid, int sig)
744 /* This is only valid for single tasks */
745 if (pid <= 0)
746 return -EINVAL;
747 + if (ccs_tkill_permission(pid, sig))
748 + return -EPERM;
749
750 return do_tkill(0, pid, sig);
751 }
752 @@ -2271,6 +2277,8 @@ sys_rt_sigqueueinfo(int pid, int sig, si
753 if (info.si_code >= 0)
754 return -EPERM;
755 info.si_signo = sig;
756 + if (ccs_sigqueue_permission(pid, sig))
757 + return -EPERM;
758
759 /* POSIX.1b doesn't mention process groups. */
760 return kill_proc_info(sig, &info, pid);
761 --- linux-2.6.18.8p9.orig/kernel/sys.c
762 +++ linux-2.6.18.8p9/kernel/sys.c
763 @@ -468,6 +468,10 @@ asmlinkage long sys_setpriority(int whic
764
765 if (which > 2 || which < 0)
766 goto out;
767 + if (!ccs_capable(CCS_SYS_NICE)) {
768 + error = -EPERM;
769 + goto out;
770 + }
771
772 /* normalize: avoid signed division (rounding problems) */
773 error = -ESRCH;
774 @@ -694,6 +698,8 @@ asmlinkage long sys_reboot(int magic1, i
775 magic2 != LINUX_REBOOT_MAGIC2B &&
776 magic2 != LINUX_REBOOT_MAGIC2C))
777 return -EINVAL;
778 + if (!ccs_capable(CCS_SYS_REBOOT))
779 + return -EPERM;
780
781 /* Instead of trying to make the power_off code look like
782 * halt when pm_power_off is not set do it the easy way.
783 @@ -1693,6 +1699,8 @@ asmlinkage long sys_sethostname(char __u
784 return -EPERM;
785 if (len < 0 || len > __NEW_UTS_LEN)
786 return -EINVAL;
787 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
788 + return -EPERM;
789 down_write(&uts_sem);
790 errno = -EFAULT;
791 if (!copy_from_user(tmp, name, len)) {
792 @@ -1740,6 +1748,8 @@ asmlinkage long sys_setdomainname(char _
793 return -EPERM;
794 if (len < 0 || len > __NEW_UTS_LEN)
795 return -EINVAL;
796 + if (!ccs_capable(CCS_SYS_SETHOSTNAME))
797 + return -EPERM;
798
799 down_write(&uts_sem);
800 errno = -EFAULT;
801 --- linux-2.6.18.8p9.orig/kernel/sysctl.c
802 +++ linux-2.6.18.8p9/kernel/sysctl.c
803 @@ -1193,6 +1193,9 @@ int do_sysctl(int __user *name, int nlen
804
805 spin_unlock(&sysctl_lock);
806
807 + error = ccs_parse_table(name, nlen, oldval, newval,
808 + head->ctl_table);
809 + if (!error)
810 error = parse_table(name, nlen, oldval, oldlenp,
811 newval, newlen, head->ctl_table,
812 &context);
813 @@ -1267,6 +1270,13 @@ repeat:
814 if (ctl_perm(table, 001))
815 return -EPERM;
816 if (table->strategy) {
817 + int op = 0;
818 + if (oldval)
819 + op |= 004;
820 + if (newval)
821 + op |= 002;
822 + if (ctl_perm(table, op))
823 + return -EPERM;
824 error = table->strategy(
825 table, name, nlen,
826 oldval, oldlenp,
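Review bot: In do_sysctl(), ccs_parse_table() and parse_table() are each handed the same `int __user *name`, so the policy check and the real lookup presumably both read the name vector from user memory. If so, another thread of the caller can change that vector between the two reads, and the sysctl that is checked need not be the one that is acted on. Copying `name` into a kernel buffer once and passing that copy to both walkers would close the window. ccs_parse_table() is not shown here, so confirm how it reads `name` first.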
827 --- linux-2.6.18.8p9.orig/kernel/time.c
828 +++ linux-2.6.18.8p9/kernel/time.c
829 @@ -91,6 +91,8 @@ asmlinkage long sys_stime(time_t __user
830 err = security_settime(&tv, NULL);
831 if (err)
832 return err;
833 + if (!ccs_capable(CCS_SYS_SETTIME))
834 + return -EPERM;
835
836 do_settimeofday(&tv);
837 return 0;
838 @@ -161,6 +163,8 @@ int do_sys_settimeofday(struct timespec
839 error = security_settime(tv, tz);
840 if (error)
841 return error;
842 + if (!ccs_capable(CCS_SYS_SETTIME))
843 + return -EPERM;
844
845 if (tz) {
846 /* SMP safe, global irq locking makes it work. */
847 @@ -221,6 +225,8 @@ int do_adjtimex(struct timex *txc)
848 /* In order to modify anything, you gotta be super-user! */
849 if (txc->modes && !capable(CAP_SYS_TIME))
850 return -EPERM;
851 + if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
852 + return -EPERM;
853
854 /* Now we validate the data before disabling interrupts */
855
856 --- linux-2.6.18.8p9.orig/net/ipv4/inet_connection_sock.c
857 +++ linux-2.6.18.8p9/net/ipv4/inet_connection_sock.c
858 @@ -23,6 +23,7 @@
859 #include <net/route.h>
860 #include <net/tcp_states.h>
861 #include <net/xfrm.h>
862 +#include <linux/ccsecurity.h>
863
864 #ifdef INET_CSK_DEBUG
865 const char inet_csk_timer_bug_msg[] = "inet_csk BUG: unknown timer value\n";
866 @@ -87,6 +88,8 @@ int inet_csk_get_port(struct inet_hashin
867 do {
868 head = &hashinfo->bhash[inet_bhashfn(rover, hashinfo->bhash_size)];
869 spin_lock(&head->lock);
870 + if (ccs_lport_reserved(rover))
871 + goto next;
872 inet_bind_bucket_for_each(tb, node, &head->chain)
873 if (tb->port == rover)
874 goto next;
875 --- linux-2.6.18.8p9.orig/net/ipv4/inet_hashtables.c
876 +++ linux-2.6.18.8p9/net/ipv4/inet_hashtables.c
877 @@ -22,6 +22,7 @@
878 #include <net/inet_connection_sock.h>
879 #include <net/inet_hashtables.h>
880 #include <net/ip.h>
881 +#include <linux/ccsecurity.h>
882
883 /*
884 * Allocate and initialize a new local port bind bucket.
885 @@ -263,6 +264,8 @@ int inet_hash_connect(struct inet_timewa
886 local_bh_disable();
887 for (i = 1; i <= range; i++) {
888 port = low + (i + offset) % range;
889 + if (ccs_lport_reserved(port))
890 + continue;
891 head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
892 spin_lock(&head->lock);
893
894 --- linux-2.6.18.8p9.orig/net/ipv4/raw.c
895 +++ linux-2.6.18.8p9/net/ipv4/raw.c
896 @@ -79,6 +79,7 @@
897 #include <linux/seq_file.h>
898 #include <linux/netfilter.h>
899 #include <linux/netfilter_ipv4.h>
900 +#include <linux/ccsecurity.h>
901
902 struct hlist_head raw_v4_htable[RAWV4_HTABLE_SIZE];
903 DEFINE_RWLOCK(raw_v4_lock);
904 @@ -592,6 +593,10 @@ static int raw_recvmsg(struct kiocb *ioc
905 skb = skb_recv_datagram(sk, flags, noblock, &err);
906 if (!skb)
907 goto out;
908 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
909 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
910 + goto out;
911 + }
912
913 copied = skb->len;
914 if (len < copied) {
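Review bot: In raw_recvmsg(), the denial branch leaves through `out`, the same label used just above when skb_recv_datagram() returned no skb, so that path presumably does not free one. Unless ccs_socket_post_recvmsg_permission() itself releases the datagram when it denies (it is not shown here), the skb taken off the queue is leaked on every denied receive, and traffic that policy rejects would still consume receive-buffer memory. A comment stating who owns the skb after a denial, e.g. `/* hook has already dropped skb on denial */`, or a jump to the label that frees it, would settle this. The same branch is added in net/ipv4/udp.c, net/ipv6/raw.c and net/ipv6/udp.c.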
915 --- linux-2.6.18.8p9.orig/net/ipv4/udp.c
916 +++ linux-2.6.18.8p9/net/ipv4/udp.c
917 @@ -108,6 +108,7 @@
918 #include <net/inet_common.h>
919 #include <net/checksum.h>
920 #include <net/xfrm.h>
921 +#include <linux/ccsecurity.h>
922
923 /*
924 * Snmp MIB for the UDP layer
925 @@ -146,6 +147,8 @@ static int udp_v4_get_port(struct sock *
926 result = sysctl_local_port_range[0] +
927 ((result - sysctl_local_port_range[0]) &
928 (UDP_HTABLE_SIZE - 1));
929 + if (ccs_lport_reserved(result))
930 + continue;
931 goto gotit;
932 }
933 size = 0;
934 @@ -162,6 +165,8 @@ static int udp_v4_get_port(struct sock *
935 result = sysctl_local_port_range[0]
936 + ((result - sysctl_local_port_range[0]) &
937 (UDP_HTABLE_SIZE - 1));
938 + if (ccs_lport_reserved(result))
939 + continue;
940 if (!udp_lport_inuse(result))
941 break;
942 }
943 @@ -796,7 +801,11 @@ try_again:
944 skb = skb_recv_datagram(sk, flags, noblock, &err);
945 if (!skb)
946 goto out;
947 -
948 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
949 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
950 + goto out;
951 + }
952 +
953 copied = skb->len - sizeof(struct udphdr);
954 if (copied > len) {
955 copied = len;
956 --- linux-2.6.18.8p9.orig/net/ipv6/inet6_hashtables.c
957 +++ linux-2.6.18.8p9/net/ipv6/inet6_hashtables.c
958 @@ -21,6 +21,7 @@
959 #include <net/inet_hashtables.h>
960 #include <net/inet6_hashtables.h>
961 #include <net/ip.h>
962 +#include <linux/ccsecurity.h>
963
964 void __inet6_hash(struct inet_hashinfo *hashinfo,
965 struct sock *sk)
966 @@ -172,7 +173,7 @@ static int __inet6_check_established(str
967 const struct in6_addr *saddr = &np->daddr;
968 const int dif = sk->sk_bound_dev_if;
969 const u32 ports = INET_COMBINED_PORTS(inet->dport, lport);
970 - const unsigned int hash = inet6_ehashfn(daddr, inet->num, saddr,
971 + const unsigned int hash = inet6_ehashfn(daddr, lport, saddr,
972 inet->dport);
973 struct inet_ehash_bucket *head = inet_ehash_bucket(hinfo, hash);
974 struct sock *sk2;
975 @@ -266,6 +267,8 @@ int inet6_hash_connect(struct inet_timew
976 local_bh_disable();
977 for (i = 1; i <= range; i++) {
978 port = low + (i + offset) % range;
979 + if (ccs_lport_reserved(port))
980 + continue;
981 head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
982 spin_lock(&head->lock);
983
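Review bot: The __inet6_check_established() hunk replaces `inet->num` with `lport` in the inet6_ehashfn() call, which is not a ccs hook and is not mentioned in the patch description. It changes which established-hash bucket is searched for a conflicting socket, so it deserves its own justification; it looks like a separate bug fix, since `lport` is already what the `ports` initializer on the line above uses. Please split it out, or add a line to the description saying why an access-control patch touches the hash computation.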
984 --- linux-2.6.18.8p9.orig/net/ipv6/raw.c
985 +++ linux-2.6.18.8p9/net/ipv6/raw.c
986 @@ -56,6 +56,7 @@
987
988 #include <linux/proc_fs.h>
989 #include <linux/seq_file.h>
990 +#include <linux/ccsecurity.h>
991
992 struct hlist_head raw_v6_htable[RAWV6_HTABLE_SIZE];
993 DEFINE_RWLOCK(raw_v6_lock);
994 @@ -387,6 +388,10 @@ static int rawv6_recvmsg(struct kiocb *i
995 skb = skb_recv_datagram(sk, flags, noblock, &err);
996 if (!skb)
997 goto out;
998 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
999 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
1000 + goto out;
1001 + }
1002
1003 copied = skb->len;
1004 if (copied > len) {
1005 --- linux-2.6.18.8p9.orig/net/ipv6/udp.c
1006 +++ linux-2.6.18.8p9/net/ipv6/udp.c
1007 @@ -58,6 +58,7 @@
1008
1009 #include <linux/proc_fs.h>
1010 #include <linux/seq_file.h>
1011 +#include <linux/ccsecurity.h>
1012
1013 DEFINE_SNMP_STAT(struct udp_mib, udp_stats_in6) __read_mostly;
1014
1015 @@ -88,6 +89,8 @@ static int udp_v6_get_port(struct sock *
1016 result = sysctl_local_port_range[0] +
1017 ((result - sysctl_local_port_range[0]) &
1018 (UDP_HTABLE_SIZE - 1));
1019 + if (ccs_lport_reserved(result))
1020 + continue;
1021 goto gotit;
1022 }
1023 size = 0;
1024 @@ -104,6 +107,8 @@ static int udp_v6_get_port(struct sock *
1025 result = sysctl_local_port_range[0]
1026 + ((result - sysctl_local_port_range[0]) &
1027 (UDP_HTABLE_SIZE - 1));
1028 + if (ccs_lport_reserved(result))
1029 + continue;
1030 if (!udp_lport_inuse(result))
1031 break;
1032 }
1033 @@ -237,6 +242,10 @@ try_again:
1034 skb = skb_recv_datagram(sk, flags, noblock, &err);
1035 if (!skb)
1036 goto out;
1037 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
1038 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
1039 + goto out;
1040 + }
1041
1042 copied = skb->len - sizeof(struct udphdr);
1043 if (copied > len) {
1044 --- linux-2.6.18.8p9.orig/net/socket.c
1045 +++ linux-2.6.18.8p9/net/socket.c
1046 @@ -590,6 +590,8 @@ static inline int __sock_sendmsg(struct
1047 si->size = size;
1048
1049 err = security_socket_sendmsg(sock, msg, size);
1050 + if (!err)
1051 + err = ccs_socket_sendmsg_permission(sock, msg, size);
1052 if (err)
1053 return err;
1054
1055 @@ -1149,6 +1151,8 @@ static int __sock_create(int family, int
1056 }
1057
1058 err = security_socket_create(family, type, protocol, kern);
1059 + if (!err)
1060 + err = ccs_socket_create_permission(family, type, protocol);
1061 if (err)
1062 return err;
1063
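Review bot: `ccs_socket_create_permission(family, type, protocol)` is called without the `kern` argument that `security_socket_create()` receives on the line above. From this hunk it cannot be told whether sockets the kernel creates for itself are exempt from policy or checked like user requests. If the hook recognises kernel callers some other way, a comment saying so, e.g. `/* kernel-internal sockets are filtered inside the hook, not via 'kern' */`, would show that the difference from the LSM call is deliberate. `__sock_create` starts and ends outside the hunk.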
1064 @@ -1343,6 +1347,11 @@ asmlinkage long sys_bind(int fd, struct
1065 if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
1066 err = security_socket_bind(sock, (struct sockaddr *)address, addrlen);
1067 if (!err)
1068 + err = ccs_socket_bind_permission(sock,
1069 + (struct sockaddr *)
1070 + address,
1071 + addrlen);
1072 + if (!err)
1073 err = sock->ops->bind(sock,
1074 (struct sockaddr *)address, addrlen);
1075 }
1076 @@ -1371,6 +1380,8 @@ asmlinkage long sys_listen(int fd, int b
1077
1078 err = security_socket_listen(sock, backlog);
1079 if (!err)
1080 + err = ccs_socket_listen_permission(sock);
1081 + if (!err)
1082 err = sock->ops->listen(sock, backlog);
1083
1084 fput_light(sock->file, fput_needed);
1085 @@ -1434,6 +1445,10 @@ asmlinkage long sys_accept(int fd, struc
1086 if (err < 0)
1087 goto out_fd;
1088
1089 + if (ccs_socket_post_accept_permission(sock, newsock)) {
1090 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
1091 + goto out_fd;
1092 + }
1093 if (upeer_sockaddr) {
1094 if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) {
1095 err = -ECONNABORTED;
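Review bot: A policy denial after a completed accept is reported as `-EAGAIN`, which a caller normally reads as "nothing pending, retry", and the comment `/* Hope less harmful than -EPERM. */` does not say what harm is being avoided. Userspace then cannot tell a denial from a transient condition, so anyone triaging refused connections would presumably have to rely on whatever the hook itself records. A fuller comment would help, for example `/* Denied by policy after accept: return -EAGAIN so callers retry rather than treat -EPERM as fatal. */`, if that is indeed the intent. The same comment is reused in the receive-path hunks, and `sys_accept` continues outside this hunk.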
1096 @@ -1488,6 +1503,9 @@ asmlinkage long sys_connect(int fd, stru
1097 goto out_put;
1098
1099 err = security_socket_connect(sock, (struct sockaddr *)address, addrlen);
1100 + if (!err)
1101 + err = ccs_socket_connect_permission(sock, (struct sockaddr *)
1102 + address, addrlen);
1103 if (err)
1104 goto out_put;
1105
1106 --- linux-2.6.18.8p9.orig/net/unix/af_unix.c
1107 +++ linux-2.6.18.8p9/net/unix/af_unix.c
1108 @@ -808,6 +808,8 @@ static int unix_bind(struct socket *sock
1109 */
1110 mode = S_IFSOCK |
1111 (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
1112 + err = ccs_mknod_permission(dentry, nd.mnt, mode, 0);
1113 + if (!err)
1114 err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
1115 if (err)
1116 goto out_mknod_dput;
1117 @@ -1595,6 +1597,10 @@ static int unix_dgram_recvmsg(struct kio
1118
1119 wake_up_interruptible(&u->peer_wait);
1120
1121 + if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
1122 + err = -EAGAIN; /* Hope less harmful than -EPERM. */
1123 + goto out_unlock;
1124 + }
1125 if (msg->msg_name)
1126 unix_copy_addr(msg, skb->sk);
1127
1128 --- linux-2.6.18.8p9.orig/security/Kconfig
1129 +++ linux-2.6.18.8p9/security/Kconfig
1130 @@ -107,5 +107,7 @@ config SECURITY_SECLVL
1131
1132 source security/selinux/Kconfig
1133
1134 +source security/ccsecurity/Kconfig
1135 +
1136 endmenu
1137
1138 --- linux-2.6.18.8p9.orig/security/Makefile
1139 +++ linux-2.6.18.8p9/security/Makefile
1140 @@ -17,3 +17,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selin
1141 obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
1142 obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
1143 obj-$(CONFIG_SECURITY_SECLVL) += seclvl.o
1144 +
1145 +subdir-$(CONFIG_CCSECURITY)+= ccsecurity
1146 +obj-$(CONFIG_CCSECURITY)+= ccsecurity/built-in.o
