Diffstat (limited to 'vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch')
-rw-r--r--vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch220
1 files changed, 220 insertions, 0 deletions
diff --git a/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch b/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch
new file mode 100644
index 0000000..1de8d90
--- /dev/null
+++ b/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch
@@ -0,0 +1,220 @@
+Index: linux-2.6.15/fs/namespace.c
+===================================================================
+--- linux-2.6.15.orig/fs/namespace.c
++++ linux-2.6.15/fs/namespace.c
+@@ -671,7 +671,7 @@ asmlinkage long sys_umount(char __user *
+ goto dput_and_out;
+
+ retval = -EPERM;
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ goto dput_and_out;
+
+ retval = do_umount(nd.mnt, flags);
+@@ -695,9 +695,7 @@ asmlinkage long sys_oldumount(char __use
+
+ static int mount_is_safe(struct nameidata *nd)
+ {
+- if (capable(CAP_SYS_ADMIN))
+- return 0;
+- if (vx_ccaps(VXC_SECURE_MOUNT))
++ if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return 0;
+ return -EPERM;
+ #ifdef notyet
+@@ -989,7 +987,7 @@ static int do_remount(struct nameidata *
+ int err;
+ struct super_block *sb = nd->mnt->mnt_sb;
+
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
+ return -EPERM;
+
+ if (!check_mnt(nd->mnt))
+@@ -1023,7 +1021,7 @@ static int do_move_mount(struct nameidat
+ struct nameidata old_nd, parent_nd;
+ struct vfsmount *p;
+ int err = 0;
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return -EPERM;
+ if (!old_name || !*old_name)
+ return -EINVAL;
+@@ -1103,7 +1101,7 @@ static int do_new_mount(struct nameidata
+ return -EINVAL;
+
+ /* we need capabilities... */
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return -EPERM;
+
+ mnt = do_kern_mount(type, flags, name, data);
+@@ -1421,7 +1419,7 @@ int copy_namespace(int flags, struct tas
+ if (!(flags & CLONE_NEWNS))
+ return 0;
+
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
+ put_namespace(namespace);
+ return -EPERM;
+ }
+Index: linux-2.6.15/fs/quota.c
+===================================================================
+--- linux-2.6.15.orig/fs/quota.c
++++ linux-2.6.15/fs/quota.c
+@@ -83,11 +83,11 @@ static int generic_quotactl_valid(struct
+ if (cmd == Q_GETQUOTA) {
+ if (((type == USRQUOTA && current->euid != id) ||
+ (type == GRPQUOTA && !in_egroup_p(id))) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ }
+ else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+
+ return 0;
+@@ -134,10 +134,10 @@ static int xqm_quotactl_valid(struct sup
+ if (cmd == Q_XGETQUOTA) {
+ if (((type == XQM_USRQUOTA && current->euid != id) ||
+ (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ } else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ }
+
+Index: linux-2.6.15/fs/super.c
+===================================================================
+--- linux-2.6.15.orig/fs/super.c
++++ linux-2.6.15/fs/super.c
+@@ -815,7 +815,7 @@ do_kern_mount(const char *fstype, int fl
+
+ sb = ERR_PTR(-EPERM);
+ if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
++ !vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
+ goto out;
+
+ sb = ERR_PTR(-ENOMEM);
+Index: linux-2.6.15/include/linux/vs_base.h
+===================================================================
+--- linux-2.6.15.orig/include/linux/vs_base.h
++++ linux-2.6.15/include/linux/vs_base.h
+@@ -98,6 +98,9 @@ static inline int __vx_check(xid_t cid,
+ (current->vx_info && \
+ (current->vx_info->vx_initpid == (n)))
+
++#define vx_capable(b,c) (capable(b) || \
++ ((current->euid == 0) && vx_ccaps(c)))
++
+
+ #else
+ #warning duplicate inclusion
+Index: linux-2.6.15/kernel/sys.c
+===================================================================
+--- linux-2.6.15.orig/kernel/sys.c
++++ linux-2.6.15/kernel/sys.c
+@@ -1531,7 +1531,7 @@ asmlinkage long sys_sethostname(char __u
+ int errno;
+ char tmp[__NEW_UTS_LEN];
+
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ return -EPERM;
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+@@ -1580,7 +1580,7 @@ asmlinkage long sys_setdomainname(char _
+ int errno;
+ char tmp[__NEW_UTS_LEN];
+
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ return -EPERM;
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+@@ -1648,7 +1648,7 @@ asmlinkage long sys_setrlimit(unsigned i
+ return -EINVAL;
+ old_rlim = current->signal->rlim + resource;
+ if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
+- !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
++ !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
+ return -EPERM;
+ if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
+ return -EPERM;
+Index: linux-2.6.15/security/commoncap.c
+===================================================================
+--- linux-2.6.15.orig/security/commoncap.c
++++ linux-2.6.15/security/commoncap.c
+@@ -312,7 +312,7 @@ void cap_task_reparent_to_init (struct t
+ int cap_syslog (int type)
+ {
+ if ((type != 3 && type != 10) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
++ !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
+ return -EPERM;
+ return 0;
+ }
+Index: linux-2.6.15/security/security.c
+===================================================================
+--- linux-2.6.15.orig/security/security.c
++++ linux-2.6.15/security/security.c
+@@ -197,24 +197,10 @@ int capable(int cap)
+ return 1;
+ }
+
+-int vx_capable(int cap, int ccap)
+-{
+- if (security_ops->capable(current, cap)) {
+- /* capability denied */
+- return 0;
+- }
+- if (!vx_ccaps(ccap))
+- return 0;
+-
+- /* capability granted */
+- current->flags |= PF_SUPERPRIV;
+- return 1;
+-}
+
+ EXPORT_SYMBOL_GPL(register_security);
+ EXPORT_SYMBOL_GPL(unregister_security);
+ EXPORT_SYMBOL_GPL(mod_reg_security);
+ EXPORT_SYMBOL_GPL(mod_unreg_security);
+ EXPORT_SYMBOL(capable);
+-EXPORT_SYMBOL(vx_capable);
+ EXPORT_SYMBOL(security_ops);
+Index: linux-2.6.15/include/linux/sched.h
+===================================================================
+--- linux-2.6.15.orig/include/linux/sched.h
++++ linux-2.6.15/include/linux/sched.h
+@@ -1125,7 +1125,6 @@ static inline int sas_ss_flags(unsigned
+ #ifdef CONFIG_SECURITY
+ /* code is in security.c */
+ extern int capable(int cap);
+-extern int vx_capable(int cap, int ccap);
+ #else
+ static inline int capable(int cap)
+ {
+@@ -1137,16 +1136,6 @@ static inline int capable(int cap)
+ }
+ return 0;
+ }
+-
+-static inline int vx_capable(int cap, int ccap)
+-{
+- if (cap_raised(current->cap_effective, cap) &&
+- vx_ccaps(ccap)) {
+- current->flags |= PF_SUPERPRIV;
+- return 1;
+- }
+- return 0;
+-}
+ #endif
+
+ /*
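Review bot: The replacement `vx_capable(b,c)` macro added in the include/linux/vs_base.h hunk no longer sets `current->flags |= PF_SUPERPRIV` when access is granted through the context-capability path, whereas both removed implementations (security/security.c and the CONFIG_SECURITY-less inline in include/linux/sched.h) did, so privilege granted via vx_ccaps() stops being recorded in the task flags the way capable() records it; if that flag is still relied on for accounting, the macro should become a static inline that restores it (below). The new macro also adds an `euid == 0` requirement that none of the previous inline `!capable(...) && !vx_ccaps(...)` checks at the call sites had, which is a tightening worth stating in the patch header, since the patch file carries no description. As a point of style, a static inline is also preferable to a function-like macro here because it type-checks `cap`/`ccap` and cannot be affected by argument expansion. The macro's placement in vs_base.h presumably means every converted call site (fs/namespace.c, fs/quota.c, fs/super.c, kernel/sys.c, security/commoncap.c) already includes that header — worth confirming, since sched.h no longer declares vx_capable.
```c
static inline int vx_capable(int cap, int ccap)
{
	if (capable(cap))
		return 1;
	if ((current->euid == 0) && vx_ccaps(ccap)) {
		/* keep the accounting mark the removed implementations set */
		current->flags |= PF_SUPERPRIV;
		return 1;
	}
	return 0;
}
```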