Diffstat (limited to 'vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch')
-rw-r--r-- | vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch | 220 |
1 files changed, 220 insertions, 0 deletions
diff --git a/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch b/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch
new file mode 100644
index 0000000..1de8d90
--- /dev/null
+++ b/vserver-sources/2.0.1-r5/4915_vs2.0.1-vxcapable-fix.patch
@@ -0,0 +1,220 @@
+Index: linux-2.6.15/fs/namespace.c
+===================================================================
+--- linux-2.6.15.orig/fs/namespace.c
++++ linux-2.6.15/fs/namespace.c
+@@ -671,7 +671,7 @@ asmlinkage long sys_umount(char __user *
+ goto dput_and_out;
+ 
+ retval = -EPERM;
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ goto dput_and_out;
+ 
+ retval = do_umount(nd.mnt, flags);
+@@ -695,9 +695,7 @@ asmlinkage long sys_oldumount(char __use
+ 
+ static int mount_is_safe(struct nameidata *nd)
+ {
+- if (capable(CAP_SYS_ADMIN))
+- return 0;
+- if (vx_ccaps(VXC_SECURE_MOUNT))
++ if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return 0;
+ return -EPERM;
+ #ifdef notyet
+@@ -989,7 +987,7 @@ static int do_remount(struct nameidata *
+ int err;
+ struct super_block *sb = nd->mnt->mnt_sb;
+ 
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
+ return -EPERM;
+ 
+ if (!check_mnt(nd->mnt))
+@@ -1023,7 +1021,7 @@ static int do_move_mount(struct nameidat
+ struct nameidata old_nd, parent_nd;
+ struct vfsmount *p;
+ int err = 0;
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return -EPERM;
+ if (!old_name || !*old_name)
+ return -EINVAL;
+@@ -1103,7 +1101,7 @@ static int do_new_mount(struct nameidata
+ return -EINVAL;
+ 
+ /* we need capabilities... */
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return -EPERM;
+ 
+ mnt = do_kern_mount(type, flags, name, data);
+@@ -1421,7 +1419,7 @@ int copy_namespace(int flags, struct tas
+ if (!(flags & CLONE_NEWNS))
+ return 0;
+ 
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
+ put_namespace(namespace);
+ return -EPERM;
+ }
+Index: linux-2.6.15/fs/quota.c
+===================================================================
+--- linux-2.6.15.orig/fs/quota.c
++++ linux-2.6.15/fs/quota.c
+@@ -83,11 +83,11 @@ static int generic_quotactl_valid(struct
+ if (cmd == Q_GETQUOTA) {
+ if (((type == USRQUOTA && current->euid != id) ||
+ (type == GRPQUOTA && !in_egroup_p(id))) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ }
+ else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ 
+ return 0;
+@@ -134,10 +134,10 @@ static int xqm_quotactl_valid(struct sup
+ if (cmd == Q_XGETQUOTA) {
+ if (((type == XQM_USRQUOTA && current->euid != id) ||
+ (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ } else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ return -EPERM;
+ }
+ 
+Index: linux-2.6.15/fs/super.c
+===================================================================
+--- linux-2.6.15.orig/fs/super.c
++++ linux-2.6.15/fs/super.c
+@@ -815,7 +815,7 @@ do_kern_mount(const char *fstype, int fl
+ 
+ sb = ERR_PTR(-EPERM);
+ if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
++ !vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
+ goto out;
+ 
+ sb = ERR_PTR(-ENOMEM);
+Index: linux-2.6.15/include/linux/vs_base.h
+===================================================================
+--- linux-2.6.15.orig/include/linux/vs_base.h
++++ linux-2.6.15/include/linux/vs_base.h
+@@ -98,6 +98,9 @@ static inline int __vx_check(xid_t cid,
+ (current->vx_info && \
+ (current->vx_info->vx_initpid == (n)))
+ 
++#define vx_capable(b,c) (capable(b) || \
++ ((current->euid == 0) && vx_ccaps(c)))
++
+ 
+ #else
+ #warning duplicate inclusion
+Index: linux-2.6.15/kernel/sys.c
+===================================================================
+--- linux-2.6.15.orig/kernel/sys.c
++++ linux-2.6.15/kernel/sys.c
+@@ -1531,7 +1531,7 @@ asmlinkage long sys_sethostname(char __u
+ int errno;
+ char tmp[__NEW_UTS_LEN];
+ 
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ return -EPERM;
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+@@ -1580,7 +1580,7 @@ asmlinkage long sys_setdomainname(char _
+ int errno;
+ char tmp[__NEW_UTS_LEN];
+ 
+- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ return -EPERM;
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+@@ -1648,7 +1648,7 @@ asmlinkage long sys_setrlimit(unsigned i
+ return -EINVAL;
+ old_rlim = current->signal->rlim + resource;
+ if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
+- !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
++ !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
+ return -EPERM;
+ if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
+ return -EPERM;
+Index: linux-2.6.15/security/commoncap.c
+===================================================================
+--- linux-2.6.15.orig/security/commoncap.c
++++ linux-2.6.15/security/commoncap.c
+@@ -312,7 +312,7 @@ void cap_task_reparent_to_init (struct t
+ int cap_syslog (int type)
+ {
+ if ((type != 3 && type != 10) &&
+- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
++ !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
+ return -EPERM;
+ return 0;
+ }
+Index: linux-2.6.15/security/security.c
+===================================================================
+--- linux-2.6.15.orig/security/security.c
++++ linux-2.6.15/security/security.c
+@@ -197,24 +197,10 @@ int capable(int cap)
+ return 1;
+ }
+ 
+-int vx_capable(int cap, int ccap)
+-{
+- if (security_ops->capable(current, cap)) {
+- /* capability denied */
+- return 0;
+- }
+- if (!vx_ccaps(ccap))
+- return 0;
+-
+- /* capability granted */
+- current->flags |= PF_SUPERPRIV;
+- return 1;
+-}
+ 
+ EXPORT_SYMBOL_GPL(register_security);
+ EXPORT_SYMBOL_GPL(unregister_security);
+ EXPORT_SYMBOL_GPL(mod_reg_security);
+ EXPORT_SYMBOL_GPL(mod_unreg_security);
+ EXPORT_SYMBOL(capable);
+-EXPORT_SYMBOL(vx_capable);
+ EXPORT_SYMBOL(security_ops);
+Index: linux-2.6.15/include/linux/sched.h
+===================================================================
+--- linux-2.6.15.orig/include/linux/sched.h
++++ linux-2.6.15/include/linux/sched.h
+@@ -1125,7 +1125,6 @@ static inline int sas_ss_flags(unsigned
+ #ifdef CONFIG_SECURITY
+ /* code is in security.c */
+ extern int capable(int cap);
+-extern int vx_capable(int cap, int ccap);
+ #else
+ static inline int capable(int cap)
+ {
+@@ -1137,16 +1136,6 @@ static inline int capable(int cap)
+ }
+ return 0;
+ }
+-
+-static inline int vx_capable(int cap, int ccap)
+-{
+- if (cap_raised(current->cap_effective, cap) &&
+- vx_ccaps(ccap)) {
+- current->flags |= PF_SUPERPRIV;
+- return 1;
+- }
+- return 0;
+-}
+ #endif
+ 
+ /* |
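Review bot: The new `vx_capable(b,c)` macro in vs_base.h reuses the name of the `vx_capable()` helpers this patch deletes from security.c and sched.h but inverts their semantics — the removed functions granted only when the capability AND the context capability were both held and then set `PF_SUPERPRIV`, whereas the macro grants on `capable(b)` OR (`current->euid == 0` AND `vx_ccaps(c)`) and never sets the flag — so any caller of the old exported symbol that this patch does not convert silently becomes more permissive, and the mount, quota, utsname, rlimit and syslog paths switched here lose the superuser-used mark for ccap-granted operations. The euid test is also a coarser gate than a capability bit: a guest process that has dropped its capabilities but kept euid 0 still passes, while one holding the capability with a non-zero euid is rejected on that path; if that is the intended policy it deserves a comment on the `#define`, e.g. `/* host capability, or guest root (euid 0) whose context holds the matching ccap */`. Since the header already uses `static inline` for `__vx_check`, a `static inline int vx_capable(int cap, int ccap)` would be type-checked and could keep the accounting mark, `if (current->euid == 0 && vx_ccaps(ccap)) { current->flags |= PF_SUPERPRIV; return 1; }`. Each call-site hunk cuts into a function whose body lies outside the patch, and the page collapsed the patch onto a few lines, so hunk boundaries here are reconstructed.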