debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity
linux/debian/patches/vserver-vs2.0.2-rc18-update...

350 lines
12 KiB
Diff
Raw Blame History

diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c 2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c 2006-04-28 01:59:36 +0200
@@ -676,7 +676,7 @@
goto dput_and_out;
retval = -EPERM;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
goto dput_and_out;
retval = do_umount(nd.mnt, flags);
@@ -700,9 +700,7 @@
static int mount_is_safe(struct nameidata *nd)
{
- if (capable(CAP_SYS_ADMIN))
- return 0;
- if (vx_ccaps(VXC_SECURE_MOUNT))
+ if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
return 0;
return -EPERM;
#ifdef notyet
@@ -996,7 +994,7 @@
int err;
struct super_block *sb = nd->mnt->mnt_sb;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
return -EPERM;
if (!check_mnt(nd->mnt))
@@ -1030,7 +1028,7 @@
struct nameidata old_nd, parent_nd;
struct vfsmount *p;
int err = 0;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
return -EPERM;
if (!old_name || !*old_name)
return -EINVAL;
@@ -1110,7 +1108,7 @@
return -EINVAL;
/* we need capabilities... */
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
return -EPERM;
mnt = do_kern_mount(type, flags, name, data);
@@ -1502,7 +1500,7 @@
if (!(flags & CLONE_NEWNS))
return 0;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
err = -EPERM;
goto out;
}
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c 2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c 2006-04-28 01:59:36 +0200
@@ -84,11 +84,11 @@
if (cmd == Q_GETQUOTA) {
if (((type == USRQUOTA && current->euid != id) ||
(type == GRPQUOTA && !in_egroup_p(id))) &&
- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return -EPERM;
}
else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return -EPERM;
return 0;
@@ -135,10 +135,10 @@
if (cmd == Q_XGETQUOTA) {
if (((type == XQM_USRQUOTA && current->euid != id) ||
(type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return -EPERM;
} else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return -EPERM;
}
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/super.c linux-2.6.16.11-vs2.0.2-rc18/fs/super.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/super.c 2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/super.c 2006-04-28 01:59:36 +0200
@@ -815,7 +815,7 @@
sb = ERR_PTR(-EPERM);
if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
+ !vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
goto out;
sb = ERR_PTR(-ENOMEM);
diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c
--- linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c 2006-03-20 17:34:49 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c 2006-04-28 01:59:36 +0200
@@ -215,7 +215,7 @@
xfs_qoff_logitem_t *qoffstart;
int nculprits;
- if (!force && !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!force && !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return XFS_ERROR(EPERM);
/*
* No file system can have quotas enabled on disk but not in core.
@@ -384,7 +384,7 @@
int error;
xfs_inode_t *qip;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return XFS_ERROR(EPERM);
error = 0;
if (!XFS_SB_VERSION_HASQUOTA(&mp->m_sb) || flags == 0) {
@@ -429,7 +429,7 @@
uint accflags;
__int64_t sbflags;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return XFS_ERROR(EPERM);
flags &= (XFS_ALL_QUOTA_ACCT | XFS_ALL_QUOTA_ENFD);
@@ -600,7 +600,7 @@
int error;
xfs_qcnt_t hard, soft;
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
return XFS_ERROR(EPERM);
if ((newlim->d_fieldmask &
diff -u linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h
--- linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h 2006-04-28 02:00:37 +0200
@@ -97,6 +97,9 @@
(current->vx_info && \
(current->vx_info->vx_initpid == (n)))
+#define vx_capable(b,c) (capable(b) || \
+ ((current->euid == 0) && vx_ccaps(c)))
+
#else
#warning duplicate inclusion
diff -u linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h
--- linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h 2006-04-26 19:12:32 +0200
@@ -229,6 +229,8 @@
return err;
if (fl.fl4_dst == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
fl.fl4_dst = nx_info->ipv4[0];
+ if (fl.fl4_src == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
+ fl.fl4_src = nx_info->ipv4[0];
}
if (!fl.fl4_dst || !fl.fl4_src) {
err = __ip_route_output_key(rp, &fl);
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c 2006-04-18 02:12:08 +0200
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c 2006-04-28 01:59:36 +0200
@@ -1547,7 +1547,7 @@
int errno;
char tmp[__NEW_UTS_LEN];
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
@@ -1596,7 +1596,7 @@
int errno;
char tmp[__NEW_UTS_LEN];
- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
+ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
@@ -1664,7 +1664,7 @@
return -EINVAL;
old_rlim = current->signal->rlim + resource;
if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
- !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
+ !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
return -EPERM;
if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
return -EPERM;
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c 2006-04-28 03:18:07 +0200
@@ -31,6 +31,7 @@
if (!init)
return -ESRCH;
+ vxi->vx_flags &= ~VXF_STATE_INIT;
return vx_set_init(vxi, init);
}
@@ -88,7 +89,7 @@
vx_info_flags(new_vxi, VX_INFO_PRIVATE, 0))
goto out_put;
- new_vxi->vx_flags &= ~(VXF_STATE_SETUP|VXF_STATE_INIT);
+ new_vxi->vx_flags &= ~VXF_STATE_SETUP;
ret = vx_migrate_task(current, new_vxi);
if (ret == 0) {
@@ -102,6 +103,9 @@
if (vc_data.flags & VX_INFO_NPROC)
new_vxi->limit.rlim[RLIMIT_NPROC] =
current->signal->rlim[RLIMIT_NPROC].rlim_max;
+
+ /* tweak some defaults for legacy */
+ new_vxi->vx_flags |= (VXF_HIDE_NETIF|VXF_INFO_INIT);
ret = new_vxi->vx_id;
}
out_put:
diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c
--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c 2006-03-24 16:50:48 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c 2006-04-28 01:39:59 +0200
@@ -117,7 +117,7 @@
vavavoom = 0;
vxi->sched.vavavoom = vavavoom;
- return vavavoom;
+ return vavavoom + vxi->sched.priority_bias;
}
diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c
--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c 2006-04-17 20:56:32 +0200
+++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c 2006-04-26 19:09:22 +0200
@@ -607,6 +607,9 @@
*colon = ':';
if ((in_dev = __in_dev_get_rtnl(dev)) != NULL) {
+ struct nx_info *nxi = current->nx_info;
+ int hide_netif = vx_flags(VXF_HIDE_NETIF, 0);
+
if (tryaddrmatch) {
/* Matthias Andree */
/* compare label and address (4.4BSD style) */
@@ -615,6 +618,8 @@
This is checked above. */
for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
ifap = &ifa->ifa_next) {
+ if (hide_netif && !ifa_in_nx_info(ifa, nxi))
+ continue;
if (!strcmp(ifr.ifr_name, ifa->ifa_label) &&
sin_orig.sin_addr.s_addr ==
ifa->ifa_address) {
@@ -627,18 +632,18 @@
comparing just the label */
if (!ifa) {
for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
- ifap = &ifa->ifa_next)
+ ifap = &ifa->ifa_next) {
+ if (hide_netif && !ifa_in_nx_info(ifa, nxi))
+ continue;
if (!strcmp(ifr.ifr_name, ifa->ifa_label))
break;
+ }
}
}
ret = -EADDRNOTAVAIL;
if (!ifa && cmd != SIOCSIFADDR && cmd != SIOCSIFFLAGS)
goto done;
- if (vx_flags(VXF_HIDE_NETIF, 0) &&
- !ifa_in_nx_info(ifa, current->nx_info))
- goto done;
switch(cmd) {
case SIOCGIFADDR: /* Get interface address */
diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c
--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c 2006-04-26 19:08:56 +0200
@@ -216,16 +216,6 @@
write_unlock_bh(&udp_hash_lock);
}
-static inline int udp_in_list(struct nx_info *nx_info, u32 addr)
-{
- int n = nx_info->nbipv4;
- int i;
-
- for (i=0; i<n; i++)
- if (nx_info->ipv4[i] == addr)
- return 1;
- return 0;
-}
/* UDP is nearly always wildcards out the wazoo, it makes no sense to try
* harder than this. -DaveM
@@ -248,7 +238,7 @@
continue;
score+=2;
} else if (sk->sk_nx_info) {
- if (udp_in_list(sk->sk_nx_info, daddr))
+ if (addr_in_nx_info(sk->sk_nx_info, daddr))
score+=2;
else
continue;
diff -u linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c
--- linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c 2006-04-28 01:59:36 +0200
@@ -313,7 +313,7 @@
int cap_syslog (int type)
{
if ((type != 3 && type != 10) &&
- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
+ !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
return -EPERM;
return 0;
}
diff -u linux-2.6.16.8-vs2.0.2-rc17/security/security.c linux-2.6.16.11-vs2.0.2-rc18/security/security.c
--- linux-2.6.16.8-vs2.0.2-rc17/security/security.c 2006-03-20 17:34:50 +0100
+++ linux-2.6.16.11-vs2.0.2-rc18/security/security.c 2006-04-28 01:59:36 +0200
@@ -200,22 +200,8 @@
-int vx_capable(int cap, int ccap)
-{
- if (security_ops->capable(current, cap)) {
- /* capability denied */
- return 0;
- }
- if (!vx_ccaps(ccap))
- return 0;
-
- /* capability granted */
- current->flags |= PF_SUPERPRIV;
- return 1;
-}
EXPORT_SYMBOL_GPL(register_security);
EXPORT_SYMBOL_GPL(unregister_security);
EXPORT_SYMBOL_GPL(mod_reg_security);
EXPORT_SYMBOL_GPL(mod_unreg_security);
EXPORT_SYMBOL(capable);
-EXPORT_SYMBOL(vx_capable);
EXPORT_SYMBOL(security_ops);
View Git Blame Copy Permalink