author | Bastian Blank <waldi@debian.org> | 2006-04-28 19:51:01 +0000 |
---|---|---|
committer | Bastian Blank <waldi@debian.org> | 2006-04-28 19:51:01 +0000 |
commit | 1bb95e2a23f668672ca30cf9436085b2d4015414 (patch) | |
tree | e545aa1599ad5f55afe6df0982cd984e2013bd9f | |
parent | d7381e4e022095ad078b2aad5720c38a8f6759ea (diff) | |
Update vserver patch to 2.0.2-rc18.
* debian/changelog: Update.
* debian/patches/series/11-extra: Enable vserver-vs2.0.2-rc18-update.patch.
* debian/patches/vserver-vs2.0.2-rc18-update.patch: Add.
svn path=/dists/sid/linux-2.6/; revision=6483
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/series/11-extra | 1 | ||||
-rw-r--r-- | debian/patches/vserver-vs2.0.2-rc18-update.patch | 349 |
3 files changed, 357 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 4381281b63cd..d5961780b880 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux-2.6 (2.6.16-11) UNRELEASED; urgency=low + + * Update vserver patch to 2.0.2-rc18. + - Limit ccaps to root inside a guest + + -- Bastian Blank <waldi@debian.org> Fri, 28 Apr 2006 16:08:01 +0200 + linux-2.6 (2.6.16-10) unstable; urgency=low [ Norbert Tretkowski ] diff --git a/debian/patches/series/11-extra b/debian/patches/series/11-extra new file mode 100644 index 000000000000..74a272487d89 --- /dev/null +++ b/debian/patches/series/11-extra @@ -0,0 +1 @@ ++ vserver-vs2.0.2-rc18-update.patch *_vserver diff --git a/debian/patches/vserver-vs2.0.2-rc18-update.patch b/debian/patches/vserver-vs2.0.2-rc18-update.patch new file mode 100644 index 000000000000..cdd9420eb166 --- /dev/null +++ b/debian/patches/vserver-vs2.0.2-rc18-update.patch 
@@ -0,0 +1,349 @@ +diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c +--- linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c 2006-03-20 17:34:49 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c 2006-04-28 01:59:36 +0200 +@@ -676,7 +676,7 @@ + goto dput_and_out; + + retval = -EPERM; +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) + goto dput_and_out; + + retval = do_umount(nd.mnt, flags); +@@ -700,9 +700,7 @@ + + static int mount_is_safe(struct nameidata *nd) + { +- if (capable(CAP_SYS_ADMIN)) +- return 0; +- if (vx_ccaps(VXC_SECURE_MOUNT)) ++ if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) + return 0; + return -EPERM; + #ifdef notyet +@@ -996,7 +994,7 @@ + int err; + struct super_block *sb = nd->mnt->mnt_sb; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT)) + return -EPERM; + + if (!check_mnt(nd->mnt)) +@@ -1030,7 +1028,7 @@ + struct nameidata old_nd, parent_nd; + struct vfsmount *p; + int err = 0; +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) + return -EPERM; + if (!old_name || !*old_name) + return -EINVAL; +@@ -1110,7 +1108,7 @@ + return -EINVAL; + + /* we need capabilities... 
*/ +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) + return -EPERM; + + mnt = do_kern_mount(type, flags, name, data); +@@ -1502,7 +1500,7 @@ + if (!(flags & CLONE_NEWNS)) + return 0; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) { ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) { + err = -EPERM; + goto out; + } +diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c +--- linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c 2006-03-20 17:34:49 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c 2006-04-28 01:59:36 +0200 +@@ -84,11 +84,11 @@ + if (cmd == Q_GETQUOTA) { + if (((type == USRQUOTA && current->euid != id) || + (type == GRPQUOTA && !in_egroup_p(id))) && +- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return -EPERM; + } + else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO) +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return -EPERM; + + return 0; +@@ -135,10 +135,10 @@ + if (cmd == Q_XGETQUOTA) { + if (((type == XQM_USRQUOTA && current->euid != id) || + (type == XQM_GRPQUOTA && !in_egroup_p(id))) && +- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return -EPERM; + } else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) { +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return -EPERM; + } + +diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/super.c linux-2.6.16.11-vs2.0.2-rc18/fs/super.c +--- linux-2.6.16.8-vs2.0.2-rc17/fs/super.c 2006-03-20 17:34:49 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/fs/super.c 2006-04-28 01:59:36 +0200 +@@ -815,7 +815,7 @@ + + sb = ERR_PTR(-EPERM); + if ((type->fs_flags & FS_BINARY_MOUNTDATA) && +- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT)) ++ !vx_capable(CAP_SYS_ADMIN, 
VXC_BINARY_MOUNT)) + goto out; + + sb = ERR_PTR(-ENOMEM); +diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c +--- linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c 2006-03-20 17:34:49 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c 2006-04-28 01:59:36 +0200 +@@ -215,7 +215,7 @@ + xfs_qoff_logitem_t *qoffstart; + int nculprits; + +- if (!force && !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!force && !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return XFS_ERROR(EPERM); + /* + * No file system can have quotas enabled on disk but not in core. +@@ -384,7 +384,7 @@ + int error; + xfs_inode_t *qip; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return XFS_ERROR(EPERM); + error = 0; + if (!XFS_SB_VERSION_HASQUOTA(&mp->m_sb) || flags == 0) { +@@ -429,7 +429,7 @@ + uint accflags; + __int64_t sbflags; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return XFS_ERROR(EPERM); + + flags &= (XFS_ALL_QUOTA_ACCT | XFS_ALL_QUOTA_ENFD); +@@ -600,7 +600,7 @@ + int error; + xfs_qcnt_t hard, soft; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL)) + return XFS_ERROR(EPERM); + + if ((newlim->d_fieldmask & +diff -u linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h +--- linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h 2006-04-28 02:00:37 +0200 +@@ -97,6 +97,9 @@ + (current->vx_info && \ + (current->vx_info->vx_initpid == (n))) + ++#define vx_capable(b,c) (capable(b) || \ ++ ((current->euid == 0) && vx_ccaps(c))) ++ + + #else + #warning duplicate inclusion +diff -u linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h 
linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h +--- linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h 2006-04-26 19:12:32 +0200 +@@ -229,6 +229,8 @@ + return err; + if (fl.fl4_dst == IPI_LOOPBACK && !vx_check(0, VX_ADMIN)) + fl.fl4_dst = nx_info->ipv4[0]; ++ if (fl.fl4_src == IPI_LOOPBACK && !vx_check(0, VX_ADMIN)) ++ fl.fl4_src = nx_info->ipv4[0]; + } + if (!fl.fl4_dst || !fl.fl4_src) { + err = __ip_route_output_key(rp, &fl); +diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c +--- linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c 2006-04-18 02:12:08 +0200 ++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c 2006-04-28 01:59:36 +0200 +@@ -1547,7 +1547,7 @@ + int errno; + char tmp[__NEW_UTS_LEN]; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME)) + return -EPERM; + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; +@@ -1596,7 +1596,7 @@ + int errno; + char tmp[__NEW_UTS_LEN]; + +- if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME)) ++ if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME)) + return -EPERM; + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; +@@ -1664,7 +1664,7 @@ + return -EINVAL; + old_rlim = current->signal->rlim + resource; + if ((new_rlim.rlim_max > old_rlim->rlim_max) && +- !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT)) ++ !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT)) + return -EPERM; + if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN) + return -EPERM; +diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c +--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c 2006-04-28 03:18:07 +0200 +@@ -31,6 +31,7 @@ + if (!init) + return -ESRCH; + ++ vxi->vx_flags &= ~VXF_STATE_INIT; + return vx_set_init(vxi, init); 
+ } + +@@ -88,7 +89,7 @@ + vx_info_flags(new_vxi, VX_INFO_PRIVATE, 0)) + goto out_put; + +- new_vxi->vx_flags &= ~(VXF_STATE_SETUP|VXF_STATE_INIT); ++ new_vxi->vx_flags &= ~VXF_STATE_SETUP; + + ret = vx_migrate_task(current, new_vxi); + if (ret == 0) { +@@ -102,6 +103,9 @@ + if (vc_data.flags & VX_INFO_NPROC) + new_vxi->limit.rlim[RLIMIT_NPROC] = + current->signal->rlim[RLIMIT_NPROC].rlim_max; ++ ++ /* tweak some defaults for legacy */ ++ new_vxi->vx_flags |= (VXF_HIDE_NETIF|VXF_INFO_INIT); + ret = new_vxi->vx_id; + } + out_put: +diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c +--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c 2006-03-24 16:50:48 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c 2006-04-28 01:39:59 +0200 +@@ -117,7 +117,7 @@ + vavavoom = 0; + + vxi->sched.vavavoom = vavavoom; +- return vavavoom; ++ return vavavoom + vxi->sched.priority_bias; + } + + +diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c +--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c 2006-04-17 20:56:32 +0200 ++++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c 2006-04-26 19:09:22 +0200 +@@ -607,6 +607,9 @@ + *colon = ':'; + + if ((in_dev = __in_dev_get_rtnl(dev)) != NULL) { ++ struct nx_info *nxi = current->nx_info; ++ int hide_netif = vx_flags(VXF_HIDE_NETIF, 0); ++ + if (tryaddrmatch) { + /* Matthias Andree */ + /* compare label and address (4.4BSD style) */ +@@ -615,6 +618,8 @@ + This is checked above. 
*/ + for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL; + ifap = &ifa->ifa_next) { ++ if (hide_netif && !ifa_in_nx_info(ifa, nxi)) ++ continue; + if (!strcmp(ifr.ifr_name, ifa->ifa_label) && + sin_orig.sin_addr.s_addr == + ifa->ifa_address) { +@@ -627,18 +632,18 @@ + comparing just the label */ + if (!ifa) { + for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL; +- ifap = &ifa->ifa_next) ++ ifap = &ifa->ifa_next) { ++ if (hide_netif && !ifa_in_nx_info(ifa, nxi)) ++ continue; + if (!strcmp(ifr.ifr_name, ifa->ifa_label)) + break; ++ } + } + } + + ret = -EADDRNOTAVAIL; + if (!ifa && cmd != SIOCSIFADDR && cmd != SIOCSIFFLAGS) + goto done; +- if (vx_flags(VXF_HIDE_NETIF, 0) && +- !ifa_in_nx_info(ifa, current->nx_info)) +- goto done; + + switch(cmd) { + case SIOCGIFADDR: /* Get interface address */ +diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c +--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c 2006-04-26 19:08:56 +0200 +@@ -216,16 +216,6 @@ + write_unlock_bh(&udp_hash_lock); + } + +-static inline int udp_in_list(struct nx_info *nx_info, u32 addr) +-{ +- int n = nx_info->nbipv4; +- int i; +- +- for (i=0; i<n; i++) +- if (nx_info->ipv4[i] == addr) +- return 1; +- return 0; +-} + + /* UDP is nearly always wildcards out the wazoo, it makes no sense to try + * harder than this. 
-DaveM +@@ -248,7 +238,7 @@ + continue; + score+=2; + } else if (sk->sk_nx_info) { +- if (udp_in_list(sk->sk_nx_info, daddr)) ++ if (addr_in_nx_info(sk->sk_nx_info, daddr)) + score+=2; + else + continue; +diff -u linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c +--- linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c 2006-04-28 01:59:36 +0200 +@@ -313,7 +313,7 @@ + int cap_syslog (int type) + { + if ((type != 3 && type != 10) && +- !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG)) ++ !vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG)) + return -EPERM; + return 0; + } +diff -u linux-2.6.16.8-vs2.0.2-rc17/security/security.c linux-2.6.16.11-vs2.0.2-rc18/security/security.c +--- linux-2.6.16.8-vs2.0.2-rc17/security/security.c 2006-03-20 17:34:50 +0100 ++++ linux-2.6.16.11-vs2.0.2-rc18/security/security.c 2006-04-28 01:59:36 +0200 +@@ -200,22 +200,8 @@ + +-int vx_capable(int cap, int ccap) +-{ +- if (security_ops->capable(current, cap)) { +- /* capability denied */ +- return 0; +- } +- if (!vx_ccaps(ccap)) +- return 0; +- +- /* capability granted */ +- current->flags |= PF_SUPERPRIV; +- return 1; +-} + + EXPORT_SYMBOL_GPL(register_security); + EXPORT_SYMBOL_GPL(unregister_security); + EXPORT_SYMBOL_GPL(mod_reg_security); + EXPORT_SYMBOL_GPL(mod_unreg_security); + EXPORT_SYMBOL(capable); +-EXPORT_SYMBOL(vx_capable); + EXPORT_SYMBOL(security_ops); |
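Review bot: The `vx_capable(b,c)` macro added to include/linux/vs_base.h (inner hunk `@@ -97,6 +97,9 @@`) drops the `current->flags |= PF_SUPERPRIV` side effect that the function it replaces in security/security.c (inner hunk `@@ -200,22 +200,8 @@`) set when privilege was granted through a context capability; on the `capable(b)` branch the stock kernel still records it, but a guest root that passes only via `vx_ccaps(c)` will no longer be marked as having used superuser privilege (which process accounting presumably reads). The name is reused with different combination logic: the removed function required both a passing `security_ops->capable()` and the ccap, while the macro grants on `capable(b)` or `euid == 0 && vx_ccaps(c)`, which matches the inline checks the call sites had before but means any out-of-tree user of the old `EXPORT_SYMBOL(vx_capable)` now silently gets the weaker, LSM-bypassing check on the ccaps path. I would document this above the macro: `/* capable(b), or root inside a guest holding context cap c; unlike the removed vx_capable() the ccaps path does not set PF_SUPERPRIV */`. The kernel/vserver/sched.c hunk also returns `vavavoom + vxi->sched.priority_bias` while storing only `vavavoom` in `vxi->sched.vavavoom`, so a caller that later reads the field back presumably sees a different value than the return; a one-line comment stating that this is intended would help.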