Merge branch 'next' into for-linus
此提交包含在:
James Morris
@@ -167,7 +167,7 @@ EXPORT_SYMBOL(prepare_creds);
|
||||
|
||||
/*
|
||||
* Prepare credentials for current to perform an execve()
|
||||
* - The caller must hold current->cred_exec_mutex
|
||||
* - The caller must hold current->cred_guard_mutex
|
||||
*/
|
||||
struct cred *prepare_exec_creds(void)
|
||||
{
|
||||
@@ -276,7 +276,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
|
||||
struct cred *new;
|
||||
int ret;
|
||||
|
||||
mutex_init(&p->cred_exec_mutex);
|
||||
mutex_init(&p->cred_guard_mutex);
|
||||
|
||||
if (
|
||||
#ifdef CONFIG_KEYS
|
||||
|
||||
@@ -1476,6 +1476,7 @@ static int wait_consider_task(struct task_struct *parent, int ptrace,
|
||||
*/
|
||||
if (*notask_error)
|
||||
*notask_error = ret;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (likely(!ptrace) && unlikely(p->ptrace)) {
|
||||
|
||||
@@ -72,6 +72,9 @@ DEFINE_MUTEX(module_mutex);
|
||||
EXPORT_SYMBOL_GPL(module_mutex);
|
||||
static LIST_HEAD(modules);
|
||||
|
||||
/* Block module loading/unloading? */
|
||||
int modules_disabled = 0;
|
||||
|
||||
/* Waiting for a module to finish initializing? */
|
||||
static DECLARE_WAIT_QUEUE_HEAD(module_wq);
|
||||
|
||||
@@ -777,7 +780,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
|
||||
char name[MODULE_NAME_LEN];
|
||||
int ret, forced = 0;
|
||||
|
||||
if (!capable(CAP_SYS_MODULE))
|
||||
if (!capable(CAP_SYS_MODULE) || modules_disabled)
|
||||
return -EPERM;
|
||||
|
||||
if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
|
||||
@@ -2336,7 +2339,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
|
||||
int ret = 0;
|
||||
|
||||
/* Must have permission */
|
||||
if (!capable(CAP_SYS_MODULE))
|
||||
if (!capable(CAP_SYS_MODULE) || modules_disabled)
|
||||
return -EPERM;
|
||||
|
||||
/* Only one module load at a time, please */
|
||||
|
||||
@@ -185,10 +185,11 @@ int ptrace_attach(struct task_struct *task)
|
||||
if (same_thread_group(task, current))
|
||||
goto out;
|
||||
|
||||
/* Protect exec's credential calculations against our interference;
|
||||
* SUID, SGID and LSM creds get determined differently under ptrace.
|
||||
/* Protect the target's credential calculations against our
|
||||
* interference; SUID, SGID and LSM creds get determined differently
|
||||
* under ptrace.
|
||||
*/
|
||||
retval = mutex_lock_interruptible(&task->cred_exec_mutex);
|
||||
retval = mutex_lock_interruptible(&task->cred_guard_mutex);
|
||||
if (retval < 0)
|
||||
goto out;
|
||||
|
||||
@@ -232,7 +233,7 @@ repeat:
|
||||
bad:
|
||||
write_unlock_irqrestore(&tasklist_lock, flags);
|
||||
task_unlock(task);
|
||||
mutex_unlock(&task->cred_exec_mutex);
|
||||
mutex_unlock(&task->cred_guard_mutex);
|
||||
out:
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -249,14 +249,19 @@ void flush_sigqueue(struct sigpending *queue)
|
||||
/*
|
||||
* Flush all pending signals for a task.
|
||||
*/
|
||||
void __flush_signals(struct task_struct *t)
|
||||
{
|
||||
clear_tsk_thread_flag(t, TIF_SIGPENDING);
|
||||
flush_sigqueue(&t->pending);
|
||||
flush_sigqueue(&t->signal->shared_pending);
|
||||
}
|
||||
|
||||
void flush_signals(struct task_struct *t)
|
||||
{
|
||||
unsigned long flags;
|
||||
|
||||
spin_lock_irqsave(&t->sighand->siglock, flags);
|
||||
clear_tsk_thread_flag(t, TIF_SIGPENDING);
|
||||
flush_sigqueue(&t->pending);
|
||||
flush_sigqueue(&t->signal->shared_pending);
|
||||
__flush_signals(t);
|
||||
spin_unlock_irqrestore(&t->sighand->siglock, flags);
|
||||
}
|
||||
|
||||
|
||||
@@ -114,6 +114,7 @@ static int ngroups_max = NGROUPS_MAX;
|
||||
|
||||
#ifdef CONFIG_MODULES
|
||||
extern char modprobe_path[];
|
||||
extern int modules_disabled;
|
||||
#endif
|
||||
#ifdef CONFIG_CHR_DEV_SG
|
||||
extern int sg_big_buff;
|
||||
@@ -534,6 +535,17 @@ static struct ctl_table kern_table[] = {
|
||||
.proc_handler = &proc_dostring,
|
||||
.strategy = &sysctl_string,
|
||||
},
|
||||
{
|
||||
.ctl_name = CTL_UNNUMBERED,
|
||||
.procname = "modules_disabled",
|
||||
.data = &modules_disabled,
|
||||
.maxlen = sizeof(int),
|
||||
.mode = 0644,
|
||||
/* only handle a transition from default "0" to "1" */
|
||||
.proc_handler = &proc_dointvec_minmax,
|
||||
.extra1 = &one,
|
||||
.extra2 = &one,
|
||||
},
|
||||
#endif
|
||||
#if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET)
|
||||
{
|
||||
@@ -1233,7 +1245,6 @@ static struct ctl_table vm_table[] = {
|
||||
.strategy = &sysctl_jiffies,
|
||||
},
|
||||
#endif
|
||||
#ifdef CONFIG_SECURITY
|
||||
{
|
||||
.ctl_name = CTL_UNNUMBERED,
|
||||
.procname = "mmap_min_addr",
|
||||
@@ -1242,7 +1253,6 @@ static struct ctl_table vm_table[] = {
|
||||
.mode = 0644,
|
||||
.proc_handler = &proc_doulongvec_minmax,
|
||||
},
|
||||
#endif
|
||||
#ifdef CONFIG_NUMA
|
||||
{
|
||||
.ctl_name = CTL_UNNUMBERED,
|
||||
|
||||
新增問題並參考
封鎖使用者