linux-3.19.patch 6.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222
  1. diff --git a/Kconfig b/Kconfig
  2. index c13f48d..e18713e 100644
  3. --- a/Kconfig
  4. +++ b/Kconfig
  5. @@ -9,3 +9,4 @@ config SRCARCH
  6. option env="SRCARCH"
  7. source "arch/$SRCARCH/Kconfig"
  8. +source "graphene/Kconfig"
  9. diff --git a/Makefile b/Makefile
  10. index e5ac8a6..116ac82 100644
  11. --- a/Makefile
  12. +++ b/Makefile
  13. @@ -779,7 +779,7 @@ export mod_sign_cmd
  14. ifeq ($(KBUILD_EXTMOD),)
  15. -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
  16. +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ graphene/
  17. vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
  18. $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
  19. diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
  20. index 3737f72..f7a4aba 100644
  21. --- a/include/linux/miscdevice.h
  22. +++ b/include/linux/miscdevice.h
  23. @@ -3,6 +3,7 @@
  24. #include <linux/major.h>
  25. #include <linux/list.h>
  26. #include <linux/types.h>
  27. +#include <../graphene/graphene.h>
  28. /*
  29. * These allocations are managed by device@lanana.org. If you use an
  30. diff --git a/include/linux/sched.h b/include/linux/sched.h
  31. index a781dec..3381137 100644
  32. --- a/include/linux/sched.h
  33. +++ b/include/linux/sched.h
  34. @@ -1161,6 +1161,11 @@ enum perf_event_task_context {
  35. perf_nr_task_contexts,
  36. };
  37. +#ifdef CONFIG_GRAPHENE
  38. +# include <../graphene/graphene.h>
  39. +struct graphene_struct;
  40. +#endif
  41. +
  42. struct task_struct {
  43. volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
  44. void *stack;
  45. @@ -1581,6 +1586,11 @@ struct task_struct {
  46. unsigned int sequential_io;
  47. unsigned int sequential_io_avg;
  48. #endif
  49. +
  50. +#ifdef CONFIG_GRAPHENE
  51. + /* for graphene tasks */
  52. + struct graphene_struct *graphene; /* structure to store graphene info */
  53. +#endif
  54. };
  55. /* Future-safe accessor for struct task_struct's cpus_allowed. */
  56. diff --git a/kernel/fork.c b/kernel/fork.c
  57. index a17621c..41d5958 100644
  58. --- a/kernel/fork.c
  59. +++ b/kernel/fork.c
  60. @@ -11,6 +11,7 @@
  61. * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
  62. */
  63. +#include <linux/version.h>
  64. #include <linux/slab.h>
  65. #include <linux/init.h>
  66. #include <linux/unistd.h>
  67. @@ -84,6 +85,10 @@
  68. #define CREATE_TRACE_POINTS
  69. #include <trace/events/task.h>
  70. +#ifdef CONFIG_GRAPHENE
  71. +# include <../graphene/graphene.h>
  72. +#endif
  73. +
  74. /*
  75. * Protected counters by write_lock_irq(&tasklist_lock)
  76. */
  77. @@ -242,6 +247,10 @@ void __put_task_struct(struct task_struct *tsk)
  78. delayacct_tsk_free(tsk);
  79. put_signal_struct(tsk->signal);
  80. +#ifdef CONFIG_GRAPHENE
  81. + put_graphene_struct(tsk);
  82. +#endif
  83. +
  84. if (!profile_handoff_task(tsk))
  85. free_task(tsk);
  86. }
  87. @@ -322,6 +331,16 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
  88. tsk->stack_canary = get_random_int();
  89. #endif
  90. +#ifdef CONFIG_GRAPHENE
  91. + err = dup_graphene_struct(tsk);
  92. + if (err)
  93. +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
  94. + goto free_ti;
  95. +#else
  96. + goto out;
  97. +#endif
  98. +#endif
  99. +
  100. /*
  101. * One for us, one for whoever does the "release_task()" (usually
  102. * parent)
  103. diff -ruNp linux-3.19/mm/mmap.c linux-3.19.new/mm/mmap.c
  104. --- linux-3.19/mm/mmap.c 2015-02-08 21:54:22.000000000 -0500
  105. +++ linux-3.19.new/mm/mmap.c 2016-08-23 22:15:18.387511888 -0400
  106. @@ -2000,6 +2000,10 @@ arch_get_unmapped_area_topdown(struct fi
  107. }
  108. #endif
  109. +#ifdef CONFIG_GRAPHENE
  110. +# include <../graphene/graphene.h>
  111. +#endif
  112. +
  113. unsigned long
  114. get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
  115. unsigned long pgoff, unsigned long flags)
  116. @@ -2018,6 +2022,10 @@ get_unmapped_area(struct file *file, uns
  117. get_area = current->mm->get_unmapped_area;
  118. if (file && file->f_op->get_unmapped_area)
  119. get_area = file->f_op->get_unmapped_area;
  120. +#ifdef CONFIG_GRAPHENE
  121. + if (file && current->in_execve && GRAPHENE_ENABLED())
  122. + get_area = graphene_execve_get_area;
  123. +#endif
  124. addr = get_area(file, addr, len, pgoff, flags);
  125. if (IS_ERR_VALUE(addr))
  126. return addr;
  127. diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
  128. index 4257b7e..b21c19d 100644
  129. --- a/security/apparmor/lsm.c
  130. +++ b/security/apparmor/lsm.c
  131. @@ -36,6 +36,10 @@
  132. #include "include/policy.h"
  133. #include "include/procattr.h"
  134. +#ifdef CONFIG_GRAPHENE
  135. +# include <../graphene/graphene.h>
  136. +#endif
  137. +
  138. /* Flag indicating whether initialization completed */
  139. int apparmor_initialized __initdata;
  140. @@ -165,6 +169,12 @@ static int common_perm(int op, struct path *path, u32 mask,
  141. struct aa_profile *profile;
  142. int error = 0;
  143. +#ifdef CONFIG_GRAPHENE
  144. + if (GRAPHENE_ENABLED() &&
  145. + (error = graphene_common_perm(op, path, mask)))
  146. + return error;
  147. +#endif
  148. +
  149. profile = __aa_current_profile();
  150. if (!unconfined(profile))
  151. error = aa_path_perm(op, profile, path, 0, mask, cond);
  152. @@ -377,6 +387,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
  153. {
  154. struct aa_file_cxt *fcxt = file->f_security;
  155. struct aa_profile *profile;
  156. + u32 mask;
  157. int error = 0;
  158. if (!mediated_filesystem(file_inode(file)))
  159. @@ -388,10 +399,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
  160. * actually execute the image.
  161. */
  162. if (current->in_execve) {
  163. +#ifdef CONFIG_GRAPHENE
  164. + if (GRAPHENE_ENABLED() && (error = graphene_execve_open(file)))
  165. + return error;
  166. +#endif
  167. fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
  168. return 0;
  169. }
  170. +#ifdef CONFIG_GRAPHENE
  171. + mask = aa_map_file_to_perms(file);
  172. + if (GRAPHENE_ENABLED() &&
  173. + (error = graphene_common_perm(OP_OPEN, &file->f_path, mask)))
  174. + return error;
  175. +#endif
  176. +
  177. profile = aa_cred_profile(cred);
  178. if (!unconfined(profile)) {
  179. struct inode *inode = file_inode(file);
  180. @@ -647,6 +669,14 @@ static struct security_operations apparmor_ops = {
  181. .getprocattr = apparmor_getprocattr,
  182. .setprocattr = apparmor_setprocattr,
  183. +#ifdef CONFIG_GRAPHENE
  184. + .socket_bind = graphene_socket_bind,
  185. + .socket_listen = graphene_socket_listen,
  186. + .socket_connect = graphene_socket_connect,
  187. + .socket_sendmsg = graphene_socket_sendmsg,
  188. + .socket_recvmsg = graphene_socket_recvmsg,
  189. +#endif
  190. +
  191. .cred_alloc_blank = apparmor_cred_alloc_blank,
  192. .cred_free = apparmor_cred_free,
  193. .cred_prepare = apparmor_cred_prepare,
  194. @@ -658,6 +688,10 @@ static struct security_operations apparmor_ops = {
  195. .bprm_secureexec = apparmor_bprm_secureexec,
  196. .task_setrlimit = apparmor_task_setrlimit,
  197. +
  198. +#ifdef CONFIG_GRAPHENE
  199. + .task_kill = graphene_task_kill,
  200. +#endif
  201. };
  202. /*