• R/O
  • SSH
  • HTTPS

caitsith: コミット


コミットメタ情報

リビジョン271 (tree)
日時2019-01-07 20:23:39
作者kumaneko

ログメッセージ

(メッセージはありません)

変更サマリ

差分

--- trunk/caitsith-patch/caitsith/caitsith.h (revision 270)
+++ trunk/caitsith-patch/caitsith/caitsith.h (revision 271)
@@ -61,6 +61,9 @@
6161 #include <net/udp.h>
6262 #include <linux/ctype.h>
6363 #include <linux/magic.h>
64+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
65+#include <uapi/linux/mount.h>
66+#endif
6467
6568 #ifndef current_uid
6669 #define current_uid() (current->uid)
--- trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 270)
+++ trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 271)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.14.90.
1+This is TOMOYO Linux patch for kernel 4.14.91.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.90.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.91.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 153 insertions(+), 29 deletions(-)
3030
31---- linux-4.14.90.orig/fs/exec.c
32-+++ linux-4.14.90/fs/exec.c
31+--- linux-4.14.91.orig/fs/exec.c
32++++ linux-4.14.91/fs/exec.c
3333 @@ -1677,7 +1677,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.14.90.orig/fs/open.c
43-+++ linux-4.14.90/fs/open.c
42+--- linux-4.14.91.orig/fs/open.c
43++++ linux-4.14.91/fs/open.c
4444 @@ -1171,6 +1171,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.14.90.orig/fs/proc/version.c
54-+++ linux-4.14.90/fs/proc/version.c
53+--- linux-4.14.91.orig/fs/proc/version.c
54++++ linux-4.14.91/fs/proc/version.c
5555 @@ -33,3 +33,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.14.90 2018/12/24\n");
62++ printk(KERN_INFO "Hook version: 4.14.91 2019/01/07\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.14.90.orig/include/linux/init_task.h
67-+++ linux-4.14.90/include/linux/init_task.h
66+--- linux-4.14.91.orig/include/linux/init_task.h
67++++ linux-4.14.91/include/linux/init_task.h
6868 @@ -219,6 +219,14 @@ extern struct cred init_cred;
6969 #define INIT_TASK_SECURITY
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.14.90.orig/include/linux/sched.h
92-+++ linux-4.14.90/include/linux/sched.h
91+--- linux-4.14.91.orig/include/linux/sched.h
92++++ linux-4.14.91/include/linux/sched.h
9393 @@ -33,6 +33,7 @@ struct audit_context;
9494 struct backing_dev_info;
9595 struct bio_list;
@@ -109,8 +109,8 @@
109109
110110 /*
111111 * New fields for task_struct should be added above here, so that
112---- linux-4.14.90.orig/include/linux/security.h
113-+++ linux-4.14.90/include/linux/security.h
112+--- linux-4.14.91.orig/include/linux/security.h
113++++ linux-4.14.91/include/linux/security.h
114114 @@ -56,6 +56,7 @@ struct msg_queue;
115115 struct xattr;
116116 struct xfrm_sec_ctx;
@@ -331,8 +331,8 @@
331331 }
332332 #endif /* CONFIG_SECURITY_PATH */
333333
334---- linux-4.14.90.orig/include/net/ip.h
335-+++ linux-4.14.90/include/net/ip.h
334+--- linux-4.14.91.orig/include/net/ip.h
335++++ linux-4.14.91/include/net/ip.h
336336 @@ -266,6 +266,8 @@ void inet_get_local_port_range(struct ne
337337 #ifdef CONFIG_SYSCTL
338338 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -351,8 +351,8 @@
351351 return 0;
352352 }
353353
354---- linux-4.14.90.orig/kernel/kexec.c
355-+++ linux-4.14.90/kernel/kexec.c
354+--- linux-4.14.91.orig/kernel/kexec.c
355++++ linux-4.14.91/kernel/kexec.c
356356 @@ -17,7 +17,7 @@
357357 #include <linux/syscalls.h>
358358 #include <linux/vmalloc.h>
@@ -371,8 +371,8 @@
371371
372372 /*
373373 * Verify we have a legal set of flags
374---- linux-4.14.90.orig/kernel/module.c
375-+++ linux-4.14.90/kernel/module.c
374+--- linux-4.14.91.orig/kernel/module.c
375++++ linux-4.14.91/kernel/module.c
376376 @@ -66,6 +66,7 @@
377377 #include <linux/audit.h>
378378 #include <uapi/linux/module.h>
@@ -399,8 +399,8 @@
399399
400400 return 0;
401401 }
402---- linux-4.14.90.orig/kernel/ptrace.c
403-+++ linux-4.14.90/kernel/ptrace.c
402+--- linux-4.14.91.orig/kernel/ptrace.c
403++++ linux-4.14.91/kernel/ptrace.c
404404 @@ -1123,6 +1123,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
405405 {
406406 struct task_struct *child;
@@ -425,8 +425,8 @@
425425
426426 if (request == PTRACE_TRACEME) {
427427 ret = ptrace_traceme();
428---- linux-4.14.90.orig/kernel/reboot.c
429-+++ linux-4.14.90/kernel/reboot.c
428+--- linux-4.14.91.orig/kernel/reboot.c
429++++ linux-4.14.91/kernel/reboot.c
430430 @@ -16,6 +16,7 @@
431431 #include <linux/syscalls.h>
432432 #include <linux/syscore_ops.h>
@@ -444,8 +444,8 @@
444444
445445 /*
446446 * If pid namespaces are enabled and the current task is in a child
447---- linux-4.14.90.orig/kernel/sched/core.c
448-+++ linux-4.14.90/kernel/sched/core.c
447+--- linux-4.14.91.orig/kernel/sched/core.c
448++++ linux-4.14.91/kernel/sched/core.c
449449 @@ -3854,6 +3854,8 @@ int can_nice(const struct task_struct *p
450450 SYSCALL_DEFINE1(nice, int, increment)
451451 {
@@ -455,8 +455,8 @@
455455
456456 /*
457457 * Setpriority might change our priority at the same moment.
458---- linux-4.14.90.orig/kernel/signal.c
459-+++ linux-4.14.90/kernel/signal.c
458+--- linux-4.14.91.orig/kernel/signal.c
459++++ linux-4.14.91/kernel/signal.c
460460 @@ -2967,6 +2967,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
461461 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
462462 {
@@ -502,8 +502,8 @@
502502
503503 return do_send_specific(tgid, pid, sig, info);
504504 }
505---- linux-4.14.90.orig/kernel/sys.c
506-+++ linux-4.14.90/kernel/sys.c
505+--- linux-4.14.91.orig/kernel/sys.c
506++++ linux-4.14.91/kernel/sys.c
507507 @@ -193,6 +193,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
508508
509509 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -533,8 +533,8 @@
533533
534534 errno = -EFAULT;
535535 if (!copy_from_user(tmp, name, len)) {
536---- linux-4.14.90.orig/kernel/time/ntp.c
537-+++ linux-4.14.90/kernel/time/ntp.c
536+--- linux-4.14.91.orig/kernel/time/ntp.c
537++++ linux-4.14.91/kernel/time/ntp.c
538538 @@ -18,6 +18,7 @@
539539 #include <linux/module.h>
540540 #include <linux/rtc.h>
@@ -568,8 +568,8 @@
568568
569569 if (txc->modes & ADJ_NANO) {
570570 struct timespec ts;
571---- linux-4.14.90.orig/net/ipv4/raw.c
572-+++ linux-4.14.90/net/ipv4/raw.c
571+--- linux-4.14.91.orig/net/ipv4/raw.c
572++++ linux-4.14.91/net/ipv4/raw.c
573573 @@ -766,6 +766,10 @@ static int raw_recvmsg(struct sock *sk,
574574 skb = skb_recv_datagram(sk, flags, noblock, &err);
575575 if (!skb)
@@ -581,8 +581,8 @@
581581
582582 copied = skb->len;
583583 if (len < copied) {
584---- linux-4.14.90.orig/net/ipv4/udp.c
585-+++ linux-4.14.90/net/ipv4/udp.c
584+--- linux-4.14.91.orig/net/ipv4/udp.c
585++++ linux-4.14.91/net/ipv4/udp.c
586586 @@ -1593,6 +1593,8 @@ try_again:
587587 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
588588 if (!skb)
@@ -592,8 +592,8 @@
592592
593593 ulen = udp_skb_len(skb);
594594 copied = len;
595---- linux-4.14.90.orig/net/ipv6/raw.c
596-+++ linux-4.14.90/net/ipv6/raw.c
595+--- linux-4.14.91.orig/net/ipv6/raw.c
596++++ linux-4.14.91/net/ipv6/raw.c
597597 @@ -483,6 +483,10 @@ static int rawv6_recvmsg(struct sock *sk
598598 skb = skb_recv_datagram(sk, flags, noblock, &err);
599599 if (!skb)
@@ -605,8 +605,8 @@
605605
606606 copied = skb->len;
607607 if (copied > len) {
608---- linux-4.14.90.orig/net/ipv6/udp.c
609-+++ linux-4.14.90/net/ipv6/udp.c
608+--- linux-4.14.91.orig/net/ipv6/udp.c
609++++ linux-4.14.91/net/ipv6/udp.c
610610 @@ -371,6 +371,8 @@ try_again:
611611 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
612612 if (!skb)
@@ -616,8 +616,8 @@
616616
617617 ulen = udp6_skb_len(skb);
618618 copied = len;
619---- linux-4.14.90.orig/net/socket.c
620-+++ linux-4.14.90/net/socket.c
619+--- linux-4.14.91.orig/net/socket.c
620++++ linux-4.14.91/net/socket.c
621621 @@ -1587,6 +1587,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
622622 if (err < 0)
623623 goto out_fd;
@@ -629,8 +629,8 @@
629629 if (upeer_sockaddr) {
630630 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
631631 &len, 2) < 0) {
632---- linux-4.14.90.orig/net/unix/af_unix.c
633-+++ linux-4.14.90/net/unix/af_unix.c
632+--- linux-4.14.91.orig/net/unix/af_unix.c
633++++ linux-4.14.91/net/unix/af_unix.c
634634 @@ -2131,6 +2131,10 @@ static int unix_dgram_recvmsg(struct soc
635635 POLLOUT | POLLWRNORM |
636636 POLLWRBAND);
@@ -650,8 +650,8 @@
650650 mutex_unlock(&u->iolock);
651651 out:
652652 return err;
653---- linux-4.14.90.orig/security/Kconfig
654-+++ linux-4.14.90/security/Kconfig
653+--- linux-4.14.91.orig/security/Kconfig
654++++ linux-4.14.91/security/Kconfig
655655 @@ -263,5 +263,7 @@ config DEFAULT_SECURITY
656656 default "apparmor" if DEFAULT_SECURITY_APPARMOR
657657 default "" if DEFAULT_SECURITY_DAC
@@ -660,8 +660,8 @@
660660 +
661661 endmenu
662662
663---- linux-4.14.90.orig/security/Makefile
664-+++ linux-4.14.90/security/Makefile
663+--- linux-4.14.91.orig/security/Makefile
664++++ linux-4.14.91/security/Makefile
665665 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
666666 # Object integrity file lists
667667 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -669,8 +669,8 @@
669669 +
670670 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
671671 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
672---- linux-4.14.90.orig/security/security.c
673-+++ linux-4.14.90/security/security.c
672+--- linux-4.14.91.orig/security/security.c
673++++ linux-4.14.91/security/security.c
674674 @@ -978,12 +978,19 @@ int security_file_open(struct file *file
675675
676676 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 270)
+++ trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 271)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.19.12.
1+This is TOMOYO Linux patch for kernel 4.19.13.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.12.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.13.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 148 insertions(+), 29 deletions(-)
3030
31---- linux-4.19.12.orig/fs/exec.c
32-+++ linux-4.19.12/fs/exec.c
31+--- linux-4.19.13.orig/fs/exec.c
32++++ linux-4.19.13/fs/exec.c
3333 @@ -1692,7 +1692,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.19.12.orig/fs/open.c
43-+++ linux-4.19.12/fs/open.c
42+--- linux-4.19.13.orig/fs/open.c
43++++ linux-4.19.13/fs/open.c
4444 @@ -1174,6 +1174,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.19.12.orig/fs/proc/version.c
54-+++ linux-4.19.12/fs/proc/version.c
53+--- linux-4.19.13.orig/fs/proc/version.c
54++++ linux-4.19.13/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.19.12 2018/12/24\n");
62++ printk(KERN_INFO "Hook version: 4.19.13 2019/01/07\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.19.12.orig/include/linux/sched.h
67-+++ linux-4.19.12/include/linux/sched.h
66+--- linux-4.19.13.orig/include/linux/sched.h
67++++ linux-4.19.13/include/linux/sched.h
6868 @@ -34,6 +34,7 @@ struct audit_context;
6969 struct backing_dev_info;
7070 struct bio_list;
@@ -84,8 +84,8 @@
8484
8585 /*
8686 * New fields for task_struct should be added above here, so that
87---- linux-4.19.12.orig/include/linux/security.h
88-+++ linux-4.19.12/include/linux/security.h
87+--- linux-4.19.13.orig/include/linux/security.h
88++++ linux-4.19.13/include/linux/security.h
8989 @@ -53,6 +53,7 @@ struct msg_msg;
9090 struct xattr;
9191 struct xfrm_sec_ctx;
@@ -306,8 +306,8 @@
306306 }
307307 #endif /* CONFIG_SECURITY_PATH */
308308
309---- linux-4.19.12.orig/include/net/ip.h
310-+++ linux-4.19.12/include/net/ip.h
309+--- linux-4.19.13.orig/include/net/ip.h
310++++ linux-4.19.13/include/net/ip.h
311311 @@ -301,6 +301,8 @@ void inet_get_local_port_range(struct ne
312312 #ifdef CONFIG_SYSCTL
313313 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -326,8 +326,8 @@
326326 return 0;
327327 }
328328
329---- linux-4.19.12.orig/init/init_task.c
330-+++ linux-4.19.12/init/init_task.c
329+--- linux-4.19.13.orig/init/init_task.c
330++++ linux-4.19.13/init/init_task.c
331331 @@ -179,6 +179,10 @@ struct task_struct init_task
332332 #ifdef CONFIG_SECURITY
333333 .security = NULL,
@@ -339,8 +339,8 @@
339339 };
340340 EXPORT_SYMBOL(init_task);
341341
342---- linux-4.19.12.orig/kernel/kexec.c
343-+++ linux-4.19.12/kernel/kexec.c
342+--- linux-4.19.13.orig/kernel/kexec.c
343++++ linux-4.19.13/kernel/kexec.c
344344 @@ -18,7 +18,7 @@
345345 #include <linux/syscalls.h>
346346 #include <linux/vmalloc.h>
@@ -359,8 +359,8 @@
359359
360360 /* Permit LSMs and IMA to fail the kexec */
361361 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362---- linux-4.19.12.orig/kernel/module.c
363-+++ linux-4.19.12/kernel/module.c
362+--- linux-4.19.13.orig/kernel/module.c
363++++ linux-4.19.13/kernel/module.c
364364 @@ -66,6 +66,7 @@
365365 #include <linux/audit.h>
366366 #include <uapi/linux/module.h>
@@ -387,8 +387,8 @@
387387
388388 return 0;
389389 }
390---- linux-4.19.12.orig/kernel/ptrace.c
391-+++ linux-4.19.12/kernel/ptrace.c
390+--- linux-4.19.13.orig/kernel/ptrace.c
391++++ linux-4.19.13/kernel/ptrace.c
392392 @@ -1112,6 +1112,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393393 {
394394 struct task_struct *child;
@@ -413,8 +413,8 @@
413413
414414 if (request == PTRACE_TRACEME) {
415415 ret = ptrace_traceme();
416---- linux-4.19.12.orig/kernel/reboot.c
417-+++ linux-4.19.12/kernel/reboot.c
416+--- linux-4.19.13.orig/kernel/reboot.c
417++++ linux-4.19.13/kernel/reboot.c
418418 @@ -16,6 +16,7 @@
419419 #include <linux/syscalls.h>
420420 #include <linux/syscore_ops.h>
@@ -432,8 +432,8 @@
432432
433433 /*
434434 * If pid namespaces are enabled and the current task is in a child
435---- linux-4.19.12.orig/kernel/sched/core.c
436-+++ linux-4.19.12/kernel/sched/core.c
435+--- linux-4.19.13.orig/kernel/sched/core.c
436++++ linux-4.19.13/kernel/sched/core.c
437437 @@ -3943,6 +3943,8 @@ int can_nice(const struct task_struct *p
438438 SYSCALL_DEFINE1(nice, int, increment)
439439 {
@@ -443,8 +443,8 @@
443443
444444 /*
445445 * Setpriority might change our priority at the same moment.
446---- linux-4.19.12.orig/kernel/signal.c
447-+++ linux-4.19.12/kernel/signal.c
446+--- linux-4.19.13.orig/kernel/signal.c
447++++ linux-4.19.13/kernel/signal.c
448448 @@ -3210,6 +3210,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449449 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450450 {
@@ -490,8 +490,8 @@
490490
491491 return do_send_specific(tgid, pid, sig, info);
492492 }
493---- linux-4.19.12.orig/kernel/sys.c
494-+++ linux-4.19.12/kernel/sys.c
493+--- linux-4.19.13.orig/kernel/sys.c
494++++ linux-4.19.13/kernel/sys.c
495495 @@ -201,6 +201,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496496
497497 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -521,8 +521,8 @@
521521
522522 errno = -EFAULT;
523523 if (!copy_from_user(tmp, name, len)) {
524---- linux-4.19.12.orig/kernel/time/timekeeping.c
525-+++ linux-4.19.12/kernel/time/timekeeping.c
524+--- linux-4.19.13.orig/kernel/time/timekeeping.c
525++++ linux-4.19.13/kernel/time/timekeeping.c
526526 @@ -26,6 +26,7 @@
527527 #include <linux/stop_machine.h>
528528 #include <linux/pvclock_gtod.h>
@@ -556,8 +556,8 @@
556556
557557 /*
558558 * Validate if a timespec/timeval used to inject a time
559---- linux-4.19.12.orig/net/ipv4/raw.c
560-+++ linux-4.19.12/net/ipv4/raw.c
559+--- linux-4.19.13.orig/net/ipv4/raw.c
560++++ linux-4.19.13/net/ipv4/raw.c
561561 @@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
562562 skb = skb_recv_datagram(sk, flags, noblock, &err);
563563 if (!skb)
@@ -569,8 +569,8 @@
569569
570570 copied = skb->len;
571571 if (len < copied) {
572---- linux-4.19.12.orig/net/ipv4/udp.c
573-+++ linux-4.19.12/net/ipv4/udp.c
572+--- linux-4.19.13.orig/net/ipv4/udp.c
573++++ linux-4.19.13/net/ipv4/udp.c
574574 @@ -1655,6 +1655,8 @@ try_again:
575575 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576576 if (!skb)
@@ -580,8 +580,8 @@
580580
581581 ulen = udp_skb_len(skb);
582582 copied = len;
583---- linux-4.19.12.orig/net/ipv6/raw.c
584-+++ linux-4.19.12/net/ipv6/raw.c
583+--- linux-4.19.13.orig/net/ipv6/raw.c
584++++ linux-4.19.13/net/ipv6/raw.c
585585 @@ -483,6 +483,10 @@ static int rawv6_recvmsg(struct sock *sk
586586 skb = skb_recv_datagram(sk, flags, noblock, &err);
587587 if (!skb)
@@ -593,8 +593,8 @@
593593
594594 copied = skb->len;
595595 if (copied > len) {
596---- linux-4.19.12.orig/net/ipv6/udp.c
597-+++ linux-4.19.12/net/ipv6/udp.c
596+--- linux-4.19.13.orig/net/ipv6/udp.c
597++++ linux-4.19.13/net/ipv6/udp.c
598598 @@ -343,6 +343,8 @@ try_again:
599599 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600600 if (!skb)
@@ -604,8 +604,8 @@
604604
605605 ulen = udp6_skb_len(skb);
606606 copied = len;
607---- linux-4.19.12.orig/net/socket.c
608-+++ linux-4.19.12/net/socket.c
607+--- linux-4.19.13.orig/net/socket.c
608++++ linux-4.19.13/net/socket.c
609609 @@ -1591,6 +1591,10 @@ int __sys_accept4(int fd, struct sockadd
610610 if (err < 0)
611611 goto out_fd;
@@ -617,8 +617,8 @@
617617 if (upeer_sockaddr) {
618618 len = newsock->ops->getname(newsock,
619619 (struct sockaddr *)&address, 2);
620---- linux-4.19.12.orig/net/unix/af_unix.c
621-+++ linux-4.19.12/net/unix/af_unix.c
620+--- linux-4.19.13.orig/net/unix/af_unix.c
621++++ linux-4.19.13/net/unix/af_unix.c
622622 @@ -2127,6 +2127,10 @@ static int unix_dgram_recvmsg(struct soc
623623 EPOLLOUT | EPOLLWRNORM |
624624 EPOLLWRBAND);
@@ -638,8 +638,8 @@
638638 mutex_unlock(&u->iolock);
639639 out:
640640 return err;
641---- linux-4.19.12.orig/security/Kconfig
642-+++ linux-4.19.12/security/Kconfig
641+--- linux-4.19.13.orig/security/Kconfig
642++++ linux-4.19.13/security/Kconfig
643643 @@ -276,5 +276,7 @@ config DEFAULT_SECURITY
644644 default "apparmor" if DEFAULT_SECURITY_APPARMOR
645645 default "" if DEFAULT_SECURITY_DAC
@@ -648,8 +648,8 @@
648648 +
649649 endmenu
650650
651---- linux-4.19.12.orig/security/Makefile
652-+++ linux-4.19.12/security/Makefile
651+--- linux-4.19.13.orig/security/Makefile
652++++ linux-4.19.13/security/Makefile
653653 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654654 # Object integrity file lists
655655 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -657,8 +657,8 @@
657657 +
658658 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
659659 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
660---- linux-4.19.12.orig/security/security.c
661-+++ linux-4.19.12/security/security.c
660+--- linux-4.19.13.orig/security/security.c
661++++ linux-4.19.13/security/security.c
662662 @@ -988,12 +988,19 @@ int security_file_open(struct file *file
663663
664664 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 270)
+++ trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 271)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.9.147.
1+This is TOMOYO Linux patch for kernel 4.9.148.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.147.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.148.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/Makefile | 3 ++
2929 24 files changed, 147 insertions(+), 26 deletions(-)
3030
31---- linux-4.9.147.orig/fs/exec.c
32-+++ linux-4.9.147/fs/exec.c
31+--- linux-4.9.148.orig/fs/exec.c
32++++ linux-4.9.148/fs/exec.c
3333 @@ -1660,7 +1660,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.9.147.orig/fs/open.c
43-+++ linux-4.9.147/fs/open.c
42+--- linux-4.9.148.orig/fs/open.c
43++++ linux-4.9.148/fs/open.c
4444 @@ -1151,6 +1151,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.9.147.orig/fs/proc/version.c
54-+++ linux-4.9.147/fs/proc/version.c
53+--- linux-4.9.148.orig/fs/proc/version.c
54++++ linux-4.9.148/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.9.147 2018/12/24\n");
62++ printk(KERN_INFO "Hook version: 4.9.148 2019/01/07\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.9.147.orig/include/linux/init_task.h
67-+++ linux-4.9.147/include/linux/init_task.h
66+--- linux-4.9.148.orig/include/linux/init_task.h
67++++ linux-4.9.148/include/linux/init_task.h
6868 @@ -193,6 +193,14 @@ extern struct task_group root_task_group
6969 # define INIT_TASK_TI(tsk)
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.9.147.orig/include/linux/sched.h
92-+++ linux-4.9.147/include/linux/sched.h
91+--- linux-4.9.148.orig/include/linux/sched.h
92++++ linux-4.9.148/include/linux/sched.h
9393 @@ -6,6 +6,8 @@
9494 #include <linux/sched/prio.h>
9595
@@ -110,8 +110,8 @@
110110 /* CPU-specific state of this task */
111111 struct thread_struct thread;
112112 /*
113---- linux-4.9.147.orig/include/linux/security.h
114-+++ linux-4.9.147/include/linux/security.h
113+--- linux-4.9.148.orig/include/linux/security.h
114++++ linux-4.9.148/include/linux/security.h
115115 @@ -55,6 +55,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -318,8 +318,8 @@
318318 }
319319 #endif /* CONFIG_SECURITY_PATH */
320320
321---- linux-4.9.147.orig/include/net/ip.h
322-+++ linux-4.9.147/include/net/ip.h
321+--- linux-4.9.148.orig/include/net/ip.h
322++++ linux-4.9.148/include/net/ip.h
323323 @@ -254,6 +254,8 @@ void inet_get_local_port_range(struct ne
324324 #ifdef CONFIG_SYSCTL
325325 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -338,8 +338,8 @@
338338 return 0;
339339 }
340340 #endif
341---- linux-4.9.147.orig/kernel/fork.c
342-+++ linux-4.9.147/kernel/fork.c
341+--- linux-4.9.148.orig/kernel/fork.c
342++++ linux-4.9.148/kernel/fork.c
343343 @@ -395,6 +395,7 @@ void __put_task_struct(struct task_struc
344344 delayacct_tsk_free(tsk);
345345 put_signal_struct(tsk->signal);
@@ -366,8 +366,8 @@
366366 bad_fork_cleanup_perf:
367367 perf_event_free_task(p);
368368 bad_fork_cleanup_policy:
369---- linux-4.9.147.orig/kernel/kexec.c
370-+++ linux-4.9.147/kernel/kexec.c
369+--- linux-4.9.148.orig/kernel/kexec.c
370++++ linux-4.9.148/kernel/kexec.c
371371 @@ -17,7 +17,7 @@
372372 #include <linux/syscalls.h>
373373 #include <linux/vmalloc.h>
@@ -386,8 +386,8 @@
386386
387387 /*
388388 * Verify we have a legal set of flags
389---- linux-4.9.147.orig/kernel/module.c
390-+++ linux-4.9.147/kernel/module.c
389+--- linux-4.9.148.orig/kernel/module.c
390++++ linux-4.9.148/kernel/module.c
391391 @@ -63,6 +63,7 @@
392392 #include <linux/dynamic_debug.h>
393393 #include <uapi/linux/module.h>
@@ -414,8 +414,8 @@
414414
415415 return 0;
416416 }
417---- linux-4.9.147.orig/kernel/ptrace.c
418-+++ linux-4.9.147/kernel/ptrace.c
417+--- linux-4.9.148.orig/kernel/ptrace.c
418++++ linux-4.9.148/kernel/ptrace.c
419419 @@ -1122,6 +1122,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420420 {
421421 struct task_struct *child;
@@ -440,8 +440,8 @@
440440
441441 if (request == PTRACE_TRACEME) {
442442 ret = ptrace_traceme();
443---- linux-4.9.147.orig/kernel/reboot.c
444-+++ linux-4.9.147/kernel/reboot.c
443+--- linux-4.9.148.orig/kernel/reboot.c
444++++ linux-4.9.148/kernel/reboot.c
445445 @@ -16,6 +16,7 @@
446446 #include <linux/syscalls.h>
447447 #include <linux/syscore_ops.h>
@@ -459,8 +459,8 @@
459459
460460 /*
461461 * If pid namespaces are enabled and the current task is in a child
462---- linux-4.9.147.orig/kernel/sched/core.c
463-+++ linux-4.9.147/kernel/sched/core.c
462+--- linux-4.9.148.orig/kernel/sched/core.c
463++++ linux-4.9.148/kernel/sched/core.c
464464 @@ -3813,6 +3813,8 @@ int can_nice(const struct task_struct *p
465465 SYSCALL_DEFINE1(nice, int, increment)
466466 {
@@ -470,8 +470,8 @@
470470
471471 /*
472472 * Setpriority might change our priority at the same moment.
473---- linux-4.9.147.orig/kernel/signal.c
474-+++ linux-4.9.147/kernel/signal.c
473+--- linux-4.9.148.orig/kernel/signal.c
474++++ linux-4.9.148/kernel/signal.c
475475 @@ -2868,6 +2868,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476476 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477477 {
@@ -517,8 +517,8 @@
517517
518518 return do_send_specific(tgid, pid, sig, info);
519519 }
520---- linux-4.9.147.orig/kernel/sys.c
521-+++ linux-4.9.147/kernel/sys.c
520+--- linux-4.9.148.orig/kernel/sys.c
521++++ linux-4.9.148/kernel/sys.c
522522 @@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523523
524524 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -548,8 +548,8 @@
548548
549549 errno = -EFAULT;
550550 if (!copy_from_user(tmp, name, len)) {
551---- linux-4.9.147.orig/kernel/time/ntp.c
552-+++ linux-4.9.147/kernel/time/ntp.c
551+--- linux-4.9.148.orig/kernel/time/ntp.c
552++++ linux-4.9.148/kernel/time/ntp.c
553553 @@ -17,6 +17,7 @@
554554 #include <linux/module.h>
555555 #include <linux/rtc.h>
@@ -583,8 +583,8 @@
583583
584584 if (txc->modes & ADJ_NANO) {
585585 struct timespec ts;
586---- linux-4.9.147.orig/net/ipv4/raw.c
587-+++ linux-4.9.147/net/ipv4/raw.c
586+--- linux-4.9.148.orig/net/ipv4/raw.c
587++++ linux-4.9.148/net/ipv4/raw.c
588588 @@ -744,6 +744,10 @@ static int raw_recvmsg(struct sock *sk,
589589 skb = skb_recv_datagram(sk, flags, noblock, &err);
590590 if (!skb)
@@ -596,8 +596,8 @@
596596
597597 copied = skb->len;
598598 if (len < copied) {
599---- linux-4.9.147.orig/net/ipv4/udp.c
600-+++ linux-4.9.147/net/ipv4/udp.c
599+--- linux-4.9.148.orig/net/ipv4/udp.c
600++++ linux-4.9.148/net/ipv4/udp.c
601601 @@ -1267,6 +1267,8 @@ try_again:
602602 &peeked, &off, &err);
603603 if (!skb)
@@ -607,8 +607,8 @@
607607
608608 ulen = skb->len;
609609 copied = len;
610---- linux-4.9.147.orig/net/ipv6/raw.c
611-+++ linux-4.9.147/net/ipv6/raw.c
610+--- linux-4.9.148.orig/net/ipv6/raw.c
611++++ linux-4.9.148/net/ipv6/raw.c
612612 @@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct sock *sk
613613 skb = skb_recv_datagram(sk, flags, noblock, &err);
614614 if (!skb)
@@ -620,8 +620,8 @@
620620
621621 copied = skb->len;
622622 if (copied > len) {
623---- linux-4.9.147.orig/net/ipv6/udp.c
624-+++ linux-4.9.147/net/ipv6/udp.c
623+--- linux-4.9.148.orig/net/ipv6/udp.c
624++++ linux-4.9.148/net/ipv6/udp.c
625625 @@ -348,6 +348,8 @@ try_again:
626626 &peeked, &off, &err);
627627 if (!skb)
@@ -631,8 +631,8 @@
631631
632632 ulen = skb->len;
633633 copied = len;
634---- linux-4.9.147.orig/net/socket.c
635-+++ linux-4.9.147/net/socket.c
634+--- linux-4.9.148.orig/net/socket.c
635++++ linux-4.9.148/net/socket.c
636636 @@ -1482,6 +1482,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
637637 if (err < 0)
638638 goto out_fd;
@@ -644,8 +644,8 @@
644644 if (upeer_sockaddr) {
645645 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
646646 &len, 2) < 0) {
647---- linux-4.9.147.orig/net/unix/af_unix.c
648-+++ linux-4.9.147/net/unix/af_unix.c
647+--- linux-4.9.148.orig/net/unix/af_unix.c
648++++ linux-4.9.148/net/unix/af_unix.c
649649 @@ -2150,6 +2150,10 @@ static int unix_dgram_recvmsg(struct soc
650650 POLLOUT | POLLWRNORM |
651651 POLLWRBAND);
@@ -665,8 +665,8 @@
665665 mutex_unlock(&u->iolock);
666666 out:
667667 return err;
668---- linux-4.9.147.orig/security/Kconfig
669-+++ linux-4.9.147/security/Kconfig
668+--- linux-4.9.148.orig/security/Kconfig
669++++ linux-4.9.148/security/Kconfig
670670 @@ -214,5 +214,7 @@ config DEFAULT_SECURITY
671671 default "apparmor" if DEFAULT_SECURITY_APPARMOR
672672 default "" if DEFAULT_SECURITY_DAC
@@ -675,8 +675,8 @@
675675 +
676676 endmenu
677677
678---- linux-4.9.147.orig/security/Makefile
679-+++ linux-4.9.147/security/Makefile
678+--- linux-4.9.148.orig/security/Makefile
679++++ linux-4.9.148/security/Makefile
680680 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
681681 # Object integrity file lists
682682 subdir-$(CONFIG_INTEGRITY) += integrity
--- trunk/caitsith-patch/patches/ccs-patch-5.0.diff (nonexistent)
+++ trunk/caitsith-patch/patches/ccs-patch-5.0.diff (revision 271)
@@ -0,0 +1,682 @@
1+This is TOMOYO Linux patch for kernel 5.0-rc1.
2+
3+Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.0-rc1.tar.gz
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 ++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 68 ++++++++++++++++++++++++++++------------------
10+ include/net/ip.h | 4 ++
11+ init/init_task.c | 4 ++
12+ kernel/kexec.c | 4 ++
13+ kernel/module.c | 5 +++
14+ kernel/ptrace.c | 10 ++++++
15+ kernel/reboot.c | 3 ++
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 10 ++++++
18+ kernel/sys.c | 8 +++++
19+ kernel/time/timekeeping.c | 8 +++++
20+ net/ipv4/raw.c | 4 ++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 ++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 ++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 ++
28+ security/security.c | 9 +++++-
29+ 24 files changed, 148 insertions(+), 29 deletions(-)
30+
31+--- linux-5.0-rc1.orig/fs/exec.c
32++++ linux-5.0-rc1/fs/exec.c
33+@@ -1695,7 +1695,7 @@ static int exec_binprm(struct linux_binp
34+ old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35+ rcu_read_unlock();
36+
37+- ret = search_binary_handler(bprm);
38++ ret = ccs_search_binary_handler(bprm);
39+ if (ret >= 0) {
40+ audit_bprm(bprm);
41+ trace_sched_process_exec(current, old_pid, bprm);
42+--- linux-5.0-rc1.orig/fs/open.c
43++++ linux-5.0-rc1/fs/open.c
44+@@ -1174,6 +1174,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux-5.0-rc1.orig/fs/proc/version.c
54++++ linux-5.0-rc1/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 5.0-rc1 2019/01/07\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux-5.0-rc1.orig/include/linux/sched.h
67++++ linux-5.0-rc1/include/linux/sched.h
68+@@ -35,6 +35,7 @@ struct audit_context;
69+ struct backing_dev_info;
70+ struct bio_list;
71+ struct blk_plug;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1207,6 +1208,10 @@ struct task_struct {
77+ unsigned long lowest_stack;
78+ unsigned long prev_lowest_stack;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ /*
86+ * New fields for task_struct should be added above here, so that
87+--- linux-5.0-rc1.orig/include/linux/security.h
88++++ linux-5.0-rc1/include/linux/security.h
89+@@ -53,6 +53,7 @@ struct msg_msg;
90+ struct xattr;
91+ struct xfrm_sec_ctx;
92+ struct mm_struct;
93++#include <linux/ccsecurity.h>
94+
95+ /* If capable should audit the security request */
96+ #define SECURITY_CAP_NOAUDIT 0
97+@@ -491,7 +492,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -557,18 +561,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -718,7 +722,7 @@ static inline int security_inode_setattr
132+
133+ static inline int security_inode_getattr(const struct path *path)
134+ {
135+- return 0;
136++ return ccs_inode_getattr(path);
137+ }
138+
139+ static inline int security_inode_setxattr(struct dentry *dentry,
140+@@ -804,7 +808,7 @@ static inline void security_file_free(st
141+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
142+ unsigned long arg)
143+ {
144+- return 0;
145++ return ccs_file_ioctl(file, cmd, arg);
146+ }
147+
148+ static inline int security_mmap_file(struct file *file, unsigned long prot,
149+@@ -833,7 +837,7 @@ static inline int security_file_lock(str
150+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_fcntl(file, cmd, arg);
155+ }
156+
157+ static inline void security_file_set_fowner(struct file *file)
158+@@ -855,17 +859,19 @@ static inline int security_file_receive(
159+
160+ static inline int security_file_open(struct file *file)
161+ {
162+- return 0;
163++ return ccs_file_open(file);
164+ }
165+
166+ static inline int security_task_alloc(struct task_struct *task,
167+ unsigned long clone_flags)
168+ {
169+- return 0;
170++ return ccs_alloc_task_security(task);
171+ }
172+
173+ static inline void security_task_free(struct task_struct *task)
174+-{ }
175++{
176++ ccs_free_task_security(task);
177++}
178+
179+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
180+ {
181+@@ -1237,7 +1243,7 @@ static inline int security_unix_may_send
182+ static inline int security_socket_create(int family, int type,
183+ int protocol, int kern)
184+ {
185+- return 0;
186++ return ccs_socket_create(family, type, protocol, kern);
187+ }
188+
189+ static inline int security_socket_post_create(struct socket *sock,
190+@@ -1258,19 +1264,19 @@ static inline int security_socket_bind(s
191+ struct sockaddr *address,
192+ int addrlen)
193+ {
194+- return 0;
195++ return ccs_socket_bind(sock, address, addrlen);
196+ }
197+
198+ static inline int security_socket_connect(struct socket *sock,
199+ struct sockaddr *address,
200+ int addrlen)
201+ {
202+- return 0;
203++ return ccs_socket_connect(sock, address, addrlen);
204+ }
205+
206+ static inline int security_socket_listen(struct socket *sock, int backlog)
207+ {
208+- return 0;
209++ return ccs_socket_listen(sock, backlog);
210+ }
211+
212+ static inline int security_socket_accept(struct socket *sock,
213+@@ -1282,7 +1288,7 @@ static inline int security_socket_accept
214+ static inline int security_socket_sendmsg(struct socket *sock,
215+ struct msghdr *msg, int size)
216+ {
217+- return 0;
218++ return ccs_socket_sendmsg(sock, msg, size);
219+ }
220+
221+ static inline int security_socket_recvmsg(struct socket *sock,
222+@@ -1569,42 +1575,42 @@ int security_path_chroot(const struct pa
223+ #else /* CONFIG_SECURITY_PATH */
224+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
225+ {
226+- return 0;
227++ return ccs_path_unlink(dir, dentry);
228+ }
229+
230+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
231+ umode_t mode)
232+ {
233+- return 0;
234++ return ccs_path_mkdir(dir, dentry, mode);
235+ }
236+
237+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
238+ {
239+- return 0;
240++ return ccs_path_rmdir(dir, dentry);
241+ }
242+
243+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
244+ umode_t mode, unsigned int dev)
245+ {
246+- return 0;
247++ return ccs_path_mknod(dir, dentry, mode, dev);
248+ }
249+
250+ static inline int security_path_truncate(const struct path *path)
251+ {
252+- return 0;
253++ return ccs_path_truncate(path);
254+ }
255+
256+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
257+ const char *old_name)
258+ {
259+- return 0;
260++ return ccs_path_symlink(dir, dentry, old_name);
261+ }
262+
263+ static inline int security_path_link(struct dentry *old_dentry,
264+ const struct path *new_dir,
265+ struct dentry *new_dentry)
266+ {
267+- return 0;
268++ return ccs_path_link(old_dentry, new_dir, new_dentry);
269+ }
270+
271+ static inline int security_path_rename(const struct path *old_dir,
272+@@ -1613,22 +1619,32 @@ static inline int security_path_rename(c
273+ struct dentry *new_dentry,
274+ unsigned int flags)
275+ {
276+- return 0;
277++ /*
278++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
279++ * by doing "#include <uapi/linux/fs.h>" .
280++ */
281++ if (flags & (1 << 1)) {
282++ int err = ccs_path_rename(new_dir, new_dentry, old_dir,
283++ old_dentry);
284++ if (err)
285++ return err;
286++ }
287++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry);
288+ }
289+
290+ static inline int security_path_chmod(const struct path *path, umode_t mode)
291+ {
292+- return 0;
293++ return ccs_path_chmod(path, mode);
294+ }
295+
296+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
297+ {
298+- return 0;
299++ return ccs_path_chown(path, uid, gid);
300+ }
301+
302+ static inline int security_path_chroot(const struct path *path)
303+ {
304+- return 0;
305++ return ccs_path_chroot(path);
306+ }
307+ #endif /* CONFIG_SECURITY_PATH */
308+
309+--- linux-5.0-rc1.orig/include/net/ip.h
310++++ linux-5.0-rc1/include/net/ip.h
311+@@ -302,6 +302,8 @@ void inet_get_local_port_range(struct ne
312+ #ifdef CONFIG_SYSCTL
313+ static inline int inet_is_local_reserved_port(struct net *net, int port)
314+ {
315++ if (ccs_lport_reserved(port))
316++ return 1;
317+ if (!net->ipv4.sysctl_local_reserved_ports)
318+ return 0;
319+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
320+@@ -320,6 +322,8 @@ static inline int inet_prot_sock(struct
321+ #else
322+ static inline int inet_is_local_reserved_port(struct net *net, int port)
323+ {
324++ if (ccs_lport_reserved(port))
325++ return 1;
326+ return 0;
327+ }
328+
329+--- linux-5.0-rc1.orig/init/init_task.c
330++++ linux-5.0-rc1/init/init_task.c
331+@@ -179,6 +179,10 @@ struct task_struct init_task
332+ #ifdef CONFIG_SECURITY
333+ .security = NULL,
334+ #endif
335++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
336++ .ccs_domain_info = NULL,
337++ .ccs_flags = 0,
338++#endif
339+ };
340+ EXPORT_SYMBOL(init_task);
341+
342+--- linux-5.0-rc1.orig/kernel/kexec.c
343++++ linux-5.0-rc1/kernel/kexec.c
344+@@ -18,7 +18,7 @@
345+ #include <linux/syscalls.h>
346+ #include <linux/vmalloc.h>
347+ #include <linux/slab.h>
348+-
349++#include <linux/ccsecurity.h>
350+ #include "kexec_internal.h"
351+
352+ static int copy_user_segment_list(struct kimage *image,
353+@@ -201,6 +201,8 @@ static inline int kexec_load_check(unsig
354+ /* We only trust the superuser with rebooting the system. */
355+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
356+ return -EPERM;
357++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
358++ return -EPERM;
359+
360+ /* Permit LSMs and IMA to fail the kexec */
361+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362+--- linux-5.0-rc1.orig/kernel/module.c
363++++ linux-5.0-rc1/kernel/module.c
364+@@ -66,6 +66,7 @@
365+ #include <linux/audit.h>
366+ #include <uapi/linux/module.h>
367+ #include "module-internal.h"
368++#include <linux/ccsecurity.h>
369+
370+ #define CREATE_TRACE_POINTS
371+ #include <trace/events/module.h>
372+@@ -967,6 +968,8 @@ SYSCALL_DEFINE2(delete_module, const cha
373+
374+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
375+ return -EPERM;
376++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
377++ return -EPERM;
378+
379+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380+ return -EFAULT;
381+@@ -3550,6 +3553,8 @@ static int may_init_module(void)
382+ {
383+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
384+ return -EPERM;
385++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
386++ return -EPERM;
387+
388+ return 0;
389+ }
390+--- linux-5.0-rc1.orig/kernel/ptrace.c
391++++ linux-5.0-rc1/kernel/ptrace.c
392+@@ -1111,6 +1111,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393+ {
394+ struct task_struct *child;
395+ long ret;
396++ {
397++ const int rc = ccs_ptrace_permission(request, pid);
398++ if (rc)
399++ return rc;
400++ }
401+
402+ if (request == PTRACE_TRACEME) {
403+ ret = ptrace_traceme();
404+@@ -1258,6 +1263,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
405+ {
406+ struct task_struct *child;
407+ long ret;
408++ {
409++ const int rc = ccs_ptrace_permission(request, pid);
410++ if (rc)
411++ return rc;
412++ }
413+
414+ if (request == PTRACE_TRACEME) {
415+ ret = ptrace_traceme();
416+--- linux-5.0-rc1.orig/kernel/reboot.c
417++++ linux-5.0-rc1/kernel/reboot.c
418+@@ -16,6 +16,7 @@
419+ #include <linux/syscalls.h>
420+ #include <linux/syscore_ops.h>
421+ #include <linux/uaccess.h>
422++#include <linux/ccsecurity.h>
423+
424+ /*
425+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
426+@@ -323,6 +324,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
427+ magic2 != LINUX_REBOOT_MAGIC2B &&
428+ magic2 != LINUX_REBOOT_MAGIC2C))
429+ return -EINVAL;
430++ if (!ccs_capable(CCS_SYS_REBOOT))
431++ return -EPERM;
432+
433+ /*
434+ * If pid namespaces are enabled and the current task is in a child
435+--- linux-5.0-rc1.orig/kernel/sched/core.c
436++++ linux-5.0-rc1/kernel/sched/core.c
437+@@ -3943,6 +3943,8 @@ int can_nice(const struct task_struct *p
438+ SYSCALL_DEFINE1(nice, int, increment)
439+ {
440+ long nice, retval;
441++ if (!ccs_capable(CCS_SYS_NICE))
442++ return -EPERM;
443+
444+ /*
445+ * Setpriority might change our priority at the same moment.
446+--- linux-5.0-rc1.orig/kernel/signal.c
447++++ linux-5.0-rc1/kernel/signal.c
448+@@ -3437,6 +3437,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450+ {
451+ struct kernel_siginfo info;
452++ if (ccs_kill_permission(pid, sig))
453++ return -EPERM;
454+
455+ clear_siginfo(&info);
456+ info.si_signo = sig;
457+@@ -3507,6 +3509,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
458+ /* This is only valid for single tasks */
459+ if (pid <= 0 || tgid <= 0)
460+ return -EINVAL;
461++ if (ccs_tgkill_permission(tgid, pid, sig))
462++ return -EPERM;
463+
464+ return do_tkill(tgid, pid, sig);
465+ }
466+@@ -3523,6 +3527,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
467+ /* This is only valid for single tasks */
468+ if (pid <= 0)
469+ return -EINVAL;
470++ if (ccs_tkill_permission(pid, sig))
471++ return -EPERM;
472+
473+ return do_tkill(0, pid, sig);
474+ }
475+@@ -3535,6 +3541,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
476+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
477+ (task_pid_vnr(current) != pid))
478+ return -EPERM;
479++ if (ccs_sigqueue_permission(pid, sig))
480++ return -EPERM;
481+
482+ /* POSIX.1b doesn't mention process groups. */
483+ return kill_proc_info(sig, info, pid);
484+@@ -3582,6 +3590,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
485+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
486+ (task_pid_vnr(current) != pid))
487+ return -EPERM;
488++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
489++ return -EPERM;
490+
491+ return do_send_specific(tgid, pid, sig, info);
492+ }
493+--- linux-5.0-rc1.orig/kernel/sys.c
494++++ linux-5.0-rc1/kernel/sys.c
495+@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496+
497+ if (which > PRIO_USER || which < PRIO_PROCESS)
498+ goto out;
499++ if (!ccs_capable(CCS_SYS_NICE)) {
500++ error = -EPERM;
501++ goto out;
502++ }
503+
504+ /* normalize: avoid signed division (rounding problems) */
505+ error = -ESRCH;
506+@@ -1311,6 +1315,8 @@ SYSCALL_DEFINE2(sethostname, char __user
507+
508+ if (len < 0 || len > __NEW_UTS_LEN)
509+ return -EINVAL;
510++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
511++ return -EPERM;
512+ errno = -EFAULT;
513+ if (!copy_from_user(tmp, name, len)) {
514+ struct new_utsname *u;
515+@@ -1363,6 +1369,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
516+ return -EPERM;
517+ if (len < 0 || len > __NEW_UTS_LEN)
518+ return -EINVAL;
519++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
520++ return -EPERM;
521+
522+ errno = -EFAULT;
523+ if (!copy_from_user(tmp, name, len)) {
524+--- linux-5.0-rc1.orig/kernel/time/timekeeping.c
525++++ linux-5.0-rc1/kernel/time/timekeeping.c
526+@@ -21,6 +21,7 @@
527+ #include <linux/stop_machine.h>
528+ #include <linux/pvclock_gtod.h>
529+ #include <linux/compiler.h>
530++#include <linux/ccsecurity.h>
531+
532+ #include "tick-internal.h"
533+ #include "ntp_internal.h"
534+@@ -2243,10 +2244,15 @@ static int timekeeping_validate_timex(co
535+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
536+ !capable(CAP_SYS_TIME))
537+ return -EPERM;
538++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
539++ !ccs_capable(CCS_SYS_SETTIME))
540++ return -EPERM;
541+ } else {
542+ /* In order to modify anything, you gotta be super-user! */
543+ if (txc->modes && !capable(CAP_SYS_TIME))
544+ return -EPERM;
545++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
546++ return -EPERM;
547+ /*
548+ * if the quartz is off by more than 10% then
549+ * something is VERY wrong!
550+@@ -2261,6 +2267,8 @@ static int timekeeping_validate_timex(co
551+ /* In order to inject time, you gotta be super-user! */
552+ if (!capable(CAP_SYS_TIME))
553+ return -EPERM;
554++ if (!ccs_capable(CCS_SYS_SETTIME))
555++ return -EPERM;
556+
557+ /*
558+ * Validate if a timespec/timeval used to inject a time
559+--- linux-5.0-rc1.orig/net/ipv4/raw.c
560++++ linux-5.0-rc1/net/ipv4/raw.c
561+@@ -771,6 +771,10 @@ static int raw_recvmsg(struct sock *sk,
562+ skb = skb_recv_datagram(sk, flags, noblock, &err);
563+ if (!skb)
564+ goto out;
565++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
566++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
567++ goto out;
568++ }
569+
570+ copied = skb->len;
571+ if (len < copied) {
572+--- linux-5.0-rc1.orig/net/ipv4/udp.c
573++++ linux-5.0-rc1/net/ipv4/udp.c
574+@@ -1717,6 +1717,8 @@ try_again:
575+ skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576+ if (!skb)
577+ return err;
578++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
579++ return -EAGAIN; /* Hope less harmful than -EPERM. */
580+
581+ ulen = udp_skb_len(skb);
582+ copied = len;
583+--- linux-5.0-rc1.orig/net/ipv6/raw.c
584++++ linux-5.0-rc1/net/ipv6/raw.c
585+@@ -482,6 +482,10 @@ static int rawv6_recvmsg(struct sock *sk
586+ skb = skb_recv_datagram(sk, flags, noblock, &err);
587+ if (!skb)
588+ goto out;
589++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
590++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
591++ goto out;
592++ }
593+
594+ copied = skb->len;
595+ if (copied > len) {
596+--- linux-5.0-rc1.orig/net/ipv6/udp.c
597++++ linux-5.0-rc1/net/ipv6/udp.c
598+@@ -304,6 +304,8 @@ try_again:
599+ skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600+ if (!skb)
601+ return err;
602++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
603++ return -EAGAIN; /* Hope less harmful than -EPERM. */
604+
605+ ulen = udp6_skb_len(skb);
606+ copied = len;
607+--- linux-5.0-rc1.orig/net/socket.c
608++++ linux-5.0-rc1/net/socket.c
609+@@ -1591,6 +1591,10 @@ int __sys_accept4(int fd, struct sockadd
610+ if (err < 0)
611+ goto out_fd;
612+
613++ if (ccs_socket_post_accept_permission(sock, newsock)) {
614++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
615++ goto out_fd;
616++ }
617+ if (upeer_sockaddr) {
618+ len = newsock->ops->getname(newsock,
619+ (struct sockaddr *)&address, 2);
620+--- linux-5.0-rc1.orig/net/unix/af_unix.c
621++++ linux-5.0-rc1/net/unix/af_unix.c
622+@@ -2129,6 +2129,10 @@ static int unix_dgram_recvmsg(struct soc
623+ EPOLLOUT | EPOLLWRNORM |
624+ EPOLLWRBAND);
625+
626++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
627++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
628++ goto out_unlock;
629++ }
630+ if (msg->msg_name)
631+ unix_copy_addr(msg, skb->sk);
632+
633+@@ -2179,6 +2183,7 @@ static int unix_dgram_recvmsg(struct soc
634+
635+ out_free:
636+ skb_free_datagram(sk, skb);
637++out_unlock:
638+ mutex_unlock(&u->iolock);
639+ out:
640+ return err;
641+--- linux-5.0-rc1.orig/security/Kconfig
642++++ linux-5.0-rc1/security/Kconfig
643+@@ -276,5 +276,7 @@ config DEFAULT_SECURITY
644+ default "apparmor" if DEFAULT_SECURITY_APPARMOR
645+ default "" if DEFAULT_SECURITY_DAC
646+
647++source "security/ccsecurity/Kconfig"
648++
649+ endmenu
650+
651+--- linux-5.0-rc1.orig/security/Makefile
652++++ linux-5.0-rc1/security/Makefile
653+@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654+ # Object integrity file lists
655+ subdir-$(CONFIG_INTEGRITY) += integrity
656+ obj-$(CONFIG_INTEGRITY) += integrity/
657++
658++subdir-$(CONFIG_CCSECURITY) += ccsecurity
659++obj-$(CONFIG_CCSECURITY) += ccsecurity/
660+--- linux-5.0-rc1.orig/security/security.c
661++++ linux-5.0-rc1/security/security.c
662+@@ -1012,12 +1012,19 @@ int security_file_open(struct file *file
663+
664+ int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
665+ {
666+- return call_int_hook(task_alloc, 0, task, clone_flags);
667++ int ret = ccs_alloc_task_security(task);
668++ if (ret)
669++ return ret;
670++ ret = call_int_hook(task_alloc, 0, task, clone_flags);
671++ if (ret)
672++ ccs_free_task_security(task);
673++ return ret;
674+ }
675+
676+ void security_task_free(struct task_struct *task)
677+ {
678+ call_void_hook(task_free, task);
679++ ccs_free_task_security(task);
680+ }
681+
682+ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
--- trunk/caitsith-patch/security/caitsith/internal.h (revision 270)
+++ trunk/caitsith-patch/security/caitsith/internal.h (revision 271)
@@ -62,6 +62,9 @@
6262 #include <net/udp.h>
6363 #include <linux/ctype.h>
6464 #include <linux/magic.h>
65+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
66+#include <uapi/linux/mount.h>
67+#endif
6568
6669 #ifndef current_uid
6770 #define current_uid() (current->uid)
旧リポジトリブラウザで表示