OSDN > ソフトウェアを探す > システム > オペレーティングシステムカーネル > Linux > CaitSith > SCM > SVN > コミット

CaitSith

R/O
SSH
HTTPS

caitsith: コミット

コミットメタ情報

リビジョン	291 (tree)
日時	2019-12-25 22:41:54
作者	kumaneko

ログメッセージ

(メッセージはありません)

変更サマリ

modified: tags/htdocs/index.html (diff)
modified: trunk/caitsith-patch/caitsith/permission.c (diff)
modified: trunk/caitsith-patch/caitsith/policy_io.c (diff)
modified: trunk/caitsith-patch/caitsith/realpath.c (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-2.6.32-centos-6.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-3.16.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-4.14.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-4.19.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-4.4.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-4.9.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-5.3.diff (diff)
modified: trunk/caitsith-patch/patches/ccs-patch-5.4.diff (diff)
added: trunk/caitsith-patch/patches/ccs-patch-5.5.diff (diff)
modified: trunk/caitsith-patch/security/caitsith/permission.c (diff)
modified: trunk/caitsith-patch/security/caitsith/policy_io.c (diff)
modified: trunk/caitsith-patch/security/caitsith/realpath.c (diff)
modified: trunk/caitsith-patch/specs/build-c6-2.6.32.sh (diff)
modified: trunk/caitsith-patch/specs/build-c7-3.10.sh (diff)
modified: trunk/caitsith-patch/specs/build-debian_wheezy.sh (diff)
modified: trunk/caitsith-patch/specs/build-ubuntu_12.04.sh (diff)
modified: trunk/caitsith-patch/specs/build-ubuntu_14.04.sh (diff)
modified: trunk/caitsith-patch/specs/build-vl6-4.4.sh (diff)
modified: trunk/caitsith-tools/kernel_test/caitsith_wildcard_test.c (diff)

差分

--- tags/htdocs/index.html (revision 290)

+++ tags/htdocs/index.html (revision 291)

		@@ -304,12 +304,12 @@
304	304	<p>Run the following commands in order to extract source code of CaitSith:</p>
305	305
306	306	<pre class="command">
307		-# wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz'
308		-# wget -O caitsith-patch-0.2-20191111.tar.gz.asc 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz.asc'
	307	+# wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz'
	308	+# wget -O caitsith-patch-0.2-20191225.tar.gz.asc 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz.asc'
309	309	# wget https://tomoyo.osdn.jp/kumaneko-key
310	310	# gpg --import kumaneko-key
311		-# gpg caitsith-patch-0.2-20191111.tar.gz.asc
312		-# tar -zxf caitsith-patch-0.2-20191111.tar.gz
	311	+# gpg caitsith-patch-0.2-20191225.tar.gz.asc
	312	+# tar -zxf caitsith-patch-0.2-20191225.tar.gz
313	313	</pre>
314	314
315	315	<hr>

		@@ -645,12 +645,12 @@
645	645	Also, there are several patches which can be applied to distributor's latest kernels. For example "3.10-centos-7" if using CentOS 7's latest kernel:</p>
646	646
647	647	<pre class="command">
648		-$ wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz'
649		-$ wget -O caitsith-patch-0.2-20191111.tar.gz.asc 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz.asc'
	648	+$ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz'
	649	+$ wget -O caitsith-patch-0.2-20191225.tar.gz.asc 'https://osdn.jp/frs/redir.php?m=jaist&f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz.asc'
650	650	$ wget https://tomoyo.osdn.jp/kumaneko-key
651	651	$ gpg --import kumaneko-key
652		-$ gpg caitsith-patch-0.2-20191111.tar.gz.asc
653		-$ tar -zxf caitsith-patch-0.2-20191111.tar.gz
	652	+$ gpg caitsith-patch-0.2-20191225.tar.gz.asc
	653	+$ tar -zxf caitsith-patch-0.2-20191225.tar.gz
654	654	$ sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' -- patches/ccs-patch-*.diff
655	655	$ patch -sp1 < patches/ccs-patch-$VERSION.diff
656	656	</pre>

--- trunk/caitsith-patch/caitsith/permission.c (revision 290)

+++ trunk/caitsith-patch/caitsith/permission.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "caitsith.h"

--- trunk/caitsith-patch/caitsith/policy_io.c (revision 290)

+++ trunk/caitsith-patch/caitsith/policy_io.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "caitsith.h"

		@@ -2200,7 +2200,7 @@
2200	2200	void cs_check_profile(void)
2201	2201	{
2202	2202	cs_policy_loaded = true;
2203		- printk(KERN_INFO "CaitSith (LSM): 0.2.4 2019/08/20\n");
	2203	+ printk(KERN_INFO "CaitSith (LSM): 0.2.4+ 2019/12/25\n");
2204	2204	if (cs_policy_version == 20120401) {
2205	2205	printk(KERN_INFO "CaitSith module activated.\n");
2206	2206	return;

--- trunk/caitsith-patch/caitsith/realpath.c (revision 290)

+++ trunk/caitsith-patch/caitsith/realpath.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "caitsith.h"

--- trunk/caitsith-patch/patches/ccs-patch-2.6.32-centos-6.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-2.6.32-centos-6.diff (revision 291)

		@@ -1,6 +1,6 @@
1	1	This is TOMOYO Linux patch for CentOS 6.
2	2
3		-Source code for this patch is http://vault.centos.org/centos/6/updates/Source/SPackages/kernel-2.6.32-754.24.3.el6.src.rpm
	3	+Source code for this patch is http://vault.centos.org/centos/6/updates/Source/SPackages/kernel-2.6.32-754.25.1.el6.src.rpm
4	4	---
5	5	fs/compat.c \| 2 +-
6	6	fs/compat_ioctl.c \| 3 +++

		@@ -37,8 +37,8 @@
37	37	security/Makefile \| 3 +++
38	38	33 files changed, 201 insertions(+), 2 deletions(-)
39	39
40		---- linux-2.6.32-754.24.3.el6.orig/fs/compat.c
41		-+++ linux-2.6.32-754.24.3.el6/fs/compat.c
	40	+--- linux-2.6.32-754.25.1.el6.orig/fs/compat.c
	41	++++ linux-2.6.32-754.25.1.el6/fs/compat.c
42	42	@@ -1524,7 +1524,7 @@ int compat_do_execve(const char * filena
43	43	if (retval < 0)
44	44	goto out;

		@@ -48,8 +48,8 @@
48	48	if (retval < 0)
49	49	goto out;
50	50
51		---- linux-2.6.32-754.24.3.el6.orig/fs/compat_ioctl.c
52		-+++ linux-2.6.32-754.24.3.el6/fs/compat_ioctl.c
	51	+--- linux-2.6.32-754.25.1.el6.orig/fs/compat_ioctl.c
	52	++++ linux-2.6.32-754.25.1.el6/fs/compat_ioctl.c
53	53	@@ -114,6 +114,7 @@
54	54	#ifdef CONFIG_SPARC
55	55	#include <asm/fbio.h>

		@@ -67,8 +67,8 @@
67	67	if (error)
68	68	goto out_fput;
69	69
70		---- linux-2.6.32-754.24.3.el6.orig/fs/exec.c
71		-+++ linux-2.6.32-754.24.3.el6/fs/exec.c
	70	+--- linux-2.6.32-754.25.1.el6.orig/fs/exec.c
	71	++++ linux-2.6.32-754.25.1.el6/fs/exec.c
72	72	@@ -1511,7 +1511,7 @@ int do_execve(const char * filename,
73	73	goto out;
74	74

		@@ -78,8 +78,8 @@
78	78	if (retval < 0)
79	79	goto out;
80	80
81		---- linux-2.6.32-754.24.3.el6.orig/fs/fcntl.c
82		-+++ linux-2.6.32-754.24.3.el6/fs/fcntl.c
	81	+--- linux-2.6.32-754.25.1.el6.orig/fs/fcntl.c
	82	++++ linux-2.6.32-754.25.1.el6/fs/fcntl.c
83	83	@@ -431,6 +431,8 @@ SYSCALL_DEFINE3(fcntl, unsigned int, fd,
84	84	goto out;
85	85

		@@ -98,8 +98,8 @@
98	98	if (err) {
99	99	fput(filp);
100	100	return err;
101		---- linux-2.6.32-754.24.3.el6.orig/fs/ioctl.c
102		-+++ linux-2.6.32-754.24.3.el6/fs/ioctl.c
	101	+--- linux-2.6.32-754.25.1.el6.orig/fs/ioctl.c
	102	++++ linux-2.6.32-754.25.1.el6/fs/ioctl.c
103	103	@@ -639,6 +639,8 @@ SYSCALL_DEFINE3(ioctl, unsigned int, fd,
104	104	goto out;
105	105

		@@ -109,8 +109,8 @@
109	109	if (error)
110	110	goto out_fput;
111	111
112		---- linux-2.6.32-754.24.3.el6.orig/fs/namei.c
113		-+++ linux-2.6.32-754.24.3.el6/fs/namei.c
	112	+--- linux-2.6.32-754.25.1.el6.orig/fs/namei.c
	113	++++ linux-2.6.32-754.25.1.el6/fs/namei.c
114	114	@@ -2070,6 +2070,11 @@ int may_open(struct path *path, int acc_
115	115	if (flag & O_NOATIME && !is_owner_or_cap(inode))
116	116	return -EPERM;

		@@ -198,8 +198,8 @@
198	198	if (error)
199	199	goto exit5;
200	200	error = vfs_rename(old_dir->d_inode, old_dentry,
201		---- linux-2.6.32-754.24.3.el6.orig/fs/namespace.c
202		-+++ linux-2.6.32-754.24.3.el6/fs/namespace.c
	201	+--- linux-2.6.32-754.25.1.el6.orig/fs/namespace.c
	202	++++ linux-2.6.32-754.25.1.el6/fs/namespace.c
203	203	@@ -1097,6 +1097,8 @@ static int do_umount(struct vfsmount *mn
204	204	LIST_HEAD(umount_list);
205	205

		@@ -236,8 +236,8 @@
236	236	if (error) {
237	237	path_put(&old);
238	238	goto out1;
239		---- linux-2.6.32-754.24.3.el6.orig/fs/open.c
240		-+++ linux-2.6.32-754.24.3.el6/fs/open.c
	239	+--- linux-2.6.32-754.25.1.el6.orig/fs/open.c
	240	++++ linux-2.6.32-754.25.1.el6/fs/open.c
241	241	@@ -103,6 +103,8 @@ long vfs_truncate(struct path *path, lof
242	242	error = locks_verify_truncate(inode, NULL, length);
243	243	if (!error)

		@@ -328,8 +328,8 @@
328	328	if (capable(CAP_SYS_TTY_CONFIG)) {
329	329	tty_vhangup_self();
330	330	return 0;
331		---- linux-2.6.32-754.24.3.el6.orig/fs/proc/version.c
332		-+++ linux-2.6.32-754.24.3.el6/fs/proc/version.c
	331	+--- linux-2.6.32-754.25.1.el6.orig/fs/proc/version.c
	332	++++ linux-2.6.32-754.25.1.el6/fs/proc/version.c
333	333	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
334	334	return 0;
335	335	}

		@@ -337,12 +337,12 @@
337	337	+
338	338	+static int __init ccs_show_version(void)
339	339	+{
340		-+ printk(KERN_INFO "Hook version: 2.6.32-754.24.3.el6 2019/11/16\n");
	340	++ printk(KERN_INFO "Hook version: 2.6.32-754.25.1.el6 2019/12/25\n");
341	341	+ return 0;
342	342	+}
343	343	+module_init(ccs_show_version);
344		---- linux-2.6.32-754.24.3.el6.orig/fs/stat.c
345		-+++ linux-2.6.32-754.24.3.el6/fs/stat.c
	344	+--- linux-2.6.32-754.25.1.el6.orig/fs/stat.c
	345	++++ linux-2.6.32-754.25.1.el6/fs/stat.c
346	346	@@ -43,6 +43,8 @@ int vfs_getattr(struct vfsmount *mnt, st
347	347	int retval;
348	348

		@@ -352,8 +352,8 @@
352	352	if (retval)
353	353	return retval;
354	354
355		---- linux-2.6.32-754.24.3.el6.orig/include/linux/init_task.h
356		-+++ linux-2.6.32-754.24.3.el6/include/linux/init_task.h
	355	+--- linux-2.6.32-754.25.1.el6.orig/include/linux/init_task.h
	356	++++ linux-2.6.32-754.25.1.el6/include/linux/init_task.h
357	357	@@ -123,6 +123,14 @@ extern struct cred init_cred;
358	358	# define INIT_PERF_EVENTS(tsk)
359	359	#endif

		@@ -377,8 +377,8 @@
377	377	}
378	378
379	379
380		---- linux-2.6.32-754.24.3.el6.orig/include/linux/sched.h
381		-+++ linux-2.6.32-754.24.3.el6/include/linux/sched.h
	380	+--- linux-2.6.32-754.25.1.el6.orig/include/linux/sched.h
	381	++++ linux-2.6.32-754.25.1.el6/include/linux/sched.h
382	382	@@ -43,6 +43,8 @@
383	383
384	384	#ifdef __KERNEL__

		@@ -399,8 +399,8 @@
399	399	};
400	400
401	401	/* Future-safe accessor for struct task_struct's cpus_allowed. */
402		---- linux-2.6.32-754.24.3.el6.orig/include/linux/security.h
403		-+++ linux-2.6.32-754.24.3.el6/include/linux/security.h
	402	+--- linux-2.6.32-754.25.1.el6.orig/include/linux/security.h
	403	++++ linux-2.6.32-754.25.1.el6/include/linux/security.h
404	404	@@ -35,6 +35,7 @@
405	405	#include <linux/xfrm.h>
406	406	#include <linux/gfp.h>

		@@ -409,8 +409,8 @@
409	409
410	410	/* Maximum number of letters for an LSM name string */
411	411	#define SECURITY_NAME_MAX 10
412		---- linux-2.6.32-754.24.3.el6.orig/include/net/ip.h
413		-+++ linux-2.6.32-754.24.3.el6/include/net/ip.h
	412	+--- linux-2.6.32-754.25.1.el6.orig/include/net/ip.h
	413	++++ linux-2.6.32-754.25.1.el6/include/net/ip.h
414	414	@@ -33,6 +33,7 @@
415	415	#endif
416	416	#include <net/snmp.h>

		@@ -428,8 +428,8 @@
428	428	return test_bit(port, sysctl_local_reserved_ports);
429	429	}
430	430
431		---- linux-2.6.32-754.24.3.el6.orig/kernel/compat.c
432		-+++ linux-2.6.32-754.24.3.el6/kernel/compat.c
	431	+--- linux-2.6.32-754.25.1.el6.orig/kernel/compat.c
	432	++++ linux-2.6.32-754.25.1.el6/kernel/compat.c
433	433	@@ -1005,6 +1005,8 @@ asmlinkage long compat_sys_stime(compat_
434	434	err = security_settime(&tv, NULL);
435	435	if (err)

		@@ -439,8 +439,8 @@
439	439
440	440	do_settimeofday(&tv);
441	441	return 0;
442		---- linux-2.6.32-754.24.3.el6.orig/kernel/fork.c
443		-+++ linux-2.6.32-754.24.3.el6/kernel/fork.c
	442	+--- linux-2.6.32-754.25.1.el6.orig/kernel/fork.c
	443	++++ linux-2.6.32-754.25.1.el6/kernel/fork.c
444	444	@@ -206,6 +206,7 @@ void __put_task_struct(struct task_struc
445	445	exit_creds(tsk);
446	446	delayacct_tsk_free(tsk);

		@@ -467,8 +467,8 @@
467	467	bad_fork_cleanup_perf:
468	468	perf_event_free_task(p);
469	469	bad_fork_cleanup_policy:
470		---- linux-2.6.32-754.24.3.el6.orig/kernel/kexec.c
471		-+++ linux-2.6.32-754.24.3.el6/kernel/kexec.c
	470	+--- linux-2.6.32-754.25.1.el6.orig/kernel/kexec.c
	471	++++ linux-2.6.32-754.25.1.el6/kernel/kexec.c
472	472	@@ -41,6 +41,7 @@
473	473	#include <asm/system.h>
474	474	#include <asm/sections.h>

		@@ -486,8 +486,8 @@
486	486
487	487	if (kexec_load_disabled)
488	488	return -EPERM;
489		---- linux-2.6.32-754.24.3.el6.orig/kernel/module.c
490		-+++ linux-2.6.32-754.24.3.el6/kernel/module.c
	489	+--- linux-2.6.32-754.25.1.el6.orig/kernel/module.c
	490	++++ linux-2.6.32-754.25.1.el6/kernel/module.c
491	491	@@ -57,6 +57,7 @@
492	492	#include <linux/percpu.h>
493	493	#include <linux/kmemleak.h>

		@@ -514,8 +514,8 @@
514	514
515	515	/*
516	516	* Make sure we don't speculate past the CAP_SYS_MODULE check. The
517		---- linux-2.6.32-754.24.3.el6.orig/kernel/ptrace.c
518		-+++ linux-2.6.32-754.24.3.el6/kernel/ptrace.c
	517	+--- linux-2.6.32-754.25.1.el6.orig/kernel/ptrace.c
	518	++++ linux-2.6.32-754.25.1.el6/kernel/ptrace.c
519	519	@@ -199,6 +199,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
520	520	{
521	521	struct task_struct *child;

		@@ -540,8 +540,8 @@
540	540
541	541	if (request == PTRACE_TRACEME) {
542	542	ret = ptrace_traceme();
543		---- linux-2.6.32-754.24.3.el6.orig/kernel/sched.c
544		-+++ linux-2.6.32-754.24.3.el6/kernel/sched.c
	543	+--- linux-2.6.32-754.25.1.el6.orig/kernel/sched.c
	544	++++ linux-2.6.32-754.25.1.el6/kernel/sched.c
545	545	@@ -6869,6 +6869,8 @@ int can_nice(const struct task_struct *p
546	546	SYSCALL_DEFINE1(nice, int, increment)
547	547	{

		@@ -551,8 +551,8 @@
551	551
552	552	/*
553	553	* Setpriority might change our priority at the same moment.
554		---- linux-2.6.32-754.24.3.el6.orig/kernel/signal.c
555		-+++ linux-2.6.32-754.24.3.el6/kernel/signal.c
	554	+--- linux-2.6.32-754.25.1.el6.orig/kernel/signal.c
	555	++++ linux-2.6.32-754.25.1.el6/kernel/signal.c
556	556	@@ -2316,6 +2316,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
557	557	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
558	558	{

		@@ -598,8 +598,8 @@
598	598
599	599	return do_send_specific(tgid, pid, sig, info);
600	600	}
601		---- linux-2.6.32-754.24.3.el6.orig/kernel/sys.c
602		-+++ linux-2.6.32-754.24.3.el6/kernel/sys.c
	601	+--- linux-2.6.32-754.25.1.el6.orig/kernel/sys.c
	602	++++ linux-2.6.32-754.25.1.el6/kernel/sys.c
603	603	@@ -163,6 +163,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
604	604
605	605	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -638,8 +638,8 @@
638	638
639	639	down_write(&uts_sem);
640	640	errno = -EFAULT;
641		---- linux-2.6.32-754.24.3.el6.orig/kernel/sysctl.c
642		-+++ linux-2.6.32-754.24.3.el6/kernel/sysctl.c
	641	+--- linux-2.6.32-754.25.1.el6.orig/kernel/sysctl.c
	642	++++ linux-2.6.32-754.25.1.el6/kernel/sysctl.c
643	643	@@ -2154,6 +2154,9 @@ int do_sysctl(int __user *name, int nlen
644	644
645	645	for (head = sysctl_head_next(NULL); head;

		@@ -650,8 +650,8 @@
650	650	error = parse_table(name, nlen, oldval, oldlenp,
651	651	newval, newlen,
652	652	head->root, head->ctl_table);
653		---- linux-2.6.32-754.24.3.el6.orig/kernel/time.c
654		-+++ linux-2.6.32-754.24.3.el6/kernel/time.c
	653	+--- linux-2.6.32-754.25.1.el6.orig/kernel/time.c
	654	++++ linux-2.6.32-754.25.1.el6/kernel/time.c
655	655	@@ -92,6 +92,8 @@ SYSCALL_DEFINE1(stime, time_t __user *,
656	656	err = security_settime(&tv, NULL);
657	657	if (err)

		@@ -670,8 +670,8 @@
670	670
671	671	if (tz) {
672	672	/* SMP safe, global irq locking makes it work. */
673		---- linux-2.6.32-754.24.3.el6.orig/kernel/time/ntp.c
674		-+++ linux-2.6.32-754.24.3.el6/kernel/time/ntp.c
	673	+--- linux-2.6.32-754.25.1.el6.orig/kernel/time/ntp.c
	674	++++ linux-2.6.32-754.25.1.el6/kernel/time/ntp.c
675	675	@@ -14,6 +14,7 @@
676	676	#include <linux/timex.h>
677	677	#include <linux/time.h>

		@@ -696,8 +696,8 @@
696	696
697	697	/*
698	698	* if the quartz is off by more than 10% then
699		---- linux-2.6.32-754.24.3.el6.orig/net/ipv4/raw.c
700		-+++ linux-2.6.32-754.24.3.el6/net/ipv4/raw.c
	699	+--- linux-2.6.32-754.25.1.el6.orig/net/ipv4/raw.c
	700	++++ linux-2.6.32-754.25.1.el6/net/ipv4/raw.c
701	701	@@ -77,6 +77,7 @@
702	702	#include <linux/seq_file.h>
703	703	#include <linux/netfilter.h>

		@@ -717,8 +717,8 @@
717	717
718	718	copied = skb->len;
719	719	if (len < copied) {
720		---- linux-2.6.32-754.24.3.el6.orig/net/ipv4/udp.c
721		-+++ linux-2.6.32-754.24.3.el6/net/ipv4/udp.c
	720	+--- linux-2.6.32-754.25.1.el6.orig/net/ipv4/udp.c
	721	++++ linux-2.6.32-754.25.1.el6/net/ipv4/udp.c
722	722	@@ -108,6 +108,7 @@
723	723	#include <trace/events/udp.h>
724	724	#include <net/busy_poll.h>

		@@ -738,8 +738,8 @@
738	738
739	739	ulen = skb->len - sizeof(struct udphdr);
740	740	copied = len;
741		---- linux-2.6.32-754.24.3.el6.orig/net/ipv6/raw.c
742		-+++ linux-2.6.32-754.24.3.el6/net/ipv6/raw.c
	741	+--- linux-2.6.32-754.25.1.el6.orig/net/ipv6/raw.c
	742	++++ linux-2.6.32-754.25.1.el6/net/ipv6/raw.c
743	743	@@ -59,6 +59,7 @@
744	744
745	745	#include <linux/proc_fs.h>

		@@ -759,8 +759,8 @@
759	759
760	760	copied = skb->len;
761	761	if (copied > len) {
762		---- linux-2.6.32-754.24.3.el6.orig/net/ipv6/udp.c
763		-+++ linux-2.6.32-754.24.3.el6/net/ipv6/udp.c
	762	+--- linux-2.6.32-754.25.1.el6.orig/net/ipv6/udp.c
	763	++++ linux-2.6.32-754.25.1.el6/net/ipv6/udp.c
764	764	@@ -50,6 +50,7 @@
765	765	#include <linux/proc_fs.h>
766	766	#include <linux/seq_file.h>

		@@ -780,8 +780,8 @@
780	780
781	781	ulen = skb->len - sizeof(struct udphdr);
782	782	copied = len;
783		---- linux-2.6.32-754.24.3.el6.orig/net/socket.c
784		-+++ linux-2.6.32-754.24.3.el6/net/socket.c
	783	+--- linux-2.6.32-754.25.1.el6.orig/net/socket.c
	784	++++ linux-2.6.32-754.25.1.el6/net/socket.c
785	785	@@ -579,6 +579,8 @@ static inline int __sock_sendmsg(struct
786	786	struct msghdr *msg, size_t size)
787	787	{

		@@ -842,8 +842,8 @@
842	842	if (err)
843	843	goto out_put;
844	844
845		---- linux-2.6.32-754.24.3.el6.orig/net/unix/af_unix.c
846		-+++ linux-2.6.32-754.24.3.el6/net/unix/af_unix.c
	845	+--- linux-2.6.32-754.25.1.el6.orig/net/unix/af_unix.c
	846	++++ linux-2.6.32-754.25.1.el6/net/unix/af_unix.c
847	847	@@ -984,6 +984,9 @@ static int unix_bind(struct socket *sock
848	848	mode = S_IFSOCK \|
849	849	(SOCK_INODE(sock)->i_mode & ~current_umask());

		@@ -865,8 +865,8 @@
865	865	if (msg->msg_name)
866	866	unix_copy_addr(msg, skb->sk);
867	867
868		---- linux-2.6.32-754.24.3.el6.orig/security/Kconfig
869		-+++ linux-2.6.32-754.24.3.el6/security/Kconfig
	868	+--- linux-2.6.32-754.25.1.el6.orig/security/Kconfig
	869	++++ linux-2.6.32-754.25.1.el6/security/Kconfig
870	870	@@ -188,5 +188,7 @@ source security/tomoyo/Kconfig
871	871
872	872	source security/integrity/ima/Kconfig

		@@ -875,8 +875,8 @@
875	875	+
876	876	endmenu
877	877
878		---- linux-2.6.32-754.24.3.el6.orig/security/Makefile
879		-+++ linux-2.6.32-754.24.3.el6/security/Makefile
	878	+--- linux-2.6.32-754.25.1.el6.orig/security/Makefile
	879	++++ linux-2.6.32-754.25.1.el6/security/Makefile
880	880	@@ -25,3 +25,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
881	881	# Object integrity file lists
882	882	subdir-$(CONFIG_IMA) += integrity/ima

--- trunk/caitsith-patch/patches/ccs-patch-3.16.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-3.16.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.16.78.
	1	+This is TOMOYO Linux patch for kernel 3.16.80.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.78.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.80.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -29,8 +29,8 @@
29	29	security/security.c \| 111 +++++++++++++++++++++++++++++++++++++++++-----
30	30	25 files changed, 252 insertions(+), 37 deletions(-)
31	31
32		---- linux-3.16.78.orig/fs/exec.c
33		-+++ linux-3.16.78/fs/exec.c
	32	+--- linux-3.16.80.orig/fs/exec.c
	33	++++ linux-3.16.80/fs/exec.c
34	34	@@ -1482,7 +1482,7 @@ static int exec_binprm(struct linux_binp
35	35	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
36	36	rcu_read_unlock();

		@@ -40,8 +40,8 @@
40	40	if (ret >= 0) {
41	41	audit_bprm(bprm);
42	42	trace_sched_process_exec(current, old_pid, bprm);
43		---- linux-3.16.78.orig/fs/open.c
44		-+++ linux-3.16.78/fs/open.c
	43	+--- linux-3.16.80.orig/fs/open.c
	44	++++ linux-3.16.80/fs/open.c
45	45	@@ -1069,6 +1069,8 @@ EXPORT_SYMBOL(sys_close);
46	46	*/
47	47	SYSCALL_DEFINE0(vhangup)

		@@ -51,8 +51,8 @@
51	51	if (capable(CAP_SYS_TTY_CONFIG)) {
52	52	tty_vhangup_self();
53	53	return 0;
54		---- linux-3.16.78.orig/fs/proc/version.c
55		-+++ linux-3.16.78/fs/proc/version.c
	54	+--- linux-3.16.80.orig/fs/proc/version.c
	55	++++ linux-3.16.80/fs/proc/version.c
56	56	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
57	57	return 0;
58	58	}

		@@ -60,12 +60,12 @@
60	60	+
61	61	+static int __init ccs_show_version(void)
62	62	+{
63		-+ printk(KERN_INFO "Hook version: 3.16.78 2019/11/25\n");
	63	++ printk(KERN_INFO "Hook version: 3.16.80 2019/12/24\n");
64	64	+ return 0;
65	65	+}
66	66	+fs_initcall(ccs_show_version);
67		---- linux-3.16.78.orig/include/linux/init_task.h
68		-+++ linux-3.16.78/include/linux/init_task.h
	67	+--- linux-3.16.80.orig/include/linux/init_task.h
	68	++++ linux-3.16.80/include/linux/init_task.h
69	69	@@ -164,6 +164,14 @@ extern struct task_group root_task_group
70	70	# define INIT_RT_MUTEXES(tsk)
71	71	#endif

		@@ -89,8 +89,8 @@
89	89	}
90	90
91	91
92		---- linux-3.16.78.orig/include/linux/sched.h
93		-+++ linux-3.16.78/include/linux/sched.h
	92	+--- linux-3.16.80.orig/include/linux/sched.h
	93	++++ linux-3.16.80/include/linux/sched.h
94	94	@@ -6,6 +6,8 @@
95	95	#include <linux/sched/prio.h>
96	96

		@@ -111,8 +111,8 @@
111	111	};
112	112
113	113	/* Future-safe accessor for struct task_struct's cpus_allowed. */
114		---- linux-3.16.78.orig/include/linux/security.h
115		-+++ linux-3.16.78/include/linux/security.h
	114	+--- linux-3.16.80.orig/include/linux/security.h
	115	++++ linux-3.16.80/include/linux/security.h
116	116	@@ -53,6 +53,7 @@ struct msg_queue;
117	117	struct xattr;
118	118	struct xfrm_sec_ctx;

		@@ -324,8 +324,8 @@
324	324	}
325	325	#endif /* CONFIG_SECURITY_PATH */
326	326
327		---- linux-3.16.78.orig/include/net/ip.h
328		-+++ linux-3.16.78/include/net/ip.h
	327	+--- linux-3.16.80.orig/include/net/ip.h
	328	++++ linux-3.16.80/include/net/ip.h
329	329	@@ -213,6 +213,8 @@ void inet_get_local_port_range(struct ne
330	330	#ifdef CONFIG_SYSCTL
331	331	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -344,8 +344,8 @@
344	344	return 0;
345	345	}
346	346	#endif
347		---- linux-3.16.78.orig/kernel/fork.c
348		-+++ linux-3.16.78/kernel/fork.c
	347	+--- linux-3.16.80.orig/kernel/fork.c
	348	++++ linux-3.16.80/kernel/fork.c
349	349	@@ -248,6 +248,7 @@ void __put_task_struct(struct task_struc
350	350	delayacct_tsk_free(tsk);
351	351	put_signal_struct(tsk->signal);

		@@ -372,8 +372,8 @@
372	372	bad_fork_cleanup_perf:
373	373	perf_event_free_task(p);
374	374	bad_fork_cleanup_policy:
375		---- linux-3.16.78.orig/kernel/kexec.c
376		-+++ linux-3.16.78/kernel/kexec.c
	375	+--- linux-3.16.80.orig/kernel/kexec.c
	376	++++ linux-3.16.80/kernel/kexec.c
377	377	@@ -39,6 +39,7 @@
378	378	#include <asm/uaccess.h>
379	379	#include <asm/io.h>

		@@ -391,8 +391,8 @@
391	391
392	392	/*
393	393	* Verify we have a legal set of flags
394		---- linux-3.16.78.orig/kernel/module.c
395		-+++ linux-3.16.78/kernel/module.c
	394	+--- linux-3.16.80.orig/kernel/module.c
	395	++++ linux-3.16.80/kernel/module.c
396	396	@@ -63,6 +63,7 @@
397	397	#include <linux/fips.h>
398	398	#include <uapi/linux/module.h>

		@@ -419,8 +419,8 @@
419	419
420	420	return 0;
421	421	}
422		---- linux-3.16.78.orig/kernel/ptrace.c
423		-+++ linux-3.16.78/kernel/ptrace.c
	422	+--- linux-3.16.80.orig/kernel/ptrace.c
	423	++++ linux-3.16.80/kernel/ptrace.c
424	424	@@ -1144,6 +1144,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
425	425	{
426	426	struct task_struct *child;

		@@ -445,8 +445,8 @@
445	445
446	446	if (request == PTRACE_TRACEME) {
447	447	ret = ptrace_traceme();
448		---- linux-3.16.78.orig/kernel/reboot.c
449		-+++ linux-3.16.78/kernel/reboot.c
	448	+--- linux-3.16.80.orig/kernel/reboot.c
	449	++++ linux-3.16.80/kernel/reboot.c
450	450	@@ -16,6 +16,7 @@
451	451	#include <linux/syscalls.h>
452	452	#include <linux/syscore_ops.h>

		@@ -464,8 +464,8 @@
464	464
465	465	/*
466	466	* If pid namespaces are enabled and the current task is in a child
467		---- linux-3.16.78.orig/kernel/sched/core.c
468		-+++ linux-3.16.78/kernel/sched/core.c
	467	+--- linux-3.16.80.orig/kernel/sched/core.c
	468	++++ linux-3.16.80/kernel/sched/core.c
469	469	@@ -3152,6 +3152,8 @@ int can_nice(const struct task_struct *p
470	470	SYSCALL_DEFINE1(nice, int, increment)
471	471	{

		@@ -475,8 +475,8 @@
475	475
476	476	/*
477	477	* Setpriority might change our priority at the same moment.
478		---- linux-3.16.78.orig/kernel/signal.c
479		-+++ linux-3.16.78/kernel/signal.c
	478	+--- linux-3.16.80.orig/kernel/signal.c
	479	++++ linux-3.16.80/kernel/signal.c
480	480	@@ -2952,6 +2952,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
481	481	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
482	482	{

		@@ -522,8 +522,8 @@
522	522
523	523	return do_send_specific(tgid, pid, sig, info);
524	524	}
525		---- linux-3.16.78.orig/kernel/sys.c
526		-+++ linux-3.16.78/kernel/sys.c
	525	+--- linux-3.16.80.orig/kernel/sys.c
	526	++++ linux-3.16.80/kernel/sys.c
527	527	@@ -176,6 +176,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
528	528
529	529	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -553,8 +553,8 @@
553	553
554	554	down_write(&uts_sem);
555	555	errno = -EFAULT;
556		---- linux-3.16.78.orig/kernel/time/ntp.c
557		-+++ linux-3.16.78/kernel/time/ntp.c
	556	+--- linux-3.16.80.orig/kernel/time/ntp.c
	557	++++ linux-3.16.80/kernel/time/ntp.c
558	558	@@ -16,6 +16,7 @@
559	559	#include <linux/mm.h>
560	560	#include <linux/module.h>

		@@ -588,8 +588,8 @@
588	588
589	589	/*
590	590	* Check for potential multiplication overflows that can
591		---- linux-3.16.78.orig/net/ipv4/raw.c
592		-+++ linux-3.16.78/net/ipv4/raw.c
	591	+--- linux-3.16.80.orig/net/ipv4/raw.c
	592	++++ linux-3.16.80/net/ipv4/raw.c
593	593	@@ -731,6 +731,10 @@ static int raw_recvmsg(struct kiocb *ioc
594	594	skb = skb_recv_datagram(sk, flags, noblock, &err);
595	595	if (!skb)

		@@ -601,8 +601,8 @@
601	601
602	602	copied = skb->len;
603	603	if (len < copied) {
604		---- linux-3.16.78.orig/net/ipv4/udp.c
605		-+++ linux-3.16.78/net/ipv4/udp.c
	604	+--- linux-3.16.80.orig/net/ipv4/udp.c
	605	++++ linux-3.16.80/net/ipv4/udp.c
606	606	@@ -1288,6 +1288,10 @@ try_again:
607	607	&peeked, &off, &err);
608	608	if (!skb)

		@@ -614,8 +614,8 @@
614	614
615	615	ulen = skb->len - sizeof(struct udphdr);
616	616	copied = len;
617		---- linux-3.16.78.orig/net/ipv6/raw.c
618		-+++ linux-3.16.78/net/ipv6/raw.c
	617	+--- linux-3.16.80.orig/net/ipv6/raw.c
	618	++++ linux-3.16.80/net/ipv6/raw.c
619	619	@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
620	620	skb = skb_recv_datagram(sk, flags, noblock, &err);
621	621	if (!skb)

		@@ -627,8 +627,8 @@
627	627
628	628	copied = skb->len;
629	629	if (copied > len) {
630		---- linux-3.16.78.orig/net/ipv6/udp.c
631		-+++ linux-3.16.78/net/ipv6/udp.c
	630	+--- linux-3.16.80.orig/net/ipv6/udp.c
	631	++++ linux-3.16.80/net/ipv6/udp.c
632	632	@@ -404,6 +404,10 @@ try_again:
633	633	&peeked, &off, &err);
634	634	if (!skb)

		@@ -640,8 +640,8 @@
640	640
641	641	ulen = skb->len - sizeof(struct udphdr);
642	642	copied = len;
643		---- linux-3.16.78.orig/net/socket.c
644		-+++ linux-3.16.78/net/socket.c
	643	+--- linux-3.16.80.orig/net/socket.c
	644	++++ linux-3.16.80/net/socket.c
645	645	@@ -1632,6 +1632,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
646	646	if (err < 0)
647	647	goto out_fd;

		@@ -653,8 +653,8 @@
653	653	if (upeer_sockaddr) {
654	654	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
655	655	&len, 2) < 0) {
656		---- linux-3.16.78.orig/net/unix/af_unix.c
657		-+++ linux-3.16.78/net/unix/af_unix.c
	656	+--- linux-3.16.80.orig/net/unix/af_unix.c
	657	++++ linux-3.16.80/net/unix/af_unix.c
658	658	@@ -1981,6 +1981,10 @@ static int unix_dgram_recvmsg(struct kio
659	659	wake_up_interruptible_sync_poll(&u->peer_wait,
660	660	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -666,8 +666,8 @@
666	666	if (msg->msg_name)
667	667	unix_copy_addr(msg, skb->sk);
668	668
669		---- linux-3.16.78.orig/security/Kconfig
670		-+++ linux-3.16.78/security/Kconfig
	669	+--- linux-3.16.80.orig/security/Kconfig
	670	++++ linux-3.16.80/security/Kconfig
671	671	@@ -177,5 +177,7 @@ config DEFAULT_SECURITY
672	672	default "yama" if DEFAULT_SECURITY_YAMA
673	673	default "" if DEFAULT_SECURITY_DAC

		@@ -676,8 +676,8 @@
676	676	+
677	677	endmenu
678	678
679		---- linux-3.16.78.orig/security/Makefile
680		-+++ linux-3.16.78/security/Makefile
	679	+--- linux-3.16.80.orig/security/Makefile
	680	++++ linux-3.16.80/security/Makefile
681	681	@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
682	682	# Object integrity file lists
683	683	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -685,8 +685,8 @@
685	685	+
686	686	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
687	687	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
688		---- linux-3.16.78.orig/security/security.c
689		-+++ linux-3.16.78/security/security.c
	688	+--- linux-3.16.80.orig/security/security.c
	689	++++ linux-3.16.80/security/security.c
690	690	@@ -203,7 +203,10 @@ int security_syslog(int type)
691	691
692	692	int security_settime(const struct timespec ts, const struct timezone tz)

--- trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 4.14.158.
	1	+This is TOMOYO Linux patch for kernel 4.14.160.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.158.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.160.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/security.c \| 9 +++++-
29	29	24 files changed, 153 insertions(+), 29 deletions(-)
30	30
31		---- linux-4.14.158.orig/fs/exec.c
32		-+++ linux-4.14.158/fs/exec.c
	31	+--- linux-4.14.160.orig/fs/exec.c
	32	++++ linux-4.14.160/fs/exec.c
33	33	@@ -1677,7 +1677,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-4.14.158.orig/fs/open.c
43		-+++ linux-4.14.158/fs/open.c
	42	+--- linux-4.14.160.orig/fs/open.c
	43	++++ linux-4.14.160/fs/open.c
44	44	@@ -1196,6 +1196,8 @@ EXPORT_SYMBOL(sys_close);
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-4.14.158.orig/fs/proc/version.c
54		-+++ linux-4.14.158/fs/proc/version.c
	53	+--- linux-4.14.160.orig/fs/proc/version.c
	54	++++ linux-4.14.160/fs/proc/version.c
55	55	@@ -33,3 +33,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 4.14.158 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 4.14.160 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-4.14.158.orig/include/linux/init_task.h
67		-+++ linux-4.14.158/include/linux/init_task.h
	66	+--- linux-4.14.160.orig/include/linux/init_task.h
	67	++++ linux-4.14.160/include/linux/init_task.h
68	68	@@ -219,6 +219,14 @@ extern struct cred init_cred;
69	69	#define INIT_TASK_SECURITY
70	70	#endif

		@@ -88,8 +88,8 @@
88	88	}
89	89
90	90
91		---- linux-4.14.158.orig/include/linux/sched.h
92		-+++ linux-4.14.158/include/linux/sched.h
	91	+--- linux-4.14.160.orig/include/linux/sched.h
	92	++++ linux-4.14.160/include/linux/sched.h
93	93	@@ -33,6 +33,7 @@ struct audit_context;
94	94	struct backing_dev_info;
95	95	struct bio_list;

		@@ -109,8 +109,8 @@
109	109
110	110	/*
111	111	* New fields for task_struct should be added above here, so that
112		---- linux-4.14.158.orig/include/linux/security.h
113		-+++ linux-4.14.158/include/linux/security.h
	112	+--- linux-4.14.160.orig/include/linux/security.h
	113	++++ linux-4.14.160/include/linux/security.h
114	114	@@ -56,6 +56,7 @@ struct msg_queue;
115	115	struct xattr;
116	116	struct xfrm_sec_ctx;

		@@ -331,8 +331,8 @@
331	331	}
332	332	#endif /* CONFIG_SECURITY_PATH */
333	333
334		---- linux-4.14.158.orig/include/net/ip.h
335		-+++ linux-4.14.158/include/net/ip.h
	334	+--- linux-4.14.160.orig/include/net/ip.h
	335	++++ linux-4.14.160/include/net/ip.h
336	336	@@ -266,6 +266,8 @@ void inet_get_local_port_range(struct ne
337	337	#ifdef CONFIG_SYSCTL
338	338	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -351,8 +351,8 @@
351	351	return 0;
352	352	}
353	353
354		---- linux-4.14.158.orig/kernel/kexec.c
355		-+++ linux-4.14.158/kernel/kexec.c
	354	+--- linux-4.14.160.orig/kernel/kexec.c
	355	++++ linux-4.14.160/kernel/kexec.c
356	356	@@ -17,7 +17,7 @@
357	357	#include <linux/syscalls.h>
358	358	#include <linux/vmalloc.h>

		@@ -371,8 +371,8 @@
371	371
372	372	/*
373	373	* Verify we have a legal set of flags
374		---- linux-4.14.158.orig/kernel/module.c
375		-+++ linux-4.14.158/kernel/module.c
	374	+--- linux-4.14.160.orig/kernel/module.c
	375	++++ linux-4.14.160/kernel/module.c
376	376	@@ -66,6 +66,7 @@
377	377	#include <linux/audit.h>
378	378	#include <uapi/linux/module.h>

		@@ -390,7 +390,7 @@
390	390
391	391	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
392	392	return -EFAULT;
393		-@@ -3551,6 +3554,8 @@ static int may_init_module(void)
	393	+@@ -3553,6 +3556,8 @@ static int may_init_module(void)
394	394	{
395	395	if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
396	396	return -EPERM;

		@@ -399,8 +399,8 @@
399	399
400	400	return 0;
401	401	}
402		---- linux-4.14.158.orig/kernel/ptrace.c
403		-+++ linux-4.14.158/kernel/ptrace.c
	402	+--- linux-4.14.160.orig/kernel/ptrace.c
	403	++++ linux-4.14.160/kernel/ptrace.c
404	404	@@ -1148,6 +1148,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
405	405	{
406	406	struct task_struct *child;

		@@ -425,8 +425,8 @@
425	425
426	426	if (request == PTRACE_TRACEME) {
427	427	ret = ptrace_traceme();
428		---- linux-4.14.158.orig/kernel/reboot.c
429		-+++ linux-4.14.158/kernel/reboot.c
	428	+--- linux-4.14.160.orig/kernel/reboot.c
	429	++++ linux-4.14.160/kernel/reboot.c
430	430	@@ -16,6 +16,7 @@
431	431	#include <linux/syscalls.h>
432	432	#include <linux/syscore_ops.h>

		@@ -444,8 +444,8 @@
444	444
445	445	/*
446	446	* If pid namespaces are enabled and the current task is in a child
447		---- linux-4.14.158.orig/kernel/sched/core.c
448		-+++ linux-4.14.158/kernel/sched/core.c
	447	+--- linux-4.14.160.orig/kernel/sched/core.c
	448	++++ linux-4.14.160/kernel/sched/core.c
449	449	@@ -3855,6 +3855,8 @@ int can_nice(const struct task_struct *p
450	450	SYSCALL_DEFINE1(nice, int, increment)
451	451	{

		@@ -455,8 +455,8 @@
455	455
456	456	/*
457	457	* Setpriority might change our priority at the same moment.
458		---- linux-4.14.158.orig/kernel/signal.c
459		-+++ linux-4.14.158/kernel/signal.c
	458	+--- linux-4.14.160.orig/kernel/signal.c
	459	++++ linux-4.14.160/kernel/signal.c
460	460	@@ -3032,6 +3032,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
461	461	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
462	462	{

		@@ -502,8 +502,8 @@
502	502
503	503	return do_send_specific(tgid, pid, sig, info);
504	504	}
505		---- linux-4.14.158.orig/kernel/sys.c
506		-+++ linux-4.14.158/kernel/sys.c
	505	+--- linux-4.14.160.orig/kernel/sys.c
	506	++++ linux-4.14.160/kernel/sys.c
507	507	@@ -193,6 +193,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
508	508
509	509	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -533,8 +533,8 @@
533	533
534	534	errno = -EFAULT;
535	535	if (!copy_from_user(tmp, name, len)) {
536		---- linux-4.14.158.orig/kernel/time/ntp.c
537		-+++ linux-4.14.158/kernel/time/ntp.c
	536	+--- linux-4.14.160.orig/kernel/time/ntp.c
	537	++++ linux-4.14.160/kernel/time/ntp.c
538	538	@@ -18,6 +18,7 @@
539	539	#include <linux/module.h>
540	540	#include <linux/rtc.h>

		@@ -568,8 +568,8 @@
568	568
569	569	if (txc->modes & ADJ_NANO) {
570	570	struct timespec ts;
571		---- linux-4.14.158.orig/net/ipv4/raw.c
572		-+++ linux-4.14.158/net/ipv4/raw.c
	571	+--- linux-4.14.160.orig/net/ipv4/raw.c
	572	++++ linux-4.14.160/net/ipv4/raw.c
573	573	@@ -766,6 +766,10 @@ static int raw_recvmsg(struct sock *sk,
574	574	skb = skb_recv_datagram(sk, flags, noblock, &err);
575	575	if (!skb)

		@@ -581,8 +581,8 @@
581	581
582	582	copied = skb->len;
583	583	if (len < copied) {
584		---- linux-4.14.158.orig/net/ipv4/udp.c
585		-+++ linux-4.14.158/net/ipv4/udp.c
	584	+--- linux-4.14.160.orig/net/ipv4/udp.c
	585	++++ linux-4.14.160/net/ipv4/udp.c
586	586	@@ -1608,6 +1608,8 @@ try_again:
587	587	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
588	588	if (!skb)

		@@ -592,8 +592,8 @@
592	592
593	593	ulen = udp_skb_len(skb);
594	594	copied = len;
595		---- linux-4.14.158.orig/net/ipv6/raw.c
596		-+++ linux-4.14.158/net/ipv6/raw.c
	595	+--- linux-4.14.160.orig/net/ipv6/raw.c
	596	++++ linux-4.14.160/net/ipv6/raw.c
597	597	@@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
598	598	skb = skb_recv_datagram(sk, flags, noblock, &err);
599	599	if (!skb)

		@@ -605,8 +605,8 @@
605	605
606	606	copied = skb->len;
607	607	if (copied > len) {
608		---- linux-4.14.158.orig/net/ipv6/udp.c
609		-+++ linux-4.14.158/net/ipv6/udp.c
	608	+--- linux-4.14.160.orig/net/ipv6/udp.c
	609	++++ linux-4.14.160/net/ipv6/udp.c
610	610	@@ -371,6 +371,8 @@ try_again:
611	611	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
612	612	if (!skb)

		@@ -616,8 +616,8 @@
616	616
617	617	ulen = udp6_skb_len(skb);
618	618	copied = len;
619		---- linux-4.14.158.orig/net/socket.c
620		-+++ linux-4.14.158/net/socket.c
	619	+--- linux-4.14.160.orig/net/socket.c
	620	++++ linux-4.14.160/net/socket.c
621	621	@@ -1588,6 +1588,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
622	622	if (err < 0)
623	623	goto out_fd;

		@@ -629,8 +629,8 @@
629	629	if (upeer_sockaddr) {
630	630	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
631	631	&len, 2) < 0) {
632		---- linux-4.14.158.orig/net/unix/af_unix.c
633		-+++ linux-4.14.158/net/unix/af_unix.c
	632	+--- linux-4.14.160.orig/net/unix/af_unix.c
	633	++++ linux-4.14.160/net/unix/af_unix.c
634	634	@@ -2143,6 +2143,10 @@ static int unix_dgram_recvmsg(struct soc
635	635	POLLOUT \| POLLWRNORM \|
636	636	POLLWRBAND);

		@@ -650,8 +650,8 @@
650	650	mutex_unlock(&u->iolock);
651	651	out:
652	652	return err;
653		---- linux-4.14.158.orig/security/Kconfig
654		-+++ linux-4.14.158/security/Kconfig
	653	+--- linux-4.14.160.orig/security/Kconfig
	654	++++ linux-4.14.160/security/Kconfig
655	655	@@ -263,5 +263,7 @@ config DEFAULT_SECURITY
656	656	default "apparmor" if DEFAULT_SECURITY_APPARMOR
657	657	default "" if DEFAULT_SECURITY_DAC

		@@ -660,8 +660,8 @@
660	660	+
661	661	endmenu
662	662
663		---- linux-4.14.158.orig/security/Makefile
664		-+++ linux-4.14.158/security/Makefile
	663	+--- linux-4.14.160.orig/security/Makefile
	664	++++ linux-4.14.160/security/Makefile
665	665	@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
666	666	# Object integrity file lists
667	667	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -669,8 +669,8 @@
669	669	+
670	670	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
671	671	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
672		---- linux-4.14.158.orig/security/security.c
673		-+++ linux-4.14.158/security/security.c
	672	+--- linux-4.14.160.orig/security/security.c
	673	++++ linux-4.14.160/security/security.c
674	674	@@ -978,12 +978,19 @@ int security_file_open(struct file *file
675	675
676	676	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)

--- trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (revision 291)

		@@ -1,6 +1,6 @@
1	1	This is TOMOYO Linux patch for CentOS 8.
2	2
3		-Source code for this patch is http://vault.centos.org/centos/8/BaseOS/Source/SPackages/kernel-4.18.0-80.11.2.el8_0.src.rpm
	3	+Source code for this patch is kernel-4.18.0-147.0.3.el7.src.rpm
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,9 +28,9 @@
28	28	security/security.c \| 9 +++++-
29	29	24 files changed, 148 insertions(+), 29 deletions(-)
30	30
31		---- linux-4.18.0-80.11.2.el8.orig/fs/exec.c
32		-+++ linux-4.18.0-80.11.2.el8/fs/exec.c
33		-@@ -1691,7 +1691,7 @@ static int exec_binprm(struct linux_binp
	31	+--- linux-4.18.0-147.0.3.el8.orig/fs/exec.c
	32	++++ linux-4.18.0-147.0.3.el8/fs/exec.c
	33	+@@ -1692,7 +1692,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();
36	36

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-4.18.0-80.11.2.el8.orig/fs/open.c
43		-+++ linux-4.18.0-80.11.2.el8/fs/open.c
	42	+--- linux-4.18.0-147.0.3.el8.orig/fs/open.c
	43	++++ linux-4.18.0-147.0.3.el8/fs/open.c
44	44	@@ -1180,6 +1180,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-4.18.0-80.11.2.el8.orig/fs/proc/version.c
54		-+++ linux-4.18.0-80.11.2.el8/fs/proc/version.c
	53	+--- linux-4.18.0-147.0.3.el8.orig/fs/proc/version.c
	54	++++ linux-4.18.0-147.0.3.el8/fs/proc/version.c
55	55	@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 4.18.0-80.11.2.el8 2019/11/22\n");
	62	++ printk(KERN_INFO "Hook version: 4.18.0-147.0.3.el8 2019/12/25\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-4.18.0-80.11.2.el8.orig/include/linux/sched.h
67		-+++ linux-4.18.0-80.11.2.el8/include/linux/sched.h
	66	+--- linux-4.18.0-147.0.3.el8.orig/include/linux/sched.h
	67	++++ linux-4.18.0-147.0.3.el8/include/linux/sched.h
68	68	@@ -35,6 +35,7 @@ struct audit_context;
69	69	struct backing_dev_info;
70	70	struct bio_list;

		@@ -73,7 +73,7 @@
73	73	struct cfs_rq;
74	74	struct fs_struct;
75	75	struct futex_pi_state;
76		-@@ -1189,6 +1190,10 @@ struct task_struct {
	76	+@@ -1223,6 +1224,10 @@ struct task_struct {
77	77	/* Used by LSM modules for access restriction: */
78	78	void *security;
79	79	#endif

		@@ -84,10 +84,10 @@
84	84
85	85	/*
86	86	* New fields for task_struct should be added above here, so that
87		---- linux-4.18.0-80.11.2.el8.orig/include/linux/security.h
88		-+++ linux-4.18.0-80.11.2.el8/include/linux/security.h
89		-@@ -53,6 +53,7 @@ struct msg_msg;
90		- struct xattr;
	87	+--- linux-4.18.0-147.0.3.el8.orig/include/linux/security.h
	88	++++ linux-4.18.0-147.0.3.el8/include/linux/security.h
	89	+@@ -54,6 +54,7 @@ struct xattr;
	90	+ struct kernfs_node;
91	91	struct xfrm_sec_ctx;
92	92	struct mm_struct;
93	93	+#include <linux/ccsecurity.h>

		@@ -94,7 +94,7 @@
94	94
95	95	/* If capable should audit the security request */
96	96	#define SECURITY_CAP_NOAUDIT 0
97		-@@ -499,7 +500,10 @@ static inline int security_syslog(int ty
	97	+@@ -502,7 +503,10 @@ static inline int security_syslog(int ty
98	98	static inline int security_settime64(const struct timespec64 *ts,
99	99	const struct timezone *tz)
100	100	{

		@@ -106,7 +106,7 @@
106	106	}
107	107
108	108	static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109		-@@ -563,18 +567,18 @@ static inline int security_sb_mount(cons
	109	+@@ -566,18 +570,18 @@ static inline int security_sb_mount(cons
110	110	const char *type, unsigned long flags,
111	111	void *data)
112	112	{

		@@ -128,7 +128,7 @@
128	128	}
129	129
130	130	static inline int security_sb_set_mnt_opts(struct super_block *sb,
131		-@@ -723,7 +727,7 @@ static inline int security_inode_setattr
	131	+@@ -726,7 +730,7 @@ static inline int security_inode_setattr
132	132
133	133	static inline int security_inode_getattr(const struct path *path)
134	134	{

		@@ -137,7 +137,7 @@
137	137	}
138	138
139	139	static inline int security_inode_setxattr(struct dentry *dentry,
140		-@@ -809,7 +813,7 @@ static inline void security_file_free(st
	140	+@@ -818,7 +822,7 @@ static inline void security_file_free(st
141	141	static inline int security_file_ioctl(struct file *file, unsigned int cmd,
142	142	unsigned long arg)
143	143	{

		@@ -146,7 +146,7 @@
146	146	}
147	147
148	148	static inline int security_mmap_file(struct file *file, unsigned long prot,
149		-@@ -838,7 +842,7 @@ static inline int security_file_lock(str
	149	+@@ -847,7 +851,7 @@ static inline int security_file_lock(str
150	150	static inline int security_file_fcntl(struct file *file, unsigned int cmd,
151	151	unsigned long arg)
152	152	{

		@@ -155,7 +155,7 @@
155	155	}
156	156
157	157	static inline void security_file_set_fowner(struct file *file)
158		-@@ -860,17 +864,19 @@ static inline int security_file_receive(
	158	+@@ -869,17 +873,19 @@ static inline int security_file_receive(
159	159
160	160	static inline int security_file_open(struct file *file)
161	161	{

		@@ -178,7 +178,7 @@
178	178
179	179	static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
180	180	{
181		-@@ -1237,7 +1243,7 @@ static inline int security_unix_may_send
	181	+@@ -1246,7 +1252,7 @@ static inline int security_unix_may_send
182	182	static inline int security_socket_create(int family, int type,
183	183	int protocol, int kern)
184	184	{

		@@ -187,7 +187,7 @@
187	187	}
188	188
189	189	static inline int security_socket_post_create(struct socket *sock,
190		-@@ -1258,19 +1264,19 @@ static inline int security_socket_bind(s
	190	+@@ -1267,19 +1273,19 @@ static inline int security_socket_bind(s
191	191	struct sockaddr *address,
192	192	int addrlen)
193	193	{

		@@ -210,7 +210,7 @@
210	210	}
211	211
212	212	static inline int security_socket_accept(struct socket *sock,
213		-@@ -1282,7 +1288,7 @@ static inline int security_socket_accept
	213	+@@ -1291,7 +1297,7 @@ static inline int security_socket_accept
214	214	static inline int security_socket_sendmsg(struct socket *sock,
215	215	struct msghdr *msg, int size)
216	216	{

		@@ -219,7 +219,7 @@
219	219	}
220	220
221	221	static inline int security_socket_recvmsg(struct socket *sock,
222		-@@ -1569,42 +1575,42 @@ int security_path_chroot(const struct pa
	222	+@@ -1578,42 +1584,42 @@ int security_path_chroot(const struct pa
223	223	#else /* CONFIG_SECURITY_PATH */
224	224	static inline int security_path_unlink(const struct path dir, struct dentry dentry)
225	225	{

		@@ -269,7 +269,7 @@
269	269	}
270	270
271	271	static inline int security_path_rename(const struct path *old_dir,
272		-@@ -1613,22 +1619,32 @@ static inline int security_path_rename(c
	272	+@@ -1622,22 +1628,32 @@ static inline int security_path_rename(c
273	273	struct dentry *new_dentry,
274	274	unsigned int flags)
275	275	{

		@@ -306,9 +306,9 @@
306	306	}
307	307	#endif /* CONFIG_SECURITY_PATH */
308	308
309		---- linux-4.18.0-80.11.2.el8.orig/include/net/ip.h
310		-+++ linux-4.18.0-80.11.2.el8/include/net/ip.h
311		-@@ -278,6 +278,8 @@ void inet_get_local_port_range(struct ne
	309	+--- linux-4.18.0-147.0.3.el8.orig/include/net/ip.h
	310	++++ linux-4.18.0-147.0.3.el8/include/net/ip.h
	311	+@@ -285,6 +285,8 @@ void inet_get_local_port_range(struct ne
312	312	#ifdef CONFIG_SYSCTL
313	313	static inline int inet_is_local_reserved_port(struct net *net, int port)
314	314	{

		@@ -317,7 +317,7 @@
317	317	if (!net->ipv4.sysctl_local_reserved_ports)
318	318	return 0;
319	319	return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
320		-@@ -296,6 +298,8 @@ static inline int inet_prot_sock(struct
	320	+@@ -303,6 +305,8 @@ static inline int inet_prot_sock(struct
321	321	#else
322	322	static inline int inet_is_local_reserved_port(struct net *net, int port)
323	323	{

		@@ -326,9 +326,9 @@
326	326	return 0;
327	327	}
328	328
329		---- linux-4.18.0-80.11.2.el8.orig/init/init_task.c
330		-+++ linux-4.18.0-80.11.2.el8/init/init_task.c
331		-@@ -176,6 +176,10 @@ struct task_struct init_task
	329	+--- linux-4.18.0-147.0.3.el8.orig/init/init_task.c
	330	++++ linux-4.18.0-147.0.3.el8/init/init_task.c
	331	+@@ -181,6 +181,10 @@ struct task_struct init_task
332	332	#ifdef CONFIG_SECURITY
333	333	.security = NULL,
334	334	#endif

		@@ -339,8 +339,8 @@
339	339	};
340	340	EXPORT_SYMBOL(init_task);
341	341
342		---- linux-4.18.0-80.11.2.el8.orig/kernel/kexec.c
343		-+++ linux-4.18.0-80.11.2.el8/kernel/kexec.c
	342	+--- linux-4.18.0-147.0.3.el8.orig/kernel/kexec.c
	343	++++ linux-4.18.0-147.0.3.el8/kernel/kexec.c
344	344	@@ -17,7 +17,7 @@
345	345	#include <linux/syscalls.h>
346	346	#include <linux/vmalloc.h>

		@@ -359,8 +359,8 @@
359	359
360	360	/*
361	361	* kexec can be used to circumvent module loading restrictions, so
362		---- linux-4.18.0-80.11.2.el8.orig/kernel/module.c
363		-+++ linux-4.18.0-80.11.2.el8/kernel/module.c
	362	+--- linux-4.18.0-147.0.3.el8.orig/kernel/module.c
	363	++++ linux-4.18.0-147.0.3.el8/kernel/module.c
364	364	@@ -66,6 +66,7 @@
365	365	#include <linux/audit.h>
366	366	#include <uapi/linux/module.h>

		@@ -378,7 +378,7 @@
378	378
379	379	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380	380	return -EFAULT;
381		-@@ -3551,6 +3554,8 @@ static int may_init_module(void)
	381	+@@ -3555,6 +3558,8 @@ static int may_init_module(void)
382	382	{
383	383	if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
384	384	return -EPERM;

		@@ -387,9 +387,9 @@
387	387
388	388	return 0;
389	389	}
390		---- linux-4.18.0-80.11.2.el8.orig/kernel/ptrace.c
391		-+++ linux-4.18.0-80.11.2.el8/kernel/ptrace.c
392		-@@ -1110,6 +1110,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
	390	+--- linux-4.18.0-147.0.3.el8.orig/kernel/ptrace.c
	391	++++ linux-4.18.0-147.0.3.el8/kernel/ptrace.c
	392	+@@ -1109,6 +1109,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393	393	{
394	394	struct task_struct *child;
395	395	long ret;

		@@ -401,7 +401,7 @@
401	401
402	402	if (request == PTRACE_TRACEME) {
403	403	ret = ptrace_traceme();
404		-@@ -1258,6 +1263,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
	404	+@@ -1256,6 +1261,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
405	405	{
406	406	struct task_struct *child;
407	407	long ret;

		@@ -413,8 +413,8 @@
413	413
414	414	if (request == PTRACE_TRACEME) {
415	415	ret = ptrace_traceme();
416		---- linux-4.18.0-80.11.2.el8.orig/kernel/reboot.c
417		-+++ linux-4.18.0-80.11.2.el8/kernel/reboot.c
	416	+--- linux-4.18.0-147.0.3.el8.orig/kernel/reboot.c
	417	++++ linux-4.18.0-147.0.3.el8/kernel/reboot.c
418	418	@@ -16,6 +16,7 @@
419	419	#include <linux/syscalls.h>
420	420	#include <linux/syscore_ops.h>

		@@ -432,9 +432,9 @@
432	432
433	433	/*
434	434	* If pid namespaces are enabled and the current task is in a child
435		---- linux-4.18.0-80.11.2.el8.orig/kernel/sched/core.c
436		-+++ linux-4.18.0-80.11.2.el8/kernel/sched/core.c
437		-@@ -3979,6 +3979,8 @@ int can_nice(const struct task_struct *p
	435	+--- linux-4.18.0-147.0.3.el8.orig/kernel/sched/core.c
	436	++++ linux-4.18.0-147.0.3.el8/kernel/sched/core.c
	437	+@@ -3968,6 +3968,8 @@ int can_nice(const struct task_struct *p
438	438	SYSCALL_DEFINE1(nice, int, increment)
439	439	{
440	440	long nice, retval;

		@@ -443,18 +443,18 @@
443	443
444	444	/*
445	445	* Setpriority might change our priority at the same moment.
446		---- linux-4.18.0-80.11.2.el8.orig/kernel/signal.c
447		-+++ linux-4.18.0-80.11.2.el8/kernel/signal.c
448		-@@ -3167,6 +3167,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449		- SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
	446	+--- linux-4.18.0-147.0.3.el8.orig/kernel/signal.c
	447	++++ linux-4.18.0-147.0.3.el8/kernel/signal.c
	448	+@@ -3413,6 +3413,8 @@ SYSCALL_DEFINE2(kill, pid_t, pid, int, s
450	449	{
451		- struct siginfo info;
	450	+ struct kernel_siginfo info;
	451	+
452	452	+ if (ccs_kill_permission(pid, sig))
453	453	+ return -EPERM;
454		-
455	454	clear_siginfo(&info);
456	455	info.si_signo = sig;
457		-@@ -3237,6 +3239,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
	456	+ info.si_errno = 0;
	457	+@@ -3482,6 +3484,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
458	458	/* This is only valid for single tasks */
459	459	if (pid <= 0 \|\| tgid <= 0)
460	460	return -EINVAL;

		@@ -463,7 +463,7 @@
463	463
464	464	return do_tkill(tgid, pid, sig);
465	465	}
466		-@@ -3253,6 +3257,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
	466	+@@ -3498,6 +3502,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
467	467	/* This is only valid for single tasks */
468	468	if (pid <= 0)
469	469	return -EINVAL;

		@@ -472,26 +472,26 @@
472	472
473	473	return do_tkill(0, pid, sig);
474	474	}
475		-@@ -3267,6 +3273,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
	475	+@@ -3511,6 +3517,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
	476	+ (task_pid_vnr(current) != pid))
476	477	return -EPERM;
477	478
478		- info->si_signo = sig;
479	479	+ if (ccs_sigqueue_permission(pid, sig))
480	480	+ return -EPERM;
481		-
482	481	/* POSIX.1b doesn't mention process groups. */
483	482	return kill_proc_info(sig, info, pid);
484		-@@ -3315,6 +3323,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
	483	+ }
	484	+@@ -3558,6 +3566,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
	485	+ (task_pid_vnr(current) != pid))
485	486	return -EPERM;
486	487
487		- info->si_signo = sig;
488	488	+ if (ccs_tgsigqueue_permission(tgid, pid, sig))
489	489	+ return -EPERM;
490		-
491	490	return do_send_specific(tgid, pid, sig, info);
492	491	}
493		---- linux-4.18.0-80.11.2.el8.orig/kernel/sys.c
494		-+++ linux-4.18.0-80.11.2.el8/kernel/sys.c
	492	+
	493	+--- linux-4.18.0-147.0.3.el8.orig/kernel/sys.c
	494	++++ linux-4.18.0-147.0.3.el8/kernel/sys.c
495	495	@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496	496
497	497	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -521,17 +521,17 @@
521	521
522	522	down_write(&uts_sem);
523	523	errno = -EFAULT;
524		---- linux-4.18.0-80.11.2.el8.orig/kernel/time/timekeeping.c
525		-+++ linux-4.18.0-80.11.2.el8/kernel/time/timekeeping.c
526		-@@ -25,6 +25,7 @@
527		- #include <linux/stop_machine.h>
	524	+--- linux-4.18.0-147.0.3.el8.orig/kernel/time/timekeeping.c
	525	++++ linux-4.18.0-147.0.3.el8/kernel/time/timekeeping.c
	526	+@@ -26,6 +26,7 @@
528	527	#include <linux/pvclock_gtod.h>
529	528	#include <linux/compiler.h>
	529	+ #include <linux/audit.h>
530	530	+#include <linux/ccsecurity.h>
531	531
532	532	#include "tick-internal.h"
533	533	#include "ntp_internal.h"
534		-@@ -2229,10 +2230,15 @@ static int timekeeping_validate_timex(st
	534	+@@ -2254,10 +2255,15 @@ static int timekeeping_validate_timex(co
535	535	if (!(txc->modes & ADJ_OFFSET_READONLY) &&
536	536	!capable(CAP_SYS_TIME))
537	537	return -EPERM;

		@@ -547,7 +547,7 @@
547	547	/*
548	548	* if the quartz is off by more than 10% then
549	549	* something is VERY wrong!
550		-@@ -2247,6 +2253,8 @@ static int timekeeping_validate_timex(st
	550	+@@ -2272,6 +2278,8 @@ static int timekeeping_validate_timex(co
551	551	/* In order to inject time, you gotta be super-user! */
552	552	if (!capable(CAP_SYS_TIME))
553	553	return -EPERM;

		@@ -556,8 +556,8 @@
556	556
557	557	/*
558	558	* Validate if a timespec/timeval used to inject a time
559		---- linux-4.18.0-80.11.2.el8.orig/net/ipv4/raw.c
560		-+++ linux-4.18.0-80.11.2.el8/net/ipv4/raw.c
	559	+--- linux-4.18.0-147.0.3.el8.orig/net/ipv4/raw.c
	560	++++ linux-4.18.0-147.0.3.el8/net/ipv4/raw.c
561	561	@@ -781,6 +781,10 @@ static int raw_recvmsg(struct sock *sk,
562	562	skb = skb_recv_datagram(sk, flags, noblock, &err);
563	563	if (!skb)

		@@ -569,9 +569,9 @@
569	569
570	570	copied = skb->len;
571	571	if (len < copied) {
572		---- linux-4.18.0-80.11.2.el8.orig/net/ipv4/udp.c
573		-+++ linux-4.18.0-80.11.2.el8/net/ipv4/udp.c
574		-@@ -1660,6 +1660,8 @@ try_again:
	572	+--- linux-4.18.0-147.0.3.el8.orig/net/ipv4/udp.c
	573	++++ linux-4.18.0-147.0.3.el8/net/ipv4/udp.c
	574	+@@ -1741,6 +1741,8 @@ try_again:
575	575	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576	576	if (!skb)
577	577	return err;

		@@ -580,9 +580,9 @@
580	580
581	581	ulen = udp_skb_len(skb);
582	582	copied = len;
583		---- linux-4.18.0-80.11.2.el8.orig/net/ipv6/raw.c
584		-+++ linux-4.18.0-80.11.2.el8/net/ipv6/raw.c
585		-@@ -483,6 +483,10 @@ static int rawv6_recvmsg(struct sock *sk
	583	+--- linux-4.18.0-147.0.3.el8.orig/net/ipv6/raw.c
	584	++++ linux-4.18.0-147.0.3.el8/net/ipv6/raw.c
	585	+@@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
586	586	skb = skb_recv_datagram(sk, flags, noblock, &err);
587	587	if (!skb)
588	588	goto out;

		@@ -593,9 +593,9 @@
593	593
594	594	copied = skb->len;
595	595	if (copied > len) {
596		---- linux-4.18.0-80.11.2.el8.orig/net/ipv6/udp.c
597		-+++ linux-4.18.0-80.11.2.el8/net/ipv6/udp.c
598		-@@ -339,6 +339,8 @@ try_again:
	596	+--- linux-4.18.0-147.0.3.el8.orig/net/ipv6/udp.c
	597	++++ linux-4.18.0-147.0.3.el8/net/ipv6/udp.c
	598	+@@ -344,6 +344,8 @@ try_again:
599	599	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600	600	if (!skb)
601	601	return err;

		@@ -604,9 +604,9 @@
604	604
605	605	ulen = udp6_skb_len(skb);
606	606	copied = len;
607		---- linux-4.18.0-80.11.2.el8.orig/net/socket.c
608		-+++ linux-4.18.0-80.11.2.el8/net/socket.c
609		-@@ -1602,6 +1602,10 @@ int __sys_accept4(int fd, struct sockadd
	607	+--- linux-4.18.0-147.0.3.el8.orig/net/socket.c
	608	++++ linux-4.18.0-147.0.3.el8/net/socket.c
	609	+@@ -1720,6 +1720,10 @@ int __sys_accept4(int fd, struct sockadd
610	610	if (err < 0)
611	611	goto out_fd;
612	612

		@@ -617,8 +617,8 @@
617	617	if (upeer_sockaddr) {
618	618	len = newsock->ops->getname(newsock,
619	619	(struct sockaddr *)&address, 2);
620		---- linux-4.18.0-80.11.2.el8.orig/net/unix/af_unix.c
621		-+++ linux-4.18.0-80.11.2.el8/net/unix/af_unix.c
	620	+--- linux-4.18.0-147.0.3.el8.orig/net/unix/af_unix.c
	621	++++ linux-4.18.0-147.0.3.el8/net/unix/af_unix.c
622	622	@@ -2122,6 +2122,10 @@ static int unix_dgram_recvmsg(struct soc
623	623	EPOLLOUT \| EPOLLWRNORM \|
624	624	EPOLLWRBAND);

		@@ -638,8 +638,8 @@
638	638	mutex_unlock(&u->iolock);
639	639	out:
640	640	return err;
641		---- linux-4.18.0-80.11.2.el8.orig/security/Kconfig
642		-+++ linux-4.18.0-80.11.2.el8/security/Kconfig
	641	+--- linux-4.18.0-147.0.3.el8.orig/security/Kconfig
	642	++++ linux-4.18.0-147.0.3.el8/security/Kconfig
643	643	@@ -313,4 +313,6 @@ config DEFAULT_SECURITY
644	644	default "apparmor" if DEFAULT_SECURITY_APPARMOR
645	645	default "" if DEFAULT_SECURITY_DAC

		@@ -647,8 +647,8 @@
647	647	+source security/ccsecurity/Kconfig
648	648	+
649	649	endmenu
650		---- linux-4.18.0-80.11.2.el8.orig/security/Makefile
651		-+++ linux-4.18.0-80.11.2.el8/security/Makefile
	650	+--- linux-4.18.0-147.0.3.el8.orig/security/Makefile
	651	++++ linux-4.18.0-147.0.3.el8/security/Makefile
652	652	@@ -33,3 +33,6 @@ obj-$(CONFIG_INTEGRITY) += integrity/
653	653
654	654	# Allow the kernel to be locked down

		@@ -656,9 +656,9 @@
656	656	+
657	657	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
658	658	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
659		---- linux-4.18.0-80.11.2.el8.orig/security/security.c
660		-+++ linux-4.18.0-80.11.2.el8/security/security.c
661		-@@ -983,12 +983,19 @@ int security_file_open(struct file *file
	659	+--- linux-4.18.0-147.0.3.el8.orig/security/security.c
	660	++++ linux-4.18.0-147.0.3.el8/security/security.c
	661	+@@ -989,12 +989,19 @@ int security_file_open(struct file *file
662	662
663	663	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
664	664	{

--- trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 4.19.88.
	1	+This is TOMOYO Linux patch for kernel 4.19.91.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.88.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.91.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/security.c \| 9 +++++-
29	29	24 files changed, 148 insertions(+), 29 deletions(-)
30	30
31		---- linux-4.19.88.orig/fs/exec.c
32		-+++ linux-4.19.88/fs/exec.c
	31	+--- linux-4.19.91.orig/fs/exec.c
	32	++++ linux-4.19.91/fs/exec.c
33	33	@@ -1692,7 +1692,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-4.19.88.orig/fs/open.c
43		-+++ linux-4.19.88/fs/open.c
	42	+--- linux-4.19.91.orig/fs/open.c
	43	++++ linux-4.19.91/fs/open.c
44	44	@@ -1199,6 +1199,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-4.19.88.orig/fs/proc/version.c
54		-+++ linux-4.19.88/fs/proc/version.c
	53	+--- linux-4.19.91.orig/fs/proc/version.c
	54	++++ linux-4.19.91/fs/proc/version.c
55	55	@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 4.19.88 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 4.19.91 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-4.19.88.orig/include/linux/sched.h
67		-+++ linux-4.19.88/include/linux/sched.h
	66	+--- linux-4.19.91.orig/include/linux/sched.h
	67	++++ linux-4.19.91/include/linux/sched.h
68	68	@@ -34,6 +34,7 @@ struct audit_context;
69	69	struct backing_dev_info;
70	70	struct bio_list;

		@@ -84,8 +84,8 @@
84	84
85	85	/*
86	86	* New fields for task_struct should be added above here, so that
87		---- linux-4.19.88.orig/include/linux/security.h
88		-+++ linux-4.19.88/include/linux/security.h
	87	+--- linux-4.19.91.orig/include/linux/security.h
	88	++++ linux-4.19.91/include/linux/security.h
89	89	@@ -53,6 +53,7 @@ struct msg_msg;
90	90	struct xattr;
91	91	struct xfrm_sec_ctx;

		@@ -306,8 +306,8 @@
306	306	}
307	307	#endif /* CONFIG_SECURITY_PATH */
308	308
309		---- linux-4.19.88.orig/include/net/ip.h
310		-+++ linux-4.19.88/include/net/ip.h
	309	+--- linux-4.19.91.orig/include/net/ip.h
	310	++++ linux-4.19.91/include/net/ip.h
311	311	@@ -301,6 +301,8 @@ void inet_get_local_port_range(struct ne
312	312	#ifdef CONFIG_SYSCTL
313	313	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -326,8 +326,8 @@
326	326	return 0;
327	327	}
328	328
329		---- linux-4.19.88.orig/init/init_task.c
330		-+++ linux-4.19.88/init/init_task.c
	329	+--- linux-4.19.91.orig/init/init_task.c
	330	++++ linux-4.19.91/init/init_task.c
331	331	@@ -179,6 +179,10 @@ struct task_struct init_task
332	332	#ifdef CONFIG_SECURITY
333	333	.security = NULL,

		@@ -339,8 +339,8 @@
339	339	};
340	340	EXPORT_SYMBOL(init_task);
341	341
342		---- linux-4.19.88.orig/kernel/kexec.c
343		-+++ linux-4.19.88/kernel/kexec.c
	342	+--- linux-4.19.91.orig/kernel/kexec.c
	343	++++ linux-4.19.91/kernel/kexec.c
344	344	@@ -18,7 +18,7 @@
345	345	#include <linux/syscalls.h>
346	346	#include <linux/vmalloc.h>

		@@ -359,8 +359,8 @@
359	359
360	360	/* Permit LSMs and IMA to fail the kexec */
361	361	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362		---- linux-4.19.88.orig/kernel/module.c
363		-+++ linux-4.19.88/kernel/module.c
	362	+--- linux-4.19.91.orig/kernel/module.c
	363	++++ linux-4.19.91/kernel/module.c
364	364	@@ -66,6 +66,7 @@
365	365	#include <linux/audit.h>
366	366	#include <uapi/linux/module.h>

		@@ -378,7 +378,7 @@
378	378
379	379	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380	380	return -EFAULT;
381		-@@ -3554,6 +3557,8 @@ static int may_init_module(void)
	381	+@@ -3556,6 +3559,8 @@ static int may_init_module(void)
382	382	{
383	383	if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
384	384	return -EPERM;

		@@ -387,8 +387,8 @@
387	387
388	388	return 0;
389	389	}
390		---- linux-4.19.88.orig/kernel/ptrace.c
391		-+++ linux-4.19.88/kernel/ptrace.c
	390	+--- linux-4.19.91.orig/kernel/ptrace.c
	391	++++ linux-4.19.91/kernel/ptrace.c
392	392	@@ -1137,6 +1137,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393	393	{
394	394	struct task_struct *child;

		@@ -413,8 +413,8 @@
413	413
414	414	if (request == PTRACE_TRACEME) {
415	415	ret = ptrace_traceme();
416		---- linux-4.19.88.orig/kernel/reboot.c
417		-+++ linux-4.19.88/kernel/reboot.c
	416	+--- linux-4.19.91.orig/kernel/reboot.c
	417	++++ linux-4.19.91/kernel/reboot.c
418	418	@@ -16,6 +16,7 @@
419	419	#include <linux/syscalls.h>
420	420	#include <linux/syscore_ops.h>

		@@ -432,8 +432,8 @@
432	432
433	433	/*
434	434	* If pid namespaces are enabled and the current task is in a child
435		---- linux-4.19.88.orig/kernel/sched/core.c
436		-+++ linux-4.19.88/kernel/sched/core.c
	435	+--- linux-4.19.91.orig/kernel/sched/core.c
	436	++++ linux-4.19.91/kernel/sched/core.c
437	437	@@ -3986,6 +3986,8 @@ int can_nice(const struct task_struct *p
438	438	SYSCALL_DEFINE1(nice, int, increment)
439	439	{

		@@ -443,8 +443,8 @@
443	443
444	444	/*
445	445	* Setpriority might change our priority at the same moment.
446		---- linux-4.19.88.orig/kernel/signal.c
447		-+++ linux-4.19.88/kernel/signal.c
	446	+--- linux-4.19.91.orig/kernel/signal.c
	447	++++ linux-4.19.91/kernel/signal.c
448	448	@@ -3275,6 +3275,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449	449	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450	450	{

		@@ -490,8 +490,8 @@
490	490
491	491	return do_send_specific(tgid, pid, sig, info);
492	492	}
493		---- linux-4.19.88.orig/kernel/sys.c
494		-+++ linux-4.19.88/kernel/sys.c
	493	+--- linux-4.19.91.orig/kernel/sys.c
	494	++++ linux-4.19.91/kernel/sys.c
495	495	@@ -201,6 +201,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496	496
497	497	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -521,8 +521,8 @@
521	521
522	522	errno = -EFAULT;
523	523	if (!copy_from_user(tmp, name, len)) {
524		---- linux-4.19.88.orig/kernel/time/timekeeping.c
525		-+++ linux-4.19.88/kernel/time/timekeeping.c
	524	+--- linux-4.19.91.orig/kernel/time/timekeeping.c
	525	++++ linux-4.19.91/kernel/time/timekeeping.c
526	526	@@ -26,6 +26,7 @@
527	527	#include <linux/stop_machine.h>
528	528	#include <linux/pvclock_gtod.h>

		@@ -556,8 +556,8 @@
556	556
557	557	/*
558	558	* Validate if a timespec/timeval used to inject a time
559		---- linux-4.19.88.orig/net/ipv4/raw.c
560		-+++ linux-4.19.88/net/ipv4/raw.c
	559	+--- linux-4.19.91.orig/net/ipv4/raw.c
	560	++++ linux-4.19.91/net/ipv4/raw.c
561	561	@@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
562	562	skb = skb_recv_datagram(sk, flags, noblock, &err);
563	563	if (!skb)

		@@ -569,8 +569,8 @@
569	569
570	570	copied = skb->len;
571	571	if (len < copied) {
572		---- linux-4.19.88.orig/net/ipv4/udp.c
573		-+++ linux-4.19.88/net/ipv4/udp.c
	572	+--- linux-4.19.91.orig/net/ipv4/udp.c
	573	++++ linux-4.19.91/net/ipv4/udp.c
574	574	@@ -1682,6 +1682,8 @@ try_again:
575	575	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576	576	if (!skb)

		@@ -580,8 +580,8 @@
580	580
581	581	ulen = udp_skb_len(skb);
582	582	copied = len;
583		---- linux-4.19.88.orig/net/ipv6/raw.c
584		-+++ linux-4.19.88/net/ipv6/raw.c
	583	+--- linux-4.19.91.orig/net/ipv6/raw.c
	584	++++ linux-4.19.91/net/ipv6/raw.c
585	585	@@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
586	586	skb = skb_recv_datagram(sk, flags, noblock, &err);
587	587	if (!skb)

		@@ -593,8 +593,8 @@
593	593
594	594	copied = skb->len;
595	595	if (copied > len) {
596		---- linux-4.19.88.orig/net/ipv6/udp.c
597		-+++ linux-4.19.88/net/ipv6/udp.c
	596	+--- linux-4.19.91.orig/net/ipv6/udp.c
	597	++++ linux-4.19.91/net/ipv6/udp.c
598	598	@@ -344,6 +344,8 @@ try_again:
599	599	skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600	600	if (!skb)

		@@ -604,8 +604,8 @@
604	604
605	605	ulen = udp6_skb_len(skb);
606	606	copied = len;
607		---- linux-4.19.88.orig/net/socket.c
608		-+++ linux-4.19.88/net/socket.c
	607	+--- linux-4.19.91.orig/net/socket.c
	608	++++ linux-4.19.91/net/socket.c
609	609	@@ -1590,6 +1590,10 @@ int __sys_accept4(int fd, struct sockadd
610	610	if (err < 0)
611	611	goto out_fd;

		@@ -617,8 +617,8 @@
617	617	if (upeer_sockaddr) {
618	618	len = newsock->ops->getname(newsock,
619	619	(struct sockaddr *)&address, 2);
620		---- linux-4.19.88.orig/net/unix/af_unix.c
621		-+++ linux-4.19.88/net/unix/af_unix.c
	620	+--- linux-4.19.91.orig/net/unix/af_unix.c
	621	++++ linux-4.19.91/net/unix/af_unix.c
622	622	@@ -2139,6 +2139,10 @@ static int unix_dgram_recvmsg(struct soc
623	623	EPOLLOUT \| EPOLLWRNORM \|
624	624	EPOLLWRBAND);

		@@ -638,8 +638,8 @@
638	638	mutex_unlock(&u->iolock);
639	639	out:
640	640	return err;
641		---- linux-4.19.88.orig/security/Kconfig
642		-+++ linux-4.19.88/security/Kconfig
	641	+--- linux-4.19.91.orig/security/Kconfig
	642	++++ linux-4.19.91/security/Kconfig
643	643	@@ -276,5 +276,7 @@ config DEFAULT_SECURITY
644	644	default "apparmor" if DEFAULT_SECURITY_APPARMOR
645	645	default "" if DEFAULT_SECURITY_DAC

		@@ -648,8 +648,8 @@
648	648	+
649	649	endmenu
650	650
651		---- linux-4.19.88.orig/security/Makefile
652		-+++ linux-4.19.88/security/Makefile
	651	+--- linux-4.19.91.orig/security/Makefile
	652	++++ linux-4.19.91/security/Makefile
653	653	@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654	654	# Object integrity file lists
655	655	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -657,8 +657,8 @@
657	657	+
658	658	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
659	659	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
660		---- linux-4.19.88.orig/security/security.c
661		-+++ linux-4.19.88/security/security.c
	660	+--- linux-4.19.91.orig/security/security.c
	661	++++ linux-4.19.91/security/security.c
662	662	@@ -988,12 +988,19 @@ int security_file_open(struct file *file
663	663
664	664	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)

--- trunk/caitsith-patch/patches/ccs-patch-4.4.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-4.4.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 4.4.206.
	1	+This is TOMOYO Linux patch for kernel 4.4.207.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.4.206.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.4.207.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/Makefile \| 3 ++
29	29	24 files changed, 150 insertions(+), 26 deletions(-)
30	30
31		---- linux-4.4.206.orig/fs/exec.c
32		-+++ linux-4.4.206/fs/exec.c
	31	+--- linux-4.4.207.orig/fs/exec.c
	32	++++ linux-4.4.207/fs/exec.c
33	33	@@ -1512,7 +1512,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-4.4.206.orig/fs/open.c
43		-+++ linux-4.4.206/fs/open.c
	42	+--- linux-4.4.207.orig/fs/open.c
	43	++++ linux-4.4.207/fs/open.c
44	44	@@ -1136,6 +1136,8 @@ EXPORT_SYMBOL(sys_close);
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-4.4.206.orig/fs/proc/version.c
54		-+++ linux-4.4.206/fs/proc/version.c
	53	+--- linux-4.4.207.orig/fs/proc/version.c
	54	++++ linux-4.4.207/fs/proc/version.c
55	55	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,14 +59,14 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 4.4.206 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 4.4.207 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-4.4.206.orig/include/linux/init_task.h
67		-+++ linux-4.4.206/include/linux/init_task.h
68		-@@ -183,6 +183,14 @@ extern struct task_group root_task_group
69		- # define INIT_KASAN(tsk)
	66	+--- linux-4.4.207.orig/include/linux/init_task.h
	67	++++ linux-4.4.207/include/linux/init_task.h
	68	+@@ -191,6 +191,14 @@ extern struct task_group root_task_group
	69	+ # define INIT_TASK_TI(tsk)
70	70	#endif
71	71
72	72	+#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)

		@@ -80,7 +80,7 @@
80	80	/*
81	81	* INIT_TASK is used to set up the first task table, touch at
82	82	* your own risk!. Base=0, limit=0x1fffff (=2MB)
83		-@@ -260,6 +268,7 @@ extern struct task_group root_task_group
	83	+@@ -269,6 +277,7 @@ extern struct task_group root_task_group
84	84	INIT_VTIME(tsk) \
85	85	INIT_NUMA_BALANCING(tsk) \
86	86	INIT_KASAN(tsk) \

		@@ -88,8 +88,8 @@
88	88	}
89	89
90	90
91		---- linux-4.4.206.orig/include/linux/sched.h
92		-+++ linux-4.4.206/include/linux/sched.h
	91	+--- linux-4.4.207.orig/include/linux/sched.h
	92	++++ linux-4.4.207/include/linux/sched.h
93	93	@@ -6,6 +6,8 @@
94	94	#include <linux/sched/prio.h>
95	95

		@@ -99,7 +99,7 @@
99	99	struct sched_param {
100	100	int sched_priority;
101	101	};
102		-@@ -1831,6 +1833,10 @@ struct task_struct {
	102	+@@ -1841,6 +1843,10 @@ struct task_struct {
103	103	unsigned long task_state_change;
104	104	#endif
105	105	int pagefault_disabled;

		@@ -110,8 +110,8 @@
110	110	/* CPU-specific state of this task */
111	111	struct thread_struct thread;
112	112	/*
113		---- linux-4.4.206.orig/include/linux/security.h
114		-+++ linux-4.4.206/include/linux/security.h
	113	+--- linux-4.4.207.orig/include/linux/security.h
	114	++++ linux-4.4.207/include/linux/security.h
115	115	@@ -53,6 +53,7 @@ struct msg_queue;
116	116	struct xattr;
117	117	struct xfrm_sec_ctx;

		@@ -318,8 +318,8 @@
318	318	}
319	319	#endif /* CONFIG_SECURITY_PATH */
320	320
321		---- linux-4.4.206.orig/include/net/ip.h
322		-+++ linux-4.4.206/include/net/ip.h
	321	+--- linux-4.4.207.orig/include/net/ip.h
	322	++++ linux-4.4.207/include/net/ip.h
323	323	@@ -225,6 +225,8 @@ void inet_get_local_port_range(struct ne
324	324	#ifdef CONFIG_SYSCTL
325	325	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -338,8 +338,8 @@
338	338	return 0;
339	339	}
340	340	#endif
341		---- linux-4.4.206.orig/kernel/fork.c
342		-+++ linux-4.4.206/kernel/fork.c
	341	+--- linux-4.4.207.orig/kernel/fork.c
	342	++++ linux-4.4.207/kernel/fork.c
343	343	@@ -260,6 +260,7 @@ void __put_task_struct(struct task_struc
344	344	delayacct_tsk_free(tsk);
345	345	put_signal_struct(tsk->signal);

		@@ -366,8 +366,8 @@
366	366	bad_fork_cleanup_perf:
367	367	perf_event_free_task(p);
368	368	bad_fork_cleanup_policy:
369		---- linux-4.4.206.orig/kernel/kexec.c
370		-+++ linux-4.4.206/kernel/kexec.c
	369	+--- linux-4.4.207.orig/kernel/kexec.c
	370	++++ linux-4.4.207/kernel/kexec.c
371	371	@@ -17,7 +17,7 @@
372	372	#include <linux/syscalls.h>
373	373	#include <linux/vmalloc.h>

		@@ -386,8 +386,8 @@
386	386
387	387	/*
388	388	* Verify we have a legal set of flags
389		---- linux-4.4.206.orig/kernel/module.c
390		-+++ linux-4.4.206/kernel/module.c
	389	+--- linux-4.4.207.orig/kernel/module.c
	390	++++ linux-4.4.207/kernel/module.c
391	391	@@ -61,6 +61,7 @@
392	392	#include <linux/bsearch.h>
393	393	#include <uapi/linux/module.h>

		@@ -405,7 +405,7 @@
405	405
406	406	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
407	407	return -EFAULT;
408		-@@ -3364,6 +3367,8 @@ static int may_init_module(void)
	408	+@@ -3366,6 +3369,8 @@ static int may_init_module(void)
409	409	{
410	410	if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
411	411	return -EPERM;

		@@ -414,8 +414,8 @@
414	414
415	415	return 0;
416	416	}
417		---- linux-4.4.206.orig/kernel/ptrace.c
418		-+++ linux-4.4.206/kernel/ptrace.c
	417	+--- linux-4.4.207.orig/kernel/ptrace.c
	418	++++ linux-4.4.207/kernel/ptrace.c
419	419	@@ -1109,6 +1109,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420	420	{
421	421	struct task_struct *child;

		@@ -440,8 +440,8 @@
440	440
441	441	if (request == PTRACE_TRACEME) {
442	442	ret = ptrace_traceme();
443		---- linux-4.4.206.orig/kernel/reboot.c
444		-+++ linux-4.4.206/kernel/reboot.c
	443	+--- linux-4.4.207.orig/kernel/reboot.c
	444	++++ linux-4.4.207/kernel/reboot.c
445	445	@@ -16,6 +16,7 @@
446	446	#include <linux/syscalls.h>
447	447	#include <linux/syscore_ops.h>

		@@ -459,8 +459,8 @@
459	459
460	460	/*
461	461	* If pid namespaces are enabled and the current task is in a child
462		---- linux-4.4.206.orig/kernel/sched/core.c
463		-+++ linux-4.4.206/kernel/sched/core.c
	462	+--- linux-4.4.207.orig/kernel/sched/core.c
	463	++++ linux-4.4.207/kernel/sched/core.c
464	464	@@ -3549,6 +3549,8 @@ int can_nice(const struct task_struct *p
465	465	SYSCALL_DEFINE1(nice, int, increment)
466	466	{

		@@ -470,8 +470,8 @@
470	470
471	471	/*
472	472	* Setpriority might change our priority at the same moment.
473		---- linux-4.4.206.orig/kernel/signal.c
474		-+++ linux-4.4.206/kernel/signal.c
	473	+--- linux-4.4.207.orig/kernel/signal.c
	474	++++ linux-4.4.207/kernel/signal.c
475	475	@@ -2933,6 +2933,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476	476	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477	477	{

		@@ -517,8 +517,8 @@
517	517
518	518	return do_send_specific(tgid, pid, sig, info);
519	519	}
520		---- linux-4.4.206.orig/kernel/sys.c
521		-+++ linux-4.4.206/kernel/sys.c
	520	+--- linux-4.4.207.orig/kernel/sys.c
	521	++++ linux-4.4.207/kernel/sys.c
522	522	@@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523	523
524	524	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -548,8 +548,8 @@
548	548
549	549	errno = -EFAULT;
550	550	if (!copy_from_user(tmp, name, len)) {
551		---- linux-4.4.206.orig/kernel/time/ntp.c
552		-+++ linux-4.4.206/kernel/time/ntp.c
	551	+--- linux-4.4.207.orig/kernel/time/ntp.c
	552	++++ linux-4.4.207/kernel/time/ntp.c
553	553	@@ -16,6 +16,7 @@
554	554	#include <linux/mm.h>
555	555	#include <linux/module.h>

		@@ -583,8 +583,8 @@
583	583
584	584	if (txc->modes & ADJ_NANO) {
585	585	struct timespec ts;
586		---- linux-4.4.206.orig/net/ipv4/raw.c
587		-+++ linux-4.4.206/net/ipv4/raw.c
	586	+--- linux-4.4.207.orig/net/ipv4/raw.c
	587	++++ linux-4.4.207/net/ipv4/raw.c
588	588	@@ -747,6 +747,10 @@ static int raw_recvmsg(struct sock *sk,
589	589	skb = skb_recv_datagram(sk, flags, noblock, &err);
590	590	if (!skb)

		@@ -596,8 +596,8 @@
596	596
597	597	copied = skb->len;
598	598	if (len < copied) {
599		---- linux-4.4.206.orig/net/ipv4/udp.c
600		-+++ linux-4.4.206/net/ipv4/udp.c
	599	+--- linux-4.4.207.orig/net/ipv4/udp.c
	600	++++ linux-4.4.207/net/ipv4/udp.c
601	601	@@ -1289,6 +1289,10 @@ try_again:
602	602	&peeked, &off, &err);
603	603	if (!skb)

		@@ -609,8 +609,8 @@
609	609
610	610	ulen = skb->len - sizeof(struct udphdr);
611	611	copied = len;
612		---- linux-4.4.206.orig/net/ipv6/raw.c
613		-+++ linux-4.4.206/net/ipv6/raw.c
	612	+--- linux-4.4.207.orig/net/ipv6/raw.c
	613	++++ linux-4.4.207/net/ipv6/raw.c
614	614	@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
615	615	skb = skb_recv_datagram(sk, flags, noblock, &err);
616	616	if (!skb)

		@@ -622,8 +622,8 @@
622	622
623	623	copied = skb->len;
624	624	if (copied > len) {
625		---- linux-4.4.206.orig/net/ipv6/udp.c
626		-+++ linux-4.4.206/net/ipv6/udp.c
	625	+--- linux-4.4.207.orig/net/ipv6/udp.c
	626	++++ linux-4.4.207/net/ipv6/udp.c
627	627	@@ -417,6 +417,10 @@ try_again:
628	628	&peeked, &off, &err);
629	629	if (!skb)

		@@ -635,8 +635,8 @@
635	635
636	636	ulen = skb->len - sizeof(struct udphdr);
637	637	copied = len;
638		---- linux-4.4.206.orig/net/socket.c
639		-+++ linux-4.4.206/net/socket.c
	638	+--- linux-4.4.207.orig/net/socket.c
	639	++++ linux-4.4.207/net/socket.c
640	640	@@ -1465,6 +1465,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
641	641	if (err < 0)
642	642	goto out_fd;

		@@ -648,8 +648,8 @@
648	648	if (upeer_sockaddr) {
649	649	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
650	650	&len, 2) < 0) {
651		---- linux-4.4.206.orig/net/unix/af_unix.c
652		-+++ linux-4.4.206/net/unix/af_unix.c
	651	+--- linux-4.4.207.orig/net/unix/af_unix.c
	652	++++ linux-4.4.207/net/unix/af_unix.c
653	653	@@ -2153,6 +2153,10 @@ static int unix_dgram_recvmsg(struct soc
654	654	wake_up_interruptible_sync_poll(&u->peer_wait,
655	655	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -661,8 +661,8 @@
661	661	if (msg->msg_name)
662	662	unix_copy_addr(msg, skb->sk);
663	663
664		---- linux-4.4.206.orig/security/Kconfig
665		-+++ linux-4.4.206/security/Kconfig
	664	+--- linux-4.4.207.orig/security/Kconfig
	665	++++ linux-4.4.207/security/Kconfig
666	666	@@ -173,5 +173,7 @@ config DEFAULT_SECURITY
667	667	default "apparmor" if DEFAULT_SECURITY_APPARMOR
668	668	default "" if DEFAULT_SECURITY_DAC

		@@ -671,8 +671,8 @@
671	671	+
672	672	endmenu
673	673
674		---- linux-4.4.206.orig/security/Makefile
675		-+++ linux-4.4.206/security/Makefile
	674	+--- linux-4.4.207.orig/security/Makefile
	675	++++ linux-4.4.207/security/Makefile
676	676	@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
677	677	# Object integrity file lists
678	678	subdir-$(CONFIG_INTEGRITY) += integrity

--- trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 4.9.206.
	1	+This is TOMOYO Linux patch for kernel 4.9.207.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.206.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.207.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/Makefile \| 3 ++
29	29	24 files changed, 147 insertions(+), 26 deletions(-)
30	30
31		---- linux-4.9.206.orig/fs/exec.c
32		-+++ linux-4.9.206/fs/exec.c
	31	+--- linux-4.9.207.orig/fs/exec.c
	32	++++ linux-4.9.207/fs/exec.c
33	33	@@ -1660,7 +1660,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-4.9.206.orig/fs/open.c
43		-+++ linux-4.9.206/fs/open.c
	42	+--- linux-4.9.207.orig/fs/open.c
	43	++++ linux-4.9.207/fs/open.c
44	44	@@ -1176,6 +1176,8 @@ EXPORT_SYMBOL(sys_close);
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-4.9.206.orig/fs/proc/version.c
54		-+++ linux-4.9.206/fs/proc/version.c
	53	+--- linux-4.9.207.orig/fs/proc/version.c
	54	++++ linux-4.9.207/fs/proc/version.c
55	55	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 4.9.206 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 4.9.207 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-4.9.206.orig/include/linux/init_task.h
67		-+++ linux-4.9.206/include/linux/init_task.h
	66	+--- linux-4.9.207.orig/include/linux/init_task.h
	67	++++ linux-4.9.207/include/linux/init_task.h
68	68	@@ -193,6 +193,14 @@ extern struct task_group root_task_group
69	69	# define INIT_TASK_TI(tsk)
70	70	#endif

		@@ -88,8 +88,8 @@
88	88	}
89	89
90	90
91		---- linux-4.9.206.orig/include/linux/sched.h
92		-+++ linux-4.9.206/include/linux/sched.h
	91	+--- linux-4.9.207.orig/include/linux/sched.h
	92	++++ linux-4.9.207/include/linux/sched.h
93	93	@@ -6,6 +6,8 @@
94	94	#include <linux/sched/prio.h>
95	95

		@@ -110,8 +110,8 @@
110	110	/* CPU-specific state of this task */
111	111	struct thread_struct thread;
112	112	/*
113		---- linux-4.9.206.orig/include/linux/security.h
114		-+++ linux-4.9.206/include/linux/security.h
	113	+--- linux-4.9.207.orig/include/linux/security.h
	114	++++ linux-4.9.207/include/linux/security.h
115	115	@@ -55,6 +55,7 @@ struct msg_queue;
116	116	struct xattr;
117	117	struct xfrm_sec_ctx;

		@@ -318,8 +318,8 @@
318	318	}
319	319	#endif /* CONFIG_SECURITY_PATH */
320	320
321		---- linux-4.9.206.orig/include/net/ip.h
322		-+++ linux-4.9.206/include/net/ip.h
	321	+--- linux-4.9.207.orig/include/net/ip.h
	322	++++ linux-4.9.207/include/net/ip.h
323	323	@@ -254,6 +254,8 @@ void inet_get_local_port_range(struct ne
324	324	#ifdef CONFIG_SYSCTL
325	325	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -338,8 +338,8 @@
338	338	return 0;
339	339	}
340	340	#endif
341		---- linux-4.9.206.orig/kernel/fork.c
342		-+++ linux-4.9.206/kernel/fork.c
	341	+--- linux-4.9.207.orig/kernel/fork.c
	342	++++ linux-4.9.207/kernel/fork.c
343	343	@@ -395,6 +395,7 @@ void __put_task_struct(struct task_struc
344	344	delayacct_tsk_free(tsk);
345	345	put_signal_struct(tsk->signal);

		@@ -366,8 +366,8 @@
366	366	bad_fork_cleanup_perf:
367	367	perf_event_free_task(p);
368	368	bad_fork_cleanup_policy:
369		---- linux-4.9.206.orig/kernel/kexec.c
370		-+++ linux-4.9.206/kernel/kexec.c
	369	+--- linux-4.9.207.orig/kernel/kexec.c
	370	++++ linux-4.9.207/kernel/kexec.c
371	371	@@ -17,7 +17,7 @@
372	372	#include <linux/syscalls.h>
373	373	#include <linux/vmalloc.h>

		@@ -386,8 +386,8 @@
386	386
387	387	/*
388	388	* Verify we have a legal set of flags
389		---- linux-4.9.206.orig/kernel/module.c
390		-+++ linux-4.9.206/kernel/module.c
	389	+--- linux-4.9.207.orig/kernel/module.c
	390	++++ linux-4.9.207/kernel/module.c
391	391	@@ -63,6 +63,7 @@
392	392	#include <linux/dynamic_debug.h>
393	393	#include <uapi/linux/module.h>

		@@ -405,7 +405,7 @@
405	405
406	406	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
407	407	return -EFAULT;
408		-@@ -3494,6 +3497,8 @@ static int may_init_module(void)
	408	+@@ -3496,6 +3499,8 @@ static int may_init_module(void)
409	409	{
410	410	if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
411	411	return -EPERM;

		@@ -414,8 +414,8 @@
414	414
415	415	return 0;
416	416	}
417		---- linux-4.9.206.orig/kernel/ptrace.c
418		-+++ linux-4.9.206/kernel/ptrace.c
	417	+--- linux-4.9.207.orig/kernel/ptrace.c
	418	++++ linux-4.9.207/kernel/ptrace.c
419	419	@@ -1146,6 +1146,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420	420	{
421	421	struct task_struct *child;

		@@ -440,8 +440,8 @@
440	440
441	441	if (request == PTRACE_TRACEME) {
442	442	ret = ptrace_traceme();
443		---- linux-4.9.206.orig/kernel/reboot.c
444		-+++ linux-4.9.206/kernel/reboot.c
	443	+--- linux-4.9.207.orig/kernel/reboot.c
	444	++++ linux-4.9.207/kernel/reboot.c
445	445	@@ -16,6 +16,7 @@
446	446	#include <linux/syscalls.h>
447	447	#include <linux/syscore_ops.h>

		@@ -459,8 +459,8 @@
459	459
460	460	/*
461	461	* If pid namespaces are enabled and the current task is in a child
462		---- linux-4.9.206.orig/kernel/sched/core.c
463		-+++ linux-4.9.206/kernel/sched/core.c
	462	+--- linux-4.9.207.orig/kernel/sched/core.c
	463	++++ linux-4.9.207/kernel/sched/core.c
464	464	@@ -3813,6 +3813,8 @@ int can_nice(const struct task_struct *p
465	465	SYSCALL_DEFINE1(nice, int, increment)
466	466	{

		@@ -470,8 +470,8 @@
470	470
471	471	/*
472	472	* Setpriority might change our priority at the same moment.
473		---- linux-4.9.206.orig/kernel/signal.c
474		-+++ linux-4.9.206/kernel/signal.c
	473	+--- linux-4.9.207.orig/kernel/signal.c
	474	++++ linux-4.9.207/kernel/signal.c
475	475	@@ -2933,6 +2933,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476	476	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477	477	{

		@@ -517,8 +517,8 @@
517	517
518	518	return do_send_specific(tgid, pid, sig, info);
519	519	}
520		---- linux-4.9.206.orig/kernel/sys.c
521		-+++ linux-4.9.206/kernel/sys.c
	520	+--- linux-4.9.207.orig/kernel/sys.c
	521	++++ linux-4.9.207/kernel/sys.c
522	522	@@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523	523
524	524	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -548,8 +548,8 @@
548	548
549	549	errno = -EFAULT;
550	550	if (!copy_from_user(tmp, name, len)) {
551		---- linux-4.9.206.orig/kernel/time/ntp.c
552		-+++ linux-4.9.206/kernel/time/ntp.c
	551	+--- linux-4.9.207.orig/kernel/time/ntp.c
	552	++++ linux-4.9.207/kernel/time/ntp.c
553	553	@@ -17,6 +17,7 @@
554	554	#include <linux/module.h>
555	555	#include <linux/rtc.h>

		@@ -583,8 +583,8 @@
583	583
584	584	if (txc->modes & ADJ_NANO) {
585	585	struct timespec ts;
586		---- linux-4.9.206.orig/net/ipv4/raw.c
587		-+++ linux-4.9.206/net/ipv4/raw.c
	586	+--- linux-4.9.207.orig/net/ipv4/raw.c
	587	++++ linux-4.9.207/net/ipv4/raw.c
588	588	@@ -744,6 +744,10 @@ static int raw_recvmsg(struct sock *sk,
589	589	skb = skb_recv_datagram(sk, flags, noblock, &err);
590	590	if (!skb)

		@@ -596,8 +596,8 @@
596	596
597	597	copied = skb->len;
598	598	if (len < copied) {
599		---- linux-4.9.206.orig/net/ipv4/udp.c
600		-+++ linux-4.9.206/net/ipv4/udp.c
	599	+--- linux-4.9.207.orig/net/ipv4/udp.c
	600	++++ linux-4.9.207/net/ipv4/udp.c
601	601	@@ -1271,6 +1271,8 @@ try_again:
602	602	&peeked, &off, &err);
603	603	if (!skb)

		@@ -607,8 +607,8 @@
607	607
608	608	ulen = skb->len;
609	609	copied = len;
610		---- linux-4.9.206.orig/net/ipv6/raw.c
611		-+++ linux-4.9.206/net/ipv6/raw.c
	610	+--- linux-4.9.207.orig/net/ipv6/raw.c
	611	++++ linux-4.9.207/net/ipv6/raw.c
612	612	@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
613	613	skb = skb_recv_datagram(sk, flags, noblock, &err);
614	614	if (!skb)

		@@ -620,8 +620,8 @@
620	620
621	621	copied = skb->len;
622	622	if (copied > len) {
623		---- linux-4.9.206.orig/net/ipv6/udp.c
624		-+++ linux-4.9.206/net/ipv6/udp.c
	623	+--- linux-4.9.207.orig/net/ipv6/udp.c
	624	++++ linux-4.9.207/net/ipv6/udp.c
625	625	@@ -348,6 +348,8 @@ try_again:
626	626	&peeked, &off, &err);
627	627	if (!skb)

		@@ -631,8 +631,8 @@
631	631
632	632	ulen = skb->len;
633	633	copied = len;
634		---- linux-4.9.206.orig/net/socket.c
635		-+++ linux-4.9.206/net/socket.c
	634	+--- linux-4.9.207.orig/net/socket.c
	635	++++ linux-4.9.207/net/socket.c
636	636	@@ -1482,6 +1482,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
637	637	if (err < 0)
638	638	goto out_fd;

		@@ -644,8 +644,8 @@
644	644	if (upeer_sockaddr) {
645	645	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
646	646	&len, 2) < 0) {
647		---- linux-4.9.206.orig/net/unix/af_unix.c
648		-+++ linux-4.9.206/net/unix/af_unix.c
	647	+--- linux-4.9.207.orig/net/unix/af_unix.c
	648	++++ linux-4.9.207/net/unix/af_unix.c
649	649	@@ -2162,6 +2162,10 @@ static int unix_dgram_recvmsg(struct soc
650	650	POLLOUT \| POLLWRNORM \|
651	651	POLLWRBAND);

		@@ -665,8 +665,8 @@
665	665	mutex_unlock(&u->iolock);
666	666	out:
667	667	return err;
668		---- linux-4.9.206.orig/security/Kconfig
669		-+++ linux-4.9.206/security/Kconfig
	668	+--- linux-4.9.207.orig/security/Kconfig
	669	++++ linux-4.9.207/security/Kconfig
670	670	@@ -214,5 +214,7 @@ config DEFAULT_SECURITY
671	671	default "apparmor" if DEFAULT_SECURITY_APPARMOR
672	672	default "" if DEFAULT_SECURITY_DAC

		@@ -675,8 +675,8 @@
675	675	+
676	676	endmenu
677	677
678		---- linux-4.9.206.orig/security/Makefile
679		-+++ linux-4.9.206/security/Makefile
	678	+--- linux-4.9.207.orig/security/Makefile
	679	++++ linux-4.9.207/security/Makefile
680	680	@@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
681	681	# Object integrity file lists
682	682	subdir-$(CONFIG_INTEGRITY) += integrity

--- trunk/caitsith-patch/patches/ccs-patch-5.3.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-5.3.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 5.3.15.
	1	+This is TOMOYO Linux patch for kernel 5.3.18.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.3.15.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.3.18.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/security.c \| 5 ++-
29	29	24 files changed, 160 insertions(+), 30 deletions(-)
30	30
31		---- linux-5.3.15.orig/fs/exec.c
32		-+++ linux-5.3.15/fs/exec.c
	31	+--- linux-5.3.18.orig/fs/exec.c
	32	++++ linux-5.3.18/fs/exec.c
33	33	@@ -1698,7 +1698,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-5.3.15.orig/fs/open.c
43		-+++ linux-5.3.15/fs/open.c
	42	+--- linux-5.3.18.orig/fs/open.c
	43	++++ linux-5.3.18/fs/open.c
44	44	@@ -1200,6 +1200,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-5.3.15.orig/fs/proc/version.c
54		-+++ linux-5.3.15/fs/proc/version.c
	53	+--- linux-5.3.18.orig/fs/proc/version.c
	54	++++ linux-5.3.18/fs/proc/version.c
55	55	@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 5.3.15 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 5.3.18 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-5.3.15.orig/include/linux/sched.h
67		-+++ linux-5.3.15/include/linux/sched.h
	66	+--- linux-5.3.18.orig/include/linux/sched.h
	67	++++ linux-5.3.18/include/linux/sched.h
68	68	@@ -36,6 +36,7 @@ struct backing_dev_info;
69	69	struct bio_list;
70	70	struct blk_plug;

		@@ -84,8 +84,8 @@
84	84
85	85	#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
86	86	unsigned long lowest_stack;
87		---- linux-5.3.15.orig/include/linux/security.h
88		-+++ linux-5.3.15/include/linux/security.h
	87	+--- linux-5.3.18.orig/include/linux/security.h
	88	++++ linux-5.3.18/include/linux/security.h
89	89	@@ -57,6 +57,7 @@ struct mm_struct;
90	90	struct fs_context;
91	91	struct fs_parameter;

		@@ -315,8 +315,8 @@
315	315	}
316	316	#endif /* CONFIG_SECURITY_PATH */
317	317
318		---- linux-5.3.15.orig/include/net/ip.h
319		-+++ linux-5.3.15/include/net/ip.h
	318	+--- linux-5.3.18.orig/include/net/ip.h
	319	++++ linux-5.3.18/include/net/ip.h
320	320	@@ -340,6 +340,8 @@ void inet_get_local_port_range(struct ne
321	321	#ifdef CONFIG_SYSCTL
322	322	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -335,8 +335,8 @@
335	335	return 0;
336	336	}
337	337
338		---- linux-5.3.15.orig/init/init_task.c
339		-+++ linux-5.3.15/init/init_task.c
	338	+--- linux-5.3.18.orig/init/init_task.c
	339	++++ linux-5.3.18/init/init_task.c
340	340	@@ -183,6 +183,10 @@ struct task_struct init_task
341	341	#ifdef CONFIG_SECURITY
342	342	.security = NULL,

		@@ -348,8 +348,8 @@
348	348	};
349	349	EXPORT_SYMBOL(init_task);
350	350
351		---- linux-5.3.15.orig/kernel/kexec.c
352		-+++ linux-5.3.15/kernel/kexec.c
	351	+--- linux-5.3.18.orig/kernel/kexec.c
	352	++++ linux-5.3.18/kernel/kexec.c
353	353	@@ -16,7 +16,7 @@
354	354	#include <linux/syscalls.h>
355	355	#include <linux/vmalloc.h>

		@@ -368,8 +368,8 @@
368	368
369	369	/* Permit LSMs and IMA to fail the kexec */
370	370	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371		---- linux-5.3.15.orig/kernel/module.c
372		-+++ linux-5.3.15/kernel/module.c
	371	+--- linux-5.3.18.orig/kernel/module.c
	372	++++ linux-5.3.18/kernel/module.c
373	373	@@ -54,6 +54,7 @@
374	374	#include <linux/audit.h>
375	375	#include <uapi/linux/module.h>

		@@ -396,8 +396,8 @@
396	396
397	397	return 0;
398	398	}
399		---- linux-5.3.15.orig/kernel/ptrace.c
400		-+++ linux-5.3.15/kernel/ptrace.c
	399	+--- linux-5.3.18.orig/kernel/ptrace.c
	400	++++ linux-5.3.18/kernel/ptrace.c
401	401	@@ -1239,6 +1239,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402	402	{
403	403	struct task_struct *child;

		@@ -422,8 +422,8 @@
422	422
423	423	if (request == PTRACE_TRACEME) {
424	424	ret = ptrace_traceme();
425		---- linux-5.3.15.orig/kernel/reboot.c
426		-+++ linux-5.3.15/kernel/reboot.c
	425	+--- linux-5.3.18.orig/kernel/reboot.c
	426	++++ linux-5.3.18/kernel/reboot.c
427	427	@@ -17,6 +17,7 @@
428	428	#include <linux/syscalls.h>
429	429	#include <linux/syscore_ops.h>

		@@ -441,8 +441,8 @@
441	441
442	442	/*
443	443	* If pid namespaces are enabled and the current task is in a child
444		---- linux-5.3.15.orig/kernel/sched/core.c
445		-+++ linux-5.3.15/kernel/sched/core.c
	444	+--- linux-5.3.18.orig/kernel/sched/core.c
	445	++++ linux-5.3.18/kernel/sched/core.c
446	446	@@ -4416,6 +4416,8 @@ int can_nice(const struct task_struct *p
447	447	SYSCALL_DEFINE1(nice, int, increment)
448	448	{

		@@ -452,8 +452,8 @@
452	452
453	453	/*
454	454	* Setpriority might change our priority at the same moment.
455		---- linux-5.3.15.orig/kernel/signal.c
456		-+++ linux-5.3.15/kernel/signal.c
	455	+--- linux-5.3.18.orig/kernel/signal.c
	456	++++ linux-5.3.18/kernel/signal.c
457	457	@@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
458	458	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459	459	{

		@@ -521,8 +521,8 @@
521	521
522	522	return do_send_specific(tgid, pid, sig, info);
523	523	}
524		---- linux-5.3.15.orig/kernel/sys.c
525		-+++ linux-5.3.15/kernel/sys.c
	524	+--- linux-5.3.18.orig/kernel/sys.c
	525	++++ linux-5.3.18/kernel/sys.c
526	526	@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527	527
528	528	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -552,8 +552,8 @@
552	552
553	553	errno = -EFAULT;
554	554	if (!copy_from_user(tmp, name, len)) {
555		---- linux-5.3.15.orig/kernel/time/timekeeping.c
556		-+++ linux-5.3.15/kernel/time/timekeeping.c
	555	+--- linux-5.3.18.orig/kernel/time/timekeeping.c
	556	++++ linux-5.3.18/kernel/time/timekeeping.c
557	557	@@ -22,6 +22,7 @@
558	558	#include <linux/pvclock_gtod.h>
559	559	#include <linux/compiler.h>

		@@ -587,8 +587,8 @@
587	587
588	588	/*
589	589	* Validate if a timespec/timeval used to inject a time
590		---- linux-5.3.15.orig/net/ipv4/raw.c
591		-+++ linux-5.3.15/net/ipv4/raw.c
	590	+--- linux-5.3.18.orig/net/ipv4/raw.c
	591	++++ linux-5.3.18/net/ipv4/raw.c
592	592	@@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
593	593	skb = skb_recv_datagram(sk, flags, noblock, &err);
594	594	if (!skb)

		@@ -600,8 +600,8 @@
600	600
601	601	copied = skb->len;
602	602	if (len < copied) {
603		---- linux-5.3.15.orig/net/ipv4/udp.c
604		-+++ linux-5.3.15/net/ipv4/udp.c
	603	+--- linux-5.3.18.orig/net/ipv4/udp.c
	604	++++ linux-5.3.18/net/ipv4/udp.c
605	605	@@ -1723,6 +1723,8 @@ try_again:
606	606	skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607	607	if (!skb)

		@@ -611,8 +611,8 @@
611	611
612	612	ulen = udp_skb_len(skb);
613	613	copied = len;
614		---- linux-5.3.15.orig/net/ipv6/raw.c
615		-+++ linux-5.3.15/net/ipv6/raw.c
	614	+--- linux-5.3.18.orig/net/ipv6/raw.c
	615	++++ linux-5.3.18/net/ipv6/raw.c
616	616	@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617	617	skb = skb_recv_datagram(sk, flags, noblock, &err);
618	618	if (!skb)

		@@ -624,8 +624,8 @@
624	624
625	625	copied = skb->len;
626	626	if (copied > len) {
627		---- linux-5.3.15.orig/net/ipv6/udp.c
628		-+++ linux-5.3.15/net/ipv6/udp.c
	627	+--- linux-5.3.18.orig/net/ipv6/udp.c
	628	++++ linux-5.3.18/net/ipv6/udp.c
629	629	@@ -288,6 +288,8 @@ try_again:
630	630	skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631	631	if (!skb)

		@@ -635,8 +635,8 @@
635	635
636	636	ulen = udp6_skb_len(skb);
637	637	copied = len;
638		---- linux-5.3.15.orig/net/socket.c
639		-+++ linux-5.3.15/net/socket.c
	638	+--- linux-5.3.18.orig/net/socket.c
	639	++++ linux-5.3.18/net/socket.c
640	640	@@ -1755,6 +1755,10 @@ int __sys_accept4(int fd, struct sockadd
641	641	if (err < 0)
642	642	goto out_fd;

		@@ -648,8 +648,8 @@
648	648	if (upeer_sockaddr) {
649	649	len = newsock->ops->getname(newsock,
650	650	(struct sockaddr *)&address, 2);
651		---- linux-5.3.15.orig/net/unix/af_unix.c
652		-+++ linux-5.3.15/net/unix/af_unix.c
	651	+--- linux-5.3.18.orig/net/unix/af_unix.c
	652	++++ linux-5.3.18/net/unix/af_unix.c
653	653	@@ -2075,6 +2075,10 @@ static int unix_dgram_recvmsg(struct soc
654	654	EPOLLOUT \| EPOLLWRNORM \|
655	655	EPOLLWRBAND);

		@@ -669,8 +669,8 @@
669	669	mutex_unlock(&u->iolock);
670	670	out:
671	671	return err;
672		---- linux-5.3.15.orig/security/Kconfig
673		-+++ linux-5.3.15/security/Kconfig
	672	+--- linux-5.3.18.orig/security/Kconfig
	673	++++ linux-5.3.18/security/Kconfig
674	674	@@ -290,5 +290,7 @@ config LSM
675	675
676	676	source "security/Kconfig.hardening"

		@@ -679,8 +679,8 @@
679	679	+
680	680	endmenu
681	681
682		---- linux-5.3.15.orig/security/Makefile
683		-+++ linux-5.3.15/security/Makefile
	682	+--- linux-5.3.18.orig/security/Makefile
	683	++++ linux-5.3.18/security/Makefile
684	684	@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685	685	# Object integrity file lists
686	686	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -688,8 +688,8 @@
688	688	+
689	689	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
690	690	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
691		---- linux-5.3.15.orig/security/security.c
692		-+++ linux-5.3.15/security/security.c
	691	+--- linux-5.3.18.orig/security/security.c
	692	++++ linux-5.3.18/security/security.c
693	693	@@ -1467,7 +1467,9 @@ int security_task_alloc(struct task_stru
694	694
695	695	if (rc)

--- trunk/caitsith-patch/patches/ccs-patch-5.4.diff (revision 290)

+++ trunk/caitsith-patch/patches/ccs-patch-5.4.diff (revision 291)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 5.4.2.
	1	+This is TOMOYO Linux patch for kernel 5.4.6.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.2.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.4.6.tar.xz
4	4	---
5	5	fs/exec.c \| 2 -
6	6	fs/open.c \| 2 +

		@@ -28,8 +28,8 @@
28	28	security/security.c \| 5 ++-
29	29	24 files changed, 160 insertions(+), 30 deletions(-)
30	30
31		---- linux-5.4.2.orig/fs/exec.c
32		-+++ linux-5.4.2/fs/exec.c
	31	+--- linux-5.4.6.orig/fs/exec.c
	32	++++ linux-5.4.6/fs/exec.c
33	33	@@ -1699,7 +1699,7 @@ static int exec_binprm(struct linux_binp
34	34	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35	35	rcu_read_unlock();

		@@ -39,8 +39,8 @@
39	39	if (ret >= 0) {
40	40	audit_bprm(bprm);
41	41	trace_sched_process_exec(current, old_pid, bprm);
42		---- linux-5.4.2.orig/fs/open.c
43		-+++ linux-5.4.2/fs/open.c
	42	+--- linux-5.4.6.orig/fs/open.c
	43	++++ linux-5.4.6/fs/open.c
44	44	@@ -1208,6 +1208,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-5.4.2.orig/fs/proc/version.c
54		-+++ linux-5.4.2/fs/proc/version.c
	53	+--- linux-5.4.6.orig/fs/proc/version.c
	54	++++ linux-5.4.6/fs/proc/version.c
55	55	@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 5.4.2 2019/12/07\n");
	62	++ printk(KERN_INFO "Hook version: 5.4.6 2019/12/24\n");
63	63	+ return 0;
64	64	+}
65	65	+fs_initcall(ccs_show_version);
66		---- linux-5.4.2.orig/include/linux/sched.h
67		-+++ linux-5.4.2/include/linux/sched.h
	66	+--- linux-5.4.6.orig/include/linux/sched.h
	67	++++ linux-5.4.6/include/linux/sched.h
68	68	@@ -38,6 +38,7 @@ struct backing_dev_info;
69	69	struct bio_list;
70	70	struct blk_plug;

		@@ -84,8 +84,8 @@
84	84
85	85	#ifdef CONFIG_GCC_PLUGIN_STACKLEAK
86	86	unsigned long lowest_stack;
87		---- linux-5.4.2.orig/include/linux/security.h
88		-+++ linux-5.4.2/include/linux/security.h
	87	+--- linux-5.4.6.orig/include/linux/security.h
	88	++++ linux-5.4.6/include/linux/security.h
89	89	@@ -57,6 +57,7 @@ struct mm_struct;
90	90	struct fs_context;
91	91	struct fs_parameter;

		@@ -315,8 +315,8 @@
315	315	}
316	316	#endif /* CONFIG_SECURITY_PATH */
317	317
318		---- linux-5.4.2.orig/include/net/ip.h
319		-+++ linux-5.4.2/include/net/ip.h
	318	+--- linux-5.4.6.orig/include/net/ip.h
	319	++++ linux-5.4.6/include/net/ip.h
320	320	@@ -341,6 +341,8 @@ void inet_get_local_port_range(struct ne
321	321	#ifdef CONFIG_SYSCTL
322	322	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -335,8 +335,8 @@
335	335	return 0;
336	336	}
337	337
338		---- linux-5.4.2.orig/init/init_task.c
339		-+++ linux-5.4.2/init/init_task.c
	338	+--- linux-5.4.6.orig/init/init_task.c
	339	++++ linux-5.4.6/init/init_task.c
340	340	@@ -181,6 +181,10 @@ struct task_struct init_task
341	341	#ifdef CONFIG_SECURITY
342	342	.security = NULL,

		@@ -348,8 +348,8 @@
348	348	};
349	349	EXPORT_SYMBOL(init_task);
350	350
351		---- linux-5.4.2.orig/kernel/kexec.c
352		-+++ linux-5.4.2/kernel/kexec.c
	351	+--- linux-5.4.6.orig/kernel/kexec.c
	352	++++ linux-5.4.6/kernel/kexec.c
353	353	@@ -16,7 +16,7 @@
354	354	#include <linux/syscalls.h>
355	355	#include <linux/vmalloc.h>

		@@ -368,8 +368,8 @@
368	368
369	369	/* Permit LSMs and IMA to fail the kexec */
370	370	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371		---- linux-5.4.2.orig/kernel/module.c
372		-+++ linux-5.4.2/kernel/module.c
	371	+--- linux-5.4.6.orig/kernel/module.c
	372	++++ linux-5.4.6/kernel/module.c
373	373	@@ -55,6 +55,7 @@
374	374	#include <linux/audit.h>
375	375	#include <uapi/linux/module.h>

		@@ -396,8 +396,8 @@
396	396
397	397	return 0;
398	398	}
399		---- linux-5.4.2.orig/kernel/ptrace.c
400		-+++ linux-5.4.2/kernel/ptrace.c
	399	+--- linux-5.4.6.orig/kernel/ptrace.c
	400	++++ linux-5.4.6/kernel/ptrace.c
401	401	@@ -1239,6 +1239,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402	402	{
403	403	struct task_struct *child;

		@@ -422,8 +422,8 @@
422	422
423	423	if (request == PTRACE_TRACEME) {
424	424	ret = ptrace_traceme();
425		---- linux-5.4.2.orig/kernel/reboot.c
426		-+++ linux-5.4.2/kernel/reboot.c
	425	+--- linux-5.4.6.orig/kernel/reboot.c
	426	++++ linux-5.4.6/kernel/reboot.c
427	427	@@ -17,6 +17,7 @@
428	428	#include <linux/syscalls.h>
429	429	#include <linux/syscore_ops.h>

		@@ -441,8 +441,8 @@
441	441
442	442	/*
443	443	* If pid namespaces are enabled and the current task is in a child
444		---- linux-5.4.2.orig/kernel/sched/core.c
445		-+++ linux-5.4.2/kernel/sched/core.c
	444	+--- linux-5.4.6.orig/kernel/sched/core.c
	445	++++ linux-5.4.6/kernel/sched/core.c
446	446	@@ -4572,6 +4572,8 @@ int can_nice(const struct task_struct *p
447	447	SYSCALL_DEFINE1(nice, int, increment)
448	448	{

		@@ -452,8 +452,8 @@
452	452
453	453	/*
454	454	* Setpriority might change our priority at the same moment.
455		---- linux-5.4.2.orig/kernel/signal.c
456		-+++ linux-5.4.2/kernel/signal.c
	455	+--- linux-5.4.6.orig/kernel/signal.c
	456	++++ linux-5.4.6/kernel/signal.c
457	457	@@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
458	458	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459	459	{

		@@ -521,8 +521,8 @@
521	521
522	522	return do_send_specific(tgid, pid, sig, info);
523	523	}
524		---- linux-5.4.2.orig/kernel/sys.c
525		-+++ linux-5.4.2/kernel/sys.c
	524	+--- linux-5.4.6.orig/kernel/sys.c
	525	++++ linux-5.4.6/kernel/sys.c
526	526	@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527	527
528	528	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -552,8 +552,8 @@
552	552
553	553	errno = -EFAULT;
554	554	if (!copy_from_user(tmp, name, len)) {
555		---- linux-5.4.2.orig/kernel/time/timekeeping.c
556		-+++ linux-5.4.2/kernel/time/timekeeping.c
	555	+--- linux-5.4.6.orig/kernel/time/timekeeping.c
	556	++++ linux-5.4.6/kernel/time/timekeeping.c
557	557	@@ -22,6 +22,7 @@
558	558	#include <linux/pvclock_gtod.h>
559	559	#include <linux/compiler.h>

		@@ -587,8 +587,8 @@
587	587
588	588	/*
589	589	* Validate if a timespec/timeval used to inject a time
590		---- linux-5.4.2.orig/net/ipv4/raw.c
591		-+++ linux-5.4.2/net/ipv4/raw.c
	590	+--- linux-5.4.6.orig/net/ipv4/raw.c
	591	++++ linux-5.4.6/net/ipv4/raw.c
592	592	@@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
593	593	skb = skb_recv_datagram(sk, flags, noblock, &err);
594	594	if (!skb)

		@@ -600,8 +600,8 @@
600	600
601	601	copied = skb->len;
602	602	if (len < copied) {
603		---- linux-5.4.2.orig/net/ipv4/udp.c
604		-+++ linux-5.4.2/net/ipv4/udp.c
	603	+--- linux-5.4.6.orig/net/ipv4/udp.c
	604	++++ linux-5.4.6/net/ipv4/udp.c
605	605	@@ -1740,6 +1740,8 @@ try_again:
606	606	skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607	607	if (!skb)

		@@ -611,8 +611,8 @@
611	611
612	612	ulen = udp_skb_len(skb);
613	613	copied = len;
614		---- linux-5.4.2.orig/net/ipv6/raw.c
615		-+++ linux-5.4.2/net/ipv6/raw.c
	614	+--- linux-5.4.6.orig/net/ipv6/raw.c
	615	++++ linux-5.4.6/net/ipv6/raw.c
616	616	@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617	617	skb = skb_recv_datagram(sk, flags, noblock, &err);
618	618	if (!skb)

		@@ -624,8 +624,8 @@
624	624
625	625	copied = skb->len;
626	626	if (copied > len) {
627		---- linux-5.4.2.orig/net/ipv6/udp.c
628		-+++ linux-5.4.2/net/ipv6/udp.c
	627	+--- linux-5.4.6.orig/net/ipv6/udp.c
	628	++++ linux-5.4.6/net/ipv6/udp.c
629	629	@@ -288,6 +288,8 @@ try_again:
630	630	skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631	631	if (!skb)

		@@ -635,8 +635,8 @@
635	635
636	636	ulen = udp6_skb_len(skb);
637	637	copied = len;
638		---- linux-5.4.2.orig/net/socket.c
639		-+++ linux-5.4.2/net/socket.c
	638	+--- linux-5.4.6.orig/net/socket.c
	639	++++ linux-5.4.6/net/socket.c
640	640	@@ -1755,6 +1755,10 @@ int __sys_accept4(int fd, struct sockadd
641	641	if (err < 0)
642	642	goto out_fd;

		@@ -648,8 +648,8 @@
648	648	if (upeer_sockaddr) {
649	649	len = newsock->ops->getname(newsock,
650	650	(struct sockaddr *)&address, 2);
651		---- linux-5.4.2.orig/net/unix/af_unix.c
652		-+++ linux-5.4.2/net/unix/af_unix.c
	651	+--- linux-5.4.6.orig/net/unix/af_unix.c
	652	++++ linux-5.4.6/net/unix/af_unix.c
653	653	@@ -2075,6 +2075,10 @@ static int unix_dgram_recvmsg(struct soc
654	654	EPOLLOUT \| EPOLLWRNORM \|
655	655	EPOLLWRBAND);

		@@ -669,8 +669,8 @@
669	669	mutex_unlock(&u->iolock);
670	670	out:
671	671	return err;
672		---- linux-5.4.2.orig/security/Kconfig
673		-+++ linux-5.4.2/security/Kconfig
	672	+--- linux-5.4.6.orig/security/Kconfig
	673	++++ linux-5.4.6/security/Kconfig
674	674	@@ -291,5 +291,7 @@ config LSM
675	675
676	676	source "security/Kconfig.hardening"

		@@ -679,8 +679,8 @@
679	679	+
680	680	endmenu
681	681
682		---- linux-5.4.2.orig/security/Makefile
683		-+++ linux-5.4.2/security/Makefile
	682	+--- linux-5.4.6.orig/security/Makefile
	683	++++ linux-5.4.6/security/Makefile
684	684	@@ -34,3 +34,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685	685	# Object integrity file lists
686	686	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -688,8 +688,8 @@
688	688	+
689	689	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
690	690	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
691		---- linux-5.4.2.orig/security/security.c
692		-+++ linux-5.4.2/security/security.c
	691	+--- linux-5.4.6.orig/security/security.c
	692	++++ linux-5.4.6/security/security.c
693	693	@@ -1507,7 +1507,9 @@ int security_task_alloc(struct task_stru
694	694
695	695	if (rc)

--- trunk/caitsith-patch/patches/ccs-patch-5.5.diff (nonexistent)

+++ trunk/caitsith-patch/patches/ccs-patch-5.5.diff (revision 291)

		@@ -0,0 +1,711 @@
	1	+This is TOMOYO Linux patch for kernel 5.5-rc3.
	2	+
	3	+Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.5-rc3.tar.gz
	4	+---
	5	+ fs/exec.c \| 2 -
	6	+ fs/open.c \| 2 +
	7	+ fs/proc/version.c \| 7 ++++
	8	+ include/linux/sched.h \| 5 +++
	9	+ include/linux/security.h \| 70 ++++++++++++++++++++++++++++------------------
	10	+ include/net/ip.h \| 4 ++
	11	+ init/init_task.c \| 4 ++
	12	+ kernel/kexec.c \| 4 +-
	13	+ kernel/module.c \| 5 +++
	14	+ kernel/ptrace.c \| 10 ++++++
	15	+ kernel/reboot.c \| 3 +
	16	+ kernel/sched/core.c \| 2 +
	17	+ kernel/signal.c \| 25 ++++++++++++++++
	18	+ kernel/sys.c \| 8 +++++
	19	+ kernel/time/timekeeping.c \| 8 +++++
	20	+ net/ipv4/raw.c \| 4 ++
	21	+ net/ipv4/udp.c \| 2 +
	22	+ net/ipv6/raw.c \| 4 ++
	23	+ net/ipv6/udp.c \| 2 +
	24	+ net/socket.c \| 4 ++
	25	+ net/unix/af_unix.c \| 5 +++
	26	+ security/Kconfig \| 2 +
	27	+ security/Makefile \| 3 +
	28	+ security/security.c \| 5 ++-
	29	+ 24 files changed, 160 insertions(+), 30 deletions(-)
	30	+
	31	+--- linux-5.5-rc3.orig/fs/exec.c
	32	++++ linux-5.5-rc3/fs/exec.c
	33	+@@ -1698,7 +1698,7 @@ static int exec_binprm(struct linux_binp
	34	+ old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
	35	+ rcu_read_unlock();
	36	+
	37	+- ret = search_binary_handler(bprm);
	38	++ ret = ccs_search_binary_handler(bprm);
	39	+ if (ret >= 0) {
	40	+ audit_bprm(bprm);
	41	+ trace_sched_process_exec(current, old_pid, bprm);
	42	+--- linux-5.5-rc3.orig/fs/open.c
	43	++++ linux-5.5-rc3/fs/open.c
	44	+@@ -1208,6 +1208,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
	45	+ */
	46	+ SYSCALL_DEFINE0(vhangup)
	47	+ {
	48	++ if (!ccs_capable(CCS_SYS_VHANGUP))
	49	++ return -EPERM;
	50	+ if (capable(CAP_SYS_TTY_CONFIG)) {
	51	+ tty_vhangup_self();
	52	+ return 0;
	53	+--- linux-5.5-rc3.orig/fs/proc/version.c
	54	++++ linux-5.5-rc3/fs/proc/version.c
	55	+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
	56	+ return 0;
	57	+ }
	58	+ fs_initcall(proc_version_init);
	59	++
	60	++static int __init ccs_show_version(void)
	61	++{
	62	++ printk(KERN_INFO "Hook version: 5.5-rc3 2019/12/24\n");
	63	++ return 0;
	64	++}
	65	++fs_initcall(ccs_show_version);
	66	+--- linux-5.5-rc3.orig/include/linux/sched.h
	67	++++ linux-5.5-rc3/include/linux/sched.h
	68	+@@ -38,6 +38,7 @@ struct backing_dev_info;
	69	+ struct bio_list;
	70	+ struct blk_plug;
	71	+ struct capture_control;
	72	++struct ccs_domain_info;
	73	+ struct cfs_rq;
	74	+ struct fs_struct;
	75	+ struct futex_pi_state;
	76	+@@ -1275,6 +1276,10 @@ struct task_struct {
	77	+ /* Used by LSM modules for access restriction: */
	78	+ void *security;
	79	+ #endif
	80	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	81	++ struct ccs_domain_info *ccs_domain_info;
	82	++ u32 ccs_flags;
	83	++#endif
	84	+
	85	+ #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
	86	+ unsigned long lowest_stack;
	87	+--- linux-5.5-rc3.orig/include/linux/security.h
	88	++++ linux-5.5-rc3/include/linux/security.h
	89	+@@ -57,6 +57,7 @@ struct mm_struct;
	90	+ struct fs_context;
	91	+ struct fs_parameter;
	92	+ enum fs_value_type;
	93	++#include <linux/ccsecurity.h>
	94	+
	95	+ /* Default (no) options for the capable function */
	96	+ #define CAP_OPT_NONE 0x0
	97	+@@ -560,7 +561,10 @@ static inline int security_syslog(int ty
	98	+ static inline int security_settime64(const struct timespec64 *ts,
	99	+ const struct timezone *tz)
	100	+ {
	101	+- return cap_settime(ts, tz);
	102	++ int error = cap_settime(ts, tz);
	103	++ if (!error)
	104	++ error = ccs_settime(ts, tz);
	105	++ return error;
	106	+ }
	107	+
	108	+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
	109	+@@ -637,18 +641,18 @@ static inline int security_sb_mount(cons
	110	+ const char *type, unsigned long flags,
	111	+ void *data)
	112	+ {
	113	+- return 0;
	114	++ return ccs_sb_mount(dev_name, path, type, flags, data);
	115	+ }
	116	+
	117	+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
	118	+ {
	119	+- return 0;
	120	++ return ccs_sb_umount(mnt, flags);
	121	+ }
	122	+
	123	+ static inline int security_sb_pivotroot(const struct path *old_path,
	124	+ const struct path *new_path)
	125	+ {
	126	+- return 0;
	127	++ return ccs_sb_pivotroot(old_path, new_path);
	128	+ }
	129	+
	130	+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
	131	+@@ -676,7 +680,7 @@ static inline int security_add_mnt_opt(c
	132	+ static inline int security_move_mount(const struct path *from_path,
	133	+ const struct path *to_path)
	134	+ {
	135	+- return 0;
	136	++ return ccs_move_mount_permission(from_path, to_path);
	137	+ }
	138	+
	139	+ static inline int security_path_notify(const struct path *path, u64 mask,
	140	+@@ -810,7 +814,7 @@ static inline int security_inode_setattr
	141	+
	142	+ static inline int security_inode_getattr(const struct path *path)
	143	+ {
	144	+- return 0;
	145	++ return ccs_inode_getattr(path);
	146	+ }
	147	+
	148	+ static inline int security_inode_setxattr(struct dentry *dentry,
	149	+@@ -902,7 +906,7 @@ static inline void security_file_free(st
	150	+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
	151	+ unsigned long arg)
	152	+ {
	153	+- return 0;
	154	++ return ccs_file_ioctl(file, cmd, arg);
	155	+ }
	156	+
	157	+ static inline int security_mmap_file(struct file *file, unsigned long prot,
	158	+@@ -931,7 +935,7 @@ static inline int security_file_lock(str
	159	+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
	160	+ unsigned long arg)
	161	+ {
	162	+- return 0;
	163	++ return ccs_file_fcntl(file, cmd, arg);
	164	+ }
	165	+
	166	+ static inline void security_file_set_fowner(struct file *file)
	167	+@@ -953,17 +957,19 @@ static inline int security_file_receive(
	168	+
	169	+ static inline int security_file_open(struct file *file)
	170	+ {
	171	+- return 0;
	172	++ return ccs_file_open(file);
	173	+ }
	174	+
	175	+ static inline int security_task_alloc(struct task_struct *task,
	176	+ unsigned long clone_flags)
	177	+ {
	178	+- return 0;
	179	++ return ccs_alloc_task_security(task);
	180	+ }
	181	+
	182	+ static inline void security_task_free(struct task_struct *task)
	183	+-{ }
	184	++{
	185	++ ccs_free_task_security(task);
	186	++}
	187	+
	188	+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
	189	+ {
	190	+@@ -1342,7 +1348,7 @@ static inline int security_unix_may_send
	191	+ static inline int security_socket_create(int family, int type,
	192	+ int protocol, int kern)
	193	+ {
	194	+- return 0;
	195	++ return ccs_socket_create(family, type, protocol, kern);
	196	+ }
	197	+
	198	+ static inline int security_socket_post_create(struct socket *sock,
	199	+@@ -1363,19 +1369,19 @@ static inline int security_socket_bind(s
	200	+ struct sockaddr *address,
	201	+ int addrlen)
	202	+ {
	203	+- return 0;
	204	++ return ccs_socket_bind(sock, address, addrlen);
	205	+ }
	206	+
	207	+ static inline int security_socket_connect(struct socket *sock,
	208	+ struct sockaddr *address,
	209	+ int addrlen)
	210	+ {
	211	+- return 0;
	212	++ return ccs_socket_connect(sock, address, addrlen);
	213	+ }
	214	+
	215	+ static inline int security_socket_listen(struct socket *sock, int backlog)
	216	+ {
	217	+- return 0;
	218	++ return ccs_socket_listen(sock, backlog);
	219	+ }
	220	+
	221	+ static inline int security_socket_accept(struct socket *sock,
	222	+@@ -1387,7 +1393,7 @@ static inline int security_socket_accept
	223	+ static inline int security_socket_sendmsg(struct socket *sock,
	224	+ struct msghdr *msg, int size)
	225	+ {
	226	+- return 0;
	227	++ return ccs_socket_sendmsg(sock, msg, size);
	228	+ }
	229	+
	230	+ static inline int security_socket_recvmsg(struct socket *sock,
	231	+@@ -1674,42 +1680,42 @@ int security_path_chroot(const struct pa
	232	+ #else /* CONFIG_SECURITY_PATH */
	233	+ static inline int security_path_unlink(const struct path dir, struct dentry dentry)
	234	+ {
	235	+- return 0;
	236	++ return ccs_path_unlink(dir, dentry);
	237	+ }
	238	+
	239	+ static inline int security_path_mkdir(const struct path dir, struct dentry dentry,
	240	+ umode_t mode)
	241	+ {
	242	+- return 0;
	243	++ return ccs_path_mkdir(dir, dentry, mode);
	244	+ }
	245	+
	246	+ static inline int security_path_rmdir(const struct path dir, struct dentry dentry)
	247	+ {
	248	+- return 0;
	249	++ return ccs_path_rmdir(dir, dentry);
	250	+ }
	251	+
	252	+ static inline int security_path_mknod(const struct path dir, struct dentry dentry,
	253	+ umode_t mode, unsigned int dev)
	254	+ {
	255	+- return 0;
	256	++ return ccs_path_mknod(dir, dentry, mode, dev);
	257	+ }
	258	+
	259	+ static inline int security_path_truncate(const struct path *path)
	260	+ {
	261	+- return 0;
	262	++ return ccs_path_truncate(path);
	263	+ }
	264	+
	265	+ static inline int security_path_symlink(const struct path dir, struct dentry dentry,
	266	+ const char *old_name)
	267	+ {
	268	+- return 0;
	269	++ return ccs_path_symlink(dir, dentry, old_name);
	270	+ }
	271	+
	272	+ static inline int security_path_link(struct dentry *old_dentry,
	273	+ const struct path *new_dir,
	274	+ struct dentry *new_dentry)
	275	+ {
	276	+- return 0;
	277	++ return ccs_path_link(old_dentry, new_dir, new_dentry);
	278	+ }
	279	+
	280	+ static inline int security_path_rename(const struct path *old_dir,
	281	+@@ -1718,22 +1724,32 @@ static inline int security_path_rename(c
	282	+ struct dentry *new_dentry,
	283	+ unsigned int flags)
	284	+ {
	285	+- return 0;
	286	++ /*
	287	++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
	288	++ * by doing "#include <uapi/linux/fs.h>" .
	289	++ */
	290	++ if (flags & (1 << 1)) {
	291	++ int err = ccs_path_rename(new_dir, new_dentry, old_dir,
	292	++ old_dentry);
	293	++ if (err)
	294	++ return err;
	295	++ }
	296	++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry);
	297	+ }
	298	+
	299	+ static inline int security_path_chmod(const struct path *path, umode_t mode)
	300	+ {
	301	+- return 0;
	302	++ return ccs_path_chmod(path, mode);
	303	+ }
	304	+
	305	+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
	306	+ {
	307	+- return 0;
	308	++ return ccs_path_chown(path, uid, gid);
	309	+ }
	310	+
	311	+ static inline int security_path_chroot(const struct path *path)
	312	+ {
	313	+- return 0;
	314	++ return ccs_path_chroot(path);
	315	+ }
	316	+ #endif /* CONFIG_SECURITY_PATH */
	317	+
	318	+--- linux-5.5-rc3.orig/include/net/ip.h
	319	++++ linux-5.5-rc3/include/net/ip.h
	320	+@@ -341,6 +341,8 @@ void inet_get_local_port_range(struct ne
	321	+ #ifdef CONFIG_SYSCTL
	322	+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
	323	+ {
	324	++ if (ccs_lport_reserved(port))
	325	++ return true;
	326	+ if (!net->ipv4.sysctl_local_reserved_ports)
	327	+ return false;
	328	+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
	329	+@@ -359,6 +361,8 @@ static inline bool inet_port_requires_bi
	330	+ #else
	331	+ static inline bool inet_is_local_reserved_port(struct net *net, unsigned short port)
	332	+ {
	333	++ if (ccs_lport_reserved(port))
	334	++ return true;
	335	+ return false;
	336	+ }
	337	+
	338	+--- linux-5.5-rc3.orig/init/init_task.c
	339	++++ linux-5.5-rc3/init/init_task.c
	340	+@@ -181,6 +181,10 @@ struct task_struct init_task
	341	+ #ifdef CONFIG_SECURITY
	342	+ .security = NULL,
	343	+ #endif
	344	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	345	++ .ccs_domain_info = NULL,
	346	++ .ccs_flags = 0,
	347	++#endif
	348	+ };
	349	+ EXPORT_SYMBOL(init_task);
	350	+
	351	+--- linux-5.5-rc3.orig/kernel/kexec.c
	352	++++ linux-5.5-rc3/kernel/kexec.c
	353	+@@ -16,7 +16,7 @@
	354	+ #include <linux/syscalls.h>
	355	+ #include <linux/vmalloc.h>
	356	+ #include <linux/slab.h>
	357	+-
	358	++#include <linux/ccsecurity.h>
	359	+ #include "kexec_internal.h"
	360	+
	361	+ static int copy_user_segment_list(struct kimage *image,
	362	+@@ -199,6 +199,8 @@ static inline int kexec_load_check(unsig
	363	+ /* We only trust the superuser with rebooting the system. */
	364	+ if (!capable(CAP_SYS_BOOT) \|\| kexec_load_disabled)
	365	+ return -EPERM;
	366	++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
	367	++ return -EPERM;
	368	+
	369	+ /* Permit LSMs and IMA to fail the kexec */
	370	+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
	371	+--- linux-5.5-rc3.orig/kernel/module.c
	372	++++ linux-5.5-rc3/kernel/module.c
	373	+@@ -55,6 +55,7 @@
	374	+ #include <linux/audit.h>
	375	+ #include <uapi/linux/module.h>
	376	+ #include "module-internal.h"
	377	++#include <linux/ccsecurity.h>
	378	+
	379	+ #define CREATE_TRACE_POINTS
	380	+ #include <trace/events/module.h>
	381	+@@ -973,6 +974,8 @@ SYSCALL_DEFINE2(delete_module, const cha
	382	+
	383	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	384	+ return -EPERM;
	385	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	386	++ return -EPERM;
	387	+
	388	+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
	389	+ return -EFAULT;
	390	+@@ -3671,6 +3674,8 @@ static int may_init_module(void)
	391	+ {
	392	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	393	+ return -EPERM;
	394	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	395	++ return -EPERM;
	396	+
	397	+ return 0;
	398	+ }
	399	+--- linux-5.5-rc3.orig/kernel/ptrace.c
	400	++++ linux-5.5-rc3/kernel/ptrace.c
	401	+@@ -1239,6 +1239,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
	402	+ {
	403	+ struct task_struct *child;
	404	+ long ret;
	405	++ {
	406	++ const int rc = ccs_ptrace_permission(request, pid);
	407	++ if (rc)
	408	++ return rc;
	409	++ }
	410	+
	411	+ if (request == PTRACE_TRACEME) {
	412	+ ret = ptrace_traceme();
	413	+@@ -1386,6 +1391,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
	414	+ {
	415	+ struct task_struct *child;
	416	+ long ret;
	417	++ {
	418	++ const int rc = ccs_ptrace_permission(request, pid);
	419	++ if (rc)
	420	++ return rc;
	421	++ }
	422	+
	423	+ if (request == PTRACE_TRACEME) {
	424	+ ret = ptrace_traceme();
	425	+--- linux-5.5-rc3.orig/kernel/reboot.c
	426	++++ linux-5.5-rc3/kernel/reboot.c
	427	+@@ -17,6 +17,7 @@
	428	+ #include <linux/syscalls.h>
	429	+ #include <linux/syscore_ops.h>
	430	+ #include <linux/uaccess.h>
	431	++#include <linux/ccsecurity.h>
	432	+
	433	+ /*
	434	+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
	435	+@@ -325,6 +326,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
	436	+ magic2 != LINUX_REBOOT_MAGIC2B &&
	437	+ magic2 != LINUX_REBOOT_MAGIC2C))
	438	+ return -EINVAL;
	439	++ if (!ccs_capable(CCS_SYS_REBOOT))
	440	++ return -EPERM;
	441	+
	442	+ /*
	443	+ * If pid namespaces are enabled and the current task is in a child
	444	+--- linux-5.5-rc3.orig/kernel/sched/core.c
	445	++++ linux-5.5-rc3/kernel/sched/core.c
	446	+@@ -4582,6 +4582,8 @@ int can_nice(const struct task_struct *p
	447	+ SYSCALL_DEFINE1(nice, int, increment)
	448	+ {
	449	+ long nice, retval;
	450	++ if (!ccs_capable(CCS_SYS_NICE))
	451	++ return -EPERM;
	452	+
	453	+ /*
	454	+ * Setpriority might change our priority at the same moment.
	455	+--- linux-5.5-rc3.orig/kernel/signal.c
	456	++++ linux-5.5-rc3/kernel/signal.c
	457	+@@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
	458	+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
	459	+ {
	460	+ struct kernel_siginfo info;
	461	++ if (ccs_kill_permission(pid, sig))
	462	++ return -EPERM;
	463	+
	464	+ prepare_kill_siginfo(sig, &info);
	465	+
	466	+@@ -3732,6 +3734,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
	467	+ if (!access_pidfd_pidns(pid))
	468	+ goto err;
	469	+
	470	++ {
	471	++ struct task_struct *task;
	472	++ int id = 0;
	473	++
	474	++ rcu_read_lock();
	475	++ task = pid_task(pid, PIDTYPE_PID);
	476	++ if (task)
	477	++ id = task_pid_vnr(task);
	478	++ rcu_read_unlock();
	479	++ if (task && ccs_kill_permission(id, sig)) {
	480	++ ret = -EPERM;
	481	++ goto err;
	482	++ }
	483	++ }
	484	++
	485	+ if (info) {
	486	+ ret = copy_siginfo_from_user_any(&kinfo, info);
	487	+ if (unlikely(ret))
	488	+@@ -3816,6 +3833,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
	489	+ /* This is only valid for single tasks */
	490	+ if (pid <= 0 \|\| tgid <= 0)
	491	+ return -EINVAL;
	492	++ if (ccs_tgkill_permission(tgid, pid, sig))
	493	++ return -EPERM;
	494	+
	495	+ return do_tkill(tgid, pid, sig);
	496	+ }
	497	+@@ -3832,6 +3851,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
	498	+ /* This is only valid for single tasks */
	499	+ if (pid <= 0)
	500	+ return -EINVAL;
	501	++ if (ccs_tkill_permission(pid, sig))
	502	++ return -EPERM;
	503	+
	504	+ return do_tkill(0, pid, sig);
	505	+ }
	506	+@@ -3844,6 +3865,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
	507	+ if ((info->si_code >= 0 \|\| info->si_code == SI_TKILL) &&
	508	+ (task_pid_vnr(current) != pid))
	509	+ return -EPERM;
	510	++ if (ccs_sigqueue_permission(pid, sig))
	511	++ return -EPERM;
	512	+
	513	+ /* POSIX.1b doesn't mention process groups. */
	514	+ return kill_proc_info(sig, info, pid);
	515	+@@ -3891,6 +3914,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
	516	+ if ((info->si_code >= 0 \|\| info->si_code == SI_TKILL) &&
	517	+ (task_pid_vnr(current) != pid))
	518	+ return -EPERM;
	519	++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
	520	++ return -EPERM;
	521	+
	522	+ return do_send_specific(tgid, pid, sig, info);
	523	+ }
	524	+--- linux-5.5-rc3.orig/kernel/sys.c
	525	++++ linux-5.5-rc3/kernel/sys.c
	526	+@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
	527	+
	528	+ if (which > PRIO_USER \|\| which < PRIO_PROCESS)
	529	+ goto out;
	530	++ if (!ccs_capable(CCS_SYS_NICE)) {
	531	++ error = -EPERM;
	532	++ goto out;
	533	++ }
	534	+
	535	+ /* normalize: avoid signed division (rounding problems) */
	536	+ error = -ESRCH;
	537	+@@ -1314,6 +1318,8 @@ SYSCALL_DEFINE2(sethostname, char __user
	538	+
	539	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	540	+ return -EINVAL;
	541	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	542	++ return -EPERM;
	543	+ errno = -EFAULT;
	544	+ if (!copy_from_user(tmp, name, len)) {
	545	+ struct new_utsname *u;
	546	+@@ -1366,6 +1372,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
	547	+ return -EPERM;
	548	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	549	+ return -EINVAL;
	550	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	551	++ return -EPERM;
	552	+
	553	+ errno = -EFAULT;
	554	+ if (!copy_from_user(tmp, name, len)) {
	555	+--- linux-5.5-rc3.orig/kernel/time/timekeeping.c
	556	++++ linux-5.5-rc3/kernel/time/timekeeping.c
	557	+@@ -22,6 +22,7 @@
	558	+ #include <linux/pvclock_gtod.h>
	559	+ #include <linux/compiler.h>
	560	+ #include <linux/audit.h>
	561	++#include <linux/ccsecurity.h>
	562	+
	563	+ #include "tick-internal.h"
	564	+ #include "ntp_internal.h"
	565	+@@ -2253,10 +2254,15 @@ static int timekeeping_validate_timex(co
	566	+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	567	+ !capable(CAP_SYS_TIME))
	568	+ return -EPERM;
	569	++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	570	++ !ccs_capable(CCS_SYS_SETTIME))
	571	++ return -EPERM;
	572	+ } else {
	573	+ /* In order to modify anything, you gotta be super-user! */
	574	+ if (txc->modes && !capable(CAP_SYS_TIME))
	575	+ return -EPERM;
	576	++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
	577	++ return -EPERM;
	578	+ /*
	579	+ * if the quartz is off by more than 10% then
	580	+ * something is VERY wrong!
	581	+@@ -2271,6 +2277,8 @@ static int timekeeping_validate_timex(co
	582	+ /* In order to inject time, you gotta be super-user! */
	583	+ if (!capable(CAP_SYS_TIME))
	584	+ return -EPERM;
	585	++ if (!ccs_capable(CCS_SYS_SETTIME))
	586	++ return -EPERM;
	587	+
	588	+ /*
	589	+ * Validate if a timespec/timeval used to inject a time
	590	+--- linux-5.5-rc3.orig/net/ipv4/raw.c
	591	++++ linux-5.5-rc3/net/ipv4/raw.c
	592	+@@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
	593	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	594	+ if (!skb)
	595	+ goto out;
	596	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	597	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	598	++ goto out;
	599	++ }
	600	+
	601	+ copied = skb->len;
	602	+ if (len < copied) {
	603	+--- linux-5.5-rc3.orig/net/ipv4/udp.c
	604	++++ linux-5.5-rc3/net/ipv4/udp.c
	605	+@@ -1740,6 +1740,8 @@ try_again:
	606	+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
	607	+ if (!skb)
	608	+ return err;
	609	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
	610	++ return -EAGAIN; /* Hope less harmful than -EPERM. */
	611	+
	612	+ ulen = udp_skb_len(skb);
	613	+ copied = len;
	614	+--- linux-5.5-rc3.orig/net/ipv6/raw.c
	615	++++ linux-5.5-rc3/net/ipv6/raw.c
	616	+@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
	617	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	618	+ if (!skb)
	619	+ goto out;
	620	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	621	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	622	++ goto out;
	623	++ }
	624	+
	625	+ copied = skb->len;
	626	+ if (copied > len) {
	627	+--- linux-5.5-rc3.orig/net/ipv6/udp.c
	628	++++ linux-5.5-rc3/net/ipv6/udp.c
	629	+@@ -288,6 +288,8 @@ try_again:
	630	+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
	631	+ if (!skb)
	632	+ return err;
	633	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
	634	++ return -EAGAIN; /* Hope less harmful than -EPERM. */
	635	+
	636	+ ulen = udp6_skb_len(skb);
	637	+ copied = len;
	638	+--- linux-5.5-rc3.orig/net/socket.c
	639	++++ linux-5.5-rc3/net/socket.c
	640	+@@ -1747,6 +1747,10 @@ int __sys_accept4_file(struct file *file
	641	+ if (err < 0)
	642	+ goto out_fd;
	643	+
	644	++ if (ccs_socket_post_accept_permission(sock, newsock)) {
	645	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	646	++ goto out_fd;
	647	++ }
	648	+ if (upeer_sockaddr) {
	649	+ len = newsock->ops->getname(newsock,
	650	+ (struct sockaddr *)&address, 2);
	651	+--- linux-5.5-rc3.orig/net/unix/af_unix.c
	652	++++ linux-5.5-rc3/net/unix/af_unix.c
	653	+@@ -2085,6 +2085,10 @@ static int unix_dgram_recvmsg(struct soc
	654	+ EPOLLOUT \| EPOLLWRNORM \|
	655	+ EPOLLWRBAND);
	656	+
	657	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	658	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	659	++ goto out_unlock;
	660	++ }
	661	+ if (msg->msg_name)
	662	+ unix_copy_addr(msg, skb->sk);
	663	+
	664	+@@ -2135,6 +2139,7 @@ static int unix_dgram_recvmsg(struct soc
	665	+
	666	+ out_free:
	667	+ skb_free_datagram(sk, skb);
	668	++out_unlock:
	669	+ mutex_unlock(&u->iolock);
	670	+ out:
	671	+ return err;
	672	+--- linux-5.5-rc3.orig/security/Kconfig
	673	++++ linux-5.5-rc3/security/Kconfig
	674	+@@ -291,5 +291,7 @@ config LSM
	675	+
	676	+ source "security/Kconfig.hardening"
	677	+
	678	++source "security/ccsecurity/Kconfig"
	679	++
	680	+ endmenu
	681	+
	682	+--- linux-5.5-rc3.orig/security/Makefile
	683	++++ linux-5.5-rc3/security/Makefile
	684	+@@ -34,3 +34,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
	685	+ # Object integrity file lists
	686	+ subdir-$(CONFIG_INTEGRITY) += integrity
	687	+ obj-$(CONFIG_INTEGRITY) += integrity/
	688	++
	689	++subdir-$(CONFIG_CCSECURITY) += ccsecurity
	690	++obj-$(CONFIG_CCSECURITY) += ccsecurity/
	691	+--- linux-5.5-rc3.orig/security/security.c
	692	++++ linux-5.5-rc3/security/security.c
	693	+@@ -1507,7 +1507,9 @@ int security_task_alloc(struct task_stru
	694	+
	695	+ if (rc)
	696	+ return rc;
	697	+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
	698	++ rc = ccs_alloc_task_security(task);
	699	++ if (likely(!rc))
	700	++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
	701	+ if (unlikely(rc))
	702	+ security_task_free(task);
	703	+ return rc;
	704	+@@ -1516,6 +1518,7 @@ int security_task_alloc(struct task_stru
	705	+ void security_task_free(struct task_struct *task)
	706	+ {
	707	+ call_void_hook(task_free, task);
	708	++ ccs_free_task_security(task);
	709	+
	710	+ kfree(task->security);
	711	+ task->security = NULL;

--- trunk/caitsith-patch/security/caitsith/permission.c (revision 290)

+++ trunk/caitsith-patch/security/caitsith/permission.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "internal.h"

--- trunk/caitsith-patch/security/caitsith/policy_io.c (revision 290)

+++ trunk/caitsith-patch/security/caitsith/policy_io.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "internal.h"

		@@ -2243,7 +2243,7 @@
2243	2243	static void cs_check_profile(void)
2244	2244	{
2245	2245	cs_policy_loaded = true;
2246		- printk(KERN_INFO "CaitSith: 0.2.4 2019/08/20\n");
	2246	+ printk(KERN_INFO "CaitSith: 0.2.4+ 2019/12/25\n");
2247	2247	if (cs_policy_version == 20120401) {
2248	2248	printk(KERN_INFO "CaitSith module activated.\n");
2249	2249	return;

--- trunk/caitsith-patch/security/caitsith/realpath.c (revision 290)

+++ trunk/caitsith-patch/security/caitsith/realpath.c (revision 291)

		@@ -3,7 +3,7 @@
3	3	*
4	4	* Copyright (C) 2005-2012 NTT DATA CORPORATION
5	5	*
6		- * Version: 0.2.4 2019/08/20
	6	+ * Version: 0.2.4+ 2019/12/25
7	7	*/
8	8
9	9	#include "internal.h"

--- trunk/caitsith-patch/specs/build-c6-2.6.32.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-c6-2.6.32.sh (revision 291)

		@@ -10,17 +10,17 @@
10	10
11	11	cd /tmp/ \|\| die "Can't chdir to /tmp/ ."
12	12
13		-if [ ! -r kernel-2.6.32-754.24.3.el6.src.rpm ]
	13	+if [ ! -r kernel-2.6.32-754.25.1.el6.src.rpm ]
14	14	then
15		- wget http://vault.centos.org/centos/6/updates/Source/SPackages/kernel-2.6.32-754.24.3.el6.src.rpm \|\| die "Can't download source package."
	15	+ wget http://vault.centos.org/centos/6/updates/Source/SPackages/kernel-2.6.32-754.25.1.el6.src.rpm \|\| die "Can't download source package."
16	16	fi
17		-LANG=C rpm --checksig kernel-2.6.32-754.24.3.el6.src.rpm \| grep -F ': rsa sha1 (md5) pgp md5 OK' \|\| die "Can't verify signature."
18		-rpm -ivh kernel-2.6.32-754.24.3.el6.src.rpm \|\| die "Can't install source package."
	17	+LANG=C rpm --checksig kernel-2.6.32-754.25.1.el6.src.rpm \| grep -F ': rsa sha1 (md5) pgp md5 OK' \|\| die "Can't verify signature."
	18	+rpm -ivh kernel-2.6.32-754.25.1.el6.src.rpm \|\| die "Can't install source package."
19	19
20	20	cd ~/rpmbuild/SOURCES/ \|\| die "Can't chdir to ~/rpmbuild/SOURCES/ ."
21		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	21	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
22	22	then
23		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	23	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
24	24	fi
25	25
26	26	cd ~/rpmbuild/SPECS/ \|\| die "Can't chdir to ~/rpmbuild/SPECS/ ."

		@@ -33,9 +33,9 @@
33	33	# by setting the define to ".local" or ".bz123456"
34	34	#
35	35	-# % define buildid .local
36		-+%define buildid _caitsith_0.2.4
	36	++%define buildid _caitsith_0.2.4p1
37	37
38		- %define distro_build 754.24.3
	38	+ %define distro_build 754.25.1
39	39	%define kabi_build 754
40	40	@@ -438,7 +438,7 @@
41	41	# Packages that need to be installed before the kernel is, because the %post

		@@ -69,7 +69,7 @@
69	69	ApplyOptionalPatch linux-kernel-test.patch
70	70
71	71	+# CaitSith
72		-+tar -zxf %_sourcedir/caitsith-patch-0.2-20191111.tar.gz
	72	++tar -zxf %_sourcedir/caitsith-patch-0.2-20191225.tar.gz
73	73	+sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
74	74	+patch -sp1 < patches/ccs-patch-2.6.32-centos-6.diff
75	75	# Any further pre-build tree manipulations happen here.

--- trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 291)

		@@ -18,9 +18,9 @@
18	18	rpm -ivh kernel-3.10.0-1062.9.1.el7.src.rpm \|\| die "Can't install source package."
19	19
20	20	cd ~/rpmbuild/SOURCES/ \|\| die "Can't chdir to ~/rpmbuild/SOURCES/ ."
21		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	21	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
22	22	then
23		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	23	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
24	24	fi
25	25
26	26	cd ~/rpmbuild/SPECS/ \|\| die "Can't chdir to ~/rpmbuild/SPECS/ ."

		@@ -33,7 +33,7 @@
33	33	%define dist .el7
34	34
35	35	-# % define buildid .local
36		-+%define buildid _caitsith_0.2.4
	36	++%define buildid _caitsith_0.2.4p1
37	37
38	38	# For a kernel released for public testing, released_kernel should be 1.
39	39	# For internal testing builds during development, it should be 0.

		@@ -69,7 +69,7 @@
69	69	ApplyOptionalPatch debrand-rh-i686-cpu.patch
70	70
71	71	+# CaitSith
72		-+tar -zxf %_sourcedir/caitsith-patch-0.2-20191111.tar.gz
	72	++tar -zxf %_sourcedir/caitsith-patch-0.2-20191225.tar.gz
73	73	+sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
74	74	+patch -sp1 < patches/ccs-patch-3.10-centos-7.diff
75	75	# Any further pre-build tree manipulations happen here.

--- trunk/caitsith-patch/specs/build-debian_wheezy.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-debian_wheezy.sh (revision 291)

		@@ -23,10 +23,10 @@
23	23	# Download CaitSith patches.
24	24	mkdir -p ~/rpmbuild/SOURCES/
25	25	cd ~/rpmbuild/SOURCES/ \|\| die "Can't chdir to ~/rpmbuild/SOURCES/ ."
26		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	26	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
27	27	then
28	28	apt-get -y install wget
29		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	29	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
30	30	fi
31	31
32	32	# Install kernel source packages.

		@@ -38,7 +38,7 @@
38	38
39	39	# Apply patches and create kernel config.
40	40	cd linux-source-3.2 \|\| die "Can't chdir to linux-source-3.2/ ."
41		-tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191111.tar.gz \|\| die "Can't extract patch."
	41	+tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191225.tar.gz \|\| die "Can't extract patch."
42	42	sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
43	43	patch -p1 < patches/ccs-patch-3.2-debian-wheezy.diff \|\| die "Can't apply patch."
44	44	cat /boot/config-3.2.0-$ABI_VERSION-$ORIGINAL_FLAVOUR config.caitsith > .config \|\| die "Can't create config."

--- trunk/caitsith-patch/specs/build-ubuntu_12.04.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-ubuntu_12.04.sh (revision 291)

		@@ -29,9 +29,9 @@
29	29	# Download CaitSith patches.
30	30	mkdir -p ~/rpmbuild/SOURCES/
31	31	cd ~/rpmbuild/SOURCES/ \|\| die "Can't chdir to ~/rpmbuild/SOURCES/ ."
32		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	32	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
33	33	then
34		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	34	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
35	35	fi
36	36
37	37	# Install kernel source packages.

		@@ -44,7 +44,7 @@
44	44	# Apply patches and create kernel config.
45	45	cd linux-3.2.0/ \|\| die "Can't chdir to linux-3.2.0/ ."
46	46	update_maintainer
47		-tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191111.tar.gz \|\| die "Can't extract patch."
	47	+tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191225.tar.gz \|\| die "Can't extract patch."
48	48	sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
49	49	patch -p1 < patches/ccs-patch-3.2-ubuntu-12.04.diff \|\| die "Can't apply patch."
50	50	rm -fR patches/ specs/ \|\| die "Can't delete patch."

--- trunk/caitsith-patch/specs/build-ubuntu_14.04.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-ubuntu_14.04.sh (revision 291)

		@@ -29,9 +29,9 @@
29	29	# Download CaitSith patches.
30	30	mkdir -p ~/rpmbuild/SOURCES/
31	31	cd ~/rpmbuild/SOURCES/ \|\| die "Can't chdir to ~/rpmbuild/SOURCES/ ."
32		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	32	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
33	33	then
34		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	34	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
35	35	fi
36	36
37	37	# Install kernel source packages.

		@@ -44,7 +44,7 @@
44	44	# Apply patches and create kernel config.
45	45	cd linux-3.13.0/ \|\| die "Can't chdir to linux-3.13.0/ ."
46	46	update_maintainer
47		-tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191111.tar.gz \|\| die "Can't extract patch."
	47	+tar -zxf ~/rpmbuild/SOURCES/caitsith-patch-0.2-20191225.tar.gz \|\| die "Can't extract patch."
48	48	sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
49	49	patch -p1 < patches/ccs-patch-3.13-ubuntu-14.04.diff \|\| die "Can't apply patch."
50	50	rm -fR patches/ specs/ \|\| die "Can't delete patch."

--- trunk/caitsith-patch/specs/build-vl6-4.4.sh (revision 290)

+++ trunk/caitsith-patch/specs/build-vl6-4.4.sh (revision 291)

		@@ -18,9 +18,9 @@
18	18	rpm -ivh kernel-4.4.110-2vl6.src.rpm \|\| die "Can't install source package."
19	19
20	20	cd ~/rpm/SOURCES/ \|\| die "Can't chdir to ~/rpm/SOURCES/ ."
21		-if [ ! -r caitsith-patch-0.2-20191111.tar.gz ]
	21	+if [ ! -r caitsith-patch-0.2-20191225.tar.gz ]
22	22	then
23		- wget -O caitsith-patch-0.2-20191111.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191111.tar.gz' \|\| die "Can't download patch."
	23	+ wget -O caitsith-patch-0.2-20191225.tar.gz 'https://osdn.jp/frs/redir.php?f=/caitsith/66537/caitsith-patch-0.2-20191225.tar.gz' \|\| die "Can't download patch."
24	24	fi
25	25
26	26	cd /tmp/ \|\| die "Can't chdir to /tmp/ ."

		@@ -33,7 +33,7 @@
33	33	%define kversion 4.%{sublevel}
34	34	%define rpmversion 4.%{sublevel}.%{patchlevel}
35	35	-%define release 2%{?_dist_release}
36		-+%define release 2%{?_dist_release}_caitsith_0.2.4
	36	++%define release 2%{?_dist_release}_caitsith_0.2.4p1
37	37
38	38	%define make_target bzImage
39	39	%define hdrarch %_target_cpu

		@@ -61,7 +61,7 @@
61	61	# END OF PATCH APPLICATIONS
62	62
63	63	+# CaitSith
64		-+tar -zxf %_sourcedir/caitsith-patch-0.2-20191111.tar.gz
	64	++tar -zxf %_sourcedir/caitsith-patch-0.2-20191225.tar.gz
65	65	+sed -i -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' -e 's/ccs_domain_info/cs_domain_info/g' -e 's/ccs_flags/cs_flags/g' patches/ccs-patch-*.diff
66	66	+patch -sp1 < patches/ccs-patch-4.4-vine-linux-6.diff
67	67	cp %{SOURCE10} Documentation/

--- trunk/caitsith-tools/kernel_test/caitsith_wildcard_test.c (revision 290)

+++ trunk/caitsith-tools/kernel_test/caitsith_wildcard_test.c (revision 291)

		@@ -603,7 +603,7 @@
603	603	{ "/usr/local/", "/usr/\\*/", 1 },
604	604	{ "/usr/local/", "/usr/\\\\\\@\\*/", 1 },
605	605	{ "pipe:[12345]", "pipe:[\\$]", 1 },
606		- { "socket:[family=1:type=2:protocol=3]", "socket:[family=1:type=2:protocol=\\$]", 1 },
	606	+ { "socket:[12345]", "socket:[\\$]", 1 },
607	607	{ "https://tomoyo.osdn.jp/", "\\/\\/\\*/", 1 },
608	608	{ "https://tomoyo.osdn.jp/index.html", "\\/\\/\\/\\", 1 },
609	609	{ "https://tomoyo.osdn.jp/index.html", "\\/\\/\\/\\\\\\@\\\\@", 1 },

		@@ -625,7 +625,7 @@
625	625	{ "https://tomoyo.osdn.jp/", "\\/\\/\\*/\\?", 0 },
626	626	{ "https://tomoyo.osdn.jp/index.html", "\\/\\/\\*/\\@", 0 },
627	627	{ "https://tomoyo.osdn.jp/index.html", "https://\\*/\\@", 0 },
628		- { "socket:[family=1:type=2:protocol=3]", "/\\{\\\\}/socket:[\\]", 0 },
	628	+ { "socket:[12345]", "/\\{\\\\}/socket:[\\]", 0 },
629	629	{ "/", "/\$\\\$/\\", 1 },
630	630	{ "/", "/\\{\\\\}/\\", 0 },
631	631	{ "/foo/", "/foo/\$\\\$/\$\\\$/\$\\\$/\$\\\$/\$\\\$/\\", 1 },

旧リポジトリブラウザで表示