[kernel] r6483 - in dists/sid/linux-2.6/debian: . patches patches/series

Bastian Blank waldi at costa.debian.org
Fri Apr 28 19:51:02 UTC 2006


Author: waldi
Date: Fri Apr 28 19:51:01 2006
New Revision: 6483

Added:
   dists/sid/linux-2.6/debian/patches/series/11-extra
   dists/sid/linux-2.6/debian/patches/vserver-vs2.0.2-rc18-update.patch   (contents, props changed)
Modified:
   dists/sid/linux-2.6/debian/changelog
Log:
Update vserver patch to 2.0.2-rc18.

* debian/changelog: Update.
* debian/patches/series/11-extra: Enable vserver-vs2.0.2-rc18-update.patch.
* debian/patches/vserver-vs2.0.2-rc18-update.patch: Add.


Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Fri Apr 28 19:51:01 2006
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.16-11) UNRELEASED; urgency=low
+
+  * Update vserver patch to 2.0.2-rc18.
+    - Limit ccaps to root inside a guest
+
+ -- Bastian Blank <waldi at debian.org>  Fri, 28 Apr 2006 16:08:01 +0200
+
 linux-2.6 (2.6.16-10) unstable; urgency=low
 
   [ Norbert Tretkowski ]

Added: dists/sid/linux-2.6/debian/patches/series/11-extra
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/11-extra	Fri Apr 28 19:51:01 2006
@@ -0,0 +1 @@
++ vserver-vs2.0.2-rc18-update.patch *_vserver

Added: dists/sid/linux-2.6/debian/patches/vserver-vs2.0.2-rc18-update.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/vserver-vs2.0.2-rc18-update.patch	Fri Apr 28 19:51:01 2006
@@ -0,0 +1,349 @@
+diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c
+--- linux-2.6.16.8-vs2.0.2-rc17/fs/namespace.c	2006-03-20 17:34:49 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/fs/namespace.c	2006-04-28 01:59:36 +0200
+@@ -676,7 +676,7 @@
+ 		goto dput_and_out;
+ 
+ 	retval = -EPERM;
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ 		goto dput_and_out;
+ 
+ 	retval = do_umount(nd.mnt, flags);
+@@ -700,9 +700,7 @@
+ 
+ static int mount_is_safe(struct nameidata *nd)
+ {
+-	if (capable(CAP_SYS_ADMIN))
+-		return 0;
+-	if (vx_ccaps(VXC_SECURE_MOUNT))
++	if (vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ 		return 0;
+ 	return -EPERM;
+ #ifdef notyet
+@@ -996,7 +994,7 @@
+ 	int err;
+ 	struct super_block *sb = nd->mnt->mnt_sb;
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_REMOUNT))
+ 		return -EPERM;
+ 
+ 	if (!check_mnt(nd->mnt))
+@@ -1030,7 +1028,7 @@
+ 	struct nameidata old_nd, parent_nd;
+ 	struct vfsmount *p;
+ 	int err = 0;
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ 		return -EPERM;
+ 	if (!old_name || !*old_name)
+ 		return -EINVAL;
+@@ -1110,7 +1108,7 @@
+ 		return -EINVAL;
+ 
+ 	/* we need capabilities... */
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ 		return -EPERM;
+ 
+ 	mnt = do_kern_mount(type, flags, name, data);
+@@ -1502,7 +1500,7 @@
+ 	if (!(flags & CLONE_NEWNS))
+ 		return 0;
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT)) {
+ 		err = -EPERM;
+ 		goto out;
+ 	}
+diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c
+--- linux-2.6.16.8-vs2.0.2-rc17/fs/quota.c	2006-03-20 17:34:49 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/fs/quota.c	2006-04-28 01:59:36 +0200
+@@ -84,11 +84,11 @@
+ 	if (cmd == Q_GETQUOTA) {
+ 		if (((type == USRQUOTA && current->euid != id) ||
+ 		     (type == GRPQUOTA && !in_egroup_p(id))) &&
+-		    !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++		    !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 			return -EPERM;
+ 	}
+ 	else if (cmd != Q_GETFMT && cmd != Q_SYNC && cmd != Q_GETINFO)
+-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 			return -EPERM;
+ 
+ 	return 0;
+@@ -135,10 +135,10 @@
+ 	if (cmd == Q_XGETQUOTA) {
+ 		if (((type == XQM_USRQUOTA && current->euid != id) ||
+ 		     (type == XQM_GRPQUOTA && !in_egroup_p(id))) &&
+-		     !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++		     !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 			return -EPERM;
+ 	} else if (cmd != Q_XGETQSTAT && cmd != Q_XQUOTASYNC) {
+-		if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++		if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 			return -EPERM;
+ 	}
+ 
+diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/super.c linux-2.6.16.11-vs2.0.2-rc18/fs/super.c
+--- linux-2.6.16.8-vs2.0.2-rc17/fs/super.c	2006-03-20 17:34:49 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/fs/super.c	2006-04-28 01:59:36 +0200
+@@ -815,7 +815,7 @@
+ 
+ 	sb = ERR_PTR(-EPERM);
+ 	if ((type->fs_flags & FS_BINARY_MOUNTDATA) &&
+-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_BINARY_MOUNT))
++		!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT))
+ 		goto out;
+ 
+ 	sb = ERR_PTR(-ENOMEM);
+diff -u linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c
+--- linux-2.6.16.8-vs2.0.2-rc17/fs/xfs/quota/xfs_qm_syscalls.c	2006-03-20 17:34:49 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/fs/xfs/quota/xfs_qm_syscalls.c	2006-04-28 01:59:36 +0200
+@@ -215,7 +215,7 @@
+ 	xfs_qoff_logitem_t	*qoffstart;
+ 	int			nculprits;
+ 
+-	if (!force && !capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++	if (!force && !vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 		return XFS_ERROR(EPERM);
+ 	/*
+ 	 * No file system can have quotas enabled on disk but not in core.
+@@ -384,7 +384,7 @@
+ 	int		error;
+ 	xfs_inode_t	*qip;
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 		return XFS_ERROR(EPERM);
+ 	error = 0;
+ 	if (!XFS_SB_VERSION_HASQUOTA(&mp->m_sb) || flags == 0) {
+@@ -429,7 +429,7 @@
+ 	uint		accflags;
+ 	__int64_t	sbflags;
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 		return XFS_ERROR(EPERM);
+ 
+ 	flags &= (XFS_ALL_QUOTA_ACCT | XFS_ALL_QUOTA_ENFD);
+@@ -600,7 +600,7 @@
+ 	int			error;
+ 	xfs_qcnt_t		hard, soft;
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_QUOTA_CTL))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_QUOTA_CTL))
+ 		return XFS_ERROR(EPERM);
+ 
+ 	if ((newlim->d_fieldmask &
+diff -u linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h
+--- linux-2.6.16.8-vs2.0.2-rc17/include/linux/vs_base.h	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/include/linux/vs_base.h	2006-04-28 02:00:37 +0200
+@@ -97,6 +97,9 @@
+ 	(current->vx_info && \
+ 	(current->vx_info->vx_initpid == (n)))
+ 
++#define vx_capable(b,c) (capable(b) || \
++	((current->euid == 0) && vx_ccaps(c)))
++
+ 
+ #else
+ #warning duplicate inclusion
+diff -u linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h
+--- linux-2.6.16.8-vs2.0.2-rc17/include/net/route.h	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/include/net/route.h	2006-04-26 19:12:32 +0200
+@@ -229,6 +229,8 @@
+ 			return err;
+ 		if (fl.fl4_dst == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
+ 			fl.fl4_dst = nx_info->ipv4[0];
++		if (fl.fl4_src == IPI_LOOPBACK && !vx_check(0, VX_ADMIN))
++			fl.fl4_src = nx_info->ipv4[0];
+ 	}
+ 	if (!fl.fl4_dst || !fl.fl4_src) {
+ 		err = __ip_route_output_key(rp, &fl);
+diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c
+--- linux-2.6.16.8-vs2.0.2-rc17/kernel/sys.c	2006-04-18 02:12:08 +0200
++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/sys.c	2006-04-28 01:59:36 +0200
+@@ -1547,7 +1547,7 @@
+ 	int errno;
+ 	char tmp[__NEW_UTS_LEN];
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ 		return -EPERM;
+ 	if (len < 0 || len > __NEW_UTS_LEN)
+ 		return -EINVAL;
+@@ -1596,7 +1596,7 @@
+ 	int errno;
+ 	char tmp[__NEW_UTS_LEN];
+ 
+-	if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SET_UTSNAME))
++	if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME))
+ 		return -EPERM;
+ 	if (len < 0 || len > __NEW_UTS_LEN)
+ 		return -EINVAL;
+@@ -1664,7 +1664,7 @@
+                return -EINVAL;
+ 	old_rlim = current->signal->rlim + resource;
+ 	if ((new_rlim.rlim_max > old_rlim->rlim_max) &&
+-	    !capable(CAP_SYS_RESOURCE) && !vx_ccaps(VXC_SET_RLIMIT))
++	    !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT))
+ 		return -EPERM;
+ 	if (resource == RLIMIT_NOFILE && new_rlim.rlim_max > NR_OPEN)
+ 			return -EPERM;
+diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c
+--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/legacy.c	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/legacy.c	2006-04-28 03:18:07 +0200
+@@ -31,6 +31,7 @@
+ 	if (!init)
+ 		return -ESRCH;
+ 
++	vxi->vx_flags &= ~VXF_STATE_INIT;
+ 	return vx_set_init(vxi, init);
+ }
+ 
+@@ -88,7 +89,7 @@
+ 		vx_info_flags(new_vxi, VX_INFO_PRIVATE, 0))
+ 		goto out_put;
+ 
+-	new_vxi->vx_flags &= ~(VXF_STATE_SETUP|VXF_STATE_INIT);
++	new_vxi->vx_flags &= ~VXF_STATE_SETUP;
+ 
+ 	ret = vx_migrate_task(current, new_vxi);
+ 	if (ret == 0) {
+@@ -102,6 +103,9 @@
+ 		if (vc_data.flags & VX_INFO_NPROC)
+ 			new_vxi->limit.rlim[RLIMIT_NPROC] =
+ 				current->signal->rlim[RLIMIT_NPROC].rlim_max;
++
++		/* tweak some defaults for legacy */
++		new_vxi->vx_flags |= (VXF_HIDE_NETIF|VXF_INFO_INIT);
+ 		ret = new_vxi->vx_id;
+ 	}
+ out_put:
+diff -u linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c
+--- linux-2.6.16.8-vs2.0.2-rc17/kernel/vserver/sched.c	2006-03-24 16:50:48 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/kernel/vserver/sched.c	2006-04-28 01:39:59 +0200
+@@ -117,7 +117,7 @@
+ 		vavavoom = 0;
+ 
+ 	vxi->sched.vavavoom = vavavoom;
+-	return vavavoom;
++	return vavavoom + vxi->sched.priority_bias;
+ }
+ 
+ 
+diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c
+--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/devinet.c	2006-04-17 20:56:32 +0200
++++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/devinet.c	2006-04-26 19:09:22 +0200
+@@ -607,6 +607,9 @@
+ 		*colon = ':';
+ 
+ 	if ((in_dev = __in_dev_get_rtnl(dev)) != NULL) {
++		struct nx_info *nxi = current->nx_info;
++		int hide_netif = vx_flags(VXF_HIDE_NETIF, 0);
++
+ 		if (tryaddrmatch) {
+ 			/* Matthias Andree */
+ 			/* compare label and address (4.4BSD style) */
+@@ -615,6 +618,8 @@
+ 			   This is checked above. */
+ 			for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
+ 			     ifap = &ifa->ifa_next) {
++				if (hide_netif && !ifa_in_nx_info(ifa, nxi))
++					continue;
+ 				if (!strcmp(ifr.ifr_name, ifa->ifa_label) &&
+ 				    sin_orig.sin_addr.s_addr ==
+ 							ifa->ifa_address) {
+@@ -627,18 +632,18 @@
+ 		   comparing just the label */
+ 		if (!ifa) {
+ 			for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
+-			     ifap = &ifa->ifa_next)
++			     ifap = &ifa->ifa_next) {
++				if (hide_netif && !ifa_in_nx_info(ifa, nxi))
++					continue;
+ 				if (!strcmp(ifr.ifr_name, ifa->ifa_label))
+ 					break;
++			}
+ 		}
+ 	}
+ 
+ 	ret = -EADDRNOTAVAIL;
+ 	if (!ifa && cmd != SIOCSIFADDR && cmd != SIOCSIFFLAGS)
+ 		goto done;
+-	if (vx_flags(VXF_HIDE_NETIF, 0) &&
+-		!ifa_in_nx_info(ifa, current->nx_info))
+-		goto done;
+ 
+ 	switch(cmd) {
+ 	case SIOCGIFADDR:	/* Get interface address */
+diff -u linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c
+--- linux-2.6.16.8-vs2.0.2-rc17/net/ipv4/udp.c	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/net/ipv4/udp.c	2006-04-26 19:08:56 +0200
+@@ -216,16 +216,6 @@
+ 	write_unlock_bh(&udp_hash_lock);
+ }
+ 
+-static inline int udp_in_list(struct nx_info *nx_info, u32 addr)
+-{
+-	int n = nx_info->nbipv4;
+-	int i;
+-
+-	for (i=0; i<n; i++)
+-		if (nx_info->ipv4[i] == addr)
+-			return 1;
+-	return 0;
+-}
+ 
+ /* UDP is nearly always wildcards out the wazoo, it makes no sense to try
+  * harder than this. -DaveM
+@@ -248,7 +238,7 @@
+ 					continue;
+ 				score+=2;
+ 			} else if (sk->sk_nx_info) {
+-				if (udp_in_list(sk->sk_nx_info, daddr))
++				if (addr_in_nx_info(sk->sk_nx_info, daddr))
+ 					score+=2;
+ 				else
+ 					continue;
+diff -u linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c
+--- linux-2.6.16.8-vs2.0.2-rc17/security/commoncap.c	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/security/commoncap.c	2006-04-28 01:59:36 +0200
+@@ -313,7 +313,7 @@
+ int cap_syslog (int type)
+ {
+ 	if ((type != 3 && type != 10) &&
+-		!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SYSLOG))
++		!vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG))
+ 		return -EPERM;
+ 	return 0;
+ }
+diff -u linux-2.6.16.8-vs2.0.2-rc17/security/security.c linux-2.6.16.11-vs2.0.2-rc18/security/security.c
+--- linux-2.6.16.8-vs2.0.2-rc17/security/security.c	2006-03-20 17:34:50 +0100
++++ linux-2.6.16.11-vs2.0.2-rc18/security/security.c	2006-04-28 01:59:36 +0200
+@@ -200,22 +200,8 @@
+ 
+-int vx_capable(int cap, int ccap)
+-{
+-	if (security_ops->capable(current, cap)) {
+-		/* capability denied */
+-		return 0;
+-	}
+-	if (!vx_ccaps(ccap))
+-		return 0;
+-
+-	/* capability granted */
+-	current->flags |= PF_SUPERPRIV;
+-	return 1;
+-}
+ 
+ EXPORT_SYMBOL_GPL(register_security);
+ EXPORT_SYMBOL_GPL(unregister_security);
+ EXPORT_SYMBOL_GPL(mod_reg_security);
+ EXPORT_SYMBOL_GPL(mod_unreg_security);
+ EXPORT_SYMBOL(capable);
+-EXPORT_SYMBOL(vx_capable);
+ EXPORT_SYMBOL(security_ops);
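Review bot: The `vx_capable(b,c)` macro added to include/linux/vs_base.h grants the ccap path without recording that privilege was used, whereas the `vx_capable()` function removed from security/security.c in the same patch did `current->flags |= PF_SUPERPRIV;` before returning 1 on that path; the `capable(b)` branch presumably still sets the flag through the LSM path, so only ccap-granted operations would now be invisible to anything that reads PF_SUPERPRIV (accounting, audit), which I cannot confirm from the hunk. Since the macro becomes the only definition (the function and its `EXPORT_SYMBOL(vx_capable)` are dropped, so any out-of-tree user of the symbol also loses it), a `static inline` in the same header keeps every call site unchanged and restores the flag, assuming `PF_SUPERPRIV` is in scope there as the use of `current->euid` suggests. Separately, in net/ipv4/devinet.c the hidden-interface filter now runs inside the two lookup loops instead of after them, so a lookup whose only match is a hidden `ifa` now falls through with `ifa == NULL`, which the existing `cmd != SIOCSIFADDR && cmd != SIOCSIFFLAGS` test lets through for those two commands; whether the code after the hunk then adds a fresh address on the device for a guest is outside the hunk and worth verifying, even though the move also removes the old `ifa_in_nx_info(NULL, ...)` call for that case.
```c
/* include/linux/vs_base.h — replaces the vx_capable(b,c) macro */
static inline int vx_capable(int cap, int ccap)
{
	if (capable(cap))
		return 1;
	if (current->euid == 0 && vx_ccaps(ccap)) {
		/* privilege was exercised; keep the accounting the removed helper did */
		current->flags |= PF_SUPERPRIV;
		return 1;
	}
	return 0;
}
```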


