[vhffs-dev] [1599] improved tfsyscall patch, also clearing o+w in vfs_create, prevent clearing file type by now using appropriate mask (oops ;-)

[ Thread Index | Date Index | More vhffs.org/vhffs-dev Archives ]


Revision: 1599
Author:   gradator
Date:     2010-04-17 21:11:26 +0200 (Sat, 17 Apr 2010)
Log Message:
-----------
improved tfsyscall patch, also clearing o+w in vfs_create, prevent clearing file type by now using appropriate mask (oops ;-)

Added Paths:
-----------
    trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.2-2.6.33.2.patch

Added: trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.2-2.6.33.2.patch
===================================================================
--- trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.2-2.6.33.2.patch	                        (rev 0)
+++ trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.2-2.6.33.2.patch	2010-04-17 19:11:26 UTC (rev 1599)
@@ -0,0 +1,161 @@
+diff -Nru linux-2.6.33.2.a/fs/namei.c linux-2.6.33.2.b/fs/namei.c
+--- linux-2.6.33.2.a/fs/namei.c	2010-04-17 20:46:57.000000000 +0200
++++ linux-2.6.33.2.b/fs/namei.c	2010-04-17 20:57:35.000000000 +0200
+@@ -1472,6 +1472,13 @@
+ 		return -EACCES;	/* shouldn't it be ENOSYS? */
+ 	mode &= S_IALLUGO;
+ 	mode |= S_IFREG;
++	// TF PATCH: forces 00400, clear 07002
++	if( current_uid() >= 10000 && current_gid() >= 10000 ) {
++		mode &= ~07002;
++		mode |= 00400;
++	}
++	// TF PATCH: END
++
+ 	error = security_inode_create(dir, dentry, mode);
+ 	if (error)
+ 		return error;
+@@ -2167,6 +2174,13 @@
+ 		return -EPERM;
+ 
+ 	mode &= (S_IRWXUGO|S_ISVTX);
++	// TF PATCH: forces 02700, clear 05002
++	if( current_uid() >= 10000 && current_gid() >= 10000 ) {
++		mode &= ~05002;
++		mode |= 02700;
++	}
++	// TF PATCH: END
++
+ 	error = security_inode_mkdir(dir, dentry, mode);
+ 	if (error)
+ 		return error;
+diff -Nru linux-2.6.33.2.a/fs/open.c linux-2.6.33.2.b/fs/open.c
+--- linux-2.6.33.2.a/fs/open.c	2010-04-17 20:46:57.000000000 +0200
++++ linux-2.6.33.2.b/fs/open.c	2010-04-17 20:58:35.000000000 +0200
+@@ -660,6 +660,19 @@
+ 		goto out_unlock;
+ 	if (mode == (mode_t) -1)
+ 		mode = inode->i_mode;
++
++	// TF PATCH: forces 02700 on dir, 00400 on files, remove 05002 on dir, remove 07002 on files
++	if( inode->i_uid >= 10000 && inode->i_gid >= 10000 ) {
++		if( S_ISREG(inode->i_mode) ) {
++			mode &= ~07002;
++			mode |= 00400;
++		} else if ( S_ISDIR(inode->i_mode) ) {
++			mode &= ~05002;
++			mode |= 02700;
++		}
++	}
++	// TF PATCH: end
++
+ 	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ 	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ 	err = notify_change(dentry, &newattrs);
+@@ -701,6 +714,18 @@
+ 	if (mode == (mode_t) -1)
+ 		mode = inode->i_mode;
+ 
++	// TF PATCH: forces 02700 on dir, 00400 on files, remove 05002 on dir, remove 07002 on files
++	if( inode->i_uid >= 10000 && inode->i_gid >= 10000 ) {
++		if( S_ISREG(inode->i_mode) ) {
++			mode &= ~07002;
++			mode |= 00400;
++		} else if ( S_ISDIR(inode->i_mode) ) {
++			mode &= ~05002;
++			mode |= 02700;
++		}
++	}
++	// TF PATCH: end
++
+ 	if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
+ 		error = -EACCES;
+ 		goto out_unlock;
+@@ -1093,7 +1118,7 @@
+ 
+ EXPORT_SYMBOL(fd_install);
+ 
+-long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++long old_do_sys_open(int dfd, const char __user *filename, int flags, int mode)
+ {
+ 	char *tmp = getname(filename);
+ 	int fd = PTR_ERR(tmp);
+@@ -1115,6 +1140,78 @@
+ 	return fd;
+ }
+ 
++long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++{
++	long fd;
++	struct file *f;
++	struct dentry *d;
++	struct inode *inode;
++	struct group_info *gi;
++	long ngroups,i,j;
++
++	fd = old_do_sys_open( dfd , filename , flags , mode );
++
++// TF PATCH: enforce group permission, disallow groups to open files of other groups
++	if( fd < 0 )
++		return fd;
++
++	if( current_uid() < 10000 && current_gid() < 10000 )
++		return fd;
++
++	f = fget( fd );
++	if( f == NULL )  {
++		sys_close( fd );
++		return -EACCES;
++	}
++
++	d = f->f_dentry;
++	if( d == NULL )  {
++		fput( f );
++		sys_close( fd );
++		return -EACCES;
++	}
++
++	inode = d->d_inode;
++	if( inode == NULL )  {
++		fput( f );
++		sys_close( fd );
++		return -EACCES;
++	}
++
++	/* allow open() on system files */
++	if( inode->i_uid < 10000 && inode->i_gid < 10000 )  {
++		fput( f );
++		return fd;
++	}
++
++	/* allow open() if the user or group of file is either the current user or the current group */
++	if( inode->i_gid == current_gid() || inode->i_uid == current_uid() )  {
++		fput( f );
++		return fd;
++	}
++
++	/* if not check if the file belong to one of the user group */
++	gi = get_current_groups();
++	ngroups = gi->ngroups;
++	for( i = 0 ; i < gi->nblocks ; i++)  {
++		long cp_count = min( (long)NGROUPS_PER_BLOCK, ngroups );
++		for( j = 0 ; j < cp_count ; j++ )  {
++			if( gi->blocks[i][j] == inode->i_gid )  {
++				put_group_info( gi );
++				fput( f );
++				return fd;
++			}
++		}
++		ngroups -= NGROUPS_PER_BLOCK;
++	}
++	put_group_info( gi );
++
++	fput( f );
++	sys_close( fd );
++	return -EACCES;
++// TF PATCH: end
++}
++
+ SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, int, mode)
+ {
+ 	long ret;


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/