• R/O
  • SSH
  • HTTPS

caitsith: Commit


Commit MetaInfo

Revisão288 (tree)
Hora2019-09-26 22:08:55
Autorkumaneko

Mensagem de Log

(mensagem de log vazia)

Mudança Sumário

Diff

--- trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 287)
+++ trunk/caitsith-patch/caitsith/lsm-4.12.c (revision 288)
@@ -261,7 +261,7 @@
261261 return cs_start_execve(bprm, &security->r);
262262 }
263263
264-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
264+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) || (defined(RHEL_MAJOR) && RHEL_MAJOR == 8)
265265 /**
266266 * cs_file_open - Check permission for open().
267267 *
--- trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 287)
+++ trunk/caitsith-patch/include/linux/lsm2caitsith.h (revision 288)
@@ -28,7 +28,7 @@
2828 #endif
2929 int ccs_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
3030 int ccs_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
31-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
31+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) || (defined(RHEL_MAJOR) && RHEL_MAJOR == 8)
3232 int ccs_file_open(struct file *file);
3333 #else
3434 int ccs_file_open(struct file *file, const struct cred *cred);
--- trunk/caitsith-patch/patches/ccs-patch-3.10-centos-7.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-3.10-centos-7.diff (revision 288)
@@ -1,6 +1,6 @@
11 This is TOMOYO Linux patch for CentOS 7.
22
3-Source code for this patch is http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-957.27.2.el7.src.rpm
3+Source code for this patch is http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1062.1.1.el7.src.rpm
44 ---
55 fs/exec.c | 2
66 fs/open.c | 2
@@ -28,9 +28,9 @@
2828 security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++-----
2929 24 files changed, 248 insertions(+), 37 deletions(-)
3030
31---- linux-3.10.0-957.27.2.el7.orig/fs/exec.c
32-+++ linux-3.10.0-957.27.2.el7/fs/exec.c
33-@@ -1507,7 +1507,7 @@ static int exec_binprm(struct linux_binp
31+--- linux-3.10.0-1062.1.1.el7.orig/fs/exec.c
32++++ linux-3.10.0-1062.1.1.el7/fs/exec.c
33+@@ -1508,7 +1508,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
3636
@@ -39,9 +39,9 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-3.10.0-957.27.2.el7.orig/fs/open.c
43-+++ linux-3.10.0-957.27.2.el7/fs/open.c
44-@@ -1142,6 +1142,8 @@ EXPORT_SYMBOL(sys_close);
42+--- linux-3.10.0-1062.1.1.el7.orig/fs/open.c
43++++ linux-3.10.0-1062.1.1.el7/fs/open.c
44+@@ -1140,6 +1140,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
4747 {
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-3.10.0-957.27.2.el7.orig/fs/proc/version.c
54-+++ linux-3.10.0-957.27.2.el7/fs/proc/version.c
53+--- linux-3.10.0-1062.1.1.el7.orig/fs/proc/version.c
54++++ linux-3.10.0-1062.1.1.el7/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 3.10.0-957.27.2.el7 2019/08/04\n");
62++ printk(KERN_INFO "Hook version: 3.10.0-1062.1.1.el7 2019/09/18\n");
6363 + return 0;
6464 +}
6565 +module_init(ccs_show_version);
66---- linux-3.10.0-957.27.2.el7.orig/include/linux/init_task.h
67-+++ linux-3.10.0-957.27.2.el7/include/linux/init_task.h
66+--- linux-3.10.0-1062.1.1.el7.orig/include/linux/init_task.h
67++++ linux-3.10.0-1062.1.1.el7/include/linux/init_task.h
6868 @@ -173,6 +173,14 @@ extern struct task_group root_task_group
6969 # define INIT_RT_MUTEXES(tsk)
7070 #endif
@@ -81,7 +81,7 @@
8181 * INIT_TASK is used to set up the first task table, touch at
8282 * your own risk!. Base=0, limit=0x1fffff (=2MB)
8383 @@ -244,6 +252,7 @@ extern struct task_group root_task_group
84- INIT_RT_MUTEXES(tsk) \
84+ INIT_RT_MUTEXES(tsk) \
8585 INIT_PREV_CPUTIME(tsk) \
8686 INIT_VTIME(tsk) \
8787 + INIT_CCSECURITY \
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-3.10.0-957.27.2.el7.orig/include/linux/sched.h
92-+++ linux-3.10.0-957.27.2.el7/include/linux/sched.h
91+--- linux-3.10.0-1062.1.1.el7.orig/include/linux/sched.h
92++++ linux-3.10.0-1062.1.1.el7/include/linux/sched.h
9393 @@ -4,6 +4,8 @@
9494 #include <uapi/linux/sched.h>
9595 #include <linux/rh_kabi.h>
@@ -99,9 +99,9 @@
9999 struct sched_param {
100100 int sched_priority;
101101 };
102-@@ -1840,6 +1842,10 @@ struct task_struct {
103- struct wake_q_node wake_q;
102+@@ -1869,6 +1871,10 @@ struct task_struct {
104103 struct prev_cputime prev_cputime;
104+ struct vtime vtime;
105105 #endif /* __GENKSYMS__ */
106106 +#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
107107 + struct ccs_domain_info *ccs_domain_info;
@@ -110,8 +110,8 @@
110110 };
111111
112112 /* Future-safe accessor for struct task_struct's cpus_allowed. */
113---- linux-3.10.0-957.27.2.el7.orig/include/linux/security.h
114-+++ linux-3.10.0-957.27.2.el7/include/linux/security.h
113+--- linux-3.10.0-1062.1.1.el7.orig/include/linux/security.h
114++++ linux-3.10.0-1062.1.1.el7/include/linux/security.h
115115 @@ -56,6 +56,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -323,8 +323,8 @@
323323 }
324324 #endif /* CONFIG_SECURITY_PATH */
325325
326---- linux-3.10.0-957.27.2.el7.orig/include/net/ip.h
327-+++ linux-3.10.0-957.27.2.el7/include/net/ip.h
326+--- linux-3.10.0-1062.1.1.el7.orig/include/net/ip.h
327++++ linux-3.10.0-1062.1.1.el7/include/net/ip.h
328328 @@ -232,6 +232,8 @@ void inet_get_local_port_range(struct ne
329329 extern unsigned long *sysctl_local_reserved_ports;
330330 static inline int inet_is_reserved_local_port(int port)
@@ -334,8 +334,8 @@
334334 return test_bit(port, sysctl_local_reserved_ports);
335335 }
336336
337---- linux-3.10.0-957.27.2.el7.orig/kernel/fork.c
338-+++ linux-3.10.0-957.27.2.el7/kernel/fork.c
337+--- linux-3.10.0-1062.1.1.el7.orig/kernel/fork.c
338++++ linux-3.10.0-1062.1.1.el7/kernel/fork.c
339339 @@ -278,6 +278,7 @@ void __put_task_struct(struct task_struc
340340 delayacct_tsk_free(tsk);
341341 put_signal_struct(tsk->signal);
@@ -344,7 +344,7 @@
344344 if (!profile_handoff_task(tsk))
345345 free_task(tsk);
346346 }
347-@@ -1489,6 +1490,9 @@ static struct task_struct *copy_process(
347+@@ -1492,6 +1493,9 @@ static struct task_struct *copy_process(
348348 retval = audit_alloc(p);
349349 if (retval)
350350 goto bad_fork_cleanup_perf;
@@ -354,7 +354,7 @@
354354 /* copy all the process information */
355355 retval = copy_semundo(clone_flags, p);
356356 if (retval)
357-@@ -1707,6 +1711,7 @@ bad_fork_cleanup_semundo:
357+@@ -1710,6 +1714,7 @@ bad_fork_cleanup_semundo:
358358 exit_sem(p);
359359 bad_fork_cleanup_audit:
360360 audit_free(p);
@@ -362,8 +362,8 @@
362362 bad_fork_cleanup_perf:
363363 perf_event_free_task(p);
364364 bad_fork_cleanup_policy:
365---- linux-3.10.0-957.27.2.el7.orig/kernel/kexec.c
366-+++ linux-3.10.0-957.27.2.el7/kernel/kexec.c
365+--- linux-3.10.0-1062.1.1.el7.orig/kernel/kexec.c
366++++ linux-3.10.0-1062.1.1.el7/kernel/kexec.c
367367 @@ -190,6 +190,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon
368368 /* We only trust the superuser with rebooting the system. */
369369 if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
@@ -373,8 +373,8 @@
373373
374374 if (get_securelevel() > 0)
375375 return -EPERM;
376---- linux-3.10.0-957.27.2.el7.orig/kernel/module.c
377-+++ linux-3.10.0-957.27.2.el7/kernel/module.c
376+--- linux-3.10.0-1062.1.1.el7.orig/kernel/module.c
377++++ linux-3.10.0-1062.1.1.el7/kernel/module.c
378378 @@ -66,6 +66,7 @@
379379 #endif /* __GENKSYMS__ */
380380 #include <uapi/linux/module.h>
@@ -392,7 +392,7 @@
392392
393393 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
394394 return -EFAULT;
395-@@ -3439,6 +3442,8 @@ static int may_init_module(void)
395+@@ -3438,6 +3441,8 @@ static int may_init_module(void)
396396 {
397397 if (!capable(CAP_SYS_MODULE) || modules_disabled)
398398 return -EPERM;
@@ -401,8 +401,8 @@
401401
402402 return 0;
403403 }
404---- linux-3.10.0-957.27.2.el7.orig/kernel/ptrace.c
405-+++ linux-3.10.0-957.27.2.el7/kernel/ptrace.c
404+--- linux-3.10.0-1062.1.1.el7.orig/kernel/ptrace.c
405++++ linux-3.10.0-1062.1.1.el7/kernel/ptrace.c
406406 @@ -1082,6 +1082,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
407407 {
408408 struct task_struct *child;
@@ -427,9 +427,9 @@
427427
428428 if (request == PTRACE_TRACEME) {
429429 ret = ptrace_traceme();
430---- linux-3.10.0-957.27.2.el7.orig/kernel/sched/core.c
431-+++ linux-3.10.0-957.27.2.el7/kernel/sched/core.c
432-@@ -4355,6 +4355,8 @@ int can_nice(const struct task_struct *p
430+--- linux-3.10.0-1062.1.1.el7.orig/kernel/sched/core.c
431++++ linux-3.10.0-1062.1.1.el7/kernel/sched/core.c
432+@@ -4404,6 +4404,8 @@ int can_nice(const struct task_struct *p
433433 SYSCALL_DEFINE1(nice, int, increment)
434434 {
435435 long nice, retval;
@@ -438,8 +438,8 @@
438438
439439 /*
440440 * Setpriority might change our priority at the same moment.
441---- linux-3.10.0-957.27.2.el7.orig/kernel/signal.c
442-+++ linux-3.10.0-957.27.2.el7/kernel/signal.c
441+--- linux-3.10.0-1062.1.1.el7.orig/kernel/signal.c
442++++ linux-3.10.0-1062.1.1.el7/kernel/signal.c
443443 @@ -2942,6 +2942,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
444444 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
445445 {
@@ -485,8 +485,8 @@
485485
486486 return do_send_specific(tgid, pid, sig, info);
487487 }
488---- linux-3.10.0-957.27.2.el7.orig/kernel/sys.c
489-+++ linux-3.10.0-957.27.2.el7/kernel/sys.c
488+--- linux-3.10.0-1062.1.1.el7.orig/kernel/sys.c
489++++ linux-3.10.0-1062.1.1.el7/kernel/sys.c
490490 @@ -197,6 +197,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
491491
492492 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -525,8 +525,8 @@
525525
526526 down_write(&uts_sem);
527527 errno = -EFAULT;
528---- linux-3.10.0-957.27.2.el7.orig/kernel/time/ntp.c
529-+++ linux-3.10.0-957.27.2.el7/kernel/time/ntp.c
528+--- linux-3.10.0-1062.1.1.el7.orig/kernel/time/ntp.c
529++++ linux-3.10.0-1062.1.1.el7/kernel/time/ntp.c
530530 @@ -16,6 +16,7 @@
531531 #include <linux/mm.h>
532532 #include <linux/module.h>
@@ -560,9 +560,9 @@
560560
561561 return 0;
562562 }
563---- linux-3.10.0-957.27.2.el7.orig/net/ipv4/raw.c
564-+++ linux-3.10.0-957.27.2.el7/net/ipv4/raw.c
565-@@ -706,6 +706,10 @@ static int raw_recvmsg(struct kiocb *ioc
563+--- linux-3.10.0-1062.1.1.el7.orig/net/ipv4/raw.c
564++++ linux-3.10.0-1062.1.1.el7/net/ipv4/raw.c
565+@@ -708,6 +708,10 @@ static int raw_recvmsg(struct kiocb *ioc
566566 skb = skb_recv_datagram(sk, flags, noblock, &err);
567567 if (!skb)
568568 goto out;
@@ -573,9 +573,9 @@
573573
574574 copied = skb->len;
575575 if (len < copied) {
576---- linux-3.10.0-957.27.2.el7.orig/net/ipv4/udp.c
577-+++ linux-3.10.0-957.27.2.el7/net/ipv4/udp.c
578-@@ -1393,6 +1393,10 @@ try_again:
576+--- linux-3.10.0-1062.1.1.el7.orig/net/ipv4/udp.c
577++++ linux-3.10.0-1062.1.1.el7/net/ipv4/udp.c
578+@@ -1467,6 +1467,10 @@ try_again:
579579 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
580580 if (!skb)
581581 goto out;
@@ -586,8 +586,8 @@
586586
587587 ulen = skb->len - sizeof(struct udphdr);
588588 copied = len;
589---- linux-3.10.0-957.27.2.el7.orig/net/ipv6/raw.c
590-+++ linux-3.10.0-957.27.2.el7/net/ipv6/raw.c
589+--- linux-3.10.0-1062.1.1.el7.orig/net/ipv6/raw.c
590++++ linux-3.10.0-1062.1.1.el7/net/ipv6/raw.c
591591 @@ -468,6 +468,10 @@ static int rawv6_recvmsg(struct kiocb *i
592592 skb = skb_recv_datagram(sk, flags, noblock, &err);
593593 if (!skb)
@@ -599,8 +599,8 @@
599599
600600 copied = skb->len;
601601 if (copied > len) {
602---- linux-3.10.0-957.27.2.el7.orig/net/ipv6/udp.c
603-+++ linux-3.10.0-957.27.2.el7/net/ipv6/udp.c
602+--- linux-3.10.0-1062.1.1.el7.orig/net/ipv6/udp.c
603++++ linux-3.10.0-1062.1.1.el7/net/ipv6/udp.c
604604 @@ -384,6 +384,10 @@ try_again:
605605 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
606606 if (!skb)
@@ -612,8 +612,8 @@
612612
613613 ulen = skb->len - sizeof(struct udphdr);
614614 copied = len;
615---- linux-3.10.0-957.27.2.el7.orig/net/socket.c
616-+++ linux-3.10.0-957.27.2.el7/net/socket.c
615+--- linux-3.10.0-1062.1.1.el7.orig/net/socket.c
616++++ linux-3.10.0-1062.1.1.el7/net/socket.c
617617 @@ -1660,6 +1660,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
618618 if (err < 0)
619619 goto out_fd;
@@ -625,8 +625,8 @@
625625 if (upeer_sockaddr) {
626626 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
627627 &len, 2) < 0) {
628---- linux-3.10.0-957.27.2.el7.orig/net/unix/af_unix.c
629-+++ linux-3.10.0-957.27.2.el7/net/unix/af_unix.c
628+--- linux-3.10.0-1062.1.1.el7.orig/net/unix/af_unix.c
629++++ linux-3.10.0-1062.1.1.el7/net/unix/af_unix.c
630630 @@ -2137,6 +2137,10 @@ static int unix_dgram_recvmsg(struct kio
631631 wake_up_interruptible_sync_poll(&u->peer_wait,
632632 POLLOUT | POLLWRNORM | POLLWRBAND);
@@ -638,8 +638,8 @@
638638 if (msg->msg_name)
639639 unix_copy_addr(msg, skb->sk);
640640
641---- linux-3.10.0-957.27.2.el7.orig/security/Kconfig
642-+++ linux-3.10.0-957.27.2.el7/security/Kconfig
641+--- linux-3.10.0-1062.1.1.el7.orig/security/Kconfig
642++++ linux-3.10.0-1062.1.1.el7/security/Kconfig
643643 @@ -226,5 +226,7 @@ config DEFAULT_SECURITY
644644 default "yama" if DEFAULT_SECURITY_YAMA
645645 default "" if DEFAULT_SECURITY_DAC
@@ -648,8 +648,8 @@
648648 +
649649 endmenu
650650
651---- linux-3.10.0-957.27.2.el7.orig/security/Makefile
652-+++ linux-3.10.0-957.27.2.el7/security/Makefile
651+--- linux-3.10.0-1062.1.1.el7.orig/security/Makefile
652++++ linux-3.10.0-1062.1.1.el7/security/Makefile
653653 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654654 # Object integrity file lists
655655 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -657,8 +657,8 @@
657657 +
658658 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
659659 +obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
660---- linux-3.10.0-957.27.2.el7.orig/security/security.c
661-+++ linux-3.10.0-957.27.2.el7/security/security.c
660+--- linux-3.10.0-1062.1.1.el7.orig/security/security.c
661++++ linux-3.10.0-1062.1.1.el7/security/security.c
662662 @@ -229,7 +229,10 @@ int security_syslog(int type)
663663
664664 int security_settime(const struct timespec *ts, const struct timezone *tz)
--- trunk/caitsith-patch/patches/ccs-patch-3.16.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-3.16.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 3.16.72.
1+This is TOMOYO Linux patch for kernel 3.16.74.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.72.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.74.tar.xz
44 ---
55 fs/exec.c | 2
66 fs/open.c | 2
@@ -29,8 +29,8 @@
2929 security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++-----
3030 25 files changed, 252 insertions(+), 37 deletions(-)
3131
32---- linux-3.16.72.orig/fs/exec.c
33-+++ linux-3.16.72/fs/exec.c
32+--- linux-3.16.74.orig/fs/exec.c
33++++ linux-3.16.74/fs/exec.c
3434 @@ -1482,7 +1482,7 @@ static int exec_binprm(struct linux_binp
3535 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3636 rcu_read_unlock();
@@ -40,8 +40,8 @@
4040 if (ret >= 0) {
4141 audit_bprm(bprm);
4242 trace_sched_process_exec(current, old_pid, bprm);
43---- linux-3.16.72.orig/fs/open.c
44-+++ linux-3.16.72/fs/open.c
43+--- linux-3.16.74.orig/fs/open.c
44++++ linux-3.16.74/fs/open.c
4545 @@ -1069,6 +1069,8 @@ EXPORT_SYMBOL(sys_close);
4646 */
4747 SYSCALL_DEFINE0(vhangup)
@@ -51,8 +51,8 @@
5151 if (capable(CAP_SYS_TTY_CONFIG)) {
5252 tty_vhangup_self();
5353 return 0;
54---- linux-3.16.72.orig/fs/proc/version.c
55-+++ linux-3.16.72/fs/proc/version.c
54+--- linux-3.16.74.orig/fs/proc/version.c
55++++ linux-3.16.74/fs/proc/version.c
5656 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5757 return 0;
5858 }
@@ -60,12 +60,12 @@
6060 +
6161 +static int __init ccs_show_version(void)
6262 +{
63-+ printk(KERN_INFO "Hook version: 3.16.72 2019/08/19\n");
63++ printk(KERN_INFO "Hook version: 3.16.74 2019/09/26\n");
6464 + return 0;
6565 +}
6666 +fs_initcall(ccs_show_version);
67---- linux-3.16.72.orig/include/linux/init_task.h
68-+++ linux-3.16.72/include/linux/init_task.h
67+--- linux-3.16.74.orig/include/linux/init_task.h
68++++ linux-3.16.74/include/linux/init_task.h
6969 @@ -164,6 +164,14 @@ extern struct task_group root_task_group
7070 # define INIT_RT_MUTEXES(tsk)
7171 #endif
@@ -89,8 +89,8 @@
8989 }
9090
9191
92---- linux-3.16.72.orig/include/linux/sched.h
93-+++ linux-3.16.72/include/linux/sched.h
92+--- linux-3.16.74.orig/include/linux/sched.h
93++++ linux-3.16.74/include/linux/sched.h
9494 @@ -6,6 +6,8 @@
9595 #include <linux/sched/prio.h>
9696
@@ -111,8 +111,8 @@
111111 };
112112
113113 /* Future-safe accessor for struct task_struct's cpus_allowed. */
114---- linux-3.16.72.orig/include/linux/security.h
115-+++ linux-3.16.72/include/linux/security.h
114+--- linux-3.16.74.orig/include/linux/security.h
115++++ linux-3.16.74/include/linux/security.h
116116 @@ -53,6 +53,7 @@ struct msg_queue;
117117 struct xattr;
118118 struct xfrm_sec_ctx;
@@ -324,8 +324,8 @@
324324 }
325325 #endif /* CONFIG_SECURITY_PATH */
326326
327---- linux-3.16.72.orig/include/net/ip.h
328-+++ linux-3.16.72/include/net/ip.h
327+--- linux-3.16.74.orig/include/net/ip.h
328++++ linux-3.16.74/include/net/ip.h
329329 @@ -213,6 +213,8 @@ void inet_get_local_port_range(struct ne
330330 #ifdef CONFIG_SYSCTL
331331 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -344,8 +344,8 @@
344344 return 0;
345345 }
346346 #endif
347---- linux-3.16.72.orig/kernel/fork.c
348-+++ linux-3.16.72/kernel/fork.c
347+--- linux-3.16.74.orig/kernel/fork.c
348++++ linux-3.16.74/kernel/fork.c
349349 @@ -248,6 +248,7 @@ void __put_task_struct(struct task_struc
350350 delayacct_tsk_free(tsk);
351351 put_signal_struct(tsk->signal);
@@ -372,8 +372,8 @@
372372 bad_fork_cleanup_perf:
373373 perf_event_free_task(p);
374374 bad_fork_cleanup_policy:
375---- linux-3.16.72.orig/kernel/kexec.c
376-+++ linux-3.16.72/kernel/kexec.c
375+--- linux-3.16.74.orig/kernel/kexec.c
376++++ linux-3.16.74/kernel/kexec.c
377377 @@ -39,6 +39,7 @@
378378 #include <asm/uaccess.h>
379379 #include <asm/io.h>
@@ -391,8 +391,8 @@
391391
392392 /*
393393 * Verify we have a legal set of flags
394---- linux-3.16.72.orig/kernel/module.c
395-+++ linux-3.16.72/kernel/module.c
394+--- linux-3.16.74.orig/kernel/module.c
395++++ linux-3.16.74/kernel/module.c
396396 @@ -63,6 +63,7 @@
397397 #include <linux/fips.h>
398398 #include <uapi/linux/module.h>
@@ -419,8 +419,8 @@
419419
420420 return 0;
421421 }
422---- linux-3.16.72.orig/kernel/ptrace.c
423-+++ linux-3.16.72/kernel/ptrace.c
422+--- linux-3.16.74.orig/kernel/ptrace.c
423++++ linux-3.16.74/kernel/ptrace.c
424424 @@ -1128,6 +1128,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
425425 {
426426 struct task_struct *child;
@@ -445,8 +445,8 @@
445445
446446 if (request == PTRACE_TRACEME) {
447447 ret = ptrace_traceme();
448---- linux-3.16.72.orig/kernel/reboot.c
449-+++ linux-3.16.72/kernel/reboot.c
448+--- linux-3.16.74.orig/kernel/reboot.c
449++++ linux-3.16.74/kernel/reboot.c
450450 @@ -16,6 +16,7 @@
451451 #include <linux/syscalls.h>
452452 #include <linux/syscore_ops.h>
@@ -464,8 +464,8 @@
464464
465465 /*
466466 * If pid namespaces are enabled and the current task is in a child
467---- linux-3.16.72.orig/kernel/sched/core.c
468-+++ linux-3.16.72/kernel/sched/core.c
467+--- linux-3.16.74.orig/kernel/sched/core.c
468++++ linux-3.16.74/kernel/sched/core.c
469469 @@ -3152,6 +3152,8 @@ int can_nice(const struct task_struct *p
470470 SYSCALL_DEFINE1(nice, int, increment)
471471 {
@@ -475,8 +475,8 @@
475475
476476 /*
477477 * Setpriority might change our priority at the same moment.
478---- linux-3.16.72.orig/kernel/signal.c
479-+++ linux-3.16.72/kernel/signal.c
478+--- linux-3.16.74.orig/kernel/signal.c
479++++ linux-3.16.74/kernel/signal.c
480480 @@ -2950,6 +2950,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
481481 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
482482 {
@@ -522,8 +522,8 @@
522522
523523 return do_send_specific(tgid, pid, sig, info);
524524 }
525---- linux-3.16.72.orig/kernel/sys.c
526-+++ linux-3.16.72/kernel/sys.c
525+--- linux-3.16.74.orig/kernel/sys.c
526++++ linux-3.16.74/kernel/sys.c
527527 @@ -176,6 +176,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
528528
529529 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -553,8 +553,8 @@
553553
554554 down_write(&uts_sem);
555555 errno = -EFAULT;
556---- linux-3.16.72.orig/kernel/time/ntp.c
557-+++ linux-3.16.72/kernel/time/ntp.c
556+--- linux-3.16.74.orig/kernel/time/ntp.c
557++++ linux-3.16.74/kernel/time/ntp.c
558558 @@ -16,6 +16,7 @@
559559 #include <linux/mm.h>
560560 #include <linux/module.h>
@@ -588,8 +588,8 @@
588588
589589 /*
590590 * Check for potential multiplication overflows that can
591---- linux-3.16.72.orig/net/ipv4/raw.c
592-+++ linux-3.16.72/net/ipv4/raw.c
591+--- linux-3.16.74.orig/net/ipv4/raw.c
592++++ linux-3.16.74/net/ipv4/raw.c
593593 @@ -731,6 +731,10 @@ static int raw_recvmsg(struct kiocb *ioc
594594 skb = skb_recv_datagram(sk, flags, noblock, &err);
595595 if (!skb)
@@ -601,8 +601,8 @@
601601
602602 copied = skb->len;
603603 if (len < copied) {
604---- linux-3.16.72.orig/net/ipv4/udp.c
605-+++ linux-3.16.72/net/ipv4/udp.c
604+--- linux-3.16.74.orig/net/ipv4/udp.c
605++++ linux-3.16.74/net/ipv4/udp.c
606606 @@ -1288,6 +1288,10 @@ try_again:
607607 &peeked, &off, &err);
608608 if (!skb)
@@ -614,8 +614,8 @@
614614
615615 ulen = skb->len - sizeof(struct udphdr);
616616 copied = len;
617---- linux-3.16.72.orig/net/ipv6/raw.c
618-+++ linux-3.16.72/net/ipv6/raw.c
617+--- linux-3.16.74.orig/net/ipv6/raw.c
618++++ linux-3.16.74/net/ipv6/raw.c
619619 @@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
620620 skb = skb_recv_datagram(sk, flags, noblock, &err);
621621 if (!skb)
@@ -627,8 +627,8 @@
627627
628628 copied = skb->len;
629629 if (copied > len) {
630---- linux-3.16.72.orig/net/ipv6/udp.c
631-+++ linux-3.16.72/net/ipv6/udp.c
630+--- linux-3.16.74.orig/net/ipv6/udp.c
631++++ linux-3.16.74/net/ipv6/udp.c
632632 @@ -404,6 +404,10 @@ try_again:
633633 &peeked, &off, &err);
634634 if (!skb)
@@ -640,8 +640,8 @@
640640
641641 ulen = skb->len - sizeof(struct udphdr);
642642 copied = len;
643---- linux-3.16.72.orig/net/socket.c
644-+++ linux-3.16.72/net/socket.c
643+--- linux-3.16.74.orig/net/socket.c
644++++ linux-3.16.74/net/socket.c
645645 @@ -1632,6 +1632,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
646646 if (err < 0)
647647 goto out_fd;
@@ -653,8 +653,8 @@
653653 if (upeer_sockaddr) {
654654 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
655655 &len, 2) < 0) {
656---- linux-3.16.72.orig/net/unix/af_unix.c
657-+++ linux-3.16.72/net/unix/af_unix.c
656+--- linux-3.16.74.orig/net/unix/af_unix.c
657++++ linux-3.16.74/net/unix/af_unix.c
658658 @@ -1981,6 +1981,10 @@ static int unix_dgram_recvmsg(struct kio
659659 wake_up_interruptible_sync_poll(&u->peer_wait,
660660 POLLOUT | POLLWRNORM | POLLWRBAND);
@@ -666,8 +666,8 @@
666666 if (msg->msg_name)
667667 unix_copy_addr(msg, skb->sk);
668668
669---- linux-3.16.72.orig/security/Kconfig
670-+++ linux-3.16.72/security/Kconfig
669+--- linux-3.16.74.orig/security/Kconfig
670++++ linux-3.16.74/security/Kconfig
671671 @@ -177,5 +177,7 @@ config DEFAULT_SECURITY
672672 default "yama" if DEFAULT_SECURITY_YAMA
673673 default "" if DEFAULT_SECURITY_DAC
@@ -676,8 +676,8 @@
676676 +
677677 endmenu
678678
679---- linux-3.16.72.orig/security/Makefile
680-+++ linux-3.16.72/security/Makefile
679+--- linux-3.16.74.orig/security/Makefile
680++++ linux-3.16.74/security/Makefile
681681 @@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
682682 # Object integrity file lists
683683 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -685,8 +685,8 @@
685685 +
686686 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
687687 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
688---- linux-3.16.72.orig/security/security.c
689-+++ linux-3.16.72/security/security.c
688+--- linux-3.16.74.orig/security/security.c
689++++ linux-3.16.74/security/security.c
690690 @@ -203,7 +203,10 @@ int security_syslog(int type)
691691
692692 int security_settime(const struct timespec *ts, const struct timezone *tz)
--- trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-4.14.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.14.139.
1+This is TOMOYO Linux patch for kernel 4.14.146.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.139.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.146.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 153 insertions(+), 29 deletions(-)
3030
31---- linux-4.14.139.orig/fs/exec.c
32-+++ linux-4.14.139/fs/exec.c
31+--- linux-4.14.146.orig/fs/exec.c
32++++ linux-4.14.146/fs/exec.c
3333 @@ -1677,7 +1677,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.14.139.orig/fs/open.c
43-+++ linux-4.14.139/fs/open.c
42+--- linux-4.14.146.orig/fs/open.c
43++++ linux-4.14.146/fs/open.c
4444 @@ -1196,6 +1196,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.14.139.orig/fs/proc/version.c
54-+++ linux-4.14.139/fs/proc/version.c
53+--- linux-4.14.146.orig/fs/proc/version.c
54++++ linux-4.14.146/fs/proc/version.c
5555 @@ -33,3 +33,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.14.139 2019/08/19\n");
62++ printk(KERN_INFO "Hook version: 4.14.146 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.14.139.orig/include/linux/init_task.h
67-+++ linux-4.14.139/include/linux/init_task.h
66+--- linux-4.14.146.orig/include/linux/init_task.h
67++++ linux-4.14.146/include/linux/init_task.h
6868 @@ -219,6 +219,14 @@ extern struct cred init_cred;
6969 #define INIT_TASK_SECURITY
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.14.139.orig/include/linux/sched.h
92-+++ linux-4.14.139/include/linux/sched.h
91+--- linux-4.14.146.orig/include/linux/sched.h
92++++ linux-4.14.146/include/linux/sched.h
9393 @@ -33,6 +33,7 @@ struct audit_context;
9494 struct backing_dev_info;
9595 struct bio_list;
@@ -109,8 +109,8 @@
109109
110110 /*
111111 * New fields for task_struct should be added above here, so that
112---- linux-4.14.139.orig/include/linux/security.h
113-+++ linux-4.14.139/include/linux/security.h
112+--- linux-4.14.146.orig/include/linux/security.h
113++++ linux-4.14.146/include/linux/security.h
114114 @@ -56,6 +56,7 @@ struct msg_queue;
115115 struct xattr;
116116 struct xfrm_sec_ctx;
@@ -331,8 +331,8 @@
331331 }
332332 #endif /* CONFIG_SECURITY_PATH */
333333
334---- linux-4.14.139.orig/include/net/ip.h
335-+++ linux-4.14.139/include/net/ip.h
334+--- linux-4.14.146.orig/include/net/ip.h
335++++ linux-4.14.146/include/net/ip.h
336336 @@ -266,6 +266,8 @@ void inet_get_local_port_range(struct ne
337337 #ifdef CONFIG_SYSCTL
338338 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -351,8 +351,8 @@
351351 return 0;
352352 }
353353
354---- linux-4.14.139.orig/kernel/kexec.c
355-+++ linux-4.14.139/kernel/kexec.c
354+--- linux-4.14.146.orig/kernel/kexec.c
355++++ linux-4.14.146/kernel/kexec.c
356356 @@ -17,7 +17,7 @@
357357 #include <linux/syscalls.h>
358358 #include <linux/vmalloc.h>
@@ -371,8 +371,8 @@
371371
372372 /*
373373 * Verify we have a legal set of flags
374---- linux-4.14.139.orig/kernel/module.c
375-+++ linux-4.14.139/kernel/module.c
374+--- linux-4.14.146.orig/kernel/module.c
375++++ linux-4.14.146/kernel/module.c
376376 @@ -66,6 +66,7 @@
377377 #include <linux/audit.h>
378378 #include <uapi/linux/module.h>
@@ -390,7 +390,7 @@
390390
391391 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
392392 return -EFAULT;
393-@@ -3539,6 +3542,8 @@ static int may_init_module(void)
393+@@ -3551,6 +3554,8 @@ static int may_init_module(void)
394394 {
395395 if (!capable(CAP_SYS_MODULE) || modules_disabled)
396396 return -EPERM;
@@ -399,8 +399,8 @@
399399
400400 return 0;
401401 }
402---- linux-4.14.139.orig/kernel/ptrace.c
403-+++ linux-4.14.139/kernel/ptrace.c
402+--- linux-4.14.146.orig/kernel/ptrace.c
403++++ linux-4.14.146/kernel/ptrace.c
404404 @@ -1148,6 +1148,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
405405 {
406406 struct task_struct *child;
@@ -425,8 +425,8 @@
425425
426426 if (request == PTRACE_TRACEME) {
427427 ret = ptrace_traceme();
428---- linux-4.14.139.orig/kernel/reboot.c
429-+++ linux-4.14.139/kernel/reboot.c
428+--- linux-4.14.146.orig/kernel/reboot.c
429++++ linux-4.14.146/kernel/reboot.c
430430 @@ -16,6 +16,7 @@
431431 #include <linux/syscalls.h>
432432 #include <linux/syscore_ops.h>
@@ -444,8 +444,8 @@
444444
445445 /*
446446 * If pid namespaces are enabled and the current task is in a child
447---- linux-4.14.139.orig/kernel/sched/core.c
448-+++ linux-4.14.139/kernel/sched/core.c
447+--- linux-4.14.146.orig/kernel/sched/core.c
448++++ linux-4.14.146/kernel/sched/core.c
449449 @@ -3854,6 +3854,8 @@ int can_nice(const struct task_struct *p
450450 SYSCALL_DEFINE1(nice, int, increment)
451451 {
@@ -455,8 +455,8 @@
455455
456456 /*
457457 * Setpriority might change our priority at the same moment.
458---- linux-4.14.139.orig/kernel/signal.c
459-+++ linux-4.14.139/kernel/signal.c
458+--- linux-4.14.146.orig/kernel/signal.c
459++++ linux-4.14.146/kernel/signal.c
460460 @@ -3028,6 +3028,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
461461 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
462462 {
@@ -502,8 +502,8 @@
502502
503503 return do_send_specific(tgid, pid, sig, info);
504504 }
505---- linux-4.14.139.orig/kernel/sys.c
506-+++ linux-4.14.139/kernel/sys.c
505+--- linux-4.14.146.orig/kernel/sys.c
506++++ linux-4.14.146/kernel/sys.c
507507 @@ -193,6 +193,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
508508
509509 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -533,8 +533,8 @@
533533
534534 errno = -EFAULT;
535535 if (!copy_from_user(tmp, name, len)) {
536---- linux-4.14.139.orig/kernel/time/ntp.c
537-+++ linux-4.14.139/kernel/time/ntp.c
536+--- linux-4.14.146.orig/kernel/time/ntp.c
537++++ linux-4.14.146/kernel/time/ntp.c
538538 @@ -18,6 +18,7 @@
539539 #include <linux/module.h>
540540 #include <linux/rtc.h>
@@ -568,8 +568,8 @@
568568
569569 if (txc->modes & ADJ_NANO) {
570570 struct timespec ts;
571---- linux-4.14.139.orig/net/ipv4/raw.c
572-+++ linux-4.14.139/net/ipv4/raw.c
571+--- linux-4.14.146.orig/net/ipv4/raw.c
572++++ linux-4.14.146/net/ipv4/raw.c
573573 @@ -766,6 +766,10 @@ static int raw_recvmsg(struct sock *sk,
574574 skb = skb_recv_datagram(sk, flags, noblock, &err);
575575 if (!skb)
@@ -581,8 +581,8 @@
581581
582582 copied = skb->len;
583583 if (len < copied) {
584---- linux-4.14.139.orig/net/ipv4/udp.c
585-+++ linux-4.14.139/net/ipv4/udp.c
584+--- linux-4.14.146.orig/net/ipv4/udp.c
585++++ linux-4.14.146/net/ipv4/udp.c
586586 @@ -1597,6 +1597,8 @@ try_again:
587587 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
588588 if (!skb)
@@ -592,8 +592,8 @@
592592
593593 ulen = udp_skb_len(skb);
594594 copied = len;
595---- linux-4.14.139.orig/net/ipv6/raw.c
596-+++ linux-4.14.139/net/ipv6/raw.c
595+--- linux-4.14.146.orig/net/ipv6/raw.c
596++++ linux-4.14.146/net/ipv6/raw.c
597597 @@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
598598 skb = skb_recv_datagram(sk, flags, noblock, &err);
599599 if (!skb)
@@ -605,8 +605,8 @@
605605
606606 copied = skb->len;
607607 if (copied > len) {
608---- linux-4.14.139.orig/net/ipv6/udp.c
609-+++ linux-4.14.139/net/ipv6/udp.c
608+--- linux-4.14.146.orig/net/ipv6/udp.c
609++++ linux-4.14.146/net/ipv6/udp.c
610610 @@ -371,6 +371,8 @@ try_again:
611611 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
612612 if (!skb)
@@ -616,8 +616,8 @@
616616
617617 ulen = udp6_skb_len(skb);
618618 copied = len;
619---- linux-4.14.139.orig/net/socket.c
620-+++ linux-4.14.139/net/socket.c
619+--- linux-4.14.146.orig/net/socket.c
620++++ linux-4.14.146/net/socket.c
621621 @@ -1588,6 +1588,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
622622 if (err < 0)
623623 goto out_fd;
@@ -629,8 +629,8 @@
629629 if (upeer_sockaddr) {
630630 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
631631 &len, 2) < 0) {
632---- linux-4.14.139.orig/net/unix/af_unix.c
633-+++ linux-4.14.139/net/unix/af_unix.c
632+--- linux-4.14.146.orig/net/unix/af_unix.c
633++++ linux-4.14.146/net/unix/af_unix.c
634634 @@ -2141,6 +2141,10 @@ static int unix_dgram_recvmsg(struct soc
635635 POLLOUT | POLLWRNORM |
636636 POLLWRBAND);
@@ -650,8 +650,8 @@
650650 mutex_unlock(&u->iolock);
651651 out:
652652 return err;
653---- linux-4.14.139.orig/security/Kconfig
654-+++ linux-4.14.139/security/Kconfig
653+--- linux-4.14.146.orig/security/Kconfig
654++++ linux-4.14.146/security/Kconfig
655655 @@ -263,5 +263,7 @@ config DEFAULT_SECURITY
656656 default "apparmor" if DEFAULT_SECURITY_APPARMOR
657657 default "" if DEFAULT_SECURITY_DAC
@@ -660,8 +660,8 @@
660660 +
661661 endmenu
662662
663---- linux-4.14.139.orig/security/Makefile
664-+++ linux-4.14.139/security/Makefile
663+--- linux-4.14.146.orig/security/Makefile
664++++ linux-4.14.146/security/Makefile
665665 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
666666 # Object integrity file lists
667667 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -669,8 +669,8 @@
669669 +
670670 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
671671 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
672---- linux-4.14.139.orig/security/security.c
673-+++ linux-4.14.139/security/security.c
672+--- linux-4.14.146.orig/security/security.c
673++++ linux-4.14.146/security/security.c
674674 @@ -978,12 +978,19 @@ int security_file_open(struct file *file
675675
676676 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (nonexistent)
+++ trunk/caitsith-patch/patches/ccs-patch-4.18-centos-8.diff (revision 288)
@@ -0,0 +1,681 @@
1+This is TOMOYO Linux patch for CentOS 8.
2+
3+Source code for this patch is http://vault.centos.org/8.0.1905/BaseOS/Source/SPackages/kernel-4.18.0-80.7.1.el8_0.src.rpm
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 ++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 68 ++++++++++++++++++++++++++++------------------
10+ include/net/ip.h | 4 ++
11+ init/init_task.c | 4 ++
12+ kernel/kexec.c | 4 ++
13+ kernel/module.c | 5 +++
14+ kernel/ptrace.c | 10 ++++++
15+ kernel/reboot.c | 3 ++
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 10 ++++++
18+ kernel/sys.c | 8 +++++
19+ kernel/time/timekeeping.c | 8 +++++
20+ net/ipv4/raw.c | 4 ++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 ++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 ++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 ++
28+ security/security.c | 9 +++++-
29+ 24 files changed, 148 insertions(+), 29 deletions(-)
30+
31+--- linux-4.18.0-80.7.1.el8.orig/fs/exec.c
32++++ linux-4.18.0-80.7.1.el8/fs/exec.c
33+@@ -1691,7 +1691,7 @@ static int exec_binprm(struct linux_binp
34+ old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35+ rcu_read_unlock();
36+
37+- ret = search_binary_handler(bprm);
38++ ret = ccs_search_binary_handler(bprm);
39+ if (ret >= 0) {
40+ audit_bprm(bprm);
41+ trace_sched_process_exec(current, old_pid, bprm);
42+--- linux-4.18.0-80.7.1.el8.orig/fs/open.c
43++++ linux-4.18.0-80.7.1.el8/fs/open.c
44+@@ -1180,6 +1180,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux-4.18.0-80.7.1.el8.orig/fs/proc/version.c
54++++ linux-4.18.0-80.7.1.el8/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 4.18.0-80.7.1.el8 2019/09/26\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux-4.18.0-80.7.1.el8.orig/include/linux/sched.h
67++++ linux-4.18.0-80.7.1.el8/include/linux/sched.h
68+@@ -35,6 +35,7 @@ struct audit_context;
69+ struct backing_dev_info;
70+ struct bio_list;
71+ struct blk_plug;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1189,6 +1190,10 @@ struct task_struct {
77+ /* Used by LSM modules for access restriction: */
78+ void *security;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ /*
86+ * New fields for task_struct should be added above here, so that
87+--- linux-4.18.0-80.7.1.el8.orig/include/linux/security.h
88++++ linux-4.18.0-80.7.1.el8/include/linux/security.h
89+@@ -53,6 +53,7 @@ struct msg_msg;
90+ struct xattr;
91+ struct xfrm_sec_ctx;
92+ struct mm_struct;
93++#include <linux/ccsecurity.h>
94+
95+ /* If capable should audit the security request */
96+ #define SECURITY_CAP_NOAUDIT 0
97+@@ -499,7 +500,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -563,18 +567,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -723,7 +727,7 @@ static inline int security_inode_setattr
132+
133+ static inline int security_inode_getattr(const struct path *path)
134+ {
135+- return 0;
136++ return ccs_inode_getattr(path);
137+ }
138+
139+ static inline int security_inode_setxattr(struct dentry *dentry,
140+@@ -809,7 +813,7 @@ static inline void security_file_free(st
141+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
142+ unsigned long arg)
143+ {
144+- return 0;
145++ return ccs_file_ioctl(file, cmd, arg);
146+ }
147+
148+ static inline int security_mmap_file(struct file *file, unsigned long prot,
149+@@ -838,7 +842,7 @@ static inline int security_file_lock(str
150+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_fcntl(file, cmd, arg);
155+ }
156+
157+ static inline void security_file_set_fowner(struct file *file)
158+@@ -860,17 +864,19 @@ static inline int security_file_receive(
159+
160+ static inline int security_file_open(struct file *file)
161+ {
162+- return 0;
163++ return ccs_file_open(file);
164+ }
165+
166+ static inline int security_task_alloc(struct task_struct *task,
167+ unsigned long clone_flags)
168+ {
169+- return 0;
170++ return ccs_alloc_task_security(task);
171+ }
172+
173+ static inline void security_task_free(struct task_struct *task)
174+-{ }
175++{
176++ ccs_free_task_security(task);
177++}
178+
179+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
180+ {
181+@@ -1237,7 +1243,7 @@ static inline int security_unix_may_send
182+ static inline int security_socket_create(int family, int type,
183+ int protocol, int kern)
184+ {
185+- return 0;
186++ return ccs_socket_create(family, type, protocol, kern);
187+ }
188+
189+ static inline int security_socket_post_create(struct socket *sock,
190+@@ -1258,19 +1264,19 @@ static inline int security_socket_bind(s
191+ struct sockaddr *address,
192+ int addrlen)
193+ {
194+- return 0;
195++ return ccs_socket_bind(sock, address, addrlen);
196+ }
197+
198+ static inline int security_socket_connect(struct socket *sock,
199+ struct sockaddr *address,
200+ int addrlen)
201+ {
202+- return 0;
203++ return ccs_socket_connect(sock, address, addrlen);
204+ }
205+
206+ static inline int security_socket_listen(struct socket *sock, int backlog)
207+ {
208+- return 0;
209++ return ccs_socket_listen(sock, backlog);
210+ }
211+
212+ static inline int security_socket_accept(struct socket *sock,
213+@@ -1282,7 +1288,7 @@ static inline int security_socket_accept
214+ static inline int security_socket_sendmsg(struct socket *sock,
215+ struct msghdr *msg, int size)
216+ {
217+- return 0;
218++ return ccs_socket_sendmsg(sock, msg, size);
219+ }
220+
221+ static inline int security_socket_recvmsg(struct socket *sock,
222+@@ -1569,42 +1575,42 @@ int security_path_chroot(const struct pa
223+ #else /* CONFIG_SECURITY_PATH */
224+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
225+ {
226+- return 0;
227++ return ccs_path_unlink(dir, dentry);
228+ }
229+
230+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
231+ umode_t mode)
232+ {
233+- return 0;
234++ return ccs_path_mkdir(dir, dentry, mode);
235+ }
236+
237+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
238+ {
239+- return 0;
240++ return ccs_path_rmdir(dir, dentry);
241+ }
242+
243+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
244+ umode_t mode, unsigned int dev)
245+ {
246+- return 0;
247++ return ccs_path_mknod(dir, dentry, mode, dev);
248+ }
249+
250+ static inline int security_path_truncate(const struct path *path)
251+ {
252+- return 0;
253++ return ccs_path_truncate(path);
254+ }
255+
256+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
257+ const char *old_name)
258+ {
259+- return 0;
260++ return ccs_path_symlink(dir, dentry, old_name);
261+ }
262+
263+ static inline int security_path_link(struct dentry *old_dentry,
264+ const struct path *new_dir,
265+ struct dentry *new_dentry)
266+ {
267+- return 0;
268++ return ccs_path_link(old_dentry, new_dir, new_dentry);
269+ }
270+
271+ static inline int security_path_rename(const struct path *old_dir,
272+@@ -1613,22 +1619,32 @@ static inline int security_path_rename(c
273+ struct dentry *new_dentry,
274+ unsigned int flags)
275+ {
276+- return 0;
277++ /*
278++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
279++ * by doing "#include <uapi/linux/fs.h>" .
280++ */
281++ if (flags & (1 << 1)) {
282++ int err = ccs_path_rename(new_dir, new_dentry, old_dir,
283++ old_dentry);
284++ if (err)
285++ return err;
286++ }
287++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry);
288+ }
289+
290+ static inline int security_path_chmod(const struct path *path, umode_t mode)
291+ {
292+- return 0;
293++ return ccs_path_chmod(path, mode);
294+ }
295+
296+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
297+ {
298+- return 0;
299++ return ccs_path_chown(path, uid, gid);
300+ }
301+
302+ static inline int security_path_chroot(const struct path *path)
303+ {
304+- return 0;
305++ return ccs_path_chroot(path);
306+ }
307+ #endif /* CONFIG_SECURITY_PATH */
308+
309+--- linux-4.18.0-80.7.1.el8.orig/include/net/ip.h
310++++ linux-4.18.0-80.7.1.el8/include/net/ip.h
311+@@ -278,6 +278,8 @@ void inet_get_local_port_range(struct ne
312+ #ifdef CONFIG_SYSCTL
313+ static inline int inet_is_local_reserved_port(struct net *net, int port)
314+ {
315++ if (ccs_lport_reserved(port))
316++ return 1;
317+ if (!net->ipv4.sysctl_local_reserved_ports)
318+ return 0;
319+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
320+@@ -296,6 +298,8 @@ static inline int inet_prot_sock(struct
321+ #else
322+ static inline int inet_is_local_reserved_port(struct net *net, int port)
323+ {
324++ if (ccs_lport_reserved(port))
325++ return 1;
326+ return 0;
327+ }
328+
329+--- linux-4.18.0-80.7.1.el8.orig/init/init_task.c
330++++ linux-4.18.0-80.7.1.el8/init/init_task.c
331+@@ -176,6 +176,10 @@ struct task_struct init_task
332+ #ifdef CONFIG_SECURITY
333+ .security = NULL,
334+ #endif
335++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
336++ .ccs_domain_info = NULL,
337++ .ccs_flags = 0,
338++#endif
339+ };
340+ EXPORT_SYMBOL(init_task);
341+
342+--- linux-4.18.0-80.7.1.el8.orig/kernel/kexec.c
343++++ linux-4.18.0-80.7.1.el8/kernel/kexec.c
344+@@ -17,7 +17,7 @@
345+ #include <linux/syscalls.h>
346+ #include <linux/vmalloc.h>
347+ #include <linux/slab.h>
348+-
349++#include <linux/ccsecurity.h>
350+ #include "kexec_internal.h"
351+
352+ static int copy_user_segment_list(struct kimage *image,
353+@@ -198,6 +198,8 @@ static inline int kexec_load_check(unsig
354+ /* We only trust the superuser with rebooting the system. */
355+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
356+ return -EPERM;
357++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
358++ return -EPERM;
359+
360+ /*
361+ * kexec can be used to circumvent module loading restrictions, so
362+--- linux-4.18.0-80.7.1.el8.orig/kernel/module.c
363++++ linux-4.18.0-80.7.1.el8/kernel/module.c
364+@@ -66,6 +66,7 @@
365+ #include <linux/audit.h>
366+ #include <uapi/linux/module.h>
367+ #include "module-internal.h"
368++#include <linux/ccsecurity.h>
369+
370+ #define CREATE_TRACE_POINTS
371+ #include <trace/events/module.h>
372+@@ -969,6 +970,8 @@ SYSCALL_DEFINE2(delete_module, const cha
373+
374+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
375+ return -EPERM;
376++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
377++ return -EPERM;
378+
379+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380+ return -EFAULT;
381+@@ -3551,6 +3554,8 @@ static int may_init_module(void)
382+ {
383+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
384+ return -EPERM;
385++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
386++ return -EPERM;
387+
388+ return 0;
389+ }
390+--- linux-4.18.0-80.7.1.el8.orig/kernel/ptrace.c
391++++ linux-4.18.0-80.7.1.el8/kernel/ptrace.c
392+@@ -1112,6 +1112,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393+ {
394+ struct task_struct *child;
395+ long ret;
396++ {
397++ const int rc = ccs_ptrace_permission(request, pid);
398++ if (rc)
399++ return rc;
400++ }
401+
402+ if (request == PTRACE_TRACEME) {
403+ ret = ptrace_traceme();
404+@@ -1260,6 +1265,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
405+ {
406+ struct task_struct *child;
407+ long ret;
408++ {
409++ const int rc = ccs_ptrace_permission(request, pid);
410++ if (rc)
411++ return rc;
412++ }
413+
414+ if (request == PTRACE_TRACEME) {
415+ ret = ptrace_traceme();
416+--- linux-4.18.0-80.7.1.el8.orig/kernel/reboot.c
417++++ linux-4.18.0-80.7.1.el8/kernel/reboot.c
418+@@ -16,6 +16,7 @@
419+ #include <linux/syscalls.h>
420+ #include <linux/syscore_ops.h>
421+ #include <linux/uaccess.h>
422++#include <linux/ccsecurity.h>
423+
424+ /*
425+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
426+@@ -322,6 +323,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
427+ magic2 != LINUX_REBOOT_MAGIC2B &&
428+ magic2 != LINUX_REBOOT_MAGIC2C))
429+ return -EINVAL;
430++ if (!ccs_capable(CCS_SYS_REBOOT))
431++ return -EPERM;
432+
433+ /*
434+ * If pid namespaces are enabled and the current task is in a child
435+--- linux-4.18.0-80.7.1.el8.orig/kernel/sched/core.c
436++++ linux-4.18.0-80.7.1.el8/kernel/sched/core.c
437+@@ -3979,6 +3979,8 @@ int can_nice(const struct task_struct *p
438+ SYSCALL_DEFINE1(nice, int, increment)
439+ {
440+ long nice, retval;
441++ if (!ccs_capable(CCS_SYS_NICE))
442++ return -EPERM;
443+
444+ /*
445+ * Setpriority might change our priority at the same moment.
446+--- linux-4.18.0-80.7.1.el8.orig/kernel/signal.c
447++++ linux-4.18.0-80.7.1.el8/kernel/signal.c
448+@@ -3167,6 +3167,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450+ {
451+ struct siginfo info;
452++ if (ccs_kill_permission(pid, sig))
453++ return -EPERM;
454+
455+ clear_siginfo(&info);
456+ info.si_signo = sig;
457+@@ -3237,6 +3239,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
458+ /* This is only valid for single tasks */
459+ if (pid <= 0 || tgid <= 0)
460+ return -EINVAL;
461++ if (ccs_tgkill_permission(tgid, pid, sig))
462++ return -EPERM;
463+
464+ return do_tkill(tgid, pid, sig);
465+ }
466+@@ -3253,6 +3257,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
467+ /* This is only valid for single tasks */
468+ if (pid <= 0)
469+ return -EINVAL;
470++ if (ccs_tkill_permission(pid, sig))
471++ return -EPERM;
472+
473+ return do_tkill(0, pid, sig);
474+ }
475+@@ -3267,6 +3273,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
476+ return -EPERM;
477+
478+ info->si_signo = sig;
479++ if (ccs_sigqueue_permission(pid, sig))
480++ return -EPERM;
481+
482+ /* POSIX.1b doesn't mention process groups. */
483+ return kill_proc_info(sig, info, pid);
484+@@ -3315,6 +3323,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
485+ return -EPERM;
486+
487+ info->si_signo = sig;
488++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
489++ return -EPERM;
490+
491+ return do_send_specific(tgid, pid, sig, info);
492+ }
493+--- linux-4.18.0-80.7.1.el8.orig/kernel/sys.c
494++++ linux-4.18.0-80.7.1.el8/kernel/sys.c
495+@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496+
497+ if (which > PRIO_USER || which < PRIO_PROCESS)
498+ goto out;
499++ if (!ccs_capable(CCS_SYS_NICE)) {
500++ error = -EPERM;
501++ goto out;
502++ }
503+
504+ /* normalize: avoid signed division (rounding problems) */
505+ error = -ESRCH;
506+@@ -1319,6 +1323,8 @@ SYSCALL_DEFINE2(sethostname, char __user
507+
508+ if (len < 0 || len > __NEW_UTS_LEN)
509+ return -EINVAL;
510++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
511++ return -EPERM;
512+ down_write(&uts_sem);
513+ errno = -EFAULT;
514+ if (!copy_from_user(tmp, name, len)) {
515+@@ -1369,6 +1375,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
516+ return -EPERM;
517+ if (len < 0 || len > __NEW_UTS_LEN)
518+ return -EINVAL;
519++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
520++ return -EPERM;
521+
522+ down_write(&uts_sem);
523+ errno = -EFAULT;
524+--- linux-4.18.0-80.7.1.el8.orig/kernel/time/timekeeping.c
525++++ linux-4.18.0-80.7.1.el8/kernel/time/timekeeping.c
526+@@ -25,6 +25,7 @@
527+ #include <linux/stop_machine.h>
528+ #include <linux/pvclock_gtod.h>
529+ #include <linux/compiler.h>
530++#include <linux/ccsecurity.h>
531+
532+ #include "tick-internal.h"
533+ #include "ntp_internal.h"
534+@@ -2229,10 +2230,15 @@ static int timekeeping_validate_timex(st
535+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
536+ !capable(CAP_SYS_TIME))
537+ return -EPERM;
538++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
539++ !ccs_capable(CCS_SYS_SETTIME))
540++ return -EPERM;
541+ } else {
542+ /* In order to modify anything, you gotta be super-user! */
543+ if (txc->modes && !capable(CAP_SYS_TIME))
544+ return -EPERM;
545++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
546++ return -EPERM;
547+ /*
548+ * if the quartz is off by more than 10% then
549+ * something is VERY wrong!
550+@@ -2247,6 +2253,8 @@ static int timekeeping_validate_timex(st
551+ /* In order to inject time, you gotta be super-user! */
552+ if (!capable(CAP_SYS_TIME))
553+ return -EPERM;
554++ if (!ccs_capable(CCS_SYS_SETTIME))
555++ return -EPERM;
556+
557+ /*
558+ * Validate if a timespec/timeval used to inject a time
559+--- linux-4.18.0-80.7.1.el8.orig/net/ipv4/raw.c
560++++ linux-4.18.0-80.7.1.el8/net/ipv4/raw.c
561+@@ -781,6 +781,10 @@ static int raw_recvmsg(struct sock *sk,
562+ skb = skb_recv_datagram(sk, flags, noblock, &err);
563+ if (!skb)
564+ goto out;
565++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
566++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
567++ goto out;
568++ }
569+
570+ copied = skb->len;
571+ if (len < copied) {
572+--- linux-4.18.0-80.7.1.el8.orig/net/ipv4/udp.c
573++++ linux-4.18.0-80.7.1.el8/net/ipv4/udp.c
574+@@ -1660,6 +1660,8 @@ try_again:
575+ skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576+ if (!skb)
577+ return err;
578++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
579++ return -EAGAIN; /* Hope less harmful than -EPERM. */
580+
581+ ulen = udp_skb_len(skb);
582+ copied = len;
583+--- linux-4.18.0-80.7.1.el8.orig/net/ipv6/raw.c
584++++ linux-4.18.0-80.7.1.el8/net/ipv6/raw.c
585+@@ -483,6 +483,10 @@ static int rawv6_recvmsg(struct sock *sk
586+ skb = skb_recv_datagram(sk, flags, noblock, &err);
587+ if (!skb)
588+ goto out;
589++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
590++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
591++ goto out;
592++ }
593+
594+ copied = skb->len;
595+ if (copied > len) {
596+--- linux-4.18.0-80.7.1.el8.orig/net/ipv6/udp.c
597++++ linux-4.18.0-80.7.1.el8/net/ipv6/udp.c
598+@@ -339,6 +339,8 @@ try_again:
599+ skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600+ if (!skb)
601+ return err;
602++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
603++ return -EAGAIN; /* Hope less harmful than -EPERM. */
604+
605+ ulen = udp6_skb_len(skb);
606+ copied = len;
607+--- linux-4.18.0-80.7.1.el8.orig/net/socket.c
608++++ linux-4.18.0-80.7.1.el8/net/socket.c
609+@@ -1602,6 +1602,10 @@ int __sys_accept4(int fd, struct sockadd
610+ if (err < 0)
611+ goto out_fd;
612+
613++ if (ccs_socket_post_accept_permission(sock, newsock)) {
614++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
615++ goto out_fd;
616++ }
617+ if (upeer_sockaddr) {
618+ len = newsock->ops->getname(newsock,
619+ (struct sockaddr *)&address, 2);
620+--- linux-4.18.0-80.7.1.el8.orig/net/unix/af_unix.c
621++++ linux-4.18.0-80.7.1.el8/net/unix/af_unix.c
622+@@ -2122,6 +2122,10 @@ static int unix_dgram_recvmsg(struct soc
623+ EPOLLOUT | EPOLLWRNORM |
624+ EPOLLWRBAND);
625+
626++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
627++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
628++ goto out_unlock;
629++ }
630+ if (msg->msg_name)
631+ unix_copy_addr(msg, skb->sk);
632+
633+@@ -2172,6 +2176,7 @@ static int unix_dgram_recvmsg(struct soc
634+
635+ out_free:
636+ skb_free_datagram(sk, skb);
637++out_unlock:
638+ mutex_unlock(&u->iolock);
639+ out:
640+ return err;
641+--- linux-4.18.0-80.7.1.el8.orig/security/Kconfig
642++++ linux-4.18.0-80.7.1.el8/security/Kconfig
643+@@ -313,4 +313,6 @@ config DEFAULT_SECURITY
644+ default "apparmor" if DEFAULT_SECURITY_APPARMOR
645+ default "" if DEFAULT_SECURITY_DAC
646+
647++source security/ccsecurity/Kconfig
648++
649+ endmenu
650+--- linux-4.18.0-80.7.1.el8.orig/security/Makefile
651++++ linux-4.18.0-80.7.1.el8/security/Makefile
652+@@ -33,3 +33,6 @@ obj-$(CONFIG_INTEGRITY) += integrity/
653+
654+ # Allow the kernel to be locked down
655+ obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o
656++
657++subdir-$(CONFIG_CCSECURITY) += ccsecurity
658++obj-$(CONFIG_CCSECURITY) += ccsecurity/
659+--- linux-4.18.0-80.7.1.el8.orig/security/security.c
660++++ linux-4.18.0-80.7.1.el8/security/security.c
661+@@ -983,12 +983,19 @@ int security_file_open(struct file *file
662+
663+ int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
664+ {
665+- return call_int_hook(task_alloc, 0, task, clone_flags);
666++ int ret = ccs_alloc_task_security(task);
667++ if (ret)
668++ return ret;
669++ ret = call_int_hook(task_alloc, 0, task, clone_flags);
670++ if (ret)
671++ ccs_free_task_security(task);
672++ return ret;
673+ }
674+
675+ void security_task_free(struct task_struct *task)
676+ {
677+ call_void_hook(task_free, task);
678++ ccs_free_task_security(task);
679+ }
680+
681+ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
--- trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-4.19.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.19.67.
1+This is TOMOYO Linux patch for kernel 4.19.75.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.67.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.75.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 9 +++++-
2929 24 files changed, 148 insertions(+), 29 deletions(-)
3030
31---- linux-4.19.67.orig/fs/exec.c
32-+++ linux-4.19.67/fs/exec.c
31+--- linux-4.19.75.orig/fs/exec.c
32++++ linux-4.19.75/fs/exec.c
3333 @@ -1692,7 +1692,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.19.67.orig/fs/open.c
43-+++ linux-4.19.67/fs/open.c
42+--- linux-4.19.75.orig/fs/open.c
43++++ linux-4.19.75/fs/open.c
4444 @@ -1199,6 +1199,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.19.67.orig/fs/proc/version.c
54-+++ linux-4.19.67/fs/proc/version.c
53+--- linux-4.19.75.orig/fs/proc/version.c
54++++ linux-4.19.75/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.19.67 2019/08/19\n");
62++ printk(KERN_INFO "Hook version: 4.19.75 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.19.67.orig/include/linux/sched.h
67-+++ linux-4.19.67/include/linux/sched.h
66+--- linux-4.19.75.orig/include/linux/sched.h
67++++ linux-4.19.75/include/linux/sched.h
6868 @@ -34,6 +34,7 @@ struct audit_context;
6969 struct backing_dev_info;
7070 struct bio_list;
@@ -84,8 +84,8 @@
8484
8585 /*
8686 * New fields for task_struct should be added above here, so that
87---- linux-4.19.67.orig/include/linux/security.h
88-+++ linux-4.19.67/include/linux/security.h
87+--- linux-4.19.75.orig/include/linux/security.h
88++++ linux-4.19.75/include/linux/security.h
8989 @@ -53,6 +53,7 @@ struct msg_msg;
9090 struct xattr;
9191 struct xfrm_sec_ctx;
@@ -306,8 +306,8 @@
306306 }
307307 #endif /* CONFIG_SECURITY_PATH */
308308
309---- linux-4.19.67.orig/include/net/ip.h
310-+++ linux-4.19.67/include/net/ip.h
309+--- linux-4.19.75.orig/include/net/ip.h
310++++ linux-4.19.75/include/net/ip.h
311311 @@ -301,6 +301,8 @@ void inet_get_local_port_range(struct ne
312312 #ifdef CONFIG_SYSCTL
313313 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -326,8 +326,8 @@
326326 return 0;
327327 }
328328
329---- linux-4.19.67.orig/init/init_task.c
330-+++ linux-4.19.67/init/init_task.c
329+--- linux-4.19.75.orig/init/init_task.c
330++++ linux-4.19.75/init/init_task.c
331331 @@ -179,6 +179,10 @@ struct task_struct init_task
332332 #ifdef CONFIG_SECURITY
333333 .security = NULL,
@@ -339,8 +339,8 @@
339339 };
340340 EXPORT_SYMBOL(init_task);
341341
342---- linux-4.19.67.orig/kernel/kexec.c
343-+++ linux-4.19.67/kernel/kexec.c
342+--- linux-4.19.75.orig/kernel/kexec.c
343++++ linux-4.19.75/kernel/kexec.c
344344 @@ -18,7 +18,7 @@
345345 #include <linux/syscalls.h>
346346 #include <linux/vmalloc.h>
@@ -359,8 +359,8 @@
359359
360360 /* Permit LSMs and IMA to fail the kexec */
361361 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
362---- linux-4.19.67.orig/kernel/module.c
363-+++ linux-4.19.67/kernel/module.c
362+--- linux-4.19.75.orig/kernel/module.c
363++++ linux-4.19.75/kernel/module.c
364364 @@ -66,6 +66,7 @@
365365 #include <linux/audit.h>
366366 #include <uapi/linux/module.h>
@@ -369,7 +369,7 @@
369369
370370 #define CREATE_TRACE_POINTS
371371 #include <trace/events/module.h>
372-@@ -966,6 +967,8 @@ SYSCALL_DEFINE2(delete_module, const cha
372+@@ -961,6 +962,8 @@ SYSCALL_DEFINE2(delete_module, const cha
373373
374374 if (!capable(CAP_SYS_MODULE) || modules_disabled)
375375 return -EPERM;
@@ -378,7 +378,7 @@
378378
379379 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
380380 return -EFAULT;
381-@@ -3538,6 +3541,8 @@ static int may_init_module(void)
381+@@ -3554,6 +3557,8 @@ static int may_init_module(void)
382382 {
383383 if (!capable(CAP_SYS_MODULE) || modules_disabled)
384384 return -EPERM;
@@ -387,8 +387,8 @@
387387
388388 return 0;
389389 }
390---- linux-4.19.67.orig/kernel/ptrace.c
391-+++ linux-4.19.67/kernel/ptrace.c
390+--- linux-4.19.75.orig/kernel/ptrace.c
391++++ linux-4.19.75/kernel/ptrace.c
392392 @@ -1137,6 +1137,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
393393 {
394394 struct task_struct *child;
@@ -413,8 +413,8 @@
413413
414414 if (request == PTRACE_TRACEME) {
415415 ret = ptrace_traceme();
416---- linux-4.19.67.orig/kernel/reboot.c
417-+++ linux-4.19.67/kernel/reboot.c
416+--- linux-4.19.75.orig/kernel/reboot.c
417++++ linux-4.19.75/kernel/reboot.c
418418 @@ -16,6 +16,7 @@
419419 #include <linux/syscalls.h>
420420 #include <linux/syscore_ops.h>
@@ -432,8 +432,8 @@
432432
433433 /*
434434 * If pid namespaces are enabled and the current task is in a child
435---- linux-4.19.67.orig/kernel/sched/core.c
436-+++ linux-4.19.67/kernel/sched/core.c
435+--- linux-4.19.75.orig/kernel/sched/core.c
436++++ linux-4.19.75/kernel/sched/core.c
437437 @@ -3945,6 +3945,8 @@ int can_nice(const struct task_struct *p
438438 SYSCALL_DEFINE1(nice, int, increment)
439439 {
@@ -443,8 +443,8 @@
443443
444444 /*
445445 * Setpriority might change our priority at the same moment.
446---- linux-4.19.67.orig/kernel/signal.c
447-+++ linux-4.19.67/kernel/signal.c
446+--- linux-4.19.75.orig/kernel/signal.c
447++++ linux-4.19.75/kernel/signal.c
448448 @@ -3271,6 +3271,8 @@ COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait,
449449 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
450450 {
@@ -490,8 +490,8 @@
490490
491491 return do_send_specific(tgid, pid, sig, info);
492492 }
493---- linux-4.19.67.orig/kernel/sys.c
494-+++ linux-4.19.67/kernel/sys.c
493+--- linux-4.19.75.orig/kernel/sys.c
494++++ linux-4.19.75/kernel/sys.c
495495 @@ -201,6 +201,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
496496
497497 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -521,8 +521,8 @@
521521
522522 errno = -EFAULT;
523523 if (!copy_from_user(tmp, name, len)) {
524---- linux-4.19.67.orig/kernel/time/timekeeping.c
525-+++ linux-4.19.67/kernel/time/timekeeping.c
524+--- linux-4.19.75.orig/kernel/time/timekeeping.c
525++++ linux-4.19.75/kernel/time/timekeeping.c
526526 @@ -26,6 +26,7 @@
527527 #include <linux/stop_machine.h>
528528 #include <linux/pvclock_gtod.h>
@@ -556,8 +556,8 @@
556556
557557 /*
558558 * Validate if a timespec/timeval used to inject a time
559---- linux-4.19.67.orig/net/ipv4/raw.c
560-+++ linux-4.19.67/net/ipv4/raw.c
559+--- linux-4.19.75.orig/net/ipv4/raw.c
560++++ linux-4.19.75/net/ipv4/raw.c
561561 @@ -772,6 +772,10 @@ static int raw_recvmsg(struct sock *sk,
562562 skb = skb_recv_datagram(sk, flags, noblock, &err);
563563 if (!skb)
@@ -569,9 +569,9 @@
569569
570570 copied = skb->len;
571571 if (len < copied) {
572---- linux-4.19.67.orig/net/ipv4/udp.c
573-+++ linux-4.19.67/net/ipv4/udp.c
574-@@ -1667,6 +1667,8 @@ try_again:
572+--- linux-4.19.75.orig/net/ipv4/udp.c
573++++ linux-4.19.75/net/ipv4/udp.c
574+@@ -1668,6 +1668,8 @@ try_again:
575575 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
576576 if (!skb)
577577 return err;
@@ -580,8 +580,8 @@
580580
581581 ulen = udp_skb_len(skb);
582582 copied = len;
583---- linux-4.19.67.orig/net/ipv6/raw.c
584-+++ linux-4.19.67/net/ipv6/raw.c
583+--- linux-4.19.75.orig/net/ipv6/raw.c
584++++ linux-4.19.75/net/ipv6/raw.c
585585 @@ -485,6 +485,10 @@ static int rawv6_recvmsg(struct sock *sk
586586 skb = skb_recv_datagram(sk, flags, noblock, &err);
587587 if (!skb)
@@ -593,9 +593,9 @@
593593
594594 copied = skb->len;
595595 if (copied > len) {
596---- linux-4.19.67.orig/net/ipv6/udp.c
597-+++ linux-4.19.67/net/ipv6/udp.c
598-@@ -343,6 +343,8 @@ try_again:
596+--- linux-4.19.75.orig/net/ipv6/udp.c
597++++ linux-4.19.75/net/ipv6/udp.c
598+@@ -344,6 +344,8 @@ try_again:
599599 skb = __skb_recv_udp(sk, flags, noblock, &peeked, &off, &err);
600600 if (!skb)
601601 return err;
@@ -604,8 +604,8 @@
604604
605605 ulen = udp6_skb_len(skb);
606606 copied = len;
607---- linux-4.19.67.orig/net/socket.c
608-+++ linux-4.19.67/net/socket.c
607+--- linux-4.19.75.orig/net/socket.c
608++++ linux-4.19.75/net/socket.c
609609 @@ -1590,6 +1590,10 @@ int __sys_accept4(int fd, struct sockadd
610610 if (err < 0)
611611 goto out_fd;
@@ -617,8 +617,8 @@
617617 if (upeer_sockaddr) {
618618 len = newsock->ops->getname(newsock,
619619 (struct sockaddr *)&address, 2);
620---- linux-4.19.67.orig/net/unix/af_unix.c
621-+++ linux-4.19.67/net/unix/af_unix.c
620+--- linux-4.19.75.orig/net/unix/af_unix.c
621++++ linux-4.19.75/net/unix/af_unix.c
622622 @@ -2137,6 +2137,10 @@ static int unix_dgram_recvmsg(struct soc
623623 EPOLLOUT | EPOLLWRNORM |
624624 EPOLLWRBAND);
@@ -638,8 +638,8 @@
638638 mutex_unlock(&u->iolock);
639639 out:
640640 return err;
641---- linux-4.19.67.orig/security/Kconfig
642-+++ linux-4.19.67/security/Kconfig
641+--- linux-4.19.75.orig/security/Kconfig
642++++ linux-4.19.75/security/Kconfig
643643 @@ -276,5 +276,7 @@ config DEFAULT_SECURITY
644644 default "apparmor" if DEFAULT_SECURITY_APPARMOR
645645 default "" if DEFAULT_SECURITY_DAC
@@ -648,8 +648,8 @@
648648 +
649649 endmenu
650650
651---- linux-4.19.67.orig/security/Makefile
652-+++ linux-4.19.67/security/Makefile
651+--- linux-4.19.75.orig/security/Makefile
652++++ linux-4.19.75/security/Makefile
653653 @@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
654654 # Object integrity file lists
655655 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -657,8 +657,8 @@
657657 +
658658 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
659659 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
660---- linux-4.19.67.orig/security/security.c
661-+++ linux-4.19.67/security/security.c
660+--- linux-4.19.75.orig/security/security.c
661++++ linux-4.19.75/security/security.c
662662 @@ -988,12 +988,19 @@ int security_file_open(struct file *file
663663
664664 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
--- trunk/caitsith-patch/patches/ccs-patch-4.4.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-4.4.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.4.189.
1+This is TOMOYO Linux patch for kernel 4.4.194.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.4.189.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.4.194.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/Makefile | 3 ++
2929 24 files changed, 150 insertions(+), 26 deletions(-)
3030
31---- linux-4.4.189.orig/fs/exec.c
32-+++ linux-4.4.189/fs/exec.c
31+--- linux-4.4.194.orig/fs/exec.c
32++++ linux-4.4.194/fs/exec.c
3333 @@ -1512,7 +1512,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.4.189.orig/fs/open.c
43-+++ linux-4.4.189/fs/open.c
42+--- linux-4.4.194.orig/fs/open.c
43++++ linux-4.4.194/fs/open.c
4444 @@ -1136,6 +1136,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.4.189.orig/fs/proc/version.c
54-+++ linux-4.4.189/fs/proc/version.c
53+--- linux-4.4.194.orig/fs/proc/version.c
54++++ linux-4.4.194/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.4.189 2019/08/12\n");
62++ printk(KERN_INFO "Hook version: 4.4.194 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.4.189.orig/include/linux/init_task.h
67-+++ linux-4.4.189/include/linux/init_task.h
66+--- linux-4.4.194.orig/include/linux/init_task.h
67++++ linux-4.4.194/include/linux/init_task.h
6868 @@ -183,6 +183,14 @@ extern struct task_group root_task_group
6969 # define INIT_KASAN(tsk)
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.4.189.orig/include/linux/sched.h
92-+++ linux-4.4.189/include/linux/sched.h
91+--- linux-4.4.194.orig/include/linux/sched.h
92++++ linux-4.4.194/include/linux/sched.h
9393 @@ -6,6 +6,8 @@
9494 #include <linux/sched/prio.h>
9595
@@ -110,8 +110,8 @@
110110 /* CPU-specific state of this task */
111111 struct thread_struct thread;
112112 /*
113---- linux-4.4.189.orig/include/linux/security.h
114-+++ linux-4.4.189/include/linux/security.h
113+--- linux-4.4.194.orig/include/linux/security.h
114++++ linux-4.4.194/include/linux/security.h
115115 @@ -53,6 +53,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -318,8 +318,8 @@
318318 }
319319 #endif /* CONFIG_SECURITY_PATH */
320320
321---- linux-4.4.189.orig/include/net/ip.h
322-+++ linux-4.4.189/include/net/ip.h
321+--- linux-4.4.194.orig/include/net/ip.h
322++++ linux-4.4.194/include/net/ip.h
323323 @@ -225,6 +225,8 @@ void inet_get_local_port_range(struct ne
324324 #ifdef CONFIG_SYSCTL
325325 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -338,8 +338,8 @@
338338 return 0;
339339 }
340340 #endif
341---- linux-4.4.189.orig/kernel/fork.c
342-+++ linux-4.4.189/kernel/fork.c
341+--- linux-4.4.194.orig/kernel/fork.c
342++++ linux-4.4.194/kernel/fork.c
343343 @@ -260,6 +260,7 @@ void __put_task_struct(struct task_struc
344344 delayacct_tsk_free(tsk);
345345 put_signal_struct(tsk->signal);
@@ -366,8 +366,8 @@
366366 bad_fork_cleanup_perf:
367367 perf_event_free_task(p);
368368 bad_fork_cleanup_policy:
369---- linux-4.4.189.orig/kernel/kexec.c
370-+++ linux-4.4.189/kernel/kexec.c
369+--- linux-4.4.194.orig/kernel/kexec.c
370++++ linux-4.4.194/kernel/kexec.c
371371 @@ -17,7 +17,7 @@
372372 #include <linux/syscalls.h>
373373 #include <linux/vmalloc.h>
@@ -386,8 +386,8 @@
386386
387387 /*
388388 * Verify we have a legal set of flags
389---- linux-4.4.189.orig/kernel/module.c
390-+++ linux-4.4.189/kernel/module.c
389+--- linux-4.4.194.orig/kernel/module.c
390++++ linux-4.4.194/kernel/module.c
391391 @@ -61,6 +61,7 @@
392392 #include <linux/bsearch.h>
393393 #include <uapi/linux/module.h>
@@ -414,8 +414,8 @@
414414
415415 return 0;
416416 }
417---- linux-4.4.189.orig/kernel/ptrace.c
418-+++ linux-4.4.189/kernel/ptrace.c
417+--- linux-4.4.194.orig/kernel/ptrace.c
418++++ linux-4.4.194/kernel/ptrace.c
419419 @@ -1109,6 +1109,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420420 {
421421 struct task_struct *child;
@@ -440,8 +440,8 @@
440440
441441 if (request == PTRACE_TRACEME) {
442442 ret = ptrace_traceme();
443---- linux-4.4.189.orig/kernel/reboot.c
444-+++ linux-4.4.189/kernel/reboot.c
443+--- linux-4.4.194.orig/kernel/reboot.c
444++++ linux-4.4.194/kernel/reboot.c
445445 @@ -16,6 +16,7 @@
446446 #include <linux/syscalls.h>
447447 #include <linux/syscore_ops.h>
@@ -459,8 +459,8 @@
459459
460460 /*
461461 * If pid namespaces are enabled and the current task is in a child
462---- linux-4.4.189.orig/kernel/sched/core.c
463-+++ linux-4.4.189/kernel/sched/core.c
462+--- linux-4.4.194.orig/kernel/sched/core.c
463++++ linux-4.4.194/kernel/sched/core.c
464464 @@ -3549,6 +3549,8 @@ int can_nice(const struct task_struct *p
465465 SYSCALL_DEFINE1(nice, int, increment)
466466 {
@@ -470,8 +470,8 @@
470470
471471 /*
472472 * Setpriority might change our priority at the same moment.
473---- linux-4.4.189.orig/kernel/signal.c
474-+++ linux-4.4.189/kernel/signal.c
473+--- linux-4.4.194.orig/kernel/signal.c
474++++ linux-4.4.194/kernel/signal.c
475475 @@ -2929,6 +2929,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476476 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477477 {
@@ -517,8 +517,8 @@
517517
518518 return do_send_specific(tgid, pid, sig, info);
519519 }
520---- linux-4.4.189.orig/kernel/sys.c
521-+++ linux-4.4.189/kernel/sys.c
520+--- linux-4.4.194.orig/kernel/sys.c
521++++ linux-4.4.194/kernel/sys.c
522522 @@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523523
524524 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -548,8 +548,8 @@
548548
549549 errno = -EFAULT;
550550 if (!copy_from_user(tmp, name, len)) {
551---- linux-4.4.189.orig/kernel/time/ntp.c
552-+++ linux-4.4.189/kernel/time/ntp.c
551+--- linux-4.4.194.orig/kernel/time/ntp.c
552++++ linux-4.4.194/kernel/time/ntp.c
553553 @@ -16,6 +16,7 @@
554554 #include <linux/mm.h>
555555 #include <linux/module.h>
@@ -583,8 +583,8 @@
583583
584584 if (txc->modes & ADJ_NANO) {
585585 struct timespec ts;
586---- linux-4.4.189.orig/net/ipv4/raw.c
587-+++ linux-4.4.189/net/ipv4/raw.c
586+--- linux-4.4.194.orig/net/ipv4/raw.c
587++++ linux-4.4.194/net/ipv4/raw.c
588588 @@ -747,6 +747,10 @@ static int raw_recvmsg(struct sock *sk,
589589 skb = skb_recv_datagram(sk, flags, noblock, &err);
590590 if (!skb)
@@ -596,8 +596,8 @@
596596
597597 copied = skb->len;
598598 if (len < copied) {
599---- linux-4.4.189.orig/net/ipv4/udp.c
600-+++ linux-4.4.189/net/ipv4/udp.c
599+--- linux-4.4.194.orig/net/ipv4/udp.c
600++++ linux-4.4.194/net/ipv4/udp.c
601601 @@ -1289,6 +1289,10 @@ try_again:
602602 &peeked, &off, &err);
603603 if (!skb)
@@ -609,8 +609,8 @@
609609
610610 ulen = skb->len - sizeof(struct udphdr);
611611 copied = len;
612---- linux-4.4.189.orig/net/ipv6/raw.c
613-+++ linux-4.4.189/net/ipv6/raw.c
612+--- linux-4.4.194.orig/net/ipv6/raw.c
613++++ linux-4.4.194/net/ipv6/raw.c
614614 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
615615 skb = skb_recv_datagram(sk, flags, noblock, &err);
616616 if (!skb)
@@ -622,8 +622,8 @@
622622
623623 copied = skb->len;
624624 if (copied > len) {
625---- linux-4.4.189.orig/net/ipv6/udp.c
626-+++ linux-4.4.189/net/ipv6/udp.c
625+--- linux-4.4.194.orig/net/ipv6/udp.c
626++++ linux-4.4.194/net/ipv6/udp.c
627627 @@ -417,6 +417,10 @@ try_again:
628628 &peeked, &off, &err);
629629 if (!skb)
@@ -635,8 +635,8 @@
635635
636636 ulen = skb->len - sizeof(struct udphdr);
637637 copied = len;
638---- linux-4.4.189.orig/net/socket.c
639-+++ linux-4.4.189/net/socket.c
638+--- linux-4.4.194.orig/net/socket.c
639++++ linux-4.4.194/net/socket.c
640640 @@ -1465,6 +1465,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
650650 &len, 2) < 0) {
651---- linux-4.4.189.orig/net/unix/af_unix.c
652-+++ linux-4.4.189/net/unix/af_unix.c
651+--- linux-4.4.194.orig/net/unix/af_unix.c
652++++ linux-4.4.194/net/unix/af_unix.c
653653 @@ -2151,6 +2151,10 @@ static int unix_dgram_recvmsg(struct soc
654654 wake_up_interruptible_sync_poll(&u->peer_wait,
655655 POLLOUT | POLLWRNORM | POLLWRBAND);
@@ -661,8 +661,8 @@
661661 if (msg->msg_name)
662662 unix_copy_addr(msg, skb->sk);
663663
664---- linux-4.4.189.orig/security/Kconfig
665-+++ linux-4.4.189/security/Kconfig
664+--- linux-4.4.194.orig/security/Kconfig
665++++ linux-4.4.194/security/Kconfig
666666 @@ -173,5 +173,7 @@ config DEFAULT_SECURITY
667667 default "apparmor" if DEFAULT_SECURITY_APPARMOR
668668 default "" if DEFAULT_SECURITY_DAC
@@ -671,8 +671,8 @@
671671 +
672672 endmenu
673673
674---- linux-4.4.189.orig/security/Makefile
675-+++ linux-4.4.189/security/Makefile
674+--- linux-4.4.194.orig/security/Makefile
675++++ linux-4.4.194/security/Makefile
676676 @@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
677677 # Object integrity file lists
678678 subdir-$(CONFIG_INTEGRITY) += integrity
--- trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-4.9.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 4.9.189.
1+This is TOMOYO Linux patch for kernel 4.9.194.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.189.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.194.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/Makefile | 3 ++
2929 24 files changed, 147 insertions(+), 26 deletions(-)
3030
31---- linux-4.9.189.orig/fs/exec.c
32-+++ linux-4.9.189/fs/exec.c
31+--- linux-4.9.194.orig/fs/exec.c
32++++ linux-4.9.194/fs/exec.c
3333 @@ -1660,7 +1660,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-4.9.189.orig/fs/open.c
43-+++ linux-4.9.189/fs/open.c
42+--- linux-4.9.194.orig/fs/open.c
43++++ linux-4.9.194/fs/open.c
4444 @@ -1176,6 +1176,8 @@ EXPORT_SYMBOL(sys_close);
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-4.9.189.orig/fs/proc/version.c
54-+++ linux-4.9.189/fs/proc/version.c
53+--- linux-4.9.194.orig/fs/proc/version.c
54++++ linux-4.9.194/fs/proc/version.c
5555 @@ -32,3 +32,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 4.9.189 2019/08/12\n");
62++ printk(KERN_INFO "Hook version: 4.9.194 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-4.9.189.orig/include/linux/init_task.h
67-+++ linux-4.9.189/include/linux/init_task.h
66+--- linux-4.9.194.orig/include/linux/init_task.h
67++++ linux-4.9.194/include/linux/init_task.h
6868 @@ -193,6 +193,14 @@ extern struct task_group root_task_group
6969 # define INIT_TASK_TI(tsk)
7070 #endif
@@ -88,8 +88,8 @@
8888 }
8989
9090
91---- linux-4.9.189.orig/include/linux/sched.h
92-+++ linux-4.9.189/include/linux/sched.h
91+--- linux-4.9.194.orig/include/linux/sched.h
92++++ linux-4.9.194/include/linux/sched.h
9393 @@ -6,6 +6,8 @@
9494 #include <linux/sched/prio.h>
9595
@@ -110,8 +110,8 @@
110110 /* CPU-specific state of this task */
111111 struct thread_struct thread;
112112 /*
113---- linux-4.9.189.orig/include/linux/security.h
114-+++ linux-4.9.189/include/linux/security.h
113+--- linux-4.9.194.orig/include/linux/security.h
114++++ linux-4.9.194/include/linux/security.h
115115 @@ -55,6 +55,7 @@ struct msg_queue;
116116 struct xattr;
117117 struct xfrm_sec_ctx;
@@ -318,8 +318,8 @@
318318 }
319319 #endif /* CONFIG_SECURITY_PATH */
320320
321---- linux-4.9.189.orig/include/net/ip.h
322-+++ linux-4.9.189/include/net/ip.h
321+--- linux-4.9.194.orig/include/net/ip.h
322++++ linux-4.9.194/include/net/ip.h
323323 @@ -254,6 +254,8 @@ void inet_get_local_port_range(struct ne
324324 #ifdef CONFIG_SYSCTL
325325 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -338,8 +338,8 @@
338338 return 0;
339339 }
340340 #endif
341---- linux-4.9.189.orig/kernel/fork.c
342-+++ linux-4.9.189/kernel/fork.c
341+--- linux-4.9.194.orig/kernel/fork.c
342++++ linux-4.9.194/kernel/fork.c
343343 @@ -395,6 +395,7 @@ void __put_task_struct(struct task_struc
344344 delayacct_tsk_free(tsk);
345345 put_signal_struct(tsk->signal);
@@ -366,8 +366,8 @@
366366 bad_fork_cleanup_perf:
367367 perf_event_free_task(p);
368368 bad_fork_cleanup_policy:
369---- linux-4.9.189.orig/kernel/kexec.c
370-+++ linux-4.9.189/kernel/kexec.c
369+--- linux-4.9.194.orig/kernel/kexec.c
370++++ linux-4.9.194/kernel/kexec.c
371371 @@ -17,7 +17,7 @@
372372 #include <linux/syscalls.h>
373373 #include <linux/vmalloc.h>
@@ -386,8 +386,8 @@
386386
387387 /*
388388 * Verify we have a legal set of flags
389---- linux-4.9.189.orig/kernel/module.c
390-+++ linux-4.9.189/kernel/module.c
389+--- linux-4.9.194.orig/kernel/module.c
390++++ linux-4.9.194/kernel/module.c
391391 @@ -63,6 +63,7 @@
392392 #include <linux/dynamic_debug.h>
393393 #include <uapi/linux/module.h>
@@ -414,8 +414,8 @@
414414
415415 return 0;
416416 }
417---- linux-4.9.189.orig/kernel/ptrace.c
418-+++ linux-4.9.189/kernel/ptrace.c
417+--- linux-4.9.194.orig/kernel/ptrace.c
418++++ linux-4.9.194/kernel/ptrace.c
419419 @@ -1146,6 +1146,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
420420 {
421421 struct task_struct *child;
@@ -440,8 +440,8 @@
440440
441441 if (request == PTRACE_TRACEME) {
442442 ret = ptrace_traceme();
443---- linux-4.9.189.orig/kernel/reboot.c
444-+++ linux-4.9.189/kernel/reboot.c
443+--- linux-4.9.194.orig/kernel/reboot.c
444++++ linux-4.9.194/kernel/reboot.c
445445 @@ -16,6 +16,7 @@
446446 #include <linux/syscalls.h>
447447 #include <linux/syscore_ops.h>
@@ -459,8 +459,8 @@
459459
460460 /*
461461 * If pid namespaces are enabled and the current task is in a child
462---- linux-4.9.189.orig/kernel/sched/core.c
463-+++ linux-4.9.189/kernel/sched/core.c
462+--- linux-4.9.194.orig/kernel/sched/core.c
463++++ linux-4.9.194/kernel/sched/core.c
464464 @@ -3813,6 +3813,8 @@ int can_nice(const struct task_struct *p
465465 SYSCALL_DEFINE1(nice, int, increment)
466466 {
@@ -470,8 +470,8 @@
470470
471471 /*
472472 * Setpriority might change our priority at the same moment.
473---- linux-4.9.189.orig/kernel/signal.c
474-+++ linux-4.9.189/kernel/signal.c
473+--- linux-4.9.194.orig/kernel/signal.c
474++++ linux-4.9.194/kernel/signal.c
475475 @@ -2929,6 +2929,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
476476 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
477477 {
@@ -517,8 +517,8 @@
517517
518518 return do_send_specific(tgid, pid, sig, info);
519519 }
520---- linux-4.9.189.orig/kernel/sys.c
521-+++ linux-4.9.189/kernel/sys.c
520+--- linux-4.9.194.orig/kernel/sys.c
521++++ linux-4.9.194/kernel/sys.c
522522 @@ -185,6 +185,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
523523
524524 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -548,8 +548,8 @@
548548
549549 errno = -EFAULT;
550550 if (!copy_from_user(tmp, name, len)) {
551---- linux-4.9.189.orig/kernel/time/ntp.c
552-+++ linux-4.9.189/kernel/time/ntp.c
551+--- linux-4.9.194.orig/kernel/time/ntp.c
552++++ linux-4.9.194/kernel/time/ntp.c
553553 @@ -17,6 +17,7 @@
554554 #include <linux/module.h>
555555 #include <linux/rtc.h>
@@ -583,8 +583,8 @@
583583
584584 if (txc->modes & ADJ_NANO) {
585585 struct timespec ts;
586---- linux-4.9.189.orig/net/ipv4/raw.c
587-+++ linux-4.9.189/net/ipv4/raw.c
586+--- linux-4.9.194.orig/net/ipv4/raw.c
587++++ linux-4.9.194/net/ipv4/raw.c
588588 @@ -744,6 +744,10 @@ static int raw_recvmsg(struct sock *sk,
589589 skb = skb_recv_datagram(sk, flags, noblock, &err);
590590 if (!skb)
@@ -596,8 +596,8 @@
596596
597597 copied = skb->len;
598598 if (len < copied) {
599---- linux-4.9.189.orig/net/ipv4/udp.c
600-+++ linux-4.9.189/net/ipv4/udp.c
599+--- linux-4.9.194.orig/net/ipv4/udp.c
600++++ linux-4.9.194/net/ipv4/udp.c
601601 @@ -1271,6 +1271,8 @@ try_again:
602602 &peeked, &off, &err);
603603 if (!skb)
@@ -607,8 +607,8 @@
607607
608608 ulen = skb->len;
609609 copied = len;
610---- linux-4.9.189.orig/net/ipv6/raw.c
611-+++ linux-4.9.189/net/ipv6/raw.c
610+--- linux-4.9.194.orig/net/ipv6/raw.c
611++++ linux-4.9.194/net/ipv6/raw.c
612612 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
613613 skb = skb_recv_datagram(sk, flags, noblock, &err);
614614 if (!skb)
@@ -620,8 +620,8 @@
620620
621621 copied = skb->len;
622622 if (copied > len) {
623---- linux-4.9.189.orig/net/ipv6/udp.c
624-+++ linux-4.9.189/net/ipv6/udp.c
623+--- linux-4.9.194.orig/net/ipv6/udp.c
624++++ linux-4.9.194/net/ipv6/udp.c
625625 @@ -348,6 +348,8 @@ try_again:
626626 &peeked, &off, &err);
627627 if (!skb)
@@ -631,8 +631,8 @@
631631
632632 ulen = skb->len;
633633 copied = len;
634---- linux-4.9.189.orig/net/socket.c
635-+++ linux-4.9.189/net/socket.c
634+--- linux-4.9.194.orig/net/socket.c
635++++ linux-4.9.194/net/socket.c
636636 @@ -1482,6 +1482,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
637637 if (err < 0)
638638 goto out_fd;
@@ -644,8 +644,8 @@
644644 if (upeer_sockaddr) {
645645 if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
646646 &len, 2) < 0) {
647---- linux-4.9.189.orig/net/unix/af_unix.c
648-+++ linux-4.9.189/net/unix/af_unix.c
647+--- linux-4.9.194.orig/net/unix/af_unix.c
648++++ linux-4.9.194/net/unix/af_unix.c
649649 @@ -2160,6 +2160,10 @@ static int unix_dgram_recvmsg(struct soc
650650 POLLOUT | POLLWRNORM |
651651 POLLWRBAND);
@@ -665,8 +665,8 @@
665665 mutex_unlock(&u->iolock);
666666 out:
667667 return err;
668---- linux-4.9.189.orig/security/Kconfig
669-+++ linux-4.9.189/security/Kconfig
668+--- linux-4.9.194.orig/security/Kconfig
669++++ linux-4.9.194/security/Kconfig
670670 @@ -214,5 +214,7 @@ config DEFAULT_SECURITY
671671 default "apparmor" if DEFAULT_SECURITY_APPARMOR
672672 default "" if DEFAULT_SECURITY_DAC
@@ -675,8 +675,8 @@
675675 +
676676 endmenu
677677
678---- linux-4.9.189.orig/security/Makefile
679-+++ linux-4.9.189/security/Makefile
678+--- linux-4.9.194.orig/security/Makefile
679++++ linux-4.9.194/security/Makefile
680680 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
681681 # Object integrity file lists
682682 subdir-$(CONFIG_INTEGRITY) += integrity
--- trunk/caitsith-patch/patches/ccs-patch-5.2.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-5.2.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.2.9.
1+This is TOMOYO Linux patch for kernel 5.2.17.
22
3-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.2.9.tar.xz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.2.17.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.2.9.orig/fs/exec.c
32-+++ linux-5.2.9/fs/exec.c
31+--- linux-5.2.17.orig/fs/exec.c
32++++ linux-5.2.17/fs/exec.c
3333 @@ -1698,7 +1698,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-5.2.9.orig/fs/open.c
43-+++ linux-5.2.9/fs/open.c
42+--- linux-5.2.17.orig/fs/open.c
43++++ linux-5.2.17/fs/open.c
4444 @@ -1200,6 +1200,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.2.9.orig/fs/proc/version.c
54-+++ linux-5.2.9/fs/proc/version.c
53+--- linux-5.2.17.orig/fs/proc/version.c
54++++ linux-5.2.17/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.2.9 2019/08/19\n");
62++ printk(KERN_INFO "Hook version: 5.2.17 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.2.9.orig/include/linux/sched.h
67-+++ linux-5.2.9/include/linux/sched.h
66+--- linux-5.2.17.orig/include/linux/sched.h
67++++ linux-5.2.17/include/linux/sched.h
6868 @@ -35,6 +35,7 @@ struct audit_context;
6969 struct backing_dev_info;
7070 struct bio_list;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
8686 unsigned long lowest_stack;
87---- linux-5.2.9.orig/include/linux/security.h
88-+++ linux-5.2.9/include/linux/security.h
87+--- linux-5.2.17.orig/include/linux/security.h
88++++ linux-5.2.17/include/linux/security.h
8989 @@ -57,6 +57,7 @@ struct mm_struct;
9090 struct fs_context;
9191 struct fs_parameter;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.2.9.orig/include/net/ip.h
319-+++ linux-5.2.9/include/net/ip.h
318+--- linux-5.2.17.orig/include/net/ip.h
319++++ linux-5.2.17/include/net/ip.h
320320 @@ -302,6 +302,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -335,8 +335,8 @@
335335 return 0;
336336 }
337337
338---- linux-5.2.9.orig/init/init_task.c
339-+++ linux-5.2.9/init/init_task.c
338+--- linux-5.2.17.orig/init/init_task.c
339++++ linux-5.2.17/init/init_task.c
340340 @@ -180,6 +180,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECURITY
342342 .security = NULL,
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.2.9.orig/kernel/kexec.c
352-+++ linux-5.2.9/kernel/kexec.c
351+--- linux-5.2.17.orig/kernel/kexec.c
352++++ linux-5.2.17/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371---- linux-5.2.9.orig/kernel/module.c
372-+++ linux-5.2.9/kernel/module.c
371+--- linux-5.2.17.orig/kernel/module.c
372++++ linux-5.2.17/kernel/module.c
373373 @@ -54,6 +54,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -378,7 +378,7 @@
378378
379379 #define CREATE_TRACE_POINTS
380380 #include <trace/events/module.h>
381-@@ -964,6 +965,8 @@ SYSCALL_DEFINE2(delete_module, const cha
381+@@ -959,6 +960,8 @@ SYSCALL_DEFINE2(delete_module, const cha
382382
383383 if (!capable(CAP_SYS_MODULE) || modules_disabled)
384384 return -EPERM;
@@ -387,7 +387,7 @@
387387
388388 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
389389 return -EFAULT;
390-@@ -3555,6 +3558,8 @@ static int may_init_module(void)
390+@@ -3569,6 +3572,8 @@ static int may_init_module(void)
391391 {
392392 if (!capable(CAP_SYS_MODULE) || modules_disabled)
393393 return -EPERM;
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.2.9.orig/kernel/ptrace.c
400-+++ linux-5.2.9/kernel/ptrace.c
399+--- linux-5.2.17.orig/kernel/ptrace.c
400++++ linux-5.2.17/kernel/ptrace.c
401401 @@ -1137,6 +1137,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.2.9.orig/kernel/reboot.c
426-+++ linux-5.2.9/kernel/reboot.c
425+--- linux-5.2.17.orig/kernel/reboot.c
426++++ linux-5.2.17/kernel/reboot.c
427427 @@ -17,6 +17,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,9 +441,9 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.2.9.orig/kernel/sched/core.c
445-+++ linux-5.2.9/kernel/sched/core.c
446-@@ -3937,6 +3937,8 @@ int can_nice(const struct task_struct *p
444+--- linux-5.2.17.orig/kernel/sched/core.c
445++++ linux-5.2.17/kernel/sched/core.c
446+@@ -3940,6 +3940,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
449449 long nice, retval;
@@ -452,8 +452,8 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.2.9.orig/kernel/signal.c
456-+++ linux-5.2.9/kernel/signal.c
455+--- linux-5.2.17.orig/kernel/signal.c
456++++ linux-5.2.17/kernel/signal.c
457457 @@ -3615,6 +3615,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.2.9.orig/kernel/sys.c
525-+++ linux-5.2.9/kernel/sys.c
524+--- linux-5.2.17.orig/kernel/sys.c
525++++ linux-5.2.17/kernel/sys.c
526526 @@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,8 +552,8 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.2.9.orig/kernel/time/timekeeping.c
556-+++ linux-5.2.9/kernel/time/timekeeping.c
555+--- linux-5.2.17.orig/kernel/time/timekeeping.c
556++++ linux-5.2.17/kernel/time/timekeeping.c
557557 @@ -22,6 +22,7 @@
558558 #include <linux/pvclock_gtod.h>
559559 #include <linux/compiler.h>
@@ -587,8 +587,8 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.2.9.orig/net/ipv4/raw.c
591-+++ linux-5.2.9/net/ipv4/raw.c
590+--- linux-5.2.17.orig/net/ipv4/raw.c
591++++ linux-5.2.17/net/ipv4/raw.c
592592 @@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
593593 skb = skb_recv_datagram(sk, flags, noblock, &err);
594594 if (!skb)
@@ -600,9 +600,9 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.2.9.orig/net/ipv4/udp.c
604-+++ linux-5.2.9/net/ipv4/udp.c
605-@@ -1720,6 +1720,8 @@ try_again:
603+--- linux-5.2.17.orig/net/ipv4/udp.c
604++++ linux-5.2.17/net/ipv4/udp.c
605+@@ -1721,6 +1721,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
608608 return err;
@@ -611,8 +611,8 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.2.9.orig/net/ipv6/raw.c
615-+++ linux-5.2.9/net/ipv6/raw.c
614+--- linux-5.2.17.orig/net/ipv6/raw.c
615++++ linux-5.2.17/net/ipv6/raw.c
616616 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617617 skb = skb_recv_datagram(sk, flags, noblock, &err);
618618 if (!skb)
@@ -624,9 +624,9 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.2.9.orig/net/ipv6/udp.c
628-+++ linux-5.2.9/net/ipv6/udp.c
629-@@ -299,6 +299,8 @@ try_again:
627+--- linux-5.2.17.orig/net/ipv6/udp.c
628++++ linux-5.2.17/net/ipv6/udp.c
629+@@ -300,6 +300,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
632632 return err;
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.2.9.orig/net/socket.c
639-+++ linux-5.2.9/net/socket.c
638+--- linux-5.2.17.orig/net/socket.c
639++++ linux-5.2.17/net/socket.c
640640 @@ -1761,6 +1761,10 @@ int __sys_accept4(int fd, struct sockadd
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.2.9.orig/net/unix/af_unix.c
652-+++ linux-5.2.9/net/unix/af_unix.c
651+--- linux-5.2.17.orig/net/unix/af_unix.c
652++++ linux-5.2.17/net/unix/af_unix.c
653653 @@ -2075,6 +2075,10 @@ static int unix_dgram_recvmsg(struct soc
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
@@ -669,8 +669,8 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.2.9.orig/security/Kconfig
673-+++ linux-5.2.9/security/Kconfig
672+--- linux-5.2.17.orig/security/Kconfig
673++++ linux-5.2.17/security/Kconfig
674674 @@ -290,5 +290,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.2.9.orig/security/Makefile
683-+++ linux-5.2.9/security/Makefile
682+--- linux-5.2.17.orig/security/Makefile
683++++ linux-5.2.17/security/Makefile
684684 @@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685685 # Object integrity file lists
686686 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.2.9.orig/security/security.c
692-+++ linux-5.2.9/security/security.c
691+--- linux-5.2.17.orig/security/security.c
692++++ linux-5.2.17/security/security.c
693693 @@ -1464,7 +1464,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.3.diff (revision 287)
+++ trunk/caitsith-patch/patches/ccs-patch-5.3.diff (revision 288)
@@ -1,6 +1,6 @@
1-This is TOMOYO Linux patch for kernel 5.3-rc5.
1+This is TOMOYO Linux patch for kernel 5.3.1.
22
3-Source code for this patch is https://git.kernel.org/torvalds/t/linux-5.3-rc5.tar.gz
3+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.3.1.tar.xz
44 ---
55 fs/exec.c | 2 -
66 fs/open.c | 2 +
@@ -28,8 +28,8 @@
2828 security/security.c | 5 ++-
2929 24 files changed, 160 insertions(+), 30 deletions(-)
3030
31---- linux-5.3-rc5.orig/fs/exec.c
32-+++ linux-5.3-rc5/fs/exec.c
31+--- linux-5.3.1.orig/fs/exec.c
32++++ linux-5.3.1/fs/exec.c
3333 @@ -1698,7 +1698,7 @@ static int exec_binprm(struct linux_binp
3434 old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
3535 rcu_read_unlock();
@@ -39,8 +39,8 @@
3939 if (ret >= 0) {
4040 audit_bprm(bprm);
4141 trace_sched_process_exec(current, old_pid, bprm);
42---- linux-5.3-rc5.orig/fs/open.c
43-+++ linux-5.3-rc5/fs/open.c
42+--- linux-5.3.1.orig/fs/open.c
43++++ linux-5.3.1/fs/open.c
4444 @@ -1200,6 +1200,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
4545 */
4646 SYSCALL_DEFINE0(vhangup)
@@ -50,8 +50,8 @@
5050 if (capable(CAP_SYS_TTY_CONFIG)) {
5151 tty_vhangup_self();
5252 return 0;
53---- linux-5.3-rc5.orig/fs/proc/version.c
54-+++ linux-5.3-rc5/fs/proc/version.c
53+--- linux-5.3.1.orig/fs/proc/version.c
54++++ linux-5.3.1/fs/proc/version.c
5555 @@ -21,3 +21,10 @@ static int __init proc_version_init(void
5656 return 0;
5757 }
@@ -59,12 +59,12 @@
5959 +
6060 +static int __init ccs_show_version(void)
6161 +{
62-+ printk(KERN_INFO "Hook version: 5.3-rc5 2019/08/19\n");
62++ printk(KERN_INFO "Hook version: 5.3.1 2019/09/26\n");
6363 + return 0;
6464 +}
6565 +fs_initcall(ccs_show_version);
66---- linux-5.3-rc5.orig/include/linux/sched.h
67-+++ linux-5.3-rc5/include/linux/sched.h
66+--- linux-5.3.1.orig/include/linux/sched.h
67++++ linux-5.3.1/include/linux/sched.h
6868 @@ -36,6 +36,7 @@ struct backing_dev_info;
6969 struct bio_list;
7070 struct blk_plug;
@@ -84,8 +84,8 @@
8484
8585 #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
8686 unsigned long lowest_stack;
87---- linux-5.3-rc5.orig/include/linux/security.h
88-+++ linux-5.3-rc5/include/linux/security.h
87+--- linux-5.3.1.orig/include/linux/security.h
88++++ linux-5.3.1/include/linux/security.h
8989 @@ -57,6 +57,7 @@ struct mm_struct;
9090 struct fs_context;
9191 struct fs_parameter;
@@ -315,8 +315,8 @@
315315 }
316316 #endif /* CONFIG_SECURITY_PATH */
317317
318---- linux-5.3-rc5.orig/include/net/ip.h
319-+++ linux-5.3-rc5/include/net/ip.h
318+--- linux-5.3.1.orig/include/net/ip.h
319++++ linux-5.3.1/include/net/ip.h
320320 @@ -340,6 +340,8 @@ void inet_get_local_port_range(struct ne
321321 #ifdef CONFIG_SYSCTL
322322 static inline int inet_is_local_reserved_port(struct net *net, int port)
@@ -335,8 +335,8 @@
335335 return 0;
336336 }
337337
338---- linux-5.3-rc5.orig/init/init_task.c
339-+++ linux-5.3-rc5/init/init_task.c
338+--- linux-5.3.1.orig/init/init_task.c
339++++ linux-5.3.1/init/init_task.c
340340 @@ -183,6 +183,10 @@ struct task_struct init_task
341341 #ifdef CONFIG_SECURITY
342342 .security = NULL,
@@ -348,8 +348,8 @@
348348 };
349349 EXPORT_SYMBOL(init_task);
350350
351---- linux-5.3-rc5.orig/kernel/kexec.c
352-+++ linux-5.3-rc5/kernel/kexec.c
351+--- linux-5.3.1.orig/kernel/kexec.c
352++++ linux-5.3.1/kernel/kexec.c
353353 @@ -16,7 +16,7 @@
354354 #include <linux/syscalls.h>
355355 #include <linux/vmalloc.h>
@@ -368,8 +368,8 @@
368368
369369 /* Permit LSMs and IMA to fail the kexec */
370370 result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371---- linux-5.3-rc5.orig/kernel/module.c
372-+++ linux-5.3-rc5/kernel/module.c
371+--- linux-5.3.1.orig/kernel/module.c
372++++ linux-5.3.1/kernel/module.c
373373 @@ -54,6 +54,7 @@
374374 #include <linux/audit.h>
375375 #include <uapi/linux/module.h>
@@ -396,8 +396,8 @@
396396
397397 return 0;
398398 }
399---- linux-5.3-rc5.orig/kernel/ptrace.c
400-+++ linux-5.3-rc5/kernel/ptrace.c
399+--- linux-5.3.1.orig/kernel/ptrace.c
400++++ linux-5.3.1/kernel/ptrace.c
401401 @@ -1239,6 +1239,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402402 {
403403 struct task_struct *child;
@@ -422,8 +422,8 @@
422422
423423 if (request == PTRACE_TRACEME) {
424424 ret = ptrace_traceme();
425---- linux-5.3-rc5.orig/kernel/reboot.c
426-+++ linux-5.3-rc5/kernel/reboot.c
425+--- linux-5.3.1.orig/kernel/reboot.c
426++++ linux-5.3.1/kernel/reboot.c
427427 @@ -17,6 +17,7 @@
428428 #include <linux/syscalls.h>
429429 #include <linux/syscore_ops.h>
@@ -441,9 +441,9 @@
441441
442442 /*
443443 * If pid namespaces are enabled and the current task is in a child
444---- linux-5.3-rc5.orig/kernel/sched/core.c
445-+++ linux-5.3-rc5/kernel/sched/core.c
446-@@ -4372,6 +4372,8 @@ int can_nice(const struct task_struct *p
444+--- linux-5.3.1.orig/kernel/sched/core.c
445++++ linux-5.3.1/kernel/sched/core.c
446+@@ -4375,6 +4375,8 @@ int can_nice(const struct task_struct *p
447447 SYSCALL_DEFINE1(nice, int, increment)
448448 {
449449 long nice, retval;
@@ -452,9 +452,9 @@
452452
453453 /*
454454 * Setpriority might change our priority at the same moment.
455---- linux-5.3-rc5.orig/kernel/signal.c
456-+++ linux-5.3-rc5/kernel/signal.c
457-@@ -3629,6 +3629,8 @@ static inline void prepare_kill_siginfo(
455+--- linux-5.3.1.orig/kernel/signal.c
456++++ linux-5.3.1/kernel/signal.c
457+@@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
458458 SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459459 {
460460 struct kernel_siginfo info;
@@ -463,7 +463,7 @@
463463
464464 prepare_kill_siginfo(sig, &info);
465465
466-@@ -3724,6 +3726,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
466+@@ -3729,6 +3731,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
467467 if (!access_pidfd_pidns(pid))
468468 goto err;
469469
@@ -485,7 +485,7 @@
485485 if (info) {
486486 ret = copy_siginfo_from_user_any(&kinfo, info);
487487 if (unlikely(ret))
488-@@ -3808,6 +3825,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
488+@@ -3813,6 +3830,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
489489 /* This is only valid for single tasks */
490490 if (pid <= 0 || tgid <= 0)
491491 return -EINVAL;
@@ -494,7 +494,7 @@
494494
495495 return do_tkill(tgid, pid, sig);
496496 }
497-@@ -3824,6 +3843,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
497+@@ -3829,6 +3848,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
498498 /* This is only valid for single tasks */
499499 if (pid <= 0)
500500 return -EINVAL;
@@ -503,7 +503,7 @@
503503
504504 return do_tkill(0, pid, sig);
505505 }
506-@@ -3836,6 +3857,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
506+@@ -3841,6 +3862,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
507507 if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
508508 (task_pid_vnr(current) != pid))
509509 return -EPERM;
@@ -512,7 +512,7 @@
512512
513513 /* POSIX.1b doesn't mention process groups. */
514514 return kill_proc_info(sig, info, pid);
515-@@ -3883,6 +3906,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
515+@@ -3888,6 +3911,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
516516 if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
517517 (task_pid_vnr(current) != pid))
518518 return -EPERM;
@@ -521,8 +521,8 @@
521521
522522 return do_send_specific(tgid, pid, sig, info);
523523 }
524---- linux-5.3-rc5.orig/kernel/sys.c
525-+++ linux-5.3-rc5/kernel/sys.c
524+--- linux-5.3.1.orig/kernel/sys.c
525++++ linux-5.3.1/kernel/sys.c
526526 @@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527527
528528 if (which > PRIO_USER || which < PRIO_PROCESS)
@@ -552,8 +552,8 @@
552552
553553 errno = -EFAULT;
554554 if (!copy_from_user(tmp, name, len)) {
555---- linux-5.3-rc5.orig/kernel/time/timekeeping.c
556-+++ linux-5.3-rc5/kernel/time/timekeeping.c
555+--- linux-5.3.1.orig/kernel/time/timekeeping.c
556++++ linux-5.3.1/kernel/time/timekeeping.c
557557 @@ -22,6 +22,7 @@
558558 #include <linux/pvclock_gtod.h>
559559 #include <linux/compiler.h>
@@ -562,7 +562,7 @@
562562
563563 #include "tick-internal.h"
564564 #include "ntp_internal.h"
565-@@ -2248,10 +2249,15 @@ static int timekeeping_validate_timex(co
565+@@ -2253,10 +2254,15 @@ static int timekeeping_validate_timex(co
566566 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567567 !capable(CAP_SYS_TIME))
568568 return -EPERM;
@@ -578,7 +578,7 @@
578578 /*
579579 * if the quartz is off by more than 10% then
580580 * something is VERY wrong!
581-@@ -2266,6 +2272,8 @@ static int timekeeping_validate_timex(co
581+@@ -2271,6 +2277,8 @@ static int timekeeping_validate_timex(co
582582 /* In order to inject time, you gotta be super-user! */
583583 if (!capable(CAP_SYS_TIME))
584584 return -EPERM;
@@ -587,8 +587,8 @@
587587
588588 /*
589589 * Validate if a timespec/timeval used to inject a time
590---- linux-5.3-rc5.orig/net/ipv4/raw.c
591-+++ linux-5.3-rc5/net/ipv4/raw.c
590+--- linux-5.3.1.orig/net/ipv4/raw.c
591++++ linux-5.3.1/net/ipv4/raw.c
592592 @@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
593593 skb = skb_recv_datagram(sk, flags, noblock, &err);
594594 if (!skb)
@@ -600,9 +600,9 @@
600600
601601 copied = skb->len;
602602 if (len < copied) {
603---- linux-5.3-rc5.orig/net/ipv4/udp.c
604-+++ linux-5.3-rc5/net/ipv4/udp.c
605-@@ -1708,6 +1708,8 @@ try_again:
603+--- linux-5.3.1.orig/net/ipv4/udp.c
604++++ linux-5.3.1/net/ipv4/udp.c
605+@@ -1709,6 +1709,8 @@ try_again:
606606 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607607 if (!skb)
608608 return err;
@@ -611,8 +611,8 @@
611611
612612 ulen = udp_skb_len(skb);
613613 copied = len;
614---- linux-5.3-rc5.orig/net/ipv6/raw.c
615-+++ linux-5.3-rc5/net/ipv6/raw.c
614+--- linux-5.3.1.orig/net/ipv6/raw.c
615++++ linux-5.3.1/net/ipv6/raw.c
616616 @@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617617 skb = skb_recv_datagram(sk, flags, noblock, &err);
618618 if (!skb)
@@ -624,9 +624,9 @@
624624
625625 copied = skb->len;
626626 if (copied > len) {
627---- linux-5.3-rc5.orig/net/ipv6/udp.c
628-+++ linux-5.3-rc5/net/ipv6/udp.c
629-@@ -287,6 +287,8 @@ try_again:
627+--- linux-5.3.1.orig/net/ipv6/udp.c
628++++ linux-5.3.1/net/ipv6/udp.c
629+@@ -288,6 +288,8 @@ try_again:
630630 skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631631 if (!skb)
632632 return err;
@@ -635,8 +635,8 @@
635635
636636 ulen = udp6_skb_len(skb);
637637 copied = len;
638---- linux-5.3-rc5.orig/net/socket.c
639-+++ linux-5.3-rc5/net/socket.c
638+--- linux-5.3.1.orig/net/socket.c
639++++ linux-5.3.1/net/socket.c
640640 @@ -1755,6 +1755,10 @@ int __sys_accept4(int fd, struct sockadd
641641 if (err < 0)
642642 goto out_fd;
@@ -648,8 +648,8 @@
648648 if (upeer_sockaddr) {
649649 len = newsock->ops->getname(newsock,
650650 (struct sockaddr *)&address, 2);
651---- linux-5.3-rc5.orig/net/unix/af_unix.c
652-+++ linux-5.3-rc5/net/unix/af_unix.c
651+--- linux-5.3.1.orig/net/unix/af_unix.c
652++++ linux-5.3.1/net/unix/af_unix.c
653653 @@ -2075,6 +2075,10 @@ static int unix_dgram_recvmsg(struct soc
654654 EPOLLOUT | EPOLLWRNORM |
655655 EPOLLWRBAND);
@@ -669,8 +669,8 @@
669669 mutex_unlock(&u->iolock);
670670 out:
671671 return err;
672---- linux-5.3-rc5.orig/security/Kconfig
673-+++ linux-5.3-rc5/security/Kconfig
672+--- linux-5.3.1.orig/security/Kconfig
673++++ linux-5.3.1/security/Kconfig
674674 @@ -290,5 +290,7 @@ config LSM
675675
676676 source "security/Kconfig.hardening"
@@ -679,8 +679,8 @@
679679 +
680680 endmenu
681681
682---- linux-5.3-rc5.orig/security/Makefile
683-+++ linux-5.3-rc5/security/Makefile
682+--- linux-5.3.1.orig/security/Makefile
683++++ linux-5.3.1/security/Makefile
684684 @@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685685 # Object integrity file lists
686686 subdir-$(CONFIG_INTEGRITY) += integrity
@@ -688,8 +688,8 @@
688688 +
689689 +subdir-$(CONFIG_CCSECURITY) += ccsecurity
690690 +obj-$(CONFIG_CCSECURITY) += ccsecurity/
691---- linux-5.3-rc5.orig/security/security.c
692-+++ linux-5.3-rc5/security/security.c
691+--- linux-5.3.1.orig/security/security.c
692++++ linux-5.3.1/security/security.c
693693 @@ -1467,7 +1467,9 @@ int security_task_alloc(struct task_stru
694694
695695 if (rc)
--- trunk/caitsith-patch/patches/ccs-patch-5.4.diff (nonexistent)
+++ trunk/caitsith-patch/patches/ccs-patch-5.4.diff (revision 288)
@@ -0,0 +1,711 @@
1+This is TOMOYO Linux patch for linux-next.
2+
3+Source code for this patch is https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/snapshot/linux-next-next-20190915.tar.gz
4+---
5+ fs/exec.c | 2 -
6+ fs/open.c | 2 +
7+ fs/proc/version.c | 7 ++++
8+ include/linux/sched.h | 5 +++
9+ include/linux/security.h | 70 ++++++++++++++++++++++++++++------------------
10+ include/net/ip.h | 4 ++
11+ init/init_task.c | 4 ++
12+ kernel/kexec.c | 4 +-
13+ kernel/module.c | 5 +++
14+ kernel/ptrace.c | 10 ++++++
15+ kernel/reboot.c | 3 +
16+ kernel/sched/core.c | 2 +
17+ kernel/signal.c | 25 ++++++++++++++++
18+ kernel/sys.c | 8 +++++
19+ kernel/time/timekeeping.c | 8 +++++
20+ net/ipv4/raw.c | 4 ++
21+ net/ipv4/udp.c | 2 +
22+ net/ipv6/raw.c | 4 ++
23+ net/ipv6/udp.c | 2 +
24+ net/socket.c | 4 ++
25+ net/unix/af_unix.c | 5 +++
26+ security/Kconfig | 2 +
27+ security/Makefile | 3 +
28+ security/security.c | 5 ++-
29+ 24 files changed, 160 insertions(+), 30 deletions(-)
30+
31+--- linux-next.orig/fs/exec.c
32++++ linux-next/fs/exec.c
33+@@ -1698,7 +1698,7 @@ static int exec_binprm(struct linux_binp
34+ old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
35+ rcu_read_unlock();
36+
37+- ret = search_binary_handler(bprm);
38++ ret = ccs_search_binary_handler(bprm);
39+ if (ret >= 0) {
40+ audit_bprm(bprm);
41+ trace_sched_process_exec(current, old_pid, bprm);
42+--- linux-next.orig/fs/open.c
43++++ linux-next/fs/open.c
44+@@ -1208,6 +1208,8 @@ SYSCALL_DEFINE1(close, unsigned int, fd)
45+ */
46+ SYSCALL_DEFINE0(vhangup)
47+ {
48++ if (!ccs_capable(CCS_SYS_VHANGUP))
49++ return -EPERM;
50+ if (capable(CAP_SYS_TTY_CONFIG)) {
51+ tty_vhangup_self();
52+ return 0;
53+--- linux-next.orig/fs/proc/version.c
54++++ linux-next/fs/proc/version.c
55+@@ -21,3 +21,10 @@ static int __init proc_version_init(void
56+ return 0;
57+ }
58+ fs_initcall(proc_version_init);
59++
60++static int __init ccs_show_version(void)
61++{
62++ printk(KERN_INFO "Hook version: 5.3-rc8-next-20190915 2019/09/16\n");
63++ return 0;
64++}
65++fs_initcall(ccs_show_version);
66+--- linux-next.orig/include/linux/sched.h
67++++ linux-next/include/linux/sched.h
68+@@ -38,6 +38,7 @@ struct backing_dev_info;
69+ struct bio_list;
70+ struct blk_plug;
71+ struct capture_control;
72++struct ccs_domain_info;
73+ struct cfs_rq;
74+ struct fs_struct;
75+ struct futex_pi_state;
76+@@ -1258,6 +1259,10 @@ struct task_struct {
77+ /* Used by LSM modules for access restriction: */
78+ void *security;
79+ #endif
80++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
81++ struct ccs_domain_info *ccs_domain_info;
82++ u32 ccs_flags;
83++#endif
84+
85+ #ifdef CONFIG_GCC_PLUGIN_STACKLEAK
86+ unsigned long lowest_stack;
87+--- linux-next.orig/include/linux/security.h
88++++ linux-next/include/linux/security.h
89+@@ -59,6 +59,7 @@ struct fs_parameter;
90+ enum fs_value_type;
91+ struct watch;
92+ struct watch_notification;
93++#include <linux/ccsecurity.h>
94+
95+ /* Default (no) options for the capable function */
96+ #define CAP_OPT_NONE 0x0
97+@@ -559,7 +560,10 @@ static inline int security_syslog(int ty
98+ static inline int security_settime64(const struct timespec64 *ts,
99+ const struct timezone *tz)
100+ {
101+- return cap_settime(ts, tz);
102++ int error = cap_settime(ts, tz);
103++ if (!error)
104++ error = ccs_settime(ts, tz);
105++ return error;
106+ }
107+
108+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
109+@@ -636,18 +640,18 @@ static inline int security_sb_mount(cons
110+ const char *type, unsigned long flags,
111+ void *data)
112+ {
113+- return 0;
114++ return ccs_sb_mount(dev_name, path, type, flags, data);
115+ }
116+
117+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
118+ {
119+- return 0;
120++ return ccs_sb_umount(mnt, flags);
121+ }
122+
123+ static inline int security_sb_pivotroot(const struct path *old_path,
124+ const struct path *new_path)
125+ {
126+- return 0;
127++ return ccs_sb_pivotroot(old_path, new_path);
128+ }
129+
130+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
131+@@ -675,7 +679,7 @@ static inline int security_add_mnt_opt(c
132+ static inline int security_move_mount(const struct path *from_path,
133+ const struct path *to_path)
134+ {
135+- return 0;
136++ return ccs_move_mount_permission(from_path, to_path);
137+ }
138+
139+ static inline int security_path_notify(const struct path *path, u64 mask,
140+@@ -809,7 +813,7 @@ static inline int security_inode_setattr
141+
142+ static inline int security_inode_getattr(const struct path *path)
143+ {
144+- return 0;
145++ return ccs_inode_getattr(path);
146+ }
147+
148+ static inline int security_inode_setxattr(struct dentry *dentry,
149+@@ -901,7 +905,7 @@ static inline void security_file_free(st
150+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
151+ unsigned long arg)
152+ {
153+- return 0;
154++ return ccs_file_ioctl(file, cmd, arg);
155+ }
156+
157+ static inline int security_mmap_file(struct file *file, unsigned long prot,
158+@@ -930,7 +934,7 @@ static inline int security_file_lock(str
159+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
160+ unsigned long arg)
161+ {
162+- return 0;
163++ return ccs_file_fcntl(file, cmd, arg);
164+ }
165+
166+ static inline void security_file_set_fowner(struct file *file)
167+@@ -952,17 +956,19 @@ static inline int security_file_receive(
168+
169+ static inline int security_file_open(struct file *file)
170+ {
171+- return 0;
172++ return ccs_file_open(file);
173+ }
174+
175+ static inline int security_task_alloc(struct task_struct *task,
176+ unsigned long clone_flags)
177+ {
178+- return 0;
179++ return ccs_alloc_task_security(task);
180+ }
181+
182+ static inline void security_task_free(struct task_struct *task)
183+-{ }
184++{
185++ ccs_free_task_security(task);
186++}
187+
188+ static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
189+ {
190+@@ -1370,7 +1376,7 @@ static inline int security_unix_may_send
191+ static inline int security_socket_create(int family, int type,
192+ int protocol, int kern)
193+ {
194+- return 0;
195++ return ccs_socket_create(family, type, protocol, kern);
196+ }
197+
198+ static inline int security_socket_post_create(struct socket *sock,
199+@@ -1391,19 +1397,19 @@ static inline int security_socket_bind(s
200+ struct sockaddr *address,
201+ int addrlen)
202+ {
203+- return 0;
204++ return ccs_socket_bind(sock, address, addrlen);
205+ }
206+
207+ static inline int security_socket_connect(struct socket *sock,
208+ struct sockaddr *address,
209+ int addrlen)
210+ {
211+- return 0;
212++ return ccs_socket_connect(sock, address, addrlen);
213+ }
214+
215+ static inline int security_socket_listen(struct socket *sock, int backlog)
216+ {
217+- return 0;
218++ return ccs_socket_listen(sock, backlog);
219+ }
220+
221+ static inline int security_socket_accept(struct socket *sock,
222+@@ -1415,7 +1421,7 @@ static inline int security_socket_accept
223+ static inline int security_socket_sendmsg(struct socket *sock,
224+ struct msghdr *msg, int size)
225+ {
226+- return 0;
227++ return ccs_socket_sendmsg(sock, msg, size);
228+ }
229+
230+ static inline int security_socket_recvmsg(struct socket *sock,
231+@@ -1702,42 +1708,42 @@ int security_path_chroot(const struct pa
232+ #else /* CONFIG_SECURITY_PATH */
233+ static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
234+ {
235+- return 0;
236++ return ccs_path_unlink(dir, dentry);
237+ }
238+
239+ static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
240+ umode_t mode)
241+ {
242+- return 0;
243++ return ccs_path_mkdir(dir, dentry, mode);
244+ }
245+
246+ static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
247+ {
248+- return 0;
249++ return ccs_path_rmdir(dir, dentry);
250+ }
251+
252+ static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
253+ umode_t mode, unsigned int dev)
254+ {
255+- return 0;
256++ return ccs_path_mknod(dir, dentry, mode, dev);
257+ }
258+
259+ static inline int security_path_truncate(const struct path *path)
260+ {
261+- return 0;
262++ return ccs_path_truncate(path);
263+ }
264+
265+ static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
266+ const char *old_name)
267+ {
268+- return 0;
269++ return ccs_path_symlink(dir, dentry, old_name);
270+ }
271+
272+ static inline int security_path_link(struct dentry *old_dentry,
273+ const struct path *new_dir,
274+ struct dentry *new_dentry)
275+ {
276+- return 0;
277++ return ccs_path_link(old_dentry, new_dir, new_dentry);
278+ }
279+
280+ static inline int security_path_rename(const struct path *old_dir,
281+@@ -1746,22 +1752,32 @@ static inline int security_path_rename(c
282+ struct dentry *new_dentry,
283+ unsigned int flags)
284+ {
285+- return 0;
286++ /*
287++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
288++ * by doing "#include <uapi/linux/fs.h>" .
289++ */
290++ if (flags & (1 << 1)) {
291++ int err = ccs_path_rename(new_dir, new_dentry, old_dir,
292++ old_dentry);
293++ if (err)
294++ return err;
295++ }
296++ return ccs_path_rename(old_dir, old_dentry, new_dir, new_dentry);
297+ }
298+
299+ static inline int security_path_chmod(const struct path *path, umode_t mode)
300+ {
301+- return 0;
302++ return ccs_path_chmod(path, mode);
303+ }
304+
305+ static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
306+ {
307+- return 0;
308++ return ccs_path_chown(path, uid, gid);
309+ }
310+
311+ static inline int security_path_chroot(const struct path *path)
312+ {
313+- return 0;
314++ return ccs_path_chroot(path);
315+ }
316+ #endif /* CONFIG_SECURITY_PATH */
317+
318+--- linux-next.orig/include/net/ip.h
319++++ linux-next/include/net/ip.h
320+@@ -341,6 +341,8 @@ void inet_get_local_port_range(struct ne
321+ #ifdef CONFIG_SYSCTL
322+ static inline int inet_is_local_reserved_port(struct net *net, int port)
323+ {
324++ if (ccs_lport_reserved(port))
325++ return 1;
326+ if (!net->ipv4.sysctl_local_reserved_ports)
327+ return 0;
328+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
329+@@ -359,6 +361,8 @@ static inline int inet_prot_sock(struct
330+ #else
331+ static inline int inet_is_local_reserved_port(struct net *net, int port)
332+ {
333++ if (ccs_lport_reserved(port))
334++ return 1;
335+ return 0;
336+ }
337+
338+--- linux-next.orig/init/init_task.c
339++++ linux-next/init/init_task.c
340+@@ -181,6 +181,10 @@ struct task_struct init_task
341+ #ifdef CONFIG_SECURITY
342+ .security = NULL,
343+ #endif
344++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
345++ .ccs_domain_info = NULL,
346++ .ccs_flags = 0,
347++#endif
348+ };
349+ EXPORT_SYMBOL(init_task);
350+
351+--- linux-next.orig/kernel/kexec.c
352++++ linux-next/kernel/kexec.c
353+@@ -16,7 +16,7 @@
354+ #include <linux/syscalls.h>
355+ #include <linux/vmalloc.h>
356+ #include <linux/slab.h>
357+-
358++#include <linux/ccsecurity.h>
359+ #include "kexec_internal.h"
360+
361+ static int copy_user_segment_list(struct kimage *image,
362+@@ -199,6 +199,8 @@ static inline int kexec_load_check(unsig
363+ /* We only trust the superuser with rebooting the system. */
364+ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
365+ return -EPERM;
366++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
367++ return -EPERM;
368+
369+ /* Permit LSMs and IMA to fail the kexec */
370+ result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
371+--- linux-next.orig/kernel/module.c
372++++ linux-next/kernel/module.c
373+@@ -55,6 +55,7 @@
374+ #include <linux/audit.h>
375+ #include <uapi/linux/module.h>
376+ #include "module-internal.h"
377++#include <linux/ccsecurity.h>
378+
379+ #define CREATE_TRACE_POINTS
380+ #include <trace/events/module.h>
381+@@ -965,6 +966,8 @@ SYSCALL_DEFINE2(delete_module, const cha
382+
383+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
384+ return -EPERM;
385++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
386++ return -EPERM;
387+
388+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
389+ return -EFAULT;
390+@@ -3607,6 +3610,8 @@ static int may_init_module(void)
391+ {
392+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
393+ return -EPERM;
394++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
395++ return -EPERM;
396+
397+ return 0;
398+ }
399+--- linux-next.orig/kernel/ptrace.c
400++++ linux-next/kernel/ptrace.c
401+@@ -1239,6 +1239,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
402+ {
403+ struct task_struct *child;
404+ long ret;
405++ {
406++ const int rc = ccs_ptrace_permission(request, pid);
407++ if (rc)
408++ return rc;
409++ }
410+
411+ if (request == PTRACE_TRACEME) {
412+ ret = ptrace_traceme();
413+@@ -1386,6 +1391,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
414+ {
415+ struct task_struct *child;
416+ long ret;
417++ {
418++ const int rc = ccs_ptrace_permission(request, pid);
419++ if (rc)
420++ return rc;
421++ }
422+
423+ if (request == PTRACE_TRACEME) {
424+ ret = ptrace_traceme();
425+--- linux-next.orig/kernel/reboot.c
426++++ linux-next/kernel/reboot.c
427+@@ -17,6 +17,7 @@
428+ #include <linux/syscalls.h>
429+ #include <linux/syscore_ops.h>
430+ #include <linux/uaccess.h>
431++#include <linux/ccsecurity.h>
432+
433+ /*
434+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
435+@@ -325,6 +326,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
436+ magic2 != LINUX_REBOOT_MAGIC2B &&
437+ magic2 != LINUX_REBOOT_MAGIC2C))
438+ return -EINVAL;
439++ if (!ccs_capable(CCS_SYS_REBOOT))
440++ return -EPERM;
441+
442+ /*
443+ * If pid namespaces are enabled and the current task is in a child
444+--- linux-next.orig/kernel/sched/core.c
445++++ linux-next/kernel/sched/core.c
446+@@ -4560,6 +4560,8 @@ int can_nice(const struct task_struct *p
447+ SYSCALL_DEFINE1(nice, int, increment)
448+ {
449+ long nice, retval;
450++ if (!ccs_capable(CCS_SYS_NICE))
451++ return -EPERM;
452+
453+ /*
454+ * Setpriority might change our priority at the same moment.
455+--- linux-next.orig/kernel/signal.c
456++++ linux-next/kernel/signal.c
457+@@ -3634,6 +3634,8 @@ static inline void prepare_kill_siginfo(
458+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
459+ {
460+ struct kernel_siginfo info;
461++ if (ccs_kill_permission(pid, sig))
462++ return -EPERM;
463+
464+ prepare_kill_siginfo(sig, &info);
465+
466+@@ -3732,6 +3734,21 @@ SYSCALL_DEFINE4(pidfd_send_signal, int,
467+ if (!access_pidfd_pidns(pid))
468+ goto err;
469+
470++ {
471++ struct task_struct *task;
472++ int id = 0;
473++
474++ rcu_read_lock();
475++ task = pid_task(pid, PIDTYPE_PID);
476++ if (task)
477++ id = task_pid_vnr(task);
478++ rcu_read_unlock();
479++ if (task && ccs_kill_permission(id, sig)) {
480++ ret = -EPERM;
481++ goto err;
482++ }
483++ }
484++
485+ if (info) {
486+ ret = copy_siginfo_from_user_any(&kinfo, info);
487+ if (unlikely(ret))
488+@@ -3816,6 +3833,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
489+ /* This is only valid for single tasks */
490+ if (pid <= 0 || tgid <= 0)
491+ return -EINVAL;
492++ if (ccs_tgkill_permission(tgid, pid, sig))
493++ return -EPERM;
494+
495+ return do_tkill(tgid, pid, sig);
496+ }
497+@@ -3832,6 +3851,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
498+ /* This is only valid for single tasks */
499+ if (pid <= 0)
500+ return -EINVAL;
501++ if (ccs_tkill_permission(pid, sig))
502++ return -EPERM;
503+
504+ return do_tkill(0, pid, sig);
505+ }
506+@@ -3844,6 +3865,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
507+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
508+ (task_pid_vnr(current) != pid))
509+ return -EPERM;
510++ if (ccs_sigqueue_permission(pid, sig))
511++ return -EPERM;
512+
513+ /* POSIX.1b doesn't mention process groups. */
514+ return kill_proc_info(sig, info, pid);
515+@@ -3891,6 +3914,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
516+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
517+ (task_pid_vnr(current) != pid))
518+ return -EPERM;
519++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
520++ return -EPERM;
521+
522+ return do_send_specific(tgid, pid, sig, info);
523+ }
524+--- linux-next.orig/kernel/sys.c
525++++ linux-next/kernel/sys.c
526+@@ -204,6 +204,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
527+
528+ if (which > PRIO_USER || which < PRIO_PROCESS)
529+ goto out;
530++ if (!ccs_capable(CCS_SYS_NICE)) {
531++ error = -EPERM;
532++ goto out;
533++ }
534+
535+ /* normalize: avoid signed division (rounding problems) */
536+ error = -ESRCH;
537+@@ -1312,6 +1316,8 @@ SYSCALL_DEFINE2(sethostname, char __user
538+
539+ if (len < 0 || len > __NEW_UTS_LEN)
540+ return -EINVAL;
541++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
542++ return -EPERM;
543+ errno = -EFAULT;
544+ if (!copy_from_user(tmp, name, len)) {
545+ struct new_utsname *u;
546+@@ -1364,6 +1370,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
547+ return -EPERM;
548+ if (len < 0 || len > __NEW_UTS_LEN)
549+ return -EINVAL;
550++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
551++ return -EPERM;
552+
553+ errno = -EFAULT;
554+ if (!copy_from_user(tmp, name, len)) {
555+--- linux-next.orig/kernel/time/timekeeping.c
556++++ linux-next/kernel/time/timekeeping.c
557+@@ -22,6 +22,7 @@
558+ #include <linux/pvclock_gtod.h>
559+ #include <linux/compiler.h>
560+ #include <linux/audit.h>
561++#include <linux/ccsecurity.h>
562+
563+ #include "tick-internal.h"
564+ #include "ntp_internal.h"
565+@@ -2253,10 +2254,15 @@ static int timekeeping_validate_timex(co
566+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
567+ !capable(CAP_SYS_TIME))
568+ return -EPERM;
569++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
570++ !ccs_capable(CCS_SYS_SETTIME))
571++ return -EPERM;
572+ } else {
573+ /* In order to modify anything, you gotta be super-user! */
574+ if (txc->modes && !capable(CAP_SYS_TIME))
575+ return -EPERM;
576++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
577++ return -EPERM;
578+ /*
579+ * if the quartz is off by more than 10% then
580+ * something is VERY wrong!
581+@@ -2271,6 +2277,8 @@ static int timekeeping_validate_timex(co
582+ /* In order to inject time, you gotta be super-user! */
583+ if (!capable(CAP_SYS_TIME))
584+ return -EPERM;
585++ if (!ccs_capable(CCS_SYS_SETTIME))
586++ return -EPERM;
587+
588+ /*
589+ * Validate if a timespec/timeval used to inject a time
590+--- linux-next.orig/net/ipv4/raw.c
591++++ linux-next/net/ipv4/raw.c
592+@@ -767,6 +767,10 @@ static int raw_recvmsg(struct sock *sk,
593+ skb = skb_recv_datagram(sk, flags, noblock, &err);
594+ if (!skb)
595+ goto out;
596++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
597++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
598++ goto out;
599++ }
600+
601+ copied = skb->len;
602+ if (len < copied) {
603+--- linux-next.orig/net/ipv4/udp.c
604++++ linux-next/net/ipv4/udp.c
605+@@ -1708,6 +1708,8 @@ try_again:
606+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
607+ if (!skb)
608+ return err;
609++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
610++ return -EAGAIN; /* Hope less harmful than -EPERM. */
611+
612+ ulen = udp_skb_len(skb);
613+ copied = len;
614+--- linux-next.orig/net/ipv6/raw.c
615++++ linux-next/net/ipv6/raw.c
616+@@ -480,6 +480,10 @@ static int rawv6_recvmsg(struct sock *sk
617+ skb = skb_recv_datagram(sk, flags, noblock, &err);
618+ if (!skb)
619+ goto out;
620++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
621++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
622++ goto out;
623++ }
624+
625+ copied = skb->len;
626+ if (copied > len) {
627+--- linux-next.orig/net/ipv6/udp.c
628++++ linux-next/net/ipv6/udp.c
629+@@ -287,6 +287,8 @@ try_again:
630+ skb = __skb_recv_udp(sk, flags, noblock, &off, &err);
631+ if (!skb)
632+ return err;
633++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags))
634++ return -EAGAIN; /* Hope less harmful than -EPERM. */
635+
636+ ulen = udp6_skb_len(skb);
637+ copied = len;
638+--- linux-next.orig/net/socket.c
639++++ linux-next/net/socket.c
640+@@ -1756,6 +1756,10 @@ int __sys_accept4(int fd, struct sockadd
641+ if (err < 0)
642+ goto out_fd;
643+
644++ if (ccs_socket_post_accept_permission(sock, newsock)) {
645++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
646++ goto out_fd;
647++ }
648+ if (upeer_sockaddr) {
649+ len = newsock->ops->getname(newsock,
650+ (struct sockaddr *)&address, 2);
651+--- linux-next.orig/net/unix/af_unix.c
652++++ linux-next/net/unix/af_unix.c
653+@@ -2087,6 +2087,10 @@ static int unix_dgram_recvmsg(struct soc
654+ EPOLLOUT | EPOLLWRNORM |
655+ EPOLLWRBAND);
656+
657++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
658++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
659++ goto out_unlock;
660++ }
661+ if (msg->msg_name)
662+ unix_copy_addr(msg, skb->sk);
663+
664+@@ -2137,6 +2141,7 @@ static int unix_dgram_recvmsg(struct soc
665+
666+ out_free:
667+ skb_free_datagram(sk, skb);
668++out_unlock:
669+ mutex_unlock(&u->iolock);
670+ out:
671+ return err;
672+--- linux-next.orig/security/Kconfig
673++++ linux-next/security/Kconfig
674+@@ -291,5 +291,7 @@ config LSM
675+
676+ source "security/Kconfig.hardening"
677+
678++source "security/ccsecurity/Kconfig"
679++
680+ endmenu
681+
682+--- linux-next.orig/security/Makefile
683++++ linux-next/security/Makefile
684+@@ -34,3 +34,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
685+ # Object integrity file lists
686+ subdir-$(CONFIG_INTEGRITY) += integrity
687+ obj-$(CONFIG_INTEGRITY) += integrity/
688++
689++subdir-$(CONFIG_CCSECURITY) += ccsecurity
690++obj-$(CONFIG_CCSECURITY) += ccsecurity/
691+--- linux-next.orig/security/security.c
692++++ linux-next/security/security.c
693+@@ -1507,7 +1507,9 @@ int security_task_alloc(struct task_stru
694+
695+ if (rc)
696+ return rc;
697+- rc = call_int_hook(task_alloc, 0, task, clone_flags);
698++ rc = ccs_alloc_task_security(task);
699++ if (likely(!rc))
700++ rc = call_int_hook(task_alloc, 0, task, clone_flags);
701+ if (unlikely(rc))
702+ security_task_free(task);
703+ return rc;
704+@@ -1516,6 +1518,7 @@ int security_task_alloc(struct task_stru
705+ void security_task_free(struct task_struct *task)
706+ {
707+ call_void_hook(task_free, task);
708++ ccs_free_task_security(task);
709+
710+ kfree(task->security);
711+ task->security = NULL;
--- trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 287)
+++ trunk/caitsith-patch/security/caitsith/lsm2caitsith.c (revision 288)
@@ -37,7 +37,7 @@
3737 return ccs_fcntl_permission(file, cmd, arg);
3838 }
3939
40-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
40+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) || (defined(RHEL_MAJOR) && RHEL_MAJOR == 8)
4141 int ccs_file_open(struct file *file)
4242 {
4343 return ccs_open_permission(file);
--- trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 287)
+++ trunk/caitsith-patch/specs/build-c7-3.10.sh (revision 288)
@@ -10,12 +10,12 @@
1010
1111 cd /tmp/ || die "Can't chdir to /tmp/ ."
1212
13-if [ ! -r kernel-3.10.0-957.27.2.el7.src.rpm ]
13+if [ ! -r kernel-3.10.0-1062.1.1.el7.src.rpm ]
1414 then
15- wget http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-957.27.2.el7.src.rpm || die "Can't download source package."
15+ wget http://vault.centos.org/centos/7/updates/Source/SPackages/kernel-3.10.0-1062.1.1.el7.src.rpm || die "Can't download source package."
1616 fi
17-LANG=C rpm --checksig kernel-3.10.0-957.27.2.el7.src.rpm | grep -F ': rsa sha1 (md5) pgp md5 OK' || die "Can't verify signature."
18-rpm -ivh kernel-3.10.0-957.27.2.el7.src.rpm || die "Can't install source package."
17+LANG=C rpm --checksig kernel-3.10.0-1062.1.1.el7.src.rpm | grep -F ': rsa sha1 (md5) pgp md5 OK' || die "Can't verify signature."
18+rpm -ivh kernel-3.10.0-1062.1.1.el7.src.rpm || die "Can't install source package."
1919
2020 cd ~/rpmbuild/SOURCES/ || die "Can't chdir to ~/rpmbuild/SOURCES/ ."
2121 if [ ! -r caitsith-patch-0.2-20190820.tar.gz ]
@@ -37,7 +37,7 @@
3737
3838 # For a kernel released for public testing, released_kernel should be 1.
3939 # For internal testing builds during development, it should be 0.
40-@@ -324,7 +324,7 @@
40+@@ -325,7 +325,7 @@
4141 AutoProv: yes\
4242 %{nil}
4343
@@ -46,7 +46,7 @@
4646 Group: System Environment/Kernel
4747 License: GPLv2
4848 URL: http://www.kernel.org/
49-@@ -664,13 +664,13 @@
49+@@ -678,13 +678,13 @@
5050 %package %{?1:%{1}-}devel\
5151 Summary: Development package for building kernel modules to match the %{?2:%{2} }kernel\
5252 Group: System Environment/Kernel\
@@ -64,7 +64,7 @@
6464 This package provides kernel headers and makefiles sufficient to build modules\
6565 against the %{?2:%{2} }kernel package.\
6666 %{nil}
67-@@ -782,6 +782,10 @@
67+@@ -796,6 +796,10 @@
6868 ApplyOptionalPatch debrand-rh_taint.patch
6969 ApplyOptionalPatch debrand-rh-i686-cpu.patch
7070
@@ -75,7 +75,7 @@
7575 # Any further pre-build tree manipulations happen here.
7676
7777 chmod +x scripts/checkpatch.pl
78-@@ -820,6 +824,17 @@
78+@@ -834,6 +838,17 @@
7979 for i in *.config
8080 do
8181 mv $i .config
Show on old repository browser