-- ./drivers/infiniband/core/addr.c ++ ./drivers/infiniband/core/addr.c @@ -252,7 +252,7 @@ static int addr6_resolve(struct sockaddr if (ipv6_addr_any(&fl.fl6_src)) { ret = ipv6_dev_get_saddr(&init_net, ip6_dst_idev(dst)->dev, - &fl.fl6_dst, 0, &fl.fl6_src); + &fl.fl6_dst, 0, &fl.fl6_src, NULL); if (ret) goto put; -- ./security/commoncap.c ++ ./security/commoncap.c @@ -52,7 +53,7 @@ static void warn_setuid_and_fcaps_mixed( int cap_netlink_send(struct sock *sk, struct sk_buff *skb) { - NETLINK_CB(skb).eff_cap = current_cap(); + NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap()); return 0; } @@ -82,7 +84,22 @@ EXPORT_SYMBOL(cap_netlink_recv); int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, int audit) { - return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; + struct vx_info *vxi = tsk->vx_info; + +#if 0 + printk("cap_capable() VXF_STATE_SETUP = %llx, raised = %x, eff = %08x:%08x\n", + vx_info_flags(vxi, VXF_STATE_SETUP, 0), + cap_raised(tsk->cap_effective, cap), + tsk->cap_effective.cap[1], tsk->cap_effective.cap[0]); +#endif + + /* special case SETUP */ + if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) && + /* FIXME: maybe use cred instead? */ + cap_raised(tsk->cred->cap_effective, cap)) + return 0; + + return vx_cap_raised(vxi, cred->cap_effective, cap) ? 0 : -EPERM; } /** -- ./kernel/sys.c ++ ./kernel/sys.c @@ -1197,7 +1210,7 @@ SYSCALL_DEFINE2(sethostname, char __user int errno; char tmp[__NEW_UTS_LEN]; - if (!capable(CAP_SYS_ADMIN)) + if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME)) return -EPERM; if (len < 0 || len > __NEW_UTS_LEN) return -EINVAL; @@ -1246,7 +1259,7 @@ SYSCALL_DEFINE2(setdomainname, char __us int errno; char tmp[__NEW_UTS_LEN]; - if (!capable(CAP_SYS_ADMIN)) + if (!vx_capable(CAP_SYS_ADMIN, VXC_SET_UTSNAME)) return -EPERM; if (len < 0 || len > __NEW_UTS_LEN) return -EINVAL; 
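Review bot: The SETUP special case in cap_capable tests `tsk->cred->cap_effective` although the function is handed `cred` explicitly, so a caller that passes a different credential set for the same task (the FIXME already hints at this) is judged against the wrong one on this fast path; `cap_raised(cred->cap_effective, cap)` keeps it consistent with the final `vx_cap_raised(vxi, cred->cap_effective, cap)` line. The `#if 0` printk block reads `tsk->cap_effective`, a field the surrounding cred-based code does not use, so it would not compile if ever enabled and should be removed rather than left as dead code. Whether `tsk->vx_info` may be read here without a reference or RCU protection is not visible in the hunk and is worth confirming against how vx_info is published and torn down.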
@@ -1415,7 +1428,7 @@ static int check_prlimit_permission(stru cred->gid != tcred->egid || cred->gid != tcred->sgid || cred->gid != tcred->gid) && - !capable(CAP_SYS_RESOURCE)) { + !vx_capable(CAP_SYS_RESOURCE, VXC_SET_RLIMIT)) { return -EPERM; } -- ./include/net/route.h ++ ./include/net/route.h @@ -211,6 +214,9 @@ static inline char rt_tos2priority(u8 to return ip_tos2prio[IPTOS_TOS(tos)>>1]; } +extern int ip_v4_find_src(struct net *net, struct nx_info *, + struct rtable **, struct flowi *); + static inline int ip_route_connect(struct rtable **rp, __be32 dst, __be32 src, u32 tos, int oif, u8 protocol, __be16 sport, __be16 dport, struct sock *sk, @@ -226,11 +232,24 @@ static inline int ip_route_connect(struc .fl_ip_dport = dport }; int err; struct net *net = sock_net(sk); + struct nx_info *nx_info = current_nx_info(); if (inet_sk(sk)->transparent) fl.flags |= FLOWI_FLAG_ANYSRC; - if (!dst || !src) { + if (sk) + nx_info = sk->sk_nx_info; + + vxdprintk(VXD_CBIT(net, 4), + "ip_route_connect(%p) %p,%p;%lx", + sk, nx_info, sk->sk_socket, + (sk->sk_socket?sk->sk_socket->flags:0)); + + err = ip_v4_find_src(net, nx_info, rp, &fl); + if (err) + return err; + + if (!fl.fl4_dst || !fl.fl4_src) { err = __ip_route_output_key(net, rp, &fl); if (err) return err; -- ./net/ipv6/route.c ++ ./net/ipv6/route.c @@ -2290,7 +2290,8 @@ static int rt6_fill_node(struct net *net struct inet6_dev *idev = ip6_dst_idev(&rt->dst); struct in6_addr saddr_buf; if (ipv6_dev_get_saddr(net, idev ? idev->dev : NULL, - dst, 0, &saddr_buf) == 0) + dst, 0, &saddr_buf, + (skb->sk ? skb->sk->sk_nx_info : NULL)) == 0) NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf); } -- ./net/ipv6/ip6_output.c ++ ./net/ipv6/ip6_output.c 
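Review bot: `if (sk) nx_info = sk->sk_nx_info;` guards against a NULL sk, but the `vxdprintk` added three lines later reads `sk->sk_socket` unconditionally, and the context line `struct net *net = sock_net(sk);` above already dereferences sk, so either the guard is dead or the debug print can fault. Settle on one contract: if sk is never NULL in ip_route_connect, assign `nx_info = sk->sk_nx_info;` directly and drop the test; if it can be, write the print arguments as `sk ? sk->sk_socket : NULL` and `(sk && sk->sk_socket) ? sk->sk_socket->flags : 0`. ip_route_connect continues past the end of the hunk.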
@@ -933,7 +933,7 @@ static int ip6_dst_lookup_tail(struct so err = ipv6_dev_get_saddr(net, ip6_dst_idev(*dst)->dev, &fl->fl6_dst, sk ? inet6_sk(sk)->srcprefs : 0, - &fl->fl6_src); + &fl->fl6_src, sk->sk_nx_info); if (err) goto out_err_release; } -- ./net/netfilter/ipvs/ip_vs_xmit.c ++ ./net/netfilter/ipvs/ip_vs_xmit.c @@ -213,7 +213,7 @@ __ip_vs_route_output_v6(struct net *net, return dst; if (ipv6_addr_any(&fl.fl6_src) && ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev, - &fl.fl6_dst, 0, &fl.fl6_src) < 0) + &fl.fl6_dst, 0, &fl.fl6_src, NULL) < 0) goto out_err; if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0) goto out_err; -- ./net/socket.c ++ ./net/socket.c @@ -551,7 +555,7 @@ static inline int __sock_sendmsg(struct struct msghdr *msg, size_t size) { struct sock_iocb *si = kiocb_to_siocb(iocb); - int err; + int err, len; sock_update_classid(sock->sk); -- ./net/ipv4/udp.c ++ ./net/ipv4/udp.c @@ -898,8 +903,13 @@ int udp_sendmsg(struct kiocb *iocb, stru .fl_ip_sport = inet->inet_sport, .fl_ip_dport = dport }; struct net *net = sock_net(sk); + struct nx_info *nxi = sk->sk_nx_info; security_sk_classify_flow(sk, &fl); + err = ip_v4_find_src(net, nxi, &rt, &fl); + if (err) + goto out; + err = ip_route_output_flow(net, &rt, &fl, sk, 1); if (err) { if (err == -ENETUNREACH) @@ -2091,7 +2106,10 @@ static void udp4_format_sock(struct sock seq_printf(f, "%5d: %08X:%04X %08X:%04X" " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n", - bucket, src, srcp, dest, destp, sp->sk_state, + bucket, + nx_map_sock_lback(current_nx_info(), src), srcp, + nx_map_sock_lback(current_nx_info(), dest), destp, + sp->sk_state, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), -- ./net/ipv4/tcp_ipv4.c ++ ./net/ipv4/tcp_ipv4.c 
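Review bot: The new last argument `sk->sk_nx_info` dereferences sk unconditionally, while the argument directly above it, `sk ? inet6_sk(sk)->srcprefs : 0`, shows that sk can be NULL in ip6_dst_lookup_tail; a route lookup without a socket now faults inside the source-address selection. Use `sk ? sk->sk_nx_info : NULL`, the same form the rt6_fill_node hunk in net/ipv6/route.c uses for this argument. The addr.c and ip_vs_xmit.c hunks pass NULL here, so the callee evidently accepts it.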
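Review bot: `ip_v4_find_src(net, nxi, &rt, &fl)` is called with whatever `sk->sk_nx_info` holds, including NULL for a socket outside any context, whereas the raw_sendmsg hunk in net/ipv4/raw.c wraps the same call in `if (sk->sk_nx_info)`, and the ip_route_connect hunk in include/net/route.h is unguarded as well. The call sites should agree on whether a NULL nx_info is valid input; the extern declaration in route.h is the place to record it, e.g. `/* nx_info may be NULL: no network-context restriction is applied */`, otherwise the guard belongs here too. The `goto out` on failure presumably releases `rt` at the existing label, which is only safe if `rt` is NULL-initialised before this point; that initialisation is outside the hunk.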
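Review bot: `current_nx_info()` is evaluated twice inside a single seq_printf argument list in udp4_format_sock, and the same pattern recurs in get_tcp4_sock and get_timewait4_sock (net/ipv4/tcp_ipv4.c) and raw_sock_seq_show (net/ipv4/raw.c). Hoisting it once per function, `struct nx_info *nxi = current_nx_info();`, and passing `nx_map_sock_lback(nxi, src)` and `nx_map_sock_lback(nxi, dest)` reads more clearly and guarantees both addresses are mapped against the same context. The trailing seq_printf arguments continue past the end of the hunk.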
@@ -2427,7 +2454,10 @@ static void get_tcp4_sock(struct sock *s seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX " "%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n", - i, src, srcp, dest, destp, sk->sk_state, + i, + nx_map_sock_lback(current_nx_info(), src), srcp, + nx_map_sock_lback(current_nx_info(), dest), destp, + sk->sk_state, tp->write_seq - tp->snd_una, rx_queue, timer_active, @@ -2462,7 +2492,10 @@ static void get_timewait4_sock(struct in seq_printf(f, "%4d: %08X:%04X %08X:%04X" " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n", - i, src, srcp, dest, destp, tw->tw_substate, 0, 0, + i, + nx_map_sock_lback(current_nx_info(), src), srcp, + nx_map_sock_lback(current_nx_info(), dest), destp, + tw->tw_substate, 0, 0, 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0, atomic_read(&tw->tw_refcnt), tw, len); } -- ./net/ipv4/raw.c ++ ./net/ipv4/raw.c @@ -564,6 +570,13 @@ static int raw_sendmsg(struct kiocb *ioc } security_sk_classify_flow(sk, &fl); + if (sk->sk_nx_info) { + err = ip_v4_find_src(sock_net(sk), + sk->sk_nx_info, &rt, &fl); + + if (err) + goto done; + } err = ip_route_output_flow(sock_net(sk), &rt, &fl, sk, 1); } if (err) @@ -980,7 +998,10 @@ static void raw_sock_seq_show(struct seq seq_printf(seq, "%4d: %08X:%04X %08X:%04X" " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n", - i, src, srcp, dest, destp, sp->sk_state, + i, + nx_map_sock_lback(current_nx_info(), src), srcp, + nx_map_sock_lback(current_nx_info(), dest), destp, + sp->sk_state, sk_wmem_alloc_get(sp), sk_rmem_alloc_get(sp), 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp), -- ./net/sctp/ipv6.c ++ ./net/sctp/ipv6.c @@ -306,7 +306,8 @@ static void sctp_v6_get_saddr(struct sct dst ? ip6_dst_idev(dst)->dev : NULL, &daddr->v6.sin6_addr, inet6_sk(&sk->inet.sk)->srcprefs, - &saddr->v6.sin6_addr); + &saddr->v6.sin6_addr, + asoc->base.sk->sk_nx_info); SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: %pI6\n", &saddr->v6.sin6_addr); return; -- ./fs/super.c ++ ./fs/super.c 
@@ -31,6 +31,9 @@ #include #include #include +#include +#include +#include #include "internal.h" @@ -964,6 +967,7 @@ struct vfsmount * vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void *data) { struct vfsmount *mnt; + struct super_block *sb; struct dentry *root; char *secdata = NULL; int error; @@ -971,6 +975,11 @@ vfs_kern_mount(struct file_system_type * if (!type) return ERR_PTR(-ENODEV); + error = -EPERM; + if ((type->fs_flags & FS_BINARY_MOUNTDATA) && + !vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT)) + goto out; + error = -ENOMEM; mnt = alloc_vfsmnt(name); if (!mnt) @@ -1002,12 +1011,20 @@ vfs_kern_mount(struct file_system_type * if (error < 0) goto out_free_secdata; } - BUG_ON(!mnt->mnt_sb); - WARN_ON(!mnt->mnt_sb->s_bdi); + + sb = mnt->mnt_sb; + BUG_ON(!sb); + WARN_ON(!sb->s_bdi); WARN_ON(mnt->mnt_sb->s_bdi == &default_backing_dev_info); mnt->mnt_sb->s_flags |= MS_BORN; - error = security_sb_kern_mount(mnt->mnt_sb, flags, secdata); + error = -EPERM; + if (!vx_capable(CAP_SYS_ADMIN, VXC_BINARY_MOUNT) && !sb->s_bdev && + (sb->s_magic != PROC_SUPER_MAGIC) && + (sb->s_magic != DEVPTS_SUPER_MAGIC)) + goto out_sb; + + error = security_sb_kern_mount(sb, flags, secdata); if (error) goto out_sb; -- ./fs/namei.c ++ ./fs/namei.c @@ -1130,7 +1224,7 @@ static int do_lookup(struct nameidata *n { struct vfsmount *mnt = nd->path.mnt; struct dentry *dentry, *parent = nd->path.dentry; - struct inode *dir; + struct inode *dir, *d_inode; int err; /* @@ -1191,6 +1285,13 @@ found: if (IS_ERR(dentry)) goto fail; } + + d_inode = dentry->d_inode; + if (!d_inode) + goto done; + + if (__dx_permission(d_inode, MAY_ACCESS)) + goto hidden; done: path->mnt = mnt; path->dentry = dentry; 
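Review bot: The second `VXC_BINARY_MOUNT` check in vfs_kern_mount runs after `type->get_sb` has already produced the superblock, so a context that is ultimately refused appears to have executed the filesystem's mount-time code before being unwound through `out_sb`; the magic-number test cannot move earlier, but a comment should say this is a post-mount policy gate, e.g. `/* non-privileged contexts may only keep block-backed, proc and devpts mounts; anything else is torn down after get_sb */`, and it is worth confirming that `out_sb` fully releases a superblock on which `MS_BORN` was just set. The hunk introduces `sb` yet leaves `WARN_ON(mnt->mnt_sb->s_bdi == &default_backing_dev_info)` and `mnt->mnt_sb->s_flags |= MS_BORN` on the old spelling; use `sb` there as well. Keying the allow-list on `s_magic` is fail-closed, which is the right default, so any pseudo-filesystem a context later needs must be added explicitly.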
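Review bot: The `__dx_permission(d_inode, MAY_ACCESS)` check in do_lookup sits only on the path that falls into `done:`; if this tree's do_lookup also has a branch that assigns `path->dentry` and returns before reaching `done:` (the earlier part of the function is outside the hunk), a hidden inode would be handed back unchecked on that branch, so every return of a found dentry should be confirmed to pass through this check. The `hidden:` target in the following hunk does `dput(dentry)` and returns -ENOENT, which is correct only if every route into it holds a reference on dentry; that holds for the `__d_lookup`/`do_revalidate` path shown here and should be verified for any other. A one-line comment at the new test, `/* context visibility check: hidden inodes are reported as missing */`, would make the intent clear on the lookup fast path.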
@@ -1202,6 +1303,18 @@ done: *inode = path->dentry->d_inode; return 0; +hidden: +#ifndef CONFIG_VSERVER_WARN_DEVPTS + if (d_inode->i_sb->s_magic != DEVPTS_SUPER_MAGIC) +#endif + vxwprintk_task(1, + "did lookup hidden %s:%p[#%d,%lu] " VS_Q("%s/%.*s") ".", + d_inode->i_sb->s_id, d_inode, d_inode->i_tag, d_inode->i_ino, + vxd_path(&nd->path), name->len, name->name); + + dput(dentry); + return -ENOENT; + need_lookup: dir = parent->d_inode; BUG_ON(nd->inode != dir); @@ -2063,7 +2185,8 @@ static int open_will_truncate(int flag, } static struct file *finish_open(struct nameidata *nd, - int open_flag, int acc_mode) + int open_flag, int acc_mode, + const char *pathname) { struct file *filp; int will_truncate; @@ -2076,6 +2199,23 @@ static struct file *finish_open(struct n goto exit; } error = may_open(&nd->path, acc_mode, open_flag); +#ifdef CONFIG_VSERVER_COWBL + if (error == -EMLINK) { + struct dentry *dentry; + dentry = cow_break_link(pathname); + if (IS_ERR(dentry)) { + error = PTR_ERR(dentry); + goto exit_cow; + } + dput(dentry); + if (will_truncate) + mnt_drop_write(nd->path.mnt); + release_open_intent(nd); + path_put(&nd->path); + return ERR_PTR(-EMLINK); + } +exit_cow: +#endif if (error) { if (will_truncate) mnt_drop_write(nd->path.mnt); @@ -2223,7 +2363,7 @@ static struct file *do_last(struct namei if (S_ISDIR(nd->inode->i_mode)) goto exit; ok: - filp = finish_open(nd, open_flag, acc_mode); + filp = finish_open(nd, open_flag, acc_mode, pathname); return filp; exit_mutex_unlock: @@ -2250,7 +2390,12 @@ struct file *do_filp_open(int dfd, const int count = 0; int flag = open_to_namei_flags(open_flag); int flags; +#ifdef CONFIG_VSERVER_COWBL + int rflag = flag; + int rmode = mode; +restart: +#endif if (!(open_flag & O_CREAT)) mode = 0; 
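Review bot: `cow_break_link(pathname)` re-resolves the user-supplied path string instead of operating on `nd->path`, which has already been walked and taken through `may_open` up to the -EMLINK result; between the two lookups a component can be re-pointed by another task (rename or symlink swap), so the link that gets broken need not be the object `nd` refers to, and the restart in do_filp_open then opens whatever the path resolves to at that moment. If the helper can take a path, pass `&nd->path` (or its dentry) into it; failing that, compare the returned dentry's inode with `nd->path.dentry->d_inode` before returning -EMLINK to trigger the restart. The success branch also spells out the `mnt_drop_write`/`release_open_intent`/`path_put` sequence that the generic `if (error)` cleanup below `exit_cow:` already performs, so a flag plus the shared cleanup would avoid the duplication. finish_open continues past the end of the hunk.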
@@ -2316,7 +2461,7 @@ struct file *do_filp_open(int dfd, const goto out_path2; } audit_inode(pathname, nd.path.dentry); - filp = finish_open(&nd, open_flag, acc_mode); + filp = finish_open(&nd, open_flag, acc_mode, pathname); out2: release_open_intent(&nd); return filp; @@ -2358,6 +2503,13 @@ reval: */ nd.flags = flags; filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); +#ifdef CONFIG_VSERVER_COWBL + if (unlikely(IS_ERR(filp) && PTR_ERR(filp) == -EMLINK)) { + flag = rflag; + mode = rmode; + goto restart; + } +#endif while (unlikely(!filp)) { /* trailing symlink */ struct path link = path; struct inode *linki = link.dentry->d_inode; @@ -2392,6 +2544,13 @@ reval: } nd.flags &= ~LOOKUP_PARENT; filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); +#ifdef CONFIG_VSERVER_COWBL + if (unlikely(IS_ERR(filp) && PTR_ERR(filp) == -EMLINK)) { + flag = rflag; + mode = rmode; + goto restart; + } +#endif if (linki->i_op->put_link) linki->i_op->put_link(link.dentry, &nd, cookie); path_put(&link); @@ -2490,9 +2649,17 @@ int vfs_mknod(struct inode *dir, struct if (error) return error; - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD)) + if (!(S_ISCHR(mode) || S_ISBLK(mode))) + goto okay; + + if (!capable(CAP_MKNOD)) return -EPERM; + if (S_ISCHR(mode) && !vs_chrdev_perm(dev, DATTR_CREATE)) + return -EPERM; + if (S_ISBLK(mode) && !vs_blkdev_perm(dev, DATTR_CREATE)) + return -EPERM; +okay: if (!dir->i_op->mknod) return -EPERM;
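Review bot: The restart after -EMLINK is unbounded: if `cow_break_link` succeeds but the re-walked open yields -EMLINK again (another task breaking the same link, or a path that keeps resolving to a not-yet-broken object), do_filp_open spins indefinitely, and the identical block is repeated in the trailing-symlink hunk below. Restoring `flag` and `mode` is also not obviously sufficient, since `goto restart` replays the whole walk and any other state derived earlier in the function (the existing `count` for symlink loops, for one) needs re-initialising too. Bound the retry with a counter before the jump, e.g. `if (++cow_retries > COW_RETRY_LIMIT) return ERR_PTR(-ELOOP);` (constructed names; the limit belongs next to the other namei limits and the errno should match what open callers expect), and collapse the two copies into a single target.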