diff options
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/cred.c | 4 | ||||
| -rw-r--r-- | kernel/exit.c | 1 | ||||
| -rw-r--r-- | kernel/module.c | 7 | ||||
| -rw-r--r-- | kernel/ptrace.c | 9 | ||||
| -rw-r--r-- | kernel/signal.c | 11 | ||||
| -rw-r--r-- | kernel/sysctl.c | 14 | 
6 files changed, 33 insertions, 13 deletions
| diff --git a/kernel/cred.c b/kernel/cred.c index 3a039189d70..1bb4d7e5d61 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -167,7 +167,7 @@ EXPORT_SYMBOL(prepare_creds);  /*   * Prepare credentials for current to perform an execve() - * - The caller must hold current->cred_exec_mutex + * - The caller must hold current->cred_guard_mutex   */  struct cred *prepare_exec_creds(void)  { @@ -276,7 +276,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)  	struct cred *new;  	int ret; -	mutex_init(&p->cred_exec_mutex); +	mutex_init(&p->cred_guard_mutex);  	if (  #ifdef CONFIG_KEYS diff --git a/kernel/exit.c b/kernel/exit.c index cab535c427b..51d1fe3fb7a 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -1472,6 +1472,7 @@ static int wait_consider_task(struct task_struct *parent, int ptrace,  		 */  		if (*notask_error)  			*notask_error = ret; +		return 0;  	}  	if (likely(!ptrace) && unlikely(p->ptrace)) { diff --git a/kernel/module.c b/kernel/module.c index 2383e60fcf3..278e9b6762b 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -73,6 +73,9 @@ DEFINE_MUTEX(module_mutex);  EXPORT_SYMBOL_GPL(module_mutex);  static LIST_HEAD(modules); +/* Block module loading/unloading? */ +int modules_disabled = 0; +  /* Waiting for a module to finish initializing? */  static DECLARE_WAIT_QUEUE_HEAD(module_wq); @@ -778,7 +781,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,  	char name[MODULE_NAME_LEN];  	int ret, forced = 0; -	if (!capable(CAP_SYS_MODULE)) +	if (!capable(CAP_SYS_MODULE) || modules_disabled)  		return -EPERM;  	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) @@ -2338,7 +2341,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,  	int ret = 0;  	/* Must have permission */ -	if (!capable(CAP_SYS_MODULE)) +	if (!capable(CAP_SYS_MODULE) || modules_disabled)  		return -EPERM;  	/* Only one module load at a time, please */ diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 2442d140bd9..f6d8b8cb5e3 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -175,10 +175,11 @@ int ptrace_attach(struct task_struct *task)  	if (same_thread_group(task, current))  		goto out; -	/* Protect exec's credential calculations against our interference; -	 * SUID, SGID and LSM creds get determined differently under ptrace. +	/* Protect the target's credential calculations against our +	 * interference; SUID, SGID and LSM creds get determined differently +	 * under ptrace.  	 */ -	retval = mutex_lock_interruptible(&task->cred_exec_mutex); +	retval = mutex_lock_interruptible(&task->cred_guard_mutex);  	if (retval  < 0)  		goto out; @@ -222,7 +223,7 @@ repeat:  bad:  	write_unlock_irqrestore(&tasklist_lock, flags);  	task_unlock(task); -	mutex_unlock(&task->cred_exec_mutex); +	mutex_unlock(&task->cred_guard_mutex);  out:  	return retval;  } diff --git a/kernel/signal.c b/kernel/signal.c index dba6ae99978..809a228019a 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -247,14 +247,19 @@ void flush_sigqueue(struct sigpending *queue)  /*   * Flush all pending signals for a task.   */ +void __flush_signals(struct task_struct *t) +{ +	clear_tsk_thread_flag(t, TIF_SIGPENDING); +	flush_sigqueue(&t->pending); +	flush_sigqueue(&t->signal->shared_pending); +} +  void flush_signals(struct task_struct *t)  {  	unsigned long flags;  	spin_lock_irqsave(&t->sighand->siglock, flags); -	clear_tsk_thread_flag(t, TIF_SIGPENDING); -	flush_sigqueue(&t->pending); -	flush_sigqueue(&t->signal->shared_pending); +	__flush_signals(t);  	spin_unlock_irqrestore(&t->sighand->siglock, flags);  } diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 6a463716ecb..944ba03cae1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -114,6 +114,7 @@ static int ngroups_max = NGROUPS_MAX;  #ifdef CONFIG_MODULES  extern char modprobe_path[]; +extern int modules_disabled;  #endif  #ifdef CONFIG_CHR_DEV_SG  extern int sg_big_buff; @@ -534,6 +535,17 @@ static struct ctl_table kern_table[] = {  		.proc_handler	= &proc_dostring,  		.strategy	= &sysctl_string,  	}, +	{ +		.ctl_name	= CTL_UNNUMBERED, +		.procname	= "modules_disabled", +		.data		= &modules_disabled, +		.maxlen		= sizeof(int), +		.mode		= 0644, +		/* only handle a transition from default "0" to "1" */ +		.proc_handler	= &proc_dointvec_minmax, +		.extra1		= &one, +		.extra2		= &one, +	},  #endif  #if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET)  	{ @@ -1233,7 +1245,6 @@ static struct ctl_table vm_table[] = {  		.strategy	= &sysctl_jiffies,  	},  #endif -#ifdef CONFIG_SECURITY  	{  		.ctl_name	= CTL_UNNUMBERED,  		.procname	= "mmap_min_addr", @@ -1242,7 +1253,6 @@ static struct ctl_table vm_table[] = {  		.mode		= 0644,  		.proc_handler	= &proc_doulongvec_minmax,  	}, -#endif  #ifdef CONFIG_NUMA  	{  		.ctl_name	= CTL_UNNUMBERED, | 
