kernel-5.15/0003-security-altha-altha_lsm.c-build-fixed-with-kernel-5.patch

From d89442861500242809d99c9e178b0ed1dd741b28 Mon Sep 17 00:00:00 2001
From: Kernel Bot <kernelbot@altlinux.org>
Date: Mon, 24 Aug 2020 17:16:53 +0300
Subject: [PATCH 3/4] security/altha/altha_lsm.c: build fixed with kernel 5.8

---
 security/altha/altha_lsm.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 7d1cc8f8a1a7..41f0fc7ac8e5 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -216,6 +216,15 @@ struct altha_readdir_callback {
 	int found;
 };
 
+int compare_paths(const struct path *path1, const struct path *path2)
+{
+	char a1[PATH_MAX];
+	char a2[PATH_MAX];
+	char* p1, *p2;
+	p1=d_path(path1,a1,PATH_MAX);
+        p2=d_path(path2,a2,PATH_MAX);
+	return strcmp(p1,p2);
+}
 
 int is_olock_dir(struct inode *inode)
 {
@@ -233,14 +242,14 @@ int is_olock_dir(struct inode *inode)
 }
 
 /* Hooks */
-static int altha_bprm_set_creds(struct linux_binprm *bprm)
+static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi)
 {
 	struct altha_list_struct *node;
 	/* when it's not a shebang issued script interpreter */
-	if (rstrscript_enabled && !bprm->called_set_creds) {
+	if (rstrscript_enabled && bprm->filename == bprm->interp) {
 		down_read(&interpreters_sem);
 		list_for_each_entry(node, &interpreters_list, list) {
-			if (path_equal(&bprm->file->f_path, &node->path)) {
+			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 				uid_t cur_uid = from_kuid(bprm->cred->user_ns,
 							  bprm->cred->uid);
 				pr_notice_ratelimited
@@ -257,7 +266,7 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
 		uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);
 		down_read(&nosuid_exceptions_sem);
 		list_for_each_entry(node, &nosuid_exceptions_list, list) {
-			if (path_equal(&bprm->file->f_path, &node->path)) {
+			if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
 				pr_notice_ratelimited
 				    ("AltHa/NoSUID: %s permitted to setuid from %d\n",
 				     bprm->filename, cur_uid);
@@ -291,7 +300,7 @@ static int altha_inode_unlink(struct inode *inode, struct dentry *dentry)
 /* Initialization */
 
 static struct security_hook_list altha_hooks[] = {
-	LSM_HOOK_INIT(bprm_set_creds, altha_bprm_set_creds),
+	LSM_HOOK_INIT(bprm_creds_from_file, altha_bprm_creds_from_file),
 	LSM_HOOK_INIT(inode_unlink, altha_inode_unlink),
 };
 
-- 
2.25.1
Update from 5.4 to 5.10.1 - rediffed most of patches, renamed files to easify further rediffs by git format-patch - thanks to abf.io/kernels_stable for some patches for kernel 5.9 - using unofficial patch for AUFS for kernel 5.10, there may be issues with stability, try to avoid using AUFS (I would have dropped it, but MagOS wants it very much) - pulled updates of AltHa from http://git.altlinux.org/gears/k/kernel-image-un-def.git?p=kernel-image-un-def.git;a=history;f=security/altha;hb=HEAD - dropped patch adding sysctl to disable disk-based swap because it has not found any usage - bpf is now in the list of LSM modules (ability to write LSM modules as BPF programs), enable it, it is potentially useful and does not seem to be harmful - keeping kernel libc headers in older kernels for now - dropped building external virtualbox guest modules because they are now included into the mainline kernel - offed building VirtualBox host modules, I do not know how to keep these binary modules in sync with userspace part of VirtualBox, users can continue using dkms - offed building kernel-shredder because it is not buildable on kernel 5.10 - updated rtl8821ce and added a dependency from its "blacklist" subpackage here (see https://github.com/tomaspinho/rtl8821ce/commit/14b536f0) It is not clear if kernel 5.10 will receive an LTS support longer than 5.4 or not. Support until Dec, 2022 is declared right now at https://www.kernel.org/category/releases.html for 5.10 and until Dec, 2025 - for 5.4. TODO: update kernel configs TODO: solve problems with version of virtualbox host modules not matching version of the virtualbox package after virtualbox is updated but kernel is not rebuilt 2020-12-20 18:49:24 +03:00			`From d89442861500242809d99c9e178b0ed1dd741b28 Mon Sep 17 00:00:00 2001`
			`From: Kernel Bot <kernelbot@altlinux.org>`
			`Date: Mon, 24 Aug 2020 17:16:53 +0300`
			`Subject: [PATCH 3/4] security/altha/altha_lsm.c: build fixed with kernel 5.8`

			`---`
			`security/altha/altha_lsm.c \| 19 ++++++++++++++-----`
			`1 file changed, 14 insertions(+), 5 deletions(-)`

			`diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c`
			`index 7d1cc8f8a1a7..41f0fc7ac8e5 100644`
			`--- a/security/altha/altha_lsm.c`
			`+++ b/security/altha/altha_lsm.c`
			`@@ -216,6 +216,15 @@ struct altha_readdir_callback {`
			`int found;`
			`};`

			`+int compare_paths(const struct path path1, const struct path path2)`
			`+{`
			`+ char a1[PATH_MAX];`
			`+ char a2[PATH_MAX];`
			`+ char* p1, *p2;`
			`+ p1=d_path(path1,a1,PATH_MAX);`
			`+ p2=d_path(path2,a2,PATH_MAX);`
			`+ return strcmp(p1,p2);`
			`+}`

			`int is_olock_dir(struct inode *inode)`
			`{`
			`@@ -233,14 +242,14 @@ int is_olock_dir(struct inode *inode)`
			`}`

			`/* Hooks */`
			`-static int altha_bprm_set_creds(struct linux_binprm *bprm)`
			`+static int altha_bprm_creds_from_file(struct linux_binprm bprm, struct file fi)`
			`{`
			`struct altha_list_struct *node;`
			`/* when it's not a shebang issued script interpreter */`
			`- if (rstrscript_enabled && !bprm->called_set_creds) {`
			`+ if (rstrscript_enabled && bprm->filename == bprm->interp) {`
			`down_read(&interpreters_sem);`
			`list_for_each_entry(node, &interpreters_list, list) {`
			`- if (path_equal(&bprm->file->f_path, &node->path)) {`
			`+ if (compare_paths(&bprm->file->f_path, &node->path) == 0) {`
			`uid_t cur_uid = from_kuid(bprm->cred->user_ns,`
			`bprm->cred->uid);`
			`pr_notice_ratelimited`
			`@@ -257,7 +266,7 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)`
			`uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);`
			`down_read(&nosuid_exceptions_sem);`
			`list_for_each_entry(node, &nosuid_exceptions_list, list) {`
			`- if (path_equal(&bprm->file->f_path, &node->path)) {`
			`+ if (compare_paths(&bprm->file->f_path, &node->path) == 0) {`
			`pr_notice_ratelimited`
			`("AltHa/NoSUID: %s permitted to setuid from %d\n",`
			`bprm->filename, cur_uid);`
			`@@ -291,7 +300,7 @@ static int altha_inode_unlink(struct inode inode, struct dentry dentry)`
			`/* Initialization */`

			`static struct security_hook_list altha_hooks[] = {`
			`- LSM_HOOK_INIT(bprm_set_creds, altha_bprm_set_creds),`
			`+ LSM_HOOK_INIT(bprm_creds_from_file, altha_bprm_creds_from_file),`
			`LSM_HOOK_INIT(inode_unlink, altha_inode_unlink),`
			`};`

			`--`
			`2.25.1`