import G965FXXU7DTAA OSRC

*First release for Android (Q).

Signed-off-by: FAROVITUS <farovitus@gmail.com>
FAROVITUS 2020-02-04 13:44:48 +02:00
parent 856452b4f2
commit 2b92eefa41
7696 changed files with 3763754 additions and 92661 deletions


@ -65,6 +65,14 @@
#include <asm/io.h>
#include <asm/unistd.h>
#ifdef CONFIG_SECURITY_DEFEX
#include <linux/defex.h>
#endif
#ifdef CONFIG_LOD_SEC
#include <linux/linux_on_dex.h>
#endif
#ifndef SET_UNALIGN_CTL
# define SET_UNALIGN_CTL(a, b) (-EINVAL)
#endif
@ -130,6 +138,55 @@ int fs_overflowgid = DEFAULT_FS_OVERFLOWUID;
EXPORT_SYMBOL(fs_overflowuid);
EXPORT_SYMBOL(fs_overflowgid);
#if defined CONFIG_SEC_RESTRICT_SETUID
int sec_check_execpath(struct mm_struct *mm, char *denypath);
#if defined CONFIG_SEC_RESTRICT_ROOTING_LOG
#define PRINT_LOG(...)printk(KERN_ERR __VA_ARGS__)
#else
#define PRINT_LOG(...)
#endif// End of CONFIG_SEC_RESTRICT_ROOTING_LOG
static int sec_restrict_uid(void)
{
int ret = 0;
struct task_struct *parent_tsk;
const struct cred *parent_cred;
read_lock(&tasklist_lock);
parent_tsk = current->parent;
if (!parent_tsk) {
read_unlock(&tasklist_lock);
return 0;
}
get_task_struct(parent_tsk);
/* holding on to the task struct is enough so just release
* the tasklist lock here */
read_unlock(&tasklist_lock);
parent_cred = get_task_cred(parent_tsk);
if (!parent_cred)
goto out;
if (parent_cred->euid.val == 0 || parent_tsk->pid == 1) {
ret = 0;
} else if (sec_check_execpath(current->mm, "/system/bin/pppd")) {
PRINT_LOG("VPN allowed to use root permission");
ret = 0;
} else {
PRINT_LOG("Restricted changing UID. PID = %d(%s) PPID = %d(%s)\n",
current->pid, current->comm,
parent_tsk->pid, parent_tsk->comm);
ret = 1;
}
put_cred(parent_cred);
out:
put_task_struct(parent_tsk);
return ret;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
/*
* Returns true if current's euid is same as p's uid or euid,
* or has CAP_SYS_NICE to p's user_ns.
@ -346,6 +403,23 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
if ((egid != (gid_t) -1) && !gid_valid(kegid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (krgid.val == 0 || kegid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!gid_is_LOD(krgid.val))
return -EACCES;
if (!gid_is_LOD(kegid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -399,6 +473,20 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
if (!gid_valid(kgid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kgid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!gid_is_LOD(kgid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -479,6 +567,23 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
if ((euid != (uid_t) -1) && !uid_valid(keuid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kruid.val == 0 || keuid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!uid_is_LOD(kruid.val))
return -EACCES;
if (!uid_is_LOD(keuid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -546,6 +651,20 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
if (!uid_valid(kuid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kuid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!uid_is_LOD(kuid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -602,6 +721,26 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
if ((suid != (uid_t) -1) && !uid_valid(ksuid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kruid.val == 0 || keuid.val == 0 || ksuid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!uid_is_LOD(kruid.val))
return -EACCES;
if (!uid_is_LOD(keuid.val))
return -EACCES;
if (!uid_is_LOD(ksuid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -687,6 +826,26 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
if ((sgid != (gid_t) -1) && !gid_valid(ksgid))
return -EINVAL;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (krgid.val == 0 || kegid.val == 0 || ksgid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!gid_is_LOD(krgid.val))
return -EACCES;
if (!gid_is_LOD(kegid.val))
return -EACCES;
if (!gid_is_LOD(ksgid.val))
return -EACCES;
}
#endif
new = prepare_creds();
if (!new)
return -ENOMEM;
@ -761,6 +920,25 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
if (!uid_valid(kuid))
return old_fsuid;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kuid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!uid_is_LOD(kuid.val))
return -EACCES;
}
#endif
#ifdef CONFIG_SECURITY_DEFEX
if (task_defex_enforce(current, NULL, -__NR_setfsuid))
return old_fsuid;
#endif
new = prepare_creds();
if (!new)
return old_fsuid;
@ -800,6 +978,25 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
if (!gid_valid(kgid))
return old_fsgid;
#if defined CONFIG_SEC_RESTRICT_SETUID
if (kgid.val == 0) {
if (sec_restrict_uid())
return -EACCES;
}
#endif // End of CONFIG_SEC_RESTRICT_SETUID
#ifdef CONFIG_LOD_SEC
if (current_is_LOD()) {
if (!gid_is_LOD(kgid.val))
return -EACCES;
}
#endif
#ifdef CONFIG_SECURITY_DEFEX
if (task_defex_enforce(current, NULL, -__NR_setfsgid))
return old_fsgid;
#endif
new = prepare_creds();
if (!new)
return old_fsgid;
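Review bot: In the setfsuid and setfsgid hunks the new CONFIG_SEC_RESTRICT_SETUID and CONFIG_LOD_SEC checks `return -EACCES;`, while every other exit visible there returns `old_fsuid` / `old_fsgid`, including the CONFIG_SECURITY_DEFEX check added directly below them. These two syscalls report the previous fsuid/fsgid rather than an error code, so a caller will read the negative value as an id; the denied paths should be `return old_fsuid;` and `return old_fsgid;` to match. Separately, sec_restrict_uid() bases its decision on `current->parent`, which is the tracer while the task is ptraced, so the policy presumably wants `current->real_parent`; its `if (!parent_cred)` branch also appears unreachable, since get_task_cred() is not expected to return NULL. Both syscall bodies continue outside their hunks.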