diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/Makefile DEVEL/linux-2.4.21-vs1.1.1/Makefile --- DEVEL/linux-2.4.21-vs1.1.0/Makefile Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/Makefile Mon Dec 1 16:17:45 2003 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 21 -EXTRAVERSION = -vs1.1.0 +EXTRAVERSION = -vs1.1.1 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/alpha/kernel/entry.S DEVEL/linux-2.4.21-vs1.1.1/arch/alpha/kernel/entry.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/alpha/kernel/entry.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/alpha/kernel/entry.S Mon Dec 1 16:17:45 2003 @@ -1044,7 +1044,7 @@ sys_call_table: .quad alpha_ni_syscall /* 270 */ .quad alpha_ni_syscall .quad alpha_ni_syscall - .quad sys_virtual_context /* 273 sys_virtual_context */ + .quad sys_vserver /* 273 sys_vserver */ .quad alpha_ni_syscall .quad alpha_ni_syscall /* 275 */ .quad alpha_ni_syscall diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/i386/kernel/entry.S DEVEL/linux-2.4.21-vs1.1.1/arch/i386/kernel/entry.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/i386/kernel/entry.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/i386/kernel/entry.S Mon Dec 1 16:17:45 2003 @@ -677,7 +677,7 @@ ENTRY(sys_call_table) .long SYMBOL_NAME(sys_ni_syscall) /* 270 */ .long SYMBOL_NAME(sys_ni_syscall) .long SYMBOL_NAME(sys_ni_syscall) - .long SYMBOL_NAME(sys_virtual_context) /* 273 sys_virtual_context */ + .long SYMBOL_NAME(sys_vserver) /* 273 sys_vserver */ .rept NR_syscalls-(.-sys_call_table)/4 .long SYMBOL_NAME(sys_ni_syscall) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/i386/kernel/ptrace.c DEVEL/linux-2.4.21-vs1.1.1/arch/i386/kernel/ptrace.c --- DEVEL/linux-2.4.21-vs1.1.0/arch/i386/kernel/ptrace.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/i386/kernel/ptrace.c Mon Dec 1 16:17:45 2003 @@ -13,6 +13,7 @@ #include #include #include +#include #include #include 
@@ -170,7 +171,7 @@ asmlinkage int sys_ptrace(long request, if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/ppc/kernel/misc.S DEVEL/linux-2.4.21-vs1.1.1/arch/ppc/kernel/misc.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/ppc/kernel/misc.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/ppc/kernel/misc.S Mon Dec 1 16:17:45 2003 @@ -1226,7 +1226,7 @@ _GLOBAL(sys_call_table) .long sys_ni_syscall /* 270 */ .long sys_ni_syscall .long sys_ni_syscall - .long sys_virtual_context /* 273 sys_virtual_context */ + .long sys_vserver /* 273 sys_vserver */ .rept NR_syscalls-(.-sys_call_table)/4 .long sys_ni_syscall diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/ppc/kernel/ptrace.c DEVEL/linux-2.4.21-vs1.1.1/arch/ppc/kernel/ptrace.c --- DEVEL/linux-2.4.21-vs1.1.0/arch/ppc/kernel/ptrace.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/ppc/kernel/ptrace.c Mon Dec 1 16:17:45 2003 @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -175,7 +176,7 @@ int sys_ptrace(long request, long pid, l if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/ppc64/kernel/misc.S DEVEL/linux-2.4.21-vs1.1.1/arch/ppc64/kernel/misc.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/ppc64/kernel/misc.S Fri Jun 13 16:51:31 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/ppc64/kernel/misc.S Mon Dec 1 16:17:45 2003 
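Review bot: The new `vx_check(child->vx_id, VX_WATCH|VX_IDENT)` test in i386 sys_ptrace widens who may attach: the old condition only allowed same-context tracing, while VX_WATCH now lets any task in context 1 ptrace, and therefore read and write registers and memory of, a task in any other context. If context 1 is meant to be an observer, the check here should be `VX_IDENT` only, or WATCH should be accepted just for read-type requests; if the widening is intended, say so in a comment beside the check, since the `-EPERM` uid test that follows is the only remaining barrier. The same change is made in arch/ppc/kernel/ptrace.c on this line, in arch/ppc64/kernel/ptrace.c (which previously had no context test at all, so that part is a fix) and in arch/sparc64/kernel/do_ptrace. The enclosing sys_ptrace body starts and ends outside the hunk.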
@@ -717,8 +717,75 @@ _GLOBAL(sys_call_table32) .llong .sys_madvise /* 205 */ .llong .sys_mincore /* 206 */ .llong .sys_gettid /* 207 */ - .rept NR_syscalls-208 - .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 210 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 215 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 220 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 225 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 230 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 235 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 240 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 245 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 250 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 255 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 260 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 265 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 270 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_vserver /* 273 sys_vserver */ + + .rept 
NR_syscalls-273 + .llong .sys_ni_syscall .endr #endif .balign 8 
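Review bot: The replacement `.rept NR_syscalls-273` in sys_call_table32 is off by one: the table now lists slots 0..273 explicitly (274 entries), so the filler must be `.rept NR_syscalls-274` to keep the table at exactly NR_syscalls entries, as the old `.rept NR_syscalls-208` did after 208 explicit slots. The same expression is used in the second hunk for sys_call_table. The hunk also assumes NR_syscalls is at least 274; its value is not visible in this diff (the ppc64 unistd.h hunk only adds `__NR_vserver`), and if it is smaller the `.rept` count goes negative and the entry path's bound check would never dispatch to slot 273. The `#ifdef` block enclosing sys_call_table32 starts outside the hunk.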
@@ -931,6 +998,73 @@ _GLOBAL(sys_call_table) .llong .sys_madvise /* 205 */ .llong .sys_mincore /* 206 */ .llong .sys_gettid /* 207 */ - .rept NR_syscalls-208 + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 210 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 215 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 220 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 225 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 230 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 235 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 240 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 245 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 250 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 255 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 260 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 265 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 270 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_vserver /* 273 sys_vserver */ + + .rept NR_syscalls-273 .llong 
.sys_ni_syscall .endr diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/ppc64/kernel/ptrace.c DEVEL/linux-2.4.21-vs1.1.1/arch/ppc64/kernel/ptrace.c --- DEVEL/linux-2.4.21-vs1.1.0/arch/ppc64/kernel/ptrace.c Fri Jun 13 16:51:32 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/ppc64/kernel/ptrace.c Mon Dec 1 16:17:45 2003 @@ -25,6 +25,7 @@ #include #include #include +#include #include #include @@ -115,7 +116,7 @@ int sys_ptrace(long request, long pid, l if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/sparc/kernel/systbls.S DEVEL/linux-2.4.21-vs1.1.1/arch/sparc/kernel/systbls.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/sparc/kernel/systbls.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/sparc/kernel/systbls.S Mon Dec 1 16:17:45 2003 @@ -73,7 +73,7 @@ sys_call_table: /*255*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*260*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*265*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_virtual_context, sys_nis_syscall +/*270*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall #ifdef CONFIG_SUNOS_EMUL /* Now the SunOS syscall table. */ diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/sparc64/kernel/ptrace.c DEVEL/linux-2.4.21-vs1.1.1/arch/sparc64/kernel/ptrace.c --- DEVEL/linux-2.4.21-vs1.1.0/arch/sparc64/kernel/ptrace.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/sparc64/kernel/ptrace.c Mon Dec 1 16:17:45 2003 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include 
@@ -156,7 +157,7 @@ asmlinkage void do_ptrace(struct pt_regs get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) { + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) { pt_error_return(regs, ESRCH); goto out; } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/sparc64/kernel/systbls.S DEVEL/linux-2.4.21-vs1.1.1/arch/sparc64/kernel/systbls.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/sparc64/kernel/systbls.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/sparc64/kernel/systbls.S Mon Dec 1 16:17:45 2003 @@ -73,7 +73,7 @@ sys_call_table32: .word sys_aplib, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*260*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_virtual_context, sys_nis_syscall +/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall /* Now the 64-bit native Linux syscall table. */ 
@@ -135,7 +135,7 @@ sys_call_table: .word sys_aplib, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*260*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_virtual_context, sys_nis_syscall +/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall #if defined(CONFIG_SUNOS_EMUL) || defined(CONFIG_SOLARIS_EMUL) || \ defined(CONFIG_SOLARIS_EMUL_MODULE) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/x86_64/ia32/ia32entry.S DEVEL/linux-2.4.21-vs1.1.1/arch/x86_64/ia32/ia32entry.S --- DEVEL/linux-2.4.21-vs1.1.0/arch/x86_64/ia32/ia32entry.S Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/x86_64/ia32/ia32entry.S Mon Dec 1 16:17:45 2003 @@ -402,7 +402,7 @@ ia32_sys_call_table: .quad quiet_ni_syscall /* 270 */ .quad quiet_ni_syscall .quad quiet_ni_syscall - .quad sys_virtual_context /* 273 sys_virtual_context */ + .quad sys_vserver /* 273 sys_vserver */ ia32_syscall_end: .rept IA32_NR_syscalls-(ia32_syscall_end-ia32_sys_call_table)/8 diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/arch/x86_64/kernel/sys_x86_64.c DEVEL/linux-2.4.21-vs1.1.1/arch/x86_64/kernel/sys_x86_64.c --- DEVEL/linux-2.4.21-vs1.1.0/arch/x86_64/kernel/sys_x86_64.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/arch/x86_64/kernel/sys_x86_64.c Mon Dec 1 16:17:45 2003 @@ -15,6 +15,7 @@ #include #include #include +#include #include #include diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/fs/devpts/inode.c DEVEL/linux-2.4.21-vs1.1.1/fs/devpts/inode.c --- DEVEL/linux-2.4.21-vs1.1.0/fs/devpts/inode.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/fs/devpts/inode.c Mon Dec 1 16:17:45 2003 @@ -22,9 +22,9 @@ #include #include #include +#include #include #include -#include #include "devpts_i.h" 
@@ -184,7 +184,7 @@ static DECLARE_FSTYPE(devpts_fs_type, "d static int devpts_tty_permission(struct inode *inode, int mask) { int ret = -EACCES; - if (current->s_context == inode->u.devpts_i.s_context) + if (vx_check(inode->u.devpts_i.vx_id, VX_IDENT)) ret = vfs_permission(inode, mask); return ret; } @@ -211,7 +211,7 @@ void devpts_pty_new(int number, kdev_t d inode->i_uid = sbi->setuid ? sbi->uid : current->fsuid; inode->i_gid = sbi->setgid ? sbi->gid : current->fsgid; inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME; - inode->u.devpts_i.s_context = current->s_context; + inode->u.devpts_i.vx_id = current->vx_id; inode->i_op = &devpts_tty_inode_operations; init_special_inode(inode, S_IFCHR|sbi->mode, kdev_t_to_nr(device)); diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/fs/devpts/root.c DEVEL/linux-2.4.21-vs1.1.1/fs/devpts/root.c --- DEVEL/linux-2.4.21-vs1.1.0/fs/devpts/root.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/fs/devpts/root.c Mon Dec 1 16:17:45 2003 @@ -14,7 +14,7 @@ #include #include #include -#include +#include #include "devpts_i.h" static int devpts_root_readdir(struct file *,void *,filldir_t); @@ -66,8 +66,7 @@ static int devpts_root_readdir(struct fi while ( nr - 2 < sbi->max_ptys ) { int ptynr = nr - 2; struct inode *inode = sbi->inodes[ptynr]; - if (inode && (current->s_context == 1 - || inode->u.devpts_i.s_context == current->s_context)) { + if (inode && vx_check(inode->u.devpts_i.vx_id, VX_WATCH|VX_IDENT)) { genptsname(numbuf, ptynr); if ( filldir(dirent, numbuf, strlen(numbuf), nr, nr, DT_CHR) < 0 ) return 0; 
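Review bot: devpts_root_readdir now lists a pty to context 1 (`VX_WATCH|VX_IDENT`), but devpts_root_lookup in the next hunk and devpts_tty_permission above keep `VX_IDENT` only, so a context-1 process sees names in /dev/pts that it cannot look up or open. The old code had the same asymmetry, but the new flag vocabulary makes it easy to settle one way or the other: either drop VX_WATCH from the readdir check or add it to lookup and permission as well. If the asymmetry is deliberate, a one-line comment at the readdir check, `/* WATCH may list names but not open them (see lookup/permission) */`, would spare the next reader a detour.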
@@ -131,7 +130,7 @@ static struct dentry *devpts_root_lookup return NULL; inode = sbi->inodes[entry]; - if (inode && inode->u.devpts_i.s_context == current->s_context) + if (inode && vx_check(inode->u.devpts_i.vx_id, VX_IDENT)) atomic_inc(&inode->i_count); else inode = NULL; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/fs/namei.c DEVEL/linux-2.4.21-vs1.1.1/fs/namei.c --- DEVEL/linux-2.4.21-vs1.1.0/fs/namei.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/fs/namei.c Mon Dec 1 16:17:45 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -158,9 +159,9 @@ int vfs_permission(struct inode * inode, chmod 000 /vservers you fix the "escape from chroot" bug. */ - if ((mode & 0777) == 0 - && S_ISDIR(mode) - && current->s_context != 0) return -EACCES; + if ((mode & 0777) == 0 && S_ISDIR(mode) + && !vx_check(0, VX_ADMIN)) + return -EACCES; if (mask & MAY_WRITE) { /* * Nobody gets write access to a read-only fs. diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/fs/proc/array.c DEVEL/linux-2.4.21-vs1.1.1/fs/proc/array.c --- DEVEL/linux-2.4.21-vs1.1.0/fs/proc/array.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/fs/proc/array.c Mon Dec 1 16:17:45 2003 @@ -70,6 +70,7 @@ #include #include #include +#include #include #include @@ -301,9 +302,9 @@ int proc_pid_status(struct task_struct * buffer = task_cap(task, buffer); if (task->s_info) { int i; - buffer += sprintf (buffer,"s_context: %d [",task->s_context); + buffer += sprintf (buffer,"s_context: %d [", task->vx_id); for (i=0; is_info->s_context[i]; + short int ctx = task->s_info->vx_id[i]; if (ctx == 0) break; buffer += sprintf (buffer," %d",ctx); } 
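Review bot: In vfs_permission the first argument of `vx_check(0, VX_ADMIN)` is ignored, because no VX_ARG_MASK bit is set, yet the call reads as if context 0 were being compared against; a comment such as `/* ctx argument unused: only asks whether current is the host (admin) context */` would make the intent plain. Note that context 1 (VX_WATCH) still receives -EACCES here, as it did with `s_context != 0`, which matters for a watcher walking mode-000 directories. The rest of vfs_permission is outside the hunk.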
@@ -312,13 +313,13 @@ int proc_pid_status(struct task_struct * buffer += sprintf (buffer,"ctxticks: %d %ld %d\n" ,atomic_read(&task->s_info->ticks) ,task->counter - ,task->s_info->refcount); + ,atomic_read(&task->s_info->refcount)); buffer += sprintf (buffer,"ctxflags: %d\n" ,task->s_info->flags); buffer += sprintf (buffer,"initpid: %d\n" ,task->s_info->initpid); } else { - buffer += sprintf (buffer,"s_context: %d\n",task->s_context); + buffer += sprintf (buffer,"s_context: %d\n", task->vx_id); buffer += sprintf (buffer,"ctxticks: none\n"); buffer += sprintf (buffer,"ctxflags: none\n"); buffer += sprintf (buffer,"initpid: none\n"); diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/fs/proc/base.c DEVEL/linux-2.4.21-vs1.1.1/fs/proc/base.c --- DEVEL/linux-2.4.21-vs1.1.0/fs/proc/base.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/fs/proc/base.c Mon Dec 1 16:17:45 2003 @@ -25,6 +25,7 @@ #include #include #include +#include /* * For hysterical raisins we keep the same inumbers as in the old procfs. @@ -1026,8 +1027,7 @@ struct dentry *proc_pid_lookup(struct in if (!task) goto out; - if (pid != 1 && current->s_context != 1 - && task->s_context != current->s_context) { + if (pid != 1 && !vx_check(task->vx_id, VX_WATCH|VX_IDENT)) { free_task_struct(task); goto out; } 
@@ -1084,9 +1084,7 @@ static int get_pid_list(int index, unsig /* send any signal either */ /* A process with security context 1 can see all processes */ - if (pid != 1 - && current->s_context != 1 - && p->s_context != current->s_context) + if (pid != 1 && !vx_check(p->vx_id, VX_WATCH|VX_IDENT)) continue; /* We hide the fakeinit process since we show it as process 1 */ if (current->s_info && current->s_info->initpid == pid) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/asm-ppc64/unistd.h DEVEL/linux-2.4.21-vs1.1.1/include/asm-ppc64/unistd.h --- DEVEL/linux-2.4.21-vs1.1.0/include/asm-ppc64/unistd.h Fri Jun 13 16:51:38 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/asm-ppc64/unistd.h Mon Dec 1 16:17:45 2003 @@ -244,6 +244,7 @@ #define __NR_alloc_hugepages 232 #define __NR_free_hugepages 233 #define __NR_exit_group 234 +#define __NR_vserver 273 #define __NR(n) #n diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/asm-x86_64/unistd.h DEVEL/linux-2.4.21-vs1.1.1/include/asm-x86_64/unistd.h --- DEVEL/linux-2.4.21-vs1.1.0/include/asm-x86_64/unistd.h Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/asm-x86_64/unistd.h Mon Dec 1 16:17:45 2003 @@ -497,7 +497,7 @@ __SYSCALL(__NR_remap_file_pages, sys_ni_ __SYSCALL(__NR_getdents64, sys_getdents64) #define __NR_virtual_context 273 -__SYSCALL(__NR_virtual_context, sys_virtual_context) +__SYSCALL(__NR_virtual_context, sys_vserver) #define __NR_syscall_max __NR_virtual_context diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/linux/devpts_fs_info.h DEVEL/linux-2.4.21-vs1.1.1/include/linux/devpts_fs_info.h --- DEVEL/linux-2.4.21-vs1.1.0/include/linux/devpts_fs_info.h Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/linux/devpts_fs_info.h Mon Dec 1 16:17:45 2003 
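Review bot: Syscall number 273 is exported to userspace under two names: `__NR_vserver` in include/asm-ppc64/unistd.h and `__NR_virtual_context` in include/asm-x86_64/unistd.h, where this hunk only swaps the handler. Choosing one spelling, or adding `#define __NR_vserver __NR_virtual_context` on x86_64, keeps portable userspace from needing per-arch names for the same entry point.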
@@ -1,4 +1,4 @@ struct devpts_inode_info { - int s_context; + int vx_id; }; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/linux/sched.h DEVEL/linux-2.4.21-vs1.1.1/include/linux/sched.h --- DEVEL/linux-2.4.21-vs1.1.0/include/linux/sched.h Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/linux/sched.h Mon Dec 1 16:17:45 2003 @@ -26,7 +26,6 @@ extern unsigned long event; #include #include #include -#include struct exec_domain; @@ -271,7 +270,7 @@ struct user_struct { /* Hash table maintenance information */ struct user_struct *next, **pprev; uid_t uid; - int s_context; + int vx_id; }; #define get_current_user() ({ \ 
@@ -280,61 +279,8 @@ struct user_struct { __user; }) -/* - We may have a different domainname and nodename for each security - context. By default, a security context share the same as its - parent, potentially the information in system_utsname -*/ -#define S_CTX_INFO_LOCK 1 /* Can't request a new s_context */ -#define S_CTX_INFO_SCHED 2 /* All process in the s_context */ - /* Contribute to the schedular */ -#define S_CTX_INFO_NPROC 4 /* Limit number of processes in a context */ -#define S_CTX_INFO_PRIVATE 8 /* Noone can join this security context */ -#define S_CTX_INFO_INIT 16 /* This process wants to become the */ - /* logical process 1 of the security */ - /* context */ -#define S_CTX_INFO_HIDEINFO 32 /* Hide some information in /proc */ -#define S_CTX_INFO_ULIMIT 64 /* Use ulimit of the current process */ - /* to become the global limits */ - /* of the context */ - -#define NB_S_CONTEXT 16 - -struct context_info { - int refcount; - short int s_context[NB_S_CONTEXT];/* root is allowed to switch the current */ - /* security context using any in this table */ - unsigned long rlim[RLIM_NLIMITS]; /* Per context limit */ - atomic_t res[RLIM_NLIMITS]; /* Current value */ - struct proc_dir_entry *procent; - char nodename[65]; - char domainname[65]; - int flags; /* S_CTX_INFO_xxx */ - atomic_t ticks; /* Number of ticks used by all process */ - /* in the s_context */ - int initpid; /* PID of the logical process 1 of the */ - /* of the context */ - void *data1; - void *data2; - void *data3; - void *data4; -}; - -struct iproot_info { - unsigned long mark; /* Special signature for debugging */ - atomic_t refcount; - int nbipv4; - __u32 ipv4[NB_IPV4ROOT];/* Process can only bind to these IPs */ - /* The first one is used to connect */ - /* and for bind any service */ - /* The other must be used explicity when */ - /* binding */ - __u32 mask[NB_IPV4ROOT];/* Netmask for each ipv4 */ - /* Used to select the proper source address */ - /* for sockets */ - __u32 v4_bcast; /* 
Broadcast address used to receive UDP packets */ -}; - +struct context_info; +struct iproot_info; extern struct user_struct root_user; #define INIT_USER (&root_user) @@ -463,8 +409,8 @@ struct task_struct { unsigned long sas_ss_sp; size_t sas_ss_size; int (*notifier)(void *priv); - int s_context; /* Process can only deal with other processes */ - /* with the same s_context */ + int vx_id; /* Process can only deal with other processes */ + /* with the same vx_id */ __u32 cap_bset; /* Maximum capability of this process and children */ struct context_info *s_info; struct iproot_info *ip_info; @@ -1008,14 +954,6 @@ static inline char * d_path(struct dentr mntput(rootmnt); return res; } - -/* Manage the reference count of the context_info pointer */ -void sys_release_s_info (struct task_struct *); -void sys_assign_s_info (struct task_struct *); -void sys_alloc_s_info (void); -void sys_release_ip_info (struct iproot_info *); -void sys_assign_ip_info (struct iproot_info *); -void sys_alloc_ip_info (void); static inline int need_resched(void) { diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/linux/vcontext.h DEVEL/linux-2.4.21-vs1.1.1/include/linux/vcontext.h --- DEVEL/linux-2.4.21-vs1.1.0/include/linux/vcontext.h Thu Jan 1 01:00:00 1970 +++ DEVEL/linux-2.4.21-vs1.1.1/include/linux/vcontext.h Mon Dec 1 16:17:45 2003 
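Review bot: The comment beside the renamed `vx_id` field in task_struct, "Process can only deal with other processes with the same vx_id", is no longer accurate: every call site in this patch goes through vx_check(), which also admits context 0 (VX_ADMIN) and context 1 (VX_WATCH). Suggest `/* security context id; cross-context access is decided by vx_check() (see linux/vcontext.h) */`. The forward declarations `struct context_info;` and `struct iproot_info;` added earlier in this file mean any code dereferencing task->s_info or task->ip_info now has to include the new header, which the other hunks in this patch do.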
@@ -0,0 +1,107 @@ +#ifndef _VX_CONTEXT_H +#define _VX_CONTEXT_H + +#include + +/* + We may have a different domainname and nodename for each security + context. By default, a security context share the same as its + parent, potentially the information in system_utsname +*/ +#define VX_INFO_LOCK 1 /* Can't request a new vx_id */ +#define VX_INFO_SCHED 2 /* All process in the vx_id */ + /* Contribute to the schedular */ +#define VX_INFO_NPROC 4 /* Limit number of processes in a context */ +#define VX_INFO_PRIVATE 8 /* Noone can join this security context */ +#define VX_INFO_INIT 16 /* This process wants to become the */ + /* logical process 1 of the security */ + /* context */ +#define VX_INFO_HIDEINFO 32 /* Hide some information in /proc */ +#define VX_INFO_ULIMIT 64 /* Use ulimit of the current process */ + /* to become the global limits */ + /* of the context */ + +#define MAX_S_CONTEXT 65535 /* Arbitrary limit */ +#define MIN_D_CONTEXT 49152 /* dynamic contexts start here */ + +#define NB_S_CONTEXT 16 + +#define NB_IPV4ROOT 16 + +struct context_info { + atomic_t refcount; + short int vx_id[NB_S_CONTEXT];/* root is allowed to switch the current */ + /* security context using any in this table */ + unsigned long rlim[RLIM_NLIMITS]; /* Per context limit */ + atomic_t res[RLIM_NLIMITS]; /* Current value */ + struct proc_dir_entry *procent; + char nodename[65]; + char domainname[65]; + int flags; /* VX_INFO_xxx */ + atomic_t ticks; /* Number of ticks used by all process */ + /* in the vx_id */ + int initpid; /* PID of the logical process 1 of the */ + /* of the context */ + void *data1; + void *data2; + void *data3; + void *data4; +}; + +struct iproot_info { + unsigned long mark; /* Special signature for debugging */ + atomic_t refcount; + int nbipv4; + __u32 ipv4[NB_IPV4ROOT];/* Process can only bind to these IPs */ + /* The first one is used to connect */ + /* and for bind any service */ + /* The other must be used explicity when */ + /* binding */ + __u32 
mask[NB_IPV4ROOT];/* Netmask for each ipv4 */ + /* Used to select the proper source address */ + /* for sockets */ + __u32 v4_bcast; /* Broadcast address used to receive UDP packets */ +}; + + +#define VX_ADMIN 0x0001 +#define VX_WATCH 0x0002 + +#define VX_IDENT 0x0010 +#define VX_EQUIV 0x0020 +#define VX_PARENT 0x0040 +#define VX_CHILD 0x0080 + +#define VX_ARG_MASK 0x00F0 + +#include + +/* + * check current context for ADMIN/WATCH and + * optionally agains supplied argument + */ +static inline int vx_check(int ctx, unsigned int mode) +{ + int cctx = current->vx_id; + + if (mode & VX_ARG_MASK) { + if ((mode & VX_IDENT) && (ctx == cctx)) + return 1; + if ((mode & VX_EQUIV) && (ctx == cctx)) + return 1; + } + return (((mode & VX_ADMIN) && (cctx == 0)) || + ((mode & VX_WATCH) && (cctx == 1))); +} + + +void vx_assign_info(struct task_struct *); +void vx_release_info(struct task_struct *); + +void vx_assign_ip_info(struct iproot_info *); +void vx_release_ip_info(struct iproot_info *); + +int vc_new_s_context(uint32_t, void *); +int vc_set_ipv4root(uint32_t, void *); + +#endif diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/linux/virtual.h DEVEL/linux-2.4.21-vs1.1.1/include/linux/virtual.h --- DEVEL/linux-2.4.21-vs1.1.0/include/linux/virtual.h Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/linux/virtual.h Thu Jan 1 01:00:00 1970 
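Review bot: `short int vx_id[NB_S_CONTEXT]` in struct context_info cannot hold the ids this header itself permits: MAX_S_CONTEXT is 65535 and dynamic contexts start at MIN_D_CONTEXT 49152, both above SHRT_MAX, so such an id is stored sign-wrapped and never compares equal to the `int` task->vx_id; widen the array to `int` (and the `short int ctx` local in fs/proc/array.c that reads it) or lower MAX_S_CONTEXT. In vx_check() the VX_EQUIV branch tests exactly what VX_IDENT tests, and VX_PARENT/VX_CHILD belong to VX_ARG_MASK but are never examined, so a caller passing only those bits silently falls through to the ADMIN/WATCH test; implement them or leave them out of VX_ARG_MASK until they exist. The admin and watch contexts are hard-coded as 0 and 1 here and named nowhere; constants such as `#define VX_ADMIN_CTX 0` and `#define VX_WATCH_CTX 1` (constructed names) would document that and give the ptrace, proc and ipc callers something to reference. The comment above vx_check has a typo, "agains".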
@@ -1,88 +0,0 @@ -#ifndef _LINUX_VIRTUAL_H -#define _LINUX_VIRTUAL_H - -#include - -#define VC_CATEGORY(c) (((c) >> 24) & 0x3F) -#define VC_COMMAND(c) (((c) >> 16) & 0xFF) -#define VC_VERSION(c) ((c) & 0xFFF) - -#define VC_CMD(c,i,v) ((((VC_CAT_ ## c) & 0x3F) << 24) \ - | (((i) & 0xFF) << 16) | ((v) & 0xFFF)) - -/* - - Syscall Matrix V2.2 - - |VERSION|CREATE |MODIFY |MIGRATE|CONTROL|EXPERIM| |SPECIAL|SPECIAL| - |STATS |DESTROY|ALTER |CHANGE |LIMIT |TEST | | | | - |INFO |SETUP | |MOVE | | | | | | - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - SYSTEM |VERSION| | | | | | |DEVICES| | - HOST | 00| 01| 02| 03| 04| 05| | 06| 07| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - CPU | | | | | | | |SCHED. | | - PROCESS| 08| 09| 10| 11| 12| 13| | 14| 15| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - MEMORY | | | | | | | |SWAP | | - | 16| 17| 18| 19| 20| 21| | 22| 23| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - NETWORK| | | | | | | |SERIAL | | - | 24| 25| 26| 27| 28| 29| | 30| 31| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - DISK | | | | | | | | | | - VFS | 32| 33| 34| 35| 36| 37| | 38| 39| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - OTHER | | | | | | | | | | - | 40| 41| 42| 43| 44| 45| | 46| 47| - =======+=======+=======+=======+=======+=======+=======+ +=======+=======+ - SPECIAL| | | | | | | | | | - | 48| 49| 50| 51| 52| 53| | 54| 55| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - SPECIAL| | | | | |SYSCALL| | |COMPAT | - | 56| 57| 58| 59| 60|TEST 61| | 62| 63| - -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ - -*/ - -#define VC_CAT_VERSION 0 - -#define VC_CAT_SYSTEST 61 -#define VC_CAT_COMPAT 63 - -/* interface version */ - -#define VCI_VERSION 0x00010001 - - - -/* query version */ - -#define VCMD_get_version 
VC_CMD(VERSION, 0, 0) - - -/* compatibiliy vserver commands */ - -#define VCMD_new_s_context VC_CMD(COMPAT, 1, 1) -#define VCMD_set_ipv4root VC_CMD(COMPAT, 2, 3) - -/* compatibiliy vserver arguments */ - -struct vcmd_new_s_context_v1 { - uint32_t remove_cap; - uint32_t flags; -}; - -#define NB_IPV4ROOT 16 - -struct vcmd_set_ipv4root_v3 { - /* number of pairs in id */ - uint32_t broadcast; - struct { - uint32_t ip; - uint32_t mask; - } ip_mask_pair[NB_IPV4ROOT]; -}; - - -#endif /* _LINUX_VIRTUAL_H */ diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/linux/vswitch.h DEVEL/linux-2.4.21-vs1.1.1/include/linux/vswitch.h --- DEVEL/linux-2.4.21-vs1.1.0/include/linux/vswitch.h Thu Jan 1 01:00:00 1970 +++ DEVEL/linux-2.4.21-vs1.1.1/include/linux/vswitch.h Mon Dec 1 16:17:45 2003 
@@ -0,0 +1,122 @@ +#ifndef _LINUX_VIRTUAL_H +#define _LINUX_VIRTUAL_H + +#include +#include + +#define VC_CATEGORY(c) (((c) >> 24) & 0x3F) +#define VC_COMMAND(c) (((c) >> 16) & 0xFF) +#define VC_VERSION(c) ((c) & 0xFFF) + +#define VC_CMD(c,i,v) ((((VC_CAT_ ## c) & 0x3F) << 24) \ + | (((i) & 0xFF) << 16) | ((v) & 0xFFF)) + +/* + + Syscall Matrix V2.3 + + |VERSION|CREATE |MODIFY |MIGRATE|CONTROL|EXPERIM| |SPECIAL|SPECIAL| + |STATS |DESTROY|ALTER |CHANGE |LIMIT |TEST | | | | + |INFO |SETUP | |MOVE | | | | | | + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + SYSTEM |VERSION| | | | | | |DEVICES| | + HOST | 00| 01| 02| 03| 04| 05| | 06| 07| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + CPU | | | | | | | |SCHED. | | + PROCESS| 08| 09| 10| 11| 12| 13| | 14| 15| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + MEMORY | | | | | | | |SWAP | | + | 16| 17| 18| 19| 20| 21| | 22| 23| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + NETWORK| | | | | | | |SERIAL | | + | 24| 25| 26| 27| 28| 29| | 30| 31| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + DISK | | | | | | | | | | + VFS | 32| 33| 34| 35| 36| 37| | 38| 39| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + OTHER | | | | | | | | | | + | 40| 41| 42| 43| 44| 45| | 46| 47| + =======+=======+=======+=======+=======+=======+=======+ +=======+=======+ + SPECIAL| | | | | | | | | | + | 48| 49| 50| 51| 52| 53| | 54| 55| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + SPECIAL| | | | |RLIMIT |SYSCALL| | |COMPAT | + | 56| 57| 58| 59| 60|TEST 61| | 62| 63| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + +*/ + +#define VC_CAT_VERSION 0 + +#define VC_CAT_PROCTRL 12 + +#define VC_CAT_RLIMIT 60 + +#define VC_CAT_SYSTEST 61 +#define VC_CAT_COMPAT 63 + +/* interface version */ + +#define VCI_VERSION 
0x00010002 + + + +/* query version */ + +#define VCMD_get_version VC_CMD(VERSION, 0, 0) + + +/* compatibiliy vserver commands */ + +#define VCMD_new_s_context VC_CMD(COMPAT, 1, 1) +#define VCMD_set_ipv4root VC_CMD(COMPAT, 2, 3) + +/* compatibiliy vserver arguments */ + +struct vcmd_new_s_context_v1 { + uint32_t remove_cap; + uint32_t flags; +}; + +struct vcmd_set_ipv4root_v3 { + /* number of pairs in id */ + uint32_t broadcast; + struct { + uint32_t ip; + uint32_t mask; + } ip_mask_pair[NB_IPV4ROOT]; +}; + +/* context signalling */ + +#define VCMD_ctx_kill VC_CMD(PROCTRL, 1, 0) + +struct vcmd_ctx_kill_v0 { + int32_t pid; + int32_t signal; +}; + +/* rlimit vserver commands */ + +#define VCMD_get_rlimit VC_CMD(RLIMIT, 1, 0) +#define VCMD_set_rlimit VC_CMD(RLIMIT, 2, 0) +#define VCMD_get_rlimit_mask VC_CMD(RLIMIT, 3, 0) + +struct vcmd_ctx_rlimit_v0 { + uint32_t id; + uint64_t minimum; + uint64_t softlimit; + uint64_t maximum; +}; + +struct vcmd_ctx_rlimit_mask_v0 { + uint32_t minimum; + uint32_t softlimit; + uint32_t maximum; +}; + +#define CRLIM_INFINITY (~0ULL) +#define CRLIM_KEEP (~1ULL) + + +#endif /* _LINUX_VIRTUAL_H */ diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/net/ip.h DEVEL/linux-2.4.21-vs1.1.1/include/net/ip.h --- DEVEL/linux-2.4.21-vs1.1.0/include/net/ip.h Mon Nov 24 15:47:21 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/net/ip.h Mon Dec 1 16:17:45 2003 @@ -29,6 +29,7 @@ #include #include #include +#include #include #include diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/net/route.h DEVEL/linux-2.4.21-vs1.1.1/include/net/route.h --- DEVEL/linux-2.4.21-vs1.1.0/include/net/route.h Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/net/route.h Mon Dec 1 16:17:45 2003 
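Review bot: The new include/linux/vswitch.h keeps the guard `_LINUX_VIRTUAL_H` from the deleted virtual.h; rename it to `_LINUX_VSWITCH_H` so the guard matches the file and cannot collide with a stale copy of the old header. `struct vcmd_ctx_rlimit_v0` places three `uint64_t` members after a `uint32_t id`: on i386 the 64-bit members are 4-byte aligned (28-byte struct, `minimum` at offset 4) while on x86_64 they are 8-byte aligned (32 bytes, offset 8), and since arch/x86_64/ia32/ia32entry.S routes 32-bit callers to the same sys_vserver, a single copy_from_user of this struct would misread a 32-bit caller's data unless a compat wrapper exists elsewhere in the patch. A layout without implicit padding, for example `uint32_t id, pad;` ahead of the 64-bit fields, or an explicit compat path avoids that.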
@@ -198,7 +198,7 @@ static inline int ip_route_connect(struc if (i==n) return -EPERM; } - if (dst == 0x0100007f && current->s_context != 0) + if (dst == 0x0100007f && !vx_check(0, VX_ADMIN)) dst = ipv4root; } } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/net/sock.h DEVEL/linux-2.4.21-vs1.1.1/include/net/sock.h --- DEVEL/linux-2.4.21-vs1.1.0/include/net/sock.h Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/net/sock.h Mon Dec 1 16:17:45 2003 @@ -685,7 +685,7 @@ struct sock { void *user_data; /* Context of process creating this socket */ - int s_context; + int vx_id; /* Callbacks */ void (*state_change)(struct sock *sk); diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/include/net/tcp.h DEVEL/linux-2.4.21-vs1.1.1/include/net/tcp.h --- DEVEL/linux-2.4.21-vs1.1.0/include/net/tcp.h Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/include/net/tcp.h Mon Dec 1 16:17:45 2003 @@ -192,7 +192,7 @@ struct tcp_tw_bucket { struct in6_addr v6_daddr; struct in6_addr v6_rcv_saddr; #endif - int s_context; + int vx_id; }; extern kmem_cache_t *tcp_timewait_cachep; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/ipc/util.c DEVEL/linux-2.4.21-vs1.1.1/ipc/util.c --- DEVEL/linux-2.4.21-vs1.1.0/ipc/util.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/ipc/util.c Mon Dec 1 16:17:45 2003 @@ -93,7 +93,7 @@ int ipc_findkey(struct ipc_ids* ids, key struct kern_ipc_perm* p; for (id = 0; id <= ids->max_id; id++) { - if (ids->entries[id].s_context != current->s_context) + if (!vx_check(ids->entries[id].vx_id, VX_IDENT)) continue; p = ids->entries[id].p; if(p==NULL) 
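Review bot: The loopback rewrite on the new line keys on the single literal `0x0100007f`, so only that one address is redirected to `ipv4root` for a non-admin context and the literal is byte-order dependent; the same test appears in the udp_sendmsg hunk of net/ipv4/udp.c. The kernel's own helper covers the whole 127/8 block and is host-order safe: `if (LOOPBACK(dst) && !vx_check(0, VX_ADMIN))`, or at least give the constant a name. The semantics of `vx_check(0, VX_ADMIN)` are not shown in this diff; presumably it is true only in the host context, matching the old `current->s_context != 0`. ip_route_connect starts outside this hunk.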
@@ -169,7 +169,7 @@ found: spin_lock(&ids->ary); ids->entries[id].p = new; - ids->entries[id].s_context = current->s_context; + ids->entries[id].vx_id = current->vx_id; return id; } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/ipc/util.h DEVEL/linux-2.4.21-vs1.1.1/ipc/util.h --- DEVEL/linux-2.4.21-vs1.1.0/ipc/util.h Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/ipc/util.h Mon Dec 1 16:17:45 2003 @@ -5,6 +5,8 @@ * ipc helper functions (c) 1999 Manfred Spraul */ +#include + #define USHRT_MAX 0xffff #define SEQ_MULTIPLIER (IPCMNI) @@ -25,7 +27,7 @@ struct ipc_ids { struct ipc_id { struct kern_ipc_perm* p; - int s_context; // Context owning this ID + int vx_id; // Context owning this ID }; @@ -75,9 +77,8 @@ extern inline struct kern_ipc_perm* ipc_ spin_lock(&ids->ary); out = ids->entries[lid].p; - if (out==NULL - || (ids->entries[lid].s_context != current->s_context - && current->s_context != 1)) { + if (out==NULL || + !vx_check(ids->entries[lid].vx_id, VX_WATCH|VX_IDENT)) { spin_unlock(&ids->ary); out = NULL; } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/Makefile DEVEL/linux-2.4.21-vs1.1.1/kernel/Makefile --- DEVEL/linux-2.4.21-vs1.1.0/kernel/Makefile Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/Makefile Mon Dec 1 16:17:45 2003 @@ -14,7 +14,7 @@ export-objs = signal.o sys.o kmod.o cont obj-y = sched.o dma.o fork.o exec_domain.o panic.o printk.o \ module.o exit.o itimer.o info.o time.o softirq.o resource.o \ sysctl.o acct.o capability.o ptrace.o timer.o user.o \ - signal.o sys.o kmod.o context.o virtual.o + signal.o sys.o kmod.o context.o vswitch.o vcontext.o obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += ksyms.o diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/exit.c DEVEL/linux-2.4.21-vs1.1.1/kernel/exit.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/exit.c Mon Dec 1 16:17:35 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/exit.c Mon Dec 1 16:17:45 2003 
@@ -16,6 +16,7 @@ #ifdef CONFIG_BSD_PROCESS_ACCT #include #endif +#include #include #include @@ -66,8 +67,8 @@ static void release_task(struct task_str current->counter += p->counter; if (current->counter >= MAX_COUNTER) current->counter = MAX_COUNTER; - sys_release_s_info(p); - sys_release_ip_info(p->ip_info); + vx_release_info(p); + vx_release_ip_info(p->ip_info); p->pid = 0; free_task_struct(p); } else { diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/fork.c DEVEL/linux-2.4.21-vs1.1.1/kernel/fork.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/fork.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/fork.c Mon Dec 1 16:17:45 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -629,8 +630,8 @@ int do_fork(unsigned long clone_flags, u *p = *current; retval = -EAGAIN; - if (p->s_info && (p->s_info->flags & S_CTX_INFO_NPROC)) { - if (p->s_info->refcount >= p->rlim[RLIMIT_NPROC].rlim_max) + if (p->s_info && (p->s_info->flags & VX_INFO_NPROC)) { + if (atomic_read(&p->s_info->refcount) >= p->rlim[RLIMIT_NPROC].rlim_max) goto bad_fork_free; } /* @@ -643,8 +644,8 @@ int do_fork(unsigned long clone_flags, u && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) goto bad_fork_free; - sys_assign_s_info(p); - sys_assign_ip_info(p->ip_info); + vx_assign_info(p); + vx_assign_ip_info(p->ip_info); atomic_inc(&p->user->__count); atomic_inc(&p->user->processes); diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/printk.c DEVEL/linux-2.4.21-vs1.1.1/kernel/printk.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/printk.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/printk.c Mon Dec 1 16:17:45 2003 @@ -26,6 +26,7 @@ #include #include /* For in_interrupt() */ #include +#include #include 
@@ -172,7 +173,7 @@ int do_syslog(int type, char * buf, int char c; int error = 0; - if (!capable(CAP_SYS_ADMIN) && (current->s_context != 0)) + if (!capable(CAP_SYS_ADMIN) && !vx_check(0, VX_ADMIN)) return -EPERM; switch (type) { diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/sched.c DEVEL/linux-2.4.21-vs1.1.1/kernel/sched.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/sched.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/sched.c Mon Dec 1 16:17:45 2003 @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -166,8 +167,9 @@ static inline int goodness(struct task_s * over.. */ if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) { - weight = atomic_read (&p->s_info->ticks)/p->s_info->refcount; + && (p->s_info->flags & VX_INFO_SCHED)) { + weight = atomic_read(&p->s_info->ticks) / + atomic_read(&p->s_info->refcount); weight = (weight+p->counter)>>1; } else { weight = p->counter; @@ -630,13 +632,13 @@ repeat_schedule: */ for_each_task(p) { if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) + && (p->s_info->flags & VX_INFO_SCHED)) atomic_set (&p->s_info->ticks,0); } for_each_task(p) { p->counter = (p->counter >> 1) + NICE_TO_TICKS(p->nice); if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) + && (p->s_info->flags & VX_INFO_SCHED)) atomic_add (p->counter,&p->s_info->ticks); } read_unlock(&tasklist_lock); diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/signal.c DEVEL/linux-2.4.21-vs1.1.1/kernel/signal.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/signal.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/signal.c Mon Dec 1 16:17:45 2003 @@ -13,7 +13,8 @@ #include #include #include -#include +#include +#include #include 
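Review bot: The new guard `!capable(CAP_SYS_ADMIN) && !vx_check(0, VX_ADMIN)` still admits a process in a non-admin context as long as it holds CAP_SYS_ADMIN, so isolation of the kernel log from guests rests entirely on vc_new_s_context's caller having cleared that bit from `cap_bset` via `remove_cap`; conversely any host-context process passes on context alone. If the intent is that only privileged host processes may read or clear the log, make the two conditions independent: `if (!vx_check(0, VX_ADMIN) || !capable(CAP_SYS_ADMIN)) return -EPERM;`. Whichever rule is intended deserves a one-line comment, because the combined test reads like a typo. do_syslog continues outside this hunk.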
@@ -624,7 +625,7 @@ kill_pg_info(int sig, struct siginfo *in for_each_task(p) { if (p->pgrp == pgrp && thread_group_leader(p) && ((long)info==1 - || p->s_context == current->s_context)) { + || vx_check(p->vx_id, VX_IDENT))) { int err = send_sig_info(sig, info, p); if (retval) retval = err; @@ -680,7 +681,7 @@ kill_proc_info(int sig, struct siginfo * } switch ((unsigned long)info) { case 0: - if (p->s_context == current->s_context) + if (vx_check(p->vx_id, VX_IDENT)) error = send_sig_info(sig, info, p); break; case 1: @@ -688,7 +689,7 @@ kill_proc_info(int sig, struct siginfo * break; default: if ((info->si_code == SI_KERNEL) - || (p->s_context == current->s_context)) + || vx_check(p->vx_id, VX_IDENT)) error = send_sig_info(sig, info, p); break; } @@ -716,7 +717,7 @@ static int kill_something_info(int sig, read_lock(&tasklist_lock); for_each_task(p) { if (p->pid > 1 && p != current && thread_group_leader(p) - && p->s_context == current->s_context) { + && vx_check(p->vx_id, VX_IDENT)) { int err = send_sig_info(sig, info, p); ++count; if (err != -EPERM) 
@@ -1340,145 +1341,3 @@ sys_signal(int sig, __sighandler_t handl return ret ? ret : (unsigned long)old_sa.sa.sa_handler; } #endif /* !alpha && !__ia64__ && !defined(__mips__) */ - -static int set_initpid (int flags) -{ - int ret = 0; - if (flags & S_CTX_INFO_INIT) { - if (current->s_info == NULL) - ret = -EINVAL; - else if (current->s_info->initpid != 0) - ret = -EPERM; - else - current->s_info->initpid = current->tgid; - } - return ret; -} - -static inline int switch_user_struct(int new_context) -{ - struct user_struct *new_user; - - new_user = alloc_uid(new_context, current->uid); - if (!new_user) - return -ENOMEM; - - if (new_user != current->user) { - struct user_struct *old_user = current->user; - - atomic_inc(&new_user->processes); - atomic_dec(&old_user->processes); - current->user = new_user; - free_uid(old_user); - } - return 0; -} - -/* - Change to a new security context and reduce the capability - basic set of the current process -*/ -int vc_new_s_context(uint32_t ctx, void *data) -{ - int ret = -EPERM; - struct vcmd_new_s_context_v1 vc_data; - #define MAX_S_CONTEXT 65535 /* Arbitrary limit */ - - if (copy_from_user (&vc_data, data, sizeof(vc_data))) - return -EFAULT; - if (ctx == -1) { - if (current->s_info == NULL - || !(current->s_info->flags & S_CTX_INFO_LOCK)) { - /* Ok we allocate a new context. For now, we just increase */ - /* it. Wrap around possible, so we loop */ - static int alloc_ctx=1; - static spinlock_t alloc_ctx_lock = SPIN_LOCK_UNLOCKED; - spin_lock(&alloc_ctx_lock); - while (1) { - int found = 0; - struct task_struct *p; - alloc_ctx++; - /* The s_context 1 is special. 
It sess all processes */ - if (alloc_ctx == 1) - alloc_ctx++; - else if (alloc_ctx > MAX_S_CONTEXT) - // No need to grow and grow - alloc_ctx = 2; - /* Check if in use */ - read_lock(&tasklist_lock); - for_each_task(p) { - if (p->s_context == alloc_ctx) { - found = 1; - break; - } - } - read_unlock(&tasklist_lock); - if (!found) break; - } - ret = switch_user_struct(alloc_ctx); - if (ret == 0) { - current->s_context = alloc_ctx; - current->cap_bset &= (~vc_data.remove_cap); - ret = alloc_ctx; - sys_alloc_s_info(); - if (current->s_info) { - set_initpid (vc_data.flags); - current->s_info->flags |= vc_data.flags; - } - } - spin_unlock(&alloc_ctx_lock); - } - } else if (ctx == -2) { - ret = set_initpid(vc_data.flags); - if (ret == 0) { - /* We keep the same s_context, but lower the capabilities */ - current->cap_bset &= (~vc_data.remove_cap); - ret = current->s_context; - if (current->s_info) { - if (vc_data.flags & S_CTX_INFO_INIT) - current->s_info->initpid = current->tgid; - current->s_info->flags |= vc_data.flags; - } - } - } else if (ctx <= 0 || ctx > MAX_S_CONTEXT) { - ret = -EINVAL; - } else if (current->s_context == 0 - && capable(CAP_SYS_ADMIN) - && (current->s_info == NULL - ||(current->s_info->flags & S_CTX_INFO_LOCK) == 0)) { - /* The root context can become any context it wants */ - int found = 0; - struct task_struct *p; - /* Check if in use so we reuse the same context_info */ - read_lock(&tasklist_lock); - ret = ctx; - for_each_task(p) { - if (p->s_context == ctx) { - found = 1; - if (p->s_info == NULL - || !(p->s_info->flags & S_CTX_INFO_PRIVATE)) { - sys_release_s_info(current); - sys_assign_s_info (p); - current->s_info = p->s_info; - } - else - ret = -EPERM; - break; - } - } - read_unlock(&tasklist_lock); - if (ret == ctx) { - ret = switch_user_struct(ctx); - if (ret == 0) { - current->s_context = ctx; - current->cap_bset &= (~vc_data.remove_cap); - if (!found) - sys_alloc_s_info(); - if (current->s_info) - current->s_info->flags |= vc_data.flags; 
- } - } - } - return ret; -} - diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/sys.c DEVEL/linux-2.4.21-vs1.1.1/kernel/sys.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/sys.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/sys.c Mon Dec 1 16:17:45 2003 @@ -15,6 +15,7 @@ #include #include #include +#include #include #include @@ -519,7 +520,7 @@ static int set_user(uid_t new_ruid, int * cheaply with the new uid cache, so if it matters * we should be checking for it. -DaveM */ - new_user = alloc_uid(current->s_context, new_ruid); + new_user = alloc_uid(current->vx_id, new_ruid); if (!new_user) return -EAGAIN; old_user = current->user; 
@@ -1051,121 +1052,6 @@ asmlinkage long sys_newuname(struct new_ up_read(&uts_sem); return errno; } - -/* - Decrease the reference count on the context_info member of a task - Free the struct if the reference count reach 0. -*/ -void sys_release_s_info (struct task_struct *p) -{ - down_write (&uts_sem); - if (p->s_info) { - p->s_info->refcount--; - if (p->s_info->refcount == 0) { - vfree (p->s_info); - p->s_info = NULL; - } - } - up_write (&uts_sem); -} -/* - Increase the reference count on the context_info member of a task -*/ -void sys_assign_s_info (struct task_struct *p) -{ - down_write (&uts_sem); - if (p->s_info) - p->s_info->refcount++; - up_write (&uts_sem); -} - -/* - Alloc a new s_info to the current process and release - the one currently owned by the current process. -*/ -void sys_alloc_s_info() -{ - struct context_info *s_info = vmalloc(sizeof(struct context_info)); - - if (s_info) { - int i; - memset (s_info,0,sizeof(*s_info)); - s_info->s_context[0] = current->s_context; - s_info->refcount = 1; - atomic_set (&s_info->ticks,current->counter); - s_info->flags = 0; - s_info->initpid = 0; - for (i=0; irlim[i] = 0xffffffff; - atomic_set (&s_info->res[i],0); - } - down_read (&uts_sem); - if (current->s_info) { - strcpy (s_info->nodename,current->s_info->nodename); - strcpy (s_info->domainname,current->s_info->domainname); - } else { - strcpy (s_info->nodename,system_utsname.nodename); - strcpy (s_info->domainname,system_utsname.domainname); - } - up_read (&uts_sem); - sys_release_s_info (current); - current->s_info = s_info; - /* - The current process is switching to a new context - so we preset the open file counter with - the file currently open by that process. - Some of those files may have been opened by - a parent, so do not strictly belong to this - process, so we kind of over bill the current process - but it is minimal. 
- */ - atomic_set (&s_info->res[RLIMIT_NOFILE] - ,atomic_read(¤t->files->count)); - } -} - -/* - Decrease the reference count on the ip_info struct - Free the struct if the reference count reach 0. -*/ -void sys_release_ip_info (struct iproot_info *ip_info) -{ - if (ip_info) { - if (atomic_dec_and_test(&ip_info->refcount)) { - if (ip_info->mark != 0xdeadbeef) - printk ("sys_release_ip_info: broken signature %08lx\n", ip_info->mark); - else - vfree (ip_info); - } - } -} -/* - Increase the reference count on the ip_info member of a task -*/ -void sys_assign_ip_info (struct iproot_info *ip_info) -{ - if (ip_info) { - atomic_inc (&ip_info->refcount); - if (ip_info->mark != 0xdeadbeef) - printk ("sys_assign_ip_info: broken signature %08lx\n", ip_info->mark); - } -} - -/* - Alloc a new ip_info to the current process and release - the one currently owned by the current process. -*/ -void sys_alloc_ip_info() -{ - struct iproot_info *ip_info = vmalloc(sizeof(struct iproot_info)); - - memset (ip_info,0,sizeof(*ip_info)); - ip_info->mark = 0xdeadbeef; - atomic_set (&ip_info->refcount,1); - sys_release_ip_info (current->ip_info); - current->ip_info = ip_info; -} - asmlinkage long sys_sethostname(char *name, int len) { diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/sysctl.c DEVEL/linux-2.4.21-vs1.1.1/kernel/sysctl.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/sysctl.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/sysctl.c Mon Dec 1 16:17:45 2003 @@ -30,6 +30,7 @@ #include #include #include +#include #include 
@@ -802,7 +803,7 @@ static int proc_doutsstring(ctl_table *t int r; ctl_table tmp; - /* HACK for per s_context hostname and domainname */ + /* HACK for per context hostname and domainname */ if (current->s_info) { tmp = *table; table = &tmp; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/timer.c DEVEL/linux-2.4.21-vs1.1.1/kernel/timer.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/timer.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/timer.c Mon Dec 1 16:17:45 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include @@ -599,7 +600,7 @@ void update_process_times(int user_tick) update_one_process(p, user_tick, system, cpu); if (p->pid) { - if (p->s_info && (p->s_info->flags & S_CTX_INFO_SCHED)) + if (p->s_info && (p->s_info->flags & VX_INFO_SCHED)) atomic_dec (&p->s_info->ticks); if (--p->counter <= 0) { p->counter = 0; diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/user.c DEVEL/linux-2.4.21-vs1.1.1/kernel/user.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/user.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/user.c Mon Dec 1 16:17:45 2003 @@ -69,7 +69,7 @@ static inline void uid_hash_remove(struc *pprev = next; } -static inline struct user_struct *uid_hash_find(int s_context, uid_t uid, struct user_struct **hashent) +static inline struct user_struct *uid_hash_find(int vx_id, uid_t uid, struct user_struct **hashent) { struct user_struct *next; @@ -78,7 +78,7 @@ static inline struct user_struct *uid_ha struct user_struct *up = next; if (next) { next = up->next; - if (up->uid != uid || up->s_context != s_context) + if (up->uid != uid || up->vx_id != vx_id) continue; atomic_inc(&up->__count); } 
@@ -95,13 +95,13 @@ void free_uid(struct user_struct *up) } } -struct user_struct * alloc_uid(int s_context, uid_t uid) +struct user_struct * alloc_uid(int vx_id, uid_t uid) { struct user_struct **hashent = uidhashentry(uid); struct user_struct *up; spin_lock(&uidhash_lock); - up = uid_hash_find(s_context, uid, hashent); + up = uid_hash_find(vx_id, uid, hashent); spin_unlock(&uidhash_lock); if (!up) { @@ -111,7 +111,7 @@ struct user_struct * alloc_uid(int s_con if (!new) return NULL; new->uid = uid; - new->s_context = s_context; + new->vx_id = vx_id; atomic_set(&new->__count, 1); atomic_set(&new->processes, 0); atomic_set(&new->files, 0); @@ -121,7 +121,7 @@ struct user_struct * alloc_uid(int s_con * on adding the same user already.. */ spin_lock(&uidhash_lock); - up = uid_hash_find(s_context, uid, hashent); + up = uid_hash_find(vx_id, uid, hashent); if (up) { kmem_cache_free(uid_cachep, new); } else { diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/vcontext.c DEVEL/linux-2.4.21-vs1.1.1/kernel/vcontext.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/vcontext.c Thu Jan 1 01:00:00 1970 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/vcontext.c Mon Dec 1 16:17:45 2003 
@@ -0,0 +1,359 @@ +/* + * linux/kernel/vcontext.c + * + * Virtual Context Support + * + * Copyright (C) 2003 Herbert Pötzl + * + * V0.01 context helper + * + */ + +#include +#include +#include +#include +#include +#include + +#include +#include + + +int vc_ctx_kill(uint32_t id, void *data) +{ + return -ENOSYS; +} + +int vc_get_rlimit(uint32_t id, void *data) +{ + return -ENOSYS; +} + +int vc_set_rlimit(uint32_t id, void *data) +{ + return -ENOSYS; +} + +int vc_get_rlimit_mask(uint32_t id, void *data) +{ + return -ENOSYS; +} + + + +/* system functions */ + + +/* + * Alloc a new s_info to the current process and release + * the one currently owned by the current process. + */ +static void vx_alloc_info(void) +{ + struct context_info *s_info = vmalloc(sizeof(struct context_info)); + + if (s_info) { + int i; + memset (s_info, 0, sizeof(*s_info)); + s_info->vx_id[0] = current->vx_id; + atomic_set(&s_info->refcount, 1); + atomic_set(&s_info->ticks, current->counter); + s_info->flags = 0; + s_info->initpid = 0; + for (i=0; irlim[i] = 0xffffffff; + atomic_set(&s_info->res[i], 0); + } + down_read(&uts_sem); + if (current->s_info) { + strcpy(s_info->nodename, current->s_info->nodename); + strcpy(s_info->domainname, current->s_info->domainname); + } else { + strcpy(s_info->nodename, system_utsname.nodename); + strcpy(s_info->domainname, system_utsname.domainname); + } + up_read(&uts_sem); + vx_release_info(current); + current->s_info = s_info; + /* + The current process is switching to a new context + so we preset the open file counter with + the file currently open by that process. + Some of those files may have been opened by + a parent, so do not strictly belong to this + process, so we kind of over bill the current process + but it is minimal. 
+ */ + atomic_set(&s_info->res[RLIMIT_NOFILE], + atomic_read(¤t->files->count)); + } +} + +/* + * Increase the reference count on the context_info member of a task + */ +void vx_assign_info (struct task_struct *p) +{ + down_write (&uts_sem); + if (p->s_info) + atomic_inc(&p->s_info->refcount); + up_write (&uts_sem); +} + +/* + * Decrease the reference count on the context_info member of a task + * Free the struct if the reference count reach 0. + */ +void vx_release_info (struct task_struct *p) +{ + down_write (&uts_sem); + if (p->s_info) { + if (atomic_dec_and_test(&p->s_info->refcount)) { + vfree (p->s_info); + p->s_info = NULL; + } + } + up_write (&uts_sem); +} + +/* + * Alloc a new ip_info to the current process and release + * the one currently owned by the current process. + */ +static void vx_alloc_ip_info(void) +{ + struct iproot_info *ip_info = vmalloc(sizeof(struct iproot_info)); + + memset(ip_info, 0, sizeof(*ip_info)); + ip_info->mark = 0xdeadbeef; + atomic_set(&ip_info->refcount, 1); + vx_release_ip_info(current->ip_info); + current->ip_info = ip_info; +} + +/* + * Increase the reference count on the ip_info member of a task + */ +void vx_assign_ip_info (struct iproot_info *ip_info) +{ + if (ip_info) { + atomic_inc(&ip_info->refcount); + if (ip_info->mark != 0xdeadbeef) + printk("vx_assign_ip_info: broken signature %08lx\n", ip_info->mark); + } +} + +/* + * Decrease the reference count on the ip_info struct + * Free the struct if the reference count reach 0. 
+ */ +void vx_release_ip_info (struct iproot_info *ip_info) +{ + if (ip_info) { + if (atomic_dec_and_test(&ip_info->refcount)) { + if (ip_info->mark != 0xdeadbeef) + printk("vx_release_ip_info: broken signature %08lx\n", ip_info->mark); + else + vfree(ip_info); + } + } +} + + +static int vx_switch_user_struct(int new_context) +{ + struct user_struct *new_user; + + new_user = alloc_uid(new_context, current->uid); + if (!new_user) + return -ENOMEM; + + if (new_user != current->user) { + struct user_struct *old_user = current->user; + + atomic_inc(&new_user->processes); + atomic_dec(&old_user->processes); + current->user = new_user; + free_uid(old_user); + } + return 0; +} + +static int vx_set_initpid(int flags) +{ + int ret = 0; + if (flags & VX_INFO_INIT) { + if (current->s_info == NULL) + ret = -EINVAL; + else if (current->s_info->initpid != 0) + ret = -EPERM; + else + current->s_info->initpid = current->tgid; + } + return ret; +} + + +/* new security context (syscall) */ + +/* + * Change to a new security context and reduce the capability + * basic set of the current process + */ +int vc_new_s_context(uint32_t ctx, void *data) +{ + int ret = -EPERM; + struct vcmd_new_s_context_v1 vc_data; + #define MAX_S_CONTEXT 65535 /* Arbitrary limit */ + + if (copy_from_user (&vc_data, data, sizeof(vc_data))) + return -EFAULT; + if (ctx == -1) { + if (current->s_info == NULL + || !(current->s_info->flags & VX_INFO_LOCK)) { + /* Ok we allocate a new context. For now, we just increase */ + /* it. Wrap around possible, so we loop */ + static int alloc_ctx = MIN_D_CONTEXT; + static spinlock_t alloc_ctx_lock = SPIN_LOCK_UNLOCKED; + spin_lock(&alloc_ctx_lock); + while (1) { + int found = 0; + struct task_struct *p; + alloc_ctx++; + /* The vx_id 1 is special. 
It sess all processes */ + if (alloc_ctx == 1) + alloc_ctx++; + else if (alloc_ctx > MAX_S_CONTEXT) + // No need to grow and grow + alloc_ctx = MIN_D_CONTEXT; + /* Check if in use */ + read_lock(&tasklist_lock); + for_each_task(p) { + if (p->vx_id == alloc_ctx) { + found = 1; + break; + } + } + read_unlock(&tasklist_lock); + if (!found) break; + } + ret = vx_switch_user_struct(alloc_ctx); + if (ret == 0) { + current->vx_id = alloc_ctx; + current->cap_bset &= (~vc_data.remove_cap); + ret = alloc_ctx; + vx_alloc_info(); + if (current->s_info) { + vx_set_initpid(vc_data.flags); + current->s_info->flags |= vc_data.flags; + } + } + spin_unlock(&alloc_ctx_lock); + } + } else if (ctx == -2) { + ret = vx_set_initpid(vc_data.flags); + if (ret == 0) { + /* We keep the same vx_id, but lower the capabilities */ + current->cap_bset &= (~vc_data.remove_cap); + ret = current->vx_id; + if (current->s_info) { + if (vc_data.flags & VX_INFO_INIT) + current->s_info->initpid = current->tgid; + current->s_info->flags |= vc_data.flags; + } + } + } else if (ctx <= 0 || ctx > MAX_S_CONTEXT) { + ret = -EINVAL; + } else if (vx_check(0, VX_ADMIN) + && capable(CAP_SYS_ADMIN) + && (current->s_info == NULL + ||(current->s_info->flags & VX_INFO_LOCK) == 0)) { + /* The root context can become any context it wants */ + int found = 0; + struct task_struct *p; + /* Check if in use so we reuse the same context_info */ + read_lock(&tasklist_lock); + ret = ctx; + for_each_task(p) { + if (p->vx_id == ctx) { + found = 1; + if (p->s_info == NULL + || !(p->s_info->flags & VX_INFO_PRIVATE)) { + vx_release_info(current); + vx_assign_info (p); + current->s_info = p->s_info; + } + else + ret = -EPERM; + break; + } + } + read_unlock(&tasklist_lock); + if (ret == ctx) { + ret = vx_switch_user_struct(ctx); + if (ret == 0) { + current->vx_id = ctx; + current->cap_bset &= (~vc_data.remove_cap); + if (!found) + vx_alloc_info(); + if (current->s_info) + current->s_info->flags |= vc_data.flags; + } + } + } + return 
ret; +} + + +/* set ipv4 root (syscall) */ + +int vc_set_ipv4root(uint32_t nbip, void *data) +{ + int ret = -EPERM; + struct vcmd_set_ipv4root_v3 vc_data; + struct iproot_info *ip_info = current->ip_info; + + if (copy_from_user (&vc_data, data, sizeof(vc_data))) + return -EFAULT; + + if (nbip < 0 || nbip > NB_IPV4ROOT) + ret = -EINVAL; + if (!ip_info || ip_info->ipv4[0] == 0 || capable(CAP_NET_ADMIN)) + // We are allowed to change everything + ret = 0; + else if (current->ip_info) { + // We are allowed to select a subset of the currently + // installed IP numbers. No new one allowed + // We can't change the broadcast address though + int i; + int found = 0; + for (i=0; inbipv4; j++) { + if (ipi == ip_info->ipv4[j]) { + found++; + break; + } + } + } + if (found == nbip && vc_data.broadcast == ip_info->v4_bcast) + ret = 0; + } + if (ret == 0) { + int i; + + vx_alloc_ip_info(); /* release existing? */ + ip_info = current->ip_info; + ip_info->nbipv4 = nbip; + for (i=0; iipv4[i] = vc_data.ip_mask_pair[i].ip; + ip_info->mask[i] = vc_data.ip_mask_pair[i].mask; + } + ip_info->v4_bcast = vc_data.broadcast; + } + return ret; +} + + diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/virtual.c DEVEL/linux-2.4.21-vs1.1.1/kernel/virtual.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/virtual.c Mon Dec 1 16:17:36 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/virtual.c Thu Jan 1 01:00:00 1970 
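Review bot: In vc_set_ipv4root the range check `if (nbip < 0 || nbip > NB_IPV4ROOT) ret = -EINVAL;` is overridden by the following `if`, which resets `ret = 0` whenever the caller has no ip_info yet, has an empty ipv4[0] or holds CAP_NET_ADMIN, so an oversized `nbip` reaches the copy loop and indexes `vc_data.ip_mask_pair[]` (and presumably `ip_info->ipv4[]`) past NB_IPV4ROOT; `nbip < 0` is also dead for a `uint32_t`. Make it a hard reject, `if (nbip > NB_IPV4ROOT) return -EINVAL;`. Second, vx_alloc_ip_info writes through the `vmalloc` result without a NULL check and vc_set_ipv4root then dereferences `current->ip_info`; let it return -ENOMEM and propagate that, as in the excerpt below. Third, in vc_new_s_context the admin path calls vx_release_info/vx_assign_info (both take `down_write(&uts_sem)`) while `tasklist_lock` is read-held, and the `ctx == -1` path calls vx_alloc_info and vx_switch_user_struct under `alloc_ctx_lock`; if uts_sem is the usual sleeping rw-semaphore and vmalloc/alloc_uid may sleep, these sleep inside a spinlock and the allocations should move outside the locked regions.
```c
static int vx_alloc_ip_info(void)
{
	struct iproot_info *ip_info = vmalloc(sizeof(struct iproot_info));

	if (!ip_info)
		return -ENOMEM;
	/* … unchanged: memset, mark, refcount, release old, install … */
	return 0;
}

/* … unchanged: vx_assign_ip_info … vc_new_s_context … */

int vc_set_ipv4root(uint32_t nbip, void *data)
{
	/* … unchanged: locals, copy_from_user … */
	if (nbip > NB_IPV4ROOT)
		return -EINVAL;
	/* … unchanged: permission checks that set ret … */
	if (ret == 0) {
		int i;

		ret = vx_alloc_ip_info();
		if (ret)
			return ret;
		ip_info = current->ip_info;
		/* … unchanged: copy of ip/mask pairs and broadcast … */
	}
	return ret;
}
```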
@@ -1,51 +0,0 @@ -/* - * linux/kernel/virtual.c - * - * Virtual Context Support - * - * Copyright (C) 2003 Herbert Pötzl - * - * V0.01 syscall switch - * - */ - -#include -#include -#include - -#include - - -static inline int -vc_get_version(uint32_t id) -{ - return VCI_VERSION; -} - - -extern int vc_new_s_context(uint32_t, void *); -extern int vc_set_ipv4root(uint32_t, void *); - - -asmlinkage int -sys_virtual_context(uint32_t cmd, uint32_t id, void *data) -{ - int ret = -EINVAL; - - switch (cmd) { - case VCMD_get_version: - ret = vc_get_version(id); - break; - - case VCMD_new_s_context: - ret = vc_new_s_context(id, data); - break; - - case VCMD_set_ipv4root: - ret = vc_set_ipv4root(id, data); - break; - - } - return ret; -} - diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/kernel/vswitch.c DEVEL/linux-2.4.21-vs1.1.1/kernel/vswitch.c --- DEVEL/linux-2.4.21-vs1.1.0/kernel/vswitch.c Thu Jan 1 01:00:00 1970 +++ DEVEL/linux-2.4.21-vs1.1.1/kernel/vswitch.c Mon Dec 1 16:17:45 2003 
@@ -0,0 +1,71 @@ +/* + * linux/kernel/vswitch.c + * + * Virtual Context Support + * + * Copyright (C) 2003 Herbert Pötzl + * + * V0.01 syscall switch + * V0.02 added signal to context + * + */ + +#include +#include +#include + +#include + + +static inline int +vc_get_version(uint32_t id) +{ + return VCI_VERSION; +} + + +extern int vc_new_s_context(uint32_t, void *); +extern int vc_set_ipv4root(uint32_t, void *); + +extern int vc_get_rlimit(uint32_t, void *); +extern int vc_set_rlimit(uint32_t, void *); +extern int vc_get_rlimit_mask(uint32_t, void *); + +extern int vc_ctx_kill(uint32_t, void *); + + +asmlinkage int +sys_vserver(uint32_t cmd, uint32_t id, void *data) +{ + int ret = -EINVAL; + + switch (cmd) { + case VCMD_get_version: + ret = vc_get_version(id); + break; + + case VCMD_new_s_context: + ret = vc_new_s_context(id, data); + break; + case VCMD_set_ipv4root: + ret = vc_set_ipv4root(id, data); + break; + + case VCMD_get_rlimit: + ret = vc_get_rlimit(id, data); + break; + case VCMD_set_rlimit: + ret = vc_set_rlimit(id, data); + break; + case VCMD_get_rlimit_mask: + ret = vc_get_rlimit_mask(id, data); + break; + + case VCMD_ctx_kill: + ret = vc_ctx_kill(id, data); + break; + + } + return ret; +} + diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/af_inet.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/af_inet.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/af_inet.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/af_inet.c Mon Dec 1 16:17:45 2003 @@ -177,7 +177,7 @@ void inet_sock_destruct(struct sock *sk) if (sk->protinfo.af_inet.opt) kfree(sk->protinfo.af_inet.opt); - sys_release_ip_info(sk->ip_info); + vx_release_ip_info(sk->ip_info); sk->ip_info = NULL; dst_release(sk->dst_cache); #ifdef INET_REFCNT_DEBUG @@ -395,7 +395,7 @@ static int inet_create(struct socket *so sk->protinfo.af_inet.mc_index = 0; sk->protinfo.af_inet.mc_list = NULL; - sk->s_context = current->s_context; + sk->vx_id = current->vx_id; sk->ip_info = NULL; #ifdef INET_REFCNT_DEBUG 
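Review bot: The six `extern int vc_*(uint32_t, void *)` prototypes in vswitch.c duplicate declarations that belong in include/linux/virtual.h next to the VCMD_* values; as written vcontext.c never sees them, so a signature drift between the two files compiles silently. Move them to the header and include it from both files. A one-line comment on `sys_vserver` stating that `data` is a user pointer each handler must fetch with copy_from_user (as vc_new_s_context and vc_set_ipv4root do) would make that contract explicit for the rlimit and ctx_kill stubs that still return -ENOSYS, and `vc_get_version` should either drop the unused `id` or note that it is ignored.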
@@ -565,7 +565,7 @@ static int inet_bind(struct socket *sock sk->rcv_saddr2 = s_addr2; sk->ip_info = ip_info; if (ip_info) - sys_assign_ip_info(ip_info); + vx_assign_ip_info(ip_info); if (chk_addr_ret == RTN_MULTICAST || chk_addr_ret == RTN_BROADCAST) sk->saddr = 0; /* Use device */ @@ -573,7 +573,7 @@ static int inet_bind(struct socket *sock if (sk->prot->get_port(sk, snum) != 0) { sk->saddr = sk->rcv_saddr = 0; sk->ip_info = NULL; - sys_release_ip_info(ip_info); + vx_release_ip_info(ip_info); err = -EADDRINUSE; goto out; } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/devinet.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/devinet.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/devinet.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/devinet.c Mon Dec 1 16:17:45 2003 @@ -466,13 +466,13 @@ static int devinet_notiproot (struct in_ { int ret = 0; struct iproot_info *info = current->ip_info; - if (current->s_context && info) { + if (info && !vx_check(0, VX_ADMIN)) { int i; int nbip = info->nbipv4; __u32 addr = ifa->ifa_local; ret = 1; for (i=0; iipv4[i] == addr) { + if(info->ipv4[i] == addr) { ret = 0; break; } diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/raw.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/raw.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/raw.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/raw.c Mon Dec 1 16:17:45 2003 @@ -688,7 +688,8 @@ int raw_get_info(char *buffer, char **st struct sock *sk; for (sk = raw_v4_htable[i]; sk; sk = sk->next, num++) { - if (sk->family != PF_INET || (current->s_context != 1 && sk->s_context != current->s_context)) + if (sk->family != PF_INET || + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += 128; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/tcp_ipv4.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/tcp_ipv4.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/tcp_ipv4.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/tcp_ipv4.c Mon Dec 1 16:17:45 2003 
@@ -2255,7 +2255,7 @@ int tcp_get_info(char *buffer, char **st int uid; struct tcp_opt *tp = &(sk->tp_pinfo.af_tcp); - if (current->s_context != 1 && sk->s_context != current->s_context) + if (!vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; if (!TCP_INET_FAMILY(sk->family)) @@ -2312,7 +2312,7 @@ skip_listen: read_lock(&head->lock); for(sk = head->chain; sk; sk = sk->next, num++) { if (!TCP_INET_FAMILY(sk->family) || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += TMPSZ; if (pos <= offset) @@ -2328,7 +2328,7 @@ skip_listen: tw != NULL; tw = (struct tcp_tw_bucket *)tw->next, num++) { if (!TCP_INET_FAMILY(tw->family) || - (current->s_context != 1 && tw->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += TMPSZ; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/tcp_minisocks.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/tcp_minisocks.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/tcp_minisocks.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/tcp_minisocks.c Mon Dec 1 16:17:45 2003 @@ -380,7 +380,7 @@ void tcp_time_wait(struct sock *sk, int tw->ts_recent_stamp= tp->ts_recent_stamp; tw->pprev_death = NULL; - tw->s_context = sk->s_context; + tw->vx_id = sk->vx_id; tw->ip_info = NULL; #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) @@ -652,7 +652,7 @@ struct sock *tcp_create_openreq_child(st #endif memcpy(newsk, sk, sizeof(*newsk)); - sys_assign_ip_info(newsk->ip_info); + vx_assign_ip_info(newsk->ip_info); newsk->state = TCP_SYN_RECV; /* SANITY */ diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/udp.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/udp.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv4/udp.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv4/udp.c Mon Dec 1 16:17:45 2003 
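Review bot: In the time-wait loop of the `@@ -2328` hunk the new check reads `sk->vx_id` while iterating `tw`, but the preceding hunk shows that loop runs `for(sk = head->chain; sk; sk = sk->next, num++)`, so on its normal exit `sk` is NULL and the first TIME_WAIT socket found while reading /proc/net/tcp dereferences it (and even on an early exit it would test the wrong socket). The old line compared `tw->s_context`, and tcp_minisocks.c in this same patch copies `tw->vx_id = sk->vx_id`, so the field exists on the bucket: the line should be `!vx_check(tw->vx_id, VX_WATCH|VX_IDENT))`. tcp_get_info's body continues outside the hunk.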
@@ -552,7 +552,7 @@ int udp_sendmsg(struct sock *sk, struct if (ip_info != NULL) { __u32 ipv4root = ip_info->ipv4[0]; if (ipv4root) { - if (daddr == 0x0100007f && current->s_context != 0) + if (daddr == 0x0100007f && !vx_check(0, VX_ADMIN)) daddr = ipv4root; if (ufh.saddr == 0) ufh.saddr = ipv4root; @@ -1046,7 +1046,7 @@ int udp_get_info(char *buffer, char **st for (sk = udp_hash[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += 128; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/raw.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/raw.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/raw.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/raw.c Mon Dec 1 16:17:45 2003 @@ -880,7 +880,7 @@ int raw6_get_info(char *buffer, char **s for (sk = raw_v6_htable[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/tcp_ipv6.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/tcp_ipv6.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/tcp_ipv6.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/tcp_ipv6.c Mon Dec 1 16:17:45 2003 @@ -2028,7 +2028,7 @@ int tcp6_get_info(char *buffer, char **s struct tcp_opt *tp = &(sk->tp_pinfo.af_tcp); if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos >= offset) { 
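Review bot: The loopback redirect in the udp_sendmsg hunk still keys on the literal `0x0100007f`, which is 127.0.0.1 in network byte order only on a little-endian host; this same patch wires the syscall into the ppc and ppc64 tables, and on a big-endian kernel the comparison never matches, so a non-admin context sending to 127.0.0.1 is not rewritten to its ipv4root and can reach host services bound to loopback. Assuming daddr holds a network-order address (the `ufh.saddr = ipv4root` assignment beside it suggests so), the check should be `if (daddr == htonl(INADDR_LOOPBACK) && !vx_check(0, VX_ADMIN))`, or `LOOPBACK(daddr)` from linux/in.h if the whole 127/8 range is meant to be captured rather than the single address. udp_sendmsg's body starts and ends outside the hunk.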
@@ -2079,7 +2079,7 @@ int tcp6_get_info(char *buffer, char **s read_lock(&head->lock); for(sk = head->chain; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) @@ -2095,7 +2095,7 @@ int tcp6_get_info(char *buffer, char **s tw != NULL; tw = (struct tcp_tw_bucket *)tw->next, num++) { if (tw->family != PF_INET6 || - (current->s_context != 1 && tw->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/udp.c DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/udp.c --- DEVEL/linux-2.4.21-vs1.1.0/net/ipv6/udp.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/ipv6/udp.c Mon Dec 1 16:17:45 2003 @@ -980,7 +980,7 @@ int udp6_get_info(char *buffer, char **s for (sk = udp_hash[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/socket.c DEVEL/linux-2.4.21-vs1.1.1/net/socket.c --- DEVEL/linux-2.4.21-vs1.1.0/net/socket.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/socket.c Fri Jun 13 16:51:39 2003 @@ -84,7 +84,6 @@ #include #include #include -#include static int sock_no_open(struct inode *irrelevant, struct file *dontcare); static ssize_t sock_read(struct file *file, char *buf, 
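Review bot: The time-wait loop in the `@@ -2095` hunk of tcp6_get_info has the same slip as its IPv4 counterpart: it checks `tw->family` but then calls `vx_check(sk->vx_id, ...)`, and `sk` is the variable left over from the preceding `for(sk = head->chain; sk; ...)` loop, which is NULL once that loop completes, so listing /proc/net/tcp6 with a TIME_WAIT socket present dereferences a null pointer. The removed line used `tw->s_context`, so the replacement should be `!vx_check(tw->vx_id, VX_WATCH|VX_IDENT))`. tcp6_get_info's body continues outside the hunk.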
@@ -1755,52 +1754,3 @@ int socket_get_info(char *buffer, char * len = 0; return len; } - -int vc_set_ipv4root(uint32_t nbip, void *data) -{ - int ret = -EPERM; - struct vcmd_set_ipv4root_v3 vc_data; - struct iproot_info *ip_info = current->ip_info; - - if (copy_from_user (&vc_data, data, sizeof(vc_data))) - return -EFAULT; - - if (nbip < 0 || nbip > NB_IPV4ROOT) - ret = -EINVAL; - if (!ip_info || ip_info->ipv4[0] == 0 || capable(CAP_NET_ADMIN)) - // We are allowed to change everything - ret = 0; - else if (current->ip_info) { - // We are allowed to select a subset of the currently - // installed IP numbers. No new one allowed - // We can't change the broadcast address though - int i; - int found = 0; - for (i=0; inbipv4; j++) { - if (ipi == ip_info->ipv4[j]) { - found++; - break; - } - } - } - if (found == nbip && vc_data.broadcast == ip_info->v4_bcast) - ret = 0; - } - if (ret == 0) { - int i; - - sys_alloc_ip_info(); /* release existing? */ - ip_info = current->ip_info; - ip_info->nbipv4 = nbip; - for (i=0; iipv4[i] = vc_data.ip_mask_pair[i].ip; - ip_info->mask[i] = vc_data.ip_mask_pair[i].mask; - } - ip_info->v4_bcast = vc_data.broadcast; - } - return ret; -} - diff -NurpP --minimal DEVEL/linux-2.4.21-vs1.1.0/net/unix/af_unix.c DEVEL/linux-2.4.21-vs1.1.1/net/unix/af_unix.c --- DEVEL/linux-2.4.21-vs1.1.0/net/unix/af_unix.c Mon Dec 1 16:17:37 2003 +++ DEVEL/linux-2.4.21-vs1.1.1/net/unix/af_unix.c Mon Dec 1 16:17:45 2003 @@ -109,6 +109,7 @@ #include #include #include +#include #include @@ -479,7 +480,7 @@ static struct sock * unix_create1(struct sk->write_space = unix_write_space; - sk->s_context = current->s_context; + sk->vx_id = current->vx_id; sk->max_ack_backlog = sysctl_unix_max_dgram_qlen; sk->destruct = unix_sock_destructor; 
@@ -1758,7 +1759,7 @@ static int unix_read_proc(char *buffer, read_lock(&unix_table_lock); forall_unix_sockets (i,s) { - if (current->s_context != 1 && s->s_context != current->s_context) + if (!vx_check(s->vx_id, VX_WATCH|VX_IDENT)) continue; unix_state_rlock(s);