diff -NurpP --minimal linux-2.4.23-vs1.00/Documentation/Configure.help linux-2.4.23-vs1.20/Documentation/Configure.help --- linux-2.4.23-vs1.00/Documentation/Configure.help Fri Nov 28 19:26:19 2003 +++ linux-2.4.23-vs1.20/Documentation/Configure.help Thu Dec 4 20:16:32 2003 @@ -538,6 +538,11 @@ CONFIG_BLK_DEV_LOOP Most users will answer N here. +Virtual Root device support +CONFIG_BLK_DEV_VROOT + Saying Y here will allow you to use quota/fs ioctls on a shared + partition within a virtual server without compromising security. + Micro Memory MM5415 Battery Backed RAM support (EXPERIMENTAL) CONFIG_BLK_DEV_UMEM Saying Y here will include support for the MM5415 family of diff -NurpP --minimal linux-2.4.23-vs1.00/Makefile linux-2.4.23-vs1.20/Makefile --- linux-2.4.23-vs1.00/Makefile Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/Makefile Thu Dec 4 20:16:31 2003 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 23 -EXTRAVERSION = -vs1.00 +EXTRAVERSION = -vs1.20 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) diff -NurpP --minimal linux-2.4.23-vs1.00/arch/alpha/kernel/entry.S linux-2.4.23-vs1.20/arch/alpha/kernel/entry.S --- linux-2.4.23-vs1.00/arch/alpha/kernel/entry.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/alpha/kernel/entry.S Thu Dec 4 20:16:31 2003 @@ -1044,8 +1044,8 @@ sys_call_table: .quad alpha_ni_syscall /* 270 */ .quad alpha_ni_syscall .quad alpha_ni_syscall - .quad sys_new_s_context /* 273 sys_virtual_context */ - .quad sys_set_ipv4root /* 274 borrowed for now */ + .quad sys_vserver /* 273 sys_vserver */ + .quad alpha_ni_syscall .quad alpha_ni_syscall /* 275 */ .quad alpha_ni_syscall .quad alpha_ni_syscall diff -NurpP --minimal linux-2.4.23-vs1.00/arch/i386/kernel/entry.S linux-2.4.23-vs1.20/arch/i386/kernel/entry.S --- linux-2.4.23-vs1.00/arch/i386/kernel/entry.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/i386/kernel/entry.S Thu Dec 4 20:16:31 2003 @@ -677,8 +677,7 @@ ENTRY(sys_call_table) .long SYMBOL_NAME(sys_ni_syscall) /* 270 */ .long SYMBOL_NAME(sys_ni_syscall) .long SYMBOL_NAME(sys_ni_syscall) - .long SYMBOL_NAME(sys_new_s_context) /* 273 sys_virtual_context */ - .long SYMBOL_NAME(sys_set_ipv4root) /* 274 borrowed */ + .long SYMBOL_NAME(sys_vserver) /* 273 sys_vserver */ .rept NR_syscalls-(.-sys_call_table)/4 .long SYMBOL_NAME(sys_ni_syscall) diff -NurpP --minimal linux-2.4.23-vs1.00/arch/i386/kernel/ptrace.c linux-2.4.23-vs1.20/arch/i386/kernel/ptrace.c --- linux-2.4.23-vs1.00/arch/i386/kernel/ptrace.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/i386/kernel/ptrace.c Thu Dec 4 20:16:31 2003 @@ -170,7 +170,7 @@ asmlinkage int sys_ptrace(long request, if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal linux-2.4.23-vs1.00/arch/parisc/kernel/syscall.S linux-2.4.23-vs1.20/arch/parisc/kernel/syscall.S --- linux-2.4.23-vs1.00/arch/parisc/kernel/syscall.S Fri Jun 13 16:51:31 2003 +++ linux-2.4.23-vs1.20/arch/parisc/kernel/syscall.S Thu Dec 4 20:16:31 2003 @@ -605,6 +605,71 @@ sys_call_table: ENTRY_SAME(gettid) ENTRY_SAME(readahead) ENTRY_SAME(tkill) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 210 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 215 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 220 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 225 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 230 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 235 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 240 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 245 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 250 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 255 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 260 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 265 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) /* 270 */ + ENTRY_SAME(ni_syscall) + ENTRY_SAME(ni_syscall) + ENTRY_SAME(vserver) /* 273 sys_vserver */ .end diff -NurpP --minimal linux-2.4.23-vs1.00/arch/ppc/kernel/misc.S linux-2.4.23-vs1.20/arch/ppc/kernel/misc.S --- linux-2.4.23-vs1.00/arch/ppc/kernel/misc.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/ppc/kernel/misc.S Thu Dec 4 20:16:31 2003 @@ -1321,8 +1321,7 @@ _GLOBAL(sys_call_table) .long sys_ni_syscall /* 270 */ .long sys_ni_syscall .long sys_ni_syscall - .long sys_new_s_context /* 273 sys_virtual_context */ - .long sys_set_ipv4root /* 274 borrowed */ + .long sys_vserver /* 273 sys_vserver */ .rept NR_syscalls-(.-sys_call_table)/4 .long sys_ni_syscall diff -NurpP --minimal linux-2.4.23-vs1.00/arch/ppc/kernel/ptrace.c linux-2.4.23-vs1.20/arch/ppc/kernel/ptrace.c --- linux-2.4.23-vs1.00/arch/ppc/kernel/ptrace.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/ppc/kernel/ptrace.c Thu Dec 4 20:16:31 2003 @@ -188,7 +188,7 @@ int sys_ptrace(long request, long pid, l if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal linux-2.4.23-vs1.00/arch/ppc64/kernel/misc.S linux-2.4.23-vs1.20/arch/ppc64/kernel/misc.S --- linux-2.4.23-vs1.00/arch/ppc64/kernel/misc.S Mon Aug 25 13:44:40 2003 +++ linux-2.4.23-vs1.20/arch/ppc64/kernel/misc.S Thu Dec 4 20:16:31 2003 @@ -803,24 +803,74 @@ _GLOBAL(sys_call_table32) .llong .sys_madvise /* 205 */ .llong .sys_mincore /* 206 */ .llong .sys_gettid /* 207 */ -#if 0 /* Reserved syscalls */ - .llong .sys_tkill /* 208 */ - .llong .sys_setxattr - .llong .sys_lsetxattr /* 210 */ - .llong .sys_fsetxattr - .llong .sys_getxattr - .llong .sys_lgetxattr - .llong .sys_fgetxattr - .llong .sys_listxattr /* 215 */ - .llong .sys_llistxattr - .llong .sys_flistxattr - .llong .sys_removexattr - .llong .sys_lremovexattr - .llong .sys_fremovexattr /* 220 */ - .llong .sys_futex -#endif - .llong .sys_perfmonctl /* Put this here for now ... */ - .rept NR_syscalls-222 + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 210 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 215 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 220 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 225 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 230 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 235 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 240 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 245 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 250 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 255 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 260 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 265 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 270 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_vserver /* 273 sys_vserver */ + + .rept NR_syscalls-273 .llong .sys_ni_syscall .endr #endif @@ -1034,23 +1084,73 @@ _GLOBAL(sys_call_table) .llong .sys_madvise /* 205 */ .llong .sys_mincore /* 206 */ .llong .sys_gettid /* 207 */ -#if 0 /* Reserved syscalls */ - .llong .sys_tkill /* 208 */ - .llong .sys_setxattr - .llong .sys_lsetxattr /* 210 */ - .llong .sys_fsetxattr - .llong .sys_getxattr - .llong .sys_lgetxattr - .llong .sys_fgetxattr - .llong .sys_listxattr /* 215 */ - .llong .sys_llistxattr - .llong .sys_flistxattr - .llong .sys_removexattr - .llong .sys_lremovexattr - .llong .sys_fremovexattr /* 220 */ - .llong .sys_futex -#endif - .llong .sys_perfmonctl /* Put this here for now ... */ - .rept NR_syscalls-222 + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 210 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 215 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 220 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 225 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 230 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 235 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 240 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 245 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 250 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 255 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 260 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 265 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_ni_syscall /* 270 */ + .llong .sys_ni_syscall + .llong .sys_ni_syscall + .llong .sys_vserver /* 273 sys_vserver */ + + .rept NR_syscalls-273 .llong .sys_ni_syscall .endr diff -NurpP --minimal linux-2.4.23-vs1.00/arch/ppc64/kernel/ptrace.c linux-2.4.23-vs1.20/arch/ppc64/kernel/ptrace.c --- linux-2.4.23-vs1.00/arch/ppc64/kernel/ptrace.c Fri Jun 13 16:51:32 2003 +++ linux-2.4.23-vs1.20/arch/ppc64/kernel/ptrace.c Thu Dec 4 20:16:31 2003 @@ -115,7 +115,7 @@ int sys_ptrace(long request, long pid, l if (child) get_task_struct(child); read_unlock(&tasklist_lock); - if (!child) + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) goto out; ret = -EPERM; diff -NurpP --minimal linux-2.4.23-vs1.00/arch/sparc/kernel/systbls.S linux-2.4.23-vs1.20/arch/sparc/kernel/systbls.S --- linux-2.4.23-vs1.00/arch/sparc/kernel/systbls.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/sparc/kernel/systbls.S Thu Dec 4 20:16:31 2003 @@ -71,9 +71,9 @@ sys_call_table: /*245*/ .long sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep /*250*/ .long sparc_mremap, sys_sysctl, sys_getsid, sys_fdatasync, sys_nfsservctl /*255*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*260*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*265*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_new_s_context, sys_set_ipv4root +/*260*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall +/*265*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall +/*270*/ .long sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall #ifdef CONFIG_SUNOS_EMUL /* Now the SunOS syscall table. */ diff -NurpP --minimal linux-2.4.23-vs1.00/arch/sparc64/kernel/entry.S linux-2.4.23-vs1.20/arch/sparc64/kernel/entry.S --- linux-2.4.23-vs1.00/arch/sparc64/kernel/entry.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/sparc64/kernel/entry.S Thu Dec 4 20:16:31 2003 @@ -26,7 +26,7 @@ #define curptr g6 -#define NR_SYSCALLS 275 /* Each OS is different... */ +#define NR_SYSCALLS 274 /* Each OS is different... */ .text .align 32 diff -NurpP --minimal linux-2.4.23-vs1.00/arch/sparc64/kernel/ptrace.c linux-2.4.23-vs1.20/arch/sparc64/kernel/ptrace.c --- linux-2.4.23-vs1.00/arch/sparc64/kernel/ptrace.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/sparc64/kernel/ptrace.c Thu Dec 4 20:16:31 2003 @@ -156,7 +156,7 @@ asmlinkage void do_ptrace(struct pt_regs get_task_struct(child); read_unlock(&tasklist_lock); - if (!child || child->s_context != current->s_context) { + if (!child || !vx_check(child->vx_id, VX_WATCH|VX_IDENT)) { pt_error_return(regs, ESRCH); goto out; } diff -NurpP --minimal linux-2.4.23-vs1.00/arch/sparc64/kernel/systbls.S linux-2.4.23-vs1.20/arch/sparc64/kernel/systbls.S --- linux-2.4.23-vs1.00/arch/sparc64/kernel/systbls.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/sparc64/kernel/systbls.S Thu Dec 4 20:16:31 2003 @@ -73,7 +73,7 @@ sys_call_table32: .word sys_aplib, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*260*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_new_s_context, sys_set_ipv4root +/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall /* Now the 64-bit native Linux syscall table. */ @@ -135,7 +135,7 @@ sys_call_table: .word sys_aplib, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall /*260*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_nis_syscall -/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_new_s_context, sys_set_ipv4root +/*270*/ .word sys_nis_syscall, sys_nis_syscall, sys_nis_syscall, sys_vserver, sys_nis_syscall #if defined(CONFIG_SUNOS_EMUL) || defined(CONFIG_SOLARIS_EMUL) || \ defined(CONFIG_SOLARIS_EMUL_MODULE) diff -NurpP --minimal linux-2.4.23-vs1.00/arch/x86_64/ia32/ia32entry.S linux-2.4.23-vs1.20/arch/x86_64/ia32/ia32entry.S --- linux-2.4.23-vs1.00/arch/x86_64/ia32/ia32entry.S Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/arch/x86_64/ia32/ia32entry.S Thu Dec 4 20:16:31 2003 @@ -402,8 +402,8 @@ ia32_sys_call_table: .quad quiet_ni_syscall /* 270 */ .quad quiet_ni_syscall .quad quiet_ni_syscall - .quad sys_new_s_context /* 273 sys_virtual_context */ - .quad sys_set_ipv4root /* 274 borrowed for now */ + .quad sys_vserver /* 273 sys_vserver */ + ia32_syscall_end: .rept IA32_NR_syscalls-(ia32_syscall_end-ia32_sys_call_table)/8 .quad ni_syscall diff -NurpP --minimal linux-2.4.23-vs1.00/arch/x86_64/kernel/sys_x86_64.c linux-2.4.23-vs1.20/arch/x86_64/kernel/sys_x86_64.c --- linux-2.4.23-vs1.00/arch/x86_64/kernel/sys_x86_64.c Fri Nov 28 19:26:19 2003 +++ linux-2.4.23-vs1.20/arch/x86_64/kernel/sys_x86_64.c Thu Dec 4 20:16:31 2003 @@ -108,8 +108,18 @@ unsigned long arch_get_unmapped_area(str asmlinkage long sys_uname(struct new_utsname * name) { int err; + struct new_utsname tmp, *pttmp; + down_read(&uts_sem); - err=copy_to_user(name, &system_utsname, sizeof (*name)); + if (current->s_info) { + tmp = system_utsname; + strcpy (tmp.nodename, current->s_info->nodename); + strcpy (tmp.domainname, current->s_info->domainname); + pttmp = &tmp; + } + else + pttmp = &system_utsname; + err=copy_to_user(name, pttmp, sizeof (*name)); up_read(&uts_sem); if (personality(current->personality) == PER_LINUX32) err = copy_to_user(name->machine, "i686", 5); diff -NurpP --minimal linux-2.4.23-vs1.00/drivers/block/Config.in linux-2.4.23-vs1.20/drivers/block/Config.in --- linux-2.4.23-vs1.00/drivers/block/Config.in Fri Nov 28 19:26:19 2003 +++ linux-2.4.23-vs1.20/drivers/block/Config.in Thu Dec 4 20:16:32 2003 @@ -41,6 +41,7 @@ dep_tristate 'Mylex DAC960/DAC1100 PCI R dep_tristate 'Micro Memory MM5415 Battery Backed RAM support (EXPERIMENTAL)' CONFIG_BLK_DEV_UMEM $CONFIG_PCI $CONFIG_EXPERIMENTAL tristate 'Loopback device support' CONFIG_BLK_DEV_LOOP +tristate 'Virtual Root device support' CONFIG_BLK_DEV_VROOT dep_tristate 'Network block device support' CONFIG_BLK_DEV_NBD $CONFIG_NET tristate 'RAM disk support' CONFIG_BLK_DEV_RAM diff -NurpP --minimal linux-2.4.23-vs1.00/drivers/block/Makefile linux-2.4.23-vs1.20/drivers/block/Makefile --- linux-2.4.23-vs1.00/drivers/block/Makefile Fri Jun 13 16:51:32 2003 +++ linux-2.4.23-vs1.20/drivers/block/Makefile Thu Dec 4 20:16:32 2003 @@ -31,6 +31,7 @@ obj-$(CONFIG_BLK_CPQ_CISS_DA) += cciss. obj-$(CONFIG_BLK_DEV_DAC960) += DAC960.o obj-$(CONFIG_BLK_DEV_UMEM) += umem.o obj-$(CONFIG_BLK_DEV_NBD) += nbd.o +obj-$(CONFIG_BLK_DEV_VROOT) += vroot.o subdir-$(CONFIG_PARIDE) += paride diff -NurpP --minimal linux-2.4.23-vs1.00/drivers/block/vroot.c linux-2.4.23-vs1.20/drivers/block/vroot.c --- linux-2.4.23-vs1.00/drivers/block/vroot.c Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/drivers/block/vroot.c Thu Dec 4 20:16:32 2003 @@ -0,0 +1,329 @@ +/* + * linux/drivers/block/vroot.c + * + * Written by Herbert Pötzl, 9/11/2002 + * + * based on the loop.c code by Theodore Ts'o. + * + * Copyright 2002-2003 by Herbert Pötzl. + * Redistribution of this file is permitted under the + * GNU General Public License. + * + */ + +#define MAJOR_NR VROOT_MAJOR + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "vroot.h" + +static int max_vroot = MAX_VROOT_DEFAULT; +static struct vroot_device *vroot_dev; +static devfs_handle_t devfs_handle; /* For the directory */ + +#ifdef MODULE +typedef kdev_t (*vroot_get_dev_f)(int dev); + +extern int register_vroot_get_dev(vroot_get_dev_f); +extern int unregister_vroot_get_dev(vroot_get_dev_f); + +static kdev_t _vroot_get_dev(int dev) +#else + kdev_t vroot_get_dev(int dev) +#endif +{ + struct vroot_device *vr; + + if (dev >= max_vroot) + return NODEV; + + vr = &vroot_dev[dev]; + if (vr->vr_state != Vr_bound) + return NODEV; + dprintk(KERN_INFO "vroot[%d]_get_dev: dev(%d,%d)\n", + dev, MAJOR(vr->vr_device), MINOR(vr->vr_device)); + return vr->vr_device; +} + +static int vroot_set_dev( + struct vroot_device *vr, + struct file *vr_file, + kdev_t dev, + unsigned int arg) +{ + struct file *file; + struct inode *inode; + int error; + + MOD_INC_USE_COUNT; + + error = -EBUSY; + if (vr->vr_state != Vr_unbound) + goto out; + + error = -EBADF; + file = fget(arg); + if (!file) + goto out; + + error = -EINVAL; + inode = file->f_dentry->d_inode; + + if (S_ISBLK(inode->i_mode)) { + vr->vr_device = inode->i_rdev; + if (vr->vr_device == dev) { + error = -EBUSY; + goto out_fput; + } + } else + goto out_fput; + + dprintk(KERN_INFO "vroot[%d]_set_dev: dev(%d,%d)\n", + vr->vr_number, + MAJOR(inode->i_rdev), MINOR(inode->i_rdev)); + + vr->vr_state = Vr_bound; + fput(file); + return 0; + out_fput: + fput(file); + out: + MOD_DEC_USE_COUNT; + return error; +} + +static int vroot_clr_dev( + struct vroot_device *vr, + struct file *vr_file, + kdev_t dev) +{ + if (vr->vr_state != Vr_bound) + return -ENXIO; + if (vr->vr_refcnt > 1) /* we needed one fd for the ioctl */ + return -EBUSY; + + dprintk(KERN_INFO "vroot[%d]_clr_dev: dev(%d,%d)\n", + vr->vr_number, + MAJOR(vr->vr_device), MINOR(vr->vr_device)); + + vr->vr_state = Vr_unbound; + vr->vr_device = NODEV; + MOD_DEC_USE_COUNT; + return 0; +} + +static int vroot_make_request( + request_queue_t *q, + int rw, + struct buffer_head *rbh) +{ + if (!buffer_locked(rbh)) + BUG(); + + if (MINOR(rbh->b_rdev) >= max_vroot) + goto out; + + dprintk(KERN_WARNING "vroot[%d]_make_request: denied.\n", + MINOR(rbh->b_rdev)); + out: + buffer_IO_error(rbh); + return 0; +} + +static int vr_ioctl( + struct inode * inode, + struct file * file, + unsigned int cmd, + unsigned long arg) +{ + struct vroot_device *vr; + int dev, err; + + if (!inode) + return -EINVAL; + if (MAJOR(inode->i_rdev) != MAJOR_NR) { + dprintk(KERN_WARNING "vr_ioctl: pseudo-major != %d\n", + MAJOR_NR); + return -ENODEV; + } + dev = MINOR(inode->i_rdev); + if (dev >= max_vroot) + return -ENODEV; + vr = &vroot_dev[dev]; + down(&vr->vr_ctl_mutex); + switch (cmd) { + case VROOT_SET_DEV: + err = vroot_set_dev(vr, file, inode->i_rdev, arg); + break; + case VROOT_CLR_DEV: + err = vroot_clr_dev(vr, file, inode->i_rdev); + break; + default: + err = -EINVAL; + break; + } + up(&vr->vr_ctl_mutex); + return err; +} + +static int vr_open( + struct inode *inode, + struct file *file) +{ + struct vroot_device *vr; + int dev; + + if (!inode) + return -EINVAL; + if (MAJOR(inode->i_rdev) != MAJOR_NR) { + dprintk(KERN_WARNING "vr_open: pseudo-major != %d\n", MAJOR_NR); + return -ENODEV; + } + dev = MINOR(inode->i_rdev); + if (dev >= max_vroot) + return -ENODEV; + + vr = &vroot_dev[dev]; + MOD_INC_USE_COUNT; + down(&vr->vr_ctl_mutex); + + vr->vr_refcnt++; + up(&vr->vr_ctl_mutex); + return 0; +} + +static int vr_release( + struct inode *inode, + struct file *file) +{ + struct vroot_device *vr; + int dev; + + if (!inode) + return 0; + if (MAJOR(inode->i_rdev) != MAJOR_NR) { + dprintk(KERN_WARNING "vr_release: pseudo-major != %d\n", + MAJOR_NR); + return 0; + } + dev = MINOR(inode->i_rdev); + if (dev >= max_vroot) + return 0; + + vr = &vroot_dev[dev]; + down(&vr->vr_ctl_mutex); + + vr->vr_refcnt--; + up(&vr->vr_ctl_mutex); + MOD_DEC_USE_COUNT; + return 0; +} + +static struct block_device_operations vr_fops = { + owner: THIS_MODULE, + open: vr_open, + release: vr_release, + ioctl: vr_ioctl, +}; + +/* + * And now the modules code and kernel interface. + */ +MODULE_PARM(max_vroot, "i"); +MODULE_PARM_DESC(max_vroot, "Maximum number of vroot devices (1-256)"); +MODULE_LICENSE("GPL"); + +MODULE_AUTHOR ("Herbert Pötzl"); +MODULE_DESCRIPTION ("Virtual Root Device Mapper"); + + +int __init vroot_init(void) +{ + int i; + + if ((max_vroot < 1) || (max_vroot > 256)) { + printk(KERN_WARNING "vroot: invalid max_vroot (must be between" + " 1 and 256), using default (%d)\n", + MAX_VROOT_DEFAULT); + max_vroot = MAX_VROOT_DEFAULT; + } + + if (devfs_register_blkdev(MAJOR_NR, "vroot", &vr_fops)) { + printk(KERN_WARNING "Unable to get major number %d for vroot" + " device\n", MAJOR_NR); + return -EIO; + } + + devfs_handle = devfs_mk_dir(NULL, "vroot", NULL); + devfs_register_series(devfs_handle, "%u", max_vroot, + DEVFS_FL_DEFAULT, MAJOR_NR, 0, + S_IFBLK | S_IRUSR | S_IWUSR | S_IRGRP, + &vr_fops, NULL); + + vroot_dev = kmalloc(max_vroot * sizeof(struct vroot_device), GFP_KERNEL); + if (!vroot_dev) + return -ENOMEM; + + blk_queue_make_request(BLK_DEFAULT_QUEUE(MAJOR_NR), vroot_make_request); + + for (i = 0; i < max_vroot; i++) { + struct vroot_device *vr = &vroot_dev[i]; + memset(vr, 0, sizeof(struct vroot_device)); + init_MUTEX(&vr->vr_ctl_mutex); + vr->vr_number = i; + vr->vr_state = Vr_unbound; + } + + for (i = 0; i < max_vroot; i++) + register_disk(NULL, MKDEV(MAJOR_NR, i), 1, &vr_fops, 0); + +#ifdef MODULE + register_vroot_get_dev(_vroot_get_dev); +#endif + printk(KERN_INFO "vroot: loaded (max %d devices)\n", max_vroot); + return 0; +} + +void vroot_exit(void) +{ +#ifdef MODULE + unregister_vroot_get_dev(_vroot_get_dev); +#endif + devfs_unregister(devfs_handle); + if (devfs_unregister_blkdev(MAJOR_NR, "vroot")) + printk(KERN_WARNING "vroot: cannot unregister blkdev\n"); + + kfree(vroot_dev); +} + +module_init(vroot_init); +module_exit(vroot_exit); + +#ifndef MODULE +static int __init max_vroot_setup(char *str) +{ + max_vroot = simple_strtol(str, NULL, 0); + return 1; +} + +__setup("max_vroot=", max_vroot_setup); + +#endif diff -NurpP --minimal linux-2.4.23-vs1.00/drivers/block/vroot.h linux-2.4.23-vs1.20/drivers/block/vroot.h --- linux-2.4.23-vs1.00/drivers/block/vroot.h Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/drivers/block/vroot.h Thu Dec 4 20:16:32 2003 @@ -0,0 +1,46 @@ +#ifndef _LINUX_VROOT_H +#define _LINUX_VROOT_H + +#include + +/* + * linux/drivers/block/vroot.h + * + * Written by Herbert Pötzl, 9/11/2002 + * + * Copyright 2002-2003 by Herbert Pötzl. + * Redistribution of this file is permitted under the + * GNU General Public License. + */ + +#ifdef __KERNEL__ + +/* Possible states of device */ +enum { + Vr_unbound, + Vr_bound, +}; + +struct vroot_device { + int vr_number; + int vr_refcnt; + + struct semaphore vr_ctl_mutex; + kdev_t vr_device; + int vr_state; +}; + +#define dprintk(...) /* printk(__VA_ARGS__) */ + +#endif /* __KERNEL__ */ + +#define MAX_VROOT_DEFAULT 8 + +/* + * IOCTL commands --- we will commandeer 0x56 ('V') + */ + +#define VROOT_SET_DEV 0x5600 +#define VROOT_CLR_DEV 0x5601 + +#endif diff -NurpP --minimal linux-2.4.23-vs1.00/fs/Makefile linux-2.4.23-vs1.20/fs/Makefile --- linux-2.4.23-vs1.00/fs/Makefile Mon Aug 25 13:44:43 2003 +++ linux-2.4.23-vs1.20/fs/Makefile Thu Dec 4 20:16:32 2003 @@ -7,7 +7,7 @@ O_TARGET := fs.o -export-objs := filesystems.o open.o dcache.o buffer.o dquot.o +export-objs := filesystems.o open.o dcache.o buffer.o dquot.o quota.o mod-subdirs := nls obj-y := open.o read_write.o devices.o file_table.o buffer.o \ diff -NurpP --minimal linux-2.4.23-vs1.00/fs/devpts/inode.c linux-2.4.23-vs1.20/fs/devpts/inode.c --- linux-2.4.23-vs1.00/fs/devpts/inode.c Sun Nov 30 16:24:39 2003 +++ linux-2.4.23-vs1.20/fs/devpts/inode.c Thu Dec 4 20:16:31 2003 @@ -22,9 +22,9 @@ #include #include #include +#include #include #include -#include #include "devpts_i.h" @@ -184,7 +184,7 @@ static DECLARE_FSTYPE(devpts_fs_type, "d static int devpts_tty_permission(struct inode *inode, int mask) { int ret = -EACCES; - if (current->s_context == inode->u.devpts_i.s_context) + if (vx_check(inode->u.devpts_i.vx_id, VX_IDENT)) ret = vfs_permission(inode, mask); return ret; } @@ -211,7 +211,7 @@ void devpts_pty_new(int number, kdev_t d inode->i_uid = sbi->setuid ? sbi->uid : current->fsuid; inode->i_gid = sbi->setgid ? sbi->gid : current->fsgid; inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME; - inode->u.devpts_i.s_context = current->s_context; + inode->u.devpts_i.vx_id = current->vx_id; inode->i_op = &devpts_tty_inode_operations; init_special_inode(inode, S_IFCHR|sbi->mode, kdev_t_to_nr(device)); diff -NurpP --minimal linux-2.4.23-vs1.00/fs/devpts/root.c linux-2.4.23-vs1.20/fs/devpts/root.c --- linux-2.4.23-vs1.00/fs/devpts/root.c Sun Nov 30 16:24:39 2003 +++ linux-2.4.23-vs1.20/fs/devpts/root.c Thu Dec 4 20:16:31 2003 @@ -66,8 +66,8 @@ static int devpts_root_readdir(struct fi while ( nr - 2 < sbi->max_ptys ) { int ptynr = nr - 2; struct inode *inode = sbi->inodes[ptynr]; - if (inode && (current->s_context == 1 - || inode->u.devpts_i.s_context == current->s_context)) { + if (inode && vx_check(inode->u.devpts_i.vx_id, + VX_WATCH|VX_IDENT)) { genptsname(numbuf, ptynr); if ( filldir(dirent, numbuf, strlen(numbuf), nr, nr, DT_CHR) < 0 ) return 0; @@ -131,7 +131,7 @@ static struct dentry *devpts_root_lookup return NULL; inode = sbi->inodes[entry]; - if (inode && inode->u.devpts_i.s_context == current->s_context) + if (inode && vx_check(inode->u.devpts_i.vx_id, VX_IDENT)) atomic_inc(&inode->i_count); else inode = NULL; diff -NurpP --minimal linux-2.4.23-vs1.00/fs/ext2/inode.c linux-2.4.23-vs1.20/fs/ext2/inode.c --- linux-2.4.23-vs1.00/fs/ext2/inode.c Sun Nov 30 16:24:41 2003 +++ linux-2.4.23-vs1.20/fs/ext2/inode.c Thu Dec 4 20:16:31 2003 @@ -64,7 +64,7 @@ void ext2_delete_inode (struct inode * i ext2_update_inode(inode, IS_SYNC(inode)); inode->i_size = 0; if (inode->i_blocks) - ext2_truncate_nocheck (inode); + ext2_truncate_nocheck(inode); ext2_free_inode (inode); unlock_kernel(); @@ -788,7 +788,7 @@ static void ext2_free_branches(struct in ext2_free_data(inode, p, q); } -static void ext2_truncate_nocheck (struct inode * inode) +static void ext2_truncate_nocheck(struct inode * inode) { u32 *i_data = inode->u.ext2_i.i_data; int addr_per_block = EXT2_ADDR_PER_BLOCK(inode->i_sb); @@ -881,7 +881,7 @@ void ext2_truncate (struct inode * inode { if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode)) return; - ext2_truncate_nocheck (inode); + ext2_truncate_nocheck(inode); } void ext2_set_inode_flags(struct inode *inode) diff -NurpP --minimal linux-2.4.23-vs1.00/fs/ext3/inode.c linux-2.4.23-vs1.20/fs/ext3/inode.c --- linux-2.4.23-vs1.00/fs/ext3/inode.c Sun Nov 30 16:24:41 2003 +++ linux-2.4.23-vs1.20/fs/ext3/inode.c Thu Dec 4 20:16:31 2003 @@ -2004,7 +2004,7 @@ void ext3_truncate(struct inode * inode) { if (IS_APPEND(inode) || IS_IMMUTABLE_FILE(inode)) return; - ext3_truncate_nocheck (inode); + ext3_truncate_nocheck(inode); } /* diff -NurpP --minimal linux-2.4.23-vs1.00/fs/namei.c linux-2.4.23-vs1.20/fs/namei.c --- linux-2.4.23-vs1.00/fs/namei.c Sun Nov 30 16:24:41 2003 +++ linux-2.4.23-vs1.20/fs/namei.c Thu Dec 4 20:16:31 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -158,9 +159,9 @@ int vfs_permission(struct inode * inode, chmod 000 /vservers you fix the "escape from chroot" bug. */ - if ((mode & 0777) == 0 - && S_ISDIR(mode) - && current->s_context != 0) return -EACCES; + if ((mode & 0777) == 0 && S_ISDIR(mode) + && !vx_check(0, VX_ADMIN)) + return -EACCES; if (mask & MAY_WRITE) { /* * Nobody gets write access to a read-only fs. diff -NurpP --minimal linux-2.4.23-vs1.00/fs/proc/array.c linux-2.4.23-vs1.20/fs/proc/array.c --- linux-2.4.23-vs1.00/fs/proc/array.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/fs/proc/array.c Thu Dec 4 20:16:31 2003 @@ -300,32 +300,36 @@ int proc_pid_status(struct task_struct * } buffer = task_sig(task, buffer); buffer = task_cap(task, buffer); -#ifdef __NR_new_s_context if (task->s_info) { int i; - buffer += sprintf (buffer,"s_context: %d [",task->s_context); + + buffer += sprintf (buffer,"s_context: %d [", task->vx_id); for (i=0; is_info->s_context[i]; - if (ctx == 0) break; + int ctx = task->s_info->vx_id[i]; + + if (ctx == 0) + break; buffer += sprintf (buffer," %d",ctx); } *buffer++ = ']'; *buffer++ = '\n'; buffer += sprintf (buffer,"ctxticks: %d %ld %d\n" - ,atomic_read(&task->s_info->ticks),task->counter - ,task->s_info->refcount); + ,atomic_read(&task->s_info->ticks) + ,task->counter + ,atomic_read(&task->s_info->refcount)); buffer += sprintf (buffer,"ctxflags: %d\n" ,task->s_info->flags); buffer += sprintf (buffer,"initpid: %d\n" ,task->s_info->initpid); } else { - buffer += sprintf (buffer,"s_context: %d\n",task->s_context); + buffer += sprintf (buffer,"s_context: %d\n", task->vx_id); buffer += sprintf (buffer,"ctxticks: none\n"); buffer += sprintf (buffer,"ctxflags: none\n"); buffer += sprintf (buffer,"initpid: none\n"); } if (task->ip_info) { int i; + buffer += sprintf (buffer,"ipv4root:"); for (i=0; iip_info->nbipv4; i++){ buffer += sprintf (buffer," %08x/%08x" @@ -341,9 +345,6 @@ int proc_pid_status(struct task_struct * buffer += sprintf (buffer,"ipv4root: 0\n"); buffer += sprintf (buffer,"ipv4root_bcast: 0\n"); } - buffer += sprintf (buffer,"__NR_new_s_context: %d\n",__NR_new_s_context); - buffer += sprintf (buffer,"__NR_set_ipv4root: %d rev3\n",__NR_set_ipv4root); -#endif #if defined(CONFIG_ARCH_S390) buffer = task_show_regs(task, buffer); #endif diff -NurpP --minimal linux-2.4.23-vs1.00/fs/proc/base.c linux-2.4.23-vs1.20/fs/proc/base.c --- linux-2.4.23-vs1.00/fs/proc/base.c Sun Nov 30 16:24:41 2003 +++ linux-2.4.23-vs1.20/fs/proc/base.c Thu Dec 4 20:16:31 2003 @@ -1078,8 +1078,7 @@ struct dentry *proc_pid_lookup(struct in if (!task) goto out; - if (pid != 1 && current->s_context != 1 - && task->s_context != current->s_context) { + if (pid != 1 && !vx_check(task->vx_id, VX_WATCH|VX_IDENT)) { free_task_struct(task); goto out; } @@ -1136,9 +1135,7 @@ static int get_pid_list(int index, unsig /* send any signal either */ /* A process with security context 1 can see all processes */ - if (pid != 1 - && current->s_context != 1 - && p->s_context != current->s_context) + if (pid != 1 && !vx_check(p->vx_id, VX_WATCH|VX_IDENT)) continue; /* We hide the fakeinit process since we show it as process 1 */ if (current->s_info && current->s_info->initpid == pid) diff -NurpP --minimal linux-2.4.23-vs1.00/fs/quota.c linux-2.4.23-vs1.20/fs/quota.c --- linux-2.4.23-vs1.00/fs/quota.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/fs/quota.c Thu Dec 4 20:16:32 2003 @@ -14,6 +14,10 @@ #include #include +#include +#include +#include + struct dqstats dqstats; /* Check validity of quotactl */ @@ -104,6 +108,51 @@ static int check_quotactl_valid(struct s return 0; } +#if defined(CONFIG_BLK_DEV_VROOT) || defined(CONFIG_BLK_DEV_VROOT_MODULE) +#if defined(CONFIG_BLK_DEV_VROOT_MODULE) + +static rwlock_t dquot_vroot_lock = RW_LOCK_UNLOCKED; + +typedef kdev_t (*vroot_get_dev_f)(int dev); + +static vroot_get_dev_f vroot_get_dev = NULL; + +int register_vroot_get_dev(vroot_get_dev_f func) +{ + int ret = -EBUSY; + + write_lock(&dquot_vroot_lock); + if (!vroot_get_dev) { + vroot_get_dev = func; + ret = 0; + } + write_unlock(&dquot_vroot_lock); + return ret; +} + +int unregister_vroot_get_dev(vroot_get_dev_f func) +{ + int ret = -EINVAL; + + write_lock(&dquot_vroot_lock); + if (vroot_get_dev == func) { + vroot_get_dev = NULL; + ret = 0; + } + write_unlock(&dquot_vroot_lock); + return ret; +} + +EXPORT_SYMBOL(register_vroot_get_dev); +EXPORT_SYMBOL(unregister_vroot_get_dev); + +#else /* CONFIG_BLK_DEV_VROOT */ + +extern kdev_t vroot_get_dev(int dev); + +#endif +#endif + /* Resolve device pathname to superblock */ static struct super_block *resolve_dev(const char *path) { @@ -124,6 +173,21 @@ static struct super_block *resolve_dev(c ret = -ENOTBLK; if (!S_ISBLK(mode)) goto out; + +#if defined(CONFIG_BLK_DEV_VROOT) || defined(CONFIG_BLK_DEV_VROOT_MODULE) + if (MAJOR(dev) == VROOT_MAJOR) { + ret = -ENODEV; +#ifdef CONFIG_BLK_DEV_VROOT_MODULE + read_lock(&dquot_vroot_lock); + dev = (vroot_get_dev) ? vroot_get_dev(MINOR(dev)) : NODEV; + read_unlock(&dquot_vroot_lock); +#else + dev = vroot_get_dev(MINOR(dev)); +#endif + if (dev == NODEV) + goto out; + } +#endif ret = -ENODEV; sb = get_super(dev); if (!sb) @@ -308,11 +372,11 @@ static int check_compat_quotactl_valid(s if (cmd == Q_V1_GETQUOTA || cmd == Q_V2_GETQUOTA) { if (((type == USRQUOTA && current->euid != id) || (type == GRPQUOTA && !in_egroup_p(id))) && - !capable(CAP_SYS_ADMIN)) + !capable(CAP_SYS_ADMIN) && !capable(CAP_QUOTACTL)) return -EPERM; } else if (cmd != Q_V1_GETSTATS && cmd != Q_V2_GETSTATS && cmd != Q_V2_GETINFO && cmd != Q_COMP_SYNC) - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_QUOTACTL)) return -EPERM; return 0; } diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-alpha/unistd.h linux-2.4.23-vs1.20/include/asm-alpha/unistd.h --- linux-2.4.23-vs1.00/include/asm-alpha/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-alpha/unistd.h Thu Dec 4 20:16:31 2003 @@ -233,8 +233,7 @@ #define __NR_osf_memcntl 260 /* not implemented */ #define __NR_osf_fdatasync 261 /* not implemented */ -#define __NR_new_s_context 273 -#define __NR_set_ipv4root 274 +#define __NR_vserver 273 /* * Linux-specific system calls begin at 300 diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-i386/unistd.h linux-2.4.23-vs1.20/include/asm-i386/unistd.h --- linux-2.4.23-vs1.00/include/asm-i386/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-i386/unistd.h Thu Dec 4 20:16:31 2003 @@ -257,8 +257,8 @@ #define __NR_alloc_hugepages 250 #define __NR_free_hugepages 251 #define __NR_exit_group 252 -#define __NR_new_s_context 273 -#define __NR_set_ipv4root 274 + +#define __NR_vserver 273 /* user-visible error numbers are in the range -1 - -124: see */ diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-parisc/unistd.h linux-2.4.23-vs1.20/include/asm-parisc/unistd.h --- linux-2.4.23-vs1.00/include/asm-parisc/unistd.h Fri Jun 13 16:51:38 2003 +++ linux-2.4.23-vs1.20/include/asm-parisc/unistd.h Thu Dec 4 20:16:31 2003 @@ -702,7 +702,9 @@ #define __NR_readahead (__NR_Linux + 207) #define __NR_tkill (__NR_Linux + 208) -#define __NR_Linux_syscalls 208 +#define __NR_vserver (__NR_Linux + 273) + +#define __NR_Linux_syscalls 274 #define HPUX_GATEWAY_ADDR 0xC0000004 #define LINUX_GATEWAY_ADDR 0x100 diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-ppc/unistd.h linux-2.4.23-vs1.20/include/asm-ppc/unistd.h --- linux-2.4.23-vs1.00/include/asm-ppc/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-ppc/unistd.h Thu Dec 4 20:16:31 2003 @@ -256,8 +256,8 @@ #define __NR_clock_nanosleep 248 #endif #define __NR_swapcontext 249 -#define __NR_new_s_context 273 -#define __NR_set_ipv4root 274 + +#define __NR_vserver 273 #define __NR(n) #n diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-ppc64/unistd.h linux-2.4.23-vs1.20/include/asm-ppc64/unistd.h --- linux-2.4.23-vs1.00/include/asm-ppc64/unistd.h Fri Nov 28 19:26:21 2003 +++ linux-2.4.23-vs1.20/include/asm-ppc64/unistd.h Thu Dec 4 20:16:31 2003 @@ -244,6 +244,7 @@ #define __NR_alloc_hugepages 232 #define __NR_free_hugepages 233 #define __NR_exit_group 234 +#define __NR_vserver 273 /* On powerpc a system call basically clobbers the same registers like a * function call, with the exception of LR (which is needed for the diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-sparc/unistd.h linux-2.4.23-vs1.20/include/asm-sparc/unistd.h --- linux-2.4.23-vs1.00/include/asm-sparc/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-sparc/unistd.h Thu Dec 4 20:16:31 2003 @@ -271,8 +271,8 @@ #define __NR_fdatasync 253 #define __NR_nfsservctl 254 #define __NR_aplib 255 -#define __NR_new_s_context 273 -#define __NR_set_ipv4root 274 + +#define __NR_vserver 273 #define _syscall0(type,name) \ type name(void) \ diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-sparc64/unistd.h linux-2.4.23-vs1.20/include/asm-sparc64/unistd.h --- linux-2.4.23-vs1.00/include/asm-sparc64/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-sparc64/unistd.h Thu Dec 4 20:16:31 2003 @@ -273,8 +273,8 @@ #define __NR_fdatasync 253 #define __NR_nfsservctl 254 #define __NR_aplib 255 -#define __NR_new_s_context 273 -#define __NR_set_ipv4root 274 + +#define __NR_vserver 273 #define _syscall0(type,name) \ type name(void) \ diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-x86_64/ia32_unistd.h linux-2.4.23-vs1.20/include/asm-x86_64/ia32_unistd.h --- linux-2.4.23-vs1.00/include/asm-x86_64/ia32_unistd.h Fri Jun 13 16:51:38 2003 +++ linux-2.4.23-vs1.20/include/asm-x86_64/ia32_unistd.h Thu Dec 4 20:16:31 2003 @@ -250,6 +250,8 @@ #define __NR_ia32_sched_setaffinity 241 #define __NR_ia32_sched_getaffinity 242 -#define IA32_NR_syscalls 245 +#define __NR_ia32_vserver 273 + +#define IA32_NR_syscalls 274 #endif /* _ASM_X86_64_IA32_UNISTD_H_ */ diff -NurpP --minimal linux-2.4.23-vs1.00/include/asm-x86_64/unistd.h linux-2.4.23-vs1.20/include/asm-x86_64/unistd.h --- linux-2.4.23-vs1.00/include/asm-x86_64/unistd.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/asm-x86_64/unistd.h Thu Dec 4 20:16:31 2003 @@ -499,12 +499,11 @@ __SYSCALL(__NR_getdents64, sys_getdents6 __SYSCALL(__NR_restart_syscall, sys_ni_syscall) #define __NR_semtimedop 220 __SYSCALL(__NR_semtimedop, sys_semtimedop) -#define __NR_new_s_context 273 -__SYSCALL(__NR_new_s_context, sys_new_s_context) -#define __NR_set_ipv4root 274 -__SYSCALL(__NR_set_ipv4root, sys_set_ipv4root) -#define __NR_syscall_max __NR_set_ipv4root +#define __NR_vserver 273 +__SYSCALL(__NR_vserver, sys_vserver) + +#define __NR_syscall_max __NR_vserver #ifndef __NO_STUBS diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/devpts_fs_info.h linux-2.4.23-vs1.20/include/linux/devpts_fs_info.h --- linux-2.4.23-vs1.00/include/linux/devpts_fs_info.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/linux/devpts_fs_info.h Thu Dec 4 20:16:31 2003 @@ -1,4 +1,4 @@ struct devpts_inode_info { - int s_context; + int vx_id; }; diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/ext2_fs.h linux-2.4.23-vs1.20/include/linux/ext2_fs.h --- linux-2.4.23-vs1.00/include/linux/ext2_fs.h Mon Dec 1 04:53:37 2003 +++ linux-2.4.23-vs1.20/include/linux/ext2_fs.h Thu Dec 4 20:19:47 2003 @@ -198,7 +198,7 @@ struct ext2_group_desc #define EXT2_ECOMPR_FL 0x00000800 /* Compression error */ /* End compression flags --- maybe not all used */ #define EXT2_BTREE_FL 0x00001000 /* btree format dir */ -#define EXT2_IMMUTABLE_LINK_FL 0x00008000 /* Immutable link */ +#define EXT2_IMMUTABLE_LINK_FL 0x00008000 /* Immutable link */ #define EXT2_RESERVED_FL 0x80000000 /* reserved for ext2 lib */ #define EXT2_FL_USER_VISIBLE 0x00009FFF /* User visible flags */ diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/major.h linux-2.4.23-vs1.20/include/linux/major.h --- linux-2.4.23-vs1.00/include/linux/major.h Fri Jun 13 16:51:38 2003 +++ linux-2.4.23-vs1.20/include/linux/major.h Thu Dec 4 20:16:32 2003 @@ -24,6 +24,7 @@ #define PTY_SLAVE_MAJOR 3 #define HD_MAJOR IDE0_MAJOR #define TTY_MAJOR 4 +#define VROOT_MAJOR 4 #define TTYAUX_MAJOR 5 #define LP_MAJOR 6 #define VCS_MAJOR 7 diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/sched.h linux-2.4.23-vs1.20/include/linux/sched.h --- linux-2.4.23-vs1.00/include/linux/sched.h Sun Nov 30 16:25:10 2003 +++ linux-2.4.23-vs1.20/include/linux/sched.h Thu Dec 4 20:18:33 2003 @@ -85,6 +85,7 @@ extern int last_pid; #endif #include +#include #define TASK_RUNNING 0 #define TASK_INTERRUPTIBLE 1 @@ -270,7 +271,7 @@ struct user_struct { /* Hash table maintenance information */ struct user_struct *next, **pprev; uid_t uid; - int s_context; + int vx_id; }; #define get_current_user() ({ \ @@ -279,61 +280,8 @@ struct user_struct { __user; }) -/* - We may have a different domainname and nodename for each security - context. By default, a security context share the same as its - parent, potentially the information in system_utsname -*/ -#define S_CTX_INFO_LOCK 1 /* Can't request a new s_context */ -#define S_CTX_INFO_SCHED 2 /* All process in the s_context */ - /* Contribute to the schedular */ -#define S_CTX_INFO_NPROC 4 /* Limit number of processes in a context */ -#define S_CTX_INFO_PRIVATE 8 /* Noone can join this security context */ -#define S_CTX_INFO_INIT 16 /* This process wants to become the */ - /* logical process 1 of the security */ - /* context */ -#define S_CTX_INFO_HIDEINFO 32 /* Hide some information in /proc */ -#define S_CTX_INFO_ULIMIT 64 /* Use ulimit of the current process */ - /* to become the global limits */ - /* of the context */ - -#define NB_IPV4ROOT 16 -#define NB_S_CONTEXT 16 - -struct context_info { - int refcount; - short int s_context[NB_S_CONTEXT];/* root is allowed to switch the current */ - /* security context using any in this table */ - unsigned long rlim[RLIM_NLIMITS]; /* Per context limit */ - atomic_t res[RLIM_NLIMITS]; /* Current value */ - char nodename[65]; - char domainname[65]; - int flags; /* S_CTX_INFO_xxx */ - atomic_t ticks; /* Number of ticks used by all process */ - /* in the s_context */ - int initpid; /* PID of the logical process 1 of the */ - /* of the context */ - void *data1; - void *data2; - void *data3; - void *data4; -}; - -struct iproot_info { - unsigned long mark; /* Special signature for debugging */ - atomic_t refcount; - int nbipv4; - __u32 ipv4[NB_IPV4ROOT];/* Process can only bind to these IPs */ - /* The first one is used to connect */ - /* and for bind any service */ - /* The other must be used explicity when */ - /* binding */ - __u32 mask[NB_IPV4ROOT];/* Netmask for each ipv4 */ - /* Used to select the proper source address */ - /* for sockets */ - __u32 v4_bcast; /* Broadcast address used to receive UDP packets */ -}; - +struct context_info; +struct iproot_info; extern struct user_struct root_user; #define INIT_USER (&root_user) @@ -462,9 +410,8 @@ struct task_struct { unsigned long sas_ss_sp; size_t sas_ss_size; int (*notifier)(void *priv); -/* Field to make virtual server running in chroot more isolated */ - int s_context; /* Process can only deal with other processes */ - /* with the same s_context */ + int vx_id; /* Process can only deal with other processes */ + /* with the same vx_id */ __u32 cap_bset; /* Maximum capability of this process and children */ struct context_info *s_info; struct iproot_info *ip_info; @@ -1008,14 +955,6 @@ static inline char * d_path(struct dentr mntput(rootmnt); return res; } - -/* Manage the reference count of the context_info pointer */ -void sys_release_s_info (struct task_struct *); -void sys_assign_s_info (struct task_struct *); -void sys_alloc_s_info (void); -void sys_release_ip_info (struct iproot_info *); -void sys_assign_ip_info (struct iproot_info *); -void sys_alloc_ip_info (void); static inline int need_resched(void) { diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/sys.h linux-2.4.23-vs1.20/include/linux/sys.h --- linux-2.4.23-vs1.00/include/linux/sys.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/include/linux/sys.h Thu Dec 4 20:16:31 2003 @@ -4,7 +4,7 @@ /* * system call entry points ... but not all are defined */ -#define NR_syscalls 275 +#define NR_syscalls 274 /* * These are system calls that will be removed at some time diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/sysctl.h linux-2.4.23-vs1.20/include/linux/sysctl.h --- linux-2.4.23-vs1.00/include/linux/sysctl.h Tue Dec 2 08:47:40 2003 +++ linux-2.4.23-vs1.20/include/linux/sysctl.h Thu Dec 4 20:18:36 2003 @@ -128,6 +128,7 @@ enum KERN_PPC_L3CR=57, /* l3cr register on PPC */ KERN_EXCEPTION_TRACE=58, /* boolean: exception trace */ KERN_CORE_SETUID=59, /* int: set to allow core dumps of setuid apps */ + KERN_VSHELPER=60, /* string: path to vshelper policy agent */ }; diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/vcontext.h linux-2.4.23-vs1.20/include/linux/vcontext.h --- linux-2.4.23-vs1.00/include/linux/vcontext.h Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/include/linux/vcontext.h Thu Dec 4 20:18:33 2003 @@ -0,0 +1,114 @@ +#ifndef _VX_CONTEXT_H +#define _VX_CONTEXT_H + +/* + We may have a different domainname and nodename for each security + context. By default, a security context share the same as its + parent, potentially the information in system_utsname +*/ +#define VX_INFO_LOCK 1 /* Can't request a new vx_id */ +#define VX_INFO_SCHED 2 /* All process in the vx_id */ + /* Contribute to the schedular */ +#define VX_INFO_NPROC 4 /* Limit number of processes in a context */ +#define VX_INFO_PRIVATE 8 /* Noone can join this security context */ +#define VX_INFO_INIT 16 /* This process wants to become the */ + /* logical process 1 of the security */ + /* context */ +#define VX_INFO_HIDEINFO 32 /* Hide some information in /proc */ +#define VX_INFO_ULIMIT 64 /* Use ulimit of the current process */ + /* to become the global limits */ + /* of the context */ + +#define MAX_S_CONTEXT 65535 /* Arbitrary limit */ +#define MIN_D_CONTEXT 49152 /* dynamic contexts start here */ + +#define NB_S_CONTEXT 16 + +#define NB_IPV4ROOT 16 + +#include +#include + +struct context_info { + atomic_t refcount; + short int vx_id[NB_S_CONTEXT];/* root is allowed to switch the current */ + /* security context using any in this table */ + unsigned long rlim[RLIM_NLIMITS]; /* Per context limit */ + atomic_t res[RLIM_NLIMITS]; /* Current value */ + struct proc_dir_entry *procent; + char nodename[65]; + char domainname[65]; + int flags; /* VX_INFO_xxx */ + atomic_t ticks; /* Number of ticks used by all process */ + /* in the vx_id */ + int initpid; /* PID of the logical process 1 of the */ + /* of the context */ + int nr_threads; + unsigned long total_forks; + unsigned int bias_cswtch; + long bias_jiffies; + long bias_idle; + void *data1; + void *data2; + void *data3; + void *data4; +}; + +struct iproot_info { + unsigned long mark; /* Special signature for debugging */ + atomic_t refcount; + int nbipv4; + __u32 ipv4[NB_IPV4ROOT];/* Process can only bind to these IPs */ + /* The first one is used to connect */ + /* and for bind any service */ + /* The other must be used explicity when */ + /* binding */ + __u32 mask[NB_IPV4ROOT];/* Netmask for each ipv4 */ + /* Used to select the proper source address */ + /* for sockets */ + __u32 v4_bcast; /* Broadcast address used to receive UDP packets */ +}; + + +#define VX_ADMIN 0x0001 +#define VX_WATCH 0x0002 + +#define VX_IDENT 0x0010 +#define VX_EQUIV 0x0020 +#define VX_PARENT 0x0040 +#define VX_CHILD 0x0080 + +#define VX_ARG_MASK 0x00F0 + +#include + +/* required to resolve recursive dependancies */ +#define vx_check(c,m) __vx_check(current->vx_id,c,m) + +/* + * check current context for ADMIN/WATCH and + * optionally agains supplied argument + */ +static inline int __vx_check(int cctx, int ctx, unsigned int mode) +{ + if (mode & VX_ARG_MASK) { + if ((mode & VX_IDENT) && (ctx == cctx)) + return 1; + if ((mode & VX_EQUIV) && (ctx == cctx)) + return 1; + } + return (((mode & VX_ADMIN) && (cctx == 0)) || + ((mode & VX_WATCH) && (cctx == 1))); +} + + +void vx_assign_info(struct task_struct *); +void vx_release_info(struct task_struct *); + +void vx_assign_ip_info(struct iproot_info *); +void vx_release_ip_info(struct iproot_info *); + +int vc_new_s_context(uint32_t, void *); +int vc_set_ipv4root(uint32_t, void *); + +#endif diff -NurpP --minimal linux-2.4.23-vs1.00/include/linux/vswitch.h linux-2.4.23-vs1.20/include/linux/vswitch.h --- linux-2.4.23-vs1.00/include/linux/vswitch.h Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/include/linux/vswitch.h Thu Dec 4 20:18:45 2003 @@ -0,0 +1,122 @@ +#ifndef _LINUX_VIRTUAL_H +#define _LINUX_VIRTUAL_H + +#include +#include + +#define VC_CATEGORY(c) (((c) >> 24) & 0x3F) +#define VC_COMMAND(c) (((c) >> 16) & 0xFF) +#define VC_VERSION(c) ((c) & 0xFFF) + +#define VC_CMD(c,i,v) ((((VC_CAT_ ## c) & 0x3F) << 24) \ + | (((i) & 0xFF) << 16) | ((v) & 0xFFF)) + +/* + + Syscall Matrix V2.3 + + |VERSION|CREATE |MODIFY |MIGRATE|CONTROL|EXPERIM| |SPECIAL|SPECIAL| + |STATS |DESTROY|ALTER |CHANGE |LIMIT |TEST | | | | + |INFO |SETUP | |MOVE | | | | | | + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + SYSTEM |VERSION| | | | | | |DEVICES| | + HOST | 00| 01| 02| 03| 04| 05| | 06| 07| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + CPU | | | | | | | |SCHED. | | + PROCESS| 08| 09| 10| 11| 12| 13| | 14| 15| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + MEMORY | | | | | | | |SWAP | | + | 16| 17| 18| 19| 20| 21| | 22| 23| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + NETWORK| | | | | | | |SERIAL | | + | 24| 25| 26| 27| 28| 29| | 30| 31| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + DISK | | | | | | | | | | + VFS | 32| 33| 34| 35| 36| 37| | 38| 39| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + OTHER | | | | | | | | | | + | 40| 41| 42| 43| 44| 45| | 46| 47| + =======+=======+=======+=======+=======+=======+=======+ +=======+=======+ + SPECIAL| | | | | | | | | | + | 48| 49| 50| 51| 52| 53| | 54| 55| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + SPECIAL| | | | |RLIMIT |SYSCALL| | |COMPAT | + | 56| 57| 58| 59| 60|TEST 61| | 62| 63| + -------+-------+-------+-------+-------+-------+-------+ +-------+-------+ + +*/ + +#define VC_CAT_VERSION 0 + +#define VC_CAT_PROCTRL 12 + +#define VC_CAT_RLIMIT 60 + +#define VC_CAT_SYSTEST 61 +#define VC_CAT_COMPAT 63 + +/* interface version */ + +#define VCI_VERSION 0x00010004 + + + +/* query version */ + +#define VCMD_get_version VC_CMD(VERSION, 0, 0) + + +/* compatibiliy vserver commands */ + +#define VCMD_new_s_context VC_CMD(COMPAT, 1, 1) +#define VCMD_set_ipv4root VC_CMD(COMPAT, 2, 3) + +/* compatibiliy vserver arguments */ + +struct vcmd_new_s_context_v1 { + uint32_t remove_cap; + uint32_t flags; +}; + +struct vcmd_set_ipv4root_v3 { + /* number of pairs in id */ + uint32_t broadcast; + struct { + uint32_t ip; + uint32_t mask; + } ip_mask_pair[NB_IPV4ROOT]; +}; + +/* context signalling */ + +#define VCMD_ctx_kill VC_CMD(PROCTRL, 1, 0) + +struct vcmd_ctx_kill_v0 { + int32_t pid; + int32_t sig; +}; + +/* rlimit vserver commands */ + +#define VCMD_get_rlimit VC_CMD(RLIMIT, 1, 0) +#define VCMD_set_rlimit VC_CMD(RLIMIT, 2, 0) +#define VCMD_get_rlimit_mask VC_CMD(RLIMIT, 3, 0) + +struct vcmd_ctx_rlimit_v0 { + uint32_t id; + uint64_t minimum; + uint64_t softlimit; + uint64_t maximum; +}; + +struct vcmd_ctx_rlimit_mask_v0 { + uint32_t minimum; + uint32_t softlimit; + uint32_t maximum; +}; + +#define CRLIM_INFINITY (~0ULL) +#define CRLIM_KEEP (~1ULL) + + +#endif /* _LINUX_VIRTUAL_H */ diff -NurpP --minimal linux-2.4.23-vs1.00/include/net/ip.h linux-2.4.23-vs1.20/include/net/ip.h --- linux-2.4.23-vs1.00/include/net/ip.h Tue Dec 2 08:49:44 2003 +++ linux-2.4.23-vs1.20/include/net/ip.h Thu Dec 4 20:20:46 2003 @@ -29,6 +29,7 @@ #include #include #include +#include #include #include diff -NurpP --minimal linux-2.4.23-vs1.00/include/net/route.h linux-2.4.23-vs1.20/include/net/route.h --- linux-2.4.23-vs1.00/include/net/route.h Mon Dec 1 04:54:35 2003 +++ linux-2.4.23-vs1.20/include/net/route.h Thu Dec 4 20:20:46 2003 @@ -32,6 +32,7 @@ #include #include #include +#include #ifndef __KERNEL__ #warning This file is not supposed to be used outside of kernel. @@ -170,7 +171,7 @@ static inline int ip_route_connect(struc if (ip_info != NULL) { __u32 ipv4root = ip_info->ipv4[0]; if (ipv4root != 0) { - int n=ip_info->nbipv4; + int n = ip_info->nbipv4; if (src == 0) { if (n > 1) { u32 foundsrc; @@ -197,10 +198,10 @@ static inline int ip_route_connect(struc for (i=0; iipv4[i] == src) break; } - if (i==n) + if (i == n) return -EPERM; } - if (dst == 0x0100007f && current->s_context != 0) + if (dst == 0x0100007f && !vx_check(0, VX_ADMIN)) dst = ipv4root; } } diff -NurpP --minimal linux-2.4.23-vs1.00/include/net/sock.h linux-2.4.23-vs1.20/include/net/sock.h --- linux-2.4.23-vs1.00/include/net/sock.h Mon Dec 1 04:53:14 2003 +++ linux-2.4.23-vs1.20/include/net/sock.h Thu Dec 4 20:19:23 2003 @@ -691,7 +691,7 @@ struct sock { void *user_data; /* Context of process creating this socket */ - int s_context; + int vx_id; /* Callbacks */ void (*state_change)(struct sock *sk); diff -NurpP --minimal linux-2.4.23-vs1.00/include/net/tcp.h linux-2.4.23-vs1.20/include/net/tcp.h --- linux-2.4.23-vs1.00/include/net/tcp.h Mon Dec 1 05:05:58 2003 +++ linux-2.4.23-vs1.20/include/net/tcp.h Thu Dec 4 20:21:46 2003 @@ -192,7 +192,7 @@ struct tcp_tw_bucket { struct in6_addr v6_daddr; struct in6_addr v6_rcv_saddr; #endif - int s_context; + int vx_id; }; extern kmem_cache_t *tcp_timewait_cachep; diff -NurpP --minimal linux-2.4.23-vs1.00/ipc/util.c linux-2.4.23-vs1.20/ipc/util.c --- linux-2.4.23-vs1.00/ipc/util.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/ipc/util.c Thu Dec 4 20:16:31 2003 @@ -93,7 +93,7 @@ int ipc_findkey(struct ipc_ids* ids, key struct kern_ipc_perm* p; for (id = 0; id <= ids->max_id; id++) { - if (ids->entries[id].s_context != current->s_context) + if (!vx_check(ids->entries[id].vx_id, VX_IDENT)) continue; p = ids->entries[id].p; if(p==NULL) @@ -169,7 +169,7 @@ found: spin_lock(&ids->ary); ids->entries[id].p = new; - ids->entries[id].s_context = current->s_context; + ids->entries[id].vx_id = current->vx_id; return id; } diff -NurpP --minimal linux-2.4.23-vs1.00/ipc/util.h linux-2.4.23-vs1.20/ipc/util.h --- linux-2.4.23-vs1.00/ipc/util.h Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/ipc/util.h Thu Dec 4 20:23:04 2003 @@ -5,6 +5,8 @@ * ipc helper functions (c) 1999 Manfred Spraul */ +#include + #define USHRT_MAX 0xffff #define SEQ_MULTIPLIER (IPCMNI) @@ -25,7 +27,7 @@ struct ipc_ids { struct ipc_id { struct kern_ipc_perm* p; - int s_context; // Context owning this ID + int vx_id; // Context owning this ID }; @@ -75,9 +77,8 @@ extern inline struct kern_ipc_perm* ipc_ spin_lock(&ids->ary); out = ids->entries[lid].p; - if (out==NULL - || (ids->entries[lid].s_context != current->s_context - && current->s_context != 1)) { + if (out==NULL || + !vx_check(ids->entries[lid].vx_id, VX_WATCH|VX_IDENT)) { spin_unlock(&ids->ary); out = NULL; } diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/Makefile linux-2.4.23-vs1.20/kernel/Makefile --- linux-2.4.23-vs1.00/kernel/Makefile Mon Sep 17 06:22:40 2001 +++ linux-2.4.23-vs1.20/kernel/Makefile Thu Dec 4 20:16:31 2003 @@ -14,7 +14,7 @@ export-objs = signal.o sys.o kmod.o cont obj-y = sched.o dma.o fork.o exec_domain.o panic.o printk.o \ module.o exit.o itimer.o info.o time.o softirq.o resource.o \ sysctl.o acct.o capability.o ptrace.o timer.o user.o \ - signal.o sys.o kmod.o context.o + signal.o sys.o kmod.o context.o vswitch.o vcontext.o obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += ksyms.o diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/exit.c linux-2.4.23-vs1.20/kernel/exit.c --- linux-2.4.23-vs1.00/kernel/exit.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/exit.c Thu Dec 4 20:16:31 2003 @@ -16,6 +16,7 @@ #ifdef CONFIG_BSD_PROCESS_ACCT #include #endif +#include #include #include @@ -66,8 +67,8 @@ static void release_task(struct task_str current->counter += p->counter; if (current->counter >= MAX_COUNTER) current->counter = MAX_COUNTER; - sys_release_s_info(p); - sys_release_ip_info(p->ip_info); + vx_release_info(p); + vx_release_ip_info(p->ip_info); p->pid = 0; free_task_struct(p); } else { @@ -168,6 +169,7 @@ static inline void forget_original_paren pid_t initpid = father->s_info->initpid; if ((initpid != 0) && (father->pid != initpid)) { struct task_struct *r = find_task_by_pid(initpid); + if (r != NULL) vchild_reaper = r; } diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/fork.c linux-2.4.23-vs1.20/kernel/fork.c --- linux-2.4.23-vs1.00/kernel/fork.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/fork.c Thu Dec 4 20:16:31 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -662,8 +663,8 @@ int do_fork(unsigned long clone_flags, u *p = *current; retval = -EAGAIN; - if (p->s_info && (p->s_info->flags & S_CTX_INFO_NPROC)) { - if (p->s_info->refcount >= p->rlim[RLIMIT_NPROC].rlim_max) + if (p->s_info && (p->s_info->flags & VX_INFO_NPROC)) { + if (atomic_read(&p->s_info->refcount) >= p->rlim[RLIMIT_NPROC].rlim_max) goto bad_fork_free; } /* @@ -676,8 +677,8 @@ int do_fork(unsigned long clone_flags, u && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) goto bad_fork_free; - sys_assign_s_info(p); - sys_assign_ip_info(p->ip_info); + vx_assign_info(p); + vx_assign_ip_info(p->ip_info); atomic_inc(&p->user->__count); atomic_inc(&p->user->processes); diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/printk.c linux-2.4.23-vs1.20/kernel/printk.c --- linux-2.4.23-vs1.00/kernel/printk.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/printk.c Thu Dec 4 20:16:31 2003 @@ -26,6 +26,7 @@ #include #include /* For in_interrupt() */ #include +#include #include @@ -176,7 +177,7 @@ int do_syslog(int type, char * buf, int char c; int error = 0; - if (!capable(CAP_SYS_ADMIN) && (current->s_context != 0)) + if (!capable(CAP_SYS_ADMIN) && !vx_check(0, VX_ADMIN)) return -EPERM; switch (type) { diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/sched.c linux-2.4.23-vs1.20/kernel/sched.c --- linux-2.4.23-vs1.00/kernel/sched.c Sun Nov 30 16:24:39 2003 +++ linux-2.4.23-vs1.20/kernel/sched.c Thu Dec 4 20:16:31 2003 @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -165,13 +166,12 @@ static inline int goodness(struct task_s * Don't do any other calculations if the time slice is * over.. */ - if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) { - weight = atomic_read (&p->s_info->ticks)/p->s_info->refcount; - weight = (weight+p->counter)>>1; - } else { + if (p->s_info && (p->s_info->flags & VX_INFO_SCHED)) { + weight = atomic_read(&p->s_info->ticks) / + atomic_read(&p->s_info->refcount); + weight = (weight+p->counter) >> 1; + } else weight = p->counter; - } if (!weight) goto out; @@ -629,15 +629,13 @@ repeat_schedule: member processes p->counter */ for_each_task(p) { - if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) - atomic_set (&p->s_info->ticks,0); + if (p->s_info && (p->s_info->flags & VX_INFO_SCHED)) + atomic_set(&p->s_info->ticks, 0); } for_each_task(p) { p->counter = (p->counter >> 1) + NICE_TO_TICKS(p->nice); - if (p->s_info != NULL - && (p->s_info->flags & S_CTX_INFO_SCHED)) - atomic_add (p->counter,&p->s_info->ticks); + if (p->s_info && (p->s_info->flags & VX_INFO_SCHED)) + atomic_add(p->counter, &p->s_info->ticks); } read_unlock(&tasklist_lock); spin_lock_irq(&runqueue_lock); diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/signal.c linux-2.4.23-vs1.20/kernel/signal.c --- linux-2.4.23-vs1.00/kernel/signal.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/signal.c Thu Dec 4 20:16:31 2003 @@ -13,6 +13,7 @@ #include #include #include +#include #include @@ -621,9 +622,9 @@ kill_pg_info(int sig, struct siginfo *in retval = -ESRCH; read_lock(&tasklist_lock); for_each_task(p) { - if (p->pgrp == pgrp && thread_group_leader(p) - && ((long)info==1 - || p->s_context == current->s_context)) { + if (p->pgrp == pgrp && thread_group_leader(p) && + ((long)info == 1 || + vx_check(p->vx_id, VX_IDENT))) { int err = send_sig_info(sig, info, p); if (retval) retval = err; @@ -679,7 +680,7 @@ kill_proc_info(int sig, struct siginfo * } switch ((unsigned long)info) { case 0: - if (p->s_context == current->s_context) + if (vx_check(p->vx_id, VX_IDENT)) error = send_sig_info(sig, info, p); break; case 1: @@ -687,7 +688,7 @@ kill_proc_info(int sig, struct siginfo * break; default: if ((info->si_code == SI_KERNEL) - || (p->s_context == current->s_context)) + || vx_check(p->vx_id, VX_IDENT)) error = send_sig_info(sig, info, p); break; } @@ -714,8 +715,9 @@ static int kill_something_info(int sig, read_lock(&tasklist_lock); for_each_task(p) { - if (p->pid > 1 && p != current && thread_group_leader(p) - && p->s_context == current->s_context) { + if (p->pid > 1 && p != current && + thread_group_leader(p) && + vx_check(p->vx_id, VX_IDENT)) { int err = send_sig_info(sig, info, p); ++count; if (err != -EPERM) @@ -1339,142 +1341,3 @@ sys_signal(int sig, __sighandler_t handl return ret ? ret : (unsigned long)old_sa.sa.sa_handler; } #endif /* !alpha && !__ia64__ && !defined(__mips__) */ - -static int set_initpid (int flags) -{ - int ret = 0; - if (flags & S_CTX_INFO_INIT) { - if (current->s_info == NULL) - ret = -EINVAL; - else if (current->s_info->initpid != 0) - ret = -EPERM; - else - current->s_info->initpid = current->tgid; - } - return ret; -} - -static inline int switch_user_struct(int new_context) -{ - struct user_struct *new_user; - - new_user = alloc_uid(new_context, current->uid); - if (!new_user) - return -ENOMEM; - - if (new_user != current->user) { - struct user_struct *old_user = current->user; - - atomic_inc(&new_user->processes); - atomic_dec(&old_user->processes); - current->user = new_user; - free_uid(old_user); - } - return 0; -} - -/* - Change to a new security context and reduce the capability - basic set of the current process -*/ -asmlinkage int -sys_new_s_context(int ctx, __u32 remove_cap, int flags) -{ - #define MAX_S_CONTEXT 65535 /* Arbitrary limit */ - int ret = -EPERM; - if (ctx == -1) { - if (current->s_info == NULL - || !(current->s_info->flags & S_CTX_INFO_LOCK)) { - /* Ok we allocate a new context. For now, we just increase */ - /* it. Wrap around possible, so we loop */ - static int alloc_ctx=1; - static spinlock_t alloc_ctx_lock = SPIN_LOCK_UNLOCKED; - spin_lock(&alloc_ctx_lock); - while (1) { - int found = 0; - struct task_struct *p; - alloc_ctx++; - /* The s_context 1 is special. It sess all processes */ - if (alloc_ctx == 1) - alloc_ctx++; - else if (alloc_ctx > MAX_S_CONTEXT) - // No need to grow and grow - alloc_ctx = 2; - /* Check if in use */ - read_lock(&tasklist_lock); - for_each_task(p) { - if (p->s_context == alloc_ctx) { - found = 1; - break; - } - } - read_unlock(&tasklist_lock); - if (!found) break; - } - ret = switch_user_struct(alloc_ctx); - if (ret == 0) { - current->s_context = alloc_ctx; - current->cap_bset &= (~remove_cap); - ret = alloc_ctx; - sys_alloc_s_info(); - if (current->s_info) { - set_initpid (flags); - current->s_info->flags |= flags; - } - } - spin_unlock(&alloc_ctx_lock); - } - } else if (ctx == -2) { - ret = set_initpid(flags); - if (ret == 0) { - /* We keep the same s_context, but lower the capabilities */ - current->cap_bset &= (~remove_cap); - ret = current->s_context; - if (current->s_info) { - if (flags & S_CTX_INFO_INIT) - current->s_info->initpid = current->tgid; - current->s_info->flags |= flags; - } - } - } else if (ctx <= 0 || ctx > MAX_S_CONTEXT) { - ret = -EINVAL; - } else if (current->s_context == 0 - && capable(CAP_SYS_ADMIN) - && (current->s_info == NULL - ||(current->s_info->flags & S_CTX_INFO_LOCK) == 0)) { - /* The root context can become any context it wants */ - int found = 0; - struct task_struct *p; - /* Check if in use so we reuse the same context_info */ - read_lock(&tasklist_lock); - ret = ctx; - for_each_task(p) { - if (p->s_context == ctx) { - found = 1; - if (p->s_info == NULL - || !(p->s_info->flags & S_CTX_INFO_PRIVATE)) { - sys_release_s_info(current); - sys_assign_s_info (p); - current->s_info = p->s_info; - } - else - ret = -EPERM; - break; - } - } - read_unlock(&tasklist_lock); - if (ret == ctx) { - ret = switch_user_struct(ctx); - if (ret == 0) { - current->s_context = ctx; - current->cap_bset &= (~remove_cap); - if (!found) - sys_alloc_s_info(); - if (current->s_info) - current->s_info->flags |= flags; - } - } - } - return ret; -} - diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/sys.c linux-2.4.23-vs1.20/kernel/sys.c --- linux-2.4.23-vs1.00/kernel/sys.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/sys.c Thu Dec 4 20:16:32 2003 @@ -11,10 +11,12 @@ #include #include #include +#include #include #include #include #include +#include #include #include @@ -278,6 +280,67 @@ asmlinkage long sys_getpriority(int whic return retval; } +/* + * vshelper path is set via /proc/sys + * invoked by vserver sys_reboot(), with + * the following arguments + * + * argv [0] = vshelper_path; + * argv [1] = context identifier + * argv [2] = "restart", "halt", "poweroff", ... + * argv [3] = additional argument (restart2) + * + * envp [*] = type-specific parameters + */ +char vshelper_path[255] = "/sbin/vshelper"; + +long vs_reboot(unsigned int cmd, void * arg) +{ + char id_buf[8], cmd_buf[32]; + char uid_buf[32], pid_buf[32]; + char buffer[256]; + + char *argv[] = {vshelper_path, id_buf, NULL, NULL, 0}; + char *envp[] = {"HOME=/", "TERM=linux", + "PATH=/sbin:/usr/sbin:/bin:/usr/bin", + uid_buf, pid_buf, cmd_buf, 0}; + + snprintf(id_buf, sizeof(id_buf)-1, "%d", current->vx_id); + + snprintf(cmd_buf, sizeof(cmd_buf)-1, "VS_CMD=%08x", cmd); + snprintf(uid_buf, sizeof(uid_buf)-1, "VS_UID=%d", current->uid); + snprintf(pid_buf, sizeof(pid_buf)-1, "VS_PID=%d", current->pid); + + switch (cmd) { + case LINUX_REBOOT_CMD_RESTART: + argv[2] = "restart"; + break; + + case LINUX_REBOOT_CMD_HALT: + argv[2] = "halt"; + break; + + case LINUX_REBOOT_CMD_POWER_OFF: + argv[2] = "poweroff"; + break; + + case LINUX_REBOOT_CMD_RESTART2: + if (strncpy_from_user(&buffer[0], (char *)arg, sizeof(buffer) - 1) < 0) + return -EFAULT; + argv[3] = buffer; + default: + argv[2] = "restart2"; + break; + } + + if (call_usermodehelper(*argv, argv, envp)) { + printk( KERN_WARNING + "vs_reboot(): failed to exec (%s %s %s %s)\n", + vshelper_path, argv[1], argv[2], argv[3]); + return -EPERM; + } + return 0; +} /* * Reboot system call: for obvious reasons only root may call it, @@ -301,6 +364,9 @@ asmlinkage long sys_reboot(int magic1, i magic2 != LINUX_REBOOT_MAGIC2B)) return -EINVAL; + if (!vx_check(0, VX_ADMIN | VX_WATCH)) + return vs_reboot(cmd, arg); + lock_kernel(); switch (cmd) { case LINUX_REBOOT_CMD_RESTART: @@ -514,7 +580,7 @@ static int set_user(uid_t new_ruid, int { struct user_struct *new_user; - new_user = alloc_uid(current->s_context, new_ruid); + new_user = alloc_uid(current->vx_id, new_ruid); if (!new_user) return -EAGAIN; switch_uid(new_user); @@ -1043,121 +1109,6 @@ asmlinkage long sys_newuname(struct new_ return errno; } -/* - Decrease the reference count on the context_info member of a task - Free the struct if the reference count reach 0. -*/ -void sys_release_s_info (struct task_struct *p) -{ - down_write (&uts_sem); - if (p->s_info) { - p->s_info->refcount--; - if (p->s_info->refcount == 0) { - vfree (p->s_info); - p->s_info = NULL; - } - } - up_write (&uts_sem); -} -/* - Increase the reference count on the context_info member of a task -*/ -void sys_assign_s_info (struct task_struct *p) -{ - down_write (&uts_sem); - if (p->s_info) - p->s_info->refcount++; - up_write (&uts_sem); -} - -/* - Alloc a new s_info to the current process and release - the one currently owned by the current process. -*/ -void sys_alloc_s_info() -{ - struct context_info *s_info = vmalloc(sizeof(struct context_info)); - - if (s_info) { - int i; - memset (s_info,0,sizeof(*s_info)); - s_info->s_context[0] = current->s_context; - s_info->refcount = 1; - atomic_set (&s_info->ticks,current->counter); - s_info->flags = 0; - s_info->initpid = 0; - for (i=0; irlim[i] = 0xffffffff; - atomic_set (&s_info->res[i],0); - } - down_read (&uts_sem); - if (current->s_info) { - strcpy (s_info->nodename,current->s_info->nodename); - strcpy (s_info->domainname,current->s_info->domainname); - } else { - strcpy (s_info->nodename,system_utsname.nodename); - strcpy (s_info->domainname,system_utsname.domainname); - } - up_read (&uts_sem); - sys_release_s_info (current); - current->s_info = s_info; - /* - The current process is switching to a new context - so we preset the open file counter with - the file currently open by that process. - Some of those files may have been opened by - a parent, so do not strictly belong to this - process, so we kind of over bill the current process - but it is minimal. - */ - atomic_set (&s_info->res[RLIMIT_NOFILE] - ,atomic_read(¤t->files->count)); - } -} - -/* - Decrease the reference count on the ip_info struct - Free the struct if the reference count reach 0. -*/ -void sys_release_ip_info (struct iproot_info *ip_info) -{ - if (ip_info) { - if (atomic_dec_and_test(&ip_info->refcount)) { - if (ip_info->mark != 0xdeadbeef) - printk ("sys_release_ip_info: broken signature %08lx\n", ip_info->mark); - else - vfree (ip_info); - } - } -} -/* - Increase the reference count on the ip_info member of a task -*/ -void sys_assign_ip_info (struct iproot_info *ip_info) -{ - if (ip_info) { - atomic_inc (&ip_info->refcount); - if (ip_info->mark != 0xdeadbeef) - printk ("sys_assign_ip_info: broken signature %08lx\n", ip_info->mark); - } -} - -/* - Alloc a new ip_info to the current process and release - the one currently owned by the current process. -*/ -void sys_alloc_ip_info() -{ - struct iproot_info *ip_info = vmalloc(sizeof(struct iproot_info)); - - memset (ip_info,0,sizeof(*ip_info)); - ip_info->mark = 0xdeadbeef; - atomic_set (&ip_info->refcount,1); - sys_release_ip_info (current->ip_info); - current->ip_info = ip_info; -} - - asmlinkage long sys_sethostname(char *name, int len) { int errno; @@ -1220,7 +1171,8 @@ asmlinkage long sys_setdomainname(char * down_write(&uts_sem); domainname = system_utsname.domainname; - if (current->s_info) domainname = current->s_info->domainname; + if (current->s_info) + domainname = current->s_info->domainname; errno = -EFAULT; if (!copy_from_user(tmp, name, len)) { memcpy(domainname, tmp, len); diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/sysctl.c linux-2.4.23-vs1.20/kernel/sysctl.c --- linux-2.4.23-vs1.00/kernel/sysctl.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/sysctl.c Thu Dec 4 20:16:32 2003 @@ -31,6 +31,7 @@ #include #include #include +#include #include @@ -80,6 +81,7 @@ extern int sem_ctls[]; #endif extern int exception_trace; +extern char vshelper_path[]; #ifdef __sparc__ extern char reboot_command []; @@ -275,6 +277,8 @@ static ctl_table kern_table[] = { {KERN_EXCEPTION_TRACE,"exception-trace", &exception_trace,sizeof(int),0644,NULL,&proc_dointvec}, #endif + {KERN_VSHELPER,"vshelper", + &vshelper_path,256,0644,NULL,&proc_dostring,&sysctl_string}, {0} }; @@ -833,10 +837,11 @@ static int proc_doutsstring(ctl_table *t int r; ctl_table tmp; - /* HACK for per s_context hostname and domainname */ + /* HACK for per context hostname and domainname */ if (current->s_info) { tmp = *table; table = &tmp; + if (table->data == (void*)&system_utsname.nodename) tmp.data = ¤t->s_info->nodename; else if (table->data == (void*)&system_utsname.domainname) diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/timer.c linux-2.4.23-vs1.20/kernel/timer.c --- linux-2.4.23-vs1.00/kernel/timer.c Sun Nov 30 16:24:41 2003 +++ linux-2.4.23-vs1.20/kernel/timer.c Thu Dec 4 20:16:31 2003 @@ -22,6 +22,7 @@ #include #include #include +#include #include @@ -599,7 +600,7 @@ void update_process_times(int user_tick) update_one_process(p, user_tick, system, cpu); if (p->pid) { - if (p->s_info && (p->s_info->flags & S_CTX_INFO_SCHED)) + if (p->s_info && (p->s_info->flags & VX_INFO_SCHED)) atomic_dec (&p->s_info->ticks); if (--p->counter <= 0) { p->counter = 0; @@ -754,7 +755,8 @@ asmlinkage unsigned long sys_alarm(unsig */ asmlinkage long sys_getpid(void) { - if (current->s_info && current->s_info->initpid == current->tgid) + if (current->s_info && + current->s_info->initpid == current->tgid) /* We are faking process 1 for this security context */ return 1; return current->tgid; diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/user.c linux-2.4.23-vs1.20/kernel/user.c --- linux-2.4.23-vs1.00/kernel/user.c Sun Nov 30 16:24:38 2003 +++ linux-2.4.23-vs1.20/kernel/user.c Thu Dec 4 20:16:31 2003 @@ -69,7 +69,7 @@ static inline void uid_hash_remove(struc *pprev = next; } -static inline struct user_struct *uid_hash_find(int s_context, uid_t uid, struct user_struct **hashent) +static inline struct user_struct *uid_hash_find(int vx_id, uid_t uid, struct user_struct **hashent) { struct user_struct *next; @@ -78,7 +78,7 @@ static inline struct user_struct *uid_ha struct user_struct *up = next; if (next) { next = up->next; - if (up->uid != uid || up->s_context != s_context) + if (up->uid != uid || up->vx_id != vx_id) continue; atomic_inc(&up->__count); } @@ -95,13 +95,13 @@ void free_uid(struct user_struct *up) } } -struct user_struct * alloc_uid(int s_context, uid_t uid) +struct user_struct * alloc_uid(int vx_id, uid_t uid) { struct user_struct **hashent = uidhashentry(uid); struct user_struct *up; spin_lock(&uidhash_lock); - up = uid_hash_find(s_context, uid, hashent); + up = uid_hash_find(vx_id, uid, hashent); spin_unlock(&uidhash_lock); if (!up) { @@ -111,7 +111,7 @@ struct user_struct * alloc_uid(int s_con if (!new) return NULL; new->uid = uid; - new->s_context = s_context; + new->vx_id = vx_id; atomic_set(&new->__count, 1); atomic_set(&new->processes, 0); atomic_set(&new->files, 0); @@ -121,7 +121,7 @@ struct user_struct * alloc_uid(int s_con * on adding the same user already.. */ spin_lock(&uidhash_lock); - up = uid_hash_find(s_context, uid, hashent); + up = uid_hash_find(vx_id, uid, hashent); if (up) { kmem_cache_free(uid_cachep, new); } else { diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/vcontext.c linux-2.4.23-vs1.20/kernel/vcontext.c --- linux-2.4.23-vs1.00/kernel/vcontext.c Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/kernel/vcontext.c Thu Dec 4 20:16:31 2003 @@ -0,0 +1,425 @@ +/* + * linux/kernel/vcontext.c + * + * Virtual Context Support + * + * Copyright (C) 2003 Herbert Pötzl + * + * V0.01 context helper + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + + +int vc_ctx_kill(uint32_t id, void *data) +{ + int retval, count=0; + struct vcmd_ctx_kill_v0 vc_data; + struct siginfo info; + struct task_struct *p; + pid_t initpid = 0; + + if (copy_from_user (&vc_data, data, sizeof(vc_data))) + return -EFAULT; + if (!vx_check(0, VX_ADMIN)) + return -EPERM; + + info.si_signo = vc_data.sig; + info.si_errno = 0; + info.si_code = SI_USER; + info.si_pid = current->pid; + info.si_uid = current->uid; + + retval = -ESRCH; + read_lock(&tasklist_lock); + switch (vc_data.pid) { + case -1: + case 0: + for_each_task(p) { + if (!initpid && p->vx_id == id && p->s_info) + initpid = p->s_info->initpid; + if (p->vx_id == id && p->pid > 1 + && (!vc_data.pid || initpid != p->pid) + && thread_group_leader(p)) { + int err = send_sig_info(vc_data.sig, &info, p); + + ++count; + if (err != -EPERM) + retval = err; + } + } + break; + + default: + p = find_task_by_pid(vc_data.pid); + if (p) { + if (!thread_group_leader(p)) { + struct task_struct *tg; + + tg = find_task_by_pid(p->tgid); + if (tg) + p = tg; + } + if ((id == -1) || (p->vx_id == id)) + retval = send_sig_info(vc_data.sig, &info, p); + } + break; + } + read_unlock(&tasklist_lock); + return retval; +} + +int vc_get_rlimit(uint32_t id, void *data) +{ + return -ENOSYS; +} + +int vc_set_rlimit(uint32_t id, void *data) +{ + return -ENOSYS; +} + +int vc_get_rlimit_mask(uint32_t id, void *data) +{ + return -ENOSYS; +} + + + +/* system functions */ + + +/* + * Alloc a new s_info to the current process and release + * the one currently owned by the current process. + */ +static void vx_alloc_info(void) +{ + struct context_info *s_info; + + s_info = kmalloc(sizeof(struct context_info), GFP_KERNEL); + if (s_info) { + int i; + memset (s_info, 0, sizeof(*s_info)); + s_info->vx_id[0] = current->vx_id; + atomic_set(&s_info->refcount, 1); + atomic_set(&s_info->ticks, current->counter); + s_info->flags = 0; + s_info->initpid = 0; + s_info->nr_threads = 1; + s_info->total_forks = 0; + s_info->bias_cswtch = kstat.context_swtch; + s_info->bias_jiffies = jiffies; + s_info->bias_idle = init_tasks[0]->times.tms_utime + + init_tasks[0]->times.tms_stime; + for (i=0; irlim[i] = 0xffffffff; + atomic_set(&s_info->res[i], 0); + } + down_read(&uts_sem); + if (current->s_info) { + strcpy(s_info->nodename, current->s_info->nodename); + strcpy(s_info->domainname, current->s_info->domainname); + } else { + strcpy(s_info->nodename, system_utsname.nodename); + strcpy(s_info->domainname, system_utsname.domainname); + } + up_read(&uts_sem); + vx_release_info(current); + current->s_info = s_info; + /* + The current process is switching to a new context + so we preset the open file counter with + the file currently open by that process. + Some of those files may have been opened by + a parent, so do not strictly belong to this + process, so we kind of over bill the current process + but it is minimal. + */ + atomic_set(&s_info->res[RLIMIT_NOFILE], + atomic_read(¤t->files->count)); + } +} + +/* + * Increase the reference count on the context_info member of a task + */ +void vx_assign_info (struct task_struct *p) +{ + down_write (&uts_sem); + if (p->s_info) + atomic_inc(&p->s_info->refcount); + up_write (&uts_sem); +} + +/* + * Decrease the reference count on the context_info member of a task + * Free the struct if the reference count reach 0. + */ +void vx_release_info (struct task_struct *p) +{ + down_write (&uts_sem); + if (p->s_info) { + if (atomic_dec_and_test(&p->s_info->refcount)) { + kfree(p->s_info); + p->s_info = NULL; + } + } + up_write (&uts_sem); +} + +/* + * Alloc a new ip_info to the current process and release + * the one currently owned by the current process. + */ +static void vx_alloc_ip_info(void) +{ + struct iproot_info *ip_info = + kmalloc(sizeof(struct iproot_info), GFP_KERNEL); + + memset(ip_info, 0, sizeof(*ip_info)); + ip_info->mark = 0xdeadbeef; + atomic_set(&ip_info->refcount, 1); + vx_release_ip_info(current->ip_info); + current->ip_info = ip_info; +} + +/* + * Increase the reference count on the ip_info member of a task + */ +void vx_assign_ip_info (struct iproot_info *ip_info) +{ + if (ip_info) { + atomic_inc(&ip_info->refcount); + if (ip_info->mark != 0xdeadbeef) + printk("vx_assign_ip_info: broken signature %08lx\n", ip_info->mark); + } +} + +/* + * Decrease the reference count on the ip_info struct + * Free the struct if the reference count reach 0. + */ +void vx_release_ip_info (struct iproot_info *ip_info) +{ + if (ip_info) + if (atomic_dec_and_test(&ip_info->refcount)) + kfree(ip_info); +} + + +static int vx_switch_user_struct(int new_context) +{ + struct user_struct *new_user; + + new_user = alloc_uid(new_context, current->uid); + if (!new_user) + return -ENOMEM; + + if (new_user != current->user) { + struct user_struct *old_user = current->user; + + atomic_inc(&new_user->processes); + atomic_dec(&old_user->processes); + current->user = new_user; + free_uid(old_user); + } else + free_uid(new_user); + return 0; +} + +static int vx_set_initpid(int flags) +{ + int ret = 0; + if (flags & VX_INFO_INIT) { + if (current->s_info == NULL) + ret = -EINVAL; + else if (current->s_info->initpid != 0) + ret = -EPERM; + else + current->s_info->initpid = current->tgid; + } + return ret; +} + + +/* new security context (syscall) */ + +/* + * Change to a new security context and reduce the capability + * basic set of the current process + */ +int vc_new_s_context(uint32_t ctx, void *data) +{ + int ret = -EPERM; + struct vcmd_new_s_context_v1 vc_data; + + if (copy_from_user(&vc_data, data, sizeof(vc_data))) + return -EFAULT; + if (ctx == -1) { + if (current->s_info == NULL + || !(current->s_info->flags & VX_INFO_LOCK)) { + /* Ok we allocate a new context. For now, we just increase */ + /* it. Wrap around possible, so we loop */ + static int new_xid = MAX_S_CONTEXT; + static spinlock_t alloc_ctx_lock = SPIN_LOCK_UNLOCKED; + int old_xid = current->vx_id; + int barrier = new_xid; + int valid = 0; + + spin_lock(&alloc_ctx_lock); + do { + struct task_struct *p; + + valid = 1; + if (++new_xid > MAX_S_CONTEXT) + new_xid = MIN_D_CONTEXT; + + /* Check if in use */ + read_lock(&tasklist_lock); + for_each_task(p) { + if (p->vx_id == new_xid) { + valid = 0; + break; + } + } + read_unlock(&tasklist_lock); + + if (valid) { + current->vx_id = new_xid; + break; + } + } while (barrier != new_xid); + spin_unlock(&alloc_ctx_lock); + + if (!valid) + return -EDEADLK; + + ret = vx_switch_user_struct(new_xid); + if (ret == 0) { + current->cap_bset &= (~vc_data.remove_cap); + ret = new_xid; + vx_alloc_info(); + if (current->s_info) { + vx_set_initpid(vc_data.flags); + current->s_info->flags |= vc_data.flags; + } + } else + current->vx_id = old_xid; + } + } else if (ctx == -2) { + ret = vx_set_initpid(vc_data.flags); + if (ret == 0) { + /* We keep the same vx_id, but lower the capabilities */ + current->cap_bset &= (~vc_data.remove_cap); + ret = current->vx_id; + if (current->s_info) { + if (vc_data.flags & VX_INFO_INIT) + current->s_info->initpid = current->tgid; + current->s_info->flags |= vc_data.flags; + } + } + } else if (ctx <= 0 || ctx > MAX_S_CONTEXT) { + ret = -EINVAL; + } else if (vx_check(0, VX_ADMIN) + && capable(CAP_SYS_ADMIN) + && (current->s_info == NULL + ||(current->s_info->flags & VX_INFO_LOCK) == 0)) { + /* The root context can become any context it wants */ + int found = 0; + struct task_struct *p; + + /* Check if in use so we reuse the same context_info */ + read_lock(&tasklist_lock); + ret = ctx; + for_each_task(p) { + if (p->vx_id == ctx) { + found = 1; + if (p->s_info == NULL + || !(p->s_info->flags & VX_INFO_PRIVATE)) { + vx_release_info(current); + vx_assign_info (p); + current->s_info = p->s_info; + } + else + ret = -EPERM; + break; + } + } + read_unlock(&tasklist_lock); + if (ret == ctx) { + ret = vx_switch_user_struct(ctx); + if (ret == 0) { + current->vx_id = ctx; + current->cap_bset &= (~vc_data.remove_cap); + if (!found) + vx_alloc_info(); + if (current->s_info) + current->s_info->flags |= vc_data.flags; + } + } + } + return ret; +} + + +/* set ipv4 root (syscall) */ + +int vc_set_ipv4root(uint32_t nbip, void *data) +{ + int ret = -EPERM; + struct vcmd_set_ipv4root_v3 vc_data; + struct iproot_info *ip_info = current->ip_info; + + if (copy_from_user (&vc_data, data, sizeof(vc_data))) + return -EFAULT; + + if (nbip < 0 || nbip > NB_IPV4ROOT) + ret = -EINVAL; + if (!ip_info || ip_info->ipv4[0] == 0 || capable(CAP_NET_ADMIN)) + // We are allowed to change everything + ret = 0; + else if (current->ip_info) { + // We are allowed to select a subset of the currently + // installed IP numbers. No new one allowed + // We can't change the broadcast address though + int i; + int found = 0; + for (i=0; inbipv4; j++) { + if (ipi == ip_info->ipv4[j]) { + found++; + break; + } + } + } + if (found == nbip && vc_data.broadcast == ip_info->v4_bcast) + ret = 0; + } + if (ret == 0) { + int i; + + vx_alloc_ip_info(); /* release existing? */ + ip_info = current->ip_info; + ip_info->nbipv4 = nbip; + for (i=0; iipv4[i] = vc_data.ip_mask_pair[i].ip; + ip_info->mask[i] = vc_data.ip_mask_pair[i].mask; + } + ip_info->v4_bcast = vc_data.broadcast; + } + return ret; +} diff -NurpP --minimal linux-2.4.23-vs1.00/kernel/vswitch.c linux-2.4.23-vs1.20/kernel/vswitch.c --- linux-2.4.23-vs1.00/kernel/vswitch.c Thu Jan 1 01:00:00 1970 +++ linux-2.4.23-vs1.20/kernel/vswitch.c Thu Dec 4 20:16:31 2003 @@ -0,0 +1,71 @@ +/* + * linux/kernel/vswitch.c + * + * Virtual Context Support + * + * Copyright (C) 2003 Herbert Pötzl + * + * V0.01 syscall switch + * V0.02 added signal to context + * + */ + +#include +#include +#include + +#include + + +static inline int +vc_get_version(uint32_t id) +{ + return VCI_VERSION; +} + + +extern int vc_new_s_context(uint32_t, void *); +extern int vc_set_ipv4root(uint32_t, void *); + +extern int vc_get_rlimit(uint32_t, void *); +extern int vc_set_rlimit(uint32_t, void *); +extern int vc_get_rlimit_mask(uint32_t, void *); + +extern int vc_ctx_kill(uint32_t, void *); + + +asmlinkage int +sys_vserver(uint32_t cmd, uint32_t id, void *data) +{ + int ret = -EINVAL; + + switch (cmd) { + case VCMD_get_version: + ret = vc_get_version(id); + break; + + case VCMD_new_s_context: + ret = vc_new_s_context(id, data); + break; + case VCMD_set_ipv4root: + ret = vc_set_ipv4root(id, data); + break; + + case VCMD_get_rlimit: + ret = vc_get_rlimit(id, data); + break; + case VCMD_set_rlimit: + ret = vc_set_rlimit(id, data); + break; + case VCMD_get_rlimit_mask: + ret = vc_get_rlimit_mask(id, data); + break; + + case VCMD_ctx_kill: + ret = vc_ctx_kill(id, data); + break; + + } + return ret; +} + diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/af_inet.c linux-2.4.23-vs1.20/net/ipv4/af_inet.c --- linux-2.4.23-vs1.00/net/ipv4/af_inet.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/af_inet.c Thu Dec 4 20:16:31 2003 @@ -177,7 +177,7 @@ void inet_sock_destruct(struct sock *sk) if (sk->protinfo.af_inet.opt) kfree(sk->protinfo.af_inet.opt); - sys_release_ip_info(sk->ip_info); + vx_release_ip_info(sk->ip_info); sk->ip_info = NULL; dst_release(sk->dst_cache); #ifdef INET_REFCNT_DEBUG @@ -395,7 +395,7 @@ static int inet_create(struct socket *so sk->protinfo.af_inet.mc_index = 0; sk->protinfo.af_inet.mc_list = NULL; - sk->s_context = current->s_context; + sk->vx_id = current->vx_id; sk->ip_info = NULL; #ifdef INET_REFCNT_DEBUG @@ -565,7 +565,7 @@ int inet_bind(struct socket *sock, struc sk->rcv_saddr2 = s_addr2; sk->ip_info = ip_info; if (ip_info) - sys_assign_ip_info(ip_info); + vx_assign_ip_info(ip_info); if (chk_addr_ret == RTN_MULTICAST || chk_addr_ret == RTN_BROADCAST) sk->saddr = 0; /* Use device */ @@ -573,7 +573,7 @@ int inet_bind(struct socket *sock, struc if (sk->prot->get_port(sk, snum) != 0) { sk->saddr = sk->rcv_saddr = 0; sk->ip_info = NULL; - sys_release_ip_info(ip_info); + vx_release_ip_info(ip_info); err = -EADDRINUSE; goto out; } diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/devinet.c linux-2.4.23-vs1.20/net/ipv4/devinet.c --- linux-2.4.23-vs1.00/net/ipv4/devinet.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/devinet.c Thu Dec 4 20:16:31 2003 @@ -466,7 +466,8 @@ static int devinet_notiproot (struct in_ { int ret = 0; struct iproot_info *info = current->ip_info; - if (current->s_context && info) { + + if (info && !vx_check(0, VX_ADMIN)) { int i; int nbip = info->nbipv4; __u32 addr = ifa->ifa_local; @@ -584,8 +585,7 @@ int devinet_ioctl(unsigned int cmd, void ret = -EADDRNOTAVAIL; goto done; } - if (ifa != NULL - && devinet_notiproot(ifa)) { + if (ifa != NULL && devinet_notiproot(ifa)) { ret = -EADDRNOTAVAIL; goto done; } diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/raw.c linux-2.4.23-vs1.20/net/ipv4/raw.c --- linux-2.4.23-vs1.00/net/ipv4/raw.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/raw.c Thu Dec 4 20:16:31 2003 @@ -688,7 +688,8 @@ int raw_get_info(char *buffer, char **st struct sock *sk; for (sk = raw_v4_htable[i]; sk; sk = sk->next, num++) { - if (sk->family != PF_INET || (current->s_context != 1 && sk->s_context != current->s_context)) + if (sk->family != PF_INET || + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += 128; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/tcp_ipv4.c linux-2.4.23-vs1.20/net/ipv4/tcp_ipv4.c --- linux-2.4.23-vs1.00/net/ipv4/tcp_ipv4.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/tcp_ipv4.c Thu Dec 4 20:16:31 2003 @@ -191,6 +191,7 @@ static inline int tcp_in_list (struct so if (ip_info) { int n = ip_info->nbipv4; int i; + for (i=0; iipv4[i] == addr) return 1; @@ -206,19 +207,20 @@ static inline int tcp_in_list (struct so int tcp_ipv4_addr_conflict (struct sock *sk1, struct sock *sk2) { int ret = 0; - if (sk1->rcv_saddr) + + if (sk1->rcv_saddr) { /* Bind to one address only */ ret = tcp_in_list (sk2,sk1->rcv_saddr); - else if (sk1->ip_info) { + } else if (sk1->ip_info) { /* A restricted bind(any) */ struct iproot_info *ip_info = sk1->ip_info; int n = ip_info->nbipv4; int i; + for (i=0; iipv4[i])) return 1; - } - else /* A bind(any) do not allow other bind on the same port */ + } else /* A bind(any) do not allow other bind on the same port */ return 1; return 0; } @@ -468,15 +470,17 @@ static inline int tcp_addr_in_list ( if (rcv_saddr == daddr) return 1; else if (rcv_saddr == 0) { - /* Accept any address or only the one in the list */ - if (ip_info) { + /* Accept any address or check the list */ + if (!ip_info) + return 1; + else { int n = ip_info->nbipv4; int i; + for (i=0; iipv4[i] == daddr) return 1; } - else return 1; } return 0; } @@ -2257,7 +2261,7 @@ int tcp_get_info(char *buffer, char **st int uid; struct tcp_opt *tp = &(sk->tp_pinfo.af_tcp); - if (current->s_context != 1 && sk->s_context != current->s_context) + if (!vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; if (!TCP_INET_FAMILY(sk->family)) @@ -2314,7 +2318,7 @@ skip_listen: read_lock(&head->lock); for(sk = head->chain; sk; sk = sk->next, num++) { if (!TCP_INET_FAMILY(sk->family) || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += TMPSZ; if (pos <= offset) @@ -2330,7 +2334,7 @@ skip_listen: tw != NULL; tw = (struct tcp_tw_bucket *)tw->next, num++) { if (!TCP_INET_FAMILY(tw->family) || - (current->s_context != 1 && tw->s_context != current->s_context)) + !vx_check(tw->vx_id, VX_WATCH|VX_IDENT)) continue; pos += TMPSZ; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/tcp_minisocks.c linux-2.4.23-vs1.20/net/ipv4/tcp_minisocks.c --- linux-2.4.23-vs1.00/net/ipv4/tcp_minisocks.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/tcp_minisocks.c Thu Dec 4 20:16:31 2003 @@ -380,7 +380,7 @@ void tcp_time_wait(struct sock *sk, int tw->ts_recent_stamp= tp->ts_recent_stamp; tw->pprev_death = NULL; - tw->s_context = sk->s_context; + tw->vx_id = sk->vx_id; tw->ip_info = NULL; #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) @@ -654,7 +654,7 @@ struct sock *tcp_create_openreq_child(st #endif memcpy(newsk, sk, sizeof(*newsk)); - sys_assign_ip_info(newsk->ip_info); + vx_assign_ip_info(newsk->ip_info); newsk->state = TCP_SYN_RECV; /* SANITY */ diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv4/udp.c linux-2.4.23-vs1.20/net/ipv4/udp.c --- linux-2.4.23-vs1.00/net/ipv4/udp.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv4/udp.c Thu Dec 4 20:16:31 2003 @@ -215,16 +215,13 @@ static void udp_v4_unhash(struct sock *s static int udp_in_list (struct iproot_info *ip_info, u32 addr) { - int ret = 0; int n = ip_info->nbipv4; int i; - for (i=0; iipv4[i] == addr) { - ret = 1; - break; - } - } - return ret; + + for (i=0; iipv4[i] == addr) + return 1; + return 0; } /* UDP is nearly always wildcards out the wazoo, it makes no sense to try @@ -555,10 +552,12 @@ int udp_sendmsg(struct sock *sk, struct if (rt == NULL) { struct iproot_info *ip_info = current->ip_info; + if (ip_info != NULL) { __u32 ipv4root = ip_info->ipv4[0]; if (ipv4root) { - if (daddr == 0x0100007f && current->s_context != 0) + if (daddr == 0x0100007f && + !vx_check(0, VX_ADMIN)) daddr = ipv4root; if (ufh.saddr == 0) ufh.saddr = ipv4root; @@ -1052,7 +1051,7 @@ int udp_get_info(char *buffer, char **st for (sk = udp_hash[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += 128; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv6/raw.c linux-2.4.23-vs1.20/net/ipv6/raw.c --- linux-2.4.23-vs1.00/net/ipv6/raw.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv6/raw.c Thu Dec 4 20:16:31 2003 @@ -881,7 +881,7 @@ int raw6_get_info(char *buffer, char **s for (sk = raw_v6_htable[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv6/tcp_ipv6.c linux-2.4.23-vs1.20/net/ipv6/tcp_ipv6.c --- linux-2.4.23-vs1.00/net/ipv6/tcp_ipv6.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv6/tcp_ipv6.c Thu Dec 4 20:16:31 2003 @@ -2030,7 +2030,7 @@ int tcp6_get_info(char *buffer, char **s struct tcp_opt *tp = &(sk->tp_pinfo.af_tcp); if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos >= offset) { @@ -2081,7 +2081,7 @@ int tcp6_get_info(char *buffer, char **s read_lock(&head->lock); for(sk = head->chain; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) @@ -2097,7 +2097,7 @@ int tcp6_get_info(char *buffer, char **s tw != NULL; tw = (struct tcp_tw_bucket *)tw->next, num++) { if (tw->family != PF_INET6 || - (current->s_context != 1 && tw->s_context != current->s_context)) + !vx_check(tw->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/ipv6/udp.c linux-2.4.23-vs1.20/net/ipv6/udp.c --- linux-2.4.23-vs1.00/net/ipv6/udp.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/ipv6/udp.c Thu Dec 4 20:16:31 2003 @@ -982,7 +982,7 @@ int udp6_get_info(char *buffer, char **s for (sk = udp_hash[i]; sk; sk = sk->next, num++) { if (sk->family != PF_INET6 || - (current->s_context != 1 && sk->s_context != current->s_context)) + !vx_check(sk->vx_id, VX_WATCH|VX_IDENT)) continue; pos += LINE_LEN+1; if (pos <= offset) diff -NurpP --minimal linux-2.4.23-vs1.00/net/socket.c linux-2.4.23-vs1.20/net/socket.c --- linux-2.4.23-vs1.00/net/socket.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/socket.c Fri Nov 28 19:26:21 2003 @@ -1754,55 +1754,3 @@ int socket_get_info(char *buffer, char * len = 0; return len; } - -asmlinkage int sys_set_ipv4root ( - __u32 ip[], - int nbip, - __u32 bcast, - __u32 mask[]) -{ - int ret = -EPERM; - __u32 tbip[NB_IPV4ROOT]; - __u32 tbmask[NB_IPV4ROOT]; - struct iproot_info *ip_info = current->ip_info; - if (nbip < 0 || nbip > NB_IPV4ROOT) - ret = -EINVAL; - else if (copy_from_user(tbip,ip,nbip*sizeof(ip[0])) - || copy_from_user(tbmask,mask,nbip*sizeof(ip[0]))) - ret = -EFAULT; - else if (!ip_info - || ip_info->ipv4[0] == 0 - || capable(CAP_NET_ADMIN)) - // We are allowed to change everything - ret = 0; - else if (current->ip_info) { - // We are allowed to select a subset of the currently - // installed IP numbers. No new one allowed - // We can't change the broadcast address though - int i; - int found = 0; - for (i=0; inbipv4; j++) { - if (ipi == ip_info->ipv4[j]) { - found++; - break; - } - } - } - if (found == nbip && bcast == ip_info->v4_bcast) { - ret = 0; - } - - } - if (ret == 0) { - sys_alloc_ip_info(); - current->ip_info->nbipv4 = nbip; - memcpy (current->ip_info->ipv4,tbip,nbip*sizeof(tbip[0])); - current->ip_info->v4_bcast = bcast; - memcpy (current->ip_info->mask,tbmask,nbip*sizeof(tbmask[0])); - } - return ret; -} - diff -NurpP --minimal linux-2.4.23-vs1.00/net/unix/af_unix.c linux-2.4.23-vs1.20/net/unix/af_unix.c --- linux-2.4.23-vs1.00/net/unix/af_unix.c Sun Nov 30 16:24:43 2003 +++ linux-2.4.23-vs1.20/net/unix/af_unix.c Thu Dec 4 20:16:31 2003 @@ -479,7 +479,7 @@ static struct sock * unix_create1(struct sk->write_space = unix_write_space; - sk->s_context = current->s_context; + sk->vx_id = current->vx_id; sk->max_ack_backlog = sysctl_unix_max_dgram_qlen; sk->destruct = unix_sock_destructor; @@ -1758,7 +1758,7 @@ static int unix_read_proc(char *buffer, read_lock(&unix_table_lock); forall_unix_sockets (i,s) { - if (current->s_context != 1 && s->s_context != current->s_context) + if (!vx_check(s->vx_id, VX_WATCH|VX_IDENT)) continue; unix_state_rlock(s);