another .31 patch

diff --git a/queue-2.6.31/bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch b/queue-2.6.31/bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
new file mode 100644 (file)
index 0000000..c0a2576
--- /dev/null
+++ b/queue-2.6.31/bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch
@@ -0,0 +1,63 @@
+From d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Thu, 20 Aug 2009 14:39:52 -0700
+Subject: bsdacct: switch credentials for writing to the accounting file
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+commit d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 upstream.
+
+When process accounting is enabled, every exiting process writes a log to
+the account file.  In addition, every once in a while one of the exiting
+processes checks whether there's enough free space for the log.
+
+SELinux policy may or may not allow the exiting process to stat the fs.
+So unsuspecting processes start generating AVC denials just because
+someone enabled process accounting.
+
+For these filesystem operations, the exiting process's credentials should
+be temporarily switched to that of the process which enabled accounting,
+because it's really that process which wanted to have the accounting
+information logged.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Acked-by: Serge Hallyn <serue@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: James Morris <jmorris@namei.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/acct.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -491,13 +491,17 @@ static void do_acct_process(struct bsd_a
+       u64 run_time;
+       struct timespec uptime;
+       struct tty_struct *tty;
++      const struct cred *orig_cred;
++
++      /* Perform file operations on behalf of whoever enabled accounting */
++      orig_cred = override_creds(file->f_cred);
+ 
+       /*
+        * First check to see if there is enough free_space to continue
+        * the process accounting system.
+        */
+       if (!check_free_space(acct, file))
+-              return;
++              goto out;
+ 
+       /*
+        * Fill the accounting struct with the needed info as recorded
+@@ -578,6 +582,8 @@ static void do_acct_process(struct bsd_a
+                              sizeof(acct_t), &file->f_pos);
+       current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
+       set_fs(fs);
++out:
++      revert_creds(orig_cred);
+ }
+ 
+ /**

diff --git a/queue-2.6.31/series b/queue-2.6.31/series
index 9bf1f2e450998c730e3617bba01752848943d425..40a59b3371ee136b91f0bdb727a4e22cf9a53dd1 100644 (file)
--- a/queue-2.6.31/series
+++ b/queue-2.6.31/series
@@ -38,3 +38,4 @@ maintainers-fix-riku-voipio-s-address.patch
 macintosh-don-t-assume-i2c-device-probing-always-succeeds.patch
 i2c-hide-probe-errors-caused-by-acpi-resource-conflicts.patch
 alsa-don-t-assume-i2c-device-probing-always-succeeds.patch
+bsdacct-switch-credentials-for-writing-to-the-accounting-file.patch