[packages/kernel.git] / linux-2.6-grsec-minimal.patch

diff -urNp linux-2.6.25.orig/arch/sparc/Makefile linux-2.6.25/arch/sparc/Makefile
--- linux-2.6.25.orig/arch/sparc/Makefile	2008-04-25 15:09:15.000000000 +0200
+++ linux-2.6.25/arch/sparc/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE)	+= arch/sparc
 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
 INIT_Y		:= $(patsubst %/, %/built-in.o, $(init-y))
 CORE_Y		:= $(core-y)
-CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+CORE_Y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 CORE_Y		:= $(patsubst %/, %/built-in.o, $(CORE_Y))
 DRIVERS_Y	:= $(patsubst %/, %/built-in.o, $(drivers-y))
 NET_Y		:= $(patsubst %/, %/built-in.o, $(net-y))
diff -urNp linux-2.6.25.orig/Makefile linux-2.6.25/Makefile
--- linux-2.6.25.orig/Makefile	2008-04-25 15:09:13.000000000 +0200
+++ linux-2.6.25/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -603,7 +603,7 @@ export mod_strip_cmd
 
 
 ifeq ($(KBUILD_EXTMOD),)
-core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 
 vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
diff -urNp linux-2.6.25.orig/drivers/char/keyboard.c linux-2.6.25/drivers/char/keyboard.c
--- linux-2.6.25.orig/drivers/char/keyboard.c	2008-04-25 15:09:06.000000000 +0200
+++ linux-2.6.25/drivers/char/keyboard.c	2008-04-25 15:10:25.000000000 +0200
@@ -630,6 +630,16 @@ static void k_spec(struct vc_data *vc, u
 	     kbd->kbdmode == VC_MEDIUMRAW) &&
 	     value != KVAL(K_SAK))
 		return;		/* SAK is allowed even in raw mode */
+
+#if defined(CONFIG_GRKERNSEC_PROC)
+	{
+		void *func = fn_handler[value];
+		if (func == fn_show_state || func == fn_show_ptregs ||
+		    func == fn_show_mem)
+			return;
+	}
+#endif
+
 	fn_handler[value](vc);
 }
 
diff -urNp linux-2.6.25.orig/drivers/pci/proc.c linux-2.6.25/drivers/pci/proc.c
--- linux-2.6.25.orig/drivers/pci/proc.c	2008-04-25 15:09:08.000000000 +0200
+++ linux-2.6.25/drivers/pci/proc.c	2008-04-25 15:10:25.000000000 +0200
@@ -472,7 +472,15 @@ static int __init pci_proc_init(void)
 {
 	struct proc_dir_entry *entry;
 	struct pci_dev *dev = NULL;
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
+#endif
+#else
 	proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
+#endif
 	entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
 	if (entry)
 		entry->proc_fops = &proc_bus_pci_dev_operations;
diff -urNp linux-2.6.25.orig/fs/Kconfig linux-2.6.25/fs/Kconfig
--- linux-2.6.25.orig/fs/Kconfig	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/Kconfig	2008-04-25 15:10:25.000000000 +0200
@@ -899,7 +899,7 @@ config PROC_FS
 
 config PROC_KCORE
 	bool "/proc/kcore support" if !ARM
-	depends on PROC_FS && MMU
+	depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
 
 config PROC_VMCORE
         bool "/proc/vmcore support (EXPERIMENTAL)"
diff -urNp linux-2.6.25.orig/fs/namei.c linux-2.6.25/fs/namei.c
--- linux-2.6.25.orig/fs/namei.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/namei.c	2008-04-25 15:10:25.000000000 +0200
@@ -37,6 +37,7 @@
 #include <linux/vs_cowbl.h>
 #include <linux/vs_device.h>
 #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
 #include <asm/namei.h>
 #include <asm/uaccess.h>
 
@@ -729,6 +730,13 @@ static inline int do_follow_link(struct 
 	err = security_inode_follow_link(path->dentry, nd);
 	if (err)
 		goto loop;
+
+	if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
+				  path->dentry->d_inode, path->dentry)) {
+		err = -EACCES;
+		goto loop;
+	}
+
 	current->link_count++;
 	current->total_link_count++;
 	nd->depth++;
@@ -1859,6 +1867,13 @@ do_last:
 	/*
 	 * It already exists.
 	 */
+
+	if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
+		mutex_unlock(&dir->d_inode->i_mutex);
+		error = -EACCES;
+		goto exit_dput;
+	}
+
 	mutex_unlock(&dir->d_inode->i_mutex);
 	audit_inode(pathname, path.dentry);
 
@@ -1930,6 +1945,13 @@ do_link:
 	error = security_inode_follow_link(path.dentry, nd);
 	if (error)
 		goto exit_dput;
+
+	if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
+				  path.dentry)) {
+		error = -EACCES;
+		goto exit_dput;
+	}
+
 	error = __do_follow_link(&path, nd);
 	if (error) {
 		/* Does someone understand code flow here? Or it is only
@@ -2514,8 +2536,16 @@ asmlinkage long sys_linkat(int olddfd, c
 	error = PTR_ERR(new_dentry);
 	if (IS_ERR(new_dentry))
 		goto out_unlock;
+
+	if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
+			       old_nd.path.dentry->d_inode->i_mode, to)) {
+		error = -EACCES;
+		goto out_unlock_dput;
+	}
+
 	error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
 		new_dentry, &nd);
+out_unlock_dput:
 	dput(new_dentry);
 out_unlock:
 	mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
diff -urNp linux-2.6.25.orig/fs/proc/array.c linux-2.6.25/fs/proc/array.c
--- linux-2.6.25.orig/fs/proc/array.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/array.c	2008-04-25 15:10:25.000000000 +0200
@@ -637,3 +637,15 @@ int proc_pid_statm(struct seq_file *m, s
 
 	return 0;
 }
+
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+			struct pid *pid, struct task_struct *task)
+{
+	int len;
+
+	len = seq_printf(m, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+	return len;
+}
+#endif
+
diff -urNp linux-2.6.25.orig/fs/proc/inode.c linux-2.6.25/fs/proc/inode.c
--- linux-2.6.25.orig/fs/proc/inode.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/inode.c	2008-04-25 15:10:25.000000000 +0200
@@ -406,7 +406,11 @@ struct inode *proc_get_inode(struct supe
 			if (de->mode) {
 				inode->i_mode = de->mode;
 				inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+				inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 				inode->i_gid = de->gid;
+#endif
 			}
 		if (de->vx_flags)
 			PROC_I(inode)->vx_flags = de->vx_flags;
diff -urNp linux-2.6.25.orig/fs/proc/internal.h linux-2.6.25/fs/proc/internal.h
--- linux-2.6.25.orig/fs/proc/internal.h	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/internal.h	2008-04-25 15:10:25.000000000 +0200
@@ -60,6 +60,10 @@ extern int proc_pid_statm(struct seq_fil
 				struct pid *pid, struct task_struct *task);
 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
 				struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+				struct pid *pid, struct task_struct *task);
+#endif
 
 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
 
diff -urNp linux-2.6.25.orig/fs/proc/proc_misc.c linux-2.6.25/fs/proc/proc_misc.c
--- linux-2.6.25.orig/fs/proc/proc_misc.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/proc_misc.c	2008-04-25 15:10:25.000000000 +0200
@@ -843,6 +843,8 @@ void create_seq_entry(char *name, mode_t
 
 void __init proc_misc_init(void)
 {
+	int gr_mode = 0;
+
 	static struct {
 		char *name;
 		int (*read_proc)(char*,char**,off_t,int,int*,void*);
@@ -858,13 +860,24 @@ void __init proc_misc_init(void)
 		{"stram",	stram_read_proc},
 #endif
 		{"filesystems",	filesystems_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"cmdline",	cmdline_read_proc},
+#endif
 		{"execdomains",	execdomains_read_proc},
 		{NULL,}
 	};
 	for (p = simple_ones; p->name; p++)
 		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	gr_mode = S_IRUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	gr_mode = S_IRUSR | S_IRGRP;
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+	create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
+#endif
+
 	proc_symlink("mounts", NULL, "self/mounts");
 
 	/* And now for trickier ones */
@@ -877,7 +890,11 @@ void __init proc_misc_init(void)
 	}
 #endif
 	create_seq_entry("locks", 0, &proc_locks_operations);
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+	create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
+#else
 	create_seq_entry("devices", 0, &proc_devinfo_operations);
+#endif
 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
 #ifdef CONFIG_BLOCK
 	create_seq_entry("partitions", 0, &proc_partitions_operations);
@@ -885,7 +902,11 @@ void __init proc_misc_init(void)
 	create_seq_entry("stat", 0, &proc_stat_operations);
 	create_seq_entry("interrupts", 0, &proc_interrupts_operations);
 #ifdef CONFIG_SLABINFO
+#ifdef CONFIG_GRKRENSEC_PROC_ADD
+	create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
+#else
 	create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+#endif
 #ifdef CONFIG_DEBUG_SLAB_LEAK
 	create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
 #endif
@@ -903,7 +924,7 @@ void __init proc_misc_init(void)
 #ifdef CONFIG_SCHEDSTATS
 	create_seq_entry("schedstat", 0, &proc_schedstat_operations);
 #endif
-#ifdef CONFIG_PROC_KCORE
+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
 	if (proc_root_kcore) {
 		proc_root_kcore->proc_fops = &proc_kcore_operations;
diff -urNp linux-2.6.25.orig/fs/proc/root.c linux-2.6.25/fs/proc/root.c
--- linux-2.6.25.orig/fs/proc/root.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/root.c	2008-04-25 15:10:25.000000000 +0200
@@ -140,7 +140,15 @@ void __init proc_root_init(void)
 #ifdef CONFIG_PROC_DEVICETREE
 	proc_device_tree_init();
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 	proc_bus = proc_mkdir("bus", NULL);
+#endif
 	proc_vx_init();
 	proc_sys_init();
 }
diff -urNp linux-2.6.25.orig/grsecurity/Kconfig linux-2.6.25/grsecurity/Kconfig
--- linux-2.6.25.orig/grsecurity/Kconfig	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/Kconfig	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,123 @@
+#
+# grecurity configuration
+#
+
+menu "Grsecurity"
+
+config GRKERNSEC
+	bool "Grsecurity"
+	select CRYPTO
+	select CRYPTO_SHA256
+	select SECURITY
+	select SECURITY_CAPABILITIES
+	help
+	  If you say Y here, you will be able to configure many features
+	  that will enhance the security of your system.  It is highly
+	  recommended that you say Y here and read through the help
+	  for each option so that you fully understand the features and
+	  can evaluate their usefulness for your machine.
+
+menu "Filesystem Protections"
+depends on GRKERNSEC
+
+config GRKERNSEC_PROC
+	bool "Proc restrictions"
+	help
+	  If you say Y here, the permissions of the /proc filesystem
+	  will be altered to enhance system security and privacy.  You MUST
+  	  choose either a user only restriction or a user and group restriction.
+	  Depending upon the option you choose, you can either restrict users to
+	  see only the processes they themselves run, or choose a group that can
+	  view all processes and files normally restricted to root if you choose
+	  the "restrict to user only" option.  NOTE: If you're running identd as
+	  a non-root user, you will have to run it as the group you specify here.
+
+config GRKERNSEC_PROC_USER
+	bool "Restrict /proc to user only"
+	depends on GRKERNSEC_PROC
+	help
+	  If you say Y here, non-root users will only be able to view their own
+	  processes, and restricts them from viewing network-related information,
+	  and viewing kernel symbol and module information.
+
+config GRKERNSEC_PROC_USERGROUP
+	bool "Allow special group"
+	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
+	help
+	  If you say Y here, you will be able to select a group that will be
+	  able to view all processes, network-related information, and
+	  kernel and symbol information.  This option is useful if you want
+	  to run identd as a non-root user.
+
+config GRKERNSEC_PROC_GID
+	int "GID for special group"
+	depends on GRKERNSEC_PROC_USERGROUP
+	default 1001
+
+config GRKERNSEC_PROC_ADD
+	bool "Additional restrictions"
+	depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
+	help
+	  If you say Y here, additional restrictions will be placed on
+	  /proc that keep normal users from viewing device information and 
+	  slabinfo information that could be useful for exploits.
+
+config GRKERNSEC_LINK
+	bool "Linking restrictions"
+	help
+	  If you say Y here, /tmp race exploits will be prevented, since users
+	  will no longer be able to follow symlinks owned by other users in
+	  world-writable +t directories (i.e. /tmp), unless the owner of the
+	  symlink is the owner of the directory. users will also not be
+	  able to hardlink to files they do not own.  If the sysctl option is
+	  enabled, a sysctl option with name "linking_restrictions" is created.
+
+config GRKERNSEC_FIFO
+	bool "FIFO restrictions"
+	help
+	  If you say Y here, users will not be able to write to FIFOs they don't
+	  own in world-writable +t directories (i.e. /tmp), unless the owner of
+	  the FIFO is the same owner of the directory it's held in.  If the sysctl
+	  option is enabled, a sysctl option with name "fifo_restrictions" is
+	  created.
+
+endmenu
+
+config GRKERNSEC_PROC_IPADDR
+	bool "/proc/<pid>/ipaddr support"
+	help
+	  If you say Y here, a new entry will be added to each /proc/<pid>
+	  directory that contains the IP address of the person using the task.
+	  The IP is carried across local TCP and AF_UNIX stream sockets.
+	  This information can be useful for IDS/IPSes to perform remote response
+	  to a local attack.  The entry is readable by only the owner of the
+	  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
+	  the RBAC system), and thus does not create privacy concerns.
+
+config GRKERNSEC_SYSCTL
+	bool "Sysctl support"
+	help
+	  If you say Y here, you will be able to change the options that
+	  grsecurity runs with at bootup, without having to recompile your
+	  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
+	  to enable (1) or disable (0) various features.  All the sysctl entries
+	  are mutable until the "grsec_lock" entry is set to a non-zero value.
+	  All features enabled in the kernel configuration are disabled at boot
+	  if you do not say Y to the "Turn on features by default" option.
+	  All options should be set at startup, and the grsec_lock entry should
+	  be set to a non-zero value after all the options are set.
+	  *THIS IS EXTREMELY IMPORTANT*
+
+config GRKERNSEC_SYSCTL_ON
+	bool "Turn on features by default"
+	depends on GRKERNSEC_SYSCTL
+	help
+	  If you say Y here, instead of having all features enabled in the
+	  kernel configuration disabled at boot time, the features will be
+	  enabled at boot time.  It is recommended you say Y here unless
+	  there is some reason you would want all sysctl-tunable features to
+	  be disabled by default.  As mentioned elsewhere, it is important
+	  to enable the grsec_lock entry once you have finished modifying
+	  the sysctl entries.
+
+endmenu
diff -urNp linux-2.6.25.orig/grsecurity/Makefile linux-2.6.25/grsecurity/Makefile
--- linux-2.6.25.orig/grsecurity/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/Makefile	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,11 @@
+# All code in this directory and various hooks inserted throughout the kernel
+# are copyright Brad Spengler, and released under the GPL v2 or higher
+
+obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o
+
+ifndef CONFIG_GRKERNSEC
+obj-y += grsec_disabled.o
+endif
+
diff -urNp linux-2.6.25.orig/grsecurity/grsec_disabled.c linux-2.6.25/grsecurity/grsec_disabled.c
--- linux-2.6.25.orig/grsecurity/grsec_disabled.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_disabled.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,6 @@
+void
+grsecurity_init(void)
+{
+	return;
+}
+
diff -urNp linux-2.6.25.orig/grsecurity/grsec_fifo.c linux-2.6.25/grsecurity/grsec_fifo.c
--- linux-2.6.25.orig/grsecurity/grsec_fifo.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_fifo.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,21 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_fifo(const struct dentry *dentry, const struct dentry *dir,
+	       const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
+	if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+	    !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+	    (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+	    (current->fsuid != dentry->d_inode->i_uid)) {
+		if (!generic_permission(dentry->d_inode, acc_mode, NULL))
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
diff -urNp linux-2.6.25.orig/grsecurity/grsec_init.c linux-2.6.25/grsecurity/grsec_init.c
--- linux-2.6.25.orig/grsecurity/grsec_init.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_init.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,29 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/smp_lock.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/percpu.h>
+
+int grsec_enable_link;
+int grsec_enable_fifo;
+int grsec_lock;
+
+void
+grsecurity_init(void)
+{
+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
+#ifndef CONFIG_GRKERNSEC_SYSCTL
+	grsec_lock = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+	grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+	grsec_enable_fifo = 1;
+#endif
+#endif
+
+	return;
+}
diff -urNp linux-2.6.25.orig/grsecurity/grsec_link.c linux-2.6.25/grsecurity/grsec_link.c
--- linux-2.6.25.orig/grsecurity/grsec_link.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_link.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,36 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+		      const struct inode *inode,
+		      const struct dentry *dentry)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+	if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+	    (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+	    (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry, struct inode *inode,
+		   const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+	if (grsec_enable_link && current->fsuid != inode->i_uid &&
+	    (!S_ISREG(mode) || (mode & S_ISUID) ||
+	     ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+	     (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
+	    !capable(CAP_FOWNER) && current->uid) {
+		return -EPERM;
+	}
+#endif
+	return 0;
+}
diff -urNp linux-2.6.25.orig/grsecurity/grsec_sock.c linux-2.6.25/grsecurity/grsec_sock.c
--- linux-2.6.25.orig/grsecurity/grsec_sock.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_sock.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,167 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#ifdef CONFIG_GRKERNSEC
+#define gr_conn_table_size 32749
+struct conn_table_entry {
+	struct conn_table_entry *next;
+	struct signal_struct *sig;
+};
+
+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
+
+static __inline__ int 
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+	return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
+static __inline__ int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, 
+	   __u16 sport, __u16 dport)
+{
+	if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
+		     sig->gr_sport == sport && sig->gr_dport == dport))
+		return 1;
+	else
+		return 0;
+}
+
+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
+{
+	struct conn_table_entry **match;
+	unsigned int index;
+
+	index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
+			  sig->gr_sport, sig->gr_dport, 
+			  gr_conn_table_size);
+
+	newent->sig = sig;
+	
+	match = &gr_conn_table[index];
+	newent->next = *match;
+	*match = newent;
+
+	return;
+}
+
+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
+{
+	struct conn_table_entry *match, *last = NULL;
+	unsigned int index;
+
+	index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
+			  sig->gr_sport, sig->gr_dport, 
+			  gr_conn_table_size);
+
+	match = gr_conn_table[index];
+	while (match && !conn_match(match->sig, 
+		sig->gr_saddr, sig->gr_daddr, sig->gr_sport, 
+		sig->gr_dport)) {
+		last = match;
+		match = match->next;
+	}
+
+	if (match) {
+		if (last)
+			last->next = match->next;
+		else
+			gr_conn_table[index] = NULL;
+		kfree(match);
+	}
+
+	return;
+}
+
+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
+					     __u16 sport, __u16 dport)
+{
+	struct conn_table_entry *match;
+	unsigned int index;
+
+	index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
+
+	match = gr_conn_table[index];
+	while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
+		match = match->next;
+
+	if (match)
+		return match->sig;
+	else
+		return NULL;
+}
+
+#endif
+
+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct signal_struct *sig = task->signal;
+	struct conn_table_entry *newent;
+
+	newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
+	if (newent == NULL)
+		return;
+	/* no bh lock needed since we are called with bh disabled */
+	spin_lock(&gr_conn_table_lock);
+	gr_del_task_from_ip_table_nolock(sig);
+	sig->gr_saddr = inet->rcv_saddr;
+	sig->gr_daddr = inet->daddr;
+	sig->gr_sport = inet->sport;
+	sig->gr_dport = inet->dport;
+	gr_add_to_task_ip_table_nolock(sig, newent);
+	spin_unlock(&gr_conn_table_lock);
+#endif
+	return;
+}
+
+void gr_del_task_from_ip_table(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC
+	spin_lock(&gr_conn_table_lock);
+	gr_del_task_from_ip_table_nolock(task->signal);
+	spin_unlock(&gr_conn_table_lock);
+#endif
+	return;
+}
+
+void
+gr_attach_curr_ip(const struct sock *sk)
+{
+#ifdef CONFIG_GRKERNSEC
+	struct signal_struct *p, *set;
+	const struct inet_sock *inet = inet_sk(sk);	
+
+	if (unlikely(sk->sk_protocol != IPPROTO_TCP))
+		return;
+
+	set = current->signal;
+
+	spin_lock_bh(&gr_conn_table_lock);
+	p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
+				    inet->dport, inet->sport);
+	if (unlikely(p != NULL)) {
+		set->curr_ip = p->curr_ip;
+		set->used_accept = 1;
+		gr_del_task_from_ip_table_nolock(p);
+		spin_unlock_bh(&gr_conn_table_lock);
+		return;
+	}
+	spin_unlock_bh(&gr_conn_table_lock);
+
+	set->curr_ip = inet->daddr;
+	set->used_accept = 1;
+#endif
+	return;
+}
+
diff -urNp linux-2.6.25.orig/grsecurity/grsec_sysctl.c linux-2.6.25/grsecurity/grsec_sysctl.c
--- linux-2.6.25.orig/grsecurity/grsec_sysctl.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/grsecurity/grsec_sysctl.c	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,52 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
+{
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+	if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
+
+#if defined(CONFIG_GRKERNSEC_SYSCTL)
+ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_LINK
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "linking_restrictions",
+		.data		= &grsec_enable_link,
+		.maxlen		= sizeof(int),
+		.mode		= 0600,
+		.proc_handler	= &proc_dointvec,
+	},
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "fifo_restrictions",
+		.data		= &grsec_enable_fifo,
+		.maxlen		= sizeof(int),
+		.mode		= 0600,
+		.proc_handler	= &proc_dointvec,
+	},
+#endif
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "grsec_lock",
+		.data		= &grsec_lock,
+		.maxlen		= sizeof(int),
+		.mode		= 0600,
+		.proc_handler	= &proc_dointvec,
+	},
+#endif
+	{ .ctl_name = 0 }
+};
+#endif
diff -urNp linux-2.6.25.orig/include/linux/grinternal.h linux-2.6.25/include/linux/grinternal.h
--- linux-2.6.25.orig/include/linux/grinternal.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/include/linux/grinternal.h	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,14 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
+#ifdef CONFIG_GRKERNSEC
+
+#include <linux/fs.h>
+
+extern int grsec_enable_link;
+extern int grsec_enable_fifo;
+extern int grsec_lock;
+
+#endif
+
+#endif
diff -urNp linux-2.6.25.orig/include/linux/grsecurity.h linux-2.6.25/include/linux/grsecurity.h
--- linux-2.6.25.orig/include/linux/grsecurity.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.25/include/linux/grsecurity.h	2008-04-25 15:10:25.000000000 +0200
@@ -0,0 +1,18 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
+#include <linux/binfmts.h>
+
+void gr_del_task_from_ip_table(struct task_struct *p);
+
+int gr_handle_follow_link(const struct inode *parent,
+				 const struct inode *inode,
+				 const struct dentry *dentry);
+int gr_handle_fifo(const struct dentry *dentry,
+			  const struct dentry *dir, const int flag,
+			  const int acc_mode);
+int gr_handle_hardlink(const struct dentry *dentry,
+			      struct inode *inode,
+			      const int mode, const char *to);
+
+#endif
diff -urNp linux-2.6.25.orig/include/linux/sched.h linux-2.6.25/include/linux/sched.h
--- linux-2.6.25.orig/include/linux/sched.h	2008-04-25 15:09:05.000000000 +0200
+++ linux-2.6.25/include/linux/sched.h	2008-04-25 15:10:25.000000000 +0200
@@ -544,6 +544,15 @@ struct signal_struct {
 	unsigned audit_tty;
 	struct tty_audit_buf *tty_audit_buf;
 #endif
+
+#ifdef CONFIG_GRKERNSEC
+	u32 curr_ip;
+	u32 gr_saddr;
+	u32 gr_daddr;
+	u16 gr_sport;
+	u16 gr_dport;
+	u8 used_accept:1;
+#endif
 };
 
 /* Context switch must be unlocked if interrupts are to be enabled */
diff -urNp linux-2.6.25.orig/include/linux/sysctl.h linux-2.6.25/include/linux/sysctl.h
--- linux-2.6.25.orig/include/linux/sysctl.h	2008-04-25 15:09:05.000000000 +0200
+++ linux-2.6.25/include/linux/sysctl.h	2008-04-25 15:10:25.000000000 +0200
@@ -165,8 +165,11 @@ enum
 	KERN_MAX_LOCK_DEPTH=74,
 	KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
 	KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
-};
+#ifdef CONFIG_GRKERNSEC
+	KERN_GRSECURITY=98,	/* grsecurity */
+#endif
 
+};
 
 
 /* CTL_VM names: */
diff -urNp linux-2.6.25.orig/kernel/configs.c linux-2.6.25/kernel/configs.c
--- linux-2.6.25.orig/kernel/configs.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/kernel/configs.c	2008-04-25 15:10:25.000000000 +0200
@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
 	struct proc_dir_entry *entry;
 
 	/* create the current config file */
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
+#endif
+#else
 	entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
 				  &proc_root);
+#endif
 	if (!entry)
 		return -ENOMEM;
 
diff -urNp linux-2.6.25.orig/kernel/exit.c linux-2.6.25/kernel/exit.c
--- linux-2.6.25.orig/kernel/exit.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/kernel/exit.c	2008-04-25 15:10:25.000000000 +0200
@@ -49,6 +49,7 @@
 #include <linux/vs_network.h>
 #include <linux/vs_pid.h>
 #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -125,6 +126,7 @@ static void __exit_signal(struct task_st
 
 	__unhash_process(tsk);
 
+	gr_del_task_from_ip_table(tsk);
 	tsk->signal = NULL;
 	tsk->sighand = NULL;
 	spin_unlock(&sighand->siglock);
diff -urNp linux-2.6.25.orig/kernel/kallsyms.c linux-2.6.25/kernel/kallsyms.c
--- linux-2.6.25.orig/kernel/kallsyms.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/kernel/kallsyms.c	2008-04-25 15:10:25.000000000 +0200
@@ -474,7 +474,15 @@ static int __init kallsyms_init(void)
 {
 	struct proc_dir_entry *entry;
 
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
+#endif
+#else
 	entry = create_proc_entry("kallsyms", 0444, NULL);
+#endif
 	if (entry)
 		entry->proc_fops = &kallsyms_operations;
 	return 0;
diff -urNp linux-2.6.25.orig/kernel/resource.c linux-2.6.25/kernel/resource.c
--- linux-2.6.25.orig/kernel/resource.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/kernel/resource.c	2008-04-25 15:10:25.000000000 +0200
@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
 {
 	struct proc_dir_entry *entry;
 
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	entry = create_proc_entry("ioports", S_IRUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
+#endif
+#else
 	entry = create_proc_entry("ioports", 0, NULL);
+#endif
 	if (entry)
 		entry->proc_fops = &proc_ioports_operations;
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	entry = create_proc_entry("iomem", S_IRUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
+#endif
+#else
 	entry = create_proc_entry("iomem", 0, NULL);
+#endif
 	if (entry)
 		entry->proc_fops = &proc_iomem_operations;
 	return 0;
diff -urNp linux-2.6.25.orig/kernel/sysctl.c linux-2.6.25/kernel/sysctl.c
--- linux-2.6.25.orig/kernel/sysctl.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/kernel/sysctl.c	2008-04-25 15:10:25.000000000 +0200
@@ -58,6 +58,11 @@
 static int deprecated_sysctl_warning(struct __sysctl_args *args);
 
 #if defined(CONFIG_SYSCTL)
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
+				const int op);
 
 /* External variables not in a header file. */
 extern int C_A_D;
@@ -157,6 +162,7 @@ static int proc_do_cad_pid(struct ctl_ta
 static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
 			       void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
+extern ctl_table grsecurity_table[];
 
 static struct ctl_table root_table[];
 static struct ctl_table_root sysctl_table_root;
@@ -830,6 +836,14 @@ static struct ctl_table kern_table[] = {
 		.proc_handler	= &proc_dostring,
 		.strategy	= &sysctl_string,
 	},
+#if defined(CONFIG_GRKERNSEC_SYSCTL)
+	{
+		.ctl_name	= CTL_UNNUMBERED,
+		.procname	= "grsecurity",
+		.mode		= 0500,
+		.child		= grsecurity_table,
+	},
+#endif
 /*
  * NOTE: do not add new entries to this table unless you have read
  * Documentation/sysctl/ctl_unnumbered.txt
@@ -1517,6 +1531,10 @@ static int test_perm(int mode, int op)
 int sysctl_perm(struct ctl_table *table, int op)
 {
 	int error;
+	if (table->parent != NULL && table->parent->procname != NULL &&
+	    table->procname != NULL &&
+	    gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
+		return -EACCES;
 	error = security_sysctl(table, op);
 	if (error)
 		return error;
diff -urNp linux-2.6.25.orig/net/ipv4/inet_hashtables.c linux-2.6.25/net/ipv4/inet_hashtables.c
--- linux-2.6.25.orig/net/ipv4/inet_hashtables.c	2008-04-25 15:09:05.000000000 +0200
+++ linux-2.6.25/net/ipv4/inet_hashtables.c	2008-04-25 15:10:25.000000000 +0200
@@ -18,12 +18,15 @@
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/wait.h>
+#include <linux/grsecurity.h>
 
 #include <net/inet_connection_sock.h>
 #include <net/inet_hashtables.h>
 #include <net/route.h>
 #include <net/ip.h>
 
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
+
 /*
  * Allocate and initialize a new local port bind bucket.
  * The bindhash mutex for snum's hash chain must be held here.
@@ -467,6 +470,8 @@ ok:
 		}
 		spin_unlock(&head->lock);
 
+		gr_update_task_in_ip_table(current, inet_sk(sk));
+
 		if (tw) {
 			inet_twsk_deschedule(tw, death_row);
 			inet_twsk_put(tw);
diff -urNp linux-2.6.25.orig/net/socket.c linux-2.6.25/net/socket.c
--- linux-2.6.25.orig/net/socket.c	2008-04-25 15:09:05.000000000 +0200
+++ linux-2.6.25/net/socket.c	2008-04-25 15:10:25.000000000 +0200
@@ -85,6 +85,7 @@
 #include <linux/audit.h>
 #include <linux/wireless.h>
 #include <linux/nsproxy.h>
+#include <linux/in.h>
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -98,6 +99,8 @@
 #include <linux/vs_inet.h>
 #include <linux/vs_inet6.h>
 
+extern void gr_attach_curr_ip(const struct sock *sk);
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
 			 unsigned long nr_segs, loff_t pos);
@@ -1502,6 +1505,7 @@ asmlinkage long sys_accept(int fd, struc
 	err = newfd;
 
 	security_socket_post_accept(sock, newsock);
+	gr_attach_curr_ip(newsock->sk);
 
 out_put:
 	fput_light(sock->file, fput_needed);
diff -urNp linux-2.6.25.orig/security/Kconfig linux-2.6.25/security/Kconfig
--- linux-2.6.25.orig/security/Kconfig	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/security/Kconfig	2008-04-25 15:10:25.000000000 +0200
@@ -4,6 +4,8 @@
 
 menu "Security options"
 
+source grsecurity/Kconfig
+
 config KEYS
 	bool "Enable access key retention support"
 	help
diff -urNp linux-2.6.25.orig/fs/proc/base.c linux-2.6.25/fs/proc/base.c
--- linux-2.6.25.orig/fs/proc/base.c	2008-04-25 15:09:12.000000000 +0200
+++ linux-2.6.25/fs/proc/base.c	2008-04-25 15:10:25.000000000 +0200
@@ -1290,7 +1290,11 @@ static struct inode *proc_pid_make_inode
 	inode->i_gid = 0;
 	if (task_dumpable(task)) {
 		inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 		inode->i_gid = task->egid;
+#endif
 	}
 	/* procfs is xid tagged */
 	inode->i_tag = (tag_t)vx_task_xid(task);
@@ -1308,17 +1312,38 @@ static int pid_getattr(struct vfsmount *
 {
 	struct inode *inode = dentry->d_inode;
 	struct task_struct *task;
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	struct task_struct *tmp = current;
+#endif
+
 	generic_fillattr(inode, stat);
 
 	rcu_read_lock();
 	stat->uid = 0;
 	stat->gid = 0;
 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
-	if (task) {
+	if (task
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	    && (!tmp->uid || (tmp->uid == task->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+	    || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+	    )
+#endif
+	) {
 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 		    task_dumpable(task)) {
 			stat->uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+			stat->gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 			stat->gid = task->egid;
+#endif
 		}
 	}
 	rcu_read_unlock();
@@ -1348,9 +1373,18 @@ static int pid_revalidate(struct dentry 
 	struct task_struct *task = get_proc_task(inode);
 	if (task) {
 		if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+		    (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
+#endif
 		    task_dumpable(task)) {
 			inode->i_uid = task->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 			inode->i_gid = task->egid;
+#endif
 		} else {
 			inode->i_uid = 0;
 			inode->i_gid = 0;
@@ -2367,6 +2401,9 @@ static const struct pid_entry tgid_base_
 	INF("io",	S_IRUGO, pid_io_accounting),
 #endif
 	ONE("nsproxy",	S_IRUGO, pid_nsproxy),
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+	INF("ipaddr",	S_IRUSR, pid_ipaddr),
+#endif
 };
 
 static int proc_tgid_base_readdir(struct file * filp,
@@ -2496,7 +2533,14 @@ static struct dentry *proc_pid_instantia
 	if (!inode)
 		goto out;
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+	inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
 	inode->i_op = &proc_tgid_base_inode_operations;
 	inode->i_fop = &proc_tgid_base_operations;
 	inode->i_flags|=S_IMMUTABLE;
@@ -2604,6 +2648,9 @@ int proc_pid_readdir(struct file * filp,
 {
 	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
 	struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+	struct task_struct *tmp = current;
+#endif
 	struct tgid_iter iter;
 	struct pid_namespace *ns;
 
@@ -2622,6 +2669,15 @@ int proc_pid_readdir(struct file * filp,
 	for (iter = next_tgid(ns, iter);
 	     iter.task;
 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+		if (tmp->uid && (iter.task->uid != tmp->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+			&& !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+		)
+#endif
+			continue;
+
 		filp->f_pos = iter.tgid + TGID_OFFSET;
 		if (!vx_proc_task_visible(iter.task))
 			continue;