run depmod before geninitrd and rc-boot

[packages/kernel.git] / grsecurity-1.9.2-2.4.17.patch

diff -urN linux/Documentation/Configure.help linux/Documentation/Configure.help
--- linux/Documentation/Configure.help  Fri Dec 21 12:41:53 2001
+++ linux/Documentation/Configure.help  Sun Dec 23 19:13:16 2001
@@ -19794,6 +19794,746 @@
 
   "Area6" will work for most boards. For ADX, select "Area5".
 
+Grsecurity
+CONFIG_GRKERNSEC
+  If you say Y here, you will be able to configure many features that
+  will enhance the security of your system.  It is highly recommended
+  that you say Y here and read through the help for each option so
+  you fully understand what its doing and can evaluate its usefulness
+  for your machine.
+
+OpenWall Non-executable Stack
+CONFIG_GRKERNSEC_STACK
+  If you say Y here, your system will not allow execution of
+  code on the stack, making buffer overflow exploitation more difficult.
+  The code for this protection is taken from the Openwall patch for
+  linux 2.2 by Solar Designer. You can view his projects at 
+  http://www.openwall.com/linux.
+  Exploits against your machine with this protection will have to dabble 
+  in more obscure methods of exploitation(bss,got,heap..)
+
+Gcc trampoline support
+CONFIG_GRKERNSEC_STACK_GCC
+  If you say Y here, the system will support trampoline code along
+  with the stack protection.  If you do not have any programs on
+  your system that require this (glibc 2.0 users must say YES to
+  this option) you may say no here.
+
+PaX protection
+CONFIG_GRKERNSEC_PAX 
+  By design the IA-32 architecture does not allow for protecting
+  memory pages against execution, i.e. if a page is readable (such
+  as the stack or heap) it is also executable.  There is a well
+  known exploit technique that makes use of this fact and a common
+  programming mistake where an attacker can introduce executable
+  code of his choice somewhere in the attacked program's memory
+  (typically the stack or the heap) and then execute it.  If the
+  attacked program was running with different (typically higher)
+  privileges than that of the attacker, then he can elevate his
+  own privilege level (e.g. get a root shell, write to files for
+  which he does not have write access to, etc).
+
+  Since the implementation is software based, it comes with a
+  performance impact, you should evaluate your system carefully
+  before deciding to use this feature on production systems.
+
+  Enabling this feature will enforce the non-executable flag on
+  memory pages thereby making it harder to execute 'foreign' code
+  in a program.  This will also break programs that rely on the
+  old behaviour and expect that dynamically allocated memory via
+  the malloc() family of functions is executable (which it is not).
+  Notable examples are the XFree86 4.x server, the java runtime
+  and wine.
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis.  chpax is available at
+  http://pageexec.virtualave.net
+
+Emulate trampolines
+CONFIG_GRKERNSEC_PAX_EMUTRAMP
+  There are some programs and libraries that for one reason or
+  another attempt to execute special small code snippets from
+  non-executable memory pages.  Most notable examples are the
+  signal handler return code generated by the kernel itself and
+  the GCC trampolines.
+
+  If you enabled CONFIG_GRKERNSEC_PAX then such programs will no
+  longer work under your kernel.  As a remedy you can say Y here
+  and use the 'chpax' utility to enable trampoline emulation for
+  the affected programs yet still have the protection provided by
+  CONFIG_GRKERNSEC_PAX.  Alternatively you can say N here and use
+  the 'chpax' utility to disable CONFIG_GRKERNSEC_PAX for the
+  affected files.  chpax is available at 
+  http://pageexec.virtualave.net
+
+  NOTE: enabling this feature *may* open up a loophole in the
+  protection provided by CONFIG_GRKERNSEC_PAX that an attacker
+  could abuse.  Therefore the best solution is to not have any
+  files on your system that would require this option.  This can
+  be achieved by not using libc5 (which relies on the kernel
+  signal handler return code) and not using or rewriting programs
+  that make use of the nested function implementation of GCC.
+  Skilled users can just fix GCC itself so that it implements
+  nested function calls in a way that does not interfere with PaX.
+
+Restrict mprotect()
+CONFIG_GRKERNSEC_PAX_MPROTECT
+  Enabling this option will prevent programs from changing the
+  executable status of memory pages that were not originally
+  created as executable.  The kernel will also prevent programs
+  from making read-only executable pages writable again.
+
+  You should say Y here to complete the protection provided by
+  the enforcement of the PAGE_EXEC flag (CONFIG_GRKERNSEC_PAX).
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis. chpax is available at
+  http://pageexec.virtualave.net
+
+Randomize mmap() base
+CONFIG_GRKERNSEC_PAX_RANDMMAP
+  By saying Y here the kernel will somewhat randomize the address
+  space of programs at each execution (the top of the stack, the
+  base address for mmap() requests that do not specify one themselves
+  and the base address of dynamic ELF executables).
+
+  As a result all dynamically loaded libraries will appear at random
+  addresses and therefore be harder to exploit by a technique where
+  an attacker attempts to execute library code for his purposes
+  (e.g. spawn a shell from an exploited program that is running at
+  an elevated privilege level).
+
+  Furthermore, if a program is relinked as a dynamic ELF file, its
+  base address will be randomized as well, completing the full
+  randomization of the address space.  Attacking such programs becomes
+  a guess game.
+
+  It is strongly recommended to say Y here even if CONFIG_GRKERNSEC_PAX
+  is not enabled as address space randomization has negligible impact
+  on performance yet it provides a very effective protection.
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis.  chpax is available at
+  http://pageexec.virtualave.net
+
+Proc Restrictions
+CONFIG_GRKERNSEC_PROC
+  If you say Y here, the permissions of the /proc filesystem
+  will be altered to enhance system security and privacy.  Depending
+  upon the options you choose, you can either restrict users to see
+  only the processes they themselves run, or choose a group that can
+  view all processes and files normally restricted to root if you choose
+  the "restrict to user only" option.  NOTE: If you're running identd as 
+  a non-root user, you will have to run it as the group you specify here.
+
+Restrict /proc to user only
+CONFIG_GRKERNSEC_PROC_USER
+  If you say Y here, non-root users will only be able to view their own 
+  processes, and restricts them from viewing network-related information,  
+  running dmesg(8), and viewing kernel symbol and module information.
+
+Restrict /proc to user and group
+CONFIG_GRKERNSEC_PROC_USERGROUP
+  If you say Y here, you will be able to select a group that will be
+  able to view all processes, network-related information, and
+  kernel and symbol information.  This option is useful if you want
+  to run identd as a non-root user.
+
+Linking restrictions
+CONFIG_GRKERNSEC_LINK
+  If you say Y here, /tmp race exploits will be prevented, since users
+  will no longer be able to follow symlinks owned by other users in 
+  world-writeable +t directories (i.e. /tmp), unless the owner of the 
+  symlink is the owner of the directory. users will also not be
+  able to hardlink to files they do not own.  If the sysctl option is
+  enabled, a sysctl option with name "linking_restrictions" is created.
+
+FIFO restrictions
+CONFIG_GRKERNSEC_FIFO
+  If you say Y here, users will not be able to write to FIFOs they don't
+  own in world-writeable +t directories (i.e. /tmp), unless the owner of
+  the FIFO is the same owner of the directory it's held in.  If the sysctl
+  option is enabled, a sysctl option with name "fifo_restrictions" is 
+  created.
+
+Secure file descriptors
+CONFIG_GRKERNSEC_FD
+  If you say Y here, set*id binaries will be protected from data spoofing
+  attacks (eg. making a program read /etc/shadow).  The patches do this
+  by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
+  for set*id binaries that are open and run by a user that is not the owner
+  of the file.  If the sysctl option is enabled, a sysctl option with name
+  "secure_fds" is created.
+
+Exec process limiting
+CONFIG_GRKERNSEC_EXECVE
+  If you say Y here, users with a resource limit on processes will
+  have the value checked during execve() calls.  The current system
+  only checks the system limit during fork() calls.  If the sysctl option
+  is enabled, a sysctl option with name "execve_limiting" is created.
+
+Fork-bombing protection
+CONFIG_GRKERNSEC_FORKBOMB
+  If you say Y here, you will be able to configure a group to add to users
+  on your system that you want to be unable to fork-bomb the system.
+  You will be able to specify a maximum process limit for the user and
+  set a rate limit for all forks under their uid. (Fork-bombing is a
+  tactic used by attackers that can be enacted in two ways, (1) loading
+  up thousands of processes until the system can't take any more (this
+  method can be stopped outside of the kernel with PAM, however we place
+  protection for it in the kernel to be more complete and reduce overhead),
+  and (2), by forking processes at a rapid rate, and then killing them
+  off, which cannot be protected against in the same way at tactic 1)
+  The rate limit is specified in forks allowed per second.  Set this
+  limit low enough to stop tactic 2, but high enough to allow for
+  normal operation.  The protection will kill the offending process.
+  If the sysctl option is enabled, a sysctl option with name 
+  "fork_bomb_prot" is created.
+
+Max processes for fork-bomb protection
+CONFIG_GRKERNSEC_FORKBOMB_MAX
+  Here you can configure the maximum number of processes users in the
+  fork-bomb protected group can run.  I would not recommend setting a
+  value lower than 8, since some programs like man(1) spawn up to 8
+  processes to run.  The default value should be fine for most purposes.
+  If the sysctl option is enabled, a sysctl option with name
+  "fork_bomb_max" is created.
+
+Forks allowed per second
+CONFIG_GRKERNSEC_FORKBOMB_SEC
+  Here you can specify the maximum number of forks allowed per second.
+  You don't want to set this value too low, or else you'll hinder
+  normal operation of your system.  The default value should be fine for
+  most users.  If the sysctl option is enabled, a sysctl option with name
+  "fork_bomb_sec" is created.
+
+Group for fork-bomb protection
+CONFIG_GRKERNSEC_FORKBOMB_GID
+  Here you can choose the GID to enable fork-bomb protection for.
+  Remember to add the users you want protection enabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "fork_bomb_gid" is created.
+
+Exec logging for all users
+CONFIG_GRKERNSEC_EXECLOG
+  If you say Y here, all execve() calls will be logged (since the
+  other exec*() calls are frontends to execve(), all execution
+  will be logged).  Useful for shell-servers that like to keep track
+  of their users.  If the sysctl option is enabled, a sysctl option with
+  name "exec_logging" is created.
+  WARNING: This option when enabled will produce a LOT of logs, especially
+  on an active system.
+
+Exec logging for a single group
+CONFIG_GRKERNSEC_EXECLOG_GROUP
+  If you say Y here, only execs by users in the group you specify will
+  be logged.  Useful for shell-servers that like to keep track
+  of their users.  If the sysctl option is enabled, a sysctl option with
+  name "exec_group logging" is created.
+  WARNING: Depending on the number of users in the group you specify,
+  this option could produce a lot of logs.
+ 
+Group for exec logging
+CONFIG_GRKERNSEC_EXECLOG_GID
+  Here you can choose the GID to log all file executions for.
+  Remember to add the users you want to log to the GID specified here.
+  If the sysctl option is enabled, whatever you choose here won't matter. 
+  You'll have to specify the GID in your bootup script by echoing the GID 
+  to the proper /proc entry.  View the help on the sysctl option for more 
+  information.  If the sysctl option is enabled, a sysctl option with name 
+  "exec_logging_gid" is created.
+
+Set*id logging for all users
+CONFIG_GRKERNSEC_SUID
+  If you say Y here, all set*id() calls will be logged.  Such information
+  could be useful when detecting a possible intrusion attempt.  This 
+  option can produce a lot of logs on an active system.  If the sysctl
+  option is enabled, a sysctl option with name "suid_logging" is created.
+
+Set*id logging for root
+CONFIG_GRKERNSEC_SUID
+  If you say Y here, only set*id() calls where a user is changing to the
+  gid or uid of the root user will be logged.  Such information
+  could be useful when detecting a possible intrusion attempt.  This
+  option will produce less logs than logging all calls.  If the sysctl
+  option is enabled, a sysctl option with name "suid_root_logging" is
+  created.
+
+Altered default IPC permissions
+CONFIG_GRKERNSEC_IPC
+  If you say Y here, the default permissions for IPC objects will be
+  set based on the filesystem umask of the user creating the object.
+  By default linux sets the permissions to ugo+rwx, which can be
+  a security problem if the application doesn't explicitly set the
+  permissions of the IPC object.
+
+Signal logging
+CONFIG_GRKERNSEC_SIGNAL
+  If you say Y here, certain important signals will be logged, such as
+  SIGSEGV, which will as a result inform you of when a error in a program
+  occurred, which in some cases could mean a possible exploit attempt.
+  If the sysctl option is enabled, a sysctl option with name 
+  "signal_logging" is created.
+
+BSD-style coredumps
+CONFIG_GRKERNSEC_COREDUMP
+  If you say Y here, linux will use a style similar to BSD for
+  coredumps, core.processname.  Not a security feature, just
+  a useful one.  If the sysctl option is enabled, a sysctl option with 
+  name "coredump" is created.
+
+Fork failure logging
+CONFIG_GRKERNSEC_FORKFAIL
+  If you say Y here, all failed fork() attempts will be logged.
+  This could suggest a fork bomb, or someone attempting to overstep
+  their process limit.  If the sysctl option is enabled, a sysctl option
+  with name "forkfail_logging" is created.
+
+Time change logging
+CONFIG_GRKERNSEC_TIME
+  If you say Y here, any changes of the system clock will be logged.
+  If the sysctl option is enabled, a sysctl option with name 
+  "timechange_logging" is created.
+
+Secure keymap loading
+CONFIG_GRKERNSEC_KBMAP
+  If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being
+  called by unprivileged users will be denied. If you answer N,
+  everyone with access to the console will be able to modify keyboard 
+  bindings.  If the sysctl option is enabled, a sysctl option with name
+  "secure_kbmap" is created.
+
+Enhanced network randomness
+CONFIG_GRKERNSEC_RANDNET
+  If you say Y here, the functions controlling the randomness
+  of the Linux IP stack will be enhanced to decrease the chances
+  of being able to predict certain packets that require some
+  amount of randomness.  If the sysctl option is enabled, a sysctl option
+  with name "rand_net" is created.
+
+Chroot jail restrictions
+CONFIG_GRKERNSEC_CHROOT
+  If you say Y here, you will be able to choose several options that will
+  make breaking out of a chrooted jail much more difficult.  If you
+  encounter no software incompatibilities with the following options, it
+  is recommended that you enable each one.
+
+Restricted signals in chroot
+CONFIG_GRKERNSEC_CHROOT_SIG
+  If you say Y here, processes inside a chroot will not be able to send
+  signals outside of the chroot.  The only signals allowed are null 
+  signals which perform no action, and the parent process sending 
+  a certain signal to its child.  If the sysctl option is enabled, a
+  sysctl option with name "chroot_restrict_sigs" is created.
+
+Deny mounts in chroot
+CONFIG_GRKERNSEC_CHROOT_MOUNT
+  If you say Y here, processes inside a chroot will not be able to
+  mount or remount filesystems.  If the sysctl option is enabled, a 
+  sysctl option with name "chroot_deny_mount" is created.
+
+Deny double-chroots
+CONFIG_GRKERNSEC_CHROOT_DOUBLE
+  If you say Y here, processes inside a chroot will not be able to chroot
+  again.  This is a widely used method of breaking out of a chroot jail
+  and should not be allowed.  If the sysctl option is enabled, a sysctl
+  option with name "chroot_deny_chroot" is created.
+
+Enforce chdir("/") on all chroots
+CONFIG_GRKERNSEC_CHROOT_CHDIR
+  If you say Y here, the current working directory of all newly-chrooted
+  applications will be set to the the root directory of the chroot.
+  The man page on chroot(2) states:
+  Note that this call does not change  the  current  working
+  directory,  so  that `.' can be outside the tree rooted at
+  `/'.  In particular, the  super-user  can  escape  from  a
+  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.  
+
+  It is recommended that you say Y here, since it's not known to break
+  any software.  If the sysctl option is enabled, a sysctl option with
+  name "chroot_enforce_chdir" is created.
+
+Deny (f)chmod +s in chroot
+CONFIG_GRKERNSEC_CHROOT_CHMOD
+  If you say Y here, processes inside a chroot will not be able to chmod
+  or fchmod files to make them have suid or sgid bits.  This protects 
+  against another published method of breaking a chroot.  If the sysctl 
+  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+  created.
+
+Deny mknod in chroot
+CONFIG_GRKERNSEC_CHROOT_MKNOD
+  If you say Y here, processes inside a chroot will not be allowed to
+  mknod.  The problem with using mknod inside a chroot is that it
+  would allow an attacker to create a device entry that is the same
+  as one on the physical root of your system, which could range from
+  anyhing from the console device to a device for your harddrive (which
+  they could then use to wipe the drive or steal data).  It is recommended
+  that you say Y here, unless you run into software incompatibilities.
+  If the sysctl option is enabled, a sysctl option with name
+  "chroot_deny_mknod" is created.
+
+Deny ptraces in chroot
+CONFIG_GRKERNSEC_CHROOT_PTRACE
+  If you say Y here, processes inside a chroot will not be able to ptrace
+  other processes.  Ptracing a process allows one to attach and alter the
+  flow of execution for the process.  It is strongly recommended that you
+  say Y here.  If the sysctl option is enabled, a sysctl option with name
+  "chroot_deny_ptrace" is created.
+
+Restrict priority changes in chroot
+CONFIG_GRKERNSEC_CHROOT_NICE
+  If you say Y here, processes inside a chroot will not be able to raise
+  the priority of processes in the chroot, or alter the priority of 
+  processes outside the chroot.  This provides more security than simply
+  removing CAP_SYS_NICE from the process' capability set.  If the
+  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+  is created.
+
+Log all execs within chroot
+CONFIG_GRKERNSEC_CHROOT_EXECLOG
+  If you say Y here, all executions inside a chroot jail will be logged 
+  to syslog.  If the sysctl option is enabled, a sysctl option with name
+  "chroot_execlog" is created.
+
+Chroot jail capability restrictions
+CONFIG_GRKERNSEC_CHROOT_CAPS
+  If you say Y here, the capabilities on all root processes within a
+  chroot jail will be lowered to stop module insertion, raw i/o,
+  system and net admin tasks, transferring capabilities, and
+  tty configuration tasks.  This is left an option because it breaks
+  some apps.  Disable this if your chrooted apps are having
+  problems performing those kinds of tasks.  If the sysctl option is 
+  enabled, a sysctl option with name "chroot_caps" is created.
+
+Trusted path execution
+CONFIG_GRKERNSEC_TPE
+  If you say Y here, you will be able to choose a gid to add to the
+  supplementary groups of users you want to mark as "untrusted."
+  These users will not be able to execute any files that are not in
+  root-owned directories writeable only by root.  If the sysctl option
+  is enabled, a sysctl option with name "tpe" is created.
+
+Group for trusted path execution
+CONFIG_GRKERNSEC_TPE_GID
+  Here you can choose the GID to enable trusted path protection for.
+  Remember to add the users you want protection enabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "tpe_gid" is created.
+
+Partially restrict non-root users
+CONFIG_GRKERNSEC_TPE_ALL
+  If you say Y here, All other non-root users will only be allowed to
+  execute files in directories they own that are not group or
+  world-writeable, or in directories owned by root and writeable only by
+  root.  If the sysctl option is enabled, a sysctl option with name 
+  "tpe_restrict_all" is created.
+
+Trusted path execution glibc protection
+CONFIG_GRKERNSEC_TPE_GLIBC
+  If you say Y here, all non-root users will not be able to execute
+  any files while glibc specific environment variables such as
+  LD_PRELOAD are set, which could be used to evade the trusted path 
+  execution protection.  It also protects against evasion through 
+  /lib/ld-2.*  It is recommended you say Y here also. If the sysctl option 
+  is enabled, a sysctl option with name "tpe_glibc" is created.
+
+Restricted ptrace
+CONFIG_GRKERNSEC_PTRACE
+  If you say Y here, no one but root will be able to ptrace processes.
+  Tracing syscalls inside the kernel will also be disabled.  All allowed
+  ptraces will be logged when this option is enabled.  If the sysctl
+  option is enabled, a sysctl option with name "restrict_ptrace" is
+  created.
+
+Allow ptrace for group
+CONFIG_GRKERNSEC_PTRACE_GROUP
+  If you say Y here, you will be able to choose a GID of whose users
+  will be able to ptrace.  If the sysctl option is enabled, a sysctl 
+  option with name "allow_ptrace_group" is created.
+
+GID for ptrace
+CONFIG_GRKERNSEC_PTRACE_GID
+  Here you can choose the GID of whose users will be able to ptrace.
+  Remember to add the users you want ptrace enabled for to the GID
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "ptrace_gid" is created.
+
+Randomized PIDs
+CONFIG_GRKERNSEC_RANDPID
+  If you say Y here, all PIDs created on the system will be
+  pseudo-randomly generated.  This is extremely effective along
+  with the /proc restrictions to disallow an attacker from guessing
+  pids of daemons, etc.  PIDs are also used in some cases as part
+  of a naming system for temporary files, so this option would keep
+  those filenames from being predicted as well.  We also use code
+  to make sure that PID numbers aren't reused too soon.  If the sysctl
+  option is enabled, a sysctl option with name "rand_pids" is created.
+
+Limit uid/gid changes to root
+CONFIG_GRKERNSEC_TTYROOT
+  If you say Y here, you will be able choose from three option that
+  will allow you to restrict access to the root account by console
+  type.  These options should only be enabled if you are sure of what
+  you're doing.  Also note that they only apply to processes that have
+  ttys, which generally involves some kind of user-interaction.  The
+  options are basically in place to keep users on a system who have a
+  (stolen) password for root from using it unless their console
+  credentials match.
+
+Deny physical consoles (tty)
+CONFIG_GRKERNSEC_TTYROOT_PHYS
+  If you say Y here, access to root from physical consoles will be
+  denied. This is only recommended for rare cases where you will
+  never need to be physically at the machine.  If the sysctl option
+  is enabled, a sysctl option with name "deny_phys_root" is created.
+
+Deny serial consoles (ttyS)
+CONFIG_GRKERNSEC_TTYROOT_SERIAL
+  If you say Y here, access to root from serial consoles will be
+  denied. Most people can say Y here, since most don't use serial
+  devices for their console access.  If you are unsure, say N.  If
+  the sysctl option is enabled, a sysctl option with name 
+  "deny_serial_root" is created.
+
+Deny pseudo consoles (pty)
+CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+  If you say Y here, access to root from pseudo consoles will be
+  denied. Pseudo consoles include consoles from telnet, ssh, or any other
+  kind of interactive shell initiated from the network.  Pseudo consoles
+  also include any terminals you use in XFree86.  If you will only be
+  accessing the machine for root access from the physical console, you
+  can say Y here.  Only say Y here if you're sure of what you're doing.
+  If the sysctl option is enabled, a sysctl option with name 
+  "deny_pseudo_root" is created.
+
+Randomized IP IDs
+CONFIG_GRKERNSEC_RANDID
+  If you say Y here, all the id field on all outgoing packets
+  will be randomized.  This hinders os fingerprinters and
+  keeps your machine from being used as a bounce for an untraceable
+  portscan.  Ids are used for fragmented packets, fragments belonging
+  to the same packet have the same id.  By default linux only
+  increments the id value on each packet sent to an individual host.
+  We use a port of the OpenBSD random ip id code to achieve the
+  randomness, while keeping the possibility of id duplicates to
+  near none.  If the sysctl option is enabled, a sysctl option with name
+  "rand_ip_ids" is created.
+
+Randomized TCP source ports
+CONFIG_GRKERNSEC_RANDSRC
+  If you say Y here, situations where a source port is generated on the
+  fly for the TCP protocol (ie. with connect() ) will be altered so that
+  the source port is generated at random, instead of a simple incrementing
+  algorithm.  If the sysctl option is enabled, a sysctl option with name
+  "rand_tcp_src_ports" is created.
+
+Altered Ping IDs
+CONFIG_GRKERNSEC_RANDPING
+  If you say Y here, the way Linux handles echo replies will be changed
+  so that the reply uses an ID equal to the ID of the echo request.
+  This will help in confusing OS detection.  If the sysctl option is
+  enabled, a sysctl option with name "altered_pings" is created.
+
+Randomized TTL
+CONFIG_GRKERNSEC_RANDTTL
+  If you say Y here, your TTL (time to live) for packets will be set at
+  random, with a base level you specify, to further confuse OS detection.
+  If the sysctl option is enabled, a sysctl option with name "rand_ttl"
+  is created.
+
+Randomized TTL threshold
+CONFIG_GRKERNSEC_RANDTTL_THRESH
+  Here you can choose a base TTL for the randomization.  The default value
+  for this setting is the Linux default TTL.  Most users will want to 
+  leave this setting as-is.  The higher you set the base level (note that
+  you can't set it above 255) the more hops your packets will live.  
+  If the sysctl option is enabled, whatever you choose here won't matter. 
+  You'll have to specify the threshold in your bootup script by echoing 
+  the threshold to the proper /proc entry.  View the help on the sysctl 
+  option for more information.  If the sysctl option is enabled, a sysctl 
+  option with name "rand_ttl_thresh" is created.
+
+Socket restrictions
+CONFIG_GRKERNSEC_SOCKET
+  If you say Y here, you will be able to choose from several options.
+  If you assign a GID on your system and add it to the supplementary
+  groups of users you want to restrict socket access to, this patch
+  will perform up to three things, based on the option(s) you choose.
+
+Deny all socket access
+CONFIG_GRKERNSEC_SOCKET_ALL
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine or run server
+  applications from your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_all" is created.
+
+Group for disabled socket access
+CONFIG_GRKERNSEC_SOCKET_ALL_GID
+  Here you can choose the GID to disable socket access for. Remember to 
+  add the users you want socket access disabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_all_gid" is created.
+
+Deny all client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine, but will be
+  able to run servers.  If this option is enabled, all users in the group
+  you specify will have to use passive mode when initiating ftp transfers
+  from the shell on your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_client" is created.
+
+Group for disabled client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID
+  Here you can choose the GID to disable client socket access for. 
+  Remember to add the users you want client socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_client_gid" is created.
+
+Deny all server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to run server applications from your machine.  If the sysctl 
+  option is enabled, a sysctl option with name "socket_server" is created.
+
+Group for disabled server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID
+  Here you can choose the GID to disable server socket access for. 
+  Remember to add the users you want server socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_server_gid" is created.
+
+Stealth network enhancements
+CONFIG_GRKERNSEC_STEALTH
+  If you say Y here, you will enable several enhancements that will
+  improve your system's protection against portscans.
+  Enabling these options and filtering all open ports should make
+  your machine very hard to detect, while not interfering with (most)
+  normal operation.  All the stealth options break RFC, so there's always the
+  possibility that it might affect how certain network applications react
+  to your system.  
+
+Do not RSTs on unserved TCP
+CONFIG_GRKERNSEC_STEALTH_RST
+  If you say Y here, your machine will not send RSTs (connection resets)
+  on unserved TCP ports.  This will slow down portscanners a great deal,
+  since it has the same effect as dropping all packets to unserved TCP
+  ports.  It will also force clients connecting to a non-open port to
+  time out instead of immediately stating "connection refused."  If the
+  sysctl option is enabled, a sysctl option with name "stealth_rst" is
+  created.
+
+Do not reply to UDP with ICMP unreachables
+CONFIG_GRKERNSEC_STEALTH_UDP
+  If you say Y here, your machine will not reply with ICMP unreachable
+  packets (type 3) on UDP ports not waiting for data.  This hinders
+  portscanners from scanning your UDP ports.  Enabling the UDP stealth 
+  options is known to slow down SSH connection times, and may also  
+  interfere with other protocols as well.  Packets travelling across the
+  local loopback interface will not be tampered with.  If the sysctl 
+  option is enabled, a sysctl option with name "stealth_udp" is created.
+
+Do not process ICMP packets
+CONFIG_GRKERNSEC_STEALTH_ICMP
+  If you say Y here, your machine will drop all ICMP packets but
+  echo-reply (Which allows you to ping from your machine, while not
+  allowing your machine to be pinged).  Since ICMP packets can be spoofed
+  and are commonly used in Denial of Service attacks, it is recommended
+  that you say Y here.  Theoretically, it is possible that this option 
+  could hinder your ability to connect to certain hosts since it also 
+  blocks "packet too large" icmp messages, though in reality this 
+  occurance is rare.  Packets travelling across the local loopback 
+  interface will not be tampered with.  If the sysctl option is enabled, a 
+  sysctl option with name "stealth_icmp" is created.
+
+Do not reply to IGMP requests
+CONFIG_GRKERNSEC_STEALTH_IGMP
+  If you say Y here, your machine will drop all IGMP packets.  IGMP
+  stands for Internet Group Management Protocol.  Most users should
+  enable this option, unless you are actually connected to a multicast
+  network, which IGMP is used for.  If the sysctl option is enabled, a 
+  sysctl option with name "stealth_igmp" is created.
+
+Drop packets with illegitimate flags
+CONFIG_GRKERNSEC_STEALTH_FLAGS
+  If you say Y here, your machine will drop packets with TCP flags that
+  are never used in normal communication.  Such packets are used in
+  "stealth" scans, and should not be allowed.  It is recommended that
+  you say Y here.  If the sysctl option is enabled, a sysctl option with
+  name "stealth_flags" is created.
+
+Log requests to unserved TCP ports
+CONFIG_GRKERNSEC_STEALTH_RST_LOG
+  If you say Y here, your machine will log requests to unserved TCP ports.
+  If the sysctl option is enabled, a sysctl option with name 
+  "stealth_rst_log" is created.
+
+Log requests to unserved UDP ports
+CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+  If you say Y here, your machine will log packets to UDP ports on your
+  system that are not waiting for data. Packets travelling across the
+  local loopback interface will not be logged.  If the sysctl option is 
+  enabled, a sysctl option with name "stealth_udp_log" is created.
+
+Log ICMP packets
+CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+  If you say Y here, your machine will log all ICMP packets but
+  echo-reply.  Packets travelling across the local loopback interface
+  will not be logged. If the sysctl option is enabled, a sysctl option 
+  with name "stealth_icmp_log" is created.
+
+Log packets with illegitimate flags
+CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+  If you say Y here, your machine will log packets with TCP flags that
+  are never used in normal communication.  Such packets are used in
+  "stealth" scans, and should not be allowed.  If the sysctl option is 
+  enabled, a sysctl option with name "stealth_flags_log" is created.
+
+Sysctl support
+CONFIG_GRKERNSEC_SYSCTL
+  If you say Y here, you will be able to change the options that
+  grsecurity runs with at bootup, without having to recompile your
+  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
+  to enable (1) or disable (0) various features.  All the sysctl entries
+  are mutable until the "grsec_lock" entry is set to a non-zero value.
+  All features are disabled by default. Please note that this option could 
+  reduce the effectiveness of the added security of this patch if an ACL 
+  system is not put in place.  Your init scripts should be read-only, and 
+  root should not have access to adding modules or performing raw i/o 
+  operations.  All options should be set at startup, and the grsec_lock 
+  entry should be set to a non-zero value after all the options are set.  
+  *THIS IS EXTREMELY IMPORTANT*
+
+Oblivion ACL System
+CONFIG_GRKERNSEC_ACL
+  If you say Y here, you enable the Access Control List system for 
+  grsecurity called Oblivion. Oblivion is a very advanced ACL system
+  that is optimized for speed and correctness of ACLS.  Unlike many 
+  other popular ACL systems, it allows both process and file ACLs.
+  To use the ACL system, you must also download the userspace code
+  and documentation off the grsecurity website: http://grsecurity.net
+  You will then need to run obvadm setup to set your password and create 
+  your config files.
+  
 #
 # m68k-specific kernel options
 # Documented by Chris Lawrence <mailto:quango@themall.net> et al.
diff -urN linux/arch/alpha/config.in linux/arch/alpha/config.in
--- linux/arch/alpha/config.in  Tue Nov 20 18:49:31 2001
+++ linux/arch/alpha/config.in  Sun Dec 23 19:13:16 2001
@@ -393,3 +393,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/arm/config.in linux/arch/arm/config.in
--- linux/arch/arm/config.in    Fri Nov  9 16:58:02 2001
+++ linux/arch/arm/config.in    Sun Dec 23 19:13:16 2001
@@ -606,3 +606,12 @@
 dep_bool '  Kernel low-level debugging messages via footbridge serial port' CONFIG_DEBUG_DC21285_PORT $CONFIG_DEBUG_LL $CONFIG_FOOTBRIDGE
 dep_bool '  kernel low-level debugging messages via UART2' CONFIG_DEBUG_CLPS711X_UART2 $CONFIG_DEBUG_LL $CONFIG_ARCH_CLPS711X
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/cris/config.in linux/arch/cris/config.in
--- linux/arch/cris/config.in   Mon Oct 15 16:42:14 2001
+++ linux/arch/cris/config.in   Sun Dec 23 19:13:16 2001
@@ -251,3 +251,12 @@
   int ' Profile shift count' CONFIG_PROFILE_SHIFT 2
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/i386/config.in linux/arch/i386/config.in
--- linux/arch/i386/config.in   Fri Dec 21 12:41:53 2001
+++ linux/arch/i386/config.in   Sun Dec 23 19:13:16 2001
@@ -416,3 +416,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/i386/kernel/entry.S linux/arch/i386/kernel/entry.S
--- linux/arch/i386/kernel/entry.S      Fri Nov  2 20:18:49 2001
+++ linux/arch/i386/kernel/entry.S      Sun Dec 23 19:13:16 2001
@@ -45,6 +45,7 @@
 #include <linux/linkage.h>
 #include <asm/segment.h>
 #include <asm/smp.h>
+#include <asm/page.h>
 
 EBX            = 0x00
 ECX            = 0x04
@@ -381,8 +382,52 @@
        jmp error_code
 
 ENTRY(page_fault)
+#ifdef CONFIG_GRKERNSEC_PAX
+       ALIGN
+       pushl $ SYMBOL_NAME(pax_do_page_fault)
+       pushl %ds
+       pushl %eax
+       xorl %eax,%eax
+       pushl %ebp
+       pushl %edi
+       pushl %esi
+       pushl %edx
+       decl %eax                       # eax = -1
+       pushl %ecx
+       pushl %ebx
+       cld
+       movl %es,%ecx
+       movl ORIG_EAX(%esp), %esi       # get the error code
+       movl ES(%esp), %edi             # get the function address
+       movl %eax, ORIG_EAX(%esp)
+       movl %ecx, ES(%esp)
+       movl %esp,%edx
+       pushl %esi                      # push the error code
+       pushl %edx                      # push the pt_regs pointer
+       movl $(__KERNEL_DS),%edx
+       movl %edx,%ds
+       movl %edx,%es
+       GET_CURRENT(%ebx)
+       call *%edi
+       addl $8,%esp
+       decl %eax
+       jnz ret_from_exception
+
+       popl %ebx
+       popl %ecx
+       popl %edx
+       popl %esi
+       popl %edi
+       popl %ebp
+       popl %eax
+       popl %ds
+       popl %es
+       addl $4,%esp
+       jmp system_call
+#else
        pushl $ SYMBOL_NAME(do_page_fault)
        jmp error_code
+#endif
 
 ENTRY(machine_check)
        pushl $0
diff -urN linux/arch/i386/kernel/head.S linux/arch/i386/kernel/head.S
--- linux/arch/i386/kernel/head.S       Wed Jun 20 14:00:53 2001
+++ linux/arch/i386/kernel/head.S       Sun Dec 23 19:13:16 2001
@@ -433,7 +433,11 @@
        .quad 0x0000000000000000        /* not used */
        .quad 0x00cf9a000000ffff        /* 0x10 kernel 4GB code at 0x00000000 */
        .quad 0x00cf92000000ffff        /* 0x18 kernel 4GB data at 0x00000000 */
+#ifdef CONFIG_GRKERNSEC_STACK
+        .quad 0x00cbfa000000f7ff        /* 0x23 user   3GB-8MB code at 0 */
+#else
        .quad 0x00cffa000000ffff        /* 0x23 user   4GB code at 0x00000000 */
+#endif
        .quad 0x00cff2000000ffff        /* 0x2b user   4GB data at 0x00000000 */
        .quad 0x0000000000000000        /* not used */
        .quad 0x0000000000000000        /* not used */
diff -urN linux/arch/i386/kernel/ptrace.c linux/arch/i386/kernel/ptrace.c
--- linux/arch/i386/kernel/ptrace.c     Wed Nov 21 13:42:41 2001
+++ linux/arch/i386/kernel/ptrace.c     Sun Dec 23 19:13:16 2001
@@ -21,6 +21,9 @@
 #include <asm/i387.h>
 #include <asm/debugreg.h>
 
+#if defined(CONFIG_GRKERNSEC_CHROOT_PTRACE) || defined(CONFIG_GRKERNSEC_PTRACE)
+#include <linux/grsecurity.h>
+#endif
 /*
  * does not yet catch signals sent when the child dies.
  * in exit.c or in signal.c.
@@ -177,6 +180,32 @@
        if (pid == 1)           /* you may not mess with init */
                goto out_tsk;
 
+#ifdef CONFIG_GRKERNSEC_PTRACE
+       if(grsec_enable_ptrace && current->uid
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+          && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid))
+          || !grsec_enable_ptrace_group)
+#endif
+       ) {
+               security_alert("denied ptrace of (%.16s:%d) by " DEFAULTSECMSG,
+                               "denied ptraces", child->comm, child->pid, DEFAULTSECARGS);
+               goto out_tsk;
+       }
+               security_alert("ptrace of (%.16s:%d) by " DEFAULTSECMSG,
+                               "ptraces", child->comm, child->pid, DEFAULTSECARGS);
+#endif         
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+       if(grsec_enable_chroot_ptrace && proc_is_chrooted(current) &&
+          have_same_root(current,child)) {
+               security_alert("denied ptrace of process(%.16s:%d) within chroot jail "
+                               "(%.32s:%lu) by " DEFAULTSECMSG, 
+                               "ptrace from chroot",
+                               child->comm,child->pid,kdevname(current->fs->root->d_inode->i_dev),
+                               current->fs->root->d_inode->i_ino, 
+                              DEFAULTSECARGS);
+               goto out_tsk;
+       }
+#endif
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out_tsk;
@@ -439,11 +468,23 @@
        return ret;
 }
 
+#ifdef CONFIG_GRKERNSEC_PTRACE
+asmlinkage void syscall_trace(int unused)
+#else
 asmlinkage void syscall_trace(void)
+#endif
 {
+#ifdef CONFIG_GRKERNSEC_PTRACE
+       struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
+
        if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) !=
                        (PT_PTRACED|PT_TRACESYS))
                return;
+#ifdef CONFIG_GRKERNSEC_PTRACE
+       if(!user_mode(regs))
+               return;
+#endif
        /* the 0x80 provides a way for the tracing parent to distinguish
           between a syscall stop and SIGTRAP delivery */
        current->exit_code = SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD)
diff -urN linux/arch/i386/kernel/signal.c linux/arch/i386/kernel/signal.c
--- linux/arch/i386/kernel/signal.c     Fri Sep 14 17:15:40 2001
+++ linux/arch/i386/kernel/signal.c     Sun Dec 23 19:13:16 2001
@@ -7,6 +7,7 @@
  *  2000-06-20  Pentium III FXSR, SSE support by Gareth Hughes
  */
 
+#include <linux/config.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
 #include <linux/smp.h>
@@ -421,11 +422,15 @@
        if (ka->sa.sa_flags & SA_RESTORER) {
                err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
        } else {
+#ifdef CONFIG_GRKERNSEC_STACK
+               err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode);
+#else
                err |= __put_user(frame->retcode, &frame->pretcode);
                /* This is popl %eax ; movl $,%eax ; int $0x80 */
                err |= __put_user(0xb858, (short *)(frame->retcode+0));
                err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2));
                err |= __put_user(0x80cd, (short *)(frame->retcode+6));
+#endif
        }
 
        if (err)
@@ -496,11 +501,15 @@
        if (ka->sa.sa_flags & SA_RESTORER) {
                err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
        } else {
+#ifdef CONFIG_GRKERNSEC_STACK
+               err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode);
+#else
                err |= __put_user(frame->retcode, &frame->pretcode);
                /* This is movl $,%eax ; int $0x80 */
                err |= __put_user(0xb8, (char *)(frame->retcode+0));
                err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1));
                err |= __put_user(0x80cd, (short *)(frame->retcode+5));
+#endif
        }
 
        if (err)
@@ -557,6 +566,18 @@
                                regs->eip -= 2;
                }
        }
+
+#ifdef CONFIG_GRKERNSEC_PAX
+       /* PaX: clean up as our trace attempt became obsolete */
+       if ((current->flags & PF_PAX_PAGEEXEC) && (current->ptrace & PT_PAX_TRACE)) {
+               if (!(current->ptrace & PT_PAX_OLDTF)) {
+                       regs->eflags &= ~TF_MASK;
+               }
+               current->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+               current->thread.pax_faults.eip = 0;
+               current->thread.pax_faults.count = 0;
+       }
+#endif
 
        /* Set up the stack frame */
        if (ka->sa.sa_flags & SA_SIGINFO)
diff -urN linux/arch/i386/kernel/traps.c linux/arch/i386/kernel/traps.c
--- linux/arch/i386/kernel/traps.c      Sun Sep 30 15:26:08 2001
+++ linux/arch/i386/kernel/traps.c      Sun Dec 23 19:13:16 2001
@@ -49,6 +49,9 @@
 
 #include <linux/irq.h>
 #include <linux/module.h>
+#ifdef CONFIG_GRKERNSEC_STACK
+#include <linux/grsecurity.h>
+#endif
 
 asmlinkage int system_call(void);
 asmlinkage void lcall7(void);
@@ -348,14 +351,183 @@
 DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
 DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2())
 
+#if defined(CONFIG_GRKERNSEC_STACK) && defined(CONFIG_GRKERNSEC_STACK_GCC)
+static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum)
+{
+    switch (regnum) {
+       case 0: return &regs->eax;
+       case 1: return &regs->ecx;
+       case 2: return &regs->edx;
+       case 3: return &regs->ebx;
+       case 4: return &regs->esp;
+       case 5: return &regs->ebp;
+       case 6: return &regs->esi;
+       case 7: return &regs->edi;
+    }
+    return NULL;
+}
+static unsigned long get_modrm(struct pt_regs *regs, int *err)
+{
+       unsigned char modrm, sib;
+       signed char rel8;
+       unsigned long rel32;
+       int size, regnum, scale;
+       unsigned long index, base, addr, value;
+
+       *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1));
+       size = 2;
+       regnum = modrm & 7;
+       addr = *get_reg(regs, regnum);
+       if (regnum == 4 && (modrm & 0xC0) != 0xC0) {
+               *err |= __get_user(sib, (unsigned char *)(regs->eip + 2));
+               size = 3;
+               scale = sib >> 6;
+               index = *get_reg(regs, (sib >> 3) & 7);
+               base = *get_reg(regs, sib & 7);
+               addr = base + (index << scale);
+       }
+
+       switch (modrm & 0xC0) {
+       case 0x00:
+               if (regnum == 5) {
+                       *err |= __get_user(addr,
+                               (unsigned long *)(regs->eip + 2));
+                       size = 6;
+               }
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x40:
+               *err |= __get_user(rel8, (signed char *)(regs->eip + size));
+               size++;
+               addr += rel8;
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x80:
+               *err |= __get_user(rel32, (unsigned long *)(regs->eip + size));
+               size += 4;
+               addr += rel32;
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0xC0:
+       default:
+               value = addr;
+       }
+
+       if (*err) return 0;
+       regs->eip += size;
+       return value;
+}
+#endif
 asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
 {
+#ifdef CONFIG_GRKERNSEC_STACK
+    unsigned long addr;
+#ifdef CONFIG_GRKERNSEC_STACK_GCC
+    unsigned char insn;
+    int err, count;
+#endif
+#endif
        if (regs->eflags & VM_MASK)
                goto gp_in_vm86;
 
        if (!(regs->xcs & 3))
                goto gp_in_kernel;
 
+#ifdef CONFIG_GRKERNSEC_STACK
+/* Check if it was return from a signal handler */
+        if ((regs->xcs & 0xFFFF) == __USER_CS)
+        if (*(unsigned char *)regs->eip == 0xC3)
+        if (!__get_user(addr, (unsigned long *)regs->esp)) {
+                if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) {
+/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */
+                        regs->esp += 8;
+                        __asm__("movl %3,%%esi\n\t"
+                                "subl %1,%%esp\n\t"
+                                "movl %2,%%ecx\n\t"
+                                "movl %%esp,%%edi\n\t"
+                                "rep; movsl\n\t"
+                                "testl $1,%4\n\t"
+                                "jnz 1f\n\t"
+                                "call sys_sigreturn\n\t"
+                                "leal %3,%%edi\n\t"
+                                "jmp 2f\n\t"
+                                "1:\n\t"
+                                "call sys_rt_sigreturn\n\t"
+                                "leal %3,%%edi\n\t"
+                                "2:\n\t"
+                                "addl %1,%%edi\n\t"
+                                "movl %%esp,%%esi\n\t"
+                                "movl %2,%%ecx\n\t"
+                                "movl (%%edi),%%edi\n\t"
+                                "rep; movsl\n\t"
+                                "movl %%esi,%%esp"
+                        :
+/* %eax is returned separately */
+                        "=a" (regs->eax)
+                        :
+                        "i" (sizeof(*regs)),
+                        "i" (sizeof(*regs) >> 2),
+                        "m" (regs),
+                        "r" (addr)
+                        :
+                        "cx", "dx", "si", "di", "cc", "memory");
+                        return;
+                }
+/*
+ *  * Check if we're returning to the stack area, which is only likely to happen
+ *   * when attempting to exploit a buffer overflow.
+ *    */
+                if ((addr & 0xFF800000) == 0xBF800000 ||
+                    (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET))
+                        security_alert("return onto stack by " DEFAULTSECMSG,
+                                "returns onto stack", DEFAULTSECARGS);
+        }
+ 
+#ifdef CONFIG_GRKERNSEC_STACK_GCC
+/* Check if it could have been a trampoline call */
+        if ((regs->xcs & 0xFFFF) == __USER_CS)
+        if (*(unsigned char *)regs->eip == 0xFF)
+        if (!__get_user(insn, (unsigned char *)(regs->eip + 1)))
+        if ((insn & 0x38) == 0x10 && insn != 0xD4) {    /* call mod r/m */
+/* First, emulate the call */
+                err = 0;
+                addr = get_modrm(regs, &err);
+                if (!err) {
+                        regs->esp -= 4;
+                        err = __put_user(regs->eip, (unsigned long *)regs->esp);
+                        regs->eip = addr;
+                }  
+/* Then, start emulating the trampoline itself */
+               count = 0;
+               while (!err && !__get_user(insn, (unsigned char *)regs->eip++))
+               if ((insn & 0xF8) == 0xB8) {            /* movl imm32,%reg */
+/* We only have 8 GP registers, no reason to initialize one twice */
+                        if (count++ >= 8) break;
+                        err |= __get_user(addr, (unsigned long *)regs->eip);
+                        regs->eip += 4;
+                        *get_reg(regs, insn & 7) = addr;
+                } else
+                if (insn == 0xFF) {
+                        err |= __get_user(insn, (unsigned char *)regs->eip);
+                        if ((insn & 0xF8) == 0xE0) {    /* jmp *%reg */
+                                regs->eip = *get_reg(regs, insn & 7);
+                                if (err) break; else return;
+                        }
+                        break;
+                } else
+               if (insn == 0xE9) {                     /* jmp rel32 */
+                       err |= __get_user(addr, (unsigned long *)regs->eip);
+                       if (err) break;
+                       regs->eip += 4 + addr;
+                       return;
+               } else
+                       break;
+       }                        
+#endif
+#endif
        current->thread.error_code = error_code;
        current->thread.trap_no = 13;
        force_sig(SIGSEGV, current);
@@ -452,6 +624,10 @@
        inb(0x71);              /* dummy */
 }
 
+#ifdef CONFIG_GRKERNSEC_PAX
+void pax_handle_ptes(struct task_struct *tsk);
+#endif
+
 /*
  * Our handling of the processor debug registers is non-trivial.
  * We do not clear them on entry and exit from the kernel. Therefore
@@ -482,6 +658,22 @@
 
        __asm__ __volatile__("movl %%db6,%0" : "=r" (condition));
 
+#ifdef CONFIG_GRKERNSEC_PAX
+       /* PaX: clean up */
+       if ((tsk->flags & PF_PAX_PAGEEXEC) && (condition & DR_STEP) && (tsk->ptrace & PT_PAX_TRACE)) {
+               tsk->ptrace &= ~PT_PAX_TRACE;
+               pax_handle_ptes(tsk);
+               if (!(tsk->ptrace & PT_PAX_KEEPTF) && !(tsk->ptrace & PT_PAX_OLDTF))
+                       regs->eflags &= ~TF_MASK;
+               tsk->ptrace &= ~PT_PAX_KEEPTF;
+               if (!(tsk->ptrace & PT_PAX_OLDTF)) {
+                       condition &= ~DR_STEP;
+                       if (!(condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)))
+                               return;
+               }
+               tsk->ptrace &= ~PT_PAX_OLDTF;
+       }
+#endif
        /* Mask out spurious debug traps due to lazy DR7 setting */
        if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) {
                if (!tsk->thread.debugreg[7])
diff -urN linux/arch/i386/mm/fault.c linux/arch/i386/mm/fault.c
--- linux/arch/i386/mm/fault.c  Tue Oct  9 18:13:03 2001
+++ linux/arch/i386/mm/fault.c  Sun Dec 23 19:13:16 2001
@@ -4,6 +4,7 @@
  *  Copyright (C) 1995  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/signal.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
@@ -19,6 +20,9 @@
 #include <linux/init.h>
 #include <linux/tty.h>
 #include <linux/vt_kern.h>             /* For unblank_screen() */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_RANDMMAP)
+#include <linux/unistd.h>
+#endif
 
 #include <asm/system.h>
 #include <asm/uaccess.h>
@@ -146,23 +150,31 @@
  *     bit 1 == 0 means read, 1 means write
  *     bit 2 == 0 means kernel, 1 means user-mode
  */
+#ifdef CONFIG_GRKERNSEC_PAX
+asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
+#else
 asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code)
+#endif
 {
        struct task_struct *tsk;
        struct mm_struct *mm;
        struct vm_area_struct * vma;
+#ifndef CONFIG_GRKERNSEC_PAX
        unsigned long address;
+#endif
        unsigned long page;
        unsigned long fixup;
        int write;
        siginfo_t info;
 
+#ifndef CONFIG_GRKERNSEC_PAX
        /* get the address */
        __asm__("movl %%cr2,%0":"=r" (address));
 
        /* It's safe to allow irq's after cr2 has been saved */
        if (regs->eflags & X86_EFLAGS_IF)
                local_irq_enable();
+#endif
 
        tsk = current;
 
@@ -220,21 +232,37 @@
 good_area:
        info.si_code = SEGV_ACCERR;
        write = 0;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+       switch (error_code & 7) {
+#else
        switch (error_code & 3) {
+#endif
                default:        /* 3: write, present */
 #ifdef TEST_VERIFY_AREA
                        if (regs->cs == KERNEL_CS)
                                printk("WP fault at %08lx\n", regs->eip);
 #endif
                        /* fall through */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               case 7:         /* PaX: write, present, some protection violation */
+#endif
                case 2:         /* write, not present */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               case 6:
+#endif
                        if (!(vma->vm_flags & VM_WRITE))
                                goto bad_area;
                        write++;
                        break;
                case 1:         /* read, present */
                        goto bad_area;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               case 5:         /* PaX: read, present, protection violation */
+#endif
                case 0:         /* read, not present */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               case 4:
+#endif
                        if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
                                goto bad_area;
        }
@@ -409,3 +437,441 @@
                return;
        }
 }
+#ifdef CONFIG_GRKERNSEC_PAX
+/* PaX: called with the page_table_lock spinlock held */
+static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address)
+{
+       pgd_t *pgd;
+       pmd_t *pmd;
+
+       pgd = pgd_offset(mm, address);
+       if (!pgd || !pgd_present(*pgd))
+               return 0;
+       pmd = pmd_offset(pgd, address);
+       if (!pmd || !pmd_present(*pmd))
+               return 0;
+       return pte_offset(pmd, address);
+}
+
+/*
+ * PaX: decide what to do with offenders
+ *
+ * returns 0 when access should be allowed
+ *         1 when task should be killed
+ *         2 when sigreturn trampoline was detected
+ *         3 when rt_sigreturn trampoline was detected
+ *         4 when gcc trampoline was detected
+ */
+static int pax_handle_read_fault(struct pt_regs *regs, unsigned long address)
+{
+       static unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4};
+       int err;
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+       if (!(current->flags & PF_PAX_EMUTRAMP))
+               return 1;
+
+       { /* PaX: sigreturn emulation */
+               unsigned char pop, mov;
+               unsigned short sys;
+               unsigned long nr;
+
+               err = __get_user(pop, (unsigned char *)(regs->eip));
+               err |= __get_user(mov, (unsigned char *)(regs->eip + 1));
+               err |= __get_user(nr, (unsigned long *)(regs->eip + 2));
+               err |= __get_user(sys, (unsigned short *)(regs->eip + 6));
+
+               if (!err) {
+                       if (pop == 0x58 &&
+                           mov == 0xb8 &&
+                           nr == __NR_sigreturn &&
+                           sys == 0x80cd)
+                       {
+                               regs->esp += 4;
+                               regs->eax = nr;
+                               regs->eip += 8;
+                               return 2;
+                       }
+               }
+       }
+
+       { /* PaX: rt_sigreturn emulation */
+               unsigned char mov;
+               unsigned short sys;
+               unsigned long nr;
+
+               err = __get_user(mov, (unsigned char *)(regs->eip));
+               err |= __get_user(nr, (unsigned long *)(regs->eip + 1));
+               err |= __get_user(sys, (unsigned short *)(regs->eip + 5));
+
+               if (!err) {
+                       if (mov == 0xb8 &&
+                           nr == __NR_rt_sigreturn &&
+                           sys == 0x80cd)
+                       {
+                               regs->eax = nr;
+                               regs->eip += 7;
+                               return 3;
+                       }
+               }
+       }
+
+       { /* PaX: gcc trampoline emulation #1 */
+               unsigned char mov1, mov2;
+               unsigned short jmp;
+               unsigned long addr1, addr2, ret;
+
+               err = __get_user(mov1, (unsigned char *)(regs->eip));
+               err |= __get_user(addr1, (unsigned long *)(regs->eip + 1));
+               err |= __get_user(mov2, (unsigned char *)(regs->eip + 5));
+               err |= __get_user(addr2, (unsigned long *)(regs->eip + 6));
+               err |= __get_user(jmp, (unsigned short *)(regs->eip + 10));
+               err |= __get_user(ret, (unsigned long *)(regs->esp));
+
+               if (!err) {
+                       unsigned short call;
+
+                       err = __get_user(call, (unsigned short *)(ret-2));
+                       if (!err) {
+                               if ((mov1 & 0xF8) == 0xB8 &&
+                                   (mov2 & 0xF8) == 0xB8 &&
+                                   (mov1 & 0x07) != (mov2 & 0x07) &&
+                                   (jmp & 0xF8FF) == 0xE0FF &&
+                                   (mov2 & 0x07) == ((jmp>>8) & 0x07) &&
+                                   (call & 0xF8FF) == 0xD0FF &&
+                                   (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]]))
+                               {
+                                       ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1;
+                                       ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2;
+                                       regs->eip = addr2;
+                                       return 4;
+                               }
+                       }
+               }
+       }
+
+       { /* PaX: gcc trampoline emulation #2 */
+               unsigned char mov, jmp;
+               unsigned long addr1, addr2, ret;
+
+               err = __get_user(mov, (unsigned char *)(regs->eip));
+               err |= __get_user(addr1, (unsigned long *)(regs->eip + 1));
+               err |= __get_user(jmp, (unsigned char *)(regs->eip + 5));
+               err |= __get_user(addr2, (unsigned long *)(regs->eip + 6));
+               err |= __get_user(ret, (unsigned long *)(regs->esp));
+
+               if (!err) {
+                       unsigned short call;
+
+                       err = __get_user(call, (unsigned short *)(ret-2));
+                       if (!err) {
+                               if ((mov & 0xF8) == 0xB8 &&
+                                   jmp == 0xE9 &&
+                                   (call & 0xF8FF) == 0xD0FF &&
+                                   (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]]))
+                               {
+                                       ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
+                                       regs->eip += addr2 + 10;
+                                       return 4;
+                               }
+                       }
+               }
+       }
+#endif
+
+       return 1; /* PaX in action */
+}
+
+static int pax_handle_opcode(struct task_struct *tsk, struct pt_regs *regs)
+{
+       unsigned long opsize = 1;
+       unsigned long opsize_override = 0;
+       unsigned long i;
+
+       if (regs->eflags & TF_MASK)
+               tsk->ptrace |= PT_PAX_OLDTF;
+       else
+               tsk->ptrace &= ~PT_PAX_OLDTF;
+       tsk->ptrace &= ~PT_PAX_KEEPTF;
+
+       for (i=0; i<15; i++) {
+               unsigned char opcode;
+               if (__get_user(opcode, (unsigned char*)(regs->eip+i)))
+                       break;
+               switch (opcode) {
+               case 0x26:
+               case 0x2E:
+               case 0x36:
+               case 0x3E:
+               case 0x64:
+               case 0x65:
+               case 0x67:
+               case 0xF0:
+               case 0xF2:
+               case 0xF3:
+                       break;
+
+               case 0x66:
+                       opsize_override = 1;
+                       break;
+
+               case 0x9C: /* PUSHF */
+                       if (opsize ^ opsize_override) {
+                               __put_user(regs->eflags & 0x00FCFFFFul, (unsigned long*)(regs->esp-4));
+                               regs->esp -= 4;
+                       } else {
+                               __put_user(regs->eflags, (unsigned short*)(regs->esp-2));
+                               regs->esp -= 2;
+                       }
+                       regs->eip += i + 1;
+                       return 1;
+
+               case 0x9D: /* POPF */
+               case 0xCF: /* IRET */
+                       tsk->ptrace |= PT_PAX_KEEPTF;
+                       return 0;
+
+               default:
+                       return 0;
+               }
+       }
+       return 0;
+}
+
+static inline void pax_handle_pte(struct mm_struct *mm, unsigned long address)
+{
+       pte_t *pte;
+       pte = pax_get_pte(mm, address);
+       if (pte) {
+               set_pte(pte, pte_exprotect(*pte));
+               __flush_tlb_one(address);
+       }
+}
+
+#define PAX_SPIN_COUNT 256
+
+void pax_handle_ptes(struct task_struct *tsk)
+{
+       struct mm_struct *mm;
+
+       mm = tsk->mm;
+       spin_lock(&mm->page_table_lock);
+       switch (tsk->thread.pax_faults.count) {
+       default:
+               printk(KERN_ERR "PAX: wtf: %s:%d, %ld\n", tsk->comm, tsk->pid, tsk->thread.pax_faults.count);
+               break;
+
+       case PAX_SPIN_COUNT+4:
+               pax_handle_pte(mm, tsk->thread.pax_faults.addresses[3]);
+
+       case PAX_SPIN_COUNT+3:
+               pax_handle_pte(mm, tsk->thread.pax_faults.addresses[2]);
+
+       case PAX_SPIN_COUNT+2:
+               pax_handle_pte(mm, tsk->thread.pax_faults.addresses[1]);
+
+       case PAX_SPIN_COUNT+1:
+               pax_handle_pte(mm, tsk->thread.pax_faults.addresses[0]);
+       }
+       spin_unlock(&mm->page_table_lock);
+       tsk->thread.pax_faults.eip = 0;
+       tsk->thread.pax_faults.count = 0;
+}
+
+/*
+ * PaX: handle the extra page faults or pass it down to the original handler
+ *
+ * returns 0 when nothing special was detected
+ *         1 when sigreturn trampoline (syscall) has to be emulated
+ */
+asmlinkage int pax_do_page_fault(struct pt_regs *regs, unsigned long error_code)
+{
+       struct task_struct *tsk = current;
+       struct mm_struct *mm = current->mm;
+       unsigned long address;
+       pte_t *pte;
+       unsigned char pte_mask = _PAGE_ACCESSED | _PAGE_USER;
+       int ret;
+       unsigned long i;
+
+       __asm__("movl %%cr2,%0":"=r" (address));
+
+       /* It's safe to allow irq's after cr2 has been saved */
+       if (regs->eflags & X86_EFLAGS_IF)
+               local_irq_enable();
+
+       if ((error_code & 5) != 5 || address >= TASK_SIZE || regs->xcs != __USER_CS || (VM_MASK & regs->eflags))
+               goto chain;
+
+       /* PaX: it's our fault, let's handle it if we can */
+
+       if (error_code == 7) {
+               pte_mask |= _PAGE_DIRTY;
+       /* PaX: take a look at read faults before acquiring any locks */
+       } else if (regs->eip == address) { /* read/instruction fetch attempt from a protected page in user mode */
+               ret = pax_handle_read_fault(regs, address);
+               switch (ret) {
+               case 4:
+                       tsk->thread.pax_faults.eip = 0;
+                       tsk->thread.pax_faults.count = 0;
+                       return 0;
+
+               case 3:
+               case 2:
+                       tsk->thread.pax_faults.eip = 0;
+                       tsk->thread.pax_faults.count = 0;
+                       return 1;
+
+               default:
+               case 1: {
+                       char* buffer = (char*)__get_free_page(GFP_KERNEL);
+                       char* path=NULL;
+
+                       if (buffer) {
+                               struct vm_area_struct* vma;
+
+                               down_read(&mm->mmap_sem);
+                               vma = mm->mmap;
+                               while (vma) {
+                                       if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
+                                               break;
+                                       }
+                                       vma = vma->vm_next;
+                               }
+                               if (vma)
+                                       path = d_path(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt, buffer, PAGE_SIZE);
+                               up_read(&mm->mmap_sem);
+                       }
+                       printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, EIP: %08lX, ESP: %08lX\n", path, tsk->comm, tsk->pid, tsk->uid, tsk->euid, regs->eip, regs->esp);
+                       if (buffer) free_page((unsigned long)buffer);
+                       printk(KERN_ERR "PAX: bytes at EIP: ");
+                       for (i = 0; i < 20; i++) {
+                               unsigned char c;
+                               if (__get_user(c, (unsigned char*)(regs->eip+i))) {
+                                       printk("<invalid address>.");
+                                       break;
+                               }
+                               printk("%02x ", c);
+                       }
+                       printk("\n");
+
+                       tsk->thread.pax_faults.eip = 0;
+                       tsk->thread.pax_faults.count = 0;
+                       tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+                       regs->eflags &= ~TF_MASK;
+                       tsk->thread.cr2 = address;
+                       tsk->thread.error_code = error_code;
+                       tsk->thread.trap_no = 14;
+                       force_sig(SIGKILL,tsk);
+                       return 0;
+               }
+
+               case 0:
+               }
+       }
+
+       spin_lock(&mm->page_table_lock);
+       pte = pax_get_pte(mm, address);
+       if (!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte)) {
+               spin_unlock(&mm->page_table_lock);
+               goto chain;
+       }
+
+       if ((error_code == 7) && !pte_write(*pte)) { /* write attempt to a protected page in user mode */
+               spin_unlock(&mm->page_table_lock);
+               goto chain;
+       }
+
+       /*
+        * PaX: fill DTLB with user rights and retry
+        */
+       if (regs->eip != tsk->thread.pax_faults.eip) { /* detect DTLB trashing */
+               tsk->thread.pax_faults.eip = regs->eip;
+               tsk->thread.pax_faults.count = 0;
+
+pax_emu:
+               __asm__ __volatile__ (
+                       "orb %2,%1\n"
+                       "invlpg %0\n"
+                       "testb $0,%0\n"
+                       "xorb %3,%1\n"
+                       :
+                       : "m" (*(char*)address), "m" (*(char*)pte) , "r" (pte_mask) , "i" (_PAGE_USER)
+                       : "memory", "cc");
+               spin_unlock(&mm->page_table_lock);
+               return 0;
+       }
+
+       if (tsk->thread.pax_faults.count < PAX_SPIN_COUNT) {
+               ++tsk->thread.pax_faults.count;
+               goto pax_emu;
+       }
+       spin_unlock(&mm->page_table_lock);
+
+       if (tsk->thread.pax_faults.count == PAX_SPIN_COUNT) {
+               if (pax_handle_opcode(tsk, regs)) {
+                       tsk->thread.pax_faults.eip = 0;
+                       tsk->thread.pax_faults.count = 0;
+                       tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+                       return 0;
+               } else {
+                       ++tsk->thread.pax_faults.count;
+               }
+       }
+
+       if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+3) {
+               printk(KERN_ERR "PAX: preventing DoS: %s:%d, EIP: %08lX, ESP: %08lX\n", tsk->comm, tsk->pid, regs->eip, regs->esp);
+               printk(KERN_ERR "PAX: bytes at EIP: ");
+               for (i = 0; i < 20; i++) {
+                       unsigned char c;
+                       if (__get_user(c, (unsigned char*)(regs->eip+i))) {
+                               printk("<invalid address>.");
+                               break;
+                       }
+                       printk("%02x ", c);
+               }
+               printk("\n");
+
+               tsk->thread.pax_faults.eip = 0;
+               tsk->thread.pax_faults.count = 0;
+               tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+               regs->eflags &= ~TF_MASK;
+               tsk->thread.cr2 = address;
+               tsk->thread.error_code = error_code;
+               tsk->thread.trap_no = 14;
+               force_sig(SIGKILL,tsk);
+               return 0;
+       }
+
+       spin_lock(&mm->page_table_lock);
+       pte = pax_get_pte(mm, address);
+       if (pte) {
+               set_pte(pte, pte_mkexec(*pte));
+               __flush_tlb_one(address);
+               tsk->thread.pax_faults.addresses[tsk->thread.pax_faults.count-PAX_SPIN_COUNT-1] = address;
+               ++tsk->thread.pax_faults.count;
+       }
+       spin_unlock(&mm->page_table_lock);
+       tsk->ptrace |= PT_PAX_TRACE;
+       regs->eflags |= TF_MASK;
+
+#if 0
+       if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+1) {
+               printk(KERN_ERR "PAX: DTLB trashing, level %ld: %s:%d,"
+                               "EIP: %08lX, ESP: %08lX, cr2: %08lX\n",
+                               tsk->thread.pax_faults.count - (PAX_SPIN_COUNT+1),
+                               tsk->comm, tsk->pid, regs->eip, regs->esp, address);
+               printk(KERN_ERR "PAX: DTLB trashing, %08lX, %08lX, %08lX\n",
+                               tsk->thread.pax_faults.addresses[0],
+                               tsk->thread.pax_faults.addresses[1],
+                               tsk->thread.pax_faults.addresses[2]);
+       }
+#endif
+       return 0;
+
+chain:
+       do_page_fault(regs, error_code, address);
+       return 0;
+}
+#endif
+
diff -urN linux/arch/i386/mm/init.c linux/arch/i386/mm/init.c
--- linux/arch/i386/mm/init.c   Fri Dec 21 12:41:53 2001
+++ linux/arch/i386/mm/init.c   Sun Dec 23 19:13:16 2001
@@ -400,7 +400,11 @@
        pmd = pmd_offset(pgd, vaddr);
        pte = pte_offset(pmd, vaddr);
        old_pte = *pte;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+       *pte = mk_pte_phys(0, PAGE_READONLY_EXEC);
+#else
        *pte = mk_pte_phys(0, PAGE_READONLY);
+#endif
        local_flush_tlb();
 
        boot_cpu_data.wp_works_ok = do_test_wp_bit(vaddr);
diff -urN linux/arch/ia64/config.in linux/arch/ia64/config.in
--- linux/arch/ia64/config.in   Fri Nov  9 17:26:17 2001
+++ linux/arch/ia64/config.in   Sun Dec 23 19:13:16 2001
@@ -276,3 +276,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/m68k/config.in linux/arch/m68k/config.in
--- linux/arch/m68k/config.in   Mon Jun 11 22:15:27 2001
+++ linux/arch/m68k/config.in   Sun Dec 23 19:13:16 2001
@@ -546,3 +546,12 @@
 #bool 'Debug kmalloc/kfree' CONFIG_DEBUG_MALLOC
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/mips/config.in linux/arch/mips/config.in
--- linux/arch/mips/config.in   Mon Oct 15 16:41:34 2001
+++ linux/arch/mips/config.in   Sun Dec 23 19:13:16 2001
@@ -520,3 +520,12 @@
    bool 'Run uncached' CONFIG_MIPS_UNCACHED
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/mips64/config.in linux/arch/mips64/config.in
--- linux/arch/mips64/config.in Sun Sep  9 13:43:02 2001
+++ linux/arch/mips64/config.in Sun Dec 23 19:13:16 2001
@@ -276,3 +276,12 @@
    bool 'Run uncached' CONFIG_MIPS_UNCACHED
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/parisc/config.in linux/arch/parisc/config.in
--- linux/arch/parisc/config.in Tue Apr 17 20:19:25 2001
+++ linux/arch/parisc/config.in Sun Dec 23 19:13:16 2001
@@ -208,3 +208,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/ppc/config.in linux/arch/ppc/config.in
--- linux/arch/ppc/config.in    Fri Nov 16 13:10:08 2001
+++ linux/arch/ppc/config.in    Sun Dec 23 19:13:16 2001
@@ -393,3 +393,12 @@
 bool 'Include kgdb kernel debugger' CONFIG_KGDB
 bool 'Include xmon kernel debugger' CONFIG_XMON
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/s390/config.in linux/arch/s390/config.in
--- linux/arch/s390/config.in   Fri Nov  9 16:58:02 2001
+++ linux/arch/s390/config.in   Sun Dec 23 19:13:16 2001
@@ -73,3 +73,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/s390x/config.in linux/arch/s390x/config.in
--- linux/arch/s390x/config.in  Thu Oct 11 12:04:57 2001
+++ linux/arch/s390x/config.in  Sun Dec 23 19:13:16 2001
@@ -77,3 +77,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/sh/config.in linux/arch/sh/config.in
--- linux/arch/sh/config.in     Mon Oct 15 16:36:48 2001
+++ linux/arch/sh/config.in     Sun Dec 23 19:13:16 2001
@@ -386,3 +386,12 @@
    bool 'Early printk support' CONFIG_SH_EARLY_PRINTK
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/sparc/config.in linux/arch/sparc/config.in
--- linux/arch/sparc/config.in  Mon Jun 11 22:15:27 2001
+++ linux/arch/sparc/config.in  Sun Dec 23 19:13:16 2001
@@ -266,3 +266,12 @@
 
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/arch/sparc64/config.in linux/arch/sparc64/config.in
--- linux/arch/sparc64/config.in        Fri Dec 21 12:41:53 2001
+++ linux/arch/sparc64/config.in        Sun Dec 23 19:13:16 2001
@@ -306,3 +306,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux/drivers/char/mem.c linux/drivers/char/mem.c
--- linux/drivers/char/mem.c    Fri Dec 21 12:41:54 2001
+++ linux/drivers/char/mem.c    Sun Dec 23 19:13:16 2001
@@ -200,9 +200,21 @@
        /*
         * Don't dump addresses that are not real memory to a core file.
         */
+#ifdef CONFIG_GRKERNSEC_PAX
+       if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) {
+#else 
        if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC))
+#endif
                vma->vm_flags |= VM_IO;
 
+#ifdef CONFIG_GRKERNSEC_PAX
+               /* it turned out to be device memory (eg. video RAM), don't apply PaX */
+               if ((current->flags & PF_PAX_PAGEEXEC) &&!(vma->vm_flags & VM_EXEC)) {
+                       vma->vm_flags |= VM_EXEC | VM_MAYEXEC;
+                       vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
+               }                                                                                                          
+       }
+#endif
        if (remap_page_range(vma->vm_start, offset, vma->vm_end-vma->vm_start,
                             vma->vm_page_prot))
                return -EAGAIN;
@@ -401,8 +413,12 @@
                        count = size;
 
                zap_page_range(mm, addr, count);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               zeromap_page_range(addr, count, vma->vm_page_prot); 
+#else
                zeromap_page_range(addr, count, PAGE_COPY);
 
+#endif
                size -= count;
                buf += count;
                addr += count;
diff -urN linux/drivers/char/random.c linux/drivers/char/random.c
--- linux/drivers/char/random.c Fri Nov  9 17:01:21 2001
+++ linux/drivers/char/random.c Sun Dec 23 19:13:16 2001
@@ -260,6 +260,12 @@
 /*
  * Configuration information
  */
+#ifdef CONFIG_GRKERNSEC_RANDNET
+#include <linux/grsecurity.h>
+#define DEFAULT_POOL_SIZE_RANDNET 4096
+#define SECONDARY_POOL_SIZE_RANDNET 1024
+#define BATCH_ENTROPY_SIZE_RANDNET 2048
+#endif
 #define DEFAULT_POOL_SIZE 512
 #define SECONDARY_POOL_SIZE 128
 #define BATCH_ENTROPY_SIZE 256
@@ -387,8 +393,13 @@
 /*
  * Static global variables
  */
+#ifdef CONFIG_GRKERNSEC_RANDPID
+struct entropy_store *random_state; /* The default global store */
+struct entropy_store *sec_random_state; /* secondary store */
+#else
 static struct entropy_store *random_state; /* The default global store */
 static struct entropy_store *sec_random_state; /* secondary store */
+#endif
 static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
 static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
 
@@ -1433,11 +1444,23 @@
 {
        int i;
 
-       if (create_entropy_store(DEFAULT_POOL_SIZE, &random_state))
+       if (create_entropy_store(
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       grsec_enable_randnet?DEFAULT_POOL_SIZE_RANDNET:
+#endif
+       DEFAULT_POOL_SIZE, &random_state))
                return;         /* Error, return */
-       if (batch_entropy_init(BATCH_ENTROPY_SIZE, random_state))
+       if (batch_entropy_init(
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       grsec_enable_randnet?BATCH_ENTROPY_SIZE_RANDNET:
+#endif
+       BATCH_ENTROPY_SIZE, random_state))
                return;         /* Error, return */
-       if (create_entropy_store(SECONDARY_POOL_SIZE, &sec_random_state))
+       if (create_entropy_store(
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       grsec_enable_randnet?SECONDARY_POOL_SIZE_RANDNET:
+#endif
+       SECONDARY_POOL_SIZE, &sec_random_state))
                return;         /* Error, return */
        clear_entropy_store(random_state);
        clear_entropy_store(sec_random_state);
diff -urN linux/drivers/char/vt.c linux/drivers/char/vt.c
--- linux/drivers/char/vt.c     Fri Nov 16 13:08:28 2001
+++ linux/drivers/char/vt.c     Sun Dec 23 19:13:16 2001
@@ -37,6 +37,10 @@
 #include <asm/vc_ioctl.h>
 #endif /* CONFIG_FB_COMPAT_XPMAC */
 
+#ifdef CONFIG_GRKERNSEC_KBMAP
+#include <linux/grsecurity.h>
+#endif
+
 char vt_dont_switch;
 extern struct tty_driver console_driver;
 
@@ -177,7 +181,11 @@
                    val = (i ? K_HOLE : K_NOSUCHMAP);
                return put_user(val, &user_kbe->kb_value);
        case KDSKBENT:
+#ifdef CONFIG_GRKERNSEC_KBMAP
+               if (!perm || (grsec_enable_kbmap && !suser()))
+#else 
                if (!perm)
+#endif
                        return -EPERM;
                if (!i && v == K_NOSUCHMAP) {
                        /* disallocate map */
@@ -298,7 +306,11 @@
                        return -EFAULT;
                return ((p && *p) ? -EOVERFLOW : 0);
        case KDSKBSENT:
+#ifdef CONFIG_GRKERNSEC_KBMAP
+               if (!perm || (grsec_enable_kbmap && !suser()))
+#else 
                if (!perm)
+#endif
                        return -EPERM;
 
                q = func_table[i];
diff -urN linux/drivers/ieee1394/video1394.c linux/drivers/ieee1394/video1394.c
--- linux/drivers/ieee1394/video1394.c  Fri Dec 21 12:41:54 2001
+++ linux/drivers/ieee1394/video1394.c  Sun Dec 23 19:13:16 2001
@@ -843,7 +843,11 @@
         pos=(unsigned long) d->buf;
         while (size > 0) {
                 page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                 if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                         return -EAGAIN;
                 start+=PAGE_SIZE;
                 pos+=PAGE_SIZE;
diff -urN linux/drivers/media/video/bttv-driver.c linux/drivers/media/video/bttv-driver.c
--- linux/drivers/media/video/bttv-driver.c     Fri Dec 21 12:41:54 2001
+++ linux/drivers/media/video/bttv-driver.c     Sun Dec 23 19:13:16 2001
@@ -2052,7 +2052,11 @@
         pos=(unsigned long) btv->fbuffer;
         while (size > 0) {
                 page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                 if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                         return -EAGAIN;
                 start+=PAGE_SIZE;
                 pos+=PAGE_SIZE;
diff -urN linux/drivers/media/video/cpia.c linux/drivers/media/video/cpia.c
--- linux/drivers/media/video/cpia.c    Thu Oct 25 16:53:47 2001
+++ linux/drivers/media/video/cpia.c    Sun Dec 23 19:13:16 2001
@@ -3005,7 +3005,11 @@
        pos = (unsigned long)(cam->frame_buf);
        while (size > 0) {
                page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
                        up(&cam->busy_lock);
                        return -EAGAIN;
                }
diff -urN linux/drivers/media/video/meye.c linux/drivers/media/video/meye.c
--- linux/drivers/media/video/meye.c    Fri Dec 21 12:41:54 2001
+++ linux/drivers/media/video/meye.c    Sun Dec 23 19:13:16 2001
@@ -1263,7 +1263,11 @@
 
        while (size > 0) {
                page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
                        up(&meye.lock);
                        return -EAGAIN;
                }
diff -urN linux/drivers/media/video/planb.c linux/drivers/media/video/planb.c
--- linux/drivers/media/video/planb.c   Thu Oct 25 16:53:47 2001
+++ linux/drivers/media/video/planb.c   Sun Dec 23 19:13:16 2001
@@ -2009,7 +2009,11 @@
        }
        for (i = 0; i < pb->rawbuf_size; i++) {
                if (remap_page_range(start, virt_to_phys((void *)pb->rawbuf[i]),
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                                               PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                                                PAGE_SIZE, PAGE_SHARED))
+#endif
                        return -EAGAIN;
                start += PAGE_SIZE;
                if (size <= PAGE_SIZE)
diff -urN linux/drivers/media/video/zr36067.c linux/drivers/media/video/zr36067.c
--- linux/drivers/media/video/zr36067.c Fri Nov  9 17:01:22 2001
+++ linux/drivers/media/video/zr36067.c Sun Dec 23 19:13:16 2001
@@ -4322,7 +4322,11 @@
                                    frag_tab[2 * j];
                                page = virt_to_phys(bus_to_virt(pos));  /* should just be pos on i386 */
                                if (remap_page_range
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                                   (start, page, todo, PAGE_SHARED_EXEC)) {
+#else
                                    (start, page, todo, PAGE_SHARED)) {
+#endif
                                        printk(KERN_ERR
                                               "%s: zoran_mmap(V4L): remap_page_range failed\n",
                                               zr->name);
@@ -4363,7 +4367,11 @@
                               ("V4L remap page range %d 0x%lx %ld to 0x%lx\n",
                                i, page, todo, start));
                        if (remap_page_range
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                           (start, page, todo, PAGE_SHARED_EXEC)) {
+#else
                            (start, page, todo, PAGE_SHARED)) {
+#endif
                                printk(KERN_ERR
                                       "%s: zoran_mmap(V4L): remap_page_range failed\n",
                                       zr->name);
diff -urN linux/drivers/media/video/zr36120.c linux/drivers/media/video/zr36120.c
--- linux/drivers/media/video/zr36120.c Fri Nov  9 17:01:22 2001
+++ linux/drivers/media/video/zr36120.c Sun Dec 23 19:13:16 2001
@@ -1484,7 +1484,11 @@
        pos = (unsigned long)ztv->fbuffer;
        while (size>0) {
                unsigned long page = virt_to_phys((void*)pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                        return -EAGAIN;
                start += PAGE_SIZE;
                pos += PAGE_SIZE;
diff -urN linux/drivers/usb/ov511.c linux/drivers/usb/ov511.c
--- linux/drivers/usb/ov511.c   Fri Sep 14 17:04:07 2001
+++ linux/drivers/usb/ov511.c   Sun Dec 23 19:13:16 2001
@@ -2769,7 +2769,11 @@
        pos = (unsigned long)ov511->fbuf;
        while (size > 0) {
                page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                        return -EAGAIN;
                start += PAGE_SIZE;
                pos += PAGE_SIZE;
diff -urN linux/drivers/usb/pwc-if.c linux/drivers/usb/pwc-if.c
--- linux/drivers/usb/pwc-if.c  Fri Dec 21 12:41:55 2001
+++ linux/drivers/usb/pwc-if.c  Sun Dec 23 19:13:16 2001
@@ -1581,7 +1581,11 @@
        pos = (unsigned long)pdev->image_data;
        while (size > 0) {
                page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                        return -EAGAIN;
 
                start += PAGE_SIZE;
diff -urN linux/drivers/usb/se401.c linux/drivers/usb/se401.c
--- linux/drivers/usb/se401.c   Fri Sep 14 17:27:10 2001
+++ linux/drivers/usb/se401.c   Sun Dec 23 19:13:16 2001
@@ -1374,7 +1374,11 @@
        pos = (unsigned long)se401->fbuf;
        while (size > 0) {
                page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
                        up(&se401->lock);
                        return -EAGAIN;
                }
diff -urN linux/drivers/usb/usbvideo.c linux/drivers/usb/usbvideo.c
--- linux/drivers/usb/usbvideo.c        Thu Oct 11 02:42:46 2001
+++ linux/drivers/usb/usbvideo.c        Sun Dec 23 19:13:16 2001
@@ -1199,7 +1199,11 @@
        pos = (unsigned long) uvd->fbuf;
        while (size > 0) {
                page = usbvideo_kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                        return -EAGAIN;
 
                start += PAGE_SIZE;
diff -urN linux/fs/binfmt_aout.c linux/fs/binfmt_aout.c
--- linux/fs/binfmt_aout.c      Fri Nov  2 20:39:20 2001
+++ linux/fs/binfmt_aout.c      Sun Dec 23 19:13:16 2001
@@ -5,6 +5,7 @@
  */
 
 #include <linux/module.h>
+#include <linux/config.h>
 
 #include <linux/sched.h>
 #include <linux/kernel.h>
@@ -307,6 +308,25 @@
        current->mm->mmap = NULL;
        compute_creds(bprm);
        current->flags &= ~PF_FORKNOEXEC;
+#ifdef CONFIG_GRKERNSEC_STACK
+       if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+      if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC))
+              current->flags |= PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+      if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
+              current->flags |= PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+      if (!(N_FLAGS(ex) & F_PAX_MPROTECT))        
+              current->flags |= PF_PAX_MPROTECT;
+#endif
+
 #ifdef __sparc__
        if (N_MAGIC(ex) == NMAGIC) {
                loff_t pos = fd_offset;
@@ -393,7 +413,11 @@
 
                down_write(&current->mm->mmap_sem);
                error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                               PROT_READ | PROT_WRITE,
+#else
                                PROT_READ | PROT_WRITE | PROT_EXEC,
+#endif
                                MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
                                fd_offset + ex.a_text);
                up_write(&current->mm->mmap_sem);
diff -urN linux/fs/binfmt_elf.c linux/fs/binfmt_elf.c
--- linux/fs/binfmt_elf.c       Fri Dec 21 12:41:55 2001
+++ linux/fs/binfmt_elf.c       Sun Dec 23 19:14:37 2001
@@ -11,6 +11,7 @@
 
 #include <linux/module.h>
 
+#include <linux/config.h>
 #include <linux/fs.h>
 #include <linux/stat.h>
 #include <linux/sched.h>
@@ -33,6 +34,9 @@
 #include <linux/smp_lock.h>
 #include <linux/compiler.h>
 #include <linux/highmem.h>
+#if defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) || defined(CONFIG_GRKERNSEC_PAX)
+#include <linux/random.h>
+#endif
 
 #include <asm/uaccess.h>
 #include <asm/param.h>
@@ -73,7 +77,10 @@
 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
 
-static struct linux_binfmt elf_format = {
+#ifndef CONFIG_GRKERNSEC_STACK
+static
+#endif
+struct linux_binfmt elf_format = {
        NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
 };
 
@@ -138,6 +145,11 @@
        } else
                u_platform = p;
 
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+       if (current->flags & PF_PAX_RANDMMAP)
+               u_platform -= (current->mm->delta_stack & ~PAGE_MASK);
+#endif
+
        /*
         * Force 16 byte _final_ alignment here for generality.
         */
@@ -599,7 +611,49 @@
        current->mm->end_data = 0;
        current->mm->end_code = 0;
        current->mm->mmap = NULL;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+       current->mm->delta_mmap = 0;
+       current->mm->delta_exec = 0;
+       current->mm->delta_stack = 0;
+#endif
        current->flags &= ~PF_FORKNOEXEC;
+
+#ifdef CONFIG_GRKERNSEC_STACK
+       if (elf_ex.e_flags & EF_STACKEXEC)
+       current->flags |= PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+       if (!(elf_ex.e_flags & EF_PAX_PAGEEXEC))
+               current->flags |= PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+       if (elf_ex.e_flags & EF_PAX_EMUTRAMP)
+               current->flags |= PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+       if (!(elf_ex.e_flags & EF_PAX_MPROTECT))
+               current->flags |= PF_PAX_MPROTECT;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+       if (!(elf_ex.e_flags & EF_PAX_RANDMMAP)) {
+               unsigned short delta;
+               current->flags |= PF_PAX_RANDMMAP;
+
+               get_random_bytes(&delta, sizeof(delta));
+               current->mm->delta_mmap = (unsigned long)delta << PAGE_SHIFT;
+
+               get_random_bytes(&delta, sizeof(delta));
+               current->mm->delta_exec = (unsigned long)delta << PAGE_SHIFT;
+
+               get_random_bytes(&delta, sizeof(delta));
+               current->mm->delta_stack = (unsigned long)delta << 4;
+       }
+#endif
+
        elf_entry = (unsigned long) elf_ex.e_entry;
 
        /* Do this immediately, since STACK_TOP as used in setup_arg_pages
@@ -654,6 +708,13 @@
                           base, as well as whatever program they might try to exec.  This
                           is because the brk will follow the loader, and is not movable.  */
                        load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+                       /* PaX: randomize base address at the default exe base if requested */
+                       if (current->flags | PF_PAX_RANDMMAP) {
+                               load_bias = ELF_PAGESTART(0x08048000 - vaddr + current->mm->delta_exec);
+                       }
+#endif
+
                }
 
                error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
diff -urN linux/fs/devices.c linux/fs/devices.c
--- linux/fs/devices.c  Sat Sep 22 23:35:43 2001
+++ linux/fs/devices.c  Sun Dec 23 19:13:16 2001
@@ -162,7 +162,11 @@
  * is contain the open that then fills in the correct operations
  * depending on the special file...
  */
-static struct file_operations def_chr_fops = {
+
+#ifndef CONFIG_GRKERNSEC_FD
+static
+#endif
+struct file_operations def_chr_fops = {
        open:           chrdev_open,
 };
 
diff -urN linux/fs/exec.c linux/fs/exec.c
--- linux/fs/exec.c     Fri Dec 21 12:41:55 2001
+++ linux/fs/exec.c     Sun Dec 23 19:13:16 2001
@@ -48,6 +48,20 @@
 
 int core_uses_pid;
 
+#if defined(CONFIG_GRKERNSEC_FD) || defined(CONFIG_GRKERNSEC_EXECVE) ||\
+    defined(CONFIG_GRKERNSEC_COREDUMP)||defined(CONFIG_GRKERNSEC_TPE) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_EXECLOG) || \
+    defined(CONFIG_GRKERNSEC_EXECLOG) ||\
+    defined(CONFIG_GRKERNSEC_EXECLOG_GROUP) ||\
+    defined(CONFIG_GRKERNSEC_PTRACE) || defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
+#ifdef CONFIG_GRKERNSEC_FD
+#include <linux/major.h>
+extern struct file_operations def_chr_fops;
+#endif
+
 static struct linux_binfmt *formats;
 static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED;
 
@@ -278,7 +292,12 @@
        lru_cache_add(page);
        flush_dcache_page(page);
        flush_page_to_ram(page);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+       set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page,
+               (tsk->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC))));
+#else
        set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY))));
+#endif
        tsk->mm->rss++;
        spin_unlock(&tsk->mm->page_table_lock);
 
@@ -299,6 +318,12 @@
 
        stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
 
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+       if (current->flags & PF_PAX_RANDMMAP)
+               stack_base = PAGE_MASK & (stack_base - current->mm->delta_stack);
+
+#endif
+ 
        bprm->p += stack_base;
        if (bprm->loader)
                bprm->loader += stack_base;
@@ -312,9 +337,15 @@
        {
                mpnt->vm_mm = current->mm;
                mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+               mpnt->vm_end = stack_base + MAX_ARG_PAGES*PAGE_SIZE;
+               mpnt->vm_page_prot = (current->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC;
+               mpnt->vm_flags = (current->flags & PF_PAX_PAGEEXEC)?VM_STACK_FLAGS:(VM_STACK_FLAGS|VM_EXEC|VM_MAYEXEC);
+#else
                mpnt->vm_end = STACK_TOP;
                mpnt->vm_page_prot = PAGE_COPY;
                mpnt->vm_flags = VM_STACK_FLAGS;
+#endif
                mpnt->vm_ops = NULL;
                mpnt->vm_pgoff = 0;
                mpnt->vm_file = NULL;
@@ -473,6 +504,69 @@
        if (atomic_dec_and_test(&oldsig->count))
                kmem_cache_free(sigact_cachep, oldsig);
 }
+#ifdef CONFIG_GRKERNSEC_FD
+static inline int tweak_fd_open_null(struct linux_binprm *bprm)
+{
+       struct inode *i;
+       struct dentry *d;
+       struct file *f;
+
+       if(!(i = get_empty_inode()))
+               return -ENOMEM;
+       if(!(d = dget(d_alloc_root(i)))) {
+               iput(i);
+               return -ENOMEM;
+       }
+       if(!(f = get_empty_filp())) {
+               dput(d);
+               iput(i);
+               return -ENFILE;
+       }
+       i->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
+       i->i_uid = current->fsuid;
+       i->i_gid = current->fsgid;
+       i->i_rdev = MKDEV(MEM_MAJOR,3);
+       i->i_blksize = PAGE_SIZE;
+       i->i_blocks = 0;
+       i->i_atime = i->i_mtime = i->i_ctime = CURRENT_TIME;
+       i->i_fop = &def_chr_fops;
+       i->i_state = I_DIRTY;
+
+       f->f_flags = O_RDWR;
+       f->f_mode = FMODE_READ | FMODE_WRITE;
+       f->f_dentry = d;
+       f->f_op = i->i_fop;
+       f->f_pos = 0;
+       f->f_reada = 0;
+       f->f_op->open(i,f);
+
+       bprm->tweak_fd_null = f;
+
+       return 0;
+}
+
+static int tweak_fd_0_1_2(struct linux_binprm *bprm)
+{
+       int fd,new,retval;
+
+       for(fd=0;fd<=2;fd++) {
+               if(current->files->fd[fd]) continue;
+               if((new = get_unused_fd()) != fd) {
+                       if(new >= 0) put_unused_fd(new);
+                       return -EMFILE;
+               }
+               if(bprm->tweak_fd_null)
+                       atomic_inc(&bprm->tweak_fd_null->f_count);
+               else
+                       if((retval = tweak_fd_open_null(bprm)))
+                               return retval;
+
+               fd_install(fd,bprm->tweak_fd_null);
+               bprm->tweak_fd_mask |= 1 << fd;
+       }
+       return 0;
+}
+#endif
 
 /*
  * These functions flushes out all traces of the currently running executable
@@ -563,6 +657,25 @@
                                current->comm[i++] = ch;
        }
        current->comm[i] = '\0';
+#ifdef CONFIG_GRKERNSEC_STACK
+        current->flags &= ~PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+       current->flags &= ~PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+       current->flags &= ~PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+       current->flags &= ~PF_PAX_MPROTECT;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+       current->flags &= ~PF_PAX_RANDMMAP;
+#endif
 
        flush_thread();
 
@@ -580,6 +693,10 @@
        flush_signal_handlers(current);
        flush_old_files(current->files);
 
+#ifdef CONFIG_GRKERNSEC_FD
+        if(grsec_enable_fd && bprm->priv_change)
+               return tweak_fd_0_1_2(bprm);
+#endif
        return 0;
 
 mmap_failed:
@@ -610,6 +727,9 @@
 {
        int mode;
        struct inode * inode = bprm->file->f_dentry->d_inode;
+#ifdef CONFIG_GRKERNSEC_FD
+       if (grsec_enable_fd) bprm->priv_change = 0;
+#endif
 
        mode = inode->i_mode;
        /*
@@ -626,8 +746,16 @@
 
        if(!(bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)) {
                /* Set-uid? */
-               if (mode & S_ISUID)
-                       bprm->e_uid = inode->i_uid;
+#ifdef CONFIG_GRKERNSEC_FD
+                if (mode & S_ISUID) {
+                        bprm->e_uid = inode->i_uid;
+                        if(grsec_enable_fd && (bprm->e_uid != current->euid))
+                               bprm->priv_change = 1;
+                }
+#else
+                if (mode & S_ISUID)
+                        bprm->e_uid = inode->i_uid;
+#endif
 
                /* Set-gid? */
                /*
@@ -635,9 +763,17 @@
                 * is a candidate for mandatory locking, not a setgid
                 * executable.
                 */
-               if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
-                       bprm->e_gid = inode->i_gid;
-       }
+#ifdef CONFIG_GRKERNSEC_FD
+                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+                        bprm->e_gid = inode->i_gid;
+                        if(grsec_enable_fd && !in_group_p(bprm->e_gid))
+                               bprm->priv_change = 1;
+                }
+#else
+                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
+                        bprm->e_gid = inode->i_gid;
+#endif 
+}
 
        /* We don't have VFS support for capabilities yet */
        cap_clear(bprm->cap_inheritable);
@@ -660,7 +796,26 @@
                if (bprm->e_uid == 0) 
                        cap_set_full(bprm->cap_effective);
        }
-
+#ifdef CONFIG_GRKERNSEC_PTRACE
+       if (current->ptrace & PT_PTRACED){
+               if(current->uid && grsec_enable_ptrace
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+           && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid))
+           || !grsec_enable_ptrace_group)
+#endif
+               ) {
+                       security_alert("denied ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG,
+                               "denied ptraces", kdevname(bprm->file->f_dentry->d_inode->i_dev),
+                                bprm->file->f_dentry->d_inode->i_ino, bprm->filename, 
+                               DEFAULTSECARGS);
+                       return -EPERM;
+               }
+               security_alert("ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG,
+                       "ptraces", kdevname(bprm->file->f_dentry->d_inode->i_dev),
+                        bprm->file->f_dentry->d_inode->i_ino, bprm->filename, 
+                       DEFAULTSECARGS);
+       }
+#endif
        memset(bprm->buf,0,BINPRM_BUF_SIZE);
        return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
 }
@@ -708,6 +863,9 @@
                                                        current->cap_permitted);
                        }
                }
+#ifdef CONFIG_GRKERNSEC_FD
+            if (grsec_enable_fd) tweak_fd_0_1_2(bprm);
+#endif
                do_unlock = 1;
        }
 
@@ -859,6 +1017,20 @@
        struct file *file;
        int retval;
        int i;
+#if defined(CONFIG_GRKERNSEC_EXECLOG) || defined(CONFIG_GRKERNSEC_EXECLOG_GROUP)
+       int x;
+       char *grargs;
+       char grarg[68];
+#endif
+
+#ifdef CONFIG_GRKERNSEC_EXECVE
+       if(grsec_enable_execve && current->user)
+               if(atomic_read(&current->user->processes) > current->rlim[RLIMIT_NPROC].rlim_cur) {
+                       security_alert("Attempt to overstep process limit by " DEFAULTSECMSG,
+                                       "proc limit overstep", DEFAULTSECARGS);
+                       return -EAGAIN;
+               }
+#endif
 
        file = open_exec(filename);
 
@@ -866,6 +1038,16 @@
        if (IS_ERR(file))
                return retval;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+if( ( (gr_search(file->f_dentry,GR_EXEC,file->f_vfsmnt)) == GR_DENY) ) {
+       security_alert("denying execution of %.1024s by " DEFAULTSECMSG,
+                       "file exec attempts", filename, DEFAULTSECARGS);
+       allow_write_access(file);
+       fput(file);
+       return -EPERM;
+}
+#endif
+
        bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
        memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); 
 
@@ -886,10 +1068,111 @@
                return bprm.envc;
        }
 
+#ifdef CONFIG_GRKERNSEC_FD
+        if (grsec_enable_fd) {
+               bprm.tweak_fd_mask = 0;
+               bprm.tweak_fd_null = NULL;
+       }
+#endif
        retval = prepare_binprm(&bprm);
        if (retval < 0) 
                goto out; 
 
+
+#ifdef CONFIG_GRKERNSEC_TPE
+if (grsec_enable_tpe) {
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+if (grsec_enable_tpe_glibc) {
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+if(grsec_enable_tpe_all?current->uid:in_group_p(grsec_tpe_gid)){
+#else
+if(in_group_p(grsec_tpe_gid)){
+#endif
+               char **envpp=envp,*envpt;
+                while(*envpp){
+               envpt=*envpp;
+               if((*envpt == 'L') && (*(envpt + 1) == 'D') &&
+               (*(envpt + 2) == '_') && strchr(envpt,'=')){
+       security_alert("denied exec of %.32s by " DEFAULTSECMSG
+       "reason: malicious environment","denied execs",
+       filename, DEFAULTSECARGS);
+       dput(file->f_dentry);
+       return -EACCES;
+               }
+               *envpp=*++envpp;
+        }
+    if(!strncmp(file->f_dentry->d_name.name,"ld-2.",5) &&
+    !strncmp(file->f_dentry->d_parent->d_name.name,"lib",3)){
+       security_alert("denied exec of %.32s by " DEFAULTSECMSG
+       "reason: tried to bypass via ld","denied execs",
+       filename, DEFAULTSECARGS);
+       dput(file->f_dentry);
+       return -EACCES;
+    }
+}
+}
+#endif
+if((current->uid) &&
+   ((file->f_dentry->d_parent->d_inode->i_uid) ||
+   (!(file->f_dentry->d_parent->d_inode->i_uid) &&
+   ((file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) ||
+    (file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)))) &&
+   (in_group_p(grsec_tpe_gid))){
+       security_alert("denied exec of %.32s by " DEFAULTSECMSG
+                       "reason: untrusted","denied execs",
+                       filename, DEFAULTSECARGS);
+       dput(file->f_dentry);
+       return -EACCES;
+}
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+else if(grsec_enable_tpe_all &&
+       (current->uid) && !(((!(file->f_dentry->d_parent->d_inode->i_uid) &&
+    !(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) &&
+    !(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)) ||
+    ((file->f_dentry->d_parent->d_inode->i_uid == current->uid) &&
+    !(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) &&
+    !(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH))))){
+       security_alert("denied exec of %.32s by " DEFAULTSECMSG
+       "reason: untrusted","denied execs",
+       filename, DEFAULTSECARGS);
+       dput(file->f_dentry);
+       return -EACCES;
+}
+#endif
+}
+#endif
+
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+       if(grsec_enable_chroot_execlog && proc_is_chrooted(current)) {
+               printk(KERN_INFO "grsec: exec of %.64s within chroot "
+                      "jail (%.32s:%lu) by process " DEFAULTSECMSG "\n",
+                              filename,kdevname(current->fs->root->d_inode->i_dev),
+                              current->fs->root->d_inode->i_ino,
+                              DEFAULTSECARGS);
+               }
+#endif
+
+#if defined(CONFIG_GRKERNSEC_EXECLOG) || defined(CONFIG_GRKERNSEC_EXECLOG_GROUP)
+#ifdef CONFIG_GRKERNSEC_EXECLOG_GROUP
+       if (in_group_p(grsec_execlog_gid) && grsec_enable_execlog_group) {
+#else
+       if (grsec_enable_execlog) {
+#endif
+               for(x=0;x<sizeof(grarg);x++)
+                       grarg[x]='\0';
+               for(x=0;x<bprm.argc;x++) {
+                       if((strlen(argv[x]) + strlen(grarg) + 2) < sizeof(grarg)) {
+                               grargs=strcat(grarg,argv[x]);
+                               if(x<bprm.argc-1)
+                                       grargs=strcat(grarg," ");
+               }
+           }
+           printk(KERN_INFO "grsec: exec of [%.32s:%lu] (%.68s) by " DEFAULTSECMSG
+                       "\n", kdevname(file->f_dentry->d_inode->i_dev),
+                             file->f_dentry->d_inode->i_ino, grarg, DEFAULTSECARGS);
+       }
+#endif
+
        retval = copy_strings_kernel(1, &bprm.filename, &bprm);
        if (retval < 0) 
                goto out; 
@@ -904,9 +1187,20 @@
                goto out; 
 
        retval = search_binary_handler(&bprm,regs);
-       if (retval >= 0)
+       if (retval >= 0) {
+#ifdef CONFIG_GRKERNSEC_ACL
+               if(gr_set_proc_acl(file->f_dentry,current,filename,file->f_vfsmnt)) {
+                       security_alert("could not set acl for %ld %d",
+                       "acl set failures",
+                       file->f_dentry->d_inode->i_ino,
+                       file->f_dentry->d_inode->i_dev);
+                       goto out; 
+               }
+#endif
+
                /* execve success */
                return retval;
+       }
 
 out:
        /* Something went wrong, return the inode and free the argument pages*/
@@ -920,6 +1214,13 @@
                        __free_page(page);
        }
 
+#ifdef CONFIG_GRKERNSEC_FD
+       if(grsec_enable_fd && bprm.tweak_fd_mask) {                                            
+               for(i=0;i<=2;i++)
+                       if(bprm.tweak_fd_mask & (1 << i))
+                               (void)sys_close(i);
+       }
+#endif
        return retval;
 }
 
@@ -952,7 +1253,14 @@
                goto fail;
 
        memcpy(corename,"core.", 5);
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+       if(grsec_enable_coredump)
+              memcpy(corename+5,current->comm,sizeof(current->comm));
+       else
+              corename[4] = '\0';
+#else
        corename[4] = '\0';
+#endif
        if (core_uses_pid || atomic_read(&current->mm->mm_users) != 1)
                sprintf(&corename[4], ".%d", current->pid);
        file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW, 0600);
@@ -970,7 +1278,11 @@
                goto close_fail;
        if (!file->f_op->write)
                goto close_fail;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0)
+#else
        if (do_truncate(file->f_dentry, 0) != 0)
+#endif
                goto close_fail;
 
        retval = binfmt->core_dump(signr, regs, file);
diff -urN linux/fs/namei.c linux/fs/namei.c
--- linux/fs/namei.c    Wed Oct 17 17:46:29 2001
+++ linux/fs/namei.c    Sun Dec 23 19:13:16 2001
@@ -26,6 +26,11 @@
 #include <asm/namei.h>
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_FIFO) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_MKNOD) || defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
 /* [Feb-1997 T. Schoebel-Theuer]
@@ -342,6 +347,27 @@
                current->state = TASK_RUNNING;
                schedule();
        }
+
+#ifdef CONFIG_GRKERNSEC_LINK
+        if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) &&
+          (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+          dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid &&
+          (dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
+          current->fsuid != dentry->d_inode->i_uid) {
+          security_alert("not following symlink (%.30s/%.30s) of [%.32s]:%lu owned by %d.%d "
+                         "by " DEFAULTSECMSG,"symlinks not followed",
+                         dentry->d_parent->d_name.name,
+                         dentry->d_name.name,
+                         kdevname(dentry->d_inode->i_dev),
+                         dentry->d_inode->i_ino,
+                         dentry->d_inode->i_uid,
+                         dentry->d_inode->i_gid,
+                         DEFAULTSECARGS);
+       path_release(nd);
+        return -EACCES;
+        }
+#endif
+
        current->link_count++;
        current->total_link_count++;
        UPDATE_ATIME(dentry->d_inode);
@@ -625,6 +651,22 @@
                else if (this.len == 2 && this.name[1] == '.')
                        nd->last_type = LAST_DOTDOT;
 return_base:
+#ifdef CONFIG_GRKERNSEC_ACL
+               if(nd->dentry && !(IS_ERR(nd->dentry)))
+                       if( ( (gr_check_hidden(nd->dentry,nd->mnt)) == GR_DENY) ) {
+                               security_alert("attempt to access hidden file "
+                               "with inode %ld dev %d by " 
+                               DEFAULTSECMSG, 
+                               "hidden file access attempts",
+                               nd->dentry->d_inode->i_ino,
+                               nd->dentry->d_inode->i_dev, DEFAULTSECARGS);
+                               err =  -ENOENT; /*Fake that its not there*/
+                               dput(dentry);
+                               path_release(nd);
+                               goto return_err;
+                       }
+#endif
+
                return 0;
 out_dput:
                dput(dentry);
@@ -976,6 +1018,52 @@
        struct dentry *dentry;
        struct dentry *dir;
        int count = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+       int tmp;
+       if(flag & GR_NONEXISTANT) {
+               flag &= ~GR_NONEXISTANT;
+               if(path_init(pathname,lookup_flags(flag)|LOOKUP_PARENT,nd))
+                       error = path_walk(pathname,nd);
+               if(error) return error;
+       } else {
+               if(path_init(pathname,lookup_flags(flag),nd))
+                       error = path_walk(pathname,nd);
+               if(error) return error;
+       }
+       if( (tmp = (flag&O_ACCMODE)) > 0) {
+               if(tmp & FMODE_READ ) {
+                       if( (gr_search(nd->dentry,GR_READ,nd->mnt)) == GR_DENY) {
+                               security_alert("attempt to open %.1024s read-only "
+                               "by " DEFAULTSECMSG,    
+                               "file open attempts", pathname, DEFAULTSECARGS);
+                               error = -EPERM;
+                               goto exit;
+                       }
+               }
+               else if(flag & O_APPEND) {
+                       if( (gr_search(nd->dentry,GR_APPEND,nd->mnt)) == GR_DENY) {
+                               security_alert("attempt to open %.1024s "
+                                       "append-only by " DEFAULTSECMSG ,
+                                       "file open attempts",
+                                       pathname, DEFAULTSECARGS);
+                               error = -EPERM;
+                               goto exit;
+                       }
+               }
+               if(tmp & FMODE_WRITE && (!(flag & O_APPEND))) { /* its write*/
+                       if( ( (gr_search(nd->dentry,GR_WRITE,nd->mnt)) == GR_DENY) ) {
+                               security_alert("attempt to open %.1024s "
+                                       "for writing by " DEFAULTSECMSG,
+                                       "file open attempts",
+                                       pathname, DEFAULTSECARGS);
+                               error = -EPERM;
+                               goto exit;
+                       }
+               }
+       }
+       path_release(nd);
+#endif
+
 
        acc_mode = ACC_MODE(flag);
 
@@ -1083,6 +1171,22 @@
         * actually live on the filesystem itself, and as such you
         * can write to them even if the filesystem is read-only.
         */
+#ifdef CONFIG_GRKERNSEC_FIFO
+               if (grsec_enable_fifo &&
+                  S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) &&
+                   (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+                   inode->i_uid != dentry->d_parent->d_inode->i_uid &&
+                   current->fsuid != inode->i_uid) {
+                       if (!permission(inode, acc_mode))
+                       security_alert("denied writing FIFO (%.32s/%.32s) of %d.%d "
+                               "by " DEFAULTSECMSG,
+                               "writes into a FIFO denied",dentry->d_parent->d_name.name,dentry->d_name.name,
+                               inode->i_uid, inode->i_gid,
+                              DEFAULTSECARGS);
+                       error = -EACCES;
+                       goto exit_dput;
+               }
+#endif
        if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
                flag &= ~O_TRUNC;
        } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
@@ -1126,7 +1230,11 @@
                if (!error) {
                        DQUOT_INIT(inode);
                        
+#ifdef CONFIG_GRKERNSEC_ACL
+                       error = do_truncate(dentry,0,nd->mnt);
+#else
                        error = do_truncate(dentry, 0);
+#endif
                }
                put_write_access(inode);
                if (error)
@@ -1157,6 +1265,24 @@
         * stored in nd->last.name and we will have to putname() it when we
         * are done. Procfs-like symlinks just set LAST_BIND.
         */
+#ifdef CONFIG_GRKERNSEC_LINK
+       if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) &&
+         (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+         dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid &&
+         (dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
+         current->fsuid != dentry->d_inode->i_uid) {
+         security_alert("not following symlink (%.30s/%.30s) [%.32s]:%lu of %d.%d "
+                        "by " DEFAULTSECMSG,"symlinks not followed",
+                        dentry->d_parent->d_name.name, dentry->d_name.name, 
+                        kdevname(dentry->d_inode->i_dev), 
+                        dentry->d_inode->i_ino, dentry->d_inode->i_uid,
+                        dentry->d_inode->i_gid,
+                        DEFAULTSECARGS);
+       error = -EACCES;
+       goto exit_dput;
+       }
+#endif
+
        UPDATE_ATIME(dentry->d_inode);
        error = dentry->d_inode->i_op->follow_link(dentry, nd);
        dput(dentry);
@@ -1241,6 +1367,9 @@
        struct dentry * dentry;
        struct nameidata nd;
 
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       char grdevmode;
+#endif
        if (S_ISDIR(mode))
                return -EPERM;
        tmp = getname(filename);
@@ -1256,6 +1385,37 @@
 
        mode &= ~current->fs->umask;
        if (!IS_ERR(dentry)) {
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && proc_is_chrooted(current)) {
+               switch (mode & S_IFMT) {
+                   case S_IFREG:       grdevmode = 'r';        break;
+                   case S_IFCHR:       grdevmode = 'c';        break;
+                   case S_IFBLK:       grdevmode = 'b';        break;
+                   case S_IFSOCK:      grdevmode = 's';        break;
+                   default:            grdevmode = 'u';
+               }
+               security_alert("refused attempt to mknod(%c:%.32s) (%.30s) from chroot() jail (%s:%lu) "
+                              "owned by %d %d by " DEFAULTSECMSG, 
+                              "mknods in chroot denied",grdevmode,kdevname(dev),tmp,
+                              kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino,
+                              current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid,
+                              DEFAULTSECARGS);
+                       error = -EPERM;
+                       dput(dentry);
+                       goto out_dput;
+       }
+#endif 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY) ) {
+               security_alert("attempt to mknod %.1024s (dev %d) by "
+                               DEFAULTSECMSG, "mknod attempts", filename, dev,
+                               DEFAULTSECARGS);
+               error = -EPERM;
+               dput(dentry);
+               goto out_dput;
+       }
+#endif
+       
                switch (mode & S_IFMT) {
                case 0: case S_IFREG:
                        error = vfs_create(nd.dentry->d_inode,dentry,mode);
@@ -1271,6 +1431,7 @@
                }
                dput(dentry);
        }
+out_dput:
        up(&nd.dentry->d_inode->i_sem);
        path_release(&nd);
 out:
@@ -1323,6 +1484,18 @@
                dentry = lookup_create(&nd, 1);
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
+#ifdef CONFIG_GRKERNSEC_ACL
+                       error = 0;
+                       if( ( ((gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY))){
+                       security_alert("attempt to mkdir %.1024s by "
+                                       DEFAULTSECMSG, "mkdir attempts",
+                                       pathname,
+                                       DEFAULTSECARGS);
+                               error = -EPERM;
+                       }
+                       if(!error)
+#endif
+
                        if (!IS_POSIX_ACL(nd.dentry->d_inode))
                                mode &= ~current->fs->umask;
                        error = vsf_mkdir(nd.dentry->d_inode, dentry, mode);                    
@@ -1431,7 +1604,18 @@
        dentry = lookup_hash(&nd.last, nd.dentry);
        error = PTR_ERR(dentry);
        if (!IS_ERR(dentry)) {
-               error = vfs_rmdir(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = 0;
+               if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) {
+                       security_alert("attempt to rmdir %.1024s by "
+                                       DEFAULTSECMSG, "rmdir attempts",
+                                       pathname,
+                                       DEFAULTSECARGS);
+                       error = -EPERM;
+               }
+               if(!error)
+#endif
+                       error = vfs_rmdir(nd.dentry->d_inode, dentry);
                dput(dentry);
        }
        up(&nd.dentry->d_inode->i_sem);
@@ -1494,7 +1678,18 @@
                /* Why not before? Because we want correct error value */
                if (nd.last.name[nd.last.len])
                        goto slashes;
-               error = vfs_unlink(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = 0;
+               if( ( (gr_search(dentry,GR_WRITE, nd.mnt)) == GR_DENY)) {
+               security_alert("attempt to unlink %.1024s by " DEFAULTSECMSG,
+                               "unlink attempts",
+                               name, DEFAULTSECARGS);
+                       error = -EPERM;
+               }
+               if(!error)
+#endif
+
+                       error = vfs_unlink(nd.dentry->d_inode, dentry);
        exit2:
                dput(dentry);
        }
@@ -1559,7 +1754,20 @@
                dentry = lookup_create(&nd, 0);
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
-                       error = vfs_symlink(nd.dentry->d_inode, dentry, from);
+#ifdef CONFIG_GRKERNSEC_ACL
+                       error = 0;
+                       if( gr_search(nd.dentry,GR_WRITE,nd.mnt) == GR_DENY)
+                       {
+                               security_alert("attempt to symlink %.1024s"
+                                          "to %.1024s by " DEFAULTSECMSG,
+                                          "symlink attempts",
+                                       from, to, DEFAULTSECARGS);
+                               error = -EPERM;
+                       }
+
+                       if(!error)      
+#endif
+                               error = vfs_symlink(nd.dentry->d_inode, dentry, from);
                        dput(dentry);
                }
                up(&nd.dentry->d_inode->i_sem);
@@ -1650,6 +1858,35 @@
                new_dentry = lookup_create(&nd, 0);
                error = PTR_ERR(new_dentry);
                if (!IS_ERR(new_dentry)) {
+#ifdef CONFIG_GRKERNSEC_LINK
+                       if(grsec_enable_link) {
+                               error = -EPERM;
+                               if(current->fsuid != old_nd.dentry->d_inode->i_uid &&
+                                 (!S_ISREG(old_nd.dentry->d_inode->i_mode) ||
+                                 (old_nd.dentry->d_inode->i_mode & S_ISUID) ||
+                                 ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == 
+                                 (S_ISGID | S_IXGRP)) || (error = permission(old_nd.dentry->d_inode,
+                                 MAY_READ | MAY_WRITE))) && !capable(CAP_FOWNER) 
+                                 && current->uid) {
+                                       security_alert("denied hardlink of %.30s (owned by %d.%d) to %.30s for "
+                                                       DEFAULTSECMSG, "denied hardlinks",oldname,old_nd.dentry->d_inode->i_uid,
+                                                       old_nd.dentry->d_inode->i_gid,newname,DEFAULTSECARGS);
+                                       dput(new_dentry);
+                                       goto out_release;
+                               }
+                       }
+#endif 
+#ifdef CONFIG_GRKERNSEC_ACL
+                       error = 0;
+                       if( gr_search(old_nd.dentry,GR_WRITE,old_nd.mnt) == GR_DENY || gr_search(nd.dentry,GR_WRITE,nd.mnt) == GR_DENY) {
+                               security_alert("attempt to link %.1024s to %.1024s by " 
+                                       DEFAULTSECMSG, "attempted links", oldname, newname,
+                                       DEFAULTSECARGS);
+                               error = -EPERM;
+                       }
+                       if(!error)
+#endif
+
                        error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
                        dput(new_dentry);
                }
@@ -1887,11 +2124,26 @@
        error = PTR_ERR(new_dentry);
        if (IS_ERR(new_dentry))
                goto exit4;
+#ifdef CONFIG_GRKERNSEC_ACL
+       error = 0;
+       if( gr_search(old_dir,GR_WRITE,oldnd.mnt) == GR_DENY || gr_search(new_dir,GR_WRITE,newnd.mnt) == GR_DENY) {
+               security_alert("attempt to rename %.1024s to %.1024s by " 
+                                DEFAULTSECMSG, "rename attempts", 
+                               oldname, newname,
+                               DEFAULTSECARGS);
+               error = -EPERM;
+       }
+       if(!error) {
+#endif
+
 
        lock_kernel();
        error = vfs_rename(old_dir->d_inode, old_dentry,
                                   new_dir->d_inode, new_dentry);
        unlock_kernel();
+#ifdef CONFIG_GRKERNSEC_ACL
+       }
+#endif
 
        dput(new_dentry);
 exit4:
diff -urN linux/fs/namespace.c linux/fs/namespace.c
--- linux/fs/namespace.c        Fri Dec 21 12:41:55 2001
+++ linux/fs/namespace.c        Sun Dec 23 19:13:16 2001
@@ -16,6 +16,10 @@
 #include <linux/acct.h>
 #include <linux/module.h>
 #include <linux/devfs_fs_kernel.h>
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#endif
 
 #include <asm/uaccess.h>
 
@@ -673,6 +677,20 @@
                retval = path_walk(dir_name, &nd);
        if (retval)
                return retval;
+
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+      if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
+                security_alert("denied attempt to mount (%.30s) as %.64s from chroot jail (%.32s:%lu) "
+                "of %d.%d by " DEFAULTSECMSG, "denied mounts in chroot",
+               dev_name,dir_name, kdevname(current->fs->root->d_inode->i_dev),
+              current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+              current->fs->root->d_inode->i_gid, DEFAULTSECARGS);
+                       retval = -EPERM;
+                       path_release(&nd);
+                       return retval;
+      }
+#endif
+
 
        if (flags & MS_REMOUNT)
                retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
diff -urN linux/fs/open.c linux/fs/open.c
--- linux/fs/open.c     Fri Oct 12 16:48:42 2001
+++ linux/fs/open.c     Sun Dec 23 19:13:16 2001
@@ -18,8 +18,31 @@
 
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE)||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CAPS) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CHMOD) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CHDIR) ||\
+    defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
+
 #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m))
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static int conv_flags(int p) {
+       int retval = LOOKUP_FOLLOW;
+       if(p & O_NOFOLLOW)
+               retval &= ~LOOKUP_FOLLOW;
+       if( (p & (O_CREAT|O_EXCL)) == (O_CREAT | O_EXCL))
+               retval &= ~LOOKUP_FOLLOW;
+       if(p & O_DIRECTORY)
+               retval |= LOOKUP_DIRECTORY;
+       return retval;
+}
+#endif
+
+
 int vfs_statfs(struct super_block *sb, struct statfs *buf)
 {
        int retval = -ENODEV;
@@ -71,7 +94,11 @@
        return error;
 }
 
+#ifdef CONFIG_GRKERNSEC_ACL
+int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt)
+#else
 int do_truncate(struct dentry *dentry, loff_t length)
+#endif
 {
        struct inode *inode = dentry->d_inode;
        int error;
@@ -81,6 +108,17 @@
        if (length < 0)
                return -EINVAL;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(dentry,GR_WRITE,mnt)) == GR_DENY)) {
+               security_alert("attempted to truncate file with inode %ld dev "
+                       "%d by " DEFAULTSECMSG, "file truncate attempts",
+                       dentry->d_inode->i_ino,
+                       dentry->d_inode->i_dev, DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+
+
        down(&inode->i_sem);
        newattrs.ia_size = length;
        newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
@@ -139,7 +177,11 @@
        error = locks_verify_truncate(inode, NULL, length);
        if (!error) {
                DQUOT_INIT(inode);
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = do_truncate(nd.dentry, length, nd.mnt);
+#else
                error = do_truncate(nd.dentry, length);
+#endif
        }
        put_write_access(inode);
 
@@ -191,7 +233,11 @@
 
        error = locks_verify_truncate(inode, file, length);
        if (!error)
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = do_truncate(dentry, length, file->f_vfsmnt);
+#else
                error = do_truncate(dentry, length);
+#endif
 out_putf:
        fput(file);
 out:
@@ -245,6 +291,19 @@
        if (IS_RDONLY(inode))
                goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) {
+               security_alert("attempted to change access time for file"  
+                               "with inode %ld dev %d by " DEFAULTSECMSG,
+                       "file access time change attempts",
+                               nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+              error = -EPERM;
+              goto dput_and_out;
+       }
+#endif
+
+
        /* Don't worry, the checks are done in inode_change_ok() */
        newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
        if (times) {
@@ -290,6 +349,19 @@
        if (IS_RDONLY(inode))
                goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) {
+               security_alert("attempted to change access time for file with"
+                       "inode %ld dev %d by " DEFAULTSECMSG,
+                       "file access time change attempts",
+                               nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+                error = -EPERM;
+               goto dput_and_out;
+       }
+#endif
+
+
        /* Don't worry, the checks are done in inode_change_ok() */
        newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
        if (utimes) {
@@ -341,6 +413,17 @@
 
        res = user_path_walk(filename, &nd);
        if (!res) {
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) {
+               security_alert("attempted to access file with inode %ld dev "
+                               "%d by " DEFAULTSECMSG, "file access attempts",
+                       nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+               path_release(&nd);
+               return -EPERM;
+       }
+#endif
+
                res = permission(nd.dentry->d_inode, mode);
                /* SuS v2 requires we report a read only fs too */
                if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
@@ -378,6 +461,17 @@
        if (error)
                goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_READ,nd.mnt)) == GR_DENY)) {
+               security_alert("Attempted to chdir to directory with inode %ld dev "
+                               "%d by " DEFAULTSECMSG, "chdir attempts",
+                       nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+               error = -EPERM;
+               goto dput_and_out;
+       }
+#endif
+
        set_fs_pwd(current->fs, nd.mnt, nd.dentry);
 
 dput_and_out:
@@ -408,6 +502,17 @@
                goto out_putf;
 
        error = permission(inode, MAY_EXEC);
+
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(file->f_dentry,GR_WRITE,file->f_vfsmnt)) == GR_DENY)) {
+               security_alert("attempted to truncate file with inode %ld dev "
+                               "%d by " DEFAULTSECMSG, "file truncate attempts",
+                       file->f_dentry->d_inode->i_ino,
+                        file->f_dentry->d_inode->i_dev, DEFAULTSECARGS);
+               error = -EPERM;
+       }
+#endif
+
        if (!error)
                set_fs_pwd(current->fs, mnt, dentry);
 out_putf:
@@ -441,9 +546,39 @@
        error = -EPERM;
        if (!capable(CAP_SYS_CHROOT))
                goto dput_and_out;
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+       if(grsec_enable_chroot_double && proc_is_chrooted(current)) {
+               security_alert("denied attempt to chroot() from (%.32s:%lu) to (%.30s)"
+                              ", process " DEFAULTSECMSG,
+                              "double chroot() denied",
+                              kdevname(current->fs->root->d_inode->i_dev),
+                              current->fs->root->d_inode->i_ino,name,
+                              DEFAULTSECARGS);
+                       goto dput_and_out;
+       }
+#endif 
 
        set_fs_root(current->fs, nd.mnt, nd.dentry);
        set_fs_altroot();
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       if(grsec_enable_chroot_caps && current->pid && current->pid > 1) {
+           cap_lower(current->cap_permitted,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE &
+                     CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+                     CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME &
+                     CAP_SYS_TTY_CONFIG);
+           cap_lower(current->cap_inheritable,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE &
+                     CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+                     CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME &
+                     CAP_SYS_TTY_CONFIG);
+           cap_lower(current->cap_effective,CAP_FOWNER & CAP_SETPCAP & CAP_LINUX_IMMUTABLE &
+                     CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+                     CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_RESOURCE & CAP_SYS_TIME &
+                     CAP_SYS_TTY_CONFIG);
+       }
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+       if (grsec_enable_chroot_chdir) set_fs_pwd(current->fs, nd.mnt, nd.dentry);
+#endif
        error = 0;
 dput_and_out:
        path_release(&nd);
@@ -472,8 +607,36 @@
        err = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto out_putf;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(dentry,GR_WRITE,file->f_vfsmnt)) == GR_DENY)) {
+               security_alert("Attempt to fchmod program with inode %ld dev %d "
+                       "by " DEFAULTSECMSG, "fchmod attempts",
+                       dentry->d_inode->i_ino,
+                        dentry->d_inode->i_dev, DEFAULTSECARGS);
+
+               err = -EPERM;
+               goto out_putf;
+       }
+#endif
+
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       if(grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID))
+          && proc_is_chrooted(current)) {
+           security_alert("denied attempt to fchmod +s (%.32s:%lu) owned by %d.%d to mode 0%07o "
+                          "from chroot jail (%.32s:%lu) of %d.%d by "
+                          DEFAULTSECMSG,
+                          "denied fchmod +s in chroot",
+                          kdevname(inode->i_dev),inode->i_ino,inode->i_uid,inode->i_gid,mode,
+                          kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino,
+                          current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid,
+                          DEFAULTSECARGS);
+               err = -EPERM;
+               goto out_putf;
+       }           
+#endif
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        err = notify_change(dentry, &newattrs);
@@ -504,8 +667,34 @@
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) {
+               security_alert("Attempt to chmod file %1024s by "
+                               DEFAULTSECMSG, "chmod attempts",
+                               filename, DEFAULTSECARGS); 
+               error = -EPERM;
+               goto dput_and_out;
+       }
+#endif
+
+
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       if (grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID))
+           && proc_is_chrooted(current)) {
+           security_alert("denied attempt to chmod +s (%.32s:%lu) (%.30s) owned by %d.%d to mode 0%07o "
+                          "from chroot jail (%.32s:%lu) of %d.%d by "
+                          DEFAULTSECMSG,"denied chmod +s in chroot",
+                          kdevname(inode->i_dev),inode->i_ino,filename,inode->i_uid,inode->i_gid,
+                          mode,kdevname(current->fs->root->d_inode->i_dev),
+                          current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+                          current->fs->root->d_inode->i_gid,
+                          DEFAULTSECARGS);
+                   error = -EPERM;
+                   goto dput_and_out;
+       }
+#endif
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(nd.dentry, &newattrs);
@@ -516,7 +705,11 @@
        return error;
 }
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
+#else
 static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+#endif
 {
        struct inode * inode;
        int error;
@@ -533,6 +726,17 @@
        error = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto out;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search(dentry,GR_WRITE,mnt)) == GR_DENY)) {
+               security_alert("Attempt to chown file with inode %ld dev %d "
+                       "to %d.%d by " DEFAULTSECMSG, "chown attempts",
+                       dentry->d_inode->i_ino,dentry->d_inode->i_dev,
+                       user, group, DEFAULTSECARGS);
+               error = -EPERM;
+               goto out;
+       }
+#endif
+
        if (user == (uid_t) -1)
                user = inode->i_uid;
        if (group == (gid_t) -1)
@@ -583,7 +787,11 @@
 
        error = user_path_walk(filename, &nd);
        if (!error) {
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = chown_common(nd.dentry, user, group, nd.mnt);
+#else
                error = chown_common(nd.dentry, user, group);
+#endif
                path_release(&nd);
        }
        return error;
@@ -596,7 +804,11 @@
 
        error = user_path_walk_link(filename, &nd);
        if (!error) {
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = chown_common(nd.dentry, user, group, nd.mnt);
+#else
                error = chown_common(nd.dentry, user, group);
+#endif
                path_release(&nd);
        }
        return error;
@@ -610,7 +822,11 @@
 
        file = fget(fd);
        if (file) {
+#ifdef CONFIG_GRKERNSEC_ACL
+               error = chown_common(file->f_dentry, user, group, file->f_vfsmnt);
+#else
                error = chown_common(file->f_dentry, user, group);
+#endif
                fput(file);
        }
        return error;
@@ -634,12 +850,41 @@
 {
        int namei_flags, error;
        struct nameidata nd;
+#ifdef CONFIG_GRKERNSEC_ACL
+       struct nameidata obv;
+#endif
 
        namei_flags = flags;
        if ((namei_flags+1) & O_ACCMODE)
                namei_flags++;
        if (namei_flags & O_TRUNC)
                namei_flags |= 2;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+       error = 0;
+       if(path_init(filename,conv_flags(namei_flags),&obv))
+               error = path_walk(filename,&obv);
+       if(error) goto out;
+       if(!obv.dentry->d_inode) 
+               flags |= GR_NONEXISTANT;
+       else 
+               if(S_ISBLK(obv.dentry->d_inode->i_mode) && !capable(CAP_SYS_RAWIO)) {
+                       security_alert("Attempt to block device %ld %d with "
+                               "insuffificent capabilities by process "
+                               DEFAULTSECMSG,
+                               "attempt to access block devices",
+                               obv.dentry->d_inode->i_ino,
+                               obv.dentry->d_inode->i_dev, DEFAULTSECARGS);
+                       path_release(&obv);
+                       error = -EPERM;
+                       return ERR_PTR(error);
+               }
+
+       path_release(&obv);
+out:
+
+#endif
+
 
        error = open_namei(filename, namei_flags, mode, &nd);
        if (!error)
diff -urN linux/fs/proc/base.c linux/fs/proc/base.c
--- linux/fs/proc/base.c        Thu Oct 11 02:42:47 2001
+++ linux/fs/proc/base.c        Sun Dec 23 19:13:16 2001
@@ -24,6 +24,10 @@
 #include <linux/file.h>
 #include <linux/string.h>
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * For hysterical raisins we keep the same inumbers as in the old procfs.
  * Feel free to change the macro below - just keep the range distinct from
@@ -663,7 +667,11 @@
        inode->i_gid = 0;
        if (ino == PROC_PID_INO || task_dumpable(task)) {
                inode->i_uid = task->euid;
+#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
                inode->i_gid = task->egid;
+#else
+               inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#endif
        }
 
 out:
@@ -966,13 +974,27 @@
        if (!task)
                goto out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+               if(gr_check_hidden_proc(task->acl)) {
+                       free_task_struct(task);
+                       goto out;
+               }
+#endif
+
+
        inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
        free_task_struct(task);
 
        if (!inode)
                goto out;
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
+#else
        inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
        inode->i_op = &proc_base_inode_operations;
        inode->i_fop = &proc_base_operations;
        inode->i_nlink = 3;
@@ -1012,8 +1034,13 @@
                int pid = p->pid;
                if (!pid)
                        continue;
+#ifdef CONFIG_GRKERNSEC_ACL
+                       if(gr_check_hidden_proc(p->acl)) 
+                               continue;
+#endif
                if (--index >= 0)
                        continue;
+
                pids[nr_pids] = pid;
                nr_pids++;
                if (nr_pids >= PROC_MAXPIDS)
diff -urN linux/fs/proc/generic.c linux/fs/proc/generic.c
--- linux/fs/proc/generic.c     Fri Sep  7 13:53:59 2001
+++ linux/fs/proc/generic.c     Sun Dec 23 19:13:16 2001
@@ -491,6 +491,22 @@
        return ent;
 }
 
+#ifdef CONFIG_GRKERNSEC_PROC
+struct proc_dir_entry *proc_priv_mkdir(const char *name, mode_t mode, struct proc_dir_entry *parent)
+{
+       struct proc_dir_entry *ent;
+
+       ent = proc_create(&parent, name, mode, 2);
+       if (ent) {
+               ent->proc_fops = &proc_dir_operations;
+               ent->proc_iops = &proc_dir_inode_operations;
+
+               proc_register(parent, ent);
+       }
+       return ent;
+}
+#endif
+
 struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode,
                                         struct proc_dir_entry *parent)
 {
diff -urN linux/fs/proc/inode.c linux/fs/proc/inode.c
--- linux/fs/proc/inode.c       Sat Nov 17 14:24:32 2001
+++ linux/fs/proc/inode.c       Sun Dec 23 19:13:16 2001
@@ -152,7 +152,11 @@
                if (de->mode) {
                        inode->i_mode = de->mode;
                        inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
                        inode->i_gid = de->gid;
+#endif
                }
                if (de->size)
                        inode->i_size = de->size;
diff -urN linux/fs/proc/proc_misc.c linux/fs/proc/proc_misc.c
--- linux/fs/proc/proc_misc.c   Wed Nov 21 00:29:09 2001
+++ linux/fs/proc/proc_misc.c   Sun Dec 23 19:13:16 2001
@@ -507,8 +507,10 @@
                {"meminfo",     meminfo_read_proc},
                {"version",     version_read_proc},
 #ifdef CONFIG_MODULES
+#ifndef CONFIG_GRKERNSEC_PROC
                {"modules",     modules_read_proc},
 #endif
+#endif
                {"stat",        kstat_read_proc},
                {"devices",     devices_read_proc},
                {"partitions",  partitions_read_proc},
@@ -531,6 +533,13 @@
        for (p = simple_ones; p->name; p++)
                create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#if defined(CONFIG_GRKERNSEC_PROC) && defined(CONFIG_MODULES)
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       create_proc_read_entry("modules", S_IRUSR, NULL, &modules_read_proc, NULL);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       create_proc_read_entry("modules", S_IRUSR | S_IRGRP, NULL, &modules_read_proc, NULL);
+#endif
+#endif
        /* And now for trickier ones */
        entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
        if (entry)
@@ -538,7 +547,13 @@
        create_seq_entry("mounts", 0, &proc_mounts_operations);
        create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
 #ifdef CONFIG_MODULES
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       create_seq_entry("ksyms", S_IRUSR, &proc_ksyms_operations);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       create_seq_entry("ksyms", S_IRUSR | S_IRGRP, &proc_ksyms_operations);
+#else
        create_seq_entry("ksyms", 0, &proc_ksyms_operations);
+#endif
 #endif
        proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
        if (proc_root_kcore) {
diff -urN linux/fs/proc/proc_tty.c linux/fs/proc/proc_tty.c
--- linux/fs/proc/proc_tty.c    Fri Apr 21 18:17:57 2000
+++ linux/fs/proc/proc_tty.c    Sun Dec 23 19:13:16 2001
@@ -174,7 +174,13 @@
        if (!proc_mkdir("tty", 0))
                return;
        proc_tty_ldisc = proc_mkdir("tty/ldisc", 0);
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
        proc_tty_driver = proc_mkdir("tty/driver", 0);
+#endif
 
        create_proc_read_entry("tty/ldiscs", 0, 0, tty_ldiscs_read_proc,NULL);
        create_proc_read_entry("tty/drivers", 0, 0, tty_drivers_read_proc,NULL);
diff -urN linux/fs/proc/root.c linux/fs/proc/root.c
--- linux/fs/proc/root.c        Sat Oct 20 22:14:42 2001
+++ linux/fs/proc/root.c        Sun Dec 23 19:13:16 2001
@@ -37,13 +37,25 @@
                return;
        }
        proc_misc_init();
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
        proc_net = proc_mkdir("net", 0);
+#endif
 #ifdef CONFIG_SYSVIPC
        proc_mkdir("sysvipc", 0);
 #endif
 #ifdef CONFIG_SYSCTL
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
        proc_sys_root = proc_mkdir("sys", 0);
 #endif
+#endif
 #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
        proc_mkdir("sys/fs", 0);
        proc_mkdir("sys/fs/binfmt_misc", 0);
@@ -132,6 +144,9 @@
 EXPORT_SYMBOL(proc_symlink);
 EXPORT_SYMBOL(proc_mknod);
 EXPORT_SYMBOL(proc_mkdir);
+#ifdef CONFIG_GRKERNSEC_PROC
+EXPORT_SYMBOL(proc_priv_mkdir);
+#endif
 EXPORT_SYMBOL(create_proc_entry);
 EXPORT_SYMBOL(remove_proc_entry);
 EXPORT_SYMBOL(proc_root);
diff -urN linux/fs/readdir.c linux/fs/readdir.c
--- linux/fs/readdir.c  Sun Aug 12 17:59:08 2001
+++ linux/fs/readdir.c  Sun Dec 23 19:13:16 2001
@@ -13,6 +13,10 @@
 
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
 int vfs_readdir(struct file *file, filldir_t filler, void *buf)
 {
        struct inode *inode = file->f_dentry->d_inode;
@@ -120,6 +124,10 @@
 struct readdir_callback {
        struct old_linux_dirent * dirent;
        int count;
+#ifdef CONFIG_GRKERNSEC_ACL
+       struct dentry *dentry;
+       struct vfsmount *mnt;
+#endif
 };
 
 static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -127,9 +135,27 @@
 {
        struct readdir_callback * buf = (struct readdir_callback *) __buf;
        struct old_linux_dirent * dirent;
+#ifdef CONFIG_GRKERNSEC_ACL
+       ino_t old_ino;
+#endif
 
        if (buf->count)
                return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if(buf->dentry && buf->dentry->d_inode) {
+               old_ino = buf->dentry->d_inode->i_ino;
+               buf->dentry->d_inode->i_ino = ino;
+#ifdef CONFIG_GR_DEBUG
+               printk("Guess what: %ld %d is about to get a readdir check\n",buf->dentry->d_inode->i_ino,buf->dentry->d_inode->i_dev);
+#endif
+       if( gr_check_hidden(buf->dentry,buf->mnt) == GR_DENY) {
+               buf->dentry->d_inode->i_ino = old_ino;
+               return 0;
+       }
+       buf->dentry->d_inode->i_ino = ino;
+       }
+#endif
+           
        buf->count++;
        dirent = buf->dirent;
        put_user(ino, &dirent->d_ino);
@@ -153,6 +179,10 @@
 
        buf.count = 0;
        buf.dirent = dirent;
+#ifdef CONFIG_GRKERNSEC_ACL
+       buf.dentry = file->f_dentry;
+       buf.mnt = file->f_vfsmnt;
+#endif
 
        error = vfs_readdir(file, fillonedir, &buf);
        if (error >= 0)
@@ -181,6 +211,10 @@
        struct linux_dirent * previous;
        int count;
        int error;
+#ifdef CONFIG_GRKERNSEC_ACL
+       struct dentry *dentry;
+       struct vfsmount *mnt;
+#endif
 };
 
 static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -189,10 +223,27 @@
        struct linux_dirent * dirent;
        struct getdents_callback * buf = (struct getdents_callback *) __buf;
        int reclen = ROUND_UP(NAME_OFFSET(dirent) + namlen + 1);
+#ifdef CONFIG_GRKERNSEC_ACL
+       ino_t old_ino;
+#endif
 
        buf->error = -EINVAL;   /* only used if we fail.. */
        if (reclen > buf->count)
                return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if(buf->dentry && buf->dentry->d_inode) {
+               old_ino = buf->dentry->d_inode->i_ino;
+               buf->dentry->d_inode->i_ino = ino;
+#ifdef CONFIG_GR_DEBUG
+               printk("Guess what: %ld %d is about to get a readdir check\n",buf->dentry->d_inode->i_ino,buf->dentry->d_inode->i_dev);
+#endif
+       if( gr_check_hidden(buf->dentry,buf->mnt) == GR_DENY) {
+               buf->dentry->d_inode->i_ino = old_ino;
+               return 0;
+       }
+       buf->dentry->d_inode->i_ino = old_ino;
+       }
+#endif
        dirent = buf->previous;
        if (dirent)
                put_user(offset, &dirent->d_off);
@@ -224,6 +275,10 @@
        buf.previous = NULL;
        buf.count = count;
        buf.error = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+       buf.dentry = file->f_dentry;
+       buf.mnt = file->f_vfsmnt;
+#endif
 
        error = vfs_readdir(file, filldir, &buf);
        if (error < 0)
@@ -259,6 +314,10 @@
        struct linux_dirent64 * previous;
        int count;
        int error;
+#ifdef CONFIG_GRKERNSEC_ACL
+       struct dentry *dentry;
+       struct vfsmount *mnt;
+#endif
 };
 
 static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
@@ -268,9 +327,26 @@
        struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf;
        int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1);
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       ino_t old_ino;
+#endif
        buf->error = -EINVAL;   /* only used if we fail.. */
        if (reclen > buf->count)
                return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if(buf->dentry && buf->dentry->d_inode) {
+               old_ino = buf->dentry->d_inode->i_ino;
+               buf->dentry->d_inode->i_ino = ino;
+               if((gr_check_hidden(buf->dentry,buf->mnt)) == GR_DENY) {
+                       buf->dentry->d_inode->i_ino = old_ino;
+                       return 0;
+               }
+               buf->dentry->d_inode->i_ino = old_ino;
+       }
+#endif
+
+
+       
        dirent = buf->previous;
        if (dirent) {
                d.d_off = offset;
@@ -307,6 +383,11 @@
        buf.previous = NULL;
        buf.count = count;
        buf.error = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+       buf.mnt = file->f_vfsmnt;
+       buf.dentry = file->f_dentry;
+#endif
+
 
        error = vfs_readdir(file, filldir64, &buf);
        if (error < 0)
diff -urN linux/grsecurity/Config.in linux/grsecurity/Config.in
--- linux/grsecurity/Config.in  Wed Dec 31 19:00:00 1969
+++ linux/grsecurity/Config.in  Sun Dec 23 19:13:16 2001
@@ -0,0 +1,170 @@
+mainmenu_option next_comment
+comment 'Buffer Overflow Protection'
+if [ "$CONFIG_X86" != "n" ]; then
+if [ "$CONFIG_GRKERNSEC_PAX" != "y" ]; then
+bool 'Openwall non-executable stack' CONFIG_GRKERNSEC_STACK
+if [ "$CONFIG_GRKERNSEC_STACK" != "n" ]; then
+bool '   Gcc trampoline support' CONFIG_GRKERNSEC_STACK_GCC
+fi
+fi
+if [ "$CONFIG_GRKERNSEC_STACK" != "y" ]; then
+bool 'PaX protection' CONFIG_GRKERNSEC_PAX
+if [ "$CONFIG_GRKERNSEC_PAX" = "y" ]; then
+  bool '   Emulate trampolines' CONFIG_GRKERNSEC_PAX_EMUTRAMP
+  bool '   Restrict mprotect()' CONFIG_GRKERNSEC_PAX_MPROTECT
+fi
+  bool 'Randomize mmap() base' CONFIG_GRKERNSEC_PAX_RANDMMAP
+fi
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Access Control Lists'
+bool 'Enable grsecurity ACL system' CONFIG_GRKERNSEC_ACL
+if [ "$CONFIG_GRKERNSEC_ACL" = "y" ]; then
+   int 'Maximum Number of Rulesets for Files, Processes' CONFIG_GR_MAX_RULESET 256
+   int 'Seconds in between log messages(minimum)' CONFIG_GR_FLOODTIME 3
+   choice 'Default ruleset for programs without acls' \
+   "Deny CONFIG_GR_DEF_DENY \
+    Allow CONFIG_GR_DEF_ALLOW \
+    Deny_if_running_as_root CONFIG_GR_DEF_DENY_ROOT " Allow
+   bool 'Enable ACL Debugging Messages' CONFIG_GR_DEBUG
+   string 'Path to gradm' CONFIG_GRADM_PATH "/sbin/gradm"
+   int 'Maximum tries before password lockout' CONFIG_GR_MAXTRIES 3
+   int 'Time to wait after max password tries, in seconds' CONFIG_GR_TIMEOUT 30
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Filesystem Protections'
+bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC
+if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then
+bool '   Restrict to user only' CONFIG_GRKERNSEC_PROC_USER
+if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then
+bool '   Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP
+if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then
+int  '   GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001
+fi
+fi
+fi
+bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK
+bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO
+bool 'Secure file descriptors' CONFIG_GRKERNSEC_FD
+bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT
+if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then
+bool '   Restricted signals' CONFIG_GRKERNSEC_CHROOT_SIG
+bool '   Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT
+bool '   Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE
+bool '   Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR
+bool '   Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD
+bool '   Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD
+bool '   Deny ptraces' CONFIG_GRKERNSEC_CHROOT_PTRACE
+bool '   Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE
+fi
+bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG
+bool 'Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS
+bool 'Secure keymap loading' CONFIG_GRKERNSEC_KBMAP
+endmenu
+mainmenu_option next_comment
+comment 'Security Logging'
+if [ "$CONFIG_GRKERNSEC_EXECLOG_GROUP" != "y" ]; then
+bool 'Exec logging for all users' CONFIG_GRKERNSEC_EXECLOG
+fi
+if [ "$CONFIG_GRKERNSEC_EXECLOG" != "y" ]; then
+bool 'Exec logging for a single group' CONFIG_GRKERNSEC_EXECLOG_GROUP
+if [ "$CONFIG_GRKERNSEC_EXECLOG_GROUP" != "n" ]; then
+int  '   GID of logged execs' CONFIG_GRKERNSEC_EXECLOG_GID 1007
+fi
+fi
+if [ "$CONFIG_GRKERNSEC_SUID_ROOT" != "y" ]; then
+bool 'Set*id logging for all users' CONFIG_GRKERNSEC_SUID
+fi
+if [ "$CONFIG_GRKERNSEC_SUID" != "y" ]; then
+bool 'Set*id logging for root' CONFIG_GRKERNSEC_SUID_ROOT
+fi
+bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL
+bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL
+bool 'Time change logging' CONFIG_GRKERNSEC_TIME
+endmenu
+mainmenu_option next_comment
+comment 'Executable Protections'
+bool 'Exec process limiting' CONFIG_GRKERNSEC_EXECVE
+bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID
+bool 'Altered default IPC permissions' CONFIG_GRKERNSEC_IPC
+bool 'Limit uid/gid changes to root' CONFIG_GRKERNSEC_TTYROOT
+if [ "$CONFIG_GRKERNSEC_TTYROOT" != "n" ]; then
+bool '  Deny physical consoles (tty)' CONFIG_GRKERNSEC_TTYROOT_PHYS
+bool '  Deny serial consoles (ttyS)' CONFIG_GRKERNSEC_TTYROOT_SERIAL
+bool '  Deny pseudo consoles (pty)' CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+fi
+bool 'Fork-bomb protection' CONFIG_GRKERNSEC_FORKBOMB
+if [ "$CONFIG_GRKERNSEC_FORKBOMB" != "n" ]; then
+int '   GID for restricted users' CONFIG_GRKERNSEC_FORKBOMB_GID 1006
+int '   Forks allowed per second' CONFIG_GRKERNSEC_FORKBOMB_SEC 40
+int '   Maximum processes allowed' CONFIG_GRKERNSEC_FORKBOMB_MAX 20
+fi
+bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE
+if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then
+bool '   Glibc protection' CONFIG_GRKERNSEC_TPE_GLIBC
+bool '   Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL
+int  '   GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005
+fi
+if [ "$CONFIG_X86" != "n" ]; then
+bool 'Restricted ptrace' CONFIG_GRKERNSEC_PTRACE
+if [ "$CONFIG_GRKERNSEC_PTRACE" != "n" ]; then
+bool '   Allow ptrace for group' CONFIG_GRKERNSEC_PTRACE_GROUP
+if [ "$CONFIG_GRKERNSEC_PTRACE_GROUP" != "n" ]; then
+int  '   GID for ptrace' CONFIG_GRKERNSEC_PTRACE_GID 1008
+fi
+fi
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Network Protections'
+bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID
+bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC
+bool 'Altered Ping IDs' CONFIG_GRKERNSEC_RANDPING
+bool 'Randomized TTL' CONFIG_GRKERNSEC_RANDTTL
+if [ "$CONFIG_GRKERNSEC_RANDTTL" != "n" ]; then
+int  '   TTL starting point:' CONFIG_GRKERNSEC_RANDTTL_THRESH 64
+fi
+bool 'Enhanced network randomness' CONFIG_GRKERNSEC_RANDNET
+bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET
+if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then
+bool '  Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL
+if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then
+int  '   GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004
+fi
+bool '  Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT
+if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then
+int  '   GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003
+fi
+bool '  Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER
+if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then
+int  '   GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002
+fi
+fi
+bool 'Stealth networking' CONFIG_GRKERNSEC_STEALTH
+if [ "$CONFIG_GRKERNSEC_STEALTH" != "n" ]; then
+bool '   Do not send RSTs on unserved TCP' CONFIG_GRKERNSEC_STEALTH_RST
+bool '   Do not reply to UDP with ICMP unreachables' CONFIG_GRKERNSEC_STEALTH_UDP
+bool '   Do not process ICMP packets' CONFIG_GRKERNSEC_STEALTH_ICMP
+bool '   Do not reply to IGMP requests' CONFIG_GRKERNSEC_STEALTH_IGMP
+bool '   Drop packets with illegitimate flags' CONFIG_GRKERNSEC_STEALTH_FLAGS
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Network Logging'
+bool 'Log requests to unserved TCP ports' CONFIG_GRKERNSEC_STEALTH_RST_LOG
+bool 'Log requests to unserved UDP ports' CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+bool 'Log ICMP packets' CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+bool 'Log packets with illegitimate flags' CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+endmenu
+if [ "$CONFIG_SYSCTL" != "n" ]; then
+mainmenu_option next_comment
+comment 'Sysctl support'
+bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
+endmenu
+fi
+mainmenu_option next_comment
+comment 'Miscellaneous Enhancements'
+bool 'BSD-style coredumps' CONFIG_GRKERNSEC_COREDUMP
+endmenu
diff -urN linux/include/asm-i386/a.out.h linux/include/asm-i386/a.out.h
--- linux/include/asm-i386/a.out.h      Fri Jun 16 14:33:06 1995
+++ linux/include/asm-i386/a.out.h      Sun Dec 23 19:13:16 2001
@@ -19,8 +19,12 @@
 
 #ifdef __KERNEL__
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define STACK_TOP      ((current->flags & PF_STACKEXEC) ? TASK_SIZE - _STK_LIM : TASK_SIZE)
+#else
 #define STACK_TOP      TASK_SIZE
 
+#endif
 #endif
 
 #endif /* __A_OUT_GNU_H__ */
diff -urN linux/include/asm-i386/pgtable.h linux/include/asm-i386/pgtable.h
--- linux/include/asm-i386/pgtable.h    Thu Nov 22 14:46:19 2001
+++ linux/include/asm-i386/pgtable.h    Sun Dec 23 19:13:16 2001
@@ -192,9 +192,26 @@
 #define _PAGE_CHG_MASK (PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
 
 #define PAGE_NONE      __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
+
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define PAGE_SHARED_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_RW |_PAGE_USER |_PAGE_ACCESSED)
+#define PAGE_COPY_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#define PAGE_READONLY_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#else
 #define PAGE_SHARED    __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
 #define PAGE_COPY      __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
 #define PAGE_READONLY  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+#define PAGE_SHARED_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED)
+#define PAGE_COPY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
+#define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) 
+#else
+#define PAGE_SHARED_NOEXEC    PAGE_SHARED_EXEC
+#define PAGE_COPY_NOEXEC      PAGE_COPY_EXEC
+#define PAGE_READONLY_NOEXEC  PAGE_READONLY_EXEC
+#endif
 
 #define __PAGE_KERNEL \
        (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED)
@@ -228,6 +245,15 @@
  * This is the closest we can get..
  */
 #define __P000 PAGE_NONE
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define __P001  PAGE_READONLY_NOEXEC
+#define __P010  PAGE_COPY_NOEXEC
+#define __P011  PAGE_COPY_NOEXEC
+#define __P100  PAGE_READONLY_EXEC
+#define __P101  PAGE_READONLY_EXEC
+#define __P110  PAGE_COPY_EXEC
+#define __P111  PAGE_COPY_EXEC
+#else
 #define __P001 PAGE_READONLY
 #define __P010 PAGE_COPY
 #define __P011 PAGE_COPY
@@ -235,8 +261,18 @@
 #define __P101 PAGE_READONLY
 #define __P110 PAGE_COPY
 #define __P111 PAGE_COPY
+#endif
 
 #define __S000 PAGE_NONE
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define __S001  PAGE_READONLY_NOEXEC
+#define __S010  PAGE_SHARED_NOEXEC
+#define __S011  PAGE_SHARED_NOEXEC
+#define __S100  PAGE_READONLY_EXEC
+#define __S101  PAGE_READONLY_EXEC
+#define __S110  PAGE_SHARED_EXEC
+#define __S111  PAGE_SHARED_EXEC
+#else
 #define __S001 PAGE_READONLY
 #define __S010 PAGE_SHARED
 #define __S011 PAGE_SHARED
@@ -244,6 +280,7 @@
 #define __S101 PAGE_READONLY
 #define __S110 PAGE_SHARED
 #define __S111 PAGE_SHARED
+#endif
 
 /*
  * Define this if things work differently on an i386 and an i486:
diff -urN linux/include/asm-i386/processor.h linux/include/asm-i386/processor.h
--- linux/include/asm-i386/processor.h  Thu Nov 22 14:46:19 2001
+++ linux/include/asm-i386/processor.h  Sun Dec 23 19:13:16 2001
@@ -267,11 +267,25 @@
  */
 #define TASK_SIZE      (PAGE_OFFSET)
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define MAGIC_SIGRETURN                (PAGE_OFFSET + 0xDE0000)
+#define MAGIC_RT_SIGRETURN     (PAGE_OFFSET + 0xDE0001)
+#endif
 /* This decides where the kernel will search for a free chunk of vm
  * space during mmap's.
  */
+#ifdef CONFIG_GRKERNSEC_STACK
+extern struct linux_binfmt elf_format;
+#define TASK_UNMAPPED_BASE(size) ( \
+       current->binfmt == &elf_format && \
+       !(current->flags & PF_STACKEXEC) && \
+       (size) < 0x00ef0000UL \
+       ? 0x00110000UL \
+       : TASK_SIZE / 3 )     
+#else
 #define TASK_UNMAPPED_BASE     (TASK_SIZE / 3)
 
+#endif
 /*
  * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
  */
@@ -362,6 +376,14 @@
        unsigned long __cacheline_filler[5];
 };
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+struct pax_fault_info {
+       unsigned long eip;
+       unsigned long addresses[4];
+       unsigned long count;
+};
+#endif
+
 struct thread_struct {
        unsigned long   esp0;
        unsigned long   eip;
@@ -372,6 +394,11 @@
        unsigned long   debugreg[8];  /* %%db0-7 debug registers */
 /* fault info */
        unsigned long   cr2, trap_no, error_code;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* PaX fault info */
+       struct pax_fault_info pax_faults;
+#endif
+
 /* floating point info */
        union i387_union        i387;
 /* virtual 86 mode info */
diff -urN linux/include/linux/a.out.h linux/include/linux/a.out.h
--- linux/include/linux/a.out.h Thu Nov 22 14:46:18 2001
+++ linux/include/linux/a.out.h Sun Dec 23 19:13:16 2001
@@ -37,6 +37,14 @@
   M_MIPS2 = 152                /* MIPS R6000/R4000 binary */
 };
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* Constants for the N_FLAGS field */
+#define F_PAX_PAGEEXEC        1       /* Enforce PAGE_EXEC */
+#define F_PAX_EMUTRAMP        2       /* Emulate trampolines */
+#define F_PAX_MPROTECT        4       /* Restrict mprotect() */
+#define F_PAX_RANDMMAP        8       /* Randomize mmap() base */   
+#endif
+
 #if !defined (N_MAGIC)
 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
 #endif
@@ -57,6 +65,9 @@
        ((exec).a_info = \
         ((exec).a_info&0x00ffffff) | (((flags) & 0xff) << 24))
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define F_STACKEXEC    1
+#endif
 /* Code indicating object file or impure executable.  */
 #define OMAGIC 0407
 /* Code indicating pure executable.  */
diff -urN linux/include/linux/binfmts.h linux/include/linux/binfmts.h
--- linux/include/linux/binfmts.h       Thu Nov 22 14:46:19 2001
+++ linux/include/linux/binfmts.h       Sun Dec 23 19:13:16 2001
@@ -1,6 +1,7 @@
 #ifndef _LINUX_BINFMTS_H
 #define _LINUX_BINFMTS_H
 
+#include <linux/config.h>
 #include <linux/ptrace.h>
 #include <linux/capability.h>
 
@@ -30,6 +31,11 @@
        int argc, envc;
        char * filename;        /* Name of binary */
        unsigned long loader, exec;
+#ifdef CONFIG_GRKERNSEC_FD
+        int priv_change;
+        int tweak_fd_mask;
+        struct file *tweak_fd_null;
+#endif
 };
 
 /*
diff -urN linux/include/linux/elf.h linux/include/linux/elf.h
--- linux/include/linux/elf.h   Thu Nov 22 14:48:29 2001
+++ linux/include/linux/elf.h   Sun Dec 23 19:13:16 2001
@@ -87,6 +87,9 @@
  */
 #define EM_ALPHA       0x9026
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define EF_STACKEXEC   1
+#endif
 /*
  * This is the old interim value for S/390 architecture
  */
@@ -255,6 +258,13 @@
 #define R_MIPS_LOVENDOR                100
 #define R_MIPS_HIVENDOR                127
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* Constants for the e_flags field */
+#define EF_PAX_PAGEEXEC               1       /* 0: Enforce PAGE_EXEC */
+#define EF_PAX_EMUTRAMP               2       /* 0: Emulate trampolines */
+#define EF_PAX_MPROTECT               4       /* 0: Restrict mprotect() */
+#define EF_PAX_RANDMMAP               8       /* 0: Randomize mmap() base */ 
+#endif
 
 /*
  * Sparc ELF relocation types
diff -urN linux/include/linux/fs.h linux/include/linux/fs.h
--- linux/include/linux/fs.h    Fri Dec 21 12:42:03 2001
+++ linux/include/linux/fs.h    Sun Dec 23 19:13:16 2001
@@ -1047,7 +1047,11 @@
 
 asmlinkage long sys_open(const char *, int, int);
 asmlinkage long sys_close(unsigned int);       /* yes, it's really unsigned */
+#ifdef CONFIG_GRKERNSEC_ACL
+extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *);
+#else
 extern int do_truncate(struct dentry *, loff_t start);
+#endif
 
 extern struct file *filp_open(const char *, int, int);
 extern struct file * dentry_open(struct dentry *, struct vfsmount *, int);
diff -urN linux/include/linux/gracl.h linux/include/linux/gracl.h
--- linux/include/linux/gracl.h Wed Dec 31 19:00:00 1969
+++ linux/include/linux/gracl.h Sun Dec 23 19:13:16 2001
@@ -0,0 +1,140 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+#endif
+#include <linux/grsecurity.h>
+#include <linux/grdefs.h>
+
+
+/* * * * * * * * * * * * * * * * * * * * *
+ * Oblivion kernel Modification
+ * Main header file
+ * Purpose: define most Oblivion data structures 
+ * * * * * * * * * * * * * * * * * * * * */
+
+#define GR_VERSION "grsecurity 2.0"
+
+#define SHUTDOWN  0
+#define ENABLE    1
+#define CHCAPS    2
+#define AUTH      3
+#define GOD       4
+
+#define GR_SET_INHERIT 0
+#define GR_SET_AUTH 1
+#define GR_SET_PROC 2
+/* required headers: <linux/kdev_t.h>, <linux/types.h> */
+
+/* I need to include linux/fs.h in oblivion.c and it would be
+ * overkill to include kdev_t.h twice(once here and once in fs.h)
+ * so I just did the other necessary header inclusion before including oblivion.h*/
+
+
+
+#define GR_PW_LEN 129
+#define GR_SHA_SIZE 20
+#define GR_EXTRA_LEN 1025
+
+/* Begin Data Structures */
+struct admin_pw {
+       char pw[GR_PW_LEN];
+       char extra[GR_EXTRA_LEN];
+       __u8 sum[GR_SHA_SIZE];  /* 160-bit SHA hash of the password*/
+       __u8 mode; /* On/Off/Restart(Restart is not ready yet..*/
+};
+
+struct file_acl {
+       ino_t inode;
+       kdev_t device;
+       __u32 mode; 
+};
+
+/* When sorting/searching, we can effectively search obv_file_acl and obv_acl structures since their identifying information(inodes/devs) are the same name and their size, due to the above padding, is also the same*/
+
+struct file_db {
+       struct file_acl *db;
+       int max_ref;
+};
+
+
+/* information about r/w/x info for a file by a process */
+/* Uses a (balanced )binary tree for its implementation...ideas are welcome for 
+ * a more efficient way however=)*/
+
+struct proc_acl {
+       ino_t inode;
+       kdev_t device; 
+       /* to do rules like /tmp * set the dir /tmp rw .. best solution I can find*/
+       __u16 mode;
+       /* you may consider the file inode, file_dev, and mode to(combined) be the key */
+       struct proc_acl *left;
+       struct proc_acl *right;
+       __u16 height; /* used for avl rebalancing*/
+};
+
+
+
+/* information about a process */
+struct acl_subject {
+       ino_t inode;
+       kdev_t device;
+       __u8 mode;
+       kernel_cap_t file_caps; /* capability set*/
+       struct proc_acl *tree;
+};
+
+/* database - contains process ACLs */
+struct proc_db {
+       struct acl_subject *db;
+       int max_ref;
+};
+
+/* Temporary storage--see kernel/oblivion.c */
+struct acl_temp {
+       ino_t inode;
+       kdev_t device;
+       __u16 mode;
+};
+/* Begin Capabilities subsection */
+
+#define CONFIG_GR_MAX_CAP 30
+
+struct cap_entry {
+       char * capname;
+       kernel_cap_t capval;
+};
+
+struct capset {
+       struct cap_entry table[CONFIG_GR_MAX_CAP];
+};
+/* End Capabilities subsection */
+/* End Data Structures */
+
+/* Begin SHA hash section */
+#define SHA1HANDSOFF /* Copies data before messing with it. */
+
+struct SHA1_CTX {
+       unsigned long state[5];
+       unsigned long count[2];
+       unsigned char buffer[64];
+};
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/* blk0() and blk() perform the initial expand. */
+/* I got the idea of expanding during the round function from SSLeay */
+#ifdef __LITTLE_ENDIAN
+#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+               |(rol(block->l[i],8)&0x00FF00FF))
+#else
+#define blk0(i) block->l[i]
+#endif /* __LITTLE_ENDIAN */
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+                       ^block->l[(i+2)&15]^block->l[i&15],1))
+
+       /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+/* End SHA hash section */                    
diff -urN linux/include/linux/grdefs.h linux/include/linux/grdefs.h
--- linux/include/linux/grdefs.h        Wed Dec 31 19:00:00 1969
+++ linux/include/linux/grdefs.h        Sun Dec 23 19:13:16 2001
@@ -0,0 +1,82 @@
+
+/* Begin Status/Return value declarations */
+
+#define GR_ALLOW 1
+#define GR_NOTFOUND -1
+#define GR_DENY 0
+
+#define GR_LOADING 0x01
+#define GR_DISABLED 0x02
+#define GR_READY 0x04
+#define GR_1ST 0x08
+/* Debugging mode*/ 
+#define GR_TESTING 0x080
+
+#ifdef CONFIG_GR_DEF_DENY
+#define GR_DEFAULT GR_DENY
+#endif
+#ifdef CONFIG_GR_DEF_DENY_ROOT
+#define GR_DEFAULT !(current->euid) ? GR_DENY : GR_ALLOW;
+#endif
+#ifdef CONFIG_GR_DEF_ALLOW
+#define GR_DEFAULT GR_ALLOW
+#endif
+
+/* End Status declarations */
+
+
+
+
+/* Begin  ACL declarations */
+#define GR_READ 0x01
+#define GR_APPEND 0x02
+#define GR_WRITE 0x04
+#define GR_EXEC 0x08
+#define GR_HIDDEN 0x10
+#define GR_OVERRIDE 0x20 /* Override File ACL, useful for proc only*/
+#define GR_PROTECTED 0x40
+#define GR_NONEXISTANT 0x40000000 /* File does not exist, check parent. Done when *checking* for a file's ACL */
+
+
+/* Standard stuff done, on to File ACL stuff */
+
+#define GR_FILE_READ GR_READ
+#define GR_FILE_APPEND GR_APPEND
+#define GR_FILE_WRITE (GR_WRITE | GR_APPEND)
+#define GR_FILE_EXEC GR_EXEC
+#define GR_FILE_HIDDEN GR_HIDDEN
+
+
+#define GR_PROC_READ GR_READ
+#define GR_PROC_APPEND GR_APPEND
+#define GR_PROC_WRITE (GR_WRITE|GR_APPEND); /* write access implies append access*/
+#define GR_PROC_EXEC GR_EXEC
+#define GR_PROC_ACCESS GR_HIDDEN
+#define GR_PROC_OVERRIDE GR_OVERRIDE
+#define GR_PROC_HIDDEN GR_HIDDEN /* Hidden, unkillable(except by init) process. Good for hiding your IDSes / logging daemons:)*/
+#define GR_PROC_PROTECTED GR_PROTECTED
+ 
+/* Begin TODO */
+#define GR_REQSUM 0x200 /* Require program to have SHAsum in database*/
+#define GR_INHERIT 0x400 /* Children inherit parent's process acls*/
+#define GR_AUTH 0x100    /* Require secondary authentication before execution*/
+#define GR_AUTH_IF_ROOT 0x800 /* Require secondary authentication IF the user has root priveleges */
+
+#define GR_FILE_REQSUM GR_REQSUM
+#define GR_FILE_AUTH GR_AUTH
+#define GR_PROC_REQSUM GR_REQSUM
+#define GR_PROC_INHERIT GR_INHERIT
+#define GR_PROC_AUTH GR_AUTH
+#define GR_PROC_AUTH_IF_ROOT GR_AUTH_IF_ROOT
+/* End TODO */
+
+#define GR_PROC_EXTRA (GR_PROC_OVERRIDE|GR_PROC_REQSUM|GR_PROC_INHERIT|GR_PROC_AUTH)
+/* Extra things that must be checked after a search*/
+
+#define GR_FILE_EXTRA (GR_FILE_REQSUM|GR_FILE_AUTH)
+#define GR_RW (GR_READ|GR_WRITE)
+#define GR_RX (GR_READ|GR_EXEC)
+#define GR_RWX (GR_READ|GR_WRITE|GR_EXEC)
+
+/* End ACL Declarations */
+
diff -urN linux/include/linux/grext.h linux/include/linux/grext.h
--- linux/include/linux/grext.h Wed Dec 31 19:00:00 1969
+++ linux/include/linux/grext.h Sun Dec 23 19:13:16 2001
@@ -0,0 +1,18 @@
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Oblivion external header
+ * Used for sections of the kernel that must access oblivion
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#include <linux/dcache.h>
+#include <linux/sysctl.h>
+#include <linux/grdefs.h>
+
+extern int gr_status;
+extern int gr_disable;
+extern int gr_check_hidden(struct dentry *dentry, struct vfsmount *mnt);
+extern int gr_search(struct dentry *dentry, __u16 mode, struct vfsmount *mnt);
+extern int gr_set_proc_acl(struct dentry *dentry,struct task_struct *tsk,char *filename, struct vfsmount *mnt);
+extern int gr_check_hidden_proc(struct task_struct *tsk);
+extern int gr_check_protected(struct task_struct *tsk);
+extern int gr_copy_acl(struct task_struct *tsk);
+extern int gr_proc_handler(ctl_table *table,int write, struct file *filp, void *buffer, size_t *lenp);
diff -urN linux/include/linux/grhash.h linux/include/linux/grhash.h
--- linux/include/linux/grhash.h        Wed Dec 31 19:00:00 1969
+++ linux/include/linux/grhash.h        Sun Dec 23 19:13:16 2001
@@ -0,0 +1,4 @@
+extern void SHA1Init(struct SHA1_CTX *context);
+extern void SHA1Update(struct SHA1_CTX *context, unsigned char *data,unsigned  int len);
+extern void SHA1Final(unsigned char digest[20],struct SHA1_CTX *context);
+extern int chkpw(struct admin_pw *entry);
diff -urN linux/include/linux/grsecurity.h linux/include/linux/grsecurity.h
--- linux/include/linux/grsecurity.h    Wed Dec 31 19:00:00 1969
+++ linux/include/linux/grsecurity.h    Sun Dec 23 19:13:16 2001
@@ -0,0 +1,130 @@
+#ifndef GR_ACL_H
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Oblivion external header
+ * Used for sections of the kernel that must access oblivion
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#include <linux/dcache.h>
+#include <linux/sysctl.h>
+#include <linux/grdefs.h>
+
+extern int gr_status;
+extern int gr_disable;
+extern int gr_check_hidden(struct dentry *dentry, struct vfsmount *mnt);
+extern int gr_search(struct dentry *dentry, __u16 mode, struct vfsmount *mnt);
+extern int gr_set_proc_acl(struct dentry *dentry,struct task_struct *tsk,char *filename, struct vfsmount *mnt);
+extern int gr_check_hidden_proc(struct task_struct *tsk);
+extern int gr_check_protected(struct task_struct *tsk);
+extern int gr_copy_acl(struct task_struct *tsk);
+extern int gr_proc_handler(ctl_table *table,int write, struct file *filp, void *buffer, size_t *lenp);
+#endif
+
+extern int grsec_enable_link;
+extern int grsec_enable_fifo;    
+extern int grsec_enable_fd;
+extern int grsec_enable_execve;
+extern int grsec_enable_forkbomb;
+extern int grsec_forkbomb_gid;
+extern int grsec_forkbomb_sec;
+extern int grsec_forkbomb_max;
+extern int grsec_enable_execlog;
+extern int grsec_enable_execlog_group;
+extern int grsec_execlog_gid;
+extern int grsec_enable_suid;
+extern int grsec_enable_suid_root;
+extern int grsec_enable_signal;
+extern int grsec_enable_coredump;
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_kbmap;
+extern int grsec_enable_randnet;
+extern int grsec_enable_chroot_sig;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
+extern int grsec_enable_chroot_chdir;
+extern int grsec_enable_chroot_chmod;
+extern int grsec_enable_chroot_mknod;
+extern int grsec_enable_chroot_ptrace;
+extern int grsec_enable_chroot_nice;
+extern int grsec_enable_chroot_execlog;
+extern int grsec_enable_chroot_caps;
+extern int grsec_enable_tpe;
+extern int grsec_tpe_gid;
+extern int grsec_enable_tpe_glibc;
+extern int grsec_enable_tpe_all; 
+extern int grsec_enable_ptrace; 
+extern int grsec_enable_ptrace_group; 
+extern int grsec_ptrace_gid; 
+extern int grsec_enable_sidcaps;
+extern int grsec_enable_randpid;
+extern int grsec_enable_randid; 
+extern int grsec_enable_randsrc;
+extern int grsec_enable_randping;
+extern int grsec_enable_randttl; 
+extern int grsec_randttl_thresh; 
+extern int grsec_enable_socket_all;
+extern int grsec_socket_all_gid;
+extern int grsec_enable_socket_client;
+extern int grsec_socket_client_gid;
+extern int grsec_enable_socket_server; 
+extern int grsec_socket_server_gid; 
+extern int grsec_enable_stealth_rst;
+extern int grsec_enable_stealth_udp;
+extern int grsec_enable_stealth_icmp;
+extern int grsec_enable_stealth_igmp;
+extern int grsec_enable_stealth_flags;
+extern int grsec_enable_stealth_rst_log;
+extern int grsec_enable_stealth_udp_log;
+extern int grsec_enable_stealth_icmp_log;
+extern int grsec_enable_stealth_flags_log;
+extern int grsec_enable_serial_deny;
+extern int grsec_enable_phys_deny;
+extern int grsec_enable_pseudo_deny;
+extern int grsec_enable_ipc;
+extern int grsec_lock;
+
+extern struct task_struct *child_reaper;
+
+#define proc_is_chrooted(tsk_a)  ((tsk_a->fs->root->d_inode->i_dev != \
+                         child_reaper->fs->root->d_inode->i_dev) || \
+                         (tsk_a->fs->root->d_inode->i_ino != \
+                         child_reaper->fs->root->d_inode->i_ino)) 
+
+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \
+                         tsk_b->fs->root->d_inode->i_dev) && \
+                         (tsk_a->fs->root->d_inode->i_ino == \
+                         tsk_b->fs->root->d_inode->i_ino)) 
+
+#define DEFAULTSECMSG "(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) " \
+                     "UID(%d) EUID(%d)"
+
+#define DEFAULTSECARGS current->comm, current->pid, current->uid, \
+                      current->euid, current->p_pptr->comm, \
+                      current->p_pptr->pid, current->p_pptr->uid, \
+                      current->p_pptr->euid
+
+#define CHROOTLONGCHECK t->pid && t->fs && t->fs->root && \
+                       t->fs->root->d_inode && t->p_pptr && \
+                       current->pid && current->fs && current->fs->root && \
+                       current->fs->root->d_inode && \
+                       current->p_pptr && child_reaper && child_reaper->pid && \
+                       child_reaper->fs && child_reaper->fs->root && \
+                       child_reaper->fs->root->d_inode && \
+                       grsec_enable_chroot_sig
+
+#define is_tty_allowed_for_setid(t_uid,t_uid2,t_uid3,f_name)           \
+        if(current->tty && (!t_uid || !t_uid2 || !t_uid3) &&           \
+       ((grsec_enable_serial_deny &&                                   \
+        (current->tty->driver.type == TTY_DRIVER_TYPE_SERIAL)) ||      \
+       (grsec_enable_pseudo_deny &&                                    \
+        (current->tty->driver.type == TTY_DRIVER_TYPE_PTY)) ||                 \
+       (grsec_enable_phys_deny &&                                      \
+        (current->tty->driver.type == TTY_DRIVER_TYPE_CONSOLE)))       \
+        ) {                                                            \
+                security_alert("attempted " f_name " root on "         \
+                               "illegal console by " DEFAULTSECMSG,    \
+                                "attempted " f_name " roots",          \
+                                DEFAULTSECARGS);                       \
+                return -EPERM;                                                 \
+        }
+
diff -urN linux/include/linux/kernel.h linux/include/linux/kernel.h
--- linux/include/linux/kernel.h        Thu Nov 22 14:46:18 2001
+++ linux/include/linux/kernel.h        Sun Dec 23 19:13:16 2001
@@ -122,6 +122,29 @@
        ((unsigned char *)&addr)[2], \
        ((unsigned char *)&addr)[3]
 
+#ifndef CONFIG_GR_DEBUG
+#define security_alert(normal_msg,flood_msg,args...) \
+({ \
+       static unsigned long warning_time = 0, no_flood_yet = 0; \
+       static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \
+       \
+       spin_lock(&security_alert_lock); \
+       if(!warning_time || jiffies - warning_time > 30 * HZ) { \
+           warning_time = jiffies; no_flood_yet = 1; \
+           printk(KERN_ALERT "grsec: " normal_msg "\n", ## args); \
+       } else if (no_flood_yet) { \
+           warning_time = jiffies; no_flood_yet = 0; \
+           printk(KERN_ALERT "grsec: more " flood_msg \
+                   ", logging disabled for 30 seconds\n"); \
+       } \
+       \
+       spin_unlock(&security_alert_lock); \
+})
+#else
+#define security_alert(normal_msg, flood_msg, args...) \
+printk(KERN_INFO normal_msg "\n", ## args)
+#endif
+
 #define HIPQUAD(addr) \
        ((unsigned char *)&addr)[3], \
        ((unsigned char *)&addr)[2], \
diff -urN linux/include/linux/mm.h linux/include/linux/mm.h
--- linux/include/linux/mm.h    Fri Dec 21 12:42:03 2001
+++ linux/include/linux/mm.h    Sun Dec 23 19:13:16 2001
@@ -103,7 +103,11 @@
 #define VM_DONTEXPAND  0x00040000      /* Cannot expand with mremap() */
 #define VM_RESERVED    0x00080000      /* Don't unmap it from swap_out */
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define VM_STACK_FLAGS  0x00000133 
+#else
 #define VM_STACK_FLAGS 0x00000177
+#endif
 
 #define VM_READHINTMASK                        (VM_SEQ_READ | VM_RAND_READ)
 #define VM_ClearReadHint(v)            (v)->vm_flags &= ~VM_READHINTMASK
diff -urN linux/include/linux/proc_fs.h linux/include/linux/proc_fs.h
--- linux/include/linux/proc_fs.h       Thu Nov 22 14:46:23 2001
+++ linux/include/linux/proc_fs.h       Sun Dec 23 19:13:16 2001
@@ -137,6 +137,9 @@
 extern struct proc_dir_entry *proc_mknod(const char *,mode_t,
                struct proc_dir_entry *,kdev_t);
 extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *);
+#ifdef CONFIG_GRKERNSEC_PROC
+extern struct proc_dir_entry *proc_priv_mkdir(const char *, mode_t mode, struct proc_dir_entry *);
+#endif
 
 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
        mode_t mode, struct proc_dir_entry *base, 
diff -urN linux/include/linux/sched.h linux/include/linux/sched.h
--- linux/include/linux/sched.h Fri Dec 21 12:42:03 2001
+++ linux/include/linux/sched.h Sun Dec 23 19:13:16 2001
@@ -29,6 +29,7 @@
 
 struct exec_domain;
 
+
 /*
  * cloning flags:
  */
@@ -225,6 +226,12 @@
        unsigned long cpu_vm_mask;
        unsigned long swap_address;
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+       unsigned long delta_mmap;               /* PaX: randomized offset */
+       unsigned long delta_exec;               /* PaX: randomized offset */
+       unsigned long delta_stack;              /* PaX: randomized offset */
+#endif
+ 
        unsigned dumpable:1;
 
        /* Architecture-specific MM context */
@@ -401,6 +408,10 @@
        int (*notifier)(void *priv);
        void *notifier_data;
        sigset_t *notifier_mask;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+       void * acl;
+#endif
        
 /* Thread group tracking */
        u32 parent_exec_id;
@@ -430,6 +441,13 @@
 
 #define PF_USEDFPU     0x00100000      /* task used FPU this quantum (SMP) */
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define PF_PAX_PAGEEXEC       0x01000000      /* PaX: Enforce PAGE_EXEC */
+#define PF_PAX_EMUTRAMP       0x02000000      /* PaX: Emulate trampolines */
+#define PF_PAX_MPROTECT       0x04000000      /* PaX: Restrict mprotect() */
+#define PF_PAX_RANDMMAP       0x08000000      /* PaX: Randomize mmap() base */
+#endif
+
 /*
  * Ptrace flags
  */
@@ -437,8 +455,18 @@
 #define PT_PTRACED     0x00000001
 #define PT_TRACESYS    0x00000002
 #define PT_DTRACE      0x00000004      /* delayed trace (used on m68k, i386) */
+#ifdef CONFIG_GRKERNSEC_STACK
+#define PF_STACKEXEC    0x01000000
+#endif
 #define PT_TRACESYSGOOD        0x00000008
 #define PT_PTRACE_CAP  0x00000010      /* ptracer can follow suid-exec */
+
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* PaX: for handling DTLB trashing */
+#define PT_PAX_TRACE    0x00000020
+#define PT_PAX_KEEPTF   0x00000040
+#define PT_PAX_OLDTF    0x00000080
+#endif
 
 /*
  * Limit the stack by to some sane default: root can always
diff -urN linux/include/linux/sysctl.h linux/include/linux/sysctl.h
--- linux/include/linux/sysctl.h        Mon Nov 26 08:29:17 2001
+++ linux/include/linux/sysctl.h        Sun Dec 23 19:13:16 2001
@@ -124,6 +124,8 @@
 #ifdef CONFIG_KDB
        KERN_KDB=55,            /* int: mdb on/off */
 #endif /* CONFIG_KDB */
+        KERN_GRSECURITY=68,              /* grsecurity */
+        KERN_OBV = 69                    /* struct obv_pw, controls oblivion*/
 };
 
 
diff -urN linux/include/net/inetpeer.h linux/include/net/inetpeer.h
--- linux/include/net/inetpeer.h        Thu Nov 22 14:47:11 2001
+++ linux/include/net/inetpeer.h        Sun Dec 23 19:13:16 2001
@@ -14,6 +14,11 @@
 #include <linux/sched.h>
 #include <linux/spinlock.h>
 #include <asm/atomic.h>
+#include <linux/config.h>
+#ifdef CONFIG_GRKERNSEC_RANDID
+#include <linux/grsecurity.h>
+extern __u16 ip_randomid(void);
+#endif
 
 struct inet_peer
 {
@@ -58,6 +63,11 @@
        __u16 id;
 
        spin_lock_bh(&inet_peer_idlock);
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               id = htons(ip_randomid());
+       else
+#endif
        id = p->ip_id_count++;
        spin_unlock_bh(&inet_peer_idlock);
        return id;
diff -urN linux/include/net/ip.h linux/include/net/ip.h
--- linux/include/net/ip.h      Thu Nov 22 14:47:15 2001
+++ linux/include/net/ip.h      Sun Dec 23 19:13:16 2001
@@ -38,6 +38,11 @@
 
 #include <net/sock.h>  /* struct sock */
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+#include <linux/grsecurity.h>
+extern __u16 ip_randomid(void);
+#endif
+
 struct inet_skb_parm
 {
        struct ip_options       opt;            /* Compiled IP options          */
@@ -196,6 +201,11 @@
                 * does not change, they drop every other packet in
                 * a TCP stream using header compression.
                 */
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               iph->id = htons(ip_randomid());
+       else
+#endif
                iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0);
        } else
                __ip_select_ident(iph, dst);
diff -urN linux/init/main.c linux/init/main.c
--- linux/init/main.c   Fri Dec 21 12:42:04 2001
+++ linux/init/main.c   Sun Dec 23 19:13:16 2001
@@ -69,6 +69,12 @@
 #include <asm/smp.h>
 #endif
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
+
+
 /*
  * Versions of gcc older than that listed below may actually compile
  * and link okay, but the end product can have subtle run time bugs.
@@ -107,6 +113,12 @@
 extern void ipc_init(void);
 #endif
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static __init int gr_setup(char *line);
+#endif
+
+
+
 /*
  * Boot command-line arguments
  */
@@ -307,6 +319,19 @@
 }
 
 __setup("root=", root_dev_setup);
+
+#ifdef CONFIG_GRKERNSEC_ACL
+static int __init gr_setup(char *str) 
+{
+#ifdef CONFIG_GR_DEBUG
+       security_alert("Grsecurity: got %.3s at startup","",str);
+#endif
+       if(*str == '0') gr_disable = 1;
+       return 1;
+}
+__setup("oblivion=",gr_setup);
+#endif
+
 
 static int __init checksetup(char *line)
 {
diff -urN linux/ipc/msg.c linux/ipc/msg.c
--- linux/ipc/msg.c     Fri Sep 14 17:17:00 2001
+++ linux/ipc/msg.c     Sun Dec 23 19:13:16 2001
@@ -23,6 +23,9 @@
 #include <linux/proc_fs.h>
 #include <linux/list.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_IPC
+#include <linux/grsecurity.h>
+#endif
 #include "util.h"
 
 /* sysctl: */
@@ -127,7 +130,14 @@
                kfree(msq);
                return -ENOSPC;
        }
+#ifdef CONFIG_GRKERNSEC_IPC
+       if(grsec_enable_ipc)
+               msq->q_perm.mode = (msgflg & ~current->fs->umask);
+       else
+               msq->q_perm.mode = (msgflg & S_IRWXUGO);
+#else
        msq->q_perm.mode = (msgflg & S_IRWXUGO);
+#endif
        msq->q_perm.key = key;
 
        msq->q_stime = msq->q_rtime = 0;
@@ -545,8 +555,17 @@
 
                ipcp->uid = setbuf.uid;
                ipcp->gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+               if(grsec_enable_ipc)
+                       ipcp->mode = (ipcp->mode & ~current->fs->umask) | 
+                               (~current->fs->umask & setbuf.mode);
+               else
+                       ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | 
+                               (S_IRWXUGO & setbuf.mode);
+#else
                ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | 
                        (S_IRWXUGO & setbuf.mode);
+#endif
                msq->q_ctime = CURRENT_TIME;
                /* sleeping receivers might be excluded by
                 * stricter permissions.
diff -urN linux/ipc/sem.c linux/ipc/sem.c
--- linux/ipc/sem.c     Sun Sep 30 15:26:42 2001
+++ linux/ipc/sem.c     Sun Dec 23 19:13:16 2001
@@ -63,6 +63,9 @@
 #include <linux/init.h>
 #include <linux/proc_fs.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_IPC
+#include <linux/grsecurity.h>
+#endif
 #include "util.h"
 
 
@@ -135,7 +138,14 @@
        }
        used_sems += nsems;
 
+#ifdef CONFIG_GRKERNSEC_IPC
+       if(grsec_enable_ipc)
+               sma->sem_perm.mode = (semflg & ~current->fs->umask);
+       else
+               sma->sem_perm.mode = (semflg & S_IRWXUGO);
+#else
        sma->sem_perm.mode = (semflg & S_IRWXUGO);
+#endif
        sma->sem_perm.key = key;
 
        sma->sem_base = (struct sem *) &sma[1];
@@ -733,8 +743,17 @@
        case IPC_SET:
                ipcp->uid = setbuf.uid;
                ipcp->gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+               if(grsec_enable_ipc)
+                       ipcp->mode = (ipcp->mode & ~current->fs->umask)
+                                       | (setbuf.mode & ~current->fs->umask);
+               else
+                       ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
+                                       | (setbuf.mode & S_IRWXUGO);
+#else
                ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
                                | (setbuf.mode & S_IRWXUGO);
+#endif
                sma->sem_ctime = CURRENT_TIME;
                sem_unlock(semid);
                err = 0;
diff -urN linux/ipc/shm.c linux/ipc/shm.c
--- linux/ipc/shm.c     Fri Dec 21 12:42:04 2001
+++ linux/ipc/shm.c     Sun Dec 23 19:13:16 2001
@@ -23,6 +23,9 @@
 #include <linux/mman.h>
 #include <linux/proc_fs.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_IPC
+#include <linux/grsecurity.h>
+#endif
 
 #include "util.h"
 
@@ -202,7 +205,14 @@
        if(id == -1) 
                goto no_id;
        shp->shm_perm.key = key;
+#ifdef CONFIG_GRKERNSEC_IPC
+       if(grsec_enable_ipc)
+               shp->shm_flags = (shmflg & ~current->fs->umask);
+       else
+               shp->shm_flags = (shmflg & S_IRWXUGO);
+#else
        shp->shm_flags = (shmflg & S_IRWXUGO);
+#endif 
        shp->shm_cprid = current->pid;
        shp->shm_lprid = 0;
        shp->shm_atim = shp->shm_dtim = 0;
@@ -541,8 +551,17 @@
 
                shp->shm_perm.uid = setbuf.uid;
                shp->shm_perm.gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+               if(grsec_enable_ipc)
+                       shp->shm_flags = (shp->shm_flags & ~current->fs->umask)
+                               | (setbuf.mode & ~current->fs->umask);
+               else
+                       shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO)
+                               | (setbuf.mode & S_IRWXUGO);
+#else
                shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO)
                        | (setbuf.mode & S_IRWXUGO);
+#endif
                shp->shm_ctim = CURRENT_TIME;
                break;
        }
diff -urN linux/kernel/Makefile linux/kernel/Makefile
--- linux/kernel/Makefile       Mon Sep 17 00:22:40 2001
+++ linux/kernel/Makefile       Sun Dec 23 19:13:16 2001
@@ -14,11 +14,12 @@
 obj-y     = sched.o dma.o fork.o exec_domain.o panic.o printk.o \
            module.o exit.o itimer.o info.o time.o softirq.o resource.o \
            sysctl.o acct.o capability.o ptrace.o timer.o user.o \
-           signal.o sys.o kmod.o context.o syscall_ksyms.o
+           signal.o sys.o grsecurity.o kmod.o context.o syscall_ksyms.o
 
 obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += ksyms.o
 obj-$(CONFIG_PM) += pm.o
+obj-$(CONFIG_GRKERNSEC_ACL) += gracl.o grsort.o grhash.o
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 
 ifneq ($(CONFIG_IA64),y)
diff -urN linux/kernel/exit.c linux/kernel/exit.c
--- linux/kernel/exit.c Wed Nov 21 17:42:27 2001
+++ linux/kernel/exit.c Sun Dec 23 19:13:16 2001
@@ -20,6 +20,10 @@
 #include <asm/pgtable.h>
 #include <asm/mmu_context.h>
 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+#include <linux/grsecurity.h>
+#endif
+
 extern void sem_exit (void);
 extern struct task_struct *child_reaper;
 
@@ -416,6 +420,10 @@
        write_unlock_irq(&tasklist_lock);
 }
 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+pid_t last_pids[64];
+int cur_n_pids;
+#endif
 NORET_TYPE void do_exit(long code)
 {
        struct task_struct *tsk = current;
@@ -436,6 +444,12 @@
        __exit_mm(tsk);
 
        lock_kernel();
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       if(grsec_enable_randpid){
+       last_pids[cur_n_pids++] = tsk -> pid;
+       cur_n_pids &= 63;
+       }
+#endif
        sem_exit();
        __exit_files(tsk);
        __exit_fs(tsk);
diff -urN linux/kernel/fork.c linux/kernel/fork.c
--- linux/kernel/fork.c Wed Nov 21 13:18:42 2001
+++ linux/kernel/fork.c Sun Dec 23 19:13:16 2001
@@ -20,12 +20,25 @@
 #include <linux/vmalloc.h>
 #include <linux/completion.h>
 #include <linux/personality.h>
+#ifdef CONFIG_GRKERNSEC_RANDPID
+#include <linux/random.h>
+#endif
+
+#if defined(CONFIG_GRKERNSEC_FORKFAIL)||defined(CONFIG_GRKERNSEC_RANDPID) \
+ || defined(CONFIG_GRKERNSEC_FORKBOMB) || defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
 
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+extern struct entropy_store *random_state;
+extern struct entropy_store *sec_random_state;
+#endif
+
 /* The idle threads do not count.. */
 int nr_threads;
 int nr_running;
@@ -81,9 +94,18 @@
 /* Protects next_safe and last_pid. */
 spinlock_t lastpid_lock = SPIN_LOCK_UNLOCKED;
 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+extern pid_t last_pids[64];
+extern int cur_n_pids;
+#endif
+
 static int get_pid(unsigned long flags)
 {
        static int next_safe = PID_MAX;
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       int loops;      
+#endif
+
        struct task_struct *p;
 
        if (flags & CLONE_PID)
@@ -91,32 +113,72 @@
 
        spin_lock(&lastpid_lock);
        if((++last_pid) & 0xffff8000) {
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       if(!grsec_enable_randpid || (current->p_pptr->pid < 1))
+#endif
                last_pid = 300;         /* Skip daemons etc. */
                goto inside;
        }
-       if(last_pid >= next_safe) {
+       if(last_pid >= 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       (grsec_enable_randpid && (current->p_pptr->pid >= 1))?2:
+#endif
+       next_safe) {
 inside:
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       if(!grsec_enable_randpid || (current->p_pptr->pid < 1))
+#endif
                next_safe = PID_MAX;
                read_lock(&tasklist_lock);
        repeat:
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       if (grsec_enable_randpid && (current->p_pptr->pid >= 1)) {
+                if((random_state) || (sec_random_state)){
+               do {
+                        get_random_bytes(&last_pid, sizeof(last_pid));
+                        last_pid %= PID_MAX;
+                       if(last_pid < 0)
+                               last_pid = -1 * last_pid;
+                } while (last_pid <= 1);
+               } else
+               last_pid = 1+((xtime.tv_usec * total_forks) % PID_MAX);
+               for(loops=0;loops<64;loops++){
+                       if(last_pids[loops] == last_pid)
+                               goto repeat;
+               }
+       }
+#endif
+
                for_each_task(p) {
                        if(p->pid == last_pid   ||
                           p->pgrp == last_pid  ||
                           p->tgid == last_pid  ||
                           p->session == last_pid) {
-                               if(++last_pid >= next_safe) {
+                               if(
+#ifdef CONFIG_GRKERNSEC_RANDPID
+                               (!grsec_enable_randpid || 
+                               (current->p_pptr->pid < 1)) &&
+#endif
+                               ++last_pid >= next_safe) {
                                        if(last_pid & 0xffff8000)
                                                last_pid = 300;
                                        next_safe = PID_MAX;
                                }
                                goto repeat;
                        }
+#ifdef CONFIG_GRKERNSEC_RANDPID
+                       if(!grsec_enable_randpid || 
+                       (current->p_pptr->pid < 1)){
+#endif
                        if(p->pid > last_pid && next_safe > p->pid)
                                next_safe = p->pid;
                        if(p->pgrp > last_pid && next_safe > p->pgrp)
                                next_safe = p->pgrp;
                        if(p->session > last_pid && next_safe > p->session)
                                next_safe = p->session;
+#ifdef CONFIG_GRKERNSEC_RANDPID
+                       }
+#endif
                }
                read_unlock(&tasklist_lock);
        }
@@ -565,6 +627,39 @@
        int retval;
        struct task_struct *p;
        struct completion vfork;
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+       int fork_user;
+       int sec_forks = 0;
+       int user_tasks = 0;
+       unsigned long curr_time = jiffies;
+
+fork_user = current->uid;
+if(grsec_enable_forkbomb) {
+if(in_group_p(grsec_forkbomb_gid) && fork_user){
+        read_lock(&tasklist_lock);
+        for_each_task(p)
+        {
+                if ((p->uid) == fork_user)
+                {
+                user_tasks++;
+                if ( (curr_time - (p->start_time)) <= 100)
+                        sec_forks++;
+                }
+        }
+        read_unlock(&tasklist_lock);
+
+       if (user_tasks >= grsec_forkbomb_max){
+       security_alert("max process limit reached with "
+               DEFAULTSECMSG,"max proc limits reached",DEFAULTSECARGS);
+       return(kill_pg(current->pgrp,SIGKILL,0));
+       } else if (sec_forks >= grsec_forkbomb_sec){
+       security_alert("fork rate-limit reached with "
+               DEFAULTSECMSG,"fork rate-limits reached", DEFAULTSECARGS);
+       return(kill_pg(current->pgrp,SIGKILL,0));
+       }
+}
+}
+#endif
 
        retval = -EPERM;
 
@@ -661,6 +756,11 @@
                goto bad_fork_cleanup_fs;
        if (copy_mm(clone_flags, p))
                goto bad_fork_cleanup_sighand;
+#ifdef CONFIG_GRKERNSEC_ACL
+       if (gr_copy_acl(p))
+           goto bad_fork_cleanup_sighand;
+#endif
+
        retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
        if (retval)
                goto bad_fork_cleanup_mm;
@@ -747,6 +847,11 @@
        free_uid(p->user);
 bad_fork_free:
        free_task_struct(p);
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       if(grsec_enable_forkfail)
+               security_alert("failed fork with errno %d by " DEFAULTSECMSG,
+                              "failed forks",retval, DEFAULTSECARGS);
+#endif
        goto fork_out;
 }
 
diff -urN linux/kernel/gracl.c linux/kernel/gracl.c
--- linux/kernel/gracl.c        Wed Dec 31 19:00:00 1969
+++ linux/kernel/gracl.c        Sun Dec 23 19:13:16 2001
@@ -0,0 +1,1366 @@
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Oblivion: A Security-Enhancing Linux Kernel Modification
+ * Author: Michael Dalton
+ * E-Mail: michael@linux.com
+ * Information: This modification is designed to give 
+ * fine-tuned control over processes, to prevent
+ * the damage of buffer overflows by disallowing them to run or
+ * write to anything that is abnormal.  It also protects files from
+ * access by unauthorized programs(read only/append only/hidden modes)
+ * and has capability management features.
+ *
+ * Modifications
+ * 4-20-2001 - Began development of OPM .3 
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Access Layers */
+
+/* Files -
+ * file database -> file info
+ */
+
+/* Process
+ * process database -> process entry (and capabilities) -> process file access rights 
+ */
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/ctype.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grhash.h>
+#include <linux/sysctl.h>
+
+#define SET_AUTH           1
+#define SET_INHERIT        2
+#define SET_PROC           3
+
+#define PROC_CONF           "/etc/grsec/proc.acl"
+#define FILE_CONF           "/etc/grsec/file.acl"
+#define PW_CONF             "/etc/grsec/pw"
+#define GRADM_ACL           CONFIG_GRADM_PATH ## " fx"
+#define GODMODE_ACL         "/ frwxoi"
+/* i.e. this would become "/sbin/gradm x" for executable access only to
+ * /sbin/gradm (and find it if its hidden) */
+
+#define empty_tree (struct proc_acl *) NULL
+
+#define heightof(tree) ( (tree == empty_tree) ? 0 : (tree->height) )
+
+#define INIT_CAP_TABLE(table) \
+table[0].capname = "CAP_CHOWN";\
+table[0].capval = CAP_CHOWN; \
+table[1].capname = "CAP_DAC_OVERRIDE"; \
+table[1].capval = CAP_DAC_OVERRIDE; \
+table[2].capname = "CAP_DAC_READ_SEARCH"; \
+table[2].capval = CAP_DAC_READ_SEARCH; \
+table[3].capname = "CAP_FOWNER"; \
+table[3].capval = CAP_FOWNER; \
+table[4].capname = "CAP_FSETID"; \
+table[4].capval = CAP_FSETID; \
+table[5].capname = "CAP_FS_MASK"; \
+table[5].capval = CAP_FS_MASK; \
+table[6].capname = "CAP_KILL"; \
+table[6].capval = CAP_KILL; \
+table[7].capname = "CAP_SETGID"; \
+table[7].capval = CAP_SETGID; \
+table[8].capname = "CAP_SETUID"; \
+table[8].capval = CAP_SETUID; \
+table[9].capname = "CAP_SETPCAP"; \
+table[9].capval = CAP_SETPCAP; \
+table[10].capname = "CAP_LINUX_IMMUTABLE"; \
+table[10].capval = CAP_LINUX_IMMUTABLE; \
+table[11].capname = "CAP_NET_BIND_SERVICE"; \
+table[11].capval = CAP_NET_BIND_SERVICE; \
+table[12].capname = "CAP_NET_BROADCAST"; \
+table[12].capval = CAP_NET_BROADCAST;\
+table[13].capname = "CAP_NET_ADMIN"; \
+table[13].capval = CAP_NET_ADMIN; \
+table[14].capname = "CAP_NET_RAW"; \
+table[14].capval = CAP_NET_RAW; \
+table[15].capname = "CAP_IPC_LOCK"; \
+table[15].capval = CAP_IPC_LOCK; \
+table[16].capname = "CAP_IPC_OWNER"; \
+table[16].capval = CAP_IPC_OWNER; \
+table[17].capname = "CAP_SYS_MODULE"; \
+table[17].capval = CAP_SYS_MODULE; \
+table[18].capname = "CAP_SYS_RAWIO"; \
+table[18].capval = CAP_SYS_RAWIO; \
+table[19].capname = "CAP_SYS_CHROOT"; \
+table[19].capval = CAP_SYS_CHROOT; \
+table[20].capname = "CAP_SYS_PTRACE"; \
+table[20].capval = CAP_SYS_PTRACE; \
+table[21].capname = "CAP_SYS_PACCT"; \
+table[21].capval = CAP_SYS_PACCT; \
+table[22].capname = "CAP_SYS_ADMIN"; \
+table[22].capval = CAP_SYS_ADMIN; \
+table[23].capname = "CAP_SYS_BOOT"; \
+table[23].capval = CAP_SYS_BOOT; \
+table[24].capname = "CAP_SYS_NICE"; \
+table[24].capval = CAP_SYS_NICE; \
+table[25].capname = "CAP_SYS_RESOURCE"; \
+table[25].capval = CAP_SYS_RESOURCE; \
+table[26].capname = "CAP_SYS_TIME"; \
+table[26].capval = CAP_SYS_TIME; \
+table[27].capname = "CAP_SYS_TTY_CONFIG"; \
+table[27].capval = CAP_SYS_TTY_CONFIG; \
+table[28].capname = "CAP_MKNOD"; \
+table[28].capval = CAP_MKNOD; \
+table[29].capname = "CAP_LEASE"; \
+table[29].capval = CAP_LEASE;
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Global variables
+ * * * * * * * * ** * * * * * * * * * * * * * * * * * * * * */
+
+int _enable_acl_load = 0;
+int gr_disable = 0; /* handles boot time disabling of oblivion*/
+static struct proc_db procdb;
+static struct file_db filedb;
+/* Main variables for holding the rulesets*/
+static spinlock_t gr_lock = SPIN_LOCK_UNLOCKED;
+__u8 gr_status = (GR_1ST | GR_DISABLED);
+struct admin_pw pwent;
+struct capset * caplist;    
+struct acl_subject god = { 0,0,0,~0,empty_tree};
+/* iddqd style god mode;) Full caps/access rights*/
+extern kdev_t ROOT_DEV;
+struct acl_subject auth = { 0,0,(__u8)GR_PROC_AUTH,CAP_INIT_EFF_SET,empty_tree };
+/* acl for authentication mode */
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Sorting Routines
+ * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+
+
+static __inline__ int procacl_less(const struct acl_temp *a, const struct proc_acl *b) 
+{
+       return ( (a->inode < b->inode) || ( (a->inode == b->inode) && (a->device < b->device) ) ) ? 1 : 0;
+}
+
+static __inline__ int procacl_eq(const struct acl_temp *a, const struct proc_acl *b)
+{
+       return ( (a->inode == b->inode) && (a->device == b->device) ) ? 1:0;
+}
+
+
+static __inline__ int acl_eq(const struct acl_subject *a, const struct acl_subject *b) 
+{
+       return ( (a->inode == b->inode) && (a->device == b->device)) ? 1 : 0;
+}
+
+extern void qsort(void *const pbase,size_t total_elems,size_t size,int (*cmp) (const void *, const void *));
+
+static __inline__ int file_acl_cmp(const void *va, const void *vb) 
+{
+       struct file_acl *a = (struct file_acl *) va;
+       struct file_acl *b = (struct file_acl *) vb;
+       if (a->inode < b->inode) 
+               return -1;
+       else if(a->inode == b->inode)  {
+               if(a->device < b->device) 
+                       return -1;
+               else if(a->device == b->device)
+                       return 0;
+       }
+       return 1;
+}
+
+static __inline__ int fileacl_less(const struct file_acl *f1, const struct acl_temp *f2) {
+       return ( ((f1->inode < f2->inode)) || (f1->inode == f2->inode && f1->device < f2->device) ) ? 1 : 0;
+}
+
+static __inline__ int fileacl_eq(const struct file_acl *f1, const struct acl_temp *f2) {
+       return ( (f1->inode == f2->inode) && (f1->device == f2->device)) ? 1 : 0;
+}
+static __inline__ int acl_cmp(const void *va, const void *vb) 
+{
+       struct acl_subject *a = (struct acl_subject *) va;
+       struct acl_subject *b = (struct acl_subject *) vb;
+       if (a->inode < b->inode)  
+               return -1;
+
+       else if(a->inode == b->inode)  {
+               if(a->device < b->device) 
+                       return -1;
+               else if(a->device == b->device) 
+                       return 0;
+       }
+       return 1;
+}
+#define acl_less(a,b) (((acl_cmp((const void *)a,(const void *)b)) < 0))
+
+static struct proc_acl * avl_rotl(struct proc_acl *tree) 
+{
+       struct proc_acl *tmp = tree->right;
+       tree->right = tmp->left;
+       tmp->left = tree;
+       if(heightof(tree->left) >= heightof(tree->right))
+               tree->height = heightof(tree->left) +1;
+       else
+               tree->height = heightof(tree->right) + 1;
+       if(heightof(tmp->left) >= heightof(tmp->right))
+               tmp->height = heightof(tmp->left) + 1;
+       else
+               tmp->height = heightof(tmp->right) + 1;
+       return tmp;
+}
+
+static struct proc_acl * avl_rotr(struct proc_acl *tree)
+{
+       struct proc_acl *tmp = tree->left;
+       tree->left = tmp->right;
+       tmp->right = tree;
+       if(heightof(tree->left) >= heightof(tree->right))
+               tree->height=heightof(tree->left) + 1;
+       else
+               tree->height = heightof(tree->right) + 1;
+       if(heightof(tmp->left) >= heightof(tmp->right))
+               tmp->height = heightof(tmp->left) + 1;
+       else
+               tmp->height = heightof(tmp->right) + 1;  
+       return tmp;
+}
+
+static struct proc_acl * avl_drlr(struct proc_acl *tree) {
+       tree->right = avl_rotr(tree->right);
+       return avl_rotl(tree);
+}
+
+static struct proc_acl * avl_dlrr(struct proc_acl *tree) {
+       tree->left = avl_rotl(tree->left);
+       return avl_rotr(tree);
+}
+
+
+static void acl_sort(void) 
+{
+       qsort((void *)procdb.db,procdb.max_ref,sizeof(struct acl_subject),acl_cmp);
+       qsort((void *)filedb.db,filedb.max_ref,sizeof(struct file_acl),file_acl_cmp);
+}
+
+#ifdef CONFIG_GR_SUPERDEBUG
+static  void list_file_acls(void)
+{
+       int i;
+       for(i=0;i<filedb.max_ref;i++) {
+               security_alert("File ACL pos %d has inode %ld dev %d mode %x","",
+                          i,filedb.db[i].inode,filedb.db[i].device,
+                          filedb.db[i].mode);
+       }
+}
+
+static void traverse(struct proc_acl *head) 
+{
+       if(!head) {
+               return;
+       }
+       security_alert("Tree: %ld %d %x","",head->inode,head->device,
+                       head->mode);
+       if(head->left != empty_tree) {
+               security_alert("Doing left proc acl","");
+               traverse(head->left);
+       }
+       if(head->right != empty_tree) {
+               security_alert("Doing right proc acl","");
+               traverse(head->right);
+       }
+}
+
+static void obv_list_proc_acls(void) 
+{
+       int i;
+       for(i=0;i<procdb.max_ref;i++) {
+               security_alert("ACL pos %d has inode %ld dev %d","",i,
+                               procdb.db[i].inode,procdb.db[i].device);
+               security_alert("ACL tree is..","");
+               traverse(procdb.db[i].tree);
+       }
+}
+#endif
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Config file management
+ * Yikes! If anyone has cleanup ideas I'd love to hear em
+ * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+
+
+
+static int add_pw_conf(void)
+{
+       struct file *filp;
+       int retval;
+       mm_segment_t old_fs = get_fs();
+       filp = filp_open(PW_CONF, O_RDONLY, O_RDONLY);
+       if( ( IS_ERR(filp) ) || (filp == NULL) || (!(filp->f_op->read)) ) {
+               security_alert("Could not open config file %.1024s", 
+                               "config file open errors",
+                               PW_CONF);
+               return 1;
+       }
+       filp->f_pos = 0;
+       set_fs(KERNEL_DS);
+       retval = filp->f_op->read(filp,pwent.sum,sizeof(pwent.sum)/sizeof(pwent.sum[0]),&filp->f_pos);
+       set_fs(old_fs);
+       if(retval != sizeof(pwent.sum)/sizeof(pwent.sum[0])) {
+               security_alert("Invalid pw entry detected, got %d wanted %d",
+                               "password file errors",
+                               retval,sizeof(pwent.sum));
+               retval = 1;
+       } else retval = 0;
+       filp_close(filp,NULL);
+       return retval;
+}
+
+
+
+
+static int add_file_acl(char *line) 
+{
+       char *p, *q;
+       struct nameidata filedata;
+       int working = 1;
+       struct file_acl *curr;
+
+       if( (p = memscan(line,'/',strlen(line))) == line + strlen(line) ) {
+               return 0;
+       }
+       else curr = &(filedb.db[filedb.max_ref]);
+
+       if( (q = memscan(p,' ',strlen(p))) == p + strlen(p))
+               return 0;
+       *q++ = '\0';
+       if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filedata)) 
+               if(path_walk(p,&filedata)) {
+                       security_alert("Unable to locate file %.1024s","",p);
+                       //goto out;
+                       return 0;
+               }
+       if( !(filedata.dentry) || IS_ERR(filedata.dentry) ) {
+               security_alert("Error adding file acl for file %.1024s",
+                               "acl add errors",p);
+               // goto out;
+               return 0;
+       }
+       curr->inode = filedata.dentry->d_inode->i_ino;
+       curr->device = filedata.dentry->d_inode->i_dev;
+       curr->mode = 0;
+
+       while(*q == ' ') q++;
+       while(working) {        
+               switch(*q) {
+                       case 'r' :
+                               curr->mode |= GR_FILE_READ;
+                               q++;
+                               break;
+                       case 'h' :
+                               curr->mode |= GR_FILE_HIDDEN;
+                               q++;
+                               break;
+                       case 'a' :
+                               curr->mode |= GR_FILE_APPEND;
+                               q++;
+                               break;
+                       case 'w' :
+                               curr->mode |= GR_FILE_WRITE;
+                               q++;
+                               break;
+                       case 'x':
+                               curr->mode |= GR_FILE_EXEC;
+                               q++;
+                               break;
+                               /* Note: 's' and 'a' only come into play when something is executed*/
+                       case 's' :
+                               filedb.db[filedb.max_ref].mode |= GR_FILE_REQSUM;
+                               q++;
+                               break;
+                       case 'u' :
+                               filedb.db[filedb.max_ref].mode |= GR_FILE_AUTH;
+                               q++;
+                               break;
+                       default:  /* if anything else, the '\0' at the end of the line will hit here and cause us to terminate, so it won't go on indefinately and start accessing memory it shouldn't*/
+                               working = 0;
+                               break;
+               }
+       }
+#ifdef CONFIG_GR_DEBUG
+       security_alert("Added File ACL for inode %ld dev %d with mode %x and max_ref %d", "",
+                       curr->inode,curr->device,curr->mode,filedb.max_ref);
+#endif
+       filedb.max_ref++;
+       path_release(&filedata); 
+       return 0;
+}
+
+
+static __inline__ struct proc_acl * avl_set(struct acl_temp *data, struct proc_acl *left, struct proc_acl *right,__u16 height) 
+{
+       struct proc_acl *dest = kmalloc(sizeof(struct proc_acl),GFP_KERNEL);
+       if(dest == NULL) {
+               security_alert("Memory allocation failure for %s, Oblivion panicking",
+                               "memory allocation failures",GR_VERSION);
+               return procdb.db[procdb.max_ref].tree;
+       }
+       dest->inode = data->inode;
+       dest->device = data->device;
+       dest->mode = data->mode;
+       dest->left = left; dest->right = right;
+       dest->height = height;
+       return dest;
+}
+
+
+static struct proc_acl * avl_tree_ins(struct proc_acl *tree, struct acl_temp *entry) 
+{
+       if(tree == empty_tree) {
+               tree = avl_set(entry,empty_tree,empty_tree,0);
+               return tree;
+       }
+       else if(procacl_less(entry,tree)) {
+               tree->left = avl_tree_ins(tree->left,entry);
+               if(heightof(tree->left) > heightof(tree->right) + 1) {
+                       if(procacl_less(entry,tree->left)) 
+                               tree = avl_rotr(tree);
+                       else
+                               tree = avl_dlrr(tree);
+               }
+       }
+       else /* assuming no duplicate entries*/ {
+               tree->right = avl_tree_ins(tree->right,entry);
+               if(heightof(tree->right) > heightof(tree->left) + 1) {
+                       if(procacl_less(entry,tree->right)) 
+                               tree = avl_drlr(tree);
+                       else
+                               tree = avl_rotl(tree);
+               }
+       }
+       if(heightof(tree->left) >= heightof(tree->right))
+               tree->height = heightof(tree->left) + 1;
+       else
+               tree->height = heightof(tree->right) + 1;
+       return tree;
+}
+
+static kernel_cap_t cap_conv(char *p)
+{
+       kernel_cap_t cap;
+       int i;
+       char *q;
+       cap_t(cap) = 0;
+       if(!p) return cap;
+       if( (q = memscan(p,'\n',strlen(p))) != p + strlen(p))
+               *q = '\0';
+
+       while(*p == ' ') p++;
+       if( (strncmp(p,"CAP",3)) != 0) 
+               goto out;
+       for(i=0;i<CONFIG_GR_MAX_CAP;i++) {
+               if(!(strcmp(p,caplist->table[i].capname))) {
+                       cap_t(cap) = CAP_TO_MASK(caplist->table[i].capval);
+                       return cap;
+               }
+       }
+out:
+       return cap;
+}
+
+
+static int add_proc_acl(char *line,struct acl_subject *obv) 
+{
+       char *p, *q;
+       struct nameidata nd;
+       int working = 1;
+       struct acl_temp curr;
+       if( (p = memscan(line,'+',strlen(line)) ) != line + strlen(line) ) {
+               cap_t(obv->file_caps) |= cap_t(cap_conv(++p));
+               return 0;
+       }
+       else if ( (p = memscan(line,'-',strlen(line)) ) != line + strlen(line) ) {
+               cap_t(obv->file_caps) &= ~cap_t(cap_conv(++p));
+               return 0;
+       } 
+
+       else {
+               if( (p = memscan(line,'/',strlen(line))) == line + strlen(line)) {
+                       security_alert("Line %.1024s missing a /","",line);
+                       return 0;
+               }
+               if ( (q = memscan(p,' ',strlen(p))) == p + strlen(p)) {
+                       security_alert("Missing a space in obv proc acl entry, 
+                                       line %.1024s","",line);
+                       return 0;
+               }
+               *q++ = '\0';
+               if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&nd))
+                       if(path_walk(p,&nd)) {
+                               security_alert("Unable to locate file %.1024s","",p);
+                               return 0;
+                       }
+               if( (!nd.dentry) || (IS_ERR(nd.dentry)) || (!(nd.dentry->d_inode)) ) {
+                       if(nd.dentry)
+                               path_release(&nd);
+                       security_alert("Unable to locate file %.1024s","",p);
+                       return 0;
+               }
+               curr.inode = nd.dentry->d_inode->i_ino;
+               curr.device = nd.dentry->d_inode->i_dev;
+               curr.mode = 0;
+
+               while(*q == ' ') q++;
+               while(working) {
+                       switch(*q) {
+                               case 'r' :
+                                       curr.mode |= GR_PROC_READ;
+                                       q++;
+                                       break;
+                               case 'w' :
+                                       curr.mode |= GR_PROC_WRITE;
+                                       q++;
+                                       break;
+                               case 'x' :
+                                       curr.mode |= GR_PROC_EXEC;
+                                       q++;
+                                       break;
+                               case 'a' :
+                                       curr.mode |= GR_PROC_APPEND;
+                                       q++;
+                                       break;
+                               case 'f':
+                                       curr.mode |= GR_PROC_ACCESS;
+                                       q++;
+                                       break;
+                               case 'o':
+                                       curr.mode |= GR_PROC_OVERRIDE;
+                                       q++;
+                                       break;
+                               case 'u' :
+                                       curr.mode |= GR_PROC_AUTH;
+                                       q++;
+                                       break;
+                               case 'R' :
+                                       curr.mode |= GR_PROC_AUTH_IF_ROOT;
+                                       q++;
+                                       break;
+                               case 'i' :
+                                       curr.mode |= GR_PROC_INHERIT;
+                                       q++;
+                                       break;
+                               case 's' :
+                                       curr.mode |= GR_PROC_REQSUM;
+                                       q++;
+                                       break;
+                               default: 
+                                       working = 0;
+                                       break;
+                       }
+               }
+#ifdef CONFIG_GR_DEBUG
+               security_alert("About to insert %ld %d %.1024s mode %x", "",
+                               curr.inode,curr.device,line,curr.mode);
+#endif
+               obv->tree = avl_tree_ins(obv->tree,&curr);
+               path_release(&nd);
+               return 0;
+       }
+       return 1; /* we should never make it here*/
+}
+
+static int add_pw(char *pw)
+{
+       struct SHA1_CTX context;
+       SHA1Init(&context);
+       SHA1Update(&context,pw,strlen(pw));
+       SHA1Final(pwent.sum,&context);
+       return 0;
+}
+
+static int add_line(char *line, int type) 
+{
+       static int mode = 0;
+       char *p,*q;
+       struct dentry *file;
+       struct nameidata filed;
+       static struct acl_subject *curr;
+       int working;
+       /* mode = 0 : we are ready for a new program acl
+        * mode = 1 : we are in the middle of reading a program acl*/
+       switch(type) {
+               case 2 : return add_pw(line);
+               case 1 : return add_file_acl(line);
+               case 0 : break; /* handled below*/
+               default: security_alert("Unknown type %d passed", "",type);
+                        return 1;
+                        break;
+       }
+
+       if(!mode) {
+               if(procdb.max_ref >= CONFIG_GR_MAX_RULESET) return 1;
+               if( (p = memscan (line,'/',strlen(line))) == (line+strlen(line)) ) {
+                       security_alert("Could not find a '/' in line %.1024s","",line);
+                       return 0;
+               }
+               else curr = &(procdb.db[procdb.max_ref]);
+
+
+               if( (q = memscan(p,' ',strlen(p)) ) != p + strlen(p) )
+               *q++= '\0';
+
+               if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filed) ) 
+                       if(path_walk(p,&filed)) {
+                               security_alert("Add file error for file %.1024s"
+                                               ,"",p);
+                               return 1;
+                       }
+               file = filed.dentry;
+               if (IS_ERR(file) || !file || !(file->d_inode)) {
+                       if(file)
+                               path_release(&filed);
+                       security_alert("Could not lookup file on line %.1024s",
+                                       "",line);
+                       return 1;
+               }
+               curr->inode = file->d_inode->i_ino;
+               curr->device = file->d_inode->i_dev;
+               while(*q == ' ') q++;
+               curr->mode = 0;
+               working = 1;
+               while(working) {
+                       switch(*q) {
+                               case 'p':
+                                       curr->mode |= GR_PROC_PROTECTED;
+                                       q++;
+                                       break;
+                               case 'h':
+                                       curr->mode |= GR_PROC_HIDDEN;
+                                       q++;
+                                       break;
+                               default:
+                                       working = 0;
+                       }
+               }
+               curr->file_caps = cap_bset;
+               mode = 1;
+#ifdef CONFIG_GR_DEBUG
+               security_alert("Added program (full entry) with inode %ld dev %d 
+                               mode %x line %.1024s", "",
+                               curr->inode,curr->device,curr->mode,line); 
+#endif
+               path_release(&filed);
+               curr->tree = empty_tree;
+               return 0;
+       }
+       else if( (p=memscan(line,'}',strlen(line))) != (line + strlen(line)) ) {
+               procdb.max_ref++;
+               mode = 0;
+               return 0;
+       } else {
+               return add_proc_acl(line,curr);
+       }
+}
+
+static int init_variables(void) 
+{
+       caplist = kmalloc(sizeof(struct capset),GFP_KERNEL);
+       if(caplist) {
+               INIT_CAP_TABLE(caplist->table)
+       }
+
+       procdb.db = kmalloc(sizeof(struct acl_subject) * CONFIG_GR_MAX_RULESET,GFP_KERNEL);
+       filedb.db = kmalloc(sizeof(struct file_acl) * CONFIG_GR_MAX_RULESET,GFP_KERNEL);
+       procdb.max_ref = filedb.max_ref = 0;
+
+       if( (add_proc_acl(GRADM_ACL,&auth)) )
+               return 1;
+       else if( (add_proc_acl(GODMODE_ACL,&god)) )
+               return 1;
+       else if( (add_proc_acl("/etc r",&auth)) )
+               return 1;
+       else if( (add_proc_acl("/lib r",&auth)) )
+               return 1;
+
+       return procdb.db && filedb.db && caplist ? 0 : 1;
+}
+
+
+static int conf_parse(const char *conffile,const int type)
+{
+       /* Purpose: open and read from oblivion config file */
+       struct file *filp;
+       int bytes_read = 0, end = 0, obv_fatal = 0;
+       char buffer[1024];
+       char *filepos = NULL,*memscanp = NULL;
+       mm_segment_t old_fs = get_fs();
+       filepos = buffer;
+       filp = filp_open(conffile, O_RDONLY, O_RDONLY);
+       if( ( IS_ERR(filp) ) || (filp == NULL) ) {
+               security_alert("Could not open config file %.1024s","",conffile);
+
+               obv_fatal = 1;
+               return obv_fatal;
+       } else if ( filp->f_op->read == NULL ) {
+               fput(filp);
+               obv_fatal = 2;
+               return obv_fatal;
+       }
+       filp->f_pos = 0;
+       /* end error checking, now for the real work */
+       while ( ! end ) {
+               filepos = buffer;
+               /* if current task isn't from the kernel, we'll
+                  have a current->addr_limit.seg that isn't 0xFFFFFFFF
+
+                  and we can't have that */
+               set_fs(KERNEL_DS);
+               bytes_read = filp->f_op->read (filp,buffer,(sizeof(buffer)/sizeof(buffer[0])),&filp->f_pos);
+               filp->f_pos -= bytes_read;
+               set_fs(old_fs);
+               if(bytes_read < (sizeof(buffer)/sizeof(buffer[0]))  ) {
+                       end = 1;
+                       filepos[bytes_read++] = '\n'; /* make sure it ends on a '\n' */
+               }  
+                                       
+               while ( bytes_read > 0 && ( memscanp = memscan(filepos,'\n',bytes_read) )   != filepos + bytes_read ) {
+                       *memscanp++ = '\0' ;
+                       filp->f_pos += (int) (memscanp - filepos);
+                       bytes_read -= (int) (memscanp - filepos);
+                       /* necessary for later strlen()'s...*/
+                       if( (*filepos != '#') ) 
+                               if(add_line(filepos,type))
+                                       return 1;
+                       filepos = memscanp; /* next area to search .. */
+               }
+       }
+       filp_close(filp,NULL);
+       return obv_fatal;
+}
+
+static int grsecurity_init(void) 
+{
+       int error = 0;
+       spin_lock(&gr_lock);
+       gr_status &= ~GR_DISABLED;
+       gr_status |= GR_LOADING;
+       if(init_variables() )
+               error = -1;
+       else if(add_pw_conf())
+               error = -2;
+       else if (conf_parse(PROC_CONF,0))
+               error = -3;
+       else if(conf_parse(FILE_CONF,1))
+               error = -4;
+       if(!error) {
+#ifdef CONFIG_GR_SUPERDEBUG
+               list_proc_acls();
+               list_file_acls();
+#endif
+               acl_sort();
+               gr_status |= GR_READY; /* locked, cocked, and ready to rock*/ 
+       }else {
+               gr_status |= GR_DISABLED;
+               security_alert("Error loading %s, trying to run kernel with oblivion disabled. To disable oblivion at startup use <kernel image name> oblivion=off from your boot loader","errors loading Oblivion",GR_VERSION);
+       }
+       gr_status &= ~GR_LOADING;
+       spin_unlock(&gr_lock);
+       return error;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * *
+ * Begin Misc Section 
+ * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Searching stuff, program exit cleanup, and sysctl parsing */
+
+/* Nonrecursive binary sort, idea from libc, implementation is slightly different but the inspirationw as found there=) */
+
+static __inline__ int do_file_acl_search(struct acl_temp *curr) 
+{
+       int high, low; 
+       struct file_acl *pos;
+       high = filedb.max_ref;
+       low = 0;
+       while(low < high) {
+               pos = &filedb.db[((low+high)/2)];
+               if(fileacl_less(pos,curr))
+                       low = (( (low + high) / 2) + 1 );
+               else if(fileacl_eq(pos,curr)) {
+                       if(pos->mode & curr->mode) {
+#ifdef CONFIG_GR_DEBUG
+                               security_alert("File ACL allow, req %x allowed %x\n source: %ld %d dest %ld %d", "",
+                                               curr->mode,pos->mode,pos->inode,pos->device,curr->inode,curr->device);
+#endif
+                               return GR_ALLOW;
+                       }
+                       else {
+#ifdef CONFIG_GR_DEBUG
+                               if(!(curr->mode & GR_FILE_HIDDEN))
+                               security_alert("File ACL deny, req %x allowed %x\n source %ld %d dest %ld %d", "",
+                                               curr->mode,pos->mode,pos->inode,pos->device,curr->inode,curr->device);
+#endif
+                               return GR_DENY;
+                       }
+               }
+               else high = ( (low + high) / 2);
+       }
+       return GR_NOTFOUND;
+}
+
+static __inline__ int do_proc_acl_search(struct acl_subject *proc,struct proc_acl *root,struct acl_temp *curr) 
+{
+       /* Nonrecursively search down the Red-Black tree to see if we have an acl for this file*/
+       struct proc_acl *pos = root;
+       if(proc == NULL || pos == NULL) /* no entry*/ {
+               return GR_DEFAULT;
+       }
+       // security_alert("Got called...and there's an entry (curr is %ld %d)","",curr->inode,curr->device);
+       while(pos != empty_tree) {
+               if(procacl_eq(curr,pos))  {
+                       if(curr->mode & pos->mode) {
+                               __u16 tmp;
+#ifdef CONFIG_GR_DEBUG
+                               security_alert("Process %ld %d allowed for file %ld %d tried for mode %x allowed mode %x", "",
+                                               proc->inode,proc->device,curr->inode,curr->device,curr->mode,pos->mode);
+#endif
+                               tmp = pos->mode & GR_PROC_EXTRA;
+                               curr->mode |= tmp; /* Store any "extra" access rights like 
+                                                     inherit or override*/
+                               return GR_ALLOW;
+                       } else {
+#ifdef CONFIG_GR_DEBUG
+                               security_alert("Process %ld %d denied for file %ld %d tried for mode %x allowed mode %x", "",
+                                               proc->inode,proc->device,curr->inode,curr->device,curr->mode,pos->mode);
+#endif
+                               return GR_DENY;
+                       }
+               }
+               else if(procacl_less(curr,pos)) 
+                       pos = pos->left;
+               else 
+                       pos=pos->right;
+       }
+
+       return GR_NOTFOUND; 
+}
+
+static __inline__ int chk_proc_acls(struct dentry * dentry, struct acl_temp *searchval, struct vfsmount *mnt)
+{
+       struct dentry *curr = dentry;
+       int retval = GR_NOTFOUND;
+       struct nameidata tmp = {NULL, NULL};
+       struct vfsmount *parent;
+       struct acl_subject *curracl = (struct acl_subject *) current->acl;
+
+loop :         
+       do {
+               if(!curr || !curr->d_inode) break;
+               searchval->inode = curr->d_inode->i_ino;
+               searchval->device = curr->d_inode->i_dev;
+               retval = do_proc_acl_search(curracl,curracl->tree,searchval); 
+               if(curr->d_inode == curr->d_parent->d_inode) break;
+               curr = curr->d_parent;
+       } while( (curr) && (retval == GR_NOTFOUND) );
+       if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV ) {
+               if(tmp.mnt) {
+                       if(tmp.mnt == tmp.mnt->mnt_parent) goto exit;
+               }
+               else if(mnt == mnt->mnt_parent) goto exit;
+
+
+               if(!tmp.mnt) {
+                       tmp.mnt = mnt->mnt_parent;
+                       tmp.dentry = dget(mnt->mnt_mountpoint);
+
+               }
+
+               else {
+                       parent = tmp.mnt->mnt_parent;
+                       dput(tmp.dentry);
+                       tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+                       mntput(tmp.mnt);
+                       tmp.mnt = parent;
+               }
+               mntget(tmp.mnt);
+               curr = tmp.dentry;
+               goto loop;
+       }
+exit:          
+       if(tmp.mnt) mntput(tmp.mnt);
+       if(tmp.dentry) dput(tmp.dentry);
+
+
+       return retval == GR_NOTFOUND ? GR_DENY : retval;
+       /* if its not in a program's ACL list it should be denied */
+
+}
+
+static __inline__ int chk_file_acls(struct dentry * dentry, struct acl_temp *searchval, struct vfsmount *mnt) 
+{
+       struct dentry *curr = dentry;
+       int retval = GR_NOTFOUND;
+       struct vfsmount *parent;
+       struct nameidata tmp = {NULL,NULL};
+loop:  
+       do {
+               if(!curr || !curr->d_inode) break;
+               searchval->inode = curr->d_inode->i_ino;
+               searchval->device = curr->d_inode->i_dev;
+               retval = do_file_acl_search(searchval); 
+               if(curr->d_inode == curr->d_parent->d_inode) break;
+               curr = curr->d_parent;
+       } while( (curr) && (retval == GR_NOTFOUND) );
+
+       if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV ) {
+               if(tmp.mnt) {
+                       if(tmp.mnt == tmp.mnt->mnt_parent) goto exit;
+               }
+               else if(mnt == mnt->mnt_parent) goto exit;
+               if(!tmp.mnt) {
+                       tmp.mnt = mnt->mnt_parent;
+                       tmp.dentry = dget(mnt->mnt_mountpoint);
+
+               }
+
+               else {
+                       parent = tmp.mnt->mnt_parent;
+                       dput(tmp.dentry);
+                       tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+                       mntput(tmp.mnt);
+                       tmp.mnt = parent;
+               }
+               mntget(tmp.mnt);
+               curr = tmp.dentry;
+               goto loop;
+       }
+exit:          
+       if(tmp.mnt) mntput(tmp.mnt);
+       if(tmp.dentry) dput(tmp.dentry);
+
+
+
+       return retval;
+ }
+
+
+int gr_check_hidden(struct dentry *dentry, struct vfsmount *mnt) {
+       /* This has to be done a little differently than a normal search.
+        * If a file "allows" hidden access it is hidden, and thus requires 
+        * a process that has hidden file access capabilities to access it.
+        * If the file acl denies hidden access/has no acl then no proc acl 
+        * check is needed*/
+       struct acl_temp searchval;
+       struct acl_subject *acl = (struct acl_subject *)current->acl;
+       searchval.mode = GR_HIDDEN;
+       if(!dentry) return GR_ALLOW;
+       if(gr_status & GR_READY) {
+               if( (chk_file_acls(dentry,&searchval,mnt)) == GR_ALLOW) {
+                       if(acl && acl->tree)
+                               return chk_proc_acls(dentry,&searchval,mnt);
+                       else return GR_DENY;
+               }
+       }
+       return GR_ALLOW;
+}
+
+int gr_check_hidden_proc(struct acl_subject * acl) 
+{
+       if((gr_status & GR_READY) && acl) {
+               if( acl->mode & GR_PROC_HIDDEN) 
+                       return 1; /* next release adds processes allowed to view hidden ones*/
+       }
+       return 0;
+}
+
+int gr_check_protected(struct task_struct *tsk)
+{
+       if(gr_status & GR_READY && tsk) {
+               struct acl_subject *curracl = (struct acl_subject *) tsk->acl;
+               if(curracl)
+                       if(curracl->mode & GR_PROC_PROTECTED)
+                               return 1;
+       }
+       return 0;
+}
+
+
+int gr_search(struct dentry *dentry, __u16 mode, struct vfsmount *mnt) 
+{
+       int proc_retval = GR_NOTFOUND, file_retval = GR_NOTFOUND;
+       int retval = GR_DEFAULT;
+       if(dentry && dentry->d_inode && mnt) {
+               if(gr_status & GR_READY) {
+                       struct acl_subject *acl = (struct acl_subject *) current->acl;
+                       struct acl_temp searchval;
+                       searchval.mode = mode;
+                       if(acl && acl->tree)  {
+                               if( ( proc_retval = chk_proc_acls(dentry,&searchval,mnt) ) == GR_DENY) {
+                                       if( (acl->mode & GR_AUTH) && (S_ISCHR(dentry->d_inode->i_mode)))
+                                               retval = GR_NOTFOUND;
+                                       /* Okay. This process is under
+                                        * authentication mode. Let it
+                                        * read/write to the tty (and pass it on
+                                        * to the file acls just in case
+                                        * Does anyone know how to gain the ino$
+                                        * from current->tty? It seems only the
+                                        * device num(major/minor) is stored*/
+
+                                       else {
+                                               retval = GR_DENY;
+                                               goto out;
+                                       }
+                               }
+                       }
+
+
+                       if( (proc_retval == GR_ALLOW) && (searchval.mode & GR_PROC_OVERRIDE)){
+                               retval = GR_ALLOW;
+                               goto out;
+                       }
+
+                       if( (file_retval = chk_file_acls(dentry,&searchval,mnt)) == GR_DENY) {
+                               retval = GR_DENY;
+                               goto out;
+                       }
+
+                       if( (proc_retval != file_retval) || (proc_retval == GR_ALLOW)) {
+                               /* The choice to check for proc_retval being GR_ALLOW was
+                                * random. If proc_retval and file_retval are equal and
+                                * either one is the value GR_ALLOW then both are GR_ALLOW
+                                * */
+                               retval = GR_ALLOW;
+                               goto out;
+                       }
+               } else retval = GR_ALLOW; /* we aren't loaded, must be early in bootup*/
+       }
+out: 
+
+return retval; /* Else both returned GR_NOTFOUND..must be the default*/
+}
+
+
+ __inline__ int gr_copy_acl(struct task_struct *tsk) {
+        struct acl_subject * curracl = (struct acl_subject *) current->acl;
+               tsk->acl = (void *) curracl;
+                       return 0;
+}
+
+
+
+static __inline__ struct acl_subject * do_find_proc(struct acl_subject *curr)  
+{
+       int high,low;
+       struct acl_subject *pos;
+       low = 0;
+       high = procdb.max_ref;
+       while(low < high) {
+               pos = &procdb.db[((low+high)/2)];
+               if(acl_less(pos,curr))
+                       low = ( ( (low + high) / 2) +1 );
+               else if(acl_eq(pos,curr))
+                       return pos;
+               else
+                       high = ( (high + low) / 2);
+       }
+       return NULL;
+}
+
+static int __inline__ chk_inherit(struct dentry *dentry, struct vfsmount *mnt)
+{
+       struct acl_temp temp;
+       temp.mode = GR_PROC_INHERIT;
+       if( (chk_proc_acls(dentry,&temp,mnt)) == GR_ALLOW) 
+               return 1;
+       return 0;
+}
+
+static int __inline__ chk_auth(struct dentry *dentry, struct vfsmount *mnt)
+{
+       struct acl_temp temp;
+       temp.mode = GR_PROC_AUTH;
+       if( (chk_proc_acls(dentry,&temp,mnt)) == GR_ALLOW)
+               return 1;
+       else if(!current->uid || !current->gid || !current->euid || !current->egid || !current->suid || !current->sgid || !current->fsuid || !current->fsgid) 
+       {
+               temp.mode = GR_PROC_AUTH_IF_ROOT;
+               if( (chk_proc_acls(dentry,&temp,mnt)) == GR_ALLOW)
+                       return 1;
+       }
+               
+       return 0;   
+}
+
+
+static int do_auth(void)
+{
+#define GR_AUTH_MSG "Authorize yourself to Oblivion please\n"
+
+       char *p = GR_AUTH_MSG;   
+       if(!(current->tty) || (!current->tty->driver.write)) return 1;
+       current->tty->driver.write(current->tty,0,p,strlen(p));
+       current->acl = (void *)&auth;
+       return 0;
+}
+
+static int do_set_proc_acl(struct dentry *dentry, struct vfsmount *mnt, int mode) 
+{
+       struct vfsmount *parent;
+       struct nameidata tmp = {NULL, NULL};
+       struct acl_subject curracl, *retval = NULL;
+       struct dentry *curr = dentry;
+
+
+       switch(mode) {
+               case GR_SET_AUTH:
+                       return chk_auth(dentry,mnt);
+                       break;
+               case GR_SET_INHERIT:
+                       return chk_inherit(dentry,mnt);
+                       break;
+               case GR_SET_PROC: 
+                       break;
+               default :
+                       security_alert("BUG! Received unknown mode %d for set_proc_acl","",mode);
+                       return (unsigned long)NULL;
+                       break;
+       }
+       /* Okay now we handle GR_SET_PROC */
+loop:  
+       do {
+
+               if(!curr || !curr->d_inode) break;
+               curracl.inode = curr->d_inode->i_ino;
+               curracl.device = curr->d_inode->i_dev;
+               retval = do_find_proc(&curracl); 
+               if(curr->d_inode == curr->d_parent->d_inode) break;
+               curr = curr->d_parent;
+       } while( (curr) && (!retval) );
+       if(!retval && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV) {
+               if(tmp.mnt) {
+                       if(tmp.mnt == tmp.mnt->mnt_parent) 
+                               goto exit;
+               }
+               else if(mnt == mnt->mnt_parent) 
+                       goto exit;
+
+               if(!tmp.mnt) {
+                       tmp.mnt = mnt->mnt_parent;
+                       tmp.dentry = dget(mnt->mnt_mountpoint);
+
+               }
+
+               else {
+                       parent = tmp.mnt->mnt_parent;
+                       dput(tmp.dentry);
+                       tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+                       mntput(tmp.mnt);
+                       tmp.mnt = parent;
+               }
+               mntget(tmp.mnt);
+               curr = tmp.dentry;
+               goto loop;
+       }
+exit:
+       if(tmp.mnt) mntput(tmp.mnt);
+       if(tmp.dentry) dput(tmp.dentry);
+
+       return (unsigned long)retval;
+
+}
+
+static int do_inherit(void) 
+{
+       return 0; 
+       /* Note: for copying due to fork() we use the code the oblivin code in
+        * kernel/fork.c. If we're inheriting then our current ACL
+        * (that of the program calling execve) is the ACL we inherit, 
+        * so no work needs to be done. Just return success 
+        */
+}
+
+
+int gr_set_proc_acl(struct dentry *dentry,struct task_struct *tsk,char *filename, struct vfsmount *mnt) 
+{
+       struct acl_subject *temp = NULL;
+       if(gr_status & GR_READY) {
+               struct acl_subject *curracl = (struct acl_subject *) current->acl;
+               if(curracl) {
+               if(do_set_proc_acl(dentry,mnt,GR_SET_INHERIT))
+                       return do_inherit();
+               
+               else if(do_set_proc_acl(dentry,mnt,GR_SET_AUTH))
+                       return do_auth();
+               }
+               temp = (struct acl_subject *)do_set_proc_acl(dentry,mnt,GR_SET_PROC);
+       }  
+        tsk->acl = (void *)temp;
+       if(tsk->acl)
+       {
+               temp = (struct acl_subject *) tsk->acl;
+               tsk->cap_permitted = tsk->cap_effective =  temp->file_caps;
+       }
+       return 0;
+}
+
+
+static int chcaps(struct admin_pw *entry)
+{
+       char *p = entry->extra;
+       char *q;
+       char *mode;
+       p[GR_EXTRA_LEN-1] = '\0'; /* take no chances*/
+       while( (q = memscan(p,'\n',strlen(p))) != p + strlen(p)) {
+               mode = p++;
+               *q++ = '\0';
+               switch(*mode) {
+                       case '+' :
+                               cap_bset |= cap_t(cap_conv(p));
+                               break;
+                       case '-' :
+                               cap_bset &= ~cap_t(cap_conv(p));
+                               break;
+                       default:
+                               break;
+               }
+               p = q;
+       }
+#ifdef CONFIG_GR_DEBUG
+       security_alert("cap bset is now %x","",cap_bset);
+#endif
+       return 0;
+}
+
+/* The following variables are needed for timer manipulation */
+static struct timer_list gr_badpw;
+static int failures = 0;
+static int during_wait = 0;
+
+static void gr_timer(unsigned long ignored)
+{
+       failures = 0;
+       during_wait = 0;
+       del_timer(&gr_badpw);          
+}
+
+int gr_proc_handler(ctl_table *table, int write, struct file *filp, void *buffer, size_t *lenp) 
+{
+       /* This is the main todo. simply I allow disabling oblivion only
+        * at bootup(after its turned on). I don't have time today to 
+        * impelement a good pw scheme. The first thing I do when I get back is to do that.
+        */
+       struct admin_pw *usermode = (struct admin_pw *) buffer;
+       int error = sizeof(struct admin_pw);
+       if(*lenp != sizeof(struct admin_pw)){
+               security_alert("Proc handler: being fed garbage %d byte send %d required","more garbage",*lenp,sizeof(struct admin_pw)); 
+               return -EINVAL;
+       }
+       if(during_wait) return -EPERM;
+       switch (usermode->mode){
+               case SHUTDOWN:
+                       if(gr_status & GR_READY) {
+                               if(!(chkpw(usermode))) {
+                                       security_alert("shutdown auth success for "
+                                       DEFAULTSECMSG,"shutdown successes",DEFAULTSECARGS);
+                                       spin_lock(&gr_lock);
+                                       gr_status &= ~GR_READY;
+                                       gr_status |= GR_DISABLED;
+                                       spin_unlock(&gr_lock);
+                                       break;
+                               } else 
+                                       error = -EPERM;
+                       }
+                       break;
+               case ENABLE:
+                       if(gr_disable) {
+                               security_alert("%s at boot time, ignoring load request","attempts to load oblivion when disabled on boot time",GR_VERSION);
+                               break;
+                       }
+                       else if(gr_status & GR_1ST) {
+                               security_alert("Loading %.32s","",GR_VERSION);
+                               grsecurity_init();
+                               spin_lock(&gr_lock);
+                               gr_status &= ~GR_1ST; 
+                               spin_unlock(&gr_lock);
+                               break;
+                       }
+                       else {
+                               security_alert("%.32s already loaded, re-enabling","",GR_VERSION);
+                               spin_lock(&gr_lock);
+                               gr_status &= ~GR_DISABLED;
+                               gr_status |= GR_READY;
+                               spin_unlock(&gr_lock);
+                               break;
+                       }
+
+               case CHCAPS : 
+                       if(gr_status & GR_1ST) {
+                               grsecurity_init();
+                       }
+                       if(gr_status & GR_1ST ||( gr_status & GR_READY && !(chkpw(usermode)))) {
+                               if(!(chcaps(usermode))) {
+                                       security_alert("successful capability change by "
+                                                       DEFAULTSECMSG, "cap changes",
+                                                       DEFAULTSECARGS);
+                               }
+                               gr_status &= ~GR_1ST;
+                       }
+                       else
+                               error = -EPERM;
+                       break;
+               case GOD:
+                       if(gr_status & GR_READY) {
+                               if(!(chkpw(usermode))) {
+                                       security_alert("successful change to admin mode by "
+                                                       DEFAULTSECMSG,"",
+                                                       DEFAULTSECARGS);
+                                       if(current->p_pptr)
+                                               current->p_pptr->acl = (void *)&god;
+                               }
+                               else
+                                       error = -EPERM;
+                       }
+                       break;
+               case AUTH:
+                       if(gr_status & GR_READY) {
+                               if(!(chkpw(usermode)) ) {
+                                       security_alert("successful authentication by "
+                                                       DEFAULTSECMSG, "",
+                                                       DEFAULTSECARGS);
+                                       if(current->p_pptr)
+                                               current->p_pptr->acl = NULL;
+                                       /* The parent invoked obvadm, it is the
+                                        * task that we must deal with */
+                               }
+                               else
+                                       error = -EPERM;
+                       }
+                       break;
+
+               default:
+                       security_alert("Invalid value %d by " DEFAULTSECMSG, "",
+                                       usermode->mode, DEFAULTSECARGS);
+                       break;
+       }
+
+       if(error < 0) {
+               failures++;
+               if(failures > CONFIG_GR_MAXTRIES) {
+                       security_alert("Maximum pw attempts reached (%d), locking "
+                                       "password authentication","password attempt failed",CONFIG_GR_MAXTRIES);
+                       init_timer(&gr_badpw);
+                       gr_badpw.data = 0;
+                       gr_badpw.function = gr_timer;
+                       gr_badpw.expires = jiffies + CONFIG_GR_TIMEOUT*HZ;
+                       add_timer(&gr_badpw);
+                       during_wait = 1;
+               }
+       }
+
+       return error;
+}
diff -urN linux/kernel/grhash.c linux/kernel/grhash.c
--- linux/kernel/grhash.c       Wed Dec 31 19:00:00 1969
+++ linux/kernel/grhash.c       Sun Dec 23 19:13:16 2001
@@ -0,0 +1,160 @@
+#include <linux/kernel.h>
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/capability.h>
+#include <linux/gracl.h>
+
+/*
+Modified for use in OPM by Michael Dalton <michael@linux.com> 
+Modified for kerneli by Andrew McDonald <andrew@mcdonald.org.uk>
+from:
+
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+Available from:
+ftp://ftp.zedz.net/pub/crypto/crypto/HASH/sha/sha1.c
+
+Test Vectors (from FIPS PUB 180-1)
+"abc"
+  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+A million repetitions of "a"
+  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+*/
+
+
+extern struct admin_pw pwent;
+
+void SHA1Transform(unsigned long state[5], unsigned char buffer[64])
+{
+       unsigned long a, b, c, d, e;
+       typedef union {
+               unsigned char c[64];
+               unsigned long l[16];
+       } CHAR64LONG16;
+       CHAR64LONG16* block;
+#ifdef SHA1HANDSOFF
+       static unsigned char workspace[64];
+       block = (CHAR64LONG16*)workspace;
+       memcpy(block, buffer, 64);
+#else
+       block = (CHAR64LONG16*)buffer;
+#endif
+       /* Copy context->state[] to working vars */
+       a = state[0];
+       b = state[1];
+       c = state[2];
+       d = state[3];
+       e = state[4];
+       /* 4 rounds of 20 operations each. Loop unrolled. */
+       R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+       R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+       R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+       R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+       R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+       R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+       R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+       R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+       R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+       R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+       R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+       R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+       R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+       R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+       R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+       R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+       R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+       R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+       R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+       R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+       /* Add the working vars back into context.state[] */
+       state[0] += a;
+       state[1] += b;
+       state[2] += c;
+       state[3] += d;
+       state[4] += e;
+       /* Wipe variables */
+       a = b = c = d = e = 0;
+}
+
+
+/* SHA1Init - Initialize new context */
+
+void SHA1Init(struct SHA1_CTX* context)
+{
+       /* SHA1 initialization constants */
+       context->state[0] = 0x67452301;
+       context->state[1] = 0xEFCDAB89;
+       context->state[2] = 0x98BADCFE;
+       context->state[3] = 0x10325476;
+       context->state[4] = 0xC3D2E1F0;
+       context->count[0] = context->count[1] = 0;
+}
+
+
+/* Run your data through this. */
+
+void SHA1Update(struct SHA1_CTX* context, unsigned char* data, unsigned int len)
+{
+       unsigned int i, j;
+
+       j = (context->count[0] >> 3) & 63;
+       if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
+       context->count[1] += (len >> 29);
+       if ((j + len) > 63) {
+               memcpy(&context->buffer[j], data, (i = 64-j));
+               SHA1Transform(context->state, context->buffer);
+               for ( ; i + 63 < len; i += 64) {
+                       SHA1Transform(context->state, &data[i]);
+               }
+               j = 0;
+       }
+       else i = 0;
+       memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/* Add padding and return the message digest. */
+
+void SHA1Final(unsigned char digest[20], struct SHA1_CTX* context)
+{
+       unsigned long i, j;
+       unsigned char finalcount[8];
+
+       for (i = 0; i < 8; i++) {
+               finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+                                >> ((3-(i & 3)) * 8) ) & 255); 
+                                 /* Endian independent */
+       }
+       SHA1Update(context, (unsigned char *)"\200", 1);
+       while ((context->count[0] & 504) != 448) {
+               SHA1Update(context, (unsigned char *)"\0", 1);
+       }
+       SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
+       for (i = 0; i < 20; i++) {
+               digest[i] = (unsigned char)
+                       ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+       }
+       /* Wipe variables */
+       i = j = 0;
+       memset(context->buffer, 0, 64);
+       memset(context->state, 0, 20);
+       memset(context->count, 0, 8);
+       memset(&finalcount, 0, 8);
+#ifdef SHA1HANDSOFF  /* make SHA1Transform overwrite it's own static vars */
+       SHA1Transform(context->state, context->buffer);
+#endif
+}
+
+int chkpw(struct admin_pw *entry) 
+{
+       struct SHA1_CTX context;
+       char *pos = memscan(entry->pw,'\n',strlen(entry->pw));
+       if(pos != entry->pw + strlen(entry->pw)) *pos = '\0';
+       SHA1Init(&context);
+       SHA1Update(&context,entry->pw,strlen(entry->pw));
+       SHA1Final(entry->sum,&context);
+       return memcmp(pwent.sum,entry->sum,GR_SHA_SIZE);
+}
diff -urN linux/kernel/grsecurity.c linux/kernel/grsecurity.c
--- linux/kernel/grsecurity.c   Wed Dec 31 19:00:00 1969
+++ linux/kernel/grsecurity.c   Sun Dec 23 19:13:16 2001
@@ -0,0 +1,336 @@
+#include <linux/config.h>
+
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_LINK
+int grsec_enable_link = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+int grsec_enable_fifo = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+int grsec_enable_fd = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+int grsec_enable_execve = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+int grsec_enable_forkbomb = 0;
+int grsec_forkbomb_gid = 0;
+int grsec_forkbomb_sec = 0;
+int grsec_forkbomb_max = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+int grsec_enable_execlog = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG_GROUP
+int grsec_enable_execlog_group = 0;
+int grsec_execlog_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+int grsec_enable_ipc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+int grsec_enable_suid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+int grsec_enable_suid_root = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+int grsec_enable_signal = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+int grsec_enable_coredump = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+int grsec_enable_forkfail = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+int grsec_enable_time = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+int grsec_enable_kbmap = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDNET
+int grsec_enable_randnet = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+int grsec_enable_chroot_sig = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+int grsec_enable_chroot_mount = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+int grsec_enable_chroot_double = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+int grsec_enable_chroot_chdir = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+int grsec_enable_chroot_chmod = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+int grsec_enable_chroot_mknod = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+int grsec_enable_chroot_ptrace = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+int grsec_enable_chroot_nice = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+int grsec_enable_chroot_execlog = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+int grsec_enable_chroot_caps = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+int grsec_enable_tpe = 0;
+int grsec_tpe_gid = 0;
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+int grsec_enable_tpe_glibc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+int grsec_enable_tpe_all = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+int grsec_enable_ptrace = 0;
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+int grsec_enable_ptrace_group = 0;
+int grsec_ptrace_gid = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+int grsec_enable_randpid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+int grsec_enable_phys_deny = 0;
+int grsec_enable_pseudo_deny = 0;
+int grsec_enable_serial_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+int grsec_enable_randid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+int grsec_enable_randsrc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+int grsec_enable_randping = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+int grsec_enable_randttl = 0;
+int grsec_randttl_thresh = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+int grsec_enable_socket_all = 0;
+int grsec_socket_all_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+int grsec_enable_socket_client = 0;
+int grsec_socket_client_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+int grsec_enable_socket_server = 0;
+int grsec_socket_server_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST
+int grsec_enable_stealth_rst = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP
+int grsec_enable_stealth_udp = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP
+int grsec_enable_stealth_icmp = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP
+int grsec_enable_stealth_igmp = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS
+int grsec_enable_stealth_flags = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+int grsec_enable_stealth_flags_log = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+int grsec_enable_stealth_udp_log = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST_LOG
+int grsec_enable_stealth_rst_log = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+int grsec_enable_stealth_icmp_log = 0;
+#endif
+int grsec_lock = 0;
+#else
+#ifdef CONFIG_GRKERNSEC_LINK
+int grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+int grsec_enable_fifo = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+int grsec_enable_fd = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+int grsec_enable_execve = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+int grsec_enable_forkbomb = 1;
+int grsec_forkbomb_gid = CONFIG_GRKERNSEC_FORKBOMB_GID;
+int grsec_forkbomb_sec = CONFIG_GRKERNSEC_FORKBOMB_SEC;
+int grsec_forkbomb_max = CONFIG_GRKERNSEC_FORKBOMB_MAX;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+int grsec_enable_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG_GROUP
+int grsec_enable_execlog_group = 1;
+int grsec_execlog_gid= CONFIG_GRKERNSEC_EXECLOG_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+int grsec_enable_ipc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+int grsec_enable_suid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+int grsec_enable_suid_root = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+int grsec_enable_signal = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+int grsec_enable_coredump = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+int grsec_enable_forkfail = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+int grsec_enable_time = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+int grsec_enable_kbmap = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDNET
+int grsec_enable_randnet = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+int grsec_enable_chroot_sig = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+int grsec_enable_chroot_mount = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+int grsec_enable_chroot_double = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+int grsec_enable_chroot_chdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+int grsec_enable_chroot_chmod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+int grsec_enable_chroot_mknod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+int grsec_enable_chroot_ptrace = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+int grsec_enable_chroot_nice = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+int grsec_enable_chroot_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+int grsec_enable_chroot_caps = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+int grsec_enable_tpe = 1;
+int grsec_tpe_gid= CONFIG_GRKERNSEC_TPE_GID;
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+int grsec_enable_tpe_glibc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+int grsec_enable_tpe_all = 1;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+int grsec_enable_ptrace = 1;
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+int grsec_enable_ptrace_group = 1;
+int grsec_ptrace_gid = CONFIG_GRKERNSEC_PTRACE_GID;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+int grsec_enable_randpid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+#ifdef CONFIG_GRKERNSEC_TTYROOT_SERIAL
+int grsec_enable_serial_deny = 1;
+#else
+int grsec_enable_serial_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT_PHYS
+int grsec_enable_phys_deny = 1;
+#else
+int grsec_enable_phys_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+int grsec_enable_pseudo_deny = 1;
+#else
+int grsec_enable_pseudo_deny = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+int grsec_enable_randid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+int grsec_enable_randsrc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+int grsec_enable_randping = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+int grsec_enable_randttl = 1;
+int grsec_randttl_thresh= CONFIG_GRKERNSEC_RANDTTL_THRESH;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+int grsec_enable_socket_all = 1;
+int grsec_socket_all_gid= CONFIG_GRKERNSEC_SOCKET_ALL_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+int grsec_enable_socket_client = 1;
+int grsec_socket_client_gid= CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+int grsec_enable_socket_server = 1;
+int grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST
+int grsec_enable_stealth_rst = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP
+int grsec_enable_stealth_udp = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP
+int grsec_enable_stealth_icmp = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP
+int grsec_enable_stealth_igmp = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS
+int grsec_enable_stealth_flags = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+int grsec_enable_stealth_flags_log = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+int grsec_enable_stealth_udp_log = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST_LOG
+int grsec_enable_stealth_rst_log = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+int grsec_enable_stealth_icmp_log = 1;
+#endif
+#endif
diff -urN linux/kernel/grsort.c linux/kernel/grsort.c
--- linux/kernel/grsort.c       Wed Dec 31 19:00:00 1969
+++ linux/kernel/grsort.c       Sun Dec 23 19:13:16 2001
@@ -0,0 +1,229 @@
+/* * * * * * * * * * * * * * * * * * * * * * * * *
+ * The following code is a slightly modified qsort found in glibc
+ * The best implementation for a non-recursive qsort around
+ * that I could find, and probably
+ * better than what I would have come up with=)
+ * * * * * * * * * * * * * * * * * * * * * * * * */
+#include <linux/kernel.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+
+
+
+/* Byte-wise swap two items of size SIZE. */
+#define SWAP(a, b, size)                                                     \
+  do                                                                         \
+    {                                                                        \
+      register size_t __size = (size);                                       \
+      register char *__a = (a), *__b = (b);                                  \
+      do                                                                     \
+       {                                                                     \
+         char __tmp = *__a;                                                  \
+         *__a++ = *__b;                                                      \
+         *__b++ = __tmp;                                                     \
+       } while (--__size > 0);                                               \
+    } while (0)
+
+/* Discontinue quicksort algorithm when partition gets below this size.
+   This particular magic number was chosen to work best on a Sun 4/260. */
+#define MAX_THRESH 4
+
+/* Stack node declarations used to store unfulfilled partition obligations. */
+typedef struct
+  {
+    char *lo;
+    char *hi;
+  } stack_node;
+
+/* The next 4 #defines implement a very fast in-line stack abstraction. */
+#define STACK_SIZE     (8 * sizeof(unsigned long int))
+#define PUSH(low, high)        ((void) ((top->lo = (low)), (top->hi = (high)), ++top))
+#define        POP(low, high)  ((void) (--top, (low = top->lo), (high = top->hi)))
+#define        STACK_NOT_EMPTY (stack < top)
+
+
+/* Order size using quicksort.  This implementation incorporates
+   four optimizations discussed in Sedgewick:
+
+   1. Non-recursive, using an explicit stack of pointer that store the
+      next array partition to sort.  To save time, this maximum amount
+      of space required to store an array of MAX_INT is allocated on the
+      stack.  Assuming a 32-bit integer, this needs only 32 *
+      sizeof(stack_node) == 136 bits.  Pretty cheap, actually.
+
+   2. Chose the pivot element using a median-of-three decision tree.
+      This reduces the probability of selecting a bad pivot value and
+      eliminates certain extraneous comparisons.
+
+   3. Only quicksorts TOTAL_ELEMS / MAX_THRESH partitions, leaving
+      insertion sort to order the MAX_THRESH items within each partition.
+      This is a big win, since insertion sort is faster for small, mostly
+      sorted array segments.
+
+   4. The larger of the two sub-partitions is always pushed onto the
+      stack first, with the algorithm then concentrating on the
+      smaller partition.  This *guarantees* no more than log (n)
+      stack size is needed (actually O(1) in this case)!  */
+
+
+void qsort (void *pbase, size_t total_elems, size_t size, int (*cmp) (const void *, const void*))
+{
+  register char *base_ptr = (char *) pbase;
+
+  /* Allocating SIZE bytes for a pivot buffer facilitates a better
+     algorithm below since we can do comparisons directly on the pivot. */
+  char *pivot_buffer = (char *) kmalloc(size,GFP_KERNEL);
+  const size_t max_thresh = MAX_THRESH * size;
+
+  if (total_elems == 0 || !pivot_buffer)
+    /* Avoid lossage with unsigned arithmetic below.  */
+    return;
+
+  if (total_elems > MAX_THRESH)
+    {
+      char *lo = base_ptr;
+      char *hi = &lo[size * (total_elems - 1)];
+      /* Largest size needed for 32-bit int!!! */
+      stack_node stack[STACK_SIZE];
+      stack_node *top = stack + 1;
+
+      while (STACK_NOT_EMPTY)
+        {
+          char *left_ptr;
+          char *right_ptr;
+
+         char *pivot = pivot_buffer;
+
+         /* Select median value from among LO, MID, and HI. Rearrange
+            LO and HI so the three values are sorted. This lowers the
+            probability of picking a pathological pivot value and
+            skips a comparison for both the LEFT_PTR and RIGHT_PTR. */
+
+         char *mid = lo + size * ((hi - lo) / size >> 1);
+
+         if ((*cmp) ((void *) mid, (void *) lo) < 0)
+           SWAP (mid, lo, size);
+         if ((*cmp) ((void *) hi, (void *) mid) < 0)
+           SWAP (mid, hi, size);
+         else
+           goto jump_over;
+         if ((*cmp) ((void *) mid, (void *) lo) < 0)
+           SWAP (mid, lo, size);
+       jump_over:;
+         memcpy (pivot, mid, size);
+         pivot = pivot_buffer;
+
+         left_ptr  = lo + size;
+         right_ptr = hi - size;
+
+         /* Here's the famous ``collapse the walls'' section of quicksort.
+            Gotta like those tight inner loops!  They are the main reason
+            that this algorithm runs much faster than others. */
+         do
+           {
+             while ((*cmp) ((void *) left_ptr, (void *) pivot) < 0)
+               left_ptr += size;
+
+             while ((*cmp) ((void *) pivot, (void *) right_ptr) < 0)
+               right_ptr -= size;
+
+             if (left_ptr < right_ptr)
+               {
+                 SWAP (left_ptr, right_ptr, size);
+                 left_ptr += size;
+                 right_ptr -= size;
+               }
+             else if (left_ptr == right_ptr)
+               {
+                 left_ptr += size;
+                 right_ptr -= size;
+                 break;
+               }
+           }
+         while (left_ptr <= right_ptr);
+
+          /* Set up pointers for next iteration.  First determine whether
+             left and right partitions are below the threshold size.  If so,
+             ignore one or both.  Otherwise, push the larger partition's
+             bounds on the stack and continue sorting the smaller one. */
+
+          if ((size_t) (right_ptr - lo) <= max_thresh)
+            {
+              if ((size_t) (hi - left_ptr) <= max_thresh)
+               /* Ignore both small partitions. */
+                POP (lo, hi);
+              else
+               /* Ignore small left partition. */
+                lo = left_ptr;
+            }
+          else if ((size_t) (hi - left_ptr) <= max_thresh)
+           /* Ignore small right partition. */
+            hi = right_ptr;
+          else if ((right_ptr - lo) > (hi - left_ptr))
+            {
+             /* Push larger left partition indices. */
+              PUSH (lo, right_ptr);
+              lo = left_ptr;
+            }
+          else
+            {
+             /* Push larger right partition indices. */
+              PUSH (left_ptr, hi);
+              hi = right_ptr;
+            }
+        }
+    }
+    kfree(pivot_buffer);
+
+  /* Once the BASE_PTR array is partially sorted by quicksort the rest
+     is completely sorted using insertion sort, since this is efficient
+     for partitions below MAX_THRESH size. BASE_PTR points to the beginning
+     of the array to sort, and END_PTR points at the very last element in
+     the array (*not* one beyond it!). */
+
+
+  {
+    char *const end_ptr = &base_ptr[size * (total_elems - 1)];
+    char *tmp_ptr = base_ptr;
+    char *thresh = min(end_ptr, base_ptr + max_thresh);
+    register char *run_ptr;
+
+    /* Find smallest element in first threshold and place it at the
+       array's beginning.  This is the smallest array element,
+       and the operation speeds up insertion sort's inner loop. */
+
+    for (run_ptr = tmp_ptr + size; run_ptr <= thresh; run_ptr += size)
+      if ((*cmp) ((void *) run_ptr, (void *) tmp_ptr) < 0)
+        tmp_ptr = run_ptr;
+
+    if (tmp_ptr != base_ptr)
+      SWAP (tmp_ptr, base_ptr, size);
+
+    /* Insertion sort, running from left-hand-side up to right-hand-side.  */
+
+    run_ptr = base_ptr + size;
+    while ((run_ptr += size) <= end_ptr)
+      {
+       tmp_ptr = run_ptr - size;
+       while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr) < 0)
+         tmp_ptr -= size;
+
+       tmp_ptr += size;
+        if (tmp_ptr != run_ptr)
+          {
+            char *trav;
+
+           trav = run_ptr + size;
+           while (--trav >= run_ptr)
+              {
+                char c = *trav;
+                char *hi, *lo;
+
+                for (hi = lo = trav; (lo -= size) >= tmp_ptr; hi = lo)
+                  *hi = *lo;
+                *hi = c;
+              }
+          }
+      }
+  }
+}
diff -urN linux/kernel/printk.c linux/kernel/printk.c
--- linux/kernel/printk.c       Fri Dec 21 12:42:04 2001
+++ linux/kernel/printk.c       Sun Dec 23 19:13:16 2001
@@ -290,7 +290,11 @@
 
 asmlinkage long sys_syslog(int type, char * buf, int len)
 {
+#ifdef CONFIG_GRKERNSEC_PROC
+       if (!capable(CAP_SYS_ADMIN))
+#else
        if ((type != 3) && !capable(CAP_SYS_ADMIN))
+#endif
                return -EPERM;
        return do_syslog(type, buf, len);
 }
diff -urN linux/kernel/sched.c linux/kernel/sched.c
--- linux/kernel/sched.c        Fri Dec 21 12:42:04 2001
+++ linux/kernel/sched.c        Sun Dec 23 19:13:16 2001
@@ -32,6 +32,9 @@
 
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+#include <linux/grsecurity.h>
+#endif
 
 extern void timer_bh(void);
 extern void tqueue_bh(void);
@@ -874,6 +877,14 @@
                        return -EPERM;
                if (increment < -40)
                        increment = -40;
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+               if(grsec_enable_chroot_nice && proc_is_chrooted(current)){
+                       security_alert("attempted priority change by "
+                               DEFAULTSECMSG, "attempted priority changes",
+                               DEFAULTSECARGS);
+                       return -EPERM;
+               }
+#endif
        }
        if (increment > 40)
                increment = 40;
diff -urN linux/kernel/signal.c linux/kernel/signal.c
--- linux/kernel/signal.c       Wed Nov 21 19:26:27 2001
+++ linux/kernel/signal.c       Sun Dec 23 19:13:16 2001
@@ -16,6 +16,12 @@
 
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_SIGNAL) || defined(CONFIG_GRKERNSEC_CHROOT_SIG) \
+|| defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/fs.h>
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * SLAB caches for signal bits.
  */
@@ -526,8 +532,37 @@
                goto out_nolock;
 
        spin_lock_irqsave(&t->sigmask_lock, flags);
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+       if(CHROOTLONGCHECK &&
+             !( sig == SIGALRM || sig == SIGIO || !proc_is_chrooted(current) ||
+             have_same_root(current,t) ||
+             (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) {
+             security_alert("denied signal %d out of chroot jail (%.32s:%lu) of %d.%d "
+                            "by " DEFAULTSECMSG " to " DEFAULTSECMSG,
+                            "denied signals in chroot",sig,kdevname(current->fs->root->d_inode->i_dev),
+                            current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+                            current->fs->root->d_inode->i_gid,DEFAULTSECARGS,
+                            t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,
+                            t->p_pptr->pid,t->p_pptr->uid,t->p_pptr->euid);
+                       goto out;
+             }
+#endif
        handle_stop_signal(sig, t);
-
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+    if(grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) || 
+       (sig == SIGABRT) || (sig == SIGBUS))) {
+       if(t->pid == current->pid) {
+           security_alert("signal %d  sent to " DEFAULTSECMSG,"signal warnings",sig,
+                          t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid,
+                          t->p_pptr->uid,t->p_pptr->euid);
+       } else {
+           security_alert("signal %d sent to " DEFAULTSECMSG " by "
+                          DEFAULTSECMSG, "signal warnings",
+                          sig,t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid,
+                          t->p_pptr->uid,t->p_pptr->euid, DEFAULTSECARGS);
+       }
+    } 
+#endif
        /* Optimize away the signal, if it's a signal that can be
           handled immediately (ie non-blocked and untraced) and
           that is ignored (either explicitly or by default).  */
@@ -592,6 +627,9 @@
                retval = -ESRCH;
                read_lock(&tasklist_lock);
                for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+                       if( !(gr_check_protected(p)) || current->pid == 1)
+#endif
                        if (p->pgrp == pgrp) {
                                int err = send_sig_info(sig, info, p);
                                if (retval)
@@ -619,6 +657,9 @@
                retval = -ESRCH;
                read_lock(&tasklist_lock);
                for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+                       if( !(gr_check_protected(p)) || current->pid == 1)
+#endif
                        if (p->leader && p->session == sess) {
                                int err = send_sig_info(sig, info, p);
                                if (retval)
@@ -640,6 +681,9 @@
        p = find_task_by_pid(pid);
        error = -ESRCH;
        if (p)
+#ifdef CONFIG_GRKERNSEC_ACL
+               if( !(gr_check_protected(p)) || current->pid == 1)
+#endif
                error = send_sig_info(sig, info, p);
        read_unlock(&tasklist_lock);
        return error;
@@ -663,6 +707,9 @@
 
                read_lock(&tasklist_lock);
                for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+                       if(!(gr_check_protected(p) || current->pid == 1))
+#endif
                        if (p->pid > 1 && p != current) {
                                int err = send_sig_info(sig, info, p);
                                ++count;
diff -urN linux/kernel/sys.c linux/kernel/sys.c
--- linux/kernel/sys.c  Tue Sep 18 17:10:43 2001
+++ linux/kernel/sys.c  Sun Dec 23 19:13:16 2001
@@ -4,6 +4,7 @@
  *  Copyright (C) 1991, 1992  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 #include <linux/mm.h>
 #include <linux/utsname.h>
@@ -18,6 +19,12 @@
 #include <asm/uaccess.h>
 #include <asm/io.h>
 
+#if defined(CONFIG_GRKERNSEC_SUID) ||\
+    defined(CONFIG_GRKERNSEC_SUID_ROOT) ||\
+    defined(CONFIG_GRKERNSEC_TTYROOT) || defined(CONFIG_GRKERNSEC_CHROOT_NICE)
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * this is where the system-wide overflow UID and GID are defined, for
  * architectures that now have 32-bit UID/GID but didn't in the past
@@ -213,6 +220,7 @@
        for_each_task(p) {
                if (!proc_sel(p, which, who))
                        continue;
+
                if (p->uid != current->euid &&
                        p->uid != current->uid && !capable(CAP_SYS_NICE)) {
                        error = -EPERM;
@@ -220,6 +228,15 @@
                }
                if (error == -ESRCH)
                        error = 0;
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+               if(grsec_enable_chroot_nice && (!have_same_root(p,current)
+                  || (have_same_root(p,current) && (niceval < p->nice) && proc_is_chrooted(current)))) {
+                               security_alert("attempted priority change of "
+                               "process (%.16s:%d) by " DEFAULTSECMSG,
+                               "attempted priority changes",p->comm,p->pid,DEFAULTSECARGS);
+                               return -ESRCH; /* be stealthy */
+               }
+#endif
                if (niceval < p->nice && !capable(CAP_SYS_NICE))
                        error = -EACCES;
                else
@@ -380,6 +397,20 @@
        int new_rgid = old_rgid;
        int new_egid = old_egid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(rgid,egid,1,"setregid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && (!rgid || !egid))
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setregid(rgid=%d/egid=%d) by " DEFAULTSECMSG
+                      "\n",rgid,egid, DEFAULTSECARGS);
+#endif         
+
        if (rgid != (gid_t) -1) {
                if ((old_rgid == rgid) ||
                    (current->egid==rgid) ||
@@ -421,6 +452,20 @@
 {
        int old_egid = current->egid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(gid,1,1,"setgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && !gid)
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setgid(%d) by " DEFAULTSECMSG "\n",gid, 
+               DEFAULTSECARGS);
+#endif         
+
        if (capable(CAP_SETGID))
        {
                if(old_egid != gid)
@@ -540,6 +585,20 @@
        new_euid = old_euid = current->euid;
        old_suid = current->suid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(ruid,euid,1,"setreuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && (!ruid || !euid))
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setreuid(ruid=%d/euid=%d) by " DEFAULTSECMSG
+                      "\n",ruid,euid, DEFAULTSECARGS);
+#endif         
+
        if (ruid != (uid_t) -1) {
                new_ruid = ruid;
                if ((old_ruid != ruid) &&
@@ -599,7 +658,20 @@
        old_ruid = new_ruid = current->uid;
        old_suid = current->suid;
        new_suid = old_suid;
-       
+
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(uid,1,1,"setuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && !uid)
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setuid(%d) by " DEFAULTSECMSG "\n", uid,
+               DEFAULTSECARGS);
+#endif         
        if (capable(CAP_SETUID)) {
                if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
                        return -EAGAIN;
@@ -633,6 +705,20 @@
        int old_euid = current->euid;
        int old_suid = current->suid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(ruid,euid,suid,"setresuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && (!ruid || !euid || !suid))
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setresuid(ruid=%d/suid=%d/euid=%d) by "
+                       DEFAULTSECMSG "\n", ruid, suid, euid, DEFAULTSECARGS);
+#endif         
+
        if (!capable(CAP_SETUID)) {
                if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
                    (ruid != current->euid) && (ruid != current->suid))
@@ -683,6 +769,20 @@
  */
 asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 {
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(rgid,egid,sgid,"setresgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && (!rgid || !egid || !sgid))
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setresgid(rgid=%d/sgid=%d/egid=%d) by "
+                       DEFAULTSECMSG "\n", rgid, sgid, egid, DEFAULTSECARGS);
+#endif         
+
        if (!capable(CAP_SETGID)) {
                if ((rgid != (gid_t) -1) && (rgid != current->gid) &&
                    (rgid != current->egid) && (rgid != current->sgid))
@@ -732,6 +832,20 @@
 {
        int old_fsuid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(uid,1,1,"setfsuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && !uid)
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setfsuid(%d) by " DEFAULTSECMSG "\n", uid,
+                       DEFAULTSECARGS);
+#endif         
+
        old_fsuid = current->fsuid;
        if (uid == current->uid || uid == current->euid ||
            uid == current->suid || uid == current->fsuid || 
@@ -774,6 +888,20 @@
 {
        int old_fsgid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       is_tty_allowed_for_setid(gid,1,1,"setfsgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       if(grsec_enable_suid_root && current->uid && !gid)
+#else
+       if(grsec_enable_suid)
+#endif
+       printk(KERN_INFO "grsec: setfsgid(%d) by " DEFAULTSECMSG "\n", gid,
+                       DEFAULTSECARGS);
+#endif         
+
        old_fsgid = current->fsgid;
        if (gid == current->gid || gid == current->egid ||
            gid == current->sgid || gid == current->fsgid || 
@@ -971,6 +1099,11 @@
                return -EINVAL;
        if(copy_from_user(current->groups, grouplist, gidsetsize * sizeof(gid_t)))
                return -EFAULT;
+
+#ifdef CONFIG_GRKERNSEC_SUID
+       if(grsec_enable_suid)
+               printk(KERN_INFO "grsec: setgroups by " DEFAULTSECMSG "\n", DEFAULTSECARGS);
+#endif         
        current->ngroups = gidsetsize;
        return 0;
 }
diff -urN linux/kernel/sysctl.c linux/kernel/sysctl.c
--- linux/kernel/sysctl.c       Fri Dec 21 12:42:04 2001
+++ linux/kernel/sysctl.c       Sun Dec 23 19:13:16 2001
@@ -37,7 +37,8 @@
 #include <linux/nfs_fs.h>
 #endif
 
-#if defined(CONFIG_SYSCTL)
+#ifdef CONFIG_SYSCTL
+#include <linux/grsecurity.h>
 
 /* External variables not in a header file. */
 extern int panic_timeout;
@@ -117,6 +118,9 @@
 static ctl_table debug_table[];
 static ctl_table dev_table[];
 extern ctl_table random_table[];
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+static ctl_table grsecurity_table[];
+#endif
 
 /* /proc declarations: */
 
@@ -256,8 +260,272 @@
        {KERN_KDB, "kdb", &kdb_on, sizeof(int),
         0644, NULL, &proc_dointvec),
 #endif /* CONFIG_KDB */
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+       {KERN_GRSECURITY, "grsecurity", NULL, 0, 0550, grsecurity_table},
+#endif
+#ifdef CONFIG_GRKERNSEC_ACL
+        {KERN_OBV,"oblivion",NULL,sizeof(int),0600,NULL,&gr_proc_handler},
+#endif
+
+       {0}
+};
+
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+enum {GS_LINK=1,GS_FIFO, GS_FD, GS_EXECVE, GS_FORK,
+GS_FORK_GID, GS_FORK_SEC, GS_FORK_MAX, GS_EXECLOG, GS_EXECLOG_GID, 
+GS_EXECLOG_GRP, GS_SUID, GS_SUID_ROOT, GS_SIGNAL, GS_COREDUMP, GS_FORKFAIL, 
+GS_TIME, GS_KBMAP, GS_RANDNET, GS_CHROOT_SIG, GS_CHROOT_MNT, 
+GS_CHROOT_DBL, GS_CHROOT_CD, GS_CHROOT_CM, GS_CHROOT_MK, GS_CHROOT_PT, 
+GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, GS_TPE, GS_TPE_GID, 
+GS_TPE_GLIBC, GS_TPE_ALL, GS_PTRACE, GS_PTRACE_GRP, GS_PTRACE_GID, 
+GS_SIDCAPS, GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDPING, GS_RANDTTL, 
+GS_RANDTTL_THRESH, GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, 
+GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, 
+GS_STEALTH_RST, GS_STEALTH_RST_LOG, GS_STEALTH_UDP, GS_STEALTH_UDP_LOG, 
+GS_STEALTH_ICMP, GS_STEALTH_ICMP_LOG, GS_STEALTH_IGMP, GS_STEALTH_FLAGS, 
+GS_STEALTH_FLAGS_LOG, GS_IPC, GS_TTY, GS_TTYS, GS_PTY, GS_LOCK};
+
+static ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_LINK
+       {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int),
+        0640, NULL, &proc_dointvec}, 
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+       {GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+       {GS_FD, "secure_fds", &grsec_enable_fd, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+       {GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+       {GS_FORK, "fork_bomb_prot", &grsec_enable_forkbomb, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_FORK_GID, "fork_bomb_gid", &grsec_forkbomb_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_FORK_SEC, "fork_bomb_sec", &grsec_forkbomb_sec, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_FORK_MAX, "fork_bomb_max", &grsec_forkbomb_max, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+       {GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG_GROUP
+       {GS_EXECLOG_GRP, "exec_group_logging", &grsec_enable_execlog_group, 
+        sizeof (int), 0640, NULL, &proc_dointvec},
+       {GS_EXECLOG_GID, "exec_logging_gid", &grsec_execlog_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+       {GS_SUID, "suid_logging", &grsec_enable_suid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+       {GS_SUID_ROOT, "suid_root_logging", &grsec_enable_suid_root, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+       {GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+       {GS_COREDUMP, "coredump", &grsec_enable_coredump, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       {GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+       {GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+       {GS_KBMAP, "secure_kbmap", &grsec_enable_kbmap, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       {GS_RANDNET, "rand_net", &grsec_enable_randnet, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+       {GS_CHROOT_SIG, "chroot_restrict_sigs", &grsec_enable_chroot_sig, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+       {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+       {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+       {GS_CHROOT_CD, "chroot_deny_chdir", &grsec_enable_chroot_chdir, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+       {GS_CHROOT_PT, "chroot_deny_ptrace", &grsec_enable_chroot_ptrace, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+       {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+       {GS_CHROOT_EXECLOG, "chroot_execlog",
+        &grsec_enable_chroot_execlog, sizeof (int),
+         0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+       {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+       {GS_TPE_GLIBC, "tpe_glibc", &grsec_enable_tpe_glibc, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+       {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+       {GS_PTRACE, "restrict_ptrace", &grsec_enable_ptrace, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+       {GS_PTRACE_GRP, "allow_ptrace_group", &grsec_enable_ptrace_group, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_PTRACE_GID, "ptrace_gid", &grsec_ptrace_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       {GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+       {GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+       {GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+       {GS_RANDPING, "altered_pings", &grsec_enable_randping, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+       {GS_RANDTTL, "rand_ttl", &grsec_enable_randttl, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_RANDTTL_THRESH, "rand_ttl_thresh", 
+        &grsec_randttl_thresh, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_SOCKET_ALL_GID, "socket_all_gid",
+        &grsec_socket_all_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+       {GS_SOCKET_CLIENT, "socket_client", 
+        &grsec_enable_socket_client, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_SOCKET_CLIENT_GID, "socket_client_gid", 
+        &grsec_socket_client_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       {GS_SOCKET_SERVER, "socket_server", 
+        &grsec_enable_socket_server, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_SOCKET_SERVER_GID, "socket_server_gid",
+        &grsec_socket_server_gid, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST
+       {GS_STEALTH_RST, "stealth_rst", &grsec_enable_stealth_rst, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST_LOG
+       {GS_STEALTH_RST_LOG, "stealth_rst_log", &grsec_enable_stealth_rst_log, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP
+       {GS_STEALTH_UDP, "stealth_udp", &grsec_enable_stealth_udp, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+       {GS_STEALTH_UDP_LOG, "stealth_udp_log", &grsec_enable_stealth_udp_log, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP
+       {GS_STEALTH_ICMP, "stealth_icmp", 
+        &grsec_enable_stealth_icmp, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+       {GS_STEALTH_ICMP_LOG, "stealth_icmp_log", 
+        &grsec_enable_stealth_icmp_log, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP
+       {GS_STEALTH_IGMP, "stealth_igmp", 
+        &grsec_enable_stealth_igmp, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS
+       {GS_STEALTH_FLAGS, "stealth_flags", 
+        &grsec_enable_stealth_flags, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+       {GS_STEALTH_FLAGS_LOG, "stealth_flags_log", 
+        &grsec_enable_stealth_flags_log, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+       {GS_IPC, "alt_ipc_perms", &grsec_enable_ipc, sizeof (int), 0640,
+        NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+       {GS_TTY, "deny_phys_root", 
+        &grsec_enable_phys_deny, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_TTYS, "deny_serial_root", 
+        &grsec_enable_serial_deny, sizeof (int),
+        0640, NULL, &proc_dointvec},
+       {GS_PTY, "deny_pseudo_root", 
+        &grsec_enable_pseudo_deny, sizeof (int),
+        0640, NULL, &proc_dointvec},
+#endif
+       {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0640, NULL,
+        &proc_dointvec},
        {0}
 };
+#endif
 
 static ctl_table vm_table[] = {
        {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL,
@@ -828,6 +1096,17 @@
        }
        
        i = (int *) table->data;
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+       if(table->de->parent->name && strlen(table->de->parent->name) == 10) {
+               if((!strcmp(table->de->parent->name, "grsecurity")) && grsec_lock && write) { 
+                        security_alert("attempt to modify grsecurity "
+                        "sysctl value: %.32s by " DEFAULTSECMSG,
+                        "attempted sysctl changes", table->de->name,
+                       DEFAULTSECARGS);
+                        return -EACCES;
+               }
+       }
+#endif
        vleft = table->maxlen / sizeof(int);
        left = *lenp;
        
diff -urN linux/kernel/time.c linux/kernel/time.c
--- linux/kernel/time.c Fri Dec 21 12:42:04 2001
+++ linux/kernel/time.c Sun Dec 23 19:13:16 2001
@@ -29,6 +29,9 @@
 #include <linux/smp_lock.h>
 
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_TIME
+#include <linux/grsecurity.h>
+#endif
 
 /* 
  * The timezone where the local system is located.  Used as a default by some
@@ -105,6 +108,11 @@
        time_maxerror = NTP_PHASE_LIMIT;
        time_esterror = NTP_PHASE_LIMIT;
        write_unlock_irq(&xtime_lock);
+#ifdef CONFIG_GRKERNSEC_TIME
+   if(grsec_enable_time)
+       security_alert("time set by " DEFAULTSECMSG, "time sets",
+                       DEFAULTSECARGS);
+#endif
        return 0;
 }
 
@@ -181,6 +189,11 @@
                 * globally block out interrupts when it runs.
                 */
                do_settimeofday(tv);
+#ifdef CONFIG_GRKERNSEC_TIME
+    if(grsec_enable_time)
+       security_alert("time set by " DEFAULTSECMSG, "time sets", 
+                       DEFAULTSECARGS);
+#endif
        }
        return 0;
 }
diff -urN linux/mm/mmap.c linux/mm/mmap.c
--- linux/mm/mmap.c     Sun Nov  4 13:17:20 2001
+++ linux/mm/mmap.c     Sun Dec 23 19:13:16 2001
@@ -14,6 +14,7 @@
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/personality.h>
+#include <linux/random.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
@@ -429,6 +430,24 @@
         */
        vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
 
+#ifdef CONFIG_GRKERNSEC_PAX
+       if (current->flags & PF_PAX_PAGEEXEC) {
+               if (flags & MAP_GROWSDOWN)
+                       vm_flags &= ~VM_EXEC;
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+               if ((current->flags & PF_PAX_MPROTECT) && !(prot & PROT_EXEC))
+                       vm_flags &= ~VM_MAYEXEC;
+               if ((current->flags & PF_PAX_MPROTECT) && (flags & MAP_GROWSDOWN))
+                       vm_flags &= ~VM_MAYEXEC;
+#endif
+
+       } else {
+               if (prot & (PROT_READ | PROT_WRITE)) /* they imply PROT_EXEC on IA-32 */
+                       vm_flags |= VM_EXEC;
+       }
+#endif
+
        /* mlock MCL_FUTURE? */
        if (vm_flags & VM_LOCKED) {
                unsigned long locked = mm->locked_vm << PAGE_SHIFT;
@@ -601,7 +620,20 @@
                    (!vma || addr + len <= vma->vm_start))
                        return addr;
        }
+#if defined(CONFIG_GRKERNSEC_STACK)
+        addr = TASK_UNMAPPED_BASE(len);
+       addr = PAGE_ALIGN(TASK_UNMAPPED_BASE(len));
+#else
+        addr = TASK_UNMAPPED_BASE;
        addr = PAGE_ALIGN(TASK_UNMAPPED_BASE);
+#endif
+
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+               /* PaX: randomize base address if requested */
+               if (current->flags & PF_PAX_RANDMMAP)
+                       addr += current->mm->delta_mmap;
+#endif
 
        for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
                /* At this point:  (!vma || addr < vma->vm_end). */
@@ -1050,6 +1082,18 @@
                                MAP_FIXED|MAP_PRIVATE) | mm->def_flags;
 
        flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
+
+#ifdef CONFIG_GRKERNSEC_PAX
+       if (current->flags & PF_PAX_PAGEEXEC) {
+               flags &= ~VM_EXEC;
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+              if (current->flags & PF_PAX_MPROTECT)
+                      flags &= ~VM_MAYEXEC;
+#endif
+       }
+#endif
+
 
        /* Can we just expand an old anonymous mapping? */
        if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len, flags))
diff -urN linux/mm/mprotect.c linux/mm/mprotect.c
--- linux/mm/mprotect.c Mon Sep 17 18:30:23 2001
+++ linux/mm/mprotect.c Sun Dec 23 19:13:16 2001
@@ -300,6 +300,12 @@
                }
 
 #endif /* CONFIG_HAVE_XFS_DMAPI */
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+               /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
+               if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYEXEC)) {
+                       newflags &= ~VM_MAYWRITE;
+               }
+#endif
                if (vma->vm_end > end) {
                        error = mprotect_fixup(vma, &prev, nstart, end, newflags);
                        goto out;
diff -urN linux/net/core/utils.c linux/net/core/utils.c
--- linux/net/core/utils.c      Mon Aug 23 13:01:02 1999
+++ linux/net/core/utils.c      Sun Dec 23 19:13:16 2001
@@ -23,16 +23,50 @@
 
 static unsigned long net_rand_seed = 152L;
 
+#ifdef CONFIG_GRKERNSEC_RANDNET
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+
+#define RNG_N_STORED_WORDS 256
+unsigned long rng_storage[RNG_N_STORED_WORDS];
+int nleft=0;
+#endif
+
 unsigned long net_random(void)
 {
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       if (grsec_enable_randnet) {
+       if (!nleft)
+       {
+               get_random_bytes(rng_storage,sizeof(rng_storage));
+               nleft=RNG_N_STORED_WORDS;
+       }
+       
+       nleft--;
+       return rng_storage[nleft];
+       } else {
+       net_rand_seed=net_rand_seed*69069L+1;
+        return net_rand_seed^jiffies;
+       }
+#else
        net_rand_seed=net_rand_seed*69069L+1;
         return net_rand_seed^jiffies;
+#endif
 }
 
 void net_srandom(unsigned long entropy)
 {
+#ifdef CONFIG_GRKERNSEC_RANDNET
+       if(grsec_enable_randnet)
+       add_mouse_randomness((__u32)entropy);
+       else {
        net_rand_seed ^= entropy;
        net_random();
+       }
+#else
+       net_rand_seed ^= entropy;
+       net_random();
+#endif
 }
 
 int net_msg_cost = 5*HZ;
@@ -71,3 +105,4 @@
        spin_unlock_irqrestore(&ratelimit_lock, flags);
        return 0;
 }
+
diff -urN linux/net/ipv4/Makefile linux/net/ipv4/Makefile
--- linux/net/ipv4/Makefile     Fri Dec 21 12:42:05 2001
+++ linux/net/ipv4/Makefile     Sun Dec 23 19:13:16 2001
@@ -13,7 +13,7 @@
 
 obj-y     := utils.o route.o inetpeer.o proc.o protocol.o \
             ip_input.o ip_fragment.o ip_forward.o ip_options.o \
-            ip_output.o ip_sockglue.o \
+            ip_id.o ip_output.o ip_sockglue.o \
             tcp.o tcp_input.o tcp_output.o tcp_timer.o tcp_ipv4.o tcp_minisocks.o \
             tcp_diag.o raw.o udp.o arp.o icmp.o devinet.o af_inet.o igmp.o \
             sysctl_net_ipv4.o fib_frontend.o fib_semantics.o fib_hash.o
diff -urN linux/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
--- linux/net/ipv4/af_inet.c    Fri Dec 21 12:42:05 2001
+++ linux/net/ipv4/af_inet.c    Sun Dec 23 19:13:16 2001
@@ -83,6 +83,10 @@
 #include <linux/init.h>
 #include <linux/poll.h>
 #include <linux/netfilter_ipv4.h>
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+#endif
 
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -322,6 +326,10 @@
         struct list_head *p;
         struct inet_protosw *answer;
 
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+      unsigned long randttl;
+#endif
+
        sock->state = SS_UNCONNECTED;
        sk = sk_alloc(PF_INET, GFP_KERNEL, 1);
        if (sk == NULL) 
@@ -374,7 +382,14 @@
        else
                sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT;
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+               sk->protinfo.af_inet.id = 0;
+#else
        sk->protinfo.af_inet.id = 0;
+#endif
 
        sock_init_data(sock,sk);
 
@@ -386,7 +401,16 @@
 
        sk->backlog_rcv = sk->prot->backlog_rcv;
 
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+if(grsec_enable_randttl){
+        get_random_bytes(&randttl,sizeof(randttl));
+        sk->protinfo.af_inet.ttl = grsec_randttl_thresh +
+        (randttl % (256 - grsec_randttl_thresh));
+} else
+       sk->protinfo.af_inet.ttl        = sysctl_ip_default_ttl;
+#else                  
        sk->protinfo.af_inet.ttl        = sysctl_ip_default_ttl;
+#endif
 
        sk->protinfo.af_inet.mc_loop    = 1;
        sk->protinfo.af_inet.mc_ttl     = 1;
diff -urN linux/net/ipv4/icmp.c linux/net/ipv4/icmp.c
--- linux/net/ipv4/icmp.c       Wed Nov  7 17:39:36 2001
+++ linux/net/ipv4/icmp.c       Sun Dec 23 19:13:16 2001
@@ -90,6 +90,15 @@
 #include <asm/system.h>
 #include <asm/uaccess.h>
 #include <net/checksum.h>
+#ifdef CONFIG_GRKERNSEC_RANDPING
+#include <linux/random.h>
+#endif
+
+#if defined(CONFIG_GRKERNSEC_RANDPING)||\
+    defined(CONFIG_GRKERNSEC_STEALTH_ICMP) ||\
+    defined(CONFIG_GRKERNSEC_STEALTH_ICMP_LOG)
+#include <linux/grsecurity.h>
+#endif
 
 /*
  *     Build xmit assembly blocks
@@ -738,6 +747,11 @@
 
                icmp_param.data.icmph=*skb->h.icmph;
                icmp_param.data.icmph.type=ICMP_ECHOREPLY;
+#ifdef CONFIG_GRKERNSEC_RANDPING
+       if(grsec_enable_randping)
+               icmp_param.data.icmph.un.echo.id =
+               skb->h.icmph->un.echo.id;
+#endif
                icmp_param.skb=skb;
                icmp_param.offset=0;
                icmp_param.data_len=skb->len;
@@ -907,6 +921,19 @@
        /*
         *      Parse the ICMP message 
         */
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP_LOG
+       if(grsec_enable_stealth_icmp_log && net_ratelimit() && (icmph->type != ICMP_ECHOREPLY)
+           && ((strlen(skb->dev->name) != 2) || strcmp(skb->dev->name,"lo")))
+               printk(KERN_INFO "grsec: icmp type=%d code=%d on %.8s src=%u.%u.%u.%u "
+                      "dst=%u.%u.%u.%u\n", icmph->type, icmph->code, 
+                      (skb->dev->name ? skb->dev->name : "unknown"),
+                      NIPQUAD(skb->nh.iph->saddr), NIPQUAD(skb->nh.iph->daddr));
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_ICMP
+       if(grsec_enable_stealth_icmp && (icmph->type != ICMP_ECHOREPLY) &&
+           ((strlen(skb->dev->name) != 2) || strcmp(skb->dev->name,"lo")))
+               goto drop;
+#endif
 
        if (rt->rt_flags&(RTCF_BROADCAST|RTCF_MULTICAST)) {
                /*
diff -urN linux/net/ipv4/igmp.c linux/net/ipv4/igmp.c
--- linux/net/ipv4/igmp.c       Sat Jul 28 15:12:38 2001
+++ linux/net/ipv4/igmp.c       Sun Dec 23 19:13:16 2001
@@ -98,6 +98,9 @@
 #include <linux/mroute.h>
 #endif
 
+#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP
+#include <linux/grsecurity.h>
+#endif
 
 #define IP_MAX_MEMBERSHIPS 20
 
@@ -200,6 +203,10 @@
        struct rtable *rt;
        u32     dst;
 
+#ifdef CONFIG_GRKERNSEC_STEALTH_IGMP
+       if(grsec_enable_stealth_igmp)
+               return(-1);
+#endif
        /* According to IGMPv2 specs, LEAVE messages are
         * sent to all-routers group.
         */
diff -urN linux/net/ipv4/ip_gre.c linux/net/ipv4/ip_gre.c
--- linux/net/ipv4/ip_gre.c     Tue Oct 30 18:08:12 2001
+++ linux/net/ipv4/ip_gre.c     Sun Dec 23 19:13:16 2001
@@ -28,6 +28,10 @@
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
 #include <linux/netfilter_ipv4.h>
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+#endif
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -842,6 +846,9 @@
        iph->saddr              =       rt->rt_src;
 
        if ((iph->ttl = tiph->ttl) == 0) {
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+       unsigned long randttl;
+#endif
                if (skb->protocol == __constant_htons(ETH_P_IP))
                        iph->ttl = old_iph->ttl;
 #ifdef CONFIG_IPV6
@@ -849,6 +856,13 @@
                        iph->ttl = ((struct ipv6hdr*)old_iph)->hop_limit;
 #endif
                else
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+                       if(grsec_enable_randttl){
+                       get_random_bytes(&randttl,sizeof(randttl));
+                       iph->ttl = grsec_randttl_thresh +
+                       (randttl % (256 - grsec_randttl_thresh)); 
+                       } else
+#endif
                        iph->ttl = sysctl_ip_default_ttl;
        }
 
diff -urN linux/net/ipv4/ip_id.c linux/net/ipv4/ip_id.c
--- linux/net/ipv4/ip_id.c      Wed Dec 31 19:00:00 1969
+++ linux/net/ipv4/ip_id.c      Sun Dec 23 19:13:16 2001
@@ -0,0 +1,146 @@
+/*
+ * This code is based on OpenBSD's ip_id.c, by Niels Provos.
+ * Ported to Linux 2.2 by Salvatore Sanfilippo.
+ * Ported to Linux 2.4 by Brad Spengler.
+ *
+ * 26-10-1999: Ported from OpenBSD's ip_id.c version 1.2
+ * (previous versions seems to be predictable
+ * after David Wagner's auditing)
+ * Salvatore Sanfilippo <antirez@invece.org>
+ *
+ * TODO:
+ * - Make this code SMP safe
+ */
+
+/*
+ * Copyright 1998 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ * Theo de Raadt <deraadt@openbsd.org> came up with the idea of using
+ * such a mathematical system to generate more random (yet non-repeating)
+ * ids to solve the resolver/named problem.  But Niels designed the
+ * actual system based on the constraints.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer,
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+
+#define RU_OUT 180
+#define RU_MAX 30000
+#define RU_GEN 2
+#define RU_N 32749
+#define RU_AGEN 7
+#define RU_M 31104
+#define PFAC_N 3
+const static __u16 pfacts[PFAC_N] = { 2,3,2729 };
+
+static __u16 ru_x;
+static __u16 ru_seed, ru_seed2;
+static __u16 ru_a, ru_b;
+static __u16 ru_g;
+static __u16 ru_counter = 0;
+static __u16 ru_msb = 0;
+static __u32 ru_reseed;
+static __u32 tmp;
+
+static __u16 pmod(u_int16_t, u_int16_t, u_int16_t);
+static void ip_initid (void);
+__u16 ip_randomip (void);
+
+static __u16 pmod(__u16 gen, __u16 exp, __u16 mod) {
+       __u16 s, t, u;
+
+       s = 1;
+       t = gen;
+       u = exp;
+
+       while(u) {
+               if (u & 1)
+                       s = (s*t) % mod;
+               u >>=1;
+               t = (t*t) % mod;
+       }
+       return(s);
+}
+
+static void ip_initid (void) {         
+       __u16 j, i;
+       int noprime = 1;
+
+       get_random_bytes((void *) &tmp, sizeof(tmp));
+       ru_x = (tmp & 0xFFFF) % RU_M;
+       ru_seed = (tmp >> 16) & 0x7FFF;
+       get_random_bytes((void *) &tmp, sizeof(tmp));
+       ru_seed2 = tmp & 0x7FFF;
+       
+       get_random_bytes((void *) &tmp, sizeof(tmp));
+       
+       ru_b = (tmp & 0xfffe) | 1;
+       ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M);
+       while (ru_b % 3 == 0)
+               ru_b += 2;
+
+       get_random_bytes((void *) &tmp, sizeof(tmp));
+       j = tmp % RU_N;
+       tmp = tmp >> 16;
+       
+       while(noprime) {
+               for (i=0; i<PFAC_N; i++)
+                       if(j%pfacts[i] == 0)
+                               break;
+               
+               if (i>=PFAC_N)
+                       noprime = 0;
+               else
+                       j = (j+1) % RU_N;
+       }
+
+       ru_g = pmod(RU_GEN,j,RU_N);
+       ru_counter = 0;
+       ru_reseed = jiffies + (RU_OUT * HZ);
+       ru_msb = ru_msb == 0x8000 ? 0 : 0x8000;
+}
+
+__u16 ip_randomid (void) {
+       int i, n;
+       
+       if (ru_counter >= RU_MAX || jiffies > ru_reseed)
+               ip_initid();
+
+       if (!tmp)
+               get_random_bytes((void *) &tmp, sizeof(tmp));
+
+       n = tmp & 0x3; tmp = tmp >> 2;
+       if (ru_counter + n >= RU_MAX)
+               ip_initid();
+       for (i=0; i <= n; i++)
+               ru_x = (ru_a*ru_x + ru_b) % RU_M;
+       ru_counter += i;
+       
+       return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x, RU_N)) | ru_msb;
+}
diff -urN linux/net/ipv4/ip_output.c linux/net/ipv4/ip_output.c
--- linux/net/ipv4/ip_output.c  Wed Oct 17 17:16:39 2001
+++ linux/net/ipv4/ip_output.c  Sun Dec 23 19:13:16 2001
@@ -77,6 +77,10 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/mroute.h>
 #include <linux/netlink.h>
+#ifdef CONFIG_GRKERNSEC_RANDID
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+#endif
 
 /*
  *      Shall we try to damage output packets if routing dev changes?
@@ -510,6 +514,12 @@
         *      Begin outputting the bytes.
         */
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid){ 
+               get_random_bytes(&id,(sizeof(id) / 2));
+               sk->protinfo.af_inet.id = id;
+       } else
+#endif
        id = sk->protinfo.af_inet.id++;
 
        do {
diff -urN linux/net/ipv4/ip_sockglue.c linux/net/ipv4/ip_sockglue.c
--- linux/net/ipv4/ip_sockglue.c        Tue Oct 30 18:08:12 2001
+++ linux/net/ipv4/ip_sockglue.c        Sun Dec 23 19:13:16 2001
@@ -42,6 +42,10 @@
 
 #include <linux/errqueue.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+#endif
 
 #define IP_CMSG_PKTINFO                1
 #define IP_CMSG_TTL            2
@@ -382,6 +386,9 @@
 {
        int val=0,err;
 
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+       unsigned long randttl;
+#endif
        if (level != SOL_IP)
                return -ENOPROTOOPT;
 
@@ -492,8 +499,16 @@
                case IP_TTL:
                        if (optlen<1)
                                goto e_inval;
-                       if(val==-1)
+                       if(val==-1) {
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+                        if(grsec_enable_randttl){
+                        get_random_bytes(&randttl,sizeof(randttl));
+                        val = grsec_randttl_thresh +
+                        (randttl % (256 - grsec_randttl_thresh));
+                        } else
+#endif
                                val = sysctl_ip_default_ttl;
+                       }
                        if(val<1||val>255)
                                goto e_inval;
                        sk->protinfo.af_inet.ttl=val;
diff -urN linux/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c
--- linux/net/ipv4/tcp_ipv4.c   Fri Dec 21 12:42:05 2001
+++ linux/net/ipv4/tcp_ipv4.c   Sun Dec 23 19:13:16 2001
@@ -63,6 +63,15 @@
 #include <linux/stddef.h>
 #include <linux/ipsec.h>
 
+#if defined(CONFIG_GRKERNSEC_RANDID)||defined(CONFIG_GRKERNSEC_RANDSRC)||\
+    defined(CONFIG_GRKERNSEC_STEALTH_RST)||\
+    defined(CONFIG_GRKERNSEC_STEALTH_FLAGS) ||\
+    defined(CONFIG_GRKERNSEC_STEALTH_RST_LOG)||\
+    defined(CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG)
+#include <linux/grsecurity.h>
+#endif
+
+
 extern int sysctl_ip_dynaddr;
 
 /* Check TCP sequence numbers in ICMP packets. */
@@ -201,6 +210,9 @@
        struct tcp_bind_hashbucket *head;
        struct tcp_bind_bucket *tb;
        int ret;
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+       unsigned long longrover;
+#endif
 
        local_bh_disable();
        if (snum == 0) {
@@ -211,9 +223,21 @@
 
                spin_lock(&tcp_portalloc_lock);
                rover = tcp_port_rover;
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+                do {
+       if(grsec_enable_randsrc) {
+                       get_random_bytes(&longrover,sizeof(longrover));
+                       rover = low + (longrover % (high - low));
+       } else {
+                       rover++;
+                       if ((rover < low) || (rover > high))
+                               rover = low;
+       }
+#else
                do {    rover++;
                        if ((rover < low) || (rover > high))
                                rover = low;
+#endif
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);
                        for (tb = head->chain; tb; tb = tb->next)
@@ -725,6 +749,11 @@
        tp->ext_header_len = 0;
        if (sk->protinfo.af_inet.opt)
                tp->ext_header_len = sk->protinfo.af_inet.opt->optlen;
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
        sk->protinfo.af_inet.id = tp->write_seq^jiffies;
 
        tp->mss_clamp = 536;
@@ -1450,6 +1479,11 @@
        newtp->ext_header_len = 0;
        if (newsk->protinfo.af_inet.opt)
                newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen;
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               newsk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
        newsk->protinfo.af_inet.id = newtp->write_seq^jiffies;
 
        tcp_sync_mss(newsk, dst->pmtu);
@@ -1566,8 +1600,20 @@
                        goto discard;
 
                if (nsk != sk) {
-                       if (tcp_child_process(sk, nsk, skb))
+                       if (tcp_child_process(sk, nsk, skb)) {
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST_LOG
+                       if(grsec_enable_stealth_rst_log && net_ratelimit())
+                               printk(KERN_INFO "grsec: unserved TCP on %.8s "
+                                       "src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu\n",
+                                       (skb->dev->name ? skb->dev->name : "unknown"), 
+                                       NIPQUAD(skb->nh.iph->saddr), ntohs(skb->h.th->source), 
+                                       NIPQUAD(skb->nh.iph->daddr), ntohs(skb->h.th->dest));
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST
+                       if(grsec_enable_stealth_rst) goto discard;
+#endif
                                goto reset;
+                       }
                        return 0;
                }
        }
@@ -1617,6 +1663,32 @@
 
        if (th->doff < sizeof(struct tcphdr)/4)
                goto bad_packet;
+
+#if defined(CONFIG_GRKERNSEC_STEALTH_FLAGS) || defined(CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG)
+       if((th->fin && th->syn) || 
+          (!(th->ack || th->syn || th->rst) || th->res1) ||
+           (th->fin && th->psh && th->urg)) {
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS_LOG
+               if(grsec_enable_stealth_flags_log && net_ratelimit())
+                       printk(KERN_INFO "grsec: illegitimate flags on %.8s "
+                               "src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu"
+                               "%.4s%.4s%.4s%.4s%.4s%.4s\n",
+                               (skb->dev->name ? skb->dev->name : "unknown"),
+                               NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+                               NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+                               th->syn ? " SYN" : "",
+                               th->fin ? " FIN" : "",
+                               th->rst ? " RST" : "",
+                               th->psh ? " PSH" : "",
+                               th->ack ? " ACK" : "",
+                               th->urg ? " URG" : "");
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_FLAGS
+               if(grsec_enable_stealth_flags)
+                       goto discard_it;
+#endif
+       }
+#endif
        if (!pskb_may_pull(skb, th->doff*4))
                goto discard_it;
 
@@ -1670,6 +1742,17 @@
 bad_packet:
                TCP_INC_STATS_BH(TcpInErrs);
        } else {
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST_LOG
+               if(grsec_enable_stealth_rst_log && net_ratelimit())
+                       printk(KERN_INFO "grsec: unserved TCP on %.8s "
+                               "src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu\n",
+                               (skb->dev->name ? skb->dev->name : "unknown"), 
+                               NIPQUAD(skb->nh.iph->saddr), ntohs(skb->h.th->source), 
+                               NIPQUAD(skb->nh.iph->daddr), ntohs(skb->h.th->dest));
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_RST
+               if(grsec_enable_stealth_rst) goto discard_it;
+#endif
                tcp_v4_send_reset(skb);
        }
 
diff -urN linux/net/ipv4/udp.c linux/net/ipv4/udp.c
--- linux/net/ipv4/udp.c        Wed Oct 17 17:16:39 2001
+++ linux/net/ipv4/udp.c        Sun Dec 23 19:13:16 2001
@@ -94,6 +94,11 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 
+#if defined(CONFIG_GRKERNSEC_RANDID) ||\
+    defined(CONFIG_GRKERNSEC_STEALTH_UDP) ||\
+    defined(CONFIG_GRKERNSEC_STEALTH_UDP_LOG)
+#include <linux/grsecurity.h>
+#endif
 /*
  *     Snmp MIB for the UDP layer
  */
@@ -738,6 +743,12 @@
        sk->daddr = rt->rt_dst;
        sk->dport = usin->sin_port;
        sk->state = TCP_ESTABLISHED;
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
        sk->protinfo.af_inet.id = jiffies;
 
        sk_dst_set(sk, &rt->u.dst);
@@ -915,6 +926,18 @@
                goto csum_error;
 
        UDP_INC_STATS_BH(UdpNoPorts);
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP_LOG
+       if(grsec_enable_stealth_udp_log && net_ratelimit() &&
+          ((strlen(skb->dev->name) != 2) || strcmp(skb->dev->name,"lo")))
+               printk(KERN_INFO "grsec: unserved UDP on %.8s src=%u.%u.%u.%u:%hu "
+                       "dst=%u.%u.%u.%u:%hu\n", 
+                       (skb->dev->name ? skb->dev->name : "unknown"), NIPQUAD(saddr),
+                       ntohs(uh->source), NIPQUAD(daddr), ntohs(uh->dest));
+#endif
+#ifdef CONFIG_GRKERNSEC_STEALTH_UDP
+       if(!grsec_enable_stealth_udp || ((strlen(skb->dev->name) == 2) && 
+          !strcmp(skb->dev->name,"lo")))
+#endif 
        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 
        /*
diff -urN linux/net/netsyms.c linux/net/netsyms.c
--- linux/net/netsyms.c Fri Dec 21 12:42:06 2001
+++ linux/net/netsyms.c Sun Dec 23 19:13:16 2001
@@ -578,4 +578,22 @@
 EXPORT_SYMBOL(net_call_rx_atomic);
 EXPORT_SYMBOL(softnet_data);
 
+#if defined(CONFIG_GRKERNSEC_RANDID) || defined(CONFIG_GRKERNSEC_RANDTTL) ||\
+    defined(CONFIG_GRKERNSEC_RANDSRC)
+#include <linux/grsecurity.h>
+#endif
+#if defined(CONFIG_GRKERNSEC_RANDID) || defined(CONFIG_GRKERNSEC_RANDSRC)
+EXPORT_SYMBOL(ip_randomid);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+EXPORT_SYMBOL(grsec_enable_randid);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+EXPORT_SYMBOL(grsec_enable_randsrc);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+EXPORT_SYMBOL(grsec_enable_randttl);
+EXPORT_SYMBOL(grsec_randttl_thresh);
+#endif
+
 #endif  /* CONFIG_NET */
diff -urN linux/net/socket.c linux/net/socket.c
--- linux/net/socket.c  Fri Dec 21 12:42:06 2001
+++ linux/net/socket.c  Sun Dec 23 19:13:16 2001
@@ -85,6 +85,13 @@
 #include <net/scm.h>
 #include <linux/netfilter.h>
 
+#if defined(CONFIG_GRKERNSEC_SOCKET_ALL)||\
+    defined(CONFIG_GRKERNSEC_SOCKET_CLIENT)||\
+    defined(CONFIG_GRKERNSEC_SOCKET_SERVER)
+#include <linux/grsecurity.h>
+#endif
+
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static loff_t sock_lseek(struct file *file, loff_t offset, int whence);
 static ssize_t sock_read(struct file *file, char *buf,
@@ -912,6 +919,16 @@
        int retval;
        struct socket *sock;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       if(grsec_enable_socket_all &&
+       (in_group_p(grsec_socket_all_gid)) && (family != AF_UNIX) && (family != AF_LOCAL)){
+               security_alert("attempted socket(%d,%d,%d) by "
+               DEFAULTSECMSG,"attempted sockets",family,type,protocol,
+               DEFAULTSECARGS);
+               retval = -EACCES;
+               goto out;
+       }
+#endif
        retval = sock_create(family, type, protocol, &sock);
        if (retval < 0)
                goto out;
@@ -1009,6 +1026,14 @@
        char address[MAX_SOCK_ADDR];
        int err;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       if(grsec_enable_socket_server &&
+       (in_group_p(grsec_socket_server_gid)) && (umyaddr->sa_family != AF_UNIX) && (umyaddr->sa_family != AF_LOCAL)){
+               security_alert("attempted bind() by " DEFAULTSECMSG,
+               "attempted binds", DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
        if((sock = sockfd_lookup(fd,&err))!=NULL)
        {
                if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
@@ -1117,6 +1142,16 @@
        char address[MAX_SOCK_ADDR];
        int err;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+       if(grsec_enable_socket_client &&
+       (in_group_p(grsec_socket_client_gid)) && (uservaddr->sa_family != AF_UNIX) && (uservaddr->sa_family != AF_LOCAL)){
+               security_alert("attempted connect() to fd %d by "
+                               DEFAULTSECMSG, "attempted connects", fd, 
+                               DEFAULTSECARGS);
+               err = -EACCES;
+               goto out;
+       }
+#endif
        sock = sockfd_lookup(fd, &err);
        if (!sock)
                goto out;