1 --- linux-2.6.20/grsecurity/gracl_shm.c~ 2007-03-24 04:54:27.000000000 +0100
2 +++ linux-2.6.20/grsecurity/gracl_shm.c 2007-03-24 04:55:46.332159000 +0100
4 #include <linux/gracl.h>
5 #include <linux/grsecurity.h>
6 #include <linux/grinternal.h>
7 +#include <linux/vs_pid.h>
10 gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
11 --- linux-2.6.20/localversion-grsec 2007-03-24 04:54:27.000000000 +0100
12 +++ /dev/null 2007-03-24 05:05:10.455414500 +0100
15 --- linux-2.6.20/grsecurity/grsec_sock.c~ 2007-03-24 05:38:40.000000000 +0100
16 +++ linux-2.6.20/grsecurity/grsec_sock.c 2007-03-24 05:47:11.347998750 +0100
20 #include <net/inet_sock.h>
21 +#include <linux/vs_context.h>
22 #include <linux/grsecurity.h>
23 #include <linux/grinternal.h>
24 #include <linux/gracl.h>
26 === analogous as capable()
28 --- a/kernel/capability.c~ 2007-12-11 00:46:02.000000000 +0100
29 +++ a/kernel/capability.c 2007-12-11 01:35:00.244481500 +0100
30 @@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int
32 int capable_nolog(int cap)
34 + if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
36 if (has_capability(current, cap) && gr_is_capable_nolog(cap)) {
37 current->flags |= PF_SUPERPRIV;
40 === let vserver block signals before grsec
42 --- a/kernel/signal.c 2007-10-02 00:08:49.954483500 +0200
43 +++ b/kernel/signal.c 2007-10-02 00:24:31.969355750 +0200
44 @@ -553,6 +553,11 @@ static int check_kill_permission(int sig
45 sig, info, t, vx_task_xid(t), t->pid, current->xid);
50 + if (gr_handle_signal(t, sig))
54 return security_task_kill(t, info, sig, 0);
57 === vserver netlink protection
59 --- a/security/commoncap.c~ 2007-12-10 23:52:36.000000000 +0100
60 +++ a/security/commoncap.c 2007-12-11 01:43:04.426741000 +0100
63 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
65 - NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
66 + NETLINK_CB(skb).eff_cap = cap_intersect(gr_cap_rtnetlink(sk), vx_mbcaps(current->cap_effective));
71 === vserver hooks in cap_capable_nolog
73 --- i/security/commoncap.c1 2008-10-28 21:28:07.873037469 +0100
74 +++ i/security/commoncap.c 2008-10-28 21:36:20.429660261 +0100
75 @@ -76,8 +76,14 @@ int cap_capable (struct task_struct *tsk
77 int cap_capable_nolog (struct task_struct *tsk, int cap)
79 + struct vx_info *vxi = tsk->vx_info;
80 + /* special case SETUP */ /* co to jest? - zbyniu */
81 + if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) &&
82 + cap_raised(tsk->cap_effective, cap))
85 /* tsk = current for all callers */
86 - if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
87 + if (vx_cap_raised(vxi, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))