1 diff -urNp linux-2.6.16.2/arch/sparc/Makefile linux-2.6.16.2/arch/sparc/Makefile
2 --- linux-2.6.16.2/arch/sparc/Makefile 2006-04-07 12:56:47.000000000 -0400
3 +++ linux-2.6.16.2/arch/sparc/Makefile 2006-04-09 21:23:54.000000000 -0400
4 @@ -34,7 +34,7 @@ libs-y += arch/sparc/prom/ arch/sparc/li
5 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
6 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
8 -CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
9 +CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
10 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
11 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
12 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
13 diff -urN linux-2.6.16.2/Makefile linux-2.6.16.2-grsec/Makefile
14 --- linux-2.6.16.2/Makefile 2006-04-07 18:56:47.000000000 +0200
15 +++ linux-2.6.16.2-grsec/Makefile 2006-04-11 17:44:40.069707000 +0200
19 ifeq ($(KBUILD_EXTMOD),)
20 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
21 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
23 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
24 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
25 diff -urN linux-2.6.16.2/drivers/char/keyboard.c linux-2.6.16.2-grsec/drivers/char/keyboard.c
26 --- linux-2.6.16.2/drivers/char/keyboard.c 2006-04-07 18:56:47.000000000 +0200
27 +++ linux-2.6.16.2-grsec/drivers/char/keyboard.c 2006-04-11 17:44:40.073707250 +0200
29 kbd->kbdmode == VC_MEDIUMRAW) &&
31 return; /* SAK is allowed even in raw mode */
33 +#if defined(CONFIG_GRKERNSEC_PROC)
35 + void *func = fn_handler[value];
36 + if (func == fn_show_state || func == fn_show_ptregs ||
37 + func == fn_show_mem)
42 fn_handler[value](vc, regs);
45 diff -urN linux-2.6.16.2/drivers/pci/proc.c linux-2.6.16.2-grsec/drivers/pci/proc.c
46 --- linux-2.6.16.2/drivers/pci/proc.c 2006-04-07 18:56:47.000000000 +0200
47 +++ linux-2.6.16.2-grsec/drivers/pci/proc.c 2006-04-11 17:44:40.073707250 +0200
51 sprintf(name, "%02x.%x", PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
52 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53 +#ifdef CONFIG_GRKERNSEC_PROC_USER
54 + e = create_proc_entry(name, S_IFREG | S_IRUGO | S_IWUSR | S_IRUSR, bus->procdir);
55 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
56 + e = create_proc_entry(name, S_IFREG | S_IRUGO | S_IWUSR | S_IRUSR | S_IRGRP, bus->procdir);
59 e = create_proc_entry(name, S_IFREG | S_IRUGO | S_IWUSR, bus->procdir);
63 e->proc_fops = &proc_bus_pci_operations;
66 struct proc_dir_entry *entry;
67 struct pci_dev *dev = NULL;
68 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
69 +#ifdef CONFIG_GRKERNSEC_PROC_USER
70 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
71 +#elif CONFIG_GRKERNSEC_PROC_USERGROUP
72 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
75 proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
77 entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
79 entry->proc_fops = &proc_bus_pci_dev_operations;
80 diff -urN linux-2.6.16.2/fs/Kconfig linux-2.6.16.2-grsec/fs/Kconfig
81 --- linux-2.6.16.2/fs/Kconfig 2006-04-07 18:56:47.000000000 +0200
82 +++ linux-2.6.16.2-grsec/fs/Kconfig 2006-04-11 17:44:40.073707250 +0200
86 bool "/proc/kcore support" if !ARM
87 - depends on PROC_FS && MMU
88 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
91 bool "/proc/vmcore support (EXPERIMENTAL)"
92 diff -urN linux-2.6.16.2/fs/namei.c linux-2.6.16.2-grsec/fs/namei.c
93 --- linux-2.6.16.2/fs/namei.c 2006-04-07 18:56:47.000000000 +0200
94 +++ linux-2.6.16.2-grsec/fs/namei.c 2006-04-11 18:10:35.961452750 +0200
96 #include <linux/vserver/inode.h>
97 #include <linux/vs_tag.h>
98 #include <linux/vserver/debug.h>
99 +#include <linux/grsecurity.h>
100 #include <asm/namei.h>
101 #include <asm/uaccess.h>
104 err = security_inode_follow_link(path->dentry, nd);
108 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
109 + path->dentry->d_inode, path->dentry, nd->mnt)) {
114 current->link_count++;
115 current->total_link_count++;
117 @@ -1647,6 +1655,13 @@
122 + if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
123 + mutex_unlock(&dir->d_inode->i_mutex);
128 mutex_unlock(&dir->d_inode->i_mutex);
131 @@ -1700,6 +1715,13 @@
132 error = security_inode_follow_link(path.dentry, nd);
136 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
137 + path.dentry, nd->mnt)) {
142 error = __do_follow_link(&path, nd);
145 @@ -2251,8 +2273,14 @@
146 new_dentry = lookup_create(&nd, 0);
147 error = PTR_ERR(new_dentry);
148 if (!IS_ERR(new_dentry)) {
149 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
152 + if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
153 + old_nd.dentry->d_inode,
154 + old_nd.dentry->d_inode->i_mode, to))
157 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
161 mutex_unlock(&nd.dentry->d_inode->i_mutex);
162 diff -urN linux-2.6.16.2/fs/proc/array.c linux-2.6.16.2-grsec/fs/proc/array.c
163 --- linux-2.6.16.2/fs/proc/array.c 2006-04-07 18:56:47.000000000 +0200
164 +++ linux-2.6.16.2-grsec/fs/proc/array.c 2006-04-11 17:44:40.077707500 +0200
166 return sprintf(buffer,"%d %d %d %d %d %d %d\n",
167 size, resident, shared, text, lib, data, 0);
170 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
171 +int proc_pid_ipaddr(struct task_struct *task, char * buffer)
175 + len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
180 diff -urN linux-2.6.16.2/fs/proc/base.c linux-2.6.16.2-grsec/fs/proc/base.c
181 --- linux-2.6.16.2/fs/proc/base.c 2006-04-07 18:56:47.000000000 +0200
182 +++ linux-2.6.16.2-grsec/fs/proc/base.c 2006-04-11 17:44:40.077707500 +0200
184 #ifdef CONFIG_AUDITSYSCALL
187 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
191 PROC_TGID_OOM_ADJUST,
194 E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
195 E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
196 E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
197 E(PROC_TGID_MOUNTSTATS, "mountstats", S_IFREG|S_IRUSR),
198 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
199 + E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
202 E(PROC_TGID_SMAPS, "smaps", S_IFREG|S_IRUGO),
204 @@ -1330,6 +1336,9 @@
206 /* procfs is xid tagged */
207 inode->i_tag = (tag_t)vx_task_xid(task);
208 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
209 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
211 security_task_to_inode(task, inode);
214 @@ -1358,7 +1367,9 @@
215 if (pid_alive(task)) {
216 if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
217 inode->i_uid = task->euid;
218 +#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
219 inode->i_gid = task->egid;
224 @@ -1681,6 +1692,12 @@
225 inode->i_fop = &proc_info_file_operations;
226 ei->op.proc_read = proc_pid_status;
228 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
229 + case PROC_TGID_IPADDR:
230 + inode->i_fop = &proc_info_file_operations;
231 + ei->op.proc_read = proc_pid_ipaddr;
235 inode->i_fop = &proc_info_file_operations;
236 ei->op.proc_read = proc_tid_stat;
237 @@ -1985,11 +2002,29 @@
238 if (!proc_pid_visible(task, tgid))
241 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
242 + if (current->uid && (task->uid != current->uid)
243 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
244 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
247 + put_task_struct(task);
252 inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
256 +#ifdef CONFIG_GRKERNSEC_PROC_USER
257 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
258 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
259 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
260 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
262 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
264 inode->i_op = &proc_tgid_base_inode_operations;
265 inode->i_fop = &proc_tgid_base_operations;
266 inode->i_flags|=S_IMMUTABLE;
267 @@ -2084,6 +2120,9 @@
268 static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
270 struct task_struct *p;
271 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
272 + struct task_struct *tmp = current;
277 @@ -2104,6 +2143,14 @@
278 /* check for context visibility */
279 if (!proc_pid_visible(p, tgid))
281 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
282 + if (tmp->uid && (p->uid != tmp->uid)
283 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
284 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
291 tgids[nr_tgids] = vx_map_tgid(tgid);
292 diff -urN linux-2.6.16.2/fs/proc/inode.c linux-2.6.16.2-grsec/fs/proc/inode.c
293 --- linux-2.6.16.2/fs/proc/inode.c 2006-04-07 18:56:47.000000000 +0200
294 +++ linux-2.6.16.2-grsec/fs/proc/inode.c 2006-04-11 17:44:40.077707500 +0200
297 inode->i_mode = de->mode;
298 inode->i_uid = de->uid;
299 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
300 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
302 inode->i_gid = de->gid;
306 PROC_I(inode)->vx_flags = de->vx_flags;
307 diff -urN linux-2.6.16.2/fs/proc/internal.h linux-2.6.16.2-grsec/fs/proc/internal.h
308 --- linux-2.6.16.2/fs/proc/internal.h 2006-04-07 18:56:47.000000000 +0200
309 +++ linux-2.6.16.2-grsec/fs/proc/internal.h 2006-04-11 17:44:40.077707500 +0200
311 extern int proc_tgid_stat(struct task_struct *, char *);
312 extern int proc_pid_status(struct task_struct *, char *);
313 extern int proc_pid_statm(struct task_struct *, char *);
314 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
315 +extern int proc_pid_ipaddr(struct task_struct*,char*);
318 void free_proc_entry(struct proc_dir_entry *de);
320 diff -urN linux-2.6.16.2/fs/proc/proc_misc.c linux-2.6.16.2-grsec/fs/proc/proc_misc.c
321 --- linux-2.6.16.2/fs/proc/proc_misc.c 2006-04-07 18:56:47.000000000 +0200
322 +++ linux-2.6.16.2-grsec/fs/proc/proc_misc.c 2006-04-11 17:44:40.109709500 +0200
324 void __init proc_misc_init(void)
326 struct proc_dir_entry *entry;
331 int (*read_proc)(char*,char**,off_t,int,int*,void*);
333 {"stram", stram_read_proc},
335 {"filesystems", filesystems_read_proc},
336 +#ifndef CONFIG_GRKERNSEC_PROC_ADD
337 {"cmdline", cmdline_read_proc},
339 {"locks", locks_read_proc},
340 {"execdomains", execdomains_read_proc},
342 @@ -708,19 +712,37 @@
343 for (p = simple_ones; p->name; p++)
344 create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
346 +#ifdef CONFIG_GRKERNSEC_PROC_USER
348 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
349 + gr_mode = S_IRUSR | S_IRGRP;
351 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
352 + create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
355 proc_symlink("mounts", NULL, "self/mounts");
357 /* And now for trickier ones */
358 entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
360 entry->proc_fops = &proc_kmsg_operations;
362 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
363 + create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
365 create_seq_entry("devices", 0, &proc_devinfo_operations);
367 create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
368 create_seq_entry("partitions", 0, &proc_partitions_operations);
369 create_seq_entry("stat", 0, &proc_stat_operations);
370 create_seq_entry("interrupts", 0, &proc_interrupts_operations);
372 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
373 + create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
375 create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
377 #ifdef CONFIG_DEBUG_SLAB_LEAK
378 create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
380 @@ -730,12 +752,12 @@
381 create_seq_entry("zoneinfo",S_IRUGO, &proc_zoneinfo_file_operations);
382 create_seq_entry("diskstats", 0, &proc_diskstats_operations);
383 #ifdef CONFIG_MODULES
384 - create_seq_entry("modules", 0, &proc_modules_operations);
385 + create_seq_entry("modules", gr_mode, &proc_modules_operations);
387 #ifdef CONFIG_SCHEDSTATS
388 create_seq_entry("schedstat", 0, &proc_schedstat_operations);
390 -#ifdef CONFIG_PROC_KCORE
391 +#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
392 proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
393 if (proc_root_kcore) {
394 proc_root_kcore->proc_fops = &proc_kcore_operations;
395 diff -urN linux-2.6.16.2/fs/proc/root.c linux-2.6.16.2-grsec/fs/proc/root.c
396 --- linux-2.6.16.2/fs/proc/root.c 2006-04-07 18:56:47.000000000 +0200
397 +++ linux-2.6.16.2-grsec/fs/proc/root.c 2006-04-11 17:44:40.113709750 +0200
402 +#ifdef CONFIG_GRKERNSEC_PROC_USER
403 + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
404 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
405 + proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
407 proc_net = proc_mkdir("net", NULL);
409 proc_net_stat = proc_mkdir("net/stat", NULL);
411 #ifdef CONFIG_SYSVIPC
413 #ifdef CONFIG_PROC_DEVICETREE
414 proc_device_tree_init();
416 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
417 +#ifdef CONFIG_GRKERNSEC_PROC_USER
418 + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
419 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
420 + proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
423 proc_bus = proc_mkdir("bus", NULL);
428 diff -urN linux-2.6.16.2/grsecurity/Kconfig linux-2.6.16.2-grsec/grsecurity/Kconfig
429 --- linux-2.6.16.2/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
430 +++ linux-2.6.16.2-grsec/grsecurity/Kconfig 2006-04-11 19:03:04.020561250 +0200
433 +# grecurity configuration
441 + select CRYPTO_SHA256
443 + If you say Y here, you will be able to configure many features
444 + that will enhance the security of your system. It is highly
445 + recommended that you say Y here and read through the help
446 + for each option so that you fully understand the features and
447 + can evaluate their usefulness for your machine.
449 +menu "Filesystem Protections"
450 +depends on GRKERNSEC
452 +config GRKERNSEC_PROC
453 + bool "Proc restrictions"
455 + If you say Y here, the permissions of the /proc filesystem
456 + will be altered to enhance system security and privacy. You MUST
457 + choose either a user only restriction or a user and group restriction.
458 + Depending upon the option you choose, you can either restrict users to
459 + see only the processes they themselves run, or choose a group that can
460 + view all processes and files normally restricted to root if you choose
461 + the "restrict to user only" option. NOTE: If you're running identd as
462 + a non-root user, you will have to run it as the group you specify here.
464 +config GRKERNSEC_PROC_USER
465 + bool "Restrict /proc to user only"
466 + depends on GRKERNSEC_PROC
468 + If you say Y here, non-root users will only be able to view their own
469 + processes, and restricts them from viewing network-related information,
470 + and viewing kernel symbol and module information.
472 +config GRKERNSEC_PROC_USERGROUP
473 + bool "Allow special group"
474 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
476 + If you say Y here, you will be able to select a group that will be
477 + able to view all processes, network-related information, and
478 + kernel and symbol information. This option is useful if you want
479 + to run identd as a non-root user.
481 +config GRKERNSEC_PROC_GID
482 + int "GID for special group"
483 + depends on GRKERNSEC_PROC_USERGROUP
486 +config GRKERNSEC_PROC_ADD
487 + bool "Additional restrictions"
488 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
490 + If you say Y here, additional restrictions will be placed on
491 + /proc that keep normal users from viewing device information and
492 + slabinfo information that could be useful for exploits.
494 +config GRKERNSEC_LINK
495 + bool "Linking restrictions"
497 + If you say Y here, /tmp race exploits will be prevented, since users
498 + will no longer be able to follow symlinks owned by other users in
499 + world-writable +t directories (i.e. /tmp), unless the owner of the
500 + symlink is the owner of the directory. users will also not be
501 + able to hardlink to files they do not own. If the sysctl option is
502 + enabled, a sysctl option with name "linking_restrictions" is created.
504 +config GRKERNSEC_FIFO
505 + bool "FIFO restrictions"
507 + If you say Y here, users will not be able to write to FIFOs they don't
508 + own in world-writable +t directories (i.e. /tmp), unless the owner of
509 + the FIFO is the same owner of the directory it's held in. If the sysctl
510 + option is enabled, a sysctl option with name "fifo_restrictions" is
515 +config GRKERNSEC_PROC_IPADDR
516 + depends on GRKERNSEC
517 + bool "/proc/<pid>/ipaddr support"
519 + If you say Y here, a new entry will be added to each /proc/<pid>
520 + directory that contains the IP address of the person using the task.
521 + The IP is carried across local TCP and AF_UNIX stream sockets.
522 + This information can be useful for IDS/IPSes to perform remote response
523 + to a local attack. The entry is readable by only the owner of the
524 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
525 + the RBAC system), and thus does not create privacy concerns.
527 +config GRKERNSEC_SHM
528 + depends on GRKERNSEC
529 + bool "Destroy unused shared memory"
532 + If you say Y here, shared memory will be destroyed when no one is
533 + attached to it. Otherwise, resources involved with the shared
534 + memory can be used up and not be associated with any process (as the
535 + shared memory still exists, and the creating process has exited). If
536 + the sysctl option is enabled, a sysctl option with name
537 + "destroy_unused_shm" is created.
539 +config GRKERNSEC_SYSCTL
540 + depends on GRKERNSEC && SYSCTL
541 + bool "Sysctl support"
543 + If you say Y here, you will be able to change the options that
544 + grsecurity runs with at bootup, without having to recompile your
545 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
546 + to enable (1) or disable (0) various features. All the sysctl entries
547 + are mutable until the "grsec_lock" entry is set to a non-zero value.
548 + All features enabled in the kernel configuration are disabled at boot
549 + if you do not say Y to the "Turn on features by default" option.
550 + All options should be set at startup, and the grsec_lock entry should
551 + be set to a non-zero value after all the options are set.
552 + *THIS IS EXTREMELY IMPORTANT*
554 +config GRKERNSEC_SYSCTL_ON
555 + bool "Turn on features by default"
556 + depends on GRKERNSEC_SYSCTL
558 + If you say Y here, instead of having all features enabled in the
559 + kernel configuration disabled at boot time, the features will be
560 + enabled at boot time. It is recommended you say Y here unless
561 + there is some reason you would want all sysctl-tunable features to
562 + be disabled by default. As mentioned elsewhere, it is important
563 + to enable the grsec_lock entry once you have finished modifying
564 + the sysctl entries.
567 diff -urN linux-2.6.16.2/grsecurity/Makefile linux-2.6.16.2-grsec/grsecurity/Makefile
568 --- linux-2.6.16.2/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
569 +++ linux-2.6.16.2-grsec/grsecurity/Makefile 2006-04-11 19:03:17.509404250 +0200
571 +# All code in this directory and various hooks inserted throughout the kernel
572 +# are copyright Brad Spengler, and released under the GPL v2 or higher
574 +obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
576 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o
578 +ifndef CONFIG_GRKERNSEC
579 +obj-y += grsec_disabled.o
582 diff -urN linux-2.6.16.2/grsecurity/grsec_disabled.c linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c
583 --- linux-2.6.16.2/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
584 +++ linux-2.6.16.2-grsec/grsecurity/grsec_disabled.c 2006-04-11 17:44:40.113709750 +0200
586 +#include <linux/kernel.h>
587 +#include <linux/module.h>
588 +#include <linux/config.h>
589 +#include <linux/sched.h>
590 +#include <linux/file.h>
591 +#include <linux/fs.h>
592 +#include <linux/kdev_t.h>
593 +#include <linux/net.h>
594 +#include <linux/in.h>
595 +#include <linux/ip.h>
596 +#include <linux/skbuff.h>
597 +#include <linux/sysctl.h>
599 +#ifdef CONFIG_SYSCTL
601 +gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
608 +grsecurity_init(void)
614 +gr_acl_handle_symlink(const struct dentry * new_dentry,
615 + const struct dentry * parent_dentry,
616 + const struct vfsmount * parent_mnt, const char *from)
622 +gr_acl_handle_link(const struct dentry * new_dentry,
623 + const struct dentry * parent_dentry,
624 + const struct vfsmount * parent_mnt,
625 + const struct dentry * old_dentry,
626 + const struct vfsmount * old_mnt, const char *to)
632 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
633 + const time_t shm_createtime, const uid_t cuid, const int shmid)
639 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
645 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
649 diff -urN linux-2.6.16.2/grsecurity/grsec_fifo.c linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c
650 --- linux-2.6.16.2/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
651 +++ linux-2.6.16.2-grsec/grsecurity/grsec_fifo.c 2006-04-11 19:04:02.872239250 +0200
653 +#include <linux/kernel.h>
654 +#include <linux/sched.h>
655 +#include <linux/fs.h>
656 +#include <linux/file.h>
657 +#include <linux/grinternal.h>
660 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
661 + const struct dentry *dir, const int flag, const int acc_mode)
663 +#ifdef CONFIG_GRKERNSEC_FIFO
664 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
665 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
666 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
667 + (current->fsuid != dentry->d_inode->i_uid)) {
673 diff -urN linux-2.6.16.2/grsecurity/grsec_init.c linux-2.6.16.2-grsec/grsecurity/grsec_init.c
674 --- linux-2.6.16.2/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
675 +++ linux-2.6.16.2-grsec/grsecurity/grsec_init.c 2006-04-11 19:04:24.693603000 +0200
677 +#include <linux/kernel.h>
678 +#include <linux/sched.h>
679 +#include <linux/mm.h>
680 +#include <linux/smp_lock.h>
681 +#include <linux/slab.h>
682 +#include <linux/vmalloc.h>
683 +#include <linux/percpu.h>
685 +int grsec_enable_shm;
686 +int grsec_enable_link;
687 +int grsec_enable_fifo;
691 +grsecurity_init(void)
693 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
694 +#ifndef CONFIG_GRKERNSEC_SYSCTL
697 +#ifdef CONFIG_GRKERNSEC_SHM
698 + grsec_enable_shm = 1;
700 +#ifdef CONFIG_GRKERNSEC_LINK
701 + grsec_enable_link = 1;
703 +#ifdef CONFIG_GRKERNSEC_FIFO
704 + grsec_enable_fifo = 1;
710 diff -urN linux-2.6.16.2/grsecurity/grsec_link.c linux-2.6.16.2-grsec/grsecurity/grsec_link.c
711 --- linux-2.6.16.2/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
712 +++ linux-2.6.16.2-grsec/grsecurity/grsec_link.c 2006-04-11 19:04:40.258575750 +0200
714 +#include <linux/kernel.h>
715 +#include <linux/sched.h>
716 +#include <linux/fs.h>
717 +#include <linux/file.h>
718 +#include <linux/grinternal.h>
721 +gr_handle_follow_link(const struct inode *parent,
722 + const struct inode *inode,
723 + const struct dentry *dentry, const struct vfsmount *mnt)
725 +#ifdef CONFIG_GRKERNSEC_LINK
726 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
727 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
728 + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
736 +gr_handle_hardlink(const struct dentry *dentry,
737 + const struct vfsmount *mnt,
738 + struct inode *inode, const int mode, const char *to)
740 +#ifdef CONFIG_GRKERNSEC_LINK
741 + if (grsec_enable_link && current->fsuid != inode->i_uid &&
742 + (!S_ISREG(mode) || (mode & S_ISUID) ||
743 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
744 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
745 + !capable(CAP_FOWNER) && current->uid) {
751 diff -urN linux-2.6.16.2/grsecurity/grsec_sock.c linux-2.6.16.2-grsec/grsecurity/grsec_sock.c
752 --- linux-2.6.16.2/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
753 +++ linux-2.6.16.2-grsec/grsecurity/grsec_sock.c 2006-04-11 19:20:18.301199750 +0200
755 +#include <linux/kernel.h>
756 +#include <linux/module.h>
757 +#include <linux/sched.h>
758 +#include <linux/file.h>
759 +#include <linux/net.h>
760 +#include <linux/in.h>
761 +#include <linux/ip.h>
762 +#include <net/sock.h>
763 +#include <net/inet_sock.h>
764 +#include <linux/grsecurity.h>
765 +#include <linux/grinternal.h>
767 +#ifdef CONFIG_GRKERNSEC
768 +#define gr_conn_table_size 32749
769 +struct conn_table_entry {
770 + struct conn_table_entry *next;
771 + struct signal_struct *sig;
774 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
775 +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
777 +static __inline__ int
778 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
780 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
783 +static __inline__ int
784 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
785 + __u16 sport, __u16 dport)
787 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
788 + sig->gr_sport == sport && sig->gr_dport == dport))
794 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
796 + struct conn_table_entry **match;
797 + unsigned int index;
799 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
800 + sig->gr_sport, sig->gr_dport,
801 + gr_conn_table_size);
805 + match = &gr_conn_table[index];
806 + newent->next = *match;
812 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
814 + struct conn_table_entry *match, *last = NULL;
815 + unsigned int index;
817 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
818 + sig->gr_sport, sig->gr_dport,
819 + gr_conn_table_size);
821 + match = gr_conn_table[index];
822 + while (match && !conn_match(match->sig,
823 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
826 + match = match->next;
831 + last->next = match->next;
833 + gr_conn_table[index] = NULL;
840 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
841 + __u16 sport, __u16 dport)
843 + struct conn_table_entry *match;
844 + unsigned int index;
846 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
848 + match = gr_conn_table[index];
849 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
850 + match = match->next;
860 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
862 +#ifdef CONFIG_GRKERNSEC
863 + struct signal_struct *sig = task->signal;
864 + struct conn_table_entry *newent;
866 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
867 + if (newent == NULL)
870 + spin_lock(&gr_conn_table_lock);
871 + gr_del_task_from_ip_table_nolock(sig);
872 + sig->gr_saddr = inet->rcv_saddr;
873 + sig->gr_daddr = inet->daddr;
874 + sig->gr_sport = inet->sport;
875 + sig->gr_dport = inet->dport;
876 + gr_add_to_task_ip_table_nolock(sig, newent);
877 + spin_unlock(&gr_conn_table_lock);
882 +void gr_del_task_from_ip_table(struct task_struct *task)
884 +#ifdef CONFIG_GRKERNSEC
885 + spin_lock(&gr_conn_table_lock);
886 + gr_del_task_from_ip_table_nolock(task->signal);
887 + spin_unlock(&gr_conn_table_lock);
893 +gr_attach_curr_ip(const struct sock *sk)
895 +#ifdef CONFIG_GRKERNSEC
896 + struct signal_struct *p, *set;
897 + const struct inet_sock *inet = inet_sk(sk);
899 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
902 + set = current->signal;
904 + spin_lock(&gr_conn_table_lock);
905 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
906 + inet->dport, inet->sport);
907 + if (unlikely(p != NULL)) {
908 + set->curr_ip = p->curr_ip;
909 + gr_del_task_from_ip_table_nolock(p);
910 + spin_unlock(&gr_conn_table_lock);
913 + spin_unlock(&gr_conn_table_lock);
915 + set->curr_ip = inet->daddr;
919 diff -urN linux-2.6.16.2/grsecurity/grsec_sysctl.c linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c
920 --- linux-2.6.16.2/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
921 +++ linux-2.6.16.2-grsec/grsecurity/grsec_sysctl.c 2006-04-11 19:04:50.363207250 +0200
923 +#include <linux/kernel.h>
924 +#include <linux/sched.h>
925 +#include <linux/sysctl.h>
926 +#include <linux/grsecurity.h>
927 +#include <linux/grinternal.h>
930 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
932 +#ifdef CONFIG_GRKERNSEC_SYSCTL
933 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
940 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
941 +enum {GS_LINK=1, GS_FIFO, GS_SHM, GS_LOCK};
944 +ctl_table grsecurity_table[] = {
945 +#ifdef CONFIG_GRKERNSEC_SYSCTL
946 +#ifdef CONFIG_GRKERNSEC_LINK
948 + .ctl_name = GS_LINK,
949 + .procname = "linking_restrictions",
950 + .data = &grsec_enable_link,
951 + .maxlen = sizeof(int),
953 + .proc_handler = &proc_dointvec,
956 +#ifdef CONFIG_GRKERNSEC_FIFO
958 + .ctl_name = GS_FIFO,
959 + .procname = "fifo_restrictions",
960 + .data = &grsec_enable_fifo,
961 + .maxlen = sizeof(int),
963 + .proc_handler = &proc_dointvec,
966 +#ifdef CONFIG_GRKERNSEC_SHM
968 + .ctl_name = GS_SHM,
969 + .procname = "destroy_unused_shm",
970 + .data = &grsec_enable_shm,
971 + .maxlen = sizeof(int),
973 + .proc_handler = &proc_dointvec,
977 + .ctl_name = GS_LOCK,
978 + .procname = "grsec_lock",
979 + .data = &grsec_lock,
980 + .maxlen = sizeof(int),
982 + .proc_handler = &proc_dointvec,
988 diff -urN linux-2.6.16.2/include/linux/grinternal.h linux-2.6.16.2-grsec/include/linux/grinternal.h
989 --- linux-2.6.16.2/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
990 +++ linux-2.6.16.2-grsec/include/linux/grinternal.h 2006-04-11 19:03:34.734480750 +0200
992 +#ifndef __GRINTERNAL_H
993 +#define __GRINTERNAL_H
995 +#ifdef CONFIG_GRKERNSEC
997 +#include <linux/fs.h>
999 +extern int grsec_enable_link;
1000 +extern int grsec_enable_fifo;
1001 +extern int grsec_enable_shm;
1002 +extern int grsec_lock;
1007 diff -urN linux-2.6.16.2/include/linux/grsecurity.h linux-2.6.16.2-grsec/include/linux/grsecurity.h
1008 --- linux-2.6.16.2/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
1009 +++ linux-2.6.16.2-grsec/include/linux/grsecurity.h 2006-04-11 18:06:03.000000000 +0200
1011 +#ifndef GR_SECURITY_H
1012 +#define GR_SECURITY_H
1013 +#include <linux/fs.h>
1014 +#include <linux/binfmts.h>
1016 +extern void gr_del_task_from_ip_table(struct task_struct *p);
1018 +extern int gr_handle_follow_link(const struct inode *parent,
1019 + const struct inode *inode,
1020 + const struct dentry *dentry,
1021 + const struct vfsmount *mnt);
1022 +extern int gr_handle_fifo(const struct dentry *dentry,
1023 + const struct vfsmount *mnt,
1024 + const struct dentry *dir, const int flag,
1025 + const int acc_mode);
1026 +extern int gr_handle_hardlink(const struct dentry *dentry,
1027 + const struct vfsmount *mnt,
1028 + struct inode *inode,
1029 + const int mode, const char *to);
1031 +#ifdef CONFIG_SYSVIPC
1032 +extern void gr_shm_exit(struct task_struct *task);
1034 +static inline void gr_shm_exit(struct task_struct *task)
1040 +#ifdef CONFIG_GRKERNSEC
1041 +extern int grsec_enable_shm;
1045 diff -urN linux-2.6.16.2/include/linux/sched.h linux-2.6.16.2-grsec/include/linux/sched.h
1046 --- linux-2.6.16.2/include/linux/sched.h 2006-04-07 18:56:47.000000000 +0200
1047 +++ linux-2.6.16.2-grsec/include/linux/sched.h 2006-04-11 19:14:15.574530750 +0200
1048 @@ -454,6 +454,13 @@
1049 struct key *session_keyring; /* keyring inherited over fork */
1050 struct key *process_keyring; /* keyring private to this process */
1052 +#ifdef CONFIG_GRKERNSEC
1061 /* Context switch must be unlocked if interrupts are to be enabled */
1062 diff -urN linux-2.6.16.2/include/linux/shm.h linux-2.6.16.2-grsec/include/linux/shm.h
1063 --- linux-2.6.16.2/include/linux/shm.h 2006-04-07 18:56:47.000000000 +0200
1064 +++ linux-2.6.16.2-grsec/include/linux/shm.h 2006-04-11 17:44:40.121710250 +0200
1068 struct user_struct *mlock_user;
1069 +#ifdef CONFIG_GRKERNSEC
1070 + time_t shm_createtime;
1075 /* shm_mode upper byte flags */
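Review bot: The new `shm_createtime` field carries no comment saying what it records or who reads it; the only writer in this patch is `newseg` in ipc/shm.c (`shp->shm_createtime = get_seconds();`) and no reader is visible anywhere in the patch. A comment such as `/* creation time from get_seconds(), written once by newseg() */` would at least pin down the unit and the writer. `shm_lapid`, which `do_shmat` in ipc/shm.c assigns under the same `CONFIG_GRKERNSEC` guard, does not appear in the visible part of this hunk, so it is presumably declared in the lines not shown.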
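--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
+#ifdef CONFIG_GRKERNSEC
+ KERN_GRSECURITY=98, /* grsecurity */
 VM_UNUSED1=1, /* was: struct: Set vm swapping control */
 VM_UNUSED2=2, /* was; int: Linear or sqrt() swapout for hogs */
 VM_UNUSED3=3, /* was: struct: Set free page thresholds */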
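Review bot: `KERN_GRSECURITY=98` is wrapped in `#ifdef CONFIG_GRKERNSEC`, but sysctl `ctl_name` numbers are a binary ABI exposed through this userspace-visible header, so gating the enumerator on a kernel config option only hides the number from tools built against the header without changing anything about the ABI; an unused enumerator costs nothing, and the table entry in kernel/sysctl.c is already gated separately by `CONFIG_GRKERNSEC_SYSCTL`. Suggest `KERN_GRSECURITY=98, /* grsecurity; number reserved regardless of CONFIG_GRKERNSEC */` outside the `#ifdef`. Whether 98 stays clear of later upstream `KERN_*` additions cannot be checked from this hunk, and the comment should say that the value is deliberately placed above the upstream range if that is the intent.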
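--- a/ipc/shm.c
+++ b/ipc/shm.c
 #include <linux/seq_file.h>
 #include <linux/vs_context.h>
 #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
 #include <asm/uaccess.h>
@@ -146,6 +147,17 @@
 shp->shm_lprid = current->tgid;
 shp->shm_dtim = get_seconds();
+#ifdef CONFIG_GRKERNSEC_SHM
+ if (grsec_enable_shm) {
+ if (shp->shm_nattch == 0) {
+ shp->shm_perm.mode |= SHM_DEST;
+ mutex_unlock(&shm_ids.mutex);
 if(shp->shm_nattch == 0 &&
 shp->shm_perm.mode & SHM_DEST)
 shp->shm_atim = shp->shm_dtim = 0;
 shp->shm_ctim = get_seconds();
+#ifdef CONFIG_GRKERNSEC
+ shp->shm_createtime = get_seconds();
 shp->shm_segsz = size;
 shp->shm_nattch = 0;
 shp->id = shm_buildid(id,shp->shm_perm.seq);
@@ -750,6 +765,11 @@
 file = shp->shm_file;
 size = i_size_read(file->f_dentry->d_inode);
+#ifdef CONFIG_GRKERNSEC
+ shp->shm_lapid = current->pid;
 down_write(¤t->mm->mmap_sem);
@@ -916,3 +936,24 @@
+void gr_shm_exit(struct task_struct *task)
+#ifdef CONFIG_GRKERNSEC_SHM
+ struct shmid_kernel *shp;
+ if (!grsec_enable_shm)
+ for (i = 0; i <= shm_ids.max_id; i++) {
+ if (shp && (shp->shm_cprid == task->pid) &&
+ (shp->shm_nattch <= 0)) {
+ shp->shm_perm.mode |= SHM_DEST;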
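Review bot: In `gr_shm_exit` (last hunk) the ownership test `shp->shm_cprid == task->pid` treats PID equality as proof that the exiting task created the segment, but PIDs are reused, so after a wrap a detached segment whose creator is long gone can be flagged `SHM_DEST` by an unrelated process that exits with the same PID; the patch records `shm_createtime` for every segment in `newseg` yet this condition never consults it, so comparing it against the exiting task's start time (or otherwise binding creator identity to more than the PID) would close that gap. `shm_cprid` is compared with `task->pid` rather than `task->tgid`, whereas the `shm_lprid` assignment at the top of the first hunk uses `current->tgid`; if `shm_cprid` is likewise a tgid, only the thread-group leader's exit can ever match, which may or may not be intended. `shm_nattch` is unsigned, so `shp->shm_nattch <= 0` is just `== 0` and reads as if negative counts were possible. The lines between the loop header and the condition, and after the `SHM_DEST` assignment, are not shown, so whether `shm_ids.mutex` and per-segment `shm_lock`/`shm_unlock` bracket the walk over `shm_ids.max_id` (as the `mutex_unlock(&shm_ids.mutex)` in the first hunk suggests they must) cannot be confirmed from here.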
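--- a/kernel/exit.c
+++ b/kernel/exit.c
 #include <linux/compat.h>
 #include <linux/pipe_fs_i.h>
 #include <linux/audit.h> /* for audit_free() */
+#include <linux/grsecurity.h>
 #include <linux/vs_limit.h>
 #include <linux/vs_context.h>
 #include <linux/vs_network.h>
 if (tsk == sig->curr_target)
 sig->curr_target = next_thread(tsk);
+ gr_del_task_from_ip_table(tsk);
 * Accumulate here the counters for all threads but the
 * group leader as they die, so they can be added into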
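Review bot: `gr_del_task_from_ip_table(tsk)` is inserted right after the `sig->curr_target` update, whose enclosing function and locking context lie outside the hunk; in the upstream `__exit_signal` that point is reached with `tasklist_lock` write-held and `sighand->siglock` held with interrupts disabled, so the callee must not sleep, must not allocate with a sleeping GFP flag, and must not take any lock that the connect-path writer (`gr_update_task_in_ip_table` in net/ipv4/inet_hashtables.c, which runs with bottom halves disabled) can hold while waiting on something held here. That contract is stated nowhere on the prototype in include/linux/grsecurity.h; a comment there such as `/* called from __exit_signal() under tasklist_lock/siglock with IRQs off: must not sleep */` would make it explicit. The hook also fires for every exiting thread, not only the group leader, which is presumably intended since the table appears to be keyed by task.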
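--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
 void __user *buffer, size_t *lenp, loff_t *ppos);
 #if defined(CONFIG_SYSCTL)
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
 /* External variables not in a header file. */
 #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
 int sysctl_legacy_va_layout;
+extern ctl_table grsecurity_table[];
 /* /proc declarations: */
@@ -683,6 +689,16 @@
 .proc_handler = &proc_dointvec,
+#if defined(CONFIG_GRKERNSEC_SYSCTL)
+ .ctl_name = KERN_GRSECURITY,
+ .procname = "grsecurity",
+ .child = grsecurity_table,
@@ -1181,6 +1197,8 @@
 static inline int ctl_perm(ctl_table *table, int op)
+ if (table->de && gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))
 error = security_sysctl(table, op);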
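Review bot: The new `ctl_perm` hook is guarded by `table->de &&`, so any sysctl node without a proc entry — entries registered with no procname, which are reachable only through the binary `sysctl(2)` path — bypasses `gr_handle_sysctl_mod` entirely and the policy fails open for them; since this line is the enforcement point, it should either handle the no-`de` case explicitly (for example by checking against `table->ctl_name`, or by treating a missing proc entry as a denial when `op` requests write access) or carry a comment explaining why proc-less nodes are out of scope. `table->de->parent` is dereferenced without a check; it is non-NULL for everything registered under /proc/sys, but a short comment saying so would save the next reader the lookup. Separately, `gr_handle_sysctl_mod` is declared with a file-local `extern` even though `<linux/grsecurity.h>` is included two lines above, and the same pattern recurs for `gr_update_task_in_ip_table` in net/ipv4/inet_hashtables.c and `gr_attach_curr_ip` in net/socket.c; moving all three prototypes into the header keeps each signature checked in one place.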
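--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/wait.h>
+#include <linux/grsecurity.h>
 #include <net/inet_connection_sock.h>
 #include <net/inet_hashtables.h>
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
 * Allocate and initialize a new local port bind bucket.
 * The bindhash mutex for snum's hash chain must be held here.
 spin_unlock(&head->lock);
+ gr_update_task_in_ip_table(current, inet_sk(sk));
 inet_twsk_deschedule(tw, death_row);;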
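Review bot: `gr_update_task_in_ip_table(current, inet_sk(sk))` is placed right after `spin_unlock(&head->lock)`, but the function this hunk patches starts and ends outside the hunk, and in the upstream version that point is still inside the `local_bh_disable()` region that ends at the function's `out:` label, so the hook runs in atomic context and must not sleep or allocate with a sleeping GFP flag; nothing on the prototype says so. Unlike the ipc/shm.c hooks, this call is not wrapped in `#ifdef CONFIG_GRKERNSEC`, so it relies on grsecurity/ always providing a definition; a call-site comment such as `/* grsecurity: record task<->local port binding; bh disabled here, must not sleep */` would capture both points. The task recorded is `current`, i.e. the connecting task, so a socket later shared with another process via fork or descriptor passing stays attributed to the original task until that task exits and `gr_del_task_from_ip_table` runs; whether that attribution is intended cannot be judged from the hunk.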
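--- a/net/socket.c
+++ b/net/socket.c
 #include <linux/compat.h>
 #include <linux/kmod.h>
 #include <linux/audit.h>
+#include <linux/in.h>
 #include <linux/wireless.h>
 #include <asm/uaccess.h>
 #include <linux/netfilter.h>
 #include <linux/vs_socket.h>
+extern void gr_attach_curr_ip(const struct sock *sk);
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
 size_t size, loff_t pos);
@@ -1396,6 +1398,7 @@
 security_socket_post_accept(sock, newsock);
+ gr_attach_curr_ip(newsock->sk);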
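Review bot: `gr_attach_curr_ip(newsock->sk)` runs for every accepted socket regardless of address family — AF_UNIX and other non-inet accepts go through this same path — so the callee has to check `sk->sk_family` before reading any inet-specific field, and the `const struct sock *sk` prototype does not constrain that; a call-site comment such as `/* grsecurity: called for any family; callee must check sk_family */` would make the expectation visible. The added `#include <linux/in.h>` is not used by any line shown in this hunk; if nothing else in the file needs it, it belongs with the callee rather than here. As in kernel/sysctl.c and net/ipv4/inet_hashtables.c, the local `extern` prototype should live in include/linux/grsecurity.h.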
1287 diff -urN linux-2.6.16.2/security/Kconfig linux-2.6.16.2-grsec/security/Kconfig
1288 --- linux-2.6.16.2/security/Kconfig 2006-04-07 18:56:47.000000000 +0200
1289 +++ linux-2.6.16.2-grsec/security/Kconfig 2006-04-11 17:44:40.129710750 +0200
1292 menu "Security options"
1294 +source grsecurity/Kconfig
1297 bool "Enable access key retention support"