1 --- linux-2.6.20/grsecurity/gracl_shm.c~ 2007-03-24 04:54:27.000000000 +0100
2 +++ linux-2.6.20/grsecurity/gracl_shm.c 2007-03-24 04:55:46.332159000 +0100
4 #include <linux/gracl.h>
5 #include <linux/grsecurity.h>
6 #include <linux/grinternal.h>
7 +#include <linux/vs_pid.h>
10 gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
11 --- linux-2.6.20/localversion-grsec 2007-03-24 04:54:27.000000000 +0100
12 +++ /dev/null 2007-03-24 05:05:10.455414500 +0100
15 --- linux-2.6.20/grsecurity/grsec_sock.c~ 2007-03-24 05:38:40.000000000 +0100
16 +++ linux-2.6.20/grsecurity/grsec_sock.c 2007-03-24 05:47:11.347998750 +0100
20 #include <net/inet_sock.h>
21 +#include <linux/vs_context.h>
22 #include <linux/grsecurity.h>
23 #include <linux/grinternal.h>
24 #include <linux/gracl.h>
26 === analogous as capable()
28 --- a/kernel/capability.c~ 2007-12-11 00:46:02.000000000 +0100
29 +++ a/kernel/capability.c 2007-12-11 01:35:00.244481500 +0100
30 @@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int
32 int capable_nolog(int cap)
34 + if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
36 if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
37 current->flags |= PF_SUPERPRIV;
40 === let vserver block signals before grsec
42 --- a/kernel/signal.c 2007-10-02 00:08:49.954483500 +0200
43 +++ b/kernel/signal.c 2007-10-02 00:24:31.969355750 +0200
44 @@ -539,11 +539,11 @@ static int check_kill_permission(int sig
48 - if ((((sig != SIGCONT) ||
49 + if (((sig != SIGCONT) ||
50 (process_session(current) != process_session(t)))
51 && (current->euid ^ t->suid) && (current->euid ^ t->uid)
52 && (current->uid ^ t->suid) && (current->uid ^ t->uid)
53 - && !capable(CAP_KILL)) || gr_handle_signal(t, sig))
54 + && !capable(CAP_KILL))
58 @@ -553,6 +553,11 @@ static int check_kill_permission(int sig
59 sig, info, t, vx_task_xid(t), t->pid, current->xid);
64 + if (gr_handle_signal(t, sig))
68 return security_task_kill(t, info, sig, 0);
71 === vserver netlink protection
73 --- a/security/commoncap.c~ 2007-12-10 23:52:36.000000000 +0100
74 +++ a/security/commoncap.c 2007-12-11 01:43:04.426741000 +0100
77 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
79 - cap_t(NETLINK_CB(skb).eff_cap) = gr_cap_rtnetlink();
80 + cap_t(NETLINK_CB(skb).eff_cap) = gr_cap_rtnetlink() & vx_mbcap(cap_effective);