1 diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile
2 --- linux-2.6.26.orig/arch/sparc/Makefile 2008-09-01 11:44:21.000000000 +0200
3 +++ linux-2.6.26/arch/sparc/Makefile 2008-09-02 12:17:21.000000000 +0200
4 @@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5 # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
6 INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
8 -CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
9 +CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
10 CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
11 DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
12 NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
13 diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
14 --- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200
15 +++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200
16 @@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
17 kbd->kbdmode == VC_MEDIUMRAW) &&
19 return; /* SAK is allowed even in raw mode */
21 +#if defined(CONFIG_GRKERNSEC_PROC)
23 + void *func = fn_handler[value];
24 + if (func == fn_show_state || func == fn_show_ptregs ||
25 + func == fn_show_mem)
30 fn_handler[value](vc);
33 diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
34 --- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200
35 +++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200
36 @@ -472,7 +472,16 @@ static const struct file_operations proc
37 static int __init pci_proc_init(void)
39 struct pci_dev *dev = NULL;
41 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
42 +#ifdef CONFIG_GRKERNSEC_PROC_USER
43 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
44 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
48 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
50 proc_create("devices", 0, proc_bus_pci_dir,
51 &proc_bus_pci_dev_operations);
53 diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
54 --- linux-2.6.26.orig/fs/Kconfig 2008-09-01 11:43:58.000000000 +0200
55 +++ linux-2.6.26/fs/Kconfig 2008-09-02 12:17:21.000000000 +0200
56 @@ -926,12 +926,12 @@ config PROC_FS
59 bool "/proc/kcore support" if !ARM
60 - depends on PROC_FS && MMU
61 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
64 bool "/proc/vmcore support (EXPERIMENTAL)"
65 - depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP
67 + depends on PROC_FS && EXPERIMENTAL && CRASH_DUMP && !GRKERNSEC
70 Exports the dump image of crashed kernel in ELF format.
72 diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c
73 --- linux-2.6.26.orig/fs/namei.c 2008-09-01 11:43:59.000000000 +0200
74 +++ linux-2.6.26/fs/namei.c 2008-09-02 12:17:21.000000000 +0200
76 #include <linux/vs_cowbl.h>
77 #include <linux/vs_device.h>
78 #include <linux/vs_context.h>
79 +#include <linux/grsecurity.h>
80 #include <asm/namei.h>
81 #include <asm/uaccess.h>
83 @@ -740,6 +741,13 @@ static inline int do_follow_link(struct
84 err = security_inode_follow_link(path->dentry, nd);
88 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
89 + path->dentry->d_inode, path->dentry)) {
94 current->link_count++;
95 current->total_link_count++;
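Review bot: The new hook reads `path->dentry->d_parent->d_inode` with no lock held, and d_parent can change under a concurrent rename; the directory being walked is already pinned through the nameidata, so passing `nd->path.dentry->d_inode` as the parent gives the same inode without the unguarded dereference. The do_link hunk further down uses the same expression (`gr_handle_follow_link(path.dentry->d_parent->d_inode, ...)`), where `nd.path.dentry->d_inode` would serve. The lines between the hook and `current->link_count++;` that act on its non-zero return are elided on this page, so the error path itself could not be checked.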
97 @@ -1925,6 +1933,12 @@ do_last:
102 + if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
104 + goto exit_mutex_unlock;
107 mutex_unlock(&dir->d_inode->i_mutex);
108 audit_inode(pathname, path.dentry);
110 @@ -2028,6 +2042,13 @@ do_link:
111 error = security_inode_follow_link(path.dentry, &nd);
115 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
121 error = __do_follow_link(&path, &nd);
123 /* Does someone understand code flow here? Or it is only
124 @@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
125 error = PTR_ERR(new_dentry);
126 if (IS_ERR(new_dentry))
129 + if (gr_handle_hardlink(old_nd.path.dentry, old_nd.path.dentry->d_inode,
130 + old_nd.path.dentry->d_inode->i_mode, to)) {
135 error = mnt_want_write(nd.path.mnt);
138 diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
139 --- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200
140 +++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200
141 @@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
146 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
147 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
149 + return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
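Review bot: proc_pid_ipaddr dereferences `task->signal` with nothing pinning it; the task reference its caller holds does not keep the signal_struct attached, and this patch's own kernel/exit.c hunk shows __exit_signal tearing the signal side down under sighand->siglock. The existing base.c handlers that read task->signal (proc_pid_limits, for one) take `lock_task_sighand(task, &flags)` and return 0 when it fails, so the same shape belongs here. The function's braces and the closing `#endif` are elided on this page.
```c
int proc_pid_ipaddr(struct task_struct *task, char *buffer)
{
	unsigned long flags;
	int len;

	/* signal_struct can be detached by __exit_signal; hold siglock while reading it */
	if (!lock_task_sighand(task, &flags))
		return 0;
	len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
	unlock_task_sighand(task, &flags);
	return len;
}
```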
152 diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c
153 --- linux-2.6.26.orig/fs/proc/base.c 2008-09-01 11:43:59.000000000 +0200
154 +++ linux-2.6.26/fs/proc/base.c 2008-09-02 12:23:45.000000000 +0200
156 #include <linux/pid_namespace.h>
157 #include <linux/vs_context.h>
158 #include <linux/vs_network.h>
159 +#include <linux/grsecurity.h>
161 #include "internal.h"
164 @@ -148,7 +150,7 @@ static unsigned int pid_entry_count_dirs
169 +int maps_protect = 1;
170 EXPORT_SYMBOL(maps_protect);
172 static struct fs_struct *get_fs_struct(struct task_struct *task)
173 @@ -307,9 +312,9 @@ static int proc_pid_auxv(struct task_str
174 struct mm_struct *mm = get_task_mm(task);
176 unsigned int nwords = 0;
180 - while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
181 + } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
182 res = nwords * sizeof(mm->saved_auxv[0]);
185 @@ -1412,7 +1417,11 @@ static struct inode *proc_pid_make_inode
187 if (task_dumpable(task)) {
188 inode->i_uid = task->euid;
189 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
190 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
192 inode->i_gid = task->egid;
195 /* procfs is xid tagged */
196 inode->i_tag = (tag_t)vx_task_xid(task);
197 @@ -1430,17 +1439,39 @@ static int pid_getattr(struct vfsmount *
199 struct inode *inode = dentry->d_inode;
200 struct task_struct *task;
201 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
202 + struct task_struct *tmp = current;
205 generic_fillattr(inode, stat);
210 task = pid_task(proc_pid(inode), PIDTYPE_PID);
214 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
215 + && (!tmp->uid || (tmp->uid == task->uid)
216 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
217 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
222 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
223 +#ifdef CONFIG_GRKERNSEC_PROC_USER
224 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
225 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
226 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
228 task_dumpable(task)) {
229 stat->uid = task->euid;
230 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
231 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
233 stat->gid = task->egid;
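Review bot: The visibility test added ahead of `stat->uid = task->euid;`, `&& (!tmp->uid || (tmp->uid == task->uid)`, keys the root exemption on current's real uid being 0 rather than on a capability or on fsuid, so a setuid-root helper run by an ordinary user gets the restricted view while a uid-0 service that has merely switched its euid still sees every task, and the values reported afterwards come from `task->euid`/`task->egid`, a third identity. If comparing real uids is deliberate it deserves a one-line comment; otherwise compare the same identity on both sides. The same form recurs in the proc_pid_readdir hunk below (`if (tmp->uid && (iter.task->uid != tmp->uid)`). The closing lines of this hunk are elided on this page.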
238 @@ -1468,11 +1505,21 @@ static int pid_revalidate(struct dentry
240 struct inode *inode = dentry->d_inode;
241 struct task_struct *task = get_proc_task(inode);
244 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
245 +#ifdef CONFIG_GRKERNSEC_PROC_USER
246 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
247 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
248 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
250 task_dumpable(task)) {
251 inode->i_uid = task->euid;
252 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
253 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
255 inode->i_gid = task->egid;
260 @@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
261 struct nameidata *nd)
264 + struct task_struct *task;
266 rv = generic_permission(inode, mask, NULL);
270 if (task_pid(current) == proc_pid(inode))
273 + task = get_proc_task(inode);
277 + put_task_struct(task);
282 @@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
286 +#ifdef CONFIG_GRKERNSEC_PROC_USER
287 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
288 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
289 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
290 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
292 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
294 inode->i_op = &proc_tgid_base_inode_operations;
295 inode->i_fop = &proc_tgid_base_operations;
296 inode->i_flags|=S_IMMUTABLE;
297 @@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
299 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
300 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
301 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
302 + struct task_struct *tmp = current;
304 struct tgid_iter iter;
305 struct pid_namespace *ns;
307 @@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
308 for (iter = next_tgid(ns, iter);
310 iter.tgid += 1, iter = next_tgid(ns, iter)) {
311 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
312 + if (tmp->uid && (iter.task->uid != tmp->uid)
313 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
314 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
320 filp->f_pos = iter.tgid + TGID_OFFSET;
321 if (!vx_proc_task_visible(iter.task))
323 @@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
324 #ifdef CONFIG_FAULT_INJECTION
325 REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
327 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
328 + INF("ipaddr", S_IRUSR, pid_ipaddr),
332 static int proc_tid_base_readdir(struct file * filp,
333 diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
334 --- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200
335 +++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200
336 @@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
338 inode->i_mode = de->mode;
339 inode->i_uid = de->uid;
340 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
341 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
343 inode->i_gid = de->gid;
347 PROC_I(inode)->vx_flags = de->vx_flags;
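Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP every procfs inode now receives `inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;` and the entry's own `de->gid` is never consulted, so a proc_dir_entry that deliberately sets a group is silently regrouped. If the aim is only to open otherwise root-owned entries to the special group, `inode->i_gid = de->gid ? de->gid : CONFIG_GRKERNSEC_PROC_GID;` keeps explicit ownership intact; either way a short comment stating that the override is intentional would help the next reader. The `#else`/`#endif` lines between the two visible assignments are elided here.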
348 diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h
349 --- linux-2.6.26.orig/fs/proc/internal.h 2008-09-01 11:43:59.000000000 +0200
350 +++ linux-2.6.26/fs/proc/internal.h 2008-09-02 12:17:21.000000000 +0200
351 @@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
352 struct pid *pid, struct task_struct *task);
353 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
354 struct pid *pid, struct task_struct *task);
355 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
356 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
359 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
361 diff -urNp linux-2.6.26.orig/fs/proc/proc_misc.c linux-2.6.26/fs/proc/proc_misc.c
362 --- linux-2.6.26.orig/fs/proc/proc_misc.c 2008-09-01 11:43:59.000000000 +0200
363 +++ linux-2.6.26/fs/proc/proc_misc.c 2008-09-02 12:17:21.000000000 +0200
364 @@ -851,6 +851,8 @@ struct proc_dir_entry *proc_root_kcore;
366 void __init proc_misc_init(void)
372 int (*read_proc)(char*,char**,off_t,int,int*,void*);
373 @@ -866,13 +868,24 @@ void __init proc_misc_init(void)
374 {"stram", stram_read_proc},
376 {"filesystems", filesystems_read_proc},
377 +#ifndef CONFIG_GRKERNSEC_PROC_ADD
378 {"cmdline", cmdline_read_proc},
380 {"execdomains", execdomains_read_proc},
383 for (p = simple_ones; p->name; p++)
384 create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
386 +#ifdef CONFIG_GRKERNSEC_PROC_USER
388 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
389 + gr_mode = S_IRUSR | S_IRGRP;
391 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
392 + create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
395 proc_symlink("mounts", NULL, "self/mounts");
397 /* And now for trickier ones */
398 @@ -880,14 +893,18 @@ void __init proc_misc_init(void)
399 proc_create("kmsg", S_IRUSR, NULL, &proc_kmsg_operations);
401 proc_create("locks", 0, NULL, &proc_locks_operations);
402 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
403 + proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
405 proc_create("devices", 0, NULL, &proc_devinfo_operations);
407 proc_create("cpuinfo", 0, NULL, &proc_cpuinfo_operations);
409 proc_create("partitions", 0, NULL, &proc_partitions_operations);
411 proc_create("stat", 0, NULL, &proc_stat_operations);
412 proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
413 -#ifdef CONFIG_SLABINFO
414 +#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
415 proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
416 #ifdef CONFIG_DEBUG_SLAB_LEAK
417 proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
418 @@ -909,7 +926,7 @@ void __init proc_misc_init(void)
419 #ifdef CONFIG_SCHEDSTATS
420 proc_create("schedstat", 0, NULL, &proc_schedstat_operations);
422 -#ifdef CONFIG_PROC_KCORE
423 +#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
424 proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
426 proc_root_kcore->size =
427 diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
428 --- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200
429 +++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200
430 @@ -139,7 +139,15 @@ void __init proc_root_init(void)
431 #ifdef CONFIG_PROC_DEVICETREE
432 proc_device_tree_init();
434 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
435 +#ifdef CONFIG_GRKERNSEC_PROC_USER
436 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
437 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
438 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
441 proc_mkdir("bus", NULL);
446 diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c
447 --- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
448 +++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200
451 +grsecurity_init(void)
456 diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
457 --- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
458 +++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200
460 +#include <linux/kernel.h>
461 +#include <linux/sched.h>
462 +#include <linux/fs.h>
463 +#include <linux/file.h>
464 +#include <linux/grinternal.h>
467 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
468 + const struct dentry *dir, const int flag, const int acc_mode)
470 +#ifdef CONFIG_GRKERNSEC_FIFO
471 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
472 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
473 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
474 + (current->fsuid != dentry->d_inode->i_uid)) {
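Review bot: gr_handle_fifo's condition never consults `acc_mode`, so with GRKERNSEC_FIFO enabled an open of another user's FIFO in a sticky world-writable directory is refused for reading as well as writing, which is broader than this patch's own Kconfig help text ("users will not be able to write to FIFOs they don't own"). Either add `(acc_mode & MAY_WRITE) &&` to the condition or reword the help text to say the FIFO cannot be opened at all. The lines after the condition are elided here; if acc_mode is used there only for logging, that does not change the access decision.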
480 diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
481 --- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
482 +++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200
484 +#include <linux/kernel.h>
485 +#include <linux/sched.h>
486 +#include <linux/mm.h>
487 +#include <linux/smp_lock.h>
488 +#include <linux/slab.h>
489 +#include <linux/vmalloc.h>
490 +#include <linux/percpu.h>
492 +int grsec_enable_link;
493 +int grsec_enable_fifo;
497 +grsecurity_init(void)
499 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
500 +#ifndef CONFIG_GRKERNSEC_SYSCTL
503 +#ifdef CONFIG_GRKERNSEC_LINK
504 + grsec_enable_link = 1;
506 +#ifdef CONFIG_GRKERNSEC_FIFO
507 + grsec_enable_fifo = 1;
513 diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c
514 --- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
515 +++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200
517 +#include <linux/kernel.h>
518 +#include <linux/sched.h>
519 +#include <linux/fs.h>
520 +#include <linux/file.h>
521 +#include <linux/grinternal.h>
524 +gr_handle_follow_link(const struct inode *parent,
525 + const struct inode *inode,
526 + const struct dentry *dentry, const struct vfsmount *mnt)
528 +#ifdef CONFIG_GRKERNSEC_LINK
529 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
530 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
531 + (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
539 +gr_handle_hardlink(const struct dentry *dentry,
540 + const struct vfsmount *mnt,
541 + struct inode *inode, const int mode, const char *to)
543 +#ifdef CONFIG_GRKERNSEC_LINK
544 + if (grsec_enable_link && current->fsuid != inode->i_uid &&
545 + (!S_ISREG(mode) || (mode & S_ISUID) ||
546 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
547 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
548 + !capable(CAP_FOWNER) && current->uid) {
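Review bot: gr_handle_hardlink tests ownership with `current->fsuid != inode->i_uid` but exempts callers by real uid through the trailing `&& current->uid`, so a uid-0 daemon that has switched fsuid to an unprivileged user keeps the unrestricted path while a setuid-root program run by a user does not; `!capable(CAP_FOWNER)` already covers privileged callers, so the extra term is redundant at best and inconsistent with the fsuid check at worst. gr_handle_follow_link just above uses fsuid throughout and has no such term. The log and return lines after the condition are elided on this page.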
554 diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
555 --- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
556 +++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200
558 +#include <linux/kernel.h>
559 +#include <linux/module.h>
560 +#include <linux/sched.h>
561 +#include <linux/file.h>
562 +#include <linux/net.h>
563 +#include <linux/in.h>
564 +#include <linux/ip.h>
565 +#include <net/sock.h>
566 +#include <net/inet_sock.h>
567 +#include <linux/grsecurity.h>
568 +#include <linux/grinternal.h>
570 +#ifdef CONFIG_GRKERNSEC
571 +#define gr_conn_table_size 32749
572 +struct conn_table_entry {
573 + struct conn_table_entry *next;
574 + struct signal_struct *sig;
577 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
578 +spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
580 +extern const char * gr_socktype_to_name(unsigned char type);
581 +extern const char * gr_proto_to_name(unsigned char proto);
583 +static __inline__ int
584 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
586 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
589 +static __inline__ int
590 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
591 + __u16 sport, __u16 dport)
593 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
594 + sig->gr_sport == sport && sig->gr_dport == dport))
600 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
602 + struct conn_table_entry **match;
603 + unsigned int index;
605 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
606 + sig->gr_sport, sig->gr_dport,
607 + gr_conn_table_size);
611 + match = &gr_conn_table[index];
612 + newent->next = *match;
618 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
620 + struct conn_table_entry *match, *last = NULL;
621 + unsigned int index;
623 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
624 + sig->gr_sport, sig->gr_dport,
625 + gr_conn_table_size);
627 + match = gr_conn_table[index];
628 + while (match && !conn_match(match->sig,
629 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
632 + match = match->next;
637 + last->next = match->next;
639 + gr_conn_table[index] = NULL;
646 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
647 + __u16 sport, __u16 dport)
649 + struct conn_table_entry *match;
650 + unsigned int index;
652 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
654 + match = gr_conn_table[index];
655 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
656 + match = match->next;
666 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
668 +#ifdef CONFIG_GRKERNSEC
669 + struct signal_struct *sig = task->signal;
670 + struct conn_table_entry *newent;
672 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
673 + if (newent == NULL)
675 + /* no bh lock needed since we are called with bh disabled */
676 + spin_lock(&gr_conn_table_lock);
677 + gr_del_task_from_ip_table_nolock(sig);
678 + sig->gr_saddr = inet->rcv_saddr;
679 + sig->gr_daddr = inet->daddr;
680 + sig->gr_sport = inet->sport;
681 + sig->gr_dport = inet->dport;
682 + gr_add_to_task_ip_table_nolock(sig, newent);
683 + spin_unlock(&gr_conn_table_lock);
688 +void gr_del_task_from_ip_table(struct task_struct *task)
690 +#ifdef CONFIG_GRKERNSEC
691 + spin_lock(&gr_conn_table_lock);
692 + gr_del_task_from_ip_table_nolock(task->signal);
693 + spin_unlock(&gr_conn_table_lock);
699 +gr_attach_curr_ip(const struct sock *sk)
701 +#ifdef CONFIG_GRKERNSEC
702 + struct signal_struct *p, *set;
703 + const struct inet_sock *inet = inet_sk(sk);
705 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
708 + set = current->signal;
710 + spin_lock_bh(&gr_conn_table_lock);
711 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
712 + inet->dport, inet->sport);
713 + if (unlikely(p != NULL)) {
714 + set->curr_ip = p->curr_ip;
715 + set->used_accept = 1;
716 + gr_del_task_from_ip_table_nolock(p);
717 + spin_unlock_bh(&gr_conn_table_lock);
720 + spin_unlock_bh(&gr_conn_table_lock);
722 + set->curr_ip = inet->daddr;
723 + set->used_accept = 1;
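Review bot: In gr_del_task_from_ip_table_nolock the branch `gr_conn_table[index] = NULL;` appears to handle a match at the bucket head, and it discards every entry chained behind it instead of relinking them; it should read `gr_conn_table[index] = match->next;`, mirroring the `last->next = match->next;` branch, and whether `match` is kfree'd on both branches cannot be seen because the lines between them are elided here. Separately, gr_del_task_from_ip_table takes gr_conn_table_lock with plain spin_lock while gr_attach_curr_ip uses spin_lock_bh, which is only safe if every caller of the former already runs with bh or irqs disabled; the __exit_signal call site in this patch presumably does, but the assumption should be written next to the lock the way the comment in gr_update_task_in_ip_table does. The file's hunk header and several of its lines are elided on this page.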
728 diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
729 --- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
730 +++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200
732 +#include <linux/kernel.h>
733 +#include <linux/sched.h>
734 +#include <linux/sysctl.h>
735 +#include <linux/grsecurity.h>
736 +#include <linux/grinternal.h>
739 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
741 +#ifdef CONFIG_GRKERNSEC_SYSCTL
742 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
749 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
750 +ctl_table grsecurity_table[] = {
751 +#ifdef CONFIG_GRKERNSEC_SYSCTL
752 +#ifdef CONFIG_GRKERNSEC_LINK
754 + .ctl_name = CTL_UNNUMBERED,
755 + .procname = "linking_restrictions",
756 + .data = &grsec_enable_link,
757 + .maxlen = sizeof(int),
759 + .proc_handler = &proc_dointvec,
762 +#ifdef CONFIG_GRKERNSEC_FIFO
764 + .ctl_name = CTL_UNNUMBERED,
765 + .procname = "fifo_restrictions",
766 + .data = &grsec_enable_fifo,
767 + .maxlen = sizeof(int),
769 + .proc_handler = &proc_dointvec,
773 + .ctl_name = CTL_UNNUMBERED,
774 + .procname = "grsec_lock",
775 + .data = &grsec_lock,
776 + .maxlen = sizeof(int),
778 + .proc_handler = &proc_dointvec,
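Review bot: The `#if defined(CONFIG_GRKERNSEC_SYSCTL)` guard around `grsecurity_table[]` is repeated by `#ifdef CONFIG_GRKERNSEC_SYSCTL` on the very next line; one of the two can go. The `.mode` fields of the three entries are elided on this page, so it could not be confirmed that they are 0600, which matters because gr_handle_sysctl_mod only refuses writes (`op & 002`) once grsec_lock is set and until then the entries are protected solely by their mode. A short comment on the grsec_lock entry noting that it is one-way (the handler then rejects writes to the whole directory, grsec_lock included) would document the intended lifecycle.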
784 diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
785 --- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
786 +++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200
789 +# grecurity configuration
797 + select CRYPTO_SHA256
799 + select SECURITY_CAPABILITIES
801 + If you say Y here, you will be able to configure many features
802 + that will enhance the security of your system. It is highly
803 + recommended that you say Y here and read through the help
804 + for each option so that you fully understand the features and
805 + can evaluate their usefulness for your machine.
807 +menu "Filesystem Protections"
808 +depends on GRKERNSEC
810 +config GRKERNSEC_PROC
811 + bool "Proc restrictions"
813 + If you say Y here, the permissions of the /proc filesystem
814 + will be altered to enhance system security and privacy. You MUST
815 + choose either a user only restriction or a user and group restriction.
816 + Depending upon the option you choose, you can either restrict users to
817 + see only the processes they themselves run, or choose a group that can
818 + view all processes and files normally restricted to root if you choose
819 + the "restrict to user only" option. NOTE: If you're running identd as
820 + a non-root user, you will have to run it as the group you specify here.
822 +config GRKERNSEC_PROC_USER
823 + bool "Restrict /proc to user only"
824 + depends on GRKERNSEC_PROC
826 + If you say Y here, non-root users will only be able to view their own
827 + processes, and restricts them from viewing network-related information,
828 + and viewing kernel symbol and module information.
830 +config GRKERNSEC_PROC_USERGROUP
831 + bool "Allow special group"
832 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
834 + If you say Y here, you will be able to select a group that will be
835 + able to view all processes, network-related information, and
836 + kernel and symbol information. This option is useful if you want
837 + to run identd as a non-root user.
839 +config GRKERNSEC_PROC_GID
840 + int "GID for special group"
841 + depends on GRKERNSEC_PROC_USERGROUP
844 +config GRKERNSEC_PROC_ADD
845 + bool "Additional restrictions"
846 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
848 + If you say Y here, additional restrictions will be placed on
849 + /proc that keep normal users from viewing device information and
850 + slabinfo information that could be useful for exploits.
852 +config GRKERNSEC_LINK
853 + bool "Linking restrictions"
855 + If you say Y here, /tmp race exploits will be prevented, since users
856 + will no longer be able to follow symlinks owned by other users in
857 + world-writable +t directories (i.e. /tmp), unless the owner of the
858 + symlink is the owner of the directory. users will also not be
859 + able to hardlink to files they do not own. If the sysctl option is
860 + enabled, a sysctl option with name "linking_restrictions" is created.
862 +config GRKERNSEC_FIFO
863 + bool "FIFO restrictions"
865 + If you say Y here, users will not be able to write to FIFOs they don't
866 + own in world-writable +t directories (i.e. /tmp), unless the owner of
867 + the FIFO is the same owner of the directory it's held in. If the sysctl
868 + option is enabled, a sysctl option with name "fifo_restrictions" is
871 +config GRKERNSEC_PROC_IPADDR
872 + bool "/proc/<pid>/ipaddr support"
874 + If you say Y here, a new entry will be added to each /proc/<pid>
875 + directory that contains the IP address of the person using the task.
876 + The IP is carried across local TCP and AF_UNIX stream sockets.
877 + This information can be useful for IDS/IPSes to perform remote response
878 + to a local attack. The entry is readable by only the owner of the
879 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
880 + the RBAC system), and thus does not create privacy concerns.
884 +config GRKERNSEC_SYSCTL
885 + bool "Sysctl support"
887 + If you say Y here, you will be able to change the options that
888 + grsecurity runs with at bootup, without having to recompile your
889 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
890 + to enable (1) or disable (0) various features. All the sysctl entries
891 + are mutable until the "grsec_lock" entry is set to a non-zero value.
892 + All features enabled in the kernel configuration are disabled at boot
893 + if you do not say Y to the "Turn on features by default" option.
894 + All options should be set at startup, and the grsec_lock entry should
895 + be set to a non-zero value after all the options are set.
896 + *THIS IS EXTREMELY IMPORTANT*
898 +config GRKERNSEC_SYSCTL_ON
899 + bool "Turn on features by default"
900 + depends on GRKERNSEC_SYSCTL
902 + If you say Y here, instead of having all features enabled in the
903 + kernel configuration disabled at boot time, the features will be
904 + enabled at boot time. It is recommended you say Y here unless
905 + there is some reason you would want all sysctl-tunable features to
906 + be disabled by default. As mentioned elsewhere, it is important
907 + to enable the grsec_lock entry once you have finished modifying
908 + the sysctl entries.
911 diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile
912 --- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
913 +++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200
915 +# All code in this directory and various hooks inserted throughout the kernel
916 +# are copyright Brad Spengler, and released under the GPL v2 or higher
918 +obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
920 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o
922 +ifndef CONFIG_GRKERNSEC
923 +obj-y += grsec_disabled.o
926 diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h
927 --- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
928 +++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200
930 +#ifndef __GRINTERNAL_H
931 +#define __GRINTERNAL_H
933 +#ifdef CONFIG_GRKERNSEC
935 +#include <linux/fs.h>
937 +extern int grsec_enable_link;
938 +extern int grsec_enable_fifo;
939 +extern int grsec_lock;
944 diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h
945 --- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
946 +++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200
948 +#ifndef GR_SECURITY_H
949 +#define GR_SECURITY_H
950 +#include <linux/fs.h>
951 +#include <linux/binfmts.h>
953 +void gr_del_task_from_ip_table(struct task_struct *p);
955 +int gr_handle_follow_link(const struct inode *parent,
956 + const struct inode *inode,
957 + const struct dentry *dentry);
958 +int gr_handle_fifo(const struct dentry *dentry,
959 + const struct dentry *dir, const int flag,
960 + const int acc_mode);
961 +int gr_handle_hardlink(const struct dentry *dentry,
962 + struct inode *inode,
963 + const int mode, const char *to);
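Review bot: The prototypes here do not match the definitions elsewhere in this patch: grsecurity.h declares gr_handle_follow_link with three parameters and gr_handle_fifo and gr_handle_hardlink with four, while grsec_link.c and grsec_fifo.c define them with an extra `const struct vfsmount *mnt` (four, five and five parameters respectively), and the fs/namei.c call sites pass the counts declared here. The visible part of grsec_link.c and grsec_fifo.c includes only <linux/grinternal.h>, whose visible lines do not pull in this header, so unless elided lines do, the compiler never sees declaration and definition together and on the usual calling conventions the callee's `inode`/`dir` parameters receive the caller's next argument. Drop the unused `mnt` parameter from the three definitions (e.g. `gr_handle_hardlink(const struct dentry *dentry, struct inode *inode, const int mode, const char *to)`) and add `#include <linux/grsecurity.h>` to both .c files so any future drift is a compile error. The tail of this header, including its `#endif`, is elided on this page.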
966 diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h
967 --- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200
968 +++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200
969 @@ -544,6 +544,15 @@ struct signal_struct {
971 struct tty_audit_buf *tty_audit_buf;
974 +#ifdef CONFIG_GRKERNSEC
984 /* Context switch must be unlocked if interrupts are to be enabled */
985 diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h
986 --- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200
987 +++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200
988 @@ -165,8 +165,11 @@ enum
989 KERN_MAX_LOCK_DEPTH=74,
990 KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
991 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
993 +#ifdef CONFIG_GRKERNSEC
994 + KERN_GRSECURITY=98, /* grsecurity */
1001 diff -urNp linux-2.6.26.orig/kernel/configs.c linux-2.6.26/kernel/configs.c
1002 --- linux-2.6.26.orig/kernel/configs.c 2008-09-01 11:43:58.000000000 +0200
1003 +++ linux-2.6.26/kernel/configs.c 2008-09-02 12:17:21.000000000 +0200
1004 @@ -79,8 +79,19 @@ static int __init ikconfig_init(void)
1005 struct proc_dir_entry *entry;
1007 /* create the current config file */
1008 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
1009 +#ifdef CONFIG_GRKERNSEC_PROC_USER
1010 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
1011 + &ikconfig_file_ops);
1012 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
1013 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
1014 + &ikconfig_file_ops);
1017 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
1018 &ikconfig_file_ops);
1024 diff -urNp linux-2.6.26.orig/kernel/exit.c linux-2.6.26/kernel/exit.c
1025 --- linux-2.6.26.orig/kernel/exit.c 2008-09-01 11:43:58.000000000 +0200
1026 +++ linux-2.6.26/kernel/exit.c 2008-09-02 12:17:21.000000000 +0200
1028 #include <linux/vs_network.h>
1029 #include <linux/vs_pid.h>
1030 #include <linux/vserver/global.h>
1031 +#include <linux/grsecurity.h>
1033 #include <asm/uaccess.h>
1034 #include <asm/unistd.h>
1035 @@ -137,6 +138,7 @@ static void __exit_signal(struct task_st
1037 flush_sigqueue(&tsk->pending);
1039 + gr_del_task_from_ip_table(tsk);
1041 tsk->sighand = NULL;
1042 spin_unlock(&sighand->siglock);
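Review bot: `gr_del_task_from_ip_table(tsk);` runs on every call of __exit_signal, i.e. for each exiting thread, but the entry it removes is keyed on the shared `tsk->signal` (gr_saddr/gr_daddr/gr_sport/gr_dport live in signal_struct per the grsec_sock.c hunk), so the first thread to exit in a multi-threaded process drops the mapping for the threads that remain. Unless per-thread removal is intended, guard the call with the last-thread condition __exit_signal already computes for `sig` (the atomic_dec_and_test branch, which lies outside this hunk), or add a comment explaining why early removal is acceptable.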
1043 diff -urNp linux-2.6.26.orig/kernel/kallsyms.c linux-2.6.26/kernel/kallsyms.c
1044 --- linux-2.6.26.orig/kernel/kallsyms.c 2008-09-01 11:43:58.000000000 +0200
1045 +++ linux-2.6.26/kernel/kallsyms.c 2008-09-02 12:17:21.000000000 +0200
1046 @@ -472,7 +472,15 @@ static const struct file_operations kall
1048 static int __init kallsyms_init(void)
1050 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
1051 +#ifdef CONFIG_GRKERNSEC_PROC_USER
1052 + proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations);
1053 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
1054 + proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations);
1057 proc_create("kallsyms", 0444, NULL, &kallsyms_operations);
1061 __initcall(kallsyms_init);
1062 diff -urNp linux-2.6.26.orig/kernel/resource.c linux-2.6.26/kernel/resource.c
1063 --- linux-2.6.26.orig/kernel/resource.c 2008-09-01 11:43:58.000000000 +0200
1064 +++ linux-2.6.26/kernel/resource.c 2008-09-02 12:17:21.000000000 +0200
1065 @@ -131,8 +131,18 @@ static const struct file_operations proc
1067 static int __init ioresources_init(void)
1069 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
1070 +#ifdef CONFIG_GRKERNSEC_PROC_USER
1071 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
1072 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
1073 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
1074 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
1075 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
1078 proc_create("ioports", 0, NULL, &proc_ioports_operations);
1079 proc_create("iomem", 0, NULL, &proc_iomem_operations);
1083 __initcall(ioresources_init);
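Review bot: The three-way `#ifdef` ladder selecting a proc mode is duplicated here and in kernel/configs.c, kernel/kallsyms.c and drivers/pci/proc.c, and it already drifts: this hunk passes `S_IRUSR` / `S_IRUSR | S_IRGRP` without `S_IFREG`, while the configs.c and kallsyms.c sites include it. A single macro in grsecurity.h that yields the USER, USERGROUP or default mode by config would reduce each call to one line, e.g. `proc_create("ioports", GR_PROC_MODE(0), NULL, &proc_ioports_operations);`, and keep the per-site choices consistent. Whether proc_create() in this tree fills in S_IFREG when the mode lacks a file type is not visible here and should be confirmed before relying on the bare modes.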
1084 diff -urNp linux-2.6.26.orig/kernel/sysctl.c linux-2.6.26/kernel/sysctl.c
1085 --- linux-2.6.26.orig/kernel/sysctl.c 2008-09-01 11:43:58.000000000 +0200
1086 +++ linux-2.6.26/kernel/sysctl.c 2008-09-02 12:17:21.000000000 +0200
1088 static int deprecated_sysctl_warning(struct __sysctl_args *args);
1090 #if defined(CONFIG_SYSCTL)
1091 +#include <linux/grsecurity.h>
1092 +#include <linux/grinternal.h>
1094 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
1097 /* External variables not in a header file. */
1099 @@ -153,6 +158,7 @@ static int proc_do_cad_pid(struct ctl_ta
1100 static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
1101 void __user *buffer, size_t *lenp, loff_t *ppos);
1103 +extern ctl_table grsecurity_table[];
1105 static struct ctl_table root_table[];
1106 static struct ctl_table_root sysctl_table_root;
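Review bot: `extern ctl_table grsecurity_table[];` is declared ad hoc in kernel/sysctl.c even though this file now includes `<linux/grsecurity.h>` and `<linux/grinternal.h>` in an earlier hunk, so the declaration is never checked against the array's definition and must be repeated at every user. Move it into grinternal.h alongside the other grsecurity sysctl declarations and drop the local extern; the `gr_handle_sysctl_mod` prototype added in the first hunk has the same problem. The spelling `ctl_table` also differs from the `struct ctl_table` form used by the neighbouring declarations, e.g. `extern struct ctl_table grsecurity_table[];`.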
1107 @@ -823,6 +829,15 @@ static struct ctl_table kern_table[] = {
1108 .child = key_sysctls,
1112 +#if defined(CONFIG_GRKERNSEC_SYSCTL)
1114 + .ctl_name = CTL_UNNUMBERED,
1115 + .procname = "grsecurity",
1117 + .child = grsecurity_table,
1121 * NOTE: do not add new entries to this table unless you have read
1122 * Documentation/sysctl/ctl_unnumbered.txt
1123 @@ -1585,6 +1600,10 @@ int sysctl_perm(struct ctl_table_root *r
1127 + if (table->parent != NULL && table->parent->procname != NULL &&
1128 + table->procname != NULL &&
1129 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
1131 error = security_sysctl(table, op);
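Review bot: The new gr_handle_sysctl_mod() gate is skipped whenever `table->parent` is NULL or either procname is NULL, so top-level tables and entries without a procname (binary-only sysctls that reach the same sysctl_perm()) fall straight through to security_sysctl() with no grsecurity check. If that is deliberate, say so at the condition, e.g. `/* unnamed or root entries are not policy-addressable; fall through to the LSM check */`; otherwise pass an empty dirname instead of skipping: `gr_handle_sysctl_mod(table->parent ? table->parent->procname : "", table->procname, op)`, which still requires a non-NULL `table->procname`. The line that returns on a positive result and the rest of sysctl_perm() are not visible in this hunk.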
1134 diff -urNp linux-2.6.26.orig/Makefile linux-2.6.26/Makefile
1135 --- linux-2.6.26.orig/Makefile 2008-09-01 11:44:01.000000000 +0200
1136 +++ linux-2.6.26/Makefile 2008-09-02 12:17:21.000000000 +0200
1137 @@ -607,7 +607,7 @@ export mod_strip_cmd
1140 ifeq ($(KBUILD_EXTMOD),)
1141 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
1142 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
1144 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
1145 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
1146 diff -urNp linux-2.6.26.orig/net/ipv4/inet_hashtables.c linux-2.6.26/net/ipv4/inet_hashtables.c
1147 --- linux-2.6.26.orig/net/ipv4/inet_hashtables.c 2008-09-01 11:43:37.000000000 +0200
1148 +++ linux-2.6.26/net/ipv4/inet_hashtables.c 2008-09-02 12:17:21.000000000 +0200
1150 #include <linux/sched.h>
1151 #include <linux/slab.h>
1152 #include <linux/wait.h>
1153 +#include <linux/grsecurity.h>
1155 #include <net/inet_connection_sock.h>
1156 #include <net/inet_hashtables.h>
1157 #include <net/route.h>
1160 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
1163 * Allocate and initialize a new local port bind bucket.
1164 * The bindhash mutex for snum's hash chain must be held here.
1165 @@ -484,6 +487,8 @@ ok:
1167 spin_unlock(&head->lock);
1169 + gr_update_task_in_ip_table(current, inet_sk(sk));
1172 inet_twsk_deschedule(tw, death_row);
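Review bot: `gr_update_task_in_ip_table(current, inet_sk(sk))` at the `ok:` label gets its prototype from a local `extern` in this file although `<linux/grsecurity.h>` is included a few lines above; a prototype in the header is checked against the definition, a local one is not, so the extern should move there. Recording `current` also assumes the task running __inet_hash_connect() owns the socket, which holds for a plain connect() caller but not necessarily for a socket whose fd was passed to another task; if the table is meant to track ownership, a comment stating the assumption, `/* current is the connecting task; may differ from the fd's owner if the socket was passed */`, would help. The surrounding function and the timewait handling continue outside the hunk.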
1174 diff -urNp linux-2.6.26.orig/net/socket.c linux-2.6.26/net/socket.c
1175 --- linux-2.6.26.orig/net/socket.c 2008-09-01 11:43:36.000000000 +0200
1176 +++ linux-2.6.26/net/socket.c 2008-09-02 12:17:21.000000000 +0200
1178 #include <linux/audit.h>
1179 #include <linux/wireless.h>
1180 #include <linux/nsproxy.h>
1181 +#include <linux/in.h>
1183 #include <asm/uaccess.h>
1184 #include <asm/unistd.h>
1186 #include <linux/vs_inet.h>
1187 #include <linux/vs_inet6.h>
1189 +extern void gr_attach_curr_ip(const struct sock *sk);
1191 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
1192 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
1193 unsigned long nr_segs, loff_t pos);
1194 @@ -1502,6 +1505,7 @@ asmlinkage long sys_accept(int fd, struc
1197 security_socket_post_accept(sock, newsock);
1198 + gr_attach_curr_ip(newsock->sk);
1201 fput_light(sock->file, fput_needed);
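Review bot: `gr_attach_curr_ip(newsock->sk)` runs on every successful accept() regardless of address family, so the hook must itself check `sk->sk_family` before touching inet-specific state; the new `#include <linux/in.h>` suggests inet assumptions, but no such check is visible here. As with the other hooks in this patch, the prototype is an ad hoc `extern` in the .c file rather than a declaration in grsecurity.h. A comment at the call, `/* all socket families reach here; the hook must ignore non-inet sockets */`, plus moving the prototype to the header would cover both. The remainder of sys_accept() is outside the hunk.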
1202 diff -urNp linux-2.6.26.orig/security/Kconfig linux-2.6.26/security/Kconfig
1203 --- linux-2.6.26.orig/security/Kconfig 2008-09-01 11:43:58.000000000 +0200
1204 +++ linux-2.6.26/security/Kconfig 2008-09-02 12:17:21.000000000 +0200
1207 menu "Security options"
1209 +source grsecurity/Kconfig
1212 bool "Enable access key retention support"