netlink cap_dac* diff -upr a/grsecurity/gracl_cap.c c/grsecurity/gracl_cap.c --- a/grsecurity/gracl_cap.c 2007-12-01 00:54:57.312774500 +0000 +++ c/grsecurity/gracl_cap.c 2007-12-01 01:09:34.923621750 +0000 @@ -110,3 +110,19 @@ gr_is_capable_nolog(const int cap) return 0; } +void +gr_log_cap_pid(const int cap, const pid_t pid) +{ + struct task_struct *p; + + if (gr_acl_is_enabled()) { + read_lock(&tasklist_lock); + p = find_task_by_vpid(pid); + if (p) { + get_task_struct(p); + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, p, captab_log[cap]); + } + read_unlock(&tasklist_lock); + } + return; +} --- linux-2.6.35/include/linux/grsecurity.h~ 2010-10-20 21:01:00.758532744 +0200 +++ linux-2.6.35/include/linux/grsecurity.h 2010-10-20 21:03:27.556754795 +0200 @@ -78,6 +78,7 @@ void gr_log_textrel(struct vm_area_struct *vma); void gr_log_rwxmmap(struct file *file); void gr_log_rwxmprotect(struct file *file); +void gr_log_cap_pid(const int cap, pid_t pid); int gr_handle_follow_link(const struct inode *parent, const struct inode *inode, diff -upr a/security/commoncap.c c/security/commoncap.c --- a/security/commoncap.c 2007-12-01 00:54:57.300773750 +0000 +++ c/security/commoncap.c 2007-12-01 01:09:34.923621750 +0000 @@ -55,8 +55,12 @@ int cap_netlink_recv(struct sk_buff *skb, int cap) { - if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap)) + if (!cap_raised(current_cap(), cap) || !gr_is_capable(cap)) { +#ifdef CONFIG_GRKERNSEC + gr_log_cap_pid(cap, NETLINK_CREDS(skb)->pid); +#endif return -EPERM; + } return 0; } --- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200 +++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200 @@ -122,7 +122,7 @@ // preconfig fs entries for (index = 0; index < VX_SPACES; index++) { spin_lock(&init_fs.lock); - init_fs.users++; + atomic_inc(&init_fs.users); spin_unlock(&init_fs.lock); new->vx_fs[index] = &init_fs; } @@ -197,7 +197,7 @@ fs = xchg(&vxi->vx_fs[index], NULL); spin_lock(&fs->lock); - kill = !--fs->users; + kill = !atomic_dec_return(&fs->users); spin_unlock(&fs->lock); if (kill) free_fs_struct(fs); --- linux-2.6.30/kernel/vserver/space.c~ 2009-07-31 12:07:52.398601243 +0200 +++ linux-2.6.30/kernel/vserver/space.c 2009-07-31 12:47:48.638394441 +0200 @@ -220,7 +220,7 @@ if (mask & CLONE_FS) { write_lock(&fs_cur->lock); current->fs = fs; - kill = !--fs_cur->users; + kill = !atomic_dec_return(&fs_cur->users); spin_unlock(&fs_cur->lock); } @@ -278,7 +278,7 @@ if (mask & CLONE_FS) { spin_lock(&fs_vxi->lock); space->vx_fs = fs; - kill = !--fs_vxi->users; + kill = !atomic_dec_return(&fs_vxi->users); spin_unlock(&fs_vxi->lock); } --- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100 +++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100 @@ -59,8 +59,8 @@ limited in memory. config PROC_PAGE_MONITOR - default n - depends on PROC_FS && MMU && !GRKERNSEC + default y + depends on PROC_FS && MMU bool "Enable /proc page monitoring" if EXPERT help Various /proc files exist to monitor process memory utilization: --- linux-2.6.34/net/socket.c~ 2010-07-06 15:35:03.398523320 +0200 +++ linux-2.6.34/net/socket.c 2010-07-06 15:35:26.021020905 +0200 @@ -1573,12 +1573,6 @@ newsock->type = sock->type; newsock->ops = sock->ops; - if (gr_handle_sock_server_other(sock->sk)) { - err = -EPERM; - sock_release(newsock); - goto out_put; - } - err = gr_search_accept(sock); if (err) { sock_release(newsock); --- linux-3.0/include/linux/vermagic.h~ 2011-10-14 19:55:36.000000000 +0200 +++ linux-3.0/include/linux/vermagic.h 2011-10-16 15:45:11.251098590 +0200 @@ -33,7 +33,7 @@ #endif #ifdef CONSTIFY_PLUGIN -#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN " +#define MODULE_CONSTIFY_PLUGIN "" #else #define MODULE_CONSTIFY_PLUGIN "" #endif --- linux-3.1/kernel/fork.c.org 2011-11-17 20:43:03.561319929 +0100 +++ linux-3.1/kernel/fork.c 2011-11-17 20:44:09.022832196 +0100 @@ -1704,7 +1704,7 @@ return 0; /* don't need lock here; in the worst case we'll do useless copy */ - if (fs->users == 1) + if (atomic_read(&fs->users) == 1) return 0; *new_fsp = copy_fs_struct(fs); @@ -1793,7 +1793,7 @@ fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; - if (--fs->users) + if (atomic_dec_return(&fs->users)) new_fs = NULL; else new_fs = fs;