--- linux-2.6.20/grsecurity/gracl_shm.c~ 2007-03-24 04:54:27.000000000 +0100
+++ linux-2.6.20/grsecurity/gracl_shm.c 2007-03-24 04:55:46.332159000 +0100
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
--- linux-2.6.20/localversion-grsec 2007-03-24 04:54:27.000000000 +0100
+++ /dev/null 2007-03-24 05:05:10.455414500 +0100
@@ -1 +0,0 @@
--grsec
--- linux-2.6.20/grsecurity/grsec_sock.c~ 2007-03-24 05:38:40.000000000 +0100
+++ linux-2.6.20/grsecurity/grsec_sock.c 2007-03-24 05:47:11.347998750 +0100
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
=== === analogous as capable() ===
--- a/kernel/capability.c~ 2007-12-11 00:46:02.000000000 +0100
+++ a/kernel/capability.c 2007-12-11 01:35:00.244481500 +0100
@@ -253,6 +253,8 @@ int __capable(struct task_struct *t, int
 }
 int capable_nolog(int cap)
 {
+ if (vs_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap))
+ return 0;
 if (has_capability(current, cap) && gr_is_capable_nolog(cap)) {
 current->flags |= PF_SUPERPRIV;
 return 1;
=== === let vserver block signals before grsec ===
--- a/kernel/signal.c 2007-10-02 00:08:49.954483500 +0200
+++ b/kernel/signal.c 2007-10-02 00:24:31.969355750 +0200
@@ -553,6 +553,11 @@ static int check_kill_permission(int sig
 sig, info, t, vx_task_xid(t), t->pid, current->xid);
 return error;
 }
+
+ error = -EPERM;
+ if (gr_handle_signal(t, sig))
+ return error;
+
 skip:
 return security_task_kill(t, info, sig, 0);
 }
=== === vserver netlink protection ===
--- a/security/commoncap.c~ 2007-12-10 23:52:36.000000000 +0100
+++ a/security/commoncap.c 2007-12-11 01:43:04.426741000 +0100
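Review bot: `1L << cap` in the added vserver check of `capable_nolog()` is undefined when `cap` is at or beyond the bit width of `long`, which on 32-bit builds means any capability number of 32 or more; the existing `has_capability()` path below it never shifts, so this is a new assumption the hunk introduces. Whether a caller can reach that range depends on this kernel's capability numbering, which is outside the hunk, so a cheap guard before the shift keeps the check self-contained, e.g. `if (cap < 0 || (unsigned)cap >= 8 * sizeof(long)) return 0;`. The vserver test is also deliberately placed ahead of the grsec `gr_is_capable_nolog()` test; a one-line comment such as `/* vserver context capability mask is checked before grsec */` would make that ordering explicit. The tail of `capable_nolog()` is outside the hunk.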
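Review bot: The grsec check is inserted above the `skip:` label, so any path in `check_kill_permission()` that jumps to `skip` — that `goto` is outside the hunk — reaches `security_task_kill()` without `gr_handle_signal()` ever being consulted; if the intent is only that vserver's denial runs first, the check belongs below the label, i.e. `skip:` / `if (gr_handle_signal(t, sig))` / `return -EPERM;` directly ahead of the `security_task_kill()` return. Returning `-EPERM` directly also drops the `error = -EPERM;` indirection the hunk adds. If the jump to `skip` is meant as a full bypass of both checks for that case, a short comment on the label saying so would stop the next reader from raising the same question. The start of the function is outside the hunk.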
@@ -27,7 +27,7 @@
 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
- NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
+ NETLINK_CB(skb).eff_cap = cap_intersect(gr_cap_rtnetlink(sk), vx_mbcaps(current->cap_effective));
 return 0;
 }
=== === vserver hooks in cap_capable_nolog ===
--- i/security/commoncap.c1 2008-10-28 21:28:07.873037469 +0100
+++ i/security/commoncap.c 2008-10-28 21:36:20.429660261 +0100
@@ -76,8 +76,14 @@ int cap_capable (struct task_struct *tsk
 int cap_capable_nolog (struct task_struct *tsk, int cap)
 {
+ struct vx_info *vxi = tsk->vx_info;
+ /* special case SETUP */ /* co to jest? - zbyniu */
+ if (vx_info_flags(vxi, VXF_STATE_SETUP, 0) &&
+ cap_raised(tsk->cap_effective, cap))
+ return 0;
+
 /* tsk = current for all callers */
- if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
+ if (vx_cap_raised(vxi, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
 return 0;
 return -EPERM;
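Review bot: The new `VXF_STATE_SETUP` special case in `cap_capable_nolog()` returns 0 (capability granted) on `cap_raised()` alone, so while a context is in setup state the `gr_is_capable_nolog()` test that the other success path in this function goes through is skipped entirely; if that is not intended, the branch should read `cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))`. The `/* co to jest? - zbyniu */` fragment ("what is this?" in Polish) is a reviewer's question left in the source; either answer it in the comment — presumably that a context still being set up sees the full capability set of its creator — or drop it. The closing brace of `cap_capable_nolog()` is outside the hunk.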