+}
--- a/grsecurity/grsec_sock.c 2008-03-24 00:24:22.482633101 +0100
+++ c/grsecurity/grsec_sock.c 2008-03-24 00:27:01.971671763 +0100
-@@ -247,23 +247,26 @@
+@@ -247,25 +247,26 @@
gr_cap_rtnetlink(struct sock *sock)
{
#ifdef CONFIG_GRKERNSEC
- gr_is_capable(CAP_AUDIT_CONTROL))
- return current_cap();
- else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
-- gr_is_capable(CAP_NET_ADMIN))
+- ((sock->sk_protocol == NETLINK_ROUTE) ?
+- gr_is_capable_nolog(CAP_NET_ADMIN) :
+- gr_is_capable(CAP_NET_ADMIN)))
- return current_cap();
- else
- return __cap_empty_set;
--- a/include/linux/grsecurity.h 2007-12-01 00:54:57.224769000 +0000
+++ c/include/linux/grsecurity.h 2007-12-01 01:09:34.923621750 +0000
@@ -76,6 +76,7 @@ void gr_log_semrm(const uid_t uid, const
- void gr_log_shmget(const int err, const int shmflg, const size_t size);
- void gr_log_shmrm(const uid_t uid, const uid_t cuid);
void gr_log_textrel(struct vm_area_struct *vma);
+ void gr_log_rwxmmap(struct file *file);
+ void gr_log_rwxmprotect(struct file *file);
+void gr_log_cap_pid(const int cap, pid_t pid);
int gr_handle_follow_link(const struct inode *parent,
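Review bot: The new prototype `void gr_log_cap_pid(const int cap, pid_t pid);` departs from the convention of the neighbouring declarations, which `const`-qualify every by-value parameter (`const int err`, `const uid_t uid`, `const size_t size`); for consistency write `void gr_log_cap_pid(const int cap, const pid_t pid);`. Nothing on the page shows the definition, so the reader cannot tell whether `pid` names the task whose capability use is being logged or the task performing the check; a one-line comment above the prototype stating which task `pid` refers to, and that the call only logs and has no return value to check, would settle that. The other prototypes in this hunk are undocumented too, but this is the only one the change adds.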
return 0;
}
-===
-=== cap_dac_ succession with capable_nolog
-===
-diff -upr a/fs./namei.c a/fs/namei.c
---- a/fs./namei.c 2008-04-05 01:23:49.741310000 +0200
-+++ a/fs/namei.c 2008-04-05 14:36:39.350275977 +0200
-@@ -215,6 +215,13 @@ int generic_permission(struct inode *ino
-
- check_capabilities:
- /*
-+ * Searching includes executable on directories, else just read.
-+ */
-+ if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
-+ if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
-+ return 0;
-+
-+ /*
- * Read/write DACs are always overridable.
- * Executable DACs are overridable if at least one exec bit is set.
- */
-@@ -223,13 +230,6 @@ int generic_permission(struct inode *ino
- if (capable(CAP_DAC_OVERRIDE))
- return 0;
-
-- /*
-- * Searching includes executable on directories, else just read.
-- */
-- if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
-- if (capable(CAP_DAC_READ_SEARCH))
-- return 0;
--
- return -EACCES;
- }
-
-@@ -498,13 +498,13 @@ static int exec_permission_lite(struct i
- if (mode & MAY_EXEC)
- goto ok;
-
-- if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
-+ if (S_ISDIR(inode->i_mode) && capable_nolog(CAP_DAC_OVERRIDE))
- goto ok;
-
-- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
-+ if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
- goto ok;
-
-- if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
-+ if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
- goto ok;
-
- return -EACCES;
-
--- linux-2.6.30/kernel/vserver/context.c~ 2009-07-31 12:07:52.365267958 +0200
+++ linux-2.6.30/kernel/vserver/context.c 2009-07-31 12:43:04.991723596 +0200
@@ -122,7 +122,7 @@
write_unlock(&fs_vxi->lock);
}
+--- linux-2.6.28/fs/proc/Kconfig~ 2008-11-20 23:26:34.000000000 +0100
++++ linux-2.6.28/fs/proc/Kconfig 2008-12-01 20:37:12.000000000 +0100
+@@ -59,8 +59,8 @@
+ limited in memory.
+
+ config PROC_PAGE_MONITOR
+- default n
+- depends on PROC_FS && MMU && !GRKERNSEC
++ default y
++ depends on PROC_FS && MMU
+ bool "Enable /proc page monitoring" if EMBEDDED
+ help
+ Various /proc files exist to monitor process memory utilization:
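Review bot: Dropping `!GRKERNSEC` from the `depends on` line and flipping `default n` to `default y` re-enables the /proc page-monitoring files in hardened builds, and nothing in the hunk says why. The original exclusion looks deliberate: the files behind this option (presumably the per-process pagemap and related entries) report per-page physical placement, which a hardened kernel would rather not hand to unprivileged processes, so removing the gate without a replacement access restriction is a hardening regression. If the relaxation is intended, keep `default n` so the option stays opt-in and add a comment above `config PROC_PAGE_MONITOR` recording the reason, e.g. `# GRKERNSEC exclusion lifted: <reason>`. The option's `help` text continues past the end of the hunk.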