--- /dev/null
+diff -uNr linux-2.6.6/arch/alpha/kernel/osf_sys.c linux-2.6.6.fixed/arch/alpha/kernel/osf_sys.c
+--- linux-2.6.6/arch/alpha/kernel/osf_sys.c 2004-05-10 04:31:55.000000000 +0200
++++ linux-2.6.6.fixed/arch/alpha/kernel/osf_sys.c 2004-05-11 10:55:55.000000000 +0200
+@@ -37,6 +37,7 @@
+ #include <linux/namei.h>
+ #include <linux/uio.h>
+ #include <linux/vfs.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/fpu.h>
+ #include <asm/io.h>
+@@ -179,6 +180,11 @@
+ struct file *file = NULL;
+ unsigned long ret = -EBADF;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ #if 0
+ if (flags & (_MAP_HASSEMAPHORE | _MAP_INHERIT | _MAP_UNALIGNED))
+ printk("%s: unimplemented OSF mmap flags %04lx\n",
+@@ -189,6 +195,13 @@
+ if (!file)
+ goto out;
+ }
++
++ if (gr_handle_mmap(file, prot)) {
++ fput(file);
++ ret = -EACCES;
++ goto out;
++ }
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ down_write(¤t->mm->mmap_sem);
+ ret = do_mmap(file, addr, len, prot, flags, off);
+@@ -1292,6 +1305,10 @@
+ merely specific addresses, but regions of memory -- perhaps
+ this feature should be incorporated into all ports? */
+
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(current->flags & PF_PAX_RANDMMAP) || !filp)
++#endif
++
+ if (addr) {
+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
+ if (addr != (unsigned long) -ENOMEM)
+@@ -1299,8 +1316,16 @@
+ }
+
+ /* Next, try allocating at TASK_UNMAPPED_BASE. */
+- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
+- len, limit);
++
++ addr = TASK_UNMAPPED_BASE;
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP)
++ addr += current->mm->delta_mmap;
++#endif
++
++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
++
+ if (addr != (unsigned long) -ENOMEM)
+ return addr;
+
+diff -uNr linux-2.6.6/arch/alpha/kernel/ptrace.c linux-2.6.6.fixed/arch/alpha/kernel/ptrace.c
+--- linux-2.6.6/arch/alpha/kernel/ptrace.c 2004-05-10 04:33:19.000000000 +0200
++++ linux-2.6.6.fixed/arch/alpha/kernel/ptrace.c 2004-05-11 10:55:55.000000000 +0200
+@@ -14,6 +14,7 @@
+ #include <linux/user.h>
+ #include <linux/slab.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -288,6 +289,9 @@
+ if (!child)
+ goto out_notsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out;
+diff -uNr linux-2.6.6/arch/alpha/mm/fault.c linux-2.6.6.fixed/arch/alpha/mm/fault.c
+--- linux-2.6.6/arch/alpha/mm/fault.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/alpha/mm/fault.c 2004-05-11 10:55:55.000000000 +0200
+@@ -25,6 +25,7 @@
+ #include <linux/smp_lock.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
++#include <linux/binfmts.h>
+
+ #include <asm/system.h>
+ #include <asm/uaccess.h>
+@@ -56,6 +57,142 @@
+ __reload_thread(pcb);
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (regs->pc = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when patched PLT trampoline was detected
++ * 3 when unpatched PLT trampoline was detected
++ * 4 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUPLT
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->pc >= current->mm->start_code &&
++ regs->pc < current->mm->end_code)
++ {
++ if (regs->r26 == regs->pc)
++ return 1;
++
++ regs->pc += current->mm->delta_exec;
++ return 4;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ do { /* PaX: patched PLT emulation #1 */
++ unsigned int ldah, ldq, jmp;
++
++ err = get_user(ldah, (unsigned int *)regs->pc);
++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
++
++ if (err)
++ break;
++
++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
++ jmp == 0x6BFB0000U)
++ {
++ unsigned long r27, addr;
++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
++
++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
++ err = get_user(r27, (unsigned long*)addr);
++ if (err)
++ break;
++
++ regs->r27 = r27;
++ regs->pc = r27;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: patched PLT emulation #2 */
++ unsigned int ldah, lda, br;
++
++ err = get_user(ldah, (unsigned int *)regs->pc);
++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
++ err |= get_user(br, (unsigned int *)(regs->pc+8));
++
++ if (err)
++ break;
++
++ if ((ldah & 0xFFFF0000U)== 0x277B0000U &&
++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
++ (br & 0xFFE00000U) == 0xC3E00000U)
++ {
++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
++
++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation */
++ unsigned int br;
++
++ err = get_user(br, (unsigned int *)regs->pc);
++
++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
++ unsigned int br2, ldq, nop, jmp;
++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
++
++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
++ err = get_user(br2, (unsigned int *)addr);
++ err |= get_user(ldq, (unsigned int *)(addr+4));
++ err |= get_user(nop, (unsigned int *)(addr+8));
++ err |= get_user(jmp, (unsigned int *)(addr+12));
++ err |= get_user(resolver, (unsigned long *)(addr+16));
++
++ if (err)
++ break;
++
++ if (br2 == 0xC3600000U &&
++ ldq == 0xA77B000CU &&
++ nop == 0x47FF041FU &&
++ jmp == 0x6B7B0000U)
++ {
++ regs->r28 = regs->pc+4;
++ regs->r27 = addr+16;
++ regs->pc = resolver;
++ return 3;
++ }
++ }
++ } while (0);
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
+
+ /*
+ * This routine handles page faults. It determines the address,
+@@ -133,8 +270,34 @@
+ good_area:
+ si_code = SEGV_ACCERR;
+ if (cause < 0) {
+- if (!(vma->vm_flags & VM_EXEC))
++ if (!(vma->vm_flags & VM_EXEC)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(current->flags & PF_PAX_PAGEEXEC) || address != regs->pc)
++ goto bad_area;
++
++ up_read(&mm->mmap_sem);
++ switch(pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++ case 2:
++ case 3:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 4:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->pc, (void*)rdusp());
++ do_exit(SIGKILL);
++#else
+ goto bad_area;
++#endif
++
++ }
+ } else if (!cause) {
+ /* Allow reads even for write-only mappings */
+ if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
+diff -uNr linux-2.6.6/arch/i386/Kconfig linux-2.6.6.fixed/arch/i386/Kconfig
+--- linux-2.6.6/arch/i386/Kconfig 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/Kconfig 2004-05-11 10:55:55.000000000 +0200
+@@ -394,7 +394,7 @@
+
+ config X86_ALIGNMENT_16
+ bool
+- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2
++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2
+ default y
+
+ config X86_GOOD_APIC
+diff -uNr linux-2.6.6/arch/i386/kernel/apm.c linux-2.6.6.fixed/arch/i386/kernel/apm.c
+--- linux-2.6.6/arch/i386/kernel/apm.c 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/apm.c 2004-05-11 10:55:55.000000000 +0200
+@@ -597,19 +597,40 @@
+ int cpu;
+ struct desc_struct save_desc_40;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long cr3;
++#endif
++
+ cpus = apm_save_cpus();
+
+ cpu = get_cpu();
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_open_kernel(flags, cr3);
++#endif
++
+ save_desc_40 = cpu_gdt_table[cpu][0x40 / 8];
+ cpu_gdt_table[cpu][0x40 / 8] = bad_bios_desc;
+
++#ifndef CONFIG_PAX_KERNEXEC
+ local_save_flags(flags);
+ APM_DO_CLI;
++#endif
++
+ APM_DO_SAVE_SEGS;
+ apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
+ APM_DO_RESTORE_SEGS;
++
++#ifndef CONFIG_PAX_KERNEXEC
+ local_irq_restore(flags);
++#endif
++
+ cpu_gdt_table[cpu][0x40 / 8] = save_desc_40;
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ put_cpu();
+ apm_restore_cpus(cpus);
+
+@@ -639,20 +660,40 @@
+ int cpu;
+ struct desc_struct save_desc_40;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long cr3;
++#endif
+
+ cpus = apm_save_cpus();
+
+ cpu = get_cpu();
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_open_kernel(flags, cr3);
++#endif
++
+ save_desc_40 = cpu_gdt_table[cpu][0x40 / 8];
+ cpu_gdt_table[cpu][0x40 / 8] = bad_bios_desc;
+
++#ifndef CONFIG_PAX_KERNEXEC
+ local_save_flags(flags);
+ APM_DO_CLI;
++#endif
++
+ APM_DO_SAVE_SEGS;
+ error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
+ APM_DO_RESTORE_SEGS;
++
++#ifndef CONFIG_PAX_KERNEXEC
+ local_irq_restore(flags);
++#endif
++
+ cpu_gdt_table[smp_processor_id()][0x40 / 8] = save_desc_40;
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ put_cpu();
+ apm_restore_cpus(cpus);
+ return error;
+diff -uNr linux-2.6.6/arch/i386/kernel/cpu/common.c linux-2.6.6.fixed/arch/i386/kernel/cpu/common.c
+--- linux-2.6.6/arch/i386/kernel/cpu/common.c 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/cpu/common.c 2004-05-11 10:55:55.000000000 +0200
+@@ -320,6 +320,10 @@
+ if (this_cpu->c_init)
+ this_cpu->c_init(c);
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_NOVSYSCALL)
++ clear_bit(X86_FEATURE_SEP, c->x86_capability);
++#endif
++
+ /* Disable the PN if appropriate */
+ squash_the_stupid_serial_number(c);
+
+@@ -515,7 +519,7 @@
+ set_tss_desc(cpu,t);
+ cpu_gdt_table[cpu][GDT_ENTRY_TSS].b &= 0xfffffdff;
+ load_TR_desc();
+- load_LDT(&init_mm.context);
++ _load_LDT(&init_mm.context);
+
+ /* Set up doublefault TSS pointer in the GDT */
+ __set_tss_desc(cpu, GDT_ENTRY_DOUBLEFAULT_TSS, &doublefault_tss);
+diff -uNr linux-2.6.6/arch/i386/kernel/entry.S linux-2.6.6.fixed/arch/i386/kernel/entry.S
+--- linux-2.6.6/arch/i386/kernel/entry.S 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/entry.S 2004-05-11 10:55:55.000000000 +0200
+@@ -272,6 +272,11 @@
+ movl TI_FLAGS(%ebp), %ecx
+ testw $_TIF_ALLWORK_MASK, %cx
+ jne syscall_exit_work
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ call pax_randomize_kstack
++#endif
++
+ /* if something modifies registers it must also disable sysexit */
+ movl EIP(%esp), %edx
+ movl OLDESP(%esp), %ecx
+@@ -299,6 +304,11 @@
+ movl TI_FLAGS(%ebp), %ecx
+ testw $_TIF_ALLWORK_MASK, %cx # current->work
+ jne syscall_exit_work
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ call pax_randomize_kstack
++#endif
++
+ restore_all:
+ RESTORE_ALL
+
+@@ -591,7 +601,13 @@
+ jmp error_code
+
+ ENTRY(page_fault)
++#ifdef CONFIG_PAX_PAGEEXEC
++ ALIGN
++ pushl $pax_do_page_fault
++#else
+ pushl $do_page_fault
++#endif
++
+ jmp error_code
+
+ #ifdef CONFIG_X86_MCE
+@@ -606,7 +622,7 @@
+ pushl $do_spurious_interrupt_bug
+ jmp error_code
+
+-.data
++.section .rodata,"a",@progbits
+ ENTRY(sys_call_table)
+ .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
+ .long sys_exit
+diff -uNr linux-2.6.6/arch/i386/kernel/head.S linux-2.6.6.fixed/arch/i386/kernel/head.S
+--- linux-2.6.6/arch/i386/kernel/head.S.orig 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6/arch/i386/kernel/head.S 2004-05-11 14:05:55.000000000 +0200
+@@ -49,6 +49,12 @@
+
+
+ /*
++ * Real beginning of normal "text" segment
++ */
++ENTRY(stext)
++ENTRY(_stext)
++
++/*
+ * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
+ * %esi points to the real-mode code as a 32-bit pointer.
+ * CS and DS must be 4 GB flat segments, but we don't depend on
+@@ -93,9 +99,9 @@
+
+ movl $(pg0 - __PAGE_OFFSET), %edi
+ movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
+- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
++ movl $0x067, %eax /* 0x067 = DIRTY+ACCESSED+PRESENT+RW+USER */
+ 10:
+- leal 0x007(%edi),%ecx /* Create PDE entry */
++ leal 0x067(%edi),%ecx /* Create PDE entry */
+ movl %ecx,(%edx) /* Store identity PDE entry */
+ movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
+ addl $4,%edx
+@@ -105,8 +111,8 @@
+ addl $0x1000,%eax
+ loop 11b
+ /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
+- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
+- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
++ /* bytes beyond the end of our own page tables; the +0x067 is the attribute bits */
++ leal (INIT_MAP_BEYOND_END+0x067)(%edi),%ebp
+ cmpl %ebp,%eax
+ jb 10b
+ movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
+@@ -165,7 +171,7 @@
+ movl %cr0,%eax
+ orl $0x80000000,%eax
+ movl %eax,%cr0 /* ..and set paging (PG) bit */
+- ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
++ ljmp $__BOOT_CS,$1f + __KERNEL_TEXT_OFFSET /* Clear prefetch and normalize %eip */
+ 1:
+ /* Set up the stack pointer */
+ lss stack_start,%esp
+@@ -380,31 +386,52 @@
+ iret
+
+ /*
+- * Real beginning of normal "text" segment
++ * This starts the data section. Note that the above is all
++ * in the text section because it has alignment requirements
++ * that we cannot fulfill any other way except for PaX ;-).
+ */
+-ENTRY(stext)
+-ENTRY(_stext)
++.data
++ready: .byte 0
+
+ /*
+- * BSS section
++ * swapper_pg_dir is the main page directory, address 0x00101000
++ *
++ * This is initialized to create an identity-mapping at 0 (for bootup
++ * purposes) and another mapping at virtual address PAGE_OFFSET. The
++ * values put here should be all invalid (zero); the valid
++ * entries are created dynamically at boot time.
++ *
++ * The code creates enough page tables to map 0-_end, the page tables
++ * themselves, plus INIT_MAP_BEYOND_END bytes; see comment at beginning.
+ */
+-.section ".bss.page_aligned","w"
++.section .data.swapper_pg_dir,"a",@progbits
+ ENTRY(swapper_pg_dir)
+ .fill 1024,4,0
++
++#ifdef CONFIG_PAX_KERNEXEC
++ENTRY(kernexec_pg_dir)
++ .fill 1024,4,0
++#endif
++
++.section .rodata.empty_zero_page,"a",@progbits
+ ENTRY(empty_zero_page)
+ .fill 4096,1,0
+
+ /*
+- * This starts the data section.
+- */
+-.data
++ * The IDT has to be page-aligned to simplify the Pentium
++ * F0 0F bug workaround.. We have a special link segment
++ * for this.
++ */
++.section .rodata.idt,"a",@progbits
++ENTRY(idt_table)
++ .fill 256,8,0
+
++.section .rodata,"a",@progbits
+ ENTRY(stack_start)
+ .long init_thread_union+THREAD_SIZE
+ .long __BOOT_DS
+
+-ready: .byte 0
+-
++/* This is the default interrupt "handler" :-) */
+ int_msg:
+ .asciz "Unknown interrupt or fault at EIP %p %p %p\n"
+
+@@ -446,8 +473,8 @@
+ .align L1_CACHE_BYTES
+ ENTRY(boot_gdt_table)
+ .fill GDT_ENTRY_BOOT_CS,8,0
+- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
+- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
+
+ /*
+ * The Global Descriptor Table contains 28 quadwords, per-CPU.
+@@ -458,7 +485,13 @@
+ .quad 0x0000000000000000 /* 0x0b reserved */
+ .quad 0x0000000000000000 /* 0x13 reserved */
+ .quad 0x0000000000000000 /* 0x1b reserved */
++
++#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_PCI_BIOS)
++ .quad 0x00cf9b000000ffff /* 0x20 kernel 4GB code at 0x00000000 */
++#else
+ .quad 0x0000000000000000 /* 0x20 unused */
++#endif
++
+ .quad 0x0000000000000000 /* 0x28 unused */
+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
+@@ -467,27 +500,32 @@
+ .quad 0x0000000000000000 /* 0x53 reserved */
+ .quad 0x0000000000000000 /* 0x5b reserved */
+
+- .quad 0x00cf9a000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
+- .quad 0x00cf92000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
+- .quad 0x00cffa000000ffff /* 0x73 user 4GB code at 0x00000000 */
+- .quad 0x00cff2000000ffff /* 0x7b user 4GB data at 0x00000000 */
++#ifdef CONFIG_PAX_KERNEXEC
++ .quad 0xc0cf9b400000ffff /* 0x60 kernel 4GB code at 0xc0400000 */
++#else
++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
++#endif
++
++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
+
+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
+
+ /* Segments used for calling PnP BIOS */
+- .quad 0x00c09a0000000000 /* 0x90 32-bit code */
+- .quad 0x00809a0000000000 /* 0x98 16-bit code */
+- .quad 0x0080920000000000 /* 0xa0 16-bit data */
+- .quad 0x0080920000000000 /* 0xa8 16-bit data */
+- .quad 0x0080920000000000 /* 0xb0 16-bit data */
++ .quad 0x00c09b0000000000 /* 0x90 32-bit code */
++ .quad 0x00809b0000000000 /* 0x98 16-bit code */
++ .quad 0x0080930000000000 /* 0xa0 16-bit data */
++ .quad 0x0080930000000000 /* 0xa8 16-bit data */
++ .quad 0x0080930000000000 /* 0xb0 16-bit data */
+ /*
+ * The APM segments have byte granularity and their bases
+ * and limits are set at run time.
+ */
+- .quad 0x00409a0000000000 /* 0xb8 APM CS code */
+- .quad 0x00009a0000000000 /* 0xc0 APM CS 16 code (16 bit) */
+- .quad 0x0040920000000000 /* 0xc8 APM DS data */
++ .quad 0x00409b0000000000 /* 0xb8 APM CS code */
++ .quad 0x00009b0000000000 /* 0xc0 APM CS 16 code (16 bit) */
++ .quad 0x0040930000000000 /* 0xc8 APM DS data */
+
+ .quad 0x0000000000000000 /* 0xd0 - unused */
+ .quad 0x0000000000000000 /* 0xd8 - unused */
+diff -uNr linux-2.6.6/arch/i386/kernel/ioport.c linux-2.6.6.fixed/arch/i386/kernel/ioport.c
+--- linux-2.6.6/arch/i386/kernel/ioport.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/ioport.c 2004-05-11 10:55:55.000000000 +0200
+@@ -15,6 +15,7 @@
+ #include <linux/stddef.h>
+ #include <linux/slab.h>
+ #include <linux/thread_info.h>
++#include <linux/grsecurity.h>
+
+ /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
+ static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
+@@ -62,9 +63,16 @@
+
+ if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ return -EINVAL;
++#ifdef CONFIG_GRKERNSEC_IO
++ if (turn_on) {
++ gr_handle_ioperm();
++#else
+ if (turn_on && !capable(CAP_SYS_RAWIO))
++#endif
+ return -EPERM;
+-
++#ifdef CONFIG_GRKERNSEC_IO
++ }
++#endif
+ /*
+ * If it's the first ioperm() call in this thread's lifetime, set the
+ * IO bitmap up. ioperm() is much less timing critical than clone(),
+@@ -115,8 +123,13 @@
+ return -EINVAL;
+ /* Trying to gain more privileges? */
+ if (level > old) {
++#ifdef CONFIG_GRKERNSEC_IO
++ gr_handle_iopl();
++ return -EPERM;
++#else
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
++#endif
+ }
+ regs->eflags = (regs->eflags &~ 0x3000UL) | (level << 12);
+ /* Make sure we return the long way (not sysenter) */
+diff -uNr linux-2.6.6/arch/i386/kernel/ldt.c linux-2.6.6.fixed/arch/i386/kernel/ldt.c
+--- linux-2.6.6/arch/i386/kernel/ldt.c 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/ldt.c 2004-05-11 10:55:55.000000000 +0200
+@@ -154,7 +154,7 @@
+ {
+ int err;
+ unsigned long size;
+- void *address;
++ const void *address;
+
+ err = 0;
+ address = &default_ldt[0];
+@@ -211,6 +211,13 @@
+ }
+ }
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) && (ldt_info.contents & 2)) {
++ error = -EINVAL;
++ goto out_unlock;
++ }
++#endif
++
+ entry_1 = LDT_entry_a(&ldt_info);
+ entry_2 = LDT_entry_b(&ldt_info);
+ if (oldmode)
+diff -uNr linux-2.6.6/arch/i386/kernel/process.c linux-2.6.6.fixed/arch/i386/kernel/process.c
+--- linux-2.6.6/arch/i386/kernel/process.c 2004-05-10 04:31:54.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/process.c 2004-05-11 10:55:55.000000000 +0200
+@@ -348,7 +348,7 @@
+ struct task_struct *tsk;
+ int err;
+
+- childregs = ((struct pt_regs *) (THREAD_SIZE + (unsigned long) p->thread_info)) - 1;
++ childregs = ((struct pt_regs *) (THREAD_SIZE + (unsigned long) p->thread_info - sizeof(unsigned long))) - 1;
+ struct_cpy(childregs, regs);
+ childregs->eax = 0;
+ childregs->esp = esp;
+@@ -450,9 +450,8 @@
+ int dump_task_regs(struct task_struct *tsk, elf_gregset_t *regs)
+ {
+ struct pt_regs ptregs;
+-
+- ptregs = *(struct pt_regs *)
+- ((unsigned long)tsk->thread_info+THREAD_SIZE - sizeof(ptregs));
++
++ ptregs = *(struct pt_regs *)(tsk->thread.esp0 - sizeof(ptregs));
+ ptregs.xcs &= 0xffff;
+ ptregs.xds &= 0xffff;
+ ptregs.xes &= 0xffff;
+@@ -505,10 +504,22 @@
+ int cpu = smp_processor_id();
+ struct tss_struct *tss = init_tss + cpu;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long flags, cr3;
++#endif
++
+ /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
+
+ __unlazy_fpu(prev_p);
+
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_open_kernel(flags, cr3);
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ pax_switch_segments(next_p, cpu);
++#endif
++
+ /*
+ * Reload esp0, LDT and the page table pointer:
+ */
+@@ -519,6 +530,10 @@
+ */
+ load_TLS(next, cpu);
+
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ /*
+ * Save away %fs and %gs. No need to save %es and %ds, as
+ * those are always kernel segments while inside the kernel.
+@@ -691,6 +706,10 @@
+ struct desc_struct *desc;
+ int cpu, idx;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long flags, cr3;
++#endif
++
+ if (copy_from_user(&info, u_info, sizeof(info)))
+ return -EFAULT;
+ idx = info.entry_number;
+@@ -724,8 +743,17 @@
+ desc->a = LDT_entry_a(&info);
+ desc->b = LDT_entry_b(&info);
+ }
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_open_kernel(flags, cr3);
++#endif
++
+ load_TLS(t, cpu);
+
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ put_cpu();
+
+ return 0;
+@@ -779,3 +807,29 @@
+ return 0;
+ }
+
++#ifdef CONFIG_PAX_RANDKSTACK
++asmlinkage void pax_randomize_kstack(void)
++{
++ struct tss_struct *tss = init_tss + smp_processor_id();
++ unsigned long time;
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (!pax_aslr)
++ return;
++#endif
++
++ rdtscl(time);
++
++ /* P4 seems to return a 0 LSB, ignore it */
++#ifdef CONFIG_MPENTIUM4
++ time &= 0x3EUL;
++ time <<= 1;
++#else
++ time &= 0x1FUL;
++ time <<= 2;
++#endif
++
++ tss->esp0 ^= time;
++ current->thread.esp0 = tss->esp0;
++}
++#endif
+diff -uNr linux-2.6.6/arch/i386/kernel/ptrace.c linux-2.6.6.fixed/arch/i386/kernel/ptrace.c
+--- linux-2.6.6/arch/i386/kernel/ptrace.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/ptrace.c 2004-05-11 12:17:35.000000000 +0200
+@@ -15,6 +15,7 @@
+ #include <linux/user.h>
+ #include <linux/security.h>
+ #include <linux/audit.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -263,6 +264,9 @@
+ if (pid == 1) /* you may not mess with init */
+ goto out_tsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out_tsk;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out_tsk;
+@@ -341,6 +345,17 @@
+ if(addr == (long) &dummy->u_debugreg[5]) break;
+ if(addr < (long) &dummy->u_debugreg[4] &&
+ ((unsigned long) data) >= TASK_SIZE-3) break;
++
++#ifdef CONFIG_GRKERNSEC
++ if(addr >= (long) &dummy->u_debugreg[0] &&
++ addr <= (long) &dummy->u_debugreg[3]){
++ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
++ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
++ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
++ if((type & 1) && (data & align))
++ break;
++ }
++#endif
+
+ if(addr == (long) &dummy->u_debugreg[7]) {
+ data &= ~DR_CONTROL_RESERVED;
+diff -uNr linux-2.6.6/arch/i386/kernel/reboot.c linux-2.6.6.fixed/arch/i386/kernel/reboot.c
+--- linux-2.6.6/arch/i386/kernel/reboot.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/reboot.c 2004-05-11 10:55:55.000000000 +0200
+@@ -74,18 +74,18 @@
+ doesn't work with at least one type of 486 motherboard. It is easy
+ to stop this code working; hence the copious comments. */
+
+-static unsigned long long
++static const unsigned long long
+ real_mode_gdt_entries [3] =
+ {
+ 0x0000000000000000ULL, /* Null descriptor */
+- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
+- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
++ 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
++ 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
+ };
+
+ static struct
+ {
+ unsigned short size __attribute__ ((packed));
+- unsigned long long * base __attribute__ ((packed));
++ const unsigned long long * base __attribute__ ((packed));
+ }
+ real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, real_mode_gdt_entries },
+ real_mode_idt = { 0x3ff, 0 },
+diff -uNr linux-2.6.6/arch/i386/kernel/setup.c linux-2.6.6.fixed/arch/i386/kernel/setup.c
+--- linux-2.6.6/arch/i386/kernel/setup.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/setup.c 2004-05-11 10:55:55.000000000 +0200
+@@ -1196,6 +1196,15 @@
+ #endif
+ }
+
++#ifdef CONFIG_PAX_SOFTMODE
++static int __init setup_pax_softmode(char *str)
++{
++ get_option (&str, &pax_softmode);
++ return 1;
++}
++__setup("pax_softmode=", setup_pax_softmode);
++#endif
++
+ #include "setup_arch_post.h"
+ /*
+ * Local Variables:
+diff -uNr linux-2.6.6/arch/i386/kernel/signal.c linux-2.6.6.fixed/arch/i386/kernel/signal.c
+--- linux-2.6.6/arch/i386/kernel/signal.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/signal.c 2004-05-11 10:55:55.000000000 +0200
+@@ -376,7 +376,17 @@
+ if (err)
+ goto give_sigsegv;
+
++#ifdef CONFIG_PAX_NOVSYSCALL
++ restorer = frame->retcode;
++#else
+ restorer = &__kernel_sigreturn;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC)
++ restorer -= SEGMEXEC_TASK_SIZE;
++#endif
++#endif
++
+ if (ka->sa.sa_flags & SA_RESTORER)
+ restorer = ka->sa.sa_restorer;
+
+@@ -459,7 +469,18 @@
+ goto give_sigsegv;
+
+ /* Set up to return from userspace. */
++
++#ifdef CONFIG_PAX_NOVSYSCALL
++ restorer = frame->retcode;
++#else
+ restorer = &__kernel_rt_sigreturn;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC)
++ restorer -= SEGMEXEC_TASK_SIZE;
++#endif
++#endif
++
+ if (ka->sa.sa_flags & SA_RESTORER)
+ restorer = ka->sa.sa_restorer;
+ err |= __put_user(restorer, &frame->pretcode);
+diff -uNr linux-2.6.6/arch/i386/kernel/sysenter.c linux-2.6.6.fixed/arch/i386/kernel/sysenter.c
+--- linux-2.6.6/arch/i386/kernel/sysenter.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/sysenter.c 2004-05-11 10:55:55.000000000 +0200
+@@ -41,13 +41,15 @@
+ extern const char vsyscall_int80_start, vsyscall_int80_end;
+ extern const char vsyscall_sysenter_start, vsyscall_sysenter_end;
+
++#ifndef CONFIG_PAX_NOVSYSCALL
+ static int __init sysenter_setup(void)
+ {
+ unsigned long page = get_zeroed_page(GFP_ATOMIC);
+
+ __set_fixmap(FIX_VSYSCALL, __pa(page), PAGE_READONLY);
+
+- if (!boot_cpu_has(X86_FEATURE_SEP)) {
++ if (!boot_cpu_has(X86_FEATURE_SEP))
++ {
+ memcpy((void *) page,
+ &vsyscall_int80_start,
+ &vsyscall_int80_end - &vsyscall_int80_start);
+@@ -63,3 +65,4 @@
+ }
+
+ __initcall(sysenter_setup);
++#endif
+diff -uNr linux-2.6.6/arch/i386/kernel/sys_i386.c linux-2.6.6.fixed/arch/i386/kernel/sys_i386.c
+--- linux-2.6.6/arch/i386/kernel/sys_i386.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/sys_i386.c 2004-05-11 10:55:55.000000000 +0200
+@@ -19,6 +19,7 @@
+ #include <linux/mman.h>
+ #include <linux/file.h>
+ #include <linux/utsname.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/ipc.h>
+@@ -49,6 +50,11 @@
+ int error = -EBADF;
+ struct file * file = NULL;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+@@ -56,6 +62,12 @@
+ goto out;
+ }
+
++ if (gr_handle_mmap(file, prot)) {
++ fput(file);
++ error = -EACCES;
++ goto out;
++ }
++
+ down_write(¤t->mm->mmap_sem);
+ error = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/arch/i386/kernel/trampoline.S linux-2.6.6.fixed/arch/i386/kernel/trampoline.S
+--- linux-2.6.6/arch/i386/kernel/trampoline.S 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/trampoline.S 2004-05-11 10:55:55.000000000 +0200
+@@ -58,7 +58,7 @@
+ inc %ax # protected mode (PE) bit
+ lmsw %ax # into protected mode
+ # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
+- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
++ ljmpl $__BOOT_CS, $(startup_32_smp+__KERNEL_TEXT_OFFSET-__PAGE_OFFSET)
+
+ # These need to be in the same 64K segment as the above;
+ # hence we don't use the boot_gdt_descr defined in head.S
+diff -uNr linux-2.6.6/arch/i386/kernel/traps.c linux-2.6.6.fixed/arch/i386/kernel/traps.c
+--- linux-2.6.6/arch/i386/kernel/traps.c 2004-05-10 04:32:02.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/traps.c 2004-05-11 12:16:56.000000000 +0200
+@@ -59,18 +59,13 @@
+ asmlinkage void lcall7(void);
+ asmlinkage void lcall27(void);
+
+-struct desc_struct default_ldt[] = { { 0, 0 }, { 0, 0 }, { 0, 0 },
++const struct desc_struct default_ldt[] = { { 0, 0 }, { 0, 0 }, { 0, 0 },
+ { 0, 0 }, { 0, 0 } };
+
+ /* Do we ignore FPU interrupts ? */
+ char ignore_fpu_irq = 0;
+
+-/*
+- * The IDT has to be page-aligned to simplify the Pentium
+- * F0 0F bug workaround.. We have a special link segment
+- * for this.
+- */
+-struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
++extern struct desc_struct idt_table[256];
+
+ asmlinkage void divide_error(void);
+ asmlinkage void debug(void);
+@@ -97,6 +92,7 @@
+ void show_trace(struct task_struct *task, unsigned long * stack)
+ {
+ unsigned long addr;
++ int i = kstack_depth_to_print;
+
+ if (!stack)
+ stack = (unsigned long*)&stack;
+@@ -108,11 +104,12 @@
+ while (1) {
+ struct thread_info *context;
+ context = (struct thread_info*) ((unsigned long)stack & (~(THREAD_SIZE - 1)));
+- while (!kstack_end(stack)) {
++ while (i && !kstack_end(stack)) {
+ addr = *stack++;
+ if (kernel_text_address(addr)) {
+ printk(" [<%08lx>] ", addr);
+ print_symbol("%s\n", addr);
++ --i;
+ }
+ }
+ stack = (unsigned long*)context->previous_esp;
+@@ -197,14 +194,23 @@
+ show_stack(NULL, (unsigned long*)esp);
+
+ printk("Code: ");
++
++#ifndef CONFIG_PAX_KERNEXEC
+ if(regs->eip < PAGE_OFFSET)
+ goto bad;
++#endif
+
+ for(i=0;i<20;i++)
+ {
+ unsigned char c;
++
++#ifdef CONFIG_PAX_KERNEXEC
++ if(__get_user(c, &((unsigned char*)regs->eip)[i+__KERNEL_TEXT_OFFSET])) {
++#else
+ if(__get_user(c, &((unsigned char*)regs->eip)[i])) {
+ bad:
++#endif
++
+ printk(" Bad EIP value.");
+ break;
+ }
+@@ -227,8 +233,13 @@
+
+ eip = regs->eip;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ eip += __KERNEL_TEXT_OFFSET;
++#else
+ if (eip < PAGE_OFFSET)
+ goto no_bug;
++#endif
++
+ if (__get_user(ud2, (unsigned short *)eip))
+ goto no_bug;
+ if (ud2 != 0x0b0f)
+@@ -236,7 +247,13 @@
+ if (__get_user(line, (unsigned short *)(eip + 2)))
+ goto bug;
+ if (__get_user(file, (char **)(eip + 4)) ||
++
++#ifdef CONFIG_PAX_KERNEXEC
++ __get_user(c, file + __KERNEL_TEXT_OFFSET))
++#else
+ (unsigned long)file < PAGE_OFFSET || __get_user(c, file))
++#endif
++
+ file = "<bad filename>";
+
+ printk("------------[ cut here ]------------\n");
+@@ -409,8 +426,16 @@
+ return;
+
+ gp_in_kernel:
+- if (!fixup_exception(regs))
++ if (!fixup_exception(regs)) {
++
++#ifdef CONFIG_PAX_KERNEXEC
++ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
++ die("PAX: suspicious general protection fault", regs, error_code);
++ else
++#endif
++
+ die("general protection fault", regs, error_code);
++ }
+ }
+
+ static void mem_parity_error(unsigned char reason, struct pt_regs * regs)
+@@ -843,7 +868,7 @@
+ _set_gate(idt_table+n,15,3,addr,__KERNEL_CS);
+ }
+
+-static void __init set_call_gate(void *a, void *addr)
++static void __init set_call_gate(const void *a, void *addr)
+ {
+ _set_gate(a,12,3,addr,__KERNEL_CS);
+ }
+diff -uNr linux-2.6.6/arch/i386/kernel/vmlinux.lds.S linux-2.6.6.fixed/arch/i386/kernel/vmlinux.lds.S
+--- linux-2.6.6/arch/i386/kernel/vmlinux.lds.S 2004-05-10 04:32:02.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/kernel/vmlinux.lds.S 2004-05-11 12:48:27.000000000 +0200
+@@ -2,7 +2,12 @@
+ * Written by Martin Mares <mj@atrey.karlin.mff.cuni.cz>;
+ */
+
++#include <linux/config.h>
++
+ #include <asm-generic/vmlinux.lds.h>
++#include <asm-i386/page.h>
++#include <asm-i386/segment.h>
++
+ #include <asm/thread_info.h>
+
+ OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+@@ -11,26 +16,16 @@
+ jiffies = jiffies_64;
+ SECTIONS
+ {
+- . = 0xC0000000 + 0x100000;
+- /* read-only */
+- _text = .; /* Text and read-only data */
+- .text : {
+- *(.text)
+- SCHED_TEXT
+- *(.fixup)
+- *(.gnu.warning)
+- } = 0x9090
+-
+- _etext = .; /* End of text section */
+-
+- . = ALIGN(16); /* Exception table */
+- __start___ex_table = .;
+- __ex_table : { *(__ex_table) }
+- __stop___ex_table = .;
+-
+- RODATA
++ . = __PAGE_OFFSET + 0x100000;
++ .text.startup : {
++ BYTE(0xEA) /* jmp far */
++ LONG(startup_32 + __KERNEL_TEXT_OFFSET - __PAGE_OFFSET)
++ SHORT(__BOOT_CS)
++ }
+
+ /* writeable */
++ . = ALIGN(32);
++ _data = .;
+ .data : { /* Data */
+ *(.data)
+ CONSTRUCTORS
+@@ -42,25 +37,28 @@
+ . = ALIGN(4096);
+ __nosave_end = .;
+
+- . = ALIGN(4096);
+- .data.page_aligned : { *(.data.idt) }
+-
+ . = ALIGN(32);
+ .data.cacheline_aligned : { *(.data.cacheline_aligned) }
+
+- _edata = .; /* End of data section */
+-
+ . = ALIGN(THREAD_SIZE); /* init_task */
+ .data.init_task : { *(.data.init_task) }
+
++ . = ALIGN(4096);
++ .data.page_aligned : { *(.data.swapper_pg_dir) }
++
++ _edata = .; /* End of data section */
++
++ __bss_start = .; /* BSS */
++ .bss : {
++ *(.bss)
++ LONG(0)
++ }
++ . = ALIGN(4);
++ __bss_stop = .;
++
+ /* will be freed after init */
+ . = ALIGN(4096); /* Init code and data */
+ __init_begin = .;
+- .init.text : {
+- _sinittext = .;
+- *(.init.text)
+- _einittext = .;
+- }
+ .init.data : { *(.init.data) }
+ . = ALIGN(16);
+ __setup_start = .;
+@@ -89,9 +87,13 @@
+ .altinstructions : { *(.altinstructions) }
+ __alt_instructions_end = .;
+ .altinstr_replacement : { *(.altinstr_replacement) }
++
++#ifndef CONFIG_PAX_KERNEXEC
+ /* .exit.text is discard at runtime, not link time, to deal with references
+ from .altinstructions and .eh_frame */
+ .exit.text : { *(.exit.text) }
++#endif
++
+ .exit.data : { *(.exit.data) }
+ . = ALIGN(4096);
+ __initramfs_start = .;
+@@ -101,19 +103,69 @@
+ __per_cpu_start = .;
+ .data.percpu : { *(.data.percpu) }
+ __per_cpu_end = .;
++
++ /* read-only */
++
++#ifdef CONFIG_PAX_KERNEXEC
++ __init_text_start = .;
++ .init.text (. - __KERNEL_TEXT_OFFSET) : AT (__init_text_start) {
++ _sinittext = .;
++ *(.init.text)
++ _einittext = .;
++ *(.exit.text)
++ . = ALIGN(4*1024*1024) - 1;
++ BYTE(0)
++ }
+ . = ALIGN(4096);
+- __init_end = .;
++ __init_end = . + __KERNEL_TEXT_OFFSET;
+ /* freed after init ends here */
+-
+- __bss_start = .; /* BSS */
+- .bss : {
+- *(.bss.page_aligned)
+- *(.bss)
++
++/*
++ * PaX: this must be kept in synch with the KERNEL_CS base
++ * in the GDTs in arch/i386/kernel/head.S
++ */
++ _text = .; /* Text and read-only data */
++ .text : AT (. + __KERNEL_TEXT_OFFSET) {
++#else
++ .init.text : {
++ _sinittext = .;
++ *(.init.text)
++ _einittext = .;
+ }
+- . = ALIGN(4);
+- __bss_stop = .;
++ . = ALIGN(4096);
++ __init_end = .;
++ /* freed after init ends here */
++
++ _text = .; /* Text and read-only data */
++ .text : {
++#endif
++
++ *(.text)
++ *(.fixup)
++ *(.gnu.warning)
++ } = 0x9090
++
++ _etext = .; /* End of text section */
++ . += __KERNEL_TEXT_OFFSET;
++ . = ALIGN(16); /* Exception table */
++ __start___ex_table = .;
++ __ex_table : { *(__ex_table) }
++ __stop___ex_table = .;
++
++ . = ALIGN(4096);
++ .rodata.page_aligned : {
++ *(.rodata.empty_zero_page)
++ *(.rodata.idt)
++ }
++
++ RODATA
+
++#ifdef CONFIG_PAX_KERNEXEC
++ _end = ALIGN(4*1024*1024);
++ . = _end ;
++#else
+ _end = . ;
++#endif
+
+ /* This is where the kernel creates the early boot page tables */
+ . = ALIGN(4096);
+diff -uNr linux-2.6.6/arch/i386/mm/fault.c linux-2.6.6.fixed/arch/i386/mm/fault.c
+--- linux-2.6.6/arch/i386/mm/fault.c 2004-05-10 04:31:57.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/mm/fault.c 2004-05-11 10:55:55.000000000 +0200
+@@ -21,6 +21,9 @@
+ #include <linux/vt_kern.h> /* For unblank_screen() */
+ #include <linux/highmem.h>
+ #include <linux/module.h>
++#include <linux/unistd.h>
++#include <linux/compiler.h>
++#include <linux/binfmts.h>
+
+ #include <asm/system.h>
+ #include <asm/uaccess.h>
+@@ -199,6 +202,10 @@
+
+ asmlinkage void do_invalid_op(struct pt_regs *, unsigned long);
+
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++static int pax_handle_fetch_fault(struct pt_regs *regs);
++#endif
++
+ /*
+ * This routine handles page faults. It determines the address,
+ * and the problem, and then passes it off to one of the appropriate
+@@ -209,22 +216,31 @@
+ * bit 1 == 0 means read, 1 means write
+ * bit 2 == 0 means kernel, 1 means user-mode
+ */
++
++#ifdef CONFIG_PAX_PAGEEXEC
++static void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
++#else
+ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code)
++#endif
+ {
+ struct task_struct *tsk;
+ struct mm_struct *mm;
+ struct vm_area_struct * vma;
++#ifndef CONFIG_PAX_PAGEEXEC
+ unsigned long address;
++#endif
+ unsigned long page;
+ int write;
+ siginfo_t info;
+
++#ifndef CONFIG_PAX_PAGEEXEC
+ /* get the address */
+ __asm__("movl %%cr2,%0":"=r" (address));
+
+ /* It's safe to allow irq's after cr2 has been saved */
+ if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
+ local_irq_enable();
++#endif
+
+ tsk = current;
+
+@@ -358,6 +374,34 @@
+ if (is_prefetch(regs, address))
+ return;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++
++#if defined(CONFIG_PAX_EMUTRAMP) || defined(CONFIG_PAX_RANDEXEC)
++ if ((error_code == 4) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
++ switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 3:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ case 2:
++ return;
++#endif
++
++ }
++ }
++#endif
++
++ if (address >= SEGMEXEC_TASK_SIZE) {
++ pax_report_fault(regs, (void*)regs->eip, (void*)regs->esp);
++ do_exit(SIGKILL);
++ }
++ }
++#endif
++
+ tsk->thread.cr2 = address;
+ /* Kernel addresses are always protection faults */
+ tsk->thread.error_code = error_code | (address >= TASK_SIZE);
+@@ -408,6 +452,13 @@
+
+ if (address < PAGE_SIZE)
+ printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
++
++#ifdef CONFIG_PAX_KERNEXEC
++ else if (init_mm.start_code + __KERNEL_TEXT_OFFSET <= address && address < init_mm.end_code + __KERNEL_TEXT_OFFSET)
++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
++ tsk->comm, tsk->pid, tsk->uid, tsk->euid);
++#endif
++
+ else
+ printk(KERN_ALERT "Unable to handle kernel paging request");
+ printk(" at virtual address %08lx\n",address);
+@@ -509,3 +560,359 @@
+ return;
+ }
+ }
++
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++/*
++ * PaX: decide what to do with offenders (regs->eip = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when gcc trampoline was detected
++ * 3 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ static const unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4};
++#endif
++
++#if defined(CONFIG_PAX_RANDEXEC) || defined(CONFIG_PAX_EMUTRAMP)
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ unsigned long esp_4;
++
++ if (regs->eip >= current->mm->start_code &&
++ regs->eip < current->mm->end_code)
++ {
++ err = get_user(esp_4, (unsigned long*)(regs->esp-4UL));
++ if (err || esp_4 == regs->eip)
++ return 1;
++
++ regs->eip += current->mm->delta_exec;
++ return 3;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ do { /* PaX: gcc trampoline emulation #1 */
++ unsigned char mov1, mov2;
++ unsigned short jmp;
++ unsigned long addr1, addr2, ret;
++ unsigned short call;
++
++ err = get_user(mov1, (unsigned char *)regs->eip);
++ err |= get_user(addr1, (unsigned long *)(regs->eip + 1));
++ err |= get_user(mov2, (unsigned char *)(regs->eip + 5));
++ err |= get_user(addr2, (unsigned long *)(regs->eip + 6));
++ err |= get_user(jmp, (unsigned short *)(regs->eip + 10));
++ err |= get_user(ret, (unsigned long *)regs->esp);
++
++ if (err)
++ break;
++
++ err = get_user(call, (unsigned short *)(ret-2));
++ if (err)
++ break;
++
++ if ((mov1 & 0xF8) == 0xB8 &&
++ (mov2 & 0xF8) == 0xB8 &&
++ (mov1 & 0x07) != (mov2 & 0x07) &&
++ (jmp & 0xF8FF) == 0xE0FF &&
++ (mov2 & 0x07) == ((jmp>>8) & 0x07) &&
++ (call & 0xF8FF) == 0xD0FF &&
++ regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])
++ {
++ ((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1;
++ ((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2;
++ regs->eip = addr2;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: gcc trampoline emulation #2 */
++ unsigned char mov, jmp;
++ unsigned long addr1, addr2, ret;
++ unsigned short call;
++
++ err = get_user(mov, (unsigned char *)regs->eip);
++ err |= get_user(addr1, (unsigned long *)(regs->eip + 1));
++ err |= get_user(jmp, (unsigned char *)(regs->eip + 5));
++ err |= get_user(addr2, (unsigned long *)(regs->eip + 6));
++ err |= get_user(ret, (unsigned long *)regs->esp);
++
++ if (err)
++ break;
++
++ err = get_user(call, (unsigned short *)(ret-2));
++ if (err)
++ break;
++
++ if ((mov & 0xF8) == 0xB8 &&
++ jmp == 0xE9 &&
++ (call & 0xF8FF) == 0xD0FF &&
++ regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]])
++ {
++ ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
++ regs->eip += addr2 + 10;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: gcc trampoline emulation #3 */
++ unsigned char mov, jmp;
++ char offset;
++ unsigned long addr1, addr2, ret;
++ unsigned short call;
++
++ err = get_user(mov, (unsigned char *)regs->eip);
++ err |= get_user(addr1, (unsigned long *)(regs->eip + 1));
++ err |= get_user(jmp, (unsigned char *)(regs->eip + 5));
++ err |= get_user(addr2, (unsigned long *)(regs->eip + 6));
++ err |= get_user(ret, (unsigned long *)regs->esp);
++
++ if (err)
++ break;
++
++ err = get_user(call, (unsigned short *)(ret-3));
++ err |= get_user(offset, (char *)(ret-1));
++ if (err)
++ break;
++
++ if ((mov & 0xF8) == 0xB8 &&
++ jmp == 0xE9 &&
++ call == 0x55FF)
++ {
++ unsigned long addr;
++
++ err = get_user(addr, (unsigned long*)(regs->ebp + (unsigned long)(long)offset));
++ if (err || regs->eip != addr)
++ break;
++
++ ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
++ regs->eip += addr2 + 10;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: gcc trampoline emulation #4 */
++ unsigned char mov, jmp, sib;
++ char offset;
++ unsigned long addr1, addr2, ret;
++ unsigned short call;
++
++ err = get_user(mov, (unsigned char *)regs->eip);
++ err |= get_user(addr1, (unsigned long *)(regs->eip + 1));
++ err |= get_user(jmp, (unsigned char *)(regs->eip + 5));
++ err |= get_user(addr2, (unsigned long *)(regs->eip + 6));
++ err |= get_user(ret, (unsigned long *)regs->esp);
++
++ if (err)
++ break;
++
++ err = get_user(call, (unsigned short *)(ret-4));
++ err |= get_user(sib, (unsigned char *)(ret-2));
++ err |= get_user(offset, (char *)(ret-1));
++ if (err)
++ break;
++
++ if ((mov & 0xF8) == 0xB8 &&
++ jmp == 0xE9 &&
++ call == 0x54FF &&
++ sib == 0x24)
++ {
++ unsigned long addr;
++
++ err = get_user(addr, (unsigned long*)(regs->esp + 4 + (unsigned long)(long)offset));
++ if (err || regs->eip != addr)
++ break;
++
++ ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
++ regs->eip += addr2 + 10;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: gcc trampoline emulation #5 */
++ unsigned char mov, jmp, sib;
++ unsigned long addr1, addr2, ret, offset;
++ unsigned short call;
++
++ err = get_user(mov, (unsigned char *)regs->eip);
++ err |= get_user(addr1, (unsigned long *)(regs->eip + 1));
++ err |= get_user(jmp, (unsigned char *)(regs->eip + 5));
++ err |= get_user(addr2, (unsigned long *)(regs->eip + 6));
++ err |= get_user(ret, (unsigned long *)regs->esp);
++
++ if (err)
++ break;
++
++ err = get_user(call, (unsigned short *)(ret-7));
++ err |= get_user(sib, (unsigned char *)(ret-5));
++ err |= get_user(offset, (unsigned long *)(ret-4));
++ if (err)
++ break;
++
++ if ((mov & 0xF8) == 0xB8 &&
++ jmp == 0xE9 &&
++ call == 0x94FF &&
++ sib == 0x24)
++ {
++ unsigned long addr;
++
++ err = get_user(addr, (unsigned long*)(regs->esp + 4 + offset));
++ if (err || regs->eip != addr)
++ break;
++
++ ((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
++ regs->eip += addr2 + 10;
++ return 2;
++ }
++ } while (0);
++#endif
++
++ return 1; /* PaX in action */
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 20; i++) {
++ unsigned char c;
++ if (get_user(c, (unsigned char*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%02x ", c);
++ }
++ printk("\n");
++
++ printk(KERN_ERR "PAX: bytes at SP: ");
++ for (i = 0; i < 20; i++) {
++ unsigned long c;
++ if (get_user(c, (unsigned long*)sp+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08lx ", c);
++ }
++ printk("\n");
++}
++#endif
++
++#ifdef CONFIG_PAX_PAGEEXEC
++/* PaX: called with the page_table_lock spinlock held */
++static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address)
++{
++ pgd_t *pgd;
++ pmd_t *pmd;
++
++ pgd = pgd_offset(mm, address);
++ if (!pgd || !pgd_present(*pgd))
++ return 0;
++ pmd = pmd_offset(pgd, address);
++ if (!pmd || !pmd_present(*pmd))
++ return 0;
++ return pte_offset_map(pmd, address);
++}
++
++/*
++ * PaX: handle the extra page faults or pass it down to the original handler
++ */
++asmlinkage void pax_do_page_fault(struct pt_regs *regs, unsigned long error_code)
++{
++ struct mm_struct *mm = current->mm;
++ unsigned long address;
++ pte_t *pte;
++ unsigned char pte_mask;
++ int ret;
++
++ __asm__("movl %%cr2,%0":"=r" (address));
++
++ /* It's safe to allow irq's after cr2 has been saved */
++ if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
++ local_irq_enable();
++
++ if (unlikely((error_code & 5) != 5 ||
++ address >= TASK_SIZE ||
++ !(current->flags & PF_PAX_PAGEEXEC)))
++ return do_page_fault(regs, error_code, address);
++
++ /* PaX: it's our fault, let's handle it if we can */
++
++ /* PaX: take a look at read faults before acquiring any locks */
++ if (unlikely((error_code == 5) && (regs->eip == address))) {
++ /* instruction fetch attempt from a protected page in user mode */
++ ret = pax_handle_fetch_fault(regs);
++ switch (ret) {
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 3:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ case 2:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->eip, (void*)regs->esp);
++ do_exit(SIGKILL);
++ }
++
++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
++
++ spin_lock(&mm->page_table_lock);
++ pte = pax_get_pte(mm, address);
++ if (unlikely(!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte))) {
++ pte_unmap(pte);
++ spin_unlock(&mm->page_table_lock);
++ do_page_fault(regs, error_code, address);
++ return;
++ }
++
++ if (unlikely((error_code == 7) && !pte_write(*pte))) {
++ /* write attempt to a protected page in user mode */
++ pte_unmap(pte);
++ spin_unlock(&mm->page_table_lock);
++ do_page_fault(regs, error_code, address);
++ return;
++ }
++
++ /*
++ * PaX: fill DTLB with user rights and retry
++ */
++ __asm__ __volatile__ (
++ "orb %2,%1\n"
++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
++/*
++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
++ * page fault when examined during a TLB load attempt. this is true not only
++ * for PTEs holding a non-present entry but also present entries that will
++ * raise a page fault (such as those set up by PaX, or the copy-on-write
++ * mechanism). in effect it means that we do *not* need to flush the TLBs
++ * for our target pages since their PTEs are simply not in the TLBs at all.
++
++ * the best thing in omitting it is that we gain around 15-20% speed in the
++ * fast path of the page fault handler and can get rid of tracing since we
++ * can no longer flush unintended entries.
++ */
++ "invlpg %0\n"
++#endif
++ "testb $0,%0\n"
++ "xorb %3,%1\n"
++ :
++ : "m" (*(char*)address), "m" (*(char*)pte), "q" (pte_mask), "i" (_PAGE_USER)
++ : "memory", "cc");
++ pte_unmap(pte);
++ spin_unlock(&mm->page_table_lock);
++ return;
++}
++#endif
+diff -uNr linux-2.6.6/arch/i386/mm/init.c linux-2.6.6.fixed/arch/i386/mm/init.c
+--- linux-2.6.6/arch/i386/mm/init.c 2004-05-10 04:33:08.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/mm/init.c 2004-05-11 10:55:55.000000000 +0200
+@@ -40,6 +40,7 @@
+ #include <asm/tlb.h>
+ #include <asm/tlbflush.h>
+ #include <asm/sections.h>
++#include <asm/desc.h>
+
+ DEFINE_PER_CPU(struct mmu_gather, mmu_gathers);
+ unsigned long highstart_pfn, highend_pfn;
+@@ -394,6 +395,10 @@
+ #endif
+ __flush_tlb_all();
+
++#ifdef CONFIG_PAX_KERNEXEC
++ memcpy(kernexec_pg_dir, swapper_pg_dir, sizeof(kernexec_pg_dir));
++#endif
++
+ kmap_init();
+ zone_sizes_init();
+ }
+@@ -488,7 +493,7 @@
+ set_highmem_pages_init(bad_ppro);
+
+ codesize = (unsigned long) &_etext - (unsigned long) &_text;
+- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
++ datasize = (unsigned long) &_edata - (unsigned long) &_data;
+ initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
+
+ kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
+@@ -587,6 +592,42 @@
+ totalram_pages++;
+ }
+ printk (KERN_INFO "Freeing unused kernel memory: %dk freed\n", (__init_end - __init_begin) >> 10);
++
++#ifdef CONFIG_PAX_KERNEXEC
++ /* PaX: limit KERNEL_CS to actual size */
++ {
++ unsigned long limit;
++ int cpu;
++ pgd_t *pgd;
++ pmd_t *pmd;
++
++ limit = (unsigned long)&_etext >> PAGE_SHIFT;
++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
++ cpu_gdt_table[cpu][GDT_ENTRY_KERNEL_CS].a = (cpu_gdt_table[cpu][GDT_ENTRY_KERNEL_CS].a & 0xFFFF0000UL) | (limit & 0x0FFFFUL);
++ cpu_gdt_table[cpu][GDT_ENTRY_KERNEL_CS].b = (cpu_gdt_table[cpu][GDT_ENTRY_KERNEL_CS].b & 0xFFF0FFFFUL) | (limit & 0xF0000UL);
++
++#ifdef CONFIG_PCI_BIOS
++ printk(KERN_INFO "PAX: warning, PCI BIOS might still be in use, keeping flat KERNEL_CS.\n");
++#endif
++
++ }
++
++ /* PaX: make KERNEL_CS read-only */
++ for (addr = __KERNEL_TEXT_OFFSET; addr < __KERNEL_TEXT_OFFSET + 0x00400000UL; addr += (1UL << PMD_SHIFT)) {
++ pgd = pgd_offset_k(addr);
++ pmd = pmd_offset(pgd, addr);
++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_GLOBAL));
++ }
++ memcpy(kernexec_pg_dir, swapper_pg_dir, sizeof(kernexec_pg_dir));
++ for (addr = __KERNEL_TEXT_OFFSET; addr < __KERNEL_TEXT_OFFSET + 0x00400000UL; addr += (1UL << PMD_SHIFT)) {
++ pgd = pgd_offset_k(addr);
++ pmd = pmd_offset(pgd, addr);
++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
++ }
++ flush_tlb_all();
++ }
++#endif
++
+ }
+
+ #ifdef CONFIG_BLK_DEV_INITRD
+diff -uNr linux-2.6.6/arch/i386/pci/pcbios.c linux-2.6.6.fixed/arch/i386/pci/pcbios.c
+--- linux-2.6.6/arch/i386/pci/pcbios.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/arch/i386/pci/pcbios.c 2004-05-11 10:55:55.000000000 +0200
+@@ -6,7 +6,7 @@
+ #include <linux/init.h>
+ #include "pci.h"
+ #include "pci-functions.h"
+-
++#include <asm/desc.h>
+
+ /* BIOS32 signature: "_32_" */
+ #define BIOS32_SIGNATURE (('_' << 0) + ('3' << 8) + ('2' << 16) + ('_' << 24))
+@@ -33,6 +33,12 @@
+ * and the PCI BIOS specification.
+ */
+
++#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_PCI_BIOS)
++#define __FLAT_KERNEL_CS 0x20
++#else
++#define __FLAT_KERNEL_CS __KERNEL_CS
++#endif
++
+ union bios32 {
+ struct {
+ unsigned long signature; /* _32_ */
+@@ -55,7 +61,7 @@
+ static struct {
+ unsigned long address;
+ unsigned short segment;
+-} bios32_indirect = { 0, __KERNEL_CS };
++} bios32_indirect = { 0, __FLAT_KERNEL_CS };
+
+ /*
+ * Returns the entry point for the given service, NULL on error
+@@ -96,7 +102,9 @@
+ static struct {
+ unsigned long address;
+ unsigned short segment;
+-} pci_indirect = { 0, __KERNEL_CS };
++} pci_indirect = { 0, __FLAT_KERNEL_CS };
++
++#undef __FLAT_KERNEL_CS
+
+ static int pci_bios_present;
+
+diff -uNr linux-2.6.6/arch/ia64/ia32/binfmt_elf32.c linux-2.6.6.fixed/arch/ia64/ia32/binfmt_elf32.c
+--- linux-2.6.6/arch/ia64/ia32/binfmt_elf32.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/ia32/binfmt_elf32.c 2004-05-11 12:12:42.000000000 +0200
+@@ -41,6 +41,17 @@
+ #undef SET_PERSONALITY
+ #define SET_PERSONALITY(ex, ibcs2) elf32_set_personality()
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) IA32_PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - IA32_PAGE_SHIFT)
++#define PAX_DELTA_EXEC_LSB(tsk) IA32_PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - IA32_PAGE_SHIFT)
++#define PAX_DELTA_STACK_LSB(tsk) IA32_PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - IA32_PAGE_SHIFT)
++#endif
++
+ /* Ugly but avoids duplication */
+ #include "../../../fs/binfmt_elf.c"
+
+@@ -184,8 +195,7 @@
+ mpnt->vm_flags = VM_STACK_FLAGS & ~VM_EXEC;
+ else
+ mpnt->vm_flags = VM_STACK_FLAGS;
+- mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC)?
+- PAGE_COPY_EXEC: PAGE_COPY;
++ mpnt->vm_page_prot = protection_map[VM_STACK_FLAGS & 0x7];
+ mpnt->vm_ops = NULL;
+ mpnt->vm_pgoff = 0;
+ mpnt->vm_file = NULL;
+diff -uNr linux-2.6.6/arch/ia64/ia32/ia32priv.h linux-2.6.6.fixed/arch/ia64/ia32/ia32priv.h
+--- linux-2.6.6/arch/ia64/ia32/ia32priv.h 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/ia32/ia32priv.h 2004-05-11 10:55:55.000000000 +0200
+@@ -295,7 +295,14 @@
+ #define ELF_ARCH EM_386
+
+ #define IA32_PAGE_OFFSET 0xc0000000
+-#define IA32_STACK_TOP IA32_PAGE_OFFSET
++
++#ifdef CONFIG_PAX_RANDUSTACK
++#define __IA32_DELTA_STACK (current->mm->delta_stack)
++#else
++#define __IA32_DELTA_STACK 0UL
++#endif
++
++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
+
+ /*
+ * The system segments (GDT, TSS, LDT) have to be mapped below 4GB so the IA-32 engine can
+diff -uNr linux-2.6.6/arch/ia64/ia32/sys_ia32.c linux-2.6.6.fixed/arch/ia64/ia32/sys_ia32.c
+--- linux-2.6.6/arch/ia64/ia32/sys_ia32.c 2004-05-10 04:32:39.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/ia32/sys_ia32.c 2004-05-11 10:55:55.000000000 +0200
+@@ -475,6 +475,11 @@
+
+ flags = a.flags;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(a.fd);
+@@ -496,6 +501,11 @@
+ struct file *file = NULL;
+ unsigned long retval;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+diff -uNr linux-2.6.6/arch/ia64/kernel/ptrace.c linux-2.6.6.fixed/arch/ia64/kernel/ptrace.c
+--- linux-2.6.6/arch/ia64/kernel/ptrace.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/kernel/ptrace.c 2004-05-11 10:55:55.000000000 +0200
+@@ -17,6 +17,7 @@
+ #include <linux/smp_lock.h>
+ #include <linux/user.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -1314,6 +1315,9 @@
+ if (pid == 1) /* no messing around with init! */
+ goto out_tsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out_tsk;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out_tsk;
+diff -uNr linux-2.6.6/arch/ia64/kernel/sys_ia64.c linux-2.6.6.fixed/arch/ia64/kernel/sys_ia64.c
+--- linux-2.6.6/arch/ia64/kernel/sys_ia64.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/kernel/sys_ia64.c 2004-05-11 10:55:55.000000000 +0200
+@@ -18,6 +18,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/highuid.h>
+ #include <linux/hugetlb.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/shmparam.h>
+ #include <asm/uaccess.h>
+@@ -38,6 +39,13 @@
+ if (REGION_NUMBER(addr) == REGION_HPAGE)
+ addr = 0;
+ #endif
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if ((current->flags & PF_PAX_RANDMMAP) && addr && filp)
++ addr = mm->free_area_cache;
++ else
++#endif
++
+ if (!addr)
+ addr = mm->free_area_cache;
+
+@@ -58,6 +66,13 @@
+ if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
+ if (start_addr != TASK_UNMAPPED_BASE) {
+ /* Start a new search --- just in case we missed some holes. */
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP)
++ addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
++ else
++#endif
++
+ addr = TASK_UNMAPPED_BASE;
+ goto full_search;
+ }
+@@ -185,6 +200,11 @@
+ unsigned long roff;
+ struct file *file = 0;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+@@ -222,6 +242,11 @@
+ goto out;
+ }
+
++ if (gr_handle_mmap(file, prot)) {
++ addr = -EACCES;
++ goto out;
++ }
++
+ down_write(¤t->mm->mmap_sem);
+ addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/arch/ia64/mm/fault.c linux-2.6.6.fixed/arch/ia64/mm/fault.c
+--- linux-2.6.6/arch/ia64/mm/fault.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/ia64/mm/fault.c 2004-05-11 10:55:55.000000000 +0200
+@@ -9,6 +9,7 @@
+ #include <linux/mm.h>
+ #include <linux/smp_lock.h>
+ #include <linux/interrupt.h>
++#include <linux/binfmts.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+@@ -70,6 +71,54 @@
+ return pte_present(pte);
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (regs->cr_iip = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_RANDEXEC
++ int err;
++
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->cr_iip >= current->mm->start_code &&
++ regs->cr_iip < current->mm->end_code)
++ {
++#if 0
++ /* PaX: this needs fixing */
++ if (regs->b0 == regs->cr_iip)
++ return 1;
++#endif
++ regs->cr_iip += current->mm->delta_exec;
++ return 2;
++ }
++ }
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 8; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ void
+ ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
+ {
+@@ -125,9 +174,31 @@
+ | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT)
+ | (((isr >> IA64_ISR_R_BIT) & 1UL) << VM_READ_BIT));
+
+- if ((vma->vm_flags & mask) != mask)
++ if ((vma->vm_flags & mask) != mask) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
++ if (!(current->flags & PF_PAX_PAGEEXEC) || address != regs->cr_iip)
++ goto bad_area;
++
++ up_read(&mm->mmap_sem);
++ switch(pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 2:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->cr_iip, (void*)regs->r12);
++ do_exit(SIGKILL);
++ }
++#endif
++
+ goto bad_area;
+
++ }
++
+ survive:
+ /*
+ * If for any reason at all we couldn't handle the fault, make
+diff -uNr linux-2.6.6/arch/mips/kernel/binfmt_elfn32.c linux-2.6.6.fixed/arch/mips/kernel/binfmt_elfn32.c
+--- linux-2.6.6/arch/mips/kernel/binfmt_elfn32.c 2004-05-10 04:32:39.000000000 +0200
++++ linux-2.6.6.fixed/arch/mips/kernel/binfmt_elfn32.c 2004-05-11 10:55:55.000000000 +0200
+@@ -50,6 +50,17 @@
+ #undef ELF_ET_DYN_BASE
+ #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ #include <asm/processor.h>
+ #include <linux/module.h>
+ #include <linux/config.h>
+diff -uNr linux-2.6.6/arch/mips/kernel/binfmt_elfo32.c linux-2.6.6.fixed/arch/mips/kernel/binfmt_elfo32.c
+--- linux-2.6.6/arch/mips/kernel/binfmt_elfo32.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/mips/kernel/binfmt_elfo32.c 2004-05-11 10:55:55.000000000 +0200
+@@ -52,6 +52,17 @@
+ #undef ELF_ET_DYN_BASE
+ #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ #include <asm/processor.h>
+ #include <linux/module.h>
+ #include <linux/config.h>
+diff -uNr linux-2.6.6/arch/mips/kernel/syscall.c linux-2.6.6.fixed/arch/mips/kernel/syscall.c
+--- linux-2.6.6/arch/mips/kernel/syscall.c 2004-05-10 04:33:12.000000000 +0200
++++ linux-2.6.6.fixed/arch/mips/kernel/syscall.c 2004-05-11 10:55:55.000000000 +0200
+@@ -86,6 +86,11 @@
+ do_color_align = 0;
+ if (filp || (flags & MAP_SHARED))
+ do_color_align = 1;
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(current->flags & PF_PAX_RANDMMAP) || !filp)
++#endif
++
+ if (addr) {
+ if (do_color_align)
+ addr = COLOUR_ALIGN(addr, pgoff);
+@@ -96,6 +101,13 @@
+ (!vmm || addr + len <= vmm->vm_start))
+ return addr;
+ }
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if ((current->flags & PF_PAX_RANDMMAP) && (!addr || filp))
++ addr = TASK_UNMAPPED_BASE + current->mm->delta_mmap;
++ else
++#endif
++
+ addr = TASK_UNMAPPED_BASE;
+ if (do_color_align)
+ addr = COLOUR_ALIGN(addr, pgoff);
+diff -uNr linux-2.6.6/arch/mips/mm/fault.c linux-2.6.6.fixed/arch/mips/mm/fault.c
+--- linux-2.6.6/arch/mips/mm/fault.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/arch/mips/mm/fault.c 2004-05-11 10:55:55.000000000 +0200
+@@ -27,6 +27,24 @@
+ #include <asm/uaccess.h>
+ #include <asm/ptrace.h>
+
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_report_insns(void *pc)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ /*
+ * This routine handles page faults. It determines the address,
+ * and the problem, and then passes it off to one of the appropriate
+diff -uNr linux-2.6.6/arch/parisc/kernel/ptrace.c linux-2.6.6.fixed/arch/parisc/kernel/ptrace.c
+--- linux-2.6.6/arch/parisc/kernel/ptrace.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/arch/parisc/kernel/ptrace.c 2004-05-11 10:55:55.000000000 +0200
+@@ -17,6 +17,7 @@
+ #include <linux/personality.h>
+ #include <linux/security.h>
+ #include <linux/compat.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -114,6 +115,9 @@
+ if (pid == 1) /* no messing around with init! */
+ goto out_tsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out_tsk;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out_tsk;
+diff -uNr linux-2.6.6/arch/parisc/kernel/sys_parisc32.c linux-2.6.6.fixed/arch/parisc/kernel/sys_parisc32.c
+--- linux-2.6.6/arch/parisc/kernel/sys_parisc32.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/parisc/kernel/sys_parisc32.c 2004-05-11 10:55:55.000000000 +0200
+@@ -48,6 +48,8 @@
+ #include <linux/ptrace.h>
+ #include <linux/swap.h>
+ #include <linux/syscalls.h>
++#include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/types.h>
+ #include <asm/uaccess.h>
+@@ -171,6 +173,11 @@
+ struct file *file;
+ int retval;
+ int i;
++#ifdef CONFIG_GRKERNSEC
++ struct file *old_exec_file;
++ struct acl_subject_label *old_acl;
++ struct rlimit old_rlim[RLIM_NLIMITS];
++#endif
+
+ file = open_exec(filename);
+
+@@ -178,7 +185,26 @@
+ if (IS_ERR(file))
+ return retval;
+
++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes, 1);
++
++ if (gr_handle_nproc()) {
++ allow_write_access(file);
++ fput(file);
++ return -EAGAIN;
++ }
++
++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
++ allow_write_access(file);
++ fput(file);
++ return -EACCES;
++ }
++
+ bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
++
++#ifdef CONFIG_PAX_RANDUSTACK
++ bprm.p -= (pax_get_random_long() & ~(sizeof(void *)-1)) & ~PAGE_MASK;
++#endif
++
+ memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0]));
+
+ DBG(("do_execve32(%s, %p, %p, %p)\n", filename, argv, envp, regs));
+@@ -209,11 +235,24 @@
+ if (retval < 0)
+ goto out;
+
++ if (!gr_tpe_allow(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
++ if (gr_check_crash_exec(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
+ retval = copy_strings_kernel(1, &bprm.filename, &bprm);
+ if (retval < 0)
+ goto out;
+
+ bprm.exec = bprm.p;
++
++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
++
+ retval = copy_strings32(bprm.envc, envp, &bprm);
+ if (retval < 0)
+ goto out;
+@@ -222,10 +261,32 @@
+ if (retval < 0)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC
++ old_acl = current->acl;
++ memcpy(old_rlim, current->rlim, sizeof(old_rlim));
++ old_exec_file = current->exec_file;
++ get_file(file);
++ current->exec_file = file;
++#endif
++
++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
++
+ retval = search_binary_handler(&bprm,regs);
+- if (retval >= 0)
++ if (retval >= 0) {
++#ifdef CONFIG_GRKERNSEC
++ if (old_exec_file)
++ fput(old_exec_file);
++#endif
+ /* execve success */
+ return retval;
++ }
++
++#ifdef CONFIG_GRKERNSEC
++ current->acl = old_acl;
++ memcpy(current->rlim, old_rlim, sizeof(old_rlim));
++ fput(current->exec_file);
++ current->exec_file = old_exec_file;
++#endif
+
+ out:
+ /* Something went wrong, return the inode and free the argument pages*/
+diff -uNr linux-2.6.6/arch/parisc/kernel/sys_parisc.c linux-2.6.6.fixed/arch/parisc/kernel/sys_parisc.c
+--- linux-2.6.6/arch/parisc/kernel/sys_parisc.c 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/arch/parisc/kernel/sys_parisc.c 2004-05-11 10:55:55.000000000 +0200
+@@ -31,6 +31,7 @@
+ #include <linux/shm.h>
+ #include <linux/smp_lock.h>
+ #include <linux/syscalls.h>
++#include <linux/grsecurity.h>
+
+ int sys_pipe(int *fildes)
+ {
+@@ -114,6 +115,13 @@
+ {
+ if (len > TASK_SIZE)
+ return -ENOMEM;
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if ((current->flags & PF_PAX_RANDMMAP) && (!addr || filp))
++ addr = TASK_UNMAPPED_BASE + current->mm->delta_mmap;
++ else
++#endif
++
+ if (!addr)
+ addr = TASK_UNMAPPED_BASE;
+
+@@ -131,12 +139,23 @@
+ {
+ struct file * file = NULL;
+ unsigned long error = -EBADF;
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+ if (!file)
+ goto out;
+ }
+
++ if (gr_handle_mmap(file, prot)) {
++ fput(file);
++ return -EACCES;
++ }
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+
+ down_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/arch/parisc/kernel/traps.c linux-2.6.6.fixed/arch/parisc/kernel/traps.c
+--- linux-2.6.6/arch/parisc/kernel/traps.c 2004-05-10 04:33:22.000000000 +0200
++++ linux-2.6.6.fixed/arch/parisc/kernel/traps.c 2004-05-11 10:55:55.000000000 +0200
+@@ -656,9 +656,7 @@
+
+ down_read(¤t->mm->mmap_sem);
+ vma = find_vma(current->mm,regs->iaoq[0]);
+- if (vma && (regs->iaoq[0] >= vma->vm_start)
+- && (vma->vm_flags & VM_EXEC)) {
+-
++ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
+ fault_address = regs->iaoq[0];
+ fault_space = regs->iasq[0];
+
+diff -uNr linux-2.6.6/arch/parisc/mm/fault.c linux-2.6.6.fixed/arch/parisc/mm/fault.c
+--- linux-2.6.6/arch/parisc/mm/fault.c 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/arch/parisc/mm/fault.c 2004-05-11 10:55:56.000000000 +0200
+@@ -16,6 +16,8 @@
+ #include <linux/sched.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
++#include <linux/unistd.h>
++#include <linux/binfmts.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/traps.h>
+@@ -54,7 +56,7 @@
+ static unsigned long
+ parisc_acctyp(unsigned long code, unsigned int inst)
+ {
+- if (code == 6 || code == 16)
++ if (code == 6 || code == 7 || code == 16)
+ return VM_EXEC;
+
+ switch (inst & 0xf0000000) {
+@@ -140,6 +142,139 @@
+ }
+ #endif
+
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when rt_sigreturn trampoline was detected
++ * 3 when unpatched PLT trampoline was detected
++ * 4 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (instruction_pointer(regs) >= current->mm->start_code &&
++ instruction_pointer(regs) < current->mm->end_code)
++ {
++#if 0
++ /* PaX: this needs fixing */
++ if ((regs->gr[2] & ~3UL) == instruction_pointer(regs))
++ return 1;
++#endif
++ regs->iaoq[0] += current->mm->delta_exec;
++ if ((regs->iaoq[1] & ~3UL) >= current->mm->start_code &&
++ (regs->iaoq[1] & ~3UL) < current->mm->end_code)
++ regs->iaoq[1] += current->mm->delta_exec;
++ return 4;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ do { /* PaX: unpatched PLT emulation */
++ unsigned int bl, depwi;
++
++ err = get_user(bl, (unsigned int*)instruction_pointer(regs));
++ err |= get_user(depwi, (unsigned int*)(instruction_pointer(regs)+4));
++
++ if (err)
++ break;
++
++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
++
++ err = get_user(ldw, (unsigned int*)addr);
++ err |= get_user(bv, (unsigned int*)(addr+4));
++ err |= get_user(ldw2, (unsigned int*)(addr+8));
++
++ if (err)
++ break;
++
++ if (ldw == 0x0E801096U &&
++ bv == 0xEAC0C000U &&
++ ldw2 == 0x0E881095U)
++ {
++ unsigned int resolver, map;
++
++ err = get_user(resolver, (unsigned int*)(instruction_pointer(regs)+8));
++ err |= get_user(map, (unsigned int*)(instruction_pointer(regs)+12));
++ if (err)
++ break;
++
++ regs->gr[20] = instruction_pointer(regs)+8;
++ regs->gr[21] = map;
++ regs->gr[22] = resolver;
++ regs->iaoq[0] = resolver | 3UL;
++ regs->iaoq[1] = regs->iaoq[0] + 4;
++ return 3;
++ }
++ }
++ } while (0);
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++
++#ifndef CONFIG_PAX_EMUSIGRT
++ if (!(current->flags & PF_PAX_EMUTRAMP))
++ return 1;
++#endif
++
++ do { /* PaX: rt_sigreturn emulation */
++ unsigned int ldi1, ldi2, bel, nop;
++
++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
++
++ if (err)
++ break;
++
++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
++ ldi2 == 0x3414015AU &&
++ bel == 0xE4008200U &&
++ nop == 0x08000240U)
++ {
++ regs->gr[25] = (ldi1 & 2) >> 1;
++ regs->gr[20] = __NR_rt_sigreturn;
++ regs->gr[31] = regs->iaoq[1] + 16;
++ regs->sr[0] = regs->iasq[1];
++ regs->iaoq[0] = 0x100UL;
++ regs->iaoq[1] = regs->iaoq[0] + 4;
++ regs->iasq[0] = regs->sr[2];
++ regs->iasq[1] = regs->sr[2];
++ return 2;
++ }
++ } while (0);
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ void do_page_fault(struct pt_regs *regs, unsigned long code,
+ unsigned long address)
+ {
+@@ -165,8 +300,38 @@
+
+ acc_type = parisc_acctyp(code,regs->iir);
+
+- if ((vma->vm_flags & acc_type) != acc_type)
++ if ((vma->vm_flags & acc_type) != acc_type) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if ((current->flags & PF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
++ (address & ~3UL) == instruction_pointer(regs))
++ {
++ up_read(&mm->mmap_sem);
++ switch(pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 4:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ case 3:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ case 2:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)instruction_pointer(regs), (void*)regs->gr[30]);
++ do_exit(SIGKILL);
++ }
++#endif
++
+ goto bad_area;
++ }
+
+ /*
+ * If for any reason at all we couldn't handle the fault, make
+diff -uNr linux-2.6.6/arch/ppc/kernel/ptrace.c linux-2.6.6.fixed/arch/ppc/kernel/ptrace.c
+--- linux-2.6.6/arch/ppc/kernel/ptrace.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/arch/ppc/kernel/ptrace.c 2004-05-11 10:55:56.000000000 +0200
+@@ -26,6 +26,7 @@
+ #include <linux/ptrace.h>
+ #include <linux/user.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/page.h>
+@@ -202,6 +203,9 @@
+ if (pid == 1) /* you may not mess with init */
+ goto out_tsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out_tsk;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out_tsk;
+diff -uNr linux-2.6.6/arch/ppc/kernel/syscalls.c linux-2.6.6.fixed/arch/ppc/kernel/syscalls.c
+--- linux-2.6.6/arch/ppc/kernel/syscalls.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/ppc/kernel/syscalls.c 2004-05-11 10:55:56.000000000 +0200
+@@ -36,6 +36,7 @@
+ #include <linux/utsname.h>
+ #include <linux/file.h>
+ #include <linux/unistd.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/ipc.h>
+@@ -165,12 +166,23 @@
+ struct file * file = NULL;
+ int ret = -EBADF;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ if (!(file = fget(fd)))
+ goto out;
+ }
+
++ if (gr_handle_mmap(file, prot)) {
++ fput(file);
++ ret = -EACCES;
++ goto out;
++ }
++
+ down_write(¤t->mm->mmap_sem);
+ ret = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+ up_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/arch/ppc/mm/fault.c linux-2.6.6.fixed/arch/ppc/mm/fault.c
+--- linux-2.6.6/arch/ppc/mm/fault.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/ppc/mm/fault.c 2004-05-11 10:55:56.000000000 +0200
+@@ -28,6 +28,11 @@
+ #include <linux/interrupt.h>
+ #include <linux/highmem.h>
+ #include <linux/module.h>
++#include <linux/slab.h>
++#include <linux/pagemap.h>
++#include <linux/compiler.h>
++#include <linux/binfmts.h>
++#include <linux/unistd.h>
+
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+@@ -56,6 +61,366 @@
+ void do_page_fault(struct pt_regs *, unsigned long, unsigned long);
+ extern int get_pteptr(struct mm_struct *mm, unsigned long addr, pte_t **ptep);
+
++#ifdef CONFIG_PAX_EMUSIGRT
++void pax_syscall_close(struct vm_area_struct * vma)
++{
++ vma->vm_mm->call_syscall = 0UL;
++}
++
++static struct page* pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
++{
++ struct page* page;
++ unsigned int *kaddr;
++
++ page = alloc_page(GFP_HIGHUSER);
++ if (!page)
++ return NOPAGE_OOM;
++
++ kaddr = kmap(page);
++ memset(kaddr, 0, PAGE_SIZE);
++ kaddr[0] = 0x44000002U; /* sc */
++ __flush_dcache_icache(kaddr);
++ kunmap(page);
++ if (type)
++ *type = VM_FAULT_MAJOR;
++ return page;
++}
++
++static struct vm_operations_struct pax_vm_ops = {
++ close: pax_syscall_close,
++ nopage: pax_syscall_nopage,
++};
++
++static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++{
++ vma->vm_mm = current->mm;
++ vma->vm_start = addr;
++ vma->vm_end = addr + PAGE_SIZE;
++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
++ vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
++ vma->vm_ops = &pax_vm_ops;
++ vma->vm_pgoff = 0UL;
++ vma->vm_file = NULL;
++ vma->vm_private_data = NULL;
++ INIT_LIST_HEAD(&vma->shared);
++ insert_vm_struct(current->mm, vma);
++ ++current->mm->total_vm;
++}
++#endif
++
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (regs->nip = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when patched GOT trampoline was detected
++ * 3 when patched PLT trampoline was detected
++ * 4 when unpatched PLT trampoline was detected
++ * 5 when legitimate ET_EXEC was detected
++ * 6 when sigreturn trampoline was detected
++ * 7 when rt_sigreturn trampoline was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->nip >= current->mm->start_code &&
++ regs->nip < current->mm->end_code)
++ {
++ if (regs->link == regs->nip)
++ return 1;
++
++ regs->nip += current->mm->delta_exec;
++ return 5;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ do { /* PaX: patched GOT emulation */
++ unsigned int blrl;
++
++ err = get_user(blrl, (unsigned int*)regs->nip);
++
++ if (!err && blrl == 0x4E800021U) {
++ unsigned long temp = regs->nip;
++
++ regs->nip = regs->link & 0xFFFFFFFCUL;
++ regs->link = temp + 4UL;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: patched PLT emulation #1 */
++ unsigned int b;
++
++ err = get_user(b, (unsigned int *)regs->nip);
++
++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
++ return 3;
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation #1 */
++ unsigned int li, b;
++
++ err = get_user(li, (unsigned int *)regs->nip);
++ err |= get_user(b, (unsigned int *)(regs->nip+4));
++
++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
++ unsigned long addr = b | 0xFC000000UL;
++
++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
++ err = get_user(rlwinm, (unsigned int*)addr);
++ err |= get_user(add, (unsigned int*)(addr+4));
++ err |= get_user(li2, (unsigned int*)(addr+8));
++ err |= get_user(addis2, (unsigned int*)(addr+12));
++ err |= get_user(mtctr, (unsigned int*)(addr+16));
++ err |= get_user(li3, (unsigned int*)(addr+20));
++ err |= get_user(addis3, (unsigned int*)(addr+24));
++ err |= get_user(bctr, (unsigned int*)(addr+28));
++
++ if (err)
++ break;
++
++ if (rlwinm == 0x556C083CU &&
++ add == 0x7D6C5A14U &&
++ (li2 & 0xFFFF0000U) == 0x39800000U &&
++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
++ mtctr == 0x7D8903A6U &&
++ (li3 & 0xFFFF0000U) == 0x39800000U &&
++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
++ bctr == 0x4E800420U)
++ {
++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->ctr += (addis2 & 0xFFFFU) << 16;
++ regs->nip = regs->ctr;
++ return 4;
++ }
++ }
++ } while (0);
++
++#if 0
++ do { /* PaX: unpatched PLT emulation #2 */
++ unsigned int lis, lwzu, b, bctr;
++
++ err = get_user(lis, (unsigned int *)regs->nip);
++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
++ err |= get_user(b, (unsigned int *)(regs->nip+8));
++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
++
++ if (err)
++ break;
++
++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
++ (lwzu & 0xU) == 0xU &&
++ (b & 0xFC000003U) == 0x48000000U &&
++ bctr == 0x4E800420U)
++ {
++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
++ unsigned long addr = b | 0xFC000000UL;
++
++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
++ err = get_user(addis, (unsigned int*)addr);
++ err |= get_user(addi, (unsigned int*)(addr+4));
++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
++ err |= get_user(add, (unsigned int*)(addr+12));
++ err |= get_user(li2, (unsigned int*)(addr+16));
++ err |= get_user(addis2, (unsigned int*)(addr+20));
++ err |= get_user(mtctr, (unsigned int*)(addr+24));
++ err |= get_user(li3, (unsigned int*)(addr+28));
++ err |= get_user(addis3, (unsigned int*)(addr+32));
++ err |= get_user(bctr, (unsigned int*)(addr+36));
++
++ if (err)
++ break;
++
++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
++ (addi & 0xFFFF0000U) == 0x396B0000U &&
++ rlwinm == 0x556C083CU &&
++ add == 0x7D6C5A14U &&
++ (li2 & 0xFFFF0000U) == 0x39800000U &&
++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
++ mtctr == 0x7D8903A6U &&
++ (li3 & 0xFFFF0000U) == 0x39800000U &&
++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
++ bctr == 0x4E800420U)
++ {
++ regs->gpr[PT_R11] =
++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ regs->ctr += (addis2 & 0xFFFFU) << 16;
++ regs->nip = regs->ctr;
++ return 4;
++ }
++ }
++ } while (0);
++#endif
++
++ do { /* PaX: unpatched PLT emulation #3 */
++ unsigned int li, b;
++
++ err = get_user(li, (unsigned int *)regs->nip);
++ err |= get_user(b, (unsigned int *)(regs->nip+4));
++
++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
++ unsigned int addis, lwz, mtctr, bctr;
++ unsigned long addr = b | 0xFC000000UL;
++
++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
++ err = get_user(addis, (unsigned int*)addr);
++ err |= get_user(lwz, (unsigned int*)(addr+4));
++ err |= get_user(mtctr, (unsigned int*)(addr+8));
++ err |= get_user(bctr, (unsigned int*)(addr+12));
++
++ if (err)
++ break;
++
++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
++ mtctr == 0x7D6903A6U &&
++ bctr == 0x4E800420U)
++ {
++ unsigned int r11;
++
++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
++
++ err = get_user(r11, (unsigned int*)addr);
++ if (err)
++ break;
++
++ regs->gpr[PT_R11] = r11;
++ regs->ctr = r11;
++ regs->nip = r11;
++ return 4;
++ }
++ }
++ } while (0);
++#endif
++
++#ifdef CONFIG_PAX_EMUSIGRT
++ do { /* PaX: sigreturn emulation */
++ unsigned int li, sc;
++
++ err = get_user(li, (unsigned int *)regs->nip);
++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
++
++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
++ struct vm_area_struct *vma;
++ unsigned long call_syscall;
++
++ down_read(¤t->mm->mmap_sem);
++ call_syscall = current->mm->call_syscall;
++ up_read(¤t->mm->mmap_sem);
++ if (likely(call_syscall))
++ goto emulate;
++
++ vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
++
++ down_write(¤t->mm->mmap_sem);
++ if (current->mm->call_syscall) {
++ call_syscall = current->mm->call_syscall;
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ goto emulate;
++ }
++
++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
++ if (!vma || (call_syscall & ~PAGE_MASK)) {
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ return 1;
++ }
++
++ pax_insert_vma(vma, call_syscall);
++ current->mm->call_syscall = call_syscall;
++ up_write(¤t->mm->mmap_sem);
++
++emulate:
++ regs->gpr[PT_R0] = __NR_sigreturn;
++ regs->nip = call_syscall;
++ return 6;
++ }
++ } while (0);
++
++ do { /* PaX: rt_sigreturn emulation */
++ unsigned int li, sc;
++
++ err = get_user(li, (unsigned int *)regs->nip);
++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
++
++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
++ struct vm_area_struct *vma;
++ unsigned int call_syscall;
++
++ down_read(¤t->mm->mmap_sem);
++ call_syscall = current->mm->call_syscall;
++ up_read(¤t->mm->mmap_sem);
++ if (likely(call_syscall))
++ goto rt_emulate;
++
++ vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
++
++ down_write(¤t->mm->mmap_sem);
++ if (current->mm->call_syscall) {
++ call_syscall = current->mm->call_syscall;
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ goto rt_emulate;
++ }
++
++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
++ if (!vma || (call_syscall & ~PAGE_MASK)) {
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ return 1;
++ }
++
++ pax_insert_vma(vma, call_syscall);
++ current->mm->call_syscall = call_syscall;
++ up_write(¤t->mm->mmap_sem);
++
++rt_emulate:
++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
++ regs->nip = call_syscall;
++ return 7;
++ }
++ } while (0);
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ /*
+ * Check whether the instruction at regs->nip is a store using
+ * an update addressing form which will update r1.
+@@ -116,7 +481,7 @@
+ * indicate errors in DSISR but can validly be set in SRR1.
+ */
+ if (TRAP(regs) == 0x400)
+- error_code &= 0x48200000;
++ error_code &= 0x58200000;
+ else
+ is_write = error_code & 0x02000000;
+ #endif /* CONFIG_4xx */
+@@ -211,15 +576,14 @@
+ } else if (TRAP(regs) == 0x400) {
+ pte_t *ptep;
+
+-#if 0
++#if 1
+ /* It would be nice to actually enforce the VM execute
+ permission on CPUs which can do so, but far too
+ much stuff in userspace doesn't get the permissions
+ right, so we let any page be executed for now. */
+ if (! (vma->vm_flags & VM_EXEC))
+ goto bad_area;
+-#endif
+-
++#else
+ /* Since 4xx supports per-page execute permission,
+ * we lazily flush dcache to icache. */
+ ptep = NULL;
+@@ -240,6 +604,7 @@
+ if (ptep != NULL)
+ pte_unmap(ptep);
+ #endif
++#endif
+ /* a read */
+ } else {
+ /* protection fault */
+@@ -285,6 +650,38 @@
+
+ /* User mode accesses cause a SIGSEGV */
+ if (user_mode(regs)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (current->flags & PF_PAX_PAGEEXEC) {
++ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
++ switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++ case 2:
++ case 3:
++ case 4:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 5:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_EMUSIGRT
++ case 6:
++ case 7:
++ return;
++#endif
++
++ }
++
++ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[1]);
++ do_exit(SIGKILL);
++ }
++ }
++#endif
++
+ info.si_signo = SIGSEGV;
+ info.si_errno = 0;
+ info.si_code = code;
+diff -uNr linux-2.6.6/arch/sparc/kernel/ptrace.c linux-2.6.6.fixed/arch/sparc/kernel/ptrace.c
+--- linux-2.6.6/arch/sparc/kernel/ptrace.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/kernel/ptrace.c 2004-05-11 10:55:56.000000000 +0200
+@@ -18,6 +18,7 @@
+ #include <linux/smp.h>
+ #include <linux/smp_lock.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/system.h>
+@@ -320,6 +321,11 @@
+ goto out;
+ }
+
++ if (gr_handle_ptrace(child, request)) {
++ pt_error_return(regs, EPERM);
++ goto out_tsk;
++ }
++
+ if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
+ || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
+ if (ptrace_attach(child)) {
+diff -uNr linux-2.6.6/arch/sparc/kernel/sys_sparc.c linux-2.6.6.fixed/arch/sparc/kernel/sys_sparc.c
+--- linux-2.6.6/arch/sparc/kernel/sys_sparc.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/kernel/sys_sparc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -21,6 +21,7 @@
+ #include <linux/utsname.h>
+ #include <linux/smp.h>
+ #include <linux/smp_lock.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/ipc.h>
+@@ -55,6 +56,13 @@
+ return -ENOMEM;
+ if (ARCH_SUN4C_SUN4 && len > 0x20000000)
+ return -ENOMEM;
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if ((current->flags & PF_PAX_RANDMMAP) && (!addr || filp))
++ addr = TASK_UNMAPPED_BASE + current->mm->delta_mmap;
++ else
++#endif
++
+ if (!addr)
+ addr = TASK_UNMAPPED_BASE;
+
+@@ -224,6 +232,11 @@
+ struct file * file = NULL;
+ unsigned long retval = -EBADF;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+ if (!file)
+@@ -242,6 +255,12 @@
+ if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
+ goto out_putf;
+
++ if (gr_handle_mmap(file, prot)) {
++ fput(file);
++ retval = -EACCES;
++ goto out;
++ }
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+
+ down_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/arch/sparc/kernel/sys_sunos.c linux-2.6.6.fixed/arch/sparc/kernel/sys_sunos.c
+--- linux-2.6.6/arch/sparc/kernel/sys_sunos.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/kernel/sys_sunos.c 2004-05-11 10:55:56.000000000 +0200
+@@ -71,6 +71,11 @@
+ struct file * file = NULL;
+ unsigned long retval, ret_type;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if(flags & MAP_NORESERVE) {
+ static int cnt;
+ if (cnt++ < 10)
+diff -uNr linux-2.6.6/arch/sparc/mm/fault.c linux-2.6.6.fixed/arch/sparc/mm/fault.c
+--- linux-2.6.6/arch/sparc/mm/fault.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/mm/fault.c 2004-05-11 10:55:56.000000000 +0200
+@@ -21,6 +21,10 @@
+ #include <linux/smp_lock.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
++#include <linux/slab.h>
++#include <linux/pagemap.h>
++#include <linux/compiler.h>
++#include <linux/binfmts.h>
+
+ #include <asm/system.h>
+ #include <asm/segment.h>
+@@ -201,6 +205,272 @@
+ return 0;
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_emuplt_close(struct vm_area_struct * vma)
++{
++ vma->vm_mm->call_dl_resolve = 0UL;
++}
++
++static struct page* pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
++{
++ struct page* page;
++ unsigned int *kaddr;
++
++ page = alloc_page(GFP_HIGHUSER);
++ if (!page)
++ return NOPAGE_OOM;
++
++ kaddr = kmap(page);
++ memset(kaddr, 0, PAGE_SIZE);
++ kaddr[0] = 0x9DE3BFA8U; /* save */
++ flush_dcache_page(page);
++ kunmap(page);
++ if (type)
++ *type = VM_FAULT_MAJOR;
++
++ return page;
++}
++
++static struct vm_operations_struct pax_vm_ops = {
++ close: pax_emuplt_close,
++ nopage: pax_emuplt_nopage,
++};
++
++static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++{
++ vma->vm_mm = current->mm;
++ vma->vm_start = addr;
++ vma->vm_end = addr + PAGE_SIZE;
++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
++ vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
++ vma->vm_ops = &pax_vm_ops;
++ vma->vm_pgoff = 0UL;
++ vma->vm_file = NULL;
++ vma->vm_private_data = NULL;
++ INIT_LIST_HEAD(&vma->shared);
++ insert_vm_struct(current->mm, vma);
++ ++current->mm->total_vm;
++}
++
++/*
++ * PaX: decide what to do with offenders (regs->pc = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when patched PLT trampoline was detected
++ * 3 when unpatched PLT trampoline was detected
++ * 4 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUPLT
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->pc >= current->mm->start_code &&
++ regs->pc < current->mm->end_code)
++ {
++ if (regs->u_regs[UREG_RETPC] + 8UL == regs->pc)
++ return 1;
++
++ regs->pc += current->mm->delta_exec;
++ if (regs->npc >= current->mm->start_code &&
++ regs->npc < current->mm->end_code)
++ regs->npc += current->mm->delta_exec;
++ return 4;
++ }
++ if (regs->pc >= current->mm->start_code + current->mm->delta_exec &&
++ regs->pc < current->mm->end_code + current->mm->delta_exec)
++ {
++ regs->pc -= current->mm->delta_exec;
++ if (regs->npc >= current->mm->start_code + current->mm->delta_exec &&
++ regs->npc < current->mm->end_code + current->mm->delta_exec)
++ regs->npc -= current->mm->delta_exec;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ do { /* PaX: patched PLT emulation #1 */
++ unsigned int sethi1, sethi2, jmpl;
++
++ err = get_user(sethi1, (unsigned int*)regs->pc);
++ err |= get_user(sethi2, (unsigned int*)(regs->pc+4));
++ err |= get_user(jmpl, (unsigned int*)(regs->pc+8));
++
++ if (err)
++ break;
++
++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
++ {
++ unsigned int addr;
++
++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
++ addr = regs->u_regs[UREG_G1];
++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
++ regs->pc = addr;
++ regs->npc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ { /* PaX: patched PLT emulation #2 */
++ unsigned int ba;
++
++ err = get_user(ba, (unsigned int*)regs->pc);
++
++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
++ unsigned int addr;
++
++ addr = regs->pc + 4 + (((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U);
++ regs->pc = addr;
++ regs->npc = addr+4;
++ return 2;
++ }
++ }
++
++ do { /* PaX: patched PLT emulation #3 */
++ unsigned int sethi, jmpl, nop;
++
++ err = get_user(sethi, (unsigned int*)regs->pc);
++ err |= get_user(jmpl, (unsigned int*)(regs->pc+4));
++ err |= get_user(nop, (unsigned int*)(regs->pc+8));
++
++ if (err)
++ break;
++
++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
++ nop == 0x01000000U)
++ {
++ unsigned int addr;
++
++ addr = (sethi & 0x003FFFFFU) << 10;
++ regs->u_regs[UREG_G1] = addr;
++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
++ regs->pc = addr;
++ regs->npc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation step 1 */
++ unsigned int sethi, ba, nop;
++
++ err = get_user(sethi, (unsigned int*)regs->pc);
++ err |= get_user(ba, (unsigned int*)(regs->pc+4));
++ err |= get_user(nop, (unsigned int*)(regs->pc+8));
++
++ if (err)
++ break;
++
++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
++ nop == 0x01000000U)
++ {
++ unsigned int addr, save, call;
++
++ if ((ba & 0xFFC00000U) == 0x30800000U)
++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
++ else
++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
++
++ err = get_user(save, (unsigned int*)addr);
++ err |= get_user(call, (unsigned int*)(addr+4));
++ err |= get_user(nop, (unsigned int*)(addr+8));
++ if (err)
++ break;
++
++ if (save == 0x9DE3BFA8U &&
++ (call & 0xC0000000U) == 0x40000000U &&
++ nop == 0x01000000U)
++ {
++ struct vm_area_struct *vma;
++ unsigned long call_dl_resolve;
++
++ down_read(¤t->mm->mmap_sem);
++ call_dl_resolve = current->mm->call_dl_resolve;
++ up_read(¤t->mm->mmap_sem);
++ if (likely(call_dl_resolve))
++ goto emulate;
++
++ vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
++
++ down_write(¤t->mm->mmap_sem);
++ if (current->mm->call_dl_resolve) {
++ call_dl_resolve = current->mm->call_dl_resolve;
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ goto emulate;
++ }
++
++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ return 1;
++ }
++
++ pax_insert_vma(vma, call_dl_resolve);
++ current->mm->call_dl_resolve = call_dl_resolve;
++ up_write(¤t->mm->mmap_sem);
++
++emulate:
++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
++ regs->pc = call_dl_resolve;
++ regs->npc = addr+4;
++ return 3;
++ }
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation step 2 */
++ unsigned int save, call, nop;
++
++ err = get_user(save, (unsigned int*)(regs->pc-4));
++ err |= get_user(call, (unsigned int*)regs->pc);
++ err |= get_user(nop, (unsigned int*)(regs->pc+4));
++ if (err)
++ break;
++
++ if (save == 0x9DE3BFA8U &&
++ (call & 0xC0000000U) == 0x40000000U &&
++ nop == 0x01000000U)
++ {
++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
++
++ regs->u_regs[UREG_RETPC] = regs->pc;
++ regs->pc = dl_resolve;
++ regs->npc = dl_resolve+4;
++ return 3;
++ }
++ } while (0);
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
+ unsigned long address)
+ {
+@@ -264,6 +534,29 @@
+ if(!(vma->vm_flags & VM_WRITE))
+ goto bad_area;
+ } else {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if ((current->flags & PF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
++ up_read(&mm->mmap_sem);
++ switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++ case 2:
++ case 3:
++ return;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 4:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->pc, (void*)regs->u_regs[UREG_FP]);
++ do_exit(SIGKILL);
++ }
++#endif
++
+ /* Allow reads even for write-only mappings */
+ if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
+ goto bad_area;
+diff -uNr linux-2.6.6/arch/sparc/mm/init.c linux-2.6.6.fixed/arch/sparc/mm/init.c
+--- linux-2.6.6/arch/sparc/mm/init.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/mm/init.c 2004-05-11 10:55:56.000000000 +0200
+@@ -337,17 +337,17 @@
+
+ /* Initialize the protection map with non-constant, MMU dependent values. */
+ protection_map[0] = PAGE_NONE;
+- protection_map[1] = PAGE_READONLY;
+- protection_map[2] = PAGE_COPY;
+- protection_map[3] = PAGE_COPY;
++ protection_map[1] = PAGE_READONLY_NOEXEC;
++ protection_map[2] = PAGE_COPY_NOEXEC;
++ protection_map[3] = PAGE_COPY_NOEXEC;
+ protection_map[4] = PAGE_READONLY;
+ protection_map[5] = PAGE_READONLY;
+ protection_map[6] = PAGE_COPY;
+ protection_map[7] = PAGE_COPY;
+ protection_map[8] = PAGE_NONE;
+- protection_map[9] = PAGE_READONLY;
+- protection_map[10] = PAGE_SHARED;
+- protection_map[11] = PAGE_SHARED;
++ protection_map[9] = PAGE_READONLY_NOEXEC;
++ protection_map[10] = PAGE_SHARED_NOEXEC;
++ protection_map[11] = PAGE_SHARED_NOEXEC;
+ protection_map[12] = PAGE_READONLY;
+ protection_map[13] = PAGE_READONLY;
+ protection_map[14] = PAGE_SHARED;
+diff -uNr linux-2.6.6/arch/sparc/mm/srmmu.c linux-2.6.6.fixed/arch/sparc/mm/srmmu.c
+--- linux-2.6.6/arch/sparc/mm/srmmu.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc/mm/srmmu.c 2004-05-11 10:55:56.000000000 +0200
+@@ -2155,6 +2155,13 @@
+ BTFIXUPSET_INT(page_shared, pgprot_val(SRMMU_PAGE_SHARED));
+ BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
+ BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ BTFIXUPSET_INT(page_shared_noexec, pgprot_val(SRMMU_PAGE_SHARED_NOEXEC));
++ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
++ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
++#endif
++
+ BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
+ page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
+ pg_iobits = SRMMU_VALID | SRMMU_WRITE | SRMMU_REF;
+diff -uNr linux-2.6.6/arch/sparc64/kernel/itlb_base.S linux-2.6.6.fixed/arch/sparc64/kernel/itlb_base.S
+--- linux-2.6.6/arch/sparc64/kernel/itlb_base.S 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/kernel/itlb_base.S 2004-05-11 10:55:56.000000000 +0200
+@@ -41,7 +41,9 @@
+ CREATE_VPTE_OFFSET2(%g4, %g6) ! Create VPTE offset
+ ldxa [%g3 + %g6] ASI_P, %g5 ! Load VPTE
+ 1: brgez,pn %g5, 3f ! Not valid, branch out
+- nop ! Delay-slot
++ and %g5, _PAGE_EXEC, %g4
++ brz,pn %g4, 3f ! Not executable, branch out
++ nop ! Delay-slot
+ 2: stxa %g5, [%g0] ASI_ITLB_DATA_IN ! Load PTE into TLB
+ retry ! Trap return
+ 3: rdpr %pstate, %g4 ! Move into alternate globals
+@@ -74,8 +76,6 @@
+ nop
+ nop
+ nop
+- nop
+- nop
+ CREATE_VPTE_NOP
+
+ #undef CREATE_VPTE_OFFSET1
+diff -uNr linux-2.6.6/arch/sparc64/kernel/ptrace.c linux-2.6.6.fixed/arch/sparc64/kernel/ptrace.c
+--- linux-2.6.6/arch/sparc64/kernel/ptrace.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/kernel/ptrace.c 2004-05-11 10:55:56.000000000 +0200
+@@ -19,6 +19,7 @@
+ #include <linux/smp.h>
+ #include <linux/smp_lock.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/asi.h>
+ #include <asm/pgtable.h>
+@@ -169,6 +170,11 @@
+ goto out;
+ }
+
++ if (gr_handle_ptrace(child, (long)request)) {
++ pt_error_return(regs, EPERM);
++ goto out_tsk;
++ }
++
+ if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
+ || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
+ if (ptrace_attach(child)) {
+diff -uNr linux-2.6.6/arch/sparc64/kernel/sys_sparc32.c linux-2.6.6.fixed/arch/sparc64/kernel/sys_sparc32.c
+--- linux-2.6.6/arch/sparc64/kernel/sys_sparc32.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/kernel/sys_sparc32.c 2004-05-11 10:55:56.000000000 +0200
+@@ -54,6 +54,8 @@
+ #include <linux/netfilter_ipv4/ip_tables.h>
+ #include <linux/ptrace.h>
+ #include <linux/highuid.h>
++#include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/types.h>
+ #include <asm/ipc.h>
+@@ -1759,6 +1761,11 @@
+ struct file * file;
+ int retval;
+ int i;
++#ifdef CONFIG_GRKERNSEC
++ struct file *old_exec_file;
++ struct acl_subject_label *old_acl;
++ struct rlimit old_rlim[RLIM_NLIMITS];
++#endif
+
+ sched_balance_exec();
+
+@@ -1768,7 +1775,26 @@
+ if (IS_ERR(file))
+ return retval;
+
++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes), 1);
++
++ if (gr_handle_nproc()) {
++ allow_write_access(file);
++ fput(file);
++ return -EAGAIN;
++ }
++
++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
++ allow_write_access(file);
++ fput(file);
++ return -EACCES;
++ }
++
+ bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
++
++#ifdef CONFIG_PAX_RANDUSTACK
++ bprm.p -= (pax_get_random_long() & ~(sizeof(void *)-1)) & ~PAGE_MASK;
++#endif
++
+ memset(bprm.page, 0, MAX_ARG_PAGES * sizeof(bprm.page[0]));
+
+ bprm.file = file;
+@@ -1803,11 +1829,24 @@
+ if (retval < 0)
+ goto out;
+
++ if (!gr_tpe_allow(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
++ if (gr_check_crash_exec(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
+ retval = copy_strings_kernel(1, &bprm.filename, &bprm);
+ if (retval < 0)
+ goto out;
+
+ bprm.exec = bprm.p;
++
++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
++
+ retval = copy_strings32(bprm.envc, envp, &bprm);
+ if (retval < 0)
+ goto out;
+@@ -1816,13 +1855,34 @@
+ if (retval < 0)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC
++ old_acl = current->acl;
++ memcpy(old_rlim, current->rlim, sizeof(old_rlim));
++ old_exec_file = current->exec_file;
++ get_file(file);
++ current->exec_file = file;
++#endif
++
++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
++
+ retval = search_binary_handler(&bprm, regs);
+ if (retval >= 0) {
+ /* execve success */
++#ifdef CONFIG_GRKERNSEC
++ if (old_exec_file)
++ fput(old_exec_file);
++#endif
+ security_bprm_free(&bprm);
+ return retval;
+ }
+
++#ifdef CONFIG_GRKERNSEC
++ current->acl = old_acl;
++ memcpy(current->rlim, old_rlim, sizeof(old_rlim));
++ fput(current->exec_file);
++ current->exec_file = old_exec_file;
++#endif
++
+ out:
+ /* Something went wrong, return the inode and free the argument pages*/
+ for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
+diff -uNr linux-2.6.6/arch/sparc64/kernel/sys_sparc.c linux-2.6.6.fixed/arch/sparc64/kernel/sys_sparc.c
+--- linux-2.6.6/arch/sparc64/kernel/sys_sparc.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/kernel/sys_sparc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -25,6 +25,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/ipc.h>
+ #include <linux/personality.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/ipc.h>
+@@ -72,6 +73,10 @@
+ if (filp || (flags & MAP_SHARED))
+ do_color_align = 1;
+
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(current->flags & PF_PAX_RANDMMAP) || !filp)
++#endif
++
+ if (addr) {
+ if (do_color_align)
+ addr = COLOUR_ALIGN(addr, pgoff);
+@@ -102,6 +107,13 @@
+ }
+ if (task_size < addr) {
+ if (start_addr != TASK_UNMAPPED_BASE) {
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP)
++ start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
++ else
++#endif
++
+ start_addr = addr = TASK_UNMAPPED_BASE;
+ goto full_search;
+ }
+@@ -311,11 +323,22 @@
+ struct file * file = NULL;
+ unsigned long retval = -EBADF;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+ if (!file)
+ goto out;
+ }
++
++ if (gr_handle_mmap(file, prot)) {
++ retval = -EACCES;
++ goto out_putf;
++ }
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ len = PAGE_ALIGN(len);
+ retval = -EINVAL;
+diff -uNr linux-2.6.6/arch/sparc64/kernel/sys_sunos32.c linux-2.6.6.fixed/arch/sparc64/kernel/sys_sunos32.c
+--- linux-2.6.6/arch/sparc64/kernel/sys_sunos32.c 2004-05-10 04:32:51.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/kernel/sys_sunos32.c 2004-05-11 10:55:56.000000000 +0200
+@@ -75,6 +75,11 @@
+ struct file *file = NULL;
+ unsigned long retval, ret_type;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if (flags & MAP_NORESERVE) {
+ static int cnt;
+ if (cnt++ < 10)
+diff -uNr linux-2.6.6/arch/sparc64/mm/fault.c linux-2.6.6.fixed/arch/sparc64/mm/fault.c
+--- linux-2.6.6/arch/sparc64/mm/fault.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/mm/fault.c 2004-05-11 10:55:56.000000000 +0200
+@@ -18,6 +18,10 @@
+ #include <linux/smp_lock.h>
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
++#include <linux/slab.h>
++#include <linux/pagemap.h>
++#include <linux/compiler.h>
++#include <linux/binfmts.h>
+
+ #include <asm/page.h>
+ #include <asm/pgtable.h>
+@@ -303,6 +307,364 @@
+ unhandled_fault (address, current, regs);
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_EMUPLT
++static void pax_emuplt_close(struct vm_area_struct * vma)
++{
++ vma->vm_mm->call_dl_resolve = 0UL;
++}
++
++static struct page* pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
++{
++ struct page* page;
++ unsigned int *kaddr;
++
++ page = alloc_page(GFP_HIGHUSER);
++ if (!page)
++ return NOPAGE_OOM;
++
++ kaddr = kmap(page);
++ memset(kaddr, 0, PAGE_SIZE);
++ kaddr[0] = 0x9DE3BFA8U; /* save */
++ flush_dcache_page(page);
++ kunmap(page);
++ if (type)
++ *type = VM_FAULT_MAJOR;
++ return page;
++}
++
++static struct vm_operations_struct pax_vm_ops = {
++ close: pax_emuplt_close,
++ nopage: pax_emuplt_nopage,
++};
++
++static void pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
++{
++ vma->vm_mm = current->mm;
++ vma->vm_start = addr;
++ vma->vm_end = addr + PAGE_SIZE;
++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
++ vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
++ vma->vm_ops = &pax_vm_ops;
++ vma->vm_pgoff = 0UL;
++ vma->vm_file = NULL;
++ vma->vm_private_data = NULL;
++ INIT_LIST_HEAD(&vma->shared);
++ insert_vm_struct(current->mm, vma);
++ ++current->mm->total_vm;
++}
++#endif
++
++/*
++ * PaX: decide what to do with offenders (regs->tpc = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when patched PLT trampoline was detected
++ * 3 when unpatched PLT trampoline was detected
++ * 4 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUPLT
++ int err;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->tpc >= current->mm->start_code &&
++ regs->tpc < current->mm->end_code)
++ {
++ if (regs->u_regs[UREG_RETPC] + 8UL == regs->tpc)
++ return 1;
++
++ regs->tpc += current->mm->delta_exec;
++ if (regs->tnpc >= current->mm->start_code &&
++ regs->tnpc < current->mm->end_code)
++ regs->tnpc += current->mm->delta_exec;
++ return 4;
++ }
++ if (regs->tpc >= current->mm->start_code + current->mm->delta_exec &&
++ regs->tpc < current->mm->end_code + current->mm->delta_exec)
++ {
++ regs->tpc -= current->mm->delta_exec;
++ if (regs->tnpc >= current->mm->start_code + current->mm->delta_exec &&
++ regs->tnpc < current->mm->end_code + current->mm->delta_exec)
++ regs->tnpc -= current->mm->delta_exec;
++ }
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUPLT
++ do { /* PaX: patched PLT emulation #1 */
++ unsigned int sethi1, sethi2, jmpl;
++
++ err = get_user(sethi1, (unsigned int*)regs->tpc);
++ err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
++ err |= get_user(jmpl, (unsigned int*)(regs->tpc+8));
++
++ if (err)
++ break;
++
++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
++ {
++ unsigned long addr;
++
++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
++ addr = regs->u_regs[UREG_G1];
++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ { /* PaX: patched PLT emulation #2 */
++ unsigned int ba;
++
++ err = get_user(ba, (unsigned int*)regs->tpc);
++
++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
++ unsigned long addr;
++
++ addr = regs->tpc + 4 + (((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL);
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ }
++
++ do { /* PaX: patched PLT emulation #3 */
++ unsigned int sethi, jmpl, nop;
++
++ err = get_user(sethi, (unsigned int*)regs->tpc);
++ err |= get_user(jmpl, (unsigned int*)(regs->tpc+4));
++ err |= get_user(nop, (unsigned int*)(regs->tpc+8));
++
++ if (err)
++ break;
++
++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
++ nop == 0x01000000U)
++ {
++ unsigned long addr;
++
++ addr = (sethi & 0x003FFFFFU) << 10;
++ regs->u_regs[UREG_G1] = addr;
++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: patched PLT emulation #4 */
++ unsigned int mov1, call, mov2;
++
++ err = get_user(mov1, (unsigned int*)regs->tpc);
++ err |= get_user(call, (unsigned int*)(regs->tpc+4));
++ err |= get_user(mov2, (unsigned int*)(regs->tpc+8));
++
++ if (err)
++ break;
++
++ if (mov1 == 0x8210000FU &&
++ (call & 0xC0000000U) == 0x40000000U &&
++ mov2 == 0x9E100001U)
++ {
++ unsigned long addr;
++
++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: patched PLT emulation #5 */
++ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
++
++ err = get_user(sethi1, (unsigned int*)regs->tpc);
++ err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
++ err |= get_user(or1, (unsigned int*)(regs->tpc+8));
++ err |= get_user(or2, (unsigned int*)(regs->tpc+12));
++ err |= get_user(sllx, (unsigned int*)(regs->tpc+16));
++ err |= get_user(jmpl, (unsigned int*)(regs->tpc+20));
++ err |= get_user(nop, (unsigned int*)(regs->tpc+24));
++
++ if (err)
++ break;
++
++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
++ (or1 & 0xFFFFE000U) == 0x82106000U &&
++ (or2 & 0xFFFFE000U) == 0x8A116000U &&
++ sllx == 0x83287020 &&
++ jmpl == 0x81C04005U &&
++ nop == 0x01000000U)
++ {
++ unsigned long addr;
++
++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
++ regs->u_regs[UREG_G1] <<= 32;
++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: patched PLT emulation #6 */
++ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
++
++ err = get_user(sethi1, (unsigned int*)regs->tpc);
++ err |= get_user(sethi2, (unsigned int*)(regs->tpc+4));
++ err |= get_user(sllx, (unsigned int*)(regs->tpc+8));
++ err |= get_user(or, (unsigned int*)(regs->tpc+12));
++ err |= get_user(jmpl, (unsigned int*)(regs->tpc+16));
++ err |= get_user(nop, (unsigned int*)(regs->tpc+20));
++
++ if (err)
++ break;
++
++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
++ sllx == 0x83287020 &&
++ (or & 0xFFFFE000U) == 0x8A116000U &&
++ jmpl == 0x81C04005U &&
++ nop == 0x01000000U)
++ {
++ unsigned long addr;
++
++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
++ regs->u_regs[UREG_G1] <<= 32;
++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
++ regs->tpc = addr;
++ regs->tnpc = addr+4;
++ return 2;
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation step 1 */
++ unsigned int sethi, ba, nop;
++
++ err = get_user(sethi, (unsigned int*)regs->tpc);
++ err |= get_user(ba, (unsigned int*)(regs->tpc+4));
++ err |= get_user(nop, (unsigned int*)(regs->tpc+8));
++
++ if (err)
++ break;
++
++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
++ nop == 0x01000000U)
++ {
++ unsigned long addr;
++ unsigned int save, call;
++
++ if ((ba & 0xFFC00000U) == 0x30800000U)
++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
++ else
++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
++
++ err = get_user(save, (unsigned int*)addr);
++ err |= get_user(call, (unsigned int*)(addr+4));
++ err |= get_user(nop, (unsigned int*)(addr+8));
++ if (err)
++ break;
++
++ if (save == 0x9DE3BFA8U &&
++ (call & 0xC0000000U) == 0x40000000U &&
++ nop == 0x01000000U)
++ {
++ struct vm_area_struct *vma;
++ unsigned long call_dl_resolve;
++
++ down_read(¤t->mm->mmap_sem);
++ call_dl_resolve = current->mm->call_dl_resolve;
++ up_read(¤t->mm->mmap_sem);
++ if (likely(call_dl_resolve))
++ goto emulate;
++
++ vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
++
++ down_write(¤t->mm->mmap_sem);
++ if (current->mm->call_dl_resolve) {
++ call_dl_resolve = current->mm->call_dl_resolve;
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ goto emulate;
++ }
++
++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
++ up_write(¤t->mm->mmap_sem);
++ if (vma) kmem_cache_free(vm_area_cachep, vma);
++ return 1;
++ }
++
++ pax_insert_vma(vma, call_dl_resolve);
++ current->mm->call_dl_resolve = call_dl_resolve;
++ up_write(¤t->mm->mmap_sem);
++
++emulate:
++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
++ regs->tpc = call_dl_resolve;
++ regs->tnpc = addr+4;
++ return 3;
++ }
++ }
++ } while (0);
++
++ do { /* PaX: unpatched PLT emulation step 2 */
++ unsigned int save, call, nop;
++
++ err = get_user(save, (unsigned int*)(regs->tpc-4));
++ err |= get_user(call, (unsigned int*)regs->tpc);
++ err |= get_user(nop, (unsigned int*)(regs->tpc+4));
++ if (err)
++ break;
++
++ if (save == 0x9DE3BFA8U &&
++ (call & 0xC0000000U) == 0x40000000U &&
++ nop == 0x01000000U)
++ {
++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
++
++ regs->u_regs[UREG_RETPC] = regs->tpc;
++ regs->tpc = dl_resolve;
++ regs->tnpc = dl_resolve+4;
++ return 3;
++ }
++ } while (0);
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 5; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned int*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ asmlinkage void do_sparc64_fault(struct pt_regs *regs)
+ {
+ struct mm_struct *mm = current->mm;
+@@ -340,8 +702,10 @@
+ goto intr_or_no_mm;
+
+ if (test_thread_flag(TIF_32BIT)) {
+- if (!(regs->tstate & TSTATE_PRIV))
++ if (!(regs->tstate & TSTATE_PRIV)) {
+ regs->tpc &= 0xffffffff;
++ regs->tnpc &= 0xffffffff;
++ }
+ address &= 0xffffffff;
+ }
+
+@@ -350,6 +714,34 @@
+ if (!vma)
+ goto bad_area;
+
++#ifdef CONFIG_PAX_PAGEEXEC
++ /* PaX: detect ITLB misses on non-exec pages */
++ if ((current->flags & PF_PAX_PAGEEXEC) && vma->vm_start <= address &&
++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
++ {
++ if (address != regs->tpc)
++ goto good_area;
++
++ up_read(&mm->mmap_sem);
++ switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++ case 2:
++ case 3:
++ goto fault_done;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 4:
++ goto fault_done;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
++ do_exit(SIGKILL);
++ }
++#endif
++
+ /* Pure DTLB misses do not tell us whether the fault causing
+ * load/store/atomic was a write or not, it only says that there
+ * was no match. So in such a case we (carefully) read the
+diff -uNr linux-2.6.6/arch/sparc64/solaris/misc.c linux-2.6.6.fixed/arch/sparc64/solaris/misc.c
+--- linux-2.6.6/arch/sparc64/solaris/misc.c 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/arch/sparc64/solaris/misc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -56,6 +56,11 @@
+ struct file *file = NULL;
+ unsigned long retval, ret_type;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ /* Do we need it here? */
+ set_personality(PER_SVR4);
+ if (flags & MAP_NORESERVE) {
+diff -uNr linux-2.6.6/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.6.fixed/arch/x86_64/ia32/ia32_binfmt.c
+--- linux-2.6.6/arch/x86_64/ia32/ia32_binfmt.c 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/ia32/ia32_binfmt.c 2004-05-11 12:05:06.000000000 +0200
+@@ -185,6 +185,17 @@
+ //#include <asm/ia32.h>
+ #include <linux/elf.h>
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#endif
++
+ typedef struct user_i387_ia32_struct elf_fpregset_t;
+ typedef struct user32_fxsr_struct elf_fpxregset_t;
+
+@@ -354,6 +365,13 @@
+ mpnt->vm_mm = mm;
+ mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ mpnt->vm_end = IA32_STACK_TOP;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ mpnt->vm_flags = VM_STACK_FLAGS;
++#else
++ mpnt->vm_flags = vm_stack_flags32;
++#endif
++
+ if (executable_stack == EXSTACK_ENABLE_X)
+ mpnt->vm_flags = vm_stack_flags32 | VM_EXEC;
+ else if (executable_stack == EXSTACK_DISABLE_X)
+diff -uNr linux-2.6.6/arch/x86_64/ia32/sys_ia32.c linux-2.6.6.fixed/arch/x86_64/ia32/sys_ia32.c
+--- linux-2.6.6/arch/x86_64/ia32/sys_ia32.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/ia32/sys_ia32.c 2004-05-11 10:55:56.000000000 +0200
+@@ -212,6 +212,11 @@
+ if (a.offset & ~PAGE_MASK)
+ return -EINVAL;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (a.flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ if (!(a.flags & MAP_ANONYMOUS)) {
+ file = fget(a.fd);
+ if (!file)
+@@ -1236,6 +1241,11 @@
+ unsigned long error;
+ struct file * file = NULL;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ return -EINVAL;
++#endif
++
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+ if (!(flags & MAP_ANONYMOUS)) {
+ file = fget(fd);
+diff -uNr linux-2.6.6/arch/x86_64/kernel/ptrace.c linux-2.6.6.fixed/arch/x86_64/kernel/ptrace.c
+--- linux-2.6.6/arch/x86_64/kernel/ptrace.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/kernel/ptrace.c 2004-05-11 12:01:02.000000000 +0200
+@@ -17,6 +17,7 @@
+ #include <linux/user.h>
+ #include <linux/security.h>
+ #include <linux/audit.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -213,6 +214,9 @@
+ if (pid == 1) /* you may not mess with init */
+ goto out_tsk;
+
++ if (gr_handle_ptrace(child, request))
++ goto out_tsk;
++
+ if (request == PTRACE_ATTACH) {
+ ret = ptrace_attach(child);
+ goto out_tsk;
+diff -uNr linux-2.6.6/arch/x86_64/kernel/setup64.c linux-2.6.6.fixed/arch/x86_64/kernel/setup64.c
+--- linux-2.6.6/arch/x86_64/kernel/setup64.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/kernel/setup64.c 2004-05-11 10:55:56.000000000 +0200
+@@ -43,8 +43,15 @@
+
+ unsigned long __supported_pte_mask = ~0UL;
+ static int do_not_nx __initdata = 0;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++unsigned long vm_stack_flags = VM_GROWSDOWN | __VM_DATA_DEFAULT_FLAGS;
++unsigned long vm_stack_flags32 = VM_GROWSDOWN | __VM_DATA_DEFAULT_FLAGS;
++#else
+ unsigned long vm_stack_flags = __VM_STACK_FLAGS;
+ unsigned long vm_stack_flags32 = __VM_STACK_FLAGS;
++#endif
++
+ unsigned long vm_data_default_flags = __VM_DATA_DEFAULT_FLAGS;
+ unsigned long vm_data_default_flags32 = __VM_DATA_DEFAULT_FLAGS;
+ unsigned long vm_force_exec32 = PROT_EXEC;
+diff -uNr linux-2.6.6/arch/x86_64/kernel/sys_x86_64.c linux-2.6.6.fixed/arch/x86_64/kernel/sys_x86_64.c
+--- linux-2.6.6/arch/x86_64/kernel/sys_x86_64.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/kernel/sys_x86_64.c 2004-05-11 10:55:56.000000000 +0200
+@@ -48,6 +48,11 @@
+ if (off & ~PAGE_MASK)
+ goto out;
+
++#ifdef CONFIG_PAX_RANDEXEC
++ if (flags & MAP_MIRROR)
++ goto out;
++#endif
++
+ error = -EBADF;
+ file = NULL;
+ flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+@@ -102,6 +107,15 @@
+
+ find_start_end(flags, &begin, &end);
+
++#ifdef CONFIG_PAX_RANDMMAP
++ if ((current->flags & PF_PAX_RANDMMAP) && (!addr || filp)) {
++ if (begin == 0x40000000)
++ begin += current->mm->delta_mmap & 0x0FFFFFFFU;
++ else
++ begin += current->mm->delta_mmap;
++ }
++#endif
++
+ if (len > end)
+ return -ENOMEM;
+
+diff -uNr linux-2.6.6/arch/x86_64/mm/fault.c linux-2.6.6.fixed/arch/x86_64/mm/fault.c
+--- linux-2.6.6/arch/x86_64/mm/fault.c 2004-05-10 04:31:58.000000000 +0200
++++ linux-2.6.6.fixed/arch/x86_64/mm/fault.c 2004-05-11 10:55:56.000000000 +0200
+@@ -23,6 +23,7 @@
+ #include <linux/vt_kern.h> /* For unblank_screen() */
+ #include <linux/compiler.h>
+ #include <linux/module.h>
++#include <linux/binfmts.h>
+
+ #include <asm/system.h>
+ #include <asm/uaccess.h>
+@@ -217,6 +218,63 @@
+ (tsk->sighand->action[sig-1].sa.sa_handler == SIG_DFL);
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (regs->rip = fault address)
++ *
++ * returns 1 when task should be killed
++ * 2 when legitimate ET_EXEC was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_RANDEXEC
++ int err;
++
++ if (current->flags & PF_PAX_RANDEXEC) {
++ if (regs->rip >= current->mm->start_code &&
++ regs->rip < current->mm->end_code)
++ {
++ if (test_thread_flag(TIF_IA32)) {
++ unsigned int esp_4;
++
++ err = get_user(esp_4, (unsigned int*)(regs->rsp-4UL));
++ if (err || esp_4 == regs->rip)
++ return 1;
++ } else {
++ unsigned long esp_8;
++
++ err = get_user(esp_8, (unsigned long*)(regs->rsp-8UL));
++ if (err || esp_8 == regs->rip)
++ return 1;
++ }
++
++ regs->rip += current->mm->delta_exec;
++ return 2;
++ }
++ }
++#endif
++
++ return 1;
++}
++
++void pax_report_insns(void *pc, void *sp)
++{
++ unsigned long i;
++
++ printk(KERN_ERR "PAX: bytes at PC: ");
++ for (i = 0; i < 20; i++) {
++ unsigned int c;
++ if (get_user(c, (unsigned char*)pc+i)) {
++ printk("<invalid address>.");
++ break;
++ }
++ printk("%08x ", c);
++ }
++ printk("\n");
++}
++#endif
++
+ int page_fault_trace;
+ int exception_trace = 1;
+
+@@ -302,6 +360,23 @@
+ * we can handle it..
+ */
+ good_area:
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if ((current->flags & PF_PAX_PAGEEXEC) && (error_code & 16) && !(vma->vm_flags & VM_EXEC)) {
++ up_read(&mm->mmap_sem);
++ switch(pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_RANDEXEC
++ case 2:
++ return;
++#endif
++
++ }
++ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
++ do_exit(SIGKILL);
++ }
++#endif
++
+ info.si_code = SEGV_ACCERR;
+ write = 0;
+ switch (error_code & 3) {
+diff -uNr linux-2.6.6/drivers/char/keyboard.c linux-2.6.6.fixed/drivers/char/keyboard.c
+--- linux-2.6.6/drivers/char/keyboard.c 2004-05-10 04:33:22.000000000 +0200
++++ linux-2.6.6.fixed/drivers/char/keyboard.c 2004-05-11 10:55:56.000000000 +0200
+@@ -606,6 +606,16 @@
+ kbd->kbdmode == VC_MEDIUMRAW) &&
+ value != KVAL(K_SAK))
+ return; /* SAK is allowed even in raw mode */
++
++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
++ {
++ void *func = fn_handler[value];
++ if (func == fn_show_state || func == fn_show_ptregs ||
++ func == fn_show_mem)
++ return;
++ }
++#endif
++
+ fn_handler[value](vc, regs);
+ }
+
+diff -uNr linux-2.6.6/drivers/char/mem.c linux-2.6.6.fixed/drivers/char/mem.c
+--- linux-2.6.6/drivers/char/mem.c 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/drivers/char/mem.c 2004-05-11 11:59:26.000000000 +0200
+@@ -23,6 +23,7 @@
+ #include <linux/devfs_fs_kernel.h>
+ #include <linux/ptrace.h>
+ #include <linux/device.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/io.h>
+@@ -39,6 +40,10 @@
+ extern void tapechar_init(void);
+ #endif
+
++#ifdef CONFIG_GRKERNSEC
++extern struct file_operations grsec_fops;
++#endif
++
+ /*
+ * Architectures vary in how they handle caching for addresses
+ * outside of main memory.
+@@ -178,6 +183,12 @@
+
+ if (!valid_phys_addr_range(p, &count))
+ return -EFAULT;
++
++#ifdef CONFIG_GRKERNSEC_KMEM
++ gr_handle_mem_write();
++ return -EPERM;
++#endif
++
+ return do_write_mem(__va(p), p, buf, count, ppos);
+ }
+
+@@ -192,6 +203,11 @@
+ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+ #endif
+
++#ifdef CONFIG_GRKERNSEC_KMEM
++ if (gr_handle_mem_mmap(offset, vma))
++ return -EPERM;
++#endif
++
+ /* Don't try to swap out physical pages.. */
+ vma->vm_flags |= VM_RESERVED;
+
+@@ -285,6 +301,11 @@
+ ssize_t written;
+ char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+
++#ifdef CONFIG_GRKERNSEC_KMEM
++ gr_handle_kmem_write();
++ return -EPERM;
++#endif
++
+ if (p < (unsigned long) high_memory) {
+
+ wrote = count;
+@@ -411,7 +432,23 @@
+ count = size;
+
+ zap_page_range(vma, addr, count, NULL);
+- zeromap_page_range(vma, addr, count, PAGE_COPY);
++ zeromap_page_range(vma, addr, count, vma->vm_page_prot);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR) {
++ unsigned long addr_m;
++ struct vm_area_struct * vma_m;
++
++ addr_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(mm, addr_m);
++ if (vma_m && vma_m->vm_start == addr_m && (vma_m->vm_flags & VM_MIRROR)) {
++ addr_m = addr + (unsigned long)vma->vm_private_data;
++ zap_page_range(vma_m, addr_m, count, NULL);
++ } else
++ printk(KERN_ERR "PAX: VMMIRROR: read_zero bug, %08lx, %08lx\n",
++ addr, vma->vm_start);
++ }
++#endif
+
+ size -= count;
+ buf += count;
+@@ -560,6 +597,16 @@
+
+ static int open_port(struct inode * inode, struct file * filp)
+ {
++#ifdef CONFIG_GRKERNSEC_KMEM
++ gr_handle_open_port();
++ return -EPERM;
++#endif
++
++ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
++}
++
++static int open_mem(struct inode * inode, struct file * filp)
++{
+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+ }
+
+@@ -568,7 +615,6 @@
+ #define full_lseek null_lseek
+ #define write_zero write_null
+ #define read_full read_zero
+-#define open_mem open_port
+ #define open_kmem open_mem
+
+ static struct file_operations mem_fops = {
+@@ -666,6 +712,11 @@
+ case 9:
+ filp->f_op = &urandom_fops;
+ break;
++#ifdef CONFIG_GRKERNSEC
++ case 10:
++ filp->f_op = &grsec_fops;
++ break;
++#endif
+ case 11:
+ filp->f_op = &kmsg_fops;
+ break;
+@@ -697,6 +748,9 @@
+ {7, "full", S_IRUGO | S_IWUGO, &full_fops},
+ {8, "random", S_IRUGO | S_IWUSR, &random_fops},
+ {9, "urandom", S_IRUGO | S_IWUSR, &urandom_fops},
++#ifdef CONFIG_GRKERNSEC
++ {10,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
++#endif
+ {11,"kmsg", S_IRUGO | S_IWUSR, &kmsg_fops},
+ };
+
+diff -uNr linux-2.6.6/drivers/char/random.c linux-2.6.6.fixed/drivers/char/random.c
+--- linux-2.6.6/drivers/char/random.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/drivers/char/random.c 2004-05-11 10:55:56.000000000 +0200
+@@ -263,9 +263,15 @@
+ /*
+ * Configuration information
+ */
++#ifdef CONFIG_GRKERNSEC_RANDNET
++#define DEFAULT_POOL_SIZE 1024
++#define SECONDARY_POOL_SIZE 256
++#define BATCH_ENTROPY_SIZE 512
++#else
+ #define DEFAULT_POOL_SIZE 512
+ #define SECONDARY_POOL_SIZE 128
+ #define BATCH_ENTROPY_SIZE 256
++#endif
+ #define USE_SHA
+
+ /*
+@@ -2380,6 +2386,29 @@
+ return halfMD4Transform(hash, keyptr->secret);
+ }
+
++#ifdef CONFIG_GRKERNSEC
++/* the following function is provided by PaX under the GPL */
++unsigned long get_random_long(void)
++{
++ static time_t rekey_time;
++ static __u32 secret[12];
++ time_t t;
++
++ /*
++ * Pick a random secret every REKEY_INTERVAL seconds
++ */
++ t = get_seconds();
++ if (!rekey_time || (t - rekey_time) > REKEY_INTERVAL) {
++ rekey_time = t;
++ get_random_bytes(secret, sizeof(secret));
++ }
++
++ secret[1] = halfMD4Transform(secret+8, secret);
++ secret[0] = halfMD4Transform(secret+8, secret);
++ return *(unsigned long *)secret;
++}
++#endif
++
+ #ifdef CONFIG_SYN_COOKIES
+ /*
+ * Secure SYN cookie computation. This is the algorithm worked out by
+@@ -2479,3 +2508,25 @@
+ return (cookie - tmp[17]) & COOKIEMASK; /* Leaving the data behind */
+ }
+ #endif
++
++#ifdef CONFIG_PAX_ASLR
++unsigned long pax_get_random_long(void)
++{
++ static time_t rekey_time;
++ static __u32 secret[12];
++ time_t t;
++
++ /*
++ * Pick a random secret every REKEY_INTERVAL seconds.
++ */
++ t = get_seconds();
++ if (!rekey_time || (t - rekey_time) > REKEY_INTERVAL) {
++ rekey_time = t;
++ get_random_bytes(secret, sizeof(secret));
++ }
++
++ secret[1] = halfMD4Transform(secret+8, secret);
++ secret[0] = halfMD4Transform(secret+8, secret);
++ return *(unsigned long *)secret;
++}
++#endif
+diff -uNr linux-2.6.6/drivers/char/vt_ioctl.c linux-2.6.6.fixed/drivers/char/vt_ioctl.c
+--- linux-2.6.6/drivers/char/vt_ioctl.c 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/drivers/char/vt_ioctl.c 2004-05-11 10:55:56.000000000 +0200
+@@ -96,6 +96,12 @@
+ case KDSKBENT:
+ if (!perm)
+ return -EPERM;
++
++#ifdef CONFIG_GRKERNSEC
++ if (!capable(CAP_SYS_TTY_CONFIG))
++ return -EPERM;
++#endif
++
+ if (!i && v == K_NOSUCHMAP) {
+ /* disallocate map */
+ key_map = key_maps[s];
+@@ -232,6 +238,13 @@
+ goto reterr;
+ }
+
++#ifdef CONFIG_GRKERNSEC
++ if (!capable(CAP_SYS_TTY_CONFIG)) {
++ return -EPERM;
++ goto reterr;
++ }
++#endif
++
+ q = func_table[i];
+ first_free = funcbufptr + (funcbufsize - funcbufleft);
+ for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
+diff -uNr linux-2.6.6/drivers/pci/proc.c linux-2.6.6.fixed/drivers/pci/proc.c
+--- linux-2.6.6/drivers/pci/proc.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/drivers/pci/proc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -565,7 +565,15 @@
+
+ static void legacy_proc_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &proc_pci_operations;
+ }
+@@ -594,7 +602,15 @@
+ {
+ struct proc_dir_entry *entry;
+ struct pci_dev *dev = NULL;
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++#endif
++#else
+ proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
++#endif
+ entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
+ if (entry)
+ entry->proc_fops = &proc_bus_pci_dev_operations;
+diff -uNr linux-2.6.6/drivers/pnp/pnpbios/bioscalls.c linux-2.6.6.fixed/drivers/pnp/pnpbios/bioscalls.c
+--- linux-2.6.6/drivers/pnp/pnpbios/bioscalls.c 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/drivers/pnp/pnpbios/bioscalls.c 2004-05-11 10:55:56.000000000 +0200
+@@ -79,7 +79,7 @@
+ set_limit(cpu_gdt_table[cpu][(selname) >> 3], size); \
+ } while(0)
+
+-static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
++static struct desc_struct bad_bios_desc = { 0, 0x00409300 };
+
+ /*
+ * At some point we want to use this stack frame pointer to unwind
+@@ -107,6 +107,10 @@
+ struct desc_struct save_desc_40;
+ int cpu;
+
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long cr3;
++#endif
++
+ /*
+ * PnP BIOSes are generally not terribly re-entrant.
+ * Also, don't rely on them to save everything correctly.
+@@ -115,11 +119,21 @@
+ return PNP_FUNCTION_NOT_SUPPORTED;
+
+ cpu = get_cpu();
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_open_kernel(flags, cr3);
++#endif
++
+ save_desc_40 = cpu_gdt_table[cpu][0x40 / 8];
+ cpu_gdt_table[cpu][0x40 / 8] = bad_bios_desc;
+
+ /* On some boxes IRQ's during PnP BIOS calls are deadly. */
++
++#ifdef CONFIG_PAX_KERNEXEC
++ spin_lock_irq(&pnp_bios_lock);
++#else
+ spin_lock_irqsave(&pnp_bios_lock, flags);
++#endif
+
+ /* The lock prevents us bouncing CPU here */
+ if (ts1_size)
+@@ -156,9 +170,19 @@
+ "i" (0)
+ : "memory"
+ );
++
++#ifdef CONFIG_PAX_KERNEXEC
++ spin_unlock_irq(&pnp_bios_lock);
++#else
+ spin_unlock_irqrestore(&pnp_bios_lock, flags);
++#endif
+
+ cpu_gdt_table[cpu][0x40 / 8] = save_desc_40;
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ put_cpu();
+
+ /* If we get here and this is set then the PnP BIOS faulted on us. */
+diff -uNr linux-2.6.6/drivers/scsi/scsi_devinfo.c linux-2.6.6.fixed/drivers/scsi/scsi_devinfo.c
+--- linux-2.6.6/drivers/scsi/scsi_devinfo.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/drivers/scsi/scsi_devinfo.c 2004-05-11 10:55:56.000000000 +0200
+@@ -27,7 +27,7 @@
+ static const char spaces[] = " "; /* 16 of them */
+ static unsigned scsi_default_dev_flags;
+ static LIST_HEAD(scsi_dev_info_list);
+-static __init char scsi_dev_flags[256];
++static __initdata char scsi_dev_flags[256];
+
+ /*
+ * scsi_static_device_list: deprecated list of devices that require
+diff -uNr linux-2.6.6/drivers/video/vesafb.c linux-2.6.6.fixed/drivers/video/vesafb.c
+--- linux-2.6.6/drivers/video/vesafb.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/drivers/video/vesafb.c 2004-05-11 10:55:56.000000000 +0200
+@@ -239,7 +239,7 @@
+ if (vesafb_fix.smem_len > 16 * 1024 * 1024)
+ vesafb_fix.smem_len = 16 * 1024 * 1024;
+
+-#ifndef __i386__
++#if !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
+ screen_info.vesapm_seg = 0;
+ #endif
+
+diff -uNr linux-2.6.6/fs/binfmt_aout.c linux-2.6.6.fixed/fs/binfmt_aout.c
+--- linux-2.6.6/fs/binfmt_aout.c 2004-05-10 04:32:02.000000000 +0200
++++ linux-2.6.6.fixed/fs/binfmt_aout.c 2004-05-11 10:55:56.000000000 +0200
+@@ -24,6 +24,7 @@
+ #include <linux/binfmts.h>
+ #include <linux/personality.h>
+ #include <linux/init.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/system.h>
+ #include <asm/uaccess.h>
+@@ -118,10 +119,12 @@
+ /* If the size of the dump file exceeds the rlimit, then see what would happen
+ if we wrote the stack, but not the data area. */
+ #ifdef __sparc__
++ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
+ if ((dump.u_dsize+dump.u_ssize) >
+ current->rlim[RLIMIT_CORE].rlim_cur)
+ dump.u_dsize = 0;
+ #else
++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
+ if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
+ current->rlim[RLIMIT_CORE].rlim_cur)
+ dump.u_dsize = 0;
+@@ -129,10 +132,12 @@
+
+ /* Make sure we have enough room to write the stack and data areas. */
+ #ifdef __sparc__
++ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
+ if ((dump.u_ssize) >
+ current->rlim[RLIMIT_CORE].rlim_cur)
+ dump.u_ssize = 0;
+ #else
++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
+ if ((dump.u_ssize+1) * PAGE_SIZE >
+ current->rlim[RLIMIT_CORE].rlim_cur)
+ dump.u_ssize = 0;
+@@ -281,6 +286,8 @@
+ rlim = current->rlim[RLIMIT_DATA].rlim_cur;
+ if (rlim >= RLIM_INFINITY)
+ rlim = ~0;
++
++ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
+ if (ex.a_data + ex.a_bss > rlim)
+ return -ENOMEM;
+
+@@ -309,10 +316,33 @@
+ (current->mm->start_brk = N_BSSADDR(ex));
+ current->mm->free_area_cache = TASK_UNMAPPED_BASE;
+
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP)
++ current->mm->free_area_cache += current->mm->delta_mmap;
++#endif
++
+ current->mm->rss = 0;
+ current->mm->mmap = NULL;
+ compute_creds(bprm);
+ current->flags &= ~PF_FORKNOEXEC;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
++ current->flags |= PF_PAX_PAGEEXEC;
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
++ current->flags |= PF_PAX_EMUTRAMP;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
++ current->flags |= PF_PAX_MPROTECT;
++#endif
++
++ }
++#endif
++
+ #ifdef __sparc__
+ if (N_MAGIC(ex) == NMAGIC) {
+ loff_t pos = fd_offset;
+@@ -399,7 +429,7 @@
+
+ down_write(¤t->mm->mmap_sem);
+ error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
+- PROT_READ | PROT_WRITE | PROT_EXEC,
++ PROT_READ | PROT_WRITE,
+ MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
+ fd_offset + ex.a_text);
+ up_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/fs/binfmt_elf.c linux-2.6.6.fixed/fs/binfmt_elf.c
+--- linux-2.6.6/fs/binfmt_elf.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/fs/binfmt_elf.c 2004-05-11 11:53:30.000000000 +0200
+@@ -37,11 +37,17 @@
+ #include <linux/pagemap.h>
+ #include <linux/security.h>
+ #include <linux/syscalls.h>
++#include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/param.h>
+ #include <asm/pgalloc.h>
+
++#ifdef CONFIG_PAX_SEGMEXEC
++#include <asm/desc.h>
++#endif
++
+ #include <linux/elf.h>
+
+ static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs);
+@@ -85,14 +91,22 @@
+
+ static int set_brk(unsigned long start, unsigned long end)
+ {
++ current->mm->start_brk = current->mm->brk = end;
+ start = ELF_PAGEALIGN(start);
+ end = ELF_PAGEALIGN(end);
+ if (end > start) {
+ unsigned long addr = do_brk(start, end - start);
+ if (BAD_ADDR(addr))
+ return addr;
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (current->flags & PF_PAX_RANDEXEC)
++ addr = __do_mmap_pgoff(NULL, ELF_PAGEALIGN(start + current->mm->delta_exec), 0UL, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_MIRROR, start);
++ if (BAD_ADDR(addr))
++ return addr;
++#endif
++
+ }
+- current->mm->start_brk = current->mm->brk = end;
+ return 0;
+ }
+
+@@ -456,6 +470,203 @@
+ return elf_entry;
+ }
+
++#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
++static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
++{
++ unsigned long pax_flags = 0UL;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (elf_phdata->p_flags & PF_PAGEEXEC)
++ pax_flags |= PF_PAX_PAGEEXEC;
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (elf_phdata->p_flags & PF_SEGMEXEC) {
++ pax_flags &= ~PF_PAX_PAGEEXEC;
++ pax_flags |= PF_PAX_SEGMEXEC;
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ if (elf_phdata->p_flags & PF_EMUTRAMP)
++ pax_flags |= PF_PAX_EMUTRAMP;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ if (elf_phdata->p_flags & PF_MPROTECT)
++ pax_flags |= PF_PAX_MPROTECT;
++#endif
++
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if (elf_phdata->p_flags & PF_RANDMMAP)
++ pax_flags |= PF_PAX_RANDMMAP;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if (elf_phdata->p_flags & PF_RANDEXEC)
++ pax_flags |= PF_PAX_RANDEXEC;
++#endif
++
++ return pax_flags;
++}
++#endif
++
++#ifdef CONFIG_PAX_PT_PAX_FLAGS
++static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
++{
++ unsigned long pax_flags = 0UL;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
++ pax_flags |= PF_PAX_PAGEEXEC;
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC)) {
++ pax_flags &= ~PF_PAX_PAGEEXEC;
++ pax_flags |= PF_PAX_SEGMEXEC;
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
++ pax_flags |= PF_PAX_EMUTRAMP;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
++ pax_flags |= PF_PAX_MPROTECT;
++#endif
++
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if (!(elf_phdata->p_flags & PF_NORANDMMAP))
++ pax_flags |= PF_PAX_RANDMMAP;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if (!(elf_phdata->p_flags & PF_NORANDEXEC))
++ pax_flags |= PF_PAX_RANDEXEC;
++#endif
++
++ return pax_flags;
++}
++#endif
++
++#ifdef CONFIG_PAX_EI_PAX
++static int pax_parse_ei_pax(const struct elfhdr * const elf_ex)
++{
++ unsigned long pax_flags = 0UL;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
++ pax_flags |= PF_PAX_PAGEEXEC;
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC)) {
++ pax_flags &= ~PF_PAX_PAGEEXEC;
++ pax_flags |= PF_PAX_SEGMEXEC;
++ }
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ if ((pax_flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
++ pax_flags |= PF_PAX_EMUTRAMP;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ if ((pax_flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
++ pax_flags |= PF_PAX_MPROTECT;
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
++ pax_flags |= PF_PAX_RANDMMAP;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ if ((elf_ex->e_ident[EI_PAX] & EF_PAX_RANDEXEC) && (elf_ex->e_type == ET_EXEC) && (pax_flags & PF_PAX_MPROTECT))
++ pax_flags |= PF_PAX_RANDEXEC;
++#endif
++
++ return pax_flags;
++}
++#endif
++
++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++static int pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
++{
++ unsigned long pax_flags = 0UL;
++
++#ifdef CONFIG_PAX_PT_PAX_FLAGS
++ unsigned long i;
++#endif
++
++#ifdef CONFIG_PAX_EI_PAX
++ pax_flags = pax_parse_ei_pax(elf_ex);
++#endif
++
++#ifdef CONFIG_PAX_PT_PAX_FLAGS
++ for (i = 0UL; i < elf_ex->e_phnum; i++)
++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)) ||
++ ((elf_phdata[i].p_flags & PF_RANDEXEC) && ((elf_phdata[i].p_flags & PF_NORANDEXEC) || elf_ex->e_type == ET_DYN || !(elf_phdata[i].p_flags & PF_MPROTECT))) ||
++ (!(elf_phdata[i].p_flags & PF_NORANDEXEC) && (elf_ex->e_type == ET_DYN || (elf_phdata[i].p_flags & PF_NOMPROTECT))))
++ return -EINVAL;
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_softmode)
++ pax_flags = pax_parse_softmode(&elf_phdata[i]);
++ else
++#endif
++
++ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
++ break;
++ }
++#endif
++
++ if (0 > pax_check_flags(&pax_flags))
++ return -EINVAL;
++
++ current->flags |= pax_flags;
++ return 0;
++}
++#endif
++
+ /*
+ * These are the functions used to load ELF style executables and shared
+ * libraries. There is no binary dependent code anywhere else.
+@@ -488,6 +699,12 @@
+ struct exec interp_ex;
+ char passed_fileno[6];
+ struct files_struct *files;
++
++#ifdef CONFIG_PAX_RANDEXEC
++ unsigned long load_addr_random = 0UL;
++ unsigned long load_bias_random = 0UL;
++#endif
++
+ int executable_stack = EXSTACK_DEFAULT;
+
+ /* Get the exec-header */
+@@ -687,8 +904,52 @@
+ current->mm->end_data = 0;
+ current->mm->end_code = 0;
+ current->mm->mmap = NULL;
++
++#ifdef CONFIG_PAX_DLRESOLVE
++ current->mm->call_dl_resolve = 0UL;
++#endif
++
++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
++ current->mm->call_syscall = 0UL;
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++ current->mm->delta_mmap = 0UL;
++ current->mm->delta_exec = 0UL;
++ current->mm->delta_stack = 0UL;
++#endif
++
+ current->flags &= ~PF_FORKNOEXEC;
+
++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
++ if (0 > pax_parse_elf_flags(&elf_ex, elf_phdata)) {
++ send_sig(SIGKILL, current, 0);
++ goto out_free_dentry;
++ }
++#endif
++
++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
++ pax_set_flags(bprm);
++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
++ if (pax_set_flags_func)
++ (pax_set_flags_func)(bprm);
++#endif
++
++#ifdef CONFIG_PAX_DLRESOLVE
++ if (current->flags & PF_PAX_PAGEEXEC)
++ current->mm->call_dl_resolve = 0UL;
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++ if (current->flags & PF_PAX_RANDMMAP) {
++#define pax_delta_mask(delta, lsb, len) (((delta) & ((1UL << (len)) - 1)) << (lsb))
++
++ current->mm->delta_mmap = pax_delta_mask(pax_get_random_long(), PAX_DELTA_MMAP_LSB(current), PAX_DELTA_MMAP_LEN(current));
++ current->mm->delta_exec = pax_delta_mask(pax_get_random_long(), PAX_DELTA_EXEC_LSB(current), PAX_DELTA_EXEC_LEN(current));
++ current->mm->delta_stack = pax_delta_mask(pax_get_random_long(), PAX_DELTA_STACK_LSB(current), PAX_DELTA_STACK_LEN(current));
++ }
++#endif
++
+ /* Do this immediately, since STACK_TOP as used in setup_arg_pages
+ may depend on the personality. */
+ SET_PERSONALITY(elf_ex, ibcs2_interpreter);
+@@ -697,6 +958,12 @@
+ change some of these later */
+ current->mm->rss = 0;
+ current->mm->free_area_cache = TASK_UNMAPPED_BASE;
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP)
++ current->mm->free_area_cache += current->mm->delta_mmap;
++#endif
++
+ retval = setup_arg_pages(bprm, executable_stack);
+ if (retval < 0) {
+ send_sig(SIGKILL, current, 0);
+@@ -752,11 +1019,85 @@
+ base, as well as whatever program they might try to exec. This
+ is because the brk will follow the loader, and is not movable. */
+ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
++
++#ifdef CONFIG_PAX_RANDMMAP
++ /* PaX: randomize base address at the default exe base if requested */
++ if (current->flags & PF_PAX_RANDMMAP) {
++ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE(current) - vaddr + current->mm->delta_exec);
++ elf_flags |= MAP_FIXED;
++ }
++#endif
++
+ }
+
+- error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
+- if (BAD_ADDR(error))
+- continue;
++#ifdef CONFIG_PAX_RANDEXEC
++ if ((current->flags & PF_PAX_RANDEXEC) && (elf_ex.e_type == ET_EXEC)) {
++ error = -ENOMEM;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (current->flags & PF_PAX_PAGEEXEC)
++ error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot & ~PROT_EXEC, elf_flags);
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ unsigned long addr, len;
++
++ addr = ELF_PAGESTART(load_bias + vaddr);
++ len = elf_ppnt->p_filesz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr);
++ if (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len)
++ continue;
++ down_write(¤t->mm->mmap_sem);
++ error = __do_mmap_pgoff(bprm->file, addr, len, elf_prot, elf_flags, (elf_ppnt->p_offset - ELF_PAGEOFFSET(elf_ppnt->p_vaddr)) >> PAGE_SHIFT);
++ up_write(¤t->mm->mmap_sem);
++ }
++#endif
++
++ if (BAD_ADDR(error))
++ continue;
++
++ /* PaX: mirror at a randomized base */
++ down_write(¤t->mm->mmap_sem);
++
++ if (!load_addr_set) {
++ load_addr_random = get_unmapped_area(bprm->file, 0UL, elf_ppnt->p_filesz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr), (elf_ppnt->p_offset - ELF_PAGEOFFSET(elf_ppnt->p_vaddr)) >> PAGE_SHIFT, MAP_PRIVATE);
++ if (BAD_ADDR(load_addr_random)) {
++ up_write(¤t->mm->mmap_sem);
++ continue;
++ }
++ load_bias_random = load_addr_random - vaddr;
++ }
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (current->flags & PF_PAX_PAGEEXEC)
++ load_addr_random = __do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error);
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (elf_prot & PROT_EXEC) {
++ load_addr_random = __do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), elf_ppnt->p_memsz + ELF_PAGEOFFSET(elf_ppnt->p_vaddr), PROT_NONE, MAP_PRIVATE | MAP_FIXED, 0UL);
++ if (!BAD_ADDR(load_addr_random)) {
++ load_addr_random = __do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr + SEGMEXEC_TASK_SIZE), 0UL, elf_prot, elf_flags | MAP_MIRROR, error);
++ if (!BAD_ADDR(load_addr_random))
++ load_addr_random -= SEGMEXEC_TASK_SIZE;
++ }
++ } else
++ load_addr_random = __do_mmap_pgoff(NULL, ELF_PAGESTART(load_bias_random + vaddr), 0UL, elf_prot, elf_flags | MAP_MIRROR, error);
++ }
++#endif
++
++ up_write(¤t->mm->mmap_sem);
++ if (BAD_ADDR(load_addr_random))
++ continue;
++ } else
++#endif
++
++ {
++ error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
++ if (BAD_ADDR(error))
++ continue;
++ }
+
+ if (!load_addr_set) {
+ load_addr_set = 1;
+@@ -767,6 +1108,11 @@
+ load_addr += load_bias;
+ reloc_func_desc = load_bias;
+ }
++
++#ifdef CONFIG_PAX_RANDEXEC
++ current->mm->delta_exec = load_addr_random - load_addr;
++#endif
++
+ }
+ k = elf_ppnt->p_vaddr;
+ if (k < start_code) start_code = k;
+@@ -806,6 +1152,16 @@
+ start_data += load_bias;
+ end_data += load_bias;
+
++#ifdef CONFIG_PAX_RANDMMAP
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ elf_brk += pax_delta_mask(pax_get_random_long(), 4, PAGE_SHIFT);
++#undef pax_delta_mask
++#endif
++
+ /* Calling set_brk effectively mmaps the pages that we need
+ * for the bss and break sections. We must do this before
+ * mapping in the interpreter, to make sure it doesn't wind
+@@ -886,6 +1242,26 @@
+ ELF_PLAT_INIT(regs, reloc_func_desc);
+ #endif
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ i = get_cpu();
++
++#ifdef CONFIG_PAX_KERNEXEC
++ {
++ unsigned long flags, cr3;
++
++ pax_open_kernel(flags, cr3);
++#endif
++
++ pax_switch_segments(current, i);
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++ }
++#endif
++
++ put_cpu();
++#endif
++
+ start_thread(regs, elf_entry, bprm->p);
+ if (unlikely(current->ptrace & PT_PTRACED)) {
+ if (current->ptrace & PT_TRACE_EXEC)
+@@ -1098,8 +1474,11 @@
+ #undef DUMP_SEEK
+
+ #define DUMP_WRITE(addr, nr) \
++ do { \
++ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
+ if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
+- goto end_coredump;
++ goto end_coredump; \
++ } while (0);
+ #define DUMP_SEEK(off) \
+ if (!dump_seek(file, (off))) \
+ goto end_coredump;
+diff -uNr linux-2.6.6/fs/binfmt_misc.c linux-2.6.6.fixed/fs/binfmt_misc.c
+--- linux-2.6.6/fs/binfmt_misc.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/fs/binfmt_misc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -108,9 +108,11 @@
+ int retval;
+
+ retval = -ENOEXEC;
+- if (!enabled)
++ if (!enabled || bprm->misc)
+ goto _ret;
+
++ bprm->misc++;
++
+ /* to keep locking time low, we copy the interpreter string */
+ read_lock(&entries_lock);
+ fmt = check_file(bprm);
+diff -uNr linux-2.6.6/fs/buffer.c linux-2.6.6.fixed/fs/buffer.c
+--- linux-2.6.6/fs/buffer.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/fs/buffer.c 2004-05-11 10:55:56.000000000 +0200
+@@ -37,6 +37,7 @@
+ #include <linux/bio.h>
+ #include <linux/notifier.h>
+ #include <linux/cpu.h>
++#include <linux/grsecurity.h>
+ #include <asm/bitops.h>
+
+ static void invalidate_bh_lrus(void);
+@@ -2168,6 +2169,9 @@
+ int err;
+
+ err = -EFBIG;
++
++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
++
+ limit = current->rlim[RLIMIT_FSIZE].rlim_cur;
+ if (limit != RLIM_INFINITY && size > (loff_t)limit) {
+ send_sig(SIGXFSZ, current, 0);
+diff -uNr linux-2.6.6/fs/dcache.c linux-2.6.6.fixed/fs/dcache.c
+--- linux-2.6.6/fs/dcache.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/fs/dcache.c 2004-05-11 10:55:56.000000000 +0200
+@@ -1262,7 +1262,7 @@
+ *
+ * "buflen" should be positive. Caller holds the dcache_lock.
+ */
+-static char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
++char * __d_path( struct dentry *dentry, struct vfsmount *vfsmnt,
+ struct dentry *root, struct vfsmount *rootmnt,
+ char *buffer, int buflen)
+ {
+diff -uNr linux-2.6.6/fs/exec.c linux-2.6.6.fixed/fs/exec.c
+--- linux-2.6.6/fs/exec.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/fs/exec.c 2004-05-11 11:44:39.000000000 +0200
+@@ -46,6 +46,8 @@
+ #include <linux/security.h>
+ #include <linux/syscalls.h>
+ #include <linux/rmap.h>
++#include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgalloc.h>
+@@ -62,6 +64,20 @@
+ static struct linux_binfmt *formats;
+ static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED;
+
++#ifdef CONFIG_PAX_SOFTMODE
++
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) || defined(CONFIG_PAX_RANDKSTACK)
++unsigned int pax_aslr=1;
++#endif
++
++unsigned int pax_softmode;
++#endif
++
++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
++void (*pax_set_flags_func)(struct linux_binprm * bprm);
++EXPORT_SYMBOL(pax_set_flags_func);
++#endif
++
+ int register_binfmt(struct linux_binfmt * fmt)
+ {
+ struct linux_binfmt ** tmp = &formats;
+@@ -303,7 +319,12 @@
+ pte_t * pte;
+ struct pte_chain *pte_chain;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (page_count(page) != 1 && (!(tsk->flags & PF_PAX_SEGMEXEC) || page_count(page) != 3))
++#else
+ if (page_count(page) != 1)
++#endif
++
+ printk(KERN_ERR "mem_map disagrees with %p at %08lx\n",
+ page, address);
+
+@@ -322,8 +343,18 @@
+ pte_unmap(pte);
+ goto out;
+ }
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (page_count(page) == 1) {
++#endif
++
+ lru_cache_add_active(page);
+ flush_dcache_page(page);
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ }
++#endif
++
+ set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, prot))));
+ pte_chain = page_add_rmap(page, pte, pte_chain);
+ pte_unmap(pte);
+@@ -350,6 +381,10 @@
+ int i;
+ long arg_size;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ struct vm_area_struct *mpnt_m = NULL;
++#endif
++
+ #ifdef CONFIG_STACK_GROWSUP
+ /* Move the argument and environment strings to the bottom of the
+ * stack space.
+@@ -409,6 +444,16 @@
+ if (!mpnt)
+ return -ENOMEM;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) && (VM_STACK_FLAGS & VM_MAYEXEC)) {
++ mpnt_m = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
++ if (!mpnt_m) {
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return -ENOMEM;
++ }
++ }
++#endif
++
+ if (security_vm_enough_memory(arg_size >> PAGE_SHIFT)) {
+ kmem_cache_free(vm_area_cachep, mpnt);
+ return -ENOMEM;
+@@ -425,6 +470,11 @@
+ mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+ mpnt->vm_end = STACK_TOP;
+ #endif
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(current->flags & PF_PAX_PAGEEXEC))
++ mpnt->vm_page_prot = protection_map[(VM_STACK_FLAGS | VM_EXEC) & 0x7];
++ else
++#endif
+ /* Adjust stack execute permissions; explicitly enable
+ * for EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X
+ * and leave alone (arch default) otherwise. */
+@@ -442,6 +492,26 @@
+ mpnt->vm_private_data = (void *) 0;
+ insert_vm_struct(mm, mpnt);
+ mm->total_vm = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (mpnt_m) {
++ *mpnt_m = *mpnt;
++ INIT_LIST_HEAD(&mpnt_m->shared);
++ if (!(VM_STACK_FLAGS & VM_EXEC)) {
++ mpnt_m->vm_flags &= ~(VM_READ | VM_WRITE | VM_EXEC);
++ mpnt_m->vm_page_prot = PAGE_NONE;
++ }
++ mpnt_m->vm_start += SEGMEXEC_TASK_SIZE;
++ mpnt_m->vm_end += SEGMEXEC_TASK_SIZE;
++ mpnt_m->vm_flags |= VM_MIRROR;
++ mpnt->vm_flags |= VM_MIRROR;
++ mpnt_m->vm_private_data = (void *)(mpnt->vm_start - mpnt_m->vm_start);
++ mpnt->vm_private_data = (void *)(mpnt_m->vm_start - mpnt->vm_start);
++ insert_vm_struct(mm, mpnt_m);
++ current->mm->total_vm = (mpnt_m->vm_end - mpnt_m->vm_start) >> PAGE_SHIFT;
++ }
++#endif
++
+ }
+
+ for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
+@@ -450,6 +520,15 @@
+ bprm->page[i] = NULL;
+ put_dirty_page(current, page, stack_base,
+ mpnt->vm_page_prot);
++
++#if defined(CONFIG_PAX_SEGMEXEC) && defined(CONFIG_PAX_MPROTECT)
++ if (mpnt_m) {
++ page_cache_get(page);
++ put_dirty_page(current, page, stack_base + SEGMEXEC_TASK_SIZE,
++ mpnt_m->vm_page_prot);
++ }
++#endif
++
+ }
+ stack_base += PAGE_SIZE;
+ }
+@@ -845,6 +924,30 @@
+ }
+ current->comm[i] = '\0';
+
++#ifdef CONFIG_PAX_PAGEEXEC
++ current->flags &= ~PF_PAX_PAGEEXEC;
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ current->flags &= ~PF_PAX_EMUTRAMP;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ current->flags &= ~PF_PAX_MPROTECT;
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++ current->flags &= ~PF_PAX_RANDMMAP;
++#endif
++
++#ifdef CONFIG_PAX_RANDEXEC
++ current->flags &= ~PF_PAX_RANDEXEC;
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ current->flags &= ~PF_PAX_SEGMEXEC;
++#endif
++
+ flush_thread();
+
+ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+@@ -913,6 +1016,9 @@
+ if (retval)
+ return retval;
+
++ if (gr_handle_ptrace_exec(bprm->file->f_dentry, bprm->file->f_vfsmnt))
++ return -EACCES;
++
+ memset(bprm->buf,0,BINPRM_BUF_SIZE);
+ return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
+ }
+@@ -942,6 +1048,7 @@
+ task_lock(current);
+ unsafe = unsafe_exec(current);
+ security_bprm_apply_creds(bprm, unsafe);
++ gr_handle_chroot_caps(current);
+ task_unlock(current);
+ }
+
+@@ -1082,6 +1189,11 @@
+ struct file *file;
+ int retval;
+ int i;
++#ifdef CONFIG_GRKERNSEC
++ struct file *old_exec_file;
++ struct acl_subject_label *old_acl;
++ struct rlimit old_rlim[RLIM_NLIMITS];
++#endif
+
+ sched_balance_exec();
+
+@@ -1091,13 +1203,39 @@
+ if (IS_ERR(file))
+ return retval;
+
++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->user->processes), 1);
++
++ if (gr_handle_nproc()) {
++ allow_write_access(file);
++ fput(file);
++ return -EAGAIN;
++ }
++
++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
++ allow_write_access(file);
++ fput(file);
++ return -EACCES;
++ }
++
++
+ bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
++
++#ifdef CONFIG_PAX_RANDUSTACK
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_aslr)
++#endif
++
++ bprm.p -= (pax_get_random_long() & ~(sizeof(void *)-1)) & ~PAGE_MASK;
++#endif
++
+ memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0]));
+
+ bprm.file = file;
+ bprm.filename = filename;
+ bprm.interp = filename;
+ bprm.sh_bang = 0;
++ bprm.misc = 0;
+ bprm.loader = 0;
+ bprm.exec = 0;
+ bprm.security = NULL;
+@@ -1126,11 +1264,26 @@
+ if (retval < 0)
+ goto out;
+
++ if (!gr_tpe_allow(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
++ if (gr_check_crash_exec(file)) {
++ retval = -EACCES;
++ goto out;
++ }
++
+ retval = copy_strings_kernel(1, &bprm.filename, &bprm);
+ if (retval < 0)
+ goto out;
+
+ bprm.exec = bprm.p;
++
++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
++
++ gr_handle_exec_args(&bprm, argv);
++
+ retval = copy_strings(bprm.envc, envp, &bprm);
+ if (retval < 0)
+ goto out;
+@@ -1139,8 +1292,22 @@
+ if (retval < 0)
+ goto out;
+
++#ifdef CONFIG_GRKERNSEC
++ old_acl = current->acl;
++ memcpy(old_rlim, current->rlim, sizeof(old_rlim));
++ old_exec_file = current->exec_file;
++ get_file(file);
++ current->exec_file = file;
++#endif
++
++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
++
+ retval = search_binary_handler(&bprm,regs);
+ if (retval >= 0) {
++#ifdef CONFIG_GRKERNSEC
++ if (old_exec_file)
++ fput(old_exec_file);
++#endif
+ free_arg_pages(&bprm);
+
+ /* execve success */
+@@ -1148,6 +1315,13 @@
+ return retval;
+ }
+
++#ifdef CONFIG_GRKERNSEC
++ current->acl = old_acl;
++ memcpy(current->rlim, old_rlim, sizeof(old_rlim));
++ fput(current->exec_file);
++ current->exec_file = old_exec_file;
++#endif
++
+ out:
+ /* Something went wrong, return the inode and free the argument pages*/
+ for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
+@@ -1305,6 +1479,128 @@
+ *out_ptr = 0;
+ }
+
++int pax_check_flags(unsigned long * flags)
++{
++ int retval = 0;
++
++#if !defined(__i386__) || !defined(CONFIG_PAX_SEGMEXEC)
++ if (*flags & PF_PAX_SEGMEXEC)
++ {
++ *flags &= ~PF_PAX_SEGMEXEC;
++ retval = -EINVAL;
++ }
++#endif
++
++ if ((*flags & PF_PAX_PAGEEXEC)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ && (*flags & PF_PAX_SEGMEXEC)
++#endif
++
++ )
++ {
++ *flags &= ~PF_PAX_PAGEEXEC;
++ retval = -EINVAL;
++ }
++
++ if ((*flags & PF_PAX_MPROTECT)
++
++#ifdef CONFIG_PAX_MPROTECT
++ && !(*flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC))
++#endif
++
++ )
++ {
++ *flags &= ~PF_PAX_MPROTECT;
++ retval = -EINVAL;
++ }
++
++ if ((*flags & PF_PAX_EMUTRAMP)
++
++#ifdef CONFIG_PAX_EMUTRAMP
++ && !(*flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC))
++#endif
++
++ )
++ {
++ *flags &= ~PF_PAX_EMUTRAMP;
++ retval = -EINVAL;
++ }
++
++ if ((*flags & PF_PAX_RANDEXEC)
++
++#ifdef CONFIG_PAX_RANDEXEC
++ && !(*flags & PF_PAX_MPROTECT)
++#endif
++
++ )
++ {
++ *flags &= ~PF_PAX_RANDEXEC;
++ retval = -EINVAL;
++ }
++
++ return retval;
++}
++
++EXPORT_SYMBOL(pax_check_flags);
++
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
++{
++ struct task_struct *tsk = current;
++ struct mm_struct *mm = current->mm;
++ char* buffer_exec = (char*)__get_free_page(GFP_ATOMIC);
++ char* buffer_fault = (char*)__get_free_page(GFP_ATOMIC);
++ char* path_exec=NULL;
++ char* path_fault=NULL;
++ unsigned long start=0UL, end=0UL, offset=0UL;
++
++ if (buffer_exec && buffer_fault) {
++ struct vm_area_struct* vma, * vma_exec=NULL, * vma_fault=NULL;
++
++ down_read(&mm->mmap_sem);
++ vma = mm->mmap;
++ while (vma && (!vma_exec || !vma_fault)) {
++ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
++ vma_exec = vma;
++ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
++ vma_fault = vma;
++ vma = vma->vm_next;
++ }
++ if (vma_exec) {
++ path_exec = d_path(vma_exec->vm_file->f_dentry, vma_exec->vm_file->f_vfsmnt, buffer_exec, PAGE_SIZE);
++ if (IS_ERR(path_exec))
++ path_exec = "<path too long>";
++ }
++ if (vma_fault) {
++ start = vma_fault->vm_start;
++ end = vma_fault->vm_end;
++ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
++ if (vma_fault->vm_file) {
++ path_fault = d_path(vma_fault->vm_file->f_dentry, vma_fault->vm_file->f_vfsmnt, buffer_fault, PAGE_SIZE);
++ if (IS_ERR(path_fault))
++ path_fault = "<path too long>";
++ } else
++ path_fault = "<anonymous mapping>";
++ }
++ up_read(&mm->mmap_sem);
++ }
++#ifdef CONFIG_GRKERNSEC
++ if (tsk->curr_ip)
++ printk(KERN_ERR "PAX: execution attempt from %u.%u.%u.%u in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->curr_ip), path_fault, start, end, offset);
++ else
++#endif
++ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
++ "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
++ tsk->uid, tsk->euid, pc, sp);
++ if (buffer_exec) free_page((unsigned long)buffer_exec);
++ if (buffer_fault) free_page((unsigned long)buffer_fault);
++ pax_report_insns(pc, sp);
++ do_coredump(SIGKILL, SIGKILL, regs);
++}
++#endif
++
+ static void zap_threads (struct mm_struct *mm)
+ {
+ struct task_struct *g, *p;
+@@ -1374,6 +1670,7 @@
+ current->signal->group_exit_code = exit_code;
+ coredump_wait(mm);
+
++ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
+ if (current->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
+ goto fail_unlock;
+
+@@ -1393,7 +1690,7 @@
+ goto close_fail;
+ if (!file->f_op->write)
+ goto close_fail;
+- if (do_truncate(file->f_dentry, 0) != 0)
++ if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0)
+ goto close_fail;
+
+ retval = binfmt->core_dump(signr, regs, file);
+diff -uNr linux-2.6.6/fs/fcntl.c linux-2.6.6.fixed/fs/fcntl.c
+--- linux-2.6.6/fs/fcntl.c 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/fs/fcntl.c 2004-05-11 10:55:56.000000000 +0200
+@@ -14,6 +14,7 @@
+ #include <linux/module.h>
+ #include <linux/security.h>
+ #include <linux/ptrace.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/poll.h>
+ #include <asm/siginfo.h>
+@@ -86,6 +87,9 @@
+ int error;
+
+ error = -EINVAL;
++
++ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
++
+ if (orig_start >= current->rlim[RLIMIT_NOFILE].rlim_cur)
+ goto out;
+
+@@ -105,6 +109,9 @@
+ }
+
+ error = -EMFILE;
++
++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
++
+ if (newfd >= current->rlim[RLIMIT_NOFILE].rlim_cur)
+ goto out;
+
+@@ -154,6 +161,8 @@
+ struct file * file, *tofree;
+ struct files_struct * files = current->files;
+
++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
++
+ spin_lock(&files->file_lock);
+ if (!(file = fcheck(oldfd)))
+ goto out_unlock;
+@@ -493,13 +502,15 @@
+ if (pid > 0) {
+ p = find_task_by_pid(pid);
+ if (p) {
+- send_sigio_to_task(p, fown, fd, band);
++ if (!gr_check_protected_task(p))
++ send_sigio_to_task(p, fown, fd, band);
+ }
+ } else {
+ struct list_head *l;
+ struct pid *pidptr;
+ for_each_task_pid(-pid, PIDTYPE_PGID, p, l, pidptr) {
+- send_sigio_to_task(p, fown, fd, band);
++ if (!gr_check_protected_task(p) && !gr_pid_is_chrooted(p))
++ send_sigio_to_task(p, fown, fd, band);
+ }
+ }
+ read_unlock(&tasklist_lock);
+diff -uNr linux-2.6.6/fs/Kconfig linux-2.6.6.fixed/fs/Kconfig
+--- linux-2.6.6/fs/Kconfig 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/fs/Kconfig 2004-05-11 10:55:56.000000000 +0200
+@@ -781,6 +781,7 @@
+
+ config PROC_KCORE
+ bool
++ depends on !GRKERNSEC_PROC_ADD
+ default y if !ARM
+
+ config SYSFS
+diff -uNr linux-2.6.6/fs/namei.c linux-2.6.6.fixed/fs/namei.c
+--- linux-2.6.6/fs/namei.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/fs/namei.c 2004-05-11 11:29:49.000000000 +0200
+@@ -27,6 +27,7 @@
+ #include <linux/security.h>
+ #include <linux/mount.h>
+ #include <linux/audit.h>
++#include <linux/grsecurity.h>
+ #include <asm/namei.h>
+ #include <asm/uaccess.h>
+
+@@ -413,6 +414,13 @@
+ err = security_inode_follow_link(dentry, nd);
+ if (err)
+ goto loop;
++
++ if (gr_handle_follow_link(dentry->d_parent->d_inode,
++ dentry->d_inode, dentry, nd->mnt)) {
++ err = -EACCES;
++ goto loop;
++ }
++
+ current->link_count++;
+ current->total_link_count++;
+ touch_atime(nd->mnt, dentry);
+@@ -764,6 +772,10 @@
+ break;
+ }
+ return_base:
++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
++ path_release(nd);
++ return -ENOENT;
++ }
+ return 0;
+ out_dput:
+ dput(next.dentry);
+@@ -1225,7 +1237,7 @@
+ if (!error) {
+ DQUOT_INIT(inode);
+
+- error = do_truncate(dentry, 0);
++ error = do_truncate(dentry, 0, nd->mnt);
+ }
+ put_write_access(inode);
+ if (error)
+@@ -1276,6 +1288,17 @@
+ error = path_lookup(pathname, lookup_flags(flag)|LOOKUP_OPEN, nd);
+ if (error)
+ return error;
++
++ if (gr_handle_rawio(nd->dentry->d_inode)) {
++ error = -EPERM;
++ goto exit;
++ }
++
++ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
++ error = -EACCES;
++ goto exit;
++ }
++
+ goto ok;
+ }
+
+@@ -1309,9 +1332,19 @@
+
+ /* Negative dentry, just create the file */
+ if (!dentry->d_inode) {
++ if (!gr_acl_handle_creat(dentry, nd->dentry, nd->mnt, flag, mode)) {
++ error = -EACCES;
++ up(&dir->d_inode->i_sem);
++ goto exit_dput;
++ }
++
+ if (!IS_POSIXACL(dir->d_inode))
+ mode &= ~current->fs->umask;
+ error = vfs_create(dir->d_inode, dentry, mode, nd);
++
++ if (!error)
++ gr_handle_create(dentry, nd->mnt);
++
+ up(&dir->d_inode->i_sem);
+ dput(nd->dentry);
+ nd->dentry = dentry;
+@@ -1326,6 +1359,25 @@
+ /*
+ * It already exists.
+ */
++
++ if (gr_handle_rawio(dentry->d_inode)) {
++ error = -EPERM;
++ up(&dir->d_inode->i_sem);
++ goto exit_dput;
++ }
++
++ if (!gr_acl_handle_open(dentry, nd->mnt, flag)) {
++ up(&dir->d_inode->i_sem);
++ error = -EACCES;
++ goto exit_dput;
++ }
++
++ if (gr_handle_fifo(dentry, nd->mnt, dir, flag, acc_mode)) {
++ up(&dir->d_inode->i_sem);
++ error = -EACCES;
++ goto exit_dput;
++ }
++
+ up(&dir->d_inode->i_sem);
+
+ error = -EEXIST;
+@@ -1379,6 +1431,13 @@
+ error = security_inode_follow_link(dentry, nd);
+ if (error)
+ goto exit_dput;
++
++ if (gr_handle_follow_link(dentry->d_parent->d_inode, dentry->d_inode,
++ dentry, nd->mnt)) {
++ error = -EACCES;
++ goto exit_dput;
++ }
++
+ touch_atime(nd->mnt, dentry);
+ error = dentry->d_inode->i_op->follow_link(dentry, nd);
+ dput(dentry);
+@@ -1486,6 +1545,22 @@
+ if (!IS_POSIXACL(nd.dentry->d_inode))
+ mode &= ~current->fs->umask;
+ if (!IS_ERR(dentry)) {
++ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
++ error = -EPERM;
++ dput(dentry);
++ up(&nd.dentry->d_inode->i_sem);
++ path_release(&nd);
++ goto out;
++ }
++
++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
++ error = -EACCES;
++ dput(dentry);
++ up(&nd.dentry->d_inode->i_sem);
++ path_release(&nd);
++ goto out;
++ }
++
+ switch (mode & S_IFMT) {
+ case 0: case S_IFREG:
+ error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
+@@ -1503,6 +1578,10 @@
+ default:
+ error = -EINVAL;
+ }
++
++ if (!error)
++ gr_handle_create(dentry, nd.mnt);
++
+ dput(dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+@@ -1554,9 +1633,19 @@
+ dentry = lookup_create(&nd, 1);
+ error = PTR_ERR(dentry);
+ if (!IS_ERR(dentry)) {
++ error = 0;
+ if (!IS_POSIXACL(nd.dentry->d_inode))
+ mode &= ~current->fs->umask;
+- error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
++
++ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
++ error = -EACCES;
++
++ if (!error)
++ error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
++
++ if (!error)
++ gr_handle_create(dentry, nd.mnt);
++
+ dput(dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+@@ -1640,6 +1729,8 @@
+ char * name;
+ struct dentry *dentry;
+ struct nameidata nd;
++ ino_t saved_ino = 0;
++ dev_t saved_dev = 0;
+
+ name = getname(pathname);
+ if(IS_ERR(name))
+@@ -1664,7 +1755,21 @@
+ dentry = lookup_hash(&nd.last, nd.dentry);
+ error = PTR_ERR(dentry);
+ if (!IS_ERR(dentry)) {
+- error = vfs_rmdir(nd.dentry->d_inode, dentry);
++ error = 0;
++ if (dentry->d_inode) {
++ if (dentry->d_inode->i_nlink <= 1) {
++ saved_ino = dentry->d_inode->i_ino;
++ saved_dev = dentry->d_inode->i_sb->s_dev;
++ }
++
++ if (!gr_acl_handle_rmdir(dentry, nd.mnt))
++ error = -EACCES;
++ }
++
++ if (!error)
++ error = vfs_rmdir(nd.dentry->d_inode, dentry);
++ if (!error && (saved_dev || saved_ino))
++ gr_handle_delete(saved_ino, saved_dev);
+ dput(dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+@@ -1718,6 +1823,8 @@
+ struct dentry *dentry;
+ struct nameidata nd;
+ struct inode *inode = NULL;
++ ino_t saved_ino = 0;
++ dev_t saved_dev = 0;
+
+ name = getname(pathname);
+ if(IS_ERR(name))
+@@ -1733,13 +1840,26 @@
+ dentry = lookup_hash(&nd.last, nd.dentry);
+ error = PTR_ERR(dentry);
+ if (!IS_ERR(dentry)) {
++ error = 0;
+ /* Why not before? Because we want correct error value */
+ if (nd.last.name[nd.last.len])
+ goto slashes;
+ inode = dentry->d_inode;
+- if (inode)
++ if (inode) {
++ if (inode->i_nlink <= 1) {
++ saved_ino = inode->i_ino;
++ saved_dev = inode->i_sb->s_dev;
++ }
++
++ if (!gr_acl_handle_unlink(dentry, nd.mnt))
++ error = -EACCES;
++
+ atomic_inc(&inode->i_count);
+- error = vfs_unlink(nd.dentry->d_inode, dentry);
++ }
++ if (!error)
++ error = vfs_unlink(nd.dentry->d_inode, dentry);
++ if (!error && (saved_ino || saved_dev))
++ gr_handle_delete(saved_ino, saved_dev);
+ exit2:
+ dput(dentry);
+ }
+@@ -1803,7 +1923,15 @@
+ dentry = lookup_create(&nd, 0);
+ error = PTR_ERR(dentry);
+ if (!IS_ERR(dentry)) {
+- error = vfs_symlink(nd.dentry->d_inode, dentry, from);
++ error = 0;
++ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from))
++ error = -EACCES;
++
++ if (!error)
++ error = vfs_symlink(nd.dentry->d_inode, dentry, from);
++
++ if (!error)
++ gr_handle_create(dentry, nd.mnt);
+ dput(dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+@@ -1887,7 +2015,20 @@
+ new_dentry = lookup_create(&nd, 0);
+ error = PTR_ERR(new_dentry);
+ if (!IS_ERR(new_dentry)) {
+- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++ error = 0;
++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
++ old_nd.dentry->d_inode,
++ old_nd.dentry->d_inode->i_mode, to))
++ error = -EPERM;
++ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
++ old_nd.dentry, old_nd.mnt, to))
++ error = -EACCES;
++ if (!error)
++ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
++
++ if (!error)
++ gr_handle_create(new_dentry, nd.mnt);
++
+ dput(new_dentry);
+ }
+ up(&nd.dentry->d_inode->i_sem);
+@@ -2109,8 +2250,16 @@
+ if (new_dentry == trap)
+ goto exit5;
+
+- error = vfs_rename(old_dir->d_inode, old_dentry,
++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
++ old_dentry, old_dir->d_inode, oldnd.mnt,
++ newname);
++
++ if (!error)
++ error = vfs_rename(old_dir->d_inode, old_dentry,
+ new_dir->d_inode, new_dentry);
++ if (!error)
++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
+ exit5:
+ dput(new_dentry);
+ exit4:
+diff -uNr linux-2.6.6/fs/namespace.c linux-2.6.6.fixed/fs/namespace.c
+--- linux-2.6.6/fs/namespace.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/fs/namespace.c 2004-05-11 10:55:56.000000000 +0200
+@@ -21,6 +21,8 @@
+ #include <linux/namei.h>
+ #include <linux/security.h>
+ #include <linux/mount.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+
+ extern int __init init_rootfs(void);
+@@ -342,6 +344,8 @@
+ lock_kernel();
+ retval = do_remount_sb(sb, MS_RDONLY, 0, 0);
+ unlock_kernel();
++
++ gr_log_remount(mnt->mnt_devname, retval);
+ }
+ up_write(&sb->s_umount);
+ return retval;
+@@ -370,6 +374,9 @@
+ if (retval)
+ security_sb_umount_busy(mnt);
+ up_write(¤t->namespace->sem);
++
++ gr_log_unmount(mnt->mnt_devname, retval);
++
+ return retval;
+ }
+
+@@ -788,6 +795,11 @@
+ if (retval)
+ goto dput_out;
+
++ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
++ retval = -EPERM;
++ goto dput_out;
++ }
++
+ if (flags & MS_REMOUNT)
+ retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
+ data_page);
+@@ -800,6 +812,9 @@
+ dev_name, data_page);
+ dput_out:
+ path_release(&nd);
++
++ gr_log_mount(dev_name, dir_name, retval);
++
+ return retval;
+ }
+
+@@ -1022,6 +1037,9 @@
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
++ if (gr_handle_chroot_pivot())
++ return -EPERM;
++
+ lock_kernel();
+
+ error = __user_walk(new_root, LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd);
+diff -uNr linux-2.6.6/fs/open.c linux-2.6.6.fixed/fs/open.c
+--- linux-2.6.6/fs/open.c 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/fs/open.c 2004-05-11 10:55:56.000000000 +0200
+@@ -22,6 +22,7 @@
+ #include <asm/uaccess.h>
+ #include <linux/fs.h>
+ #include <linux/pagemap.h>
++#include <linux/grsecurity.h>
+
+ int vfs_statfs(struct super_block *sb, struct kstatfs *buf)
+ {
+@@ -189,7 +190,7 @@
+ return error;
+ }
+
+-int do_truncate(struct dentry *dentry, loff_t length)
++int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt)
+ {
+ int err;
+ struct iattr newattrs;
+@@ -198,6 +199,9 @@
+ if (length < 0)
+ return -EINVAL;
+
++ if (!gr_acl_handle_truncate(dentry, mnt))
++ return -EACCES;
++
+ newattrs.ia_size = length;
+ newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
+ down(&dentry->d_inode->i_sem);
+@@ -258,7 +262,7 @@
+ error = locks_verify_truncate(inode, NULL, length);
+ if (!error) {
+ DQUOT_INIT(inode);
+- error = do_truncate(nd.dentry, length);
++ error = do_truncate(nd.dentry, length, nd.mnt);
+ }
+ put_write_access(inode);
+
+@@ -310,7 +314,7 @@
+
+ error = locks_verify_truncate(inode, file, length);
+ if (!error)
+- error = do_truncate(dentry, length);
++ error = do_truncate(dentry, length, file->f_vfsmnt);
+ out_putf:
+ fput(file);
+ out:
+@@ -389,6 +393,11 @@
+ (error = permission(inode,MAY_WRITE,&nd)) != 0)
+ goto dput_and_out;
+ }
++ if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
++ error = -EACCES;
++ goto dput_and_out;
++ }
++
+ down(&inode->i_sem);
+ error = notify_change(nd.dentry, &newattrs);
+ up(&inode->i_sem);
+@@ -442,6 +451,12 @@
+ (error = permission(inode,MAY_WRITE,&nd)) != 0)
+ goto dput_and_out;
+ }
++
++ if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
++ error = -EACCES;
++ goto dput_and_out;
++ }
++
+ down(&inode->i_sem);
+ error = notify_change(nd.dentry, &newattrs);
+ up(&inode->i_sem);
+@@ -503,6 +518,10 @@
+ if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
+ && !special_file(nd.dentry->d_inode->i_mode))
+ res = -EROFS;
++
++ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
++ res = -EACCES;
++
+ path_release(&nd);
+ }
+
+@@ -526,6 +545,8 @@
+ if (error)
+ goto dput_and_out;
+
++ gr_log_chdir(nd.dentry, nd.mnt);
++
+ set_fs_pwd(current->fs, nd.mnt, nd.dentry);
+
+ dput_and_out:
+@@ -556,6 +577,13 @@
+ goto out_putf;
+
+ error = permission(inode, MAY_EXEC, NULL);
++
++ if (!error && !gr_chroot_fchdir(dentry, mnt))
++ error = -EPERM;
++
++ if (!error)
++ gr_log_chdir(dentry, mnt);
++
+ if (!error)
+ set_fs_pwd(current->fs, mnt, dentry);
+ out_putf:
+@@ -581,8 +609,16 @@
+ if (!capable(CAP_SYS_CHROOT))
+ goto dput_and_out;
+
++ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
++ goto dput_and_out;
++
+ set_fs_root(current->fs, nd.mnt, nd.dentry);
+ set_fs_altroot();
++
++ gr_handle_chroot_caps(current);
++
++ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
++
+ error = 0;
+ dput_and_out:
+ path_release(&nd);
+@@ -611,9 +647,22 @@
+ err = -EPERM;
+ if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
+ goto out_putf;
++
++ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
++ err = -EACCES;
++ goto out_putf;
++ }
++
+ down(&inode->i_sem);
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
++
++ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
++ err = -EPERM;
++ up(&inode->i_sem);
++ goto out_putf;
++ }
++
+ newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ err = notify_change(dentry, &newattrs);
+@@ -645,9 +694,21 @@
+ if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
+ goto dput_and_out;
+
++ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
++ error = -EACCES;
++ goto dput_and_out;
++ }
++
+ down(&inode->i_sem);
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
++
++ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
++ error = -EACCES;
++ up(&inode->i_sem);
++ goto dput_and_out;
++ }
++
+ newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ error = notify_change(nd.dentry, &newattrs);
+@@ -659,7 +720,7 @@
+ return error;
+ }
+
+-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
++static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
+ {
+ struct inode * inode;
+ int error;
+@@ -676,6 +737,12 @@
+ error = -EPERM;
+ if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
+ goto out;
++
++ if (!gr_acl_handle_chown(dentry, mnt)) {
++ error = -EACCES;
++ goto out;
++ }
++
+ newattrs.ia_valid = ATTR_CTIME;
+ if (user != (uid_t) -1) {
+ newattrs.ia_valid |= ATTR_UID;
+@@ -701,7 +768,7 @@
+
+ error = user_path_walk(filename, &nd);
+ if (!error) {
+- error = chown_common(nd.dentry, user, group);
++ error = chown_common(nd.dentry, user, group, nd.mnt);
+ path_release(&nd);
+ }
+ return error;
+@@ -714,7 +781,7 @@
+
+ error = user_path_walk_link(filename, &nd);
+ if (!error) {
+- error = chown_common(nd.dentry, user, group);
++ error = chown_common(nd.dentry, user, group, nd.mnt);
+ path_release(&nd);
+ }
+ return error;
+@@ -728,7 +795,8 @@
+
+ file = fget(fd);
+ if (file) {
+- error = chown_common(file->f_dentry, user, group);
++ error = chown_common(file->f_dentry, user,
++ group, file->f_vfsmnt);
+ fput(file);
+ }
+ return error;
+@@ -850,6 +918,7 @@
+ * N.B. For clone tasks sharing a files structure, this test
+ * will limit the total number of files that can be opened.
+ */
++ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
+ if (fd >= current->rlim[RLIMIT_NOFILE].rlim_cur)
+ goto out;
+
+diff -uNr linux-2.6.6/fs/proc/array.c linux-2.6.6.fixed/fs/proc/array.c
+--- linux-2.6.6/fs/proc/array.c 2004-05-10 04:32:39.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/array.c 2004-05-11 10:55:56.000000000 +0200
+@@ -271,6 +271,19 @@
+ cap_t(p->cap_effective));
+ }
+
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++static inline char *task_pax(struct task_struct *p, char *buffer)
++{
++ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c%c\n",
++ p->flags & PF_PAX_PAGEEXEC ? 'P' : 'p',
++ p->flags & PF_PAX_EMUTRAMP ? 'E' : 'e',
++ p->flags & PF_PAX_MPROTECT ? 'M' : 'm',
++ p->flags & PF_PAX_RANDMMAP ? 'R' : 'r',
++ p->flags & PF_PAX_RANDEXEC ? 'X' : 'x',
++ p->flags & PF_PAX_SEGMEXEC ? 'S' : 's');
++}
++#endif
++
+ extern char *task_mem(struct mm_struct *, char *);
+ int proc_pid_status(struct task_struct *task, char * buffer)
+ {
+@@ -289,9 +302,20 @@
+ #if defined(CONFIG_ARCH_S390)
+ buffer = task_show_regs(task, buffer);
+ #endif
++
++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
++ buffer = task_pax(task, buffer);
++#endif
++
+ return buffer - orig;
+ }
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++#define PAX_RAND_FLAGS (task->flags & PF_PAX_RANDMMAP || \
++ task->flags & PF_PAX_SEGMEXEC || \
++ task->flags & PF_PAX_RANDEXEC)
++#endif
++
+ extern unsigned long task_vsize(struct mm_struct *);
+ int proc_pid_stat(struct task_struct *task, char * buffer)
+ {
+@@ -323,6 +347,19 @@
+
+ wchan = get_wchan(task);
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ if (PAX_RAND_FLAGS) {
++ eip = 0;
++ esp = 0;
++ wchan = 0;
++ }
++#endif
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++ wchan = 0;
++ eip =0;
++ esp =0;
++#endif
++
+ sigemptyset(&sigign);
+ sigemptyset(&sigcatch);
+ read_lock(&tasklist_lock);
+@@ -382,9 +419,15 @@
+ vsize,
+ mm ? mm->rss : 0, /* you might want to shift this left 3 */
+ task->rlim[RLIMIT_RSS].rlim_cur,
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ PAX_RAND_FLAGS ? 0 : (mm ? mm->start_code : 0),
++ PAX_RAND_FLAGS ? 0 : (mm ? mm->end_code : 0),
++ PAX_RAND_FLAGS ? 0 : (mm ? mm->start_stack : 0),
++#else
+ mm ? mm->start_code : 0,
+ mm ? mm->end_code : 0,
+ mm ? mm->start_stack : 0,
++#endif
+ esp,
+ eip,
+ /* The signal information here is obsolete.
+@@ -424,3 +467,14 @@
+ return sprintf(buffer,"%d %d %d %d %d %d %d\n",
+ size, resident, shared, text, lib, data, 0);
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++{
++ int len;
++
++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip));
++ return len;
++}
++#endif
++
+diff -uNr linux-2.6.6/fs/proc/base.c linux-2.6.6.fixed/fs/proc/base.c
+--- linux-2.6.6/fs/proc/base.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/base.c 2004-05-11 10:55:56.000000000 +0200
+@@ -32,6 +32,7 @@
+ #include <linux/mount.h>
+ #include <linux/security.h>
+ #include <linux/ptrace.h>
++#include <linux/grsecurity.h>
+
+ /*
+ * For hysterical raisins we keep the same inumbers as in the old procfs.
+@@ -67,6 +68,9 @@
+ PROC_TGID_ATTR_EXEC,
+ PROC_TGID_ATTR_FSCREATE,
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ PROC_TGID_IPADDR,
++#endif
+ PROC_TGID_FD_DIR,
+ PROC_TID_INO,
+ PROC_TID_STATUS,
+@@ -117,6 +121,9 @@
+ E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
+ E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
++#endif
+ #ifdef CONFIG_SECURITY
+ E(PROC_TGID_ATTR, "attr", S_IFDIR|S_IRUGO|S_IXUGO),
+ #endif
+@@ -181,6 +188,9 @@
+ int proc_pid_status(struct task_struct*,char*);
+ int proc_pid_statm(struct task_struct*,char*);
+ int proc_pid_cpu(struct task_struct*,char*);
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++int proc_pid_ipaddr(struct task_struct*,char*);
++#endif
+
+ static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
+ {
+@@ -277,7 +287,7 @@
+ (task == current || \
+ (task->parent == current && \
+ (task->ptrace & PT_PTRACED) && task->state == TASK_STOPPED && \
+- security_ptrace(current,task) == 0))
++ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
+
+ static int may_ptrace_attach(struct task_struct *task)
+ {
+@@ -292,13 +302,15 @@
+ (current->uid != task->uid) ||
+ (current->gid != task->egid) ||
+ (current->gid != task->sgid) ||
+- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
++ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
+ goto out;
+ rmb();
+- if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE))
++ if (!task->mm->dumpable && !capable_nolog(CAP_SYS_PTRACE))
+ goto out;
+ if (security_ptrace(current, task))
+ goto out;
++ if (gr_handle_proc_ptrace(task))
++ goto out;
+
+ retval = 1;
+ out:
+@@ -445,9 +457,22 @@
+
+ static int proc_permission(struct inode *inode, int mask, struct nameidata *nd)
+ {
++ int ret;
++ struct task_struct *task;
++
+ if (vfs_permission(inode, mask) != 0)
+ return -EACCES;
+- return proc_check_root(inode);
++ ret = proc_check_root(inode);
++
++ if (ret)
++ return ret;
++
++ task = proc_task(inode);
++
++ if (!task)
++ return 0;
++
++ return gr_acl_handle_procpidmem(task);
+ }
+
+ extern struct seq_operations proc_pid_maps_op;
+@@ -954,6 +979,9 @@
+ inode->i_uid = task->euid;
+ inode->i_gid = task->egid;
+ }
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#endif
+ security_task_to_inode(task, inode);
+
+ out:
+@@ -982,7 +1010,9 @@
+ if (pid_alive(task)) {
+ if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
+ inode->i_uid = task->euid;
++#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = task->egid;
++#endif
+ } else {
+ inode->i_uid = 0;
+ inode->i_gid = 0;
+@@ -1318,6 +1348,12 @@
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_pid_status;
+ break;
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ case PROC_TGID_IPADDR:
++ inode->i_fop = &proc_info_file_operations;
++ ei->op.proc_read = proc_pid_ipaddr;
++ break;
++#endif
+ case PROC_TID_STAT:
+ case PROC_TGID_STAT:
+ inode->i_fop = &proc_info_file_operations;
+@@ -1567,6 +1603,22 @@
+ if (!task)
+ goto out;
+
++ if (gr_check_hidden_task(task)) {
++ put_task_struct(task);
++ goto out;
++ }
++
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (current->uid && (task->uid != current->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ ) {
++ put_task_struct(task);
++ goto out;
++ }
++#endif
++
+ inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
+
+
+@@ -1574,7 +1626,15 @@
+ put_task_struct(task);
+ goto out;
+ }
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
++#endif
+ inode->i_op = &proc_tgid_base_inode_operations;
+ inode->i_fop = &proc_tgid_base_operations;
+ inode->i_nlink = 3;
+@@ -1658,6 +1718,9 @@
+ static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
+ {
+ struct task_struct *p;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ struct task_struct *tmp = current;
++#endif
+ int nr_tgids = 0;
+
+ index--;
+@@ -1678,6 +1741,18 @@
+ int tgid = p->pid;
+ if (!pid_alive(p))
+ continue;
++ if (gr_pid_is_chrooted(p))
++ continue;
++ if (gr_check_hidden_task(p))
++ continue;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ if (tmp->uid && (p->uid != tmp->uid)
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++#endif
++ )
++ continue;
++#endif
+ if (--index >= 0)
+ continue;
+ tgids[nr_tgids] = tgid;
+diff -uNr linux-2.6.6/fs/proc/inode.c linux-2.6.6.fixed/fs/proc/inode.c
+--- linux-2.6.6/fs/proc/inode.c 2004-05-10 04:33:19.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/inode.c 2004-05-11 10:55:56.000000000 +0200
+@@ -209,7 +209,11 @@
+ if (de->mode) {
+ inode->i_mode = de->mode;
+ inode->i_uid = de->uid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = de->gid;
++#endif
+ }
+ if (de->size)
+ inode->i_size = de->size;
+diff -uNr linux-2.6.6/fs/proc/proc_misc.c linux-2.6.6.fixed/fs/proc/proc_misc.c
+--- linux-2.6.6/fs/proc/proc_misc.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/proc_misc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -654,6 +654,8 @@
+ void __init proc_misc_init(void)
+ {
+ struct proc_dir_entry *entry;
++ int gr_mode = 0;
++
+ static struct {
+ char *name;
+ int (*read_proc)(char*,char**,off_t,int,int*,void*);
+@@ -668,9 +670,13 @@
+ #ifdef CONFIG_STRAM_PROC
+ {"stram", stram_read_proc},
+ #endif
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ {"devices", devices_read_proc},
++#endif
+ {"filesystems", filesystems_read_proc},
++#ifndef CONFIG_GRKERNSEC_PROC_ADD
+ {"cmdline", cmdline_read_proc},
++#endif
+ #ifdef CONFIG_SGI_DS1286
+ {"rtc", ds1286_read_proc},
+ #endif
+@@ -681,24 +687,39 @@
+ for (p = simple_ones; p->name; p++)
+ create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
+
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ gr_mode = S_IRUSR;
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ gr_mode = S_IRUSR | S_IRGRP;
++#endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL);
++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++#endif
++
+ proc_symlink("mounts", NULL, "self/mounts");
+
+ /* And now for trickier ones */
+ entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
+ if (entry)
+ entry->proc_fops = &proc_kmsg_operations;
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++ create_seq_entry("cpuinfo", gr_mode, &proc_cpuinfo_operations);
++ create_seq_entry("slabinfo",gr_mode,&proc_slabinfo_operations);
++#else
+ create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
++ create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
++#endif
+ create_seq_entry("partitions", 0, &proc_partitions_operations);
+ create_seq_entry("stat", 0, &proc_stat_operations);
+ create_seq_entry("interrupts", 0, &proc_interrupts_operations);
+- create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+ create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
+ create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
+ create_seq_entry("diskstats", 0, &proc_diskstats_operations);
+ #ifdef CONFIG_MODULES
+- create_seq_entry("modules", 0, &proc_modules_operations);
++ create_seq_entry("modules", gr_mode, &proc_modules_operations);
+ #endif
+-#ifdef CONFIG_PROC_KCORE
++#if defined(CONFIG_PROC_KCORE)
+ proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
+ if (proc_root_kcore) {
+ proc_root_kcore->proc_fops = &proc_kcore_operations;
+diff -uNr linux-2.6.6/fs/proc/root.c linux-2.6.6.fixed/fs/proc/root.c
+--- linux-2.6.6/fs/proc/root.c 2004-05-10 04:33:10.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/root.c 2004-05-11 10:55:56.000000000 +0200
+@@ -52,13 +52,26 @@
+ return;
+ }
+ proc_misc_init();
++
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, 0);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, 0);
++#else
+ proc_net = proc_mkdir("net", 0);
++#endif
+ #ifdef CONFIG_SYSVIPC
+ proc_mkdir("sysvipc", 0);
+ #endif
+ #ifdef CONFIG_SYSCTL
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_sys_root = proc_mkdir_mode("sys", S_IRUSR | S_IXUSR, 0);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_sys_root = proc_mkdir_mode("sys", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, 0);
++#else
+ proc_sys_root = proc_mkdir("sys", 0);
+ #endif
++#endif
+ #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
+ proc_mkdir("sys/fs", 0);
+ proc_mkdir("sys/fs/binfmt_misc", 0);
+@@ -74,7 +87,15 @@
+ #ifdef CONFIG_PROC_DEVICETREE
+ proc_device_tree_init();
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, 0);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, 0);
++#endif
++#else
+ proc_bus = proc_mkdir("bus", 0);
++#endif
+ }
+
+ static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd)
+diff -uNr linux-2.6.6/fs/proc/task_mmu.c linux-2.6.6.fixed/fs/proc/task_mmu.c
+--- linux-2.6.6/fs/proc/task_mmu.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/fs/proc/task_mmu.c 2004-05-11 10:55:56.000000000 +0200
+@@ -76,8 +76,17 @@
+ return size;
+ }
+
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++#define PAX_RAND_FLAGS (task->flags & PF_PAX_RANDMMAP || \
++ task->flags & PF_PAX_SEGMEXEC || \
++ task->flags & PF_PAX_RANDEXEC)
++#endif
++
+ static int show_map(struct seq_file *m, void *v)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ struct task_struct *task = m->private;
++#endif
+ struct vm_area_struct *map = v;
+ struct file *file = map->vm_file;
+ int flags = map->vm_flags;
+@@ -92,8 +101,14 @@
+ }
+
+ seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
++ PAX_RAND_FLAGS ? 0UL : map->vm_start,
++ PAX_RAND_FLAGS ? 0UL : map->vm_end,
++#else
+ map->vm_start,
+ map->vm_end,
++#endif
++
+ flags & VM_READ ? 'r' : '-',
+ flags & VM_WRITE ? 'w' : '-',
+ flags & VM_EXEC ? 'x' : '-',
+diff -uNr linux-2.6.6/fs/readdir.c linux-2.6.6.fixed/fs/readdir.c
+--- linux-2.6.6/fs/readdir.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/fs/readdir.c 2004-05-11 10:55:56.000000000 +0200
+@@ -14,6 +14,8 @@
+ #include <linux/fs.h>
+ #include <linux/dirent.h>
+ #include <linux/security.h>
++#include <linux/namei.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+
+@@ -64,6 +66,7 @@
+ struct readdir_callback {
+ struct old_linux_dirent __user * dirent;
+ int result;
++ struct nameidata nd;
+ };
+
+ static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
+@@ -74,6 +77,10 @@
+
+ if (buf->result)
+ return -EINVAL;
++
++ if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
++ return 0;
++
+ buf->result++;
+ dirent = buf->dirent;
+ if (!access_ok(VERIFY_WRITE, (unsigned long)dirent,
+@@ -106,6 +113,9 @@
+ buf.result = 0;
+ buf.dirent = dirent;
+
++ buf.nd.dentry = file->f_dentry;
++ buf.nd.mnt = file->f_vfsmnt;
++
+ error = vfs_readdir(file, fillonedir, &buf);
+ if (error >= 0)
+ error = buf.result;
+@@ -133,6 +143,7 @@
+ struct linux_dirent __user * previous;
+ int count;
+ int error;
++ struct nameidata nd;
+ };
+
+ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
+@@ -145,6 +156,10 @@
+ buf->error = -EINVAL; /* only used if we fail.. */
+ if (reclen > buf->count)
+ return -EINVAL;
++
++ if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
++ return 0;
++
+ dirent = buf->previous;
+ if (dirent) {
+ if (__put_user(offset, &dirent->d_off))
+@@ -192,6 +207,9 @@
+ buf.count = count;
+ buf.error = 0;
+
++ buf.nd.dentry = file->f_dentry;
++ buf.nd.mnt = file->f_vfsmnt;
++
+ error = vfs_readdir(file, filldir, &buf);
+ if (error < 0)
+ goto out_putf;
+@@ -217,6 +235,7 @@
+ struct linux_dirent64 __user * previous;
+ int count;
+ int error;
++ struct nameidata nd;
+ };
+
+ static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
+@@ -229,6 +248,10 @@
+ buf->error = -EINVAL; /* only used if we fail.. */
+ if (reclen > buf->count)
+ return -EINVAL;
++
++ if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
++ return 0;
++
+ dirent = buf->previous;
+ if (dirent) {
+ if (__put_user(offset, &dirent->d_off))
+@@ -278,6 +301,9 @@
+ buf.count = count;
+ buf.error = 0;
+
++ buf.nd.mnt = file->f_vfsmnt;
++ buf.nd.dentry = file->f_dentry;
++
+ error = vfs_readdir(file, filldir64, &buf);
+ if (error < 0)
+ goto out_putf;
+diff -uNr linux-2.6.6/grsecurity/gracl_alloc.c linux-2.6.6.fixed/grsecurity/gracl_alloc.c
+--- linux-2.6.6/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_alloc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,93 @@
++/* stack-based acl allocation tracking (c) Brad Spengler 2002,2003 */
++
++#include <linux/kernel.h>
++#include <linux/mm.h>
++#include <linux/slab.h>
++#include <linux/vmalloc.h>
++#include <linux/gracl.h>
++#include <linux/grsecurity.h>
++
++static unsigned long alloc_stack_next = 1;
++static unsigned long alloc_stack_size = 1;
++static void **alloc_stack;
++
++static __inline__ int
++alloc_pop(void)
++{
++ if (alloc_stack_next == 1)
++ return 0;
++
++ kfree(alloc_stack[alloc_stack_next - 2]);
++
++ alloc_stack_next--;
++
++ return 1;
++}
++
++static __inline__ void
++alloc_push(void *buf)
++{
++ if (alloc_stack_next >= alloc_stack_size)
++ BUG();
++
++ alloc_stack[alloc_stack_next - 1] = buf;
++
++ alloc_stack_next++;
++
++ return;
++}
++
++void *
++acl_alloc(unsigned long len)
++{
++ void *ret;
++
++ if (len > PAGE_SIZE)
++ BUG();
++
++ ret = kmalloc(len, GFP_KERNEL);
++
++ if (ret)
++ alloc_push(ret);
++
++ return ret;
++}
++
++void
++acl_free_all(void)
++{
++ if (gr_acl_is_enabled() || !alloc_stack)
++ return;
++
++ while (alloc_pop()) ;
++
++ if (alloc_stack) {
++ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
++ kfree(alloc_stack);
++ else
++ vfree(alloc_stack);
++ }
++
++ alloc_stack = NULL;
++ alloc_stack_size = 1;
++ alloc_stack_next = 1;
++
++ return;
++}
++
++int
++acl_alloc_stack_init(unsigned long size)
++{
++ if ((size * sizeof (void *)) <= PAGE_SIZE)
++ alloc_stack =
++ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
++ else
++ alloc_stack = (void **) vmalloc(size * sizeof (void *));
++
++ alloc_stack_size = size;
++
++ if (!alloc_stack)
++ return 0;
++ else
++ return 1;
++}
+diff -uNr linux-2.6.6/grsecurity/gracl.c linux-2.6.6.fixed/grsecurity/gracl.c
+--- linux-2.6.6/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,3340 @@
++/*
++ * grsecurity/gracl.c
++ * Copyright Brad Spengler 2001, 2002, 2003
++ *
++ */
++
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/namei.h>
++#include <linux/mount.h>
++#include <linux/tty.h>
++#include <linux/proc_fs.h>
++#include <linux/smp_lock.h>
++#include <linux/slab.h>
++#include <linux/vmalloc.h>
++#include <linux/types.h>
++#include <linux/capability.h>
++#include <linux/sysctl.h>
++#include <linux/ptrace.h>
++#include <linux/gracl.h>
++#include <linux/gralloc.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++#include <linux/percpu.h>
++
++#include <asm/uaccess.h>
++#include <asm/errno.h>
++#include <asm/mman.h>
++
++static struct acl_role_db acl_role_set;
++static struct acl_role_label *role_list_head;
++static struct name_db name_set;
++static struct name_db inodev_set;
++
++/* for keeping track of userspace pointers used for subjects, so we
++ can share references in the kernel as well
++*/
++static struct acl_subj_map_db subj_map_set;
++
++static struct acl_role_label *default_role;
++
++static u16 acl_sp_role_value;
++
++extern char *gr_shared_page[4];
++static DECLARE_MUTEX(gr_dev_sem);
++rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
++
++struct gr_arg *gr_usermode;
++
++static unsigned long gr_status = GR_STATUS_INIT;
++
++extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
++extern void gr_clear_learn_entries(void);
++
++#ifdef CONFIG_GRKERNSEC_RESLOG
++extern void gr_log_resource(const struct task_struct *task,
++ const int res, const unsigned long wanted, const int gt);
++#endif
++
++extern char * __d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
++ struct dentry *root, struct vfsmount *rootmnt,
++ char *buffer, int buflen);
++
++unsigned char *gr_system_salt;
++unsigned char *gr_system_sum;
++
++static struct sprole_pw **acl_special_roles = NULL;
++static __u16 num_sprole_pws = 0;
++
++static struct acl_role_label *kernel_role = NULL;
++
++/* The following are used to keep a place held in the hash table when we move
++ entries around. They can be replaced during insert. */
++
++static struct acl_subject_label *deleted_subject;
++static struct acl_object_label *deleted_object;
++static struct name_entry *deleted_inodev;
++
++/* for keeping track of the last and final allocated subjects, since
++ nested subject parsing is tricky
++*/
++static struct acl_subject_label *s_last = NULL;
++static struct acl_subject_label *s_final = NULL;
++
++static unsigned int gr_auth_attempts = 0;
++static unsigned long gr_auth_expires = 0UL;
++
++extern int gr_init_uidset(void);
++extern void gr_free_uidset(void);
++extern void gr_remove_uid(uid_t uid);
++extern int gr_find_uid(uid_t uid);
++
++__inline__ int
++gr_acl_is_enabled(void)
++{
++ return (gr_status & GR_READY);
++}
++
++__inline__ int
++gr_acl_tpe_check(void)
++{
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++ if (current->role->roletype & GR_ROLE_TPE)
++ return 1;
++ else
++ return 0;
++}
++
++int
++gr_handle_rawio(const struct inode *inode)
++{
++ if (inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO) &&
++ ((gr_status & GR_READY)
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ || (grsec_enable_chroot_caps && proc_is_chrooted(current))
++#endif
++ ))
++ return 1;
++ return 0;
++}
++
++
++static __inline__ int
++gr_streq(const char *a, const char *b, const __u16 lena, const __u16 lenb)
++{
++ int i;
++ unsigned long *l1;
++ unsigned long *l2;
++ unsigned char *c1;
++ unsigned char *c2;
++ int num_longs;
++
++ if (likely(lena != lenb))
++ return 0;
++
++ l1 = (unsigned long *)a;
++ l2 = (unsigned long *)b;
++
++ num_longs = lena / sizeof(unsigned long);
++
++ for (i = num_longs; i--; l1++, l2++) {
++ if (unlikely(*l1 != *l2))
++ return 0;
++ }
++
++ c1 = (unsigned char *) l1;
++ c2 = (unsigned char *) l2;
++
++ i = lena - (num_longs * sizeof(unsigned long));
++
++ for (; i--; c1++, c2++) {
++ if (unlikely(*c1 != *c2))
++ return 0;
++ }
++
++ return 1;
++}
++
++static __inline__ char *
++__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
++ char *buf, int buflen)
++{
++ char *res;
++ struct dentry *our_dentry;
++ struct vfsmount *our_mount;
++ struct vfsmount *rootmnt;
++ struct dentry *root;
++
++ our_dentry = (struct dentry *) dentry;
++ our_mount = (struct vfsmount *) vfsmnt;
++
++ read_lock(&child_reaper->fs->lock);
++ rootmnt = mntget(child_reaper->fs->rootmnt);
++ root = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++
++ res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen);
++ if (unlikely(IS_ERR(res)))
++ res = strcpy(buf, "<path too long>");
++ dput(root);
++ mntput(rootmnt);
++ return res;
++}
++
++char *
++gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
++ PAGE_SIZE);
++}
++
++static __inline__ char *
++d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
++ char *buf, int buflen)
++{
++ char *res;
++ struct dentry *our_dentry;
++ struct vfsmount *our_mount;
++ struct vfsmount *rootmnt;
++ struct dentry *root;
++
++ our_dentry = (struct dentry *) dentry;
++ our_mount = (struct vfsmount *) vfsmnt;
++
++ read_lock(&child_reaper->fs->lock);
++ rootmnt = mntget(child_reaper->fs->rootmnt);
++ root = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++
++ spin_lock(&dcache_lock);
++ res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen);
++ spin_unlock(&dcache_lock);
++ if (unlikely(IS_ERR(res)))
++ res = strcpy(buf, "<path too long>");
++ dput(root);
++ mntput(rootmnt);
++ return res;
++}
++
++char *
++gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
++ PAGE_SIZE);
++}
++
++char *
++gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
++ PAGE_SIZE);
++}
++
++char *
++gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
++ PAGE_SIZE);
++}
++
++char *
++gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
++ PAGE_SIZE);
++}
++
++__inline__ __u32
++to_gr_audit(const __u32 reqmode)
++{
++ __u32 retmode = 0;
++
++ retmode |= (reqmode & GR_READ) ? GR_AUDIT_READ : 0;
++ retmode |= (reqmode & GR_WRITE) ? GR_AUDIT_WRITE | GR_AUDIT_APPEND : 0;
++ retmode |= (reqmode & GR_APPEND) ? GR_AUDIT_APPEND : 0;
++ retmode |= (reqmode & GR_EXEC) ? GR_AUDIT_EXEC : 0;
++ retmode |= (reqmode & GR_INHERIT) ? GR_AUDIT_INHERIT : 0;
++ retmode |= (reqmode & GR_FIND) ? GR_AUDIT_FIND : 0;
++ retmode |= (reqmode & GR_SETID) ? GR_AUDIT_SETID : 0;
++ retmode |= (reqmode & GR_CREATE) ? GR_AUDIT_CREATE : 0;
++ retmode |= (reqmode & GR_DELETE) ? GR_AUDIT_DELETE : 0;
++
++ return retmode;
++}
++
++__inline__ struct acl_subject_label *
++lookup_subject_map(const struct acl_subject_label *userp)
++{
++ unsigned long index = shash(userp, subj_map_set.s_size);
++ struct subject_map *match;
++ __u8 i = 0;
++
++ match = subj_map_set.s_hash[index];
++
++ while (match && match->user != userp) {
++ index = (index + (1 << i)) % subj_map_set.s_size;
++ match = subj_map_set.s_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match)
++ return match->kernel;
++ else
++ return NULL;
++}
++
++static void
++insert_subj_map_entry(struct subject_map *subjmap)
++{
++ unsigned long index = shash(subjmap->user, subj_map_set.s_size);
++ struct subject_map **curr;
++ __u8 i = 0;
++
++ curr = &subj_map_set.s_hash[index];
++
++ while (*curr) {
++ index = (index + (1 << i)) % subj_map_set.s_size;
++ curr = &subj_map_set.s_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ *curr = subjmap;
++
++ return;
++}
++
++__inline__ struct acl_role_label *
++lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
++ const gid_t gid)
++{
++ unsigned long index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
++ struct acl_role_label *match;
++ struct role_allowed_ip *ipp;
++ __u8 i = 0;
++
++ match = acl_role_set.r_hash[index];
++
++ while (match
++ && (match->uidgid != uid || !(match->roletype & GR_ROLE_USER))) {
++ index = (index + (1 << i)) % acl_role_set.r_size;
++ match = acl_role_set.r_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match == NULL) {
++ try_group:
++ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
++ match = acl_role_set.r_hash[index];
++ i = 0;
++
++ while (match && (match->uidgid != gid
++ || !(match->roletype & GR_ROLE_GROUP))) {
++ index = (index + (1 << i)) % acl_role_set.r_size;
++ match = acl_role_set.r_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match == NULL)
++ match = default_role;
++ if (match->allowed_ips == NULL)
++ return match;
++ else {
++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
++ if (likely
++ ((task->curr_ip & ipp->netmask) ==
++ (ipp->addr & ipp->netmask)))
++ return match;
++ }
++ match = default_role;
++ }
++ } else if (match->allowed_ips == NULL) {
++ return match;
++ } else {
++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
++ if (likely
++ ((task->curr_ip & ipp->netmask) ==
++ (ipp->addr & ipp->netmask)))
++ return match;
++ }
++ goto try_group;
++ }
++
++ return match;
++}
++
++__inline__ struct acl_subject_label *
++lookup_acl_subj_label(const ino_t ino, const dev_t dev,
++ const struct acl_role_label *role)
++{
++ unsigned long subj_size = role->subj_hash_size;
++ struct acl_subject_label **s_hash = role->subj_hash;
++ unsigned long index = fhash(ino, dev, subj_size);
++ struct acl_subject_label *match;
++ __u8 i = 0;
++
++ match = s_hash[index];
++
++ while (match && (match->inode != ino || match->device != dev ||
++ (match->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % subj_size;
++ match = s_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match && (match != deleted_subject) && !(match->mode & GR_DELETED))
++ return match;
++ else
++ return NULL;
++}
++
++static __inline__ struct acl_object_label *
++lookup_acl_obj_label(const ino_t ino, const dev_t dev,
++ const struct acl_subject_label *subj)
++{
++ unsigned long obj_size = subj->obj_hash_size;
++ struct acl_object_label **o_hash = subj->obj_hash;
++ unsigned long index = fhash(ino, dev, obj_size);
++ struct acl_object_label *match;
++ __u8 i = 0;
++
++ match = o_hash[index];
++
++ while (match && (match->inode != ino || match->device != dev ||
++ (match->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % obj_size;
++ match = o_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match && (match != deleted_object) && !(match->mode & GR_DELETED))
++ return match;
++ else
++ return NULL;
++}
++
++static __inline__ struct acl_object_label *
++lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
++ const struct acl_subject_label *subj)
++{
++ unsigned long obj_size = subj->obj_hash_size;
++ struct acl_object_label **o_hash = subj->obj_hash;
++ unsigned long index = fhash(ino, dev, obj_size);
++ struct acl_object_label *match;
++ __u8 i = 0;
++
++ match = o_hash[index];
++
++ while (match && (match->inode != ino || match->device != dev ||
++ !(match->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % obj_size;
++ match = o_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match && (match != deleted_object) && (match->mode & GR_DELETED))
++ return match;
++
++ i = 0;
++ index = fhash(ino, dev, obj_size);
++ match = o_hash[index];
++
++ while (match && (match->inode != ino || match->device != dev ||
++ (match->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % obj_size;
++ match = o_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match && (match != deleted_object) && !(match->mode & GR_DELETED))
++ return match;
++ else
++ return NULL;
++}
++
++static __inline__ struct name_entry *
++lookup_name_entry(const char *name)
++{
++ __u16 len = strlen(name);
++ unsigned long index = nhash(name, len, name_set.n_size);
++ struct name_entry *match;
++ __u8 i = 0;
++
++ match = name_set.n_hash[index];
++
++ while (match && !gr_streq(match->name, name, match->len, len)) {
++ index = (index + (1 << i)) % name_set.n_size;
++ match = name_set.n_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ return match;
++}
++
++static __inline__ struct name_entry *
++lookup_inodev_entry(const ino_t ino, const dev_t dev)
++{
++ unsigned long index = fhash(ino, dev, inodev_set.n_size);
++ struct name_entry *match;
++ __u8 i = 0;
++
++ match = inodev_set.n_hash[index];
++
++ while (match && (match->inode != ino || match->device != dev)) {
++ index = (index + (1 << i)) % inodev_set.n_size;
++ match = inodev_set.n_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (match && (match != deleted_inodev))
++ return match;
++ else
++ return NULL;
++}
++
++static void
++insert_inodev_entry(struct name_entry *nentry)
++{
++ unsigned long index = fhash(nentry->inode, nentry->device,
++ inodev_set.n_size);
++ struct name_entry **curr;
++ __u8 i = 0;
++
++ curr = &inodev_set.n_hash[index];
++
++ while (*curr && *curr != deleted_inodev) {
++ index = (index + (1 << i)) % inodev_set.n_size;
++ curr = &inodev_set.n_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ *curr = nentry;
++
++ return;
++}
++
++static void
++insert_acl_role_label(struct acl_role_label *role)
++{
++ unsigned long index =
++ rhash(role->uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
++ struct acl_role_label **curr;
++ __u8 i = 0;
++
++ curr = &acl_role_set.r_hash[index];
++
++ while (*curr) {
++ index = (index + (1 << i)) % acl_role_set.r_size;
++ curr = &acl_role_set.r_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ *curr = role;
++
++ return;
++}
++
++static int
++insert_name_entry(char *name, const ino_t inode, const dev_t device)
++{
++ struct name_entry **curr;
++ __u8 i = 0;
++ __u16 len = strlen(name);
++ unsigned long index = nhash(name, len, name_set.n_size);
++
++ curr = &name_set.n_hash[index];
++
++ while (*curr && !gr_streq((*curr)->name, name, (*curr)->len, len)) {
++ index = (index + (1 << i)) % name_set.n_size;
++ curr = &name_set.n_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (!(*curr)) {
++ struct name_entry *nentry =
++ acl_alloc(sizeof (struct name_entry));
++ if (!nentry)
++ return 0;
++ nentry->name = name;
++ nentry->inode = inode;
++ nentry->device = device;
++ nentry->len = len;
++ *curr = nentry;
++ /* insert us into the table searchable by inode/dev */
++ insert_inodev_entry(nentry);
++ }
++
++ return 1;
++}
++
++static void
++insert_acl_obj_label(struct acl_object_label *obj,
++ struct acl_subject_label *subj)
++{
++ unsigned long index =
++ fhash(obj->inode, obj->device, subj->obj_hash_size);
++ struct acl_object_label **curr;
++ __u8 i = 0;
++
++ curr = &subj->obj_hash[index];
++
++ while (*curr && *curr != deleted_object) {
++ index = (index + (1 << i)) % subj->obj_hash_size;
++ curr = &subj->obj_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ *curr = obj;
++
++ return;
++}
++
++static void
++insert_acl_subj_label(struct acl_subject_label *obj,
++ struct acl_role_label *role)
++{
++ unsigned long subj_size = role->subj_hash_size;
++ struct acl_subject_label **s_hash = role->subj_hash;
++ unsigned long index = fhash(obj->inode, obj->device, subj_size);
++ struct acl_subject_label **curr;
++ __u8 i = 0;
++
++ curr = &s_hash[index];
++
++ while (*curr && *curr != deleted_subject) {
++ index = (index + (1 << i)) % subj_size;
++ curr = &s_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ *curr = obj;
++
++ return;
++}
++
++static void **
++create_table(__u32 * len)
++{
++ unsigned long table_sizes[] = {
++ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
++ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
++ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
++ 268435399, 536870909, 1073741789, 2147483647
++ };
++ void *newtable = NULL;
++ unsigned int pwr = 0;
++
++ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
++ table_sizes[pwr] <= (2 * (*len)))
++ pwr++;
++
++ if (table_sizes[pwr] <= (2 * (*len)))
++ return newtable;
++
++ if ((table_sizes[pwr] * sizeof (void *)) <= PAGE_SIZE)
++ newtable =
++ kmalloc(table_sizes[pwr] * sizeof (void *), GFP_KERNEL);
++ else
++ newtable = vmalloc(table_sizes[pwr] * sizeof (void *));
++
++ *len = table_sizes[pwr];
++
++ return newtable;
++}
++
++static int
++init_variables(const unsigned long acl_obj_size,
++ const unsigned long acl_glob_size,
++ const unsigned long acl_subj_size,
++ const unsigned long acl_ip_size,
++ const unsigned long acl_role_size,
++ const unsigned long allowed_ip_size,
++ const unsigned long acl_trans_size,
++ const __u16 num_sprole_pws)
++{
++ unsigned long stacksize;
++
++ subj_map_set.s_size = acl_subj_size;
++ acl_role_set.r_size = acl_role_size;
++ name_set.n_size = (acl_obj_size + acl_subj_size);
++ inodev_set.n_size = (acl_obj_size + acl_subj_size);
++
++ if (!gr_init_uidset())
++ return 1;
++
++ /* set up the stack that holds allocation info */
++
++ stacksize = (3 * acl_obj_size) + (3 * acl_role_size) +
++ (6 * acl_subj_size) + acl_ip_size + (2 * acl_trans_size) +
++ allowed_ip_size + (2 * num_sprole_pws) + (2 * acl_glob_size) + 5;
++
++ if (!acl_alloc_stack_init(stacksize))
++ return 1;
++
++ /* create our empty, fake deleted acls */
++ deleted_subject =
++ (struct acl_subject_label *)
++ acl_alloc(sizeof (struct acl_subject_label));
++ deleted_object =
++ (struct acl_object_label *)
++ acl_alloc(sizeof (struct acl_object_label));
++ deleted_inodev =
++ (struct name_entry *) acl_alloc(sizeof (struct name_entry));
++
++ if (!deleted_subject || !deleted_object || !deleted_inodev)
++ return 1;
++
++ memset(deleted_subject, 0, sizeof (struct acl_subject_label));
++ memset(deleted_object, 0, sizeof (struct acl_object_label));
++ memset(deleted_inodev, 0, sizeof (struct name_entry));
++
++ /* We only want 50% full tables for now */
++
++ subj_map_set.s_hash =
++ (struct subject_map **) create_table(&subj_map_set.s_size);
++ acl_role_set.r_hash =
++ (struct acl_role_label **) create_table(&acl_role_set.r_size);
++ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size);
++ inodev_set.n_hash =
++ (struct name_entry **) create_table(&inodev_set.n_size);
++
++ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
++ !name_set.n_hash || !inodev_set.n_hash)
++ return 1;
++
++ memset(subj_map_set.s_hash, 0,
++ sizeof(struct subject_map *) * subj_map_set.s_size);
++ memset(acl_role_set.r_hash, 0,
++ sizeof (struct acl_role_label *) * acl_role_set.r_size);
++ memset(name_set.n_hash, 0,
++ sizeof (struct name_entry *) * name_set.n_size);
++ memset(inodev_set.n_hash, 0,
++ sizeof (struct name_entry *) * inodev_set.n_size);
++
++ return 0;
++}
++
++/* free information not needed after startup
++ currently contains user->kernel pointer mappings for subjects
++*/
++
++static void
++free_init_variables(void)
++{
++ __u32 i;
++
++ if (subj_map_set.s_hash) {
++ for (i = 0; i < subj_map_set.s_size; i++) {
++ if (subj_map_set.s_hash[i]) {
++ kfree(subj_map_set.s_hash[i]);
++ subj_map_set.s_hash[i] = NULL;
++ }
++ }
++
++ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
++ PAGE_SIZE)
++ kfree(subj_map_set.s_hash);
++ else
++ vfree(subj_map_set.s_hash);
++ }
++
++ return;
++}
++
++static void
++free_variables(void)
++{
++ struct acl_subject_label *s;
++ struct acl_role_label *r;
++ struct task_struct *task, *task2;
++
++ gr_clear_learn_entries();
++
++ read_lock(&tasklist_lock);
++ for_each_process(task) {
++ task2 = task;
++ do {
++ task2->acl_sp_role = 0;
++ task2->acl_role_id = 0;
++ task2->acl = NULL;
++ task2->role = NULL;
++ } while ((task2 = next_thread(task2)) != task);
++ }
++ read_unlock(&tasklist_lock);
++
++ /* free all object hash tables */
++
++ if (role_list_head) {
++ for (r = role_list_head; r; r = r->next) {
++ if (!r->subj_hash)
++ break;
++ for (s = r->hash->first; s; s = s->next) {
++ if (!s->obj_hash)
++ break;
++ if ((s->obj_hash_size *
++ sizeof (struct acl_object_label *)) <=
++ PAGE_SIZE)
++ kfree(s->obj_hash);
++ else
++ vfree(s->obj_hash);
++ }
++ if ((r->subj_hash_size *
++ sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
++ kfree(r->subj_hash);
++ else
++ vfree(r->subj_hash);
++ }
++ }
++
++ acl_free_all();
++
++ if (acl_role_set.r_hash) {
++ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
++ PAGE_SIZE)
++ kfree(acl_role_set.r_hash);
++ else
++ vfree(acl_role_set.r_hash);
++ }
++ if (name_set.n_hash) {
++ if ((name_set.n_size * sizeof (struct name_entry *)) <=
++ PAGE_SIZE)
++ kfree(name_set.n_hash);
++ else
++ vfree(name_set.n_hash);
++ }
++
++ if (inodev_set.n_hash) {
++ if ((inodev_set.n_size * sizeof (struct name_entry *)) <=
++ PAGE_SIZE)
++ kfree(inodev_set.n_hash);
++ else
++ vfree(inodev_set.n_hash);
++ }
++
++ gr_free_uidset();
++
++ memset(&name_set, 0, sizeof (struct name_db));
++ memset(&inodev_set, 0, sizeof (struct name_db));
++ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
++ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
++
++ role_list_head = NULL;
++ default_role = NULL;
++
++ return;
++}
++
++static __u32
++count_user_objs(struct acl_object_label *userp)
++{
++ struct acl_object_label o_tmp;
++ __u32 num = 0;
++
++ while (userp) {
++ if (copy_from_user(&o_tmp, userp,
++ sizeof (struct acl_object_label)))
++ break;
++
++ userp = o_tmp.prev;
++ num++;
++ }
++
++ return num;
++}
++
++static struct acl_subject_label *
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++
++static int
++copy_user_glob(struct acl_object_label *obj)
++{
++ struct acl_object_label *g_tmp, **guser, *glast = NULL;
++ unsigned int len;
++ char *tmp;
++
++ if (obj->globbed == NULL)
++ return 0;
++
++ guser = &obj->globbed;
++ while (*guser) {
++ g_tmp = (struct acl_object_label *)
++ acl_alloc(sizeof (struct acl_object_label));
++ if (g_tmp == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(g_tmp, *guser,
++ sizeof (struct acl_object_label)))
++ return -EFAULT;
++
++ len = strnlen_user(g_tmp->filename, PATH_MAX);
++
++ if (!len || len >= PATH_MAX)
++ return -EINVAL;
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(tmp, g_tmp->filename, len))
++ return -EFAULT;
++
++ g_tmp->filename = tmp;
++
++ if (glast)
++ glast->next = g_tmp;
++ g_tmp->prev = glast;
++ *guser = g_tmp;
++ glast = g_tmp;
++ guser = &((*guser)->next);
++ }
++
++ return 0;
++}
++
++static int
++copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
++ struct acl_role_label *role)
++{
++ struct acl_object_label *o_tmp;
++ unsigned int len;
++ int ret;
++ char *tmp;
++
++ while (userp) {
++ if ((o_tmp = (struct acl_object_label *)
++ acl_alloc(sizeof (struct acl_object_label))) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(o_tmp, userp,
++ sizeof (struct acl_object_label)))
++ return -EFAULT;
++
++ userp = o_tmp->prev;
++
++ len = strnlen_user(o_tmp->filename, PATH_MAX);
++
++ if (!len || len >= PATH_MAX)
++ return -EINVAL;
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(tmp, o_tmp->filename, len))
++ return -EFAULT;
++
++ o_tmp->filename = tmp;
++
++ insert_acl_obj_label(o_tmp, subj);
++ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
++ o_tmp->device))
++ return -ENOMEM;
++
++ ret = copy_user_glob(o_tmp);
++ if (ret)
++ return ret;
++
++ if (o_tmp->nested) {
++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++ if (IS_ERR(o_tmp->nested))
++ return PTR_ERR(o_tmp->nested);
++
++ s_final = o_tmp->nested;
++ }
++ }
++
++ return 0;
++}
++
++static __u32
++count_user_subjs(struct acl_subject_label *userp)
++{
++ struct acl_subject_label s_tmp;
++ __u32 num = 0;
++
++ while (userp) {
++ if (copy_from_user(&s_tmp, userp,
++ sizeof (struct acl_subject_label)))
++ break;
++
++ userp = s_tmp.prev;
++ /* do not count nested subjects against this count, since
++ they are not included in the hash table, but are
++ attached to objects. We have already counted
++ the subjects in userspace for the allocation
++ stack
++ */
++ if (!(s_tmp.mode & GR_NESTED))
++ num++;
++ }
++
++ return num;
++}
++
++static int
++copy_user_allowedips(struct acl_role_label *rolep)
++{
++ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
++
++ ruserip = rolep->allowed_ips;
++
++ while (ruserip) {
++ rlast = rtmp;
++
++ if ((rtmp = (struct role_allowed_ip *)
++ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(rtmp, ruserip,
++ sizeof (struct role_allowed_ip)))
++ return -EFAULT;
++
++ ruserip = rtmp->prev;
++
++ if (!rlast) {
++ rtmp->prev = NULL;
++ rolep->allowed_ips = rtmp;
++ } else {
++ rlast->next = rtmp;
++ rtmp->prev = rlast;
++ }
++
++ if (!ruserip)
++ rtmp->next = NULL;
++ }
++
++ return 0;
++}
++
++static int
++copy_user_transitions(struct acl_role_label *rolep)
++{
++ struct role_transition *rusertp, *rtmp = NULL, *rlast;
++ unsigned int len;
++ char *tmp;
++
++ rusertp = rolep->transitions;
++
++ while (rusertp) {
++ rlast = rtmp;
++
++ if ((rtmp = (struct role_transition *)
++ acl_alloc(sizeof (struct role_transition))) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(rtmp, rusertp,
++ sizeof (struct role_transition)))
++ return -EFAULT;
++
++ rusertp = rtmp->prev;
++
++ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
++
++ if (!len || len >= GR_SPROLE_LEN)
++ return -EINVAL;
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(tmp, rtmp->rolename, len))
++ return -EFAULT;
++
++ rtmp->rolename = tmp;
++
++ if (!rlast) {
++ rtmp->prev = NULL;
++ rolep->transitions = rtmp;
++ } else {
++ rlast->next = rtmp;
++ rtmp->prev = rlast;
++ }
++
++ if (!rusertp)
++ rtmp->next = NULL;
++ }
++
++ return 0;
++}
++
++static struct acl_subject_label *
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++{
++ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
++ unsigned int len;
++ char *tmp;
++ __u32 num_objs;
++ struct acl_ip_label **i_tmp, *i_utmp2;
++ struct gr_hash_struct ghash;
++ struct subject_map *subjmap;
++ unsigned long i_num;
++ int err;
++
++ s_tmp = lookup_subject_map(userp);
++
++ /* we've already copied this subject into the kernel, just return
++ the reference to it, and don't copy it over again
++ */
++ if (s_tmp)
++ return(s_tmp);
++
++
++ if ((s_tmp = (struct acl_subject_label *)
++ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
++ return ERR_PTR(-ENOMEM);
++
++ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
++ if (subjmap == NULL)
++ return ERR_PTR(-ENOMEM);
++
++ subjmap->user = userp;
++ subjmap->kernel = s_tmp;
++ insert_subj_map_entry(subjmap);
++
++ if (copy_from_user(s_tmp, userp,
++ sizeof (struct acl_subject_label)))
++ return ERR_PTR(-EFAULT);
++
++ if (!s_last) {
++ s_tmp->prev = NULL;
++ role->hash->first = s_tmp;
++ } else {
++ s_last->next = s_tmp;
++ s_tmp->prev = s_last;
++ }
++
++ s_last = s_tmp;
++
++ len = strnlen_user(s_tmp->filename, PATH_MAX);
++
++ if (!len || len >= PATH_MAX)
++ return ERR_PTR(-EINVAL);
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL)
++ return ERR_PTR(-ENOMEM);
++
++ if (copy_from_user(tmp, s_tmp->filename, len))
++ return ERR_PTR(-EFAULT);
++
++ s_tmp->filename = tmp;
++
++ if (!strcmp(s_tmp->filename, "/"))
++ role->root_label = s_tmp;
++
++ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
++ return ERR_PTR(-EFAULT);
++
++ /* copy user and group transition tables */
++
++ if (s_tmp->user_trans_num) {
++ uid_t *uidlist;
++
++ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
++ if (uidlist == NULL)
++ return ERR_PTR(-ENOMEM);
++ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
++ return ERR_PTR(-EFAULT);
++
++ s_tmp->user_transitions = uidlist;
++ }
++
++ if (s_tmp->group_trans_num) {
++ gid_t *gidlist;
++
++ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
++ if (gidlist == NULL)
++ return ERR_PTR(-ENOMEM);
++ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
++ return ERR_PTR(-EFAULT);
++
++ s_tmp->group_transitions = gidlist;
++ }
++
++ /* set up object hash table */
++ num_objs = count_user_objs(ghash.first);
++
++ s_tmp->obj_hash_size = num_objs;
++ s_tmp->obj_hash =
++ (struct acl_object_label **)
++ create_table(&(s_tmp->obj_hash_size));
++
++ if (!s_tmp->obj_hash)
++ return ERR_PTR(-ENOMEM);
++
++ memset(s_tmp->obj_hash, 0,
++ s_tmp->obj_hash_size *
++ sizeof (struct acl_object_label *));
++
++ /* copy before adding in objects, since a nested
++ acl could be found and be the final subject
++ copied
++ */
++
++ s_final = s_tmp;
++
++ /* add in objects */
++ err = copy_user_objs(ghash.first, s_tmp, role);
++
++ if (err)
++ return ERR_PTR(err);
++
++ /* set pointer for parent subject */
++ if (s_tmp->parent_subject) {
++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++
++ if (IS_ERR(s_tmp2))
++ return s_tmp2;
++
++ s_tmp->parent_subject = s_tmp2;
++ }
++
++ /* add in ip acls */
++
++ if (!s_tmp->ip_num) {
++ s_tmp->ips = NULL;
++ goto insert;
++ }
++
++ i_tmp =
++ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
++ sizeof (struct
++ acl_ip_label *));
++
++ if (!i_tmp)
++ return ERR_PTR(-ENOMEM);
++
++ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
++ *(i_tmp + i_num) =
++ (struct acl_ip_label *)
++ acl_alloc(sizeof (struct acl_ip_label));
++ if (!*(i_tmp + i_num))
++ return ERR_PTR(-ENOMEM);
++
++ if (copy_from_user
++ (&i_utmp2, s_tmp->ips + i_num,
++ sizeof (struct acl_ip_label *)))
++ return ERR_PTR(-EFAULT);
++
++ if (copy_from_user
++ (*(i_tmp + i_num), i_utmp2,
++ sizeof (struct acl_ip_label)))
++ return ERR_PTR(-EFAULT);
++ }
++
++ s_tmp->ips = i_tmp;
++
++insert:
++ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
++ s_tmp->device))
++ return ERR_PTR(-ENOMEM);
++
++ return s_tmp;
++}
++
++static int
++copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
++{
++ struct acl_subject_label s_pre;
++ struct acl_subject_label * ret;
++ int err;
++
++ while (userp) {
++ if (copy_from_user(&s_pre, userp,
++ sizeof (struct acl_subject_label)))
++ return -EFAULT;
++
++ /* do not add nested subjects here, add
++ while parsing objects
++ */
++
++ if (s_pre.mode & GR_NESTED) {
++ userp = s_pre.prev;
++ continue;
++ }
++
++ ret = do_copy_user_subj(userp, role);
++
++ err = PTR_ERR(ret);
++ if (IS_ERR(ret))
++ return err;
++
++ insert_acl_subj_label(ret, role);
++
++ userp = s_pre.prev;
++ }
++
++ s_final->next = NULL;
++
++ return 0;
++}
++
++static int
++copy_user_acl(struct gr_arg *arg)
++{
++ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2, *r_last;
++ struct sprole_pw *sptmp;
++ struct gr_hash_struct *ghash;
++ unsigned long r_num;
++ unsigned int len;
++ char *tmp;
++ int err = 0;
++ __u16 i;
++ __u32 num_subjs;
++
++ /* we need a default and kernel role */
++ if (arg->role_db.r_entries < 2)
++ return -EINVAL;
++
++ /* copy special role authentication info from userspace */
++
++ num_sprole_pws = arg->num_sprole_pws;
++ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
++
++ if (!acl_special_roles) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++
++ for (i = 0; i < num_sprole_pws; i++) {
++ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
++ if (!sptmp) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++ if (copy_from_user(sptmp, arg->sprole_pws + i,
++ sizeof (struct sprole_pw))) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++
++ len =
++ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
++
++ if (!len || len >= GR_SPROLE_LEN) {
++ err = -EINVAL;
++ goto cleanup;
++ }
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++
++ if (copy_from_user(tmp, sptmp->rolename, len)) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++
++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
++ printk(KERN_ALERT "Copying special role %s\n", tmp);
++#endif
++ sptmp->rolename = tmp;
++ acl_special_roles[i] = sptmp;
++ }
++
++ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
++
++ for (r_num = 0; r_num < arg->role_db.r_entries; r_num++) {
++ r_last = r_tmp;
++
++ r_tmp = acl_alloc(sizeof (struct acl_role_label));
++
++ if (!r_tmp) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++
++ if (copy_from_user(&r_utmp2, r_utmp + r_num,
++ sizeof (struct acl_role_label *))) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++
++ if (copy_from_user(r_tmp, r_utmp2,
++ sizeof (struct acl_role_label))) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++
++ if (!r_last) {
++ r_tmp->prev = NULL;
++ role_list_head = r_tmp;
++ } else {
++ r_last->next = r_tmp;
++ r_tmp->prev = r_last;
++ }
++
++ if (r_num == (arg->role_db.r_entries - 1))
++ r_tmp->next = NULL;
++
++ len = strnlen_user(r_tmp->rolename, PATH_MAX);
++
++ if (!len || len >= PATH_MAX) {
++ err = -EINVAL;
++ goto cleanup;
++ }
++
++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++ if (copy_from_user(tmp, r_tmp->rolename, len)) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++ r_tmp->rolename = tmp;
++
++ if (!strcmp(r_tmp->rolename, "default")
++ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
++ default_role = r_tmp;
++ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
++ kernel_role = r_tmp;
++ }
++
++ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
++ err = -EFAULT;
++ goto cleanup;
++ }
++
++ r_tmp->hash = ghash;
++
++ num_subjs = count_user_subjs(r_tmp->hash->first);
++
++ r_tmp->subj_hash_size = num_subjs;
++ r_tmp->subj_hash =
++ (struct acl_subject_label **)
++ create_table(&(r_tmp->subj_hash_size));
++
++ if (!r_tmp->subj_hash) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++
++ err = copy_user_allowedips(r_tmp);
++ if (err)
++ goto cleanup;
++
++ err = copy_user_transitions(r_tmp);
++ if (err)
++ goto cleanup;
++
++ memset(r_tmp->subj_hash, 0,
++ r_tmp->subj_hash_size *
++ sizeof (struct acl_subject_label *));
++
++ s_last = NULL;
++
++ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
++
++ if (err)
++ goto cleanup;
++
++ insert_acl_role_label(r_tmp);
++ }
++
++ goto return_err;
++ cleanup:
++ free_variables();
++ return_err:
++ return err;
++
++}
++
++static int
++gracl_init(struct gr_arg *args)
++{
++ int error = 0;
++
++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
++
++ if (init_variables(args->role_db.o_entries, args->role_db.g_entries,
++ args->role_db.s_entries, args->role_db.i_entries,
++ args->role_db.r_entries, args->role_db.a_entries,
++ args->role_db.t_entries, args->num_sprole_pws)) {
++ security_alert_good(GR_INITF_ACL_MSG, GR_VERSION);
++ error = -ENOMEM;
++ free_variables();
++ goto out;
++ }
++
++ error = copy_user_acl(args);
++ free_init_variables();
++ if (error) {
++ free_variables();
++ goto out;
++ }
++
++ if ((error = gr_set_acls(0))) {
++ free_variables();
++ goto out;
++ }
++
++ gr_status |= GR_READY;
++ out:
++ return error;
++}
++
++static int
++glob_match(char *pattern, char *string)
++{
++ char *p1, *p2;
++
++ p1 = pattern;
++ p2 = string;
++
++ while (*p1 != '\0' && *p2 != '\0' && *p1 != '*') {
++ if (*p1 == *p2 || *p1 == '?') {
++ p1++;
++ p2++;
++ } else
++ break;
++ }
++ if (*p1 == '*') {
++ p1++;
++ while (*p2 != '\0') {
++ if (!glob_match(p1, p2))
++ return 0;
++ else
++ p2++;
++ }
++ }
++
++ if (*p2 == '\0' && *p1 == '*')
++ while (*p1 == '*')
++ p1++;
++
++ if (*p1 == '\0' && *p2 == '\0')
++ return 0;
++ else
++ return 1;
++}
++
++static struct acl_object_label *
++chk_glob_label(struct acl_object_label *globbed,
++ struct dentry *dentry, struct vfsmount *mnt, char **path)
++{
++ struct acl_object_label *tmp;
++
++ if (*path == NULL)
++ *path = gr_to_filename_nolock(dentry, mnt);
++
++ tmp = globbed;
++
++ while (tmp) {
++ if (!glob_match(tmp->filename, *path))
++ return tmp;
++ tmp = tmp->next;
++ }
++
++ return NULL;
++}
++
++static __inline__ struct acl_object_label *
++full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
++ struct dentry *curr_dentry,
++ const struct acl_subject_label *subj, char **path)
++{
++ struct acl_subject_label *tmpsubj;
++ struct acl_object_label *retval;
++ struct acl_object_label *retval2;
++
++ tmpsubj = (struct acl_subject_label *) subj;
++ read_lock(&gr_inode_lock);
++ do {
++ retval = lookup_acl_obj_label(curr_dentry->d_inode->i_ino,
++ curr_dentry->d_inode->i_sb->s_dev, tmpsubj);
++ if (retval) {
++ if (retval->globbed) {
++ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
++ (struct vfsmount *)orig_mnt, path);
++ if (retval2)
++ retval = retval2;
++ }
++ break;
++ }
++ } while ((tmpsubj = tmpsubj->parent_subject));
++ read_unlock(&gr_inode_lock);
++
++ return retval;
++}
++
++static struct acl_object_label *
++chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
++ const struct acl_subject_label *subj)
++{
++ struct dentry *dentry = (struct dentry *) l_dentry;
++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
++ struct dentry *root;
++ struct vfsmount *rootmnt;
++ struct acl_object_label *retval;
++ char *path = NULL;
++
++ read_lock(&child_reaper->fs->lock);
++ rootmnt = mntget(child_reaper->fs->rootmnt);
++ root = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++ spin_lock(&dcache_lock);
++
++ for (;;) {
++ if (dentry == root && mnt == rootmnt)
++ break;
++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
++ if (mnt->mnt_parent == mnt)
++ break;
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++ if (retval != NULL)
++ goto out;
++
++ dentry = mnt->mnt_mountpoint;
++ mnt = mnt->mnt_parent;
++ continue;
++ }
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++ if (retval != NULL)
++ goto out;
++
++ dentry = dentry->d_parent;
++ }
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++
++ if (retval == NULL)
++ retval = full_lookup(l_dentry, l_mnt, root, subj, &path);
++out:
++ spin_unlock(&dcache_lock);
++ dput(root);
++ mntput(rootmnt);
++
++ return retval;
++}
++
++static struct acl_object_label *
++chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
++ const struct acl_subject_label *subj, char *path)
++{
++ struct dentry *dentry = (struct dentry *) l_dentry;
++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
++ struct dentry *root;
++ struct vfsmount *rootmnt;
++ struct acl_object_label *retval;
++
++ read_lock(&child_reaper->fs->lock);
++ rootmnt = mntget(child_reaper->fs->rootmnt);
++ root = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++ spin_lock(&dcache_lock);
++
++ for (;;) {
++ if (dentry == root && mnt == rootmnt)
++ break;
++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
++ if (mnt->mnt_parent == mnt)
++ break;
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++ if (retval != NULL)
++ goto out;
++
++ dentry = mnt->mnt_mountpoint;
++ mnt = mnt->mnt_parent;
++ continue;
++ }
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++ if (retval != NULL)
++ goto out;
++
++ dentry = dentry->d_parent;
++ }
++
++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
++
++ if (retval == NULL)
++ retval = full_lookup(l_dentry, l_mnt, root, subj, &path);
++out:
++ spin_unlock(&dcache_lock);
++ dput(root);
++ mntput(rootmnt);
++
++ return retval;
++}
++
++static struct acl_subject_label *
++chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
++ const struct acl_role_label *role)
++{
++ struct dentry *dentry = (struct dentry *) l_dentry;
++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
++ struct dentry *root;
++ struct vfsmount *rootmnt;
++ struct acl_subject_label *retval;
++
++ read_lock(&child_reaper->fs->lock);
++ rootmnt = mntget(child_reaper->fs->rootmnt);
++ root = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++ spin_lock(&dcache_lock);
++
++ for (;;) {
++ if (unlikely(dentry == root && mnt == rootmnt))
++ break;
++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
++ if (mnt->mnt_parent == mnt)
++ break;
++
++ read_lock(&gr_inode_lock);
++ retval =
++ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ dentry->d_inode->i_sb->s_dev, role);
++ read_unlock(&gr_inode_lock);
++ if (unlikely(retval != NULL))
++ goto out;
++
++ dentry = mnt->mnt_mountpoint;
++ mnt = mnt->mnt_parent;
++ continue;
++ }
++
++ read_lock(&gr_inode_lock);
++ retval =
++ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ dentry->d_inode->i_sb->s_dev, role);
++ read_unlock(&gr_inode_lock);
++ if (unlikely(retval != NULL))
++ goto out;
++
++ dentry = dentry->d_parent;
++ }
++
++ read_lock(&gr_inode_lock);
++ retval =
++ lookup_acl_subj_label(dentry->d_inode->i_ino,
++ dentry->d_inode->i_sb->s_dev, role);
++ read_unlock(&gr_inode_lock);
++
++ if (unlikely(retval == NULL)) {
++ read_lock(&gr_inode_lock);
++ retval =
++ lookup_acl_subj_label(root->d_inode->i_ino,
++ root->d_inode->i_sb->s_dev, role);
++ read_unlock(&gr_inode_lock);
++ }
++ out:
++ spin_unlock(&dcache_lock);
++ dput(root);
++ mntput(rootmnt);
++
++ return retval;
++}
++
++static __inline__ void
++gr_log_learn(const struct acl_role_label *role, const uid_t uid, const gid_t gid,
++ const struct task_struct *task, const char *pathname,
++ const __u32 mode)
++{
++ security_learn(GR_LEARN_AUDIT_MSG, role->rolename, role->roletype,
++ uid, gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
++ 1, 1, pathname, (unsigned long) mode, NIPQUAD(task->curr_ip));
++
++ return;
++}
++
++__u32
++gr_check_link(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt,
++ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
++{
++ struct acl_object_label *obj;
++ __u32 oldmode, newmode;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return (GR_WRITE | GR_CREATE);
++
++ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
++ oldmode = obj->mode;
++
++ if (current->acl->mode & GR_LEARN)
++ oldmode |= (GR_WRITE | GR_CREATE);
++ newmode =
++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
++ oldmode | GR_CREATE | GR_AUDIT_CREATE |
++ GR_AUDIT_WRITE | GR_SUPPRESS);
++
++ if ((newmode & oldmode) == oldmode)
++ return newmode;
++ else if (current->acl->mode & GR_LEARN) {
++ gr_log_learn(current->role, current->uid, current->gid,
++ current, gr_to_filename(old_dentry, old_mnt), oldmode);
++ return (GR_WRITE | GR_CREATE);
++ } else if (newmode & GR_SUPPRESS)
++ return GR_SUPPRESS;
++ else
++ return 0;
++}
++
++__u32
++gr_search_file(const struct dentry * dentry, const __u32 mode,
++ const struct vfsmount * mnt)
++{
++ __u32 retval = mode;
++ struct acl_subject_label *curracl;
++ struct acl_object_label *currobj;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return (mode & ~GR_AUDITS);
++
++ curracl = current->acl;
++
++ currobj = chk_obj_label(dentry, mnt, curracl);
++ retval = currobj->mode & mode;
++
++ if (unlikely
++ ((curracl->mode & GR_LEARN) && !(mode & GR_NOPTRACE)
++ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
++ __u32 new_mode = mode;
++
++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
++
++ retval = new_mode;
++
++ if (!(mode & GR_NOLEARN))
++ gr_log_learn(current->role, current->uid, current->gid,
++ current, gr_to_filename(dentry, mnt), new_mode);
++ }
++
++ return retval;
++}
++
++__u32
++gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
++ const struct vfsmount * mnt, const __u32 mode)
++{
++ struct name_entry *match;
++ struct acl_object_label *matchpo;
++ struct acl_subject_label *curracl;
++ char *path;
++ __u32 retval;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return (mode & ~GR_AUDITS);
++
++ preempt_disable();
++ path = gr_to_filename(new_dentry, mnt);
++ match = lookup_name_entry(path);
++
++ if (!match)
++ goto check_parent;
++
++ curracl = current->acl;
++
++ read_lock(&gr_inode_lock);
++ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
++ read_unlock(&gr_inode_lock);
++
++ if (matchpo) {
++ if ((matchpo->mode & mode) !=
++ (mode & ~(GR_AUDITS | GR_SUPPRESS))
++ && curracl->mode & GR_LEARN) {
++ __u32 new_mode = mode;
++
++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
++
++ gr_log_learn(current->role, current->uid, current->gid,
++ current, gr_to_filename(new_dentry, mnt), new_mode);
++
++ preempt_enable();
++ return new_mode;
++ }
++ preempt_enable();
++ return (matchpo->mode & mode);
++ }
++
++ check_parent:
++ curracl = current->acl;
++
++ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
++ retval = matchpo->mode & mode;
++
++ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
++ && (curracl->mode & GR_LEARN)) {
++ __u32 new_mode = mode;
++
++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
++
++ gr_log_learn(current->role, current->uid, current->gid,
++ current, gr_to_filename(new_dentry, mnt), new_mode);
++ preempt_enable();
++ return new_mode;
++ }
++
++ preempt_enable();
++ return retval;
++}
++
++int
++gr_check_hidden_task(const struct task_struct *task)
++{
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ if (!(task->acl->mode & GR_FIND) && !(current->acl->mode & GR_VIEW))
++ return 1;
++
++ return 0;
++}
++
++int
++gr_check_protected_task(const struct task_struct *task)
++{
++ if (unlikely(!(gr_status & GR_READY) || !task))
++ return 0;
++
++ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL))
++ return 1;
++
++ return 0;
++}
++
++__inline__ void
++gr_copy_label(struct task_struct *tsk)
++{
++ tsk->used_accept = 0;
++ tsk->acl_sp_role = 0;
++ tsk->acl_role_id = current->acl_role_id;
++ tsk->acl = current->acl;
++ tsk->role = current->role;
++ tsk->curr_ip = current->curr_ip;
++ if (current->exec_file)
++ get_file(current->exec_file);
++ tsk->exec_file = current->exec_file;
++ tsk->is_writable = current->is_writable;
++ if (unlikely(current->used_accept))
++ current->curr_ip = 0;
++
++ return;
++}
++
++static __inline__ void
++gr_set_proc_res(void)
++{
++ struct acl_subject_label *proc;
++ unsigned short i;
++
++ proc = current->acl;
++
++ if (proc->mode & GR_LEARN)
++ return;
++
++ for (i = 0; i < RLIM_NLIMITS; i++) {
++ if (!(proc->resmask & (1 << i)))
++ continue;
++
++ current->rlim[i].rlim_cur = proc->res[i].rlim_cur;
++ current->rlim[i].rlim_max = proc->res[i].rlim_max;
++ }
++
++ return;
++}
++
++static __inline__ void
++do_set_role_label(struct task_struct *task, const uid_t uid, const gid_t gid)
++{
++ task->role = lookup_acl_role_label(task, uid, gid);
++
++ return;
++}
++
++int
++gr_check_user_change(int real, int effective, int fs)
++{
++ unsigned int i;
++ __u16 num;
++ uid_t *uidlist;
++ int curuid;
++ int realok = 0;
++ int effectiveok = 0;
++ int fsok = 0;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ num = current->acl->user_trans_num;
++ uidlist = current->acl->user_transitions;
++
++ if (uidlist == NULL)
++ return 0;
++
++ if (real == -1)
++ realok = 1;
++ if (effective == -1)
++ effectiveok = 1;
++ if (fs == -1)
++ fsok = 1;
++
++ if (current->acl->user_trans_type & GR_ID_ALLOW) {
++ for (i = 0; i < num; i++) {
++ curuid = (int)uidlist[i];
++ if (real == curuid)
++ realok = 1;
++ if (effective == curuid)
++ effectiveok = 1;
++ if (fs == curuid)
++ fsok = 1;
++ }
++ } else if (current->acl->user_trans_type & GR_ID_DENY) {
++ for (i = 0; i < num; i++) {
++ curuid = (int)uidlist[i];
++ if (real == curuid)
++ break;
++ if (effective == curuid)
++ break;
++ if (fs == curuid)
++ break;
++ }
++ /* not in deny list */
++ if (i == num) {
++ realok = 1;
++ effectiveok = 1;
++ fsok = 1;
++ }
++ }
++
++ if (realok && effectiveok && fsok)
++ return 0;
++ else {
++ security_alert(GR_USRCHANGE_ACL_MSG,
++ realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real, DEFAULTSECARGS);
++ return 1;
++ }
++}
++
++int
++gr_check_group_change(int real, int effective, int fs)
++{
++ unsigned int i;
++ __u16 num;
++ gid_t *gidlist;
++ int curgid;
++ int realok = 0;
++ int effectiveok = 0;
++ int fsok = 0;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ num = current->acl->group_trans_num;
++ gidlist = current->acl->group_transitions;
++
++ if (gidlist == NULL)
++ return 0;
++
++ if (real == -1)
++ realok = 1;
++ if (effective == -1)
++ effectiveok = 1;
++ if (fs == -1)
++ fsok = 1;
++
++ if (current->acl->group_trans_type & GR_ID_ALLOW) {
++ for (i = 0; i < num; i++) {
++ curgid = (int)gidlist[i];
++ if (real == curgid)
++ realok = 1;
++ if (effective == curgid)
++ effectiveok = 1;
++ if (fs == curgid)
++ fsok = 1;
++ }
++ } else if (current->acl->group_trans_type & GR_ID_DENY) {
++ for (i = 0; i < num; i++) {
++ curgid = (int)gidlist[i];
++ if (real == curgid)
++ break;
++ if (effective == curgid)
++ break;
++ if (fs == curgid)
++ break;
++ }
++ /* not in deny list */
++ if (i == num) {
++ realok = 1;
++ effectiveok = 1;
++ fsok = 1;
++ }
++ }
++
++ if (realok && effectiveok && fsok)
++ return 0;
++ else {
++ security_alert(GR_GRPCHANGE_ACL_MSG,
++ realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real, DEFAULTSECARGS);
++ return 1;
++ }
++}
++
++void
++gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
++{
++ struct acl_object_label *obj;
++ struct file *filp;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ filp = task->exec_file;
++
++ /* kernel process, we'll give them the kernel role */
++ if (unlikely(!filp)) {
++ task->role = kernel_role;
++ task->acl = kernel_role->root_label;
++ return;
++ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
++ do_set_role_label(task, uid, gid);
++
++ task->acl =
++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt, task->role);
++
++ task->is_writable = 0;
++
++ /* ignore additional mmap checks for processes that are writable
++ by the default ACL */
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ task->is_writable = 1;
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ task->is_writable = 1;
++
++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
++ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
++#endif
++
++ gr_set_proc_res();
++
++ return;
++}
++
++void
++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ struct acl_subject_label *newacl;
++ struct acl_object_label *obj;
++ __u32 retmode;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ newacl = chk_subj_label(dentry, mnt, current->role);
++
++ obj = chk_obj_label(dentry, mnt, current->acl);
++ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
++
++ if ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT)) {
++ if (obj->nested)
++ current->acl = obj->nested;
++ else
++ current->acl = newacl;
++ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
++ security_audit(GR_INHERIT_ACL_MSG, current->acl->filename,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++
++ current->is_writable = 0;
++
++ /* ignore additional mmap checks for processes that are writable
++ by the default ACL */
++ obj = chk_obj_label(dentry, mnt, default_role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ current->is_writable = 1;
++ obj = chk_obj_label(dentry, mnt, current->role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ current->is_writable = 1;
++
++ gr_set_proc_res();
++
++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
++ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", current->comm, current->pid, current->role->rolename, current->acl->filename);
++#endif
++ return;
++}
++
++static __inline__ void
++do_handle_delete(const ino_t ino, const dev_t dev)
++{
++ struct acl_object_label *matchpo;
++ struct acl_subject_label *matchps;
++ struct acl_subject_label *i;
++ struct acl_role_label *role;
++
++ for (role = role_list_head; role; role = role->next) {
++ for (i = role->hash->first; i; i = i->next) {
++ if (unlikely((i->mode & GR_NESTED) &&
++ (i->inode == ino) &&
++ (i->device == dev)))
++ i->mode |= GR_DELETED;
++ if (unlikely((matchpo =
++ lookup_acl_obj_label(ino, dev, i)) != NULL))
++ matchpo->mode |= GR_DELETED;
++ }
++
++ if (unlikely((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL))
++ matchps->mode |= GR_DELETED;
++ }
++
++ return;
++}
++
++void
++gr_handle_delete(const ino_t ino, const dev_t dev)
++{
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ write_lock(&gr_inode_lock);
++ if (unlikely((unsigned long)lookup_inodev_entry(ino, dev)))
++ do_handle_delete(ino, dev);
++ write_unlock(&gr_inode_lock);
++
++ return;
++}
++
++static __inline__ void
++update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
++ const ino_t newinode, const dev_t newdevice,
++ struct acl_subject_label *subj)
++{
++ unsigned long index = fhash(oldinode, olddevice, subj->obj_hash_size);
++ struct acl_object_label **match;
++ struct acl_object_label *tmp;
++ __u8 i = 0;
++
++ match = &subj->obj_hash[index];
++
++ while (*match && ((*match)->inode != oldinode ||
++ (*match)->device != olddevice ||
++ !((*match)->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % subj->obj_hash_size;
++ match = &subj->obj_hash[index];
++ i = (i + 1) % 32;
++ }
++
++ if (*match && ((*match) != deleted_object)
++ && ((*match)->inode == oldinode)
++ && ((*match)->device == olddevice)
++ && ((*match)->mode & GR_DELETED)) {
++ tmp = *match;
++ tmp->inode = newinode;
++ tmp->device = newdevice;
++ tmp->mode &= ~GR_DELETED;
++
++ *match = deleted_object;
++
++ insert_acl_obj_label(tmp, subj);
++ }
++
++ return;
++}
++
++static __inline__ void
++update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
++ const ino_t newinode, const dev_t newdevice,
++ struct acl_role_label *role)
++{
++ struct acl_subject_label **s_hash = role->subj_hash;
++ unsigned long subj_size = role->subj_hash_size;
++ unsigned long index = fhash(oldinode, olddevice, subj_size);
++ struct acl_subject_label **match;
++ struct acl_subject_label *tmp;
++ __u8 i = 0;
++
++ match = &s_hash[index];
++
++ while (*match && ((*match)->inode != oldinode ||
++ (*match)->device != olddevice ||
++ !((*match)->mode & GR_DELETED))) {
++ index = (index + (1 << i)) % subj_size;
++ i = (i + 1) % 32;
++ match = &s_hash[index];
++ }
++
++ if (*match && (*match != deleted_subject)
++ && ((*match)->inode == oldinode)
++ && ((*match)->device == olddevice)
++ && ((*match)->mode & GR_DELETED)) {
++ tmp = *match;
++
++ tmp->inode = newinode;
++ tmp->device = newdevice;
++ tmp->mode &= ~GR_DELETED;
++
++ *match = deleted_subject;
++
++ insert_acl_subj_label(tmp, role);
++ }
++
++ return;
++}
++
++static __inline__ void
++update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
++ const ino_t newinode, const dev_t newdevice)
++{
++ unsigned long index = fhash(oldinode, olddevice, inodev_set.n_size);
++ struct name_entry **match;
++ struct name_entry *tmp;
++ __u8 i = 0;
++
++ match = &inodev_set.n_hash[index];
++
++ while (*match
++ && ((*match)->inode != oldinode
++ || (*match)->device != olddevice)) {
++ index = (index + (1 << i)) % inodev_set.n_size;
++ i = (i + 1) % 32;
++ match = &inodev_set.n_hash[index];
++ }
++
++ if (*match && (*match != deleted_inodev)
++ && ((*match)->inode == oldinode)
++ && ((*match)->device == olddevice)) {
++ tmp = *match;
++
++ tmp->inode = newinode;
++ tmp->device = newdevice;
++
++ *match = deleted_inodev;
++
++ insert_inodev_entry(tmp);
++ }
++
++ return;
++}
++
++static __inline__ void
++do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
++ const struct vfsmount *mnt)
++{
++ struct acl_subject_label *i;
++ struct acl_role_label *role;
++
++ for (role = role_list_head; role; role = role->next) {
++ update_acl_subj_label(matchn->inode, matchn->device,
++ dentry->d_inode->i_ino,
++ dentry->d_inode->i_sb->s_dev, role);
++
++ for (i = role->hash->first; i; i = i->next) {
++ if (unlikely((i->mode & GR_NESTED) &&
++ (i->inode == dentry->d_inode->i_ino) &&
++ (i->device == dentry->d_inode->i_sb->s_dev))) {
++ i->inode = dentry->d_inode->i_ino;
++ i->device = dentry->d_inode->i_sb->s_dev;
++ }
++ update_acl_obj_label(matchn->inode, matchn->device,
++ dentry->d_inode->i_ino,
++ dentry->d_inode->i_sb->s_dev, i);
++ }
++ }
++
++ update_inodev_entry(matchn->inode, matchn->device,
++ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
++
++ return;
++}
++
++void
++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ struct name_entry *matchn;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ preempt_disable();
++ matchn = lookup_name_entry(gr_to_filename(dentry, mnt));
++ preempt_enable();
++
++ if (unlikely((unsigned long)matchn)) {
++ write_lock(&gr_inode_lock);
++ do_handle_create(matchn, dentry, mnt);
++ write_unlock(&gr_inode_lock);
++ }
++
++ return;
++}
++
++void
++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
++ struct dentry *old_dentry,
++ struct dentry *new_dentry,
++ struct vfsmount *mnt, const __u8 replace)
++{
++ struct name_entry *matchn;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ preempt_disable();
++ matchn = lookup_name_entry(gr_to_filename(new_dentry, mnt));
++ preempt_enable();
++
++ /* we wouldn't have to check d_inode if it weren't for
++ NFS silly-renaming
++ */
++
++ write_lock(&gr_inode_lock);
++ if (unlikely(replace && new_dentry->d_inode)) {
++ if (unlikely(lookup_inodev_entry(new_dentry->d_inode->i_ino,
++ new_dentry->d_inode->i_sb->s_dev) &&
++ (old_dentry->d_inode->i_nlink <= 1)))
++ do_handle_delete(new_dentry->d_inode->i_ino,
++ new_dentry->d_inode->i_sb->s_dev);
++ }
++
++ if (unlikely(lookup_inodev_entry(old_dentry->d_inode->i_ino,
++ old_dentry->d_inode->i_sb->s_dev) &&
++ (old_dentry->d_inode->i_nlink <= 1)))
++ do_handle_delete(old_dentry->d_inode->i_ino,
++ old_dentry->d_inode->i_sb->s_dev);
++
++ if (unlikely((unsigned long)matchn))
++ do_handle_create(matchn, old_dentry, mnt);
++ write_unlock(&gr_inode_lock);
++
++ return;
++}
++
++static int
++lookup_special_role_auth(const char *rolename, unsigned char **salt,
++ unsigned char **sum)
++{
++ struct acl_role_label *r;
++ struct role_transition *trans;
++ __u16 i;
++ int found = 0;
++
++ /* check transition table */
++
++ for (trans = current->role->transitions; trans; trans = trans->next) {
++ if (!strcmp(rolename, trans->rolename)) {
++ found = 1;
++ break;
++ }
++ }
++
++ if (!found)
++ return 0;
++
++ /* handle special roles that do not require authentication */
++
++ for (r = role_list_head; r; r = r->next) {
++ if (!strcmp(rolename, r->rolename)
++ && (r->roletype & GR_ROLE_NOPW)) {
++ *salt = NULL;
++ *sum = NULL;
++ return 1;
++ }
++ }
++
++ for (i = 0; i < num_sprole_pws; i++) {
++ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
++ *salt = acl_special_roles[i]->salt;
++ *sum = acl_special_roles[i]->sum;
++ return 1;
++ }
++ }
++
++ return 0;
++}
++
++static void
++assign_special_role(char *rolename)
++{
++ struct acl_object_label *obj;
++ struct acl_role_label *r;
++ struct acl_role_label *assigned = NULL;
++ struct task_struct *tsk;
++ struct file *filp;
++
++ for (r = role_list_head; r; r = r->next)
++ if (!strcmp(rolename, r->rolename) &&
++ (r->roletype & GR_ROLE_SPECIAL))
++ assigned = r;
++
++ if (!assigned)
++ return;
++
++ tsk = current->parent;
++ filp = tsk->exec_file;
++
++ if (tsk && filp) {
++ tsk->is_writable = 0;
++
++ acl_sp_role_value = (acl_sp_role_value % 65535) + 1;
++ tsk->acl_sp_role = 1;
++ tsk->acl_role_id = acl_sp_role_value;
++ tsk->role = assigned;
++ tsk->acl =
++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
++
++ /* ignore additional mmap checks for processes that are writable
++ by the default ACL */
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ tsk->is_writable = 1;
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ tsk->is_writable = 1;
++
++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
++ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
++#endif
++ }
++
++ return;
++}
++
++ssize_t
++write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
++{
++ struct gr_arg *arg;
++ unsigned char *sprole_salt;
++ unsigned char *sprole_sum;
++ int error = sizeof (struct gr_arg);
++ int error2 = 0;
++
++ down(&gr_dev_sem);
++
++ arg = (struct gr_arg *) buf;
++
++ if (count != sizeof (struct gr_arg)) {
++ security_alert_good(GR_DEV_ACL_MSG, count,
++ (int) sizeof (struct gr_arg));
++ error = -EINVAL;
++ goto out;
++ }
++
++ if ((gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
++ && time_before_eq(gr_auth_expires, get_seconds())) {
++ gr_auth_expires = 0;
++ gr_auth_attempts = 0;
++ }
++
++ if (copy_from_user(gr_usermode, arg, sizeof (struct gr_arg))) {
++ error = -EFAULT;
++ goto out;
++ }
++
++ if (gr_usermode->mode != SPROLE && time_after(gr_auth_expires, get_seconds())) {
++ error = -EBUSY;
++ goto out;
++ }
++
++ /* if non-root trying to do anything other than use a special role,
++ do not attempt authentication, do not count towards authentication
++ locking
++ */
++
++ if (gr_usermode->mode != SPROLE && current->uid) {
++ error = -EPERM;
++ goto out;
++ }
++
++ /* ensure pw and special role name are null terminated */
++
++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
++
++ /* Okay.
++ * We have our enough of the argument structure..(we have yet
++ * to copy_from_user the tables themselves) . Copy the tables
++ * only if we need them, i.e. for loading operations. */
++
++ switch (gr_usermode->mode) {
++ case STATUS:
++ if (gr_status & GR_READY)
++ error = 1;
++ else
++ error = 2;
++ goto out;
++ case SHUTDOWN:
++ if ((gr_status & GR_READY)
++ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ gr_status &= ~GR_READY;
++ security_alert_good(GR_SHUTS_ACL_MSG, DEFAULTSECARGS);
++ free_variables();
++ memset(gr_usermode, 0, sizeof (struct gr_arg));
++ memset(gr_system_salt, 0, GR_SALT_LEN);
++ memset(gr_system_sum, 0, GR_SHA_LEN);
++ } else if (gr_status & GR_READY) {
++ security_alert(GR_SHUTF_ACL_MSG, DEFAULTSECARGS);
++ error = -EPERM;
++ } else {
++ security_alert_good(GR_SHUTI_ACL_MSG, DEFAULTSECARGS);
++ error = -EAGAIN;
++ }
++ break;
++ case ENABLE:
++ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
++ security_alert_good(GR_ENABLE_ACL_MSG, GR_VERSION);
++ else {
++ if (gr_status & GR_READY)
++ error = -EAGAIN;
++ else
++ error = error2;
++ security_alert(GR_ENABLEF_ACL_MSG, GR_VERSION,
++ DEFAULTSECARGS);
++ }
++ break;
++ case RELOAD:
++ if (!(gr_status & GR_READY)) {
++ security_alert_good(GR_RELOADI_ACL_MSG);
++ error = -EAGAIN;
++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ lock_kernel();
++ gr_status &= ~GR_READY;
++ free_variables();
++ if (!(error2 = gracl_init(gr_usermode))) {
++ unlock_kernel();
++ security_alert_good(GR_RELOAD_ACL_MSG,
++ GR_VERSION);
++ } else {
++ unlock_kernel();
++ error = error2;
++ security_alert(GR_RELOADF_ACL_MSG, GR_VERSION,
++ DEFAULTSECARGS);
++ }
++ } else {
++ security_alert(GR_RELOADF_ACL_MSG, GR_VERSION,
++ DEFAULTSECARGS);
++ error = -EPERM;
++ }
++ break;
++ case SEGVMOD:
++ if (unlikely(!(gr_status & GR_READY))) {
++ security_alert_good(GR_SEGVMODI_ACL_MSG,
++ DEFAULTSECARGS);
++ error = -EAGAIN;
++ break;
++ }
++
++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
++ security_alert_good(GR_SEGVMODS_ACL_MSG,
++ DEFAULTSECARGS);
++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
++ struct acl_subject_label *segvacl;
++ segvacl =
++ lookup_acl_subj_label(gr_usermode->segv_inode,
++ gr_usermode->segv_device,
++ current->role);
++ if (segvacl) {
++ segvacl->crashes = 0;
++ segvacl->expires = 0;
++ }
++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
++ gr_remove_uid(gr_usermode->segv_uid);
++ }
++ } else {
++ security_alert(GR_SEGVMODF_ACL_MSG, DEFAULTSECARGS);
++ error = -EPERM;
++ }
++ break;
++ case SPROLE:
++ if (unlikely(!(gr_status & GR_READY))) {
++ security_alert_good(GR_SPROLEI_ACL_MSG, DEFAULTSECARGS);
++ error = -EAGAIN;
++ break;
++ }
++
++ if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
++ && time_before_eq(current->role->expires, get_seconds())) {
++ current->role->expires = 0;
++ current->role->auth_attempts = 0;
++ }
++
++ if (time_after(current->role->expires, get_seconds())) {
++ error = -EBUSY;
++ goto out;
++ }
++
++ if (lookup_special_role_auth
++ (gr_usermode->sp_role, &sprole_salt, &sprole_sum)
++ && ((!sprole_salt && !sprole_sum)
++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
++ assign_special_role(gr_usermode->sp_role);
++ security_alert_good(GR_SPROLES_ACL_MSG,
++ (current->parent) ? current->
++ parent->role->rolename : "",
++ acl_sp_role_value, DEFAULTSECARGS);
++ } else {
++ security_alert(GR_SPROLEF_ACL_MSG, gr_usermode->sp_role,
++ DEFAULTSECARGS);
++ error = -EPERM;
++ current->role->auth_attempts++;
++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
++ current->role->expires =
++ get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
++ security_alert(GR_MAXROLEPW_ACL_MSG,
++ CONFIG_GRKERNSEC_ACL_MAXTRIES,
++ gr_usermode->sp_role, DEFAULTSECARGS);
++ }
++
++ goto out;
++ }
++ break;
++ case UNSPROLE:
++ if (unlikely(!(gr_status & GR_READY))) {
++ security_alert_good(GR_UNSPROLEI_ACL_MSG, DEFAULTSECARGS);
++ error = -EAGAIN;
++ break;
++ }
++
++ if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
++ && time_before_eq(current->role->expires, get_seconds())) {
++ current->role->expires = 0;
++ current->role->auth_attempts = 0;
++ }
++
++ if (time_after(current->role->expires, get_seconds())) {
++ error = -EBUSY;
++ goto out;
++ }
++
++ if ((current->role->roletype & GR_ROLE_SPECIAL) &&
++ lookup_special_role_auth
++ (current->role->rolename, &sprole_salt, &sprole_sum)
++ && ((!sprole_salt && !sprole_sum)
++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
++ security_alert_good(GR_UNSPROLES_ACL_MSG,
++ (current->parent) ? current->
++ parent->role->rolename : "",
++ (current->parent) ? current->
++ parent->acl_role_id : 0, DEFAULTSECARGS);
++ gr_set_acls(1);
++ if (current->parent)
++ current->parent->acl_sp_role = 0;
++ } else {
++ security_alert(GR_UNSPROLEF_ACL_MSG, current->role->rolename,
++ DEFAULTSECARGS);
++ error = -EPERM;
++ current->role->auth_attempts++;
++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
++ current->role->expires =
++ get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
++ security_alert(GR_MAXROLEPW_ACL_MSG,
++ CONFIG_GRKERNSEC_ACL_MAXTRIES,
++ current->role->rolename, DEFAULTSECARGS);
++ }
++
++ goto out;
++ }
++ break;
++ default:
++ security_alert(GR_INVMODE_ACL_MSG, gr_usermode->mode,
++ DEFAULTSECARGS);
++ error = -EINVAL;
++ break;
++ }
++
++ if (error != -EPERM)
++ goto out;
++
++ gr_auth_attempts++;
++
++ if (gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
++ security_alert(GR_MAXPW_ACL_MSG, CONFIG_GRKERNSEC_ACL_MAXTRIES);
++ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
++ }
++
++ out:
++ up(&gr_dev_sem);
++ return error;
++}
++
++int
++gr_set_acls(const int type)
++{
++ struct acl_object_label *obj;
++ struct task_struct *task, *task2;
++ struct file *filp;
++ unsigned short i;
++
++ read_lock(&tasklist_lock);
++ for_each_process(task2) {
++ task = task2;
++ do {
++ /* check to see if we're called from the exit handler,
++ if so, only replace ACLs that have inherited the admin
++ ACL */
++
++ if (type && (task->role != current->role ||
++ task->acl_role_id != current->acl_role_id))
++ continue;
++
++ task->acl_role_id = 0;
++
++ if ((filp = task->exec_file)) {
++ do_set_role_label(task, task->uid, task->gid);
++
++ task->acl =
++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
++ task->role);
++ if (task->acl) {
++ struct acl_subject_label *curr;
++ curr = task->acl;
++
++ task->is_writable = 0;
++ /* ignore additional mmap checks for processes that are writable
++ by the default ACL */
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ task->is_writable = 1;
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
++ if (unlikely(obj->mode & GR_WRITE))
++ task->is_writable = 1;
++
++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
++ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
++#endif
++ if (!(curr->mode & GR_LEARN))
++ for (i = 0; i < RLIM_NLIMITS; i++) {
++ if (!(curr->resmask & (1 << i)))
++ continue;
++
++ task->rlim[i].rlim_cur =
++ curr->res[i].rlim_cur;
++ task->rlim[i].rlim_max =
++ curr->res[i].rlim_max;
++ }
++ } else {
++ read_unlock(&tasklist_lock);
++ security_alert_good(GR_DEFACL_MSG, task->comm,
++ task->pid);
++ return 1;
++ }
++ } else {
++ // it's a kernel process
++ task->role = kernel_role;
++ task->acl = kernel_role->root_label;
++#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
++ task->acl->mode &= ~GR_FIND;
++#endif
++ }
++ } while ((task = next_thread(task)) != task2);
++ }
++ read_unlock(&tasklist_lock);
++ return 0;
++}
++
++EXPORT_SYMBOL(gr_learn_resource);
++
++void
++gr_learn_resource(const struct task_struct *task,
++ const int res, const unsigned long wanted, const int gt)
++{
++ struct acl_subject_label *acl;
++
++ if (unlikely((gr_status & GR_READY) &&
++ task->acl && (task->acl->mode & GR_LEARN)))
++ goto skip_reslog;
++
++#ifdef CONFIG_GRKERNSEC_RESLOG
++ gr_log_resource(task, res, wanted, gt);
++#endif
++ skip_reslog:
++
++ if (unlikely(!(gr_status & GR_READY) || !wanted))
++ return;
++
++ acl = task->acl;
++
++ if (likely(!acl || !(acl->mode & GR_LEARN) ||
++ !(acl->resmask & (1 << (unsigned short) res))))
++ return;
++
++ if (wanted >= acl->res[res].rlim_cur) {
++ unsigned long res_add;
++
++ res_add = wanted;
++ switch (res) {
++ case RLIMIT_CPU:
++ res_add += GR_RLIM_CPU_BUMP;
++ break;
++ case RLIMIT_FSIZE:
++ res_add += GR_RLIM_FSIZE_BUMP;
++ break;
++ case RLIMIT_DATA:
++ res_add += GR_RLIM_DATA_BUMP;
++ break;
++ case RLIMIT_STACK:
++ res_add += GR_RLIM_STACK_BUMP;
++ break;
++ case RLIMIT_CORE:
++ res_add += GR_RLIM_CORE_BUMP;
++ break;
++ case RLIMIT_RSS:
++ res_add += GR_RLIM_RSS_BUMP;
++ break;
++ case RLIMIT_NPROC:
++ res_add += GR_RLIM_NPROC_BUMP;
++ break;
++ case RLIMIT_NOFILE:
++ res_add += GR_RLIM_NOFILE_BUMP;
++ break;
++ case RLIMIT_MEMLOCK:
++ res_add += GR_RLIM_MEMLOCK_BUMP;
++ break;
++ case RLIMIT_AS:
++ res_add += GR_RLIM_AS_BUMP;
++ break;
++ case RLIMIT_LOCKS:
++ res_add += GR_RLIM_LOCKS_BUMP;
++ break;
++ }
++
++ acl->res[res].rlim_cur = res_add;
++
++ if (wanted > acl->res[res].rlim_max)
++ acl->res[res].rlim_max = res_add;
++
++ security_learn(GR_LEARN_AUDIT_MSG, current->role->rolename,
++ current->role->roletype, acl->filename,
++ acl->res[res].rlim_cur, acl->res[res].rlim_max,
++ "", (unsigned long) res);
++ }
++
++ return;
++}
++
++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
++void
++pax_set_flags(struct linux_binprm *bprm)
++{
++ struct task_struct *task = current;
++ struct acl_subject_label *proc;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return;
++
++ proc = task->acl;
++
++ if (proc->mode & GR_PAXPAGE)
++ task->flags &= ~PF_PAX_PAGEEXEC;
++ if (proc->mode & GR_PAXSEGM)
++ task->flags &= ~PF_PAX_SEGMEXEC;
++ if (proc->mode & GR_PAXGCC)
++ task->flags |= PF_PAX_EMUTRAMP;
++ if (proc->mode & GR_PAXMPROTECT)
++ task->flags &= ~PF_PAX_MPROTECT;
++ if (proc->mode & GR_PAXRANDMMAP)
++ task->flags &= ~PF_PAX_RANDMMAP;
++ if (proc->mode & GR_PAXRANDEXEC)
++ task->flags |= PF_PAX_RANDEXEC;
++
++ return;
++}
++#endif
++
++#ifdef CONFIG_SYSCTL
++extern struct proc_dir_entry *proc_sys_root;
++
++
++/* the following function is called under the BKL */
++
++__u32
++gr_handle_sysctl(const struct ctl_table *table, const void *oldval,
++ const void *newval)
++{
++ struct proc_dir_entry *tmp;
++ struct nameidata nd;
++ const char *proc_sys = "/proc/sys";
++ char *path;
++ struct acl_object_label *obj;
++ unsigned short len = 0, pos = 0, depth = 0, i;
++ __u32 err = 0;
++ __u32 mode = 0;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 1;
++
++ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
++
++ if (oldval)
++ mode |= GR_READ;
++ if (newval)
++ mode |= GR_WRITE;
++
++ /* convert the requested sysctl entry into a pathname */
++
++ for (tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) {
++ len += strlen(tmp->name);
++ len++;
++ depth++;
++ }
++
++ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE)
++ return 0; /* deny */
++
++ memset(path, 0, PAGE_SIZE);
++
++ memcpy(path, proc_sys, strlen(proc_sys));
++
++ pos += strlen(proc_sys);
++
++ for (; depth > 0; depth--) {
++ path[pos] = '/';
++ pos++;
++ for (i = 1, tmp = table->de; tmp != proc_sys_root;
++ tmp = tmp->parent) {
++ if (depth == i) {
++ memcpy(path + pos, tmp->name,
++ strlen(tmp->name));
++ pos += strlen(tmp->name);
++ }
++ i++;
++ }
++ }
++
++ err = path_lookup(path, LOOKUP_FOLLOW, &nd);
++
++ if (err)
++ goto out;
++
++ obj = chk_obj_label(nd.dentry, nd.mnt, current->acl);
++ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
++
++ if (unlikely((current->acl->mode & GR_LEARN) && ((err & mode) != mode))) {
++ __u32 new_mode = mode;
++
++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
++
++ err = new_mode;
++ gr_log_learn(current->role, current->uid, current->gid,
++ current, path, new_mode);
++ } else if ((err & mode) != mode && !(err & GR_SUPPRESS)) {
++ security_alert(GR_SYSCTL_ACL_MSG, "denied", path,
++ (mode & GR_READ) ? " reading" : "",
++ (mode & GR_WRITE) ? " writing" : "",
++ DEFAULTSECARGS);
++ err = 0;
++ } else if ((err & mode) != mode) {
++ err = 0;
++ } else if (((err & mode) == mode) && (err & GR_AUDITS)) {
++ security_audit(GR_SYSCTL_ACL_MSG, "successful",
++ path, (mode & GR_READ) ? " reading" : "",
++ (mode & GR_WRITE) ? " writing" : "",
++ DEFAULTSECARGS);
++ }
++
++ path_release(&nd);
++
++ out:
++ return err;
++}
++#endif
++
++int
++gr_handle_proc_ptrace(struct task_struct *task)
++{
++ struct file *filp;
++ struct task_struct *tmp = task;
++ struct task_struct *curtemp = current;
++ __u32 retmode;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ filp = task->exec_file;
++
++ read_lock(&tasklist_lock);
++ while (tmp->pid > 0) {
++ if (tmp == curtemp)
++ break;
++ tmp = tmp->parent;
++ }
++ read_unlock(&tasklist_lock);
++
++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))
++ return 1;
++
++ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
++
++ if (retmode & GR_NOPTRACE)
++ return 1;
++
++ if (!(current->acl->mode & GR_OVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
++ && (current->acl != task->acl || (current->acl != current->role->root_label
++ && current->pid != task->pid)))
++ return 1;
++
++ return 0;
++}
++
++int
++gr_handle_ptrace(struct task_struct *task, const long request)
++{
++ struct file *filp;
++ struct task_struct *tmp = task;
++ struct task_struct *curtemp = current;
++ __u32 retmode;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ filp = task->exec_file;
++
++ if (task->acl->mode & GR_NOPTRACE) {
++ security_alert(GR_PTRACE_ACL_MSG, filp ?
++ gr_to_filename(filp->f_dentry, filp->f_vfsmnt)
++ : "(none)", task->comm, task->pid,
++ DEFAULTSECARGS);
++ return 1;
++ }
++
++ read_lock(&tasklist_lock);
++ while (tmp->pid > 0) {
++ if (tmp == curtemp)
++ break;
++ tmp = tmp->parent;
++ }
++ read_unlock(&tasklist_lock);
++
++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
++ security_alert(GR_PTRACE_ACL_MSG, filp ?
++ gr_to_filename(filp->f_dentry, filp->f_vfsmnt)
++ : "(none)", task->comm, task->pid,
++ DEFAULTSECARGS);
++ return 1;
++ }
++
++ if (unlikely(!filp))
++ return 0;
++
++ retmode = gr_search_file(filp->f_dentry, GR_PTRACERD | GR_NOPTRACE, filp->f_vfsmnt);
++
++ if (retmode & GR_NOPTRACE) {
++ security_alert(GR_PTRACE_ACL_MSG, gr_to_filename(filp->f_dentry, filp->f_vfsmnt),
++ task->comm, task->pid, DEFAULTSECARGS);
++ return 1;
++ }
++
++ if (retmode & GR_PTRACERD) {
++ switch (request) {
++ case PTRACE_POKETEXT:
++ case PTRACE_POKEDATA:
++ case PTRACE_POKEUSR:
++#if !defined(CONFIG_PPC32) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA)
++ case PTRACE_SETREGS:
++ case PTRACE_SETFPREGS:
++#endif
++#ifdef CONFIG_X86
++ case PTRACE_SETFPXREGS:
++#endif
++#ifdef CONFIG_ALTIVEC
++ case PTRACE_SETVRREGS:
++#endif
++ return 1;
++ default:
++ return 0;
++ }
++ } else if (!(current->acl->mode & GR_OVERRIDE) &&
++ !(current->role->roletype & GR_ROLE_GOD)
++ && (current->acl != task->acl
++ || (current->acl != current->role->root_label
++ && current->pid != task->pid))) {
++ security_alert(GR_PTRACE_ACL_MSG,
++ gr_to_filename(filp->f_dentry, filp->f_vfsmnt),
++ task->comm, task->pid, DEFAULTSECARGS);
++ return 1;
++ }
++
++ return 0;
++}
++
++int
++gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ __u32 retmode;
++ struct acl_subject_label *subj;
++
++ if (unlikely(!(gr_status & GR_READY)))
++ return 0;
++
++ if (unlikely
++ ((current->ptrace & PT_PTRACED)
++ && !(current->acl->mode & GR_OVERRIDE)))
++ retmode = gr_search_file(dentry, GR_PTRACERD, mnt);
++ else
++ return 0;
++
++ subj = chk_subj_label(dentry, mnt, current->role);
++
++ if (!(retmode & GR_PTRACERD) &&
++ !(current->role->roletype & GR_ROLE_GOD) &&
++ (current->acl != subj)) {
++ security_alert(GR_PTRACE_EXEC_ACL_MSG,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return 1;
++ }
++
++ return 0;
++}
++
++int
++gr_handle_mmap(const struct file *filp, const unsigned long prot)
++{
++ struct acl_object_label *obj, *obj2;
++
++ if (unlikely(!(gr_status & GR_READY) ||
++ (current->acl->mode & GR_OVERRIDE) || !filp ||
++ !(prot & PROT_EXEC)))
++ return 0;
++
++ if (unlikely(current->is_writable))
++ return 0;
++
++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
++ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
++ current->role->root_label);
++ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
++ security_alert(GR_WRITLIB_ACL_MSG,
++ gr_to_filename(filp->f_dentry, filp->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 1;
++ }
++
++ return 0;
++}
++
++int
++gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
++{
++ __u32 mode;
++
++ if (unlikely(!file || !(prot & PROT_EXEC)))
++ return 1;
++
++ mode =
++ gr_search_file(file->f_dentry,
++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
++ file->f_vfsmnt);
++
++ if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) {
++ security_alert(GR_MMAP_ACL_MSG, "denied",
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) {
++ return 0;
++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
++ security_audit(GR_MMAP_ACL_MSG, "successful",
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 1;
++ }
++
++ return 1;
++}
++
++int
++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
++{
++ __u32 mode;
++
++ if (unlikely(!file || !(prot & PROT_EXEC)))
++ return 1;
++
++ mode =
++ gr_search_file(file->f_dentry,
++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
++ file->f_vfsmnt);
++
++ if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) {
++ security_alert(GR_MPROTECT_ACL_MSG, "denied",
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) {
++ return 0;
++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
++ security_audit(GR_MPROTECT_ACL_MSG, "successful",
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 1;
++ }
++
++ return 1;
++}
++
++void
++gr_acl_handle_psacct(struct task_struct *task, const long code)
++{
++ u64 runtime64;
++ unsigned long runtime;
++ unsigned long cputime;
++ unsigned int wday, cday;
++ __u8 whr, chr;
++ __u8 wmin, cmin;
++ __u8 wsec, csec;
++ char cur_tty[64] = { 0 };
++ char parent_tty[64] = { 0 };
++
++ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
++ !(task->acl->mode & GR_PROCACCT)))
++ return;
++
++ runtime64 = get_jiffies_64() - task->start_time;
++ do_div(runtime64, HZ);
++ runtime = (unsigned long)runtime64;
++ wday = runtime / (3600 * 24);
++ runtime -= wday * (3600 * 24);
++ whr = runtime / 3600;
++ runtime -= whr * 3600;
++ wmin = runtime / 60;
++ runtime -= wmin * 60;
++ wsec = runtime;
++
++ cputime = (task->utime + task->stime) / HZ;
++ cday = cputime / (3600 * 24);
++ cputime -= cday * (3600 * 24);
++ chr = cputime / 3600;
++ cputime -= chr * 3600;
++ cmin = cputime / 60;
++ cputime -= cmin * 60;
++ csec = cputime;
++
++ security_audit(GR_ACL_PROCACCT_MSG, gr_task_fullpath(task), task->comm,
++ task->pid, NIPQUAD(task->curr_ip), tty_name(task->signal->tty,
++ cur_tty),
++ task->uid, task->euid, task->gid, task->egid, wday, whr,
++ wmin, wsec, cday, chr, cmin, csec,
++ (task->flags & PF_SIGNALED) ? "killed by signal" : "exited",
++ code, gr_parent_task_fullpath(task),
++ task->parent->comm, task->parent->pid,
++ NIPQUAD(task->parent->curr_ip),
++ tty_name(task->parent->signal->tty, parent_tty),
++ task->parent->uid, task->parent->euid, task->parent->gid,
++ task->parent->egid);
++
++ return;
++}
++
++EXPORT_SYMBOL(gr_set_kernel_label);
++
++void gr_set_kernel_label(struct task_struct *task)
++{
++ if (gr_status & GR_READY) {
++ task->role = kernel_role;
++ task->acl = kernel_role->root_label;
++ }
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/gracl_cap.c linux-2.6.6.fixed/grsecurity/gracl_cap.c
+--- linux-2.6.6/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_cap.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,115 @@
++/* capability handling routines, (c) Brad Spengler 2002,2003 */
++
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/sched.h>
++#include <linux/capability.h>
++#include <linux/gracl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++static const char *captab_log[29] = {
++ "CAP_CHOWN",
++ "CAP_DAC_OVERRIDE",
++ "CAP_DAC_READ_SEARCH",
++ "CAP_FOWNER",
++ "CAP_FSETID",
++ "CAP_KILL",
++ "CAP_SETGID",
++ "CAP_SETUID",
++ "CAP_SETPCAP",
++ "CAP_LINUX_IMMUTABLE",
++ "CAP_NET_BIND_SERVICE",
++ "CAP_NET_BROADCAST",
++ "CAP_NET_ADMIN",
++ "CAP_NET_RAW",
++ "CAP_IPC_LOCK",
++ "CAP_IPC_OWNER",
++ "CAP_SYS_MODULE",
++ "CAP_SYS_RAWIO",
++ "CAP_SYS_CHROOT",
++ "CAP_SYS_PTRACE",
++ "CAP_SYS_PACCT",
++ "CAP_SYS_ADMIN",
++ "CAP_SYS_BOOT",
++ "CAP_SYS_NICE",
++ "CAP_SYS_RESOURCE",
++ "CAP_SYS_TIME",
++ "CAP_SYS_TTY_CONFIG",
++ "CAP_MKNOD",
++ "CAP_LEASE"
++};
++
++EXPORT_SYMBOL(gr_task_is_capable);
++
++int
++gr_task_is_capable(struct task_struct *task, const int cap)
++{
++ struct acl_subject_label *curracl;
++ __u32 cap_drop = 0, cap_mask = 0;
++
++ if (!gr_acl_is_enabled())
++ return 1;
++
++ curracl = task->acl;
++
++ cap_drop = curracl->cap_lower;
++ cap_mask = curracl->cap_mask;
++
++ while ((curracl = curracl->parent_subject)) {
++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
++ cap_mask |= curracl->cap_mask;
++ }
++
++ if (!cap_raised(cap_drop, cap))
++ return 1;
++
++ curracl = task->acl;
++
++ if ((curracl->mode & GR_LEARN)
++ && cap_raised(task->cap_effective, cap)) {
++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
++ task->role->roletype, task->uid,
++ task->gid, task->exec_file ?
++ gr_to_filename(task->exec_file->f_dentry,
++ task->exec_file->f_vfsmnt) : curracl->filename,
++ curracl->filename, 0UL,
++ 0UL, "", (unsigned long) cap, NIPQUAD(task->curr_ip));
++ return 1;
++ }
++
++ if ((cap >= 0) && (cap < 29) && cap_raised(task->cap_effective, cap))
++ security_alert(GR_CAP_ACL_MSG, captab_log[cap],
++ gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid,
++ task->gid, task->egid, gr_parent_task_fullpath(task),
++ task->parent->comm, task->parent->pid, task->parent->uid,
++ task->parent->euid, task->parent->gid, task->parent->egid);
++
++ return 0;
++}
++
++int
++gr_is_capable_nolog(const int cap)
++{
++ struct acl_subject_label *curracl;
++ __u32 cap_drop = 0, cap_mask = 0;
++
++ if (!gr_acl_is_enabled())
++ return 1;
++
++ curracl = current->acl;
++
++ cap_drop = curracl->cap_lower;
++ cap_mask = curracl->cap_mask;
++
++ while ((curracl = curracl->parent_subject)) {
++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
++ cap_mask |= curracl->cap_mask;
++ }
++
++ if (!cap_raised(cap_drop, cap))
++ return 1;
++
++ return 0;
++}
++
+diff -uNr linux-2.6.6/grsecurity/gracl_fs.c linux-2.6.6.fixed/grsecurity/gracl_fs.c
+--- linux-2.6.6/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_fs.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,460 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/types.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++#include <linux/gracl.h>
++
++__u32
++gr_acl_handle_hidden_file(const struct dentry * dentry,
++ const struct vfsmount * mnt)
++{
++ __u32 mode;
++
++ if (unlikely(!dentry->d_inode))
++ return GR_FIND;
++
++ mode =
++ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
++
++ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
++ security_audit(GR_HIDDEN_ACL_MSG, "successful",
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return mode;
++ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
++ security_alert(GR_HIDDEN_ACL_MSG, "denied",
++ gr_to_filename(dentry, mnt),
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely(!(mode & GR_FIND)))
++ return 0;
++
++ return GR_FIND;
++}
++
++__u32
++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
++ const int fmode)
++{
++ __u32 reqmode = GR_FIND;
++ __u32 mode;
++
++ if (unlikely(!dentry->d_inode))
++ return reqmode;
++
++ if (unlikely(fmode & O_APPEND))
++ reqmode |= GR_APPEND;
++ else if (unlikely(fmode & FMODE_WRITE))
++ reqmode |= GR_WRITE;
++ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
++ reqmode |= GR_READ;
++
++ mode =
++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
++ mnt);
++
++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
++ security_audit(GR_OPEN_ACL_MSG, "successful",
++ gr_to_filename(dentry, mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" :
++ reqmode & GR_APPEND ? " appending" : "",
++ DEFAULTSECARGS);
++ return reqmode;
++ } else
++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
++ {
++ security_alert(GR_OPEN_ACL_MSG, "denied",
++ gr_to_filename(dentry, mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" : reqmode &
++ GR_APPEND ? " appending" : "", DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely((mode & reqmode) != reqmode))
++ return 0;
++
++ return reqmode;
++}
++
++__u32
++gr_acl_handle_creat(const struct dentry * dentry,
++ const struct dentry * p_dentry,
++ const struct vfsmount * p_mnt, const int fmode,
++ const int imode)
++{
++ __u32 reqmode = GR_WRITE | GR_CREATE;
++ __u32 mode;
++
++ if (unlikely(fmode & O_APPEND))
++ reqmode |= GR_APPEND;
++ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
++ reqmode |= GR_READ;
++ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
++ reqmode |= GR_SETID;
++
++ mode =
++ gr_check_create(dentry, p_dentry, p_mnt,
++ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
++
++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
++ security_audit(GR_CREATE_ACL_MSG, "successful",
++ gr_to_filename(dentry, p_mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" :
++ reqmode & GR_APPEND ? " appending" : "",
++ DEFAULTSECARGS);
++ return reqmode;
++ } else
++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
++ {
++ security_alert(GR_CREATE_ACL_MSG, "denied",
++ gr_to_filename(dentry, p_mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" : reqmode &
++ GR_APPEND ? " appending" : "", DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely((mode & reqmode) != reqmode))
++ return 0;
++
++ return reqmode;
++}
++
++__u32
++gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
++ const int fmode)
++{
++ __u32 mode, reqmode = GR_FIND;
++
++ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
++ reqmode |= GR_EXEC;
++ if (fmode & S_IWOTH)
++ reqmode |= GR_WRITE;
++ if (fmode & S_IROTH)
++ reqmode |= GR_READ;
++
++ mode =
++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
++ mnt);
++
++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
++ security_audit(GR_ACCESS_ACL_MSG, "successful",
++ gr_to_filename(dentry, mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" : "",
++ reqmode & GR_EXEC ? " executing" : "",
++ DEFAULTSECARGS);
++ return reqmode;
++ } else
++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
++ {
++ security_alert(GR_ACCESS_ACL_MSG, "denied",
++ gr_to_filename(dentry, mnt),
++ reqmode & GR_READ ? " reading" : "",
++ reqmode & GR_WRITE ? " writing" : "",
++ reqmode & GR_EXEC ? " executing" : "",
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely((mode & reqmode) != reqmode))
++ return 0;
++
++ return reqmode;
++}
++
++#define generic_fs_handler(dentry, mnt, reqmode, fmt) \
++{ \
++ __u32 mode; \
++ \
++ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt); \
++ \
++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \
++ security_audit(fmt, "successful", \
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS); \
++ return mode; \
++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \
++ security_alert(fmt, "denied", gr_to_filename(dentry, mnt), \
++ DEFAULTSECARGS); \
++ return 0; \
++ } else if (unlikely((mode & (reqmode)) != (reqmode))) \
++ return 0; \
++ \
++ return (reqmode); \
++}
++
++__u32
++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
++ mode_t mode)
++{
++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
++ generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
++ GR_FCHMOD_ACL_MSG);
++ } else {
++ generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
++ }
++}
++
++__u32
++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
++ mode_t mode)
++{
++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
++ generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
++ GR_CHMOD_ACL_MSG);
++ } else {
++ generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
++ }
++}
++
++__u32
++gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
++ GR_UNIXCONNECT_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_filldir(const struct dentry *dentry, const struct vfsmount *mnt,
++ const ino_t ino)
++{
++ if (likely((unsigned long)(dentry->d_inode))) {
++ struct dentry d = *dentry;
++ struct inode inode = *(dentry->d_inode);
++
++ inode.i_ino = ino;
++ d.d_inode = &inode;
++
++ if (unlikely(!gr_search_file(&d, GR_FIND | GR_NOLEARN, mnt)))
++ return 0;
++ }
++
++ return 1;
++}
++
++__u32
++gr_acl_handle_link(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt,
++ const struct dentry * old_dentry,
++ const struct vfsmount * old_mnt, const char *to)
++{
++ __u32 needmode = GR_WRITE | GR_CREATE;
++ __u32 mode;
++
++ mode =
++ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
++ old_mnt);
++
++ if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {
++ security_audit(GR_LINK_ACL_MSG, "successful",
++ gr_to_filename(old_dentry, old_mnt), to,
++ DEFAULTSECARGS);
++ return mode;
++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
++ security_alert(GR_LINK_ACL_MSG, "denied",
++ gr_to_filename(old_dentry, old_mnt), to,
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely((mode & needmode) != needmode))
++ return 0;
++
++ return (GR_WRITE | GR_CREATE);
++}
++
++__u32
++gr_acl_handle_symlink(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt, const char *from)
++{
++ __u32 needmode = GR_WRITE | GR_CREATE;
++ __u32 mode;
++
++ mode =
++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
++ GR_CREATE | GR_AUDIT_CREATE |
++ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
++
++ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
++ security_audit(GR_SYMLINK_ACL_MSG, "successful",
++ from, gr_to_filename(new_dentry, parent_mnt),
++ DEFAULTSECARGS);
++ return mode;
++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
++ security_alert(GR_SYMLINK_ACL_MSG, "denied",
++ from, gr_to_filename(new_dentry, parent_mnt),
++ DEFAULTSECARGS);
++ return 0;
++ } else if (unlikely((mode & needmode) != needmode))
++ return 0;
++
++ return (GR_WRITE | GR_CREATE);
++}
++
++#define generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, reqmode, fmt) \
++{ \
++ __u32 mode; \
++ \
++ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS); \
++ \
++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \
++ security_audit(fmt, "successful", \
++ gr_to_filename(new_dentry, parent_mnt), \
++ DEFAULTSECARGS); \
++ return mode; \
++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \
++ security_alert(fmt, "denied", \
++ gr_to_filename(new_dentry, parent_mnt), \
++ DEFAULTSECARGS); \
++ return 0; \
++ } else if (unlikely((mode & (reqmode)) != (reqmode))) \
++ return 0; \
++ \
++ return (reqmode); \
++}
++
++__u32
++gr_acl_handle_mknod(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt,
++ const int mode)
++{
++ __u32 reqmode = GR_WRITE | GR_CREATE;
++ if (unlikely(mode & (S_ISUID | S_ISGID)))
++ reqmode |= GR_SETID;
++
++ generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
++ reqmode, GR_MKNOD_ACL_MSG);
++}
++
++__u32
++gr_acl_handle_mkdir(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt)
++{
++ generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
++ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
++}
++
++#define RENAME_CHECK_SUCCESS(old, new) \
++ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
++ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
++
++int
++gr_acl_handle_rename(struct dentry *new_dentry,
++ struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ struct dentry *old_dentry,
++ struct inode *old_parent_inode,
++ struct vfsmount *old_mnt, const char *newname)
++{
++ __u32 comp1, comp2;
++ int error = 0;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ return 0;
++
++ if (!new_dentry->d_inode) {
++ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
++ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
++ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
++ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
++ GR_DELETE | GR_AUDIT_DELETE |
++ GR_AUDIT_READ | GR_AUDIT_WRITE |
++ GR_SUPPRESS, old_mnt);
++ } else {
++ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
++ GR_CREATE | GR_DELETE |
++ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
++ GR_AUDIT_READ | GR_AUDIT_WRITE |
++ GR_SUPPRESS, parent_mnt);
++ comp2 =
++ gr_search_file(old_dentry,
++ GR_READ | GR_WRITE | GR_AUDIT_READ |
++ GR_DELETE | GR_AUDIT_DELETE |
++ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
++ }
++
++ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
++ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
++ security_audit(GR_RENAME_ACL_MSG, "successful",
++ gr_to_filename(old_dentry, old_mnt),
++ newname, DEFAULTSECARGS);
++ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
++ && !(comp2 & GR_SUPPRESS)) {
++ security_alert(GR_RENAME_ACL_MSG, "denied",
++ gr_to_filename(old_dentry, old_mnt), newname,
++ DEFAULTSECARGS);
++ error = -EACCES;
++ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
++ error = -EACCES;
++
++ return error;
++}
++
++void
++gr_acl_handle_exit(void)
++{
++ u16 id;
++ char *rolename;
++
++ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
++ id = current->acl_role_id;
++ rolename = current->role->rolename;
++ gr_set_acls(1);
++ security_alert_good(GR_SPROLEL_ACL_MSG,
++ rolename, id, DEFAULTSECARGS);
++ }
++
++ if (current->exec_file) {
++ fput(current->exec_file);
++ current->exec_file = NULL;
++ }
++}
++
++int
++gr_acl_handle_procpidmem(const struct task_struct *task)
++{
++ if (unlikely(!gr_acl_is_enabled()))
++ return 0;
++
++ if (task->acl->mode & GR_PROTPROCFD)
++ return -EACCES;
++
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/gracl_ip.c linux-2.6.6.fixed/grsecurity/gracl_ip.c
+--- linux-2.6.6/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_ip.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,236 @@
++/*
++ * grsecurity/gracl_ip.c
++ * Copyright Brad Spengler 2002, 2003
++ *
++ */
++
++#include <linux/kernel.h>
++#include <asm/uaccess.h>
++#include <asm/errno.h>
++#include <net/sock.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/udp.h>
++#include <linux/smp_lock.h>
++#include <linux/types.h>
++#include <linux/sched.h>
++#include <linux/gracl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++#define GR_BIND 0x01
++#define GR_CONNECT 0x02
++
++static const char * gr_protocols[256] = {
++ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
++ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
++ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
++ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
++ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
++ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
++ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
++ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
++ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
++ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
++ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
++ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
++ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
++ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
++ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
++ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
++ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
++ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
++ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
++ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
++ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
++ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
++ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
++ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
++ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
++ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
++ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
++ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
++ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
++ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
++ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
++ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
++ };
++
++static const char * gr_socktypes[11] = {
++ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
++ "unknown:7", "unknown:8", "unknown:9", "packet"
++ };
++
++__inline__ const char *
++gr_proto_to_name(unsigned char proto)
++{
++ return gr_protocols[proto];
++}
++
++__inline__ const char *
++gr_socktype_to_name(unsigned char type)
++{
++ return gr_socktypes[type];
++}
++
++int
++gr_search_socket(const int domain, const int type, const int protocol)
++{
++ struct acl_subject_label *curr;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ goto exit;
++
++ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
++ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
++ goto exit; // let the kernel handle it
++
++ curr = current->acl;
++
++ if (!curr->ips)
++ goto exit;
++
++ if ((curr->ip_type & (1 << type)) &&
++ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
++ goto exit;
++
++ if (curr->mode & GR_LEARN) {
++ /* we don't place acls on raw sockets , and sometimes
++ dgram/ip sockets are opened for ioctl and not
++ bind/connect, so we'll fake a bind learn log */
++ if (type == SOCK_RAW || type == SOCK_PACKET) {
++ __u32 fakeip = 0;
++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
++ current->role->roletype, current->uid,
++ current->gid, current->exec_file ?
++ gr_to_filename(current->exec_file->f_dentry,
++ current->exec_file->f_vfsmnt) :
++ curr->filename, curr->filename,
++ NIPQUAD(fakeip), 0, type,
++ protocol, GR_CONNECT, NIPQUAD(current->curr_ip));
++ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
++ __u32 fakeip = 0;
++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
++ current->role->roletype, current->uid,
++ current->gid, current->exec_file ?
++ gr_to_filename(current->exec_file->f_dentry,
++ current->exec_file->f_vfsmnt) :
++ curr->filename, curr->filename,
++ NIPQUAD(fakeip), 0, type,
++ protocol, GR_BIND, NIPQUAD(current->curr_ip));
++ }
++ /* we'll log when they use connect or bind */
++ goto exit;
++ }
++
++ security_alert(GR_SOCK_MSG, "inet", gr_socktype_to_name(type),
++ gr_proto_to_name(protocol), DEFAULTSECARGS);
++
++ return 0;
++ exit:
++ return 1;
++}
++
++static __inline__ int
++gr_search_connectbind(const int mode, const struct sock *sk,
++ const struct sockaddr_in *addr, const int type)
++{
++ struct acl_subject_label *curr;
++ struct acl_ip_label *ip;
++ unsigned long i;
++ __u32 ip_addr = 0;
++ __u16 ip_port = 0;
++
++ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
++ return 1;
++
++ curr = current->acl;
++
++ if (!curr->ips)
++ return 1;
++
++ ip_addr = addr->sin_addr.s_addr;
++ ip_port = ntohs(addr->sin_port);
++
++ for (i = 0; i < curr->ip_num; i++) {
++ ip = *(curr->ips + i);
++ if ((ip->mode & mode) &&
++ (ip_port >= ip->low) &&
++ (ip_port <= ip->high) &&
++ ((ntohl(ip_addr) & ip->netmask) ==
++ (ntohl(ip->addr) & ip->netmask))
++ && (ip->
++ proto[sk->sk_protocol / 32] & (1 << (sk->sk_protocol % 32)))
++ && (ip->type & (1 << type)))
++ return 1;
++ }
++
++ if (curr->mode & GR_LEARN) {
++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
++ current->role->roletype, current->uid,
++ current->gid, current->exec_file ?
++ gr_to_filename(current->exec_file->f_dentry,
++ current->exec_file->f_vfsmnt) :
++ curr->filename, curr->filename,
++ NIPQUAD(ip_addr), ip_port, type,
++ sk->sk_protocol, mode, NIPQUAD(current->curr_ip));
++ return 1;
++ }
++
++ if (mode == GR_BIND)
++ security_alert(GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port,
++ gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol),
++ DEFAULTSECARGS);
++ else if (mode == GR_CONNECT)
++ security_alert(GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port,
++ gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol),
++ DEFAULTSECARGS);
++
++ return 0;
++}
++
++int
++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
++{
++ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
++}
++
++int
++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
++{
++ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
++}
++
++int
++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
++{
++ if (addr)
++ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
++ else {
++ struct sockaddr_in sin;
++ const struct inet_opt *inet = inet_sk(sk);
++
++ sin.sin_addr.s_addr = inet->daddr;
++ sin.sin_port = inet->dport;
++
++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
++ }
++}
++
++int
++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
++{
++ struct sockaddr_in sin;
++
++ if (unlikely(skb->len < sizeof (struct udphdr)))
++ return 1; // skip this packet
++
++ sin.sin_addr.s_addr = skb->nh.iph->saddr;
++ sin.sin_port = skb->h.uh->source;
++
++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
++}
+diff -uNr linux-2.6.6/grsecurity/gracl_learn.c linux-2.6.6.fixed/grsecurity/gracl_learn.c
+--- linux-2.6.6/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_learn.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,204 @@
++#include <linux/kernel.h>
++#include <linux/mm.h>
++#include <linux/sched.h>
++#include <linux/poll.h>
++#include <linux/smp_lock.h>
++#include <linux/string.h>
++#include <linux/file.h>
++#include <linux/types.h>
++#include <linux/vmalloc.h>
++#include <linux/grinternal.h>
++
++extern ssize_t write_grsec_handler(struct file * file, const char * buf,
++ size_t count, loff_t *ppos);
++extern int gr_acl_is_enabled(void);
++
++static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
++static int gr_learn_attached;
++
++/* use a 512k buffer */
++#define LEARN_BUFFER_SIZE (512 * 1024)
++
++static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
++static DECLARE_MUTEX(gr_learn_user_sem);
++
++/* we need to maintain two buffers, so that the kernel context of grlearn
++ uses a semaphore around the userspace copying, and the other kernel contexts
++ use a spinlock when copying into the buffer, since they cannot sleep
++*/
++static char *learn_buffer;
++static char *learn_buffer_user;
++static int learn_buffer_len;
++static int learn_buffer_user_len;
++
++static ssize_t
++read_learn(struct file *file, char * buf, size_t count, loff_t * ppos)
++{
++ DECLARE_WAITQUEUE(wait, current);
++ ssize_t retval = 0;
++
++ add_wait_queue(&learn_wait, &wait);
++ set_current_state(TASK_INTERRUPTIBLE);
++ do {
++ down(&gr_learn_user_sem);
++ spin_lock(&gr_learn_lock);
++ if (learn_buffer_len)
++ break;
++ spin_unlock(&gr_learn_lock);
++ up(&gr_learn_user_sem);
++ if (file->f_flags & O_NONBLOCK) {
++ retval = -EAGAIN;
++ goto out;
++ }
++ if (signal_pending(current)) {
++ retval = -ERESTARTSYS;
++ goto out;
++ }
++
++ schedule();
++ } while (1);
++
++ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
++ learn_buffer_user_len = learn_buffer_len;
++ retval = learn_buffer_len;
++ learn_buffer_len = 0;
++
++ spin_unlock(&gr_learn_lock);
++
++ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
++ retval = -EFAULT;
++
++ up(&gr_learn_user_sem);
++out:
++ set_current_state(TASK_RUNNING);
++ remove_wait_queue(&learn_wait, &wait);
++ return retval;
++}
++
++static unsigned int
++poll_learn(struct file * file, poll_table * wait)
++{
++ poll_wait(file, &learn_wait, wait);
++
++ if (learn_buffer_len)
++ return (POLLIN | POLLRDNORM);
++
++ return 0;
++}
++
++void
++gr_clear_learn_entries(void)
++{
++ char *tmp;
++
++ down(&gr_learn_user_sem);
++ if (learn_buffer != NULL) {
++ spin_lock(&gr_learn_lock);
++ tmp = learn_buffer;
++ learn_buffer = NULL;
++ spin_unlock(&gr_learn_lock);
++ vfree(learn_buffer);
++ }
++ if (learn_buffer_user != NULL) {
++ vfree(learn_buffer_user);
++ learn_buffer_user = NULL;
++ }
++ learn_buffer_len = 0;
++ up(&gr_learn_user_sem);
++
++ return;
++}
++
++void
++gr_add_learn_entry(const char *fmt, ...)
++{
++ va_list args;
++ unsigned int len;
++
++ if (!gr_learn_attached)
++ return;
++
++ spin_lock(&gr_learn_lock);
++
++ /* leave a gap at the end so we know when it's "full" but don't have to
++ compute the exact length of the string we're trying to append
++ */
++ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
++ spin_unlock(&gr_learn_lock);
++ wake_up_interruptible(&learn_wait);
++ return;
++ }
++ if (learn_buffer == NULL) {
++ spin_unlock(&gr_learn_lock);
++ return;
++ }
++
++ va_start(args, fmt);
++ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
++ va_end(args);
++
++ learn_buffer_len += len + 1;
++
++ spin_unlock(&gr_learn_lock);
++ wake_up_interruptible(&learn_wait);
++
++ return;
++}
++
++static int
++open_learn(struct inode *inode, struct file *file)
++{
++ if (file->f_mode & FMODE_READ && gr_learn_attached)
++ return -EBUSY;
++ if (file->f_mode & FMODE_READ) {
++ down(&gr_learn_user_sem);
++ if (learn_buffer == NULL)
++ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
++ if (learn_buffer_user == NULL)
++ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
++ if (learn_buffer == NULL)
++ return -ENOMEM;
++ if (learn_buffer_user == NULL)
++ return -ENOMEM;
++ learn_buffer_len = 0;
++ learn_buffer_user_len = 0;
++ gr_learn_attached = 1;
++ up(&gr_learn_user_sem);
++ }
++ return 0;
++}
++
++static int
++close_learn(struct inode *inode, struct file *file)
++{
++ char *tmp;
++
++ if (file->f_mode & FMODE_READ) {
++ down(&gr_learn_user_sem);
++ if (learn_buffer != NULL) {
++ spin_lock(&gr_learn_lock);
++ tmp = learn_buffer;
++ learn_buffer = NULL;
++ spin_unlock(&gr_learn_lock);
++ vfree(tmp);
++ }
++ if (learn_buffer_user != NULL) {
++ vfree(learn_buffer_user);
++ learn_buffer_user = NULL;
++ }
++ learn_buffer_len = 0;
++ learn_buffer_user_len = 0;
++ gr_learn_attached = 0;
++ up(&gr_learn_user_sem);
++ }
++
++ return 0;
++}
++
++struct file_operations grsec_fops = {
++ read: read_learn,
++ write: write_grsec_handler,
++ open: open_learn,
++ release: close_learn,
++ poll: poll_learn,
++};
+diff -uNr linux-2.6.6/grsecurity/gracl_res.c linux-2.6.6.fixed/grsecurity/gracl_res.c
+--- linux-2.6.6/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_res.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,50 @@
++/* resource handling routines (c) Brad Spengler 2002, 2003 */
++
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/gracl.h>
++#include <linux/grinternal.h>
++
++static const char *restab_log[11] = {
++ "RLIMIT_CPU",
++ "RLIMIT_FSIZE",
++ "RLIMIT_DATA",
++ "RLIMIT_STACK",
++ "RLIMIT_CORE",
++ "RLIMIT_RSS",
++ "RLIMIT_NPROC",
++ "RLIMIT_NOFILE",
++ "RLIMIT_MEMLOCK",
++ "RLIMIT_AS",
++ "RLIMIT_LOCKS"
++};
++
++__inline__ void
++gr_log_resource(const struct task_struct *task,
++ const int res, const unsigned long wanted, const int gt)
++{
++ if (unlikely(res == RLIMIT_NPROC &&
++ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
++ cap_raised(task->cap_effective, CAP_SYS_RESOURCE))))
++ return;
++
++ preempt_disable();
++
++ if (unlikely(((gt && wanted > task->rlim[res].rlim_cur) ||
++ (!gt && wanted >= task->rlim[res].rlim_cur)) &&
++ task->rlim[res].rlim_cur != RLIM_INFINITY))
++ security_alert(GR_RESOURCE_MSG, wanted, restab_log[res],
++ task->rlim[res].rlim_cur,
++ gr_task_fullpath(task), task->comm,
++ task->pid, task->uid, task->euid,
++ task->gid, task->egid,
++ gr_parent_task_fullpath(task),
++ task->parent->comm,
++ task->parent->pid, task->parent->uid,
++ task->parent->euid, task->parent->gid,
++ task->parent->egid);
++
++ preempt_enable_no_resched();
++
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/gracl_segv.c linux-2.6.6.fixed/grsecurity/gracl_segv.c
+--- linux-2.6.6/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_segv.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,330 @@
++/*
++ * grsecurity/gracl_segv.c
++ * Copyright Brad Spengler 2002, 2003
++ *
++ */
++
++#include <linux/kernel.h>
++#include <linux/mm.h>
++#include <asm/uaccess.h>
++#include <asm/errno.h>
++#include <asm/mman.h>
++#include <net/sock.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/smp_lock.h>
++#include <linux/slab.h>
++#include <linux/types.h>
++#include <linux/sched.h>
++#include <linux/timer.h>
++#include <linux/gracl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++static struct crash_uid *uid_set;
++static unsigned short uid_used;
++static rwlock_t gr_uid_lock = RW_LOCK_UNLOCKED;
++extern rwlock_t gr_inode_lock;
++extern struct acl_subject_label *
++ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
++ struct acl_role_label *role);
++extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
++
++int
++gr_init_uidset(void)
++{
++ uid_set =
++ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
++ uid_used = 0;
++
++ return uid_set ? 1 : 0;
++}
++
++void
++gr_free_uidset(void)
++{
++ if (uid_set)
++ kfree(uid_set);
++
++ return;
++}
++
++int
++gr_find_uid(const uid_t uid)
++{
++ struct crash_uid *tmp = uid_set;
++ uid_t buid;
++ int low = 0, high = uid_used - 1, mid;
++
++ while (high >= low) {
++ mid = (low + high) >> 1;
++ buid = tmp[mid].uid;
++ if (buid == uid)
++ return mid;
++ if (buid > uid)
++ high = mid - 1;
++ if (buid < uid)
++ low = mid + 1;
++ }
++
++ return -1;
++}
++
++static __inline__ void
++gr_insertsort(void)
++{
++ unsigned short i, j;
++ struct crash_uid index;
++
++ for (i = 1; i < uid_used; i++) {
++ index = uid_set[i];
++ j = i;
++ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
++ uid_set[j] = uid_set[j - 1];
++ j--;
++ }
++ uid_set[j] = index;
++ }
++
++ return;
++}
++
++static __inline__ void
++gr_insert_uid(const uid_t uid, const unsigned long expires)
++{
++ int loc;
++
++ if (uid_used == GR_UIDTABLE_MAX)
++ return;
++
++ loc = gr_find_uid(uid);
++
++ if (loc >= 0) {
++ uid_set[loc].expires = expires;
++ return;
++ }
++
++ uid_set[uid_used].uid = uid;
++ uid_set[uid_used].expires = expires;
++ uid_used++;
++
++ gr_insertsort();
++
++ return;
++}
++
++void
++gr_remove_uid(const unsigned short loc)
++{
++ unsigned short i;
++
++ for (i = loc + 1; i < uid_used; i++)
++ uid_set[i - i] = uid_set[i];
++
++ uid_used--;
++
++ return;
++}
++
++int
++gr_check_crash_uid(const uid_t uid)
++{
++ int loc;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ return 0;
++
++ read_lock(&gr_uid_lock);
++ loc = gr_find_uid(uid);
++ read_unlock(&gr_uid_lock);
++
++ if (loc < 0)
++ return 0;
++
++ write_lock(&gr_uid_lock);
++ if (time_before_eq(uid_set[loc].expires, get_seconds()))
++ gr_remove_uid(loc);
++ else {
++ write_unlock(&gr_uid_lock);
++ return 1;
++ }
++
++ write_unlock(&gr_uid_lock);
++ return 0;
++}
++
++static __inline__ int
++proc_is_setxid(const struct task_struct *task)
++{
++ if (task->uid != task->euid || task->uid != task->suid ||
++ task->uid != task->fsuid)
++ return 1;
++ if (task->gid != task->egid || task->gid != task->sgid ||
++ task->gid != task->fsgid)
++ return 1;
++
++ return 0;
++}
++static __inline__ int
++gr_fake_force_sig(int sig, struct task_struct *t)
++{
++ unsigned long int flags;
++ int ret;
++
++ spin_lock_irqsave(&t->sighand->siglock, flags);
++ if (sigismember(&t->blocked, sig) || t->sighand->action[sig-1].sa.sa_handler == SIG_IGN) {
++ t->sighand->action[sig-1].sa.sa_handler = SIG_DFL;
++ sigdelset(&t->blocked, sig);
++ recalc_sigpending_tsk(t);
++ }
++ ret = specific_send_sig_info(sig, (void*)1L, t);
++ spin_unlock_irqrestore(&t->sighand->siglock, flags);
++
++ return ret;
++}
++
++void
++gr_handle_crash(struct task_struct *task, const int sig)
++{
++ struct acl_subject_label *curr;
++ struct acl_subject_label *curr2;
++ struct task_struct *tsk, *tsk2;
++
++ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
++ return;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ return;
++
++ curr = task->acl;
++
++ if (!(curr->resmask & (1 << GR_CRASH_RES)))
++ return;
++
++ if (time_before_eq(curr->expires, get_seconds())) {
++ curr->expires = 0;
++ curr->crashes = 0;
++ }
++
++ curr->crashes++;
++
++ if (!curr->expires)
++ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
++
++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
++ time_after(curr->expires, get_seconds())) {
++ if (task->uid && proc_is_setxid(task)) {
++ security_alert(GR_SEGVSTART_ACL_MSG,
++ gr_task_fullpath(task), task->comm,
++ task->pid, task->uid, task->euid,
++ task->gid, task->egid,
++ gr_parent_task_fullpath(task),
++ task->parent->comm, task->parent->pid,
++ task->parent->uid, task->parent->euid,
++ task->parent->gid, task->parent->egid,
++ task->uid,
++ curr->res[GR_CRASH_RES].rlim_max);
++ write_lock(&gr_uid_lock);
++ gr_insert_uid(task->uid, curr->expires);
++ write_unlock(&gr_uid_lock);
++ curr->expires = 0;
++ curr->crashes = 0;
++ read_lock(&tasklist_lock);
++ for_each_process(tsk) {
++ tsk2 = tsk;
++ do {
++ if (tsk2 != task && tsk2->uid == task->uid)
++ gr_fake_force_sig(SIGKILL, tsk2);
++ } while ((tsk2 = next_thread(tsk2)) != tsk);
++ }
++ read_unlock(&tasklist_lock);
++ } else {
++ security_alert(GR_SEGVNOSUID_ACL_MSG,
++ gr_task_fullpath(task), task->comm,
++ task->pid, task->uid, task->euid,
++ task->gid, task->egid,
++ gr_parent_task_fullpath(task),
++ task->parent->comm, task->parent->pid,
++ task->parent->uid, task->parent->euid,
++ task->parent->gid, task->parent->egid,
++ curr->res[GR_CRASH_RES].rlim_max);
++ read_lock(&tasklist_lock);
++ for_each_process(tsk) {
++ tsk2 = tsk;
++ do {
++ if (likely(tsk2 != task)) {
++ curr2 = tsk2->acl;
++
++ if (curr2->device == curr->device &&
++ curr2->inode == curr->inode)
++ gr_fake_force_sig(SIGKILL, tsk2);
++ }
++ } while ((tsk2 = next_thread(tsk2)) != tsk);
++ }
++ read_unlock(&tasklist_lock);
++ }
++ }
++
++ return;
++}
++
++int
++gr_check_crash_exec(const struct file *filp)
++{
++ struct acl_subject_label *curr;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ return 0;
++
++ read_lock(&gr_inode_lock);
++ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
++ filp->f_dentry->d_inode->i_sb->s_dev,
++ current->role);
++ read_unlock(&gr_inode_lock);
++
++ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
++ (!curr->crashes && !curr->expires))
++ return 0;
++
++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
++ time_after(curr->expires, get_seconds()))
++ return 1;
++ else if (time_before_eq(curr->expires, get_seconds())) {
++ curr->crashes = 0;
++ curr->expires = 0;
++ }
++
++ return 0;
++}
++
++void
++gr_handle_alertkill(void)
++{
++ struct acl_subject_label *curracl;
++ __u32 curr_ip;
++ struct task_struct *task, *task2;
++
++ if (unlikely(!gr_acl_is_enabled()))
++ return;
++
++ curracl = current->acl;
++ curr_ip = current->curr_ip;
++
++ if ((curracl->mode & GR_KILLIPPROC) && curr_ip &&
++ (curr_ip != 0xffffffff)) {
++ read_lock(&tasklist_lock);
++ for_each_process(task) {
++ task2 = task;
++ do {
++ if (task2->curr_ip == curr_ip)
++ gr_fake_force_sig(SIGKILL, task2);
++ } while ((task2 = next_thread(task2)) != task);
++ }
++ read_unlock(&tasklist_lock);
++ } else if (curracl->mode & GR_KILLPROC)
++ gr_fake_force_sig(SIGKILL, current);
++
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/gracl_shm.c linux-2.6.6.fixed/grsecurity/gracl_shm.c
+--- linux-2.6.6/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/gracl_shm.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,36 @@
++/* shared memory handling routines, (c) Brad Spengler 2002, 2003 */
++
++#include <linux/kernel.h>
++#include <linux/mm.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/ipc.h>
++#include <linux/gracl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
++ const time_t shm_createtime, const uid_t cuid, const int shmid)
++{
++ struct task_struct *task;
++
++ if (!gr_acl_is_enabled())
++ return 1;
++
++ task = find_task_by_pid(shm_cprid);
++
++ if (unlikely(!task))
++ task = find_task_by_pid(shm_lapid);
++
++ if (unlikely(task && ((task->start_time < shm_createtime) ||
++ (task->pid == shm_lapid)) &&
++ (task->acl->mode & GR_PROTSHM) &&
++ (task->acl != current->acl))) {
++ security_alert(GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid,
++ DEFAULTSECARGS);
++ return 0;
++ }
++
++ return 1;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_chdir.c linux-2.6.6.fixed/grsecurity/grsec_chdir.c
+--- linux-2.6.6/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_chdir.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,20 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
++ if ((grsec_enable_chdir && grsec_enable_group &&
++ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
++ !grsec_enable_group)) {
++ security_audit(GR_CHDIR_AUDIT_MSG, gr_to_filename(dentry, mnt),
++ DEFAULTSECARGS);
++ }
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_chroot.c linux-2.6.6.fixed/grsecurity/grsec_chroot.c
+--- linux-2.6.6/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_chroot.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,346 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/mount.h>
++#include <linux/types.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_chroot_unix(const pid_t pid)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
++ struct pid *spid = NULL;
++
++ if (unlikely(!grsec_enable_chroot_unix))
++ return 1;
++
++ if (likely(!proc_is_chrooted(current)))
++ return 1;
++
++ read_lock(&tasklist_lock);
++
++ spid = find_pid(PIDTYPE_PID, pid);
++ if (spid) {
++ struct task_struct *p;
++ p = pid_task(spid->task_list.next, PIDTYPE_PID);
++ if (unlikely(!have_same_root(current, p))) {
++ read_unlock(&tasklist_lock);
++ security_alert(GR_UNIX_CHROOT_MSG, DEFAULTSECARGS);
++ return 0;
++ }
++ }
++ read_unlock(&tasklist_lock);
++#endif
++ return 1;
++}
++
++int
++gr_handle_chroot_nice(void)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
++ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
++ security_alert(GR_NICE_CHROOT_MSG, DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
++ && proc_is_chrooted(current)) {
++ security_alert(GR_PRIORITY_CHROOT_MSG, p->comm, p->pid,
++ DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_capset(const struct task_struct *target)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
++ !have_same_root(current, target)) {
++ security_alert(GR_CAPSET_CHROOT_MSG, target->comm, target->pid,
++ DEFAULTSECARGS);
++ return 1;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_rawio(const struct inode *inode)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
++ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
++ return 1;
++#endif
++ return 0;
++}
++
++int
++gr_pid_is_chrooted(const struct task_struct *p)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
++ if (!grsec_enable_chroot_findtask || (current->pid <= 1))
++ return 0;
++
++ if (p && p->fs && p->fs->root && p->fs->root->d_inode &&
++ child_reaper && child_reaper->fs && child_reaper->fs->root &&
++ child_reaper->fs->root->d_inode && current && current->fs &&
++ current->fs->root && current->fs->root->d_inode) {
++ if (proc_is_chrooted(current) && !have_same_root(current, p))
++ return 1;
++ }
++#endif
++ return 0;
++}
++
++EXPORT_SYMBOL(gr_pid_is_chrooted);
++
++#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
++int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
++{
++ struct dentry *dentry = (struct dentry *)u_dentry;
++ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
++ struct dentry *realroot;
++ struct vfsmount *realrootmnt;
++ struct dentry *currentroot;
++ struct vfsmount *currentmnt;
++
++ read_lock(&child_reaper->fs->lock);
++ realrootmnt = mntget(child_reaper->fs->rootmnt);
++ realroot = dget(child_reaper->fs->root);
++ read_unlock(&child_reaper->fs->lock);
++
++ read_lock(¤t->fs->lock);
++ currentmnt = mntget(current->fs->rootmnt);
++ currentroot = dget(current->fs->root);
++ read_unlock(¤t->fs->lock);
++
++ spin_lock(&dcache_lock);
++ for (;;) {
++ if (unlikely((dentry == realroot && mnt == realrootmnt)
++ || (dentry == currentroot && mnt == currentmnt)))
++ break;
++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
++ if (mnt->mnt_parent == mnt)
++ break;
++ dentry = mnt->mnt_mountpoint;
++ mnt = mnt->mnt_parent;
++ continue;
++ }
++ dentry = dentry->d_parent;
++ }
++ spin_unlock(&dcache_lock);
++
++ dput(currentroot);
++ mntput(currentmnt);
++
++ if (dentry == realroot && mnt == realrootmnt) {
++ /* access is outside of chroot */
++ dput(realroot);
++ mntput(realrootmnt);
++ return 0;
++ }
++
++ dput(realroot);
++ mntput(realrootmnt);
++ return 1;
++}
++#endif
++
++int
++gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
++ if (!grsec_enable_chroot_fchdir)
++ return 1;
++
++ if (!proc_is_chrooted(current))
++ return 1;
++ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
++ security_alert(GR_CHROOT_FCHDIR_MSG,
++ gr_to_filename(u_dentry, u_mnt),
++ DEFAULTSECARGS);
++ return 0;
++ }
++#endif
++ return 1;
++}
++
++int
++gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
++ const time_t shm_createtime)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
++ struct pid *pid = NULL;
++ u64 starttime64;
++ time_t starttime;
++
++ if (unlikely(!grsec_enable_chroot_shmat))
++ return 1;
++
++ if (likely(!proc_is_chrooted(current)))
++ return 1;
++
++ read_lock(&tasklist_lock);
++
++ pid = find_pid(PIDTYPE_PID, shm_cprid);
++ if (pid) {
++ struct task_struct *p;
++ p = pid_task(pid->task_list.next, PIDTYPE_PID);
++ starttime64 = p->start_time;
++ do_div(starttime64, HZ);
++ starttime = (time_t) starttime64;
++ if (unlikely(!have_same_root(current, p) &&
++ time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
++ read_unlock(&tasklist_lock);
++ security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
++ return 0;
++ }
++ } else {
++ pid = find_pid(PIDTYPE_PID, shm_lapid);
++ if (pid) {
++ struct task_struct *p;
++ p = pid_task(pid->task_list.next, PIDTYPE_PID);
++ if (unlikely(!have_same_root(current, p))) {
++ read_unlock(&tasklist_lock);
++ security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
++ return 0;
++ }
++ }
++ }
++
++ read_unlock(&tasklist_lock);
++#endif
++ return 1;
++}
++
++void
++gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
++ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
++ security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt),
++ DEFAULTSECARGS);
++#endif
++ return;
++}
++
++int
++gr_handle_chroot_mknod(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int mode)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
++ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
++ proc_is_chrooted(current)) {
++ security_alert(GR_MKNOD_CHROOT_MSG,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_mount(const struct dentry *dentry,
++ const struct vfsmount *mnt, const char *dev_name)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
++ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
++ security_alert(GR_MOUNT_CHROOT_MSG, dev_name,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_pivot(void)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
++ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
++ security_alert(GR_PIVOT_CHROOT_MSG, DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
++ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
++ !gr_is_outside_chroot(dentry, mnt)) {
++ security_alert(GR_CHROOT_CHROOT_MSG,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
++
++void
++gr_handle_chroot_caps(struct task_struct *task)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
++ task->cap_permitted =
++ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
++ task->cap_inheritable =
++ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
++ task->cap_effective =
++ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
++ }
++#endif
++ return;
++}
++
++int
++gr_handle_chroot_sysctl(const int op)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
++ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
++ && (op & 002))
++ return -EACCES;
++#endif
++ return 0;
++}
++
++void
++gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
++ if (grsec_enable_chroot_chdir)
++ set_fs_pwd(current->fs, mnt, dentry);
++#endif
++ return;
++}
++
++int
++gr_handle_chroot_chmod(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int mode)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
++ if (grsec_enable_chroot_chmod &&
++ ((mode & S_ISUID) || (mode & S_ISGID)) &&
++ proc_is_chrooted(current)) {
++ security_alert(GR_CHMOD_CHROOT_MSG,
++ gr_to_filename(dentry, mnt), DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_disabled.c linux-2.6.6.fixed/grsecurity/grsec_disabled.c
+--- linux-2.6.6/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_disabled.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,419 @@
++/*
++ * when grsecurity is disabled, compile all external functions into nothing
++ */
++
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/config.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/kdev_t.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/skbuff.h>
++#include <linux/sysctl.h>
++
++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
++__inline__ void
++pax_set_flags(struct linux_binprm *bprm)
++{
++ return;
++}
++#endif
++
++#ifdef CONFIG_SYSCTL
++__inline__ __u32
++gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
++{
++ return mode;
++}
++#endif
++
++__inline__ int
++gr_acl_is_enabled(void)
++{
++ return 0;
++}
++
++__inline__ int
++gr_handle_rawio(const struct inode *inode)
++{
++ return 0;
++}
++
++__inline__ void
++gr_acl_handle_psacct(struct task_struct *task, const long code)
++{
++ return;
++}
++
++__inline__ int
++gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return 0;
++}
++
++__inline__ int
++gr_handle_mmap(const struct file *filp, const unsigned long prot)
++{
++ return 0;
++}
++
++__inline__ int
++gr_handle_ptrace(struct task_struct *task, const long request)
++{
++ return 0;
++}
++
++__inline__ int
++gr_handle_proc_ptrace(struct task_struct *task)
++{
++ return 0;
++}
++
++__inline__ void
++gr_learn_resource(const struct task_struct *task,
++ const int res, const unsigned long wanted, const int gt)
++{
++ return;
++}
++
++__inline__ int
++gr_set_acls(const int type)
++{
++ return 0;
++}
++
++__inline__ int
++gr_check_hidden_task(const struct task_struct *tsk)
++{
++ return 0;
++}
++
++__inline__ int
++gr_check_protected_task(const struct task_struct *task)
++{
++ return 0;
++}
++
++__inline__ void
++gr_copy_label(struct task_struct *tsk)
++{
++ return;
++}
++
++__inline__ void
++gr_set_pax_flags(struct task_struct *task)
++{
++ return;
++}
++
++__inline__ void
++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return;
++}
++
++__inline__ void
++gr_handle_delete(const ino_t ino, const dev_t dev)
++{
++ return;
++}
++
++__inline__ void
++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
++{
++ return;
++}
++
++__inline__ void
++gr_handle_crash(struct task_struct *task, const int sig)
++{
++ return;
++}
++
++__inline__ int
++gr_check_crash_exec(const struct file *filp)
++{
++ return 0;
++}
++
++__inline__ int
++gr_check_crash_uid(const uid_t uid)
++{
++ return 0;
++}
++
++__inline__ void
++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
++ struct dentry *old_dentry,
++ struct dentry *new_dentry,
++ struct vfsmount *mnt, const __u8 replace)
++{
++ return;
++}
++
++__inline__ int
++gr_search_socket(const int family, const int type, const int protocol)
++{
++ return 1;
++}
++
++__inline__ int
++gr_search_connectbind(const int mode, const struct socket *sock,
++ const struct sockaddr_in *addr)
++{
++ return 1;
++}
++
++__inline__ int
++gr_task_is_capable(struct task_struct *task, const int cap)
++{
++ return 1;
++}
++
++__inline__ int
++gr_is_capable_nolog(const int cap)
++{
++ return 1;
++}
++
++__inline__ void
++gr_handle_alertkill(void)
++{
++ return;
++}
++
++__inline__ __u32
++gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_hidden_file(const struct dentry * dentry,
++ const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
++ const int fmode)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ int
++gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
++ unsigned int *vm_flags)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_truncate(const struct dentry * dentry,
++ const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_access(const struct dentry * dentry,
++ const struct vfsmount * mnt, const int fmode)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
++ mode_t mode)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
++ mode_t mode)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ void
++grsecurity_init(void)
++{
++ return;
++}
++
++__inline__ __u32
++gr_acl_handle_mknod(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt,
++ const int mode)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_mkdir(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_symlink(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt, const char *from)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_link(const struct dentry * new_dentry,
++ const struct dentry * parent_dentry,
++ const struct vfsmount * parent_mnt,
++ const struct dentry * old_dentry,
++ const struct vfsmount * old_mnt, const char *to)
++{
++ return 1;
++}
++
++__inline__ int
++gr_acl_handle_rename(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ const struct dentry *old_dentry,
++ const struct inode *old_parent_inode,
++ const struct vfsmount *old_mnt, const char *newname)
++{
++ return 0;
++}
++
++__inline__ __u32
++gr_acl_handle_filldir(const struct dentry * dentry,
++ const struct vfsmount * mnt, const ino_t ino)
++{
++ return 1;
++}
++
++__inline__ int
++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
++ const time_t shm_createtime, const uid_t cuid, const int shmid)
++{
++ return 1;
++}
++
++__inline__ int
++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
++{
++ return 1;
++}
++
++__inline__ int
++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
++{
++ return 1;
++}
++
++__inline__ __u32
++gr_acl_handle_creat(const struct dentry * dentry,
++ const struct dentry * p_dentry,
++ const struct vfsmount * p_mnt, const int fmode,
++ const int imode)
++{
++ return 1;
++}
++
++__inline__ void
++gr_acl_handle_exit(void)
++{
++ return;
++}
++
++__inline__ int
++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
++{
++ return 1;
++}
++
++__inline__ void
++gr_set_role_label(const uid_t uid, const gid_t gid)
++{
++ return;
++}
++
++__inline__ int
++gr_acl_handle_procpidmem(const struct task_struct *task)
++{
++ return 0;
++}
++
++__inline__ int
++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
++{
++ return 1;
++}
++
++__inline__ int
++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
++{
++ return 1;
++}
++
++__inline__ void
++gr_set_kernel_label(struct task_struct *task)
++{
++ return;
++}
++
++__inline__ int
++gr_check_user_change(int real, int effective, int fs)
++{
++ return 0;
++}
++
++__inline__ int
++gr_check_group_change(int real, int effective, int fs)
++{
++ return 0;
++}
++
++
++EXPORT_SYMBOL(gr_task_is_capable);
++EXPORT_SYMBOL(gr_learn_resource);
++EXPORT_SYMBOL(gr_set_kernel_label);
++
+diff -uNr linux-2.6.6/grsecurity/grsec_exec.c linux-2.6.6.fixed/grsecurity/grsec_exec.c
+--- linux-2.6.6/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_exec.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,71 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/binfmts.h>
++#include <linux/fs.h>
++#include <linux/types.h>
++#include <linux/grdefs.h>
++#include <linux/grinternal.h>
++#include <linux/capability.h>
++
++#include <asm/uaccess.h>
++
++int
++gr_handle_nproc(void)
++{
++#ifdef CONFIG_GRKERNSEC_EXECVE
++ if (grsec_enable_execve && current->user &&
++ (atomic_read(¤t->user->processes) >
++ current->rlim[RLIMIT_NPROC].rlim_cur) &&
++ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
++ security_alert(GR_NPROC_MSG, DEFAULTSECARGS);
++ return -EAGAIN;
++ }
++#endif
++ return 0;
++}
++
++void
++gr_handle_exec_args(struct linux_binprm *bprm, char **argv)
++{
++#ifdef CONFIG_GRKERNSEC_EXECLOG
++ char grarg[64] = { 0 };
++ __u8 execlen = 0;
++ unsigned int i;
++
++ if (!((grsec_enable_execlog && grsec_enable_group &&
++ in_group_p(grsec_audit_gid))
++ || (grsec_enable_execlog && !grsec_enable_group)))
++ return;
++
++ if (unlikely(!argv))
++ goto log;
++
++ for (i = 0; i < bprm->argc && execlen < 62; i++) {
++ char *p;
++ __u8 len;
++
++ if (get_user(p, argv + i))
++ goto log;
++ if (!p)
++ goto log;
++ len = strnlen_user(p, 62 - execlen);
++ if (len > 62 - execlen)
++ len = 62 - execlen;
++ else if (len > 0)
++ len--;
++ if (copy_from_user(grarg + execlen, p, len))
++ goto log;
++ execlen += len;
++ *(grarg + execlen) = ' ';
++ *(grarg + execlen + 1) = '\0';
++ execlen++;
++ }
++
++ log:
++ security_audit(GR_EXEC_AUDIT_MSG, gr_to_filename(bprm->file->f_dentry,
++ bprm->file->f_vfsmnt),
++ grarg, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_fifo.c linux-2.6.6.fixed/grsecurity/grsec_fifo.c
+--- linux-2.6.6/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_fifo.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,24 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
++ const struct dentry *dir, const int flag, const int acc_mode)
++{
++#ifdef CONFIG_GRKERNSEC_FIFO
++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
++ (current->fsuid != dentry->d_inode->i_uid)) {
++ if (!vfs_permission(dentry->d_inode, acc_mode))
++ security_alert(GR_FIFO_MSG, gr_to_filename(dentry, mnt),
++ dentry->d_inode->i_uid,
++ dentry->d_inode->i_gid, DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_fork.c linux-2.6.6.fixed/grsecurity/grsec_fork.c
+--- linux-2.6.6/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_fork.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,14 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_forkfail(const int retval)
++{
++#ifdef CONFIG_GRKERNSEC_FORKFAIL
++ if (grsec_enable_forkfail)
++ security_alert(GR_FAILFORK_MSG, retval, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_init.c linux-2.6.6.fixed/grsecurity/grsec_init.c
+--- linux-2.6.6/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_init.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,227 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/smp_lock.h>
++#include <linux/gracl.h>
++#include <linux/slab.h>
++#include <linux/vmalloc.h>
++#include <linux/percpu.h>
++
++int grsec_enable_link;
++int grsec_enable_dmesg;
++int grsec_enable_fifo;
++int grsec_enable_execve;
++int grsec_enable_execlog;
++int grsec_enable_signal;
++int grsec_enable_forkfail;
++int grsec_enable_time;
++int grsec_enable_audit_textrel;
++int grsec_enable_group;
++int grsec_audit_gid;
++int grsec_enable_chdir;
++int grsec_enable_audit_ipc;
++int grsec_enable_mount;
++int grsec_enable_chroot_findtask;
++int grsec_enable_chroot_mount;
++int grsec_enable_chroot_shmat;
++int grsec_enable_chroot_fchdir;
++int grsec_enable_chroot_double;
++int grsec_enable_chroot_pivot;
++int grsec_enable_chroot_chdir;
++int grsec_enable_chroot_chmod;
++int grsec_enable_chroot_mknod;
++int grsec_enable_chroot_nice;
++int grsec_enable_chroot_execlog;
++int grsec_enable_chroot_caps;
++int grsec_enable_chroot_sysctl;
++int grsec_enable_chroot_unix;
++int grsec_enable_tpe;
++int grsec_tpe_gid;
++int grsec_enable_tpe_all;
++int grsec_enable_randpid;
++int grsec_enable_randid;
++int grsec_enable_randisn;
++int grsec_enable_randsrc;
++int grsec_enable_randrpc;
++int grsec_enable_socket_all;
++int grsec_socket_all_gid;
++int grsec_enable_socket_client;
++int grsec_socket_client_gid;
++int grsec_enable_socket_server;
++int grsec_socket_server_gid;
++int grsec_lock;
++
++spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
++unsigned long grsec_alert_wtime = 0;
++unsigned long grsec_alert_fyet = 0;
++
++spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED;
++unsigned long grsec_alertgood_wtime = 0;
++unsigned long grsec_alertgood_fyet = 0;
++
++spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
++
++char *gr_shared_page[4];
++extern struct gr_arg *gr_usermode;
++extern unsigned char *gr_system_salt;
++extern unsigned char *gr_system_sum;
++extern struct task_struct **gr_conn_table;
++extern const unsigned int gr_conn_table_size;
++
++void
++grsecurity_init(void)
++{
++ int j;
++ /* create the per-cpu shared pages */
++
++ preempt_disable();
++ for (j = 0; j < 4; j++) {
++ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(char *));
++ if (gr_shared_page[j] == NULL) {
++ panic("Unable to allocate grsecurity shared page");
++ return;
++ }
++ }
++ preempt_enable();
++
++ /* create hash tables for ip tagging */
++
++ gr_conn_table = (struct task_struct **) vmalloc(gr_conn_table_size * sizeof(struct task_struct *));
++ if (gr_conn_table == NULL) {
++ panic("Unable to allocate grsecurity IP tagging table");
++ return;
++ }
++ memset(gr_conn_table, 0, gr_conn_table_size * sizeof(struct task_struct *));
++
++ /* allocate memory for authentication structure */
++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
++
++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
++ panic("Unable to allocate grsecurity authentication structure");
++ return;
++ }
++
++#ifndef CONFIG_GRKERNSEC_SYSCTL
++ grsec_lock = 1;
++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
++ grsec_enable_audit_textrel = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
++ grsec_enable_group = 1;
++ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
++ grsec_enable_chdir = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ grsec_enable_audit_ipc = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
++ grsec_enable_mount = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_LINK
++ grsec_enable_link = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_DMESG
++ grsec_enable_dmesg = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_FIFO
++ grsec_enable_fifo = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_EXECVE
++ grsec_enable_execve = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_EXECLOG
++ grsec_enable_execlog = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_SIGNAL
++ grsec_enable_signal = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_FORKFAIL
++ grsec_enable_forkfail = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_TIME
++ grsec_enable_time = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
++ grsec_enable_chroot_findtask = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
++ grsec_enable_chroot_unix = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
++ grsec_enable_chroot_mount = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
++ grsec_enable_chroot_fchdir = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
++ grsec_enable_chroot_shmat = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
++ grsec_enable_chroot_double = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
++ grsec_enable_chroot_pivot = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
++ grsec_enable_chroot_chdir = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
++ grsec_enable_chroot_chmod = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
++ grsec_enable_chroot_mknod = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
++ grsec_enable_chroot_nice = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
++ grsec_enable_chroot_execlog = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ grsec_enable_chroot_caps = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
++ grsec_enable_chroot_sysctl = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_TPE
++ grsec_enable_tpe = 1;
++ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
++#ifdef CONFIG_GRKERNSEC_TPE_ALL
++ grsec_enable_tpe_all = 1;
++#endif
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDPID
++ grsec_enable_randpid = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDID
++ grsec_enable_randid = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDISN
++ grsec_enable_randisn = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDSRC
++ grsec_enable_randsrc = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDRPC
++ grsec_enable_randrpc = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
++ grsec_enable_socket_all = 1;
++ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
++ grsec_enable_socket_client = 1;
++ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
++ grsec_enable_socket_server = 1;
++ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
++#endif
++#endif
++
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_ipc.c linux-2.6.6.fixed/grsecurity/grsec_ipc.c
+--- linux-2.6.6/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_ipc.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,81 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/types.h>
++#include <linux/ipc.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_msgget(const int ret, const int msgflg)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
++ !grsec_enable_group)) && (ret >= 0)
++ && (msgflg & IPC_CREAT))
++ security_audit(GR_MSGQ_AUDIT_MSG, DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_msgrm(const uid_t uid, const uid_t cuid)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) ||
++ (grsec_enable_audit_ipc && !grsec_enable_group))
++ security_audit(GR_MSGQR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_semget(const int err, const int semflg)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
++ !grsec_enable_group)) && (err >= 0)
++ && (semflg & IPC_CREAT))
++ security_audit(GR_SEM_AUDIT_MSG, DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_semrm(const uid_t uid, const uid_t cuid)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) ||
++ (grsec_enable_audit_ipc && !grsec_enable_group))
++ security_audit(GR_SEMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_shmget(const int err, const int shmflg, const size_t size)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
++ !grsec_enable_group)) && (err >= 0)
++ && (shmflg & IPC_CREAT))
++ security_audit(GR_SHM_AUDIT_MSG, size, DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_shmrm(const uid_t uid, const uid_t cuid)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
++ grsec_enable_audit_ipc) ||
++ (grsec_enable_audit_ipc && !grsec_enable_group))
++ security_audit(GR_SHMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_link.c linux-2.6.6.fixed/grsecurity/grsec_link.c
+--- linux-2.6.6/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_link.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,41 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_follow_link(const struct inode *parent,
++ const struct inode *inode,
++ const struct dentry *dentry, const struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
++ security_alert(GR_SYMLINK_MSG, gr_to_filename(dentry, mnt),
++ inode->i_uid, inode->i_gid, DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_hardlink(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ struct inode *inode, const int mode, const char *to)
++{
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
++ (!S_ISREG(mode) || (mode & S_ISUID) ||
++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
++ (vfs_permission(inode, MAY_READ | MAY_WRITE))) &&
++ !capable(CAP_FOWNER) && current->uid) {
++ security_alert(GR_HARDLINK_MSG, gr_to_filename(dentry, mnt),
++ inode->i_uid, inode->i_gid, to, DEFAULTSECARGS);
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_mem.c linux-2.6.6.fixed/grsecurity/grsec_mem.c
+--- linux-2.6.6/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_mem.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,54 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/mman.h>
++#include <linux/grinternal.h>
++
++void
++gr_handle_ioperm(void)
++{
++ security_alert(GR_IOPERM_MSG, DEFAULTSECARGS);
++ return;
++}
++
++void
++gr_handle_iopl(void)
++{
++ security_alert(GR_IOPL_MSG, DEFAULTSECARGS);
++ return;
++}
++
++void
++gr_handle_mem_write(void)
++{
++ security_alert(GR_MEM_WRITE_MSG, DEFAULTSECARGS);
++ return;
++}
++
++void
++gr_handle_kmem_write(void)
++{
++ security_alert(GR_KMEM_MSG, DEFAULTSECARGS);
++ return;
++}
++
++void
++gr_handle_open_port(void)
++{
++ security_alert(GR_PORT_OPEN_MSG, DEFAULTSECARGS);
++ return;
++}
++
++int
++gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
++{
++ if (offset < __pa(high_memory) && (vma->vm_flags & VM_WRITE) &&
++ !(offset == 0xf0000 && ((vma->vm_end - vma->vm_start) <= 0x10000)) &&
++ !(offset == 0xa0000 && ((vma->vm_end - vma->vm_start) <= 0x20000))) {
++ security_alert(GR_MEM_MMAP_MSG, DEFAULTSECARGS);
++ return -EPERM;
++ } else if (offset < __pa(high_memory))
++ vma->vm_flags &= ~VM_MAYWRITE;
++
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_mount.c linux-2.6.6.fixed/grsecurity/grsec_mount.c
+--- linux-2.6.6/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_mount.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,34 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_remount(const char *devname, const int retval)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
++ if (grsec_enable_mount && (retval >= 0))
++ security_audit(GR_REMOUNT_AUDIT_MSG, devname ? devname : "none", DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_unmount(const char *devname, const int retval)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
++ if (grsec_enable_mount && (retval >= 0))
++ security_audit(GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none", DEFAULTSECARGS);
++#endif
++ return;
++}
++
++void
++gr_log_mount(const char *from, const char *to, const int retval)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
++ if (grsec_enable_mount && (retval >= 0))
++ security_audit(GR_MOUNT_AUDIT_MSG, from, to, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_rand.c linux-2.6.6.fixed/grsecurity/grsec_rand.c
+--- linux-2.6.6/grsecurity/grsec_rand.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_rand.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,22 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/smp_lock.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++extern int pid_max;
++
++int
++gr_random_pid(void)
++{
++#ifdef CONFIG_GRKERNSEC_RANDPID
++ int pid;
++
++ if (grsec_enable_randpid && current->fs->root) {
++
++ pid = 1 + (get_random_long() % pid_max);
++ return pid;
++ }
++#endif
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_sig.c linux-2.6.6.fixed/grsecurity/grsec_sig.c
+--- linux-2.6.6/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_sig.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,48 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_signal(const int sig, const struct task_struct *t)
++{
++#ifdef CONFIG_GRKERNSEC_SIGNAL
++ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
++ (sig == SIGABRT) || (sig == SIGBUS))) {
++ if (t->pid == current->pid) {
++ security_alert_good(GR_UNISIGLOG_MSG, sig,
++ DEFAULTSECARGS);
++ } else {
++ security_alert_good(GR_DUALSIGLOG_MSG, sig,
++ gr_task_fullpath0(t), t->comm,
++ t->pid, t->uid, t->euid, t->gid,
++ t->egid, gr_parent_task_fullpath0(t),
++ t->parent->comm,
++ t->parent->pid, t->parent->uid,
++ t->parent->euid, t->parent->gid,
++ t->parent->egid, DEFAULTSECARGS);
++ }
++ }
++#endif
++ return;
++}
++
++int
++gr_handle_signal(const struct task_struct *p, const int sig)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (current->pid > 1 && gr_check_protected_task(p)) {
++ security_alert(GR_SIG_ACL_MSG, sig, gr_task_fullpath0(p),
++ p->comm, p->pid, p->uid,
++ p->euid, p->gid, p->egid,
++ gr_parent_task_fullpath0(p), p->parent->comm,
++ p->parent->pid, p->parent->uid,
++ p->parent->euid, p->parent->gid,
++ p->parent->egid, DEFAULTSECARGS);
++ return -EPERM;
++ } else if (gr_pid_is_chrooted(p)) {
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_sock.c linux-2.6.6.fixed/grsecurity/grsec_sock.c
+--- linux-2.6.6/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_sock.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,256 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <net/sock.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++#include <linux/gracl.h>
++
++#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
++EXPORT_SYMBOL(udp_v4_lookup);
++#endif
++#if defined(CONFIG_GRKERNSEC_RANDID)
++EXPORT_SYMBOL(ip_randomid);
++#endif
++#if defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDRPC)
++EXPORT_SYMBOL(get_random_long);
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDISN
++EXPORT_SYMBOL(ip_randomisn);
++EXPORT_SYMBOL(grsec_enable_randisn);
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDID
++EXPORT_SYMBOL(grsec_enable_randid);
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDSRC
++EXPORT_SYMBOL(grsec_enable_randsrc);
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDRPC
++EXPORT_SYMBOL(grsec_enable_randrpc);
++#endif
++
++EXPORT_SYMBOL(gr_cap_rtnetlink);
++
++extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
++extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
++
++EXPORT_SYMBOL(gr_search_udp_recvmsg);
++EXPORT_SYMBOL(gr_search_udp_sendmsg);
++
++#ifdef CONFIG_UNIX_MODULE
++EXPORT_SYMBOL(gr_acl_handle_unix);
++EXPORT_SYMBOL(gr_acl_handle_mknod);
++EXPORT_SYMBOL(gr_handle_chroot_unix);
++EXPORT_SYMBOL(gr_handle_create);
++#endif
++
++#ifdef CONFIG_GRKERNSEC
++struct task_struct **gr_conn_table;
++const unsigned int gr_conn_table_size = 65521;
++struct task_struct *deleted_conn = (struct task_struct *)~0;
++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
++
++extern __inline__ const char * gr_socktype_to_name(unsigned char type);
++extern __inline__ const char * gr_proto_to_name(unsigned char proto);
++
++static __inline__ int
++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
++{
++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
++}
++
++static __inline__ int
++conn_match(const struct task_struct *task, __u32 saddr, __u32 daddr,
++ __u16 sport, __u16 dport)
++{
++ if (unlikely(task != deleted_conn && task->gr_saddr == saddr &&
++ task->gr_daddr == daddr && task->gr_sport == sport &&
++ task->gr_dport == dport))
++ return 1;
++ else
++ return 0;
++}
++
++void gr_add_to_task_ip_table(struct task_struct *task)
++{
++ unsigned int index;
++
++ if (unlikely(gr_conn_table == NULL))
++ return;
++
++ if (!thread_group_leader(task))
++ task = task->group_leader;
++
++ index = conn_hash(task->gr_saddr, task->gr_daddr,
++ task->gr_sport, task->gr_dport,
++ gr_conn_table_size);
++
++ spin_lock(&gr_conn_table_lock);
++
++ while (gr_conn_table[index] && gr_conn_table[index] != deleted_conn) {
++ index = (index + 1) % gr_conn_table_size;
++ }
++
++ gr_conn_table[index] = task;
++
++ spin_unlock(&gr_conn_table_lock);
++
++ return;
++}
++
++void gr_del_task_from_ip_table_nolock(struct task_struct *task)
++{
++ unsigned int index;
++
++ if (unlikely(gr_conn_table == NULL))
++ return;
++
++ if (!thread_group_leader(task))
++ task = task->group_leader;
++
++ index = conn_hash(task->gr_saddr, task->gr_daddr,
++ task->gr_sport, task->gr_dport,
++ gr_conn_table_size);
++
++ while (gr_conn_table[index] && !conn_match(gr_conn_table[index],
++ task->gr_saddr, task->gr_daddr, task->gr_sport,
++ task->gr_dport)) {
++ index = (index + 1) % gr_conn_table_size;
++ }
++
++ if (gr_conn_table[index]) {
++ if (gr_conn_table[(index + 1) % gr_conn_table_size])
++ gr_conn_table[index] = deleted_conn;
++ else
++ gr_conn_table[index] = NULL;
++ }
++
++ return;
++}
++
++struct task_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
++ __u16 sport, __u16 dport)
++{
++ unsigned int index;
++
++ if (unlikely(gr_conn_table == NULL))
++ return NULL;
++
++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
++
++ while (gr_conn_table[index] && !conn_match(gr_conn_table[index],
++ saddr, daddr, sport, dport)) {
++ index = (index + 1) % gr_conn_table_size;
++ }
++
++ return gr_conn_table[index];
++}
++
++#endif
++
++void gr_del_task_from_ip_table(struct task_struct *task)
++{
++#ifdef CONFIG_GRKERNSEC
++ spin_lock(&gr_conn_table_lock);
++ if (!thread_group_leader(task))
++ gr_del_task_from_ip_table_nolock(task->group_leader);
++ else
++ gr_del_task_from_ip_table_nolock(task);
++ spin_unlock(&gr_conn_table_lock);
++#endif
++ return;
++}
++
++void
++gr_attach_curr_ip(const struct sock *sk)
++{
++#ifdef CONFIG_GRKERNSEC
++ struct task_struct *p;
++ struct task_struct *set;
++ const struct inet_opt *inet = inet_sk(sk);
++
++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
++ return;
++
++ set = current;
++ if (!thread_group_leader(set))
++ set = set->group_leader;
++
++ spin_lock(&gr_conn_table_lock);
++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
++ inet->dport, inet->sport);
++ if (unlikely(p != NULL)) {
++ set->curr_ip = p->curr_ip;
++ set->used_accept = 1;
++ gr_del_task_from_ip_table_nolock(p);
++ spin_unlock(&gr_conn_table_lock);
++ return;
++ }
++ spin_unlock(&gr_conn_table_lock);
++
++ set->curr_ip = inet->daddr;
++ set->used_accept = 1;
++#endif
++ return;
++}
++
++int
++gr_handle_sock_all(const int family, const int type, const int protocol)
++{
++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
++ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
++ (family != AF_UNIX) && (family != AF_LOCAL)) {
++ security_alert(GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol),
++ DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_sock_server(const struct sockaddr *sck)
++{
++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
++ if (grsec_enable_socket_server &&
++ in_group_p(grsec_socket_server_gid) &&
++ sck && (sck->sa_family != AF_UNIX) &&
++ (sck->sa_family != AF_LOCAL)) {
++ security_alert(GR_BIND_MSG, DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_sock_client(const struct sockaddr *sck)
++{
++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
++ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
++ sck && (sck->sa_family != AF_UNIX) &&
++ (sck->sa_family != AF_LOCAL)) {
++ security_alert(GR_CONNECT_MSG, DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++__u32
++gr_cap_rtnetlink(void)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (!gr_acl_is_enabled())
++ return current->cap_effective;
++ else
++ return (current->cap_effective & ~(current->acl->cap_lower));
++#else
++ return current->cap_effective;
++#endif
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_sysctl.c linux-2.6.6.fixed/grsecurity/grsec_sysctl.c
+--- linux-2.6.6/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_sysctl.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,453 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/sysctl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
++{
++#ifdef CONFIG_GRKERNSEC_SYSCTL
++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
++ security_alert(GR_SYSCTL_MSG, name, DEFAULTSECARGS);
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++#ifdef CONFIG_GRKERNSEC_SYSCTL
++enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
++GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
++GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
++GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
++GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
++GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDISN,
++GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
++GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_TTY, GS_TTYS,
++GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC,
++GS_TEXTREL, GS_FINDTASK, GS_LOCK};
++
++
++ctl_table grsecurity_table[] = {
++#ifdef CONFIG_GRKERNSEC_LINK
++ {
++ .ctl_name = GS_LINK,
++ .procname = "linking_restrictions",
++ .data = &grsec_enable_link,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_FIFO
++ {
++ .ctl_name = GS_FIFO,
++ .procname = "fifo_restrictions",
++ .data = &grsec_enable_fifo,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_EXECVE
++ {
++ .ctl_name = GS_EXECVE,
++ .procname = "execve_limiting",
++ .data = &grsec_enable_execve,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_EXECLOG
++ {
++ .ctl_name = GS_EXECLOG,
++ .procname = "exec_logging",
++ .data = &grsec_enable_execlog,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_SIGNAL
++ {
++ .ctl_name = GS_SIGNAL,
++ .procname = "signal_logging",
++ .data = &grsec_enable_signal,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_FORKFAIL
++ {
++ .ctl_name = GS_FORKFAIL,
++ .procname = "forkfail_logging",
++ .data = &grsec_enable_forkfail,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_TIME
++ {
++ .ctl_name = GS_TIME,
++ .procname = "timechange_logging",
++ .data = &grsec_enable_time,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
++ {
++ .ctl_name = GS_CHROOT_SHMAT,
++ .procname = "chroot_deny_shmat",
++ .data = &grsec_enable_chroot_shmat,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
++ {
++ .ctl_name = GS_CHROOT_UNIX,
++ .procname = "chroot_deny_unix",
++ .data = &grsec_enable_chroot_unix,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
++ {
++ .ctl_name = GS_CHROOT_MNT,
++ .procname = "chroot_deny_mount",
++ .data = &grsec_enable_chroot_mount,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
++ {
++ .ctl_name = GS_CHROOT_FCHDIR,
++ .procname = "chroot_deny_fchdir",
++ .data = &grsec_enable_chroot_fchdir,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
++ {
++ .ctl_name = GS_CHROOT_DBL,
++ .procname = "chroot_deny_chroot",
++ .data = &grsec_enable_chroot_double,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
++ {
++ .ctl_name = GS_CHROOT_PVT,
++ .procname = "chroot_deny_pivot",
++ .data = &grsec_enable_chroot_pivot,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
++ {
++ .ctl_name = GS_CHROOT_CD,
++ .procname = "chroot_enforce_chdir",
++ .data = &grsec_enable_chroot_chdir,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
++ {
++ .ctl_name = GS_CHROOT_CM,
++ .procname = "chroot_deny_chmod",
++ .data = &grsec_enable_chroot_chmod,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
++ {
++ .ctl_name = GS_CHROOT_MK,
++ .procname = "chroot_deny_mknod",
++ .data = &grsec_enable_chroot_mknod,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
++ {
++ .ctl_name = GS_CHROOT_NI,
++ .procname = "chroot_restrict_nice",
++ .data = &grsec_enable_chroot_nice,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
++ {
++ .ctl_name = GS_CHROOT_EXECLOG,
++ .procname = "chroot_execlog",
++ .data = &grsec_enable_chroot_execlog,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ {
++ .ctl_name = GS_CHROOT_CAPS,
++ .procname = "chroot_caps",
++ .data = &grsec_enable_chroot_caps,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
++ {
++ .ctl_name = GS_CHROOT_SYSCTL,
++ .procname = "chroot_deny_sysctl",
++ .data = &grsec_enable_chroot_sysctl,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_TPE
++ {
++ .ctl_name = GS_TPE,
++ .procname = "tpe",
++ .data = &grsec_enable_tpe,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .ctl_name = GS_TPE_GID,
++ .procname = "tpe_gid",
++ .data = &grsec_tpe_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_TPE_ALL
++ {
++ .ctl_name = GS_TPE_ALL,
++ .procname = "tpe_restrict_all",
++ .data = &grsec_enable_tpe_all,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDPID
++ {
++ .ctl_name = GS_RANDPID,
++ .procname = "rand_pids",
++ .data = &grsec_enable_randpid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDID
++ {
++ .ctl_name = GS_RANDID,
++ .procname = "rand_ip_ids",
++ .data = &grsec_enable_randid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDSRC
++ {
++ .ctl_name = GS_RANDSRC,
++ .procname = "rand_tcp_src_ports",
++ .data = &grsec_enable_randsrc,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDISN
++ {
++ .ctl_name = GS_RANDISN,
++ .procname = "rand_isns",
++ .data = &grsec_enable_randisn,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
++ {
++ .ctl_name = GS_SOCKET_ALL,
++ .procname = "socket_all",
++ .data = &grsec_enable_socket_all,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .ctl_name = GS_SOCKET_ALL_GID,
++ .procname = "socket_all_gid",
++ .data = &grsec_socket_all_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
++ {
++ .ctl_name = GS_SOCKET_CLIENT,
++ .procname = "socket_client",
++ .data = &grsec_enable_socket_client,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .ctl_name = GS_SOCKET_CLIENT_GID,
++ .procname = "socket_client_gid",
++ .data = &grsec_socket_client_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
++ {
++ .ctl_name = GS_SOCKET_SERVER,
++ .procname = "socket_server",
++ .data = &grsec_enable_socket_server,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .ctl_name = GS_SOCKET_SERVER_GID,
++ .procname = "socket_server_gid",
++ .data = &grsec_socket_server_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
++ {
++ .ctl_name = GS_GROUP,
++ .procname = "audit_group",
++ .data = &grsec_enable_group,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .ctl_name = GS_GID,
++ .procname = "audit_gid",
++ .data = &grsec_audit_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
++ {
++ .ctl_name = GS_ACHDIR,
++ .procname = "audit_chdir",
++ .data = &grsec_enable_chdir,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
++ {
++ .ctl_name = GS_AMOUNT,
++ .procname = "audit_mount",
++ .data = &grsec_enable_mount,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
++ {
++ .ctl_name = GS_AIPC,
++ .procname = "audit_ipc",
++ .data = &grsec_enable_audit_ipc,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
++ {
++ .ctl_name = GS_TEXTREL,
++ .procname = "audit_textrel",
++ .data = &grsec_enable_audit_textrel,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_DMESG
++ {
++ .ctl_name = GS_DMSG,
++ .procname = "dmesg",
++ .data = &grsec_enable_dmesg,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_RANDRPC
++ {
++ .ctl_name = GS_RANDRPC,
++ .procname = "rand_rpc",
++ .data = &grsec_enable_randrpc,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
++ {
++ .ctl_name = GS_FINDTASK,
++ .procname = "chroot_findtask",
++ .data = &grsec_enable_chroot_findtask,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++ {
++ .ctl_name = GS_LOCK,
++ .procname = "grsec_lock",
++ .data = &grsec_lock,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ { .ctl_name = 0 }
++};
++#endif
+diff -uNr linux-2.6.6/grsecurity/grsec_textrel.c linux-2.6.6.fixed/grsecurity/grsec_textrel.c
+--- linux-2.6.6/grsecurity/grsec_textrel.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_textrel.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,19 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++#include <linux/grsecurity.h>
++
++void
++gr_log_textrel(struct vm_area_struct * vma)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
++ if (grsec_enable_audit_textrel)
++ security_audit(GR_TEXTREL_AUDIT_MSG, vma->vm_file ?
++ gr_to_filename(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt)
++ : "<anonymous mapping>", vma->vm_start,
++ vma->vm_pgoff, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_time.c linux-2.6.6.fixed/grsecurity/grsec_time.c
+--- linux-2.6.6/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_time.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,13 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/grinternal.h>
++
++void
++gr_log_timechange(void)
++{
++#ifdef CONFIG_GRKERNSEC_TIME
++ if (grsec_enable_time)
++ security_alert_good(GR_TIME_MSG, DEFAULTSECARGS);
++#endif
++ return;
++}
+diff -uNr linux-2.6.6/grsecurity/grsec_tpe.c linux-2.6.6.fixed/grsecurity/grsec_tpe.c
+--- linux-2.6.6/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsec_tpe.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,35 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/grinternal.h>
++
++extern int gr_acl_tpe_check(void);
++
++int
++gr_tpe_allow(const struct file *file)
++{
++#ifdef CONFIG_GRKERNSEC
++ struct inode *inode = file->f_dentry->d_parent->d_inode;
++
++ if (current->uid && ((grsec_enable_tpe && in_group_p(grsec_tpe_gid)) || gr_acl_tpe_check()) &&
++ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
++ (inode->i_mode & S_IWOTH))))) {
++ security_alert(GR_EXEC_TPE_MSG,
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 0;
++ }
++#ifdef CONFIG_GRKERNSEC_TPE_ALL
++ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
++ ((inode->i_uid && (inode->i_uid != current->uid)) ||
++ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
++ security_alert(GR_EXEC_TPE_MSG,
++ gr_to_filename(file->f_dentry, file->f_vfsmnt),
++ DEFAULTSECARGS);
++ return 0;
++ }
++#endif
++#endif
++ return 1;
++}
+diff -uNr linux-2.6.6/grsecurity/grsum.c linux-2.6.6.fixed/grsecurity/grsum.c
+--- linux-2.6.6/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/grsum.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,59 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <asm/scatterlist.h>
++#include <linux/crypto.h>
++#include <linux/gracl.h>
++
++
++#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
++#error "crypto and sha256 must be built into the kernel"
++#endif
++
++int
++chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
++{
++ char *p;
++ struct crypto_tfm *tfm;
++ unsigned char temp_sum[GR_SHA_LEN];
++ struct scatterlist sg[2];
++ volatile int retval = 0;
++ volatile int dummy = 0;
++ unsigned int i;
++
++ tfm = crypto_alloc_tfm("sha256", 0);
++ if (tfm == NULL) {
++ /* should never happen, since sha256 should be built in */
++ return 1;
++ }
++
++ crypto_digest_init(tfm);
++
++ p = salt;
++ sg[0].page = virt_to_page(p);
++ sg[0].offset = ((long) p & ~PAGE_MASK);
++ sg[0].length = GR_SALT_LEN;
++
++ crypto_digest_update(tfm, sg, 1);
++
++ p = entry->pw;
++ sg[0].page = virt_to_page(p);
++ sg[0].offset = ((long) p & ~PAGE_MASK);
++ sg[0].length = strlen(entry->pw);
++
++ crypto_digest_update(tfm, sg, 1);
++
++ crypto_digest_final(tfm, temp_sum);
++
++ memset(entry->pw, 0, GR_PW_LEN);
++
++ for (i = 0; i < GR_SHA_LEN; i++)
++ if (sum[i] != temp_sum[i])
++ retval = 1;
++ else
++ dummy = 1; // waste a cycle
++
++ crypto_free_tfm(tfm);
++
++ return retval;
++}
+diff -uNr linux-2.6.6/grsecurity/Kconfig linux-2.6.6.fixed/grsecurity/Kconfig
+--- linux-2.6.6/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/Kconfig 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,864 @@
++#
++# grecurity configuration
++#
++
++menu "Grsecurity"
++
++config GRKERNSEC
++ bool "Grsecurity"
++ select CRYPTO
++ select CRYPTO_SHA256
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
++
++choice
++ prompt "Security Level"
++ depends GRKERNSEC
++ default GRKERNSEC_CUSTOM
++
++config GRKERNSEC_LOW
++ bool "Low"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_RANDPID
++ select GRKERNSEC_EXECVE
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_RANDISN
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_RANDID
++ select GRKERNSEC_CHROOT_CHDIR
++ help
++ If you choose this option, several of the grsecurity options will
++ be enabled that will give you greater protection against a number
++ of attacks, while assuring that none of your software will have any
++ conflicts with the additional security measures. If you run a lot
++ of unusual software, or you are having problems with the higher
++ security levels, you should say Y here. With this option, the
++ following features are enabled:
++
++ - Linking Restrictions
++ - FIFO Restrictions
++ - Randomized PIDs
++ - Enforcing RLIMIT_NPROC on execve
++ - Restricted dmesg
++ - Randomized IP IDs
++ - Enforced chdir("/") on chroot
++
++config GRKERNSEC_MEDIUM
++ bool "Medium"
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select GRKERNSEC_PROC_MEMMAP
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_RANDPID
++ select GRKERNSEC_EXECVE
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_RANDID
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_RANDISN
++ select GRKERNSEC_RANDSRC
++ select GRKERNSEC_RANDRPC
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_USERGROUP
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++
++ help
++ If you say Y here, several features in addition to those included
++ in the low additional security level will be enabled. These
++ features provide even more security to your system, though in rare
++ cases they may be incompatible with very old or poorly written
++ software. If you enable this option, make sure that your auth
++ service (identd) is running as gid 1001. With this option,
++ the following features (in addition to those provided in the
++ low additional security level) will be enabled:
++
++ - Randomized TCP Source Ports
++ - Failed Fork Logging
++ - Time Change Logging
++ - Signal Logging
++ - Deny Mounts in chroot
++ - Deny Double chrooting
++ - Deny Sysctl Writes in chroot
++ - Deny Mknod in chroot
++ - Deny Access to Abstract AF_UNIX Sockets out of chroot
++ - Deny pivot_root in chroot
++ - Denied Writes of /dev/kmem, /dev/mem, and /dev/port
++ - /proc restrictions with special GID set to 10 (usually wheel)
++ - Address Space Layout Randomization (ASLR)
++
++config GRKERNSEC_HIGH
++ bool "High"
++ select GRKERNSEC_LINK
++ select GRKERNSEC_FIFO
++ select GRKERNSEC_RANDPID
++ select GRKERNSEC_EXECVE
++ select GRKERNSEC_DMESG
++ select GRKERNSEC_RANDID
++ select GRKERNSEC_RANDSRC
++ select GRKERNSEC_RANDRPC
++ select GRKERNSEC_FORKFAIL
++ select GRKERNSEC_TIME
++ select GRKERNSEC_SIGNAL
++ select GRKERNSEC_CHROOT_SHMAT
++ select GRKERNSEC_CHROOT_UNIX
++ select GRKERNSEC_CHROOT_MOUNT
++ select GRKERNSEC_CHROOT_FCHDIR
++ select GRKERNSEC_CHROOT_PIVOT
++ select GRKERNSEC_CHROOT_DOUBLE
++ select GRKERNSEC_CHROOT_CHDIR
++ select GRKERNSEC_CHROOT_MKNOD
++ select GRKERNSEC_CHROOT_CAPS
++ select GRKERNSEC_CHROOT_SYSCTL
++ select GRKERNSEC_CHROOT_FINDTASK
++ select GRKERNSEC_PROC
++ select GRKERNSEC_PROC_MEMMAP
++ select GRKERNSEC_HIDESYM
++ select GRKERNSEC_PROC_USERGROUP
++ select GRKERNSEC_KMEM
++ select GRKERNSEC_RESLOG
++ select GRKERNSEC_RANDNET
++ select GRKERNSEC_RANDISN
++ select GRKERNSEC_PROC_ADD
++ select GRKERNSEC_CHROOT_CHMOD
++ select GRKERNSEC_CHROOT_NICE
++ select GRKERNSEC_AUDIT_MOUNT
++ select PAX_RANDUSTACK
++ select PAX_ASLR
++ select PAX_RANDMMAP
++ select PAX_NOEXEC
++ select PAX_MPROTECT
++ select PAX_EI_PAX
++ select PAX_PT_PAX_FLAGS
++ select PAX_HAVE_ACL_FLAGS
++ select PAX_KERNEXEC
++ select PAX_RANDKSTACK
++ select PAX_RANDEXEC
++ select PAX_SEGMEXEC
++ select PAX_EMUTRAMP
++ select PAX_NOVSYSCALL
++ help
++ If you say Y here, many of the features of grsecurity will be
++ enabled, which will protect you against many kinds of attacks
++ against your system. The heightened security comes at a cost
++ of an increased chance of incompatibilities with rare software
++ on your machine. Since this security level enables PaX, you should
++ view <http://pax.grsecurity.net> and read about the PaX
++ project. While you are there, download chpax and run it on
++ binaries that cause problems with PaX. Also remember that
++ since the /proc restrictions are enabled, you must run your
++ identd as gid 1001. This security level enables the following
++ features in addition to those listed in the low and medium
++ security levels:
++
++ - Additional /proc Restrictions
++ - Chmod Restrictions in chroot
++ - No Signals, Ptrace, or Viewing of Processes Outside of chroot
++ - Capability Restrictions in chroot
++ - Deny fchdir out of chroot
++ - Priority Restrictions in chroot
++ - Segmentation-based Implementation of PaX
++ - Mprotect Restrictions
++ - Removal of Addresses from /proc/<pid>/[maps|stat]
++ - Kernel Stack Randomization
++ - Mount/Unmount/Remount Logging
++ - Kernel Symbol Hiding
++
++config GRKERNSEC_CUSTOM
++ bool "Custom"
++ help
++ If you say Y here, you will be able to configure every grsecurity
++ option, which allows you to enable many more features that aren't
++ covered in the basic security levels. These additional features
++ include TPE, socket restrictions, and the sysctl system for
++ grsecurity. It is advised that you read through the help for
++ each option to determine its usefulness in your situation.
++
++endchoice
++
++menu "Address Space Protection"
++depends on GRKERNSEC
++
++config GRKERNSEC_KMEM
++ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
++ help
++ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
++ be written to via mmap or otherwise to modify the running kernel.
++ /dev/port will also not be allowed to be opened. If you have module
++ support disabled, enabling this will close up four ways that are
++ currently used to insert malicious code into the running kernel.
++ Even with all these features enabled, we still highly recommend that
++ you use the ACL system, as it is still possible for an attacker to
++ modify the running kernel through privileged I/O granted by ioperm/iopl.
++ If you are not using XFree86, you may be able to stop this additional
++ case by enabling the 'Disable privileged I/O' option. Though nothing
++ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
++ but only to video memory, which is the only writing we allow in this
++ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
++ not be allowed to mprotect it with PROT_WRITE later.
++ Enabling this feature could make certain apps like VMWare stop working,
++ as they need to write to other locations in /dev/mem.
++ It is highly recommended that you say Y here if you meet all the
++ conditions above.
++
++config GRKERNSEC_IO
++ bool "Disable privileged I/O"
++ depends on X86
++ select RTC
++ help
++ If you say Y here, all ioperm and iopl calls will return an error.
++ Ioperm and iopl can be used to modify the running kernel.
++ Unfortunately, some programs need this access to operate properly,
++ the most notable of which are XFree86 and hwclock. hwclock can be
++ remedied by having RTC support in the kernel, so CONFIG_RTC is
++ enabled if this option is enabled, to ensure that hwclock operates
++ correctly. XFree86 still will not operate correctly with this option
++ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
++ and you still want to protect your kernel against modification,
++ use the ACL system.
++
++config GRKERNSEC_PROC_MEMMAP
++ bool "Remove addresses from /proc/<pid>/[maps|stat]"
++ help
++ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
++ give no information about the addresses of its mappings if
++ PaX features that rely on random addresses are enabled on the task.
++ If you use PaX it is greatly recommended that you say Y here as it
++ closes up a hole that makes the full ASLR useless for suid
++ binaries.
++
++config GRKERNSEC_HIDESYM
++ bool "Hide kernel symbols"
++ help
++ If you say Y here, getting information on loaded modules, and
++ displaying all kernel symbols through a syscall will be restricted
++ to users with CAP_SYS_MODULE. This option is only effective
++ provided the following conditions are met:
++ 1) The kernel using grsecurity is not precompiled by some distribution
++ 2) You are using the ACL system and hiding other files such as your
++ kernel image and System.map
++ 3) You have the additional /proc restrictions enabled, which removes
++ /proc/kcore
++ If the above conditions are met, this option will aid to provide a
++ useful protection against local and remote kernel exploitation of
++ overflows and arbitrary read/write vulnerabilities.
++
++endmenu
++menu "Role Based Access Control Options"
++depends on GRKERNSEC
++
++config GRKERNSEC_ACL_HIDEKERN
++ bool "Hide kernel processes"
++ help
++ If you say Y here, when the RBAC system is enabled via gradm -E,
++ an additional ACL will be passed to the kernel that hides all kernel
++ processes. These processes will only be viewable by the authenticated
++ admin, or processes that have viewing access set.
++
++config GRKERNSEC_ACL_MAXTRIES
++ int "Maximum tries before password lockout"
++ default 3
++ help
++ This option enforces the maximum number of times a user can attempt
++ to authorize themselves with the grsecurity ACL system before being
++ denied the ability to attempt authorization again for a specified time.
++ The lower the number, the harder it will be to brute-force a password.
++
++config GRKERNSEC_ACL_TIMEOUT
++ int "Time to wait after max password tries, in seconds"
++ default 30
++ help
++ This option specifies the time the user must wait after attempting to
++ authorize to the ACL system with the maximum number of invalid
++ passwords. The higher the number, the harder it will be to brute-force
++ a password.
++
++endmenu
++menu "Filesystem Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC
++ bool "Proc restrictions"
++ help
++ If you say Y here, the permissions of the /proc filesystem
++ will be altered to enhance system security and privacy. Depending
++ upon the options you choose, you can either restrict users to see
++ only the processes they themselves run, or choose a group that can
++ view all processes and files normally restricted to root if you choose
++ the "restrict to user only" option. NOTE: If you're running identd as
++ a non-root user, you will have to run it as the group you specify here.
++
++config GRKERNSEC_PROC_USER
++ bool "Restrict /proc to user only"
++ depends on GRKERNSEC_PROC
++ help
++ If you say Y here, non-root users will only be able to view their own
++ processes, and restricts them from viewing network-related information,
++ and viewing kernel symbol and module information.
++
++config GRKERNSEC_PROC_USERGROUP
++ bool "Allow special group"
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ help
++ If you say Y here, you will be able to select a group that will be
++ able to view all processes, network-related information, and
++ kernel and symbol information. This option is useful if you want
++ to run identd as a non-root user.
++
++config GRKERNSEC_PROC_GID
++ int "GID for special group"
++ depends on GRKERNSEC_PROC_USERGROUP
++ default 1001
++
++config GRKERNSEC_PROC_ADD
++ bool "Additional restrictions"
++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++ help
++ If you say Y here, additional restrictions will be placed on
++ /proc that keep normal users from viewing cpu and device information.
++
++config GRKERNSEC_LINK
++ bool "Linking restrictions"
++ help
++ If you say Y here, /tmp race exploits will be prevented, since users
++ will no longer be able to follow symlinks owned by other users in
++ world-writable +t directories (i.e. /tmp), unless the owner of the
++ symlink is the owner of the directory. users will also not be
++ able to hardlink to files they do not own. If the sysctl option is
++ enabled, a sysctl option with name "linking_restrictions" is created.
++
++config GRKERNSEC_FIFO
++ bool "FIFO restrictions"
++ help
++ If you say Y here, users will not be able to write to FIFOs they don't
++ own in world-writable +t directories (i.e. /tmp), unless the owner of
++ the FIFO is the same owner of the directory it's held in. If the sysctl
++ option is enabled, a sysctl option with name "fifo_restrictions" is
++ created.
++
++config GRKERNSEC_CHROOT
++ bool "Chroot jail restrictions"
++ help
++ If you say Y here, you will be able to choose several options that will
++ make breaking out of a chrooted jail much more difficult. If you
++ encounter no software incompatibilities with the following options, it
++ is recommended that you enable each one.
++
++config GRKERNSEC_CHROOT_MOUNT
++ bool "Deny mounts"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to
++ mount or remount filesystems. If the sysctl option is enabled, a
++ sysctl option with name "chroot_deny_mount" is created.
++
++config GRKERNSEC_CHROOT_DOUBLE
++ bool "Deny double-chroots"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to chroot
++ again outside the chroot. This is a widely used method of breaking
++ out of a chroot jail and should not be allowed. If the sysctl
++ option is enabled, a sysctl option with name
++ "chroot_deny_chroot" is created.
++
++config GRKERNSEC_CHROOT_PIVOT
++ bool "Deny pivot_root in chroot"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to use
++ a function called pivot_root() that was introduced in Linux 2.3.41. It
++ works similar to chroot in that it changes the root filesystem. This
++ function could be misused in a chrooted process to attempt to break out
++ of the chroot, and therefore should not be allowed. If the sysctl
++ option is enabled, a sysctl option with name "chroot_deny_pivot" is
++ created.
++
++config GRKERNSEC_CHROOT_CHDIR
++ bool "Enforce chdir(\"/\") on all chroots"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, the current working directory of all newly-chrooted
++ applications will be set to the the root directory of the chroot.
++ The man page on chroot(2) states:
++ Note that this call does not change the current working
++ directory, so that `.' can be outside the tree rooted at
++ `/'. In particular, the super-user can escape from a
++ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
++
++ It is recommended that you say Y here, since it's not known to break
++ any software. If the sysctl option is enabled, a sysctl option with
++ name "chroot_enforce_chdir" is created.
++
++config GRKERNSEC_CHROOT_CHMOD
++ bool "Deny (f)chmod +s"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to chmod
++ or fchmod files to make them have suid or sgid bits. This protects
++ against another published method of breaking a chroot. If the sysctl
++ option is enabled, a sysctl option with name "chroot_deny_chmod" is
++ created.
++
++config GRKERNSEC_CHROOT_FCHDIR
++ bool "Deny fchdir out of chroot"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, a well-known method of breaking chroots by fchdir'ing
++ to a file descriptor of the chrooting process that points to a directory
++ outside the filesystem will be stopped. If the sysctl option
++ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
++
++config GRKERNSEC_CHROOT_MKNOD
++ bool "Deny mknod"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be allowed to
++ mknod. The problem with using mknod inside a chroot is that it
++ would allow an attacker to create a device entry that is the same
++ as one on the physical root of your system, which could range from
++ anything from the console device to a device for your harddrive (which
++ they could then use to wipe the drive or steal data). It is recommended
++ that you say Y here, unless you run into software incompatibilities.
++ If the sysctl option is enabled, a sysctl option with name
++ "chroot_deny_mknod" is created.
++
++config GRKERNSEC_CHROOT_SHMAT
++ bool "Deny shmat() out of chroot"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to attach
++ to shared memory segments that were created outside of the chroot jail.
++ It is recommended that you say Y here. If the sysctl option is enabled,
++ a sysctl option with name "chroot_deny_shmat" is created.
++
++config GRKERNSEC_CHROOT_UNIX
++ bool "Deny access to abstract AF_UNIX sockets out of chroot"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to
++ connect to abstract (meaning not belonging to a filesystem) Unix
++ domain sockets that were bound outside of a chroot. It is recommended
++ that you say Y here. If the sysctl option is enabled, a sysctl option
++ with name "chroot_deny_unix" is created.
++
++config GRKERNSEC_CHROOT_FINDTASK
++ bool "Protect outside processes"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to
++ kill, send signals with fcntl, ptrace, capget, setpgid, getpgid,
++ getsid, or view any process outside of the chroot. If the sysctl
++ option is enabled, a sysctl option with name "chroot_findtask" is
++ created.
++
++config GRKERNSEC_CHROOT_NICE
++ bool "Restrict priority changes"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, processes inside a chroot will not be able to raise
++ the priority of processes in the chroot, or alter the priority of
++ processes outside the chroot. This provides more security than simply
++ removing CAP_SYS_NICE from the process' capability set. If the
++ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
++ is created.
++
++config GRKERNSEC_CHROOT_SYSCTL
++ bool "Deny sysctl writes"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, an attacker in a chroot will not be able to
++ write to sysctl entries, either by sysctl(2) or through a /proc
++ interface. It is strongly recommended that you say Y here. If the
++ sysctl option is enabled, a sysctl option with name
++ "chroot_deny_sysctl" is created.
++
++config GRKERNSEC_CHROOT_CAPS
++ bool "Capability restrictions"
++ depends on GRKERNSEC_CHROOT
++ help
++ If you say Y here, the capabilities on all root processes within a
++ chroot jail will be lowered to stop module insertion, raw i/o,
++ system and net admin tasks, rebooting the system, modifying immutable
++ files, modifying IPC owned by another, and changing the system time.
++ This is left an option because it can break some apps. Disable this
++ if your chrooted apps are having problems performing those kinds of
++ tasks. If the sysctl option is enabled, a sysctl option with
++ name "chroot_caps" is created.
++
++endmenu
++menu "Kernel Auditing"
++depends on GRKERNSEC
++
++config GRKERNSEC_AUDIT_GROUP
++ bool "Single group for auditing"
++ help
++ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
++ will only operate on a group you specify. This option is recommended
++ if you only want to watch certain users instead of having a large
++ amount of logs from the entire system. If the sysctl option is enabled,
++ a sysctl option with name "audit_group" is created.
++
++config GRKERNSEC_AUDIT_GID
++ int "GID for auditing"
++ depends on GRKERNSEC_AUDIT_GROUP
++ default 1007
++
++config GRKERNSEC_EXECLOG
++ bool "Exec logging"
++ help
++ If you say Y here, all execve() calls will be logged (since the
++ other exec*() calls are frontends to execve(), all execution
++ will be logged). Useful for shell-servers that like to keep track
++ of their users. If the sysctl option is enabled, a sysctl option with
++ name "exec_logging" is created.
++ WARNING: This option when enabled will produce a LOT of logs, especially
++ on an active system.
++
++config GRKERNSEC_RESLOG
++ bool "Resource logging"
++ help
++ If you say Y here, all attempts to overstep resource limits will
++ be logged with the resource name, the requested size, and the current
++ limit. It is highly recommended that you say Y here.
++
++config GRKERNSEC_CHROOT_EXECLOG
++ bool "Log execs within chroot"
++ help
++ If you say Y here, all executions inside a chroot jail will be logged
++ to syslog. This can cause a large amount of logs if certain
++ applications (eg. djb's daemontools) are installed on the system, and
++ is therefore left as an option. If the sysctl option is enabled, a
++ sysctl option with name "chroot_execlog" is created.
++
++config GRKERNSEC_AUDIT_CHDIR
++ bool "Chdir logging"
++ help
++ If you say Y here, all chdir() calls will be logged. If the sysctl
++ option is enabled, a sysctl option with name "audit_chdir" is created.
++
++config GRKERNSEC_AUDIT_MOUNT
++ bool "(Un)Mount logging"
++ help
++ If you say Y here, all mounts and unmounts will be logged. If the
++ sysctl option is enabled, a sysctl option with name "audit_mount" is
++ created.
++
++config GRKERNSEC_AUDIT_IPC
++ bool "IPC logging"
++ help
++ If you say Y here, creation and removal of message queues, semaphores,
++ and shared memory will be logged. If the sysctl option is enabled, a
++ sysctl option with name "audit_ipc" is created.
++
++config GRKERNSEC_SIGNAL
++ bool "Signal logging"
++ help
++ If you say Y here, certain important signals will be logged, such as
++ SIGSEGV, which will as a result inform you of when a error in a program
++ occurred, which in some cases could mean a possible exploit attempt.
++ If the sysctl option is enabled, a sysctl option with name
++ "signal_logging" is created.
++
++config GRKERNSEC_FORKFAIL
++ bool "Fork failure logging"
++ help
++ If you say Y here, all failed fork() attempts will be logged.
++ This could suggest a fork bomb, or someone attempting to overstep
++ their process limit. If the sysctl option is enabled, a sysctl option
++ with name "forkfail_logging" is created.
++
++config GRKERNSEC_TIME
++ bool "Time change logging"
++ help
++ If you say Y here, any changes of the system clock will be logged.
++ If the sysctl option is enabled, a sysctl option with name
++ "timechange_logging" is created.
++
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_AUDIT_TEXTREL
++ bool 'ELF text relocations logging (READ HELP)'
++ depends on PAX_MPROTECT
++ help
++ If you say Y here, text relocations will be logged with the filename
++ of the offending library or binary. The purpose of the feature is
++ to help Linux distribution developers get rid of libraries and
++ binaries that need text relocations which hinder the future progress
++ of PaX. Only Linux distribution developers should say Y here, and
++ never on a production machine, as this option creates an information
++ leak that could aid an attacker in defeating the randomization of
++ a single memory region. If the sysctl option is enabled, a sysctl
++ option with name "audit_textrel" is created.
++
++endmenu
++
++menu "Executable Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_EXECVE
++ bool "Enforce RLIMIT_NPROC on execs"
++ help
++ If you say Y here, users with a resource limit on processes will
++ have the value checked during execve() calls. The current system
++ only checks the system limit during fork() calls. If the sysctl option
++ is enabled, a sysctl option with name "execve_limiting" is created.
++
++config GRKERNSEC_DMESG
++ bool "Dmesg(8) restriction"
++ help
++ If you say Y here, non-root users will not be able to use dmesg(8)
++ to view up to the last 4kb of messages in the kernel's log buffer.
++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
++ created.
++
++config GRKERNSEC_RANDPID
++ bool "Randomized PIDs"
++ help
++ If you say Y here, all PIDs created on the system will be
++ pseudo-randomly generated. This is extremely effective along
++ with the /proc restrictions to disallow an attacker from guessing
++ pids of daemons, etc. PIDs are also used in some cases as part
++ of a naming system for temporary files, so this option would keep
++ those filenames from being predicted as well. We also use code
++ to make sure that PID numbers aren't reused too soon. If the sysctl
++ option is enabled, a sysctl option with name "rand_pids" is created.
++
++config GRKERNSEC_TPE
++ bool "Trusted Path Execution (TPE)"
++ help
++ If you say Y here, you will be able to choose a gid to add to the
++ supplementary groups of users you want to mark as "untrusted."
++ These users will not be able to execute any files that are not in
++ root-owned directories writable only by root. If the sysctl option
++ is enabled, a sysctl option with name "tpe" is created.
++
++config GRKERNSEC_TPE_ALL
++ bool "Partially restrict non-root users"
++ depends on GRKERNSEC_TPE
++ help
++ If you say Y here, All non-root users other than the ones in the
++ group specified in the main TPE option will only be allowed to
++ execute files in directories they own that are not group or
++ world-writable, or in directories owned by root and writable only by
++ root. If the sysctl option is enabled, a sysctl option with name
++ "tpe_restrict_all" is created.
++
++config GRKERNSEC_TPE_GID
++ int "GID for untrusted users"
++ depends on GRKERNSEC_TPE
++ default 1005
++ help
++ Here you can choose the GID to enable trusted path protection for.
++ Remember to add the users you want protection enabled for to the GID
++ specified here. If the sysctl option is enabled, whatever you choose
++ here won't matter. You'll have to specify the GID in your bootup
++ script by echoing the GID to the proper /proc entry. View the help
++ on the sysctl option for more information. If the sysctl option is
++ enabled, a sysctl option with name "tpe_gid" is created.
++
++endmenu
++menu "Network Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_RANDNET
++ bool "Larger entropy pools"
++ help
++ If you say Y here, the entropy pools used for many features of Linux
++ and grsecurity will be doubled in size. Since several grsecurity
++ features use additional randomness, it is recommended that you say Y
++ here. Saying Y here has a similar effect as modifying
++ /proc/sys/kernel/random/poolsize.
++
++config GRKERNSEC_RANDISN
++ bool "Truly random TCP ISN selection"
++ help
++ If you say Y here, Linux's default selection of TCP Initial Sequence
++ Numbers (ISNs) will be replaced with that of OpenBSD. Linux uses
++ an MD4 hash based on the connection plus a time value to create the
++ ISN, while OpenBSD's selection is random. If the sysctl option is
++ enabled, a sysctl option with name "rand_isns" is created.
++
++config GRKERNSEC_RANDID
++ bool "Randomized IP IDs"
++ help
++ If you say Y here, all the id field on all outgoing packets
++ will be randomized. This hinders os fingerprinters and
++ keeps your machine from being used as a bounce for an untraceable
++ portscan. Ids are used for fragmented packets, fragments belonging
++ to the same packet have the same id. By default linux only
++ increments the id value on each packet sent to an individual host.
++ We use a port of the OpenBSD random ip id code to achieve the
++ randomness, while keeping the possibility of id duplicates to
++ near none. If the sysctl option is enabled, a sysctl option with name
++ "rand_ip_ids" is created.
++
++config GRKERNSEC_RANDSRC
++ bool "Randomized TCP source ports"
++ default n if GRKERNSEC_LOW || GRKERNSEC_MID
++ default y if GRKERNSEC_HIGH
++ help
++ If you say Y here, situations where a source port is generated on the
++ fly for the TCP protocol (ie. with connect() ) will be altered so that
++ the source port is generated at random, instead of a simple incrementing
++ algorithm. If the sysctl option is enabled, a sysctl option with name
++ "rand_tcp_src_ports" is created.
++
++config GRKERNSEC_RANDRPC
++ bool "Randomized RPC XIDs"
++ help
++ If you say Y here, the method of determining XIDs for RPC requests will
++ be randomized, instead of using linux's default behavior of simply
++ incrementing the XID. If you want your RPC connections to be more
++ secure, say Y here. If the sysctl option is enabled, a sysctl option
++ with name "rand_rpc" is created.
++
++config GRKERNSEC_SOCKET
++ bool "Socket restrictions"
++ help
++ If you say Y here, you will be able to choose from several options.
++ If you assign a GID on your system and add it to the supplementary
++ groups of users you want to restrict socket access to, this patch
++ will perform up to three things, based on the option(s) you choose.
++
++config GRKERNSEC_SOCKET_ALL
++ bool "Deny any sockets to group"
++ depends on GRKERNSEC_SOCKET
++ help
++ If you say Y here, you will be able to choose a GID of whose users will
++ be unable to connect to other hosts from your machine or run server
++ applications from your machine. If the sysctl option is enabled, a
++ sysctl option with name "socket_all" is created.
++
++config GRKERNSEC_SOCKET_ALL_GID
++ int "GID to deny all sockets for"
++ depends on GRKERNSEC_SOCKET_ALL
++ default 1004
++ help
++ Here you can choose the GID to disable socket access for. Remember to
++ add the users you want socket access disabled for to the GID
++ specified here. If the sysctl option is enabled, whatever you choose
++ here won't matter. You'll have to specify the GID in your bootup
++ script by echoing the GID to the proper /proc entry. View the help
++ on the sysctl option for more information. If the sysctl option is
++ enabled, a sysctl option with name "socket_all_gid" is created.
++
++config GRKERNSEC_SOCKET_CLIENT
++ bool "Deny client sockets to group"
++ depends on GRKERNSEC_SOCKET
++ help
++ If you say Y here, you will be able to choose a GID of whose users will
++ be unable to connect to other hosts from your machine, but will be
++ able to run servers. If this option is enabled, all users in the group
++ you specify will have to use passive mode when initiating ftp transfers
++ from the shell on your machine. If the sysctl option is enabled, a
++ sysctl option with name "socket_client" is created.
++
++config GRKERNSEC_SOCKET_CLIENT_GID
++ int "GID to deny client sockets for"
++ depends on GRKERNSEC_SOCKET_CLIENT
++ default 1003
++ help
++ Here you can choose the GID to disable client socket access for.
++ Remember to add the users you want client socket access disabled for to
++ the GID specified here. If the sysctl option is enabled, whatever you
++ choose here won't matter. You'll have to specify the GID in your bootup
++ script by echoing the GID to the proper /proc entry. View the help
++ on the sysctl option for more information. If the sysctl option is
++ enabled, a sysctl option with name "socket_client_gid" is created.
++
++config GRKERNSEC_SOCKET_SERVER
++ bool "Deny server sockets to group"
++ depends on GRKERNSEC_SOCKET
++ help
++ If you say Y here, you will be able to choose a GID of whose users will
++ be unable to run server applications from your machine. If the sysctl
++ option is enabled, a sysctl option with name "socket_server" is created.
++
++config GRKERNSEC_SOCKET_SERVER_GID
++ int "GID to deny server sockets for"
++ depends on GRKERNSEC_SOCKET_SERVER
++ default 1002
++ help
++ Here you can choose the GID to disable server socket access for.
++ Remember to add the users you want server socket access disabled for to
++ the GID specified here. If the sysctl option is enabled, whatever you
++ choose here won't matter. You'll have to specify the GID in your bootup
++ script by echoing the GID to the proper /proc entry. View the help
++ on the sysctl option for more information. If the sysctl option is
++ enabled, a sysctl option with name "socket_server_gid" is created.
++
++endmenu
++menu "Sysctl support"
++depends on GRKERNSEC && SYSCTL
++
++config GRKERNSEC_SYSCTL
++ bool "Sysctl support"
++ help
++ If you say Y here, you will be able to change the options that
++ grsecurity runs with at bootup, without having to recompile your
++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
++ to enable (1) or disable (0) various features. All the sysctl entries
++ are mutable until the "grsec_lock" entry is set to a non-zero value.
++ All features are disabled by default. Please note that this option could
++ reduce the effectiveness of the added security of this patch if an ACL
++ system is not put in place. Your init scripts should be read-only, and
++ root should not have access to adding modules or performing raw i/o
++ operations. All options should be set at startup, and the grsec_lock
++ entry should be set to a non-zero value after all the options are set.
++ *THIS IS EXTREMELY IMPORTANT*
++
++endmenu
++menu "Logging Options"
++depends on GRKERNSEC
++
++config GRKERNSEC_FLOODTIME
++ int "Seconds in between log messages (minimum)"
++ default 10
++ help
++ This option allows you to enforce the number of seconds between
++ grsecurity log messages. The default should be suitable for most
++ people, however, if you choose to change it, choose a value small enough
++ to allow informative logs to be produced, but large enough to
++ prevent flooding.
++
++config GRKERNSEC_FLOODBURST
++ int "Number of messages in a burst (maximum)"
++ default 4
++ help
++ This option allows you to choose the maximum number of messages allowed
++ within the flood time interval you chose in a separate option. The
++ default should be suitable for most people, however if you find that
++ many of your logs are being interpreted as flooding, you may want to
++ raise this value.
++
++endmenu
++
++endmenu
+diff -uNr linux-2.6.6/grsecurity/Makefile linux-2.6.6.fixed/grsecurity/Makefile
+--- linux-2.6.6/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/Makefile 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,21 @@
++# grsecurity's ACL system was originally written in 2001 by Michael Dalton
++# during 2001, 2002, and 2003 it has been completely redesigned by
++# Brad Spengler
++#
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler, and released under the GPL, unless otherwise
++# noted (as in obsd_rand.c)
++
++obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
++ grsec_mount.o grsec_rand.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
++ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
++
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o obsd_rand.o \
++ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
++ gracl_learn.o
++obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
++
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
++
+diff -uNr linux-2.6.6/grsecurity/obsd_rand.c linux-2.6.6.fixed/grsecurity/obsd_rand.c
+--- linux-2.6.6/grsecurity/obsd_rand.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/grsecurity/obsd_rand.c 2004-05-11 10:55:56.000000000 +0200
+@@ -0,0 +1,186 @@
++
++/*
++ * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff.
++ *
++ * Version 1.89, last modified 19-Sep-99
++ *
++ * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.
++ * All rights reserved.
++ *
++ * Copyright 1998 Niels Provos <provos@citi.umich.edu>
++ * All rights reserved.
++ * Theo de Raadt <deraadt@openbsd.org> came up with the idea of using
++ * such a mathematical system to generate more random (yet non-repeating)
++ * ids to solve the resolver/named problem. But Niels designed the
++ * actual system based on the constraints.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer,
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/time.h>
++#include <linux/timer.h>
++#include <linux/smp_lock.h>
++#include <linux/random.h>
++#include <linux/grsecurity.h>
++
++#define RU_OUT 180
++#define RU_MAX 30000
++#define RU_GEN 2
++#define RU_N 32749
++#define RU_AGEN 7
++#define RU_M 31104
++#define PFAC_N 3
++const static __u16 pfacts[PFAC_N] = { 2, 3, 2729 };
++
++static __u16 ru_x;
++static __u16 ru_seed, ru_seed2;
++static __u16 ru_a, ru_b;
++static __u16 ru_g;
++static __u16 ru_counter = 0;
++static __u16 ru_msb = 0;
++static unsigned long ru_reseed = 0;
++static __u32 tmp;
++
++#define TCP_RNDISS_ROUNDS 15
++#define TCP_RNDISS_OUT 7200
++#define TCP_RNDISS_MAX 30000
++
++static __u8 tcp_rndiss_sbox[128];
++static __u16 tcp_rndiss_msb;
++static __u16 tcp_rndiss_cnt;
++static unsigned long tcp_rndiss_reseed;
++
++static __u16 pmod(__u16, __u16, __u16);
++static void ip_initid(void);
++__u16 ip_randomid(void);
++
++static __u16
++pmod(__u16 gen, __u16 exp, __u16 mod)
++{
++ __u16 s, t, u;
++
++ s = 1;
++ t = gen;
++ u = exp;
++
++ while (u) {
++ if (u & 1)
++ s = (s * t) % mod;
++ u >>= 1;
++ t = (t * t) % mod;
++ }
++ return (s);
++}
++
++static void
++ip_initid(void)
++{
++ __u16 j, i;
++ int noprime = 1;
++
++ ru_x = ((tmp = get_random_long()) & 0xFFFF) % RU_M;
++
++ ru_seed = (tmp >> 16) & 0x7FFF;
++ ru_seed2 = get_random_long() & 0x7FFF;
++
++ ru_b = ((tmp = get_random_long()) & 0xfffe) | 1;
++ ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M);
++ while (ru_b % 3 == 0)
++ ru_b += 2;
++
++ j = (tmp = get_random_long()) % RU_N;
++ tmp = tmp >> 16;
++
++ while (noprime) {
++ for (i = 0; i < PFAC_N; i++)
++ if (j % pfacts[i] == 0)
++ break;
++
++ if (i >= PFAC_N)
++ noprime = 0;
++ else
++ j = (j + 1) % RU_N;
++ }
++
++ ru_g = pmod(RU_GEN, j, RU_N);
++ ru_counter = 0;
++
++ ru_reseed = xtime.tv_sec + RU_OUT;
++ ru_msb = ru_msb == 0x8000 ? 0 : 0x8000;
++}
++
++__u16
++ip_randomid(void)
++{
++ int i, n;
++
++ if (ru_counter >= RU_MAX || time_after(get_seconds(), ru_reseed))
++ ip_initid();
++
++ if (!tmp)
++ tmp = get_random_long();
++
++ n = tmp & 0x3;
++ tmp = tmp >> 2;
++ if (ru_counter + n >= RU_MAX)
++ ip_initid();
++ for (i = 0; i <= n; i++)
++ ru_x = (ru_a * ru_x + ru_b) % RU_M;
++ ru_counter += i;
++
++ return ((ru_seed ^ pmod(ru_g, ru_seed2 ^ ru_x, RU_N)) | ru_msb);
++}
++
++__u16
++tcp_rndiss_encrypt(__u16 val)
++{
++ __u16 sum = 0, i;
++
++ for (i = 0; i < TCP_RNDISS_ROUNDS; i++) {
++ sum += 0x79b9;
++ val ^= ((__u16) tcp_rndiss_sbox[(val ^ sum) & 0x7f]) << 7;
++ val = ((val & 0xff) << 7) | (val >> 8);
++ }
++
++ return val;
++}
++
++static void
++tcp_rndiss_init(void)
++{
++ get_random_bytes(tcp_rndiss_sbox, sizeof (tcp_rndiss_sbox));
++ tcp_rndiss_reseed = get_seconds() + TCP_RNDISS_OUT;
++ tcp_rndiss_msb = tcp_rndiss_msb == 0x8000 ? 0 : 0x8000;
++ tcp_rndiss_cnt = 0;
++}
++
++__u32
++ip_randomisn(void)
++{
++ if (tcp_rndiss_cnt >= TCP_RNDISS_MAX ||
++ time_after(get_seconds(), tcp_rndiss_reseed))
++ tcp_rndiss_init();
++
++ return (((tcp_rndiss_encrypt(tcp_rndiss_cnt++) |
++ tcp_rndiss_msb) << 16) | (get_random_long() & 0x7fff));
++}
+diff -uNr linux-2.6.6/include/asm-alpha/a.out.h linux-2.6.6.fixed/include/asm-alpha/a.out.h
+--- linux-2.6.6/include/asm-alpha/a.out.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-alpha/a.out.h 2004-05-11 10:55:56.000000000 +0200
+@@ -98,7 +98,7 @@
+ set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000 \
+ ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
+
+-#define STACK_TOP \
++#define __STACK_TOP \
+ (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
+
+ #endif
+diff -uNr linux-2.6.6/include/asm-alpha/elf.h linux-2.6.6.fixed/include/asm-alpha/elf.h
+--- linux-2.6.6/include/asm-alpha/elf.h 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-alpha/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -84,6 +84,17 @@
+
+ #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 28)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 28)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality & ADDR_LIMIT_32BIT ? 14 : 19)
++#endif
++
+ /* $0 is set by ld.so to a pointer to a function which might be
+ registered using atexit. This provides a mean for the dynamic
+ linker to call DT_FINI functions for shared libraries that have
+diff -uNr linux-2.6.6/include/asm-alpha/mman.h linux-2.6.6.fixed/include/asm-alpha/mman.h
+--- linux-2.6.6/include/asm-alpha/mman.h 2004-05-10 04:31:58.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-alpha/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -29,6 +29,10 @@
+ #define MAP_POPULATE 0x20000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x40000 /* do not block on IO */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x20000
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_SYNC 2 /* synchronous memory sync */
+ #define MS_INVALIDATE 4 /* invalidate the caches */
+diff -uNr linux-2.6.6/include/asm-alpha/page.h linux-2.6.6.fixed/include/asm-alpha/page.h
+--- linux-2.6.6/include/asm-alpha/page.h 2004-05-10 04:33:10.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-alpha/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -98,6 +98,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _ALPHA_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-alpha/pgtable.h linux-2.6.6.fixed/include/asm-alpha/pgtable.h
+--- linux-2.6.6/include/asm-alpha/pgtable.h 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-alpha/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -96,6 +96,17 @@
+ #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
+ #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
+ #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
+
+ #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
+diff -uNr linux-2.6.6/include/asm-i386/a.out.h linux-2.6.6.fixed/include/asm-i386/a.out.h
+--- linux-2.6.6/include/asm-i386/a.out.h 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -19,7 +19,11 @@
+
+ #ifdef __KERNEL__
+
+-#define STACK_TOP TASK_SIZE
++#ifdef CONFIG_PAX_SEGMEXEC
++#define __STACK_TOP ((current->flags & PF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
++#else
++#define __STACK_TOP TASK_SIZE
++#endif
+
+ #endif
+
+diff -uNr linux-2.6.6/include/asm-i386/desc.h linux-2.6.6.fixed/include/asm-i386/desc.h
+--- linux-2.6.6/include/asm-i386/desc.h 2004-05-10 04:31:55.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/desc.h 2004-05-11 10:55:57.000000000 +0200
+@@ -8,11 +8,19 @@
+
+ #include <linux/preempt.h>
+ #include <linux/smp.h>
++#include <linux/sched.h>
+
+ #include <asm/mmu.h>
++#include <asm/pgtable.h>
++#include <asm/tlbflush.h>
+
+ extern struct desc_struct cpu_gdt_table[NR_CPUS][GDT_ENTRIES];
+
++static inline void pax_switch_segments(struct task_struct * tsk, int cpu)
++{
++ cpu_gdt_table[cpu][GDT_ENTRY_DEFAULT_USER_CS].b = tsk->flags & PF_PAX_SEGMEXEC ? 0x60c9fb00U : 0x00cffb00U;
++}
++
+ struct Xgt_desc_struct {
+ unsigned short size;
+ unsigned long address __attribute__((packed));
+@@ -28,7 +36,7 @@
+ * This is the ldt that every process will get unless we need
+ * something other than this.
+ */
+-extern struct desc_struct default_ldt[];
++extern const struct desc_struct default_ldt[];
+ extern void set_intr_gate(unsigned int irq, void * addr);
+
+ #define _set_tssldt_desc(n,addr,limit,type) \
+@@ -42,16 +50,50 @@
+ "rorl $16,%%eax" \
+ : "=m"(*(n)) : "a" (addr), "r"(n), "ir"(limit), "i"(type))
+
+-static inline void __set_tss_desc(unsigned int cpu, unsigned int entry, void *addr)
++static inline void __set_tss_desc(unsigned int cpu, unsigned int entry, const void *addr)
+ {
+ _set_tssldt_desc(&cpu_gdt_table[cpu][entry], (int)addr, 235, 0x89);
+ }
+
+ #define set_tss_desc(cpu,addr) __set_tss_desc(cpu, GDT_ENTRY_TSS, addr)
+
+-static inline void set_ldt_desc(unsigned int cpu, void *addr, unsigned int size)
++static inline void __set_ldt_desc(unsigned int cpu, const void *addr, unsigned int size)
++{
++ _set_tssldt_desc(&cpu_gdt_table[cpu][GDT_ENTRY_LDT], (int)addr, ((size << 3)-1), 0x82);
++}
++
++#define pax_open_kernel(flags, cr3) \
++do { \
++ typecheck(unsigned long,flags); \
++ typecheck(unsigned long,cr3); \
++ local_irq_save(flags); \
++ asm("movl %%cr3,%0":"=r" (cr3)); \
++ load_cr3(kernexec_pg_dir); \
++} while(0)
++
++#define pax_close_kernel(flags, cr3) \
++do { \
++ typecheck(unsigned long,flags); \
++ typecheck(unsigned long,cr3); \
++ asm("movl %0,%%cr3": :"r" (cr3)); \
++ local_irq_restore(flags); \
++} while(0)
++
++static inline void set_ldt_desc(unsigned int cpu, const void *addr, unsigned int size)
+ {
++
++#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long flags, cr3;
++
++ pax_open_kernel(flags, cr3);
++#endif
++
+ _set_tssldt_desc(&cpu_gdt_table[cpu][GDT_ENTRY_LDT], (int)addr, ((size << 3)-1), 0x82);
++
++#ifdef CONFIG_PAX_KERNEXEC
++ pax_close_kernel(flags, cr3);
++#endif
++
+ }
+
+ #define LDT_entry_a(info) \
+@@ -67,7 +109,7 @@
+ ((info)->seg_32bit << 22) | \
+ ((info)->limit_in_pages << 23) | \
+ ((info)->useable << 20) | \
+- 0x7000)
++ 0x7100)
+
+ #define LDT_empty(info) (\
+ (info)->base_addr == 0 && \
+@@ -104,7 +146,7 @@
+ */
+ static inline void load_LDT_nolock(mm_context_t *pc, int cpu)
+ {
+- void *segments = pc->ldt;
++ const void *segments = pc->ldt;
+ int count = pc->size;
+
+ if (likely(!count)) {
+@@ -123,6 +165,22 @@
+ put_cpu();
+ }
+
++static inline void _load_LDT(mm_context_t *pc)
++{
++ int cpu = get_cpu();
++ const void *segments = pc->ldt;
++ int count = pc->size;
++
++ if (likely(!count)) {
++ segments = &default_ldt[0];
++ count = 5;
++ }
++
++ __set_ldt_desc(cpu, segments, count);
++ load_LDT_desc();
++ put_cpu();
++}
++
+ #endif /* !__ASSEMBLY__ */
+
+ #endif
+diff -uNr linux-2.6.6/include/asm-i386/elf.h linux-2.6.6.fixed/include/asm-i386/elf.h
+--- linux-2.6.6/include/asm-i386/elf.h 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -70,7 +70,22 @@
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
++#ifdef CONFIG_PAX_SEGMEXEC
++#define ELF_ET_DYN_BASE ((current->flags & PF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE/3*2:TASK_SIZE/3*2)
++#else
+ #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) 0x08048000UL
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) 16
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) 16
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->flags & PF_PAX_SEGMEXEC ? 15 : 16)
++#endif
+
+ /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
+ now struct_user_regs, they are different) */
+@@ -113,8 +128,11 @@
+ * Architecture-neutral AT_ values in 0-17, leave some room
+ * for more of them, start the x86-specific ones at 32.
+ */
++
++#ifndef CONFIG_PAX_NOVSYSCALL
+ #define AT_SYSINFO 32
+ #define AT_SYSINFO_EHDR 33
++#endif
+
+ #ifdef __KERNEL__
+ #define SET_PERSONALITY(ex, ibcs2) set_personality((ibcs2)?PER_SVR4:PER_LINUX)
+@@ -129,7 +147,14 @@
+
+ #define VSYSCALL_BASE (__fix_to_virt(FIX_VSYSCALL))
+ #define VSYSCALL_EHDR ((const struct elfhdr *) VSYSCALL_BASE)
++
++#ifndef CONFIG_PAX_NOVSYSCALL
++#ifdef CONFIG_PAX_SEGMEXEC
++#define VSYSCALL_ENTRY ((current->flags & PF_PAX_SEGMEXEC) ? (unsigned long) &__kernel_vsyscall - SEGMEXEC_TASK_SIZE : (unsigned long) &__kernel_vsyscall)
++#else
+ #define VSYSCALL_ENTRY ((unsigned long) &__kernel_vsyscall)
++#endif
++
+ extern void __kernel_vsyscall;
+
+ #define ARCH_DLINFO \
+@@ -185,3 +210,5 @@
+ #endif
+
+ #endif
++
++#endif
+diff -uNr linux-2.6.6/include/asm-i386/mach-default/apm.h linux-2.6.6.fixed/include/asm-i386/mach-default/apm.h
+--- linux-2.6.6/include/asm-i386/mach-default/apm.h 2004-05-10 04:32:02.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/mach-default/apm.h 2004-05-11 10:55:57.000000000 +0200
+@@ -36,7 +36,7 @@
+ __asm__ __volatile__(APM_DO_ZERO_SEGS
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+- "lcall *%%cs:apm_bios_entry\n\t"
++ "lcall *%%ss:apm_bios_entry\n\t"
+ "setc %%al\n\t"
+ "popl %%ebp\n\t"
+ "popl %%edi\n\t"
+@@ -60,7 +60,7 @@
+ __asm__ __volatile__(APM_DO_ZERO_SEGS
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+- "lcall *%%cs:apm_bios_entry\n\t"
++ "lcall *%%ss:apm_bios_entry\n\t"
+ "setc %%bl\n\t"
+ "popl %%ebp\n\t"
+ "popl %%edi\n\t"
+diff -uNr linux-2.6.6/include/asm-i386/mach-pc9800/apm.h linux-2.6.6.fixed/include/asm-i386/mach-pc9800/apm.h
+--- linux-2.6.6/include/asm-i386/mach-pc9800/apm.h 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/mach-pc9800/apm.h 2004-05-11 10:55:57.000000000 +0200
+@@ -39,7 +39,7 @@
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+ "pushfl\n\t"
+- "lcall *%%cs:apm_bios_entry\n\t"
++ "lcall *%%ss:apm_bios_entry\n\t"
+ "setc %%al\n\t"
+ "popl %%ebp\n\t"
+ "popl %%edi\n\t"
+@@ -64,7 +64,7 @@
+ "pushl %%edi\n\t"
+ "pushl %%ebp\n\t"
+ "pushfl\n\t"
+- "lcall *%%cs:apm_bios_entry\n\t"
++ "lcall *%%ss:apm_bios_entry\n\t"
+ "setc %%bl\n\t"
+ "popl %%ebp\n\t"
+ "popl %%edi\n\t"
+diff -uNr linux-2.6.6/include/asm-i386/mman.h linux-2.6.6.fixed/include/asm-i386/mman.h
+--- linux-2.6.6/include/asm-i386/mman.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -23,6 +23,10 @@
+ #define MAP_POPULATE 0x8000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x10000 /* do not block on IO */
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++#define MAP_MIRROR 0x20000
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-i386/module.h linux-2.6.6.fixed/include/asm-i386/module.h
+--- linux-2.6.6/include/asm-i386/module.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/module.h 2004-05-11 11:28:59.000000000 +0200
+@@ -60,12 +60,18 @@
+ #define MODULE_REGPARM ""
+ #endif
+
++#ifdef CONFIG_GRKERNSEC
++#define MODULE_GRSEC "GRSECURITY "
++#else
++#define MODULE_GRSEC ""
++#endif
++
+ #ifdef CONFIG_4KSTACKS
+ #define MODULE_STACKSIZE "4KSTACKS "
+ #else
+ #define MODULE_STACKSIZE ""
+ #endif
+
+-#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE
++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_REGPARM MODULE_STACKSIZE MODULE_GRSEC
+
+ #endif /* _ASM_I386_MODULE_H */
+diff -uNr linux-2.6.6/include/asm-i386/page.h linux-2.6.6.fixed/include/asm-i386/page.h
+--- linux-2.6.6/include/asm-i386/page.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -120,6 +120,19 @@
+ #define __PAGE_OFFSET (0xC0000000UL)
+ #endif
+
++#ifdef CONFIG_PAX_KERNEXEC
++#ifdef __ASSEMBLY__
++#define __KERNEL_TEXT_OFFSET (0xC0400000)
++#else
++#define __KERNEL_TEXT_OFFSET (0xC0400000UL)
++#endif
++#else
++#ifdef __ASSEMBLY__
++#define __KERNEL_TEXT_OFFSET (0)
++#else
++#define __KERNEL_TEXT_OFFSET (0x0UL)
++#endif
++#endif
+
+ #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
+ #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
+@@ -139,6 +152,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & (PF_PAX_PAGEEXEC|PF_PAX_SEGMEXEC))?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & (PF_PAX_PAGEEXEC|PF_PAX_SEGMEXEC))?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _I386_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-i386/pgalloc.h linux-2.6.6.fixed/include/asm-i386/pgalloc.h
+--- linux-2.6.6/include/asm-i386/pgalloc.h 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/pgalloc.h 2004-05-11 10:55:57.000000000 +0200
+@@ -8,7 +8,7 @@
+ #include <linux/mm.h> /* for struct page */
+
+ #define pmd_populate_kernel(mm, pmd, pte) \
+- set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte)))
++ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte)))
+
+ static inline void pmd_populate(struct mm_struct *mm, pmd_t *pmd, struct page *pte)
+ {
+diff -uNr linux-2.6.6/include/asm-i386/pgtable.h linux-2.6.6.fixed/include/asm-i386/pgtable.h
+--- linux-2.6.6/include/asm-i386/pgtable.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -32,6 +32,11 @@
+ #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
+ extern unsigned long empty_zero_page[1024];
+ extern pgd_t swapper_pg_dir[1024];
++
++#ifdef CONFIG_PAX_KERNEXEC
++extern pgd_t kernexec_pg_dir[1024];
++#endif
++
+ extern kmem_cache_t *pgd_cache;
+ extern kmem_cache_t *pmd_cache;
+ extern spinlock_t pgd_lock;
+@@ -136,6 +141,16 @@
+ #define PAGE_COPY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+ #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED)
++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ #define _PAGE_KERNEL \
+ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED)
+
+@@ -155,18 +170,18 @@
+ * This is the closest we can get..
+ */
+ #define __P000 PAGE_NONE
+-#define __P001 PAGE_READONLY
+-#define __P010 PAGE_COPY
+-#define __P011 PAGE_COPY
++#define __P001 PAGE_READONLY_NOEXEC
++#define __P010 PAGE_COPY_NOEXEC
++#define __P011 PAGE_COPY_NOEXEC
+ #define __P100 PAGE_READONLY
+ #define __P101 PAGE_READONLY
+ #define __P110 PAGE_COPY
+ #define __P111 PAGE_COPY
+
+ #define __S000 PAGE_NONE
+-#define __S001 PAGE_READONLY
+-#define __S010 PAGE_SHARED
+-#define __S011 PAGE_SHARED
++#define __S001 PAGE_READONLY_NOEXEC
++#define __S010 PAGE_SHARED_NOEXEC
++#define __S011 PAGE_SHARED_NOEXEC
+ #define __S100 PAGE_READONLY
+ #define __S101 PAGE_READONLY
+ #define __S110 PAGE_SHARED
+diff -uNr linux-2.6.6/include/asm-i386/processor.h linux-2.6.6.fixed/include/asm-i386/processor.h
+--- linux-2.6.6/include/asm-i386/processor.h 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/processor.h 2004-05-11 10:55:57.000000000 +0200
+@@ -296,10 +296,19 @@
+ */
+ #define TASK_SIZE (PAGE_OFFSET)
+
++#ifdef CONFIG_PAX_SEGMEXEC
++#define SEGMEXEC_TASK_SIZE ((PAGE_OFFSET) / 2)
++#endif
++
+ /* This decides where the kernel will search for a free chunk of vm
+ * space during mmap's.
+ */
++
++#ifdef CONFIG_PAX_SEGMEXEC
++#define TASK_UNMAPPED_BASE (PAGE_ALIGN((current->flags & PF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE/3:TASK_SIZE/3))
++#else
+ #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
++#endif
+
+ /*
+ * Size of io_bitmap, covering ports 0 to 0x3ff.
+@@ -626,7 +635,7 @@
+ extern inline void prefetch(const void *x)
+ {
+ alternative_input(ASM_NOP4,
+- "prefetchnta (%1)",
++ "prefetchnta (%2)",
+ X86_FEATURE_XMM,
+ "r" (x));
+ }
+@@ -640,7 +649,7 @@
+ extern inline void prefetchw(const void *x)
+ {
+ alternative_input(ASM_NOP4,
+- "prefetchw (%1)",
++ "prefetchw (%2)",
+ X86_FEATURE_3DNOW,
+ "r" (x));
+ }
+diff -uNr linux-2.6.6/include/asm-i386/system.h linux-2.6.6.fixed/include/asm-i386/system.h
+--- linux-2.6.6/include/asm-i386/system.h 2004-05-10 04:31:58.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-i386/system.h 2004-05-11 10:55:57.000000000 +0200
+@@ -5,6 +5,7 @@
+ #include <linux/kernel.h>
+ #include <asm/segment.h>
+ #include <asm/cpufeature.h>
++#include <asm/page.h>
+ #include <linux/bitops.h> /* for LOCK_PREFIX */
+
+ #ifdef __KERNEL__
+@@ -301,7 +302,7 @@
+ asm volatile ("661:\n\t" oldinstr "\n662:\n" \
+ ".section .altinstructions,\"a\"\n" \
+ " .align 4\n" \
+- " .long 661b\n" /* label */ \
++ " .long 661b + %c1\n" /* label */ \
+ " .long 663f\n" /* new instruction */ \
+ " .byte %c0\n" /* feature bit */ \
+ " .byte 662b-661b\n" /* sourcelen */ \
+@@ -309,7 +310,7 @@
+ ".previous\n" \
+ ".section .altinstr_replacement,\"ax\"\n" \
+ "663:\n\t" newinstr "\n664:\n" /* replacement */ \
+- ".previous" :: "i" (feature) : "memory")
++ ".previous" :: "i" (feature), "i" (__KERNEL_TEXT_OFFSET) : "memory")
+
+ /*
+ * Alternative inline assembly with input.
+@@ -325,7 +326,7 @@
+ asm volatile ("661:\n\t" oldinstr "\n662:\n" \
+ ".section .altinstructions,\"a\"\n" \
+ " .align 4\n" \
+- " .long 661b\n" /* label */ \
++ " .long 661b + %c1\n" /* label */ \
+ " .long 663f\n" /* new instruction */ \
+ " .byte %c0\n" /* feature bit */ \
+ " .byte 662b-661b\n" /* sourcelen */ \
+@@ -333,7 +334,7 @@
+ ".previous\n" \
+ ".section .altinstr_replacement,\"ax\"\n" \
+ "663:\n\t" newinstr "\n664:\n" /* replacement */ \
+- ".previous" :: "i" (feature), input)
++ ".previous" :: "i" (feature), "i" (__KERNEL_TEXT_OFFSET), input)
+
+ /*
+ * Force strict CPU ordering.
+diff -uNr linux-2.6.6/include/asm-ia64/elf.h linux-2.6.6.fixed/include/asm-ia64/elf.h
+--- linux-2.6.6/include/asm-ia64/elf.h 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ia64/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -162,6 +162,16 @@
+ typedef struct ia64_fpreg elf_fpreg_t;
+ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) ((tsk)->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - PAGE_SHIFT)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - PAGE_SHIFT)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) ((tsk)->personality == PER_LINUX32 ? 16 : 43 - PAGE_SHIFT)
++#endif
+
+
+ struct pt_regs; /* forward declaration... */
+diff -uNr linux-2.6.6/include/asm-ia64/mman.h linux-2.6.6.fixed/include/asm-ia64/mman.h
+--- linux-2.6.6/include/asm-ia64/mman.h 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ia64/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -31,6 +31,10 @@
+ #define MAP_POPULATE 0x08000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x10000 /* do not block on IO */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x40000
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-ia64/page.h linux-2.6.6.fixed/include/asm-ia64/page.h
+--- linux-2.6.6/include/asm-ia64/page.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ia64/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -187,4 +187,13 @@
+ (((current->thread.flags & IA64_THREAD_XSTACK) != 0) \
+ ? VM_EXEC : 0))
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* _ASM_IA64_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-ia64/pgtable.h linux-2.6.6.fixed/include/asm-ia64/pgtable.h
+--- linux-2.6.6/include/asm-ia64/pgtable.h 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ia64/pgtable.h 2004-05-11 11:26:44.000000000 +0200
+@@ -120,6 +120,17 @@
+ #define PAGE_SHARED __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
+ #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
+ #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++# define PAGE_COPY_NOEXEC PAGE_COPY
++#endif
++
+ #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
+ #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
+ #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
+diff -uNr linux-2.6.6/include/asm-ia64/ustack.h linux-2.6.6.fixed/include/asm-ia64/ustack.h
+--- linux-2.6.6/include/asm-ia64/ustack.h 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ia64/ustack.h 2004-05-11 10:55:57.000000000 +0200
+@@ -11,6 +11,6 @@
+ #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
+ /* Make a default stack size of 2GB */
+ #define DEFAULT_USER_STACK_SIZE (1UL << 31)
+-#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
++#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
+
+ #endif /* _ASM_IA64_USTACK_H */
+diff -uNr linux-2.6.6/include/asm-mips/a.out.h linux-2.6.6.fixed/include/asm-mips/a.out.h
+--- linux-2.6.6/include/asm-mips/a.out.h 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-mips/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -36,10 +36,10 @@
+ #ifdef __KERNEL__
+
+ #ifdef CONFIG_MIPS32
+-#define STACK_TOP TASK_SIZE
++#define __STACK_TOP TASK_SIZE
+ #endif
+ #ifdef CONFIG_MIPS64
+-#define STACK_TOP (current->thread.mflags & MF_32BIT_ADDR ? TASK_SIZE32 : TASK_SIZE)
++#define __STACK_TOP (current->thread.mflags & MF_32BIT_ADDR ? TASK_SIZE32 : TASK_SIZE)
+ #endif
+
+ #endif
+diff -uNr linux-2.6.6/include/asm-mips/elf.h linux-2.6.6.fixed/include/asm-mips/elf.h
+--- linux-2.6.6/include/asm-mips/elf.h 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-mips/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -273,4 +273,15 @@
+ #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+ #endif
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (((tsk)->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ #endif /* _ASM_ELF_H */
+diff -uNr linux-2.6.6/include/asm-mips/page.h linux-2.6.6.fixed/include/asm-mips/page.h
+--- linux-2.6.6/include/asm-mips/page.h 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-mips/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -124,6 +124,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #define UNCAC_ADDR(addr) ((addr) - PAGE_OFFSET + UNCAC_BASE)
+ #define CAC_ADDR(addr) ((addr) - UNCAC_BASE + PAGE_OFFSET)
+
+diff -uNr linux-2.6.6/include/asm-parisc/a.out.h linux-2.6.6.fixed/include/asm-parisc/a.out.h
+--- linux-2.6.6/include/asm-parisc/a.out.h 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-parisc/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -22,7 +22,7 @@
+ /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
+ * prumpf */
+
+-#define STACK_TOP TASK_SIZE
++#define __STACK_TOP TASK_SIZE
+
+ #endif
+
+diff -uNr linux-2.6.6/include/asm-parisc/elf.h linux-2.6.6.fixed/include/asm-parisc/elf.h
+--- linux-2.6.6/include/asm-parisc/elf.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-parisc/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -337,6 +337,17 @@
+
+ #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000UL
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) 16
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) 16
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) 16
++#endif
++
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+ but it's not easy, and we've already done it here. */
+diff -uNr linux-2.6.6/include/asm-parisc/mman.h linux-2.6.6.fixed/include/asm-parisc/mman.h
+--- linux-2.6.6/include/asm-parisc/mman.h 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-parisc/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -23,6 +23,10 @@
+ #define MAP_POPULATE 0x10000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x20000 /* do not block on IO */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x0400
++#endif
++
+ #define MS_SYNC 1 /* synchronous memory sync */
+ #define MS_ASYNC 2 /* sync memory asynchronously */
+ #define MS_INVALIDATE 4 /* invalidate the caches */
+diff -uNr linux-2.6.6/include/asm-parisc/page.h linux-2.6.6.fixed/include/asm-parisc/page.h
+--- linux-2.6.6/include/asm-parisc/page.h 2004-05-10 04:32:19.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-parisc/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -113,6 +113,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _PARISC_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-parisc/pgtable.h linux-2.6.6.fixed/include/asm-parisc/pgtable.h
+--- linux-2.6.6/include/asm-parisc/pgtable.h 2004-05-10 04:33:19.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-parisc/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -179,6 +179,17 @@
+ #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
+ #define PAGE_COPY PAGE_EXECREAD
+ #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
+ #define PAGE_KERNEL_RO __pgprot(_PAGE_PRESENT | _PAGE_EXEC | _PAGE_READ | _PAGE_DIRTY | _PAGE_ACCESSED)
+ #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
+diff -uNr linux-2.6.6/include/asm-ppc/a.out.h linux-2.6.6.fixed/include/asm-ppc/a.out.h
+--- linux-2.6.6/include/asm-ppc/a.out.h 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ppc/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -2,7 +2,7 @@
+ #define __PPC_A_OUT_H__
+
+ /* grabbed from the intel stuff */
+-#define STACK_TOP TASK_SIZE
++#define __STACK_TOP TASK_SIZE
+
+
+ struct exec
+diff -uNr linux-2.6.6/include/asm-ppc/elf.h linux-2.6.6.fixed/include/asm-ppc/elf.h
+--- linux-2.6.6/include/asm-ppc/elf.h 2004-05-10 04:31:57.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ppc/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -89,6 +89,17 @@
+
+ #define ELF_ET_DYN_BASE (0x08000000)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000000UL
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) 15
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) 15
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) 15
++#endif
++
+ #define USE_ELF_CORE_DUMP
+ #define ELF_EXEC_PAGESIZE 4096
+
+diff -uNr linux-2.6.6/include/asm-ppc/mman.h linux-2.6.6.fixed/include/asm-ppc/mman.h
+--- linux-2.6.6/include/asm-ppc/mman.h 2004-05-10 04:33:22.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ppc/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -24,6 +24,10 @@
+ #define MAP_POPULATE 0x8000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x10000 /* do not block on IO */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x0200
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-ppc/page.h linux-2.6.6.fixed/include/asm-ppc/page.h
+--- linux-2.6.6/include/asm-ppc/page.h 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ppc/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -163,5 +163,14 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* __KERNEL__ */
+ #endif /* _PPC_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-ppc/pgtable.h linux-2.6.6.fixed/include/asm-ppc/pgtable.h
+--- linux-2.6.6/include/asm-ppc/pgtable.h 2004-05-10 04:32:25.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-ppc/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -349,11 +349,21 @@
+
+ #define PAGE_NONE __pgprot(_PAGE_BASE)
+ #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
+-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
+ #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
+-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
+ #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
+-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
++
++#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
+
+ #define PAGE_KERNEL __pgprot(_PAGE_RAM)
+ #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
+@@ -365,21 +375,21 @@
+ * This is the closest we can get..
+ */
+ #define __P000 PAGE_NONE
+-#define __P001 PAGE_READONLY_X
+-#define __P010 PAGE_COPY
+-#define __P011 PAGE_COPY_X
+-#define __P100 PAGE_READONLY
++#define __P001 PAGE_READONLY_NOEXEC
++#define __P010 PAGE_COPY_NOEXEC
++#define __P011 PAGE_COPY_NOEXEC
++#define __P100 PAGE_READONLY_X
+ #define __P101 PAGE_READONLY_X
+-#define __P110 PAGE_COPY
++#define __P110 PAGE_COPY_X
+ #define __P111 PAGE_COPY_X
+
+ #define __S000 PAGE_NONE
+-#define __S001 PAGE_READONLY_X
+-#define __S010 PAGE_SHARED
+-#define __S011 PAGE_SHARED_X
+-#define __S100 PAGE_READONLY
++#define __S001 PAGE_READONLY_NOEXEC
++#define __S010 PAGE_SHARED_NOEXEC
++#define __S011 PAGE_SHARED_NOEXEC
++#define __S100 PAGE_READONLY_X
+ #define __S101 PAGE_READONLY_X
+-#define __S110 PAGE_SHARED
++#define __S110 PAGE_SHARED_X
+ #define __S111 PAGE_SHARED_X
+
+ #ifndef __ASSEMBLY__
+diff -uNr linux-2.6.6/include/asm-sparc/a.out.h linux-2.6.6.fixed/include/asm-sparc/a.out.h
+--- linux-2.6.6/include/asm-sparc/a.out.h 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -91,7 +91,7 @@
+
+ #include <asm/page.h>
+
+-#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
++#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
+
+ #endif /* __KERNEL__ */
+
+diff -uNr linux-2.6.6/include/asm-sparc/elf.h linux-2.6.6.fixed/include/asm-sparc/elf.h
+--- linux-2.6.6/include/asm-sparc/elf.h 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -145,6 +145,17 @@
+
+ #define ELF_ET_DYN_BASE (0x08000000)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) 0x10000UL
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) 16
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) 16
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) 16
++#endif
++
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this cpu supports. This can NOT be done in userspace
+ on Sparc. */
+diff -uNr linux-2.6.6/include/asm-sparc/mman.h linux-2.6.6.fixed/include/asm-sparc/mman.h
+--- linux-2.6.6/include/asm-sparc/mman.h 2004-05-10 04:33:20.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -27,6 +27,10 @@
+ #define MAP_DENYWRITE 0x0800 /* ETXTBSY */
+ #define MAP_EXECUTABLE 0x1000 /* mark it as an executable */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x0400
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-sparc/page.h linux-2.6.6.fixed/include/asm-sparc/page.h
+--- linux-2.6.6/include/asm-sparc/page.h 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -176,6 +176,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _SPARC_PAGE_H */
+diff -uNr linux-2.6.6/include/asm-sparc/pgtable.h linux-2.6.6.fixed/include/asm-sparc/pgtable.h
+--- linux-2.6.6/include/asm-sparc/pgtable.h 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -110,6 +110,13 @@
+ BTFIXUPDEF_INT(page_shared)
+ BTFIXUPDEF_INT(page_copy)
+ BTFIXUPDEF_INT(page_readonly)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++BTFIXUPDEF_INT(page_shared_noexec)
++BTFIXUPDEF_INT(page_copy_noexec)
++BTFIXUPDEF_INT(page_readonly_noexec)
++#endif
++
+ BTFIXUPDEF_INT(page_kernel)
+
+ #define PMD_SHIFT BTFIXUP_SIMM13(pmd_shift)
+@@ -131,6 +138,16 @@
+ #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
+ #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
+
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot(BTFIXUP_INT(page_shared_noexec))
++# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
++# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ extern unsigned long page_kernel;
+
+ #ifdef MODULE
+diff -uNr linux-2.6.6/include/asm-sparc/pgtsrmmu.h linux-2.6.6.fixed/include/asm-sparc/pgtsrmmu.h
+--- linux-2.6.6/include/asm-sparc/pgtsrmmu.h 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/pgtsrmmu.h 2004-05-11 10:55:57.000000000 +0200
+@@ -119,6 +119,16 @@
+ SRMMU_EXEC | SRMMU_REF)
+ #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
+ SRMMU_EXEC | SRMMU_REF)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
++ SRMMU_WRITE | SRMMU_REF)
++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
++ SRMMU_REF)
++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
++ SRMMU_REF)
++#endif
++
+ #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
+ SRMMU_DIRTY | SRMMU_REF)
+
+diff -uNr linux-2.6.6/include/asm-sparc/uaccess.h linux-2.6.6.fixed/include/asm-sparc/uaccess.h
+--- linux-2.6.6/include/asm-sparc/uaccess.h 2004-05-10 04:33:19.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc/uaccess.h 2004-05-11 10:55:57.000000000 +0200
+@@ -41,7 +41,7 @@
+ * No one can read/write anything from userland in the kernel space by setting
+ * large size and address near to PAGE_OFFSET - a fault will break his intentions.
+ */
+-#define __user_ok(addr,size) ((addr) < STACK_TOP)
++#define __user_ok(addr,size) ((addr) < __STACK_TOP)
+ #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
+ #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
+ #define access_ok(type,addr,size) __access_ok((unsigned long)(addr),(size))
+diff -uNr linux-2.6.6/include/asm-sparc64/a.out.h linux-2.6.6.fixed/include/asm-sparc64/a.out.h
+--- linux-2.6.6/include/asm-sparc64/a.out.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc64/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -95,7 +95,7 @@
+
+ #ifdef __KERNEL__
+
+-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? 0xf0000000 : 0x80000000000L)
++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? 0xf0000000 : 0x80000000000L)
+
+ #endif
+
+diff -uNr linux-2.6.6/include/asm-sparc64/elf.h linux-2.6.6.fixed/include/asm-sparc64/elf.h
+--- linux-2.6.6/include/asm-sparc64/elf.h 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc64/elf.h 2004-05-11 10:55:57.000000000 +0200
+@@ -140,6 +140,16 @@
+ #define ELF_ET_DYN_BASE 0x0000010000000000UL
+ #endif
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) (PAGE_SHIFT + 1)
++#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 14 : 28 )
++#define PAX_DELTA_EXEC_LSB(tsk) (PAGE_SHIFT + 1)
++#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 14 : 28 )
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_32BIT) ? 15 : 29 )
++#endif
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this cpu supports. */
+diff -uNr linux-2.6.6/include/asm-sparc64/mman.h linux-2.6.6.fixed/include/asm-sparc64/mman.h
+--- linux-2.6.6/include/asm-sparc64/mman.h 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc64/mman.h 2004-05-11 10:55:57.000000000 +0200
+@@ -27,6 +27,10 @@
+ #define MAP_DENYWRITE 0x0800 /* ETXTBSY */
+ #define MAP_EXECUTABLE 0x1000 /* mark it as an executable */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x0400
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-sparc64/page.h linux-2.6.6.fixed/include/asm-sparc64/page.h
+--- linux-2.6.6/include/asm-sparc64/page.h 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc64/page.h 2004-05-11 10:55:57.000000000 +0200
+@@ -174,6 +174,15 @@
+ #define VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
++#ifdef CONFIG_PAX_PAGEEXEC
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#endif
++
+ #endif /* !(__KERNEL__) */
+
+ #endif /* !(_SPARC64_PAGE_H) */
+diff -uNr linux-2.6.6/include/asm-sparc64/pgtable.h linux-2.6.6.fixed/include/asm-sparc64/pgtable.h
+--- linux-2.6.6/include/asm-sparc64/pgtable.h 2004-05-10 04:31:58.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-sparc64/pgtable.h 2004-05-11 10:55:57.000000000 +0200
+@@ -124,7 +124,8 @@
+
+ /* Here are the SpitFire software bits we use in the TTE's. */
+ #define _PAGE_FILE 0x0000000000001000 /* Pagecache page */
+-#define _PAGE_MODIFIED 0x0000000000000800 /* Modified Page (ie. dirty) */
++#define _PAGE_MODIFIED 0x0000000000001000 /* Modified Page (ie. dirty) */
++#define _PAGE_EXEC 0x0000000000000800 /* Executable SW Bit */
+ #define _PAGE_ACCESSED 0x0000000000000400 /* Accessed Page (ie. referenced) */
+ #define _PAGE_READ 0x0000000000000200 /* Readable SW Bit */
+ #define _PAGE_WRITE 0x0000000000000100 /* Writable SW Bit */
+@@ -160,34 +161,48 @@
+
+ /* Don't set the TTE _PAGE_W bit here, else the dirty bit never gets set. */
+ #define PAGE_SHARED __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
+- __ACCESS_BITS | _PAGE_WRITE)
++ __ACCESS_BITS | _PAGE_WRITE | _PAGE_EXEC)
+
+ #define PAGE_COPY __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
+- __ACCESS_BITS)
++ __ACCESS_BITS | _PAGE_EXEC)
+
+ #define PAGE_READONLY __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
+- __ACCESS_BITS)
++ __ACCESS_BITS | _PAGE_EXEC)
+
+ #define PAGE_KERNEL __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
+- __PRIV_BITS | __ACCESS_BITS | __DIRTY_BITS)
++ __PRIV_BITS | __ACCESS_BITS | __DIRTY_BITS | \
++ _PAGE_EXEC)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
++ __ACCESS_BITS | _PAGE_WRITE)
++# define PAGE_COPY_NOEXEC __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
++ __ACCESS_BITS)
++# define PAGE_READONLY_NOEXEC __pgprot (_PAGE_PRESENT | _PAGE_VALID | _PAGE_CACHE | \
++ __ACCESS_BITS)
++#else
++# define PAGE_SHARED_NOEXEC PAGE_SHARED
++# define PAGE_COPY_NOEXEC PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
+
+ #define _PFN_MASK _PAGE_PADDR
+
+ #define pg_iobits (_PAGE_VALID | _PAGE_PRESENT | __DIRTY_BITS | __ACCESS_BITS | _PAGE_E)
+
+ #define __P000 PAGE_NONE
+-#define __P001 PAGE_READONLY
+-#define __P010 PAGE_COPY
+-#define __P011 PAGE_COPY
++#define __P001 PAGE_READONLY_NOEXEC
++#define __P010 PAGE_COPY_NOEXEC
++#define __P011 PAGE_COPY_NOEXEC
+ #define __P100 PAGE_READONLY
+ #define __P101 PAGE_READONLY
+ #define __P110 PAGE_COPY
+ #define __P111 PAGE_COPY
+
+ #define __S000 PAGE_NONE
+-#define __S001 PAGE_READONLY
+-#define __S010 PAGE_SHARED
+-#define __S011 PAGE_SHARED
++#define __S001 PAGE_READONLY_NOEXEC
++#define __S010 PAGE_SHARED_NOEXEC
++#define __S011 PAGE_SHARED_NOEXEC
+ #define __S100 PAGE_READONLY
+ #define __S101 PAGE_READONLY
+ #define __S110 PAGE_SHARED
+diff -uNr linux-2.6.6/include/asm-x86_64/a.out.h linux-2.6.6.fixed/include/asm-x86_64/a.out.h
+--- linux-2.6.6/include/asm-x86_64/a.out.h 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/a.out.h 2004-05-11 10:55:57.000000000 +0200
+@@ -21,7 +21,7 @@
+
+ #ifdef __KERNEL__
+ #include <linux/thread_info.h>
+-#define STACK_TOP (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE)
++#define __STACK_TOP (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE)
+ #endif
+
+ #endif /* __A_OUT_GNU_H__ */
+diff -uNr linux-2.6.6/include/asm-x86_64/elf.h linux-2.6.6.fixed/include/asm-x86_64/elf.h
+--- linux-2.6.6/include/asm-x86_64/elf.h 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/elf.h 2004-05-11 10:55:58.000000000 +0200
+@@ -89,6 +89,17 @@
+
+ #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
+
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE(tsk) (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
++
++#define PAX_DELTA_MMAP_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_MMAP_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#define PAX_DELTA_EXEC_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_EXEC_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#define PAX_DELTA_STACK_LSB(tsk) PAGE_SHIFT
++#define PAX_DELTA_STACK_LEN(tsk) (test_thread_flag(TIF_IA32) ? 16 : 24)
++#endif
++
+ /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
+ now struct_user_regs, they are different). Assumes current is the process
+ getting dumped. */
+diff -uNr linux-2.6.6/include/asm-x86_64/mman.h linux-2.6.6.fixed/include/asm-x86_64/mman.h
+--- linux-2.6.6/include/asm-x86_64/mman.h 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/mman.h 2004-05-11 10:55:58.000000000 +0200
+@@ -24,6 +24,10 @@
+ #define MAP_POPULATE 0x8000 /* populate (prefault) pagetables */
+ #define MAP_NONBLOCK 0x10000 /* do not block on IO */
+
++#ifdef CONFIG_PAX_RANDEXEC
++#define MAP_MIRROR 0x8000
++#endif
++
+ #define MS_ASYNC 1 /* sync memory asynchronously */
+ #define MS_INVALIDATE 2 /* invalidate the caches */
+ #define MS_SYNC 4 /* synchronous memory sync */
+diff -uNr linux-2.6.6/include/asm-x86_64/page.h linux-2.6.6.fixed/include/asm-x86_64/page.h
+--- linux-2.6.6/include/asm-x86_64/page.h 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/page.h 2004-05-11 10:55:58.000000000 +0200
+@@ -127,6 +127,16 @@
+
+ #define __VM_DATA_DEFAULT_FLAGS (VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++#define VM_DATA_DEFAULT_FLAGS __VM_DATA_DEFAULT_FLAGS
++#ifdef CONFIG_PAX_MPROTECT
++#define __VM_STACK_FLAGS (((current->flags & PF_PAX_MPROTECT)?0:VM_MAYEXEC) | \
++ ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#else
++#define __VM_STACK_FLAGS (VM_MAYEXEC | ((current->flags & PF_PAX_PAGEEXEC)?0:VM_EXEC))
++#endif
++#else
+ #define __VM_STACK_FLAGS (VM_GROWSDOWN | VM_READ | VM_WRITE | VM_EXEC | \
+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+
+@@ -137,6 +147,8 @@
+ #define VM_STACK_DEFAULT_FLAGS \
+ (test_thread_flag(TIF_IA32) ? vm_stack_flags32 : vm_stack_flags)
+
++#endif
++
+ #define CONFIG_ARCH_GATE_AREA 1
+
+ #ifndef __ASSEMBLY__
+diff -uNr linux-2.6.6/include/asm-x86_64/pgalloc.h linux-2.6.6.fixed/include/asm-x86_64/pgalloc.h
+--- linux-2.6.6/include/asm-x86_64/pgalloc.h 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/pgalloc.h 2004-05-11 10:55:58.000000000 +0200
+@@ -8,7 +8,7 @@
+ #include <linux/mm.h>
+
+ #define pmd_populate_kernel(mm, pmd, pte) \
+- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
+ #define pgd_populate(mm, pgd, pmd) \
+ set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pmd)))
+
+diff -uNr linux-2.6.6/include/asm-x86_64/pgtable.h linux-2.6.6.fixed/include/asm-x86_64/pgtable.h
+--- linux-2.6.6/include/asm-x86_64/pgtable.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/asm-x86_64/pgtable.h 2004-05-11 10:55:58.000000000 +0200
+@@ -170,6 +170,10 @@
+ #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+ #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
+ #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
++
++#define PAGE_READONLY_NOEXEC PAGE_READONLY
++#define PAGE_SHARED_NOEXEC PAGE_SHARED
++
+ #define __PAGE_KERNEL \
+ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
+ #define __PAGE_KERNEL_EXECUTABLE \
+diff -uNr linux-2.6.6/include/linux/a.out.h linux-2.6.6.fixed/include/linux/a.out.h
+--- linux-2.6.6/include/linux/a.out.h 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/a.out.h 2004-05-11 10:55:58.000000000 +0200
+@@ -7,6 +7,16 @@
+
+ #include <asm/a.out.h>
+
++#ifdef CONFIG_PAX_RANDUSTACK
++#define __DELTA_STACK (current->mm->delta_stack)
++#else
++#define __DELTA_STACK 0UL
++#endif
++
++#ifndef STACK_TOP
++#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
++#endif
++
+ #endif /* __STRUCT_EXEC_OVERRIDE__ */
+
+ /* these go in the N_MACHTYPE field */
+@@ -37,6 +47,14 @@
+ M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
+ };
+
++/* Constants for the N_FLAGS field */
++#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
++#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
++#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
++#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
++#define F_PAX_RANDEXEC 16 /* Randomize ET_EXEC base */
++#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
++
+ #if !defined (N_MAGIC)
+ #define N_MAGIC(exec) ((exec).a_info & 0xffff)
+ #endif
+diff -uNr linux-2.6.6/include/linux/binfmts.h linux-2.6.6.fixed/include/linux/binfmts.h
+--- linux-2.6.6/include/linux/binfmts.h 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/binfmts.h 2004-05-11 10:55:58.000000000 +0200
+@@ -36,6 +36,7 @@
+ of the time same as filename, but could be
+ different for binfmt_{misc,script} */
+ unsigned long loader, exec;
++ int misc;
+ };
+
+ /*
+@@ -71,5 +72,8 @@
+ extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
+ extern int set_binfmt(struct linux_binfmt *new);
+
++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
++void pax_report_insns(void *pc, void *sp);
++
+ #endif /* __KERNEL__ */
+ #endif /* _LINUX_BINFMTS_H */
+diff -uNr linux-2.6.6/include/linux/elf.h linux-2.6.6.fixed/include/linux/elf.h
+--- linux-2.6.6/include/linux/elf.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/elf.h 2004-05-11 10:55:58.000000000 +0200
+@@ -37,6 +37,17 @@
+
+ #define PT_GNU_STACK (PT_LOOS + 0x474e551)
+
++#define PT_GNU_STACK (PT_LOOS + 0x474e551)
++#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
++
++/* Constants for the e_flags field */
++#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
++#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
++#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
++#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
++#define EF_PAX_RANDEXEC 16 /* Randomize ET_EXEC base */
++#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
++
+ /* These constants define the different elf file types */
+ #define ET_NONE 0
+ #define ET_REL 1
+@@ -123,6 +134,8 @@
+ #define DT_DEBUG 21
+ #define DT_TEXTREL 22
+ #define DT_JMPREL 23
++#define DT_FLAGS 30
++ #define DF_TEXTREL 0x00000004
+ #define DT_LOPROC 0x70000000
+ #define DT_HIPROC 0x7fffffff
+
+@@ -273,6 +286,19 @@
+ #define PF_W 0x2
+ #define PF_X 0x1
+
++#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
++#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
++#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
++#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
++#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
++#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
++#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
++#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
++#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
++#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
++#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
++#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
++
+ typedef struct elf32_phdr{
+ Elf32_Word p_type;
+ Elf32_Off p_offset;
+@@ -365,6 +391,8 @@
+ #define EI_OSABI 7
+ #define EI_PAD 8
+
++#define EI_PAX 14
++
+ #define ELFMAG0 0x7f /* EI_MAG */
+ #define ELFMAG1 'E'
+ #define ELFMAG2 'L'
+@@ -421,6 +449,7 @@
+ #define elfhdr elf32_hdr
+ #define elf_phdr elf32_phdr
+ #define elf_note elf32_note
++#define elf_dyn Elf32_Dyn
+
+ #else
+
+@@ -428,6 +457,7 @@
+ #define elfhdr elf64_hdr
+ #define elf_phdr elf64_phdr
+ #define elf_note elf64_note
++#define elf_dyn Elf64_Dyn
+
+ #endif
+
+diff -uNr linux-2.6.6/include/linux/fs.h linux-2.6.6.fixed/include/linux/fs.h
+--- linux-2.6.6/include/linux/fs.h 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/fs.h 2004-05-11 10:55:58.000000000 +0200
+@@ -1187,7 +1187,7 @@
+
+ /* fs/open.c */
+
+-extern int do_truncate(struct dentry *, loff_t start);
++extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *);
+ extern struct file *filp_open(const char *, int, int);
+ extern struct file * dentry_open(struct dentry *, struct vfsmount *, int);
+ extern int filp_close(struct file *, fl_owner_t id);
+diff -uNr linux-2.6.6/include/linux/gracl.h linux-2.6.6.fixed/include/linux/gracl.h
+--- linux-2.6.6/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/gracl.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,246 @@
++#ifndef GR_ACL_H
++#define GR_ACL_H
++#endif
++#include <linux/grdefs.h>
++#include <linux/resource.h>
++#include <linux/dcache.h>
++#include <asm/resource.h>
++
++/* * * * * * * * * * * * * * * * * * * * *
++ * grsecurity ACL System
++ * Main header file
++ * Purpose: define most gracl data structures
++ * * * * * * * * * * * * * * * * * * * * */
++
++/* Major status information */
++
++#define GR_VERSION "grsecurity 2.0"
++
++enum {
++
++ SHUTDOWN = 0,
++ ENABLE = 1,
++ SPROLE = 2,
++ RELOAD = 3,
++ SEGVMOD = 4,
++ STATUS = 5,
++ UNSPROLE = 6
++};
++
++/* Password setup definitions
++ * kernel/grhash.c */
++enum {
++ GR_PW_LEN = 128,
++ GR_SALT_LEN = 16,
++ GR_SHA_LEN = 32,
++};
++
++enum {
++ GR_SPROLE_LEN = 64,
++};
++
++/* Begin Data Structures */
++
++struct sprole_pw {
++ unsigned char *rolename;
++ unsigned char salt[GR_SALT_LEN];
++ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
++};
++
++struct name_entry {
++ ino_t inode;
++ dev_t device;
++ char *name;
++ __u16 len;
++};
++
++struct acl_role_db {
++ struct acl_role_label **r_hash;
++ __u32 r_size;
++};
++
++struct name_db {
++ struct name_entry **n_hash;
++ __u32 n_size;
++};
++
++struct crash_uid {
++ uid_t uid;
++ unsigned long expires;
++};
++
++struct gr_hash_struct {
++ void **table;
++ void **nametable;
++ void *first;
++ __u32 table_size;
++ __u32 used_size;
++ int type;
++};
++
++/* Userspace Grsecurity ACL data structures */
++struct acl_subject_label {
++ char *filename;
++ ino_t inode;
++ dev_t device;
++ __u32 mode;
++ __u32 cap_mask;
++ __u32 cap_lower;
++
++ struct rlimit res[RLIM_NLIMITS + 1];
++ __u16 resmask;
++
++ __u8 user_trans_type;
++ __u8 group_trans_type;
++ uid_t *user_transitions;
++ gid_t *group_transitions;
++ __u16 user_trans_num;
++ __u16 group_trans_num;
++
++ __u32 ip_proto[8];
++ __u32 ip_type;
++ struct acl_ip_label **ips;
++ __u32 ip_num;
++
++ __u32 crashes;
++ unsigned long expires;
++
++ struct acl_subject_label *parent_subject;
++ struct gr_hash_struct *hash;
++ struct acl_ip_label *ip_object;
++ struct acl_subject_label *prev;
++ struct acl_subject_label *next;
++
++ struct acl_object_label **obj_hash;
++ __u32 obj_hash_size;
++};
++
++struct role_allowed_ip {
++ __u32 addr;
++ __u32 netmask;
++
++ struct role_allowed_ip *prev;
++ struct role_allowed_ip *next;
++};
++
++struct role_transition {
++ char *rolename;
++
++ struct role_transition *prev;
++ struct role_transition *next;
++};
++
++struct acl_role_label {
++ char *rolename;
++ uid_t uidgid;
++ __u16 roletype;
++
++ __u16 auth_attempts;
++ unsigned long expires;
++
++ struct acl_subject_label *root_label;
++ struct gr_hash_struct *hash;
++
++ struct acl_role_label *prev;
++ struct acl_role_label *next;
++
++ struct role_transition *transitions;
++ struct role_allowed_ip *allowed_ips;
++ struct acl_subject_label **subj_hash;
++ __u32 subj_hash_size;
++};
++
++struct user_acl_role_db {
++ struct acl_role_label **r_table;
++ __u32 r_entries; /* number of entries in table */
++ __u32 s_entries; /* total number of subject acls */
++ __u32 i_entries; /* total number of ip acls */
++ __u32 o_entries; /* Total number of object acls */
++ __u32 g_entries; /* total number of globbed objects */
++ __u32 a_entries; /* total number of allowed ips */
++ __u32 t_entries; /* total number of transitions */
++};
++
++struct acl_object_label {
++ char *filename;
++ ino_t inode;
++ dev_t device;
++ __u32 mode;
++
++ struct acl_subject_label *nested;
++ struct acl_object_label *globbed;
++
++ /* next two structures not used */
++
++ struct acl_object_label *prev;
++ struct acl_object_label *next;
++};
++
++struct acl_ip_label {
++ __u32 addr;
++ __u32 netmask;
++ __u16 low, high;
++ __u8 mode;
++ __u32 type;
++ __u32 proto[8];
++
++ /* next two structures not used */
++
++ struct acl_ip_label *prev;
++ struct acl_ip_label *next;
++};
++
++struct gr_arg {
++ struct user_acl_role_db role_db;
++ unsigned char pw[GR_PW_LEN];
++ unsigned char salt[GR_SALT_LEN];
++ unsigned char sum[GR_SHA_LEN];
++ unsigned char sp_role[GR_SPROLE_LEN];
++ struct sprole_pw *sprole_pws;
++ dev_t segv_device;
++ ino_t segv_inode;
++ uid_t segv_uid;
++ __u16 num_sprole_pws;
++ __u16 mode;
++};
++
++struct subject_map {
++ struct acl_subject_label *user;
++ struct acl_subject_label *kernel;
++};
++
++struct acl_subj_map_db {
++ struct subject_map **s_hash;
++ __u32 s_size;
++};
++
++/* End Data Structures Section */
++
++/* Hash functions generated by empirical testing by Brad Spengler
++ Makes good use of the low bits of the inode. Generally 0-1 times
++ in loop for successful match. 0-3 for unsuccessful match.
++ Shift/add algorithm with modulus of table size and an XOR*/
++
++static __inline__ unsigned long
++rhash(const uid_t uid, const __u16 type, const unsigned long sz)
++{
++ return (((uid << type) + (uid ^ type)) % sz);
++}
++
++ static __inline__ unsigned long
++shash(const struct acl_subject_label *userp, const unsigned long sz)
++{
++ return ((const unsigned long)userp % sz);
++}
++
++static __inline__ unsigned long
++fhash(const ino_t ino, const dev_t dev, const unsigned long sz)
++{
++ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
++}
++
++static __inline__ unsigned long
++nhash(const char *name, const __u16 len, const unsigned long sz)
++{
++ return full_name_hash(name, len) % sz;
++}
+diff -uNr linux-2.6.6/include/linux/gralloc.h linux-2.6.6.fixed/include/linux/gralloc.h
+--- linux-2.6.6/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/gralloc.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,8 @@
++#ifndef __GRALLOC_H
++#define __GRALLOC_H
++
++void acl_free_all(void);
++int acl_alloc_stack_init(unsigned long size);
++void *acl_alloc(unsigned long len);
++
++#endif
+diff -uNr linux-2.6.6/include/linux/grdefs.h linux-2.6.6.fixed/include/linux/grdefs.h
+--- linux-2.6.6/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/grdefs.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,116 @@
++#ifndef GRDEFS_H
++#define GRDEFS_H
++
++/* Begin grsecurity status declarations */
++
++enum {
++ GR_READY = 0x01,
++ GR_STATUS_INIT = 0x00 // disabled state
++};
++
++/* Begin ACL declarations */
++
++/* Role flags */
++
++enum {
++ GR_ROLE_USER = 0x0001,
++ GR_ROLE_GROUP = 0x0002,
++ GR_ROLE_DEFAULT = 0x0004,
++ GR_ROLE_SPECIAL = 0x0008,
++ GR_ROLE_AUTH = 0x0010,
++ GR_ROLE_NOPW = 0x0020,
++ GR_ROLE_GOD = 0x0040,
++ GR_ROLE_LEARN = 0x0080,
++ GR_ROLE_TPE = 0x0100
++};
++
++/* ACL Subject and Object mode flags */
++enum {
++ GR_DELETED = 0x00000080
++};
++
++/* ACL Object-only mode flags */
++enum {
++ GR_READ = 0x00000001,
++ GR_APPEND = 0x00000002,
++ GR_WRITE = 0x00000004,
++ GR_EXEC = 0x00000008,
++ GR_FIND = 0x00000010,
++ GR_INHERIT = 0x00000040,
++ GR_PTRACERD = 0x00000100,
++ GR_SETID = 0x00000200,
++ GR_CREATE = 0x00000400,
++ GR_DELETE = 0x00000800,
++ GR_NOPTRACE = 0x00001000,
++ GR_AUDIT_READ = 0x00002000,
++ GR_AUDIT_APPEND = 0x00004000,
++ GR_AUDIT_WRITE = 0x00008000,
++ GR_AUDIT_EXEC = 0x00010000,
++ GR_AUDIT_FIND = 0x00020000,
++ GR_AUDIT_INHERIT= 0x00040000,
++ GR_AUDIT_SETID = 0x00080000,
++ GR_AUDIT_CREATE = 0x00100000,
++ GR_AUDIT_DELETE = 0x00200000,
++ GR_SUPPRESS = 0x00400000,
++ GR_NOLEARN = 0x00800000
++};
++
++#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
++ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
++ GR_AUDIT_CREATE | GR_AUDIT_DELETE)
++
++/* ACL subject-only mode flags */
++enum {
++ GR_KILL = 0x00000001,
++ GR_VIEW = 0x00000002,
++ GR_PROTECTED = 0x00000100,
++ GR_LEARN = 0x00000200,
++ GR_OVERRIDE = 0x00000400,
++ /* just a placeholder, this mode is only used in userspace */
++ GR_DUMMY = 0x00000800,
++ GR_PAXPAGE = 0x00001000,
++ GR_PAXSEGM = 0x00002000,
++ GR_PAXGCC = 0x00004000,
++ GR_PAXRANDMMAP = 0x00008000,
++ GR_PAXRANDEXEC = 0x00010000,
++ GR_PAXMPROTECT = 0x00020000,
++ GR_PROTSHM = 0x00040000,
++ GR_KILLPROC = 0x00080000,
++ GR_KILLIPPROC = 0x00100000,
++ /* just a placeholder, this mode is only used in userspace */
++ GR_NOTROJAN = 0x00200000,
++ GR_PROTPROCFD = 0x00400000,
++ GR_PROCACCT = 0x00800000,
++ GR_RELAXPTRACE = 0x01000000,
++ GR_NESTED = 0x02000000
++};
++
++enum {
++ GR_ID_USER = 0x01,
++ GR_ID_GROUP = 0x02,
++};
++
++enum {
++ GR_ID_ALLOW = 0x01,
++ GR_ID_DENY = 0x02,
++};
++
++#define GR_CRASH_RES 11
++#define GR_UIDTABLE_MAX 500
++
++/* begin resource learning section */
++enum {
++ GR_RLIM_CPU_BUMP = 60,
++ GR_RLIM_FSIZE_BUMP = 50000,
++ GR_RLIM_DATA_BUMP = 10000,
++ GR_RLIM_STACK_BUMP = 1000,
++ GR_RLIM_CORE_BUMP = 10000,
++ GR_RLIM_RSS_BUMP = 500000,
++ GR_RLIM_NPROC_BUMP = 1,
++ GR_RLIM_NOFILE_BUMP = 5,
++ GR_RLIM_MEMLOCK_BUMP = 50000,
++ GR_RLIM_AS_BUMP = 500000,
++ GR_RLIM_LOCKS_BUMP = 2
++};
++
++#endif
+diff -uNr linux-2.6.6/include/linux/grinternal.h linux-2.6.6.fixed/include/linux/grinternal.h
+--- linux-2.6.6/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/grinternal.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,201 @@
++#ifndef __GRINTERNAL_H
++#define __GRINTERNAL_H
++
++#ifdef CONFIG_GRKERNSEC
++
++#include <linux/fs.h>
++#include <linux/grdefs.h>
++#include <linux/grmsg.h>
++
++extern void gr_add_learn_entry(const char *fmt, ...);
++extern __u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
++ const struct vfsmount *mnt);
++extern __u32 gr_check_create(const struct dentry *new_dentry,
++ const struct dentry *parent,
++ const struct vfsmount *mnt, const __u32 mode);
++extern int gr_check_protected_task(const struct task_struct *task);
++extern __u32 to_gr_audit(const __u32 reqmode);
++extern int gr_set_acls(const int type);
++
++extern void gr_handle_alertkill(void);
++extern char *gr_to_filename(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern char *gr_to_filename1(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern char *gr_to_filename2(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern char *gr_to_filename3(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++
++extern int grsec_enable_link;
++extern int grsec_enable_fifo;
++extern int grsec_enable_execve;
++extern int grsec_enable_forkbomb;
++extern int grsec_forkbomb_gid;
++extern int grsec_forkbomb_sec;
++extern int grsec_forkbomb_max;
++extern int grsec_enable_execlog;
++extern int grsec_enable_signal;
++extern int grsec_enable_forkfail;
++extern int grsec_enable_time;
++extern int grsec_enable_chroot_shmat;
++extern int grsec_enable_chroot_findtask;
++extern int grsec_enable_chroot_mount;
++extern int grsec_enable_chroot_double;
++extern int grsec_enable_chroot_pivot;
++extern int grsec_enable_chroot_chdir;
++extern int grsec_enable_chroot_chmod;
++extern int grsec_enable_chroot_mknod;
++extern int grsec_enable_chroot_fchdir;
++extern int grsec_enable_chroot_nice;
++extern int grsec_enable_chroot_execlog;
++extern int grsec_enable_chroot_caps;
++extern int grsec_enable_chroot_sysctl;
++extern int grsec_enable_chroot_unix;
++extern int grsec_enable_tpe;
++extern int grsec_tpe_gid;
++extern int grsec_enable_tpe_all;
++extern int grsec_enable_sidcaps;
++extern int grsec_enable_randpid;
++extern int grsec_enable_socket_all;
++extern int grsec_socket_all_gid;
++extern int grsec_enable_socket_client;
++extern int grsec_socket_client_gid;
++extern int grsec_enable_socket_server;
++extern int grsec_socket_server_gid;
++extern int grsec_audit_gid;
++extern int grsec_enable_group;
++extern int grsec_enable_audit_ipc;
++extern int grsec_enable_audit_textrel;
++extern int grsec_enable_mount;
++extern int grsec_enable_chdir;
++extern int grsec_lock;
++
++extern struct task_struct *child_reaper;
++
++extern spinlock_t grsec_alert_lock;
++extern unsigned long grsec_alert_wtime;
++extern unsigned long grsec_alert_fyet;
++
++extern spinlock_t grsec_alertgood_lock;
++extern unsigned long grsec_alertgood_wtime;
++extern unsigned long grsec_alertgood_fyet;
++
++extern spinlock_t grsec_audit_lock;
++
++#define gr_task_fullpath(tsk) (tsk->exec_file ? \
++ gr_to_filename2(tsk->exec_file->f_dentry, \
++ tsk->exec_file->f_vfsmnt) : "/")
++
++#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
++ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
++ tsk->parent->exec_file->f_vfsmnt) : "/")
++
++#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
++ gr_to_filename(tsk->exec_file->f_dentry, \
++ tsk->exec_file->f_vfsmnt) : "/")
++
++#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
++ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
++ tsk->parent->exec_file->f_vfsmnt) : "/")
++
++#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && \
++ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
++ child_reaper->fs->root->d_inode->i_sb->s_dev) || \
++ (tsk_a->fs->root->d_inode->i_ino != \
++ child_reaper->fs->root->d_inode->i_ino)))
++
++#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_sb->s_dev == \
++ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
++ (tsk_a->fs->root->d_inode->i_ino == \
++ tsk_b->fs->root->d_inode->i_ino))
++
++#define DEFAULTSECARGS gr_task_fullpath(current), current->comm, \
++ current->pid, current->uid, \
++ current->euid, current->gid, current->egid, \
++ gr_parent_task_fullpath(current), \
++ current->parent->comm, current->parent->pid, \
++ current->parent->uid, current->parent->euid, \
++ current->parent->gid, current->parent->egid
++
++#define GR_CHROOT_CAPS ( \
++ CAP_TO_MASK(CAP_FOWNER) | \
++ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
++ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
++ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
++ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
++ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
++ CAP_TO_MASK(CAP_IPC_OWNER))
++
++#define security_alert_good(normal_msg,args...) \
++({ \
++ spin_lock(&grsec_alertgood_lock); \
++ \
++ if (!grsec_alertgood_wtime || get_seconds() - grsec_alertgood_wtime > CONFIG_GRKERNSEC_FLOODTIME) { \
++ grsec_alertgood_wtime = get_seconds(); grsec_alertgood_fyet = 0; \
++ if (current->curr_ip) \
++ printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
++ else \
++ printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
++ } else if((get_seconds() - grsec_alertgood_wtime < CONFIG_GRKERNSEC_FLOODTIME) && (grsec_alertgood_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
++ grsec_alertgood_fyet++; \
++ if (current->curr_ip) \
++ printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
++ else \
++ printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
++ } else if (grsec_alertgood_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
++ grsec_alertgood_wtime = get_seconds(); grsec_alertgood_fyet++; \
++ printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
++ "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
++ } \
++ \
++ spin_unlock(&grsec_alertgood_lock); \
++})
++
++#define security_alert(normal_msg,args...) \
++({ \
++ spin_lock(&grsec_alert_lock); \
++ \
++ if (!grsec_alert_wtime || get_seconds() - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME) { \
++ grsec_alert_wtime = get_seconds(); grsec_alert_fyet = 0; \
++ if (current->curr_ip) \
++ printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
++ else \
++ printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
++ } else if((get_seconds() - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
++ grsec_alert_fyet++; \
++ if (current->curr_ip) \
++ printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
++ else \
++ printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
++ grsec_alert_wtime = get_seconds(); grsec_alert_fyet++; \
++ printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
++ "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
++ } \
++ \
++ gr_handle_alertkill(); \
++ spin_unlock(&grsec_alert_lock); \
++})
++
++#define security_audit(normal_msg,args...) \
++({ \
++ spin_lock(&grsec_audit_lock); \
++ if (current->curr_ip) \
++ printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \
++ NIPQUAD(current->curr_ip) , ## args); \
++ else \
++ printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \
++ spin_unlock(&grsec_audit_lock); \
++})
++
++#define security_learn(normal_msg,args...) \
++({ \
++ preempt_disable(); \
++ gr_add_learn_entry(normal_msg "\n", ## args); \
++ preempt_enable(); \
++})
++
++#endif
++
++#endif
+diff -uNr linux-2.6.6/include/linux/grmsg.h linux-2.6.6.fixed/include/linux/grmsg.h
+--- linux-2.6.6/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/grmsg.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,108 @@
++#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d, parent %.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d"
++#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d"
++#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " DEFAULTSECMSG
++#define GR_IOPERM_MSG "denied use of ioperm() by " DEFAULTSECMSG
++#define GR_IOPL_MSG "denied use of iopl() by " DEFAULTSECMSG
++#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by " DEFAULTSECMSG
++#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG
++#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG
++#define GR_KMEM_MSG "attempted write to /dev/kmem by " DEFAULTSECMSG
++#define GR_PORT_OPEN_MSG "attempted open of /dev/port by " DEFAULTSECMSG
++#define GR_MEM_WRITE_MSG "attempted write of /dev/mem by " DEFAULTSECMSG
++#define GR_MEM_MMAP_MSG "attempted mmap write of /dev/[k]mem by " DEFAULTSECMSG
++#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by " DEFAULTSECMSG
++#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
++#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by " DEFAULTSECMSG
++#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " DEFAULTSECMSG
++#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by " DEFAULTSECMSG
++#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by " DEFAULTSECMSG
++#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG
++#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by " DEFAULTSECMSG
++#define GR_UNIXCONNECT_ACL_MSG "%s connect to the unix domain socket %.950s by " DEFAULTSECMSG
++#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by " DEFAULTSECMSG
++#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by " DEFAULTSECMSG
++#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by " DEFAULTSECMSG
++#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by " DEFAULTSECMSG
++#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for " DEFAULTSECMSG
++#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by " DEFAULTSECMSG
++#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by " DEFAULTSECMSG
++#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by " DEFAULTSECMSG
++#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " DEFAULTSECMSG
++#define GR_NPROC_MSG "attempt to overstep process limit by " DEFAULTSECMSG
++#define GR_EXEC_ACL_MSG "%s execution of %.950s by " DEFAULTSECMSG
++#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG
++#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning uid %u from login for %lu seconds"
++#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning execution for %lu seconds"
++#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG
++#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG
++#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by " DEFAULTSECMSG
++#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " DEFAULTSECMSG
++#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " DEFAULTSECMSG
++#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG
++#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by " DEFAULTSECMSG
++#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG
++#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " DEFAULTSECMSG
++#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG
++#define GR_CHOWN_ACL_MSG "%s chown of %.950s by " DEFAULTSECMSG
++#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by " DEFAULTSECMSG
++#define GR_INITF_ACL_MSG "init_variables() failed %s"
++#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
++#define GR_DEV_ACL_MSG "/dev/grsec: being fed garbage %d bytes sent %d required"
++#define GR_SHUTS_ACL_MSG "shutdown auth success for " DEFAULTSECMSG
++#define GR_SHUTF_ACL_MSG "shutdown auth failure for " DEFAULTSECMSG
++#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for " DEFAULTSECMSG
++#define GR_SEGVMODS_ACL_MSG "segvmod auth success for " DEFAULTSECMSG
++#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for " DEFAULTSECMSG
++#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for " DEFAULTSECMSG
++#define GR_ENABLE_ACL_MSG "Loaded %s"
++#define GR_ENABLEF_ACL_MSG "Unable to load %s for " DEFAULTSECMSG " RBAC system may already be enabled."
++#define GR_RELOADI_ACL_MSG "Ignoring reload request for disabled RBAC system"
++#define GR_RELOAD_ACL_MSG "Reloaded %s"
++#define GR_RELOADF_ACL_MSG "Failed reload of %s for " DEFAULTSECMSG
++#define GR_SPROLEI_ACL_MSG "Ignoring change to special role for disabled RBAC system for " DEFAULTSECMSG
++#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by " DEFAULTSECMSG
++#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by " DEFAULTSECMSG
++#define GR_SPROLEF_ACL_MSG "special role %s failure for " DEFAULTSECMSG
++#define GR_UNSPROLEI_ACL_MSG "Ignoring unauth of special role for disabled RBAC system for " DEFAULTSECMSG
++#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by " DEFAULTSECMSG
++#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for " DEFAULTSECMSG
++#define GR_INVMODE_ACL_MSG "Invalid mode %d by " DEFAULTSECMSG
++#define GR_MAXPW_ACL_MSG "Maximum pw attempts reached (%d), locking password authentication"
++#define GR_MAXROLEPW_ACL_MSG "Maximum pw attempts reached (%d) trying to auth to special role %s, locking auth for role of " DEFAULTSECMSG
++#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG
++#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG
++#define GR_FAILFORK_MSG "failed fork with errno %d by " DEFAULTSECMSG
++#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG
++#define GR_UNISIGLOG_MSG "signal %d sent to " DEFAULTSECMSG
++#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by " DEFAULTSECMSG
++#define GR_SIG_ACL_MSG "Attempted send of signal %d to protected task " DEFAULTSECMSG " by " DEFAULTSECMSG
++#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG
++#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by " DEFAULTSECMSG
++#define GR_TIME_MSG "time set by " DEFAULTSECMSG
++#define GR_DEFACL_MSG "Fatal: Unable to find ACL for (%.16s:%d)"
++#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " DEFAULTSECMSG
++#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " DEFAULTSECMSG
++#define GR_SOCK_MSG "attempted socket(%.16s,%.16s,%.16s) by " DEFAULTSECMSG
++#define GR_SOCK2_MSG "attempted socket(%d,%.16s,%.16s) by " DEFAULTSECMSG
++#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG
++#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG
++#define GR_BIND_ACL_MSG "attempted bind to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG
++#define GR_CONNECT_ACL_MSG "attempted connect to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG
++#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
++#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG
++#define GR_CAP_ACL_MSG "use of %s denied for " DEFAULTSECMSG
++#define GR_USRCHANGE_ACL_MSG "change to uid %d denied for " DEFAULTSECMSG
++#define GR_GRPCHANGE_ACL_MSG "change to gid %d denied for " DEFAULTSECMSG
++#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by " DEFAULTSECMSG
++#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by " DEFAULTSECMSG
++#define GR_MOUNT_AUDIT_MSG "mount %.30s to %.64s by " DEFAULTSECMSG
++#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by " DEFAULTSECMSG
++#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.63s) by " DEFAULTSECMSG
++#define GR_MSGQ_AUDIT_MSG "message queue created by " DEFAULTSECMSG
++#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by " DEFAULTSECMSG
++#define GR_SEM_AUDIT_MSG "semaphore created by " DEFAULTSECMSG
++#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG
++#define GR_SHM_AUDIT_MSG "shared memory of size %d created by " DEFAULTSECMSG
++#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG
++#define GR_RESOURCE_MSG "attempted resource overstep by requesting %lu for %.16s against limit %lu by " DEFAULTSECMSG
++#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by " DEFAULTSECMSG
+diff -uNr linux-2.6.6/include/linux/grsecurity.h linux-2.6.6.fixed/include/linux/grsecurity.h
+--- linux-2.6.6/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/include/linux/grsecurity.h 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,188 @@
++#ifndef GR_SECURITY_H
++#define GR_SECURITY_H
++#include <linux/fs.h>
++#include <linux/binfmts.h>
++
++extern int gr_check_user_change(int real, int effective, int fs);
++extern int gr_check_group_change(int real, int effective, int fs);
++
++extern void gr_add_to_task_ip_table(struct task_struct *p);
++extern void gr_del_task_from_ip_table(struct task_struct *p);
++
++extern int gr_pid_is_chrooted(const struct task_struct *p);
++extern int gr_handle_chroot_nice(void);
++extern int gr_handle_chroot_sysctl(const int op);
++extern int gr_handle_chroot_capset(const struct task_struct *target);
++extern int gr_handle_chroot_setpriority(struct task_struct *p,
++ const int niceval);
++extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
++extern int gr_handle_chroot_chroot(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern void gr_handle_chroot_caps(struct task_struct *task);
++extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
++extern int gr_handle_chroot_chmod(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int mode);
++extern int gr_handle_chroot_mknod(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int mode);
++extern int gr_handle_chroot_mount(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ const char *dev_name);
++extern int gr_handle_chroot_pivot(void);
++extern int gr_handle_chroot_unix(const pid_t pid);
++
++extern int gr_handle_rawio(const struct inode *inode);
++extern int gr_handle_nproc(void);
++
++extern void gr_handle_ioperm(void);
++extern void gr_handle_iopl(void);
++
++extern int gr_tpe_allow(const struct file *file);
++
++extern int gr_random_pid(void);
++
++extern void gr_log_forkfail(const int retval);
++extern void gr_log_timechange(void);
++extern void gr_log_signal(const int sig, const struct task_struct *t);
++extern void gr_log_chdir(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern void gr_log_chroot_exec(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
++extern void gr_log_remount(const char *devname, const int retval);
++extern void gr_log_unmount(const char *devname, const int retval);
++extern void gr_log_mount(const char *from, const char *to, const int retval);
++extern void gr_log_msgget(const int ret, const int msgflg);
++extern void gr_log_msgrm(const uid_t uid, const uid_t cuid);
++extern void gr_log_semget(const int err, const int semflg);
++extern void gr_log_semrm(const uid_t uid, const uid_t cuid);
++extern void gr_log_shmget(const int err, const int shmflg, const size_t size);
++extern void gr_log_shmrm(const uid_t uid, const uid_t cuid);
++extern void gr_log_textrel(struct vm_area_struct *vma);
++
++extern int gr_handle_follow_link(const struct inode *parent,
++ const struct inode *inode,
++ const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern int gr_handle_fifo(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ const struct dentry *dir, const int flag,
++ const int acc_mode);
++extern int gr_handle_hardlink(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ struct inode *inode,
++ const int mode, const char *to);
++
++extern int gr_task_is_capable(struct task_struct *task, const int cap);
++extern int gr_is_capable_nolog(const int cap);
++extern void gr_learn_resource(const struct task_struct *task, const int limit,
++ const unsigned long wanted, const int gt);
++extern void gr_copy_label(struct task_struct *tsk);
++extern void gr_handle_crash(struct task_struct *task, const int sig);
++extern int gr_handle_signal(const struct task_struct *p, const int sig);
++extern int gr_check_crash_uid(const uid_t uid);
++extern int gr_check_protected_task(const struct task_struct *task);
++extern int gr_acl_handle_mmap(const struct file *file,
++ const unsigned long prot);
++extern int gr_acl_handle_mprotect(const struct file *file,
++ const unsigned long prot);
++extern int gr_check_hidden_task(const struct task_struct *tsk);
++extern __u32 gr_acl_handle_truncate(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_utime(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_access(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int fmode);
++extern __u32 gr_acl_handle_fchmod(const struct dentry *dentry,
++ const struct vfsmount *mnt, mode_t mode);
++extern __u32 gr_acl_handle_chmod(const struct dentry *dentry,
++ const struct vfsmount *mnt, mode_t mode);
++extern __u32 gr_acl_handle_chown(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern int gr_handle_ptrace_exec(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern int gr_handle_ptrace(struct task_struct *task, const long request);
++extern int gr_handle_proc_ptrace(struct task_struct *task);
++extern int gr_handle_mmap(const struct file *filp, const unsigned long prot);
++extern __u32 gr_acl_handle_execve(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern int gr_check_crash_exec(const struct file *filp);
++extern int gr_acl_is_enabled(void);
++extern void gr_set_kernel_label(struct task_struct *task);
++extern void gr_set_role_label(struct task_struct *task, const uid_t uid,
++ const gid_t gid);
++extern void gr_set_proc_label(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_open(const struct dentry *dentry,
++ const struct vfsmount *mnt, const int fmode);
++extern __u32 gr_acl_handle_creat(const struct dentry *dentry,
++ const struct dentry *p_dentry,
++ const struct vfsmount *p_mnt, const int fmode,
++ const int imode);
++extern void gr_handle_create(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ const int mode);
++extern __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt);
++extern __u32 gr_acl_handle_rmdir(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern void gr_handle_delete(const ino_t ino, const dev_t dev);
++extern __u32 gr_acl_handle_unlink(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern __u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ const char *from);
++extern __u32 gr_acl_handle_link(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ const struct dentry *old_dentry,
++ const struct vfsmount *old_mnt, const char *to);
++extern int gr_acl_handle_rename(struct dentry *new_dentry,
++ struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ struct dentry *old_dentry,
++ struct inode *old_parent_inode,
++ struct vfsmount *old_mnt, const char *newname);
++extern void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
++ struct dentry *old_dentry,
++ struct dentry *new_dentry,
++ struct vfsmount *mnt, const __u8 replace);
++extern __u32 gr_check_link(const struct dentry *new_dentry,
++ const struct dentry *parent_dentry,
++ const struct vfsmount *parent_mnt,
++ const struct dentry *old_dentry,
++ const struct vfsmount *old_mnt);
++extern __u32 gr_acl_handle_filldir(const struct dentry *dentry,
++ const struct vfsmount *mnt, const ino_t ino);
++extern __u32 gr_acl_handle_unix(const struct dentry *dentry,
++ const struct vfsmount *mnt);
++extern void gr_acl_handle_exit(void);
++extern void gr_acl_handle_psacct(struct task_struct *task, const long code);
++extern int gr_acl_handle_procpidmem(const struct task_struct *task);
++extern __u32 gr_cap_rtnetlink(void);
++
++#ifdef CONFIG_GRKERNSEC
++extern void gr_handle_mem_write(void);
++extern void gr_handle_kmem_write(void);
++extern void gr_handle_open_port(void);
++extern int gr_handle_mem_mmap(const unsigned long offset,
++ struct vm_area_struct *vma);
++
++extern __u16 ip_randomid(void);
++extern __u32 ip_randomisn(void);
++extern unsigned long get_random_long(void);
++
++extern int grsec_enable_dmesg;
++extern int grsec_enable_randid;
++extern int grsec_enable_randisn;
++extern int grsec_enable_randsrc;
++extern int grsec_enable_randrpc;
++#endif
++
++#endif
+diff -uNr linux-2.6.6/include/linux/mman.h linux-2.6.6.fixed/include/linux/mman.h
+--- linux-2.6.6/include/linux/mman.h 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/mman.h 2004-05-11 10:55:58.000000000 +0200
+@@ -56,6 +56,11 @@
+ calc_vm_flag_bits(unsigned long flags)
+ {
+ return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) |
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ _calc_vm_trans(flags, MAP_MIRROR, VM_MIRROR) |
++#endif
++
+ _calc_vm_trans(flags, MAP_DENYWRITE, VM_DENYWRITE ) |
+ _calc_vm_trans(flags, MAP_EXECUTABLE, VM_EXECUTABLE) |
+ _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED );
+diff -uNr linux-2.6.6/include/linux/mm.h linux-2.6.6.fixed/include/linux/mm.h
+--- linux-2.6.6/include/linux/mm.h 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/mm.h 2004-05-11 10:55:58.000000000 +0200
+@@ -25,6 +25,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+ #include <asm/atomic.h>
++#include <asm/mman.h>
+
+ #ifndef MM_VM_SIZE
+ #define MM_VM_SIZE(mm) TASK_SIZE
+@@ -115,6 +116,18 @@
+ /* It makes sense to apply VM_ACCOUNT to this vma. */
+ #define VM_MAYACCT(vma) (!!((vma)->vm_flags & VM_HUGETLB))
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++#define VM_MIRROR 0x01000000 /* vma is mirroring another */
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++#define VM_MAYNOTWRITE 0x02000000 /* vma cannot be granted VM_WRITE any more */
++#endif
++
++#ifdef __VM_STACK_FLAGS
++#define VM_STACK_DEFAULT_FLAGS (0x00000033 | __VM_STACK_FLAGS)
++#endif
++
+ #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
+ #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
+ #endif
+@@ -552,6 +565,10 @@
+ unsigned long len, unsigned long prot,
+ unsigned long flag, unsigned long pgoff);
+
++extern unsigned long __do_mmap_pgoff(struct file *file, unsigned long addr,
++ unsigned long len, unsigned long prot,
++ unsigned long flag, unsigned long pgoff);
++
+ static inline unsigned long do_mmap(struct file *file, unsigned long addr,
+ unsigned long len, unsigned long prot,
+ unsigned long flag, unsigned long offset)
+@@ -582,6 +599,12 @@
+ static inline int
+ can_vma_merge(struct vm_area_struct *vma, unsigned long vm_flags)
+ {
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if ((vma->vm_flags | vm_flags) & VM_MIRROR)
++ return 0;
++#endif
++
+ #ifdef CONFIG_MMU
+ if (!vma->vm_file && vma->vm_flags == vm_flags)
+ return 1;
+diff -uNr linux-2.6.6/include/linux/proc_fs.h linux-2.6.6.fixed/include/linux/proc_fs.h
+--- linux-2.6.6/include/linux/proc_fs.h 2004-05-10 04:33:22.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/proc_fs.h 2004-05-11 10:55:58.000000000 +0200
+@@ -221,7 +221,7 @@
+
+ #endif /* CONFIG_PROC_FS */
+
+-#if !defined(CONFIG_PROC_FS)
++#if !defined(CONFIG_PROC_FS) || !defined(CONFIG_PROC_KCORE)
+ static inline void kclist_add(struct kcore_list *new, void *addr, size_t size)
+ {
+ }
+diff -uNr linux-2.6.6/include/linux/random.h linux-2.6.6.fixed/include/linux/random.h
+--- linux-2.6.6/include/linux/random.h 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/random.h 2004-05-11 10:55:58.000000000 +0200
+@@ -69,6 +69,8 @@
+
+ extern __u32 secure_ipv6_id(__u32 *daddr);
+
++extern unsigned long pax_get_random_long(void);
++
+ #ifndef MODULE
+ extern struct file_operations random_fops, urandom_fops;
+ #endif
+diff -uNr linux-2.6.6/include/linux/sched.h linux-2.6.6.fixed/include/linux/sched.h
+--- linux-2.6.6/include/linux/sched.h 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/sched.h 2004-05-11 10:55:58.000000000 +0200
+@@ -31,6 +31,7 @@
+ #include <linux/percpu.h>
+
+ struct exec_domain;
++struct linux_binprm;
+
+ /*
+ * cloning flags:
+@@ -231,6 +232,21 @@
+ struct kioctx *ioctx_list;
+
+ struct kioctx default_kioctx;
++
++#ifdef CONFIG_PAX_DLRESOLVE
++ unsigned long call_dl_resolve;
++#endif
++
++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
++ unsigned long call_syscall;
++#endif
++
++#ifdef CONFIG_PAX_ASLR
++ unsigned long delta_mmap; /* randomized offset */
++ unsigned long delta_exec; /* randomized offset */
++ unsigned long delta_stack; /* randomized offset */
++#endif
++
+ };
+
+ extern int mmlist_nr;
+@@ -504,6 +520,22 @@
+
+ unsigned long ptrace_message;
+ siginfo_t *last_siginfo; /* For ptrace use. */
++
++#ifdef CONFIG_GRKERNSEC
++ /* grsecurity */
++ struct acl_subject_label *acl;
++ struct acl_role_label *role;
++ struct file *exec_file;
++ u32 curr_ip;
++ u32 gr_saddr;
++ u32 gr_daddr;
++ u16 gr_sport;
++ u16 gr_dport;
++ u16 acl_role_id;
++ u8 acl_sp_role:1;
++ u8 used_accept:1;
++ u8 is_writable:1;
++#endif
+ };
+
+ static inline pid_t process_group(struct task_struct *tsk)
+@@ -541,6 +573,29 @@
+ #define PF_LESS_THROTTLE 0x00100000 /* Throttle me less: I clean memory */
+ #define PF_SYNCWRITE 0x00200000 /* I am doing a sync write */
+
++#define PF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
++#define PF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
++#define PF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
++#define PF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
++#define PF_PAX_RANDEXEC 0x10000000 /* Randomize ET_EXEC base */
++#define PF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
++
++#ifdef CONFIG_PAX_SOFTMODE
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) || defined(CONFIG_PAX_RANDKSTACK)
++extern unsigned int pax_aslr;
++#endif
++
++extern unsigned int pax_softmode;
++#endif
++
++extern int pax_check_flags(unsigned long *);
++
++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
++extern void pax_set_flags(struct linux_binprm * bprm);
++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
++extern void (*pax_set_flags_func)(struct linux_binprm * bprm);
++#endif
++
+ #ifdef CONFIG_SMP
+ extern int set_cpus_allowed(task_t *p, cpumask_t new_mask);
+ #else
+@@ -686,14 +741,29 @@
+ : on_sig_stack(sp) ? SS_ONSTACK : 0);
+ }
+
++extern int gr_task_is_capable(struct task_struct *task, const int cap);
++extern int gr_is_capable_nolog(const int cap);
+
+ #ifdef CONFIG_SECURITY
+ /* code is in security.c */
+ extern int capable(int cap);
++static inline int capable_nolog(int cap)
++{
++ return capable(cap);
++}
+ #else
+ static inline int capable(int cap)
+ {
+- if (cap_raised(current->cap_effective, cap)) {
++ if (cap_raised(current->cap_effective, cap) && gr_task_is_capable(current, cap)) {
++ current->flags |= PF_SUPERPRIV;
++ return 1;
++ }
++ return 0;
++}
++
++static inline int capable_nolog(int cap)
++{
++ if (cap_raised(current->cap_effective, cap) && gr_is_capable_nolog(cap)) {
+ current->flags |= PF_SUPERPRIV;
+ return 1;
+ }
+diff -uNr linux-2.6.6/include/linux/shm.h linux-2.6.6.fixed/include/linux/shm.h
+--- linux-2.6.6/include/linux/shm.h 2004-05-10 04:32:54.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/shm.h 2004-05-11 10:55:58.000000000 +0200
+@@ -84,6 +84,10 @@
+ time_t shm_ctim;
+ pid_t shm_cprid;
+ pid_t shm_lprid;
++#ifdef CONFIG_GRKERNSEC
++ time_t shm_createtime;
++ pid_t shm_lapid;
++#endif
+ };
+
+ /* shm_mode upper byte flags */
+diff -uNr linux-2.6.6/include/linux/sysctl.h linux-2.6.6.fixed/include/linux/sysctl.h
+--- linux-2.6.6/include/linux/sysctl.h 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/include/linux/sysctl.h 2004-05-11 11:16:39.000000000 +0200
+@@ -133,8 +133,20 @@
+ KERN_NGROUPS_MAX=63, /* int: NGROUPS_MAX */
+ KERN_SPARC_SCONS_PWROFF=64, /* int: serial console power-off halt */
+ KERN_HZ_TIMER=65, /* int: hz timer on or off */
+-};
++ KERN_GRSECURITY=68, /* grsecurity */
++
+
++#ifdef CONFIG_PAX_SOFTMODE
++ KERN_PAX=69, /* PaX control */
++#endif
++};
++
++#ifdef CONFIG_PAX_SOFTMODE
++enum {
++ PAX_ASLR=1, /* PaX: disable/enable all randomization features */
++ PAX_SOFTMODE=2 /* PaX: disable/enable soft mode */
++};
++#endif
+
+ /* CTL_VM names: */
+ enum
+diff -uNr linux-2.6.6/include/net/ip.h linux-2.6.6.fixed/include/net/ip.h
+--- linux-2.6.6/include/net/ip.h 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/include/net/ip.h 2004-05-11 10:55:58.000000000 +0200
+@@ -33,6 +33,11 @@
+ #include <net/route.h>
+ #include <net/arp.h>
+
++#ifdef CONFIG_GRKERNSEC_RANDID
++extern int grsec_enable_randid;
++extern __u16 ip_randomid(void);
++#endif
++
+ #ifndef _SNMP_H
+ #include <net/snmp.h>
+ #endif
+@@ -188,6 +193,13 @@
+
+ static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, struct sock *sk)
+ {
++
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ iph->id = htons(ip_randomid());
++ else
++#endif
++
+ if (iph->frag_off & htons(IP_DF)) {
+ /* This is only to work around buggy Windows95/2000
+ * VJ compression implementations. If the ID field
+diff -uNr linux-2.6.6/init/do_mounts.c linux-2.6.6.fixed/init/do_mounts.c
+--- linux-2.6.6/init/do_mounts.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/init/do_mounts.c 2004-05-11 10:55:58.000000000 +0200
+@@ -291,6 +291,7 @@
+ case -EINVAL:
+ continue;
+ }
++
+ /*
+ * Allow the user to distinguish between failed sys_open
+ * and bad superblock on root device.
+diff -uNr linux-2.6.6/init/Kconfig linux-2.6.6.fixed/init/Kconfig
+--- linux-2.6.6/init/Kconfig 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/init/Kconfig 2004-05-11 10:55:58.000000000 +0200
+@@ -230,6 +230,7 @@
+ config KALLSYMS
+ bool "Load all symbols for debugging/kksymoops" if EMBEDDED
+ default y
++ depends on !GRKERNSEC_HIDESYM
+ help
+ Say Y here to let the kernel print out symbolic crash information and
+ symbolic stack backtraces. This increases the size of the kernel
+diff -uNr linux-2.6.6/init/main.c linux-2.6.6.fixed/init/main.c
+--- linux-2.6.6/init/main.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/init/main.c 2004-05-11 11:13:42.000000000 +0200
+@@ -90,6 +90,7 @@
+ extern void populate_rootfs(void);
+ extern void driver_init(void);
+ extern void prepare_namespace(void);
++extern void grsecurity_init(void);
+
+ #ifdef CONFIG_TC
+ extern void tc_init(void);
+@@ -614,6 +615,7 @@
+ else
+ prepare_namespace();
+
++ grsecurity_init();
+ /*
+ * Ok, we have completed the initial bootup, and
+ * we're essentially up and running. Get rid of the
+diff -uNr linux-2.6.6/ipc/msg.c linux-2.6.6.fixed/ipc/msg.c
+--- linux-2.6.6/ipc/msg.c 2004-05-10 04:31:57.000000000 +0200
++++ linux-2.6.6.fixed/ipc/msg.c 2004-05-11 10:55:58.000000000 +0200
+@@ -24,6 +24,7 @@
+ #include <linux/list.h>
+ #include <linux/security.h>
+ #include <linux/sched.h>
++#include <linux/grsecurity.h>
+ #include <asm/current.h>
+ #include <asm/uaccess.h>
+ #include "util.h"
+@@ -226,6 +227,9 @@
+ msg_unlock(msq);
+ }
+ up(&msg_ids.sem);
++
++ gr_log_msgget(ret, msgflg);
++
+ return ret;
+ }
+
+@@ -475,6 +479,8 @@
+ break;
+ }
+ case IPC_RMID:
++ gr_log_msgrm(ipcp->uid, ipcp->cuid);
++
+ freeque (msq, msqid);
+ break;
+ }
+diff -uNr linux-2.6.6/ipc/sem.c linux-2.6.6.fixed/ipc/sem.c
+--- linux-2.6.6/ipc/sem.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/ipc/sem.c 2004-05-11 10:55:58.000000000 +0200
+@@ -71,6 +71,7 @@
+ #include <linux/time.h>
+ #include <linux/smp_lock.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+ #include "util.h"
+
+@@ -238,6 +239,9 @@
+ }
+
+ up(&sem_ids.sem);
++
++ gr_log_semget(err, semflg);
++
+ return err;
+ }
+
+@@ -804,6 +808,8 @@
+
+ switch(cmd){
+ case IPC_RMID:
++ gr_log_semrm(ipcp->uid, ipcp->cuid);
++
+ freeary(sma, semid);
+ err = 0;
+ break;
+diff -uNr linux-2.6.6/ipc/shm.c linux-2.6.6.fixed/ipc/shm.c
+--- linux-2.6.6/ipc/shm.c 2004-05-10 04:32:37.000000000 +0200
++++ linux-2.6.6.fixed/ipc/shm.c 2004-05-11 10:55:58.000000000 +0200
+@@ -26,6 +26,7 @@
+ #include <linux/proc_fs.h>
+ #include <linux/shmem_fs.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+
+ #include "util.h"
+@@ -50,6 +51,14 @@
+ static int sysvipc_shm_read_proc(char *buffer, char **start, off_t offset, int length, int *eof, void *data);
+ #endif
+
++#ifdef CONFIG_GRKERNSEC
++extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
++ const time_t shm_createtime, const uid_t cuid,
++ const int shmid);
++extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
++ const time_t shm_createtime);
++#endif
++
+ size_t shm_ctlmax = SHMMAX;
+ size_t shm_ctlall = SHMALL;
+ int shm_ctlmni = SHMMNI;
+@@ -213,6 +222,9 @@
+ shp->shm_lprid = 0;
+ shp->shm_atim = shp->shm_dtim = 0;
+ shp->shm_ctim = get_seconds();
++#ifdef CONFIG_GRKERNSEC
++ shp->shm_createtime = get_seconds();
++#endif
+ shp->shm_segsz = size;
+ shp->shm_nattch = 0;
+ shp->id = shm_buildid(id,shp->shm_perm.seq);
+@@ -267,6 +279,8 @@
+ }
+ up(&shm_ids.sem);
+
++ gr_log_shmget(err, shmflg, size);
++
+ return err;
+ }
+
+@@ -565,6 +579,8 @@
+ if (err)
+ goto out_unlock_up;
+
++ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
++
+ if (shp->shm_nattch){
+ shp->shm_flags |= SHM_DEST;
+ /* Do not find it any more */
+@@ -703,9 +719,27 @@
+ return err;
+ }
+
++#ifdef CONFIG_GRKERNSEC
++ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
++ shp->shm_perm.cuid, shmid)) {
++ shm_unlock(shp);
++ return -EACCES;
++ }
++
++ if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
++ shm_unlock(shp);
++ return -EACCES;
++ }
++#endif
++
+ file = shp->shm_file;
+ size = i_size_read(file->f_dentry->d_inode);
+ shp->shm_nattch++;
++
++#ifdef CONFIG_GRKERNSEC
++ shp->shm_lapid = current->pid;
++#endif
++
+ shm_unlock(shp);
+
+ down_write(¤t->mm->mmap_sem);
+diff -uNr linux-2.6.6/kernel/capability.c linux-2.6.6.fixed/kernel/capability.c
+--- linux-2.6.6/kernel/capability.c 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/kernel/capability.c 2004-05-11 10:55:58.000000000 +0200
+@@ -10,6 +10,7 @@
+ #include <linux/mm.h>
+ #include <linux/module.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+
+ unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
+@@ -168,6 +169,11 @@
+ } else
+ target = current;
+
++ if (gr_handle_chroot_capset(target)) {
++ ret = -ESRCH;
++ goto out;
++ }
++
+ ret = -EPERM;
+
+ if (security_capset_check(target, &effective, &inheritable, &permitted))
+diff -uNr linux-2.6.6/kernel/configs.c linux-2.6.6.fixed/kernel/configs.c
+--- linux-2.6.6/kernel/configs.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/kernel/configs.c 2004-05-11 10:55:58.000000000 +0200
+@@ -78,8 +78,16 @@
+ struct proc_dir_entry *entry;
+
+ /* create the current config file */
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
++#endif
++#else
+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
+ &proc_root);
++#endif
+ if (!entry)
+ return -ENOMEM;
+
+diff -uNr linux-2.6.6/kernel/exit.c linux-2.6.6.fixed/kernel/exit.c
+--- linux-2.6.6/kernel/exit.c 2004-05-10 04:33:19.000000000 +0200
++++ linux-2.6.6.fixed/kernel/exit.c 2004-05-11 10:55:58.000000000 +0200
+@@ -22,6 +22,7 @@
+ #include <linux/profile.h>
+ #include <linux/mount.h>
+ #include <linux/proc_fs.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -231,6 +232,13 @@
+ {
+ write_lock_irq(&tasklist_lock);
+
++#ifdef CONFIG_GRKERNSEC
++ if (current->exec_file) {
++ fput(current->exec_file);
++ current->exec_file = NULL;
++ }
++#endif
++
+ ptrace_unlink(current);
+ /* Reparent to init */
+ REMOVE_LINKS(current);
+@@ -238,6 +246,8 @@
+ current->real_parent = child_reaper;
+ SET_LINKS(current);
+
++ gr_set_kernel_label(current);
++
+ /* Set the exit signal to SIGCHLD so we signal init on exit */
+ current->exit_signal = SIGCHLD;
+
+@@ -332,6 +342,15 @@
+ vsnprintf(current->comm, sizeof(current->comm), name, args);
+ va_end(args);
+
++#ifdef CONFIG_GRKERNSEC
++ if (current->exec_file) {
++ fput(current->exec_file);
++ current->exec_file = NULL;
++ }
++#endif
++
++ gr_set_kernel_label(current);
++
+ /*
+ * If we were started as result of loading a module, close all of the
+ * user space pages. We don't need them, and if we didn't close them
+@@ -783,6 +802,11 @@
+ }
+
+ acct_process(code);
++
++ gr_acl_handle_psacct(tsk, code);
++ gr_acl_handle_exit();
++ gr_del_task_from_ip_table(tsk);
++
+ __exit_mm(tsk);
+
+ exit_sem(tsk);
+diff -uNr linux-2.6.6/kernel/fork.c linux-2.6.6.fixed/kernel/fork.c
+--- linux-2.6.6/kernel/fork.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/kernel/fork.c 2004-05-11 11:07:27.000000000 +0200
+@@ -33,6 +33,7 @@
+ #include <linux/ptrace.h>
+ #include <linux/mount.h>
+ #include <linux/audit.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
+@@ -278,7 +279,7 @@
+ mm->locked_vm = 0;
+ mm->mmap = NULL;
+ mm->mmap_cache = NULL;
+- mm->free_area_cache = TASK_UNMAPPED_BASE;
++ mm->free_area_cache = oldmm->free_area_cache;
+ mm->map_count = 0;
+ mm->rss = 0;
+ cpus_clear(mm->cpu_vm_mask);
+@@ -890,6 +891,9 @@
+ goto fork_out;
+
+ retval = -EAGAIN;
++
++ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
++
+ if (atomic_read(&p->user->processes) >=
+ p->rlim[RLIMIT_NPROC].rlim_cur) {
+ if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+@@ -978,6 +982,8 @@
+ if (retval)
+ goto bad_fork_cleanup_namespace;
+
++ gr_copy_label(p);
++
+ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
+ /*
+ * Clear TID on mm_release()?
+@@ -1115,6 +1121,9 @@
+ free_uid(p->user);
+ bad_fork_free:
+ free_task(p);
++
++ gr_log_forkfail(retval);
++
+ goto fork_out;
+ }
+
+diff -uNr linux-2.6.6/kernel/kallsyms.c linux-2.6.6.fixed/kernel/kallsyms.c
+--- linux-2.6.6/kernel/kallsyms.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/kernel/kallsyms.c 2004-05-11 10:55:58.000000000 +0200
+@@ -301,7 +301,15 @@
+ {
+ struct proc_dir_entry *entry;
+
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ entry = create_proc_entry("kallsyms", 0444, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &kallsyms_operations;
+ return 0;
+diff -uNr linux-2.6.6/kernel/pid.c linux-2.6.6.fixed/kernel/pid.c
+--- linux-2.6.6/kernel/pid.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/kernel/pid.c 2004-05-11 10:55:58.000000000 +0200
+@@ -25,6 +25,7 @@
+ #include <linux/init.h>
+ #include <linux/bootmem.h>
+ #include <linux/hash.h>
++#include <linux/grsecurity.h>
+
+ #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
+ static struct list_head *pid_hash[PIDTYPE_MAX];
+@@ -99,10 +100,12 @@
+
+ int alloc_pidmap(void)
+ {
+- int pid, offset, max_steps = PIDMAP_ENTRIES + 1;
++ int pid = 0, offset, max_steps = PIDMAP_ENTRIES + 1;
+ pidmap_t *map;
+
+- pid = last_pid + 1;
++ pid = gr_random_pid();
++ if (!pid)
++ pid = last_pid + 1;
+ if (pid >= pid_max)
+ pid = RESERVED_PIDS;
+
+@@ -225,10 +228,16 @@
+ task_t *find_task_by_pid(int nr)
+ {
+ struct pid *pid = find_pid(PIDTYPE_PID, nr);
++ struct task_struct *task = NULL;
+
+ if (!pid)
+ return NULL;
+- return pid_task(pid->task_list.next, PIDTYPE_PID);
++ task = pid_task(pid->task_list.next, PIDTYPE_PID);
++
++ if (gr_pid_is_chrooted(task))
++ return NULL;
++
++ return task;
+ }
+
+ EXPORT_SYMBOL(find_task_by_pid);
+diff -uNr linux-2.6.6/kernel/printk.c linux-2.6.6.fixed/kernel/printk.c
+--- linux-2.6.6/kernel/printk.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/kernel/printk.c 2004-05-11 10:55:58.000000000 +0200
+@@ -30,6 +30,7 @@
+ #include <linux/smp.h>
+ #include <linux/security.h>
+ #include <linux/bootmem.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+
+@@ -249,6 +250,11 @@
+ char c;
+ int error = 0;
+
++#ifdef CONFIG_GRKERNSEC_DMESG
++ if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg)
++ return -EPERM;
++#endif
++
+ error = security_syslog(type);
+ if (error)
+ return error;
+diff -uNr linux-2.6.6/kernel/resource.c linux-2.6.6.fixed/kernel/resource.c
+--- linux-2.6.6/kernel/resource.c 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/kernel/resource.c 2004-05-11 10:55:58.000000000 +0200
+@@ -134,10 +134,27 @@
+ {
+ struct proc_dir_entry *entry;
+
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ entry = create_proc_entry("ioports", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ entry = create_proc_entry("ioports", 0, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &proc_ioports_operations;
++
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ entry = create_proc_entry("iomem", S_IRUSR, NULL);
++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
++#endif
++#else
+ entry = create_proc_entry("iomem", 0, NULL);
++#endif
+ if (entry)
+ entry->proc_fops = &proc_iomem_operations;
+ return 0;
+diff -uNr linux-2.6.6/kernel/sched.c linux-2.6.6.fixed/kernel/sched.c
+--- linux-2.6.6/kernel/sched.c.orig 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6/kernel/sched.c 2004-05-11 16:57:32.559053240 +0200
+@@ -39,6 +39,7 @@
+ #include <linux/cpu.h>
+ #include <linux/percpu.h>
+ #include <linux/kthread.h>
++#include <linux/grsecurity.h>
+
+ #ifdef CONFIG_NUMA
+ #define cpu_to_node_mask(cpu) node_to_cpumask(cpu_to_node(cpu))
+@@ -225,8 +226,8 @@
+ #define task_rq(p) cpu_rq(task_cpu(p))
+ #define cpu_curr(cpu) (cpu_rq(cpu)->curr)
+
+-extern unsigned long __scheduling_functions_start_here;
+-extern unsigned long __scheduling_functions_end_here;
++void __scheduling_functions_start_here(void);
++void __scheduling_functions_end_here(void);
+ const unsigned long scheduling_functions_start_here =
+ (unsigned long)&__scheduling_functions_start_here;
+ const unsigned long scheduling_functions_end_here =
+@@ -1594,6 +1595,8 @@
+ rebalance_tick(rq, 0);
+ }
+
++void __scheduling_functions_start_here() {}
++
+ /*
+ * schedule() is the main scheduler function.
+ */
+@@ -1966,6 +1969,8 @@
+
+ EXPORT_SYMBOL(sleep_on_timeout);
+
++void __scheduling_functions_end_here() {}
++
+ void set_user_nice(task_t *p, long nice)
+ {
+ unsigned long flags;
+@@ -2039,6 +2044,8 @@
+ return -EPERM;
+ if (increment < -40)
+ increment = -40;
++ if (gr_handle_chroot_nice())
++ return -EPERM;
+ }
+ if (increment > 40)
+ increment = 40;
+diff -uNr linux-2.6.6/kernel/signal.c linux-2.6.6.fixed/kernel/signal.c
+--- linux-2.6.6/kernel/signal.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/kernel/signal.c 2004-05-11 10:55:58.000000000 +0200
+@@ -21,6 +21,7 @@
+ #include <linux/binfmts.h>
+ #include <linux/security.h>
+ #include <linux/ptrace.h>
++#include <linux/grsecurity.h>
+ #include <asm/param.h>
+ #include <asm/uaccess.h>
+ #include <asm/siginfo.h>
+@@ -769,11 +770,13 @@
+ (((sig) < SIGRTMIN) && sigismember(&(sigptr)->signal, (sig)))
+
+
+-static int
++int
+ specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+ {
+ int ret = 0;
+
++ gr_log_signal(sig, t);
++
+ if (!irqs_disabled())
+ BUG();
+ #ifdef CONFIG_SMP
+@@ -824,6 +827,8 @@
+ ret = specific_send_sig_info(sig, info, t);
+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
+
++ gr_handle_crash(t, sig);
++
+ return ret;
+ }
+
+@@ -1082,9 +1087,14 @@
+ int err;
+
+ found = 1;
+- err = group_send_sig_info(sig, info, p);
+- if (!retval)
+- retval = err;
++
++ if (gr_handle_signal(p, sig))
++ retval = -EPERM;
++ else {
++ err = group_send_sig_info(sig, info, p);
++ if (!retval)
++ retval = err;
++ }
+ }
+ return found ? retval : -ESRCH;
+ }
+@@ -1142,8 +1152,12 @@
+ read_lock(&tasklist_lock);
+ p = find_task_by_pid(pid);
+ error = -ESRCH;
+- if (p)
+- error = group_send_sig_info(sig, info, p);
++ if (p) {
++ if (gr_handle_signal(p, sig))
++ error = -EPERM;
++ else
++ error = group_send_sig_info(sig, info, p);
++ }
+ read_unlock(&tasklist_lock);
+ return error;
+ }
+@@ -1167,10 +1181,14 @@
+ read_lock(&tasklist_lock);
+ for_each_process(p) {
+ if (p->pid > 1 && p->tgid != current->tgid) {
+- int err = group_send_sig_info(sig, info, p);
+- ++count;
+- if (err != -EPERM)
+- retval = err;
++ if (gr_handle_signal(p, sig))
++ retval = -EPERM;
++ else {
++ int err = group_send_sig_info(sig, info, p);
++ ++count;
++ if (err != -EPERM)
++ retval = err;
++ }
+ }
+ }
+ read_unlock(&tasklist_lock);
+diff -uNr linux-2.6.6/kernel/sys.c linux-2.6.6.fixed/kernel/sys.c
+--- linux-2.6.6/kernel/sys.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/kernel/sys.c 2004-05-11 10:55:58.000000000 +0200
+@@ -23,6 +23,7 @@
+ #include <linux/security.h>
+ #include <linux/dcookies.h>
+ #include <linux/suspend.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/io.h>
+@@ -290,6 +291,12 @@
+ error = -EACCES;
+ goto out;
+ }
++
++ if (gr_handle_chroot_setpriority(p, niceval)) {
++ error = -EACCES;
++ goto out;
++ }
++
+ no_nice = security_task_setnice(p, niceval);
+ if (no_nice) {
+ error = no_nice;
+@@ -590,6 +597,9 @@
+ if (rgid != (gid_t) -1 ||
+ (egid != (gid_t) -1 && egid != old_rgid))
+ current->sgid = new_egid;
++
++ gr_set_role_label(current, current->uid, new_rgid);
++
+ current->fsgid = new_egid;
+ current->egid = new_egid;
+ current->gid = new_rgid;
+@@ -617,6 +627,9 @@
+ current->mm->dumpable=0;
+ wmb();
+ }
++
++ gr_set_role_label(current, current->uid, gid);
++
+ current->gid = current->egid = current->sgid = current->fsgid = gid;
+ }
+ else if ((gid == current->gid) || (gid == current->sgid))
+@@ -655,6 +668,9 @@
+ current->mm->dumpable = 0;
+ wmb();
+ }
++
++ gr_set_role_label(current, new_ruid, current->gid);
++
+ current->uid = new_ruid;
+ return 0;
+ }
+@@ -755,6 +771,9 @@
+ } else if ((uid != current->uid) && (uid != new_suid))
+ return -EPERM;
+
++ if (gr_check_crash_uid(uid))
++ return -EPERM;
++
+ if (old_euid != uid)
+ {
+ current->mm->dumpable = 0;
+@@ -854,8 +873,10 @@
+ current->egid = egid;
+ }
+ current->fsgid = current->egid;
+- if (rgid != (gid_t) -1)
++ if (rgid != (gid_t) -1) {
++ gr_set_role_label(current, current->uid, rgid);
+ current->gid = rgid;
++ }
+ if (sgid != (gid_t) -1)
+ current->sgid = sgid;
+ return 0;
+diff -uNr linux-2.6.6/kernel/sysctl.c linux-2.6.6.fixed/kernel/sysctl.c
+--- linux-2.6.6/kernel/sysctl.c 2004-05-10 04:32:00.000000000 +0200
++++ linux-2.6.6.fixed/kernel/sysctl.c 2004-05-11 10:55:58.000000000 +0200
+@@ -46,6 +46,14 @@
+ #endif
+
+ #if defined(CONFIG_SYSCTL)
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++extern __u32 gr_handle_sysctl(const ctl_table *table, const void *oldval,
++ const void *newval);
++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
++ const int op);
++extern int gr_handle_chroot_sysctl(const int op);
+
+ /* External variables not in a header file. */
+ extern int panic_timeout;
+@@ -142,6 +150,32 @@
+ #ifdef CONFIG_UNIX98_PTYS
+ extern ctl_table pty_table[];
+ #endif
++extern ctl_table grsecurity_table[];
++
++#ifdef CONFIG_PAX_SOFTMODE
++static ctl_table pax_table[] = {
++
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK) || defined(CONFIG_PAX_RANDKSTACK)
++ {
++ .ctl_name = PAX_ASLR,
++ .procname = "aslr",
++ .data = &pax_aslr,
++ .maxlen = sizeof(unsigned int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++
++ {
++ .ctl_name = PAX_SOFTMODE,
++ .procname = "softmode",
++ .data = &pax_softmode,
++ .maxlen = sizeof(unsigned int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ }
++};
++#endif
+
+ /* /proc declarations: */
+
+@@ -636,6 +670,14 @@
+ .mode = 0444,
+ .proc_handler = &proc_dointvec,
+ },
++#ifdef CONFIG_GRKERNSEC_SYSCTL
++ {
++ .ctl_name = KERN_GRSECURITY,
++ .procname = "grsecurity",
++ .mode = 0500,
++ .child = grsecurity_table,
++ },
++#endif
+ { .ctl_name = 0 }
+ };
+
+@@ -897,6 +939,16 @@
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
++
++#ifdef CONFIG_PAX_SOFTMODE
++ {
++ .ctl_name = KERN_PAX,
++ .procname = "pax",
++ .mode = 0500,
++ .child = pax_table,
++ },
++#endif
++
+ { .ctl_name = 0 }
+ };
+
+@@ -981,6 +1033,10 @@
+ static inline int ctl_perm(ctl_table *table, int op)
+ {
+ int error;
++ if (table->de && gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))
++ return -EACCES;
++ if (gr_handle_chroot_sysctl(op))
++ return -EACCES;
+ error = security_sysctl(table, op);
+ if (error)
+ return error;
+@@ -1017,6 +1073,10 @@
+ table = table->child;
+ goto repeat;
+ }
++
++ if (!gr_handle_sysctl(table, oldval, newval))
++ return -EACCES;
++
+ error = do_sysctl_strategy(table, name, nlen,
+ oldval, oldlenp,
+ newval, newlen, context);
+diff -uNr linux-2.6.6/kernel/time.c linux-2.6.6.fixed/kernel/time.c
+--- linux-2.6.6/kernel/time.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/kernel/time.c 2004-05-11 10:55:58.000000000 +0200
+@@ -28,6 +28,7 @@
+ #include <linux/timex.h>
+ #include <linux/errno.h>
+ #include <linux/smp_lock.h>
++#include <linux/grsecurity.h>
+ #include <asm/uaccess.h>
+
+ /*
+@@ -81,6 +82,9 @@
+
+ tv.tv_nsec = 0;
+ do_settimeofday(&tv);
++
++ gr_log_timechange();
++
+ return 0;
+ }
+
+@@ -182,6 +186,8 @@
+ return -EFAULT;
+ }
+
++ gr_log_timechange();
++
+ return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
+ }
+
+diff -uNr linux-2.6.6/kernel/timer.c linux-2.6.6.fixed/kernel/timer.c
+--- linux-2.6.6/kernel/timer.c 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/kernel/timer.c 2004-05-11 10:55:58.000000000 +0200
+@@ -31,6 +31,7 @@
+ #include <linux/time.h>
+ #include <linux/jiffies.h>
+ #include <linux/cpu.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/div64.h>
+@@ -757,6 +758,9 @@
+
+ psecs = (p->utime += user);
+ psecs += (p->stime += system);
++
++ gr_learn_resource(p, RLIMIT_CPU, psecs / HZ, 1);
++
+ if (psecs / HZ > p->rlim[RLIMIT_CPU].rlim_cur) {
+ /* Send SIGXCPU every second.. */
+ if (!(psecs % HZ))
+diff -uNr linux-2.6.6/Makefile linux-2.6.6.fixed/Makefile
+--- linux-2.6.6/Makefile 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/Makefile 2004-05-11 10:57:58.000000000 +0200
+@@ -1,7 +1,7 @@
+ VERSION = 2
+ PATCHLEVEL = 6
+ SUBLEVEL = 6
+-EXTRAVERSION =
++EXTRAVERSION = -grsec
+ NAME=Zonked Quokka
+
+ # *DOCUMENTATION*
+@@ -484,7 +484,7 @@
+
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ grsecurity/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -uNr linux-2.6.6/mm/filemap.c linux-2.6.6.fixed/mm/filemap.c
+--- linux-2.6.6/mm/filemap.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/mm/filemap.c 2004-05-11 10:55:58.000000000 +0200
+@@ -27,6 +27,8 @@
+ #include <linux/pagevec.h>
+ #include <linux/blkdev.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
++
+ /*
+ * This is needed for the following functions:
+ * - try_to_release_page
+@@ -1386,6 +1388,12 @@
+
+ if (!mapping->a_ops->readpage)
+ return -ENOEXEC;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (current->flags & PF_PAX_PAGEEXEC)
++ vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
++#endif
++
+ file_accessed(file);
+ vma->vm_ops = &generic_file_vm_ops;
+ return 0;
+@@ -1684,6 +1692,7 @@
+ *pos = i_size_read(inode);
+
+ if (limit != RLIM_INFINITY) {
++ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
+ if (*pos >= limit) {
+ send_sig(SIGXFSZ, current, 0);
+ return -EFBIG;
+diff -uNr linux-2.6.6/mm/madvise.c linux-2.6.6.fixed/mm/madvise.c
+--- linux-2.6.6/mm/madvise.c 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/mm/madvise.c 2004-05-11 10:55:58.000000000 +0200
+@@ -13,8 +13,42 @@
+ * We can potentially split a vm area into separate
+ * areas, each area with its own behavior.
+ */
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++static long __madvise_behavior(struct vm_area_struct * vma, unsigned long start,
++ unsigned long end, int behavior);
++
++static long madvise_behavior(struct vm_area_struct * vma, unsigned long start,
++ unsigned long end, int behavior)
++{
++ if (vma->vm_flags & VM_MIRROR) {
++ struct vm_area_struct * vma_m, * prev_m;
++ unsigned long start_m, end_m;
++ int error;
++
++ start_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma_prev(vma->vm_mm, start_m, &prev_m);
++ if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) {
++ start_m = start + (unsigned long)vma->vm_private_data;
++ end_m = end + (unsigned long)vma->vm_private_data;
++ error = __madvise_behavior(vma_m, start_m, end_m, behavior);
++ if (error)
++ return error;
++ } else {
++ printk("PAX: VMMIRROR: madvise bug in %s, %08lx\n", current->comm, vma->vm_start);
++ return -ENOMEM;
++ }
++ }
++
++ return __madvise_behavior(vma, start, end, behavior);
++}
++
++static long __madvise_behavior(struct vm_area_struct * vma, unsigned long start,
++ unsigned long end, int behavior)
++#else
+ static long madvise_behavior(struct vm_area_struct * vma, unsigned long start,
+ unsigned long end, int behavior)
++#endif
+ {
+ struct mm_struct * mm = vma->vm_mm;
+ int error;
+diff -uNr linux-2.6.6/mm/memory.c linux-2.6.6.fixed/mm/memory.c
+--- linux-2.6.6/mm/memory.c 2004-05-10 04:32:29.000000000 +0200
++++ linux-2.6.6.fixed/mm/memory.c 2004-05-11 10:55:58.000000000 +0200
+@@ -46,6 +46,7 @@
+ #include <linux/rmap.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/pgalloc.h>
+ #include <asm/rmap.h>
+@@ -1045,6 +1046,69 @@
+ update_mmu_cache(vma, address, entry);
+ }
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++/* PaX: if vma is mirrored, synchronize the mirror's PTE
++ *
++ * mm->page_table_lock is held on entry and is not released on exit or inside
++ * to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
++ */
++struct pte_chain * pax_mirror_fault(struct mm_struct *mm, struct vm_area_struct * vma,
++ unsigned long address, pte_t *pte, struct pte_chain *pte_chain)
++{
++ unsigned long address_m;
++ struct vm_area_struct * vma_m = NULL;
++ pte_t * pte_m, entry_m;
++ struct page * page_m;
++
++ address_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(mm, address_m);
++ BUG_ON(!vma_m || vma_m->vm_start != address_m);
++
++ address_m = address + (unsigned long)vma->vm_private_data;
++
++ {
++ pgd_t *pgd_m;
++ pmd_t *pmd_m;
++
++ pgd_m = pgd_offset(mm, address_m);
++ pmd_m = pmd_offset(pgd_m, address_m);
++ pte_m = pte_offset_map_nested(pmd_m, address_m);
++ }
++
++ if (pte_present(*pte_m)) {
++ flush_cache_page(vma_m, address_m);
++ flush_icache_page(vma_m, pte_page(*pte_m));
++ }
++ entry_m = ptep_get_and_clear(pte_m);
++ if (pte_present(entry_m))
++ flush_tlb_page(vma_m, address_m);
++
++ if (pte_none(entry_m)) {
++ ++mm->rss;
++ } else if (pte_present(entry_m)) {
++ page_remove_rmap(pte_page(entry_m), pte_m);
++ page_cache_release(pte_page(entry_m));
++ } else if (!pte_file(entry_m)) {
++ free_swap_and_cache(pte_to_swp_entry(entry_m));
++ ++mm->rss;
++ } else {
++ printk(KERN_ERR "PAX: VMMIRROR: bug in mirror_fault: %08lx, %08lx, %08lx, %08lx\n",
++ address, vma->vm_start, address_m, vma_m->vm_start);
++ }
++
++ page_m = pte_page(*pte);
++ page_cache_get(page_m);
++ entry_m = mk_pte(page_m, vma_m->vm_page_prot);
++ if (pte_write(*pte))
++ entry_m = pte_mkdirty(pte_mkwrite(entry_m));
++ pte_chain = page_add_rmap(page_m, pte_m, pte_chain);
++ ptep_establish(vma_m, address_m, pte_m, entry_m);
++ update_mmu_cache(vma_m, address_m, entry_m);
++ pte_unmap_nested(pte_m);
++ return pte_chain;
++}
++#endif
++
+ /*
+ * This routine handles present pages, when users try to write
+ * to a shared page. It is done by copying the page to a new address
+@@ -1073,6 +1137,10 @@
+ struct pte_chain *pte_chain;
+ pte_t entry;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct pte_chain *pte_chain_m = NULL;
++#endif
++
+ if (unlikely(!pfn_valid(pfn))) {
+ /*
+ * This should really halt the system so it can be debugged or
+@@ -1112,6 +1180,13 @@
+ pte_chain = pte_chain_alloc(GFP_KERNEL);
+ if (!pte_chain)
+ goto no_pte_chain;
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_m = pte_chain_alloc(GFP_KERNEL);
++ if (!pte_chain_m)
++ goto no_new_page;
++#endif
++
+ new_page = alloc_page(GFP_HIGHUSER);
+ if (!new_page)
+ goto no_new_page;
+@@ -1132,16 +1207,32 @@
+
+ /* Free the old page.. */
+ new_page = old_page;
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR)
++ pte_chain_m = pax_mirror_fault(mm, vma, address, page_table, pte_chain_m);
++#endif
++
+ }
+ pte_unmap(page_table);
+ page_cache_release(new_page);
+ page_cache_release(old_page);
+ spin_unlock(&mm->page_table_lock);
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ return VM_FAULT_MINOR;
+
+ no_new_page:
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ no_pte_chain:
+ page_cache_release(old_page);
+ return VM_FAULT_OOM;
+@@ -1257,6 +1348,7 @@
+
+ do_expand:
+ limit = current->rlim[RLIMIT_FSIZE].rlim_cur;
++ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
+ if (limit != RLIM_INFINITY && offset > limit)
+ goto out_sig;
+ if (offset > inode->i_sb->s_maxbytes)
+@@ -1316,6 +1408,10 @@
+ int ret = VM_FAULT_MINOR;
+ struct pte_chain *pte_chain = NULL;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct pte_chain *pte_chain_m = NULL;
++#endif
++
+ pte_unmap(page_table);
+ spin_unlock(&mm->page_table_lock);
+ page = lookup_swap_cache(entry);
+@@ -1349,6 +1445,15 @@
+ ret = VM_FAULT_OOM;
+ goto out;
+ }
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_m = pte_chain_alloc(GFP_KERNEL);
++ if (!pte_chain_m) {
++ ret = -ENOMEM;
++ goto out;
++ }
++#endif
++
+ lock_page(page);
+
+ /*
+@@ -1384,10 +1489,21 @@
+
+ /* No need to invalidate - it was non-present before */
+ update_mmu_cache(vma, address, pte);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR)
++ pte_chain_m = pax_mirror_fault(mm, vma, address, page_table, pte_chain_m);
++#endif
++
+ pte_unmap(page_table);
+ spin_unlock(&mm->page_table_lock);
+ out:
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ return ret;
+ }
+
+@@ -1406,13 +1522,38 @@
+ struct pte_chain *pte_chain;
+ int ret;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct pte_chain *pte_chain_m = NULL;
++#endif
++
+ pte_chain = pte_chain_alloc(GFP_ATOMIC | __GFP_NOWARN);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_m = pte_chain_alloc(GFP_ATOMIC | __GFP_NOWARN);
++#endif
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (!pte_chain || !pte_chain_m) {
++#else
+ if (!pte_chain) {
++#endif
++
+ pte_unmap(page_table);
+ spin_unlock(&mm->page_table_lock);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (!pte_chain)
++ pte_chain = pte_chain_alloc(GFP_KERNEL);
++ if (!pte_chain_m)
++ pte_chain_m = pte_chain_alloc(GFP_KERNEL);
++ if (!pte_chain || !pte_chain_m)
++ goto no_mem;
++#else
+ pte_chain = pte_chain_alloc(GFP_KERNEL);
+ if (!pte_chain)
+ goto no_mem;
++#endif
++
+ spin_lock(&mm->page_table_lock);
+ page_table = pte_offset_map(pmd, addr);
+ }
+@@ -1452,10 +1593,16 @@
+ set_pte(page_table, entry);
+ /* ignores ZERO_PAGE */
+ pte_chain = page_add_rmap(page, page_table, pte_chain);
+- pte_unmap(page_table);
+
+ /* No need to invalidate - it was non-present before */
+ update_mmu_cache(vma, addr, entry);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR)
++ pte_chain_m = pax_mirror_fault(mm, vma, addr, page_table, pte_chain_m);
++#endif
++
++ pte_unmap(page_table);
+ spin_unlock(&mm->page_table_lock);
+ ret = VM_FAULT_MINOR;
+ goto out;
+@@ -1464,6 +1611,11 @@
+ ret = VM_FAULT_OOM;
+ out:
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ return ret;
+ }
+
+@@ -1490,6 +1642,10 @@
+ int sequence = 0;
+ int ret = VM_FAULT_MINOR;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct pte_chain *pte_chain_m = NULL;
++#endif
++
+ if (!vma->vm_ops || !vma->vm_ops->nopage)
+ return do_anonymous_page(mm, vma, page_table,
+ pmd, write_access, address);
+@@ -1514,6 +1670,12 @@
+ if (!pte_chain)
+ goto oom;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_m = pte_chain_alloc(GFP_KERNEL);
++ if (!pte_chain_m)
++ goto oom;
++#endif
++
+ /*
+ * Should we do an early C-O-W break?
+ */
+@@ -1539,6 +1701,11 @@
+ spin_unlock(&mm->page_table_lock);
+ page_cache_release(new_page);
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ goto retry;
+ }
+ page_table = pte_offset_map(pmd, address);
+@@ -1563,6 +1730,15 @@
+ entry = maybe_mkwrite(pte_mkdirty(entry), vma);
+ set_pte(page_table, entry);
+ pte_chain = page_add_rmap(new_page, page_table, pte_chain);
++
++ /* no need to invalidate: a not-present page shouldn't be cached */
++ update_mmu_cache(vma, address, entry);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR)
++ pte_chain_m = pax_mirror_fault(mm, vma, address, page_table, pte_chain_m);
++#endif
++
+ pte_unmap(page_table);
+ } else {
+ /* One of our sibling threads was faster, back out. */
+@@ -1572,8 +1748,6 @@
+ goto out;
+ }
+
+- /* no need to invalidate: a not-present page shouldn't be cached */
+- update_mmu_cache(vma, address, entry);
+ spin_unlock(&mm->page_table_lock);
+ goto out;
+ oom:
+@@ -1581,6 +1755,11 @@
+ ret = VM_FAULT_OOM;
+ out:
+ pte_chain_free(pte_chain);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ pte_chain_free(pte_chain_m);
++#endif
++
+ return ret;
+ }
+
+@@ -1683,6 +1862,11 @@
+ pgd_t *pgd;
+ pmd_t *pmd;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ unsigned long address_m = 0UL;
++ struct vm_area_struct * vma_m = NULL;
++#endif
++
+ __set_current_state(TASK_RUNNING);
+ pgd = pgd_offset(mm, address);
+
+@@ -1696,6 +1880,48 @@
+ * and the SMP-safe atomic PTE updates.
+ */
+ spin_lock(&mm->page_table_lock);
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR) {
++ pgd_t *pgd_m;
++ pmd_t *pmd_m;
++ pte_t *pte_m;
++
++ address_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(mm, address_m);
++
++ /* PaX: sanity checks */
++ if (!vma_m) {
++ spin_unlock(&mm->page_table_lock);
++ printk(KERN_ERR "PAX: VMMIRROR: fault bug, %08lx, %p, %08lx, %p\n",
++ address, vma, address_m, vma_m);
++ return VM_FAULT_SIGBUS;
++ } else if (!(vma_m->vm_flags & VM_MIRROR) ||
++ vma_m->vm_start != address_m ||
++ vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start)
++ {
++ spin_unlock(&mm->page_table_lock);
++ printk(KERN_ERR "PAX: VMMIRROR: fault bug2, %08lx, %08lx, %08lx, %08lx, %08lx\n",
++ address, vma->vm_start, vma_m->vm_start, vma->vm_end, vma_m->vm_end);
++ return VM_FAULT_SIGBUS;
++ }
++
++ address_m = address + (unsigned long)vma->vm_private_data;
++ pgd_m = pgd_offset(mm, address_m);
++ pmd_m = pmd_alloc(mm, pgd_m, address_m);
++ if (!pmd_m) {
++ spin_unlock(&mm->page_table_lock);
++ return VM_FAULT_OOM;
++ }
++ pte_m = pte_alloc_map(mm, pmd_m, address_m);
++ if (!pte_m) {
++ spin_unlock(&mm->page_table_lock);
++ return VM_FAULT_OOM;
++ }
++ pte_unmap(pte_m);
++ }
++#endif
++
+ pmd = pmd_alloc(mm, pgd, address);
+
+ if (pmd) {
+diff -uNr linux-2.6.6/mm/mlock.c linux-2.6.6.fixed/mm/mlock.c
+--- linux-2.6.6/mm/mlock.c 2004-05-10 04:31:59.000000000 +0200
++++ linux-2.6.6.fixed/mm/mlock.c 2004-05-11 10:55:58.000000000 +0200
+@@ -7,11 +7,43 @@
+
+ #include <linux/mman.h>
+ #include <linux/mm.h>
++#include <linux/grsecurity.h>
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++static int __mlock_fixup(struct vm_area_struct * vma,
++ unsigned long start, unsigned long end, unsigned int newflags);
+
+ static int mlock_fixup(struct vm_area_struct * vma,
+ unsigned long start, unsigned long end, unsigned int newflags)
+ {
++ if (vma->vm_flags & VM_MIRROR) {
++ struct vm_area_struct * vma_m;
++ unsigned long start_m, end_m;
++ int error;
++
++ start_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(vma->vm_mm, start_m);
++ if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) {
++ start_m = start + (unsigned long)vma->vm_private_data;
++ end_m = end + (unsigned long)vma->vm_private_data;
++ error = __mlock_fixup(vma_m, start_m, end_m, newflags);
++ if (error)
++ return error;
++ } else {
++ printk("PAX: VMMIRROR: mlock bug in %s, %08lx\n", current->comm, vma->vm_start);
++ return -ENOMEM;
++ }
++ }
++ return __mlock_fixup(vma, start, end, newflags);
++}
++
++static int __mlock_fixup(struct vm_area_struct * vma,
++ unsigned long start, unsigned long end, unsigned int newflags)
++#else
++static int mlock_fixup(struct vm_area_struct * vma,
++ unsigned long start, unsigned long end, unsigned int newflags)
++#endif
++{
+ struct mm_struct * mm = vma->vm_mm;
+ int pages;
+ int ret = 0;
+@@ -65,6 +97,17 @@
+ return -EINVAL;
+ if (end == start)
+ return 0;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (end > SEGMEXEC_TASK_SIZE)
++ return -EINVAL;
++ } else
++#endif
++
++ if (end > TASK_SIZE)
++ return -EINVAL;
++
+ vma = find_vma(current->mm, start);
+ if (!vma || vma->vm_start > start)
+ return -ENOMEM;
+@@ -115,6 +158,7 @@
+ lock_limit >>= PAGE_SHIFT;
+
+ /* check against resource limits */
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1);
+ if (locked <= lock_limit)
+ error = do_mlock(start, len, 1);
+ up_write(¤t->mm->mmap_sem);
+@@ -151,6 +195,16 @@
+ for (vma = current->mm->mmap; vma ; vma = vma->vm_next) {
+ unsigned int newflags;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (vma->vm_end > SEGMEXEC_TASK_SIZE)
++ break;
++ } else
++#endif
++
++ if (vma->vm_end > TASK_SIZE)
++ break;
++
+ newflags = vma->vm_flags | VM_LOCKED;
+ if (!(flags & MCL_CURRENT))
+ newflags &= ~VM_LOCKED;
+@@ -174,6 +228,7 @@
+ lock_limit >>= PAGE_SHIFT;
+
+ ret = -ENOMEM;
++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+ if (current->mm->total_vm <= lock_limit)
+ ret = do_mlockall(flags);
+ out:
+diff -uNr linux-2.6.6/mm/mmap.c linux-2.6.6.fixed/mm/mmap.c
+--- linux-2.6.6/mm/mmap.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/mm/mmap.c 2004-05-11 10:55:58.000000000 +0200
+@@ -21,6 +21,7 @@
+ #include <linux/profile.h>
+ #include <linux/module.h>
+ #include <linux/mount.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/pgalloc.h>
+@@ -121,6 +122,7 @@
+
+ /* Check against rlimit.. */
+ rlim = current->rlim[RLIMIT_DATA].rlim_cur;
++ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
+ if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
+ goto out;
+
+@@ -327,6 +329,12 @@
+ static inline int is_mergeable_vma(struct vm_area_struct *vma,
+ struct file *file, unsigned long vm_flags)
+ {
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if ((vma->vm_flags | vm_flags) & VM_MIRROR)
++ return 0;
++#endif
++
+ if (vma->vm_ops && vma->vm_ops->close)
+ return 0;
+ if (vma->vm_file != file)
+@@ -484,6 +492,43 @@
+ unsigned long len, unsigned long prot,
+ unsigned long flags, unsigned long pgoff)
+ {
++ unsigned long ret = -EINVAL;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) &&
++ (len > SEGMEXEC_TASK_SIZE || (addr && addr > SEGMEXEC_TASK_SIZE-len)))
++ goto out;
++#endif
++
++ ret = __do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) && ret < TASK_SIZE && ((flags & MAP_TYPE) == MAP_PRIVATE)
++
++#ifdef CONFIG_PAX_MPROTECT
++ && (!(current->flags & PF_PAX_MPROTECT) || ((prot & PROT_EXEC) && file && !(prot & PROT_WRITE)))
++#endif
++
++ )
++ {
++ unsigned long ret_m;
++ prot = prot & PROT_EXEC ? prot : PROT_NONE;
++ ret_m = __do_mmap_pgoff(NULL, ret + SEGMEXEC_TASK_SIZE, 0UL, prot, flags | MAP_MIRROR | MAP_FIXED, ret);
++ if (ret_m >= TASK_SIZE) {
++ do_munmap(current->mm, ret, len);
++ ret = ret_m;
++ }
++ }
++#endif
++
++out:
++ return ret;
++}
++
++unsigned long __do_mmap_pgoff(struct file * file, unsigned long addr,
++ unsigned long len, unsigned long prot,
++ unsigned long flags, unsigned long pgoff)
++{
+ struct mm_struct * mm = current->mm;
+ struct vm_area_struct * vma, * prev;
+ struct inode *inode;
+@@ -494,6 +539,28 @@
+ int accountable = 1;
+ unsigned long charged = 0;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct vm_area_struct * vma_m = NULL;
++
++ if (flags & MAP_MIRROR) {
++ /* PaX: sanity checks, to be removed when proved to be stable */
++ if (file || len || ((flags & MAP_TYPE) != MAP_PRIVATE))
++ return -EINVAL;
++
++ vma_m = find_vma(mm, pgoff);
++
++ if (!vma_m || is_vm_hugetlb_page(vma_m) ||
++ vma_m->vm_start != pgoff ||
++ (vma_m->vm_flags & VM_MIRROR) ||
++ (!(vma_m->vm_flags & VM_WRITE) && (prot & PROT_WRITE)))
++ return -EINVAL;
++
++ file = vma_m->vm_file;
++ pgoff = vma_m->vm_pgoff;
++ len = vma_m->vm_end - vma_m->vm_start;
++ }
++#endif
++
+ if (file) {
+ if (is_file_hugepages(file))
+ accountable = 0;
+@@ -535,6 +602,30 @@
+ vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
+ mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
+
++ if (file && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
++ vm_flags &= ~VM_MAYEXEC;
++
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++ if (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) {
++
++#ifdef CONFIG_PAX_MPROTECT
++ if (current->flags & PF_PAX_MPROTECT) {
++ if (!file || (prot & PROT_WRITE))
++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
++ else
++ vm_flags &= ~VM_MAYWRITE;
++
++#ifdef CONFIG_PAX_RANDEXEC
++ if (file && (flags & MAP_MIRROR) && (vm_flags & VM_EXEC))
++ vma_m->vm_flags &= ~VM_MAYWRITE;
++#endif
++
++ }
++#endif
++
++ }
++#endif
++
+ if (flags & MAP_LOCKED) {
+ if (!capable(CAP_IPC_LOCK))
+ return -EPERM;
+@@ -544,6 +635,7 @@
+ if (vm_flags & VM_LOCKED) {
+ unsigned long locked = mm->locked_vm << PAGE_SHIFT;
+ locked += len;
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1);
+ if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
+ return -EAGAIN;
+ }
+@@ -599,6 +691,9 @@
+ if (error)
+ return error;
+
++ if (!gr_acl_handle_mmap(file, prot))
++ return -EACCES;
++
+ /* Clear old maps */
+ error = -ENOMEM;
+ munmap_back:
+@@ -610,6 +705,7 @@
+ }
+
+ /* Check against address space limit. */
++ gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len, 1);
+ if ((mm->total_vm << PAGE_SHIFT) + len
+ > current->rlim[RLIMIT_AS].rlim_cur)
+ return -ENOMEM;
+@@ -650,6 +746,13 @@
+ vma->vm_start = addr;
+ vma->vm_end = addr + len;
+ vma->vm_flags = vm_flags;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if ((file || !(current->flags & PF_PAX_PAGEEXEC)) && (vm_flags & (VM_READ|VM_WRITE)))
++ vma->vm_page_prot = protection_map[(vm_flags | VM_EXEC) & 0x0f];
++ else
++#endif
++
+ vma->vm_page_prot = protection_map[vm_flags & 0x0f];
+ vma->vm_ops = NULL;
+ vma->vm_pgoff = pgoff;
+@@ -679,6 +782,14 @@
+ goto free_vma;
+ }
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (flags & MAP_MIRROR) {
++ vma_m->vm_flags |= VM_MIRROR;
++ vma_m->vm_private_data = (void *)(vma->vm_start - vma_m->vm_start);
++ vma->vm_private_data = (void *)(vma_m->vm_start - vma->vm_start);
++ }
++#endif
++
+ /* We set VM_ACCOUNT in a shared mapping's vm_flags, to inform
+ * shmem_zero_setup (perhaps called through /dev/zero's ->mmap)
+ * that memory reservation must be checked; but that reservation
+@@ -738,6 +849,7 @@
+ }
+
+ EXPORT_SYMBOL(do_mmap_pgoff);
++EXPORT_SYMBOL(__do_mmap_pgoff);
+
+ /* Get an address range which is currently unmapped.
+ * For shmat() with addr=0.
+@@ -759,12 +871,28 @@
+ struct vm_area_struct *vma;
+ unsigned long start_addr;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) && len > SEGMEXEC_TASK_SIZE)
++ return -ENOMEM;
++ else
++#endif
++
+ if (len > TASK_SIZE)
+ return -ENOMEM;
+
++#ifdef CONFIG_PAX_RANDMMAP
++ if (!(current->flags & PF_PAX_RANDMMAP) || !filp)
++#endif
++
+ if (addr) {
+ addr = PAGE_ALIGN(addr);
+ vma = find_vma(mm, addr);
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE-len < addr)
++ return -ENOMEM;
++#endif
++
+ if (TASK_SIZE - len >= addr &&
+ (!vma || addr + len <= vma->vm_start))
+ return addr;
+@@ -779,6 +907,17 @@
+ * Start a new search - just in case we missed
+ * some holes.
+ */
++
++#ifdef CONFIG_PAX_RANDMMAP
++ if (current->flags & PF_PAX_RANDMMAP) {
++ if (start_addr != TASK_UNMAPPED_BASE + mm->delta_mmap) {
++ start_addr = addr = TASK_UNMAPPED_BASE + mm->delta_mmap;
++ goto full_search;
++ }
++ return -ENOMEM;
++ } else
++#endif
++
+ if (start_addr != TASK_UNMAPPED_BASE) {
+ start_addr = addr = TASK_UNMAPPED_BASE;
+ goto full_search;
+@@ -939,10 +1078,18 @@
+ spin_unlock(&vma->vm_mm->page_table_lock);
+ return -ENOMEM;
+ }
+-
++
++ gr_learn_resource(current, RLIMIT_STACK, address - vma->vm_start, 1);
++ gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT, 1);
++ if (vma->vm_flags & VM_LOCKED)
++ gr_learn_resource(current, RLIMIT_MEMLOCK, (vma->vm_mm->locked_vm + grow) << PAGE_SHIFT, 1);
++
+ if (address - vma->vm_start > current->rlim[RLIMIT_STACK].rlim_cur ||
+ ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+- current->rlim[RLIMIT_AS].rlim_cur) {
++ current->rlim[RLIMIT_AS].rlim_cur ||
++ ((vma->vm_flags & VM_LOCKED) &&
++ ((vma->vm_mm->locked_vm + grow) << PAGE_SHIFT) >
++ current->rlim[RLIMIT_MEMLOCK].rlim_cur)) {
+ spin_unlock(&vma->vm_mm->page_table_lock);
+ vm_unacct_memory(grow);
+ return -ENOMEM;
+@@ -993,10 +1140,62 @@
+ spin_unlock(&vma->vm_mm->page_table_lock);
+ return -ENOMEM;
+ }
+-
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (vma->vm_flags & VM_MIRROR) {
++ struct vm_area_struct * vma_m;
++ unsigned long address_m;
++
++ address_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(vma->vm_mm, address_m);
++ if (!vma_m || vma_m->vm_start != address_m ||
++ !(vma_m->vm_flags & VM_MIRROR) ||
++ vma->vm_end - vma->vm_start !=
++ vma_m->vm_end - vma_m->vm_start) {
++ spin_unlock(&vma->vm_mm->page_table_lock);
++ vm_unacct_memory(grow);
++ printk(KERN_ERR "PAX: VMMIRROR: expand bug, %08lx, %08lx, %08lx, %08lx, %08lx\n",
++ address, vma->vm_start, vma_m->vm_start, vma->vm_end, vma_m->vm_end);
++ return -ENOMEM;
++ }
++
++ address_m = address + (unsigned long)vma->vm_private_data;
++
++ gr_learn_resource(current, RLIMIT_STACK, vma_m->vm_end - address_m, 1);
++ gr_learn_resource(current, RLIMIT_AS, (vma_m->vm_mm->total_vm + 2*grow) << PAGE_SHIFT, 1);
++ if (vma_m->vm_flags & VM_LOCKED)
++ gr_learn_resource(current, RLIMIT_MEMLOCK, (vma_m->vm_mm->locked_vm + 2*grow) << PAGE_SHIFT, 1);
++
++ if (vma_m->vm_end - address_m > current->rlim[RLIMIT_STACK].rlim_cur ||
++ ((vma_m->vm_mm->total_vm + 2*grow) << PAGE_SHIFT) >
++ current->rlim[RLIMIT_AS].rlim_cur ||
++ ((vma_m->vm_flags & VM_LOCKED) &&
++ ((vma_m->vm_mm->locked_vm + 2*grow) << PAGE_SHIFT) >
++ current->rlim[RLIMIT_MEMLOCK].rlim_cur)) {
++ spin_unlock(&vma->vm_mm->page_table_lock);
++ vm_unacct_memory(grow);
++ return -ENOMEM;
++ }
++
++ vma_m->vm_start = address_m;
++ vma_m->vm_pgoff -= grow;
++ vma_m->vm_mm->total_vm += grow;
++ if (vma_m->vm_flags & VM_LOCKED)
++ vma_m->vm_mm->locked_vm += grow;
++ } else
++#endif
++
++ gr_learn_resource(current, RLIMIT_STACK, vma->vm_end - address, 1);
++ gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT, 1);
++ if (vma->vm_flags & VM_LOCKED)
++ gr_learn_resource(current, RLIMIT_MEMLOCK, (vma->vm_mm->locked_vm + grow) << PAGE_SHIFT, 1);
++
+ if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+ ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+- current->rlim[RLIMIT_AS].rlim_cur) {
++ current->rlim[RLIMIT_AS].rlim_cur ||
++ ((vma->vm_flags & VM_LOCKED) &&
++ ((vma->vm_mm->locked_vm + grow) << PAGE_SHIFT) >
++ current->rlim[RLIMIT_MEMLOCK].rlim_cur)) {
+ spin_unlock(&vma->vm_mm->page_table_lock);
+ vm_unacct_memory(grow);
+ return -ENOMEM;
+@@ -1108,15 +1307,15 @@
+ {
+ size_t len = area->vm_end - area->vm_start;
+
+- area->vm_mm->total_vm -= len >> PAGE_SHIFT;
++ mm->total_vm -= len >> PAGE_SHIFT;
+ if (area->vm_flags & VM_LOCKED)
+- area->vm_mm->locked_vm -= len >> PAGE_SHIFT;
++ mm->locked_vm -= len >> PAGE_SHIFT;
+ /*
+ * Is this a new hole at the lowest possible address?
+ */
+ if (area->vm_start >= TASK_UNMAPPED_BASE &&
+- area->vm_start < area->vm_mm->free_area_cache)
+- area->vm_mm->free_area_cache = area->vm_start;
++ area->vm_start < mm->free_area_cache)
++ mm->free_area_cache = area->vm_start;
+
+ remove_shared_vm_struct(area);
+
+@@ -1178,21 +1377,73 @@
+ */
+ static void
+ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+- struct vm_area_struct *prev, unsigned long end)
++ struct vm_area_struct *prev, unsigned long *start, unsigned long *end)
+ {
+ struct vm_area_struct **insertion_point;
+ struct vm_area_struct *tail_vma = NULL;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ unsigned long start_m;
++ struct vm_area_struct *vma_m, *head_vma = vma, *mirrors = NULL, *head_vma_m = NULL;
++#endif
++
+ insertion_point = (prev ? &prev->vm_next : &mm->mmap);
+ do {
+ rb_erase(&vma->vm_rb, &mm->mm_rb);
+ mm->map_count--;
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if ((vma->vm_flags & VM_MIRROR) &&
++ vma->vm_start + (unsigned long)vma->vm_private_data >= *start &&
++ vma->vm_start + (unsigned long)vma->vm_private_data < *end)
++ {
++ mm->mmap_cache = NULL; /* Kill the cache. */
++ start_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma(mm, start_m);
++ if (vma_m && (vma_m->vm_flags & VM_MIRROR) && vma_m->vm_start == start_m) {
++ vma->vm_flags &= ~VM_MIRROR;
++ vma_m->vm_flags &= ~VM_MIRROR;
++ } else
++ printk("PAX: VMMIRROR: munmap bug in %s, %08lx\n", current->comm, vma->vm_start);
++ }
++#endif
++
+ tail_vma = vma;
+ vma = vma->vm_next;
+- } while (vma && vma->vm_start < end);
++ } while (vma && vma->vm_start < *end);
+ *insertion_point = vma;
+ tail_vma->vm_next = NULL;
+ mm->mmap_cache = NULL; /* Kill the cache. */
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ for (; head_vma; head_vma = head_vma->vm_next) {
++ struct vm_area_struct *prev_m;
++
++ if (!(head_vma->vm_flags & VM_MIRROR))
++ continue;
++
++ start_m = head_vma->vm_start + (unsigned long)head_vma->vm_private_data;
++ vma_m = find_vma_prev(mm, start_m, &prev_m);
++ rb_erase(&vma_m->vm_rb, &mm->mm_rb);
++ mm->map_count--;
++ insertion_point = prev_m ? &prev_m->vm_next : &mm->mmap;
++ *insertion_point = vma_m->vm_next;
++ if (head_vma_m) {
++ mirrors->vm_next = vma_m;
++ mirrors = vma_m;
++ } else
++ head_vma_m = mirrors = vma_m;
++ mirrors->vm_next = NULL;
++ if (vma_m->vm_start < *start)
++ *start = vma_m->vm_start;
++ if (vma_m->vm_end > *end)
++ *end = vma_m->vm_end;
++ mm->mmap_cache = NULL; /* Kill the cache. */
++ }
++ if (head_vma_m)
++ tail_vma->vm_next = head_vma_m;
++#endif
++
+ }
+
+ /*
+@@ -1262,6 +1513,10 @@
+ unsigned long end;
+ struct vm_area_struct *mpnt, *prev, *last;
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ struct vm_area_struct *mpnt_m = NULL, *last_m;
++#endif
++
+ if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
+ return -EINVAL;
+
+@@ -1298,6 +1553,20 @@
+ * places tmp vma above, and higher split_vma places tmp vma below.
+ */
+ if (start > mpnt->vm_start) {
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (mpnt->vm_flags & VM_MIRROR) {
++ unsigned long start_m = mpnt->vm_start + (unsigned long)mpnt->vm_private_data;
++
++ mpnt_m = find_vma(mm, start_m);
++ if (!mpnt_m || (!mpnt_m->vm_flags & VM_MIRROR) || mpnt_m->vm_start != start_m)
++ return -EINVAL;
++ start_m = start + (unsigned long)mpnt->vm_private_data;
++ if (split_vma(mm, mpnt_m, start_m, 0))
++ return -ENOMEM;
++ }
++#endif
++
+ if (split_vma(mm, mpnt, start, 0))
+ return -ENOMEM;
+ prev = mpnt;
+@@ -1306,6 +1575,20 @@
+ /* Does it split the last one? */
+ last = find_vma(mm, end);
+ if (last && end > last->vm_start) {
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if (last->vm_flags & VM_MIRROR) {
++ unsigned long end_m = last->vm_start + (unsigned long)last->vm_private_data;
++
++ last_m = find_vma(mm, end_m);
++ if (!last_m || (!last_m->vm_flags & VM_MIRROR) || last_m->vm_start != end_m)
++ return -EINVAL;
++ end_m = end + (unsigned long)last->vm_private_data;
++ if (split_vma(mm, last_m, end_m, 1))
++ return -ENOMEM;
++ }
++#endif
++
+ if (split_vma(mm, last, end, 1))
+ return -ENOMEM;
+ }
+@@ -1315,7 +1598,7 @@
+ * Remove the vma's, and unmap the actual pages
+ */
+ spin_lock(&mm->page_table_lock);
+- detach_vmas_to_be_unmapped(mm, mpnt, prev, end);
++ detach_vmas_to_be_unmapped(mm, mpnt, prev, &start, &end);
+ unmap_region(mm, mpnt, prev, start, end);
+ spin_unlock(&mm->page_table_lock);
+
+@@ -1332,6 +1615,12 @@
+ int ret;
+ struct mm_struct *mm = current->mm;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if ((current->flags & PF_PAX_SEGMEXEC) &&
++ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
++ return -EINVAL;
++#endif
++
+ down_write(&mm->mmap_sem);
+ ret = do_munmap(mm, addr, len);
+ up_write(&mm->mmap_sem);
+@@ -1343,7 +1632,31 @@
+ * anonymous maps. eventually we may be able to do some
+ * brk-specific accounting here.
+ */
++#if defined(CONFIG_PAX_SEGMEXEC) && defined(CONFIG_PAX_MPROTECT)
++unsigned long __do_brk(unsigned long addr, unsigned long len);
++
++unsigned long do_brk(unsigned long addr, unsigned long len)
++{
++ unsigned long ret;
++
++ ret = __do_brk(addr, len);
++ if (ret == addr && (current->flags & (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT)) == PF_PAX_SEGMEXEC) {
++ unsigned long ret_m;
++
++ ret_m = __do_mmap_pgoff(NULL, addr + SEGMEXEC_TASK_SIZE, 0UL, PROT_NONE, MAP_PRIVATE | MAP_FIXED | MAP_MIRROR, addr);
++ if (ret_m > TASK_SIZE) {
++ do_munmap(current->mm, addr, len);
++ ret = ret_m;
++ }
++ }
++
++ return ret;
++}
++
++unsigned long __do_brk(unsigned long addr, unsigned long len)
++#else
+ unsigned long do_brk(unsigned long addr, unsigned long len)
++#endif
+ {
+ struct mm_struct * mm = current->mm;
+ struct vm_area_struct * vma, * prev;
+@@ -1354,6 +1667,13 @@
+ if (!len)
+ return addr;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if ((addr + len) > SEGMEXEC_TASK_SIZE || (addr + len) < addr)
++ return -EINVAL;
++ } else
++#endif
++
+ if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ return -EINVAL;
+
+@@ -1363,6 +1683,7 @@
+ if (mm->def_flags & VM_LOCKED) {
+ unsigned long locked = mm->locked_vm << PAGE_SHIFT;
+ locked += len;
++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked, 1);
+ if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
+ return -EAGAIN;
+ }
+@@ -1379,6 +1700,7 @@
+ }
+
+ /* Check against address space limits *after* clearing old maps... */
++ gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len, 1);
+ if ((mm->total_vm << PAGE_SHIFT) + len
+ > current->rlim[RLIMIT_AS].rlim_cur)
+ return -ENOMEM;
+@@ -1391,6 +1713,18 @@
+
+ flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
+
++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
++ if (current->flags & (PF_PAX_PAGEEXEC | PF_PAX_SEGMEXEC)) {
++ flags &= ~VM_EXEC;
++
++#ifdef CONFIG_PAX_MPROTECT
++ if (current->flags & PF_PAX_MPROTECT)
++ flags &= ~VM_MAYEXEC;
++#endif
++
++ }
++#endif
++
+ /* Can we just expand an old anonymous mapping? */
+ if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len,
+ flags, NULL, 0))
+@@ -1409,6 +1743,13 @@
+ vma->vm_start = addr;
+ vma->vm_end = addr + len;
+ vma->vm_flags = flags;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(current->flags & PF_PAX_PAGEEXEC) && (flags & (VM_READ|VM_WRITE)))
++ vma->vm_page_prot = protection_map[(flags | VM_EXEC) & 0x0f];
++ else
++#endif
++
+ vma->vm_page_prot = protection_map[flags & 0x0f];
+ vma->vm_ops = NULL;
+ vma->vm_pgoff = 0;
+diff -uNr linux-2.6.6/mm/mprotect.c linux-2.6.6.fixed/mm/mprotect.c
+--- linux-2.6.6/mm/mprotect.c 2004-05-10 04:33:22.000000000 +0200
++++ linux-2.6.6.fixed/mm/mprotect.c 2004-05-11 10:55:58.000000000 +0200
+@@ -16,6 +16,12 @@
+ #include <linux/fs.h>
+ #include <linux/highmem.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
++
++#ifdef CONFIG_PAX_MPROTECT
++#include <linux/elf.h>
++#include <linux/fs.h>
++#endif
+
+ #include <asm/uaccess.h>
+ #include <asm/pgalloc.h>
+@@ -151,6 +157,46 @@
+ return 1;
+ }
+
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++static int __mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
++ unsigned long start, unsigned long end, unsigned int newflags);
++
++static int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
++ unsigned long start, unsigned long end, unsigned int newflags)
++{
++ if (vma->vm_flags & VM_MIRROR) {
++ struct vm_area_struct * vma_m, * prev_m;
++ unsigned long start_m, end_m;
++ int error;
++
++ start_m = vma->vm_start + (unsigned long)vma->vm_private_data;
++ vma_m = find_vma_prev(vma->vm_mm, start_m, &prev_m);
++ if (vma_m && vma_m->vm_start == start_m && (vma_m->vm_flags & VM_MIRROR)) {
++ start_m = start + (unsigned long)vma->vm_private_data;
++ end_m = end + (unsigned long)vma->vm_private_data;
++ if ((current->flags & PF_PAX_SEGMEXEC) && !(newflags & VM_EXEC))
++ error = __mprotect_fixup(vma_m, &prev_m, start_m, end_m, vma_m->vm_flags & ~(PROT_READ | PROT_WRITE | PROT_EXEC));
++ else
++ error = __mprotect_fixup(vma_m, &prev_m, start_m, end_m, newflags);
++ if (error)
++ return error;
++ } else {
++ printk("PAX: VMMIRROR: mprotect bug in %s, %08lx\n", current->comm, vma->vm_start);
++ return -ENOMEM;
++ }
++ }
++
++ return __mprotect_fixup(vma, pprev, start, end, newflags);
++}
++
++static int __mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
++ unsigned long start, unsigned long end, unsigned int newflags)
++{
++ struct mm_struct * mm = vma->vm_mm;
++ unsigned long charged = 0;
++ pgprot_t newprot;
++ int error;
++#else
+ static int
+ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+ unsigned long start, unsigned long end, unsigned int newflags)
+@@ -164,6 +210,7 @@
+ *pprev = vma;
+ return 0;
+ }
++#endif
+
+ /*
+ * If we make a private mapping writable we increase our commit;
+@@ -183,6 +230,12 @@
+ }
+ }
+
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(current->flags & PF_PAX_PAGEEXEC) && (newflags & (VM_READ|VM_WRITE)))
++ newprot = protection_map[(newflags | VM_EXEC) & 0xf];
++ else
++#endif
++
+ newprot = protection_map[newflags & 0xf];
+
+ if (start == vma->vm_start) {
+@@ -223,6 +276,69 @@
+ return error;
+ }
+
++#ifdef CONFIG_PAX_MPROTECT
++/* PaX: non-PIC ELF libraries need relocations on their executable segments
++ * therefore we'll grant them VM_MAYWRITE once during their life.
++ *
++ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
++ * basis because we want to allow the common case and not the special ones.
++ */
++static inline void pax_handle_maywrite(struct vm_area_struct * vma, unsigned long start)
++{
++ struct elfhdr elf_h;
++ struct elf_phdr elf_p, p_dyn;
++ elf_dyn dyn;
++ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
++
++#ifndef CONFIG_PAX_NOELFRELOCS
++ if ((vma->vm_start != start) ||
++ !vma->vm_file ||
++ !(vma->vm_flags & VM_MAYEXEC) ||
++ (vma->vm_flags & VM_MAYNOTWRITE))
++#endif
++
++ return;
++
++ if (0 > kernel_read(vma->vm_file, 0UL, (char*)&elf_h, sizeof(elf_h)) ||
++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
++
++#ifdef CONFIG_PAX_ETEXECRELOCS
++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
++#else
++ elf_h.e_type != ET_DYN ||
++#endif
++
++ !elf_check_arch(&elf_h) ||
++ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
++ elf_h.e_phnum > j)
++ return;
++
++ for (i = 0UL; i < elf_h.e_phnum; i++) {
++ if (0 > kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char*)&elf_p, sizeof(elf_p)))
++ return;
++ if (elf_p.p_type == PT_DYNAMIC) {
++ p_dyn = elf_p;
++ j = i;
++ }
++ }
++ if (elf_h.e_phnum <= j)
++ return;
++
++ i = 0UL;
++ do {
++ if (0 > kernel_read(vma->vm_file, p_dyn.p_offset + i*sizeof(dyn), (char*)&dyn, sizeof(dyn)))
++ return;
++ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
++ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
++ gr_log_textrel(vma);
++ return;
++ }
++ i++;
++ } while (dyn.d_tag != DT_NULL);
++ return;
++}
++#endif
++
+ asmlinkage long
+ sys_mprotect(unsigned long start, size_t len, unsigned long prot)
+ {
+@@ -240,6 +356,17 @@
+ end = start + len;
+ if (end < start)
+ return -ENOMEM;
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (end > SEGMEXEC_TASK_SIZE)
++ return -EINVAL;
++ } else
++#endif
++
++ if (end > TASK_SIZE)
++ return -EINVAL;
++
+ if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
+ return -EINVAL;
+ if (end == start)
+@@ -272,6 +399,16 @@
+ }
+ }
+
++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
++ error = -EACCES;
++ goto out;
++ }
++
++#ifdef CONFIG_PAX_MPROTECT
++ if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE))
++ pax_handle_maywrite(vma, start);
++#endif
++
+ for (nstart = start ; ; ) {
+ unsigned int newflags;
+ int last = 0;
+@@ -290,6 +427,12 @@
+ goto out;
+ }
+
++#ifdef CONFIG_PAX_MPROTECT
++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
++ if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
++ newflags &= ~VM_MAYWRITE;
++#endif
++
+ error = security_file_mprotect(vma, prot);
+ if (error)
+ goto out;
+diff -uNr linux-2.6.6/mm/mremap.c linux-2.6.6.fixed/mm/mremap.c
+--- linux-2.6.6/mm/mremap.c 2004-05-10 04:32:38.000000000 +0200
++++ linux-2.6.6.fixed/mm/mremap.c 2004-05-11 10:55:58.000000000 +0200
+@@ -281,6 +281,18 @@
+ if (!new_len)
+ goto out;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (new_len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-new_len ||
++ old_len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-old_len)
++ goto out;
++ } else
++#endif
++
++ if (new_len > TASK_SIZE || addr > TASK_SIZE-new_len ||
++ old_len > TASK_SIZE || addr > TASK_SIZE-old_len)
++ goto out;
++
+ /* new_addr is only valid if MREMAP_FIXED is specified */
+ if (flags & MREMAP_FIXED) {
+ if (new_addr & ~PAGE_MASK)
+@@ -288,6 +300,13 @@
+ if (!(flags & MREMAP_MAYMOVE))
+ goto out;
+
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (current->flags & PF_PAX_SEGMEXEC) {
++ if (new_len > SEGMEXEC_TASK_SIZE || new_addr > SEGMEXEC_TASK_SIZE-new_len)
++ goto out;
++ } else
++#endif
++
+ if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
+ goto out;
+
+@@ -331,6 +350,16 @@
+ ret = -EINVAL;
+ goto out;
+ }
++
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_RANDEXEC)
++ if ((current->flags & (PF_PAX_SEGMEXEC | PF_PAX_RANDEXEC)) &&
++ (vma->vm_flags & VM_MIRROR))
++ {
++ ret = -EINVAL;
++ goto out;
++ }
++#endif
++
+ /* We can't remap across vm area boundaries */
+ if (old_len > vma->vm_end - addr)
+ goto out;
+diff -uNr linux-2.6.6/net/ipv4/af_inet.c linux-2.6.6.fixed/net/ipv4/af_inet.c
+--- linux-2.6.6/net/ipv4/af_inet.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/af_inet.c 2004-05-11 10:55:58.000000000 +0200
+@@ -87,6 +87,7 @@
+ #include <linux/init.h>
+ #include <linux/poll.h>
+ #include <linux/netfilter_ipv4.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/system.h>
+@@ -387,7 +388,12 @@
+ else
+ inet->pmtudisc = IP_PMTUDISC_WANT;
+
+- inet->id = 0;
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ inet->id = htons(ip_randomid());
++ else
++#endif
++ inet->id = 0;
+
+ sock_init_data(sock, sk);
+ sk_set_owner(sk, THIS_MODULE);
+diff -uNr linux-2.6.6/net/ipv4/ip_output.c linux-2.6.6.fixed/net/ipv4/ip_output.c
+--- linux-2.6.6/net/ipv4/ip_output.c 2004-05-10 04:33:21.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/ip_output.c 2004-05-11 10:55:58.000000000 +0200
+@@ -64,6 +64,7 @@
+ #include <linux/proc_fs.h>
+ #include <linux/stat.h>
+ #include <linux/init.h>
++#include <linux/grsecurity.h>
+
+ #include <net/snmp.h>
+ #include <net/ip.h>
+@@ -1161,6 +1162,12 @@
+ iph->tos = inet->tos;
+ iph->tot_len = htons(skb->len);
+ iph->frag_off = df;
++
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ iph->id = htons(ip_randomid());
++ else
++#endif
+ if (!df) {
+ __ip_select_ident(iph, &rt->u.dst, 0);
+ } else {
+diff -uNr linux-2.6.6/net/ipv4/netfilter/ipt_stealth.c linux-2.6.6.fixed/net/ipv4/netfilter/ipt_stealth.c
+--- linux-2.6.6/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.6.fixed/net/ipv4/netfilter/ipt_stealth.c 2004-05-11 10:55:58.000000000 +0200
+@@ -0,0 +1,112 @@
++/* Kernel module to add stealth support.
++ *
++ * Copyright (C) 2002 Brad Spengler <spender@grsecurity.net>
++ *
++ */
++
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/net.h>
++#include <linux/sched.h>
++#include <linux/inet.h>
++#include <linux/stddef.h>
++
++#include <net/ip.h>
++#include <net/sock.h>
++#include <net/tcp.h>
++#include <net/udp.h>
++#include <net/route.h>
++#include <net/inet_common.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++MODULE_LICENSE("GPL");
++
++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ int *hotdrop)
++{
++ struct iphdr *ip = skb->nh.iph;
++ struct tcphdr th;
++ struct udphdr uh;
++ struct sock *sk = NULL;
++
++ if (!ip || offset) return 0;
++
++ switch(ip->protocol) {
++ case IPPROTO_TCP:
++ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &th, sizeof(th)) < 0) {
++ *hotdrop = 1;
++ return 0;
++ }
++ if (!(th.syn && !th.ack)) return 0;
++ sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th.dest), ((struct rtable*)skb->dst)->rt_iif);
++ break;
++ case IPPROTO_UDP:
++ if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &uh, sizeof(uh)) < 0) {
++ *hotdrop = 1;
++ return 0;
++ }
++ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
++ break;
++ default:
++ return 0;
++ }
++
++ if(!sk) // port is being listened on, match this
++ return 1;
++ else {
++ sock_put(sk);
++ return 0;
++ }
++}
++
++/* Called when user tries to insert an entry of this type. */
++static int
++checkentry(const char *tablename,
++ const struct ipt_ip *ip,
++ void *matchinfo,
++ unsigned int matchsize,
++ unsigned int hook_mask)
++{
++ if (matchsize != IPT_ALIGN(0))
++ return 0;
++
++ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
++ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
++ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
++ return 1;
++
++ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
++
++ return 0;
++}
++
++
++static struct ipt_match stealth_match = {
++ .name = "stealth",
++ .match = &match,
++ .checkentry = &checkentry,
++ .destroy = NULL,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ return ipt_register_match(&stealth_match);
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_match(&stealth_match);
++}
++
++module_init(init);
++module_exit(fini);
+diff -uNr linux-2.6.6/net/ipv4/netfilter/Kconfig linux-2.6.6.fixed/net/ipv4/netfilter/Kconfig
+--- linux-2.6.6/net/ipv4/netfilter/Kconfig 2004-05-10 04:33:13.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/netfilter/Kconfig 2004-05-11 10:55:58.000000000 +0200
+@@ -225,6 +225,21 @@
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config IP_NF_MATCH_STEALTH
++ tristate "stealth match support"
++ depends on IP_NF_IPTABLES
++ help
++ Enabling this option will drop all syn packets coming to unserved tcp
++ ports as well as all packets coming to unserved udp ports. If you
++ are using your system to route any type of packets (ie. via NAT)
++ you should put this module at the end of your ruleset, since it will
++ drop packets that aren't going to ports that are listening on your
++ machine itself, it doesn't take into account that the packet might be
++ destined for someone on your internal network if you're using NAT for
++ instance.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config IP_NF_MATCH_HELPER
+ tristate "Helper match support"
+ depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
+diff -uNr linux-2.6.6/net/ipv4/netfilter/Makefile linux-2.6.6.fixed/net/ipv4/netfilter/Makefile
+--- linux-2.6.6/net/ipv4/netfilter/Makefile 2004-05-10 04:32:26.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/netfilter/Makefile 2004-05-11 10:55:58.000000000 +0200
+@@ -65,6 +65,8 @@
+ obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+
++obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
++
+ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+
+ # targets
+diff -uNr linux-2.6.6/net/ipv4/tcp_ipv4.c linux-2.6.6.fixed/net/ipv4/tcp_ipv4.c
+--- linux-2.6.6/net/ipv4/tcp_ipv4.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/tcp_ipv4.c 2004-05-11 10:55:58.000000000 +0200
+@@ -62,6 +62,7 @@
+ #include <linux/jhash.h>
+ #include <linux/init.h>
+ #include <linux/times.h>
++#include <linux/grsecurity.h>
+
+ #include <net/icmp.h>
+ #include <net/tcp.h>
+@@ -224,9 +225,16 @@
+ spin_lock(&tcp_portalloc_lock);
+ rover = tcp_port_rover;
+ do {
+- rover++;
+- if (rover < low || rover > high)
+- rover = low;
++#ifdef CONFIG_GRKERNSEC_RANDSRC
++ if (grsec_enable_randsrc && (high > low)) {
++ rover = low + (get_random_long() % (high - low));
++ } else
++#endif
++ {
++ rover++;
++ if (rover < low || rover > high)
++ rover = low;
++ }
+ head = &tcp_bhash[tcp_bhashfn(rover)];
+ spin_lock(&head->lock);
+ tb_for_each(tb, node, &head->chain)
+@@ -537,6 +545,11 @@
+
+ static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
+ {
++#ifdef CONFIG_GRKERNSEC_RANDISN
++ if (likely(grsec_enable_randisn))
++ return ip_randomisn();
++ else
++#endif
+ return secure_tcp_sequence_number(skb->nh.iph->daddr,
+ skb->nh.iph->saddr,
+ skb->h.th->dest,
+@@ -671,10 +684,17 @@
+ rover = tcp_port_rover;
+
+ do {
+- rover++;
+- if ((rover < low) || (rover > high))
+- rover = low;
+- head = &tcp_bhash[tcp_bhashfn(rover)];
++#ifdef CONFIG_GRKERNSEC_RANDSRC
++ if (grsec_enable_randsrc && (high > low)) {
++ rover = low + (get_random_long() % (high - low));
++ } else
++#endif
++ {
++ rover++;
++ if ((rover < low) || (rover > high))
++ rover = low;
++ }
++ head = &tcp_bhash[tcp_bhashfn(rover)];
+ spin_lock(&head->lock);
+
+ /* Does not bother with rcv_saddr checks,
+@@ -724,6 +744,15 @@
+ }
+ spin_unlock(&head->lock);
+
++#ifdef CONFIG_GRKERNSEC
++ gr_del_task_from_ip_table(current);
++ current->gr_saddr = inet_sk(sk)->rcv_saddr;
++ current->gr_daddr = inet_sk(sk)->daddr;
++ current->gr_sport = inet_sk(sk)->sport;
++ current->gr_dport = inet_sk(sk)->dport;
++ gr_add_to_task_ip_table(current);
++#endif
++
+ if (tw) {
+ tcp_tw_deschedule(tw);
+ tcp_tw_put(tw);
+@@ -843,13 +872,24 @@
+ tcp_v4_setup_caps(sk, &rt->u.dst);
+ tp->ext2_header_len = rt->u.dst.header_len;
+
+- if (!tp->write_seq)
++ if (!tp->write_seq) {
++#ifdef CONFIG_GRKERNSEC_RANDISN
++ if (likely(grsec_enable_randisn))
++ tp->write_seq = ip_randomisn();
++ else
++#endif
+ tp->write_seq = secure_tcp_sequence_number(inet->saddr,
+ inet->daddr,
+ inet->sport,
+ usin->sin_port);
++ }
+
+- inet->id = tp->write_seq ^ jiffies;
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ inet->id = htons(ip_randomid());
++ else
++#endif
++ inet->id = tp->write_seq ^ jiffies;
+
+ err = tcp_connect(sk);
+ rt = NULL;
+@@ -1593,7 +1633,13 @@
+ if (newinet->opt)
+ newtp->ext_header_len = newinet->opt->optlen;
+ newtp->ext2_header_len = dst->header_len;
+- newinet->id = newtp->write_seq ^ jiffies;
++
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ newinet->id = htons(ip_randomid());
++ else
++#endif
++ newinet->id = newtp->write_seq ^ jiffies;
+
+ tcp_sync_mss(newsk, dst_pmtu(dst));
+ newtp->advmss = dst_metric(dst, RTAX_ADVMSS);
+diff -uNr linux-2.6.6/net/ipv4/udp.c linux-2.6.6.fixed/net/ipv4/udp.c
+--- linux-2.6.6/net/ipv4/udp.c 2004-05-10 04:32:01.000000000 +0200
++++ linux-2.6.6.fixed/net/ipv4/udp.c 2004-05-11 10:55:58.000000000 +0200
+@@ -100,6 +100,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
++#include <linux/grsecurity.h>
+ #include <net/sock.h>
+ #include <net/udp.h>
+ #include <net/icmp.h>
+@@ -108,6 +109,12 @@
+ #include <net/checksum.h>
+ #include <net/xfrm.h>
+
++extern int gr_search_udp_recvmsg(const struct sock *sk,
++ const struct sk_buff *skb);
++extern int gr_search_udp_sendmsg(const struct sock *sk,
++ const struct sockaddr_in *addr);
++
++
+ /*
+ * Snmp MIB for the UDP layer
+ */
+@@ -538,9 +545,16 @@
+ dport = usin->sin_port;
+ if (dport == 0)
+ return -EINVAL;
++
++ if (!gr_search_udp_sendmsg(sk, usin))
++ return -EPERM;
+ } else {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -EDESTADDRREQ;
++
++ if (!gr_search_udp_sendmsg(sk, NULL))
++ return -EPERM;
++
+ daddr = inet->daddr;
+ dport = inet->dport;
+ /* Open fast path for connected socket.
+@@ -792,7 +806,12 @@
+ if (!skb)
+ goto out;
+
+- copied = skb->len - sizeof(struct udphdr);
++ if (!gr_search_udp_recvmsg(sk, skb)) {
++ err = -EPERM;
++ goto out_free;
++ }
++
++ copied = skb->len - sizeof(struct udphdr);
+ if (copied > len) {
+ copied = len;
+ msg->msg_flags |= MSG_TRUNC;
+@@ -901,7 +920,12 @@
+ inet->daddr = rt->rt_dst;
+ inet->dport = usin->sin_port;
+ sk->sk_state = TCP_ESTABLISHED;
+- inet->id = jiffies;
++#ifdef CONFIG_GRKERNSEC_RANDID
++ if (grsec_enable_randid)
++ inet->id = htons(ip_randomid());
++ else
++#endif
++ inet->id = jiffies;
+
+ sk_dst_set(sk, &rt->u.dst);
+ return(0);
+diff -uNr linux-2.6.6/net/socket.c linux-2.6.6.fixed/net/socket.c
+--- linux-2.6.6/net/socket.c 2004-05-10 04:32:27.000000000 +0200
++++ linux-2.6.6.fixed/net/socket.c 2004-05-11 10:55:58.000000000 +0200
+@@ -81,6 +81,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/compat.h>
+ #include <linux/kmod.h>
++#include <linux/in.h>
+
+ #ifdef CONFIG_NET_RADIO
+ #include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
+@@ -92,6 +93,18 @@
+ #include <net/sock.h>
+ #include <linux/netfilter.h>
+
++extern void gr_attach_curr_ip(const struct sock *sk);
++extern int gr_handle_sock_all(const int family, const int type,
++ const int protocol);
++extern int gr_handle_sock_server(const struct sockaddr *sck);
++extern int gr_handle_sock_client(const struct sockaddr *sck);
++extern int gr_search_connect(const struct socket * sock,
++ const struct sockaddr_in * addr);
++extern int gr_search_bind(const struct socket * sock,
++ const struct sockaddr_in * addr);
++extern int gr_search_socket(const int domain, const int type,
++ const int protocol);
++
+ static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
+ static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
+ size_t size, loff_t pos);
+@@ -893,6 +906,7 @@
+ printk(KERN_DEBUG "sock_close: NULL inode\n");
+ return 0;
+ }
++
+ sock_fasync(-1, filp, 0);
+ sock_release(SOCKET_I(inode));
+ return 0;
+@@ -1122,6 +1136,16 @@
+ int retval;
+ struct socket *sock;
+
++ if(!gr_search_socket(family, type, protocol)) {
++ retval = -EACCES;
++ goto out;
++ }
++
++ if (gr_handle_sock_all(family, type, protocol)) {
++ retval = -EACCES;
++ goto out;
++ }
++
+ retval = sock_create(family, type, protocol, &sock);
+ if (retval < 0)
+ goto out;
+@@ -1217,11 +1241,23 @@
+ {
+ struct socket *sock;
+ char address[MAX_SOCK_ADDR];
++ struct sockaddr *sck;
+ int err;
+
+ if((sock = sockfd_lookup(fd,&err))!=NULL)
+ {
+ if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
++ sck = (struct sockaddr *)address;
++ if (!gr_search_bind(sock, (struct sockaddr_in *)sck)) {
++ sockfd_put(sock);
++ return -EACCES;
++ }
++
++ if (gr_handle_sock_server(sck)) {
++ sockfd_put(sock);
++ return -EACCES;
++ }
++
+ err = security_socket_bind(sock, (struct sockaddr *)address, addrlen);
+ if (err) {
+ sockfd_put(sock);
+@@ -1324,6 +1360,7 @@
+ goto out_release;
+
+ security_socket_post_accept(sock, newsock);
++ gr_attach_curr_ip(newsock->sk);
+
+ out_put:
+ sockfd_put(sock);
+@@ -1351,6 +1388,7 @@
+ {
+ struct socket *sock;
+ char address[MAX_SOCK_ADDR];
++ struct sockaddr *sck;
+ int err;
+
+ sock = sockfd_lookup(fd, &err);
+@@ -1360,6 +1398,18 @@
+ if (err < 0)
+ goto out_put;
+
++ sck = (struct sockaddr *)address;
++
++ if (!gr_search_connect(sock, (struct sockaddr_in *)sck)) {
++ err = -EACCES;
++ goto out_put;
++ }
++
++ if (gr_handle_sock_client(sck)) {
++ err = -EACCES;
++ goto out_put;
++ }
++
+ err = security_socket_connect(sock, (struct sockaddr *)address, addrlen);
+ if (err)
+ goto out_put;
+@@ -1613,6 +1663,7 @@
+ err=sock->ops->shutdown(sock, how);
+ sockfd_put(sock);
+ }
++
+ return err;
+ }
+
+diff -uNr linux-2.6.6/net/sunrpc/xprt.c linux-2.6.6.fixed/net/sunrpc/xprt.c
+--- linux-2.6.6/net/sunrpc/xprt.c 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/net/sunrpc/xprt.c 2004-05-11 10:55:58.000000000 +0200
+@@ -58,6 +58,7 @@
+ #include <linux/file.h>
+ #include <linux/workqueue.h>
+ #include <linux/random.h>
++#include <linux/grsecurity.h>
+
+ #include <net/sock.h>
+ #include <net/checksum.h>
+@@ -1308,6 +1309,12 @@
+ */
+ static inline u32 xprt_alloc_xid(struct rpc_xprt *xprt)
+ {
++
++#ifdef CONFIG_GRKERNSEC_RANDRPC
++ if (grsec_enable_randrpc)
++ return (u32) get_random_long();
++#endif
++
+ return xprt->xid++;
+ }
+
+diff -uNr linux-2.6.6/net/unix/af_unix.c linux-2.6.6.fixed/net/unix/af_unix.c
+--- linux-2.6.6/net/unix/af_unix.c 2004-05-10 04:32:52.000000000 +0200
++++ linux-2.6.6.fixed/net/unix/af_unix.c 2004-05-11 10:55:58.000000000 +0200
+@@ -118,6 +118,7 @@
+ #include <linux/mount.h>
+ #include <net/checksum.h>
+ #include <linux/security.h>
++#include <linux/grsecurity.h>
+
+ int sysctl_unix_max_dgram_qlen = 10;
+
+@@ -681,6 +682,11 @@
+ if (err)
+ goto put_fail;
+
++ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
++ err = -EACCES;
++ goto put_fail;
++ }
++
+ err = -ECONNREFUSED;
+ if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
+ goto put_fail;
+@@ -704,6 +710,13 @@
+ if (u) {
+ struct dentry *dentry;
+ dentry = unix_sk(u)->dentry;
++
++ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
++ err = -EPERM;
++ sock_put(u);
++ goto fail;
++ }
++
+ if (dentry)
+ touch_atime(unix_sk(u)->mnt, dentry);
+ } else
+@@ -803,9 +816,18 @@
+ */
+ mode = S_IFSOCK |
+ (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
++
++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
++ err = -EACCES;
++ goto out_mknod_dput;
++ }
++
+ err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
+ if (err)
+ goto out_mknod_dput;
++
++ gr_handle_create(dentry, nd.mnt);
++
+ up(&nd.dentry->d_inode->i_sem);
+ dput(nd.dentry);
+ nd.dentry = dentry;
+@@ -823,6 +845,10 @@
+ goto out_unlock;
+ }
+
++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
++ sk->sk_peercred.pid = current->pid;
++#endif
++
+ list = &unix_socket_table[addr->hash];
+ } else {
+ list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
+diff -uNr linux-2.6.6/security/commoncap.c linux-2.6.6.fixed/security/commoncap.c
+--- linux-2.6.6/security/commoncap.c 2004-05-10 04:32:28.000000000 +0200
++++ linux-2.6.6.fixed/security/commoncap.c 2004-05-11 10:55:58.000000000 +0200
+@@ -27,7 +27,7 @@
+ int cap_capable (struct task_struct *tsk, int cap)
+ {
+ /* Derived from include/linux/sched.h:capable. */
+- if (cap_raised (tsk->cap_effective, cap))
++ if (cap_raised (tsk->cap_effective, cap) && gr_task_is_capable(tsk, cap))
+ return 0;
+ else
+ return -EPERM;
+@@ -37,7 +37,7 @@
+ {
+ /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
+ if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
+- !capable (CAP_SYS_PTRACE))
++ !capable_nolog (CAP_SYS_PTRACE))
+ return -EPERM;
+ else
+ return 0;
+@@ -334,7 +334,7 @@
+ /*
+ * Leave the last 3% for root
+ */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable_nolog(CAP_SYS_ADMIN))
+ free -= free / 32;
+
+ if (free > pages)
+@@ -345,7 +345,7 @@
+ * only call if we're about to fail.
+ */
+ n = nr_free_pages();
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable_nolog(CAP_SYS_ADMIN))
+ n -= n / 32;
+ free += n;
+
+diff -uNr linux-2.6.6/security/Kconfig linux-2.6.6.fixed/security/Kconfig
+--- linux-2.6.6/security/Kconfig 2004-05-10 04:32:53.000000000 +0200
++++ linux-2.6.6.fixed/security/Kconfig 2004-05-11 10:55:58.000000000 +0200
+@@ -4,6 +4,407 @@
+
+ menu "Security options"
+
++source grsecurity/Kconfig
++
++menu "PaX"
++
++config PAX
++ bool "Enable various PaX features"
++ depends on ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || SPARC32 || SPARC64 || X86 || X86_64
++ help
++ This allows you to enable various PaX features. PaX adds
++ intrusion prevention mechanisms to the kernel that reduce
++ the risks posed by exploitable memory corruption bugs.
++
++menu "PaX Control"
++ depends on PAX
++
++config PAX_SOFTMODE
++ bool 'Support soft mode'
++ help
++ Enabling this option will allow you to run PaX in soft mode, that
++ is, PaX features will not be enforced by default, only on executables
++ marked explicitly. You must also enable PT_PAX_FLAGS support as it
++ is the only way to mark executables for soft mode use.
++
++ Soft mode can be activated by using the "pax_softmode=1" kernel command
++ line option on boot. Furthermore you can control various PaX features
++ at runtime via the entries in /proc/sys/kernel/pax.
++
++config PAX_EI_PAX
++ bool 'Use legacy ELF header marking'
++ help
++ Enabling this option will allow you to control PaX features on
++ a per executable basis via the 'chpax' utility available at
++ http://pax.grsecurity.net/. The control flags will be read from
++ an otherwise reserved part of the ELF header. This marking has
++ numerous drawbacks (no support for soft-mode, toolchain does not
++ know about the non-standard use of the ELF header) therefore it
++ has been deprecated in favour of PT_PAX_FLAGS support.
++
++ You should enable this option only if your toolchain does not yet
++ support the new control flag location (PT_PAX_FLAGS) or you still
++ have applications not marked by PT_PAX_FLAGS.
++
++ Note that if you enable PT_PAX_FLAGS marking support as well,
++ it will override the legacy EI_PAX marks.
++
++config PAX_PT_PAX_FLAGS
++ bool 'Use ELF program header marking'
++ help
++ Enabling this option will allow you to control PaX features on
++ a per executable basis via the 'paxctl' utility available at
++ http://pax.grsecurity.net/. The control flags will be read from
++ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
++ has the benefits of supporting both soft mode and being fully
++ integrated into the toolchain (the binutils patch is available
++ from http://pax.grsecurity.net).
++
++ Note that if you enable the legacy EI_PAX marking support as well,
++ it will be overridden by the PT_PAX_FLAGS marking.
++
++choice
++ prompt 'MAC system integration'
++ default PAX_NO_ACL_FLAGS
++ help
++ Mandatory Access Control systems have the option of controlling
++ PaX flags on a per executable basis, choose the method supported
++ by your particular system.
++
++ - "none": if your MAC system does not interact with PaX,
++ - "direct": if your MAC system defines pax_set_flags() itself,
++ - "hook": if your MAC system uses the pax_set_flags_func callback.
++
++ NOTE: this option is for developers/integrators only.
++
++config PAX_NO_ACL_FLAGS
++ bool 'none'
++
++config PAX_HAVE_ACL_FLAGS
++ bool 'direct'
++
++config PAX_HOOK_ACL_FLAGS
++ bool 'hook'
++endchoice
++
++endmenu
++
++menu "Non-executable pages"
++ depends on PAX
++
++config PAX_NOEXEC
++ bool "Enforce non-executable pages"
++ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || SPARC32 || SPARC64 || X86 || X86_64)
++ help
++ By design some architectures do not allow for protecting memory
++ pages against execution or even if they do, Linux does not make
++ use of this feature. In practice this means that if a page is
++ readable (such as the stack or heap) it is also executable.
++
++ There is a well known exploit technique that makes use of this
++ fact and a common programming mistake where an attacker can
++ introduce code of his choice somewhere in the attacked program's
++ memory (typically the stack or the heap) and then execute it.
++
++ If the attacked program was running with different (typically
++ higher) privileges than that of the attacker, then he can elevate
++ his own privilege level (e.g. get a root shell, write to files for
++ which he does not have write access to, etc).
++
++ Enabling this option will let you choose from various features
++ that prevent the injection and execution of 'foreign' code in
++ a program.
++
++ This will also break programs that rely on the old behaviour and
++ expect that dynamically allocated memory via the malloc() family
++ of functions is executable (which it is not). Notable examples
++ are the XFree86 4.x server, the java runtime and wine.
++
++config PAX_PAGEEXEC
++ bool "Paging based non-executable pages"
++ depends on PAX_NOEXEC && !HIGHPTE && (!X86 || X86_64 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUM4 || MK7 || MK8)
++ help
++ This implementation is based on the paging feature of the CPU.
++ On i386 it has a variable performance impact on applications
++ depending on their memory usage pattern. You should carefully
++ test your applications before using this feature in production.
++ On alpha, ia64, parisc, sparc, sparc64 and x86_64 there is no
++ performance impact. On ppc there is a slight performance impact.
++
++config PAX_SEGMEXEC
++ bool "Segmentation based non-executable pages"
++ depends on PAX_NOEXEC && X86 && !X86_64
++ help
++ This implementation is based on the segmentation feature of the
++ CPU and has little performance impact, however applications will
++ be limited to a 1.5 GB address space instead of the normal 3 GB.
++
++config PAX_EMUTRAMP
++ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC || X86) && !X86_64
++ default y if PARISC || PPC
++ help
++ There are some programs and libraries that for one reason or
++ another attempt to execute special small code snippets from
++ non-executable memory pages. Most notable examples are the
++ signal handler return code generated by the kernel itself and
++ the GCC trampolines.
++
++ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
++ such programs will no longer work under your kernel.
++
++ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
++ utilities to enable trampoline emulation for the affected programs
++ yet still have the protection provided by the non-executable pages.
++
++ On parisc and ppc you MUST enable this option and EMUSIGRT as
++ well, otherwise your system will not even boot.
++
++ Alternatively you can say N here and use the 'chpax' or 'paxctl'
++ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
++ for the affected files.
++
++ NOTE: enabling this feature *may* open up a loophole in the
++ protection provided by non-executable pages that an attacker
++ could abuse. Therefore the best solution is to not have any
++ files on your system that would require this option. This can
++ be achieved by not using libc5 (which relies on the kernel
++ signal handler return code) and not using or rewriting programs
++ that make use of the nested function implementation of GCC.
++ Skilled users can just fix GCC itself so that it implements
++ nested function calls in a way that does not interfere with PaX.
++
++config PAX_EMUSIGRT
++ bool "Automatically emulate sigreturn trampolines"
++ depends on PAX_EMUTRAMP && (PARISC || PPC)
++ default y
++ help
++ Enabling this option will have the kernel automatically detect
++ and emulate signal return trampolines executing on the stack
++ that would otherwise lead to task termination.
++
++ This solution is intended as a temporary one for users with
++ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
++ Modula-3 runtime, etc) or executables linked to such, basically
++ everything that does not specify its own SA_RESTORER function in
++ normal executable memory like glibc 2.1+ does.
++
++ On parisc and ppc you MUST enable this option, otherwise your
++ system will not even boot.
++
++ NOTE: this feature cannot be disabled on a per executable basis
++ and since it *does* open up a loophole in the protection provided
++ by non-executable pages, the best solution is to not have any
++ files on your system that would require this option.
++
++config PAX_MPROTECT
++ bool "Restrict mprotect()"
++ depends on PAX_PAGEEXEC || PAX_SEGMEXEC
++ help
++ Enabling this option will prevent programs from
++ - changing the executable status of memory pages that were
++ not originally created as executable,
++ - making read-only executable pages writable again,
++ - creating executable pages from anonymous memory.
++
++ You should say Y here to complete the protection provided by
++ the enforcement of non-executable pages.
++
++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
++ this feature on a per file basis.
++
++config PAX_NOELFRELOCS
++ bool "Disallow ELF text relocations"
++ depends on PAX_MPROTECT && (IA64 || X86 || X86_64)
++ help
++ Non-executable pages and mprotect() restrictions are effective
++ in preventing the introduction of new executable code into an
++ attacked task's address space. There remain only two venues
++ for this kind of attack: if the attacker can execute already
++ existing code in the attacked task then he can either have it
++ create and mmap() a file containing his code or have it mmap()
++ an already existing ELF library that does not have position
++ independent code in it and use mprotect() on it to make it
++ writable and copy his code there. While protecting against
++ the former approach is beyond PaX, the latter can be prevented
++ by having only PIC ELF libraries on one's system (which do not
++ need to relocate their code). If you are sure this is your case,
++ then enable this option otherwise be careful as you may not even
++ be able to boot or log on your system (for example, some PAM
++ modules are erroneously compiled as non-PIC by default).
++
++ NOTE: if you are using dynamic ELF executables (as suggested
++ when using ASLR) then you must have made sure that you linked
++ your files using the PIC version of crt1 (the et_dyn.tar.gz package
++ referenced there has already been updated to support this).
++
++config PAX_ETEXECRELOCS
++ bool "Allow ELF ET_EXEC text relocations"
++ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
++ default y
++ help
++ On some architectures there are incorrectly created applications
++ that require text relocations and would not work without enabling
++ this option. If you are an alpha, ia64 or parisc user, you should
++ enable this option and disable it once you have made sure that
++ none of your applications need it.
++
++config PAX_EMUPLT
++ bool "Automatically emulate ELF PLT"
++ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC || SPARC32 || SPARC64)
++ default y
++ help
++ Enabling this option will have the kernel automatically detect
++ and emulate the Procedure Linkage Table entries in ELF files.
++ On some architectures such entries are in writable memory, and
++ become non-executable leading to task termination. Therefore
++ it is mandatory that you enable this option on alpha, parisc, ppc,
++ sparc and sparc64, otherwise your system would not even boot.
++
++ NOTE: this feature *does* open up a loophole in the protection
++ provided by the non-executable pages, therefore the proper
++ solution is to modify the toolchain to produce a PLT that does
++ not need to be writable.
++
++config PAX_DLRESOLVE
++ bool
++ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
++ default y
++
++config PAX_SYSCALL
++ bool
++ depends on PAX_PAGEEXEC && PPC
++ default y
++
++config PAX_KERNEXEC
++ bool "Enforce non-executable kernel pages"
++ depends on PAX_NOEXEC && X86 && !X86_64 && !MODULES && !HOTPLUG_PCI_COMPAQ_NVRAM
++ help
++ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
++ that is, enabling this option will make it harder to inject
++ and execute 'foreign' code in kernel memory itself.
++
++endmenu
++
++menu "Address Space Layout Randomization"
++ depends on PAX
++
++config PAX_ASLR
++ bool "Address Space Layout Randomization"
++ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
++ help
++ Many if not most exploit techniques rely on the knowledge of
++ certain addresses in the attacked program. The following options
++ will allow the kernel to apply a certain amount of randomization
++ to specific parts of the program thereby forcing an attacker to
++ guess them in most cases. Any failed guess will most likely crash
++ the attacked program which allows the kernel to detect such attempts
++ and react on them. PaX itself provides no reaction mechanisms,
++ instead it is strongly encouraged that you make use of Nergal's
++ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
++ (http://www.grsecurity.net/) built-in crash detection features or
++ develop one yourself.
++
++ By saying Y here you can choose to randomize the following areas:
++ - top of the task's kernel stack
++ - top of the task's userland stack
++ - base address for mmap() requests that do not specify one
++ (this includes all libraries)
++ - base address of the main executable
++
++ It is strongly recommended to say Y here as address space layout
++ randomization has negligible impact on performance yet it provides
++ a very effective protection.
++
++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
++ this feature on a per file basis.
++
++config PAX_RANDKSTACK
++ bool "Randomize kernel stack base"
++ depends on PAX_ASLR && X86_TSC && !X86_64
++ help
++ By saying Y here the kernel will randomize every task's kernel
++ stack on every system call. This will not only force an attacker
++ to guess it but also prevent him from making use of possible
++ leaked information about it.
++
++ Since the kernel stack is a rather scarce resource, randomization
++ may cause unexpected stack overflows, therefore you should very
++ carefully test your system. Note that once enabled in the kernel
++ configuration, this feature cannot be disabled on a per file basis.
++
++config PAX_RANDUSTACK
++ bool "Randomize user stack base"
++ depends on PAX_ASLR
++ help
++ By saying Y here the kernel will randomize every task's userland
++ stack. The randomization is done in two steps where the second
++ one may apply a big amount of shift to the top of the stack and
++ cause problems for programs that want to use lots of memory (more
++ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
++ For this reason the second step can be controlled by 'chpax' or
++ 'paxctl' on a per file basis.
++
++config PAX_RANDMMAP
++ bool "Randomize mmap() base"
++ depends on PAX_ASLR
++ help
++ By saying Y here the kernel will use a randomized base address for
++ mmap() requests that do not specify one themselves. As a result
++ all dynamically loaded libraries will appear at random addresses
++ and therefore be harder to exploit by a technique where an attacker
++ attempts to execute library code for his purposes (e.g. spawn a
++ shell from an exploited program that is running at an elevated
++ privilege level).
++
++ Furthermore, if a program is relinked as a dynamic ELF file, its
++ base address will be randomized as well, completing the full
++ randomization of the address space layout. Attacking such programs
++ becomes a guess game. You can find an example of doing this at
++ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
++ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
++
++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
++ feature on a per file basis.
++
++config PAX_RANDEXEC
++ bool "Randomize ET_EXEC base"
++ depends on PAX_MPROTECT && PAX_RANDMMAP
++ help
++ By saying Y here the kernel will randomize the base address of normal
++ ET_EXEC ELF executables as well. This is accomplished by mapping the
++ executable in memory in a special way which also allows for detecting
++ attackers who attempt to execute its code for their purposes. Since
++ this special mapping causes performance degradation and the attack
++ detection may create false alarms as well, you should carefully test
++ your executables when this feature is enabled.
++
++ This solution is intended only as a temporary one until you relink
++ your programs as a dynamic ELF file.
++
++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
++ feature on a per file basis.
++
++config PAX_NOVSYSCALL
++ bool "Disable the vsyscall page"
++ depends on PAX_ASLR && X86 && !X86_64
++ help
++ The Linux 2.6 kernel introduced a new feature that speeds up or
++ simplifies certain operations, such as system calls or returns
++ from signal handlers.
++
++ Unfortunately the implementation also gives a powerful instrument
++ into the hands of exploit writers: the so-called vsyscall page exists
++ in every task at the same fixed address and it contains machine code
++ that is very useful in performing the return-to-libc style attack.
++
++ Since this exploit technique cannot in general be protected against
++ via kernel solutions, this option will allow you to disable the use
++ of the vsyscall page and revert back to the old behaviour.
++
++endmenu
++
++endmenu
++
+ config SECURITY
+ bool "Enable different security models"
+ help
+diff -uNr linux-2.6.6/security/security.c linux-2.6.6.fixed/security/security.c
+--- linux-2.6.6/security/security.c 2004-05-10 04:31:58.000000000 +0200
++++ linux-2.6.6.fixed/security/security.c 2004-05-11 10:55:58.000000000 +0200
+@@ -206,4 +206,5 @@
+ EXPORT_SYMBOL_GPL(mod_reg_security);
+ EXPORT_SYMBOL_GPL(mod_unreg_security);
+ EXPORT_SYMBOL(capable);
++EXPORT_SYMBOL(capable_nolog);
+ EXPORT_SYMBOL(security_ops);
projects / packages / kernel.git / commitdiff