--- linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-18 13:33:13.000000000 -0400
@@ -15,6 +15,7 @@
- #include <linux/slab.h>
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-18 13:33:14.000000000 -0400
@@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
#include <linux/kprobes.h>
#include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
+#include <linux/binfmts.h>
#include <asm/pgtable.h>
#ifdef CONFIG_PNPBIOS
- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
-+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
++ if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
extern u32 pnp_bios_is_utter_crap;
pnp_bios_is_utter_crap = 1;
--- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400
@@ -25,6 +25,9 @@
- #include <linux/kprobes.h>
#include <linux/uaccess.h>
#include <linux/kdebug.h>
+ #include <linux/suspend.h>
+#include <linux/unistd.h>
+#include <linux/compiler.h>
+#include <linux/binfmts.h>
--- linux-2.6.25.4/fs/binfmt_aout.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/binfmt_aout.c 2008-05-18 13:33:16.000000000 -0400
@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
#include <linux/personality.h>
#include <linux/init.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
#include <asm/system.h>
--- linux-2.6.25.4/fs/binfmt_elf.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/binfmt_elf.c 2008-05-18 13:33:16.000000000 -0400
@@ -39,10 +39,16 @@
- #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
+
#include <asm/uaccess.h>
diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c
--- linux-2.6.25.4/fs/ext3/balloc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext3/balloc.c 2008-05-18 13:33:16.000000000 -0400
-@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c
--- linux-2.6.25.4/fs/ext3/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext3/namei.c 2008-05-18 13:33:16.000000000 -0400
diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c
--- linux-2.6.25.4/fs/ext4/balloc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext4/balloc.c 2008-05-18 13:33:16.000000000 -0400
-@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = ext4_r_blocks_count(sbi->s_es);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c
--- linux-2.6.25.4/fs/ext4/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext4/namei.c 2008-05-18 13:33:16.000000000 -0400
--- linux-2.6.25.4/fs/fcntl.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/fcntl.c 2008-05-18 13:33:16.000000000 -0400
@@ -19,6 +19,7 @@
- #include <linux/signal.h>
#include <linux/rcupdate.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/poll.h>
--- linux-2.6.25.4/fs/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/namei.c 2008-05-18 13:33:16.000000000 -0400
@@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
+
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current->fs->umask;
- error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
+ error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.path.mnt);
+ }
+ }
+
- error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
+ error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_dev || saved_ino))
+ gr_handle_delete(saved_ino, saved_dev);
+dput_exit2:
+ error = -EACCES;
+
atomic_inc(&inode->i_count);
-- error = vfs_unlink(nd.path.dentry->d_inode, dentry);
+- error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
+ }
+ if (!error)
-+ error = vfs_unlink(nd.path.dentry->d_inode, dentry);
++ error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_ino || saved_dev))
+ gr_handle_delete(saved_ino, saved_dev);
exit2:
dput(dentry);
}
-@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char
+@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char
if (IS_ERR(dentry))
goto out_unlock;
+ goto out_dput_unlock;
+ }
+
- error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO);
+ error = vfs_symlink(nd.path.dentry->d_inode, dentry, from,
+ S_IALLUGO, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.path.mnt);
dput(dentry);
out_unlock:
mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
-@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
+ goto out_unlock_dput;
+ }
+
- error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry);
+ error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
+ new_dentry, &nd);
+
+ if (!error)
+ gr_handle_create(new_dentry, nd.path.mnt);
--- linux-2.6.25.4/fs/namespace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/namespace.c 2008-05-18 13:33:16.000000000 -0400
@@ -26,6 +26,7 @@
- #include <linux/mount.h>
- #include <linux/ramfs.h>
- #include <linux/log2.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
--- linux-2.6.25.4/fs/open.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/open.c 2008-05-18 13:33:16.000000000 -0400
@@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(nd.path.dentry, &newattrs);
-@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u
- return sys_fchmodat(AT_FDCWD, filename, mode);
- }
-
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- struct inode * inode;
- int error;
@@ -644,6 +693,12 @@ static int chown_common(struct dentry *
error = -EPERM;
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u
- error = user_path_walk(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co
- error = __user_walk_fd(dfd, filename, follow, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __
- error = user_path_walk_link(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int
-
- dentry = file->f_path.dentry;
- audit_inode(NULL, dentry);
-- error = chown_common(dentry, user, group);
-+ error = chown_common(dentry, user, group, file->f_path.mnt);
- fput(file);
- out:
- return error;
@@ -948,6 +1003,7 @@ repeat:
* N.B. For clone tasks sharing a files structure, this test
* will limit the total number of files that can be opened.
+}
+#endif
+
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
@@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m,
--- linux-2.6.25.4/fs/proc/base.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/base.c 2008-05-18 13:33:16.000000000 -0400
@@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
#include "internal.h"
inode->i_gid = task->egid;
+#endif
}
- security_task_to_inode(task, inode);
-
+ /* procfs is xid tagged */
+ inode->i_tag = (tag_t)vx_task_xid(task);
@@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount *
{
struct inode *inode = dentry->d_inode;
+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
+ goto out;
+
- /*
- * Yes, it does not scale. And it should not. Don't add
- * new entries into /proc/<tgid>/ without very good reasons.
+ /* TODO: maybe we can come up with a generic approach? */
+ if (task_vx_flags(task, VXF_HIDE_VINFO, 0) &&
+ (dentry->d_name.len == 5) &&
@@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi
if (!task)
goto out_no_task;
out:
@@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
INF("io", S_IRUGO, pid_io_accounting),
#endif
+ ONE("nsproxy", S_IRUGO, pid_nsproxy),
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
+#endif
@@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp,
{
unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
+ continue;
+
filp->f_pos = iter.tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
+ if (!vx_proc_task_visible(iter.task))
+ continue;
diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
--- linux-2.6.25.4/fs/proc/inode.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/inode.c 2008-05-18 13:33:16.000000000 -0400
inode->i_gid = de->gid;
+#endif
}
- if (de->size)
- inode->i_size = de->size;
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h
--- linux-2.6.25.4/fs/proc/internal.h 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/internal.h 2008-05-18 13:33:16.000000000 -0400
@@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi
struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task);
+#endif
+
extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
- extern const struct file_operations proc_maps_operations;
diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c
--- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400
+#else
proc_bus = proc_mkdir("bus", NULL);
+#endif
+ proc_vx_init();
proc_sys_init();
}
-
diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c
--- linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-18 13:33:16.000000000 -0400
--- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400
@@ -7,6 +7,7 @@
- #include <linux/stat.h>
- #include <linux/utime.h>
#include <linux/syscalls.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
struct inode *inode;
struct iattr newattrs;
struct file *f = NULL;
-@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil
if (!f)
goto out;
dentry = f->f_path.dentry;
} else {
error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
if (error)
- goto out;
-
+@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil
+ if (error)
+ goto dput_and_out;
dentry = nd.path.dentry;
+ mnt = nd.path.mnt;
}
--- linux-2.6.25.4/ipc/msg.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/msg.c 2008-05-18 13:33:17.000000000 -0400
@@ -37,6 +37,7 @@
- #include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/current.h>
--- linux-2.6.25.4/ipc/sem.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/sem.c 2008-05-18 13:33:17.000000000 -0400
@@ -83,6 +83,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/ipc/shm.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/shm.c 2008-05-18 13:33:17.000000000 -0400
@@ -39,6 +39,7 @@
- #include <linux/nsproxy.h>
- #include <linux/mount.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400
@@ -13,6 +13,7 @@
- #include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
/*
-@@ -328,15 +329,25 @@ out:
+@@ -331,13 +332,22 @@ out:
int __capable(struct task_struct *t, int cap)
{
+ return 0;
+}
+
+ #include <linux/vserver/base.h>
int capable(int cap)
{
+@@ -347,3 +357,4 @@ int capable(int cap)
return __capable(current, cap);
}
EXPORT_SYMBOL(capable);
--- linux-2.6.25.4/kernel/exit.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/exit.c 2008-05-18 13:33:17.000000000 -0400
@@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
+
+#ifdef CONFIG_GRKERNSEC
--- linux-2.6.25.4/kernel/fork.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/fork.c 2008-05-18 13:33:17.000000000 -0400
@@ -53,6 +53,7 @@
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
+ mm->free_area_cache = oldmm->free_area_cache;
+ mm->cached_hole_size = oldmm->cached_hole_size;
mm->map_count = 0;
- cpus_clear(mm->cpu_vm_mask);
- mm->mm_rb = RB_ROOT;
+ __set_mm_counter(mm, file_rss, 0);
+ __set_mm_counter(mm, anon_rss, 0);
@@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm
tmp->vm_flags &= ~VM_LOCKED;
tmp->vm_mm = mm;
}
@@ -1046,6 +1073,9 @@ static struct task_struct *copy_process(
+ DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
- retval = -EAGAIN;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
+
- if (atomic_read(&p->user->processes) >=
- p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ init_vx_info(&p->vx_info, current->vx_info);
+ init_nx_info(&p->nx_info, current->nx_info);
+
@@ -1212,6 +1242,8 @@ static struct task_struct *copy_process(
if (clone_flags & CLONE_THREAD)
p->tgid = current->tgid;
--- linux-2.6.25.4/kernel/pid.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/pid.c 2008-05-18 13:33:17.000000000 -0400
@@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
#include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#define pid_hashfn(nr, ns) \
--- linux-2.6.25.4/kernel/printk.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/printk.c 2008-05-18 13:33:17.000000000 -0400
@@ -32,6 +32,7 @@
- #include <linux/security.h>
#include <linux/bootmem.h>
#include <linux/syscalls.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf
char c;
- int error = 0;
+ int error;
+#ifdef CONFIG_GRKERNSEC_DMESG
+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
--- linux-2.6.25.4/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/ptrace.c 2008-05-18 13:33:17.000000000 -0400
@@ -21,6 +21,7 @@
- #include <linux/audit.h>
#include <linux/pid_namespace.h>
#include <linux/syscalls.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
- if (!dumpable && !capable(CAP_SYS_PTRACE))
+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
return -EPERM;
-
- return security_ptrace(current, task);
+ if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT))
+ return -EPERM;
@@ -203,7 +204,7 @@ repeat:
/* Go */
--- linux-2.6.25.4/kernel/sched.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/sched.c 2008-05-18 13:33:17.000000000 -0400
@@ -66,6 +66,7 @@
- #include <linux/unistd.h>
- #include <linux/pagemap.h>
#include <linux/hrtimer.h>
+ #include <linux/vs_sched.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/tlb.h>
- if (increment < 0 && !can_nice(current, nice))
+ if (increment < 0 && (!can_nice(current, nice) ||
+ gr_handle_chroot_nice()))
- return -EPERM;
+ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
retval = security_task_setnice(current, nice);
@@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = {
#include <linux/pid_namespace.h>
+#include <linux/grsecurity.h>
#include <linux/nsproxy.h>
-
- #include <asm/param.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_pid.h>
@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
+ return error;
}
- return security_task_kill(t, info, sig, 0);
+ error = -ESRCH;
@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
__setup("print-fatal-signals=", setup_print_fatal_signals);
@@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user
return err;
- do_settimeofday(&tv);
+ vx_settimeofday(&tv);
+
+ gr_log_timechange();
+
--- linux-2.6.25.4/mm/mlock.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/mm/mlock.c 2008-05-18 13:33:17.000000000 -0400
@@ -12,6 +12,7 @@
- #include <linux/syscalls.h>
#include <linux/sched.h>
#include <linux/module.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
int can_do_mlock(void)
+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
error = do_mlock(start, len, 1);
- up_write(¤t->mm->mmap_sem);
+ out:
@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
static int do_mlockall(int flags)
{
ret = -ENOMEM;
+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+ if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+ goto out;
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
- capable(CAP_IPC_LOCK))
- ret = do_mlockall(flags);
diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
--- linux-2.6.25.4/mm/mmap.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/mm/mmap.c 2008-05-18 13:33:17.000000000 -0400
+
}
out:
- mm->total_vm += len >> PAGE_SHIFT;
+ vx_vmpages_add(mm, len >> PAGE_SHIFT);
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+ track_exec_limit(mm, addr, addr + len, vm_flags);
if (vm_flags & VM_LOCKED) {
- mm->locked_vm += len >> PAGE_SHIFT;
+ vx_vmlocked_add(mm, len >> PAGE_SHIFT);
make_pages_present(addr, addr + len);
@@ -1217,6 +1379,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
+ }
+#endif
+
- mm->total_vm -= nrpages;
+ vx_vmpages_sub(mm, nrpages);
if (vma->vm_flags & VM_LOCKED)
- mm->locked_vm -= nrpages;
+ vx_vmlocked_sub(mm, nrpages);
@@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr,
+@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr,
/*
* Clear old maps. this also does some error checking for us
*/
if (mm->map_count > sysctl_max_map_count)
return -ENOMEM;
-- if (security_vm_enough_memory(len >> PAGE_SHIFT))
-+ if (security_vm_enough_memory(charged))
+- if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
+- !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
++ if (security_vm_enough_memory(charged) ||
++ !vx_vmpages_avail(mm, charged))
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
+#endif
+
out:
-- mm->total_vm += len >> PAGE_SHIFT;
-+ mm->total_vm += charged;
+- vx_vmpages_add(mm, len >> PAGE_SHIFT);
++ vx_vmpages_add(mm, charged);
if (flags & VM_LOCKED) {
-- mm->locked_vm += len >> PAGE_SHIFT;
-+ mm->locked_vm += charged;
+- vx_vmlocked_add(mm, len >> PAGE_SHIFT);
++ vx_vmlocked_add(mm, charged);
make_pages_present(addr, addr + len);
}
+ track_exec_limit(mm, addr, addr + len, flags);
diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c
--- linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-18 13:33:17.000000000 -0400
-@@ -18,11 +18,14 @@
+@@ -18,12 +18,15 @@
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/wait.h>
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
+ #include <net/route.h>
#include <net/ip.h>
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
--- linux-2.6.25.4/net/unix/af_unix.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/net/unix/af_unix.c 2008-05-18 13:33:17.000000000 -0400
@@ -116,6 +116,7 @@
- #include <linux/mount.h>
- #include <net/checksum.h>
#include <linux/security.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
+ goto out_mknod_dput;
+ }
+
- err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
+ err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL);
if (err)
goto out_mknod_dput;
+
--- linux-2.6.25.4/security/commoncap.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/security/commoncap.c 2008-05-18 13:33:17.000000000 -0400
@@ -24,15 +24,18 @@
- #include <linux/hugetlb.h>
#include <linux/mount.h>
#include <linux/sched.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
/* Global security state */
+
int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{
-- NETLINK_CB(skb).eff_cap = current->cap_effective;
+- NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective);
+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
return 0;
}
int cap_capable (struct task_struct *tsk, int cap)
{
/* Derived from include/linux/sched.h:capable. */
-- if (cap_raised(tsk->cap_effective, cap))
-+ if (cap_raised (tsk->cap_effective, cap))
+- if (vx_cap_raised(vxi, tsk->cap_effective, cap))
++ if (vx_cap_raised (vxi, tsk->cap_effective, cap))
+ return 0;
+ return -EPERM;
+}
+int cap_capable_nolog (struct task_struct *tsk, int cap)
+{
+ /* tsk = current for all callers */
-+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
++ if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
return 0;
return -EPERM;
}
--- linux-2.6.25.4/security/dummy.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/security/dummy.c 2008-05-18 13:33:17.000000000 -0400
@@ -27,6 +27,7 @@
- #include <linux/hugetlb.h>
#include <linux/ptrace.h>
#include <linux/file.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
--- linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c 2008-05-18 13:33:13.000000000 -0400
@@ -15,6 +15,7 @@
- #include <linux/slab.h>
#include <linux/security.h>
#include <linux/signal.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/ia64/mm/fault.c 2008-05-18 13:33:14.000000000 -0400
@@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
#include <linux/kprobes.h>
#include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
+#include <linux/binfmts.h>
#include <asm/pgtable.h>
#ifdef CONFIG_PNPBIOS
- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
-+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
++ if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
extern u32 pnp_bios_is_utter_crap;
pnp_bios_is_utter_crap = 1;
--- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400
@@ -25,6 +25,9 @@
- #include <linux/kprobes.h>
#include <linux/uaccess.h>
#include <linux/kdebug.h>
+ #include <linux/suspend.h>
+#include <linux/unistd.h>
+#include <linux/compiler.h>
+#include <linux/binfmts.h>
--- linux-2.6.25.4/fs/binfmt_aout.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/binfmt_aout.c 2008-05-18 13:33:16.000000000 -0400
@@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
#include <linux/personality.h>
#include <linux/init.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
#include <asm/system.h>
--- linux-2.6.25.4/fs/binfmt_elf.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/binfmt_elf.c 2008-05-18 13:33:16.000000000 -0400
@@ -39,10 +39,16 @@
- #include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
+
#include <asm/uaccess.h>
diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c
--- linux-2.6.25.4/fs/ext3/balloc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext3/balloc.c 2008-05-18 13:33:16.000000000 -0400
-@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c
--- linux-2.6.25.4/fs/ext3/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext3/namei.c 2008-05-18 13:33:16.000000000 -0400
diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c
--- linux-2.6.25.4/fs/ext4/balloc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext4/balloc.c 2008-05-18 13:33:16.000000000 -0400
-@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+ DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
- free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
- root_blocks = ext4_r_blocks_count(sbi->s_es);
-- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+ cond = (free_blocks < root_blocks + 1 &&
+- !capable(CAP_SYS_RESOURCE) &&
++ !capable_nolog(CAP_SYS_RESOURCE) &&
sbi->s_resuid != current->fsuid &&
- (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
- return 0;
+ (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
+
diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c
--- linux-2.6.25.4/fs/ext4/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/ext4/namei.c 2008-05-18 13:33:16.000000000 -0400
--- linux-2.6.25.4/fs/fcntl.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/fcntl.c 2008-05-18 13:33:16.000000000 -0400
@@ -19,6 +19,7 @@
- #include <linux/signal.h>
#include <linux/rcupdate.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/poll.h>
--- linux-2.6.25.4/fs/namei.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/namei.c 2008-05-18 13:33:16.000000000 -0400
@@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/namei.h>
#include <asm/uaccess.h>
+
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current->fs->umask;
- error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
+ error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.path.mnt);
+ }
+ }
+
- error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
+ error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_dev || saved_ino))
+ gr_handle_delete(saved_ino, saved_dev);
+dput_exit2:
+ error = -EACCES;
+
atomic_inc(&inode->i_count);
-- error = vfs_unlink(nd.path.dentry->d_inode, dentry);
+- error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
+ }
+ if (!error)
-+ error = vfs_unlink(nd.path.dentry->d_inode, dentry);
++ error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
+ if (!error && (saved_ino || saved_dev))
+ gr_handle_delete(saved_ino, saved_dev);
exit2:
dput(dentry);
}
-@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char
+@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char
if (IS_ERR(dentry))
goto out_unlock;
+ goto out_dput_unlock;
+ }
+
- error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO);
+ error = vfs_symlink(nd.path.dentry->d_inode, dentry, from,
+ S_IALLUGO, &nd);
+
+ if (!error)
+ gr_handle_create(dentry, nd.path.mnt);
dput(dentry);
out_unlock:
mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
-@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
+ goto out_unlock_dput;
+ }
+
- error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry);
+ error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
+ new_dentry, &nd);
+
+ if (!error)
+ gr_handle_create(new_dentry, nd.path.mnt);
--- linux-2.6.25.4/fs/namespace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/namespace.c 2008-05-18 13:33:16.000000000 -0400
@@ -26,6 +26,7 @@
- #include <linux/mount.h>
- #include <linux/ramfs.h>
- #include <linux/log2.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
--- linux-2.6.25.4/fs/open.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/open.c 2008-05-18 13:33:16.000000000 -0400
@@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(nd.path.dentry, &newattrs);
-@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u
- return sys_fchmodat(AT_FDCWD, filename, mode);
- }
-
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
- struct inode * inode;
- int error;
@@ -644,6 +693,12 @@ static int chown_common(struct dentry *
error = -EPERM;
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u
- error = user_path_walk(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co
- error = __user_walk_fd(dfd, filename, follow, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __
- error = user_path_walk_link(filename, &nd);
- if (error)
- goto out;
-- error = chown_common(nd.path.dentry, user, group);
-+ error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
- path_put(&nd.path);
- out:
- return error;
-@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int
-
- dentry = file->f_path.dentry;
- audit_inode(NULL, dentry);
-- error = chown_common(dentry, user, group);
-+ error = chown_common(dentry, user, group, file->f_path.mnt);
- fput(file);
- out:
- return error;
@@ -948,6 +1003,7 @@ repeat:
* N.B. For clone tasks sharing a files structure, this test
* will limit the total number of files that can be opened.
+}
+#endif
+
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
@@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m,
--- linux-2.6.25.4/fs/proc/base.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/base.c 2008-05-18 13:33:16.000000000 -0400
@@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
+#include <linux/grsecurity.h>
+
#include "internal.h"
inode->i_gid = task->egid;
+#endif
}
- security_task_to_inode(task, inode);
-
+ /* procfs is xid tagged */
+ inode->i_tag = (tag_t)vx_task_xid(task);
@@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount *
{
struct inode *inode = dentry->d_inode;
+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
+ goto out;
+
- /*
- * Yes, it does not scale. And it should not. Don't add
- * new entries into /proc/<tgid>/ without very good reasons.
+ /* TODO: maybe we can come up with a generic approach? */
+ if (task_vx_flags(task, VXF_HIDE_VINFO, 0) &&
+ (dentry->d_name.len == 5) &&
@@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi
if (!task)
goto out_no_task;
out:
@@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
INF("io", S_IRUGO, pid_io_accounting),
#endif
+ ONE("nsproxy", S_IRUGO, pid_nsproxy),
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+ INF("ipaddr", S_IRUSR, pid_ipaddr),
+#endif
@@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp,
{
unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
+ continue;
+
filp->f_pos = iter.tgid + TGID_OFFSET;
- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
- put_task_struct(iter.task);
+ if (!vx_proc_task_visible(iter.task))
+ continue;
diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
--- linux-2.6.25.4/fs/proc/inode.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/inode.c 2008-05-18 13:33:16.000000000 -0400
inode->i_gid = de->gid;
+#endif
}
- if (de->size)
- inode->i_size = de->size;
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h
--- linux-2.6.25.4/fs/proc/internal.h 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/internal.h 2008-05-18 13:33:16.000000000 -0400
@@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi
struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task);
+#endif
+
extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
- extern const struct file_operations proc_maps_operations;
diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c
--- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400
+#else
proc_bus = proc_mkdir("bus", NULL);
+#endif
+ proc_vx_init();
proc_sys_init();
}
-
diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c
--- linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/proc/task_mmu.c 2008-05-18 13:33:16.000000000 -0400
--- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400
@@ -7,6 +7,7 @@
- #include <linux/stat.h>
- #include <linux/utime.h>
#include <linux/syscalls.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
struct inode *inode;
struct iattr newattrs;
struct file *f = NULL;
-@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil
if (!f)
goto out;
dentry = f->f_path.dentry;
} else {
error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
if (error)
- goto out;
-
+@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil
+ if (error)
+ goto dput_and_out;
dentry = nd.path.dentry;
+ mnt = nd.path.mnt;
}
--- linux-2.6.25.4/ipc/msg.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/msg.c 2008-05-18 13:33:17.000000000 -0400
@@ -37,6 +37,7 @@
- #include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+#include <linux/grsecurity.h>
#include <asm/current.h>
--- linux-2.6.25.4/ipc/sem.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/sem.c 2008-05-18 13:33:17.000000000 -0400
@@ -83,6 +83,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/ipc/shm.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/ipc/shm.c 2008-05-18 13:33:17.000000000 -0400
@@ -39,6 +39,7 @@
- #include <linux/nsproxy.h>
- #include <linux/mount.h>
#include <linux/ipc_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
--- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400
@@ -13,6 +13,7 @@
- #include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
/*
-@@ -328,15 +329,25 @@ out:
+@@ -331,13 +332,22 @@ out:
int __capable(struct task_struct *t, int cap)
{
+ return 0;
+}
+
+ #include <linux/vserver/base.h>
int capable(int cap)
{
+@@ -347,3 +357,4 @@ int capable(int cap)
return __capable(current, cap);
}
EXPORT_SYMBOL(capable);
--- linux-2.6.25.4/kernel/exit.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/exit.c 2008-05-18 13:33:17.000000000 -0400
@@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
+
+#ifdef CONFIG_GRKERNSEC
--- linux-2.6.25.4/kernel/fork.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/fork.c 2008-05-18 13:33:17.000000000 -0400
@@ -53,6 +53,7 @@
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
+ mm->free_area_cache = oldmm->free_area_cache;
+ mm->cached_hole_size = oldmm->cached_hole_size;
mm->map_count = 0;
- cpus_clear(mm->cpu_vm_mask);
- mm->mm_rb = RB_ROOT;
+ __set_mm_counter(mm, file_rss, 0);
+ __set_mm_counter(mm, anon_rss, 0);
@@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm
tmp->vm_flags &= ~VM_LOCKED;
tmp->vm_mm = mm;
}
@@ -1046,6 +1073,9 @@ static struct task_struct *copy_process(
+ DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
- retval = -EAGAIN;
+
+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
+
- if (atomic_read(&p->user->processes) >=
- p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+ init_vx_info(&p->vx_info, current->vx_info);
+ init_nx_info(&p->nx_info, current->nx_info);
+
@@ -1212,6 +1242,8 @@ static struct task_struct *copy_process(
if (clone_flags & CLONE_THREAD)
p->tgid = current->tgid;
--- linux-2.6.25.4/kernel/pid.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/pid.c 2008-05-18 13:33:17.000000000 -0400
@@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
#include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+#include <linux/grsecurity.h>
#define pid_hashfn(nr, ns) \
--- linux-2.6.25.4/kernel/printk.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/printk.c 2008-05-18 13:33:17.000000000 -0400
@@ -32,6 +32,7 @@
- #include <linux/security.h>
#include <linux/bootmem.h>
#include <linux/syscalls.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/uaccess.h>
@@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf
char c;
- int error = 0;
+ int error;
+#ifdef CONFIG_GRKERNSEC_DMESG
+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
--- linux-2.6.25.4/kernel/ptrace.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/ptrace.c 2008-05-18 13:33:17.000000000 -0400
@@ -21,6 +21,7 @@
- #include <linux/audit.h>
#include <linux/pid_namespace.h>
#include <linux/syscalls.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
#include <asm/pgtable.h>
- if (!dumpable && !capable(CAP_SYS_PTRACE))
+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
return -EPERM;
-
- return security_ptrace(current, task);
+ if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT))
+ return -EPERM;
@@ -203,7 +204,7 @@ repeat:
/* Go */
--- linux-2.6.25.4/kernel/sched.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/kernel/sched.c 2008-05-18 13:33:17.000000000 -0400
@@ -66,6 +66,7 @@
- #include <linux/unistd.h>
- #include <linux/pagemap.h>
#include <linux/hrtimer.h>
+ #include <linux/vs_sched.h>
+ #include <linux/vs_cvirt.h>
+#include <linux/grsecurity.h>
#include <asm/tlb.h>
- if (increment < 0 && !can_nice(current, nice))
+ if (increment < 0 && (!can_nice(current, nice) ||
+ gr_handle_chroot_nice()))
- return -EPERM;
+ return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
retval = security_task_setnice(current, nice);
@@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = {
#include <linux/pid_namespace.h>
+#include <linux/grsecurity.h>
#include <linux/nsproxy.h>
-
- #include <asm/param.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_pid.h>
@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
&& (current->euid ^ t->suid) && (current->euid ^ t->uid)
&& (current->uid ^ t->suid) && (current->uid ^ t->uid)
+ return error;
}
- return security_task_kill(t, info, sig, 0);
+ error = -ESRCH;
@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
__setup("print-fatal-signals=", setup_print_fatal_signals);
@@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user
return err;
- do_settimeofday(&tv);
+ vx_settimeofday(&tv);
+
+ gr_log_timechange();
+
--- linux-2.6.25.4/mm/mlock.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/mm/mlock.c 2008-05-18 13:33:17.000000000 -0400
@@ -12,6 +12,7 @@
- #include <linux/syscalls.h>
#include <linux/sched.h>
#include <linux/module.h>
+ #include <linux/vs_memory.h>
+#include <linux/grsecurity.h>
int can_do_mlock(void)
+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
error = do_mlock(start, len, 1);
- up_write(¤t->mm->mmap_sem);
+ out:
@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
static int do_mlockall(int flags)
{
ret = -ENOMEM;
+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+ if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+ goto out;
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
- capable(CAP_IPC_LOCK))
- ret = do_mlockall(flags);
diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
--- linux-2.6.25.4/mm/mmap.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/mm/mmap.c 2008-05-18 13:33:17.000000000 -0400
+
}
out:
- mm->total_vm += len >> PAGE_SHIFT;
+ vx_vmpages_add(mm, len >> PAGE_SHIFT);
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+ track_exec_limit(mm, addr, addr + len, vm_flags);
if (vm_flags & VM_LOCKED) {
- mm->locked_vm += len >> PAGE_SHIFT;
+ vx_vmlocked_add(mm, len >> PAGE_SHIFT);
make_pages_present(addr, addr + len);
@@ -1217,6 +1379,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
+ }
+#endif
+
- mm->total_vm -= nrpages;
+ vx_vmpages_sub(mm, nrpages);
if (vma->vm_flags & VM_LOCKED)
- mm->locked_vm -= nrpages;
+ vx_vmlocked_sub(mm, nrpages);
@@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr,
+@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr,
/*
* Clear old maps. this also does some error checking for us
*/
if (mm->map_count > sysctl_max_map_count)
return -ENOMEM;
-- if (security_vm_enough_memory(len >> PAGE_SHIFT))
-+ if (security_vm_enough_memory(charged))
+- if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
+- !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
++ if (security_vm_enough_memory(charged) ||
++ !vx_vmpages_avail(mm, charged))
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
+#endif
+
out:
-- mm->total_vm += len >> PAGE_SHIFT;
-+ mm->total_vm += charged;
+- vx_vmpages_add(mm, len >> PAGE_SHIFT);
++ vx_vmpages_add(mm, charged);
if (flags & VM_LOCKED) {
-- mm->locked_vm += len >> PAGE_SHIFT;
-+ mm->locked_vm += charged;
+- vx_vmlocked_add(mm, len >> PAGE_SHIFT);
++ vx_vmlocked_add(mm, charged);
make_pages_present(addr, addr + len);
}
+ track_exec_limit(mm, addr, addr + len, flags);
diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c
--- linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/net/ipv4/inet_hashtables.c 2008-05-18 13:33:17.000000000 -0400
-@@ -18,11 +18,14 @@
+@@ -18,12 +18,15 @@
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/wait.h>
#include <net/inet_connection_sock.h>
#include <net/inet_hashtables.h>
+ #include <net/route.h>
#include <net/ip.h>
+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
--- linux-2.6.25.4/net/unix/af_unix.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/net/unix/af_unix.c 2008-05-18 13:33:17.000000000 -0400
@@ -116,6 +116,7 @@
- #include <linux/mount.h>
- #include <net/checksum.h>
#include <linux/security.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
+#include <linux/grsecurity.h>
static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
+ goto out_mknod_dput;
+ }
+
- err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
+ err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL);
if (err)
goto out_mknod_dput;
+
--- linux-2.6.25.4/security/commoncap.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/security/commoncap.c 2008-05-18 13:33:17.000000000 -0400
@@ -24,15 +24,18 @@
- #include <linux/hugetlb.h>
#include <linux/mount.h>
#include <linux/sched.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
/* Global security state */
+
int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{
-- NETLINK_CB(skb).eff_cap = current->cap_effective;
+- NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective);
+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
return 0;
}
int cap_capable (struct task_struct *tsk, int cap)
{
/* Derived from include/linux/sched.h:capable. */
-- if (cap_raised(tsk->cap_effective, cap))
-+ if (cap_raised (tsk->cap_effective, cap))
+- if (vx_cap_raised(vxi, tsk->cap_effective, cap))
++ if (vx_cap_raised (vxi, tsk->cap_effective, cap))
+ return 0;
+ return -EPERM;
+}
+int cap_capable_nolog (struct task_struct *tsk, int cap)
+{
+ /* tsk = current for all callers */
-+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
++ if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
return 0;
return -EPERM;
}
--- linux-2.6.25.4/security/dummy.c 2008-05-15 11:00:12.000000000 -0400
+++ linux-2.6.25.4/security/dummy.c 2008-05-18 13:33:17.000000000 -0400
@@ -27,6 +27,7 @@
- #include <linux/hugetlb.h>
#include <linux/ptrace.h>
#include <linux/file.h>
+ #include <linux/vs_context.h>
+#include <linux/grsecurity.h>
static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)