- pldized
authorzbyniu <zbyniu@pld-linux.org>
Mon, 19 May 2008 10:03:53 +0000 (10:03 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    kernel-grsec_full.patch -> 1.1.2.35
    linux-2.6-grsec_full.patch -> 1.1.2.35

kernel-grsec_full.patch
linux-2.6-grsec_full.patch

index e6fe34b78754d60871ca3b7fd9469539606ece18..d1b1828d6a2bd8d65e00ca3347dcdb162ae61be7 100644 (file)
@@ -39,9 +39,9 @@ diff -urNp linux-2.6.25.4/arch/alpha/kernel/ptrace.c linux-2.6.25.4/arch/alpha/k
 --- linux-2.6.25.4/arch/alpha/kernel/ptrace.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c  2008-05-18 13:33:13.000000000 -0400
 @@ -15,6 +15,7 @@
- #include <linux/slab.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -465,9 +465,9 @@ diff -urNp linux-2.6.25.4/arch/ia64/mm/fault.c linux-2.6.25.4/arch/ia64/mm/fault
 --- linux-2.6.25.4/arch/ia64/mm/fault.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/ia64/mm/fault.c        2008-05-18 13:33:14.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
  #include <linux/kprobes.h>
  #include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -9437,7 +9437,7 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/extable.c linux-2.6.25.4/arch/x86/mm/extab
  
  #ifdef CONFIG_PNPBIOS
 -      if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
-+      if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
++      if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
                extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
                extern u32 pnp_bios_is_utter_crap;
                pnp_bios_is_utter_crap = 1;
@@ -9445,9 +9445,9 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/fault.c linux-2.6.25.4/arch/x86/mm/fault.c
 --- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400
 @@ -25,6 +25,9 @@
- #include <linux/kprobes.h>
  #include <linux/uaccess.h>
  #include <linux/kdebug.h>
+ #include <linux/suspend.h>
 +#include <linux/unistd.h>
 +#include <linux/compiler.h>
 +#include <linux/binfmts.h>
@@ -13603,9 +13603,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_aout.c linux-2.6.25.4/fs/binfmt_aout.c
 --- linux-2.6.25.4/fs/binfmt_aout.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/binfmt_aout.c    2008-05-18 13:33:16.000000000 -0400
 @@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -13684,9 +13684,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_elf.c linux-2.6.25.4/fs/binfmt_elf.c
 --- linux-2.6.25.4/fs/binfmt_elf.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/binfmt_elf.c     2008-05-18 13:33:16.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/random.h>
  #include <linux/elf.h>
  #include <linux/utsname.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -14803,15 +14803,15 @@ diff -urNp linux-2.6.25.4/fs/ext2/balloc.c linux-2.6.25.4/fs/ext2/balloc.c
 diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c
 --- linux-2.6.25.4/fs/ext3/balloc.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext3/balloc.c    2008-05-18 13:33:16.000000000 -0400
-@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+       DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
-       free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
-       root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--      if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+      if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+       cond = (free_blocks < root_blocks + 1 &&
+-              !capable(CAP_SYS_RESOURCE) &&
++              !capable_nolog(CAP_SYS_RESOURCE) &&
                sbi->s_resuid != current->fsuid &&
-               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
-               return 0;
+               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
 diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c
 --- linux-2.6.25.4/fs/ext3/namei.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext3/namei.c     2008-05-18 13:33:16.000000000 -0400
@@ -14844,15 +14844,15 @@ diff -urNp linux-2.6.25.4/fs/ext3/xattr.c linux-2.6.25.4/fs/ext3/xattr.c
 diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c
 --- linux-2.6.25.4/fs/ext4/balloc.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext4/balloc.c    2008-05-18 13:33:16.000000000 -0400
-@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+       DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
-       free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
-       root_blocks = ext4_r_blocks_count(sbi->s_es);
--      if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+      if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+       cond = (free_blocks < root_blocks + 1 &&
+-              !capable(CAP_SYS_RESOURCE) &&
++              !capable_nolog(CAP_SYS_RESOURCE) &&
                sbi->s_resuid != current->fsuid &&
-               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
-               return 0;
+               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
 diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c
 --- linux-2.6.25.4/fs/ext4/namei.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext4/namei.c     2008-05-18 13:33:16.000000000 -0400
@@ -14872,9 +14872,9 @@ diff -urNp linux-2.6.25.4/fs/fcntl.c linux-2.6.25.4/fs/fcntl.c
 --- linux-2.6.25.4/fs/fcntl.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/fcntl.c  2008-05-18 13:33:16.000000000 -0400
 @@ -19,6 +19,7 @@
- #include <linux/signal.h>
  #include <linux/rcupdate.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -15169,9 +15169,9 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 --- linux-2.6.25.4/fs/namei.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/namei.c  2008-05-18 13:33:16.000000000 -0400
 @@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -15332,7 +15332,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +
        if (!IS_POSIXACL(nd.path.dentry->d_inode))
                mode &= ~current->fs->umask;
-       error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
+       error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd);
 +
 +      if (!error)
 +              gr_handle_create(dentry, nd.path.mnt);
@@ -15366,7 +15366,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              }
 +      }
 +
-       error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
+       error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd);
 +      if (!error && (saved_dev || saved_ino))
 +              gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -15402,16 +15402,16 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +                              error = -EACCES;
 +
                        atomic_inc(&inode->i_count);
--              error = vfs_unlink(nd.path.dentry->d_inode, dentry);
+-              error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
 +              }
 +              if (!error)
-+                      error = vfs_unlink(nd.path.dentry->d_inode, dentry);
++                      error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
 +              if (!error && (saved_ino || saved_dev))
 +                      gr_handle_delete(saved_ino, saved_dev);
        exit2:
                dput(dentry);
        }
-@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char
+@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char
        if (IS_ERR(dentry))
                goto out_unlock;
  
@@ -15420,7 +15420,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              goto out_dput_unlock;
 +      }
 +
-       error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO);
+       error = vfs_symlink(nd.path.dentry->d_inode, dentry, from,
+               S_IALLUGO, &nd);
 +
 +      if (!error)
 +              gr_handle_create(dentry, nd.path.mnt);
@@ -15429,7 +15430,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
        dput(dentry);
  out_unlock:
        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
-@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c
        error = PTR_ERR(new_dentry);
        if (IS_ERR(new_dentry))
                goto out_unlock;
@@ -15447,7 +15448,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              goto out_unlock_dput;
 +      }
 +
-       error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry);
+       error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
+               new_dentry, &nd);
 +
 +      if (!error)
 +              gr_handle_create(new_dentry, nd.path.mnt);
@@ -15478,9 +15480,9 @@ diff -urNp linux-2.6.25.4/fs/namespace.c linux-2.6.25.4/fs/namespace.c
 --- linux-2.6.25.4/fs/namespace.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/namespace.c      2008-05-18 13:33:16.000000000 -0400
 @@ -26,6 +26,7 @@
- #include <linux/mount.h>
- #include <linux/ramfs.h>
- #include <linux/log2.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -15849,9 +15851,9 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
 --- linux-2.6.25.4/fs/open.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/open.c   2008-05-18 13:33:16.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -15961,15 +15963,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(nd.path.dentry, &newattrs);
-@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u
-       return sys_fchmodat(AT_FDCWD, filename, mode);
- }
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
-       struct inode * inode;
-       int error;
 @@ -644,6 +693,12 @@ static int chown_common(struct dentry * 
        error = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
@@ -15983,42 +15976,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
        newattrs.ia_valid =  ATTR_CTIME;
        if (user != (uid_t) -1) {
                newattrs.ia_valid |= ATTR_UID;
-@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u
-       error = user_path_walk(filename, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co
-       error = __user_walk_fd(dfd, filename, follow, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __
-       error = user_path_walk_link(filename, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int 
-       dentry = file->f_path.dentry;
-       audit_inode(NULL, dentry);
--      error = chown_common(dentry, user, group);
-+      error = chown_common(dentry, user, group, file->f_path.mnt);
-       fput(file);
- out:
-       return error;
 @@ -948,6 +1003,7 @@ repeat:
         * N.B. For clone tasks sharing a files structure, this test
         * will limit the total number of files that can be opened.
@@ -16073,7 +16030,7 @@ diff -urNp linux-2.6.25.4/fs/proc/array.c linux-2.6.25.4/fs/proc/array.c
 +}
 +#endif
 +
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
                        struct pid *pid, struct task_struct *task)
  {
 @@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m, 
@@ -16155,9 +16112,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 --- linux-2.6.25.4/fs/proc/base.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/base.c      2008-05-18 13:33:16.000000000 -0400
 @@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
 +
  #include "internal.h"
@@ -16221,8 +16178,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
                inode->i_gid = task->egid;
 +#endif
        }
-       security_task_to_inode(task, inode);
+       /* procfs is xid tagged */
+       inode->i_tag = (tag_t)vx_task_xid(task);
 @@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount *
  {
        struct inode *inode = dentry->d_inode;
@@ -16324,9 +16281,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 +      if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
 +              goto out;
 +
-       /*
-        * Yes, it does not scale. And it should not. Don't add
-        * new entries into /proc/<tgid>/ without very good reasons.
+       /* TODO: maybe we can come up with a generic approach? */
+       if (task_vx_flags(task, VXF_HIDE_VINFO, 0) &&
+               (dentry->d_name.len == 5) &&
 @@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi
        if (!task)
                goto out_no_task;
@@ -16348,9 +16305,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
  
  out:
 @@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
        INF("io",       S_IRUGO, pid_io_accounting),
  #endif
+       ONE("nsproxy",  S_IRUGO, pid_nsproxy),
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +      INF("ipaddr",     S_IRUSR, pid_ipaddr),
 +#endif
@@ -16387,7 +16344,7 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 @@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp,
  {
        unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-       struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+       struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +      struct task_struct *tmp = current;
 +#endif
@@ -16410,8 +16367,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 +                      continue;
 +
                filp->f_pos = iter.tgid + TGID_OFFSET;
-               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
-                       put_task_struct(iter.task);
+               if (!vx_proc_task_visible(iter.task))
+                       continue;
 diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
 --- linux-2.6.25.4/fs/proc/inode.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/inode.c     2008-05-18 13:33:16.000000000 -0400
@@ -16425,22 +16382,22 @@ diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
                                inode->i_gid = de->gid;
 +#endif
                        }
-                       if (de->size)
-                               inode->i_size = de->size;
+               if (de->vx_flags)
+                       PROC_I(inode)->vx_flags = de->vx_flags;
 diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h
 --- linux-2.6.25.4/fs/proc/internal.h  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/internal.h  2008-05-18 13:33:16.000000000 -0400
 @@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi
                                struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
                                struct pid *pid, struct task_struct *task);
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
 +                              struct pid *pid, struct task_struct *task);
 +#endif
  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
  
- extern const struct file_operations proc_maps_operations;
 diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c
 --- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400
@@ -16616,9 +16573,9 @@ diff -urNp linux-2.6.25.4/fs/proc/root.c linux-2.6.25.4/fs/proc/root.c
 +#else
        proc_bus = proc_mkdir("bus", NULL);
 +#endif
+       proc_vx_init();
        proc_sys_init();
  }
 diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c
 --- linux-2.6.25.4/fs/proc/task_mmu.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/task_mmu.c  2008-05-18 13:33:16.000000000 -0400
@@ -16979,9 +16936,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
 --- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400
 @@ -7,6 +7,7 @@
- #include <linux/stat.h>
- #include <linux/utime.h>
  #include <linux/syscalls.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -16994,7 +16951,7 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
        struct inode *inode;
        struct iattr newattrs;
        struct file *f = NULL;
-@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil
                if (!f)
                        goto out;
                dentry = f->f_path.dentry;
@@ -17002,8 +16959,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
        } else {
                error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
                if (error)
-                       goto out;
+@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil
+               if (error)
+                       goto dput_and_out;
                dentry = nd.path.dentry;
 +              mnt = nd.path.mnt;
        }
@@ -30157,9 +30115,9 @@ diff -urNp linux-2.6.25.4/ipc/msg.c linux-2.6.25.4/ipc/msg.c
 --- linux-2.6.25.4/ipc/msg.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/msg.c   2008-05-18 13:33:17.000000000 -0400
 @@ -37,6 +37,7 @@
- #include <linux/rwsem.h>
  #include <linux/nsproxy.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/current.h>
@@ -30197,9 +30155,9 @@ diff -urNp linux-2.6.25.4/ipc/sem.c linux-2.6.25.4/ipc/sem.c
 --- linux-2.6.25.4/ipc/sem.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/sem.c   2008-05-18 13:33:17.000000000 -0400
 @@ -83,6 +83,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -30237,9 +30195,9 @@ diff -urNp linux-2.6.25.4/ipc/shm.c linux-2.6.25.4/ipc/shm.c
 --- linux-2.6.25.4/ipc/shm.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/shm.c   2008-05-18 13:33:17.000000000 -0400
 @@ -39,6 +39,7 @@
- #include <linux/nsproxy.h>
- #include <linux/mount.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -30342,14 +30300,14 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c
 --- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400
 @@ -13,6 +13,7 @@
- #include <linux/security.h>
  #include <linux/syscalls.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  
  /*
-@@ -328,15 +329,25 @@ out:
+@@ -331,13 +332,22 @@ out:
  
  int __capable(struct task_struct *t, int cap)
  {
@@ -30370,8 +30328,10 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c
 +      return 0;
 +}
 +
+ #include <linux/vserver/base.h>
  int capable(int cap)
  {
+@@ -347,3 +357,4 @@ int capable(int cap)
        return __capable(current, cap);
  }
  EXPORT_SYMBOL(capable);
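Review bot: capable_nolog() may not apply the check that vserver adds inside capable(), because the new inner hunk split at `@@ -347,3 +357,4 @@` suggests capable() now has extra lines between `{` and `return __capable(current, cap);`. Only the tail of capable_nolog() (`return 0;` and `}`) is visible in this hunk, so this needs confirming against the full function. If the check is missing, the callers this patch switches to capable_nolog() (ext3_has_free_blocks, ext4_has_free_blocks and the dumpable test in kernel/ptrace.c) would skip a restriction that every capable() caller honours. Either mirror the vserver lines in capable_nolog(), or once the two agree add a comment such as `/* same checks as capable(), minus grsecurity logging */`.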
@@ -30421,9 +30381,9 @@ diff -urNp linux-2.6.25.4/kernel/exit.c linux-2.6.25.4/kernel/exit.c
 --- linux-2.6.25.4/kernel/exit.c       2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/exit.c       2008-05-18 13:33:17.000000000 -0400
 @@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
 +
 +#ifdef CONFIG_GRKERNSEC
@@ -30505,9 +30465,9 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
 --- linux-2.6.25.4/kernel/fork.c       2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/fork.c       2008-05-18 13:33:17.000000000 -0400
 @@ -53,6 +53,7 @@
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -30530,8 +30490,8 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
 +      mm->free_area_cache = oldmm->free_area_cache;
 +      mm->cached_hole_size = oldmm->cached_hole_size;
        mm->map_count = 0;
-       cpus_clear(mm->cpu_vm_mask);
-       mm->mm_rb = RB_ROOT;
+       __set_mm_counter(mm, file_rss, 0);
+       __set_mm_counter(mm, anon_rss, 0);
 @@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm
                tmp->vm_flags &= ~VM_LOCKED;
                tmp->vm_mm = mm;
@@ -30591,15 +30551,15 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
  }
  
 @@ -1046,6 +1073,9 @@ static struct task_struct *copy_process(
+       DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
        DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
-       retval = -EAGAIN;
 +
 +      gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
 +
-       if (atomic_read(&p->user->processes) >=
-                       p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
-               if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+       init_vx_info(&p->vx_info, current->vx_info);
+       init_nx_info(&p->nx_info, current->nx_info);
 @@ -1212,6 +1242,8 @@ static struct task_struct *copy_process(
        if (clone_flags & CLONE_THREAD)
                p->tgid = current->tgid;
@@ -31321,9 +31281,9 @@ diff -urNp linux-2.6.25.4/kernel/pid.c linux-2.6.25.4/kernel/pid.c
 --- linux-2.6.25.4/kernel/pid.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/pid.c        2008-05-18 13:33:17.000000000 -0400
 @@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #define pid_hashfn(nr, ns)    \
@@ -31388,16 +31348,16 @@ diff -urNp linux-2.6.25.4/kernel/printk.c linux-2.6.25.4/kernel/printk.c
 --- linux-2.6.25.4/kernel/printk.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/printk.c     2008-05-18 13:33:17.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/security.h>
  #include <linux/bootmem.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  
 @@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf
        char c;
-       int error = 0;
+       int error;
  
 +#ifdef CONFIG_GRKERNSEC_DMESG
 +      if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
@@ -31411,9 +31371,9 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c
 --- linux-2.6.25.4/kernel/ptrace.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/ptrace.c     2008-05-18 13:33:17.000000000 -0400
 @@ -21,6 +21,7 @@
- #include <linux/audit.h>
  #include <linux/pid_namespace.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -31431,8 +31391,8 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c
 -      if (!dumpable && !capable(CAP_SYS_PTRACE))
 +      if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
                return -EPERM;
-       return security_ptrace(current, task);
+       if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT))
+               return -EPERM;
 @@ -203,7 +204,7 @@ repeat:
  
        /* Go */
@@ -31501,9 +31461,9 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c
 --- linux-2.6.25.4/kernel/sched.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/sched.c      2008-05-18 13:33:17.000000000 -0400
 @@ -66,6 +66,7 @@
- #include <linux/unistd.h>
- #include <linux/pagemap.h>
  #include <linux/hrtimer.h>
+ #include <linux/vs_sched.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/tlb.h>
@@ -31515,7 +31475,7 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c
 -      if (increment < 0 && !can_nice(current, nice))
 +      if (increment < 0 && (!can_nice(current, nice) ||
 +                            gr_handle_chroot_nice()))
-               return -EPERM;
+               return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
        retval = security_task_setnice(current, nice);
 @@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = {
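Review bot: The grsecurity chroot denial in sys_nice now shares its return with vserver's VXF_IGNEG_NICE handling, so when that flag is set a request refused by `gr_handle_chroot_nice()` returns 0 instead of -EPERM. The priority is still left unchanged because the function returns at that point, but the caller is told the call succeeded, which differs from the unrebased patch. If that is intended, say so above the test, e.g. `/* a chroot denial is also reported as success under VXF_IGNEG_NICE */`; otherwise split the condition so the grsecurity branch keeps `return -EPERM;`. sys_nice's body continues outside the hunk.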
@@ -31545,8 +31505,8 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c
  #include <linux/pid_namespace.h>
 +#include <linux/grsecurity.h>
  #include <linux/nsproxy.h>
- #include <asm/param.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_pid.h>
 @@ -540,7 +541,9 @@ static int check_kill_permission(int sig
                    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
                    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
@@ -31557,7 +31517,7 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c
 +                      return error;
        }
  
-       return security_task_kill(t, info, sig, 0);
+       error = -ESRCH;
 @@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
  
  __setup("print-fatal-signals=", setup_print_fatal_signals);
@@ -31931,7 +31891,7 @@ diff -urNp linux-2.6.25.4/kernel/time.c linux-2.6.25.4/kernel/time.c
 @@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user 
                return err;
  
-       do_settimeofday(&tv);
+       vx_settimeofday(&tv);
 +
 +      gr_log_timechange();
 +
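Review bot: `gr_log_timechange()` is still called unconditionally after the setter, which this rebase changes from `do_settimeofday(&tv)` to `vx_settimeofday(&tv)`. If the vserver helper can apply the change to a per-context clock only (an inference from its name; its body is not shown), the grsecurity log would record a time change that never touched the system clock, and anyone reading the log could not tell the two cases apart. A comment at the call stating which case is logged, or logging only when the system clock was actually set, would keep the audit record unambiguous. sys_stime's body continues outside the hunk.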
@@ -32685,9 +32645,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
 --- linux-2.6.25.4/mm/mlock.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/mm/mlock.c  2008-05-18 13:33:17.000000000 -0400
 @@ -12,6 +12,7 @@
- #include <linux/syscalls.h>
  #include <linux/sched.h>
  #include <linux/module.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  int can_do_mlock(void)
@@ -32717,7 +32677,7 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
 +      gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
        if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
                error = do_mlock(start, len, 1);
-       up_write(&current->mm->mmap_sem);
+ out:
 @@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
  static int do_mlockall(int flags)
  {
@@ -32749,9 +32709,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
  
        ret = -ENOMEM;
 +      gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+       if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+               goto out;
        if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-           capable(CAP_IPC_LOCK))
-               ret = do_mlockall(flags);
 diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 --- linux-2.6.25.4/mm/mmap.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/mm/mmap.c   2008-05-18 13:33:17.000000000 -0400
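Review bot: The `gr_learn_resource()` call in the mlockall path passes `current->mm->total_vm`, a page count, while the sys_mlock call earlier in this file's patch passes `(current->mm->locked_vm << PAGE_SHIFT) + len`, a byte count, for the same RLIMIT_MEMLOCK. The helper's definition is not on this page, so the unit it expects is unconfirmed, but one of the two calls is probably off by a factor of the page size and would skew what is recorded for the resource. If bytes are expected, the line would read `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);`. The commit only rebases the surrounding context onto `vx_vmlocked_avail()`, so the line is carried over unchanged.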
@@ -33170,11 +33130,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +
        }
  out:  
-       mm->total_vm += len >> PAGE_SHIFT;
+       vx_vmpages_add(mm, len >> PAGE_SHIFT);
        vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
 +      track_exec_limit(mm, addr, addr + len, vm_flags);
        if (vm_flags & VM_LOCKED) {
-               mm->locked_vm += len >> PAGE_SHIFT;
+               vx_vmlocked_add(mm, len >> PAGE_SHIFT);
                make_pages_present(addr, addr + len);
 @@ -1217,6 +1379,12 @@ unmap_and_free_vma:
        unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
@@ -33507,9 +33467,9 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +              }
 +#endif
 +
-               mm->total_vm -= nrpages;
+               vx_vmpages_sub(mm, nrpages);
                if (vma->vm_flags & VM_LOCKED)
-                       mm->locked_vm -= nrpages;
+                       vx_vmlocked_sub(mm, nrpages);
 @@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str
  
        insertion_point = (prev ? &prev->vm_next : &mm->mmap);
@@ -33754,7 +33714,7 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
                if (locked > lock_limit && !capable(CAP_IPC_LOCK))
                        return -EAGAIN;
        }
-@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr,
+@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr,
        /*
         * Clear old maps.  this also does some error checking for us
         */
@@ -33776,8 +33736,10 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
        if (mm->map_count > sysctl_max_map_count)
                return -ENOMEM;
  
--      if (security_vm_enough_memory(len >> PAGE_SHIFT))
-+      if (security_vm_enough_memory(charged))
+-      if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
+-              !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
++      if (security_vm_enough_memory(charged) ||
++              !vx_vmpages_avail(mm, charged))
                return -ENOMEM;
  
        /* Can we just expand an old private anonymous mapping? */
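Review bot: The rewritten test `security_vm_enough_memory(charged) || !vx_vmpages_avail(mm, charged)` runs the charging check first, so a success there followed by a vserver limit failure returns -ENOMEM with `charged` pages still accounted. This assumes security_vm_enough_memory() commits the pages on success, as in mainline; nothing visible on this path calls vm_unacct_memory(). Testing the limit first avoids the imbalance: `if (!vx_vmpages_avail(mm, charged) || security_vm_enough_memory(charged))`. The ordering is inherited from the removed lines, so it predates this commit, but repeated failures in a context that sits at its page limit would otherwise inflate the host's committed-memory count. The hunk appears to lie inside do_brk, whose body starts and ends outside it.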
@@ -33815,11 +33777,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +#endif
 +
  out:
--      mm->total_vm += len >> PAGE_SHIFT;
-+      mm->total_vm += charged;
+-      vx_vmpages_add(mm, len >> PAGE_SHIFT);
++      vx_vmpages_add(mm, charged);
        if (flags & VM_LOCKED) {
--              mm->locked_vm += len >> PAGE_SHIFT;
-+              mm->locked_vm += charged;
+-              vx_vmlocked_add(mm, len >> PAGE_SHIFT);
++              vx_vmlocked_add(mm, charged);
                make_pages_present(addr, addr + len);
        }
 +      track_exec_limit(mm, addr, addr + len, flags);
@@ -34618,7 +34580,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_connection_sock.c linux-2.6.25.4/net/ipv
 diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c
 --- linux-2.6.25.4/net/ipv4/inet_hashtables.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/net/ipv4/inet_hashtables.c  2008-05-18 13:33:17.000000000 -0400
-@@ -18,11 +18,14 @@
+@@ -18,12 +18,15 @@
  #include <linux/sched.h>
  #include <linux/slab.h>
  #include <linux/wait.h>
@@ -34626,6 +34588,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/ine
  
  #include <net/inet_connection_sock.h>
  #include <net/inet_hashtables.h>
+ #include <net/route.h>
  #include <net/ip.h>
  
 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
@@ -35113,9 +35076,9 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c
 --- linux-2.6.25.4/net/unix/af_unix.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/net/unix/af_unix.c  2008-05-18 13:33:17.000000000 -0400
 @@ -116,6 +116,7 @@
- #include <linux/mount.h>
- #include <net/checksum.h>
  #include <linux/security.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
@@ -35157,7 +35120,7 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c
 +                      goto out_mknod_dput;
 +              }
 +
-               err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
+               err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL);
                if (err)
                        goto out_mknod_dput;
 +
@@ -35210,9 +35173,9 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 --- linux-2.6.25.4/security/commoncap.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/security/commoncap.c        2008-05-18 13:33:17.000000000 -0400
 @@ -24,15 +24,18 @@
- #include <linux/hugetlb.h>
  #include <linux/mount.h>
  #include <linux/sched.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  /* Global security state */
@@ -35224,7 +35187,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 +
  int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
  {
--      NETLINK_CB(skb).eff_cap = current->cap_effective;
+-      NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective);
 +      NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
        return 0;
  }
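Review bot: After this refresh the grsec side of cap_netlink_send replaces `vx_mbcaps(current->cap_effective)` with `gr_cap_rtnetlink(sk)`, which drops the vserver capability mask from NETLINK_CB(skb).eff_cap unless gr_cap_rtnetlink() applies it itself (its body is not on this page). If it does not, netlink receivers that authorise on eff_cap would see a guest context's unmasked effective set. Wrapping the result keeps both restrictions, e.g. `NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));`, provided gr_cap_rtnetlink() returns a kernel_cap_t.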
@@ -35233,8 +35196,8 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
  int cap_capable (struct task_struct *tsk, int cap)
  {
        /* Derived from include/linux/sched.h:capable. */
--      if (cap_raised(tsk->cap_effective, cap))
-+      if (cap_raised (tsk->cap_effective, cap))
+-      if (vx_cap_raised(vxi, tsk->cap_effective, cap))
++      if (vx_cap_raised (vxi, tsk->cap_effective, cap))
 +              return 0;
 +      return -EPERM;
 +}
@@ -35242,7 +35205,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 +int cap_capable_nolog (struct task_struct *tsk, int cap)
 +{
 +      /* tsk = current for all callers */
-+      if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
++      if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
                return 0;
        return -EPERM;
  }
@@ -35282,9 +35245,9 @@ diff -urNp linux-2.6.25.4/security/dummy.c linux-2.6.25.4/security/dummy.c
 --- linux-2.6.25.4/security/dummy.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/security/dummy.c    2008-05-18 13:33:17.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/hugetlb.h>
  #include <linux/ptrace.h>
  #include <linux/file.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
index e6fe34b78754d60871ca3b7fd9469539606ece18..d1b1828d6a2bd8d65e00ca3347dcdb162ae61be7 100644 (file)
@@ -39,9 +39,9 @@ diff -urNp linux-2.6.25.4/arch/alpha/kernel/ptrace.c linux-2.6.25.4/arch/alpha/k
 --- linux-2.6.25.4/arch/alpha/kernel/ptrace.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/alpha/kernel/ptrace.c  2008-05-18 13:33:13.000000000 -0400
 @@ -15,6 +15,7 @@
- #include <linux/slab.h>
  #include <linux/security.h>
  #include <linux/signal.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -465,9 +465,9 @@ diff -urNp linux-2.6.25.4/arch/ia64/mm/fault.c linux-2.6.25.4/arch/ia64/mm/fault
 --- linux-2.6.25.4/arch/ia64/mm/fault.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/ia64/mm/fault.c        2008-05-18 13:33:14.000000000 -0400
 @@ -10,6 +10,7 @@
- #include <linux/interrupt.h>
  #include <linux/kprobes.h>
  #include <linux/kdebug.h>
+ #include <linux/vs_memory.h>
 +#include <linux/binfmts.h>
  
  #include <asm/pgtable.h>
@@ -9437,7 +9437,7 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/extable.c linux-2.6.25.4/arch/x86/mm/extab
  
  #ifdef CONFIG_PNPBIOS
 -      if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
-+      if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
++      if (unlikely(!(regs->flags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->cs))) {
                extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
                extern u32 pnp_bios_is_utter_crap;
                pnp_bios_is_utter_crap = 1;
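Review bot: The guard on the added line has no comment saying why VM86 mode is excluded before SEGMENT_IS_PNP_CODE() is consulted, and it open-codes the flag test. Presumably the reason is that in vm86 mode regs->cs holds a real-mode segment value rather than a protected-mode selector; a one-line comment such as `/* in vm86 mode cs is a real-mode segment, not a PnP BIOS selector */` would record that. If the tree's `v8086_mode(regs)` helper is usable here, it would also keep this line from needing another touch on pt_regs renames like the eflags to flags one this hunk tracks. The enclosing function starts and ends outside the hunk.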
@@ -9445,9 +9445,9 @@ diff -urNp linux-2.6.25.4/arch/x86/mm/fault.c linux-2.6.25.4/arch/x86/mm/fault.c
 --- linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/arch/x86/mm/fault.c 2008-05-18 13:33:15.000000000 -0400
 @@ -25,6 +25,9 @@
- #include <linux/kprobes.h>
  #include <linux/uaccess.h>
  #include <linux/kdebug.h>
+ #include <linux/suspend.h>
 +#include <linux/unistd.h>
 +#include <linux/compiler.h>
 +#include <linux/binfmts.h>
@@ -13603,9 +13603,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_aout.c linux-2.6.25.4/fs/binfmt_aout.c
 --- linux-2.6.25.4/fs/binfmt_aout.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/binfmt_aout.c    2008-05-18 13:33:16.000000000 -0400
 @@ -24,6 +24,7 @@
- #include <linux/binfmts.h>
  #include <linux/personality.h>
  #include <linux/init.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/system.h>
@@ -13684,9 +13684,9 @@ diff -urNp linux-2.6.25.4/fs/binfmt_elf.c linux-2.6.25.4/fs/binfmt_elf.c
 --- linux-2.6.25.4/fs/binfmt_elf.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/binfmt_elf.c     2008-05-18 13:33:16.000000000 -0400
 @@ -39,10 +39,16 @@
- #include <linux/random.h>
  #include <linux/elf.h>
  #include <linux/utsname.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
 +
  #include <asm/uaccess.h>
@@ -14803,15 +14803,15 @@ diff -urNp linux-2.6.25.4/fs/ext2/balloc.c linux-2.6.25.4/fs/ext2/balloc.c
 diff -urNp linux-2.6.25.4/fs/ext3/balloc.c linux-2.6.25.4/fs/ext3/balloc.c
 --- linux-2.6.25.4/fs/ext3/balloc.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext3/balloc.c    2008-05-18 13:33:16.000000000 -0400
-@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
+@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
+       DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
-       free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
-       root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
--      if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+      if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+       cond = (free_blocks < root_blocks + 1 &&
+-              !capable(CAP_SYS_RESOURCE) &&
++              !capable_nolog(CAP_SYS_RESOURCE) &&
                sbi->s_resuid != current->fsuid &&
-               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
-               return 0;
+               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
 diff -urNp linux-2.6.25.4/fs/ext3/namei.c linux-2.6.25.4/fs/ext3/namei.c
 --- linux-2.6.25.4/fs/ext3/namei.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext3/namei.c     2008-05-18 13:33:16.000000000 -0400
@@ -14844,15 +14844,15 @@ diff -urNp linux-2.6.25.4/fs/ext3/xattr.c linux-2.6.25.4/fs/ext3/xattr.c
 diff -urNp linux-2.6.25.4/fs/ext4/balloc.c linux-2.6.25.4/fs/ext4/balloc.c
 --- linux-2.6.25.4/fs/ext4/balloc.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext4/balloc.c    2008-05-18 13:33:16.000000000 -0400
-@@ -1557,7 +1557,7 @@ static int ext4_has_free_blocks(struct e
+@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
+       DLIMIT_ADJUST_BLOCK(sb, dx_current_tag(), &free_blocks, &root_blocks);
  
-       free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
-       root_blocks = ext4_r_blocks_count(sbi->s_es);
--      if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
-+      if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
+       cond = (free_blocks < root_blocks + 1 &&
+-              !capable(CAP_SYS_RESOURCE) &&
++              !capable_nolog(CAP_SYS_RESOURCE) &&
                sbi->s_resuid != current->fsuid &&
-               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
-               return 0;
+               (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid)));
 diff -urNp linux-2.6.25.4/fs/ext4/namei.c linux-2.6.25.4/fs/ext4/namei.c
 --- linux-2.6.25.4/fs/ext4/namei.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/ext4/namei.c     2008-05-18 13:33:16.000000000 -0400
@@ -14872,9 +14872,9 @@ diff -urNp linux-2.6.25.4/fs/fcntl.c linux-2.6.25.4/fs/fcntl.c
 --- linux-2.6.25.4/fs/fcntl.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/fcntl.c  2008-05-18 13:33:16.000000000 -0400
 @@ -19,6 +19,7 @@
- #include <linux/signal.h>
  #include <linux/rcupdate.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/poll.h>
@@ -15169,9 +15169,9 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 --- linux-2.6.25.4/fs/namei.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/namei.c  2008-05-18 13:33:16.000000000 -0400
 @@ -30,6 +30,7 @@
- #include <linux/capability.h>
- #include <linux/file.h>
- #include <linux/fcntl.h>
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/namei.h>
  #include <asm/uaccess.h>
@@ -15332,7 +15332,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +
        if (!IS_POSIXACL(nd.path.dentry->d_inode))
                mode &= ~current->fs->umask;
-       error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
+       error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode, &nd);
 +
 +      if (!error)
 +              gr_handle_create(dentry, nd.path.mnt);
@@ -15366,7 +15366,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              }
 +      }
 +
-       error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
+       error = vfs_rmdir(nd.path.dentry->d_inode, dentry, &nd);
 +      if (!error && (saved_dev || saved_ino))
 +              gr_handle_delete(saved_ino, saved_dev);
 +dput_exit2:
@@ -15402,16 +15402,16 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +                              error = -EACCES;
 +
                        atomic_inc(&inode->i_count);
--              error = vfs_unlink(nd.path.dentry->d_inode, dentry);
+-              error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
 +              }
 +              if (!error)
-+                      error = vfs_unlink(nd.path.dentry->d_inode, dentry);
++                      error = vfs_unlink(nd.path.dentry->d_inode, dentry, &nd);
 +              if (!error && (saved_ino || saved_dev))
 +                      gr_handle_delete(saved_ino, saved_dev);
        exit2:
                dput(dentry);
        }
-@@ -2313,7 +2428,17 @@ asmlinkage long sys_symlinkat(const char
+@@ -2313,8 +2428,18 @@ asmlinkage long sys_symlinkat(const char
        if (IS_ERR(dentry))
                goto out_unlock;
  
@@ -15420,7 +15420,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              goto out_dput_unlock;
 +      }
 +
-       error = vfs_symlink(nd.path.dentry->d_inode, dentry, from, S_IALLUGO);
+       error = vfs_symlink(nd.path.dentry->d_inode, dentry, from,
+               S_IALLUGO, &nd);
 +
 +      if (!error)
 +              gr_handle_create(dentry, nd.path.mnt);
@@ -15429,7 +15430,7 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
        dput(dentry);
  out_unlock:
        mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
-@@ -2408,7 +2533,26 @@ asmlinkage long sys_linkat(int olddfd, c
+@@ -2408,8 +2533,27 @@ asmlinkage long sys_linkat(int olddfd, c
        error = PTR_ERR(new_dentry);
        if (IS_ERR(new_dentry))
                goto out_unlock;
@@ -15447,7 +15448,8 @@ diff -urNp linux-2.6.25.4/fs/namei.c linux-2.6.25.4/fs/namei.c
 +              goto out_unlock_dput;
 +      }
 +
-       error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode, new_dentry);
+       error = vfs_link(old_nd.path.dentry, nd.path.dentry->d_inode,
+               new_dentry, &nd);
 +
 +      if (!error)
 +              gr_handle_create(new_dentry, nd.path.mnt);
@@ -15478,9 +15480,9 @@ diff -urNp linux-2.6.25.4/fs/namespace.c linux-2.6.25.4/fs/namespace.c
 --- linux-2.6.25.4/fs/namespace.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/namespace.c      2008-05-18 13:33:16.000000000 -0400
 @@ -26,6 +26,7 @@
- #include <linux/mount.h>
- #include <linux/ramfs.h>
- #include <linux/log2.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vserver/space.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -15849,9 +15851,9 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
 --- linux-2.6.25.4/fs/open.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/open.c   2008-05-18 13:33:16.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/rcupdate.h>
- #include <linux/audit.h>
- #include <linux/falloc.h>
+ #include <linux/vs_dlimit.h>
+ #include <linux/vs_tag.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  
  int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
@@ -15961,15 +15963,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(nd.path.dentry, &newattrs);
-@@ -627,7 +676,7 @@ asmlinkage long sys_chmod(const char __u
-       return sys_fchmodat(AT_FDCWD, filename, mode);
- }
--static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
-+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
- {
-       struct inode * inode;
-       int error;
 @@ -644,6 +693,12 @@ static int chown_common(struct dentry * 
        error = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
@@ -15983,42 +15976,6 @@ diff -urNp linux-2.6.25.4/fs/open.c linux-2.6.25.4/fs/open.c
        newattrs.ia_valid =  ATTR_CTIME;
        if (user != (uid_t) -1) {
                newattrs.ia_valid |= ATTR_UID;
-@@ -671,7 +726,7 @@ asmlinkage long sys_chown(const char __u
-       error = user_path_walk(filename, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -691,7 +746,7 @@ asmlinkage long sys_fchownat(int dfd, co
-       error = __user_walk_fd(dfd, filename, follow, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -705,7 +760,7 @@ asmlinkage long sys_lchown(const char __
-       error = user_path_walk_link(filename, &nd);
-       if (error)
-               goto out;
--      error = chown_common(nd.path.dentry, user, group);
-+      error = chown_common(nd.path.dentry, user, group, nd.path.mnt);
-       path_put(&nd.path);
- out:
-       return error;
-@@ -724,7 +779,7 @@ asmlinkage long sys_fchown(unsigned int 
-       dentry = file->f_path.dentry;
-       audit_inode(NULL, dentry);
--      error = chown_common(dentry, user, group);
-+      error = chown_common(dentry, user, group, file->f_path.mnt);
-       fput(file);
- out:
-       return error;
 @@ -948,6 +1003,7 @@ repeat:
         * N.B. For clone tasks sharing a files structure, this test
         * will limit the total number of files that can be opened.
@@ -16073,7 +16030,7 @@ diff -urNp linux-2.6.25.4/fs/proc/array.c linux-2.6.25.4/fs/proc/array.c
 +}
 +#endif
 +
- int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
                        struct pid *pid, struct task_struct *task)
  {
 @@ -327,6 +342,11 @@ int proc_pid_status(struct seq_file *m, 
@@ -16155,9 +16112,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 --- linux-2.6.25.4/fs/proc/base.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/base.c      2008-05-18 13:33:16.000000000 -0400
 @@ -76,6 +76,8 @@
- #include <linux/oom.h>
- #include <linux/elf.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
 +#include <linux/grsecurity.h>
 +
  #include "internal.h"
@@ -16221,8 +16178,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
                inode->i_gid = task->egid;
 +#endif
        }
-       security_task_to_inode(task, inode);
+       /* procfs is xid tagged */
+       inode->i_tag = (tag_t)vx_task_xid(task);
 @@ -1304,17 +1310,45 @@ static int pid_getattr(struct vfsmount *
  {
        struct inode *inode = dentry->d_inode;
@@ -16324,9 +16281,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 +      if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
 +              goto out;
 +
-       /*
-        * Yes, it does not scale. And it should not. Don't add
-        * new entries into /proc/<tgid>/ without very good reasons.
+       /* TODO: maybe we can come up with a generic approach? */
+       if (task_vx_flags(task, VXF_HIDE_VINFO, 0) &&
+               (dentry->d_name.len == 5) &&
 @@ -1877,6 +1934,9 @@ static int proc_pident_readdir(struct fi
        if (!task)
                goto out_no_task;
@@ -16348,9 +16305,9 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
  
  out:
 @@ -2350,6 +2413,9 @@ static const struct pid_entry tgid_base_
- #ifdef CONFIG_TASK_IO_ACCOUNTING
        INF("io",       S_IRUGO, pid_io_accounting),
  #endif
+       ONE("nsproxy",  S_IRUGO, pid_nsproxy),
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +      INF("ipaddr",     S_IRUSR, pid_ipaddr),
 +#endif
@@ -16387,7 +16344,7 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 @@ -2587,6 +2664,9 @@ int proc_pid_readdir(struct file * filp,
  {
        unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-       struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+       struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
 +      struct task_struct *tmp = current;
 +#endif
@@ -16410,8 +16367,8 @@ diff -urNp linux-2.6.25.4/fs/proc/base.c linux-2.6.25.4/fs/proc/base.c
 +                      continue;
 +
                filp->f_pos = iter.tgid + TGID_OFFSET;
-               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
-                       put_task_struct(iter.task);
+               if (!vx_proc_task_visible(iter.task))
+                       continue;
 diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
 --- linux-2.6.25.4/fs/proc/inode.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/inode.c     2008-05-18 13:33:16.000000000 -0400
@@ -16425,22 +16382,22 @@ diff -urNp linux-2.6.25.4/fs/proc/inode.c linux-2.6.25.4/fs/proc/inode.c
                                inode->i_gid = de->gid;
 +#endif
                        }
-                       if (de->size)
-                               inode->i_size = de->size;
+               if (de->vx_flags)
+                       PROC_I(inode)->vx_flags = de->vx_flags;
 diff -urNp linux-2.6.25.4/fs/proc/internal.h linux-2.6.25.4/fs/proc/internal.h
 --- linux-2.6.25.4/fs/proc/internal.h  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/internal.h  2008-05-18 13:33:16.000000000 -0400
 @@ -57,6 +57,10 @@ extern int proc_pid_status(struct seq_fi
                                struct pid *pid, struct task_struct *task);
- extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
                                struct pid *pid, struct task_struct *task);
 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
 +extern int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns,
 +                              struct pid *pid, struct task_struct *task);
 +#endif
  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
  
- extern const struct file_operations proc_maps_operations;
 diff -urNp linux-2.6.25.4/fs/proc/proc_misc.c linux-2.6.25.4/fs/proc/proc_misc.c
 --- linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/proc_misc.c 2008-05-18 13:33:16.000000000 -0400
@@ -16616,9 +16573,9 @@ diff -urNp linux-2.6.25.4/fs/proc/root.c linux-2.6.25.4/fs/proc/root.c
 +#else
        proc_bus = proc_mkdir("bus", NULL);
 +#endif
+       proc_vx_init();
        proc_sys_init();
  }
 diff -urNp linux-2.6.25.4/fs/proc/task_mmu.c linux-2.6.25.4/fs/proc/task_mmu.c
 --- linux-2.6.25.4/fs/proc/task_mmu.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/proc/task_mmu.c  2008-05-18 13:33:16.000000000 -0400
@@ -16979,9 +16936,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
 --- linux-2.6.25.4/fs/utimes.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/fs/utimes.c 2008-05-18 13:33:16.000000000 -0400
 @@ -7,6 +7,7 @@
- #include <linux/stat.h>
- #include <linux/utime.h>
  #include <linux/syscalls.h>
+ #include <linux/mount.h>
+ #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
@@ -16994,7 +16951,7 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
        struct inode *inode;
        struct iattr newattrs;
        struct file *f = NULL;
-@@ -84,12 +86,14 @@ long do_utimes(int dfd, char __user *fil
+@@ -84,6 +86,7 @@ long do_utimes(int dfd, char __user *fil
                if (!f)
                        goto out;
                dentry = f->f_path.dentry;
@@ -17002,8 +16959,9 @@ diff -urNp linux-2.6.25.4/fs/utimes.c linux-2.6.25.4/fs/utimes.c
        } else {
                error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
                if (error)
-                       goto out;
+@@ -90,6 +93,7 @@ long do_utimes(int dfd, char __user *fil
+               if (error)
+                       goto dput_and_out;
                dentry = nd.path.dentry;
 +              mnt = nd.path.mnt;
        }
@@ -30157,9 +30115,9 @@ diff -urNp linux-2.6.25.4/ipc/msg.c linux-2.6.25.4/ipc/msg.c
 --- linux-2.6.25.4/ipc/msg.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/msg.c   2008-05-18 13:33:17.000000000 -0400
 @@ -37,6 +37,7 @@
- #include <linux/rwsem.h>
  #include <linux/nsproxy.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/current.h>
@@ -30197,9 +30155,9 @@ diff -urNp linux-2.6.25.4/ipc/sem.c linux-2.6.25.4/ipc/sem.c
 --- linux-2.6.25.4/ipc/sem.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/sem.c   2008-05-18 13:33:17.000000000 -0400
 @@ -83,6 +83,7 @@
- #include <linux/rwsem.h>
- #include <linux/nsproxy.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_base.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -30237,9 +30195,9 @@ diff -urNp linux-2.6.25.4/ipc/shm.c linux-2.6.25.4/ipc/shm.c
 --- linux-2.6.25.4/ipc/shm.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/ipc/shm.c   2008-05-18 13:33:17.000000000 -0400
 @@ -39,6 +39,7 @@
- #include <linux/nsproxy.h>
- #include <linux/mount.h>
  #include <linux/ipc_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
@@ -30342,14 +30300,14 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c
 --- linux-2.6.25.4/kernel/capability.c 2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/capability.c 2008-05-18 13:33:17.000000000 -0400
 @@ -13,6 +13,7 @@
- #include <linux/security.h>
  #include <linux/syscalls.h>
  #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  
  /*
-@@ -328,15 +329,25 @@ out:
+@@ -331,13 +332,22 @@ out:
  
  int __capable(struct task_struct *t, int cap)
  {
@@ -30370,8 +30328,10 @@ diff -urNp linux-2.6.25.4/kernel/capability.c linux-2.6.25.4/kernel/capability.c
 +      return 0;
 +}
 +
+ #include <linux/vserver/base.h>
  int capable(int cap)
  {
+@@ -347,3 +357,4 @@ int capable(int cap)
        return __capable(current, cap);
  }
  EXPORT_SYMBOL(capable);
@@ -30421,9 +30381,9 @@ diff -urNp linux-2.6.25.4/kernel/exit.c linux-2.6.25.4/kernel/exit.c
 --- linux-2.6.25.4/kernel/exit.c       2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/exit.c       2008-05-18 13:33:17.000000000 -0400
 @@ -44,6 +44,11 @@
- #include <linux/resource.h>
- #include <linux/blkdev.h>
- #include <linux/task_io_accounting_ops.h>
+ #include <linux/vs_network.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
 +
 +#ifdef CONFIG_GRKERNSEC
@@ -30505,9 +30465,9 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
 --- linux-2.6.25.4/kernel/fork.c       2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/fork.c       2008-05-18 13:33:17.000000000 -0400
 @@ -53,6 +53,7 @@
- #include <linux/tty.h>
- #include <linux/proc_fs.h>
- #include <linux/blkdev.h>
+ #include <linux/vs_limit.h>
+ #include <linux/vs_memory.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -30530,8 +30490,8 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
 +      mm->free_area_cache = oldmm->free_area_cache;
 +      mm->cached_hole_size = oldmm->cached_hole_size;
        mm->map_count = 0;
-       cpus_clear(mm->cpu_vm_mask);
-       mm->mm_rb = RB_ROOT;
+       __set_mm_counter(mm, file_rss, 0);
+       __set_mm_counter(mm, anon_rss, 0);
 @@ -264,6 +265,7 @@ static int dup_mmap(struct mm_struct *mm
                tmp->vm_flags &= ~VM_LOCKED;
                tmp->vm_mm = mm;
@@ -30591,15 +30551,15 @@ diff -urNp linux-2.6.25.4/kernel/fork.c linux-2.6.25.4/kernel/fork.c
  }
  
 @@ -1046,6 +1073,9 @@ static struct task_struct *copy_process(
+       DEBUG_LOCKS_WARN_ON(!p->hardirqs_enabled);
        DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
-       retval = -EAGAIN;
 +
 +      gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
 +
-       if (atomic_read(&p->user->processes) >=
-                       p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
-               if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
+       init_vx_info(&p->vx_info, current->vx_info);
+       init_nx_info(&p->nx_info, current->nx_info);
 @@ -1212,6 +1242,8 @@ static struct task_struct *copy_process(
        if (clone_flags & CLONE_THREAD)
                p->tgid = current->tgid;
@@ -31321,9 +31281,9 @@ diff -urNp linux-2.6.25.4/kernel/pid.c linux-2.6.25.4/kernel/pid.c
 --- linux-2.6.25.4/kernel/pid.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/pid.c        2008-05-18 13:33:17.000000000 -0400
 @@ -35,6 +35,7 @@
- #include <linux/pid_namespace.h>
- #include <linux/init_task.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
 +#include <linux/grsecurity.h>
  
  #define pid_hashfn(nr, ns)    \
@@ -31388,16 +31348,16 @@ diff -urNp linux-2.6.25.4/kernel/printk.c linux-2.6.25.4/kernel/printk.c
 --- linux-2.6.25.4/kernel/printk.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/printk.c     2008-05-18 13:33:17.000000000 -0400
 @@ -32,6 +32,7 @@
- #include <linux/security.h>
  #include <linux/bootmem.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/uaccess.h>
  
 @@ -299,6 +300,11 @@ int do_syslog(int type, char __user *buf
        char c;
-       int error = 0;
+       int error;
  
 +#ifdef CONFIG_GRKERNSEC_DMESG
 +      if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
@@ -31411,9 +31371,9 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c
 --- linux-2.6.25.4/kernel/ptrace.c     2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/ptrace.c     2008-05-18 13:33:17.000000000 -0400
 @@ -21,6 +21,7 @@
- #include <linux/audit.h>
  #include <linux/pid_namespace.h>
  #include <linux/syscalls.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/pgtable.h>
@@ -31431,8 +31391,8 @@ diff -urNp linux-2.6.25.4/kernel/ptrace.c linux-2.6.25.4/kernel/ptrace.c
 -      if (!dumpable && !capable(CAP_SYS_PTRACE))
 +      if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
                return -EPERM;
-       return security_ptrace(current, task);
+       if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT))
+               return -EPERM;
 @@ -203,7 +204,7 @@ repeat:
  
        /* Go */
@@ -31501,9 +31461,9 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c
 --- linux-2.6.25.4/kernel/sched.c      2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/kernel/sched.c      2008-05-18 13:33:17.000000000 -0400
 @@ -66,6 +66,7 @@
- #include <linux/unistd.h>
- #include <linux/pagemap.h>
  #include <linux/hrtimer.h>
+ #include <linux/vs_sched.h>
+ #include <linux/vs_cvirt.h>
 +#include <linux/grsecurity.h>
  
  #include <asm/tlb.h>
@@ -31515,7 +31475,7 @@ diff -urNp linux-2.6.25.4/kernel/sched.c linux-2.6.25.4/kernel/sched.c
 -      if (increment < 0 && !can_nice(current, nice))
 +      if (increment < 0 && (!can_nice(current, nice) ||
 +                            gr_handle_chroot_nice()))
-               return -EPERM;
+               return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
  
        retval = security_task_setnice(current, nice);
 @@ -5741,7 +5743,7 @@ static struct ctl_table sd_ctl_dir[] = {
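Review bot: After the rebase, a denial from `gr_handle_chroot_nice()` shares the return `vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM` with the `can_nice()` failure, so in a context where that flag is set the chroot restriction reports success instead of -EPERM. The priority is still not raised on this path, but the caller sees 0 for a request that grsecurity refused. If only the `can_nice()` failure is meant to be softened, split the test: keep `if (increment < 0 && !can_nice(current, nice))` on the vx_flags return and add `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;` after it. Otherwise a comment saying the silent-success flag deliberately covers the chroot denial would do. The enclosing function starts and ends outside the hunk.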
@@ -31545,8 +31505,8 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c
  #include <linux/pid_namespace.h>
 +#include <linux/grsecurity.h>
  #include <linux/nsproxy.h>
- #include <asm/param.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_pid.h>
 @@ -540,7 +541,9 @@ static int check_kill_permission(int sig
                    && (current->euid ^ t->suid) && (current->euid ^ t->uid)
                    && (current->uid ^ t->suid) && (current->uid ^ t->uid)
@@ -31557,7 +31517,7 @@ diff -urNp linux-2.6.25.4/kernel/signal.c linux-2.6.25.4/kernel/signal.c
 +                      return error;
        }
  
-       return security_task_kill(t, info, sig, 0);
+       error = -ESRCH;
 @@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
  
  __setup("print-fatal-signals=", setup_print_fatal_signals);
@@ -31931,7 +31891,7 @@ diff -urNp linux-2.6.25.4/kernel/time.c linux-2.6.25.4/kernel/time.c
 @@ -90,6 +91,9 @@ asmlinkage long sys_stime(time_t __user 
                return err;
  
-       do_settimeofday(&tv);
+       vx_settimeofday(&tv);
 +
 +      gr_log_timechange();
 +
@@ -32685,9 +32645,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
 --- linux-2.6.25.4/mm/mlock.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/mm/mlock.c  2008-05-18 13:33:17.000000000 -0400
 @@ -12,6 +12,7 @@
- #include <linux/syscalls.h>
  #include <linux/sched.h>
  #include <linux/module.h>
+ #include <linux/vs_memory.h>
 +#include <linux/grsecurity.h>
  
  int can_do_mlock(void)
@@ -32717,7 +32677,7 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
 +      gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
        if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
                error = do_mlock(start, len, 1);
-       up_write(&current->mm->mmap_sem);
+ out:
 @@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
  static int do_mlockall(int flags)
  {
@@ -32749,9 +32709,9 @@ diff -urNp linux-2.6.25.4/mm/mlock.c linux-2.6.25.4/mm/mlock.c
  
        ret = -ENOMEM;
 +      gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
+       if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
+               goto out;
        if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
-           capable(CAP_IPC_LOCK))
-               ret = do_mlockall(flags);
 diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 --- linux-2.6.25.4/mm/mmap.c   2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/mm/mmap.c   2008-05-18 13:33:17.000000000 -0400
@@ -33170,11 +33130,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +
        }
  out:  
-       mm->total_vm += len >> PAGE_SHIFT;
+       vx_vmpages_add(mm, len >> PAGE_SHIFT);
        vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
 +      track_exec_limit(mm, addr, addr + len, vm_flags);
        if (vm_flags & VM_LOCKED) {
-               mm->locked_vm += len >> PAGE_SHIFT;
+               vx_vmlocked_add(mm, len >> PAGE_SHIFT);
                make_pages_present(addr, addr + len);
 @@ -1217,6 +1379,12 @@ unmap_and_free_vma:
        unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
@@ -33507,9 +33467,9 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +              }
 +#endif
 +
-               mm->total_vm -= nrpages;
+               vx_vmpages_sub(mm, nrpages);
                if (vma->vm_flags & VM_LOCKED)
-                       mm->locked_vm -= nrpages;
+                       vx_vmlocked_sub(mm, nrpages);
 @@ -1768,6 +2035,16 @@ detach_vmas_to_be_unmapped(struct mm_str
  
        insertion_point = (prev ? &prev->vm_next : &mm->mmap);
@@ -33754,7 +33714,7 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
                if (locked > lock_limit && !capable(CAP_IPC_LOCK))
                        return -EAGAIN;
        }
-@@ -1978,22 +2389,22 @@ unsigned long do_brk(unsigned long addr,
+@@ -1978,23 +2389,23 @@ unsigned long do_brk(unsigned long addr,
        /*
         * Clear old maps.  this also does some error checking for us
         */
@@ -33776,8 +33736,10 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
        if (mm->map_count > sysctl_max_map_count)
                return -ENOMEM;
  
--      if (security_vm_enough_memory(len >> PAGE_SHIFT))
-+      if (security_vm_enough_memory(charged))
+-      if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
+-              !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
++      if (security_vm_enough_memory(charged) ||
++              !vx_vmpages_avail(mm, charged))
                return -ENOMEM;
  
        /* Can we just expand an old private anonymous mapping? */
@@ -33815,11 +33777,11 @@ diff -urNp linux-2.6.25.4/mm/mmap.c linux-2.6.25.4/mm/mmap.c
 +#endif
 +
  out:
--      mm->total_vm += len >> PAGE_SHIFT;
-+      mm->total_vm += charged;
+-      vx_vmpages_add(mm, len >> PAGE_SHIFT);
++      vx_vmpages_add(mm, charged);
        if (flags & VM_LOCKED) {
--              mm->locked_vm += len >> PAGE_SHIFT;
-+              mm->locked_vm += charged;
+-              vx_vmlocked_add(mm, len >> PAGE_SHIFT);
++              vx_vmlocked_add(mm, charged);
                make_pages_present(addr, addr + len);
        }
 +      track_exec_limit(mm, addr, addr + len, flags);
@@ -34618,7 +34580,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_connection_sock.c linux-2.6.25.4/net/ipv
 diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/inet_hashtables.c
 --- linux-2.6.25.4/net/ipv4/inet_hashtables.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/net/ipv4/inet_hashtables.c  2008-05-18 13:33:17.000000000 -0400
-@@ -18,11 +18,14 @@
+@@ -18,12 +18,15 @@
  #include <linux/sched.h>
  #include <linux/slab.h>
  #include <linux/wait.h>
@@ -34626,6 +34588,7 @@ diff -urNp linux-2.6.25.4/net/ipv4/inet_hashtables.c linux-2.6.25.4/net/ipv4/ine
  
  #include <net/inet_connection_sock.h>
  #include <net/inet_hashtables.h>
+ #include <net/route.h>
  #include <net/ip.h>
  
 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
@@ -35113,9 +35076,9 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c
 --- linux-2.6.25.4/net/unix/af_unix.c  2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/net/unix/af_unix.c  2008-05-18 13:33:17.000000000 -0400
 @@ -116,6 +116,7 @@
- #include <linux/mount.h>
- #include <net/checksum.h>
  #include <linux/security.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_limit.h>
 +#include <linux/grsecurity.h>
  
  static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
@@ -35157,7 +35120,7 @@ diff -urNp linux-2.6.25.4/net/unix/af_unix.c linux-2.6.25.4/net/unix/af_unix.c
 +                      goto out_mknod_dput;
 +              }
 +
-               err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
+               err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0, NULL);
                if (err)
                        goto out_mknod_dput;
 +
@@ -35210,9 +35173,9 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 --- linux-2.6.25.4/security/commoncap.c        2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/security/commoncap.c        2008-05-18 13:33:17.000000000 -0400
 @@ -24,15 +24,18 @@
- #include <linux/hugetlb.h>
  #include <linux/mount.h>
  #include <linux/sched.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  /* Global security state */
@@ -35224,7 +35187,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 +
  int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
  {
--      NETLINK_CB(skb).eff_cap = current->cap_effective;
+-      NETLINK_CB(skb).eff_cap = vx_mbcaps(current->cap_effective);
 +      NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
        return 0;
  }
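Review bot: The new line in `cap_netlink_send()` drops the `vx_mbcaps()` mask that the removed line applied, so `eff_cap` becomes whatever `gr_cap_rtnetlink(sk)` returns. That helper's body is not in this hunk; unless it applies the context capability mask itself, netlink messages sent from inside a guest context could carry capabilities the context is not meant to hold. If both filters are intended, keep the mask around the new call, e.g. `NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));` (assuming the helper returns a `kernel_cap_t`). Otherwise add a comment explaining why the mask is no longer needed.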
@@ -35233,8 +35196,8 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
  int cap_capable (struct task_struct *tsk, int cap)
  {
        /* Derived from include/linux/sched.h:capable. */
--      if (cap_raised(tsk->cap_effective, cap))
-+      if (cap_raised (tsk->cap_effective, cap))
+-      if (vx_cap_raised(vxi, tsk->cap_effective, cap))
++      if (vx_cap_raised (vxi, tsk->cap_effective, cap))
 +              return 0;
 +      return -EPERM;
 +}
@@ -35242,7 +35205,7 @@ diff -urNp linux-2.6.25.4/security/commoncap.c linux-2.6.25.4/security/commoncap
 +int cap_capable_nolog (struct task_struct *tsk, int cap)
 +{
 +      /* tsk = current for all callers */
-+      if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
++      if (vx_cap_raised(tsk->vx_info, tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
                return 0;
        return -EPERM;
  }
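Review bot: `cap_capable_nolog()` reads the context mask through `tsk->vx_info` but calls `gr_is_capable_nolog(cap)` with no task argument, so the two halves of the test presumably describe the same task only when `tsk` is `current`. The in-code comment states that assumption but nothing enforces it. A guard such as `WARN_ON(tsk != current);` at the top of the function, or a header comment stating the contract, would stop a later caller that passes another task from getting a mixed answer.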
@@ -35282,9 +35245,9 @@ diff -urNp linux-2.6.25.4/security/dummy.c linux-2.6.25.4/security/dummy.c
 --- linux-2.6.25.4/security/dummy.c    2008-05-15 11:00:12.000000000 -0400
 +++ linux-2.6.25.4/security/dummy.c    2008-05-18 13:33:17.000000000 -0400
 @@ -27,6 +27,7 @@
- #include <linux/hugetlb.h>
  #include <linux/ptrace.h>
  #include <linux/file.h>
+ #include <linux/vs_context.h>
 +#include <linux/grsecurity.h>
  
  static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)