- obsolete

[packages/kernel.git] / grsecurity-nopax-2.0-rc3-2.4.22.patch

diff -urN linux-2.4.22/Documentation/Configure.help linux-2.4.22/Documentation/Configure.help
--- linux-2.4.22/Documentation/Configure.help   2003-09-01 22:19:45.000000000 -0400
+++ linux-2.4.22/Documentation/Configure.help   2003-09-02 19:29:41.000000000 -0400
@@ -2725,6 +2725,20 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
+stealth networking support
+CONFIG_IP_NF_MATCH_STEALTH
+  Enabling this option will drop all syn packets coming to unserved tcp
+  ports as well as all packets coming to unserved udp ports.  If you
+  are using your system to route any type of packets (ie. via NAT)
+  you should put this module at the end of your ruleset, since it will 
+  drop packets that aren't going to ports that are listening on your 
+  machine itself, it doesn't take into account that the packet might be 
+  destined for someone on your internal network if you're using NAT for 
+  instance.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 MAC address match support
 CONFIG_IP_NF_MATCH_MAC
   MAC matching allows you to match packets based on the source
@@ -22263,6 +22277,609 @@
 
   "Area6" will work for most boards. For ADX, select "Area5".
 
+Grsecurity
+CONFIG_GRKERNSEC
+  If you say Y here, you will be able to configure many features that
+  will enhance the security of your system.  It is highly recommended
+  that you say Y here and read through the help for each option so
+  you fully understand the features and can evaluate their usefulness
+  for your machine.
+
+Additional security levels
+CONFIG_GRKERNSEC_LOW
+
+  Low additional security
+  -----------------------------------------------------------------------
+  If you choose this option, several of the grsecurity options will
+  be enabled that will give you greater protection against a number
+  of attacks, while assuring that none of your software will have any 
+  conflicts with the additional security measures.  If you run a lot of 
+  unusual software, or you are having problems with the higher security 
+  levels, you should say Y here.  With this option, the following features
+  are enabled:
+  
+  linking restrictions
+  fifo restrictions
+  random pids
+  enforcing nproc on execve()
+  restricted dmesg
+  random ip ids
+  enforced chdir("/") on chroot
+
+  Medium additional security
+  -----------------------------------------------------------------------
+  If you say Y here, several features in addition to those included in the 
+  low additional security level will be enabled.  These features provide
+  even more security to your system, though in rare cases they may
+  be incompatible with very old or poorly written software.  If you 
+  enable this option, make sure that your auth service (identd) is 
+  running as gid 10 (usually group wheel). With this option the following 
+  features (in addition to those provided in the low additional security 
+  level) will be enabled:
+
+  random tcp source ports
+  altered ping ids
+  failed fork logging
+  time change logging
+  signal logging
+  deny mounts in chroot
+  deny double chrooting
+  deny sysctl writes in chroot
+  deny mknod in chroot
+  deny access to abstract AF_UNIX sockets out of chroot
+  deny pivot_root in chroot
+  denied writes of /dev/kmem, /dev/mem, and /dev/port
+  /proc restrictions with special gid set to 10 (usually wheel)
+  address space layout randomization
+
+  High additional security
+  ----------------------------------------------------------------------
+  If you say Y here, many of the features of grsecurity will be enabled,
+  that will protect you against many kinds of attacks against
+  your system.  The heightened security comes at a cost of an 
+  increased chance of incompatibilities with rare software on your 
+  machine.  It is highly recommended that you view 
+  <http://grsecurity.net/features.htm> and read about each option.
+  Also remember that since the /proc restrictions are 
+  enabled, you must run your identd as group wheel (gid 10).  
+  This security level enables the following features in addition to those
+  listed in the low and medium security levels:
+
+  additional /proc restrictions
+  chmod restrictions in chroot
+  no signals, ptrace, or viewing processes outside of chroot
+  capability restrictions in chroot
+  deny fchdir out of chroot
+  priority restrictions in chroot
+  mprotect restrictions
+  removal of /proc/<pid>/[maps|mem]
+  kernel stack randomization
+  mount/unmount/remount logging
+  kernel symbol hiding
+
+Customized additional security
+CONFIG_GRKERNSEC_CUSTOM
+  If you say Y here, you will be able to configure every grsecurity 
+  option, which allows you to enable many more features that aren't 
+  covered in the basic security levels.  These additional features include 
+  TPE, socket restrictions, and the sysctl system for grsecurity.  It is 
+  advised that you read through the help for each option to determine its 
+  usefulness in your situation.
+
+Deny writing to /dev/kmem, /dev/mem, and /dev/port
+CONFIG_GRKERNSEC_KMEM
+  If you say Y here, /dev/kmem and /dev/mem won't be allowed to
+  be written to via mmap or otherwise to modify the running kernel.
+  /dev/port will also not be allowed to be opened. If you have module
+  support disabled, enabling this will close up four ways that are
+  currently used  to insert malicious code into the running kernel.
+  Even with all these features enabled, we still highly recommend that
+  you use the ACL system, as it is still possible for an attacker to 
+  modify the running kernel through privileged I/O granted by ioperm/iopl.
+  If you are not using XFree86, you may be able to stop this additional
+  case by enabling the 'Disable privileged I/O' option. Though nothing
+  legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
+  but only to video memory, which is the only writing we allow in this
+  case.  If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
+  not be allowed to mprotect it with PROT_WRITE later.
+  Enabling this feature could make certain apps like VMWare stop working,
+  as they need to write to other locations in /dev/mem.
+  It is highly recommended that you say Y here if you meet all the 
+  conditions above.
+
+Disable privileged I/O
+CONFIG_GRKERNSEC_IO
+  If you say Y here, all ioperm and iopl calls will return an error.
+  Ioperm and iopl can be used to modify the running kernel.
+  Unfortunately, some programs need this access to operate properly,
+  the most notable of which are XFree86 and hwclock.  hwclock can be
+  remedied by having RTC support in the kernel, so CONFIG_RTC is
+  enabled if this option is enabled, to ensure that hwclock operates
+  correctly.  XFree86 still will not operate correctly with this option
+  enabled, so DO NOT CHOOSE Y IF YOU USE XFree86.  If you use XFree86
+  and you still want to protect your kernel against modification,
+  use the ACL system.
+
+Hide kernel symbols
+CONFIG_GRKERNSEC_HIDESYM
+  If you say Y here, getting information on loaded modules, and 
+  displaying all kernel symbols through a syscall will be restricted
+  to users with CAP_SYS_MODULE.  This option is only effective 
+  provided the following conditions are met:
+  1) The kernel using grsecurity is not precompiled by some distribution
+  2) You are using the ACL system and hiding other files such as your
+     kernel image and System.map
+  3) You have the additional /proc restrictions enabled, which removes
+     /proc/kcore
+  If the above conditions are met, this option will aid to provide a
+  useful protection against local and remote kernel exploitation of
+  overflows and arbitrary read/write vulnerabilities.
+
+/proc/<pid>/ipaddr support
+CONFIG_GRKERNSEC_PROC_IPADDR
+  If you say Y here, a new entry will be added to each /proc/<pid>
+  directory that contains the IP address of the person using the task.
+  The IP is carried across local TCP and AF_UNIX stream sockets.
+  This information can be useful for IDS/IPSes to perform remote response
+  to a local attack.  The entry is readable by only the owner of the 
+  process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
+  the RBAC system), and thus does not create privacy concerns.
+
+Proc Restrictions
+CONFIG_GRKERNSEC_PROC
+  If you say Y here, the permissions of the /proc filesystem
+  will be altered to enhance system security and privacy.  Depending
+  upon the options you choose, you can either restrict users to see
+  only the processes they themselves run, or choose a group that can
+  view all processes and files normally restricted to root if you choose
+  the "restrict to user only" option.  NOTE: If you're running identd as 
+  a non-root user, you will have to run it as the group you specify here.
+
+Restrict /proc to user only
+CONFIG_GRKERNSEC_PROC_USER
+  If you say Y here, non-root users will only be able to view their own 
+  processes, and restricts them from viewing network-related information,  
+  and viewing kernel symbol and module information.
+
+Restrict /proc to user and group
+CONFIG_GRKERNSEC_PROC_USERGROUP
+  If you say Y here, you will be able to select a group that will be
+  able to view all processes, network-related information, and
+  kernel and symbol information.  This option is useful if you want
+  to run identd as a non-root user.
+
+Additional proc restrictions
+CONFIG_GRKERNSEC_PROC_ADD
+  If you say Y here, additional restrictions will be placed on
+  /proc that keep normal users from viewing cpu and device information.
+
+Dmesg(8) Restriction
+CONFIG_GRKERNSEC_DMESG
+  If you say Y here, non-root users will not be able to use dmesg(8)
+  to view up to the last 4kb of messages in the kernel's log buffer.
+  If the sysctl option is enabled, a sysctl option with name "dmesg" is 
+  created.
+
+Linking restrictions
+CONFIG_GRKERNSEC_LINK
+  If you say Y here, /tmp race exploits will be prevented, since users
+  will no longer be able to follow symlinks owned by other users in 
+  world-writable +t directories (i.e. /tmp), unless the owner of the 
+  symlink is the owner of the directory. users will also not be
+  able to hardlink to files they do not own.  If the sysctl option is
+  enabled, a sysctl option with name "linking_restrictions" is created.
+
+FIFO restrictions
+CONFIG_GRKERNSEC_FIFO
+  If you say Y here, users will not be able to write to FIFOs they don't
+  own in world-writable +t directories (i.e. /tmp), unless the owner of
+  the FIFO is the same owner of the directory it's held in.  If the sysctl
+  option is enabled, a sysctl option with name "fifo_restrictions" is 
+  created.
+
+Enforce RLIMIT_NPROC on execs
+CONFIG_GRKERNSEC_EXECVE
+  If you say Y here, users with a resource limit on processes will
+  have the value checked during execve() calls.  The current system
+  only checks the system limit during fork() calls.  If the sysctl option
+  is enabled, a sysctl option with name "execve_limiting" is created.
+
+Single group for auditing
+CONFIG_GRKERNSEC_AUDIT_GROUP
+  If you say Y here, the exec, chdir, (un)mount, and ipc logging features
+  will only operate on a group you specify.  This option is recommended
+  if you only want to watch certain users instead of having a large
+  amount of logs from the entire system.  If the sysctl option is enabled,
+  a sysctl option with name "audit_group" is created.
+
+GID for auditing
+CONFIG_GRKERNSEC_AUDIT_GID
+  Here you can choose the GID that will be the target of kernel auditing.
+  Remember to add the users you want to log to the GID specified here.
+  If the sysctl option is enabled, whatever you choose here won't matter. 
+  You'll have to specify the GID in your bootup script by echoing the GID 
+  to the proper /proc entry.  View the help on the sysctl option for more 
+  information.  If the sysctl option is enabled, a sysctl option with name 
+  "audit_gid" is created.
+
+Chdir logging
+CONFIG_GRKERNSEC_AUDIT_CHDIR
+  If you say Y here, all chdir() calls will be logged.  If the sysctl 
+  option is enabled, a sysctl option with name "audit_chdir" is created.
+
+(Un)Mount logging
+CONFIG_GRKERNSEC_AUDIT_MOUNT
+  If you say Y here, all mounts and unmounts will be logged.  If the 
+  sysctl option is enabled, a sysctl option with name "audit_mount" is 
+  created.
+
+IPC logging
+CONFIG_GRKERNSEC_AUDIT_IPC
+  If you say Y here, creation and removal of message queues, semaphores,
+  and shared memory will be logged.  If the sysctl option is enabled, a
+  sysctl option with name "audit_ipc" is created.
+
+Exec logging
+CONFIG_GRKERNSEC_EXECLOG
+  If you say Y here, all execve() calls will be logged (since the
+  other exec*() calls are frontends to execve(), all execution
+  will be logged).  Useful for shell-servers that like to keep track
+  of their users.  If the sysctl option is enabled, a sysctl option with
+  name "exec_logging" is created.
+  WARNING: This option when enabled will produce a LOT of logs, especially
+  on an active system.
+
+Resource logging
+CONFIG_GRKERNSEC_RESLOG
+  If you say Y here, all attempts to overstep resource limits will
+  be logged with the resource name, the requested size, and the current
+  limit.  It is highly recommended that you say Y here.
+
+Signal logging
+CONFIG_GRKERNSEC_SIGNAL
+  If you say Y here, certain important signals will be logged, such as
+  SIGSEGV, which will as a result inform you of when a error in a program
+  occurred, which in some cases could mean a possible exploit attempt.
+  If the sysctl option is enabled, a sysctl option with name 
+  "signal_logging" is created.
+
+Fork failure logging
+CONFIG_GRKERNSEC_FORKFAIL
+  If you say Y here, all failed fork() attempts will be logged.
+  This could suggest a fork bomb, or someone attempting to overstep
+  their process limit.  If the sysctl option is enabled, a sysctl option
+  with name "forkfail_logging" is created.
+
+Time change logging
+CONFIG_GRKERNSEC_TIME
+  If you say Y here, any changes of the system clock will be logged.
+  If the sysctl option is enabled, a sysctl option with name 
+  "timechange_logging" is created.
+
+Chroot jail restrictions
+CONFIG_GRKERNSEC_CHROOT
+  If you say Y here, you will be able to choose several options that will
+  make breaking out of a chrooted jail much more difficult.  If you
+  encounter no software incompatibilities with the following options, it
+  is recommended that you enable each one.
+
+Deny access to abstract AF_UNIX sockets out of chroot
+CONFIG_GRKERNSEC_CHROOT_UNIX
+  If you say Y here, processes inside a chroot will not be able to
+  connect to abstract (meaning not belonging to a filesystem) Unix
+  domain sockets that were bound outside of a chroot.  It is recommended
+  that you say Y here.  If the sysctl option is enabled, a sysctl option
+  with name "chroot_deny_unix" is created.
+
+Deny shmat() out of chroot
+CONFIG_GRKERNSEC_CHROOT_SHMAT
+  If you say Y here, processes inside a chroot will not be able to attach
+  to shared memory segments that were created outside of the chroot jail.
+  It is recommended that you say Y here.  If the sysctl option is enabled,
+  a sysctl option with name "chroot_deny_shmat" is created.
+
+Protect outside processes
+CONFIG_GRKERNSEC_CHROOT_FINDTASK
+  If you say Y here, processes inside a chroot will not be able to
+  kill, send signals with fcntl, ptrace, capget, setpgid, getpgid, 
+  getsid, or view any process outside of the chroot.  If the sysctl 
+  option is enabled, a sysctl option with name "chroot_findtask" is 
+  created.
+
+Deny mounts in chroot
+CONFIG_GRKERNSEC_CHROOT_MOUNT
+  If you say Y here, processes inside a chroot will not be able to
+  mount or remount filesystems.  If the sysctl option is enabled, a 
+  sysctl option with name "chroot_deny_mount" is created.
+
+Deny pivot_root in chroot
+CONFIG_GRKERNSEC_CHROOT_PIVOT
+  If you say Y here, processes inside a chroot will not be able to use
+  a function called pivot_root() that was introduced in Linux 2.3.41.  It 
+  works similar to chroot in that it changes the root filesystem.  This 
+  function could be misused in a chrooted process to attempt to break out 
+  of the chroot, and therefore should not be allowed.  If the sysctl 
+  option is enabled, a sysctl option with name "chroot_deny_pivot" is 
+  created.
+
+Deny double-chroots
+CONFIG_GRKERNSEC_CHROOT_DOUBLE
+  If you say Y here, processes inside a chroot will not be able to chroot
+  again.  This is a widely used method of breaking out of a chroot jail
+  and should not be allowed.  If the sysctl option is enabled, a sysctl
+  option with name "chroot_deny_chroot" is created.
+
+Deny fchdir outside of chroot
+CONFIG_GRKERNSEC_CHROOT_FCHDIR
+  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+  to a file descriptor of the chrooting process that points to a directory
+  outside the filesystem will be stopped.  If the sysctl option
+  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+
+Enforce chdir("/") on all chroots
+CONFIG_GRKERNSEC_CHROOT_CHDIR
+  If you say Y here, the current working directory of all newly-chrooted
+  applications will be set to the the root directory of the chroot.
+  The man page on chroot(2) states:
+  Note that this call does not change  the  current  working
+  directory,  so  that `.' can be outside the tree rooted at
+  `/'.  In particular, the  super-user  can  escape  from  a
+  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.  
+
+  It is recommended that you say Y here, since it's not known to break
+  any software.  If the sysctl option is enabled, a sysctl option with
+  name "chroot_enforce_chdir" is created.
+
+Deny (f)chmod +s in chroot
+CONFIG_GRKERNSEC_CHROOT_CHMOD
+  If you say Y here, processes inside a chroot will not be able to chmod
+  or fchmod files to make them have suid or sgid bits.  This protects 
+  against another published method of breaking a chroot.  If the sysctl 
+  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+  created.
+
+Deny mknod in chroot
+CONFIG_GRKERNSEC_CHROOT_MKNOD
+  If you say Y here, processes inside a chroot will not be allowed to
+  mknod.  The problem with using mknod inside a chroot is that it
+  would allow an attacker to create a device entry that is the same
+  as one on the physical root of your system, which could range from
+  anything from the console device to a device for your harddrive (which
+  they could then use to wipe the drive or steal data).  It is recommended
+  that you say Y here, unless you run into software incompatibilities.
+  If the sysctl option is enabled, a sysctl option with name
+  "chroot_deny_mknod" is created.
+
+Restrict priority changes in chroot
+CONFIG_GRKERNSEC_CHROOT_NICE
+  If you say Y here, processes inside a chroot will not be able to raise
+  the priority of processes in the chroot, or alter the priority of 
+  processes outside the chroot.  This provides more security than simply
+  removing CAP_SYS_NICE from the process' capability set.  If the
+  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+  is created.
+
+Log all execs within chroot
+CONFIG_GRKERNSEC_CHROOT_EXECLOG
+  If you say Y here, all executions inside a chroot jail will be logged 
+  to syslog.  This can cause a large amount of logs if certain
+  applications (eg. djb's daemontools) are installed on the system, and
+  is therefore left as an option.  If the sysctl option is enabled, a 
+  sysctl option with name "chroot_execlog" is created.
+
+Deny sysctl writes in chroot
+CONFIG_GRKERNSEC_CHROOT_SYSCTL
+  If you say Y here, an attacker in a chroot will not be able to
+  write to sysctl entries, either by sysctl(2) or through a /proc
+  interface.  It is strongly recommended that you say Y here. If the
+  sysctl option is enabled, a sysctl option with name 
+  "chroot_deny_sysctl" is created.
+
+Chroot jail capability restrictions
+CONFIG_GRKERNSEC_CHROOT_CAPS
+  If you say Y here, the capabilities on all root processes within a
+  chroot jail will be lowered to stop module insertion, raw i/o,
+  system and net admin tasks, rebooting the system, modifying immutable 
+  files, modifying IPC owned by another, and changing the system time.
+  This is left an option because it can break some apps.  Disable this
+  if your chrooted apps are having problems performing those kinds of
+  tasks.  If the sysctl option is enabled, a sysctl option with
+  name "chroot_caps" is created.
+
+Trusted path execution
+CONFIG_GRKERNSEC_TPE
+  If you say Y here, you will be able to choose a gid to add to the
+  supplementary groups of users you want to mark as "untrusted."
+  These users will not be able to execute any files that are not in
+  root-owned directories writable only by root.  If the sysctl option
+  is enabled, a sysctl option with name "tpe" is created.
+
+Group for trusted path execution
+CONFIG_GRKERNSEC_TPE_GID
+  Here you can choose the GID to enable trusted path protection for.
+  Remember to add the users you want protection enabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "tpe_gid" is created.
+
+Partially restrict non-root users
+CONFIG_GRKERNSEC_TPE_ALL
+  If you say Y here, All non-root users other than the ones in the 
+  group specified in the main TPE option will only be allowed to
+  execute files in directories they own that are not group or
+  world-writable, or in directories owned by root and writable only by
+  root.  If the sysctl option is enabled, a sysctl option with name 
+  "tpe_restrict_all" is created.
+
+Randomized PIDs
+CONFIG_GRKERNSEC_RANDPID
+  If you say Y here, all PIDs created on the system will be
+  pseudo-randomly generated.  This is extremely effective along
+  with the /proc restrictions to disallow an attacker from guessing
+  pids of daemons, etc.  PIDs are also used in some cases as part
+  of a naming system for temporary files, so this option would keep
+  those filenames from being predicted as well.  We also use code
+  to make sure that PID numbers aren't reused too soon.  If the sysctl
+  option is enabled, a sysctl option with name "rand_pids" is created.
+
+Larger entropy pools
+CONFIG_GRKERNSEC_RANDNET
+  If you say Y here, the entropy pools used for many features of Linux
+  and grsecurity will be doubled in size.  Since several grsecurity 
+  features use additional randomness, it is recommended that you say Y 
+  here.  Saying Y here has a similar effect as modifying
+  /proc/sys/kernel/random/poolsize.
+
+Truly random TCP ISN selection
+CONFIG_GRKERNSEC_RANDISN
+  If you say Y here, Linux's default selection of TCP Initial Sequence
+  Numbers (ISNs) will be replaced with that of OpenBSD.  Linux uses
+  an MD4 hash based on the connection plus a time value to create the
+  ISN, while OpenBSD's selection is random.  If the sysctl option is 
+  enabled, a sysctl option with name "rand_isns" is created.
+
+Randomized IP IDs
+CONFIG_GRKERNSEC_RANDID
+  If you say Y here, all the id field on all outgoing packets
+  will be randomized.  This hinders os fingerprinters and
+  keeps your machine from being used as a bounce for an untraceable
+  portscan.  Ids are used for fragmented packets, fragments belonging
+  to the same packet have the same id.  By default linux only
+  increments the id value on each packet sent to an individual host.
+  We use a port of the OpenBSD random ip id code to achieve the
+  randomness, while keeping the possibility of id duplicates to
+  near none.  If the sysctl option is enabled, a sysctl option with name
+  "rand_ip_ids" is created.
+
+Randomized TCP source ports
+CONFIG_GRKERNSEC_RANDSRC
+  If you say Y here, situations where a source port is generated on the
+  fly for the TCP protocol (ie. with connect() ) will be altered so that
+  the source port is generated at random, instead of a simple incrementing
+  algorithm.  If the sysctl option is enabled, a sysctl option with name
+  "rand_tcp_src_ports" is created.
+
+Randomized RPC XIDs
+CONFIG_GRKERNSEC_RANDRPC
+  If you say Y here, the method of determining XIDs for RPC requests will
+  be randomized, instead of using linux's default behavior of simply
+  incrementing the XID.  If you want your RPC connections to be more
+  secure, say Y here.  If the sysctl option is enabled, a sysctl option 
+  with name "rand_rpc" is created.
+
+Socket restrictions
+CONFIG_GRKERNSEC_SOCKET
+  If you say Y here, you will be able to choose from several options.
+  If you assign a GID on your system and add it to the supplementary
+  groups of users you want to restrict socket access to, this patch
+  will perform up to three things, based on the option(s) you choose.
+
+Deny all socket access
+CONFIG_GRKERNSEC_SOCKET_ALL
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine or run server
+  applications from your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_all" is created.
+
+Group for disabled socket access
+CONFIG_GRKERNSEC_SOCKET_ALL_GID
+  Here you can choose the GID to disable socket access for. Remember to 
+  add the users you want socket access disabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_all_gid" is created.
+
+Deny all client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine, but will be
+  able to run servers.  If this option is enabled, all users in the group
+  you specify will have to use passive mode when initiating ftp transfers
+  from the shell on your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_client" is created.
+
+Group for disabled client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID
+  Here you can choose the GID to disable client socket access for. 
+  Remember to add the users you want client socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_client_gid" is created.
+
+Deny all server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to run server applications from your machine.  If the sysctl 
+  option is enabled, a sysctl option with name "socket_server" is created.
+
+Group for disabled server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID
+  Here you can choose the GID to disable server socket access for. 
+  Remember to add the users you want server socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_server_gid" is created.
+
+Sysctl support
+CONFIG_GRKERNSEC_SYSCTL
+  If you say Y here, you will be able to change the options that
+  grsecurity runs with at bootup, without having to recompile your
+  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
+  to enable (1) or disable (0) various features.  All the sysctl entries
+  are mutable until the "grsec_lock" entry is set to a non-zero value.
+  All features are disabled by default. Please note that this option could 
+  reduce the effectiveness of the added security of this patch if an ACL 
+  system is not put in place.  Your init scripts should be read-only, and 
+  root should not have access to adding modules or performing raw i/o 
+  operations.  All options should be set at startup, and the grsec_lock 
+  entry should be set to a non-zero value after all the options are set.  
+  *THIS IS EXTREMELY IMPORTANT*
+
+Number of burst messages
+CONFIG_GRKERNSEC_FLOODBURST
+  This option allows you to choose the maximum number of messages allowed
+  within the flood time interval you chose in a separate option.  The 
+  default should be suitable for most people, however if you find that 
+  many of your logs are being interpreted as flooding, you may want to 
+  raise this value.
+
+Seconds in between log messages
+CONFIG_GRKERNSEC_FLOODTIME
+  This option allows you to enforce the number of seconds between
+  grsecurity log messages.  The default should be suitable for most 
+  people, however, if you choose to change it, choose a value small enough
+  to allow informative logs to be produced, but large enough to
+  prevent flooding.
+
+Hide kernel processes
+CONFIG_GRKERNSEC_ACL_HIDEKERN
+  If you say Y here, when the ACL system is enabled via gradm -E,
+  an additional ACL will be passed to the kernel that hides all kernel
+  processes.  These processes will only be viewable by the authenticated
+  admin, or processes that have viewing access set.
+
+Maximum tries before password lockout
+CONFIG_GRKERNSEC_ACL_MAXTRIES
+  This option enforces the maximum number of times a user can attempt
+  to authorize themselves with the grsecurity ACL system before being
+  denied the ability to attempt authorization again for a specified time.  
+  The lower the number, the harder it will be to brute-force a password.
+
+Time to wait after max password tries, in seconds
+CONFIG_GRKERNSEC_ACL_TIMEOUT
+  This option specifies the time the user must wait after attempting to 
+  authorize to the ACL system with the maximum number of invalid 
+  passwords.  The higher the number, the harder it will be to brute-force 
+  a password.
+
 Disable data cache
 CONFIG_DCACHE_DISABLE
   This option allows you to run the kernel with data cache disabled.
diff -urN linux-2.4.22/Makefile linux-2.4.22/Makefile
--- linux-2.4.22/Makefile       2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/Makefile       2003-09-02 19:29:41.000000000 -0400
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 4
 SUBLEVEL = 22
-EXTRAVERSION =
+EXTRAVERSION = -grsec
 
 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 
@@ -126,9 +126,10 @@
 
 CORE_FILES     =kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o
 NETWORKS       =net/network.o
+GRSECURITY     =grsecurity/grsec.o
 
 LIBS           =$(TOPDIR)/lib/lib.a
-SUBDIRS                =kernel drivers mm fs net ipc lib crypto
+SUBDIRS                =kernel drivers mm fs net ipc lib crypto grsecurity
 
 DRIVERS-n :=
 DRIVERS-y :=
@@ -270,7 +271,7 @@
 
 export CPPFLAGS CFLAGS CFLAGS_KERNEL AFLAGS AFLAGS_KERNEL
 
-export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS
+export NETWORKS DRIVERS LIBS HEAD LDFLAGS LINKFLAGS MAKEBOOT ASFLAGS GRSECURITY
 
 .S.s:
        $(CPP) $(AFLAGS) $(AFLAGS_KERNEL) -traditional -o $*.s $<
@@ -289,6 +290,7 @@
                $(CORE_FILES) \
                $(DRIVERS) \
                $(NETWORKS) \
+               $(GRSECURITY) \
                $(LIBS) \
                --end-group \
                -o vmlinux
diff -urN linux-2.4.22/arch/alpha/config.in linux-2.4.22/arch/alpha/config.in
--- linux-2.4.22/arch/alpha/config.in   2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/alpha/config.in   2003-09-02 19:29:41.000000000 -0400
@@ -457,3 +457,12 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux-2.4.22/arch/alpha/kernel/osf_sys.c linux-2.4.22/arch/alpha/kernel/osf_sys.c
--- linux-2.4.22/arch/alpha/kernel/osf_sys.c    2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/alpha/kernel/osf_sys.c    2003-09-02 19:29:41.000000000 -0400
@@ -33,6 +33,7 @@
 #include <linux/file.h>
 #include <linux/types.h>
 #include <linux/ipc.h>
+#include <linux/grsecurity.h>
 
 #include <asm/fpu.h>
 #include <asm/io.h>
@@ -240,6 +246,13 @@
                if (!file)
                        goto out;
        }
+
+       if(gr_handle_mmap(file, prot)) {
+               fput(file);
+               ret = -EACCES;
+               goto out;
+       }
+
        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
        down_write(&current->mm->mmap_sem);
        ret = do_mmap(file, addr, len, prot, flags, off);
diff -urN linux-2.4.22/arch/alpha/kernel/ptrace.c linux-2.4.22/arch/alpha/kernel/ptrace.c
--- linux-2.4.22/arch/alpha/kernel/ptrace.c     2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/alpha/kernel/ptrace.c     2003-09-02 19:29:41.000000000 -0400
@@ -13,6 +13,7 @@
 #include <linux/ptrace.h>
 #include <linux/user.h>
 #include <linux/slab.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -275,6 +276,10 @@
        read_unlock(&tasklist_lock);
        if (!child)
                goto out_notsk;
+
+       if(gr_handle_ptrace(child, request))
+               goto out;
+
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out;
diff -urN linux-2.4.22/arch/arm/config.in linux-2.4.22/arch/arm/config.in
--- linux-2.4.22/arch/arm/config.in     2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/arm/config.in     2003-09-02 19:29:41.000000000 -0400
@@ -734,3 +734,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/cris/config.in linux-2.4.22/arch/cris/config.in
--- linux-2.4.22/arch/cris/config.in    2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/cris/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -275,3 +275,12 @@
 source crypto/Config.in
 source lib/Config.in
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux-2.4.22/arch/i386/config.in linux-2.4.22/arch/i386/config.in
--- linux-2.4.22/arch/i386/config.in    2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/i386/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -480,3 +480,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/i386/kernel/ioport.c linux-2.4.22/arch/i386/kernel/ioport.c
--- linux-2.4.22/arch/i386/kernel/ioport.c      2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/i386/kernel/ioport.c      2003-09-02 19:29:41.000000000 -0400
@@ -14,6 +14,7 @@
 #include <linux/smp.h>
 #include <linux/smp_lock.h>
 #include <linux/stddef.h>
+#include <linux/grsecurity.h>
 
 /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
 static void set_bitmap(unsigned long *bitmap, short base, short extent, int new_value)
@@ -59,8 +60,16 @@
 
        if ((from + num <= from) || (from + num > IO_BITMAP_SIZE*32))
                return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_IO
+       if (turn_on) {
+               gr_handle_ioperm();
+#else
        if (turn_on && !capable(CAP_SYS_RAWIO))
+#endif
                return -EPERM;
+#ifdef CONFIG_GRKERNSEC_IO
+       }
+#endif
        /*
         * If it's the first ioperm() call in this thread's lifetime, set the
         * IO bitmap up. ioperm() is much less timing critical than clone(),
@@ -109,8 +118,13 @@
                return -EINVAL;
        /* Trying to gain more privileges? */
        if (level > old) {
+#ifdef CONFIG_GRKERNSEC_IO
+               gr_handle_iopl();
+               return -EPERM;
+#else
                if (!capable(CAP_SYS_RAWIO))
                        return -EPERM;
+#endif
        }
        regs->eflags = (regs->eflags & 0xffffcfff) | (level << 12);
        return 0;
diff -urN linux-2.4.22/arch/i386/kernel/ptrace.c linux-2.4.22/arch/i386/kernel/ptrace.c
--- linux-2.4.22/arch/i386/kernel/ptrace.c      2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/i386/kernel/ptrace.c      2003-09-02 19:29:41.000000000 -0400
@@ -13,6 +13,7 @@
 #include <linux/errno.h>
 #include <linux/ptrace.h>
 #include <linux/user.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -177,6 +178,9 @@
        if (pid == 1)           /* you may not mess with init */
                goto out_tsk;
 
+       if(gr_handle_ptrace(child, request))
+               goto out_tsk;
+
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out_tsk;
@@ -256,6 +260,17 @@
                          if(addr < (long) &dummy->u_debugreg[4] &&
                             ((unsigned long) data) >= TASK_SIZE-3) break;
                          
+#ifdef CONFIG_GRKERNSEC
+                         if(addr >= (long) &dummy->u_debugreg[0] &&
+                            addr <= (long) &dummy->u_debugreg[3]){
+                                 long reg   = (addr - (long) &dummy->u_debugreg[0]) >> 2;
+                                 long type  = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
+                                 long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
+                                 if((type & 1) && (data & align))
+                                       break;
+                         }
+#endif
+
                          if(addr == (long) &dummy->u_debugreg[7]) {
                                  data &= ~DR_CONTROL_RESERVED;
                                  for(i=0; i<4; i++)
diff -urN linux-2.4.22/arch/i386/kernel/sys_i386.c linux-2.4.22/arch/i386/kernel/sys_i386.c
--- linux-2.4.22/arch/i386/kernel/sys_i386.c    2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/i386/kernel/sys_i386.c    2003-09-02 19:29:41.000000000 -0400
@@ -18,6 +18,7 @@
 #include <linux/mman.h>
 #include <linux/file.h>
 #include <linux/utsname.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/ipc.h>
@@ -55,6 +61,12 @@
                        goto out;
        }
 
+       if(gr_handle_mmap(file, prot)) {
+               fput(file);
+               error = -EACCES;
+               goto out;
+       }
+
        down_write(&mm->mmap_sem);
        error = do_mmap_pgoff(mm, file, addr, len, prot, flags, pgoff);
        up_write(&mm->mmap_sem);
diff -urN linux-2.4.22/arch/ia64/config.in linux-2.4.22/arch/ia64/config.in
--- linux-2.4.22/arch/ia64/config.in    2003-09-01 22:19:38.000000000 -0400
+++ linux-2.4.22/arch/ia64/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -291,3 +291,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux-2.4.22/arch/ia64/kernel/ptrace.c linux-2.4.22/arch/ia64/kernel/ptrace.c
--- linux-2.4.22/arch/ia64/kernel/ptrace.c      2003-09-01 22:19:39.000000000 -0400
+++ linux-2.4.22/arch/ia64/kernel/ptrace.c      2003-09-02 19:29:41.000000000 -0400
@@ -16,6 +16,7 @@
 #include <linux/ptrace.h>
 #include <linux/smp_lock.h>
 #include <linux/user.h>
+#include <linux/grsecurity.h>
 
 #include <asm/pgtable.h>
 #include <asm/processor.h>
@@ -1213,6 +1214,9 @@
        if (pid == 1)           /* no messing around with init! */
                goto out_tsk;
 
+       if (gr_handle_ptrace(child, request))
+               goto out_tsk;
+
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out_tsk;
diff -urN linux-2.4.22/arch/ia64/kernel/sys_ia64.c linux-2.4.22/arch/ia64/kernel/sys_ia64.c
--- linux-2.4.22/arch/ia64/kernel/sys_ia64.c    2003-09-01 22:19:39.000000000 -0400
+++ linux-2.4.22/arch/ia64/kernel/sys_ia64.c    2003-09-02 19:29:41.000000000 -0400
@@ -15,6 +15,7 @@
 #include <linux/smp.h>
 #include <linux/smp_lock.h>
 #include <linux/highuid.h>
+#include <linux/grsecurity.h>
 
 #include <asm/shmparam.h>
 #include <asm/uaccess.h>
@@ -206,6 +207,11 @@
                goto out;
        }
 
+       if (gr_handle_mmap(file, prot)) {
+               addr = -EACCES;
+               goto out;
+       }
+
        down_write(&current->mm->mmap_sem);
        addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
        up_write(&current->mm->mmap_sem);
diff -urN linux-2.4.22/arch/m68k/config.in linux-2.4.22/arch/m68k/config.in
--- linux-2.4.22/arch/m68k/config.in    2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/m68k/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -564,3 +564,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/mips/config.in linux-2.4.22/arch/mips/config.in
--- linux-2.4.22/arch/mips/config.in    2003-09-01 22:19:35.000000000 -0400
+++ linux-2.4.22/arch/mips/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -7,3 +7,11 @@
 define_bool CONFIG_MIPS64 n
 
 source arch/mips/config-shared.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+        source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/mips64/config.in linux-2.4.22/arch/mips64/config.in
--- linux-2.4.22/arch/mips64/config.in  2003-09-01 22:19:39.000000000 -0400
+++ linux-2.4.22/arch/mips64/config.in  2003-09-02 19:29:41.000000000 -0400
@@ -7,3 +7,11 @@
 define_bool CONFIG_MIPS64 y
 
 source arch/mips/config-shared.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+        source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/parisc/config.in linux-2.4.22/arch/parisc/config.in
--- linux-2.4.22/arch/parisc/config.in  2003-09-01 22:19:39.000000000 -0400
+++ linux-2.4.22/arch/parisc/config.in  2003-09-02 19:29:41.000000000 -0400
@@ -198,3 +198,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/parisc/kernel/ioctl32.c linux-2.4.22/arch/parisc/kernel/ioctl32.c
--- linux-2.4.22/arch/parisc/kernel/ioctl32.c   2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/parisc/kernel/ioctl32.c   2003-09-02 19:29:41.000000000 -0400
@@ -1434,7 +1434,11 @@
         * To have permissions to do most of the vt ioctls, we either have
         * to be the owner of the tty, or super-user.
         */
+#ifdef CONFIG_GRKERNSEC
+       if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG))
+#else
        if (current->tty == tty || suser())
+#endif
                return 1;
        return 0;                                                    
 }
diff -urN linux-2.4.22/arch/parisc/kernel/ptrace.c linux-2.4.22/arch/parisc/kernel/ptrace.c
--- linux-2.4.22/arch/parisc/kernel/ptrace.c    2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/parisc/kernel/ptrace.c    2003-09-02 19:29:41.000000000 -0400
@@ -15,7 +15,7 @@
 #include <linux/ptrace.h>
 #include <linux/user.h>
 #include <linux/personality.h>
-
+#include <linux/grsecurity.h>
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
 #include <asm/system.h>
@@ -119,6 +119,9 @@
        if (pid == 1)           /* no messing around with init! */
                goto out_tsk;
 
+       if (gr_handle_ptrace(child, request))
+               goto out_tsk;
+
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out_tsk;
diff -urN linux-2.4.22/arch/parisc/kernel/sys_parisc.c linux-2.4.22/arch/parisc/kernel/sys_parisc.c
--- linux-2.4.22/arch/parisc/kernel/sys_parisc.c        2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/parisc/kernel/sys_parisc.c        2003-09-02 19:29:41.000000000 -0400
@@ -12,6 +12,7 @@
 #include <linux/mman.h>
 #include <linux/shm.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 int sys_pipe(int *fildes)
 {
@@ -104,6 +110,11 @@
                        goto out;
        }
 
+       if (gr_handle_mmap(file, prot)) {
+               fput(file);
+               return -EACCES;
+       }
+
        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
 
        down_write(&current->mm->mmap_sem);
diff -urN linux-2.4.22/arch/parisc/kernel/sys_parisc32.c linux-2.4.22/arch/parisc/kernel/sys_parisc32.c
--- linux-2.4.22/arch/parisc/kernel/sys_parisc32.c      2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/parisc/kernel/sys_parisc32.c      2003-09-02 19:29:41.000000000 -0400
@@ -50,6 +50,7 @@
 #include <linux/highmem.h>
 #include <linux/highuid.h>
 #include <linux/mman.h>
+#include <linux/grsecurity.h>
 
 #include <asm/types.h>
 #include <asm/uaccess.h>
@@ -177,6 +178,11 @@
        struct file *file;
        int retval;
        int i;
+#ifdef CONFIG_GRKERNSEC
+       struct file *old_exec_file;
+       struct acl_subject_label *old_acl;
+       struct rlimit old_rlim[RLIM_NLIMITS];
+#endif
 
        file = open_exec(filename);
 
@@ -184,6 +190,20 @@
        if (IS_ERR(file))
                return retval;
 
+       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes));
+
+       if (gr_handle_nproc()) {
+               allow_write_access(file);
+               fput(file);
+               return -EAGAIN;
+       }
+
+       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
+               allow_write_access(file);
+               fput(file);
+               return -EACCES;
+       }
+
        bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
        memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0]));
 
@@ -209,11 +234,24 @@
        if (retval < 0)
                goto out;
        
+       if (!gr_tpe_allow(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
+       if (gr_check_crash_exec(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
        retval = copy_strings_kernel(1, &bprm.filename, &bprm);
        if (retval < 0)
                goto out;
 
        bprm.exec = bprm.p;
+
+       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
+
        retval = copy_strings32(bprm.envc, envp, &bprm);
        if (retval < 0)
                goto out;
@@ -222,11 +260,32 @@
        if (retval < 0)
                goto out;
 
+#ifdef CONFIG_GRKERNSEC
+       old_acl = current->acl;
+       memcpy(old_rlim, current->rlim, sizeof(old_rlim));
+       old_exec_file = current->exec_file;
+       get_file(file);
+       current->exec_file = file;
+#endif
+
+       gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
+
        retval = search_binary_handler(&bprm,regs);
-       if (retval >= 0)
+       if (retval >= 0) {
+#ifdef CONFIG_GRKERNSEC
+               if (old_exec_file)
+                       fput(old_exec_file);
+#endif
                /* execve success */
                return retval;
+       }
 
+#ifdef CONFIG_GRKERNSEC
+       current->acl = old_acl;
+       memcpy(current->rlim, old_rlim, sizeof(old_rlim));
+       fput(current->exec_file);
+       current->exec_file = old_exec_file;
+#endif
 out:
        /* Something went wrong, return the inode and free the argument pages*/
        allow_write_access(bprm.file);
diff -urN linux-2.4.22/arch/ppc/config.in linux-2.4.22/arch/ppc/config.in
--- linux-2.4.22/arch/ppc/config.in     2003-09-01 22:19:36.000000000 -0400
+++ linux-2.4.22/arch/ppc/config.in     2003-09-02 19:29:41.000000000 -0400
@@ -488,3 +488,12 @@
   bool 'Support for early boot texts over serial port' CONFIG_SERIAL_TEXT_DEBUG
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -urN linux-2.4.22/arch/ppc/kernel/ptrace.c linux-2.4.22/arch/ppc/kernel/ptrace.c
--- linux-2.4.22/arch/ppc/kernel/ptrace.c       2003-09-01 22:19:36.000000000 -0400
+++ linux-2.4.22/arch/ppc/kernel/ptrace.c       2003-09-02 19:29:41.000000000 -0400
@@ -24,6 +24,7 @@
 #include <linux/errno.h>
 #include <linux/ptrace.h>
 #include <linux/user.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/page.h>
@@ -195,6 +196,9 @@
        if (pid == 1)           /* you may not mess with init */
                goto out_tsk;
 
+       if (gr_handle_ptrace(child, request))
+               goto out_tsk;
+
        if (request == PTRACE_ATTACH) {
                ret = ptrace_attach(child);
                goto out_tsk;
diff -urN linux-2.4.22/arch/ppc/kernel/syscalls.c linux-2.4.22/arch/ppc/kernel/syscalls.c
--- linux-2.4.22/arch/ppc/kernel/syscalls.c     2003-09-01 22:19:36.000000000 -0400
+++ linux-2.4.22/arch/ppc/kernel/syscalls.c     2003-09-02 19:29:41.000000000 -0400
@@ -35,6 +35,7 @@
 #include <linux/ipc.h>
 #include <linux/utsname.h>
 #include <linux/file.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/ipc.h>
@@ -175,6 +176,12 @@
                        goto out;
        }
 
+       if (gr_handle_mmap(file, prot)) {
+               fput(file);
+               ret = -EACCES;
+               goto out;
+       }
+
        down_write(&current->mm->mmap_sem);
        ret = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
        up_write(&current->mm->mmap_sem);
diff -urN linux-2.4.22/arch/ppc64/kernel/ioctl32.c linux-2.4.22/arch/ppc64/kernel/ioctl32.c
--- linux-2.4.22/arch/ppc64/kernel/ioctl32.c    2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/ppc64/kernel/ioctl32.c    2003-09-02 19:29:41.000000000 -0400
@@ -1800,7 +1800,11 @@
         * To have permissions to do most of the vt ioctls, we either have
         * to be the owner of the tty, or super-user.
         */
+#ifdef CONFIG_GRKERNSEC
+       if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG))
+#else
        if (current->tty == tty || suser())
+#endif
                return 1;
        return 0;                                                    
 }
diff -urN linux-2.4.22/arch/s390/config.in linux-2.4.22/arch/s390/config.in
--- linux-2.4.22/arch/s390/config.in    2003-09-01 22:19:39.000000000 -0400
+++ linux-2.4.22/arch/s390/config.in    2003-09-02 19:29:41.000000000 -0400
@@ -81,3 +81,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/s390x/config.in linux-2.4.22/arch/s390x/config.in
--- linux-2.4.22/arch/s390x/config.in   2003-09-01 22:19:44.000000000 -0400
+++ linux-2.4.22/arch/s390x/config.in   2003-09-02 19:29:41.000000000 -0400
@@ -85,3 +85,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/sh/config.in linux-2.4.22/arch/sh/config.in
--- linux-2.4.22/arch/sh/config.in      2003-09-01 22:19:38.000000000 -0400
+++ linux-2.4.22/arch/sh/config.in      2003-09-02 19:29:41.000000000 -0400
@@ -469,3 +469,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/sparc/boot/Makefile linux-2.4.22/arch/sparc/boot/Makefile
--- linux-2.4.22/arch/sparc/boot/Makefile       2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/sparc/boot/Makefile       2003-09-02 19:29:41.000000000 -0400
@@ -24,7 +24,7 @@
 
 BTOBJS := $(HEAD) init/main.o init/version.o init/do_mounts.o
 BTLIBS := $(CORE_FILES_NO_BTFIX) $(FILESYSTEMS) \
-       $(DRIVERS) $(NETWORKS)
+       $(DRIVERS) $(NETWORKS) $(GRSECURITY)
 
 # I wanted to make this depend upon BTOBJS so that a parallel
 # build would work, but this fails because $(HEAD) cannot work
diff -urN linux-2.4.22/arch/sparc/config.in linux-2.4.22/arch/sparc/config.in
--- linux-2.4.22/arch/sparc/config.in   2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/sparc/config.in   2003-09-02 19:29:41.000000000 -0400
@@ -277,3 +277,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/sparc/kernel/ptrace.c linux-2.4.22/arch/sparc/kernel/ptrace.c
--- linux-2.4.22/arch/sparc/kernel/ptrace.c     2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/sparc/kernel/ptrace.c     2003-09-02 19:29:41.000000000 -0400
@@ -17,6 +17,7 @@
 #include <linux/user.h>
 #include <linux/smp.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 #include <asm/pgtable.h>
 #include <asm/system.h>
@@ -310,6 +311,9 @@
                goto out;
        }
 
+       if(gr_handle_ptrace(child, request))
+               goto out_tsk;
+
        if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
            || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
                if (ptrace_attach(child)) {
diff -urN linux-2.4.22/arch/sparc/kernel/sys_sparc.c linux-2.4.22/arch/sparc/kernel/sys_sparc.c
--- linux-2.4.22/arch/sparc/kernel/sys_sparc.c  2003-09-01 22:19:34.000000000 -0400
+++ linux-2.4.22/arch/sparc/kernel/sys_sparc.c  2003-09-02 19:29:41.000000000 -0400
@@ -20,6 +20,7 @@
 #include <linux/utsname.h>
 #include <linux/smp.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/ipc.h>
@@ -243,6 +256,12 @@
        if (len > TASK_SIZE - PAGE_SIZE || addr + len > TASK_SIZE - PAGE_SIZE)
                goto out_putf;
 
+       if (gr_handle_mmap(file, prot)) {
+               fput(file);
+               retval = -EACCES;
+               goto out;
+       }
+
        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
 
        down_write(&current->mm->mmap_sem);
diff -urN linux-2.4.22/arch/sparc64/config.in linux-2.4.22/arch/sparc64/config.in
--- linux-2.4.22/arch/sparc64/config.in 2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/sparc64/config.in 2003-09-02 19:29:41.000000000 -0400
@@ -311,3 +311,11 @@
 
 source crypto/Config.in
 source lib/Config.in
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+       source grsecurity/Config.in
+fi
+endmenu
diff -urN linux-2.4.22/arch/sparc64/kernel/ioctl32.c linux-2.4.22/arch/sparc64/kernel/ioctl32.c
--- linux-2.4.22/arch/sparc64/kernel/ioctl32.c  2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/sparc64/kernel/ioctl32.c  2003-09-02 19:29:41.000000000 -0400
@@ -2046,7 +2046,11 @@
         * To have permissions to do most of the vt ioctls, we either have
         * to be the owner of the tty, or super-user.
         */
+#ifdef CONFIG_GRKERNSEC
+       if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG))
+#else
        if (current->tty == tty || suser())
+#endif
                return 1;
        return 0;                                                    
 }
diff -urN linux-2.4.22/arch/sparc64/kernel/ptrace.c linux-2.4.22/arch/sparc64/kernel/ptrace.c
--- linux-2.4.22/arch/sparc64/kernel/ptrace.c   2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/sparc64/kernel/ptrace.c   2003-09-02 19:29:41.000000000 -0400
@@ -18,6 +18,7 @@
 #include <linux/user.h>
 #include <linux/smp.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 #include <asm/asi.h>
 #include <asm/pgtable.h>
@@ -161,6 +162,11 @@
                goto out;
        }
 
+       if (gr_handle_ptrace(child, (long)request)) {
+               pt_error_return(regs, EPERM);
+               goto out;
+       }
+
        if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
            || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
                if (ptrace_attach(child)) {
diff -urN linux-2.4.22/arch/sparc64/kernel/sys_sparc.c linux-2.4.22/arch/sparc64/kernel/sys_sparc.c
--- linux-2.4.22/arch/sparc64/kernel/sys_sparc.c        2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/sparc64/kernel/sys_sparc.c        2003-09-02 19:29:41.000000000 -0400
@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/ipc.h>
 #include <linux/personality.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/ipc.h>
@@ -289,6 +297,12 @@
                if (!file)
                        goto out;
        }
+
+       if (gr_handle_mmap(file, prot)) {
+               retval = -EACCES;
+               goto out_putf;
+       }
+
        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
        len = PAGE_ALIGN(len);
        retval = -EINVAL;
diff -urN linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c
--- linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c      2003-09-01 22:19:37.000000000 -0400
+++ linux-2.4.22/arch/sparc64/kernel/sys_sparc32.c      2003-09-02 19:29:41.000000000 -0400
@@ -52,6 +52,8 @@
 #include <linux/sysctl.h>
 #include <linux/dnotify.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
 
 #include <asm/types.h>
 #include <asm/ipc.h>
@@ -3233,6 +3235,11 @@
        struct file * file;
        int retval;
        int i;
+#ifdef CONFIG_GRKERNSEC
+       struct file *old_exec_file;
+       struct acl_subject_label *old_acl;
+       struct rlimit old_rlim[RLIM_NLIMITS];
+#endif
 
        bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
        memset(bprm.page, 0, MAX_ARG_PAGES * sizeof(bprm.page[0]));
@@ -3243,6 +3255,20 @@
        if (IS_ERR(file))
                return retval;
 
+       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes));
+
+       if (gr_handle_nproc()) {
+               allow_write_access(file);
+               fput(file);
+               return -EAGAIN;
+       }
+
+       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
+               allow_write_access(file);
+               fput(file);
+               return -EACCES;
+       }
+
        bprm.file = file;
        bprm.filename = filename;
        bprm.sh_bang = 0;
@@ -3263,11 +3289,24 @@
        if (retval < 0)
                goto out;
        
+       if(!gr_tpe_allow(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
+       if (gr_check_crash_exec(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
        retval = copy_strings_kernel(1, &bprm.filename, &bprm);
        if (retval < 0)
                goto out;
 
        bprm.exec = bprm.p;
+
+       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
+
        retval = copy_strings32(bprm.envc, envp, &bprm);
        if (retval < 0)
                goto out;
@@ -3276,11 +3315,32 @@
        if (retval < 0)
                goto out;
 
+#ifdef CONFIG_GRKERNSEC
+       old_acl = current->acl;
+       memcpy(old_rlim, current->rlim, sizeof(old_rlim));
+       old_exec_file = current->exec_file;
+       get_file(file);
+       current->exec_file = file;
+#endif
+
+        gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
+
        retval = search_binary_handler(&bprm, regs);
-       if (retval >= 0)
+       if (retval >= 0) {
+#ifdef CONFIG_GRKERNSEC
+               if (old_exec_file)
+                       fput(old_exec_file);
+#endif
                /* execve success */
                return retval;
+       }
 
+#ifdef CONFIG_GRKERNSEC
+       current->acl = old_acl;
+       memcpy(current->rlim, old_rlim, sizeof(old_rlim));
+       fput(current->exec_file);
+       current->exec_file = old_exec_file;
+#endif
 out:
        /* Something went wrong, return the inode and free the argument pages*/
        allow_write_access(bprm.file);
diff -urN linux-2.4.22/arch/x86_64/ia32/ia32_ioctl.c linux-2.4.22/arch/x86_64/ia32/ia32_ioctl.c
--- linux-2.4.22/arch/x86_64/ia32/ia32_ioctl.c  2003-09-01 22:19:33.000000000 -0400
+++ linux-2.4.22/arch/x86_64/ia32/ia32_ioctl.c  2003-09-02 19:29:41.000000000 -0400
@@ -1932,7 +1932,11 @@
         * To have permissions to do most of the vt ioctls, we either have
         * to be the owner of the tty, or super-user.
         */
+#ifdef CONFIG_GRKERNSEC
+       if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG))
+#else
        if (current->tty == tty || suser())
+#endif
                return 1;
        return 0;                                                    
 }
diff -urN linux-2.4.22/drivers/char/mem.c linux-2.4.22/drivers/char/mem.c
--- linux-2.4.22/drivers/char/mem.c     2003-09-01 22:19:16.000000000 -0400
+++ linux-2.4.22/drivers/char/mem.c     2003-09-02 19:29:41.000000000 -0400
@@ -21,6 +21,7 @@
 #include <linux/raw.h>
 #include <linux/tty.h>
 #include <linux/capability.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -41,6 +42,10 @@
 #if defined(CONFIG_S390_TAPE) && defined(CONFIG_S390_TAPE_CHAR)
 extern void tapechar_init(void);
 #endif
+
+#ifdef CONFIG_GRKERNSEC
+extern struct file_operations grsec_fops;
+#endif
      
 static ssize_t do_write_mem(struct file * file, void *p, unsigned long realp,
                            const char * buf, size_t count, loff_t *ppos)
@@ -114,6 +119,11 @@
        unsigned long p = *ppos;
        unsigned long end_mem;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+       gr_handle_mem_write();
+       return -EPERM;
+#endif
+
        end_mem = __pa(high_memory);
        if (p >= end_mem)
                return 0;
@@ -186,6 +196,12 @@
 {
        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+       if (gr_handle_mem_mmap(offset, vma))
+               return -EPERM;
+#endif
+
+
        /*
         * Accessing memory above the top the kernel knows about or
         * through a file pointer that was marked O_SYNC will be
@@ -285,6 +301,11 @@
        ssize_t virtr = 0;
        char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+       gr_handle_kmem_write();
+       return -EPERM;
+#endif
+
        if (p < (unsigned long) high_memory) {
                wrote = count;
                if (count > (unsigned long) high_memory - p)
@@ -517,6 +538,15 @@
 
 static int open_port(struct inode * inode, struct file * filp)
 {
+#ifdef CONFIG_GRKERNSEC_KMEM
+       gr_handle_open_port();
+       return -EPERM;
+#endif
+       return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+}
+
+static int open_mem(struct inode * inode, struct file * filp)
+{
        return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }
 
@@ -574,6 +604,11 @@
        unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
        unsigned long size = vma->vm_end - vma->vm_start;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+       if (gr_handle_mem_mmap(offset, vma))
+               return -EPERM;
+#endif
+
        /*
         * If the user is not attempting to mmap a high memory address then
         * the standard mmap_mem mechanism will work.  High memory addresses
@@ -609,7 +644,6 @@
 #define full_lseek      null_lseek
 #define write_zero     write_null
 #define read_full       read_zero
-#define open_mem       open_port
 #define open_kmem      open_mem
 
 static struct file_operations mem_fops = {
@@ -685,6 +719,11 @@
                case 9:
                        filp->f_op = &urandom_fops;
                        break;
+#ifdef CONFIG_GRKERNSEC
+               case 10:
+                       filp->f_op = &grsec_fops;
+                       break;
+#endif
                default:
                        return -ENXIO;
        }
@@ -711,7 +750,10 @@
        {5, "zero",    S_IRUGO | S_IWUGO,           &zero_fops},
        {7, "full",    S_IRUGO | S_IWUGO,           &full_fops},
        {8, "random",  S_IRUGO | S_IWUSR,           &random_fops},
-       {9, "urandom", S_IRUGO | S_IWUSR,           &urandom_fops}
+       {9, "urandom", S_IRUGO | S_IWUSR,           &urandom_fops},
+#ifdef CONFIG_GRKERNSEC
+       {10,"grsec",   S_IRUSR | S_IWUGO,           &grsec_fops}
+#endif
     };
     int i;
 
diff -urN linux-2.4.22/drivers/char/random.c linux-2.4.22/drivers/char/random.c
--- linux-2.4.22/drivers/char/random.c  2003-09-01 22:19:16.000000000 -0400
+++ linux-2.4.22/drivers/char/random.c  2003-09-02 19:29:42.000000000 -0400
@@ -262,9 +262,15 @@
 /*
  * Configuration information
  */
+#ifdef CONFIG_GRKERNSEC_RANDNET
+#define DEFAULT_POOL_SIZE 1024
+#define SECONDARY_POOL_SIZE 256
+#define BATCH_ENTROPY_SIZE 512
+#else
 #define DEFAULT_POOL_SIZE 512
 #define SECONDARY_POOL_SIZE 128
 #define BATCH_ENTROPY_SIZE 256
+#endif
 #define USE_SHA
 
 /*
@@ -389,6 +395,7 @@
 /*
  * Static global variables
  */
+
 static struct entropy_store *random_state; /* The default global store */
 static struct entropy_store *sec_random_state; /* secondary store */
 static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
@@ -2202,6 +2209,29 @@
        return halfMD4Transform(hash, keyptr->secret);
 }
 
+#ifdef CONFIG_GRKERNSEC
+/* the following function is provided by PaX under the GPL */
+unsigned long get_random_long(void)
+{       
+       static time_t rekey_time;
+       static __u32 secret[12];
+       time_t t;
+
+       /*
+        * Pick a random secret every REKEY_INTERVAL seconds
+        */
+       t = CURRENT_TIME;
+       if (!rekey_time || (t - rekey_time) > REKEY_INTERVAL) {
+               rekey_time = t;
+               get_random_bytes(secret, sizeof(secret));
+       }
+
+       secret[1] = halfMD4Transform(secret+8, secret);
+       secret[0] = halfMD4Transform(secret+8, secret);
+       return *(unsigned long *)secret;
+}
+#endif
+
 #ifdef CONFIG_SYN_COOKIES
 /*
  * Secure SYN cookie computation. This is the algorithm worked out by
diff -urN linux-2.4.22/drivers/char/tty_io.c linux-2.4.22/drivers/char/tty_io.c
--- linux-2.4.22/drivers/char/tty_io.c  2003-09-01 22:19:16.000000000 -0400
+++ linux-2.4.22/drivers/char/tty_io.c  2003-09-02 19:29:42.000000000 -0400
@@ -99,7 +99,7 @@
 #include <linux/vt_kern.h>
 #include <linux/selection.h>
 #include <linux/devfs_fs_kernel.h>
-
+#include <linux/grsecurity.h>
 #include <linux/kmod.h>
 
 #ifdef CONFIG_VT
@@ -1402,7 +1402,11 @@
                retval = -ENODEV;
        filp->f_flags = saved_flags;
 
+#ifdef CONFIG_GRKERNSEC
+       if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_TTY_CONFIG))
+#else
        if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !suser())
+#endif
                retval = -EBUSY;
 
        if (retval) {
@@ -1504,7 +1508,11 @@
 {
        char ch, mbz = 0;
 
+#ifdef CONFIG_GRKERNSEC
+       if ((current->tty != tty) && !capable(CAP_SYS_TTY_CONFIG))
+#else
        if ((current->tty != tty) && !suser())
+#endif
                return -EPERM;
        if (get_user(ch, arg))
                return -EFAULT;
@@ -1542,7 +1550,11 @@
        if (inode->i_rdev == SYSCONS_DEV ||
            inode->i_rdev == CONSOLE_DEV) {
                struct file *f;
+#ifdef CONFIG_GRKERNSEC
+               if (!capable(CAP_SYS_TTY_CONFIG))
+#else
                if (!suser())
+#endif
                        return -EPERM;
                spin_lock(&redirect_lock);
                f = redirect;
@@ -1594,7 +1606,11 @@
                 * This tty is already the controlling
                 * tty for another session group!
                 */
+#ifdef CONFIG_GRKERNSEC
+               if ((arg == 1) && capable(CAP_SYS_ADMIN)) {
+#else
                if ((arg == 1) && suser()) {
+#endif
                        /*
                         * Steal it away
                         */
diff -urN linux-2.4.22/drivers/char/vt.c linux-2.4.22/drivers/char/vt.c
--- linux-2.4.22/drivers/char/vt.c      2003-09-01 22:19:16.000000000 -0400
+++ linux-2.4.22/drivers/char/vt.c      2003-09-02 19:29:42.000000000 -0400
@@ -32,6 +32,7 @@
 #include <linux/vt_kern.h>
 #include <linux/kbd_diacr.h>
 #include <linux/selection.h>
+#include <linux/grsecurity.h>
 
 #ifdef CONFIG_FB_COMPAT_XPMAC
 #include <asm/vc_ioctl.h>
@@ -443,7 +444,11 @@
         * to be the owner of the tty, or super-user.
         */
        perm = 0;
+#ifdef CONFIG_GRKERNSEC
+       if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG))
+#else
        if (current->tty == tty || suser())
+#endif
                perm = 1;
  
        kbd = kbd_table + console;
@@ -1038,12 +1043,20 @@
                return do_unimap_ioctl(cmd, (struct unimapdesc *)arg, perm);
 
        case VT_LOCKSWITCH:
+#ifdef CONFIG_GRKERNSEC
+               if (!capable(CAP_SYS_TTY_CONFIG))
+#else
                if (!suser())
+#endif
                   return -EPERM;
                vt_dont_switch = 1;
                return 0;
        case VT_UNLOCKSWITCH:
+#ifdef CONFIG_GRKERNSEC
+               if (!capable(CAP_SYS_TTY_CONFIG))
+#else
                if (!suser())
+#endif
                   return -EPERM;
                vt_dont_switch = 0;
                return 0;
diff -urN linux-2.4.22/drivers/pci/proc.c linux-2.4.22/drivers/pci/proc.c
--- linux-2.4.22/drivers/pci/proc.c     2003-09-01 22:19:22.000000000 -0400
+++ linux-2.4.22/drivers/pci/proc.c     2003-09-02 19:29:42.000000000 -0400
@@ -562,7 +562,15 @@
                pci_for_each_dev(dev) {
                        pci_proc_attach_device(dev);
                }
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+               entry = create_proc_entry("pci", S_IRUSR, NULL);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+               entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
+#endif
+#else
                entry = create_proc_entry("pci", 0, NULL);
+#endif
                if (entry)
                        entry->proc_fops = &proc_pci_operations;
        }
diff -urN linux-2.4.22/fs/binfmt_aout.c linux-2.4.22/fs/binfmt_aout.c
--- linux-2.4.22/fs/binfmt_aout.c       2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/fs/binfmt_aout.c       2003-09-02 19:29:42.000000000 -0400
@@ -5,6 +5,7 @@
  */
 
 #include <linux/module.h>
+#include <linux/config.h>
 
 #include <linux/sched.h>
 #include <linux/kernel.h>
@@ -113,10 +114,12 @@
 /* If the size of the dump file exceeds the rlimit, then see what would happen
    if we wrote the stack, but not the data area.  */
 #ifdef __sparc__
+       gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize);
        if ((dump.u_dsize+dump.u_ssize) >
            current->rlim[RLIMIT_CORE].rlim_cur)
                dump.u_dsize = 0;
 #else
+       gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE);
        if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
            current->rlim[RLIMIT_CORE].rlim_cur)
                dump.u_dsize = 0;
@@ -124,10 +127,12 @@
 
 /* Make sure we have enough room to write the stack and data areas. */
 #ifdef __sparc__
+       gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize);
        if ((dump.u_ssize) >
            current->rlim[RLIMIT_CORE].rlim_cur)
                dump.u_ssize = 0;
 #else
+       gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE);
        if ((dump.u_ssize+1) * PAGE_SIZE >
            current->rlim[RLIMIT_CORE].rlim_cur)
                dump.u_ssize = 0;
@@ -276,6 +281,8 @@
        rlim = current->rlim[RLIMIT_DATA].rlim_cur;
        if (rlim >= RLIM_INFINITY)
                rlim = ~0;
+
+       gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss);
        if (ex.a_data + ex.a_bss > rlim)
                return -ENOMEM;
 
diff -urN linux-2.4.22/fs/binfmt_elf.c linux-2.4.22/fs/binfmt_elf.c
--- linux-2.4.22/fs/binfmt_elf.c        2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/binfmt_elf.c        2003-09-02 19:29:42.000000000 -0400
@@ -11,6 +11,7 @@
 
 #include <linux/module.h>
 
+#include <linux/config.h>
 #include <linux/fs.h>
 #include <linux/stat.h>
 #include <linux/sched.h>
@@ -33,10 +34,13 @@
 #include <linux/smp_lock.h>
 #include <linux/compiler.h>
 #include <linux/highmem.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/param.h>
 #include <asm/pgalloc.h>
+#include <asm/system.h>
 
 #define DLINFO_ITEMS 13
 
@@ -1026,8 +1184,11 @@
 #undef DUMP_SEEK
 
 #define DUMP_WRITE(addr, nr)   \
+       do { \
+       gr_learn_resource(current, RLIMIT_CORE, size + (nr)); \
        if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
-               goto end_coredump;
+               goto end_coredump; \
+       } while (0);
 #define DUMP_SEEK(off) \
        if (!dump_seek(file, (off))) \
                goto end_coredump;
diff -urN linux-2.4.22/fs/buffer.c linux-2.4.22/fs/buffer.c
--- linux-2.4.22/fs/buffer.c    2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/buffer.c    2003-09-02 19:29:42.000000000 -0400
@@ -1810,6 +1810,9 @@
        int err;
 
        err = -EFBIG;
+
+       gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size);
+
         limit = current->rlim[RLIMIT_FSIZE].rlim_cur;
        if (limit != RLIM_INFINITY && size > (loff_t)limit) {
                send_sig(SIGXFSZ, current, 0);
diff -urN linux-2.4.22/fs/exec.c linux-2.4.22/fs/exec.c
--- linux-2.4.22/fs/exec.c      2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/exec.c      2003-09-02 19:29:42.000000000 -0400
@@ -43,6 +43,9 @@
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
 #include <asm/mmu_context.h>
+#include <linux/major.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
 
 #ifdef CONFIG_KMOD
 #include <linux/kmod.h>
@@ -709,6 +741,9 @@
                        cap_set_full(bprm->cap_effective);
        }
 
+       if (gr_handle_ptrace_exec(bprm->file->f_dentry, bprm->file->f_vfsmnt))
+               return -EACCES;
+
        memset(bprm->buf,0,BINPRM_BUF_SIZE);
        return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
 }
@@ -774,6 +809,8 @@
         current->suid = current->euid = current->fsuid = bprm->e_uid;
         current->sgid = current->egid = current->fsgid = bprm->e_gid;
 
+       gr_handle_chroot_caps(current);
+
        if(do_unlock)
                unlock_kernel();
        current->keep_capabilities = 0;
@@ -907,6 +944,11 @@
        struct file *file;
        int retval;
        int i;
+#ifdef CONFIG_GRKERNSEC
+       struct file *old_exec_file;
+       struct acl_subject_label *old_acl;
+       struct rlimit old_rlim[RLIM_NLIMITS];
+#endif
 
        file = open_exec(filename);
 
@@ -914,6 +956,20 @@
        if (IS_ERR(file))
                return retval;
 
+       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes));
+
+       if (gr_handle_nproc()) {
+               allow_write_access(file);
+               fput(file);
+               return -EAGAIN;
+       }
+
+       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
+               allow_write_access(file);
+               fput(file);
+               return -EACCES;
+       }
+
        bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
        memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); 
 
@@ -938,11 +999,26 @@
        if (retval < 0) 
                goto out; 
 
+       if (!gr_tpe_allow(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
+       if(gr_check_crash_exec(file)) {
+               retval = -EACCES;
+               goto out;
+       }
+
        retval = copy_strings_kernel(1, &bprm.filename, &bprm);
        if (retval < 0) 
                goto out; 
 
        bprm.exec = bprm.p;
+
+       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
+
+       gr_handle_exec_args(&bprm, argv);
+
        retval = copy_strings(bprm.envc, envp, &bprm);
        if (retval < 0) 
                goto out; 
@@ -951,11 +1027,32 @@
        if (retval < 0) 
                goto out; 
 
+#ifdef CONFIG_GRKERNSEC
+       old_acl = current->acl;
+       memcpy(old_rlim, current->rlim, sizeof(old_rlim));
+       old_exec_file = current->exec_file;
+       get_file(file);
+       current->exec_file = file;
+#endif
+
+       gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
+
        retval = search_binary_handler(&bprm,regs);
-       if (retval >= 0)
+       if (retval >= 0) {
+#ifdef CONFIG_GRKERNSEC
+               if (old_exec_file)
+                       fput(old_exec_file);
+#endif
                /* execve success */
                return retval;
+       }
 
+#ifdef CONFIG_GRKERNSEC
+       current->acl = old_acl;
+       memcpy(current->rlim, old_rlim, sizeof(old_rlim));
+       fput(current->exec_file);
+       current->exec_file = old_exec_file;
+#endif
 out:
        /* Something went wrong, return the inode and free the argument pages*/
        allow_write_access(bprm.file);
@@ -1112,6 +1246,7 @@
        if (!is_dumpable(current))
                goto fail;
        current->mm->dumpable = 0;
+       gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump);
        if (current->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
                goto fail;
 
@@ -1131,7 +1266,7 @@
                goto close_fail;
        if (!file->f_op->write)
                goto close_fail;
-       if (do_truncate(file->f_dentry, 0) != 0)
+       if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0)
                goto close_fail;
 
        retval = binfmt->core_dump(signr, regs, file);
diff -urN linux-2.4.22/fs/fcntl.c linux-2.4.22/fs/fcntl.c
--- linux-2.4.22/fs/fcntl.c     2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/fcntl.c     2003-09-02 19:29:42.000000000 -0400
@@ -11,6 +11,7 @@
 #include <linux/smp_lock.h>
 #include <linux/slab.h>
 #include <linux/iobuf.h>
+#include <linux/grsecurity.h>
 
 #include <asm/poll.h>
 #include <asm/siginfo.h>
@@ -64,6 +65,8 @@
        int error;
        int start;
 
+       gr_learn_resource(current, RLIMIT_NOFILE, orig_start);
+
        write_lock(&files->file_lock);
        
        error = -EINVAL;
@@ -86,6 +89,7 @@
        }
        
        error = -EMFILE;
+       gr_learn_resource(current, RLIMIT_NOFILE, newfd);
        if (newfd >= current->rlim[RLIMIT_NOFILE].rlim_cur)
                goto out;
 
@@ -141,6 +145,8 @@
        struct file * file, *tofree;
        struct files_struct * files = current->files;
 
+       gr_learn_resource(current, RLIMIT_NOFILE, newfd);
+
        write_lock(&files->file_lock);
        if (!(file = fcheck(oldfd)))
                goto out_unlock;
@@ -448,6 +454,10 @@
                        match = -p->pgrp;
                if (pid != match)
                        continue;
+               if (gr_check_protected_task(p))
+                       continue;
+               if (gr_pid_is_chrooted(p))
+                       continue;
                send_sigio_to_task(p, fown, fd, band);
        }
 out:
diff -urN linux-2.4.22/fs/locks.c linux-2.4.22/fs/locks.c
--- linux-2.4.22/fs/locks.c     2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/locks.c     2003-09-02 19:29:42.000000000 -0400
@@ -138,6 +138,7 @@
 static struct file_lock *locks_alloc_lock(int account)
 {
        struct file_lock *fl;
+       if(account) gr_learn_resource(current, RLIMIT_LOCKS, current->locks);
        if (account && current->locks >= current->rlim[RLIMIT_LOCKS].rlim_cur)
                return NULL;
        fl = kmem_cache_alloc(filelock_cache, SLAB_KERNEL);
diff -urN linux-2.4.22/fs/namei.c linux-2.4.22/fs/namei.c
--- linux-2.4.22/fs/namei.c     2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/namei.c     2003-09-02 19:29:42.000000000 -0400
@@ -22,6 +22,7 @@
 #include <linux/dnotify.h>
 #include <linux/smp_lock.h>
 #include <linux/personality.h>
+#include <linux/grsecurity.h>
 
 #include <asm/namei.h>
 #include <asm/uaccess.h>
@@ -343,6 +344,13 @@
                current->state = TASK_RUNNING;
                schedule();
        }
+
+       if (gr_handle_follow_link(dentry->d_parent->d_inode,
+                                 dentry->d_inode, dentry, nd->mnt)) {
+               path_release(nd);
+               return -EACCES;
+       }
+
        current->link_count++;
        current->total_link_count++;
        UPDATE_ATIME(dentry->d_inode);
@@ -643,6 +651,10 @@
                        }
                }
 return_base:
+               if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
+                       path_release(nd);
+                       return -ENOENT;
+               }
                return 0;
 out_dput:
                dput(dentry);
@@ -1005,7 +1017,7 @@
        struct dentry *dentry;
        struct dentry *dir;
        int count = 0;
-
+       
        acc_mode = ACC_MODE(flag);
 
        /*
@@ -1015,7 +1027,19 @@
                error = path_lookup(pathname, lookup_flags(flag), nd);
                if (error)
                        return error;
+
+               if (gr_handle_rawio(nd->dentry->d_inode)) {
+                       error = -EPERM;
+                       goto exit;
+               }
+       
+               if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
+                       error = -EACCES;
+                       goto exit;
+               }
+
                dentry = nd->dentry;
+
                goto ok;
        }
 
@@ -1048,7 +1072,16 @@
        if (!dentry->d_inode) {
                if (!IS_POSIXACL(dir->d_inode))
                        mode &= ~current->fs->umask;
+               if (!gr_acl_handle_creat(dentry, nd->dentry, nd->mnt, flag, mode)) {
+                       error = -EACCES;
+                       up(&dir->d_inode->i_sem);
+                       goto exit_dput;
+               }
+
                error = vfs_create(dir->d_inode, dentry, mode);
+               if (!error)
+                       gr_handle_create(dentry, nd->mnt);
+
                up(&dir->d_inode->i_sem);
                dput(nd->dentry);
                nd->dentry = dentry;
@@ -1058,12 +1091,35 @@
                /* Don't check for write permission, don't truncate */
                acc_mode = 0;
                flag &= ~O_TRUNC;
+
                goto ok;
        }
 
        /*
         * It already exists.
         */
+
+       if (gr_acl_is_enabled() && S_ISBLK(dentry->d_inode->i_mode) &&
+           !capable(CAP_SYS_RAWIO)) {
+               error = -EPERM;
+               up(&dir->d_inode->i_sem);
+               goto exit_dput;
+       }
+
+       if (!gr_acl_handle_open(dentry, nd->mnt, flag)) {
+               error = -EACCES;
+               up(&dir->d_inode->i_sem);
+               goto exit_dput;
+       }
+
+       inode = dentry->d_inode;
+
+       if (gr_handle_fifo(dentry, nd->mnt, dir, flag, acc_mode)) {
+               up(&dir->d_inode->i_sem);
+               error = -EACCES;
+               goto exit_dput;
+       }
+
        up(&dir->d_inode->i_sem);
 
        error = -EEXIST;
@@ -1153,7 +1209,7 @@
                if (!error) {
                        DQUOT_INIT(inode);
                        
-                       error = do_truncate(dentry, 0);
+                       error = do_truncate(dentry,0,nd->mnt);
                }
                put_write_access(inode);
                if (error)
@@ -1184,6 +1240,13 @@
         * stored in nd->last.name and we will have to putname() it when we
         * are done. Procfs-like symlinks just set LAST_BIND.
         */
+
+       if (gr_handle_follow_link(dentry->d_parent->d_inode, dentry->d_inode,
+                                 dentry, nd->mnt)) {
+               error = -EACCES;
+               goto exit_dput;
+       }
+
        UPDATE_ATIME(dentry->d_inode);
        error = dentry->d_inode->i_op->follow_link(dentry, nd);
        dput(dentry);
@@ -1282,6 +1345,18 @@
        if (!IS_POSIXACL(nd.dentry->d_inode))
                mode &= ~current->fs->umask;
        if (!IS_ERR(dentry)) {
+               if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
+                       error = -EPERM;
+                       dput(dentry);
+                       goto out_dput;
+               }
+
+               if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
+                       error = -EACCES;
+                       dput(dentry);
+                       goto out_dput;
+               }
+       
                switch (mode & S_IFMT) {
                case 0: case S_IFREG:
                        error = vfs_create(nd.dentry->d_inode,dentry,mode);
@@ -1295,8 +1370,13 @@
                default:
                        error = -EINVAL;
                }
+
+               if(!error)
+                       gr_handle_create(dentry, nd.mnt);
+
                dput(dentry);
        }
+out_dput:
        up(&nd.dentry->d_inode->i_sem);
        path_release(&nd);
 out:
@@ -1348,7 +1428,16 @@
                if (!IS_ERR(dentry)) {
                        if (!IS_POSIXACL(nd.dentry->d_inode))
                                mode &= ~current->fs->umask;
-                       error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+                       error = 0;
+
+                       if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt))
+                               error = -EACCES;
+
+                       if(!error)
+                               error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
+                       if(!error)
+                               gr_handle_create(dentry, nd.mnt);
+                       
                        dput(dentry);
                }
                up(&nd.dentry->d_inode->i_sem);
@@ -1433,6 +1522,8 @@
        char * name;
        struct dentry *dentry;
        struct nameidata nd;
+       ino_t saved_ino = 0;
+       kdev_t saved_dev = 0;
 
        name = getname(pathname);
        if(IS_ERR(name))
@@ -1457,7 +1548,22 @@
        dentry = lookup_hash(&nd.last, nd.dentry);
        error = PTR_ERR(dentry);
        if (!IS_ERR(dentry)) {
-               error = vfs_rmdir(nd.dentry->d_inode, dentry);
+               error = 0;
+               if (dentry->d_inode) {
+                       if (dentry->d_inode->i_nlink <= 1) {
+                               saved_ino = dentry->d_inode->i_ino;
+                               saved_dev = dentry->d_inode->i_dev;
+                       }
+
+                       if (!gr_acl_handle_rmdir(dentry, nd.mnt))
+                               error = -EACCES;
+               }
+
+               if (!error)
+                       error = vfs_rmdir(nd.dentry->d_inode, dentry);
+               if (!error && (saved_dev || saved_ino))
+                       gr_handle_delete(saved_ino,saved_dev);
+
                dput(dentry);
        }
        up(&nd.dentry->d_inode->i_sem);
@@ -1501,6 +1607,8 @@
        char * name;
        struct dentry *dentry;
        struct nameidata nd;
+       ino_t saved_ino = 0;
+       kdev_t saved_dev = 0;
 
        name = getname(pathname);
        if(IS_ERR(name))
@@ -1519,7 +1627,21 @@
                /* Why not before? Because we want correct error value */
                if (nd.last.name[nd.last.len])
                        goto slashes;
-               error = vfs_unlink(nd.dentry->d_inode, dentry);
+               error = 0;
+               if (dentry->d_inode) {
+                       if (dentry->d_inode->i_nlink <= 1) {
+                               saved_ino = dentry->d_inode->i_ino;
+                               saved_dev = dentry->d_inode->i_dev;
+                       }
+
+                       if (!gr_acl_handle_unlink(dentry, nd.mnt))
+                               error = -EACCES;
+               }
+
+               if (!error)
+                       error = vfs_unlink(nd.dentry->d_inode, dentry);
+               if (!error && (saved_ino || saved_dev))
+                       gr_handle_delete(saved_ino,saved_dev);
        exit2:
                dput(dentry);
        }
@@ -1583,7 +1705,15 @@
                dentry = lookup_create(&nd, 0);
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
-                       error = vfs_symlink(nd.dentry->d_inode, dentry, from);
+                       error = 0;
+
+                       if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from))
+                               error = -EACCES;
+
+                       if(!error)      
+                               error = vfs_symlink(nd.dentry->d_inode, dentry, from);
+                       if (!error)
+                               gr_handle_create(dentry, nd.mnt);
                        dput(dentry);
                }
                up(&nd.dentry->d_inode->i_sem);
@@ -1667,7 +1797,27 @@
                new_dentry = lookup_create(&nd, 0);
                error = PTR_ERR(new_dentry);
                if (!IS_ERR(new_dentry)) {
-                       error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
+                       error = 0;
+
+                       if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
+                                              old_nd.dentry->d_inode,
+                                              old_nd.dentry->d_inode->i_mode, to)) {
+                               error = -EPERM;
+                               goto out_error;
+                       }
+
+                       if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
+                                                old_nd.dentry, old_nd.mnt, to)) {
+                               error = -EACCES;
+                               goto out_error;
+                       }
+
+                       error = vfs_link(old_nd.dentry, 
+                                       nd.dentry->d_inode, new_dentry);
+
+                       if (!error)
+                               gr_handle_create(new_dentry, nd.mnt);
+out_error:
                        dput(new_dentry);
                }
                up(&nd.dentry->d_inode->i_sem);
@@ -1898,10 +2048,15 @@
        if (IS_ERR(new_dentry))
                goto exit4;
 
-       lock_kernel();
-       error = vfs_rename(old_dir->d_inode, old_dentry,
+       error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
+                                    old_dentry, old_dir->d_inode, oldnd.mnt, newname);
+
+       if (error == 1) {
+               lock_kernel();
+               error = vfs_rename(old_dir->d_inode, old_dentry,
                                   new_dir->d_inode, new_dentry);
-       unlock_kernel();
+               unlock_kernel();
+       }
 
        dput(new_dentry);
 exit4:
diff -urN linux-2.4.22/fs/namespace.c linux-2.4.22/fs/namespace.c
--- linux-2.4.22/fs/namespace.c 2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/namespace.c 2003-09-02 19:29:42.000000000 -0400
@@ -15,6 +15,8 @@
 #include <linux/quotaops.h>
 #include <linux/acct.h>
 #include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -325,6 +327,8 @@
                        lock_kernel();
                        retval = do_remount_sb(sb, MS_RDONLY, 0);
                        unlock_kernel();
+
+                       gr_log_remount(mnt->mnt_devname, retval);
                }
                up_write(&sb->s_umount);
                return retval;
@@ -350,6 +354,9 @@
        }
        spin_unlock(&dcache_lock);
        up_write(&current->namespace->sem);
+
+       gr_log_unmount(mnt->mnt_devname, retval);
+
        return retval;
 }
 
@@ -729,6 +736,12 @@
        if (retval)
                return retval;
 
+       if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
+               retval = -EPERM;
+               path_release(&nd);
+               return retval;
+       }
+
        if (flags & MS_REMOUNT)
                retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
                                    data_page);
@@ -740,6 +753,9 @@
                retval = do_add_mount(&nd, type_page, flags, mnt_flags,
                                      dev_name, data_page);
        path_release(&nd);
+
+       gr_log_mount(dev_name, dir_name, retval);
+
        return retval;
 }
 
@@ -909,6 +925,9 @@
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
 
+       if (gr_handle_chroot_pivot())
+               return -EPERM;
+
        lock_kernel();
 
        error = __user_walk(new_root, LOOKUP_POSITIVE|LOOKUP_FOLLOW|LOOKUP_DIRECTORY, &new_nd);
diff -urN linux-2.4.22/fs/open.c linux-2.4.22/fs/open.c
--- linux-2.4.22/fs/open.c      2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/open.c      2003-09-02 19:29:42.000000000 -0400
@@ -15,6 +15,7 @@
 #include <linux/slab.h>
 #include <linux/tty.h>
 #include <linux/iobuf.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -95,7 +96,7 @@
        write_unlock(&files->file_lock);
 }
 
-int do_truncate(struct dentry *dentry, loff_t length)
+int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt)
 {
        struct inode *inode = dentry->d_inode;
        int error;
@@ -105,6 +106,9 @@
        if (length < 0)
                return -EINVAL;
 
+       if (!gr_acl_handle_truncate(dentry, mnt))
+               return -EACCES;
+
        down_write(&inode->i_alloc_sem);
        down(&inode->i_sem);
        newattrs.ia_size = length;
@@ -165,7 +169,7 @@
        error = locks_verify_truncate(inode, NULL, length);
        if (!error) {
                DQUOT_INIT(inode);
-               error = do_truncate(nd.dentry, length);
+               error = do_truncate(nd.dentry, length, nd.mnt);
        }
        put_write_access(inode);
 
@@ -217,7 +221,7 @@
 
        error = locks_verify_truncate(inode, file, length);
        if (!error)
-               error = do_truncate(dentry, length);
+               error = do_truncate(dentry, length, file->f_vfsmnt);
 out_putf:
        fput(file);
 out:
@@ -286,6 +290,12 @@
                    (error = permission(inode,MAY_WRITE)) != 0)
                        goto dput_and_out;
        }
+
+       if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
+               error = -EACCES;
+               goto dput_and_out;
+       }
+
        error = notify_change(nd.dentry, &newattrs);
 dput_and_out:
        path_release(&nd);
@@ -331,6 +341,12 @@
                    (error = permission(inode,MAY_WRITE)) != 0)
                        goto dput_and_out;
        }
+
+       if (!gr_acl_handle_utime(nd.dentry, nd.mnt)) {
+               error = -EACCES;
+               goto dput_and_out;
+       }
+
        error = notify_change(nd.dentry, &newattrs);
 dput_and_out:
        path_release(&nd);
@@ -373,6 +389,10 @@
                if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
                   && !special_file(nd.dentry->d_inode->i_mode))
                        res = -EROFS;
+               
+               if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
+                       res =  -EACCES;
+
                path_release(&nd);
        }
 
@@ -396,6 +416,8 @@
        if (error)
                goto dput_and_out;
 
+       gr_log_chdir(nd.dentry, nd.mnt);
+
        set_fs_pwd(current->fs, nd.mnt, nd.dentry);
 
 dput_and_out:
@@ -426,6 +448,13 @@
                goto out_putf;
 
        error = permission(inode, MAY_EXEC);
+
+       if (!error && !gr_chroot_fchdir(dentry, mnt))
+               error = -EPERM;
+
+       if (!error)
+               gr_log_chdir(dentry, mnt);
+
        if (!error)
                set_fs_pwd(current->fs, mnt, dentry);
 out_putf:
@@ -452,8 +481,16 @@
        if (!capable(CAP_SYS_CHROOT))
                goto dput_and_out;
 
+       if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
+               goto dput_and_out;
+
        set_fs_root(current->fs, nd.mnt, nd.dentry);
        set_fs_altroot();
+
+       gr_handle_chroot_caps(current);
+
+       gr_handle_chroot_chdir(nd.dentry, nd.mnt);
+
        error = 0;
 dput_and_out:
        path_release(&nd);
@@ -482,8 +519,20 @@
        err = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto out_putf;
+
+       if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
+               err = -EACCES;
+               goto out_putf;
+       }
+
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
+
+       if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
+               err = -EPERM;
+               goto out_putf;
+       }           
+
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        err = notify_change(dentry, &newattrs);
@@ -514,8 +563,19 @@
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto dput_and_out;
 
+       if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
+               error = -EACCES;
+               goto dput_and_out;
+       }
+
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
+
+       if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
+               error = -EACCES;
+               goto dput_and_out;
+       }
+
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(nd.dentry, &newattrs);
@@ -526,7 +586,7 @@
        return error;
 }
 
-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
 {
        struct inode * inode;
        int error;
@@ -543,6 +603,12 @@
        error = -EPERM;
        if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
                goto out;
+
+       if (!gr_acl_handle_chown(dentry, mnt)) {
+               error = -EACCES;
+               goto out;
+       }
+
        if (user == (uid_t) -1)
                user = inode->i_uid;
        if (group == (gid_t) -1)
@@ -593,7 +659,7 @@
 
        error = user_path_walk(filename, &nd);
        if (!error) {
-               error = chown_common(nd.dentry, user, group);
+               error = chown_common(nd.dentry, user, group, nd.mnt);
                path_release(&nd);
        }
        return error;
@@ -606,7 +672,7 @@
 
        error = user_path_walk_link(filename, &nd);
        if (!error) {
-               error = chown_common(nd.dentry, user, group);
+               error = chown_common(nd.dentry, user, group, nd.mnt);
                path_release(&nd);
        }
        return error;
@@ -620,7 +686,8 @@
 
        file = fget(fd);
        if (file) {
-               error = chown_common(file->f_dentry, user, group);
+               error = chown_common(file->f_dentry, user,
+                               group, file->f_vfsmnt);
                fput(file);
        }
        return error;
@@ -740,6 +807,7 @@
         * N.B. For clone tasks sharing a files structure, this test
         * will limit the total number of files that can be opened.
         */
+       gr_learn_resource(current, RLIMIT_NOFILE, fd);
        if (fd >= current->rlim[RLIMIT_NOFILE].rlim_cur)
                goto out;
 
diff -urN linux-2.4.22/fs/proc/array.c linux-2.4.22/fs/proc/array.c
--- linux-2.4.22/fs/proc/array.c        2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/array.c        2003-09-02 19:29:42.000000000 -0400
@@ -334,6 +340,12 @@
 
        wchan = get_wchan(task);
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+       wchan = 0;
+       eip = 0;
+       esp = 0;
+#endif
+
        collect_sigign_sigcatch(task, &sigign, &sigcatch);
 
        /* scale priority and nice values from timeslices to -20..20 */
@@ -684,6 +728,16 @@
        return retval;
 }
 
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR     
+int proc_pid_ipaddr(struct task_struct *task, char * buffer)    
+{       
+       int len;         
+
+       len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip));  
+       return len;      
+}       
+#endif
+
 #ifdef CONFIG_SMP
 int proc_pid_cpu(struct task_struct *task, char * buffer)
 {
diff -urN linux-2.4.22/fs/proc/base.c linux-2.4.22/fs/proc/base.c
--- linux-2.4.22/fs/proc/base.c 2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/base.c 2003-09-02 19:29:42.000000000 -0400
@@ -25,6 +25,7 @@
 #include <linux/string.h>
 #include <linux/seq_file.h>
 #include <linux/namespace.h>
+#include <linux/grsecurity.h>
 
 /*
  * For hysterical raisins we keep the same inumbers as in the old procfs.
@@ -41,6 +42,9 @@
 int proc_pid_status(struct task_struct*,char*);
 int proc_pid_statm(struct task_struct*,char*);
 int proc_pid_cpu(struct task_struct*,char*);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+int proc_pid_ipaddr(struct task_struct*,char*);
+#endif
 
 static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
 {
@@ -264,9 +268,22 @@
 
 static int proc_permission(struct inode *inode, int mask)
 {
+       int ret;
+       struct task_struct *task;
+
        if (vfs_permission(inode, mask) != 0)
                return -EACCES;
-       return proc_check_root(inode);
+       ret = proc_check_root(inode);
+
+       if (ret)
+               return ret;
+
+       task = inode->u.proc_i.task;
+
+       if (!task)
+               return 0;
+
+       return gr_acl_handle_procpidmem(task);
 }
 
 static ssize_t pid_maps_read(struct file * file, char * buf,
@@ -576,6 +593,9 @@
        PROC_PID_STATM,
        PROC_PID_MAPS,
        PROC_PID_CPU,
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+       PROC_PID_IPADDR,
+#endif
        PROC_PID_MOUNTS,
        PROC_PID_FD_DIR = 0x8000,       /* 0x8000-0xffff */
 };
@@ -591,6 +611,9 @@
 #ifdef CONFIG_SMP
   E(PROC_PID_CPU,      "cpu",          S_IFREG|S_IRUGO),
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+  E(PROC_PID_IPADDR,   "ipaddr",       S_IFREG|S_IRUSR),
+#endif
   E(PROC_PID_MAPS,     "maps",         S_IFREG|S_IRUGO),
   E(PROC_PID_MEM,      "mem",          S_IFREG|S_IRUSR|S_IWUSR),
   E(PROC_PID_CWD,      "cwd",          S_IFLNK|S_IRWXUGO),
@@ -747,10 +770,17 @@
        get_task_struct(task);
        inode->u.proc_i.task = task;
        inode->i_uid = 0;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
        inode->i_gid = 0;
+#endif
+
        if (ino == PROC_PID_INO || task_dumpable(task)) {
                inode->i_uid = task->euid;
+#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
                inode->i_gid = task->egid;
+#endif
        }
 
 out:
@@ -958,6 +988,12 @@
                        inode->u.proc_i.op.proc_read = proc_pid_cpu;
                        break;
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
+               case PROC_PID_IPADDR:
+                       inode->i_fop = &proc_info_file_operations;
+                       inode->u.proc_i.op.proc_read = proc_pid_ipaddr;
+                       break;
+#endif
                case PROC_PID_MEM:
                        inode->i_op = &proc_mem_inode_operations;
                        inode->i_fop = &proc_mem_operations;
@@ -1056,13 +1092,34 @@
        if (!task)
                goto out;
 
+       if(gr_check_hidden_task(task)) {
+               free_task_struct(task);
+               goto out;
+       }
+       
+#ifdef CONFIG_GRKERNSEC_PROC
+       if (current->uid && (task->uid != current->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+           && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+       ) {
+               free_task_struct(task);
+               goto out;
+       }       
+#endif
        inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
        free_task_struct(task);
 
        if (!inode)
                goto out;
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
+#else
        inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
        inode->i_op = &proc_base_inode_operations;
        inode->i_fop = &proc_base_operations;
        inode->i_nlink = 3;
@@ -1102,6 +1159,18 @@
                int pid = p->pid;
                if (!pid)
                        continue;
+               if(gr_pid_is_chrooted(p))
+                       continue;
+               if(gr_check_hidden_task(p)) 
+                       continue;
+#ifdef CONFIG_GRKERNSEC_PROC
+               if (current->uid && (p->uid != current->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+                       && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+               )
+                       continue;       
+#endif
                if (--index >= 0)
                        continue;
                pids[nr_pids] = pid;
diff -urN linux-2.4.22/fs/proc/generic.c linux-2.4.22/fs/proc/generic.c
--- linux-2.4.22/fs/proc/generic.c      2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/generic.c      2003-09-02 19:29:42.000000000 -0400
@@ -503,6 +503,32 @@
        return ent;
 }
 
+#ifdef CONFIG_GRKERNSEC_PROC
+struct proc_dir_entry *proc_priv_mkdir(const char *name, struct proc_dir_entry *parent)
+{
+       struct proc_dir_entry *ent;
+       mode_t mode = 0;
+
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       mode = S_IFDIR | S_IRUSR | S_IXUSR;
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       mode = S_IFDIR | S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP;
+#endif
+
+       ent = proc_create(&parent, name, mode, 2);
+       if (ent) {
+               ent->proc_fops = &proc_dir_operations;
+               ent->proc_iops = &proc_dir_inode_operations;
+
+               if (proc_register(parent, ent) < 0) {
+                       kfree(ent);
+                       ent = NULL;
+               }
+       }
+       return ent;
+}
+#endif
+
 struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode,
                                         struct proc_dir_entry *parent)
 {
diff -urN linux-2.4.22/fs/proc/inode.c linux-2.4.22/fs/proc/inode.c
--- linux-2.4.22/fs/proc/inode.c        2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/inode.c        2003-09-02 19:29:42.000000000 -0400
@@ -152,7 +152,11 @@
                if (de->mode) {
                        inode->i_mode = de->mode;
                        inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
                        inode->i_gid = de->gid;
+#endif                 
                }
                if (de->size)
                        inode->i_size = de->size;
diff -urN linux-2.4.22/fs/proc/proc_misc.c linux-2.4.22/fs/proc/proc_misc.c
--- linux-2.4.22/fs/proc/proc_misc.c    2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/proc_misc.c    2003-09-02 19:29:42.000000000 -0400
@@ -569,6 +569,7 @@
 void __init proc_misc_init(void)
 {
        struct proc_dir_entry *entry;
+       int gr_mode = 0;
        static struct {
                char *name;
                int (*read_proc)(char*,char**,off_t,int,int*,void*);
@@ -583,48 +584,81 @@
 #ifdef CONFIG_STRAM_PROC
                {"stram",       stram_read_proc},
 #endif
-#ifdef CONFIG_MODULES
+#if defined(CONFIG_MODULES) && !defined(CONFIG_GRKERNSEC_PROC)
                {"modules",     modules_read_proc},
 #endif
                {"stat",        kstat_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
                {"devices",     devices_read_proc},
-#if !defined(CONFIG_ARCH_S390)
+#endif
+#if !defined(CONFIG_ARCH_S390) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
                {"interrupts",  interrupts_read_proc},
 #endif
                {"filesystems", filesystems_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
                {"dma",         dma_read_proc},
                {"ioports",     ioports_read_proc},
                {"cmdline",     cmdline_read_proc},
+#endif
 #ifdef CONFIG_SGI_DS1286
                {"rtc",         ds1286_read_proc},
 #endif
                {"locks",       locks_read_proc},
                {"swaps",       swaps_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
                {"iomem",       memory_read_proc},
+#endif
                {"execdomains", execdomains_read_proc},
                {NULL,}
        };
        for (p = simple_ones; p->name; p++)
                create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+       gr_mode = S_IRUSR;
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+       gr_mode = S_IRUSR | S_IRGRP;
+#endif
+
+#if defined(CONFIG_GRKERNSEC_PROC) && defined(CONFIG_MODULES)
+       create_proc_read_entry("modules", gr_mode, NULL, &modules_read_proc, NULL);
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+       create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL);
+       create_proc_read_entry("dma", gr_mode, NULL, &dma_read_proc, NULL);
+       create_proc_read_entry("ioports", gr_mode, NULL, &ioports_read_proc, NULL);
+       create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
+       create_proc_read_entry("iomem", gr_mode, NULL, &memory_read_proc, NULL);
+#if !defined(CONFIG_ARCH_S390)
+       create_proc_read_entry("interrupts", gr_mode, NULL, &interrupts_read_proc, NULL);
+#endif
+#endif
+
        proc_symlink("mounts", NULL, "self/mounts");
 
        /* And now for trickier ones */
        entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
        if (entry)
                entry->proc_fops = &proc_kmsg_operations;
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+       create_seq_entry("cpuinfo", gr_mode, &proc_cpuinfo_operations);
+       create_seq_entry("slabinfo", gr_mode,&proc_slabinfo_operations);
+#else
        create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
-       create_seq_entry("partitions", 0, &proc_partitions_operations);
        create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
+#endif
+       create_seq_entry("partitions", 0, &proc_partitions_operations);
 #ifdef CONFIG_MODULES
-       create_seq_entry("ksyms", 0, &proc_ksyms_operations);
+       create_seq_entry("ksyms", gr_mode, &proc_ksyms_operations);
 #endif
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
        proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
        if (proc_root_kcore) {
                proc_root_kcore->proc_fops = &proc_kcore_operations;
                proc_root_kcore->size =
                                (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
        }
+#endif
        if (prof_shift) {
                entry = create_proc_entry("profile", S_IWUSR | S_IRUGO, NULL);
                if (entry) {
diff -urN linux-2.4.22/fs/proc/root.c linux-2.4.22/fs/proc/root.c
--- linux-2.4.22/fs/proc/root.c 2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/proc/root.c 2003-09-02 19:29:42.000000000 -0400
@@ -37,13 +37,21 @@
                return;
        }
        proc_misc_init();
+#ifdef CONFIG_GRKERNSEC_PROC
+       proc_net = proc_priv_mkdir("net", 0);
+#else
        proc_net = proc_mkdir("net", 0);
+#endif
 #ifdef CONFIG_SYSVIPC
        proc_mkdir("sysvipc", 0);
 #endif
 #ifdef CONFIG_SYSCTL
+#ifdef CONFIG_GRKERNSEC_PROC
+       proc_sys_root = proc_priv_mkdir("sys", 0);
+#else
        proc_sys_root = proc_mkdir("sys", 0);
 #endif
+#endif
 #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
        proc_mkdir("sys/fs", 0);
        proc_mkdir("sys/fs/binfmt_misc", 0);
@@ -67,7 +75,12 @@
 #ifdef CONFIG_PPC_RTAS
        proc_rtas_init();
 #endif
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+       proc_bus = proc_priv_mkdir("bus", 0);
+#else
        proc_bus = proc_mkdir("bus", 0);
+#endif
 }
 
 static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry)
diff -urN linux-2.4.22/fs/readdir.c linux-2.4.22/fs/readdir.c
--- linux-2.4.22/fs/readdir.c   2003-09-01 22:19:00.000000000 -0400
+++ linux-2.4.22/fs/readdir.c   2003-09-02 19:29:42.000000000 -0400
@@ -10,6 +10,7 @@
 #include <linux/stat.h>
 #include <linux/file.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -181,6 +182,7 @@
 struct readdir_callback {
        struct old_linux_dirent * dirent;
        int count;
+       struct nameidata nd;
 };
 
 static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -191,6 +193,10 @@
 
        if (buf->count)
                return -EINVAL;
+
+       if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
+               return 0;
+           
        buf->count++;
        dirent = buf->dirent;
        put_user(ino, &dirent->d_ino);
@@ -215,6 +221,9 @@
        buf.count = 0;
        buf.dirent = dirent;
 
+       buf.nd.dentry = file->f_dentry;
+       buf.nd.mnt = file->f_vfsmnt;
+
        error = vfs_readdir(file, fillonedir, &buf);
        if (error >= 0)
                error = buf.count;
@@ -242,6 +251,7 @@
        struct linux_dirent * previous;
        int count;
        int error;
+       struct nameidata nd;
 };
 
 static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -254,6 +264,10 @@
        buf->error = -EINVAL;   /* only used if we fail.. */
        if (reclen > buf->count)
                return -EINVAL;
+
+       if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
+               return 0;
+
        dirent = buf->previous;
        if (dirent)
                put_user(offset, &dirent->d_off);
@@ -286,6 +300,9 @@
        buf.count = count;
        buf.error = 0;
 
+       buf.nd.dentry = file->f_dentry;
+       buf.nd.mnt = file->f_vfsmnt;
+
        error = vfs_readdir(file, filldir, &buf);
        if (error < 0)
                goto out_putf;
@@ -320,6 +337,7 @@
        struct linux_dirent64 * previous;
        int count;
        int error;
+       struct nameidata nd;
 };
 
 static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
@@ -332,6 +350,10 @@
        buf->error = -EINVAL;   /* only used if we fail.. */
        if (reclen > buf->count)
                return -EINVAL;
+
+       if (!gr_acl_handle_filldir(buf->nd.dentry, buf->nd.mnt, ino))
+               return 0;
+       
        dirent = buf->previous;
        if (dirent) {
                d.d_off = offset;
@@ -369,6 +391,9 @@
        buf.count = count;
        buf.error = 0;
 
+       buf.nd.mnt = file->f_vfsmnt;
+       buf.nd.dentry = file->f_dentry;
+
        error = vfs_readdir(file, filldir64, &buf);
        if (error < 0)
                goto out_putf;
diff -urN linux-2.4.22/grsecurity/Config.in linux-2.4.22/grsecurity/Config.in
--- linux-2.4.22/grsecurity/Config.in   1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/Config.in   2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,262 @@
+define_bool CONFIG_CRYPTO y
+define_bool CONFIG_CRYPTO_SHA256 y
+choice 'Security level' \
+        "Low           CONFIG_GRKERNSEC_LOW \
+         Medium                CONFIG_GRKERNSEC_MID \
+         High          CONFIG_GRKERNSEC_HI \
+         Customized    CONFIG_GRKERNSEC_CUSTOM" Customized
+if [ "$CONFIG_GRKERNSEC_LOW" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_RANDSRC n
+define_bool CONFIG_GRKERNSEC_RANDRPC n
+define_bool CONFIG_GRKERNSEC_FORKFAIL n
+define_bool CONFIG_GRKERNSEC_TIME n
+define_bool CONFIG_GRKERNSEC_SIGNAL n
+define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT n
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT n
+define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR n
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE n
+define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT n
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD n
+define_bool CONFIG_GRKERNSEC_PROC n
+define_bool CONFIG_GRKERNSEC_PROC_IPADDR n
+define_bool CONFIG_GRKERNSEC_HIDESYM n
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n
+define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL n
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n
+define_bool CONFIG_GRKERNSEC_KMEM n
+define_bool CONFIG_GRKERNSEC_PROC_ADD n
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE n
+define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK n
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_IO n
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n
+define_bool CONFIG_GRKERNSEC_RESLOG n
+define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3
+define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30
+
+define_int  CONFIG_GRKERNSEC_FLOODTIME 10
+define_int  CONFIG_GRKERNSEC_FLOODBURST 4
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_RANDNET y
+define_bool CONFIG_GRKERNSEC_RANDISN n
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+fi
+if [ "$CONFIG_GRKERNSEC_MID" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_KMEM n
+define_bool CONFIG_GRKERNSEC_PROC_IPADDR n
+define_bool CONFIG_GRKERNSEC_HIDESYM n
+define_bool CONFIG_GRKERNSEC_PROC_ADD n
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE n
+define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK n
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_IO n
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n
+define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL y
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR n
+define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n
+define_bool CONFIG_GRKERNSEC_RESLOG n
+define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3
+define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30
+
+define_int  CONFIG_GRKERNSEC_FLOODTIME 10
+define_int  CONFIG_GRKERNSEC_FLOODBURST 4
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_RANDNET y
+define_bool CONFIG_GRKERNSEC_RANDISN y
+define_bool CONFIG_GRKERNSEC_RANDSRC y
+define_bool CONFIG_GRKERNSEC_RANDRPC y
+define_bool CONFIG_GRKERNSEC_FORKFAIL y
+define_bool CONFIG_GRKERNSEC_TIME y
+define_bool CONFIG_GRKERNSEC_SIGNAL y
+define_bool CONFIG_GRKERNSEC_CHROOT y
+define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT n
+define_bool CONFIG_GRKERNSEC_CHROOT_UNIX y
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y
+define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT y
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y
+define_bool CONFIG_GRKERNSEC_PROC y
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y
+define_int  CONFIG_GRKERNSEC_PROC_GID 10
+fi
+if [ "$CONFIG_GRKERNSEC_HI" = "y" ]; then
+define_int CONFIG_GRKERNSEC_FLOODTIME 10
+define_int  CONFIG_GRKERNSEC_FLOODBURST 4
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_RANDSRC y
+define_bool CONFIG_GRKERNSEC_RANDRPC y
+define_bool CONFIG_GRKERNSEC_FORKFAIL y
+define_bool CONFIG_GRKERNSEC_TIME y
+define_bool CONFIG_GRKERNSEC_SIGNAL y
+define_bool CONFIG_GRKERNSEC_CHROOT_SHMAT y
+define_bool CONFIG_GRKERNSEC_CHROOT_UNIX y
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y
+define_bool CONFIG_GRKERNSEC_CHROOT_FCHDIR y
+define_bool CONFIG_GRKERNSEC_CHROOT_PIVOT y
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS y
+define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL y
+define_bool CONFIG_GRKERNSEC_CHROOT_FINDTASK y
+define_bool CONFIG_GRKERNSEC_PROC y
+define_bool CONFIG_GRKERNSEC_PROC_IPADDR n
+define_bool CONFIG_GRKERNSEC_HIDESYM y
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y
+define_int  CONFIG_GRKERNSEC_PROC_GID 10
+define_bool CONFIG_GRKERNSEC_KMEM y
+define_bool CONFIG_GRKERNSEC_RESLOG y
+define_bool CONFIG_GRKERNSEC_RANDNET y
+define_bool CONFIG_GRKERNSEC_RANDISN y
+
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_ACL_HIDEKERN n
+define_int CONFIG_GRKERNSEC_ACL_MAXTRIES 3
+define_int CONFIG_GRKERNSEC_ACL_TIMEOUT 30
+
+define_bool CONFIG_GRKERNSEC_PROC_ADD y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD y
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE y
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_IO n
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT y
+fi
+if [ "$CONFIG_GRKERNSEC_CUSTOM" = "y" ]; then
+mainmenu_option next_comment
+comment 'Address Space Protection'
+bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM
+if [ "$CONFIG_X86" = "y" ]; then
+  bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO
+  if [ "$CONFIG_GRKERNSEC_IO" = "y" ]; then
+    define_bool CONFIG_RTC y
+  fi
+fi
+bool 'Hide kernel symbols' CONFIG_GRKERNSEC_HIDESYM
+endmenu
+mainmenu_option next_comment
+comment 'Role Based Access Control Options'
+bool 'Hide kernel processes' CONFIG_GRKERNSEC_ACL_HIDEKERN
+int 'Maximum tries before password lockout' CONFIG_GRKERNSEC_ACL_MAXTRIES 3
+int 'Time to wait after max password tries, in seconds' CONFIG_GRKERNSEC_ACL_TIMEOUT 30
+endmenu
+mainmenu_option next_comment
+comment 'Filesystem Protections'
+bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC
+if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then
+ bool '   Restrict to user only' CONFIG_GRKERNSEC_PROC_USER
+ if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then
+  bool '   Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP
+  if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then
+   int  '   GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001
+  fi
+ fi
+ if [ "$CONFIG_GRKERNSEC_PROC_USER" != "n" -o "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then
+  bool '   Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD
+ fi
+fi
+bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK
+bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO
+bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT
+if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then
+bool '   Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT
+bool '   Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE
+bool '   Deny pivot_root in chroot' CONFIG_GRKERNSEC_CHROOT_PIVOT
+bool '   Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR
+bool '   Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD
+bool '   Deny fchdir out of chroot' CONFIG_GRKERNSEC_CHROOT_FCHDIR
+bool '   Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD
+bool '   Deny shmat() out of chroot' CONFIG_GRKERNSEC_CHROOT_SHMAT
+bool '   Deny access to abstract AF_UNIX sockets out of chroot' CONFIG_GRKERNSEC_CHROOT_UNIX
+bool '   Protect outside processes' CONFIG_GRKERNSEC_CHROOT_FINDTASK
+bool '   Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE
+bool '   Deny sysctl writes in chroot' CONFIG_GRKERNSEC_CHROOT_SYSCTL
+bool '   Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Kernel Auditing'
+bool 'Single group for auditing' CONFIG_GRKERNSEC_AUDIT_GROUP
+if [ "$CONFIG_GRKERNSEC_AUDIT_GROUP" != "n" ]; then
+int  '   GID for auditing' CONFIG_GRKERNSEC_AUDIT_GID 1007
+fi
+bool 'Exec logging' CONFIG_GRKERNSEC_EXECLOG
+bool 'Resource logging' CONFIG_GRKERNSEC_RESLOG
+bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG
+bool 'Chdir logging' CONFIG_GRKERNSEC_AUDIT_CHDIR
+bool '(Un)Mount logging' CONFIG_GRKERNSEC_AUDIT_MOUNT
+bool 'IPC logging' CONFIG_GRKERNSEC_AUDIT_IPC
+bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL
+bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL
+bool 'Time change logging' CONFIG_GRKERNSEC_TIME
+bool '/proc/<pid>/ipaddr support' CONFIG_GRKERNSEC_PROC_IPADDR
+endmenu
+mainmenu_option next_comment
+comment 'Executable Protections'
+bool 'Enforce RLIMIT_NPROC on execs' CONFIG_GRKERNSEC_EXECVE
+bool 'Dmesg(8) restriction' CONFIG_GRKERNSEC_DMESG
+bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID
+bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE
+if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then
+bool '   Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL
+int  '   GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Network Protections'
+bool 'Larger entropy pools' CONFIG_GRKERNSEC_RANDNET
+bool 'Truly random TCP ISN selection' CONFIG_GRKERNSEC_RANDISN
+bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID
+bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC
+bool 'Randomized RPC XIDs' CONFIG_GRKERNSEC_RANDRPC
+bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET
+if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then
+bool '  Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL
+if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then
+int  '   GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004
+fi
+bool '  Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT
+if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then
+int  '   GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003
+fi
+bool '  Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER
+if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then
+int  '   GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002
+fi
+fi
+endmenu
+if [ "$CONFIG_SYSCTL" != "n" ]; then
+mainmenu_option next_comment
+comment 'Sysctl support'
+bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
+endmenu
+fi
+mainmenu_option next_comment
+comment 'Logging options'
+int 'Seconds in between log messages (minimum)' CONFIG_GRKERNSEC_FLOODTIME 10
+int 'Number of messages in a burst (maximum)' CONFIG_GRKERNSEC_FLOODBURST 4
+endmenu
+fi
diff -urN linux-2.4.22/grsecurity/Makefile linux-2.4.22/grsecurity/Makefile
--- linux-2.4.22/grsecurity/Makefile    1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/Makefile    2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,24 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001, 2002, and 2003 it has been completely redesigned by
+# Brad Spengler
+#
+# All code in this directory and various hooks inserted throughout the kernel
+# are copyright Brad Spengler, and released under the GPL, unless otherwise
+# noted (as in obsd_rand.c)
+
+O_TARGET := grsec.o
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+       grsec_mount.o grsec_rand.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
+       grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o
+
+ifeq ($(CONFIG_GRKERNSEC),y)
+obj-y += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o obsd_rand.o \
+       gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
+       gracl_learn.o
+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
+else
+obj-y += grsec_disabled.o
+endif
+
+include $(TOPDIR)/Rules.make
diff -urN linux-2.4.22/grsecurity/gracl.c linux-2.4.22/grsecurity/gracl.c
--- linux-2.4.22/grsecurity/gracl.c     1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl.c     2003-09-02 19:50:30.000000000 -0400
@@ -0,0 +1,2740 @@
+/* 
+ * grsecurity/gracl.c
+ * Copyright Brad Spengler 2001, 2002, 2003
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/proc_fs.h>
+#include <linux/smp_lock.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <linux/sysctl.h>
+#include <linux/gracl.h>
+#include <linux/gralloc.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#include <asm/uaccess.h>
+#include <asm/errno.h>
+#include <asm/mman.h>
+
+static struct acl_role_db acl_role_set;
+static struct acl_role_label *role_list_head;
+static struct name_db name_set;
+static struct name_db inodev_set;
+
+static struct acl_role_label *default_role;
+
+static u16 acl_sp_role_value;
+
+static DECLARE_MUTEX(gr_dev_sem);
+rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
+
+extern char *gr_shared_page[4][NR_CPUS];
+struct gr_arg *gr_usermode;
+
+static unsigned long gr_status = GR_STATUS_INIT;
+
+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
+extern void gr_clear_learn_entries(void);
+
+#ifdef CONFIG_GRKERNSEC_RESLOG
+extern __inline__ void gr_log_resource(const struct task_struct *task,
+                                      const int res,
+                                      const unsigned long wanted);
+#endif
+
+unsigned char *gr_system_salt;
+unsigned char *gr_system_sum;
+
+static struct sprole_pw **acl_special_roles = NULL;
+static __u16 num_sprole_pws = 0;
+
+static struct acl_role_label *kernel_role = NULL;
+
+/* The following are used to keep a place held in the hash table when we move
+   entries around.  They can be replaced during insert. */
+
+static struct acl_subject_label *deleted_subject;
+static struct acl_object_label *deleted_object;
+static struct name_entry *deleted_inodev;
+
+/* for keeping track of the last and final allocated subjects, since
+   nested subject parsing is tricky
+*/
+static struct acl_subject_label *s_last = NULL;
+static struct acl_subject_label *s_final = NULL;
+
+static unsigned int gr_auth_attempts = 0;
+static unsigned long gr_auth_expires = 0UL;
+
+extern int gr_init_uidset(void);
+extern void gr_free_uidset(void);
+extern void gr_remove_uid(uid_t uid);
+extern int gr_find_uid(uid_t uid);
+
+__inline__ int
+gr_acl_is_enabled(void)
+{
+       return (gr_status & GR_READY);
+}
+
+__inline__ int
+gr_acl_tpe_check(void)
+{
+       if (unlikely(!(gr_status & GR_READY)))
+               return 0;
+       if (current->role->roletype & GR_ROLE_TPE)
+               return 1;
+       else
+               return 0;
+}
+
+int
+gr_handle_rawio(const struct inode *inode)
+{
+       if (inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO) &&
+           ((gr_status & GR_READY)
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+            || (grsec_enable_chroot_caps && proc_is_chrooted(current))
+#endif
+           ))
+               return 1;
+       return 0;
+}
+
+
+static __inline__ int
+gr_streq(const char *a, const char *b, const __u16 lena, const __u16 lenb)
+{
+       int i;
+       unsigned long *l1;
+       unsigned long *l2;
+       unsigned char *c1;
+       unsigned char *c2;
+       int num_longs;
+
+       if (likely(lena != lenb))
+               return 0;
+
+       l1 = (unsigned long *)a;
+       l2 = (unsigned long *)b;
+
+       num_longs = lena / sizeof(unsigned long);
+
+       for (i = num_longs; i--; l1++, l2++) {
+               if (unlikely(*l1 != *l2))
+                       return 0;
+       }
+
+       c1 = (unsigned char *) l1;
+       c2 = (unsigned char *) l2;
+
+       i = lena - (num_longs * sizeof(unsigned long)); 
+
+       for (; i--; c1++, c2++) {
+               if (unlikely(*c1 != *c2))
+                       return 0;
+       }
+
+       return 1;
+}
+               
+static __inline__ char *
+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
+           char *buf, int buflen)
+{
+       char *res;
+       struct dentry *our_dentry;
+       struct vfsmount *our_mount;
+       struct vfsmount *rootmnt;
+       struct dentry *root;
+
+       our_dentry = (struct dentry *) dentry;
+       our_mount = (struct vfsmount *) vfsmnt;
+
+       read_lock(&child_reaper->fs->lock);
+       rootmnt = mntget(child_reaper->fs->rootmnt);
+       root = dget(child_reaper->fs->root);
+       read_unlock(&child_reaper->fs->lock);
+
+       spin_lock(&dcache_lock);
+       res = __d_path(our_dentry, our_mount, root, rootmnt, buf, buflen);
+       spin_unlock(&dcache_lock);
+       dput(root);
+       mntput(rootmnt);
+       return res;
+}
+
+char *
+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return d_real_path(dentry, mnt, gr_shared_page[0][smp_processor_id()],
+                          PAGE_SIZE);
+}
+
+char *
+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return d_real_path(dentry, mnt, gr_shared_page[1][smp_processor_id()],
+                          PAGE_SIZE);
+}
+
+char *
+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return d_real_path(dentry, mnt, gr_shared_page[2][smp_processor_id()],
+                          PAGE_SIZE);
+}
+
+char *
+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return d_real_path(dentry, mnt, gr_shared_page[3][smp_processor_id()],
+                          PAGE_SIZE);
+}
+
+__inline__ __u32
+to_gr_audit(const __u32 reqmode)
+{
+       __u32 retmode = 0;
+
+       retmode |= (reqmode & GR_READ) ? GR_AUDIT_READ : 0;
+       retmode |= (reqmode & GR_WRITE) ? GR_AUDIT_WRITE | GR_AUDIT_APPEND : 0;
+       retmode |= (reqmode & GR_APPEND) ? GR_AUDIT_APPEND : 0;
+       retmode |= (reqmode & GR_EXEC) ? GR_AUDIT_EXEC : 0;
+       retmode |= (reqmode & GR_INHERIT) ? GR_AUDIT_INHERIT : 0;
+       retmode |= (reqmode & GR_FIND) ? GR_AUDIT_FIND : 0;
+       retmode |= (reqmode & GR_SETID) ? GR_AUDIT_SETID : 0;
+       retmode |= (reqmode & GR_CREATE) ? GR_AUDIT_CREATE : 0;
+       retmode |= (reqmode & GR_DELETE) ? GR_AUDIT_DELETE : 0;
+
+       return retmode;
+}
+
+__inline__ struct acl_role_label *
+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
+                     const gid_t gid)
+{
+       unsigned long index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
+       struct acl_role_label *match;
+       struct role_allowed_ip *ipp;
+       __u8 i = 0;
+
+       match = acl_role_set.r_hash[index];
+
+       while (match
+              && (match->uidgid != uid || !(match->roletype & GR_ROLE_USER))) {
+               index = (index + (1 << i)) % acl_role_set.r_size;
+               match = acl_role_set.r_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (!match || match->uidgid != uid || !(match->roletype & GR_ROLE_USER)) {
+             try_group:
+               index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
+               match = acl_role_set.r_hash[index];
+               i = 0;
+
+               while (match
+                      && (match->uidgid != gid
+                          || !(match->roletype & GR_ROLE_GROUP))) {
+                       index = (index + (1 << i)) % acl_role_set.r_size;
+                       match = acl_role_set.r_hash[index];
+                       i = (i + 1) % 32;
+               }
+
+               if (!match || match->uidgid != gid
+                   || !(match->roletype & GR_ROLE_GROUP))
+                       match = default_role;
+               else if (likely(!match->allowed_ips)) {
+                       return match;
+               } else {
+                       for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
+                               if (likely
+                                   ((task->curr_ip & ipp->netmask) ==
+                                    (ipp->addr & ipp->netmask)))
+                                       return match;
+                       }
+                       match = default_role;
+               }
+       } else if (likely(!match->allowed_ips)) {
+               return match;
+       } else {
+               for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
+                       if (likely
+                           ((task->curr_ip & ipp->netmask) ==
+                            (ipp->addr & ipp->netmask)))
+                               return match;
+               }
+               goto try_group;
+       }
+
+       return match;
+}
+
+__inline__ struct acl_subject_label *
+lookup_acl_subj_label(const ino_t ino, const kdev_t dev,
+                     const struct acl_role_label *role)
+{
+       unsigned long subj_size = role->subj_hash_size;
+       struct acl_subject_label **s_hash = role->subj_hash;
+       unsigned long index = fhash(ino, dev, subj_size);
+       struct acl_subject_label *match;
+       __u8 i = 0;
+
+       match = s_hash[index];
+
+       while (match && (match->inode != ino || match->device != dev ||
+              (match->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % subj_size;
+               match = s_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(match && (match != deleted_subject) &&
+                    (match->inode == ino) && (match->device == dev) &&
+                    !(match->mode & GR_DELETED)))
+               return match;
+       else
+               return NULL;
+}
+
+static __inline__ struct acl_object_label *
+lookup_acl_obj_label(const ino_t ino, const kdev_t dev,
+                    const struct acl_subject_label *subj)
+{
+       unsigned long obj_size = subj->obj_hash_size;
+       struct acl_object_label **o_hash = subj->obj_hash;
+       unsigned long index = fhash(ino, dev, obj_size);
+       struct acl_object_label *match;
+       __u8 i = 0;
+
+       match = o_hash[index];
+
+       while (match && (match->inode != ino || match->device != dev ||
+              (match->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % obj_size;
+               match = o_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(match && (match != deleted_object) &&
+                    (match->inode == ino) && (match->device == dev) &&
+                    !(match->mode & GR_DELETED)))
+               return match;
+       else
+               return NULL;
+}
+
+static __inline__ struct acl_object_label *
+lookup_acl_obj_label_create(const ino_t ino, const kdev_t dev,
+                    const struct acl_subject_label *subj)
+{
+       unsigned long obj_size = subj->obj_hash_size;
+       struct acl_object_label **o_hash = subj->obj_hash;
+       unsigned long index = fhash(ino, dev, obj_size);
+       struct acl_object_label *match;
+       __u8 i = 0;
+
+       match = o_hash[index];
+
+       while (match && (match->inode != ino || match->device != dev ||
+              !(match->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % obj_size;
+               match = o_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(match && (match != deleted_object) &&
+                    (match->inode == ino) && (match->device == dev) &&
+                    (match->mode & GR_DELETED)))
+               return match;
+
+       i = 0;
+       index = fhash(ino, dev, obj_size);
+       match = o_hash[index];
+
+       while (match && (match->inode != ino || match->device != dev ||
+              (match->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % obj_size;
+               match = o_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(match && (match != deleted_object) &&
+                    (match->inode == ino) && (match->device == dev) &&
+                    !(match->mode & GR_DELETED)))
+               return match;
+       else
+               return NULL;
+}
+
+static __inline__ struct name_entry *
+lookup_name_entry(const char *name)
+{
+       __u16 len = strlen(name);
+       unsigned long index = nhash(name, len, name_set.n_size);
+       struct name_entry *match;
+       __u8 i = 0;
+
+       match = name_set.n_hash[index];
+
+       while (match && !gr_streq(match->name, name, match->len, len)) {
+               index = (index + (1 << i)) % name_set.n_size;
+               match = name_set.n_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(!match || !gr_streq(match->name, name, match->len, len)))
+               return NULL;
+       else
+               return match;
+}
+
+static __inline__ struct name_entry *
+lookup_inodev_entry(const ino_t ino, const kdev_t dev)
+{
+       unsigned long index = fhash(ino, dev, inodev_set.n_size);
+       struct name_entry *match;
+       __u8 i = 0;
+
+       match = inodev_set.n_hash[index];
+
+       while (match && (match->inode != ino || match->device != dev)) {
+               index = (index + (1 << i)) % inodev_set.n_size;
+               match = inodev_set.n_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (unlikely(match && (match != deleted_inodev) &&
+                    (match->inode == ino) && (match->device == dev)))
+               return match;
+       else
+               return NULL;
+}
+
+static void
+insert_inodev_entry(struct name_entry *nentry)
+{
+       unsigned long index = fhash(nentry->inode, nentry->device,
+                                   inodev_set.n_size);
+       struct name_entry **curr;
+       __u8 i = 0;
+
+       curr = &inodev_set.n_hash[index];
+
+       while (*curr && *curr != deleted_inodev) {
+               index = (index + (1 << i)) % inodev_set.n_size;
+               curr = &inodev_set.n_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       *curr = nentry;
+
+       return;
+}
+
+static void
+insert_acl_role_label(struct acl_role_label *role)
+{
+       unsigned long index =
+           rhash(role->uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
+       struct acl_role_label **curr;
+       __u8 i = 0;
+
+       curr = &acl_role_set.r_hash[index];
+
+       while (*curr) {
+               index = (index + (1 << i)) % acl_role_set.r_size;
+               curr = &acl_role_set.r_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       *curr = role;
+
+       return;
+}
+
+static int
+insert_name_entry(char *name, const ino_t inode, const kdev_t device)
+{
+       struct name_entry **curr;
+       __u8 i = 0;
+       __u16 len = strlen(name);
+       unsigned long index = nhash(name, len, name_set.n_size);
+
+       curr = &name_set.n_hash[index];
+
+       while (*curr && !gr_streq((*curr)->name, name, (*curr)->len, len)) {
+               index = (index + (1 << i)) % name_set.n_size;
+               curr = &name_set.n_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (!(*curr)) {
+               struct name_entry *nentry =
+                   acl_alloc(sizeof (struct name_entry));
+               if (!nentry)
+                       return 0;
+               nentry->name = name;
+               nentry->inode = inode;
+               nentry->device = device;
+               nentry->len = len;
+               *curr = nentry;
+               /* insert us into the table searchable by inode/dev */
+               insert_inodev_entry(nentry);
+       }
+
+       return 1;
+}
+
+static void
+insert_acl_obj_label(struct acl_object_label *obj,
+                    struct acl_subject_label *subj)
+{
+       unsigned long index =
+           fhash(obj->inode, obj->device, subj->obj_hash_size);
+       struct acl_object_label **curr;
+       __u8 i = 0;
+
+       curr = &subj->obj_hash[index];
+
+       while (*curr && *curr != deleted_object) {
+               index = (index + (1 << i)) % subj->obj_hash_size;
+               curr = &subj->obj_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       *curr = obj;
+
+       return;
+}
+
+static void
+insert_acl_subj_label(struct acl_subject_label *obj,
+                     struct acl_role_label *role)
+{
+       unsigned long subj_size = role->subj_hash_size;
+       struct acl_subject_label **s_hash = role->subj_hash;
+       unsigned long index = fhash(obj->inode, obj->device, subj_size);
+       struct acl_subject_label **curr;
+       __u8 i = 0;
+
+       curr = &s_hash[index];
+
+       while (*curr && *curr != deleted_subject) {
+               index = (index + (1 << i)) % subj_size;
+               curr = &s_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       *curr = obj;
+
+       return;
+}
+
+static void **
+create_table(__u32 * len)
+{
+       unsigned long table_sizes[] = {
+               7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
+               32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
+               4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
+               268435399, 536870909, 1073741789, 2147483647
+       };
+       void *newtable = NULL;
+       unsigned int pwr = 0;
+
+       while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
+              table_sizes[pwr] <= (2 * (*len)))
+               pwr++;
+
+       if (table_sizes[pwr] <= (2 * (*len)))
+               return newtable;
+
+       if ((table_sizes[pwr] * sizeof (void *)) <= PAGE_SIZE)
+               newtable =
+                   kmalloc(table_sizes[pwr] * sizeof (void *), GFP_KERNEL);
+       else
+               newtable = vmalloc(table_sizes[pwr] * sizeof (void *));
+
+       *len = table_sizes[pwr];
+
+       return newtable;
+}
+
+static int
+init_variables(const unsigned long acl_obj_size,
+              const unsigned long acl_subj_size,
+              const unsigned long acl_ip_size,
+              const unsigned long acl_role_size,
+              const unsigned long allowed_ip_size,
+              const unsigned long acl_trans_size,
+              const __u16 num_sprole_pws)
+{
+       unsigned long stacksize;
+
+       acl_role_set.r_size = acl_role_size;
+       name_set.n_size = (acl_obj_size + acl_subj_size);
+       inodev_set.n_size = (acl_obj_size + acl_subj_size);
+
+       if (!gr_init_uidset())
+               return 1;
+
+       /* set up the stack that holds allocation info */
+
+       stacksize = (3 * acl_obj_size) + (2 * acl_role_size) +
+           (4 * acl_subj_size) + acl_ip_size + (2 * acl_trans_size) +
+           allowed_ip_size + (2 * num_sprole_pws) + 5;
+
+       if (!acl_alloc_stack_init(stacksize))
+               return 1;
+
+       /* create our empty, fake deleted acls */
+       deleted_subject =
+           (struct acl_subject_label *)
+           acl_alloc(sizeof (struct acl_subject_label));
+       deleted_object =
+           (struct acl_object_label *)
+           acl_alloc(sizeof (struct acl_object_label));
+       deleted_inodev =
+           (struct name_entry *) acl_alloc(sizeof (struct name_entry));
+
+       if (!deleted_subject || !deleted_object || !deleted_inodev)
+               return 1;
+
+       memset(deleted_subject, 0, sizeof (struct acl_subject_label));
+       memset(deleted_object, 0, sizeof (struct acl_object_label));
+       memset(deleted_inodev, 0, sizeof (struct name_entry));
+
+       /* We only want 50% full tables for now */
+
+       acl_role_set.r_hash =
+           (struct acl_role_label **) create_table(&acl_role_set.r_size);
+       name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size);
+       inodev_set.n_hash =
+           (struct name_entry **) create_table(&inodev_set.n_size);
+
+       if (!acl_role_set.r_hash || !name_set.n_hash || !inodev_set.n_hash)
+               return 1;
+       memset(acl_role_set.r_hash, 0,
+              sizeof (struct acl_role_label *) * acl_role_set.r_size);
+       memset(name_set.n_hash, 0,
+              sizeof (struct name_entry *) * name_set.n_size);
+       memset(inodev_set.n_hash, 0,
+              sizeof (struct name_entry *) * inodev_set.n_size);
+
+       return 0;
+}
+
+static void
+free_variables(void)
+{
+       struct acl_subject_label *s;
+       struct acl_role_label *r;
+       struct task_struct *task;
+
+       gr_clear_learn_entries();
+
+       read_lock(&tasklist_lock);
+       for_each_task(task) {
+               task->acl_sp_role = 0;
+               task->acl_role_id = 0;
+               task->acl = NULL;
+               task->role = NULL;
+       }
+       read_unlock(&tasklist_lock);
+
+       /* free all object hash tables */
+
+       if (role_list_head) {
+               for (r = role_list_head; r; r = r->next) {
+                       if (!r->subj_hash)
+                               break;
+                       for (s = r->proc_subject; s; s = s->next) {
+                               if (!s->obj_hash)
+                                       break;
+                               if ((s->obj_hash_size *
+                                    sizeof (struct acl_object_label *)) <=
+                                   PAGE_SIZE)
+                                       kfree(s->obj_hash);
+                               else
+                                       vfree(s->obj_hash);
+                       }
+                       if ((r->subj_hash_size *
+                            sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
+                               kfree(r->subj_hash);
+                       else
+                               vfree(r->subj_hash);
+               }
+       }
+
+       acl_free_all();
+
+       if (acl_role_set.r_hash) {
+               if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
+                   PAGE_SIZE)
+                       kfree(acl_role_set.r_hash);
+               else
+                       vfree(acl_role_set.r_hash);
+       }
+       if (name_set.n_hash) {
+               if ((name_set.n_size * sizeof (struct name_entry *)) <=
+                   PAGE_SIZE)
+                       kfree(name_set.n_hash);
+               else
+                       vfree(name_set.n_hash);
+       }
+
+       if (inodev_set.n_hash) {
+               if ((inodev_set.n_size * sizeof (struct name_entry *)) <=
+                   PAGE_SIZE)
+                       kfree(inodev_set.n_hash);
+               else
+                       vfree(inodev_set.n_hash);
+       }
+
+       gr_free_uidset();
+
+       memset(&name_set, 0, sizeof (struct name_db));
+       memset(&inodev_set, 0, sizeof (struct name_db));
+       memset(&acl_role_set, 0, sizeof (struct acl_role_db));
+
+       role_list_head = NULL;
+       default_role = NULL;
+
+       return;
+}
+
+static __u32
+count_user_objs(struct acl_object_label *userp)
+{
+       struct acl_object_label o_tmp;
+       __u32 num = 0;
+
+       while (userp) {
+               if (copy_from_user(&o_tmp, userp,
+                                  sizeof (struct acl_object_label)))
+                       break;
+
+               userp = o_tmp.prev;
+               num++;
+       }
+
+       return num;
+}
+
+static struct acl_subject_label *
+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
+
+static int
+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
+              struct acl_role_label *role)
+{
+       struct acl_object_label *o_tmp;
+       unsigned int len;
+       char *tmp;
+
+       while (userp) {
+               if ((o_tmp = (struct acl_object_label *)
+                    acl_alloc(sizeof (struct acl_object_label))) == NULL)
+                       return -ENOMEM;
+
+               if (copy_from_user(o_tmp, userp,
+                                  sizeof (struct acl_object_label)))
+                       return -EFAULT;
+
+               userp = o_tmp->prev;
+
+               len = strnlen_user(o_tmp->filename, PATH_MAX);
+
+               if (!len || len >= PATH_MAX)
+                       return -EINVAL;
+
+               if ((tmp = (char *) acl_alloc(len)) == NULL)
+                       return -ENOMEM;
+
+               if (copy_from_user(tmp, o_tmp->filename, len))
+                       return -EFAULT;
+
+               o_tmp->filename = tmp;
+
+               insert_acl_obj_label(o_tmp, subj);
+               if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
+                                      o_tmp->device))
+                       return -ENOMEM;
+
+               if (o_tmp->nested) {
+                       o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
+                       if (IS_ERR(o_tmp->nested))
+                               return PTR_ERR(o_tmp->nested);
+
+                       s_final = o_tmp->nested;
+               }
+       }
+
+       return 0;
+}
+
+static __u32
+count_user_subjs(struct acl_subject_label *userp)
+{
+       struct acl_subject_label s_tmp;
+       __u32 num = 0;
+
+       while (userp) {
+               if (copy_from_user(&s_tmp, userp,
+                                  sizeof (struct acl_subject_label)))
+                       break;
+
+               userp = s_tmp.prev;
+               /* do not count nested subjects against this count, since
+                  they are not included in the hash table, but are
+                  attached to objects.  We have already counted
+                  the subjects in userspace for the allocation 
+                  stack
+               */
+               if (!s_tmp.parent_subject)
+                       num++;
+       }
+
+       return num;
+}
+
+static int
+copy_user_allowedips(struct acl_role_label *rolep)
+{
+       struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
+
+       ruserip = rolep->allowed_ips;
+
+       while (ruserip) {
+               rlast = rtmp;
+
+               if ((rtmp = (struct role_allowed_ip *)
+                    acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
+                       return -ENOMEM;
+
+               if (copy_from_user(rtmp, ruserip,
+                                  sizeof (struct role_allowed_ip)))
+                       return -EFAULT;
+
+               ruserip = rtmp->prev;
+
+               if (!rlast) {
+                       rtmp->prev = NULL;
+                       rolep->allowed_ips = rtmp;
+               } else {
+                       rlast->next = rtmp;
+                       rtmp->prev = rlast;
+               }
+
+               if (!ruserip)
+                       rtmp->next = NULL;
+       }
+
+       return 0;
+}
+
+static int
+copy_user_transitions(struct acl_role_label *rolep)
+{
+       struct role_transition *rusertp, *rtmp = NULL, *rlast;
+       unsigned int len;
+       char *tmp;
+
+       rusertp = rolep->transitions;
+
+       while (rusertp) {
+               rlast = rtmp;
+
+               if ((rtmp = (struct role_transition *)
+                    acl_alloc(sizeof (struct role_transition))) == NULL)
+                       return -ENOMEM;
+
+               if (copy_from_user(rtmp, rusertp,
+                                  sizeof (struct role_transition)))
+                       return -EFAULT;
+
+               rusertp = rtmp->prev;
+
+               len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
+
+               if (!len || len >= GR_SPROLE_LEN)
+                       return -EINVAL;
+
+               if ((tmp = (char *) acl_alloc(len)) == NULL)
+                       return -ENOMEM;
+
+               if (copy_from_user(tmp, rtmp->rolename, len))
+                       return -EFAULT;
+
+               rtmp->rolename = tmp;
+
+               if (!rlast) {
+                       rtmp->prev = NULL;
+                       rolep->transitions = rtmp;
+               } else {
+                       rlast->next = rtmp;
+                       rtmp->prev = rlast;
+               }
+
+               if (!rusertp)
+                       rtmp->next = NULL;
+       }
+
+       return 0;
+}
+
+static struct acl_subject_label *
+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
+{
+       struct acl_subject_label *s_tmp = NULL;
+       unsigned int len;
+       char *tmp;
+       __u32 num_objs;
+       struct acl_ip_label **i_tmp, *i_utmp2;
+       unsigned long i_num;
+       int err;
+
+
+       if ((s_tmp = (struct acl_subject_label *)
+           acl_alloc(sizeof (struct acl_subject_label))) == NULL)
+               return ERR_PTR(-ENOMEM);
+
+       if (copy_from_user(s_tmp, userp,
+                          sizeof (struct acl_subject_label)))
+               return ERR_PTR(-EFAULT);
+
+       if (!s_last) {
+               s_tmp->prev = NULL;
+               role->proc_subject = s_tmp;
+       } else {
+               s_last->next = s_tmp;
+               s_tmp->prev = s_last;
+       }
+
+       s_last = s_tmp;
+
+       len = strnlen_user(s_tmp->filename, PATH_MAX);
+
+       if (!len || len >= PATH_MAX)
+               return ERR_PTR(-EINVAL);
+
+       if ((tmp = (char *) acl_alloc(len)) == NULL)
+               return ERR_PTR(-ENOMEM);
+
+       if (copy_from_user(tmp, s_tmp->filename, len))
+               return ERR_PTR(-EFAULT);
+
+       s_tmp->filename = tmp;
+
+       if (!strcmp(s_tmp->filename, "/"))
+               role->root_label = s_tmp;
+
+       /* set up object hash table */
+       num_objs = count_user_objs(s_tmp->proc_object);
+
+       s_tmp->obj_hash_size = num_objs;
+       s_tmp->obj_hash =
+           (struct acl_object_label **)
+           create_table(&(s_tmp->obj_hash_size));
+
+       if (!s_tmp->obj_hash)
+               return ERR_PTR(-ENOMEM);
+
+       memset(s_tmp->obj_hash, 0,
+              s_tmp->obj_hash_size *
+              sizeof (struct acl_object_label *));
+
+       /* copy before adding in objects, since a nested
+          acl could be found and be the final subject
+          copied
+       */
+
+       s_final = s_tmp;
+
+       /* add in objects */
+       err = copy_user_objs(s_tmp->proc_object, s_tmp, role);
+
+       if (err)
+               return ERR_PTR(err);
+
+       /* add in ip acls */
+
+       if (!s_tmp->ip_num) {
+               s_tmp->ips = NULL;
+               goto insert;
+       }
+
+       i_tmp =
+           (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
+                                              sizeof (struct
+                                                      acl_ip_label *));
+
+       if (!i_tmp)
+               return ERR_PTR(-ENOMEM);
+
+       for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
+               *(i_tmp + i_num) =
+                   (struct acl_ip_label *)
+                   acl_alloc(sizeof (struct acl_ip_label));
+               if (!*(i_tmp + i_num))
+                       return ERR_PTR(-ENOMEM);
+
+               if (copy_from_user
+                   (&i_utmp2, s_tmp->ips + i_num,
+                    sizeof (struct acl_ip_label *)))
+                       return ERR_PTR(-EFAULT);
+
+               if (copy_from_user
+                   (*(i_tmp + i_num), i_utmp2,
+                    sizeof (struct acl_ip_label)))
+                       return ERR_PTR(-EFAULT);
+       }
+
+       s_tmp->ips = i_tmp;
+
+insert:
+       if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
+                              s_tmp->device))
+               return ERR_PTR(-ENOMEM);
+
+       return s_tmp;
+}
+
+static int
+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
+{
+       struct acl_subject_label s_pre;
+       struct acl_subject_label * ret;
+       int err;
+
+       while (userp) {
+               if (copy_from_user(&s_pre, userp,
+                                  sizeof (struct acl_subject_label)))
+                       return -EFAULT;
+               
+               /* do not add nested subjects here, add
+                  while parsing objects
+               */
+
+               if (s_pre.parent_subject) {
+                       userp = s_pre.prev;
+                       continue;
+               }
+
+               ret = do_copy_user_subj(userp, role);
+
+               err = PTR_ERR(ret);
+               if (IS_ERR(ret))
+                       return err;
+
+               insert_acl_subj_label(ret, role);
+
+               userp = s_pre.prev;
+       }
+
+       s_final->next = NULL;
+
+       return 0;
+}
+
+static int
+copy_user_acl(struct gr_arg *arg)
+{
+       struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2, *r_last;
+       struct sprole_pw *sptmp;
+       unsigned long r_num;
+       unsigned int len;
+       char *tmp;
+       int err = 0;
+       __u16 i;
+       __u32 num_subjs;
+
+       /* we need a default and kernel role */
+       if (arg->role_db.r_entries < 2)
+               return -EINVAL;
+
+       /* copy special role authentication info from userspace */
+
+       num_sprole_pws = arg->num_sprole_pws;
+       acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
+
+       if (!acl_special_roles) {
+               err = -ENOMEM;
+               goto cleanup;
+       }
+
+       for (i = 0; i < num_sprole_pws; i++) {
+               sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
+               if (!sptmp) {
+                       err = -ENOMEM;
+                       goto cleanup;
+               }
+               if (copy_from_user(sptmp, arg->sprole_pws + i,
+                                  sizeof (struct sprole_pw))) {
+                       err = -EFAULT;
+                       goto cleanup;
+               }
+
+               len =
+                   strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
+
+               if (!len || len >= GR_SPROLE_LEN) {
+                       err = -EINVAL;
+                       goto cleanup;
+               }
+
+               if ((tmp = (char *) acl_alloc(len)) == NULL) {
+                       err = -ENOMEM;
+                       goto cleanup;
+               }
+
+               if (copy_from_user(tmp, sptmp->rolename, len)) {
+                       err = -EFAULT;
+                       goto cleanup;
+               }
+
+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
+               printk(KERN_ALERT "Copying special role %s\n", tmp);
+#endif
+               sptmp->rolename = tmp;
+               acl_special_roles[i] = sptmp;
+       }
+
+       r_utmp = (struct acl_role_label **) arg->role_db.r_table;
+
+       for (r_num = 0; r_num < arg->role_db.r_entries; r_num++) {
+               r_last = r_tmp;
+
+               r_tmp = acl_alloc(sizeof (struct acl_role_label));
+
+               if (!r_tmp) {
+                       err = -ENOMEM;
+                       goto cleanup;
+               }
+
+               if (copy_from_user(&r_utmp2, r_utmp + r_num,
+                                  sizeof (struct acl_role_label *))) {
+                       err = -EFAULT;
+                       goto cleanup;
+               }
+
+               if (copy_from_user(r_tmp, r_utmp2,
+                                  sizeof (struct acl_role_label))) {
+                       err = -EFAULT;
+                       goto cleanup;
+               }
+
+               if (!r_last) {
+                       r_tmp->prev = NULL;
+                       role_list_head = r_tmp;
+               } else {
+                       r_last->next = r_tmp;
+                       r_tmp->prev = r_last;
+               }
+
+               if (r_num == (arg->role_db.r_entries - 1))
+                       r_tmp->next = NULL;
+
+               len = strnlen_user(r_tmp->rolename, PATH_MAX);
+
+               if (!len || len >= PATH_MAX) {
+                       err = -EINVAL;
+                       goto cleanup;
+               }
+
+               if ((tmp = (char *) acl_alloc(len)) == NULL) {
+                       err = -ENOMEM;
+                       goto cleanup;
+               }
+               if (copy_from_user(tmp, r_tmp->rolename, len)) {
+                       err = -EFAULT;
+                       goto cleanup;
+               }
+               r_tmp->rolename = tmp;
+
+               if (!strcmp(r_tmp->rolename, "default")
+                   && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
+                       default_role = r_tmp;
+               } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
+                       kernel_role = r_tmp;
+               }
+
+               num_subjs = count_user_subjs(r_tmp->proc_subject);
+
+               r_tmp->subj_hash_size = num_subjs;
+               r_tmp->subj_hash =
+                   (struct acl_subject_label **)
+                   create_table(&(r_tmp->subj_hash_size));
+
+               if (!r_tmp->subj_hash) {
+                       err = -ENOMEM;
+                       goto cleanup;
+               }
+
+               err = copy_user_allowedips(r_tmp);
+               if (err)
+                       goto cleanup;
+
+               err = copy_user_transitions(r_tmp);
+               if (err)
+                       goto cleanup;
+
+               memset(r_tmp->subj_hash, 0,
+                      r_tmp->subj_hash_size *
+                      sizeof (struct acl_subject_label *));
+
+               s_last = NULL;
+
+               err = copy_user_subjs(r_tmp->proc_subject, r_tmp);
+
+               if (err)
+                       goto cleanup;
+
+               insert_acl_role_label(r_tmp);
+       }
+
+       goto return_err;
+      cleanup:
+       free_variables();
+      return_err:
+       return err;
+
+}
+
+static int
+gracl_init(struct gr_arg *args)
+{
+       int error = 0;
+
+       memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
+       memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
+
+       if (init_variables(args->role_db.o_entries, args->role_db.s_entries,
+                          args->role_db.i_entries, args->role_db.r_entries,
+                          args->role_db.a_entries, args->role_db.t_entries,
+                          args->num_sprole_pws)) {
+               security_alert_good(GR_INITF_ACL_MSG, GR_VERSION);
+               error = -ENOMEM;
+               free_variables();
+               goto out;
+       }
+
+       error = copy_user_acl(args);
+       if (error)
+               goto out;
+
+       if ((error = gr_set_acls(0))) {
+               free_variables();
+               goto out;
+       }
+
+       gr_status |= GR_READY;
+      out:
+       return error;
+}
+
+static struct acl_object_label *
+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+             const struct acl_subject_label *subj)
+{
+       struct dentry *dentry = (struct dentry *) l_dentry;
+       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
+       struct dentry *root;
+       struct vfsmount *rootmnt;
+       struct acl_object_label *retval;
+
+       read_lock(&child_reaper->fs->lock);
+       rootmnt = mntget(child_reaper->fs->rootmnt);
+       root = dget(child_reaper->fs->root);
+       read_unlock(&child_reaper->fs->lock);
+       spin_lock(&dcache_lock);
+
+       for (;;) {
+               if (unlikely(dentry == root && mnt == rootmnt))
+                       break;
+               if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
+                       if (mnt->mnt_parent == mnt)
+                               break;
+
+                       read_lock(&gr_inode_lock);
+                       retval =
+                           lookup_acl_obj_label(dentry->d_inode->i_ino,
+                                                dentry->d_inode->i_dev, subj);
+                       read_unlock(&gr_inode_lock);
+                       if (unlikely(retval != NULL))
+                               goto out;
+
+                       dentry = mnt->mnt_mountpoint;
+                       mnt = mnt->mnt_parent;
+                       continue;
+               }
+
+               read_lock(&gr_inode_lock);
+               retval =
+                   lookup_acl_obj_label(dentry->d_inode->i_ino,
+                                        dentry->d_inode->i_dev, subj);
+               read_unlock(&gr_inode_lock);
+               if (unlikely(retval != NULL))
+                       goto out;
+
+               dentry = dentry->d_parent;
+       }
+
+       read_lock(&gr_inode_lock);
+       retval =
+           lookup_acl_obj_label(dentry->d_inode->i_ino, dentry->d_inode->i_dev,
+                                subj);
+       read_unlock(&gr_inode_lock);
+
+       if (unlikely(retval == NULL)) {
+               read_lock(&gr_inode_lock);
+               retval =
+                   lookup_acl_obj_label(root->d_inode->i_ino,
+                                        root->d_inode->i_dev, subj);
+               read_unlock(&gr_inode_lock);
+       }
+      out:
+       spin_unlock(&dcache_lock);
+       dput(root);
+       mntput(rootmnt);
+
+       return retval;
+}
+
+static struct acl_subject_label *
+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+              const struct acl_role_label *role)
+{
+       struct dentry *dentry = (struct dentry *) l_dentry;
+       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
+       struct dentry *root;
+       struct vfsmount *rootmnt;
+       struct acl_subject_label *retval;
+
+       read_lock(&child_reaper->fs->lock);
+       rootmnt = mntget(child_reaper->fs->rootmnt);
+       root = dget(child_reaper->fs->root);
+       read_unlock(&child_reaper->fs->lock);
+       spin_lock(&dcache_lock);
+
+       for (;;) {
+               if (unlikely(dentry == root && mnt == rootmnt))
+                       break;
+               if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
+                       if (mnt->mnt_parent == mnt)
+                               break;
+
+                       read_lock(&gr_inode_lock);
+                       retval =
+                           lookup_acl_subj_label(dentry->d_inode->i_ino,
+                                                 dentry->d_inode->i_dev, role);
+                       read_unlock(&gr_inode_lock);
+                       if (unlikely(retval != NULL))
+                               goto out;
+
+                       dentry = mnt->mnt_mountpoint;
+                       mnt = mnt->mnt_parent;
+                       continue;
+               }
+
+               read_lock(&gr_inode_lock);
+               retval =
+                   lookup_acl_subj_label(dentry->d_inode->i_ino,
+                                         dentry->d_inode->i_dev, role);
+               read_unlock(&gr_inode_lock);
+               if (unlikely(retval != NULL))
+                       goto out;
+
+               dentry = dentry->d_parent;
+       }
+
+       read_lock(&gr_inode_lock);
+       retval =
+           lookup_acl_subj_label(dentry->d_inode->i_ino,
+                                 dentry->d_inode->i_dev, role);
+       read_unlock(&gr_inode_lock);
+
+       if (unlikely(retval == NULL)) {
+               read_lock(&gr_inode_lock);
+               retval =
+                   lookup_acl_subj_label(root->d_inode->i_ino,
+                                         root->d_inode->i_dev, role);
+               read_unlock(&gr_inode_lock);
+       }
+      out:
+       spin_unlock(&dcache_lock);
+       dput(root);
+       mntput(rootmnt);
+
+       return retval;
+}
+
+static __inline__ void
+gr_log_learn(const struct acl_role_label *role, const uid_t uid, const gid_t gid,
+            const struct task_struct *task, const char *pathname,
+            const __u32 mode)
+{
+       security_learn(GR_LEARN_AUDIT_MSG, role->rolename, role->roletype,
+                      uid, gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
+                      task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
+                      1, 1, pathname, (unsigned long) mode, NIPQUAD(task->curr_ip));
+
+       return;
+}
+
+__u32
+gr_check_link(const struct dentry * new_dentry,
+             const struct dentry * parent_dentry,
+             const struct vfsmount * parent_mnt,
+             const struct dentry * old_dentry, const struct vfsmount * old_mnt)
+{
+       struct acl_object_label *obj;
+       __u32 oldmode, newmode;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return (GR_WRITE | GR_CREATE);
+
+       obj = chk_obj_label(old_dentry, old_mnt, current->acl);
+       oldmode = obj->mode;
+
+       if (current->acl->mode & GR_LEARN)
+               oldmode |= (GR_WRITE | GR_CREATE);
+       newmode =
+           gr_check_create(new_dentry, parent_dentry, parent_mnt,
+                           oldmode | GR_CREATE | GR_AUDIT_CREATE |
+                           GR_AUDIT_WRITE | GR_SUPPRESS);
+
+       if ((newmode & oldmode) == oldmode)
+               return newmode;
+       else if (current->acl->mode & GR_LEARN) {
+               gr_log_learn(current->role, current->uid, current->gid,
+                       current, gr_to_filename(old_dentry, old_mnt), oldmode);
+               return (GR_WRITE | GR_CREATE);
+       } else if (newmode & GR_SUPPRESS)
+               return GR_SUPPRESS;
+       else
+               return 0;
+}
+
+__u32
+gr_search_file(const struct dentry * dentry, const __u32 mode,
+              const struct vfsmount * mnt)
+{
+       __u32 retval = mode;
+       struct acl_subject_label *curracl;
+       struct acl_object_label *currobj;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return (mode & ~GR_AUDITS);
+
+       curracl = current->acl;
+
+       currobj = chk_obj_label(dentry, mnt, curracl);
+       retval = currobj->mode & mode;
+
+       if (unlikely
+           ((curracl->mode & GR_LEARN) && (mode != GR_PTRACERD)
+            && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
+               __u32 new_mode = mode;
+
+               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
+
+               retval = new_mode;
+
+               if (!(mode & GR_NOLEARN))
+                       gr_log_learn(current->role, current->uid, current->gid,
+                                    current, gr_to_filename(dentry, mnt), new_mode);
+       }
+
+       return retval;
+}
+
+__u32
+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
+               const struct vfsmount * mnt, const __u32 mode)
+{
+       struct name_entry *match;
+       struct acl_object_label *matchpo;
+       struct acl_subject_label *curracl;
+       __u32 retval;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return (mode & ~GR_AUDITS);
+
+       match = lookup_name_entry(gr_to_filename(new_dentry, mnt));
+
+       if (!match)
+               goto check_parent;
+
+       curracl = current->acl;
+
+       read_lock(&gr_inode_lock);
+       matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
+       read_unlock(&gr_inode_lock);
+
+       if (matchpo) {
+               if ((matchpo->mode & mode) !=
+                   (mode & ~(GR_AUDITS | GR_SUPPRESS))
+                   && curracl->mode & GR_LEARN) {
+                       __u32 new_mode = mode;
+
+                       new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
+
+                       gr_log_learn(current->role, current->uid, current->gid,
+                                    current, gr_to_filename(new_dentry, mnt), new_mode);
+
+                       return new_mode;
+               }
+               return (matchpo->mode & mode);
+       }
+
+      check_parent:
+       curracl = current->acl;
+
+       matchpo = chk_obj_label(parent, mnt, curracl);
+       retval = matchpo->mode & mode;
+
+       if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
+           && (curracl->mode & GR_LEARN)) {
+               __u32 new_mode = mode;
+
+               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
+
+               gr_log_learn(current->role, current->uid, current->gid, 
+                            current, gr_to_filename(new_dentry, mnt), new_mode);
+               return new_mode;
+       }
+
+       return retval;
+}
+
+int
+gr_check_hidden_task(const struct task_struct *task)
+{
+       if (unlikely(!(gr_status & GR_READY)))
+               return 0;
+
+       if (!(task->acl->mode & GR_FIND) && !(current->acl->mode & GR_VIEW))
+               return 1;
+
+       return 0;
+}
+
+int
+gr_check_protected_task(const struct task_struct *task)
+{
+       if (unlikely(!(gr_status & GR_READY) || !task))
+               return 0;
+
+       if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL))
+               return 1;
+
+       return 0;
+}
+
+__inline__ void
+gr_copy_label(struct task_struct *tsk)
+{
+       tsk->used_accept = 0;
+       tsk->used_connect = 0;
+       tsk->acl_sp_role = 0;
+       tsk->acl_role_id = current->acl_role_id;
+       tsk->acl = current->acl;
+       tsk->role = current->role;
+       tsk->curr_ip = current->curr_ip;
+       if (current->exec_file)
+               get_file(current->exec_file);
+       tsk->exec_file = current->exec_file;
+       tsk->is_writable = current->is_writable;
+       if (unlikely(current->used_accept))
+               current->curr_ip = 0;
+
+       return;
+}
+
+static __inline__ void
+gr_set_proc_res(void)
+{
+       struct acl_subject_label *proc;
+       unsigned short i;
+
+       proc = current->acl;
+
+       if (proc->mode & GR_LEARN)
+               return;
+
+       for (i = 0; i < RLIM_NLIMITS; i++) {
+               if (!(proc->resmask & (1 << i)))
+                       continue;
+
+               current->rlim[i].rlim_cur = proc->res[i].rlim_cur;
+               current->rlim[i].rlim_max = proc->res[i].rlim_max;
+       }
+
+       return;
+}
+
+static __inline__ void
+do_set_role_label(struct task_struct *task, const uid_t uid, const gid_t gid)
+{
+       task->role = lookup_acl_role_label(task, uid, gid);
+
+       return;
+}
+
+void
+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
+{
+       struct acl_object_label *obj;
+       struct file *filp;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return;
+
+       filp = task->exec_file;
+
+       /* kernel process, we'll give them the kernel role */
+       if (unlikely(!filp)) {
+               task->role = kernel_role;
+               task->acl = kernel_role->root_label;
+               return;
+       } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
+               do_set_role_label(task, uid, gid);
+
+       task->acl =
+           chk_subj_label(filp->f_dentry, filp->f_vfsmnt, task->role);
+
+       task->is_writable = 0;
+
+       /* ignore additional mmap checks for processes that are writable 
+          by the default ACL */
+       obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
+       if (unlikely(obj->mode & GR_WRITE))
+               task->is_writable = 1;
+       obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
+       if (unlikely(obj->mode & GR_WRITE))
+               task->is_writable = 1;
+
+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
+       printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
+#endif
+
+       gr_set_proc_res();
+
+       return;
+}
+
+void
+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       struct acl_subject_label *newacl;
+       struct acl_object_label *obj;
+       __u32 retmode;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return;
+
+       newacl = chk_subj_label(dentry, mnt, current->role);
+
+       obj = chk_obj_label(dentry, mnt, current->acl);
+       retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
+
+       if ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT)) {
+               if (obj->nested)
+                       current->acl = obj->nested;
+               else
+                       current->acl = newacl;
+       } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
+               security_audit(GR_INHERIT_ACL_MSG, current->acl->filename,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+
+       current->is_writable = 0;
+
+       /* ignore additional mmap checks for processes that are writable 
+          by the default ACL */
+       obj = chk_obj_label(dentry, mnt, default_role->root_label);
+       if (unlikely(obj->mode & GR_WRITE))
+               current->is_writable = 1;
+       obj = chk_obj_label(dentry, mnt, current->role->root_label);
+       if (unlikely(obj->mode & GR_WRITE))
+               current->is_writable = 1;
+
+       gr_set_proc_res();
+
+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
+       printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", current->comm, current->pid, current->role->rolename, current->acl->filename);
+#endif
+       return;
+}
+
+static __inline__ void
+do_handle_delete(const ino_t ino, const kdev_t dev)
+{
+       struct acl_object_label *matchpo;
+       struct acl_subject_label *matchps;
+       struct acl_subject_label *i;
+       struct acl_role_label *role;
+
+       for (role = role_list_head; role; role = role->next) {
+               for (i = role->proc_subject; i; i = i->next) {
+                       if (unlikely(i->parent_subject &&
+                                    (i->inode == ino) &&
+                                    (i->device == dev)))
+                               i->mode |= GR_DELETED;
+                       if (unlikely((matchpo =
+                            lookup_acl_obj_label(ino, dev, i)) != NULL))
+                               matchpo->mode |= GR_DELETED;
+               }
+
+               if (unlikely((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL))
+                       matchps->mode |= GR_DELETED;
+       }
+
+       return;
+}
+
+void
+gr_handle_delete(const ino_t ino, const kdev_t dev)
+{
+       if (unlikely(!(gr_status & GR_READY)))
+               return;
+
+       write_lock(&gr_inode_lock);
+       if (unlikely((unsigned long)lookup_inodev_entry(ino, dev)))
+               do_handle_delete(ino, dev);
+       write_unlock(&gr_inode_lock);
+
+       return;
+}
+
+static __inline__ void
+update_acl_obj_label(const ino_t oldinode, const kdev_t olddevice,
+                    const ino_t newinode, const kdev_t newdevice,
+                    struct acl_subject_label *subj)
+{
+       unsigned long index = fhash(oldinode, olddevice, subj->obj_hash_size);
+       struct acl_object_label **match;
+       struct acl_object_label *tmp;
+       __u8 i = 0;
+
+       match = &subj->obj_hash[index];
+
+       while (*match && ((*match)->inode != oldinode ||
+              (*match)->device != olddevice ||
+              !((*match)->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % subj->obj_hash_size;
+               match = &subj->obj_hash[index];
+               i = (i + 1) % 32;
+       }
+
+       if (*match && ((*match) != deleted_object)
+           && ((*match)->inode == oldinode)
+           && ((*match)->device == olddevice)
+           && ((*match)->mode & GR_DELETED)) {
+               tmp = *match;
+               tmp->inode = newinode;
+               tmp->device = newdevice;
+               tmp->mode &= ~GR_DELETED;
+
+               *match = deleted_object;
+
+               insert_acl_obj_label(tmp, subj);
+       }
+
+       return;
+}
+
+static __inline__ void
+update_acl_subj_label(const ino_t oldinode, const kdev_t olddevice,
+                     const ino_t newinode, const kdev_t newdevice,
+                     struct acl_role_label *role)
+{
+       struct acl_subject_label **s_hash = role->subj_hash;
+       unsigned long subj_size = role->subj_hash_size;
+       unsigned long index = fhash(oldinode, olddevice, subj_size);
+       struct acl_subject_label **match;
+       struct acl_subject_label *tmp;
+       __u8 i = 0;
+
+       match = &s_hash[index];
+
+       while (*match && ((*match)->inode != oldinode ||
+              (*match)->device != olddevice ||
+              !((*match)->mode & GR_DELETED))) {
+               index = (index + (1 << i)) % subj_size;
+               i = (i + 1) % 32;
+               match = &s_hash[index];
+       }
+
+       if (*match && (*match != deleted_subject)
+           && ((*match)->inode == oldinode)
+           && ((*match)->device == olddevice)
+           && ((*match)->mode & GR_DELETED)) {
+               tmp = *match;
+
+               tmp->inode = newinode;
+               tmp->device = newdevice;
+               tmp->mode &= ~GR_DELETED;
+
+               *match = deleted_subject;
+
+               insert_acl_subj_label(tmp, role);
+       }
+
+       return;
+}
+
+static __inline__ void
+update_inodev_entry(const ino_t oldinode, const kdev_t olddevice,
+                   const ino_t newinode, const kdev_t newdevice)
+{
+       unsigned long index = fhash(oldinode, olddevice, inodev_set.n_size);
+       struct name_entry **match;
+       struct name_entry *tmp;
+       __u8 i = 0;
+
+       match = &inodev_set.n_hash[index];
+
+       while (*match
+              && ((*match)->inode != oldinode
+                  || (*match)->device != olddevice)) {
+               index = (index + (1 << i)) % inodev_set.n_size;
+               i = (i + 1) % 32;
+               match = &inodev_set.n_hash[index];
+       }
+
+       if (*match && (*match != deleted_inodev)
+           && ((*match)->inode == oldinode)
+           && ((*match)->device == olddevice)) {
+               tmp = *match;
+
+               tmp->inode = newinode;
+               tmp->device = newdevice;
+
+               *match = deleted_inodev;
+
+               insert_inodev_entry(tmp);
+       }
+
+       return;
+}
+
+static __inline__ void
+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
+                const struct vfsmount *mnt)
+{
+       struct acl_subject_label *i;
+       struct acl_role_label *role;
+
+       for (role = role_list_head; role; role = role->next) {
+               update_acl_subj_label(matchn->inode, matchn->device,
+                                     dentry->d_inode->i_ino,
+                                     dentry->d_inode->i_dev, role);
+
+               for (i = role->proc_subject; i; i = i->next) {
+                       if (unlikely(i->parent_subject &&
+                                    (i->inode == dentry->d_inode->i_ino) &&
+                                    (i->device == dentry->d_inode->i_dev))) {
+                               i->inode = dentry->d_inode->i_ino;
+                               i->device = dentry->d_inode->i_dev;
+                       }
+                       update_acl_obj_label(matchn->inode, matchn->device,
+                                            dentry->d_inode->i_ino,
+                                            dentry->d_inode->i_dev, i);
+               }
+       }
+
+       update_inodev_entry(matchn->inode, matchn->device,
+                           dentry->d_inode->i_ino, dentry->d_inode->i_dev);
+
+       return;
+}
+
+void
+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       struct name_entry *matchn;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return;
+
+       matchn = lookup_name_entry(gr_to_filename(dentry, mnt));
+
+       if (unlikely((unsigned long)matchn)) {
+               write_lock(&gr_inode_lock);
+               do_handle_create(matchn, dentry, mnt);
+               write_unlock(&gr_inode_lock);
+       }
+
+       return;
+}
+
+int
+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
+                struct dentry *old_dentry,
+                struct dentry *new_dentry,
+                struct vfsmount *mnt, const __u8 replace)
+{
+       struct name_entry *matchn;
+       int error = 0;
+
+       matchn = lookup_name_entry(gr_to_filename(new_dentry, mnt));
+
+       lock_kernel();
+       error = vfs_rename(old_dir, old_dentry, new_dir, new_dentry);
+       unlock_kernel();
+
+       if (unlikely(error))
+               return error;
+
+       /* we wouldn't have to check d_inode if it weren't for
+          NFS silly-renaming
+        */
+
+       write_lock(&gr_inode_lock);
+       if (unlikely(replace && new_dentry->d_inode)) {
+               if (unlikely(lookup_inodev_entry(new_dentry->d_inode->i_ino,
+                                       new_dentry->d_inode->i_dev) &&
+                   (old_dentry->d_inode->i_nlink <= 1)))
+                       do_handle_delete(new_dentry->d_inode->i_ino,
+                                        new_dentry->d_inode->i_dev);
+       }
+
+       if (unlikely(lookup_inodev_entry(old_dentry->d_inode->i_ino,
+                               old_dentry->d_inode->i_dev) &&
+           (old_dentry->d_inode->i_nlink <= 1)))
+               do_handle_delete(old_dentry->d_inode->i_ino,
+                                old_dentry->d_inode->i_dev);
+
+       if (unlikely((unsigned long)matchn))
+               do_handle_create(matchn, old_dentry, mnt);
+       write_unlock(&gr_inode_lock);
+
+       return error;
+}
+
+static int
+lookup_special_role_auth(const char *rolename, unsigned char **salt,
+                        unsigned char **sum)
+{
+       struct acl_role_label *r;
+       struct role_transition *trans;
+       __u16 i;
+       int found = 0;
+
+       /* check transition table */
+
+       for (trans = current->role->transitions; trans; trans = trans->next) {
+               if (!strcmp(rolename, trans->rolename)) {
+                       found = 1;
+                       break;
+               }
+       }
+
+       if (!found)
+               return 0;
+
+       /* handle special roles that do not require authentication */
+
+       for (r = role_list_head; r; r = r->next) {
+               if (!strcmp(rolename, r->rolename)
+                   && (r->roletype & GR_ROLE_NOPW)) {
+                       *salt = NULL;
+                       *sum = NULL;
+                       return 1;
+               }
+       }
+
+       for (i = 0; i < num_sprole_pws; i++) {
+               if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
+                       *salt = acl_special_roles[i]->salt;
+                       *sum = acl_special_roles[i]->sum;
+                       return 1;
+               }
+       }
+
+       return 0;
+}
+
+static void
+assign_special_role(char *rolename)
+{
+       struct acl_object_label *obj;
+       struct acl_role_label *r;
+       struct acl_role_label *assigned = NULL;
+       struct task_struct *tsk;
+       struct file *filp;
+
+       for (r = role_list_head; r; r = r->next)
+               if (!strcmp(rolename, r->rolename) &&
+                   (r->roletype & GR_ROLE_SPECIAL))
+                       assigned = r;
+
+       if (!assigned)
+               return;
+
+       tsk = current->p_pptr;
+       filp = tsk->exec_file;
+
+       if (tsk && filp) {
+               tsk->is_writable = 0;
+
+               acl_sp_role_value = (acl_sp_role_value % 65535) + 1;
+               tsk->acl_sp_role = 1;
+               tsk->acl_role_id = acl_sp_role_value;
+               tsk->role = assigned;
+               tsk->acl =
+                   chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
+
+               /* ignore additional mmap checks for processes that are writable 
+                  by the default ACL */
+               obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
+               if (unlikely(obj->mode & GR_WRITE))
+                       tsk->is_writable = 1;
+               obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
+               if (unlikely(obj->mode & GR_WRITE))
+                       tsk->is_writable = 1;
+
+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
+               printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
+#endif
+       }
+
+       return;
+}
+
+ssize_t
+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
+{
+       struct gr_arg *arg;
+       unsigned char *sprole_salt;
+       unsigned char *sprole_sum;
+       int error = sizeof (struct gr_arg);
+       int error2 = 0;
+
+       down(&gr_dev_sem);
+
+       arg = (struct gr_arg *) buf;
+
+       if (count != sizeof (struct gr_arg)) {
+               security_alert_good(GR_DEV_ACL_MSG, count,
+                                   (int) sizeof (struct gr_arg));
+               error = -EINVAL;
+               goto out;
+       }
+
+       if ((gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
+           && time_before_eq(gr_auth_expires, jiffies)) {
+               gr_auth_expires = 0;
+               gr_auth_attempts = 0;
+       }
+
+       if (copy_from_user(gr_usermode, arg, sizeof (struct gr_arg))) {
+               error = -EFAULT;
+               goto out;
+       }
+
+       if (gr_usermode->mode != SPROLE && time_after(gr_auth_expires, jiffies)) {
+               error = -EBUSY;
+               goto out;
+       }
+
+       /* if non-root trying to do anything other than use a special role,
+          do not attempt authentication, do not count towards authentication
+          locking
+        */
+
+       if (gr_usermode->mode != SPROLE && current->uid) {
+               error = -EPERM;
+               goto out;
+       }
+
+       /* ensure pw and special role name are null terminated */
+
+       gr_usermode->pw[GR_PW_LEN - 1] = '\0';
+       gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
+
+       /* Okay. 
+        * We have our enough of the argument structure..(we have yet
+        * to copy_from_user the tables themselves) . Copy the tables
+        * only if we need them, i.e. for loading operations. */
+
+       switch (gr_usermode->mode) {
+       case STATUS:
+                       if (gr_status & GR_READY)
+                               error = 1;
+                       else
+                               error = 2;
+                       goto out;
+       case SHUTDOWN:
+               if ((gr_status & GR_READY)
+                   && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+                       gr_status &= ~GR_READY;
+                       security_alert_good(GR_SHUTS_ACL_MSG, DEFAULTSECARGS);
+                       free_variables();
+                       memset(gr_usermode, 0, sizeof (struct gr_arg));
+                       memset(gr_system_salt, 0, GR_SALT_LEN);
+                       memset(gr_system_sum, 0, GR_SHA_LEN);
+               } else if (gr_status & GR_READY) {
+                       security_alert(GR_SHUTF_ACL_MSG, DEFAULTSECARGS);
+                       error = -EPERM;
+               } else {
+                       security_alert_good(GR_SHUTI_ACL_MSG, DEFAULTSECARGS);
+                       error = -EAGAIN;
+               }
+               break;
+       case ENABLE:
+               if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
+                       security_alert_good(GR_ENABLE_ACL_MSG, GR_VERSION);
+               else {
+                       if (gr_status & GR_READY)
+                               error = -EAGAIN;
+                       else
+                               error = error2;
+                       security_alert(GR_ENABLEF_ACL_MSG, GR_VERSION,
+                                      DEFAULTSECARGS);
+               }
+               break;
+       case RELOAD:
+               if (!(gr_status & GR_READY)) {
+                       security_alert_good(GR_RELOADI_ACL_MSG);
+                       error = -EAGAIN;
+               } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+                       lock_kernel();
+                       gr_status &= ~GR_READY;
+                       free_variables();
+                       if (!(error2 = gracl_init(gr_usermode))) {
+                               unlock_kernel();
+                               security_alert_good(GR_RELOAD_ACL_MSG,
+                                                   GR_VERSION);
+                       } else {
+                               unlock_kernel();
+                               error = error2;
+                               security_alert(GR_RELOADF_ACL_MSG, GR_VERSION,
+                                              DEFAULTSECARGS);
+                       }
+               } else {
+                       security_alert(GR_RELOADF_ACL_MSG, GR_VERSION,
+                                      DEFAULTSECARGS);
+                       error = -EPERM;
+               }
+               break;
+       case SEGVMOD:
+               if (unlikely(!(gr_status & GR_READY))) {
+                       security_alert_good(GR_SEGVMODI_ACL_MSG,
+                                           DEFAULTSECARGS);
+                       error = -EAGAIN;
+                       break;
+               }
+
+               if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
+                       security_alert_good(GR_SEGVMODS_ACL_MSG,
+                                           DEFAULTSECARGS);
+                       if (gr_usermode->segv_device && gr_usermode->segv_inode) {
+                               struct acl_subject_label *segvacl;
+                               segvacl =
+                                   lookup_acl_subj_label(gr_usermode->segv_inode,
+                                                         gr_usermode->segv_device,
+                                                         current->role);
+                               if (segvacl) {
+                                       segvacl->crashes = 0;
+                                       segvacl->expires = 0;
+                               }
+                       } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
+                               gr_remove_uid(gr_usermode->segv_uid);
+                       }
+               } else {
+                       security_alert(GR_SEGVMODF_ACL_MSG, DEFAULTSECARGS);
+                       error = -EPERM;
+               }
+               break;
+       case SPROLE:
+               if (unlikely(!(gr_status & GR_READY))) {
+                       security_alert_good(GR_SPROLEI_ACL_MSG, DEFAULTSECARGS);
+                       error = -EAGAIN;
+                       break;
+               }
+
+               if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
+                   && time_before_eq(current->role->expires, jiffies)) {
+                       current->role->expires = 0;
+                       current->role->auth_attempts = 0;
+               }
+
+               if (time_after(current->role->expires, jiffies)) {
+                       error = -EBUSY;
+                       goto out;
+               }
+
+               if (lookup_special_role_auth
+                   (gr_usermode->sp_role, &sprole_salt, &sprole_sum)
+                   && ((!sprole_salt && !sprole_sum)
+                       || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
+                       assign_special_role(gr_usermode->sp_role);
+                       security_alert_good(GR_SPROLES_ACL_MSG,
+                                           (current->p_pptr) ? current->
+                                           p_pptr->role->rolename : "",
+                                           acl_sp_role_value, DEFAULTSECARGS);
+               } else {
+                       security_alert(GR_SPROLEF_ACL_MSG, gr_usermode->sp_role,
+                                      DEFAULTSECARGS);
+                       error = -EPERM;
+                       current->role->auth_attempts++;
+                       if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
+                               current->role->expires =
+                                   jiffies + CONFIG_GRKERNSEC_ACL_TIMEOUT * HZ;
+                               security_alert(GR_MAXROLEPW_ACL_MSG,
+                                      CONFIG_GRKERNSEC_ACL_MAXTRIES,
+                                      gr_usermode->sp_role, DEFAULTSECARGS);
+                       }
+
+                       goto out;
+               }
+               break;
+       case UNSPROLE:
+               if (unlikely(!(gr_status & GR_READY))) {
+                       security_alert_good(GR_UNSPROLEI_ACL_MSG, DEFAULTSECARGS);
+                       error = -EAGAIN;
+                       break;
+               }
+
+               if ((current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES)
+                   && time_before_eq(current->role->expires, jiffies)) {
+                       current->role->expires = 0;
+                       current->role->auth_attempts = 0;
+               }
+
+               if (time_after(current->role->expires, jiffies)) {
+                       error = -EBUSY;
+                       goto out;
+               }
+
+               if ((current->role->roletype & GR_ROLE_SPECIAL) && 
+                   lookup_special_role_auth
+                   (current->role->rolename, &sprole_salt, &sprole_sum)
+                   && ((!sprole_salt && !sprole_sum)
+                       || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
+                       security_alert_good(GR_UNSPROLES_ACL_MSG,
+                                           (current->p_pptr) ? current->
+                                           p_pptr->role->rolename : "",
+                                           (current->p_pptr) ? current->
+                                           p_pptr->acl_role_id : 0, DEFAULTSECARGS);
+                       gr_set_acls(1);
+                       if (current->p_pptr)
+                               current->p_pptr->acl_sp_role = 0;
+               } else {
+                       security_alert(GR_UNSPROLEF_ACL_MSG, gr_usermode->sp_role,
+                                      DEFAULTSECARGS);
+                       error = -EPERM;
+                       current->role->auth_attempts++;
+                       if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
+                               current->role->expires =
+                                   jiffies + CONFIG_GRKERNSEC_ACL_TIMEOUT * HZ;
+                               security_alert(GR_MAXROLEPW_ACL_MSG,
+                                      CONFIG_GRKERNSEC_ACL_MAXTRIES,
+                                      current->role->rolename, DEFAULTSECARGS);
+                       }
+
+                       goto out;
+               }
+               break;
+       default:
+               security_alert(GR_INVMODE_ACL_MSG, gr_usermode->mode,
+                              DEFAULTSECARGS);
+               error = -EINVAL;
+               break;
+       }
+
+       if (error != -EPERM)
+               goto out;
+
+       gr_auth_attempts++;
+
+       if (gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES) {
+               security_alert(GR_MAXPW_ACL_MSG, CONFIG_GRKERNSEC_ACL_MAXTRIES);
+               gr_auth_expires = jiffies + CONFIG_GRKERNSEC_ACL_TIMEOUT * HZ;
+       }
+
+      out:
+       up(&gr_dev_sem);
+       return error;
+}
+
+int
+gr_set_acls(const int type)
+{
+       struct acl_object_label *obj;
+       struct task_struct *task;
+       struct file *filp;
+       unsigned short i;
+
+       read_lock(&tasklist_lock);
+       for_each_task(task) {
+               /* check to see if we're called from the exit handler,
+                  if so, only replace ACLs that have inherited the admin
+                  ACL */
+
+               if (type && (task->role != current->role ||
+                            task->acl_role_id != current->acl_role_id))
+                       continue;
+
+               task->acl_role_id = 0;
+
+               if ((filp = task->exec_file)) {
+                       do_set_role_label(task, task->uid, task->gid);
+
+                       task->acl =
+                           chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
+                                          task->role);
+                       if (task->acl) {
+                               struct acl_subject_label *curr;
+                               curr = task->acl;
+
+                               task->is_writable = 0;
+                               /* ignore additional mmap checks for processes that are writable 
+                                  by the default ACL */
+                               obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
+                               if (unlikely(obj->mode & GR_WRITE))
+                                       task->is_writable = 1;
+                               obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
+                               if (unlikely(obj->mode & GR_WRITE))
+                                       task->is_writable = 1;
+
+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
+                               printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
+#endif
+                               if (!(curr->mode & GR_LEARN))
+                                       for (i = 0; i < RLIM_NLIMITS; i++) {
+                                               if (!(curr->resmask & (1 << i)))
+                                                       continue;
+
+                                               task->rlim[i].rlim_cur =
+                                                   curr->res[i].rlim_cur;
+                                               task->rlim[i].rlim_max =
+                                                   curr->res[i].rlim_max;
+                                       }
+                       } else {
+                               read_unlock(&tasklist_lock);
+                               security_alert_good(GR_DEFACL_MSG, task->comm,
+                                                   task->pid);
+                               return 1;
+                       }
+               } else {
+                       // it's a kernel process
+                       task->role = kernel_role;
+                       task->acl = kernel_role->root_label;
+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
+                       task->acl->mode &= ~GR_FIND;
+#endif
+               }
+       }
+       read_unlock(&tasklist_lock);
+       return 0;
+}
+
+void
+gr_learn_resource(const struct task_struct *task,
+                 const int res, const unsigned long wanted)
+{
+       struct acl_subject_label *acl;
+
+       if (unlikely((gr_status & GR_READY) &&
+                    task->acl && (task->acl->mode & GR_LEARN)))
+               goto skip_reslog;
+
+#ifdef CONFIG_GRKERNSEC_RESLOG
+       gr_log_resource(task, res, wanted);
+#endif
+      skip_reslog:
+
+       if (unlikely(!(gr_status & GR_READY) || !wanted))
+               return;
+
+       acl = task->acl;
+
+       if (likely(!acl || !(acl->mode & GR_LEARN) ||
+                  !(acl->resmask & (1 << (unsigned short) res))))
+               return;
+
+       if (wanted >= acl->res[res].rlim_cur) {
+               unsigned long res_add;
+
+               res_add = wanted;
+               switch (res) {
+               case RLIMIT_CPU:
+                       res_add += GR_RLIM_CPU_BUMP;
+                       break;
+               case RLIMIT_FSIZE:
+                       res_add += GR_RLIM_FSIZE_BUMP;
+                       break;
+               case RLIMIT_DATA:
+                       res_add += GR_RLIM_DATA_BUMP;
+                       break;
+               case RLIMIT_STACK:
+                       res_add += GR_RLIM_STACK_BUMP;
+                       break;
+               case RLIMIT_CORE:
+                       res_add += GR_RLIM_CORE_BUMP;
+                       break;
+               case RLIMIT_RSS:
+                       res_add += GR_RLIM_RSS_BUMP;
+                       break;
+               case RLIMIT_NPROC:
+                       res_add += GR_RLIM_NPROC_BUMP;
+                       break;
+               case RLIMIT_NOFILE:
+                       res_add += GR_RLIM_NOFILE_BUMP;
+                       break;
+               case RLIMIT_MEMLOCK:
+                       res_add += GR_RLIM_MEMLOCK_BUMP;
+                       break;
+               case RLIMIT_AS:
+                       res_add += GR_RLIM_AS_BUMP;
+                       break;
+               case RLIMIT_LOCKS:
+                       res_add += GR_RLIM_LOCKS_BUMP;
+                       break;
+               }
+
+               acl->res[res].rlim_cur = res_add;
+
+               if (wanted > acl->res[res].rlim_max)
+                       acl->res[res].rlim_max = res_add;
+
+               security_learn(GR_LEARN_AUDIT_MSG, current->role->rolename,
+                              current->role->roletype, acl->filename,
+                              acl->res[res].rlim_cur, acl->res[res].rlim_max,
+                              "", (unsigned long) res);
+       }
+
+       return;
+}
+
+#ifdef CONFIG_SYSCTL
+extern struct proc_dir_entry *proc_sys_root;
+
+__u32
+gr_handle_sysctl(const struct ctl_table *table, const void *oldval,
+                const void *newval)
+{
+       struct proc_dir_entry *tmp;
+       struct nameidata nd;
+       const char *proc_sys = "/proc/sys";
+       char *path = gr_shared_page[0][smp_processor_id()];
+       struct acl_object_label *obj;
+       unsigned short len = 0, pos = 0, depth = 0, i;
+       __u32 err = 0;
+       __u32 mode = 0;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return 1;
+
+       if (oldval)
+               mode |= GR_READ;
+       if (newval)
+               mode |= GR_WRITE;
+
+       /* convert the requested sysctl entry into a pathname */
+
+       for (tmp = table->de; tmp != proc_sys_root; tmp = tmp->parent) {
+               len += strlen(tmp->name);
+               len++;
+               depth++;
+       }
+
+       if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE)
+               return 0;       // deny
+
+       memset(path, 0, PAGE_SIZE);
+
+       memcpy(path, proc_sys, strlen(proc_sys));
+
+       pos += strlen(proc_sys);
+
+       for (; depth > 0; depth--) {
+               path[pos] = '/';
+               pos++;
+               for (i = 1, tmp = table->de; tmp != proc_sys_root;
+                    tmp = tmp->parent) {
+                       if (depth == i) {
+                               memcpy(path + pos, tmp->name,
+                                      strlen(tmp->name));
+                               pos += strlen(tmp->name);
+                       }
+                       i++;
+               }
+       }
+
+       if (path_init(path, LOOKUP_FOLLOW, &nd))
+               err = path_walk(path, &nd);
+
+       if (err)
+               goto out;
+
+       obj = chk_obj_label(nd.dentry, nd.mnt, current->acl);
+       err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
+
+       if (unlikely((current->acl->mode & GR_LEARN) && ((err & mode) != mode))) {
+               __u32 new_mode = mode;
+
+               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
+
+               err = new_mode;
+               gr_log_learn(current->role, current->uid, current->gid,
+                            current, path, new_mode);
+       } else if ((err & mode) != mode && !(err & GR_SUPPRESS)) {
+               security_alert(GR_SYSCTL_ACL_MSG, "denied", path,
+                              (mode & GR_READ) ? " reading" : "",
+                              (mode & GR_WRITE) ? " writing" : "",
+                              DEFAULTSECARGS);
+               err = 0;
+       } else if ((err & mode) != mode) {
+               err = 0;
+       } else if (((err & mode) == mode) && (err & GR_AUDITS)) {
+               security_audit(GR_SYSCTL_ACL_MSG, "successful",
+                              path, (mode & GR_READ) ? " reading" : "",
+                              (mode & GR_WRITE) ? " writing" : "",
+                              DEFAULTSECARGS);
+       }
+
+       path_release(&nd);
+
+      out:
+       return err;
+}
+#endif
+
+int
+gr_handle_ptrace(struct task_struct *task, const long request)
+{
+       struct file *filp;
+       __u32 retmode;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return 0;
+
+       filp = task->exec_file;
+
+       if (unlikely(!filp))
+               return 0;
+
+       retmode = gr_search_file(filp->f_dentry, GR_PTRACERD, filp->f_vfsmnt);
+
+       if (retmode & GR_PTRACERD) {
+               switch (request) {
+               case PTRACE_POKETEXT:
+               case PTRACE_POKEDATA:
+               case PTRACE_POKEUSR:
+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA)
+               case PTRACE_SETREGS:
+               case PTRACE_SETFPREGS:
+#endif
+#ifdef CONFIG_X86
+               case PTRACE_SETFPXREGS:
+#endif
+#ifdef CONFIG_ALTIVEC
+               case PTRACE_SETVRREGS:
+#endif
+                       return 1;
+               default:
+                       return 0;
+               }
+       } else if (!(current->acl->mode & GR_OVERRIDE) &&
+                  !(current->role->roletype & GR_ROLE_GOD)
+                  && (current->acl != task->acl
+                      || (current->acl != current->role->root_label
+                          && current->pid != task->pid))) {
+               security_alert(GR_PTRACE_ACL_MSG,
+                              gr_to_filename(filp->f_dentry, filp->f_vfsmnt),
+                              task->comm, task->pid, DEFAULTSECARGS);
+               return 1;
+       }
+
+       return 0;
+}
+
+int
+gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       __u32 retmode;
+       struct acl_subject_label *subj;
+
+       if (unlikely(!(gr_status & GR_READY)))
+               return 0;
+
+       if (unlikely
+           ((current->ptrace & PT_PTRACED)
+            && !(current->acl->mode & GR_OVERRIDE)))
+               retmode = gr_search_file(dentry, GR_PTRACERD, mnt);
+       else
+               return 0;
+
+       subj = chk_subj_label(dentry, mnt, current->role);
+
+       if (!(retmode & GR_PTRACERD) &&
+           !(current->role->roletype & GR_ROLE_GOD) &&
+           (current->acl != subj)) {
+               security_alert(GR_PTRACE_EXEC_ACL_MSG,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return 1;
+       }
+
+       return 0;
+}
+
+int
+gr_handle_mmap(const struct file *filp, const unsigned long prot)
+{
+       struct acl_object_label *obj, *obj2;
+
+       if (unlikely(!(gr_status & GR_READY) ||
+                    (current->acl->mode & GR_OVERRIDE) || !filp ||
+                    !(prot & PROT_EXEC)))
+               return 0;
+
+       if (unlikely(current->is_writable))
+               return 0;
+
+       obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
+       obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
+                            current->role->root_label);
+       if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
+               security_alert(GR_WRITLIB_ACL_MSG,
+                              gr_to_filename(filp->f_dentry, filp->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 1;
+       }
+
+       return 0;
+}
+
+int
+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
+{
+       __u32 mode;
+
+       if (unlikely(!file || !(prot & PROT_EXEC)))
+               return 1;
+
+       mode =
+           gr_search_file(file->f_dentry,
+                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
+                          file->f_vfsmnt);
+
+       if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) {
+               security_alert(GR_MMAP_ACL_MSG, "denied",
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) {
+               return 0;
+       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
+               security_audit(GR_MMAP_ACL_MSG, "successful",
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 1;
+       }
+
+       return 1;
+}
+
+int
+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
+{
+       __u32 mode;
+
+       if (unlikely(!file || !(prot & PROT_EXEC)))
+               return 1;
+
+       mode =
+           gr_search_file(file->f_dentry,
+                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
+                          file->f_vfsmnt);
+
+       if (unlikely(!gr_tpe_allow(file) || (!(mode & GR_EXEC) && !(mode & GR_SUPPRESS)))) {
+               security_alert(GR_MPROTECT_ACL_MSG, "denied",
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely(!gr_tpe_allow(file) || !(mode & GR_EXEC))) {
+               return 0;
+       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
+               security_audit(GR_MPROTECT_ACL_MSG, "successful",
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 1;
+       }
+
+       return 1;
+}
+
+void
+gr_acl_handle_psacct(struct task_struct *task, const long code)
+{
+       unsigned long runtime;
+       unsigned long cputime;
+       unsigned int wday, cday;
+       __u8 whr, chr;
+       __u8 wmin, cmin;
+       __u8 wsec, csec;
+       char cur_tty[64] = { 0 };
+       char parent_tty[64] = { 0 };
+
+       if (unlikely(!(gr_status & GR_READY) || !task->acl ||
+                    !(task->acl->mode & GR_PROCACCT)))
+               return;
+
+       runtime = (jiffies - task->start_time) / HZ;
+       wday = runtime / (3600 * 24);
+       runtime -= wday * (3600 * 24);
+       whr = runtime / 3600;
+       runtime -= whr * 3600;
+       wmin = runtime / 60;
+       runtime -= wmin * 60;
+       wsec = runtime;
+
+       cputime = (task->times.tms_utime + task->times.tms_stime) / HZ;
+       cday = cputime / (3600 * 24);
+       cputime -= cday * (3600 * 24);
+       chr = cputime / 3600;
+       cputime -= chr * 3600;
+       cmin = cputime / 60;
+       cputime -= cmin * 60;
+       csec = cputime;
+
+       security_audit(GR_ACL_PROCACCT_MSG, gr_task_fullpath(task), task->comm,
+                      task->pid, NIPQUAD(task->curr_ip), tty_name(task->tty,
+                                                                  cur_tty),
+                      task->uid, task->euid, task->gid, task->egid, wday, whr,
+                      wmin, wsec, cday, chr, cmin, csec,
+                      (task->
+                       flags & PF_SIGNALED) ? "killed by signal" : "exited",
+                      code, gr_parent_task_fullpath(task), 
+                      task->p_pptr->comm, task->p_pptr->pid,
+                      NIPQUAD(task->p_pptr->curr_ip),
+                      tty_name(task->p_pptr->tty, parent_tty),
+                      task->p_pptr->uid, task->p_pptr->euid, task->p_pptr->gid,
+                      task->p_pptr->egid);
+
+       return;
+}
+
+void gr_set_kernel_label(struct task_struct *task)
+{
+       if (gr_status & GR_READY) {
+               task->role = kernel_role;
+               task->acl = kernel_role->root_label;
+       }
+       return;
+}
diff -urN linux-2.4.22/grsecurity/gracl_alloc.c linux-2.4.22/grsecurity/gracl_alloc.c
--- linux-2.4.22/grsecurity/gracl_alloc.c       1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_alloc.c       2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,94 @@
+/* stack-based acl allocation tracking (c) Brad Spengler 2002,2003 */
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+
+static unsigned long alloc_stack_next = 1;
+static unsigned long alloc_stack_size = 1;
+static void **alloc_stack;
+
+static __inline__ int
+alloc_pop(void)
+{
+       if ((alloc_stack_next - 1) == 0)
+               return 0;
+
+       if (*(alloc_stack + alloc_stack_next - 2))
+               kfree(*(alloc_stack + alloc_stack_next - 2));
+
+       alloc_stack_next--;
+
+       return 1;
+}
+
+static __inline__ void
+alloc_push(void *buf)
+{
+       if (alloc_stack_next >= alloc_stack_size)
+               BUG();
+
+       *(alloc_stack + alloc_stack_next - 1) = buf;
+
+       alloc_stack_next++;
+
+       return;
+}
+
+void *
+acl_alloc(unsigned long len)
+{
+       void *ret;
+
+       if (len > PAGE_SIZE)
+               BUG();
+
+       ret = kmalloc(len, GFP_KERNEL);
+
+       if (ret)
+               alloc_push(ret);
+
+       return ret;
+}
+
+void
+acl_free_all(void)
+{
+       if (gr_acl_is_enabled() || !alloc_stack)
+               return;
+
+       while (alloc_pop()) ;
+
+       if (alloc_stack) {
+               if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
+                       kfree(alloc_stack);
+               else
+                       vfree(alloc_stack);
+       }
+
+       alloc_stack = NULL;
+       alloc_stack_size = 1;
+       alloc_stack_next = 1;
+
+       return;
+}
+
+int
+acl_alloc_stack_init(unsigned long size)
+{
+       if ((size * sizeof (void *)) <= PAGE_SIZE)
+               alloc_stack =
+                   (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
+       else
+               alloc_stack = (void **) vmalloc(size * sizeof (void *));
+
+       alloc_stack_size = size;
+
+       if (!alloc_stack)
+               return 0;
+       else
+               return 1;
+}
diff -urN linux-2.4.22/grsecurity/gracl_cap.c linux-2.4.22/grsecurity/gracl_cap.c
--- linux-2.4.22/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_cap.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,71 @@
+/* capability handling routines, (c) Brad Spengler 2002,2003 */
+
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/capability.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+static const char *captab_log[29] = {
+       "CAP_CHOWN",
+       "CAP_DAC_OVERRIDE",
+       "CAP_DAC_READ_SEARCH",
+       "CAP_FOWNER",
+       "CAP_FSETID",
+       "CAP_KILL",
+       "CAP_SETGID",
+       "CAP_SETUID",
+       "CAP_SETPCAP",
+       "CAP_LINUX_IMMUTABLE",
+       "CAP_NET_BIND_SERVICE",
+       "CAP_NET_BROADCAST",
+       "CAP_NET_ADMIN",
+       "CAP_NET_RAW",
+       "CAP_IPC_LOCK",
+       "CAP_IPC_OWNER",
+       "CAP_SYS_MODULE",
+       "CAP_SYS_RAWIO",
+       "CAP_SYS_CHROOT",
+       "CAP_SYS_PTRACE",
+       "CAP_SYS_PACCT",
+       "CAP_SYS_ADMIN",
+       "CAP_SYS_BOOT",
+       "CAP_SYS_NICE",
+       "CAP_SYS_RESOURCE",
+       "CAP_SYS_TIME",
+       "CAP_SYS_TTY_CONFIG",
+       "CAP_MKNOD",
+       "CAP_LEASE"
+};
+
+int
+gr_is_capable(const int cap)
+{
+       struct acl_subject_label *curracl;
+
+       if (!gr_acl_is_enabled())
+               return 1;
+
+       curracl = current->acl;
+
+       if (!cap_raised(curracl->cap_lower, cap))
+               return 1;
+
+       if ((curracl->mode & GR_LEARN)
+           && cap_raised(current->cap_effective, cap)) {
+               security_learn(GR_LEARN_AUDIT_MSG, current->role->rolename,
+                              current->role->roletype, current->uid,
+                              current->gid, current->exec_file ?
+                              gr_to_filename(current->exec_file->f_dentry,
+                              current->exec_file->f_vfsmnt) : curracl->filename,
+                              curracl->filename, 0UL,
+                              0UL, "", (unsigned long) cap, NIPQUAD(current->curr_ip));
+               return 1;
+       }
+
+       if ((cap >= 0) && (cap < 29) && cap_raised(current->cap_effective, cap))
+               security_alert(GR_CAP_ACL_MSG, captab_log[cap], DEFAULTSECARGS);
+
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/gracl_fs.c linux-2.4.22/grsecurity/gracl_fs.c
--- linux-2.4.22/grsecurity/gracl_fs.c  1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_fs.c  2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,469 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+#include <linux/gracl.h>
+
+__u32
+gr_acl_handle_hidden_file(const struct dentry * dentry,
+                         const struct vfsmount * mnt)
+{
+       __u32 mode;
+
+       if (unlikely(!dentry->d_inode))
+               return GR_FIND;
+
+       mode =
+           gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
+
+       if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
+               security_audit(GR_HIDDEN_ACL_MSG, "successful",
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return mode;
+       } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
+               security_alert(GR_HIDDEN_ACL_MSG, "denied",
+                              gr_to_filename(dentry, mnt),
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely(!(mode & GR_FIND)))
+               return 0;
+
+       return GR_FIND;
+}
+
+__u32
+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
+                  const int fmode)
+{
+       __u32 reqmode = GR_FIND;
+       __u32 mode;
+
+       if (unlikely(!dentry->d_inode))
+               return reqmode;
+
+       if (unlikely(fmode & O_APPEND))
+               reqmode |= GR_APPEND;
+       else if (unlikely(fmode & FMODE_WRITE))
+               reqmode |= GR_WRITE;
+       if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
+               reqmode |= GR_READ;
+
+       mode =
+           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
+                          mnt);
+
+       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
+               security_audit(GR_OPEN_ACL_MSG, "successful",
+                              gr_to_filename(dentry, mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" :
+                              reqmode & GR_APPEND ? " appending" : "",
+                              DEFAULTSECARGS);
+               return reqmode;
+       } else
+           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
+       {
+               security_alert(GR_OPEN_ACL_MSG, "denied",
+                              gr_to_filename(dentry, mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" : reqmode &
+                              GR_APPEND ? " appending" : "", DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely((mode & reqmode) != reqmode))
+               return 0;
+
+       return reqmode;
+}
+
+__u32
+gr_acl_handle_creat(const struct dentry * dentry,
+                   const struct dentry * p_dentry,
+                   const struct vfsmount * p_mnt, const int fmode,
+                   const int imode)
+{
+       __u32 reqmode = GR_WRITE | GR_CREATE;
+       __u32 mode;
+
+       if (unlikely(fmode & O_APPEND))
+               reqmode |= GR_APPEND;
+       if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
+               reqmode |= GR_READ;
+       if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
+               reqmode |= GR_SETID;
+
+       mode =
+           gr_check_create(dentry, p_dentry, p_mnt,
+                           reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
+
+       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
+               security_audit(GR_CREATE_ACL_MSG, "successful",
+                              gr_to_filename(dentry, p_mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" :
+                              reqmode & GR_APPEND ? " appending" : "",
+                              DEFAULTSECARGS);
+               return reqmode;
+       } else
+           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
+       {
+               security_alert(GR_CREATE_ACL_MSG, "denied",
+                              gr_to_filename(dentry, p_mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" : reqmode &
+                              GR_APPEND ? " appending" : "", DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely((mode & reqmode) != reqmode))
+               return 0;
+
+       return reqmode;
+}
+
+__u32
+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
+                    const int fmode)
+{
+       __u32 mode, reqmode = GR_FIND;
+
+       if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
+               reqmode |= GR_EXEC;
+       if (fmode & S_IWOTH)
+               reqmode |= GR_WRITE;
+       if (fmode & S_IROTH)
+               reqmode |= GR_READ;
+
+       mode =
+           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
+                          mnt);
+
+       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
+               security_audit(GR_ACCESS_ACL_MSG, "successful",
+                              gr_to_filename(dentry, mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" : "",
+                              reqmode & GR_EXEC ? " executing" : "",
+                              DEFAULTSECARGS);
+               return reqmode;
+       } else
+           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
+       {
+               security_alert(GR_ACCESS_ACL_MSG, "denied",
+                              gr_to_filename(dentry, mnt),
+                              reqmode & GR_READ ? " reading" : "",
+                              reqmode & GR_WRITE ? " writing" : "",
+                              reqmode & GR_EXEC ? " executing" : "",
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely((mode & reqmode) != reqmode))
+               return 0;
+
+       return reqmode;
+}
+
+#define generic_fs_handler(dentry, mnt, reqmode, fmt) \
+{ \
+       __u32 mode; \
+       \
+       mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt); \
+       \
+       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \
+               security_audit(fmt, "successful", \
+                               gr_to_filename(dentry, mnt), DEFAULTSECARGS); \
+               return mode; \
+       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \
+               security_alert(fmt, "denied", gr_to_filename(dentry, mnt), \
+                               DEFAULTSECARGS); \
+               return 0; \
+       } else if (unlikely((mode & (reqmode)) != (reqmode))) \
+               return 0; \
+       \
+       return (reqmode); \
+}
+
+__u32
+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
+                    mode_t mode)
+{
+       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
+               generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
+                                  GR_FCHMOD_ACL_MSG);
+       } else {
+               generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
+       }
+}
+
+__u32
+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
+                   mode_t mode)
+{
+       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
+               generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
+                                  GR_CHMOD_ACL_MSG);
+       } else {
+               generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
+       }
+}
+
+__u32
+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
+                          GR_UNIXCONNECT_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_filldir(const struct dentry *dentry, const struct vfsmount *mnt,
+                     const ino_t ino)
+{
+       if (likely((unsigned long)(dentry->d_inode))) {
+               struct dentry d = *dentry;
+               struct inode inode = *(dentry->d_inode);
+
+               inode.i_ino = ino;
+               d.d_inode = &inode;
+
+               if (unlikely(!gr_search_file(&d, GR_FIND | GR_NOLEARN, mnt)))
+                       return 0;
+       }
+
+       return 1;
+}
+
+__u32
+gr_acl_handle_link(const struct dentry * new_dentry,
+                  const struct dentry * parent_dentry,
+                  const struct vfsmount * parent_mnt,
+                  const struct dentry * old_dentry,
+                  const struct vfsmount * old_mnt, const char *to)
+{
+       __u32 needmode = GR_WRITE | GR_CREATE;
+       __u32 mode;
+
+       mode =
+           gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
+                         old_mnt);
+
+       if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {
+               security_audit(GR_LINK_ACL_MSG, "successful",
+                              gr_to_filename(old_dentry, old_mnt), to,
+                              DEFAULTSECARGS);
+               return mode;
+       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
+               security_alert(GR_LINK_ACL_MSG, "denied",
+                              gr_to_filename(old_dentry, old_mnt), to,
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely((mode & needmode) != needmode))
+               return 0;
+
+       return (GR_WRITE | GR_CREATE);
+}
+
+__u32
+gr_acl_handle_symlink(const struct dentry * new_dentry,
+                     const struct dentry * parent_dentry,
+                     const struct vfsmount * parent_mnt, const char *from)
+{
+       __u32 needmode = GR_WRITE | GR_CREATE;
+       __u32 mode;
+
+       mode =
+           gr_check_create(new_dentry, parent_dentry, parent_mnt,
+                           GR_CREATE | GR_AUDIT_CREATE |
+                           GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
+
+       if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
+               security_audit(GR_SYMLINK_ACL_MSG, "successful",
+                              from, gr_to_filename(new_dentry, parent_mnt),
+                              DEFAULTSECARGS);
+               return mode;
+       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
+               security_alert(GR_SYMLINK_ACL_MSG, "denied",
+                              from, gr_to_filename(new_dentry, parent_mnt),
+                              DEFAULTSECARGS);
+               return 0;
+       } else if (unlikely((mode & needmode) != needmode))
+               return 0;
+
+       return (GR_WRITE | GR_CREATE);
+}
+
+#define generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt, reqmode, fmt) \
+{ \
+       __u32 mode; \
+       \
+       mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS); \
+       \
+       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) { \
+               security_audit(fmt, "successful", \
+                               gr_to_filename(new_dentry, parent_mnt), \
+                               DEFAULTSECARGS); \
+               return mode; \
+       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) { \
+               security_alert(fmt, "denied", \
+                               gr_to_filename(new_dentry, parent_mnt), \
+                               DEFAULTSECARGS); \
+               return 0; \
+       } else if (unlikely((mode & (reqmode)) != (reqmode))) \
+               return 0; \
+       \
+       return (reqmode); \
+}
+
+__u32
+gr_acl_handle_mknod(const struct dentry * new_dentry,
+                   const struct dentry * parent_dentry,
+                   const struct vfsmount * parent_mnt,
+                   const int mode)
+{
+       __u32 reqmode = GR_WRITE | GR_CREATE;
+       if (unlikely(mode & (S_ISUID | S_ISGID)))
+               reqmode |= GR_SETID;
+
+       generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
+                                 reqmode, GR_MKNOD_ACL_MSG);
+}
+
+__u32
+gr_acl_handle_mkdir(const struct dentry *new_dentry,
+                   const struct dentry *parent_dentry,
+                   const struct vfsmount *parent_mnt)
+{
+       generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
+                                 GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
+}
+
+#define RENAME_CHECK_SUCCESS(old, new) \
+       (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
+        ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
+
+int
+gr_acl_handle_rename(struct dentry *new_dentry,
+                    struct dentry *parent_dentry,
+                    const struct vfsmount *parent_mnt,
+                    struct dentry *old_dentry,
+                    struct inode *old_parent_inode,
+                    struct vfsmount *old_mnt, const char *newname)
+{
+       __u8 gr_replace = 1;
+       __u32 comp1, comp2;
+       int error = 0;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               return 1;
+
+       if (!new_dentry->d_inode) {
+               gr_replace = 0;
+
+               comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
+                                       GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
+                                       GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
+               comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
+                                      GR_DELETE | GR_AUDIT_DELETE |
+                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
+                                      GR_SUPPRESS, old_mnt);
+       } else {
+               comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
+                                      GR_CREATE | GR_DELETE |
+                                      GR_AUDIT_CREATE | GR_AUDIT_DELETE |
+                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
+                                      GR_SUPPRESS, parent_mnt);
+               comp2 =
+                   gr_search_file(old_dentry,
+                                  GR_READ | GR_WRITE | GR_AUDIT_READ |
+                                  GR_DELETE | GR_AUDIT_DELETE |
+                                  GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
+       }
+
+       if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
+           ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
+               security_audit(GR_RENAME_ACL_MSG, "successful",
+                              gr_to_filename(old_dentry, old_mnt),
+                              newname, DEFAULTSECARGS);
+       else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
+                && !(comp2 & GR_SUPPRESS)) {
+               security_alert(GR_RENAME_ACL_MSG, "denied",
+                              gr_to_filename(old_dentry, old_mnt), newname,
+                              DEFAULTSECARGS);
+               error = -EACCES;
+       } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
+               error = -EACCES;
+
+       if (error)
+               return error;
+
+       error = gr_handle_rename(old_parent_inode, parent_dentry->d_inode,
+                                old_dentry, new_dentry, old_mnt, gr_replace);
+
+       return error;
+}
+
+void
+gr_acl_handle_exit(void)
+{
+       u16 id;
+       char *rolename;
+
+       if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
+               id = current->acl_role_id;
+               rolename = current->role->rolename;
+               gr_set_acls(1);
+               security_alert_good(GR_SPROLEL_ACL_MSG,
+                                   rolename, id, DEFAULTSECARGS);
+       }
+
+       if (current->exec_file) {
+               fput(current->exec_file);
+               current->exec_file = NULL;
+       }
+}
+
+int
+gr_acl_handle_procpidmem(const struct task_struct *task)
+{
+       if (unlikely(!gr_acl_is_enabled()))
+               return 0;
+
+       if (task->acl->mode & GR_PROTPROCFD)
+               return -EACCES;
+
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/gracl_ip.c linux-2.4.22/grsecurity/gracl_ip.c
--- linux-2.4.22/grsecurity/gracl_ip.c  1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_ip.c  2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,235 @@
+/* 
+ * grsecurity/gracl_ip.c
+ * Copyright Brad Spengler 2002, 2003
+ *
+ */
+
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
+#include <net/sock.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/smp_lock.h>
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+#define GR_BIND        0x01
+#define GR_CONNECT     0x02
+
+static const char * gr_protocols[256] = {
+       "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
+       "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
+       "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
+       "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
+       "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
+       "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
+       "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
+       "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
+       "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
+       "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", 
+       "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf", 
+       "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
+       "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
+       "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
+       "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
+       "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
+       "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
+       "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
+       "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
+       "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
+       "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
+       "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
+       "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
+       "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
+       "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
+       "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
+       "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
+       "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
+       "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
+       "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
+       "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
+       "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
+       };
+
+static const char * gr_socktypes[11] = {
+       "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6", 
+       "unknown:7", "unknown:8", "unknown:9", "packet"
+       };
+
+static __inline__ const char *
+gr_proto_to_name(unsigned char proto)
+{
+       return gr_protocols[proto];
+}
+
+static __inline__ const char *
+gr_socktype_to_name(unsigned char type)
+{
+       return gr_socktypes[type];
+}
+
+int
+gr_search_socket(const int domain, const int type, const int protocol)
+{
+       struct acl_subject_label *curr;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               goto exit;
+
+       if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
+           || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
+               goto exit;      // let the kernel handle it
+
+       curr = current->acl;
+
+       if (!curr->ips)
+               goto exit;
+
+       if ((curr->ip_type & (1 << type)) &&
+           (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
+               goto exit;
+
+       if (curr->mode & GR_LEARN) {
+               /* we don't place acls on raw sockets , and sometimes
+                  dgram/ip sockets are opened for ioctl and not
+                  bind/connect, so we'll fake a bind learn log */
+               if (type == SOCK_RAW || type == SOCK_PACKET) {
+                       __u32 fakeip = 0;
+                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
+                                      current->role->roletype, current->uid,
+                                      current->gid, current->exec_file ?
+                                      gr_to_filename(current->exec_file->f_dentry,
+                                      current->exec_file->f_vfsmnt) :
+                                      curr->filename, curr->filename,
+                                      NIPQUAD(fakeip), 0, type,
+                                      protocol, GR_CONNECT, NIPQUAD(current->curr_ip));
+               } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
+                       __u32 fakeip = 0;
+                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
+                                      current->role->roletype, current->uid,
+                                      current->gid, current->exec_file ?
+                                      gr_to_filename(current->exec_file->f_dentry,
+                                      current->exec_file->f_vfsmnt) :
+                                      curr->filename, curr->filename,
+                                      NIPQUAD(fakeip), 0, type,
+                                      protocol, GR_BIND, NIPQUAD(current->curr_ip));
+               }
+               /* we'll log when they use connect or bind */
+               goto exit;
+       }
+
+       security_alert(GR_SOCK_MSG, "inet", gr_socktype_to_name(type),
+                      gr_proto_to_name(protocol), DEFAULTSECARGS);
+
+       return 0;
+      exit:
+       return 1;
+}
+
+static __inline__ int
+gr_search_connectbind(const int mode, const struct sock *sk,
+                     const struct sockaddr_in *addr, const int type)
+{
+       struct acl_subject_label *curr;
+       struct acl_ip_label *ip;
+       unsigned long i;
+       __u32 ip_addr = 0;
+       __u16 ip_port = 0;
+
+       if (unlikely(!gr_acl_is_enabled() || sk->family != PF_INET))
+               return 1;
+
+       curr = current->acl;
+
+       if (!curr->ips)
+               return 1;
+
+       ip_addr = addr->sin_addr.s_addr;
+       ip_port = ntohs(addr->sin_port);
+
+       for (i = 0; i < curr->ip_num; i++) {
+               ip = *(curr->ips + i);
+               if ((ip->mode & mode) &&
+                   (ip_port >= ip->low) &&
+                   (ip_port <= ip->high) &&
+                   ((ntohl(ip_addr) & ip->netmask) ==
+                    (ntohl(ip->addr) & ip->netmask))
+                   && (ip->
+                       proto[sk->protocol / 32] & (1 << (sk->protocol % 32)))
+                   && (ip->type & (1 << type)))
+                       return 1;
+       }
+
+       if (curr->mode & GR_LEARN) {
+               security_learn(GR_IP_LEARN_MSG, current->role->rolename,
+                              current->role->roletype, current->uid,
+                              current->gid, current->exec_file ?
+                              gr_to_filename(current->exec_file->f_dentry,
+                              current->exec_file->f_vfsmnt) :
+                              curr->filename, curr->filename,
+                              NIPQUAD(ip_addr), ip_port, type,
+                              sk->protocol, mode, NIPQUAD(current->curr_ip));
+               return 1;
+       }
+
+       if (mode == GR_BIND)
+               security_alert(GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port,
+                              gr_socktype_to_name(type), gr_proto_to_name(sk->protocol),
+                              DEFAULTSECARGS);
+       else if (mode == GR_CONNECT)
+               security_alert(GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port,
+                              gr_socktype_to_name(type), gr_proto_to_name(sk->protocol),
+                              DEFAULTSECARGS);
+
+       return 0;
+}
+
+int
+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
+{
+       return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
+}
+
+int
+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
+{
+       return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
+}
+
+int
+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
+{
+       if (addr)
+               return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
+       else {
+               struct sockaddr_in sin;
+
+               sin.sin_addr.s_addr = sk->daddr;
+               sin.sin_port = sk->dport;
+
+               return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
+       }
+}
+
+int
+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
+{
+       struct sockaddr_in sin;
+
+       if (unlikely(skb->len < sizeof (struct udphdr)))
+               return 1;       // skip this packet
+
+       sin.sin_addr.s_addr = skb->nh.iph->saddr;
+       sin.sin_port = skb->h.uh->source;
+
+       return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
+}
diff -urN linux-2.4.22/grsecurity/gracl_learn.c linux-2.4.22/grsecurity/gracl_learn.c
--- linux-2.4.22/grsecurity/gracl_learn.c       1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_learn.c       2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,228 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/sched.h>
+#include <linux/poll.h>
+#include <linux/smp_lock.h>
+#include <linux/string.h>
+#include <linux/file.h>
+#include <linux/types.h>
+#include <linux/vmalloc.h>
+#include <linux/grinternal.h>
+
+extern ssize_t write_grsec_handler(struct file * file, const char * buf,
+                                  size_t count, loff_t *ppos);
+extern int gr_acl_is_enabled(void);
+
+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
+static DECLARE_WAIT_QUEUE_HEAD(input_wait);
+static atomic_t learn_buffer_count = ATOMIC_INIT(0);
+static int gr_learn_attached;
+
+#define LEARN_BUFFER_SLOTS 256
+#define LEARN_BUFFER_SIZE 16384
+
+static spinlock_t learn_buffer_lock[LEARN_BUFFER_SLOTS] = { [0 ... (LEARN_BUFFER_SLOTS - 1)] = SPIN_LOCK_UNLOCKED };
+static char *learn_buffer[LEARN_BUFFER_SLOTS];
+static int learn_buffer_len[LEARN_BUFFER_SLOTS];
+
+static ssize_t
+read_learn(struct file *file, char * buf, size_t count, loff_t * ppos)
+{
+       DECLARE_WAITQUEUE(wait, current);
+       ssize_t retval = 0;
+       char *tmp;
+       unsigned int len;
+       int i;
+
+       add_wait_queue(&learn_wait, &wait);
+       set_current_state(TASK_INTERRUPTIBLE);
+       do {
+               if (atomic_read(&learn_buffer_count) > 1)
+                       break;
+
+               if (file->f_flags & O_NONBLOCK) {
+                       retval = -EAGAIN;
+                       goto out;
+               }
+               if (signal_pending(current)) {
+                       retval = -ERESTARTSYS;
+                       goto out;
+               }
+
+               schedule();
+       } while (1);
+
+
+       for (i = 0; i < LEARN_BUFFER_SLOTS; i++) {
+               spin_lock(&learn_buffer_lock[i]);
+               len = learn_buffer_len[i];
+               tmp = learn_buffer[i];
+               if (!len || !tmp) {
+                       spin_unlock(&learn_buffer_lock[i]);
+                       continue;
+               }
+               learn_buffer[i] = NULL;
+               learn_buffer_len[i] = 0;
+               spin_unlock(&learn_buffer_lock[i]);
+
+               if (count < ((i * LEARN_BUFFER_SIZE) + len)) {
+                       retval = -EINVAL;
+                       vfree(tmp);
+                       goto out;
+               }
+               if (copy_to_user(buf + (i * LEARN_BUFFER_SIZE), tmp, len)) {
+                       retval = -EFAULT;
+                       vfree(tmp);
+                       goto out;
+               }
+
+               retval += len;
+               vfree(tmp);
+               atomic_dec(&learn_buffer_count);
+               atomic_dec(&learn_buffer_count);
+       }
+
+       wake_up(&input_wait);
+out:
+       set_current_state(TASK_RUNNING);
+       remove_wait_queue(&learn_wait, &wait);
+       return retval;
+}
+
+static unsigned int
+poll_learn(struct file * file, poll_table * wait)
+{
+       poll_wait(file, &learn_wait, wait);
+
+       if (atomic_read(&learn_buffer_count) > 1)
+               return (POLLIN | POLLRDNORM);
+
+       return 0;
+}
+
+void
+gr_clear_learn_entries(void)
+{
+       int i;
+
+       atomic_set(&learn_buffer_count, 0);
+       wake_up(&input_wait);
+       
+       for (i = 0; i < LEARN_BUFFER_SLOTS; i++) {
+               if (learn_buffer_len[i]) {
+                       vfree(learn_buffer[i]);
+                       learn_buffer[i] = NULL;
+                       learn_buffer_len[i] = 0;
+               }
+       }
+
+       return;
+}
+
+void
+gr_add_learn_entry(const char *fmt, ...)
+{
+       DECLARE_WAITQUEUE(wait, current);
+       va_list args;
+       char *tmpbuf;
+       char *buf;
+       int i;
+       unsigned int len;
+
+       if (!gr_learn_attached)
+               return;
+
+       tmpbuf = vmalloc(LEARN_BUFFER_SIZE);
+
+       if (tmpbuf == NULL)
+               return;
+
+       va_start(args, fmt);
+       len = vsnprintf(tmpbuf, LEARN_BUFFER_SIZE, fmt, args);
+       va_end(args);
+
+       if (len < 0)
+               len = LEARN_BUFFER_SIZE - 1;
+
+       buf = vmalloc(len + 1);
+
+       if (buf == NULL) {
+               vfree(tmpbuf);
+               return;
+       }
+
+       memcpy(buf, tmpbuf, len);
+       buf[len] = '\0';
+       vfree(tmpbuf);
+
+       add_wait_queue(&input_wait, &wait);
+
+       atomic_inc(&learn_buffer_count);
+       if (atomic_read(&learn_buffer_count) > ((2 * (LEARN_BUFFER_SLOTS - 1)) + 1)) {
+               /* don't sleep under the BKL */
+//             if (unlikely(current->lock_depth >= 0)) {
+               remove_wait_queue(&input_wait, &wait);
+               atomic_dec(&learn_buffer_count);
+               vfree(buf);
+               return;
+//             }
+//             sleep_on(&input_wait);
+       }
+
+       if (!gr_acl_is_enabled()) {
+               remove_wait_queue(&input_wait, &wait);
+               atomic_dec(&learn_buffer_count);
+               vfree(buf);
+               return;
+       }
+
+       for (i = 0; i < LEARN_BUFFER_SLOTS; i++) {
+               spin_lock(&learn_buffer_lock[i]);
+
+               if (learn_buffer_len[i]) {
+                       spin_unlock(&learn_buffer_lock[i]);
+                       continue;
+               }
+
+               learn_buffer[i] = buf;
+
+               learn_buffer_len[i] = len + 1;
+
+               atomic_inc(&learn_buffer_count);
+               spin_unlock(&learn_buffer_lock[i]);
+               break;
+       }
+
+       remove_wait_queue(&input_wait, &wait);
+       wake_up_interruptible(&learn_wait);
+
+       return;
+}
+
+static int
+open_learn(struct inode *inode, struct file *file)
+{
+       if (file->f_mode & FMODE_READ && gr_learn_attached)
+               return -EBUSY;
+       else if (file->f_mode & FMODE_READ)
+               gr_learn_attached = 1;
+
+       return 0;
+}
+
+static int
+close_learn(struct inode *inode, struct file *file)
+{
+       if (file->f_mode & FMODE_READ)
+               gr_learn_attached = 0;
+
+       return 0;
+}
+               
+struct file_operations grsec_fops = {
+       read:           read_learn,
+       write:          write_grsec_handler,
+       open:           open_learn,
+       release:        close_learn,
+       poll:           poll_learn,
+};
diff -urN linux-2.4.22/grsecurity/gracl_res.c linux-2.4.22/grsecurity/gracl_res.c
--- linux-2.4.22/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_res.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,45 @@
+/* resource handling routines (c) Brad Spengler 2002, 2003 */
+
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grinternal.h>
+
+static const char *restab_log[11] = {
+       "RLIMIT_CPU",
+       "RLIMIT_FSIZE",
+       "RLIMIT_DATA",
+       "RLIMIT_STACK",
+       "RLIMIT_CORE",
+       "RLIMIT_RSS",
+       "RLIMIT_NPROC",
+       "RLIMIT_NOFILE",
+       "RLIMIT_MEMLOCK",
+       "RLIMIT_AS",
+       "RLIMIT_LOCKS"
+};
+
+__inline__ void
+gr_log_resource(const struct task_struct *task,
+               const int res, const unsigned long wanted)
+{
+       if (unlikely(res == RLIMIT_NPROC && 
+           (cap_raised(task->cap_effective, CAP_SYS_ADMIN) || 
+            cap_raised(task->cap_effective, CAP_SYS_RESOURCE))))
+               return;
+
+       if (unlikely(wanted >= task->rlim[res].rlim_cur &&
+                    task->rlim[res].rlim_cur != RLIM_INFINITY))
+               security_alert(GR_RESOURCE_MSG, wanted, restab_log[res],
+                              task->rlim[res].rlim_cur,
+                              gr_task_fullpath(task), task->comm,
+                              task->pid, task->uid, task->euid,
+                              task->gid, task->egid,
+                              gr_parent_task_fullpath(task),
+                              task->p_pptr->comm,
+                              task->p_pptr->pid, task->p_pptr->uid, 
+                              task->p_pptr->euid, task->p_pptr->gid,
+                              task->p_pptr->egid);
+
+       return;
+}
diff -urN linux-2.4.22/grsecurity/gracl_segv.c linux-2.4.22/grsecurity/gracl_segv.c
--- linux-2.4.22/grsecurity/gracl_segv.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_segv.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,327 @@
+/* 
+ * grsecurity/gracl_segv.c
+ * Copyright Brad Spengler 2002, 2003
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
+#include <asm/mman.h>
+#include <net/sock.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/smp_lock.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+static struct crash_uid *uid_set;
+static unsigned short uid_used;
+static rwlock_t gr_uid_lock = RW_LOCK_UNLOCKED;
+extern rwlock_t gr_inode_lock;
+extern __inline__ struct acl_subject_label *lookup_acl_subj_label(const ino_t
+                                                                 inode,
+                                                                 const kdev_t
+                                                                 dev,
+                                                                 struct
+                                                                 acl_role_label
+                                                                 *role);
+
+int
+gr_init_uidset(void)
+{
+       uid_set =
+           kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
+       uid_used = 0;
+
+       return uid_set ? 1 : 0;
+}
+
+void
+gr_free_uidset(void)
+{
+       if (uid_set)
+               kfree(uid_set);
+
+       return;
+}
+
+int
+gr_find_uid(const uid_t uid)
+{
+       struct crash_uid *tmp = uid_set;
+       uid_t buid;
+       int low = 0, high = uid_used - 1, mid;
+
+       while (high >= low) {
+               mid = (low + high) >> 1;
+               buid = tmp[mid].uid;
+               if (buid == uid)
+                       return mid;
+               if (buid > uid)
+                       high = mid - 1;
+               if (buid < uid)
+                       low = mid + 1;
+       }
+
+       return -1;
+}
+
+static __inline__ void
+gr_insertsort(void)
+{
+       unsigned short i, j;
+       struct crash_uid index;
+
+       for (i = 1; i < uid_used; i++) {
+               index = uid_set[i];
+               j = i;
+               while ((j > 0) && uid_set[j - 1].uid > index.uid) {
+                       uid_set[j] = uid_set[j - 1];
+                       j--;
+               }
+               uid_set[j] = index;
+       }
+
+       return;
+}
+
+static __inline__ void
+gr_insert_uid(const uid_t uid, const unsigned long expires)
+{
+       int loc;
+
+       if (uid_used == GR_UIDTABLE_MAX)
+               return;
+
+       loc = gr_find_uid(uid);
+
+       if (loc >= 0) {
+               uid_set[loc].expires = expires;
+               return;
+       }
+
+       uid_set[uid_used].uid = uid;
+       uid_set[uid_used].expires = expires;
+       uid_used++;
+
+       gr_insertsort();
+
+       return;
+}
+
+void
+gr_remove_uid(const unsigned short loc)
+{
+       unsigned short i;
+
+       for (i = loc + 1; i < uid_used; i++)
+               uid_set[i - i] = uid_set[i];
+
+       uid_used--;
+
+       return;
+}
+
+int
+gr_check_crash_uid(const uid_t uid)
+{
+       int loc;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               return 0;
+
+       read_lock(&gr_uid_lock);
+       loc = gr_find_uid(uid);
+       read_unlock(&gr_uid_lock);
+
+       if (loc < 0)
+               return 0;
+
+       write_lock(&gr_uid_lock);
+       if (time_before_eq(uid_set[loc].expires, jiffies))
+               gr_remove_uid(loc);
+       else {
+               write_unlock(&gr_uid_lock);
+               return 1;
+       }
+
+       write_unlock(&gr_uid_lock);
+       return 0;
+}
+
+static __inline__ int
+proc_is_setxid(const struct task_struct *task)
+{
+       if (task->uid != task->euid || task->uid != task->suid ||
+           task->uid != task->fsuid)
+               return 1;
+       if (task->gid != task->egid || task->gid != task->sgid ||
+           task->gid != task->fsgid)
+               return 1;
+
+       return 0;
+}
+static __inline__ int
+gr_fake_force_sig(int sig, struct task_struct *t)
+{
+       unsigned long int flags;
+
+       spin_lock_irqsave(&t->sigmask_lock, flags);
+       if (t->sig == NULL) {
+               spin_unlock_irqrestore(&t->sigmask_lock, flags);
+               return -ESRCH;
+       }
+
+       if (t->sig->action[sig - 1].sa.sa_handler == SIG_IGN)
+               t->sig->action[sig - 1].sa.sa_handler = SIG_DFL;
+       sigdelset(&t->blocked, sig);
+       recalc_sigpending(t);
+       spin_unlock_irqrestore(&t->sigmask_lock, flags);
+
+       return send_sig_info(sig, (void *) 1L, t);
+}
+
+void
+gr_handle_crash(struct task_struct *task, const int sig)
+{
+       struct acl_subject_label *curr;
+       struct acl_subject_label *curr2;
+       struct task_struct *tsk;
+
+       if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
+               return;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               return;
+
+       curr = task->acl;
+
+       if (!(curr->resmask & (1 << GR_CRASH_RES)))
+               return;
+
+       if (time_before_eq(curr->expires, jiffies)) {
+               curr->expires = 0;
+               curr->crashes = 0;
+       }
+
+       curr->crashes++;
+
+       if (!curr->expires)
+               curr->expires = jiffies + curr->res[GR_CRASH_RES].rlim_max;
+
+       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
+           time_after(curr->expires, jiffies)) {
+               if (task->uid && proc_is_setxid(task)) {
+                       security_alert(GR_SEGVSTART_ACL_MSG,
+                                      gr_task_fullpath(task), task->comm,
+                                      task->pid, task->uid, task->euid,
+                                      task->gid, task->egid,
+                                      gr_parent_task_fullpath(task),
+                                      task->p_pptr->comm, task->p_pptr->pid,
+                                      task->p_pptr->uid, task->p_pptr->euid,
+                                      task->p_pptr->gid, task->p_pptr->egid,
+                                      task->uid,
+                                      curr->res[GR_CRASH_RES].rlim_max / HZ);
+                       write_lock(&gr_uid_lock);
+                       gr_insert_uid(task->uid, curr->expires);
+                       write_unlock(&gr_uid_lock);
+                       curr->expires = 0;
+                       curr->crashes = 0;
+                       read_lock(&tasklist_lock);
+                       for_each_task(tsk) {
+                               if (tsk != task && tsk->uid == task->uid)
+                                       gr_fake_force_sig(SIGKILL, tsk);
+                       }
+                       read_unlock(&tasklist_lock);
+               } else {
+                       security_alert(GR_SEGVNOSUID_ACL_MSG,
+                                      gr_task_fullpath(task), task->comm,
+                                      task->pid, task->uid, task->euid,
+                                      task->gid, task->egid,
+                                      gr_parent_task_fullpath(task),
+                                      task->p_pptr->comm, task->p_pptr->pid,
+                                      task->p_pptr->uid, task->p_pptr->euid,
+                                      task->p_pptr->gid, task->p_pptr->egid,
+                                      kdevname(curr->device), curr->inode,
+                                      curr->res[GR_CRASH_RES].rlim_max / HZ);
+                       read_lock(&tasklist_lock);
+                       for_each_task(tsk) {
+                               if (likely(tsk != task)) {
+                                       curr2 = tsk->acl;
+
+                                       if (curr2->device == curr->device &&
+                                           curr2->inode == curr->inode)
+                                               gr_fake_force_sig(SIGKILL, tsk);
+                               }
+                       }
+                       read_unlock(&tasklist_lock);
+               }
+       }
+
+       return;
+}
+
+int
+gr_check_crash_exec(const struct file *filp)
+{
+       struct acl_subject_label *curr;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               return 0;
+
+       read_lock(&gr_inode_lock);
+       curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
+                                    filp->f_dentry->d_inode->i_dev,
+                                    current->role);
+       read_unlock(&gr_inode_lock);
+
+       if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
+           (!curr->crashes && !curr->expires))
+               return 0;
+
+       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
+           time_after(curr->expires, jiffies))
+               return 1;
+       else if (time_before_eq(curr->expires, jiffies)) {
+               curr->crashes = 0;
+               curr->expires = 0;
+       }
+
+       return 0;
+}
+
+void
+gr_handle_alertkill(void)
+{
+       struct acl_subject_label *curracl;
+       __u32 curr_ip;
+       struct task_struct *task;
+
+       if (unlikely(!gr_acl_is_enabled()))
+               return;
+
+       curracl = current->acl;
+       curr_ip = current->curr_ip;
+
+       if ((curracl->mode & GR_KILLIPPROC) && curr_ip &&
+           (curr_ip != 0xffffffff)) {
+               read_lock(&tasklist_lock);
+               for_each_task(task) {
+                       if (task->curr_ip == curr_ip)
+                               gr_fake_force_sig(SIGKILL, task);
+               }
+               read_unlock(&tasklist_lock);
+       } else if (curracl->mode & GR_KILLPROC)
+               gr_fake_force_sig(SIGKILL, current);
+
+       return;
+}
diff -urN linux-2.4.22/grsecurity/gracl_shm.c linux-2.4.22/grsecurity/gracl_shm.c
--- linux-2.4.22/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/gracl_shm.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,36 @@
+/* shared memory handling routines, (c) Brad Spengler 2002, 2003 */
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/ipc.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+               const time_t shm_createtime, const uid_t cuid, const int shmid)
+{
+       struct task_struct *task;
+
+       if (!gr_acl_is_enabled())
+               return 1;
+
+       task = find_task_by_pid(shm_cprid);
+
+       if (unlikely(!task))
+               task = find_task_by_pid(shm_lapid);
+
+       if (unlikely(task && ((task->start_time < shm_createtime) ||
+                             (task->pid == shm_lapid)) &&
+                    (task->acl->mode & GR_PROTSHM) &&
+                    (task->acl != current->acl))) {
+               security_alert(GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid,
+                              DEFAULTSECARGS);
+               return 0;
+       }
+
+       return 1;
+}
diff -urN linux-2.4.22/grsecurity/grsec_chdir.c linux-2.4.22/grsecurity/grsec_chdir.c
--- linux-2.4.22/grsecurity/grsec_chdir.c       1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_chdir.c       2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,20 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+       if ((grsec_enable_chdir && grsec_enable_group &&
+            in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
+                                             !grsec_enable_group)) {
+               security_audit(GR_CHDIR_AUDIT_MSG, gr_to_filename(dentry, mnt),
+                              DEFAULTSECARGS);
+       }
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_chroot.c linux-2.4.22/grsecurity/grsec_chroot.c
--- linux-2.4.22/grsecurity/grsec_chroot.c      1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_chroot.c      2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,333 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_chroot_unix(const pid_t pid)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
+       struct task_struct *p, **htable;
+
+       if (unlikely(!grsec_enable_chroot_unix))
+               return 1;
+
+       if (likely(!proc_is_chrooted(current)))
+               return 1;
+
+       read_lock(&tasklist_lock);
+
+       htable = &pidhash[pid_hashfn(pid)];
+
+       for (p = *htable; p && p->pid != pid; p = p->pidhash_next) ;
+
+       if (unlikely(p && !have_same_root(current, p))) {
+               read_unlock(&tasklist_lock);
+               security_alert(GR_UNIX_CHROOT_MSG, DEFAULTSECARGS);
+               return 0;
+       }
+       read_unlock(&tasklist_lock);
+#endif
+       return 1;
+}
+
+int
+gr_handle_chroot_nice(void)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+       if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
+               security_alert(GR_NICE_CHROOT_MSG, DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_setpriority(const struct task_struct *p, const int niceval)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+       if (grsec_enable_chroot_nice && (!have_same_root(p, current)
+                                        || (have_same_root(p, current)
+                                            && (niceval < task_nice(p))
+                                            && proc_is_chrooted(current)))) {
+               security_alert(GR_PRIORITY_CHROOT_MSG, p->comm, p->pid,
+                              DEFAULTSECARGS);
+               return -ESRCH;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_capset(const struct task_struct *target)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
+           !have_same_root(current, target)) {
+               security_alert(GR_CAPSET_CHROOT_MSG, target->comm, target->pid,
+                              DEFAULTSECARGS);
+               return 1;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_rawio(const struct inode *inode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       if (grsec_enable_chroot_caps && proc_is_chrooted(current) && 
+           inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
+               return 1;
+#endif
+       return 0;
+}
+
+int
+gr_pid_is_chrooted(const struct task_struct *p)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+       if (!grsec_enable_chroot_findtask || (current->pid <= 1))
+               return 0;
+
+       if (p && p->fs && p->fs->root && p->fs->root->d_inode &&
+           child_reaper && child_reaper->fs && child_reaper->fs->root &&
+           child_reaper->fs->root->d_inode && current && current->fs &&
+           current->fs->root && current->fs->root->d_inode) {
+               if (proc_is_chrooted(current) && !have_same_root(current, p))
+                       return 1;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
+       if (!grsec_enable_chroot_fchdir)
+               return 1;
+
+       if (!proc_is_chrooted(current))
+               return 1;
+       else {
+               struct dentry *dentry = u_dentry;
+               struct vfsmount *mnt = u_mnt;
+               struct dentry *realroot;
+               struct vfsmount *realrootmnt;
+               struct dentry *currentroot;
+               struct vfsmount *currentmnt;
+
+               read_lock(&child_reaper->fs->lock);
+               realrootmnt = mntget(child_reaper->fs->rootmnt);
+               realroot = dget(child_reaper->fs->root);
+               read_unlock(&child_reaper->fs->lock);
+
+               read_lock(&current->fs->lock);
+               currentmnt = mntget(current->fs->rootmnt);
+               currentroot = dget(current->fs->root);
+               read_unlock(&current->fs->lock);
+
+               spin_lock(&dcache_lock);
+               for (;;) {
+                       if (unlikely
+                           ((dentry == realroot && mnt == realrootmnt)
+                            || (dentry == currentroot && mnt == currentmnt)))
+                               break;
+                       if (unlikely
+                           (dentry == mnt->mnt_root || IS_ROOT(dentry))) {
+                               if (mnt->mnt_parent == mnt)
+                                       break;
+                               dentry = mnt->mnt_mountpoint;
+                               mnt = mnt->mnt_parent;
+                               continue;
+                       }
+                       dentry = dentry->d_parent;
+               }
+               spin_unlock(&dcache_lock);
+
+               dput(currentroot);
+               mntput(currentmnt);
+
+               if (dentry == realroot && mnt == realrootmnt) {
+                       /* ok, they're definitely trying to fchdir outside of the
+                          chroot. */
+                       dput(realroot);
+                       mntput(realrootmnt);
+                       security_alert(GR_CHROOT_FCHDIR_MSG,
+                                      gr_to_filename(u_dentry, u_mnt),
+                                      DEFAULTSECARGS);
+                       return 0;
+               } else {
+                       dput(realroot);
+                       mntput(realrootmnt);
+                       return 1;
+               }
+       }
+#endif
+       return 1;
+}
+
+int
+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+               const time_t shm_createtime)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
+       struct task_struct *p, **htable;
+
+       if (unlikely(!grsec_enable_chroot_shmat))
+               return 1;
+
+       if (likely(!proc_is_chrooted(current)))
+               return 1;
+
+       read_lock(&tasklist_lock);
+
+       htable = &pidhash[pid_hashfn(shm_cprid)];
+
+       for (p = *htable; p && p->pid != shm_cprid; p = p->pidhash_next) ;
+
+       if (unlikely(p && !have_same_root(current, p) &&
+                    (p->start_time < shm_createtime))) {
+               read_unlock(&tasklist_lock);
+               security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
+               return 0;
+       }
+
+       if (unlikely(!p)) {
+               htable = &pidhash[pid_hashfn(shm_lapid)];
+               for (p = *htable; p && p->pid != shm_lapid;
+                    p = p->pidhash_next) ;
+
+               if (unlikely(p && !have_same_root(current, p))) {
+                       read_unlock(&tasklist_lock);
+                       security_alert(GR_SHMAT_CHROOT_MSG, DEFAULTSECARGS);
+                       return 0;
+               }
+       }
+
+       read_unlock(&tasklist_lock);
+#endif
+       return 1;
+}
+
+void
+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+       if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
+               security_audit(GR_EXEC_CHROOT_MSG, gr_to_filename(dentry, mnt),
+                              DEFAULTSECARGS);
+#endif
+       return;
+}
+
+int
+gr_handle_chroot_mknod(const struct dentry *dentry,
+                      const struct vfsmount *mnt, const int mode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) &&
+           proc_is_chrooted(current)) {
+               security_alert(GR_MKNOD_CHROOT_MSG,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_mount(const struct dentry *dentry,
+                      const struct vfsmount *mnt, const char *dev_name)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+       if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
+               security_alert(GR_MOUNT_CHROOT_MSG, dev_name,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_pivot(void)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
+       if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
+               security_alert(GR_PIVOT_CHROOT_MSG, DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+       if (grsec_enable_chroot_double && proc_is_chrooted(current)) {
+               security_alert(GR_CHROOT_CHROOT_MSG,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
+
+void
+gr_handle_chroot_caps(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
+               task->cap_permitted =
+                   cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
+               task->cap_inheritable =
+                   cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
+               task->cap_effective =
+                   cap_drop(task->cap_effective, GR_CHROOT_CAPS);
+       }
+#endif
+       return;
+}
+
+int
+gr_handle_chroot_sysctl(const int op)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+       if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
+           && (op & 002))
+               return -EACCES;
+#endif
+       return 0;
+}
+
+void
+gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+       if (grsec_enable_chroot_chdir)
+               set_fs_pwd(current->fs, mnt, dentry);
+#endif
+       return;
+}
+
+int
+gr_handle_chroot_chmod(const struct dentry *dentry,
+                      const struct vfsmount *mnt, const int mode)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       if (grsec_enable_chroot_chmod &&
+           ((mode & S_ISUID) || (mode & S_ISGID)) &&
+           proc_is_chrooted(current)) {
+               security_alert(GR_CHMOD_CHROOT_MSG,
+                              gr_to_filename(dentry, mnt), DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_disabled.c linux-2.4.22/grsecurity/grsec_disabled.c
--- linux-2.4.22/grsecurity/grsec_disabled.c    1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_disabled.c    2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,374 @@
+/* 
+ * when grsecurity is disabled, compile all external functions into nothing
+ */
+
+#include <linux/kernel.h>
+#include <linux/config.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/kdev_t.h>
+#include <linux/net.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/sysctl.h>
+
+#ifdef CONFIG_SYSCTL
+__u32
+gr_handle_sysctl(const struct ctl_table * table, __u32 mode)
+{
+       return mode;
+}
+#endif
+
+int
+gr_acl_is_enabled(void)
+{
+       return 0;
+}
+
+int
+gr_handle_rawio(const struct inode *inode)
+{
+       return 0;
+}
+
+void
+gr_acl_handle_psacct(struct task_struct *task, const long code)
+{
+       return;
+}
+
+int
+gr_handle_ptrace_exec(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return 0;
+}
+
+int
+gr_handle_mmap(const struct file *filp, const unsigned long prot)
+{
+       return 0;
+}
+
+int
+gr_handle_ptrace(struct task_struct *task, const long request)
+{
+       return 0;
+}
+
+void
+gr_learn_resource(const struct task_struct *task,
+                 const int res, const unsigned long wanted)
+{
+       return;
+}
+
+int
+gr_set_acls(const int type)
+{
+       return 0;
+}
+
+int
+gr_check_hidden_task(const struct task_struct *tsk)
+{
+       return 0;
+}
+
+int
+gr_check_protected_task(const struct task_struct *task)
+{
+       return 0;
+}
+
+__inline__ void
+gr_copy_label(struct task_struct *tsk)
+{
+       return;
+}
+
+void
+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return;
+}
+
+void
+gr_handle_delete(const ino_t ino, const kdev_t dev)
+{
+       return;
+}
+
+void
+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
+{
+       return;
+}
+
+void
+gr_handle_crash(struct task_struct *task, const int sig)
+{
+       return;
+}
+
+int
+gr_check_crash_exec(const struct file *filp)
+{
+       return 0;
+}
+
+int
+gr_check_crash_uid(const uid_t uid)
+{
+       return 0;
+}
+
+int
+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
+                struct dentry *old_dentry,
+                struct dentry *new_dentry,
+                struct vfsmount *mnt, const __u8 replace)
+{
+       return 0;
+}
+
+int
+gr_search_socket(const int family, const int type, const int protocol)
+{
+       return 1;
+}
+
+int
+gr_search_connectbind(const int mode, const struct socket *sock,
+                     const struct sockaddr_in *addr)
+{
+       return 1;
+}
+
+int
+gr_is_capable(const int cap)
+{
+       return 1;
+}
+
+void
+gr_handle_alertkill(void)
+{
+       return;
+}
+
+__u32
+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_hidden_file(const struct dentry * dentry,
+                         const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
+                  const int fmode)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+int
+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
+                  unsigned int *vm_flags)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_truncate(const struct dentry * dentry,
+                      const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_access(const struct dentry * dentry,
+                    const struct vfsmount * mnt, const int fmode)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
+                    mode_t mode)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
+                   mode_t mode)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+void
+grsecurity_init(void)
+{
+       return;
+}
+
+__u32
+gr_acl_handle_mknod(const struct dentry * new_dentry,
+                   const struct dentry * parent_dentry,
+                   const struct vfsmount * parent_mnt,
+                   const int mode)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_mkdir(const struct dentry * new_dentry,
+                   const struct dentry * parent_dentry,
+                   const struct vfsmount * parent_mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_symlink(const struct dentry * new_dentry,
+                     const struct dentry * parent_dentry,
+                     const struct vfsmount * parent_mnt, const char *from)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_link(const struct dentry * new_dentry,
+                  const struct dentry * parent_dentry,
+                  const struct vfsmount * parent_mnt,
+                  const struct dentry * old_dentry,
+                  const struct vfsmount * old_mnt, const char *to)
+{
+       return 1;
+}
+
+int
+gr_acl_handle_rename(const struct dentry *new_dentry,
+                    const struct dentry *parent_dentry,
+                    const struct vfsmount *parent_mnt,
+                    const struct dentry *old_dentry,
+                    const struct inode *old_parent_inode,
+                    const struct vfsmount *old_mnt, const char *newname)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_filldir(const struct dentry * dentry,
+                     const struct vfsmount * mnt, const ino_t ino)
+{
+       return 1;
+}
+
+int
+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+               const time_t shm_createtime, const uid_t cuid, const int shmid)
+{
+       return 1;
+}
+
+int
+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
+{
+       return 1;
+}
+
+int
+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
+{
+       return 1;
+}
+
+__u32
+gr_acl_handle_creat(const struct dentry * dentry,
+                   const struct dentry * p_dentry,
+                   const struct vfsmount * p_mnt, const int fmode,
+                   const int imode)
+{
+       return 1;
+}
+
+void
+gr_acl_handle_exit(void)
+{
+       return;
+}
+
+int
+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
+{
+       return 1;
+}
+
+void
+gr_set_role_label(const uid_t uid, const gid_t gid)
+{
+       return;
+}
+
+int
+gr_acl_handle_procpidmem(const struct task_struct *task)
+{
+       return 0;
+}
+
+int
+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
+{
+       return 1;
+}
+
+int
+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
+{
+       return 1;
+}
+
+void
+gr_set_kernel_label(struct task_struct *task)
+{
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_exec.c linux-2.4.22/grsecurity/grsec_exec.c
--- linux-2.4.22/grsecurity/grsec_exec.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_exec.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,70 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/types.h>
+#include <linux/grdefs.h>
+#include <linux/grinternal.h>
+#include <linux/capability.h>
+
+#include <asm/uaccess.h>
+
+int
+gr_handle_nproc(void)
+{
+#ifdef CONFIG_GRKERNSEC_EXECVE
+       if (grsec_enable_execve && current->user &&
+           (atomic_read(&current->user->processes) >
+            current->rlim[RLIMIT_NPROC].rlim_cur) &&
+           !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+               security_alert(GR_NPROC_MSG, DEFAULTSECARGS);
+               return -EAGAIN;
+       }
+#endif
+       return 0;
+}
+
+void
+gr_handle_exec_args(struct linux_binprm *bprm, char **argv)
+{
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+       char grarg[64] = { 0 };
+       __u8 execlen = 0;
+       unsigned int i;
+
+       if (!((grsec_enable_execlog && grsec_enable_group &&
+              in_group_p(grsec_audit_gid))
+             || (grsec_enable_execlog && !grsec_enable_group)))
+               return;
+
+       if (unlikely(!argv))
+               goto log;
+
+       for (i = 0; i < bprm->argc && execlen < 62; i++) {
+               char *p;
+               __u8 len;
+
+               if (get_user(p, argv + i))
+                       goto log;
+               if (!p)
+                       goto log;
+               len = strnlen_user(p, 62 - execlen);
+               if (len > 62 - execlen)
+                       len = 62 - execlen;
+               else if (len > 0)
+                       len--;
+               if (copy_from_user(grarg + execlen, p, len))
+                       goto log;
+               execlen += len;
+               *(grarg + execlen) = ' ';
+               *(grarg + execlen + 1) = '\0';
+               execlen++;
+       }
+
+      log:
+       security_audit(GR_EXEC_AUDIT_MSG, gr_to_filename(bprm->file->f_dentry,
+                                                        bprm->file->f_vfsmnt),
+                      grarg, DEFAULTSECARGS);
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_fifo.c linux-2.4.22/grsecurity/grsec_fifo.c
--- linux-2.4.22/grsecurity/grsec_fifo.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_fifo.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,24 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
+              const struct dentry *dir, const int flag, const int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_FIFO
+       if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
+           !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
+           (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
+           (current->fsuid != dentry->d_inode->i_uid)) {
+               if (!permission(dentry->d_inode, acc_mode))
+                       security_alert(GR_FIFO_MSG, gr_to_filename(dentry, mnt),
+                                      dentry->d_inode->i_uid,
+                                      dentry->d_inode->i_gid, DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_fork.c linux-2.4.22/grsecurity/grsec_fork.c
--- linux-2.4.22/grsecurity/grsec_fork.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_fork.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,14 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_forkfail(const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       if (grsec_enable_forkfail)
+               security_alert(GR_FAILFORK_MSG, retval, DEFAULTSECARGS);
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_init.c linux-2.4.22/grsecurity/grsec_init.c
--- linux-2.4.22/grsecurity/grsec_init.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_init.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,210 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/smp_lock.h>
+#include <linux/gracl.h>
+#include <linux/slab.h>
+
+int grsec_enable_link;
+int grsec_enable_dmesg;
+int grsec_enable_fifo;
+int grsec_enable_execve;
+int grsec_enable_execlog;
+int grsec_enable_signal;
+int grsec_enable_forkfail;
+int grsec_enable_time;
+int grsec_enable_group;
+int grsec_audit_gid;
+int grsec_enable_chdir;
+int grsec_enable_audit_ipc;
+int grsec_enable_mount;
+int grsec_enable_chroot_findtask;
+int grsec_enable_chroot_mount;
+int grsec_enable_chroot_shmat;
+int grsec_enable_chroot_fchdir;
+int grsec_enable_chroot_double;
+int grsec_enable_chroot_pivot;
+int grsec_enable_chroot_chdir;
+int grsec_enable_chroot_chmod;
+int grsec_enable_chroot_mknod;
+int grsec_enable_chroot_nice;
+int grsec_enable_chroot_execlog;
+int grsec_enable_chroot_caps;
+int grsec_enable_chroot_sysctl;
+int grsec_enable_chroot_unix;
+int grsec_enable_tpe;
+int grsec_tpe_gid;
+int grsec_enable_tpe_all;
+int grsec_enable_randpid;
+int grsec_enable_randid;
+int grsec_enable_randisn;
+int grsec_enable_randsrc;
+int grsec_enable_randrpc;
+int grsec_enable_socket_all;
+int grsec_socket_all_gid;
+int grsec_enable_socket_client;
+int grsec_socket_client_gid;
+int grsec_enable_socket_server;
+int grsec_socket_server_gid;
+int grsec_lock;
+
+spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
+unsigned long grsec_alert_wtime = 0;
+unsigned long grsec_alert_fyet = 0;
+
+spinlock_t grsec_alertgood_lock = SPIN_LOCK_UNLOCKED;
+unsigned long grsec_alertgood_wtime = 0;
+unsigned long grsec_alertgood_fyet = 0;
+
+spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
+
+char *gr_shared_page[4][NR_CPUS];
+extern struct gr_arg *gr_usermode;
+extern unsigned char *gr_system_salt;
+extern unsigned char *gr_system_sum;
+
+void
+grsecurity_init(void)
+{
+       int i, j;
+       /* create the per-cpu shared pages */
+
+       for (j = 0; j < 4; j++) {
+               for (i = 0; i < NR_CPUS; i++) {
+                       gr_shared_page[j][i] = (char *) get_zeroed_page(GFP_KERNEL);
+                       if (!gr_shared_page[j][i]) {
+                               panic("Unable to allocate grsecurity shared page");
+                               return;
+                       }
+               }
+       }
+
+       /* allocate memory for authentication structure */
+       gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
+       gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
+       gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
+
+       if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
+               panic("Unable to allocate grsecurity authentication structure");
+               return;
+       }
+
+#ifndef CONFIG_GRKERNSEC_SYSCTL
+       grsec_lock = 1;
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+       grsec_enable_group = 1;
+       grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+       grsec_enable_chdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       grsec_enable_audit_ipc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+       grsec_enable_mount = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+       grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+       grsec_enable_dmesg = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+       grsec_enable_fifo = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+       grsec_enable_execve = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+       grsec_enable_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+       grsec_enable_signal = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       grsec_enable_forkfail = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+       grsec_enable_time = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+       grsec_enable_chroot_findtask = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
+       grsec_enable_chroot_unix = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+       grsec_enable_chroot_mount = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
+       grsec_enable_chroot_fchdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
+       grsec_enable_chroot_shmat = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+       grsec_enable_chroot_double = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
+       grsec_enable_chroot_pivot = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+       grsec_enable_chroot_chdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       grsec_enable_chroot_chmod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       grsec_enable_chroot_mknod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+       grsec_enable_chroot_nice = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+       grsec_enable_chroot_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       grsec_enable_chroot_caps = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+       grsec_enable_chroot_sysctl = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+       grsec_enable_tpe = 1;
+       grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+       grsec_enable_tpe_all = 1;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       grsec_enable_randpid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+       grsec_enable_randid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDISN
+       grsec_enable_randisn = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+       grsec_enable_randsrc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+       grsec_enable_randrpc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       grsec_enable_socket_all = 1;
+       grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+       grsec_enable_socket_client = 1;
+       grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       grsec_enable_socket_server = 1;
+       grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
+#endif
+#endif
+
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_ipc.c linux-2.4.22/grsecurity/grsec_ipc.c
--- linux-2.4.22/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_ipc.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,81 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/types.h>
+#include <linux/ipc.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_msgget(const int ret, const int msgflg)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+             grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
+                                         !grsec_enable_group)) && (ret >= 0)
+           && (msgflg & IPC_CREAT))
+               security_audit(GR_MSGQ_AUDIT_MSG, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_msgrm(const uid_t uid, const uid_t cuid)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+            grsec_enable_audit_ipc) ||
+           (grsec_enable_audit_ipc && !grsec_enable_group))
+               security_audit(GR_MSGQR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_semget(const int err, const int semflg)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+             grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
+                                         !grsec_enable_group)) && (err >= 0)
+           && (semflg & IPC_CREAT))
+               security_audit(GR_SEM_AUDIT_MSG, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_semrm(const uid_t uid, const uid_t cuid)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+            grsec_enable_audit_ipc) ||
+           (grsec_enable_audit_ipc && !grsec_enable_group))
+               security_audit(GR_SEMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_shmget(const int err, const int shmflg, const size_t size)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+             grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
+                                         !grsec_enable_group)) && (err >= 0)
+           && (shmflg & IPC_CREAT))
+               security_audit(GR_SHM_AUDIT_MSG, size, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_shmrm(const uid_t uid, const uid_t cuid)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
+            grsec_enable_audit_ipc) ||
+           (grsec_enable_audit_ipc && !grsec_enable_group))
+               security_audit(GR_SHMR_AUDIT_MSG, uid, cuid, DEFAULTSECARGS);
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_link.c linux-2.4.22/grsecurity/grsec_link.c
--- linux-2.4.22/grsecurity/grsec_link.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_link.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,41 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+                     const struct inode *inode,
+                     const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+       if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+           (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+           (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
+               security_alert(GR_SYMLINK_MSG, gr_to_filename(dentry, mnt),
+                              inode->i_uid, inode->i_gid, DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry,
+                  const struct vfsmount *mnt,
+                  struct inode *inode, const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+       if (grsec_enable_link && current->fsuid != inode->i_uid &&
+           (!S_ISREG(mode) || (mode & S_ISUID) ||
+            ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+            (permission(inode, MAY_READ | MAY_WRITE))) &&
+           !capable(CAP_FOWNER) && current->uid) {
+               security_alert(GR_HARDLINK_MSG, gr_to_filename(dentry, mnt),
+                              inode->i_uid, inode->i_gid, to, DEFAULTSECARGS);
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_mem.c linux-2.4.22/grsecurity/grsec_mem.c
--- linux-2.4.22/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_mem.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,54 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/grinternal.h>
+
+void
+gr_handle_ioperm(void)
+{
+       security_alert(GR_IOPERM_MSG, DEFAULTSECARGS);
+       return;
+}
+
+void
+gr_handle_iopl(void)
+{
+       security_alert(GR_IOPL_MSG, DEFAULTSECARGS);
+       return;
+}
+
+void
+gr_handle_mem_write(void)
+{
+       security_alert(GR_MEM_WRITE_MSG, DEFAULTSECARGS);
+       return;
+}
+
+void
+gr_handle_kmem_write(void)
+{
+       security_alert(GR_KMEM_MSG, DEFAULTSECARGS);
+       return;
+}
+
+void
+gr_handle_open_port(void)
+{
+       security_alert(GR_PORT_OPEN_MSG, DEFAULTSECARGS);
+       return;
+}
+
+int
+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
+{
+       if (offset < __pa(high_memory) &&
+           (pgprot_val(vma->vm_page_prot) & PROT_WRITE) &&
+           !(offset == 0xf0000 && ((vma->vm_end - vma->vm_start) <= 0x10000)) &&
+           !(offset == 0xa0000 && ((vma->vm_end - vma->vm_start) <= 0x20000))) {
+               security_alert(GR_MEM_MMAP_MSG, DEFAULTSECARGS);
+               return -EPERM;
+       } else if (offset < __pa(high_memory))
+               vma->vm_flags &= ~VM_MAYWRITE;
+
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_mount.c linux-2.4.22/grsecurity/grsec_mount.c
--- linux-2.4.22/grsecurity/grsec_mount.c       1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_mount.c       2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,34 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_remount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+       if (grsec_enable_mount && (retval >= 0))
+               security_audit(GR_REMOUNT_AUDIT_MSG, devname, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_unmount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+       if (grsec_enable_mount && (retval >= 0))
+               security_audit(GR_UNMOUNT_AUDIT_MSG, devname, DEFAULTSECARGS);
+#endif
+       return;
+}
+
+void
+gr_log_mount(const char *from, const char *to, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+       if (grsec_enable_mount && (retval >= 0))
+               security_audit(GR_MOUNT_AUDIT_MSG, from, to, DEFAULTSECARGS);
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_rand.c linux-2.4.22/grsecurity/grsec_rand.c
--- linux-2.4.22/grsecurity/grsec_rand.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_rand.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,36 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+extern int last_pid;
+
+int
+gr_random_pid(spinlock_t * pid_lock)
+{
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       struct task_struct *p;
+       int pid;
+
+       if (grsec_enable_randpid && current->fs->root) {
+               read_lock(&tasklist_lock);
+               spin_lock(pid_lock);
+
+             repeater:
+
+               pid = 1 + (get_random_long() % PID_MAX);
+
+               for_each_task(p) {
+                       if (p->pid == pid || p->pgrp == pid ||
+                           p->tgid == pid || p->session == pid)
+                               goto repeater;
+               }
+               last_pid = pid;
+               spin_unlock(pid_lock);
+               read_unlock(&tasklist_lock);
+               return pid;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_sig.c linux-2.4.22/grsecurity/grsec_sig.c
--- linux-2.4.22/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_sig.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,47 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_signal(const int sig, const struct task_struct *t)
+{
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+       if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
+                                   (sig == SIGABRT) || (sig == SIGBUS))) {
+               if (t->pid == current->pid) {
+                       security_alert_good(GR_UNISIGLOG_MSG, sig,
+                                           DEFAULTSECARGS);
+               } else {
+                       security_alert_good(GR_DUALSIGLOG_MSG, sig,
+                                           gr_task_fullpath(t), t->comm,
+                                           t->pid, t->uid, t->euid, t->gid,
+                                           t->egid, gr_parent_task_fullpath(t),
+                                           t->p_pptr->comm,
+                                           t->p_pptr->pid, t->p_pptr->uid,
+                                           t->p_pptr->euid, t->p_pptr->gid,
+                                           t->p_pptr->egid, DEFAULTSECARGS);
+               }
+       }
+#endif
+       return;
+}
+
+int
+gr_handle_signal(const struct task_struct *p, const int sig)
+{
+#ifdef CONFIG_GRKERNSEC
+       if (current->pid > 1 && gr_check_protected_task(p)) {
+               security_alert(GR_SIG_ACL_MSG, sig, gr_task_fullpath(p),
+                              p->comm, p->pid, p->uid,
+                              p->euid, p->gid, p->egid,
+                              gr_parent_task_fullpath(p), p->p_pptr->comm,
+                              p->p_pptr->pid, p->p_pptr->uid,
+                              p->p_pptr->euid, p->p_pptr->gid,
+                              p->p_pptr->egid, DEFAULTSECARGS);
+               return -EPERM;
+       } else if (gr_pid_is_chrooted(p)) {
+               return -EPERM;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_sock.c linux-2.4.22/grsecurity/grsec_sock.c
--- linux-2.4.22/grsecurity/grsec_sock.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_sock.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,123 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/net.h>
+#include <net/sock.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+#include <linux/gracl.h>
+
+void
+gr_attach_curr_ip(const struct sock *sk)
+{
+#ifdef CONFIG_GRKERNSEC
+       struct task_struct *p;
+       unsigned int i;
+       struct inode *inode;
+       struct file *filp;
+       struct socket *connect_sock;
+
+       if (unlikely(sk->protocol != IPPROTO_TCP))
+               return;
+
+       read_lock(&tasklist_lock);
+       for_each_task(p) {
+               if (!p->used_connect)
+                       continue;
+               task_lock(p);
+               if (unlikely(!p->files)) {
+                       task_unlock(p);
+                       continue;
+               }
+               read_lock(&p->files->file_lock);
+               for (i = 0; i < p->files->max_fds; i++) {
+                       filp = fcheck_files(p->files, i);
+                       if (likely(!filp))
+                               continue;
+                       inode = filp->f_dentry->d_inode;
+                       if (likely(!inode || !inode->i_sock))
+                               continue;
+                       connect_sock = &inode->u.socket_i;
+                       if (unlikely(!connect_sock ||
+                                    connect_sock->sk->protocol != IPPROTO_TCP))
+                               continue;
+                       if (unlikely(sk->rcv_saddr == connect_sock->sk->daddr &&
+                                    sk->daddr == connect_sock->sk->rcv_saddr &&
+                                    ntohs(sk->sport) ==
+                                    ntohs(connect_sock->sk->dport)
+                                    && ntohs(sk->dport) ==
+                                    ntohs(connect_sock->sk->sport))) {
+                               current->curr_ip = p->curr_ip;
+                               current->used_accept = 1;
+                               read_unlock(&p->files->file_lock);
+                               task_unlock(p);
+                               read_unlock(&tasklist_lock);
+                               return;
+                       }
+               }
+               read_unlock(&p->files->file_lock);
+               task_unlock(p);
+       }
+       read_unlock(&tasklist_lock);
+
+       current->curr_ip = sk->daddr;
+       current->used_accept = 1;
+#endif
+       return;
+}
+
+int
+gr_handle_sock_all(const int family, const int type, const int protocol)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
+           (family != AF_UNIX) && (family != AF_LOCAL)) {
+               security_alert(GR_SOCK_MSG, family, type, protocol,
+                              DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_sock_server(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       if (grsec_enable_socket_server &&
+           in_group_p(grsec_socket_server_gid) &&
+           sck && (sck->sa_family != AF_UNIX) &&
+           (sck->sa_family != AF_LOCAL)) {
+               security_alert(GR_BIND_MSG, DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
+
+int
+gr_handle_sock_client(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+       if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
+           sck && (sck->sa_family != AF_UNIX) &&
+           (sck->sa_family != AF_LOCAL)) {
+               security_alert(GR_CONNECT_MSG, DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
+
+__u32
+gr_cap_rtnetlink(void)
+{
+#ifdef CONFIG_GRKERNSEC
+       if (!gr_acl_is_enabled())
+               return current->cap_effective;
+       else
+               return (current->cap_effective & ~(current->acl->cap_lower));
+#else
+       return current->cap_effective;
+#endif
+}
diff -urN linux-2.4.22/grsecurity/grsec_sysctl.c linux-2.4.22/grsecurity/grsec_sysctl.c
--- linux-2.4.22/grsecurity/grsec_sysctl.c      1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_sysctl.c      2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,16 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
+{
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+       if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
+               security_alert(GR_SYSCTL_MSG, name, DEFAULTSECARGS);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
diff -urN linux-2.4.22/grsecurity/grsec_time.c linux-2.4.22/grsecurity/grsec_time.c
--- linux-2.4.22/grsecurity/grsec_time.c        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_time.c        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,13 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_timechange(void)
+{
+#ifdef CONFIG_GRKERNSEC_TIME
+       if (grsec_enable_time)
+               security_alert_good(GR_TIME_MSG, DEFAULTSECARGS);
+#endif
+       return;
+}
diff -urN linux-2.4.22/grsecurity/grsec_tpe.c linux-2.4.22/grsecurity/grsec_tpe.c
--- linux-2.4.22/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsec_tpe.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,35 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/grinternal.h>
+
+extern int gr_acl_tpe_check(void);
+
+int
+gr_tpe_allow(const struct file *file)
+{
+#ifdef CONFIG_GRKERNSEC
+       struct inode *inode = file->f_dentry->d_parent->d_inode;
+
+       if (current->uid && ((grsec_enable_tpe && in_group_p(grsec_tpe_gid)) || gr_acl_tpe_check()) &&
+           (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
+                                               (inode->i_mode & S_IWOTH))))) {
+               security_alert(GR_EXEC_TPE_MSG,
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 0;
+       }
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+       if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
+           ((inode->i_uid && (inode->i_uid != current->uid)) ||
+            (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
+               security_alert(GR_EXEC_TPE_MSG,
+                              gr_to_filename(file->f_dentry, file->f_vfsmnt),
+                              DEFAULTSECARGS);
+               return 0;
+       }
+#endif
+#endif
+       return 1;
+}
diff -urN linux-2.4.22/grsecurity/grsum.c linux-2.4.22/grsecurity/grsum.c
--- linux-2.4.22/grsecurity/grsum.c     1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/grsum.c     2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,59 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <asm/scatterlist.h>
+#include <linux/crypto.h>
+#include <linux/gracl.h>
+
+
+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
+#error "crypto and sha256 must be built into the kernel"
+#endif
+
+int
+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
+{
+       char *p;
+       struct crypto_tfm *tfm;
+       unsigned char temp_sum[GR_SHA_LEN];
+       struct scatterlist sg[2];
+       volatile int retval = 0;
+       volatile int dummy = 0;
+       unsigned int i;
+
+       tfm = crypto_alloc_tfm("sha256", 0);
+       if (tfm == NULL) {
+               /* should never happen, since sha256 should be built in */
+               return 1;
+       }
+
+       crypto_digest_init(tfm);
+
+       p = salt;
+       sg[0].page = virt_to_page(p);
+       sg[0].offset = ((long) p & ~PAGE_MASK);
+       sg[0].length = GR_SALT_LEN;
+       
+       crypto_digest_update(tfm, sg, 1);
+
+       p = entry->pw;
+       sg[0].page = virt_to_page(p);
+       sg[0].offset = ((long) p & ~PAGE_MASK);
+       sg[0].length = strlen(entry->pw);
+
+       crypto_digest_update(tfm, sg, 1);
+
+       crypto_digest_final(tfm, temp_sum);
+
+       memset(entry->pw, 0, GR_PW_LEN);
+
+       for (i = 0; i < GR_SHA_LEN; i++)
+               if (sum[i] != temp_sum[i])
+                       retval = 1;
+               else
+                       dummy = 1;      // waste a cycle
+
+       crypto_free_tfm(tfm);
+
+       return retval;
+}
diff -urN linux-2.4.22/grsecurity/obsd_rand.c linux-2.4.22/grsecurity/obsd_rand.c
--- linux-2.4.22/grsecurity/obsd_rand.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/grsecurity/obsd_rand.c 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,195 @@
+
+/*
+ * Copyright (c) 1996, 1997, 2000-2002 Michael Shalayeff.
+ * 
+ * Version 1.89, last modified 19-Sep-99
+ *    
+ * Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999.
+ * All rights reserved.
+ *
+ * Copyright 1998 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ * Theo de Raadt <deraadt@openbsd.org> came up with the idea of using
+ * such a mathematical system to generate more random (yet non-repeating)
+ * ids to solve the resolver/named problem.  But Niels designed the
+ * actual system based on the constraints.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer,
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/smp_lock.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+
+#define RU_OUT 180
+#define RU_MAX 30000
+#define RU_GEN 2
+#define RU_N 32749
+#define RU_AGEN 7
+#define RU_M 31104
+#define PFAC_N 3
+const static __u16 pfacts[PFAC_N] = { 2, 3, 2729 };
+
+static __u16 ru_x;
+static __u16 ru_seed, ru_seed2;
+static __u16 ru_a, ru_b;
+static __u16 ru_g;
+static __u16 ru_counter = 0;
+static __u16 ru_msb = 0;
+static unsigned long ru_reseed = 0;
+static __u32 tmp;
+
+#define TCP_RNDISS_ROUNDS      15
+#define TCP_RNDISS_OUT         7200
+#define TCP_RNDISS_MAX         30000
+
+static __u8 tcp_rndiss_sbox[NR_CPUS][128];
+static __u16 tcp_rndiss_msb[NR_CPUS];
+static __u16 tcp_rndiss_cnt[NR_CPUS];
+static unsigned long tcp_rndiss_reseed[NR_CPUS];
+
+static __u16 pmod(__u16, __u16, __u16);
+static void ip_initid(void);
+__u16 ip_randomid(void);
+
+static __u16
+pmod(__u16 gen, __u16 exp, __u16 mod)
+{
+       __u16 s, t, u;
+
+       s = 1;
+       t = gen;
+       u = exp;
+
+       while (u) {
+               if (u & 1)
+                       s = (s * t) % mod;
+               u >>= 1;
+               t = (t * t) % mod;
+       }
+       return (s);
+}
+
+static void
+ip_initid(void)
+{
+       __u16 j, i;
+       int noprime = 1;
+
+       ru_x = ((tmp = get_random_long()) & 0xFFFF) % RU_M;
+
+       ru_seed = (tmp >> 16) & 0x7FFF;
+       ru_seed2 = get_random_long() & 0x7FFF;
+
+       ru_b = ((tmp = get_random_long()) & 0xfffe) | 1;
+       ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M);
+       while (ru_b % 3 == 0)
+               ru_b += 2;
+
+       j = (tmp = get_random_long()) % RU_N;
+       tmp = tmp >> 16;
+
+       while (noprime) {
+               for (i = 0; i < PFAC_N; i++)
+                       if (j % pfacts[i] == 0)
+                               break;
+
+               if (i >= PFAC_N)
+                       noprime = 0;
+               else
+                       j = (j + 1) % RU_N;
+       }
+
+       ru_g = pmod(RU_GEN, j, RU_N);
+       ru_counter = 0;
+
+       ru_reseed = xtime.tv_sec + RU_OUT;
+       ru_msb = ru_msb == 0x8000 ? 0 : 0x8000;
+}
+
+__u16
+ip_randomid(void)
+{
+       int i, n;
+
+       if (ru_counter >= RU_MAX || time_after(xtime.tv_sec, ru_reseed))
+               ip_initid();
+
+       if (!tmp)
+               tmp = get_random_long();
+
+       n = tmp & 0x3;
+       tmp = tmp >> 2;
+       if (ru_counter + n >= RU_MAX)
+               ip_initid();
+       for (i = 0; i <= n; i++)
+               ru_x = (ru_a * ru_x + ru_b) % RU_M;
+       ru_counter += i;
+
+       return ((ru_seed ^ pmod(ru_g, ru_seed2 ^ ru_x, RU_N)) | ru_msb);
+}
+
+__u16
+tcp_rndiss_encrypt(__u16 val)
+{
+       __u16 sum = 0, i;
+       int cpu = smp_processor_id();
+
+       for (i = 0; i < TCP_RNDISS_ROUNDS; i++) {
+               sum += 0x79b9;
+               val ^= ((__u16) tcp_rndiss_sbox[cpu][(val ^ sum) ^ 0x7f]) << 7;
+               val = ((val & 0xff) << 7) | (val >> 8);
+       }
+
+       return val;
+}
+
+static void
+tcp_rndiss_init(void)
+{
+       int cpu = smp_processor_id();
+
+       get_random_bytes(tcp_rndiss_sbox[cpu], sizeof (tcp_rndiss_sbox));
+       tcp_rndiss_reseed[cpu] = xtime.tv_sec + TCP_RNDISS_OUT;
+       tcp_rndiss_msb[cpu] = tcp_rndiss_msb[cpu] == 0x8000 ? 0 : 0x8000;
+       tcp_rndiss_cnt[cpu] = 0;
+}
+
+__u32
+ip_randomisn(void)
+{
+       int cpu = smp_processor_id();
+
+       if (tcp_rndiss_cnt[cpu] >= TCP_RNDISS_MAX ||
+           time_after(xtime.tv_sec, tcp_rndiss_reseed[cpu]))
+               tcp_rndiss_init();
+
+       return (((tcp_rndiss_encrypt(tcp_rndiss_cnt[cpu]++) |
+                 tcp_rndiss_msb[cpu]) << 16) | (get_random_long() & 0x7fff));
+}
diff -urN linux-2.4.22/include/linux/fs.h linux-2.4.22/include/linux/fs.h
--- linux-2.4.22/include/linux/fs.h     2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/include/linux/fs.h     2003-09-02 19:33:29.000000000 -0400
@@ -1087,7 +1087,7 @@
 
 asmlinkage long sys_open(const char *, int, int);
 asmlinkage long sys_close(unsigned int);       /* yes, it's really unsigned */
-extern int do_truncate(struct dentry *, loff_t start);
+extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *);
 
 extern struct file *filp_open(const char *, int, int);
 extern struct file * dentry_open(struct dentry *, struct vfsmount *, int);
diff -urN linux-2.4.22/include/linux/gracl.h linux-2.4.22/include/linux/gracl.h
--- linux-2.4.22/include/linux/gracl.h  1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/gracl.h  2003-09-02 19:40:47.000000000 -0400
@@ -0,0 +1,212 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+#endif
+#include <linux/grdefs.h>
+#include <linux/resource.h>
+
+#include <asm/resource.h>
+
+/* * * * * * * * * * * * * * * * * * * * *
+ * grsecurity ACL System
+ * Main header file
+ * Purpose: define most gracl data structures 
+ * * * * * * * * * * * * * * * * * * * * */
+
+/* Major status information */
+
+#define GR_VERSION  "grsecurity 2.0"
+
+enum {
+
+       SHUTDOWN = 0,
+       ENABLE = 1,
+       SPROLE = 2,
+       RELOAD = 3,
+       SEGVMOD = 4,
+       STATUS = 5,
+       UNSPROLE = 6
+};
+
+/* Password setup definitions
+ * kernel/grhash.c */
+enum {
+       GR_PW_LEN = 128,
+       GR_SALT_LEN = 16,
+       GR_SHA_LEN = 32,
+};
+
+enum {
+       GR_SPROLE_LEN = 64,
+};
+
+/* Begin Data Structures */
+
+struct sprole_pw {
+       unsigned char *rolename;
+       unsigned char salt[GR_SALT_LEN];
+       unsigned char sum[GR_SHA_LEN];  /* 256-bit SHA hash of the password */
+};
+
+struct name_entry {
+       ino_t inode;
+       kdev_t device;
+       char *name;
+       __u16 len;
+};
+
+struct acl_role_db {
+       struct acl_role_label **r_hash;
+       __u32 r_size;
+};
+
+struct name_db {
+       struct name_entry **n_hash;
+       __u32 n_size;
+};
+
+struct crash_uid {
+       uid_t uid;
+       unsigned long expires;
+};
+
+/* Userspace Grsecurity ACL data structures */
+struct acl_subject_label {
+       char *filename;
+       ino_t inode;
+       kdev_t device;
+       __u32 mode;
+       __u32 cap_raise;
+       __u32 cap_lower;
+
+       struct rlimit res[RLIM_NLIMITS + 1];
+       __u16 resmask;
+
+       __u32 ip_proto[8];
+       __u32 ip_type;
+       struct acl_ip_label **ips;
+       __u32 ip_num;
+
+       __u32 crashes;
+       unsigned long expires;
+
+       struct acl_subject_label *parent_subject;
+       struct acl_object_label *proc_object;
+       struct acl_ip_label *ip_object;
+       struct acl_subject_label *prev;
+       struct acl_subject_label *next;
+
+       struct acl_object_label **obj_hash;
+       __u32 obj_hash_size;
+};
+
+struct role_allowed_ip {
+       __u32 addr;
+       __u32 netmask;
+
+       struct role_allowed_ip *prev;
+       struct role_allowed_ip *next;
+};
+
+struct role_transition {
+       char *rolename;
+
+       struct role_transition *prev;
+       struct role_transition *next;
+};
+
+struct acl_role_label {
+       char *rolename;
+       uid_t uidgid;
+       __u16 roletype;
+
+       __u16 auth_attempts;
+       unsigned long expires;
+
+       struct acl_subject_label *root_label;
+       struct acl_subject_label *proc_subject;
+
+       struct acl_role_label *prev;
+       struct acl_role_label *next;
+
+       struct role_transition *transitions;
+       struct role_allowed_ip *allowed_ips;
+       struct acl_subject_label **subj_hash;
+       __u32 subj_hash_size;
+};
+
+struct user_acl_role_db {
+       struct acl_role_label **r_table;
+       __u32 r_entries;        /* number of entries in table */
+       __u32 s_entries;        /* total number of subject acls */
+       __u32 i_entries;        /* total number of ip acls */
+       __u32 o_entries;        /* Total number of object acls */
+       __u32 a_entries;        /* total number of allowed ips */
+       __u32 t_entries;        /* total number of transitions */
+};
+
+struct acl_object_label {
+       char *filename;
+       ino_t inode;
+       kdev_t device;
+       __u32 mode;
+
+       struct acl_subject_label *nested;
+
+       /* next two structures not used */
+
+       struct acl_object_label *prev;
+       struct acl_object_label *next;
+};
+
+struct acl_ip_label {
+       __u32 addr;
+       __u32 netmask;
+       __u16 low, high;
+       __u8 mode;
+       __u32 type;
+       __u32 proto[8];
+
+       /* next two structures not used */
+
+       struct acl_ip_label *prev;
+       struct acl_ip_label *next;
+};
+
+struct gr_arg {
+       struct user_acl_role_db role_db;
+       unsigned char pw[GR_PW_LEN];
+       unsigned char salt[GR_SALT_LEN];
+       unsigned char sum[GR_SHA_LEN];
+       unsigned char sp_role[GR_SPROLE_LEN];
+       struct sprole_pw *sprole_pws;
+       __u16 num_sprole_pws;
+       kdev_t segv_device;
+       ino_t segv_inode;
+       uid_t segv_uid;
+       __u16 mode;
+};
+
+/* End Data Structures Section */
+
+/* Hash functions generated by empirical testing by Brad Spengler
+   Makes good use of the low bits of the inode.  Generally 0-1 times
+   in loop for successful match.  0-3 for unsuccessful match.
+   Shift/add algorithm with modulus of table size and an XOR*/
+
+static __inline__ unsigned long
+rhash(const uid_t uid, const __u16 type, const unsigned long sz)
+{
+       return (((uid << type) + (uid ^ type)) % sz);
+}
+
+static __inline__ unsigned long
+fhash(const ino_t ino, const kdev_t dev, const unsigned long sz)
+{
+       return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
+}
+
+static __inline__ unsigned long
+nhash(const char *name, const __u16 len, const unsigned long sz)
+{
+       return full_name_hash(name, len) % sz;
+}
diff -urN linux-2.4.22/include/linux/gralloc.h linux-2.4.22/include/linux/gralloc.h
--- linux-2.4.22/include/linux/gralloc.h        1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/gralloc.h        2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,8 @@
+#ifndef __GRALLOC_H
+#define __GRALLOC_H
+
+void acl_free_all(void);
+int acl_alloc_stack_init(unsigned long size);
+void *acl_alloc(unsigned long len);
+
+#endif
diff -urN linux-2.4.22/include/linux/grdefs.h linux-2.4.22/include/linux/grdefs.h
--- linux-2.4.22/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/grdefs.h 2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,104 @@
+#ifndef GRDEFS_H
+#define GRDEFS_H
+
+/* Begin grsecurity status declarations */
+
+enum {
+       GR_READY = 0x01,
+       GR_STATUS_INIT = 0x00   // disabled state
+};
+
+/* Begin  ACL declarations */
+
+/* Role flags */
+
+enum {
+       GR_ROLE_USER = 0x0001,
+       GR_ROLE_GROUP = 0x0002,
+       GR_ROLE_DEFAULT = 0x0004,
+       GR_ROLE_SPECIAL = 0x0008,
+       GR_ROLE_AUTH = 0x0010,
+       GR_ROLE_NOPW = 0x0020,
+       GR_ROLE_GOD = 0x0040,
+       GR_ROLE_LEARN = 0x0080,
+       GR_ROLE_TPE = 0x0100
+};
+
+/* ACL Subject and Object mode flags */
+enum {
+       GR_DELETED = 0x00000080
+};
+
+/* ACL Object-only mode flags */
+enum {
+       GR_READ = 0x00000001,
+       GR_APPEND = 0x00000002,
+       GR_WRITE = 0x00000004,
+       GR_EXEC = 0x00000008,
+       GR_FIND = 0x00000010,
+       GR_INHERIT = 0x00000040,
+       GR_PTRACERD = 0x00000100,
+       GR_SETID = 0x00000200,
+       GR_CREATE = 0x00000400,
+       GR_DELETE = 0x00000800,
+       GR_AUDIT_READ = 0x00001000,
+       GR_AUDIT_APPEND = 0x00002000,
+       GR_AUDIT_WRITE = 0x0004000,
+       GR_AUDIT_EXEC = 0x00008000,
+       GR_AUDIT_FIND = 0x00010000,
+       GR_AUDIT_INHERIT = 0x00020000,
+       GR_AUDIT_SETID = 0x00400000,
+       GR_AUDIT_CREATE = 0x00800000,
+       GR_AUDIT_DELETE = 0x01000000,
+       GR_SUPPRESS = 0x02000000,
+       GR_NOLEARN = 0x04000000
+};
+
+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
+                  GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
+                  GR_AUDIT_CREATE | GR_AUDIT_DELETE)
+
+/* ACL subject-only mode flags */
+enum {
+       GR_KILL = 0x00000001,
+       GR_VIEW = 0x00000002,
+       GR_PROTECTED = 0x00000100,
+       GR_LEARN = 0x00000200,
+       GR_OVERRIDE = 0x00000400,
+       /* just a placeholder, this mode is only used in userspace */
+       GR_DUMMY = 0x00000800,
+
+       GR_PAXPAGE = 0x00001000,
+       GR_PAXSEGM = 0x00002000,
+       GR_PAXGCC = 0x00004000,
+       GR_PAXRANDMMAP = 0x00008000,
+       GR_PAXRANDEXEC = 0x00010000,
+       GR_PAXMPROTECT = 0x00020000,
+       GR_PROTSHM = 0x00040000,
+       GR_KILLPROC = 0x00080000,
+       GR_KILLIPPROC = 0x00100000,
+       /* just a placeholder, this mode is only used in userspace */
+       GR_NOTROJAN = 0x00200000,
+       GR_PROTPROCFD = 0x00400000,
+       GR_PROCACCT = 0x00800000
+};
+
+#define GR_CRASH_RES   11
+#define GR_UIDTABLE_MAX 500
+
+/* begin resource learning section */
+enum {
+       GR_RLIM_CPU_BUMP = 60,
+       GR_RLIM_FSIZE_BUMP = 50000,
+       GR_RLIM_DATA_BUMP = 10000,
+       GR_RLIM_STACK_BUMP = 1000,
+       GR_RLIM_CORE_BUMP = 10000,
+       GR_RLIM_RSS_BUMP = 500000,
+       GR_RLIM_NPROC_BUMP = 1,
+       GR_RLIM_NOFILE_BUMP = 5,
+       GR_RLIM_MEMLOCK_BUMP = 50000,
+       GR_RLIM_AS_BUMP = 500000,
+       GR_RLIM_LOCKS_BUMP = 2
+};
+
+#endif
diff -urN linux-2.4.22/include/linux/grinternal.h linux-2.4.22/include/linux/grinternal.h
--- linux-2.4.22/include/linux/grinternal.h     1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/grinternal.h     2003-09-02 19:47:41.000000000 -0400
@@ -0,0 +1,193 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
+#ifdef CONFIG_GRKERNSEC
+
+#include <linux/grdefs.h>
+#include <linux/grmsg.h>
+
+extern void gr_add_learn_entry(const char *fmt, ...);
+extern __u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
+                           const struct vfsmount *mnt);
+extern __u32 gr_check_create(const struct dentry *new_dentry,
+                            const struct dentry *parent,
+                            const struct vfsmount *mnt, const __u32 mode);
+extern int gr_check_protected_task(const struct task_struct *task);
+extern __inline__ __u32 to_gr_audit(const __u32 reqmode);
+extern int gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
+                           struct dentry *old_dentry,
+                           struct dentry *new_dentry,
+                           struct vfsmount *mnt, const __u8 replace);
+extern int gr_set_acls(const int type);
+
+extern void gr_handle_alertkill(void);
+extern char *gr_to_filename(const struct dentry *dentry,
+                           const struct vfsmount *mnt);
+extern char *gr_to_filename1(const struct dentry *dentry,
+                           const struct vfsmount *mnt);
+extern char *gr_to_filename2(const struct dentry *dentry,
+                           const struct vfsmount *mnt);
+extern char *gr_to_filename3(const struct dentry *dentry,
+                           const struct vfsmount *mnt);
+
+extern int grsec_enable_link;
+extern int grsec_enable_fifo;
+extern int grsec_enable_execve;
+extern int grsec_enable_forkbomb;
+extern int grsec_forkbomb_gid;
+extern int grsec_forkbomb_sec;
+extern int grsec_forkbomb_max;
+extern int grsec_enable_execlog;
+extern int grsec_enable_signal;
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_chroot_shmat;
+extern int grsec_enable_chroot_findtask;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
+extern int grsec_enable_chroot_pivot;
+extern int grsec_enable_chroot_chdir;
+extern int grsec_enable_chroot_chmod;
+extern int grsec_enable_chroot_mknod;
+extern int grsec_enable_chroot_fchdir;
+extern int grsec_enable_chroot_nice;
+extern int grsec_enable_chroot_execlog;
+extern int grsec_enable_chroot_caps;
+extern int grsec_enable_chroot_sysctl;
+extern int grsec_enable_chroot_unix;
+extern int grsec_enable_tpe;
+extern int grsec_tpe_gid;
+extern int grsec_enable_tpe_all;
+extern int grsec_enable_sidcaps;
+extern int grsec_enable_randpid;
+extern int grsec_enable_socket_all;
+extern int grsec_socket_all_gid;
+extern int grsec_enable_socket_client;
+extern int grsec_socket_client_gid;
+extern int grsec_enable_socket_server;
+extern int grsec_socket_server_gid;
+extern int grsec_audit_gid;
+extern int grsec_enable_group;
+extern int grsec_enable_audit_ipc;
+extern int grsec_enable_mount;
+extern int grsec_enable_chdir;
+extern int grsec_lock;
+
+extern struct task_struct *child_reaper;
+
+extern spinlock_t grsec_alert_lock;
+extern unsigned long grsec_alert_wtime;
+extern unsigned long grsec_alert_fyet;
+
+extern spinlock_t grsec_alertgood_lock;
+extern unsigned long grsec_alertgood_wtime;
+extern unsigned long grsec_alertgood_fyet;
+
+extern spinlock_t grsec_audit_lock;
+
+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
+                       gr_to_filename2(tsk->exec_file->f_dentry, \
+                       tsk->exec_file->f_vfsmnt) : "/")
+
+#define gr_parent_task_fullpath(tsk) (tsk->p_pptr->exec_file ? \
+                       gr_to_filename3(tsk->p_pptr->exec_file->f_dentry, \
+                       tsk->p_pptr->exec_file->f_vfsmnt) : "/")
+
+#define proc_is_chrooted(tsk_a)  ((tsk_a->pid > 1) && \
+                         ((tsk_a->fs->root->d_inode->i_dev != \
+                         child_reaper->fs->root->d_inode->i_dev) || \
+                         (tsk_a->fs->root->d_inode->i_ino != \
+                         child_reaper->fs->root->d_inode->i_ino)))
+
+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \
+                         tsk_b->fs->root->d_inode->i_dev) && \
+                         (tsk_a->fs->root->d_inode->i_ino == \
+                         tsk_b->fs->root->d_inode->i_ino))
+
+#define DEFAULTSECARGS gr_task_fullpath(current), current->comm, \
+                      current->pid, current->uid, \
+                      current->euid, current->gid, current->egid, \
+                      gr_parent_task_fullpath(current), \
+                      current->p_pptr->comm, current->p_pptr->pid, \
+                      current->p_pptr->uid, current->p_pptr->euid, \
+                      current->p_pptr->gid, current->p_pptr->egid
+
+#define GR_CHROOT_CAPS ( \
+       CAP_TO_MASK(CAP_FOWNER) | \
+       CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
+       CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
+       CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
+       CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
+       CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
+       CAP_TO_MASK(CAP_IPC_OWNER))
+
+#define security_alert_good(normal_msg,args...) \
+({ \
+       spin_lock(&grsec_alertgood_lock); \
+       \
+       if (!grsec_alertgood_wtime || jiffies - grsec_alertgood_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \
+           grsec_alertgood_wtime = jiffies; grsec_alertgood_fyet = 0; \
+           if (current->curr_ip) \
+               printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+           else \
+               printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+       } else if((jiffies - grsec_alertgood_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alertgood_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
+           grsec_alertgood_fyet++; \
+           if (current->curr_ip) \
+               printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+           else \
+               printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+       } else if (grsec_alertgood_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
+           grsec_alertgood_wtime = jiffies; grsec_alertgood_fyet++; \
+           printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
+                   "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
+       } \
+       \
+       spin_unlock(&grsec_alertgood_lock); \
+})
+
+#define security_alert(normal_msg,args...) \
+({ \
+       spin_lock(&grsec_alert_lock); \
+       \
+       if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \
+           grsec_alert_wtime = jiffies; grsec_alert_fyet = 0; \
+           if (current->curr_ip) \
+               printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+           else \
+               printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+       } else if((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) { \
+           grsec_alert_fyet++; \
+           if (current->curr_ip) \
+               printk(KERN_ALERT "grsec: From %u.%u.%u.%u: " normal_msg "\n", NIPQUAD(current->curr_ip) , ## args); \
+           else \
+               printk(KERN_ALERT "grsec: " normal_msg "\n" , ## args); \
+       } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) { \
+           grsec_alert_wtime = jiffies; grsec_alert_fyet++; \
+           printk(KERN_ALERT "grsec: more alerts, logging disabled for " \
+                   "%d seconds\n", CONFIG_GRKERNSEC_FLOODTIME); \
+       } \
+       \
+       gr_handle_alertkill(); \
+       spin_unlock(&grsec_alert_lock); \
+})
+
+#define security_audit(normal_msg,args...) \
+({ \
+       spin_lock(&grsec_audit_lock); \
+       if (current->curr_ip) \
+               printk(KERN_INFO "grsec: From %u.%u.%u.%u: " normal_msg "\n", \
+                      NIPQUAD(current->curr_ip) , ## args); \
+       else \
+               printk(KERN_INFO "grsec: " normal_msg "\n", ## args); \
+       spin_unlock(&grsec_audit_lock); \
+})
+
+#define security_learn(normal_msg,args...) \
+({ \
+       gr_add_learn_entry(normal_msg "\n", ## args); \
+})
+
+#endif
+
+#endif
diff -urN linux-2.4.22/include/linux/grmsg.h linux-2.4.22/include/linux/grmsg.h
--- linux-2.4.22/include/linux/grmsg.h  1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/grmsg.h  2003-09-02 19:47:26.000000000 -0400
@@ -0,0 +1,104 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d, parent %.256s[%.16s:%d] uid/euid:%d/%d gid/egid:%d/%d"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%d/%d gid/egid:%d/%d"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " DEFAULTSECMSG
+#define GR_IOPERM_MSG "denied use of ioperm() by " DEFAULTSECMSG
+#define GR_IOPL_MSG "denied use of iopl() by " DEFAULTSECMSG
+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by " DEFAULTSECMSG
+#define GR_UNIX_CHROOT_MSG "denied connect to abstract AF_UNIX socket outside of chroot by " DEFAULTSECMSG
+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by " DEFAULTSECMSG
+#define GR_KMEM_MSG "attempted write to /dev/kmem by " DEFAULTSECMSG
+#define GR_PORT_OPEN_MSG "attempted open of /dev/port by " DEFAULTSECMSG
+#define GR_MEM_WRITE_MSG "attempted write of /dev/mem by " DEFAULTSECMSG
+#define GR_MEM_MMAP_MSG "attempted mmap write of /dev/[k]mem by " DEFAULTSECMSG
+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by " DEFAULTSECMSG
+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by " DEFAULTSECMSG
+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by " DEFAULTSECMSG
+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by " DEFAULTSECMSG
+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by " DEFAULTSECMSG
+#define GR_MKNOD_CHROOT_MSG "refused attempt to mknod %.950s from chroot by " DEFAULTSECMSG
+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by " DEFAULTSECMSG
+#define GR_UNIXCONNECT_ACL_MSG "%s connect to the unix domain socket %.950s by " DEFAULTSECMSG
+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by " DEFAULTSECMSG
+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by " DEFAULTSECMSG
+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by " DEFAULTSECMSG
+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by " DEFAULTSECMSG
+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for " DEFAULTSECMSG
+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by " DEFAULTSECMSG
+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by " DEFAULTSECMSG
+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by " DEFAULTSECMSG
+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by " DEFAULTSECMSG
+#define GR_NPROC_MSG "attempt to overstep process limit by " DEFAULTSECMSG
+#define GR_EXEC_ACL_MSG "%s execution of %.950s by " DEFAULTSECMSG
+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by " DEFAULTSECMSG
+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning uid %u from login for %lu seconds"
+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " Banning execution of [%.16s:%lu] for %lu seconds"
+#define GR_MOUNT_CHROOT_MSG "denied attempt to mount %.30s as %.930s from chroot by " DEFAULTSECMSG
+#define GR_PIVOT_CHROOT_MSG "denied attempt to pivot_root from chroot by " DEFAULTSECMSG
+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by " DEFAULTSECMSG
+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by " DEFAULTSECMSG
+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by " DEFAULTSECMSG
+#define GR_CHROOT_CHROOT_MSG "denied attempt to double chroot to %.950s by " DEFAULTSECMSG
+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by " DEFAULTSECMSG
+#define GR_CHMOD_CHROOT_MSG "denied attempt to chmod +s %.950s by " DEFAULTSECMSG
+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by " DEFAULTSECMSG
+#define GR_CHROOT_FCHDIR_MSG "attempted fchdir outside of chroot to %.950s by " DEFAULTSECMSG
+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by " DEFAULTSECMSG
+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by " DEFAULTSECMSG
+#define GR_INITF_ACL_MSG "init_variables() failed %s"
+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
+#define GR_DEV_ACL_MSG "/dev/grsec: being fed garbage %d bytes sent %d required"
+#define GR_SHUTS_ACL_MSG "shutdown auth success for " DEFAULTSECMSG
+#define GR_SHUTF_ACL_MSG "shutdown auth failure for " DEFAULTSECMSG
+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for " DEFAULTSECMSG
+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for " DEFAULTSECMSG
+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for " DEFAULTSECMSG
+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for " DEFAULTSECMSG
+#define GR_ENABLE_ACL_MSG "Loaded %s"
+#define GR_ENABLEF_ACL_MSG "Unable to load %s for " DEFAULTSECMSG " RBAC system may already be enabled."
+#define GR_RELOADI_ACL_MSG "Ignoring reload request for disabled RBAC system"
+#define GR_RELOAD_ACL_MSG "Reloaded %s"
+#define GR_RELOADF_ACL_MSG "Failed reload of %s for " DEFAULTSECMSG
+#define GR_SPROLEI_ACL_MSG "Ignoring change to special role for disabled RBAC system for " DEFAULTSECMSG
+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by " DEFAULTSECMSG
+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by " DEFAULTSECMSG
+#define GR_SPROLEF_ACL_MSG "special role %s failure for " DEFAULTSECMSG
+#define GR_UNSPROLEI_ACL_MSG "Ignoring unauth of special role for disabled RBAC system for " DEFAULTSECMSG
+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by " DEFAULTSECMSG
+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for " DEFAULTSECMSG
+#define GR_INVMODE_ACL_MSG "Invalid mode %d by " DEFAULTSECMSG
+#define GR_MAXPW_ACL_MSG "Maximum pw attempts reached (%d), locking password authentication"
+#define GR_MAXROLEPW_ACL_MSG "Maximum pw attempts reached (%d) trying to auth to special role %s, locking auth for role of " DEFAULTSECMSG
+#define GR_PRIORITY_CHROOT_MSG "attempted priority change of process (%.16s:%d) by " DEFAULTSECMSG
+#define GR_CAPSET_CHROOT_MSG "denied capset of (%.16s:%d) within chroot by " DEFAULTSECMSG
+#define GR_FAILFORK_MSG "failed fork with errno %d by " DEFAULTSECMSG
+#define GR_NICE_CHROOT_MSG "attempted priority change by " DEFAULTSECMSG
+#define GR_UNISIGLOG_MSG "signal %d sent to " DEFAULTSECMSG
+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by " DEFAULTSECMSG
+#define GR_SIG_ACL_MSG "Attempted send of signal %d to protected task " DEFAULTSECMSG " by " DEFAULTSECMSG
+#define GR_SYSCTL_MSG "attempt to modify grsecurity sysctl value : %.32s by " DEFAULTSECMSG
+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by " DEFAULTSECMSG
+#define GR_TIME_MSG "time set by " DEFAULTSECMSG
+#define GR_DEFACL_MSG "Fatal: Unable to find ACL for (%.16s:%d)"
+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by " DEFAULTSECMSG
+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by " DEFAULTSECMSG
+#define GR_SOCK_MSG "attempted socket(%.16s,%.16s,%.16s) by " DEFAULTSECMSG
+#define GR_BIND_MSG "attempted bind() by " DEFAULTSECMSG
+#define GR_CONNECT_MSG "attempted connect by " DEFAULTSECMSG
+#define GR_BIND_ACL_MSG "attempted bind to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG
+#define GR_CONNECT_ACL_MSG "attempted connect to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by " DEFAULTSECMSG
+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " DEFAULTSECMSG
+#define GR_CAP_ACL_MSG "use of %s denied for " DEFAULTSECMSG
+#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by " DEFAULTSECMSG
+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by " DEFAULTSECMSG
+#define GR_MOUNT_AUDIT_MSG "mount %.30s to %.64s by " DEFAULTSECMSG
+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by " DEFAULTSECMSG
+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.63s) by " DEFAULTSECMSG
+#define GR_MSGQ_AUDIT_MSG "message queue created by " DEFAULTSECMSG
+#define GR_MSGQR_AUDIT_MSG "message queue of uid:%d euid:%d removed by " DEFAULTSECMSG
+#define GR_SEM_AUDIT_MSG "semaphore created by " DEFAULTSECMSG
+#define GR_SEMR_AUDIT_MSG "semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG
+#define GR_SHM_AUDIT_MSG "shared memory of size %d created by " DEFAULTSECMSG
+#define GR_SHMR_AUDIT_MSG "shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG
+#define GR_RESOURCE_MSG "attempted resource overstep by requesting %lu for %.16s against limit %lu by " DEFAULTSECMSG
diff -urN linux-2.4.22/include/linux/grsecurity.h linux-2.4.22/include/linux/grsecurity.h
--- linux-2.4.22/include/linux/grsecurity.h     1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/include/linux/grsecurity.h     2003-09-02 19:33:29.000000000 -0400
@@ -0,0 +1,173 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+
+extern int gr_pid_is_chrooted(const struct task_struct *p);
+extern int gr_handle_chroot_nice(void);
+extern int gr_handle_chroot_sysctl(const int op);
+extern int gr_handle_chroot_capset(const struct task_struct *target);
+extern int gr_handle_chroot_setpriority(const struct task_struct *p,
+                                       const int niceval);
+extern int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
+extern int gr_handle_chroot_chroot(const struct dentry *dentry,
+                                  const struct vfsmount *mnt);
+extern void gr_handle_chroot_caps(struct task_struct *task);
+extern void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
+extern int gr_handle_chroot_chmod(const struct dentry *dentry,
+                                 const struct vfsmount *mnt, const int mode);
+extern int gr_handle_chroot_mknod(const struct dentry *dentry,
+                                 const struct vfsmount *mnt, const int mode);
+extern int gr_handle_chroot_mount(const struct dentry *dentry,
+                                 const struct vfsmount *mnt,
+                                 const char *dev_name);
+extern int gr_handle_chroot_pivot(void);
+extern int gr_handle_chroot_unix(const pid_t pid);
+
+extern int gr_handle_rawio(const struct inode *inode);
+extern int gr_handle_nproc(void);
+
+extern void gr_handle_ioperm(void);
+extern void gr_handle_iopl(void);
+
+extern int gr_tpe_allow(const struct file *file);
+
+extern int gr_random_pid(spinlock_t * pid_lock);
+
+extern void gr_log_forkfail(const int retval);
+extern void gr_log_timechange(void);
+extern void gr_log_signal(const int sig, const struct task_struct *t);
+extern void gr_log_chdir(const struct dentry *dentry,
+                        const struct vfsmount *mnt);
+extern void gr_log_chroot_exec(const struct dentry *dentry,
+                              const struct vfsmount *mnt);
+extern void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
+extern void gr_log_remount(const char *devname, const int retval);
+extern void gr_log_unmount(const char *devname, const int retval);
+extern void gr_log_mount(const char *from, const char *to, const int retval);
+extern void gr_log_msgget(const int ret, const int msgflg);
+extern void gr_log_msgrm(const uid_t uid, const uid_t cuid);
+extern void gr_log_semget(const int err, const int semflg);
+extern void gr_log_semrm(const uid_t uid, const uid_t cuid);
+extern void gr_log_shmget(const int err, const int shmflg, const size_t size);
+extern void gr_log_shmrm(const uid_t uid, const uid_t cuid);
+
+extern int gr_handle_follow_link(const struct inode *parent,
+                                const struct inode *inode,
+                                const struct dentry *dentry,
+                                const struct vfsmount *mnt);
+extern int gr_handle_fifo(const struct dentry *dentry,
+                         const struct vfsmount *mnt,
+                         const struct dentry *dir, const int flag,
+                         const int acc_mode);
+extern int gr_handle_hardlink(const struct dentry *dentry,
+                             const struct vfsmount *mnt,
+                             struct inode *inode,
+                             const int mode, const char *to);
+
+extern int gr_is_capable(const int cap);
+extern void gr_learn_resource(const struct task_struct *task, const int limit,
+                             const unsigned long wanted);
+extern void gr_copy_label(struct task_struct *tsk);
+extern void gr_handle_crash(struct task_struct *task, const int sig);
+extern int gr_handle_signal(const struct task_struct *p, const int sig);
+extern int gr_check_crash_uid(const uid_t uid);
+extern int gr_check_protected_task(const struct task_struct *task);
+extern int gr_acl_handle_mmap(const struct file *file,
+                             const unsigned long prot);
+extern int gr_acl_handle_mprotect(const struct file *file,
+                                 const unsigned long prot);
+extern int gr_check_hidden_task(const struct task_struct *tsk);
+extern __u32 gr_acl_handle_truncate(const struct dentry *dentry,
+                                   const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_utime(const struct dentry *dentry,
+                                const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_access(const struct dentry *dentry,
+                                 const struct vfsmount *mnt, const int fmode);
+extern __u32 gr_acl_handle_fchmod(const struct dentry *dentry,
+                                 const struct vfsmount *mnt, mode_t mode);
+extern __u32 gr_acl_handle_chmod(const struct dentry *dentry,
+                                const struct vfsmount *mnt, mode_t mode);
+extern __u32 gr_acl_handle_chown(const struct dentry *dentry,
+                                const struct vfsmount *mnt);
+extern int gr_handle_ptrace_exec(const struct dentry *dentry,
+                                const struct vfsmount *mnt);
+extern int gr_handle_ptrace(struct task_struct *task, const long request);
+extern int gr_handle_mmap(const struct file *filp, const unsigned long prot);
+extern __u32 gr_acl_handle_execve(const struct dentry *dentry,
+                                 const struct vfsmount *mnt);
+extern int gr_check_crash_exec(const struct file *filp);
+extern int gr_acl_is_enabled(void);
+extern void gr_set_kernel_label(struct task_struct *task);
+extern void gr_set_role_label(struct task_struct *task, const uid_t uid,
+                             const gid_t gid);
+extern void gr_set_proc_label(const struct dentry *dentry,
+                             const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
+                                      const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_open(const struct dentry *dentry,
+                               const struct vfsmount *mnt, const int fmode);
+extern __u32 gr_acl_handle_creat(const struct dentry *dentry,
+                                const struct dentry *p_dentry,
+                                const struct vfsmount *p_mnt, const int fmode,
+                                const int imode);
+extern void gr_handle_create(const struct dentry *dentry,
+                            const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
+                                const struct dentry *parent_dentry,
+                                const struct vfsmount *parent_mnt,
+                                const int mode);
+extern __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
+                                const struct dentry *parent_dentry,
+                                const struct vfsmount *parent_mnt);
+extern __u32 gr_acl_handle_rmdir(const struct dentry *dentry,
+                                const struct vfsmount *mnt);
+extern void gr_handle_delete(const ino_t ino, const kdev_t dev);
+extern __u32 gr_acl_handle_unlink(const struct dentry *dentry,
+                                 const struct vfsmount *mnt);
+extern __u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
+                                  const struct dentry *parent_dentry,
+                                  const struct vfsmount *parent_mnt,
+                                  const char *from);
+extern __u32 gr_acl_handle_link(const struct dentry *new_dentry,
+                               const struct dentry *parent_dentry,
+                               const struct vfsmount *parent_mnt,
+                               const struct dentry *old_dentry,
+                               const struct vfsmount *old_mnt, const char *to);
+extern int gr_acl_handle_rename(struct dentry *new_dentry,
+                               struct dentry *parent_dentry,
+                               const struct vfsmount *parent_mnt,
+                               struct dentry *old_dentry,
+                               struct inode *old_parent_inode,
+                               struct vfsmount *old_mnt, const char *newname);
+extern __u32 gr_check_link(const struct dentry *new_dentry,
+                          const struct dentry *parent_dentry,
+                          const struct vfsmount *parent_mnt,
+                          const struct dentry *old_dentry,
+                          const struct vfsmount *old_mnt);
+extern __u32 gr_acl_handle_filldir(const struct dentry *dentry,
+                                  const struct vfsmount *mnt, const ino_t ino);
+extern __u32 gr_acl_handle_unix(const struct dentry *dentry,
+                               const struct vfsmount *mnt);
+extern void gr_acl_handle_exit(void);
+extern void gr_acl_handle_psacct(struct task_struct *task, const long code);
+extern int gr_acl_handle_procpidmem(const struct task_struct *task);
+extern __u32 gr_cap_rtnetlink(void);
+
+#ifdef CONFIG_GRKERNSEC
+extern void gr_handle_mem_write(void);
+extern void gr_handle_kmem_write(void);
+extern void gr_handle_open_port(void);
+extern int gr_handle_mem_mmap(const unsigned long offset,
+                             struct vm_area_struct *vma);
+
+extern __u16 ip_randomid(void);
+extern __u32 ip_randomisn(void);
+extern unsigned long get_random_long(void);
+
+extern int grsec_enable_dmesg;
+extern int grsec_enable_randid;
+extern int grsec_enable_randisn;
+extern int grsec_enable_randsrc;
+extern int grsec_enable_randrpc;
+#endif
+
+#endif
diff -urN linux-2.4.22/include/linux/mm.h linux-2.4.22/include/linux/mm.h
--- linux-2.4.22/include/linux/mm.h     2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/include/linux/mm.h     2003-09-02 19:33:29.000000000 -0400
@@ -22,9 +22,13 @@
 extern struct list_head active_list;
 extern struct list_head inactive_list;
 
+extern void gr_learn_resource(const struct task_struct * task, const int limit,
+                             const unsigned long wanted);
+
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <asm/atomic.h>
+#include <asm/mman.h>
 
 /*
  * Linux kernel virtual memory manager primitives.
@@ -649,6 +719,11 @@
        address &= PAGE_MASK;
        spin_lock(&vma->vm_mm->page_table_lock);
        grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+       gr_learn_resource(current, RLIMIT_STACK, vma->vm_end - address);
+       gr_learn_resource(current, RLIMIT_AS, (vma->vm_mm->total_vm + grow) << PAGE_SHIFT);
+       gr_learn_resource(current, RLIMIT_MEMLOCK, (vma->vm_mm->locked_vm + grow) << PAGE_SHIFT);
+
        if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
            ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) > current->rlim[RLIMIT_AS].rlim_cur) {
                spin_unlock(&vma->vm_mm->page_table_lock);
diff -urN linux-2.4.22/include/linux/proc_fs.h linux-2.4.22/include/linux/proc_fs.h
--- linux-2.4.22/include/linux/proc_fs.h        2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/include/linux/proc_fs.h        2003-09-02 19:33:36.000000000 -0400
@@ -143,6 +143,9 @@
 extern struct proc_dir_entry *proc_mknod(const char *,mode_t,
                struct proc_dir_entry *,kdev_t);
 extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *);
+#ifdef CONFIG_GRKERNSEC_PROC
+extern struct proc_dir_entry *proc_priv_mkdir(const char *, struct proc_dir_entry *);
+#endif
 
 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
        mode_t mode, struct proc_dir_entry *base, 
diff -urN linux-2.4.22/include/linux/sched.h linux-2.4.22/include/linux/sched.h
--- linux-2.4.22/include/linux/sched.h  2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/include/linux/sched.h  2003-09-02 19:33:29.000000000 -0400
@@ -27,6 +27,9 @@
 #include <linux/securebits.h>
 #include <linux/fs_struct.h>
 
+extern int gr_is_capable(const int cap);
+extern int gr_pid_is_chrooted(const struct task_struct *p);
+
 struct exec_domain;
 
 /*
@@ -415,6 +432,19 @@
 
 /* journalling filesystem info */
        void *journal_info;
+
+#ifdef CONFIG_GRKERNSEC
+/* added by grsecurity's ACL system */ 
+       struct acl_subject_label *acl;
+       struct acl_role_label *role;
+       struct file *exec_file;
+       u32 curr_ip;
+       u16 acl_role_id;        
+       u8 acl_sp_role:1;       
+       u8 used_accept:1;       
+       u8 used_connect:1;      
+       u8 is_writable:1;
+#endif
 };
 
 /*
@@ -549,6 +586,8 @@
        *p->pidhash_pprev = p->pidhash_next;
 }
 
+#include <asm/current.h>
+
 static inline task_t *find_task_by_pid(int pid)
 {
        task_t *p, **htable = &pidhash[pid_hashfn(pid)];
@@ -556,6 +595,8 @@
        for(p = *htable; p && p->pid != pid; p = p->pidhash_next)
                ;
 
+       if(gr_pid_is_chrooted(p)) p = NULL;
+
        return p;
 }
 
@@ -576,8 +617,6 @@
 extern struct user_struct * alloc_uid(uid_t);
 extern void free_uid(struct user_struct *);
 
-#include <asm/current.h>
-
 extern unsigned long volatile jiffies;
 extern unsigned long itimer_ticks;
 extern unsigned long itimer_next;
@@ -741,7 +780,7 @@
 static inline int capable(int cap)
 {
 #if 1 /* ok now */
-       if (cap_raised(current->cap_effective, cap))
+       if (cap_raised(current->cap_effective, cap) && gr_is_capable(cap))
 #else
        if (cap_is_fs_cap(cap) ? current->fsuid == 0 : current->euid == 0)
 #endif
diff -urN linux-2.4.22/include/linux/sysctl.h linux-2.4.22/include/linux/sysctl.h
--- linux-2.4.22/include/linux/sysctl.h 2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/include/linux/sysctl.h 2003-09-02 19:33:31.000000000 -0400
@@ -127,6 +127,7 @@
        KERN_CORE_PATTERN=56,   /* string: pattern for core-files */
        KERN_PPC_L3CR=57,       /* l3cr register on PPC */
        KERN_EXCEPTION_TRACE=58, /* boolean: exception trace */
+       KERN_GRSECURITY=68,     /* grsecurity */
 };
 
 
diff -urN linux-2.4.22/include/net/inetpeer.h linux-2.4.22/include/net/inetpeer.h
--- linux-2.4.22/include/net/inetpeer.h 2003-09-01 22:19:06.000000000 -0400
+++ linux-2.4.22/include/net/inetpeer.h 2003-09-02 19:37:15.000000000 -0400
@@ -13,6 +13,7 @@
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/spinlock.h>
+
 #include <asm/atomic.h>
 
 struct inet_peer
@@ -34,6 +35,11 @@
 /* can be called with or without local BH being disabled */
 struct inet_peer       *inet_getpeer(__u32 daddr, int create);
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+extern int grsec_enable_randid;
+extern __u16 ip_randomid(void);
+#endif
+
 extern spinlock_t inet_peer_unused_lock;
 extern struct inet_peer *inet_peer_unused_head;
 extern struct inet_peer **inet_peer_unused_tailp;
@@ -58,7 +64,14 @@
        __u16 id;
 
        spin_lock_bh(&inet_peer_idlock);
-       id = p->ip_id_count++;
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               id = htons(ip_randomid());
+       else
+#endif
+               id = p->ip_id_count++;
+
        spin_unlock_bh(&inet_peer_idlock);
        return id;
 }
diff -urN linux-2.4.22/include/net/ip.h linux-2.4.22/include/net/ip.h
--- linux-2.4.22/include/net/ip.h       2003-09-01 22:19:03.000000000 -0400
+++ linux-2.4.22/include/net/ip.h       2003-09-02 19:37:15.000000000 -0400
@@ -64,6 +64,11 @@
        void                    (*destructor)(struct sock *);
 };
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+extern int grsec_enable_randid;
+extern __u16 ip_randomid(void);
+#endif
+
 extern struct ip_ra_chain *ip_ra_chain;
 extern rwlock_t ip_ra_lock;
 
@@ -197,7 +202,13 @@
                 * does not change, they drop every other packet in
                 * a TCP stream using header compression.
                 */
-               iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0);
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+               if(grsec_enable_randid)
+                       iph->id = htons(ip_randomid());
+               else
+#endif
+                       iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0);
        } else
                __ip_select_ident(iph, dst);
 }
diff -urN linux-2.4.22/init/main.c linux-2.4.22/init/main.c
--- linux-2.4.22/init/main.c    2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/init/main.c    2003-09-02 19:29:42.000000000 -0400
@@ -27,6 +27,7 @@
 #include <linux/iobuf.h>
 #include <linux/bootmem.h>
 #include <linux/tty.h>
+#include <linux/grsecurity.h>
 
 #include <asm/io.h>
 #include <asm/bugs.h>
@@ -111,6 +112,8 @@
 extern void ipc_init(void);
 #endif
 
+extern void grsecurity_init(void);
+
 /*
  * Boot command-line arguments
  */
@@ -552,6 +555,7 @@
        do_basic_setup();
 
        prepare_namespace();
+       grsecurity_init();
 
        /*
         * Ok, we have completed the initial bootup, and
diff -urN linux-2.4.22/ipc/msg.c linux-2.4.22/ipc/msg.c
--- linux-2.4.22/ipc/msg.c      2003-09-01 22:19:11.000000000 -0400
+++ linux-2.4.22/ipc/msg.c      2003-09-02 19:29:42.000000000 -0400
@@ -22,6 +22,7 @@
 #include <linux/init.h>
 #include <linux/proc_fs.h>
 #include <linux/list.h>
+#include <linux/grsecurity.h>
 #include <asm/uaccess.h>
 #include "util.h"
 
@@ -326,6 +327,9 @@
                msg_unlock(id);
        }
        up(&msg_ids.sem);
+
+       gr_log_msgget(ret, msgflg);
+
        return ret;
 }
 
@@ -560,6 +564,8 @@
                break;
        }
        case IPC_RMID:
+               gr_log_msgrm(ipcp->uid, ipcp->cuid);
+
                freeque (msqid); 
                break;
        }
diff -urN linux-2.4.22/ipc/sem.c linux-2.4.22/ipc/sem.c
--- linux-2.4.22/ipc/sem.c      2003-09-01 22:19:11.000000000 -0400
+++ linux-2.4.22/ipc/sem.c      2003-09-02 19:29:42.000000000 -0400
@@ -63,6 +63,7 @@
 #include <linux/init.h>
 #include <linux/proc_fs.h>
 #include <linux/time.h>
+#include <linux/grsecurity.h>
 #include <asm/uaccess.h>
 #include "util.h"
 
@@ -182,6 +183,9 @@
        }
 
        up(&sem_ids.sem);
+
+       gr_log_semget(err, semflg);
+
        return err;
 }
 
@@ -724,6 +728,8 @@
 
        switch(cmd){
        case IPC_RMID:
+               gr_log_semrm(ipcp->uid, ipcp->cuid);
+
                freeary(semid);
                err = 0;
                break;
diff -urN linux-2.4.22/ipc/shm.c linux-2.4.22/ipc/shm.c
--- linux-2.4.22/ipc/shm.c      2003-09-01 22:19:11.000000000 -0400
+++ linux-2.4.22/ipc/shm.c      2003-09-02 19:29:42.000000000 -0400
@@ -23,6 +23,7 @@
 #include <linux/mman.h>
 #include <linux/proc_fs.h>
 #include <asm/uaccess.h>
+#include <linux/grsecurity.h>
 
 #include "util.h"
 
@@ -38,8 +39,21 @@
        time_t                  shm_ctim;
        pid_t                   shm_cprid;
        pid_t                   shm_lprid;
+
+#ifdef CONFIG_GRKERNSEC
+       time_t                  shm_createtime;
+       pid_t                   shm_lapid;
+#endif
 };
 
+#ifdef CONFIG_GRKERNSEC
+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+                           const time_t shm_createtime, const uid_t cuid,
+                           const int shmid);
+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+                    const time_t shm_createtime);
+#endif
+
 #define shm_flags      shm_perm.mode
 
 static struct file_operations shm_file_operations;
@@ -209,6 +223,9 @@
        shp->shm_lprid = 0;
        shp->shm_atim = shp->shm_dtim = 0;
        shp->shm_ctim = CURRENT_TIME;
+#ifdef CONFIG_GRKERNSEC
+       shp->shm_createtime = CURRENT_TIME;
+#endif
        shp->shm_segsz = size;
        shp->shm_nattch = 0;
        shp->id = shm_buildid(id,shp->shm_perm.seq);
@@ -254,6 +271,9 @@
                shm_unlock(id);
        }
        up(&shm_ids.sem);
+
+       gr_log_shmget(err, shmflg, size);
+
        return err;
 }
 
@@ -509,6 +529,9 @@
                        err=-EPERM;
                        goto out_unlock_up;
                }
+
+               gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
+
                if (shp->shm_nattch){
                        shp->shm_flags |= SHM_DEST;
                        /* Do not find it any more */
@@ -622,9 +645,28 @@
                shm_unlock(shmid);
                return -EACCES;
        }
+
+#ifdef CONFIG_GRKERNSEC
+       if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
+                            shp->shm_perm.cuid, shmid)) {
+               shm_unlock(shmid);
+               return -EACCES;
+       }
+
+       if (!gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
+               shm_unlock(shmid);
+               return -EACCES;
+       }
+#endif
+
        file = shp->shm_file;
        size = file->f_dentry->d_inode->i_size;
        shp->shm_nattch++;
+
+#ifdef CONFIG_GRKERNSEC
+       shp->shm_lapid = current->pid;
+#endif
+
        shm_unlock(shmid);
 
        down_write(&current->mm->mmap_sem);
diff -urN linux-2.4.22/kernel/capability.c linux-2.4.22/kernel/capability.c
--- linux-2.4.22/kernel/capability.c    2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/capability.c    2003-09-02 19:29:42.000000000 -0400
@@ -7,6 +7,7 @@
 
 #include <linux/mm.h>
 #include <asm/uaccess.h>
+#include <linux/grsecurity.h>
 
 kernel_cap_t cap_bset = CAP_INIT_EFF_SET;
 
@@ -168,6 +169,10 @@
              target = current;
      }
 
+     if (gr_handle_chroot_capset(target)) {
+            error = -ESRCH;
+            goto out;
+     }
 
      /* verify restrictions on target's new Inheritable set */
      if (!cap_issubset(inheritable,
diff -urN linux-2.4.22/kernel/exit.c linux-2.4.22/kernel/exit.c
--- linux-2.4.22/kernel/exit.c  2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/exit.c  2003-09-02 19:29:42.000000000 -0400
@@ -16,6 +16,7 @@
 #ifdef CONFIG_BSD_PROCESS_ACCT
 #include <linux/acct.h>
 #endif
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
@@ -165,12 +165,21 @@
 
        write_lock_irq(&tasklist_lock);
 
+#ifdef CONFIG_GRKERNSEC
+       if (current->exec_file) {
+               fput(current->exec_file);
+               current->exec_file = NULL;
+       }
+#endif
+
        /* Reparent to init */
        REMOVE_LINKS(current);
        current->p_pptr = child_reaper;
        current->p_opptr = child_reaper;
        SET_LINKS(current);
 
+       gr_set_kernel_label(current);
+
        /* Set the exit signal to SIGCHLD so we signal init on exit */
        current->exit_signal = SIGCHLD;
 
@@ -439,6 +440,10 @@
 #ifdef CONFIG_BSD_PROCESS_ACCT
        acct_process(code);
 #endif
+
+       gr_acl_handle_psacct(tsk, code);
+       gr_acl_handle_exit();
+
        __exit_mm(tsk);
 
        lock_kernel();
diff -urN linux-2.4.22/kernel/fork.c linux-2.4.22/kernel/fork.c
--- linux-2.4.22/kernel/fork.c  2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/fork.c  2003-09-02 19:29:42.000000000 -0400
@@ -22,6 +22,7 @@
 #include <linux/namespace.h>
 #include <linux/personality.h>
 #include <linux/compiler.h>
+#include <linux/grsecurity.h>
 
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
@@ -93,6 +94,10 @@
        if (flags & CLONE_PID)
                return current->pid;
 
+       pid = gr_random_pid(&lastpid_lock);
+       if (pid)
+               return pid;
+
        spin_lock(&lastpid_lock);
        beginpid = last_pid;
        if((++last_pid) & 0xffff8000) {
@@ -667,6 +672,9 @@
         * friends to set the per-user process limit to something lower
         * than the amount of processes root is running. -- Rik
         */
+
+       gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes));
+
        if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur
                      && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
                goto bad_fork_free;
@@ -751,6 +759,7 @@
        retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
        if (retval)
                goto bad_fork_cleanup_namespace;
+       gr_copy_label(p);
        p->semundo = NULL;
        
        /* Our parent execution domain becomes current domain
@@ -836,6 +845,9 @@
        free_uid(p->user);
 bad_fork_free:
        free_task_struct(p);
+
+       gr_log_forkfail(retval);
+
        goto fork_out;
 }
 
diff -urN linux-2.4.22/kernel/ksyms.c linux-2.4.22/kernel/ksyms.c
--- linux-2.4.22/kernel/ksyms.c 2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/ksyms.c 2003-09-02 19:29:42.000000000 -0400
@@ -49,6 +49,7 @@
 #include <linux/seq_file.h>
 #include <linux/dnotify.h>
 #include <linux/crc32.h>
+#include <linux/grsecurity.h>
 #include <asm/checksum.h>
 
 #if defined(CONFIG_PROC_FS)
@@ -600,3 +601,9 @@
 /* To match ksyms with System.map */
 extern const char _end[];
 EXPORT_SYMBOL(_end);
+
+/* grsecurity */
+EXPORT_SYMBOL(gr_is_capable);
+EXPORT_SYMBOL(gr_pid_is_chrooted);
+EXPORT_SYMBOL(gr_learn_resource);
+EXPORT_SYMBOL(gr_set_kernel_label);
diff -urN linux-2.4.22/kernel/module.c linux-2.4.22/kernel/module.c
--- linux-2.4.22/kernel/module.c        2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/module.c        2003-09-02 19:29:42.000000000 -0400
@@ -900,6 +900,11 @@
        struct module *mod;
        int err;
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+       if (!capable(CAP_SYS_MODULE))
+               return -EPERM;
+#endif
+
        lock_kernel();
        if (name_user == NULL)
                mod = &kernel_module;
@@ -969,6 +974,11 @@
        int i;
        struct kernel_sym ksym;
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+       if (!capable(CAP_SYS_MODULE))
+               return 0;
+#endif
+
        lock_kernel();
        for (mod = module_list, i = 0; mod; mod = mod->next) {
                /* include the count for the module name! */
diff -urN linux-2.4.22/kernel/printk.c linux-2.4.22/kernel/printk.c
--- linux-2.4.22/kernel/printk.c        2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/printk.c        2003-09-02 19:29:42.000000000 -0400
@@ -26,6 +26,7 @@
 #include <linux/interrupt.h>                   /* For in_interrupt() */
 #include <linux/config.h>
 #include <linux/delay.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -294,6 +295,11 @@
 
 asmlinkage long sys_syslog(int type, char * buf, int len)
 {
+#ifdef CONFIG_GRKERNSEC_DMESG
+       if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg)
+               return -EPERM;
+       else
+#endif
        if ((type != 3) && !capable(CAP_SYS_ADMIN))
                return -EPERM;
        return do_syslog(type, buf, len);
diff -urN linux-2.4.22/kernel/sched.c linux-2.4.22/kernel/sched.c
--- linux-2.4.22/kernel/sched.c 2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/sched.c 2003-09-02 19:29:42.000000000 -0400
@@ -22,11 +22,13 @@
 #include <linux/nmi.h>
 #include <linux/interrupt.h>
 #include <linux/init.h>
+#include <linux/file.h>
 #include <asm/uaccess.h>
 #include <linux/smp_lock.h>
 #include <asm/mmu_context.h>
 #include <linux/kernel_stat.h>
 #include <linux/completion.h>
+#include <linux/grsecurity.h>
 
 /*
  * Convert user-nice values [ -20 ... 0 ... 19 ]
@@ -910,6 +912,9 @@
                        return -EPERM;
                if (increment < -40)
                        increment = -40;
+
+               if (gr_handle_chroot_nice())
+                       return -EPERM;
        }
        if (increment > 40)
                increment = 40;
diff -urN linux-2.4.22/kernel/signal.c linux-2.4.22/kernel/signal.c
--- linux-2.4.22/kernel/signal.c        2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/signal.c        2003-09-02 19:29:42.000000000 -0400
@@ -13,6 +13,8 @@
 #include <linux/smp_lock.h>
 #include <linux/init.h>
 #include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -554,6 +556,8 @@
        if (!sig || !t->sig)
                goto out_nolock;
 
+       gr_log_signal(sig, t);
+
        spin_lock_irqsave(&t->sigmask_lock, flags);
        handle_stop_signal(sig, t);
 
@@ -603,6 +607,8 @@
        recalc_sigpending(t);
        spin_unlock_irqrestore(&t->sigmask_lock, flags);
 
+       gr_handle_crash(t, sig);
+
        return send_sig_info(sig, info, t);
 }
 
@@ -622,9 +628,13 @@
                read_lock(&tasklist_lock);
                for_each_task(p) {
                        if (p->pgrp == pgrp && thread_group_leader(p)) {
-                               int err = send_sig_info(sig, info, p);
-                               if (retval)
-                                       retval = err;
+                               if (gr_handle_signal(p, sig))
+                                       retval = -EPERM;
+                               else {
+                                       int err = send_sig_info(sig, info, p);
+                                       if (retval)
+                                               retval = err;
+                               }
                        }
                }
                read_unlock(&tasklist_lock);
@@ -675,7 +685,10 @@
                        if (tg)
                                p = tg;
                 }
-               error = send_sig_info(sig, info, p);
+               if (gr_handle_signal(p, sig))
+                       error = -EPERM;
+               else
+                       error = send_sig_info(sig, info, p);
        }
        read_unlock(&tasklist_lock);
        return error;
@@ -700,10 +713,14 @@
                read_lock(&tasklist_lock);
                for_each_task(p) {
                        if (p->pid > 1 && p != current && thread_group_leader(p)) {
-                               int err = send_sig_info(sig, info, p);
-                               ++count;
-                               if (err != -EPERM)
-                                       retval = err;
+                               if (gr_handle_signal(p, sig))
+                                       retval = -EPERM;
+                               else {
+                                       int err = send_sig_info(sig, info, p);
+                                       ++count;
+                                       if (err != -EPERM)
+                                               retval = err;
+                               }
                        }
                }
                read_unlock(&tasklist_lock);
diff -urN linux-2.4.22/kernel/sys.c linux-2.4.22/kernel/sys.c
--- linux-2.4.22/kernel/sys.c   2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/sys.c   2003-09-02 19:29:42.000000000 -0400
@@ -4,6 +4,7 @@
  *  Copyright (C) 1991, 1992  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 #include <linux/mm.h>
 #include <linux/utsname.h>
@@ -14,6 +15,7 @@
 #include <linux/prctl.h>
 #include <linux/init.h>
 #include <linux/highuid.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -239,6 +241,12 @@
                }
                if (error == -ESRCH)
                        error = 0;
+
+               if (gr_handle_chroot_setpriority(p, niceval)) {
+                       read_unlock(&tasklist_lock);
+                       return -ESRCH;
+               }
+
                if (niceval < task_nice(p) && !capable(CAP_SYS_NICE))
                        error = -EACCES;
                else
@@ -425,6 +433,9 @@
        if (rgid != (gid_t) -1 ||
            (egid != (gid_t) -1 && egid != old_rgid))
                current->sgid = new_egid;
+
+       gr_set_role_label(current, current->uid, new_rgid);
+
        current->fsgid = new_egid;
        current->egid = new_egid;
        current->gid = new_rgid;
@@ -447,6 +458,9 @@
                        current->mm->dumpable=0;
                        wmb();
                }
+
+               gr_set_role_label(current, current->uid, gid);
+
                current->gid = current->egid = current->sgid = current->fsgid = gid;
        }
        else if ((gid == current->gid) || (gid == current->sgid))
@@ -530,6 +544,9 @@
                current->mm->dumpable = 0;
                wmb();
        }
+
+       gr_set_role_label(current, new_ruid, current->gid);
+
        current->uid = new_ruid;
        current->user = new_user;
        free_uid(old_user);
@@ -626,6 +643,9 @@
        } else if ((uid != current->uid) && (uid != new_suid))
                return -EPERM;
 
+       if (gr_check_crash_uid(uid))
+               return -EPERM;
+
        if (old_euid != uid)
        {
                current->mm->dumpable = 0;
@@ -722,8 +742,10 @@
                current->egid = egid;
        }
        current->fsgid = current->egid;
-       if (rgid != (gid_t) -1)
+       if (rgid != (gid_t) -1) {
+               gr_set_role_label(current, current->uid, rgid);
                current->gid = rgid;
+       }
        if (sgid != (gid_t) -1)
                current->sgid = sgid;
        return 0;
@@ -1146,6 +1168,10 @@
        if (new_rlim.rlim_cur > new_rlim.rlim_max)
                return -EINVAL;
        old_rlim = current->rlim + resource;
+
+       if (old_rlim->rlim_max < old_rlim->rlim_cur)
+               return -EINVAL;
+
        if (((new_rlim.rlim_cur > old_rlim->rlim_max) ||
             (new_rlim.rlim_max > old_rlim->rlim_max)) &&
            !capable(CAP_SYS_RESOURCE))
diff -urN linux-2.4.22/kernel/sysctl.c linux-2.4.22/kernel/sysctl.c
--- linux-2.4.22/kernel/sysctl.c        2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/sysctl.c        2003-09-02 19:29:42.000000000 -0400
@@ -38,6 +38,15 @@
 #endif
 
 #if defined(CONFIG_SYSCTL)
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+extern int gr_proc_handler(ctl_table * table, int write, struct file * filp,
+                          void * buffer, size_t * lenp);
+extern __u32 gr_handle_sysctl(const ctl_table * table, const void *oldval,
+                             const void *newval);
+extern int gr_handle_sysctl_mod(const char *dirname, const char *name, const int op);
+extern int gr_handle_chroot_sysctl(const int op);
 
 /* External variables not in a header file. */
 extern int panic_timeout;
@@ -123,6 +132,8 @@
 static ctl_table dev_table[];
 extern ctl_table random_table[];
 
+static ctl_table grsecurity_table[];
+
 /* /proc declarations: */
 
 #ifdef CONFIG_PROC_FS
@@ -269,8 +280,191 @@
        {KERN_EXCEPTION_TRACE,"exception-trace",
         &exception_trace,sizeof(int),0644,NULL,&proc_dointvec},
 #endif 
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+       {KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table},
+#endif
+       {0}
+};
+
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, 
+GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
+GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
+GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, 
+GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS, 
+GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDISN,
+GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
+GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_TTY, GS_TTYS,
+GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC,
+GS_FINDTASK, GS_LOCK};
+
+static ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_LINK
+       {GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int),
+        0600, NULL, &proc_dointvec}, 
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+       {GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+       {GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+       {GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+       {GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+       {GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+       {GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
+       {GS_CHROOT_SHMAT, "chroot_deny_shmat", &grsec_enable_chroot_shmat, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
+       {GS_CHROOT_UNIX, "chroot_deny_unix", &grsec_enable_chroot_unix, sizeof(int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+       {GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
+       {GS_CHROOT_FCHDIR, "chroot_deny_fchdir", &grsec_enable_chroot_fchdir, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+       {GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
+       {GS_CHROOT_PVT, "chroot_deny_pivot", &grsec_enable_chroot_pivot, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+       {GS_CHROOT_CD, "chroot_enforce_chdir", &grsec_enable_chroot_chdir, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+       {GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+       {GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+       {GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+       {GS_CHROOT_EXECLOG, "chroot_execlog",
+        &grsec_enable_chroot_execlog, sizeof (int),
+         0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+       {GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+       {GS_CHROOT_SYSCTL, "chroot_deny_sysctl", &grsec_enable_chroot_sysctl, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+       {GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int),
+        0600, NULL, &proc_dointvec},
+       {GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+       {GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+       {GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+       {GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+       {GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDISN
+       {GS_RANDISN, "rand_isns", &grsec_enable_randisn, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       {GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int),
+        0600, NULL, &proc_dointvec},
+       {GS_SOCKET_ALL_GID, "socket_all_gid",
+        &grsec_socket_all_gid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+       {GS_SOCKET_CLIENT, "socket_client", 
+        &grsec_enable_socket_client, sizeof (int),
+        0600, NULL, &proc_dointvec},
+       {GS_SOCKET_CLIENT_GID, "socket_client_gid", 
+        &grsec_socket_client_gid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       {GS_SOCKET_SERVER, "socket_server", 
+        &grsec_enable_socket_server, sizeof (int),
+        0600, NULL, &proc_dointvec},
+       {GS_SOCKET_SERVER_GID, "socket_server_gid",
+        &grsec_socket_server_gid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+       {GS_GROUP, "audit_group", &grsec_enable_group, sizeof (int),
+        0600, NULL, &proc_dointvec},
+       {GS_GID, "audit_gid",
+        &grsec_audit_gid, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+       {GS_ACHDIR, "audit_chdir", &grsec_enable_chdir, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+       {GS_AMOUNT, "audit_mount", &grsec_enable_mount, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+       {GS_AIPC, "audit_ipc", &grsec_enable_audit_ipc, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+       {GS_AIPC, "dmesg", &grsec_enable_dmesg, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+       {GS_RANDRPC, "rand_rpc", &grsec_enable_randrpc, sizeof (int),
+        0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+       {GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask, 
+        sizeof (int), 0600, NULL, &proc_dointvec},
+#endif
+       {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
+        &proc_dointvec},
        {0}
 };
+#endif
 
 static ctl_table vm_table[] = {
        {VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL,
@@ -403,6 +597,11 @@
 
 static inline int ctl_perm(ctl_table *table, int op)
 {
+       if (gr_handle_sysctl_mod(table->de->parent->name, table->de->name, op))
+               return -EACCES;
+       if (gr_handle_chroot_sysctl(op))
+               return -EACCES;
+
        return test_perm(table->mode, op);
 }
 
@@ -436,6 +635,10 @@
                                table = table->child;
                                goto repeat;
                        }
+
+                       if (!gr_handle_sysctl(table, oldval, newval))
+                               return -EACCES;
+
                        error = do_sysctl_strategy(table, name, nlen,
                                                   oldval, oldlenp,
                                                   newval, newlen, context);
diff -urN linux-2.4.22/kernel/time.c linux-2.4.22/kernel/time.c
--- linux-2.4.22/kernel/time.c  2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/time.c  2003-09-02 19:29:42.000000000 -0400
@@ -27,6 +27,7 @@
 #include <linux/mm.h>
 #include <linux/timex.h>
 #include <linux/smp_lock.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 
@@ -89,6 +90,9 @@
        time_maxerror = NTP_PHASE_LIMIT;
        time_esterror = NTP_PHASE_LIMIT;
        write_unlock_irq(&xtime_lock);
+
+       gr_log_timechange();
+
        return 0;
 }
 
@@ -167,6 +171,8 @@
                 * globally block out interrupts when it runs.
                 */
                do_settimeofday(tv);
+
+               gr_log_timechange();
        }
        return 0;
 }
diff -urN linux-2.4.22/kernel/timer.c linux-2.4.22/kernel/timer.c
--- linux-2.4.22/kernel/timer.c 2003-09-01 22:19:01.000000000 -0400
+++ linux-2.4.22/kernel/timer.c 2003-09-02 19:29:42.000000000 -0400
@@ -541,6 +541,9 @@
 
        psecs = (p->times.tms_utime += user);
        psecs += (p->times.tms_stime += system);
+
+       gr_learn_resource(p, RLIMIT_CPU, psecs / HZ);
+
        if (psecs / HZ > p->rlim[RLIMIT_CPU].rlim_cur) {
                /* Send SIGXCPU every second.. */
                if (!(psecs % HZ))
diff -urN linux-2.4.22/mm/filemap.c linux-2.4.22/mm/filemap.c
--- linux-2.4.22/mm/filemap.c   2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/filemap.c   2003-09-02 19:29:42.000000000 -0400
@@ -2541,6 +2547,7 @@
        error = -EIO;
        rlim_rss = current->rlim ?  current->rlim[RLIMIT_RSS].rlim_cur :
                                LONG_MAX; /* default: see resource.h */
+       gr_learn_resource(current, RLIMIT_RSS, vma->vm_mm->rss + (end - start));
        if ((vma->vm_mm->rss + (end - start)) > rlim_rss)
                return error;
 
@@ -3016,6 +3023,7 @@
        err = -EFBIG;
        
        if (!S_ISBLK(inode->i_mode) && limit != RLIM_INFINITY) {
+               gr_learn_resource(current, RLIMIT_FSIZE, pos);
                if (pos >= limit) {
                        send_sig(SIGXFSZ, current, 0);
                        goto out;
@@ -3051,6 +3059,7 @@
         */
         
        if (!S_ISBLK(inode->i_mode)) {
+               gr_learn_resource(current, RLIMIT_FSIZE, *count + (u32)pos);
                if (pos >= inode->i_sb->s_maxbytes)
                {
                        if (*count || pos > inode->i_sb->s_maxbytes) {
diff -urN linux-2.4.22/mm/memory.c linux-2.4.22/mm/memory.c
--- linux-2.4.22/mm/memory.c    2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/memory.c    2003-09-02 19:29:42.000000000 -0400
@@ -1065,6 +1129,7 @@
 
 do_expand:
        limit = current->rlim[RLIMIT_FSIZE].rlim_cur;
+       gr_learn_resource(current, RLIMIT_FSIZE, offset);
        if (limit != RLIM_INFINITY && offset > limit)
                goto out_sig;
        if (offset > inode->i_sb->s_maxbytes)
diff -urN linux-2.4.22/mm/mlock.c linux-2.4.22/mm/mlock.c
--- linux-2.4.22/mm/mlock.c     2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/mlock.c     2003-09-02 19:29:42.000000000 -0400
@@ -209,6 +235,7 @@
        lock_limit >>= PAGE_SHIFT;
 
        /* check against resource limits */
+       gr_learn_resource(current, RLIMIT_MEMLOCK, locked);
        if (locked > lock_limit)
                goto out;
 
@@ -276,6 +303,7 @@
        lock_limit >>= PAGE_SHIFT;
 
        ret = -ENOMEM;
+       gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm);
        if (current->mm->total_vm > lock_limit)
                goto out;
 
diff -urN linux-2.4.22/mm/mmap.c linux-2.4.22/mm/mmap.c
--- linux-2.4.22/mm/mmap.c      2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/mmap.c      2003-09-02 19:29:42.000000000 -0400
@@ -14,6 +14,8 @@
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/personality.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
@@ -168,6 +170,7 @@
 
        /* Check against rlimit.. */
        rlim = current->rlim[RLIMIT_DATA].rlim_cur;
+       gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data);
        if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
                goto out;
 
@@ -432,6 +462,7 @@
        if (vm_flags & VM_LOCKED) {
                unsigned long locked = mm->locked_vm << PAGE_SHIFT;
                locked += len;
+               gr_learn_resource(current, RLIMIT_MEMLOCK, locked);
                if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
                        return -EAGAIN;
        }
@@ -480,6 +532,9 @@
                }
        }
 
+       if (!gr_acl_handle_mmap(file, prot))
+               return -EACCES;
+
        /* Clear old maps */
 munmap_back:
        vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
@@ -490,6 +545,7 @@
        }
 
        /* Check against address space limit. */
+       gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len);
        if ((mm->total_vm << PAGE_SHIFT) + len
            > current->rlim[RLIMIT_AS].rlim_cur)
                return -ENOMEM;
@@ -1047,6 +1255,7 @@
        if (mm->def_flags & VM_LOCKED) {
                unsigned long locked = mm->locked_vm << PAGE_SHIFT;
                locked += len;
+               gr_learn_resource(current, RLIMIT_MEMLOCK, locked);
                if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
                        return -EAGAIN;
        }
@@ -1063,6 +1272,7 @@
        }
 
        /* Check against address space limits *after* clearing old maps... */
+       gr_learn_resource(current, RLIMIT_AS, (mm->total_vm << PAGE_SHIFT) + len);
        if ((mm->total_vm << PAGE_SHIFT) + len
            > current->rlim[RLIMIT_AS].rlim_cur)
                return -ENOMEM;
diff -urN linux-2.4.22/mm/mprotect.c linux-2.4.22/mm/mprotect.c
--- linux-2.4.22/mm/mprotect.c  2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/mprotect.c  2003-09-02 19:29:42.000000000 -0400
@@ -7,6 +7,7 @@
 #include <linux/smp_lock.h>
 #include <linux/shm.h>
 #include <linux/mman.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
@@ -288,6 +393,11 @@
        if (!vma || vma->vm_start > start)
                goto out;
 
+       if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
+               error = -EACCES;
+               goto out;
+       }
+
        for (nstart = start ; ; ) {
                unsigned int newflags;
                int last = 0;
diff -urN linux-2.4.22/mm/mremap.c linux-2.4.22/mm/mremap.c
--- linux-2.4.22/mm/mremap.c    2003-09-01 22:19:02.000000000 -0400
+++ linux-2.4.22/mm/mremap.c    2003-09-02 19:29:42.000000000 -0400
@@ -283,10 +305,12 @@
                unsigned long locked = current->mm->locked_vm << PAGE_SHIFT;
                locked += new_len - old_len;
                ret = -EAGAIN;
+               gr_learn_resource(current, RLIMIT_MEMLOCK, locked);
                if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
                        goto out;
        }
        ret = -ENOMEM;
+       gr_learn_resource(current, RLIMIT_AS, (current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len));
        if ((current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len)
            > current->rlim[RLIMIT_AS].rlim_cur)
                goto out;
diff -urN linux-2.4.22/net/ipv4/af_inet.c linux-2.4.22/net/ipv4/af_inet.c
--- linux-2.4.22/net/ipv4/af_inet.c     2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/af_inet.c     2003-09-02 19:29:42.000000000 -0400
@@ -83,6 +83,7 @@
 #include <linux/init.h>
 #include <linux/poll.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -374,7 +375,12 @@
        else
                sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT;
 
-       sk->protinfo.af_inet.id = 0;
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
+               sk->protinfo.af_inet.id = 0;
 
        sock_init_data(sock,sk);
 
diff -urN linux-2.4.22/net/ipv4/icmp.c linux-2.4.22/net/ipv4/icmp.c
--- linux-2.4.22/net/ipv4/icmp.c        2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/icmp.c        2003-09-02 19:29:42.000000000 -0400
@@ -87,6 +87,8 @@
 #include <linux/errno.h>
 #include <linux/timer.h>
 #include <linux/init.h>
+#include <linux/grsecurity.h>
+
 #include <asm/system.h>
 #include <asm/uaccess.h>
 #include <net/checksum.h>
@@ -715,6 +717,7 @@
 
                icmp_param.data.icmph=*skb->h.icmph;
                icmp_param.data.icmph.type=ICMP_ECHOREPLY;
+
                icmp_param.skb=skb;
                icmp_param.offset=0;
                icmp_param.data_len=skb->len;
diff -urN linux-2.4.22/net/ipv4/ip_output.c linux-2.4.22/net/ipv4/ip_output.c
--- linux-2.4.22/net/ipv4/ip_output.c   2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/ip_output.c   2003-09-02 19:29:42.000000000 -0400
@@ -77,6 +77,7 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/mroute.h>
 #include <linux/netlink.h>
+#include <linux/grsecurity.h>
 
 /*
  *      Shall we try to damage output packets if routing dev changes?
@@ -514,7 +515,13 @@
         *      Begin outputting the bytes.
         */
 
-       id = sk->protinfo.af_inet.id++;
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid) { 
+               id = htons(ip_randomid());      
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       } else
+#endif
+               id = sk->protinfo.af_inet.id++;
 
        do {
                char *data;
diff -urN linux-2.4.22/net/ipv4/netfilter/Config.in linux-2.4.22/net/ipv4/netfilter/Config.in
--- linux-2.4.22/net/ipv4/netfilter/Config.in   2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/netfilter/Config.in   2003-09-02 19:29:42.000000000 -0400
@@ -33,6 +33,7 @@
   dep_tristate '  address type match support' CONFIG_IP_NF_MATCH_ADDRTYPE $CONFIG_IP_NF_IPTABLES
   dep_tristate '  tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
   dep_tristate '  realm match support' CONFIG_IP_NF_MATCH_REALM $CONFIG_IP_NF_IPTABLES
+  dep_tristate '  stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES
   if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
     dep_tristate '  Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
   fi
diff -urN linux-2.4.22/net/ipv4/netfilter/Makefile linux-2.4.22/net/ipv4/netfilter/Makefile
--- linux-2.4.22/net/ipv4/netfilter/Makefile    2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/netfilter/Makefile    2003-09-02 19:29:42.000000000 -0400
@@ -86,6 +86,7 @@
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
 
 # targets
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff -urN linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c
--- linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c       1969-12-31 19:00:00.000000000 -0500
+++ linux-2.4.22/net/ipv4/netfilter/ipt_stealth.c       2003-09-02 19:29:42.000000000 -0400
@@ -0,0 +1,109 @@
+/* Kernel module to add stealth support.
+ *
+ * Copyright (C) 2002 Brad Spengler  <spender@grsecurity.net>
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/net.h>
+#include <linux/sched.h>
+#include <linux/inet.h>
+#include <linux/stddef.h>
+
+#include <net/ip.h>
+#include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <net/route.h>
+#include <net/inet_common.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_LICENSE("GPL");
+
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+       struct iphdr *ip = skb->nh.iph;
+       struct tcphdr *th = (struct tcphdr *) hdr;
+       struct udphdr *uh = (struct udphdr *) hdr;
+       struct sock *sk = NULL;
+
+       if (!ip || !hdr || offset) return 0;
+
+       switch(ip->protocol) {
+       case IPPROTO_TCP:
+               if (datalen < sizeof(struct tcphdr)) {
+                       *hotdrop = 1;
+                       return 0;
+               }
+               if (!(th->syn && !th->ack)) return 0;
+               sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif);    
+               break;
+       case IPPROTO_UDP:
+               if (datalen < sizeof(struct udphdr)) {
+                       *hotdrop = 1;
+                       return 0;
+               }
+               sk = udp_v4_lookup(ip->saddr, uh->source, ip->daddr, uh->dest, skb->dev->ifindex);
+               break;
+       default:
+               return 0;
+       }
+
+       if(!sk) // port is being listened on, match this
+               return 1;
+       else {
+               sock_put(sk);
+               return 0;
+       }
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+        if (matchsize != IPT_ALIGN(0))
+                return 0;
+
+       if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
+               ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
+               && (hook_mask & (1 << NF_IP_LOCAL_IN)))
+                       return 1;
+
+       printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
+
+        return 0;
+}
+
+
+static struct ipt_match stealth_match
+= { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+       return ipt_register_match(&stealth_match);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_match(&stealth_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -urN linux-2.4.22/net/ipv4/tcp_ipv4.c linux-2.4.22/net/ipv4/tcp_ipv4.c
--- linux-2.4.22/net/ipv4/tcp_ipv4.c    2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/tcp_ipv4.c    2003-09-02 19:29:42.000000000 -0400
@@ -67,6 +67,7 @@
 #include <linux/inet.h>
 #include <linux/stddef.h>
 #include <linux/ipsec.h>
+#include <linux/grsecurity.h>
 
 extern int sysctl_ip_dynaddr;
 extern int sysctl_ip_default_ttl;
@@ -221,9 +222,18 @@
 
                spin_lock(&tcp_portalloc_lock);
                rover = tcp_port_rover;
-               do {    rover++;
-                       if ((rover < low) || (rover > high))
-                               rover = low;
+                do {
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+                       if (grsec_enable_randsrc && (high > low)) {
+                               rover = low + (get_random_long() % (high - low));
+                       } else
+#endif
+                       {
+                               rover++;
+                               if ((rover < low) || (rover > high))
+                                       rover = low;
+                       }
+
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);
                        for (tb = head->chain; tb; tb = tb->next)
@@ -546,6 +556,11 @@
 
 static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
 {
+#ifdef CONFIG_GRKERNSEC_RANDISN
+       if (likely(grsec_enable_randisn))
+               return ip_randomisn();
+       else
+#endif
        return secure_tcp_sequence_number(skb->nh.iph->daddr,
                                          skb->nh.iph->saddr,
                                          skb->h.th->dest,
@@ -681,9 +696,16 @@
                rover = tcp_port_rover;
 
                do {
-                       rover++;
-                       if ((rover < low) || (rover > high))
-                               rover = low;
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+                       if(grsec_enable_randsrc && (high > low)) {
+                               rover = low + (get_random_long() % (high - low));
+                       } else
+#endif
+                       {
+                               rover++;
+                               if ((rover < low) || (rover > high))
+                                       rover = low;
+                       }
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);         
 
@@ -844,11 +866,22 @@
        if (err)
                goto failure;
 
-       if (!tp->write_seq)
+       if (!tp->write_seq) {
+#ifdef CONFIG_GRKERNSEC_RANDISN
+               if (likely(grsec_enable_randisn))
+                       tp->write_seq = ip_randomisn();
+               else
+#endif
                tp->write_seq = secure_tcp_sequence_number(sk->saddr, sk->daddr,
                                                           sk->sport, usin->sin_port);
+       }
 
-       sk->protinfo.af_inet.id = tp->write_seq^jiffies;
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
+               sk->protinfo.af_inet.id = tp->write_seq^jiffies;
 
        err = tcp_connect(sk);
        if (err)
@@ -1570,7 +1603,13 @@
        newtp->ext_header_len = 0;
        if (newsk->protinfo.af_inet.opt)
                newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen;
-       newsk->protinfo.af_inet.id = newtp->write_seq^jiffies;
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               newsk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
+               newsk->protinfo.af_inet.id = newtp->write_seq^jiffies;
 
        tcp_sync_mss(newsk, dst->pmtu);
        newtp->advmss = dst->advmss;
diff -urN linux-2.4.22/net/ipv4/udp.c linux-2.4.22/net/ipv4/udp.c
--- linux-2.4.22/net/ipv4/udp.c 2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/ipv4/udp.c 2003-09-02 19:29:42.000000000 -0400
@@ -91,6 +91,7 @@
 #include <net/ipv6.h>
 #include <net/protocol.h>
 #include <linux/skbuff.h>
+#include <linux/grsecurity.h>
 #include <net/sock.h>
 #include <net/udp.h>
 #include <net/icmp.h>
@@ -98,6 +99,11 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 
+extern int gr_search_udp_recvmsg(const struct sock *sk,
+                                       const struct sk_buff *skb);
+extern int gr_search_udp_sendmsg(const struct sock *sk,
+                                       const struct sockaddr_in *addr);
+
 /*
  *     Snmp MIB for the UDP layer
  */
@@ -478,9 +484,16 @@
                ufh.uh.dest = usin->sin_port;
                if (ufh.uh.dest == 0)
                        return -EINVAL;
+
+               if (!gr_search_udp_sendmsg(sk, usin))
+                       return -EPERM;
        } else {
                if (sk->state != TCP_ESTABLISHED)
                        return -EDESTADDRREQ;
+
+               if (!gr_search_udp_sendmsg(sk, NULL))
+                       return -EPERM;
+
                ufh.daddr = sk->daddr;
                ufh.uh.dest = sk->dport;
                /* Open fast path for connected socket.
@@ -488,6 +501,7 @@
                 */
                connected = 1;
        }
+
        ipc.addr = sk->saddr;
        ufh.uh.source = sk->sport;
 
@@ -659,6 +673,11 @@
        if (!skb)
                goto out;
   
+       if (!gr_search_udp_recvmsg(sk, skb)) {
+               err = -EPERM;
+               goto out_free;
+       }
+
        copied = skb->len - sizeof(struct udphdr);
        if (copied > len) {
                copied = len;
@@ -763,7 +782,13 @@
        sk->daddr = rt->rt_dst;
        sk->dport = usin->sin_port;
        sk->state = TCP_ESTABLISHED;
-       sk->protinfo.af_inet.id = jiffies;
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+       if(grsec_enable_randid)
+               sk->protinfo.af_inet.id = htons(ip_randomid());
+       else
+#endif
+               sk->protinfo.af_inet.id = jiffies;
 
        sk_dst_set(sk, &rt->u.dst);
        return(0);
diff -urN linux-2.4.22/net/netlink/af_netlink.c linux-2.4.22/net/netlink/af_netlink.c
--- linux-2.4.22/net/netlink/af_netlink.c       2003-09-01 22:19:11.000000000 -0400
+++ linux-2.4.22/net/netlink/af_netlink.c       2003-09-02 19:29:42.000000000 -0400
@@ -40,6 +40,7 @@
 #include <linux/proc_fs.h>
 #include <linux/smp_lock.h>
 #include <linux/notifier.h>
+#include <linux/grsecurity.h>
 #include <net/sock.h>
 #include <net/scm.h>
 
@@ -625,7 +626,8 @@
           check them, when this message will be delivered
           to corresponding kernel module.   --ANK (980802)
         */
-       NETLINK_CB(skb).eff_cap = current->cap_effective;
+
+       NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
 
        err = -EFAULT;
        if (memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len)) {
diff -urN linux-2.4.22/net/netsyms.c linux-2.4.22/net/netsyms.c
--- linux-2.4.22/net/netsyms.c  2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/netsyms.c  2003-09-02 19:29:42.000000000 -0400
@@ -24,6 +24,7 @@
 #include <net/checksum.h>
 #include <linux/etherdevice.h>
 #include <net/route.h>
+#include <linux/grsecurity.h>
 #ifdef CONFIG_HIPPI
 #include <linux/hippidevice.h>
 #endif
@@ -606,6 +607,47 @@
 
 EXPORT_SYMBOL(softnet_data);
 
+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
+#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE)
+EXPORT_SYMBOL(tcp_v4_lookup_listener);
+#endif
+#endif
+
+#if defined(CONFIG_GRKERNSEC_RANDID)
+EXPORT_SYMBOL(ip_randomid);
+#endif
+#if defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDRPC)
+EXPORT_SYMBOL(get_random_long);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDISN
+EXPORT_SYMBOL(ip_randomisn);
+EXPORT_SYMBOL(grsec_enable_randisn);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+EXPORT_SYMBOL(grsec_enable_randid);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+EXPORT_SYMBOL(grsec_enable_randsrc);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+EXPORT_SYMBOL(grsec_enable_randrpc);
+#endif
+
+EXPORT_SYMBOL(gr_cap_rtnetlink);
+
+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
+
+EXPORT_SYMBOL(gr_search_udp_recvmsg);
+EXPORT_SYMBOL(gr_search_udp_sendmsg);
+
+#ifdef CONFIG_UNIX_MODULE
+EXPORT_SYMBOL(gr_acl_handle_unix);
+EXPORT_SYMBOL(gr_acl_handle_mknod);
+EXPORT_SYMBOL(gr_handle_chroot_unix);
+EXPORT_SYMBOL(gr_handle_create);
+#endif
+
 #if defined(CONFIG_NET_RADIO) || defined(CONFIG_NET_PCMCIA_RADIO)
 #include <net/iw_handler.h>
 EXPORT_SYMBOL(wireless_send_event);
diff -urN linux-2.4.22/net/socket.c linux-2.4.22/net/socket.c
--- linux-2.4.22/net/socket.c   2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/socket.c   2003-09-02 19:29:42.000000000 -0400
@@ -85,6 +85,18 @@
 #include <net/scm.h>
 #include <linux/netfilter.h>
 
+extern void gr_attach_curr_ip(const struct sock *sk);
+extern int gr_handle_sock_all(const int family, const int type,
+                             const int protocol);
+extern int gr_handle_sock_server(const struct sockaddr *sck);  
+extern int gr_handle_sock_client(const struct sockaddr *sck);
+extern int gr_search_connect(const struct socket * sock,
+                            const struct sockaddr_in * addr);  
+extern int gr_search_bind(const struct socket * sock,
+                         const struct sockaddr_in * addr);
+extern int gr_search_socket(const int domain, const int type,
+                           const int protocol);
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_read(struct file *file, char *buf,
                         size_t size, loff_t *ppos);
@@ -699,6 +711,7 @@
 
 int sock_close(struct inode *inode, struct file *filp)
 {
+       struct socket *sock;
        /*
         *      It was possible the inode is NULL we were 
         *      closing an unfinished socket. 
@@ -709,8 +722,21 @@
                printk(KERN_DEBUG "sock_close: NULL inode\n");
                return 0;
        }
+       sock = socki_lookup(inode);
+
        sock_fasync(-1, filp, 0);
+
+#ifdef CONFIG_GRKERNSEC
+       if (unlikely(current->used_accept && sock->sk &&
+                    (sock->sk->protocol == IPPROTO_TCP) &&
+                    (sock->sk->daddr == current->curr_ip))) {
+               current->used_accept = 0;
+               current->curr_ip = 0;
+       }
+#endif
+
        sock_release(socki_lookup(inode));
+
        return 0;
 }
 
@@ -903,6 +929,16 @@
        int retval;
        struct socket *sock;
 
+       if(!gr_search_socket(family, type, protocol)) {
+               retval = -EACCES;
+               goto out;
+       }
+
+       if (gr_handle_sock_all(family, type, protocol)) {
+               retval = -EACCES;
+               goto out;
+       }
+
        retval = sock_create(family, type, protocol, &sock);
        if (retval < 0)
                goto out;
@@ -998,12 +1034,26 @@
 {
        struct socket *sock;
        char address[MAX_SOCK_ADDR];
+       struct sockaddr * sck;
        int err;
 
        if((sock = sockfd_lookup(fd,&err))!=NULL)
        {
-               if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
+               if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
+                       sck = (struct sockaddr *) address;
+
+                       if(!gr_search_bind(sock, (struct sockaddr_in *) sck)) {
+                               sockfd_put(sock);
+                               return -EACCES;
+                       }
+
+                       if (gr_handle_sock_server(sck)) {
+                               sockfd_put(sock);
+                               return -EACCES;
+                       }
+
                        err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
+               }
                sockfd_put(sock);
        }                       
        return err;
@@ -1079,6 +1129,8 @@
        if ((err = sock_map_fd(newsock)) < 0)
                goto out_release;
 
+       gr_attach_curr_ip(newsock->sk);
+
 out_put:
        sockfd_put(sock);
 out:
@@ -1106,6 +1158,7 @@
 {
        struct socket *sock;
        char address[MAX_SOCK_ADDR];
+       struct sockaddr * sck;
        int err;
 
        sock = sockfd_lookup(fd, &err);
@@ -1114,6 +1167,24 @@
        err = move_addr_to_kernel(uservaddr, addrlen, address);
        if (err < 0)
                goto out_put;
+
+       sck = (struct sockaddr *) address;
+
+       if (!gr_search_connect(sock, (struct sockaddr_in *) sck)) {
+               err = -EACCES;
+               goto out_put;
+       }
+
+       if (gr_handle_sock_client(sck)) {
+               err = -EACCES;
+               goto out_put;
+       }
+
+#ifdef CONFIG_GRKERNSEC
+       if (sock->sk->protocol == IPPROTO_TCP)
+               current->used_connect = 1;
+#endif
+
        err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
                                 sock->file->f_flags);
 out_put:
@@ -1333,6 +1404,14 @@
                err=sock->ops->shutdown(sock, how);
                sockfd_put(sock);
        }
+
+#ifdef CONFIG_GRKERNSEC
+       if (likely(!err && current->used_accept)) {
+               current->used_accept = 0;
+               current->curr_ip = 0;
+       }
+#endif
+
        return err;
 }
 
diff -urN linux-2.4.22/net/sunrpc/xprt.c linux-2.4.22/net/sunrpc/xprt.c
--- linux-2.4.22/net/sunrpc/xprt.c      2003-09-01 22:19:11.000000000 -0400
+++ linux-2.4.22/net/sunrpc/xprt.c      2003-09-02 19:29:42.000000000 -0400
@@ -59,6 +59,7 @@
 #include <linux/unistd.h>
 #include <linux/sunrpc/clnt.h>
 #include <linux/file.h>
+#include <linux/grsecurity.h>
 
 #include <net/sock.h>
 #include <net/checksum.h>
@@ -1290,6 +1291,12 @@
        }
        ret = xid++;
        spin_unlock(&xid_lock);
+
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+       if (grsec_enable_randrpc)
+               ret = (u32) get_random_long();
+#endif
+
        return ret;
 }
 
diff -urN linux-2.4.22/net/unix/af_unix.c linux-2.4.22/net/unix/af_unix.c
--- linux-2.4.22/net/unix/af_unix.c     2003-09-01 22:19:08.000000000 -0400
+++ linux-2.4.22/net/unix/af_unix.c     2003-09-02 19:29:42.000000000 -0400
@@ -109,6 +109,7 @@
 #include <linux/poll.h>
 #include <linux/smp_lock.h>
 #include <linux/rtnetlink.h>
+#include <linux/grsecurity.h>
 
 #include <asm/checksum.h>
 
@@ -599,6 +600,11 @@
                if (err)
                        goto put_fail;
 
+               if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
+                       err = -EACCES;
+                       goto put_fail;
+               }
+               
                err = -ECONNREFUSED;
                if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
                        goto put_fail;
@@ -622,6 +628,13 @@
                if (u) {
                        struct dentry *dentry;
                        dentry = u->protinfo.af_unix.dentry;
+
+                       if (!gr_handle_chroot_unix(u->peercred.pid)) {
+                               err = -EPERM;
+                               sock_put(u);
+                               goto fail;
+                       }
+
                        if (dentry)
                                UPDATE_ATIME(dentry->d_inode);
                } else
@@ -720,9 +733,19 @@
                 * All right, let's create it.
                 */
                mode = S_IFSOCK | (sock->inode->i_mode & ~current->fs->umask);
+       
+               if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
+                       err = -EACCES;
+                       goto out_mknod_dput;
+               }       
+
                err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
+
                if (err)
                        goto out_mknod_dput;
+
+               gr_handle_create(dentry, nd.mnt);
+
                up(&nd.dentry->d_inode->i_sem);
                dput(nd.dentry);
                nd.dentry = dentry;
@@ -740,6 +763,10 @@
                        goto out_unlock;
                }
 
+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
+               sk->peercred.pid = current->pid;
+#endif
+
                list = &unix_socket_table[addr->hash];
        } else {
                list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
@@ -866,6 +893,9 @@
        int st;
        int err;
        long timeo;
+#ifdef CONFIG_GRKERNSEC
+       struct task_struct *p, **htable;
+#endif
 
        err = unix_mkname(sunaddr, addr_len, &hash);
        if (err < 0)
@@ -989,6 +1019,17 @@
        /* Set credentials */
        sk->peercred = other->peercred;
 
+#ifdef CONFIG_GRKERNSEC
+       read_lock(&tasklist_lock);
+       htable = &pidhash[pid_hashfn(other->peercred.pid)];
+       for (p = *htable; p && p->pid != other->peercred.pid; p = p->pidhash_next);
+       if (p) {
+               p->curr_ip = current->curr_ip;
+               p->used_accept = 1;
+       }
+       read_unlock(&tasklist_lock);
+#endif
+
        sock_hold(newsk);
        unix_peer(sk)=newsk;
        sock->state=SS_CONNECTED;