-diff -urN linux-2.6.12.6/drivers/char/keyboard.c linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c
---- linux-2.6.12.6/drivers/char/keyboard.c 2005-08-30 14:50:44.362019968 +0200
-+++ linux-2.6.12.6-gr-minimal/drivers/char/keyboard.c 2005-08-30 16:55:16.698334512 +0200
-@@ -608,6 +608,16 @@
- kbd->kbdmode == VC_MEDIUMRAW) &&
+diff -urNp linux-2.6.26.orig/arch/sparc/Makefile linux-2.6.26/arch/sparc/Makefile
+--- linux-2.6.26.orig/arch/sparc/Makefile 2008-09-01 11:44:21.000000000 +0200
++++ linux-2.6.26/arch/sparc/Makefile 2008-09-02 12:17:21.000000000 +0200
+@@ -81,7 +81,7 @@
+ # Export what is needed by arch/sparc/boot/Makefile
+ export VMLINUX_INIT VMLINUX_MAIN
+ VMLINUX_INIT := $(head-y) $(init-y)
+-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
+ VMLINUX_MAIN += $(drivers-y) $(net-y)
+
+diff -urNp linux-2.6.26.orig/drivers/char/keyboard.c linux-2.6.26/drivers/char/keyboard.c
+--- linux-2.6.26.orig/drivers/char/keyboard.c 2008-09-01 11:43:37.000000000 +0200
++++ linux-2.6.26/drivers/char/keyboard.c 2008-09-02 12:17:21.000000000 +0200
+@@ -633,6 +633,16 @@ static void k_spec(struct vc_data *vc, u
+ kbd->kbdmode == VC_MEDIUMRAW) &&
value != KVAL(K_SAK))
return; /* SAK is allowed even in raw mode */
+
+ }
+#endif
+
- fn_handler[value](vc, regs);
+ fn_handler[value](vc);
}
-diff -urN linux-2.6.12.6/drivers/pci/proc.c linux-2.6.12.6-gr-minimal/drivers/pci/proc.c
---- linux-2.6.12.6/drivers/pci/proc.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/drivers/pci/proc.c 2005-08-30 16:55:16.748326912 +0200
-@@ -569,7 +569,15 @@
-
- static void legacy_proc_init(void)
- {
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR, NULL);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+ struct proc_dir_entry * entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
-+#endif
-+#else
- struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
-+#endif
- if (entry)
- entry->proc_fops = &proc_pci_operations;
- }
-@@ -598,7 +606,15 @@
+diff -urNp linux-2.6.26.orig/drivers/pci/proc.c linux-2.6.26/drivers/pci/proc.c
+--- linux-2.6.26.orig/drivers/pci/proc.c 2008-09-01 11:43:47.000000000 +0200
++++ linux-2.6.26/drivers/pci/proc.c 2008-09-02 12:17:21.000000000 +0200
+@@ -472,7 +472,16 @@ static const struct file_operations proc
+ static int __init pci_proc_init(void)
{
- struct proc_dir_entry *entry;
struct pci_dev *dev = NULL;
++
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
- proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
+ proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
+#endif
- entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
- if (entry)
- entry->proc_fops = &proc_bus_pci_dev_operations;
-diff -urN linux-2.6.12.6/fs/Kconfig linux-2.6.12.6-gr-minimal/fs/Kconfig
---- linux-2.6.12.6/fs/Kconfig 2005-08-30 14:50:48.897330496 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/Kconfig 2005-08-30 16:55:16.787320984 +0200
-@@ -819,7 +819,7 @@
+ proc_create("devices", 0, proc_bus_pci_dir,
+ &proc_bus_pci_dev_operations);
+ proc_initialized = 1;
+diff -urNp linux-2.6.26.orig/fs/Kconfig linux-2.6.26/fs/Kconfig
+--- linux-2.6.26.orig/fs/proc/Kconfig 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/fs/proc/Kconfig 2008-09-02 12:17:21.000000000 +0200
+@@ -926,12 +926,12 @@ config PROC_FS
config PROC_KCORE
bool "/proc/kcore support" if !ARM
- depends on PROC_FS && MMU
+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
- config SYSFS
- bool "sysfs file system support" if EMBEDDED
-diff -urN linux-2.6.12.6/fs/namei.c linux-2.6.12.6-gr-minimal/fs/namei.c
---- linux-2.6.12.6/fs/namei.c 2005-08-30 14:50:44.000074992 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/namei.c 2005-08-30 15:01:26.561724968 +0200
-@@ -541,6 +541,18 @@
+ config PROC_VMCORE
+ bool "/proc/vmcore support (EXPERIMENTAL)"
+- depends on PROC_FS && CRASH_DUMP
+- default y
++ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
++ default n
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+diff -urNp linux-2.6.26.orig/fs/namei.c linux-2.6.26/fs/namei.c
+--- linux-2.6.26.orig/fs/namei.c 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/namei.c 2008-09-02 12:17:21.000000000 +0200
+@@ -38,6 +38,7 @@
+ #include <linux/vs_cowbl.h>
+ #include <linux/vs_device.h>
+ #include <linux/vs_context.h>
++#include <linux/grsecurity.h>
+ #include <linux/pid_namespace.h>
+ #include <asm/uaccess.h>
+
+@@ -740,6 +741,13 @@ static inline int do_follow_link(struct
err = security_inode_follow_link(path->dentry, nd);
if (err)
goto loop;
+
-+#ifdef CONFIG_GRKERNSEC_LINK
-+ if (S_ISLNK(path->dentry->d_inode->i_mode) &&
-+ (path->dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
-+ (path->dentry->d_parent->d_inode->i_uid != path->dentry->d_inode->i_uid) &&
-+ (path->dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
-+ (current->fsuid != path->dentry->d_inode->i_uid)) {
++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
++ path->dentry->d_inode, path->dentry)) {
+ err = -EACCES;
+ goto loop;
+ }
-+#endif
+
current->link_count++;
current->total_link_count++;
nd->depth++;
-@@ -1487,6 +1499,16 @@
+@@ -1925,6 +1933,12 @@ do_last:
/*
* It already exists.
*/
-+#ifdef CONFIG_GRKERNSEC_FIFO
-+ if (S_ISFIFO(path.dentry->d_inode->i_mode) &&
-+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
-+ (path.dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
-+ (current->fsuid != path.dentry->d_inode->i_uid)) {
-+ up(&dir->d_inode->i_sem);
++
++ if (gr_handle_fifo(path.dentry, dir, flag, acc_mode)) {
+ error = -EACCES;
-+ goto exit_dput;
++ goto exit_mutex_unlock;
+ }
-+#endif
- up(&dir->d_inode->i_sem);
++
+ mutex_unlock(&dir->d_inode->i_mutex);
+ audit_inode(pathname, path.dentry);
- error = -EEXIST;
-@@ -1544,6 +1566,18 @@
- error = security_inode_follow_link(path.dentry, nd);
+@@ -2028,6 +2042,13 @@ do_link:
+ error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
+
-+#ifdef CONFIG_GRKERNSEC_LINK
-+ if (S_ISLNK(path.dentry->d_inode->i_mode) &&
-+ (path.dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
-+ (path.dentry->d_parent->d_inode->i_uid != path.dentry->d_inode->i_uid) &&
-+ (path.dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
-+ (current->fsuid != path.dentry->d_inode->i_uid)) {
++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
++ path.dentry)) {
+ error = -EACCES;
+ goto exit_dput;
+ }
-+#endif
+
- error = __do_follow_link(&path, nd);
- if (error)
- return error;
-@@ -2046,7 +2080,20 @@
- new_dentry = lookup_create(&nd, 0);
+ error = __do_follow_link(&path, &nd);
+ if (error) {
+ /* Does someone understand code flow here? Or it is only
+@@ -2669,6 +2690,13 @@ asmlinkage long sys_linkat(int olddfd, c
error = PTR_ERR(new_dentry);
- if (!IS_ERR(new_dentry)) {
-- error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
-+#ifdef CONFIG_GRKERNSEC_LINK
-+ error = 0;
-+ if (current->fsuid != old_nd.dentry->d_inode->i_uid &&
-+ (!S_ISREG(old_nd.dentry->d_inode->i_mode) ||
-+ (old_nd.dentry->d_inode->i_mode & S_ISUID) ||
-+ ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
-+ (generic_permission(old_nd.dentry->d_inode, MAY_READ | MAY_WRITE, NULL))) &&
-+ !capable(CAP_FOWNER) && current->uid) {
-+ error = -EPERM;
-+ }
-+ if (!error)
-+#endif
-+ error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
-+
- dput(new_dentry);
- }
- up(&nd.dentry->d_inode->i_sem);
-diff -urN linux-2.6.12.6/fs/proc/array.c linux-2.6.12.6-gr-minimal/fs/proc/array.c
---- linux-2.6.12.6/fs/proc/array.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/array.c 2005-08-30 16:55:16.799319160 +0200
-@@ -482,3 +482,14 @@
- return sprintf(buffer,"%d %d %d %d %d %d %d\n",
- size, resident, shared, text, lib, data, 0);
+ if (IS_ERR(new_dentry))
+ goto out_unlock;
++
++ if (gr_handle_hardlink(old_path.dentry, old_path.dentry->d_inode,
++ old_path.dentry->d_inode->i_mode, to)) {
++ error = -EACCES;
++ goto out_dput;
++ }
++
+ error = mnt_want_write(nd.path.mnt);
+ if (error)
+ goto out_dput;
+diff -urNp linux-2.6.26.orig/fs/proc/array.c linux-2.6.26/fs/proc/array.c
+--- linux-2.6.26.orig/fs/proc/array.c 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/array.c 2008-09-02 12:17:21.000000000 +0200
+@@ -639,3 +639,10 @@ int proc_pid_statm(struct seq_file *m, s
+
+ return 0;
}
+
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
++int proc_pid_ipaddr(struct task_struct *task, char *buffer)
+{
-+ int len;
-+
-+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
-+ return len;
++ return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
+}
+#endif
+diff -urNp linux-2.6.26.orig/fs/proc/base.c linux-2.6.26/fs/proc/base.c
+--- linux-2.6.26.orig/fs/proc/base.c 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/base.c 2008-09-02 12:23:45.000000000 +0200
+@@ -79,6 +79,8 @@
+ #include <linux/pid_namespace.h>
+ #include <linux/vs_context.h>
+ #include <linux/vs_network.h>
++#include <linux/grsecurity.h>
+
-diff -urN linux-2.6.12.6/fs/proc/base.c linux-2.6.12.6-gr-minimal/fs/proc/base.c
---- linux-2.6.12.6/fs/proc/base.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/base.c 2005-08-30 16:55:16.803318552 +0200
-@@ -83,6 +83,9 @@
- #ifdef CONFIG_AUDITSYSCALL
- PROC_TGID_LOGINUID,
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ PROC_TGID_IPADDR,
-+#endif
- PROC_TGID_FD_DIR,
- PROC_TGID_OOM_SCORE,
- PROC_TGID_OOM_ADJUST,
-@@ -152,6 +155,9 @@
- E(PROC_TGID_ROOT, "root", S_IFLNK|S_IRWXUGO),
- E(PROC_TGID_EXE, "exe", S_IFLNK|S_IRWXUGO),
- E(PROC_TGID_MOUNTS, "mounts", S_IFREG|S_IRUGO),
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
+ #include "internal.h"
+
+ /* NOTE:
+@@ -1445,7 +1445,11 @@
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
+#endif
- #ifdef CONFIG_SECURITY
- E(PROC_TGID_ATTR, "attr", S_IFDIR|S_IRUGO|S_IXUGO),
- #endif
-@@ -1149,6 +1155,9 @@
- inode->i_uid = task->euid;
- inode->i_gid = task->egid;
+ rcu_read_unlock();
}
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+ /* procfs is xid tagged */
+@@ -1469,6 +1469,9 @@
+ struct inode *inode = dentry->d_inode;
+ struct task_struct *task;
+ const struct cred *cred;
++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ struct task_struct *tmp = current;
+#endif
- security_task_to_inode(task, inode);
- out:
-@@ -1177,7 +1186,9 @@
- if (pid_alive(task)) {
- if (proc_type(inode) == PROC_TGID_INO || proc_type(inode) == PROC_TID_INO || task_dumpable(task)) {
- inode->i_uid = task->euid;
-+#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
- inode->i_gid = task->egid;
-+#endif
- } else {
- inode->i_uid = 0;
- inode->i_gid = 0;
-@@ -1500,6 +1511,12 @@
- inode->i_fop = &proc_info_file_operations;
- ei->op.proc_read = proc_pid_status;
- break;
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ case PROC_TGID_IPADDR:
-+ inode->i_fop = &proc_info_file_operations;
-+ ei->op.proc_read = proc_pid_ipaddr;
-+ break;
-+#endif
- case PROC_TID_STAT:
- inode->i_fop = &proc_info_file_operations;
- ei->op.proc_read = proc_tid_stat;
-@@ -1792,6 +1809,17 @@
- if (!task)
- goto out;
+ generic_fillattr(inode, stat);
+@@ -1476,12 +1479,29 @@
+ stat->uid = 0;
+ stat->gid = 0;
+ task = pid_task(proc_pid(inode), PIDTYPE_PID);
+- if (task) {
++ if (task
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (current->uid && (task->uid != current->uid)
++ && (!tmp->uid || (tmp->uid == task->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
-+ ) {
-+ put_task_struct(task);
-+ goto out;
-+ }
++ )
+#endif
-+
- inode = proc_pid_make_inode(dir->i_sb, task, PROC_TGID_INO);
++ ) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+ cred = __task_cred(task);
+ stat->uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ stat->gid = cred->egid;
++#endif
+ }
+ }
+ rcu_read_unlock();
+@@ -1533,11 +1533,20 @@
+ if (task) {
+ if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
++#endif
+ task_dumpable(task)) {
+ rcu_read_lock();
+ cred = __task_cred(task);
+ inode->i_uid = cred->euid;
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++#else
+ inode->i_gid = cred->egid;
++#endif
+ rcu_read_unlock();
+ } else {
+ inode->i_uid = 0;
+@@ -1841,12 +1888,19 @@ static int proc_fd_permission(struct ino
+ struct nameidata *nd)
+ {
+ int rv;
++ struct task_struct *task;
-@@ -1799,7 +1827,15 @@
- put_task_struct(task);
- goto out;
- }
+ rv = generic_permission(inode, mask, NULL);
+- if (rv == 0)
+- return 0;
+
+ if (task_pid(current) == proc_pid(inode))
+ rv = 0;
++
++ task = get_proc_task(inode);
++ if (task == NULL)
++ return rv;
++
++ put_task_struct(task);
++
+ return rv;
+ }
+
+@@ -2617,7 +2683,14 @@ static struct dentry *proc_pid_instantia
+ if (!inode)
+ goto out;
+
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
inode->i_op = &proc_tgid_base_inode_operations;
inode->i_fop = &proc_tgid_base_operations;
inode->i_flags|=S_IMMUTABLE;
-@@ -1891,6 +1927,9 @@
- static int get_tgid_list(int index, unsigned long version, unsigned int *tgids)
+@@ -2724,6 +2801,9 @@ int proc_pid_readdir(struct file * filp,
{
- struct task_struct *p;
+ unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+ struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ struct task_struct *tmp = current;
+#endif
- int nr_tgids = 0;
+ struct tgid_iter iter;
+ struct pid_namespace *ns;
- index--;
-@@ -1911,6 +1950,14 @@
- int tgid = p->pid;
- if (!pid_alive(p))
- continue;
+@@ -2742,6 +2822,15 @@ int proc_pid_readdir(struct file * filp,
+ for (iter = next_tgid(ns, iter);
+ iter.task;
+ iter.tgid += 1, iter = next_tgid(ns, iter)) {
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (tmp->uid && (p->uid != tmp->uid)
++ if (tmp->uid && (iter.task->uid != tmp->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+#endif
+ )
-+ continue;
+#endif
- if (--index >= 0)
++ continue;
++
+ filp->f_pos = iter.tgid + TGID_OFFSET;
+ if (!vx_proc_task_visible(iter.task))
continue;
- tgids[nr_tgids] = tgid;
-diff -urN linux-2.6.12.6/fs/proc/inode.c linux-2.6.12.6-gr-minimal/fs/proc/inode.c
---- linux-2.6.12.6/fs/proc/inode.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/inode.c 2005-08-30 16:55:16.804318400 +0200
-@@ -163,7 +163,11 @@
+@@ -2815,6 +2906,9 @@ static const struct pid_entry tid_base_s
+ #ifdef CONFIG_FAULT_INJECTION
+ REG("make-it-fail", S_IRUGO|S_IWUSR, fault_inject),
+ #endif
++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
++ INF("ipaddr", S_IRUSR, pid_ipaddr),
++#endif
+ };
+
+ static int proc_tid_base_readdir(struct file * filp,
+diff -urNp linux-2.6.26.orig/fs/proc/inode.c linux-2.6.26/fs/proc/inode.c
+--- linux-2.6.26.orig/fs/proc/inode.c 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/inode.c 2008-09-02 12:17:21.000000000 +0200
+@@ -403,7 +403,11 @@ struct inode *proc_get_inode(struct supe
if (de->mode) {
inode->i_mode = de->mode;
inode->i_uid = de->uid;
inode->i_gid = de->gid;
+#endif
}
- if (de->size)
- inode->i_size = de->size;
-diff -urN linux-2.6.12.6/fs/proc/internal.h linux-2.6.12.6-gr-minimal/fs/proc/internal.h
---- linux-2.6.12.6/fs/proc/internal.h 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/internal.h 2005-08-30 16:55:16.804318400 +0200
-@@ -36,6 +36,9 @@
- extern int proc_tgid_stat(struct task_struct *, char *);
- extern int proc_pid_status(struct task_struct *, char *);
- extern int proc_pid_statm(struct task_struct *, char *);
+ if (de->vx_flags)
+ PROC_I(inode)->vx_flags = de->vx_flags;
+diff -urNp linux-2.6.26.orig/fs/proc/internal.h linux-2.6.26/fs/proc/internal.h
+--- linux-2.6.26.orig/fs/proc/internal.h 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/internal.h 2008-09-02 12:17:21.000000000 +0200
+@@ -58,6 +58,9 @@ extern int proc_pid_statm(struct seq_fil
+ struct pid *pid, struct task_struct *task);
+ extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task);
+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+extern int proc_pid_ipaddr(struct task_struct*,char*);
++extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
+#endif
- static inline struct task_struct *proc_task(struct inode *inode)
- {
-diff -urN linux-2.6.12.6/fs/proc/proc_misc.c linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c
---- linux-2.6.12.6/fs/proc/proc_misc.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/proc_misc.c 2005-08-30 16:55:16.806318096 +0200
-@@ -552,6 +552,8 @@
- void __init proc_misc_init(void)
+ extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
+
+--- linux-2.6.26.orig/fs/proc/cmdline.c 2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/cmdline.c 2009-01-02 17:46:34.278247774 +0100
+@@ -23,7 +23,15 @@
+
+ static int __init proc_cmdline_init(void)
{
- struct proc_dir_entry *entry;
+- proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
+ int gr_mode = 0;
-+
- static struct {
- char *name;
- int (*read_proc)(char*,char**,off_t,int,int*,void*);
-@@ -566,9 +568,13 @@
- #ifdef CONFIG_STRAM_PROC
- {"stram", stram_read_proc},
- #endif
-+#ifndef CONFIG_GRKERNSEC_PROC_ADD
- {"devices", devices_read_proc},
-+#endif
- {"filesystems", filesystems_read_proc},
-+#ifndef CONFIG_GRKERNSEC_PROC_ADD
- {"cmdline", cmdline_read_proc},
-+#endif
- {"locks", locks_read_proc},
- {"execdomains", execdomains_read_proc},
- {NULL,}
-@@ -576,6 +582,16 @@
- for (p = simple_ones; p->name; p++)
- create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
-
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ gr_mode = S_IRUSR;
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ gr_mode = S_IRUSR | S_IRGRP;
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ create_proc_read_entry("devices", gr_mode, NULL, &devices_read_proc, NULL);
-+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
++ proc_create("cmdline", gr_mode, NULL, &cmdline_proc_fops);
+#endif
-+
- proc_symlink("mounts", NULL, "self/mounts");
+ return 0;
+ }
+ module_init(proc_cmdline_init);
+--- linux-2.6.26.orig/fs/proc/devices.c 2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/devices.c 2009-01-02 17:43:00.758269666 +0100
+@@ -64,7 +64,13 @@
- /* And now for trickier ones */
-@@ -586,17 +602,21 @@
- create_seq_entry("partitions", 0, &proc_partitions_operations);
- create_seq_entry("stat", 0, &proc_stat_operations);
- create_seq_entry("interrupts", 0, &proc_interrupts_operations);
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
-+#else
- create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
-+#endif
- create_seq_entry("buddyinfo",S_IRUGO, &fragmentation_file_operations);
- create_seq_entry("vmstat",S_IRUGO, &proc_vmstat_file_operations);
- create_seq_entry("diskstats", 0, &proc_diskstats_operations);
- #ifdef CONFIG_MODULES
-- create_seq_entry("modules", 0, &proc_modules_operations);
-+ create_seq_entry("modules", gr_mode, &proc_modules_operations);
- #endif
- #ifdef CONFIG_SCHEDSTATS
- create_seq_entry("schedstat", 0, &proc_schedstat_operations);
- #endif
--#ifdef CONFIG_PROC_KCORE
-+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
- proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
- if (proc_root_kcore) {
- proc_root_kcore->proc_fops = &proc_kcore_operations;
-diff -urN linux-2.6.12.6/fs/proc/root.c linux-2.6.12.6-gr-minimal/fs/proc/root.c
---- linux-2.6.12.6/fs/proc/root.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/fs/proc/root.c 2005-08-30 16:55:16.807317944 +0200
-@@ -52,7 +52,13 @@
- return;
- }
- proc_misc_init();
+ static int __init proc_devices_init(void)
+ {
+- proc_create("devices", 0, NULL, &proc_devinfo_operations);
++ int gr_mode = 0;
+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#else
- proc_net = proc_mkdir("net", NULL);
++ gr_mode = S_IRUSR;
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ gr_mode = S_IRUSR | S_IRGRP;
+#endif
- proc_net_stat = proc_mkdir("net/stat", NULL);
++ proc_create("devices", gr_mode, NULL, &proc_devinfo_operations);
+ return 0;
+ }
+ module_init(proc_devices_init);
+--- linux-2.6.26.orig/fs/proc/kcore.c 2008-12-25 00:26:37.000000000 +0100
++++ linux-2.6.26/fs/proc/kcore.c 2009-01-02 17:45:03.714922801 +0100
+@@ -404,10 +404,12 @@
- #ifdef CONFIG_SYSVIPC
-@@ -76,7 +82,15 @@
+ static int __init proc_kcore_init(void)
+ {
++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
+ proc_root_kcore = proc_create("kcore", S_IRUSR, NULL, &proc_kcore_operations);
+ if (proc_root_kcore)
+ proc_root_kcore->size =
+ (size_t)high_memory - PAGE_OFFSET + PAGE_SIZE;
++#endif
+ return 0;
+ }
+ module_init(proc_kcore_init);
+diff -urNp linux-2.6.26.orig/fs/proc/root.c linux-2.6.26/fs/proc/root.c
+--- linux-2.6.26.orig/fs/proc/root.c 2008-09-01 11:43:59.000000000 +0200
++++ linux-2.6.26/fs/proc/root.c 2008-09-02 12:17:21.000000000 +0200
+@@ -139,7 +139,15 @@ void __init proc_root_init(void)
#ifdef CONFIG_PROC_DEVICETREE
proc_device_tree_init();
#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
-+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
-+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
- proc_bus = proc_mkdir("bus", NULL);
+ proc_mkdir("bus", NULL);
+#endif
+ proc_sys_init();
+ proc_vx_init();
}
-
- static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd)
-diff -urN linux-2.6.12.6/include/linux/sched.h linux-2.6.12.6-gr-minimal/include/linux/sched.h
---- linux-2.6.12.6/include/linux/sched.h 2005-08-30 14:50:44.008073776 +0200
-+++ linux-2.6.12.6-gr-minimal/include/linux/sched.h 2005-08-30 16:57:22.493210784 +0200
-@@ -365,6 +365,13 @@
- struct key *session_keyring; /* keyring inherited over fork */
- struct key *process_keyring; /* keyring private to this process */
- #endif
-+#ifdef CONFIG_GRKERNSEC
-+ u32 curr_ip;
-+ u32 gr_saddr;
-+ u32 gr_daddr;
-+ u16 gr_sport;
-+ u16 gr_dport;
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_disabled.c linux-2.6.26/grsecurity/grsec_disabled.c
+--- linux-2.6.26.orig/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_disabled.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,6 @@
++void
++grsecurity_init(void)
++{
++ return;
++}
++
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_fifo.c linux-2.6.26/grsecurity/grsec_fifo.c
+--- linux-2.6.26.orig/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_fifo.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,20 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
++ const struct dentry *dir, const int flag, const int acc_mode)
++{
++#ifdef CONFIG_GRKERNSEC_FIFO
++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
++ (current->fsuid != dentry->d_inode->i_uid)) {
++ return -EACCES;
++ }
+#endif
- };
-
- /*
-diff -urN linux-2.6.12.6/kernel/signal.c linux-2.6.12.6-gr-minimal/kernel/signal.c
---- linux-2.6.12.6/kernel/signal.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/kernel/signal.c 2005-08-30 16:53:56.488528256 +0200
-@@ -318,6 +318,9 @@
- spin_unlock_irqrestore(&t->sighand->siglock, flags);
- }
-
-+#ifdef CONFIG_GRKERNSEC
-+extern void gr_del_task_from_ip_table(struct task_struct *task);
++ return 0;
++}
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_init.c linux-2.6.26/grsecurity/grsec_init.c
+--- linux-2.6.26.orig/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_init.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,29 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/smp_lock.h>
++#include <linux/slab.h>
++#include <linux/vmalloc.h>
++#include <linux/percpu.h>
++
++int grsec_enable_link;
++int grsec_enable_fifo;
++int grsec_lock;
++
++void
++grsecurity_init(void)
++{
++#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
++#ifndef CONFIG_GRKERNSEC_SYSCTL
++ grsec_lock = 1;
+#endif
- /*
- * This function expects the tasklist_lock write-locked.
- */
-@@ -356,6 +357,9 @@
- posix_cpu_timers_exit_group(tsk);
- if (tsk == sig->curr_target)
- sig->curr_target = next_thread(tsk);
-+#ifdef CONFIG_GRKERNSEC
-+ gr_del_task_from_ip_table(tsk);
-+#endif
- tsk->signal = NULL;
- spin_unlock(&sighand->siglock);
- flush_sigqueue(&sig->shared_pending);
-diff -urN linux-2.6.12.6/net/ipv4/tcp_ipv4.c linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c
---- linux-2.6.12.6/net/ipv4/tcp_ipv4.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/net/ipv4/tcp_ipv4.c 2005-08-30 16:53:51.152339480 +0200
-@@ -647,6 +647,10 @@
- inet->dport);
- }
-
++#ifdef CONFIG_GRKERNSEC_LINK
++ grsec_enable_link = 1;
++#endif
++#ifdef CONFIG_GRKERNSEC_FIFO
++ grsec_enable_fifo = 1;
++#endif
++#endif
++
++ return;
++}
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_link.c linux-2.6.26/grsecurity/grsec_link.c
+--- linux-2.6.26.orig/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_link.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,37 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/fs.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_follow_link(const struct inode *parent,
++ const struct inode *inode,
++ const struct dentry *dentry, const struct vfsmount *mnt)
++{
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++int
++gr_handle_hardlink(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ struct inode *inode, const int mode, const char *to)
++{
++#ifdef CONFIG_GRKERNSEC_LINK
++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
++ (!S_ISREG(mode) || (mode & S_ISUID) ||
++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
++ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
++ !capable(CAP_FOWNER) && current->uid) {
++ return -EPERM;
++ }
++#endif
++ return 0;
++}
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_sock.c linux-2.6.26/grsecurity/grsec_sock.c
+--- linux-2.6.26.orig/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_sock.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,170 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/sched.h>
++#include <linux/file.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <net/sock.h>
++#include <net/inet_sock.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
+#ifdef CONFIG_GRKERNSEC
-+extern void gr_add_to_task_ip_table(struct task_struct *task);
-+extern void gr_del_task_from_ip_table(struct task_struct *task);
++#define gr_conn_table_size 32749
++struct conn_table_entry {
++ struct conn_table_entry *next;
++ struct signal_struct *sig;
++};
++
++struct conn_table_entry *gr_conn_table[gr_conn_table_size];
++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
++
++extern const char * gr_socktype_to_name(unsigned char type);
++extern const char * gr_proto_to_name(unsigned char proto);
++
++static __inline__ int
++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
++{
++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
++}
++
++static __inline__ int
++conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
++ __u16 sport, __u16 dport)
++{
++ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
++ sig->gr_sport == sport && sig->gr_dport == dport))
++ return 1;
++ else
++ return 0;
++}
++
++static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
++{
++ struct conn_table_entry **match;
++ unsigned int index;
++
++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
++ sig->gr_sport, sig->gr_dport,
++ gr_conn_table_size);
++
++ newent->sig = sig;
++
++ match = &gr_conn_table[index];
++ newent->next = *match;
++ *match = newent;
++
++ return;
++}
++
++static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
++{
++ struct conn_table_entry *match, *last = NULL;
++ unsigned int index;
++
++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
++ sig->gr_sport, sig->gr_dport,
++ gr_conn_table_size);
++
++ match = gr_conn_table[index];
++ while (match && !conn_match(match->sig,
++ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
++ sig->gr_dport)) {
++ last = match;
++ match = match->next;
++ }
++
++ if (match) {
++ if (last)
++ last->next = match->next;
++ else
++ gr_conn_table[index] = NULL;
++ kfree(match);
++ }
++
++ return;
++}
++
++static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
++ __u16 sport, __u16 dport)
++{
++ struct conn_table_entry *match;
++ unsigned int index;
++
++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
++
++ match = gr_conn_table[index];
++ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
++ match = match->next;
++
++ if (match)
++ return match->sig;
++ else
++ return NULL;
++}
++
+#endif
- /*
- * Bind a port for a connect operation and hash it.
- */
-@@ -717,6 +719,15 @@
- }
- spin_unlock(&head->lock);
-
++
++void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
++{
+#ifdef CONFIG_GRKERNSEC
-+ gr_del_task_from_ip_table(current);
-+ current->signal->gr_saddr = inet_sk(sk)->rcv_saddr;
-+ current->signal->gr_daddr = inet_sk(sk)->daddr;
-+ current->signal->gr_sport = inet_sk(sk)->sport;
-+ current->signal->gr_dport = inet_sk(sk)->dport;
-+ gr_add_to_task_ip_table(current);
-+#endif
-+
- if (tw) {
- tcp_tw_deschedule(tw);
- tcp_tw_put(tw);
-diff -urN linux-2.6.12.6/net/socket.c linux-2.6.12.6-gr-minimal/net/socket.c
---- linux-2.6.12.6/net/socket.c 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/net/socket.c 2005-08-30 16:53:54.382848368 +0200
-@@ -81,6 +81,7 @@
- #include <linux/syscalls.h>
- #include <linux/compat.h>
- #include <linux/kmod.h>
-+#include <linux/in.h>
-
- #ifdef CONFIG_NET_RADIO
- #include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
-@@ -94,6 +95,9 @@
- #include <net/sock.h>
- #include <linux/netfilter.h>
-
++ struct signal_struct *sig = task->signal;
++ struct conn_table_entry *newent;
++
++ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
++ if (newent == NULL)
++ return;
++ /* no bh lock needed since we are called with bh disabled */
++ spin_lock(&gr_conn_table_lock);
++ gr_del_task_from_ip_table_nolock(sig);
++ sig->gr_saddr = inet->rcv_saddr;
++ sig->gr_daddr = inet->daddr;
++ sig->gr_sport = inet->sport;
++ sig->gr_dport = inet->dport;
++ gr_add_to_task_ip_table_nolock(sig, newent);
++ spin_unlock(&gr_conn_table_lock);
++#endif
++ return;
++}
++
++void gr_del_task_from_ip_table(struct task_struct *task)
++{
+#ifdef CONFIG_GRKERNSEC
-+extern void gr_attach_curr_ip(const struct sock *sk);
++ spin_lock(&gr_conn_table_lock);
++ gr_del_task_from_ip_table_nolock(task->signal);
++ spin_unlock(&gr_conn_table_lock);
+#endif
- static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
- static ssize_t sock_aio_read(struct kiocb *iocb, char __user *buf,
- size_t size, loff_t pos);
-@@ -1384,6 +1386,9 @@
- goto out_release;
-
- security_socket_post_accept(sock, newsock);
++ return;
++}
++
++void
++gr_attach_curr_ip(const struct sock *sk)
++{
+#ifdef CONFIG_GRKERNSEC
-+ gr_attach_curr_ip(newsock->sk);
++ struct signal_struct *p, *set;
++ const struct inet_sock *inet = inet_sk(sk);
++
++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
++ return;
++
++ set = current->signal;
++
++ spin_lock_bh(&gr_conn_table_lock);
++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
++ inet->dport, inet->sport);
++ if (unlikely(p != NULL)) {
++ set->curr_ip = p->curr_ip;
++ set->used_accept = 1;
++ gr_del_task_from_ip_table_nolock(p);
++ spin_unlock_bh(&gr_conn_table_lock);
++ return;
++ }
++ spin_unlock_bh(&gr_conn_table_lock);
++
++ set->curr_ip = inet->daddr;
++ set->used_accept = 1;
+#endif
-
- out_put:
- sockfd_put(sock);
-diff -urN linux-2.6.12.6/security/Kconfig linux-2.6.12.6-gr-minimal/security/Kconfig
---- linux-2.6.12.6/security/Kconfig 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/security/Kconfig 2005-08-30 16:55:16.808317792 +0200
-@@ -87,5 +87,99 @@
-
- source security/selinux/Kconfig
-
++ return;
++}
++
+diff -urNp linux-2.6.26.orig/grsecurity/grsec_sysctl.c linux-2.6.26/grsecurity/grsec_sysctl.c
+--- linux-2.6.26.orig/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/grsec_sysctl.c 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,52 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/sysctl.h>
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
++
++int
++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
++{
++#ifdef CONFIG_GRKERNSEC_SYSCTL
++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
++ return -EACCES;
++ }
++#endif
++ return 0;
++}
++
++#if defined(CONFIG_GRKERNSEC_SYSCTL)
++ctl_table grsecurity_table[] = {
++#ifdef CONFIG_GRKERNSEC_SYSCTL
++#ifdef CONFIG_GRKERNSEC_LINK
++ {
++ .ctl_name = CTL_UNNUMBERED,
++ .procname = "linking_restrictions",
++ .data = &grsec_enable_link,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++#ifdef CONFIG_GRKERNSEC_FIFO
++ {
++ .ctl_name = CTL_UNNUMBERED,
++ .procname = "fifo_restrictions",
++ .data = &grsec_enable_fifo,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++ {
++ .ctl_name = CTL_UNNUMBERED,
++ .procname = "grsec_lock",
++ .data = &grsec_lock,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
++ { .ctl_name = 0 }
++};
++#endif
+diff -urNp linux-2.6.26.orig/grsecurity/Kconfig linux-2.6.26/grsecurity/Kconfig
+--- linux-2.6.26.orig/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/Kconfig 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,123 @@
+#
+# grecurity configuration
+#
+
+config GRKERNSEC
+ bool "Grsecurity"
++ select CRYPTO
++ select CRYPTO_SHA256
++ select SECURITY
++ select SECURITY_CAPABILITIES
+ help
+ If you say Y here, you will be able to configure many features
+ that will enhance the security of your system. It is highly
+ /proc that keep normal users from viewing device information and
+ slabinfo information that could be useful for exploits.
+
-+config GRKERNSEC_PROC_IPADDR
-+ bool "/proc/<pid>/ipaddr support"
-+ help
-+ If you say Y here, a new entry will be added to each /proc/<pid>
-+ directory that contains the IP address of the person using the task.
-+ The IP is carried across local TCP and AF_UNIX stream sockets.
-+ This information can be useful for IDS/IPSes to perform remote response
-+ to a local attack. The entry is readable by only the owner of the
-+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
-+ the RBAC system), and thus does not create privacy concerns.
-+
+config GRKERNSEC_LINK
+ bool "Linking restrictions"
+ help
+ option is enabled, a sysctl option with name "fifo_restrictions" is
+ created.
+
-+endmenu
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
+
+endmenu
+
- endmenu
-
-diff -urN linux-2.6.12.6/security/Makefile linux-2.6.12.6-gr-minimal/security/Makefile
---- linux-2.6.12.6/security/Makefile 2005-08-29 18:55:27.000000000 +0200
-+++ linux-2.6.12.6-gr-minimal/security/Makefile 2005-08-30 16:57:57.950820408 +0200
-@@ -17,3 +17,4 @@
- obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
- obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
- obj-$(CONFIG_SECURITY_SECLVL) += seclvl.o
-+obj-$(CONFIG_GRKERNSEC) += grsec_sock.o
-diff -urN linux-2.6.12.6/security/grsec_sock.c linux-2.6.12.6-gr-minimal/security/grsec_sock.c
---- linux-2.6.12.6/security/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.12.6-gr-minimal/security/grsec_sock.c 2005-08-30 16:57:11.727847368 +0200
-@@ -0,0 +1,138 @@
-+#include <linux/kernel.h>
-+#include <linux/module.h>
-+#include <linux/sched.h>
-+#include <linux/file.h>
-+#include <linux/net.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <net/sock.h>
-+
-+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
-+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
-+EXPORT_SYMBOL(udp_v4_lookup);
-+#endif
-+
-+#ifdef CONFIG_GRKERNSEC
-+#define gr_conn_table_size 65521
-+struct signal_struct *gr_conn_table[gr_conn_table_size];
-+struct signal_struct *deleted_conn = (struct signal_struct *)~0;
-+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
-+
-+static __inline__ int
-+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
-+{
-+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
-+}
-+
-+static __inline__ int
-+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
-+ __u16 sport, __u16 dport)
-+{
-+ if (unlikely(sig != deleted_conn && sig->gr_saddr == saddr &&
-+ sig->gr_daddr == daddr && sig->gr_sport == sport &&
-+ sig->gr_dport == dport))
-+ return 1;
-+ else
-+ return 0;
-+}
-+
-+void gr_add_to_task_ip_table(struct task_struct *task)
-+{
-+ unsigned int index;
-+ struct signal_struct *sig = task->signal;
++config GRKERNSEC_SYSCTL
++ bool "Sysctl support"
++ help
++ If you say Y here, you will be able to change the options that
++ grsecurity runs with at bootup, without having to recompile your
++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
++ to enable (1) or disable (0) various features. All the sysctl entries
++ are mutable until the "grsec_lock" entry is set to a non-zero value.
++ All features enabled in the kernel configuration are disabled at boot
++ if you do not say Y to the "Turn on features by default" option.
++ All options should be set at startup, and the grsec_lock entry should
++ be set to a non-zero value after all the options are set.
++ *THIS IS EXTREMELY IMPORTANT*
+
-+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
-+ sig->gr_sport, sig->gr_dport,
-+ gr_conn_table_size);
++config GRKERNSEC_SYSCTL_ON
++ bool "Turn on features by default"
++ depends on GRKERNSEC_SYSCTL
++ help
++ If you say Y here, instead of having all features enabled in the
++ kernel configuration disabled at boot time, the features will be
++ enabled at boot time. It is recommended you say Y here unless
++ there is some reason you would want all sysctl-tunable features to
++ be disabled by default. As mentioned elsewhere, it is important
++ to enable the grsec_lock entry once you have finished modifying
++ the sysctl entries.
+
-+ spin_lock(&gr_conn_table_lock);
++endmenu
+diff -urNp linux-2.6.26.orig/grsecurity/Makefile linux-2.6.26/grsecurity/Makefile
+--- linux-2.6.26.orig/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/grsecurity/Makefile 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,11 @@
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler, and released under the GPL v2 or higher
+
-+ while (gr_conn_table[index] && gr_conn_table[index] != deleted_conn) {
-+ index = (index + 1) % gr_conn_table_size;
-+ }
++obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
+
-+ gr_conn_table[index] = sig;
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o
+
-+ spin_unlock(&gr_conn_table_lock);
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
+
-+ return;
-+}
+diff -urNp linux-2.6.26.orig/include/linux/grinternal.h linux-2.6.26/include/linux/grinternal.h
+--- linux-2.6.26.orig/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/include/linux/grinternal.h 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,14 @@
++#ifndef __GRINTERNAL_H
++#define __GRINTERNAL_H
+
-+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
-+{
-+ unsigned int index;
++#ifdef CONFIG_GRKERNSEC
+
-+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
-+ sig->gr_sport, sig->gr_dport,
-+ gr_conn_table_size);
++#include <linux/fs.h>
+
-+ while (gr_conn_table[index] && !conn_match(gr_conn_table[index],
-+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
-+ sig->gr_dport)) {
-+ index = (index + 1) % gr_conn_table_size;
-+ }
++extern int grsec_enable_link;
++extern int grsec_enable_fifo;
++extern int grsec_lock;
+
-+ if (gr_conn_table[index]) {
-+ if (gr_conn_table[(index + 1) % gr_conn_table_size])
-+ gr_conn_table[index] = deleted_conn;
-+ else
-+ gr_conn_table[index] = NULL;
-+ }
++#endif
+
-+ return;
-+}
++#endif
+diff -urNp linux-2.6.26.orig/include/linux/grsecurity.h linux-2.6.26/include/linux/grsecurity.h
+--- linux-2.6.26.orig/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.26/include/linux/grsecurity.h 2008-09-02 12:17:21.000000000 +0200
+@@ -0,0 +1,18 @@
++#ifndef GR_SECURITY_H
++#define GR_SECURITY_H
++#include <linux/fs.h>
++#include <linux/binfmts.h>
+
-+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
-+ __u16 sport, __u16 dport)
-+{
-+ unsigned int index;
++void gr_del_task_from_ip_table(struct task_struct *p);
+
-+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
++int gr_handle_follow_link(const struct inode *parent,
++ const struct inode *inode,
++ const struct dentry *dentry);
++int gr_handle_fifo(const struct dentry *dentry,
++ const struct dentry *dir, const int flag,
++ const int acc_mode);
++int gr_handle_hardlink(const struct dentry *dentry,
++ struct inode *inode,
++ const int mode, const char *to);
+
-+ while (gr_conn_table[index] && !conn_match(gr_conn_table[index],
-+ saddr, daddr, sport, dport)) {
-+ index = (index + 1) % gr_conn_table_size;
-+ }
++#endif
+diff -urNp linux-2.6.26.orig/include/linux/sched.h linux-2.6.26/include/linux/sched.h
+--- linux-2.6.26.orig/include/linux/sched.h 2008-09-01 11:43:34.000000000 +0200
++++ linux-2.6.26/include/linux/sched.h 2008-09-02 12:17:21.000000000 +0200
+@@ -544,6 +544,15 @@ struct signal_struct {
+ unsigned audit_tty;
+ struct tty_audit_buf *tty_audit_buf;
+ #endif
+
-+ return gr_conn_table[index];
-+}
++#ifdef CONFIG_GRKERNSEC
++ u32 curr_ip;
++ u32 gr_saddr;
++ u32 gr_daddr;
++ u16 gr_sport;
++ u16 gr_dport;
++ u8 used_accept:1;
++#endif
+ };
+
+ /* Context switch must be unlocked if interrupts are to be enabled */
+diff -urNp linux-2.6.26.orig/include/linux/sysctl.h linux-2.6.26/include/linux/sysctl.h
+--- linux-2.6.26.orig/include/linux/sysctl.h 2008-09-01 11:43:34.000000000 +0200
++++ linux-2.6.26/include/linux/sysctl.h 2008-09-02 12:17:21.000000000 +0200
+@@ -165,8 +165,11 @@ enum
+ KERN_MAX_LOCK_DEPTH=74,
+ KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
+ KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
+-};
++#ifdef CONFIG_GRKERNSEC
++ KERN_GRSECURITY=98, /* grsecurity */
++#endif
+
++};
+
+
+ /* CTL_VM names: */
+diff -urNp linux-2.6.26.orig/kernel/configs.c linux-2.6.26/kernel/configs.c
+--- linux-2.6.26.orig/kernel/configs.c 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/kernel/configs.c 2008-09-02 12:17:21.000000000 +0200
+@@ -79,8 +79,19 @@ static int __init ikconfig_init(void)
+ struct proc_dir_entry *entry;
+
+ /* create the current config file */
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
++ &ikconfig_file_ops);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
++ &ikconfig_file_ops);
++#endif
++#else
+ entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
+ &ikconfig_file_ops);
++#endif
+
+ if (!entry)
+ return -ENOMEM;
+
+diff -urNp linux-2.6.26.orig/kernel/exit.c linux-2.6.26/kernel/exit.c
+--- linux-2.6.26.orig/kernel/exit.c 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/kernel/exit.c 2008-09-02 12:17:21.000000000 +0200
+@@ -50,6 +50,7 @@
+ #include <linux/vs_pid.h>
+ #include <linux/vserver/global.h>
+ #include <trace/sched.h>
++#include <linux/grsecurity.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+@@ -137,6 +138,7 @@ static void __exit_signal(struct task_st
+ */
+ flush_sigqueue(&tsk->pending);
+
++ gr_del_task_from_ip_table(tsk);
+ tsk->signal = NULL;
+ tsk->sighand = NULL;
+ spin_unlock(&sighand->siglock);
+diff -urNp linux-2.6.26.orig/kernel/kallsyms.c linux-2.6.26/kernel/kallsyms.c
+--- linux-2.6.26.orig/kernel/kallsyms.c 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/kernel/kallsyms.c 2008-09-02 12:17:21.000000000 +0200
+@@ -472,7 +472,15 @@ static const struct file_operations kall
+
+ static int __init kallsyms_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_create("kallsyms", S_IFREG | S_IRUSR, NULL, &kallsyms_operations);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_create("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL, &kallsyms_operations);
++#endif
++#else
+ proc_create("kallsyms", 0444, NULL, &kallsyms_operations);
++#endif
+ return 0;
+ }
+ __initcall(kallsyms_init);
+diff -urNp linux-2.6.26.orig/kernel/resource.c linux-2.6.26/kernel/resource.c
+--- linux-2.6.26.orig/kernel/resource.c 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/kernel/resource.c 2008-09-02 12:17:21.000000000 +0200
+@@ -131,8 +131,18 @@ static const struct file_operations proc
+
+ static int __init ioresources_init(void)
+ {
++#ifdef CONFIG_GRKERNSEC_PROC_ADD
++#ifdef CONFIG_GRKERNSEC_PROC_USER
++ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
++ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
++ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
++ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
+#endif
++#else
+ proc_create("ioports", 0, NULL, &proc_ioports_operations);
+ proc_create("iomem", 0, NULL, &proc_iomem_operations);
++#endif
+ return 0;
+ }
+ __initcall(ioresources_init);
+diff -urNp linux-2.6.26.orig/kernel/sysctl.c linux-2.6.26/kernel/sysctl.c
+--- linux-2.6.26.orig/kernel/sysctl.c 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/kernel/sysctl.c 2008-09-02 12:17:21.000000000 +0200
+@@ -59,6 +59,11 @@
+ static int deprecated_sysctl_warning(struct __sysctl_args *args);
+
+ #if defined(CONFIG_SYSCTL)
++#include <linux/grsecurity.h>
++#include <linux/grinternal.h>
+
-+void gr_del_task_from_ip_table(struct task_struct *task)
-+{
-+#ifdef CONFIG_GRKERNSEC
-+ spin_lock(&gr_conn_table_lock);
-+ gr_del_task_from_ip_table_nolock(task->signal);
-+ spin_unlock(&gr_conn_table_lock);
++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
++ const int op);
+
+ /* External variables not in a header file. */
+ extern int C_A_D;
+@@ -153,6 +158,7 @@ static int proc_do_cad_pid(struct ctl_ta
+ static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
+ #endif
++extern ctl_table grsecurity_table[];
+
+ static struct ctl_table root_table[];
+ static struct ctl_table_root sysctl_table_root;
+@@ -823,6 +829,15 @@ static struct ctl_table kern_table[] = {
+ .child = key_sysctls,
+ },
+ #endif
++
++#if defined(CONFIG_GRKERNSEC_SYSCTL)
++ {
++ .ctl_name = CTL_UNNUMBERED,
++ .procname = "grsecurity",
++ .mode = 0500,
++ .child = grsecurity_table,
++ },
+#endif
-+ return;
-+}
+ /*
+ * NOTE: do not add new entries to this table unless you have read
+ * Documentation/sysctl/ctl_unnumbered.txt
+@@ -1585,6 +1600,10 @@ int sysctl_perm(struct ctl_table_root *r
+ int error;
+ int mode;
+
++ if (table->parent != NULL && table->parent->procname != NULL &&
++ table->procname != NULL &&
++ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
++ return -EACCES;
+ error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
+ if (error)
+ return error;
+diff -urNp linux-2.6.26.orig/Makefile linux-2.6.26/Makefile
+--- linux-2.6.26.orig/Makefile 2008-09-01 11:44:01.000000000 +0200
++++ linux-2.6.26/Makefile 2008-09-02 12:17:21.000000000 +0200
+@@ -607,7 +607,7 @@ export mod_strip_cmd
+
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urNp linux-2.6.26.orig/net/ipv4/inet_hashtables.c linux-2.6.26/net/ipv4/inet_hashtables.c
+--- linux-2.6.26.orig/net/ipv4/inet_hashtables.c 2008-09-01 11:43:37.000000000 +0200
++++ linux-2.6.26/net/ipv4/inet_hashtables.c 2008-09-02 12:17:21.000000000 +0200
+@@ -18,12 +18,15 @@
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/wait.h>
++#include <linux/grsecurity.h>
+
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/route.h>
+ #include <net/ip.h>
+
++extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
+
-+void
-+gr_attach_curr_ip(const struct sock *sk)
-+{
-+#ifdef CONFIG_GRKERNSEC
-+ struct signal_struct *p, *set;
-+ const struct inet_sock *inet = inet_sk(sk);
+ /*
+ * Allocate and initialize a new local port bind bucket.
+ * The bindhash mutex for snum's hash chain must be held here.
+@@ -484,6 +487,8 @@ ok:
+ }
+ spin_unlock(&head->lock);
+
++ gr_update_task_in_ip_table(current, inet_sk(sk));
+
-+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
-+ return;
+ if (tw) {
+ inet_twsk_deschedule(tw, death_row);
+ inet_twsk_put(tw);
+diff -urNp linux-2.6.26.orig/net/socket.c linux-2.6.26/net/socket.c
+--- linux-2.6.26.orig/net/socket.c 2008-09-01 11:43:36.000000000 +0200
++++ linux-2.6.26/net/socket.c 2008-09-02 12:17:21.000000000 +0200
+@@ -85,6 +85,7 @@
+ #include <linux/audit.h>
+ #include <linux/wireless.h>
+ #include <linux/nsproxy.h>
++#include <linux/in.h>
+
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+@@ -98,6 +99,8 @@
+ #include <linux/vs_inet.h>
+ #include <linux/vs_inet6.h>
+
++extern void gr_attach_curr_ip(const struct sock *sk);
+
-+ set = current->signal;
+ static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
+ static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
+ unsigned long nr_segs, loff_t pos);
+@@ -1577,6 +1577,8 @@
+ fd_install(newfd, newfile);
+ err = newfd;
+
++ gr_attach_curr_ip(newsock->sk);
+
-+ spin_lock(&gr_conn_table_lock);
-+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
-+ inet->dport, inet->sport);
-+ if (unlikely(p != NULL)) {
-+ set->curr_ip = p->curr_ip;
-+ gr_del_task_from_ip_table_nolock(p);
-+ spin_unlock(&gr_conn_table_lock);
-+ return;
-+ }
-+ spin_unlock(&gr_conn_table_lock);
+ out_put:
+ fput_light(sock->file, fput_needed);
+ out:
+diff -urNp linux-2.6.26.orig/security/Kconfig linux-2.6.26/security/Kconfig
+--- linux-2.6.26.orig/security/Kconfig 2008-09-01 11:43:58.000000000 +0200
++++ linux-2.6.26/security/Kconfig 2008-09-02 12:17:21.000000000 +0200
+@@ -4,6 +4,8 @@
+
+ menu "Security options"
+
++source grsecurity/Kconfig
+
-+ set->curr_ip = inet->daddr;
-+#endif
-+ return;
-+}
+ config KEYS
+ bool "Enable access key retention support"
+ help