Gentoo Archives: gentoo-commits

From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r93 - in hardened-sources/2.6/tags: . 2.6.24-2
Date: Wed, 30 Apr 2008 11:40:36
Message-Id: E1JrAcx-0001Cc-Cz@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:37:34 +0000 (Wed, 30 Apr 2008)
3 New Revision: 93
4
5 Added:
6 hardened-sources/2.6/tags/2.6.24-2/
7 hardened-sources/2.6/tags/2.6.24-2/0000_README
8 hardened-sources/2.6/tags/2.6.24-2/1005_linux-2.6.24.Q_tehuti-check-register-size.patch
9 hardened-sources/2.6/tags/2.6.24-2/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch
10 hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.5-200804211829.patch
11 hardened-sources/2.6/tags/2.6.24-2/4425_grsec-kconfig-default-gids.patch
12 hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-gentoo.patch
13 hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-pax-without-grsec.patch
14 hardened-sources/2.6/tags/2.6.24-2/4440_disable-compat_vdso.patch
15 hardened-sources/2.6/tags/2.6.24-2/4445_grsec-2.1.11-mute-warnings.patch
16 hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-pax-curr_ip-fixes.patch
17 hardened-sources/2.6/tags/2.6.24-2/4455_selinux-avc_audit-log-curr_ip.patch
18 Removed:
19 hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.4-200803262003.patch
20 hardened-sources/2.6/tags/2.6.24-2/4425_alpha-sysctl-uac-for-hardened.patch
21 hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-default-gids.patch
22 hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-gentoo.patch
23 hardened-sources/2.6/tags/2.6.24-2/4440_grsec-kconfig-pax-without-grsec.patch
24 hardened-sources/2.6/tags/2.6.24-2/4445_disable-compat_vdso.patch
25 hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-mute-warnings.patch
26 hardened-sources/2.6/tags/2.6.24-2/4455_grsec-2.1.11-pax-curr_ip-fixes.patch
27 hardened-sources/2.6/tags/2.6.24-2/4460_selinux-avc_audit-log-curr_ip.patch
28 Log:
29 Tagging hardened-patches-2.6.24-2.
30
31 Copied: hardened-sources/2.6/tags/2.6.24-2 (from rev 89, hardened-sources/2.6/trunk/2.6.24)
32
33 Copied: hardened-sources/2.6/tags/2.6.24-2/0000_README (from rev 92, hardened-sources/2.6/trunk/2.6.24/0000_README)
34 ===================================================================
35 --- hardened-sources/2.6/tags/2.6.24-2/0000_README (rev 0)
36 +++ hardened-sources/2.6/tags/2.6.24-2/0000_README 2008-04-30 11:37:34 UTC (rev 93)
37 @@ -0,0 +1,55 @@
38 +README
39 +------------------------------------------------------------------------------
40 +
41 +Individual Patch Descriptions:
42 +------------------------------------------------------------------------------
43 +Patch: 1005_linux-2.6.24.Q_tehuti-check-register-size.patch
44 +From: Francois Romieu <romieu@×××××××××.com>
45 +Desc: Fix for CVE-2008-1675 (retrieved from 2.6.24 stable queue)
46 +
47 +Patch: 1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch
48 +From: Jeff Garzik <jeff@××××××.org>
49 +Desc: Fix for CVE-2008-1675 (retrieved from 2.6.24 stable queue)
50 +
51 +Patch: 4420_grsec-2.1.11-2.6.24.5-200804211829.patch
52 +From: http://www.grsecurity.net
53 +Desc: hardened-sources base patch from upstream grsecurity
54 +
55 +Patch: 4421_remove-localversion-grsec.patch
56 +From: Kerin Millar <kerframil@×××××.com>
57 +Desc: Removes grsecurity's -localversion file
58 +
59 +Patch: 4425_grsec-kconfig-default-gids.patch
60 +From: Kerin Millar <kerframil@×××××.com>
61 +Desc: Sets sane(r) default GIDs on various grsecurity group-dependent
62 + features
63 +
64 +Patch: 4430_grsec-kconfig-gentoo.patch
65 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
66 + Kerin Millar <kerframil@×××××.com>
67 +Desc: Adds Hardened Gentoo [server/workstation] security levels, sets
68 + Hardened Gentoo [workstation] as default
69 +
70 +Patch: 4435_grsec-kconfig-pax-without-grsec.patch
71 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72 +Desc: Allows PaX features to be selected without enabling GRKERNSEC
73 +
74 +Patch: 4440_disable-compat_vdso.patch
75 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
76 + Kerin Millar <kerframil@×××××.com>
77 +Desc: Disables VDSO_COMPAT operation completely
78 +
79 +Patch: 4445_grsec-2.1.11-mute-warnings.patch
80 +From: Alexander Gabert <gaberta@××××××××.de>
81 +Desc: Removes verbose compile warning settings from grsecurity, restores
82 + mainline Linux kernel behavior
83 +
84 +Patch: 4450_grsec-2.1.11-pax-curr_ip-fixes.patch
85 +From: <Unknown>
86 +Desc: Fixes grsecurity attempting to add IP address to log messages when
87 + GRKERNSEC_PROC_IPADDR is not defined
88 +
89 +Patch: 4455_selinux-avc_audit-log-curr_ip.patch
90 +From: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
91 +Desc: Adds IP address to SELinux AVC audit log if GRKERNSEC_PROC_IPADDR
92 + is defined
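Review bot: the README describes 4421_remove-localversion-grsec.patch ("Removes grsecurity's -localversion file"), but no 4421 file appears in this commit's Added list for the 2.6.24-2 tag, which carries 1005, 1006, 4420, 4425, 4430, 4435, 4440, 4445, 4450 and 4455; since the tag directory was copied from trunk at rev 89, the patch must already have been present there for this entry to be accurate, so confirm it is actually in the tag rather than a stale entry. A smaller point: the two tehuti entries both read "Fix for CVE-2008-1675 (retrieved from 2.6.24 stable queue)", so a reader cannot tell that 1005 adds the register range check while 1006 extends the CAP_NET_ADMIN check to reads; one clause each would make the series self-documenting.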
93
94 Copied: hardened-sources/2.6/tags/2.6.24-2/1005_linux-2.6.24.Q_tehuti-check-register-size.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/1005_linux-2.6.24.Q_tehuti-check-register-size.patch)
95 ===================================================================
96 --- hardened-sources/2.6/tags/2.6.24-2/1005_linux-2.6.24.Q_tehuti-check-register-size.patch (rev 0)
97 +++ hardened-sources/2.6/tags/2.6.24-2/1005_linux-2.6.24.Q_tehuti-check-register-size.patch 2008-04-30 11:37:34 UTC (rev 93)
98 @@ -0,0 +1,52 @@
99 +From 6131a2601f42cd7fdbac0e960713396fe68af59f Mon Sep 17 00:00:00 2001
100 +From: Francois Romieu <romieu@×××××××××.com>
101 +Date: Sun, 20 Apr 2008 19:32:34 +0200
102 +Subject: tehuti: check register size (CVE-2008-1675)
103 +
104 +From: Francois Romieu <romieu@×××××××××.com>
105 +
106 +Signed-off-by: Francois Romieu <romieu@×××××××××.com>
107 +Signed-off-by: Jeff Garzik <jgarzik@××××××.com>
108 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
109 +
110 +---
111 + drivers/net/tehuti.c | 14 ++++++++++++++
112 + 1 file changed, 14 insertions(+)
113 +
114 +--- a/drivers/net/tehuti.c
115 ++++ b/drivers/net/tehuti.c
116 +@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes
117 + s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
118 + }
119 +
120 ++static int bdx_range_check(struct bdx_priv *priv, u32 offset)
121 ++{
122 ++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
123 ++ -EINVAL : 0;
124 ++}
125 ++
126 + static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
127 + {
128 + struct bdx_priv *priv = ndev->priv;
129 +@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev
130 + switch (data[0]) {
131 +
132 + case BDX_OP_READ:
133 ++ error = bdx_range_check(priv, data[1]);
134 ++ if (error < 0)
135 ++ return error;
136 + data[2] = READ_REG(priv, data[1]);
137 + DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
138 + data[2]);
139 +@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev
140 + break;
141 +
142 + case BDX_OP_WRITE:
143 ++ if (!capable(CAP_NET_ADMIN))
144 ++ return -EPERM;
145 ++ error = bdx_range_check(priv, data[1]);
146 ++ if (error < 0)
147 ++ return error;
148 + WRITE_REG(priv, data[1], data[2]);
149 + DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
150 + break;
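Review bot: bdx_range_check() still accepts an offset equal to BDX_REGS_SIZE / priv->nic->port_num, because the comparison is `>` rather than `>=`, so the boundary value reaches READ_REG()/WRITE_REG(); nothing requires the offset to be 4-byte aligned either, so an offset just below the limit can straddle it. Assuming the register window is a half-open range and the accessors are 32-bit (the hunk does not show either), `return (offset >= (u32)(BDX_REGS_SIZE / priv->nic->port_num) || (offset & 3)) ? -EINVAL : 0;` would close both gaps. Note also that the capable(CAP_NET_ADMIN) test is added only under BDX_OP_WRITE, so the read path remains open to any caller able to issue the ioctl; the 1006 patch later in this commit moves that check ahead of the switch.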
151
152 Copied: hardened-sources/2.6/tags/2.6.24-2/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch)
153 ===================================================================
154 --- hardened-sources/2.6/tags/2.6.24-2/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch (rev 0)
155 +++ hardened-sources/2.6/tags/2.6.24-2/1006_linux-2.6.24.Q_tehuti-move-ioctl-perm-check-closer-to-function-start.patch 2008-04-30 11:37:34 UTC (rev 93)
156 @@ -0,0 +1,39 @@
157 +From f946dffed6334f08da065a89ed65026ebf8b33b4 Mon Sep 17 00:00:00 2001
158 +From: Jeff Garzik <jeff@××××××.org>
159 +Date: Fri, 25 Apr 2008 03:11:31 -0400
160 +Subject: tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
161 +
162 +From: Jeff Garzik <jeff@××××××.org>
163 +
164 +Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream
165 +
166 +Noticed by davem.
167 +
168 +Signed-off-by: Jeff Garzik <jgarzik@××××××.com>
169 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
170 +
171 +---
172 + drivers/net/tehuti.c | 5 +++--
173 + 1 file changed, 3 insertions(+), 2 deletions(-)
174 +
175 +--- a/drivers/net/tehuti.c
176 ++++ b/drivers/net/tehuti.c
177 +@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev
178 + DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
179 + }
180 +
181 ++ if (!capable(CAP_NET_ADMIN))
182 ++ return -EPERM;
183 ++
184 + switch (data[0]) {
185 +
186 + case BDX_OP_READ:
187 +@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev
188 + break;
189 +
190 + case BDX_OP_WRITE:
191 +- if (!capable(CAP_NET_ADMIN))
192 +- return -EPERM;
193 + error = bdx_range_check(priv, data[1]);
194 + if (error < 0)
195 + return error;
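Review bot: hoisting the capable(CAP_NET_ADMIN) test above the switch is the right shape, since it now guards BDX_OP_READ as well as BDX_OP_WRITE rather than only the write case the 1005 patch covered, and the second hunk correctly drops the now-redundant per-case check while keeping bdx_range_check() in place. One remaining point: the DBG("%d 0x%x 0x%x\n", ...) call in the context lines just above still runs before the permission check, so an unprivileged caller's request values are still logged; if nothing earlier in bdx_ioctl_priv() depends on data[], the check could move to the top of the function so that the copy and debug path are skipped as well.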
196
197 Deleted: hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.4-200803262003.patch
198 ===================================================================
199 --- hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.4-200803262003.patch 2008-04-07 12:57:31 UTC (rev 89)
200 +++ hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.4-200803262003.patch 2008-04-30 11:37:34 UTC (rev 93)
201 @@ -1,37453 +0,0 @@
202 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/module.c linux-2.6.24.4/arch/alpha/kernel/module.c
203 ---- linux-2.6.24.4/arch/alpha/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
204 -+++ linux-2.6.24.4/arch/alpha/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
205 -@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
206 -
207 - /* The small sections were sorted to the end of the segment.
208 - The following should definitely cover them. */
209 -- gp = (u64)me->module_core + me->core_size - 0x8000;
210 -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
211 - got = sechdrs[me->arch.gotsecindex].sh_addr;
212 -
213 - for (i = 0; i < n; i++) {
214 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/osf_sys.c linux-2.6.24.4/arch/alpha/kernel/osf_sys.c
215 ---- linux-2.6.24.4/arch/alpha/kernel/osf_sys.c 2008-03-24 14:49:18.000000000 -0400
216 -+++ linux-2.6.24.4/arch/alpha/kernel/osf_sys.c 2008-03-26 17:56:55.000000000 -0400
217 -@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
218 - merely specific addresses, but regions of memory -- perhaps
219 - this feature should be incorporated into all ports? */
220 -
221 -+#ifdef CONFIG_PAX_RANDMMAP
222 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
223 -+#endif
224 -+
225 - if (addr) {
226 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
227 - if (addr != (unsigned long) -ENOMEM)
228 -@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
229 - }
230 -
231 - /* Next, try allocating at TASK_UNMAPPED_BASE. */
232 -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
233 -- len, limit);
234 -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
235 -+
236 - if (addr != (unsigned long) -ENOMEM)
237 - return addr;
238 -
239 -diff -urNp linux-2.6.24.4/arch/alpha/kernel/ptrace.c linux-2.6.24.4/arch/alpha/kernel/ptrace.c
240 ---- linux-2.6.24.4/arch/alpha/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
241 -+++ linux-2.6.24.4/arch/alpha/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
242 -@@ -15,6 +15,7 @@
243 - #include <linux/slab.h>
244 - #include <linux/security.h>
245 - #include <linux/signal.h>
246 -+#include <linux/grsecurity.h>
247 -
248 - #include <asm/uaccess.h>
249 - #include <asm/pgtable.h>
250 -@@ -266,6 +267,9 @@ long arch_ptrace(struct task_struct *chi
251 - size_t copied;
252 - long ret;
253 -
254 -+ if (gr_handle_ptrace(child, request))
255 -+ return -EPERM;
256 -+
257 - switch (request) {
258 - /* When I and D space are separate, these will need to be fixed. */
259 - case PTRACE_PEEKTEXT: /* read word at location addr. */
260 -diff -urNp linux-2.6.24.4/arch/alpha/mm/fault.c linux-2.6.24.4/arch/alpha/mm/fault.c
261 ---- linux-2.6.24.4/arch/alpha/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
262 -+++ linux-2.6.24.4/arch/alpha/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
263 -@@ -23,6 +23,7 @@
264 - #include <linux/smp.h>
265 - #include <linux/interrupt.h>
266 - #include <linux/module.h>
267 -+#include <linux/binfmts.h>
268 -
269 - #include <asm/system.h>
270 - #include <asm/uaccess.h>
271 -@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
272 - __reload_thread(pcb);
273 - }
274 -
275 -+#ifdef CONFIG_PAX_PAGEEXEC
276 -+/*
277 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
278 -+ *
279 -+ * returns 1 when task should be killed
280 -+ * 2 when patched PLT trampoline was detected
281 -+ * 3 when unpatched PLT trampoline was detected
282 -+ */
283 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
284 -+{
285 -+
286 -+#ifdef CONFIG_PAX_EMUPLT
287 -+ int err;
288 -+
289 -+ do { /* PaX: patched PLT emulation #1 */
290 -+ unsigned int ldah, ldq, jmp;
291 -+
292 -+ err = get_user(ldah, (unsigned int *)regs->pc);
293 -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
294 -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
295 -+
296 -+ if (err)
297 -+ break;
298 -+
299 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
300 -+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
301 -+ jmp == 0x6BFB0000U)
302 -+ {
303 -+ unsigned long r27, addr;
304 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
305 -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
306 -+
307 -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
308 -+ err = get_user(r27, (unsigned long *)addr);
309 -+ if (err)
310 -+ break;
311 -+
312 -+ regs->r27 = r27;
313 -+ regs->pc = r27;
314 -+ return 2;
315 -+ }
316 -+ } while (0);
317 -+
318 -+ do { /* PaX: patched PLT emulation #2 */
319 -+ unsigned int ldah, lda, br;
320 -+
321 -+ err = get_user(ldah, (unsigned int *)regs->pc);
322 -+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
323 -+ err |= get_user(br, (unsigned int *)(regs->pc+8));
324 -+
325 -+ if (err)
326 -+ break;
327 -+
328 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
329 -+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
330 -+ (br & 0xFFE00000U) == 0xC3E00000U)
331 -+ {
332 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
333 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
334 -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
335 -+
336 -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
337 -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
338 -+ return 2;
339 -+ }
340 -+ } while (0);
341 -+
342 -+ do { /* PaX: unpatched PLT emulation */
343 -+ unsigned int br;
344 -+
345 -+ err = get_user(br, (unsigned int *)regs->pc);
346 -+
347 -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
348 -+ unsigned int br2, ldq, nop, jmp;
349 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
350 -+
351 -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
352 -+ err = get_user(br2, (unsigned int *)addr);
353 -+ err |= get_user(ldq, (unsigned int *)(addr+4));
354 -+ err |= get_user(nop, (unsigned int *)(addr+8));
355 -+ err |= get_user(jmp, (unsigned int *)(addr+12));
356 -+ err |= get_user(resolver, (unsigned long *)(addr+16));
357 -+
358 -+ if (err)
359 -+ break;
360 -+
361 -+ if (br2 == 0xC3600000U &&
362 -+ ldq == 0xA77B000CU &&
363 -+ nop == 0x47FF041FU &&
364 -+ jmp == 0x6B7B0000U)
365 -+ {
366 -+ regs->r28 = regs->pc+4;
367 -+ regs->r27 = addr+16;
368 -+ regs->pc = resolver;
369 -+ return 3;
370 -+ }
371 -+ }
372 -+ } while (0);
373 -+#endif
374 -+
375 -+ return 1;
376 -+}
377 -+
378 -+void pax_report_insns(void *pc, void *sp)
379 -+{
380 -+ unsigned long i;
381 -+
382 -+ printk(KERN_ERR "PAX: bytes at PC: ");
383 -+ for (i = 0; i < 5; i++) {
384 -+ unsigned int c;
385 -+ if (get_user(c, (unsigned int *)pc+i))
386 -+ printk("???????? ");
387 -+ else
388 -+ printk("%08x ", c);
389 -+ }
390 -+ printk("\n");
391 -+}
392 -+#endif
393 -
394 - /*
395 - * This routine handles page faults. It determines the address,
396 -@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
397 - good_area:
398 - si_code = SEGV_ACCERR;
399 - if (cause < 0) {
400 -- if (!(vma->vm_flags & VM_EXEC))
401 -+ if (!(vma->vm_flags & VM_EXEC)) {
402 -+
403 -+#ifdef CONFIG_PAX_PAGEEXEC
404 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
405 -+ goto bad_area;
406 -+
407 -+ up_read(&mm->mmap_sem);
408 -+ switch (pax_handle_fetch_fault(regs)) {
409 -+
410 -+#ifdef CONFIG_PAX_EMUPLT
411 -+ case 2:
412 -+ case 3:
413 -+ return;
414 -+#endif
415 -+
416 -+ }
417 -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
418 -+ do_group_exit(SIGKILL);
419 -+#else
420 - goto bad_area;
421 -+#endif
422 -+
423 -+ }
424 - } else if (!cause) {
425 - /* Allow reads even for write-only mappings */
426 - if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
427 -diff -urNp linux-2.6.24.4/arch/arm/mm/mmap.c linux-2.6.24.4/arch/arm/mm/mmap.c
428 ---- linux-2.6.24.4/arch/arm/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
429 -+++ linux-2.6.24.4/arch/arm/mm/mmap.c 2008-03-26 17:56:55.000000000 -0400
430 -@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
431 - if (len > TASK_SIZE)
432 - return -ENOMEM;
433 -
434 -+#ifdef CONFIG_PAX_RANDMMAP
435 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
436 -+#endif
437 -+
438 - if (addr) {
439 - if (do_align)
440 - addr = COLOUR_ALIGN(addr, pgoff);
441 -@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
442 - return addr;
443 - }
444 - if (len > mm->cached_hole_size) {
445 -- start_addr = addr = mm->free_area_cache;
446 -+ start_addr = addr = mm->free_area_cache;
447 - } else {
448 -- start_addr = addr = TASK_UNMAPPED_BASE;
449 -- mm->cached_hole_size = 0;
450 -+ start_addr = addr = mm->mmap_base;
451 -+ mm->cached_hole_size = 0;
452 - }
453 -
454 - full_search:
455 -@@ -91,8 +95,8 @@ full_search:
456 - * Start a new search - just in case we missed
457 - * some holes.
458 - */
459 -- if (start_addr != TASK_UNMAPPED_BASE) {
460 -- start_addr = addr = TASK_UNMAPPED_BASE;
461 -+ if (start_addr != mm->mmap_base) {
462 -+ start_addr = addr = mm->mmap_base;
463 - mm->cached_hole_size = 0;
464 - goto full_search;
465 - }
466 -diff -urNp linux-2.6.24.4/arch/avr32/mm/fault.c linux-2.6.24.4/arch/avr32/mm/fault.c
467 ---- linux-2.6.24.4/arch/avr32/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
468 -+++ linux-2.6.24.4/arch/avr32/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
469 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
470 -
471 - int exception_trace = 1;
472 -
473 -+#ifdef CONFIG_PAX_PAGEEXEC
474 -+void pax_report_insns(void *pc, void *sp)
475 -+{
476 -+ unsigned long i;
477 -+
478 -+ printk(KERN_ERR "PAX: bytes at PC: ");
479 -+ for (i = 0; i < 20; i++) {
480 -+ unsigned char c;
481 -+ if (get_user(c, (unsigned char *)pc+i))
482 -+ printk("???????? ");
483 -+ else
484 -+ printk("%02x ", c);
485 -+ }
486 -+ printk("\n");
487 -+}
488 -+#endif
489 -+
490 - /*
491 - * This routine handles page faults. It determines the address and the
492 - * problem, and then passes it off to one of the appropriate routines.
493 -@@ -157,6 +174,16 @@ bad_area:
494 - up_read(&mm->mmap_sem);
495 -
496 - if (user_mode(regs)) {
497 -+
498 -+#ifdef CONFIG_PAX_PAGEEXEC
499 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
500 -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
501 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
502 -+ do_group_exit(SIGKILL);
503 -+ }
504 -+ }
505 -+#endif
506 -+
507 - if (exception_trace && printk_ratelimit())
508 - printk("%s%s[%d]: segfault at %08lx pc %08lx "
509 - "sp %08lx ecr %lu\n",
510 -diff -urNp linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c
511 ---- linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c 2008-03-24 14:49:18.000000000 -0400
512 -+++ linux-2.6.24.4/arch/ia64/ia32/binfmt_elf32.c 2008-03-26 17:56:55.000000000 -0400
513 -@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
514 -
515 - #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
516 -
517 -+#ifdef CONFIG_PAX_ASLR
518 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
519 -+
520 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
521 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
522 -+#endif
523 -+
524 - /* Ugly but avoids duplication */
525 - #include "../../../fs/binfmt_elf.c"
526 -
527 -diff -urNp linux-2.6.24.4/arch/ia64/ia32/ia32priv.h linux-2.6.24.4/arch/ia64/ia32/ia32priv.h
528 ---- linux-2.6.24.4/arch/ia64/ia32/ia32priv.h 2008-03-24 14:49:18.000000000 -0400
529 -+++ linux-2.6.24.4/arch/ia64/ia32/ia32priv.h 2008-03-26 17:56:55.000000000 -0400
530 -@@ -303,7 +303,14 @@ struct old_linux32_dirent {
531 - #define ELF_DATA ELFDATA2LSB
532 - #define ELF_ARCH EM_386
533 -
534 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
535 -+#ifdef CONFIG_PAX_RANDUSTACK
536 -+#define __IA32_DELTA_STACK (current->mm->delta_stack)
537 -+#else
538 -+#define __IA32_DELTA_STACK 0UL
539 -+#endif
540 -+
541 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
542 -+
543 - #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
544 - #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
545 -
546 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/module.c linux-2.6.24.4/arch/ia64/kernel/module.c
547 ---- linux-2.6.24.4/arch/ia64/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
548 -+++ linux-2.6.24.4/arch/ia64/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
549 -@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
550 - void
551 - module_free (struct module *mod, void *module_region)
552 - {
553 -- if (mod->arch.init_unw_table && module_region == mod->module_init) {
554 -+ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
555 - unw_remove_unwind_table(mod->arch.init_unw_table);
556 - mod->arch.init_unw_table = NULL;
557 - }
558 -@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
559 - }
560 -
561 - static inline int
562 -+in_init_rx (const struct module *mod, uint64_t addr)
563 -+{
564 -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
565 -+}
566 -+
567 -+static inline int
568 -+in_init_rw (const struct module *mod, uint64_t addr)
569 -+{
570 -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
571 -+}
572 -+
573 -+static inline int
574 - in_init (const struct module *mod, uint64_t addr)
575 - {
576 -- return addr - (uint64_t) mod->module_init < mod->init_size;
577 -+ return in_init_rx(mod, value) || in_init_rw(mod, value);
578 -+}
579 -+
580 -+static inline int
581 -+in_core_rx (const struct module *mod, uint64_t addr)
582 -+{
583 -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
584 -+}
585 -+
586 -+static inline int
587 -+in_core_rw (const struct module *mod, uint64_t addr)
588 -+{
589 -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
590 - }
591 -
592 - static inline int
593 - in_core (const struct module *mod, uint64_t addr)
594 - {
595 -- return addr - (uint64_t) mod->module_core < mod->core_size;
596 -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
597 - }
598 -
599 - static inline int
600 -@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
601 - break;
602 -
603 - case RV_BDREL:
604 -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
605 -+ if (in_init_rx(mod, val))
606 -+ val -= (uint64_t) mod->module_init_rx;
607 -+ else if (in_init_rw(mod, val))
608 -+ val -= (uint64_t) mod->module_init_rw;
609 -+ else if (in_core_rx(mod, val))
610 -+ val -= (uint64_t) mod->module_core_rx;
611 -+ else if (in_core_rw(mod, val))
612 -+ val -= (uint64_t) mod->module_core_rw;
613 - break;
614 -
615 - case RV_LTV:
616 -@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
617 - * addresses have been selected...
618 - */
619 - uint64_t gp;
620 -- if (mod->core_size > MAX_LTOFF)
621 -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
622 - /*
623 - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
624 - * at the end of the module.
625 - */
626 -- gp = mod->core_size - MAX_LTOFF / 2;
627 -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
628 - else
629 -- gp = mod->core_size / 2;
630 -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
631 -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
632 -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
633 - mod->arch.gp = gp;
634 - DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
635 - }
636 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/ptrace.c linux-2.6.24.4/arch/ia64/kernel/ptrace.c
637 ---- linux-2.6.24.4/arch/ia64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
638 -+++ linux-2.6.24.4/arch/ia64/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
639 -@@ -17,6 +17,7 @@
640 - #include <linux/security.h>
641 - #include <linux/audit.h>
642 - #include <linux/signal.h>
643 -+#include <linux/grsecurity.h>
644 -
645 - #include <asm/pgtable.h>
646 - #include <asm/processor.h>
647 -@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
648 - if (pid == 1) /* no messing around with init! */
649 - goto out_tsk;
650 -
651 -+ if (gr_handle_ptrace(child, request))
652 -+ goto out_tsk;
653 -+
654 - if (request == PTRACE_ATTACH) {
655 - ret = ptrace_attach(child);
656 - goto out_tsk;
657 -diff -urNp linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c
658 ---- linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c 2008-03-24 14:49:18.000000000 -0400
659 -+++ linux-2.6.24.4/arch/ia64/kernel/sys_ia64.c 2008-03-26 17:56:55.000000000 -0400
660 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
661 - if (REGION_NUMBER(addr) == RGN_HPAGE)
662 - addr = 0;
663 - #endif
664 -+
665 -+#ifdef CONFIG_PAX_RANDMMAP
666 -+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
667 -+ addr = mm->free_area_cache;
668 -+ else
669 -+#endif
670 -+
671 - if (!addr)
672 - addr = mm->free_area_cache;
673 -
674 -@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
675 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
676 - /* At this point: (!vma || addr < vma->vm_end). */
677 - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
678 -- if (start_addr != TASK_UNMAPPED_BASE) {
679 -+ if (start_addr != mm->mmap_base) {
680 - /* Start a new search --- just in case we missed some holes. */
681 -- addr = TASK_UNMAPPED_BASE;
682 -+ addr = mm->mmap_base;
683 - goto full_search;
684 - }
685 - return -ENOMEM;
686 -diff -urNp linux-2.6.24.4/arch/ia64/mm/fault.c linux-2.6.24.4/arch/ia64/mm/fault.c
687 ---- linux-2.6.24.4/arch/ia64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
688 -+++ linux-2.6.24.4/arch/ia64/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
689 -@@ -10,6 +10,7 @@
690 - #include <linux/interrupt.h>
691 - #include <linux/kprobes.h>
692 - #include <linux/kdebug.h>
693 -+#include <linux/binfmts.h>
694 -
695 - #include <asm/pgtable.h>
696 - #include <asm/processor.h>
697 -@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
698 - return pte_present(pte);
699 - }
700 -
701 -+#ifdef CONFIG_PAX_PAGEEXEC
702 -+void pax_report_insns(void *pc, void *sp)
703 -+{
704 -+ unsigned long i;
705 -+
706 -+ printk(KERN_ERR "PAX: bytes at PC: ");
707 -+ for (i = 0; i < 8; i++) {
708 -+ unsigned int c;
709 -+ if (get_user(c, (unsigned int *)pc+i))
710 -+ printk("???????? ");
711 -+ else
712 -+ printk("%08x ", c);
713 -+ }
714 -+ printk("\n");
715 -+}
716 -+#endif
717 -+
718 - void __kprobes
719 - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
720 - {
721 -@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
722 - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
723 - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
724 -
725 -- if ((vma->vm_flags & mask) != mask)
726 -+ if ((vma->vm_flags & mask) != mask) {
727 -+
728 -+#ifdef CONFIG_PAX_PAGEEXEC
729 -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
730 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
731 -+ goto bad_area;
732 -+
733 -+ up_read(&mm->mmap_sem);
734 -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
735 -+ do_group_exit(SIGKILL);
736 -+ }
737 -+#endif
738 -+
739 - goto bad_area;
740 -
741 -+ }
742 -+
743 - survive:
744 - /*
745 - * If for any reason at all we couldn't handle the fault, make
746 -diff -urNp linux-2.6.24.4/arch/ia64/mm/init.c linux-2.6.24.4/arch/ia64/mm/init.c
747 ---- linux-2.6.24.4/arch/ia64/mm/init.c 2008-03-24 14:49:18.000000000 -0400
748 -+++ linux-2.6.24.4/arch/ia64/mm/init.c 2008-03-26 17:56:55.000000000 -0400
749 -@@ -20,8 +20,8 @@
750 - #include <linux/proc_fs.h>
751 - #include <linux/bitops.h>
752 - #include <linux/kexec.h>
753 -+#include <linux/a.out.h>
754 -
755 --#include <asm/a.out.h>
756 - #include <asm/dma.h>
757 - #include <asm/ia32.h>
758 - #include <asm/io.h>
759 -@@ -128,6 +128,19 @@ ia64_init_addr_space (void)
760 - vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
761 - vma->vm_end = vma->vm_start + PAGE_SIZE;
762 - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
763 -+
764 -+#ifdef CONFIG_PAX_PAGEEXEC
765 -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
766 -+ vm->vm_flags &= ~VM_EXEC;
767 -+
768 -+#ifdef CONFIG_PAX_MPROTECT
769 -+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
770 -+ vma->vm_flags &= ~VM_MAYEXEC;
771 -+#endif
772 -+
773 -+ }
774 -+#endif
775 -+
776 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
777 - down_write(&current->mm->mmap_sem);
778 - if (insert_vm_struct(current->mm, vma)) {
779 -diff -urNp linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c
780 ---- linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c 2008-03-24 14:49:18.000000000 -0400
781 -+++ linux-2.6.24.4/arch/mips/kernel/binfmt_elfn32.c 2008-03-26 17:56:55.000000000 -0400
782 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
783 - #undef ELF_ET_DYN_BASE
784 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
785 -
786 -+#ifdef CONFIG_PAX_ASLR
787 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
788 -+
789 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
790 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
791 -+#endif
792 -+
793 - #include <asm/processor.h>
794 - #include <linux/module.h>
795 - #include <linux/elfcore.h>
796 -diff -urNp linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c
797 ---- linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c 2008-03-24 14:49:18.000000000 -0400
798 -+++ linux-2.6.24.4/arch/mips/kernel/binfmt_elfo32.c 2008-03-26 17:56:55.000000000 -0400
799 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
800 - #undef ELF_ET_DYN_BASE
801 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
802 -
803 -+#ifdef CONFIG_PAX_ASLR
804 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
805 -+
806 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
807 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
808 -+#endif
809 -+
810 - #include <asm/processor.h>
811 - #include <linux/module.h>
812 - #include <linux/elfcore.h>
813 -diff -urNp linux-2.6.24.4/arch/mips/kernel/syscall.c linux-2.6.24.4/arch/mips/kernel/syscall.c
814 ---- linux-2.6.24.4/arch/mips/kernel/syscall.c 2008-03-24 14:49:18.000000000 -0400
815 -+++ linux-2.6.24.4/arch/mips/kernel/syscall.c 2008-03-26 17:56:55.000000000 -0400
816 -@@ -93,6 +93,11 @@ unsigned long arch_get_unmapped_area(str
817 - do_color_align = 0;
818 - if (filp || (flags & MAP_SHARED))
819 - do_color_align = 1;
820 -+
821 -+#ifdef CONFIG_PAX_RANDMMAP
822 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
823 -+#endif
824 -+
825 - if (addr) {
826 - if (do_color_align)
827 - addr = COLOUR_ALIGN(addr, pgoff);
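Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` block inserts a brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` whose body is the existing `if (addr) {` block below it, but the blank lines on either side make it read as a dangling statement. A short comment ("hint address is only honoured when randomisation is off or the mapping is file-backed") and no blank line between the guard and `if (addr)` would make the intent explicit and survive a careless reindent.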
828 -@@ -103,7 +108,7 @@ unsigned long arch_get_unmapped_area(str
829 - (!vmm || addr + len <= vmm->vm_start))
830 - return addr;
831 - }
832 -- addr = TASK_UNMAPPED_BASE;
833 -+ addr = current->mm->mmap_base;
834 - if (do_color_align)
835 - addr = COLOUR_ALIGN(addr, pgoff);
836 - else
837 -diff -urNp linux-2.6.24.4/arch/mips/mm/fault.c linux-2.6.24.4/arch/mips/mm/fault.c
838 ---- linux-2.6.24.4/arch/mips/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
839 -+++ linux-2.6.24.4/arch/mips/mm/fault.c 2008-03-26 17:56:55.000000000 -0400
840 -@@ -26,6 +26,23 @@
841 - #include <asm/ptrace.h>
842 - #include <asm/highmem.h> /* For VMALLOC_END */
843 -
844 -+#ifdef CONFIG_PAX_PAGEEXEC
845 -+void pax_report_insns(void *pc)
846 -+{
847 -+ unsigned long i;
848 -+
849 -+ printk(KERN_ERR "PAX: bytes at PC: ");
850 -+ for (i = 0; i < 5; i++) {
851 -+ unsigned int c;
852 -+ if (get_user(c, (unsigned int *)pc+i))
853 -+ printk("???????? ");
854 -+ else
855 -+ printk("%08x ", c);
856 -+ }
857 -+ printk("\n");
858 -+}
859 -+#endif
860 -+
861 - /*
862 - * This routine handles page faults. It determines the address,
863 - * and the problem, and then passes it off to one of the appropriate
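Review bot: pax_report_insns() is added here as `void pax_report_insns(void *pc)`, while the parisc and powerpc versions in this same patch are declared `void pax_report_insns(void *pc, void *sp)`. If the common prototype takes two arguments this will fail to build on MIPS with CONFIG_PAX_PAGEEXEC; add the unused `sp` parameter for consistency.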
864 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/module.c linux-2.6.24.4/arch/parisc/kernel/module.c
865 ---- linux-2.6.24.4/arch/parisc/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
866 -+++ linux-2.6.24.4/arch/parisc/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
867 -@@ -73,16 +73,38 @@
868 -
869 - /* three functions to determine where in the module core
870 - * or init pieces the location is */
871 -+static inline int in_init_rx(struct module *me, void *loc)
872 -+{
873 -+ return (loc >= me->module_init_rx &&
874 -+ loc < (me->module_init_rx + me->init_size_rx));
875 -+}
876 -+
877 -+static inline int in_init_rw(struct module *me, void *loc)
878 -+{
879 -+ return (loc >= me->module_init_rw &&
880 -+ loc < (me->module_init_rw + me->init_size_rw));
881 -+}
882 -+
883 - static inline int in_init(struct module *me, void *loc)
884 - {
885 -- return (loc >= me->module_init &&
886 -- loc <= (me->module_init + me->init_size));
887 -+ return in_init_rx(me, loc) || in_init_rw(me, loc);
888 -+}
889 -+
890 -+static inline int in_core_rx(struct module *me, void *loc)
891 -+{
892 -+ return (loc >= me->module_core_rx &&
893 -+ loc < (me->module_core_rx + me->core_size_rx));
894 -+}
895 -+
896 -+static inline int in_core_rw(struct module *me, void *loc)
897 -+{
898 -+ return (loc >= me->module_core_rw &&
899 -+ loc < (me->module_core_rw + me->core_size_rw));
900 - }
901 -
902 - static inline int in_core(struct module *me, void *loc)
903 - {
904 -- return (loc >= me->module_core &&
905 -- loc <= (me->module_core + me->core_size));
906 -+ return in_core_rx(me, loc) || in_core_rw(me, loc);
907 - }
908 -
909 - static inline int in_local(struct module *me, void *loc)
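Review bot: the replaced in_init()/in_core() used an inclusive upper bound (`loc <= (me->module_init + me->init_size)`), while the new rx/rw helpers use `loc < (... + ...)`; that off-by-one fix is a behaviour change worth a sentence in the log so it is not reverted as "unrelated". The comment above, "three functions to determine where in the module core or init pieces the location is", is also stale now that there are six.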
910 -@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
911 - }
912 -
913 - /* align things a bit */
914 -- me->core_size = ALIGN(me->core_size, 16);
915 -- me->arch.got_offset = me->core_size;
916 -- me->core_size += gots * sizeof(struct got_entry);
917 --
918 -- me->core_size = ALIGN(me->core_size, 16);
919 -- me->arch.fdesc_offset = me->core_size;
920 -- me->core_size += fdescs * sizeof(Elf_Fdesc);
921 --
922 -- me->core_size = ALIGN(me->core_size, 16);
923 -- me->arch.stub_offset = me->core_size;
924 -- me->core_size += stubs * sizeof(struct stub_entry);
925 --
926 -- me->init_size = ALIGN(me->init_size, 16);
927 -- me->arch.init_stub_offset = me->init_size;
928 -- me->init_size += init_stubs * sizeof(struct stub_entry);
929 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
930 -+ me->arch.got_offset = me->core_size_rw;
931 -+ me->core_size_rw += gots * sizeof(struct got_entry);
932 -+
933 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
934 -+ me->arch.fdesc_offset = me->core_size_rw;
935 -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
936 -+
937 -+ me->core_size_rx = ALIGN(me->core_size_rx, 16);
938 -+ me->arch.stub_offset = me->core_size_rx;
939 -+ me->core_size_rx += stubs * sizeof(struct stub_entry);
940 -+
941 -+ me->init_size_rx = ALIGN(me->init_size_rx, 16);
942 -+ me->arch.init_stub_offset = me->init_size_rx;
943 -+ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
944 -
945 - me->arch.got_max = gots;
946 - me->arch.fdesc_max = fdescs;
947 -@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
948 -
949 - BUG_ON(value == 0);
950 -
951 -- got = me->module_core + me->arch.got_offset;
952 -+ got = me->module_core_rw + me->arch.got_offset;
953 - for (i = 0; got[i].addr; i++)
954 - if (got[i].addr == value)
955 - goto out;
956 -@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
957 - #ifdef CONFIG_64BIT
958 - static Elf_Addr get_fdesc(struct module *me, unsigned long value)
959 - {
960 -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
961 -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
962 -
963 - if (!value) {
964 - printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
965 -@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
966 -
967 - /* Create new one */
968 - fdesc->addr = value;
969 -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
970 -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
971 - return (Elf_Addr)fdesc;
972 - }
973 - #endif /* CONFIG_64BIT */
974 -@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
975 - if(init_section) {
976 - i = me->arch.init_stub_count++;
977 - BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
978 -- stub = me->module_init + me->arch.init_stub_offset +
979 -+ stub = me->module_init_rx + me->arch.init_stub_offset +
980 - i * sizeof(struct stub_entry);
981 - } else {
982 - i = me->arch.stub_count++;
983 - BUG_ON(me->arch.stub_count > me->arch.stub_max);
984 -- stub = me->module_core + me->arch.stub_offset +
985 -+ stub = me->module_core_rx + me->arch.stub_offset +
986 - i * sizeof(struct stub_entry);
987 - }
988 -
989 -@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
990 -
991 - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
992 - end = table + sechdrs[me->arch.unwind_section].sh_size;
993 -- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
994 -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
995 -
996 - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
997 - me->arch.unwind_section, table, end, gp);
998 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c
999 ---- linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c 2008-03-24 14:49:18.000000000 -0400
1000 -+++ linux-2.6.24.4/arch/parisc/kernel/sys_parisc.c 2008-03-26 17:56:55.000000000 -0400
1001 -@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
1002 - if (flags & MAP_FIXED)
1003 - return addr;
1004 - if (!addr)
1005 -- addr = TASK_UNMAPPED_BASE;
1006 -+ addr = current->mm->mmap_base;
1007 -
1008 - if (filp) {
1009 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1010 -diff -urNp linux-2.6.24.4/arch/parisc/kernel/traps.c linux-2.6.24.4/arch/parisc/kernel/traps.c
1011 ---- linux-2.6.24.4/arch/parisc/kernel/traps.c 2008-03-24 14:49:18.000000000 -0400
1012 -+++ linux-2.6.24.4/arch/parisc/kernel/traps.c 2008-03-26 17:56:55.000000000 -0400
1013 -@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
1014 -
1015 - down_read(&current->mm->mmap_sem);
1016 - vma = find_vma(current->mm,regs->iaoq[0]);
1017 -- if (vma && (regs->iaoq[0] >= vma->vm_start)
1018 -- && (vma->vm_flags & VM_EXEC)) {
1019 --
1020 -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1021 - fault_address = regs->iaoq[0];
1022 - fault_space = regs->iasq[0];
1023 -
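Review bot: dropping `&& (vma->vm_flags & VM_EXEC)` from the handle_interruption() check means an instruction fetch from a non-executable vma is now routed on to do_page_fault() instead of being treated as a plain protection error; presumably so the PAGEEXEC path in parisc/mm/fault.c can see it. That is the right place for the decision, but nothing in the hunk says so; add a comment naming the PAGEEXEC dependency.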
1024 -diff -urNp linux-2.6.24.4/arch/parisc/mm/fault.c linux-2.6.24.4/arch/parisc/mm/fault.c
1025 ---- linux-2.6.24.4/arch/parisc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1026 -+++ linux-2.6.24.4/arch/parisc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1027 -@@ -16,6 +16,8 @@
1028 - #include <linux/sched.h>
1029 - #include <linux/interrupt.h>
1030 - #include <linux/module.h>
1031 -+#include <linux/unistd.h>
1032 -+#include <linux/binfmts.h>
1033 -
1034 - #include <asm/uaccess.h>
1035 - #include <asm/traps.h>
1036 -@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1037 - static unsigned long
1038 - parisc_acctyp(unsigned long code, unsigned int inst)
1039 - {
1040 -- if (code == 6 || code == 16)
1041 -+ if (code == 6 || code == 7 || code == 16)
1042 - return VM_EXEC;
1043 -
1044 - switch (inst & 0xf0000000) {
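Review bot: `code == 7` is added to the list of codes that parisc_acctyp() maps to VM_EXEC with no explanation of which trap it is, alongside the existing magic 6 and 16. Name the interruption (or use a symbolic constant) in a comment so the reader can check it really is an instruction-side access and not a data trap.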
1045 -@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
1046 - }
1047 - #endif
1048 -
1049 -+#ifdef CONFIG_PAX_PAGEEXEC
1050 -+/*
1051 -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1052 -+ *
1053 -+ * returns 1 when task should be killed
1054 -+ * 2 when rt_sigreturn trampoline was detected
1055 -+ * 3 when unpatched PLT trampoline was detected
1056 -+ */
1057 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1058 -+{
1059 -+
1060 -+#ifdef CONFIG_PAX_EMUPLT
1061 -+ int err;
1062 -+
1063 -+ do { /* PaX: unpatched PLT emulation */
1064 -+ unsigned int bl, depwi;
1065 -+
1066 -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1067 -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1068 -+
1069 -+ if (err)
1070 -+ break;
1071 -+
1072 -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1073 -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1074 -+
1075 -+ err = get_user(ldw, (unsigned int *)addr);
1076 -+ err |= get_user(bv, (unsigned int *)(addr+4));
1077 -+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1078 -+
1079 -+ if (err)
1080 -+ break;
1081 -+
1082 -+ if (ldw == 0x0E801096U &&
1083 -+ bv == 0xEAC0C000U &&
1084 -+ ldw2 == 0x0E881095U)
1085 -+ {
1086 -+ unsigned int resolver, map;
1087 -+
1088 -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1089 -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1090 -+ if (err)
1091 -+ break;
1092 -+
1093 -+ regs->gr[20] = instruction_pointer(regs)+8;
1094 -+ regs->gr[21] = map;
1095 -+ regs->gr[22] = resolver;
1096 -+ regs->iaoq[0] = resolver | 3UL;
1097 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
1098 -+ return 3;
1099 -+ }
1100 -+ }
1101 -+ } while (0);
1102 -+#endif
1103 -+
1104 -+#ifdef CONFIG_PAX_EMUTRAMP
1105 -+
1106 -+#ifndef CONFIG_PAX_EMUSIGRT
1107 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1108 -+ return 1;
1109 -+#endif
1110 -+
1111 -+ do { /* PaX: rt_sigreturn emulation */
1112 -+ unsigned int ldi1, ldi2, bel, nop;
1113 -+
1114 -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1115 -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1116 -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1117 -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1118 -+
1119 -+ if (err)
1120 -+ break;
1121 -+
1122 -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1123 -+ ldi2 == 0x3414015AU &&
1124 -+ bel == 0xE4008200U &&
1125 -+ nop == 0x08000240U)
1126 -+ {
1127 -+ regs->gr[25] = (ldi1 & 2) >> 1;
1128 -+ regs->gr[20] = __NR_rt_sigreturn;
1129 -+ regs->gr[31] = regs->iaoq[1] + 16;
1130 -+ regs->sr[0] = regs->iasq[1];
1131 -+ regs->iaoq[0] = 0x100UL;
1132 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
1133 -+ regs->iasq[0] = regs->sr[2];
1134 -+ regs->iasq[1] = regs->sr[2];
1135 -+ return 2;
1136 -+ }
1137 -+ } while (0);
1138 -+#endif
1139 -+
1140 -+ return 1;
1141 -+}
1142 -+
1143 -+void pax_report_insns(void *pc, void *sp)
1144 -+{
1145 -+ unsigned long i;
1146 -+
1147 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1148 -+ for (i = 0; i < 5; i++) {
1149 -+ unsigned int c;
1150 -+ if (get_user(c, (unsigned int *)pc+i))
1151 -+ printk("???????? ");
1152 -+ else
1153 -+ printk("%08x ", c);
1154 -+ }
1155 -+ printk("\n");
1156 -+}
1157 -+#endif
1158 -+
1159 - void do_page_fault(struct pt_regs *regs, unsigned long code,
1160 - unsigned long address)
1161 - {
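Review bot: `int err;` in pax_handle_fetch_fault() is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the `#ifdef CONFIG_PAX_EMUTRAMP` block below uses it (`err = get_user(ldi1, ...)`). A kernel with EMUTRAMP enabled and EMUPLT disabled will not compile. Guard the declaration with `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, as the powerpc version of this function does.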
1162 -@@ -165,8 +277,33 @@ good_area:
1163 -
1164 - acc_type = parisc_acctyp(code,regs->iir);
1165 -
1166 -- if ((vma->vm_flags & acc_type) != acc_type)
1167 -+ if ((vma->vm_flags & acc_type) != acc_type) {
1168 -+
1169 -+#ifdef CONFIG_PAX_PAGEEXEC
1170 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1171 -+ (address & ~3UL) == instruction_pointer(regs))
1172 -+ {
1173 -+ up_read(&mm->mmap_sem);
1174 -+ switch (pax_handle_fetch_fault(regs)) {
1175 -+
1176 -+#ifdef CONFIG_PAX_EMUPLT
1177 -+ case 3:
1178 -+ return;
1179 -+#endif
1180 -+
1181 -+#ifdef CONFIG_PAX_EMUTRAMP
1182 -+ case 2:
1183 -+ return;
1184 -+#endif
1185 -+
1186 -+ }
1187 -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1188 -+ do_group_exit(SIGKILL);
1189 -+ }
1190 -+#endif
1191 -+
1192 - goto bad_area;
1193 -+ }
1194 -
1195 - /*
1196 - * If for any reason at all we couldn't handle the fault, make
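Review bot: the `up_read(&mm->mmap_sem)` before pax_handle_fetch_fault() is required, not incidental: the emulation reads user memory with get_user(), which may itself fault and must not run with mmap_sem held. A one-line comment there would stop someone "fixing" the early release later. The switch also has no default, so when neither EMUPLT nor EMUTRAMP is configured it is an empty switch whose only effect is the kill path below; consider a comment saying that is intentional.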
1197 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/module_32.c linux-2.6.24.4/arch/powerpc/kernel/module_32.c
1198 ---- linux-2.6.24.4/arch/powerpc/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
1199 -+++ linux-2.6.24.4/arch/powerpc/kernel/module_32.c 2008-03-26 17:56:55.000000000 -0400
1200 -@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
1201 - me->arch.core_plt_section = i;
1202 - }
1203 - if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
1204 -- printk("Module doesn't contain .plt or .init.plt sections.\n");
1205 -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
1206 - return -ENOEXEC;
1207 - }
1208 -
1209 -@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
1210 -
1211 - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
1212 - /* Init, or core PLT? */
1213 -- if (location >= mod->module_core
1214 -- && location < mod->module_core + mod->core_size)
1215 -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
1216 -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
1217 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
1218 -- else
1219 -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
1220 -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
1221 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
1222 -+ else {
1223 -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
1224 -+ return ~0UL;
1225 -+ }
1226 -
1227 - /* Find this entry, or if that fails, the next avail. entry */
1228 - while (entry->jump[0]) {
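Review bot: the new `else` branch returns `~0UL` from do_plt_call(), which is declared `static uint32_t` (see the hunk header), so the caller receives 0xFFFFFFFF as a PLT address. The caller is not in this hunk; verify that apply_relocate_add() checks for that value before computing the R_PPC_REL24 branch offset, otherwise the printk is the only thing that changes and the bogus address is still relocated into the module.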
1229 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/signal_32.c linux-2.6.24.4/arch/powerpc/kernel/signal_32.c
1230 ---- linux-2.6.24.4/arch/powerpc/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
1231 -+++ linux-2.6.24.4/arch/powerpc/kernel/signal_32.c 2008-03-26 17:56:55.000000000 -0400
1232 -@@ -731,7 +731,7 @@ int handle_rt_signal32(unsigned long sig
1233 - /* Save user registers on the stack */
1234 - frame = &rt_sf->uc.uc_mcontext;
1235 - addr = frame;
1236 -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
1237 -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
1238 - if (save_user_regs(regs, frame, 0))
1239 - goto badframe;
1240 - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
1241 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/signal_64.c linux-2.6.24.4/arch/powerpc/kernel/signal_64.c
1242 ---- linux-2.6.24.4/arch/powerpc/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
1243 -+++ linux-2.6.24.4/arch/powerpc/kernel/signal_64.c 2008-03-26 17:56:55.000000000 -0400
1244 -@@ -369,7 +369,7 @@ int handle_rt_signal64(int signr, struct
1245 - current->thread.fpscr.val = 0;
1246 -
1247 - /* Set up to return from userspace. */
1248 -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
1249 -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
1250 - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
1251 - } else {
1252 - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
1253 -diff -urNp linux-2.6.24.4/arch/powerpc/kernel/vdso.c linux-2.6.24.4/arch/powerpc/kernel/vdso.c
1254 ---- linux-2.6.24.4/arch/powerpc/kernel/vdso.c 2008-03-24 14:49:18.000000000 -0400
1255 -+++ linux-2.6.24.4/arch/powerpc/kernel/vdso.c 2008-03-26 17:56:55.000000000 -0400
1256 -@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
1257 - vdso_base = VDSO32_MBASE;
1258 - #endif
1259 -
1260 -- current->mm->context.vdso_base = 0;
1261 -+ current->mm->context.vdso_base = ~0UL;
1262 -
1263 - /* vDSO has a problem and was disabled, just don't "enable" it for the
1264 - * process
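Review bot: the "no vDSO" sentinel for `current->mm->context.vdso_base` changes from 0 to `~0UL` here, with matching tests in signal_32.c and signal_64.c. Any other consumer of vdso_base that still tests for zero (for example the ARCH_DLINFO auxv entry or the vDSO unmap/munmap hooks) is not in this patch and would now treat `~0UL` as a valid base; list the remaining readers in the log or add a VDSO_BASE_NONE macro so they cannot drift.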
1265 -@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
1266 - */
1267 - down_write(&mm->mmap_sem);
1268 - vdso_base = get_unmapped_area(NULL, vdso_base,
1269 -- vdso_pages << PAGE_SHIFT, 0, 0);
1270 -+ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
1271 - if (IS_ERR_VALUE(vdso_base)) {
1272 - rc = vdso_base;
1273 - goto fail_mmapsem;
1274 -diff -urNp linux-2.6.24.4/arch/powerpc/mm/fault.c linux-2.6.24.4/arch/powerpc/mm/fault.c
1275 ---- linux-2.6.24.4/arch/powerpc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1276 -+++ linux-2.6.24.4/arch/powerpc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1277 -@@ -29,6 +29,12 @@
1278 - #include <linux/module.h>
1279 - #include <linux/kprobes.h>
1280 - #include <linux/kdebug.h>
1281 -+#include <linux/binfmts.h>
1282 -+#include <linux/slab.h>
1283 -+#include <linux/pagemap.h>
1284 -+#include <linux/compiler.h>
1285 -+#include <linux/binfmts.h>
1286 -+#include <linux/unistd.h>
1287 -
1288 - #include <asm/page.h>
1289 - #include <asm/pgtable.h>
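Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (first and fifth of the new lines). Harmless because of the include guard, but drop the duplicate.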
1290 -@@ -62,6 +68,363 @@ static inline int notify_page_fault(stru
1291 - }
1292 - #endif
1293 -
1294 -+#ifdef CONFIG_PAX_EMUSIGRT
1295 -+void pax_syscall_close(struct vm_area_struct *vma)
1296 -+{
1297 -+ vma->vm_mm->call_syscall = 0UL;
1298 -+}
1299 -+
1300 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
1301 -+{
1302 -+ struct page *page;
1303 -+ unsigned int *kaddr;
1304 -+
1305 -+ page = alloc_page(GFP_HIGHUSER);
1306 -+ if (!page)
1307 -+ return NOPAGE_OOM;
1308 -+
1309 -+ kaddr = kmap(page);
1310 -+ memset(kaddr, 0, PAGE_SIZE);
1311 -+ kaddr[0] = 0x44000002U; /* sc */
1312 -+ __flush_dcache_icache(kaddr);
1313 -+ kunmap(page);
1314 -+ if (type)
1315 -+ *type = VM_FAULT_MAJOR;
1316 -+ return page;
1317 -+}
1318 -+
1319 -+static struct vm_operations_struct pax_vm_ops = {
1320 -+ .close = pax_syscall_close,
1321 -+ .nopage = pax_syscall_nopage,
1322 -+};
1323 -+
1324 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
1325 -+{
1326 -+ int ret;
1327 -+
1328 -+ vma->vm_mm = current->mm;
1329 -+ vma->vm_start = addr;
1330 -+ vma->vm_end = addr + PAGE_SIZE;
1331 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
1332 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1333 -+ vma->vm_ops = &pax_vm_ops;
1334 -+
1335 -+ ret = insert_vm_struct(current->mm, vma);
1336 -+ if (ret)
1337 -+ return ret;
1338 -+
1339 -+ ++current->mm->total_vm;
1340 -+ return 0;
1341 -+}
1342 -+#endif
1343 -+
1344 -+#ifdef CONFIG_PAX_PAGEEXEC
1345 -+/*
1346 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
1347 -+ *
1348 -+ * returns 1 when task should be killed
1349 -+ * 2 when patched GOT trampoline was detected
1350 -+ * 3 when patched PLT trampoline was detected
1351 -+ * 4 when unpatched PLT trampoline was detected
1352 -+ * 5 when sigreturn trampoline was detected
1353 -+ * 6 when rt_sigreturn trampoline was detected
1354 -+ */
1355 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1356 -+{
1357 -+
1358 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
1359 -+ int err;
1360 -+#endif
1361 -+
1362 -+#ifdef CONFIG_PAX_EMUPLT
1363 -+ do { /* PaX: patched GOT emulation */
1364 -+ unsigned int blrl;
1365 -+
1366 -+ err = get_user(blrl, (unsigned int *)regs->nip);
1367 -+
1368 -+ if (!err && blrl == 0x4E800021U) {
1369 -+ unsigned long temp = regs->nip;
1370 -+
1371 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
1372 -+ regs->link = temp + 4UL;
1373 -+ return 2;
1374 -+ }
1375 -+ } while (0);
1376 -+
1377 -+ do { /* PaX: patched PLT emulation #1 */
1378 -+ unsigned int b;
1379 -+
1380 -+ err = get_user(b, (unsigned int *)regs->nip);
1381 -+
1382 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
1383 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
1384 -+ return 3;
1385 -+ }
1386 -+ } while (0);
1387 -+
1388 -+ do { /* PaX: unpatched PLT emulation #1 */
1389 -+ unsigned int li, b;
1390 -+
1391 -+ err = get_user(li, (unsigned int *)regs->nip);
1392 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1393 -+
1394 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1395 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1396 -+ unsigned long addr = b | 0xFC000000UL;
1397 -+
1398 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1399 -+ err = get_user(rlwinm, (unsigned int *)addr);
1400 -+ err |= get_user(add, (unsigned int *)(addr+4));
1401 -+ err |= get_user(li2, (unsigned int *)(addr+8));
1402 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
1403 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
1404 -+ err |= get_user(li3, (unsigned int *)(addr+20));
1405 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
1406 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
1407 -+
1408 -+ if (err)
1409 -+ break;
1410 -+
1411 -+ if (rlwinm == 0x556C083CU &&
1412 -+ add == 0x7D6C5A14U &&
1413 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1414 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1415 -+ mtctr == 0x7D8903A6U &&
1416 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1417 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1418 -+ bctr == 0x4E800420U)
1419 -+ {
1420 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1421 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1422 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1423 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1424 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1425 -+ regs->nip = regs->ctr;
1426 -+ return 4;
1427 -+ }
1428 -+ }
1429 -+ } while (0);
1430 -+
1431 -+#if 0
1432 -+ do { /* PaX: unpatched PLT emulation #2 */
1433 -+ unsigned int lis, lwzu, b, bctr;
1434 -+
1435 -+ err = get_user(lis, (unsigned int *)regs->nip);
1436 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
1437 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
1438 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
1439 -+
1440 -+ if (err)
1441 -+ break;
1442 -+
1443 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
1444 -+ (lwzu & 0xU) == 0xU &&
1445 -+ (b & 0xFC000003U) == 0x48000000U &&
1446 -+ bctr == 0x4E800420U)
1447 -+ {
1448 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1449 -+ unsigned long addr = b | 0xFC000000UL;
1450 -+
1451 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1452 -+ err = get_user(addis, (unsigned int*)addr);
1453 -+ err |= get_user(addi, (unsigned int*)(addr+4));
1454 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
1455 -+ err |= get_user(add, (unsigned int*)(addr+12));
1456 -+ err |= get_user(li2, (unsigned int*)(addr+16));
1457 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
1458 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
1459 -+ err |= get_user(li3, (unsigned int*)(addr+28));
1460 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
1461 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
1462 -+
1463 -+ if (err)
1464 -+ break;
1465 -+
1466 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1467 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
1468 -+ rlwinm == 0x556C083CU &&
1469 -+ add == 0x7D6C5A14U &&
1470 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1471 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1472 -+ mtctr == 0x7D8903A6U &&
1473 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1474 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1475 -+ bctr == 0x4E800420U)
1476 -+ {
1477 -+ regs->gpr[PT_R11] =
1478 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1479 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1480 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1481 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1482 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1483 -+ regs->nip = regs->ctr;
1484 -+ return 4;
1485 -+ }
1486 -+ }
1487 -+ } while (0);
1488 -+#endif
1489 -+
1490 -+ do { /* PaX: unpatched PLT emulation #3 */
1491 -+ unsigned int li, b;
1492 -+
1493 -+ err = get_user(li, (unsigned int *)regs->nip);
1494 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1495 -+
1496 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1497 -+ unsigned int addis, lwz, mtctr, bctr;
1498 -+ unsigned long addr = b | 0xFC000000UL;
1499 -+
1500 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1501 -+ err = get_user(addis, (unsigned int *)addr);
1502 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
1503 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
1504 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
1505 -+
1506 -+ if (err)
1507 -+ break;
1508 -+
1509 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1510 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
1511 -+ mtctr == 0x7D6903A6U &&
1512 -+ bctr == 0x4E800420U)
1513 -+ {
1514 -+ unsigned int r11;
1515 -+
1516 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1517 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1518 -+
1519 -+ err = get_user(r11, (unsigned int *)addr);
1520 -+ if (err)
1521 -+ break;
1522 -+
1523 -+ regs->gpr[PT_R11] = r11;
1524 -+ regs->ctr = r11;
1525 -+ regs->nip = r11;
1526 -+ return 4;
1527 -+ }
1528 -+ }
1529 -+ } while (0);
1530 -+#endif
1531 -+
1532 -+#ifdef CONFIG_PAX_EMUSIGRT
1533 -+ do { /* PaX: sigreturn emulation */
1534 -+ unsigned int li, sc;
1535 -+
1536 -+ err = get_user(li, (unsigned int *)regs->nip);
1537 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1538 -+
1539 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
1540 -+ struct vm_area_struct *vma;
1541 -+ unsigned long call_syscall;
1542 -+
1543 -+ down_read(&current->mm->mmap_sem);
1544 -+ call_syscall = current->mm->call_syscall;
1545 -+ up_read(&current->mm->mmap_sem);
1546 -+ if (likely(call_syscall))
1547 -+ goto emulate;
1548 -+
1549 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1550 -+
1551 -+ down_write(&current->mm->mmap_sem);
1552 -+ if (current->mm->call_syscall) {
1553 -+ call_syscall = current->mm->call_syscall;
1554 -+ up_write(&current->mm->mmap_sem);
1555 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1556 -+ goto emulate;
1557 -+ }
1558 -+
1559 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
1560 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
1561 -+ up_write(&current->mm->mmap_sem);
1562 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1563 -+ return 1;
1564 -+ }
1565 -+
1566 -+ if (pax_insert_vma(vma, call_syscall)) {
1567 -+ up_write(&current->mm->mmap_sem);
1568 -+ kmem_cache_free(vm_area_cachep, vma);
1569 -+ return 1;
1570 -+ }
1571 -+
1572 -+ current->mm->call_syscall = call_syscall;
1573 -+ up_write(&current->mm->mmap_sem);
1574 -+
1575 -+emulate:
1576 -+ regs->gpr[PT_R0] = __NR_sigreturn;
1577 -+ regs->nip = call_syscall;
1578 -+ return 5;
1579 -+ }
1580 -+ } while (0);
1581 -+
1582 -+ do { /* PaX: rt_sigreturn emulation */
1583 -+ unsigned int li, sc;
1584 -+
1585 -+ err = get_user(li, (unsigned int *)regs->nip);
1586 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1587 -+
1588 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
1589 -+ struct vm_area_struct *vma;
1590 -+ unsigned int call_syscall;
1591 -+
1592 -+ down_read(&current->mm->mmap_sem);
1593 -+ call_syscall = current->mm->call_syscall;
1594 -+ up_read(&current->mm->mmap_sem);
1595 -+ if (likely(call_syscall))
1596 -+ goto rt_emulate;
1597 -+
1598 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
1599 -+
1600 -+ down_write(&current->mm->mmap_sem);
1601 -+ if (current->mm->call_syscall) {
1602 -+ call_syscall = current->mm->call_syscall;
1603 -+ up_write(&current->mm->mmap_sem);
1604 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1605 -+ goto rt_emulate;
1606 -+ }
1607 -+
1608 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
1609 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
1610 -+ up_write(&current->mm->mmap_sem);
1611 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
1612 -+ return 1;
1613 -+ }
1614 -+
1615 -+ if (pax_insert_vma(vma, call_syscall)) {
1616 -+ up_write(&current->mm->mmap_sem);
1617 -+ kmem_cache_free(vm_area_cachep, vma);
1618 -+ return 1;
1619 -+ }
1620 -+
1621 -+ current->mm->call_syscall = call_syscall;
1622 -+ up_write(&current->mm->mmap_sem);
1623 -+
1624 -+rt_emulate:
1625 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
1626 -+ regs->nip = call_syscall;
1627 -+ return 6;
1628 -+ }
1629 -+ } while (0);
1630 -+#endif
1631 -+
1632 -+ return 1;
1633 -+}
1634 -+
1635 -+void pax_report_insns(void *pc, void *sp)
1636 -+{
1637 -+ unsigned long i;
1638 -+
1639 -+ printk(KERN_ERR "PAX: bytes at PC: ");
1640 -+ for (i = 0; i < 5; i++) {
1641 -+ unsigned int c;
1642 -+ if (get_user(c, (unsigned int *)pc+i))
1643 -+ printk("???????? ");
1644 -+ else
1645 -+ printk("%08x ", c);
1646 -+ }
1647 -+ printk("\n");
1648 -+}
1649 -+#endif
1650 -+
1651 - /*
1652 - * Check whether the instruction at regs->nip is a store using
1653 - * an update addressing form which will update r1.
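Review bot: in the rt_sigreturn emulation block `call_syscall` is declared `unsigned int`, while the otherwise identical sigreturn block above declares it `unsigned long` and `mm->call_syscall` is assigned `0UL`. On PPC64 the `unsigned int` copy truncates the address returned by get_unmapped_area() before it is stored and jumped to; make it `unsigned long` in both places, ideally by factoring the two blocks into one helper taking the syscall number. Separately, the `#if 0` "unpatched PLT emulation #2" block contains placeholder literals (`(lwzu & 0xU) == 0xU`) and a dangling `regs->gpr[PT_R11] =` assignment; if it is not ready, remove it rather than ship dead code that cannot compile.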
1654 -@@ -157,7 +520,7 @@ int __kprobes do_page_fault(struct pt_re
1655 - * indicate errors in DSISR but can validly be set in SRR1.
1656 - */
1657 - if (trap == 0x400)
1658 -- error_code &= 0x48200000;
1659 -+ error_code &= 0x58200000;
1660 - else
1661 - is_write = error_code & DSISR_ISSTORE;
1662 - #else
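Review bot: widening the SRR1 mask from `0x48200000` to `0x58200000` keeps one more bit in `error_code` for instruction faults, which the PAGEEXEC check later in this file relies on (`is_exec && (error_code & DSISR_PROTFAULT)`). The value is a bare magic number with no comment; state which bit is being preserved and why, next to the existing comment about which bits are valid in SRR1.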
1663 -@@ -357,6 +720,37 @@ bad_area:
1664 - bad_area_nosemaphore:
1665 - /* User mode accesses cause a SIGSEGV */
1666 - if (user_mode(regs)) {
1667 -+
1668 -+#ifdef CONFIG_PAX_PAGEEXEC
1669 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1670 -+#ifdef CONFIG_PPC64
1671 -+ if (is_exec && (error_code & DSISR_PROTFAULT)) {
1672 -+#else
1673 -+ if (is_exec && regs->nip == address) {
1674 -+#endif
1675 -+ switch (pax_handle_fetch_fault(regs)) {
1676 -+
1677 -+#ifdef CONFIG_PAX_EMUPLT
1678 -+ case 2:
1679 -+ case 3:
1680 -+ case 4:
1681 -+ return 0;
1682 -+#endif
1683 -+
1684 -+#ifdef CONFIG_PAX_EMUSIGRT
1685 -+ case 5:
1686 -+ case 6:
1687 -+ return 0;
1688 -+#endif
1689 -+
1690 -+ }
1691 -+
1692 -+ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
1693 -+ do_group_exit(SIGKILL);
1694 -+ }
1695 -+ }
1696 -+#endif
1697 -+
1698 - _exception(SIGSEGV, regs, code, address);
1699 - return 0;
1700 - }
1701 -diff -urNp linux-2.6.24.4/arch/powerpc/mm/mmap.c linux-2.6.24.4/arch/powerpc/mm/mmap.c
1702 ---- linux-2.6.24.4/arch/powerpc/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
1703 -+++ linux-2.6.24.4/arch/powerpc/mm/mmap.c 2008-03-26 17:56:55.000000000 -0400
1704 -@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
1705 - */
1706 - if (mmap_is_legacy()) {
1707 - mm->mmap_base = TASK_UNMAPPED_BASE;
1708 -+
1709 -+#ifdef CONFIG_PAX_RANDMMAP
1710 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1711 -+ mm->mmap_base += mm->delta_mmap;
1712 -+#endif
1713 -+
1714 - mm->get_unmapped_area = arch_get_unmapped_area;
1715 - mm->unmap_area = arch_unmap_area;
1716 - } else {
1717 - mm->mmap_base = mmap_base();
1718 -+
1719 -+#ifdef CONFIG_PAX_RANDMMAP
1720 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1721 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
1722 -+#endif
1723 -+
1724 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
1725 - mm->unmap_area = arch_unmap_area_topdown;
1726 - }
1727 -diff -urNp linux-2.6.24.4/arch/ppc/mm/fault.c linux-2.6.24.4/arch/ppc/mm/fault.c
1728 ---- linux-2.6.24.4/arch/ppc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
1729 -+++ linux-2.6.24.4/arch/ppc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
1730 -@@ -25,6 +25,11 @@
1731 - #include <linux/interrupt.h>
1732 - #include <linux/highmem.h>
1733 - #include <linux/module.h>
1734 -+#include <linux/slab.h>
1735 -+#include <linux/pagemap.h>
1736 -+#include <linux/compiler.h>
1737 -+#include <linux/binfmts.h>
1738 -+#include <linux/unistd.h>
1739 -
1740 - #include <asm/page.h>
1741 - #include <asm/pgtable.h>
1742 -@@ -48,6 +53,363 @@ unsigned long pte_misses; /* updated by
1743 - unsigned long pte_errors; /* updated by do_page_fault() */
1744 - unsigned int probingmem;
1745 -
1746 -+#ifdef CONFIG_PAX_EMUSIGRT
1747 -+void pax_syscall_close(struct vm_area_struct *vma)
1748 -+{
1749 -+ vma->vm_mm->call_syscall = 0UL;
1750 -+}
1751 -+
1752 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
1753 -+{
1754 -+ struct page *page;
1755 -+ unsigned int *kaddr;
1756 -+
1757 -+ page = alloc_page(GFP_HIGHUSER);
1758 -+ if (!page)
1759 -+ return NOPAGE_OOM;
1760 -+
1761 -+ kaddr = kmap(page);
1762 -+ memset(kaddr, 0, PAGE_SIZE);
1763 -+ kaddr[0] = 0x44000002U; /* sc */
1764 -+ __flush_dcache_icache(kaddr);
1765 -+ kunmap(page);
1766 -+ if (type)
1767 -+ *type = VM_FAULT_MAJOR;
1768 -+ return page;
1769 -+}
1770 -+
1771 -+static struct vm_operations_struct pax_vm_ops = {
1772 -+ .close = pax_syscall_close,
1773 -+ .nopage = pax_syscall_nopage,
1774 -+};
1775 -+
1776 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
1777 -+{
1778 -+ int ret;
1779 -+
1780 -+ vma->vm_mm = current->mm;
1781 -+ vma->vm_start = addr;
1782 -+ vma->vm_end = addr + PAGE_SIZE;
1783 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
1784 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1785 -+ vma->vm_ops = &pax_vm_ops;
1786 -+
1787 -+ ret = insert_vm_struct(current->mm, vma);
1788 -+ if (ret)
1789 -+ return ret;
1790 -+
1791 -+ ++current->mm->total_vm;
1792 -+ return 0;
1793 -+}
1794 -+#endif
1795 -+
1796 -+#ifdef CONFIG_PAX_PAGEEXEC
1797 -+/*
1798 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
1799 -+ *
1800 -+ * returns 1 when task should be killed
1801 -+ * 2 when patched GOT trampoline was detected
1802 -+ * 3 when patched PLT trampoline was detected
1803 -+ * 4 when unpatched PLT trampoline was detected
1804 -+ * 5 when sigreturn trampoline was detected
1805 -+ * 6 when rt_sigreturn trampoline was detected
1806 -+ */
1807 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
1808 -+{
1809 -+
1810 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
1811 -+ int err;
1812 -+#endif
1813 -+
1814 -+#ifdef CONFIG_PAX_EMUPLT
1815 -+ do { /* PaX: patched GOT emulation */
1816 -+ unsigned int blrl;
1817 -+
1818 -+ err = get_user(blrl, (unsigned int *)regs->nip);
1819 -+
1820 -+ if (!err && blrl == 0x4E800021U) {
1821 -+ unsigned long temp = regs->nip;
1822 -+
1823 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
1824 -+ regs->link = temp + 4UL;
1825 -+ return 2;
1826 -+ }
1827 -+ } while (0);
1828 -+
1829 -+ do { /* PaX: patched PLT emulation #1 */
1830 -+ unsigned int b;
1831 -+
1832 -+ err = get_user(b, (unsigned int *)regs->nip);
1833 -+
1834 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
1835 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
1836 -+ return 3;
1837 -+ }
1838 -+ } while (0);
1839 -+
1840 -+ do { /* PaX: unpatched PLT emulation #1 */
1841 -+ unsigned int li, b;
1842 -+
1843 -+ err = get_user(li, (unsigned int *)regs->nip);
1844 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1845 -+
1846 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1847 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1848 -+ unsigned long addr = b | 0xFC000000UL;
1849 -+
1850 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1851 -+ err = get_user(rlwinm, (unsigned int *)addr);
1852 -+ err |= get_user(add, (unsigned int *)(addr+4));
1853 -+ err |= get_user(li2, (unsigned int *)(addr+8));
1854 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
1855 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
1856 -+ err |= get_user(li3, (unsigned int *)(addr+20));
1857 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
1858 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
1859 -+
1860 -+ if (err)
1861 -+ break;
1862 -+
1863 -+ if (rlwinm == 0x556C083CU &&
1864 -+ add == 0x7D6C5A14U &&
1865 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1866 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1867 -+ mtctr == 0x7D8903A6U &&
1868 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1869 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1870 -+ bctr == 0x4E800420U)
1871 -+ {
1872 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1873 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1874 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1875 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1876 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1877 -+ regs->nip = regs->ctr;
1878 -+ return 4;
1879 -+ }
1880 -+ }
1881 -+ } while (0);
1882 -+
1883 -+#if 0
1884 -+ do { /* PaX: unpatched PLT emulation #2 */
1885 -+ unsigned int lis, lwzu, b, bctr;
1886 -+
1887 -+ err = get_user(lis, (unsigned int *)regs->nip);
1888 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
1889 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
1890 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
1891 -+
1892 -+ if (err)
1893 -+ break;
1894 -+
1895 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
1896 -+ (lwzu & 0xU) == 0xU &&
1897 -+ (b & 0xFC000003U) == 0x48000000U &&
1898 -+ bctr == 0x4E800420U)
1899 -+ {
1900 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
1901 -+ unsigned long addr = b | 0xFC000000UL;
1902 -+
1903 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1904 -+ err = get_user(addis, (unsigned int*)addr);
1905 -+ err |= get_user(addi, (unsigned int*)(addr+4));
1906 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
1907 -+ err |= get_user(add, (unsigned int*)(addr+12));
1908 -+ err |= get_user(li2, (unsigned int*)(addr+16));
1909 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
1910 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
1911 -+ err |= get_user(li3, (unsigned int*)(addr+28));
1912 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
1913 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
1914 -+
1915 -+ if (err)
1916 -+ break;
1917 -+
1918 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1919 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
1920 -+ rlwinm == 0x556C083CU &&
1921 -+ add == 0x7D6C5A14U &&
1922 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
1923 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
1924 -+ mtctr == 0x7D8903A6U &&
1925 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
1926 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
1927 -+ bctr == 0x4E800420U)
1928 -+ {
1929 -+ regs->gpr[PT_R11] =
1930 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1931 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1932 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
1933 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1934 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
1935 -+ regs->nip = regs->ctr;
1936 -+ return 4;
1937 -+ }
1938 -+ }
1939 -+ } while (0);
1940 -+#endif
1941 -+
1942 -+ do { /* PaX: unpatched PLT emulation #3 */
1943 -+ unsigned int li, b;
1944 -+
1945 -+ err = get_user(li, (unsigned int *)regs->nip);
1946 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
1947 -+
1948 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
1949 -+ unsigned int addis, lwz, mtctr, bctr;
1950 -+ unsigned long addr = b | 0xFC000000UL;
1951 -+
1952 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
1953 -+ err = get_user(addis, (unsigned int *)addr);
1954 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
1955 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
1956 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
1957 -+
1958 -+ if (err)
1959 -+ break;
1960 -+
1961 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
1962 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
1963 -+ mtctr == 0x7D6903A6U &&
1964 -+ bctr == 0x4E800420U)
1965 -+ {
1966 -+ unsigned int r11;
1967 -+
1968 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1969 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
1970 -+
1971 -+ err = get_user(r11, (unsigned int *)addr);
1972 -+ if (err)
1973 -+ break;
1974 -+
1975 -+ regs->gpr[PT_R11] = r11;
1976 -+ regs->ctr = r11;
1977 -+ regs->nip = r11;
1978 -+ return 4;
1979 -+ }
1980 -+ }
1981 -+ } while (0);
1982 -+#endif
1983 -+
1984 -+#ifdef CONFIG_PAX_EMUSIGRT
1985 -+ do { /* PaX: sigreturn emulation */
1986 -+ unsigned int li, sc;
1987 -+
1988 -+ err = get_user(li, (unsigned int *)regs->nip);
1989 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
1990 -+
1991 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
1992 -+ struct vm_area_struct *vma;
1993 -+ unsigned long call_syscall;
1994 -+
1995 -+ down_read(&current->mm->mmap_sem);
1996 -+ call_syscall = current->mm->call_syscall;
1997 -+ up_read(&current->mm->mmap_sem);
1998 -+ if (likely(call_syscall))
1999 -+ goto emulate;
2000 -+
2001 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2002 -+
2003 -+ down_write(&current->mm->mmap_sem);
2004 -+ if (current->mm->call_syscall) {
2005 -+ call_syscall = current->mm->call_syscall;
2006 -+ up_write(&current->mm->mmap_sem);
2007 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2008 -+ goto emulate;
2009 -+ }
2010 -+
2011 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2012 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
2013 -+ up_write(&current->mm->mmap_sem);
2014 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2015 -+ return 1;
2016 -+ }
2017 -+
2018 -+ if (pax_insert_vma(vma, call_syscall)) {
2019 -+ up_write(&current->mm->mmap_sem);
2020 -+ kmem_cache_free(vm_area_cachep, vma);
2021 -+ return 1;
2022 -+ }
2023 -+
2024 -+ current->mm->call_syscall = call_syscall;
2025 -+ up_write(&current->mm->mmap_sem);
2026 -+
2027 -+emulate:
2028 -+ regs->gpr[PT_R0] = __NR_sigreturn;
2029 -+ regs->nip = call_syscall;
2030 -+ return 5;
2031 -+ }
2032 -+ } while (0);
2033 -+
2034 -+ do { /* PaX: rt_sigreturn emulation */
2035 -+ unsigned int li, sc;
2036 -+
2037 -+ err = get_user(li, (unsigned int *)regs->nip);
2038 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
2039 -+
2040 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
2041 -+ struct vm_area_struct *vma;
2042 -+ unsigned int call_syscall;
2043 -+
2044 -+ down_read(&current->mm->mmap_sem);
2045 -+ call_syscall = current->mm->call_syscall;
2046 -+ up_read(&current->mm->mmap_sem);
2047 -+ if (likely(call_syscall))
2048 -+ goto rt_emulate;
2049 -+
2050 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2051 -+
2052 -+ down_write(&current->mm->mmap_sem);
2053 -+ if (current->mm->call_syscall) {
2054 -+ call_syscall = current->mm->call_syscall;
2055 -+ up_write(&current->mm->mmap_sem);
2056 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2057 -+ goto rt_emulate;
2058 -+ }
2059 -+
2060 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2061 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
2062 -+ up_write(&current->mm->mmap_sem);
2063 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2064 -+ return 1;
2065 -+ }
2066 -+
2067 -+ if (pax_insert_vma(vma, call_syscall)) {
2068 -+ up_write(&current->mm->mmap_sem);
2069 -+ kmem_cache_free(vm_area_cachep, vma);
2070 -+ return 1;
2071 -+ }
2072 -+
2073 -+ current->mm->call_syscall = call_syscall;
2074 -+ up_write(&current->mm->mmap_sem);
2075 -+
2076 -+rt_emulate:
2077 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
2078 -+ regs->nip = call_syscall;
2079 -+ return 6;
2080 -+ }
2081 -+ } while (0);
2082 -+#endif
2083 -+
2084 -+ return 1;
2085 -+}
2086 -+
2087 -+void pax_report_insns(void *pc, void *sp)
2088 -+{
2089 -+ unsigned long i;
2090 -+
2091 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2092 -+ for (i = 0; i < 5; i++) {
2093 -+ unsigned int c;
2094 -+ if (get_user(c, (unsigned int *)pc+i))
2095 -+ printk("???????? ");
2096 -+ else
2097 -+ printk("%08x ", c);
2098 -+ }
2099 -+ printk("\n");
2100 -+}
2101 -+#endif
2102 -+
2103 - /*
2104 - * Check whether the instruction at regs->nip is a store using
2105 - * an update addressing form which will update r1.
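Review bot: in the rt_sigreturn emulation block `call_syscall` is declared `unsigned int` while the sigreturn block (and `mm->call_syscall`, and the return type of get_unmapped_area) uses `unsigned long`; make both `unsigned long` so the two copies stay identical and the `& ~PAGE_MASK` test is done on the untruncated value. Also, the `#if 0` "unpatched PLT emulation #2" block still contains the placeholder `(lwzu & 0xU) == 0xU &&` and a duplicated `regs->gpr[PT_R11] =` assignment; either finish it or drop it rather than carrying dead, non-compilable code.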
2106 -@@ -109,7 +471,7 @@ int do_page_fault(struct pt_regs *regs,
2107 - * indicate errors in DSISR but can validly be set in SRR1.
2108 - */
2109 - if (TRAP(regs) == 0x400)
2110 -- error_code &= 0x48200000;
2111 -+ error_code &= 0x58200000;
2112 - else
2113 - is_write = error_code & 0x02000000;
2114 - #endif /* CONFIG_4xx || CONFIG_BOOKE */
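Review bot: same as the powerpc change, the 0x48200000 to 0x58200000 mask change keeps an extra SRR1 bit for TRAP 0x400 but the comment above it is unchanged; state that the kept bit is what the `regs->nip == address` PAGEEXEC check later in this file relies on.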
2115 -@@ -204,15 +566,14 @@ good_area:
2116 - pte_t *ptep;
2117 - pmd_t *pmdp;
2118 -
2119 --#if 0
2120 -+#if 1
2121 - /* It would be nice to actually enforce the VM execute
2122 - permission on CPUs which can do so, but far too
2123 - much stuff in userspace doesn't get the permissions
2124 - right, so we let any page be executed for now. */
2125 - if (! (vma->vm_flags & VM_EXEC))
2126 - goto bad_area;
2127 --#endif
2128 --
2129 -+#else
2130 - /* Since 4xx/Book-E supports per-page execute permission,
2131 - * we lazily flush dcache to icache. */
2132 - ptep = NULL;
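Review bot: flipping `#if 0` to `#if 1` makes the VM_EXEC check live, so the surrounding comment ("It would be nice to actually enforce ... so we let any page be executed for now") is now wrong; rewrite it to say the check is enforced when PaX is in use, or drop it, and note that the original 4xx/Book-E lazy dcache/icache flush code is now the `#else` branch.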
2133 -@@ -235,6 +596,7 @@ good_area:
2134 - pte_unmap_unlock(ptep, ptl);
2135 - }
2136 - #endif
2137 -+#endif
2138 - /* a read */
2139 - } else {
2140 - /* protection fault */
2141 -@@ -278,6 +640,33 @@ bad_area:
2142 -
2143 - /* User mode accesses cause a SIGSEGV */
2144 - if (user_mode(regs)) {
2145 -+
2146 -+#ifdef CONFIG_PAX_PAGEEXEC
2147 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2148 -+ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
2149 -+ switch (pax_handle_fetch_fault(regs)) {
2150 -+
2151 -+#ifdef CONFIG_PAX_EMUPLT
2152 -+ case 2:
2153 -+ case 3:
2154 -+ case 4:
2155 -+ return 0;
2156 -+#endif
2157 -+
2158 -+#ifdef CONFIG_PAX_EMUSIGRT
2159 -+ case 5:
2160 -+ case 6:
2161 -+ return 0;
2162 -+#endif
2163 -+
2164 -+ }
2165 -+
2166 -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
2167 -+ do_group_exit(SIGKILL);
2168 -+ }
2169 -+ }
2170 -+#endif
2171 -+
2172 - _exception(SIGSEGV, regs, code, address);
2173 - return 0;
2174 - }
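Review bot: this copy passes `regs->gpr[1]` to pax_report_fault() where the powerpc version of the same block uses `regs->gpr[PT_R1]`; use the PT_R1 name here as well so the two call sites stay consistent and the stack pointer register is self-describing.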
2175 -diff -urNp linux-2.6.24.4/arch/s390/kernel/module.c linux-2.6.24.4/arch/s390/kernel/module.c
2176 ---- linux-2.6.24.4/arch/s390/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
2177 -+++ linux-2.6.24.4/arch/s390/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
2178 -@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2179 -
2180 - /* Increase core size by size of got & plt and set start
2181 - offsets for got and plt. */
2182 -- me->core_size = ALIGN(me->core_size, 4);
2183 -- me->arch.got_offset = me->core_size;
2184 -- me->core_size += me->arch.got_size;
2185 -- me->arch.plt_offset = me->core_size;
2186 -- me->core_size += me->arch.plt_size;
2187 -+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2188 -+ me->arch.got_offset = me->core_size_rw;
2189 -+ me->core_size_rw += me->arch.got_size;
2190 -+ me->arch.plt_offset = me->core_size_rx;
2191 -+ me->core_size_rx += me->arch.plt_size;
2192 - return 0;
2193 - }
2194 -
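Review bot: the original aligned `core_size` to 4 before deriving both got_offset and plt_offset, but the replacement aligns only `core_size_rw`; `plt_offset` is taken from `core_size_rx` unaligned. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`.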
2195 -@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2196 - if (info->got_initialized == 0) {
2197 - Elf_Addr *gotent;
2198 -
2199 -- gotent = me->module_core + me->arch.got_offset +
2200 -+ gotent = me->module_core_rw + me->arch.got_offset +
2201 - info->got_offset;
2202 - *gotent = val;
2203 - info->got_initialized = 1;
2204 -@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2205 - else if (r_type == R_390_GOTENT ||
2206 - r_type == R_390_GOTPLTENT)
2207 - *(unsigned int *) loc =
2208 -- (val + (Elf_Addr) me->module_core - loc) >> 1;
2209 -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2210 - else if (r_type == R_390_GOT64 ||
2211 - r_type == R_390_GOTPLT64)
2212 - *(unsigned long *) loc = val;
2213 -@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2214 - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2215 - if (info->plt_initialized == 0) {
2216 - unsigned int *ip;
2217 -- ip = me->module_core + me->arch.plt_offset +
2218 -+ ip = me->module_core_rx + me->arch.plt_offset +
2219 - info->plt_offset;
2220 - #ifndef CONFIG_64BIT
2221 - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2222 -@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2223 - val = me->arch.plt_offset - me->arch.got_offset +
2224 - info->plt_offset + rela->r_addend;
2225 - else
2226 -- val = (Elf_Addr) me->module_core +
2227 -+ val = (Elf_Addr) me->module_core_rx +
2228 - me->arch.plt_offset + info->plt_offset +
2229 - rela->r_addend - loc;
2230 - if (r_type == R_390_PLT16DBL)
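Review bot: the unchanged PLTOFF branch `val = me->arch.plt_offset - me->arch.got_offset + info->plt_offset + rela->r_addend;` assumes GOT and PLT live in the same region, but after this change got_offset is relative to module_core_rw and plt_offset to module_core_rx, so the subtraction no longer yields the GOT-to-PLT distance; compute it from the two base addresses, e.g. `((Elf_Addr) me->module_core_rx + me->arch.plt_offset) - ((Elf_Addr) me->module_core_rw + me->arch.got_offset)`.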
2231 -@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2232 - case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2233 - case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2234 - val = val + rela->r_addend -
2235 -- ((Elf_Addr) me->module_core + me->arch.got_offset);
2236 -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2237 - if (r_type == R_390_GOTOFF16)
2238 - *(unsigned short *) loc = val;
2239 - else if (r_type == R_390_GOTOFF32)
2240 -@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2241 - break;
2242 - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2243 - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2244 -- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2245 -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2246 - rela->r_addend - loc;
2247 - if (r_type == R_390_GOTPC)
2248 - *(unsigned int *) loc = val;
2249 -diff -urNp linux-2.6.24.4/arch/sparc/kernel/ptrace.c linux-2.6.24.4/arch/sparc/kernel/ptrace.c
2250 ---- linux-2.6.24.4/arch/sparc/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
2251 -+++ linux-2.6.24.4/arch/sparc/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
2252 -@@ -19,6 +19,7 @@
2253 - #include <linux/smp_lock.h>
2254 - #include <linux/security.h>
2255 - #include <linux/signal.h>
2256 -+#include <linux/grsecurity.h>
2257 -
2258 - #include <asm/pgtable.h>
2259 - #include <asm/system.h>
2260 -@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
2261 - goto out;
2262 - }
2263 -
2264 -+ if (gr_handle_ptrace(child, request)) {
2265 -+ pt_error_return(regs, EPERM);
2266 -+ goto out_tsk;
2267 -+ }
2268 -+
2269 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
2270 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
2271 - if (ptrace_attach(child)) {
2272 -diff -urNp linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c
2273 ---- linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
2274 -+++ linux-2.6.24.4/arch/sparc/kernel/sys_sparc.c 2008-03-26 17:56:55.000000000 -0400
2275 -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
2276 - if (ARCH_SUN4C_SUN4 && len > 0x20000000)
2277 - return -ENOMEM;
2278 - if (!addr)
2279 -- addr = TASK_UNMAPPED_BASE;
2280 -+ addr = current->mm->mmap_base;
2281 -
2282 - if (flags & MAP_SHARED)
2283 - addr = COLOUR_ALIGN(addr);
2284 -diff -urNp linux-2.6.24.4/arch/sparc/Makefile linux-2.6.24.4/arch/sparc/Makefile
2285 ---- linux-2.6.24.4/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
2286 -+++ linux-2.6.24.4/arch/sparc/Makefile 2008-03-26 17:56:55.000000000 -0400
2287 -@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
2288 - # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
2289 - INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
2290 - CORE_Y := $(core-y)
2291 --CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
2292 -+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
2293 - CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
2294 - DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
2295 - NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
2296 -diff -urNp linux-2.6.24.4/arch/sparc/mm/fault.c linux-2.6.24.4/arch/sparc/mm/fault.c
2297 ---- linux-2.6.24.4/arch/sparc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
2298 -+++ linux-2.6.24.4/arch/sparc/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
2299 -@@ -21,6 +21,10 @@
2300 - #include <linux/interrupt.h>
2301 - #include <linux/module.h>
2302 - #include <linux/kdebug.h>
2303 -+#include <linux/slab.h>
2304 -+#include <linux/pagemap.h>
2305 -+#include <linux/compiler.h>
2306 -+#include <linux/binfmts.h>
2307 -
2308 - #include <asm/system.h>
2309 - #include <asm/page.h>
2310 -@@ -216,6 +220,251 @@ static unsigned long compute_si_addr(str
2311 - return safe_compute_effective_address(regs, insn);
2312 - }
2313 -
2314 -+#ifdef CONFIG_PAX_PAGEEXEC
2315 -+void pax_emuplt_close(struct vm_area_struct *vma)
2316 -+{
2317 -+ vma->vm_mm->call_dl_resolve = 0UL;
2318 -+}
2319 -+
2320 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
2321 -+{
2322 -+ struct page *page;
2323 -+ unsigned int *kaddr;
2324 -+
2325 -+ page = alloc_page(GFP_HIGHUSER);
2326 -+ if (!page)
2327 -+ return NOPAGE_OOM;
2328 -+
2329 -+ kaddr = kmap(page);
2330 -+ memset(kaddr, 0, PAGE_SIZE);
2331 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
2332 -+ flush_dcache_page(page);
2333 -+ kunmap(page);
2334 -+ if (type)
2335 -+ *type = VM_FAULT_MAJOR;
2336 -+
2337 -+ return page;
2338 -+}
2339 -+
2340 -+static struct vm_operations_struct pax_vm_ops = {
2341 -+ .close = pax_emuplt_close,
2342 -+ .nopage = pax_emuplt_nopage,
2343 -+};
2344 -+
2345 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
2346 -+{
2347 -+ int ret;
2348 -+
2349 -+ vma->vm_mm = current->mm;
2350 -+ vma->vm_start = addr;
2351 -+ vma->vm_end = addr + PAGE_SIZE;
2352 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
2353 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2354 -+ vma->vm_ops = &pax_vm_ops;
2355 -+
2356 -+ ret = insert_vm_struct(current->mm, vma);
2357 -+ if (ret)
2358 -+ return ret;
2359 -+
2360 -+ ++current->mm->total_vm;
2361 -+ return 0;
2362 -+}
2363 -+
2364 -+/*
2365 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
2366 -+ *
2367 -+ * returns 1 when task should be killed
2368 -+ * 2 when patched PLT trampoline was detected
2369 -+ * 3 when unpatched PLT trampoline was detected
2370 -+ */
2371 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
2372 -+{
2373 -+
2374 -+#ifdef CONFIG_PAX_EMUPLT
2375 -+ int err;
2376 -+
2377 -+ do { /* PaX: patched PLT emulation #1 */
2378 -+ unsigned int sethi1, sethi2, jmpl;
2379 -+
2380 -+ err = get_user(sethi1, (unsigned int *)regs->pc);
2381 -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
2382 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
2383 -+
2384 -+ if (err)
2385 -+ break;
2386 -+
2387 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2388 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
2389 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
2390 -+ {
2391 -+ unsigned int addr;
2392 -+
2393 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
2394 -+ addr = regs->u_regs[UREG_G1];
2395 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
2396 -+ regs->pc = addr;
2397 -+ regs->npc = addr+4;
2398 -+ return 2;
2399 -+ }
2400 -+ } while (0);
2401 -+
2402 -+ { /* PaX: patched PLT emulation #2 */
2403 -+ unsigned int ba;
2404 -+
2405 -+ err = get_user(ba, (unsigned int *)regs->pc);
2406 -+
2407 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
2408 -+ unsigned int addr;
2409 -+
2410 -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
2411 -+ regs->pc = addr;
2412 -+ regs->npc = addr+4;
2413 -+ return 2;
2414 -+ }
2415 -+ }
2416 -+
2417 -+ do { /* PaX: patched PLT emulation #3 */
2418 -+ unsigned int sethi, jmpl, nop;
2419 -+
2420 -+ err = get_user(sethi, (unsigned int *)regs->pc);
2421 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
2422 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
2423 -+
2424 -+ if (err)
2425 -+ break;
2426 -+
2427 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2428 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
2429 -+ nop == 0x01000000U)
2430 -+ {
2431 -+ unsigned int addr;
2432 -+
2433 -+ addr = (sethi & 0x003FFFFFU) << 10;
2434 -+ regs->u_regs[UREG_G1] = addr;
2435 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
2436 -+ regs->pc = addr;
2437 -+ regs->npc = addr+4;
2438 -+ return 2;
2439 -+ }
2440 -+ } while (0);
2441 -+
2442 -+ do { /* PaX: unpatched PLT emulation step 1 */
2443 -+ unsigned int sethi, ba, nop;
2444 -+
2445 -+ err = get_user(sethi, (unsigned int *)regs->pc);
2446 -+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
2447 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
2448 -+
2449 -+ if (err)
2450 -+ break;
2451 -+
2452 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2453 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
2454 -+ nop == 0x01000000U)
2455 -+ {
2456 -+ unsigned int addr, save, call;
2457 -+
2458 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
2459 -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
2460 -+ else
2461 -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
2462 -+
2463 -+ err = get_user(save, (unsigned int *)addr);
2464 -+ err |= get_user(call, (unsigned int *)(addr+4));
2465 -+ err |= get_user(nop, (unsigned int *)(addr+8));
2466 -+ if (err)
2467 -+ break;
2468 -+
2469 -+ if (save == 0x9DE3BFA8U &&
2470 -+ (call & 0xC0000000U) == 0x40000000U &&
2471 -+ nop == 0x01000000U)
2472 -+ {
2473 -+ struct vm_area_struct *vma;
2474 -+ unsigned long call_dl_resolve;
2475 -+
2476 -+ down_read(&current->mm->mmap_sem);
2477 -+ call_dl_resolve = current->mm->call_dl_resolve;
2478 -+ up_read(&current->mm->mmap_sem);
2479 -+ if (likely(call_dl_resolve))
2480 -+ goto emulate;
2481 -+
2482 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
2483 -+
2484 -+ down_write(&current->mm->mmap_sem);
2485 -+ if (current->mm->call_dl_resolve) {
2486 -+ call_dl_resolve = current->mm->call_dl_resolve;
2487 -+ up_write(&current->mm->mmap_sem);
2488 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2489 -+ goto emulate;
2490 -+ }
2491 -+
2492 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
2493 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
2494 -+ up_write(&current->mm->mmap_sem);
2495 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
2496 -+ return 1;
2497 -+ }
2498 -+
2499 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
2500 -+ up_write(&current->mm->mmap_sem);
2501 -+ kmem_cache_free(vm_area_cachep, vma);
2502 -+ return 1;
2503 -+ }
2504 -+
2505 -+ current->mm->call_dl_resolve = call_dl_resolve;
2506 -+ up_write(&current->mm->mmap_sem);
2507 -+
2508 -+emulate:
2509 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
2510 -+ regs->pc = call_dl_resolve;
2511 -+ regs->npc = addr+4;
2512 -+ return 3;
2513 -+ }
2514 -+ }
2515 -+ } while (0);
2516 -+
2517 -+ do { /* PaX: unpatched PLT emulation step 2 */
2518 -+ unsigned int save, call, nop;
2519 -+
2520 -+ err = get_user(save, (unsigned int *)(regs->pc-4));
2521 -+ err |= get_user(call, (unsigned int *)regs->pc);
2522 -+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
2523 -+ if (err)
2524 -+ break;
2525 -+
2526 -+ if (save == 0x9DE3BFA8U &&
2527 -+ (call & 0xC0000000U) == 0x40000000U &&
2528 -+ nop == 0x01000000U)
2529 -+ {
2530 -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
2531 -+
2532 -+ regs->u_regs[UREG_RETPC] = regs->pc;
2533 -+ regs->pc = dl_resolve;
2534 -+ regs->npc = dl_resolve+4;
2535 -+ return 3;
2536 -+ }
2537 -+ } while (0);
2538 -+#endif
2539 -+
2540 -+ return 1;
2541 -+}
2542 -+
2543 -+void pax_report_insns(void *pc, void *sp)
2544 -+{
2545 -+ unsigned long i;
2546 -+
2547 -+ printk(KERN_ERR "PAX: bytes at PC: ");
2548 -+ for (i = 0; i < 5; i++) {
2549 -+ unsigned int c;
2550 -+ if (get_user(c, (unsigned int *)pc+i))
2551 -+ printk("???????? ");
2552 -+ else
2553 -+ printk("%08x ", c);
2554 -+ }
2555 -+ printk("\n");
2556 -+}
2557 -+#endif
2558 -+
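Review bot: the `emulate:` path in "unpatched PLT emulation step 1" sets `regs->pc = call_dl_resolve` but `regs->npc = addr+4`, which only works because the page from pax_emuplt_nopage() holds a lone `save` and execution is meant to continue at the real sequence's `call`; add a comment saying so, since the mixed pc/npc sources look like a bug otherwise. Minor: "patched PLT emulation #2" is a bare `{ }` block while its siblings use `do { } while (0)`; pick one form.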
2559 - asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
2560 - unsigned long address)
2561 - {
2562 -@@ -280,6 +529,24 @@ good_area:
2563 - if(!(vma->vm_flags & VM_WRITE))
2564 - goto bad_area;
2565 - } else {
2566 -+
2567 -+#ifdef CONFIG_PAX_PAGEEXEC
2568 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
2569 -+ up_read(&mm->mmap_sem);
2570 -+ switch (pax_handle_fetch_fault(regs)) {
2571 -+
2572 -+#ifdef CONFIG_PAX_EMUPLT
2573 -+ case 2:
2574 -+ case 3:
2575 -+ return;
2576 -+#endif
2577 -+
2578 -+ }
2579 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
2580 -+ do_group_exit(SIGKILL);
2581 -+ }
2582 -+#endif
2583 -+
2584 - /* Allow reads even for write-only mappings */
2585 - if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
2586 - goto bad_area;
2587 -diff -urNp linux-2.6.24.4/arch/sparc/mm/init.c linux-2.6.24.4/arch/sparc/mm/init.c
2588 ---- linux-2.6.24.4/arch/sparc/mm/init.c 2008-03-24 14:49:18.000000000 -0400
2589 -+++ linux-2.6.24.4/arch/sparc/mm/init.c 2008-03-26 17:56:55.000000000 -0400
2590 -@@ -336,17 +336,17 @@ void __init paging_init(void)
2591 -
2592 - /* Initialize the protection map with non-constant, MMU dependent values. */
2593 - protection_map[0] = PAGE_NONE;
2594 -- protection_map[1] = PAGE_READONLY;
2595 -- protection_map[2] = PAGE_COPY;
2596 -- protection_map[3] = PAGE_COPY;
2597 -+ protection_map[1] = PAGE_READONLY_NOEXEC;
2598 -+ protection_map[2] = PAGE_COPY_NOEXEC;
2599 -+ protection_map[3] = PAGE_COPY_NOEXEC;
2600 - protection_map[4] = PAGE_READONLY;
2601 - protection_map[5] = PAGE_READONLY;
2602 - protection_map[6] = PAGE_COPY;
2603 - protection_map[7] = PAGE_COPY;
2604 - protection_map[8] = PAGE_NONE;
2605 -- protection_map[9] = PAGE_READONLY;
2606 -- protection_map[10] = PAGE_SHARED;
2607 -- protection_map[11] = PAGE_SHARED;
2608 -+ protection_map[9] = PAGE_READONLY_NOEXEC;
2609 -+ protection_map[10] = PAGE_SHARED_NOEXEC;
2610 -+ protection_map[11] = PAGE_SHARED_NOEXEC;
2611 - protection_map[12] = PAGE_READONLY;
2612 - protection_map[13] = PAGE_READONLY;
2613 - protection_map[14] = PAGE_SHARED;
2614 -diff -urNp linux-2.6.24.4/arch/sparc/mm/srmmu.c linux-2.6.24.4/arch/sparc/mm/srmmu.c
2615 ---- linux-2.6.24.4/arch/sparc/mm/srmmu.c 2008-03-24 14:49:18.000000000 -0400
2616 -+++ linux-2.6.24.4/arch/sparc/mm/srmmu.c 2008-03-26 17:56:55.000000000 -0400
2617 -@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
2618 - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
2619 - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
2620 - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
2621 -+
2622 -+#ifdef CONFIG_PAX_PAGEEXEC
2623 -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
2624 -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
2625 -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
2626 -+#endif
2627 -+
2628 - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
2629 - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
2630 -
2631 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/Makefile linux-2.6.24.4/arch/sparc64/kernel/Makefile
2632 ---- linux-2.6.24.4/arch/sparc64/kernel/Makefile 2008-03-24 14:49:18.000000000 -0400
2633 -+++ linux-2.6.24.4/arch/sparc64/kernel/Makefile 2008-03-26 17:56:55.000000000 -0400
2634 -@@ -3,7 +3,7 @@
2635 - #
2636 -
2637 - EXTRA_AFLAGS := -ansi
2638 --EXTRA_CFLAGS := -Werror
2639 -+#EXTRA_CFLAGS := -Werror
2640 -
2641 - extra-y := head.o init_task.o vmlinux.lds
2642 -
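Review bot: commenting out `EXTRA_CFLAGS := -Werror` turns off warnings-as-errors for all of arch/sparc64/kernel instead of addressing whatever warning the PaX changes introduce there. Please either fix the warning at its source or record in the patch description which file needs this and why, so the line can be restored once the cause is gone.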
2643 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/ptrace.c linux-2.6.24.4/arch/sparc64/kernel/ptrace.c
2644 ---- linux-2.6.24.4/arch/sparc64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
2645 -+++ linux-2.6.24.4/arch/sparc64/kernel/ptrace.c 2008-03-26 17:56:55.000000000 -0400
2646 -@@ -22,6 +22,7 @@
2647 - #include <linux/seccomp.h>
2648 - #include <linux/audit.h>
2649 - #include <linux/signal.h>
2650 -+#include <linux/grsecurity.h>
2651 -
2652 - #include <asm/asi.h>
2653 - #include <asm/pgtable.h>
2654 -@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
2655 - goto out;
2656 - }
2657 -
2658 -+ if (gr_handle_ptrace(child, (long)request)) {
2659 -+ pt_error_return(regs, EPERM);
2660 -+ goto out_tsk;
2661 -+ }
2662 -+
2663 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
2664 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
2665 - if (ptrace_attach(child)) {
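Review bot: the new gr_handle_ptrace() gate in do_ptrace() has no comment; a one-liner stating that it mediates every request, not only PTRACE_ATTACH/PTRACE_SUNATTACH, and why it sits ahead of the attach branch would help. It is also worth double-checking that `goto out_tsk`, rather than the `goto out` used two lines earlier, is the right exit at this point, i.e. that child has already been looked up and holds a reference here, so the EPERM path neither leaks nor double-drops it.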
2666 -diff -urNp linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c
2667 ---- linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
2668 -+++ linux-2.6.24.4/arch/sparc64/kernel/sys_sparc.c 2008-03-26 17:56:55.000000000 -0400
2669 -@@ -123,7 +123,7 @@ unsigned long arch_get_unmapped_area(str
2670 - /* We do not accept a shared mapping if it would violate
2671 - * cache aliasing constraints.
2672 - */
2673 -- if ((flags & MAP_SHARED) &&
2674 -+ if ((filp || (flags & MAP_SHARED)) &&
2675 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
2676 - return -EINVAL;
2677 - return addr;
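Review bot: widening the MAP_FIXED alignment test from `(flags & MAP_SHARED)` to `(filp || (flags & MAP_SHARED))` is a user-visible behaviour change: a MAP_FIXED private file mapping at an address that is not SHMLBA-aligned was previously accepted and now fails with -EINVAL. It makes the check consistent with the `if (filp || (flags & MAP_SHARED)) do_color_align = 1;` condition in the next hunk, but the patch description should say so explicitly.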
2678 -@@ -138,6 +138,10 @@ unsigned long arch_get_unmapped_area(str
2679 - if (filp || (flags & MAP_SHARED))
2680 - do_color_align = 1;
2681 -
2682 -+#ifdef CONFIG_PAX_RANDMMAP
2683 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
2684 -+#endif
2685 -+
2686 - if (addr) {
2687 - if (do_color_align)
2688 - addr = COLOUR_ALIGN(addr, pgoff);
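Review bot: the #ifdef CONFIG_PAX_RANDMMAP'd `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` has no braces and is separated from the `if (addr) {` it governs by a blank line, so the control flow is easy to misread and any statement inserted between them later would silently change behaviour. Please remove the blank line, add a comment that the caller's address hint is ignored for randomised anonymous mappings, and consider braces around the whole `if (addr)` block so the nesting is explicit.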
2689 -@@ -151,9 +155,9 @@ unsigned long arch_get_unmapped_area(str
2690 - }
2691 -
2692 - if (len > mm->cached_hole_size) {
2693 -- start_addr = addr = mm->free_area_cache;
2694 -+ start_addr = addr = mm->free_area_cache;
2695 - } else {
2696 -- start_addr = addr = TASK_UNMAPPED_BASE;
2697 -+ start_addr = addr = mm->mmap_base;
2698 - mm->cached_hole_size = 0;
2699 - }
2700 -
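Review bot: the first -/+ pair in this hunk, `start_addr = addr = mm->free_area_cache;`, is textually identical on both sides, so it is a whitespace-only change; please drop it so the hunk carries only the TASK_UNMAPPED_BASE to mm->mmap_base substitution.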
2701 -@@ -173,8 +177,8 @@ full_search:
2702 - vma = find_vma(mm, VA_EXCLUDE_END);
2703 - }
2704 - if (unlikely(task_size < addr)) {
2705 -- if (start_addr != TASK_UNMAPPED_BASE) {
2706 -- start_addr = addr = TASK_UNMAPPED_BASE;
2707 -+ if (start_addr != mm->mmap_base) {
2708 -+ start_addr = addr = mm->mmap_base;
2709 - mm->cached_hole_size = 0;
2710 - goto full_search;
2711 - }
2712 -@@ -214,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
2713 - /* We do not accept a shared mapping if it would violate
2714 - * cache aliasing constraints.
2715 - */
2716 -- if ((flags & MAP_SHARED) &&
2717 -+ if ((filp || (flags & MAP_SHARED)) &&
2718 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
2719 - return -EINVAL;
2720 - return addr;
2721 -@@ -377,6 +381,12 @@ void arch_pick_mmap_layout(struct mm_str
2722 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
2723 - sysctl_legacy_va_layout) {
2724 - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
2725 -+
2726 -+#ifdef CONFIG_PAX_RANDMMAP
2727 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2728 -+ mm->mmap_base += mm->delta_mmap;
2729 -+#endif
2730 -+
2731 - mm->get_unmapped_area = arch_get_unmapped_area;
2732 - mm->unmap_area = arch_unmap_area;
2733 - } else {
2734 -@@ -391,6 +401,12 @@ void arch_pick_mmap_layout(struct mm_str
2735 - gap = (task_size / 6 * 5);
2736 -
2737 - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
2738 -+
2739 -+#ifdef CONFIG_PAX_RANDMMAP
2740 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2741 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2742 -+#endif
2743 -+
2744 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2745 - mm->unmap_area = arch_unmap_area_topdown;
2746 - }
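Review bot: the two arch_pick_mmap_layout() hunks are asymmetric: the legacy layout adds mm->delta_mmap to mmap_base, while the top-down layout subtracts mm->delta_mmap + mm->delta_stack from PAGE_ALIGN(task_size - gap - random_factor). Please add a comment explaining why the stack delta is also accounted for in the top-down case and confirm that, with random_factor and both PaX deltas at their maximum, the subtraction cannot move mmap_base below the area the legacy layout would use.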
2747 -diff -urNp linux-2.6.24.4/arch/sparc64/mm/fault.c linux-2.6.24.4/arch/sparc64/mm/fault.c
2748 ---- linux-2.6.24.4/arch/sparc64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
2749 -+++ linux-2.6.24.4/arch/sparc64/mm/fault.c 2008-03-26 18:53:27.000000000 -0400
2750 -@@ -20,6 +20,10 @@
2751 - #include <linux/kprobes.h>
2752 - #include <linux/kallsyms.h>
2753 - #include <linux/kdebug.h>
2754 -+#include <linux/slab.h>
2755 -+#include <linux/pagemap.h>
2756 -+#include <linux/compiler.h>
2757 -+#include <linux/binfmts.h>
2758 -
2759 - #include <asm/page.h>
2760 - #include <asm/pgtable.h>
2761 -@@ -262,6 +266,368 @@ cannot_handle:
2762 - unhandled_fault (address, current, regs);
2763 - }
2764 -
2765 -+#ifdef CONFIG_PAX_PAGEEXEC
2766 -+#ifdef CONFIG_PAX_EMUPLT
2767 -+static void pax_emuplt_close(struct vm_area_struct *vma)
2768 -+{
2769 -+ vma->vm_mm->call_dl_resolve = 0UL;
2770 -+}
2771 -+
2772 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
2773 -+{
2774 -+ struct page *page;
2775 -+ unsigned int *kaddr;
2776 -+
2777 -+ page = alloc_page(GFP_HIGHUSER);
2778 -+ if (!page)
2779 -+ return NOPAGE_OOM;
2780 -+
2781 -+ kaddr = kmap(page);
2782 -+ memset(kaddr, 0, PAGE_SIZE);
2783 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
2784 -+ flush_dcache_page(page);
2785 -+ kunmap(page);
2786 -+ if (type)
2787 -+ *type = VM_FAULT_MAJOR;
2788 -+ return page;
2789 -+}
2790 -+
2791 -+static struct vm_operations_struct pax_vm_ops = {
2792 -+ .close = pax_emuplt_close,
2793 -+ .nopage = pax_emuplt_nopage,
2794 -+};
2795 -+
2796 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
2797 -+{
2798 -+ int ret;
2799 -+
2800 -+ vma->vm_mm = current->mm;
2801 -+ vma->vm_start = addr;
2802 -+ vma->vm_end = addr + PAGE_SIZE;
2803 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
2804 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
2805 -+ vma->vm_ops = &pax_vm_ops;
2806 -+
2807 -+ ret = insert_vm_struct(current->mm, vma);
2808 -+ if (ret)
2809 -+ return ret;
2810 -+
2811 -+ ++current->mm->total_vm;
2812 -+ return 0;
2813 -+}
2814 -+#endif
2815 -+
2816 -+/*
2817 -+ * PaX: decide what to do with offenders (regs->tpc = fault address)
2818 -+ *
2819 -+ * returns 1 when task should be killed
2820 -+ * 2 when patched PLT trampoline was detected
2821 -+ * 3 when unpatched PLT trampoline was detected
2822 -+ */
2823 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
2824 -+{
2825 -+
2826 -+#ifdef CONFIG_PAX_EMUPLT
2827 -+ int err;
2828 -+
2829 -+ do { /* PaX: patched PLT emulation #1 */
2830 -+ unsigned int sethi1, sethi2, jmpl;
2831 -+
2832 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2833 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2834 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
2835 -+
2836 -+ if (err)
2837 -+ break;
2838 -+
2839 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2840 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
2841 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
2842 -+ {
2843 -+ unsigned long addr;
2844 -+
2845 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
2846 -+ addr = regs->u_regs[UREG_G1];
2847 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
2848 -+ regs->tpc = addr;
2849 -+ regs->tnpc = addr+4;
2850 -+ return 2;
2851 -+ }
2852 -+ } while (0);
2853 -+
2854 -+ { /* PaX: patched PLT emulation #2 */
2855 -+ unsigned int ba;
2856 -+
2857 -+ err = get_user(ba, (unsigned int *)regs->tpc);
2858 -+
2859 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
2860 -+ unsigned long addr;
2861 -+
2862 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
2863 -+ regs->tpc = addr;
2864 -+ regs->tnpc = addr+4;
2865 -+ return 2;
2866 -+ }
2867 -+ }
2868 -+
2869 -+ do { /* PaX: patched PLT emulation #3 */
2870 -+ unsigned int sethi, jmpl, nop;
2871 -+
2872 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
2873 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
2874 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
2875 -+
2876 -+ if (err)
2877 -+ break;
2878 -+
2879 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2880 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
2881 -+ nop == 0x01000000U)
2882 -+ {
2883 -+ unsigned long addr;
2884 -+
2885 -+ addr = (sethi & 0x003FFFFFU) << 10;
2886 -+ regs->u_regs[UREG_G1] = addr;
2887 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
2888 -+ regs->tpc = addr;
2889 -+ regs->tnpc = addr+4;
2890 -+ return 2;
2891 -+ }
2892 -+ } while (0);
2893 -+
2894 -+ do { /* PaX: patched PLT emulation #4 */
2895 -+ unsigned int mov1, call, mov2;
2896 -+
2897 -+ err = get_user(mov1, (unsigned int *)regs->tpc);
2898 -+ err |= get_user(call, (unsigned int *)(regs->tpc+4));
2899 -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
2900 -+
2901 -+ if (err)
2902 -+ break;
2903 -+
2904 -+ if (mov1 == 0x8210000FU &&
2905 -+ (call & 0xC0000000U) == 0x40000000U &&
2906 -+ mov2 == 0x9E100001U)
2907 -+ {
2908 -+ unsigned long addr;
2909 -+
2910 -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
2911 -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
2912 -+ regs->tpc = addr;
2913 -+ regs->tnpc = addr+4;
2914 -+ return 2;
2915 -+ }
2916 -+ } while (0);
2917 -+
2918 -+ do { /* PaX: patched PLT emulation #5 */
2919 -+ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
2920 -+
2921 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2922 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2923 -+ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
2924 -+ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
2925 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
2926 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
2927 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
2928 -+
2929 -+ if (err)
2930 -+ break;
2931 -+
2932 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2933 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
2934 -+ (or1 & 0xFFFFE000U) == 0x82106000U &&
2935 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
2936 -+ sllx == 0x83287020 &&
2937 -+ jmpl == 0x81C04005U &&
2938 -+ nop == 0x01000000U)
2939 -+ {
2940 -+ unsigned long addr;
2941 -+
2942 -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
2943 -+ regs->u_regs[UREG_G1] <<= 32;
2944 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
2945 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
2946 -+ regs->tpc = addr;
2947 -+ regs->tnpc = addr+4;
2948 -+ return 2;
2949 -+ }
2950 -+ } while (0);
2951 -+
2952 -+ do { /* PaX: patched PLT emulation #6 */
2953 -+ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
2954 -+
2955 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
2956 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
2957 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
2958 -+ err |= get_user(or, (unsigned int *)(regs->tpc+12));
2959 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
2960 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
2961 -+
2962 -+ if (err)
2963 -+ break;
2964 -+
2965 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
2966 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
2967 -+ sllx == 0x83287020 &&
2968 -+ (or & 0xFFFFE000U) == 0x8A116000U &&
2969 -+ jmpl == 0x81C04005U &&
2970 -+ nop == 0x01000000U)
2971 -+ {
2972 -+ unsigned long addr;
2973 -+
2974 -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
2975 -+ regs->u_regs[UREG_G1] <<= 32;
2976 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
2977 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
2978 -+ regs->tpc = addr;
2979 -+ regs->tnpc = addr+4;
2980 -+ return 2;
2981 -+ }
2982 -+ } while (0);
2983 -+
2984 -+ do { /* PaX: patched PLT emulation #7 */
2985 -+ unsigned int sethi, ba, nop;
2986 -+
2987 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
2988 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
2989 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
2990 -+
2991 -+ if (err)
2992 -+ break;
2993 -+
2994 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
2995 -+ (ba & 0xFFF00000U) == 0x30600000U &&
2996 -+ nop == 0x01000000U)
2997 -+ {
2998 -+ unsigned long addr;
2999 -+
3000 -+ addr = (sethi & 0x003FFFFFU) << 10;
3001 -+ regs->u_regs[UREG_G1] = addr;
3002 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3003 -+ regs->tpc = addr;
3004 -+ regs->tnpc = addr+4;
3005 -+ return 2;
3006 -+ }
3007 -+ } while (0);
3008 -+
3009 -+ do { /* PaX: unpatched PLT emulation step 1 */
3010 -+ unsigned int sethi, ba, nop;
3011 -+
3012 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
3013 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
3014 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
3015 -+
3016 -+ if (err)
3017 -+ break;
3018 -+
3019 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
3020 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
3021 -+ nop == 0x01000000U)
3022 -+ {
3023 -+ unsigned long addr;
3024 -+ unsigned int save, call;
3025 -+
3026 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
3027 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
3028 -+ else
3029 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
3030 -+
3031 -+ err = get_user(save, (unsigned int *)addr);
3032 -+ err |= get_user(call, (unsigned int *)(addr+4));
3033 -+ err |= get_user(nop, (unsigned int *)(addr+8));
3034 -+ if (err)
3035 -+ break;
3036 -+
3037 -+ if (save == 0x9DE3BFA8U &&
3038 -+ (call & 0xC0000000U) == 0x40000000U &&
3039 -+ nop == 0x01000000U)
3040 -+ {
3041 -+ struct vm_area_struct *vma;
3042 -+ unsigned long call_dl_resolve;
3043 -+
3044 -+ down_read(&current->mm->mmap_sem);
3045 -+ call_dl_resolve = current->mm->call_dl_resolve;
3046 -+ up_read(&current->mm->mmap_sem);
3047 -+ if (likely(call_dl_resolve))
3048 -+ goto emulate;
3049 -+
3050 -+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
3051 -+
3052 -+ down_write(&current->mm->mmap_sem);
3053 -+ if (current->mm->call_dl_resolve) {
3054 -+ call_dl_resolve = current->mm->call_dl_resolve;
3055 -+ up_write(&current->mm->mmap_sem);
3056 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
3057 -+ goto emulate;
3058 -+ }
3059 -+
3060 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
3061 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
3062 -+ up_write(&current->mm->mmap_sem);
3063 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
3064 -+ return 1;
3065 -+ }
3066 -+
3067 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
3068 -+ up_write(&current->mm->mmap_sem);
3069 -+ kmem_cache_free(vm_area_cachep, vma);
3070 -+ return 1;
3071 -+ }
3072 -+
3073 -+ current->mm->call_dl_resolve = call_dl_resolve;
3074 -+ up_write(&current->mm->mmap_sem);
3075 -+
3076 -+emulate:
3077 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
3078 -+ regs->tpc = call_dl_resolve;
3079 -+ regs->tnpc = addr+4;
3080 -+ return 3;
3081 -+ }
3082 -+ }
3083 -+ } while (0);
3084 -+
3085 -+ do { /* PaX: unpatched PLT emulation step 2 */
3086 -+ unsigned int save, call, nop;
3087 -+
3088 -+ err = get_user(save, (unsigned int *)(regs->tpc-4));
3089 -+ err |= get_user(call, (unsigned int *)regs->tpc);
3090 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
3091 -+ if (err)
3092 -+ break;
3093 -+
3094 -+ if (save == 0x9DE3BFA8U &&
3095 -+ (call & 0xC0000000U) == 0x40000000U &&
3096 -+ nop == 0x01000000U)
3097 -+ {
3098 -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
3099 -+
3100 -+ regs->u_regs[UREG_RETPC] = regs->tpc;
3101 -+ regs->tpc = dl_resolve;
3102 -+ regs->tnpc = dl_resolve+4;
3103 -+ return 3;
3104 -+ }
3105 -+ } while (0);
3106 -+#endif
3107 -+
3108 -+ return 1;
3109 -+}
3110 -+
3111 -+void pax_report_insns(void *pc, void *sp)
3112 -+{
3113 -+ unsigned long i;
3114 -+
3115 -+ printk(KERN_ERR "PAX: bytes at PC: ");
3116 -+ for (i = 0; i < 5; i++) {
3117 -+ unsigned int c;
3118 -+ if (get_user(c, (unsigned int *)pc+i))
3119 -+ printk("???????? ");
3120 -+ else
3121 -+ printk("%08x ", c);
3122 -+ }
3123 -+ printk("\n");
3124 -+}
3125 -+#endif
3126 -+
3127 - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
3128 - {
3129 - struct mm_struct *mm = current->mm;
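Review bot: two consistency points in pax_handle_fetch_fault(): the `sllx == 0x83287020` comparisons in emulations #5 and #6 are the only instruction constants without a U suffix, and in "unpatched PLT emulation step 1" the `nop` variable is reused for the second get_user() at addr+8, so the later `nop == 0x01000000U` test refers to the word at the branch target rather than the one already matched at tpc+8. Both are correct as written, but adding the suffix and using a separate variable (or a comment) would make that clear. A short comment on why get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE) is called with mmap_sem held for writing, and why the re-check of current->mm->call_dl_resolve under the write lock is needed, would also help reviewers of the locking.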
3130 -@@ -303,8 +669,10 @@ asmlinkage void __kprobes do_sparc64_fau
3131 - goto intr_or_no_mm;
3132 -
3133 - if (test_thread_flag(TIF_32BIT)) {
3134 -- if (!(regs->tstate & TSTATE_PRIV))
3135 -+ if (!(regs->tstate & TSTATE_PRIV)) {
3136 - regs->tpc &= 0xffffffff;
3137 -+ regs->tnpc &= 0xffffffff;
3138 -+ }
3139 - address &= 0xffffffff;
3140 - }
3141 -
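Review bot: the added `regs->tnpc &= 0xffffffff;` for 32-bit user tasks is a standalone correctness fix that is not inside any #ifdef CONFIG_PAX_PAGEEXEC block; please mention it in the patch description, or split it out, so it is not lost if the PaX hunks around it are ever dropped.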
3142 -@@ -321,6 +689,29 @@ asmlinkage void __kprobes do_sparc64_fau
3143 - if (!vma)
3144 - goto bad_area;
3145 -
3146 -+#ifdef CONFIG_PAX_PAGEEXEC
3147 -+ /* PaX: detect ITLB misses on non-exec pages */
3148 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
3149 -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
3150 -+ {
3151 -+ if (address != regs->tpc)
3152 -+ goto good_area;
3153 -+
3154 -+ up_read(&mm->mmap_sem);
3155 -+ switch (pax_handle_fetch_fault(regs)) {
3156 -+
3157 -+#ifdef CONFIG_PAX_EMUPLT
3158 -+ case 2:
3159 -+ case 3:
3160 -+ return;
3161 -+#endif
3162 -+
3163 -+ }
3164 -+ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
3165 -+ do_group_exit(SIGKILL);
3166 -+ }
3167 -+#endif
3168 -+
3169 - /* Pure DTLB misses do not tell us whether the fault causing
3170 - * load/store/atomic was a write or not, it only says that there
3171 - * was no match. So in such a case we (carefully) read the
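Review bot: the `switch (pax_handle_fetch_fault(regs))` has no default case and, with CONFIG_PAX_EMUPLT=n, an empty body, so the fall-through to pax_report_fault() and do_group_exit(SIGKILL) reads like an oversight; add a `default:` (or a comment) stating that return value 1, and anything unexpected, kills the task. Note also that mmap_sem has already been released by the up_read() just before the switch, so nothing after that point may touch vma; a comment there would stop someone from adding a vma dereference later.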
3172 -diff -urNp linux-2.6.24.4/arch/sparc64/mm/Makefile linux-2.6.24.4/arch/sparc64/mm/Makefile
3173 ---- linux-2.6.24.4/arch/sparc64/mm/Makefile 2008-03-24 14:49:18.000000000 -0400
3174 -+++ linux-2.6.24.4/arch/sparc64/mm/Makefile 2008-03-26 17:56:55.000000000 -0400
3175 -@@ -3,7 +3,7 @@
3176 - #
3177 -
3178 - EXTRA_AFLAGS := -ansi
3179 --EXTRA_CFLAGS := -Werror
3180 -+#EXTRA_CFLAGS := -Werror
3181 -
3182 - obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
3183 -
3184 -diff -urNp linux-2.6.24.4/arch/v850/kernel/module.c linux-2.6.24.4/arch/v850/kernel/module.c
3185 ---- linux-2.6.24.4/arch/v850/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
3186 -+++ linux-2.6.24.4/arch/v850/kernel/module.c 2008-03-26 17:56:55.000000000 -0400
3187 -@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
3188 - tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
3189 -
3190 - /* Init, or core PLT? */
3191 -- if (location >= mod->module_core
3192 -- && location < mod->module_core + mod->core_size)
3193 -+ if (location >= mod->module_core_rx
3194 -+ && location < mod->module_core_rx + mod->core_size_rx)
3195 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
3196 - else
3197 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
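Review bot: the PLT selection now tests only the module_core_rx range and treats everything else as init PLT, which is correct only if do_plt_call() is never invoked for a location inside the module's core RW region. Please state that assumption in a comment, since the `else` silently maps any address outside core RX, including core RW, to the init PLT.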
3198 -diff -urNp linux-2.6.24.4/arch/x86/boot/bitops.h linux-2.6.24.4/arch/x86/boot/bitops.h
3199 ---- linux-2.6.24.4/arch/x86/boot/bitops.h 2008-03-24 14:49:18.000000000 -0400
3200 -+++ linux-2.6.24.4/arch/x86/boot/bitops.h 2008-03-26 17:56:55.000000000 -0400
3201 -@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
3202 - u8 v;
3203 - const u32 *p = (const u32 *)addr;
3204 -
3205 -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
3206 -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
3207 - return v;
3208 - }
3209 -
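Review bot: variable_test_bit() is a side-effect-free read, so `asm volatile` here only stops the compiler from merging or hoisting identical tests; if that is needed to work around a miscompilation in the boot code, please say so in a comment, otherwise the plain `asm` with its "m" input operand is the more precise form.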
3210 -@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
3211 -
3212 - static inline void set_bit(int nr, void *addr)
3213 - {
3214 -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
3215 -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
3216 - }
3217 -
3218 - #endif /* BOOT_BITOPS_H */
3219 -diff -urNp linux-2.6.24.4/arch/x86/boot/boot.h linux-2.6.24.4/arch/x86/boot/boot.h
3220 ---- linux-2.6.24.4/arch/x86/boot/boot.h 2008-03-24 14:49:18.000000000 -0400
3221 -+++ linux-2.6.24.4/arch/x86/boot/boot.h 2008-03-26 17:56:55.000000000 -0400
3222 -@@ -78,7 +78,7 @@ static inline void io_delay(void)
3223 - static inline u16 ds(void)
3224 - {
3225 - u16 seg;
3226 -- asm("movw %%ds,%0" : "=rm" (seg));
3227 -+ asm volatile("movw %%ds,%0" : "=rm" (seg));
3228 - return seg;
3229 - }
3230 -
3231 -@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
3232 - static inline int memcmp(const void *s1, const void *s2, size_t len)
3233 - {
3234 - u8 diff;
3235 -- asm("repe; cmpsb; setnz %0"
3236 -+ asm volatile("repe; cmpsb; setnz %0"
3237 - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
3238 - return diff;
3239 - }
3240 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/head_32.S linux-2.6.24.4/arch/x86/boot/compressed/head_32.S
3241 ---- linux-2.6.24.4/arch/x86/boot/compressed/head_32.S 2008-03-24 14:49:18.000000000 -0400
3242 -+++ linux-2.6.24.4/arch/x86/boot/compressed/head_32.S 2008-03-26 17:56:55.000000000 -0400
3243 -@@ -70,7 +70,7 @@ startup_32:
3244 - addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebx
3245 - andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebx
3246 - #else
3247 -- movl $LOAD_PHYSICAL_ADDR, %ebx
3248 -+ movl $____LOAD_PHYSICAL_ADDR, %ebx
3249 - #endif
3250 -
3251 - /* Replace the compressed data size with the uncompressed size */
3252 -@@ -105,7 +105,7 @@ startup_32:
3253 - addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebp
3254 - andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebp
3255 - #else
3256 -- movl $LOAD_PHYSICAL_ADDR, %ebp
3257 -+ movl $____LOAD_PHYSICAL_ADDR, %ebp
3258 - #endif
3259 -
3260 - /*
3261 -@@ -159,16 +159,15 @@ relocated:
3262 - * and where it was actually loaded.
3263 - */
3264 - movl %ebp, %ebx
3265 -- subl $LOAD_PHYSICAL_ADDR, %ebx
3266 -+ subl $____LOAD_PHYSICAL_ADDR, %ebx
3267 - jz 2f /* Nothing to be done if loaded at compiled addr. */
3268 - /*
3269 - * Process relocations.
3270 - */
3271 -
3272 - 1: subl $4, %edi
3273 -- movl 0(%edi), %ecx
3274 -- testl %ecx, %ecx
3275 -- jz 2f
3276 -+ movl (%edi), %ecx
3277 -+ jecxz 2f
3278 - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
3279 - jmp 1b
3280 - 2:
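Review bot: replacing `testl %ecx, %ecx; jz 2f` with `jecxz 2f` is an unrelated micro-optimisation in a security patch and adds a constraint the original did not have: jecxz only has an 8-bit displacement, so if anything grows between `1:` and `2:` the assembler will fail. Either drop the cleanup or add a short comment noting the short-jump range.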
3281 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c
3282 ---- linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c 2008-03-24 14:49:18.000000000 -0400
3283 -+++ linux-2.6.24.4/arch/x86/boot/compressed/misc_32.c 2008-03-26 17:56:55.000000000 -0400
3284 -@@ -113,7 +113,8 @@ typedef unsigned char uch;
3285 - typedef unsigned short ush;
3286 - typedef unsigned long ulg;
3287 -
3288 --#define WSIZE 0x80000000 /* Window size must be at least 32k,
3289 -+#define WSIZE 0x80000000
3290 -+ /* Window size must be at least 32k,
3291 - * and a power of two
3292 - * We don't actually have a window just
3293 - * a huge output buffer so I report
3294 -@@ -370,7 +371,7 @@ asmlinkage void decompress_kernel(void *
3295 - if (end > ((-__PAGE_OFFSET-(512 <<20)-1) & 0x7fffffff))
3296 - error("Destination address too large");
3297 - #ifndef CONFIG_RELOCATABLE
3298 -- if ((u32)output != LOAD_PHYSICAL_ADDR)
3299 -+ if ((u32)output != ____LOAD_PHYSICAL_ADDR)
3300 - error("Wrong destination address");
3301 - #endif
3302 -
3303 -diff -urNp linux-2.6.24.4/arch/x86/boot/compressed/relocs.c linux-2.6.24.4/arch/x86/boot/compressed/relocs.c
3304 ---- linux-2.6.24.4/arch/x86/boot/compressed/relocs.c 2008-03-24 14:49:18.000000000 -0400
3305 -+++ linux-2.6.24.4/arch/x86/boot/compressed/relocs.c 2008-03-26 17:56:55.000000000 -0400
3306 -@@ -10,9 +10,13 @@
3307 - #define USE_BSD
3308 - #include <endian.h>
3309 -
3310 -+#include "../../../../include/linux/autoconf.h"
3311 -+
3312 -+#define MAX_PHDRS 100
3313 - #define MAX_SHDRS 100
3314 - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
3315 - static Elf32_Ehdr ehdr;
3316 -+static Elf32_Phdr phdr[MAX_PHDRS];
3317 - static Elf32_Shdr shdr[MAX_SHDRS];
3318 - static Elf32_Sym *symtab[MAX_SHDRS];
3319 - static Elf32_Rel *reltab[MAX_SHDRS];
3320 -@@ -244,6 +248,34 @@ static void read_ehdr(FILE *fp)
3321 - }
3322 - }
3323 -
3324 -+static void read_phdrs(FILE *fp)
3325 -+{
3326 -+ int i;
3327 -+ if (ehdr.e_phnum > MAX_PHDRS) {
3328 -+ die("%d program headers supported: %d\n",
3329 -+ ehdr.e_phnum, MAX_PHDRS);
3330 -+ }
3331 -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
3332 -+ die("Seek to %d failed: %s\n",
3333 -+ ehdr.e_phoff, strerror(errno));
3334 -+ }
3335 -+ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
3336 -+ die("Cannot read ELF program headers: %s\n",
3337 -+ strerror(errno));
3338 -+ }
3339 -+ for(i = 0; i < ehdr.e_phnum; i++) {
3340 -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
3341 -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
3342 -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
3343 -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
3344 -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
3345 -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
3346 -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
3347 -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
3348 -+ }
3349 -+
3350 -+}
3351 -+
3352 - static void read_shdrs(FILE *fp)
3353 - {
3354 - int i;
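Review bot: the die() message in read_phdrs() prints its values in a confusing order: `"%d program headers supported: %d\n", ehdr.e_phnum, MAX_PHDRS` reads as if e_phnum were the limit. Reword to something like `"%d program headers found, only %d supported\n"`. Minor: `fread(&phdr, ...)` works because &phdr and phdr have the same address, but `phdr` is the idiomatic form, and there is a stray blank line before the closing brace.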
3355 -@@ -330,6 +362,8 @@ static void read_symtabs(FILE *fp)
3356 - static void read_relocs(FILE *fp)
3357 - {
3358 - int i,j;
3359 -+ uint32_t base;
3360 -+
3361 - for(i = 0; i < ehdr.e_shnum; i++) {
3362 - if (shdr[i].sh_type != SHT_REL) {
3363 - continue;
3364 -@@ -347,8 +381,17 @@ static void read_relocs(FILE *fp)
3365 - die("Cannot read symbol table: %s\n",
3366 - strerror(errno));
3367 - }
3368 -+ base = 0;
3369 -+ for (j = 0; j < ehdr.e_phnum; j++) {
3370 -+ if (phdr[j].p_type != PT_LOAD )
3371 -+ continue;
3372 -+ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
3373 -+ continue;
3374 -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
3375 -+ break;
3376 -+ }
3377 - for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
3378 -- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
3379 -+ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
3380 - reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
3381 - }
3382 - }
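Review bot: the segment test `sh_offset < p_offset || sh_offset > p_offset + p_filesz` treats a section whose sh_offset equals p_offset + p_filesz as inside the PT_LOAD segment, which the half-open range [p_offset, p_offset + p_filesz) excludes; use `>=` for the upper bound unless the intention is to catch NOBITS sections that start exactly at the end of the segment's file data, in which case say so in a comment. Also, `base` stays 0 when no PT_LOAD matches, which silently leaves r_offset unadjusted; a die() there would catch a malformed input early. Style nit: `PT_LOAD )` has a stray space.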
3383 -@@ -485,6 +528,27 @@ static void walk_relocs(void (*visit)(El
3384 - if (sym->st_shndx == SHN_ABS) {
3385 - continue;
3386 - }
3387 -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
3388 -+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
3389 -+ continue;
3390 -+ }
3391 -+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
3392 -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
3393 -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
3394 -+ continue;
3395 -+ }
3396 -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
3397 -+ continue;
3398 -+ }
3399 -+ if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
3400 -+ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
3401 -+ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
3402 -+ continue;
3403 -+ }
3404 -+ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
3405 -+ continue;
3406 -+ }
3407 -+#endif
3408 - if (r_type == R_386_PC32) {
3409 - /* PC relative relocations don't need to be adjusted */
3410 - }
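Review bot: the CONFIG_PAX_KERNEXEC block hard-codes section names (.init.text, .exit.text, .text.head, .text) and two symbols, __init_end and KERNEL_TEXT_OFFSET, that must still be relocated out of .text.head, but nothing explains why those two are exceptions; please add a comment stating what distinguishes them from the other .text.head symbols. Also `strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)` hard-codes the prefix length; `sizeof("__per_cpu_") - 1` keeps it in sync with the string.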
3411 -@@ -612,6 +676,7 @@ int main(int argc, char **argv)
3412 - fname, strerror(errno));
3413 - }
3414 - read_ehdr(fp);
3415 -+ read_phdrs(fp);
3416 - read_shdrs(fp);
3417 - read_strtabs(fp);
3418 - read_symtabs(fp);
3419 -diff -urNp linux-2.6.24.4/arch/x86/boot/cpucheck.c linux-2.6.24.4/arch/x86/boot/cpucheck.c
3420 ---- linux-2.6.24.4/arch/x86/boot/cpucheck.c 2008-03-24 14:49:18.000000000 -0400
3421 -+++ linux-2.6.24.4/arch/x86/boot/cpucheck.c 2008-03-26 17:56:55.000000000 -0400
3422 -@@ -84,7 +84,7 @@ static int has_fpu(void)
3423 - u16 fcw = -1, fsw = -1;
3424 - u32 cr0;
3425 -
3426 -- asm("movl %%cr0,%0" : "=r" (cr0));
3427 -+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
3428 - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
3429 - cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
3430 - asm volatile("movl %0,%%cr0" : : "r" (cr0));
3431 -@@ -100,7 +100,7 @@ static int has_eflag(u32 mask)
3432 - {
3433 - u32 f0, f1;
3434 -
3435 -- asm("pushfl ; "
3436 -+ asm volatile("pushfl ; "
3437 - "pushfl ; "
3438 - "popl %0 ; "
3439 - "movl %0,%1 ; "
3440 -@@ -125,7 +125,7 @@ static void get_flags(void)
3441 - set_bit(X86_FEATURE_FPU, cpu.flags);
3442 -
3443 - if (has_eflag(X86_EFLAGS_ID)) {
3444 -- asm("cpuid"
3445 -+ asm volatile("cpuid"
3446 - : "=a" (max_intel_level),
3447 - "=b" (cpu_vendor[0]),
3448 - "=d" (cpu_vendor[1]),
3449 -@@ -134,7 +134,7 @@ static void get_flags(void)
3450 -
3451 - if (max_intel_level >= 0x00000001 &&
3452 - max_intel_level <= 0x0000ffff) {
3453 -- asm("cpuid"
3454 -+ asm volatile("cpuid"
3455 - : "=a" (tfms),
3456 - "=c" (cpu.flags[4]),
3457 - "=d" (cpu.flags[0])
3458 -@@ -146,7 +146,7 @@ static void get_flags(void)
3459 - cpu.model += ((tfms >> 16) & 0xf) << 4;
3460 - }
3461 -
3462 -- asm("cpuid"
3463 -+ asm volatile("cpuid"
3464 - : "=a" (max_amd_level)
3465 - : "a" (0x80000000)
3466 - : "ebx", "ecx", "edx");
3467 -@@ -154,7 +154,7 @@ static void get_flags(void)
3468 - if (max_amd_level >= 0x80000001 &&
3469 - max_amd_level <= 0x8000ffff) {
3470 - u32 eax = 0x80000001;
3471 -- asm("cpuid"
3472 -+ asm volatile("cpuid"
3473 - : "+a" (eax),
3474 - "=c" (cpu.flags[6]),
3475 - "=d" (cpu.flags[1])
3476 -@@ -213,9 +213,9 @@ int check_cpu(int *cpu_level_ptr, int *r
3477 - u32 ecx = MSR_K7_HWCR;
3478 - u32 eax, edx;
3479 -
3480 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3481 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3482 - eax &= ~(1 << 15);
3483 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3484 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3485 -
3486 - get_flags(); /* Make sure it really did something */
3487 - err = check_flags();
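Review bot: the `asm volatile("wrmsr" ...)` changes are no-ops: an asm statement with no output operands is already treated as volatile by GCC, so only the `rdmsr` (which has outputs) gains anything from the qualifier. Harmless and consistent with the rest of the file, but worth knowing when weighing how much of this hunk is functional.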
3488 -@@ -228,9 +228,9 @@ int check_cpu(int *cpu_level_ptr, int *r
3489 - u32 ecx = MSR_VIA_FCR;
3490 - u32 eax, edx;
3491 -
3492 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3493 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3494 - eax |= (1<<1)|(1<<7);
3495 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3496 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3497 -
3498 - set_bit(X86_FEATURE_CX8, cpu.flags);
3499 - err = check_flags();
3500 -@@ -241,12 +241,12 @@ int check_cpu(int *cpu_level_ptr, int *r
3501 - u32 eax, edx;
3502 - u32 level = 1;
3503 -
3504 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3505 -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
3506 -- asm("cpuid"
3507 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
3508 -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
3509 -+ asm volatile("cpuid"
3510 - : "+a" (level), "=d" (cpu.flags[0])
3511 - : : "ecx", "ebx");
3512 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3513 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
3514 -
3515 - err = check_flags();
3516 - }
3517 -diff -urNp linux-2.6.24.4/arch/x86/boot/edd.c linux-2.6.24.4/arch/x86/boot/edd.c
3518 ---- linux-2.6.24.4/arch/x86/boot/edd.c 2008-03-24 14:49:18.000000000 -0400
3519 -+++ linux-2.6.24.4/arch/x86/boot/edd.c 2008-03-26 17:56:55.000000000 -0400
3520 -@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
3521 - ax = 0x4100;
3522 - bx = EDDMAGIC1;
3523 - dx = devno;
3524 -- asm("pushfl; stc; int $0x13; setc %%al; popfl"
3525 -+ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
3526 - : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
3527 - : : "esi", "edi");
3528 -
3529 -@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
3530 - ei->params.length = sizeof(ei->params);
3531 - ax = 0x4800;
3532 - dx = devno;
3533 -- asm("pushfl; int $0x13; popfl"
3534 -+ asm volatile("pushfl; int $0x13; popfl"
3535 - : "+a" (ax), "+d" (dx), "=m" (ei->params)
3536 - : "S" (&ei->params)
3537 - : "ebx", "ecx", "edi");
3538 -@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
3539 - ax = 0x0800;
3540 - dx = devno;
3541 - di = 0;
3542 -- asm("pushw %%es; "
3543 -+ asm volatile("pushw %%es; "
3544 - "movw %%di,%%es; "
3545 - "pushfl; stc; int $0x13; setc %%al; popfl; "
3546 - "popw %%es"
3547 -diff -urNp linux-2.6.24.4/arch/x86/boot/main.c linux-2.6.24.4/arch/x86/boot/main.c
3548 ---- linux-2.6.24.4/arch/x86/boot/main.c 2008-03-24 14:49:18.000000000 -0400
3549 -+++ linux-2.6.24.4/arch/x86/boot/main.c 2008-03-26 17:56:55.000000000 -0400
3550 -@@ -75,7 +75,7 @@ static void keyboard_set_repeat(void)
3551 - */
3552 - static void query_ist(void)
3553 - {
3554 -- asm("int $0x15"
3555 -+ asm volatile("int $0x15"
3556 - : "=a" (boot_params.ist_info.signature),
3557 - "=b" (boot_params.ist_info.command),
3558 - "=c" (boot_params.ist_info.event),
3559 -diff -urNp linux-2.6.24.4/arch/x86/boot/mca.c linux-2.6.24.4/arch/x86/boot/mca.c
3560 ---- linux-2.6.24.4/arch/x86/boot/mca.c 2008-03-24 14:49:18.000000000 -0400
3561 -+++ linux-2.6.24.4/arch/x86/boot/mca.c 2008-03-26 17:56:55.000000000 -0400
3562 -@@ -21,7 +21,7 @@ int query_mca(void)
3563 - u8 err;
3564 - u16 es, bx, len;
3565 -
3566 -- asm("pushw %%es ; "
3567 -+ asm volatile("pushw %%es ; "
3568 - "int $0x15 ; "
3569 - "setc %0 ; "
3570 - "movw %%es, %1 ; "
3571 -diff -urNp linux-2.6.24.4/arch/x86/boot/memory.c linux-2.6.24.4/arch/x86/boot/memory.c
3572 ---- linux-2.6.24.4/arch/x86/boot/memory.c 2008-03-24 14:49:18.000000000 -0400
3573 -+++ linux-2.6.24.4/arch/x86/boot/memory.c 2008-03-26 17:56:55.000000000 -0400
3574 -@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
3575 - /* Important: %edx is clobbered by some BIOSes,
3576 - so it must be either used for the error output
3577 - or explicitly marked clobbered. */
3578 -- asm("int $0x15; setc %0"
3579 -+ asm volatile("int $0x15; setc %0"
3580 - : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
3581 - "=m" (*desc)
3582 - : "D" (desc), "d" (SMAP), "a" (0xe820));
3583 -@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
3584 -
3585 - bx = cx = dx = 0;
3586 - ax = 0xe801;
3587 -- asm("stc; int $0x15; setc %0"
3588 -+ asm volatile("stc; int $0x15; setc %0"
3589 - : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
3590 -
3591 - if (err)
3592 -@@ -94,7 +94,7 @@ static int detect_memory_88(void)
3593 - u8 err;
3594 -
3595 - ax = 0x8800;
3596 -- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
3597 -+ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
3598 -
3599 - boot_params.screen_info.ext_mem_k = ax;
3600 -
3601 -diff -urNp linux-2.6.24.4/arch/x86/boot/video.c linux-2.6.24.4/arch/x86/boot/video.c
3602 ---- linux-2.6.24.4/arch/x86/boot/video.c 2008-03-24 14:49:18.000000000 -0400
3603 -+++ linux-2.6.24.4/arch/x86/boot/video.c 2008-03-26 17:56:55.000000000 -0400
3604 -@@ -40,7 +40,7 @@ static void store_cursor_position(void)
3605 -
3606 - ax = 0x0300;
3607 - bx = 0;
3608 -- asm(INT10
3609 -+ asm volatile(INT10
3610 - : "=d" (curpos), "+a" (ax), "+b" (bx)
3611 - : : "ecx", "esi", "edi");
3612 -
3613 -@@ -55,7 +55,7 @@ static void store_video_mode(void)
3614 - /* N.B.: the saving of the video page here is a bit silly,
3615 - since we pretty much assume page 0 everywhere. */
3616 - ax = 0x0f00;
3617 -- asm(INT10
3618 -+ asm volatile(INT10
3619 - : "+a" (ax), "=b" (page)
3620 - : : "ecx", "edx", "esi", "edi");
3621 -
3622 -diff -urNp linux-2.6.24.4/arch/x86/boot/video-vesa.c linux-2.6.24.4/arch/x86/boot/video-vesa.c
3623 ---- linux-2.6.24.4/arch/x86/boot/video-vesa.c 2008-03-24 14:49:18.000000000 -0400
3624 -+++ linux-2.6.24.4/arch/x86/boot/video-vesa.c 2008-03-26 17:56:55.000000000 -0400
3625 -@@ -41,7 +41,7 @@ static int vesa_probe(void)
3626 -
3627 - ax = 0x4f00;
3628 - di = (size_t)&vginfo;
3629 -- asm(INT10
3630 -+ asm volatile(INT10
3631 - : "+a" (ax), "+D" (di), "=m" (vginfo)
3632 - : : "ebx", "ecx", "edx", "esi");
3633 -
3634 -@@ -68,7 +68,7 @@ static int vesa_probe(void)
3635 - ax = 0x4f01;
3636 - cx = mode;
3637 - di = (size_t)&vminfo;
3638 -- asm(INT10
3639 -+ asm volatile(INT10
3640 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
3641 - : : "ebx", "edx", "esi");
3642 -
3643 -@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
3644 - ax = 0x4f01;
3645 - cx = vesa_mode;
3646 - di = (size_t)&vminfo;
3647 -- asm(INT10
3648 -+ asm volatile(INT10
3649 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
3650 - : : "ebx", "edx", "esi");
3651 -
3652 -@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
3653 - /* Save the VESA protected mode info */
3654 - static void vesa_store_pm_info(void)
3655 - {
3656 -- u16 ax, bx, di, es;
3657 -+ u16 ax, bx, cx, di, es;
3658 -
3659 - ax = 0x4f0a;
3660 -- bx = di = 0;
3661 -- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
3662 -- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
3663 -- : : "ecx", "esi");
3664 -+ bx = cx = di = 0;
3665 -+ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
3666 -+ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
3667 -+ : : "esi");
3668 -
3669 - if (ax != 0x004f)
3670 - return;
3671 -
3672 - boot_params.screen_info.vesapm_seg = es;
3673 - boot_params.screen_info.vesapm_off = di;
3674 -+ boot_params.screen_info.vesapm_size = cx;
3675 - }
3676 -
3677 - /*
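Review bot: this hunk changes behaviour rather than only adding `volatile`, so it deserves a separate mention: `cx` becomes an in/out operand (`"+c" (cx)`), `"ecx"` is correctly dropped from the clobber list (an operand register cannot also be listed as a clobber), and the result is stored in `boot_params.screen_info.vesapm_size`. That field does not appear anywhere in this file's context, so confirm the matching `struct screen_info` hunk is part of the same patch; otherwise this does not compile.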
3678 -@@ -259,7 +260,7 @@ void vesa_store_edid(void)
3679 - /* Note: The VBE DDC spec is different from the main VESA spec;
3680 - we genuinely have to assume all registers are destroyed here. */
3681 -
3682 -- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
3683 -+ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
3684 - : "+a" (ax), "+b" (bx)
3685 - : "c" (cx), "D" (di)
3686 - : "esi");
3687 -@@ -275,7 +276,7 @@ void vesa_store_edid(void)
3688 - cx = 0; /* Controller 0 */
3689 - dx = 0; /* EDID block number */
3690 - di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
3691 -- asm(INT10
3692 -+ asm volatile(INT10
3693 - : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
3694 - : "c" (cx), "D" (di)
3695 - : "esi");
3696 -diff -urNp linux-2.6.24.4/arch/x86/boot/video-vga.c linux-2.6.24.4/arch/x86/boot/video-vga.c
3697 ---- linux-2.6.24.4/arch/x86/boot/video-vga.c 2008-03-24 14:49:18.000000000 -0400
3698 -+++ linux-2.6.24.4/arch/x86/boot/video-vga.c 2008-03-26 17:56:55.000000000 -0400
3699 -@@ -225,7 +225,7 @@ static int vga_probe(void)
3700 - };
3701 - u8 vga_flag;
3702 -
3703 -- asm(INT10
3704 -+ asm volatile(INT10
3705 - : "=b" (boot_params.screen_info.orig_video_ega_bx)
3706 - : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
3707 - : "ecx", "edx", "esi", "edi");
3708 -@@ -233,7 +233,7 @@ static int vga_probe(void)
3709 - /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
3710 - if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
3711 - /* EGA/VGA */
3712 -- asm(INT10
3713 -+ asm volatile(INT10
3714 - : "=a" (vga_flag)
3715 - : "a" (0x1a00)
3716 - : "ebx", "ecx", "edx", "esi", "edi");
3717 -diff -urNp linux-2.6.24.4/arch/x86/boot/voyager.c linux-2.6.24.4/arch/x86/boot/voyager.c
3718 ---- linux-2.6.24.4/arch/x86/boot/voyager.c 2008-03-24 14:49:18.000000000 -0400
3719 -+++ linux-2.6.24.4/arch/x86/boot/voyager.c 2008-03-26 17:56:55.000000000 -0400
3720 -@@ -27,7 +27,7 @@ int query_voyager(void)
3721 -
3722 - data_ptr[0] = 0xff; /* Flag on config not found(?) */
3723 -
3724 -- asm("pushw %%es ; "
3725 -+ asm volatile("pushw %%es ; "
3726 - "int $0x15 ; "
3727 - "setc %0 ; "
3728 - "movw %%es, %1 ; "
3729 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c
3730 ---- linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c 2008-03-24 14:49:18.000000000 -0400
3731 -+++ linux-2.6.24.4/arch/x86/ia32/ia32_binfmt.c 2008-03-26 17:56:55.000000000 -0400
3732 -@@ -47,12 +47,12 @@
3733 - #define AT_SYSINFO 32
3734 - #define AT_SYSINFO_EHDR 33
3735 -
3736 --int sysctl_vsyscall32 = 1;
3737 -+int sysctl_vsyscall32;
3738 -
3739 - #undef ARCH_DLINFO
3740 - #define ARCH_DLINFO do { \
3741 - if (sysctl_vsyscall32) { \
3742 -- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
3743 -+ current->mm->context.vdso = VSYSCALL32_BASE; \
3744 - NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
3745 - NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
3746 - } \
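Review bot: the change from `int sysctl_vsyscall32 = 1;` to `int sysctl_vsyscall32;` flips the default so the 32-bit compat vsyscall page is not mapped unless the sysctl exposed through `abi_table2` is enabled. Since that page lives at the fixed `VSYSCALL32_BASE` address, this is a security-relevant default (it removes a non-randomised mapping from every compat task) and should be called out in the patch description. Separately, dropping the `(void *)` cast in `current->mm->context.vdso = VSYSCALL32_BASE;` only compiles if the type of `context.vdso` was changed in a header hunk not visible here; verify that hunk is present.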
3747 -@@ -66,6 +66,17 @@ struct file;
3748 -
3749 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
3750 -
3751 -+#ifdef CONFIG_PAX_ASLR
3752 -+#undef PAX_ELF_ET_DYN_BASE
3753 -+#undef PAX_DELTA_MMAP_LEN
3754 -+#undef PAX_DELTA_STACK_LEN
3755 -+
3756 -+#define PAX_ELF_ET_DYN_BASE 0x08048000UL
3757 -+
3758 -+#define PAX_DELTA_MMAP_LEN 16
3759 -+#define PAX_DELTA_STACK_LEN 16
3760 -+#endif
3761 -+
3762 - #define jiffies_to_timeval(a,b) do { (b)->tv_usec = 0; (b)->tv_sec = (a)/HZ; }while(0)
3763 -
3764 - #define _GET_SEG(x) \
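Review bot: the `#undef`/`#define` pairs silently override the arch-wide `PAX_ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` for 32-bit compat tasks without giving a reason. Add a comment stating that a compat task has a 32-bit address space, so the ET_DYN base is set to the classic i386 load address `0x08048000` and both randomisation widths are capped at 16 bits; without it a later reader cannot tell whether 16 is a deliberate choice or copy-paste residue.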
3765 -@@ -263,7 +274,7 @@ static ctl_table abi_table2[] = {
3766 - .mode = 0644,
3767 - .proc_handler = proc_dointvec
3768 - },
3769 -- {}
3770 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
3771 - };
3772 -
3773 - static ctl_table abi_root_table2[] = {
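Review bot: replacing the `{}` sentinel with the positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` (here and in `abi_root_table2` in the next hunk) is brittle: it hard-codes the member count and order of `ctl_table`, so any change to that struct breaks or silently misaligns the terminator, whereas `{}` zero-fills regardless of layout. If the goal is to avoid a missing-field-initializers warning, a designated initializer such as `{ .ctl_name = 0 }` achieves that without the fragility.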
3774 -@@ -273,7 +284,7 @@ static ctl_table abi_root_table2[] = {
3775 - .mode = 0555,
3776 - .child = abi_table2
3777 - },
3778 -- {}
3779 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
3780 - };
3781 -
3782 - static __init int ia32_binfmt_init(void)
3783 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ia32_signal.c linux-2.6.24.4/arch/x86/ia32/ia32_signal.c
3784 ---- linux-2.6.24.4/arch/x86/ia32/ia32_signal.c 2008-03-24 14:49:18.000000000 -0400
3785 -+++ linux-2.6.24.4/arch/x86/ia32/ia32_signal.c 2008-03-26 17:56:55.000000000 -0400
3786 -@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
3787 - __NR_ia32_rt_sigreturn,
3788 - 0x80cd,
3789 - 0,
3790 -+ 0
3791 - };
3792 - err |= __copy_to_user(frame->retcode, &code, 8);
3793 - }
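Review bot: the added trailing `0` completes the initializer of `code`, which is then copied with `__copy_to_user(frame->retcode, &code, 8)`; the literal `8` has to stay equal to `sizeof(code)` and nothing in the hunk ties the two together. Use `sizeof(code)` here, and a `BUILD_BUG_ON` against the size of `frame->retcode`, so that a future change to the initializer cannot silently under- or over-copy.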
3794 -diff -urNp linux-2.6.24.4/arch/x86/ia32/mmap32.c linux-2.6.24.4/arch/x86/ia32/mmap32.c
3795 ---- linux-2.6.24.4/arch/x86/ia32/mmap32.c 2008-03-24 14:49:18.000000000 -0400
3796 -+++ linux-2.6.24.4/arch/x86/ia32/mmap32.c 2008-03-26 17:56:55.000000000 -0400
3797 -@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
3798 - (current->personality & ADDR_COMPAT_LAYOUT) ||
3799 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
3800 - mm->mmap_base = TASK_UNMAPPED_BASE;
3801 -+
3802 -+#ifdef CONFIG_PAX_RANDMMAP
3803 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3804 -+ mm->mmap_base += mm->delta_mmap;
3805 -+#endif
3806 -+
3807 - mm->get_unmapped_area = arch_get_unmapped_area;
3808 - mm->unmap_area = arch_unmap_area;
3809 - } else {
3810 - mm->mmap_base = mmap_base(mm);
3811 -+
3812 -+#ifdef CONFIG_PAX_RANDMMAP
3813 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3814 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3815 -+#endif
3816 -+
3817 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3818 - mm->unmap_area = arch_unmap_area_topdown;
3819 - }
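Review bot: the two `CONFIG_PAX_RANDMMAP` blocks are asymmetric (the legacy layout adds `mm->delta_mmap` to `TASK_UNMAPPED_BASE`, the top-down layout subtracts `mm->delta_mmap + mm->delta_stack` from `mmap_base(mm)`) and neither carries a comment. Add one explaining that in the top-down case the base must also be lowered by the stack delta so the randomised stack gap and the mmap area cannot overlap, and confirm that the combined subtraction still leaves `mm->mmap_base` above the low region where compat ET_DYN binaries are loaded.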
3820 -diff -urNp linux-2.6.24.4/arch/x86/ia32/ptrace32.c linux-2.6.24.4/arch/x86/ia32/ptrace32.c
3821 ---- linux-2.6.24.4/arch/x86/ia32/ptrace32.c 2008-03-24 14:49:18.000000000 -0400
3822 -+++ linux-2.6.24.4/arch/x86/ia32/ptrace32.c 2008-03-26 17:56:55.000000000 -0400
3823 -@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
3824 - /* no checking to be bug-to-bug compatible with i386. */
3825 - /* but silence warning */
3826 - if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
3827 -- ;
3828 -+ {}
3829 - set_stopped_child_used_math(child);
3830 - child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
3831 - ret = 0;
3832 -diff -urNp linux-2.6.24.4/arch/x86/ia32/syscall32.c linux-2.6.24.4/arch/x86/ia32/syscall32.c
3833 ---- linux-2.6.24.4/arch/x86/ia32/syscall32.c 2008-03-24 14:49:18.000000000 -0400
3834 -+++ linux-2.6.24.4/arch/x86/ia32/syscall32.c 2008-03-26 17:56:55.000000000 -0400
3835 -@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
3836 - struct mm_struct *mm = current->mm;
3837 - int ret;
3838 -
3839 -+ if (!sysctl_vsyscall32)
3840 -+ return 0;
3841 -+
3842 - down_write(&mm->mmap_sem);
3843 - /*
3844 - * MAYWRITE to allow gdb to COW and set breakpoints
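Review bot: this early return is the second half of the `sysctl_vsyscall32` default change in `ia32_binfmt.c`: when the sysctl is off the vsyscall pages are never mapped, and `ARCH_DLINFO` in that file likewise skips the `AT_SYSINFO`/`AT_SYSINFO_EHDR` entries. The two sites read the sysctl independently, though, so a toggle between `syscall32_setup_pages()` and the aux-vector construction of the same exec could advertise a vsyscall page that was never mapped; consider sampling the value once per exec, or note why the race is acceptable.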
3845 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig linux-2.6.24.4/arch/x86/Kconfig
3846 ---- linux-2.6.24.4/arch/x86/Kconfig 2008-03-24 14:49:18.000000000 -0400
3847 -+++ linux-2.6.24.4/arch/x86/Kconfig 2008-03-26 17:56:55.000000000 -0400
3848 -@@ -792,7 +792,7 @@ config PAGE_OFFSET
3849 - hex
3850 - default 0xB0000000 if VMSPLIT_3G_OPT
3851 - default 0x80000000 if VMSPLIT_2G
3852 -- default 0x78000000 if VMSPLIT_2G_OPT
3853 -+ default 0x70000000 if VMSPLIT_2G_OPT
3854 - default 0x40000000 if VMSPLIT_1G
3855 - default 0xC0000000
3856 - depends on X86_32
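Review bot: lowering the `VMSPLIT_2G_OPT` default from `0x78000000` to `0x70000000` changes the user/kernel split for everyone selecting that option, yet the hunk gives no reason and the option's help text is not touched. State in the Kconfig help, or in a comment on the `default` line, why the PaX configuration needs the lower boundary so that users who see a smaller user address space understand it is deliberate.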
3857 -@@ -1096,8 +1096,7 @@ config CRASH_DUMP
3858 - config PHYSICAL_START
3859 - hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
3860 - default "0x1000000" if X86_NUMAQ
3861 -- default "0x200000" if X86_64
3862 -- default "0x100000"
3863 -+ default "0x200000"
3864 - help
3865 - This gives the physical address where the kernel is loaded.
3866 -
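Review bot: deleting `default "0x200000" if X86_64` together with `default "0x100000"` makes 2 MB the load address for 32-bit kernels too, which is a visible change for boot loaders and for the `CRASH_DUMP` users this option is exposed to. The help text below still only says the value is the physical load address; add a sentence explaining the new 32-bit default (for example, if the intent is 2 MB alignment so the kernel image can be mapped with large pages).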
3867 -@@ -1190,8 +1189,8 @@ config HOTPLUG_CPU
3868 -
3869 - config COMPAT_VDSO
3870 - bool "Compat VDSO support"
3871 -- default y
3872 -- depends on X86_32
3873 -+ default n
3874 -+ depends on X86_32 && !PAX_NOEXEC
3875 - help
3876 - Map the VDSO to the predictable old-style address too.
3877 - ---help---
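Review bot: `default n` and the new `depends on X86_32 && !PAX_NOEXEC` point the right way, since the help text itself says this option maps the VDSO at a predictable old-style address, which is exactly what address randomisation is meant to remove; but hiding the option under PAX_NOEXEC means an existing `.config` with `COMPAT_VDSO=y` loses it silently on `oldconfig`. A sentence in the help text about the PAX_NOEXEC interaction would spare users a confusing search.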
3878 -@@ -1387,7 +1386,7 @@ config PCI
3879 - choice
3880 - prompt "PCI access mode"
3881 - depends on X86_32 && PCI && !X86_VISWS
3882 -- default PCI_GOANY
3883 -+ default PCI_GODIRECT
3884 - ---help---
3885 - On PCI systems, the BIOS can be used to detect the PCI devices and
3886 - determine their configuration. However, some old PCI motherboards
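Review bot: switching the `PCI access mode` default from `PCI_GOANY` to `PCI_GODIRECT` drops the BIOS-based configuration access path from the default build, while the help text immediately below still presents the BIOS path as the fallback for old motherboards. Either adjust the help or document why a hardened kernel should avoid calling firmware for PCI config access; users of the older boards the help mentions will have to select `PCI_GOANY` or `PCI_GOBIOS` explicitly.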
3887 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig.cpu linux-2.6.24.4/arch/x86/Kconfig.cpu
3888 ---- linux-2.6.24.4/arch/x86/Kconfig.cpu 2008-03-24 14:49:18.000000000 -0400
3889 -+++ linux-2.6.24.4/arch/x86/Kconfig.cpu 2008-03-26 17:56:55.000000000 -0400
3890 -@@ -328,7 +328,7 @@ config X86_PPRO_FENCE
3891 -
3892 - config X86_F00F_BUG
3893 - bool
3894 -- depends on M586MMX || M586TSC || M586 || M486 || M386
3895 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
3896 - default y
3897 -
3898 - config X86_WP_WORKS_OK
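Review bot: gating `X86_F00F_BUG` on `!PAX_KERNEXEC` drops the F00F workaround on the affected Pentium models whenever KERNEXEC is enabled, with no reason given. The `trap_init_f00f_bug()` hunk in `arch/x86/kernel/cpu/intel.c` shows the workaround relies on a read-only fixmap alias of the IDT; if KERNEXEC already keeps the IDT read-only, making that alias redundant, say so in a Kconfig comment, otherwise owners of such CPUs lose a lockup mitigation without notice.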
3899 -@@ -353,7 +353,7 @@ config X86_POPAD_OK
3900 -
3901 - config X86_ALIGNMENT_16
3902 - bool
3903 -- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
3904 -+ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
3905 - default y
3906 -
3907 - config X86_GOOD_APIC
3908 -diff -urNp linux-2.6.24.4/arch/x86/Kconfig.debug linux-2.6.24.4/arch/x86/Kconfig.debug
3909 ---- linux-2.6.24.4/arch/x86/Kconfig.debug 2008-03-24 14:49:18.000000000 -0400
3910 -+++ linux-2.6.24.4/arch/x86/Kconfig.debug 2008-03-26 17:56:55.000000000 -0400
3911 -@@ -49,7 +49,7 @@ config DEBUG_PAGEALLOC
3912 -
3913 - config DEBUG_RODATA
3914 - bool "Write protect kernel read-only data structures"
3915 -- depends on DEBUG_KERNEL
3916 -+ depends on DEBUG_KERNEL && BROKEN
3917 - help
3918 - Mark the kernel read-only data as write-protected in the pagetables,
3919 - in order to catch accidental (and incorrect) writes to such const
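Review bot: adding `&& BROKEN` to `DEBUG_RODATA` removes the option from every normal configuration without explanation. If the intent is that PaX KERNEXEC supersedes or conflicts with it, make the dependency say so (`depends on DEBUG_KERNEL && !PAX_KERNEXEC`) and add a sentence to the help text; `BROKEN` signals an unmaintained feature, not a deliberate replacement, and will mislead anyone auditing the hardened config.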
3920 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/boot.c linux-2.6.24.4/arch/x86/kernel/acpi/boot.c
3921 ---- linux-2.6.24.4/arch/x86/kernel/acpi/boot.c 2008-03-24 14:49:18.000000000 -0400
3922 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/boot.c 2008-03-26 17:56:55.000000000 -0400
3923 -@@ -1155,7 +1155,7 @@ static struct dmi_system_id __initdata a
3924 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
3925 - },
3926 - },
3927 -- {}
3928 -+ { NULL, NULL, {{0, NULL}}, NULL}
3929 - };
3930 -
3931 - #endif /* __i386__ */
3932 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c
3933 ---- linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c 2008-03-24 14:49:18.000000000 -0400
3934 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/sleep_32.c 2008-03-26 17:56:55.000000000 -0400
3935 -@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
3936 - DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
3937 - },
3938 - },
3939 -- {}
3940 -+ { NULL, NULL, {{0, NULL}}, NULL}
3941 - };
3942 -
3943 - static int __init acpisleep_dmi_init(void)
3944 -diff -urNp linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S
3945 ---- linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S 2008-03-24 14:49:18.000000000 -0400
3946 -+++ linux-2.6.24.4/arch/x86/kernel/acpi/wakeup_32.S 2008-03-26 17:56:55.000000000 -0400
3947 -@@ -2,6 +2,7 @@
3948 - #include <linux/linkage.h>
3949 - #include <asm/segment.h>
3950 - #include <asm/page.h>
3951 -+#include <asm/msr-index.h>
3952 -
3953 - #
3954 - # wakeup_code runs in real mode, and at unknown address (determined at run-time).
3955 -@@ -79,7 +80,7 @@ wakeup_code:
3956 - # restore efer setting
3957 - movl real_save_efer_edx - wakeup_code, %edx
3958 - movl real_save_efer_eax - wakeup_code, %eax
3959 -- mov $0xc0000080, %ecx
3960 -+ mov $MSR_EFER, %ecx
3961 - wrmsr
3962 - 4:
3963 - # make sure %cr4 is set correctly (features, etc)
3964 -@@ -196,13 +197,11 @@ wakeup_pmode_return:
3965 - # and restore the stack ... but you need gdt for this to work
3966 - movl saved_context_esp, %esp
3967 -
3968 -- movl %cs:saved_magic, %eax
3969 -- cmpl $0x12345678, %eax
3970 -+ cmpl $0x12345678, saved_magic
3971 - jne bogus_magic
3972 -
3973 - # jump to place where we left off
3974 -- movl saved_eip,%eax
3975 -- jmp *%eax
3976 -+ jmp *(saved_eip)
3977 -
3978 - bogus_magic:
3979 - jmp bogus_magic
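Review bot: rewriting `movl %cs:saved_magic, %eax; cmpl $0x12345678, %eax` as `cmpl $0x12345678, saved_magic` drops the explicit `%cs` override, so the magic check now reads through `%ds`. The surrounding comment only says the GDT must already be restored here; confirm that `%ds` is reloaded with a flat kernel data selector before this point, otherwise the compare goes through a stale real-mode segment. The same applies to `jmp *(saved_eip)`, which now fetches the saved EIP through `%ds` instead of loading it into `%eax` first.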
3980 -@@ -233,7 +232,7 @@ ENTRY(acpi_copy_wakeup_routine)
3981 - # save efer setting
3982 - pushl %eax
3983 - movl %eax, %ebx
3984 -- mov $0xc0000080, %ecx
3985 -+ mov $MSR_EFER, %ecx
3986 - rdmsr
3987 - movl %edx, real_save_efer_edx - wakeup_start (%ebx)
3988 - movl %eax, real_save_efer_eax - wakeup_start (%ebx)
3989 -diff -urNp linux-2.6.24.4/arch/x86/kernel/alternative.c linux-2.6.24.4/arch/x86/kernel/alternative.c
3990 ---- linux-2.6.24.4/arch/x86/kernel/alternative.c 2008-03-24 14:49:18.000000000 -0400
3991 -+++ linux-2.6.24.4/arch/x86/kernel/alternative.c 2008-03-26 17:56:55.000000000 -0400
3992 -@@ -389,7 +389,7 @@ void apply_paravirt(struct paravirt_patc
3993 -
3994 - BUG_ON(p->len > MAX_PATCH_LEN);
3995 - /* prep the buffer with the original instructions */
3996 -- memcpy(insnbuf, p->instr, p->len);
3997 -+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
3998 - used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
3999 - (unsigned long)p->instr, p->len);
4000 -
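Review bot: fetching the original instruction bytes through `ktla_ktva(p->instr)` while still passing the untranslated `(unsigned long)p->instr` to `pv_init_ops.patch()` is correct only if the patcher needs the execution address for relative displacements while the bytes must be read via the writable kernel alias; add a one-line comment saying so, because two different addresses for the same patch site look like a mistake without it.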
4001 -@@ -467,7 +467,19 @@ void __init alternative_instructions(voi
4002 - */
4003 - void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
4004 - {
4005 -- memcpy(addr, opcode, len);
4006 -+
4007 -+#ifdef CONFIG_PAX_KERNEXEC
4008 -+ unsigned long cr0;
4009 -+
4010 -+ pax_open_kernel(cr0);
4011 -+#endif
4012 -+
4013 -+ memcpy(ktla_ktva(addr), opcode, len);
4014 -+
4015 -+#ifdef CONFIG_PAX_KERNEXEC
4016 -+ pax_close_kernel(cr0);
4017 -+#endif
4018 -+
4019 - sync_core();
4020 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
4021 - that causes hangs on some VIA CPUs. */
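Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair around the `memcpy()` opens a window in which kernel text is writable on this CPU, and the hunk does not show whether those macros also disable preemption and interrupts. If they do not, a preemption or interrupt handler running inside the window executes with write protection off; confirm the macro definitions (or text_poke's callers) guarantee an atomic window, and keep `sync_core()` after the close as the hunk does.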
4022 -diff -urNp linux-2.6.24.4/arch/x86/kernel/apm_32.c linux-2.6.24.4/arch/x86/kernel/apm_32.c
4023 ---- linux-2.6.24.4/arch/x86/kernel/apm_32.c 2008-03-24 14:49:18.000000000 -0400
4024 -+++ linux-2.6.24.4/arch/x86/kernel/apm_32.c 2008-03-26 17:56:55.000000000 -0400
4025 -@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
4026 - static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
4027 - static struct apm_user * user_list;
4028 - static DEFINE_SPINLOCK(user_list_lock);
4029 --static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
4030 -+static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
4031 -
4032 - static const char driver_version[] = "1.16ac"; /* no spaces */
4033 -
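Review bot: changing the descriptor's high dword from `0x00409200` to `0x00409300` sets the Accessed bit in the access byte (type 0011 instead of 0010) and deserves a comment: with Accessed pre-set the CPU never has to write the descriptor when the segment is loaded, which is what allows the GDT to sit in read-only memory under KERNEXEC. Without the comment the one-nibble change reads like a typo.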
4034 -@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
4035 - struct desc_struct save_desc_40;
4036 - struct desc_struct *gdt;
4037 -
4038 -+#ifdef CONFIG_PAX_KERNEXEC
4039 -+ unsigned long cr0;
4040 -+#endif
4041 -+
4042 - cpus = apm_save_cpus();
4043 -
4044 - cpu = get_cpu();
4045 - gdt = get_cpu_gdt_table(cpu);
4046 - save_desc_40 = gdt[0x40 / 8];
4047 -+
4048 -+#ifdef CONFIG_PAX_KERNEXEC
4049 -+ pax_open_kernel(cr0);
4050 -+#endif
4051 -+
4052 - gdt[0x40 / 8] = bad_bios_desc;
4053 -
4054 -+#ifdef CONFIG_PAX_KERNEXEC
4055 -+ pax_close_kernel(cr0);
4056 -+#endif
4057 -+
4058 - apm_irq_save(flags);
4059 - APM_DO_SAVE_SEGS;
4060 - apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
4061 - APM_DO_RESTORE_SEGS;
4062 - apm_irq_restore(flags);
4063 -+
4064 -+#ifdef CONFIG_PAX_KERNEXEC
4065 -+ pax_open_kernel(cr0);
4066 -+#endif
4067 -+
4068 - gdt[0x40 / 8] = save_desc_40;
4069 -+
4070 -+#ifdef CONFIG_PAX_KERNEXEC
4071 -+ pax_close_kernel(cr0);
4072 -+#endif
4073 -+
4074 - put_cpu();
4075 - apm_restore_cpus(cpus);
4076 -
4077 -@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
4078 - struct desc_struct save_desc_40;
4079 - struct desc_struct *gdt;
4080 -
4081 -+#ifdef CONFIG_PAX_KERNEXEC
4082 -+ unsigned long cr0;
4083 -+#endif
4084 -+
4085 - cpus = apm_save_cpus();
4086 -
4087 - cpu = get_cpu();
4088 - gdt = get_cpu_gdt_table(cpu);
4089 - save_desc_40 = gdt[0x40 / 8];
4090 -+
4091 -+#ifdef CONFIG_PAX_KERNEXEC
4092 -+ pax_open_kernel(cr0);
4093 -+#endif
4094 -+
4095 - gdt[0x40 / 8] = bad_bios_desc;
4096 -
4097 -+#ifdef CONFIG_PAX_KERNEXEC
4098 -+ pax_close_kernel(cr0);
4099 -+#endif
4100 -+
4101 - apm_irq_save(flags);
4102 - APM_DO_SAVE_SEGS;
4103 - error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
4104 - APM_DO_RESTORE_SEGS;
4105 - apm_irq_restore(flags);
4106 -+
4107 -+#ifdef CONFIG_PAX_KERNEXEC
4108 -+ pax_open_kernel(cr0);
4109 -+#endif
4110 -+
4111 - gdt[0x40 / 8] = save_desc_40;
4112 -+
4113 -+#ifdef CONFIG_PAX_KERNEXEC
4114 -+ pax_close_kernel(cr0);
4115 -+#endif
4116 -+
4117 - put_cpu();
4118 - apm_restore_cpus(cpus);
4119 - return error;
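Review bot: the four `#ifdef CONFIG_PAX_KERNEXEC` blocks in this function duplicate, line for line, the ones added to `apm_bios_call()` in the previous hunk. Factor the guarded GDT write into a small static helper (taking `gdt` and the descriptor, doing open/write/close) so the WP-toggle sequence exists once and a future fix does not have to be applied in two places; it would also bring both functions back to a readable length.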
4120 -@@ -924,7 +970,7 @@ recalc:
4121 -
4122 - static void apm_power_off(void)
4123 - {
4124 -- unsigned char po_bios_call[] = {
4125 -+ const unsigned char po_bios_call[] = {
4126 - 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
4127 - 0x8e, 0xd0, /* movw ax,ss */
4128 - 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
4129 -@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
4130 - static struct miscdevice apm_device = {
4131 - APM_MINOR_DEV,
4132 - "apm_bios",
4133 -- &apm_bios_fops
4134 -+ &apm_bios_fops,
4135 -+ {NULL, NULL},
4136 -+ NULL,
4137 -+ NULL
4138 - };
4139 -
4140 -
4141 -@@ -2177,7 +2226,7 @@ static struct dmi_system_id __initdata a
4142 - { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
4143 - },
4144 -
4145 -- { }
4146 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
4147 - };
4148 -
4149 - /*
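Review bot: the sentinel spelled here as `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` differs from the one used for the same `struct dmi_system_id` in `arch/x86/kernel/acpi/boot.c` and `acpi/sleep_32.c` earlier in this patch (`{ NULL, NULL, {{0, NULL}}, NULL}`). Pick one form for all DMI tables, preferably the `DMI_MATCH(DMI_NONE, NULL)` variant, which stays correct if `struct dmi_strmatch` changes; better still keep the original `{ }`, which zero-fills without depending on member layout.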
4150 -@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
4151 - struct desc_struct *gdt;
4152 - int err;
4153 -
4154 -+#ifdef CONFIG_PAX_KERNEXEC
4155 -+ unsigned long cr0;
4156 -+#endif
4157 -+
4158 - dmi_check_system(apm_dmi_table);
4159 -
4160 - if (apm_info.bios.version == 0 || paravirt_enabled()) {
4161 -@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
4162 - * This is for buggy BIOS's that refer to (real mode) segment 0x40
4163 - * even though they are called in protected mode.
4164 - */
4165 -+
4166 -+#ifdef CONFIG_PAX_KERNEXEC
4167 -+ pax_open_kernel(cr0);
4168 -+#endif
4169 -+
4170 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
4171 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
4172 -
4173 -+#ifdef CONFIG_PAX_KERNEXEC
4174 -+ pax_close_kernel(cr0);
4175 -+#endif
4176 -+
4177 - /*
4178 - * Set up the long jump entry point to the APM BIOS, which is called
4179 - * from inline assembly.
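Review bot: the open/close pair here is required because `bad_bios_desc` is declared `static const` and therefore lands in read-only data, which KERNEXEC enforces; `set_base()` and `_set_limit()` then write to a const object. The write is pre-existing, but this is the moment to either drop the `const` (the object is plainly mutated at init time) or add a comment explaining why the read-only placement is wanted and that the only write is confined to `apm_init()`.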
4180 -@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
4181 - * code to that CPU.
4182 - */
4183 - gdt = get_cpu_gdt_table(0);
4184 -+
4185 -+#ifdef CONFIG_PAX_KERNEXEC
4186 -+ pax_open_kernel(cr0);
4187 -+#endif
4188 -+
4189 - set_base(gdt[APM_CS >> 3],
4190 - __va((unsigned long)apm_info.bios.cseg << 4));
4191 - set_base(gdt[APM_CS_16 >> 3],
4192 -@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
4193 - set_base(gdt[APM_DS >> 3],
4194 - __va((unsigned long)apm_info.bios.dseg << 4));
4195 -
4196 -+#ifdef CONFIG_PAX_KERNEXEC
4197 -+ pax_close_kernel(cr0);
4198 -+#endif
4199 -+
4200 - apm_proc = create_proc_entry("apm", 0, NULL);
4201 - if (apm_proc)
4202 - apm_proc->proc_fops = &apm_file_ops;
4203 -diff -urNp linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c
4204 ---- linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c 2008-03-24 14:49:18.000000000 -0400
4205 -+++ linux-2.6.24.4/arch/x86/kernel/asm-offsets_32.c 2008-03-26 17:56:55.000000000 -0400
4206 -@@ -110,6 +110,7 @@ void foo(void)
4207 - DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
4208 - DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
4209 - DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
4210 -+ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
4211 -
4212 - DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
4213 -
4214 -@@ -125,6 +126,7 @@ void foo(void)
4215 - OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
4216 - OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
4217 - OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
4218 -+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
4219 - #endif
4220 -
4221 - #ifdef CONFIG_XEN
4222 -diff -urNp linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c
4223 ---- linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c 2008-03-24 14:49:18.000000000 -0400
4224 -+++ linux-2.6.24.4/arch/x86/kernel/asm-offsets_64.c 2008-03-26 17:56:55.000000000 -0400
4225 -@@ -108,6 +108,7 @@ int main(void)
4226 - ENTRY(cr8);
4227 - BLANK();
4228 - #undef ENTRY
4229 -+ DEFINE(TSS_size, sizeof(struct tss_struct));
4230 - DEFINE(TSS_ist, offsetof(struct tss_struct, ist));
4231 - BLANK();
4232 - DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
4233 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/common.c linux-2.6.24.4/arch/x86/kernel/cpu/common.c
4234 ---- linux-2.6.24.4/arch/x86/kernel/cpu/common.c 2008-03-24 14:49:18.000000000 -0400
4235 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/common.c 2008-03-26 17:56:55.000000000 -0400
4236 -@@ -4,7 +4,6 @@
4237 - #include <linux/smp.h>
4238 - #include <linux/module.h>
4239 - #include <linux/percpu.h>
4240 --#include <linux/bootmem.h>
4241 - #include <asm/semaphore.h>
4242 - #include <asm/processor.h>
4243 - #include <asm/i387.h>
4244 -@@ -21,39 +20,15 @@
4245 -
4246 - #include "cpu.h"
4247 -
4248 --DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
4249 -- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
4250 -- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
4251 -- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
4252 -- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
4253 -- /*
4254 -- * Segments used for calling PnP BIOS have byte granularity.
4255 -- * They code segments and data segments have fixed 64k limits,
4256 -- * the transfer segment sizes are set at run time.
4257 -- */
4258 -- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
4259 -- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
4260 -- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
4261 -- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
4262 -- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
4263 -- /*
4264 -- * The APM segments have byte granularity and their bases
4265 -- * are set at run time. All have 64k limits.
4266 -- */
4267 -- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
4268 -- /* 16-bit code */
4269 -- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
4270 -- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
4271 --
4272 -- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
4273 -- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
4274 --} };
4275 --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
4276 --
4277 - static int cachesize_override __cpuinitdata = -1;
4278 - static int disable_x86_fxsr __cpuinitdata;
4279 - static int disable_x86_serial_nr __cpuinitdata = 1;
4280 --static int disable_x86_sep __cpuinitdata;
4281 -+
4282 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4283 -+int disable_x86_sep __cpuinitdata = 1;
4284 -+#else
4285 -+int disable_x86_sep __cpuinitdata;
4286 -+#endif
4287 -
4288 - struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
4289 -
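Review bot: two unrelated changes share this hunk and both need a pointer to the rest of the series: the per-CPU `gdt_page` definition and its `EXPORT_PER_CPU_SYMBOL_GPL` are deleted with no replacement visible in this file, so confirm the new definition (and an export, if modules still reference `gdt_page`) lands elsewhere in the patch; and `disable_x86_sep` loses `static` and defaults to 1 whenever PAGEEXEC, SEGMEXEC, KERNEXEC or UDEREF is enabled, which turns off the `sysenter` fast path for those configurations. The latter is a measurable syscall-latency cost that belongs in the Kconfig help of the options that trigger it, and the now-global variable needs a declaration in a header.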
4290 -@@ -262,9 +237,9 @@ void __init cpu_detect(struct cpuinfo_x8
4291 - {
4292 - /* Get vendor name */
4293 - cpuid(0x00000000, &c->cpuid_level,
4294 -- (int *)&c->x86_vendor_id[0],
4295 -- (int *)&c->x86_vendor_id[8],
4296 -- (int *)&c->x86_vendor_id[4]);
4297 -+ (unsigned int *)&c->x86_vendor_id[0],
4298 -+ (unsigned int *)&c->x86_vendor_id[8],
4299 -+ (unsigned int *)&c->x86_vendor_id[4]);
4300 -
4301 - c->x86 = 4;
4302 - if (c->cpuid_level >= 0x00000001) {
4303 -@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
4304 -
4305 - static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
4306 - {
4307 -- u32 tfms, xlvl;
4308 -- int ebx;
4309 -+ u32 tfms, xlvl, ebx;
4310 -
4311 - if (have_cpuid_p()) {
4312 - /* Get vendor name */
4313 - cpuid(0x00000000, &c->cpuid_level,
4314 -- (int *)&c->x86_vendor_id[0],
4315 -- (int *)&c->x86_vendor_id[8],
4316 -- (int *)&c->x86_vendor_id[4]);
4317 -+ (unsigned int *)&c->x86_vendor_id[0],
4318 -+ (unsigned int *)&c->x86_vendor_id[8],
4319 -+ (unsigned int *)&c->x86_vendor_id[4]);
4320 -
4321 - get_cpu_vendor(c, 0);
4322 - /* Initialize the standard set of capabilities */
4323 -@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
4324 - {
4325 - struct Xgt_desc_struct gdt_descr;
4326 -
4327 -- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
4328 -+ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
4329 - gdt_descr.size = GDT_SIZE - 1;
4330 - load_gdt(&gdt_descr);
4331 - asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
4332 -@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
4333 - {
4334 - int cpu = smp_processor_id();
4335 - struct task_struct *curr = current;
4336 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
4337 -+ struct tss_struct *t = init_tss + cpu;
4338 - struct thread_struct *thread = &curr->thread;
4339 -
4340 - if (cpu_test_and_set(cpu, cpu_initialized)) {
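Review bot: `struct tss_struct *t = init_tss + cpu;` only compiles if `init_tss` has been turned from a per-CPU variable into a plain array in a header hunk not shown here (the `TSS_size` define added to `asm-offsets_64.c` points the same way); name that dependency in the patch description so the related hunks can be reviewed together.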
4341 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
4342 ---- linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-24 14:49:18.000000000 -0400
4343 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-26 17:56:55.000000000 -0400
4344 -@@ -549,7 +549,7 @@ static const struct dmi_system_id sw_any
4345 - DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
4346 - },
4347 - },
4348 -- { }
4349 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
4350 - };
4351 - #endif
4352 -
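Review bot: replacing the `{ }` terminator with the positional `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }` changes nothing at runtime (both zero-initialise the sentinel) but ties this file to the exact member order of `struct dmi_system_id`; if the point is to avoid a missing-initializer warning, a designated `{ .ident = NULL }` survives struct changes, and the same remark applies to the speedstep-centrino, mce_64.c and mtrr sentinels below.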
4353 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
4354 ---- linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-24 14:49:18.000000000 -0400
4355 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-26 17:56:55.000000000 -0400
4356 -@@ -223,7 +223,7 @@ static struct cpu_model models[] =
4357 - { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
4358 - { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
4359 -
4360 -- { NULL, }
4361 -+ { NULL, NULL, 0, NULL}
4362 - };
4363 - #undef _BANIAS
4364 - #undef BANIAS
4365 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/intel.c linux-2.6.24.4/arch/x86/kernel/cpu/intel.c
4366 ---- linux-2.6.24.4/arch/x86/kernel/cpu/intel.c 2008-03-24 14:49:18.000000000 -0400
4367 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/intel.c 2008-03-26 17:56:55.000000000 -0400
4368 -@@ -104,6 +104,7 @@ static void __cpuinit trap_init_f00f_bug
4369 - * it uses the read-only mapped virtual address.
4370 - */
4371 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
4372 -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
4373 - load_idt(&idt_descr);
4374 - }
4375 - #endif
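Review bot: the new `idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);` is added without removing the original `idt_descr.address = fix_to_virt(FIX_F00F_IDT);` directly above it (the hunk header is `+1` with no `-` line), so the function now has two back-to-back assignments where the first still stores an integer into a pointer member and is immediately overwritten. The original line should be a `-` line in this hunk.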
4376 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c
4377 ---- linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-24 14:49:18.000000000 -0400
4378 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-26 17:56:55.000000000 -0400
4379 -@@ -352,8 +352,8 @@ unsigned int __cpuinit init_intel_cachei
4380 - */
4381 - if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
4382 - /* supports eax=2 call */
4383 -- int i, j, n;
4384 -- int regs[4];
4385 -+ int j, n;
4386 -+ unsigned int regs[4];
4387 - unsigned char *dp = (unsigned char *)regs;
4388 - int only_trace = 0;
4389 -
4390 -@@ -368,7 +368,7 @@ unsigned int __cpuinit init_intel_cachei
4391 -
4392 - /* If bit 31 is set, this is an unknown format */
4393 - for ( j = 0 ; j < 3 ; j++ ) {
4394 -- if ( regs[j] < 0 ) regs[j] = 0;
4395 -+ if ( (int)regs[j] < 0 ) regs[j] = 0;
4396 - }
4397 -
4398 - /* Byte 0 is level count, not a descriptor */
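Review bot: `if ( (int)regs[j] < 0 )` relies on converting an out-of-range unsigned value to `int` to test bit 31, which is implementation-defined in C; since the comment above says the intent is "if bit 31 is set", `if (regs[j] & 0x80000000) regs[j] = 0;` says exactly that and does not depend on the conversion.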
4399 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c
4400 ---- linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-24 14:49:18.000000000 -0400
4401 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-26 17:56:55.000000000 -0400
4402 -@@ -671,6 +671,7 @@ static struct miscdevice mce_log_device
4403 - MISC_MCELOG_MINOR,
4404 - "mcelog",
4405 - &mce_chrdev_ops,
4406 -+ {NULL, NULL}, NULL, NULL
4407 - };
4408 -
4409 - static unsigned long old_cr4 __initdata;
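Review bot: the miscdevice initializer `MISC_MCELOG_MINOR, "mcelog", &mce_chrdev_ops, {NULL, NULL}, NULL, NULL` is fully positional, so `{NULL, NULL}` has to line up with the embedded `struct list_head` and the two trailing NULLs with whatever pointer members follow it; a designated `.minor = ..., .name = ..., .fops = ...` initializer expresses the same thing without depending on member order.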
4410 -diff -urNp linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c
4411 ---- linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-24 14:49:18.000000000 -0400
4412 -+++ linux-2.6.24.4/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-26 17:56:55.000000000 -0400
4413 -@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
4414 - { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
4415 - { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
4416 - { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
4417 -- {}
4418 -+ { 0, 0 }
4419 - };
4420 -
4421 - static unsigned long smp_changes_mask;
4422 --static struct mtrr_state mtrr_state = {};
4423 -+static struct mtrr_state mtrr_state;
4424 -
4425 - #undef MODULE_PARAM_PREFIX
4426 - #define MODULE_PARAM_PREFIX "mtrr."
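Review bot: `{ 0, 0 }` for the fixed_range_block terminator and dropping `= {}` from `static struct mtrr_state mtrr_state` are both behaviour-neutral (static storage is zero-initialised either way), so this hunk is pure style; if it exists to silence a missing-initializer warning, a note in the changelog would stop the next person reverting it as noise.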
4427 -diff -urNp linux-2.6.24.4/arch/x86/kernel/crash.c linux-2.6.24.4/arch/x86/kernel/crash.c
4428 ---- linux-2.6.24.4/arch/x86/kernel/crash.c 2008-03-24 14:49:18.000000000 -0400
4429 -+++ linux-2.6.24.4/arch/x86/kernel/crash.c 2008-03-26 17:56:55.000000000 -0400
4430 -@@ -62,7 +62,7 @@ static int crash_nmi_callback(struct not
4431 - local_irq_disable();
4432 -
4433 - #ifdef CONFIG_X86_32
4434 -- if (!user_mode_vm(regs)) {
4435 -+ if (!user_mode(regs)) {
4436 - crash_fixup_ss_esp(&fixed_regs, regs);
4437 - regs = &fixed_regs;
4438 - }
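Review bot: `user_mode_vm(regs)` also treats a frame with the VM flag set in EFLAGS (v8086 mode) as user mode, whereas `user_mode(regs)` only checks the CS RPL; after this change an NMI that interrupts a vm86 task takes the kernel-mode branch and runs crash_fixup_ss_esp() on a user frame. If vm86 is still supported in this configuration the original predicate is the right one; if PaX makes the VM case impossible here, a comment at the `#ifdef CONFIG_X86_32` should say so.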
4439 -diff -urNp linux-2.6.24.4/arch/x86/kernel/doublefault_32.c linux-2.6.24.4/arch/x86/kernel/doublefault_32.c
4440 ---- linux-2.6.24.4/arch/x86/kernel/doublefault_32.c 2008-03-24 14:49:18.000000000 -0400
4441 -+++ linux-2.6.24.4/arch/x86/kernel/doublefault_32.c 2008-03-26 17:56:55.000000000 -0400
4442 -@@ -11,17 +11,17 @@
4443 -
4444 - #define DOUBLEFAULT_STACKSIZE (1024)
4445 - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
4446 --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
4447 -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
4448 -
4449 - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
4450 -
4451 - static void doublefault_fn(void)
4452 - {
4453 -- struct Xgt_desc_struct gdt_desc = {0, 0};
4454 -+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
4455 - unsigned long gdt, tss;
4456 -
4457 - store_gdt(&gdt_desc);
4458 -- gdt = gdt_desc.address;
4459 -+ gdt = (unsigned long)gdt_desc.address;
4460 -
4461 - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
4462 -
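Review bot: `STACK_START` moves from the end of doublefault_stack to `DOUBLEFAULT_STACKSIZE-2` with no comment; the reason for leaving two unsigned longs of headroom at the top of the array (and why exactly two) belongs next to the define. The `{0, NULL, 0}` initializer for gdt_desc also shows `struct Xgt_desc_struct` gaining a third member, which again is a header change outside this hunk.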
4463 -@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
4464 - /* 0x2 bit is always set */
4465 - .eflags = X86_EFLAGS_SF | 0x2,
4466 - .esp = STACK_START,
4467 -- .es = __USER_DS,
4468 -+ .es = __KERNEL_DS,
4469 - .cs = __KERNEL_CS,
4470 - .ss = __KERNEL_DS,
4471 -- .ds = __USER_DS,
4472 -+ .ds = __KERNEL_DS,
4473 - .fs = __KERNEL_PERCPU,
4474 -
4475 - .__cr3 = __pa(swapper_pg_dir)
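Review bot: `.es`/`.ds = __KERNEL_DS` in doublefault_tss is unconditional, whereas the SAVE_ALL rewrite in entry_32.S only loads __KERNEL_DS when a PaX exec or UDEREF option is configured and keeps __USER_DS otherwise; for a ring-0 task that never returns to user mode either selector works, but a one-line comment would keep someone from "fixing" this back to __USER_DS for consistency.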
4476 -diff -urNp linux-2.6.24.4/arch/x86/kernel/efi_32.c linux-2.6.24.4/arch/x86/kernel/efi_32.c
4477 ---- linux-2.6.24.4/arch/x86/kernel/efi_32.c 2008-03-24 14:49:18.000000000 -0400
4478 -+++ linux-2.6.24.4/arch/x86/kernel/efi_32.c 2008-03-26 17:56:55.000000000 -0400
4479 -@@ -63,71 +63,38 @@ extern void * boot_ioremap(unsigned long
4480 -
4481 - static unsigned long efi_rt_eflags;
4482 - static DEFINE_SPINLOCK(efi_rt_lock);
4483 --static pgd_t efi_bak_pg_dir_pointer[2];
4484 -+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
4485 -
4486 --static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
4487 -+static void __init efi_call_phys_prelog(void) __acquires(efi_rt_lock)
4488 - {
4489 -- unsigned long cr4;
4490 -- unsigned long temp;
4491 - struct Xgt_desc_struct gdt_descr;
4492 -
4493 - spin_lock(&efi_rt_lock);
4494 - local_irq_save(efi_rt_eflags);
4495 -
4496 -- /*
4497 -- * If I don't have PSE, I should just duplicate two entries in page
4498 -- * directory. If I have PSE, I just need to duplicate one entry in
4499 -- * page directory.
4500 -- */
4501 -- cr4 = read_cr4();
4502 --
4503 -- if (cr4 & X86_CR4_PSE) {
4504 -- efi_bak_pg_dir_pointer[0].pgd =
4505 -- swapper_pg_dir[pgd_index(0)].pgd;
4506 -- swapper_pg_dir[0].pgd =
4507 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
4508 -- } else {
4509 -- efi_bak_pg_dir_pointer[0].pgd =
4510 -- swapper_pg_dir[pgd_index(0)].pgd;
4511 -- efi_bak_pg_dir_pointer[1].pgd =
4512 -- swapper_pg_dir[pgd_index(0x400000)].pgd;
4513 -- swapper_pg_dir[pgd_index(0)].pgd =
4514 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
4515 -- temp = PAGE_OFFSET + 0x400000;
4516 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
4517 -- swapper_pg_dir[pgd_index(temp)].pgd;
4518 -- }
4519 -+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
4520 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
4521 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
4522 -
4523 - /*
4524 - * After the lock is released, the original page table is restored.
4525 - */
4526 - local_flush_tlb();
4527 -
4528 -- gdt_descr.address = __pa(get_cpu_gdt_table(0));
4529 -+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
4530 - gdt_descr.size = GDT_SIZE - 1;
4531 - load_gdt(&gdt_descr);
4532 - }
4533 -
4534 --static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
4535 -+static void __init efi_call_phys_epilog(void) __releases(efi_rt_lock)
4536 - {
4537 -- unsigned long cr4;
4538 - struct Xgt_desc_struct gdt_descr;
4539 -
4540 -- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
4541 -+ gdt_descr.address = get_cpu_gdt_table(0);
4542 - gdt_descr.size = GDT_SIZE - 1;
4543 - load_gdt(&gdt_descr);
4544 -
4545 -- cr4 = read_cr4();
4546 --
4547 -- if (cr4 & X86_CR4_PSE) {
4548 -- swapper_pg_dir[pgd_index(0)].pgd =
4549 -- efi_bak_pg_dir_pointer[0].pgd;
4550 -- } else {
4551 -- swapper_pg_dir[pgd_index(0)].pgd =
4552 -- efi_bak_pg_dir_pointer[0].pgd;
4553 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
4554 -- efi_bak_pg_dir_pointer[1].pgd;
4555 -- }
4556 -+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
4557 -
4558 - /*
4559 - * After the lock is released, the original page table is restored.
4560 -@@ -138,7 +105,7 @@ static void efi_call_phys_epilog(void) _
4561 - spin_unlock(&efi_rt_lock);
4562 - }
4563 -
4564 --static efi_status_t
4565 -+static efi_status_t __init
4566 - phys_efi_set_virtual_address_map(unsigned long memory_map_size,
4567 - unsigned long descriptor_size,
4568 - u32 descriptor_version,
4569 -@@ -154,7 +121,7 @@ phys_efi_set_virtual_address_map(unsigne
4570 - return status;
4571 - }
4572 -
4573 --static efi_status_t
4574 -+static noinline efi_status_t __init
4575 - phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
4576 - {
4577 - efi_status_t status;
4578 -@@ -198,7 +165,7 @@ inline int efi_set_rtc_mmss(unsigned lon
4579 - * services have been remapped and also during suspend, therefore,
4580 - * we'll need to call both in physical and virtual modes.
4581 - */
4582 --inline unsigned long efi_get_time(void)
4583 -+unsigned long efi_get_time(void)
4584 - {
4585 - efi_status_t status;
4586 - efi_time_t eft;
4587 -diff -urNp linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S
4588 ---- linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S 2008-03-24 14:49:18.000000000 -0400
4589 -+++ linux-2.6.24.4/arch/x86/kernel/efi_stub_32.S 2008-03-26 17:56:55.000000000 -0400
4590 -@@ -6,6 +6,7 @@
4591 - */
4592 -
4593 - #include <linux/linkage.h>
4594 -+#include <linux/init.h>
4595 - #include <asm/page.h>
4596 -
4597 - /*
4598 -@@ -20,7 +21,7 @@
4599 - * service functions will comply with gcc calling convention, too.
4600 - */
4601 -
4602 --.text
4603 -+__INIT
4604 - ENTRY(efi_call_phys)
4605 - /*
4606 - * 0. The function can only be called in Linux kernel. So CS has been
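Review bot: `__INIT` in place of `.text` puts efi_call_phys into .init.text (and the `__INITDATA` at the end of this file puts saved_return_addr and efi_rt_function_ptr into .init.data); this matches the `__init` markings in efi_32.c, but it means any physical-mode EFI call after init memory is released jumps into freed memory, so the constraint should be stated in the comment block at the top of the stub.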
4607 -@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
4608 - * The mapping of lower virtual memory has been created in prelog and
4609 - * epilog.
4610 - */
4611 -- movl $1f, %edx
4612 -- subl $__PAGE_OFFSET, %edx
4613 -- jmp *%edx
4614 -+ jmp 1f-__PAGE_OFFSET
4615 - 1:
4616 -
4617 - /*
4618 -@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
4619 - * parameter 2, ..., param n. To make things easy, we save the return
4620 - * address of efi_call_phys in a global variable.
4621 - */
4622 -- popl %edx
4623 -- movl %edx, saved_return_addr
4624 -- /* get the function pointer into ECX*/
4625 -- popl %ecx
4626 -- movl %ecx, efi_rt_function_ptr
4627 -- movl $2f, %edx
4628 -- subl $__PAGE_OFFSET, %edx
4629 -- pushl %edx
4630 -+ popl (saved_return_addr)
4631 -+ popl (efi_rt_function_ptr)
4632 -
4633 - /*
4634 - * 3. Clear PG bit in %CR0.
4635 -@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
4636 - /*
4637 - * 5. Call the physical function.
4638 - */
4639 -- jmp *%ecx
4640 -+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
4641 -
4642 --2:
4643 - /*
4644 - * 6. After EFI runtime service returns, control will return to
4645 - * following instruction. We'd better readjust stack pointer first.
4646 -@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
4647 - movl %cr0, %edx
4648 - orl $0x80000000, %edx
4649 - movl %edx, %cr0
4650 -- jmp 1f
4651 --1:
4652 -+
4653 - /*
4654 - * 8. Now restore the virtual mode from flat mode by
4655 - * adding EIP with PAGE_OFFSET.
4656 - */
4657 -- movl $1f, %edx
4658 -- jmp *%edx
4659 -+ jmp 1f+__PAGE_OFFSET
4660 - 1:
4661 -
4662 - /*
4663 - * 9. Balance the stack. And because EAX contain the return value,
4664 - * we'd better not clobber it.
4665 - */
4666 -- leal efi_rt_function_ptr, %edx
4667 -- movl (%edx), %ecx
4668 -- pushl %ecx
4669 -+ pushl (efi_rt_function_ptr)
4670 -
4671 - /*
4672 -- * 10. Push the saved return address onto the stack and return.
4673 -+ * 10. Return to the saved return address.
4674 - */
4675 -- leal saved_return_addr, %edx
4676 -- movl (%edx), %ecx
4677 -- pushl %ecx
4678 -- ret
4679 -+ jmpl *(saved_return_addr)
4680 - .previous
4681 -
4682 --.data
4683 -+__INITDATA
4684 - saved_return_addr:
4685 - .long 0
4686 - efi_rt_function_ptr:
4687 -diff -urNp linux-2.6.24.4/arch/x86/kernel/entry_32.S linux-2.6.24.4/arch/x86/kernel/entry_32.S
4688 ---- linux-2.6.24.4/arch/x86/kernel/entry_32.S 2008-03-24 14:49:18.000000000 -0400
4689 -+++ linux-2.6.24.4/arch/x86/kernel/entry_32.S 2008-03-26 17:56:55.000000000 -0400
4690 -@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
4691 - #define resume_userspace_sig resume_userspace
4692 - #endif
4693 -
4694 --#define SAVE_ALL \
4695 -+#define __SAVE_ALL(_DS) \
4696 - cld; \
4697 - pushl %fs; \
4698 - CFI_ADJUST_CFA_OFFSET 4;\
4699 -@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
4700 - pushl %ebx; \
4701 - CFI_ADJUST_CFA_OFFSET 4;\
4702 - CFI_REL_OFFSET ebx, 0;\
4703 -- movl $(__USER_DS), %edx; \
4704 -+ movl $(_DS), %edx; \
4705 - movl %edx, %ds; \
4706 - movl %edx, %es; \
4707 - movl $(__KERNEL_PERCPU), %edx; \
4708 - movl %edx, %fs
4709 -
4710 -+#ifdef CONFIG_PAX_KERNEXEC
4711 -+#define SAVE_ALL \
4712 -+ __SAVE_ALL(__KERNEL_DS); \
4713 -+ GET_CR0_INTO_EDX; \
4714 -+ movl %edx, %esi; \
4715 -+ orl $X86_CR0_WP, %edx; \
4716 -+ xorl %edx, %esi; \
4717 -+ SET_CR0_FROM_EDX
4718 -+#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4719 -+#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
4720 -+#else
4721 -+#define SAVE_ALL __SAVE_ALL(__USER_DS)
4722 -+#endif
4723 -+
4724 - #define RESTORE_INT_REGS \
4725 - popl %ebx; \
4726 - CFI_ADJUST_CFA_OFFSET -4;\
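Review bot: under CONFIG_PAX_KERNEXEC the SAVE_ALL macro leaves the CR0.WP delta in `%esi` (`movl %edx, %esi; orl $X86_CR0_WP, %edx; xorl %edx, %esi`) and the exit paths later `xorl %esi, %edx` it back into CR0, which makes `%esi` a live value across every C handler called between entry and exit. It survives only because `%esi` is callee-saved in the i386 ABI; any asm between SAVE_ALL and the restore that touches `%esi` silently leaves WP in the wrong state. Document that invariant at the macro definition and at each `#ifdef CONFIG_PAX_KERNEXEC` block that consumes `%esi`.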
4727 -@@ -248,7 +262,17 @@ check_userspace:
4728 - movb PT_CS(%esp), %al
4729 - andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
4730 - cmpl $USER_RPL, %eax
4731 -+
4732 -+#ifdef CONFIG_PAX_KERNEXEC
4733 -+ jae resume_userspace
4734 -+
4735 -+ GET_CR0_INTO_EDX
4736 -+ xorl %esi, %edx
4737 -+ SET_CR0_FROM_EDX
4738 -+ jmp resume_kernel
4739 -+#else
4740 - jb resume_kernel # not returning to v8086 or userspace
4741 -+#endif
4742 -
4743 - ENTRY(resume_userspace)
4744 - LOCKDEP_SYS_EXIT
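Review bot: the KERNEXEC arm restores CR0 only on the kernel-return path and leaves WP set when going to `resume_userspace`, which is the intended steady state, but the rewrite turns the single `jb resume_kernel` into a `jae`/restore/`jmp` sequence and the `# not returning to v8086 or userspace` comment now only applies to the `#else` arm; move or duplicate the comment so the KERNEXEC branch explains the same condition.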
4745 -@@ -308,10 +332,9 @@ sysenter_past_esp:
4746 - /*CFI_REL_OFFSET cs, 0*/
4747 - /*
4748 - * Push current_thread_info()->sysenter_return to the stack.
4749 -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
4750 -- * pushed above; +8 corresponds to copy_thread's esp0 setting.
4751 - */
4752 -- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
4753 -+ GET_THREAD_INFO(%ebp)
4754 -+ pushl TI_sysenter_return(%ebp)
4755 - CFI_ADJUST_CFA_OFFSET 4
4756 - CFI_REL_OFFSET eip, 0
4757 -
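Review bot: `GET_THREAD_INFO(%ebp)` clobbers `%ebp`, which at this point still holds the user stack pointer that the sixth-argument load below dereferences; the compensating `movl 12(%esp),%ebp` lives in the next hunk, so the two hunks are not independently correct and should be described together. The removed comment explained the fragile `4*4 + 8` offset; the replacement `12(%esp)` is just as layout-dependent (it is the pushed user %ebp/esp slot), so a comment naming that slot would keep the readability gain.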
4758 -@@ -319,9 +342,17 @@ sysenter_past_esp:
4759 - * Load the potential sixth argument from user stack.
4760 - * Careful about security.
4761 - */
4762 -+ movl 12(%esp),%ebp
4763 -+
4764 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
4765 -+ mov 16(%esp),%ds
4766 -+1: movl %ds:(%ebp),%ebp
4767 -+#else
4768 - cmpl $__PAGE_OFFSET-3,%ebp
4769 - jae syscall_fault
4770 - 1: movl (%ebp),%ebp
4771 -+#endif
4772 -+
4773 - .section __ex_table,"a"
4774 - .align 4
4775 - .long 1b,syscall_fault
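Review bot: under CONFIG_PAX_MEMORY_UDEREF the software range check (`cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault`) is replaced by loading the user data selector from the pushed SS slot (`mov 16(%esp),%ds`) and letting the segment limit fault on a kernel address, so the `__ex_table` entry for `1b` now has to handle a #GP rather than only a #PF; this depends on do_general_protection() consulting the exception table for kernel-mode faults and should be stated next to the entry. The explicit `%ds` reload is also needed because sysenter does not reload DS and the user may have loaded any selector; say so in the comment.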
4776 -@@ -345,20 +376,37 @@ sysenter_past_esp:
4777 - movl TI_flags(%ebp), %ecx
4778 - testw $_TIF_ALLWORK_MASK, %cx
4779 - jne syscall_exit_work
4780 -+
4781 -+#ifdef CONFIG_PAX_RANDKSTACK
4782 -+ pushl %eax
4783 -+ CFI_ADJUST_CFA_OFFSET 4
4784 -+ call pax_randomize_kstack
4785 -+ popl %eax
4786 -+ CFI_ADJUST_CFA_OFFSET -4
4787 -+#endif
4788 -+
4789 - /* if something modifies registers it must also disable sysexit */
4790 - movl PT_EIP(%esp), %edx
4791 - movl PT_OLDESP(%esp), %ecx
4792 - xorl %ebp,%ebp
4793 - TRACE_IRQS_ON
4794 - 1: mov PT_FS(%esp), %fs
4795 -+2: mov PT_DS(%esp), %ds
4796 -+3: mov PT_ES(%esp), %es
4797 - ENABLE_INTERRUPTS_SYSEXIT
4798 - CFI_ENDPROC
4799 - .pushsection .fixup,"ax"
4800 --2: movl $0,PT_FS(%esp)
4801 -+4: movl $0,PT_FS(%esp)
4802 - jmp 1b
4803 -+5: movl $0,PT_DS(%esp)
4804 -+ jmp 2b
4805 -+6: movl $0,PT_ES(%esp)
4806 -+ jmp 3b
4807 - .section __ex_table,"a"
4808 - .align 4
4809 -- .long 1b,2b
4810 -+ .long 1b,4b
4811 -+ .long 2b,5b
4812 -+ .long 3b,6b
4813 - .popsection
4814 - ENDPROC(sysenter_entry)
4815 -
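Review bot: the added `2: mov PT_DS(%esp), %ds` / `3: mov PT_ES(%esp), %es` before ENABLE_INTERRUPTS_SYSEXIT is the other half of SAVE_ALL now loading __KERNEL_DS: sysexit does not touch DS/ES, so without these the task would return to ring 3 with kernel data selectors in DS/ES, and that dependency deserves a comment here. The fixup labels (4b/5b/6b) and the renumbered `.long 1b,4b` entry are consistent with each other.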
4816 -@@ -392,6 +440,10 @@ no_singlestep:
4817 - testw $_TIF_ALLWORK_MASK, %cx # current->work
4818 - jne syscall_exit_work
4819 -
4820 -+#ifdef CONFIG_PAX_RANDKSTACK
4821 -+ call pax_randomize_kstack
4822 -+#endif
4823 -+
4824 - restore_all:
4825 - movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
4826 - # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
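Review bot: this `call pax_randomize_kstack` before restore_all does not preserve `%eax`, unlike the copy on the sysexit path which wraps it in `pushl %eax`/`popl %eax`; that is correct because here the syscall return value has already been stored to PT_EAX and RESTORE_REGS reloads it, whereas the sysexit path keeps it live in the register, but the asymmetry needs a one-line comment in both places.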
4827 -@@ -556,17 +608,24 @@ syscall_badsys:
4828 - END(syscall_badsys)
4829 - CFI_ENDPROC
4830 -
4831 --#define FIXUP_ESPFIX_STACK \
4832 -- /* since we are on a wrong stack, we cant make it a C code :( */ \
4833 -- PER_CPU(gdt_page, %ebx); \
4834 -- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
4835 -- addl %esp, %eax; \
4836 -- pushl $__KERNEL_DS; \
4837 -- CFI_ADJUST_CFA_OFFSET 4; \
4838 -- pushl %eax; \
4839 -- CFI_ADJUST_CFA_OFFSET 4; \
4840 -- lss (%esp), %esp; \
4841 -+.macro FIXUP_ESPFIX_STACK
4842 -+ /* since we are on a wrong stack, we cant make it a C code :( */
4843 -+#ifdef CONFIG_SMP
4844 -+ movl PER_CPU_VAR(cpu_number), %ebx;
4845 -+ shll $PAGE_SHIFT_asm, %ebx;
4846 -+ addl $cpu_gdt_table, %ebx;
4847 -+#else
4848 -+ movl $cpu_gdt_table, %ebx;
4849 -+#endif
4850 -+ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
4851 -+ addl %esp, %eax;
4852 -+ pushl $__KERNEL_DS;
4853 -+ CFI_ADJUST_CFA_OFFSET 4;
4854 -+ pushl %eax;
4855 -+ CFI_ADJUST_CFA_OFFSET 4;
4856 -+ lss (%esp), %esp;
4857 - CFI_ADJUST_CFA_OFFSET -8;
4858 -+.endm
4859 - #define UNWIND_ESPFIX_STACK \
4860 - movl %ss, %eax; \
4861 - /* see if on espfix stack */ \
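Review bot: the SMP arm computes the per-CPU GDT as `cpu_gdt_table + (cpu_number << PAGE_SHIFT_asm)`, hard-coding that each CPU's GDT occupies exactly one page of a contiguous array in place of the `PER_CPU(gdt_page, %ebx)` lookup; that layout assumption should be stated where cpu_gdt_table is defined so the two cannot drift apart. Minor: the trailing `;` on every line is a leftover from the backslash-continued `#define` form and is unnecessary in a `.macro` body.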
4862 -@@ -583,7 +642,7 @@ END(syscall_badsys)
4863 - * Build the entry stubs and pointer table with
4864 - * some assembler magic.
4865 - */
4866 --.data
4867 -+.section .rodata,"a",@progbits
4868 - ENTRY(interrupt)
4869 - .text
4870 -
4871 -@@ -683,12 +742,21 @@ error_code:
4872 - popl %ecx
4873 - CFI_ADJUST_CFA_OFFSET -4
4874 - /*CFI_REGISTER es, ecx*/
4875 -+
4876 -+#ifdef CONFIG_PAX_KERNEXEC
4877 -+ GET_CR0_INTO_EDX
4878 -+ movl %edx, %esi
4879 -+ orl $X86_CR0_WP, %edx
4880 -+ xorl %edx, %esi
4881 -+ SET_CR0_FROM_EDX
4882 -+#endif
4883 -+
4884 - movl PT_FS(%esp), %edi # get the function address
4885 - movl PT_ORIG_EAX(%esp), %edx # get the error code
4886 - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
4887 - mov %ecx, PT_FS(%esp)
4888 - /*CFI_REL_OFFSET fs, ES*/
4889 -- movl $(__USER_DS), %ecx
4890 -+ movl $(__KERNEL_DS), %ecx
4891 - movl %ecx, %ds
4892 - movl %ecx, %es
4893 - movl %esp,%eax # pt_regs pointer
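Review bot: `movl $(__KERNEL_DS), %ecx` in error_code is unconditional, whereas SAVE_ALL only picks __KERNEL_DS when a PaX exec or UDEREF option is enabled and keeps __USER_DS otherwise; both are safe on the iret path because RESTORE_REGS reloads DS/ES from pt_regs, but the asymmetry invites someone to "fix" one of them, so either use the same `#if` here or add a comment explaining why error_code can always use the kernel selector.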
4894 -@@ -822,6 +890,13 @@ nmi_stack_correct:
4895 - xorl %edx,%edx # zero error code
4896 - movl %esp,%eax # pt_regs pointer
4897 - call do_nmi
4898 -+
4899 -+#ifdef CONFIG_PAX_KERNEXEC
4900 -+ GET_CR0_INTO_EDX
4901 -+ xorl %esi, %edx
4902 -+ SET_CR0_FROM_EDX
4903 -+#endif
4904 -+
4905 - jmp restore_nocheck_notrace
4906 - CFI_ENDPROC
4907 -
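Review bot: the NMI path bypasses check_userspace (`jmp restore_nocheck_notrace`), which is why the CR0 restore via `xorl %esi, %edx` is repeated here and again in the espfix variant below; a comment at this `do_nmi` call site pointing out that the restore must stay in sync with the KERNEXEC block in check_userspace would prevent one of the three copies being forgotten in a future edit.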
4908 -@@ -862,6 +937,13 @@ nmi_espfix_stack:
4909 - FIXUP_ESPFIX_STACK # %eax == %esp
4910 - xorl %edx,%edx # zero error code
4911 - call do_nmi
4912 -+
4913 -+#ifdef CONFIG_PAX_KERNEXEC
4914 -+ GET_CR0_INTO_EDX
4915 -+ xorl %esi, %edx
4916 -+ SET_CR0_FROM_EDX
4917 -+#endif
4918 -+
4919 - RESTORE_REGS
4920 - lss 12+4(%esp), %esp # back to espfix stack
4921 - CFI_ADJUST_CFA_OFFSET -24
4922 -@@ -1110,7 +1192,6 @@ ENDPROC(xen_failsafe_callback)
4923 -
4924 - #endif /* CONFIG_XEN */
4925 -
4926 --.section .rodata,"a"
4927 - #include "syscall_table_32.S"
4928 -
4929 - syscall_table_size=(.-sys_call_table)
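Review bot: removing `.section .rodata,"a"` ahead of `#include "syscall_table_32.S"` means sys_call_table is emitted in whatever section is current at that point unless syscall_table_32.S now selects its own section; that file is not in this hunk, so confirm it does, otherwise the syscall table silently becomes executable data. The `ENTRY(interrupt)` table was explicitly moved into `.rodata,"a",@progbits` earlier in this file, and the same treatment here would be consistent.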
4930 -diff -urNp linux-2.6.24.4/arch/x86/kernel/entry_64.S linux-2.6.24.4/arch/x86/kernel/entry_64.S
4931 ---- linux-2.6.24.4/arch/x86/kernel/entry_64.S 2008-03-24 14:49:18.000000000 -0400
4932 -+++ linux-2.6.24.4/arch/x86/kernel/entry_64.S 2008-03-26 17:56:55.000000000 -0400
4933 -@@ -440,6 +440,7 @@ ENTRY(stub_execve)
4934 - CFI_REGISTER rip, r11
4935 - SAVE_REST
4936 - FIXUP_TOP_OF_STACK %r11
4937 -+ movq %rsp, %rcx
4938 - call sys_execve
4939 - RESTORE_TOP_OF_STACK %r11
4940 - movq %rax,RAX(%rsp)
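Review bot: `movq %rsp, %rcx` before `call sys_execve` changes the convention from passing `struct pt_regs` by value on the stack to passing a pointer in the fourth argument register; the matching C prototype change (`struct pt_regs *regs`, as the updated comment in the kernel_execve hunk below says) and every other caller of sys_execve live outside this hunk, and with the old prototype still in a header this compiles but passes garbage, so the prototype change must land in the same series. A comment like the one in kernel_execve would help here too.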
4941 -@@ -735,17 +736,18 @@ END(spurious_interrupt)
4942 - xorl %ebx,%ebx
4943 - 1:
4944 - .if \ist
4945 -- movq %gs:pda_data_offset, %rbp
4946 -+ imul $TSS_size, %gs:pda_cpunumber, %ebp
4947 -+ lea init_tss(%rbp), %rbp
4948 - .endif
4949 - movq %rsp,%rdi
4950 - movq ORIG_RAX(%rsp),%rsi
4951 - movq $-1,ORIG_RAX(%rsp)
4952 - .if \ist
4953 -- subq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
4954 -+ subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
4955 - .endif
4956 - call \sym
4957 - .if \ist
4958 -- addq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
4959 -+ addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
4960 - .endif
4961 - cli
4962 - .if \irqtrace
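Review bot: `imul $TSS_size, %gs:pda_cpunumber, %ebp; lea init_tss(%rbp), %rbp` replaces the per-CPU data-offset lookup with an array index, consistent with `init_tss + cpu` in cpu_init(); it needs a `TSS_size` entry in asm-offsets (not shown) and relies on the 32-bit `imul` result being zero-extended into `%rbp`, which holds only while cpu_number * sizeof(struct tss_struct) fits in 32 bits, so note that bound at the macro.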
4963 -@@ -1003,15 +1005,16 @@ ENDPROC(child_rip)
4964 - * rdi: name, rsi: argv, rdx: envp
4965 - *
4966 - * We want to fallback into:
4967 -- * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs regs)
4968 -+ * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs *regs)
4969 - *
4970 - * do_sys_execve asm fallback arguments:
4971 -- * rdi: name, rsi: argv, rdx: envp, fake frame on the stack
4972 -+ * rdi: name, rsi: argv, rdx: envp, rcx: fake frame on the stack
4973 - */
4974 - ENTRY(kernel_execve)
4975 - CFI_STARTPROC
4976 - FAKE_STACK_FRAME $0
4977 - SAVE_ALL
4978 -+ movq %rsp,%rcx
4979 - call sys_execve
4980 - movq %rax, RAX(%rsp)
4981 - RESTORE_REST
4982 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head_32.S linux-2.6.24.4/arch/x86/kernel/head_32.S
4983 ---- linux-2.6.24.4/arch/x86/kernel/head_32.S 2008-03-24 14:49:18.000000000 -0400
4984 -+++ linux-2.6.24.4/arch/x86/kernel/head_32.S 2008-03-26 17:56:55.000000000 -0400
4985 -@@ -18,6 +18,7 @@
4986 - #include <asm/thread_info.h>
4987 - #include <asm/asm-offsets.h>
4988 - #include <asm/setup.h>
4989 -+#include <asm/msr-index.h>
4990 -
4991 - /*
4992 - * References to members of the new_cpu_data structure.
4993 -@@ -60,17 +61,22 @@ LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
4994 - LOW_PAGES = LOW_PAGES + 0x1000000
4995 - #endif
4996 -
4997 --#if PTRS_PER_PMD > 1
4998 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
4999 --#else
5000 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
5001 --#endif
5002 -+PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
5003 - BOOTBITMAP_SIZE = LOW_PAGES / 8
5004 - ALLOCATOR_SLOP = 4
5005 -
5006 - INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
5007 -
5008 - /*
5009 -+ * Real beginning of normal "text" segment
5010 -+ */
5011 -+ENTRY(stext)
5012 -+ENTRY(_stext)
5013 -+
5014 -+.section .text.startup,"ax",@progbits
5015 -+ ljmp $(__BOOT_CS),$phys_startup_32
5016 -+
5017 -+/*
5018 - * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
5019 - * %esi points to the real-mode code as a 32-bit pointer.
5020 - * CS and DS must be 4 GB flat segments, but we don't depend on
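Review bot: PAGE_TABLE_SIZE loses the `+ PTRS_PER_PGD` allowance the old PAE branch added for the PMD pages; that is only valid because the PMDs now come from the statically allocated swapper_pm_dir later in this file instead of being carved out of the early page-table area, so the define needs a comment making that dependency explicit. The `.section .text.startup,"ax",@progbits` / `ljmp $(__BOOT_CS),$phys_startup_32` entry also requires the linker script to place .text.startup at the image entry point and to define phys_startup_32, neither of which is in this patch.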
5021 -@@ -78,6 +84,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
5022 - * can.
5023 - */
5024 - .section .text.head,"ax",@progbits
5025 -+
5026 -+#ifdef CONFIG_PAX_KERNEXEC
5027 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
5028 -+.fill 4096,1,0xcc
5029 -+#endif
5030 -+
5031 - ENTRY(startup_32)
5032 - /* check to see if KEEP_SEGMENTS flag is meaningful */
5033 - cmpw $0x207, BP_version(%esi)
5034 -@@ -99,6 +111,43 @@ ENTRY(startup_32)
5035 - movl %eax,%gs
5036 - 2:
5037 -
5038 -+ movl $__per_cpu_start,%eax
5039 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
5040 -+ rorl $16,%eax
5041 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
5042 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
5043 -+ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
5044 -+ subl $__per_cpu_start,%eax
5045 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
5046 -+
5047 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
5048 -+ /* check for VMware */
5049 -+ movl $0x564d5868,%eax
5050 -+ xorl %ebx,%ebx
5051 -+ movl $0xa,%ecx
5052 -+ movl $0x5658,%edx
5053 -+ in (%dx),%eax
5054 -+ cmpl $0x564d5868,%ebx
5055 -+ jz 1f
5056 -+
5057 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
5058 -+ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
5059 -+1:
5060 -+#endif
5061 -+
5062 -+#ifdef CONFIG_PAX_KERNEXEC
5063 -+ movl $KERNEL_TEXT_OFFSET,%eax
5064 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
5065 -+ rorl $16,%eax
5066 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
5067 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
5068 -+
5069 -+ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
5070 -+ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
5071 -+ rorl $16,%eax
5072 -+ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
5073 -+#endif
5074 -+
5075 - /*
5076 - * Clear BSS first so that there are no surprises...
5077 - */
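Review bot: the `CONFIG_PAX_MEMORY_UDEREF` block probes the VMware backdoor (`in (%dx),%eax` on port 0x5658 with 0x564d5868 in %eax) on every boot and skips installing the expand-down __KERNEL_DS descriptor when the hypervisor answers, but the only comment is "check for VMware"; say what VMware gets wrong with the expand-down segment so the workaround can be retired when it no longer applies, and note that the unconditional port read is harmless on bare metal. The descriptor patching itself (movw to +2, rorl, movb to +4 and +7, and the re-rotate before the final movw for boot_gdt) matches the base-field layout.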
5078 -@@ -141,9 +190,7 @@ ENTRY(startup_32)
5079 - cmpl $num_subarch_entries, %eax
5080 - jae bad_subarch
5081 -
5082 -- movl subarch_entries - __PAGE_OFFSET(,%eax,4), %eax
5083 -- subl $__PAGE_OFFSET, %eax
5084 -- jmp *%eax
5085 -+ jmp *(subarch_entries - __PAGE_OFFSET)(,%eax,4)
5086 -
5087 - bad_subarch:
5088 - WEAK(lguest_entry)
5089 -@@ -151,11 +198,11 @@ WEAK(xen_entry)
5090 - /* Unknown implementation; there's really
5091 - nothing we can do at this point. */
5092 - ud2a
5093 --.data
5094 -+.section .rodata,"a",@progbits
5095 - subarch_entries:
5096 -- .long default_entry /* normal x86/PC */
5097 -- .long lguest_entry /* lguest hypervisor */
5098 -- .long xen_entry /* Xen hypervisor */
5099 -+ .long default_entry - __PAGE_OFFSET /* normal x86/PC */
5100 -+ .long lguest_entry - __PAGE_OFFSET /* lguest hypervisor */
5101 -+ .long xen_entry - __PAGE_OFFSET /* Xen hypervisor */
5102 - num_subarch_entries = (. - subarch_entries) / 4
5103 - .previous
5104 - #endif /* CONFIG_PARAVIRT */
5105 -@@ -170,34 +217,55 @@ num_subarch_entries = (. - subarch_entri
5106 - * Warning: don't use %esi or the stack in this code. However, %esp
5107 - * can be used as a GPR if you really need it...
5108 - */
5109 --page_pde_offset = (__PAGE_OFFSET >> 20);
5110 -+#ifdef CONFIG_X86_PAE
5111 -+page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
5112 -+#else
5113 -+page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
5114 -+#endif
5115 -
5116 - default_entry:
5117 - movl $(pg0 - __PAGE_OFFSET), %edi
5118 -+#ifdef CONFIG_X86_PAE
5119 -+ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
5120 -+#else
5121 - movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
5122 -- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
5123 -+#endif
5124 -+ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
5125 - 10:
5126 -- leal 0x007(%edi),%ecx /* Create PDE entry */
5127 -+ leal 0x063(%edi),%ecx /* Create PDE entry */
5128 - movl %ecx,(%edx) /* Store identity PDE entry */
5129 - movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
5130 -+#ifdef CONFIG_X86_PAE
5131 -+ movl $0,4(%edx)
5132 -+ movl $0,page_pde_offset+4(%edx)
5133 -+ addl $8,%edx
5134 -+ movl $512, %ecx
5135 -+#else
5136 - addl $4,%edx
5137 - movl $1024, %ecx
5138 -+#endif
5139 - 11:
5140 - stosl
5141 -+#ifdef CONFIG_X86_PAE
5142 -+ movl $0,(%edi)
5143 -+ addl $4,%edi
5144 -+#endif
5145 - addl $0x1000,%eax
5146 - loop 11b
5147 - /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
5148 -- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
5149 -- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
5150 -+ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
5151 -+ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
5152 - cmpl %ebp,%eax
5153 - jb 10b
5154 - movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
5155 -
5156 - /* Do an early initialization of the fixmap area */
5157 -- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
5158 -- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
5159 -- addl $0x67, %eax /* 0x67 == _PAGE_TABLE */
5160 -- movl %eax, 4092(%edx)
5161 -+ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
5162 -+#ifdef CONFIG_X86_PAE
5163 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
5164 -+#else
5165 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
5166 -+#endif
5167 -
5168 - xorl %ebx,%ebx /* This is the boot CPU (BSP) */
5169 - jmp 3f
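Review bot: the PAE fixmap setup writes `swapper_pg_pmd` into `swapper_pm_dir - __PAGE_OFFSET + 4096 - 8`, the last entry of the first PMD page. swapper_pg_dir's PDPT later in this file maps the four PMD pages to the four 1 GiB quarters of the address space and `page_pde_offset` treats swapper_pm_dir as one contiguous 2048-entry array, so the slot matching the non-PAE `4096 - 4` (top 4 MiB, where the fixmap lives) would be `4*4096 - 8`; the current value covers the 2 MiB just below 1 GiB. Please confirm the intended address. The flag change 0x007 -> 0x063 (dropping _PAGE_USER, pre-setting ACCESSED/DIRTY) is documented in the comment and looks right for these kernel-only early mappings.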
5170 -@@ -223,6 +291,11 @@ ENTRY(startup_32_smp)
5171 - movl %eax,%fs
5172 - movl %eax,%gs
5173 -
5174 -+ /* This is a secondary processor (AP) */
5175 -+ xorl %ebx,%ebx
5176 -+ incl %ebx
5177 -+#endif /* CONFIG_SMP */
5178 -+
5179 - /*
5180 - * New page tables may be in 4Mbyte page mode and may
5181 - * be using the global pages.
5182 -@@ -238,42 +311,47 @@ ENTRY(startup_32_smp)
5183 - * not yet offset PAGE_OFFSET..
5184 - */
5185 - #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
5186 -+3:
5187 - movl cr4_bits,%edx
5188 - andl %edx,%edx
5189 -- jz 6f
5190 -+ jz 5f
5191 - movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
5192 - orl %edx,%eax
5193 - movl %eax,%cr4
5194 -
5195 -- btl $5, %eax # check if PAE is enabled
5196 -- jnc 6f
5197 -+#ifdef CONFIG_X86_PAE
5198 -+ movl %ebx,%edi
5199 -
5200 - /* Check if extended functions are implemented */
5201 - movl $0x80000000, %eax
5202 - cpuid
5203 - cmpl $0x80000000, %eax
5204 -- jbe 6f
5205 -+ jbe 4f
5206 - mov $0x80000001, %eax
5207 - cpuid
5208 - /* Execute Disable bit supported? */
5209 - btl $20, %edx
5210 -- jnc 6f
5211 -+ jnc 4f
5212 -
5213 - /* Setup EFER (Extended Feature Enable Register) */
5214 -- movl $0xc0000080, %ecx
5215 -+ movl $MSR_EFER, %ecx
5216 - rdmsr
5217 -
5218 - btsl $11, %eax
5219 - /* Make changes effective */
5220 - wrmsr
5221 -
5222 --6:
5223 -- /* This is a secondary processor (AP) */
5224 -- xorl %ebx,%ebx
5225 -- incl %ebx
5226 -+ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
5227 -+ movl $1,nx_enabled-__PAGE_OFFSET
5228 -
5229 --#endif /* CONFIG_SMP */
5230 --3:
5231 -+#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
5232 -+ movl $0,disable_x86_sep-__PAGE_OFFSET
5233 -+#endif
5234 -+
5235 -+4:
5236 -+ movl %edi,%ebx
5237 -+#endif
5238 -+5:
5239 -
5240 - /*
5241 - * Enable paging
5242 -@@ -298,9 +376,7 @@ ENTRY(startup_32_smp)
5243 -
5244 - #ifdef CONFIG_SMP
5245 - andl %ebx,%ebx
5246 -- jz 1f /* Initial CPU cleans BSS */
5247 -- jmp checkCPUtype
5248 --1:
5249 -+ jnz checkCPUtype /* Initial CPU cleans BSS */
5250 - #endif /* CONFIG_SMP */
5251 -
5252 - /*
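Review bot: `%fs` is now loaded with __KERNEL_PERCPU unconditionally and DS/ES with __KERNEL_DS instead of __USER_DS; the __KERNEL_PERCPU descriptor used here is the one patched in startup_32 above (base __per_cpu_start), and secondary CPUs entering via startup_32_smp skip that patching and depend on the boot CPU having done it first, which SMP bring-up ordering guarantees but nothing in the file states, so add that to the comment.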
5253 -@@ -377,12 +453,12 @@ is386: movl $2,%ecx # set MP
5254 - ljmp $(__KERNEL_CS),$1f
5255 - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
5256 - movl %eax,%ss # after changing gdt.
5257 -- movl %eax,%fs # gets reset once there's real percpu
5258 --
5259 -- movl $(__USER_DS),%eax # DS/ES contains default USER segment
5260 - movl %eax,%ds
5261 - movl %eax,%es
5262 -
5263 -+ movl $(__KERNEL_PERCPU), %eax
5264 -+ movl %eax,%fs # set this cpu's percpu
5265 -+
5266 - xorl %eax,%eax # Clear GS and LDT
5267 - movl %eax,%gs
5268 - lldt %ax
5269 -@@ -393,11 +469,7 @@ is386: movl $2,%ecx # set MP
5270 - movb ready, %cl
5271 - movb $1, ready
5272 - cmpb $0,%cl # the first CPU calls start_kernel
5273 -- je 1f
5274 -- movl $(__KERNEL_PERCPU), %eax
5275 -- movl %eax,%fs # set this cpu's percpu
5276 -- jmp initialize_secondary # all other CPUs call initialize_secondary
5277 --1:
5278 -+ jne initialize_secondary # all other CPUs call initialize_secondary
5279 - #endif /* CONFIG_SMP */
5280 - jmp start_kernel
5281 -
5282 -@@ -483,8 +555,8 @@ early_page_fault:
5283 - jmp early_fault
5284 -
5285 - early_fault:
5286 -- cld
5287 - #ifdef CONFIG_PRINTK
5288 -+ cld
5289 - pusha
5290 - movl $(__KERNEL_DS),%eax
5291 - movl %eax,%ds
5292 -@@ -509,8 +581,8 @@ hlt_loop:
5293 - /* This is the default interrupt "handler" :-) */
5294 - ALIGN
5295 - ignore_int:
5296 -- cld
5297 - #ifdef CONFIG_PRINTK
5298 -+ cld
5299 - pushl %eax
5300 - pushl %ecx
5301 - pushl %edx
5302 -@@ -541,31 +613,58 @@ ignore_int:
5303 - #endif
5304 - iret
5305 -
5306 --.section .text
5307 --/*
5308 -- * Real beginning of normal "text" segment
5309 -- */
5310 --ENTRY(stext)
5311 --ENTRY(_stext)
5312 --
5313 - /*
5314 - * BSS section
5315 - */
5316 --.section ".bss.page_aligned","wa"
5317 -+.section .swapper_pg_dir,"a",@progbits
5318 - .align PAGE_SIZE_asm
5319 - ENTRY(swapper_pg_dir)
5320 -+#ifdef CONFIG_X86_PAE
5321 -+ .long swapper_pm_dir-__PAGE_OFFSET+1
5322 -+ .long 0
5323 -+ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
5324 -+ .long 0
5325 -+ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
5326 -+ .long 0
5327 -+ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
5328 -+ .long 0
5329 -+#else
5330 - .fill 1024,4,0
5331 -+#endif
5332 -+
5333 -+.section .swapper_pm_dir,"a",@progbits
5334 -+#ifdef CONFIG_X86_PAE
5335 -+ENTRY(swapper_pm_dir)
5336 -+ .fill 512,8,0
5337 -+ .fill 512,8,0
5338 -+ .fill 512,8,0
5339 -+ .fill 512,8,0
5340 -+#endif
5341 -+
5342 - ENTRY(swapper_pg_pmd)
5343 - .fill 1024,4,0
5344 -+
5345 -+.section .empty_zero_page,"a",@progbits
5346 - ENTRY(empty_zero_page)
5347 - .fill 4096,1,0
5348 -
5349 - /*
5350 -+ * The IDT has to be page-aligned to simplify the Pentium
5351 -+ * F0 0F bug workaround.. We have a special link segment
5352 -+ * for this.
5353 -+ */
5354 -+.section .idt,"a",@progbits
5355 -+ENTRY(idt_table)
5356 -+ .fill 256,8,0
5357 -+
5358 -+/*
5359 - * This starts the data section.
5360 - */
5361 - .data
5362 -+
5363 -+.section .rodata,"a",@progbits
5364 - ENTRY(stack_start)
5365 -- .long init_thread_union+THREAD_SIZE
5366 -+ .long init_thread_union+THREAD_SIZE-8
5367 - .long __BOOT_DS
5368 -
5369 - ready: .byte 0
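Review bot: `ready: .byte 0` is trailing context after the new `.section .rodata,"a",@progbits` directive, so `ready` now lands in `.rodata`, but the SMP block in the earlier hunk writes it (`movb $1, ready`); either confirm `.rodata` is still writable on every CPU at that point, or keep `ready` under `.data`. The `.data` directive immediately preceding `.section .rodata` is now dead and should go. Dropping `ENTRY(stext)`/`ENTRY(_stext)` from this file presumes they are defined elsewhere (not in this excerpt); mention where in the description. The `-8` in `init_thread_union+THREAD_SIZE-8` matches `init_rsp` on the 64-bit side and the `- 8` added in irq_32.c, so a named constant for the reserved 8 bytes would keep the three in step.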
5370 -@@ -615,7 +714,7 @@ idt_descr:
5371 - .word 0 # 32 bit align gdt_desc.address
5372 - ENTRY(early_gdt_descr)
5373 - .word GDT_ENTRIES*8-1
5374 -- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
5375 -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
5376 -
5377 - /*
5378 - * The boot_gdt must mirror the equivalent in setup.S and is
5379 -@@ -624,5 +723,61 @@ ENTRY(early_gdt_descr)
5380 - .align L1_CACHE_BYTES
5381 - ENTRY(boot_gdt)
5382 - .fill GDT_ENTRY_BOOT_CS,8,0
5383 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
5384 -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
5385 -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
5386 -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
5387 -+
5388 -+ .align PAGE_SIZE_asm
5389 -+ENTRY(cpu_gdt_table)
5390 -+ .quad 0x0000000000000000 /* NULL descriptor */
5391 -+ .quad 0x0000000000000000 /* 0x0b reserved */
5392 -+ .quad 0x0000000000000000 /* 0x13 reserved */
5393 -+ .quad 0x0000000000000000 /* 0x1b reserved */
5394 -+ .quad 0x0000000000000000 /* 0x20 unused */
5395 -+ .quad 0x0000000000000000 /* 0x28 unused */
5396 -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
5397 -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
5398 -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
5399 -+ .quad 0x0000000000000000 /* 0x4b reserved */
5400 -+ .quad 0x0000000000000000 /* 0x53 reserved */
5401 -+ .quad 0x0000000000000000 /* 0x5b reserved */
5402 -+
5403 -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
5404 -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
5405 -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
5406 -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
5407 -+
5408 -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
5409 -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
5410 -+
5411 -+ /*
5412 -+ * Segments used for calling PnP BIOS have byte granularity.
5413 -+ * The code segments and data segments have fixed 64k limits,
5414 -+ * the transfer segment sizes are set at run time.
5415 -+ */
5416 -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
5417 -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
5418 -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
5419 -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
5420 -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
5421 -+
5422 -+ /*
5423 -+ * The APM segments have byte granularity and their bases
5424 -+ * are set at run time. All have 64k limits.
5425 -+ */
5426 -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
5427 -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
5428 -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
5429 -+
5430 -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
5431 -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
5432 -+ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
5433 -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
5434 -+ .quad 0x0000000000000000 /* 0xf0 - unused */
5435 -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
5436 -+
5437 -+ /* Be sure this is zeroed to avoid false validations in Xen */
5438 -+ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
5439 -+
5440 -+#ifdef CONFIG_SMP
5441 -+ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
5442 -+#endif
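Review bot: the count in `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` mixes units: `GDT_ENTRIES` counts 8-byte descriptors, so after the `GDT_ENTRIES*8` bytes of descriptors this pads `GDT_ENTRIES*7` bytes past the page boundary before the `(NR_CPUS-1) * (PAGE_SIZE_asm)` block. The 64-bit side of the same patch uses `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0`, which is the form to copy (or `PAGE_SIZE_asm - GDT_ENTRIES*8` in byte units). Also comment the descriptor change from `0x00cf9a`/`0x00cf92` to `0x00cf9b`/`0x00cf93`: the extra low bit is the accessed bit, so the CPU never has to write the descriptor on first load, which is what allows the GDT to sit in read-only memory; without the comment it reads like a typo.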
5443 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head64.c linux-2.6.24.4/arch/x86/kernel/head64.c
5444 ---- linux-2.6.24.4/arch/x86/kernel/head64.c 2008-03-24 14:49:18.000000000 -0400
5445 -+++ linux-2.6.24.4/arch/x86/kernel/head64.c 2008-03-26 17:56:55.000000000 -0400
5446 -@@ -24,7 +24,7 @@ static void __init zap_identity_mappings
5447 - {
5448 - pgd_t *pgd = pgd_offset_k(0UL);
5449 - pgd_clear(pgd);
5450 -- __flush_tlb();
5451 -+ __flush_tlb_all();
5452 - }
5453 -
5454 - /* Don't add a printk in there. printk relies on the PDA which is not initialized
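Review bot: `__flush_tlb_all()` in place of `__flush_tlb()` also drops global (PGE) translations; that is the stronger and safer flush for removing the identity mapping that makes NULL dereferences fault, but add a short comment saying the global flush is deliberate so nobody "optimises" it back to `__flush_tlb()`.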
5455 -@@ -56,16 +56,17 @@ void __init x86_64_start_kernel(char * r
5456 - /* Make NULL pointers segfault */
5457 - zap_identity_mappings();
5458 -
5459 -+ for (i = 0; i < NR_CPUS; i++)
5460 -+ cpu_pda(i) = &boot_cpu_pda[i];
5461 -+
5462 -+ pda_init(0);
5463 -+
5464 - for (i = 0; i < IDT_ENTRIES; i++)
5465 - set_intr_gate(i, early_idt_handler);
5466 - load_idt((const struct desc_ptr *)&idt_descr);
5467 -
5468 - early_printk("Kernel alive\n");
5469 -
5470 -- for (i = 0; i < NR_CPUS; i++)
5471 -- cpu_pda(i) = &boot_cpu_pda[i];
5472 --
5473 -- pda_init(0);
5474 - copy_bootdata(__va(real_mode_data));
5475 - #ifdef CONFIG_SMP
5476 - cpu_set(0, cpu_online_map);
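Review bot: good ordering fix: `cpu_pda()`/`pda_init(0)` now run before `set_intr_gate()`/`load_idt()` and before `early_printk("Kernel alive\n")`, which matches the warning in the context above that printk depends on the PDA, and it means the early IDT handler can rely on the PDA (where the x86-64 stack-protector canary lives) if it ever faults. Update the "Don't add a printk in there" comment to reflect that the PDA is now initialised first, or it will mislead the next reader.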
5477 -diff -urNp linux-2.6.24.4/arch/x86/kernel/head_64.S linux-2.6.24.4/arch/x86/kernel/head_64.S
5478 ---- linux-2.6.24.4/arch/x86/kernel/head_64.S 2008-03-24 14:49:18.000000000 -0400
5479 -+++ linux-2.6.24.4/arch/x86/kernel/head_64.S 2008-03-26 17:56:55.000000000 -0400
5480 -@@ -173,6 +173,10 @@ ENTRY(secondary_startup_64)
5481 - btl $20,%edi /* No Execute supported? */
5482 - jnc 1f
5483 - btsl $_EFER_NX, %eax
5484 -+ movq $(init_level4_pgt), %rdi
5485 -+ addq phys_base(%rip), %rdi
5486 -+ btsq $_PAGE_BIT_NX, 8*258(%rdi)
5487 -+ btsq $_PAGE_BIT_NX, 8*388(%rdi)
5488 - 1: wrmsr /* Make changes effective */
5489 -
5490 - /* Setup cr0 */
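Review bot: `8*258(%rdi)` and `8*388(%rdi)` are hard-coded PGD slots that must agree with the `init_level4_pgt` layout further down in this file (entry 258 is the second `level3_ident_pgt` reference, entry 388 the new `level3_vmalloc_pgt`); express them as named offsets or at least comment them as the direct-map and vmalloc entries, because a change to either `.fill` count would silently move the NX bit onto the wrong entry. Guarding the `btsq` stores with the `jnc 1f` above is correct: without NX in EFER, bit 63 of a page-table entry is reserved and would fault.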
5491 -@@ -242,24 +246,25 @@ ENTRY(secondary_startup_64)
5492 - pushq %rax # target address in negative space
5493 - lretq
5494 -
5495 -+bad_address:
5496 -+ jmp bad_address
5497 -+
5498 - /* SMP bootup changes these two */
5499 --#ifndef CONFIG_HOTPLUG_CPU
5500 -- .pushsection .init.data
5501 -+#ifdef CONFIG_HOTPLUG_CPU
5502 -+ __INITDATA_REFOK
5503 -+#else
5504 -+ __INITDATA
5505 - #endif
5506 - .align 8
5507 - .globl initial_code
5508 - initial_code:
5509 - .quad x86_64_start_kernel
5510 --#ifndef CONFIG_HOTPLUG_CPU
5511 -- .popsection
5512 --#endif
5513 -+
5514 - .globl init_rsp
5515 - init_rsp:
5516 - .quad init_thread_union+THREAD_SIZE-8
5517 -
5518 --bad_address:
5519 -- jmp bad_address
5520 --
5521 -+ __INIT
5522 - ENTRY(early_idt_handler)
5523 - cmpl $2,early_recursion_flag(%rip)
5524 - jz 1f
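Review bot: moving `bad_address:` ahead of the data directives is required once `initial_code`/`init_rsp` go under `__INITDATA`, otherwise that spin loop would be assembled into a data section. For CONFIG_HOTPLUG_CPU the hunk replaces "keep these in .data" with `__INITDATA_REFOK`; please confirm in the description that `__INITDATA_REFOK` places the symbols in a section the linker keeps out of freed init memory, because a CPU brought online after init memory is released reads both `initial_code` and `init_rsp`, and a modpost whitelist is not the same thing as the data surviving.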
5525 -@@ -280,9 +285,12 @@ ENTRY(early_idt_handler)
5526 - #endif
5527 - 1: hlt
5528 - jmp 1b
5529 -+
5530 -+ __INITDATA
5531 - early_recursion_flag:
5532 - .long 0
5533 -
5534 -+ .section .rodata,"a",@progbits
5535 - early_idt_msg:
5536 - .asciz "PANIC: early exception rip %lx error %lx cr2 %lx\n"
5537 - early_idt_ripmsg:
5538 -@@ -312,7 +320,9 @@ NEXT_PAGE(init_level4_pgt)
5539 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5540 - .fill 257,8,0
5541 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5542 -- .fill 252,8,0
5543 -+ .fill 129,8,0
5544 -+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
5545 -+ .fill 122,8,0
5546 - /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
5547 - .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
5548 -
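Review bot: the new `.fill 129,8,0` / `.fill 122,8,0` split puts `level3_vmalloc_pgt` at PGD index 1+257+1+129 = 388 and keeps `level3_kernel_pgt` at 511; add an arithmetic comment in the style of the existing `/* (2^48-(2*1024*1024*1024))/(2^39) = 511 */` line so the index can be checked against the vmalloc base, and note that the NX-enable code earlier in this file hard-codes the same 258 and 388 offsets.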
5549 -@@ -320,6 +330,9 @@ NEXT_PAGE(level3_ident_pgt)
5550 - .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
5551 - .fill 511,8,0
5552 -
5553 -+NEXT_PAGE(level3_vmalloc_pgt)
5554 -+ .fill 512,8,0
5555 -+
5556 - NEXT_PAGE(level3_kernel_pgt)
5557 - .fill 510,8,0
5558 - /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
5559 -@@ -355,19 +368,12 @@ NEXT_PAGE(level2_spare_pgt)
5560 - #undef PMDS
5561 - #undef NEXT_PAGE
5562 -
5563 -- .data
5564 - .align 16
5565 - .globl cpu_gdt_descr
5566 - cpu_gdt_descr:
5567 -- .word gdt_end-cpu_gdt_table-1
5568 -+ .word GDT_SIZE-1
5569 - gdt:
5570 - .quad cpu_gdt_table
5571 --#ifdef CONFIG_SMP
5572 -- .rept NR_CPUS-1
5573 -- .word 0
5574 -- .quad 0
5575 -- .endr
5576 --#endif
5577 -
5578 - ENTRY(phys_base)
5579 - /* This must match the first entry in level2_kernel_pgt */
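Review bot: with the `.data` directive removed, `cpu_gdt_descr` is assembled into whatever section the preceding `NEXT_PAGE` page tables occupy; if the intent is to keep the descriptor out of writable data (its size is now the fixed `GDT_SIZE-1`), say so in a comment, and confirm nothing still writes `gdt` at runtime now that the per-CPU `.rept NR_CPUS-1` descriptor slots are gone.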
5580 -@@ -377,8 +383,7 @@ ENTRY(phys_base)
5581 - * IRET will check the segment types kkeil 2000/10/28
5582 - * Also sysret mandates a special GDT layout
5583 - */
5584 --
5585 -- .section .data.page_aligned, "aw"
5586 -+
5587 - .align PAGE_SIZE
5588 -
5589 - /* The TLS descriptors are currently at a different place compared to i386.
5590 -@@ -397,15 +402,15 @@ ENTRY(cpu_gdt_table)
5591 - .quad 0,0 /* LDT */
5592 - .quad 0,0,0 /* three TLS descriptors */
5593 - .quad 0x0000f40000000000 /* node/CPU stored in limit */
5594 --gdt_end:
5595 - /* asm/segment.h:GDT_ENTRIES must match this */
5596 - /* This should be a multiple of the cache line size */
5597 -- /* GDTs of other CPUs are now dynamically allocated */
5598 -
5599 - /* zero the remaining page */
5600 - .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
5601 -+#ifdef CONFIG_SMP
5602 -+ .fill (NR_CPUS-1) * (PAGE_SIZE),1,0 /* other CPU's GDT */
5603 -+#endif
5604 -
5605 -- .section .bss, "aw", @nobits
5606 - .align L1_CACHE_BYTES
5607 - ENTRY(idt_table)
5608 - .skip 256 * 16
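Review bot: removing `.section .bss, "aw", @nobits` means `idt_table` (`.skip 256 * 16`, 4 KiB) no longer lives in BSS but follows the per-CPU GDT pages in the same section; together with the `.section .data.page_aligned, "aw"` dropped two hunks up, this is what lets the GDT and IDT sit in a non-writable mapping, but nothing in the hunk says so. Add a comment at `ENTRY(cpu_gdt_table)` and `ENTRY(idt_table)` naming the section they end up in and that they are modified only through the `pax_open_kernel()`/`pax_close_kernel()` pair used elsewhere in this patch. The `(NR_CPUS-1) * (PAGE_SIZE)` fill relies on the preceding `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` padding the first GDT to exactly one page; that pairing is correct here.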
5609 -diff -urNp linux-2.6.24.4/arch/x86/kernel/hpet.c linux-2.6.24.4/arch/x86/kernel/hpet.c
5610 ---- linux-2.6.24.4/arch/x86/kernel/hpet.c 2008-03-24 14:49:18.000000000 -0400
5611 -+++ linux-2.6.24.4/arch/x86/kernel/hpet.c 2008-03-26 17:56:55.000000000 -0400
5612 -@@ -137,7 +137,7 @@ static void hpet_reserve_platform_timers
5613 - hd.hd_irq[1] = HPET_LEGACY_RTC;
5614 -
5615 - for (i = 2; i < nrtimers; timer++, i++)
5616 -- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
5617 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
5618 - Tn_INT_ROUTE_CNF_SHIFT;
5619 -
5620 - hpet_alloc(&hd);
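Review bot: replacing the plain dereference `timer->hpet_config` with `readl(&timer->hpet_config)` is the correct way to read this MMIO register (the timer struct is a view of the ioremapped HPET block, so a plain load is not guaranteed to be a single ordered 32-bit access); mention in the description that this is a standalone correctness fix rather than part of the hardening, and check that the other `hpet_config` reads in this file get the same treatment.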
5621 -diff -urNp linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c
5622 ---- linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c 2008-03-24 14:49:18.000000000 -0400
5623 -+++ linux-2.6.24.4/arch/x86/kernel/i386_ksyms_32.c 2008-03-26 17:56:55.000000000 -0400
5624 -@@ -4,12 +4,16 @@
5625 - #include <asm/desc.h>
5626 - #include <asm/pgtable.h>
5627 -
5628 -+EXPORT_SYMBOL_GPL(cpu_gdt_table);
5629 -+
5630 - EXPORT_SYMBOL(__down_failed);
5631 - EXPORT_SYMBOL(__down_failed_interruptible);
5632 - EXPORT_SYMBOL(__down_failed_trylock);
5633 - EXPORT_SYMBOL(__up_wakeup);
5634 - /* Networking helper routines. */
5635 - EXPORT_SYMBOL(csum_partial_copy_generic);
5636 -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
5637 -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
5638 -
5639 - EXPORT_SYMBOL(__get_user_1);
5640 - EXPORT_SYMBOL(__get_user_2);
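Review bot: `EXPORT_SYMBOL_GPL(cpu_gdt_table)` hands modules the address of the per-CPU GDT array that the rest of this patch works to keep read-only; add a comment naming the in-tree module that needs it (nothing in this excerpt uses it from module context) so the export can be dropped when that user goes away. The new `csum_partial_copy_generic_to_user`/`_from_user` exports follow the existing plain `EXPORT_SYMBOL` of `csum_partial_copy_generic`, which is consistent.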
5641 -@@ -31,3 +35,7 @@ EXPORT_SYMBOL(__read_lock_failed);
5642 -
5643 - EXPORT_SYMBOL(csum_partial);
5644 - EXPORT_SYMBOL(empty_zero_page);
5645 -+
5646 -+#ifdef CONFIG_PAX_KERNEXEC
5647 -+EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
5648 -+#endif
5649 -diff -urNp linux-2.6.24.4/arch/x86/kernel/init_task.c linux-2.6.24.4/arch/x86/kernel/init_task.c
5650 ---- linux-2.6.24.4/arch/x86/kernel/init_task.c 2008-03-24 14:49:18.000000000 -0400
5651 -+++ linux-2.6.24.4/arch/x86/kernel/init_task.c 2008-03-26 17:56:55.000000000 -0400
5652 -@@ -43,5 +43,4 @@ EXPORT_SYMBOL(init_task);
5653 - * section. Since TSS's are completely CPU-local, we want them
5654 - * on exact cacheline boundaries, to eliminate cacheline ping-pong.
5655 - */
5656 --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
5657 --
5658 -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
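Review bot: turning `init_tss` from a per-cpu variable into `struct tss_struct init_tss[NR_CPUS]` changes every access site: the ioport_32.c/ioport_64.c hunks in this patch switch to `init_tss + get_cpu()`, but any remaining `per_cpu(init_tss, ...)` or `__get_cpu_var(init_tss)` user outside this excerpt will fail to compile, so grep for them. Note also that the array is sized by `NR_CPUS`, not by the number of possible CPUs, so the full set of TSSs is always allocated.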
5659 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ioport_32.c linux-2.6.24.4/arch/x86/kernel/ioport_32.c
5660 ---- linux-2.6.24.4/arch/x86/kernel/ioport_32.c 2008-03-24 14:49:18.000000000 -0400
5661 -+++ linux-2.6.24.4/arch/x86/kernel/ioport_32.c 2008-03-26 17:56:55.000000000 -0400
5662 -@@ -14,6 +14,7 @@
5663 - #include <linux/slab.h>
5664 - #include <linux/thread_info.h>
5665 - #include <linux/syscalls.h>
5666 -+#include <linux/grsecurity.h>
5667 -
5668 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
5669 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
5670 -@@ -62,9 +63,16 @@ asmlinkage long sys_ioperm(unsigned long
5671 -
5672 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
5673 - return -EINVAL;
5674 -+#ifdef CONFIG_GRKERNSEC_IO
5675 -+ if (turn_on) {
5676 -+ gr_handle_ioperm();
5677 -+#else
5678 - if (turn_on && !capable(CAP_SYS_RAWIO))
5679 -+#endif
5680 - return -EPERM;
5681 --
5682 -+#ifdef CONFIG_GRKERNSEC_IO
5683 -+ }
5684 -+#endif
5685 - /*
5686 - * If it's the first ioperm() call in this thread's lifetime, set the
5687 - * IO bitmap up. ioperm() is much less timing critical than clone(),
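Review bot: opening `if (turn_on) {` and closing `}` inside two separate `#ifdef CONFIG_GRKERNSEC_IO` blocks, with the `return -EPERM;` shared by both branches, is hard to read and easy to break on the next edit; write both variants in full inside one `#ifdef`/`#else`/`#endif`. Semantically the GRKERNSEC_IO branch denies every `turn_on` request regardless of `CAP_SYS_RAWIO` after calling `gr_handle_ioperm()` for logging, while requests that only clear bits still go through; the `-EINVAL` range check stays first, so malformed ranges are rejected without being logged as a denied attempt, which is the right order.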
5688 -@@ -87,7 +95,7 @@ asmlinkage long sys_ioperm(unsigned long
5689 - * because the ->io_bitmap_max value must match the bitmap
5690 - * contents:
5691 - */
5692 -- tss = &per_cpu(init_tss, get_cpu());
5693 -+ tss = init_tss + get_cpu();
5694 -
5695 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
5696 -
5697 -@@ -141,8 +149,13 @@ asmlinkage long sys_iopl(unsigned long u
5698 - return -EINVAL;
5699 - /* Trying to gain more privileges? */
5700 - if (level > old) {
5701 -+#ifdef CONFIG_GRKERNSEC_IO
5702 -+ gr_handle_iopl();
5703 -+ return -EPERM;
5704 -+#else
5705 - if (!capable(CAP_SYS_RAWIO))
5706 - return -EPERM;
5707 -+#endif
5708 - }
5709 - t->iopl = level << 12;
5710 - regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
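Review bot: under CONFIG_GRKERNSEC_IO the `level > old` branch now always returns `-EPERM` after `gr_handle_iopl()`, so raising IOPL is refused even with `CAP_SYS_RAWIO`, while lowering it still succeeds and `t->iopl`/`regs->eflags` are updated below; state that asymmetry in a comment next to the `#ifdef`, because the unconditional `return` inside an `if` that looks like a permission check is easy to misread as a missing condition.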
5711 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ioport_64.c linux-2.6.24.4/arch/x86/kernel/ioport_64.c
5712 ---- linux-2.6.24.4/arch/x86/kernel/ioport_64.c 2008-03-24 14:49:18.000000000 -0400
5713 -+++ linux-2.6.24.4/arch/x86/kernel/ioport_64.c 2008-03-26 17:56:55.000000000 -0400
5714 -@@ -14,6 +14,7 @@
5715 - #include <linux/slab.h>
5716 - #include <linux/thread_info.h>
5717 - #include <linux/syscalls.h>
5718 -+#include <linux/grsecurity.h>
5719 -
5720 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
5721 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
5722 -@@ -39,8 +40,17 @@ asmlinkage long sys_ioperm(unsigned long
5723 -
5724 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
5725 - return -EINVAL;
5726 -+
5727 -+#ifdef CONFIG_GRKERNSEC_IO
5728 -+ if (turn_on) {
5729 -+ gr_handle_ioperm();
5730 -+#else
5731 - if (turn_on && !capable(CAP_SYS_RAWIO))
5732 -+#endif
5733 - return -EPERM;
5734 -+#ifdef CONFIG_GRKERNSEC_IO
5735 -+ }
5736 -+#endif
5737 -
5738 - /*
5739 - * If it's the first ioperm() call in this thread's lifetime, set the
5740 -@@ -64,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
5741 - * because the ->io_bitmap_max value must match the bitmap
5742 - * contents:
5743 - */
5744 -- tss = &per_cpu(init_tss, get_cpu());
5745 -+ tss = init_tss + get_cpu();
5746 -
5747 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
5748 -
5749 -@@ -109,8 +119,13 @@ asmlinkage long sys_iopl(unsigned int le
5750 - return -EINVAL;
5751 - /* Trying to gain more privileges? */
5752 - if (level > old) {
5753 -+#ifdef CONFIG_GRKERNSEC_IO
5754 -+ gr_handle_iopl();
5755 -+ return -EPERM;
5756 -+#else
5757 - if (!capable(CAP_SYS_RAWIO))
5758 - return -EPERM;
5759 -+#endif
5760 - }
5761 - regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
5762 - return 0;
5763 -diff -urNp linux-2.6.24.4/arch/x86/kernel/irq_32.c linux-2.6.24.4/arch/x86/kernel/irq_32.c
5764 ---- linux-2.6.24.4/arch/x86/kernel/irq_32.c 2008-03-24 14:49:18.000000000 -0400
5765 -+++ linux-2.6.24.4/arch/x86/kernel/irq_32.c 2008-03-26 17:56:55.000000000 -0400
5766 -@@ -115,7 +115,7 @@ fastcall unsigned int do_IRQ(struct pt_r
5767 - int arg1, arg2, ebx;
5768 -
5769 - /* build the stack frame on the IRQ stack */
5770 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
5771 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
5772 - irqctx->tinfo.task = curctx->tinfo.task;
5773 - irqctx->tinfo.previous_esp = current_stack_pointer;
5774 -
5775 -@@ -211,7 +211,7 @@ asmlinkage void do_softirq(void)
5776 - irqctx->tinfo.previous_esp = current_stack_pointer;
5777 -
5778 - /* build the stack frame on the softirq stack */
5779 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
5780 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
5781 -
5782 - asm volatile(
5783 - " xchgl %%ebx,%%esp \n"
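Review bot: the same `- 8` is now applied when building the frame on the IRQ stack (previous hunk) and on the softirq stack, and the head_32.S hunk in this patch initialises `stack_start` with `init_thread_union+THREAD_SIZE-8`; three copies of a magic offset with no comment will drift, so define one constant for the reserved 8 bytes at the top of every kernel stack and say what occupies them.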
5784 -diff -urNp linux-2.6.24.4/arch/x86/kernel/kprobes_32.c linux-2.6.24.4/arch/x86/kernel/kprobes_32.c
5785 ---- linux-2.6.24.4/arch/x86/kernel/kprobes_32.c 2008-03-24 14:49:18.000000000 -0400
5786 -+++ linux-2.6.24.4/arch/x86/kernel/kprobes_32.c 2008-03-26 17:56:55.000000000 -0400
5787 -@@ -55,9 +55,24 @@ static __always_inline void set_jmp_op(v
5788 - char op;
5789 - long raddr;
5790 - } __attribute__((packed)) *jop;
5791 -- jop = (struct __arch_jmp_op *)from;
5792 -+
5793 -+#ifdef CONFIG_PAX_KERNEXEC
5794 -+ unsigned long cr0;
5795 -+#endif
5796 -+
5797 -+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
5798 -+
5799 -+#ifdef CONFIG_PAX_KERNEXEC
5800 -+ pax_open_kernel(cr0);
5801 -+#endif
5802 -+
5803 - jop->raddr = (long)(to) - ((long)(from) + 5);
5804 - jop->op = RELATIVEJUMP_INSTRUCTION;
5805 -+
5806 -+#ifdef CONFIG_PAX_KERNEXEC
5807 -+ pax_close_kernel(cr0);
5808 -+#endif
5809 -+
5810 - }
5811 -
5812 - /*
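Review bot: the store goes through `ktla_ktva(from)` while `raddr` is still computed from the original `from` and `to`; that split is deliberate, since the displacement must be relative to the address the CPU executes, not the writable alias, but it deserves a one-line comment because it looks like an oversight. Keeping the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` window to just the two stores is the right granularity.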
5813 -@@ -159,14 +174,28 @@ static int __kprobes is_IF_modifier(kpro
5814 -
5815 - int __kprobes arch_prepare_kprobe(struct kprobe *p)
5816 - {
5817 -+
5818 -+#ifdef CONFIG_PAX_KERNEXEC
5819 -+ unsigned long cr0;
5820 -+#endif
5821 -+
5822 - /* insn: must be on special executable page on i386. */
5823 - p->ainsn.insn = get_insn_slot();
5824 - if (!p->ainsn.insn)
5825 - return -ENOMEM;
5826 -
5827 -- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
5828 -- p->opcode = *p->addr;
5829 -- if (can_boost(p->addr)) {
5830 -+#ifdef CONFIG_PAX_KERNEXEC
5831 -+ pax_open_kernel(cr0);
5832 -+#endif
5833 -+
5834 -+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
5835 -+
5836 -+#ifdef CONFIG_PAX_KERNEXEC
5837 -+ pax_close_kernel(cr0);
5838 -+#endif
5839 -+
5840 -+ p->opcode = *(ktla_ktva(p->addr));
5841 -+ if (can_boost(ktla_ktva(p->addr))) {
5842 - p->ainsn.boostable = 0;
5843 - } else {
5844 - p->ainsn.boostable = -1;
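Review bot: `p->addr` is now read through `ktla_ktva()` at all three sites (`memcpy`, `p->opcode`, `can_boost`) and the `pax_open_kernel` window wraps only the `memcpy` into the instruction slot; add a comment that `p->ainsn.insn` lives in the executable slot area, which is read-only under KERNEXEC (hence the open/close), while the reads need the alias because under KERNEXEC kernel text is reached through a different address for data access than for execution (that is what the `ktla_ktva`/`ktva_ktla` pair encodes). The stray blank line after `{` can go.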
5845 -@@ -225,7 +254,7 @@ static void __kprobes prepare_singlestep
5846 - if (p->opcode == BREAKPOINT_INSTRUCTION)
5847 - regs->eip = (unsigned long)p->addr;
5848 - else
5849 -- regs->eip = (unsigned long)p->ainsn.insn;
5850 -+ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
5851 - }
5852 -
5853 - /* Called with kretprobe_lock held */
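Review bot: `regs->eip = ktva_ktla((unsigned long)p->ainsn.insn)` is repeated verbatim here, in the `ss_probe` boost path and in `resume_execution`; factor it into a small helper so a future site that assigns `p->ainsn.insn` to `eip` cannot forget the alias conversion, since single-stepping from the data alias would be a hard-to-diagnose fault.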
5854 -@@ -331,7 +360,7 @@ ss_probe:
5855 - if (p->ainsn.boostable == 1 && !p->post_handler){
5856 - /* Boost up -- we can execute copied instructions directly */
5857 - reset_current_kprobe();
5858 -- regs->eip = (unsigned long)p->ainsn.insn;
5859 -+ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
5860 - preempt_enable_no_resched();
5861 - return 1;
5862 - }
5863 -@@ -481,7 +510,7 @@ static void __kprobes resume_execution(s
5864 - struct pt_regs *regs, struct kprobe_ctlblk *kcb)
5865 - {
5866 - unsigned long *tos = (unsigned long *)&regs->esp;
5867 -- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
5868 -+ unsigned long copy_eip = ktva_ktla((unsigned long)p->ainsn.insn);
5869 - unsigned long orig_eip = (unsigned long)p->addr;
5870 -
5871 - regs->eflags &= ~TF_MASK;
5872 -@@ -655,7 +684,7 @@ int __kprobes kprobe_exceptions_notify(s
5873 - struct die_args *args = (struct die_args *)data;
5874 - int ret = NOTIFY_DONE;
5875 -
5876 -- if (args->regs && user_mode_vm(args->regs))
5877 -+ if (args->regs && user_mode(args->regs))
5878 - return ret;
5879 -
5880 - switch (val) {
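Review bot: `user_mode_vm()` also treats vm86-mode frames as user mode, so switching to `user_mode()` means a notification from a vm86 frame no longer returns early here. If this patch disables vm86 elsewhere, say so in a comment; otherwise this is a behaviour change that needs a justification rather than a silent rename.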
5881 -diff -urNp linux-2.6.24.4/arch/x86/kernel/kprobes_64.c linux-2.6.24.4/arch/x86/kernel/kprobes_64.c
5882 ---- linux-2.6.24.4/arch/x86/kernel/kprobes_64.c 2008-03-24 14:49:18.000000000 -0400
5883 -+++ linux-2.6.24.4/arch/x86/kernel/kprobes_64.c 2008-03-26 17:56:55.000000000 -0400
5884 -@@ -190,7 +190,19 @@ static s32 __kprobes *is_riprel(u8 *insn
5885 - static void __kprobes arch_copy_kprobe(struct kprobe *p)
5886 - {
5887 - s32 *ripdisp;
5888 -+
5889 -+#ifdef CONFIG_PAX_KERNEXEC
5890 -+ unsigned long cr0;
5891 -+
5892 -+ pax_open_kernel(cr0);
5893 -+#endif
5894 -+
5895 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE);
5896 -+
5897 -+#ifdef CONFIG_PAX_KERNEXEC
5898 -+ pax_close_kernel(cr0);
5899 -+#endif
5900 -+
5901 - ripdisp = is_riprel(p->ainsn.insn);
5902 - if (ripdisp) {
5903 - /*
5904 -@@ -208,7 +220,17 @@ static void __kprobes arch_copy_kprobe(s
5905 - */
5906 - s64 disp = (u8 *) p->addr + *ripdisp - (u8 *) p->ainsn.insn;
5907 - BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
5908 -+
5909 -+#ifdef CONFIG_PAX_KERNEXEC
5910 -+ pax_open_kernel(cr0);
5911 -+#endif
5912 -+
5913 - *ripdisp = disp;
5914 -+
5915 -+#ifdef CONFIG_PAX_KERNEXEC
5916 -+ pax_close_kernel(cr0);
5917 -+#endif
5918 -+
5919 - }
5920 - p->opcode = *p->addr;
5921 - }
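Review bot: `cr0` is declared in the earlier hunk of this function and reused for a second `pax_open_kernel`/`pax_close_kernel` pair around `*ripdisp = disp;`; two windows are fine for a one-word store, but a comment that `p->ainsn.insn` sits in read-only executable memory under KERNEXEC (which is why writing to a freshly allocated slot needs the helper at all) would explain both at once.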
5922 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ldt_32.c linux-2.6.24.4/arch/x86/kernel/ldt_32.c
5923 ---- linux-2.6.24.4/arch/x86/kernel/ldt_32.c 2008-03-24 14:49:18.000000000 -0400
5924 -+++ linux-2.6.24.4/arch/x86/kernel/ldt_32.c 2008-03-26 17:56:55.000000000 -0400
5925 -@@ -56,7 +56,7 @@ static int alloc_ldt(mm_context_t *pc, i
5926 - #ifdef CONFIG_SMP
5927 - cpumask_t mask;
5928 - preempt_disable();
5929 -- load_LDT(pc);
5930 -+ load_LDT_nolock(pc);
5931 - mask = cpumask_of_cpu(smp_processor_id());
5932 - if (!cpus_equal(current->mm->cpu_vm_mask, mask))
5933 - smp_call_function(flush_ldt, NULL, 1, 1);
5934 -@@ -100,6 +100,22 @@ int init_new_context(struct task_struct
5935 - retval = copy_ldt(&mm->context, &old_mm->context);
5936 - mutex_unlock(&old_mm->context.lock);
5937 - }
5938 -+
5939 -+ if (tsk == current) {
5940 -+ mm->context.vdso = ~0UL;
5941 -+
5942 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
5943 -+ mm->context.user_cs_base = 0UL;
5944 -+ mm->context.user_cs_limit = ~0UL;
5945 -+
5946 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
5947 -+ cpus_clear(mm->context.cpu_user_cs_mask);
5948 -+#endif
5949 -+
5950 -+#endif
5951 -+
5952 -+ }
5953 -+
5954 - return retval;
5955 - }
5956 -
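Review bot: the `tsk == current` guard needs a comment: it selects the exec path (a fresh mm for the calling task) and skips the fork path, where the child's mm is a copy of the parent's and these fields are inherited; without that explanation a reader will assume the fields are sometimes left uninitialised. Resetting `user_cs_base`/`user_cs_limit` to the full range and clearing `cpu_user_cs_mask` on exec is the conservative default.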
5957 -@@ -210,6 +226,13 @@ static int write_ldt(void __user * ptr,
5958 - }
5959 - }
5960 -
5961 -+#ifdef CONFIG_PAX_SEGMEXEC
5962 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
5963 -+ error = -EINVAL;
5964 -+ goto out_unlock;
5965 -+ }
5966 -+#endif
5967 -+
5968 - entry_1 = LDT_entry_a(&ldt_info);
5969 - entry_2 = LDT_entry_b(&ldt_info);
5970 - if (oldmode)
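Review bot: rejecting `MODIFY_LDT_CONTENTS_CODE` entries for SEGMEXEC tasks is placed correctly (after the descriptor is validated, before `LDT_entry_a`/`LDT_entry_b` are computed, and via the existing `out_unlock` path); add a comment explaining why: a user-installed code segment in the LDT would undermine the split code/data address space that SEGMEXEC relies on. `-EINVAL` is defensible, but consider `-EPERM` if user space should be able to tell "refused by policy" from "malformed".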
5971 -diff -urNp linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c
5972 ---- linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c 2008-03-24 14:49:18.000000000 -0400
5973 -+++ linux-2.6.24.4/arch/x86/kernel/machine_kexec_32.c 2008-03-26 17:56:55.000000000 -0400
5974 -@@ -30,25 +30,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
5975 - static u32 kexec_pte0[1024] PAGE_ALIGNED;
5976 - static u32 kexec_pte1[1024] PAGE_ALIGNED;
5977 -
5978 --static void set_idt(void *newidt, __u16 limit)
5979 -+static void set_idt(struct desc_struct *newidt, __u16 limit)
5980 - {
5981 - struct Xgt_desc_struct curidt;
5982 -
5983 - /* ia32 supports unaliged loads & stores */
5984 - curidt.size = limit;
5985 -- curidt.address = (unsigned long)newidt;
5986 -+ curidt.address = newidt;
5987 -
5988 - load_idt(&curidt);
5989 - };
5990 -
5991 -
5992 --static void set_gdt(void *newgdt, __u16 limit)
5993 -+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
5994 - {
5995 - struct Xgt_desc_struct curgdt;
5996 -
5997 - /* ia32 supports unaligned loads & stores */
5998 - curgdt.size = limit;
5999 -- curgdt.address = (unsigned long)newgdt;
6000 -+ curgdt.address = newgdt;
6001 -
6002 - load_gdt(&curgdt);
6003 - };
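Review bot: dropping the `(unsigned long)` cast and assigning `curidt.address = newidt` (likewise `curgdt.address = newgdt`) only compiles if `struct Xgt_desc_struct.address` has been changed to `struct desc_struct *` in the header, which is outside this excerpt; the `set_idt`/`set_gdt` signature change should mention that dependency. The `unaliged` typo in the context line can be fixed while here.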
6004 -@@ -111,10 +111,10 @@ NORET_TYPE void machine_kexec(struct kim
6005 - local_irq_disable();
6006 -
6007 - control_page = page_address(image->control_code_page);
6008 -- memcpy(control_page, relocate_kernel, PAGE_SIZE);
6009 -+ memcpy(control_page, ktla_ktva(relocate_kernel), PAGE_SIZE);
6010 -
6011 - page_list[PA_CONTROL_PAGE] = __pa(control_page);
6012 -- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
6013 -+ page_list[VA_CONTROL_PAGE] = ktla_ktva((unsigned long)relocate_kernel);
6014 - page_list[PA_PGD] = __pa(kexec_pgd);
6015 - page_list[VA_PGD] = (unsigned long)kexec_pgd;
6016 - #ifdef CONFIG_X86_PAE
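Review bot: both the `memcpy` source and `page_list[VA_CONTROL_PAGE]` now use `ktla_ktva(relocate_kernel)`; the first is clearly right (the copy must read the code through the data alias), but `VA_CONTROL_PAGE` is the virtual address the relocation stub is mapped at and jumped to under the kexec page tables, so please confirm that it should be the data alias rather than the execution address, and add a comment either way.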
6017 -diff -urNp linux-2.6.24.4/arch/x86/kernel/Makefile_64 linux-2.6.24.4/arch/x86/kernel/Makefile_64
6018 ---- linux-2.6.24.4/arch/x86/kernel/Makefile_64 2008-03-24 14:49:18.000000000 -0400
6019 -+++ linux-2.6.24.4/arch/x86/kernel/Makefile_64 2008-03-26 17:56:55.000000000 -0400
6020 -@@ -42,4 +42,6 @@ obj-$(CONFIG_PCI) += early-quirks.o
6021 - obj-y += topology.o
6022 - obj-y += pcspeaker.o
6023 -
6024 --CFLAGS_vsyscall_64.o := $(PROFILING) -g0
6025 -+CFLAGS_vsyscall_64.o := $(PROFILING) -g0 -fno-stack-protector
6026 -+CFLAGS_hpet.o := -fno-stack-protector
6027 -+CFLAGS_tsc_64.o := -fno-stack-protector
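Review bot: `-fno-stack-protector` is added for `hpet.o` and `tsc_64.o` alongside `vsyscall_64.o` with no comment; record why each file needs it (code linked into the vsyscall page runs in user context, where the `%gs`-based canary is not valid), because someone adding a function to these files needs to know the constraint and the Makefile gives no hint of it.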
6028 -diff -urNp linux-2.6.24.4/arch/x86/kernel/module_32.c linux-2.6.24.4/arch/x86/kernel/module_32.c
6029 ---- linux-2.6.24.4/arch/x86/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
6030 -+++ linux-2.6.24.4/arch/x86/kernel/module_32.c 2008-03-26 17:56:55.000000000 -0400
6031 -@@ -23,6 +23,8 @@
6032 - #include <linux/kernel.h>
6033 - #include <linux/bug.h>
6034 -
6035 -+#include <asm/desc.h>
6036 -+
6037 - #if 0
6038 - #define DEBUGP printk
6039 - #else
6040 -@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
6041 - {
6042 - if (size == 0)
6043 - return NULL;
6044 -+
6045 -+#ifdef CONFIG_PAX_KERNEXEC
6046 -+ return vmalloc(size);
6047 -+#else
6048 - return vmalloc_exec(size);
6049 -+#endif
6050 -+
6051 - }
6052 -
6053 -+#ifdef CONFIG_PAX_KERNEXEC
6054 -+void *module_alloc_exec(unsigned long size)
6055 -+{
6056 -+ struct vm_struct *area;
6057 -+
6058 -+ if (size == 0)
6059 -+ return NULL;
6060 -+
6061 -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
6062 -+ if (area)
6063 -+ return area->addr;
6064 -+
6065 -+ return NULL;
6066 -+}
6067 -+#endif
6068 -
6069 - /* Free memory returned from module_alloc */
6070 - void module_free(struct module *mod, void *module_region)
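Review bot: `module_alloc_exec()` reserves a `vm_struct` between `MODULES_VADDR` and `MODULES_END` with `__get_vm_area()` but never maps pages into it, returning `area->addr` directly; that only works if the whole module-exec window is already mapped (the later `module_free_exec()` does `memset(tmp->addr, 0xCC, ...)` on it, which confirms the pages are expected to exist), so document that contract at the top of the function. The `&MODULES_VADDR`/`&MODULES_END` spelling shows these are linker symbols rather than constants, which is worth a comment too.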
6071 -@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
6072 - table entries. */
6073 - }
6074 -
6075 -+#ifdef CONFIG_PAX_KERNEXEC
6076 -+void module_free_exec(struct module *mod, void *module_region)
6077 -+{
6078 -+ struct vm_struct **p, *tmp;
6079 -+
6080 -+ if (!module_region)
6081 -+ return;
6082 -+
6083 -+ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
6084 -+ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
6085 -+ WARN_ON(1);
6086 -+ return;
6087 -+ }
6088 -+
6089 -+ write_lock(&vmlist_lock);
6090 -+ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
6091 -+ if (tmp->addr == module_region)
6092 -+ break;
6093 -+
6094 -+ if (tmp) {
6095 -+ unsigned long cr0;
6096 -+
6097 -+ pax_open_kernel(cr0);
6098 -+ memset(tmp->addr, 0xCC, tmp->size);
6099 -+ pax_close_kernel(cr0);
6100 -+
6101 -+ *p = tmp->next;
6102 -+ kfree(tmp);
6103 -+ }
6104 -+ write_unlock(&vmlist_lock);
6105 -+
6106 -+ if (!tmp) {
6107 -+ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
6108 -+ module_region);
6109 -+ WARN_ON(1);
6110 -+ }
6111 -+}
6112 -+#endif
6113 -+
6114 - /* We don't need anything special. */
6115 - int module_frob_arch_sections(Elf_Ehdr *hdr,
6116 - Elf_Shdr *sechdrs,
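Review bot: filling freed module text with `0xCC` (int3) before unlinking the `vm_struct` is a good defensive touch: a stale pointer into freed code traps instead of running whatever lands there next. Two checks: `tmp->size` includes the vmalloc guard page, so the `memset` covers that page as well, which is safe only if the guard page inside the module-exec window is mapped like the rest; and the `pax_open_kernel()`/`memset`/`pax_close_kernel()` sequence runs under `write_lock(&vmlist_lock)`, so a large module makes that a long spinlock hold.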
6117 -@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
6118 - unsigned int i;
6119 - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
6120 - Elf32_Sym *sym;
6121 -- uint32_t *location;
6122 -+ uint32_t *plocation, location;
6123 -+
6124 -+#ifdef CONFIG_PAX_KERNEXEC
6125 -+ unsigned long cr0;
6126 -+#endif
6127 -
6128 - DEBUGP("Applying relocate section %u to %u\n", relsec,
6129 - sechdrs[relsec].sh_info);
6130 - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
6131 - /* This is where to make the change */
6132 -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
6133 -- + rel[i].r_offset;
6134 -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
6135 -+ location = (uint32_t)plocation;
6136 -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
6137 -+ plocation = ktla_ktva((void *)plocation);
6138 - /* This is the symbol it is referring to. Note that all
6139 - undefined symbols have been resolved. */
6140 - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
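Review bot: capturing `location = (uint32_t)plocation` before the `SHF_EXECINSTR` alias conversion is what keeps `R_386_PC32` correct (the PC-relative value must use the address the code executes from, while the store goes through the `ktla_ktva` alias); say so in the comment, since the two variables differ by one letter and the distinction is easy to lose. The `ktla_ktva((void *)plocation)` cast suggests the macro takes `void *`, so the assignment back to `uint32_t *plocation` relies on the implicit conversion; fine in C, but worth a note.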
6141 -@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
6142 -
6143 - switch (ELF32_R_TYPE(rel[i].r_info)) {
6144 - case R_386_32:
6145 -+
6146 -+#ifdef CONFIG_PAX_KERNEXEC
6147 -+ pax_open_kernel(cr0);
6148 -+#endif
6149 -+
6150 - /* We add the value into the location given */
6151 -- *location += sym->st_value;
6152 -+ *plocation += sym->st_value;
6153 -+
6154 -+#ifdef CONFIG_PAX_KERNEXEC
6155 -+ pax_close_kernel(cr0);
6156 -+#endif
6157 -+
6158 - break;
6159 - case R_386_PC32:
6160 -+
6161 -+#ifdef CONFIG_PAX_KERNEXEC
6162 -+ pax_open_kernel(cr0);
6163 -+#endif
6164 -+
6165 - /* Add the value, subtract its postition */
6166 -- *location += sym->st_value - (uint32_t)location;
6167 -+ *plocation += sym->st_value - location;
6168 -+
6169 -+#ifdef CONFIG_PAX_KERNEXEC
6170 -+ pax_close_kernel(cr0);
6171 -+#endif
6172 -+
6173 - break;
6174 - default:
6175 - printk(KERN_ERR "module %s: Unknown relocation: %u\n",
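Review bot: the `pax_open_kernel`/`pax_close_kernel` pairs are duplicated in the `R_386_32` and `R_386_PC32` cases and executed once per relocation; hoist them around the `switch` (or the whole loop) unless the window must stay per-store, and say which in a comment, since a module with tens of thousands of relocations toggles the protection that many times. The `postition` typo in the context line can be fixed while here.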
6176 -diff -urNp linux-2.6.24.4/arch/x86/kernel/module_64.c linux-2.6.24.4/arch/x86/kernel/module_64.c
6177 ---- linux-2.6.24.4/arch/x86/kernel/module_64.c 2008-03-24 14:49:18.000000000 -0400
6178 -+++ linux-2.6.24.4/arch/x86/kernel/module_64.c 2008-03-26 17:56:55.000000000 -0400
6179 -@@ -39,7 +39,7 @@ void module_free(struct module *mod, voi
6180 - table entries. */
6181 - }
6182 -
6183 --void *module_alloc(unsigned long size)
6184 -+static void *__module_alloc(unsigned long size, pgprot_t prot)
6185 - {
6186 - struct vm_struct *area;
6187 -
6188 -@@ -53,8 +53,31 @@ void *module_alloc(unsigned long size)
6189 - if (!area)
6190 - return NULL;
6191 -
6192 -- return __vmalloc_area(area, GFP_KERNEL, PAGE_KERNEL_EXEC);
6193 -+ return __vmalloc_area(area, GFP_KERNEL | __GFP_ZERO, prot);
6194 -+}
6195 -+
6196 -+#ifdef CONFIG_PAX_KERNEXEC
6197 -+void *module_alloc(unsigned long size)
6198 -+{
6199 -+ return __module_alloc(size, PAGE_KERNEL);
6200 -+}
6201 -+
6202 -+void module_free_exec(struct module *mod, void *module_region)
6203 -+{
6204 -+ module_free(mod, module_region);
6205 -+}
6206 -+
6207 -+void *module_alloc_exec(unsigned long size)
6208 -+{
6209 -+ return __module_alloc(size, PAGE_KERNEL_RX);
6210 - }
6211 -+#else
6212 -+void *module_alloc(unsigned long size)
6213 -+{
6214 -+ return __module_alloc(size, PAGE_KERNEL_EXEC);
6215 -+}
6216 -+#endif
6217 -+
6218 - #endif
6219 -
6220 - /* We don't need anything special. */
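Review bot: `__GFP_ZERO` is added to the __vmalloc_area() call in the shared helper, so even the non-KERNEXEC build now zeroes module memory; that is a behaviour change independent of the new `prot` parameter and should be called out in the changelog. The `module_free_exec()` wrapper that just calls module_free() could also use a one-line comment saying that under this config the RX region is a normal vmalloc area and needs no special teardown.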
6221 -@@ -76,7 +99,11 @@ int apply_relocate_add(Elf64_Shdr *sechd
6222 - Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
6223 - Elf64_Sym *sym;
6224 - void *loc;
6225 -- u64 val;
6226 -+ u64 val;
6227 -+
6228 -+#ifdef CONFIG_PAX_KERNEXEC
6229 -+ unsigned long cr0;
6230 -+#endif
6231 -
6232 - DEBUGP("Applying relocate section %u to %u\n", relsec,
6233 - sechdrs[relsec].sh_info);
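Review bot: the `- u64 val;` / `+ u64 val;` pair is a whitespace-only change (the declaration itself is unchanged); drop it so this hunk carries only the new `cr0` declaration under CONFIG_PAX_KERNEXEC.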
6234 -@@ -100,21 +127,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
6235 - case R_X86_64_NONE:
6236 - break;
6237 - case R_X86_64_64:
6238 -+
6239 -+#ifdef CONFIG_PAX_KERNEXEC
6240 -+ pax_open_kernel(cr0);
6241 -+#endif
6242 -+
6243 - *(u64 *)loc = val;
6244 -+
6245 -+#ifdef CONFIG_PAX_KERNEXEC
6246 -+ pax_close_kernel(cr0);
6247 -+#endif
6248 -+
6249 - break;
6250 - case R_X86_64_32:
6251 -+
6252 -+#ifdef CONFIG_PAX_KERNEXEC
6253 -+ pax_open_kernel(cr0);
6254 -+#endif
6255 -+
6256 - *(u32 *)loc = val;
6257 -+
6258 -+#ifdef CONFIG_PAX_KERNEXEC
6259 -+ pax_close_kernel(cr0);
6260 -+#endif
6261 -+
6262 - if (val != *(u32 *)loc)
6263 - goto overflow;
6264 - break;
6265 - case R_X86_64_32S:
6266 -+
6267 -+#ifdef CONFIG_PAX_KERNEXEC
6268 -+ pax_open_kernel(cr0);
6269 -+#endif
6270 -+
6271 - *(s32 *)loc = val;
6272 -+
6273 -+#ifdef CONFIG_PAX_KERNEXEC
6274 -+ pax_close_kernel(cr0);
6275 -+#endif
6276 -+
6277 - if ((s64)val != *(s32 *)loc)
6278 - goto overflow;
6279 - break;
6280 - case R_X86_64_PC32:
6281 - val -= (u64)loc;
6282 -+
6283 -+#ifdef CONFIG_PAX_KERNEXEC
6284 -+ pax_open_kernel(cr0);
6285 -+#endif
6286 -+
6287 - *(u32 *)loc = val;
6288 -+
6289 -+#ifdef CONFIG_PAX_KERNEXEC
6290 -+ pax_close_kernel(cr0);
6291 -+#endif
6292 -+
6293 - #if 0
6294 - if ((s64)val != *(s32 *)loc)
6295 - goto overflow;
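Review bot: placing the overflow read-back (`if (val != *(u32 *)loc)`) after pax_close_kernel() in the R_X86_64_32 and R_X86_64_32S cases is correct, since only the write needs the window open, but as in module_32.c the four identical open/close blocks could be one pair around the switch. Note also that the R_X86_64_PC32 case keeps its `#if 0`'d overflow check, so it is now the only case whose newly wrapped write is never verified.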
6296 -diff -urNp linux-2.6.24.4/arch/x86/kernel/paravirt_32.c linux-2.6.24.4/arch/x86/kernel/paravirt_32.c
6297 ---- linux-2.6.24.4/arch/x86/kernel/paravirt_32.c 2008-03-24 14:49:18.000000000 -0400
6298 -+++ linux-2.6.24.4/arch/x86/kernel/paravirt_32.c 2008-03-26 17:56:55.000000000 -0400
6299 -@@ -39,7 +39,7 @@ void _paravirt_nop(void)
6300 - {
6301 - }
6302 -
6303 --static void __init default_banner(void)
6304 -+static void default_banner(void)
6305 - {
6306 - printk(KERN_INFO "Booting paravirtualized kernel on %s\n",
6307 - pv_info.name);
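Review bot: dropping `__init` from default_banner() is unexplained. Presumably it is required because pv_init_ops becomes `__read_only` later in this file (the @@ -324 hunk) and a non-init, read-only structure must not point at an init-section function; say so in a comment or the changelog, otherwise this reads like an accidental loss of init memory reclaim.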
6308 -@@ -206,7 +206,7 @@ unsigned paravirt_patch_insns(void *insn
6309 - if (insn_len > len || start == NULL)
6310 - insn_len = len;
6311 - else
6312 -- memcpy(insnbuf, start, insn_len);
6313 -+ memcpy(insnbuf, ktla_ktva(start), insn_len);
6314 -
6315 - return insn_len;
6316 - }
6317 -@@ -324,21 +324,21 @@ enum paravirt_lazy_mode paravirt_get_laz
6318 - return x86_read_percpu(paravirt_lazy_mode);
6319 - }
6320 -
6321 --struct pv_info pv_info = {
6322 -+struct pv_info pv_info __read_only = {
6323 - .name = "bare hardware",
6324 - .paravirt_enabled = 0,
6325 - .kernel_rpl = 0,
6326 - .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
6327 - };
6328 -
6329 --struct pv_init_ops pv_init_ops = {
6330 -+struct pv_init_ops pv_init_ops __read_only = {
6331 - .patch = native_patch,
6332 - .banner = default_banner,
6333 - .arch_setup = paravirt_nop,
6334 - .memory_setup = machine_specific_memory_setup,
6335 - };
6336 -
6337 --struct pv_time_ops pv_time_ops = {
6338 -+struct pv_time_ops pv_time_ops __read_only = {
6339 - .time_init = hpet_time_init,
6340 - .get_wallclock = native_get_wallclock,
6341 - .set_wallclock = native_set_wallclock,
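Review bot: marking pv_info, pv_init_ops and pv_time_ops `__read_only` (and the remaining pv_*_ops in the hunks below) means any code that assigns to these structures after they are initialised, which is exactly what a paravirt backend does when it installs its own operations, must now go through pax_open_kernel()/pax_close_kernel() the way the module relocation code above does. None of those writers appear in this region; please confirm they are covered, or list the affected files in the changelog.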
6342 -@@ -346,7 +346,7 @@ struct pv_time_ops pv_time_ops = {
6343 - .get_cpu_khz = native_calculate_cpu_khz,
6344 - };
6345 -
6346 --struct pv_irq_ops pv_irq_ops = {
6347 -+struct pv_irq_ops pv_irq_ops __read_only = {
6348 - .init_IRQ = native_init_IRQ,
6349 - .save_fl = native_save_fl,
6350 - .restore_fl = native_restore_fl,
6351 -@@ -356,7 +356,7 @@ struct pv_irq_ops pv_irq_ops = {
6352 - .halt = native_halt,
6353 - };
6354 -
6355 --struct pv_cpu_ops pv_cpu_ops = {
6356 -+struct pv_cpu_ops pv_cpu_ops __read_only = {
6357 - .cpuid = native_cpuid,
6358 - .get_debugreg = native_get_debugreg,
6359 - .set_debugreg = native_set_debugreg,
6360 -@@ -396,7 +396,7 @@ struct pv_cpu_ops pv_cpu_ops = {
6361 - },
6362 - };
6363 -
6364 --struct pv_apic_ops pv_apic_ops = {
6365 -+struct pv_apic_ops pv_apic_ops __read_only = {
6366 - #ifdef CONFIG_X86_LOCAL_APIC
6367 - .apic_write = native_apic_write,
6368 - .apic_write_atomic = native_apic_write_atomic,
6369 -@@ -407,7 +407,7 @@ struct pv_apic_ops pv_apic_ops = {
6370 - #endif
6371 - };
6372 -
6373 --struct pv_mmu_ops pv_mmu_ops = {
6374 -+struct pv_mmu_ops pv_mmu_ops __read_only = {
6375 - .pagetable_setup_start = native_pagetable_setup_start,
6376 - .pagetable_setup_done = native_pagetable_setup_done,
6377 -
6378 -diff -urNp linux-2.6.24.4/arch/x86/kernel/process_32.c linux-2.6.24.4/arch/x86/kernel/process_32.c
6379 ---- linux-2.6.24.4/arch/x86/kernel/process_32.c 2008-03-24 14:49:18.000000000 -0400
6380 -+++ linux-2.6.24.4/arch/x86/kernel/process_32.c 2008-03-26 17:56:55.000000000 -0400
6381 -@@ -66,15 +66,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
6382 - DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
6383 - EXPORT_PER_CPU_SYMBOL(current_task);
6384 -
6385 -+#ifdef CONFIG_SMP
6386 - DEFINE_PER_CPU(int, cpu_number);
6387 - EXPORT_PER_CPU_SYMBOL(cpu_number);
6388 -+#endif
6389 -
6390 - /*
6391 - * Return saved PC of a blocked thread.
6392 - */
6393 - unsigned long thread_saved_pc(struct task_struct *tsk)
6394 - {
6395 -- return ((unsigned long *)tsk->thread.esp)[3];
6396 -+ return tsk->thread.eip;
6397 - }
6398 -
6399 - /*
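Review bot: two unrelated changes share this hunk: the `#ifdef CONFIG_SMP` guard around cpu_number and the switch of thread_saved_pc() from reading the saved stack slot to `tsk->thread.eip`. The second relies on thread.eip being kept current by the context-switch code, which is not shown here; a comment on thread_saved_pc() stating that assumption would help, and the two changes would be easier to review as separate hunks.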
6400 -@@ -313,7 +315,7 @@ void __show_registers(struct pt_regs *re
6401 - unsigned long esp;
6402 - unsigned short ss, gs;
6403 -
6404 -- if (user_mode_vm(regs)) {
6405 -+ if (user_mode(regs)) {
6406 - esp = regs->esp;
6407 - ss = regs->xss & 0xffff;
6408 - savesegment(gs, gs);
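Review bot: replacing user_mode_vm() with user_mode() drops the vm86 case unless user_mode() has been redefined to include it. The signal_32.c hunk further down introduces user_mode_novm() for the old strict semantics, which suggests exactly that, but the header change is not in this region; confirm the definitions, because otherwise __show_registers() here and send_sigtrap() in ptrace_32.c will treat a vm86 task's registers as kernel mode.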
6409 -@@ -391,8 +393,8 @@ int kernel_thread(int (*fn)(void *), voi
6410 - regs.ebx = (unsigned long) fn;
6411 - regs.edx = (unsigned long) arg;
6412 -
6413 -- regs.xds = __USER_DS;
6414 -- regs.xes = __USER_DS;
6415 -+ regs.xds = __KERNEL_DS;
6416 -+ regs.xes = __KERNEL_DS;
6417 - regs.xfs = __KERNEL_PERCPU;
6418 - regs.orig_eax = -1;
6419 - regs.eip = (unsigned long) kernel_thread_helper;
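Review bot: loading __KERNEL_DS instead of __USER_DS into a kernel thread's ds/es has no explanation. If it is needed by CONFIG_PAX_MEMORY_UDEREF (see the addr_limit/__set_fs() change in __switch_to() below), either guard it with the same #ifdef or add a comment, because unconditionally changing the segments used by kernel threads is a visible behaviour change for builds without that option.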
6420 -@@ -414,7 +416,7 @@ void exit_thread(void)
6421 - struct task_struct *tsk = current;
6422 - struct thread_struct *t = &tsk->thread;
6423 - int cpu = get_cpu();
6424 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6425 -+ struct tss_struct *tss = init_tss + cpu;
6426 -
6427 - kfree(t->io_bitmap_ptr);
6428 - t->io_bitmap_ptr = NULL;
6429 -@@ -435,6 +437,7 @@ void flush_thread(void)
6430 - {
6431 - struct task_struct *tsk = current;
6432 -
6433 -+ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
6434 - memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
6435 - memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
6436 - clear_tsk_thread_flag(tsk, TIF_DEBUG);
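Review bot: the inline asm that loads 0 into %gs needs a comment: the TLS array is zeroed right below, so a stale %gs selector would otherwise keep referring to a descriptor that is about to be cleared. The statement has no outputs and is therefore implicitly volatile, and the "memory" clobber orders it before the memset(); only the stated intent is missing.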
6437 -@@ -468,7 +471,7 @@ int copy_thread(int nr, unsigned long cl
6438 - struct task_struct *tsk;
6439 - int err;
6440 -
6441 -- childregs = task_pt_regs(p);
6442 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
6443 - *childregs = *regs;
6444 - childregs->eax = 0;
6445 - childregs->esp = esp;
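Review bot: the `- 8` in `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` is a magic number. Whatever those 8 bytes reserve, task_pt_regs(), which this line stops using, must produce the same layout, and its update is not in this hunk; name the constant (or use the updated task_pt_regs()) so the two cannot drift apart.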
6446 -@@ -510,6 +513,11 @@ int copy_thread(int nr, unsigned long cl
6447 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
6448 - goto out;
6449 -
6450 -+#ifdef CONFIG_PAX_SEGMEXEC
6451 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6452 -+ goto out;
6453 -+#endif
6454 -+
6455 - desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
6456 - desc->a = LDT_entry_a(&info);
6457 - desc->b = LDT_entry_b(&info);
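Review bot: the new SEGMEXEC rejection jumps to `out` with whatever `err` currently holds, which is not visible in this hunk, while the equivalent checks in sys_set_thread_area() and ptrace_set_thread_area() return -EINVAL explicitly. Either set `err = -EINVAL;` here or add a comment that it is already -EINVAL from the preceding range check, so the three paths are known to agree.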
6458 -@@ -696,7 +704,7 @@ struct task_struct fastcall * __switch_t
6459 - struct thread_struct *prev = &prev_p->thread,
6460 - *next = &next_p->thread;
6461 - int cpu = smp_processor_id();
6462 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6463 -+ struct tss_struct *tss = init_tss + cpu;
6464 -
6465 - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
6466 -
6467 -@@ -724,6 +732,11 @@ struct task_struct fastcall * __switch_t
6468 - */
6469 - savesegment(gs, prev->gs);
6470 -
6471 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
6472 -+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
6473 -+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
6474 -+#endif
6475 -+
6476 - /*
6477 - * Load the per-thread Thread-Local Storage descriptor.
6478 - */
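Review bot: the UDEREF block reloads the fs limit whenever the two tasks' addr_limit values differ, but nothing says why. If, as the name suggests, addr_limit is enforced through a segment limit under CONFIG_PAX_MEMORY_UDEREF, a comment that it therefore has to be reprogrammed on every switch that crosses a set_fs() boundary would make the `__set_fs(..., cpu)` call self-explanatory.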
6479 -@@ -888,6 +901,12 @@ asmlinkage int sys_set_thread_area(struc
6480 -
6481 - if (copy_from_user(&info, u_info, sizeof(info)))
6482 - return -EFAULT;
6483 -+
6484 -+#ifdef CONFIG_PAX_SEGMEXEC
6485 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6486 -+ return -EINVAL;
6487 -+#endif
6488 -+
6489 - idx = info.entry_number;
6490 -
6491 - /*
6492 -@@ -976,9 +995,27 @@ asmlinkage int sys_get_thread_area(struc
6493 - return 0;
6494 - }
6495 -
6496 --unsigned long arch_align_stack(unsigned long sp)
6497 -+#ifdef CONFIG_PAX_RANDKSTACK
6498 -+asmlinkage void pax_randomize_kstack(void)
6499 - {
6500 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6501 -- sp -= get_random_int() % 8192;
6502 -- return sp & ~0xf;
6503 -+ struct thread_struct *thread = &current->thread;
6504 -+ unsigned long time;
6505 -+
6506 -+ if (!randomize_va_space)
6507 -+ return;
6508 -+
6509 -+ rdtscl(time);
6510 -+
6511 -+ /* P4 seems to return a 0 LSB, ignore it */
6512 -+#ifdef CONFIG_MPENTIUM4
6513 -+ time &= 0x1EUL;
6514 -+ time <<= 2;
6515 -+#else
6516 -+ time &= 0xFUL;
6517 -+ time <<= 3;
6518 -+#endif
6519 -+
6520 -+ thread->esp0 ^= time;
6521 -+ load_esp0(init_tss + smp_processor_id(), thread);
6522 - }
6523 -+#endif
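Review bot: arch_align_stack() is deleted here (and again in process_64.c below) with no replacement visible in this region; its callers elsewhere in the tree will not link unless the patch provides it in a header. Separately, pax_randomize_kstack() documents the P4 quirk but not its range: `time & 0xF` shifted by 3 (or `0x1E` shifted by 2 on P4) yields 16 possible 8-byte-aligned offsets for esp0, which should be stated in a comment so the amount of randomisation is explicit; note too that the new function exists only under CONFIG_PAX_RANDKSTACK whereas the removed one was unconditional.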
6524 -diff -urNp linux-2.6.24.4/arch/x86/kernel/process_64.c linux-2.6.24.4/arch/x86/kernel/process_64.c
6525 ---- linux-2.6.24.4/arch/x86/kernel/process_64.c 2008-03-24 14:49:18.000000000 -0400
6526 -+++ linux-2.6.24.4/arch/x86/kernel/process_64.c 2008-03-26 17:56:55.000000000 -0400
6527 -@@ -210,6 +210,8 @@ static inline void play_dead(void)
6528 - void cpu_idle (void)
6529 - {
6530 - current_thread_info()->status |= TS_POLLING;
6531 -+ current->stack_canary = pax_get_random_long();
6532 -+ write_pda(stack_canary, current->stack_canary);
6533 - /* endless idle loop with no priority at all */
6534 - while (1) {
6535 - tick_nohz_stop_sched_tick();
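Review bot: these two cpu_idle() lines are unconditional, while the canary handling they replace sits under `#ifdef CONFIG_CC_STACKPROTECTOR` (see the __switch_to() hunk below that removes the per-task write_pda). Guard them the same way, or confirm that `current->stack_canary` and the PDA slot exist without that option.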
6536 -@@ -390,7 +392,7 @@ void exit_thread(void)
6537 - struct thread_struct *t = &me->thread;
6538 -
6539 - if (me->thread.io_bitmap_ptr) {
6540 -- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
6541 -+ struct tss_struct *tss = init_tss + get_cpu();
6542 -
6543 - kfree(t->io_bitmap_ptr);
6544 - t->io_bitmap_ptr = NULL;
6545 -@@ -597,7 +599,7 @@ __switch_to(struct task_struct *prev_p,
6546 - struct thread_struct *prev = &prev_p->thread,
6547 - *next = &next_p->thread;
6548 - int cpu = smp_processor_id();
6549 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
6550 -+ struct tss_struct *tss = init_tss + cpu;
6551 -
6552 - /* we're going to use this soon, after a few expensive things */
6553 - if (next_p->fpu_counter>5)
6554 -@@ -672,7 +674,6 @@ __switch_to(struct task_struct *prev_p,
6555 - write_pda(kernelstack,
6556 - (unsigned long)task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
6557 - #ifdef CONFIG_CC_STACKPROTECTOR
6558 -- write_pda(stack_canary, next_p->stack_canary);
6559 - /*
6560 - * Build time only check to make sure the stack_canary is at
6561 - * offset 40 in the pda; this is a gcc ABI requirement
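Review bot: removing write_pda(stack_canary, ...) from __switch_to() means the PDA canary is no longer switched per task; together with the cpu_idle() hunk above, each CPU keeps one canary from the moment its idle task starts. If that is the intent (the canary no longer needs to live in task_struct), state it in the changelog; as it stands the hunk reads like an accidental loss of the per-task canary.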
6562 -@@ -701,7 +702,7 @@ __switch_to(struct task_struct *prev_p,
6563 - */
6564 - asmlinkage
6565 - long sys_execve(char __user *name, char __user * __user *argv,
6566 -- char __user * __user *envp, struct pt_regs regs)
6567 -+ char __user * __user *envp, struct pt_regs *regs)
6568 - {
6569 - long error;
6570 - char * filename;
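Review bot: changing sys_execve()'s last parameter from `struct pt_regs regs` (by value) to `struct pt_regs *regs` changes the calling convention, so the assembly stub that invokes sys_execve must now pass a pointer and the prototype in the arch headers must match; neither change is in this region, so please confirm both are part of the patch.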
6571 -@@ -710,7 +711,7 @@ long sys_execve(char __user *name, char
6572 - error = PTR_ERR(filename);
6573 - if (IS_ERR(filename))
6574 - return error;
6575 -- error = do_execve(filename, argv, envp, &regs);
6576 -+ error = do_execve(filename, argv, envp, regs);
6577 - if (error == 0) {
6578 - task_lock(current);
6579 - current->ptrace &= ~PT_DTRACE;
6580 -@@ -906,10 +907,3 @@ int dump_task_regs(struct task_struct *t
6581 -
6582 - return 1;
6583 - }
6584 --
6585 --unsigned long arch_align_stack(unsigned long sp)
6586 --{
6587 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6588 -- sp -= get_random_int() % 8192;
6589 -- return sp & ~0xf;
6590 --}
6591 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ptrace_32.c linux-2.6.24.4/arch/x86/kernel/ptrace_32.c
6592 ---- linux-2.6.24.4/arch/x86/kernel/ptrace_32.c 2008-03-24 14:49:18.000000000 -0400
6593 -+++ linux-2.6.24.4/arch/x86/kernel/ptrace_32.c 2008-03-26 17:56:55.000000000 -0400
6594 -@@ -160,22 +160,20 @@ static unsigned long convert_eip_to_line
6595 - * and APM bios ones we just ignore here.
6596 - */
6597 - if (seg & LDT_SEGMENT) {
6598 -- u32 *desc;
6599 -+ struct desc_struct *desc;
6600 - unsigned long base;
6601 -
6602 -- seg &= ~7UL;
6603 -+ seg >>= 3;
6604 -
6605 - mutex_lock(&child->mm->context.lock);
6606 -- if (unlikely((seg >> 3) >= child->mm->context.size))
6607 -- addr = -1L; /* bogus selector, access would fault */
6608 -+ if (unlikely(seg >= child->mm->context.size))
6609 -+ addr = -EINVAL;
6610 - else {
6611 -- desc = child->mm->context.ldt + seg;
6612 -- base = ((desc[0] >> 16) |
6613 -- ((desc[1] & 0xff) << 16) |
6614 -- (desc[1] & 0xff000000));
6615 -+ desc = &child->mm->context.ldt[seg];
6616 -+ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
6617 -
6618 - /* 16-bit code segment? */
6619 -- if (!((desc[1] >> 22) & 1))
6620 -+ if (!((desc->b >> 22) & 1))
6621 - addr &= 0xffff;
6622 - addr += base;
6623 - }
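Review bot: the `/* bogus selector, access would fault */` comment is dropped here but kept in the ptrace_64.c counterpart; keep it, updated to say that the -EINVAL sentinel is checked by the caller in is_setting_trap_flag(). Since that caller stores the result in an `unsigned long`, `-EINVAL` becomes 0xffffffea, a kernel-space address on i386, which is why the sentinel cannot collide with a valid user address; that is worth one line of comment too.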
6624 -@@ -190,6 +188,9 @@ static inline int is_setting_trap_flag(s
6625 - unsigned char opcode[15];
6626 - unsigned long addr = convert_eip_to_linear(child, regs);
6627 -
6628 -+ if (addr == -EINVAL)
6629 -+ return 0;
6630 -+
6631 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
6632 - for (i = 0; i < copied; i++) {
6633 - switch (opcode[i]) {
6634 -@@ -340,6 +341,11 @@ ptrace_set_thread_area(struct task_struc
6635 - if (copy_from_user(&info, user_desc, sizeof(info)))
6636 - return -EFAULT;
6637 -
6638 -+#ifdef CONFIG_PAX_SEGMEXEC
6639 -+ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
6640 -+ return -EINVAL;
6641 -+#endif
6642 -+
6643 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
6644 - return -EINVAL;
6645 -
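Review bot: the condition `(mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE)` now appears three times in this patch (copy_thread(), sys_set_thread_area() and here); a small static inline helper taking the mm and the user_desc would keep the three in sync and give the rule a name.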
6646 -@@ -419,7 +425,17 @@ long arch_ptrace(struct task_struct *chi
6647 - if(addr == (long) &dummy->u_debugreg[5]) break;
6648 - if(addr < (long) &dummy->u_debugreg[4] &&
6649 - ((unsigned long) data) >= TASK_SIZE-3) break;
6650 --
6651 -+
6652 -+#ifdef CONFIG_GRKERNSEC
6653 -+ if(addr >= (long) &dummy->u_debugreg[0] &&
6654 -+ addr <= (long) &dummy->u_debugreg[3]) {
6655 -+ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
6656 -+ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
6657 -+ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
6658 -+ if ((type & 1) && (data & align))
6659 -+ break;
6660 -+ }
6661 -+#endif
6662 - /* Sanity-check data. Take one half-byte at once with
6663 - * check = (val >> (16 + 4*i)) & 0xf. It contains the
6664 - * R/Wi and LENi bits; bits 0 and 1 are R/Wi, and bits
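Review bot: the GRKERNSEC alignment check runs only when DR0..DR3 are written and derives `type`/`align` from the DR7 value stored at that time, so it is order-dependent: a debugger that stores the address first and enables a wider LENi in DR7 afterwards is not checked unless the DR7 path (the "Sanity-check data" block below) re-validates the stored addresses, which this hunk does not show. The `-`/`+` blank-line pair at the top of the hunk is also whitespace churn and can go.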
6665 -@@ -630,7 +646,7 @@ void send_sigtrap(struct task_struct *ts
6666 - info.si_code = TRAP_BRKPT;
6667 -
6668 - /* User-mode eip? */
6669 -- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
6670 -+ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
6671 -
6672 - /* Send us the fake SIGTRAP */
6673 - force_sig_info(SIGTRAP, &info, tsk);
6674 -diff -urNp linux-2.6.24.4/arch/x86/kernel/ptrace_64.c linux-2.6.24.4/arch/x86/kernel/ptrace_64.c
6675 ---- linux-2.6.24.4/arch/x86/kernel/ptrace_64.c 2008-03-24 14:49:18.000000000 -0400
6676 -+++ linux-2.6.24.4/arch/x86/kernel/ptrace_64.c 2008-03-26 17:56:55.000000000 -0400
6677 -@@ -98,22 +98,20 @@ unsigned long convert_rip_to_linear(stru
6678 - * and APM bios ones we just ignore here.
6679 - */
6680 - if (seg & LDT_SEGMENT) {
6681 -- u32 *desc;
6682 -+ struct desc_struct *desc;
6683 - unsigned long base;
6684 -
6685 -- seg &= ~7UL;
6686 -+ seg >>= 3;
6687 -
6688 - mutex_lock(&child->mm->context.lock);
6689 -- if (unlikely((seg >> 3) >= child->mm->context.size))
6690 -- addr = -1L; /* bogus selector, access would fault */
6691 -+ if (unlikely(seg >= child->mm->context.size))
6692 -+ addr = -EINVAL; /* bogus selector, access would fault */
6693 - else {
6694 -- desc = child->mm->context.ldt + seg;
6695 -- base = ((desc[0] >> 16) |
6696 -- ((desc[1] & 0xff) << 16) |
6697 -- (desc[1] & 0xff000000));
6698 -+ desc = &child->mm->context.ldt[seg];
6699 -+ base = desc->base0 | (desc->base1 << 16) | (desc->base2 << 24);
6700 -
6701 - /* 16-bit code segment? */
6702 -- if (!((desc[1] >> 22) & 1))
6703 -+ if (!desc->d)
6704 - addr &= 0xffff;
6705 - addr += base;
6706 - }
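Review bot: the 64-bit version decodes the LDT entry through the bitfield members (`desc->base0 | (desc->base1 << 16) | (desc->base2 << 24)`, `!desc->d`) while the 32-bit version in ptrace_32.c uses raw `desc->a`/`desc->b` shifts for the same computation; pick one form, ideally a shared helper, so the two implementations cannot diverge.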
6707 -@@ -129,6 +127,9 @@ static int is_setting_trap_flag(struct t
6708 - unsigned char opcode[15];
6709 - unsigned long addr = convert_rip_to_linear(child, regs);
6710 -
6711 -+ if (addr == -EINVAL)
6712 -+ return 0;
6713 -+
6714 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
6715 - for (i = 0; i < copied; i++) {
6716 - switch (opcode[i]) {
6717 -diff -urNp linux-2.6.24.4/arch/x86/kernel/reboot_32.c linux-2.6.24.4/arch/x86/kernel/reboot_32.c
6718 ---- linux-2.6.24.4/arch/x86/kernel/reboot_32.c 2008-03-24 14:49:18.000000000 -0400
6719 -+++ linux-2.6.24.4/arch/x86/kernel/reboot_32.c 2008-03-26 17:56:55.000000000 -0400
6720 -@@ -23,7 +23,7 @@
6721 - void (*pm_power_off)(void);
6722 - EXPORT_SYMBOL(pm_power_off);
6723 -
6724 --static int reboot_mode;
6725 -+static unsigned short reboot_mode;
6726 - static int reboot_thru_bios;
6727 -
6728 - #ifdef CONFIG_SMP
6729 -@@ -135,7 +135,7 @@ static struct dmi_system_id __initdata r
6730 - DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
6731 - },
6732 - },
6733 -- { }
6734 -+ { NULL, NULL, {{0, NULL}}, NULL}
6735 - };
6736 -
6737 - static int __init reboot_init(void)
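Review bot: replacing the `{ }` terminator with `{ NULL, NULL, {{0, NULL}}, NULL}` spells out every field of struct dmi_system_id positionally; it silences a missing-field-initializer warning but will break silently if fields are reordered or added. `{ }` is the kernel's idiom for a sentinel; if the warning matters, designated initializers are the safer alternative.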
6738 -@@ -153,18 +153,18 @@ core_initcall(reboot_init);
6739 - doesn't work with at least one type of 486 motherboard. It is easy
6740 - to stop this code working; hence the copious comments. */
6741 -
6742 --static unsigned long long
6743 --real_mode_gdt_entries [3] =
6744 -+static struct desc_struct
6745 -+real_mode_gdt_entries [3] __read_only =
6746 - {
6747 -- 0x0000000000000000ULL, /* Null descriptor */
6748 -- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
6749 -- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
6750 -+ {0x00000000, 0x00000000}, /* Null descriptor */
6751 -+ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
6752 -+ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
6753 - };
6754 -
6755 --static struct Xgt_desc_struct
6756 --real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
6757 --real_mode_idt = { 0x3ff, 0 },
6758 --no_idt = { 0, 0 };
6759 -+static const struct Xgt_desc_struct
6760 -+real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
6761 -+real_mode_idt = { 0x3ff, NULL, 0 },
6762 -+no_idt = { 0, NULL, 0 };
6763 -
6764 -
6765 - /* This is 16-bit protected mode code to disable paging and the cache,
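Review bot: the descriptor bytes change along with the type: 0x9a becomes 0x9b for the code entry and 0x92 becomes 0x93 for the data entry, i.e. the accessed bit is now preset. That is necessary because the table is `__read_only` and the CPU would otherwise try to set the bit when the segment is loaded, but it is a subtle change buried inside a type conversion and needs a comment; the switch of the GDT base from `(long)real_mode_gdt_entries` to `__pa(real_mode_gdt_entries)` deserves one as well.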
6766 -@@ -186,7 +186,7 @@ no_idt = { 0, 0 };
6767 - More could be done here to set up the registers as if a CPU reset had
6768 - occurred; hopefully real BIOSs don't assume much. */
6769 -
6770 --static unsigned char real_mode_switch [] =
6771 -+static const unsigned char real_mode_switch [] =
6772 - {
6773 - 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
6774 - 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
6775 -@@ -200,7 +200,7 @@ static unsigned char real_mode_switch []
6776 - 0x24, 0x10, /* f: andb $0x10,al */
6777 - 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
6778 - };
6779 --static unsigned char jump_to_bios [] =
6780 -+static const unsigned char jump_to_bios [] =
6781 - {
6782 - 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
6783 - };
6784 -@@ -210,7 +210,7 @@ static unsigned char jump_to_bios [] =
6785 - * specified by the code and length parameters.
6786 - * We assume that length will aways be less that 100!
6787 - */
6788 --void machine_real_restart(unsigned char *code, int length)
6789 -+void machine_real_restart(const unsigned char *code, unsigned int length)
6790 - {
6791 - local_irq_disable();
6792 -
6793 -@@ -232,8 +232,8 @@ void machine_real_restart(unsigned char
6794 - from the kernel segment. This assumes the kernel segment starts at
6795 - virtual address PAGE_OFFSET. */
6796 -
6797 -- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
6798 -- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
6799 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
6800 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
6801 -
6802 - /*
6803 - * Use `swapper_pg_dir' as our page directory.
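Review bot: the change from copying KERNEL_PGD_PTRS entries to `min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)` is uncommented: the copy targets the first USER_PGD_PTRS slots of swapper_pg_dir, so copying more than that would start overwriting the kernel entries it is copying from. Say that here, since the comment above the call still only says "from the kernel segment".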
6804 -@@ -246,7 +246,7 @@ void machine_real_restart(unsigned char
6805 - REBOOT.COM programs, and the previous reset routine did this
6806 - too. */
6807 -
6808 -- *((unsigned short *)0x472) = reboot_mode;
6809 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
6810 -
6811 - /* For the switch to real mode, copy some code to low memory. It has
6812 - to be in the first 64k because it is running in 16-bit mode, and it
6813 -@@ -254,9 +254,8 @@ void machine_real_restart(unsigned char
6814 - off paging. Copy it near the end of the first page, out of the way
6815 - of BIOS variables. */
6816 -
6817 -- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
6818 -- real_mode_switch, sizeof (real_mode_switch));
6819 -- memcpy ((void *) (0x1000 - 100), code, length);
6820 -+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
6821 -+ memcpy(__va(0x1000 - 100), code, length);
6822 -
6823 - /* Set up the IDT for real mode. */
6824 -
6825 -diff -urNp linux-2.6.24.4/arch/x86/kernel/setup_32.c linux-2.6.24.4/arch/x86/kernel/setup_32.c
6826 ---- linux-2.6.24.4/arch/x86/kernel/setup_32.c 2008-03-24 14:49:18.000000000 -0400
6827 -+++ linux-2.6.24.4/arch/x86/kernel/setup_32.c 2008-03-26 17:56:55.000000000 -0400
6828 -@@ -61,6 +61,7 @@
6829 - #include <setup_arch.h>
6830 - #include <bios_ebda.h>
6831 - #include <asm/cacheflush.h>
6832 -+#include <asm/boot.h>
6833 -
6834 - /* This value is set up by the early boot code to point to the value
6835 - immediately after the boot time page tables. It contains a *physical*
6836 -@@ -82,7 +83,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
6837 - struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
6838 - EXPORT_SYMBOL(boot_cpu_data);
6839 -
6840 -+#ifdef CONFIG_X86_PAE
6841 -+unsigned long mmu_cr4_features = X86_CR4_PAE;
6842 -+#else
6843 - unsigned long mmu_cr4_features;
6844 -+#endif
6845 -
6846 - /* for MCA, but anyone else can use it if they want */
6847 - unsigned int machine_id;
6848 -@@ -436,8 +441,8 @@ void __init setup_bootmem_allocator(void
6849 - * the (very unlikely) case of us accidentally initializing the
6850 - * bootmem allocator with an invalid RAM area.
6851 - */
6852 -- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
6853 -- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
6854 -+ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
6855 -+ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
6856 -
6857 - /*
6858 - * reserve physical page 0 - it's a special BIOS page on many boxes,
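Review bot: using LOAD_PHYSICAL_ADDR in place of __pa_symbol(_text) assumes the kernel image sits at its link-time physical address; if a relocatable kernel can be loaded elsewhere, this reserves the wrong range. A comment on why __pa_symbol(_text) no longer works (presumably because _text is now at the ktla_ktva-shifted address, cf. the setup_arch() hunk below) plus a check that CONFIG_RELOCATABLE is excluded would settle it.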
6859 -@@ -590,14 +595,14 @@ void __init setup_arch(char **cmdline_p)
6860 -
6861 - if (!boot_params.hdr.root_flags)
6862 - root_mountflags &= ~MS_RDONLY;
6863 -- init_mm.start_code = (unsigned long) _text;
6864 -- init_mm.end_code = (unsigned long) _etext;
6865 -+ init_mm.start_code = ktla_ktva((unsigned long) _text);
6866 -+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
6867 - init_mm.end_data = (unsigned long) _edata;
6868 - init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
6869 -
6870 -- code_resource.start = virt_to_phys(_text);
6871 -- code_resource.end = virt_to_phys(_etext)-1;
6872 -- data_resource.start = virt_to_phys(_etext);
6873 -+ code_resource.start = virt_to_phys(ktla_ktva(_text));
6874 -+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
6875 -+ data_resource.start = virt_to_phys(_data);
6876 - data_resource.end = virt_to_phys(_edata)-1;
6877 - bss_resource.start = virt_to_phys(&__bss_start);
6878 - bss_resource.end = virt_to_phys(&__bss_stop)-1;
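Review bot: `data_resource.start = virt_to_phys(_data)` introduces a `_data` symbol where the file previously used _etext; the linker script change that provides it is not in this region. With code_resource.end now derived from ktla_ktva(_etext) and data_resource.start from _data, the two resources may no longer abut, so please confirm the resulting /proc/iomem layout is the intended one.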
6879 -@@ -692,3 +697,23 @@ void __init setup_arch(char **cmdline_p)
6880 - #endif
6881 - #endif
6882 - }
6883 -+
6884 -+unsigned long __per_cpu_offset[NR_CPUS] __read_only;
6885 -+
6886 -+EXPORT_SYMBOL(__per_cpu_offset);
6887 -+
6888 -+void __init setup_per_cpu_areas(void)
6889 -+{
6890 -+ unsigned long size, i;
6891 -+ char *ptr;
6892 -+
6893 -+ /* Copy section for each CPU (we discard the original) */
6894 -+ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
6895 -+ ptr = alloc_bootmem_pages(size * num_possible_cpus());
6896 -+
6897 -+ for_each_possible_cpu(i) {
6898 -+ __per_cpu_offset[i] = (unsigned long)ptr;
6899 -+ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
6900 -+ ptr += size;
6901 -+ }
6902 -+}
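Review bot: this setup_per_cpu_areas() is a near-copy of the generic one in init/main.c, with `__read_only` on __per_cpu_offset as the only visible difference; unless the generic definition is disabled for this architecture elsewhere in the patch, the symbol ends up defined twice. Minor: `i` is declared `unsigned long` but serves as the cpu iterator in for_each_possible_cpu(), where `int` is the conventional type.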
6903 -diff -urNp linux-2.6.24.4/arch/x86/kernel/setup64.c linux-2.6.24.4/arch/x86/kernel/setup64.c
6904 ---- linux-2.6.24.4/arch/x86/kernel/setup64.c 2008-03-24 14:49:18.000000000 -0400
6905 -+++ linux-2.6.24.4/arch/x86/kernel/setup64.c 2008-03-26 17:56:55.000000000 -0400
6906 -@@ -32,12 +32,12 @@ struct x8664_pda *_cpu_pda[NR_CPUS] __re
6907 - EXPORT_SYMBOL(_cpu_pda);
6908 - struct x8664_pda boot_cpu_pda[NR_CPUS] __cacheline_aligned;
6909 -
6910 --struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
6911 -+const struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
6912 -
6913 - char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
6914 -
6915 - unsigned long __supported_pte_mask __read_mostly = ~0UL;
6916 --static int do_not_nx __cpuinitdata = 0;
6917 -+EXPORT_SYMBOL(__supported_pte_mask);
6918 -
6919 - /* noexec=on|off
6920 - Control non executable mappings for 64bit processes.
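Review bot: `do_not_nx` is removed and EXPORT_SYMBOL(__supported_pte_mask) takes its place on the same line. The removal is only safe because nonx_setup() already clears _PAGE_NX from __supported_pte_mask for "noexec=off" and nothing re-adds it before check_efer() (see the @@ -177 hunk), which made the flag redundant; that reasoning belongs in the changelog, and the new export needs a stated user.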
6921 -@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
6922 - return -EINVAL;
6923 - if (!strncmp(str, "on", 2)) {
6924 - __supported_pte_mask |= _PAGE_NX;
6925 -- do_not_nx = 0;
6926 - } else if (!strncmp(str, "off", 3)) {
6927 -- do_not_nx = 1;
6928 - __supported_pte_mask &= ~_PAGE_NX;
6929 - }
6930 - return 0;
6931 - }
6932 - early_param("noexec", nonx_setup);
6933 -
6934 --int force_personality32 = 0;
6935 -+int force_personality32;
6936 -
6937 - /* noexec32=on|off
6938 - Control non executable heap for 32bit processes.
6939 -@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
6940 - unsigned long efer;
6941 -
6942 - rdmsrl(MSR_EFER, efer);
6943 -- if (!(efer & EFER_NX) || do_not_nx) {
6944 -+ if (!(efer & EFER_NX)) {
6945 - __supported_pte_mask &= ~_PAGE_NX;
6946 - }
6947 - }
6948 -@@ -200,12 +198,13 @@ DEFINE_PER_CPU(struct orig_ist, orig_ist
6949 - void __cpuinit cpu_init (void)
6950 - {
6951 - int cpu = stack_smp_processor_id();
6952 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
6953 -+ struct tss_struct *t = init_tss + cpu;
6954 - struct orig_ist *orig_ist = &per_cpu(orig_ist, cpu);
6955 - unsigned long v;
6956 - char *estacks = NULL;
6957 - struct task_struct *me;
6958 - int i;
6959 -+ struct desc_ptr cpu_gdt_descr = { .size = GDT_SIZE - 1, .address = (unsigned long)cpu_gdt_table[cpu]};
6960 -
6961 - /* CPU 0 is initialised in head64.c */
6962 - if (cpu != 0) {
6963 -@@ -223,14 +222,12 @@ void __cpuinit cpu_init (void)
6964 - clear_in_cr4(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
6965 -
6966 - /*
6967 -- * Initialize the per-CPU GDT with the boot GDT,
6968 -- * and set up the GDT descriptor:
6969 -+ * Initialize the per-CPU GDT with the boot GDT:
6970 - */
6971 - if (cpu)
6972 - memcpy(cpu_gdt(cpu), cpu_gdt_table, GDT_SIZE);
6973 -
6974 -- cpu_gdt_descr[cpu].size = GDT_SIZE;
6975 -- load_gdt((const struct desc_ptr *)&cpu_gdt_descr[cpu]);
6976 -+ load_gdt(&cpu_gdt_descr);
6977 - load_idt((const struct desc_ptr *)&idt_descr);
6978 -
6979 - memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
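Review bot: replacing the per-CPU cpu_gdt_descr[] entry with a stack-local `struct desc_ptr` is fine for load_gdt(), since lgdt copies the descriptor, but a comment saying so would prevent a future "fix". The global cpu_gdt_descr[] may still be referenced by code this hunk does not touch (secondary CPU bring-up, for instance), so check for remaining users before relying on it being unused.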
6980 -diff -urNp linux-2.6.24.4/arch/x86/kernel/signal_32.c linux-2.6.24.4/arch/x86/kernel/signal_32.c
6981 ---- linux-2.6.24.4/arch/x86/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
6982 -+++ linux-2.6.24.4/arch/x86/kernel/signal_32.c 2008-03-26 17:56:55.000000000 -0400
6983 -@@ -355,9 +355,9 @@ static int setup_frame(int sig, struct k
6984 - }
6985 -
6986 - if (current->binfmt->hasvdso)
6987 -- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
6988 -+ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
6989 - else
6990 -- restorer = (void *)&frame->retcode;
6991 -+ restorer = (void __user *)&frame->retcode;
6992 - if (ka->sa.sa_flags & SA_RESTORER)
6993 - restorer = ka->sa.sa_restorer;
6994 -
6995 -@@ -452,7 +452,7 @@ static int setup_rt_frame(int sig, struc
6996 - goto give_sigsegv;
6997 -
6998 - /* Set up to return from userspace. */
6999 -- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
7000 -+ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
7001 - if (ka->sa.sa_flags & SA_RESTORER)
7002 - restorer = ka->sa.sa_restorer;
7003 - err |= __put_user(restorer, &frame->pretcode);
7004 -@@ -584,7 +584,7 @@ static void fastcall do_signal(struct pt
7005 - * before reaching here, so testing against kernel
7006 - * CS suffices.
7007 - */
7008 -- if (!user_mode(regs))
7009 -+ if (!user_mode_novm(regs))
7010 - return;
7011 -
7012 - if (test_thread_flag(TIF_RESTORE_SIGMASK))
7013 -diff -urNp linux-2.6.24.4/arch/x86/kernel/signal_64.c linux-2.6.24.4/arch/x86/kernel/signal_64.c
7014 ---- linux-2.6.24.4/arch/x86/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
7015 -+++ linux-2.6.24.4/arch/x86/kernel/signal_64.c 2008-03-26 17:56:55.000000000 -0400
7016 -@@ -252,8 +252,8 @@ static int setup_rt_frame(int sig, struc
7017 - err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
7018 - err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
7019 - if (sizeof(*set) == 16) {
7020 -- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
7021 -- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
7022 -+ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
7023 -+ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
7024 - } else
7025 - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
7026 -
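Review bot: the `err |=` added to the two __put_user() calls is a genuine correctness fix that has nothing to do with PaX: without it a fault while writing uc_sigmask was silently ignored and the signal frame could be delivered half-written. This hunk is worth submitting upstream on its own so the fix does not live only inside the hardened patch.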
7027 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smp_32.c linux-2.6.24.4/arch/x86/kernel/smp_32.c
7028 ---- linux-2.6.24.4/arch/x86/kernel/smp_32.c 2008-03-24 14:49:18.000000000 -0400
7029 -+++ linux-2.6.24.4/arch/x86/kernel/smp_32.c 2008-03-26 17:56:55.000000000 -0400
7030 -@@ -104,7 +104,7 @@
7031 - * about nothing of note with C stepping upwards.
7032 - */
7033 -
7034 --DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
7035 -+DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
7036 -
7037 - /*
7038 - * the following functions deal with sending IPIs between CPUs.
7039 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpboot_32.c linux-2.6.24.4/arch/x86/kernel/smpboot_32.c
7040 ---- linux-2.6.24.4/arch/x86/kernel/smpboot_32.c 2008-03-24 14:49:18.000000000 -0400
7041 -+++ linux-2.6.24.4/arch/x86/kernel/smpboot_32.c 2008-03-26 17:56:55.000000000 -0400
7042 -@@ -781,6 +781,10 @@ static int __cpuinit do_boot_cpu(int api
7043 - unsigned long start_eip;
7044 - unsigned short nmi_high = 0, nmi_low = 0;
7045 -
7046 -+#ifdef CONFIG_PAX_KERNEXEC
7047 -+ unsigned long cr0;
7048 -+#endif
7049 -+
7050 - /*
7051 - * Save current MTRR state in case it was changed since early boot
7052 - * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
7053 -@@ -797,7 +801,16 @@ static int __cpuinit do_boot_cpu(int api
7054 -
7055 - init_gdt(cpu);
7056 - per_cpu(current_task, cpu) = idle;
7057 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
7058 -+
7059 -+#ifdef CONFIG_PAX_KERNEXEC
7060 -+ pax_open_kernel(cr0);
7061 -+#endif
7062 -+
7063 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
7064 -+
7065 -+#ifdef CONFIG_PAX_KERNEXEC
7066 -+ pax_close_kernel(cr0);
7067 -+#endif
7068 -
7069 - idle->thread.eip = (unsigned long) start_secondary;
7070 - /* start_eip had better be page-aligned! */
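Review bot: the pax_open_kernel()/pax_close_kernel() window is kept to the single early_gdt_descr.address store, which is the right granularity for a write-protected kernel. Note that the `(unsigned long)` cast on get_cpu_gdt_table() was dropped on the same line, so this only compiles if the return type of get_cpu_gdt_table() or the type of early_gdt_descr.address changed in a hunk outside this region; that dependency deserves a mention in the changelog.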
7071 -@@ -1122,7 +1135,7 @@ static void __init smp_boot_cpus(unsigne
7072 - * construct cpu_sibling_map, so that we can tell sibling CPUs
7073 - * efficiently.
7074 - */
7075 -- for (cpu = 0; cpu < NR_CPUS; cpu++) {
7076 -+ for_each_possible_cpu(cpu) {
7077 - cpus_clear(per_cpu(cpu_sibling_map, cpu));
7078 - cpus_clear(per_cpu(cpu_core_map, cpu));
7079 - }
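Review bot: replacing the 0..NR_CPUS loop with for_each_possible_cpu() is an unrelated cleanup bundled into the hardening patch, and it changes which per_cpu areas are touched (only possible CPUs now get their sibling and core maps cleared); it should be called out separately rather than hidden between KERNEXEC changes.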
7080 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpboot_64.c linux-2.6.24.4/arch/x86/kernel/smpboot_64.c
7081 ---- linux-2.6.24.4/arch/x86/kernel/smpboot_64.c 2008-03-24 14:49:18.000000000 -0400
7082 -+++ linux-2.6.24.4/arch/x86/kernel/smpboot_64.c 2008-03-26 17:56:55.000000000 -0400
7083 -@@ -549,13 +549,6 @@ static int __cpuinit do_boot_cpu(int cpu
7084 - .done = COMPLETION_INITIALIZER_ONSTACK(c_idle.done),
7085 - };
7086 -
7087 -- /* allocate memory for gdts of secondary cpus. Hotplug is considered */
7088 -- if (!cpu_gdt_descr[cpu].address &&
7089 -- !(cpu_gdt_descr[cpu].address = get_zeroed_page(GFP_KERNEL))) {
7090 -- printk(KERN_ERR "Failed to allocate GDT for CPU %d\n", cpu);
7091 -- return -1;
7092 -- }
7093 --
7094 - /* Allocate node local memory for AP pdas */
7095 - if (cpu_pda(cpu) == &boot_cpu_pda[cpu]) {
7096 - struct x8664_pda *newpda, *pda;
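Review bot: dropping the get_zeroed_page() allocation for the secondary GDT also drops the only error path in this function that reported a missing GDT, and the hunk does not show where cpu_gdt_descr[cpu].address now comes from. The replacement static table and its initialisation should be referenced in the commit message, and a WARN_ON that the address is non-zero before the CPU is kicked would preserve the lost check.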
7097 -@@ -614,7 +607,7 @@ do_rest:
7098 - start_rip = setup_trampoline();
7099 -
7100 - init_rsp = c_idle.idle->thread.rsp;
7101 -- per_cpu(init_tss,cpu).rsp0 = init_rsp;
7102 -+ init_tss[cpu].rsp0 = init_rsp;
7103 - initial_code = start_secondary;
7104 - clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
7105 -
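Review bot: the conversion of init_tss from a per-CPU variable to a plain array is spelled three different ways across this patch (`init_tss[cpu].rsp0` here, `init_tss + cpu` in suspend_64.c and sysenter_32.c, `&init_tss[cpu]` in traps_32.c); settling on one form makes it easier to grep for any remaining per_cpu(init_tss, ...) user that would otherwise fail to build.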
7106 -diff -urNp linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c
7107 ---- linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c 2008-03-24 14:49:18.000000000 -0400
7108 -+++ linux-2.6.24.4/arch/x86/kernel/smpcommon_32.c 2008-03-26 17:56:55.000000000 -0400
7109 -@@ -3,6 +3,7 @@
7110 - */
7111 - #include <linux/module.h>
7112 - #include <asm/smp.h>
7113 -+#include <asm/sections.h>
7114 -
7115 - DEFINE_PER_CPU(unsigned long, this_cpu_off);
7116 - EXPORT_PER_CPU_SYMBOL(this_cpu_off);
7117 -@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
7118 - {
7119 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7120 -
7121 -- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7122 -- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7123 -- __per_cpu_offset[cpu], 0xFFFFF,
7124 -- 0x80 | DESCTYPE_S | 0x2, 0x8);
7125 -+#ifdef CONFIG_PAX_KERNEXEC
7126 -+ unsigned long cr0;
7127 -+
7128 -+ pax_open_kernel(cr0);
7129 -+#endif
7130 -+
7131 -+ if (cpu)
7132 -+ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
7133 -+
7134 -+ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
7135 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7136 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7137 -+ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
7138 -+ 0x80 | DESCTYPE_S | 0x3, 0x4);
7139 -+ else
7140 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
7141 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
7142 -+ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
7143 -+ 0x80 | DESCTYPE_S | 0x3, 0xC);
7144 -+
7145 -+#ifdef CONFIG_PAX_KERNEXEC
7146 -+ pax_close_kernel(cr0);
7147 -+#endif
7148 -
7149 - per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
7150 - per_cpu(cpu_number, cpu) = cpu;
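Review bot: the 64*1024*1024 threshold does not match the descriptor format it selects: with flags 0x4 (byte granularity) the limit field is 20 bits wide, so any PERCPU_ENOUGH_ROOM above 1 MiB would be silently masked by pack_descriptor(), and the page-granular branch (0xC) should be taken from 1 MiB upwards, not 64 MiB. The bug is latent with today's per-cpu sizes but will bite without warning. Two other things in this hunk deserve a comment: the type changes from 0x2 to 0x3, which pre-sets the accessed bit so the CPU never has to write the descriptor back on segment load (important once the GDT is read-only), and `if (cpu) memcpy(gdt, cpu_gdt_table, GDT_SIZE)` is what now seeds the secondary GDTs.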
7151 -diff -urNp linux-2.6.24.4/arch/x86/kernel/suspend_64.c linux-2.6.24.4/arch/x86/kernel/suspend_64.c
7152 ---- linux-2.6.24.4/arch/x86/kernel/suspend_64.c 2008-03-24 14:49:18.000000000 -0400
7153 -+++ linux-2.6.24.4/arch/x86/kernel/suspend_64.c 2008-03-26 17:56:55.000000000 -0400
7154 -@@ -116,12 +116,22 @@ void restore_processor_state(void)
7155 - void fix_processor_context(void)
7156 - {
7157 - int cpu = smp_processor_id();
7158 -- struct tss_struct *t = &per_cpu(init_tss, cpu);
7159 -+ struct tss_struct *t = init_tss + cpu;
7160 -+
7161 -+#ifdef CONFIG_PAX_KERNEXEC
7162 -+ unsigned long cr0;
7163 -+
7164 -+ pax_open_kernel(cr0);
7165 -+#endif
7166 -
7167 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
7168 -
7169 - cpu_gdt(cpu)[GDT_ENTRY_TSS].type = 9;
7170 -
7171 -+#ifdef CONFIG_PAX_KERNEXEC
7172 -+ pax_close_kernel(cr0);
7173 -+#endif
7174 -+
7175 - syscall_init(); /* This sets MSR_*STAR and related */
7176 - load_TR_desc(); /* This does ltr */
7177 - load_LDT(&current->active_mm->context); /* This does lldt */
7178 -diff -urNp linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S
7179 ---- linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S 2008-03-24 14:49:18.000000000 -0400
7180 -+++ linux-2.6.24.4/arch/x86/kernel/syscall_table_32.S 2008-03-26 17:56:55.000000000 -0400
7181 -@@ -1,3 +1,4 @@
7182 -+.section .rodata,"a",@progbits
7183 - ENTRY(sys_call_table)
7184 - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
7185 - .long sys_exit
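Review bot: moving sys_call_table into .rodata is the substantive hardening in this file and deserves a sentence in the changelog: the table becomes part of the read-only image, so overwriting a table slot from a loaded module, a long-standing rootkit technique, now faults instead of succeeding silently, and any remaining writer would have to go through the same pax_open_kernel() path used elsewhere in this patch. Check that nothing in-tree still takes the table's address as a writable pointer.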
7186 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sysenter_32.c linux-2.6.24.4/arch/x86/kernel/sysenter_32.c
7187 ---- linux-2.6.24.4/arch/x86/kernel/sysenter_32.c 2008-03-24 14:49:18.000000000 -0400
7188 -+++ linux-2.6.24.4/arch/x86/kernel/sysenter_32.c 2008-03-26 17:56:55.000000000 -0400
7189 -@@ -175,7 +175,7 @@ static __init void relocate_vdso(Elf32_E
7190 - void enable_sep_cpu(void)
7191 - {
7192 - int cpu = get_cpu();
7193 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
7194 -+ struct tss_struct *tss = init_tss + cpu;
7195 -
7196 - if (!boot_cpu_has(X86_FEATURE_SEP)) {
7197 - put_cpu();
7198 -@@ -198,7 +198,7 @@ static int __init gate_vma_init(void)
7199 - gate_vma.vm_start = FIXADDR_USER_START;
7200 - gate_vma.vm_end = FIXADDR_USER_END;
7201 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
7202 -- gate_vma.vm_page_prot = __P101;
7203 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
7204 - /*
7205 - * Make sure the vDSO gets into every core dump.
7206 - * Dumping its contents makes post-mortem fully interpretable later
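Review bot: deriving gate_vma.vm_page_prot from vm_get_page_prot(vm_flags) instead of the hard-coded __P101 index is the right fix, since it keeps the page protection in step with the VM_EXEC bit set on the line above; any change to the protection map made elsewhere for PAGEEXEC is then picked up automatically, whereas the old constant would silently disagree with it.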
7207 -@@ -281,7 +281,7 @@ int arch_setup_additional_pages(struct l
7208 - if (compat)
7209 - addr = VDSO_HIGH_BASE;
7210 - else {
7211 -- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
7212 -+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
7213 - if (IS_ERR_VALUE(addr)) {
7214 - ret = addr;
7215 - goto up_fail;
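Review bot: passing MAP_EXECUTABLE into get_unmapped_area() for the non-compat vDSO is what lets the i386 arch_get_unmapped_area() added later in this patch (sys_i386_32.c) treat the vDSO as an executable mapping when PAGEEXEC runs without NX; the dependency is invisible at this call site, so a short comment stating why the flag is required would help anyone who later tries to drop it.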
7216 -@@ -306,7 +306,7 @@ int arch_setup_additional_pages(struct l
7217 - goto up_fail;
7218 - }
7219 -
7220 -- current->mm->context.vdso = (void *)addr;
7221 -+ current->mm->context.vdso = addr;
7222 - current_thread_info()->sysenter_return =
7223 - (void *)VDSO_SYM(&SYSENTER_RETURN);
7224 -
7225 -@@ -318,8 +318,14 @@ int arch_setup_additional_pages(struct l
7226 -
7227 - const char *arch_vma_name(struct vm_area_struct *vma)
7228 - {
7229 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
7230 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
7231 - return "[vdso]";
7232 -+
7233 -+#ifdef CONFIG_PAX_SEGMEXEC
7234 -+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
7235 -+ return "[vdso]";
7236 -+#endif
7237 -+
7238 - return NULL;
7239 - }
7240 -
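Review bot: the SEGMEXEC branch is safe (vm_mirror is NULL-checked before it is dereferenced), but it repeats the vma->vm_mm test from the line above; hoisting that test would let both checks sit in one `if` chain and keep the #ifdef block minimal.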
7241 -@@ -328,7 +334,7 @@ struct vm_area_struct *get_gate_vma(stru
7242 - struct mm_struct *mm = tsk->mm;
7243 -
7244 - /* Check to see if this task was created in compat vdso mode */
7245 -- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
7246 -+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
7247 - return &gate_vma;
7248 - return NULL;
7249 - }
7250 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c
7251 ---- linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c 2008-03-24 14:49:18.000000000 -0400
7252 -+++ linux-2.6.24.4/arch/x86/kernel/sys_i386_32.c 2008-03-26 17:56:55.000000000 -0400
7253 -@@ -39,6 +39,21 @@ asmlinkage int sys_pipe(unsigned long __
7254 - return error;
7255 - }
7256 -
7257 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
7258 -+{
7259 -+ unsigned long task_size = TASK_SIZE;
7260 -+
7261 -+#ifdef CONFIG_PAX_SEGMEXEC
7262 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
7263 -+ task_size = SEGMEXEC_TASK_SIZE;
7264 -+#endif
7265 -+
7266 -+ if (len > task_size || addr > task_size - len)
7267 -+ return -EINVAL;
7268 -+
7269 -+ return 0;
7270 -+}
7271 -+
7272 - asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
7273 - unsigned long prot, unsigned long flags,
7274 - unsigned long fd, unsigned long pgoff)
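Review bot: the check order in i386_mmap_check() is the correct way to write a bounds test on unsigned values: `len > task_size` is evaluated first, so `task_size - len` cannot wrap, and `addr > task_size - len` then rejects any [addr, addr+len) range that crosses the top of user space without ever computing addr + len. Two follow-ups: the function is non-static with no prototype in this hunk, so a declaration belongs in a header, and `current->mm` is dereferenced under CONFIG_PAX_SEGMEXEC without a NULL check, which is fine only if every caller is guaranteed to run in a process that has an mm.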
7275 -@@ -98,6 +113,205 @@ out:
7276 - return err;
7277 - }
7278 -
7279 -+unsigned long
7280 -+arch_get_unmapped_area(struct file *filp, unsigned long addr,
7281 -+ unsigned long len, unsigned long pgoff, unsigned long flags)
7282 -+{
7283 -+ struct mm_struct *mm = current->mm;
7284 -+ struct vm_area_struct *vma;
7285 -+ unsigned long start_addr, task_size = TASK_SIZE;
7286 -+
7287 -+#ifdef CONFIG_PAX_SEGMEXEC
7288 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7289 -+ task_size = SEGMEXEC_TASK_SIZE;
7290 -+#endif
7291 -+
7292 -+ if (len > task_size)
7293 -+ return -ENOMEM;
7294 -+
7295 -+ if (flags & MAP_FIXED)
7296 -+ return addr;
7297 -+
7298 -+#ifdef CONFIG_PAX_RANDMMAP
7299 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7300 -+#endif
7301 -+
7302 -+ if (addr) {
7303 -+ addr = PAGE_ALIGN(addr);
7304 -+ vma = find_vma(mm, addr);
7305 -+ if (task_size - len >= addr &&
7306 -+ (!vma || addr + len <= vma->vm_start))
7307 -+ return addr;
7308 -+ }
7309 -+ if (len > mm->cached_hole_size) {
7310 -+ start_addr = addr = mm->free_area_cache;
7311 -+ } else {
7312 -+ start_addr = addr = mm->mmap_base;
7313 -+ mm->cached_hole_size = 0;
7314 -+ }
7315 -+
7316 -+#ifdef CONFIG_PAX_PAGEEXEC
7317 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
7318 -+ start_addr = 0x00110000UL;
7319 -+
7320 -+#ifdef CONFIG_PAX_RANDMMAP
7321 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7322 -+ start_addr += mm->delta_mmap & 0x03FFF000UL;
7323 -+#endif
7324 -+
7325 -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
7326 -+ start_addr = addr = mm->mmap_base;
7327 -+ else
7328 -+ addr = start_addr;
7329 -+ }
7330 -+#endif
7331 -+
7332 -+full_search:
7333 -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
7334 -+ /* At this point: (!vma || addr < vma->vm_end). */
7335 -+ if (task_size - len < addr) {
7336 -+ /*
7337 -+ * Start a new search - just in case we missed
7338 -+ * some holes.
7339 -+ */
7340 -+ if (start_addr != mm->mmap_base) {
7341 -+ start_addr = addr = mm->mmap_base;
7342 -+ mm->cached_hole_size = 0;
7343 -+ goto full_search;
7344 -+ }
7345 -+ return -ENOMEM;
7346 -+ }
7347 -+ if (!vma || addr + len <= vma->vm_start) {
7348 -+ /*
7349 -+ * Remember the place where we stopped the search:
7350 -+ */
7351 -+ mm->free_area_cache = addr + len;
7352 -+ return addr;
7353 -+ }
7354 -+ if (addr + mm->cached_hole_size < vma->vm_start)
7355 -+ mm->cached_hole_size = vma->vm_start - addr;
7356 -+ addr = vma->vm_end;
7357 -+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
7358 -+ start_addr = addr = mm->mmap_base;
7359 -+ mm->cached_hole_size = 0;
7360 -+ goto full_search;
7361 -+ }
7362 -+ }
7363 -+}
7364 -+
7365 -+unsigned long
7366 -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7367 -+ const unsigned long len, const unsigned long pgoff,
7368 -+ const unsigned long flags)
7369 -+{
7370 -+ struct vm_area_struct *vma;
7371 -+ struct mm_struct *mm = current->mm;
7372 -+ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
7373 -+
7374 -+#ifdef CONFIG_PAX_SEGMEXEC
7375 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7376 -+ task_size = SEGMEXEC_TASK_SIZE;
7377 -+#endif
7378 -+
7379 -+ /* requested length too big for entire address space */
7380 -+ if (len > task_size)
7381 -+ return -ENOMEM;
7382 -+
7383 -+ if (flags & MAP_FIXED)
7384 -+ return addr;
7385 -+
7386 -+#ifdef CONFIG_PAX_PAGEEXEC
7387 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
7388 -+ goto bottomup;
7389 -+#endif
7390 -+
7391 -+#ifdef CONFIG_PAX_RANDMMAP
7392 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7393 -+#endif
7394 -+
7395 -+ /* requesting a specific address */
7396 -+ if (addr) {
7397 -+ addr = PAGE_ALIGN(addr);
7398 -+ vma = find_vma(mm, addr);
7399 -+ if (task_size - len >= addr &&
7400 -+ (!vma || addr + len <= vma->vm_start))
7401 -+ return addr;
7402 -+ }
7403 -+
7404 -+ /* check if free_area_cache is useful for us */
7405 -+ if (len <= mm->cached_hole_size) {
7406 -+ mm->cached_hole_size = 0;
7407 -+ mm->free_area_cache = mm->mmap_base;
7408 -+ }
7409 -+
7410 -+ /* either no address requested or can't fit in requested address hole */
7411 -+ addr = mm->free_area_cache;
7412 -+
7413 -+ /* make sure it can fit in the remaining address space */
7414 -+ if (addr > len) {
7415 -+ vma = find_vma(mm, addr-len);
7416 -+ if (!vma || addr <= vma->vm_start)
7417 -+ /* remember the address as a hint for next time */
7418 -+ return (mm->free_area_cache = addr-len);
7419 -+ }
7420 -+
7421 -+ if (mm->mmap_base < len)
7422 -+ goto bottomup;
7423 -+
7424 -+ addr = mm->mmap_base-len;
7425 -+
7426 -+ do {
7427 -+ /*
7428 -+ * Lookup failure means no vma is above this address,
7429 -+ * else if new region fits below vma->vm_start,
7430 -+ * return with success:
7431 -+ */
7432 -+ vma = find_vma(mm, addr);
7433 -+ if (!vma || addr+len <= vma->vm_start)
7434 -+ /* remember the address as a hint for next time */
7435 -+ return (mm->free_area_cache = addr);
7436 -+
7437 -+ /* remember the largest hole we saw so far */
7438 -+ if (addr + mm->cached_hole_size < vma->vm_start)
7439 -+ mm->cached_hole_size = vma->vm_start - addr;
7440 -+
7441 -+ /* try just below the current vma->vm_start */
7442 -+ addr = vma->vm_start-len;
7443 -+ } while (len < vma->vm_start);
7444 -+
7445 -+bottomup:
7446 -+ /*
7447 -+ * A failed mmap() very likely causes application failure,
7448 -+ * so fall back to the bottom-up function here. This scenario
7449 -+ * can happen with large stack limits and large mmap()
7450 -+ * allocations.
7451 -+ */
7452 -+
7453 -+#ifdef CONFIG_PAX_SEGMEXEC
7454 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7455 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7456 -+ else
7457 -+#endif
7458 -+
7459 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
7460 -+
7461 -+#ifdef CONFIG_PAX_RANDMMAP
7462 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7463 -+ mm->mmap_base += mm->delta_mmap;
7464 -+#endif
7465 -+
7466 -+ mm->free_area_cache = mm->mmap_base;
7467 -+ mm->cached_hole_size = ~0UL;
7468 -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
7469 -+ /*
7470 -+ * Restore the topdown base:
7471 -+ */
7472 -+ mm->mmap_base = base;
7473 -+ mm->free_area_cache = base;
7474 -+ mm->cached_hole_size = ~0UL;
7475 -+
7476 -+ return addr;
7477 -+}
7478 -
7479 - struct sel_arg_struct {
7480 - unsigned long n;
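Review bot: the `#ifdef CONFIG_PAX_RANDMMAP / if (...) / #endif` immediately followed by `if (addr) {` is a dangling if whose body is the whole hint-handling block, so with RANDMMAP enabled the caller's address hint is honoured only for anonymous mappings (`!filp`); that is intended, but it is easy to misread and easy to break by inserting a statement between the two lines, so braces around the inner block or a comment are warranted (the same construct appears in arch_get_unmapped_area_topdown() and in sys_x86_64.c). The PAGEEXEC block that starts executable mappings at 0x00110000UL plus a randomised offset masked with 0x03FFF000UL also needs a comment explaining why executable mappings are packed low on CPUs without NX, since that layout is presumably what the user_cs_limit handling added to do_general_protection() relies on.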
7481 -diff -urNp linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c
7482 ---- linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c 2008-03-24 14:49:18.000000000 -0400
7483 -+++ linux-2.6.24.4/arch/x86/kernel/sys_x86_64.c 2008-03-26 17:56:55.000000000 -0400
7484 -@@ -61,8 +61,8 @@ out:
7485 - return error;
7486 - }
7487 -
7488 --static void find_start_end(unsigned long flags, unsigned long *begin,
7489 -- unsigned long *end)
7490 -+static void find_start_end(struct mm_struct *mm, unsigned long flags,
7491 -+ unsigned long *begin, unsigned long *end)
7492 - {
7493 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
7494 - /* This is usually used needed to map code in small
7495 -@@ -75,7 +75,7 @@ static void find_start_end(unsigned long
7496 - *begin = 0x40000000;
7497 - *end = 0x80000000;
7498 - } else {
7499 -- *begin = TASK_UNMAPPED_BASE;
7500 -+ *begin = mm->mmap_base;
7501 - *end = TASK_SIZE;
7502 - }
7503 - }
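Review bot: using mm->mmap_base instead of TASK_UNMAPPED_BASE as the bottom-up start is what makes the 64-bit search honour a randomised base; the MAP_32BIT branch above it keeps its fixed 0x40000000 start, so mappings requested with MAP_32BIT remain deterministic. That is a known gap in address-space randomisation and should be stated explicitly in the changelog rather than left for readers to infer.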
7504 -@@ -92,11 +92,15 @@ arch_get_unmapped_area(struct file *filp
7505 - if (flags & MAP_FIXED)
7506 - return addr;
7507 -
7508 -- find_start_end(flags, &begin, &end);
7509 -+ find_start_end(mm, flags, &begin, &end);
7510 -
7511 - if (len > end)
7512 - return -ENOMEM;
7513 -
7514 -+#ifdef CONFIG_PAX_RANDMMAP
7515 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
7516 -+#endif
7517 -+
7518 - if (addr) {
7519 - addr = PAGE_ALIGN(addr);
7520 - vma = find_vma(mm, addr);
7521 -diff -urNp linux-2.6.24.4/arch/x86/kernel/time_32.c linux-2.6.24.4/arch/x86/kernel/time_32.c
7522 ---- linux-2.6.24.4/arch/x86/kernel/time_32.c 2008-03-24 14:49:18.000000000 -0400
7523 -+++ linux-2.6.24.4/arch/x86/kernel/time_32.c 2008-03-26 17:56:55.000000000 -0400
7524 -@@ -130,20 +130,30 @@ unsigned long profile_pc(struct pt_regs
7525 - if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
7526 - in_lock_functions(pc)) {
7527 - #ifdef CONFIG_FRAME_POINTER
7528 -- return *(unsigned long *)(regs->ebp + 4);
7529 -+ return ktla_ktva(*(unsigned long *)(regs->ebp + 4));
7530 - #else
7531 - unsigned long *sp = (unsigned long *)&regs->esp;
7532 -
7533 - /* Return address is either directly at stack pointer
7534 - or above a saved eflags. Eflags has bits 22-31 zero,
7535 - kernel addresses don't. */
7536 -+
7537 -+#ifdef CONFIG_PAX_KERNEXEC
7538 -+ return ktla_ktva(sp[0]);
7539 -+#else
7540 - if (sp[0] >> 22)
7541 - return sp[0];
7542 - if (sp[1] >> 22)
7543 - return sp[1];
7544 - #endif
7545 -+
7546 -+#endif
7547 - }
7548 - #endif
7549 -+
7550 -+ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
7551 -+ pc = ktla_ktva(pc);
7552 -+
7553 - return pc;
7554 - }
7555 - EXPORT_SYMBOL(profile_pc);
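Review bot: the #endif nesting in this hunk is now hard to follow: the pre-existing `#endif` that closed the CONFIG_FRAME_POINTER #else branch now closes the new CONFIG_PAX_KERNEXEC block, and a second `#endif` was added for FRAME_POINTER; tagging each with `#endif /* CONFIG_... */` would make that visible. In the KERNEXEC branch the `sp[0] >> 22` heuristic described in the comment above is bypassed and sp[0] is returned unconditionally, so that comment no longer describes the KERNEXEC behaviour and should say why the eflags check is unnecessary there.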
7556 -diff -urNp linux-2.6.24.4/arch/x86/kernel/traps_32.c linux-2.6.24.4/arch/x86/kernel/traps_32.c
7557 ---- linux-2.6.24.4/arch/x86/kernel/traps_32.c 2008-03-24 14:49:18.000000000 -0400
7558 -+++ linux-2.6.24.4/arch/x86/kernel/traps_32.c 2008-03-26 17:56:55.000000000 -0400
7559 -@@ -29,6 +29,7 @@
7560 - #include <linux/uaccess.h>
7561 - #include <linux/nmi.h>
7562 - #include <linux/bug.h>
7563 -+#include <linux/binfmts.h>
7564 -
7565 - #ifdef CONFIG_EISA
7566 - #include <linux/ioport.h>
7567 -@@ -71,12 +72,7 @@ asmlinkage int system_call(void);
7568 - /* Do we ignore FPU interrupts ? */
7569 - char ignore_fpu_irq = 0;
7570 -
7571 --/*
7572 -- * The IDT has to be page-aligned to simplify the Pentium
7573 -- * F0 0F bug workaround.. We have a special link segment
7574 -- * for this.
7575 -- */
7576 --struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
7577 -+extern struct desc_struct idt_table[256];
7578 -
7579 - asmlinkage void divide_error(void);
7580 - asmlinkage void debug(void);
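Review bot: turning idt_table into an extern declaration discards the comment explaining that the IDT must be page-aligned for the Pentium F0 0F workaround; wherever the table is now defined (not in this hunk), that alignment requirement and the comment should travel with it, and a grep for any remaining `.data.idt` reference in the linker script would confirm nothing still expects the old placement.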
7581 -@@ -306,22 +302,23 @@ void show_registers(struct pt_regs *regs
7582 - * When in-kernel, we also print out the stack and code at the
7583 - * time of the fault..
7584 - */
7585 -- if (!user_mode_vm(regs)) {
7586 -+ if (!user_mode(regs)) {
7587 - u8 *eip;
7588 - unsigned int code_prologue = code_bytes * 43 / 64;
7589 - unsigned int code_len = code_bytes;
7590 - unsigned char c;
7591 -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
7592 -
7593 - printk("\n" KERN_EMERG "Stack: ");
7594 - show_stack_log_lvl(NULL, regs, &regs->esp, KERN_EMERG);
7595 -
7596 - printk(KERN_EMERG "Code: ");
7597 -
7598 -- eip = (u8 *)regs->eip - code_prologue;
7599 -+ eip = (u8 *)regs->eip - code_prologue + cs_base;
7600 - if (eip < (u8 *)PAGE_OFFSET ||
7601 - probe_kernel_address(eip, c)) {
7602 - /* try starting at EIP */
7603 -- eip = (u8 *)regs->eip;
7604 -+ eip = (u8 *)regs->eip + cs_base;
7605 - code_len = code_len - code_prologue + 1;
7606 - }
7607 - for (i = 0; i < code_len; i++, eip++) {
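Review bot: adding the segment base from the current GDT to regs->eip before dumping code bytes is required once kernel text is reached through a non-zero CS base, but the index `(0xffff & regs->xcs) >> 3` is used unchecked: at oops time the register image may be corrupt, and a selector beyond the GDT or with the TI bit set would read outside the table inside the very path meant to print the failure. Bounding the index, or applying cs_base only when xcs == __KERNEL_CS as the gp_in_kernel hunk does, keeps the oops printer robust.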
7608 -@@ -330,7 +327,7 @@ void show_registers(struct pt_regs *regs
7609 - printk(" Bad EIP value.");
7610 - break;
7611 - }
7612 -- if (eip == (u8 *)regs->eip)
7613 -+ if (eip == (u8 *)regs->eip + cs_base)
7614 - printk("<%02x> ", c);
7615 - else
7616 - printk("%02x ", c);
7617 -@@ -343,6 +340,7 @@ int is_valid_bugaddr(unsigned long eip)
7618 - {
7619 - unsigned short ud2;
7620 -
7621 -+ eip = ktla_ktva(eip);
7622 - if (eip < PAGE_OFFSET)
7623 - return 0;
7624 - if (probe_kernel_address((unsigned short *)eip, ud2))
7625 -@@ -444,7 +442,7 @@ void die(const char * str, struct pt_reg
7626 -
7627 - static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
7628 - {
7629 -- if (!user_mode_vm(regs))
7630 -+ if (!user_mode(regs))
7631 - die(str, regs, err);
7632 - }
7633 -
7634 -@@ -460,7 +458,7 @@ static void __kprobes do_trap(int trapnr
7635 - goto trap_signal;
7636 - }
7637 -
7638 -- if (!user_mode(regs))
7639 -+ if (!user_mode_novm(regs))
7640 - goto kernel_trap;
7641 -
7642 - trap_signal: {
7643 -@@ -566,7 +564,7 @@ fastcall void __kprobes do_general_prote
7644 - long error_code)
7645 - {
7646 - int cpu = get_cpu();
7647 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
7648 -+ struct tss_struct *tss = &init_tss[cpu];
7649 - struct thread_struct *thread = &current->thread;
7650 -
7651 - /*
7652 -@@ -599,9 +597,25 @@ fastcall void __kprobes do_general_prote
7653 - if (regs->eflags & VM_MASK)
7654 - goto gp_in_vm86;
7655 -
7656 -- if (!user_mode(regs))
7657 -+ if (!user_mode_novm(regs))
7658 - goto gp_in_kernel;
7659 -
7660 -+#ifdef CONFIG_PAX_PAGEEXEC
7661 -+ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
7662 -+ struct mm_struct *mm = current->mm;
7663 -+ unsigned long limit;
7664 -+
7665 -+ down_write(&mm->mmap_sem);
7666 -+ limit = mm->context.user_cs_limit;
7667 -+ if (limit < TASK_SIZE) {
7668 -+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
7669 -+ up_write(&mm->mmap_sem);
7670 -+ return;
7671 -+ }
7672 -+ up_write(&mm->mmap_sem);
7673 -+ }
7674 -+#endif
7675 -+
7676 - current->thread.error_code = error_code;
7677 - current->thread.trap_no = 13;
7678 - if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
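Review bot: the PAGEEXEC block returns from a user-mode #GP without delivering a signal after calling track_exec_limit() under down_write(&mm->mmap_sem), and nothing here says what guarantees that the faulting instruction makes progress on retry rather than taking the same fault again. A comment describing the contract of track_exec_limit() (in particular what it does when no executable mapping exists above `limit`) is needed, and the write lock in a fault path should be justified, since a read lock is enough to walk the VMAs unless track_exec_limit() mutates them.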
7679 -@@ -626,6 +640,13 @@ gp_in_kernel:
7680 - if (notify_die(DIE_GPF, "general protection fault", regs,
7681 - error_code, 13, SIGSEGV) == NOTIFY_STOP)
7682 - return;
7683 -+
7684 -+#ifdef CONFIG_PAX_KERNEXEC
7685 -+ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
7686 -+ die("PAX: suspicious general protection fault", regs, error_code);
7687 -+ else
7688 -+#endif
7689 -+
7690 - die("general protection fault", regs, error_code);
7691 - }
7692 - }
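Review bot: the `else` that ends the KERNEXEC block and the unconditional die() after `#endif` form another dangling construct that only reads correctly with the #ifdef in mind; braces would make it robust. The distinct "PAX: suspicious general protection fault" message is valuable as a detection signal (a #GP taken with CS == __KERNEL_CS under KERNEXEC means kernel code hit a protection it should never hit), so keep the wording stable and document it, since log monitoring will key on it.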
7693 -@@ -715,7 +736,7 @@ void __kprobes die_nmi(struct pt_regs *r
7694 - /* If we are in kernel we are probably nested up pretty bad
7695 - * and might aswell get out now while we still can.
7696 - */
7697 -- if (!user_mode_vm(regs)) {
7698 -+ if (!user_mode(regs)) {
7699 - current->thread.trap_no = 2;
7700 - crash_kexec(regs);
7701 - }
7702 -@@ -866,7 +887,7 @@ fastcall void __kprobes do_debug(struct
7703 - * check for kernel mode by just checking the CPL
7704 - * of CS.
7705 - */
7706 -- if (!user_mode(regs))
7707 -+ if (!user_mode_novm(regs))
7708 - goto clear_TF_reenable;
7709 - }
7710 -
7711 -@@ -1044,18 +1065,14 @@ fastcall void do_spurious_interrupt_bug(
7712 - fastcall unsigned long patch_espfix_desc(unsigned long uesp,
7713 - unsigned long kesp)
7714 - {
7715 -- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
7716 - unsigned long base = (kesp - uesp) & -THREAD_SIZE;
7717 - unsigned long new_kesp = kesp - base;
7718 - unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
7719 -- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
7720 -+ __u32 a, b;
7721 -+
7722 - /* Set up base for espfix segment */
7723 -- desc &= 0x00f0ff0000000000ULL;
7724 -- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
7725 -- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
7726 -- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
7727 -- (lim_pages & 0xffff);
7728 -- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
7729 -+ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
7730 -+ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
7731 - return new_kesp;
7732 - }
7733 -
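Review bot: the rewrite hard-codes the espfix descriptor's type (0x93) and flags (0xC), whereas the removed code masked the existing GDT_ENTRY_ESPFIX_SS entry with 0x00f0ff0000000000ULL and preserved whatever type and flags it already had; confirm the static GDT initialiser for that entry carries exactly those attributes, otherwise this silently changes the segment. Going through write_gdt_entry() instead of a raw 64-bit store is the right direction for a read-only GDT, but that helper must itself handle the KERNEXEC open/close, which is not visible here.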
7734 -diff -urNp linux-2.6.24.4/arch/x86/kernel/tsc_32.c linux-2.6.24.4/arch/x86/kernel/tsc_32.c
7735 ---- linux-2.6.24.4/arch/x86/kernel/tsc_32.c 2008-03-24 14:49:18.000000000 -0400
7736 -+++ linux-2.6.24.4/arch/x86/kernel/tsc_32.c 2008-03-26 17:56:55.000000000 -0400
7737 -@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
7738 - DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
7739 - },
7740 - },
7741 -- {}
7742 -+ { NULL, NULL, {{0, NULL}}, NULL}
7743 - };
7744 -
7745 - /*
7746 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vm86_32.c linux-2.6.24.4/arch/x86/kernel/vm86_32.c
7747 ---- linux-2.6.24.4/arch/x86/kernel/vm86_32.c 2008-03-24 14:49:18.000000000 -0400
7748 -+++ linux-2.6.24.4/arch/x86/kernel/vm86_32.c 2008-03-26 17:56:55.000000000 -0400
7749 -@@ -146,7 +146,7 @@ struct pt_regs * fastcall save_v86_state
7750 - do_exit(SIGSEGV);
7751 - }
7752 -
7753 -- tss = &per_cpu(init_tss, get_cpu());
7754 -+ tss = init_tss + get_cpu();
7755 - current->thread.esp0 = current->thread.saved_esp0;
7756 - current->thread.sysenter_cs = __KERNEL_CS;
7757 - load_esp0(tss, &current->thread);
7758 -@@ -322,7 +322,7 @@ static void do_sys_vm86(struct kernel_vm
7759 - tsk->thread.saved_fs = info->regs32->xfs;
7760 - savesegment(gs, tsk->thread.saved_gs);
7761 -
7762 -- tss = &per_cpu(init_tss, get_cpu());
7763 -+ tss = init_tss + get_cpu();
7764 - tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
7765 - if (cpu_has_sep)
7766 - tsk->thread.sysenter_cs = 0;
7767 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmi_32.c linux-2.6.24.4/arch/x86/kernel/vmi_32.c
7768 ---- linux-2.6.24.4/arch/x86/kernel/vmi_32.c 2008-03-24 14:49:18.000000000 -0400
7769 -+++ linux-2.6.24.4/arch/x86/kernel/vmi_32.c 2008-03-26 17:56:55.000000000 -0400
7770 -@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
7771 - {
7772 - u64 reloc;
7773 - struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
7774 -+
7775 -+#ifdef CONFIG_PAX_KERNEXEC
7776 -+ unsigned long cr0;
7777 -+#endif
7778 -+
7779 - reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
7780 - switch(rel->type) {
7781 - case VMI_RELOCATION_CALL_REL:
7782 - BUG_ON(len < 5);
7783 -+
7784 -+#ifdef CONFIG_PAX_KERNEXEC
7785 -+ pax_open_kernel(cr0);
7786 -+#endif
7787 -+
7788 - *(char *)insnbuf = MNEM_CALL;
7789 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
7790 -+
7791 -+#ifdef CONFIG_PAX_KERNEXEC
7792 -+ pax_close_kernel(cr0);
7793 -+#endif
7794 -+
7795 - return 5;
7796 -
7797 - case VMI_RELOCATION_JUMP_REL:
7798 - BUG_ON(len < 5);
7799 -+
7800 -+#ifdef CONFIG_PAX_KERNEXEC
7801 -+ pax_open_kernel(cr0);
7802 -+#endif
7803 -+
7804 - *(char *)insnbuf = MNEM_JMP;
7805 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
7806 -+
7807 -+#ifdef CONFIG_PAX_KERNEXEC
7808 -+ pax_close_kernel(cr0);
7809 -+#endif
7810 -+
7811 - return 5;
7812 -
7813 - case VMI_RELOCATION_NOP:
7814 -@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
7815 -
7816 - static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
7817 - {
7818 -- const pte_t pte = { 0 };
7819 -+ const pte_t pte = __pte(0ULL);
7820 - vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
7821 - vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
7822 - }
7823 -
7824 - static void vmi_pmd_clear(pmd_t *pmd)
7825 - {
7826 -- const pte_t pte = { 0 };
7827 -+ const pte_t pte = __pte(0ULL);
7828 - vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
7829 - vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
7830 - }
7831 -@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
7832 - ap.ss = __KERNEL_DS;
7833 - ap.esp = (unsigned long) start_esp;
7834 -
7835 -- ap.ds = __USER_DS;
7836 -- ap.es = __USER_DS;
7837 -+ ap.ds = __KERNEL_DS;
7838 -+ ap.es = __KERNEL_DS;
7839 - ap.fs = __KERNEL_PERCPU;
7840 - ap.gs = 0;
7841 -
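Review bot: switching the AP's ds/es from __USER_DS to __KERNEL_DS in the startup IPI hook is a semantic change the hunk does not explain; if this patch narrows __USER_DS elsewhere so that it no longer covers kernel addresses, an AP booting with __USER_DS in ds/es would fault on its first kernel data access, and that is the reason to record in a comment.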
7842 -@@ -724,12 +749,20 @@ static inline int __init activate_vmi(vo
7843 - u64 reloc;
7844 - const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
7845 -
7846 -+#ifdef CONFIG_PAX_KERNEXEC
7847 -+ unsigned long cr0;
7848 -+#endif
7849 -+
7850 - if (call_vrom_func(vmi_rom, vmi_init) != 0) {
7851 - printk(KERN_ERR "VMI ROM failed to initialize!");
7852 - return 0;
7853 - }
7854 - savesegment(cs, kernel_cs);
7855 -
7856 -+#ifdef CONFIG_PAX_KERNEXEC
7857 -+ pax_open_kernel(cr0);
7858 -+#endif
7859 -+
7860 - pv_info.paravirt_enabled = 1;
7861 - pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
7862 - pv_info.name = "vmi";
7863 -@@ -917,6 +950,10 @@ static inline int __init activate_vmi(vo
7864 -
7865 - para_fill(pv_irq_ops.safe_halt, Halt);
7866 -
7867 -+#ifdef CONFIG_PAX_KERNEXEC
7868 -+ pax_close_kernel(cr0);
7869 -+#endif
7870 -+
7871 - /*
7872 - * Alternative instruction rewriting doesn't happen soon enough
7873 - * to convert VMI_IRET to a call instead of a jump; so we have
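Review bot: the pax_open_kernel()/pax_close_kernel() pair here spans two hunks and roughly two hundred lines of para_fill() assignments, so the kernel image stays writable for the whole of activate_vmi(); that is tolerable in __init code but should be documented, and narrowing the window to the pv_*_ops stores (or filling a local copy and committing it in one short window) would match the minimal-window style used in the rest of the patch.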
7874 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S
7875 ---- linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S 2008-03-24 14:49:18.000000000 -0400
7876 -+++ linux-2.6.24.4/arch/x86/kernel/vmlinux_32.lds.S 2008-03-26 17:56:55.000000000 -0400
7877 -@@ -21,6 +21,20 @@
7878 - #include <asm/page.h>
7879 - #include <asm/cache.h>
7880 - #include <asm/boot.h>
7881 -+#include <asm/segment.h>
7882 -+
7883 -+#ifdef CONFIG_X86_PAE
7884 -+#define PMD_SHIFT 21
7885 -+#else
7886 -+#define PMD_SHIFT 22
7887 -+#endif
7888 -+#define PMD_SIZE (1 << PMD_SHIFT)
7889 -+
7890 -+#ifdef CONFIG_PAX_KERNEXEC
7891 -+#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1)))
7892 -+#else
7893 -+#define __KERNEL_TEXT_OFFSET 0
7894 -+#endif
7895 -
7896 - OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
7897 - OUTPUT_ARCH(i386)
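Review bot: redefining PMD_SHIFT and PMD_SIZE locally in the linker script duplicates values the page-table headers already own, so the two can drift (a PAE change in the header would not reach this file); a comment explaining why the header cannot be included here, plus a preprocessor check that the local value matches where possible, would prevent that. The __KERNEL_TEXT_OFFSET expression also uses ____LOAD_PHYSICAL_ADDR (four underscores), a symbol not introduced in any hunk shown, so its origin should be noted.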
7898 -@@ -28,22 +42,125 @@ ENTRY(phys_startup_32)
7899 - jiffies = jiffies_64;
7900 -
7901 - PHDRS {
7902 -- text PT_LOAD FLAGS(5); /* R_E */
7903 -- data PT_LOAD FLAGS(7); /* RWE */
7904 -- note PT_NOTE FLAGS(0); /* ___ */
7905 -+ initdata PT_LOAD FLAGS(6); /* RW_ */
7906 -+ percpu PT_LOAD FLAGS(6); /* RW_ */
7907 -+ inittext PT_LOAD FLAGS(5); /* R_E */
7908 -+ text PT_LOAD FLAGS(5); /* R_E */
7909 -+ rodata PT_LOAD FLAGS(4); /* R__ */
7910 -+ data PT_LOAD FLAGS(6); /* RW_ */
7911 -+ note PT_NOTE FLAGS(0); /* ___ */
7912 - }
7913 - SECTIONS
7914 - {
7915 -- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
7916 -- phys_startup_32 = startup_32 - LOAD_OFFSET;
7917 -+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
7918 -+
7919 -+ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
7920 -+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET;
7921 -+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
7922 -+ *(.text.startup)
7923 -+ } :initdata
7924 -+
7925 -+ /* might get freed after init */
7926 -+ . = ALIGN(4096);
7927 -+ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
7928 -+ __smp_locks = .;
7929 -+ *(.smp_locks)
7930 -+ __smp_locks_end = .;
7931 -+ }
7932 -+ /* will be freed after init
7933 -+ * Following ALIGN() is required to make sure no other data falls on the
7934 -+ * same page where __smp_alt_end is pointing as that page might be freed
7935 -+ * after boot. Always make sure that ALIGN() directive is present after
7936 -+ * the section which contains __smp_alt_end.
7937 -+ */
7938 -+ . = ALIGN(4096);
7939 -+
7940 -+ /* will be freed after init */
7941 -+ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
7942 -+ __init_begin = .;
7943 -+ *(.init.data)
7944 -+ }
7945 -+ . = ALIGN(16);
7946 -+ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
7947 -+ __setup_start = .;
7948 -+ *(.init.setup)
7949 -+ __setup_end = .;
7950 -+ }
7951 -+ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
7952 -+ __initcall_start = .;
7953 -+ INITCALLS
7954 -+ __initcall_end = .;
7955 -+ }
7956 -+ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
7957 -+ __con_initcall_start = .;
7958 -+ *(.con_initcall.init)
7959 -+ __con_initcall_end = .;
7960 -+ }
7961 -+ SECURITY_INIT
7962 -+ . = ALIGN(4);
7963 -+ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
7964 -+ __alt_instructions = .;
7965 -+ *(.altinstructions)
7966 -+ __alt_instructions_end = .;
7967 -+ }
7968 -+ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
7969 -+ *(.altinstr_replacement)
7970 -+ }
7971 -+ . = ALIGN(4);
7972 -+ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
7973 -+ __parainstructions = .;
7974 -+ *(.parainstructions)
7975 -+ __parainstructions_end = .;
7976 -+ }
7977 -+ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
7978 -+#if defined(CONFIG_BLK_DEV_INITRD)
7979 -+ . = ALIGN(4096);
7980 -+ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
7981 -+ __initramfs_start = .;
7982 -+ *(.init.ramfs)
7983 -+ __initramfs_end = .;
7984 -+ }
7985 -+#endif
7986 -+ . = ALIGN(4096);
7987 -+ per_cpu_start = .;
7988 -+ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
7989 -+ __per_cpu_start = . + per_cpu_start;
7990 -+ LONG(0)
7991 -+ *(.data.percpu)
7992 -+ *(.data.percpu.shared_aligned)
7993 -+ __per_cpu_end = . + per_cpu_start;
7994 -+ } :percpu
7995 -+ . += per_cpu_start;
7996 -+
7997 -+ /* read-only */
7998 -+
7999 -+ . = ALIGN(4096); /* Init code and data */
8000 -+ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8001 -+ _sinittext = .;
8002 -+ *(.init.text)
8003 -+ _einittext = .;
8004 -+ } :inittext
8005 -+
8006 -+ /* .exit.text is discard at runtime, not link time, to deal with references
8007 -+ from .altinstructions and .eh_frame */
8008 -+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
8009 -
8010 -- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
8011 -- _text = .; /* Text and read-only data */
8012 -+ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8013 -+ BYTE(0)
8014 -+ . = ALIGN(2*PMD_SIZE) - 1;
8015 -+ }
8016 -+
8017 -+ /* freed after init ends here */
8018 -+
8019 -+ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8020 -+ __init_end = . + __KERNEL_TEXT_OFFSET;
8021 -+ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
8022 -+ _text = .; /* Text and read-only data */
8023 - *(.text.head)
8024 - } :text = 0x9090
8025 -
8026 - /* read-only */
8027 -- .text : AT(ADDR(.text) - LOAD_OFFSET) {
8028 -+ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
8029 - TEXT_TEXT
8030 - SCHED_TEXT
8031 - LOCK_TEXT
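Review bot: the `.filler` section (`BYTE(0)` followed by `. = ALIGN(2*PMD_SIZE) - 1`) and the `.text.head` assignments `__init_end = . + __KERNEL_TEXT_OFFSET;` / `KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;` carry the whole KERNEXEC address arithmetic but have no comment; one line saying that the init region is padded so that kernel text starts on a 2*PMD_SIZE boundary and is linked at a VMA shifted by `__KERNEL_TEXT_OFFSET` would save the next reader a lot of time. In the PHDRS block, `data` going from FLAGS(7) to FLAGS(6) and the new `rodata` FLAGS(4) segment are the actual W^X improvement and should be called out in the patch description. Nit: the moved comment still reads `.exit.text is discard at runtime`; make it `discarded` while it is being moved.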
8032 -@@ -53,16 +170,17 @@ SECTIONS
8033 - _etext = .; /* End of text section */
8034 - } :text = 0x9090
8035 -
8036 -- . = ALIGN(16); /* Exception table */
8037 -+ . += __KERNEL_TEXT_OFFSET;
8038 -+ . = ALIGN(4096); /* Exception table */
8039 - __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
8040 - __start___ex_table = .;
8041 - *(__ex_table)
8042 - __stop___ex_table = .;
8043 -- }
8044 -+ } :rodata
8045 -
8046 -- NOTES :text :note
8047 -+ NOTES :rodata :note
8048 -
8049 -- BUG_TABLE :text
8050 -+ BUG_TABLE :rodata
8051 -
8052 - . = ALIGN(4);
8053 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
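Review bot: `__ex_table` alignment jumps from 16 to 4096 and the section moves from `:text` to the new `:rodata` segment; page alignment is required here because this is where the R_E segment ends and the R__ segment starts, but the unchanged `/* Exception table */` comment no longer explains the 4096. The `. += __KERNEL_TEXT_OFFSET;` immediately before it undoes the VMA shift applied to the text sections, so everything from this point on is linked at its unshifted address; that is worth a comment too.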
8054 -@@ -71,11 +189,38 @@ SECTIONS
8055 - __tracedata_end = .;
8056 - }
8057 -
8058 -- RODATA
8059 -+ RO_DATA(4096)
8060 -+
8061 -+ . = ALIGN(4096);
8062 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
8063 -+ *(.idt)
8064 -+ . = ALIGN(4096);
8065 -+ *(.empty_zero_page)
8066 -+ *(.swapper_pm_dir)
8067 -+ *(.swapper_pg_dir)
8068 -+ }
8069 -+
8070 -+#ifdef CONFIG_PAX_KERNEXEC
8071 -+
8072 -+#ifdef CONFIG_MODULES
8073 -+ . = ALIGN(4096);
8074 -+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
8075 -+ MODULES_VADDR = .;
8076 -+ BYTE(0)
8077 -+ . += (6 * 1024 * 1024);
8078 -+ . = ALIGN( PMD_SIZE) - 1;
8079 -+ MODULES_END = .;
8080 -+ }
8081 -+#else
8082 -+ . = ALIGN(PMD_SIZE) - 1;
8083 -+#endif
8084 -+
8085 -+#endif
8086 -
8087 - /* writeable */
8088 - . = ALIGN(4096);
8089 - .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
8090 -+ _data = .;
8091 - DATA_DATA
8092 - CONSTRUCTORS
8093 - } :data
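Review bot: the `.module.text` reservation hard-codes `6 * 1024 * 1024` for all module text with no comment or Kconfig knob, and `MODULES_VADDR`/`MODULES_END` are now defined by the linker script rather than a header; once that region is exhausted no further modules can be loaded, so the limit should be documented and ideally configurable. Moving `.idt`, `.empty_zero_page` and `.swapper_pg_dir` into `.rodata.page_aligned` means every write to the IDT or the initial page tables must now go through `pax_open_kernel()`; this hunk cannot show that all writers were converted, so the description should state it. Nit: `ALIGN( PMD_SIZE)` has a stray space.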
8094 -@@ -91,7 +236,6 @@ SECTIONS
8095 - . = ALIGN(4096);
8096 - .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8097 - *(.data.page_aligned)
8098 -- *(.data.idt)
8099 - }
8100 -
8101 - . = ALIGN(32);
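Review bot: dropping `*(.data.idt)` from `.data.page_aligned` is only correct if the IDT is now emitted into the `.idt` input section collected by `.rodata.page_aligned` above; that rename lives in a source file outside this hunk, so the two changes need to be reviewed together.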
8102 -@@ -111,86 +255,7 @@ SECTIONS
8103 - *(.data.init_task)
8104 - }
8105 -
8106 -- /* might get freed after init */
8107 -- . = ALIGN(4096);
8108 -- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
8109 -- __smp_locks = .;
8110 -- *(.smp_locks)
8111 -- __smp_locks_end = .;
8112 -- }
8113 -- /* will be freed after init
8114 -- * Following ALIGN() is required to make sure no other data falls on the
8115 -- * same page where __smp_alt_end is pointing as that page might be freed
8116 -- * after boot. Always make sure that ALIGN() directive is present after
8117 -- * the section which contains __smp_alt_end.
8118 -- */
8119 -- . = ALIGN(4096);
8120 --
8121 -- /* will be freed after init */
8122 -- . = ALIGN(4096); /* Init code and data */
8123 -- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
8124 -- __init_begin = .;
8125 -- _sinittext = .;
8126 -- *(.init.text)
8127 -- _einittext = .;
8128 -- }
8129 -- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
8130 -- . = ALIGN(16);
8131 -- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
8132 -- __setup_start = .;
8133 -- *(.init.setup)
8134 -- __setup_end = .;
8135 -- }
8136 -- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
8137 -- __initcall_start = .;
8138 -- INITCALLS
8139 -- __initcall_end = .;
8140 -- }
8141 -- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
8142 -- __con_initcall_start = .;
8143 -- *(.con_initcall.init)
8144 -- __con_initcall_end = .;
8145 -- }
8146 -- SECURITY_INIT
8147 -- . = ALIGN(4);
8148 -- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
8149 -- __alt_instructions = .;
8150 -- *(.altinstructions)
8151 -- __alt_instructions_end = .;
8152 -- }
8153 -- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
8154 -- *(.altinstr_replacement)
8155 -- }
8156 -- . = ALIGN(4);
8157 -- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
8158 -- __parainstructions = .;
8159 -- *(.parainstructions)
8160 -- __parainstructions_end = .;
8161 -- }
8162 -- /* .exit.text is discard at runtime, not link time, to deal with references
8163 -- from .altinstructions and .eh_frame */
8164 -- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
8165 -- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
8166 --#if defined(CONFIG_BLK_DEV_INITRD)
8167 -- . = ALIGN(4096);
8168 -- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
8169 -- __initramfs_start = .;
8170 -- *(.init.ramfs)
8171 -- __initramfs_end = .;
8172 -- }
8173 --#endif
8174 -- . = ALIGN(4096);
8175 -- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
8176 -- __per_cpu_start = .;
8177 -- *(.data.percpu)
8178 -- *(.data.percpu.shared_aligned)
8179 -- __per_cpu_end = .;
8180 -- }
8181 -- . = ALIGN(4096);
8182 -- /* freed after init ends here */
8183 --
8184 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
8185 -- __init_end = .;
8186 - __bss_start = .; /* BSS */
8187 - *(.bss.page_aligned)
8188 - *(.bss)
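Review bot: removing `__init_end = .;` from `.bss` (together with the `ALIGN(4096)` that preceded `/* freed after init ends here */`) means `__init_end` is now defined inside `.text.head` as `. + __KERNEL_TEXT_OFFSET`; code such as `free_initmem()` that frees `[__init_begin, __init_end)` therefore relies on the `.filler` padding to end on a page boundary. The old location made the page alignment obvious; a comment at the new definition site should say why it still holds.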
8189 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S
8190 ---- linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S 2008-03-24 14:49:18.000000000 -0400
8191 -+++ linux-2.6.24.4/arch/x86/kernel/vmlinux_64.lds.S 2008-03-26 17:56:55.000000000 -0400
8192 -@@ -16,8 +16,8 @@ jiffies_64 = jiffies;
8193 - _proxy_pda = 1;
8194 - PHDRS {
8195 - text PT_LOAD FLAGS(5); /* R_E */
8196 -- data PT_LOAD FLAGS(7); /* RWE */
8197 -- user PT_LOAD FLAGS(7); /* RWE */
8198 -+ data PT_LOAD FLAGS(6); /* RW_ */
8199 -+ user PT_LOAD FLAGS(7); /* RWX */
8200 - data.init PT_LOAD FLAGS(7); /* RWE */
8201 - note PT_NOTE FLAGS(4); /* R__ */
8202 - }
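Review bot: `data.init PT_LOAD FLAGS(7); /* RWE */` is left executable while `data` is tightened to FLAGS(6); if nothing in the init-data segment is executed in place it should follow `data` to FLAGS(6), otherwise a comment should say what needs the X bit. The `user` segment keeps FLAGS(7) with only its comment changed from `RWE` to `RWX`, which looks like an incomplete edit: either the flags were meant to change as well, or the comment rename is cosmetic and should be applied to the other entries consistently.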
8203 -@@ -52,7 +52,7 @@ SECTIONS
8204 -
8205 - BUG_TABLE :text
8206 -
8207 -- RODATA
8208 -+ RO_DATA(4096)
8209 -
8210 - . = ALIGN(4);
8211 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
8212 -@@ -61,15 +61,18 @@ SECTIONS
8213 - __tracedata_end = .;
8214 - }
8215 -
8216 -+#ifdef CONFIG_PAX_KERNEXEC
8217 -+ . = ALIGN(2*1024*1024); /* Align data segment to PMD size boundary */
8218 -+#else
8219 - . = ALIGN(PAGE_SIZE); /* Align data segment to page size boundary */
8220 -+#endif
8221 - /* Data */
8222 -+ _data = .;
8223 - .data : AT(ADDR(.data) - LOAD_OFFSET) {
8224 - DATA_DATA
8225 - CONSTRUCTORS
8226 - } :data
8227 -
8228 -- _edata = .; /* End of data section */
8229 --
8230 - . = ALIGN(PAGE_SIZE);
8231 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
8232 - .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
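Review bot: `_edata = .;` is removed here and re-added after `.data_nosave` in the next hunk, so `_edata` now also covers `.data.cacheline_aligned`, `.data.read_mostly`, `.data.init_task`, `.data.page_aligned` and the nosave area; anything that treats `[_data, _edata)` as the data section (kcore, crash-dump tooling) sees a larger range, which should be stated in the description. The `#ifdef CONFIG_PAX_KERNEXEC` 2 MiB alignment is sensible for a PMD-granular data mapping, but `_data = .;` is placed outside the `.data` output section here while the 32-bit script puts it inside; pick one convention.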
8233 -@@ -80,9 +83,27 @@ SECTIONS
8234 - *(.data.read_mostly)
8235 - }
8236 -
8237 -+ . = ALIGN(8192); /* init_task */
8238 -+ .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
8239 -+ *(.data.init_task)
8240 -+ }
8241 -+
8242 -+ . = ALIGN(4096);
8243 -+ .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8244 -+ *(.data.page_aligned)
8245 -+ }
8246 -+
8247 -+ . = ALIGN(4096);
8248 -+ __nosave_begin = .;
8249 -+ .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
8250 -+ . = ALIGN(4096);
8251 -+ __nosave_end = .;
8252 -+
8253 -+ _edata = .; /* End of data section */
8254 -+
8255 - #define VSYSCALL_ADDR (-10*1024*1024)
8256 --#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
8257 --#define VSYSCALL_VIRT_ADDR ((ADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
8258 -+#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
8259 -+#define VSYSCALL_VIRT_ADDR ((ADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
8260 -
8261 - #define VLOAD_OFFSET (VSYSCALL_ADDR - VSYSCALL_PHYS_ADDR)
8262 - #define VLOAD(x) (ADDR(x) - VLOAD_OFFSET)
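Review bot: `.data.init_task` previously carried the `:data.init` segment annotation (visible in the removal hunk below); after the move it inherits `:data`, so `init_task` is no longer in the init segment. That is presumably intended, since `init_task` must outlive init, but it is a behavioural change that belongs in the description. `VSYSCALL_PHYS_ADDR`/`VSYSCALL_VIRT_ADDR` are now computed from `.data_nosave`, the last section before `_edata`, so the vsyscall page stays immediately after the kernel data; any section added between them later would silently move it.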
8263 -@@ -130,23 +151,13 @@ SECTIONS
8264 - #undef VVIRT_OFFSET
8265 - #undef VVIRT
8266 -
8267 -- . = ALIGN(8192); /* init_task */
8268 -- .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
8269 -- *(.data.init_task)
8270 -- }:data.init
8271 --
8272 -- . = ALIGN(4096);
8273 -- .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
8274 -- *(.data.page_aligned)
8275 -- }
8276 --
8277 - /* might get freed after init */
8278 - . = ALIGN(4096);
8279 - __smp_alt_begin = .;
8280 - __smp_locks = .;
8281 - .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
8282 - *(.smp_locks)
8283 -- }
8284 -+ } :data.init
8285 - __smp_locks_end = .;
8286 - . = ALIGN(4096);
8287 - __smp_alt_end = .;
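Review bot: `} :data.init` now attaches to `.smp_locks`, making it the first section of the `data.init` PT_LOAD; since that segment is still FLAGS(7) (RWE) in the PHDRS hunk above, the freed-after-init region remains executable on 64-bit, which is at odds with the tightening applied to `data` in the same file.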
8288 -@@ -208,12 +219,6 @@ SECTIONS
8289 - . = ALIGN(4096);
8290 - __init_end = .;
8291 -
8292 -- . = ALIGN(4096);
8293 -- __nosave_begin = .;
8294 -- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
8295 -- . = ALIGN(4096);
8296 -- __nosave_end = .;
8297 --
8298 - __bss_start = .; /* BSS */
8299 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
8300 - *(.bss.page_aligned)
8301 -@@ -221,6 +226,7 @@ SECTIONS
8302 - }
8303 - __bss_stop = .;
8304 -
8305 -+ . = ALIGN(2*1024*1024);
8306 - _end = . ;
8307 -
8308 - /* Sections to be discarded */
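Review bot: the new `. = ALIGN(2*1024*1024);` before `_end` is unconditional, whereas the matching data-segment alignment earlier in this file is wrapped in `#ifdef CONFIG_PAX_KERNEXEC`; either guard this one the same way or explain why non-KERNEXEC kernels also need `_end` on a 2 MiB boundary, since it costs up to 2 MiB of reserved address space after `__bss_stop`.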
8309 -diff -urNp linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c
8310 ---- linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c 2008-03-24 14:49:18.000000000 -0400
8311 -+++ linux-2.6.24.4/arch/x86/kernel/vsyscall_64.c 2008-03-26 17:56:55.000000000 -0400
8312 -@@ -271,13 +271,13 @@ static ctl_table kernel_table2[] = {
8313 - .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
8314 - .mode = 0644,
8315 - .proc_handler = vsyscall_sysctl_change },
8316 -- {}
8317 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
8318 - };
8319 -
8320 - static ctl_table kernel_root_table2[] = {
8321 - { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
8322 - .child = kernel_table2 },
8323 -- {}
8324 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
8325 - };
8326 -
8327 - #endif
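Review bot: replacing the `{}` sentinels with positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` hard-codes eleven `ctl_table` fields in declaration order; if a field is added, removed or reordered the initializer breaks or silently mis-assigns, while `{}` already zero-fills the entry. If the aim is to silence a missing-initializer warning, a designated `{ .ctl_name = 0 }` (the field is already used by name in `kernel_root_table2`) achieves that without the positional coupling.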
8328 -@@ -288,6 +288,11 @@ static void __cpuinit vsyscall_set_cpu(i
8329 - {
8330 - unsigned long *d;
8331 - unsigned long node = 0;
8332 -+
8333 -+#ifdef CONFIG_PAX_KERNEXEC
8334 -+ unsigned long cr0;
8335 -+#endif
8336 -+
8337 - #ifdef CONFIG_NUMA
8338 - node = cpu_to_node(cpu);
8339 - #endif
8340 -@@ -298,10 +303,20 @@ static void __cpuinit vsyscall_set_cpu(i
8341 - in user space in vgetcpu.
8342 - 12 bits for the CPU and 8 bits for the node. */
8343 - d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU);
8344 -+
8345 -+#ifdef CONFIG_PAX_KERNEXEC
8346 -+ pax_open_kernel(cr0);
8347 -+#endif
8348 -+
8349 - *d = 0x0f40000000000ULL;
8350 - *d |= cpu;
8351 - *d |= (node & 0xf) << 12;
8352 - *d |= (node >> 4) << 48;
8353 -+
8354 -+#ifdef CONFIG_PAX_KERNEXEC
8355 -+ pax_close_kernel(cr0);
8356 -+#endif
8357 -+
8358 - }
8359 -
8360 - static void __cpuinit cpu_vsyscall_init(void *arg)
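Review bot: the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` pair brackets exactly the four stores to the per-CPU GDT entry (`*d = ...; *d |= ...`), which is the right minimal window, and `cr0` is declared under the same `#ifdef` in the previous hunk, so the non-KERNEXEC build gets no unused variable. Since the per-CPU GDT is evidently write-protected under KERNEXEC (otherwise this pair would be unnecessary), any other `cpu_gdt()` writer that was not converted will fault at runtime rather than at compile time; a comment at `cpu_gdt()` pointing to this requirement would make such misses easier to diagnose.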
8361 -diff -urNp linux-2.6.24.4/arch/x86/lib/checksum_32.S linux-2.6.24.4/arch/x86/lib/checksum_32.S
8362 ---- linux-2.6.24.4/arch/x86/lib/checksum_32.S 2008-03-24 14:49:18.000000000 -0400
8363 -+++ linux-2.6.24.4/arch/x86/lib/checksum_32.S 2008-03-26 17:56:55.000000000 -0400
8364 -@@ -28,7 +28,8 @@
8365 - #include <linux/linkage.h>
8366 - #include <asm/dwarf2.h>
8367 - #include <asm/errno.h>
8368 --
8369 -+#include <asm/segment.h>
8370 -+
8371 - /*
8372 - * computes a partial checksum, e.g. for TCP/UDP fragments
8373 - */
8374 -@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
8375 -
8376 - #define ARGBASE 16
8377 - #define FP 12
8378 --
8379 --ENTRY(csum_partial_copy_generic)
8380 -+
8381 -+ENTRY(csum_partial_copy_generic_to_user)
8382 - CFI_STARTPROC
8383 -+ pushl $(__USER_DS)
8384 -+ CFI_ADJUST_CFA_OFFSET 4
8385 -+ popl %es
8386 -+ CFI_ADJUST_CFA_OFFSET -4
8387 -+ jmp csum_partial_copy_generic
8388 -+
8389 -+ENTRY(csum_partial_copy_generic_from_user)
8390 -+ pushl $(__USER_DS)
8391 -+ CFI_ADJUST_CFA_OFFSET 4
8392 -+ popl %ds
8393 -+ CFI_ADJUST_CFA_OFFSET -4
8394 -+
8395 -+ENTRY(csum_partial_copy_generic)
8396 - subl $4,%esp
8397 - CFI_ADJUST_CFA_OFFSET 4
8398 - pushl %edi
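Review bot: `csum_partial_copy_generic_from_user` has no `CFI_STARTPROC` of its own and falls through into `ENTRY(csum_partial_copy_generic)`, which likewise has none; all three entries live inside the single `CFI_STARTPROC`/`CFI_ENDPROC` span opened in `_to_user`, so the unwind info is attributed to `csum_partial_copy_generic_to_user` only (the `ENDPROC` rename later in this file confirms that), and the other two symbols end up without `.size`. A comment should also record the asymmetry: `_to_user` switches only `%es`, `_from_user` only `%ds`, which is why the `DST(... %es:...)` overrides and the `%ss:` overrides on the error-pointer stores are required for the `_from_user` case, where `%ds` points at the user segment.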
8399 -@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
8400 - jmp 4f
8401 - SRC(1: movw (%esi), %bx )
8402 - addl $2, %esi
8403 --DST( movw %bx, (%edi) )
8404 -+DST( movw %bx, %es:(%edi) )
8405 - addl $2, %edi
8406 - addw %bx, %ax
8407 - adcl $0, %eax
8408 -@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
8409 - SRC(1: movl (%esi), %ebx )
8410 - SRC( movl 4(%esi), %edx )
8411 - adcl %ebx, %eax
8412 --DST( movl %ebx, (%edi) )
8413 -+DST( movl %ebx, %es:(%edi) )
8414 - adcl %edx, %eax
8415 --DST( movl %edx, 4(%edi) )
8416 -+DST( movl %edx, %es:4(%edi) )
8417 -
8418 - SRC( movl 8(%esi), %ebx )
8419 - SRC( movl 12(%esi), %edx )
8420 - adcl %ebx, %eax
8421 --DST( movl %ebx, 8(%edi) )
8422 -+DST( movl %ebx, %es:8(%edi) )
8423 - adcl %edx, %eax
8424 --DST( movl %edx, 12(%edi) )
8425 -+DST( movl %edx, %es:12(%edi) )
8426 -
8427 - SRC( movl 16(%esi), %ebx )
8428 - SRC( movl 20(%esi), %edx )
8429 - adcl %ebx, %eax
8430 --DST( movl %ebx, 16(%edi) )
8431 -+DST( movl %ebx, %es:16(%edi) )
8432 - adcl %edx, %eax
8433 --DST( movl %edx, 20(%edi) )
8434 -+DST( movl %edx, %es:20(%edi) )
8435 -
8436 - SRC( movl 24(%esi), %ebx )
8437 - SRC( movl 28(%esi), %edx )
8438 - adcl %ebx, %eax
8439 --DST( movl %ebx, 24(%edi) )
8440 -+DST( movl %ebx, %es:24(%edi) )
8441 - adcl %edx, %eax
8442 --DST( movl %edx, 28(%edi) )
8443 -+DST( movl %edx, %es:28(%edi) )
8444 -
8445 - lea 32(%esi), %esi
8446 - lea 32(%edi), %edi
8447 -@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
8448 - shrl $2, %edx # This clears CF
8449 - SRC(3: movl (%esi), %ebx )
8450 - adcl %ebx, %eax
8451 --DST( movl %ebx, (%edi) )
8452 -+DST( movl %ebx, %es:(%edi) )
8453 - lea 4(%esi), %esi
8454 - lea 4(%edi), %edi
8455 - dec %edx
8456 -@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
8457 - jb 5f
8458 - SRC( movw (%esi), %cx )
8459 - leal 2(%esi), %esi
8460 --DST( movw %cx, (%edi) )
8461 -+DST( movw %cx, %es:(%edi) )
8462 - leal 2(%edi), %edi
8463 - je 6f
8464 - shll $16,%ecx
8465 - SRC(5: movb (%esi), %cl )
8466 --DST( movb %cl, (%edi) )
8467 -+DST( movb %cl, %es:(%edi) )
8468 - 6: addl %ecx, %eax
8469 - adcl $0, %eax
8470 - 7:
8471 -@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
8472 -
8473 - 6001:
8474 - movl ARGBASE+20(%esp), %ebx # src_err_ptr
8475 -- movl $-EFAULT, (%ebx)
8476 -+ movl $-EFAULT, %ss:(%ebx)
8477 -
8478 - # zero the complete destination - computing the rest
8479 - # is too much work
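Review bot: `movl $-EFAULT, %ss:(%ebx)` is necessary rather than cosmetic: in the `_from_user` variant `%ds` holds `__USER_DS` when this fixup runs, so a plain `(%ebx)` store to the kernel `src_err_ptr` would go through the user segment; a one-line comment saying so would keep the override from being simplified away later.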
8480 -@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
8481 -
8482 - 6002:
8483 - movl ARGBASE+24(%esp), %ebx # dst_err_ptr
8484 -- movl $-EFAULT,(%ebx)
8485 -+ movl $-EFAULT,%ss:(%ebx)
8486 - jmp 5000b
8487 -
8488 - .previous
8489 -
8490 -+ pushl %ss
8491 -+ CFI_ADJUST_CFA_OFFSET 4
8492 -+ popl %ds
8493 -+ CFI_ADJUST_CFA_OFFSET -4
8494 -+ pushl %ss
8495 -+ CFI_ADJUST_CFA_OFFSET 4
8496 -+ popl %es
8497 -+ CFI_ADJUST_CFA_OFFSET -4
8498 - popl %ebx
8499 - CFI_ADJUST_CFA_OFFSET -4
8500 - CFI_RESTORE ebx
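Review bot: the `pushl %ss` / `popl %ds` and `pushl %ss` / `popl %es` restores sit after `.previous`, on the common epilogue that both the normal path and the `6001`/`6002` fixups (which jump back into the main path) reach, so the segment registers are restored on every exit; good. The `CFI_ADJUST_CFA_OFFSET 4` / `-4` pairs net to zero as required. Using `%ss` as the source of the kernel data selector assumes `%ss == __KERNEL_DS` on entry, which holds for kernel code but should be stated in a comment.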
8501 -@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
8502 - CFI_ADJUST_CFA_OFFSET -4
8503 - ret
8504 - CFI_ENDPROC
8505 --ENDPROC(csum_partial_copy_generic)
8506 -+ENDPROC(csum_partial_copy_generic_to_user)
8507 -
8508 - #else
8509 -
8510 - /* Version for PentiumII/PPro */
8511 -
8512 - #define ROUND1(x) \
8513 -+ nop; nop; nop; \
8514 - SRC(movl x(%esi), %ebx ) ; \
8515 - addl %ebx, %eax ; \
8516 -- DST(movl %ebx, x(%edi) ) ;
8517 -+ DST(movl %ebx, %es:x(%edi)) ;
8518 -
8519 - #define ROUND(x) \
8520 -+ nop; nop; nop; \
8521 - SRC(movl x(%esi), %ebx ) ; \
8522 - adcl %ebx, %eax ; \
8523 -- DST(movl %ebx, x(%edi) ) ;
8524 -+ DST(movl %ebx, %es:x(%edi)) ;
8525 -
8526 - #define ARGBASE 12
8527 --
8528 --ENTRY(csum_partial_copy_generic)
8529 -+
8530 -+ENTRY(csum_partial_copy_generic_to_user)
8531 - CFI_STARTPROC
8532 -+ pushl $(__USER_DS)
8533 -+ CFI_ADJUST_CFA_OFFSET 4
8534 -+ popl %es
8535 -+ CFI_ADJUST_CFA_OFFSET -4
8536 -+ jmp csum_partial_copy_generic
8537 -+
8538 -+ENTRY(csum_partial_copy_generic_from_user)
8539 -+ pushl $(__USER_DS)
8540 -+ CFI_ADJUST_CFA_OFFSET 4
8541 -+ popl %ds
8542 -+ CFI_ADJUST_CFA_OFFSET -4
8543 -+
8544 -+ENTRY(csum_partial_copy_generic)
8545 - pushl %ebx
8546 - CFI_ADJUST_CFA_OFFSET 4
8547 - CFI_REL_OFFSET ebx, 0
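Review bot: the `nop; nop; nop;` added to `ROUND1`/`ROUND` is load-bearing, not padding: the `%es:` override adds one prefix byte to each `DST(movl ...)`, growing every round from 8 bytes (`movl x(%esi),%ebx` 3, `addl`/`adcl` 2, `movl %ebx,x(%edi)` 3) to 9, and the three nops bring it to 12 so that the computed jump `lea 3f(%ebx,%ebx,2), %ebx` in the next hunk (stride 3 per byte of `%ebx`, previously 2) still lands on round boundaries. That coupling needs a comment on both the macro and the `lea`, and the nop count must stay exactly three. As in the first version, `ENDPROC(csum_partial_copy_generic_to_user)` closes a span that also contains the `csum_partial_copy_generic` and `_from_user` entries, which therefore get no `.size`.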
8548 -@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
8549 - subl %ebx, %edi
8550 - lea -1(%esi),%edx
8551 - andl $-32,%edx
8552 -- lea 3f(%ebx,%ebx), %ebx
8553 -+ lea 3f(%ebx,%ebx,2), %ebx
8554 - testl %esi, %esi
8555 - jmp *%ebx
8556 - 1: addl $64,%esi
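Review bot: `lea 3f(%ebx,%ebx,2), %ebx` changes the jump-table stride from 2x to 3x `%ebx`; this is only correct while every `ROUND`/`ROUND1` expansion is exactly 12 bytes (the `nop; nop; nop;` in the macro hunk above), so the two sites should reference each other in comments.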
8557 -@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
8558 - jb 5f
8559 - SRC( movw (%esi), %dx )
8560 - leal 2(%esi), %esi
8561 --DST( movw %dx, (%edi) )
8562 -+DST( movw %dx, %es:(%edi) )
8563 - leal 2(%edi), %edi
8564 - je 6f
8565 - shll $16,%edx
8566 - 5:
8567 - SRC( movb (%esi), %dl )
8568 --DST( movb %dl, (%edi) )
8569 -+DST( movb %dl, %es:(%edi) )
8570 - 6: addl %edx, %eax
8571 - adcl $0, %eax
8572 - 7:
8573 - .section .fixup, "ax"
8574 - 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
8575 -- movl $-EFAULT, (%ebx)
8576 -+ movl $-EFAULT, %ss:(%ebx)
8577 - # zero the complete destination (computing the rest is too much work)
8578 - movl ARGBASE+8(%esp),%edi # dst
8579 - movl ARGBASE+12(%esp),%ecx # len
8580 -@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
8581 - rep; stosb
8582 - jmp 7b
8583 - 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
8584 -- movl $-EFAULT, (%ebx)
8585 -+ movl $-EFAULT, %ss:(%ebx)
8586 - jmp 7b
8587 - .previous
8588 -
8589 -+ pushl %ss
8590 -+ CFI_ADJUST_CFA_OFFSET 4
8591 -+ popl %ds
8592 -+ CFI_ADJUST_CFA_OFFSET -4
8593 -+ pushl %ss
8594 -+ CFI_ADJUST_CFA_OFFSET 4
8595 -+ popl %es
8596 -+ CFI_ADJUST_CFA_OFFSET -4
8597 - popl %esi
8598 - CFI_ADJUST_CFA_OFFSET -4
8599 - CFI_RESTORE esi
8600 -@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
8601 - CFI_RESTORE ebx
8602 - ret
8603 - CFI_ENDPROC
8604 --ENDPROC(csum_partial_copy_generic)
8605 -+ENDPROC(csum_partial_copy_generic_to_user)
8606 -
8607 - #undef ROUND
8608 - #undef ROUND1
8609 -diff -urNp linux-2.6.24.4/arch/x86/lib/clear_page_64.S linux-2.6.24.4/arch/x86/lib/clear_page_64.S
8610 ---- linux-2.6.24.4/arch/x86/lib/clear_page_64.S 2008-03-24 14:49:18.000000000 -0400
8611 -+++ linux-2.6.24.4/arch/x86/lib/clear_page_64.S 2008-03-26 17:56:55.000000000 -0400
8612 -@@ -44,7 +44,7 @@ ENDPROC(clear_page)
8613 -
8614 - #include <asm/cpufeature.h>
8615 -
8616 -- .section .altinstr_replacement,"ax"
8617 -+ .section .altinstr_replacement,"a"
8618 - 1: .byte 0xeb /* jmp <disp8> */
8619 - .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
8620 - 2:
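Review bot: dropping the `x` flag from `.altinstr_replacement` is consistent with the 32-bit linker script in this patch placing that section in the non-executable `initdata` segment: the replacement bytes are only copied over the original instructions by alternatives patching and are never executed in place. The same edit is repeated for copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S below; any other `.section .altinstr_replacement,"ax"` left in the tree would keep a mismatched section flag, so the description should say the tree was grepped for that pattern.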
8621 -diff -urNp linux-2.6.24.4/arch/x86/lib/copy_page_64.S linux-2.6.24.4/arch/x86/lib/copy_page_64.S
8622 ---- linux-2.6.24.4/arch/x86/lib/copy_page_64.S 2008-03-24 14:49:18.000000000 -0400
8623 -+++ linux-2.6.24.4/arch/x86/lib/copy_page_64.S 2008-03-26 17:56:55.000000000 -0400
8624 -@@ -104,7 +104,7 @@ ENDPROC(copy_page)
8625 -
8626 - #include <asm/cpufeature.h>
8627 -
8628 -- .section .altinstr_replacement,"ax"
8629 -+ .section .altinstr_replacement,"a"
8630 - 1: .byte 0xeb /* jmp <disp8> */
8631 - .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
8632 - 2:
8633 -diff -urNp linux-2.6.24.4/arch/x86/lib/copy_user_64.S linux-2.6.24.4/arch/x86/lib/copy_user_64.S
8634 ---- linux-2.6.24.4/arch/x86/lib/copy_user_64.S 2008-03-24 14:49:18.000000000 -0400
8635 -+++ linux-2.6.24.4/arch/x86/lib/copy_user_64.S 2008-03-26 17:56:55.000000000 -0400
8636 -@@ -19,7 +19,7 @@
8637 - .byte 0xe9 /* 32bit jump */
8638 - .long \orig-1f /* by default jump to orig */
8639 - 1:
8640 -- .section .altinstr_replacement,"ax"
8641 -+ .section .altinstr_replacement,"a"
8642 - 2: .byte 0xe9 /* near jump with 32bit immediate */
8643 - .long \alt-1b /* offset */ /* or alternatively to alt */
8644 - .previous
8645 -diff -urNp linux-2.6.24.4/arch/x86/lib/getuser_32.S linux-2.6.24.4/arch/x86/lib/getuser_32.S
8646 ---- linux-2.6.24.4/arch/x86/lib/getuser_32.S 2008-03-24 14:49:18.000000000 -0400
8647 -+++ linux-2.6.24.4/arch/x86/lib/getuser_32.S 2008-03-26 17:56:55.000000000 -0400
8648 -@@ -11,7 +11,7 @@
8649 - #include <linux/linkage.h>
8650 - #include <asm/dwarf2.h>
8651 - #include <asm/thread_info.h>
8652 --
8653 -+#include <asm/segment.h>
8654 -
8655 - /*
8656 - * __get_user_X
8657 -@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
8658 - GET_THREAD_INFO(%edx)
8659 - cmpl TI_addr_limit(%edx),%eax
8660 - jae bad_get_user
8661 -+ pushl $(__USER_DS)
8662 -+ popl %ds
8663 - 1: movzbl (%eax),%edx
8664 -+ pushl %ss
8665 -+ pop %ds
8666 - xorl %eax,%eax
8667 - ret
8668 - CFI_ENDPROC
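Review bot: the `pushl $(__USER_DS)` / `popl %ds` before the user load and the `pushl %ss` / `pop %ds` after it carry no `CFI_ADJUST_CFA_OFFSET` annotations, unlike the equivalent sequences in checksum_32.S in this same patch; each pair is balanced before the faulting load at `1:`, so the CFA is correct where it matters, but the annotations should be added for consistency. Nit: `popl %ds` and `pop %ds` are mixed within the same hunk (they assemble identically). Because a fault at `1:` enters `bad_get_user` with `%ds` still set to `__USER_DS`, that path has to restore `%ds` itself, which the last hunk of this file does.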
8669 -@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
8670 - GET_THREAD_INFO(%edx)
8671 - cmpl TI_addr_limit(%edx),%eax
8672 - jae bad_get_user
8673 -+ pushl $(__USER_DS)
8674 -+ popl %ds
8675 - 2: movzwl -1(%eax),%edx
8676 -+ pushl %ss
8677 -+ pop %ds
8678 - xorl %eax,%eax
8679 - ret
8680 - CFI_ENDPROC
8681 -@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
8682 - GET_THREAD_INFO(%edx)
8683 - cmpl TI_addr_limit(%edx),%eax
8684 - jae bad_get_user
8685 -+ pushl $(__USER_DS)
8686 -+ popl %ds
8687 - 3: movl -3(%eax),%edx
8688 -+ pushl %ss
8689 -+ pop %ds
8690 - xorl %eax,%eax
8691 - ret
8692 - CFI_ENDPROC
8693 -@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
8694 -
8695 - bad_get_user:
8696 - CFI_STARTPROC
8697 -+ pushl %ss
8698 -+ pop %ds
8699 - xorl %edx,%edx
8700 - movl $-14,%eax
8701 - ret
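Review bot: restoring `%ds` from `%ss` in `bad_get_user` is required because the fixups for the faulting loads at `1:`, `2:` and `3:` land here with `%ds` still holding `__USER_DS`; a comment saying so would help. The same label is also reached via the `jae bad_get_user` range checks before `%ds` was switched, where the restore is harmless, so there is no need for a separate entry point.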
8702 -diff -urNp linux-2.6.24.4/arch/x86/lib/memcpy_64.S linux-2.6.24.4/arch/x86/lib/memcpy_64.S
8703 ---- linux-2.6.24.4/arch/x86/lib/memcpy_64.S 2008-03-24 14:49:18.000000000 -0400
8704 -+++ linux-2.6.24.4/arch/x86/lib/memcpy_64.S 2008-03-26 17:56:55.000000000 -0400
8705 -@@ -114,7 +114,7 @@ ENDPROC(__memcpy)
8706 - /* Some CPUs run faster using the string copy instructions.
8707 - It is also a lot simpler. Use this when possible */
8708 -
8709 -- .section .altinstr_replacement,"ax"
8710 -+ .section .altinstr_replacement,"a"
8711 - 1: .byte 0xeb /* jmp <disp8> */
8712 - .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
8713 - 2:
8714 -diff -urNp linux-2.6.24.4/arch/x86/lib/memset_64.S linux-2.6.24.4/arch/x86/lib/memset_64.S
8715 ---- linux-2.6.24.4/arch/x86/lib/memset_64.S 2008-03-24 14:49:18.000000000 -0400
8716 -+++ linux-2.6.24.4/arch/x86/lib/memset_64.S 2008-03-26 17:56:55.000000000 -0400
8717 -@@ -118,7 +118,7 @@ ENDPROC(__memset)
8718 -
8719 - #include <asm/cpufeature.h>
8720 -
8721 -- .section .altinstr_replacement,"ax"
8722 -+ .section .altinstr_replacement,"a"
8723 - 1: .byte 0xeb /* jmp <disp8> */
8724 - .byte (memset_c - memset) - (2f - 1b) /* offset */
8725 - 2:
8726 -diff -urNp linux-2.6.24.4/arch/x86/lib/mmx_32.c linux-2.6.24.4/arch/x86/lib/mmx_32.c
8727 ---- linux-2.6.24.4/arch/x86/lib/mmx_32.c 2008-03-24 14:49:18.000000000 -0400
8728 -+++ linux-2.6.24.4/arch/x86/lib/mmx_32.c 2008-03-26 17:56:55.000000000 -0400
8729 -@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
8730 - {
8731 - void *p;
8732 - int i;
8733 -+ unsigned long cr0;
8734 -
8735 - if (unlikely(in_interrupt()))
8736 - return __memcpy(to, from, len);
8737 -@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
8738 - kernel_fpu_begin();
8739 -
8740 - __asm__ __volatile__ (
8741 -- "1: prefetch (%0)\n" /* This set is 28 bytes */
8742 -- " prefetch 64(%0)\n"
8743 -- " prefetch 128(%0)\n"
8744 -- " prefetch 192(%0)\n"
8745 -- " prefetch 256(%0)\n"
8746 -+ "1: prefetch (%1)\n" /* This set is 28 bytes */
8747 -+ " prefetch 64(%1)\n"
8748 -+ " prefetch 128(%1)\n"
8749 -+ " prefetch 192(%1)\n"
8750 -+ " prefetch 256(%1)\n"
8751 - "2: \n"
8752 - ".section .fixup, \"ax\"\n"
8753 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8754 -+ "3: \n"
8755 -+
8756 -+#ifdef CONFIG_PAX_KERNEXEC
8757 -+ " movl %%cr0, %0\n"
8758 -+ " movl %0, %%eax\n"
8759 -+ " andl $0xFFFEFFFF, %%eax\n"
8760 -+ " movl %%eax, %%cr0\n"
8761 -+#endif
8762 -+
8763 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8764 -+
8765 -+#ifdef CONFIG_PAX_KERNEXEC
8766 -+ " movl %0, %%cr0\n"
8767 -+#endif
8768 -+
8769 - " jmp 2b\n"
8770 - ".previous\n"
8771 - ".section __ex_table,\"a\"\n"
8772 - " .align 4\n"
8773 - " .long 1b, 3b\n"
8774 - ".previous"
8775 -- : : "r" (from) );
8776 -+ : "=&r" (cr0) : "r" (from) : "ax");
8777 -
8778 -
8779 - for(; i>5; i--)
8780 - {
8781 - __asm__ __volatile__ (
8782 -- "1: prefetch 320(%0)\n"
8783 -- "2: movq (%0), %%mm0\n"
8784 -- " movq 8(%0), %%mm1\n"
8785 -- " movq 16(%0), %%mm2\n"
8786 -- " movq 24(%0), %%mm3\n"
8787 -- " movq %%mm0, (%1)\n"
8788 -- " movq %%mm1, 8(%1)\n"
8789 -- " movq %%mm2, 16(%1)\n"
8790 -- " movq %%mm3, 24(%1)\n"
8791 -- " movq 32(%0), %%mm0\n"
8792 -- " movq 40(%0), %%mm1\n"
8793 -- " movq 48(%0), %%mm2\n"
8794 -- " movq 56(%0), %%mm3\n"
8795 -- " movq %%mm0, 32(%1)\n"
8796 -- " movq %%mm1, 40(%1)\n"
8797 -- " movq %%mm2, 48(%1)\n"
8798 -- " movq %%mm3, 56(%1)\n"
8799 -+ "1: prefetch 320(%1)\n"
8800 -+ "2: movq (%1), %%mm0\n"
8801 -+ " movq 8(%1), %%mm1\n"
8802 -+ " movq 16(%1), %%mm2\n"
8803 -+ " movq 24(%1), %%mm3\n"
8804 -+ " movq %%mm0, (%2)\n"
8805 -+ " movq %%mm1, 8(%2)\n"
8806 -+ " movq %%mm2, 16(%2)\n"
8807 -+ " movq %%mm3, 24(%2)\n"
8808 -+ " movq 32(%1), %%mm0\n"
8809 -+ " movq 40(%1), %%mm1\n"
8810 -+ " movq 48(%1), %%mm2\n"
8811 -+ " movq 56(%1), %%mm3\n"
8812 -+ " movq %%mm0, 32(%2)\n"
8813 -+ " movq %%mm1, 40(%2)\n"
8814 -+ " movq %%mm2, 48(%2)\n"
8815 -+ " movq %%mm3, 56(%2)\n"
8816 - ".section .fixup, \"ax\"\n"
8817 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8818 -+ "3:\n"
8819 -+
8820 -+#ifdef CONFIG_PAX_KERNEXEC
8821 -+ " movl %%cr0, %0\n"
8822 -+ " movl %0, %%eax\n"
8823 -+ " andl $0xFFFEFFFF, %%eax\n"
8824 -+ " movl %%eax, %%cr0\n"
8825 -+#endif
8826 -+
8827 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8828 -+
8829 -+#ifdef CONFIG_PAX_KERNEXEC
8830 -+ " movl %0, %%cr0\n"
8831 -+#endif
8832 -+
8833 - " jmp 2b\n"
8834 - ".previous\n"
8835 - ".section __ex_table,\"a\"\n"
8836 - " .align 4\n"
8837 - " .long 1b, 3b\n"
8838 - ".previous"
8839 -- : : "r" (from), "r" (to) : "memory");
8840 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
8841 - from+=64;
8842 - to+=64;
8843 - }
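Review bot: the fixup path now patches kernel text (`movw $0x1AEB, 1b` rewrites the `prefetch` into a short jump) with CR0.WP cleared by hand (`andl $0xFFFEFFFF`, bit 16) instead of the `pax_open_kernel()`/`pax_close_kernel()` helpers this same patch uses in vmi_32.c and vsyscall_64.c; the hand-rolled sequence is repeated for both asm blocks in `_mmx_memcpy` and again in `fast_copy_page` below, so a shared macro would prevent the mask from drifting. Nothing disables interrupts between the two `movl ..., %%cr0` writes, so an interrupt taken in that window runs with write protection off (only on the fault-fixup path, but it should be acknowledged). The `"=&r" (cr0)` early-clobber and the `"ax"` clobber are correct for the new `%%eax` scratch use, and `cr0` being left unwritten on the non-fault path is harmless since it is never read there.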
8844 -@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
8845 - static void fast_copy_page(void *to, void *from)
8846 - {
8847 - int i;
8848 -+ unsigned long cr0;
8849 -
8850 - kernel_fpu_begin();
8851 -
8852 -@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
8853 - * but that is for later. -AV
8854 - */
8855 - __asm__ __volatile__ (
8856 -- "1: prefetch (%0)\n"
8857 -- " prefetch 64(%0)\n"
8858 -- " prefetch 128(%0)\n"
8859 -- " prefetch 192(%0)\n"
8860 -- " prefetch 256(%0)\n"
8861 -+ "1: prefetch (%1)\n"
8862 -+ " prefetch 64(%1)\n"
8863 -+ " prefetch 128(%1)\n"
8864 -+ " prefetch 192(%1)\n"
8865 -+ " prefetch 256(%1)\n"
8866 - "2: \n"
8867 - ".section .fixup, \"ax\"\n"
8868 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8869 -+ "3: \n"
8870 -+
8871 -+#ifdef CONFIG_PAX_KERNEXEC
8872 -+ " movl %%cr0, %0\n"
8873 -+ " movl %0, %%eax\n"
8874 -+ " andl $0xFFFEFFFF, %%eax\n"
8875 -+ " movl %%eax, %%cr0\n"
8876 -+#endif
8877 -+
8878 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8879 -+
8880 -+#ifdef CONFIG_PAX_KERNEXEC
8881 -+ " movl %0, %%cr0\n"
8882 -+#endif
8883 -+
8884 - " jmp 2b\n"
8885 - ".previous\n"
8886 - ".section __ex_table,\"a\"\n"
8887 - " .align 4\n"
8888 - " .long 1b, 3b\n"
8889 - ".previous"
8890 -- : : "r" (from) );
8891 -+ : "=&r" (cr0) : "r" (from) : "ax");
8892 -
8893 - for(i=0; i<(4096-320)/64; i++)
8894 - {
8895 - __asm__ __volatile__ (
8896 -- "1: prefetch 320(%0)\n"
8897 -- "2: movq (%0), %%mm0\n"
8898 -- " movntq %%mm0, (%1)\n"
8899 -- " movq 8(%0), %%mm1\n"
8900 -- " movntq %%mm1, 8(%1)\n"
8901 -- " movq 16(%0), %%mm2\n"
8902 -- " movntq %%mm2, 16(%1)\n"
8903 -- " movq 24(%0), %%mm3\n"
8904 -- " movntq %%mm3, 24(%1)\n"
8905 -- " movq 32(%0), %%mm4\n"
8906 -- " movntq %%mm4, 32(%1)\n"
8907 -- " movq 40(%0), %%mm5\n"
8908 -- " movntq %%mm5, 40(%1)\n"
8909 -- " movq 48(%0), %%mm6\n"
8910 -- " movntq %%mm6, 48(%1)\n"
8911 -- " movq 56(%0), %%mm7\n"
8912 -- " movntq %%mm7, 56(%1)\n"
8913 -+ "1: prefetch 320(%1)\n"
8914 -+ "2: movq (%1), %%mm0\n"
8915 -+ " movntq %%mm0, (%2)\n"
8916 -+ " movq 8(%1), %%mm1\n"
8917 -+ " movntq %%mm1, 8(%2)\n"
8918 -+ " movq 16(%1), %%mm2\n"
8919 -+ " movntq %%mm2, 16(%2)\n"
8920 -+ " movq 24(%1), %%mm3\n"
8921 -+ " movntq %%mm3, 24(%2)\n"
8922 -+ " movq 32(%1), %%mm4\n"
8923 -+ " movntq %%mm4, 32(%2)\n"
8924 -+ " movq 40(%1), %%mm5\n"
8925 -+ " movntq %%mm5, 40(%2)\n"
8926 -+ " movq 48(%1), %%mm6\n"
8927 -+ " movntq %%mm6, 48(%2)\n"
8928 -+ " movq 56(%1), %%mm7\n"
8929 -+ " movntq %%mm7, 56(%2)\n"
8930 - ".section .fixup, \"ax\"\n"
8931 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8932 -+ "3:\n"
8933 -+
8934 -+#ifdef CONFIG_PAX_KERNEXEC
8935 -+ " movl %%cr0, %0\n"
8936 -+ " movl %0, %%eax\n"
8937 -+ " andl $0xFFFEFFFF, %%eax\n"
8938 -+ " movl %%eax, %%cr0\n"
8939 -+#endif
8940 -+
8941 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
8942 -+
8943 -+#ifdef CONFIG_PAX_KERNEXEC
8944 -+ " movl %0, %%cr0\n"
8945 -+#endif
8946 -+
8947 - " jmp 2b\n"
8948 - ".previous\n"
8949 - ".section __ex_table,\"a\"\n"
8950 - " .align 4\n"
8951 - " .long 1b, 3b\n"
8952 - ".previous"
8953 -- : : "r" (from), "r" (to) : "memory");
8954 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
8955 - from+=64;
8956 - to+=64;
8957 - }
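Review bot: the window in the fixup at label 3 between clearing CR0.WP (`movl %%eax, %%cr0` after the `andl`) and the restoring `movl %0, %%cr0` is not interrupt-safe. Preemption is already off because this runs under kernel_fpu_begin(), but interrupts are not masked, so an interrupt handler can run on this CPU with kernel text writable, which is exactly what KERNEXEC is meant to prevent; either wrap the sequence in an irq-save region or state in a comment why the exposure is accepted. Two smaller points: `andl $0xFFFEFFFF, %%eax` clears CR0 bit 16, so use the named constant X86_CR0_WP instead of the raw mask, and the same open/close sequence appears twice in this hunk already, so it belongs in a macro pair that expands to nothing without CONFIG_PAX_KERNEXEC. The `"=&r" (cr0)` earlyclobber and the `"ax"` clobber are correct, since %eax is used as scratch and cr0 must not share a register with `from`.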
8958 -@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
8959 - static void fast_copy_page(void *to, void *from)
8960 - {
8961 - int i;
8962 --
8963 --
8964 -+ unsigned long cr0;
8965 -+
8966 - kernel_fpu_begin();
8967 -
8968 - __asm__ __volatile__ (
8969 -- "1: prefetch (%0)\n"
8970 -- " prefetch 64(%0)\n"
8971 -- " prefetch 128(%0)\n"
8972 -- " prefetch 192(%0)\n"
8973 -- " prefetch 256(%0)\n"
8974 -+ "1: prefetch (%1)\n"
8975 -+ " prefetch 64(%1)\n"
8976 -+ " prefetch 128(%1)\n"
8977 -+ " prefetch 192(%1)\n"
8978 -+ " prefetch 256(%1)\n"
8979 - "2: \n"
8980 - ".section .fixup, \"ax\"\n"
8981 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8982 -+ "3: \n"
8983 -+
8984 -+#ifdef CONFIG_PAX_KERNEXEC
8985 -+ " movl %%cr0, %0\n"
8986 -+ " movl %0, %%eax\n"
8987 -+ " andl $0xFFFEFFFF, %%eax\n"
8988 -+ " movl %%eax, %%cr0\n"
8989 -+#endif
8990 -+
8991 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
8992 -+
8993 -+#ifdef CONFIG_PAX_KERNEXEC
8994 -+ " movl %0, %%cr0\n"
8995 -+#endif
8996 -+
8997 - " jmp 2b\n"
8998 - ".previous\n"
8999 - ".section __ex_table,\"a\"\n"
9000 - " .align 4\n"
9001 - " .long 1b, 3b\n"
9002 - ".previous"
9003 -- : : "r" (from) );
9004 -+ : "=&r" (cr0) : "r" (from) : "ax");
9005 -
9006 - for(i=0; i<4096/64; i++)
9007 - {
9008 - __asm__ __volatile__ (
9009 -- "1: prefetch 320(%0)\n"
9010 -- "2: movq (%0), %%mm0\n"
9011 -- " movq 8(%0), %%mm1\n"
9012 -- " movq 16(%0), %%mm2\n"
9013 -- " movq 24(%0), %%mm3\n"
9014 -- " movq %%mm0, (%1)\n"
9015 -- " movq %%mm1, 8(%1)\n"
9016 -- " movq %%mm2, 16(%1)\n"
9017 -- " movq %%mm3, 24(%1)\n"
9018 -- " movq 32(%0), %%mm0\n"
9019 -- " movq 40(%0), %%mm1\n"
9020 -- " movq 48(%0), %%mm2\n"
9021 -- " movq 56(%0), %%mm3\n"
9022 -- " movq %%mm0, 32(%1)\n"
9023 -- " movq %%mm1, 40(%1)\n"
9024 -- " movq %%mm2, 48(%1)\n"
9025 -- " movq %%mm3, 56(%1)\n"
9026 -+ "1: prefetch 320(%1)\n"
9027 -+ "2: movq (%1), %%mm0\n"
9028 -+ " movq 8(%1), %%mm1\n"
9029 -+ " movq 16(%1), %%mm2\n"
9030 -+ " movq 24(%1), %%mm3\n"
9031 -+ " movq %%mm0, (%2)\n"
9032 -+ " movq %%mm1, 8(%2)\n"
9033 -+ " movq %%mm2, 16(%2)\n"
9034 -+ " movq %%mm3, 24(%2)\n"
9035 -+ " movq 32(%1), %%mm0\n"
9036 -+ " movq 40(%1), %%mm1\n"
9037 -+ " movq 48(%1), %%mm2\n"
9038 -+ " movq 56(%1), %%mm3\n"
9039 -+ " movq %%mm0, 32(%2)\n"
9040 -+ " movq %%mm1, 40(%2)\n"
9041 -+ " movq %%mm2, 48(%2)\n"
9042 -+ " movq %%mm3, 56(%2)\n"
9043 - ".section .fixup, \"ax\"\n"
9044 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
9045 -+ "3:\n"
9046 -+
9047 -+#ifdef CONFIG_PAX_KERNEXEC
9048 -+ " movl %%cr0, %0\n"
9049 -+ " movl %0, %%eax\n"
9050 -+ " andl $0xFFFEFFFF, %%eax\n"
9051 -+ " movl %%eax, %%cr0\n"
9052 -+#endif
9053 -+
9054 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
9055 -+
9056 -+#ifdef CONFIG_PAX_KERNEXEC
9057 -+ " movl %0, %%cr0\n"
9058 -+#endif
9059 -+
9060 - " jmp 2b\n"
9061 - ".previous\n"
9062 - ".section __ex_table,\"a\"\n"
9063 - " .align 4\n"
9064 - " .long 1b, 3b\n"
9065 - ".previous"
9066 -- : : "r" (from), "r" (to) : "memory");
9067 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
9068 - from+=64;
9069 - to+=64;
9070 - }
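Review bot: this is the third and fourth verbatim copy of the CR0.WP open/close sequence from the SSE fast_copy_page above; four hand-maintained copies of a sequence that must be exactly right are a maintenance risk, so factor them into an open/close macro pair. The same note about the unmasked-interrupt window and the bare `0xFFFEFFFF` mask applies here. Minor style point: the hunk replaces two blank lines with the `cr0` declaration and a single blank line, which matches the rest of the file, so that part is fine as is.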
9071 -diff -urNp linux-2.6.24.4/arch/x86/lib/putuser_32.S linux-2.6.24.4/arch/x86/lib/putuser_32.S
9072 ---- linux-2.6.24.4/arch/x86/lib/putuser_32.S 2008-03-24 14:49:18.000000000 -0400
9073 -+++ linux-2.6.24.4/arch/x86/lib/putuser_32.S 2008-03-26 17:56:55.000000000 -0400
9074 -@@ -11,7 +11,7 @@
9075 - #include <linux/linkage.h>
9076 - #include <asm/dwarf2.h>
9077 - #include <asm/thread_info.h>
9078 --
9079 -+#include <asm/segment.h>
9080 -
9081 - /*
9082 - * __put_user_X
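Review bot: `<asm/segment.h>` is the right header for the `__USER_DS` selector used in the hunks below, but the include is dropped in place of the blank line that separated the include block from the `__put_user_X` comment; keep the separator line.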
9083 -@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
9084 - ENTER
9085 - cmpl TI_addr_limit(%ebx),%ecx
9086 - jae bad_put_user
9087 -+ pushl $(__USER_DS)
9088 -+ popl %ds
9089 - 1: movb %al,(%ecx)
9090 -+ pushl %ss
9091 -+ popl %ds
9092 - xorl %eax,%eax
9093 - EXIT
9094 - ENDPROC(__put_user_1)
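Review bot: the `pushl $(__USER_DS)` / `popl %ds` pair around the store at label 1 lacks CFI_ADJUST_CFA_OFFSET annotations, unlike the identical pair added to bad_put_user further down, so for the one instruction between push and pop the unwind info is off by four bytes; annotate both instructions as bad_put_user does. On the substance: switching %ds to the user segment for just the faulting store is what confines the write to user space (the UDEREF model), and the restore `pushl %ss; popl %ds` relies on %ss holding the kernel data segment on entry, which deserves a one-line comment. A fault at label 1 leaves %ds set to __USER_DS when control reaches bad_put_user, which is why the restore added there is required.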
9095 -@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
9096 - subl $1,%ebx
9097 - cmpl %ebx,%ecx
9098 - jae bad_put_user
9099 -+ pushl $(__USER_DS)
9100 -+ popl %ds
9101 - 2: movw %ax,(%ecx)
9102 -+ pushl %ss
9103 -+ popl %ds
9104 - xorl %eax,%eax
9105 - EXIT
9106 - ENDPROC(__put_user_2)
9107 -@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
9108 - subl $3,%ebx
9109 - cmpl %ebx,%ecx
9110 - jae bad_put_user
9111 -+ pushl $(__USER_DS)
9112 -+ popl %ds
9113 - 3: movl %eax,(%ecx)
9114 -+ pushl %ss
9115 -+ popl %ds
9116 - xorl %eax,%eax
9117 - EXIT
9118 - ENDPROC(__put_user_4)
9119 -@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
9120 - subl $7,%ebx
9121 - cmpl %ebx,%ecx
9122 - jae bad_put_user
9123 -+ pushl $(__USER_DS)
9124 -+ popl %ds
9125 - 4: movl %eax,(%ecx)
9126 - 5: movl %edx,4(%ecx)
9127 -+ pushl %ss
9128 -+ popl %ds
9129 - xorl %eax,%eax
9130 - EXIT
9131 - ENDPROC(__put_user_8)
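Review bot: both stores (labels 4 and 5) sit inside the %ds window, so a fault at 5 after the first half was written arrives at bad_put_user with %ds still set to __USER_DS; the restore added in bad_put_user below covers that, provided the __ex_table entries for 4 and 5 both point there, which this hunk does not show, so please confirm. The missing CFI_ADJUST_CFA_OFFSET annotations noted for __put_user_1 apply here as well.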
9132 -@@ -85,6 +101,10 @@ bad_put_user:
9133 - CFI_DEF_CFA esp, 2*4
9134 - CFI_OFFSET eip, -1*4
9135 - CFI_OFFSET ebx, -2*4
9136 -+ pushl %ss
9137 -+ CFI_ADJUST_CFA_OFFSET 4
9138 -+ popl %ds
9139 -+ CFI_ADJUST_CFA_OFFSET -4
9140 - movl $-14,%eax
9141 - EXIT
9142 - END(bad_put_user)
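Review bot: this is the common fault target for all four entries, so restoring %ds here is the right single place to do it, and the CFI_ADJUST_CFA_OFFSET pair around the push/pop is correct. The entries above add the same push/pop without those annotations; make them consistent so the unwinder sees the same CFA on both the normal and the fault path.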
9143 -diff -urNp linux-2.6.24.4/arch/x86/lib/usercopy_32.c linux-2.6.24.4/arch/x86/lib/usercopy_32.c
9144 ---- linux-2.6.24.4/arch/x86/lib/usercopy_32.c 2008-03-24 14:49:18.000000000 -0400
9145 -+++ linux-2.6.24.4/arch/x86/lib/usercopy_32.c 2008-03-26 17:56:55.000000000 -0400
9146 -@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
9147 - * Copy a null terminated string from userspace.
9148 - */
9149 -
9150 --#define __do_strncpy_from_user(dst,src,count,res) \
9151 --do { \
9152 -- int __d0, __d1, __d2; \
9153 -- might_sleep(); \
9154 -- __asm__ __volatile__( \
9155 -- " testl %1,%1\n" \
9156 -- " jz 2f\n" \
9157 -- "0: lodsb\n" \
9158 -- " stosb\n" \
9159 -- " testb %%al,%%al\n" \
9160 -- " jz 1f\n" \
9161 -- " decl %1\n" \
9162 -- " jnz 0b\n" \
9163 -- "1: subl %1,%0\n" \
9164 -- "2:\n" \
9165 -- ".section .fixup,\"ax\"\n" \
9166 -- "3: movl %5,%0\n" \
9167 -- " jmp 2b\n" \
9168 -- ".previous\n" \
9169 -- ".section __ex_table,\"a\"\n" \
9170 -- " .align 4\n" \
9171 -- " .long 0b,3b\n" \
9172 -- ".previous" \
9173 -- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
9174 -- "=&D" (__d2) \
9175 -- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
9176 -- : "memory"); \
9177 --} while (0)
9178 -+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
9179 -+{
9180 -+ int __d0, __d1, __d2;
9181 -+ long res = -EFAULT;
9182 -+
9183 -+ might_sleep();
9184 -+ __asm__ __volatile__(
9185 -+ " movw %w10,%%ds\n"
9186 -+ " testl %1,%1\n"
9187 -+ " jz 2f\n"
9188 -+ "0: lodsb\n"
9189 -+ " stosb\n"
9190 -+ " testb %%al,%%al\n"
9191 -+ " jz 1f\n"
9192 -+ " decl %1\n"
9193 -+ " jnz 0b\n"
9194 -+ "1: subl %1,%0\n"
9195 -+ "2:\n"
9196 -+ " pushl %%ss\n"
9197 -+ " popl %%ds\n"
9198 -+ ".section .fixup,\"ax\"\n"
9199 -+ "3: movl %5,%0\n"
9200 -+ " jmp 2b\n"
9201 -+ ".previous\n"
9202 -+ ".section __ex_table,\"a\"\n"
9203 -+ " .align 4\n"
9204 -+ " .long 0b,3b\n"
9205 -+ ".previous"
9206 -+ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
9207 -+ "=&D" (__d2)
9208 -+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
9209 -+ "r"(__USER_DS)
9210 -+ : "memory");
9211 -+ return res;
9212 -+}
9213 -
9214 - /**
9215 - * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
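Review bot: `long res = -EFAULT;` is dead: operand 0 is tied to `count` by the `"0"(count)` input, so %edx enters the asm holding count, and on the `jz 2f` path (count == 0) the function returns 0, which is the correct result; drop the initializer or it misleads the reader into thinking the zero-length case yields -EFAULT. Operand numbering checks out: outputs are 0..4 and inputs 5..10, so `%w10` is the `"r"(__USER_DS)` selector. The `pushl %%ss; popl %%ds` restore is placed at label 2, which is also the target of the fixup's `jmp 2b`, so %ds is reloaded on both the normal and the fault path; `lodsb` reads through %ds (now the user segment) and `stosb` writes through %es (still the kernel segment), so the direction of the switch is right. Converting the macro to a static function changes the call convention; the two callers are updated in the following hunks.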
9216 -@@ -81,9 +88,7 @@ do { \
9217 - long
9218 - __strncpy_from_user(char *dst, const char __user *src, long count)
9219 - {
9220 -- long res;
9221 -- __do_strncpy_from_user(dst, src, count, res);
9222 -- return res;
9223 -+ return __do_strncpy_from_user(dst, src, count);
9224 - }
9225 - EXPORT_SYMBOL(__strncpy_from_user);
9226 -
9227 -@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
9228 - {
9229 - long res = -EFAULT;
9230 - if (access_ok(VERIFY_READ, src, 1))
9231 -- __do_strncpy_from_user(dst, src, count, res);
9232 -+ res = __do_strncpy_from_user(dst, src, count);
9233 - return res;
9234 - }
9235 - EXPORT_SYMBOL(strncpy_from_user);
9236 -@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
9237 - * Zero Userspace
9238 - */
9239 -
9240 --#define __do_clear_user(addr,size) \
9241 --do { \
9242 -- int __d0; \
9243 -- might_sleep(); \
9244 -- __asm__ __volatile__( \
9245 -- "0: rep; stosl\n" \
9246 -- " movl %2,%0\n" \
9247 -- "1: rep; stosb\n" \
9248 -- "2:\n" \
9249 -- ".section .fixup,\"ax\"\n" \
9250 -- "3: lea 0(%2,%0,4),%0\n" \
9251 -- " jmp 2b\n" \
9252 -- ".previous\n" \
9253 -- ".section __ex_table,\"a\"\n" \
9254 -- " .align 4\n" \
9255 -- " .long 0b,3b\n" \
9256 -- " .long 1b,2b\n" \
9257 -- ".previous" \
9258 -- : "=&c"(size), "=&D" (__d0) \
9259 -- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
9260 --} while (0)
9261 -+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
9262 -+{
9263 -+ int __d0;
9264 -+
9265 -+ might_sleep();
9266 -+ __asm__ __volatile__(
9267 -+ " movw %w6,%%es\n"
9268 -+ "0: rep; stosl\n"
9269 -+ " movl %2,%0\n"
9270 -+ "1: rep; stosb\n"
9271 -+ "2:\n"
9272 -+ " pushl %%ss\n"
9273 -+ " popl %%es\n"
9274 -+ ".section .fixup,\"ax\"\n"
9275 -+ "3: lea 0(%2,%0,4),%0\n"
9276 -+ " jmp 2b\n"
9277 -+ ".previous\n"
9278 -+ ".section __ex_table,\"a\"\n"
9279 -+ " .align 4\n"
9280 -+ " .long 0b,3b\n"
9281 -+ " .long 1b,2b\n"
9282 -+ ".previous"
9283 -+ : "=&c"(size), "=&D" (__d0)
9284 -+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
9285 -+ "r"(__USER_DS));
9286 -+ return size;
9287 -+}
9288 -
9289 - /**
9290 - * clear_user: - Zero a block of memory in user space.
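Review bot: `%w6` resolves to the `"r"(__USER_DS)` input (outputs 0..1, inputs 2..6), and both __ex_table targets pass through the `pushl %%ss; popl %%es` at label 2 (3 via `jmp 2b`, 1b directly to 2b), so %es is restored on every exit. `rep; stosl` and `rep; stosb` write through %es, so the zeroing now goes through the user segment instead of the kernel's flat data segment; that is the point of the change and merits a comment on the function. As in the original macro there is no "memory" clobber; since the destination is user memory that is defensible, but worth a note.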
9291 -@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
9292 - {
9293 - might_sleep();
9294 - if (access_ok(VERIFY_WRITE, to, n))
9295 -- __do_clear_user(to, n);
9296 -+ n = __do_clear_user(to, n);
9297 - return n;
9298 - }
9299 - EXPORT_SYMBOL(clear_user);
9300 -@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
9301 - unsigned long
9302 - __clear_user(void __user *to, unsigned long n)
9303 - {
9304 -- __do_clear_user(to, n);
9305 -- return n;
9306 -+ return __do_clear_user(to, n);
9307 - }
9308 - EXPORT_SYMBOL(__clear_user);
9309 -
9310 -@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
9311 - might_sleep();
9312 -
9313 - __asm__ __volatile__(
9314 -+ " movw %w8,%%es\n"
9315 - " testl %0, %0\n"
9316 - " jz 3f\n"
9317 -- " andl %0,%%ecx\n"
9318 -+ " movl %0,%%ecx\n"
9319 - "0: repne; scasb\n"
9320 - " setne %%al\n"
9321 - " subl %%ecx,%0\n"
9322 - " addl %0,%%eax\n"
9323 - "1:\n"
9324 -+ " pushl %%ss\n"
9325 -+ " popl %%es\n"
9326 - ".section .fixup,\"ax\"\n"
9327 - "2: xorl %%eax,%%eax\n"
9328 - " jmp 1b\n"
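Review bot: the `andl %0,%%ecx` to `movl %0,%%ecx` change alters behaviour, not just the segment: %ecx was seeded with `mask` by the `"3" (mask)` input and `andl` bounded the scan count by it, whereas now %ecx is n unconditionally and `repne; scasb` runs with the unmasked length; mask is only applied afterwards in `return res & mask`. If the intent is to rely on the __USER_DS segment loaded by `movw %w8,%%es` to fault on addresses outside user space, say so in a comment; otherwise keep the `andl`. `%w8` is the right index for the new selector input (outputs 0..3, inputs 4..8, with the input itself in the next hunk), and the `pushl %%ss; popl %%es` at label 1 is reached by the fixup's `jmp 1b`, so %es is restored on the fault path.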
9329 -@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
9330 - " .long 0b,2b\n"
9331 - ".previous"
9332 - :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
9333 -- :"0" (n), "1" (s), "2" (0), "3" (mask)
9334 -+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
9335 - :"cc");
9336 - return res & mask;
9337 - }
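Review bot: with the `movl %0,%%ecx` change in the previous hunk, `"3" (mask)` is now a dead input: its value in %ecx is overwritten before any use, so either remove it and renumber the operands or restore the `andl`. The added `"r" (__USER_DS)` is operand 8, matching `%w8` above.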
9338 -@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
9339 -
9340 - #ifdef CONFIG_X86_INTEL_USERCOPY
9341 - static unsigned long
9342 --__copy_user_intel(void __user *to, const void *from, unsigned long size)
9343 -+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
9344 -+{
9345 -+ int d0, d1;
9346 -+ __asm__ __volatile__(
9347 -+ " movw %w6, %%es\n"
9348 -+ " .align 2,0x90\n"
9349 -+ "1: movl 32(%4), %%eax\n"
9350 -+ " cmpl $67, %0\n"
9351 -+ " jbe 3f\n"
9352 -+ "2: movl 64(%4), %%eax\n"
9353 -+ " .align 2,0x90\n"
9354 -+ "3: movl 0(%4), %%eax\n"
9355 -+ "4: movl 4(%4), %%edx\n"
9356 -+ "5: movl %%eax, %%es:0(%3)\n"
9357 -+ "6: movl %%edx, %%es:4(%3)\n"
9358 -+ "7: movl 8(%4), %%eax\n"
9359 -+ "8: movl 12(%4),%%edx\n"
9360 -+ "9: movl %%eax, %%es:8(%3)\n"
9361 -+ "10: movl %%edx, %%es:12(%3)\n"
9362 -+ "11: movl 16(%4), %%eax\n"
9363 -+ "12: movl 20(%4), %%edx\n"
9364 -+ "13: movl %%eax, %%es:16(%3)\n"
9365 -+ "14: movl %%edx, %%es:20(%3)\n"
9366 -+ "15: movl 24(%4), %%eax\n"
9367 -+ "16: movl 28(%4), %%edx\n"
9368 -+ "17: movl %%eax, %%es:24(%3)\n"
9369 -+ "18: movl %%edx, %%es:28(%3)\n"
9370 -+ "19: movl 32(%4), %%eax\n"
9371 -+ "20: movl 36(%4), %%edx\n"
9372 -+ "21: movl %%eax, %%es:32(%3)\n"
9373 -+ "22: movl %%edx, %%es:36(%3)\n"
9374 -+ "23: movl 40(%4), %%eax\n"
9375 -+ "24: movl 44(%4), %%edx\n"
9376 -+ "25: movl %%eax, %%es:40(%3)\n"
9377 -+ "26: movl %%edx, %%es:44(%3)\n"
9378 -+ "27: movl 48(%4), %%eax\n"
9379 -+ "28: movl 52(%4), %%edx\n"
9380 -+ "29: movl %%eax, %%es:48(%3)\n"
9381 -+ "30: movl %%edx, %%es:52(%3)\n"
9382 -+ "31: movl 56(%4), %%eax\n"
9383 -+ "32: movl 60(%4), %%edx\n"
9384 -+ "33: movl %%eax, %%es:56(%3)\n"
9385 -+ "34: movl %%edx, %%es:60(%3)\n"
9386 -+ " addl $-64, %0\n"
9387 -+ " addl $64, %4\n"
9388 -+ " addl $64, %3\n"
9389 -+ " cmpl $63, %0\n"
9390 -+ " ja 1b\n"
9391 -+ "35: movl %0, %%eax\n"
9392 -+ " shrl $2, %0\n"
9393 -+ " andl $3, %%eax\n"
9394 -+ " cld\n"
9395 -+ "99: rep; movsl\n"
9396 -+ "36: movl %%eax, %0\n"
9397 -+ "37: rep; movsb\n"
9398 -+ "100:\n"
9399 -+ " pushl %%ss\n"
9400 -+ " popl %%es\n"
9401 -+ ".section .fixup,\"ax\"\n"
9402 -+ "101: lea 0(%%eax,%0,4),%0\n"
9403 -+ " jmp 100b\n"
9404 -+ ".previous\n"
9405 -+ ".section __ex_table,\"a\"\n"
9406 -+ " .align 4\n"
9407 -+ " .long 1b,100b\n"
9408 -+ " .long 2b,100b\n"
9409 -+ " .long 3b,100b\n"
9410 -+ " .long 4b,100b\n"
9411 -+ " .long 5b,100b\n"
9412 -+ " .long 6b,100b\n"
9413 -+ " .long 7b,100b\n"
9414 -+ " .long 8b,100b\n"
9415 -+ " .long 9b,100b\n"
9416 -+ " .long 10b,100b\n"
9417 -+ " .long 11b,100b\n"
9418 -+ " .long 12b,100b\n"
9419 -+ " .long 13b,100b\n"
9420 -+ " .long 14b,100b\n"
9421 -+ " .long 15b,100b\n"
9422 -+ " .long 16b,100b\n"
9423 -+ " .long 17b,100b\n"
9424 -+ " .long 18b,100b\n"
9425 -+ " .long 19b,100b\n"
9426 -+ " .long 20b,100b\n"
9427 -+ " .long 21b,100b\n"
9428 -+ " .long 22b,100b\n"
9429 -+ " .long 23b,100b\n"
9430 -+ " .long 24b,100b\n"
9431 -+ " .long 25b,100b\n"
9432 -+ " .long 26b,100b\n"
9433 -+ " .long 27b,100b\n"
9434 -+ " .long 28b,100b\n"
9435 -+ " .long 29b,100b\n"
9436 -+ " .long 30b,100b\n"
9437 -+ " .long 31b,100b\n"
9438 -+ " .long 32b,100b\n"
9439 -+ " .long 33b,100b\n"
9440 -+ " .long 34b,100b\n"
9441 -+ " .long 35b,100b\n"
9442 -+ " .long 36b,100b\n"
9443 -+ " .long 37b,100b\n"
9444 -+ " .long 99b,101b\n"
9445 -+ ".previous"
9446 -+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
9447 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9448 -+ : "eax", "edx", "memory");
9449 -+ return size;
9450 -+}
9451 -+
9452 -+static unsigned long
9453 -+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
9454 - {
9455 - int d0, d1;
9456 - __asm__ __volatile__(
9457 -+ " movw %w6, %%ds\n"
9458 - " .align 2,0x90\n"
9459 - "1: movl 32(%4), %%eax\n"
9460 - " cmpl $67, %0\n"
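Review bot: __generic_copy_to_user_intel is a copy of the original __copy_user_intel body that differs only in the `movw %w6, %%es` at entry, the `%%es:` overrides on the stores, and the `pushl %%ss; popl %%es` at label 100, while the renamed __generic_copy_from_user_intel makes the mirror-image change for %ds; generate both from one macro parameterised on the segment register rather than maintaining two copies of a forty-entry __ex_table by hand. Correctness looks right: every exception-table entry targets 100b or 101b, and 101 ends in `jmp 100b`, so %es is restored on every exit; `%w6` is the `"r"(__USER_DS)` input (outputs 0..2, inputs 3..6); `rep; movsl` and `rep; movsb` write through %es:%edi, so the tail copy also goes through the user segment; the existing `"eax", "edx", "memory"` clobbers still cover the new body.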
9461 -@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
9462 - " .align 2,0x90\n"
9463 - "3: movl 0(%4), %%eax\n"
9464 - "4: movl 4(%4), %%edx\n"
9465 -- "5: movl %%eax, 0(%3)\n"
9466 -- "6: movl %%edx, 4(%3)\n"
9467 -+ "5: movl %%eax, %%es:0(%3)\n"
9468 -+ "6: movl %%edx, %%es:4(%3)\n"
9469 - "7: movl 8(%4), %%eax\n"
9470 - "8: movl 12(%4),%%edx\n"
9471 -- "9: movl %%eax, 8(%3)\n"
9472 -- "10: movl %%edx, 12(%3)\n"
9473 -+ "9: movl %%eax, %%es:8(%3)\n"
9474 -+ "10: movl %%edx, %%es:12(%3)\n"
9475 - "11: movl 16(%4), %%eax\n"
9476 - "12: movl 20(%4), %%edx\n"
9477 -- "13: movl %%eax, 16(%3)\n"
9478 -- "14: movl %%edx, 20(%3)\n"
9479 -+ "13: movl %%eax, %%es:16(%3)\n"
9480 -+ "14: movl %%edx, %%es:20(%3)\n"
9481 - "15: movl 24(%4), %%eax\n"
9482 - "16: movl 28(%4), %%edx\n"
9483 -- "17: movl %%eax, 24(%3)\n"
9484 -- "18: movl %%edx, 28(%3)\n"
9485 -+ "17: movl %%eax, %%es:24(%3)\n"
9486 -+ "18: movl %%edx, %%es:28(%3)\n"
9487 - "19: movl 32(%4), %%eax\n"
9488 - "20: movl 36(%4), %%edx\n"
9489 -- "21: movl %%eax, 32(%3)\n"
9490 -- "22: movl %%edx, 36(%3)\n"
9491 -+ "21: movl %%eax, %%es:32(%3)\n"
9492 -+ "22: movl %%edx, %%es:36(%3)\n"
9493 - "23: movl 40(%4), %%eax\n"
9494 - "24: movl 44(%4), %%edx\n"
9495 -- "25: movl %%eax, 40(%3)\n"
9496 -- "26: movl %%edx, 44(%3)\n"
9497 -+ "25: movl %%eax, %%es:40(%3)\n"
9498 -+ "26: movl %%edx, %%es:44(%3)\n"
9499 - "27: movl 48(%4), %%eax\n"
9500 - "28: movl 52(%4), %%edx\n"
9501 -- "29: movl %%eax, 48(%3)\n"
9502 -- "30: movl %%edx, 52(%3)\n"
9503 -+ "29: movl %%eax, %%es:48(%3)\n"
9504 -+ "30: movl %%edx, %%es:52(%3)\n"
9505 - "31: movl 56(%4), %%eax\n"
9506 - "32: movl 60(%4), %%edx\n"
9507 -- "33: movl %%eax, 56(%3)\n"
9508 -- "34: movl %%edx, 60(%3)\n"
9509 -+ "33: movl %%eax, %%es:56(%3)\n"
9510 -+ "34: movl %%edx, %%es:60(%3)\n"
9511 - " addl $-64, %0\n"
9512 - " addl $64, %4\n"
9513 - " addl $64, %3\n"
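Review bot: the explicit `%%es:` overrides are required here because %ds now holds __USER_DS for the duration of the block, so an unprefixed store to the kernel destination would also go through the user segment and fault; a comment at the top of the asm stating the invariant (ds = user, es = kernel until the restore) would spare the next reader from checking it per instruction. The same applies verbatim to the __copy_user_zeroing_intel, __copy_user_zeroing_intel_nocache and __copy_user_intel_nocache hunks below, which add the same overrides to `movl` and `movnti` stores.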
9514 -@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
9515 - "36: movl %%eax, %0\n"
9516 - "37: rep; movsb\n"
9517 - "100:\n"
9518 -+ " pushl %%ss\n"
9519 -+ " popl %%ds\n"
9520 - ".section .fixup,\"ax\"\n"
9521 - "101: lea 0(%%eax,%0,4),%0\n"
9522 - " jmp 100b\n"
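Review bot: placing the `pushl %%ss; popl %%ds` at label 100 is correct, since the fixup at 101 ends with `jmp 100b` and all other __ex_table entries target 100b directly, so both the normal and the fault path reload %ds before `return size`. Note for the comment: nothing between the `movw %w6, %%ds` at entry and this point may read kernel memory through the default %ds; the `lea` in the fixup is register-only, so that holds.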
9523 -@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
9524 - " .long 99b,101b\n"
9525 - ".previous"
9526 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9527 -- : "1"(to), "2"(from), "0"(size)
9528 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9529 - : "eax", "edx", "memory");
9530 - return size;
9531 - }
9532 -@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
9533 - {
9534 - int d0, d1;
9535 - __asm__ __volatile__(
9536 -+ " movw %w6, %%ds\n"
9537 - " .align 2,0x90\n"
9538 - "0: movl 32(%4), %%eax\n"
9539 - " cmpl $67, %0\n"
9540 -@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
9541 - " .align 2,0x90\n"
9542 - "2: movl 0(%4), %%eax\n"
9543 - "21: movl 4(%4), %%edx\n"
9544 -- " movl %%eax, 0(%3)\n"
9545 -- " movl %%edx, 4(%3)\n"
9546 -+ " movl %%eax, %%es:0(%3)\n"
9547 -+ " movl %%edx, %%es:4(%3)\n"
9548 - "3: movl 8(%4), %%eax\n"
9549 - "31: movl 12(%4),%%edx\n"
9550 -- " movl %%eax, 8(%3)\n"
9551 -- " movl %%edx, 12(%3)\n"
9552 -+ " movl %%eax, %%es:8(%3)\n"
9553 -+ " movl %%edx, %%es:12(%3)\n"
9554 - "4: movl 16(%4), %%eax\n"
9555 - "41: movl 20(%4), %%edx\n"
9556 -- " movl %%eax, 16(%3)\n"
9557 -- " movl %%edx, 20(%3)\n"
9558 -+ " movl %%eax, %%es:16(%3)\n"
9559 -+ " movl %%edx, %%es:20(%3)\n"
9560 - "10: movl 24(%4), %%eax\n"
9561 - "51: movl 28(%4), %%edx\n"
9562 -- " movl %%eax, 24(%3)\n"
9563 -- " movl %%edx, 28(%3)\n"
9564 -+ " movl %%eax, %%es:24(%3)\n"
9565 -+ " movl %%edx, %%es:28(%3)\n"
9566 - "11: movl 32(%4), %%eax\n"
9567 - "61: movl 36(%4), %%edx\n"
9568 -- " movl %%eax, 32(%3)\n"
9569 -- " movl %%edx, 36(%3)\n"
9570 -+ " movl %%eax, %%es:32(%3)\n"
9571 -+ " movl %%edx, %%es:36(%3)\n"
9572 - "12: movl 40(%4), %%eax\n"
9573 - "71: movl 44(%4), %%edx\n"
9574 -- " movl %%eax, 40(%3)\n"
9575 -- " movl %%edx, 44(%3)\n"
9576 -+ " movl %%eax, %%es:40(%3)\n"
9577 -+ " movl %%edx, %%es:44(%3)\n"
9578 - "13: movl 48(%4), %%eax\n"
9579 - "81: movl 52(%4), %%edx\n"
9580 -- " movl %%eax, 48(%3)\n"
9581 -- " movl %%edx, 52(%3)\n"
9582 -+ " movl %%eax, %%es:48(%3)\n"
9583 -+ " movl %%edx, %%es:52(%3)\n"
9584 - "14: movl 56(%4), %%eax\n"
9585 - "91: movl 60(%4), %%edx\n"
9586 -- " movl %%eax, 56(%3)\n"
9587 -- " movl %%edx, 60(%3)\n"
9588 -+ " movl %%eax, %%es:56(%3)\n"
9589 -+ " movl %%edx, %%es:60(%3)\n"
9590 - " addl $-64, %0\n"
9591 - " addl $64, %4\n"
9592 - " addl $64, %3\n"
9593 -@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
9594 - " movl %%eax,%0\n"
9595 - "7: rep; movsb\n"
9596 - "8:\n"
9597 -+ " pushl %%ss\n"
9598 -+ " popl %%ds\n"
9599 - ".section .fixup,\"ax\"\n"
9600 - "9: lea 0(%%eax,%0,4),%0\n"
9601 - "16: pushl %0\n"
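Review bot: unlike the plain copy, the fixup entered at 9 and 16 runs before control reaches the restore at label 8, i.e. with %ds still set to __USER_DS; the zeroing of the kernel-side destination that follows `16: pushl %0` must therefore use %es-relative string stores (`stosb` writes %es:%edi, so that holds) and must not read through %ds. Make that invariant explicit in a comment on the fixup. The same ordering applies to the two nocache variants below, whose fixups also precede their `pushl %%ss; popl %%ds`.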
9602 -@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
9603 - " .long 7b,16b\n"
9604 - ".previous"
9605 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9606 -- : "1"(to), "2"(from), "0"(size)
9607 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9608 - : "eax", "edx", "memory");
9609 - return size;
9610 - }
9611 -@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
9612 - int d0, d1;
9613 -
9614 - __asm__ __volatile__(
9615 -+ " movw %w6, %%ds\n"
9616 - " .align 2,0x90\n"
9617 - "0: movl 32(%4), %%eax\n"
9618 - " cmpl $67, %0\n"
9619 -@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
9620 - " .align 2,0x90\n"
9621 - "2: movl 0(%4), %%eax\n"
9622 - "21: movl 4(%4), %%edx\n"
9623 -- " movnti %%eax, 0(%3)\n"
9624 -- " movnti %%edx, 4(%3)\n"
9625 -+ " movnti %%eax, %%es:0(%3)\n"
9626 -+ " movnti %%edx, %%es:4(%3)\n"
9627 - "3: movl 8(%4), %%eax\n"
9628 - "31: movl 12(%4),%%edx\n"
9629 -- " movnti %%eax, 8(%3)\n"
9630 -- " movnti %%edx, 12(%3)\n"
9631 -+ " movnti %%eax, %%es:8(%3)\n"
9632 -+ " movnti %%edx, %%es:12(%3)\n"
9633 - "4: movl 16(%4), %%eax\n"
9634 - "41: movl 20(%4), %%edx\n"
9635 -- " movnti %%eax, 16(%3)\n"
9636 -- " movnti %%edx, 20(%3)\n"
9637 -+ " movnti %%eax, %%es:16(%3)\n"
9638 -+ " movnti %%edx, %%es:20(%3)\n"
9639 - "10: movl 24(%4), %%eax\n"
9640 - "51: movl 28(%4), %%edx\n"
9641 -- " movnti %%eax, 24(%3)\n"
9642 -- " movnti %%edx, 28(%3)\n"
9643 -+ " movnti %%eax, %%es:24(%3)\n"
9644 -+ " movnti %%edx, %%es:28(%3)\n"
9645 - "11: movl 32(%4), %%eax\n"
9646 - "61: movl 36(%4), %%edx\n"
9647 -- " movnti %%eax, 32(%3)\n"
9648 -- " movnti %%edx, 36(%3)\n"
9649 -+ " movnti %%eax, %%es:32(%3)\n"
9650 -+ " movnti %%edx, %%es:36(%3)\n"
9651 - "12: movl 40(%4), %%eax\n"
9652 - "71: movl 44(%4), %%edx\n"
9653 -- " movnti %%eax, 40(%3)\n"
9654 -- " movnti %%edx, 44(%3)\n"
9655 -+ " movnti %%eax, %%es:40(%3)\n"
9656 -+ " movnti %%edx, %%es:44(%3)\n"
9657 - "13: movl 48(%4), %%eax\n"
9658 - "81: movl 52(%4), %%edx\n"
9659 -- " movnti %%eax, 48(%3)\n"
9660 -- " movnti %%edx, 52(%3)\n"
9661 -+ " movnti %%eax, %%es:48(%3)\n"
9662 -+ " movnti %%edx, %%es:52(%3)\n"
9663 - "14: movl 56(%4), %%eax\n"
9664 - "91: movl 60(%4), %%edx\n"
9665 -- " movnti %%eax, 56(%3)\n"
9666 -- " movnti %%edx, 60(%3)\n"
9667 -+ " movnti %%eax, %%es:56(%3)\n"
9668 -+ " movnti %%edx, %%es:60(%3)\n"
9669 - " addl $-64, %0\n"
9670 - " addl $64, %4\n"
9671 - " addl $64, %3\n"
9672 -@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
9673 - " movl %%eax,%0\n"
9674 - "7: rep; movsb\n"
9675 - "8:\n"
9676 -+ " pushl %%ss\n"
9677 -+ " popl %%ds\n"
9678 - ".section .fixup,\"ax\"\n"
9679 - "9: lea 0(%%eax,%0,4),%0\n"
9680 - "16: pushl %0\n"
9681 -@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
9682 - " .long 7b,16b\n"
9683 - ".previous"
9684 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9685 -- : "1"(to), "2"(from), "0"(size)
9686 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9687 - : "eax", "edx", "memory");
9688 - return size;
9689 - }
9690 -@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
9691 - int d0, d1;
9692 -
9693 - __asm__ __volatile__(
9694 -+ " movw %w6, %%ds\n"
9695 - " .align 2,0x90\n"
9696 - "0: movl 32(%4), %%eax\n"
9697 - " cmpl $67, %0\n"
9698 -@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
9699 - " .align 2,0x90\n"
9700 - "2: movl 0(%4), %%eax\n"
9701 - "21: movl 4(%4), %%edx\n"
9702 -- " movnti %%eax, 0(%3)\n"
9703 -- " movnti %%edx, 4(%3)\n"
9704 -+ " movnti %%eax, %%es:0(%3)\n"
9705 -+ " movnti %%edx, %%es:4(%3)\n"
9706 - "3: movl 8(%4), %%eax\n"
9707 - "31: movl 12(%4),%%edx\n"
9708 -- " movnti %%eax, 8(%3)\n"
9709 -- " movnti %%edx, 12(%3)\n"
9710 -+ " movnti %%eax, %%es:8(%3)\n"
9711 -+ " movnti %%edx, %%es:12(%3)\n"
9712 - "4: movl 16(%4), %%eax\n"
9713 - "41: movl 20(%4), %%edx\n"
9714 -- " movnti %%eax, 16(%3)\n"
9715 -- " movnti %%edx, 20(%3)\n"
9716 -+ " movnti %%eax, %%es:16(%3)\n"
9717 -+ " movnti %%edx, %%es:20(%3)\n"
9718 - "10: movl 24(%4), %%eax\n"
9719 - "51: movl 28(%4), %%edx\n"
9720 -- " movnti %%eax, 24(%3)\n"
9721 -- " movnti %%edx, 28(%3)\n"
9722 -+ " movnti %%eax, %%es:24(%3)\n"
9723 -+ " movnti %%edx, %%es:28(%3)\n"
9724 - "11: movl 32(%4), %%eax\n"
9725 - "61: movl 36(%4), %%edx\n"
9726 -- " movnti %%eax, 32(%3)\n"
9727 -- " movnti %%edx, 36(%3)\n"
9728 -+ " movnti %%eax, %%es:32(%3)\n"
9729 -+ " movnti %%edx, %%es:36(%3)\n"
9730 - "12: movl 40(%4), %%eax\n"
9731 - "71: movl 44(%4), %%edx\n"
9732 -- " movnti %%eax, 40(%3)\n"
9733 -- " movnti %%edx, 44(%3)\n"
9734 -+ " movnti %%eax, %%es:40(%3)\n"
9735 -+ " movnti %%edx, %%es:44(%3)\n"
9736 - "13: movl 48(%4), %%eax\n"
9737 - "81: movl 52(%4), %%edx\n"
9738 -- " movnti %%eax, 48(%3)\n"
9739 -- " movnti %%edx, 52(%3)\n"
9740 -+ " movnti %%eax, %%es:48(%3)\n"
9741 -+ " movnti %%edx, %%es:52(%3)\n"
9742 - "14: movl 56(%4), %%eax\n"
9743 - "91: movl 60(%4), %%edx\n"
9744 -- " movnti %%eax, 56(%3)\n"
9745 -- " movnti %%edx, 60(%3)\n"
9746 -+ " movnti %%eax, %%es:56(%3)\n"
9747 -+ " movnti %%edx, %%es:60(%3)\n"
9748 - " addl $-64, %0\n"
9749 - " addl $64, %4\n"
9750 - " addl $64, %3\n"
9751 -@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
9752 - " movl %%eax,%0\n"
9753 - "7: rep; movsb\n"
9754 - "8:\n"
9755 -+ " pushl %%ss\n"
9756 -+ " popl %%ds\n"
9757 - ".section .fixup,\"ax\"\n"
9758 - "9: lea 0(%%eax,%0,4),%0\n"
9759 - "16: jmp 8b\n"
9760 -@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
9761 - " .long 7b,16b\n"
9762 - ".previous"
9763 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
9764 -- : "1"(to), "2"(from), "0"(size)
9765 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
9766 - : "eax", "edx", "memory");
9767 - return size;
9768 - }
9769 -@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
9770 - */
9771 - unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
9772 - unsigned long size);
9773 --unsigned long __copy_user_intel(void __user *to, const void *from,
9774 -+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
9775 -+ unsigned long size);
9776 -+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
9777 - unsigned long size);
9778 - unsigned long __copy_user_zeroing_intel_nocache(void *to,
9779 - const void __user *from, unsigned long size);
9780 - #endif /* CONFIG_X86_INTEL_USERCOPY */
9781 -
9782 - /* Generic arbitrary sized copy. */
9783 --#define __copy_user(to,from,size) \
9784 --do { \
9785 -- int __d0, __d1, __d2; \
9786 -- __asm__ __volatile__( \
9787 -- " cmp $7,%0\n" \
9788 -- " jbe 1f\n" \
9789 -- " movl %1,%0\n" \
9790 -- " negl %0\n" \
9791 -- " andl $7,%0\n" \
9792 -- " subl %0,%3\n" \
9793 -- "4: rep; movsb\n" \
9794 -- " movl %3,%0\n" \
9795 -- " shrl $2,%0\n" \
9796 -- " andl $3,%3\n" \
9797 -- " .align 2,0x90\n" \
9798 -- "0: rep; movsl\n" \
9799 -- " movl %3,%0\n" \
9800 -- "1: rep; movsb\n" \
9801 -- "2:\n" \
9802 -- ".section .fixup,\"ax\"\n" \
9803 -- "5: addl %3,%0\n" \
9804 -- " jmp 2b\n" \
9805 -- "3: lea 0(%3,%0,4),%0\n" \
9806 -- " jmp 2b\n" \
9807 -- ".previous\n" \
9808 -- ".section __ex_table,\"a\"\n" \
9809 -- " .align 4\n" \
9810 -- " .long 4b,5b\n" \
9811 -- " .long 0b,3b\n" \
9812 -- " .long 1b,2b\n" \
9813 -- ".previous" \
9814 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
9815 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
9816 -- : "memory"); \
9817 --} while (0)
9818 --
9819 --#define __copy_user_zeroing(to,from,size) \
9820 --do { \
9821 -- int __d0, __d1, __d2; \
9822 -- __asm__ __volatile__( \
9823 -- " cmp $7,%0\n" \
9824 -- " jbe 1f\n" \
9825 -- " movl %1,%0\n" \
9826 -- " negl %0\n" \
9827 -- " andl $7,%0\n" \
9828 -- " subl %0,%3\n" \
9829 -- "4: rep; movsb\n" \
9830 -- " movl %3,%0\n" \
9831 -- " shrl $2,%0\n" \
9832 -- " andl $3,%3\n" \
9833 -- " .align 2,0x90\n" \
9834 -- "0: rep; movsl\n" \
9835 -- " movl %3,%0\n" \
9836 -- "1: rep; movsb\n" \
9837 -- "2:\n" \
9838 -- ".section .fixup,\"ax\"\n" \
9839 -- "5: addl %3,%0\n" \
9840 -- " jmp 6f\n" \
9841 -- "3: lea 0(%3,%0,4),%0\n" \
9842 -- "6: pushl %0\n" \
9843 -- " pushl %%eax\n" \
9844 -- " xorl %%eax,%%eax\n" \
9845 -- " rep; stosb\n" \
9846 -- " popl %%eax\n" \
9847 -- " popl %0\n" \
9848 -- " jmp 2b\n" \
9849 -- ".previous\n" \
9850 -- ".section __ex_table,\"a\"\n" \
9851 -- " .align 4\n" \
9852 -- " .long 4b,5b\n" \
9853 -- " .long 0b,3b\n" \
9854 -- " .long 1b,6b\n" \
9855 -- ".previous" \
9856 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
9857 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
9858 -- : "memory"); \
9859 --} while (0)
9860 -+static unsigned long
9861 -+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
9862 -+{
9863 -+ int __d0, __d1, __d2;
9864 -+
9865 -+ __asm__ __volatile__(
9866 -+ " movw %w8,%%es\n"
9867 -+ " cmp $7,%0\n"
9868 -+ " jbe 1f\n"
9869 -+ " movl %1,%0\n"
9870 -+ " negl %0\n"
9871 -+ " andl $7,%0\n"
9872 -+ " subl %0,%3\n"
9873 -+ "4: rep; movsb\n"
9874 -+ " movl %3,%0\n"
9875 -+ " shrl $2,%0\n"
9876 -+ " andl $3,%3\n"
9877 -+ " .align 2,0x90\n"
9878 -+ "0: rep; movsl\n"
9879 -+ " movl %3,%0\n"
9880 -+ "1: rep; movsb\n"
9881 -+ "2:\n"
9882 -+ " pushl %%ss\n"
9883 -+ " popl %%es\n"
9884 -+ ".section .fixup,\"ax\"\n"
9885 -+ "5: addl %3,%0\n"
9886 -+ " jmp 2b\n"
9887 -+ "3: lea 0(%3,%0,4),%0\n"
9888 -+ " jmp 2b\n"
9889 -+ ".previous\n"
9890 -+ ".section __ex_table,\"a\"\n"
9891 -+ " .align 4\n"
9892 -+ " .long 4b,5b\n"
9893 -+ " .long 0b,3b\n"
9894 -+ " .long 1b,2b\n"
9895 -+ ".previous"
9896 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9897 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9898 -+ : "memory");
9899 -+ return size;
9900 -+}
9901 -+
9902 -+static unsigned long
9903 -+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
9904 -+{
9905 -+ int __d0, __d1, __d2;
9906 -+
9907 -+ __asm__ __volatile__(
9908 -+ " movw %w8,%%ds\n"
9909 -+ " cmp $7,%0\n"
9910 -+ " jbe 1f\n"
9911 -+ " movl %1,%0\n"
9912 -+ " negl %0\n"
9913 -+ " andl $7,%0\n"
9914 -+ " subl %0,%3\n"
9915 -+ "4: rep; movsb\n"
9916 -+ " movl %3,%0\n"
9917 -+ " shrl $2,%0\n"
9918 -+ " andl $3,%3\n"
9919 -+ " .align 2,0x90\n"
9920 -+ "0: rep; movsl\n"
9921 -+ " movl %3,%0\n"
9922 -+ "1: rep; movsb\n"
9923 -+ "2:\n"
9924 -+ " pushl %%ss\n"
9925 -+ " popl %%ds\n"
9926 -+ ".section .fixup,\"ax\"\n"
9927 -+ "5: addl %3,%0\n"
9928 -+ " jmp 2b\n"
9929 -+ "3: lea 0(%3,%0,4),%0\n"
9930 -+ " jmp 2b\n"
9931 -+ ".previous\n"
9932 -+ ".section __ex_table,\"a\"\n"
9933 -+ " .align 4\n"
9934 -+ " .long 4b,5b\n"
9935 -+ " .long 0b,3b\n"
9936 -+ " .long 1b,2b\n"
9937 -+ ".previous"
9938 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9939 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9940 -+ : "memory");
9941 -+ return size;
9942 -+}
9943 -+
9944 -+static unsigned long
9945 -+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
9946 -+{
9947 -+ int __d0, __d1, __d2;
9948 -+
9949 -+ __asm__ __volatile__(
9950 -+ " movw %w8,%%ds\n"
9951 -+ " cmp $7,%0\n"
9952 -+ " jbe 1f\n"
9953 -+ " movl %1,%0\n"
9954 -+ " negl %0\n"
9955 -+ " andl $7,%0\n"
9956 -+ " subl %0,%3\n"
9957 -+ "4: rep; movsb\n"
9958 -+ " movl %3,%0\n"
9959 -+ " shrl $2,%0\n"
9960 -+ " andl $3,%3\n"
9961 -+ " .align 2,0x90\n"
9962 -+ "0: rep; movsl\n"
9963 -+ " movl %3,%0\n"
9964 -+ "1: rep; movsb\n"
9965 -+ "2:\n"
9966 -+ " pushl %%ss\n"
9967 -+ " popl %%ds\n"
9968 -+ ".section .fixup,\"ax\"\n"
9969 -+ "5: addl %3,%0\n"
9970 -+ " jmp 6f\n"
9971 -+ "3: lea 0(%3,%0,4),%0\n"
9972 -+ "6: pushl %0\n"
9973 -+ " pushl %%eax\n"
9974 -+ " xorl %%eax,%%eax\n"
9975 -+ " rep; stosb\n"
9976 -+ " popl %%eax\n"
9977 -+ " popl %0\n"
9978 -+ " jmp 2b\n"
9979 -+ ".previous\n"
9980 -+ ".section __ex_table,\"a\"\n"
9981 -+ " .align 4\n"
9982 -+ " .long 4b,5b\n"
9983 -+ " .long 0b,3b\n"
9984 -+ " .long 1b,6b\n"
9985 -+ ".previous"
9986 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
9987 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
9988 -+ : "memory");
9989 -+ return size;
9990 -+}
9991 -
9992 - unsigned long __copy_to_user_ll(void __user *to, const void *from,
9993 - unsigned long n)
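Review bot: the three copy routines ending here (`__generic_copy_to_user`, `__generic_copy_from_user`, `__copy_user_zeroing`) carry the same inline-asm body and differ only in the fixup block and in one exception-table entry (`.long 1b,2b` versus `.long 1b,6b`); that is the kind of difference that gets lost in a later edit, so consider a macro for the shared prologue/loop/epilogue with the fixup passed in, or at least a comment beside each `__ex_table` pointing out which entry is specific to the zeroing variant. Also worth a comment in `__copy_user_zeroing`: the fixup's `rep; stosb` writes through %es:%edi, which is still the kernel data segment because only %ds was switched to `__USER_DS`, so the zero-fill lands on the kernel destination as intended; a reader seeing `movw %w8,%%ds` at the top will otherwise wonder whether the fill is segment-correct.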
9994 -@@ -774,9 +965,9 @@ survive:
9995 - }
9996 - #endif
9997 - if (movsl_is_ok(to, from, n))
9998 -- __copy_user(to, from, n);
9999 -+ n = __generic_copy_to_user(to, from, n);
10000 - else
10001 -- n = __copy_user_intel(to, from, n);
10002 -+ n = __generic_copy_to_user_intel(to, from, n);
10003 - return n;
10004 - }
10005 - EXPORT_SYMBOL(__copy_to_user_ll);
10006 -@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
10007 - unsigned long n)
10008 - {
10009 - if (movsl_is_ok(to, from, n))
10010 -- __copy_user_zeroing(to, from, n);
10011 -+ n = __copy_user_zeroing(to, from, n);
10012 - else
10013 - n = __copy_user_zeroing_intel(to, from, n);
10014 - return n;
10015 -@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
10016 - unsigned long n)
10017 - {
10018 - if (movsl_is_ok(to, from, n))
10019 -- __copy_user(to, from, n);
10020 -+ n = __generic_copy_from_user(to, from, n);
10021 - else
10022 -- n = __copy_user_intel((void __user *)to,
10023 -+ n = __generic_copy_from_user_intel((void __user *)to,
10024 - (const void *)from, n);
10025 - return n;
10026 - }
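Review bot: the casts in `n = __generic_copy_from_user_intel((void __user *)to, (const void *)from, n);` were carried over from the old `__copy_user_intel` call and invert the sparse address-space annotations (a kernel pointer is marked `__user` and the user pointer is stripped). If the new `__generic_copy_from_user_intel` was given a from-user prototype, `(void *to, const void __user *from, unsigned long)`, the casts should go so sparse can check the direction; if it still takes the to-user signature, the name is misleading and the casts hide that the user segment switch happens on the wrong operand.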
10027 -@@ -809,9 +1000,9 @@ unsigned long __copy_from_user_ll_nocach
10028 - {
10029 - #ifdef CONFIG_X86_INTEL_USERCOPY
10030 - if ( n > 64 && cpu_has_xmm2)
10031 -- n = __copy_user_zeroing_intel_nocache(to, from, n);
10032 -+ n = __copy_user_zeroing_intel_nocache(to, from, n);
10033 - else
10034 -- __copy_user_zeroing(to, from, n);
10035 -+ n = __copy_user_zeroing(to, from, n);
10036 - #else
10037 - __copy_user_zeroing(to, from, n);
10038 - #endif
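Review bot: the `#else` branch of this hunk still reads `__copy_user_zeroing(to, from, n);` with the return value discarded. `__copy_user_zeroing` is now a function that returns the uncopied byte count instead of a macro that updated `n` in place, so a build without `CONFIG_X86_INTEL_USERCOPY` returns the original `n` from `__copy_from_user_ll_nocache` and every caller sees a full-length copy failure (and the destination is zeroed). Assign the result as the `#else` branch in the very next hunk for `__copy_from_user_ll_nocache_nozero` does: `n = __copy_user_zeroing(to, from, n);`. Separately, the `-`/`+` pair on `n = __copy_user_zeroing_intel_nocache(to, from, n);` shows identical text, so it is a whitespace-only change that could be dropped from the patch.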
10039 -@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
10040 - {
10041 - #ifdef CONFIG_X86_INTEL_USERCOPY
10042 - if ( n > 64 && cpu_has_xmm2)
10043 -- n = __copy_user_intel_nocache(to, from, n);
10044 -+ n = __copy_user_intel_nocache(to, from, n);
10045 - else
10046 -- __copy_user(to, from, n);
10047 -+ n = __generic_copy_from_user(to, from, n);
10048 - #else
10049 -- __copy_user(to, from, n);
10050 -+ n = __generic_copy_from_user(to, from, n);
10051 - #endif
10052 - return n;
10053 - }
10054 -@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
10055 - return n;
10056 - }
10057 - EXPORT_SYMBOL(copy_from_user);
10058 -+
10059 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10060 -+void __set_fs(mm_segment_t x, int cpu)
10061 -+{
10062 -+ unsigned long limit = x.seg;
10063 -+ __u32 a, b;
10064 -+
10065 -+ current_thread_info()->addr_limit = x;
10066 -+ if (likely(limit))
10067 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
10068 -+ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
10069 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
10070 -+}
10071 -+
10072 -+void set_fs(mm_segment_t x)
10073 -+{
10074 -+ __set_fs(x, get_cpu());
10075 -+ put_cpu_no_resched();
10076 -+}
10077 -+#else
10078 -+void set_fs(mm_segment_t x)
10079 -+{
10080 -+ current_thread_info()->addr_limit = x;
10081 -+}
10082 -+#endif
10083 -+
10084 -+EXPORT_SYMBOL(set_fs);
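Review bot: `__set_fs()` stores the limit in the per-thread `addr_limit` but programs it into the per-CPU GDT entry `GDT_ENTRY_DEFAULT_USER_DS`, so the two can disagree whenever the scheduler runs: a task that called `set_fs(KERNEL_DS)` and is migrated, or any task switched in behind it on the same CPU, would run with the previous task's user DS limit unless the context-switch path re-issues `__set_fs(current_thread_info()->addr_limit, cpu)`. That switch-time refresh is not in this hunk; please confirm it exists (and note it in a comment here), since the whole point of UDEREF is that the descriptor limit, not `addr_limit`, is what the CPU enforces. One edge case also deserves a comment: `if (likely(limit)) limit = (limit - 1UL) >> PAGE_SHIFT;` leaves `limit == 0` as a descriptor limit field of 0 with the granularity bit set in `0xC`, which is a one-page segment (offsets 0 to 0xFFF), not a null segment; if a zero `x.seg` is meant to deny all user access, build an explicit null descriptor instead.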
10085 -diff -urNp linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c
10086 ---- linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c 2008-03-24 14:49:18.000000000 -0400
10087 -+++ linux-2.6.24.4/arch/x86/mach-voyager/voyager_basic.c 2008-03-26 17:56:55.000000000 -0400
10088 -@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
10089 - __u8 cmos[4];
10090 - ClickMap_t *map;
10091 - unsigned long map_addr;
10092 -- unsigned long old;
10093 -+ pte_t old;
10094 -
10095 - if(region >= CLICK_ENTRIES) {
10096 - printk("Voyager: Illegal ClickMap region %d\n", region);
10097 -@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
10098 -
10099 - /* steal page 0 for this */
10100 - old = pg0[0];
10101 -- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
10102 -+ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
10103 - local_flush_tlb();
10104 - /* now clear everything out but page 0 */
10105 - map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
10106 -diff -urNp linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c
10107 ---- linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c 2008-03-24 14:49:18.000000000 -0400
10108 -+++ linux-2.6.24.4/arch/x86/mach-voyager/voyager_smp.c 2008-03-26 17:56:55.000000000 -0400
10109 -@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
10110 - __u32 *hijack_vector;
10111 - __u32 start_phys_address = setup_trampoline();
10112 -
10113 -+#ifdef CONFIG_PAX_KERNEXEC
10114 -+ unsigned long cr0;
10115 -+#endif
10116 -+
10117 - /* There's a clever trick to this: The linux trampoline is
10118 - * compiled to begin at absolute location zero, so make the
10119 - * address zero but have the data segment selector compensate
10120 -@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
10121 -
10122 - init_gdt(cpu);
10123 - per_cpu(current_task, cpu) = idle;
10124 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10125 -+
10126 -+#ifdef CONFIG_PAX_KERNEXEC
10127 -+ pax_open_kernel(cr0);
10128 -+#endif
10129 -+
10130 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
10131 -+
10132 -+#ifdef CONFIG_PAX_KERNEXEC
10133 -+ pax_close_kernel(cr0);
10134 -+#endif
10135 -+
10136 - irq_ctx_init(cpu);
10137 -
10138 - /* Note: Don't modify initial ss override */
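Review bot: `early_gdt_descr.address = get_cpu_gdt_table(cpu);` drops the `(unsigned long)` cast, which only compiles cleanly if the `address` member of the descriptor structure has been changed to a `struct desc_struct *` elsewhere in this patch; that dependency is invisible in this file, so a one-line comment or a mention in the changelog would save the next person from chasing a "makes pointer from integer without a cast" warning on a partially applied tree. The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` bracket is correctly the narrowest possible window around the single GDT-descriptor store.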
10139 -@@ -1277,7 +1291,7 @@ smp_local_timer_interrupt(void)
10140 - per_cpu(prof_counter, cpu);
10141 - }
10142 -
10143 -- update_process_times(user_mode_vm(get_irq_regs()));
10144 -+ update_process_times(user_mode(get_irq_regs()));
10145 - }
10146 -
10147 - if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
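Review bot: `user_mode_vm()` treats a VM86 frame (`eflags & VM_MASK`) as user mode, whereas stock `user_mode()` only checks the CS RPL. Replacing it in `smp_local_timer_interrupt()` is only correct if this patch also redefines `user_mode()` to include the VM86 case (that header change is not in this hunk); otherwise vm86 timer ticks are accounted as system time. Please confirm the header hunk is part of the same patch, since the same substitution is made in `notify_page_fault()` in `fault_32.c` below.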
10148 -diff -urNp linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c
10149 ---- linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
10150 -+++ linux-2.6.24.4/arch/x86/mm/boot_ioremap_32.c 2008-03-26 17:56:55.000000000 -0400
10151 -@@ -7,57 +7,37 @@
10152 - * Written by Dave Hansen <haveblue@××××××.com>
10153 - */
10154 -
10155 --
10156 --/*
10157 -- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
10158 -- * keeps that from happening. If anyone has a better way, I'm listening.
10159 -- *
10160 -- * boot_pte_t is defined only if this all works correctly
10161 -- */
10162 --
10163 --#undef CONFIG_X86_PAE
10164 - #undef CONFIG_PARAVIRT
10165 - #include <asm/page.h>
10166 - #include <asm/pgtable.h>
10167 - #include <asm/tlbflush.h>
10168 - #include <linux/init.h>
10169 - #include <linux/stddef.h>
10170 --
10171 --/*
10172 -- * I'm cheating here. It is known that the two boot PTE pages are
10173 -- * allocated next to each other. I'm pretending that they're just
10174 -- * one big array.
10175 -- */
10176 --
10177 --#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
10178 --
10179 --static unsigned long boot_pte_index(unsigned long vaddr)
10180 --{
10181 -- return __pa(vaddr) >> PAGE_SHIFT;
10182 --}
10183 --
10184 --static inline boot_pte_t* boot_vaddr_to_pte(void *address)
10185 --{
10186 -- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
10187 -- return &boot_pg[boot_pte_index((unsigned long)address)];
10188 --}
10189 -+#include <linux/sched.h>
10190 -
10191 - /*
10192 - * This is only for a caller who is clever enough to page-align
10193 - * phys_addr and virtual_source, and who also has a preference
10194 - * about which virtual address from which to steal ptes
10195 - */
10196 --static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
10197 -- void* virtual_source)
10198 -+static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
10199 -+ char* virtual_source)
10200 - {
10201 -- boot_pte_t* pte;
10202 -- int i;
10203 -- char *vaddr = virtual_source;
10204 -+ pgd_t *pgd;
10205 -+ pud_t *pud;
10206 -+ pmd_t *pmd;
10207 -+ pte_t* pte;
10208 -+ unsigned int i;
10209 -+ unsigned long vaddr = (unsigned long)virtual_source;
10210 -+
10211 -+ pgd = pgd_offset_k(vaddr);
10212 -+ pud = pud_offset(pgd, vaddr);
10213 -+ pmd = pmd_offset(pud, vaddr);
10214 -+ pte = pte_offset_kernel(pmd, vaddr);
10215 -
10216 -- pte = boot_vaddr_to_pte(virtual_source);
10217 - for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
10218 - set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
10219 -- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
10220 -+ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
10221 - }
10222 - }
10223 -
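Review bot: the rewritten loop still does `pte++` across all `nrpages` entries starting from the PTE looked up for `vaddr`, so a range that crosses into the next page-table page walks off the end of the current one; the removed comment ("I'm pretending that they're just one big array") at least documented that assumption for the old two-page `pg0` hack, but the rewrite keeps the assumption and drops the comment. Suggest a `BUG_ON(pte_index(vaddr) + nrpages > PTRS_PER_PTE)` before the loop, or a comment stating the caller guarantees it. Two smaller points: `__boot_ioremap` is now `__init`, so every caller must be `__init` as well (not visible here), and `char* virtual_source` / `pte_t* pte` should be `char *virtual_source` / `pte_t *pte` per kernel style.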
10224 -diff -urNp linux-2.6.24.4/arch/x86/mm/extable_32.c linux-2.6.24.4/arch/x86/mm/extable_32.c
10225 ---- linux-2.6.24.4/arch/x86/mm/extable_32.c 2008-03-24 14:49:18.000000000 -0400
10226 -+++ linux-2.6.24.4/arch/x86/mm/extable_32.c 2008-03-26 17:56:55.000000000 -0400
10227 -@@ -4,14 +4,63 @@
10228 -
10229 - #include <linux/module.h>
10230 - #include <linux/spinlock.h>
10231 -+#include <linux/sort.h>
10232 - #include <asm/uaccess.h>
10233 -
10234 -+/*
10235 -+ * The exception table needs to be sorted so that the binary
10236 -+ * search that we use to find entries in it works properly.
10237 -+ * This is used both for the kernel exception table and for
10238 -+ * the exception tables of modules that get loaded.
10239 -+ */
10240 -+static int cmp_ex(const void *a, const void *b)
10241 -+{
10242 -+ const struct exception_table_entry *x = a, *y = b;
10243 -+
10244 -+ /* avoid overflow */
10245 -+ if (x->insn > y->insn)
10246 -+ return 1;
10247 -+ if (x->insn < y->insn)
10248 -+ return -1;
10249 -+ return 0;
10250 -+}
10251 -+
10252 -+static void swap_ex(void *a, void *b, int size)
10253 -+{
10254 -+ struct exception_table_entry t, *x = a, *y = b;
10255 -+
10256 -+#ifdef CONFIG_PAX_KERNEXEC
10257 -+ unsigned long cr0;
10258 -+#endif
10259 -+
10260 -+ t = *x;
10261 -+
10262 -+#ifdef CONFIG_PAX_KERNEXEC
10263 -+ pax_open_kernel(cr0);
10264 -+#endif
10265 -+
10266 -+ *x = *y;
10267 -+ *y = t;
10268 -+
10269 -+#ifdef CONFIG_PAX_KERNEXEC
10270 -+ pax_close_kernel(cr0);
10271 -+#endif
10272 -+
10273 -+}
10274 -+
10275 -+void sort_extable(struct exception_table_entry *start,
10276 -+ struct exception_table_entry *finish)
10277 -+{
10278 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
10279 -+ cmp_ex, swap_ex);
10280 -+}
10281 -+
10282 - int fixup_exception(struct pt_regs *regs)
10283 - {
10284 - const struct exception_table_entry *fixup;
10285 -
10286 - #ifdef CONFIG_PNPBIOS
10287 -- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
10288 -+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
10289 - {
10290 - extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
10291 - extern u32 pnp_bios_is_utter_crap;
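Review bot: `swap_ex()` opens and closes the KERNEXEC write window (`pax_open_kernel(cr0)` / `pax_close_kernel(cr0)`) on every single element swap; `sort()` is a heapsort, so that is O(n log n) CR0 toggles per exception table. It is boot- and module-load-only work, but opening once in `sort_extable()` around the `sort()` call would make the cost one toggle per table, at the price of a wider write window; either choice is defensible, so state the one you picked in the comment above `cmp_ex`. Also make sure `ARCH_HAS_SORT_EXTABLE` is defined for x86 in this patch, otherwise `lib/extable.c` still builds its own `sort_extable` and the link fails with a duplicate symbol. Minor: the `size` parameter of `swap_ex` is unused (fine for the `sort()` callback signature, but worth a `(void)size;` or comment), and there is a stray blank line before the closing brace of `swap_ex`.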
10292 -diff -urNp linux-2.6.24.4/arch/x86/mm/extable_64.c linux-2.6.24.4/arch/x86/mm/extable_64.c
10293 ---- linux-2.6.24.4/arch/x86/mm/extable_64.c 2008-03-24 14:49:18.000000000 -0400
10294 -+++ linux-2.6.24.4/arch/x86/mm/extable_64.c 2008-03-26 17:56:55.000000000 -0400
10295 -@@ -4,9 +4,58 @@
10296 -
10297 - #include <linux/module.h>
10298 - #include <linux/spinlock.h>
10299 -+#include <linux/sort.h>
10300 - #include <linux/init.h>
10301 - #include <asm/uaccess.h>
10302 -
10303 -+/*
10304 -+ * The exception table needs to be sorted so that the binary
10305 -+ * search that we use to find entries in it works properly.
10306 -+ * This is used both for the kernel exception table and for
10307 -+ * the exception tables of modules that get loaded.
10308 -+ */
10309 -+static int cmp_ex(const void *a, const void *b)
10310 -+{
10311 -+ const struct exception_table_entry *x = a, *y = b;
10312 -+
10313 -+ /* avoid overflow */
10314 -+ if (x->insn > y->insn)
10315 -+ return 1;
10316 -+ if (x->insn < y->insn)
10317 -+ return -1;
10318 -+ return 0;
10319 -+}
10320 -+
10321 -+static void swap_ex(void *a, void *b, int size)
10322 -+{
10323 -+ struct exception_table_entry t, *x = a, *y = b;
10324 -+
10325 -+#ifdef CONFIG_PAX_KERNEXEC
10326 -+ unsigned long cr0;
10327 -+#endif
10328 -+
10329 -+ t = *x;
10330 -+
10331 -+#ifdef CONFIG_PAX_KERNEXEC
10332 -+ pax_open_kernel(cr0);
10333 -+#endif
10334 -+
10335 -+ *x = *y;
10336 -+ *y = t;
10337 -+
10338 -+#ifdef CONFIG_PAX_KERNEXEC
10339 -+ pax_close_kernel(cr0);
10340 -+#endif
10341 -+
10342 -+}
10343 -+
10344 -+void sort_extable(struct exception_table_entry *start,
10345 -+ struct exception_table_entry *finish)
10346 -+{
10347 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
10348 -+ cmp_ex, swap_ex);
10349 -+}
10350 -+
10351 - /* Simple binary search */
10352 - const struct exception_table_entry *
10353 - search_extable(const struct exception_table_entry *first,
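Review bot: this hunk is byte-for-byte the same `cmp_ex` / `swap_ex` / `sort_extable` trio as the `extable_32.c` hunk above; since both files already include `<asm/uaccess.h>`, move the three functions into one shared x86 file (or a header-level `static inline` set) rather than maintaining two copies that must change in lockstep, in particular the KERNEXEC open/close bracket in `swap_ex`.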
10354 -diff -urNp linux-2.6.24.4/arch/x86/mm/fault_32.c linux-2.6.24.4/arch/x86/mm/fault_32.c
10355 ---- linux-2.6.24.4/arch/x86/mm/fault_32.c 2008-03-24 14:49:18.000000000 -0400
10356 -+++ linux-2.6.24.4/arch/x86/mm/fault_32.c 2008-03-26 18:53:27.000000000 -0400
10357 -@@ -26,10 +26,14 @@
10358 - #include <linux/uaccess.h>
10359 - #include <linux/kdebug.h>
10360 - #include <linux/kprobes.h>
10361 -+#include <linux/unistd.h>
10362 -+#include <linux/compiler.h>
10363 -+#include <linux/binfmts.h>
10364 -
10365 - #include <asm/system.h>
10366 - #include <asm/desc.h>
10367 - #include <asm/segment.h>
10368 -+#include <asm/tlbflush.h>
10369 -
10370 - extern void die(const char *,struct pt_regs *,long);
10371 -
10372 -@@ -39,7 +43,7 @@ static inline int notify_page_fault(stru
10373 - int ret = 0;
10374 -
10375 - /* kprobe_running() needs smp_processor_id() */
10376 -- if (!user_mode_vm(regs)) {
10377 -+ if (!user_mode(regs)) {
10378 - preempt_disable();
10379 - if (kprobe_running() && kprobe_fault_handler(regs, 14))
10380 - ret = 1;
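Review bot: same concern as for the `smp_local_timer_interrupt()` change: `if (!user_mode(regs))` replaces `user_mode_vm()`, so a kprobe fault taken in a VM86 frame is now classified as user mode only if `user_mode()` has been redefined to test `VM_MASK`; confirm that header change accompanies this patch.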
10381 -@@ -74,7 +78,8 @@ static inline unsigned long get_segment_
10382 - {
10383 - unsigned long eip = regs->eip;
10384 - unsigned seg = regs->xcs & 0xffff;
10385 -- u32 seg_ar, seg_limit, base, *desc;
10386 -+ u32 seg_ar, seg_limit, base;
10387 -+ struct desc_struct *desc;
10388 -
10389 - /* Unlikely, but must come before segment checks. */
10390 - if (unlikely(regs->eflags & VM_MASK)) {
10391 -@@ -88,7 +93,7 @@ static inline unsigned long get_segment_
10392 -
10393 - /* By far the most common cases. */
10394 - if (likely(SEGMENT_IS_FLAT_CODE(seg)))
10395 -- return eip;
10396 -+ return seg == __KERNEL_CS ? ktla_ktva(eip) : eip;
10397 -
10398 - /* Check the segment exists, is within the current LDT/GDT size,
10399 - that kernel/user (ring 0..3) has the appropriate privilege,
10400 -@@ -103,21 +108,24 @@ static inline unsigned long get_segment_
10401 - /* Get the GDT/LDT descriptor base.
10402 - When you look for races in this code remember that
10403 - LDT and other horrors are only used in user space. */
10404 -- if (seg & (1<<2)) {
10405 -+ if (seg & SEGMENT_LDT) {
10406 - /* Must lock the LDT while reading it. */
10407 - mutex_lock(&current->mm->context.lock);
10408 -- desc = current->mm->context.ldt;
10409 -- desc = (void *)desc + (seg & ~7);
10410 -+ if ((seg >> 3) >= current->mm->context.size) {
10411 -+ mutex_unlock(&current->mm->context.lock);
10412 -+ *eip_limit = 0;
10413 -+ return 1; /* So that returned eip > *eip_limit. */
10414 -+ }
10415 -+ desc = &current->mm->context.ldt[seg >> 3];
10416 - } else {
10417 - /* Must disable preemption while reading the GDT. */
10418 -- desc = (u32 *)get_cpu_gdt_table(get_cpu());
10419 -- desc = (void *)desc + (seg & ~7);
10420 -+ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
10421 - }
10422 -
10423 - /* Decode the code segment base from the descriptor */
10424 -- base = get_desc_base((unsigned long *)desc);
10425 -+ base = get_desc_base(desc);
10426 -
10427 -- if (seg & (1<<2)) {
10428 -+ if (seg & SEGMENT_LDT) {
10429 - mutex_unlock(&current->mm->context.lock);
10430 - } else
10431 - put_cpu();
10432 -@@ -216,6 +224,30 @@ static noinline void force_sig_info_faul
10433 -
10434 - fastcall void do_invalid_op(struct pt_regs *, unsigned long);
10435 -
10436 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10437 -+static int pax_handle_fetch_fault(struct pt_regs *regs);
10438 -+#endif
10439 -+
10440 -+#ifdef CONFIG_PAX_PAGEEXEC
10441 -+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
10442 -+{
10443 -+ pgd_t *pgd;
10444 -+ pud_t *pud;
10445 -+ pmd_t *pmd;
10446 -+
10447 -+ pgd = pgd_offset(mm, address);
10448 -+ if (!pgd_present(*pgd))
10449 -+ return NULL;
10450 -+ pud = pud_offset(pgd, address);
10451 -+ if (!pud_present(*pud))
10452 -+ return NULL;
10453 -+ pmd = pmd_offset(pud, address);
10454 -+ if (!pmd_present(*pmd))
10455 -+ return NULL;
10456 -+ return pmd;
10457 -+}
10458 -+#endif
10459 -+
10460 - static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
10461 - {
10462 - unsigned index = pgd_index(address);
10463 -@@ -299,19 +331,26 @@ fastcall void __kprobes do_page_fault(st
10464 - struct task_struct *tsk;
10465 - struct mm_struct *mm;
10466 - struct vm_area_struct * vma;
10467 -- unsigned long address;
10468 - int write, si_code;
10469 - int fault;
10470 -+ pte_t *pte;
10471 -+
10472 -+#ifdef CONFIG_PAX_PAGEEXEC
10473 -+ pmd_t *pmd;
10474 -+ spinlock_t *ptl;
10475 -+ unsigned char pte_mask;
10476 -+#endif
10477 -+
10478 -+ /* get the address */
10479 -+ const unsigned long address = read_cr2();
10480 -
10481 - /*
10482 - * We can fault from pretty much anywhere, with unknown IRQ state.
10483 - */
10484 - trace_hardirqs_fixup();
10485 -
10486 -- /* get the address */
10487 -- address = read_cr2();
10488 --
10489 - tsk = current;
10490 -+ mm = tsk->mm;
10491 -
10492 - si_code = SEGV_MAPERR;
10493 -
10494 -@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
10495 - if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
10496 - local_irq_enable();
10497 -
10498 -- mm = tsk->mm;
10499 --
10500 - /*
10501 - * If we're in an interrupt, have no user context or are running in an
10502 - * atomic region then we must not take the fault..
10503 - */
10504 - if (in_atomic() || !mm)
10505 -- goto bad_area_nosemaphore;
10506 -+ goto bad_area_nopax;
10507 -
10508 - /* When running in the kernel we expect faults to occur only to
10509 - * addresses in user space. All other faults represent errors in the
10510 -@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
10511 - if (!down_read_trylock(&mm->mmap_sem)) {
10512 - if ((error_code & 4) == 0 &&
10513 - !search_exception_tables(regs->eip))
10514 -- goto bad_area_nosemaphore;
10515 -+ goto bad_area_nopax;
10516 - down_read(&mm->mmap_sem);
10517 - }
10518 -
10519 -+#ifdef CONFIG_PAX_PAGEEXEC
10520 -+ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
10521 -+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
10522 -+ goto not_pax_fault;
10523 -+
10524 -+ /* PaX: it's our fault, let's handle it if we can */
10525 -+
10526 -+ /* PaX: take a look at read faults before acquiring any locks */
10527 -+ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
10528 -+ /* instruction fetch attempt from a protected page in user mode */
10529 -+ up_read(&mm->mmap_sem);
10530 -+
10531 -+#ifdef CONFIG_PAX_EMUTRAMP
10532 -+ switch (pax_handle_fetch_fault(regs)) {
10533 -+ case 2:
10534 -+ return;
10535 -+ }
10536 -+#endif
10537 -+
10538 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10539 -+ do_group_exit(SIGKILL);
10540 -+ }
10541 -+
10542 -+ pmd = pax_get_pmd(mm, address);
10543 -+ if (unlikely(!pmd))
10544 -+ goto not_pax_fault;
10545 -+
10546 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
10547 -+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
10548 -+ pte_unmap_unlock(pte, ptl);
10549 -+ goto not_pax_fault;
10550 -+ }
10551 -+
10552 -+ if (unlikely((error_code & 2) && !pte_write(*pte))) {
10553 -+ /* write attempt to a protected page in user mode */
10554 -+ pte_unmap_unlock(pte, ptl);
10555 -+ goto not_pax_fault;
10556 -+ }
10557 -+
10558 -+#ifdef CONFIG_SMP
10559 -+ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
10560 -+#else
10561 -+ if (likely(address > get_limit(regs->xcs)))
10562 -+#endif
10563 -+ {
10564 -+ set_pte(pte, pte_mkread(*pte));
10565 -+ __flush_tlb_one(address);
10566 -+ pte_unmap_unlock(pte, ptl);
10567 -+ up_read(&mm->mmap_sem);
10568 -+ return;
10569 -+ }
10570 -+
10571 -+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
10572 -+
10573 -+ /*
10574 -+ * PaX: fill DTLB with user rights and retry
10575 -+ */
10576 -+ __asm__ __volatile__ (
10577 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10578 -+ "movw %w4,%%es\n"
10579 -+#endif
10580 -+ "orb %2,(%1)\n"
10581 -+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
10582 -+/*
10583 -+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
10584 -+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
10585 -+ * page fault when examined during a TLB load attempt. this is true not only
10586 -+ * for PTEs holding a non-present entry but also present entries that will
10587 -+ * raise a page fault (such as those set up by PaX, or the copy-on-write
10588 -+ * mechanism). in effect it means that we do *not* need to flush the TLBs
10589 -+ * for our target pages since their PTEs are simply not in the TLBs at all.
10590 -+
10591 -+ * the best thing in omitting it is that we gain around 15-20% speed in the
10592 -+ * fast path of the page fault handler and can get rid of tracing since we
10593 -+ * can no longer flush unintended entries.
10594 -+ */
10595 -+ "invlpg (%0)\n"
10596 -+#endif
10597 -+ "testb $0,%%es:(%0)\n"
10598 -+ "xorb %3,(%1)\n"
10599 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
10600 -+ "pushl %%ss\n"
10601 -+ "popl %%es\n"
10602 -+#endif
10603 -+ :
10604 -+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
10605 -+ : "memory", "cc");
10606 -+ pte_unmap_unlock(pte, ptl);
10607 -+ up_read(&mm->mmap_sem);
10608 -+ return;
10609 -+
10610 -+not_pax_fault:
10611 -+#endif
10612 -+
10613 - vma = find_vma(mm, address);
10614 - if (!vma)
10615 - goto bad_area;
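Review bot: the two ways this block grants access are not explained where they diverge. When `address > get_limit(regs->xcs)` the PTE gets `_PAGE_USER` permanently via `set_pte(pte, pte_mkread(*pte))`, while inside the code-segment limit the bit is set only for the duration of the `orb %2,(%1)` / `testb $0,%%es:(%0)` / `xorb %3,(%1)` sequence so that only the DTLB, never the PTE, ends up user-accessible; a short comment stating why pages above the CS limit can never be fetched as code (and hence may stay user-readable) while pages inside it must keep `_PAGE_USER` clear would make the invariant checkable. Two further points: the raw bit tests (`(error_code & 5) != 5`, `error_code & 2`, `error_code & 16`) would read better as named masks (present / write / user / instruction-fetch) defined at the top of the file, and the `pax_report_fault(regs, ...); do_group_exit(SIGKILL);` pair preceded by the `CONFIG_PAX_EMUTRAMP` switch appears here and twice more in `bad_area_nosemaphore`, so a small `static` helper would remove the triplication.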
10616 -@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
10617 - if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
10618 - goto bad_area;
10619 - }
10620 -+
10621 -+#ifdef CONFIG_PAX_SEGMEXEC
10622 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
10623 -+ goto bad_area;
10624 -+#endif
10625 -+
10626 - if (expand_stack(vma, address))
10627 - goto bad_area;
10628 - /*
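Review bot: the SEGMEXEC guard `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to detect a stack VMA lying in the upper (mirror) half while the faulting `address` lies in the lower half, which is the only case in which expanding the stack would cross the SEGMEXEC split; that intent is not recoverable from the expression itself, so add a comment saying "do not let a stack vma grow across the SEGMEXEC boundary" and, if readability matters more than the single compare, write it as an explicit test of which half each side is in.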
10629 -@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
10630 - good_area:
10631 - si_code = SEGV_ACCERR;
10632 - write = 0;
10633 -+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
10634 -+ goto bad_area;
10635 - switch (error_code & 3) {
10636 - default: /* 3: write, present */
10637 - /* fall through */
10638 -@@ -458,6 +597,49 @@ bad_area:
10639 - up_read(&mm->mmap_sem);
10640 -
10641 - bad_area_nosemaphore:
10642 -+
10643 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10644 -+ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
10645 -+ /*
10646 -+ * It's possible to have interrupts off here.
10647 -+ */
10648 -+ local_irq_enable();
10649 -+
10650 -+#ifdef CONFIG_PAX_PAGEEXEC
10651 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
10652 -+ ((nx_enabled && ((error_code & 16) || !(error_code & 3)) && (regs->eip == address)))) {
10653 -+
10654 -+#ifdef CONFIG_PAX_EMUTRAMP
10655 -+ switch (pax_handle_fetch_fault(regs)) {
10656 -+ case 2:
10657 -+ return;
10658 -+ }
10659 -+#endif
10660 -+
10661 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10662 -+ do_group_exit(SIGKILL);
10663 -+ }
10664 -+#endif
10665 -+
10666 -+#ifdef CONFIG_PAX_SEGMEXEC
10667 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
10668 -+
10669 -+#ifdef CONFIG_PAX_EMUTRAMP
10670 -+ switch (pax_handle_fetch_fault(regs)) {
10671 -+ case 2:
10672 -+ return;
10673 -+ }
10674 -+#endif
10675 -+
10676 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
10677 -+ do_group_exit(SIGKILL);
10678 -+ }
10679 -+#endif
10680 -+
10681 -+ }
10682 -+#endif
10683 -+
10684 -+bad_area_nopax:
10685 - /* User mode accesses just cause a SIGSEGV */
10686 - if (error_code & 4) {
10687 - /*
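Review bot: the PAGEEXEC condition `if ((mm->pax_flags & MF_PAX_PAGEEXEC) && ((nx_enabled && ((error_code & 16) || !(error_code & 3)) && (regs->eip == address)))) {` has one more pair of parentheses than it needs around the `nx_enabled && ...` clause, which makes the grouping harder to audit than it should be for a kill decision; flatten it to a single level. The EMUTRAMP `switch` / `pax_report_fault` / `do_group_exit(SIGKILL)` sequence is repeated verbatim for the PAGEEXEC and SEGMEXEC cases (and once more in the fast path above), so a helper taking `regs` would keep the two branches down to their distinguishing condition. The unconditional `local_irq_enable()` on this path is fine given the comment, but it now happens before the existing user-mode SIGSEGV code below, so check that nothing there assumes interrupts are still in their entry state.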
10688 -@@ -495,7 +677,7 @@ bad_area_nosemaphore:
10689 - if (boot_cpu_data.f00f_bug) {
10690 - unsigned long nr;
10691 -
10692 -- nr = (address - idt_descr.address) >> 3;
10693 -+ nr = (address - (unsigned long)idt_descr.address) >> 3;
10694 -
10695 - if (nr == 6) {
10696 - do_invalid_op(regs, 0);
10697 -@@ -528,18 +710,34 @@ no_context:
10698 - __typeof__(pte_val(__pte(0))) page;
10699 -
10700 - #ifdef CONFIG_X86_PAE
10701 -- if (error_code & 16) {
10702 -- pte_t *pte = lookup_address(address);
10703 -+ if (nx_enabled && (error_code & 16)) {
10704 -+ pte = lookup_address(address);
10705 -
10706 - if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
10707 - printk(KERN_CRIT "kernel tried to execute "
10708 - "NX-protected page - exploit attempt? "
10709 -- "(uid: %d)\n", current->uid);
10710 -+ "(uid: %d, task: %s, pid: %d)\n",
10711 -+ tsk->uid, tsk->comm, task_pid_nr(tsk));
10712 - }
10713 - #endif
10714 - if (address < PAGE_SIZE)
10715 - printk(KERN_ALERT "BUG: unable to handle kernel NULL "
10716 - "pointer dereference");
10717 -+
10718 -+#ifdef CONFIG_PAX_KERNEXEC
10719 -+#ifdef CONFIG_MODULES
10720 -+ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
10721 -+#else
10722 -+ else if (init_mm.start_code <= address && address < init_mm.end_code)
10723 -+#endif
10724 -+ if (tsk->signal->curr_ip)
10725 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
10726 -+ NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
10727 -+ else
10728 -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
10729 -+ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
10730 -+#endif
10731 -+
10732 - else
10733 - printk(KERN_ALERT "BUG: unable to handle kernel paging"
10734 - " request");
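Review bot: the `if (address < PAGE_SIZE) ... else if (...) if (tsk->signal->curr_ip) ... else ... else printk(KERN_ALERT "BUG: unable to handle kernel paging" ...)` chain spans an `#ifdef CONFIG_PAX_KERNEXEC` block with no braces; the final `else` binds to the `else if` only because the inner `if (tsk->signal->curr_ip)` already consumed its own `else`, and a future edit inside the `#ifdef` will silently rebind it. Put braces around the `else if` body. Also note that the two new KERNEXEC `printk(KERN_ERR "PAX: ... attempted to modify kernel code", ...)` messages have no trailing newline; that is consistent with the neighbouring "BUG: ..." messages, which rely on the following `printk(" at virtual address ...")`, but they use `KERN_ERR` where the neighbours use `KERN_ALERT`, so pick one level for the whole oops banner.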
10735 -@@ -585,7 +783,7 @@ no_context:
10736 - tsk->thread.error_code = error_code;
10737 - die("Oops", regs, error_code);
10738 - bust_spinlocks(0);
10739 -- do_exit(SIGKILL);
10740 -+ do_group_exit(SIGKILL);
10741 -
10742 - /*
10743 - * We ran out of memory, or some other thing happened to us that made
10744 -@@ -657,3 +855,92 @@ void vmalloc_sync_all(void)
10745 - start = address + PGDIR_SIZE;
10746 - }
10747 - }
10748 -+
10749 -+#ifdef CONFIG_PAX_EMUTRAMP
10750 -+/*
10751 -+ * PaX: decide what to do with offenders (regs->eip = fault address)
10752 -+ *
10753 -+ * returns 1 when task should be killed
10754 -+ * 2 when gcc trampoline was detected
10755 -+ */
10756 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
10757 -+{
10758 -+ int err;
10759 -+
10760 -+ if (regs->eflags & X86_EFLAGS_VM)
10761 -+ return 1;
10762 -+
10763 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
10764 -+ return 1;
10765 -+
10766 -+ do { /* PaX: gcc trampoline emulation #1 */
10767 -+ unsigned char mov1, mov2;
10768 -+ unsigned short jmp;
10769 -+ unsigned long addr1, addr2;
10770 -+
10771 -+ err = get_user(mov1, (unsigned char __user *)regs->eip);
10772 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
10773 -+ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
10774 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
10775 -+ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
10776 -+
10777 -+ if (err)
10778 -+ break;
10779 -+
10780 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
10781 -+ regs->ecx = addr1;
10782 -+ regs->eax = addr2;
10783 -+ regs->eip = addr2;
10784 -+ return 2;
10785 -+ }
10786 -+ } while (0);
10787 -+
10788 -+ do { /* PaX: gcc trampoline emulation #2 */
10789 -+ unsigned char mov, jmp;
10790 -+ unsigned long addr1, addr2;
10791 -+
10792 -+ err = get_user(mov, (unsigned char __user *)regs->eip);
10793 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
10794 -+ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
10795 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
10796 -+
10797 -+ if (err)
10798 -+ break;
10799 -+
10800 -+ if (mov == 0xB9 && jmp == 0xE9) {
10801 -+ regs->ecx = addr1;
10802 -+ regs->eip += addr2 + 10;
10803 -+ return 2;
10804 -+ }
10805 -+ } while (0);
10806 -+
10807 -+ return 1; /* PaX in action */
10808 -+}
10809 -+#endif
10810 -+
10811 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
10812 -+void pax_report_insns(void *pc, void *sp)
10813 -+{
10814 -+ long i;
10815 -+
10816 -+ printk(KERN_ERR "PAX: bytes at PC: ");
10817 -+ for (i = 0; i < 20; i++) {
10818 -+ unsigned char c;
10819 -+ if (get_user(c, (unsigned char __user *)pc+i))
10820 -+ printk("?? ");
10821 -+ else
10822 -+ printk("%02x ", c);
10823 -+ }
10824 -+ printk("\n");
10825 -+
10826 -+ printk(KERN_ERR "PAX: bytes at SP-4: ");
10827 -+ for (i = -1; i < 20; i++) {
10828 -+ unsigned long c;
10829 -+ if (get_user(c, (unsigned long __user *)sp+i))
10830 -+ printk("???????? ");
10831 -+ else
10832 -+ printk("%08lx ", c);
10833 -+ }
10834 -+ printk("\n");
10835 -+}
10836 -+#endif
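Review bot: `pax_handle_fetch_fault()` matches raw opcode bytes without saying what they are; document the two gcc trampoline shapes next to the tests, i.e. `0xB9` = `movl $imm32,%ecx`, `0xB8` = `movl $imm32,%eax`, `0xE0FF` = little-endian `FF E0` = `jmp *%eax` for emulation #1 (12 bytes), and `0xB9` followed by `0xE9` = `jmp rel32` for emulation #2, where the `+ 10` in `regs->eip += addr2 + 10;` is the combined length of the two instructions the relative jump is measured from. In `pax_report_insns()`, `(unsigned long __user *)sp+i` with `i` starting at -1 is what makes the label "SP-4" true, so a comment there would help too, and both loops dump user memory into the kernel log, which is acceptable for a kill report but should be rate-limited if `pax_report_fault` is not already.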
10837 -diff -urNp linux-2.6.24.4/arch/x86/mm/fault_64.c linux-2.6.24.4/arch/x86/mm/fault_64.c
10838 ---- linux-2.6.24.4/arch/x86/mm/fault_64.c 2008-03-24 14:49:18.000000000 -0400
10839 -+++ linux-2.6.24.4/arch/x86/mm/fault_64.c 2008-03-26 18:53:27.000000000 -0400
10840 -@@ -26,6 +26,7 @@
10841 - #include <linux/uaccess.h>
10842 - #include <linux/kdebug.h>
10843 - #include <linux/kprobes.h>
10844 -+#include <linux/binfmts.h>
10845 -
10846 - #include <asm/system.h>
10847 - #include <asm/pgalloc.h>
10848 -@@ -285,6 +286,163 @@ static int vmalloc_fault(unsigned long a
10849 - return 0;
10850 - }
10851 -
10852 -+#ifdef CONFIG_PAX_EMUTRAMP
10853 -+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
10854 -+{
10855 -+ int err;
10856 -+
10857 -+ do { /* PaX: gcc trampoline emulation #1 */
10858 -+ unsigned char mov1, mov2;
10859 -+ unsigned short jmp;
10860 -+ unsigned int addr1, addr2;
10861 -+
10862 -+ if ((regs->rip + 11) >> 32)
10863 -+ break;
10864 -+
10865 -+ err = get_user(mov1, (unsigned char __user *)regs->rip);
10866 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
10867 -+ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
10868 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
10869 -+ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
10870 -+
10871 -+ if (err)
10872 -+ break;
10873 -+
10874 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
10875 -+ regs->rcx = addr1;
10876 -+ regs->rax = addr2;
10877 -+ regs->rip = addr2;
10878 -+ return 2;
10879 -+ }
10880 -+ } while (0);
10881 -+
10882 -+ do { /* PaX: gcc trampoline emulation #2 */
10883 -+ unsigned char mov, jmp;
10884 -+ unsigned int addr1, addr2;
10885 -+
10886 -+ if ((regs->rip + 9) >> 32)
10887 -+ break;
10888 -+
10889 -+ err = get_user(mov, (unsigned char __user *)regs->rip);
10890 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
10891 -+ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
10892 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
10893 -+
10894 -+ if (err)
10895 -+ break;
10896 -+
10897 -+ if (mov == 0xB9 && jmp == 0xE9) {
10898 -+ regs->rcx = addr1;
10899 -+ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
10900 -+ return 2;
10901 -+ }
10902 -+ } while (0);
10903 -+
10904 -+ return 1; /* PaX in action */
10905 -+}
10906 -+
10907 -+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
10908 -+{
10909 -+ int err;
10910 -+
10911 -+ do { /* PaX: gcc trampoline emulation #1 */
10912 -+ unsigned short mov1, mov2, jmp1;
10913 -+ unsigned char jmp2;
10914 -+ unsigned int addr1;
10915 -+ unsigned long addr2;
10916 -+
10917 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
10918 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
10919 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
10920 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
10921 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
10922 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
10923 -+
10924 -+ if (err)
10925 -+ break;
10926 -+
10927 -+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
10928 -+ regs->r11 = addr1;
10929 -+ regs->r10 = addr2;
10930 -+ regs->rip = addr1;
10931 -+ return 2;
10932 -+ }
10933 -+ } while (0);
10934 -+
10935 -+ do { /* PaX: gcc trampoline emulation #2 */
10936 -+ unsigned short mov1, mov2, jmp1;
10937 -+ unsigned char jmp2;
10938 -+ unsigned long addr1, addr2;
10939 -+
10940 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
10941 -+ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
10942 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
10943 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
10944 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
10945 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
10946 -+
10947 -+ if (err)
10948 -+ break;
10949 -+
10950 -+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
10951 -+ regs->r11 = addr1;
10952 -+ regs->r10 = addr2;
10953 -+ regs->rip = addr1;
10954 -+ return 2;
10955 -+ }
10956 -+ } while (0);
10957 -+
10958 -+ return 1; /* PaX in action */
10959 -+}
10960 -+
10961 -+/*
10962 -+ * PaX: decide what to do with offenders (regs->rip = fault address)
10963 -+ *
10964 -+ * returns 1 when task should be killed
10965 -+ * 2 when gcc trampoline was detected
10966 -+ */
10967 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
10968 -+{
10969 -+ if (regs->eflags & X86_EFLAGS_VM)
10970 -+ return 1;
10971 -+
10972 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
10973 -+ return 1;
10974 -+
10975 -+ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
10976 -+ return pax_handle_fetch_fault_32(regs);
10977 -+ else
10978 -+ return pax_handle_fetch_fault_64(regs);
10979 -+}
10980 -+#endif
10981 -+
10982 -+#ifdef CONFIG_PAX_PAGEEXEC
10983 -+void pax_report_insns(void *pc, void *sp)
10984 -+{
10985 -+ long i;
10986 -+
10987 -+ printk(KERN_ERR "PAX: bytes at PC: ");
10988 -+ for (i = 0; i < 20; i++) {
10989 -+ unsigned char c;
10990 -+ if (get_user(c, (unsigned char __user *)pc+i))
10991 -+ printk("?? ");
10992 -+ else
10993 -+ printk("%02x ", c);
10994 -+ }
10995 -+ printk("\n");
10996 -+
10997 -+ printk(KERN_ERR "PAX: bytes at SP-8: ");
10998 -+ for (i = -1; i < 10; i++) {
10999 -+ unsigned long c;
11000 -+ if (get_user(c, (unsigned long __user *)sp+i))
11001 -+ printk("???????????????? ");
11002 -+ else
11003 -+ printk("%016lx ", c);
11004 -+ }
11005 -+ printk("\n");
11006 -+}
11007 -+#endif
11008 -+
11009 - int show_unhandled_signals = 1;
11010 -
11011 - /*
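Review bot: the selector test `regs->cs == __USER32_CS || (regs->cs & (1<<2))` needs a comment, since `1<<2` is the table-indicator bit (an LDT selector) and the reader has to know that every LDT code segment is being treated as 32-bit to understand why such a task gets `pax_handle_fetch_fault_32`. The same goes for the opcode constants: `0xB9`/`0xB8`/`0xE0FF` in the first 32-bit block and `0xBB41`/`0xBA49`/`0xFF49`/`0xE3` in the 64-bit blocks are raw instruction bytes, and a one-line comment naming the instruction sequence each `do { } while (0)` block matches (and why the register writes that follow reproduce it) would make the matcher reviewable without a disassembler. Also note that only the 32-bit path bounds the read window with `(regs->rip + 11) >> 32` / `(regs->rip + 9) >> 32`; the 64-bit path relies entirely on `get_user()` failing, which is fine but worth stating in the comment so nobody "fixes" the asymmetry later.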
11012 -@@ -405,7 +563,7 @@ asmlinkage void __kprobes do_page_fault(
11013 - goto good_area;
11014 - if (!(vma->vm_flags & VM_GROWSDOWN))
11015 - goto bad_area;
11016 -- if (error_code & 4) {
11017 -+ if (error_code & PF_USER) {
11018 - /* Allow userspace just enough access below the stack pointer
11019 - * to let the 'enter' instruction work.
11020 - */
11021 -@@ -421,6 +579,8 @@ asmlinkage void __kprobes do_page_fault(
11022 - good_area:
11023 - info.si_code = SEGV_ACCERR;
11024 - write = 0;
11025 -+ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
11026 -+ goto bad_area;
11027 - switch (error_code & (PF_PROT|PF_WRITE)) {
11028 - default: /* 3: write, present */
11029 - /* fall through */
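Review bot: the new `if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC)) goto bad_area;` is the enforcement point for PAGEEXEC on this path and deserves a one-line comment saying so; it sits before the `switch (error_code & (PF_PROT|PF_WRITE))` that the surrounding code uses to classify faults, so a reader scanning the access-type switch will otherwise miss that instruction fetches from non-executable vmas are already rejected above it.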
11030 -@@ -472,6 +632,21 @@ bad_area_nosemaphore:
11031 - */
11032 - local_irq_enable();
11033 -
11034 -+#ifdef CONFIG_PAX_PAGEEXEC
11035 -+ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & PF_INSTR)) {
11036 -+
11037 -+#ifdef CONFIG_PAX_EMUTRAMP
11038 -+ switch (pax_handle_fetch_fault(regs)) {
11039 -+ case 2:
11040 -+ return;
11041 -+ }
11042 -+#endif
11043 -+
11044 -+ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
11045 -+ do_group_exit(SIGKILL);
11046 -+ }
11047 -+#endif
11048 -+
11049 - if (is_prefetch(regs, address, error_code))
11050 - return;
11051 -
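Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` is a single-case switch; `if (pax_handle_fetch_fault(regs) == 2) return;` says the same thing and matches the function's own comment ("2 when gcc trampoline was detected"). Separately, this block calls `pax_report_fault()`, which is not defined in this file (only `pax_report_insns()` is added above); please say in the changelog where it lives so the `(void*)regs->rip, (void*)regs->rsp` argument convention can be checked against its prototype, and use `(void *)` for consistency with the rest of the file.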
11052 -@@ -489,8 +664,8 @@ bad_area_nosemaphore:
11053 - printk_ratelimit()) {
11054 - printk(
11055 - "%s%s[%d]: segfault at %lx rip %lx rsp %lx error %lx\n",
11056 -- tsk->pid > 1 ? KERN_INFO : KERN_EMERG,
11057 -- tsk->comm, tsk->pid, address, regs->rip,
11058 -+ task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
11059 -+ tsk->comm, task_pid_nr(tsk), address, regs->rip,
11060 - regs->rsp, error_code);
11061 - }
11062 -
11063 -@@ -534,6 +709,9 @@ no_context:
11064 -
11065 - if (address < PAGE_SIZE)
11066 - printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
11067 -+ else if (error_code & PF_INSTR)
11068 -+ printk(KERN_ALERT "PAX: %s:%d, uid/euid: %u/%u, invalid execution attempt",
11069 -+ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
11070 - else
11071 - printk(KERN_ALERT "Unable to handle kernel paging request");
11072 - printk(" at %016lx RIP: \n" KERN_ALERT,address);
11073 -@@ -546,7 +724,7 @@ no_context:
11074 - /* Executive summary in case the body of the oops scrolled away */
11075 - printk(KERN_EMERG "CR2: %016lx\n", address);
11076 - oops_end(flags);
11077 -- do_exit(SIGKILL);
11078 -+ do_group_exit(SIGKILL);
11079 -
11080 - /*
11081 - * We ran out of memory, or some other thing happened to us that made
11082 -diff -urNp linux-2.6.24.4/arch/x86/mm/highmem_32.c linux-2.6.24.4/arch/x86/mm/highmem_32.c
11083 ---- linux-2.6.24.4/arch/x86/mm/highmem_32.c 2008-03-24 14:49:18.000000000 -0400
11084 -+++ linux-2.6.24.4/arch/x86/mm/highmem_32.c 2008-03-26 17:56:55.000000000 -0400
11085 -@@ -31,6 +31,10 @@ void *kmap_atomic_prot(struct page *page
11086 - enum fixed_addresses idx;
11087 - unsigned long vaddr;
11088 -
11089 -+#ifdef CONFIG_PAX_KERNEXEC
11090 -+ unsigned long cr0;
11091 -+#endif
11092 -+
11093 - /* even !CONFIG_PREEMPT needs this, for in_atomic in do_page_fault */
11094 - pagefault_disable();
11095 -
11096 -@@ -40,7 +44,17 @@ void *kmap_atomic_prot(struct page *page
11097 - idx = type + KM_TYPE_NR*smp_processor_id();
11098 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
11099 - BUG_ON(!pte_none(*(kmap_pte-idx)));
11100 -+
11101 -+#ifdef CONFIG_PAX_KERNEXEC
11102 -+ pax_open_kernel(cr0);
11103 -+#endif
11104 -+
11105 - set_pte(kmap_pte-idx, mk_pte(page, prot));
11106 -+
11107 -+#ifdef CONFIG_PAX_KERNEXEC
11108 -+ pax_close_kernel(cr0);
11109 -+#endif
11110 -+
11111 - arch_flush_lazy_mmu_mode();
11112 -
11113 - return (void *)vaddr;
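Review bot: the `#ifdef CONFIG_PAX_KERNEXEC` / `pax_open_kernel(cr0)` / `set_pte()` / `pax_close_kernel(cr0)` / `#endif` sequence, with a matching `unsigned long cr0;` declaration, is repeated here and again in `kunmap_atomic()` and `kmap_atomic_pfn()` below; a small static inline that wraps the `set_pte()` (and the `kpte_clear_flush()`) would remove six `#ifdef` blocks from this file and keep the open/close pairing in one place. The window here is correctly minimal (only the `set_pte()` is inside it) and `pagefault_disable()` has already run at the top of the function, so the per-CPU `cr0` state cannot migrate; a comment noting that ordering dependency would help anyone who later reorders the function.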
11114 -@@ -56,15 +70,29 @@ void kunmap_atomic(void *kvaddr, enum km
11115 - unsigned long vaddr = (unsigned long) kvaddr & PAGE_MASK;
11116 - enum fixed_addresses idx = type + KM_TYPE_NR*smp_processor_id();
11117 -
11118 -+#ifdef CONFIG_PAX_KERNEXEC
11119 -+ unsigned long cr0;
11120 -+#endif
11121 -+
11122 - /*
11123 - * Force other mappings to Oops if they'll try to access this pte
11124 - * without first remap it. Keeping stale mappings around is a bad idea
11125 - * also, in case the page changes cacheability attributes or becomes
11126 - * a protected page in a hypervisor.
11127 - */
11128 -- if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx))
11129 -+ if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx)) {
11130 -+
11131 -+#ifdef CONFIG_PAX_KERNEXEC
11132 -+ pax_open_kernel(cr0);
11133 -+#endif
11134 -+
11135 - kpte_clear_flush(kmap_pte-idx, vaddr);
11136 -- else {
11137 -+
11138 -+#ifdef CONFIG_PAX_KERNEXEC
11139 -+ pax_close_kernel(cr0);
11140 -+#endif
11141 -+
11142 -+ } else {
11143 - #ifdef CONFIG_DEBUG_HIGHMEM
11144 - BUG_ON(vaddr < PAGE_OFFSET);
11145 - BUG_ON(vaddr >= (unsigned long)high_memory);
11146 -@@ -83,11 +111,25 @@ void *kmap_atomic_pfn(unsigned long pfn,
11147 - enum fixed_addresses idx;
11148 - unsigned long vaddr;
11149 -
11150 -+#ifdef CONFIG_PAX_KERNEXEC
11151 -+ unsigned long cr0;
11152 -+#endif
11153 -+
11154 - pagefault_disable();
11155 -
11156 - idx = type + KM_TYPE_NR*smp_processor_id();
11157 - vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
11158 -+
11159 -+#ifdef CONFIG_PAX_KERNEXEC
11160 -+ pax_open_kernel(cr0);
11161 -+#endif
11162 -+
11163 - set_pte(kmap_pte-idx, pfn_pte(pfn, kmap_prot));
11164 -+
11165 -+#ifdef CONFIG_PAX_KERNEXEC
11166 -+ pax_close_kernel(cr0);
11167 -+#endif
11168 -+
11169 - arch_flush_lazy_mmu_mode();
11170 -
11171 - return (void*) vaddr;
11172 -diff -urNp linux-2.6.24.4/arch/x86/mm/hugetlbpage.c linux-2.6.24.4/arch/x86/mm/hugetlbpage.c
11173 ---- linux-2.6.24.4/arch/x86/mm/hugetlbpage.c 2008-03-24 14:49:18.000000000 -0400
11174 -+++ linux-2.6.24.4/arch/x86/mm/hugetlbpage.c 2008-03-26 17:56:55.000000000 -0400
11175 -@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
11176 - {
11177 - struct mm_struct *mm = current->mm;
11178 - struct vm_area_struct *vma;
11179 -- unsigned long start_addr;
11180 -+ unsigned long start_addr, task_size = TASK_SIZE;
11181 -+
11182 -+#ifdef CONFIG_PAX_SEGMEXEC
11183 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11184 -+ task_size = SEGMEXEC_TASK_SIZE;
11185 -+#endif
11186 -
11187 - if (len > mm->cached_hole_size) {
11188 -- start_addr = mm->free_area_cache;
11189 -+ start_addr = mm->free_area_cache;
11190 - } else {
11191 -- start_addr = TASK_UNMAPPED_BASE;
11192 -- mm->cached_hole_size = 0;
11193 -+ start_addr = mm->mmap_base;
11194 -+ mm->cached_hole_size = 0;
11195 - }
11196 -
11197 - full_search:
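Review bot: the `-`/`+` pairs for `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are textually identical, so they are whitespace-only churn; please drop them so the hunk shows only the real change (initialising `start_addr` from `mm->mmap_base` instead of `TASK_UNMAPPED_BASE`, and the SEGMEXEC `task_size` override).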
11198 -@@ -243,13 +248,13 @@ full_search:
11199 -
11200 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
11201 - /* At this point: (!vma || addr < vma->vm_end). */
11202 -- if (TASK_SIZE - len < addr) {
11203 -+ if (task_size - len < addr) {
11204 - /*
11205 - * Start a new search - just in case we missed
11206 - * some holes.
11207 - */
11208 -- if (start_addr != TASK_UNMAPPED_BASE) {
11209 -- start_addr = TASK_UNMAPPED_BASE;
11210 -+ if (start_addr != mm->mmap_base) {
11211 -+ start_addr = mm->mmap_base;
11212 - mm->cached_hole_size = 0;
11213 - goto full_search;
11214 - }
11215 -@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
11216 - {
11217 - struct mm_struct *mm = current->mm;
11218 - struct vm_area_struct *vma, *prev_vma;
11219 -- unsigned long base = mm->mmap_base, addr = addr0;
11220 -+ unsigned long base = mm->mmap_base, addr;
11221 - unsigned long largest_hole = mm->cached_hole_size;
11222 -- int first_time = 1;
11223 -
11224 - /* don't allow allocations above current base */
11225 - if (mm->free_area_cache > base)
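Review bot: changing `unsigned long base = mm->mmap_base, addr = addr0;` to `unsigned long base = mm->mmap_base, addr;` leaves `addr` uninitialised, and the only assignment visible in this patch is the bottom-up fallback (`addr = hugetlb_get_unmapped_area_bottomup(...)` in the `fail:` hunk). Please confirm that every path to the function's `return addr` assigns it first, or keep the initialisation; the compiler will not necessarily warn about it through the `goto` labels.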
11226 -@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
11227 - largest_hole = 0;
11228 - mm->free_area_cache = base;
11229 - }
11230 --try_again:
11231 -+
11232 - /* make sure it can fit in the remaining address space */
11233 - if (mm->free_area_cache < len)
11234 - goto fail;
11235 -@@ -325,22 +329,26 @@ try_again:
11236 -
11237 - fail:
11238 - /*
11239 -- * if hint left us with no space for the requested
11240 -- * mapping then try again:
11241 -- */
11242 -- if (first_time) {
11243 -- mm->free_area_cache = base;
11244 -- largest_hole = 0;
11245 -- first_time = 0;
11246 -- goto try_again;
11247 -- }
11248 -- /*
11249 - * A failed mmap() very likely causes application failure,
11250 - * so fall back to the bottom-up function here. This scenario
11251 - * can happen with large stack limits and large mmap()
11252 - * allocations.
11253 - */
11254 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
11255 -+
11256 -+#ifdef CONFIG_PAX_SEGMEXEC
11257 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11258 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
11259 -+ else
11260 -+#endif
11261 -+
11262 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
11263 -+
11264 -+#ifdef CONFIG_PAX_RANDMMAP
11265 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11266 -+ mm->mmap_base += mm->delta_mmap;
11267 -+#endif
11268 -+
11269 -+ mm->free_area_cache = mm->mmap_base;
11270 - mm->cached_hole_size = ~0UL;
11271 - addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
11272 - len, pgoff, flags);
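Review bot: the `#ifdef CONFIG_PAX_SEGMEXEC ... else #endif mm->mmap_base = TASK_UNMAPPED_BASE;` construct is an `else` whose `if` disappears when the option is off; it compiles either way, but it is fragile (a later line inserted between `#endif` and the assignment silently changes the non-SEGMEXEC case), so a local `unsigned long unmapped_base` set under the `#ifdef` and assigned once is clearer. Two behaviour changes in this hunk are also not mentioned in the changelog: the `first_time`/`try_again` retry from `base` is removed outright, and `mm->mmap_base` is now rewritten in place before the bottom-up fallback (and only restored by the `mm->mmap_base = base;` added in the next hunk), so any concurrent reader of `mm->mmap_base` sees the temporary value.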
11273 -@@ -348,6 +356,7 @@ fail:
11274 - /*
11275 - * Restore the topdown base:
11276 - */
11277 -+ mm->mmap_base = base;
11278 - mm->free_area_cache = base;
11279 - mm->cached_hole_size = ~0UL;
11280 -
11281 -@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
11282 - {
11283 - struct mm_struct *mm = current->mm;
11284 - struct vm_area_struct *vma;
11285 -+ unsigned long task_size = TASK_SIZE;
11286 -
11287 - if (len & ~HPAGE_MASK)
11288 - return -EINVAL;
11289 -- if (len > TASK_SIZE)
11290 -+
11291 -+#ifdef CONFIG_PAX_SEGMEXEC
11292 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11293 -+ task_size = SEGMEXEC_TASK_SIZE;
11294 -+#endif
11295 -+
11296 -+ if (len > task_size)
11297 - return -ENOMEM;
11298 -
11299 - if (flags & MAP_FIXED) {
11300 -@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
11301 - if (addr) {
11302 - addr = ALIGN(addr, HPAGE_SIZE);
11303 - vma = find_vma(mm, addr);
11304 -- if (TASK_SIZE - len >= addr &&
11305 -+ if (task_size - len >= addr &&
11306 - (!vma || addr + len <= vma->vm_start))
11307 - return addr;
11308 - }
11309 -diff -urNp linux-2.6.24.4/arch/x86/mm/init_32.c linux-2.6.24.4/arch/x86/mm/init_32.c
11310 ---- linux-2.6.24.4/arch/x86/mm/init_32.c 2008-03-24 14:49:18.000000000 -0400
11311 -+++ linux-2.6.24.4/arch/x86/mm/init_32.c 2008-03-26 17:56:55.000000000 -0400
11312 -@@ -44,6 +44,7 @@
11313 - #include <asm/tlbflush.h>
11314 - #include <asm/sections.h>
11315 - #include <asm/paravirt.h>
11316 -+#include <asm/desc.h>
11317 -
11318 - unsigned int __VMALLOC_RESERVE = 128 << 20;
11319 -
11320 -@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
11321 - static int noinline do_test_wp_bit(void);
11322 -
11323 - /*
11324 -- * Creates a middle page table and puts a pointer to it in the
11325 -- * given global directory entry. This only returns the gd entry
11326 -- * in non-PAE compilation mode, since the middle layer is folded.
11327 -- */
11328 --static pmd_t * __init one_md_table_init(pgd_t *pgd)
11329 --{
11330 -- pud_t *pud;
11331 -- pmd_t *pmd_table;
11332 --
11333 --#ifdef CONFIG_X86_PAE
11334 -- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
11335 -- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
11336 --
11337 -- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
11338 -- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
11339 -- pud = pud_offset(pgd, 0);
11340 -- if (pmd_table != pmd_offset(pud, 0))
11341 -- BUG();
11342 -- }
11343 --#endif
11344 -- pud = pud_offset(pgd, 0);
11345 -- pmd_table = pmd_offset(pud, 0);
11346 -- return pmd_table;
11347 --}
11348 --
11349 --/*
11350 - * Create a page table and place a pointer to it in a middle page
11351 - * directory entry.
11352 - */
11353 -@@ -95,7 +70,11 @@ static pte_t * __init one_page_table_ini
11354 - (pte_t *)alloc_bootmem_low_pages(PAGE_SIZE);
11355 -
11356 - paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
11357 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
11358 -+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
11359 -+#else
11360 - set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
11361 -+#endif
11362 - BUG_ON(page_table != pte_offset_kernel(pmd, 0));
11363 - }
11364 -
11365 -@@ -116,6 +95,7 @@ static pte_t * __init one_page_table_ini
11366 - static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
11367 - {
11368 - pgd_t *pgd;
11369 -+ pud_t *pud;
11370 - pmd_t *pmd;
11371 - int pgd_idx, pmd_idx;
11372 - unsigned long vaddr;
11373 -@@ -126,8 +106,13 @@ static void __init page_table_range_init
11374 - pgd = pgd_base + pgd_idx;
11375 -
11376 - for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
11377 -- pmd = one_md_table_init(pgd);
11378 -- pmd = pmd + pmd_index(vaddr);
11379 -+ pud = pud_offset(pgd, vaddr);
11380 -+ pmd = pmd_offset(pud, vaddr);
11381 -+
11382 -+#ifdef CONFIG_X86_PAE
11383 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
11384 -+#endif
11385 -+
11386 - for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
11387 - one_page_table_init(pmd);
11388 -
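Review bot: with `one_md_table_init()` gone, `paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT)` is now issued on every pass through the `pgd` loop, whereas the removed helper only issued it when it actually allocated a new `pmd` table (`if (!(pgd_val(*pgd) & _PAGE_PRESENT))`). If the `pmd` tables are now statically allocated, say so in a comment here and explain why repeated `paravirt_alloc_pd` notifications for the same page are acceptable to the paravirt backends.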
11389 -@@ -137,11 +122,23 @@ static void __init page_table_range_init
11390 - }
11391 - }
11392 -
11393 --static inline int is_kernel_text(unsigned long addr)
11394 -+static inline int is_kernel_text(unsigned long start, unsigned long end)
11395 - {
11396 -- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
11397 -- return 1;
11398 -- return 0;
11399 -+ unsigned long etext;
11400 -+
11401 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
11402 -+ etext = ktva_ktla((unsigned long)&MODULES_END);
11403 -+#else
11404 -+ etext = (unsigned long)&_etext;
11405 -+#endif
11406 -+
11407 -+ if ((start > ktla_ktva(etext) ||
11408 -+ end <= ktla_ktva((unsigned long)_stext)) &&
11409 -+ (start > ktla_ktva((unsigned long)_einittext) ||
11410 -+ end <= ktla_ktva((unsigned long)_sinittext)) &&
11411 -+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
11412 -+ return 0;
11413 -+ return 1;
11414 - }
11415 -
11416 - /*
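Review bot: the new `is_kernel_text(start, end)` mixes range conventions. The third test uses an inclusive end (`start > __va(0xfffff)`), which is right for 0xc0000..0xfffff, but the first two compare `start > ktla_ktva(etext)` and `start > ktla_ktva(_einittext)`, and if `_etext`/`_einittext` are end-exclusive as in the mainline linker script the non-overlap condition is `start >= ...`; as written, a range beginning exactly at the end of text is still reported as text, which errs on the side of one extra executable page or PMD. The raw `0xc0000`/`0xfffff` bounds should be named (or at least commented as the legacy BIOS/video area), and `etext = ktva_ktla((unsigned long)&MODULES_END)` followed by `ktla_ktva(etext)` is a round trip that could simply compare against `MODULES_END` directly.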
11417 -@@ -153,25 +150,29 @@ static void __init kernel_physical_mappi
11418 - {
11419 - unsigned long pfn;
11420 - pgd_t *pgd;
11421 -+ pud_t *pud;
11422 - pmd_t *pmd;
11423 - pte_t *pte;
11424 -- int pgd_idx, pmd_idx, pte_ofs;
11425 -+ unsigned int pgd_idx, pmd_idx, pte_ofs;
11426 -
11427 - pgd_idx = pgd_index(PAGE_OFFSET);
11428 - pgd = pgd_base + pgd_idx;
11429 - pfn = 0;
11430 -
11431 -- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
11432 -- pmd = one_md_table_init(pgd);
11433 -- if (pfn >= max_low_pfn)
11434 -- continue;
11435 -+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
11436 -+ pud = pud_offset(pgd, 0);
11437 -+ pmd = pmd_offset(pud, 0);
11438 -+
11439 -+#ifdef CONFIG_X86_PAE
11440 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
11441 -+#endif
11442 -+
11443 - for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
11444 -- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
11445 -+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
11446 -
11447 - /* Map with big pages if possible, otherwise create normal page tables. */
11448 -- if (cpu_has_pse) {
11449 -- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
11450 -- if (is_kernel_text(address) || is_kernel_text(address2))
11451 -+ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
11452 -+ if (is_kernel_text(address, address + PMD_SIZE))
11453 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
11454 - else
11455 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
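Review bot: the added `address >= (unsigned long)__va(0x100000)` condition means the first megabyte is never mapped with a large page even when `cpu_has_pse`, which is what lets the 0xc0000..0xfffff window in `is_kernel_text()` take effect at 4K granularity; that intent should be a comment next to the constant rather than something the reader has to reconstruct from two hunks. Merging `pfn < max_low_pfn` into the outer `for` condition in place of the removed `continue` is fine, but it does change the loop from "visit every pgd slot" to "stop at the first pgd past low memory", which is worth a sentence in the changelog.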
11456 -@@ -183,7 +184,7 @@ static void __init kernel_physical_mappi
11457 - for (pte_ofs = 0;
11458 - pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
11459 - pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
11460 -- if (is_kernel_text(address))
11461 -+ if (is_kernel_text(address, address + PAGE_SIZE))
11462 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
11463 - else
11464 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
11465 -@@ -338,9 +339,9 @@ static void __init set_highmem_pages_ini
11466 - #define set_highmem_pages_init(bad_ppro) do { } while (0)
11467 - #endif /* CONFIG_HIGHMEM */
11468 -
11469 --unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
11470 -+unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
11471 - EXPORT_SYMBOL(__PAGE_KERNEL);
11472 --unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
11473 -+unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
11474 -
11475 - #ifdef CONFIG_NUMA
11476 - extern void __init remap_numa_kva(void);
11477 -@@ -351,26 +352,10 @@ extern void __init remap_numa_kva(void);
11478 - void __init native_pagetable_setup_start(pgd_t *base)
11479 - {
11480 - #ifdef CONFIG_X86_PAE
11481 -- int i;
11482 --
11483 -- /*
11484 -- * Init entries of the first-level page table to the
11485 -- * zero page, if they haven't already been set up.
11486 -- *
11487 -- * In a normal native boot, we'll be running on a
11488 -- * pagetable rooted in swapper_pg_dir, but not in PAE
11489 -- * mode, so this will end up clobbering the mappings
11490 -- * for the lower 24Mbytes of the address space,
11491 -- * without affecting the kernel address space.
11492 -- */
11493 -- for (i = 0; i < USER_PTRS_PER_PGD; i++)
11494 -- set_pgd(&base[i],
11495 -- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
11496 -+ unsigned int i;
11497 -
11498 -- /* Make sure kernel address space is empty so that a pagetable
11499 -- will be allocated for it. */
11500 -- memset(&base[USER_PTRS_PER_PGD], 0,
11501 -- KERNEL_PGD_PTRS * sizeof(pgd_t));
11502 -+ for (i = 0; i < PTRS_PER_PGD; i++)
11503 -+ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
11504 - #else
11505 - paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
11506 - #endif
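Review bot: this hunk replaces the zero-page initialisation and the `memset()` of the kernel half of `base` with a loop over `swapper_pm_dir`, but `swapper_pm_dir` is declared nowhere in the visible patch and the long comment explaining why the old code existed is removed without a replacement. Please add the declaration's location to the changelog and a short comment here stating that the PAE middle directories are now static and only need the `paravirt_alloc_pd` notification.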
11507 -@@ -378,16 +363,6 @@ void __init native_pagetable_setup_start
11508 -
11509 - void __init native_pagetable_setup_done(pgd_t *base)
11510 - {
11511 --#ifdef CONFIG_X86_PAE
11512 -- /*
11513 -- * Add low memory identity-mappings - SMP needs it when
11514 -- * starting up on an AP from real-mode. In the non-PAE
11515 -- * case we already have these mappings through head.S.
11516 -- * All user-space mappings are explicitly cleared after
11517 -- * SMP startup.
11518 -- */
11519 -- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
11520 --#endif
11521 - }
11522 -
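Review bot: the removed block in `native_pagetable_setup_done()` carried an explicit rationale ("SMP needs it when starting up on an AP from real-mode"), and the hunk drops the identity mapping without saying how AP bring-up is satisfied instead. A one-line comment in the now-empty function, or a changelog sentence pointing at the code that provides the low identity mapping under PAE, would stop this from looking like an accidental regression.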
11523 - /*
11524 -@@ -449,12 +424,12 @@ static void __init pagetable_init (void)
11525 - * Swap suspend & friends need this for resume because things like the intel-agp
11526 - * driver might have split up a kernel 4MB mapping.
11527 - */
11528 --char __nosavedata swsusp_pg_dir[PAGE_SIZE]
11529 -+pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
11530 - __attribute__ ((aligned (PAGE_SIZE)));
11531 -
11532 - static inline void save_pg_dir(void)
11533 - {
11534 -- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
11535 -+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
11536 - }
11537 - #else
11538 - static inline void save_pg_dir(void)
11539 -@@ -483,12 +458,11 @@ void zap_low_mappings (void)
11540 - flush_tlb_all();
11541 - }
11542 -
11543 --int nx_enabled = 0;
11544 -+int nx_enabled;
11545 -
11546 - #ifdef CONFIG_X86_PAE
11547 -
11548 --static int disable_nx __initdata = 0;
11549 --u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
11550 -+u64 __supported_pte_mask __read_only = ~_PAGE_NX;
11551 - EXPORT_SYMBOL_GPL(__supported_pte_mask);
11552 -
11553 - /*
11554 -@@ -499,36 +473,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
11555 - * on Enable
11556 - * off Disable
11557 - */
11558 -+#if !defined(CONFIG_PAX_PAGEEXEC)
11559 - static int __init noexec_setup(char *str)
11560 - {
11561 - if (!str || !strcmp(str, "on")) {
11562 -- if (cpu_has_nx) {
11563 -- __supported_pte_mask |= _PAGE_NX;
11564 -- disable_nx = 0;
11565 -- }
11566 -+ if (cpu_has_nx)
11567 -+ nx_enabled = 1;
11568 - } else if (!strcmp(str,"off")) {
11569 -- disable_nx = 1;
11570 -- __supported_pte_mask &= ~_PAGE_NX;
11571 -+ nx_enabled = 0;
11572 - } else
11573 - return -EINVAL;
11574 -
11575 - return 0;
11576 - }
11577 - early_param("noexec", noexec_setup);
11578 -+#endif
11579 -
11580 - static void __init set_nx(void)
11581 - {
11582 -- unsigned int v[4], l, h;
11583 -+ if (!nx_enabled && cpu_has_nx) {
11584 -+ unsigned l, h;
11585 -
11586 -- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
11587 -- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
11588 -- if ((v[3] & (1 << 20)) && !disable_nx) {
11589 -- rdmsr(MSR_EFER, l, h);
11590 -- l |= EFER_NX;
11591 -- wrmsr(MSR_EFER, l, h);
11592 -- nx_enabled = 1;
11593 -- __supported_pte_mask |= _PAGE_NX;
11594 -- }
11595 -+ __supported_pte_mask &= ~_PAGE_NX;
11596 -+ rdmsr(MSR_EFER, l, h);
11597 -+ l &= ~EFER_NX;
11598 -+ wrmsr(MSR_EFER, l, h);
11599 - }
11600 - }
11601 -
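Review bot: three things here need an answer in the changelog. First, `noexec_setup()` is compiled out under `CONFIG_PAX_PAGEEXEC`, so `noexec=on`/`noexec=off` is silently ignored on such kernels; document that. Second, `nx_enabled` is now zero-initialised (`int nx_enabled;` earlier in this file) and nothing in the visible patch sets it to 1, yet the new `set_nx()` clears `EFER_NX` and `_PAGE_NX` whenever `!nx_enabled && cpu_has_nx`; unless early boot code elsewhere in the patch sets `nx_enabled`, this disables NX on every NX-capable CPU. Third, `__supported_pte_mask` was marked `__read_only` in the previous hunk but is written here (`__supported_pte_mask &= ~_PAGE_NX;`) without `pax_open_kernel()`; this is only safe if `__read_only` data is not yet write-protected when `set_nx()` runs, so please state that ordering assumption in a comment.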
11602 -@@ -581,14 +550,6 @@ void __init paging_init(void)
11603 -
11604 - load_cr3(swapper_pg_dir);
11605 -
11606 --#ifdef CONFIG_X86_PAE
11607 -- /*
11608 -- * We will bail out later - printk doesn't work right now so
11609 -- * the user would just see a hanging kernel.
11610 -- */
11611 -- if (cpu_has_pae)
11612 -- set_in_cr4(X86_CR4_PAE);
11613 --#endif
11614 - __flush_tlb_all();
11615 -
11616 - kmap_init();
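Review bot: removing `set_in_cr4(X86_CR4_PAE)` from `paging_init()` means CR4.PAE must already be set before the `load_cr3(swapper_pg_dir)` just above it, which is earlier than the mainline code required; the hunk does not say where that now happens. Please reference the early-boot change in the changelog so the dependency is visible to anyone bisecting a PAE boot failure.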
11617 -@@ -659,7 +620,7 @@ void __init mem_init(void)
11618 - set_highmem_pages_init(bad_ppro);
11619 -
11620 - codesize = (unsigned long) &_etext - (unsigned long) &_text;
11621 -- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
11622 -+ datasize = (unsigned long) &_edata - (unsigned long) &_data;
11623 - initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
11624 -
11625 - kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
11626 -@@ -704,10 +665,10 @@ void __init mem_init(void)
11627 - (unsigned long)&__init_begin, (unsigned long)&__init_end,
11628 - ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
11629 -
11630 -- (unsigned long)&_etext, (unsigned long)&_edata,
11631 -- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
11632 -+ (unsigned long)&_data, (unsigned long)&_edata,
11633 -+ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
11634 -
11635 -- (unsigned long)&_text, (unsigned long)&_etext,
11636 -+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
11637 - ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
11638 -
11639 - #ifdef CONFIG_HIGHMEM
11640 -@@ -718,10 +679,6 @@ void __init mem_init(void)
11641 - BUG_ON((unsigned long)high_memory > VMALLOC_START);
11642 - #endif /* double-sanity-check paranoia */
11643 -
11644 --#ifdef CONFIG_X86_PAE
11645 -- if (!cpu_has_pae)
11646 -- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
11647 --#endif
11648 - if (boot_cpu_data.wp_works_ok < 0)
11649 - test_wp_bit();
11650 -
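Review bot: the `panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!")` check is deleted here, and together with the earlier removal of `set_in_cr4(X86_CR4_PAE)` there is no visible check left for a PAE kernel on a non-PAE CPU. If the check moved to early boot, say so; if it was dropped, the failure mode becomes a silent hang or triple fault rather than a message.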
11651 -@@ -839,6 +796,46 @@ void free_init_pages(char *what, unsigne
11652 -
11653 - void free_initmem(void)
11654 - {
11655 -+
11656 -+#ifdef CONFIG_PAX_KERNEXEC
11657 -+ /* PaX: limit KERNEL_CS to actual size */
11658 -+ unsigned long addr, limit;
11659 -+ __u32 a, b;
11660 -+ int cpu;
11661 -+ pgd_t *pgd;
11662 -+ pud_t *pud;
11663 -+ pmd_t *pmd;
11664 -+
11665 -+#ifdef CONFIG_MODULES
11666 -+ limit = ktva_ktla((unsigned long)&MODULES_END);
11667 -+#else
11668 -+ limit = (unsigned long)&_etext;
11669 -+#endif
11670 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
11671 -+
11672 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
11673 -+ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
11674 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
11675 -+ }
11676 -+
11677 -+ /* PaX: make KERNEL_CS read-only */
11678 -+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE) {
11679 -+ pgd = pgd_offset_k(addr);
11680 -+ pud = pud_offset(pgd, addr);
11681 -+ pmd = pmd_offset(pud, addr);
11682 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11683 -+ }
11684 -+#ifdef CONFIG_X86_PAE
11685 -+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
11686 -+ pgd = pgd_offset_k(addr);
11687 -+ pud = pud_offset(pgd, addr);
11688 -+ pmd = pmd_offset(pud, addr);
11689 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11690 -+ }
11691 -+#endif
11692 -+ flush_tlb_all();
11693 -+#endif
11694 -+
11695 - free_init_pages("unused kernel memory",
11696 - (unsigned long)(&__init_begin),
11697 - (unsigned long)(&__init_end));
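Review bot: `for (cpu = 0; cpu < NR_CPUS; cpu++)` rewrites `GDT_ENTRY_KERNEL_CS` via `get_cpu_gdt_table(cpu)` for every index up to `NR_CPUS`, including CPUs that are not possible; unless per-CPU GDT storage is guaranteed for all of them, `for_each_possible_cpu(cpu)` is the right iterator. The descriptor arguments `0x9B, 0xC` are magic (type/present/DPL and granularity/size bits) and should be commented. The read-only loop steps `addr` by `PMD_SIZE` from `ktla_ktva(&_text)` to `&_data` and clears `_PAGE_RW` on whole PMD entries, so it silently assumes `_data` is PMD-aligned; if it is not, the last PMD of text also covers the start of `.data`, which becomes read-only. Please state that alignment requirement (it belongs to the linker script, which is not in this hunk).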
11698 -diff -urNp linux-2.6.24.4/arch/x86/mm/init_64.c linux-2.6.24.4/arch/x86/mm/init_64.c
11699 ---- linux-2.6.24.4/arch/x86/mm/init_64.c 2008-03-24 14:49:18.000000000 -0400
11700 -+++ linux-2.6.24.4/arch/x86/mm/init_64.c 2008-03-26 17:56:55.000000000 -0400
11701 -@@ -45,7 +45,7 @@
11702 - #include <asm/sections.h>
11703 -
11704 - #ifndef Dprintk
11705 --#define Dprintk(x...)
11706 -+#define Dprintk(x...) do {} while (0)
11707 - #endif
11708 -
11709 - const struct dma_mapping_ops* dma_ops;
11710 -@@ -121,6 +121,10 @@ static __init void set_pte_phys(unsigned
11711 - pmd_t *pmd;
11712 - pte_t *pte, new_pte;
11713 -
11714 -+#ifdef CONFIG_PAX_KERNEXEC
11715 -+ unsigned long cr0;
11716 -+#endif
11717 -+
11718 - Dprintk("set_pte_phys %lx to %lx\n", vaddr, phys);
11719 -
11720 - pgd = pgd_offset_k(vaddr);
11721 -@@ -131,7 +135,7 @@ static __init void set_pte_phys(unsigned
11722 - pud = pud_offset(pgd, vaddr);
11723 - if (pud_none(*pud)) {
11724 - pmd = (pmd_t *) spp_getpage();
11725 -- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE | _PAGE_USER));
11726 -+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
11727 - if (pmd != pmd_offset(pud, 0)) {
11728 - printk("PAGETABLE BUG #01! %p <-> %p\n", pmd, pmd_offset(pud,0));
11729 - return;
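Review bot: if `_PAGE_TABLE` is defined as `_KERNPG_TABLE | _PAGE_USER`, as it is in the mainline x86 headers, then replacing `_KERNPG_TABLE | _PAGE_USER` with `_PAGE_TABLE` here (and for the `set_pmd()` in the next hunk) is a behaviour-neutral cleanup; either say so in the changelog or move it out of the hardening patch so the security-relevant changes stand out.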
11730 -@@ -140,7 +144,7 @@ static __init void set_pte_phys(unsigned
11731 - pmd = pmd_offset(pud, vaddr);
11732 - if (pmd_none(*pmd)) {
11733 - pte = (pte_t *) spp_getpage();
11734 -- set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE | _PAGE_USER));
11735 -+ set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
11736 - if (pte != pte_offset_kernel(pmd, 0)) {
11737 - printk("PAGETABLE BUG #02!\n");
11738 - return;
11739 -@@ -152,8 +156,17 @@ static __init void set_pte_phys(unsigned
11740 - if (!pte_none(*pte) &&
11741 - pte_val(*pte) != (pte_val(new_pte) & __supported_pte_mask))
11742 - pte_ERROR(*pte);
11743 -+
11744 -+#ifdef CONFIG_PAX_KERNEXEC
11745 -+ pax_open_kernel(cr0);
11746 -+#endif
11747 -+
11748 - set_pte(pte, new_pte);
11749 -
11750 -+#ifdef CONFIG_PAX_KERNEXEC
11751 -+ pax_close_kernel(cr0);
11752 -+#endif
11753 -+
11754 - /*
11755 - * It's enough to flush this one mapping.
11756 - * (PGE mappings get flushed as well)
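Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window covers only the final `set_pte(pte, new_pte)`, while the `set_pud()` and `set_pmd()` writes earlier in the same function (the two hunks above) are outside it. That is consistent only if the upper-level tables are still writable when `set_pte_phys()` runs but the leaf page table may already be protected; a comment stating that assumption would make the asymmetry deliberate rather than an oversight.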
11757 -@@ -225,7 +238,7 @@ __meminit void *early_ioremap(unsigned l
11758 - addr &= PMD_MASK;
11759 - for (i = 0; i < pmds; i++, addr += PMD_SIZE)
11760 - set_pmd(pmd + i,__pmd(addr | _KERNPG_TABLE | _PAGE_PSE));
11761 -- __flush_tlb();
11762 -+ __flush_tlb_all();
11763 - return (void *)vaddr;
11764 - next:
11765 - ;
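Review bot: changing `__flush_tlb()` to `__flush_tlb_all()` here (and in `early_iounmap()` and `phys_pud_init()` below) is not guarded by any `CONFIG_PAX_*` option and the changelog gives no reason. `__flush_tlb_all()` also drops global entries, which is needed only if `_PAGE_GLOBAL` mappings are involved; please explain which mapping made the stronger flush necessary, or split this into its own patch.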
11766 -@@ -246,7 +259,7 @@ __meminit void early_iounmap(void *addr,
11767 - pmd = level2_kernel_pgt + pmd_index(vaddr);
11768 - for (i = 0; i < pmds; i++)
11769 - pmd_clear(pmd + i);
11770 -- __flush_tlb();
11771 -+ __flush_tlb_all();
11772 - }
11773 -
11774 - static void __meminit
11775 -@@ -314,7 +327,7 @@ static void __meminit phys_pud_init(pud_
11776 - spin_unlock(&init_mm.page_table_lock);
11777 - unmap_low_page(pmd);
11778 - }
11779 -- __flush_tlb();
11780 -+ __flush_tlb_all();
11781 - }
11782 -
11783 - static void __init find_early_table_space(unsigned long end)
11784 -@@ -583,6 +596,39 @@ void free_init_pages(char *what, unsigne
11785 -
11786 - void free_initmem(void)
11787 - {
11788 -+
11789 -+#ifdef CONFIG_PAX_KERNEXEC
11790 -+ unsigned long addr, end;
11791 -+ pgd_t *pgd;
11792 -+ pud_t *pud;
11793 -+ pmd_t *pmd;
11794 -+
11795 -+ /* PaX: make kernel code/rodata read-only, rest non-executable */
11796 -+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_TEXT_SIZE; addr += PMD_SIZE) {
11797 -+ pgd = pgd_offset_k(addr);
11798 -+ pud = pud_offset(pgd, addr);
11799 -+ pmd = pmd_offset(pud, addr);
11800 -+ if ((unsigned long)_text <= addr && addr < (unsigned long)_data)
11801 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11802 -+ else
11803 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11804 -+ }
11805 -+
11806 -+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
11807 -+ end = addr + KERNEL_TEXT_SIZE;
11808 -+ for (; addr < end; addr += PMD_SIZE) {
11809 -+ pgd = pgd_offset_k(addr);
11810 -+ pud = pud_offset(pgd, addr);
11811 -+ pmd = pmd_offset(pud, addr);
11812 -+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_data)))
11813 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
11814 -+ else
11815 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
11816 -+ }
11817 -+
11818 -+ flush_tlb_all();
11819 -+#endif
11820 -+
11821 - free_init_pages("unused kernel memory",
11822 - (unsigned long)(&__init_begin),
11823 - (unsigned long)(&__init_end));
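Review bot: both loops in free_initmem step through the kernel image in PMD_SIZE units and decide read-only versus non-executable per whole PMD (`_text <= addr && addr < _data`), so the protection boundary is only correct if _text and _data are PMD-aligned and every entry in the range is still a large-page mapping. Neither assumption is visible in this hunk: a PMD straddling _data would lose _PAGE_RW for its data half, and a PMD already split into a PTE table would get RW/NX applied to the table entry rather than to the pages under it. Please add a comment pointing at the linker-script alignment this relies on, and consider a pmd_large()-style check before rewriting each entry. Re-applying the same bits to the direct-mapping alias in the second loop is the right thing to do, since that alias is what would otherwise leave the text writable.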
11824 -@@ -730,7 +776,7 @@ int in_gate_area_no_task(unsigned long a
11825 -
11826 - const char *arch_vma_name(struct vm_area_struct *vma)
11827 - {
11828 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
11829 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
11830 - return "[vdso]";
11831 - if (vma == &gate_vma)
11832 - return "[vsyscall]";
11833 -diff -urNp linux-2.6.24.4/arch/x86/mm/ioremap_32.c linux-2.6.24.4/arch/x86/mm/ioremap_32.c
11834 ---- linux-2.6.24.4/arch/x86/mm/ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
11835 -+++ linux-2.6.24.4/arch/x86/mm/ioremap_32.c 2008-03-26 17:56:55.000000000 -0400
11836 -@@ -67,8 +67,11 @@ void __iomem * __ioremap(unsigned long p
11837 - return NULL;
11838 - }
11839 -
11840 -- prot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY
11841 -- | _PAGE_ACCESSED | flags);
11842 -+#ifdef CONFIG_X86_PAE
11843 -+ prot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
11844 -+#else
11845 -+ prot = __pgprot(__PAGE_KERNEL | _PAGE_GLOBAL | flags);
11846 -+#endif
11847 -
11848 - /*
11849 - * Mappings have to be page-aligned
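Review bot: the new prot makes every 32-bit __ioremap mapping global and, through __PAGE_KERNEL, non-executable, which is the hardening point of the hunk and an improvement over the old explicit _PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED. Two follow-ups: `& __supported_pte_mask` is applied only under CONFIG_X86_PAE while the 64-bit version in the next file applies it unconditionally, so a comment stating why the non-PAE build can skip the mask (the NX bit does not exist in non-PAE entries) would stop this reading as an inconsistency; and since the mappings now carry _PAGE_GLOBAL, every teardown of them must use a global flush rather than a CR3 reload.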
11850 -diff -urNp linux-2.6.24.4/arch/x86/mm/ioremap_64.c linux-2.6.24.4/arch/x86/mm/ioremap_64.c
11851 ---- linux-2.6.24.4/arch/x86/mm/ioremap_64.c 2008-03-24 14:49:18.000000000 -0400
11852 -+++ linux-2.6.24.4/arch/x86/mm/ioremap_64.c 2008-03-26 17:56:55.000000000 -0400
11853 -@@ -48,7 +48,7 @@ ioremap_change_attr(unsigned long phys_a
11854 - * Must use a address here and not struct page because the phys addr
11855 - * can be a in hole between nodes and not have an memmap entry.
11856 - */
11857 -- err = change_page_attr_addr(vaddr,npages,__pgprot(__PAGE_KERNEL|flags));
11858 -+ err = change_page_attr_addr(vaddr,npages,__pgprot((__PAGE_KERNEL|_PAGE_GLOBAL|flags) & __supported_pte_mask));
11859 - if (!err)
11860 - global_flush_tlb();
11861 - }
11862 -@@ -103,8 +103,8 @@ void __iomem * __ioremap(unsigned long p
11863 - }
11864 - #endif
11865 -
11866 -- pgprot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_GLOBAL
11867 -- | _PAGE_DIRTY | _PAGE_ACCESSED | flags);
11868 -+ pgprot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
11869 -+
11870 - /*
11871 - * Mappings have to be page-aligned
11872 - */
11873 -@@ -126,7 +126,7 @@ void __iomem * __ioremap(unsigned long p
11874 - return NULL;
11875 - }
11876 - if (flags && ioremap_change_attr(phys_addr, size, flags) < 0) {
11877 -- area->flags &= 0xffffff;
11878 -+ area->flags &= 0xfffff;
11879 - vunmap(addr);
11880 - return NULL;
11881 - }
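Review bot: the mask change from 0xffffff to 0xfffff on the __ioremap failure path is a correctness fix rather than a cosmetic one: iounmap in the next hunk tests `p->flags >> 20` to decide whether page attributes were changed, and the old mask left bits 20-23 set, so vunmap() on this error path could trigger an attribute reset for a range whose attributes were never changed. Please add a comment naming bit 20 as the attribute-changed marker, or better a shared constant used by both this mask and the `>> 20` test, so the two cannot drift apart again.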
11882 -@@ -199,7 +199,7 @@ void iounmap(volatile void __iomem *addr
11883 -
11884 - /* Reset the direct mapping. Can block */
11885 - if (p->flags >> 20)
11886 -- ioremap_change_attr(p->phys_addr, p->size, 0);
11887 -+ ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0);
11888 -
11889 - /* Finally remove it */
11890 - o = remove_vm_area((void *)addr);
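Review bot: `p->size - PAGE_SIZE` in iounmap accounts for the guard page that the vmalloc-area allocator appends to every vm_struct, so the attribute reset stops at the real end of the mapping instead of touching one extra page; without that context the subtraction reads as an off-by-one, so the "Reset the direct mapping" comment above should say so. Please also confirm that the __ioremap call `ioremap_change_attr(phys_addr, size, flags)` in the previous hunk is passed the unpadded size, so the change and the reset cover the same range.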
11891 -diff -urNp linux-2.6.24.4/arch/x86/mm/mmap_32.c linux-2.6.24.4/arch/x86/mm/mmap_32.c
11892 ---- linux-2.6.24.4/arch/x86/mm/mmap_32.c 2008-03-24 14:49:18.000000000 -0400
11893 -+++ linux-2.6.24.4/arch/x86/mm/mmap_32.c 2008-03-26 17:56:55.000000000 -0400
11894 -@@ -35,12 +35,18 @@
11895 - * Leave an at least ~128 MB hole.
11896 - */
11897 - #define MIN_GAP (128*1024*1024)
11898 --#define MAX_GAP (TASK_SIZE/6*5)
11899 -+#define MAX_GAP (task_size/6*5)
11900 -
11901 - static inline unsigned long mmap_base(struct mm_struct *mm)
11902 - {
11903 - unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
11904 - unsigned long random_factor = 0;
11905 -+ unsigned long task_size = TASK_SIZE;
11906 -+
11907 -+#ifdef CONFIG_PAX_SEGMEXEC
11908 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11909 -+ task_size = SEGMEXEC_TASK_SIZE;
11910 -+#endif
11911 -
11912 - if (current->flags & PF_RANDOMIZE)
11913 - random_factor = get_random_int() % (1024*1024);
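Review bot: MAX_GAP now expands to `task_size/6*5`, which silently requires a local variable of exactly that name to be in scope at every use; the only user visible here is mmap_base(), where `task_size` is declared, but any other use of MAX_GAP will fail to compile with an unhelpful error. A function-like macro, MAX_GAP(task_size), or computing the bound inline would make the dependency explicit. The SEGMEXEC substitution of SEGMEXEC_TASK_SIZE for TASK_SIZE is otherwise straightforward.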
11914 -@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
11915 - else if (gap > MAX_GAP)
11916 - gap = MAX_GAP;
11917 -
11918 -- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
11919 -+ return PAGE_ALIGN(task_size - gap - random_factor);
11920 - }
11921 -
11922 - /*
11923 -@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
11924 - if (sysctl_legacy_va_layout ||
11925 - (current->personality & ADDR_COMPAT_LAYOUT) ||
11926 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
11927 -+
11928 -+#ifdef CONFIG_PAX_SEGMEXEC
11929 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
11930 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
11931 -+ else
11932 -+#endif
11933 -+
11934 - mm->mmap_base = TASK_UNMAPPED_BASE;
11935 -+
11936 -+#ifdef CONFIG_PAX_RANDMMAP
11937 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11938 -+ mm->mmap_base += mm->delta_mmap;
11939 -+#endif
11940 -+
11941 - mm->get_unmapped_area = arch_get_unmapped_area;
11942 - mm->unmap_area = arch_unmap_area;
11943 - } else {
11944 - mm->mmap_base = mmap_base(mm);
11945 -+
11946 -+#ifdef CONFIG_PAX_RANDMMAP
11947 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11948 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11949 -+#endif
11950 -+
11951 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11952 - mm->unmap_area = arch_unmap_area_topdown;
11953 - }
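Review bot: the `#ifdef CONFIG_PAX_SEGMEXEC ... else #endif` immediately followed by the unconditional `mm->mmap_base = TASK_UNMAPPED_BASE;` is valid C but, with the option off, reads as two unrelated statements; braces around the whole if/else, or a small helper returning the base, would make the dangling else explicit. In the top-down branch, `-= mm->delta_mmap + mm->delta_stack` is applied on top of the PF_RANDOMIZE random_factor already subtracted inside mmap_base(), so two randomisation sources combine; a comment stating that this is intended, and that delta_mmap and delta_stack are bounded so the result cannot drop below the MIN_GAP hole, would help the next reader.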
11954 -diff -urNp linux-2.6.24.4/arch/x86/mm/mmap_64.c linux-2.6.24.4/arch/x86/mm/mmap_64.c
11955 ---- linux-2.6.24.4/arch/x86/mm/mmap_64.c 2008-03-24 14:49:18.000000000 -0400
11956 -+++ linux-2.6.24.4/arch/x86/mm/mmap_64.c 2008-03-26 17:56:55.000000000 -0400
11957 -@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
11958 - unsigned rnd = get_random_int() & 0xfffffff;
11959 - mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
11960 - }
11961 -+
11962 -+#ifdef CONFIG_PAX_RANDMMAP
11963 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11964 -+ mm->mmap_base += mm->delta_mmap;
11965 -+#endif
11966 -+
11967 - mm->get_unmapped_area = arch_get_unmapped_area;
11968 - mm->unmap_area = arch_unmap_area;
11969 - }
11970 -diff -urNp linux-2.6.24.4/arch/x86/mm/numa_64.c linux-2.6.24.4/arch/x86/mm/numa_64.c
11971 ---- linux-2.6.24.4/arch/x86/mm/numa_64.c 2008-03-24 14:49:18.000000000 -0400
11972 -+++ linux-2.6.24.4/arch/x86/mm/numa_64.c 2008-03-26 17:56:55.000000000 -0400
11973 -@@ -19,7 +19,7 @@
11974 - #include <asm/acpi.h>
11975 -
11976 - #ifndef Dprintk
11977 --#define Dprintk(x...)
11978 -+#define Dprintk(x...) do {} while (0)
11979 - #endif
11980 -
11981 - struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
11982 -diff -urNp linux-2.6.24.4/arch/x86/mm/pageattr_32.c linux-2.6.24.4/arch/x86/mm/pageattr_32.c
11983 ---- linux-2.6.24.4/arch/x86/mm/pageattr_32.c 2008-03-24 14:49:18.000000000 -0400
11984 -+++ linux-2.6.24.4/arch/x86/mm/pageattr_32.c 2008-03-26 17:56:55.000000000 -0400
11985 -@@ -13,6 +13,7 @@
11986 - #include <asm/tlbflush.h>
11987 - #include <asm/pgalloc.h>
11988 - #include <asm/sections.h>
11989 -+#include <asm/desc.h>
11990 -
11991 - static DEFINE_SPINLOCK(cpa_lock);
11992 - static struct list_head df_list = LIST_HEAD_INIT(df_list);
11993 -@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
11994 - }
11995 -
11996 - static struct page *split_large_page(unsigned long address, pgprot_t prot,
11997 -- pgprot_t ref_prot)
11998 -+ pgprot_t ref_prot, unsigned long flags)
11999 - {
12000 - int i;
12001 - unsigned long addr;
12002 - struct page *base;
12003 - pte_t *pbase;
12004 -
12005 -- spin_unlock_irq(&cpa_lock);
12006 -+ spin_unlock_irqrestore(&cpa_lock, flags);
12007 - base = alloc_pages(GFP_KERNEL, 0);
12008 -- spin_lock_irq(&cpa_lock);
12009 -+ spin_lock_irqsave(&cpa_lock, flags);
12010 - if (!base)
12011 - return NULL;
12012 -
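Review bot: swapping spin_unlock_irq()/spin_lock_irq() for the irqrestore/irqsave pair around alloc_pages() changes behaviour when change_page_attr() is entered with interrupts already disabled: the old code unconditionally re-enabled interrupts before the GFP_KERNEL allocation, the new code keeps them off, and alloc_pages(GFP_KERNEL) may sleep. That is only safe if change_page_attr() is never called with interrupts disabled; if that is the contract, a WARN_ON(irqs_disabled()) at its entry would document it. Passing `flags` by value is fine, since the caller's copy is what the final spin_unlock_irqrestore() uses.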
12013 -@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
12014 - struct page *page;
12015 - unsigned long flags;
12016 -
12017 -+#ifdef CONFIG_PAX_KERNEXEC
12018 -+ unsigned long cr0;
12019 -+
12020 -+ pax_open_kernel(cr0);
12021 -+#endif
12022 -+
12023 - set_pte_atomic(kpte, pte); /* change init_mm */
12024 -+
12025 -+#ifdef CONFIG_PAX_KERNEXEC
12026 -+ pax_close_kernel(cr0);
12027 -+#endif
12028 -+
12029 - if (SHARED_KERNEL_PMD)
12030 - return;
12031 -
12032 -@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
12033 - pte_t *linear;
12034 -
12035 - ref_prot =
12036 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
12037 -+ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
12038 - ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
12039 -
12040 - linear = (pte_t *)
12041 -@@ -143,7 +155,7 @@ static inline void save_page(struct page
12042 - }
12043 -
12044 - static int
12045 --__change_page_attr(struct page *page, pgprot_t prot)
12046 -+__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
12047 - {
12048 - pte_t *kpte;
12049 - unsigned long address;
12050 -@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
12051 - struct page *split;
12052 -
12053 - ref_prot =
12054 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
12055 -+ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
12056 - ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
12057 -- split = split_large_page(address, prot, ref_prot);
12058 -+ split = split_large_page(address, prot, ref_prot, flags);
12059 - if (!split)
12060 - return -ENOMEM;
12061 -- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
12062 -- kpte_page = split;
12063 -+ if (pte_huge(*kpte)) {
12064 -+ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
12065 -+ kpte_page = split;
12066 -+ } else {
12067 -+ __free_pages(split, 0);
12068 -+ kpte = lookup_address(address);
12069 -+ kpte_page = virt_to_page(kpte);
12070 -+ set_pte_atomic(kpte, mk_pte(page, prot));
12071 -+ }
12072 - }
12073 - page_private(kpte_page)++;
12074 - } else if (!pte_huge(*kpte)) {
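Review bot: the new `if (pte_huge(*kpte)) ... else` after split_large_page() closes a real race: split_large_page() drops cpa_lock around its allocation, so another CPU may have split the same large page meanwhile, and the else branch correctly frees the spare page, re-looks up the now-4K pte and sets it directly. Two points: the else body duplicates the `!pte_huge` branch that follows, so a retry via `goto` to the small-page case would avoid two copies of the same logic; and `kpte_page = virt_to_page(kpte)` followed by the shared `page_private(kpte_page)++` bumps the reference count of the page table the other CPU installed, which matches the normal small-page path but deserves a comment because it is not obvious at the call site.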
12075 -@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
12076 -
12077 - spin_lock_irqsave(&cpa_lock, flags);
12078 - for (i = 0; i < numpages; i++, page++) {
12079 -- err = __change_page_attr(page, prot);
12080 -+ err = __change_page_attr(page, prot, flags);
12081 - if (err)
12082 - break;
12083 - }
12084 -diff -urNp linux-2.6.24.4/arch/x86/mm/pageattr_64.c linux-2.6.24.4/arch/x86/mm/pageattr_64.c
12085 ---- linux-2.6.24.4/arch/x86/mm/pageattr_64.c 2008-03-24 14:49:18.000000000 -0400
12086 -+++ linux-2.6.24.4/arch/x86/mm/pageattr_64.c 2008-03-26 17:56:55.000000000 -0400
12087 -@@ -110,6 +110,10 @@ static void revert_page(unsigned long ad
12088 - pte_t large_pte;
12089 - unsigned long pfn;
12090 -
12091 -+#ifdef CONFIG_PAX_KERNEXEC
12092 -+ unsigned long cr0;
12093 -+#endif
12094 -+
12095 - pgd = pgd_offset_k(address);
12096 - BUG_ON(pgd_none(*pgd));
12097 - pud = pud_offset(pgd,address);
12098 -@@ -119,8 +123,18 @@ static void revert_page(unsigned long ad
12099 - pfn = (__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT;
12100 - large_pte = pfn_pte(pfn, ref_prot);
12101 - large_pte = pte_mkhuge(large_pte);
12102 -+
12103 -+#ifdef CONFIG_PAX_KERNEXEC
12104 -+ pax_open_kernel(cr0);
12105 -+#endif
12106 -+
12107 - set_pte((pte_t *)pmd, large_pte);
12108 --}
12109 -+
12110 -+#ifdef CONFIG_PAX_KERNEXEC
12111 -+ pax_close_kernel(cr0);
12112 -+#endif
12113 -+
12114 -+}
12115 -
12116 - static int
12117 - __change_page_attr(unsigned long address, unsigned long pfn, pgprot_t prot,
12118 -@@ -136,22 +150,36 @@ __change_page_attr(unsigned long address
12119 - BUG_ON(PageLRU(kpte_page));
12120 - BUG_ON(PageCompound(kpte_page));
12121 - if (pgprot_val(prot) != pgprot_val(ref_prot)) {
12122 -- if (!pte_huge(*kpte)) {
12123 -- set_pte(kpte, pfn_pte(pfn, prot));
12124 -- } else {
12125 -+ if (pte_huge(*kpte)) {
12126 - /*
12127 - * split_large_page will take the reference for this
12128 - * change_page_attr on the split page.
12129 - */
12130 - struct page *split;
12131 -+
12132 -+#ifdef CONFIG_PAX_KERNEXEC
12133 -+ unsigned long cr0;
12134 -+#endif
12135 -+
12136 - ref_prot2 = pte_pgprot(pte_clrhuge(*kpte));
12137 - split = split_large_page(address, prot, ref_prot2);
12138 - if (!split)
12139 - return -ENOMEM;
12140 - pgprot_val(ref_prot2) &= ~_PAGE_NX;
12141 -+
12142 -+#ifdef CONFIG_PAX_KERNEXEC
12143 -+ pax_open_kernel(cr0);
12144 -+#endif
12145 -+
12146 - set_pte(kpte, mk_pte(split, ref_prot2));
12147 -+
12148 -+#ifdef CONFIG_PAX_KERNEXEC
12149 -+ pax_close_kernel(cr0);
12150 -+#endif
12151 -+
12152 - kpte_page = split;
12153 -- }
12154 -+ } else
12155 -+ set_pte(kpte, pfn_pte(pfn, prot));
12156 - page_private(kpte_page)++;
12157 - } else if (!pte_huge(*kpte)) {
12158 - set_pte(kpte, pfn_pte(pfn, ref_prot));
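Review bot: the pax_open_kernel()/pax_close_kernel() bracket covers only the set_pte() that installs the split page table; the set_pte() in the new else branch (`set_pte(kpte, pfn_pte(pfn, prot))`) and the one in the `!pte_huge` branch below are left unbracketed. Either those writes do not need the bracket, in which case the split path needs a comment explaining what is different about it, or they do and they will fault under CONFIG_PAX_KERNEXEC. Also, unlike the 32-bit __change_page_attr earlier in this patch, this path does not re-check pte_huge(*kpte) after split_large_page() returns; if the 64-bit split_large_page() likewise drops the lock around its allocation, the same already-split race applies here.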
12159 -diff -urNp linux-2.6.24.4/arch/x86/mm/pgtable_32.c linux-2.6.24.4/arch/x86/mm/pgtable_32.c
12160 ---- linux-2.6.24.4/arch/x86/mm/pgtable_32.c 2008-03-24 14:49:18.000000000 -0400
12161 -+++ linux-2.6.24.4/arch/x86/mm/pgtable_32.c 2008-03-26 17:56:55.000000000 -0400
12162 -@@ -83,6 +83,10 @@ static void set_pte_pfn(unsigned long va
12163 - pmd_t *pmd;
12164 - pte_t *pte;
12165 -
12166 -+#ifdef CONFIG_PAX_KERNEXEC
12167 -+ unsigned long cr0;
12168 -+#endif
12169 -+
12170 - pgd = swapper_pg_dir + pgd_index(vaddr);
12171 - if (pgd_none(*pgd)) {
12172 - BUG();
12173 -@@ -99,11 +103,20 @@ static void set_pte_pfn(unsigned long va
12174 - return;
12175 - }
12176 - pte = pte_offset_kernel(pmd, vaddr);
12177 -+
12178 -+#ifdef CONFIG_PAX_KERNEXEC
12179 -+ pax_open_kernel(cr0);
12180 -+#endif
12181 -+
12182 - if (pgprot_val(flags))
12183 - set_pte_present(&init_mm, vaddr, pte, pfn_pte(pfn, flags));
12184 - else
12185 - pte_clear(&init_mm, vaddr, pte);
12186 -
12187 -+#ifdef CONFIG_PAX_KERNEXEC
12188 -+ pax_close_kernel(cr0);
12189 -+#endif
12190 -+
12191 - /*
12192 - * It's enough to flush this one mapping.
12193 - * (PGE mappings get flushed as well)
12194 -diff -urNp linux-2.6.24.4/arch/x86/oprofile/backtrace.c linux-2.6.24.4/arch/x86/oprofile/backtrace.c
12195 ---- linux-2.6.24.4/arch/x86/oprofile/backtrace.c 2008-03-24 14:49:18.000000000 -0400
12196 -+++ linux-2.6.24.4/arch/x86/oprofile/backtrace.c 2008-03-26 17:56:55.000000000 -0400
12197 -@@ -37,7 +37,7 @@ static void backtrace_address(void *data
12198 - unsigned int *depth = data;
12199 -
12200 - if ((*depth)--)
12201 -- oprofile_add_trace(addr);
12202 -+ oprofile_add_trace(ktla_ktva(addr));
12203 - }
12204 -
12205 - static struct stacktrace_ops backtrace_ops = {
12206 -@@ -79,7 +79,7 @@ x86_backtrace(struct pt_regs * const reg
12207 - struct frame_head *head = (struct frame_head *)frame_pointer(regs);
12208 - unsigned long stack = stack_pointer(regs);
12209 -
12210 -- if (!user_mode_vm(regs)) {
12211 -+ if (!user_mode(regs)) {
12212 - if (depth)
12213 - dump_trace(NULL, regs, (unsigned long *)stack,
12214 - &backtrace_ops, &depth);
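Review bot: replacing user_mode_vm(regs) with user_mode(regs) changes how VM86 frames are classified: user_mode_vm() treats a VM86 task as user mode, user_mode() does not, so a sample taken in a VM86 task now falls into the kernel branch and is handed to dump_trace() as if it were a kernel stack. If VM86 is deliberately unsupported under this configuration, say so in a comment next to the check; otherwise this hunk should keep user_mode_vm().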
12215 -diff -urNp linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c
12216 ---- linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c 2008-03-24 14:49:18.000000000 -0400
12217 -+++ linux-2.6.24.4/arch/x86/oprofile/op_model_p4.c 2008-03-26 17:56:55.000000000 -0400
12218 -@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
12219 - #endif
12220 - }
12221 -
12222 --static int inline addr_increment(void)
12223 -+static inline int addr_increment(void)
12224 - {
12225 - #ifdef CONFIG_SMP
12226 - return smp_num_siblings == 2 ? 2 : 1;
12227 -diff -urNp linux-2.6.24.4/arch/x86/pci/common.c linux-2.6.24.4/arch/x86/pci/common.c
12228 ---- linux-2.6.24.4/arch/x86/pci/common.c 2008-03-24 14:49:18.000000000 -0400
12229 -+++ linux-2.6.24.4/arch/x86/pci/common.c 2008-03-26 17:56:55.000000000 -0400
12230 -@@ -331,7 +331,7 @@ static struct dmi_system_id __devinitdat
12231 - DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
12232 - },
12233 - },
12234 -- {}
12235 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
12236 - };
12237 -
12238 - struct pci_bus * __devinit pcibios_scan_root(int busnum)
12239 -diff -urNp linux-2.6.24.4/arch/x86/pci/early.c linux-2.6.24.4/arch/x86/pci/early.c
12240 ---- linux-2.6.24.4/arch/x86/pci/early.c 2008-03-24 14:49:18.000000000 -0400
12241 -+++ linux-2.6.24.4/arch/x86/pci/early.c 2008-03-26 17:56:55.000000000 -0400
12242 -@@ -7,7 +7,7 @@
12243 - /* Direct PCI access. This is used for PCI accesses in early boot before
12244 - the PCI subsystem works. */
12245 -
12246 --#define PDprintk(x...)
12247 -+#define PDprintk(x...) do {} while (0)
12248 -
12249 - u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
12250 - {
12251 -diff -urNp linux-2.6.24.4/arch/x86/pci/fixup.c linux-2.6.24.4/arch/x86/pci/fixup.c
12252 ---- linux-2.6.24.4/arch/x86/pci/fixup.c 2008-03-24 14:49:18.000000000 -0400
12253 -+++ linux-2.6.24.4/arch/x86/pci/fixup.c 2008-03-26 17:56:55.000000000 -0400
12254 -@@ -362,7 +362,7 @@ static struct dmi_system_id __devinitdat
12255 - DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
12256 - },
12257 - },
12258 -- {}
12259 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12260 - };
12261 -
12262 - /*
12263 -@@ -433,7 +433,7 @@ static struct dmi_system_id __devinitdat
12264 - DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
12265 - },
12266 - },
12267 -- { }
12268 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12269 - };
12270 -
12271 - static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
12272 -diff -urNp linux-2.6.24.4/arch/x86/pci/irq.c linux-2.6.24.4/arch/x86/pci/irq.c
12273 ---- linux-2.6.24.4/arch/x86/pci/irq.c 2008-03-24 14:49:18.000000000 -0400
12274 -+++ linux-2.6.24.4/arch/x86/pci/irq.c 2008-03-26 17:56:55.000000000 -0400
12275 -@@ -528,7 +528,7 @@ static __init int intel_router_probe(str
12276 - static struct pci_device_id __initdata pirq_440gx[] = {
12277 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
12278 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
12279 -- { },
12280 -+ { PCI_DEVICE(0, 0) }
12281 - };
12282 -
12283 - /* 440GX has a proprietary PIRQ router -- don't use it */
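Review bot: `{ PCI_DEVICE(0, 0) }` is not an all-zero terminator: PCI_DEVICE() sets .subvendor and .subdevice to PCI_ANY_ID, and the id-table walkers (pci_match_id()/pci_dev_present()) stop only at an entry whose vendor, subvendor and class_mask are all zero, so a walk over pirq_440gx can run past the end of the array. If an explicit sentinel is wanted, use `{ 0, }` or spell out the zeroed fields; the original `{ }` was already correct.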
12284 -@@ -1090,7 +1090,7 @@ static struct dmi_system_id __initdata p
12285 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
12286 - },
12287 - },
12288 -- { }
12289 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12290 - };
12291 -
12292 - static int __init pcibios_irq_init(void)
12293 -diff -urNp linux-2.6.24.4/arch/x86/pci/pcbios.c linux-2.6.24.4/arch/x86/pci/pcbios.c
12294 ---- linux-2.6.24.4/arch/x86/pci/pcbios.c 2008-03-24 14:49:18.000000000 -0400
12295 -+++ linux-2.6.24.4/arch/x86/pci/pcbios.c 2008-03-26 17:56:55.000000000 -0400
12296 -@@ -57,50 +57,124 @@ union bios32 {
12297 - static struct {
12298 - unsigned long address;
12299 - unsigned short segment;
12300 --} bios32_indirect = { 0, __KERNEL_CS };
12301 -+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
12302 -
12303 - /*
12304 - * Returns the entry point for the given service, NULL on error
12305 - */
12306 -
12307 --static unsigned long bios32_service(unsigned long service)
12308 -+static unsigned long __devinit bios32_service(unsigned long service)
12309 - {
12310 - unsigned char return_code; /* %al */
12311 - unsigned long address; /* %ebx */
12312 - unsigned long length; /* %ecx */
12313 - unsigned long entry; /* %edx */
12314 - unsigned long flags;
12315 -+ struct desc_struct *gdt;
12316 -+
12317 -+#ifdef CONFIG_PAX_KERNEXEC
12318 -+ unsigned long cr0;
12319 -+#endif
12320 -
12321 - local_irq_save(flags);
12322 -- __asm__("lcall *(%%edi); cld"
12323 -+
12324 -+ gdt = get_cpu_gdt_table(smp_processor_id());
12325 -+
12326 -+#ifdef CONFIG_PAX_KERNEXEC
12327 -+ pax_open_kernel(cr0);
12328 -+#endif
12329 -+
12330 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
12331 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
12332 -+ 0UL, 0xFFFFFUL, 0x9B, 0xC);
12333 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
12334 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
12335 -+ 0UL, 0xFFFFFUL, 0x93, 0xC);
12336 -+
12337 -+#ifdef CONFIG_PAX_KERNEXEC
12338 -+ pax_close_kernel(cr0);
12339 -+#endif
12340 -+
12341 -+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
12342 - : "=a" (return_code),
12343 - "=b" (address),
12344 - "=c" (length),
12345 - "=d" (entry)
12346 - : "0" (service),
12347 - "1" (0),
12348 -- "D" (&bios32_indirect));
12349 -+ "D" (&bios32_indirect),
12350 -+ "r"(__PCIBIOS_DS)
12351 -+ : "memory");
12352 -+
12353 -+#ifdef CONFIG_PAX_KERNEXEC
12354 -+ pax_open_kernel(cr0);
12355 -+#endif
12356 -+
12357 -+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
12358 -+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
12359 -+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
12360 -+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
12361 -+
12362 -+#ifdef CONFIG_PAX_KERNEXEC
12363 -+ pax_close_kernel(cr0);
12364 -+#endif
12365 -+
12366 - local_irq_restore(flags);
12367 -
12368 - switch (return_code) {
12369 -- case 0:
12370 -- return address + entry;
12371 -- case 0x80: /* Not present */
12372 -- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
12373 -- return 0;
12374 -- default: /* Shouldn't happen */
12375 -- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
12376 -- service, return_code);
12377 -+ case 0: {
12378 -+ int cpu;
12379 -+ unsigned char flags;
12380 -+
12381 -+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
12382 -+ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
12383 -+ printk(KERN_WARNING "bios32_service: not valid\n");
12384 - return 0;
12385 -+ }
12386 -+ address = address + PAGE_OFFSET;
12387 -+ length += 16UL; /* some BIOSs underreport this... */
12388 -+ flags = 4;
12389 -+ if (length >= 64*1024*1024) {
12390 -+ length >>= PAGE_SHIFT;
12391 -+ flags |= 8;
12392 -+ }
12393 -+
12394 -+#ifdef CONFIG_PAX_KERNEXEC
12395 -+ pax_open_kernel(cr0);
12396 -+#endif
12397 -+
12398 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
12399 -+ gdt = get_cpu_gdt_table(cpu);
12400 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
12401 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
12402 -+ address, length, 0x9b, flags);
12403 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
12404 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
12405 -+ address, length, 0x93, flags);
12406 -+ }
12407 -+
12408 -+#ifdef CONFIG_PAX_KERNEXEC
12409 -+ pax_close_kernel(cr0);
12410 -+#endif
12411 -+
12412 -+ return entry;
12413 -+ }
12414 -+ case 0x80: /* Not present */
12415 -+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
12416 -+ return 0;
12417 -+ default: /* Shouldn't happen */
12418 -+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
12419 -+ service, return_code);
12420 -+ return 0;
12421 - }
12422 - }
12423 -
12424 - static struct {
12425 - unsigned long address;
12426 - unsigned short segment;
12427 --} pci_indirect = { 0, __KERNEL_CS };
12428 -+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
12429 -
12430 --static int pci_bios_present;
12431 -+static int pci_bios_present __read_only;
12432 -
12433 - static int __devinit check_pcibios(void)
12434 - {
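Review bot: `unsigned char flags;` declared inside `case 0: {` shadows the function-level `unsigned long flags` used by local_irq_save()/local_irq_restore(); it is harmless only because local_irq_restore(flags) runs before the switch, so rename it (e.g. desc_flags) before a later edit moves the restore. Further points in this hunk: `for (cpu = 0; cpu < NR_CPUS; cpu++)` writes the PCIBIOS descriptors into the GDT of every CPU index rather than for_each_possible_cpu(), which should at least be justified in a comment; the first call uses `lcall *(%%edi)` while every later call site uses `lcall *%%ss:(%%edi)`, which only works because the temporary descriptors packed just above it are flat (base 0, limit 0xFFFFF, 4K granularity), so either add the same %%ss: override or a comment on that dependency. The validation of the BIOS32 directory entry (`address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry`) before building limited code/data segments is the important hardening here; returning `entry` instead of `address + entry` is consistent with check_pcibios() no longer adding PAGE_OFFSET.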
12435 -@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
12436 - unsigned long flags, pcibios_entry;
12437 -
12438 - if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
12439 -- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
12440 -+ pci_indirect.address = pcibios_entry;
12441 -
12442 - local_irq_save(flags);
12443 -- __asm__(
12444 -- "lcall *(%%edi); cld\n\t"
12445 -+ __asm__("movw %w6, %%ds\n\t"
12446 -+ "lcall *%%ss:(%%edi); cld\n\t"
12447 -+ "push %%ss\n\t"
12448 -+ "pop %%ds\n\t"
12449 - "jc 1f\n\t"
12450 - "xor %%ah, %%ah\n"
12451 - "1:"
12452 -@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
12453 - "=b" (ebx),
12454 - "=c" (ecx)
12455 - : "1" (PCIBIOS_PCI_BIOS_PRESENT),
12456 -- "D" (&pci_indirect)
12457 -+ "D" (&pci_indirect),
12458 -+ "r" (__PCIBIOS_DS)
12459 - : "memory");
12460 - local_irq_restore(flags);
12461 -
12462 -@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
12463 - unsigned short bx;
12464 - unsigned short ret;
12465 -
12466 -- __asm__("lcall *(%%edi); cld\n\t"
12467 -+ __asm__("movw %w7, %%ds\n\t"
12468 -+ "lcall *%%ss:(%%edi); cld\n\t"
12469 -+ "push %%ss\n\t"
12470 -+ "pop %%ds\n\t"
12471 - "jc 1f\n\t"
12472 - "xor %%ah, %%ah\n"
12473 - "1:"
12474 -@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
12475 - "c" (device_id),
12476 - "d" (vendor),
12477 - "S" ((int) index),
12478 -- "D" (&pci_indirect));
12479 -+ "D" (&pci_indirect),
12480 -+ "r" (__PCIBIOS_DS));
12481 - *bus = (bx >> 8) & 0xff;
12482 - *device_fn = bx & 0xff;
12483 - return (int) (ret & 0xff00) >> 8;
12484 -@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
12485 -
12486 - switch (len) {
12487 - case 1:
12488 -- __asm__("lcall *(%%esi); cld\n\t"
12489 -+ __asm__("movw %w6, %%ds\n\t"
12490 -+ "lcall *%%ss:(%%esi); cld\n\t"
12491 -+ "push %%ss\n\t"
12492 -+ "pop %%ds\n\t"
12493 - "jc 1f\n\t"
12494 - "xor %%ah, %%ah\n"
12495 - "1:"
12496 -@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
12497 - : "1" (PCIBIOS_READ_CONFIG_BYTE),
12498 - "b" (bx),
12499 - "D" ((long)reg),
12500 -- "S" (&pci_indirect));
12501 -+ "S" (&pci_indirect),
12502 -+ "r" (__PCIBIOS_DS));
12503 - break;
12504 - case 2:
12505 -- __asm__("lcall *(%%esi); cld\n\t"
12506 -+ __asm__("movw %w6, %%ds\n\t"
12507 -+ "lcall *%%ss:(%%esi); cld\n\t"
12508 -+ "push %%ss\n\t"
12509 -+ "pop %%ds\n\t"
12510 - "jc 1f\n\t"
12511 - "xor %%ah, %%ah\n"
12512 - "1:"
12513 -@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
12514 - : "1" (PCIBIOS_READ_CONFIG_WORD),
12515 - "b" (bx),
12516 - "D" ((long)reg),
12517 -- "S" (&pci_indirect));
12518 -+ "S" (&pci_indirect),
12519 -+ "r" (__PCIBIOS_DS));
12520 - break;
12521 - case 4:
12522 -- __asm__("lcall *(%%esi); cld\n\t"
12523 -+ __asm__("movw %w6, %%ds\n\t"
12524 -+ "lcall *%%ss:(%%esi); cld\n\t"
12525 -+ "push %%ss\n\t"
12526 -+ "pop %%ds\n\t"
12527 - "jc 1f\n\t"
12528 - "xor %%ah, %%ah\n"
12529 - "1:"
12530 -@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
12531 - : "1" (PCIBIOS_READ_CONFIG_DWORD),
12532 - "b" (bx),
12533 - "D" ((long)reg),
12534 -- "S" (&pci_indirect));
12535 -+ "S" (&pci_indirect),
12536 -+ "r" (__PCIBIOS_DS));
12537 - break;
12538 - }
12539 -
12540 -@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
12541 -
12542 - switch (len) {
12543 - case 1:
12544 -- __asm__("lcall *(%%esi); cld\n\t"
12545 -+ __asm__("movw %w6, %%ds\n\t"
12546 -+ "lcall *%%ss:(%%esi); cld\n\t"
12547 -+ "push %%ss\n\t"
12548 -+ "pop %%ds\n\t"
12549 - "jc 1f\n\t"
12550 - "xor %%ah, %%ah\n"
12551 - "1:"
12552 -@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
12553 - "c" (value),
12554 - "b" (bx),
12555 - "D" ((long)reg),
12556 -- "S" (&pci_indirect));
12557 -+ "S" (&pci_indirect),
12558 -+ "r" (__PCIBIOS_DS));
12559 - break;
12560 - case 2:
12561 -- __asm__("lcall *(%%esi); cld\n\t"
12562 -+ __asm__("movw %w6, %%ds\n\t"
12563 -+ "lcall *%%ss:(%%esi); cld\n\t"
12564 -+ "push %%ss\n\t"
12565 -+ "pop %%ds\n\t"
12566 - "jc 1f\n\t"
12567 - "xor %%ah, %%ah\n"
12568 - "1:"
12569 -@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
12570 - "c" (value),
12571 - "b" (bx),
12572 - "D" ((long)reg),
12573 -- "S" (&pci_indirect));
12574 -+ "S" (&pci_indirect),
12575 -+ "r" (__PCIBIOS_DS));
12576 - break;
12577 - case 4:
12578 -- __asm__("lcall *(%%esi); cld\n\t"
12579 -+ __asm__("movw %w6, %%ds\n\t"
12580 -+ "lcall *%%ss:(%%esi); cld\n\t"
12581 -+ "push %%ss\n\t"
12582 -+ "pop %%ds\n\t"
12583 - "jc 1f\n\t"
12584 - "xor %%ah, %%ah\n"
12585 - "1:"
12586 -@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
12587 - "c" (value),
12588 - "b" (bx),
12589 - "D" ((long)reg),
12590 -- "S" (&pci_indirect));
12591 -+ "S" (&pci_indirect),
12592 -+ "r" (__PCIBIOS_DS));
12593 - break;
12594 - }
12595 -
12596 -@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
12597 -
12598 - DBG("PCI: Fetching IRQ routing table... ");
12599 - __asm__("push %%es\n\t"
12600 -+ "movw %w8, %%ds\n\t"
12601 - "push %%ds\n\t"
12602 - "pop %%es\n\t"
12603 -- "lcall *(%%esi); cld\n\t"
12604 -+ "lcall *%%ss:(%%esi); cld\n\t"
12605 - "pop %%es\n\t"
12606 -+ "push %%ss\n\t"
12607 -+ "pop %%ds\n"
12608 - "jc 1f\n\t"
12609 - "xor %%ah, %%ah\n"
12610 - "1:"
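Review bot: with `movw %w8, %%ds` now placed before `push %%ds; pop %%es`, %es inherits the __PCIBIOS_DS selector for the call while %edi still holds the linear kernel-stack address of `opt`, the buffer the BIOS addresses through ES:DI. The __PCIBIOS_DS descriptor built in bios32_service() is based at the BIOS image with a limit of its length, so unless that segment is meant to cover `opt` the BIOS will resolve ES:DI against the wrong base or trip the limit. Please either explain in a comment why this call works with the limited data segment, or load %es from a flat selector separately from %ds.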
12611 -@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
12612 - "1" (0),
12613 - "D" ((long) &opt),
12614 - "S" (&pci_indirect),
12615 -- "m" (opt)
12616 -+ "m" (opt),
12617 -+ "r" (__PCIBIOS_DS)
12618 - : "memory");
12619 - DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
12620 - if (ret & 0xff00)
12621 -@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
12622 - {
12623 - int ret;
12624 -
12625 -- __asm__("lcall *(%%esi); cld\n\t"
12626 -+ __asm__("movw %w5, %%ds\n\t"
12627 -+ "lcall *%%ss:(%%esi); cld\n\t"
12628 -+ "push %%ss\n\t"
12629 -+ "pop %%ds\n"
12630 - "jc 1f\n\t"
12631 - "xor %%ah, %%ah\n"
12632 - "1:"
12633 -@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
12634 - : "0" (PCIBIOS_SET_PCI_HW_INT),
12635 - "b" ((dev->bus->number << 8) | dev->devfn),
12636 - "c" ((irq << 8) | (pin + 10)),
12637 -- "S" (&pci_indirect));
12638 -+ "S" (&pci_indirect),
12639 -+ "r" (__PCIBIOS_DS));
12640 - return !(ret & 0xff00);
12641 - }
12642 - EXPORT_SYMBOL(pcibios_set_irq_routing);
12643 -diff -urNp linux-2.6.24.4/arch/x86/power/cpu.c linux-2.6.24.4/arch/x86/power/cpu.c
12644 ---- linux-2.6.24.4/arch/x86/power/cpu.c 2008-03-24 14:49:18.000000000 -0400
12645 -+++ linux-2.6.24.4/arch/x86/power/cpu.c 2008-03-26 17:56:55.000000000 -0400
12646 -@@ -64,10 +64,20 @@ static void do_fpu_end(void)
12647 - static void fix_processor_context(void)
12648 - {
12649 - int cpu = smp_processor_id();
12650 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
12651 -+ struct tss_struct *t = init_tss + cpu;
12652 -+
12653 -+#ifdef CONFIG_PAX_KERNEXEC
12654 -+ unsigned long cr0;
12655 -+
12656 -+ pax_open_kernel(cr0);
12657 -+#endif
12658 -
12659 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
12660 -
12661 -+#ifdef CONFIG_PAX_KERNEXEC
12662 -+ pax_close_kernel(cr0);
12663 -+#endif
12664 -+
12665 - load_TR_desc(); /* This does ltr */
12666 - load_LDT(&current->active_mm->context); /* This does lldt */
12667 -
12668 -diff -urNp linux-2.6.24.4/arch/x86/vdso/vma.c linux-2.6.24.4/arch/x86/vdso/vma.c
12669 ---- linux-2.6.24.4/arch/x86/vdso/vma.c 2008-03-24 14:49:18.000000000 -0400
12670 -+++ linux-2.6.24.4/arch/x86/vdso/vma.c 2008-03-26 17:56:55.000000000 -0400
12671 -@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
12672 - if (ret)
12673 - goto up_fail;
12674 -
12675 -- current->mm->context.vdso = (void *)addr;
12676 -+ current->mm->context.vdso = addr;
12677 - up_fail:
12678 - up_write(&mm->mmap_sem);
12679 - return ret;
12680 -diff -urNp linux-2.6.24.4/arch/x86/xen/enlighten.c linux-2.6.24.4/arch/x86/xen/enlighten.c
12681 ---- linux-2.6.24.4/arch/x86/xen/enlighten.c 2008-03-24 14:49:18.000000000 -0400
12682 -+++ linux-2.6.24.4/arch/x86/xen/enlighten.c 2008-03-26 17:56:55.000000000 -0400
12683 -@@ -298,7 +298,7 @@ static void xen_set_ldt(const void *addr
12684 - static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
12685 - {
12686 - unsigned long *frames;
12687 -- unsigned long va = dtr->address;
12688 -+ unsigned long va = (unsigned long)dtr->address;
12689 - unsigned int size = dtr->size + 1;
12690 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
12691 - int f;
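Review bot: the new `(unsigned long)dtr->address` cast implies the address field of struct Xgt_desc_struct is now a pointer type, which has to come from a header change outside this hunk; the same cast is repeated in the loop condition of the next hunk and in the idt_desc hunk below, so all three depend on that change. State the dependency in the changelog so the three hunks can be reviewed together with the header.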
12692 -@@ -313,7 +313,7 @@ static void xen_load_gdt(const struct Xg
12693 - mcs = xen_mc_entry(sizeof(*frames) * pages);
12694 - frames = mcs.args;
12695 -
12696 -- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
12697 -+ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
12698 - frames[f] = virt_to_mfn(va);
12699 - make_lowmem_page_readonly((void *)va);
12700 - }
12701 -@@ -407,7 +407,7 @@ static void xen_write_idt_entry(struct d
12702 -
12703 - preempt_disable();
12704 -
12705 -- start = __get_cpu_var(idt_desc).address;
12706 -+ start = (unsigned long)__get_cpu_var(idt_desc).address;
12707 - end = start + __get_cpu_var(idt_desc).size + 1;
12708 -
12709 - xen_mc_flush();
12710 -diff -urNp linux-2.6.24.4/arch/x86/xen/smp.c linux-2.6.24.4/arch/x86/xen/smp.c
12711 ---- linux-2.6.24.4/arch/x86/xen/smp.c 2008-03-24 14:49:18.000000000 -0400
12712 -+++ linux-2.6.24.4/arch/x86/xen/smp.c 2008-03-26 17:56:55.000000000 -0400
12713 -@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
12714 -
12715 - /* We've switched to the "real" per-cpu gdt, so make sure the
12716 - old memory can be recycled */
12717 -- make_lowmem_page_readwrite(&per_cpu__gdt_page);
12718 -+ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
12719 -
12720 - for (cpu = 0; cpu < NR_CPUS; cpu++) {
12721 - cpus_clear(per_cpu(cpu_sibling_map, cpu));
12722 -@@ -208,7 +208,7 @@ static __cpuinit int
12723 - cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
12724 - {
12725 - struct vcpu_guest_context *ctxt;
12726 -- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
12727 -+ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
12728 -
12729 - if (cpu_test_and_set(cpu, cpu_initialized_map))
12730 - return 0;
12731 -@@ -218,8 +218,8 @@ cpu_initialize_context(unsigned int cpu,
12732 - return -ENOMEM;
12733 -
12734 - ctxt->flags = VGCF_IN_KERNEL;
12735 -- ctxt->user_regs.ds = __USER_DS;
12736 -- ctxt->user_regs.es = __USER_DS;
12737 -+ ctxt->user_regs.ds = __KERNEL_DS;
12738 -+ ctxt->user_regs.es = __KERNEL_DS;
12739 - ctxt->user_regs.fs = __KERNEL_PERCPU;
12740 - ctxt->user_regs.gs = 0;
12741 - ctxt->user_regs.ss = __KERNEL_DS;
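Review bot: changing the initial ds and es of a freshly initialised vCPU from __USER_DS to __KERNEL_DS is a semantic change that is independent of the gdt_page to get_cpu_gdt_table() refactor in the neighbouring hunks, and it carries no comment. ss was already __KERNEL_DS, so the apparent intent is that every data segment selector of a context that starts in kernel mode points at the kernel descriptor; please say so in a comment above the assignments, and mention in the changelog whether any PaX segmentation feature relies on it.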
12742 -@@ -232,11 +232,11 @@ cpu_initialize_context(unsigned int cpu,
12743 -
12744 - ctxt->ldt_ents = 0;
12745 -
12746 -- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
12747 -- make_lowmem_page_readonly(gdt->gdt);
12748 -+ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
12749 -+ make_lowmem_page_readonly(gdt);
12750 -
12751 -- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
12752 -- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
12753 -+ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
12754 -+ ctxt->gdt_ents = GDT_ENTRIES;
12755 -
12756 - ctxt->user_regs.cs = __KERNEL_CS;
12757 - ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
12758 -diff -urNp linux-2.6.24.4/crypto/async_tx/async_tx.c linux-2.6.24.4/crypto/async_tx/async_tx.c
12759 ---- linux-2.6.24.4/crypto/async_tx/async_tx.c 2008-03-24 14:49:18.000000000 -0400
12760 -+++ linux-2.6.24.4/crypto/async_tx/async_tx.c 2008-03-26 17:56:55.000000000 -0400
12761 -@@ -342,8 +342,8 @@ async_tx_init(void)
12762 - err:
12763 - printk(KERN_ERR "async_tx: initialization failure\n");
12764 -
12765 -- while (--cap >= 0)
12766 -- free_percpu(channel_table[cap]);
12767 -+ while (cap)
12768 -+ free_percpu(channel_table[--cap]);
12769 -
12770 - return 1;
12771 - }
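Review bot: the rewritten loop `while (cap) free_percpu(channel_table[--cap]);` is a real bug fix only if cap is an unsigned type, in which case the old `while (--cap >= 0)` was always true, underflowed and walked off the table on the error path. The declaration of cap is outside the hunk; please name its type in the changelog so this reads as the unsigned-underflow fix it appears to be rather than as a warning silencer.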
12772 -diff -urNp linux-2.6.24.4/crypto/lrw.c linux-2.6.24.4/crypto/lrw.c
12773 ---- linux-2.6.24.4/crypto/lrw.c 2008-03-24 14:49:18.000000000 -0400
12774 -+++ linux-2.6.24.4/crypto/lrw.c 2008-03-26 17:56:55.000000000 -0400
12775 -@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
12776 - struct priv *ctx = crypto_tfm_ctx(parent);
12777 - struct crypto_cipher *child = ctx->child;
12778 - int err, i;
12779 -- be128 tmp = { 0 };
12780 -+ be128 tmp = { 0, 0 };
12781 - int bsize = crypto_cipher_blocksize(child);
12782 -
12783 - crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
12784 -diff -urNp linux-2.6.24.4/Documentation/dontdiff linux-2.6.24.4/Documentation/dontdiff
12785 ---- linux-2.6.24.4/Documentation/dontdiff 2008-03-24 14:49:18.000000000 -0400
12786 -+++ linux-2.6.24.4/Documentation/dontdiff 2008-03-26 17:56:55.000000000 -0400
12787 -@@ -3,6 +3,7 @@
12788 - *.bin
12789 - *.cpio
12790 - *.css
12791 -+*.dbg
12792 - *.dvi
12793 - *.eps
12794 - *.gif
12795 -@@ -183,11 +184,14 @@ version.h*
12796 - vmlinux
12797 - vmlinux-*
12798 - vmlinux.aout
12799 --vmlinux*.lds*
12800 -+vmlinux.bin.all
12801 -+vmlinux*.lds
12802 -+vmlinux.relocs
12803 - vmlinux*.scr
12804 --vsyscall.lds
12805 -+vsyscall*.lds
12806 - wanxlfw.inc
12807 - uImage
12808 - unifdef
12809 -+utsrelease.h
12810 - zImage*
12811 - zconf.hash.c
12812 -diff -urNp linux-2.6.24.4/drivers/acpi/blacklist.c linux-2.6.24.4/drivers/acpi/blacklist.c
12813 ---- linux-2.6.24.4/drivers/acpi/blacklist.c 2008-03-24 14:49:18.000000000 -0400
12814 -+++ linux-2.6.24.4/drivers/acpi/blacklist.c 2008-03-26 17:56:55.000000000 -0400
12815 -@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
12816 - {"ASUS\0\0", "P2B-S ", 0, ACPI_SIG_DSDT, all_versions,
12817 - "Bogus PCI routing", 1},
12818 -
12819 -- {""}
12820 -+ {"", "", 0, 0, 0, all_versions, 0}
12821 - };
12822 -
12823 - #if CONFIG_ACPI_BLACKLIST_YEAR
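Review bot: the field order in the new sentinel does not match the entry above it. In the ASUS entry all_versions is the fifth initializer (oem_revision_predicate) and the reason string is the sixth, whereas `{"", "", 0, 0, 0, all_versions, 0}` puts all_versions in the reason slot. It only compiles because the enumerator is zero and therefore a valid null pointer constant. Use `{"", "", 0, 0, all_versions, NULL, 0}` so the terminator is explicit in the right fields.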
12824 -diff -urNp linux-2.6.24.4/drivers/acpi/osl.c linux-2.6.24.4/drivers/acpi/osl.c
12825 ---- linux-2.6.24.4/drivers/acpi/osl.c 2008-03-24 14:49:18.000000000 -0400
12826 -+++ linux-2.6.24.4/drivers/acpi/osl.c 2008-03-26 17:56:55.000000000 -0400
12827 -@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
12828 - void __iomem *virt_addr;
12829 -
12830 - virt_addr = ioremap(phys_addr, width);
12831 -+ if (!virt_addr)
12832 -+ return AE_NO_MEMORY;
12833 - if (!value)
12834 - value = &dummy;
12835 -
12836 -@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
12837 - void __iomem *virt_addr;
12838 -
12839 - virt_addr = ioremap(phys_addr, width);
12840 -+ if (!virt_addr)
12841 -+ return AE_NO_MEMORY;
12842 -
12843 - switch (width) {
12844 - case 8:
12845 -@@ -520,7 +524,7 @@ acpi_os_write_memory(acpi_physical_addre
12846 -
12847 - acpi_status
12848 - acpi_os_read_pci_configuration(struct acpi_pci_id * pci_id, u32 reg,
12849 -- void *value, u32 width)
12850 -+ u32 *value, u32 width)
12851 - {
12852 - int result, size;
12853 -
12854 -@@ -592,7 +596,7 @@ static void acpi_os_derive_pci_id_2(acpi
12855 - acpi_status status;
12856 - unsigned long temp;
12857 - acpi_object_type type;
12858 -- u8 tu8;
12859 -+ u32 tu8;
12860 -
12861 - acpi_get_parent(chandle, &handle);
12862 - if (handle != rhandle) {
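Review bot: tu8 keeps its name after its type became u32, which will mislead the next reader; rename it in the same hunk (tu32 or temp_val). The type change itself follows from the previous hunk, where acpi_os_read_pci_configuration() now takes `u32 *value`: if &tu8 is what gets passed to it (the call is outside the hunk), a u8 variable would have received a 4-byte store, so the widening is the correct fix.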
12863 -diff -urNp linux-2.6.24.4/drivers/acpi/processor_core.c linux-2.6.24.4/drivers/acpi/processor_core.c
12864 ---- linux-2.6.24.4/drivers/acpi/processor_core.c 2008-03-24 14:49:18.000000000 -0400
12865 -+++ linux-2.6.24.4/drivers/acpi/processor_core.c 2008-03-26 17:56:55.000000000 -0400
12866 -@@ -632,7 +632,7 @@ static int __cpuinit acpi_processor_star
12867 - return 0;
12868 - }
12869 -
12870 -- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
12871 -+ BUG_ON(pr->id >= nr_cpu_ids);
12872 -
12873 - /*
12874 - * Buggy BIOS check
12875 -diff -urNp linux-2.6.24.4/drivers/acpi/processor_idle.c linux-2.6.24.4/drivers/acpi/processor_idle.c
12876 ---- linux-2.6.24.4/drivers/acpi/processor_idle.c 2008-03-24 14:49:18.000000000 -0400
12877 -+++ linux-2.6.24.4/drivers/acpi/processor_idle.c 2008-03-26 17:56:55.000000000 -0400
12878 -@@ -178,7 +178,7 @@ static struct dmi_system_id __cpuinitdat
12879 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
12880 - DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
12881 - (void *)2},
12882 -- {},
12883 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
12884 - };
12885 -
12886 - static inline u32 ticks_elapsed(u32 t1, u32 t2)
12887 -diff -urNp linux-2.6.24.4/drivers/acpi/sleep/main.c linux-2.6.24.4/drivers/acpi/sleep/main.c
12888 ---- linux-2.6.24.4/drivers/acpi/sleep/main.c 2008-03-24 14:49:18.000000000 -0400
12889 -+++ linux-2.6.24.4/drivers/acpi/sleep/main.c 2008-03-26 17:56:55.000000000 -0400
12890 -@@ -224,7 +224,7 @@ static struct dmi_system_id __initdata a
12891 - .ident = "Toshiba Satellite 4030cdt",
12892 - .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
12893 - },
12894 -- {},
12895 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
12896 - };
12897 - #endif /* CONFIG_SUSPEND */
12898 -
12899 -diff -urNp linux-2.6.24.4/drivers/acpi/tables/tbfadt.c linux-2.6.24.4/drivers/acpi/tables/tbfadt.c
12900 ---- linux-2.6.24.4/drivers/acpi/tables/tbfadt.c 2008-03-24 14:49:18.000000000 -0400
12901 -+++ linux-2.6.24.4/drivers/acpi/tables/tbfadt.c 2008-03-26 17:56:55.000000000 -0400
12902 -@@ -48,7 +48,7 @@
12903 - ACPI_MODULE_NAME("tbfadt")
12904 -
12905 - /* Local prototypes */
12906 --static void inline
12907 -+static inline void
12908 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
12909 - u8 bit_width, u64 address);
12910 -
12911 -@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
12912 - *
12913 - ******************************************************************************/
12914 -
12915 --static void inline
12916 -+static inline void
12917 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
12918 - u8 bit_width, u64 address)
12919 - {
12920 -diff -urNp linux-2.6.24.4/drivers/acpi/tables/tbxface.c linux-2.6.24.4/drivers/acpi/tables/tbxface.c
12921 ---- linux-2.6.24.4/drivers/acpi/tables/tbxface.c 2008-03-24 14:49:18.000000000 -0400
12922 -+++ linux-2.6.24.4/drivers/acpi/tables/tbxface.c 2008-03-26 17:56:55.000000000 -0400
12923 -@@ -540,7 +540,7 @@ static acpi_status acpi_tb_load_namespac
12924 - acpi_tb_print_table_header(0, table);
12925 -
12926 - if (no_auto_ssdt == 0) {
12927 -- printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"");
12928 -+ printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"\n");
12929 - }
12930 - }
12931 -
12932 -diff -urNp linux-2.6.24.4/drivers/ata/ahci.c linux-2.6.24.4/drivers/ata/ahci.c
12933 ---- linux-2.6.24.4/drivers/ata/ahci.c 2008-03-24 14:49:18.000000000 -0400
12934 -+++ linux-2.6.24.4/drivers/ata/ahci.c 2008-03-26 17:56:55.000000000 -0400
12935 -@@ -563,7 +563,7 @@ static const struct pci_device_id ahci_p
12936 - { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
12937 - PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
12938 -
12939 -- { } /* terminate list */
12940 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
12941 - };
12942 -
12943 -
12944 -diff -urNp linux-2.6.24.4/drivers/ata/ata_piix.c linux-2.6.24.4/drivers/ata/ata_piix.c
12945 ---- linux-2.6.24.4/drivers/ata/ata_piix.c 2008-03-24 14:49:18.000000000 -0400
12946 -+++ linux-2.6.24.4/drivers/ata/ata_piix.c 2008-03-26 17:56:55.000000000 -0400
12947 -@@ -264,7 +264,7 @@ static const struct pci_device_id piix_p
12948 - /* SATA Controller IDE (Tolapai) */
12949 - { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
12950 -
12951 -- { } /* terminate list */
12952 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
12953 - };
12954 -
12955 - static struct pci_driver piix_pci_driver = {
12956 -@@ -701,7 +701,7 @@ static const struct ich_laptop ich_lapto
12957 - { 0x27DF, 0x103C, 0x30A1 }, /* ICH7 on HP Compaq nc2400 */
12958 - { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
12959 - /* end marker */
12960 -- { 0, }
12961 -+ { 0, 0, 0 }
12962 - };
12963 -
12964 - /**
12965 -@@ -1097,7 +1097,7 @@ static int piix_broken_suspend(void)
12966 - },
12967 - },
12968 -
12969 -- { } /* terminate list */
12970 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
12971 - };
12972 - static const char *oemstrs[] = {
12973 - "Tecra M3,",
12974 -diff -urNp linux-2.6.24.4/drivers/ata/libata-core.c linux-2.6.24.4/drivers/ata/libata-core.c
12975 ---- linux-2.6.24.4/drivers/ata/libata-core.c 2008-03-24 14:49:18.000000000 -0400
12976 -+++ linux-2.6.24.4/drivers/ata/libata-core.c 2008-03-26 17:56:55.000000000 -0400
12977 -@@ -489,7 +489,7 @@ static const struct ata_xfer_ent {
12978 - { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
12979 - { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
12980 - { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
12981 -- { -1, },
12982 -+ { -1, 0, 0 },
12983 - };
12984 -
12985 - /**
12986 -@@ -2814,7 +2814,7 @@ static const struct ata_timing ata_timin
12987 -
12988 - /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
12989 -
12990 -- { 0xFF }
12991 -+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
12992 - };
12993 -
12994 - #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
12995 -@@ -4178,7 +4178,7 @@ static const struct ata_blacklist_entry
12996 - { "TSSTcorp CDDVDW SH-S202N", "SB01", ATA_HORKAGE_IVB, },
12997 -
12998 - /* End Marker */
12999 -- { }
13000 -+ { NULL, NULL, 0 }
13001 - };
13002 -
13003 - static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
13004 -diff -urNp linux-2.6.24.4/drivers/char/agp/frontend.c linux-2.6.24.4/drivers/char/agp/frontend.c
13005 ---- linux-2.6.24.4/drivers/char/agp/frontend.c 2008-03-24 14:49:18.000000000 -0400
13006 -+++ linux-2.6.24.4/drivers/char/agp/frontend.c 2008-03-26 17:56:55.000000000 -0400
13007 -@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
13008 - if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
13009 - return -EFAULT;
13010 -
13011 -- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
13012 -+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
13013 - return -EFAULT;
13014 -
13015 - client = agp_find_client_by_pid(reserve.pid);
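Review bot: the overflow guard on reserve.seg_count now divides ~0U by sizeof(struct agp_segment_priv) instead of sizeof(struct agp_segment); that is only the right bound if the allocation this check protects (the allocation of the segment array, outside the hunk) is sized with agp_segment_priv. Please confirm both sites use the same struct, and consider moving the multiplication-overflow test into one helper so the check and the allocation cannot drift apart again. As a minor point, an oversized count is a bad argument, so -EINVAL describes it better than the -EFAULT kept from the copy_from_user() failure above.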
13016 -diff -urNp linux-2.6.24.4/drivers/char/agp/intel-agp.c linux-2.6.24.4/drivers/char/agp/intel-agp.c
13017 ---- linux-2.6.24.4/drivers/char/agp/intel-agp.c 2008-03-24 14:49:18.000000000 -0400
13018 -+++ linux-2.6.24.4/drivers/char/agp/intel-agp.c 2008-03-26 17:56:55.000000000 -0400
13019 -@@ -2080,7 +2080,7 @@ static struct pci_device_id agp_intel_pc
13020 - ID(PCI_DEVICE_ID_INTEL_G33_HB),
13021 - ID(PCI_DEVICE_ID_INTEL_Q35_HB),
13022 - ID(PCI_DEVICE_ID_INTEL_Q33_HB),
13023 -- { }
13024 -+ { 0, 0, 0, 0, 0, 0, 0 }
13025 - };
13026 -
13027 - MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
13028 -diff -urNp linux-2.6.24.4/drivers/char/drm/drm_pciids.h linux-2.6.24.4/drivers/char/drm/drm_pciids.h
13029 ---- linux-2.6.24.4/drivers/char/drm/drm_pciids.h 2008-03-24 14:49:18.000000000 -0400
13030 -+++ linux-2.6.24.4/drivers/char/drm/drm_pciids.h 2008-03-26 17:56:55.000000000 -0400
13031 -@@ -249,7 +249,7 @@
13032 - {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13033 - {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13034 - {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13035 -- {0, 0, 0}
13036 -+ {0, 0, 0, 0, 0, 0, 0 }
13037 -
13038 - #define i830_PCI_IDS \
13039 - {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
13040 -diff -urNp linux-2.6.24.4/drivers/char/hpet.c linux-2.6.24.4/drivers/char/hpet.c
13041 ---- linux-2.6.24.4/drivers/char/hpet.c 2008-03-24 14:49:18.000000000 -0400
13042 -+++ linux-2.6.24.4/drivers/char/hpet.c 2008-03-26 17:56:55.000000000 -0400
13043 -@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
13044 - },
13045 - };
13046 -
13047 --static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
13048 -+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
13049 -
13050 - static int __init hpet_init(void)
13051 - {
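Review bot: the positional initializer `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` hard-codes the field order of struct miscdevice, including the embedded list_head, so any reordering or added field silently shifts every value. Designated initializers (`.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops`) leave the remaining fields zero-filled without that fragility and without the missing-field warning this change is presumably silencing. The same applies to the nvram_dev hunk below.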
13052 -diff -urNp linux-2.6.24.4/drivers/char/keyboard.c linux-2.6.24.4/drivers/char/keyboard.c
13053 ---- linux-2.6.24.4/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
13054 -+++ linux-2.6.24.4/drivers/char/keyboard.c 2008-03-26 17:56:55.000000000 -0400
13055 -@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
13056 - kbd->kbdmode == VC_MEDIUMRAW) &&
13057 - value != KVAL(K_SAK))
13058 - return; /* SAK is allowed even in raw mode */
13059 -+
13060 -+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
13061 -+ {
13062 -+ void *func = fn_handler[value];
13063 -+ if (func == fn_show_state || func == fn_show_ptregs ||
13064 -+ func == fn_show_mem)
13065 -+ return;
13066 -+ }
13067 -+#endif
13068 -+
13069 - fn_handler[value](vc);
13070 - }
13071 -
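Review bot: the new block intercepts the fn_show_state, fn_show_ptregs and fn_show_mem handlers before `fn_handler[value](vc)` is reached, so with CONFIG_GRKERNSEC_PROC or CONFIG_GRKERNSEC_PROC_MEMMAP the console can no longer dump task state, registers or memory information on a key combination. Comparing function pointers is robust against table reordering, but the keypress is swallowed silently; add a comment naming the rationale (these dumps expose kernel state that the PROC options otherwise hide) so the next reader does not take the block for dead code.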
13072 -@@ -1385,7 +1395,7 @@ static const struct input_device_id kbd_
13073 - .evbit = { BIT_MASK(EV_SND) },
13074 - },
13075 -
13076 -- { }, /* Terminating entry */
13077 -+ { 0 }, /* Terminating entry */
13078 - };
13079 -
13080 - MODULE_DEVICE_TABLE(input, kbd_ids);
13081 -diff -urNp linux-2.6.24.4/drivers/char/mem.c linux-2.6.24.4/drivers/char/mem.c
13082 ---- linux-2.6.24.4/drivers/char/mem.c 2008-03-24 14:49:18.000000000 -0400
13083 -+++ linux-2.6.24.4/drivers/char/mem.c 2008-03-26 17:56:55.000000000 -0400
13084 -@@ -26,6 +26,7 @@
13085 - #include <linux/bootmem.h>
13086 - #include <linux/splice.h>
13087 - #include <linux/pfn.h>
13088 -+#include <linux/grsecurity.h>
13089 -
13090 - #include <asm/uaccess.h>
13091 - #include <asm/io.h>
13092 -@@ -34,6 +35,10 @@
13093 - # include <linux/efi.h>
13094 - #endif
13095 -
13096 -+#ifdef CONFIG_GRKERNSEC
13097 -+extern struct file_operations grsec_fops;
13098 -+#endif
13099 -+
13100 - /*
13101 - * Architectures vary in how they handle caching for addresses
13102 - * outside of main memory.
13103 -@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
13104 - if (!valid_phys_addr_range(p, count))
13105 - return -EFAULT;
13106 -
13107 -+#ifdef CONFIG_GRKERNSEC_KMEM
13108 -+ gr_handle_mem_write();
13109 -+ return -EPERM;
13110 -+#endif
13111 -+
13112 - written = 0;
13113 -
13114 - #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
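Review bot: with CONFIG_GRKERNSEC_KMEM set, the unconditional `return -EPERM;` after gr_handle_mem_write() makes everything from `written = 0;` to the end of write_mem() unreachable, which some compilers warn about and which leaves dead code in the build; putting the remainder in an #else branch, or having write_mem() call a small helper that returns early, keeps the function readable. The placement is right: the denial comes after the valid_phys_addr_range() check, so callers with a bad range see the same error as before.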
13115 -@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
13116 - if (!private_mapping_ok(vma))
13117 - return -ENOSYS;
13118 -
13119 -+#ifdef CONFIG_GRKERNSEC_KMEM
13120 -+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
13121 -+ return -EPERM;
13122 -+#endif
13123 -+
13124 - vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
13125 - size,
13126 - vma->vm_page_prot);
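Review bot: `vma->vm_pgoff << PAGE_SHIFT` is evaluated in unsigned long, so on a 32-bit kernel with physical addresses above 4 GiB (PAE) the high bits are lost before gr_handle_mem_mmap() sees the address, and a mapping of a high physical page would be judged on a truncated value. Pass the pfn (vma->vm_pgoff) and compare against pfns in the callee, or compute the address in a u64.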
13127 -@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
13128 - ssize_t written;
13129 - char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
13130 -
13131 -+#ifdef CONFIG_GRKERNSEC_KMEM
13132 -+ gr_handle_kmem_write();
13133 -+ return -EPERM;
13134 -+#endif
13135 -+
13136 - if (p < (unsigned long) high_memory) {
13137 -
13138 - wrote = count;
13139 -@@ -714,6 +734,16 @@ static loff_t memory_lseek(struct file *
13140 -
13141 - static int open_port(struct inode * inode, struct file * filp)
13142 - {
13143 -+#ifdef CONFIG_GRKERNSEC_KMEM
13144 -+ gr_handle_open_port();
13145 -+ return -EPERM;
13146 -+#endif
13147 -+
13148 -+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
13149 -+}
13150 -+
13151 -+static int open_mem(struct inode * inode, struct file * filp)
13152 -+{
13153 - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
13154 - }
13155 -
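Review bot: splitting open_mem() out of open_port() means /dev/mem, and via the open_kmem and open_oldmem defines in the next hunk also /dev/kmem and /dev/oldmem, keep the CAP_SYS_RAWIO check, while only /dev/port is refused outright under CONFIG_GRKERNSEC_KMEM (the write and mmap paths of /dev/mem are denied in the earlier hunks). That asymmetry looks intentional but should be stated in a comment above open_port(), because the two functions are now identical except for the ifdef. As in write_mem(), the `return capable(...)` after the ifdef block is unreachable when the option is on.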
13156 -@@ -721,7 +751,6 @@ static int open_port(struct inode * inod
13157 - #define full_lseek null_lseek
13158 - #define write_zero write_null
13159 - #define read_full read_zero
13160 --#define open_mem open_port
13161 - #define open_kmem open_mem
13162 - #define open_oldmem open_mem
13163 -
13164 -@@ -854,6 +883,11 @@ static int memory_open(struct inode * in
13165 - filp->f_op = &oldmem_fops;
13166 - break;
13167 - #endif
13168 -+#ifdef CONFIG_GRKERNSEC
13169 -+ case 13:
13170 -+ filp->f_op = &grsec_fops;
13171 -+ break;
13172 -+#endif
13173 - default:
13174 - return -ENXIO;
13175 - }
13176 -@@ -886,6 +920,9 @@ static const struct {
13177 - #ifdef CONFIG_CRASH_DUMP
13178 - {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
13179 - #endif
13180 -+#ifdef CONFIG_GRKERNSEC
13181 -+ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
13182 -+#endif
13183 - };
13184 -
13185 - static struct class *mem_class;
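Review bot: the new minor 13 node "grsec" is registered with mode `S_IRUSR | S_IWUGO`, i.e. world-writable, which is unusual for the mem class and will be flagged by any audit of writable device nodes. If that is intended because the write path in grsec_fops performs its own authentication, say so in a comment next to the entry; and since the node is readable only by root but writable by everyone, the write handler is the only surface unprivileged users reach, so it is the one to review for parsing robustness.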
13186 -diff -urNp linux-2.6.24.4/drivers/char/nvram.c linux-2.6.24.4/drivers/char/nvram.c
13187 ---- linux-2.6.24.4/drivers/char/nvram.c 2008-03-24 14:49:18.000000000 -0400
13188 -+++ linux-2.6.24.4/drivers/char/nvram.c 2008-03-26 17:56:55.000000000 -0400
13189 -@@ -430,7 +430,10 @@ static const struct file_operations nvra
13190 - static struct miscdevice nvram_dev = {
13191 - NVRAM_MINOR,
13192 - "nvram",
13193 -- &nvram_fops
13194 -+ &nvram_fops,
13195 -+ {NULL, NULL},
13196 -+ NULL,
13197 -+ NULL
13198 - };
13199 -
13200 - static int __init
13201 -diff -urNp linux-2.6.24.4/drivers/char/random.c linux-2.6.24.4/drivers/char/random.c
13202 ---- linux-2.6.24.4/drivers/char/random.c 2008-03-24 14:49:18.000000000 -0400
13203 -+++ linux-2.6.24.4/drivers/char/random.c 2008-03-26 17:56:55.000000000 -0400
13204 -@@ -248,8 +248,13 @@
13205 - /*
13206 - * Configuration information
13207 - */
13208 -+#ifdef CONFIG_GRKERNSEC_RANDNET
13209 -+#define INPUT_POOL_WORDS 512
13210 -+#define OUTPUT_POOL_WORDS 128
13211 -+#else
13212 - #define INPUT_POOL_WORDS 128
13213 - #define OUTPUT_POOL_WORDS 32
13214 -+#endif
13215 - #define SEC_XFER_SIZE 512
13216 -
13217 - /*
13218 -@@ -286,10 +291,17 @@ static struct poolinfo {
13219 - int poolwords;
13220 - int tap1, tap2, tap3, tap4, tap5;
13221 - } poolinfo_table[] = {
13222 -+#ifdef CONFIG_GRKERNSEC_RANDNET
13223 -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
13224 -+ { 512, 411, 308, 208, 104, 1 },
13225 -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
13226 -+ { 128, 103, 76, 51, 25, 1 },
13227 -+#else
13228 - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
13229 - { 128, 103, 76, 51, 25, 1 },
13230 - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
13231 - { 32, 26, 20, 14, 7, 1 },
13232 -+#endif
13233 - #if 0
13234 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
13235 - { 2048, 1638, 1231, 819, 411, 1 },
13236 -@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
13237 - #include <linux/sysctl.h>
13238 -
13239 - static int min_read_thresh = 8, min_write_thresh;
13240 --static int max_read_thresh = INPUT_POOL_WORDS * 32;
13241 -+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
13242 - static int max_write_thresh = INPUT_POOL_WORDS * 32;
13243 - static char sysctl_bootid[16];
13244 -
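Review bot: the change of max_read_thresh from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` is not under #ifdef CONFIG_GRKERNSEC_RANDNET, so it alters the sysctl bound in every configuration, and it lowers the largest read_wakeup_threshold an administrator can set (to 1024 bits in the default build, 4096 with RANDNET, from the values in the first hunk). If the intent is that the read threshold must not exceed what the output pool can hold, add a comment saying so; otherwise this belongs in a separate, explained change.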
13245 -diff -urNp linux-2.6.24.4/drivers/char/vt_ioctl.c linux-2.6.24.4/drivers/char/vt_ioctl.c
13246 ---- linux-2.6.24.4/drivers/char/vt_ioctl.c 2008-03-24 14:49:18.000000000 -0400
13247 -+++ linux-2.6.24.4/drivers/char/vt_ioctl.c 2008-03-26 17:56:55.000000000 -0400
13248 -@@ -96,6 +96,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
13249 - case KDSKBENT:
13250 - if (!perm)
13251 - return -EPERM;
13252 -+
13253 -+#ifdef CONFIG_GRKERNSEC
13254 -+ if (!capable(CAP_SYS_TTY_CONFIG))
13255 -+ return -EPERM;
13256 -+#endif
13257 -+
13258 - if (!i && v == K_NOSUCHMAP) {
13259 - /* deallocate map */
13260 - key_map = key_maps[s];
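Review bot: the added capable(CAP_SYS_TTY_CONFIG) requirement for KDSKBENT sits after the existing `if (!perm) return -EPERM;`, so a tty owner who previously passed the perm test is now refused as well. That is the point of the hardening (a rewritten keymap turns ordinary keys into arbitrary characters for whoever uses the console next), but it also means loadkeys and similar tools stop working for non-root users on their own console; document that behaviour change in the CONFIG_GRKERNSEC help text. The same applies to the KDSKBSENT check in do_kdgkb_ioctl() below, which correctly uses `ret = -EPERM; goto reterr;` so the existing error exit still runs.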
13261 -@@ -236,6 +242,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
13262 - goto reterr;
13263 - }
13264 -
13265 -+#ifdef CONFIG_GRKERNSEC
13266 -+ if (!capable(CAP_SYS_TTY_CONFIG)) {
13267 -+ ret = -EPERM;
13268 -+ goto reterr;
13269 -+ }
13270 -+#endif
13271 -+
13272 - q = func_table[i];
13273 - first_free = funcbufptr + (funcbufsize - funcbufleft);
13274 - for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
13275 -diff -urNp linux-2.6.24.4/drivers/edac/edac_core.h linux-2.6.24.4/drivers/edac/edac_core.h
13276 ---- linux-2.6.24.4/drivers/edac/edac_core.h 2008-03-24 14:49:18.000000000 -0400
13277 -+++ linux-2.6.24.4/drivers/edac/edac_core.h 2008-03-26 17:56:55.000000000 -0400
13278 -@@ -86,11 +86,11 @@ extern int edac_debug_level;
13279 -
13280 - #else /* !CONFIG_EDAC_DEBUG */
13281 -
13282 --#define debugf0( ... )
13283 --#define debugf1( ... )
13284 --#define debugf2( ... )
13285 --#define debugf3( ... )
13286 --#define debugf4( ... )
13287 -+#define debugf0( ... ) do {} while (0)
13288 -+#define debugf1( ... ) do {} while (0)
13289 -+#define debugf2( ... ) do {} while (0)
13290 -+#define debugf3( ... ) do {} while (0)
13291 -+#define debugf4( ... ) do {} while (0)
13292 -
13293 - #endif /* !CONFIG_EDAC_DEBUG */
13294 -
13295 -diff -urNp linux-2.6.24.4/drivers/firmware/dmi_scan.c linux-2.6.24.4/drivers/firmware/dmi_scan.c
13296 ---- linux-2.6.24.4/drivers/firmware/dmi_scan.c 2008-03-24 14:49:18.000000000 -0400
13297 -+++ linux-2.6.24.4/drivers/firmware/dmi_scan.c 2008-03-26 17:56:55.000000000 -0400
13298 -@@ -318,21 +318,19 @@ void __init dmi_scan_machine(void)
13299 - }
13300 - }
13301 - else {
13302 -- /*
13303 -- * no iounmap() for that ioremap(); it would be a no-op, but
13304 -- * it's so early in setup that sucker gets confused into doing
13305 -- * what it shouldn't if we actually call it.
13306 -- */
13307 - p = dmi_ioremap(0xF0000, 0x10000);
13308 - if (p == NULL)
13309 - goto out;
13310 -
13311 - for (q = p; q < p + 0x10000; q += 16) {
13312 - rc = dmi_present(q);
13313 -- if (!rc) {
13314 -- dmi_available = 1;
13315 -- return;
13316 -- }
13317 -+ if (!rc)
13318 -+ break;
13319 -+ }
13320 -+ dmi_iounmap(p, 0x10000);
13321 -+ if (!rc) {
13322 -+ dmi_available = 1;
13323 -+ return;
13324 - }
13325 - }
13326 - out: printk(KERN_INFO "DMI not present or invalid.\n");
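Review bot: this hunk deletes the comment explaining why the early ioremap was deliberately never unmapped ("so early in setup that sucker gets confused") and then adds exactly that unmap as `dmi_iounmap(p, 0x10000)`. Either the concern no longer applies, for instance because dmi_iounmap() is an early-mapping wrapper rather than plain iounmap(), in which case say so in the changelog, or this reintroduces the problem the comment warned about. The control flow itself is sound: rc is 0 only when dmi_present() succeeded for some q, the loop breaks on that, and the unmap now happens on both the found and not-found paths before dmi_available is set.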
13327 -diff -urNp linux-2.6.24.4/drivers/hwmon/fscpos.c linux-2.6.24.4/drivers/hwmon/fscpos.c
13328 ---- linux-2.6.24.4/drivers/hwmon/fscpos.c 2008-03-24 14:49:18.000000000 -0400
13329 -+++ linux-2.6.24.4/drivers/hwmon/fscpos.c 2008-03-26 17:56:55.000000000 -0400
13330 -@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
13331 - unsigned long v = simple_strtoul(buf, NULL, 10);
13332 -
13333 - /* Range: 0..255 */
13334 -- if (v < 0) v = 0;
13335 - if (v > 255) v = 255;
13336 -
13337 - mutex_lock(&data->update_lock);
13338 -diff -urNp linux-2.6.24.4/drivers/hwmon/k8temp.c linux-2.6.24.4/drivers/hwmon/k8temp.c
13339 ---- linux-2.6.24.4/drivers/hwmon/k8temp.c 2008-03-24 14:49:18.000000000 -0400
13340 -+++ linux-2.6.24.4/drivers/hwmon/k8temp.c 2008-03-26 17:56:55.000000000 -0400
13341 -@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
13342 -
13343 - static struct pci_device_id k8temp_ids[] = {
13344 - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
13345 -- { 0 },
13346 -+ { 0, 0, 0, 0, 0, 0, 0 },
13347 - };
13348 -
13349 - MODULE_DEVICE_TABLE(pci, k8temp_ids);
13350 -diff -urNp linux-2.6.24.4/drivers/hwmon/sis5595.c linux-2.6.24.4/drivers/hwmon/sis5595.c
13351 ---- linux-2.6.24.4/drivers/hwmon/sis5595.c 2008-03-24 14:49:18.000000000 -0400
13352 -+++ linux-2.6.24.4/drivers/hwmon/sis5595.c 2008-03-26 17:56:55.000000000 -0400
13353 -@@ -698,7 +698,7 @@ static struct sis5595_data *sis5595_upda
13354 -
13355 - static struct pci_device_id sis5595_pci_ids[] = {
13356 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
13357 -- { 0, }
13358 -+ { 0, 0, 0, 0, 0, 0, 0 }
13359 - };
13360 -
13361 - MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
13362 -diff -urNp linux-2.6.24.4/drivers/hwmon/thmc50.c linux-2.6.24.4/drivers/hwmon/thmc50.c
13363 ---- linux-2.6.24.4/drivers/hwmon/thmc50.c 2008-03-24 14:49:18.000000000 -0400
13364 -+++ linux-2.6.24.4/drivers/hwmon/thmc50.c 2008-03-26 17:56:55.000000000 -0400
13365 -@@ -52,9 +52,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
13366 - */
13367 - #define THMC50_REG_INTR 0x41
13368 -
13369 --const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
13370 --const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
13371 --const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
13372 -+static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
13373 -+static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
13374 -+static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
13375 -
13376 - #define THMC50_REG_CONF_nFANOFF 0x20
13377 -
13378 -diff -urNp linux-2.6.24.4/drivers/hwmon/via686a.c linux-2.6.24.4/drivers/hwmon/via686a.c
13379 ---- linux-2.6.24.4/drivers/hwmon/via686a.c 2008-03-24 14:49:18.000000000 -0400
13380 -+++ linux-2.6.24.4/drivers/hwmon/via686a.c 2008-03-26 17:56:55.000000000 -0400
13381 -@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
13382 -
13383 - static struct pci_device_id via686a_pci_ids[] = {
13384 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
13385 -- { 0, }
13386 -+ { 0, 0, 0, 0, 0, 0, 0 }
13387 - };
13388 -
13389 - MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
13390 -diff -urNp linux-2.6.24.4/drivers/hwmon/vt8231.c linux-2.6.24.4/drivers/hwmon/vt8231.c
13391 ---- linux-2.6.24.4/drivers/hwmon/vt8231.c 2008-03-24 14:49:18.000000000 -0400
13392 -+++ linux-2.6.24.4/drivers/hwmon/vt8231.c 2008-03-26 17:56:55.000000000 -0400
13393 -@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
13394 -
13395 - static struct pci_device_id vt8231_pci_ids[] = {
13396 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
13397 -- { 0, }
13398 -+ { 0, 0, 0, 0, 0, 0, 0 }
13399 - };
13400 -
13401 - MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
13402 -diff -urNp linux-2.6.24.4/drivers/hwmon/w83791d.c linux-2.6.24.4/drivers/hwmon/w83791d.c
13403 ---- linux-2.6.24.4/drivers/hwmon/w83791d.c 2008-03-24 14:49:18.000000000 -0400
13404 -+++ linux-2.6.24.4/drivers/hwmon/w83791d.c 2008-03-26 17:56:55.000000000 -0400
13405 -@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
13406 - static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
13407 - static int w83791d_detach_client(struct i2c_client *client);
13408 -
13409 --static int w83791d_read(struct i2c_client *client, u8 register);
13410 --static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
13411 -+static int w83791d_read(struct i2c_client *client, u8 reg);
13412 -+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
13413 - static struct w83791d_data *w83791d_update_device(struct device *dev);
13414 -
13415 - #ifdef DEBUG
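Review bot: `u8 register` names a parameter with the storage-class keyword, which compiles only because a prototype may carry a storage class with an abstract declarator, so the rename to reg is right; the function definitions (outside the hunk) must use the same parameter name so prototype and definition stay consistent.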
13416 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c
13417 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c 2008-03-24 14:49:18.000000000 -0400
13418 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-i801.c 2008-03-26 17:56:55.000000000 -0400
13419 -@@ -545,7 +545,7 @@ static struct pci_device_id i801_ids[] =
13420 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
13421 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
13422 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TOLAPAI_1) },
13423 -- { 0, }
13424 -+ { 0, 0, 0, 0, 0, 0, 0 }
13425 - };
13426 -
13427 - MODULE_DEVICE_TABLE (pci, i801_ids);
13428 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c
13429 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c 2008-03-24 14:49:18.000000000 -0400
13430 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-i810.c 2008-03-26 17:56:55.000000000 -0400
13431 -@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
13432 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
13433 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
13434 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
13435 -- { 0, },
13436 -+ { 0, 0, 0, 0, 0, 0, 0 },
13437 - };
13438 -
13439 - MODULE_DEVICE_TABLE (pci, i810_ids);
13440 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c
13441 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c 2008-03-24 14:49:18.000000000 -0400
13442 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-piix4.c 2008-03-26 17:56:55.000000000 -0400
13443 -@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
13444 - .ident = "IBM",
13445 - .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
13446 - },
13447 -- { },
13448 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
13449 - };
13450 -
13451 - static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
13452 -@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
13453 - .driver_data = 3 },
13454 - { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
13455 - .driver_data = 0 },
13456 -- { 0, }
13457 -+ { 0, 0, 0, 0, 0, 0, 0 }
13458 - };
13459 -
13460 - MODULE_DEVICE_TABLE (pci, piix4_ids);
13461 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c
13462 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c 2008-03-24 14:49:18.000000000 -0400
13463 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-sis630.c 2008-03-26 17:56:56.000000000 -0400
13464 -@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
13465 - static struct pci_device_id sis630_ids[] __devinitdata = {
13466 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
13467 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
13468 -- { 0, }
13469 -+ { 0, 0, 0, 0, 0, 0, 0 }
13470 - };
13471 -
13472 - MODULE_DEVICE_TABLE (pci, sis630_ids);
13473 -diff -urNp linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c
13474 ---- linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c 2008-03-24 14:49:18.000000000 -0400
13475 -+++ linux-2.6.24.4/drivers/i2c/busses/i2c-sis96x.c 2008-03-26 17:56:56.000000000 -0400
13476 -@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
13477 -
13478 - static struct pci_device_id sis96x_ids[] = {
13479 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
13480 -- { 0, }
13481 -+ { 0, 0, 0, 0, 0, 0, 0 }
13482 - };
13483 -
13484 - MODULE_DEVICE_TABLE (pci, sis96x_ids);
13485 -diff -urNp linux-2.6.24.4/drivers/ide/ide-cd.c linux-2.6.24.4/drivers/ide/ide-cd.c
13486 ---- linux-2.6.24.4/drivers/ide/ide-cd.c 2008-03-24 14:49:18.000000000 -0400
13487 -+++ linux-2.6.24.4/drivers/ide/ide-cd.c 2008-03-26 17:56:56.000000000 -0400
13488 -@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
13489 - sector &= ~(bio_sectors -1);
13490 - valid = (sector - failed_command->sector) << 9;
13491 -
13492 -- if (valid < 0)
13493 -- valid = 0;
13494 - if (sector < get_capacity(info->disk) &&
13495 - drive->probed_capacity - sector < 4 * 75) {
13496 - set_capacity(info->disk, sector);
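Review bot: dropping the `if (valid < 0) valid = 0;` clamp in cdrom_analyze_sense_data is only a no-op if `valid` is an unsigned type, and the declaration is outside the hunk. `valid = (sector - failed_command->sector) << 9;` yields a huge value whenever sector is below failed_command->sector; if `valid` is signed the clamp was doing real work, and if it is unsigned the comparison was dead but the wrap-around case now reaches the caller unclamped either way. A comment naming the type, or an explicit `sector < failed_command->sector` test, would make the removal reviewable on its own.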
13497 -diff -urNp linux-2.6.24.4/drivers/ieee1394/dv1394.c linux-2.6.24.4/drivers/ieee1394/dv1394.c
13498 ---- linux-2.6.24.4/drivers/ieee1394/dv1394.c 2008-03-24 14:49:18.000000000 -0400
13499 -+++ linux-2.6.24.4/drivers/ieee1394/dv1394.c 2008-03-26 17:56:56.000000000 -0400
13500 -@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
13501 - based upon DIF section and sequence
13502 - */
13503 -
13504 --static void inline
13505 -+static inline void
13506 - frame_put_packet (struct frame *f, struct packet *p)
13507 - {
13508 - int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
13509 -@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
13510 - /* default SYT offset is 3 cycles */
13511 - init->syt_offset = 3;
13512 -
13513 -- if ( (init->channel > 63) || (init->channel < 0) )
13514 -+ if (init->channel > 63)
13515 - init->channel = 63;
13516 -
13517 - chan_mask = (u64)1 << init->channel;
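Review bot: the dropped `(init->channel < 0)` test in do_dv1394_init is safe only if `init->channel` is unsigned, which the hunk does not show; the value feeds `chan_mask = (u64)1 << init->channel;` three lines later, so the remaining `> 63` clamp is what keeps the shift defined and must stay. A one-line comment there is worth adding, since a later change of the field to a signed type would silently reopen the negative-shift case.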
13518 -@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
13519 - .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
13520 - .version = AVC_SW_VERSION_ENTRY & 0xffffff
13521 - },
13522 -- { }
13523 -+ { 0, 0, 0, 0, 0, 0 }
13524 - };
13525 -
13526 - MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
13527 -diff -urNp linux-2.6.24.4/drivers/ieee1394/eth1394.c linux-2.6.24.4/drivers/ieee1394/eth1394.c
13528 ---- linux-2.6.24.4/drivers/ieee1394/eth1394.c 2008-03-24 14:49:18.000000000 -0400
13529 -+++ linux-2.6.24.4/drivers/ieee1394/eth1394.c 2008-03-26 17:56:56.000000000 -0400
13530 -@@ -451,7 +451,7 @@ static struct ieee1394_device_id eth1394
13531 - .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
13532 - .version = ETHER1394_GASP_VERSION,
13533 - },
13534 -- {}
13535 -+ { 0, 0, 0, 0, 0, 0 }
13536 - };
13537 -
13538 - MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
13539 -diff -urNp linux-2.6.24.4/drivers/ieee1394/hosts.c linux-2.6.24.4/drivers/ieee1394/hosts.c
13540 ---- linux-2.6.24.4/drivers/ieee1394/hosts.c 2008-03-24 14:49:18.000000000 -0400
13541 -+++ linux-2.6.24.4/drivers/ieee1394/hosts.c 2008-03-26 17:56:56.000000000 -0400
13542 -@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
13543 - }
13544 -
13545 - static struct hpsb_host_driver dummy_driver = {
13546 -+ .name = "dummy",
13547 - .transmit_packet = dummy_transmit_packet,
13548 - .devctl = dummy_devctl,
13549 - .isoctl = dummy_isoctl
13550 -diff -urNp linux-2.6.24.4/drivers/ieee1394/ohci1394.c linux-2.6.24.4/drivers/ieee1394/ohci1394.c
13551 ---- linux-2.6.24.4/drivers/ieee1394/ohci1394.c 2008-03-24 14:49:18.000000000 -0400
13552 -+++ linux-2.6.24.4/drivers/ieee1394/ohci1394.c 2008-03-26 17:56:56.000000000 -0400
13553 -@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
13554 - printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
13555 -
13556 - /* Module Parameters */
13557 --static int phys_dma = 1;
13558 -+static int phys_dma;
13559 - module_param(phys_dma, int, 0444);
13560 --MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
13561 -+MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
13562 -
13563 - static void dma_trm_tasklet(unsigned long data);
13564 - static void dma_trm_reset(struct dma_trm_ctx *d);
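Review bot: the default change from `static int phys_dma = 1;` to `static int phys_dma;` leaves OHCI-1394 physical DMA off unless the module parameter is set, and the MODULE_PARM_DESC string is updated to match, which is the right pairing. Physical DMA lets any device on the FireWire bus read and write host memory directly without the driver mediating, so off-by-default is the conservative choice for a hardened kernel; the description should say so, because "Enable physical dma (default = 0)" on its own reads like an arbitrary flip and invites a revert the first time someone's camera stops working.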
13565 -@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
13566 - .subvendor = PCI_ANY_ID,
13567 - .subdevice = PCI_ANY_ID,
13568 - },
13569 -- { 0, },
13570 -+ { 0, 0, 0, 0, 0, 0, 0 },
13571 - };
13572 -
13573 - MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
13574 -diff -urNp linux-2.6.24.4/drivers/ieee1394/raw1394.c linux-2.6.24.4/drivers/ieee1394/raw1394.c
13575 ---- linux-2.6.24.4/drivers/ieee1394/raw1394.c 2008-03-24 14:49:18.000000000 -0400
13576 -+++ linux-2.6.24.4/drivers/ieee1394/raw1394.c 2008-03-26 17:56:56.000000000 -0400
13577 -@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
13578 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
13579 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
13580 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
13581 -- {}
13582 -+ { 0, 0, 0, 0, 0, 0 }
13583 - };
13584 -
13585 - MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
13586 -diff -urNp linux-2.6.24.4/drivers/ieee1394/sbp2.c linux-2.6.24.4/drivers/ieee1394/sbp2.c
13587 ---- linux-2.6.24.4/drivers/ieee1394/sbp2.c 2008-03-24 14:49:18.000000000 -0400
13588 -+++ linux-2.6.24.4/drivers/ieee1394/sbp2.c 2008-03-26 17:56:56.000000000 -0400
13589 -@@ -274,7 +274,7 @@ static struct ieee1394_device_id sbp2_id
13590 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
13591 - .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
13592 - .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
13593 -- {}
13594 -+ { 0, 0, 0, 0, 0, 0 }
13595 - };
13596 - MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
13597 -
13598 -@@ -2078,7 +2078,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
13599 - MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
13600 - MODULE_LICENSE("GPL");
13601 -
13602 --static int sbp2_module_init(void)
13603 -+static int __init sbp2_module_init(void)
13604 - {
13605 - int ret;
13606 -
13607 -diff -urNp linux-2.6.24.4/drivers/ieee1394/video1394.c linux-2.6.24.4/drivers/ieee1394/video1394.c
13608 ---- linux-2.6.24.4/drivers/ieee1394/video1394.c 2008-03-24 14:49:18.000000000 -0400
13609 -+++ linux-2.6.24.4/drivers/ieee1394/video1394.c 2008-03-26 17:56:56.000000000 -0400
13610 -@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
13611 - if (unlikely(d == NULL))
13612 - return -EFAULT;
13613 -
13614 -- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
13615 -+ if (unlikely(v.buffer>=d->num_desc - 1)) {
13616 - PRINT(KERN_ERR, ohci->host->id,
13617 - "Buffer %d out of range",v.buffer);
13618 - return -EINVAL;
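Review bot: the four `v.buffer<0` removals in video1394_ioctl (this hunk and the ones at 959, 1030 and 1137) assume `v.buffer` is unsigned, yet the error message two lines below still prints it with `%d`. Either the field is signed, in which case the lower-bound checks were live and the shortened condition lets a negative index past the range check, or it is unsigned and the format specifier should become `%u`; the change should settle this by citing the struct definition, and the printk should agree with the type.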
13619 -@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
13620 - if (unlikely(d == NULL))
13621 - return -EFAULT;
13622 -
13623 -- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
13624 -+ if (unlikely(v.buffer>d->num_desc - 1)) {
13625 - PRINT(KERN_ERR, ohci->host->id,
13626 - "Buffer %d out of range",v.buffer);
13627 - return -EINVAL;
13628 -@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
13629 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
13630 - if (d == NULL) return -EFAULT;
13631 -
13632 -- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
13633 -+ if (v.buffer>=d->num_desc - 1) {
13634 - PRINT(KERN_ERR, ohci->host->id,
13635 - "Buffer %d out of range",v.buffer);
13636 - return -EINVAL;
13637 -@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
13638 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
13639 - if (d == NULL) return -EFAULT;
13640 -
13641 -- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
13642 -+ if (v.buffer>=d->num_desc-1) {
13643 - PRINT(KERN_ERR, ohci->host->id,
13644 - "Buffer %d out of range",v.buffer);
13645 - return -EINVAL;
13646 -@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
13647 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
13648 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
13649 - },
13650 -- { }
13651 -+ { 0, 0, 0, 0, 0, 0 }
13652 - };
13653 -
13654 - MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
13655 -diff -urNp linux-2.6.24.4/drivers/input/keyboard/atkbd.c linux-2.6.24.4/drivers/input/keyboard/atkbd.c
13656 ---- linux-2.6.24.4/drivers/input/keyboard/atkbd.c 2008-03-24 14:49:18.000000000 -0400
13657 -+++ linux-2.6.24.4/drivers/input/keyboard/atkbd.c 2008-03-26 17:56:56.000000000 -0400
13658 -@@ -1080,7 +1080,7 @@ static struct serio_device_id atkbd_seri
13659 - .id = SERIO_ANY,
13660 - .extra = SERIO_ANY,
13661 - },
13662 -- { 0 }
13663 -+ { 0, 0, 0, 0 }
13664 - };
13665 -
13666 - MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
13667 -diff -urNp linux-2.6.24.4/drivers/input/mouse/lifebook.c linux-2.6.24.4/drivers/input/mouse/lifebook.c
13668 ---- linux-2.6.24.4/drivers/input/mouse/lifebook.c 2008-03-24 14:49:18.000000000 -0400
13669 -+++ linux-2.6.24.4/drivers/input/mouse/lifebook.c 2008-03-26 17:56:56.000000000 -0400
13670 -@@ -110,7 +110,7 @@ static const struct dmi_system_id lifebo
13671 - DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
13672 - },
13673 - },
13674 -- { }
13675 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
13676 - };
13677 -
13678 - static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
13679 -diff -urNp linux-2.6.24.4/drivers/input/mouse/psmouse-base.c linux-2.6.24.4/drivers/input/mouse/psmouse-base.c
13680 ---- linux-2.6.24.4/drivers/input/mouse/psmouse-base.c 2008-03-24 14:49:18.000000000 -0400
13681 -+++ linux-2.6.24.4/drivers/input/mouse/psmouse-base.c 2008-03-26 17:56:56.000000000 -0400
13682 -@@ -1329,7 +1329,7 @@ static struct serio_device_id psmouse_se
13683 - .id = SERIO_ANY,
13684 - .extra = SERIO_ANY,
13685 - },
13686 -- { 0 }
13687 -+ { 0, 0, 0, 0 }
13688 - };
13689 -
13690 - MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
13691 -diff -urNp linux-2.6.24.4/drivers/input/mouse/synaptics.c linux-2.6.24.4/drivers/input/mouse/synaptics.c
13692 ---- linux-2.6.24.4/drivers/input/mouse/synaptics.c 2008-03-24 14:49:18.000000000 -0400
13693 -+++ linux-2.6.24.4/drivers/input/mouse/synaptics.c 2008-03-26 17:56:56.000000000 -0400
13694 -@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
13695 - break;
13696 - case 2:
13697 - if (SYN_MODEL_PEN(priv->model_id))
13698 -- ; /* Nothing, treat a pen as a single finger */
13699 -+ break; /* Nothing, treat a pen as a single finger */
13700 - break;
13701 - case 4 ... 15:
13702 - if (SYN_CAP_PALMDETECT(priv->capabilities))
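Review bot: replacing the empty statement with `break;` inside `if (SYN_MODEL_PEN(priv->model_id))` leaves behaviour unchanged, since the unconditional `break;` on the next line was reached either way; it only silences an empty-body warning. With both branches now breaking, the `if` is dead weight and the case could be reduced to the "treat a pen as a single finger" comment plus a single `break;`.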
13703 -@@ -624,7 +624,7 @@ static const struct dmi_system_id toshib
13704 - DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
13705 - },
13706 - },
13707 -- { }
13708 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13709 - };
13710 - #endif
13711 -
13712 -diff -urNp linux-2.6.24.4/drivers/input/mousedev.c linux-2.6.24.4/drivers/input/mousedev.c
13713 ---- linux-2.6.24.4/drivers/input/mousedev.c 2008-03-24 14:49:18.000000000 -0400
13714 -+++ linux-2.6.24.4/drivers/input/mousedev.c 2008-03-26 17:56:56.000000000 -0400
13715 -@@ -1056,7 +1056,7 @@ static struct input_handler mousedev_han
13716 -
13717 - #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
13718 - static struct miscdevice psaux_mouse = {
13719 -- PSMOUSE_MINOR, "psaux", &mousedev_fops
13720 -+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
13721 - };
13722 - static int psaux_registered;
13723 - #endif
13724 -diff -urNp linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h
13725 ---- linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h 2008-03-24 14:49:18.000000000 -0400
13726 -+++ linux-2.6.24.4/drivers/input/serio/i8042-x86ia64io.h 2008-03-26 17:56:56.000000000 -0400
13727 -@@ -118,7 +118,7 @@ static struct dmi_system_id __initdata i
13728 - DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"),
13729 - },
13730 - },
13731 -- { }
13732 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13733 - };
13734 -
13735 - /*
13736 -@@ -270,7 +270,7 @@ static struct dmi_system_id __initdata i
13737 - DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
13738 - },
13739 - },
13740 -- { }
13741 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
13742 - };
13743 -
13744 -
13745 -diff -urNp linux-2.6.24.4/drivers/input/serio/serio_raw.c linux-2.6.24.4/drivers/input/serio/serio_raw.c
13746 ---- linux-2.6.24.4/drivers/input/serio/serio_raw.c 2008-03-24 14:49:18.000000000 -0400
13747 -+++ linux-2.6.24.4/drivers/input/serio/serio_raw.c 2008-03-26 17:56:56.000000000 -0400
13748 -@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
13749 - .id = SERIO_ANY,
13750 - .extra = SERIO_ANY,
13751 - },
13752 -- { 0 }
13753 -+ { 0, 0, 0, 0 }
13754 - };
13755 -
13756 - MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
13757 -diff -urNp linux-2.6.24.4/drivers/kvm/kvm_main.c linux-2.6.24.4/drivers/kvm/kvm_main.c
13758 ---- linux-2.6.24.4/drivers/kvm/kvm_main.c 2008-03-24 14:49:18.000000000 -0400
13759 -+++ linux-2.6.24.4/drivers/kvm/kvm_main.c 2008-03-26 17:56:56.000000000 -0400
13760 -@@ -67,22 +67,22 @@ static struct kvm_stats_debugfs_item {
13761 - int offset;
13762 - struct dentry *dentry;
13763 - } debugfs_entries[] = {
13764 -- { "pf_fixed", STAT_OFFSET(pf_fixed) },
13765 -- { "pf_guest", STAT_OFFSET(pf_guest) },
13766 -- { "tlb_flush", STAT_OFFSET(tlb_flush) },
13767 -- { "invlpg", STAT_OFFSET(invlpg) },
13768 -- { "exits", STAT_OFFSET(exits) },
13769 -- { "io_exits", STAT_OFFSET(io_exits) },
13770 -- { "mmio_exits", STAT_OFFSET(mmio_exits) },
13771 -- { "signal_exits", STAT_OFFSET(signal_exits) },
13772 -- { "irq_window", STAT_OFFSET(irq_window_exits) },
13773 -- { "halt_exits", STAT_OFFSET(halt_exits) },
13774 -- { "halt_wakeup", STAT_OFFSET(halt_wakeup) },
13775 -- { "request_irq", STAT_OFFSET(request_irq_exits) },
13776 -- { "irq_exits", STAT_OFFSET(irq_exits) },
13777 -- { "light_exits", STAT_OFFSET(light_exits) },
13778 -- { "efer_reload", STAT_OFFSET(efer_reload) },
13779 -- { NULL }
13780 -+ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
13781 -+ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
13782 -+ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
13783 -+ { "invlpg", STAT_OFFSET(invlpg), NULL },
13784 -+ { "exits", STAT_OFFSET(exits), NULL },
13785 -+ { "io_exits", STAT_OFFSET(io_exits), NULL },
13786 -+ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
13787 -+ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
13788 -+ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
13789 -+ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
13790 -+ { "halt_wakeup", STAT_OFFSET(halt_wakeup), NULL },
13791 -+ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
13792 -+ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
13793 -+ { "light_exits", STAT_OFFSET(light_exits), NULL },
13794 -+ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
13795 -+ { NULL, 0, NULL }
13796 - };
13797 -
13798 - static struct dentry *debugfs_dir;
13799 -@@ -2505,7 +2505,7 @@ static int kvm_vcpu_ioctl_translate(stru
13800 - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13801 - struct kvm_interrupt *irq)
13802 - {
13803 -- if (irq->irq < 0 || irq->irq >= 256)
13804 -+ if (irq->irq >= 256)
13805 - return -EINVAL;
13806 - if (irqchip_in_kernel(vcpu->kvm))
13807 - return -ENXIO;
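Review bot: `if (irq->irq < 0 || irq->irq >= 256)` to `if (irq->irq >= 256)` is equivalent only if `irq->irq` is an unsigned type, and struct kvm_interrupt is not in the hunk. The value is a guest interrupt vector supplied by userspace through an ioctl, so this bound is the one check standing between user input and whatever indexes by vector later; a comment stating the field's type next to the check would let the removal be verified from the call site.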
13808 -@@ -3250,6 +3250,9 @@ static struct miscdevice kvm_dev = {
13809 - KVM_MINOR,
13810 - "kvm",
13811 - &kvm_chardev_ops,
13812 -+ {NULL, NULL},
13813 -+ NULL,
13814 -+ NULL
13815 - };
13816 -
13817 - /*
13818 -diff -urNp linux-2.6.24.4/drivers/kvm/svm.c linux-2.6.24.4/drivers/kvm/svm.c
13819 ---- linux-2.6.24.4/drivers/kvm/svm.c 2008-03-24 14:49:18.000000000 -0400
13820 -+++ linux-2.6.24.4/drivers/kvm/svm.c 2008-03-26 17:56:56.000000000 -0400
13821 -@@ -1307,8 +1307,20 @@ static void reload_tss(struct kvm_vcpu *
13822 - int cpu = raw_smp_processor_id();
13823 -
13824 - struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
13825 -+
13826 -+#ifdef CONFIG_PAX_KERNEXEC
13827 -+ unsigned long cr0;
13828 -+
13829 -+ pax_open_kernel(cr0);
13830 -+#endif
13831 -+
13832 - svm_data->tss_desc->type = 9; //available 32/64-bit TSS
13833 - load_TR_desc();
13834 -+
13835 -+#ifdef CONFIG_PAX_KERNEXEC
13836 -+ pax_close_kernel(cr0);
13837 -+#endif
13838 -+
13839 - }
13840 -
13841 - static void pre_svm_run(struct vcpu_svm *svm)
13842 -diff -urNp linux-2.6.24.4/drivers/kvm/vmx.c linux-2.6.24.4/drivers/kvm/vmx.c
13843 ---- linux-2.6.24.4/drivers/kvm/vmx.c 2008-03-24 14:49:18.000000000 -0400
13844 -+++ linux-2.6.24.4/drivers/kvm/vmx.c 2008-03-26 17:56:56.000000000 -0400
13845 -@@ -335,10 +335,24 @@ static void reload_tss(void)
13846 - struct descriptor_table gdt;
13847 - struct segment_descriptor *descs;
13848 -
13849 -+#ifdef CONFIG_PAX_KERNEXEC
13850 -+ unsigned long cr0;
13851 -+#endif
13852 -+
13853 - get_gdt(&gdt);
13854 - descs = (void *)gdt.base;
13855 -+
13856 -+#ifdef CONFIG_PAX_KERNEXEC
13857 -+ pax_open_kernel(cr0);
13858 -+#endif
13859 -+
13860 - descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
13861 - load_TR_desc();
13862 -+
13863 -+#ifdef CONFIG_PAX_KERNEXEC
13864 -+ pax_close_kernel(cr0);
13865 -+#endif
13866 -+
13867 - #endif
13868 - }
13869 -
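Review bot: the pax_open_kernel(cr0)/pax_close_kernel(cr0) brackets added around the TSS descriptor writes in svm.c reload_tss and vmx.c reload_tss carry no comment saying why: under CONFIG_PAX_KERNEXEC the GDT is read-only, so `svm_data->tss_desc->type = 9` and `descs[GDT_ENTRY_TSS].type = 9` would fault without temporarily lifting write protection. The windows are kept to the single write plus load_TR_desc(), which is as tight as they can be; a one-line comment at each open would stop a later cleanup from "simplifying" the #ifdef blocks away, and the #ifdef-only declaration of `cr0` in vmx.c is the right way to avoid an unused-variable warning when KERNEXEC is off.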
13870 -@@ -2322,7 +2336,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
13871 -
13872 - vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
13873 -
13874 -- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13875 -+ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13876 - vmx->launched = 1;
13877 -
13878 - intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
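Review bot: the `__USER_DS` to `__KERNEL_DS` change in the post-VM-exit `mov %0, %%ds; mov %0, %%es` is unconditional, unlike the other PaX changes in this file, which are wrapped in `#ifdef CONFIG_PAX_KERNEXEC`, and it has no comment. On a vanilla kernel both selectors describe the same flat data segment, so the line looks like noise and will be dropped at the first merge conflict; under PaX the kernel and user data segments can differ, so reloading %ds/%es with the user selector in kernel context is what is being fixed. A comment to that effect (or the same #ifdef guard) would make the change self-explanatory.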
13879 -diff -urNp linux-2.6.24.4/drivers/md/bitmap.c linux-2.6.24.4/drivers/md/bitmap.c
13880 ---- linux-2.6.24.4/drivers/md/bitmap.c 2008-03-24 14:49:18.000000000 -0400
13881 -+++ linux-2.6.24.4/drivers/md/bitmap.c 2008-03-26 17:56:56.000000000 -0400
13882 -@@ -57,7 +57,7 @@
13883 - # if DEBUG > 0
13884 - # define PRINTK(x...) printk(KERN_DEBUG x)
13885 - # else
13886 --# define PRINTK(x...)
13887 -+# define PRINTK(x...) do {} while (0)
13888 - # endif
13889 - #endif
13890 -
13891 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2000.c linux-2.6.24.4/drivers/mtd/devices/doc2000.c
13892 ---- linux-2.6.24.4/drivers/mtd/devices/doc2000.c 2008-03-24 14:49:18.000000000 -0400
13893 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2000.c 2008-03-26 17:56:56.000000000 -0400
13894 -@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
13895 - len = ((from | 0x1ff) + 1) - from;
13896 -
13897 - /* The ECC will not be calculated correctly if less than 512 is read */
13898 -- if (len != 0x200 && eccbuf)
13899 -+ if (len != 0x200)
13900 - printk(KERN_WARNING
13901 - "ECC needs a full sector read (adr: %lx size %lx)\n",
13902 - (long) from, (long) len);
13903 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2001.c linux-2.6.24.4/drivers/mtd/devices/doc2001.c
13904 ---- linux-2.6.24.4/drivers/mtd/devices/doc2001.c 2008-03-24 14:49:18.000000000 -0400
13905 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2001.c 2008-03-26 17:56:56.000000000 -0400
13906 -@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
13907 - /* Don't allow read past end of device */
13908 - if (from >= this->totlen)
13909 - return -EINVAL;
13910 -+ if (!len)
13911 -+ return -EINVAL;
13912 -
13913 - /* Don't allow a single read to cross a 512-byte block boundary */
13914 - if (from + len > ((from | 0x1ff) + 1))
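Review bot: the added `if (!len) return -EINVAL;` in doc2001.c doc_read rejects a zero-length read before the 512-byte boundary arithmetic, and it sits in the right place, after the `from >= this->totlen` check and before `from + len` is computed. Returning -EINVAL instead of success for an empty read is a visible behaviour change for callers that probe with len 0, so it deserves a mention in the change description.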
13915 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c
13916 ---- linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c 2008-03-24 14:49:18.000000000 -0400
13917 -+++ linux-2.6.24.4/drivers/mtd/devices/doc2001plus.c 2008-03-26 17:56:56.000000000 -0400
13918 -@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
13919 - WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
13920 -
13921 - /* On interleaved devices the flags for 2nd half 512 are before data */
13922 -- if (eccbuf && before)
13923 -+ if (before)
13924 - fto -= 2;
13925 -
13926 - /* issue the Serial Data In command to initial the Page Program process */
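Review bot: `if (eccbuf && before)` to `if (before)` in doc2001plus.c doc_write, and the matching `if (len != 0x200 && eccbuf)` to `if (len != 0x200)` in doc2000.c doc_read, only preserve behaviour if `eccbuf` is never NULL at those points, and neither hunk shows where it comes from. The doc2000 case merely prints a warning more often, but the doc2001plus case changes the flash offset (`fto -= 2`) that the Serial Data In command is issued against, so a wrong assumption corrupts the write; the commit should state why eccbuf is guaranteed non-NULL before the check is dropped.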
13927 -diff -urNp linux-2.6.24.4/drivers/mtd/devices/slram.c linux-2.6.24.4/drivers/mtd/devices/slram.c
13928 ---- linux-2.6.24.4/drivers/mtd/devices/slram.c 2008-03-24 14:49:18.000000000 -0400
13929 -+++ linux-2.6.24.4/drivers/mtd/devices/slram.c 2008-03-26 17:56:56.000000000 -0400
13930 -@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
13931 - }
13932 - T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
13933 - devname, devstart, devlength);
13934 -- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
13935 -+ if (devlength % SLRAM_BLK_SZ != 0) {
13936 - E("slram: Illegal start / length parameter.\n");
13937 - return(-EINVAL);
13938 - }
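Review bot: `devstart < 0` and `devlength < 0` are removed from parse_cmdline while the trace two lines earlier prints both with `0x%lx`, consistent with unsigned long values, so the comparisons were always false and the only live validation is `devlength % SLRAM_BLK_SZ != 0`. Since both values come from the module command line, a check that `devstart + devlength` does not wrap would be a cheap replacement for the dead lower-bound tests, rather than leaving "Illegal start / length parameter" covering alignment alone.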
13939 -diff -urNp linux-2.6.24.4/drivers/mtd/ubi/build.c linux-2.6.24.4/drivers/mtd/ubi/build.c
13940 ---- linux-2.6.24.4/drivers/mtd/ubi/build.c 2008-03-24 14:49:18.000000000 -0400
13941 -+++ linux-2.6.24.4/drivers/mtd/ubi/build.c 2008-03-26 17:56:56.000000000 -0400
13942 -@@ -753,7 +753,7 @@ static int __init bytes_str_to_int(const
13943 - unsigned long result;
13944 -
13945 - result = simple_strtoul(str, &endp, 0);
13946 -- if (str == endp || result < 0) {
13947 -+ if (str == endp) {
13948 - printk("UBI error: incorrect bytes count: \"%s\"\n", str);
13949 - return -EINVAL;
13950 - }
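Review bot: the dropped `result < 0` in bytes_str_to_int was dead code, since `result` is declared `unsigned long` in the hunk context three lines above, so the remaining `str == endp` test is the only real parse check and behaviour is unchanged. Fine as a warning fix; while touching the error path, the `printk("UBI error: ...")` has no KERN_ level prefix and could pick one up.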
13951 -diff -urNp linux-2.6.24.4/drivers/net/eepro100.c linux-2.6.24.4/drivers/net/eepro100.c
13952 ---- linux-2.6.24.4/drivers/net/eepro100.c 2008-03-24 14:49:18.000000000 -0400
13953 -+++ linux-2.6.24.4/drivers/net/eepro100.c 2008-03-26 17:56:56.000000000 -0400
13954 -@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
13955 - # define rx_align(skb) skb_reserve((skb), 2)
13956 - # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
13957 - #else
13958 --# define rx_align(skb)
13959 -+# define rx_align(skb) do {} while (0)
13960 - # define RxFD_ALIGNMENT
13961 - #endif
13962 -
13963 -@@ -2340,33 +2340,33 @@ static void __devexit eepro100_remove_on
13964 - }
13965 -
13966 - static struct pci_device_id eepro100_pci_tbl[] = {
13967 -- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
13968 -- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
13969 -- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
13970 -- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
13971 -- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
13972 -- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
13973 -- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
13974 -- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
13975 -- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
13976 -- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
13977 -- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
13978 -- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
13979 -- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
13980 -- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
13981 -- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
13982 -- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
13983 -- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
13984 -- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
13985 -- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
13986 -- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
13987 -- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
13988 -- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
13989 -- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
13990 -- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
13991 -- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
13992 -- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
13993 -- { 0,}
13994 -+ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13995 -+ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13996 -+ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13997 -+ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13998 -+ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
13999 -+ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14000 -+ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14001 -+ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14002 -+ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14003 -+ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14004 -+ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14005 -+ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14006 -+ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14007 -+ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14008 -+ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14009 -+ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14010 -+ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14011 -+ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14012 -+ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14013 -+ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14014 -+ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14015 -+ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14016 -+ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14017 -+ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14018 -+ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14019 -+ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
14020 -+ { 0, 0, 0, 0, 0, 0, 0 }
14021 - };
14022 - MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
14023 -
14024 -diff -urNp linux-2.6.24.4/drivers/net/irda/vlsi_ir.c linux-2.6.24.4/drivers/net/irda/vlsi_ir.c
14025 ---- linux-2.6.24.4/drivers/net/irda/vlsi_ir.c 2008-03-24 14:49:18.000000000 -0400
14026 -+++ linux-2.6.24.4/drivers/net/irda/vlsi_ir.c 2008-03-26 17:56:56.000000000 -0400
14027 -@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
14028 - /* no race - tx-ring already empty */
14029 - vlsi_set_baud(idev, iobase);
14030 - netif_wake_queue(ndev);
14031 -- }
14032 -- else
14033 -- ;
14034 -+ } else {
14035 - /* keep the speed change pending like it would
14036 - * for any len>0 packet. tx completion interrupt
14037 - * will apply it when the tx ring becomes empty.
14038 - */
14039 -+ }
14040 - spin_unlock_irqrestore(&idev->lock, flags);
14041 - dev_kfree_skb_any(skb);
14042 - return 0;
14043 -diff -urNp linux-2.6.24.4/drivers/net/pcnet32.c linux-2.6.24.4/drivers/net/pcnet32.c
14044 ---- linux-2.6.24.4/drivers/net/pcnet32.c 2008-03-24 14:49:18.000000000 -0400
14045 -+++ linux-2.6.24.4/drivers/net/pcnet32.c 2008-03-26 17:56:56.000000000 -0400
14046 -@@ -82,7 +82,7 @@ static int cards_found;
14047 - /*
14048 - * VLB I/O addresses
14049 - */
14050 --static unsigned int pcnet32_portlist[] __initdata =
14051 -+static unsigned int pcnet32_portlist[] __devinitdata =
14052 - { 0x300, 0x320, 0x340, 0x360, 0 };
14053 -
14054 - static int pcnet32_debug = 0;
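Review bot: `__initdata` to `__devinitdata` on pcnet32_portlist is a correctness fix, not warning hygiene: an `__initdata` table is released with init memory, so it must not be read from a probe path that hotplug can run later, while `__devinitdata` survives whenever device probing can. The hunk does not show the reader of the table, so the change description should name it; this line should not be lumped in with the sentinel rewrites.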
14055 -diff -urNp linux-2.6.24.4/drivers/net/tg3.h linux-2.6.24.4/drivers/net/tg3.h
14056 ---- linux-2.6.24.4/drivers/net/tg3.h 2008-03-24 14:49:18.000000000 -0400
14057 -+++ linux-2.6.24.4/drivers/net/tg3.h 2008-03-26 17:56:56.000000000 -0400
14058 -@@ -102,6 +102,7 @@
14059 - #define CHIPREV_ID_5750_A0 0x4000
14060 - #define CHIPREV_ID_5750_A1 0x4001
14061 - #define CHIPREV_ID_5750_A3 0x4003
14062 -+#define CHIPREV_ID_5750_C1 0x4201
14063 - #define CHIPREV_ID_5750_C2 0x4202
14064 - #define CHIPREV_ID_5752_A0_HW 0x5000
14065 - #define CHIPREV_ID_5752_A0 0x6000
14066 -diff -urNp linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c
14067 ---- linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-24 14:49:18.000000000 -0400
14068 -+++ linux-2.6.24.4/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-26 17:56:56.000000000 -0400
14069 -@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
14070 -
14071 - void compaq_nvram_init (void __iomem *rom_start)
14072 - {
14073 -+
14074 -+#ifndef CONFIG_PAX_KERNEXEC
14075 - if (rom_start) {
14076 - compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
14077 - }
14078 -+#endif
14079 -+
14080 - dbg("int15 entry = %p\n", compaq_int15_entry_point);
14081 -
14082 - /* initialize our int15 lock */
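Review bot: under CONFIG_PAX_KERNEXEC the `#ifndef` block in compaq_nvram_init no longer assigns compaq_int15_entry_point from the ROM mapping, so it keeps its startup value and the following `dbg("int15 entry = %p\n", ...)` will report that. The callers that make the BIOS int15 call are not in the hunk; they must treat an unset entry point as "service unavailable" rather than jump through it, and a comment on the `#ifndef` stating why the ROM entry point must not be used under KERNEXEC would make the intent clear.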
14083 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c
14084 ---- linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c 2008-03-24 14:49:18.000000000 -0400
14085 -+++ linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv.c 2008-03-26 17:56:56.000000000 -0400
14086 -@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
14087 - .port_type = PCIE_RC_PORT,
14088 - .service_type = PCIE_PORT_SERVICE_AER,
14089 - },
14090 -- { /* end: all zeroes */ }
14091 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14092 - };
14093 -
14094 - static struct pci_error_handlers aer_error_handlers = {
14095 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c
14096 ---- linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-24 14:49:18.000000000 -0400
14097 -+++ linux-2.6.24.4/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-26 17:56:56.000000000 -0400
14098 -@@ -661,7 +661,7 @@ static void aer_isr_one_error(struct pci
14099 - struct aer_err_source *e_src)
14100 - {
14101 - struct device *s_device;
14102 -- struct aer_err_info e_info = {0, 0, 0,};
14103 -+ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
14104 - int i;
14105 - u16 id;
14106 -
14107 -diff -urNp linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c
14108 ---- linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c 2008-03-24 14:49:18.000000000 -0400
14109 -+++ linux-2.6.24.4/drivers/pci/pcie/portdrv_pci.c 2008-03-26 17:56:56.000000000 -0400
14110 -@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
14111 - static const struct pci_device_id port_pci_ids[] = { {
14112 - /* handle any PCI-Express port */
14113 - PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
14114 -- }, { /* end: all zeroes */ }
14115 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
14116 - };
14117 - MODULE_DEVICE_TABLE(pci, port_pci_ids);
14118 -
14119 -diff -urNp linux-2.6.24.4/drivers/pci/proc.c linux-2.6.24.4/drivers/pci/proc.c
14120 ---- linux-2.6.24.4/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
14121 -+++ linux-2.6.24.4/drivers/pci/proc.c 2008-03-26 17:56:56.000000000 -0400
14122 -@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
14123 - {
14124 - struct proc_dir_entry *entry;
14125 - struct pci_dev *dev = NULL;
14126 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
14127 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
14128 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
14129 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
14130 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
14131 -+#endif
14132 -+#else
14133 - proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
14134 -+#endif
14135 - entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
14136 - if (entry)
14137 - entry->proc_fops = &proc_bus_pci_dev_operations;
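Review bot: when CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` chain selects no branch and proc_bus_pci_dir is never created, yet the following `create_proc_entry("devices", 0, proc_bus_pci_dir)` still runs with that pointer. Either the Kconfig must guarantee one of the two sub-options whenever PROC_ADD is enabled, or an inner `#else` falling back to `proc_mkdir("pci", proc_bus)` should be added so the restriction can never be enabled into a missing directory. The changelog should also spell out the effect of the two modes: `S_IRUSR | S_IXUSR` hides PCI device enumeration from everyone but root, and the USERGROUP variant re-opens it to one group only.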
14138 -diff -urNp linux-2.6.24.4/drivers/pcmcia/ti113x.h linux-2.6.24.4/drivers/pcmcia/ti113x.h
14139 ---- linux-2.6.24.4/drivers/pcmcia/ti113x.h 2008-03-24 14:49:18.000000000 -0400
14140 -+++ linux-2.6.24.4/drivers/pcmcia/ti113x.h 2008-03-26 17:56:56.000000000 -0400
14141 -@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
14142 - DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
14143 - ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
14144 -
14145 -- {}
14146 -+ { 0, 0, 0, 0, 0, 0, 0 }
14147 - };
14148 -
14149 - static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
14150 -diff -urNp linux-2.6.24.4/drivers/pcmcia/yenta_socket.c linux-2.6.24.4/drivers/pcmcia/yenta_socket.c
14151 ---- linux-2.6.24.4/drivers/pcmcia/yenta_socket.c 2008-03-24 14:49:18.000000000 -0400
14152 -+++ linux-2.6.24.4/drivers/pcmcia/yenta_socket.c 2008-03-26 17:56:56.000000000 -0400
14153 -@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
14154 -
14155 - /* match any cardbus bridge */
14156 - CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
14157 -- { /* all zeroes */ }
14158 -+ { 0, 0, 0, 0, 0, 0, 0 }
14159 - };
14160 - MODULE_DEVICE_TABLE(pci, yenta_table);
14161 -
14162 -diff -urNp linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c
14163 ---- linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c 2008-03-24 14:49:18.000000000 -0400
14164 -+++ linux-2.6.24.4/drivers/pnp/pnpbios/bioscalls.c 2008-03-26 17:56:56.000000000 -0400
14165 -@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
14166 - set_limit(gdt[(selname) >> 3], size); \
14167 - } while(0)
14168 -
14169 --static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
14170 -+static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
14171 -
14172 - /*
14173 - * At some point we want to use this stack frame pointer to unwind
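Review bot: the change from `0x00409200` to `0x00409300` in `bad_bios_desc` deserves a comment: it pre-sets the accessed bit in the descriptor's access byte, which is needed because under KERNEXEC the GDT this template is copied into is write-protected (hence the `pax_open_kernel` pairs around the copies in the following hunks), so the CPU must not need to write the entry itself when the selector is loaded. Without the comment the next reader sees an unexplained flag change beside a section-attribute change and may revert one without the other.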
14174 -@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
14175 - struct desc_struct save_desc_40;
14176 - int cpu;
14177 -
14178 -+#ifdef CONFIG_PAX_KERNEXEC
14179 -+ unsigned long cr0;
14180 -+#endif
14181 -+
14182 - /*
14183 - * PnP BIOSes are generally not terribly re-entrant.
14184 - * Also, don't rely on them to save everything correctly.
14185 -@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
14186 -
14187 - cpu = get_cpu();
14188 - save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
14189 -+
14190 -+#ifdef CONFIG_PAX_KERNEXEC
14191 -+ pax_open_kernel(cr0);
14192 -+#endif
14193 -+
14194 - get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
14195 -
14196 -+#ifdef CONFIG_PAX_KERNEXEC
14197 -+ pax_close_kernel(cr0);
14198 -+#endif
14199 -+
14200 - /* On some boxes IRQ's during PnP BIOS calls are deadly. */
14201 - spin_lock_irqsave(&pnp_bios_lock, flags);
14202 -
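Review bot: the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` pair here correctly sits between `get_cpu()` and `put_cpu()`, which matters because CR0 is per-CPU state and a migration between open and close would leave WP cleared on one CPU and restore a stale value on another. Since the identical four-line `#ifdef CONFIG_PAX_KERNEXEC` block now wraps every GDT slot write in this file (here and again around the restore of `save_desc_40` in the next hunk), a small helper that performs the open, the single assignment and the close would remove the duplication and make it harder to add a future GDT write without the guard.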
14203 -@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
14204 - :"memory");
14205 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
14206 -
14207 -+#ifdef CONFIG_PAX_KERNEXEC
14208 -+ pax_open_kernel(cr0);
14209 -+#endif
14210 -+
14211 - get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
14212 -+
14213 -+#ifdef CONFIG_PAX_KERNEXEC
14214 -+ pax_close_kernel(cr0);
14215 -+#endif
14216 -+
14217 - put_cpu();
14218 -
14219 - /* If we get here and this is set then the PnP BIOS faulted on us. */
14220 -@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
14221 - return status;
14222 - }
14223 -
14224 --void pnpbios_calls_init(union pnp_bios_install_struct *header)
14225 -+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
14226 - {
14227 - int i;
14228 -
14229 -+#ifdef CONFIG_PAX_KERNEXEC
14230 -+ unsigned long cr0;
14231 -+#endif
14232 -+
14233 - spin_lock_init(&pnp_bios_lock);
14234 - pnp_bios_callpoint.offset = header->fields.pm16offset;
14235 - pnp_bios_callpoint.segment = PNP_CS16;
14236 -
14237 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
14238 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
14239 -+
14240 -+#ifdef CONFIG_PAX_KERNEXEC
14241 -+ pax_open_kernel(cr0);
14242 -+#endif
14243 -+
14244 - for (i = 0; i < NR_CPUS; i++) {
14245 - struct desc_struct *gdt = get_cpu_gdt_table(i);
14246 - if (!gdt)
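Review bot: `pax_open_kernel(cr0)` is placed before the `for (i = 0; i < NR_CPUS; i++)` loop and the matching close only follows the loop in the next hunk, so the kernel stays writable for the whole pass over every CPU's GDT, and because CR0 is per-CPU the code must stay on one CPU for that entire window. That is acceptable for a function now marked `__init`, but a comment stating that nothing inside the loop may sleep or reschedule would protect the invariant if the `set_base`/`set_limit` work on the GDT entries is ever extended.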
14247 -@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
14248 - set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
14249 - __va(header->fields.pm16dseg));
14250 - }
14251 -+
14252 -+#ifdef CONFIG_PAX_KERNEXEC
14253 -+ pax_close_kernel(cr0);
14254 -+#endif
14255 -+
14256 - }
14257 -diff -urNp linux-2.6.24.4/drivers/pnp/quirks.c linux-2.6.24.4/drivers/pnp/quirks.c
14258 ---- linux-2.6.24.4/drivers/pnp/quirks.c 2008-03-24 14:49:18.000000000 -0400
14259 -+++ linux-2.6.24.4/drivers/pnp/quirks.c 2008-03-26 17:56:56.000000000 -0400
14260 -@@ -128,7 +128,7 @@ static struct pnp_fixup pnp_fixups[] = {
14261 - {"CTL0043", quirk_sb16audio_resources},
14262 - {"CTL0044", quirk_sb16audio_resources},
14263 - {"CTL0045", quirk_sb16audio_resources},
14264 -- {""}
14265 -+ {"", NULL}
14266 - };
14267 -
14268 - void pnp_fixup_device(struct pnp_dev *dev)
14269 -diff -urNp linux-2.6.24.4/drivers/pnp/resource.c linux-2.6.24.4/drivers/pnp/resource.c
14270 ---- linux-2.6.24.4/drivers/pnp/resource.c 2008-03-24 14:49:18.000000000 -0400
14271 -+++ linux-2.6.24.4/drivers/pnp/resource.c 2008-03-26 17:56:56.000000000 -0400
14272 -@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
14273 - return 1;
14274 -
14275 - /* check if the resource is valid */
14276 -- if (*irq < 0 || *irq > 15)
14277 -+ if (*irq > 15)
14278 - return 0;
14279 -
14280 - /* check if the resource is reserved */
14281 -@@ -414,7 +414,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
14282 - return 1;
14283 -
14284 - /* check if the resource is valid */
14285 -- if (*dma < 0 || *dma == 4 || *dma > 7)
14286 -+ if (*dma == 4 || *dma > 7)
14287 - return 0;
14288 -
14289 - /* check if the resource is reserved */
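Review bot: dropping `*irq < 0` and `*dma < 0` is only a no-op if the pointed-to type is unsigned, and both hunk headers truncate the signatures at `int pnp_check_irq(struct pnp_dev *dev, i` and `int pnp_check_dma(struct pnp_dev *dev, i`, so the type is not visible in the patch. If the parameter is `int *` these hunks remove a real lower bound; if it is an unsigned type the comparison was dead code and the change merely silences a compiler warning. The commit message should state which, since the remaining `*irq > 15` and `*dma == 4 || *dma > 7` tests now carry the full range validation on their own.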
14290 -diff -urNp linux-2.6.24.4/drivers/scsi/scsi_logging.h linux-2.6.24.4/drivers/scsi/scsi_logging.h
14291 ---- linux-2.6.24.4/drivers/scsi/scsi_logging.h 2008-03-24 14:49:18.000000000 -0400
14292 -+++ linux-2.6.24.4/drivers/scsi/scsi_logging.h 2008-03-26 17:56:56.000000000 -0400
14293 -@@ -51,7 +51,7 @@ do { \
14294 - } while (0); \
14295 - } while (0)
14296 - #else
14297 --#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
14298 -+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
14299 - #endif /* CONFIG_SCSI_LOGGING */
14300 -
14301 - /*
14302 -diff -urNp linux-2.6.24.4/drivers/serial/8250_pci.c linux-2.6.24.4/drivers/serial/8250_pci.c
14303 ---- linux-2.6.24.4/drivers/serial/8250_pci.c 2008-03-24 14:49:18.000000000 -0400
14304 -+++ linux-2.6.24.4/drivers/serial/8250_pci.c 2008-03-26 17:56:56.000000000 -0400
14305 -@@ -2712,7 +2712,7 @@ static struct pci_device_id serial_pci_t
14306 - PCI_ANY_ID, PCI_ANY_ID,
14307 - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
14308 - 0xffff00, pbn_default },
14309 -- { 0, }
14310 -+ { 0, 0, 0, 0, 0, 0, 0 }
14311 - };
14312 -
14313 - static struct pci_driver serial_pci_driver = {
14314 -diff -urNp linux-2.6.24.4/drivers/usb/class/cdc-acm.c linux-2.6.24.4/drivers/usb/class/cdc-acm.c
14315 ---- linux-2.6.24.4/drivers/usb/class/cdc-acm.c 2008-03-24 14:49:18.000000000 -0400
14316 -+++ linux-2.6.24.4/drivers/usb/class/cdc-acm.c 2008-03-26 17:56:56.000000000 -0400
14317 -@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
14318 - USB_CDC_ACM_PROTO_AT_CDMA) },
14319 -
14320 - /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
14321 -- { }
14322 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14323 - };
14324 -
14325 - MODULE_DEVICE_TABLE (usb, acm_ids);
14326 -diff -urNp linux-2.6.24.4/drivers/usb/class/usblp.c linux-2.6.24.4/drivers/usb/class/usblp.c
14327 ---- linux-2.6.24.4/drivers/usb/class/usblp.c 2008-03-24 14:49:18.000000000 -0400
14328 -+++ linux-2.6.24.4/drivers/usb/class/usblp.c 2008-03-26 17:56:56.000000000 -0400
14329 -@@ -227,7 +227,7 @@ static const struct quirk_printer_struct
14330 - { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
14331 - { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
14332 - { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
14333 -- { 0, 0 }
14334 -+ { 0, 0, 0 }
14335 - };
14336 -
14337 - static int usblp_wwait(struct usblp *usblp, int nonblock);
14338 -@@ -1401,7 +1401,7 @@ static struct usb_device_id usblp_ids []
14339 - { USB_INTERFACE_INFO(7, 1, 2) },
14340 - { USB_INTERFACE_INFO(7, 1, 3) },
14341 - { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
14342 -- { } /* Terminating entry */
14343 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
14344 - };
14345 -
14346 - MODULE_DEVICE_TABLE (usb, usblp_ids);
14347 -diff -urNp linux-2.6.24.4/drivers/usb/core/hub.c linux-2.6.24.4/drivers/usb/core/hub.c
14348 ---- linux-2.6.24.4/drivers/usb/core/hub.c 2008-03-24 14:49:18.000000000 -0400
14349 -+++ linux-2.6.24.4/drivers/usb/core/hub.c 2008-03-26 17:56:56.000000000 -0400
14350 -@@ -2884,7 +2884,7 @@ static struct usb_device_id hub_id_table
14351 - .bDeviceClass = USB_CLASS_HUB},
14352 - { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
14353 - .bInterfaceClass = USB_CLASS_HUB},
14354 -- { } /* Terminating entry */
14355 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
14356 - };
14357 -
14358 - MODULE_DEVICE_TABLE (usb, hub_id_table);
14359 -diff -urNp linux-2.6.24.4/drivers/usb/host/ehci-pci.c linux-2.6.24.4/drivers/usb/host/ehci-pci.c
14360 ---- linux-2.6.24.4/drivers/usb/host/ehci-pci.c 2008-03-24 14:49:18.000000000 -0400
14361 -+++ linux-2.6.24.4/drivers/usb/host/ehci-pci.c 2008-03-26 17:56:56.000000000 -0400
14362 -@@ -374,7 +374,7 @@ static const struct pci_device_id pci_id
14363 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
14364 - .driver_data = (unsigned long) &ehci_pci_hc_driver,
14365 - },
14366 -- { /* end: all zeroes */ }
14367 -+ { 0, 0, 0, 0, 0, 0, 0 }
14368 - };
14369 - MODULE_DEVICE_TABLE(pci, pci_ids);
14370 -
14371 -diff -urNp linux-2.6.24.4/drivers/usb/host/uhci-hcd.c linux-2.6.24.4/drivers/usb/host/uhci-hcd.c
14372 ---- linux-2.6.24.4/drivers/usb/host/uhci-hcd.c 2008-03-24 14:49:18.000000000 -0400
14373 -+++ linux-2.6.24.4/drivers/usb/host/uhci-hcd.c 2008-03-26 17:56:56.000000000 -0400
14374 -@@ -893,7 +893,7 @@ static const struct pci_device_id uhci_p
14375 - /* handle any USB UHCI controller */
14376 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
14377 - .driver_data = (unsigned long) &uhci_driver,
14378 -- }, { /* end: all zeroes */ }
14379 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
14380 - };
14381 -
14382 - MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
14383 -diff -urNp linux-2.6.24.4/drivers/usb/storage/debug.h linux-2.6.24.4/drivers/usb/storage/debug.h
14384 ---- linux-2.6.24.4/drivers/usb/storage/debug.h 2008-03-24 14:49:18.000000000 -0400
14385 -+++ linux-2.6.24.4/drivers/usb/storage/debug.h 2008-03-26 17:56:56.000000000 -0400
14386 -@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
14387 - #define US_DEBUGPX(x...) printk( x )
14388 - #define US_DEBUG(x) x
14389 - #else
14390 --#define US_DEBUGP(x...)
14391 --#define US_DEBUGPX(x...)
14392 --#define US_DEBUG(x)
14393 -+#define US_DEBUGP(x...) do {} while (0)
14394 -+#define US_DEBUGPX(x...) do {} while (0)
14395 -+#define US_DEBUG(x) do {} while (0)
14396 - #endif
14397 -
14398 - #endif
14399 -diff -urNp linux-2.6.24.4/drivers/usb/storage/usb.c linux-2.6.24.4/drivers/usb/storage/usb.c
14400 ---- linux-2.6.24.4/drivers/usb/storage/usb.c 2008-03-24 14:49:18.000000000 -0400
14401 -+++ linux-2.6.24.4/drivers/usb/storage/usb.c 2008-03-26 17:56:56.000000000 -0400
14402 -@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
14403 - #undef UNUSUAL_DEV
14404 - #undef USUAL_DEV
14405 - /* Terminating entry */
14406 -- { }
14407 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
14408 - };
14409 -
14410 - MODULE_DEVICE_TABLE (usb, storage_usb_ids);
14411 -@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
14412 - # undef USUAL_DEV
14413 -
14414 - /* Terminating entry */
14415 -- { NULL }
14416 -+ { NULL, NULL, 0, 0, NULL }
14417 - };
14418 -
14419 -
14420 -diff -urNp linux-2.6.24.4/drivers/video/fbcmap.c linux-2.6.24.4/drivers/video/fbcmap.c
14421 ---- linux-2.6.24.4/drivers/video/fbcmap.c 2008-03-24 14:49:18.000000000 -0400
14422 -+++ linux-2.6.24.4/drivers/video/fbcmap.c 2008-03-26 17:56:56.000000000 -0400
14423 -@@ -250,8 +250,7 @@ int fb_set_user_cmap(struct fb_cmap_user
14424 - int rc, size = cmap->len * sizeof(u16);
14425 - struct fb_cmap umap;
14426 -
14427 -- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
14428 -- !info->fbops->fb_setcmap))
14429 -+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
14430 - return -EINVAL;
14431 -
14432 - memset(&umap, 0, sizeof(struct fb_cmap));
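Review bot: removing `cmap->start < 0` from fb_set_user_cmap is correct only if the `start` member of the user-supplied struct fb_cmap_user is unsigned, which the hunk does not show. If it is unsigned the test was dead code and this is a warning fix; if it is signed, a negative start would now pass this guard and the later offset handling would have to be checked to make sure it rejects it. A one-line justification in the changelog would save the next reviewer the same lookup.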
14433 -diff -urNp linux-2.6.24.4/drivers/video/fbmem.c linux-2.6.24.4/drivers/video/fbmem.c
14434 ---- linux-2.6.24.4/drivers/video/fbmem.c 2008-03-24 14:49:18.000000000 -0400
14435 -+++ linux-2.6.24.4/drivers/video/fbmem.c 2008-03-26 17:56:56.000000000 -0400
14436 -@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
14437 - image->dx += image->width + 8;
14438 - }
14439 - } else if (rotate == FB_ROTATE_UD) {
14440 -- for (x = 0; x < num && image->dx >= 0; x++) {
14441 -+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
14442 - info->fbops->fb_imageblit(info, image);
14443 - image->dx -= image->width + 8;
14444 - }
14445 -@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
14446 - image->dy += image->height + 8;
14447 - }
14448 - } else if (rotate == FB_ROTATE_CCW) {
14449 -- for (x = 0; x < num && image->dy >= 0; x++) {
14450 -+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
14451 - info->fbops->fb_imageblit(info, image);
14452 - image->dy -= image->height + 8;
14453 - }
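Review bot: unlike the other comparison cleanups in this patch, the `(__s32)` casts on `image->dx >= 0` and `image->dy >= 0` change behaviour rather than just silence a warning: with an unsigned `dx`/`dy` the old condition was always true, so the FB_ROTATE_UD and FB_ROTATE_CCW loops ran `num` times regardless, while the cast makes them stop once `image->dx -= image->width + 8` (or the `dy` counterpart) has wrapped past zero. That is the intended termination, but it should be called out as a bug fix in the changelog, and `__s32` should be confirmed to match the actual width of the field it casts.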
14454 -@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
14455 - case FBIOPUT_CON2FBMAP:
14456 - if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
14457 - return - EFAULT;
14458 -- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
14459 -+ if (con2fb.console > MAX_NR_CONSOLES)
14460 - return -EINVAL;
14461 -- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
14462 -+ if (con2fb.framebuffer >= FB_MAX)
14463 - return -EINVAL;
14464 - #ifdef CONFIG_KMOD
14465 - if (!registered_fb[con2fb.framebuffer])
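Review bot: the two `< 0` tests on `con2fb.console` and `con2fb.framebuffer` are removed as dead code, which holds only if both members of the user-supplied struct are unsigned; the hunk does not show the struct, so the changelog should say so. While on these lines, note the asymmetry between the retained bounds, `> MAX_NR_CONSOLES` versus `>= FB_MAX`: `con2fb.framebuffer == FB_MAX` is rejected before it indexes `registered_fb[]`, whereas `con2fb.console == MAX_NR_CONSOLES` is accepted, which is fine only if the console numbering used by the consumer allows that value.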
14466 -diff -urNp linux-2.6.24.4/drivers/video/fbmon.c linux-2.6.24.4/drivers/video/fbmon.c
14467 ---- linux-2.6.24.4/drivers/video/fbmon.c 2008-03-24 14:49:18.000000000 -0400
14468 -+++ linux-2.6.24.4/drivers/video/fbmon.c 2008-03-26 17:56:56.000000000 -0400
14469 -@@ -45,7 +45,7 @@
14470 - #ifdef DEBUG
14471 - #define DPRINTK(fmt, args...) printk(fmt,## args)
14472 - #else
14473 --#define DPRINTK(fmt, args...)
14474 -+#define DPRINTK(fmt, args...) do {} while (0)
14475 - #endif
14476 -
14477 - #define FBMON_FIX_HEADER 1
14478 -diff -urNp linux-2.6.24.4/drivers/video/i810/i810_accel.c linux-2.6.24.4/drivers/video/i810/i810_accel.c
14479 ---- linux-2.6.24.4/drivers/video/i810/i810_accel.c 2008-03-24 14:49:18.000000000 -0400
14480 -+++ linux-2.6.24.4/drivers/video/i810/i810_accel.c 2008-03-26 17:56:56.000000000 -0400
14481 -@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
14482 - }
14483 - }
14484 - printk("ringbuffer lockup!!!\n");
14485 -+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
14486 - i810_report_error(mmio);
14487 - par->dev_flags |= LOCKUP;
14488 - info->pixmap.scan_align = 1;
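Review bot: the added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` has no KERN_ log level, and neither does the `printk("ringbuffer lockup!!!\n")` it follows, so both go out at the default level. Since this is a hardware error path the new line should carry KERN_ERR (fixing the existing one in the same hunk would be cheap), and the `%u` conversions need `head`, `tail`, `par->iring.size` and `space` to actually be unsigned int, which the hunk cannot confirm.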
14489 -diff -urNp linux-2.6.24.4/drivers/video/i810/i810_main.c linux-2.6.24.4/drivers/video/i810/i810_main.c
14490 ---- linux-2.6.24.4/drivers/video/i810/i810_main.c 2008-03-24 14:49:18.000000000 -0400
14491 -+++ linux-2.6.24.4/drivers/video/i810/i810_main.c 2008-03-26 17:56:56.000000000 -0400
14492 -@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
14493 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
14494 - { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
14495 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
14496 -- { 0 },
14497 -+ { 0, 0, 0, 0, 0, 0, 0 },
14498 - };
14499 -
14500 - static struct pci_driver i810fb_driver = {
14501 -@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
14502 - int size = ((cursor->image.width + 7) >> 3) *
14503 - cursor->image.height;
14504 - int i;
14505 -- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
14506 -+ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
14507 -
14508 - if (data == NULL)
14509 - return -ENOMEM;
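Review bot: switching `kmalloc(64 * 8, GFP_ATOMIC)` to `GFP_KERNEL` in i810fb_cursor permits the allocation to sleep, so every path into the driver's cursor hook must be process context with no spinlock held, and the hunk gives no evidence of that. If the cursor callback can still be reached from the console blink timer or any other atomic context this introduces a sleep-in-atomic bug, so the commit message should name the caller analysis that justifies it, or the change should be dropped from a patch otherwise made of warning fixes.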
14510 -diff -urNp linux-2.6.24.4/drivers/video/modedb.c linux-2.6.24.4/drivers/video/modedb.c
14511 ---- linux-2.6.24.4/drivers/video/modedb.c 2008-03-24 14:49:18.000000000 -0400
14512 -+++ linux-2.6.24.4/drivers/video/modedb.c 2008-03-26 17:56:56.000000000 -0400
14513 -@@ -37,232 +37,232 @@ static const struct fb_videomode modedb[
14514 - {
14515 - /* 640x400 @ 70 Hz, 31.5 kHz hsync */
14516 - NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
14517 -- 0, FB_VMODE_NONINTERLACED
14518 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14519 - }, {
14520 - /* 640x480 @ 60 Hz, 31.5 kHz hsync */
14521 - NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
14522 -- 0, FB_VMODE_NONINTERLACED
14523 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14524 - }, {
14525 - /* 800x600 @ 56 Hz, 35.15 kHz hsync */
14526 - NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
14527 -- 0, FB_VMODE_NONINTERLACED
14528 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14529 - }, {
14530 - /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
14531 - NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
14532 -- 0, FB_VMODE_INTERLACED
14533 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14534 - }, {
14535 - /* 640x400 @ 85 Hz, 37.86 kHz hsync */
14536 - NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
14537 -- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14538 -+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14539 - }, {
14540 - /* 640x480 @ 72 Hz, 36.5 kHz hsync */
14541 - NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
14542 -- 0, FB_VMODE_NONINTERLACED
14543 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14544 - }, {
14545 - /* 640x480 @ 75 Hz, 37.50 kHz hsync */
14546 - NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
14547 -- 0, FB_VMODE_NONINTERLACED
14548 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14549 - }, {
14550 - /* 800x600 @ 60 Hz, 37.8 kHz hsync */
14551 - NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
14552 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14553 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14554 - }, {
14555 - /* 640x480 @ 85 Hz, 43.27 kHz hsync */
14556 - NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
14557 -- 0, FB_VMODE_NONINTERLACED
14558 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14559 - }, {
14560 - /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
14561 - NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
14562 -- 0, FB_VMODE_INTERLACED
14563 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14564 - }, {
14565 - /* 800x600 @ 72 Hz, 48.0 kHz hsync */
14566 - NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
14567 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14568 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14569 - }, {
14570 - /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
14571 - NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
14572 -- 0, FB_VMODE_NONINTERLACED
14573 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14574 - }, {
14575 - /* 640x480 @ 100 Hz, 53.01 kHz hsync */
14576 - NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
14577 -- 0, FB_VMODE_NONINTERLACED
14578 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14579 - }, {
14580 - /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
14581 - NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
14582 -- 0, FB_VMODE_NONINTERLACED
14583 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14584 - }, {
14585 - /* 800x600 @ 85 Hz, 55.84 kHz hsync */
14586 - NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
14587 -- 0, FB_VMODE_NONINTERLACED
14588 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14589 - }, {
14590 - /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
14591 - NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
14592 -- 0, FB_VMODE_NONINTERLACED
14593 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14594 - }, {
14595 - /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
14596 - NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
14597 -- 0, FB_VMODE_INTERLACED
14598 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
14599 - }, {
14600 - /* 800x600 @ 100 Hz, 64.02 kHz hsync */
14601 - NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
14602 -- 0, FB_VMODE_NONINTERLACED
14603 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14604 - }, {
14605 - /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
14606 - NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
14607 -- 0, FB_VMODE_NONINTERLACED
14608 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14609 - }, {
14610 - /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
14611 - NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
14612 -- 0, FB_VMODE_NONINTERLACED
14613 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14614 - }, {
14615 - /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
14616 - NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
14617 -- 0, FB_VMODE_NONINTERLACED
14618 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14619 - }, {
14620 - /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
14621 - NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
14622 -- 0, FB_VMODE_NONINTERLACED
14623 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14624 - }, {
14625 - /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
14626 - NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
14627 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14628 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14629 - }, {
14630 - /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
14631 - NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
14632 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14633 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14634 - }, {
14635 - /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
14636 - NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
14637 -- 0, FB_VMODE_NONINTERLACED
14638 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14639 - }, {
14640 - /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
14641 - NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
14642 -- 0, FB_VMODE_NONINTERLACED
14643 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14644 - }, {
14645 - /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
14646 - NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
14647 -- 0, FB_VMODE_NONINTERLACED
14648 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14649 - }, {
14650 - /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
14651 - NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
14652 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14653 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14654 - }, {
14655 - /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
14656 - NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
14657 -- 0, FB_VMODE_NONINTERLACED
14658 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14659 - }, {
14660 - /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
14661 - NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
14662 -- 0, FB_VMODE_NONINTERLACED
14663 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14664 - }, {
14665 - /* 1024x768 @ 100Hz, 80.21 kHz hsync */
14666 - NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
14667 -- 0, FB_VMODE_NONINTERLACED
14668 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14669 - }, {
14670 - /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
14671 - NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
14672 -- 0, FB_VMODE_NONINTERLACED
14673 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14674 - }, {
14675 - /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
14676 - NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
14677 -- 0, FB_VMODE_NONINTERLACED
14678 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14679 - }, {
14680 - /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
14681 - NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
14682 -- 0, FB_VMODE_NONINTERLACED
14683 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14684 - }, {
14685 - /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
14686 - NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
14687 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14688 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14689 - }, {
14690 - /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
14691 - NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
14692 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14693 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14694 - }, {
14695 - /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
14696 - NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
14697 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14698 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14699 - }, {
14700 - /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
14701 - NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
14702 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14703 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14704 - }, {
14705 - /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
14706 - NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
14707 -- 0, FB_VMODE_NONINTERLACED
14708 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14709 - }, {
14710 - /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
14711 - NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
14712 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14713 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14714 - }, {
14715 - /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
14716 - NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
14717 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14718 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14719 - }, {
14720 - /* 512x384 @ 78 Hz, 31.50 kHz hsync */
14721 - NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
14722 -- 0, FB_VMODE_NONINTERLACED
14723 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14724 - }, {
14725 - /* 512x384 @ 85 Hz, 34.38 kHz hsync */
14726 - NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
14727 -- 0, FB_VMODE_NONINTERLACED
14728 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14729 - }, {
14730 - /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
14731 - NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
14732 -- 0, FB_VMODE_DOUBLE
14733 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14734 - }, {
14735 - /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
14736 - NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
14737 -- 0, FB_VMODE_DOUBLE
14738 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14739 - }, {
14740 - /* 320x240 @ 72 Hz, 36.5 kHz hsync */
14741 - NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
14742 -- 0, FB_VMODE_DOUBLE
14743 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14744 - }, {
14745 - /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
14746 - NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
14747 -- 0, FB_VMODE_DOUBLE
14748 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14749 - }, {
14750 - /* 400x300 @ 60 Hz, 37.8 kHz hsync */
14751 - NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
14752 -- 0, FB_VMODE_DOUBLE
14753 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14754 - }, {
14755 - /* 400x300 @ 72 Hz, 48.0 kHz hsync */
14756 - NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
14757 -- 0, FB_VMODE_DOUBLE
14758 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14759 - }, {
14760 - /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
14761 - NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
14762 -- 0, FB_VMODE_DOUBLE
14763 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14764 - }, {
14765 - /* 480x300 @ 60 Hz, 37.8 kHz hsync */
14766 - NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
14767 -- 0, FB_VMODE_DOUBLE
14768 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14769 - }, {
14770 - /* 480x300 @ 63 Hz, 39.6 kHz hsync */
14771 - NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
14772 -- 0, FB_VMODE_DOUBLE
14773 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14774 - }, {
14775 - /* 480x300 @ 72 Hz, 48.0 kHz hsync */
14776 - NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
14777 -- 0, FB_VMODE_DOUBLE
14778 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
14779 - }, {
14780 - /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
14781 - NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
14782 - FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
14783 -- FB_VMODE_NONINTERLACED
14784 -+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14785 - }, {
14786 - /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
14787 - NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
14788 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
14789 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14790 - }, {
14791 - /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
14792 - NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
14793 -- 0, FB_VMODE_NONINTERLACED
14794 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14795 - }, {
14796 - /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
14797 - NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
14798 -- 0, FB_VMODE_NONINTERLACED
14799 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
14800 - },
14801 - };
14802 -
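Review bot: this 200-line hunk only appends `FB_MODE_IS_UNKNOWN` as the trailing initializer of every entry in `modedb[]`, so it has no runtime effect provided FB_MODE_IS_UNKNOWN is the zero value that implicit initialization would have produced; the changelog should state that. Converting the table to designated initializers (`.refresh = 70, .xres = 640, ...`) would silence the missing-field-initializers warning permanently instead of requiring a hunk like this one each time struct fb_videomode grows a member.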
14803 -diff -urNp linux-2.6.24.4/drivers/video/uvesafb.c linux-2.6.24.4/drivers/video/uvesafb.c
14804 ---- linux-2.6.24.4/drivers/video/uvesafb.c 2008-03-24 14:49:18.000000000 -0400
14805 -+++ linux-2.6.24.4/drivers/video/uvesafb.c 2008-03-26 17:56:56.000000000 -0400
14806 -@@ -117,7 +117,7 @@ static int uvesafb_helper_start(void)
14807 - NULL,
14808 - };
14809 -
14810 -- return call_usermodehelper(v86d_path, argv, envp, 1);
14811 -+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
14812 - }
14813 -
14814 - /*
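Review bot: replacing the bare `1` with `UMH_WAIT_PROC` in `call_usermodehelper(v86d_path, argv, envp, ...)` is a readability fix with no behaviour change, since UMH_WAIT_PROC is the enum value 1 that makes the caller block until the v86d helper process exits. It is unrelated to the surrounding warning cleanups, so it is worth a line of its own in the changelog.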
14815 -diff -urNp linux-2.6.24.4/drivers/video/vesafb.c linux-2.6.24.4/drivers/video/vesafb.c
14816 ---- linux-2.6.24.4/drivers/video/vesafb.c 2008-03-24 14:49:18.000000000 -0400
14817 -+++ linux-2.6.24.4/drivers/video/vesafb.c 2008-03-26 17:56:56.000000000 -0400
14818 -@@ -9,6 +9,7 @@
14819 - */
14820 -
14821 - #include <linux/module.h>
14822 -+#include <linux/moduleloader.h>
14823 - #include <linux/kernel.h>
14824 - #include <linux/errno.h>
14825 - #include <linux/string.h>
14826 -@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
14827 - static int vram_total __initdata; /* Set total amount of memory */
14828 - static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
14829 - static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
14830 --static void (*pmi_start)(void) __read_mostly;
14831 --static void (*pmi_pal) (void) __read_mostly;
14832 -+static void (*pmi_start)(void) __read_only;
14833 -+static void (*pmi_pal) (void) __read_only;
14834 - static int depth __read_mostly;
14835 - static int vga_compat __read_mostly;
14836 - /* --------------------------------------------------------------------- */
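Review bot: moving `pmi_start` and `pmi_pal` from `__read_mostly` to `__read_only` is the hardening point of this file: these two pointers are the entry points into BIOS-supplied protected-mode code, so write-protecting them after init means a stray kernel write can no longer redirect those calls. The consequence is that the assignment `pmi_start = (void*)((char*)pmi_base + pmi_base[1]);` in the last hunk, and its `pmi_pal` counterpart, must now sit inside a `pax_open_kernel`/`pax_close_kernel` pair; that pair is not visible in the truncated hunk, and the pnpbios hunks in this same patch wrap even `__init` writes, so please confirm it is present.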
14837 -@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
14838 - unsigned int size_vmode;
14839 - unsigned int size_remap;
14840 - unsigned int size_total;
14841 -+ void *pmi_code = NULL;
14842 -
14843 - if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
14844 - return -ENODEV;
14845 -@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
14846 - size_remap = size_total;
14847 - vesafb_fix.smem_len = size_remap;
14848 -
14849 --#ifndef __i386__
14850 -- screen_info.vesapm_seg = 0;
14851 --#endif
14852 --
14853 - if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
14854 - printk(KERN_WARNING
14855 - "vesafb: cannot reserve video memory at 0x%lx\n",
14856 -@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
14857 - printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
14858 - vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
14859 -
14860 -+#ifdef __i386__
14861 -+
14862 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14863 -+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
14864 -+ if (!pmi_code)
14865 -+#elif !defined(CONFIG_PAX_KERNEXEC)
14866 -+ if (0)
14867 -+#endif
14868 -+
14869 -+#endif
14870 -+ screen_info.vesapm_seg = 0;
14871 -+
14872 - if (screen_info.vesapm_seg) {
14873 -- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
14874 -- screen_info.vesapm_seg,screen_info.vesapm_off);
14875 -+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
14876 -+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
14877 - }
14878 -
14879 - if (screen_info.vesapm_seg < 0xc000)
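Review bot: the preprocessor-interleaved `if` in front of `screen_info.vesapm_seg = 0;` is hard to read and has one surprising case. On i386 with MODULES and KERNEXEC the clear happens only when `module_alloc_exec` fails; on i386 without KERNEXEC `if (0)` makes it dead code; on non-i386 it runs unconditionally, replacing the `#ifndef __i386__` block removed in the previous hunk. But on i386 with KERNEXEC and without MODULES neither `#if` branch applies, so the statement runs unconditionally and the protected mode interface is silently disabled. Spell the four cases out in a comment, and add a `printk` for the alloc-failure and no-modules cases so the loss of PMI is visible in the log.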
14880 -@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
14881 -
14882 - if (ypan || pmi_setpal) {
14883 - unsigned short *pmi_base;
14884 -- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
14885 -- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
14886 -- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
14887 -+
14888 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14889 -+ unsigned long cr0;
14890 -+#endif
14891 -+
14892 -+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
14893 -+
14894 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14895 -+ pax_open_kernel(cr0);
14896 -+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
14897 -+#else
14898 -+ pmi_code = pmi_base;
14899 -+#endif
14900 -+
14901 -+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
14902 -+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
14903 -+
14904 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14905 -+ pmi_start = ktva_ktla(pmi_start);
14906 -+ pmi_pal = ktva_ktla(pmi_pal);
14907 -+ pax_close_kernel(cr0);
14908 -+#endif
14909 -+
14910 - printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
14911 - if (pmi_base[3]) {
14912 - printk(KERN_INFO "vesafb: pmi: ports = ");
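Review bot: `pmi_base[1]` and `pmi_base[2]` are offsets read from the firmware-provided PMI table and are added to `pmi_code` without being compared against `screen_info.vesapm_size`, so an offset beyond the copied region yields a function pointer outside the `module_alloc_exec` buffer that the `memcpy` just filled; a bounds check such as `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size)` that disables `ypan`/`pmi_setpal` before the assignments would make the copy robust against a bad table.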
14913 -@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
14914 - info->node, info->fix.id);
14915 - return 0;
14916 - err:
14917 -+
14918 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
14919 -+ module_free_exec(NULL, pmi_code);
14920 -+#endif
14921 -+
14922 - if (info->screen_base)
14923 - iounmap(info->screen_base);
14924 - framebuffer_release(info);
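Review bot: `module_free_exec(NULL, pmi_code)` at the `err:` label runs with `pmi_code == NULL` whenever the allocation failed or was skipped, so it relies on module_free_exec accepting a NULL pointer; an `if (pmi_code)` guard makes that explicit. The executable copy is also released only on the error path: when `ypan || pmi_setpal` is false the buffer allocated in the earlier hunk is never used and never freed, so either allocate it inside that branch or free it after the PMI setup when it turned out to be unused.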
14925 -diff -urNp linux-2.6.24.4/fs/9p/vfs_inode.c linux-2.6.24.4/fs/9p/vfs_inode.c
14926 ---- linux-2.6.24.4/fs/9p/vfs_inode.c 2008-03-24 14:49:18.000000000 -0400
14927 -+++ linux-2.6.24.4/fs/9p/vfs_inode.c 2008-03-26 17:56:56.000000000 -0400
14928 -@@ -996,7 +996,7 @@ static void *v9fs_vfs_follow_link(struct
14929 -
14930 - static void v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
14931 - {
14932 -- char *s = nd_get_link(nd);
14933 -+ const char *s = nd_get_link(nd);
14934 -
14935 - P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name, s);
14936 - if (!IS_ERR(s))
14937 -diff -urNp linux-2.6.24.4/fs/aio.c linux-2.6.24.4/fs/aio.c
14938 ---- linux-2.6.24.4/fs/aio.c 2008-03-24 14:49:18.000000000 -0400
14939 -+++ linux-2.6.24.4/fs/aio.c 2008-03-26 17:56:56.000000000 -0400
14940 -@@ -114,7 +114,7 @@ static int aio_setup_ring(struct kioctx
14941 - size += sizeof(struct io_event) * nr_events;
14942 - nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
14943 -
14944 -- if (nr_pages < 0)
14945 -+ if (nr_pages <= 0)
14946 - return -EINVAL;
14947 -
14948 - nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
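Review bot: the widened test `if (nr_pages <= 0)` now also rejects a zero-page ring, which matters because the next statement computes `(PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event)` and for `nr_pages == 0` that wraps to a huge unsigned value instead of a sane event count; a one-line comment would explain the `<=`, and the fix is independent of grsecurity and worth submitting upstream on its own.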
14949 -diff -urNp linux-2.6.24.4/fs/autofs4/symlink.c linux-2.6.24.4/fs/autofs4/symlink.c
14950 ---- linux-2.6.24.4/fs/autofs4/symlink.c 2008-03-24 14:49:18.000000000 -0400
14951 -+++ linux-2.6.24.4/fs/autofs4/symlink.c 2008-03-26 17:56:56.000000000 -0400
14952 -@@ -15,7 +15,7 @@
14953 - static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
14954 - {
14955 - struct autofs_info *ino = autofs4_dentry_ino(dentry);
14956 -- nd_set_link(nd, (char *)ino->u.symlink);
14957 -+ nd_set_link(nd, ino->u.symlink);
14958 - return NULL;
14959 - }
14960 -
14961 -diff -urNp linux-2.6.24.4/fs/befs/linuxvfs.c linux-2.6.24.4/fs/befs/linuxvfs.c
14962 ---- linux-2.6.24.4/fs/befs/linuxvfs.c 2008-03-24 14:49:18.000000000 -0400
14963 -+++ linux-2.6.24.4/fs/befs/linuxvfs.c 2008-03-26 17:56:56.000000000 -0400
14964 -@@ -482,7 +482,7 @@ static void befs_put_link(struct dentry
14965 - {
14966 - befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
14967 - if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
14968 -- char *p = nd_get_link(nd);
14969 -+ const char *p = nd_get_link(nd);
14970 - if (!IS_ERR(p))
14971 - kfree(p);
14972 - }
14973 -diff -urNp linux-2.6.24.4/fs/binfmt_aout.c linux-2.6.24.4/fs/binfmt_aout.c
14974 ---- linux-2.6.24.4/fs/binfmt_aout.c 2008-03-24 14:49:18.000000000 -0400
14975 -+++ linux-2.6.24.4/fs/binfmt_aout.c 2008-03-26 17:56:56.000000000 -0400
14976 -@@ -24,6 +24,7 @@
14977 - #include <linux/binfmts.h>
14978 - #include <linux/personality.h>
14979 - #include <linux/init.h>
14980 -+#include <linux/grsecurity.h>
14981 -
14982 - #include <asm/system.h>
14983 - #include <asm/uaccess.h>
14984 -@@ -123,18 +124,22 @@ static int aout_core_dump(long signr, st
14985 - /* If the size of the dump file exceeds the rlimit, then see what would happen
14986 - if we wrote the stack, but not the data area. */
14987 - #ifdef __sparc__
14988 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize + dump.u_ssize, 1);
14989 - if ((dump.u_dsize + dump.u_ssize) > limit)
14990 - dump.u_dsize = 0;
14991 - #else
14992 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
14993 - if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
14994 - dump.u_dsize = 0;
14995 - #endif
14996 -
14997 - /* Make sure we have enough room to write the stack and data areas. */
14998 - #ifdef __sparc__
14999 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
15000 - if (dump.u_ssize > limit)
15001 - dump.u_ssize = 0;
15002 - #else
15003 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
15004 - if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
15005 - dump.u_ssize = 0;
15006 - #endif
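Review bot: each `gr_learn_resource(current, RLIMIT_CORE, ..., 1)` call repeats the exact size expression of the `if` that follows it, so the two can drift apart in a later edit; compute the size once into a local (for example `unsigned long want = (dump.u_dsize + dump.u_ssize + 1) * PAGE_SIZE;`) and pass it to both the hook and the comparison in each of the four places.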
15007 -@@ -290,6 +295,8 @@ static int load_aout_binary(struct linux
15008 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
15009 - if (rlim >= RLIM_INFINITY)
15010 - rlim = ~0;
15011 -+
15012 -+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
15013 - if (ex.a_data + ex.a_bss > rlim)
15014 - return -ENOMEM;
15015 -
15016 -@@ -321,6 +328,28 @@ static int load_aout_binary(struct linux
15017 -
15018 - compute_creds(bprm);
15019 - current->flags &= ~PF_FORKNOEXEC;
15020 -+
15021 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
15022 -+ current->mm->pax_flags = 0UL;
15023 -+#endif
15024 -+
15025 -+#ifdef CONFIG_PAX_PAGEEXEC
15026 -+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
15027 -+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
15028 -+
15029 -+#ifdef CONFIG_PAX_EMUTRAMP
15030 -+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
15031 -+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
15032 -+#endif
15033 -+
15034 -+#ifdef CONFIG_PAX_MPROTECT
15035 -+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
15036 -+ current->mm->pax_flags |= MF_PAX_MPROTECT;
15037 -+#endif
15038 -+
15039 -+ }
15040 -+#endif
15041 -+
15042 - #ifdef __sparc__
15043 - if (N_MAGIC(ex) == NMAGIC) {
15044 - loff_t pos = fd_offset;
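Review bot: the a.out flag bits have inverted meaning relative to the PaX flag they control (`F_PAX_PAGEEXEC` set in `N_FLAGS(ex)` means PAGEEXEC is disabled, likewise `F_PAX_MPROTECT`), while `F_PAX_EMUTRAMP` set means EMUTRAMP enabled; a comment at the top of the block stating that convention would prevent the obvious misreading. Note also that EMUTRAMP and MPROTECT are only considered inside the PAGEEXEC branch, so a binary that opts out of PAGEEXEC silently loses both; that matches `pax_parse_ei_pax` for ELF later in this patch but deserves stating here.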
15045 -@@ -416,7 +445,7 @@ static int load_aout_binary(struct linux
15046 -
15047 - down_write(&current->mm->mmap_sem);
15048 - error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
15049 -- PROT_READ | PROT_WRITE | PROT_EXEC,
15050 -+ PROT_READ | PROT_WRITE,
15051 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
15052 - fd_offset + ex.a_text);
15053 - up_write(&current->mm->mmap_sem);
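Review bot: dropping `PROT_EXEC` from the data segment `do_mmap` in load_aout_binary is unconditional rather than gated on `MF_PAX_PAGEEXEC`, so a.out programs that execute code from their data area now fault even with PAX_PAGEEXEC turned off; either gate the change on the flag or document it in the patch description as an intentional hardening of the a.out loader.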
15054 -diff -urNp linux-2.6.24.4/fs/binfmt_elf.c linux-2.6.24.4/fs/binfmt_elf.c
15055 ---- linux-2.6.24.4/fs/binfmt_elf.c 2008-03-24 14:49:18.000000000 -0400
15056 -+++ linux-2.6.24.4/fs/binfmt_elf.c 2008-03-26 17:56:56.000000000 -0400
15057 -@@ -39,10 +39,16 @@
15058 - #include <linux/random.h>
15059 - #include <linux/elf.h>
15060 - #include <linux/utsname.h>
15061 -+#include <linux/grsecurity.h>
15062 -+
15063 - #include <asm/uaccess.h>
15064 - #include <asm/param.h>
15065 - #include <asm/page.h>
15066 -
15067 -+#ifdef CONFIG_PAX_SEGMEXEC
15068 -+#include <asm/desc.h>
15069 -+#endif
15070 -+
15071 - static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
15072 - static int load_elf_library(struct file *);
15073 - static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
15074 -@@ -84,6 +90,8 @@ static struct linux_binfmt elf_format =
15075 -
15076 - static int set_brk(unsigned long start, unsigned long end)
15077 - {
15078 -+ unsigned long e = end;
15079 -+
15080 - start = ELF_PAGEALIGN(start);
15081 - end = ELF_PAGEALIGN(end);
15082 - if (end > start) {
15083 -@@ -94,7 +102,7 @@ static int set_brk(unsigned long start,
15084 - if (BAD_ADDR(addr))
15085 - return addr;
15086 - }
15087 -- current->mm->start_brk = current->mm->brk = end;
15088 -+ current->mm->start_brk = current->mm->brk = e;
15089 - return 0;
15090 - }
15091 -
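Review bot: `set_brk` now records the unaligned `e` as `start_brk`/`brk` while still mapping the page-aligned `[start, end)` range, so the initial program break is no longer page aligned; this is what lets the sub-page `elf_brk` randomization later in this patch take effect, and a comment at `unsigned long e = end;` saying that the alignment is intentionally dropped from the stored value would keep the next reader from "fixing" it.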
15092 -@@ -328,10 +336,9 @@ static unsigned long load_elf_interp(str
15093 - {
15094 - struct elf_phdr *elf_phdata;
15095 - struct elf_phdr *eppnt;
15096 -- unsigned long load_addr = 0;
15097 -- int load_addr_set = 0;
15098 -+ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
15099 - unsigned long last_bss = 0, elf_bss = 0;
15100 -- unsigned long error = ~0UL;
15101 -+ unsigned long error = -EINVAL;
15102 - int retval, i, size;
15103 -
15104 - /* First of all, some simple consistency checks */
15105 -@@ -370,66 +377,86 @@ static unsigned long load_elf_interp(str
15106 - goto out_close;
15107 - }
15108 -
15109 -+#ifdef CONFIG_PAX_SEGMEXEC
15110 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15111 -+ task_size = SEGMEXEC_TASK_SIZE;
15112 -+#endif
15113 -+
15114 - eppnt = elf_phdata;
15115 -+ min_addr = task_size;
15116 -+ max_addr = 0;
15117 -+ error = -ENOMEM;
15118 -+
15119 - for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
15120 -- if (eppnt->p_type == PT_LOAD) {
15121 -- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
15122 -- int elf_prot = 0;
15123 -- unsigned long vaddr = 0;
15124 -- unsigned long k, map_addr;
15125 --
15126 -- if (eppnt->p_flags & PF_R)
15127 -- elf_prot = PROT_READ;
15128 -- if (eppnt->p_flags & PF_W)
15129 -- elf_prot |= PROT_WRITE;
15130 -- if (eppnt->p_flags & PF_X)
15131 -- elf_prot |= PROT_EXEC;
15132 -- vaddr = eppnt->p_vaddr;
15133 -- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
15134 -- elf_type |= MAP_FIXED;
15135 --
15136 -- map_addr = elf_map(interpreter, load_addr + vaddr,
15137 -- eppnt, elf_prot, elf_type);
15138 -- error = map_addr;
15139 -- if (BAD_ADDR(map_addr))
15140 -- goto out_close;
15141 --
15142 -- if (!load_addr_set &&
15143 -- interp_elf_ex->e_type == ET_DYN) {
15144 -- load_addr = map_addr - ELF_PAGESTART(vaddr);
15145 -- load_addr_set = 1;
15146 -- }
15147 -+ if (eppnt->p_type != PT_LOAD)
15148 -+ continue;
15149 -
15150 -- /*
15151 -- * Check to see if the section's size will overflow the
15152 -- * allowed task size. Note that p_filesz must always be
15153 -- * <= p_memsize so it's only necessary to check p_memsz.
15154 -- */
15155 -- k = load_addr + eppnt->p_vaddr;
15156 -- if (BAD_ADDR(k) ||
15157 -- eppnt->p_filesz > eppnt->p_memsz ||
15158 -- eppnt->p_memsz > TASK_SIZE ||
15159 -- TASK_SIZE - eppnt->p_memsz < k) {
15160 -- error = -ENOMEM;
15161 -- goto out_close;
15162 -- }
15163 -+ /*
15164 -+ * Check to see if the section's size will overflow the
15165 -+ * allowed task size. Note that p_filesz must always be
15166 -+ * <= p_memsize so it is only necessary to check p_memsz.
15167 -+ */
15168 -+ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
15169 -+ goto out_close;
15170 -
15171 -- /*
15172 -- * Find the end of the file mapping for this phdr, and
15173 -- * keep track of the largest address we see for this.
15174 -- */
15175 -- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
15176 -- if (k > elf_bss)
15177 -- elf_bss = k;
15178 -+ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
15179 -+ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
15180 -+ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
15181 -+ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
15182 -+ }
15183 -+ if (min_addr >= max_addr || max_addr > task_size)
15184 -+ goto out_close;
15185 -
15186 -- /*
15187 -- * Do the same thing for the memory mapping - between
15188 -- * elf_bss and last_bss is the bss section.
15189 -- */
15190 -- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
15191 -- if (k > last_bss)
15192 -- last_bss = k;
15193 -- }
15194 -+ if (interp_elf_ex->e_type == ET_DYN) {
15195 -+ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
15196 -+
15197 -+ if (load_addr >= task_size)
15198 -+ goto out_close;
15199 -+
15200 -+ load_addr -= min_addr;
15201 -+ }
15202 -+
15203 -+ eppnt = elf_phdata;
15204 -+ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
15205 -+ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
15206 -+ int elf_prot = 0;
15207 -+ unsigned long vaddr = 0;
15208 -+ unsigned long k, map_addr;
15209 -+
15210 -+ if (eppnt->p_type != PT_LOAD)
15211 -+ continue;
15212 -+
15213 -+ if (eppnt->p_flags & PF_R)
15214 -+ elf_prot = PROT_READ;
15215 -+ if (eppnt->p_flags & PF_W)
15216 -+ elf_prot |= PROT_WRITE;
15217 -+ if (eppnt->p_flags & PF_X)
15218 -+ elf_prot |= PROT_EXEC;
15219 -+ vaddr = eppnt->p_vaddr;
15220 -+
15221 -+ map_addr = elf_map(interpreter, load_addr + vaddr,
15222 -+ eppnt, elf_prot, elf_type);
15223 -+ error = map_addr;
15224 -+ if (BAD_ADDR(map_addr))
15225 -+ goto out_close;
15226 -+
15227 -+ k = load_addr + eppnt->p_vaddr;
15228 -+
15229 -+ /*
15230 -+ * Find the end of the file mapping for this phdr, and
15231 -+ * keep track of the largest address we see for this.
15232 -+ */
15233 -+ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
15234 -+ if (k > elf_bss)
15235 -+ elf_bss = k;
15236 -+
15237 -+ /*
15238 -+ * Do the same thing for the memory mapping - between
15239 -+ * elf_bss and last_bss is the bss section.
15240 -+ */
15241 -+ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
15242 -+ if (k > last_bss)
15243 -+ last_bss = k;
15244 - }
15245 -
15246 - /*
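Review bot: the new sanity check `eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz` rejects any PT_LOAD with `p_memsz == 0`, which the old code tolerated (it mapped nothing), and it fails with the `error = -ENOMEM` set before the loop rather than a header-validity error such as -EINVAL; if zero-size segments are meant to be refused, say so in the comment, otherwise use an overflow-only form such as `eppnt->p_vaddr + eppnt->p_memsz < eppnt->p_vaddr`. In the second loop `k = load_addr + eppnt->p_vaddr;` is a dead store overwritten two statements later and can be dropped.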
15247 -@@ -457,6 +484,8 @@ static unsigned long load_elf_interp(str
15248 -
15249 - *interp_load_addr = load_addr;
15250 - error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
15251 -+ if (BAD_ADDR(error))
15252 -+ error = -EFAULT;
15253 -
15254 - out_close:
15255 - kfree(elf_phdata);
15256 -@@ -467,7 +496,7 @@ out:
15257 - static unsigned long load_aout_interp(struct exec *interp_ex,
15258 - struct file *interpreter)
15259 - {
15260 -- unsigned long text_data, elf_entry = ~0UL;
15261 -+ unsigned long text_data, elf_entry = -EINVAL;
15262 - char __user * addr;
15263 - loff_t offset;
15264 -
15265 -@@ -510,6 +539,177 @@ out:
15266 - return elf_entry;
15267 - }
15268 -
15269 -+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
15270 -+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
15271 -+{
15272 -+ unsigned long pax_flags = 0UL;
15273 -+
15274 -+#ifdef CONFIG_PAX_PAGEEXEC
15275 -+ if (elf_phdata->p_flags & PF_PAGEEXEC)
15276 -+ pax_flags |= MF_PAX_PAGEEXEC;
15277 -+#endif
15278 -+
15279 -+#ifdef CONFIG_PAX_SEGMEXEC
15280 -+ if (elf_phdata->p_flags & PF_SEGMEXEC)
15281 -+ pax_flags |= MF_PAX_SEGMEXEC;
15282 -+#endif
15283 -+
15284 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15285 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15286 -+ if (nx_enabled)
15287 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15288 -+ else
15289 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15290 -+ }
15291 -+#endif
15292 -+
15293 -+#ifdef CONFIG_PAX_EMUTRAMP
15294 -+ if (elf_phdata->p_flags & PF_EMUTRAMP)
15295 -+ pax_flags |= MF_PAX_EMUTRAMP;
15296 -+#endif
15297 -+
15298 -+#ifdef CONFIG_PAX_MPROTECT
15299 -+ if (elf_phdata->p_flags & PF_MPROTECT)
15300 -+ pax_flags |= MF_PAX_MPROTECT;
15301 -+#endif
15302 -+
15303 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
15304 -+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
15305 -+ pax_flags |= MF_PAX_RANDMMAP;
15306 -+#endif
15307 -+
15308 -+ return pax_flags;
15309 -+}
15310 -+#endif
15311 -+
15312 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15313 -+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
15314 -+{
15315 -+ unsigned long pax_flags = 0UL;
15316 -+
15317 -+#ifdef CONFIG_PAX_PAGEEXEC
15318 -+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
15319 -+ pax_flags |= MF_PAX_PAGEEXEC;
15320 -+#endif
15321 -+
15322 -+#ifdef CONFIG_PAX_SEGMEXEC
15323 -+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
15324 -+ pax_flags |= MF_PAX_SEGMEXEC;
15325 -+#endif
15326 -+
15327 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15328 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15329 -+ if (nx_enabled)
15330 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15331 -+ else
15332 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15333 -+ }
15334 -+#endif
15335 -+
15336 -+#ifdef CONFIG_PAX_EMUTRAMP
15337 -+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
15338 -+ pax_flags |= MF_PAX_EMUTRAMP;
15339 -+#endif
15340 -+
15341 -+#ifdef CONFIG_PAX_MPROTECT
15342 -+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
15343 -+ pax_flags |= MF_PAX_MPROTECT;
15344 -+#endif
15345 -+
15346 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
15347 -+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
15348 -+ pax_flags |= MF_PAX_RANDMMAP;
15349 -+#endif
15350 -+
15351 -+ return pax_flags;
15352 -+}
15353 -+#endif
15354 -+
15355 -+#ifdef CONFIG_PAX_EI_PAX
15356 -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
15357 -+{
15358 -+ unsigned long pax_flags = 0UL;
15359 -+
15360 -+#ifdef CONFIG_PAX_PAGEEXEC
15361 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
15362 -+ pax_flags |= MF_PAX_PAGEEXEC;
15363 -+#endif
15364 -+
15365 -+#ifdef CONFIG_PAX_SEGMEXEC
15366 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
15367 -+ pax_flags |= MF_PAX_SEGMEXEC;
15368 -+#endif
15369 -+
15370 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
15371 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15372 -+ if (nx_enabled)
15373 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
15374 -+ else
15375 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
15376 -+ }
15377 -+#endif
15378 -+
15379 -+#ifdef CONFIG_PAX_EMUTRAMP
15380 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
15381 -+ pax_flags |= MF_PAX_EMUTRAMP;
15382 -+#endif
15383 -+
15384 -+#ifdef CONFIG_PAX_MPROTECT
15385 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
15386 -+ pax_flags |= MF_PAX_MPROTECT;
15387 -+#endif
15388 -+
15389 -+#ifdef CONFIG_PAX_ASLR
15390 -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
15391 -+ pax_flags |= MF_PAX_RANDMMAP;
15392 -+#endif
15393 -+
15394 -+ return pax_flags;
15395 -+}
15396 -+#endif
15397 -+
15398 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
15399 -+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
15400 -+{
15401 -+ unsigned long pax_flags = 0UL;
15402 -+
15403 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15404 -+ unsigned long i;
15405 -+#endif
15406 -+
15407 -+#ifdef CONFIG_PAX_EI_PAX
15408 -+ pax_flags = pax_parse_ei_pax(elf_ex);
15409 -+#endif
15410 -+
15411 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
15412 -+ for (i = 0UL; i < elf_ex->e_phnum; i++)
15413 -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
15414 -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
15415 -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
15416 -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
15417 -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
15418 -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
15419 -+ return -EINVAL;
15420 -+
15421 -+#ifdef CONFIG_PAX_SOFTMODE
15422 -+ if (pax_softmode)
15423 -+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
15424 -+ else
15425 -+#endif
15426 -+
15427 -+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
15428 -+ break;
15429 -+ }
15430 -+#endif
15431 -+
15432 -+ if (0 > pax_check_flags(&pax_flags))
15433 -+ return -EINVAL;
15434 -+
15435 -+ current->mm->pax_flags = pax_flags;
15436 -+ return 0;
15437 -+}
15438 -+#endif
15439 -+
15440 - /*
15441 - * These are the functions used to load ELF style executables and shared
15442 - * libraries. There is no binary dependent code anywhere else.
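Review bot: in `pax_parse_elf_flags` the flags computed by `pax_parse_ei_pax` are discarded as soon as a PT_PAX_FLAGS header is found, so PT_PAX_FLAGS fully overrides EI_PAX; and because hardmode treats an absent `PF_NO*` bit as "enabled" while softmode treats an absent `PF_*` bit as "disabled", a PT_PAX_FLAGS header with no bits set yields opposite results in the two modes, which deserves a comment. The `if (pax_softmode) ... else` split across `#ifdef CONFIG_PAX_SOFTMODE`/`#endif` is fragile (adding braces or a second statement later breaks one configuration silently); put both assignments inside a single `#ifdef` block instead. Finally, the PAGEEXEC/SEGMEXEC conflict block (`if (nx_enabled) pax_flags &= ~MF_PAX_SEGMEXEC; else pax_flags &= ~MF_PAX_PAGEEXEC;`) is copied verbatim into all three parsers, and `pax_parse_ei_pax` alone gates EMUTRAMP/MPROTECT on PAGEEXEC|SEGMEXEC; factoring the shared block into a helper would also make that difference explicit.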
15443 -@@ -547,7 +747,7 @@ static int load_elf_binary(struct linux_
15444 - char * elf_interpreter = NULL;
15445 - unsigned int interpreter_type = INTERPRETER_NONE;
15446 - unsigned char ibcs2_interpreter = 0;
15447 -- unsigned long error;
15448 -+ unsigned long error = 0;
15449 - struct elf_phdr *elf_ppnt, *elf_phdata;
15450 - unsigned long elf_bss, elf_brk;
15451 - int elf_exec_fileno;
15452 -@@ -559,12 +759,12 @@ static int load_elf_binary(struct linux_
15453 - char passed_fileno[6];
15454 - struct files_struct *files;
15455 - int executable_stack = EXSTACK_DEFAULT;
15456 -- unsigned long def_flags = 0;
15457 - struct {
15458 - struct elfhdr elf_ex;
15459 - struct elfhdr interp_elf_ex;
15460 - struct exec interp_ex;
15461 - } *loc;
15462 -+ unsigned long task_size = TASK_SIZE;
15463 -
15464 - loc = kmalloc(sizeof(*loc), GFP_KERNEL);
15465 - if (!loc) {
15466 -@@ -799,14 +999,89 @@ static int load_elf_binary(struct linux_
15467 -
15468 - /* OK, This is the point of no return */
15469 - current->flags &= ~PF_FORKNOEXEC;
15470 -- current->mm->def_flags = def_flags;
15471 -+
15472 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
15473 -+ current->mm->pax_flags = 0UL;
15474 -+#endif
15475 -+
15476 -+#ifdef CONFIG_PAX_DLRESOLVE
15477 -+ current->mm->call_dl_resolve = 0UL;
15478 -+#endif
15479 -+
15480 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
15481 -+ current->mm->call_syscall = 0UL;
15482 -+#endif
15483 -+
15484 -+#ifdef CONFIG_PAX_ASLR
15485 -+ current->mm->delta_mmap = 0UL;
15486 -+ current->mm->delta_stack = 0UL;
15487 -+#endif
15488 -+
15489 -+ current->mm->def_flags = 0;
15490 -+
15491 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
15492 -+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
15493 -+ send_sig(SIGKILL, current, 0);
15494 -+ goto out_free_dentry;
15495 -+ }
15496 -+#endif
15497 -+
15498 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
15499 -+ pax_set_initial_flags(bprm);
15500 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
15501 -+ if (pax_set_initial_flags_func)
15502 -+ (pax_set_initial_flags_func)(bprm);
15503 -+#endif
15504 -+
15505 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
15506 -+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
15507 -+ current->mm->context.user_cs_limit = PAGE_SIZE;
15508 -+ current->mm->def_flags |= VM_PAGEEXEC;
15509 -+ }
15510 -+#endif
15511 -+
15512 -+#ifdef CONFIG_PAX_SEGMEXEC
15513 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
15514 -+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
15515 -+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
15516 -+ task_size = SEGMEXEC_TASK_SIZE;
15517 -+ }
15518 -+#endif
15519 -+
15520 -+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
15521 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
15522 -+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
15523 -+ put_cpu_no_resched();
15524 -+ }
15525 -+#endif
15526 -+
15527 -+#ifdef CONFIG_PAX_ASLR
15528 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
15529 -+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
15530 -+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
15531 -+ }
15532 -+#endif
15533 -+
15534 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15535 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
15536 -+ executable_stack = EXSTACK_DEFAULT;
15537 -+#endif
15538 -
15539 - /* Do this immediately, since STACK_TOP as used in setup_arg_pages
15540 - may depend on the personality. */
15541 - SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
15542 -+
15543 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15544 -+ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
15545 -+#endif
15546 -+
15547 - if (elf_read_implies_exec(loc->elf_ex, executable_stack))
15548 - current->personality |= READ_IMPLIES_EXEC;
15549 -
15550 -+#ifdef CONFIG_PAX_ASLR
15551 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
15552 -+#endif
15553 -+
15554 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15555 - current->flags |= PF_RANDOMIZE;
15556 - arch_pick_mmap_layout(current->mm);
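Review bot: `executable_stack = EXSTACK_DEFAULT;` under PAGEEXEC/SEGMEXEC unconditionally discards the earlier PT_GNU_STACK decision (including an explicit request for an executable stack), and the `#if ... if (!(current->mm->pax_flags & ...)) #endif` lines turn the following `if (elf_read_implies_exec(...))` and `if (!(current->personality & ADDR_NO_RANDOMIZE) ...)` statements into brace-less nested `if`s, so both policies are applied silently; a short comment on each (PaX NX policy overrides PT_GNU_STACK, PaX ASLR replaces `PF_RANDOMIZE`) and braces around the nested statements would make the intent clear and protect against a future `else`.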
15557 -@@ -882,6 +1157,20 @@ static int load_elf_binary(struct linux_
15558 - * might try to exec. This is because the brk will
15559 - * follow the loader, and is not movable. */
15560 - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
15561 -+
15562 -+#ifdef CONFIG_PAX_RANDMMAP
15563 -+ /* PaX: randomize base address at the default exe base if requested */
15564 -+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
15565 -+#ifdef CONFIG_SPARC64
15566 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
15567 -+#else
15568 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
15569 -+#endif
15570 -+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
15571 -+ elf_flags |= MAP_FIXED;
15572 -+ }
15573 -+#endif
15574 -+
15575 - }
15576 -
15577 - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
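Review bot: the randomized `load_bias` is only applied when `elf_interpreter` is non-NULL, so an ET_DYN executable without an interpreter keeps the fixed `ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr)` base even with `MF_PAX_RANDMMAP` set; if that exclusion is deliberate (a dynamic loader run directly) a comment should say so. Adding `MAP_FIXED` here also means a collision with an existing mapping at the chosen address is overmapped rather than reported; at this point in exec nothing else should be mapped yet, but that assumption belongs in a comment next to the flag.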
15578 -@@ -914,9 +1203,9 @@ static int load_elf_binary(struct linux_
15579 - * allowed task size. Note that p_filesz must always be
15580 - * <= p_memsz so it is only necessary to check p_memsz.
15581 - */
15582 -- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
15583 -- elf_ppnt->p_memsz > TASK_SIZE ||
15584 -- TASK_SIZE - elf_ppnt->p_memsz < k) {
15585 -+ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
15586 -+ elf_ppnt->p_memsz > task_size ||
15587 -+ task_size - elf_ppnt->p_memsz < k) {
15588 - /* set_brk can never work. Avoid overflows. */
15589 - send_sig(SIGKILL, current, 0);
15590 - retval = -EINVAL;
15591 -@@ -944,6 +1233,11 @@ static int load_elf_binary(struct linux_
15592 - start_data += load_bias;
15593 - end_data += load_bias;
15594 -
15595 -+#ifdef CONFIG_PAX_RANDMMAP
15596 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
15597 -+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
15598 -+#endif
15599 -+
15600 - /* Calling set_brk effectively mmaps the pages that we need
15601 - * for the bss and break sections. We must do this before
15602 - * mapping in the interpreter, to make sure it doesn't wind
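Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` adds between one page and roughly seventeen pages of slack that is not page aligned, and it only survives because `set_brk` earlier in this patch stores the unaligned end; the two hunks depend on each other, so a comment here referencing `set_brk`, plus a note that the `k >= task_size` check above ran before this offset was added (an overflow is therefore caught only by the `set_brk` failure path), would document the invariant.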
15603 -@@ -955,9 +1249,11 @@ static int load_elf_binary(struct linux_
15604 - goto out_free_dentry;
15605 - }
15606 - if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
15607 -- send_sig(SIGSEGV, current, 0);
15608 -- retval = -EFAULT; /* Nobody gets to see this, but.. */
15609 -- goto out_free_dentry;
15610 -+ /*
15611 -+ * This bss-zeroing can fail if the ELF
15612 -+ * file specifies odd protections. So
15613 -+ * we don't check the return value
15614 -+ */
15615 - }
15616 -
15617 - if (elf_interpreter) {
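Review bot: the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now has an empty body containing only a comment, so `padzero` is still called for its side effect while its result is discarded and the `unlikely()` hint hangs on a no-op; write it as `if (elf_bss != elf_brk) padzero(elf_bss);` with the comment above it. Ignoring the failure also means the tail of the last file-backed page may keep file contents instead of zeros when that page is not writable, and the comment should state that this is accepted.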
15618 -@@ -1194,8 +1490,10 @@ static int dump_seek(struct file *file,
15619 - unsigned long n = off;
15620 - if (n > PAGE_SIZE)
15621 - n = PAGE_SIZE;
15622 -- if (!dump_write(file, buf, n))
15623 -+ if (!dump_write(file, buf, n)) {
15624 -+ free_page((unsigned long)buf);
15625 - return 0;
15626 -+ }
15627 - off -= n;
15628 - }
15629 - free_page((unsigned long)buf);
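Review bot: the added `free_page((unsigned long)buf);` on the `dump_write` failure path fixes a genuine page leak in `dump_seek` that has nothing to do with grsecurity; split it out and submit it upstream on its own so it is not lost when the patch set is rebased.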
15630 -@@ -1207,7 +1505,7 @@ static int dump_seek(struct file *file,
15631 - * Decide what to dump of a segment, part, all or none.
15632 - */
15633 - static unsigned long vma_dump_size(struct vm_area_struct *vma,
15634 -- unsigned long mm_flags)
15635 -+ unsigned long mm_flags, long signr)
15636 - {
15637 - /* The vma can be set up to tell us the answer directly. */
15638 - if (vma->vm_flags & VM_ALWAYSDUMP)
15639 -@@ -1233,7 +1531,7 @@ static unsigned long vma_dump_size(struc
15640 - if (vma->vm_file == NULL)
15641 - return 0;
15642 -
15643 -- if (FILTER(MAPPED_PRIVATE))
15644 -+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
15645 - goto whole;
15646 -
15647 - /*
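Review bot: the new `signr == SIGKILL || FILTER(MAPPED_PRIVATE)` condition dumps private file-backed mappings in full whenever the core dump is triggered with SIGKILL, but ordinary SIGKILL delivery never produces a core, so the only callers affected are those that invoke `elf_core_dump` with SIGKILL explicitly (not visible in this hunk); a comment naming that caller and explaining why a full dump is wanted in that case would make the intent clear.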
15648 -@@ -1319,8 +1617,11 @@ static int writenote(struct memelfnote *
15649 - #undef DUMP_WRITE
15650 -
15651 - #define DUMP_WRITE(addr, nr) \
15652 -+ do { \
15653 -+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
15654 - if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
15655 -- goto end_coredump;
15656 -+ goto end_coredump; \
15657 -+ } while (0);
15658 - #define DUMP_SEEK(off) \
15659 - if (!dump_seek(file, (off))) \
15660 - goto end_coredump;
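Review bot: the trailing `;` after `} while (0)` inside the `DUMP_WRITE` macro means every `DUMP_WRITE(addr, nr);` use expands to an extra empty statement, which breaks an `if (...) DUMP_WRITE(...); else ...` form and defeats the purpose of the do/while wrapper; drop that semicolon. `DUMP_SEEK` just below is still a bare `if` and would benefit from the same do/while treatment.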
15661 -@@ -1710,7 +2011,7 @@ static int elf_core_dump(long signr, str
15662 - phdr.p_offset = offset;
15663 - phdr.p_vaddr = vma->vm_start;
15664 - phdr.p_paddr = 0;
15665 -- phdr.p_filesz = vma_dump_size(vma, mm_flags);
15666 -+ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
15667 - phdr.p_memsz = vma->vm_end - vma->vm_start;
15668 - offset += phdr.p_filesz;
15669 - phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
15670 -@@ -1753,7 +2054,7 @@ static int elf_core_dump(long signr, str
15671 - unsigned long addr;
15672 - unsigned long end;
15673 -
15674 -- end = vma->vm_start + vma_dump_size(vma, mm_flags);
15675 -+ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
15676 -
15677 - for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
15678 - struct page *page;
15679 -@@ -1773,6 +2074,7 @@ static int elf_core_dump(long signr, str
15680 - flush_cache_page(vma, addr,
15681 - page_to_pfn(page));
15682 - kaddr = kmap(page);
15683 -+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
15684 - if ((size += PAGE_SIZE) > limit ||
15685 - !dump_write(file, kaddr,
15686 - PAGE_SIZE)) {
15687 -diff -urNp linux-2.6.24.4/fs/binfmt_flat.c linux-2.6.24.4/fs/binfmt_flat.c
15688 ---- linux-2.6.24.4/fs/binfmt_flat.c 2008-03-24 14:49:18.000000000 -0400
15689 -+++ linux-2.6.24.4/fs/binfmt_flat.c 2008-03-26 17:56:56.000000000 -0400
15690 -@@ -561,7 +561,9 @@ static int load_flat_file(struct linux_b
15691 - realdatastart = (unsigned long) -ENOMEM;
15692 - printk("Unable to allocate RAM for process data, errno %d\n",
15693 - (int)-realdatastart);
15694 -+ down_write(&current->mm->mmap_sem);
15695 - do_munmap(current->mm, textpos, text_len);
15696 -+ up_write(&current->mm->mmap_sem);
15697 - ret = realdatastart;
15698 - goto err;
15699 - }
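Review bot: correct fix; do_munmap requires mmap_sem held for writing, and these error paths previously called it unlocked, so another thread of the exec'ing task mapping memory at the same time could race with the unmap. The same down_write/up_write bracketing is applied consistently in the two following hunks. It is worth stating in the changelog that this is a locking fix independent of the grsecurity features, since it stands on its own.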
15700 -@@ -583,8 +585,10 @@ static int load_flat_file(struct linux_b
15701 - }
15702 - if (result >= (unsigned long)-4096) {
15703 - printk("Unable to read data+bss, errno %d\n", (int)-result);
15704 -+ down_write(&current->mm->mmap_sem);
15705 - do_munmap(current->mm, textpos, text_len);
15706 - do_munmap(current->mm, realdatastart, data_len + extra);
15707 -+ up_write(&current->mm->mmap_sem);
15708 - ret = result;
15709 - goto err;
15710 - }
15711 -@@ -657,8 +661,10 @@ static int load_flat_file(struct linux_b
15712 - }
15713 - if (result >= (unsigned long)-4096) {
15714 - printk("Unable to read code+data+bss, errno %d\n",(int)-result);
15715 -+ down_write(&current->mm->mmap_sem);
15716 - do_munmap(current->mm, textpos, text_len + data_len + extra +
15717 - MAX_SHARED_LIBS * sizeof(unsigned long));
15718 -+ up_write(&current->mm->mmap_sem);
15719 - ret = result;
15720 - goto err;
15721 - }
15722 -diff -urNp linux-2.6.24.4/fs/binfmt_misc.c linux-2.6.24.4/fs/binfmt_misc.c
15723 ---- linux-2.6.24.4/fs/binfmt_misc.c 2008-03-24 14:49:18.000000000 -0400
15724 -+++ linux-2.6.24.4/fs/binfmt_misc.c 2008-03-26 17:56:56.000000000 -0400
15725 -@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
15726 - struct files_struct *files = NULL;
15727 -
15728 - retval = -ENOEXEC;
15729 -- if (!enabled)
15730 -+ if (!enabled || bprm->misc)
15731 - goto _ret;
15732 -
15733 -+ bprm->misc++;
15734 -+
15735 - /* to keep locking time low, we copy the interpreter string */
15736 - read_lock(&entries_lock);
15737 - fmt = check_file(bprm);
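Review bot: the `bprm->misc` guard stops load_misc_binary from being entered a second time for the same bprm, which is what prevents a binfmt_misc entry whose interpreter is itself handled by binfmt_misc from recursing until the kernel stack is exhausted. Two things to confirm that are not visible in this hunk: that the new `misc` field of struct linux_binprm is zero-initialised wherever bprm is allocated (otherwise every binfmt_misc exec is refused with -ENOEXEC), and that a one-level limit is acceptable, because a legitimately chained pair of binfmt_misc interpreters now fails outright instead of being bounded at some depth. A counter compared against a small limit would give the same protection without that regression.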
15738 -@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
15739 - static struct tree_descr bm_files[] = {
15740 - [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
15741 - [3] = {"register", &bm_register_operations, S_IWUSR},
15742 -- /* last one */ {""}
15743 -+ /* last one */ {"", NULL, 0}
15744 - };
15745 - int err = simple_fill_super(sb, 0x42494e4d, bm_files);
15746 - if (!err)
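Review bot: the explicit `{"", NULL, 0}` terminator changes nothing at runtime; it only silences -Wmissing-field-initializers on the sentinel entry. The same cosmetic change appears in the cifs_uniupr.h, compat_ioctl.c, debugfs/inode.c and fuse/control.c hunks below; splitting these into a separate warning-cleanup patch would keep the security-relevant hunks easier to audit.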
15747 -diff -urNp linux-2.6.24.4/fs/buffer.c linux-2.6.24.4/fs/buffer.c
15748 ---- linux-2.6.24.4/fs/buffer.c 2008-03-24 14:49:18.000000000 -0400
15749 -+++ linux-2.6.24.4/fs/buffer.c 2008-03-26 17:56:56.000000000 -0400
15750 -@@ -41,6 +41,7 @@
15751 - #include <linux/bitops.h>
15752 - #include <linux/mpage.h>
15753 - #include <linux/bit_spinlock.h>
15754 -+#include <linux/grsecurity.h>
15755 -
15756 - static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
15757 -
15758 -@@ -2170,6 +2171,7 @@ int generic_cont_expand_simple(struct in
15759 -
15760 - err = -EFBIG;
15761 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
15762 -+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
15763 - if (limit != RLIM_INFINITY && size > (loff_t)limit) {
15764 - send_sig(SIGXFSZ, current, 0);
15765 - goto out;
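Review bot: `(unsigned long) size` truncates the loff_t on 32-bit targets, so the value reported to gr_learn_resource for RLIMIT_FSIZE is wrong for expansions beyond 4 GiB there, while the real check on the next line compares the full loff_t against `(loff_t)limit`. If the learning interface takes an unsigned long, clamp to ULONG_MAX before the cast or document that learned FSIZE values are only meaningful below that bound.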
15766 -diff -urNp linux-2.6.24.4/fs/cifs/cifs_uniupr.h linux-2.6.24.4/fs/cifs/cifs_uniupr.h
15767 ---- linux-2.6.24.4/fs/cifs/cifs_uniupr.h 2008-03-24 14:49:18.000000000 -0400
15768 -+++ linux-2.6.24.4/fs/cifs/cifs_uniupr.h 2008-03-26 17:56:56.000000000 -0400
15769 -@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
15770 - {0x0490, 0x04cc, UniCaseRangeU0490},
15771 - {0x1e00, 0x1ffc, UniCaseRangeU1e00},
15772 - {0xff40, 0xff5a, UniCaseRangeUff40},
15773 -- {0}
15774 -+ {0, 0, NULL}
15775 - };
15776 - #endif
15777 -
15778 -diff -urNp linux-2.6.24.4/fs/cifs/link.c linux-2.6.24.4/fs/cifs/link.c
15779 ---- linux-2.6.24.4/fs/cifs/link.c 2008-03-24 14:49:18.000000000 -0400
15780 -+++ linux-2.6.24.4/fs/cifs/link.c 2008-03-26 17:56:56.000000000 -0400
15781 -@@ -355,7 +355,7 @@ cifs_readlink(struct dentry *direntry, c
15782 -
15783 - void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
15784 - {
15785 -- char *p = nd_get_link(nd);
15786 -+ const char *p = nd_get_link(nd);
15787 - if (!IS_ERR(p))
15788 - kfree(p);
15789 - }
15790 -diff -urNp linux-2.6.24.4/fs/compat.c linux-2.6.24.4/fs/compat.c
15791 ---- linux-2.6.24.4/fs/compat.c 2008-03-24 14:49:18.000000000 -0400
15792 -+++ linux-2.6.24.4/fs/compat.c 2008-03-26 17:56:56.000000000 -0400
15793 -@@ -50,6 +50,7 @@
15794 - #include <linux/poll.h>
15795 - #include <linux/mm.h>
15796 - #include <linux/eventpoll.h>
15797 -+#include <linux/grsecurity.h>
15798 -
15799 - #include <asm/uaccess.h>
15800 - #include <asm/mmu_context.h>
15801 -@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
15802 - if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
15803 - struct page *page;
15804 -
15805 --#ifdef CONFIG_STACK_GROWSUP
15806 - ret = expand_stack_downwards(bprm->vma, pos);
15807 - if (ret < 0) {
15808 - /* We've exceed the stack rlimit. */
15809 - ret = -E2BIG;
15810 - goto out;
15811 - }
15812 --#endif
15813 - ret = get_user_pages(current, bprm->mm, pos,
15814 - 1, 1, 1, &page, NULL);
15815 - if (ret <= 0) {
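Review bot: removing the `#ifdef CONFIG_STACK_GROWSUP` guard makes expand_stack_downwards run on every architecture in compat_copy_strings, not only stack-grows-up ones; this pairs with the same change to get_arg_page in fs/exec.c later in this patch, but nothing in the hunk explains why the bprm stack must now be grown explicitly before get_user_pages. A comment at the call site, or a changelog entry, should record the reason so a future merge does not reinstate the guard on one of the two sites only.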
15816 -@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
15817 - compat_uptr_t __user *envp,
15818 - struct pt_regs * regs)
15819 - {
15820 -+#ifdef CONFIG_GRKERNSEC
15821 -+ struct file *old_exec_file;
15822 -+ struct acl_subject_label *old_acl;
15823 -+ struct rlimit old_rlim[RLIM_NLIMITS];
15824 -+#endif
15825 - struct linux_binprm *bprm;
15826 - struct file *file;
15827 - int retval;
15828 -@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
15829 - bprm->filename = filename;
15830 - bprm->interp = filename;
15831 -
15832 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
15833 -+ retval = -EAGAIN;
15834 -+ if (gr_handle_nproc())
15835 -+ goto out_file;
15836 -+ retval = -EACCES;
15837 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
15838 -+ goto out_file;
15839 -+
15840 - retval = bprm_mm_init(bprm);
15841 - if (retval)
15842 - goto out_file;
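Review bot: the two new refusals set `retval` and jump to `out_file`, the label the surrounding code already uses once `file` is open, so the file reference and bprm are released through the existing cleanup path. The native do_execve hunk later in this patch returns directly instead; the compat form here is the one to keep for both. Minor: `f_dentry`/`f_vfsmnt` are used here while pax_report_fault in the same patch uses `f_path.dentry`/`f_path.mnt`; pick one accessor style within the patch.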
15843 -@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
15844 - if (retval < 0)
15845 - goto out;
15846 -
15847 -+ if (!gr_tpe_allow(file)) {
15848 -+ retval = -EACCES;
15849 -+ goto out;
15850 -+ }
15851 -+
15852 -+ if (gr_check_crash_exec(file)) {
15853 -+ retval = -EACCES;
15854 -+ goto out;
15855 -+ }
15856 -+
15857 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
15858 -+
15859 -+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
15860 -+
15861 -+#ifdef CONFIG_GRKERNSEC
15862 -+ old_acl = current->acl;
15863 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
15864 -+ old_exec_file = current->exec_file;
15865 -+ get_file(file);
15866 -+ current->exec_file = file;
15867 -+#endif
15868 -+
15869 -+ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
15870 -+
15871 - retval = search_binary_handler(bprm, regs);
15872 - if (retval >= 0) {
15873 -+#ifdef CONFIG_GRKERNSEC
15874 -+ if (old_exec_file)
15875 -+ fput(old_exec_file);
15876 -+#endif
15877 - /* execve success */
15878 - security_bprm_free(bprm);
15879 - acct_update_integrals(current);
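Review bot: the return value of gr_set_proc_label is ignored here, whereas the native do_execve hunk in fs/exec.c checks it with `if (retval < 0) goto out_fail;`. If the label switch can fail, the compat path proceeds into search_binary_handler with an unset or partial subject label; if it cannot fail, the native check is dead code. Make the two paths identical. Note also that the save/restore relies on `old_exec_file`, `old_acl` and `old_rlim` being assigned before any path that reaches the restore block in the next hunk; that holds only because the earlier `goto out` jumps (TPE and crash checks) bypass the restore entirely, which deserves a comment.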
15880 -@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
15881 - return retval;
15882 - }
15883 -
15884 -+#ifdef CONFIG_GRKERNSEC
15885 -+ current->acl = old_acl;
15886 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
15887 -+ fput(current->exec_file);
15888 -+ current->exec_file = old_exec_file;
15889 -+#endif
15890 -+
15891 - out:
15892 - if (bprm->security)
15893 - security_bprm_free(bprm);
15894 -diff -urNp linux-2.6.24.4/fs/compat_ioctl.c linux-2.6.24.4/fs/compat_ioctl.c
15895 ---- linux-2.6.24.4/fs/compat_ioctl.c 2008-03-24 14:49:18.000000000 -0400
15896 -+++ linux-2.6.24.4/fs/compat_ioctl.c 2008-03-26 17:56:56.000000000 -0400
15897 -@@ -1890,15 +1890,15 @@ struct ioctl_trans {
15898 - };
15899 -
15900 - #define HANDLE_IOCTL(cmd,handler) \
15901 -- { (cmd), (ioctl_trans_handler_t)(handler) },
15902 -+ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
15903 -
15904 - /* pointer to compatible structure or no argument */
15905 - #define COMPATIBLE_IOCTL(cmd) \
15906 -- { (cmd), do_ioctl32_pointer },
15907 -+ { (cmd), do_ioctl32_pointer, NULL },
15908 -
15909 - /* argument is an unsigned long integer, not a pointer */
15910 - #define ULONG_IOCTL(cmd) \
15911 -- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
15912 -+ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
15913 -
15914 - /* ioctl should not be warned about even if it's not implemented.
15915 - Valid reasons to use this:
15916 -diff -urNp linux-2.6.24.4/fs/debugfs/inode.c linux-2.6.24.4/fs/debugfs/inode.c
15917 ---- linux-2.6.24.4/fs/debugfs/inode.c 2008-03-24 14:49:18.000000000 -0400
15918 -+++ linux-2.6.24.4/fs/debugfs/inode.c 2008-03-26 17:56:56.000000000 -0400
15919 -@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
15920 -
15921 - static int debug_fill_super(struct super_block *sb, void *data, int silent)
15922 - {
15923 -- static struct tree_descr debug_files[] = {{""}};
15924 -+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
15925 -
15926 - return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
15927 - }
15928 -diff -urNp linux-2.6.24.4/fs/exec.c linux-2.6.24.4/fs/exec.c
15929 ---- linux-2.6.24.4/fs/exec.c 2008-03-24 14:49:18.000000000 -0400
15930 -+++ linux-2.6.24.4/fs/exec.c 2008-03-26 18:53:27.000000000 -0400
15931 -@@ -51,6 +51,8 @@
15932 - #include <linux/tsacct_kern.h>
15933 - #include <linux/cn_proc.h>
15934 - #include <linux/audit.h>
15935 -+#include <linux/random.h>
15936 -+#include <linux/grsecurity.h>
15937 -
15938 - #include <asm/uaccess.h>
15939 - #include <asm/mmu_context.h>
15940 -@@ -60,6 +62,11 @@
15941 - #include <linux/kmod.h>
15942 - #endif
15943 -
15944 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
15945 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
15946 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
15947 -+#endif
15948 -+
15949 - int core_uses_pid;
15950 - char core_pattern[CORENAME_MAX_SIZE] = "core";
15951 - int suid_dumpable = 0;
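Review bot: `pax_set_initial_flags_func` is a writable function pointer exported with EXPORT_SYMBOL, so any loadable module can replace the routine that decides a new process's initial PaX flags. It is a single global with no ownership check, so the declaration should document which component is expected to set it, and EXPORT_SYMBOL_GPL is worth considering to at least narrow who can bind to it.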
15952 -@@ -158,18 +165,10 @@ static struct page *get_arg_page(struct
15953 - int write)
15954 - {
15955 - struct page *page;
15956 -- int ret;
15957 -
15958 --#ifdef CONFIG_STACK_GROWSUP
15959 -- if (write) {
15960 -- ret = expand_stack_downwards(bprm->vma, pos);
15961 -- if (ret < 0)
15962 -- return NULL;
15963 -- }
15964 --#endif
15965 -- ret = get_user_pages(current, bprm->mm, pos,
15966 -- 1, write, 1, &page, NULL);
15967 -- if (ret <= 0)
15968 -+ if (0 > expand_stack_downwards(bprm->vma, pos))
15969 -+ return NULL;
15970 -+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
15971 - return NULL;
15972 -
15973 - if (write) {
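Review bot: this rewrite does more than drop the CONFIG_STACK_GROWSUP guard: the old code only called expand_stack_downwards when `write` was set, the new code calls it for every get_arg_page, including read-only lookups. If that is intended it should be stated; otherwise keep the `if (write)` around the expansion. The `0 > f()` and `0 >= f()` comparisons are also against kernel style; `ret < 0` with the local `ret` this hunk removes reads better and matches the rest of fs/exec.c.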
15974 -@@ -234,6 +233,11 @@ static int __bprm_mm_init(struct linux_b
15975 - vma->vm_start = vma->vm_end - PAGE_SIZE;
15976 -
15977 - vma->vm_flags = VM_STACK_FLAGS;
15978 -+
15979 -+#ifdef CONFIG_PAX_SEGMEXEC
15980 -+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
15981 -+#endif
15982 -+
15983 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
15984 - err = insert_vm_struct(mm, vma);
15985 - if (err) {
15986 -@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
15987 -
15988 - bprm->p = vma->vm_end - sizeof(void *);
15989 -
15990 -+#ifdef CONFIG_PAX_RANDUSTACK
15991 -+ if (randomize_va_space)
15992 -+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
15993 -+#endif
15994 -+
15995 - return 0;
15996 -
15997 - err:
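Review bot: the XOR only stays inside the page and below vm_end because `bprm->p` was just set to `vm_end - sizeof(void *)`, whose low bits above bit 3 are all ones when vm_end is page aligned (the earlier __bprm_mm_init hunk sets `vm_start = vm_end - PAGE_SIZE`); XORing with a value masked to bits 4..11 can therefore only clear bits, moving p downward by a multiple of 16. That reasoning is not obvious from the one-liner and should be a comment, since a later change to how p is initialised would silently turn this into a pointer outside the vma. Also note the randomisation is gated on the global randomize_va_space sysctl, so a system with ASLR disabled gets no stack-offset randomisation from PaX either.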
15998 -@@ -369,7 +378,7 @@ static int count(char __user * __user *
15999 - if (!p)
16000 - break;
16001 - argv++;
16002 -- if(++i > max)
16003 -+ if (++i > max)
16004 - return -E2BIG;
16005 - cond_resched();
16006 - }
16007 -@@ -509,6 +518,10 @@ static int shift_arg_pages(struct vm_are
16008 - if (vma != find_vma(mm, new_start))
16009 - return -EFAULT;
16010 -
16011 -+#ifdef CONFIG_PAX_SEGMEXEC
16012 -+ BUG_ON(pax_find_mirror_vma(vma));
16013 -+#endif
16014 -+
16015 - /*
16016 - * cover the whole range: [new_start, old_end)
16017 - */
16018 -@@ -597,6 +610,14 @@ int setup_arg_pages(struct linux_binprm
16019 - bprm->exec -= stack_shift;
16020 -
16021 - down_write(&mm->mmap_sem);
16022 -+
16023 -+ /* Move stack pages down in memory. */
16024 -+ if (stack_shift) {
16025 -+ ret = shift_arg_pages(vma, stack_shift);
16026 -+ if (ret)
16027 -+ goto out_unlock;
16028 -+ }
16029 -+
16030 - vm_flags = vma->vm_flags;
16031 -
16032 - /*
16033 -@@ -608,23 +629,28 @@ int setup_arg_pages(struct linux_binprm
16034 - vm_flags |= VM_EXEC;
16035 - else if (executable_stack == EXSTACK_DISABLE_X)
16036 - vm_flags &= ~VM_EXEC;
16037 -+ else
16038 -+ vm_flags = VM_STACK_FLAGS;
16039 - vm_flags |= mm->def_flags;
16040 -
16041 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16042 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
16043 -+ vm_flags &= ~VM_EXEC;
16044 -+
16045 -+#ifdef CONFIG_PAX_MPROTECT
16046 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
16047 -+ vm_flags &= ~VM_MAYEXEC;
16048 -+#endif
16049 -+
16050 -+ }
16051 -+#endif
16052 -+
16053 - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
16054 - vm_flags);
16055 - if (ret)
16056 - goto out_unlock;
16057 - BUG_ON(prev != vma);
16058 -
16059 -- /* Move stack pages down in memory. */
16060 -- if (stack_shift) {
16061 -- ret = shift_arg_pages(vma, stack_shift);
16062 -- if (ret) {
16063 -- up_write(&mm->mmap_sem);
16064 -- return ret;
16065 -- }
16066 -- }
16067 --
16068 - #ifdef CONFIG_STACK_GROWSUP
16069 - stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
16070 - #else
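Review bot: the added `else vm_flags = VM_STACK_FLAGS;` re-asserts VM_EXEC and VM_MAYEXEC for the EXSTACK_DEFAULT case, undoing the `vm_flags &= ~(VM_EXEC | VM_MAYEXEC)` that the __bprm_mm_init hunk applied under CONFIG_PAX_SEGMEXEC, and then relies on the PaX block immediately below to clear them again for tasks with MF_PAX_PAGEEXEC or MF_PAX_SEGMEXEC set. The result is correct but order-dependent; a comment saying the default branch deliberately starts from an executable stack and PaX policy is applied afterwards would stop someone reordering the two blocks. Moving shift_arg_pages ahead of mprotect_fixup and routing its failure through `out_unlock` is tidy, provided the `return ret` fix in the next hunk goes in with it.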
16071 -@@ -636,7 +662,7 @@ int setup_arg_pages(struct linux_binprm
16072 -
16073 - out_unlock:
16074 - up_write(&mm->mmap_sem);
16075 -- return 0;
16076 -+ return ret;
16077 - }
16078 - EXPORT_SYMBOL(setup_arg_pages);
16079 -
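Review bot: good catch; before this change `out_unlock` returned 0 even when mprotect_fixup had failed, so setup_arg_pages could report success with the stack vma left in an inconsistent state. With `goto out_unlock` now used by the shift_arg_pages path as well, `ret` must be assigned on every route that reaches the label; the hunks above assign it before each `goto out_unlock`, but the fall-through path after the `#ifdef CONFIG_STACK_GROWSUP` block is outside this context, so confirm `ret` is set there too.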
16080 -@@ -655,7 +681,7 @@ struct file *open_exec(const char *name)
16081 - struct inode *inode = nd.dentry->d_inode;
16082 - file = ERR_PTR(-EACCES);
16083 - if (S_ISREG(inode->i_mode)) {
16084 -- int err = vfs_permission(&nd, MAY_EXEC);
16085 -+ err = vfs_permission(&nd, MAY_EXEC);
16086 - file = ERR_PTR(err);
16087 - if (!err) {
16088 - file = nameidata_to_filp(&nd, O_RDONLY);
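Review bot: dropping the `int` turns a block-local `err` into an assignment to an outer variable, removing a shadowed declaration; that only compiles if `err` is declared earlier in open_exec, which is outside this hunk's context and is not added by this patch. Confirm the outer declaration exists in the 2.6.24.4 tree this is applied to.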
16089 -@@ -1293,6 +1319,11 @@ int do_execve(char * filename,
16090 - char __user *__user *envp,
16091 - struct pt_regs * regs)
16092 - {
16093 -+#ifdef CONFIG_GRKERNSEC
16094 -+ struct file *old_exec_file;
16095 -+ struct acl_subject_label *old_acl;
16096 -+ struct rlimit old_rlim[RLIM_NLIMITS];
16097 -+#endif
16098 - struct linux_binprm *bprm;
16099 - struct file *file;
16100 - unsigned long env_p;
16101 -@@ -1308,6 +1339,20 @@ int do_execve(char * filename,
16102 - if (IS_ERR(file))
16103 - goto out_kfree;
16104 -
16105 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
16106 -+
16107 -+ if (gr_handle_nproc()) {
16108 -+ allow_write_access(file);
16109 -+ fput(file);
16110 -+ return -EAGAIN;
16111 -+ }
16112 -+
16113 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
16114 -+ allow_write_access(file);
16115 -+ fput(file);
16116 -+ return -EACCES;
16117 -+ }
16118 -+
16119 - sched_exec();
16120 -
16121 - bprm->file = file;
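Review bot: the two new refusals `return -EAGAIN` and `return -EACCES` directly, while the context line just above shows the function's own error path is `goto out_kfree`, i.e. `bprm` has already been allocated when these checks run. Returning here leaks that allocation on every denied exec, which an unprivileged user can trigger repeatedly. Set `retval` and `goto out_kfree` after the allow_write_access/fput pair, or better, mirror the compat_do_execve hunk earlier in this patch, which routes the same two checks through the existing cleanup labels.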
16122 -@@ -1349,8 +1394,38 @@ int do_execve(char * filename,
16123 - goto out;
16124 - bprm->argv_len = env_p - bprm->p;
16125 -
16126 -+ if (!gr_tpe_allow(file)) {
16127 -+ retval = -EACCES;
16128 -+ goto out;
16129 -+ }
16130 -+
16131 -+ if (gr_check_crash_exec(file)) {
16132 -+ retval = -EACCES;
16133 -+ goto out;
16134 -+ }
16135 -+
16136 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
16137 -+
16138 -+ gr_handle_exec_args(bprm, argv);
16139 -+
16140 -+#ifdef CONFIG_GRKERNSEC
16141 -+ old_acl = current->acl;
16142 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
16143 -+ old_exec_file = current->exec_file;
16144 -+ get_file(file);
16145 -+ current->exec_file = file;
16146 -+#endif
16147 -+
16148 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
16149 -+ if (retval < 0)
16150 -+ goto out_fail;
16151 -+
16152 - retval = search_binary_handler(bprm,regs);
16153 - if (retval >= 0) {
16154 -+#ifdef CONFIG_GRKERNSEC
16155 -+ if (old_exec_file)
16156 -+ fput(old_exec_file);
16157 -+#endif
16158 - /* execve success */
16159 - free_arg_pages(bprm);
16160 - security_bprm_free(bprm);
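Review bot: here gr_set_proc_label's result is checked and failure goes to `out_fail`, which is the right shape; the compat_do_execve version of this block ignores the return value, so the two should be reconciled. The reference accounting is otherwise balanced: `get_file(file)` is matched by the `fput(current->exec_file)` in out_fail on failure, and by dropping `old_exec_file` after search_binary_handler succeeds.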
16161 -@@ -1359,6 +1434,14 @@ int do_execve(char * filename,
16162 - return retval;
16163 - }
16164 -
16165 -+out_fail:
16166 -+#ifdef CONFIG_GRKERNSEC
16167 -+ current->acl = old_acl;
16168 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
16169 -+ fput(current->exec_file);
16170 -+ current->exec_file = old_exec_file;
16171 -+#endif
16172 -+
16173 - out:
16174 - free_arg_pages(bprm);
16175 - if (bprm->security)
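Review bot: `out_fail` is reached both by the explicit `goto out_fail` after gr_set_proc_label and by falling through when search_binary_handler returns an error, and in both cases the saved ACL, rlimits and exec_file are restored before the normal `out:` cleanup. That is correct, but deserves a one-line comment, because a reader seeing a label with no preceding jump in this hunk may assume the fall-through is accidental.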
16176 -@@ -1523,6 +1606,114 @@ out:
16177 - return ispipe;
16178 - }
16179 -
16180 -+int pax_check_flags(unsigned long *flags)
16181 -+{
16182 -+ int retval = 0;
16183 -+
16184 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
16185 -+ if (*flags & MF_PAX_SEGMEXEC)
16186 -+ {
16187 -+ *flags &= ~MF_PAX_SEGMEXEC;
16188 -+ retval = -EINVAL;
16189 -+ }
16190 -+#endif
16191 -+
16192 -+ if ((*flags & MF_PAX_PAGEEXEC)
16193 -+
16194 -+#ifdef CONFIG_PAX_PAGEEXEC
16195 -+ && (*flags & MF_PAX_SEGMEXEC)
16196 -+#endif
16197 -+
16198 -+ )
16199 -+ {
16200 -+ *flags &= ~MF_PAX_PAGEEXEC;
16201 -+ retval = -EINVAL;
16202 -+ }
16203 -+
16204 -+ if ((*flags & MF_PAX_MPROTECT)
16205 -+
16206 -+#ifdef CONFIG_PAX_MPROTECT
16207 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
16208 -+#endif
16209 -+
16210 -+ )
16211 -+ {
16212 -+ *flags &= ~MF_PAX_MPROTECT;
16213 -+ retval = -EINVAL;
16214 -+ }
16215 -+
16216 -+ if ((*flags & MF_PAX_EMUTRAMP)
16217 -+
16218 -+#ifdef CONFIG_PAX_EMUTRAMP
16219 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
16220 -+#endif
16221 -+
16222 -+ )
16223 -+ {
16224 -+ *flags &= ~MF_PAX_EMUTRAMP;
16225 -+ retval = -EINVAL;
16226 -+ }
16227 -+
16228 -+ return retval;
16229 -+}
16230 -+
16231 -+EXPORT_SYMBOL(pax_check_flags);
16232 -+
16233 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16234 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
16235 -+{
16236 -+ struct task_struct *tsk = current;
16237 -+ struct mm_struct *mm = current->mm;
16238 -+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
16239 -+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
16240 -+ char *path_exec = NULL;
16241 -+ char *path_fault = NULL;
16242 -+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
16243 -+
16244 -+ if (buffer_exec && buffer_fault) {
16245 -+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
16246 -+
16247 -+ down_read(&mm->mmap_sem);
16248 -+ vma = mm->mmap;
16249 -+ while (vma && (!vma_exec || !vma_fault)) {
16250 -+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
16251 -+ vma_exec = vma;
16252 -+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
16253 -+ vma_fault = vma;
16254 -+ vma = vma->vm_next;
16255 -+ }
16256 -+ if (vma_exec) {
16257 -+ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
16258 -+ if (IS_ERR(path_exec))
16259 -+ path_exec = "<path too long>";
16260 -+ }
16261 -+ if (vma_fault) {
16262 -+ start = vma_fault->vm_start;
16263 -+ end = vma_fault->vm_end;
16264 -+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
16265 -+ if (vma_fault->vm_file) {
16266 -+ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
16267 -+ if (IS_ERR(path_fault))
16268 -+ path_fault = "<path too long>";
16269 -+ } else
16270 -+ path_fault = "<anonymous mapping>";
16271 -+ }
16272 -+ up_read(&mm->mmap_sem);
16273 -+ }
16274 -+ if (tsk->signal->curr_ip)
16275 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
16276 -+ else
16277 -+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
16278 -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
16279 -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
16280 -+ tsk->uid, tsk->euid, pc, sp);
16281 -+ free_page((unsigned long)buffer_exec);
16282 -+ free_page((unsigned long)buffer_fault);
16283 -+ pax_report_insns(pc, sp);
16284 -+ do_coredump(SIGKILL, SIGKILL, regs);
16285 -+}
16286 -+#endif
16287 -+
16288 - static void zap_process(struct task_struct *start)
16289 - {
16290 - struct task_struct *t;
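Review bot: in pax_report_fault, `path_exec` and `path_fault` stay NULL when no matching vma is found or when either __get_free_page fails, and are then passed to `%s` in the printk calls; initialise them to fixed strings such as "<unknown>" so the report does not depend on printk's NULL handling and the log line always carries a value in that position. In pax_check_flags, the brace-on-its-own-line `if (...)\n{` and the `#ifdef` fragments spliced into the middle of the conditions are hard to read; computing a supported-flags mask once under the config options and testing against it would express the same rules in a few lines. The SIGKILL passed to do_coredump at the end is what the earlier vma_dump_size hunk keys on to dump private mappings in full.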
16291 -@@ -1720,6 +1911,10 @@ int do_coredump(long signr, int exit_cod
16292 - */
16293 - clear_thread_flag(TIF_SIGPENDING);
16294 -
16295 -+ if (signr == SIGKILL || signr == SIGILL)
16296 -+ gr_handle_brute_attach(current);
16297 -+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
16298 -+
16299 - /*
16300 - * lock_kernel() because format_corename() is controlled by sysctl, which
16301 - * uses lock_kernel()
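Review bot: `binfmt->min_coredump` is dereferenced unconditionally here; do_coredump's guard against a NULL binfmt or a binfmt without core_dump is outside this hunk's context, so confirm the hook sits after it. Also, gr_handle_brute_attach is triggered by SIGKILL or SIGILL only, with SIGKILL reaching do_coredump via the PaX path added in this patch; documenting which terminations are meant to count as brute-force indicators (SIGSEGV is notably absent) would make the detection policy reviewable.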
16302 -@@ -1740,6 +1935,8 @@ int do_coredump(long signr, int exit_cod
16303 -
16304 - if (ispipe) {
16305 - helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
16306 -+ if (!helper_argv)
16307 -+ goto fail_unlock;
16308 - /* Terminate the string before the first option */
16309 - delimit = strchr(corename, ' ');
16310 - if (delimit)
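Review bot: good fix; argv_split returns NULL on allocation failure and the old code dereferenced the result, so a low-memory core dump with a pipe pattern could oops. `fail_unlock` needs to release the lock_kernel() taken for format_corename (the context comment refers to it) as well as any mm state; confirm that label exists at this point in do_coredump and does both.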
16311 -diff -urNp linux-2.6.24.4/fs/ext2/balloc.c linux-2.6.24.4/fs/ext2/balloc.c
16312 ---- linux-2.6.24.4/fs/ext2/balloc.c 2008-03-24 14:49:18.000000000 -0400
16313 -+++ linux-2.6.24.4/fs/ext2/balloc.c 2008-03-26 17:56:56.000000000 -0400
16314 -@@ -1127,7 +1127,7 @@ static int ext2_has_free_blocks(struct e
16315 -
16316 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16317 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
16318 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16319 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16320 - sbi->s_resuid != current->fsuid &&
16321 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16322 - return 0;
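Review bot: switching to capable_nolog for the reserved-blocks check avoids a capability-denial log entry every time an unprivileged writer hits the reserved pool, which is the normal case on a full filesystem and would otherwise flood the audit log. The same substitution is made in the ext3 and ext4 balloc hunks below; capable_nolog is introduced elsewhere in this patch, so these hunks only build with the rest of it applied.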
16323 -diff -urNp linux-2.6.24.4/fs/ext3/balloc.c linux-2.6.24.4/fs/ext3/balloc.c
16324 ---- linux-2.6.24.4/fs/ext3/balloc.c 2008-03-24 14:49:18.000000000 -0400
16325 -+++ linux-2.6.24.4/fs/ext3/balloc.c 2008-03-26 17:56:56.000000000 -0400
16326 -@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
16327 -
16328 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16329 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
16330 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16331 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16332 - sbi->s_resuid != current->fsuid &&
16333 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16334 - return 0;
16335 -diff -urNp linux-2.6.24.4/fs/ext3/namei.c linux-2.6.24.4/fs/ext3/namei.c
16336 ---- linux-2.6.24.4/fs/ext3/namei.c 2008-03-24 14:49:18.000000000 -0400
16337 -+++ linux-2.6.24.4/fs/ext3/namei.c 2008-03-26 17:56:56.000000000 -0400
16338 -@@ -1181,9 +1181,9 @@ static struct ext3_dir_entry_2 *do_split
16339 - u32 hash2;
16340 - struct dx_map_entry *map;
16341 - char *data1 = (*bh)->b_data, *data2;
16342 -- unsigned split, move, size, i;
16343 -+ unsigned split, move, size;
16344 - struct ext3_dir_entry_2 *de = NULL, *de2;
16345 -- int err = 0;
16346 -+ int i, err = 0;
16347 -
16348 - bh2 = ext3_append (handle, dir, &newblock, &err);
16349 - if (!(bh2)) {
16350 -diff -urNp linux-2.6.24.4/fs/ext3/xattr.c linux-2.6.24.4/fs/ext3/xattr.c
16351 ---- linux-2.6.24.4/fs/ext3/xattr.c 2008-03-24 14:49:18.000000000 -0400
16352 -+++ linux-2.6.24.4/fs/ext3/xattr.c 2008-03-26 17:56:56.000000000 -0400
16353 -@@ -89,8 +89,8 @@
16354 - printk("\n"); \
16355 - } while (0)
16356 - #else
16357 --# define ea_idebug(f...)
16358 --# define ea_bdebug(f...)
16359 -+# define ea_idebug(f...) do {} while (0)
16360 -+# define ea_bdebug(f...) do {} while (0)
16361 - #endif
16362 -
16363 - static void ext3_xattr_cache_insert(struct buffer_head *);
16364 -diff -urNp linux-2.6.24.4/fs/ext4/balloc.c linux-2.6.24.4/fs/ext4/balloc.c
16365 ---- linux-2.6.24.4/fs/ext4/balloc.c 2008-03-24 14:49:18.000000000 -0400
16366 -+++ linux-2.6.24.4/fs/ext4/balloc.c 2008-03-26 17:56:56.000000000 -0400
16367 -@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
16368 -
16369 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
16370 - root_blocks = ext4_r_blocks_count(sbi->s_es);
16371 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
16372 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
16373 - sbi->s_resuid != current->fsuid &&
16374 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
16375 - return 0;
16376 -diff -urNp linux-2.6.24.4/fs/ext4/namei.c linux-2.6.24.4/fs/ext4/namei.c
16377 ---- linux-2.6.24.4/fs/ext4/namei.c 2008-03-24 14:49:18.000000000 -0400
16378 -+++ linux-2.6.24.4/fs/ext4/namei.c 2008-03-26 17:56:56.000000000 -0400
16379 -@@ -1178,9 +1178,9 @@ static struct ext4_dir_entry_2 *do_split
16380 - u32 hash2;
16381 - struct dx_map_entry *map;
16382 - char *data1 = (*bh)->b_data, *data2;
16383 -- unsigned split, move, size, i;
16384 -+ unsigned split, move, size;
16385 - struct ext4_dir_entry_2 *de = NULL, *de2;
16386 -- int err = 0;
16387 -+ int i, err = 0;
16388 -
16389 - bh2 = ext4_append (handle, dir, &newblock, &err);
16390 - if (!(bh2)) {
16391 -diff -urNp linux-2.6.24.4/fs/fcntl.c linux-2.6.24.4/fs/fcntl.c
16392 ---- linux-2.6.24.4/fs/fcntl.c 2008-03-24 14:49:18.000000000 -0400
16393 -+++ linux-2.6.24.4/fs/fcntl.c 2008-03-26 17:56:56.000000000 -0400
16394 -@@ -19,6 +19,7 @@
16395 - #include <linux/signal.h>
16396 - #include <linux/rcupdate.h>
16397 - #include <linux/pid_namespace.h>
16398 -+#include <linux/grsecurity.h>
16399 -
16400 - #include <asm/poll.h>
16401 - #include <asm/siginfo.h>
16402 -@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
16403 - struct fdtable *fdt;
16404 -
16405 - error = -EINVAL;
16406 -+ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
16407 - if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16408 - goto out;
16409 -
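Review bot: the final argument to gr_learn_resource is 0 in the RLIMIT_NOFILE hooks here and in the dup2 hunk below, but 1 in the RLIMIT_CORE, RLIMIT_FSIZE and RLIMIT_NPROC hooks elsewhere in this patch, and its meaning is not visible anywhere in the diff. Document the parameter where the function is declared, or give it an enum, so the intent can be checked per call site.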
16410 -@@ -83,6 +85,7 @@ repeat:
16411 - fdt->max_fds, start);
16412 -
16413 - error = -EMFILE;
16414 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
16415 - if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16416 - goto out;
16417 -
16418 -@@ -144,6 +147,8 @@ asmlinkage long sys_dup2(unsigned int ol
16419 - struct files_struct * files = current->files;
16420 - struct fdtable *fdt;
16421 -
16422 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
16423 -+
16424 - spin_lock(&files->file_lock);
16425 - if (!(file = fcheck(oldfd)))
16426 - goto out_unlock;
16427 -@@ -463,7 +468,8 @@ static inline int sigio_perm(struct task
16428 - return (((fown->euid == 0) ||
16429 - (fown->euid == p->suid) || (fown->euid == p->uid) ||
16430 - (fown->uid == p->suid) || (fown->uid == p->uid)) &&
16431 -- !security_file_send_sigiotask(p, fown, sig));
16432 -+ !security_file_send_sigiotask(p, fown, sig) &&
16433 -+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
16434 - }
16435 -
16436 - static void send_sigio_to_task(struct task_struct *p,
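Review bot: adding `!gr_check_protected_task(p) && !gr_pid_is_chrooted(p)` to sigio_perm blocks asynchronous I/O signals to protected and chrooted targets from every sender, including one with a matching euid. For protected tasks that is consistent with the rest of the signal restrictions; for chrooted tasks it means a chrooted daemon that sets itself as owner with F_SETOWN never receives SIGIO/SIGURG on its own descriptors. If that side effect is intended it should be listed in the option's help text; if not, the chroot check should compare the sender's and target's root rather than deny on the target alone.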
16437 -diff -urNp linux-2.6.24.4/fs/fuse/control.c linux-2.6.24.4/fs/fuse/control.c
16438 ---- linux-2.6.24.4/fs/fuse/control.c 2008-03-24 14:49:18.000000000 -0400
16439 -+++ linux-2.6.24.4/fs/fuse/control.c 2008-03-26 17:56:56.000000000 -0400
16440 -@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
16441 -
16442 - static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
16443 - {
16444 -- struct tree_descr empty_descr = {""};
16445 -+ struct tree_descr empty_descr = {"", NULL, 0};
16446 - struct fuse_conn *fc;
16447 - int err;
16448 -
16449 -diff -urNp linux-2.6.24.4/fs/fuse/dir.c linux-2.6.24.4/fs/fuse/dir.c
16450 ---- linux-2.6.24.4/fs/fuse/dir.c 2008-03-24 14:49:18.000000000 -0400
16451 -+++ linux-2.6.24.4/fs/fuse/dir.c 2008-03-26 17:56:56.000000000 -0400
16452 -@@ -1030,7 +1030,7 @@ static char *read_link(struct dentry *de
16453 - return link;
16454 - }
16455 -
16456 --static void free_link(char *link)
16457 -+static void free_link(const char *link)
16458 - {
16459 - if (!IS_ERR(link))
16460 - free_page((unsigned long) link);
16461 -diff -urNp linux-2.6.24.4/fs/hfs/inode.c linux-2.6.24.4/fs/hfs/inode.c
16462 ---- linux-2.6.24.4/fs/hfs/inode.c 2008-03-24 14:49:18.000000000 -0400
16463 -+++ linux-2.6.24.4/fs/hfs/inode.c 2008-03-26 17:56:56.000000000 -0400
16464 -@@ -419,7 +419,7 @@ int hfs_write_inode(struct inode *inode,
16465 -
16466 - if (S_ISDIR(main_inode->i_mode)) {
16467 - if (fd.entrylength < sizeof(struct hfs_cat_dir))
16468 -- /* panic? */;
16469 -+ {/* panic? */}
16470 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
16471 - sizeof(struct hfs_cat_dir));
16472 - if (rec.type != HFS_CDR_DIR ||
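Review bot: replacing `/* panic? */;` with `{/* panic? */}` only turns an empty statement into an empty block to quiet the compiler; the short-entry condition is still unhandled and hfs_bnode_read proceeds with the undersized on-disk record exactly as before. If the aim is to make the untrusted length visible, a WARN_ON or an error return would actually address it; otherwise note in the changelog that the hfs and hfsplus hunks are warning cleanups only.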
16473 -@@ -440,7 +440,7 @@ int hfs_write_inode(struct inode *inode,
16474 - sizeof(struct hfs_cat_file));
16475 - } else {
16476 - if (fd.entrylength < sizeof(struct hfs_cat_file))
16477 -- /* panic? */;
16478 -+ {/* panic? */}
16479 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
16480 - sizeof(struct hfs_cat_file));
16481 - if (rec.type != HFS_CDR_FIL ||
16482 -diff -urNp linux-2.6.24.4/fs/hfsplus/inode.c linux-2.6.24.4/fs/hfsplus/inode.c
16483 ---- linux-2.6.24.4/fs/hfsplus/inode.c 2008-03-24 14:49:18.000000000 -0400
16484 -+++ linux-2.6.24.4/fs/hfsplus/inode.c 2008-03-26 17:56:56.000000000 -0400
16485 -@@ -422,7 +422,7 @@ int hfsplus_cat_read_inode(struct inode
16486 - struct hfsplus_cat_folder *folder = &entry.folder;
16487 -
16488 - if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
16489 -- /* panic? */;
16490 -+ {/* panic? */}
16491 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
16492 - sizeof(struct hfsplus_cat_folder));
16493 - hfsplus_get_perms(inode, &folder->permissions, 1);
16494 -@@ -439,7 +439,7 @@ int hfsplus_cat_read_inode(struct inode
16495 - struct hfsplus_cat_file *file = &entry.file;
16496 -
16497 - if (fd->entrylength < sizeof(struct hfsplus_cat_file))
16498 -- /* panic? */;
16499 -+ {/* panic? */}
16500 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
16501 - sizeof(struct hfsplus_cat_file));
16502 -
16503 -@@ -495,7 +495,7 @@ int hfsplus_cat_write_inode(struct inode
16504 - struct hfsplus_cat_folder *folder = &entry.folder;
16505 -
16506 - if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
16507 -- /* panic? */;
16508 -+ {/* panic? */}
16509 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
16510 - sizeof(struct hfsplus_cat_folder));
16511 - /* simple node checks? */
16512 -@@ -517,7 +517,7 @@ int hfsplus_cat_write_inode(struct inode
16513 - struct hfsplus_cat_file *file = &entry.file;
16514 -
16515 - if (fd.entrylength < sizeof(struct hfsplus_cat_file))
16516 -- /* panic? */;
16517 -+ {/* panic? */}
16518 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
16519 - sizeof(struct hfsplus_cat_file));
16520 - hfsplus_inode_write_fork(inode, &file->data_fork);
16521 -diff -urNp linux-2.6.24.4/fs/jffs2/debug.h linux-2.6.24.4/fs/jffs2/debug.h
16522 ---- linux-2.6.24.4/fs/jffs2/debug.h 2008-03-24 14:49:18.000000000 -0400
16523 -+++ linux-2.6.24.4/fs/jffs2/debug.h 2008-03-26 17:56:56.000000000 -0400
16524 -@@ -51,13 +51,13 @@
16525 - #if CONFIG_JFFS2_FS_DEBUG > 0
16526 - #define D1(x) x
16527 - #else
16528 --#define D1(x)
16529 -+#define D1(x) do {} while (0);
16530 - #endif
16531 -
16532 - #if CONFIG_JFFS2_FS_DEBUG > 1
16533 - #define D2(x) x
16534 - #else
16535 --#define D2(x)
16536 -+#define D2(x) do {} while (0);
16537 - #endif
16538 -
16539 - /* The prefixes of JFFS2 messages */
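Review bot: `#define D1(x) do {} while (0);` carries a trailing semicolon, unlike the `dbg_*` macros in the next hunk which correctly use `do {} while (0)` without it. With the semicolon, `D1(foo);` expands to two statements, so an `if (cond) D1(x); else ...` in jffs2 code would no longer compile. Drop the semicolon from both D1 and D2.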
16540 -@@ -113,68 +113,68 @@
16541 - #ifdef JFFS2_DBG_READINODE_MESSAGES
16542 - #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16543 - #else
16544 --#define dbg_readinode(fmt, ...)
16545 -+#define dbg_readinode(fmt, ...) do {} while (0)
16546 - #endif
16547 -
16548 - /* Fragtree build debugging messages */
16549 - #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
16550 - #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16551 - #else
16552 --#define dbg_fragtree(fmt, ...)
16553 -+#define dbg_fragtree(fmt, ...) do {} while (0)
16554 - #endif
16555 - #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
16556 - #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16557 - #else
16558 --#define dbg_fragtree2(fmt, ...)
16559 -+#define dbg_fragtree2(fmt, ...) do {} while (0)
16560 - #endif
16561 -
16562 - /* Directory entry list manilulation debugging messages */
16563 - #ifdef JFFS2_DBG_DENTLIST_MESSAGES
16564 - #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16565 - #else
16566 --#define dbg_dentlist(fmt, ...)
16567 -+#define dbg_dentlist(fmt, ...) do {} while (0)
16568 - #endif
16569 -
16570 - /* Print the messages about manipulating node_refs */
16571 - #ifdef JFFS2_DBG_NODEREF_MESSAGES
16572 - #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16573 - #else
16574 --#define dbg_noderef(fmt, ...)
16575 -+#define dbg_noderef(fmt, ...) do {} while (0)
16576 - #endif
16577 -
16578 - /* Manipulations with the list of inodes (JFFS2 inocache) */
16579 - #ifdef JFFS2_DBG_INOCACHE_MESSAGES
16580 - #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16581 - #else
16582 --#define dbg_inocache(fmt, ...)
16583 -+#define dbg_inocache(fmt, ...) do {} while (0)
16584 - #endif
16585 -
16586 - /* Summary debugging messages */
16587 - #ifdef JFFS2_DBG_SUMMARY_MESSAGES
16588 - #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16589 - #else
16590 --#define dbg_summary(fmt, ...)
16591 -+#define dbg_summary(fmt, ...) do {} while (0)
16592 - #endif
16593 -
16594 - /* File system build messages */
16595 - #ifdef JFFS2_DBG_FSBUILD_MESSAGES
16596 - #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16597 - #else
16598 --#define dbg_fsbuild(fmt, ...)
16599 -+#define dbg_fsbuild(fmt, ...) do {} while (0)
16600 - #endif
16601 -
16602 - /* Watch the object allocations */
16603 - #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
16604 - #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16605 - #else
16606 --#define dbg_memalloc(fmt, ...)
16607 -+#define dbg_memalloc(fmt, ...) do {} while (0)
16608 - #endif
16609 -
16610 - /* Watch the XATTR subsystem */
16611 - #ifdef JFFS2_DBG_XATTR_MESSAGES
16612 - #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
16613 - #else
16614 --#define dbg_xattr(fmt, ...)
16615 -+#define dbg_xattr(fmt, ...) do {} while (0)
16616 - #endif
16617 -
16618 - /* "Sanity" checks */
16619 -diff -urNp linux-2.6.24.4/fs/jffs2/erase.c linux-2.6.24.4/fs/jffs2/erase.c
16620 ---- linux-2.6.24.4/fs/jffs2/erase.c 2008-03-24 14:49:18.000000000 -0400
16621 -+++ linux-2.6.24.4/fs/jffs2/erase.c 2008-03-26 17:56:56.000000000 -0400
16622 -@@ -428,7 +428,8 @@ static void jffs2_mark_erased_block(stru
16623 - struct jffs2_unknown_node marker = {
16624 - .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
16625 - .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
16626 -- .totlen = cpu_to_je32(c->cleanmarker_size)
16627 -+ .totlen = cpu_to_je32(c->cleanmarker_size),
16628 -+ .hdr_crc = cpu_to_je32(0)
16629 - };
16630 -
16631 - jffs2_prealloc_raw_node_refs(c, jeb, 1);
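Review bot: `.hdr_crc = cpu_to_je32(0)` changes nothing at runtime, because members omitted from a designated initializer are already zero-initialized; presumably it is there to quiet a missing-field-initializer warning, and a short comment saying so would spare the next reader from wondering whether a real CRC was intended. The identical `.hdr_crc = constant_cpu_to_je32(0)` addition in `fs/jffs2/wbuf.c` below deserves the same comment.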
16632 -diff -urNp linux-2.6.24.4/fs/jffs2/summary.h linux-2.6.24.4/fs/jffs2/summary.h
16633 ---- linux-2.6.24.4/fs/jffs2/summary.h 2008-03-24 14:49:18.000000000 -0400
16634 -+++ linux-2.6.24.4/fs/jffs2/summary.h 2008-03-26 17:56:56.000000000 -0400
16635 -@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
16636 -
16637 - #define jffs2_sum_active() (0)
16638 - #define jffs2_sum_init(a) (0)
16639 --#define jffs2_sum_exit(a)
16640 --#define jffs2_sum_disable_collecting(a)
16641 -+#define jffs2_sum_exit(a) do {} while (0)
16642 -+#define jffs2_sum_disable_collecting(a) do {} while (0)
16643 - #define jffs2_sum_is_disabled(a) (0)
16644 --#define jffs2_sum_reset_collected(a)
16645 -+#define jffs2_sum_reset_collected(a) do {} while (0)
16646 - #define jffs2_sum_add_kvec(a,b,c,d) (0)
16647 --#define jffs2_sum_move_collected(a,b)
16648 -+#define jffs2_sum_move_collected(a,b) do {} while (0)
16649 - #define jffs2_sum_write_sumnode(a) (0)
16650 --#define jffs2_sum_add_padding_mem(a,b)
16651 --#define jffs2_sum_add_inode_mem(a,b,c)
16652 --#define jffs2_sum_add_dirent_mem(a,b,c)
16653 --#define jffs2_sum_add_xattr_mem(a,b,c)
16654 --#define jffs2_sum_add_xref_mem(a,b,c)
16655 -+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
16656 -+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
16657 -+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
16658 -+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
16659 -+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
16660 - #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
16661 -
16662 - #endif /* CONFIG_JFFS2_SUMMARY */
16663 -diff -urNp linux-2.6.24.4/fs/jffs2/wbuf.c linux-2.6.24.4/fs/jffs2/wbuf.c
16664 ---- linux-2.6.24.4/fs/jffs2/wbuf.c 2008-03-24 14:49:18.000000000 -0400
16665 -+++ linux-2.6.24.4/fs/jffs2/wbuf.c 2008-03-26 17:56:56.000000000 -0400
16666 -@@ -1015,7 +1015,8 @@ static const struct jffs2_unknown_node o
16667 - {
16668 - .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
16669 - .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
16670 -- .totlen = constant_cpu_to_je32(8)
16671 -+ .totlen = constant_cpu_to_je32(8),
16672 -+ .hdr_crc = constant_cpu_to_je32(0)
16673 - };
16674 -
16675 - /*
16676 -diff -urNp linux-2.6.24.4/fs/Kconfig linux-2.6.24.4/fs/Kconfig
16677 ---- linux-2.6.24.4/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
16678 -+++ linux-2.6.24.4/fs/Kconfig 2008-03-26 17:56:56.000000000 -0400
16679 -@@ -937,7 +937,7 @@ config PROC_FS
16680 -
16681 - config PROC_KCORE
16682 - bool "/proc/kcore support" if !ARM
16683 -- depends on PROC_FS && MMU
16684 -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
16685 -
16686 - config PROC_VMCORE
16687 - bool "/proc/vmcore support (EXPERIMENTAL)"
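Review bot: adding `!GRKERNSEC_PROC_ADD` to the `PROC_KCORE` dependency silently removes `/proc/kcore` from any existing configuration once `GRKERNSEC_PROC_ADD` is enabled, and neither option's help text mentions the interaction. Please document the dependency in the `GRKERNSEC_PROC_ADD` help so that users understand why the `/proc/kcore support` prompt disappears.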
16688 -diff -urNp linux-2.6.24.4/fs/namei.c linux-2.6.24.4/fs/namei.c
16689 ---- linux-2.6.24.4/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
16690 -+++ linux-2.6.24.4/fs/namei.c 2008-03-26 17:56:56.000000000 -0400
16691 -@@ -30,6 +30,7 @@
16692 - #include <linux/capability.h>
16693 - #include <linux/file.h>
16694 - #include <linux/fcntl.h>
16695 -+#include <linux/grsecurity.h>
16696 - #include <asm/namei.h>
16697 - #include <asm/uaccess.h>
16698 -
16699 -@@ -621,7 +622,7 @@ static __always_inline int __do_follow_l
16700 - cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
16701 - error = PTR_ERR(cookie);
16702 - if (!IS_ERR(cookie)) {
16703 -- char *s = nd_get_link(nd);
16704 -+ const char *s = nd_get_link(nd);
16705 - error = 0;
16706 - if (s)
16707 - error = __vfs_follow_link(nd, s);
16708 -@@ -653,6 +654,13 @@ static inline int do_follow_link(struct
16709 - err = security_inode_follow_link(path->dentry, nd);
16710 - if (err)
16711 - goto loop;
16712 -+
16713 -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
16714 -+ path->dentry->d_inode, path->dentry, nd->mnt)) {
16715 -+ err = -EACCES;
16716 -+ goto loop;
16717 -+ }
16718 -+
16719 - current->link_count++;
16720 - current->total_link_count++;
16721 - nd->depth++;
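Review bot: the new `gr_handle_follow_link()` call in `do_follow_link` dereferences `path->dentry->d_parent->d_inode` without holding anything that pins `d_parent`, which can change under a concurrent rename. Please confirm the hook tolerates a stale parent inode, or take the appropriate lock or reference before reading it. Placing the check after `security_inode_follow_link()` and reusing the `loop` exit path is otherwise consistent with the surrounding code.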
16722 -@@ -998,11 +1006,18 @@ return_reval:
16723 - break;
16724 - }
16725 - return_base:
16726 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
16727 -+ path_release(nd);
16728 -+ return -ENOENT;
16729 -+ }
16730 - return 0;
16731 - out_dput:
16732 - dput_path(&next, nd);
16733 - break;
16734 - }
16735 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
16736 -+ err = -ENOENT;
16737 -+
16738 - path_release(nd);
16739 - return_err:
16740 - return err;
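Review bot: in the post-loop addition, `err = -ENOENT` unconditionally overwrites whatever error the lookup loop produced before breaking out at `out_dput`, so a hidden-file denial masks the original failure cause. If that masking is deliberate, to avoid revealing that the path exists, a comment should say so; otherwise set `-ENOENT` only when `err` is still zero, as the `return_base` branch above effectively does.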
16741 -@@ -1680,9 +1695,17 @@ static int open_namei_create(struct name
16742 - int error;
16743 - struct dentry *dir = nd->dentry;
16744 -
16745 -+ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
16746 -+ error = -EACCES;
16747 -+ goto out_unlock_dput;
16748 -+ }
16749 -+
16750 - if (!IS_POSIXACL(dir->d_inode))
16751 - mode &= ~current->fs->umask;
16752 - error = vfs_create(dir->d_inode, path->dentry, mode, nd);
16753 -+ if (!error)
16754 -+ gr_handle_create(path->dentry, nd->mnt);
16755 -+out_unlock_dput:
16756 - mutex_unlock(&dir->d_inode->i_mutex);
16757 - dput(nd->dentry);
16758 - nd->dentry = path->dentry;
16759 -@@ -1733,6 +1756,17 @@ int open_namei(int dfd, const char *path
16760 - nd, flag);
16761 - if (error)
16762 - return error;
16763 -+
16764 -+ if (gr_handle_rawio(nd->dentry->d_inode)) {
16765 -+ error = -EPERM;
16766 -+ goto exit;
16767 -+ }
16768 -+
16769 -+ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
16770 -+ error = -EACCES;
16771 -+ goto exit;
16772 -+ }
16773 -+
16774 - goto ok;
16775 - }
16776 -
16777 -@@ -1782,6 +1816,23 @@ do_last:
16778 - /*
16779 - * It already exists.
16780 - */
16781 -+
16782 -+ if (gr_handle_rawio(path.dentry->d_inode)) {
16783 -+ mutex_unlock(&dir->d_inode->i_mutex);
16784 -+ error = -EPERM;
16785 -+ goto exit_dput;
16786 -+ }
16787 -+ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
16788 -+ mutex_unlock(&dir->d_inode->i_mutex);
16789 -+ error = -EACCES;
16790 -+ goto exit_dput;
16791 -+ }
16792 -+ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
16793 -+ mutex_unlock(&dir->d_inode->i_mutex);
16794 -+ error = -EACCES;
16795 -+ goto exit_dput;
16796 -+ }
16797 -+
16798 - mutex_unlock(&dir->d_inode->i_mutex);
16799 - audit_inode(pathname, path.dentry);
16800 -
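Review bot: the three new checks in `do_last` each repeat `mutex_unlock(&dir->d_inode->i_mutex);` before `goto exit_dput`, while the original code unlocks once immediately after them. Either move the checks below the existing `mutex_unlock()` if the hooks do not need `i_mutex`, or route all three through one local label that unlocks and then jumps to `exit_dput`, so there is a single unlock path to keep correct.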
16801 -@@ -1837,6 +1888,13 @@ do_link:
16802 - error = security_inode_follow_link(path.dentry, nd);
16803 - if (error)
16804 - goto exit_dput;
16805 -+
16806 -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
16807 -+ path.dentry, nd->mnt)) {
16808 -+ error = -EACCES;
16809 -+ goto exit_dput;
16810 -+ }
16811 -+
16812 - error = __do_follow_link(&path, nd);
16813 - if (error) {
16814 - /* Does someone understand code flow here? Or it is only
16815 -@@ -1965,6 +2023,22 @@ asmlinkage long sys_mknodat(int dfd, con
16816 - if (!IS_POSIXACL(nd.dentry->d_inode))
16817 - mode &= ~current->fs->umask;
16818 - if (!IS_ERR(dentry)) {
16819 -+ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
16820 -+ error = -EPERM;
16821 -+ dput(dentry);
16822 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
16823 -+ path_release(&nd);
16824 -+ goto out;
16825 -+ }
16826 -+
16827 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
16828 -+ error = -EACCES;
16829 -+ dput(dentry);
16830 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
16831 -+ path_release(&nd);
16832 -+ goto out;
16833 -+ }
16834 -+
16835 - switch (mode & S_IFMT) {
16836 - case 0: case S_IFREG:
16837 - error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
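Review bot: the two new checks in `sys_mknodat` each duplicate the four-line cleanup sequence `dput(dentry); mutex_unlock(...); path_release(&nd); goto out;` that the function's normal exit path below already performs. Setting `error` and jumping to a shared label would remove the copies and keep the unlock/release ordering in one place.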
16838 -@@ -1982,6 +2056,10 @@ asmlinkage long sys_mknodat(int dfd, con
16839 - default:
16840 - error = -EINVAL;
16841 - }
16842 -+
16843 -+ if (!error)
16844 -+ gr_handle_create(dentry, nd.mnt);
16845 -+
16846 - dput(dentry);
16847 - }
16848 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16849 -@@ -2039,9 +2117,18 @@ asmlinkage long sys_mkdirat(int dfd, con
16850 - if (IS_ERR(dentry))
16851 - goto out_unlock;
16852 -
16853 -+ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
16854 -+ error = -EACCES;
16855 -+ goto out_unlock_dput;
16856 -+ }
16857 -+
16858 - if (!IS_POSIXACL(nd.dentry->d_inode))
16859 - mode &= ~current->fs->umask;
16860 - error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
16861 -+
16862 -+ if (!error)
16863 -+ gr_handle_create(dentry, nd.mnt);
16864 -+out_unlock_dput:
16865 - dput(dentry);
16866 - out_unlock:
16867 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16868 -@@ -2123,6 +2210,8 @@ static long do_rmdir(int dfd, const char
16869 - char * name;
16870 - struct dentry *dentry;
16871 - struct nameidata nd;
16872 -+ ino_t saved_ino = 0;
16873 -+ dev_t saved_dev = 0;
16874 -
16875 - name = getname(pathname);
16876 - if(IS_ERR(name))
16877 -@@ -2148,7 +2237,22 @@ static long do_rmdir(int dfd, const char
16878 - error = PTR_ERR(dentry);
16879 - if (IS_ERR(dentry))
16880 - goto exit2;
16881 -+
16882 -+ if (dentry->d_inode != NULL) {
16883 -+ if (dentry->d_inode->i_nlink <= 1) {
16884 -+ saved_ino = dentry->d_inode->i_ino;
16885 -+ saved_dev = dentry->d_inode->i_sb->s_dev;
16886 -+ }
16887 -+
16888 -+ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
16889 -+ error = -EACCES;
16890 -+ goto dput_exit2;
16891 -+ }
16892 -+ }
16893 - error = vfs_rmdir(nd.dentry->d_inode, dentry);
16894 -+ if (!error && (saved_dev || saved_ino))
16895 -+ gr_handle_delete(saved_ino, saved_dev);
16896 -+dput_exit2:
16897 - dput(dentry);
16898 - exit2:
16899 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
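Review bot: in `do_rmdir`, `saved_ino`/`saved_dev` are only captured when `dentry->d_inode->i_nlink <= 1`, but on most filesystems a directory carries a link count of at least 2 (its own `.` entry plus the parent's reference), so `gr_handle_delete()` will usually not run for a removed directory. If the hook is meant to see every successful rmdir, drop the link-count condition for the directory case; if it is deliberately limited to filesystems that keep `i_nlink == 1` for directories, a comment should say so.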
16900 -@@ -2207,6 +2311,8 @@ static long do_unlinkat(int dfd, const c
16901 - struct dentry *dentry;
16902 - struct nameidata nd;
16903 - struct inode *inode = NULL;
16904 -+ ino_t saved_ino = 0;
16905 -+ dev_t saved_dev = 0;
16906 -
16907 - name = getname(pathname);
16908 - if(IS_ERR(name))
16909 -@@ -2222,13 +2328,26 @@ static long do_unlinkat(int dfd, const c
16910 - dentry = lookup_hash(&nd);
16911 - error = PTR_ERR(dentry);
16912 - if (!IS_ERR(dentry)) {
16913 -+ error = 0;
16914 - /* Why not before? Because we want correct error value */
16915 - if (nd.last.name[nd.last.len])
16916 - goto slashes;
16917 - inode = dentry->d_inode;
16918 -- if (inode)
16919 -+ if (inode) {
16920 -+ if (inode->i_nlink <= 1) {
16921 -+ saved_ino = inode->i_ino;
16922 -+ saved_dev = inode->i_sb->s_dev;
16923 -+ }
16924 -+
16925 -+ if (!gr_acl_handle_unlink(dentry, nd.mnt))
16926 -+ error = -EACCES;
16927 -+
16928 - atomic_inc(&inode->i_count);
16929 -- error = vfs_unlink(nd.dentry->d_inode, dentry);
16930 -+ }
16931 -+ if (!error)
16932 -+ error = vfs_unlink(nd.dentry->d_inode, dentry);
16933 -+ if (!error && (saved_ino || saved_dev))
16934 -+ gr_handle_delete(saved_ino, saved_dev);
16935 - exit2:
16936 - dput(dentry);
16937 - }
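Review bot: in `do_unlinkat`, `atomic_inc(&inode->i_count)` now executes even after `gr_acl_handle_unlink()` has set `error = -EACCES`, so the denial path must still reach the matching `iput()` on `inode`. Please confirm that it does, or take the reference under `if (!error)` so it is only grabbed when `vfs_unlink()` will actually be called.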
16938 -@@ -2309,7 +2428,16 @@ asmlinkage long sys_symlinkat(const char
16939 - if (IS_ERR(dentry))
16940 - goto out_unlock;
16941 -
16942 -+ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
16943 -+ error = -EACCES;
16944 -+ goto out_dput_unlock;
16945 -+ }
16946 -+
16947 - error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
16948 -+
16949 -+ if (!error)
16950 -+ gr_handle_create(dentry, nd.mnt);
16951 -+out_dput_unlock:
16952 - dput(dentry);
16953 - out_unlock:
16954 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16955 -@@ -2404,7 +2532,25 @@ asmlinkage long sys_linkat(int olddfd, c
16956 - error = PTR_ERR(new_dentry);
16957 - if (IS_ERR(new_dentry))
16958 - goto out_unlock;
16959 -+
16960 -+ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
16961 -+ old_nd.dentry->d_inode,
16962 -+ old_nd.dentry->d_inode->i_mode, to)) {
16963 -+ error = -EACCES;
16964 -+ goto out_unlock_dput;
16965 -+ }
16966 -+
16967 -+ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
16968 -+ old_nd.dentry, old_nd.mnt, to)) {
16969 -+ error = -EACCES;
16970 -+ goto out_unlock_dput;
16971 -+ }
16972 -+
16973 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
16974 -+
16975 -+ if (!error)
16976 -+ gr_handle_create(new_dentry, nd.mnt);
16977 -+out_unlock_dput:
16978 - dput(new_dentry);
16979 - out_unlock:
16980 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
16981 -@@ -2630,8 +2776,16 @@ static int do_rename(int olddfd, const c
16982 - if (new_dentry == trap)
16983 - goto exit5;
16984 -
16985 -- error = vfs_rename(old_dir->d_inode, old_dentry,
16986 -+ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
16987 -+ old_dentry, old_dir->d_inode, oldnd.mnt,
16988 -+ newname);
16989 -+
16990 -+ if (!error)
16991 -+ error = vfs_rename(old_dir->d_inode, old_dentry,
16992 - new_dir->d_inode, new_dentry);
16993 -+ if (!error)
16994 -+ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
16995 -+ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
16996 - exit5:
16997 - dput(new_dentry);
16998 - exit4:
16999 -diff -urNp linux-2.6.24.4/fs/namespace.c linux-2.6.24.4/fs/namespace.c
17000 ---- linux-2.6.24.4/fs/namespace.c 2008-03-24 14:49:18.000000000 -0400
17001 -+++ linux-2.6.24.4/fs/namespace.c 2008-03-26 17:56:56.000000000 -0400
17002 -@@ -25,6 +25,7 @@
17003 - #include <linux/security.h>
17004 - #include <linux/mount.h>
17005 - #include <linux/ramfs.h>
17006 -+#include <linux/grsecurity.h>
17007 - #include <asm/uaccess.h>
17008 - #include <asm/unistd.h>
17009 - #include "pnode.h"
17010 -@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
17011 - DQUOT_OFF(sb);
17012 - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
17013 - unlock_kernel();
17014 -+
17015 -+ gr_log_remount(mnt->mnt_devname, retval);
17016 - }
17017 - up_write(&sb->s_umount);
17018 - return retval;
17019 -@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
17020 - security_sb_umount_busy(mnt);
17021 - up_write(&namespace_sem);
17022 - release_mounts(&umount_list);
17023 -+
17024 -+ gr_log_unmount(mnt->mnt_devname, retval);
17025 -+
17026 - return retval;
17027 - }
17028 -
17029 -@@ -1442,6 +1448,11 @@ long do_mount(char *dev_name, char *dir_
17030 - if (retval)
17031 - goto dput_out;
17032 -
17033 -+ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
17034 -+ retval = -EPERM;
17035 -+ goto dput_out;
17036 -+ }
17037 -+
17038 - if (flags & MS_REMOUNT)
17039 - retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
17040 - data_page);
17041 -@@ -1456,6 +1467,9 @@ long do_mount(char *dev_name, char *dir_
17042 - dev_name, data_page);
17043 - dput_out:
17044 - path_release(&nd);
17045 -+
17046 -+ gr_log_mount(dev_name, dir_name, retval);
17047 -+
17048 - return retval;
17049 - }
17050 -
17051 -@@ -1693,6 +1707,9 @@ asmlinkage long sys_pivot_root(const cha
17052 - if (!capable(CAP_SYS_ADMIN))
17053 - return -EPERM;
17054 -
17055 -+ if (gr_handle_chroot_pivot())
17056 -+ return -EPERM;
17057 -+
17058 - lock_kernel();
17059 -
17060 - error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
17061 -diff -urNp linux-2.6.24.4/fs/nfs/callback_xdr.c linux-2.6.24.4/fs/nfs/callback_xdr.c
17062 ---- linux-2.6.24.4/fs/nfs/callback_xdr.c 2008-03-24 14:49:18.000000000 -0400
17063 -+++ linux-2.6.24.4/fs/nfs/callback_xdr.c 2008-03-26 17:56:56.000000000 -0400
17064 -@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
17065 - if (unlikely(status != 0))
17066 - return status;
17067 - /* We do not like overly long tags! */
17068 -- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
17069 -+ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
17070 - printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
17071 - __FUNCTION__, hdr->taglen);
17072 - return htonl(NFS4ERR_RESOURCE);
17073 -diff -urNp linux-2.6.24.4/fs/nfs/nfs4proc.c linux-2.6.24.4/fs/nfs/nfs4proc.c
17074 ---- linux-2.6.24.4/fs/nfs/nfs4proc.c 2008-03-24 14:49:18.000000000 -0400
17075 -+++ linux-2.6.24.4/fs/nfs/nfs4proc.c 2008-03-26 17:56:56.000000000 -0400
17076 -@@ -656,7 +656,7 @@ static int _nfs4_do_open_reclaim(struct
17077 - static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
17078 - {
17079 - struct nfs_server *server = NFS_SERVER(state->inode);
17080 -- struct nfs4_exception exception = { };
17081 -+ struct nfs4_exception exception = {0, 0};
17082 - int err;
17083 - do {
17084 - err = _nfs4_do_open_reclaim(ctx, state);
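Review bot: replacing `{ }` with the positional `{0, 0}` ties each initializer to `struct nfs4_exception` having exactly two members in that order, so a later field addition would bring back the warning this presumably silences. A designated initializer naming the fields, or the universal zero initializer `{ 0 }`, keeps the zero-fill without that coupling. The same comment applies to every other `nfs4_exception` hunk in this file.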
17085 -@@ -698,7 +698,7 @@ static int _nfs4_open_delegation_recall(
17086 -
17087 - int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
17088 - {
17089 -- struct nfs4_exception exception = { };
17090 -+ struct nfs4_exception exception = {0, 0};
17091 - struct nfs_server *server = NFS_SERVER(state->inode);
17092 - int err;
17093 - do {
17094 -@@ -987,7 +987,7 @@ static int _nfs4_open_expired(struct nfs
17095 - static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
17096 - {
17097 - struct nfs_server *server = NFS_SERVER(state->inode);
17098 -- struct nfs4_exception exception = { };
17099 -+ struct nfs4_exception exception = {0, 0};
17100 - int err;
17101 -
17102 - do {
17103 -@@ -1089,7 +1089,7 @@ out_err:
17104 -
17105 - static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
17106 - {
17107 -- struct nfs4_exception exception = { };
17108 -+ struct nfs4_exception exception = {0, 0};
17109 - struct nfs4_state *res;
17110 - int status;
17111 -
17112 -@@ -1178,7 +1178,7 @@ static int nfs4_do_setattr(struct inode
17113 - struct iattr *sattr, struct nfs4_state *state)
17114 - {
17115 - struct nfs_server *server = NFS_SERVER(inode);
17116 -- struct nfs4_exception exception = { };
17117 -+ struct nfs4_exception exception = {0, 0};
17118 - int err;
17119 - do {
17120 - err = nfs4_handle_exception(server,
17121 -@@ -1484,7 +1484,7 @@ static int _nfs4_server_capabilities(str
17122 -
17123 - int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
17124 - {
17125 -- struct nfs4_exception exception = { };
17126 -+ struct nfs4_exception exception = {0, 0};
17127 - int err;
17128 - do {
17129 - err = nfs4_handle_exception(server,
17130 -@@ -1517,7 +1517,7 @@ static int _nfs4_lookup_root(struct nfs_
17131 - static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
17132 - struct nfs_fsinfo *info)
17133 - {
17134 -- struct nfs4_exception exception = { };
17135 -+ struct nfs4_exception exception = {0, 0};
17136 - int err;
17137 - do {
17138 - err = nfs4_handle_exception(server,
17139 -@@ -1606,7 +1606,7 @@ static int _nfs4_proc_getattr(struct nfs
17140 -
17141 - static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
17142 - {
17143 -- struct nfs4_exception exception = { };
17144 -+ struct nfs4_exception exception = {0, 0};
17145 - int err;
17146 - do {
17147 - err = nfs4_handle_exception(server,
17148 -@@ -1696,7 +1696,7 @@ static int nfs4_proc_lookupfh(struct nfs
17149 - struct qstr *name, struct nfs_fh *fhandle,
17150 - struct nfs_fattr *fattr)
17151 - {
17152 -- struct nfs4_exception exception = { };
17153 -+ struct nfs4_exception exception = {0, 0};
17154 - int err;
17155 - do {
17156 - err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
17157 -@@ -1725,7 +1725,7 @@ static int _nfs4_proc_lookup(struct inod
17158 -
17159 - static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
17160 - {
17161 -- struct nfs4_exception exception = { };
17162 -+ struct nfs4_exception exception = {0, 0};
17163 - int err;
17164 - do {
17165 - err = nfs4_handle_exception(NFS_SERVER(dir),
17166 -@@ -1789,7 +1789,7 @@ static int _nfs4_proc_access(struct inod
17167 -
17168 - static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
17169 - {
17170 -- struct nfs4_exception exception = { };
17171 -+ struct nfs4_exception exception = {0, 0};
17172 - int err;
17173 - do {
17174 - err = nfs4_handle_exception(NFS_SERVER(inode),
17175 -@@ -1844,7 +1844,7 @@ static int _nfs4_proc_readlink(struct in
17176 - static int nfs4_proc_readlink(struct inode *inode, struct page *page,
17177 - unsigned int pgbase, unsigned int pglen)
17178 - {
17179 -- struct nfs4_exception exception = { };
17180 -+ struct nfs4_exception exception = {0, 0};
17181 - int err;
17182 - do {
17183 - err = nfs4_handle_exception(NFS_SERVER(inode),
17184 -@@ -1940,7 +1940,7 @@ static int _nfs4_proc_remove(struct inod
17185 -
17186 - static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
17187 - {
17188 -- struct nfs4_exception exception = { };
17189 -+ struct nfs4_exception exception = {0, 0};
17190 - int err;
17191 - do {
17192 - err = nfs4_handle_exception(NFS_SERVER(dir),
17193 -@@ -2012,7 +2012,7 @@ static int _nfs4_proc_rename(struct inod
17194 - static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
17195 - struct inode *new_dir, struct qstr *new_name)
17196 - {
17197 -- struct nfs4_exception exception = { };
17198 -+ struct nfs4_exception exception = {0, 0};
17199 - int err;
17200 - do {
17201 - err = nfs4_handle_exception(NFS_SERVER(old_dir),
17202 -@@ -2059,7 +2059,7 @@ static int _nfs4_proc_link(struct inode
17203 -
17204 - static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
17205 - {
17206 -- struct nfs4_exception exception = { };
17207 -+ struct nfs4_exception exception = {0, 0};
17208 - int err;
17209 - do {
17210 - err = nfs4_handle_exception(NFS_SERVER(inode),
17211 -@@ -2116,7 +2116,7 @@ static int _nfs4_proc_symlink(struct ino
17212 - static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
17213 - struct page *page, unsigned int len, struct iattr *sattr)
17214 - {
17215 -- struct nfs4_exception exception = { };
17216 -+ struct nfs4_exception exception = {0, 0};
17217 - int err;
17218 - do {
17219 - err = nfs4_handle_exception(NFS_SERVER(dir),
17220 -@@ -2169,7 +2169,7 @@ static int _nfs4_proc_mkdir(struct inode
17221 - static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
17222 - struct iattr *sattr)
17223 - {
17224 -- struct nfs4_exception exception = { };
17225 -+ struct nfs4_exception exception = {0, 0};
17226 - int err;
17227 - do {
17228 - err = nfs4_handle_exception(NFS_SERVER(dir),
17229 -@@ -2218,7 +2218,7 @@ static int _nfs4_proc_readdir(struct den
17230 - static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
17231 - u64 cookie, struct page *page, unsigned int count, int plus)
17232 - {
17233 -- struct nfs4_exception exception = { };
17234 -+ struct nfs4_exception exception = {0, 0};
17235 - int err;
17236 - do {
17237 - err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
17238 -@@ -2288,7 +2288,7 @@ static int _nfs4_proc_mknod(struct inode
17239 - static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
17240 - struct iattr *sattr, dev_t rdev)
17241 - {
17242 -- struct nfs4_exception exception = { };
17243 -+ struct nfs4_exception exception = {0, 0};
17244 - int err;
17245 - do {
17246 - err = nfs4_handle_exception(NFS_SERVER(dir),
17247 -@@ -2317,7 +2317,7 @@ static int _nfs4_proc_statfs(struct nfs_
17248 -
17249 - static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
17250 - {
17251 -- struct nfs4_exception exception = { };
17252 -+ struct nfs4_exception exception = {0, 0};
17253 - int err;
17254 - do {
17255 - err = nfs4_handle_exception(server,
17256 -@@ -2345,7 +2345,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
17257 -
17258 - static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
17259 - {
17260 -- struct nfs4_exception exception = { };
17261 -+ struct nfs4_exception exception = {0, 0};
17262 - int err;
17263 -
17264 - do {
17265 -@@ -2388,7 +2388,7 @@ static int _nfs4_proc_pathconf(struct nf
17266 - static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
17267 - struct nfs_pathconf *pathconf)
17268 - {
17269 -- struct nfs4_exception exception = { };
17270 -+ struct nfs4_exception exception = {0, 0};
17271 - int err;
17272 -
17273 - do {
17274 -@@ -2708,7 +2708,7 @@ out_free:
17275 -
17276 - static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
17277 - {
17278 -- struct nfs4_exception exception = { };
17279 -+ struct nfs4_exception exception = {0, 0};
17280 - ssize_t ret;
17281 - do {
17282 - ret = __nfs4_get_acl_uncached(inode, buf, buflen);
17283 -@@ -2762,7 +2762,7 @@ static int __nfs4_proc_set_acl(struct in
17284 -
17285 - static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
17286 - {
17287 -- struct nfs4_exception exception = { };
17288 -+ struct nfs4_exception exception = {0, 0};
17289 - int err;
17290 - do {
17291 - err = nfs4_handle_exception(NFS_SERVER(inode),
17292 -@@ -3059,7 +3059,7 @@ static int _nfs4_proc_delegreturn(struct
17293 - int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
17294 - {
17295 - struct nfs_server *server = NFS_SERVER(inode);
17296 -- struct nfs4_exception exception = { };
17297 -+ struct nfs4_exception exception = {0, 0};
17298 - int err;
17299 - do {
17300 - err = _nfs4_proc_delegreturn(inode, cred, stateid);
17301 -@@ -3134,7 +3134,7 @@ out:
17302 -
17303 - static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
17304 - {
17305 -- struct nfs4_exception exception = { };
17306 -+ struct nfs4_exception exception = {0, 0};
17307 - int err;
17308 -
17309 - do {
17310 -@@ -3476,7 +3476,7 @@ static int _nfs4_do_setlk(struct nfs4_st
17311 - static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
17312 - {
17313 - struct nfs_server *server = NFS_SERVER(state->inode);
17314 -- struct nfs4_exception exception = { };
17315 -+ struct nfs4_exception exception = {0, 0};
17316 - int err;
17317 -
17318 - do {
17319 -@@ -3494,7 +3494,7 @@ static int nfs4_lock_reclaim(struct nfs4
17320 - static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
17321 - {
17322 - struct nfs_server *server = NFS_SERVER(state->inode);
17323 -- struct nfs4_exception exception = { };
17324 -+ struct nfs4_exception exception = {0, 0};
17325 - int err;
17326 -
17327 - err = nfs4_set_lock_state(state, request);
17328 -@@ -3555,7 +3555,7 @@ out:
17329 -
17330 - static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
17331 - {
17332 -- struct nfs4_exception exception = { };
17333 -+ struct nfs4_exception exception = {0, 0};
17334 - int err;
17335 -
17336 - do {
17337 -@@ -3605,7 +3605,7 @@ nfs4_proc_lock(struct file *filp, int cm
17338 - int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
17339 - {
17340 - struct nfs_server *server = NFS_SERVER(state->inode);
17341 -- struct nfs4_exception exception = { };
17342 -+ struct nfs4_exception exception = {0, 0};
17343 - int err;
17344 -
17345 - err = nfs4_set_lock_state(state, fl);
17346 -diff -urNp linux-2.6.24.4/fs/nfsd/export.c linux-2.6.24.4/fs/nfsd/export.c
17347 ---- linux-2.6.24.4/fs/nfsd/export.c 2008-03-24 14:49:18.000000000 -0400
17348 -+++ linux-2.6.24.4/fs/nfsd/export.c 2008-03-26 17:56:56.000000000 -0400
17349 -@@ -476,7 +476,7 @@ static int secinfo_parse(char **mesg, ch
17350 - * probably discover the problem when someone fails to
17351 - * authenticate.
17352 - */
17353 -- if (f->pseudoflavor < 0)
17354 -+ if ((s32)f->pseudoflavor < 0)
17355 - return -EINVAL;
17356 - err = get_int(mesg, &f->flags);
17357 - if (err)
17358 -diff -urNp linux-2.6.24.4/fs/nfsd/nfs4state.c linux-2.6.24.4/fs/nfsd/nfs4state.c
17359 ---- linux-2.6.24.4/fs/nfsd/nfs4state.c 2008-03-24 14:49:18.000000000 -0400
17360 -+++ linux-2.6.24.4/fs/nfsd/nfs4state.c 2008-03-26 17:56:56.000000000 -0400
17361 -@@ -1233,7 +1233,7 @@ static int access_valid(u32 x)
17362 -
17363 - static int deny_valid(u32 x)
17364 - {
17365 -- return (x >= 0 && x < 5);
17366 -+ return (x < 5);
17367 - }
17368 -
17369 - static void
17370 -diff -urNp linux-2.6.24.4/fs/nls/nls_base.c linux-2.6.24.4/fs/nls/nls_base.c
17371 ---- linux-2.6.24.4/fs/nls/nls_base.c 2008-03-24 14:49:18.000000000 -0400
17372 -+++ linux-2.6.24.4/fs/nls/nls_base.c 2008-03-26 17:56:56.000000000 -0400
17373 -@@ -42,7 +42,7 @@ static const struct utf8_table utf8_tabl
17374 - {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
17375 - {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
17376 - {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
17377 -- {0, /* end of table */}
17378 -+ {0, 0, 0, 0, 0, /* end of table */}
17379 - };
17380 -
17381 - int
17382 -diff -urNp linux-2.6.24.4/fs/ntfs/file.c linux-2.6.24.4/fs/ntfs/file.c
17383 ---- linux-2.6.24.4/fs/ntfs/file.c 2008-03-24 14:49:18.000000000 -0400
17384 -+++ linux-2.6.24.4/fs/ntfs/file.c 2008-03-26 17:56:56.000000000 -0400
17385 -@@ -2293,6 +2293,6 @@ const struct inode_operations ntfs_file_
17386 - #endif /* NTFS_RW */
17387 - };
17388 -
17389 --const struct file_operations ntfs_empty_file_ops = {};
17390 -+const struct file_operations ntfs_empty_file_ops;
17391 -
17392 --const struct inode_operations ntfs_empty_inode_ops = {};
17393 -+const struct inode_operations ntfs_empty_inode_ops;
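Review bot: dropping the `= {}` initializer turns `ntfs_empty_file_ops` and `ntfs_empty_inode_ops` into tentative definitions, and a `const` object with no initializer is typically emitted as a common/.bss symbol rather than into .rodata, so two function-pointer tables lose their read-only placement. If the goal is only to avoid the GNU empty-initializer extension, `= { .owner = NULL }` keeps the object zeroed and read-only; check the resulting section with `objdump -t` either way.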
17394 -diff -urNp linux-2.6.24.4/fs/open.c linux-2.6.24.4/fs/open.c
17395 ---- linux-2.6.24.4/fs/open.c 2008-03-24 14:49:18.000000000 -0400
17396 -+++ linux-2.6.24.4/fs/open.c 2008-03-26 17:56:56.000000000 -0400
17397 -@@ -27,6 +27,7 @@
17398 - #include <linux/rcupdate.h>
17399 - #include <linux/audit.h>
17400 - #include <linux/falloc.h>
17401 -+#include <linux/grsecurity.h>
17402 -
17403 - int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
17404 - {
17405 -@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
17406 - if (length < 0)
17407 - return -EINVAL;
17408 -
17409 -+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
17410 -+ return -EACCES;
17411 -+
17412 - newattrs.ia_size = length;
17413 - newattrs.ia_valid = ATTR_SIZE | time_attrs;
17414 - if (filp) {
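Review bot: the new `gr_acl_handle_truncate` check is skipped whenever `filp` is NULL, and the following `if (filp) {` shows that `do_truncate` is also reached without a file, i.e. from the path-based truncate(2) route. Unless that route is hooked separately in `do_sys_truncate` (not part of this hunk), only ftruncate(2) is mediated here; a comment stating where the path-based case is covered would make the coverage obvious.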
17415 -@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
17416 - if(IS_RDONLY(nd.dentry->d_inode))
17417 - res = -EROFS;
17418 -
17419 -+ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
17420 -+ res = -EACCES;
17421 -+
17422 - out_path_release:
17423 - path_release(&nd);
17424 - out:
17425 -@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
17426 - if (error)
17427 - goto dput_and_out;
17428 -
17429 -+ gr_log_chdir(nd.dentry, nd.mnt);
17430 -+
17431 - set_fs_pwd(current->fs, nd.mnt, nd.dentry);
17432 -
17433 - dput_and_out:
17434 -@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
17435 - goto out_putf;
17436 -
17437 - error = file_permission(file, MAY_EXEC);
17438 -+
17439 -+ if (!error && !gr_chroot_fchdir(dentry, mnt))
17440 -+ error = -EPERM;
17441 -+
17442 -+ if (!error)
17443 -+ gr_log_chdir(dentry, mnt);
17444 -+
17445 - if (!error)
17446 - set_fs_pwd(current->fs, mnt, dentry);
17447 - out_putf:
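Review bot: the three consecutive `if (!error)` checks (chroot test, `gr_log_chdir`, `set_fs_pwd`) read as one guarded block split in three; folding them into a single `if (!error) { ... }` makes it clear that the log line is emitted only when the directory change actually happens. Also note the denial here returns -EPERM while the access-style hooks elsewhere in this file return -EACCES; if the distinction is deliberate, a short comment would help.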
17448 -@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
17449 - if (!capable(CAP_SYS_CHROOT))
17450 - goto dput_and_out;
17451 -
17452 -+ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
17453 -+ goto dput_and_out;
17454 -+
17455 - set_fs_root(current->fs, nd.mnt, nd.dentry);
17456 - set_fs_altroot();
17457 -+
17458 -+ gr_handle_chroot_caps(current);
17459 -+
17460 -+ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
17461 -+
17462 - error = 0;
17463 - dput_and_out:
17464 - path_release(&nd);
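Review bot: the `gr_handle_chroot_chroot` denial jumps to `dput_and_out` without assigning `error`, so the return value is whatever the preceding `CAP_SYS_CHROOT` check left in it (-EPERM, set before the visible context). Setting `error` explicitly next to the new `goto` decouples the hook from the ordering of the checks above it. The placement of `gr_handle_chroot_chdir` after `set_fs_root` is the right order: the cwd is moved inside the new root once it is in effect, so the caller cannot keep a working directory outside it.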
17465 -@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
17466 - err = -EPERM;
17467 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17468 - goto out_putf;
17469 -+
17470 -+ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
17471 -+ err = -EACCES;
17472 -+ goto out_putf;
17473 -+ }
17474 -+
17475 - mutex_lock(&inode->i_mutex);
17476 - if (mode == (mode_t) -1)
17477 - mode = inode->i_mode;
17478 -+
17479 -+ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
17480 -+ err = -EPERM;
17481 -+ mutex_unlock(&inode->i_mutex);
17482 -+ goto out_putf;
17483 -+ }
17484 -+
17485 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
17486 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
17487 - err = notify_change(dentry, &newattrs);
17488 -@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
17489 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17490 - goto dput_and_out;
17491 -
17492 -+ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
17493 -+ error = -EACCES;
17494 -+ goto dput_and_out;
17495 -+ };
17496 -+
17497 - mutex_lock(&inode->i_mutex);
17498 - if (mode == (mode_t) -1)
17499 - mode = inode->i_mode;
17500 -+
17501 -+ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
17502 -+ error = -EACCES;
17503 -+ mutex_unlock(&inode->i_mutex);
17504 -+ goto dput_and_out;
17505 -+ }
17506 -+
17507 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
17508 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
17509 - error = notify_change(nd.dentry, &newattrs);
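Review bot: the `gr_handle_chroot_chmod` denial returns -EACCES here but -EPERM in the `sys_fchmod` hunk just above for the same hook; pick one errno so chmod(2) and fchmod(2) fail identically under the same policy. There is also a stray `};` after the `gr_acl_handle_chmod` block, harmless but it looks like a leftover.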
17510 -@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
17511 - return sys_fchmodat(AT_FDCWD, filename, mode);
17512 - }
17513 -
17514 --static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
17515 -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
17516 - {
17517 - struct inode * inode;
17518 - int error;
17519 -@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
17520 - error = -EPERM;
17521 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
17522 - goto out;
17523 -+
17524 -+ if (!gr_acl_handle_chown(dentry, mnt)) {
17525 -+ error = -EACCES;
17526 -+ goto out;
17527 -+ }
17528 -+
17529 - newattrs.ia_valid = ATTR_CTIME;
17530 - if (user != (uid_t) -1) {
17531 - newattrs.ia_valid |= ATTR_UID;
17532 -@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
17533 - error = user_path_walk(filename, &nd);
17534 - if (error)
17535 - goto out;
17536 -- error = chown_common(nd.dentry, user, group);
17537 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17538 - path_release(&nd);
17539 - out:
17540 - return error;
17541 -@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
17542 - error = __user_walk_fd(dfd, filename, follow, &nd);
17543 - if (error)
17544 - goto out;
17545 -- error = chown_common(nd.dentry, user, group);
17546 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17547 - path_release(&nd);
17548 - out:
17549 - return error;
17550 -@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
17551 - error = user_path_walk_link(filename, &nd);
17552 - if (error)
17553 - goto out;
17554 -- error = chown_common(nd.dentry, user, group);
17555 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
17556 - path_release(&nd);
17557 - out:
17558 - return error;
17559 -@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int
17560 -
17561 - dentry = file->f_path.dentry;
17562 - audit_inode(NULL, dentry);
17563 -- error = chown_common(dentry, user, group);
17564 -+ error = chown_common(dentry, user, group, file->f_vfsmnt);
17565 - fput(file);
17566 - out:
17567 - return error;
17568 -@@ -939,6 +994,7 @@ repeat:
17569 - * N.B. For clone tasks sharing a files structure, this test
17570 - * will limit the total number of files that can be opened.
17571 - */
17572 -+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
17573 - if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
17574 - goto out;
17575 -
17576 -diff -urNp linux-2.6.24.4/fs/partitions/efi.c linux-2.6.24.4/fs/partitions/efi.c
17577 ---- linux-2.6.24.4/fs/partitions/efi.c 2008-03-24 14:49:18.000000000 -0400
17578 -+++ linux-2.6.24.4/fs/partitions/efi.c 2008-03-26 17:56:56.000000000 -0400
17579 -@@ -99,7 +99,7 @@
17580 - #ifdef EFI_DEBUG
17581 - #define Dprintk(x...) printk(KERN_DEBUG x)
17582 - #else
17583 --#define Dprintk(x...)
17584 -+#define Dprintk(x...) do {} while (0)
17585 - #endif
17586 -
17587 - /* This allows a kernel command line option 'gpt' to override
17588 -diff -urNp linux-2.6.24.4/fs/pipe.c linux-2.6.24.4/fs/pipe.c
17589 ---- linux-2.6.24.4/fs/pipe.c 2008-03-24 14:49:18.000000000 -0400
17590 -+++ linux-2.6.24.4/fs/pipe.c 2008-03-26 17:56:56.000000000 -0400
17591 -@@ -887,7 +887,7 @@ void free_pipe_info(struct inode *inode)
17592 - inode->i_pipe = NULL;
17593 - }
17594 -
17595 --static struct vfsmount *pipe_mnt __read_mostly;
17596 -+struct vfsmount *pipe_mnt __read_mostly;
17597 - static int pipefs_delete_dentry(struct dentry *dentry)
17598 - {
17599 - /*
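Review bot: removing `static` from `pipe_mnt` exports a global without an accompanying `extern` declaration in a header, so the other users the symbol is being opened up for will each declare it locally and the compiler cannot type-check them against this definition. Add `extern struct vfsmount *pipe_mnt;` to a shared header (linux/grsecurity.h is already included by this patch) and keep the definition here.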
17600 -diff -urNp linux-2.6.24.4/fs/proc/array.c linux-2.6.24.4/fs/proc/array.c
17601 ---- linux-2.6.24.4/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
17602 -+++ linux-2.6.24.4/fs/proc/array.c 2008-03-26 17:56:56.000000000 -0400
17603 -@@ -305,6 +305,21 @@ static inline char *task_context_switch_
17604 - p->nivcsw);
17605 - }
17606 -
17607 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
17608 -+static inline char *task_pax(struct task_struct *p, char *buffer)
17609 -+{
17610 -+ if (p->mm)
17611 -+ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
17612 -+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
17613 -+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
17614 -+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
17615 -+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
17616 -+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
17617 -+ else
17618 -+ return buffer + sprintf(buffer, "PaX:\t-----\n");
17619 -+}
17620 -+#endif
17621 -+
17622 - int proc_pid_status(struct task_struct *task, char *buffer)
17623 - {
17624 - char *orig = buffer;
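Review bot: `task_pax` dereferences `p->mm` directly, without `task_lock()` or a `get_task_mm()`/`mmput()` pair, so it can race with `exit_mm()` clearing and freeing the mm of a task that is exiting while its `/proc/<pid>/status` is read. Take a reference to the mm (or hold `task_lock(p)` across the read of `pax_flags`) before using it.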
17625 -@@ -324,6 +339,11 @@ int proc_pid_status(struct task_struct *
17626 - buffer = task_show_regs(task, buffer);
17627 - #endif
17628 - buffer = task_context_switch_counts(task, buffer);
17629 -+
17630 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
17631 -+ buffer = task_pax(task, buffer);
17632 -+#endif
17633 -+
17634 - return buffer - orig;
17635 - }
17636 -
17637 -@@ -386,6 +406,12 @@ static cputime_t task_gtime(struct task_
17638 - return p->gtime;
17639 - }
17640 -
17641 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17642 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
17643 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
17644 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
17645 -+#endif
17646 -+
17647 - static int do_task_stat(struct task_struct *task, char *buffer, int whole)
17648 - {
17649 - unsigned long vsize, eip, esp, wchan = ~0UL;
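Review bot: the `PAX_RAND_FLAGS` macro uses its argument `_mm` unparenthesized and mixes `&` with `||` without grouping; it works because `&` binds tighter, but `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` is shorter and leaves no precedence question for the reader.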
17650 -@@ -481,6 +507,19 @@ static int do_task_stat(struct task_stru
17651 - gtime = task_gtime(task);
17652 - }
17653 -
17654 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17655 -+ if (PAX_RAND_FLAGS(mm)) {
17656 -+ eip = 0;
17657 -+ esp = 0;
17658 -+ wchan = 0;
17659 -+ }
17660 -+#endif
17661 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
17662 -+ wchan = 0;
17663 -+ eip =0;
17664 -+ esp =0;
17665 -+#endif
17666 -+
17667 - /* scale priority and nice values from timeslices to -20..20 */
17668 - /* to make it look like a "normal" Unix priority/nice value */
17669 - priority = task_prio(task);
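Review bot: the `CONFIG_GRKERNSEC_HIDESYM` block zeroes `wchan`, `eip` and `esp` unconditionally, while the `CONFIG_GRKERNSEC_PROC_MEMMAP` block just above exempts the caller's own mm through `PAX_RAND_FLAGS`; if a process is meant to lose visibility of its own registers under HIDESYM, say so in a comment, otherwise gate the second block the same way. Cosmetically, `eip =0;` and `esp =0;` should be `eip = 0;` and `esp = 0;`.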
17670 -@@ -521,9 +560,15 @@ static int do_task_stat(struct task_stru
17671 - vsize,
17672 - mm ? get_mm_rss(mm) : 0,
17673 - rsslim,
17674 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
17675 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
17676 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
17677 -+ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
17678 -+#else
17679 - mm ? mm->start_code : 0,
17680 - mm ? mm->end_code : 0,
17681 - mm ? mm->start_stack : 0,
17682 -+#endif
17683 - esp,
17684 - eip,
17685 - /* The signal information here is obsolete.
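Review bot: under `CONFIG_GRKERNSEC_PROC_MEMMAP` the randomized task's `start_code`/`end_code` are reported as 1 but `start_stack` as 0; the different sentinel values are not explained, and a reader of this hunk cannot tell whether 1 is chosen to keep userspace tools from treating the task as a kernel thread or for some other reason. A one-line comment above the `#ifdef` would settle it.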
17686 -@@ -572,3 +617,14 @@ int proc_pid_statm(struct task_struct *t
17687 - return sprintf(buffer, "%d %d %d %d %d %d %d\n",
17688 - size, resident, shared, text, lib, data, 0);
17689 - }
17690 -+
17691 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17692 -+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
17693 -+{
17694 -+ int len;
17695 -+
17696 -+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
17697 -+ return len;
17698 -+}
17699 -+#endif
17700 -+
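Review bot: `proc_pid_ipaddr` can be `return sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));` without the `len` temporary, and the `char * buffer` spacing does not match the surrounding prototypes. The `NIPQUAD` formatting also fixes the entry to IPv4, which is worth noting in the `CONFIG_GRKERNSEC_PROC_IPADDR` help text.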
17701 -diff -urNp linux-2.6.24.4/fs/proc/base.c linux-2.6.24.4/fs/proc/base.c
17702 ---- linux-2.6.24.4/fs/proc/base.c 2008-03-24 14:49:18.000000000 -0400
17703 -+++ linux-2.6.24.4/fs/proc/base.c 2008-03-26 19:57:50.000000000 -0400
17704 -@@ -76,6 +76,8 @@
17705 - #include <linux/oom.h>
17706 - #include <linux/elf.h>
17707 - #include <linux/pid_namespace.h>
17708 -+#include <linux/grsecurity.h>
17709 -+
17710 - #include "internal.h"
17711 -
17712 - /* NOTE:
17713 -@@ -126,7 +128,7 @@ struct pid_entry {
17714 - NULL, &proc_info_file_operations, \
17715 - { .proc_read = &proc_##OTYPE } )
17716 -
17717 --int maps_protect;
17718 -+int maps_protect = 1;
17719 - EXPORT_SYMBOL(maps_protect);
17720 -
17721 - static struct fs_struct *get_fs_struct(struct task_struct *task)
17722 -@@ -200,7 +202,7 @@ static int proc_root_link(struct inode *
17723 - (task->parent == current && \
17724 - (task->ptrace & PT_PTRACED) && \
17725 - (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
17726 -- security_ptrace(current,task) == 0))
17727 -+ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
17728 -
17729 - struct mm_struct *mm_for_maps(struct task_struct *task)
17730 - {
17731 -@@ -265,9 +267,9 @@ static int proc_pid_auxv(struct task_str
17732 - struct mm_struct *mm = get_task_mm(task);
17733 - if (mm) {
17734 - unsigned int nwords = 0;
17735 -- do
17736 -+ do {
17737 - nwords += 2;
17738 -- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
17739 -+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
17740 - res = nwords * sizeof(mm->saved_auxv[0]);
17741 - if (res > PAGE_SIZE)
17742 - res = PAGE_SIZE;
17743 -@@ -609,7 +611,7 @@ static ssize_t mem_read(struct file * fi
17744 - if (!task)
17745 - goto out_no_task;
17746 -
17747 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
17748 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
17749 - goto out;
17750 -
17751 - ret = -ENOMEM;
17752 -@@ -679,7 +681,7 @@ static ssize_t mem_write(struct file * f
17753 - if (!task)
17754 - goto out_no_task;
17755 -
17756 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
17757 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
17758 - goto out;
17759 -
17760 - copied = -ENOMEM;
17761 -@@ -1202,7 +1204,11 @@ static struct inode *proc_pid_make_inode
17762 - inode->i_gid = 0;
17763 - if (task_dumpable(task)) {
17764 - inode->i_uid = task->euid;
17765 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17766 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17767 -+#else
17768 - inode->i_gid = task->egid;
17769 -+#endif
17770 - }
17771 - security_task_to_inode(task, inode);
17772 -
17773 -@@ -1218,17 +1224,45 @@ static int pid_getattr(struct vfsmount *
17774 - {
17775 - struct inode *inode = dentry->d_inode;
17776 - struct task_struct *task;
17777 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17778 -+ struct task_struct *tmp = current;
17779 -+#endif
17780 -+
17781 - generic_fillattr(inode, stat);
17782 -
17783 - rcu_read_lock();
17784 - stat->uid = 0;
17785 - stat->gid = 0;
17786 - task = pid_task(proc_pid(inode), PIDTYPE_PID);
17787 -- if (task) {
17788 -+
17789 -+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
17790 -+ rcu_read_unlock();
17791 -+ return -ENOENT;
17792 -+ }
17793 -+
17794 -+
17795 -+ if (task
17796 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17797 -+ && (!tmp->uid || (tmp->uid == task->uid)
17798 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17799 -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
17800 -+#endif
17801 -+ )
17802 -+#endif
17803 -+ ) {
17804 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
17805 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17806 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
17807 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17808 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
17809 -+#endif
17810 - task_dumpable(task)) {
17811 - stat->uid = task->euid;
17812 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17813 -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
17814 -+#else
17815 - stat->gid = task->egid;
17816 -+#endif
17817 - }
17818 - }
17819 - rcu_read_unlock();
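Review bot: `tmp` is just an alias for `current` and is only referenced inside the `#if` ladder; using `current->uid` directly removes the extra declaration block at the top of the function and the same alias in the `proc_pid_readdir` hunk further down. There is also a doubled blank line after the hidden/chrooted early return. The early `return -ENOENT` correctly drops `rcu_read_lock()` before leaving.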
17820 -@@ -1256,11 +1290,21 @@ static int pid_revalidate(struct dentry
17821 - {
17822 - struct inode *inode = dentry->d_inode;
17823 - struct task_struct *task = get_proc_task(inode);
17824 -+
17825 - if (task) {
17826 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
17827 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17828 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
17829 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17830 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
17831 -+#endif
17832 - task_dumpable(task)) {
17833 - inode->i_uid = task->euid;
17834 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17835 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17836 -+#else
17837 - inode->i_gid = task->egid;
17838 -+#endif
17839 - } else {
17840 - inode->i_uid = 0;
17841 - inode->i_gid = 0;
17842 -@@ -1633,12 +1677,22 @@ static int proc_fd_permission(struct ino
17843 - struct nameidata *nd)
17844 - {
17845 - int rv;
17846 -+ struct task_struct *task;
17847 -
17848 - rv = generic_permission(inode, mask, NULL);
17849 -- if (rv == 0)
17850 -- return 0;
17851 -+
17852 - if (task_pid(current) == proc_pid(inode))
17853 - rv = 0;
17854 -+
17855 -+ task = get_proc_task(inode);
17856 -+ if (task == NULL)
17857 -+ return rv;
17858 -+
17859 -+ if (gr_acl_handle_procpidmem(task))
17860 -+ rv = -EACCES;
17861 -+
17862 -+ put_task_struct(task);
17863 -+
17864 - return rv;
17865 - }
17866 -
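Review bot: with the early `if (rv == 0) return 0;` removed, `gr_acl_handle_procpidmem` now runs even when `generic_permission` succeeded and even for a task looking at its own fd directory (`task_pid(current) == proc_pid(inode)`); confirm that denying a task access to its own `/proc/self/fd` is intended. The hook name suggests it governs `/proc/<pid>/mem` (where the `mem_read`/`mem_write` hunks also use it), so a comment explaining its reuse for the fd directory would help the next reader. The `get_proc_task`/`put_task_struct` pairing is correct, including the NULL early return.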
17867 -@@ -1749,6 +1803,9 @@ static struct dentry *proc_pident_lookup
17868 - if (!task)
17869 - goto out_no_task;
17870 -
17871 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17872 -+ goto out;
17873 -+
17874 - /*
17875 - * Yes, it does not scale. And it should not. Don't add
17876 - * new entries into /proc/<tgid>/ without very good reasons.
17877 -@@ -1793,6 +1850,9 @@ static int proc_pident_readdir(struct fi
17878 - if (!task)
17879 - goto out_no_task;
17880 -
17881 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17882 -+ goto out;
17883 -+
17884 - ret = 0;
17885 - i = filp->f_pos;
17886 - switch (i) {
17887 -@@ -2147,6 +2207,9 @@ static struct dentry *proc_base_lookup(s
17888 - if (p > last)
17889 - goto out;
17890 -
17891 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
17892 -+ goto out;
17893 -+
17894 - error = proc_base_instantiate(dir, dentry, task, p);
17895 -
17896 - out:
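Review bot: the predicate `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)` is now copied verbatim into `proc_pident_lookup`, `proc_pident_readdir`, `proc_base_lookup` and `pid_getattr`; a single helper (for example a hypothetical `gr_proc_task_visible(task)`) would make the visibility rule one thing to audit and lower the chance of a site drifting, which the `proc_pid_lookup` hunk below already shows by checking only half of it.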
17897 -@@ -2250,6 +2313,9 @@ static const struct pid_entry tgid_base_
17898 - #ifdef CONFIG_TASK_IO_ACCOUNTING
17899 - INF("io", S_IRUGO, pid_io_accounting),
17900 - #endif
17901 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17902 -+ INF("ipaddr", S_IRUSR, pid_ipaddr),
17903 -+#endif
17904 - };
17905 -
17906 - static int proc_tgid_base_readdir(struct file * filp,
17907 -@@ -2378,7 +2444,14 @@ static struct dentry *proc_pid_instantia
17908 - if (!inode)
17909 - goto out;
17910 -
17911 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
17912 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
17913 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17914 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17915 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
17916 -+#else
17917 - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
17918 -+#endif
17919 - inode->i_op = &proc_tgid_base_inode_operations;
17920 - inode->i_fop = &proc_tgid_base_operations;
17921 - inode->i_flags|=S_IMMUTABLE;
17922 -@@ -2421,7 +2494,11 @@ struct dentry *proc_pid_lookup(struct in
17923 - if (!task)
17924 - goto out;
17925 -
17926 -+ if (gr_check_hidden_task(task))
17927 -+ goto out_put_task;
17928 -+
17929 - result = proc_pid_instantiate(dir, dentry, task, NULL);
17930 -+out_put_task:
17931 - put_task_struct(task);
17932 - out:
17933 - return result;
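Review bot: `proc_pid_lookup` filters on `gr_check_hidden_task(task)` alone, whereas the `proc_pident_*`, `proc_base_lookup` and `proc_pid_readdir` hunks also test `gr_pid_is_chrooted(task)`. As written, a task hidden from the directory listing by the chroot test could still be reached by name via `/proc/<pid>`; if that asymmetry is intentional, document it, otherwise apply the same predicate here. The added `out_put_task` label correctly releases the task reference on the new path.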
17934 -@@ -2486,6 +2563,9 @@ int proc_pid_readdir(struct file * filp,
17935 - {
17936 - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
17937 - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
17938 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17939 -+ struct task_struct *tmp = current;
17940 -+#endif
17941 - struct tgid_iter iter;
17942 - struct pid_namespace *ns;
17943 -
17944 -@@ -2504,6 +2584,17 @@ int proc_pid_readdir(struct file * filp,
17945 - for (iter = next_tgid(ns, iter);
17946 - iter.task;
17947 - iter.tgid += 1, iter = next_tgid(ns, iter)) {
17948 -+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
17949 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
17950 -+ || (tmp->uid && (iter.task->uid != tmp->uid)
17951 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17952 -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
17953 -+#endif
17954 -+ )
17955 -+#endif
17956 -+ )
17957 -+ continue;
17958 -+
17959 - filp->f_pos = iter.tgid + TGID_OFFSET;
17960 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
17961 - put_task_struct(iter.task);
17962 -diff -urNp linux-2.6.24.4/fs/proc/inode.c linux-2.6.24.4/fs/proc/inode.c
17963 ---- linux-2.6.24.4/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
17964 -+++ linux-2.6.24.4/fs/proc/inode.c 2008-03-26 17:56:56.000000000 -0400
17965 -@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
17966 - if (de->mode) {
17967 - inode->i_mode = de->mode;
17968 - inode->i_uid = de->uid;
17969 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
17970 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
17971 -+#else
17972 - inode->i_gid = de->gid;
17973 -+#endif
17974 - }
17975 - if (de->size)
17976 - inode->i_size = de->size;
17977 -diff -urNp linux-2.6.24.4/fs/proc/internal.h linux-2.6.24.4/fs/proc/internal.h
17978 ---- linux-2.6.24.4/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
17979 -+++ linux-2.6.24.4/fs/proc/internal.h 2008-03-26 17:56:56.000000000 -0400
17980 -@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
17981 - extern int proc_tgid_stat(struct task_struct *, char *);
17982 - extern int proc_pid_status(struct task_struct *, char *);
17983 - extern int proc_pid_statm(struct task_struct *, char *);
17984 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
17985 -+extern int proc_pid_ipaddr(struct task_struct*,char*);
17986 -+#endif
17987 -
17988 - extern const struct file_operations proc_maps_operations;
17989 - extern const struct file_operations proc_numa_maps_operations;
17990 -diff -urNp linux-2.6.24.4/fs/proc/proc_misc.c linux-2.6.24.4/fs/proc/proc_misc.c
17991 ---- linux-2.6.24.4/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
17992 -+++ linux-2.6.24.4/fs/proc/proc_misc.c 2008-03-26 17:56:56.000000000 -0400
17993 -@@ -687,6 +687,8 @@ void create_seq_entry(char *name, mode_t
17994 -
17995 - void __init proc_misc_init(void)
17996 - {
17997 -+ int gr_mode = 0;
17998 -+
17999 - static struct {
18000 - char *name;
18001 - int (*read_proc)(char*,char**,off_t,int,int*,void*);
18002 -@@ -702,13 +704,24 @@ void __init proc_misc_init(void)
18003 - {"stram", stram_read_proc},
18004 - #endif
18005 - {"filesystems", filesystems_read_proc},
18006 -+#ifndef CONFIG_GRKERNSEC_PROC_ADD
18007 - {"cmdline", cmdline_read_proc},
18008 -+#endif
18009 - {"execdomains", execdomains_read_proc},
18010 - {NULL,}
18011 - };
18012 - for (p = simple_ones; p->name; p++)
18013 - create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
18014 -
18015 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18016 -+ gr_mode = S_IRUSR;
18017 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18018 -+ gr_mode = S_IRUSR | S_IRGRP;
18019 -+#endif
18020 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18021 -+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
18022 -+#endif
18023 -+
18024 - proc_symlink("mounts", NULL, "self/mounts");
18025 -
18026 - /* And now for trickier ones */
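Review bot: `gr_mode` starts at 0 and the `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif ... PROC_USERGROUP` ladder has no `#else`, so with `CONFIG_GRKERNSEC_PROC_ADD` set but neither of those, `create_proc_read_entry("cmdline", 0, ...)` is called with mode 0, which procfs treats as "use the default permissions". Unless Kconfig forces one of the two options whenever PROC_ADD is enabled, the restricted branch silently degrades to the unrestricted one; an explicit `#else gr_mode = S_IRUSR;` (or a `#error`) would close that hole.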
18027 -@@ -721,7 +734,11 @@ void __init proc_misc_init(void)
18028 - }
18029 - #endif
18030 - create_seq_entry("locks", 0, &proc_locks_operations);
18031 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18032 -+ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
18033 -+#else
18034 - create_seq_entry("devices", 0, &proc_devinfo_operations);
18035 -+#endif
18036 - create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
18037 - #ifdef CONFIG_BLOCK
18038 - create_seq_entry("partitions", 0, &proc_partitions_operations);
18039 -@@ -729,7 +746,11 @@ void __init proc_misc_init(void)
18040 - create_seq_entry("stat", 0, &proc_stat_operations);
18041 - create_seq_entry("interrupts", 0, &proc_interrupts_operations);
18042 - #ifdef CONFIG_SLABINFO
18043 -+#ifdef CONFIG_GRKRENSEC_PROC_ADD
18044 -+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
18045 -+#else
18046 - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
18047 -+#endif
18048 - #ifdef CONFIG_DEBUG_SLAB_LEAK
18049 - create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
18050 - #endif
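Review bot: `CONFIG_GRKRENSEC_PROC_ADD` is a typo for `CONFIG_GRKERNSEC_PROC_ADD`, so the restricted `slabinfo` branch is never compiled and the entry always stays `S_IWUSR|S_IRUGO`, even when the other PROC_ADD entries in this file are locked down. Fix the spelling; a `grep -c GRKRENSEC` over the patch is a cheap way to confirm it is the only occurrence.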
18051 -@@ -747,7 +768,7 @@ void __init proc_misc_init(void)
18052 - #ifdef CONFIG_SCHEDSTATS
18053 - create_seq_entry("schedstat", 0, &proc_schedstat_operations);
18054 - #endif
18055 --#ifdef CONFIG_PROC_KCORE
18056 -+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
18057 - proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
18058 - if (proc_root_kcore) {
18059 - proc_root_kcore->proc_fops = &proc_kcore_operations;
18060 -diff -urNp linux-2.6.24.4/fs/proc/proc_net.c linux-2.6.24.4/fs/proc/proc_net.c
18061 ---- linux-2.6.24.4/fs/proc/proc_net.c 2008-03-24 14:49:18.000000000 -0400
18062 -+++ linux-2.6.24.4/fs/proc/proc_net.c 2008-03-26 17:56:56.000000000 -0400
18063 -@@ -69,7 +69,13 @@ static __net_init int proc_net_ns_init(s
18064 - goto out;
18065 -
18066 - err = -EEXIST;
18067 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18068 -+ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, root);
18069 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18070 -+ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, root);
18071 -+#else
18072 - netd = proc_mkdir("net", root);
18073 -+#endif
18074 - if (!netd)
18075 - goto free_root;
18076 -
18077 -diff -urNp linux-2.6.24.4/fs/proc/proc_sysctl.c linux-2.6.24.4/fs/proc/proc_sysctl.c
18078 ---- linux-2.6.24.4/fs/proc/proc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
18079 -+++ linux-2.6.24.4/fs/proc/proc_sysctl.c 2008-03-26 17:56:56.000000000 -0400
18080 -@@ -7,6 +7,8 @@
18081 - #include <linux/security.h>
18082 - #include "internal.h"
18083 -
18084 -+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
18085 -+
18086 - static struct dentry_operations proc_sys_dentry_operations;
18087 - static const struct file_operations proc_sys_file_operations;
18088 - static struct inode_operations proc_sys_inode_operations;
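Review bot: the `extern __u32 gr_handle_sysctl(...)` prototype is declared locally in proc_sysctl.c rather than taken from linux/grsecurity.h, which this patch includes elsewhere; a local prototype will not be checked against the definition if the signature ever changes. Move the declaration to the header and include it here.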
18089 -@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
18090 - if (!table)
18091 - goto out;
18092 -
18093 -+ if (gr_handle_sysctl(table, 001))
18094 -+ goto out;
18095 -+
18096 - err = ERR_PTR(-ENOMEM);
18097 - inode = proc_sys_make_inode(dir, table);
18098 - if (!inode)
18099 -@@ -360,6 +365,9 @@ static int proc_sys_readdir(struct file
18100 - if (pos < filp->f_pos)
18101 - continue;
18102 -
18103 -+ if (gr_handle_sysctl(table, 0))
18104 -+ continue;
18105 -+
18106 - if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
18107 - goto out;
18108 - filp->f_pos = pos + 1;
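Review bot: `gr_handle_sysctl` is called with the bare literals `001` (in `proc_sys_lookup` above) and `0` (here), and the octal spelling suggests a flag rather than a number. Name the operations with macros (for example hypothetical `GR_SYSCTL_LOOKUP` / `GR_SYSCTL_READDIR`) so readers do not have to look up what `001` means, and so a wrong literal cannot pass silently.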
18109 -@@ -422,6 +430,30 @@ out:
18110 - return error;
18111 - }
18112 -
18113 -+/* Eric Biederman is to blame */
18114 -+static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
18115 -+{
18116 -+ int error = 0;
18117 -+ struct ctl_table_header *head;
18118 -+ struct ctl_table *table;
18119 -+
18120 -+ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
18121 -+ /* Has the sysctl entry disappeared on us? */
18122 -+ if (!table)
18123 -+ goto out;
18124 -+
18125 -+ if (gr_handle_sysctl(table, 001)) {
18126 -+ error = -ENOENT;
18127 -+ goto out;
18128 -+ }
18129 -+
18130 -+out:
18131 -+ sysctl_head_finish(head);
18132 -+
18133 -+ generic_fillattr(dentry->d_inode, stat);
18134 -+
18135 -+ return error;
18136 -+}
18137 - static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
18138 - {
18139 - struct inode *inode = dentry->d_inode;
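Review bot: the comment `/* Eric Biederman is to blame */` tells the reader nothing; replace it with why `getattr` needs its own sysctl lookup (so that a table hidden from lookup/readdir is also hidden from stat on an already-cached dentry). A blank line is missing between the new function's closing brace and `proc_sys_setattr`, and `generic_fillattr` still runs on the `-ENOENT` path, which is harmless but worth a `goto` past it for clarity. Calling `sysctl_head_finish(head)` when `table` is NULL matches the pattern of the existing lookup, so that part is fine.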
18140 -@@ -450,6 +482,7 @@ static struct inode_operations proc_sys_
18141 - .lookup = proc_sys_lookup,
18142 - .permission = proc_sys_permission,
18143 - .setattr = proc_sys_setattr,
18144 -+ .getattr = proc_sys_getattr,
18145 - };
18146 -
18147 - static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
18148 -diff -urNp linux-2.6.24.4/fs/proc/root.c linux-2.6.24.4/fs/proc/root.c
18149 ---- linux-2.6.24.4/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
18150 -+++ linux-2.6.24.4/fs/proc/root.c 2008-03-26 17:56:56.000000000 -0400
18151 -@@ -137,7 +137,15 @@ void __init proc_root_init(void)
18152 - #ifdef CONFIG_PROC_DEVICETREE
18153 - proc_device_tree_init();
18154 - #endif
18155 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
18156 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
18157 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
18158 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
18159 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
18160 -+#endif
18161 -+#else
18162 - proc_bus = proc_mkdir("bus", NULL);
18163 -+#endif
18164 - proc_sys_init();
18165 - }
18166 -
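Review bot: inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` the inner `PROC_USER` / `PROC_USERGROUP` ladder has no `#else`, so with PROC_ADD set and neither sub-option, `proc_bus` is never assigned and stays NULL; anything later created with `proc_bus` as parent then lands in the proc root instead of `/proc/bus`. Add an `#else` that creates the directory with a restrictive mode (same issue as the `gr_mode` ladder in proc_misc.c).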
18167 -diff -urNp linux-2.6.24.4/fs/proc/task_mmu.c linux-2.6.24.4/fs/proc/task_mmu.c
18168 ---- linux-2.6.24.4/fs/proc/task_mmu.c 2008-03-24 14:49:18.000000000 -0400
18169 -+++ linux-2.6.24.4/fs/proc/task_mmu.c 2008-03-26 17:56:56.000000000 -0400
18170 -@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
18171 - "VmStk:\t%8lu kB\n"
18172 - "VmExe:\t%8lu kB\n"
18173 - "VmLib:\t%8lu kB\n"
18174 -- "VmPTE:\t%8lu kB\n",
18175 -- hiwater_vm << (PAGE_SHIFT-10),
18176 -+ "VmPTE:\t%8lu kB\n"
18177 -+
18178 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
18179 -+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
18180 -+#endif
18181 -+
18182 -+ ,hiwater_vm << (PAGE_SHIFT-10),
18183 - (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
18184 - mm->locked_vm << (PAGE_SHIFT-10),
18185 - hiwater_rss << (PAGE_SHIFT-10),
18186 - total_rss << (PAGE_SHIFT-10),
18187 - data << (PAGE_SHIFT-10),
18188 - mm->stack_vm << (PAGE_SHIFT-10), text, lib,
18189 -- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
18190 -+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
18191 -+
18192 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
18193 -+ , mm->context.user_cs_base, mm->context.user_cs_limit
18194 -+#endif
18195 -+
18196 -+ );
18197 -+
18198 - return buffer;
18199 - }
18200 -
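Review bot: `CsBase`/`CsLim` are user-space addresses printed into `/proc/<pid>/status` for every task when `CONFIG_ARCH_TRACK_EXEC_LIMIT` is set, with no `PAX_RAND_FLAGS` gating, while the `do_task_stat` and `show_map_internal` hunks blank addresses of other users' randomized tasks under `CONFIG_GRKERNSEC_PROC_MEMMAP`. Either gate these two fields the same way or comment why they are considered safe to expose. The leading-comma argument list is awkward but is the price of the `#ifdef` splice.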
18201 -@@ -131,6 +143,12 @@ struct pmd_walker {
18202 - unsigned long, void *);
18203 - };
18204 -
18205 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18206 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
18207 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
18208 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
18209 -+#endif
18210 -+
18211 - static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
18212 - {
18213 - struct proc_maps_private *priv = m->private;
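Review bot: this `PAX_RAND_FLAGS` definition is a verbatim copy of the one added to fs/proc/array.c earlier in the patch; define it once in a shared header (linux/grsecurity.h, which this patch already includes in several files) so the two cannot diverge, and parenthesize the `_mm` argument while moving it.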
18214 -@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
18215 - }
18216 -
18217 - seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
18218 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18219 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
18220 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
18221 -+#else
18222 - vma->vm_start,
18223 - vma->vm_end,
18224 -+#endif
18225 - flags & VM_READ ? 'r' : '-',
18226 - flags & VM_WRITE ? 'w' : '-',
18227 - flags & VM_EXEC ? 'x' : '-',
18228 - flags & VM_MAYSHARE ? 's' : 'p',
18229 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18230 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
18231 -+#else
18232 - vma->vm_pgoff << PAGE_SHIFT,
18233 -+#endif
18234 - MAJOR(dev), MINOR(dev), ino, &len);
18235 -
18236 - /*
18237 -@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
18238 - const char *name = arch_vma_name(vma);
18239 - if (!name) {
18240 - if (mm) {
18241 -- if (vma->vm_start <= mm->start_brk &&
18242 -- vma->vm_end >= mm->brk) {
18243 -+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
18244 - name = "[heap]";
18245 -- } else if (vma->vm_start <= mm->start_stack &&
18246 -- vma->vm_end >= mm->start_stack) {
18247 -+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
18248 -+ (vma->vm_start <= mm->start_stack &&
18249 -+ vma->vm_end >= mm->start_stack)) {
18250 - name = "[stack]";
18251 - }
18252 - } else {
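Review bot: the relaxed [heap] and [stack] tests in this hunk need a comment explaining their intent. The heap test changes from containment (`vm_start <= start_brk && vm_end >= brk`) to any overlap with the brk range, and the stack test now labels every VMA carrying VM_GROWSDOWN or VM_GROWSUP whether or not it contains `start_stack`, so MAP_GROWSDOWN mappings and thread stacks will also show up as [stack]. If that is deliberate (for example because the heap may be split into several VMAs), document it next to the condition; otherwise restrict the flag test to the VMA that actually contains `start_stack`.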
18253 -@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
18254 - }
18255 - seq_putc(m, '\n');
18256 -
18257 -- if (mss)
18258 -+
18259 -+ if (mss) {
18260 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
18261 -+ if (PAX_RAND_FLAGS(mm))
18262 -+ seq_printf(m,
18263 -+ "Size: %8lu kB\n"
18264 -+ "Rss: %8lu kB\n"
18265 -+ "Shared_Clean: %8lu kB\n"
18266 -+ "Shared_Dirty: %8lu kB\n"
18267 -+ "Private_Clean: %8lu kB\n"
18268 -+ "Private_Dirty: %8lu kB\n",
18269 -+ "Referenced: %8lu kB\n",
18270 -+ 0UL,
18271 -+ 0UL,
18272 -+ 0UL,
18273 -+ 0UL,
18274 -+ 0UL,
18275 -+ 0UL,
18276 -+ 0UL);
18277 -+ else
18278 -+#endif
18279 - seq_printf(m,
18280 - "Size: %8lu kB\n"
18281 - "Rss: %8lu kB\n"
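Review bot: the argument list of the new seq_printf for hidden mappings is off by one. The comma after `"Private_Dirty: %8lu kB\n",` terminates the format string, so `"Referenced: %8lu kB\n"` is passed as the first variadic argument and consumed by the Size `%lu` (printing a pointer value), the remaining fields shift by one, the seventh `0UL` is never used, and no Referenced line is emitted at all. Remove that comma so all seven literals concatenate into one format matching the seven `0UL` arguments. The blank line added just before `if (mss) {` is also a stray whitespace change.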
18282 -@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
18283 - mss->private_clean >> 10,
18284 - mss->private_dirty >> 10,
18285 - mss->referenced >> 10);
18286 -+ }
18287 -
18288 - if (m->count < m->size) /* vma is copied successfully */
18289 - m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
18290 -diff -urNp linux-2.6.24.4/fs/readdir.c linux-2.6.24.4/fs/readdir.c
18291 ---- linux-2.6.24.4/fs/readdir.c 2008-03-24 14:49:18.000000000 -0400
18292 -+++ linux-2.6.24.4/fs/readdir.c 2008-03-26 17:56:56.000000000 -0400
18293 -@@ -16,6 +16,8 @@
18294 - #include <linux/security.h>
18295 - #include <linux/syscalls.h>
18296 - #include <linux/unistd.h>
18297 -+#include <linux/namei.h>
18298 -+#include <linux/grsecurity.h>
18299 -
18300 - #include <asm/uaccess.h>
18301 -
18302 -@@ -64,6 +66,7 @@ struct old_linux_dirent {
18303 -
18304 - struct readdir_callback {
18305 - struct old_linux_dirent __user * dirent;
18306 -+ struct file * file;
18307 - int result;
18308 - };
18309 -
18310 -@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
18311 - d_ino = ino;
18312 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
18313 - return -EOVERFLOW;
18314 -+
18315 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18316 -+ return 0;
18317 -+
18318 - buf->result++;
18319 - dirent = buf->dirent;
18320 - if (!access_ok(VERIFY_WRITE, dirent,
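Review bot: `gr_acl_handle_filldir` returning 0 here makes the callback return 0, which in the vfs_readdir protocol means "continue", so a hidden entry is silently skipped and `buf->result` is left untouched. That is the right behaviour for entry hiding, but it deserves a one-line comment at this site and at the two identical insertions in filldir and filldir64 below, since a reader will otherwise expect a permission check to fail with -EACCES. The hook is placed after the d_ino overflow test here and in filldir but after the reclen check in filldir64; pick one ordering for all three callbacks.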
18321 -@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
18322 -
18323 - buf.result = 0;
18324 - buf.dirent = dirent;
18325 -+ buf.file = file;
18326 -
18327 - error = vfs_readdir(file, fillonedir, &buf);
18328 - if (error >= 0)
18329 -@@ -136,6 +144,7 @@ struct linux_dirent {
18330 - struct getdents_callback {
18331 - struct linux_dirent __user * current_dir;
18332 - struct linux_dirent __user * previous;
18333 -+ struct file * file;
18334 - int count;
18335 - int error;
18336 - };
18337 -@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
18338 - d_ino = ino;
18339 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
18340 - return -EOVERFLOW;
18341 -+
18342 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18343 -+ return 0;
18344 -+
18345 - dirent = buf->previous;
18346 - if (dirent) {
18347 - if (__put_user(offset, &dirent->d_off))
18348 -@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
18349 - buf.previous = NULL;
18350 - buf.count = count;
18351 - buf.error = 0;
18352 -+ buf.file = file;
18353 -
18354 - error = vfs_readdir(file, filldir, &buf);
18355 - if (error < 0)
18356 -@@ -222,6 +236,7 @@ out:
18357 - struct getdents_callback64 {
18358 - struct linux_dirent64 __user * current_dir;
18359 - struct linux_dirent64 __user * previous;
18360 -+ struct file *file;
18361 - int count;
18362 - int error;
18363 - };
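Review bot: style nit, this hunk declares the new member as `struct file *file;` while the same member is added as `struct file * file;` to readdir_callback and getdents_callback above; kernel style is `struct file *file;`, so fix the two earlier hunks to match.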
18364 -@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
18365 - buf->error = -EINVAL; /* only used if we fail.. */
18366 - if (reclen > buf->count)
18367 - return -EINVAL;
18368 -+
18369 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
18370 -+ return 0;
18371 -+
18372 - dirent = buf->previous;
18373 - if (dirent) {
18374 - if (__put_user(offset, &dirent->d_off))
18375 -@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
18376 -
18377 - buf.current_dir = dirent;
18378 - buf.previous = NULL;
18379 -+ buf.file = file;
18380 - buf.count = count;
18381 - buf.error = 0;
18382 -
18383 -diff -urNp linux-2.6.24.4/fs/smbfs/symlink.c linux-2.6.24.4/fs/smbfs/symlink.c
18384 ---- linux-2.6.24.4/fs/smbfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
18385 -+++ linux-2.6.24.4/fs/smbfs/symlink.c 2008-03-26 17:56:56.000000000 -0400
18386 -@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
18387 -
18388 - static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
18389 - {
18390 -- char *s = nd_get_link(nd);
18391 -+ const char *s = nd_get_link(nd);
18392 - if (!IS_ERR(s))
18393 - __putname(s);
18394 - }
18395 -diff -urNp linux-2.6.24.4/fs/sysfs/symlink.c linux-2.6.24.4/fs/sysfs/symlink.c
18396 ---- linux-2.6.24.4/fs/sysfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
18397 -+++ linux-2.6.24.4/fs/sysfs/symlink.c 2008-03-26 17:56:56.000000000 -0400
18398 -@@ -172,7 +172,7 @@ static void *sysfs_follow_link(struct de
18399 -
18400 - static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
18401 - {
18402 -- char *page = nd_get_link(nd);
18403 -+ const char *page = nd_get_link(nd);
18404 - if (!IS_ERR(page))
18405 - free_page((unsigned long)page);
18406 - }
18407 -diff -urNp linux-2.6.24.4/fs/udf/balloc.c linux-2.6.24.4/fs/udf/balloc.c
18408 ---- linux-2.6.24.4/fs/udf/balloc.c 2008-03-24 14:49:18.000000000 -0400
18409 -+++ linux-2.6.24.4/fs/udf/balloc.c 2008-03-26 17:56:56.000000000 -0400
18410 -@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
18411 - unsigned long overflow;
18412 -
18413 - mutex_lock(&sbi->s_alloc_mutex);
18414 -- if (bloc.logicalBlockNum < 0 ||
18415 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18416 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18417 - udf_debug("%d < %d || %d + %d > %d\n",
18418 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
18419 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
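Review bot: dropping the `bloc.logicalBlockNum < 0` test is correct for an unsigned field, but the udf_debug call two lines below still uses the format `"%d < %d || %d + %d > %d\n"` and still passes the literal `0`, so the message now describes a comparison that no longer exists; trim it to `"%d + %d > %d\n"` with `bloc.logicalBlockNum, count, UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)`. The same stale debug message remains in the udf_table_free_blocks hunk further down.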
18420 -@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
18421 - struct buffer_head *bh;
18422 -
18423 - mutex_lock(&sbi->s_alloc_mutex);
18424 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
18425 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
18426 - goto out;
18427 -
18428 - if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
18429 -@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
18430 - mutex_lock(&sbi->s_alloc_mutex);
18431 -
18432 - repeat:
18433 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
18434 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
18435 - goal = 0;
18436 -
18437 - nr_groups = bitmap->s_nr_groups;
18438 -@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
18439 - int i;
18440 -
18441 - mutex_lock(&sbi->s_alloc_mutex);
18442 -- if (bloc.logicalBlockNum < 0 ||
18443 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18444 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
18445 - udf_debug("%d < %d || %d + %d > %d\n",
18446 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
18447 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
18448 -@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
18449 - struct extent_position epos;
18450 - int8_t etype = -1;
18451 -
18452 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
18453 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
18454 - return 0;
18455 -
18456 - if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
18457 -@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
18458 - return newblock;
18459 -
18460 - mutex_lock(&sbi->s_alloc_mutex);
18461 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
18462 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
18463 - goal = 0;
18464 -
18465 - /* We search for the closest matching block to goal. If we find a exact hit,
18466 -diff -urNp linux-2.6.24.4/fs/udf/inode.c linux-2.6.24.4/fs/udf/inode.c
18467 ---- linux-2.6.24.4/fs/udf/inode.c 2008-03-24 14:49:18.000000000 -0400
18468 -+++ linux-2.6.24.4/fs/udf/inode.c 2008-03-26 17:56:56.000000000 -0400
18469 -@@ -311,9 +311,6 @@ static int udf_get_block(struct inode *i
18470 -
18471 - lock_kernel();
18472 -
18473 -- if (block < 0)
18474 -- goto abort_negative;
18475 --
18476 - if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
18477 - UDF_I_NEXT_ALLOC_BLOCK(inode)++;
18478 - UDF_I_NEXT_ALLOC_GOAL(inode)++;
18479 -@@ -334,10 +331,6 @@ static int udf_get_block(struct inode *i
18480 - abort:
18481 - unlock_kernel();
18482 - return err;
18483 --
18484 --abort_negative:
18485 -- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
18486 -- goto abort;
18487 - }
18488 -
18489 - static struct buffer_head *udf_getblk(struct inode *inode, long block,
18490 -diff -urNp linux-2.6.24.4/fs/ufs/inode.c linux-2.6.24.4/fs/ufs/inode.c
18491 ---- linux-2.6.24.4/fs/ufs/inode.c 2008-03-24 14:49:18.000000000 -0400
18492 -+++ linux-2.6.24.4/fs/ufs/inode.c 2008-03-26 17:56:56.000000000 -0400
18493 -@@ -56,9 +56,7 @@ static int ufs_block_to_path(struct inod
18494 -
18495 -
18496 - UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
18497 -- if (i_block < 0) {
18498 -- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
18499 -- } else if (i_block < direct_blocks) {
18500 -+ if (i_block < direct_blocks) {
18501 - offsets[n++] = i_block;
18502 - } else if ((i_block -= direct_blocks) < indirect_blocks) {
18503 - offsets[n++] = UFS_IND_BLOCK;
18504 -@@ -440,8 +438,6 @@ int ufs_getfrag_block(struct inode *inod
18505 - lock_kernel();
18506 -
18507 - UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
18508 -- if (fragment < 0)
18509 -- goto abort_negative;
18510 - if (fragment >
18511 - ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
18512 - << uspi->s_fpbshift))
18513 -@@ -504,10 +500,6 @@ abort:
18514 - unlock_kernel();
18515 - return err;
18516 -
18517 --abort_negative:
18518 -- ufs_warning(sb, "ufs_get_block", "block < 0");
18519 -- goto abort;
18520 --
18521 - abort_too_big:
18522 - ufs_warning(sb, "ufs_get_block", "block > big");
18523 - goto abort;
18524 -diff -urNp linux-2.6.24.4/fs/utimes.c linux-2.6.24.4/fs/utimes.c
18525 ---- linux-2.6.24.4/fs/utimes.c 2008-03-24 14:49:18.000000000 -0400
18526 -+++ linux-2.6.24.4/fs/utimes.c 2008-03-26 17:56:56.000000000 -0400
18527 -@@ -6,6 +6,7 @@
18528 - #include <linux/sched.h>
18529 - #include <linux/stat.h>
18530 - #include <linux/utime.h>
18531 -+#include <linux/grsecurity.h>
18532 - #include <asm/uaccess.h>
18533 - #include <asm/unistd.h>
18534 -
18535 -@@ -55,6 +56,7 @@ long do_utimes(int dfd, char __user *fil
18536 - int error;
18537 - struct nameidata nd;
18538 - struct dentry *dentry;
18539 -+ struct vfsmount *mnt;
18540 - struct inode *inode;
18541 - struct iattr newattrs;
18542 - struct file *f = NULL;
18543 -@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
18544 - if (!f)
18545 - goto out;
18546 - dentry = f->f_path.dentry;
18547 -+ mnt = f->f_path.mnt;
18548 - } else {
18549 - error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
18550 - if (error)
18551 - goto out;
18552 -
18553 - dentry = nd.dentry;
18554 -+ mnt = nd.mnt;
18555 - }
18556 -
18557 - inode = dentry->d_inode;
18558 -@@ -130,6 +134,12 @@ long do_utimes(int dfd, char __user *fil
18559 - }
18560 - }
18561 - }
18562 -+
18563 -+ if (!gr_acl_handle_utime(dentry, mnt)) {
18564 -+ error = -EACCES;
18565 -+ goto dput_and_out;
18566 -+ }
18567 -+
18568 - mutex_lock(&inode->i_mutex);
18569 - error = notify_change(dentry, &newattrs);
18570 - mutex_unlock(&inode->i_mutex);
18571 -diff -urNp linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c
18572 ---- linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c 2008-03-24 14:49:18.000000000 -0400
18573 -+++ linux-2.6.24.4/fs/xfs/linux-2.6/xfs_iops.c 2008-03-26 17:56:56.000000000 -0400
18574 -@@ -534,7 +534,7 @@ xfs_vn_put_link(
18575 - struct nameidata *nd,
18576 - void *p)
18577 - {
18578 -- char *s = nd_get_link(nd);
18579 -+ const char *s = nd_get_link(nd);
18580 -
18581 - if (!IS_ERR(s))
18582 - kfree(s);
18583 -diff -urNp linux-2.6.24.4/fs/xfs/xfs_bmap.c linux-2.6.24.4/fs/xfs/xfs_bmap.c
18584 ---- linux-2.6.24.4/fs/xfs/xfs_bmap.c 2008-03-24 14:49:18.000000000 -0400
18585 -+++ linux-2.6.24.4/fs/xfs/xfs_bmap.c 2008-03-26 17:56:56.000000000 -0400
18586 -@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
18587 - int nmap,
18588 - int ret_nmap);
18589 - #else
18590 --#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
18591 -+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
18592 - #endif /* DEBUG */
18593 -
18594 - #if defined(XFS_RW_TRACE)
18595 -diff -urNp linux-2.6.24.4/grsecurity/gracl_alloc.c linux-2.6.24.4/grsecurity/gracl_alloc.c
18596 ---- linux-2.6.24.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
18597 -+++ linux-2.6.24.4/grsecurity/gracl_alloc.c 2008-03-26 17:56:56.000000000 -0400
18598 -@@ -0,0 +1,91 @@
18599 -+#include <linux/kernel.h>
18600 -+#include <linux/mm.h>
18601 -+#include <linux/slab.h>
18602 -+#include <linux/vmalloc.h>
18603 -+#include <linux/gracl.h>
18604 -+#include <linux/grsecurity.h>
18605 -+
18606 -+static unsigned long alloc_stack_next = 1;
18607 -+static unsigned long alloc_stack_size = 1;
18608 -+static void **alloc_stack;
18609 -+
18610 -+static __inline__ int
18611 -+alloc_pop(void)
18612 -+{
18613 -+ if (alloc_stack_next == 1)
18614 -+ return 0;
18615 -+
18616 -+ kfree(alloc_stack[alloc_stack_next - 2]);
18617 -+
18618 -+ alloc_stack_next--;
18619 -+
18620 -+ return 1;
18621 -+}
18622 -+
18623 -+static __inline__ void
18624 -+alloc_push(void *buf)
18625 -+{
18626 -+ if (alloc_stack_next >= alloc_stack_size)
18627 -+ BUG();
18628 -+
18629 -+ alloc_stack[alloc_stack_next - 1] = buf;
18630 -+
18631 -+ alloc_stack_next++;
18632 -+
18633 -+ return;
18634 -+}
18635 -+
18636 -+void *
18637 -+acl_alloc(unsigned long len)
18638 -+{
18639 -+ void *ret;
18640 -+
18641 -+ if (len > PAGE_SIZE)
18642 -+ BUG();
18643 -+
18644 -+ ret = kmalloc(len, GFP_KERNEL);
18645 -+
18646 -+ if (ret)
18647 -+ alloc_push(ret);
18648 -+
18649 -+ return ret;
18650 -+}
18651 -+
18652 -+void
18653 -+acl_free_all(void)
18654 -+{
18655 -+ if (gr_acl_is_enabled() || !alloc_stack)
18656 -+ return;
18657 -+
18658 -+ while (alloc_pop()) ;
18659 -+
18660 -+ if (alloc_stack) {
18661 -+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
18662 -+ kfree(alloc_stack);
18663 -+ else
18664 -+ vfree(alloc_stack);
18665 -+ }
18666 -+
18667 -+ alloc_stack = NULL;
18668 -+ alloc_stack_size = 1;
18669 -+ alloc_stack_next = 1;
18670 -+
18671 -+ return;
18672 -+}
18673 -+
18674 -+int
18675 -+acl_alloc_stack_init(unsigned long size)
18676 -+{
18677 -+ if ((size * sizeof (void *)) <= PAGE_SIZE)
18678 -+ alloc_stack =
18679 -+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
18680 -+ else
18681 -+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
18682 -+
18683 -+ alloc_stack_size = size;
18684 -+
18685 -+ if (!alloc_stack)
18686 -+ return 0;
18687 -+ else
18688 -+ return 1;
18689 -+}
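Review bot: a few points on this allocator. `acl_alloc` calls BUG() when `len > PAGE_SIZE` and `alloc_push` calls BUG() when the stack is full; if callers pass sizes derived from the policy being loaded, as an ACL loader normally does, a malformed policy becomes a kernel panic where returning NULL and letting the caller unwind via acl_free_all would do. `acl_alloc_stack_init` computes `size * sizeof (void *)` with no overflow check and records `alloc_stack_size = size` even if that product wrapped, so the bound check in alloc_push would then pass against a far smaller array; reject a `size` greater than `ULONG_MAX / sizeof (void *)` before allocating. The 1-based `alloc_stack_next` convention (push stores at `next - 1`, pop frees `next - 2`, `next == 1` means empty) is internally consistent but needs a comment, or better a 0-based index that removes the arithmetic. Minor: the `if (alloc_stack)` in acl_free_all is redundant after the early `!alloc_stack` return, and `__inline__` should be `inline`.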
18690 -diff -urNp linux-2.6.24.4/grsecurity/gracl.c linux-2.6.24.4/grsecurity/gracl.c
18691 ---- linux-2.6.24.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
18692 -+++ linux-2.6.24.4/grsecurity/gracl.c 2008-03-26 17:56:56.000000000 -0400
18693 -@@ -0,0 +1,3722 @@
18694 -+#include <linux/kernel.h>
18695 -+#include <linux/module.h>
18696 -+#include <linux/sched.h>
18697 -+#include <linux/mm.h>
18698 -+#include <linux/file.h>
18699 -+#include <linux/fs.h>
18700 -+#include <linux/namei.h>
18701 -+#include <linux/mount.h>
18702 -+#include <linux/tty.h>
18703 -+#include <linux/proc_fs.h>
18704 -+#include <linux/smp_lock.h>
18705 -+#include <linux/slab.h>
18706 -+#include <linux/vmalloc.h>
18707 -+#include <linux/types.h>
18708 -+#include <linux/capability.h>
18709 -+#include <linux/sysctl.h>
18710 -+#include <linux/netdevice.h>
18711 -+#include <linux/ptrace.h>
18712 -+#include <linux/gracl.h>
18713 -+#include <linux/gralloc.h>
18714 -+#include <linux/grsecurity.h>
18715 -+#include <linux/grinternal.h>
18716 -+#include <linux/pid_namespace.h>
18717 -+#include <linux/percpu.h>
18718 -+
18719 -+#include <asm/uaccess.h>
18720 -+#include <asm/errno.h>
18721 -+#include <asm/mman.h>
18722 -+
18723 -+static struct acl_role_db acl_role_set;
18724 -+static struct name_db name_set;
18725 -+static struct inodev_db inodev_set;
18726 -+
18727 -+/* for keeping track of userspace pointers used for subjects, so we
18728 -+ can share references in the kernel as well
18729 -+*/
18730 -+
18731 -+static struct dentry *real_root;
18732 -+static struct vfsmount *real_root_mnt;
18733 -+
18734 -+static struct acl_subj_map_db subj_map_set;
18735 -+
18736 -+static struct acl_role_label *default_role;
18737 -+
18738 -+static u16 acl_sp_role_value;
18739 -+
18740 -+extern char *gr_shared_page[4];
18741 -+static DECLARE_MUTEX(gr_dev_sem);
18742 -+rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
18743 -+
18744 -+struct gr_arg *gr_usermode;
18745 -+
18746 -+static unsigned int gr_status = GR_STATUS_INIT;
18747 -+
18748 -+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
18749 -+extern void gr_clear_learn_entries(void);
18750 -+
18751 -+#ifdef CONFIG_GRKERNSEC_RESLOG
18752 -+extern void gr_log_resource(const struct task_struct *task,
18753 -+ const int res, const unsigned long wanted, const int gt);
18754 -+#endif
18755 -+
18756 -+unsigned char *gr_system_salt;
18757 -+unsigned char *gr_system_sum;
18758 -+
18759 -+static struct sprole_pw **acl_special_roles = NULL;
18760 -+static __u16 num_sprole_pws = 0;
18761 -+
18762 -+static struct acl_role_label *kernel_role = NULL;
18763 -+
18764 -+static unsigned int gr_auth_attempts = 0;
18765 -+static unsigned long gr_auth_expires = 0UL;
18766 -+
18767 -+extern struct vfsmount *sock_mnt;
18768 -+extern struct vfsmount *pipe_mnt;
18769 -+extern struct vfsmount *shm_mnt;
18770 -+static struct acl_object_label *fakefs_obj;
18771 -+
18772 -+extern int gr_init_uidset(void);
18773 -+extern void gr_free_uidset(void);
18774 -+extern void gr_remove_uid(uid_t uid);
18775 -+extern int gr_find_uid(uid_t uid);
18776 -+
18777 -+__inline__ int
18778 -+gr_acl_is_enabled(void)
18779 -+{
18780 -+ return (gr_status & GR_READY);
18781 -+}
18782 -+
18783 -+char gr_roletype_to_char(void)
18784 -+{
18785 -+ switch (current->role->roletype &
18786 -+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
18787 -+ GR_ROLE_SPECIAL)) {
18788 -+ case GR_ROLE_DEFAULT:
18789 -+ return 'D';
18790 -+ case GR_ROLE_USER:
18791 -+ return 'U';
18792 -+ case GR_ROLE_GROUP:
18793 -+ return 'G';
18794 -+ case GR_ROLE_SPECIAL:
18795 -+ return 'S';
18796 -+ }
18797 -+
18798 -+ return 'X';
18799 -+}
18800 -+
18801 -+__inline__ int
18802 -+gr_acl_tpe_check(void)
18803 -+{
18804 -+ if (unlikely(!(gr_status & GR_READY)))
18805 -+ return 0;
18806 -+ if (current->role->roletype & GR_ROLE_TPE)
18807 -+ return 1;
18808 -+ else
18809 -+ return 0;
18810 -+}
18811 -+
18812 -+int
18813 -+gr_handle_rawio(const struct inode *inode)
18814 -+{
18815 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
18816 -+ if (inode && S_ISBLK(inode->i_mode) &&
18817 -+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
18818 -+ !capable(CAP_SYS_RAWIO))
18819 -+ return 1;
18820 -+#endif
18821 -+ return 0;
18822 -+}
18823 -+
18824 -+static int
18825 -+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
18826 -+{
18827 -+ int i;
18828 -+ unsigned long *l1;
18829 -+ unsigned long *l2;
18830 -+ unsigned char *c1;
18831 -+ unsigned char *c2;
18832 -+ int num_longs;
18833 -+
18834 -+ if (likely(lena != lenb))
18835 -+ return 0;
18836 -+
18837 -+ l1 = (unsigned long *)a;
18838 -+ l2 = (unsigned long *)b;
18839 -+
18840 -+ num_longs = lena / sizeof(unsigned long);
18841 -+
18842 -+ for (i = num_longs; i--; l1++, l2++) {
18843 -+ if (unlikely(*l1 != *l2))
18844 -+ return 0;
18845 -+ }
18846 -+
18847 -+ c1 = (unsigned char *) l1;
18848 -+ c2 = (unsigned char *) l2;
18849 -+
18850 -+ i = lena - (num_longs * sizeof(unsigned long));
18851 -+
18852 -+ for (; i--; c1++, c2++) {
18853 -+ if (unlikely(*c1 != *c2))
18854 -+ return 0;
18855 -+ }
18856 -+
18857 -+ return 1;
18858 -+}
18859 -+
18860 -+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18861 -+ struct dentry *root, struct vfsmount *rootmnt,
18862 -+ char *buffer, int buflen)
18863 -+{
18864 -+ char * end = buffer+buflen;
18865 -+ char * retval;
18866 -+ int namelen;
18867 -+
18868 -+ *--end = '\0';
18869 -+ buflen--;
18870 -+
18871 -+ if (buflen < 1)
18872 -+ goto Elong;
18873 -+ /* Get '/' right */
18874 -+ retval = end-1;
18875 -+ *retval = '/';
18876 -+
18877 -+ for (;;) {
18878 -+ struct dentry * parent;
18879 -+
18880 -+ if (dentry == root && vfsmnt == rootmnt)
18881 -+ break;
18882 -+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
18883 -+ /* Global root? */
18884 -+ spin_lock(&vfsmount_lock);
18885 -+ if (vfsmnt->mnt_parent == vfsmnt) {
18886 -+ spin_unlock(&vfsmount_lock);
18887 -+ goto global_root;
18888 -+ }
18889 -+ dentry = vfsmnt->mnt_mountpoint;
18890 -+ vfsmnt = vfsmnt->mnt_parent;
18891 -+ spin_unlock(&vfsmount_lock);
18892 -+ continue;
18893 -+ }
18894 -+ parent = dentry->d_parent;
18895 -+ prefetch(parent);
18896 -+ namelen = dentry->d_name.len;
18897 -+ buflen -= namelen + 1;
18898 -+ if (buflen < 0)
18899 -+ goto Elong;
18900 -+ end -= namelen;
18901 -+ memcpy(end, dentry->d_name.name, namelen);
18902 -+ *--end = '/';
18903 -+ retval = end;
18904 -+ dentry = parent;
18905 -+ }
18906 -+
18907 -+ return retval;
18908 -+
18909 -+global_root:
18910 -+ namelen = dentry->d_name.len;
18911 -+ buflen -= namelen;
18912 -+ if (buflen < 0)
18913 -+ goto Elong;
18914 -+ retval -= namelen-1; /* hit the slash */
18915 -+ memcpy(retval, dentry->d_name.name, namelen);
18916 -+ return retval;
18917 -+Elong:
18918 -+ return ERR_PTR(-ENAMETOOLONG);
18919 -+}
18920 -+
18921 -+static char *
18922 -+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18923 -+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
18924 -+{
18925 -+ char *retval;
18926 -+
18927 -+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
18928 -+ if (unlikely(IS_ERR(retval)))
18929 -+ retval = strcpy(buf, "<path too long>");
18930 -+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
18931 -+ retval[1] = '\0';
18932 -+
18933 -+ return retval;
18934 -+}
18935 -+
18936 -+static char *
18937 -+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18938 -+ char *buf, int buflen)
18939 -+{
18940 -+ char *res;
18941 -+
18942 -+ /* we can use real_root, real_root_mnt, because this is only called
18943 -+ by the RBAC system */
18944 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
18945 -+
18946 -+ return res;
18947 -+}
18948 -+
18949 -+static char *
18950 -+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18951 -+ char *buf, int buflen)
18952 -+{
18953 -+ char *res;
18954 -+ struct dentry *root;
18955 -+ struct vfsmount *rootmnt;
18956 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
18957 -+
18958 -+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
18959 -+ read_lock(&reaper->fs->lock);
18960 -+ root = dget(reaper->fs->root);
18961 -+ rootmnt = mntget(reaper->fs->rootmnt);
18962 -+ read_unlock(&reaper->fs->lock);
18963 -+
18964 -+ spin_lock(&dcache_lock);
18965 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
18966 -+ spin_unlock(&dcache_lock);
18967 -+
18968 -+ dput(root);
18969 -+ mntput(rootmnt);
18970 -+ return res;
18971 -+}
18972 -+
18973 -+static char *
18974 -+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
18975 -+{
18976 -+ char *ret;
18977 -+ spin_lock(&dcache_lock);
18978 -+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18979 -+ PAGE_SIZE);
18980 -+ spin_unlock(&dcache_lock);
18981 -+ return ret;
18982 -+}
18983 -+
18984 -+char *
18985 -+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
18986 -+{
18987 -+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18988 -+ PAGE_SIZE);
18989 -+}
18990 -+
18991 -+char *
18992 -+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
18993 -+{
18994 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
18995 -+ PAGE_SIZE);
18996 -+}
18997 -+
18998 -+char *
18999 -+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
19000 -+{
19001 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
19002 -+ PAGE_SIZE);
19003 -+}
19004 -+
19005 -+char *
19006 -+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
19007 -+{
19008 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
19009 -+ PAGE_SIZE);
19010 -+}
19011 -+
19012 -+char *
19013 -+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
19014 -+{
19015 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
19016 -+ PAGE_SIZE);
19017 -+}
19018 -+
19019 -+__inline__ __u32
19020 -+to_gr_audit(const __u32 reqmode)
19021 -+{
19022 -+ /* masks off auditable permission flags, then shifts them to create
19023 -+ auditing flags, and adds the special case of append auditing if
19024 -+ we're requesting write */
19025 -+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
19026 -+}
19027 -+
19028 -+struct acl_subject_label *
19029 -+lookup_subject_map(const struct acl_subject_label *userp)
19030 -+{
19031 -+ unsigned int index = shash(userp, subj_map_set.s_size);
19032 -+ struct subject_map *match;
19033 -+
19034 -+ match = subj_map_set.s_hash[index];
19035 -+
19036 -+ while (match && match->user != userp)
19037 -+ match = match->next;
19038 -+
19039 -+ if (match != NULL)
19040 -+ return match->kernel;
19041 -+ else
19042 -+ return NULL;
19043 -+}
19044 -+
19045 -+static void
19046 -+insert_subj_map_entry(struct subject_map *subjmap)
19047 -+{
19048 -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
19049 -+ struct subject_map **curr;
19050 -+
19051 -+ subjmap->prev = NULL;
19052 -+
19053 -+ curr = &subj_map_set.s_hash[index];
19054 -+ if (*curr != NULL)
19055 -+ (*curr)->prev = subjmap;
19056 -+
19057 -+ subjmap->next = *curr;
19058 -+ *curr = subjmap;
19059 -+
19060 -+ return;
19061 -+}
19062 -+
19063 -+static struct acl_role_label *
19064 -+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
19065 -+ const gid_t gid)
19066 -+{
19067 -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
19068 -+ struct acl_role_label *match;
19069 -+ struct role_allowed_ip *ipp;
19070 -+ unsigned int x;
19071 -+
19072 -+ match = acl_role_set.r_hash[index];
19073 -+
19074 -+ while (match) {
19075 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
19076 -+ for (x = 0; x < match->domain_child_num; x++) {
19077 -+ if (match->domain_children[x] == uid)
19078 -+ goto found;
19079 -+ }
19080 -+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
19081 -+ break;
19082 -+ match = match->next;
19083 -+ }
19084 -+found:
19085 -+ if (match == NULL) {
19086 -+ try_group:
19087 -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
19088 -+ match = acl_role_set.r_hash[index];
19089 -+
19090 -+ while (match) {
19091 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
19092 -+ for (x = 0; x < match->domain_child_num; x++) {
19093 -+ if (match->domain_children[x] == gid)
19094 -+ goto found2;
19095 -+ }
19096 -+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
19097 -+ break;
19098 -+ match = match->next;
19099 -+ }
19100 -+found2:
19101 -+ if (match == NULL)
19102 -+ match = default_role;
19103 -+ if (match->allowed_ips == NULL)
19104 -+ return match;
19105 -+ else {
19106 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
19107 -+ if (likely
19108 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
19109 -+ (ntohl(ipp->addr) & ipp->netmask)))
19110 -+ return match;
19111 -+ }
19112 -+ match = default_role;
19113 -+ }
19114 -+ } else if (match->allowed_ips == NULL) {
19115 -+ return match;
19116 -+ } else {
19117 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
19118 -+ if (likely
19119 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
19120 -+ (ntohl(ipp->addr) & ipp->netmask)))
19121 -+ return match;
19122 -+ }
19123 -+ goto try_group;
19124 -+ }
19125 -+
19126 -+ return match;
19127 -+}
19128 -+
19129 -+struct acl_subject_label *
19130 -+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
19131 -+ const struct acl_role_label *role)
19132 -+{
19133 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
19134 -+ struct acl_subject_label *match;
19135 -+
19136 -+ match = role->subj_hash[index];
19137 -+
19138 -+ while (match && (match->inode != ino || match->device != dev ||
19139 -+ (match->mode & GR_DELETED))) {
19140 -+ match = match->next;
19141 -+ }
19142 -+
19143 -+ if (match && !(match->mode & GR_DELETED))
19144 -+ return match;
19145 -+ else
19146 -+ return NULL;
19147 -+}
19148 -+
19149 -+static struct acl_object_label *
19150 -+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
19151 -+ const struct acl_subject_label *subj)
19152 -+{
19153 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
19154 -+ struct acl_object_label *match;
19155 -+
19156 -+ match = subj->obj_hash[index];
19157 -+
19158 -+ while (match && (match->inode != ino || match->device != dev ||
19159 -+ (match->mode & GR_DELETED))) {
19160 -+ match = match->next;
19161 -+ }
19162 -+
19163 -+ if (match && !(match->mode & GR_DELETED))
19164 -+ return match;
19165 -+ else
19166 -+ return NULL;
19167 -+}
19168 -+
19169 -+static struct acl_object_label *
19170 -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
19171 -+ const struct acl_subject_label *subj)
19172 -+{
19173 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
19174 -+ struct acl_object_label *match;
19175 -+
19176 -+ match = subj->obj_hash[index];
19177 -+
19178 -+ while (match && (match->inode != ino || match->device != dev ||
19179 -+ !(match->mode & GR_DELETED))) {
19180 -+ match = match->next;
19181 -+ }
19182 -+
19183 -+ if (match && (match->mode & GR_DELETED))
19184 -+ return match;
19185 -+
19186 -+ match = subj->obj_hash[index];
19187 -+
19188 -+ while (match && (match->inode != ino || match->device != dev ||
19189 -+ (match->mode & GR_DELETED))) {
19190 -+ match = match->next;
19191 -+ }
19192 -+
19193 -+ if (match && !(match->mode & GR_DELETED))
19194 -+ return match;
19195 -+ else
19196 -+ return NULL;
19197 -+}
19198 -+
19199 -+static struct name_entry *
19200 -+lookup_name_entry(const char *name)
19201 -+{
19202 -+ unsigned int len = strlen(name);
19203 -+ unsigned int key = full_name_hash(name, len);
19204 -+ unsigned int index = key % name_set.n_size;
19205 -+ struct name_entry *match;
19206 -+
19207 -+ match = name_set.n_hash[index];
19208 -+
19209 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
19210 -+ match = match->next;
19211 -+
19212 -+ return match;
19213 -+}
19214 -+
19215 -+static struct name_entry *
19216 -+lookup_name_entry_create(const char *name)
19217 -+{
19218 -+ unsigned int len = strlen(name);
19219 -+ unsigned int key = full_name_hash(name, len);
19220 -+ unsigned int index = key % name_set.n_size;
19221 -+ struct name_entry *match;
19222 -+
19223 -+ match = name_set.n_hash[index];
19224 -+
19225 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
19226 -+ !match->deleted))
19227 -+ match = match->next;
19228 -+
19229 -+ if (match && match->deleted)
19230 -+ return match;
19231 -+
19232 -+ match = name_set.n_hash[index];
19233 -+
19234 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
19235 -+ match->deleted))
19236 -+ match = match->next;
19237 -+
19238 -+ if (match && !match->deleted)
19239 -+ return match;
19240 -+ else
19241 -+ return NULL;
19242 -+}
19243 -+
19244 -+static struct inodev_entry *
19245 -+lookup_inodev_entry(const ino_t ino, const dev_t dev)
19246 -+{
19247 -+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
19248 -+ struct inodev_entry *match;
19249 -+
19250 -+ match = inodev_set.i_hash[index];
19251 -+
19252 -+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
19253 -+ match = match->next;
19254 -+
19255 -+ return match;
19256 -+}
19257 -+
19258 -+static void
19259 -+insert_inodev_entry(struct inodev_entry *entry)
19260 -+{
19261 -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
19262 -+ inodev_set.i_size);
19263 -+ struct inodev_entry **curr;
19264 -+
19265 -+ entry->prev = NULL;
19266 -+
19267 -+ curr = &inodev_set.i_hash[index];
19268 -+ if (*curr != NULL)
19269 -+ (*curr)->prev = entry;
19270 -+
19271 -+ entry->next = *curr;
19272 -+ *curr = entry;
19273 -+
19274 -+ return;
19275 -+}
19276 -+
19277 -+static void
19278 -+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
19279 -+{
19280 -+ unsigned int index =
19281 -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
19282 -+ struct acl_role_label **curr;
19283 -+
19284 -+ role->prev = NULL;
19285 -+
19286 -+ curr = &acl_role_set.r_hash[index];
19287 -+ if (*curr != NULL)
19288 -+ (*curr)->prev = role;
19289 -+
19290 -+ role->next = *curr;
19291 -+ *curr = role;
19292 -+
19293 -+ return;
19294 -+}
19295 -+
19296 -+static void
19297 -+insert_acl_role_label(struct acl_role_label *role)
19298 -+{
19299 -+ int i;
19300 -+
19301 -+ if (role->roletype & GR_ROLE_DOMAIN) {
19302 -+ for (i = 0; i < role->domain_child_num; i++)
19303 -+ __insert_acl_role_label(role, role->domain_children[i]);
19304 -+ } else
19305 -+ __insert_acl_role_label(role, role->uidgid);
19306 -+}
19307 -+
19308 -+static int
19309 -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
19310 -+{
19311 -+ struct name_entry **curr, *nentry;
19312 -+ struct inodev_entry *ientry;
19313 -+ unsigned int len = strlen(name);
19314 -+ unsigned int key = full_name_hash(name, len);
19315 -+ unsigned int index = key % name_set.n_size;
19316 -+
19317 -+ curr = &name_set.n_hash[index];
19318 -+
19319 -+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
19320 -+ curr = &((*curr)->next);
19321 -+
19322 -+ if (*curr != NULL)
19323 -+ return 1;
19324 -+
19325 -+ nentry = acl_alloc(sizeof (struct name_entry));
19326 -+ if (nentry == NULL)
19327 -+ return 0;
19328 -+ ientry = acl_alloc(sizeof (struct inodev_entry));
19329 -+ if (ientry == NULL)
19330 -+ return 0;
19331 -+ ientry->nentry = nentry;
19332 -+
19333 -+ nentry->key = key;
19334 -+ nentry->name = name;
19335 -+ nentry->inode = inode;
19336 -+ nentry->device = device;
19337 -+ nentry->len = len;
19338 -+ nentry->deleted = deleted;
19339 -+
19340 -+ nentry->prev = NULL;
19341 -+ curr = &name_set.n_hash[index];
19342 -+ if (*curr != NULL)
19343 -+ (*curr)->prev = nentry;
19344 -+ nentry->next = *curr;
19345 -+ *curr = nentry;
19346 -+
19347 -+ /* insert us into the table searchable by inode/dev */
19348 -+ insert_inodev_entry(ientry);
19349 -+
19350 -+ return 1;
19351 -+}
19352 -+
19353 -+static void
19354 -+insert_acl_obj_label(struct acl_object_label *obj,
19355 -+ struct acl_subject_label *subj)
19356 -+{
19357 -+ unsigned int index =
19358 -+ fhash(obj->inode, obj->device, subj->obj_hash_size);
19359 -+ struct acl_object_label **curr;
19360 -+
19361 -+
19362 -+ obj->prev = NULL;
19363 -+
19364 -+ curr = &subj->obj_hash[index];
19365 -+ if (*curr != NULL)
19366 -+ (*curr)->prev = obj;
19367 -+
19368 -+ obj->next = *curr;
19369 -+ *curr = obj;
19370 -+
19371 -+ return;
19372 -+}
19373 -+
19374 -+static void
19375 -+insert_acl_subj_label(struct acl_subject_label *obj,
19376 -+ struct acl_role_label *role)
19377 -+{
19378 -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
19379 -+ struct acl_subject_label **curr;
19380 -+
19381 -+ obj->prev = NULL;
19382 -+
19383 -+ curr = &role->subj_hash[index];
19384 -+ if (*curr != NULL)
19385 -+ (*curr)->prev = obj;
19386 -+
19387 -+ obj->next = *curr;
19388 -+ *curr = obj;
19389 -+
19390 -+ return;
19391 -+}
19392 -+
19393 -+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
19394 -+
19395 -+static void *
19396 -+create_table(__u32 * len, int elementsize)
19397 -+{
19398 -+ unsigned int table_sizes[] = {
19399 -+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
19400 -+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
19401 -+ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
19402 -+ 268435399, 536870909, 1073741789, 2147483647
19403 -+ };
19404 -+ void *newtable = NULL;
19405 -+ unsigned int pwr = 0;
19406 -+
19407 -+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
19408 -+ table_sizes[pwr] <= *len)
19409 -+ pwr++;
19410 -+
19411 -+ if (table_sizes[pwr] <= *len)
19412 -+ return newtable;
19413 -+
19414 -+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
19415 -+ newtable =
19416 -+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
19417 -+ else
19418 -+ newtable = vmalloc(table_sizes[pwr] * elementsize);
19419 -+
19420 -+ *len = table_sizes[pwr];
19421 -+
19422 -+ return newtable;
19423 -+}
19424 -+
19425 -+static int
19426 -+init_variables(const struct gr_arg *arg)
19427 -+{
19428 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
19429 -+ unsigned int stacksize;
19430 -+
19431 -+ subj_map_set.s_size = arg->role_db.num_subjects;
19432 -+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
19433 -+ name_set.n_size = arg->role_db.num_objects;
19434 -+ inodev_set.i_size = arg->role_db.num_objects;
19435 -+
19436 -+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
19437 -+ !name_set.n_size || !inodev_set.i_size)
19438 -+ return 1;
19439 -+
19440 -+ if (!gr_init_uidset())
19441 -+ return 1;
19442 -+
19443 -+ /* set up the stack that holds allocation info */
19444 -+
19445 -+ stacksize = arg->role_db.num_pointers + 5;
19446 -+
19447 -+ if (!acl_alloc_stack_init(stacksize))
19448 -+ return 1;
19449 -+
19450 -+ /* grab reference for the real root dentry and vfsmount */
19451 -+ read_lock(&reaper->fs->lock);
19452 -+ real_root_mnt = mntget(reaper->fs->rootmnt);
19453 -+ real_root = dget(reaper->fs->root);
19454 -+ read_unlock(&reaper->fs->lock);
19455 -+
19456 -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
19457 -+ if (fakefs_obj == NULL)
19458 -+ return 1;
19459 -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
19460 -+
19461 -+ subj_map_set.s_hash =
19462 -+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
19463 -+ acl_role_set.r_hash =
19464 -+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
19465 -+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
19466 -+ inodev_set.i_hash =
19467 -+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
19468 -+
19469 -+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
19470 -+ !name_set.n_hash || !inodev_set.i_hash)
19471 -+ return 1;
19472 -+
19473 -+ memset(subj_map_set.s_hash, 0,
19474 -+ sizeof(struct subject_map *) * subj_map_set.s_size);
19475 -+ memset(acl_role_set.r_hash, 0,
19476 -+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
19477 -+ memset(name_set.n_hash, 0,
19478 -+ sizeof (struct name_entry *) * name_set.n_size);
19479 -+ memset(inodev_set.i_hash, 0,
19480 -+ sizeof (struct inodev_entry *) * inodev_set.i_size);
19481 -+
19482 -+ return 0;
19483 -+}
19484 -+
19485 -+/* free information not needed after startup
19486 -+ currently contains user->kernel pointer mappings for subjects
19487 -+*/
19488 -+
19489 -+static void
19490 -+free_init_variables(void)
19491 -+{
19492 -+ __u32 i;
19493 -+
19494 -+ if (subj_map_set.s_hash) {
19495 -+ for (i = 0; i < subj_map_set.s_size; i++) {
19496 -+ if (subj_map_set.s_hash[i]) {
19497 -+ kfree(subj_map_set.s_hash[i]);
19498 -+ subj_map_set.s_hash[i] = NULL;
19499 -+ }
19500 -+ }
19501 -+
19502 -+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
19503 -+ PAGE_SIZE)
19504 -+ kfree(subj_map_set.s_hash);
19505 -+ else
19506 -+ vfree(subj_map_set.s_hash);
19507 -+ }
19508 -+
19509 -+ return;
19510 -+}
19511 -+
19512 -+static void
19513 -+free_variables(void)
19514 -+{
19515 -+ struct acl_subject_label *s;
19516 -+ struct acl_role_label *r;
19517 -+ struct task_struct *task, *task2;
19518 -+ unsigned int i, x;
19519 -+
19520 -+ gr_clear_learn_entries();
19521 -+
19522 -+ read_lock(&tasklist_lock);
19523 -+ do_each_thread(task2, task) {
19524 -+ task->acl_sp_role = 0;
19525 -+ task->acl_role_id = 0;
19526 -+ task->acl = NULL;
19527 -+ task->role = NULL;
19528 -+ } while_each_thread(task2, task);
19529 -+ read_unlock(&tasklist_lock);
19530 -+
19531 -+ /* release the reference to the real root dentry and vfsmount */
19532 -+ if (real_root)
19533 -+ dput(real_root);
19534 -+ real_root = NULL;
19535 -+ if (real_root_mnt)
19536 -+ mntput(real_root_mnt);
19537 -+ real_root_mnt = NULL;
19538 -+
19539 -+ /* free all object hash tables */
19540 -+
19541 -+ FOR_EACH_ROLE_START(r, i)
19542 -+ if (r->subj_hash == NULL)
19543 -+ break;
19544 -+ FOR_EACH_SUBJECT_START(r, s, x)
19545 -+ if (s->obj_hash == NULL)
19546 -+ break;
19547 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
19548 -+ kfree(s->obj_hash);
19549 -+ else
19550 -+ vfree(s->obj_hash);
19551 -+ FOR_EACH_SUBJECT_END(s, x)
19552 -+ FOR_EACH_NESTED_SUBJECT_START(r, s)
19553 -+ if (s->obj_hash == NULL)
19554 -+ break;
19555 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
19556 -+ kfree(s->obj_hash);
19557 -+ else
19558 -+ vfree(s->obj_hash);
19559 -+ FOR_EACH_NESTED_SUBJECT_END(s)
19560 -+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
19561 -+ kfree(r->subj_hash);
19562 -+ else
19563 -+ vfree(r->subj_hash);
19564 -+ r->subj_hash = NULL;
19565 -+ FOR_EACH_ROLE_END(r,i)
19566 -+
19567 -+ acl_free_all();
19568 -+
19569 -+ if (acl_role_set.r_hash) {
19570 -+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
19571 -+ PAGE_SIZE)
19572 -+ kfree(acl_role_set.r_hash);
19573 -+ else
19574 -+ vfree(acl_role_set.r_hash);
19575 -+ }
19576 -+ if (name_set.n_hash) {
19577 -+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
19578 -+ PAGE_SIZE)
19579 -+ kfree(name_set.n_hash);
19580 -+ else
19581 -+ vfree(name_set.n_hash);
19582 -+ }
19583 -+
19584 -+ if (inodev_set.i_hash) {
19585 -+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
19586 -+ PAGE_SIZE)
19587 -+ kfree(inodev_set.i_hash);
19588 -+ else
19589 -+ vfree(inodev_set.i_hash);
19590 -+ }
19591 -+
19592 -+ gr_free_uidset();
19593 -+
19594 -+ memset(&name_set, 0, sizeof (struct name_db));
19595 -+ memset(&inodev_set, 0, sizeof (struct inodev_db));
19596 -+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
19597 -+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
19598 -+
19599 -+ default_role = NULL;
19600 -+
19601 -+ return;
19602 -+}
19603 -+
19604 -+static __u32
19605 -+count_user_objs(struct acl_object_label *userp)
19606 -+{
19607 -+ struct acl_object_label o_tmp;
19608 -+ __u32 num = 0;
19609 -+
19610 -+ while (userp) {
19611 -+ if (copy_from_user(&o_tmp, userp,
19612 -+ sizeof (struct acl_object_label)))
19613 -+ break;
19614 -+
19615 -+ userp = o_tmp.prev;
19616 -+ num++;
19617 -+ }
19618 -+
19619 -+ return num;
19620 -+}
19621 -+
19622 -+static struct acl_subject_label *
19623 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
19624 -+
19625 -+static int
19626 -+copy_user_glob(struct acl_object_label *obj)
19627 -+{
19628 -+ struct acl_object_label *g_tmp, **guser;
19629 -+ unsigned int len;
19630 -+ char *tmp;
19631 -+
19632 -+ if (obj->globbed == NULL)
19633 -+ return 0;
19634 -+
19635 -+ guser = &obj->globbed;
19636 -+ while (*guser) {
19637 -+ g_tmp = (struct acl_object_label *)
19638 -+ acl_alloc(sizeof (struct acl_object_label));
19639 -+ if (g_tmp == NULL)
19640 -+ return -ENOMEM;
19641 -+
19642 -+ if (copy_from_user(g_tmp, *guser,
19643 -+ sizeof (struct acl_object_label)))
19644 -+ return -EFAULT;
19645 -+
19646 -+ len = strnlen_user(g_tmp->filename, PATH_MAX);
19647 -+
19648 -+ if (!len || len >= PATH_MAX)
19649 -+ return -EINVAL;
19650 -+
19651 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19652 -+ return -ENOMEM;
19653 -+
19654 -+ if (copy_from_user(tmp, g_tmp->filename, len))
19655 -+ return -EFAULT;
19656 -+
19657 -+ g_tmp->filename = tmp;
19658 -+
19659 -+ *guser = g_tmp;
19660 -+ guser = &(g_tmp->next);
19661 -+ }
19662 -+
19663 -+ return 0;
19664 -+}
19665 -+
19666 -+static int
19667 -+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
19668 -+ struct acl_role_label *role)
19669 -+{
19670 -+ struct acl_object_label *o_tmp;
19671 -+ unsigned int len;
19672 -+ int ret;
19673 -+ char *tmp;
19674 -+
19675 -+ while (userp) {
19676 -+ if ((o_tmp = (struct acl_object_label *)
19677 -+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
19678 -+ return -ENOMEM;
19679 -+
19680 -+ if (copy_from_user(o_tmp, userp,
19681 -+ sizeof (struct acl_object_label)))
19682 -+ return -EFAULT;
19683 -+
19684 -+ userp = o_tmp->prev;
19685 -+
19686 -+ len = strnlen_user(o_tmp->filename, PATH_MAX);
19687 -+
19688 -+ if (!len || len >= PATH_MAX)
19689 -+ return -EINVAL;
19690 -+
19691 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19692 -+ return -ENOMEM;
19693 -+
19694 -+ if (copy_from_user(tmp, o_tmp->filename, len))
19695 -+ return -EFAULT;
19696 -+
19697 -+ o_tmp->filename = tmp;
19698 -+
19699 -+ insert_acl_obj_label(o_tmp, subj);
19700 -+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
19701 -+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
19702 -+ return -ENOMEM;
19703 -+
19704 -+ ret = copy_user_glob(o_tmp);
19705 -+ if (ret)
19706 -+ return ret;
19707 -+
19708 -+ if (o_tmp->nested) {
19709 -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
19710 -+ if (IS_ERR(o_tmp->nested))
19711 -+ return PTR_ERR(o_tmp->nested);
19712 -+
19713 -+ /* insert into nested subject list */
19714 -+ o_tmp->nested->next = role->hash->first;
19715 -+ role->hash->first = o_tmp->nested;
19716 -+ }
19717 -+ }
19718 -+
19719 -+ return 0;
19720 -+}
19721 -+
19722 -+static __u32
19723 -+count_user_subjs(struct acl_subject_label *userp)
19724 -+{
19725 -+ struct acl_subject_label s_tmp;
19726 -+ __u32 num = 0;
19727 -+
19728 -+ while (userp) {
19729 -+ if (copy_from_user(&s_tmp, userp,
19730 -+ sizeof (struct acl_subject_label)))
19731 -+ break;
19732 -+
19733 -+ userp = s_tmp.prev;
19734 -+ /* do not count nested subjects against this count, since
19735 -+ they are not included in the hash table, but are
19736 -+ attached to objects. We have already counted
19737 -+ the subjects in userspace for the allocation
19738 -+ stack
19739 -+ */
19740 -+ if (!(s_tmp.mode & GR_NESTED))
19741 -+ num++;
19742 -+ }
19743 -+
19744 -+ return num;
19745 -+}
19746 -+
19747 -+static int
19748 -+copy_user_allowedips(struct acl_role_label *rolep)
19749 -+{
19750 -+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
19751 -+
19752 -+ ruserip = rolep->allowed_ips;
19753 -+
19754 -+ while (ruserip) {
19755 -+ rlast = rtmp;
19756 -+
19757 -+ if ((rtmp = (struct role_allowed_ip *)
19758 -+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
19759 -+ return -ENOMEM;
19760 -+
19761 -+ if (copy_from_user(rtmp, ruserip,
19762 -+ sizeof (struct role_allowed_ip)))
19763 -+ return -EFAULT;
19764 -+
19765 -+ ruserip = rtmp->prev;
19766 -+
19767 -+ if (!rlast) {
19768 -+ rtmp->prev = NULL;
19769 -+ rolep->allowed_ips = rtmp;
19770 -+ } else {
19771 -+ rlast->next = rtmp;
19772 -+ rtmp->prev = rlast;
19773 -+ }
19774 -+
19775 -+ if (!ruserip)
19776 -+ rtmp->next = NULL;
19777 -+ }
19778 -+
19779 -+ return 0;
19780 -+}
19781 -+
19782 -+static int
19783 -+copy_user_transitions(struct acl_role_label *rolep)
19784 -+{
19785 -+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
19786 -+
19787 -+ unsigned int len;
19788 -+ char *tmp;
19789 -+
19790 -+ rusertp = rolep->transitions;
19791 -+
19792 -+ while (rusertp) {
19793 -+ rlast = rtmp;
19794 -+
19795 -+ if ((rtmp = (struct role_transition *)
19796 -+ acl_alloc(sizeof (struct role_transition))) == NULL)
19797 -+ return -ENOMEM;
19798 -+
19799 -+ if (copy_from_user(rtmp, rusertp,
19800 -+ sizeof (struct role_transition)))
19801 -+ return -EFAULT;
19802 -+
19803 -+ rusertp = rtmp->prev;
19804 -+
19805 -+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
19806 -+
19807 -+ if (!len || len >= GR_SPROLE_LEN)
19808 -+ return -EINVAL;
19809 -+
19810 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19811 -+ return -ENOMEM;
19812 -+
19813 -+ if (copy_from_user(tmp, rtmp->rolename, len))
19814 -+ return -EFAULT;
19815 -+
19816 -+ rtmp->rolename = tmp;
19817 -+
19818 -+ if (!rlast) {
19819 -+ rtmp->prev = NULL;
19820 -+ rolep->transitions = rtmp;
19821 -+ } else {
19822 -+ rlast->next = rtmp;
19823 -+ rtmp->prev = rlast;
19824 -+ }
19825 -+
19826 -+ if (!rusertp)
19827 -+ rtmp->next = NULL;
19828 -+ }
19829 -+
19830 -+ return 0;
19831 -+}
19832 -+
19833 -+static struct acl_subject_label *
19834 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
19835 -+{
19836 -+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
19837 -+ unsigned int len;
19838 -+ char *tmp;
19839 -+ __u32 num_objs;
19840 -+ struct acl_ip_label **i_tmp, *i_utmp2;
19841 -+ struct gr_hash_struct ghash;
19842 -+ struct subject_map *subjmap;
19843 -+ unsigned int i_num;
19844 -+ int err;
19845 -+
19846 -+ s_tmp = lookup_subject_map(userp);
19847 -+
19848 -+ /* we've already copied this subject into the kernel, just return
19849 -+ the reference to it, and don't copy it over again
19850 -+ */
19851 -+ if (s_tmp)
19852 -+ return(s_tmp);
19853 -+
19854 -+ if ((s_tmp = (struct acl_subject_label *)
19855 -+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
19856 -+ return ERR_PTR(-ENOMEM);
19857 -+
19858 -+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
19859 -+ if (subjmap == NULL)
19860 -+ return ERR_PTR(-ENOMEM);
19861 -+
19862 -+ subjmap->user = userp;
19863 -+ subjmap->kernel = s_tmp;
19864 -+ insert_subj_map_entry(subjmap);
19865 -+
19866 -+ if (copy_from_user(s_tmp, userp,
19867 -+ sizeof (struct acl_subject_label)))
19868 -+ return ERR_PTR(-EFAULT);
19869 -+
19870 -+ len = strnlen_user(s_tmp->filename, PATH_MAX);
19871 -+
19872 -+ if (!len || len >= PATH_MAX)
19873 -+ return ERR_PTR(-EINVAL);
19874 -+
19875 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
19876 -+ return ERR_PTR(-ENOMEM);
19877 -+
19878 -+ if (copy_from_user(tmp, s_tmp->filename, len))
19879 -+ return ERR_PTR(-EFAULT);
19880 -+
19881 -+ s_tmp->filename = tmp;
19882 -+
19883 -+ if (!strcmp(s_tmp->filename, "/"))
19884 -+ role->root_label = s_tmp;
19885 -+
19886 -+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
19887 -+ return ERR_PTR(-EFAULT);
19888 -+
19889 -+ /* copy user and group transition tables */
19890 -+
19891 -+ if (s_tmp->user_trans_num) {
19892 -+ uid_t *uidlist;
19893 -+
19894 -+ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
19895 -+ if (uidlist == NULL)
19896 -+ return ERR_PTR(-ENOMEM);
19897 -+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
19898 -+ return ERR_PTR(-EFAULT);
19899 -+
19900 -+ s_tmp->user_transitions = uidlist;
19901 -+ }
19902 -+
19903 -+ if (s_tmp->group_trans_num) {
19904 -+ gid_t *gidlist;
19905 -+
19906 -+ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
19907 -+ if (gidlist == NULL)
19908 -+ return ERR_PTR(-ENOMEM);
19909 -+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
19910 -+ return ERR_PTR(-EFAULT);
19911 -+
19912 -+ s_tmp->group_transitions = gidlist;
19913 -+ }
19914 -+
19915 -+ /* set up object hash table */
19916 -+ num_objs = count_user_objs(ghash.first);
19917 -+
19918 -+ s_tmp->obj_hash_size = num_objs;
19919 -+ s_tmp->obj_hash =
19920 -+ (struct acl_object_label **)
19921 -+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
19922 -+
19923 -+ if (!s_tmp->obj_hash)
19924 -+ return ERR_PTR(-ENOMEM);
19925 -+
19926 -+ memset(s_tmp->obj_hash, 0,
19927 -+ s_tmp->obj_hash_size *
19928 -+ sizeof (struct acl_object_label *));
19929 -+
19930 -+ /* add in objects */
19931 -+ err = copy_user_objs(ghash.first, s_tmp, role);
19932 -+
19933 -+ if (err)
19934 -+ return ERR_PTR(err);
19935 -+
19936 -+ /* set pointer for parent subject */
19937 -+ if (s_tmp->parent_subject) {
19938 -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
19939 -+
19940 -+ if (IS_ERR(s_tmp2))
19941 -+ return s_tmp2;
19942 -+
19943 -+ s_tmp->parent_subject = s_tmp2;
19944 -+ }
19945 -+
19946 -+ /* add in ip acls */
19947 -+
19948 -+ if (!s_tmp->ip_num) {
19949 -+ s_tmp->ips = NULL;
19950 -+ goto insert;
19951 -+ }
19952 -+
19953 -+ i_tmp =
19954 -+ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
19955 -+ sizeof (struct
19956 -+ acl_ip_label *));
19957 -+
19958 -+ if (!i_tmp)
19959 -+ return ERR_PTR(-ENOMEM);
19960 -+
19961 -+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
19962 -+ *(i_tmp + i_num) =
19963 -+ (struct acl_ip_label *)
19964 -+ acl_alloc(sizeof (struct acl_ip_label));
19965 -+ if (!*(i_tmp + i_num))
19966 -+ return ERR_PTR(-ENOMEM);
19967 -+
19968 -+ if (copy_from_user
19969 -+ (&i_utmp2, s_tmp->ips + i_num,
19970 -+ sizeof (struct acl_ip_label *)))
19971 -+ return ERR_PTR(-EFAULT);
19972 -+
19973 -+ if (copy_from_user
19974 -+ (*(i_tmp + i_num), i_utmp2,
19975 -+ sizeof (struct acl_ip_label)))
19976 -+ return ERR_PTR(-EFAULT);
19977 -+
19978 -+ if ((*(i_tmp + i_num))->iface == NULL)
19979 -+ continue;
19980 -+
19981 -+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
19982 -+ if (!len || len >= IFNAMSIZ)
19983 -+ return ERR_PTR(-EINVAL);
19984 -+ tmp = acl_alloc(len);
19985 -+ if (tmp == NULL)
19986 -+ return ERR_PTR(-ENOMEM);
19987 -+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
19988 -+ return ERR_PTR(-EFAULT);
19989 -+ (*(i_tmp + i_num))->iface = tmp;
19990 -+ }
19991 -+
19992 -+ s_tmp->ips = i_tmp;
19993 -+
19994 -+insert:
19995 -+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
19996 -+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
19997 -+ return ERR_PTR(-ENOMEM);
19998 -+
19999 -+ return s_tmp;
20000 -+}
20001 -+
20002 -+static int
20003 -+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
20004 -+{
20005 -+ struct acl_subject_label s_pre;
20006 -+ struct acl_subject_label * ret;
20007 -+ int err;
20008 -+
20009 -+ while (userp) {
20010 -+ if (copy_from_user(&s_pre, userp,
20011 -+ sizeof (struct acl_subject_label)))
20012 -+ return -EFAULT;
20013 -+
20014 -+ /* do not add nested subjects here, add
20015 -+ while parsing objects
20016 -+ */
20017 -+
20018 -+ if (s_pre.mode & GR_NESTED) {
20019 -+ userp = s_pre.prev;
20020 -+ continue;
20021 -+ }
20022 -+
20023 -+ ret = do_copy_user_subj(userp, role);
20024 -+
20025 -+ err = PTR_ERR(ret);
20026 -+ if (IS_ERR(ret))
20027 -+ return err;
20028 -+
20029 -+ insert_acl_subj_label(ret, role);
20030 -+
20031 -+ userp = s_pre.prev;
20032 -+ }
20033 -+
20034 -+ return 0;
20035 -+}
20036 -+
20037 -+static int
20038 -+copy_user_acl(struct gr_arg *arg)
20039 -+{
20040 -+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
20041 -+ struct sprole_pw *sptmp;
20042 -+ struct gr_hash_struct *ghash;
20043 -+ uid_t *domainlist;
20044 -+ unsigned int r_num;
20045 -+ unsigned int len;
20046 -+ char *tmp;
20047 -+ int err = 0;
20048 -+ __u16 i;
20049 -+ __u32 num_subjs;
20050 -+
20051 -+ /* we need a default and kernel role */
20052 -+ if (arg->role_db.num_roles < 2)
20053 -+ return -EINVAL;
20054 -+
20055 -+ /* copy special role authentication info from userspace */
20056 -+
20057 -+ num_sprole_pws = arg->num_sprole_pws;
20058 -+ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
20059 -+
20060 -+ if (!acl_special_roles) {
20061 -+ err = -ENOMEM;
20062 -+ goto cleanup;
20063 -+ }
20064 -+
20065 -+ for (i = 0; i < num_sprole_pws; i++) {
20066 -+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
20067 -+ if (!sptmp) {
20068 -+ err = -ENOMEM;
20069 -+ goto cleanup;
20070 -+ }
20071 -+ if (copy_from_user(sptmp, arg->sprole_pws + i,
20072 -+ sizeof (struct sprole_pw))) {
20073 -+ err = -EFAULT;
20074 -+ goto cleanup;
20075 -+ }
20076 -+
20077 -+ len =
20078 -+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
20079 -+
20080 -+ if (!len || len >= GR_SPROLE_LEN) {
20081 -+ err = -EINVAL;
20082 -+ goto cleanup;
20083 -+ }
20084 -+
20085 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
20086 -+ err = -ENOMEM;
20087 -+ goto cleanup;
20088 -+ }
20089 -+
20090 -+ if (copy_from_user(tmp, sptmp->rolename, len)) {
20091 -+ err = -EFAULT;
20092 -+ goto cleanup;
20093 -+ }
20094 -+
20095 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20096 -+ printk(KERN_ALERT "Copying special role %s\n", tmp);
20097 -+#endif
20098 -+ sptmp->rolename = tmp;
20099 -+ acl_special_roles[i] = sptmp;
20100 -+ }
20101 -+
20102 -+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
20103 -+
20104 -+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
20105 -+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
20106 -+
20107 -+ if (!r_tmp) {
20108 -+ err = -ENOMEM;
20109 -+ goto cleanup;
20110 -+ }
20111 -+
20112 -+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
20113 -+ sizeof (struct acl_role_label *))) {
20114 -+ err = -EFAULT;
20115 -+ goto cleanup;
20116 -+ }
20117 -+
20118 -+ if (copy_from_user(r_tmp, r_utmp2,
20119 -+ sizeof (struct acl_role_label))) {
20120 -+ err = -EFAULT;
20121 -+ goto cleanup;
20122 -+ }
20123 -+
20124 -+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
20125 -+
20126 -+ if (!len || len >= PATH_MAX) {
20127 -+ err = -EINVAL;
20128 -+ goto cleanup;
20129 -+ }
20130 -+
20131 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
20132 -+ err = -ENOMEM;
20133 -+ goto cleanup;
20134 -+ }
20135 -+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
20136 -+ err = -EFAULT;
20137 -+ goto cleanup;
20138 -+ }
20139 -+ r_tmp->rolename = tmp;
20140 -+
20141 -+ if (!strcmp(r_tmp->rolename, "default")
20142 -+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
20143 -+ default_role = r_tmp;
20144 -+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
20145 -+ kernel_role = r_tmp;
20146 -+ }
20147 -+
20148 -+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
20149 -+ err = -ENOMEM;
20150 -+ goto cleanup;
20151 -+ }
20152 -+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
20153 -+ err = -EFAULT;
20154 -+ goto cleanup;
20155 -+ }
20156 -+
20157 -+ r_tmp->hash = ghash;
20158 -+
20159 -+ num_subjs = count_user_subjs(r_tmp->hash->first);
20160 -+
20161 -+ r_tmp->subj_hash_size = num_subjs;
20162 -+ r_tmp->subj_hash =
20163 -+ (struct acl_subject_label **)
20164 -+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
20165 -+
20166 -+ if (!r_tmp->subj_hash) {
20167 -+ err = -ENOMEM;
20168 -+ goto cleanup;
20169 -+ }
20170 -+
20171 -+ err = copy_user_allowedips(r_tmp);
20172 -+ if (err)
20173 -+ goto cleanup;
20174 -+
20175 -+ /* copy domain info */
20176 -+ if (r_tmp->domain_children != NULL) {
20177 -+ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
20178 -+ if (domainlist == NULL) {
20179 -+ err = -ENOMEM;
20180 -+ goto cleanup;
20181 -+ }
20182 -+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
20183 -+ err = -EFAULT;
20184 -+ goto cleanup;
20185 -+ }
20186 -+ r_tmp->domain_children = domainlist;
20187 -+ }
20188 -+
20189 -+ err = copy_user_transitions(r_tmp);
20190 -+ if (err)
20191 -+ goto cleanup;
20192 -+
20193 -+ memset(r_tmp->subj_hash, 0,
20194 -+ r_tmp->subj_hash_size *
20195 -+ sizeof (struct acl_subject_label *));
20196 -+
20197 -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
20198 -+
20199 -+ if (err)
20200 -+ goto cleanup;
20201 -+
20202 -+ /* set nested subject list to null */
20203 -+ r_tmp->hash->first = NULL;
20204 -+
20205 -+ insert_acl_role_label(r_tmp);
20206 -+ }
20207 -+
20208 -+ goto return_err;
20209 -+ cleanup:
20210 -+ free_variables();
20211 -+ return_err:
20212 -+ return err;
20213 -+
20214 -+}
20215 -+
20216 -+static int
20217 -+gracl_init(struct gr_arg *args)
20218 -+{
20219 -+ int error = 0;
20220 -+
20221 -+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
20222 -+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
20223 -+
20224 -+ if (init_variables(args)) {
20225 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
20226 -+ error = -ENOMEM;
20227 -+ free_variables();
20228 -+ goto out;
20229 -+ }
20230 -+
20231 -+ error = copy_user_acl(args);
20232 -+ free_init_variables();
20233 -+ if (error) {
20234 -+ free_variables();
20235 -+ goto out;
20236 -+ }
20237 -+
20238 -+ if ((error = gr_set_acls(0))) {
20239 -+ free_variables();
20240 -+ goto out;
20241 -+ }
20242 -+
20243 -+ gr_status |= GR_READY;
20244 -+ out:
20245 -+ return error;
20246 -+}
20247 -+
20248 -+/* derived from glibc fnmatch() 0: match, 1: no match*/
20249 -+
20250 -+static int
20251 -+glob_match(const char *p, const char *n)
20252 -+{
20253 -+ char c;
20254 -+
20255 -+ while ((c = *p++) != '\0') {
20256 -+ switch (c) {
20257 -+ case '?':
20258 -+ if (*n == '\0')
20259 -+ return 1;
20260 -+ else if (*n == '/')
20261 -+ return 1;
20262 -+ break;
20263 -+ case '\\':
20264 -+ if (*n != c)
20265 -+ return 1;
20266 -+ break;
20267 -+ case '*':
20268 -+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
20269 -+ if (*n == '/')
20270 -+ return 1;
20271 -+ else if (c == '?') {
20272 -+ if (*n == '\0')
20273 -+ return 1;
20274 -+ else
20275 -+ ++n;
20276 -+ }
20277 -+ }
20278 -+ if (c == '\0') {
20279 -+ return 0;
20280 -+ } else {
20281 -+ const char *endp;
20282 -+
20283 -+ if ((endp = strchr(n, '/')) == NULL)
20284 -+ endp = n + strlen(n);
20285 -+
20286 -+ if (c == '[') {
20287 -+ for (--p; n < endp; ++n)
20288 -+ if (!glob_match(p, n))
20289 -+ return 0;
20290 -+ } else if (c == '/') {
20291 -+ while (*n != '\0' && *n != '/')
20292 -+ ++n;
20293 -+ if (*n == '/' && !glob_match(p, n + 1))
20294 -+ return 0;
20295 -+ } else {
20296 -+ for (--p; n < endp; ++n)
20297 -+ if (*n == c && !glob_match(p, n))
20298 -+ return 0;
20299 -+ }
20300 -+
20301 -+ return 1;
20302 -+ }
20303 -+ case '[':
20304 -+ {
20305 -+ int not;
20306 -+ char cold;
20307 -+
20308 -+ if (*n == '\0' || *n == '/')
20309 -+ return 1;
20310 -+
20311 -+ not = (*p == '!' || *p == '^');
20312 -+ if (not)
20313 -+ ++p;
20314 -+
20315 -+ c = *p++;
20316 -+ for (;;) {
20317 -+ unsigned char fn = (unsigned char)*n;
20318 -+
20319 -+ if (c == '\0')
20320 -+ return 1;
20321 -+ else {
20322 -+ if (c == fn)
20323 -+ goto matched;
20324 -+ cold = c;
20325 -+ c = *p++;
20326 -+
20327 -+ if (c == '-' && *p != ']') {
20328 -+ unsigned char cend = *p++;
20329 -+
20330 -+ if (cend == '\0')
20331 -+ return 1;
20332 -+
20333 -+ if (cold <= fn && fn <= cend)
20334 -+ goto matched;
20335 -+
20336 -+ c = *p++;
20337 -+ }
20338 -+ }
20339 -+
20340 -+ if (c == ']')
20341 -+ break;
20342 -+ }
20343 -+ if (!not)
20344 -+ return 1;
20345 -+ break;
20346 -+ matched:
20347 -+ while (c != ']') {
20348 -+ if (c == '\0')
20349 -+ return 1;
20350 -+
20351 -+ c = *p++;
20352 -+ }
20353 -+ if (not)
20354 -+ return 1;
20355 -+ }
20356 -+ break;
20357 -+ default:
20358 -+ if (c != *n)
20359 -+ return 1;
20360 -+ }
20361 -+
20362 -+ ++n;
20363 -+ }
20364 -+
20365 -+ if (*n == '\0')
20366 -+ return 0;
20367 -+
20368 -+ if (*n == '/')
20369 -+ return 0;
20370 -+
20371 -+ return 1;
20372 -+}
20373 -+
20374 -+static struct acl_object_label *
20375 -+chk_glob_label(struct acl_object_label *globbed,
20376 -+ struct dentry *dentry, struct vfsmount *mnt, char **path)
20377 -+{
20378 -+ struct acl_object_label *tmp;
20379 -+
20380 -+ if (*path == NULL)
20381 -+ *path = gr_to_filename_nolock(dentry, mnt);
20382 -+
20383 -+ tmp = globbed;
20384 -+
20385 -+ while (tmp) {
20386 -+ if (!glob_match(tmp->filename, *path))
20387 -+ return tmp;
20388 -+ tmp = tmp->next;
20389 -+ }
20390 -+
20391 -+ return NULL;
20392 -+}
20393 -+
20394 -+static struct acl_object_label *
20395 -+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
20396 -+ const ino_t curr_ino, const dev_t curr_dev,
20397 -+ const struct acl_subject_label *subj, char **path)
20398 -+{
20399 -+ struct acl_subject_label *tmpsubj;
20400 -+ struct acl_object_label *retval;
20401 -+ struct acl_object_label *retval2;
20402 -+
20403 -+ tmpsubj = (struct acl_subject_label *) subj;
20404 -+ read_lock(&gr_inode_lock);
20405 -+ do {
20406 -+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
20407 -+ if (retval) {
20408 -+ if (retval->globbed) {
20409 -+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
20410 -+ (struct vfsmount *)orig_mnt, path);
20411 -+ if (retval2)
20412 -+ retval = retval2;
20413 -+ }
20414 -+ break;
20415 -+ }
20416 -+ } while ((tmpsubj = tmpsubj->parent_subject));
20417 -+ read_unlock(&gr_inode_lock);
20418 -+
20419 -+ return retval;
20420 -+}
20421 -+
20422 -+static __inline__ struct acl_object_label *
20423 -+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
20424 -+ const struct dentry *curr_dentry,
20425 -+ const struct acl_subject_label *subj, char **path)
20426 -+{
20427 -+ return __full_lookup(orig_dentry, orig_mnt,
20428 -+ curr_dentry->d_inode->i_ino,
20429 -+ curr_dentry->d_inode->i_sb->s_dev, subj, path);
20430 -+}
20431 -+
20432 -+static struct acl_object_label *
20433 -+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20434 -+ const struct acl_subject_label *subj, char *path)
20435 -+{
20436 -+ struct dentry *dentry = (struct dentry *) l_dentry;
20437 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
20438 -+ struct acl_object_label *retval;
20439 -+
20440 -+ spin_lock(&dcache_lock);
20441 -+
20442 -+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
20443 -+ /* ignore Eric Biederman */
20444 -+ IS_PRIVATE(l_dentry->d_inode))) {
20445 -+ retval = fakefs_obj;
20446 -+ goto out;
20447 -+ }
20448 -+
20449 -+ for (;;) {
20450 -+ if (dentry == real_root && mnt == real_root_mnt)
20451 -+ break;
20452 -+
20453 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
20454 -+ if (mnt->mnt_parent == mnt)
20455 -+ break;
20456 -+
20457 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20458 -+ if (retval != NULL)
20459 -+ goto out;
20460 -+
20461 -+ dentry = mnt->mnt_mountpoint;
20462 -+ mnt = mnt->mnt_parent;
20463 -+ continue;
20464 -+ }
20465 -+
20466 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20467 -+ if (retval != NULL)
20468 -+ goto out;
20469 -+
20470 -+ dentry = dentry->d_parent;
20471 -+ }
20472 -+
20473 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
20474 -+
20475 -+ if (retval == NULL)
20476 -+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
20477 -+out:
20478 -+ spin_unlock(&dcache_lock);
20479 -+ return retval;
20480 -+}
20481 -+
20482 -+static __inline__ struct acl_object_label *
20483 -+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20484 -+ const struct acl_subject_label *subj)
20485 -+{
20486 -+ char *path = NULL;
20487 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
20488 -+}
20489 -+
20490 -+static __inline__ struct acl_object_label *
20491 -+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20492 -+ const struct acl_subject_label *subj, char *path)
20493 -+{
20494 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
20495 -+}
20496 -+
20497 -+static struct acl_subject_label *
20498 -+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
20499 -+ const struct acl_role_label *role)
20500 -+{
20501 -+ struct dentry *dentry = (struct dentry *) l_dentry;
20502 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
20503 -+ struct acl_subject_label *retval;
20504 -+
20505 -+ spin_lock(&dcache_lock);
20506 -+
20507 -+ for (;;) {
20508 -+ if (dentry == real_root && mnt == real_root_mnt)
20509 -+ break;
20510 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
20511 -+ if (mnt->mnt_parent == mnt)
20512 -+ break;
20513 -+
20514 -+ read_lock(&gr_inode_lock);
20515 -+ retval =
20516 -+ lookup_acl_subj_label(dentry->d_inode->i_ino,
20517 -+ dentry->d_inode->i_sb->s_dev, role);
20518 -+ read_unlock(&gr_inode_lock);
20519 -+ if (retval != NULL)
20520 -+ goto out;
20521 -+
20522 -+ dentry = mnt->mnt_mountpoint;
20523 -+ mnt = mnt->mnt_parent;
20524 -+ continue;
20525 -+ }
20526 -+
20527 -+ read_lock(&gr_inode_lock);
20528 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
20529 -+ dentry->d_inode->i_sb->s_dev, role);
20530 -+ read_unlock(&gr_inode_lock);
20531 -+ if (retval != NULL)
20532 -+ goto out;
20533 -+
20534 -+ dentry = dentry->d_parent;
20535 -+ }
20536 -+
20537 -+ read_lock(&gr_inode_lock);
20538 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
20539 -+ dentry->d_inode->i_sb->s_dev, role);
20540 -+ read_unlock(&gr_inode_lock);
20541 -+
20542 -+ if (unlikely(retval == NULL)) {
20543 -+ read_lock(&gr_inode_lock);
20544 -+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
20545 -+ real_root->d_inode->i_sb->s_dev, role);
20546 -+ read_unlock(&gr_inode_lock);
20547 -+ }
20548 -+out:
20549 -+ spin_unlock(&dcache_lock);
20550 -+
20551 -+ return retval;
20552 -+}
20553 -+
20554 -+static void
20555 -+gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
20556 -+{
20557 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
20558 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20559 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20560 -+ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
20561 -+
20562 -+ return;
20563 -+}
20564 -+
20565 -+static void
20566 -+gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
20567 -+{
20568 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
20569 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20570 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20571 -+ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
20572 -+
20573 -+ return;
20574 -+}
20575 -+
20576 -+static void
20577 -+gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
20578 -+ const unsigned int effective, const unsigned int fs)
20579 -+{
20580 -+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
20581 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
20582 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
20583 -+ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
20584 -+
20585 -+ return;
20586 -+}
20587 -+
20588 -+__u32
20589 -+gr_check_link(const struct dentry * new_dentry,
20590 -+ const struct dentry * parent_dentry,
20591 -+ const struct vfsmount * parent_mnt,
20592 -+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
20593 -+{
20594 -+ struct acl_object_label *obj;
20595 -+ __u32 oldmode, newmode;
20596 -+ __u32 needmode;
20597 -+
20598 -+ if (unlikely(!(gr_status & GR_READY)))
20599 -+ return (GR_CREATE | GR_LINK);
20600 -+
20601 -+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
20602 -+ oldmode = obj->mode;
20603 -+
20604 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20605 -+ oldmode |= (GR_CREATE | GR_LINK);
20606 -+
20607 -+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
20608 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20609 -+ needmode |= GR_SETID | GR_AUDIT_SETID;
20610 -+
20611 -+ newmode =
20612 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
20613 -+ oldmode | needmode);
20614 -+
20615 -+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
20616 -+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
20617 -+ GR_INHERIT | GR_AUDIT_INHERIT);
20618 -+
20619 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
20620 -+ goto bad;
20621 -+
20622 -+ if ((oldmode & needmode) != needmode)
20623 -+ goto bad;
20624 -+
20625 -+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
20626 -+ if ((newmode & needmode) != needmode)
20627 -+ goto bad;
20628 -+
20629 -+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
20630 -+ return newmode;
20631 -+bad:
20632 -+ needmode = oldmode;
20633 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20634 -+ needmode |= GR_SETID;
20635 -+
20636 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20637 -+ gr_log_learn(current, old_dentry, old_mnt, needmode);
20638 -+ return (GR_CREATE | GR_LINK);
20639 -+ } else if (newmode & GR_SUPPRESS)
20640 -+ return GR_SUPPRESS;
20641 -+ else
20642 -+ return 0;
20643 -+}
20644 -+
20645 -+__u32
20646 -+gr_search_file(const struct dentry * dentry, const __u32 mode,
20647 -+ const struct vfsmount * mnt)
20648 -+{
20649 -+ __u32 retval = mode;
20650 -+ struct acl_subject_label *curracl;
20651 -+ struct acl_object_label *currobj;
20652 -+
20653 -+ if (unlikely(!(gr_status & GR_READY)))
20654 -+ return (mode & ~GR_AUDITS);
20655 -+
20656 -+ curracl = current->acl;
20657 -+
20658 -+ currobj = chk_obj_label(dentry, mnt, curracl);
20659 -+ retval = currobj->mode & mode;
20660 -+
20661 -+ if (unlikely
20662 -+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
20663 -+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
20664 -+ __u32 new_mode = mode;
20665 -+
20666 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20667 -+
20668 -+ retval = new_mode;
20669 -+
20670 -+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
20671 -+ new_mode |= GR_INHERIT;
20672 -+
20673 -+ if (!(mode & GR_NOLEARN))
20674 -+ gr_log_learn(current, dentry, mnt, new_mode);
20675 -+ }
20676 -+
20677 -+ return retval;
20678 -+}
20679 -+
20680 -+__u32
20681 -+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
20682 -+ const struct vfsmount * mnt, const __u32 mode)
20683 -+{
20684 -+ struct name_entry *match;
20685 -+ struct acl_object_label *matchpo;
20686 -+ struct acl_subject_label *curracl;
20687 -+ char *path;
20688 -+ __u32 retval;
20689 -+
20690 -+ if (unlikely(!(gr_status & GR_READY)))
20691 -+ return (mode & ~GR_AUDITS);
20692 -+
20693 -+ preempt_disable();
20694 -+ path = gr_to_filename_rbac(new_dentry, mnt);
20695 -+ match = lookup_name_entry_create(path);
20696 -+
20697 -+ if (!match)
20698 -+ goto check_parent;
20699 -+
20700 -+ curracl = current->acl;
20701 -+
20702 -+ read_lock(&gr_inode_lock);
20703 -+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
20704 -+ read_unlock(&gr_inode_lock);
20705 -+
20706 -+ if (matchpo) {
20707 -+ if ((matchpo->mode & mode) !=
20708 -+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
20709 -+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20710 -+ __u32 new_mode = mode;
20711 -+
20712 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20713 -+
20714 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
20715 -+
20716 -+ preempt_enable();
20717 -+ return new_mode;
20718 -+ }
20719 -+ preempt_enable();
20720 -+ return (matchpo->mode & mode);
20721 -+ }
20722 -+
20723 -+ check_parent:
20724 -+ curracl = current->acl;
20725 -+
20726 -+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
20727 -+ retval = matchpo->mode & mode;
20728 -+
20729 -+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
20730 -+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
20731 -+ __u32 new_mode = mode;
20732 -+
20733 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20734 -+
20735 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
20736 -+ preempt_enable();
20737 -+ return new_mode;
20738 -+ }
20739 -+
20740 -+ preempt_enable();
20741 -+ return retval;
20742 -+}
20743 -+
20744 -+int
20745 -+gr_check_hidden_task(const struct task_struct *task)
20746 -+{
20747 -+ if (unlikely(!(gr_status & GR_READY)))
20748 -+ return 0;
20749 -+
20750 -+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
20751 -+ return 1;
20752 -+
20753 -+ return 0;
20754 -+}
20755 -+
20756 -+int
20757 -+gr_check_protected_task(const struct task_struct *task)
20758 -+{
20759 -+ if (unlikely(!(gr_status & GR_READY) || !task))
20760 -+ return 0;
20761 -+
20762 -+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
20763 -+ task->acl != current->acl)
20764 -+ return 1;
20765 -+
20766 -+ return 0;
20767 -+}
20768 -+
20769 -+void
20770 -+gr_copy_label(struct task_struct *tsk)
20771 -+{
20772 -+ tsk->signal->used_accept = 0;
20773 -+ tsk->acl_sp_role = 0;
20774 -+ tsk->acl_role_id = current->acl_role_id;
20775 -+ tsk->acl = current->acl;
20776 -+ tsk->role = current->role;
20777 -+ tsk->signal->curr_ip = current->signal->curr_ip;
20778 -+ if (current->exec_file)
20779 -+ get_file(current->exec_file);
20780 -+ tsk->exec_file = current->exec_file;
20781 -+ tsk->is_writable = current->is_writable;
20782 -+ if (unlikely(current->signal->used_accept))
20783 -+ current->signal->curr_ip = 0;
20784 -+
20785 -+ return;
20786 -+}
20787 -+
20788 -+static void
20789 -+gr_set_proc_res(struct task_struct *task)
20790 -+{
20791 -+ struct acl_subject_label *proc;
20792 -+ unsigned short i;
20793 -+
20794 -+ proc = task->acl;
20795 -+
20796 -+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
20797 -+ return;
20798 -+
20799 -+ for (i = 0; i < (GR_NLIMITS - 1); i++) {
20800 -+ if (!(proc->resmask & (1 << i)))
20801 -+ continue;
20802 -+
20803 -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
20804 -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
20805 -+ }
20806 -+
20807 -+ return;
20808 -+}
20809 -+
20810 -+int
20811 -+gr_check_user_change(int real, int effective, int fs)
20812 -+{
20813 -+ unsigned int i;
20814 -+ __u16 num;
20815 -+ uid_t *uidlist;
20816 -+ int curuid;
20817 -+ int realok = 0;
20818 -+ int effectiveok = 0;
20819 -+ int fsok = 0;
20820 -+
20821 -+ if (unlikely(!(gr_status & GR_READY)))
20822 -+ return 0;
20823 -+
20824 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20825 -+ gr_log_learn_id_change(current, 'u', real, effective, fs);
20826 -+
20827 -+ num = current->acl->user_trans_num;
20828 -+ uidlist = current->acl->user_transitions;
20829 -+
20830 -+ if (uidlist == NULL)
20831 -+ return 0;
20832 -+
20833 -+ if (real == -1)
20834 -+ realok = 1;
20835 -+ if (effective == -1)
20836 -+ effectiveok = 1;
20837 -+ if (fs == -1)
20838 -+ fsok = 1;
20839 -+
20840 -+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
20841 -+ for (i = 0; i < num; i++) {
20842 -+ curuid = (int)uidlist[i];
20843 -+ if (real == curuid)
20844 -+ realok = 1;
20845 -+ if (effective == curuid)
20846 -+ effectiveok = 1;
20847 -+ if (fs == curuid)
20848 -+ fsok = 1;
20849 -+ }
20850 -+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
20851 -+ for (i = 0; i < num; i++) {
20852 -+ curuid = (int)uidlist[i];
20853 -+ if (real == curuid)
20854 -+ break;
20855 -+ if (effective == curuid)
20856 -+ break;
20857 -+ if (fs == curuid)
20858 -+ break;
20859 -+ }
20860 -+ /* not in deny list */
20861 -+ if (i == num) {
20862 -+ realok = 1;
20863 -+ effectiveok = 1;
20864 -+ fsok = 1;
20865 -+ }
20866 -+ }
20867 -+
20868 -+ if (realok && effectiveok && fsok)
20869 -+ return 0;
20870 -+ else {
20871 -+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20872 -+ return 1;
20873 -+ }
20874 -+}
20875 -+
20876 -+int
20877 -+gr_check_group_change(int real, int effective, int fs)
20878 -+{
20879 -+ unsigned int i;
20880 -+ __u16 num;
20881 -+ gid_t *gidlist;
20882 -+ int curgid;
20883 -+ int realok = 0;
20884 -+ int effectiveok = 0;
20885 -+ int fsok = 0;
20886 -+
20887 -+ if (unlikely(!(gr_status & GR_READY)))
20888 -+ return 0;
20889 -+
20890 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20891 -+ gr_log_learn_id_change(current, 'g', real, effective, fs);
20892 -+
20893 -+ num = current->acl->group_trans_num;
20894 -+ gidlist = current->acl->group_transitions;
20895 -+
20896 -+ if (gidlist == NULL)
20897 -+ return 0;
20898 -+
20899 -+ if (real == -1)
20900 -+ realok = 1;
20901 -+ if (effective == -1)
20902 -+ effectiveok = 1;
20903 -+ if (fs == -1)
20904 -+ fsok = 1;
20905 -+
20906 -+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
20907 -+ for (i = 0; i < num; i++) {
20908 -+ curgid = (int)gidlist[i];
20909 -+ if (real == curgid)
20910 -+ realok = 1;
20911 -+ if (effective == curgid)
20912 -+ effectiveok = 1;
20913 -+ if (fs == curgid)
20914 -+ fsok = 1;
20915 -+ }
20916 -+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
20917 -+ for (i = 0; i < num; i++) {
20918 -+ curgid = (int)gidlist[i];
20919 -+ if (real == curgid)
20920 -+ break;
20921 -+ if (effective == curgid)
20922 -+ break;
20923 -+ if (fs == curgid)
20924 -+ break;
20925 -+ }
20926 -+ /* not in deny list */
20927 -+ if (i == num) {
20928 -+ realok = 1;
20929 -+ effectiveok = 1;
20930 -+ fsok = 1;
20931 -+ }
20932 -+ }
20933 -+
20934 -+ if (realok && effectiveok && fsok)
20935 -+ return 0;
20936 -+ else {
20937 -+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20938 -+ return 1;
20939 -+ }
20940 -+}
20941 -+
20942 -+void
20943 -+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
20944 -+{
20945 -+ struct acl_role_label *role = task->role;
20946 -+ struct acl_subject_label *subj = NULL;
20947 -+ struct acl_object_label *obj;
20948 -+ struct file *filp;
20949 -+
20950 -+ if (unlikely(!(gr_status & GR_READY)))
20951 -+ return;
20952 -+
20953 -+ filp = task->exec_file;
20954 -+
20955 -+ /* kernel process, we'll give them the kernel role */
20956 -+ if (unlikely(!filp)) {
20957 -+ task->role = kernel_role;
20958 -+ task->acl = kernel_role->root_label;
20959 -+ return;
20960 -+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
20961 -+ role = lookup_acl_role_label(task, uid, gid);
20962 -+
20963 -+ /* perform subject lookup in possibly new role
20964 -+ we can use this result below in the case where role == task->role
20965 -+ */
20966 -+ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
20967 -+
20968 -+ /* if we changed uid/gid, but result in the same role
20969 -+ and are using inheritance, don't lose the inherited subject
20970 -+ if current subject is other than what normal lookup
20971 -+ would result in, we arrived via inheritance, don't
20972 -+ lose subject
20973 -+ */
20974 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
20975 -+ (subj == task->acl)))
20976 -+ task->acl = subj;
20977 -+
20978 -+ task->role = role;
20979 -+
20980 -+ task->is_writable = 0;
20981 -+
20982 -+ /* ignore additional mmap checks for processes that are writable
20983 -+ by the default ACL */
20984 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20985 -+ if (unlikely(obj->mode & GR_WRITE))
20986 -+ task->is_writable = 1;
20987 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
20988 -+ if (unlikely(obj->mode & GR_WRITE))
20989 -+ task->is_writable = 1;
20990 -+
20991 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20992 -+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20993 -+#endif
20994 -+
20995 -+ gr_set_proc_res(task);
20996 -+
20997 -+ return;
20998 -+}
20999 -+
21000 -+int
21001 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
21002 -+{
21003 -+ struct task_struct *task = current;
21004 -+ struct acl_subject_label *newacl;
21005 -+ struct acl_object_label *obj;
21006 -+ __u32 retmode;
21007 -+
21008 -+ if (unlikely(!(gr_status & GR_READY)))
21009 -+ return 0;
21010 -+
21011 -+ newacl = chk_subj_label(dentry, mnt, task->role);
21012 -+
21013 -+ task_lock(task);
21014 -+ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
21015 -+ GR_POVERRIDE) && (task->acl != newacl) &&
21016 -+ !(task->role->roletype & GR_ROLE_GOD) &&
21017 -+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
21018 -+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
21019 -+ (atomic_read(&task->fs->count) > 1 ||
21020 -+ atomic_read(&task->files->count) > 1 ||
21021 -+ atomic_read(&task->sighand->count) > 1)) {
21022 -+ task_unlock(task);
21023 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
21024 -+ return -EACCES;
21025 -+ }
21026 -+ task_unlock(task);
21027 -+
21028 -+ obj = chk_obj_label(dentry, mnt, task->acl);
21029 -+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
21030 -+
21031 -+ if (!(task->acl->mode & GR_INHERITLEARN) &&
21032 -+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
21033 -+ if (obj->nested)
21034 -+ task->acl = obj->nested;
21035 -+ else
21036 -+ task->acl = newacl;
21037 -+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
21038 -+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
21039 -+
21040 -+ task->is_writable = 0;
21041 -+
21042 -+ /* ignore additional mmap checks for processes that are writable
21043 -+ by the default ACL */
21044 -+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
21045 -+ if (unlikely(obj->mode & GR_WRITE))
21046 -+ task->is_writable = 1;
21047 -+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
21048 -+ if (unlikely(obj->mode & GR_WRITE))
21049 -+ task->is_writable = 1;
21050 -+
21051 -+ gr_set_proc_res(task);
21052 -+
21053 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21054 -+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21055 -+#endif
21056 -+ return 0;
21057 -+}
21058 -+
21059 -+/* always called with valid inodev ptr */
21060 -+static void
21061 -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
21062 -+{
21063 -+ struct acl_object_label *matchpo;
21064 -+ struct acl_subject_label *matchps;
21065 -+ struct acl_subject_label *subj;
21066 -+ struct acl_role_label *role;
21067 -+ unsigned int i, x;
21068 -+
21069 -+ FOR_EACH_ROLE_START(role, i)
21070 -+ FOR_EACH_SUBJECT_START(role, subj, x)
21071 -+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
21072 -+ matchpo->mode |= GR_DELETED;
21073 -+ FOR_EACH_SUBJECT_END(subj,x)
21074 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
21075 -+ if (subj->inode == ino && subj->device == dev)
21076 -+ subj->mode |= GR_DELETED;
21077 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
21078 -+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
21079 -+ matchps->mode |= GR_DELETED;
21080 -+ FOR_EACH_ROLE_END(role,i)
21081 -+
21082 -+ inodev->nentry->deleted = 1;
21083 -+
21084 -+ return;
21085 -+}
21086 -+
21087 -+void
21088 -+gr_handle_delete(const ino_t ino, const dev_t dev)
21089 -+{
21090 -+ struct inodev_entry *inodev;
21091 -+
21092 -+ if (unlikely(!(gr_status & GR_READY)))
21093 -+ return;
21094 -+
21095 -+ write_lock(&gr_inode_lock);
21096 -+ inodev = lookup_inodev_entry(ino, dev);
21097 -+ if (inodev != NULL)
21098 -+ do_handle_delete(inodev, ino, dev);
21099 -+ write_unlock(&gr_inode_lock);
21100 -+
21101 -+ return;
21102 -+}
21103 -+
21104 -+static void
21105 -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
21106 -+ const ino_t newinode, const dev_t newdevice,
21107 -+ struct acl_subject_label *subj)
21108 -+{
21109 -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
21110 -+ struct acl_object_label *match;
21111 -+
21112 -+ match = subj->obj_hash[index];
21113 -+
21114 -+ while (match && (match->inode != oldinode ||
21115 -+ match->device != olddevice ||
21116 -+ !(match->mode & GR_DELETED)))
21117 -+ match = match->next;
21118 -+
21119 -+ if (match && (match->inode == oldinode)
21120 -+ && (match->device == olddevice)
21121 -+ && (match->mode & GR_DELETED)) {
21122 -+ if (match->prev == NULL) {
21123 -+ subj->obj_hash[index] = match->next;
21124 -+ if (match->next != NULL)
21125 -+ match->next->prev = NULL;
21126 -+ } else {
21127 -+ match->prev->next = match->next;
21128 -+ if (match->next != NULL)
21129 -+ match->next->prev = match->prev;
21130 -+ }
21131 -+ match->prev = NULL;
21132 -+ match->next = NULL;
21133 -+ match->inode = newinode;
21134 -+ match->device = newdevice;
21135 -+ match->mode &= ~GR_DELETED;
21136 -+
21137 -+ insert_acl_obj_label(match, subj);
21138 -+ }
21139 -+
21140 -+ return;
21141 -+}
21142 -+
21143 -+static void
21144 -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
21145 -+ const ino_t newinode, const dev_t newdevice,
21146 -+ struct acl_role_label *role)
21147 -+{
21148 -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
21149 -+ struct acl_subject_label *match;
21150 -+
21151 -+ match = role->subj_hash[index];
21152 -+
21153 -+ while (match && (match->inode != oldinode ||
21154 -+ match->device != olddevice ||
21155 -+ !(match->mode & GR_DELETED)))
21156 -+ match = match->next;
21157 -+
21158 -+ if (match && (match->inode == oldinode)
21159 -+ && (match->device == olddevice)
21160 -+ && (match->mode & GR_DELETED)) {
21161 -+ if (match->prev == NULL) {
21162 -+ role->subj_hash[index] = match->next;
21163 -+ if (match->next != NULL)
21164 -+ match->next->prev = NULL;
21165 -+ } else {
21166 -+ match->prev->next = match->next;
21167 -+ if (match->next != NULL)
21168 -+ match->next->prev = match->prev;
21169 -+ }
21170 -+ match->prev = NULL;
21171 -+ match->next = NULL;
21172 -+ match->inode = newinode;
21173 -+ match->device = newdevice;
21174 -+ match->mode &= ~GR_DELETED;
21175 -+
21176 -+ insert_acl_subj_label(match, role);
21177 -+ }
21178 -+
21179 -+ return;
21180 -+}
21181 -+
21182 -+static void
21183 -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
21184 -+ const ino_t newinode, const dev_t newdevice)
21185 -+{
21186 -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
21187 -+ struct inodev_entry *match;
21188 -+
21189 -+ match = inodev_set.i_hash[index];
21190 -+
21191 -+ while (match && (match->nentry->inode != oldinode ||
21192 -+ match->nentry->device != olddevice || !match->nentry->deleted))
21193 -+ match = match->next;
21194 -+
21195 -+ if (match && (match->nentry->inode == oldinode)
21196 -+ && (match->nentry->device == olddevice) &&
21197 -+ match->nentry->deleted) {
21198 -+ if (match->prev == NULL) {
21199 -+ inodev_set.i_hash[index] = match->next;
21200 -+ if (match->next != NULL)
21201 -+ match->next->prev = NULL;
21202 -+ } else {
21203 -+ match->prev->next = match->next;
21204 -+ if (match->next != NULL)
21205 -+ match->next->prev = match->prev;
21206 -+ }
21207 -+ match->prev = NULL;
21208 -+ match->next = NULL;
21209 -+ match->nentry->inode = newinode;
21210 -+ match->nentry->device = newdevice;
21211 -+ match->nentry->deleted = 0;
21212 -+
21213 -+ insert_inodev_entry(match);
21214 -+ }
21215 -+
21216 -+ return;
21217 -+}
21218 -+
21219 -+static void
21220 -+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
21221 -+ const struct vfsmount *mnt)
21222 -+{
21223 -+ struct acl_subject_label *subj;
21224 -+ struct acl_role_label *role;
21225 -+ unsigned int i, x;
21226 -+
21227 -+ FOR_EACH_ROLE_START(role, i)
21228 -+ update_acl_subj_label(matchn->inode, matchn->device,
21229 -+ dentry->d_inode->i_ino,
21230 -+ dentry->d_inode->i_sb->s_dev, role);
21231 -+
21232 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
21233 -+ if ((subj->inode == dentry->d_inode->i_ino) &&
21234 -+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
21235 -+ subj->inode = dentry->d_inode->i_ino;
21236 -+ subj->device = dentry->d_inode->i_sb->s_dev;
21237 -+ }
21238 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
21239 -+ FOR_EACH_SUBJECT_START(role, subj, x)
21240 -+ update_acl_obj_label(matchn->inode, matchn->device,
21241 -+ dentry->d_inode->i_ino,
21242 -+ dentry->d_inode->i_sb->s_dev, subj);
21243 -+ FOR_EACH_SUBJECT_END(subj,x)
21244 -+ FOR_EACH_ROLE_END(role,i)
21245 -+
21246 -+ update_inodev_entry(matchn->inode, matchn->device,
21247 -+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
21248 -+
21249 -+ return;
21250 -+}
21251 -+
21252 -+void
21253 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
21254 -+{
21255 -+ struct name_entry *matchn;
21256 -+
21257 -+ if (unlikely(!(gr_status & GR_READY)))
21258 -+ return;
21259 -+
21260 -+ preempt_disable();
21261 -+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
21262 -+
21263 -+ if (unlikely((unsigned long)matchn)) {
21264 -+ write_lock(&gr_inode_lock);
21265 -+ do_handle_create(matchn, dentry, mnt);
21266 -+ write_unlock(&gr_inode_lock);
21267 -+ }
21268 -+ preempt_enable();
21269 -+
21270 -+ return;
21271 -+}
21272 -+
21273 -+void
21274 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
21275 -+ struct dentry *old_dentry,
21276 -+ struct dentry *new_dentry,
21277 -+ struct vfsmount *mnt, const __u8 replace)
21278 -+{
21279 -+ struct name_entry *matchn;
21280 -+ struct inodev_entry *inodev;
21281 -+
21282 -+ /* vfs_rename swaps the name and parent link for old_dentry and
21283 -+ new_dentry
21284 -+ at this point, old_dentry has the new name, parent link, and inode
21285 -+ for the renamed file
21286 -+ if a file is being replaced by a rename, new_dentry has the inode
21287 -+ and name for the replaced file
21288 -+ */
21289 -+
21290 -+ if (unlikely(!(gr_status & GR_READY)))
21291 -+ return;
21292 -+
21293 -+ preempt_disable();
21294 -+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
21295 -+
21296 -+ /* we wouldn't have to check d_inode if it weren't for
21297 -+ NFS silly-renaming
21298 -+ */
21299 -+
21300 -+ write_lock(&gr_inode_lock);
21301 -+ if (unlikely(replace && new_dentry->d_inode)) {
21302 -+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
21303 -+ new_dentry->d_inode->i_sb->s_dev);
21304 -+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
21305 -+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
21306 -+ new_dentry->d_inode->i_sb->s_dev);
21307 -+ }
21308 -+
21309 -+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
21310 -+ old_dentry->d_inode->i_sb->s_dev);
21311 -+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
21312 -+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
21313 -+ old_dentry->d_inode->i_sb->s_dev);
21314 -+
21315 -+ if (unlikely((unsigned long)matchn))
21316 -+ do_handle_create(matchn, old_dentry, mnt);
21317 -+
21318 -+ write_unlock(&gr_inode_lock);
21319 -+ preempt_enable();
21320 -+
21321 -+ return;
21322 -+}
21323 -+
21324 -+static int
21325 -+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
21326 -+ unsigned char **sum)
21327 -+{
21328 -+ struct acl_role_label *r;
21329 -+ struct role_allowed_ip *ipp;
21330 -+ struct role_transition *trans;
21331 -+ unsigned int i;
21332 -+ int found = 0;
21333 -+
21334 -+ /* check transition table */
21335 -+
21336 -+ for (trans = current->role->transitions; trans; trans = trans->next) {
21337 -+ if (!strcmp(rolename, trans->rolename)) {
21338 -+ found = 1;
21339 -+ break;
21340 -+ }
21341 -+ }
21342 -+
21343 -+ if (!found)
21344 -+ return 0;
21345 -+
21346 -+ /* handle special roles that do not require authentication
21347 -+ and check ip */
21348 -+
21349 -+ FOR_EACH_ROLE_START(r, i)
21350 -+ if (!strcmp(rolename, r->rolename) &&
21351 -+ (r->roletype & GR_ROLE_SPECIAL)) {
21352 -+ found = 0;
21353 -+ if (r->allowed_ips != NULL) {
21354 -+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
21355 -+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
21356 -+ (ntohl(ipp->addr) & ipp->netmask))
21357 -+ found = 1;
21358 -+ }
21359 -+ } else
21360 -+ found = 2;
21361 -+ if (!found)
21362 -+ return 0;
21363 -+
21364 -+ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
21365 -+ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
21366 -+ *salt = NULL;
21367 -+ *sum = NULL;
21368 -+ return 1;
21369 -+ }
21370 -+ }
21371 -+ FOR_EACH_ROLE_END(r,i)
21372 -+
21373 -+ for (i = 0; i < num_sprole_pws; i++) {
21374 -+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
21375 -+ *salt = acl_special_roles[i]->salt;
21376 -+ *sum = acl_special_roles[i]->sum;
21377 -+ return 1;
21378 -+ }
21379 -+ }
21380 -+
21381 -+ return 0;
21382 -+}
21383 -+
21384 -+static void
21385 -+assign_special_role(char *rolename)
21386 -+{
21387 -+ struct acl_object_label *obj;
21388 -+ struct acl_role_label *r;
21389 -+ struct acl_role_label *assigned = NULL;
21390 -+ struct task_struct *tsk;
21391 -+ struct file *filp;
21392 -+ unsigned int i;
21393 -+
21394 -+ FOR_EACH_ROLE_START(r, i)
21395 -+ if (!strcmp(rolename, r->rolename) &&
21396 -+ (r->roletype & GR_ROLE_SPECIAL))
21397 -+ assigned = r;
21398 -+ FOR_EACH_ROLE_END(r,i)
21399 -+
21400 -+ if (!assigned)
21401 -+ return;
21402 -+
21403 -+ read_lock(&tasklist_lock);
21404 -+ read_lock(&grsec_exec_file_lock);
21405 -+
21406 -+ tsk = current->parent;
21407 -+ if (tsk == NULL)
21408 -+ goto out_unlock;
21409 -+
21410 -+ filp = tsk->exec_file;
21411 -+ if (filp == NULL)
21412 -+ goto out_unlock;
21413 -+
21414 -+ tsk->is_writable = 0;
21415 -+
21416 -+ tsk->acl_sp_role = 1;
21417 -+ tsk->acl_role_id = ++acl_sp_role_value;
21418 -+ tsk->role = assigned;
21419 -+ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
21420 -+
21421 -+ /* ignore additional mmap checks for processes that are writable
21422 -+ by the default ACL */
21423 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21424 -+ if (unlikely(obj->mode & GR_WRITE))
21425 -+ tsk->is_writable = 1;
21426 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
21427 -+ if (unlikely(obj->mode & GR_WRITE))
21428 -+ tsk->is_writable = 1;
21429 -+
21430 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21431 -+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
21432 -+#endif
21433 -+
21434 -+out_unlock:
21435 -+ read_unlock(&grsec_exec_file_lock);
21436 -+ read_unlock(&tasklist_lock);
21437 -+ return;
21438 -+}
21439 -+
21440 -+int gr_check_secure_terminal(struct task_struct *task)
21441 -+{
21442 -+ struct task_struct *p, *p2, *p3;
21443 -+ struct files_struct *files;
21444 -+ struct fdtable *fdt;
21445 -+ struct file *our_file = NULL, *file;
21446 -+ int i;
21447 -+
21448 -+ if (task->signal->tty == NULL)
21449 -+ return 1;
21450 -+
21451 -+ files = get_files_struct(task);
21452 -+ if (files != NULL) {
21453 -+ rcu_read_lock();
21454 -+ fdt = files_fdtable(files);
21455 -+ for (i=0; i < fdt->max_fds; i++) {
21456 -+ file = fcheck_files(files, i);
21457 -+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
21458 -+ get_file(file);
21459 -+ our_file = file;
21460 -+ }
21461 -+ }
21462 -+ rcu_read_unlock();
21463 -+ put_files_struct(files);
21464 -+ }
21465 -+
21466 -+ if (our_file == NULL)
21467 -+ return 1;
21468 -+
21469 -+ read_lock(&tasklist_lock);
21470 -+ do_each_thread(p2, p) {
21471 -+ files = get_files_struct(p);
21472 -+ if (files == NULL ||
21473 -+ (p->signal && p->signal->tty == task->signal->tty)) {
21474 -+ if (files != NULL)
21475 -+ put_files_struct(files);
21476 -+ continue;
21477 -+ }
21478 -+ rcu_read_lock();
21479 -+ fdt = files_fdtable(files);
21480 -+ for (i=0; i < fdt->max_fds; i++) {
21481 -+ file = fcheck_files(files, i);
21482 -+ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
21483 -+ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
21484 -+ p3 = task;
21485 -+ while (p3->pid > 0) {
21486 -+ if (p3 == p)
21487 -+ break;
21488 -+ p3 = p3->parent;
21489 -+ }
21490 -+ if (p3 == p)
21491 -+ break;
21492 -+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
21493 -+ gr_handle_alertkill(p);
21494 -+ rcu_read_unlock();
21495 -+ put_files_struct(files);
21496 -+ read_unlock(&tasklist_lock);
21497 -+ fput(our_file);
21498 -+ return 0;
21499 -+ }
21500 -+ }
21501 -+ rcu_read_unlock();
21502 -+ put_files_struct(files);
21503 -+ } while_each_thread(p2, p);
21504 -+ read_unlock(&tasklist_lock);
21505 -+
21506 -+ fput(our_file);
21507 -+ return 1;
21508 -+}
21509 -+
21510 -+ssize_t
21511 -+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
21512 -+{
21513 -+ struct gr_arg_wrapper uwrap;
21514 -+ unsigned char *sprole_salt;
21515 -+ unsigned char *sprole_sum;
21516 -+ int error = sizeof (struct gr_arg_wrapper);
21517 -+ int error2 = 0;
21518 -+
21519 -+ down(&gr_dev_sem);
21520 -+
21521 -+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
21522 -+ error = -EPERM;
21523 -+ goto out;
21524 -+ }
21525 -+
21526 -+ if (count != sizeof (struct gr_arg_wrapper)) {
21527 -+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
21528 -+ error = -EINVAL;
21529 -+ goto out;
21530 -+ }
21531 -+
21532 -+
21533 -+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
21534 -+ gr_auth_expires = 0;
21535 -+ gr_auth_attempts = 0;
21536 -+ }
21537 -+
21538 -+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
21539 -+ error = -EFAULT;
21540 -+ goto out;
21541 -+ }
21542 -+
21543 -+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
21544 -+ error = -EINVAL;
21545 -+ goto out;
21546 -+ }
21547 -+
21548 -+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
21549 -+ error = -EFAULT;
21550 -+ goto out;
21551 -+ }
21552 -+
21553 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
21554 -+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21555 -+ time_after(gr_auth_expires, get_seconds())) {
21556 -+ error = -EBUSY;
21557 -+ goto out;
21558 -+ }
21559 -+
21560 -+ /* if non-root trying to do anything other than use a special role,
21561 -+ do not attempt authentication, do not count towards authentication
21562 -+ locking
21563 -+ */
21564 -+
21565 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
21566 -+ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
21567 -+ current->uid) {
21568 -+ error = -EPERM;
21569 -+ goto out;
21570 -+ }
21571 -+
21572 -+ /* ensure pw and special role name are null terminated */
21573 -+
21574 -+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
21575 -+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
21576 -+
21577 -+ /* Okay.
21578 -+ * We have our enough of the argument structure..(we have yet
21579 -+ * to copy_from_user the tables themselves) . Copy the tables
21580 -+ * only if we need them, i.e. for loading operations. */
21581 -+
21582 -+ switch (gr_usermode->mode) {
21583 -+ case STATUS:
21584 -+ if (gr_status & GR_READY) {
21585 -+ error = 1;
21586 -+ if (!gr_check_secure_terminal(current))
21587 -+ error = 3;
21588 -+ } else
21589 -+ error = 2;
21590 -+ goto out;
21591 -+ case SHUTDOWN:
21592 -+ if ((gr_status & GR_READY)
21593 -+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21594 -+ gr_status &= ~GR_READY;
21595 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
21596 -+ free_variables();
21597 -+ memset(gr_usermode, 0, sizeof (struct gr_arg));
21598 -+ memset(gr_system_salt, 0, GR_SALT_LEN);
21599 -+ memset(gr_system_sum, 0, GR_SHA_LEN);
21600 -+ } else if (gr_status & GR_READY) {
21601 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
21602 -+ error = -EPERM;
21603 -+ } else {
21604 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
21605 -+ error = -EAGAIN;
21606 -+ }
21607 -+ break;
21608 -+ case ENABLE:
21609 -+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
21610 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
21611 -+ else {
21612 -+ if (gr_status & GR_READY)
21613 -+ error = -EAGAIN;
21614 -+ else
21615 -+ error = error2;
21616 -+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
21617 -+ }
21618 -+ break;
21619 -+ case RELOAD:
21620 -+ if (!(gr_status & GR_READY)) {
21621 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
21622 -+ error = -EAGAIN;
21623 -+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21624 -+ lock_kernel();
21625 -+ gr_status &= ~GR_READY;
21626 -+ free_variables();
21627 -+ if (!(error2 = gracl_init(gr_usermode))) {
21628 -+ unlock_kernel();
21629 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
21630 -+ } else {
21631 -+ unlock_kernel();
21632 -+ error = error2;
21633 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21634 -+ }
21635 -+ } else {
21636 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21637 -+ error = -EPERM;
21638 -+ }
21639 -+ break;
21640 -+ case SEGVMOD:
21641 -+ if (unlikely(!(gr_status & GR_READY))) {
21642 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
21643 -+ error = -EAGAIN;
21644 -+ break;
21645 -+ }
21646 -+
21647 -+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21648 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
21649 -+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
21650 -+ struct acl_subject_label *segvacl;
21651 -+ segvacl =
21652 -+ lookup_acl_subj_label(gr_usermode->segv_inode,
21653 -+ gr_usermode->segv_device,
21654 -+ current->role);
21655 -+ if (segvacl) {
21656 -+ segvacl->crashes = 0;
21657 -+ segvacl->expires = 0;
21658 -+ }
21659 -+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
21660 -+ gr_remove_uid(gr_usermode->segv_uid);
21661 -+ }
21662 -+ } else {
21663 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
21664 -+ error = -EPERM;
21665 -+ }
21666 -+ break;
21667 -+ case SPROLE:
21668 -+ case SPROLEPAM:
21669 -+ if (unlikely(!(gr_status & GR_READY))) {
21670 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
21671 -+ error = -EAGAIN;
21672 -+ break;
21673 -+ }
21674 -+
21675 -+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
21676 -+ current->role->expires = 0;
21677 -+ current->role->auth_attempts = 0;
21678 -+ }
21679 -+
21680 -+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21681 -+ time_after(current->role->expires, get_seconds())) {
21682 -+ error = -EBUSY;
21683 -+ goto out;
21684 -+ }
21685 -+
21686 -+ if (lookup_special_role_auth
21687 -+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
21688 -+ && ((!sprole_salt && !sprole_sum)
21689 -+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
21690 -+ char *p = "";
21691 -+ assign_special_role(gr_usermode->sp_role);
21692 -+ read_lock(&tasklist_lock);
21693 -+ if (current->parent)
21694 -+ p = current->parent->role->rolename;
21695 -+ read_unlock(&tasklist_lock);
21696 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
21697 -+ p, acl_sp_role_value);
21698 -+ } else {
21699 -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
21700 -+ error = -EPERM;
21701 -+ if(!(current->role->auth_attempts++))
21702 -+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21703 -+
21704 -+ goto out;
21705 -+ }
21706 -+ break;
21707 -+ case UNSPROLE:
21708 -+ if (unlikely(!(gr_status & GR_READY))) {
21709 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
21710 -+ error = -EAGAIN;
21711 -+ break;
21712 -+ }
21713 -+
21714 -+ if (current->role->roletype & GR_ROLE_SPECIAL) {
21715 -+ char *p = "";
21716 -+ int i = 0;
21717 -+
21718 -+ read_lock(&tasklist_lock);
21719 -+ if (current->parent) {
21720 -+ p = current->parent->role->rolename;
21721 -+ i = current->parent->acl_role_id;
21722 -+ }
21723 -+ read_unlock(&tasklist_lock);
21724 -+
21725 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
21726 -+ gr_set_acls(1);
21727 -+ } else {
21728 -+ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
21729 -+ error = -EPERM;
21730 -+ goto out;
21731 -+ }
21732 -+ break;
21733 -+ default:
21734 -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
21735 -+ error = -EINVAL;
21736 -+ break;
21737 -+ }
21738 -+
21739 -+ if (error != -EPERM)
21740 -+ goto out;
21741 -+
21742 -+ if(!(gr_auth_attempts++))
21743 -+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21744 -+
21745 -+ out:
21746 -+ up(&gr_dev_sem);
21747 -+ return error;
21748 -+}
21749 -+
21750 -+int
21751 -+gr_set_acls(const int type)
21752 -+{
21753 -+ struct acl_object_label *obj;
21754 -+ struct task_struct *task, *task2;
21755 -+ struct file *filp;
21756 -+ struct acl_role_label *role = current->role;
21757 -+ __u16 acl_role_id = current->acl_role_id;
21758 -+
21759 -+ read_lock(&tasklist_lock);
21760 -+ read_lock(&grsec_exec_file_lock);
21761 -+ do_each_thread(task2, task) {
21762 -+ /* check to see if we're called from the exit handler,
21763 -+ if so, only replace ACLs that have inherited the admin
21764 -+ ACL */
21765 -+
21766 -+ if (type && (task->role != role ||
21767 -+ task->acl_role_id != acl_role_id))
21768 -+ continue;
21769 -+
21770 -+ task->acl_role_id = 0;
21771 -+ task->acl_sp_role = 0;
21772 -+
21773 -+ if ((filp = task->exec_file)) {
21774 -+ task->role = lookup_acl_role_label(task, task->uid, task->gid);
21775 -+
21776 -+ task->acl =
21777 -+ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
21778 -+ task->role);
21779 -+ if (task->acl) {
21780 -+ struct acl_subject_label *curr;
21781 -+ curr = task->acl;
21782 -+
21783 -+ task->is_writable = 0;
21784 -+ /* ignore additional mmap checks for processes that are writable
21785 -+ by the default ACL */
21786 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21787 -+ if (unlikely(obj->mode & GR_WRITE))
21788 -+ task->is_writable = 1;
21789 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
21790 -+ if (unlikely(obj->mode & GR_WRITE))
21791 -+ task->is_writable = 1;
21792 -+
21793 -+ gr_set_proc_res(task);
21794 -+
21795 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21796 -+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21797 -+#endif
21798 -+ } else {
21799 -+ read_unlock(&grsec_exec_file_lock);
21800 -+ read_unlock(&tasklist_lock);
21801 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
21802 -+ return 1;
21803 -+ }
21804 -+ } else {
21805 -+ // it's a kernel process
21806 -+ task->role = kernel_role;
21807 -+ task->acl = kernel_role->root_label;
21808 -+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
21809 -+ task->acl->mode &= ~GR_PROCFIND;
21810 -+#endif
21811 -+ }
21812 -+ } while_each_thread(task2, task);
21813 -+ read_unlock(&grsec_exec_file_lock);
21814 -+ read_unlock(&tasklist_lock);
21815 -+ return 0;
21816 -+}
21817 -+
21818 -+void
21819 -+gr_learn_resource(const struct task_struct *task,
21820 -+ const int res, const unsigned long wanted, const int gt)
21821 -+{
21822 -+ struct acl_subject_label *acl;
21823 -+
21824 -+ if (unlikely((gr_status & GR_READY) &&
21825 -+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
21826 -+ goto skip_reslog;
21827 -+
21828 -+#ifdef CONFIG_GRKERNSEC_RESLOG
21829 -+ gr_log_resource(task, res, wanted, gt);
21830 -+#endif
21831 -+ skip_reslog:
21832 -+
21833 -+ if (unlikely(!(gr_status & GR_READY) || !wanted))
21834 -+ return;
21835 -+
21836 -+ acl = task->acl;
21837 -+
21838 -+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
21839 -+ !(acl->resmask & (1 << (unsigned short) res))))
21840 -+ return;
21841 -+
21842 -+ if (wanted >= acl->res[res].rlim_cur) {
21843 -+ unsigned long res_add;
21844 -+
21845 -+ res_add = wanted;
21846 -+ switch (res) {
21847 -+ case RLIMIT_CPU:
21848 -+ res_add += GR_RLIM_CPU_BUMP;
21849 -+ break;
21850 -+ case RLIMIT_FSIZE:
21851 -+ res_add += GR_RLIM_FSIZE_BUMP;
21852 -+ break;
21853 -+ case RLIMIT_DATA:
21854 -+ res_add += GR_RLIM_DATA_BUMP;
21855 -+ break;
21856 -+ case RLIMIT_STACK:
21857 -+ res_add += GR_RLIM_STACK_BUMP;
21858 -+ break;
21859 -+ case RLIMIT_CORE:
21860 -+ res_add += GR_RLIM_CORE_BUMP;
21861 -+ break;
21862 -+ case RLIMIT_RSS:
21863 -+ res_add += GR_RLIM_RSS_BUMP;
21864 -+ break;
21865 -+ case RLIMIT_NPROC:
21866 -+ res_add += GR_RLIM_NPROC_BUMP;
21867 -+ break;
21868 -+ case RLIMIT_NOFILE:
21869 -+ res_add += GR_RLIM_NOFILE_BUMP;
21870 -+ break;
21871 -+ case RLIMIT_MEMLOCK:
21872 -+ res_add += GR_RLIM_MEMLOCK_BUMP;
21873 -+ break;
21874 -+ case RLIMIT_AS:
21875 -+ res_add += GR_RLIM_AS_BUMP;
21876 -+ break;
21877 -+ case RLIMIT_LOCKS:
21878 -+ res_add += GR_RLIM_LOCKS_BUMP;
21879 -+ break;
21880 -+ }
21881 -+
21882 -+ acl->res[res].rlim_cur = res_add;
21883 -+
21884 -+ if (wanted > acl->res[res].rlim_max)
21885 -+ acl->res[res].rlim_max = res_add;
21886 -+
21887 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21888 -+ task->role->roletype, acl->filename,
21889 -+ acl->res[res].rlim_cur, acl->res[res].rlim_max,
21890 -+ "", (unsigned long) res);
21891 -+ }
21892 -+
21893 -+ return;
21894 -+}
21895 -+
21896 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
21897 -+void
21898 -+pax_set_initial_flags(struct linux_binprm *bprm)
21899 -+{
21900 -+ struct task_struct *task = current;
21901 -+ struct acl_subject_label *proc;
21902 -+ unsigned long flags;
21903 -+
21904 -+ if (unlikely(!(gr_status & GR_READY)))
21905 -+ return;
21906 -+
21907 -+ flags = pax_get_flags(task);
21908 -+
21909 -+ proc = task->acl;
21910 -+
21911 -+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
21912 -+ flags &= ~MF_PAX_PAGEEXEC;
21913 -+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
21914 -+ flags &= ~MF_PAX_SEGMEXEC;
21915 -+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
21916 -+ flags &= ~MF_PAX_RANDMMAP;
21917 -+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
21918 -+ flags &= ~MF_PAX_EMUTRAMP;
21919 -+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
21920 -+ flags &= ~MF_PAX_MPROTECT;
21921 -+
21922 -+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
21923 -+ flags |= MF_PAX_PAGEEXEC;
21924 -+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
21925 -+ flags |= MF_PAX_SEGMEXEC;
21926 -+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
21927 -+ flags |= MF_PAX_RANDMMAP;
21928 -+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
21929 -+ flags |= MF_PAX_EMUTRAMP;
21930 -+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
21931 -+ flags |= MF_PAX_MPROTECT;
21932 -+
21933 -+ pax_set_flags(task, flags);
21934 -+
21935 -+ return;
21936 -+}
21937 -+#endif
21938 -+
21939 -+#ifdef CONFIG_SYSCTL
21940 -+/* Eric Biederman likes breaking userland ABI and every inode-based security
21941 -+ system to save 35kb of memory */
21942 -+
21943 -+/* we modify the passed in filename, but adjust it back before returning */
21944 -+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
21945 -+{
21946 -+ struct name_entry *nmatch;
21947 -+ char *p, *lastp = NULL;
21948 -+ struct acl_object_label *obj = NULL, *tmp;
21949 -+ struct acl_subject_label *tmpsubj;
21950 -+ char c = '\0';
21951 -+
21952 -+ read_lock(&gr_inode_lock);
21953 -+
21954 -+ p = name + len - 1;
21955 -+ do {
21956 -+ nmatch = lookup_name_entry(name);
21957 -+ if (lastp != NULL)
21958 -+ *lastp = c;
21959 -+
21960 -+ if (nmatch == NULL)
21961 -+ goto next_component;
21962 -+ tmpsubj = current->acl;
21963 -+ do {
21964 -+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
21965 -+ if (obj != NULL) {
21966 -+ tmp = obj->globbed;
21967 -+ while (tmp) {
21968 -+ if (!glob_match(tmp->filename, name)) {
21969 -+ obj = tmp;
21970 -+ goto found_obj;
21971 -+ }
21972 -+ tmp = tmp->next;
21973 -+ }
21974 -+ goto found_obj;
21975 -+ }
21976 -+ } while ((tmpsubj = tmpsubj->parent_subject));
21977 -+next_component:
21978 -+ /* end case */
21979 -+ if (p == name)
21980 -+ break;
21981 -+
21982 -+ while (*p != '/')
21983 -+ p--;
21984 -+ if (p == name)
21985 -+ lastp = p + 1;
21986 -+ else {
21987 -+ lastp = p;
21988 -+ p--;
21989 -+ }
21990 -+ c = *lastp;
21991 -+ *lastp = '\0';
21992 -+ } while (1);
21993 -+found_obj:
21994 -+ read_unlock(&gr_inode_lock);
21995 -+ /* obj returned will always be non-null */
21996 -+ return obj;
21997 -+}
21998 -+
21999 -+/* returns 0 when allowing, non-zero on error
22000 -+ op of 0 is used for readdir, so we don't log the names of hidden files
22001 -+*/
22002 -+__u32
22003 -+gr_handle_sysctl(const struct ctl_table *table, const int op)
22004 -+{
22005 -+ ctl_table *tmp;
22006 -+ const char *proc_sys = "/proc/sys";
22007 -+ char *path;
22008 -+ struct acl_object_label *obj;
22009 -+ unsigned short len = 0, pos = 0, depth = 0, i;
22010 -+ __u32 err = 0;
22011 -+ __u32 mode = 0;
22012 -+
22013 -+ if (unlikely(!(gr_status & GR_READY)))
22014 -+ return 0;
22015 -+
22016 -+ /* for now, ignore operations on non-sysctl entries if it's not a
22017 -+ readdir*/
22018 -+ if (table->child != NULL && op != 0)
22019 -+ return 0;
22020 -+
22021 -+ mode |= GR_FIND;
22022 -+ /* it's only a read if it's an entry, read on dirs is for readdir */
22023 -+ if (op & 004)
22024 -+ mode |= GR_READ;
22025 -+ if (op & 002)
22026 -+ mode |= GR_WRITE;
22027 -+
22028 -+ preempt_disable();
22029 -+
22030 -+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
22031 -+
22032 -+ /* it's only a read/write if it's an actual entry, not a dir
22033 -+ (which are opened for readdir)
22034 -+ */
22035 -+
22036 -+ /* convert the requested sysctl entry into a pathname */
22037 -+
22038 -+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
22039 -+ len += strlen(tmp->procname);
22040 -+ len++;
22041 -+ depth++;
22042 -+ }
22043 -+
22044 -+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
22045 -+ /* deny */
22046 -+ goto out;
22047 -+ }
22048 -+
22049 -+ memset(path, 0, PAGE_SIZE);
22050 -+
22051 -+ memcpy(path, proc_sys, strlen(proc_sys));
22052 -+
22053 -+ pos += strlen(proc_sys);
22054 -+
22055 -+ for (; depth > 0; depth--) {
22056 -+ path[pos] = '/';
22057 -+ pos++;
22058 -+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
22059 -+ if (depth == i) {
22060 -+ memcpy(path + pos, tmp->procname,
22061 -+ strlen(tmp->procname));
22062 -+ pos += strlen(tmp->procname);
22063 -+ }
22064 -+ i++;
22065 -+ }
22066 -+ }
22067 -+
22068 -+ obj = gr_lookup_by_name(path, pos);
22069 -+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
22070 -+
22071 -+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
22072 -+ ((err & mode) != mode))) {
22073 -+ __u32 new_mode = mode;
22074 -+
22075 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
22076 -+
22077 -+ err = 0;
22078 -+ gr_log_learn_sysctl(current, path, new_mode);
22079 -+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
22080 -+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
22081 -+ err = -ENOENT;
22082 -+ } else if (!(err & GR_FIND)) {
22083 -+ err = -ENOENT;
22084 -+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
22085 -+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
22086 -+ path, (mode & GR_READ) ? " reading" : "",
22087 -+ (mode & GR_WRITE) ? " writing" : "");
22088 -+ err = -EACCES;
22089 -+ } else if ((err & mode) != mode) {
22090 -+ err = -EACCES;
22091 -+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
22092 -+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
22093 -+ path, (mode & GR_READ) ? " reading" : "",
22094 -+ (mode & GR_WRITE) ? " writing" : "");
22095 -+ err = 0;
22096 -+ } else
22097 -+ err = 0;
22098 -+
22099 -+ out:
22100 -+ preempt_enable();
22101 -+
22102 -+ return err;
22103 -+}
22104 -+#endif
22105 -+
22106 -+int
22107 -+gr_handle_proc_ptrace(struct task_struct *task)
22108 -+{
22109 -+ struct file *filp;
22110 -+ struct task_struct *tmp = task;
22111 -+ struct task_struct *curtemp = current;
22112 -+ __u32 retmode;
22113 -+
22114 -+ if (unlikely(!(gr_status & GR_READY)))
22115 -+ return 0;
22116 -+
22117 -+ read_lock(&tasklist_lock);
22118 -+ read_lock(&grsec_exec_file_lock);
22119 -+ filp = task->exec_file;
22120 -+
22121 -+ while (tmp->pid > 0) {
22122 -+ if (tmp == curtemp)
22123 -+ break;
22124 -+ tmp = tmp->parent;
22125 -+ }
22126 -+
22127 -+ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
22128 -+ read_unlock(&grsec_exec_file_lock);
22129 -+ read_unlock(&tasklist_lock);
22130 -+ return 1;
22131 -+ }
22132 -+
22133 -+ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
22134 -+ read_unlock(&grsec_exec_file_lock);
22135 -+ read_unlock(&tasklist_lock);
22136 -+
22137 -+ if (retmode & GR_NOPTRACE)
22138 -+ return 1;
22139 -+
22140 -+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
22141 -+ && (current->acl != task->acl || (current->acl != current->role->root_label
22142 -+ && current->pid != task->pid)))
22143 -+ return 1;
22144 -+
22145 -+ return 0;
22146 -+}
22147 -+
22148 -+int
22149 -+gr_handle_ptrace(struct task_struct *task, const long request)
22150 -+{
22151 -+ struct task_struct *tmp = task;
22152 -+ struct task_struct *curtemp = current;
22153 -+ __u32 retmode;
22154 -+
22155 -+ if (unlikely(!(gr_status & GR_READY)))
22156 -+ return 0;
22157 -+
22158 -+ read_lock(&tasklist_lock);
22159 -+ while (tmp->pid > 0) {
22160 -+ if (tmp == curtemp)
22161 -+ break;
22162 -+ tmp = tmp->parent;
22163 -+ }
22164 -+
22165 -+ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
22166 -+ read_unlock(&tasklist_lock);
22167 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22168 -+ return 1;
22169 -+ }
22170 -+ read_unlock(&tasklist_lock);
22171 -+
22172 -+ read_lock(&grsec_exec_file_lock);
22173 -+ if (unlikely(!task->exec_file)) {
22174 -+ read_unlock(&grsec_exec_file_lock);
22175 -+ return 0;
22176 -+ }
22177 -+
22178 -+ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
22179 -+ read_unlock(&grsec_exec_file_lock);
22180 -+
22181 -+ if (retmode & GR_NOPTRACE) {
22182 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22183 -+ return 1;
22184 -+ }
22185 -+
22186 -+ if (retmode & GR_PTRACERD) {
22187 -+ switch (request) {
22188 -+ case PTRACE_POKETEXT:
22189 -+ case PTRACE_POKEDATA:
22190 -+ case PTRACE_POKEUSR:
22191 -+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
22192 -+ case PTRACE_SETREGS:
22193 -+ case PTRACE_SETFPREGS:
22194 -+#endif
22195 -+#ifdef CONFIG_X86
22196 -+ case PTRACE_SETFPXREGS:
22197 -+#endif
22198 -+#ifdef CONFIG_ALTIVEC
22199 -+ case PTRACE_SETVRREGS:
22200 -+#endif
22201 -+ return 1;
22202 -+ default:
22203 -+ return 0;
22204 -+ }
22205 -+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
22206 -+ !(current->role->roletype & GR_ROLE_GOD) &&
22207 -+ (current->acl != task->acl)) {
22208 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
22209 -+ return 1;
22210 -+ }
22211 -+
22212 -+ return 0;
22213 -+}
22214 -+
22215 -+static int is_writable_mmap(const struct file *filp)
22216 -+{
22217 -+ struct task_struct *task = current;
22218 -+ struct acl_object_label *obj, *obj2;
22219 -+
22220 -+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
22221 -+ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
22222 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
22223 -+ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
22224 -+ task->role->root_label);
22225 -+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
22226 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
22227 -+ return 1;
22228 -+ }
22229 -+ }
22230 -+ return 0;
22231 -+}
22232 -+
22233 -+int
22234 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
22235 -+{
22236 -+ __u32 mode;
22237 -+
22238 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
22239 -+ return 1;
22240 -+
22241 -+ if (is_writable_mmap(file))
22242 -+ return 0;
22243 -+
22244 -+ mode =
22245 -+ gr_search_file(file->f_dentry,
22246 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
22247 -+ file->f_vfsmnt);
22248 -+
22249 -+ if (!gr_tpe_allow(file))
22250 -+ return 0;
22251 -+
22252 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
22253 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22254 -+ return 0;
22255 -+ } else if (unlikely(!(mode & GR_EXEC))) {
22256 -+ return 0;
22257 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
22258 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22259 -+ return 1;
22260 -+ }
22261 -+
22262 -+ return 1;
22263 -+}
22264 -+
22265 -+int
22266 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
22267 -+{
22268 -+ __u32 mode;
22269 -+
22270 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
22271 -+ return 1;
22272 -+
22273 -+ if (is_writable_mmap(file))
22274 -+ return 0;
22275 -+
22276 -+ mode =
22277 -+ gr_search_file(file->f_dentry,
22278 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
22279 -+ file->f_vfsmnt);
22280 -+
22281 -+ if (!gr_tpe_allow(file))
22282 -+ return 0;
22283 -+
22284 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
22285 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22286 -+ return 0;
22287 -+ } else if (unlikely(!(mode & GR_EXEC))) {
22288 -+ return 0;
22289 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
22290 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
22291 -+ return 1;
22292 -+ }
22293 -+
22294 -+ return 1;
22295 -+}
22296 -+
22297 -+void
22298 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
22299 -+{
22300 -+ unsigned long runtime;
22301 -+ unsigned long cputime;
22302 -+ unsigned int wday, cday;
22303 -+ __u8 whr, chr;
22304 -+ __u8 wmin, cmin;
22305 -+ __u8 wsec, csec;
22306 -+ struct timespec timeval;
22307 -+
22308 -+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
22309 -+ !(task->acl->mode & GR_PROCACCT)))
22310 -+ return;
22311 -+
22312 -+ do_posix_clock_monotonic_gettime(&timeval);
22313 -+ runtime = timeval.tv_sec - task->start_time.tv_sec;
22314 -+ wday = runtime / (3600 * 24);
22315 -+ runtime -= wday * (3600 * 24);
22316 -+ whr = runtime / 3600;
22317 -+ runtime -= whr * 3600;
22318 -+ wmin = runtime / 60;
22319 -+ runtime -= wmin * 60;
22320 -+ wsec = runtime;
22321 -+
22322 -+ cputime = (task->utime + task->stime) / HZ;
22323 -+ cday = cputime / (3600 * 24);
22324 -+ cputime -= cday * (3600 * 24);
22325 -+ chr = cputime / 3600;
22326 -+ cputime -= chr * 3600;
22327 -+ cmin = cputime / 60;
22328 -+ cputime -= cmin * 60;
22329 -+ csec = cputime;
22330 -+
22331 -+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
22332 -+
22333 -+ return;
22334 -+}
22335 -+
22336 -+void gr_set_kernel_label(struct task_struct *task)
22337 -+{
22338 -+ if (gr_status & GR_READY) {
22339 -+ task->role = kernel_role;
22340 -+ task->acl = kernel_role->root_label;
22341 -+ }
22342 -+ return;
22343 -+}
22344 -+
22345 -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
22346 -+{
22347 -+ struct task_struct *task = current;
22348 -+ struct dentry *dentry = file->f_dentry;
22349 -+ struct vfsmount *mnt = file->f_vfsmnt;
22350 -+ struct acl_object_label *obj, *tmp;
22351 -+ struct acl_subject_label *subj;
22352 -+ unsigned int bufsize;
22353 -+ int is_not_root;
22354 -+ char *path;
22355 -+
22356 -+ if (unlikely(!(gr_status & GR_READY)))
22357 -+ return 1;
22358 -+
22359 -+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
22360 -+ return 1;
22361 -+
22362 -+ /* ignore Eric Biederman */
22363 -+ if (IS_PRIVATE(dentry->d_inode))
22364 -+ return 1;
22365 -+
22366 -+ subj = task->acl;
22367 -+ do {
22368 -+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
22369 -+ if (obj != NULL)
22370 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22371 -+ } while ((subj = subj->parent_subject));
22372 -+
22373 -+ obj = chk_obj_label(dentry, mnt, task->acl);
22374 -+ if (obj->globbed == NULL)
22375 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22376 -+
22377 -+ is_not_root = ((obj->filename[0] == '/') &&
22378 -+ (obj->filename[1] == '\0')) ? 0 : 1;
22379 -+ bufsize = PAGE_SIZE - namelen - is_not_root;
22380 -+
22381 -+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
22382 -+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
22383 -+ return 1;
22384 -+
22385 -+ preempt_disable();
22386 -+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
22387 -+ bufsize);
22388 -+
22389 -+ bufsize = strlen(path);
22390 -+
22391 -+ /* if base is "/", don't append an additional slash */
22392 -+ if (is_not_root)
22393 -+ *(path + bufsize) = '/';
22394 -+ memcpy(path + bufsize + is_not_root, name, namelen);
22395 -+ *(path + bufsize + namelen + is_not_root) = '\0';
22396 -+
22397 -+ tmp = obj->globbed;
22398 -+ while (tmp) {
22399 -+ if (!glob_match(tmp->filename, path)) {
22400 -+ preempt_enable();
22401 -+ return (tmp->mode & GR_FIND) ? 1 : 0;
22402 -+ }
22403 -+ tmp = tmp->next;
22404 -+ }
22405 -+ preempt_enable();
22406 -+ return (obj->mode & GR_FIND) ? 1 : 0;
22407 -+}
22408 -+
22409 -+EXPORT_SYMBOL(gr_learn_resource);
22410 -+EXPORT_SYMBOL(gr_set_kernel_label);
22411 -+#ifdef CONFIG_SECURITY
22412 -+EXPORT_SYMBOL(gr_check_user_change);
22413 -+EXPORT_SYMBOL(gr_check_group_change);
22414 -+#endif
22415 -+
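Review bot: in gr_acl_handle_mprotect the `if (!gr_tpe_allow(file)) return 0;` test comes after the gr_search_file() call, so when TPE refuses the mapping the ACL lookup (and the GR_SUPPRESS/GR_AUDIT_EXEC bits it produced) has already been computed and is discarded; move the TPE check directly after the is_writable_mmap() test so the cheaper refusal happens first. The final `else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC))` branch returns 1 exactly as the fall-through `return 1;` does and differs only in the audit log call; a one-line comment saying so would stop readers from looking for a semantic difference. In gr_acl_handle_filldir the comment `/* ignore Eric Biederman */` above the IS_PRIVATE() test does not say why those inodes are skipped; replace it with the actual reason (S_PRIVATE marks fs-internal inodes that the security hooks are meant to ignore). The `(bufsize - 1) > (PAGE_SIZE - 1)` test deliberately relies on unsigned wraparound to reject both `bufsize == 0` and `namelen + is_not_root > PAGE_SIZE`; the comment above it lists the two conditions but should state that the wraparound is intentional, since the later `memcpy(path + bufsize + is_not_root, name, namelen)` into the per-cpu page depends on it.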
22416 -diff -urNp linux-2.6.24.4/grsecurity/gracl_cap.c linux-2.6.24.4/grsecurity/gracl_cap.c
22417 ---- linux-2.6.24.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
22418 -+++ linux-2.6.24.4/grsecurity/gracl_cap.c 2008-03-26 17:56:56.000000000 -0400
22419 -@@ -0,0 +1,112 @@
22420 -+#include <linux/kernel.h>
22421 -+#include <linux/module.h>
22422 -+#include <linux/sched.h>
22423 -+#include <linux/capability.h>
22424 -+#include <linux/gracl.h>
22425 -+#include <linux/grsecurity.h>
22426 -+#include <linux/grinternal.h>
22427 -+
22428 -+static const char *captab_log[] = {
22429 -+ "CAP_CHOWN",
22430 -+ "CAP_DAC_OVERRIDE",
22431 -+ "CAP_DAC_READ_SEARCH",
22432 -+ "CAP_FOWNER",
22433 -+ "CAP_FSETID",
22434 -+ "CAP_KILL",
22435 -+ "CAP_SETGID",
22436 -+ "CAP_SETUID",
22437 -+ "CAP_SETPCAP",
22438 -+ "CAP_LINUX_IMMUTABLE",
22439 -+ "CAP_NET_BIND_SERVICE",
22440 -+ "CAP_NET_BROADCAST",
22441 -+ "CAP_NET_ADMIN",
22442 -+ "CAP_NET_RAW",
22443 -+ "CAP_IPC_LOCK",
22444 -+ "CAP_IPC_OWNER",
22445 -+ "CAP_SYS_MODULE",
22446 -+ "CAP_SYS_RAWIO",
22447 -+ "CAP_SYS_CHROOT",
22448 -+ "CAP_SYS_PTRACE",
22449 -+ "CAP_SYS_PACCT",
22450 -+ "CAP_SYS_ADMIN",
22451 -+ "CAP_SYS_BOOT",
22452 -+ "CAP_SYS_NICE",
22453 -+ "CAP_SYS_RESOURCE",
22454 -+ "CAP_SYS_TIME",
22455 -+ "CAP_SYS_TTY_CONFIG",
22456 -+ "CAP_MKNOD",
22457 -+ "CAP_LEASE",
22458 -+ "CAP_AUDIT_WRITE",
22459 -+ "CAP_AUDIT_CONTROL"
22460 -+};
22461 -+
22462 -+EXPORT_SYMBOL(gr_task_is_capable);
22463 -+EXPORT_SYMBOL(gr_is_capable_nolog);
22464 -+
22465 -+int
22466 -+gr_task_is_capable(struct task_struct *task, const int cap)
22467 -+{
22468 -+ struct acl_subject_label *curracl;
22469 -+ __u32 cap_drop = 0, cap_mask = 0;
22470 -+
22471 -+ if (!gr_acl_is_enabled())
22472 -+ return 1;
22473 -+
22474 -+ curracl = task->acl;
22475 -+
22476 -+ cap_drop = curracl->cap_lower;
22477 -+ cap_mask = curracl->cap_mask;
22478 -+
22479 -+ while ((curracl = curracl->parent_subject)) {
22480 -+ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
22481 -+ cap_drop |= curracl->cap_lower & (1 << cap);
22482 -+ cap_mask |= curracl->cap_mask;
22483 -+ }
22484 -+
22485 -+ if (!cap_raised(cap_drop, cap))
22486 -+ return 1;
22487 -+
22488 -+ curracl = task->acl;
22489 -+
22490 -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
22491 -+ && cap_raised(task->cap_effective, cap)) {
22492 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
22493 -+ task->role->roletype, task->uid,
22494 -+ task->gid, task->exec_file ?
22495 -+ gr_to_filename(task->exec_file->f_dentry,
22496 -+ task->exec_file->f_vfsmnt) : curracl->filename,
22497 -+ curracl->filename, 0UL,
22498 -+ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
22499 -+ return 1;
22500 -+ }
22501 -+
22502 -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
22503 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
22504 -+ return 0;
22505 -+}
22506 -+
22507 -+int
22508 -+gr_is_capable_nolog(const int cap)
22509 -+{
22510 -+ struct acl_subject_label *curracl;
22511 -+ __u32 cap_drop = 0, cap_mask = 0;
22512 -+
22513 -+ if (!gr_acl_is_enabled())
22514 -+ return 1;
22515 -+
22516 -+ curracl = current->acl;
22517 -+
22518 -+ cap_drop = curracl->cap_lower;
22519 -+ cap_mask = curracl->cap_mask;
22520 -+
22521 -+ while ((curracl = curracl->parent_subject)) {
22522 -+ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
22523 -+ cap_mask |= curracl->cap_mask;
22524 -+ }
22525 -+
22526 -+ if (!cap_raised(cap_drop, cap))
22527 -+ return 1;
22528 -+
22529 -+ return 0;
22530 -+}
22531 -+
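Review bot: gr_task_is_capable and gr_is_capable_nolog walk the parent_subject chain with different mask logic and will disagree on whether a capability is dropped. The logging variant adds a parent's cap_lower bit only when `!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap))`, i.e. the capability is not yet covered by the accumulated mask but is covered by the parent subject. The nolog variant uses `curracl->cap_lower & (cap_mask & ~curracl->cap_mask)`, which selects bits already present in the accumulated mask and absent from the parent, the opposite condition; the expression matching the logging variant is `curracl->cap_lower & (~cap_mask & curracl->cap_mask)`. Factor the chain walk into one static helper returning cap_drop so the two entry points cannot diverge again. Separately, `1 << cap` is evaluated on a __u32 in both loops before the `cap < sizeof(captab_log)/sizeof(captab_log[0])` range check that only guards the table lookup; the range check on cap belongs before the loop in both functions.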
22532 -diff -urNp linux-2.6.24.4/grsecurity/gracl_fs.c linux-2.6.24.4/grsecurity/gracl_fs.c
22533 ---- linux-2.6.24.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
22534 -+++ linux-2.6.24.4/grsecurity/gracl_fs.c 2008-03-26 18:14:13.000000000 -0400
22535 -@@ -0,0 +1,423 @@
22536 -+#include <linux/kernel.h>
22537 -+#include <linux/sched.h>
22538 -+#include <linux/types.h>
22539 -+#include <linux/fs.h>
22540 -+#include <linux/file.h>
22541 -+#include <linux/stat.h>
22542 -+#include <linux/grsecurity.h>
22543 -+#include <linux/grinternal.h>
22544 -+#include <linux/gracl.h>
22545 -+
22546 -+__u32
22547 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
22548 -+ const struct vfsmount * mnt)
22549 -+{
22550 -+ __u32 mode;
22551 -+
22552 -+ if (unlikely(!dentry->d_inode))
22553 -+ return GR_FIND;
22554 -+
22555 -+ mode =
22556 -+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
22557 -+
22558 -+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
22559 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22560 -+ return mode;
22561 -+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
22562 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22563 -+ return 0;
22564 -+ } else if (unlikely(!(mode & GR_FIND)))
22565 -+ return 0;
22566 -+
22567 -+ return GR_FIND;
22568 -+}
22569 -+
22570 -+__u32
22571 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
22572 -+ const int fmode)
22573 -+{
22574 -+ __u32 reqmode = GR_FIND;
22575 -+ __u32 mode;
22576 -+
22577 -+ if (unlikely(!dentry->d_inode))
22578 -+ return reqmode;
22579 -+
22580 -+ if (unlikely(fmode & O_APPEND))
22581 -+ reqmode |= GR_APPEND;
22582 -+ else if (unlikely(fmode & FMODE_WRITE))
22583 -+ reqmode |= GR_WRITE;
22584 -+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22585 -+ reqmode |= GR_READ;
22586 -+
22587 -+ mode =
22588 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22589 -+ mnt);
22590 -+
22591 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22592 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22593 -+ reqmode & GR_READ ? " reading" : "",
22594 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22595 -+ GR_APPEND ? " appending" : "");
22596 -+ return reqmode;
22597 -+ } else
22598 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22599 -+ {
22600 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22601 -+ reqmode & GR_READ ? " reading" : "",
22602 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22603 -+ GR_APPEND ? " appending" : "");
22604 -+ return 0;
22605 -+ } else if (unlikely((mode & reqmode) != reqmode))
22606 -+ return 0;
22607 -+
22608 -+ return reqmode;
22609 -+}
22610 -+
22611 -+__u32
22612 -+gr_acl_handle_creat(const struct dentry * dentry,
22613 -+ const struct dentry * p_dentry,
22614 -+ const struct vfsmount * p_mnt, const int fmode,
22615 -+ const int imode)
22616 -+{
22617 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
22618 -+ __u32 mode;
22619 -+
22620 -+ if (unlikely(fmode & O_APPEND))
22621 -+ reqmode |= GR_APPEND;
22622 -+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22623 -+ reqmode |= GR_READ;
22624 -+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
22625 -+ reqmode |= GR_SETID;
22626 -+
22627 -+ mode =
22628 -+ gr_check_create(dentry, p_dentry, p_mnt,
22629 -+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22630 -+
22631 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22632 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22633 -+ reqmode & GR_READ ? " reading" : "",
22634 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22635 -+ GR_APPEND ? " appending" : "");
22636 -+ return reqmode;
22637 -+ } else
22638 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22639 -+ {
22640 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22641 -+ reqmode & GR_READ ? " reading" : "",
22642 -+ reqmode & GR_WRITE ? " writing" : reqmode &
22643 -+ GR_APPEND ? " appending" : "");
22644 -+ return 0;
22645 -+ } else if (unlikely((mode & reqmode) != reqmode))
22646 -+ return 0;
22647 -+
22648 -+ return reqmode;
22649 -+}
22650 -+
22651 -+__u32
22652 -+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
22653 -+ const int fmode)
22654 -+{
22655 -+ __u32 mode, reqmode = GR_FIND;
22656 -+
22657 -+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
22658 -+ reqmode |= GR_EXEC;
22659 -+ if (fmode & S_IWOTH)
22660 -+ reqmode |= GR_WRITE;
22661 -+ if (fmode & S_IROTH)
22662 -+ reqmode |= GR_READ;
22663 -+
22664 -+ mode =
22665 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22666 -+ mnt);
22667 -+
22668 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22669 -+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22670 -+ reqmode & GR_READ ? " reading" : "",
22671 -+ reqmode & GR_WRITE ? " writing" : "",
22672 -+ reqmode & GR_EXEC ? " executing" : "");
22673 -+ return reqmode;
22674 -+ } else
22675 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22676 -+ {
22677 -+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22678 -+ reqmode & GR_READ ? " reading" : "",
22679 -+ reqmode & GR_WRITE ? " writing" : "",
22680 -+ reqmode & GR_EXEC ? " executing" : "");
22681 -+ return 0;
22682 -+ } else if (unlikely((mode & reqmode) != reqmode))
22683 -+ return 0;
22684 -+
22685 -+ return reqmode;
22686 -+}
22687 -+
22688 -+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
22689 -+{
22690 -+ __u32 mode;
22691 -+
22692 -+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
22693 -+
22694 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22695 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
22696 -+ return mode;
22697 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22698 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
22699 -+ return 0;
22700 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22701 -+ return 0;
22702 -+
22703 -+ return (reqmode);
22704 -+}
22705 -+
22706 -+__u32
22707 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
22708 -+{
22709 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
22710 -+}
22711 -+
22712 -+__u32
22713 -+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
22714 -+{
22715 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
22716 -+}
22717 -+
22718 -+__u32
22719 -+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
22720 -+{
22721 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
22722 -+}
22723 -+
22724 -+__u32
22725 -+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
22726 -+{
22727 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
22728 -+}
22729 -+
22730 -+__u32
22731 -+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
22732 -+ mode_t mode)
22733 -+{
22734 -+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
22735 -+ return 1;
22736 -+
22737 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22738 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22739 -+ GR_FCHMOD_ACL_MSG);
22740 -+ } else {
22741 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
22742 -+ }
22743 -+}
22744 -+
22745 -+__u32
22746 -+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
22747 -+ mode_t mode)
22748 -+{
22749 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22750 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22751 -+ GR_CHMOD_ACL_MSG);
22752 -+ } else {
22753 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
22754 -+ }
22755 -+}
22756 -+
22757 -+__u32
22758 -+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
22759 -+{
22760 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
22761 -+}
22762 -+
22763 -+__u32
22764 -+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
22765 -+{
22766 -+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
22767 -+}
22768 -+
22769 -+__u32
22770 -+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
22771 -+{
22772 -+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
22773 -+ GR_UNIXCONNECT_ACL_MSG);
22774 -+}
22775 -+
22776 -+/* hardlinks require at minimum create permission,
22777 -+ any additional privilege required is based on the
22778 -+ privilege of the file being linked to
22779 -+*/
22780 -+__u32
22781 -+gr_acl_handle_link(const struct dentry * new_dentry,
22782 -+ const struct dentry * parent_dentry,
22783 -+ const struct vfsmount * parent_mnt,
22784 -+ const struct dentry * old_dentry,
22785 -+ const struct vfsmount * old_mnt, const char *to)
22786 -+{
22787 -+ __u32 mode;
22788 -+ __u32 needmode = GR_CREATE | GR_LINK;
22789 -+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
22790 -+
22791 -+ mode =
22792 -+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
22793 -+ old_mnt);
22794 -+
22795 -+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
22796 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22797 -+ return mode;
22798 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22799 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22800 -+ return 0;
22801 -+ } else if (unlikely((mode & needmode) != needmode))
22802 -+ return 0;
22803 -+
22804 -+ return 1;
22805 -+}
22806 -+
22807 -+__u32
22808 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
22809 -+ const struct dentry * parent_dentry,
22810 -+ const struct vfsmount * parent_mnt, const char *from)
22811 -+{
22812 -+ __u32 needmode = GR_WRITE | GR_CREATE;
22813 -+ __u32 mode;
22814 -+
22815 -+ mode =
22816 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
22817 -+ GR_CREATE | GR_AUDIT_CREATE |
22818 -+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
22819 -+
22820 -+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
22821 -+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22822 -+ return mode;
22823 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22824 -+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22825 -+ return 0;
22826 -+ } else if (unlikely((mode & needmode) != needmode))
22827 -+ return 0;
22828 -+
22829 -+ return (GR_WRITE | GR_CREATE);
22830 -+}
22831 -+
22832 -+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
22833 -+{
22834 -+ __u32 mode;
22835 -+
22836 -+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22837 -+
22838 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22839 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
22840 -+ return mode;
22841 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22842 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
22843 -+ return 0;
22844 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22845 -+ return 0;
22846 -+
22847 -+ return (reqmode);
22848 -+}
22849 -+
22850 -+__u32
22851 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
22852 -+ const struct dentry * parent_dentry,
22853 -+ const struct vfsmount * parent_mnt,
22854 -+ const int mode)
22855 -+{
22856 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
22857 -+ if (unlikely(mode & (S_ISUID | S_ISGID)))
22858 -+ reqmode |= GR_SETID;
22859 -+
22860 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22861 -+ reqmode, GR_MKNOD_ACL_MSG);
22862 -+}
22863 -+
22864 -+__u32
22865 -+gr_acl_handle_mkdir(const struct dentry *new_dentry,
22866 -+ const struct dentry *parent_dentry,
22867 -+ const struct vfsmount *parent_mnt)
22868 -+{
22869 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22870 -+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
22871 -+}
22872 -+
22873 -+#define RENAME_CHECK_SUCCESS(old, new) \
22874 -+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
22875 -+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
22876 -+
22877 -+int
22878 -+gr_acl_handle_rename(struct dentry *new_dentry,
22879 -+ struct dentry *parent_dentry,
22880 -+ const struct vfsmount *parent_mnt,
22881 -+ struct dentry *old_dentry,
22882 -+ struct inode *old_parent_inode,
22883 -+ struct vfsmount *old_mnt, const char *newname)
22884 -+{
22885 -+ __u32 comp1, comp2;
22886 -+ int error = 0;
22887 -+
22888 -+ if (unlikely(!gr_acl_is_enabled()))
22889 -+ return 0;
22890 -+
22891 -+ if (!new_dentry->d_inode) {
22892 -+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
22893 -+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
22894 -+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
22895 -+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
22896 -+ GR_DELETE | GR_AUDIT_DELETE |
22897 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
22898 -+ GR_SUPPRESS, old_mnt);
22899 -+ } else {
22900 -+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
22901 -+ GR_CREATE | GR_DELETE |
22902 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
22903 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
22904 -+ GR_SUPPRESS, parent_mnt);
22905 -+ comp2 =
22906 -+ gr_search_file(old_dentry,
22907 -+ GR_READ | GR_WRITE | GR_AUDIT_READ |
22908 -+ GR_DELETE | GR_AUDIT_DELETE |
22909 -+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
22910 -+ }
22911 -+
22912 -+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
22913 -+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
22914 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22915 -+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
22916 -+ && !(comp2 & GR_SUPPRESS)) {
22917 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22918 -+ error = -EACCES;
22919 -+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
22920 -+ error = -EACCES;
22921 -+
22922 -+ return error;
22923 -+}
22924 -+
22925 -+void
22926 -+gr_acl_handle_exit(void)
22927 -+{
22928 -+ u16 id;
22929 -+ char *rolename;
22930 -+ struct file *exec_file;
22931 -+
22932 -+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
22933 -+ id = current->acl_role_id;
22934 -+ rolename = current->role->rolename;
22935 -+ gr_set_acls(1);
22936 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
22937 -+ }
22938 -+
22939 -+ write_lock(&grsec_exec_file_lock);
22940 -+ exec_file = current->exec_file;
22941 -+ current->exec_file = NULL;
22942 -+ write_unlock(&grsec_exec_file_lock);
22943 -+
22944 -+ if (exec_file)
22945 -+ fput(exec_file);
22946 -+}
22947 -+
22948 -+int
22949 -+gr_acl_handle_procpidmem(const struct task_struct *task)
22950 -+{
22951 -+ if (unlikely(!gr_acl_is_enabled()))
22952 -+ return 0;
22953 -+
22954 -+ if (task != current && task->acl->mode & GR_PROTPROCFD)
22955 -+ return -EACCES;
22956 -+
22957 -+ return 0;
22958 -+}
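Review bot: the audit branch of gr_acl_handle_symlink tests `mode & GR_WRITE && mode & GR_AUDITS` rather than `(mode & needmode) == needmode`, so a lookup result that grants GR_WRITE with an audit bit set but lacks GR_CREATE is logged as allowed and returned non-zero, while the identical result without the audit bit is denied by the following branch; use the needmode comparison there as gr_acl_handle_link and the generic handlers in this file do. gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file and gr_acl_handle_open both have; either add the guard or document that callers guarantee a positive dentry. The `fmode` argument of gr_acl_handle_open and gr_acl_handle_creat is tested against O_APPEND/O_DIRECTORY and against FMODE_READ/FMODE_WRITE in the same expression, so it must be the open-path encoding in which the access mode has already been converted to FMODE bits; a comment on the parameter would keep callers from passing raw open(2) flags. Return conventions also differ within the file: gr_acl_handle_rename returns 0 on success and -EACCES on denial, while every other handler returns a non-zero mode on success and 0 on denial; a comment at the rename handler should call out the exception.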
22959 -diff -urNp linux-2.6.24.4/grsecurity/gracl_ip.c linux-2.6.24.4/grsecurity/gracl_ip.c
22960 ---- linux-2.6.24.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
22961 -+++ linux-2.6.24.4/grsecurity/gracl_ip.c 2008-03-26 17:56:56.000000000 -0400
22962 -@@ -0,0 +1,313 @@
22963 -+#include <linux/kernel.h>
22964 -+#include <asm/uaccess.h>
22965 -+#include <asm/errno.h>
22966 -+#include <net/sock.h>
22967 -+#include <linux/file.h>
22968 -+#include <linux/fs.h>
22969 -+#include <linux/net.h>
22970 -+#include <linux/in.h>
22971 -+#include <linux/skbuff.h>
22972 -+#include <linux/ip.h>
22973 -+#include <linux/udp.h>
22974 -+#include <linux/smp_lock.h>
22975 -+#include <linux/types.h>
22976 -+#include <linux/sched.h>
22977 -+#include <linux/netdevice.h>
22978 -+#include <linux/inetdevice.h>
22979 -+#include <linux/gracl.h>
22980 -+#include <linux/grsecurity.h>
22981 -+#include <linux/grinternal.h>
22982 -+
22983 -+#define GR_BIND 0x01
22984 -+#define GR_CONNECT 0x02
22985 -+#define GR_INVERT 0x04
22986 -+
22987 -+static const char * gr_protocols[256] = {
22988 -+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
22989 -+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
22990 -+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
22991 -+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
22992 -+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
22993 -+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
22994 -+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
22995 -+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
22996 -+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
22997 -+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
22998 -+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
22999 -+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
23000 -+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
23001 -+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
23002 -+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
23003 -+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
23004 -+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
23005 -+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
23006 -+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
23007 -+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
23008 -+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
23009 -+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
23010 -+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
23011 -+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
23012 -+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
23013 -+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
23014 -+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
23015 -+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
23016 -+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
23017 -+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
23018 -+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
23019 -+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
23020 -+ };
23021 -+
23022 -+static const char * gr_socktypes[11] = {
23023 -+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
23024 -+ "unknown:7", "unknown:8", "unknown:9", "packet"
23025 -+ };
23026 -+
23027 -+const char *
23028 -+gr_proto_to_name(unsigned char proto)
23029 -+{
23030 -+ return gr_protocols[proto];
23031 -+}
23032 -+
23033 -+const char *
23034 -+gr_socktype_to_name(unsigned char type)
23035 -+{
23036 -+ return gr_socktypes[type];
23037 -+}
23038 -+
23039 -+int
23040 -+gr_search_socket(const int domain, const int type, const int protocol)
23041 -+{
23042 -+ struct acl_subject_label *curr;
23043 -+
23044 -+ if (unlikely(!gr_acl_is_enabled()))
23045 -+ goto exit;
23046 -+
23047 -+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
23048 -+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
23049 -+ goto exit; // let the kernel handle it
23050 -+
23051 -+ curr = current->acl;
23052 -+
23053 -+ if (!curr->ips)
23054 -+ goto exit;
23055 -+
23056 -+ if ((curr->ip_type & (1 << type)) &&
23057 -+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
23058 -+ goto exit;
23059 -+
23060 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
23061 -+ /* we don't place acls on raw sockets , and sometimes
23062 -+ dgram/ip sockets are opened for ioctl and not
23063 -+ bind/connect, so we'll fake a bind learn log */
23064 -+ if (type == SOCK_RAW || type == SOCK_PACKET) {
23065 -+ __u32 fakeip = 0;
23066 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23067 -+ current->role->roletype, current->uid,
23068 -+ current->gid, current->exec_file ?
23069 -+ gr_to_filename(current->exec_file->f_dentry,
23070 -+ current->exec_file->f_vfsmnt) :
23071 -+ curr->filename, curr->filename,
23072 -+ NIPQUAD(fakeip), 0, type,
23073 -+ protocol, GR_CONNECT,
23074 -+NIPQUAD(current->signal->curr_ip));
23075 -+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
23076 -+ __u32 fakeip = 0;
23077 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23078 -+ current->role->roletype, current->uid,
23079 -+ current->gid, current->exec_file ?
23080 -+ gr_to_filename(current->exec_file->f_dentry,
23081 -+ current->exec_file->f_vfsmnt) :
23082 -+ curr->filename, curr->filename,
23083 -+ NIPQUAD(fakeip), 0, type,
23084 -+ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
23085 -+ }
23086 -+ /* we'll log when they use connect or bind */
23087 -+ goto exit;
23088 -+ }
23089 -+
23090 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
23091 -+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
23092 -+
23093 -+ return 0;
23094 -+ exit:
23095 -+ return 1;
23096 -+}
23097 -+
23098 -+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
23099 -+{
23100 -+ if ((ip->mode & mode) &&
23101 -+ (ip_port >= ip->low) &&
23102 -+ (ip_port <= ip->high) &&
23103 -+ ((ntohl(ip_addr) & our_netmask) ==
23104 -+ (ntohl(our_addr) & our_netmask))
23105 -+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
23106 -+ && (ip->type & (1 << type))) {
23107 -+ if (ip->mode & GR_INVERT)
23108 -+ return 2; // specifically denied
23109 -+ else
23110 -+ return 1; // allowed
23111 -+ }
23112 -+
23113 -+ return 0; // not specifically allowed, may continue parsing
23114 -+}
23115 -+
23116 -+static int
23117 -+gr_search_connectbind(const int mode, const struct sock *sk,
23118 -+ const struct sockaddr_in *addr, const int type)
23119 -+{
23120 -+ char iface[IFNAMSIZ] = {0};
23121 -+ struct acl_subject_label *curr;
23122 -+ struct acl_ip_label *ip;
23123 -+ struct net_device *dev;
23124 -+ struct in_device *idev;
23125 -+ unsigned long i;
23126 -+ int ret;
23127 -+ __u32 ip_addr = 0;
23128 -+ __u32 our_addr;
23129 -+ __u32 our_netmask;
23130 -+ char *p;
23131 -+ __u16 ip_port = 0;
23132 -+
23133 -+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
23134 -+ return 1;
23135 -+
23136 -+ curr = current->acl;
23137 -+
23138 -+ if (!curr->ips)
23139 -+ return 1;
23140 -+
23141 -+ ip_addr = addr->sin_addr.s_addr;
23142 -+ ip_port = ntohs(addr->sin_port);
23143 -+
23144 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
23145 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
23146 -+ current->role->roletype, current->uid,
23147 -+ current->gid, current->exec_file ?
23148 -+ gr_to_filename(current->exec_file->f_dentry,
23149 -+ current->exec_file->f_vfsmnt) :
23150 -+ curr->filename, curr->filename,
23151 -+ NIPQUAD(ip_addr), ip_port, type,
23152 -+ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
23153 -+ return 1;
23154 -+ }
23155 -+
23156 -+ for (i = 0; i < curr->ip_num; i++) {
23157 -+ ip = *(curr->ips + i);
23158 -+ if (ip->iface != NULL) {
23159 -+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
23160 -+ p = strchr(iface, ':');
23161 -+ if (p != NULL)
23162 -+ *p = '\0';
23163 -+ dev = dev_get_by_name(sk->sk_net, iface);
23164 -+ if (dev == NULL)
23165 -+ continue;
23166 -+ idev = in_dev_get(dev);
23167 -+ if (idev == NULL) {
23168 -+ dev_put(dev);
23169 -+ continue;
23170 -+ }
23171 -+ rcu_read_lock();
23172 -+ for_ifa(idev) {
23173 -+ if (!strcmp(ip->iface, ifa->ifa_label)) {
23174 -+ our_addr = ifa->ifa_address;
23175 -+ our_netmask = 0xffffffff;
23176 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
23177 -+ if (ret == 1) {
23178 -+ rcu_read_unlock();
23179 -+ in_dev_put(idev);
23180 -+ dev_put(dev);
23181 -+ return 1;
23182 -+ } else if (ret == 2) {
23183 -+ rcu_read_unlock();
23184 -+ in_dev_put(idev);
23185 -+ dev_put(dev);
23186 -+ goto denied;
23187 -+ }
23188 -+ }
23189 -+ } endfor_ifa(idev);
23190 -+ rcu_read_unlock();
23191 -+ in_dev_put(idev);
23192 -+ dev_put(dev);
23193 -+ } else {
23194 -+ our_addr = ip->addr;
23195 -+ our_netmask = ip->netmask;
23196 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
23197 -+ if (ret == 1)
23198 -+ return 1;
23199 -+ else if (ret == 2)
23200 -+ goto denied;
23201 -+ }
23202 -+ }
23203 -+
23204 -+denied:
23205 -+ if (mode == GR_BIND)
23206 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
23207 -+ else if (mode == GR_CONNECT)
23208 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
23209 -+
23210 -+ return 0;
23211 -+}
23212 -+
23213 -+int
23214 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
23215 -+{
23216 -+ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
23217 -+}
23218 -+
23219 -+int
23220 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
23221 -+{
23222 -+ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
23223 -+}
23224 -+
23225 -+int gr_search_listen(const struct socket *sock)
23226 -+{
23227 -+ struct sock *sk = sock->sk;
23228 -+ struct sockaddr_in addr;
23229 -+
23230 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
23231 -+ addr.sin_port = inet_sk(sk)->sport;
23232 -+
23233 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
23234 -+}
23235 -+
23236 -+int gr_search_accept(const struct socket *sock)
23237 -+{
23238 -+ struct sock *sk = sock->sk;
23239 -+ struct sockaddr_in addr;
23240 -+
23241 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
23242 -+ addr.sin_port = inet_sk(sk)->sport;
23243 -+
23244 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
23245 -+}
23246 -+
23247 -+int
23248 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
23249 -+{
23250 -+ if (addr)
23251 -+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
23252 -+ else {
23253 -+ struct sockaddr_in sin;
23254 -+ const struct inet_sock *inet = inet_sk(sk);
23255 -+
23256 -+ sin.sin_addr.s_addr = inet->daddr;
23257 -+ sin.sin_port = inet->dport;
23258 -+
23259 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
23260 -+ }
23261 -+}
23262 -+
23263 -+int
23264 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
23265 -+{
23266 -+ struct sockaddr_in sin;
23267 -+
23268 -+ if (unlikely(skb->len < sizeof (struct udphdr)))
23269 -+ return 1; // skip this packet
23270 -+
23271 -+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
23272 -+ sin.sin_port = udp_hdr(skb)->source;
23273 -+
23274 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
23275 -+}
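Review bot: the end of the `for (i = 0; i < curr->ip_num; i++)` loop in `gr_search_connectbind()` falls straight through into `denied:`; that is the intended default-deny when a subject has IP rules but none of them returns 1 or 2 from `check_ip_policy()`, yet nothing marks it as deliberate, so a comment above the label (or an explicit `goto denied;` after the loop) would keep a later cleanup from "fixing" it into `return 1;`. Smaller points: `gr_search_listen()` and `gr_search_accept()` have identical bodies (both check the local `saddr`/`sport` under GR_BIND) and could share one helper; `gr_search_udp_recvmsg()` uses a C++ `//` comment (`// skip this packet`) where the rest of the file uses `/* */`; and the `else` after `return gr_search_connectbind(...)` in `gr_search_udp_sendmsg()` is redundant.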
23276 -diff -urNp linux-2.6.24.4/grsecurity/gracl_learn.c linux-2.6.24.4/grsecurity/gracl_learn.c
23277 ---- linux-2.6.24.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
23278 -+++ linux-2.6.24.4/grsecurity/gracl_learn.c 2008-03-26 17:56:56.000000000 -0400
23279 -@@ -0,0 +1,211 @@
23280 -+#include <linux/kernel.h>
23281 -+#include <linux/mm.h>
23282 -+#include <linux/sched.h>
23283 -+#include <linux/poll.h>
23284 -+#include <linux/smp_lock.h>
23285 -+#include <linux/string.h>
23286 -+#include <linux/file.h>
23287 -+#include <linux/types.h>
23288 -+#include <linux/vmalloc.h>
23289 -+#include <linux/grinternal.h>
23290 -+
23291 -+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
23292 -+ size_t count, loff_t *ppos);
23293 -+extern int gr_acl_is_enabled(void);
23294 -+
23295 -+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
23296 -+static int gr_learn_attached;
23297 -+
23298 -+/* use a 512k buffer */
23299 -+#define LEARN_BUFFER_SIZE (512 * 1024)
23300 -+
23301 -+static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
23302 -+static DECLARE_MUTEX(gr_learn_user_sem);
23303 -+
23304 -+/* we need to maintain two buffers, so that the kernel context of grlearn
23305 -+ uses a semaphore around the userspace copying, and the other kernel contexts
23306 -+ use a spinlock when copying into the buffer, since they cannot sleep
23307 -+*/
23308 -+static char *learn_buffer;
23309 -+static char *learn_buffer_user;
23310 -+static int learn_buffer_len;
23311 -+static int learn_buffer_user_len;
23312 -+
23313 -+static ssize_t
23314 -+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
23315 -+{
23316 -+ DECLARE_WAITQUEUE(wait, current);
23317 -+ ssize_t retval = 0;
23318 -+
23319 -+ add_wait_queue(&learn_wait, &wait);
23320 -+ set_current_state(TASK_INTERRUPTIBLE);
23321 -+ do {
23322 -+ down(&gr_learn_user_sem);
23323 -+ spin_lock(&gr_learn_lock);
23324 -+ if (learn_buffer_len)
23325 -+ break;
23326 -+ spin_unlock(&gr_learn_lock);
23327 -+ up(&gr_learn_user_sem);
23328 -+ if (file->f_flags & O_NONBLOCK) {
23329 -+ retval = -EAGAIN;
23330 -+ goto out;
23331 -+ }
23332 -+ if (signal_pending(current)) {
23333 -+ retval = -ERESTARTSYS;
23334 -+ goto out;
23335 -+ }
23336 -+
23337 -+ schedule();
23338 -+ } while (1);
23339 -+
23340 -+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
23341 -+ learn_buffer_user_len = learn_buffer_len;
23342 -+ retval = learn_buffer_len;
23343 -+ learn_buffer_len = 0;
23344 -+
23345 -+ spin_unlock(&gr_learn_lock);
23346 -+
23347 -+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
23348 -+ retval = -EFAULT;
23349 -+
23350 -+ up(&gr_learn_user_sem);
23351 -+out:
23352 -+ set_current_state(TASK_RUNNING);
23353 -+ remove_wait_queue(&learn_wait, &wait);
23354 -+ return retval;
23355 -+}
23356 -+
23357 -+static unsigned int
23358 -+poll_learn(struct file * file, poll_table * wait)
23359 -+{
23360 -+ poll_wait(file, &learn_wait, wait);
23361 -+
23362 -+ if (learn_buffer_len)
23363 -+ return (POLLIN | POLLRDNORM);
23364 -+
23365 -+ return 0;
23366 -+}
23367 -+
23368 -+void
23369 -+gr_clear_learn_entries(void)
23370 -+{
23371 -+ char *tmp;
23372 -+
23373 -+ down(&gr_learn_user_sem);
23374 -+ if (learn_buffer != NULL) {
23375 -+ spin_lock(&gr_learn_lock);
23376 -+ tmp = learn_buffer;
23377 -+ learn_buffer = NULL;
23378 -+ spin_unlock(&gr_learn_lock);
23379 -+ vfree(learn_buffer);
23380 -+ }
23381 -+ if (learn_buffer_user != NULL) {
23382 -+ vfree(learn_buffer_user);
23383 -+ learn_buffer_user = NULL;
23384 -+ }
23385 -+ learn_buffer_len = 0;
23386 -+ up(&gr_learn_user_sem);
23387 -+
23388 -+ return;
23389 -+}
23390 -+
23391 -+void
23392 -+gr_add_learn_entry(const char *fmt, ...)
23393 -+{
23394 -+ va_list args;
23395 -+ unsigned int len;
23396 -+
23397 -+ if (!gr_learn_attached)
23398 -+ return;
23399 -+
23400 -+ spin_lock(&gr_learn_lock);
23401 -+
23402 -+ /* leave a gap at the end so we know when it's "full" but don't have to
23403 -+ compute the exact length of the string we're trying to append
23404 -+ */
23405 -+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
23406 -+ spin_unlock(&gr_learn_lock);
23407 -+ wake_up_interruptible(&learn_wait);
23408 -+ return;
23409 -+ }
23410 -+ if (learn_buffer == NULL) {
23411 -+ spin_unlock(&gr_learn_lock);
23412 -+ return;
23413 -+ }
23414 -+
23415 -+ va_start(args, fmt);
23416 -+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
23417 -+ va_end(args);
23418 -+
23419 -+ learn_buffer_len += len + 1;
23420 -+
23421 -+ spin_unlock(&gr_learn_lock);
23422 -+ wake_up_interruptible(&learn_wait);
23423 -+
23424 -+ return;
23425 -+}
23426 -+
23427 -+static int
23428 -+open_learn(struct inode *inode, struct file *file)
23429 -+{
23430 -+ if (file->f_mode & FMODE_READ && gr_learn_attached)
23431 -+ return -EBUSY;
23432 -+ if (file->f_mode & FMODE_READ) {
23433 -+ int retval = 0;
23434 -+ down(&gr_learn_user_sem);
23435 -+ if (learn_buffer == NULL)
23436 -+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
23437 -+ if (learn_buffer_user == NULL)
23438 -+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
23439 -+ if (learn_buffer == NULL) {
23440 -+ retval = -ENOMEM;
23441 -+ goto out_error;
23442 -+ }
23443 -+ if (learn_buffer_user == NULL) {
23444 -+ retval = -ENOMEM;
23445 -+ goto out_error;
23446 -+ }
23447 -+ learn_buffer_len = 0;
23448 -+ learn_buffer_user_len = 0;
23449 -+ gr_learn_attached = 1;
23450 -+out_error:
23451 -+ up(&gr_learn_user_sem);
23452 -+ return retval;
23453 -+ }
23454 -+ return 0;
23455 -+}
23456 -+
23457 -+static int
23458 -+close_learn(struct inode *inode, struct file *file)
23459 -+{
23460 -+ char *tmp;
23461 -+
23462 -+ if (file->f_mode & FMODE_READ) {
23463 -+ down(&gr_learn_user_sem);
23464 -+ if (learn_buffer != NULL) {
23465 -+ spin_lock(&gr_learn_lock);
23466 -+ tmp = learn_buffer;
23467 -+ learn_buffer = NULL;
23468 -+ spin_unlock(&gr_learn_lock);
23469 -+ vfree(tmp);
23470 -+ }
23471 -+ if (learn_buffer_user != NULL) {
23472 -+ vfree(learn_buffer_user);
23473 -+ learn_buffer_user = NULL;
23474 -+ }
23475 -+ learn_buffer_len = 0;
23476 -+ learn_buffer_user_len = 0;
23477 -+ gr_learn_attached = 0;
23478 -+ up(&gr_learn_user_sem);
23479 -+ }
23480 -+
23481 -+ return 0;
23482 -+}
23483 -+
23484 -+struct file_operations grsec_fops = {
23485 -+ .read = read_learn,
23486 -+ .write = write_grsec_handler,
23487 -+ .open = open_learn,
23488 -+ .release = close_learn,
23489 -+ .poll = poll_learn,
23490 -+};
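Review bot: `gr_clear_learn_entries()` leaks the learn buffer: it saves `learn_buffer` into `tmp`, sets `learn_buffer = NULL` under the spinlock, and then calls `vfree(learn_buffer)`, which at that point is `vfree(NULL)`, a no-op, so the 512 KiB allocation still held in `tmp` is never freed (`close_learn()` a few lines down does the same sequence correctly with `vfree(tmp)`). Change it to `vfree(tmp);`. A second logic point in `read_learn()`: the `count` argument is never consulted, and `copy_to_user(buf, learn_buffer_user, learn_buffer_user_len)` copies up to LEARN_BUFFER_SIZE bytes regardless of how large the caller said its buffer was, so a reader that passes a smaller buffer is written past its end; clamp to `min(count, learn_buffer_len)` and keep the remainder for the next read (or reject short reads with -EINVAL) instead of silently overrunning. Two caveats worth a comment: `learn_buffer_len += len + 1` in `gr_add_learn_entry()` uses the vsnprintf return value, which is the length the full string would have needed rather than the bytes actually written, so the 16 KiB headroom test above it is the only thing keeping the count honest and it holds only while no single entry exceeds 16 KiB; and `poll_learn()` reads `learn_buffer_len` without `gr_learn_lock`, which is fine for a poll hint but should say so.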
23491 -diff -urNp linux-2.6.24.4/grsecurity/gracl_res.c linux-2.6.24.4/grsecurity/gracl_res.c
23492 ---- linux-2.6.24.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
23493 -+++ linux-2.6.24.4/grsecurity/gracl_res.c 2008-03-26 17:56:56.000000000 -0400
23494 -@@ -0,0 +1,45 @@
23495 -+#include <linux/kernel.h>
23496 -+#include <linux/sched.h>
23497 -+#include <linux/gracl.h>
23498 -+#include <linux/grinternal.h>
23499 -+
23500 -+static const char *restab_log[] = {
23501 -+ [RLIMIT_CPU] = "RLIMIT_CPU",
23502 -+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
23503 -+ [RLIMIT_DATA] = "RLIMIT_DATA",
23504 -+ [RLIMIT_STACK] = "RLIMIT_STACK",
23505 -+ [RLIMIT_CORE] = "RLIMIT_CORE",
23506 -+ [RLIMIT_RSS] = "RLIMIT_RSS",
23507 -+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
23508 -+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
23509 -+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
23510 -+ [RLIMIT_AS] = "RLIMIT_AS",
23511 -+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
23512 -+ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
23513 -+};
23514 -+
23515 -+void
23516 -+gr_log_resource(const struct task_struct *task,
23517 -+ const int res, const unsigned long wanted, const int gt)
23518 -+{
23519 -+ if (res == RLIMIT_NPROC &&
23520 -+ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
23521 -+ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
23522 -+ return;
23523 -+ else if (res == RLIMIT_MEMLOCK &&
23524 -+ cap_raised(task->cap_effective, CAP_IPC_LOCK))
23525 -+ return;
23526 -+
23527 -+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
23528 -+ return;
23529 -+
23530 -+ preempt_disable();
23531 -+
23532 -+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
23533 -+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
23534 -+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
23535 -+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
23536 -+ preempt_enable_no_resched();
23537 -+
23538 -+ return;
23539 -+}
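Review bot: `restab_log[]` is indexed directly by `res` in `gr_log_resource()` (`restab_log[res]`), but the table stops at `[RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"`, while the 2.6.24 rlimit numbering continues past RLIMIT_LOCKS with RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE, RLIMIT_NICE and RLIMIT_RTPRIO; RLIMIT_SIGPENDING occupies index `RLIMIT_LOCKS + 1`, so a call with that resource logs the name "RLIMIT_CRASH", and any higher index reads past the 12-entry array. Size the table to RLIM_NLIMITS plus the grsec crash slot, fill in the standard names, and return early (or log a generic name) when `res` is outside the table. Also worth a comment: why the log call is wrapped in `preempt_disable()` / `preempt_enable_no_resched()`, since `gr_log_res_ulong2_str()` receives the task and limit values as arguments and nothing visible here needs to stay on one CPU.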
23540 -diff -urNp linux-2.6.24.4/grsecurity/gracl_segv.c linux-2.6.24.4/grsecurity/gracl_segv.c
23541 ---- linux-2.6.24.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
23542 -+++ linux-2.6.24.4/grsecurity/gracl_segv.c 2008-03-26 17:56:56.000000000 -0400
23543 -@@ -0,0 +1,301 @@
23544 -+#include <linux/kernel.h>
23545 -+#include <linux/mm.h>
23546 -+#include <asm/uaccess.h>
23547 -+#include <asm/errno.h>
23548 -+#include <asm/mman.h>
23549 -+#include <net/sock.h>
23550 -+#include <linux/file.h>
23551 -+#include <linux/fs.h>
23552 -+#include <linux/net.h>
23553 -+#include <linux/in.h>
23554 -+#include <linux/smp_lock.h>
23555 -+#include <linux/slab.h>
23556 -+#include <linux/types.h>
23557 -+#include <linux/sched.h>
23558 -+#include <linux/timer.h>
23559 -+#include <linux/gracl.h>
23560 -+#include <linux/grsecurity.h>
23561 -+#include <linux/grinternal.h>
23562 -+
23563 -+static struct crash_uid *uid_set;
23564 -+static unsigned short uid_used;
23565 -+static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
23566 -+extern rwlock_t gr_inode_lock;
23567 -+extern struct acl_subject_label *
23568 -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
23569 -+ struct acl_role_label *role);
23570 -+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
23571 -+
23572 -+int
23573 -+gr_init_uidset(void)
23574 -+{
23575 -+ uid_set =
23576 -+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
23577 -+ uid_used = 0;
23578 -+
23579 -+ return uid_set ? 1 : 0;
23580 -+}
23581 -+
23582 -+void
23583 -+gr_free_uidset(void)
23584 -+{
23585 -+ if (uid_set)
23586 -+ kfree(uid_set);
23587 -+
23588 -+ return;
23589 -+}
23590 -+
23591 -+int
23592 -+gr_find_uid(const uid_t uid)
23593 -+{
23594 -+ struct crash_uid *tmp = uid_set;
23595 -+ uid_t buid;
23596 -+ int low = 0, high = uid_used - 1, mid;
23597 -+
23598 -+ while (high >= low) {
23599 -+ mid = (low + high) >> 1;
23600 -+ buid = tmp[mid].uid;
23601 -+ if (buid == uid)
23602 -+ return mid;
23603 -+ if (buid > uid)
23604 -+ high = mid - 1;
23605 -+ if (buid < uid)
23606 -+ low = mid + 1;
23607 -+ }
23608 -+
23609 -+ return -1;
23610 -+}
23611 -+
23612 -+static __inline__ void
23613 -+gr_insertsort(void)
23614 -+{
23615 -+ unsigned short i, j;
23616 -+ struct crash_uid index;
23617 -+
23618 -+ for (i = 1; i < uid_used; i++) {
23619 -+ index = uid_set[i];
23620 -+ j = i;
23621 -+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
23622 -+ uid_set[j] = uid_set[j - 1];
23623 -+ j--;
23624 -+ }
23625 -+ uid_set[j] = index;
23626 -+ }
23627 -+
23628 -+ return;
23629 -+}
23630 -+
23631 -+static __inline__ void
23632 -+gr_insert_uid(const uid_t uid, const unsigned long expires)
23633 -+{
23634 -+ int loc;
23635 -+
23636 -+ if (uid_used == GR_UIDTABLE_MAX)
23637 -+ return;
23638 -+
23639 -+ loc = gr_find_uid(uid);
23640 -+
23641 -+ if (loc >= 0) {
23642 -+ uid_set[loc].expires = expires;
23643 -+ return;
23644 -+ }
23645 -+
23646 -+ uid_set[uid_used].uid = uid;
23647 -+ uid_set[uid_used].expires = expires;
23648 -+ uid_used++;
23649 -+
23650 -+ gr_insertsort();
23651 -+
23652 -+ return;
23653 -+}
23654 -+
23655 -+void
23656 -+gr_remove_uid(const unsigned short loc)
23657 -+{
23658 -+ unsigned short i;
23659 -+
23660 -+ for (i = loc + 1; i < uid_used; i++)
23661 -+ uid_set[i - 1] = uid_set[i];
23662 -+
23663 -+ uid_used--;
23664 -+
23665 -+ return;
23666 -+}
23667 -+
23668 -+int
23669 -+gr_check_crash_uid(const uid_t uid)
23670 -+{
23671 -+ int loc;
23672 -+ int ret = 0;
23673 -+
23674 -+ if (unlikely(!gr_acl_is_enabled()))
23675 -+ return 0;
23676 -+
23677 -+ spin_lock(&gr_uid_lock);
23678 -+ loc = gr_find_uid(uid);
23679 -+
23680 -+ if (loc < 0)
23681 -+ goto out_unlock;
23682 -+
23683 -+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
23684 -+ gr_remove_uid(loc);
23685 -+ else
23686 -+ ret = 1;
23687 -+
23688 -+out_unlock:
23689 -+ spin_unlock(&gr_uid_lock);
23690 -+ return ret;
23691 -+}
23692 -+
23693 -+static __inline__ int
23694 -+proc_is_setxid(const struct task_struct *task)
23695 -+{
23696 -+ if (task->uid != task->euid || task->uid != task->suid ||
23697 -+ task->uid != task->fsuid)
23698 -+ return 1;
23699 -+ if (task->gid != task->egid || task->gid != task->sgid ||
23700 -+ task->gid != task->fsgid)
23701 -+ return 1;
23702 -+
23703 -+ return 0;
23704 -+}
23705 -+static __inline__ int
23706 -+gr_fake_force_sig(int sig, struct task_struct *t)
23707 -+{
23708 -+ unsigned long int flags;
23709 -+ int ret, blocked, ignored;
23710 -+ struct k_sigaction *action;
23711 -+
23712 -+ spin_lock_irqsave(&t->sighand->siglock, flags);
23713 -+ action = &t->sighand->action[sig-1];
23714 -+ ignored = action->sa.sa_handler == SIG_IGN;
23715 -+ blocked = sigismember(&t->blocked, sig);
23716 -+ if (blocked || ignored) {
23717 -+ action->sa.sa_handler = SIG_DFL;
23718 -+ if (blocked) {
23719 -+ sigdelset(&t->blocked, sig);
23720 -+ recalc_sigpending_and_wake(t);
23721 -+ }
23722 -+ }
23723 -+ ret = specific_send_sig_info(sig, (void*)1L, t);
23724 -+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
23725 -+
23726 -+ return ret;
23727 -+}
23728 -+
23729 -+void
23730 -+gr_handle_crash(struct task_struct *task, const int sig)
23731 -+{
23732 -+ struct acl_subject_label *curr;
23733 -+ struct acl_subject_label *curr2;
23734 -+ struct task_struct *tsk, *tsk2;
23735 -+
23736 -+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
23737 -+ return;
23738 -+
23739 -+ if (unlikely(!gr_acl_is_enabled()))
23740 -+ return;
23741 -+
23742 -+ curr = task->acl;
23743 -+
23744 -+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
23745 -+ return;
23746 -+
23747 -+ if (time_before_eq(curr->expires, get_seconds())) {
23748 -+ curr->expires = 0;
23749 -+ curr->crashes = 0;
23750 -+ }
23751 -+
23752 -+ curr->crashes++;
23753 -+
23754 -+ if (!curr->expires)
23755 -+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
23756 -+
23757 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23758 -+ time_after(curr->expires, get_seconds())) {
23759 -+ if (task->uid && proc_is_setxid(task)) {
23760 -+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23761 -+ spin_lock(&gr_uid_lock);
23762 -+ gr_insert_uid(task->uid, curr->expires);
23763 -+ spin_unlock(&gr_uid_lock);
23764 -+ curr->expires = 0;
23765 -+ curr->crashes = 0;
23766 -+ read_lock(&tasklist_lock);
23767 -+ do_each_thread(tsk2, tsk) {
23768 -+ if (tsk != task && tsk->uid == task->uid)
23769 -+ gr_fake_force_sig(SIGKILL, tsk);
23770 -+ } while_each_thread(tsk2, tsk);
23771 -+ read_unlock(&tasklist_lock);
23772 -+ } else {
23773 -+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23774 -+ read_lock(&tasklist_lock);
23775 -+ do_each_thread(tsk2, tsk) {
23776 -+ if (likely(tsk != task)) {
23777 -+ curr2 = tsk->acl;
23778 -+
23779 -+ if (curr2->device == curr->device &&
23780 -+ curr2->inode == curr->inode)
23781 -+ gr_fake_force_sig(SIGKILL, tsk);
23782 -+ }
23783 -+ } while_each_thread(tsk2, tsk);
23784 -+ read_unlock(&tasklist_lock);
23785 -+ }
23786 -+ }
23787 -+
23788 -+ return;
23789 -+}
23790 -+
23791 -+int
23792 -+gr_check_crash_exec(const struct file *filp)
23793 -+{
23794 -+ struct acl_subject_label *curr;
23795 -+
23796 -+ if (unlikely(!gr_acl_is_enabled()))
23797 -+ return 0;
23798 -+
23799 -+ read_lock(&gr_inode_lock);
23800 -+ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
23801 -+ filp->f_dentry->d_inode->i_sb->s_dev,
23802 -+ current->role);
23803 -+ read_unlock(&gr_inode_lock);
23804 -+
23805 -+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
23806 -+ (!curr->crashes && !curr->expires))
23807 -+ return 0;
23808 -+
23809 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23810 -+ time_after(curr->expires, get_seconds()))
23811 -+ return 1;
23812 -+ else if (time_before_eq(curr->expires, get_seconds())) {
23813 -+ curr->crashes = 0;
23814 -+ curr->expires = 0;
23815 -+ }
23816 -+
23817 -+ return 0;
23818 -+}
23819 -+
23820 -+void
23821 -+gr_handle_alertkill(struct task_struct *task)
23822 -+{
23823 -+ struct acl_subject_label *curracl;
23824 -+ __u32 curr_ip;
23825 -+ struct task_struct *p, *p2;
23826 -+
23827 -+ if (unlikely(!gr_acl_is_enabled()))
23828 -+ return;
23829 -+
23830 -+ curracl = task->acl;
23831 -+ curr_ip = task->signal->curr_ip;
23832 -+
23833 -+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
23834 -+ read_lock(&tasklist_lock);
23835 -+ do_each_thread(p2, p) {
23836 -+ if (p->signal->curr_ip == curr_ip)
23837 -+ gr_fake_force_sig(SIGKILL, p);
23838 -+ } while_each_thread(p2, p);
23839 -+ read_unlock(&tasklist_lock);
23840 -+ } else if (curracl->mode & GR_KILLPROC)
23841 -+ gr_fake_force_sig(SIGKILL, task);
23842 -+
23843 -+ return;
23844 -+}
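Review bot: `gr_insert_uid()` returns silently when `uid_used == GR_UIDTABLE_MAX`, and entries only leave the table lazily, when `gr_check_crash_uid()` happens to look up that exact uid after its `expires` has passed, so once the table fills a newly crashing setxid uid is logged (GR_SEGVSTART_ACL_MSG) and its same-uid processes are killed, but the uid-level lockout that `gr_check_crash_uid()` enforces never takes effect because nothing was recorded. When the table is full, sweep out entries whose `expires` is already past (or evict the soonest-expiring one) before giving up, and note in a comment that `gr_check_crash_uid()` is otherwise the only place entries are reclaimed. Smaller points: `gr_insertsort()` re-sorts the whole array after every append although only the last element is out of place, so `gr_insert_uid()` could shift and insert at the position the binary search would give; `curr->crashes` and `curr->expires` are updated in `gr_handle_crash()` and `gr_check_crash_exec()` without any lock, so two threads of one subject crashing together can miscount; and the `sig != SIGKILL` clause in `gr_handle_crash()` means an administrator's `kill -9` of a process under a subject with the crash resource counts as a crash, which deserves a comment if it is intentional.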
23845 -diff -urNp linux-2.6.24.4/grsecurity/gracl_shm.c linux-2.6.24.4/grsecurity/gracl_shm.c
23846 ---- linux-2.6.24.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
23847 -+++ linux-2.6.24.4/grsecurity/gracl_shm.c 2008-03-26 17:56:56.000000000 -0400
23848 -@@ -0,0 +1,33 @@
23849 -+#include <linux/kernel.h>
23850 -+#include <linux/mm.h>
23851 -+#include <linux/sched.h>
23852 -+#include <linux/file.h>
23853 -+#include <linux/ipc.h>
23854 -+#include <linux/gracl.h>
23855 -+#include <linux/grsecurity.h>
23856 -+#include <linux/grinternal.h>
23857 -+
23858 -+int
23859 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23860 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
23861 -+{
23862 -+ struct task_struct *task;
23863 -+
23864 -+ if (!gr_acl_is_enabled())
23865 -+ return 1;
23866 -+
23867 -+ task = find_task_by_pid(shm_cprid);
23868 -+
23869 -+ if (unlikely(!task))
23870 -+ task = find_task_by_pid(shm_lapid);
23871 -+
23872 -+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
23873 -+ (task->pid == shm_lapid)) &&
23874 -+ (task->acl->mode & GR_PROTSHM) &&
23875 -+ (task->acl != current->acl))) {
23876 -+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
23877 -+ return 0;
23878 -+ }
23879 -+
23880 -+ return 1;
23881 -+}
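Review bot: `gr_handle_shmat()` calls `find_task_by_pid()` and then dereferences the result (`task->start_time`, `task->pid`, `task->acl`) without holding `tasklist_lock` or an RCU read lock and without taking a reference, so the creator or last-attacher task can exit and be freed between the lookup and the use; `gr_chroot_shmat()` in grsec_chroot.c does the same lookup under `read_lock(&tasklist_lock)` with `task_lock(p)` around the field reads, and this function should follow that pattern (or bracket the check with `get_task_struct()` / `put_task_struct()`). A short comment would also help on the condition itself: when `shm_cprid` has been recycled by an unrelated process, the `time_before_eq(task->start_time.tv_sec, shm_createtime)` test is what rejects the false match, since a process that started after the segment was created cannot be its creator.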
23882 -diff -urNp linux-2.6.24.4/grsecurity/grsec_chdir.c linux-2.6.24.4/grsecurity/grsec_chdir.c
23883 ---- linux-2.6.24.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
23884 -+++ linux-2.6.24.4/grsecurity/grsec_chdir.c 2008-03-26 17:56:56.000000000 -0400
23885 -@@ -0,0 +1,19 @@
23886 -+#include <linux/kernel.h>
23887 -+#include <linux/sched.h>
23888 -+#include <linux/fs.h>
23889 -+#include <linux/file.h>
23890 -+#include <linux/grsecurity.h>
23891 -+#include <linux/grinternal.h>
23892 -+
23893 -+void
23894 -+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
23895 -+{
23896 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
23897 -+ if ((grsec_enable_chdir && grsec_enable_group &&
23898 -+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
23899 -+ !grsec_enable_group)) {
23900 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
23901 -+ }
23902 -+#endif
23903 -+ return;
23904 -+}
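Review bot: the condition in `gr_log_chdir()` repeats `grsec_enable_chdir` in both arms of the `||`; it reads more clearly as `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))`, which is the same predicate (log when chdir auditing is on and either no audit group is configured or the caller is in it). Style only, no behaviour change.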
23905 -diff -urNp linux-2.6.24.4/grsecurity/grsec_chroot.c linux-2.6.24.4/grsecurity/grsec_chroot.c
23906 ---- linux-2.6.24.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
23907 -+++ linux-2.6.24.4/grsecurity/grsec_chroot.c 2008-03-26 17:56:56.000000000 -0400
23908 -@@ -0,0 +1,335 @@
23909 -+#include <linux/kernel.h>
23910 -+#include <linux/module.h>
23911 -+#include <linux/sched.h>
23912 -+#include <linux/file.h>
23913 -+#include <linux/fs.h>
23914 -+#include <linux/mount.h>
23915 -+#include <linux/types.h>
23916 -+#include <linux/pid_namespace.h>
23917 -+#include <linux/grsecurity.h>
23918 -+#include <linux/grinternal.h>
23919 -+
23920 -+int
23921 -+gr_handle_chroot_unix(const pid_t pid)
23922 -+{
23923 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
23924 -+ struct pid *spid = NULL;
23925 -+
23926 -+ if (unlikely(!grsec_enable_chroot_unix))
23927 -+ return 1;
23928 -+
23929 -+ if (likely(!proc_is_chrooted(current)))
23930 -+ return 1;
23931 -+
23932 -+ read_lock(&tasklist_lock);
23933 -+
23934 -+ spid = find_pid(pid);
23935 -+ if (spid) {
23936 -+ struct task_struct *p;
23937 -+ p = pid_task(spid, PIDTYPE_PID);
23938 -+ task_lock(p);
23939 -+ if (unlikely(!have_same_root(current, p))) {
23940 -+ task_unlock(p);
23941 -+ read_unlock(&tasklist_lock);
23942 -+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
23943 -+ return 0;
23944 -+ }
23945 -+ task_unlock(p);
23946 -+ }
23947 -+ read_unlock(&tasklist_lock);
23948 -+#endif
23949 -+ return 1;
23950 -+}
23951 -+
23952 -+int
23953 -+gr_handle_chroot_nice(void)
23954 -+{
23955 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23956 -+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
23957 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
23958 -+ return -EPERM;
23959 -+ }
23960 -+#endif
23961 -+ return 0;
23962 -+}
23963 -+
23964 -+int
23965 -+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
23966 -+{
23967 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23968 -+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
23969 -+ && proc_is_chrooted(current)) {
23970 -+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
23971 -+ return -EACCES;
23972 -+ }
23973 -+#endif
23974 -+ return 0;
23975 -+}
23976 -+
23977 -+int
23978 -+gr_handle_chroot_rawio(const struct inode *inode)
23979 -+{
23980 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23981 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
23982 -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
23983 -+ return 1;
23984 -+#endif
23985 -+ return 0;
23986 -+}
23987 -+
23988 -+int
23989 -+gr_pid_is_chrooted(struct task_struct *p)
23990 -+{
23991 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
23992 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
23993 -+ return 0;
23994 -+
23995 -+ task_lock(p);
23996 -+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
23997 -+ !have_same_root(current, p)) {
23998 -+ task_unlock(p);
23999 -+ return 1;
24000 -+ }
24001 -+ task_unlock(p);
24002 -+#endif
24003 -+ return 0;
24004 -+}
24005 -+
24006 -+EXPORT_SYMBOL(gr_pid_is_chrooted);
24007 -+
24008 -+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
24009 -+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
24010 -+{
24011 -+ struct dentry *dentry = (struct dentry *)u_dentry;
24012 -+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
24013 -+ struct dentry *realroot;
24014 -+ struct vfsmount *realrootmnt;
24015 -+ struct dentry *currentroot;
24016 -+ struct vfsmount *currentmnt;
24017 -+ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
24018 -+ int ret = 1;
24019 -+
24020 -+ read_lock(&reaper->fs->lock);
24021 -+ realrootmnt = mntget(reaper->fs->rootmnt);
24022 -+ realroot = dget(reaper->fs->root);
24023 -+ read_unlock(&reaper->fs->lock);
24024 -+
24025 -+ read_lock(&current->fs->lock);
24026 -+ currentmnt = mntget(current->fs->rootmnt);
24027 -+ currentroot = dget(current->fs->root);
24028 -+ read_unlock(&current->fs->lock);
24029 -+
24030 -+ spin_lock(&dcache_lock);
24031 -+ for (;;) {
24032 -+ if (unlikely((dentry == realroot && mnt == realrootmnt)
24033 -+ || (dentry == currentroot && mnt == currentmnt)))
24034 -+ break;
24035 -+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
24036 -+ if (mnt->mnt_parent == mnt)
24037 -+ break;
24038 -+ dentry = mnt->mnt_mountpoint;
24039 -+ mnt = mnt->mnt_parent;
24040 -+ continue;
24041 -+ }
24042 -+ dentry = dentry->d_parent;
24043 -+ }
24044 -+ spin_unlock(&dcache_lock);
24045 -+
24046 -+ dput(currentroot);
24047 -+ mntput(currentmnt);
24048 -+
24049 -+ /* access is outside of chroot */
24050 -+ if (dentry == realroot && mnt == realrootmnt)
24051 -+ ret = 0;
24052 -+
24053 -+ dput(realroot);
24054 -+ mntput(realrootmnt);
24055 -+ return ret;
24056 -+}
24057 -+#endif
24058 -+
24059 -+int
24060 -+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
24061 -+{
24062 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24063 -+ if (!grsec_enable_chroot_fchdir)
24064 -+ return 1;
24065 -+
24066 -+ if (!proc_is_chrooted(current))
24067 -+ return 1;
24068 -+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
24069 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
24070 -+ return 0;
24071 -+ }
24072 -+#endif
24073 -+ return 1;
24074 -+}
24075 -+
24076 -+int
24077 -+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24078 -+ const time_t shm_createtime)
24079 -+{
24080 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24081 -+ struct pid *pid = NULL;
24082 -+ time_t starttime;
24083 -+
24084 -+ if (unlikely(!grsec_enable_chroot_shmat))
24085 -+ return 1;
24086 -+
24087 -+ if (likely(!proc_is_chrooted(current)))
24088 -+ return 1;
24089 -+
24090 -+ read_lock(&tasklist_lock);
24091 -+
24092 -+ pid = find_pid(shm_cprid);
24093 -+ if (pid) {
24094 -+ struct task_struct *p;
24095 -+ p = pid_task(pid, PIDTYPE_PID);
24096 -+ task_lock(p);
24097 -+ starttime = p->start_time.tv_sec;
24098 -+ if (unlikely(!have_same_root(current, p) &&
24099 -+ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
24100 -+ task_unlock(p);
24101 -+ read_unlock(&tasklist_lock);
24102 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
24103 -+ return 0;
24104 -+ }
24105 -+ task_unlock(p);
24106 -+ } else {
24107 -+ pid = find_pid(shm_lapid);
24108 -+ if (pid) {
24109 -+ struct task_struct *p;
24110 -+ p = pid_task(pid, PIDTYPE_PID);
24111 -+ task_lock(p);
24112 -+ if (unlikely(!have_same_root(current, p))) {
24113 -+ task_unlock(p);
24114 -+ read_unlock(&tasklist_lock);
24115 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
24116 -+ return 0;
24117 -+ }
24118 -+ task_unlock(p);
24119 -+ }
24120 -+ }
24121 -+
24122 -+ read_unlock(&tasklist_lock);
24123 -+#endif
24124 -+ return 1;
24125 -+}
24126 -+
24127 -+void
24128 -+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
24129 -+{
24130 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
24131 -+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
24132 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
24133 -+#endif
24134 -+ return;
24135 -+}
24136 -+
24137 -+int
24138 -+gr_handle_chroot_mknod(const struct dentry *dentry,
24139 -+ const struct vfsmount *mnt, const int mode)
24140 -+{
24141 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24142 -+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
24143 -+ proc_is_chrooted(current)) {
24144 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
24145 -+ return -EPERM;
24146 -+ }
24147 -+#endif
24148 -+ return 0;
24149 -+}
24150 -+
24151 -+int
24152 -+gr_handle_chroot_mount(const struct dentry *dentry,
24153 -+ const struct vfsmount *mnt, const char *dev_name)
24154 -+{
24155 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24156 -+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
24157 -+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
24158 -+ return -EPERM;
24159 -+ }
24160 -+#endif
24161 -+ return 0;
24162 -+}
24163 -+
24164 -+int
24165 -+gr_handle_chroot_pivot(void)
24166 -+{
24167 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24168 -+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
24169 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
24170 -+ return -EPERM;
24171 -+ }
24172 -+#endif
24173 -+ return 0;
24174 -+}
24175 -+
24176 -+int
24177 -+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
24178 -+{
24179 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24180 -+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
24181 -+ !gr_is_outside_chroot(dentry, mnt)) {
24182 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
24183 -+ return -EPERM;
24184 -+ }
24185 -+#endif
24186 -+ return 0;
24187 -+}
24188 -+
24189 -+void
24190 -+gr_handle_chroot_caps(struct task_struct *task)
24191 -+{
24192 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
24193 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
24194 -+ task->cap_permitted =
24195 -+ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
24196 -+ task->cap_inheritable =
24197 -+ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
24198 -+ task->cap_effective =
24199 -+ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
24200 -+ }
24201 -+#endif
24202 -+ return;
24203 -+}
24204 -+
24205 -+int
24206 -+gr_handle_chroot_sysctl(const int op)
24207 -+{
24208 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
24209 -+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
24210 -+ && (op & 002))
24211 -+ return -EACCES;
24212 -+#endif
24213 -+ return 0;
24214 -+}
24215 -+
24216 -+void
24217 -+gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
24218 -+{
24219 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24220 -+ if (grsec_enable_chroot_chdir)
24221 -+ set_fs_pwd(current->fs, mnt, dentry);
24222 -+#endif
24223 -+ return;
24224 -+}
24225 -+
24226 -+int
24227 -+gr_handle_chroot_chmod(const struct dentry *dentry,
24228 -+ const struct vfsmount *mnt, const int mode)
24229 -+{
24230 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24231 -+ if (grsec_enable_chroot_chmod &&
24232 -+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
24233 -+ proc_is_chrooted(current)) {
24234 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
24235 -+ return -EPERM;
24236 -+ }
24237 -+#endif
24238 -+ return 0;
24239 -+}
24240 -+
24241 -+#ifdef CONFIG_SECURITY
24242 -+EXPORT_SYMBOL(gr_handle_chroot_caps);
24243 -+#endif
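Review bot: gr_handle_chroot_sysctl is the one chroot handler in this hunk that denies silently and with a magic number: `&& (op & 002))` tests the octal write bit and returns -EACCES with no gr_log_* call, while every sibling (gr_handle_chroot_mknod, _mount, _pivot, _chroot, _chmod) logs a GR_*_CHROOT_MSG before returning -EPERM. Suggest a named constant or a comment for 002 and a log line so a denied sysctl write from inside a chroot shows up alongside the other chroot denials; if the -EACCES versus -EPERM difference is deliberate (matching what the sysctl permission path itself returns), a one-line comment would save the next reader the question.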
24244 -diff -urNp linux-2.6.24.4/grsecurity/grsec_disabled.c linux-2.6.24.4/grsecurity/grsec_disabled.c
24245 ---- linux-2.6.24.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
24246 -+++ linux-2.6.24.4/grsecurity/grsec_disabled.c 2008-03-26 17:56:56.000000000 -0400
24247 -@@ -0,0 +1,418 @@
24248 -+#include <linux/kernel.h>
24249 -+#include <linux/module.h>
24250 -+#include <linux/sched.h>
24251 -+#include <linux/file.h>
24252 -+#include <linux/fs.h>
24253 -+#include <linux/kdev_t.h>
24254 -+#include <linux/net.h>
24255 -+#include <linux/in.h>
24256 -+#include <linux/ip.h>
24257 -+#include <linux/skbuff.h>
24258 -+#include <linux/sysctl.h>
24259 -+
24260 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
24261 -+void
24262 -+pax_set_initial_flags(struct linux_binprm *bprm)
24263 -+{
24264 -+ return;
24265 -+}
24266 -+#endif
24267 -+
24268 -+#ifdef CONFIG_SYSCTL
24269 -+__u32
24270 -+gr_handle_sysctl(const struct ctl_table * table, const int op)
24271 -+{
24272 -+ return 0;
24273 -+}
24274 -+#endif
24275 -+
24276 -+int
24277 -+gr_acl_is_enabled(void)
24278 -+{
24279 -+ return 0;
24280 -+}
24281 -+
24282 -+int
24283 -+gr_handle_rawio(const struct inode *inode)
24284 -+{
24285 -+ return 0;
24286 -+}
24287 -+
24288 -+void
24289 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
24290 -+{
24291 -+ return;
24292 -+}
24293 -+
24294 -+int
24295 -+gr_handle_ptrace(struct task_struct *task, const long request)
24296 -+{
24297 -+ return 0;
24298 -+}
24299 -+
24300 -+int
24301 -+gr_handle_proc_ptrace(struct task_struct *task)
24302 -+{
24303 -+ return 0;
24304 -+}
24305 -+
24306 -+void
24307 -+gr_learn_resource(const struct task_struct *task,
24308 -+ const int res, const unsigned long wanted, const int gt)
24309 -+{
24310 -+ return;
24311 -+}
24312 -+
24313 -+int
24314 -+gr_set_acls(const int type)
24315 -+{
24316 -+ return 0;
24317 -+}
24318 -+
24319 -+int
24320 -+gr_check_hidden_task(const struct task_struct *tsk)
24321 -+{
24322 -+ return 0;
24323 -+}
24324 -+
24325 -+int
24326 -+gr_check_protected_task(const struct task_struct *task)
24327 -+{
24328 -+ return 0;
24329 -+}
24330 -+
24331 -+void
24332 -+gr_copy_label(struct task_struct *tsk)
24333 -+{
24334 -+ return;
24335 -+}
24336 -+
24337 -+void
24338 -+gr_set_pax_flags(struct task_struct *task)
24339 -+{
24340 -+ return;
24341 -+}
24342 -+
24343 -+int
24344 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
24345 -+{
24346 -+ return 0;
24347 -+}
24348 -+
24349 -+void
24350 -+gr_handle_delete(const ino_t ino, const dev_t dev)
24351 -+{
24352 -+ return;
24353 -+}
24354 -+
24355 -+void
24356 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
24357 -+{
24358 -+ return;
24359 -+}
24360 -+
24361 -+void
24362 -+gr_handle_crash(struct task_struct *task, const int sig)
24363 -+{
24364 -+ return;
24365 -+}
24366 -+
24367 -+int
24368 -+gr_check_crash_exec(const struct file *filp)
24369 -+{
24370 -+ return 0;
24371 -+}
24372 -+
24373 -+int
24374 -+gr_check_crash_uid(const uid_t uid)
24375 -+{
24376 -+ return 0;
24377 -+}
24378 -+
24379 -+void
24380 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
24381 -+ struct dentry *old_dentry,
24382 -+ struct dentry *new_dentry,
24383 -+ struct vfsmount *mnt, const __u8 replace)
24384 -+{
24385 -+ return;
24386 -+}
24387 -+
24388 -+int
24389 -+gr_search_socket(const int family, const int type, const int protocol)
24390 -+{
24391 -+ return 1;
24392 -+}
24393 -+
24394 -+int
24395 -+gr_search_connectbind(const int mode, const struct socket *sock,
24396 -+ const struct sockaddr_in *addr)
24397 -+{
24398 -+ return 1;
24399 -+}
24400 -+
24401 -+int
24402 -+gr_task_is_capable(struct task_struct *task, const int cap)
24403 -+{
24404 -+ return 1;
24405 -+}
24406 -+
24407 -+int
24408 -+gr_is_capable_nolog(const int cap)
24409 -+{
24410 -+ return 1;
24411 -+}
24412 -+
24413 -+void
24414 -+gr_handle_alertkill(struct task_struct *task)
24415 -+{
24416 -+ return;
24417 -+}
24418 -+
24419 -+__u32
24420 -+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
24421 -+{
24422 -+ return 1;
24423 -+}
24424 -+
24425 -+__u32
24426 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
24427 -+ const struct vfsmount * mnt)
24428 -+{
24429 -+ return 1;
24430 -+}
24431 -+
24432 -+__u32
24433 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
24434 -+ const int fmode)
24435 -+{
24436 -+ return 1;
24437 -+}
24438 -+
24439 -+__u32
24440 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
24441 -+{
24442 -+ return 1;
24443 -+}
24444 -+
24445 -+__u32
24446 -+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
24447 -+{
24448 -+ return 1;
24449 -+}
24450 -+
24451 -+int
24452 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
24453 -+ unsigned int *vm_flags)
24454 -+{
24455 -+ return 1;
24456 -+}
24457 -+
24458 -+__u32
24459 -+gr_acl_handle_truncate(const struct dentry * dentry,
24460 -+ const struct vfsmount * mnt)
24461 -+{
24462 -+ return 1;
24463 -+}
24464 -+
24465 -+__u32
24466 -+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
24467 -+{
24468 -+ return 1;
24469 -+}
24470 -+
24471 -+__u32
24472 -+gr_acl_handle_access(const struct dentry * dentry,
24473 -+ const struct vfsmount * mnt, const int fmode)
24474 -+{
24475 -+ return 1;
24476 -+}
24477 -+
24478 -+__u32
24479 -+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
24480 -+ mode_t mode)
24481 -+{
24482 -+ return 1;
24483 -+}
24484 -+
24485 -+__u32
24486 -+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
24487 -+ mode_t mode)
24488 -+{
24489 -+ return 1;
24490 -+}
24491 -+
24492 -+__u32
24493 -+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
24494 -+{
24495 -+ return 1;
24496 -+}
24497 -+
24498 -+void
24499 -+grsecurity_init(void)
24500 -+{
24501 -+ return;
24502 -+}
24503 -+
24504 -+__u32
24505 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
24506 -+ const struct dentry * parent_dentry,
24507 -+ const struct vfsmount * parent_mnt,
24508 -+ const int mode)
24509 -+{
24510 -+ return 1;
24511 -+}
24512 -+
24513 -+__u32
24514 -+gr_acl_handle_mkdir(const struct dentry * new_dentry,
24515 -+ const struct dentry * parent_dentry,
24516 -+ const struct vfsmount * parent_mnt)
24517 -+{
24518 -+ return 1;
24519 -+}
24520 -+
24521 -+__u32
24522 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
24523 -+ const struct dentry * parent_dentry,
24524 -+ const struct vfsmount * parent_mnt, const char *from)
24525 -+{
24526 -+ return 1;
24527 -+}
24528 -+
24529 -+__u32
24530 -+gr_acl_handle_link(const struct dentry * new_dentry,
24531 -+ const struct dentry * parent_dentry,
24532 -+ const struct vfsmount * parent_mnt,
24533 -+ const struct dentry * old_dentry,
24534 -+ const struct vfsmount * old_mnt, const char *to)
24535 -+{
24536 -+ return 1;
24537 -+}
24538 -+
24539 -+int
24540 -+gr_acl_handle_rename(const struct dentry *new_dentry,
24541 -+ const struct dentry *parent_dentry,
24542 -+ const struct vfsmount *parent_mnt,
24543 -+ const struct dentry *old_dentry,
24544 -+ const struct inode *old_parent_inode,
24545 -+ const struct vfsmount *old_mnt, const char *newname)
24546 -+{
24547 -+ return 0;
24548 -+}
24549 -+
24550 -+int
24551 -+gr_acl_handle_filldir(const struct file *file, const char *name,
24552 -+ const int namelen, const ino_t ino)
24553 -+{
24554 -+ return 1;
24555 -+}
24556 -+
24557 -+int
24558 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24559 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
24560 -+{
24561 -+ return 1;
24562 -+}
24563 -+
24564 -+int
24565 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
24566 -+{
24567 -+ return 1;
24568 -+}
24569 -+
24570 -+int
24571 -+gr_search_accept(const struct socket *sock)
24572 -+{
24573 -+ return 1;
24574 -+}
24575 -+
24576 -+int
24577 -+gr_search_listen(const struct socket *sock)
24578 -+{
24579 -+ return 1;
24580 -+}
24581 -+
24582 -+int
24583 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
24584 -+{
24585 -+ return 1;
24586 -+}
24587 -+
24588 -+__u32
24589 -+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
24590 -+{
24591 -+ return 1;
24592 -+}
24593 -+
24594 -+__u32
24595 -+gr_acl_handle_creat(const struct dentry * dentry,
24596 -+ const struct dentry * p_dentry,
24597 -+ const struct vfsmount * p_mnt, const int fmode,
24598 -+ const int imode)
24599 -+{
24600 -+ return 1;
24601 -+}
24602 -+
24603 -+void
24604 -+gr_acl_handle_exit(void)
24605 -+{
24606 -+ return;
24607 -+}
24608 -+
24609 -+int
24610 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
24611 -+{
24612 -+ return 1;
24613 -+}
24614 -+
24615 -+void
24616 -+gr_set_role_label(const uid_t uid, const gid_t gid)
24617 -+{
24618 -+ return;
24619 -+}
24620 -+
24621 -+int
24622 -+gr_acl_handle_procpidmem(const struct task_struct *task)
24623 -+{
24624 -+ return 0;
24625 -+}
24626 -+
24627 -+int
24628 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
24629 -+{
24630 -+ return 1;
24631 -+}
24632 -+
24633 -+int
24634 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
24635 -+{
24636 -+ return 1;
24637 -+}
24638 -+
24639 -+void
24640 -+gr_set_kernel_label(struct task_struct *task)
24641 -+{
24642 -+ return;
24643 -+}
24644 -+
24645 -+int
24646 -+gr_check_user_change(int real, int effective, int fs)
24647 -+{
24648 -+ return 0;
24649 -+}
24650 -+
24651 -+int
24652 -+gr_check_group_change(int real, int effective, int fs)
24653 -+{
24654 -+ return 0;
24655 -+}
24656 -+
24657 -+
24658 -+EXPORT_SYMBOL(gr_task_is_capable);
24659 -+EXPORT_SYMBOL(gr_is_capable_nolog);
24660 -+EXPORT_SYMBOL(gr_learn_resource);
24661 -+EXPORT_SYMBOL(gr_set_kernel_label);
24662 -+#ifdef CONFIG_SECURITY
24663 -+EXPORT_SYMBOL(gr_check_user_change);
24664 -+EXPORT_SYMBOL(gr_check_group_change);
24665 -+#endif
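Review bot: this file includes no grsecurity header (the includes stop at <linux/sysctl.h>, whereas grsec_fork.c pulls in <linux/grsecurity.h> and grsec_exec.c <linux/grinternal.h>), so none of these stubs is checked against the prototype the callers see, and a signature drift (compare the `mode_t mode` on gr_acl_handle_chmod with the `const int mode` on gr_acl_handle_mknod) would only surface at link time or as a silent mismatch. Add the header include. The return polarity also deserves a comment per family: most gr_acl_handle_* stubs return 1 (allow), but gr_acl_handle_rename and gr_acl_handle_procpidmem return 0, as do gr_check_user_change and gr_check_group_change; stating which value means "allow" for each group would let a reviewer confirm the disabled build really is permissive everywhere.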
24666 -diff -urNp linux-2.6.24.4/grsecurity/grsec_exec.c linux-2.6.24.4/grsecurity/grsec_exec.c
24667 ---- linux-2.6.24.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
24668 -+++ linux-2.6.24.4/grsecurity/grsec_exec.c 2008-03-26 17:56:56.000000000 -0400
24669 -@@ -0,0 +1,88 @@
24670 -+#include <linux/kernel.h>
24671 -+#include <linux/sched.h>
24672 -+#include <linux/file.h>
24673 -+#include <linux/binfmts.h>
24674 -+#include <linux/smp_lock.h>
24675 -+#include <linux/fs.h>
24676 -+#include <linux/types.h>
24677 -+#include <linux/grdefs.h>
24678 -+#include <linux/grinternal.h>
24679 -+#include <linux/capability.h>
24680 -+
24681 -+#include <asm/uaccess.h>
24682 -+
24683 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24684 -+static char gr_exec_arg_buf[132];
24685 -+static DECLARE_MUTEX(gr_exec_arg_sem);
24686 -+#endif
24687 -+
24688 -+int
24689 -+gr_handle_nproc(void)
24690 -+{
24691 -+#ifdef CONFIG_GRKERNSEC_EXECVE
24692 -+ if (grsec_enable_execve && current->user &&
24693 -+ (atomic_read(&current->user->processes) >
24694 -+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
24695 -+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
24696 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
24697 -+ return -EAGAIN;
24698 -+ }
24699 -+#endif
24700 -+ return 0;
24701 -+}
24702 -+
24703 -+void
24704 -+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
24705 -+{
24706 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24707 -+ char *grarg = gr_exec_arg_buf;
24708 -+ unsigned int i, x, execlen = 0;
24709 -+ char c;
24710 -+
24711 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
24712 -+ in_group_p(grsec_audit_gid))
24713 -+ || (grsec_enable_execlog && !grsec_enable_group)))
24714 -+ return;
24715 -+
24716 -+ down(&gr_exec_arg_sem);
24717 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
24718 -+
24719 -+ if (unlikely(argv == NULL))
24720 -+ goto log;
24721 -+
24722 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
24723 -+ const char __user *p;
24724 -+ unsigned int len;
24725 -+
24726 -+ if (copy_from_user(&p, argv + i, sizeof(p)))
24727 -+ goto log;
24728 -+ if (!p)
24729 -+ goto log;
24730 -+ len = strnlen_user(p, 128 - execlen);
24731 -+ if (len > 128 - execlen)
24732 -+ len = 128 - execlen;
24733 -+ else if (len > 0)
24734 -+ len--;
24735 -+ if (copy_from_user(grarg + execlen, p, len))
24736 -+ goto log;
24737 -+
24738 -+ /* rewrite unprintable characters */
24739 -+ for (x = 0; x < len; x++) {
24740 -+ c = *(grarg + execlen + x);
24741 -+ if (c < 32 || c > 126)
24742 -+ *(grarg + execlen + x) = ' ';
24743 -+ }
24744 -+
24745 -+ execlen += len;
24746 -+ *(grarg + execlen) = ' ';
24747 -+ *(grarg + execlen + 1) = '\0';
24748 -+ execlen++;
24749 -+ }
24750 -+
24751 -+ log:
24752 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
24753 -+ bprm->file->f_vfsmnt, grarg);
24754 -+ up(&gr_exec_arg_sem);
24755 -+#endif
24756 -+ return;
24757 -+}
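Review bot: in gr_handle_exec_args a truncated argument list is logged exactly like a complete one: the loop stops at `execlen < 128`, strnlen_user is capped at `128 - execlen`, and every `goto log` (NULL argv, a faulting copy_from_user, a NULL argv[i]) falls straight through to gr_log_fs_str with whatever was collected so far, so anything past the 128th byte of a command line never reaches the audit log and the reader cannot tell a cut line from a short one. Suggest appending a marker when `i < bprm->argc` at the `log:` label (the 132-byte gr_exec_arg_buf leaves room for a short one after the 128-byte payload) and a distinct note when copy_from_user failed. A comment that gr_exec_arg_sem serializes every logged exec through one static buffer with an uninterruptible down() would also help whoever later profiles exec-heavy hosts with EXECLOG on.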
24758 -diff -urNp linux-2.6.24.4/grsecurity/grsec_fifo.c linux-2.6.24.4/grsecurity/grsec_fifo.c
24759 ---- linux-2.6.24.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
24760 -+++ linux-2.6.24.4/grsecurity/grsec_fifo.c 2008-03-26 17:56:56.000000000 -0400
24761 -@@ -0,0 +1,22 @@
24762 -+#include <linux/kernel.h>
24763 -+#include <linux/sched.h>
24764 -+#include <linux/fs.h>
24765 -+#include <linux/file.h>
24766 -+#include <linux/grinternal.h>
24767 -+
24768 -+int
24769 -+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
24770 -+ const struct dentry *dir, const int flag, const int acc_mode)
24771 -+{
24772 -+#ifdef CONFIG_GRKERNSEC_FIFO
24773 -+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
24774 -+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
24775 -+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
24776 -+ (current->fsuid != dentry->d_inode->i_uid)) {
24777 -+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
24778 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
24779 -+ return -EACCES;
24780 -+ }
24781 -+#endif
24782 -+ return 0;
24783 -+}
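Review bot: the control flow of the CONFIG_GRKERNSEC_FIFO block in gr_handle_fifo reads as a missing-brace bug at first sight and needs braces or a comment: `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` governs only the gr_log_fs_int2 line, and `return -EACCES;` is unconditional once the outer condition holds (the open of a foreign FIFO in a sticky directory is always refused; the log line is suppressed only when generic_permission would have refused anyway, so the VFS denial is not reported twice). With the return indented to the same level as the inner if, a short comment stating that intent, or braces around the logged branch, would make the unconditional denial obvious.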
24784 -diff -urNp linux-2.6.24.4/grsecurity/grsec_fork.c linux-2.6.24.4/grsecurity/grsec_fork.c
24785 ---- linux-2.6.24.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
24786 -+++ linux-2.6.24.4/grsecurity/grsec_fork.c 2008-03-26 17:56:56.000000000 -0400
24787 -@@ -0,0 +1,15 @@
24788 -+#include <linux/kernel.h>
24789 -+#include <linux/sched.h>
24790 -+#include <linux/grsecurity.h>
24791 -+#include <linux/grinternal.h>
24792 -+#include <linux/errno.h>
24793 -+
24794 -+void
24795 -+gr_log_forkfail(const int retval)
24796 -+{
24797 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
24798 -+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
24799 -+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
24800 -+#endif
24801 -+ return;
24802 -+}
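Review bot: gr_log_forkfail excludes -ERESTARTNOINTR (the fork will be restarted, so it is not a real failure) but logs every other negative value as a bare integer via gr_log_int, leaving the reader to map -11 to EAGAIN (RLIMIT_NPROC reached) versus -12 to ENOMEM. A comment naming the excluded case, and logging the errno name or the task's process count next to the value, would make GR_FAILFORK_MSG actionable without an errno table.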
24803 -diff -urNp linux-2.6.24.4/grsecurity/grsec_init.c linux-2.6.24.4/grsecurity/grsec_init.c
24804 ---- linux-2.6.24.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
24805 -+++ linux-2.6.24.4/grsecurity/grsec_init.c 2008-03-26 17:56:56.000000000 -0400
24806 -@@ -0,0 +1,226 @@
24807 -+#include <linux/kernel.h>
24808 -+#include <linux/sched.h>
24809 -+#include <linux/mm.h>
24810 -+#include <linux/smp_lock.h>
24811 -+#include <linux/gracl.h>
24812 -+#include <linux/slab.h>
24813 -+#include <linux/vmalloc.h>
24814 -+#include <linux/percpu.h>
24815 -+
24816 -+int grsec_enable_link;
24817 -+int grsec_enable_dmesg;
24818 -+int grsec_enable_fifo;
24819 -+int grsec_enable_execve;
24820 -+int grsec_enable_execlog;
24821 -+int grsec_enable_signal;
24822 -+int grsec_enable_forkfail;
24823 -+int grsec_enable_time;
24824 -+int grsec_enable_audit_textrel;
24825 -+int grsec_enable_group;
24826 -+int grsec_audit_gid;
24827 -+int grsec_enable_chdir;
24828 -+int grsec_enable_audit_ipc;
24829 -+int grsec_enable_mount;
24830 -+int grsec_enable_chroot_findtask;
24831 -+int grsec_enable_chroot_mount;
24832 -+int grsec_enable_chroot_shmat;
24833 -+int grsec_enable_chroot_fchdir;
24834 -+int grsec_enable_chroot_double;
24835 -+int grsec_enable_chroot_pivot;
24836 -+int grsec_enable_chroot_chdir;
24837 -+int grsec_enable_chroot_chmod;
24838 -+int grsec_enable_chroot_mknod;
24839 -+int grsec_enable_chroot_nice;
24840 -+int grsec_enable_chroot_execlog;
24841 -+int grsec_enable_chroot_caps;
24842 -+int grsec_enable_chroot_sysctl;
24843 -+int grsec_enable_chroot_unix;
24844 -+int grsec_enable_tpe;
24845 -+int grsec_tpe_gid;
24846 -+int grsec_enable_tpe_all;
24847 -+int grsec_enable_socket_all;
24848 -+int grsec_socket_all_gid;
24849 -+int grsec_enable_socket_client;
24850 -+int grsec_socket_client_gid;
24851 -+int grsec_enable_socket_server;
24852 -+int grsec_socket_server_gid;
24853 -+int grsec_resource_logging;
24854 -+int grsec_lock;
24855 -+
24856 -+spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
24857 -+unsigned long grsec_alert_wtime = 0;
24858 -+unsigned long grsec_alert_fyet = 0;
24859 -+
24860 -+spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
24861 -+
24862 -+rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
24863 -+
24864 -+char *gr_shared_page[4];
24865 -+
24866 -+char *gr_alert_log_fmt;
24867 -+char *gr_audit_log_fmt;
24868 -+char *gr_alert_log_buf;
24869 -+char *gr_audit_log_buf;
24870 -+
24871 -+extern struct gr_arg *gr_usermode;
24872 -+extern unsigned char *gr_system_salt;
24873 -+extern unsigned char *gr_system_sum;
24874 -+
24875 -+void
24876 -+grsecurity_init(void)
24877 -+{
24878 -+ int j;
24879 -+ /* create the per-cpu shared pages */
24880 -+
24881 -+ for (j = 0; j < 4; j++) {
24882 -+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
24883 -+ if (gr_shared_page[j] == NULL) {
24884 -+ panic("Unable to allocate grsecurity shared page");
24885 -+ return;
24886 -+ }
24887 -+ }
24888 -+
24889 -+ /* allocate log buffers */
24890 -+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
24891 -+ if (!gr_alert_log_fmt) {
24892 -+ panic("Unable to allocate grsecurity alert log format buffer");
24893 -+ return;
24894 -+ }
24895 -+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
24896 -+ if (!gr_audit_log_fmt) {
24897 -+ panic("Unable to allocate grsecurity audit log format buffer");
24898 -+ return;
24899 -+ }
24900 -+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24901 -+ if (!gr_alert_log_buf) {
24902 -+ panic("Unable to allocate grsecurity alert log buffer");
24903 -+ return;
24904 -+ }
24905 -+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24906 -+ if (!gr_audit_log_buf) {
24907 -+ panic("Unable to allocate grsecurity audit log buffer");
24908 -+ return;
24909 -+ }
24910 -+
24911 -+ /* allocate memory for authentication structure */
24912 -+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
24913 -+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
24914 -+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
24915 -+
24916 -+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
24917 -+ panic("Unable to allocate grsecurity authentication structure");
24918 -+ return;
24919 -+ }
24920 -+
24921 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
24922 -+#ifndef CONFIG_GRKERNSEC_SYSCTL
24923 -+ grsec_lock = 1;
24924 -+#endif
24925 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
24926 -+ grsec_enable_audit_textrel = 1;
24927 -+#endif
24928 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
24929 -+ grsec_enable_group = 1;
24930 -+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
24931 -+#endif
24932 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
24933 -+ grsec_enable_chdir = 1;
24934 -+#endif
24935 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24936 -+ grsec_enable_audit_ipc = 1;
24937 -+#endif
24938 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
24939 -+ grsec_enable_mount = 1;
24940 -+#endif
24941 -+#ifdef CONFIG_GRKERNSEC_LINK
24942 -+ grsec_enable_link = 1;
24943 -+#endif
24944 -+#ifdef CONFIG_GRKERNSEC_DMESG
24945 -+ grsec_enable_dmesg = 1;
24946 -+#endif
24947 -+#ifdef CONFIG_GRKERNSEC_FIFO
24948 -+ grsec_enable_fifo = 1;
24949 -+#endif
24950 -+#ifdef CONFIG_GRKERNSEC_EXECVE
24951 -+ grsec_enable_execve = 1;
24952 -+#endif
24953 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
24954 -+ grsec_enable_execlog = 1;
24955 -+#endif
24956 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
24957 -+ grsec_enable_signal = 1;
24958 -+#endif
24959 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
24960 -+ grsec_enable_forkfail = 1;
24961 -+#endif
24962 -+#ifdef CONFIG_GRKERNSEC_TIME
24963 -+ grsec_enable_time = 1;
24964 -+#endif
24965 -+#ifdef CONFIG_GRKERNSEC_RESLOG
24966 -+ grsec_resource_logging = 1;
24967 -+#endif
24968 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
24969 -+ grsec_enable_chroot_findtask = 1;
24970 -+#endif
24971 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
24972 -+ grsec_enable_chroot_unix = 1;
24973 -+#endif
24974 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24975 -+ grsec_enable_chroot_mount = 1;
24976 -+#endif
24977 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24978 -+ grsec_enable_chroot_fchdir = 1;
24979 -+#endif
24980 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24981 -+ grsec_enable_chroot_shmat = 1;
24982 -+#endif
24983 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24984 -+ grsec_enable_chroot_double = 1;
24985 -+#endif
24986 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24987 -+ grsec_enable_chroot_pivot = 1;
24988 -+#endif
24989 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24990 -+ grsec_enable_chroot_chdir = 1;
24991 -+#endif
24992 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24993 -+ grsec_enable_chroot_chmod = 1;
24994 -+#endif
24995 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24996 -+ grsec_enable_chroot_mknod = 1;
24997 -+#endif
24998 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
24999 -+ grsec_enable_chroot_nice = 1;
25000 -+#endif
25001 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
25002 -+ grsec_enable_chroot_execlog = 1;
25003 -+#endif
25004 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
25005 -+ grsec_enable_chroot_caps = 1;
25006 -+#endif
25007 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
25008 -+ grsec_enable_chroot_sysctl = 1;
25009 -+#endif
25010 -+#ifdef CONFIG_GRKERNSEC_TPE
25011 -+ grsec_enable_tpe = 1;
25012 -+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
25013 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
25014 -+ grsec_enable_tpe_all = 1;
25015 -+#endif
25016 -+#endif
25017 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25018 -+ grsec_enable_socket_all = 1;
25019 -+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
25020 -+#endif
25021 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25022 -+ grsec_enable_socket_client = 1;
25023 -+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
25024 -+#endif
25025 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25026 -+ grsec_enable_socket_server = 1;
25027 -+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
25028 -+#endif
25029 -+#endif
25030 -+
25031 -+ return;
25032 -+}
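Review bot: three points in grsecurity_init. First, `spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;` (likewise grsec_audit_lock, and `RW_LOCK_UNLOCKED` for grsec_exec_file_lock) uses the initializers 2.6 deprecated in favor of DEFINE_SPINLOCK()/DEFINE_RWLOCK(); under lockdep all locks initialized the old way share one class, which muddies any report involving them. Second, every `panic(...)` is followed by a `return;` that can never execute, since panic() does not return; drop them. Third, the `#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)` guard means a kernel built with GRKERNSEC_SYSCTL but without GRKERNSEC_SYSCTL_ON boots with every grsec_enable_* at zero, i.e. all of these protections off until userspace sets the sysctls; that is the intended behavior but it deserves a comment right above the #if, because a hardened kernel that starts unhardened is the kind of surprise a deployment discovers in production.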
25033 -diff -urNp linux-2.6.24.4/grsecurity/grsec_ipc.c linux-2.6.24.4/grsecurity/grsec_ipc.c
25034 ---- linux-2.6.24.4/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
25035 -+++ linux-2.6.24.4/grsecurity/grsec_ipc.c 2008-03-26 17:56:56.000000000 -0400
25036 -@@ -0,0 +1,81 @@
25037 -+#include <linux/kernel.h>
25038 -+#include <linux/sched.h>
25039 -+#include <linux/types.h>
25040 -+#include <linux/ipc.h>
25041 -+#include <linux/grsecurity.h>
25042 -+#include <linux/grinternal.h>
25043 -+
25044 -+void
25045 -+gr_log_msgget(const int ret, const int msgflg)
25046 -+{
25047 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25048 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25049 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25050 -+ !grsec_enable_group)) && (ret >= 0)
25051 -+ && (msgflg & IPC_CREAT))
25052 -+ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
25053 -+#endif
25054 -+ return;
25055 -+}
25056 -+
25057 -+void
25058 -+gr_log_msgrm(const uid_t uid, const uid_t cuid)
25059 -+{
25060 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25061 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25062 -+ grsec_enable_audit_ipc) ||
25063 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25064 -+ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
25065 -+#endif
25066 -+ return;
25067 -+}
25068 -+
25069 -+void
25070 -+gr_log_semget(const int err, const int semflg)
25071 -+{
25072 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25073 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25074 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25075 -+ !grsec_enable_group)) && (err >= 0)
25076 -+ && (semflg & IPC_CREAT))
25077 -+ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
25078 -+#endif
25079 -+ return;
25080 -+}
25081 -+
25082 -+void
25083 -+gr_log_semrm(const uid_t uid, const uid_t cuid)
25084 -+{
25085 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25086 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25087 -+ grsec_enable_audit_ipc) ||
25088 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25089 -+ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
25090 -+#endif
25091 -+ return;
25092 -+}
25093 -+
25094 -+void
25095 -+gr_log_shmget(const int err, const int shmflg, const size_t size)
25096 -+{
25097 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25098 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25099 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
25100 -+ !grsec_enable_group)) && (err >= 0)
25101 -+ && (shmflg & IPC_CREAT))
25102 -+ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
25103 -+#endif
25104 -+ return;
25105 -+}
25106 -+
25107 -+void
25108 -+gr_log_shmrm(const uid_t uid, const uid_t cuid)
25109 -+{
25110 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25111 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
25112 -+ grsec_enable_audit_ipc) ||
25113 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
25114 -+ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
25115 -+#endif
25116 -+ return;
25117 -+}
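Review bot: the same predicate is copied six times in this file, in two different bracketings: `((grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group))`. It reduces to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))`; a static inline gr_audit_ipc_enabled() (or a macro shared with the same-shaped test in gr_handle_exec_args) would make each function one line and stop the audit-group semantics drifting when one copy is edited. Separately, gr_log_shmget passes a size_t through gr_log_int, whose name suggests an int parameter; on 64-bit a segment larger than INT_MAX would be logged with a wrong size, so a helper taking an unsigned long is the safer choice.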
25118 -diff -urNp linux-2.6.24.4/grsecurity/grsec_link.c linux-2.6.24.4/grsecurity/grsec_link.c
25119 ---- linux-2.6.24.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
25120 -+++ linux-2.6.24.4/grsecurity/grsec_link.c 2008-03-26 17:56:56.000000000 -0400
25121 -@@ -0,0 +1,39 @@
25122 -+#include <linux/kernel.h>
25123 -+#include <linux/sched.h>
25124 -+#include <linux/fs.h>
25125 -+#include <linux/file.h>
25126 -+#include <linux/grinternal.h>
25127 -+
25128 -+int
25129 -+gr_handle_follow_link(const struct inode *parent,
25130 -+ const struct inode *inode,
25131 -+ const struct dentry *dentry, const struct vfsmount *mnt)
25132 -+{
25133 -+#ifdef CONFIG_GRKERNSEC_LINK
25134 -+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
25135 -+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
25136 -+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
25137 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
25138 -+ return -EACCES;
25139 -+ }
25140 -+#endif
25141 -+ return 0;
25142 -+}
25143 -+
25144 -+int
25145 -+gr_handle_hardlink(const struct dentry *dentry,
25146 -+ const struct vfsmount *mnt,
25147 -+ struct inode *inode, const int mode, const char *to)
25148 -+{
25149 -+#ifdef CONFIG_GRKERNSEC_LINK
25150 -+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
25151 -+ (!S_ISREG(mode) || (mode & S_ISUID) ||
25152 -+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
25153 -+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
25154 -+ !capable(CAP_FOWNER) && current->uid) {
25155 -+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
25156 -+ return -EPERM;
25157 -+ }
25158 -+#endif
25159 -+ return 0;
25160 -+}
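Review bot: gr_handle_hardlink's exemption mixes identities: ownership is compared with `current->fsuid != inode->i_uid`, but the bypass is `!capable(CAP_FOWNER) && current->uid`, so any process whose real uid is 0 is exempt even after it has dropped CAP_FOWNER, while the fsuid used for the ownership test plays no part in the exemption. If the intent is "root or CAP_FOWNER may hard-link anything", a comment should say so; otherwise dropping the `current->uid` test and relying on capable(CAP_FOWNER) alone keeps the restriction in force for a daemon that deliberately sheds capabilities. Also worth a comment that generic_permission() returns 0 on success, so the bare `(generic_permission(inode, MAY_READ | MAY_WRITE, NULL))` term means "caller lacks read+write on the target", which is the intended restriction but reads inverted on first pass.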
25161 -diff -urNp linux-2.6.24.4/grsecurity/grsec_log.c linux-2.6.24.4/grsecurity/grsec_log.c
25162 ---- linux-2.6.24.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
25163 -+++ linux-2.6.24.4/grsecurity/grsec_log.c 2008-03-26 17:56:56.000000000 -0400
25164 -@@ -0,0 +1,269 @@
25165 -+#include <linux/kernel.h>
25166 -+#include <linux/sched.h>
25167 -+#include <linux/file.h>
25168 -+#include <linux/tty.h>
25169 -+#include <linux/fs.h>
25170 -+#include <linux/grinternal.h>
25171 -+
25172 -+#define BEGIN_LOCKS(x) \
25173 -+ read_lock(&tasklist_lock); \
25174 -+ read_lock(&grsec_exec_file_lock); \
25175 -+ if (x != GR_DO_AUDIT) \
25176 -+ spin_lock(&grsec_alert_lock); \
25177 -+ else \
25178 -+ spin_lock(&grsec_audit_lock)
25179 -+
25180 -+#define END_LOCKS(x) \
25181 -+ if (x != GR_DO_AUDIT) \
25182 -+ spin_unlock(&grsec_alert_lock); \
25183 -+ else \
25184 -+ spin_unlock(&grsec_audit_lock); \
25185 -+ read_unlock(&grsec_exec_file_lock); \
25186 -+ read_unlock(&tasklist_lock); \
25187 -+ if (x == GR_DONT_AUDIT) \
25188 -+ gr_handle_alertkill(current)
25189 -+
25190 -+enum {
25191 -+ FLOODING,
25192 -+ NO_FLOODING
25193 -+};
25194 -+
25195 -+extern char *gr_alert_log_fmt;
25196 -+extern char *gr_audit_log_fmt;
25197 -+extern char *gr_alert_log_buf;
25198 -+extern char *gr_audit_log_buf;
25199 -+
25200 -+static int gr_log_start(int audit)
25201 -+{
25202 -+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
25203 -+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
25204 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25205 -+
25206 -+ if (audit == GR_DO_AUDIT)
25207 -+ goto set_fmt;
25208 -+
25209 -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
25210 -+ grsec_alert_wtime = jiffies;
25211 -+ grsec_alert_fyet = 0;
25212 -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
25213 -+ grsec_alert_fyet++;
25214 -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
25215 -+ grsec_alert_wtime = jiffies;
25216 -+ grsec_alert_fyet++;
25217 -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
25218 -+ return FLOODING;
25219 -+ } else return FLOODING;
25220 -+
25221 -+set_fmt:
25222 -+ memset(buf, 0, PAGE_SIZE);
25223 -+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
25224 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
25225 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
25226 -+ } else if (current->signal->curr_ip) {
25227 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
25228 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
25229 -+ } else if (gr_acl_is_enabled()) {
25230 -+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
25231 -+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
25232 -+ } else {
25233 -+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
25234 -+ strcpy(buf, fmt);
25235 -+ }
25236 -+
25237 -+ return NO_FLOODING;
25238 -+}
25239 -+
25240 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
25241 -+{
25242 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25243 -+ unsigned int len = strlen(buf);
25244 -+
25245 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
25246 -+
25247 -+ return;
25248 -+}
25249 -+
25250 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
25251 -+{
25252 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25253 -+ unsigned int len = strlen(buf);
25254 -+ va_list ap;
25255 -+
25256 -+ va_start(ap, msg);
25257 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
25258 -+ va_end(ap);
25259 -+
25260 -+ return;
25261 -+}
25262 -+
25263 -+static void gr_log_end(int audit)
25264 -+{
25265 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
25266 -+ unsigned int len = strlen(buf);
25267 -+
25268 -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
25269 -+ printk("%s\n", buf);
25270 -+
25271 -+ return;
25272 -+}
25273 -+
25274 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
25275 -+{
25276 -+ int logtype;
25277 -+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
25278 -+ char *str1, *str2, *str3;
25279 -+ int num1, num2;
25280 -+ unsigned long ulong1, ulong2;
25281 -+ struct dentry *dentry;
25282 -+ struct vfsmount *mnt;
25283 -+ struct file *file;
25284 -+ struct task_struct *task;
25285 -+ va_list ap;
25286 -+
25287 -+ BEGIN_LOCKS(audit);
25288 -+ logtype = gr_log_start(audit);
25289 -+ if (logtype == FLOODING) {
25290 -+ END_LOCKS(audit);
25291 -+ return;
25292 -+ }
25293 -+ va_start(ap, argtypes);
25294 -+ switch (argtypes) {
25295 -+ case GR_TTYSNIFF:
25296 -+ task = va_arg(ap, struct task_struct *);
25297 -+ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
25298 -+ break;
25299 -+ case GR_SYSCTL_HIDDEN:
25300 -+ str1 = va_arg(ap, char *);
25301 -+ gr_log_middle_varargs(audit, msg, result, str1);
25302 -+ break;
25303 -+ case GR_RBAC:
25304 -+ dentry = va_arg(ap, struct dentry *);
25305 -+ mnt = va_arg(ap, struct vfsmount *);
25306 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
25307 -+ break;
25308 -+ case GR_RBAC_STR:
25309 -+ dentry = va_arg(ap, struct dentry *);
25310 -+ mnt = va_arg(ap, struct vfsmount *);
25311 -+ str1 = va_arg(ap, char *);
25312 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
25313 -+ break;
25314 -+ case GR_STR_RBAC:
25315 -+ str1 = va_arg(ap, char *);
25316 -+ dentry = va_arg(ap, struct dentry *);
25317 -+ mnt = va_arg(ap, struct vfsmount *);
25318 -+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
25319 -+ break;
25320 -+ case GR_RBAC_MODE2:
25321 -+ dentry = va_arg(ap, struct dentry *);
25322 -+ mnt = va_arg(ap, struct vfsmount *);
25323 -+ str1 = va_arg(ap, char *);
25324 -+ str2 = va_arg(ap, char *);
25325 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
25326 -+ break;
25327 -+ case GR_RBAC_MODE3:
25328 -+ dentry = va_arg(ap, struct dentry *);
25329 -+ mnt = va_arg(ap, struct vfsmount *);
25330 -+ str1 = va_arg(ap, char *);
25331 -+ str2 = va_arg(ap, char *);
25332 -+ str3 = va_arg(ap, char *);
25333 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
25334 -+ break;
25335 -+ case GR_FILENAME:
25336 -+ dentry = va_arg(ap, struct dentry *);
25337 -+ mnt = va_arg(ap, struct vfsmount *);
25338 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
25339 -+ break;
25340 -+ case GR_STR_FILENAME:
25341 -+ str1 = va_arg(ap, char *);
25342 -+ dentry = va_arg(ap, struct dentry *);
25343 -+ mnt = va_arg(ap, struct vfsmount *);
25344 -+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
25345 -+ break;
25346 -+ case GR_FILENAME_STR:
25347 -+ dentry = va_arg(ap, struct dentry *);
25348 -+ mnt = va_arg(ap, struct vfsmount *);
25349 -+ str1 = va_arg(ap, char *);
25350 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
25351 -+ break;
25352 -+ case GR_FILENAME_TWO_INT:
25353 -+ dentry = va_arg(ap, struct dentry *);
25354 -+ mnt = va_arg(ap, struct vfsmount *);
25355 -+ num1 = va_arg(ap, int);
25356 -+ num2 = va_arg(ap, int);
25357 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
25358 -+ break;
25359 -+ case GR_FILENAME_TWO_INT_STR:
25360 -+ dentry = va_arg(ap, struct dentry *);
25361 -+ mnt = va_arg(ap, struct vfsmount *);
25362 -+ num1 = va_arg(ap, int);
25363 -+ num2 = va_arg(ap, int);
25364 -+ str1 = va_arg(ap, char *);
25365 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
25366 -+ break;
25367 -+ case GR_TEXTREL:
25368 -+ file = va_arg(ap, struct file *);
25369 -+ ulong1 = va_arg(ap, unsigned long);
25370 -+ ulong2 = va_arg(ap, unsigned long);
25371 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
25372 -+ break;
25373 -+ case GR_PTRACE:
25374 -+ task = va_arg(ap, struct task_struct *);
25375 -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
25376 -+ break;
25377 -+ case GR_RESOURCE:
25378 -+ task = va_arg(ap, struct task_struct *);
25379 -+ ulong1 = va_arg(ap, unsigned long);
25380 -+ str1 = va_arg(ap, char *);
25381 -+ ulong2 = va_arg(ap, unsigned long);
25382 -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25383 -+ break;
25384 -+ case GR_CAP:
25385 -+ task = va_arg(ap, struct task_struct *);
25386 -+ str1 = va_arg(ap, char *);
25387 -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25388 -+ break;
25389 -+ case GR_SIG:
25390 -+ task = va_arg(ap, struct task_struct *);
25391 -+ num1 = va_arg(ap, int);
25392 -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25393 -+ break;
25394 -+ case GR_CRASH1:
25395 -+ task = va_arg(ap, struct task_struct *);
25396 -+ ulong1 = va_arg(ap, unsigned long);
25397 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
25398 -+ break;
25399 -+ case GR_CRASH2:
25400 -+ task = va_arg(ap, struct task_struct *);
25401 -+ ulong1 = va_arg(ap, unsigned long);
25402 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
25403 -+ break;
25404 -+ case GR_PSACCT:
25405 -+ {
25406 -+ unsigned int wday, cday;
25407 -+ __u8 whr, chr;
25408 -+ __u8 wmin, cmin;
25409 -+ __u8 wsec, csec;
25410 -+ char cur_tty[64] = { 0 };
25411 -+ char parent_tty[64] = { 0 };
25412 -+
25413 -+ task = va_arg(ap, struct task_struct *);
25414 -+ wday = va_arg(ap, unsigned int);
25415 -+ cday = va_arg(ap, unsigned int);
25416 -+ whr = va_arg(ap, int);
25417 -+ chr = va_arg(ap, int);
25418 -+ wmin = va_arg(ap, int);
25419 -+ cmin = va_arg(ap, int);
25420 -+ wsec = va_arg(ap, int);
25421 -+ csec = va_arg(ap, int);
25422 -+ ulong1 = va_arg(ap, unsigned long);
25423 -+
25424 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
25425 -+ }
25426 -+ break;
25427 -+ default:
25428 -+ gr_log_middle(audit, msg, ap);
25429 -+ }
25430 -+ va_end(ap);
25431 -+ gr_log_end(audit);
25432 -+ END_LOCKS(audit);
25433 -+}
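Review bot: the flood-control window in gr_log_start has a gap at the boundary tick: the first branch resets the window on `jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ` while the second only counts an alert when the difference is `< CONFIG_GRKERNSEC_FLOODTIME * HZ`, so an alert that arrives when the difference is exactly FLOODTIME * HZ skips both, fails the `grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST` test and is dropped by the final `else return FLOODING;` even though the burst budget is not exhausted. Make the two comparisons complementary (`>=` in the first branch or `<=` in the second). Worth documenting as well that the budget admits CONFIG_GRKERNSEC_FLOODBURST + 1 alerts per window, since the alert that opens the window sets `grsec_alert_fyet = 0` without being counted, and only then prints the "logging disabled" notice; the Kconfig help for FLOODBURST should state the same number.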
25434 -diff -urNp linux-2.6.24.4/grsecurity/grsec_mem.c linux-2.6.24.4/grsecurity/grsec_mem.c
25435 ---- linux-2.6.24.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
25436 -+++ linux-2.6.24.4/grsecurity/grsec_mem.c 2008-03-26 17:56:56.000000000 -0400
25437 -@@ -0,0 +1,71 @@
25438 -+#include <linux/kernel.h>
25439 -+#include <linux/sched.h>
25440 -+#include <linux/mm.h>
25441 -+#include <linux/mman.h>
25442 -+#include <linux/grinternal.h>
25443 -+
25444 -+void
25445 -+gr_handle_ioperm(void)
25446 -+{
25447 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
25448 -+ return;
25449 -+}
25450 -+
25451 -+void
25452 -+gr_handle_iopl(void)
25453 -+{
25454 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
25455 -+ return;
25456 -+}
25457 -+
25458 -+void
25459 -+gr_handle_mem_write(void)
25460 -+{
25461 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
25462 -+ return;
25463 -+}
25464 -+
25465 -+void
25466 -+gr_handle_kmem_write(void)
25467 -+{
25468 -+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
25469 -+ return;
25470 -+}
25471 -+
25472 -+void
25473 -+gr_handle_open_port(void)
25474 -+{
25475 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
25476 -+ return;
25477 -+}
25478 -+
25479 -+int
25480 -+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
25481 -+{
25482 -+ unsigned long start, end;
25483 -+
25484 -+ start = offset;
25485 -+ end = start + vma->vm_end - vma->vm_start;
25486 -+
25487 -+ if (start > end) {
25488 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
25489 -+ return -EPERM;
25490 -+ }
25491 -+
25492 -+ /* allowed ranges : ISA I/O BIOS */
25493 -+ if ((start >= __pa(high_memory))
25494 -+#ifdef CONFIG_X86
25495 -+ || (start >= 0x000a0000 && end <= 0x00100000)
25496 -+ || (start >= 0x00000000 && end <= 0x00001000)
25497 -+#endif
25498 -+ )
25499 -+ return 0;
25500 -+
25501 -+ if (vma->vm_flags & VM_WRITE) {
25502 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
25503 -+ return -EPERM;
25504 -+ } else
25505 -+ vma->vm_flags &= ~VM_MAYWRITE;
25506 -+
25507 -+ return 0;
25508 -+}
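Review bot: the first allow test in gr_handle_mem_mmap, `start >= __pa(high_memory)`, treats everything above the direct-mapped region as device memory, but on x86-32 with CONFIG_HIGHMEM high_memory marks the end of lowmem (roughly 896 MB), not the end of physical RAM, so a writable mapping of /dev/mem that starts in RAM above that boundary passes this test and never reaches the `vma->vm_flags & VM_WRITE` denial below. Compare against the real end of RAM (a max_pfn or page_is_ram() based test) instead of high_memory. Two smaller points: the `start > end` check only catches arithmetic wrap, and a mapping that begins below high_memory and extends past it is silently handled by the read-only path, which is fine but deserves a comment; and the ISA/BIOS whitelist is only compiled for CONFIG_X86, so other architectures get a stricter default that is nowhere documented.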
25509 -diff -urNp linux-2.6.24.4/grsecurity/grsec_mount.c linux-2.6.24.4/grsecurity/grsec_mount.c
25510 ---- linux-2.6.24.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
25511 -+++ linux-2.6.24.4/grsecurity/grsec_mount.c 2008-03-26 17:56:56.000000000 -0400
25512 -@@ -0,0 +1,34 @@
25513 -+#include <linux/kernel.h>
25514 -+#include <linux/sched.h>
25515 -+#include <linux/grsecurity.h>
25516 -+#include <linux/grinternal.h>
25517 -+
25518 -+void
25519 -+gr_log_remount(const char *devname, const int retval)
25520 -+{
25521 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25522 -+ if (grsec_enable_mount && (retval >= 0))
25523 -+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
25524 -+#endif
25525 -+ return;
25526 -+}
25527 -+
25528 -+void
25529 -+gr_log_unmount(const char *devname, const int retval)
25530 -+{
25531 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25532 -+ if (grsec_enable_mount && (retval >= 0))
25533 -+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
25534 -+#endif
25535 -+ return;
25536 -+}
25537 -+
25538 -+void
25539 -+gr_log_mount(const char *from, const char *to, const int retval)
25540 -+{
25541 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25542 -+ if (grsec_enable_mount && (retval >= 0))
25543 -+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
25544 -+#endif
25545 -+ return;
25546 -+}
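Review bot: all three loggers in this hunk fire only when `retval >= 0`, so a failed mount, remount or unmount attempt leaves no audit record even though the failure path is usually what an auditor wants to see when the feature is enabled; consider logging the failure with its error code as well. Also, gr_log_remount and gr_log_unmount guard the name with `devname ? devname : "none"`, but gr_log_mount passes `from` and `to` to gr_log_str_str unguarded; the device name can legitimately be absent for some mount types, so apply the same `"none"` fallback there for consistent log output.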
25547 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sig.c linux-2.6.24.4/grsecurity/grsec_sig.c
25548 ---- linux-2.6.24.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
25549 -+++ linux-2.6.24.4/grsecurity/grsec_sig.c 2008-03-26 17:56:56.000000000 -0400
25550 -@@ -0,0 +1,58 @@
25551 -+#include <linux/kernel.h>
25552 -+#include <linux/sched.h>
25553 -+#include <linux/delay.h>
25554 -+#include <linux/grsecurity.h>
25555 -+#include <linux/grinternal.h>
25556 -+
25557 -+void
25558 -+gr_log_signal(const int sig, const struct task_struct *t)
25559 -+{
25560 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
25561 -+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
25562 -+ (sig == SIGABRT) || (sig == SIGBUS))) {
25563 -+ if (t->pid == current->pid) {
25564 -+ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
25565 -+ } else {
25566 -+ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
25567 -+ }
25568 -+ }
25569 -+#endif
25570 -+ return;
25571 -+}
25572 -+
25573 -+int
25574 -+gr_handle_signal(const struct task_struct *p, const int sig)
25575 -+{
25576 -+#ifdef CONFIG_GRKERNSEC
25577 -+ if (current->pid > 1 && gr_check_protected_task(p)) {
25578 -+ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
25579 -+ return -EPERM;
25580 -+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
25581 -+ return -EPERM;
25582 -+ }
25583 -+#endif
25584 -+ return 0;
25585 -+}
25586 -+
25587 -+void gr_handle_brute_attach(struct task_struct *p)
25588 -+{
25589 -+#ifdef CONFIG_GRKERNSEC_BRUTE
25590 -+ read_lock(&tasklist_lock);
25591 -+ read_lock(&grsec_exec_file_lock);
25592 -+ if (p->parent && p->parent->exec_file == p->exec_file)
25593 -+ p->parent->brute = 1;
25594 -+ read_unlock(&grsec_exec_file_lock);
25595 -+ read_unlock(&tasklist_lock);
25596 -+#endif
25597 -+ return;
25598 -+}
25599 -+
25600 -+void gr_handle_brute_check(void)
25601 -+{
25602 -+#ifdef CONFIG_GRKERNSEC_BRUTE
25603 -+ if (current->brute)
25604 -+ msleep(30 * 1000);
25605 -+#endif
25606 -+ return;
25607 -+}
25608 -+
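Review bot: the second branch of gr_handle_signal, `gr_pid_is_chrooted((struct task_struct *)p)`, returns -EPERM without any log entry, while the protected-task branch right above it logs GR_SIG_ACL_MSG; a chrooted daemon that cannot signal a task outside its chroot therefore gets a bare EPERM that is hard to diagnose, so add a gr_log_sig call on that path too. The cast that discards `const` on `p` also suggests the prototype of gr_pid_is_chrooted should take a `const struct task_struct *` rather than being worked around at the call site. Separately, gr_handle_brute_attach sets `p->parent->brute = 1` and nothing in this hunk ever clears it, so after a single crashing child a forking service pays the 30-second `msleep` in gr_handle_brute_check on every subsequent check until the parent is restarted; either document that as intended or add a reset.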
25609 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sock.c linux-2.6.24.4/grsecurity/grsec_sock.c
25610 ---- linux-2.6.24.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
25611 -+++ linux-2.6.24.4/grsecurity/grsec_sock.c 2008-03-26 17:56:56.000000000 -0400
25612 -@@ -0,0 +1,274 @@
25613 -+#include <linux/kernel.h>
25614 -+#include <linux/module.h>
25615 -+#include <linux/sched.h>
25616 -+#include <linux/file.h>
25617 -+#include <linux/net.h>
25618 -+#include <linux/in.h>
25619 -+#include <linux/ip.h>
25620 -+#include <net/sock.h>
25621 -+#include <net/inet_sock.h>
25622 -+#include <linux/grsecurity.h>
25623 -+#include <linux/grinternal.h>
25624 -+#include <linux/gracl.h>
25625 -+
25626 -+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
25627 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
25628 -+EXPORT_SYMBOL(udp_v4_lookup);
25629 -+#endif
25630 -+
25631 -+__u32 gr_cap_rtnetlink(struct sock *sock);
25632 -+EXPORT_SYMBOL(gr_cap_rtnetlink);
25633 -+
25634 -+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
25635 -+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
25636 -+
25637 -+EXPORT_SYMBOL(gr_search_udp_recvmsg);
25638 -+EXPORT_SYMBOL(gr_search_udp_sendmsg);
25639 -+
25640 -+#ifdef CONFIG_UNIX_MODULE
25641 -+EXPORT_SYMBOL(gr_acl_handle_unix);
25642 -+EXPORT_SYMBOL(gr_acl_handle_mknod);
25643 -+EXPORT_SYMBOL(gr_handle_chroot_unix);
25644 -+EXPORT_SYMBOL(gr_handle_create);
25645 -+#endif
25646 -+
25647 -+#ifdef CONFIG_GRKERNSEC
25648 -+#define gr_conn_table_size 32749
25649 -+struct conn_table_entry {
25650 -+ struct conn_table_entry *next;
25651 -+ struct signal_struct *sig;
25652 -+};
25653 -+
25654 -+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
25655 -+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
25656 -+
25657 -+extern const char * gr_socktype_to_name(unsigned char type);
25658 -+extern const char * gr_proto_to_name(unsigned char proto);
25659 -+
25660 -+static __inline__ int
25661 -+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
25662 -+{
25663 -+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
25664 -+}
25665 -+
25666 -+static __inline__ int
25667 -+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
25668 -+ __u16 sport, __u16 dport)
25669 -+{
25670 -+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
25671 -+ sig->gr_sport == sport && sig->gr_dport == dport))
25672 -+ return 1;
25673 -+ else
25674 -+ return 0;
25675 -+}
25676 -+
25677 -+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
25678 -+{
25679 -+ struct conn_table_entry **match;
25680 -+ unsigned int index;
25681 -+
25682 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25683 -+ sig->gr_sport, sig->gr_dport,
25684 -+ gr_conn_table_size);
25685 -+
25686 -+ newent->sig = sig;
25687 -+
25688 -+ match = &gr_conn_table[index];
25689 -+ newent->next = *match;
25690 -+ *match = newent;
25691 -+
25692 -+ return;
25693 -+}
25694 -+
25695 -+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
25696 -+{
25697 -+ struct conn_table_entry *match, *last = NULL;
25698 -+ unsigned int index;
25699 -+
25700 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25701 -+ sig->gr_sport, sig->gr_dport,
25702 -+ gr_conn_table_size);
25703 -+
25704 -+ match = gr_conn_table[index];
25705 -+ while (match && !conn_match(match->sig,
25706 -+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
25707 -+ sig->gr_dport)) {
25708 -+ last = match;
25709 -+ match = match->next;
25710 -+ }
25711 -+
25712 -+ if (match) {
25713 -+ if (last)
25714 -+ last->next = match->next;
25715 -+ else
25716 -+ gr_conn_table[index] = NULL;
25717 -+ kfree(match);
25718 -+ }
25719 -+
25720 -+ return;
25721 -+}
25722 -+
25723 -+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
25724 -+ __u16 sport, __u16 dport)
25725 -+{
25726 -+ struct conn_table_entry *match;
25727 -+ unsigned int index;
25728 -+
25729 -+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
25730 -+
25731 -+ match = gr_conn_table[index];
25732 -+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
25733 -+ match = match->next;
25734 -+
25735 -+ if (match)
25736 -+ return match->sig;
25737 -+ else
25738 -+ return NULL;
25739 -+}
25740 -+
25741 -+#endif
25742 -+
25743 -+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
25744 -+{
25745 -+#ifdef CONFIG_GRKERNSEC
25746 -+ struct signal_struct *sig = task->signal;
25747 -+ struct conn_table_entry *newent;
25748 -+
25749 -+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
25750 -+ if (newent == NULL)
25751 -+ return;
25752 -+ /* no bh lock needed since we are called with bh disabled */
25753 -+ spin_lock(&gr_conn_table_lock);
25754 -+ gr_del_task_from_ip_table_nolock(sig);
25755 -+ sig->gr_saddr = inet->rcv_saddr;
25756 -+ sig->gr_daddr = inet->daddr;
25757 -+ sig->gr_sport = inet->sport;
25758 -+ sig->gr_dport = inet->dport;
25759 -+ gr_add_to_task_ip_table_nolock(sig, newent);
25760 -+ spin_unlock(&gr_conn_table_lock);
25761 -+#endif
25762 -+ return;
25763 -+}
25764 -+
25765 -+void gr_del_task_from_ip_table(struct task_struct *task)
25766 -+{
25767 -+#ifdef CONFIG_GRKERNSEC
25768 -+ spin_lock(&gr_conn_table_lock);
25769 -+ gr_del_task_from_ip_table_nolock(task->signal);
25770 -+ spin_unlock(&gr_conn_table_lock);
25771 -+#endif
25772 -+ return;
25773 -+}
25774 -+
25775 -+void
25776 -+gr_attach_curr_ip(const struct sock *sk)
25777 -+{
25778 -+#ifdef CONFIG_GRKERNSEC
25779 -+ struct signal_struct *p, *set;
25780 -+ const struct inet_sock *inet = inet_sk(sk);
25781 -+
25782 -+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
25783 -+ return;
25784 -+
25785 -+ set = current->signal;
25786 -+
25787 -+ spin_lock_bh(&gr_conn_table_lock);
25788 -+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
25789 -+ inet->dport, inet->sport);
25790 -+ if (unlikely(p != NULL)) {
25791 -+ set->curr_ip = p->curr_ip;
25792 -+ set->used_accept = 1;
25793 -+ gr_del_task_from_ip_table_nolock(p);
25794 -+ spin_unlock_bh(&gr_conn_table_lock);
25795 -+ return;
25796 -+ }
25797 -+ spin_unlock_bh(&gr_conn_table_lock);
25798 -+
25799 -+ set->curr_ip = inet->daddr;
25800 -+ set->used_accept = 1;
25801 -+#endif
25802 -+ return;
25803 -+}
25804 -+
25805 -+int
25806 -+gr_handle_sock_all(const int family, const int type, const int protocol)
25807 -+{
25808 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25809 -+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
25810 -+ (family != AF_UNIX) && (family != AF_LOCAL)) {
25811 -+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
25812 -+ return -EACCES;
25813 -+ }
25814 -+#endif
25815 -+ return 0;
25816 -+}
25817 -+
25818 -+int
25819 -+gr_handle_sock_server(const struct sockaddr *sck)
25820 -+{
25821 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25822 -+ if (grsec_enable_socket_server &&
25823 -+ in_group_p(grsec_socket_server_gid) &&
25824 -+ sck && (sck->sa_family != AF_UNIX) &&
25825 -+ (sck->sa_family != AF_LOCAL)) {
25826 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25827 -+ return -EACCES;
25828 -+ }
25829 -+#endif
25830 -+ return 0;
25831 -+}
25832 -+
25833 -+int
25834 -+gr_handle_sock_server_other(const struct sock *sck)
25835 -+{
25836 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25837 -+ if (grsec_enable_socket_server &&
25838 -+ in_group_p(grsec_socket_server_gid) &&
25839 -+ sck && (sck->sk_family != AF_UNIX) &&
25840 -+ (sck->sk_family != AF_LOCAL)) {
25841 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25842 -+ return -EACCES;
25843 -+ }
25844 -+#endif
25845 -+ return 0;
25846 -+}
25847 -+
25848 -+int
25849 -+gr_handle_sock_client(const struct sockaddr *sck)
25850 -+{
25851 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25852 -+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
25853 -+ sck && (sck->sa_family != AF_UNIX) &&
25854 -+ (sck->sa_family != AF_LOCAL)) {
25855 -+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
25856 -+ return -EACCES;
25857 -+ }
25858 -+#endif
25859 -+ return 0;
25860 -+}
25861 -+
25862 -+__u32
25863 -+gr_cap_rtnetlink(struct sock *sock)
25864 -+{
25865 -+#ifdef CONFIG_GRKERNSEC
25866 -+ if (!gr_acl_is_enabled())
25867 -+ return current->cap_effective;
25868 -+ else if (sock->sk_protocol == NETLINK_ISCSI &&
25869 -+ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
25870 -+ gr_task_is_capable(current, CAP_SYS_ADMIN))
25871 -+ return current->cap_effective;
25872 -+ else if (sock->sk_protocol == NETLINK_AUDIT &&
25873 -+ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
25874 -+ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
25875 -+ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
25876 -+ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
25877 -+ return current->cap_effective;
25878 -+ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
25879 -+ gr_task_is_capable(current, CAP_NET_ADMIN))
25880 -+ return current->cap_effective;
25881 -+ else
25882 -+ return 0;
25883 -+#else
25884 -+ return current->cap_effective;
25885 -+#endif
25886 -+}
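Review bot: gr_del_task_from_ip_table_nolock mishandles removal at the head of a bucket: when the matching entry is first in the chain (`last == NULL`) it executes `gr_conn_table[index] = NULL;` instead of relinking to `match->next`, which unlinks every other entry chained in that bucket. Those signal_structs are then invisible to gr_lookup_task_ip_table (so gr_attach_curr_ip falls back to the raw `inet->daddr`), and the orphaned conn_table_entry allocations are never freed. The fix is `gr_conn_table[index] = match->next;`. Style points in the same hunk: `spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;` should be `DEFINE_SPINLOCK(gr_conn_table_lock);`, and since AF_LOCAL is the same value as AF_UNIX, the `(family != AF_LOCAL)` and `sa_family != AF_LOCAL` comparisons in the gr_handle_sock_* functions are redundant.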
25887 -diff -urNp linux-2.6.24.4/grsecurity/grsec_sysctl.c linux-2.6.24.4/grsecurity/grsec_sysctl.c
25888 ---- linux-2.6.24.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
25889 -+++ linux-2.6.24.4/grsecurity/grsec_sysctl.c 2008-03-26 17:56:56.000000000 -0400
25890 -@@ -0,0 +1,435 @@
25891 -+#include <linux/kernel.h>
25892 -+#include <linux/sched.h>
25893 -+#include <linux/sysctl.h>
25894 -+#include <linux/grsecurity.h>
25895 -+#include <linux/grinternal.h>
25896 -+
25897 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
25898 -+int grsec_modstop;
25899 -+#endif
25900 -+
25901 -+int
25902 -+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
25903 -+{
25904 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
25905 -+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
25906 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25907 -+ return -EACCES;
25908 -+ }
25909 -+#endif
25910 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
25911 -+ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
25912 -+ grsec_modstop && (op & 002)) {
25913 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25914 -+ return -EACCES;
25915 -+ }
25916 -+#endif
25917 -+ return 0;
25918 -+}
25919 -+
25920 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
25921 -+ctl_table grsecurity_table[] = {
25922 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
25923 -+#ifdef CONFIG_GRKERNSEC_LINK
25924 -+ {
25925 -+ .ctl_name = CTL_UNNUMBERED,
25926 -+ .procname = "linking_restrictions",
25927 -+ .data = &grsec_enable_link,
25928 -+ .maxlen = sizeof(int),
25929 -+ .mode = 0600,
25930 -+ .proc_handler = &proc_dointvec,
25931 -+ },
25932 -+#endif
25933 -+#ifdef CONFIG_GRKERNSEC_FIFO
25934 -+ {
25935 -+ .ctl_name = CTL_UNNUMBERED,
25936 -+ .procname = "fifo_restrictions",
25937 -+ .data = &grsec_enable_fifo,
25938 -+ .maxlen = sizeof(int),
25939 -+ .mode = 0600,
25940 -+ .proc_handler = &proc_dointvec,
25941 -+ },
25942 -+#endif
25943 -+#ifdef CONFIG_GRKERNSEC_EXECVE
25944 -+ {
25945 -+ .ctl_name = CTL_UNNUMBERED,
25946 -+ .procname = "execve_limiting",
25947 -+ .data = &grsec_enable_execve,
25948 -+ .maxlen = sizeof(int),
25949 -+ .mode = 0600,
25950 -+ .proc_handler = &proc_dointvec,
25951 -+ },
25952 -+#endif
25953 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
25954 -+ {
25955 -+ .ctl_name = CTL_UNNUMBERED,
25956 -+ .procname = "exec_logging",
25957 -+ .data = &grsec_enable_execlog,
25958 -+ .maxlen = sizeof(int),
25959 -+ .mode = 0600,
25960 -+ .proc_handler = &proc_dointvec,
25961 -+ },
25962 -+#endif
25963 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
25964 -+ {
25965 -+ .ctl_name = CTL_UNNUMBERED,
25966 -+ .procname = "signal_logging",
25967 -+ .data = &grsec_enable_signal,
25968 -+ .maxlen = sizeof(int),
25969 -+ .mode = 0600,
25970 -+ .proc_handler = &proc_dointvec,
25971 -+ },
25972 -+#endif
25973 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
25974 -+ {
25975 -+ .ctl_name = CTL_UNNUMBERED,
25976 -+ .procname = "forkfail_logging",
25977 -+ .data = &grsec_enable_forkfail,
25978 -+ .maxlen = sizeof(int),
25979 -+ .mode = 0600,
25980 -+ .proc_handler = &proc_dointvec,
25981 -+ },
25982 -+#endif
25983 -+#ifdef CONFIG_GRKERNSEC_TIME
25984 -+ {
25985 -+ .ctl_name = CTL_UNNUMBERED,
25986 -+ .procname = "timechange_logging",
25987 -+ .data = &grsec_enable_time,
25988 -+ .maxlen = sizeof(int),
25989 -+ .mode = 0600,
25990 -+ .proc_handler = &proc_dointvec,
25991 -+ },
25992 -+#endif
25993 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
25994 -+ {
25995 -+ .ctl_name = CTL_UNNUMBERED,
25996 -+ .procname = "chroot_deny_shmat",
25997 -+ .data = &grsec_enable_chroot_shmat,
25998 -+ .maxlen = sizeof(int),
25999 -+ .mode = 0600,
26000 -+ .proc_handler = &proc_dointvec,
26001 -+ },
26002 -+#endif
26003 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
26004 -+ {
26005 -+ .ctl_name = CTL_UNNUMBERED,
26006 -+ .procname = "chroot_deny_unix",
26007 -+ .data = &grsec_enable_chroot_unix,
26008 -+ .maxlen = sizeof(int),
26009 -+ .mode = 0600,
26010 -+ .proc_handler = &proc_dointvec,
26011 -+ },
26012 -+#endif
26013 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
26014 -+ {
26015 -+ .ctl_name = CTL_UNNUMBERED,
26016 -+ .procname = "chroot_deny_mount",
26017 -+ .data = &grsec_enable_chroot_mount,
26018 -+ .maxlen = sizeof(int),
26019 -+ .mode = 0600,
26020 -+ .proc_handler = &proc_dointvec,
26021 -+ },
26022 -+#endif
26023 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
26024 -+ {
26025 -+ .ctl_name = CTL_UNNUMBERED,
26026 -+ .procname = "chroot_deny_fchdir",
26027 -+ .data = &grsec_enable_chroot_fchdir,
26028 -+ .maxlen = sizeof(int),
26029 -+ .mode = 0600,
26030 -+ .proc_handler = &proc_dointvec,
26031 -+ },
26032 -+#endif
26033 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
26034 -+ {
26035 -+ .ctl_name = CTL_UNNUMBERED,
26036 -+ .procname = "chroot_deny_chroot",
26037 -+ .data = &grsec_enable_chroot_double,
26038 -+ .maxlen = sizeof(int),
26039 -+ .mode = 0600,
26040 -+ .proc_handler = &proc_dointvec,
26041 -+ },
26042 -+#endif
26043 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
26044 -+ {
26045 -+ .ctl_name = CTL_UNNUMBERED,
26046 -+ .procname = "chroot_deny_pivot",
26047 -+ .data = &grsec_enable_chroot_pivot,
26048 -+ .maxlen = sizeof(int),
26049 -+ .mode = 0600,
26050 -+ .proc_handler = &proc_dointvec,
26051 -+ },
26052 -+#endif
26053 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
26054 -+ {
26055 -+ .ctl_name = CTL_UNNUMBERED,
26056 -+ .procname = "chroot_enforce_chdir",
26057 -+ .data = &grsec_enable_chroot_chdir,
26058 -+ .maxlen = sizeof(int),
26059 -+ .mode = 0600,
26060 -+ .proc_handler = &proc_dointvec,
26061 -+ },
26062 -+#endif
26063 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
26064 -+ {
26065 -+ .ctl_name = CTL_UNNUMBERED,
26066 -+ .procname = "chroot_deny_chmod",
26067 -+ .data = &grsec_enable_chroot_chmod,
26068 -+ .maxlen = sizeof(int),
26069 -+ .mode = 0600,
26070 -+ .proc_handler = &proc_dointvec,
26071 -+ },
26072 -+#endif
26073 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
26074 -+ {
26075 -+ .ctl_name = CTL_UNNUMBERED,
26076 -+ .procname = "chroot_deny_mknod",
26077 -+ .data = &grsec_enable_chroot_mknod,
26078 -+ .maxlen = sizeof(int),
26079 -+ .mode = 0600,
26080 -+ .proc_handler = &proc_dointvec,
26081 -+ },
26082 -+#endif
26083 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
26084 -+ {
26085 -+ .ctl_name = CTL_UNNUMBERED,
26086 -+ .procname = "chroot_restrict_nice",
26087 -+ .data = &grsec_enable_chroot_nice,
26088 -+ .maxlen = sizeof(int),
26089 -+ .mode = 0600,
26090 -+ .proc_handler = &proc_dointvec,
26091 -+ },
26092 -+#endif
26093 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
26094 -+ {
26095 -+ .ctl_name = CTL_UNNUMBERED,
26096 -+ .procname = "chroot_execlog",
26097 -+ .data = &grsec_enable_chroot_execlog,
26098 -+ .maxlen = sizeof(int),
26099 -+ .mode = 0600,
26100 -+ .proc_handler = &proc_dointvec,
26101 -+ },
26102 -+#endif
26103 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
26104 -+ {
26105 -+ .ctl_name = CTL_UNNUMBERED,
26106 -+ .procname = "chroot_caps",
26107 -+ .data = &grsec_enable_chroot_caps,
26108 -+ .maxlen = sizeof(int),
26109 -+ .mode = 0600,
26110 -+ .proc_handler = &proc_dointvec,
26111 -+ },
26112 -+#endif
26113 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
26114 -+ {
26115 -+ .ctl_name = CTL_UNNUMBERED,
26116 -+ .procname = "chroot_deny_sysctl",
26117 -+ .data = &grsec_enable_chroot_sysctl,
26118 -+ .maxlen = sizeof(int),
26119 -+ .mode = 0600,
26120 -+ .proc_handler = &proc_dointvec,
26121 -+ },
26122 -+#endif
26123 -+#ifdef CONFIG_GRKERNSEC_TPE
26124 -+ {
26125 -+ .ctl_name = CTL_UNNUMBERED,
26126 -+ .procname = "tpe",
26127 -+ .data = &grsec_enable_tpe,
26128 -+ .maxlen = sizeof(int),
26129 -+ .mode = 0600,
26130 -+ .proc_handler = &proc_dointvec,
26131 -+ },
26132 -+ {
26133 -+ .ctl_name = CTL_UNNUMBERED,
26134 -+ .procname = "tpe_gid",
26135 -+ .data = &grsec_tpe_gid,
26136 -+ .maxlen = sizeof(int),
26137 -+ .mode = 0600,
26138 -+ .proc_handler = &proc_dointvec,
26139 -+ },
26140 -+#endif
26141 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
26142 -+ {
26143 -+ .ctl_name = CTL_UNNUMBERED,
26144 -+ .procname = "tpe_restrict_all",
26145 -+ .data = &grsec_enable_tpe_all,
26146 -+ .maxlen = sizeof(int),
26147 -+ .mode = 0600,
26148 -+ .proc_handler = &proc_dointvec,
26149 -+ },
26150 -+#endif
26151 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
26152 -+ {
26153 -+ .ctl_name = CTL_UNNUMBERED,
26154 -+ .procname = "socket_all",
26155 -+ .data = &grsec_enable_socket_all,
26156 -+ .maxlen = sizeof(int),
26157 -+ .mode = 0600,
26158 -+ .proc_handler = &proc_dointvec,
26159 -+ },
26160 -+ {
26161 -+ .ctl_name = CTL_UNNUMBERED,
26162 -+ .procname = "socket_all_gid",
26163 -+ .data = &grsec_socket_all_gid,
26164 -+ .maxlen = sizeof(int),
26165 -+ .mode = 0600,
26166 -+ .proc_handler = &proc_dointvec,
26167 -+ },
26168 -+#endif
26169 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
26170 -+ {
26171 -+ .ctl_name = CTL_UNNUMBERED,
26172 -+ .procname = "socket_client",
26173 -+ .data = &grsec_enable_socket_client,
26174 -+ .maxlen = sizeof(int),
26175 -+ .mode = 0600,
26176 -+ .proc_handler = &proc_dointvec,
26177 -+ },
26178 -+ {
26179 -+ .ctl_name = CTL_UNNUMBERED,
26180 -+ .procname = "socket_client_gid",
26181 -+ .data = &grsec_socket_client_gid,
26182 -+ .maxlen = sizeof(int),
26183 -+ .mode = 0600,
26184 -+ .proc_handler = &proc_dointvec,
26185 -+ },
26186 -+#endif
26187 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
26188 -+ {
26189 -+ .ctl_name = CTL_UNNUMBERED,
26190 -+ .procname = "socket_server",
26191 -+ .data = &grsec_enable_socket_server,
26192 -+ .maxlen = sizeof(int),
26193 -+ .mode = 0600,
26194 -+ .proc_handler = &proc_dointvec,
26195 -+ },
26196 -+ {
26197 -+ .ctl_name = CTL_UNNUMBERED,
26198 -+ .procname = "socket_server_gid",
26199 -+ .data = &grsec_socket_server_gid,
26200 -+ .maxlen = sizeof(int),
26201 -+ .mode = 0600,
26202 -+ .proc_handler = &proc_dointvec,
26203 -+ },
26204 -+#endif
26205 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
26206 -+ {
26207 -+ .ctl_name = CTL_UNNUMBERED,
26208 -+ .procname = "audit_group",
26209 -+ .data = &grsec_enable_group,
26210 -+ .maxlen = sizeof(int),
26211 -+ .mode = 0600,
26212 -+ .proc_handler = &proc_dointvec,
26213 -+ },
26214 -+ {
26215 -+ .ctl_name = CTL_UNNUMBERED,
26216 -+ .procname = "audit_gid",
26217 -+ .data = &grsec_audit_gid,
26218 -+ .maxlen = sizeof(int),
26219 -+ .mode = 0600,
26220 -+ .proc_handler = &proc_dointvec,
26221 -+ },
26222 -+#endif
26223 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
26224 -+ {
26225 -+ .ctl_name = CTL_UNNUMBERED,
26226 -+ .procname = "audit_chdir",
26227 -+ .data = &grsec_enable_chdir,
26228 -+ .maxlen = sizeof(int),
26229 -+ .mode = 0600,
26230 -+ .proc_handler = &proc_dointvec,
26231 -+ },
26232 -+#endif
26233 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
26234 -+ {
26235 -+ .ctl_name = CTL_UNNUMBERED,
26236 -+ .procname = "audit_mount",
26237 -+ .data = &grsec_enable_mount,
26238 -+ .maxlen = sizeof(int),
26239 -+ .mode = 0600,
26240 -+ .proc_handler = &proc_dointvec,
26241 -+ },
26242 -+#endif
26243 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
26244 -+ {
26245 -+ .ctl_name = CTL_UNNUMBERED,
26246 -+ .procname = "audit_ipc",
26247 -+ .data = &grsec_enable_audit_ipc,
26248 -+ .maxlen = sizeof(int),
26249 -+ .mode = 0600,
26250 -+ .proc_handler = &proc_dointvec,
26251 -+ },
26252 -+#endif
26253 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
26254 -+ {
26255 -+ .ctl_name = CTL_UNNUMBERED,
26256 -+ .procname = "audit_textrel",
26257 -+ .data = &grsec_enable_audit_textrel,
26258 -+ .maxlen = sizeof(int),
26259 -+ .mode = 0600,
26260 -+ .proc_handler = &proc_dointvec,
26261 -+ },
26262 -+#endif
26263 -+#ifdef CONFIG_GRKERNSEC_DMESG
26264 -+ {
26265 -+ .ctl_name = CTL_UNNUMBERED,
26266 -+ .procname = "dmesg",
26267 -+ .data = &grsec_enable_dmesg,
26268 -+ .maxlen = sizeof(int),
26269 -+ .mode = 0600,
26270 -+ .proc_handler = &proc_dointvec,
26271 -+ },
26272 -+#endif
26273 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
26274 -+ {
26275 -+ .ctl_name = CTL_UNNUMBERED,
26276 -+ .procname = "chroot_findtask",
26277 -+ .data = &grsec_enable_chroot_findtask,
26278 -+ .maxlen = sizeof(int),
26279 -+ .mode = 0600,
26280 -+ .proc_handler = &proc_dointvec,
26281 -+ },
26282 -+#endif
26283 -+#ifdef CONFIG_GRKERNSEC_RESLOG
26284 -+ {
26285 -+ .ctl_name = CTL_UNNUMBERED,
26286 -+ .procname = "resource_logging",
26287 -+ .data = &grsec_resource_logging,
26288 -+ .maxlen = sizeof(int),
26289 -+ .mode = 0600,
26290 -+ .proc_handler = &proc_dointvec,
26291 -+ },
26292 -+#endif
26293 -+ {
26294 -+ .ctl_name = CTL_UNNUMBERED,
26295 -+ .procname = "grsec_lock",
26296 -+ .data = &grsec_lock,
26297 -+ .maxlen = sizeof(int),
26298 -+ .mode = 0600,
26299 -+ .proc_handler = &proc_dointvec,
26300 -+ },
26301 -+#endif
26302 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
26303 -+ {
26304 -+ .ctl_name = CTL_UNNUMBERED,
26305 -+ .procname = "disable_modules",
26306 -+ .data = &grsec_modstop,
26307 -+ .maxlen = sizeof(int),
26308 -+ .mode = 0600,
26309 -+ .proc_handler = &proc_dointvec,
26310 -+ },
26311 -+#endif
26312 -+ { .ctl_name = 0 }
26313 -+};
26314 -+#endif
26315 -+
26316 -+int gr_check_modstop(void)
26317 -+{
26318 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
26319 -+ if (grsec_modstop == 1) {
26320 -+ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
26321 -+ return 1;
26322 -+ }
26323 -+#endif
26324 -+ return 0;
26325 -+}
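Review bot: every entry in this table is registered with plain proc_dointvec and no extra1/extra2 bounds, so the enable flags (tpe, socket_all, chroot_caps, dmesg, ...) accept any integer and the gid fields (tpe_gid, socket_all_gid, socket_client_gid, socket_server_gid, audit_gid) accept negative values; gr_check_modstop then only honours `grsec_modstop == 1`, so `echo 2 > disable_modules` silently leaves module loading enabled. Either bound the flags to 0..1 with proc_dointvec_minmax or test `grsec_modstop` for non-zero, so a write cannot be a no-op. The help text for GRKERNSEC_MODSTOP also promises that no further writes are accepted once disable_modules is set, but nothing in this handler enforces that; if the write-once behaviour is implemented in the sysctl core elsewhere in the patch, a comment on the "disable_modules" entry should say so.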
26326 -diff -urNp linux-2.6.24.4/grsecurity/grsec_textrel.c linux-2.6.24.4/grsecurity/grsec_textrel.c
26327 ---- linux-2.6.24.4/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
26328 -+++ linux-2.6.24.4/grsecurity/grsec_textrel.c 2008-03-26 17:56:56.000000000 -0400
26329 -@@ -0,0 +1,16 @@
26330 -+#include <linux/kernel.h>
26331 -+#include <linux/sched.h>
26332 -+#include <linux/mm.h>
26333 -+#include <linux/file.h>
26334 -+#include <linux/grinternal.h>
26335 -+#include <linux/grsecurity.h>
26336 -+
26337 -+void
26338 -+gr_log_textrel(struct vm_area_struct * vma)
26339 -+{
26340 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
26341 -+ if (grsec_enable_audit_textrel)
26342 -+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
26343 -+#endif
26344 -+ return;
26345 -+}
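Review bot: gr_log_textrel hands `vma->vm_file` to the log formatter unconditionally; a text relocation only makes sense for a file-backed mapping, but there is no guard here, so any caller that reaches this with an anonymous VMA passes a NULL file into gr_log_textrel_ulong_ulong. Guarding with `if (grsec_enable_audit_textrel && vma->vm_file)` keeps the logger safe regardless of how the caller is changed later.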
26346 -diff -urNp linux-2.6.24.4/grsecurity/grsec_time.c linux-2.6.24.4/grsecurity/grsec_time.c
26347 ---- linux-2.6.24.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
26348 -+++ linux-2.6.24.4/grsecurity/grsec_time.c 2008-03-26 17:56:56.000000000 -0400
26349 -@@ -0,0 +1,13 @@
26350 -+#include <linux/kernel.h>
26351 -+#include <linux/sched.h>
26352 -+#include <linux/grinternal.h>
26353 -+
26354 -+void
26355 -+gr_log_timechange(void)
26356 -+{
26357 -+#ifdef CONFIG_GRKERNSEC_TIME
26358 -+ if (grsec_enable_time)
26359 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
26360 -+#endif
26361 -+ return;
26362 -+}
26363 -diff -urNp linux-2.6.24.4/grsecurity/grsec_tpe.c linux-2.6.24.4/grsecurity/grsec_tpe.c
26364 ---- linux-2.6.24.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
26365 -+++ linux-2.6.24.4/grsecurity/grsec_tpe.c 2008-03-26 17:56:56.000000000 -0400
26366 -@@ -0,0 +1,37 @@
26367 -+#include <linux/kernel.h>
26368 -+#include <linux/sched.h>
26369 -+#include <linux/file.h>
26370 -+#include <linux/fs.h>
26371 -+#include <linux/grinternal.h>
26372 -+
26373 -+extern int gr_acl_tpe_check(void);
26374 -+
26375 -+int
26376 -+gr_tpe_allow(const struct file *file)
26377 -+{
26378 -+#ifdef CONFIG_GRKERNSEC
26379 -+ struct inode *inode = file->f_dentry->d_parent->d_inode;
26380 -+
26381 -+ if (current->uid && ((grsec_enable_tpe &&
26382 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
26383 -+ !in_group_p(grsec_tpe_gid)
26384 -+#else
26385 -+ in_group_p(grsec_tpe_gid)
26386 -+#endif
26387 -+ ) || gr_acl_tpe_check()) &&
26388 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
26389 -+ (inode->i_mode & S_IWOTH))))) {
26390 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
26391 -+ return 0;
26392 -+ }
26393 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
26394 -+ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
26395 -+ ((inode->i_uid && (inode->i_uid != current->uid)) ||
26396 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
26397 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
26398 -+ return 0;
26399 -+ }
26400 -+#endif
26401 -+#endif
26402 -+ return 1;
26403 -+}
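Review bot: in the first condition the term `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` carries a redundant `!inode->i_uid &&` (it is only evaluated when i_uid is already 0) and reads more clearly as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`. More importantly, both checks inspect only the immediate parent directory via `file->f_dentry->d_parent->d_inode`, read without dcache_lock or RCU, so a parent that is concurrently renamed or chowned can change under the check, and a root-owned, non-writable directory beneath a user-writable ancestor still passes TPE. Note also that `grsec_enable_tpe` and `grsec_tpe_gid` are used under `#ifdef CONFIG_GRKERNSEC` rather than `CONFIG_GRKERNSEC_TPE`, so they must be defined even when TPE is not configured; a comment pointing at where they live would help the next reader.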
26404 -diff -urNp linux-2.6.24.4/grsecurity/grsum.c linux-2.6.24.4/grsecurity/grsum.c
26405 ---- linux-2.6.24.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
26406 -+++ linux-2.6.24.4/grsecurity/grsum.c 2008-03-26 17:56:56.000000000 -0400
26407 -@@ -0,0 +1,59 @@
26408 -+#include <linux/err.h>
26409 -+#include <linux/kernel.h>
26410 -+#include <linux/sched.h>
26411 -+#include <linux/mm.h>
26412 -+#include <linux/scatterlist.h>
26413 -+#include <linux/crypto.h>
26414 -+#include <linux/gracl.h>
26415 -+
26416 -+
26417 -+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
26418 -+#error "crypto and sha256 must be built into the kernel"
26419 -+#endif
26420 -+
26421 -+int
26422 -+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
26423 -+{
26424 -+ char *p;
26425 -+ struct crypto_hash *tfm;
26426 -+ struct hash_desc desc;
26427 -+ struct scatterlist sg;
26428 -+ unsigned char temp_sum[GR_SHA_LEN];
26429 -+ volatile int retval = 0;
26430 -+ volatile int dummy = 0;
26431 -+ unsigned int i;
26432 -+
26433 -+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
26434 -+ if (IS_ERR(tfm)) {
26435 -+ /* should never happen, since sha256 should be built in */
26436 -+ return 1;
26437 -+ }
26438 -+
26439 -+ desc.tfm = tfm;
26440 -+ desc.flags = 0;
26441 -+
26442 -+ crypto_hash_init(&desc);
26443 -+
26444 -+ p = salt;
26445 -+ sg_set_buf(&sg, p, GR_SALT_LEN);
26446 -+ crypto_hash_update(&desc, &sg, sg.length);
26447 -+
26448 -+ p = entry->pw;
26449 -+ sg_set_buf(&sg, p, strlen(p));
26450 -+
26451 -+ crypto_hash_update(&desc, &sg, sg.length);
26452 -+
26453 -+ crypto_hash_final(&desc, temp_sum);
26454 -+
26455 -+ memset(entry->pw, 0, GR_PW_LEN);
26456 -+
26457 -+ for (i = 0; i < GR_SHA_LEN; i++)
26458 -+ if (sum[i] != temp_sum[i])
26459 -+ retval = 1;
26460 -+ else
26461 -+ dummy = 1; // waste a cycle
26462 -+
26463 -+ crypto_free_hash(tfm);
26464 -+
26465 -+ return retval;
26466 -+}
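Review bot: the second sg_set_buf uses `strlen(p)` on `entry->pw`, a user-supplied buffer, and so trusts that it is NUL-terminated within GR_PW_LEN; the later `memset(entry->pw, 0, GR_PW_LEN)` already treats GR_PW_LEN as the buffer size, so `strnlen(p, GR_PW_LEN)` bounds the read consistently. The `dummy = 1; // waste a cycle` branch is meant to make the comparison constant-time, but a data-dependent branch on a volatile gives no such guarantee; accumulate the difference instead, e.g. `retval |= sum[i] ^ temp_sum[i];` over all GR_SHA_LEN bytes and return `retval != 0`. The return values of crypto_hash_init, crypto_hash_update and crypto_hash_final are also discarded; a failure there should be treated as a mismatch rather than compared against an uninitialised temp_sum.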
26467 -diff -urNp linux-2.6.24.4/grsecurity/Kconfig linux-2.6.24.4/grsecurity/Kconfig
26468 ---- linux-2.6.24.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
26469 -+++ linux-2.6.24.4/grsecurity/Kconfig 2008-03-26 17:56:56.000000000 -0400
26470 -@@ -0,0 +1,861 @@
26471 -+#
26472 -+# grecurity configuration
26473 -+#
26474 -+
26475 -+menu "Grsecurity"
26476 -+
26477 -+config GRKERNSEC
26478 -+ bool "Grsecurity"
26479 -+ select CRYPTO
26480 -+ select CRYPTO_SHA256
26481 -+ select SECURITY
26482 -+ select SECURITY_CAPABILITIES
26483 -+ help
26484 -+ If you say Y here, you will be able to configure many features
26485 -+ that will enhance the security of your system. It is highly
26486 -+ recommended that you say Y here and read through the help
26487 -+ for each option so that you fully understand the features and
26488 -+ can evaluate their usefulness for your machine.
26489 -+
26490 -+choice
26491 -+ prompt "Security Level"
26492 -+ depends on GRKERNSEC
26493 -+ default GRKERNSEC_CUSTOM
26494 -+
26495 -+config GRKERNSEC_LOW
26496 -+ bool "Low"
26497 -+ select GRKERNSEC_LINK
26498 -+ select GRKERNSEC_FIFO
26499 -+ select GRKERNSEC_EXECVE
26500 -+ select GRKERNSEC_RANDNET
26501 -+ select GRKERNSEC_DMESG
26502 -+ select GRKERNSEC_CHROOT_CHDIR
26503 -+ select GRKERNSEC_MODSTOP if (MODULES)
26504 -+
26505 -+ help
26506 -+ If you choose this option, several of the grsecurity options will
26507 -+ be enabled that will give you greater protection against a number
26508 -+ of attacks, while assuring that none of your software will have any
26509 -+ conflicts with the additional security measures. If you run a lot
26510 -+ of unusual software, or you are having problems with the higher
26511 -+ security levels, you should say Y here. With this option, the
26512 -+ following features are enabled:
26513 -+
26514 -+ - Linking restrictions
26515 -+ - FIFO restrictions
26516 -+ - Enforcing RLIMIT_NPROC on execve
26517 -+ - Restricted dmesg
26518 -+ - Enforced chdir("/") on chroot
26519 -+ - Runtime module disabling
26520 -+
26521 -+config GRKERNSEC_MEDIUM
26522 -+ bool "Medium"
26523 -+ select PAX
26524 -+ select PAX_EI_PAX
26525 -+ select PAX_PT_PAX_FLAGS
26526 -+ select PAX_HAVE_ACL_FLAGS
26527 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
26528 -+ select GRKERNSEC_CHROOT_SYSCTL
26529 -+ select GRKERNSEC_LINK
26530 -+ select GRKERNSEC_FIFO
26531 -+ select GRKERNSEC_EXECVE
26532 -+ select GRKERNSEC_DMESG
26533 -+ select GRKERNSEC_RANDNET
26534 -+ select GRKERNSEC_FORKFAIL
26535 -+ select GRKERNSEC_TIME
26536 -+ select GRKERNSEC_SIGNAL
26537 -+ select GRKERNSEC_CHROOT
26538 -+ select GRKERNSEC_CHROOT_UNIX
26539 -+ select GRKERNSEC_CHROOT_MOUNT
26540 -+ select GRKERNSEC_CHROOT_PIVOT
26541 -+ select GRKERNSEC_CHROOT_DOUBLE
26542 -+ select GRKERNSEC_CHROOT_CHDIR
26543 -+ select GRKERNSEC_CHROOT_MKNOD
26544 -+ select GRKERNSEC_PROC
26545 -+ select GRKERNSEC_PROC_USERGROUP
26546 -+ select GRKERNSEC_MODSTOP if (MODULES)
26547 -+ select PAX_RANDUSTACK
26548 -+ select PAX_ASLR
26549 -+ select PAX_RANDMMAP
26550 -+
26551 -+ help
26552 -+ If you say Y here, several features in addition to those included
26553 -+ in the low additional security level will be enabled. These
26554 -+ features provide even more security to your system, though in rare
26555 -+ cases they may be incompatible with very old or poorly written
26556 -+ software. If you enable this option, make sure that your auth
26557 -+ service (identd) is running as gid 1001. With this option,
26558 -+ the following features (in addition to those provided in the
26559 -+ low additional security level) will be enabled:
26560 -+
26561 -+ - Failed fork logging
26562 -+ - Time change logging
26563 -+ - Signal logging
26564 -+ - Deny mounts in chroot
26565 -+ - Deny double chrooting
26566 -+ - Deny sysctl writes in chroot
26567 -+ - Deny mknod in chroot
26568 -+ - Deny access to abstract AF_UNIX sockets out of chroot
26569 -+ - Deny pivot_root in chroot
26570 -+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
26571 -+ - /proc restrictions with special GID set to 10 (usually wheel)
26572 -+ - Address Space Layout Randomization (ASLR)
26573 -+
26574 -+config GRKERNSEC_HIGH
26575 -+ bool "High"
26576 -+ select GRKERNSEC_LINK
26577 -+ select GRKERNSEC_FIFO
26578 -+ select GRKERNSEC_EXECVE
26579 -+ select GRKERNSEC_DMESG
26580 -+ select GRKERNSEC_FORKFAIL
26581 -+ select GRKERNSEC_TIME
26582 -+ select GRKERNSEC_SIGNAL
26583 -+ select GRKERNSEC_CHROOT_SHMAT
26584 -+ select GRKERNSEC_CHROOT_UNIX
26585 -+ select GRKERNSEC_CHROOT_MOUNT
26586 -+ select GRKERNSEC_CHROOT_FCHDIR
26587 -+ select GRKERNSEC_CHROOT_PIVOT
26588 -+ select GRKERNSEC_CHROOT_DOUBLE
26589 -+ select GRKERNSEC_CHROOT_CHDIR
26590 -+ select GRKERNSEC_CHROOT_MKNOD
26591 -+ select GRKERNSEC_CHROOT_CAPS
26592 -+ select GRKERNSEC_CHROOT_SYSCTL
26593 -+ select GRKERNSEC_CHROOT_FINDTASK
26594 -+ select GRKERNSEC_PROC
26595 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
26596 -+ select GRKERNSEC_HIDESYM
26597 -+ select GRKERNSEC_BRUTE
26598 -+ select GRKERNSEC_PROC_USERGROUP
26599 -+ select GRKERNSEC_KMEM
26600 -+ select GRKERNSEC_RESLOG
26601 -+ select GRKERNSEC_RANDNET
26602 -+ select GRKERNSEC_PROC_ADD
26603 -+ select GRKERNSEC_CHROOT_CHMOD
26604 -+ select GRKERNSEC_CHROOT_NICE
26605 -+ select GRKERNSEC_AUDIT_MOUNT
26606 -+ select GRKERNSEC_MODSTOP if (MODULES)
26607 -+ select PAX
26608 -+ select PAX_RANDUSTACK
26609 -+ select PAX_ASLR
26610 -+ select PAX_RANDMMAP
26611 -+ select PAX_NOEXEC
26612 -+ select PAX_MPROTECT
26613 -+ select PAX_EI_PAX
26614 -+ select PAX_PT_PAX_FLAGS
26615 -+ select PAX_HAVE_ACL_FLAGS
26616 -+ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
26617 -+ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
26618 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
26619 -+ select PAX_SEGMEXEC if (X86 && !X86_64)
26620 -+ select PAX_PAGEEXEC if (!X86)
26621 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
26622 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
26623 -+ select PAX_SYSCALL if (PPC32)
26624 -+ select PAX_EMUTRAMP if (PARISC)
26625 -+ select PAX_EMUSIGRT if (PARISC)
26626 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
26627 -+ help
26628 -+ If you say Y here, many of the features of grsecurity will be
26629 -+ enabled, which will protect you against many kinds of attacks
26630 -+ against your system. The heightened security comes at a cost
26631 -+ of an increased chance of incompatibilities with rare software
26632 -+ on your machine. Since this security level enables PaX, you should
26633 -+ view <http://pax.grsecurity.net> and read about the PaX
26634 -+ project. While you are there, download chpax and run it on
26635 -+ binaries that cause problems with PaX. Also remember that
26636 -+ since the /proc restrictions are enabled, you must run your
26637 -+ identd as gid 1001. This security level enables the following
26638 -+ features in addition to those listed in the low and medium
26639 -+ security levels:
26640 -+
26641 -+ - Additional /proc restrictions
26642 -+ - Chmod restrictions in chroot
26643 -+ - No signals, ptrace, or viewing of processes outside of chroot
26644 -+ - Capability restrictions in chroot
26645 -+ - Deny fchdir out of chroot
26646 -+ - Priority restrictions in chroot
26647 -+ - Segmentation-based implementation of PaX
26648 -+ - Mprotect restrictions
26649 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
26650 -+ - Kernel stack randomization
26651 -+ - Mount/unmount/remount logging
26652 -+ - Kernel symbol hiding
26653 -+ - Prevention of memory exhaustion-based exploits
26654 -+config GRKERNSEC_CUSTOM
26655 -+ bool "Custom"
26656 -+ help
26657 -+ If you say Y here, you will be able to configure every grsecurity
26658 -+ option, which allows you to enable many more features that aren't
26659 -+ covered in the basic security levels. These additional features
26660 -+ include TPE, socket restrictions, and the sysctl system for
26661 -+ grsecurity. It is advised that you read through the help for
26662 -+ each option to determine its usefulness in your situation.
26663 -+
26664 -+endchoice
26665 -+
26666 -+menu "Address Space Protection"
26667 -+depends on GRKERNSEC
26668 -+
26669 -+config GRKERNSEC_KMEM
26670 -+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
26671 -+ help
26672 -+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
26673 -+ be written to via mmap or otherwise to modify the running kernel.
26674 -+ /dev/port will also not be allowed to be opened. If you have module
26675 -+ support disabled, enabling this will close up four ways that are
26676 -+ currently used to insert malicious code into the running kernel.
26677 -+ Even with all these features enabled, we still highly recommend that
26678 -+ you use the RBAC system, as it is still possible for an attacker to
26679 -+ modify the running kernel through privileged I/O granted by ioperm/iopl.
26680 -+ If you are not using XFree86, you may be able to stop this additional
26681 -+ case by enabling the 'Disable privileged I/O' option. Though nothing
26682 -+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
26683 -+ but only to video memory, which is the only writing we allow in this
26684 -+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
26685 -+ not be allowed to mprotect it with PROT_WRITE later.
26686 -+ It is highly recommended that you say Y here if you meet all the
26687 -+ conditions above.
26688 -+
26689 -+config GRKERNSEC_IO
26690 -+ bool "Disable privileged I/O"
26691 -+ depends on X86
26692 -+ select RTC
26693 -+ help
26694 -+ If you say Y here, all ioperm and iopl calls will return an error.
26695 -+ Ioperm and iopl can be used to modify the running kernel.
26696 -+ Unfortunately, some programs need this access to operate properly,
26697 -+ the most notable of which are XFree86 and hwclock. hwclock can be
26698 -+ remedied by having RTC support in the kernel, so CONFIG_RTC is
26699 -+ enabled if this option is enabled, to ensure that hwclock operates
26700 -+ correctly. XFree86 still will not operate correctly with this option
26701 -+ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
26702 -+ and you still want to protect your kernel against modification,
26703 -+ use the RBAC system.
26704 -+
26705 -+config GRKERNSEC_PROC_MEMMAP
26706 -+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
26707 -+ depends on PAX_NOEXEC || PAX_ASLR
26708 -+ help
26709 -+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
26710 -+ give no information about the addresses of its mappings if
26711 -+ PaX features that rely on random addresses are enabled on the task.
26712 -+ If you use PaX it is greatly recommended that you say Y here as it
26713 -+ closes up a hole that makes the full ASLR useless for suid
26714 -+ binaries.
26715 -+
26716 -+config GRKERNSEC_BRUTE
26717 -+ bool "Deter exploit bruteforcing"
26718 -+ help
26719 -+ If you say Y here, attempts to bruteforce exploits against forking
26720 -+ daemons such as apache or sshd will be deterred. When a child of a
26721 -+ forking daemon is killed by PaX or crashes due to an illegal
26722 -+ instruction, the parent process will be delayed 30 seconds upon every
26723 -+ subsequent fork until the administrator is able to assess the
26724 -+ situation and restart the daemon. It is recommended that you also
26725 -+ enable signal logging in the auditing section so that logs are
26726 -+ generated when a process performs an illegal instruction.
26727 -+
26728 -+config GRKERNSEC_MODSTOP
26729 -+ bool "Runtime module disabling"
26730 -+ depends on MODULES
26731 -+ help
26732 -+ If you say Y here, you will be able to disable the ability to (un)load
26733 -+ modules at runtime. This feature is useful if you need the ability
26734 -+ to load kernel modules at boot time, but do not want to allow an
26735 -+ attacker to load a rootkit kernel module into the system, or to remove
26736 -+ a loaded kernel module important to system functioning. You should
26737 -+ enable the /dev/mem protection feature as well, since rootkits can be
26738 -+ inserted into the kernel via other methods than kernel modules. Since
26739 -+ an untrusted module could still be loaded by modifying init scripts and
26740 -+ rebooting the system, it is also recommended that you enable the RBAC
26741 -+ system. If you enable this option, a sysctl option with name
26742 -+ "disable_modules" will be created. Setting this option to "1" disables
26743 -+ module loading. After this option is set, no further writes to it are
26744 -+ allowed until the system is rebooted.
26745 -+
26746 -+config GRKERNSEC_HIDESYM
26747 -+ bool "Hide kernel symbols"
26748 -+ help
26749 -+ If you say Y here, getting information on loaded modules, and
26750 -+ displaying all kernel symbols through a syscall will be restricted
26751 -+ to users with CAP_SYS_MODULE. This option is only effective
26752 -+ provided the following conditions are met:
26753 -+ 1) The kernel using grsecurity is not precompiled by some distribution
26754 -+ 2) You are using the RBAC system and hiding other files such as your
26755 -+ kernel image and System.map
26756 -+ 3) You have the additional /proc restrictions enabled, which removes
26757 -+ /proc/kcore
26758 -+ If the above conditions are met, this option will aid to provide a
26759 -+ useful protection against local and remote kernel exploitation of
26760 -+ overflows and arbitrary read/write vulnerabilities.
26761 -+
26762 -+endmenu
26763 -+menu "Role Based Access Control Options"
26764 -+depends on GRKERNSEC
26765 -+
26766 -+config GRKERNSEC_ACL_HIDEKERN
26767 -+ bool "Hide kernel processes"
26768 -+ help
26769 -+ If you say Y here, all kernel threads will be hidden to all
26770 -+ processes but those whose subject has the "view hidden processes"
26771 -+ flag.
26772 -+
26773 -+config GRKERNSEC_ACL_MAXTRIES
26774 -+ int "Maximum tries before password lockout"
26775 -+ default 3
26776 -+ help
26777 -+ This option enforces the maximum number of times a user can attempt
26778 -+ to authorize themselves with the grsecurity RBAC system before being
26779 -+ denied the ability to attempt authorization again for a specified time.
26780 -+ The lower the number, the harder it will be to brute-force a password.
26781 -+
26782 -+config GRKERNSEC_ACL_TIMEOUT
26783 -+ int "Time to wait after max password tries, in seconds"
26784 -+ default 30
26785 -+ help
26786 -+ This option specifies the time the user must wait after attempting to
26787 -+ authorize to the RBAC system with the maximum number of invalid
26788 -+ passwords. The higher the number, the harder it will be to brute-force
26789 -+ a password.
26790 -+
26791 -+endmenu
26792 -+menu "Filesystem Protections"
26793 -+depends on GRKERNSEC
26794 -+
26795 -+config GRKERNSEC_PROC
26796 -+ bool "Proc restrictions"
26797 -+ help
26798 -+ If you say Y here, the permissions of the /proc filesystem
26799 -+ will be altered to enhance system security and privacy. You MUST
26800 -+ choose either a user only restriction or a user and group restriction.
26801 -+ Depending upon the option you choose, you can either restrict users to
26802 -+ see only the processes they themselves run, or choose a group that can
26803 -+ view all processes and files normally restricted to root if you choose
26804 -+ the "restrict to user only" option. NOTE: If you're running identd as
26805 -+ a non-root user, you will have to run it as the group you specify here.
26806 -+
26807 -+config GRKERNSEC_PROC_USER
26808 -+ bool "Restrict /proc to user only"
26809 -+ depends on GRKERNSEC_PROC
26810 -+ help
26811 -+ If you say Y here, non-root users will only be able to view their own
26812 -+ processes, and restricts them from viewing network-related information,
26813 -+ and viewing kernel symbol and module information.
26814 -+
26815 -+config GRKERNSEC_PROC_USERGROUP
26816 -+ bool "Allow special group"
26817 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
26818 -+ help
26819 -+ If you say Y here, you will be able to select a group that will be
26820 -+ able to view all processes, network-related information, and
26821 -+ kernel and symbol information. This option is useful if you want
26822 -+ to run identd as a non-root user.
26823 -+
26824 -+config GRKERNSEC_PROC_GID
26825 -+ int "GID for special group"
26826 -+ depends on GRKERNSEC_PROC_USERGROUP
26827 -+ default 1001
26828 -+
26829 -+config GRKERNSEC_PROC_ADD
26830 -+ bool "Additional restrictions"
26831 -+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
26832 -+ help
26833 -+ If you say Y here, additional restrictions will be placed on
26834 -+ /proc that keep normal users from viewing device information and
26835 -+ slabinfo information that could be useful for exploits.
26836 -+
26837 -+config GRKERNSEC_LINK
26838 -+ bool "Linking restrictions"
26839 -+ help
26840 -+ If you say Y here, /tmp race exploits will be prevented, since users
26841 -+ will no longer be able to follow symlinks owned by other users in
26842 -+ world-writable +t directories (i.e. /tmp), unless the owner of the
26843 -+ symlink is the owner of the directory. users will also not be
26844 -+ able to hardlink to files they do not own. If the sysctl option is
26845 -+ enabled, a sysctl option with name "linking_restrictions" is created.
26846 -+
26847 -+config GRKERNSEC_FIFO
26848 -+ bool "FIFO restrictions"
26849 -+ help
26850 -+ If you say Y here, users will not be able to write to FIFOs they don't
26851 -+ own in world-writable +t directories (i.e. /tmp), unless the owner of
26852 -+ the FIFO is the same owner of the directory it's held in. If the sysctl
26853 -+ option is enabled, a sysctl option with name "fifo_restrictions" is
26854 -+ created.
26855 -+
26856 -+config GRKERNSEC_CHROOT
26857 -+ bool "Chroot jail restrictions"
26858 -+ help
26859 -+ If you say Y here, you will be able to choose several options that will
26860 -+ make breaking out of a chrooted jail much more difficult. If you
26861 -+ encounter no software incompatibilities with the following options, it
26862 -+ is recommended that you enable each one.
26863 -+
26864 -+config GRKERNSEC_CHROOT_MOUNT
26865 -+ bool "Deny mounts"
26866 -+ depends on GRKERNSEC_CHROOT
26867 -+ help
26868 -+ If you say Y here, processes inside a chroot will not be able to
26869 -+ mount or remount filesystems. If the sysctl option is enabled, a
26870 -+ sysctl option with name "chroot_deny_mount" is created.
26871 -+
26872 -+config GRKERNSEC_CHROOT_DOUBLE
26873 -+ bool "Deny double-chroots"
26874 -+ depends on GRKERNSEC_CHROOT
26875 -+ help
26876 -+ If you say Y here, processes inside a chroot will not be able to chroot
26877 -+ again outside the chroot. This is a widely used method of breaking
26878 -+ out of a chroot jail and should not be allowed. If the sysctl
26879 -+ option is enabled, a sysctl option with name
26880 -+ "chroot_deny_chroot" is created.
26881 -+
26882 -+config GRKERNSEC_CHROOT_PIVOT
26883 -+ bool "Deny pivot_root in chroot"
26884 -+ depends on GRKERNSEC_CHROOT
26885 -+ help
26886 -+ If you say Y here, processes inside a chroot will not be able to use
26887 -+ a function called pivot_root() that was introduced in Linux 2.3.41. It
26888 -+ works similar to chroot in that it changes the root filesystem. This
26889 -+ function could be misused in a chrooted process to attempt to break out
26890 -+ of the chroot, and therefore should not be allowed. If the sysctl
26891 -+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
26892 -+ created.
26893 -+
26894 -+config GRKERNSEC_CHROOT_CHDIR
26895 -+ bool "Enforce chdir(\"/\") on all chroots"
26896 -+ depends on GRKERNSEC_CHROOT
26897 -+ help
26898 -+ If you say Y here, the current working directory of all newly-chrooted
26899 -+ applications will be set to the the root directory of the chroot.
26900 -+ The man page on chroot(2) states:
26901 -+ Note that this call does not change the current working
26902 -+ directory, so that `.' can be outside the tree rooted at
26903 -+ `/'. In particular, the super-user can escape from a
26904 -+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
26905 -+
26906 -+ It is recommended that you say Y here, since it's not known to break
26907 -+ any software. If the sysctl option is enabled, a sysctl option with
26908 -+ name "chroot_enforce_chdir" is created.
26909 -+
26910 -+config GRKERNSEC_CHROOT_CHMOD
26911 -+ bool "Deny (f)chmod +s"
26912 -+ depends on GRKERNSEC_CHROOT
26913 -+ help
26914 -+ If you say Y here, processes inside a chroot will not be able to chmod
26915 -+ or fchmod files to make them have suid or sgid bits. This protects
26916 -+ against another published method of breaking a chroot. If the sysctl
26917 -+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
26918 -+ created.
26919 -+
26920 -+config GRKERNSEC_CHROOT_FCHDIR
26921 -+ bool "Deny fchdir out of chroot"
26922 -+ depends on GRKERNSEC_CHROOT
26923 -+ help
26924 -+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
26925 -+ to a file descriptor of the chrooting process that points to a directory
26926 -+ outside the filesystem will be stopped. If the sysctl option
26927 -+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
26928 -+
26929 -+config GRKERNSEC_CHROOT_MKNOD
26930 -+ bool "Deny mknod"
26931 -+ depends on GRKERNSEC_CHROOT
26932 -+ help
26933 -+ If you say Y here, processes inside a chroot will not be allowed to
26934 -+ mknod. The problem with using mknod inside a chroot is that it
26935 -+ would allow an attacker to create a device entry that is the same
26936 -+ as one on the physical root of your system, which could range from
26937 -+ anything from the console device to a device for your harddrive (which
26938 -+ they could then use to wipe the drive or steal data). It is recommended
26939 -+ that you say Y here, unless you run into software incompatibilities.
26940 -+ If the sysctl option is enabled, a sysctl option with name
26941 -+ "chroot_deny_mknod" is created.
26942 -+
26943 -+config GRKERNSEC_CHROOT_SHMAT
26944 -+ bool "Deny shmat() out of chroot"
26945 -+ depends on GRKERNSEC_CHROOT
26946 -+ help
26947 -+ If you say Y here, processes inside a chroot will not be able to attach
26948 -+ to shared memory segments that were created outside of the chroot jail.
26949 -+ It is recommended that you say Y here. If the sysctl option is enabled,
26950 -+ a sysctl option with name "chroot_deny_shmat" is created.
26951 -+
26952 -+config GRKERNSEC_CHROOT_UNIX
26953 -+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
26954 -+ depends on GRKERNSEC_CHROOT
26955 -+ help
26956 -+ If you say Y here, processes inside a chroot will not be able to
26957 -+ connect to abstract (meaning not belonging to a filesystem) Unix
26958 -+ domain sockets that were bound outside of a chroot. It is recommended
26959 -+ that you say Y here. If the sysctl option is enabled, a sysctl option
26960 -+ with name "chroot_deny_unix" is created.
26961 -+
26962 -+config GRKERNSEC_CHROOT_FINDTASK
26963 -+ bool "Protect outside processes"
26964 -+ depends on GRKERNSEC_CHROOT
26965 -+ help
26966 -+ If you say Y here, processes inside a chroot will not be able to
26967 -+ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
26968 -+ or view any process outside of the chroot. If the sysctl
26969 -+ option is enabled, a sysctl option with name "chroot_findtask" is
26970 -+ created.
26971 -+
26972 -+config GRKERNSEC_CHROOT_NICE
26973 -+ bool "Restrict priority changes"
26974 -+ depends on GRKERNSEC_CHROOT
26975 -+ help
26976 -+ If you say Y here, processes inside a chroot will not be able to raise
26977 -+ the priority of processes in the chroot, or alter the priority of
26978 -+ processes outside the chroot. This provides more security than simply
26979 -+ removing CAP_SYS_NICE from the process' capability set. If the
26980 -+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
26981 -+ is created.
26982 -+
26983 -+config GRKERNSEC_CHROOT_SYSCTL
26984 -+ bool "Deny sysctl writes"
26985 -+ depends on GRKERNSEC_CHROOT
26986 -+ help
26987 -+ If you say Y here, an attacker in a chroot will not be able to
26988 -+ write to sysctl entries, either by sysctl(2) or through a /proc
26989 -+ interface. It is strongly recommended that you say Y here. If the
26990 -+ sysctl option is enabled, a sysctl option with name
26991 -+ "chroot_deny_sysctl" is created.
26992 -+
26993 -+config GRKERNSEC_CHROOT_CAPS
26994 -+ bool "Capability restrictions"
26995 -+ depends on GRKERNSEC_CHROOT
26996 -+ help
26997 -+ If you say Y here, the capabilities on all root processes within a
26998 -+ chroot jail will be lowered to stop module insertion, raw i/o,
26999 -+ system and net admin tasks, rebooting the system, modifying immutable
27000 -+ files, modifying IPC owned by another, and changing the system time.
27001 -+ This is left an option because it can break some apps. Disable this
27002 -+ if your chrooted apps are having problems performing those kinds of
27003 -+ tasks. If the sysctl option is enabled, a sysctl option with
27004 -+ name "chroot_caps" is created.
27005 -+
27006 -+endmenu
27007 -+menu "Kernel Auditing"
27008 -+depends on GRKERNSEC
27009 -+
27010 -+config GRKERNSEC_AUDIT_GROUP
27011 -+ bool "Single group for auditing"
27012 -+ help
27013 -+ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
27014 -+ will only operate on a group you specify. This option is recommended
27015 -+ if you only want to watch certain users instead of having a large
27016 -+ amount of logs from the entire system. If the sysctl option is enabled,
27017 -+ a sysctl option with name "audit_group" is created.
27018 -+
27019 -+config GRKERNSEC_AUDIT_GID
27020 -+ int "GID for auditing"
27021 -+ depends on GRKERNSEC_AUDIT_GROUP
27022 -+ default 1007
27023 -+
27024 -+config GRKERNSEC_EXECLOG
27025 -+ bool "Exec logging"
27026 -+ help
27027 -+ If you say Y here, all execve() calls will be logged (since the
27028 -+ other exec*() calls are frontends to execve(), all execution
27029 -+ will be logged). Useful for shell-servers that like to keep track
27030 -+ of their users. If the sysctl option is enabled, a sysctl option with
27031 -+ name "exec_logging" is created.
27032 -+ WARNING: This option when enabled will produce a LOT of logs, especially
27033 -+ on an active system.
27034 -+
27035 -+config GRKERNSEC_RESLOG
27036 -+ bool "Resource logging"
27037 -+ help
27038 -+ If you say Y here, all attempts to overstep resource limits will
27039 -+ be logged with the resource name, the requested size, and the current
27040 -+ limit. It is highly recommended that you say Y here. If the sysctl
27041 -+ option is enabled, a sysctl option with name "resource_logging" is
27042 -+ created. If the RBAC system is enabled, the sysctl value is ignored.
27043 -+
27044 -+config GRKERNSEC_CHROOT_EXECLOG
27045 -+ bool "Log execs within chroot"
27046 -+ help
27047 -+ If you say Y here, all executions inside a chroot jail will be logged
27048 -+ to syslog. This can cause a large amount of logs if certain
27049 -+ applications (eg. djb's daemontools) are installed on the system, and
27050 -+ is therefore left as an option. If the sysctl option is enabled, a
27051 -+ sysctl option with name "chroot_execlog" is created.
27052 -+
27053 -+config GRKERNSEC_AUDIT_CHDIR
27054 -+ bool "Chdir logging"
27055 -+ help
27056 -+ If you say Y here, all chdir() calls will be logged. If the sysctl
27057 -+ option is enabled, a sysctl option with name "audit_chdir" is created.
27058 -+
27059 -+config GRKERNSEC_AUDIT_MOUNT
27060 -+ bool "(Un)Mount logging"
27061 -+ help
27062 -+ If you say Y here, all mounts and unmounts will be logged. If the
27063 -+ sysctl option is enabled, a sysctl option with name "audit_mount" is
27064 -+ created.
27065 -+
27066 -+config GRKERNSEC_AUDIT_IPC
27067 -+ bool "IPC logging"
27068 -+ help
27069 -+ If you say Y here, creation and removal of message queues, semaphores,
27070 -+ and shared memory will be logged. If the sysctl option is enabled, a
27071 -+ sysctl option with name "audit_ipc" is created.
27072 -+
27073 -+config GRKERNSEC_SIGNAL
27074 -+ bool "Signal logging"
27075 -+ help
27076 -+ If you say Y here, certain important signals will be logged, such as
27077 -+ SIGSEGV, which will as a result inform you of when a error in a program
27078 -+ occurred, which in some cases could mean a possible exploit attempt.
27079 -+ If the sysctl option is enabled, a sysctl option with name
27080 -+ "signal_logging" is created.
27081 -+
27082 -+config GRKERNSEC_FORKFAIL
27083 -+ bool "Fork failure logging"
27084 -+ help
27085 -+ If you say Y here, all failed fork() attempts will be logged.
27086 -+ This could suggest a fork bomb, or someone attempting to overstep
27087 -+ their process limit. If the sysctl option is enabled, a sysctl option
27088 -+ with name "forkfail_logging" is created.
27089 -+
27090 -+config GRKERNSEC_TIME
27091 -+ bool "Time change logging"
27092 -+ help
27093 -+ If you say Y here, any changes of the system clock will be logged.
27094 -+ If the sysctl option is enabled, a sysctl option with name
27095 -+ "timechange_logging" is created.
27096 -+
27097 -+config GRKERNSEC_PROC_IPADDR
27098 -+ bool "/proc/<pid>/ipaddr support"
27099 -+ help
27100 -+ If you say Y here, a new entry will be added to each /proc/<pid>
27101 -+ directory that contains the IP address of the person using the task.
27102 -+ The IP is carried across local TCP and AF_UNIX stream sockets.
27103 -+ This information can be useful for IDS/IPSes to perform remote response
27104 -+ to a local attack. The entry is readable by only the owner of the
27105 -+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
27106 -+ the RBAC system), and thus does not create privacy concerns.
27107 -+
27108 -+config GRKERNSEC_AUDIT_TEXTREL
27109 -+ bool 'ELF text relocations logging (READ HELP)'
27110 -+ depends on PAX_MPROTECT
27111 -+ help
27112 -+ If you say Y here, text relocations will be logged with the filename
27113 -+ of the offending library or binary. The purpose of the feature is
27114 -+ to help Linux distribution developers get rid of libraries and
27115 -+ binaries that need text relocations which hinder the future progress
27116 -+ of PaX. Only Linux distribution developers should say Y here, and
27117 -+ never on a production machine, as this option creates an information
27118 -+ leak that could aid an attacker in defeating the randomization of
27119 -+ a single memory region. If the sysctl option is enabled, a sysctl
27120 -+ option with name "audit_textrel" is created.
27121 -+
27122 -+endmenu
27123 -+
27124 -+menu "Executable Protections"
27125 -+depends on GRKERNSEC
27126 -+
27127 -+config GRKERNSEC_EXECVE
27128 -+ bool "Enforce RLIMIT_NPROC on execs"
27129 -+ help
27130 -+ If you say Y here, users with a resource limit on processes will
27131 -+ have the value checked during execve() calls. The current system
27132 -+ only checks the system limit during fork() calls. If the sysctl option
27133 -+ is enabled, a sysctl option with name "execve_limiting" is created.
27134 -+
27135 -+config GRKERNSEC_DMESG
27136 -+ bool "Dmesg(8) restriction"
27137 -+ help
27138 -+ If you say Y here, non-root users will not be able to use dmesg(8)
27139 -+ to view up to the last 4kb of messages in the kernel's log buffer.
27140 -+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
27141 -+ created.
27142 -+
27143 -+config GRKERNSEC_TPE
27144 -+ bool "Trusted Path Execution (TPE)"
27145 -+ help
27146 -+ If you say Y here, you will be able to choose a gid to add to the
27147 -+ supplementary groups of users you want to mark as "untrusted."
27148 -+ These users will not be able to execute any files that are not in
27149 -+ root-owned directories writable only by root. If the sysctl option
27150 -+ is enabled, a sysctl option with name "tpe" is created.
27151 -+
27152 -+config GRKERNSEC_TPE_ALL
27153 -+ bool "Partially restrict non-root users"
27154 -+ depends on GRKERNSEC_TPE
27155 -+ help
27156 -+ If you say Y here, All non-root users other than the ones in the
27157 -+ group specified in the main TPE option will only be allowed to
27158 -+ execute files in directories they own that are not group or
27159 -+ world-writable, or in directories owned by root and writable only by
27160 -+ root. If the sysctl option is enabled, a sysctl option with name
27161 -+ "tpe_restrict_all" is created.
27162 -+
27163 -+config GRKERNSEC_TPE_INVERT
27164 -+ bool "Invert GID option"
27165 -+ depends on GRKERNSEC_TPE
27166 -+ help
27167 -+ If you say Y here, the group you specify in the TPE configuration will
27168 -+ decide what group TPE restrictions will be *disabled* for. This
27169 -+ option is useful if you want TPE restrictions to be applied to most
27170 -+ users on the system.
27171 -+
27172 -+config GRKERNSEC_TPE_GID
27173 -+ int "GID for untrusted users"
27174 -+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
27175 -+ default 1005
27176 -+ help
27177 -+ If you have selected the "Invert GID option" above, setting this
27178 -+ GID determines what group TPE restrictions will be *disabled* for.
27179 -+ If you have not selected the "Invert GID option" above, setting this
27180 -+ GID determines what group TPE restrictions will be *enabled* for.
27181 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
27182 -+ is created.
27183 -+
27184 -+config GRKERNSEC_TPE_GID
27185 -+ int "GID for trusted users"
27186 -+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
27187 -+ default 1005
27188 -+ help
27189 -+ If you have selected the "Invert GID option" above, setting this
27190 -+ GID determines what group TPE restrictions will be *disabled* for.
27191 -+ If you have not selected the "Invert GID option" above, setting this
27192 -+ GID determines what group TPE restrictions will be *enabled* for.
27193 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
27194 -+ is created.
27195 -+
27196 -+endmenu
27197 -+menu "Network Protections"
27198 -+depends on GRKERNSEC
27199 -+
27200 -+config GRKERNSEC_RANDNET
27201 -+ bool "Larger entropy pools"
27202 -+ help
27203 -+ If you say Y here, the entropy pools used for many features of Linux
27204 -+ and grsecurity will be doubled in size. Since several grsecurity
27205 -+ features use additional randomness, it is recommended that you say Y
27206 -+ here. Saying Y here has a similar effect as modifying
27207 -+ /proc/sys/kernel/random/poolsize.
27208 -+
27209 -+config GRKERNSEC_SOCKET
27210 -+ bool "Socket restrictions"
27211 -+ help
27212 -+ If you say Y here, you will be able to choose from several options.
27213 -+ If you assign a GID on your system and add it to the supplementary
27214 -+ groups of users you want to restrict socket access to, this patch
27215 -+ will perform up to three things, based on the option(s) you choose.
27216 -+
27217 -+config GRKERNSEC_SOCKET_ALL
27218 -+ bool "Deny any sockets to group"
27219 -+ depends on GRKERNSEC_SOCKET
27220 -+ help
27221 -+ If you say Y here, you will be able to choose a GID of whose users will
27222 -+ be unable to connect to other hosts from your machine or run server
27223 -+ applications from your machine. If the sysctl option is enabled, a
27224 -+ sysctl option with name "socket_all" is created.
27225 -+
27226 -+config GRKERNSEC_SOCKET_ALL_GID
27227 -+ int "GID to deny all sockets for"
27228 -+ depends on GRKERNSEC_SOCKET_ALL
27229 -+ default 1004
27230 -+ help
27231 -+ Here you can choose the GID to disable socket access for. Remember to
27232 -+ add the users you want socket access disabled for to the GID
27233 -+ specified here. If the sysctl option is enabled, a sysctl option
27234 -+ with name "socket_all_gid" is created.
27235 -+
27236 -+config GRKERNSEC_SOCKET_CLIENT
27237 -+ bool "Deny client sockets to group"
27238 -+ depends on GRKERNSEC_SOCKET
27239 -+ help
27240 -+ If you say Y here, you will be able to choose a GID of whose users will
27241 -+ be unable to connect to other hosts from your machine, but will be
27242 -+ able to run servers. If this option is enabled, all users in the group
27243 -+ you specify will have to use passive mode when initiating ftp transfers
27244 -+ from the shell on your machine. If the sysctl option is enabled, a
27245 -+ sysctl option with name "socket_client" is created.
27246 -+
27247 -+config GRKERNSEC_SOCKET_CLIENT_GID
27248 -+ int "GID to deny client sockets for"
27249 -+ depends on GRKERNSEC_SOCKET_CLIENT
27250 -+ default 1003
27251 -+ help
27252 -+ Here you can choose the GID to disable client socket access for.
27253 -+ Remember to add the users you want client socket access disabled for to
27254 -+ the GID specified here. If the sysctl option is enabled, a sysctl
27255 -+ option with name "socket_client_gid" is created.
27256 -+
27257 -+config GRKERNSEC_SOCKET_SERVER
27258 -+ bool "Deny server sockets to group"
27259 -+ depends on GRKERNSEC_SOCKET
27260 -+ help
27261 -+ If you say Y here, you will be able to choose a GID of whose users will
27262 -+ be unable to run server applications from your machine. If the sysctl
27263 -+ option is enabled, a sysctl option with name "socket_server" is created.
27264 -+
27265 -+config GRKERNSEC_SOCKET_SERVER_GID
27266 -+ int "GID to deny server sockets for"
27267 -+ depends on GRKERNSEC_SOCKET_SERVER
27268 -+ default 1002
27269 -+ help
27270 -+ Here you can choose the GID to disable server socket access for.
27271 -+ Remember to add the users you want server socket access disabled for to
27272 -+ the GID specified here. If the sysctl option is enabled, a sysctl
27273 -+ option with name "socket_server_gid" is created.
27274 -+
27275 -+endmenu
27276 -+menu "Sysctl support"
27277 -+depends on GRKERNSEC && SYSCTL
27278 -+
27279 -+config GRKERNSEC_SYSCTL
27280 -+ bool "Sysctl support"
27281 -+ help
27282 -+ If you say Y here, you will be able to change the options that
27283 -+ grsecurity runs with at bootup, without having to recompile your
27284 -+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
27285 -+ to enable (1) or disable (0) various features. All the sysctl entries
27286 -+ are mutable until the "grsec_lock" entry is set to a non-zero value.
27287 -+ All features enabled in the kernel configuration are disabled at boot
27288 -+ if you do not say Y to the "Turn on features by default" option.
27289 -+ All options should be set at startup, and the grsec_lock entry should
27290 -+ be set to a non-zero value after all the options are set.
27291 -+ *THIS IS EXTREMELY IMPORTANT*
27292 -+
27293 -+config GRKERNSEC_SYSCTL_ON
27294 -+ bool "Turn on features by default"
27295 -+ depends on GRKERNSEC_SYSCTL
27296 -+ help
27297 -+ If you say Y here, instead of having all features enabled in the
27298 -+ kernel configuration disabled at boot time, the features will be
27299 -+ enabled at boot time. It is recommended you say Y here unless
27300 -+ there is some reason you would want all sysctl-tunable features to
27301 -+ be disabled by default. As mentioned elsewhere, it is important
27302 -+ to enable the grsec_lock entry once you have finished modifying
27303 -+ the sysctl entries.
27304 -+
27305 -+endmenu
27306 -+menu "Logging Options"
27307 -+depends on GRKERNSEC
27308 -+
27309 -+config GRKERNSEC_FLOODTIME
27310 -+ int "Seconds in between log messages (minimum)"
27311 -+ default 10
27312 -+ help
27313 -+ This option allows you to enforce the number of seconds between
27314 -+ grsecurity log messages. The default should be suitable for most
27315 -+ people, however, if you choose to change it, choose a value small enough
27316 -+ to allow informative logs to be produced, but large enough to
27317 -+ prevent flooding.
27318 -+
27319 -+config GRKERNSEC_FLOODBURST
27320 -+ int "Number of messages in a burst (maximum)"
27321 -+ default 4
27322 -+ help
27323 -+ This option allows you to choose the maximum number of messages allowed
27324 -+ within the flood time interval you chose in a separate option. The
27325 -+ default should be suitable for most people, however if you find that
27326 -+ many of your logs are being interpreted as flooding, you may want to
27327 -+ raise this value.
27328 -+
27329 -+endmenu
27330 -+
27331 -+endmenu
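Review bot: GRKERNSEC_TPE_GID is declared twice in this hunk (once with `depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT` and prompt "GID for untrusted users", once with `depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT` and prompt "GID for trusted users"), and both copies carry the same two-way help text describing the inverted and non-inverted cases, so the help never matches the prompt the user actually sees; since each copy is only reachable under one value of GRKERNSEC_TPE_INVERT, trim each help to its own case. Two smaller documentation points in the same hunk: the GRKERNSEC_CHROOT_FCHDIR help says the descriptor "points to a directory outside the filesystem" where the intent is outside the chroot, and the GRKERNSEC_CHROOT_CHDIR help reads "the the root directory". The chroot sysctl names are also inconsistent ("chroot_findtask", "chroot_caps", "chroot_restrict_nice" beside the "chroot_deny_*" pattern used by the rest), and the GRKERNSEC_AUDIT_TEXTREL prompt uses single quotes while every other prompt uses double quotes.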
27332 -diff -urNp linux-2.6.24.4/grsecurity/Makefile linux-2.6.24.4/grsecurity/Makefile
27333 ---- linux-2.6.24.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
27334 -+++ linux-2.6.24.4/grsecurity/Makefile 2008-03-26 17:56:56.000000000 -0400
27335 -@@ -0,0 +1,20 @@
27336 -+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
27337 -+# during 2001-2005 it has been completely redesigned by Brad Spengler
27338 -+# into an RBAC system
27339 -+#
27340 -+# All code in this directory and various hooks inserted throughout the kernel
27341 -+# are copyright Brad Spengler, and released under the GPL v2 or higher
27342 -+
27343 -+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
27344 -+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
27345 -+ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
27346 -+
27347 -+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
27348 -+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
27349 -+ gracl_learn.o grsec_log.o
27350 -+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
27351 -+
27352 -+ifndef CONFIG_GRKERNSEC
27353 -+obj-y += grsec_disabled.o
27354 -+endif
27355 -+
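Review bot: the first `obj-y` list (grsec_chdir.o through grsec_textrel.o) is built unconditionally while the second group is gated on CONFIG_GRKERNSEC and grsec_disabled.o is added only when it is unset, but nothing in the file says why those fourteen objects must be compiled into a kernel with grsecurity disabled (presumably they supply the no-op bodies for hooks that the rest of the patch inserts into the kernel unconditionally). A one-line comment above `obj-y =` stating that, or moving any object not needed in the disabled case to the `obj-$(CONFIG_GRKERNSEC)` line, would make the intent checkable. The hunk also ends with a trailing empty added line that could be dropped.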
27356 -diff -urNp linux-2.6.24.4/include/acpi/acpiosxf.h linux-2.6.24.4/include/acpi/acpiosxf.h
27357 ---- linux-2.6.24.4/include/acpi/acpiosxf.h 2008-03-24 14:49:18.000000000 -0400
27358 -+++ linux-2.6.24.4/include/acpi/acpiosxf.h 2008-03-26 17:56:56.000000000 -0400
27359 -@@ -219,7 +219,7 @@ acpi_os_write_memory(acpi_physical_addre
27360 - */
27361 - acpi_status
27362 - acpi_os_read_pci_configuration(struct acpi_pci_id *pci_id,
27363 -- u32 reg, void *value, u32 width);
27364 -+ u32 reg, u32 *value, u32 width);
27365 -
27366 - acpi_status
27367 - acpi_os_write_pci_configuration(struct acpi_pci_id *pci_id,
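Review bot: changing the `value` parameter of acpi_os_read_pci_configuration from `void *` to `u32 *` tightens the prototype, but this hunk only touches the declaration; the definition and every caller that currently passes a `void *` (or a u8/u16 buffer) must change in the same patch or the build breaks. Because the `width` argument is unchanged, it is also worth confirming that the implementation rejects widths above 32, since a 64-bit read into a `u32` would now overflow the caller's storage rather than being a caller-supplied buffer choice.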
27368 -diff -urNp linux-2.6.24.4/include/asm-alpha/a.out.h linux-2.6.24.4/include/asm-alpha/a.out.h
27369 ---- linux-2.6.24.4/include/asm-alpha/a.out.h 2008-03-24 14:49:18.000000000 -0400
27370 -+++ linux-2.6.24.4/include/asm-alpha/a.out.h 2008-03-26 17:56:56.000000000 -0400
27371 -@@ -98,7 +98,7 @@ struct exec
27372 - set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
27373 - ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
27374 -
27375 --#define STACK_TOP \
27376 -+#define __STACK_TOP \
27377 - (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
27378 -
27379 - #define STACK_TOP_MAX 0x00120000000UL
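Review bot: renaming STACK_TOP to __STACK_TOP removes the only STACK_TOP definition from this header while STACK_TOP_MAX keeps its literal value, so the build now relies on a common header defining STACK_TOP in terms of __STACK_TOP (presumably where PaX applies stack randomisation); that definition is not in this hunk and should be named in a comment next to the rename. The same rename appears in the asm-arm and asm-avr32 a.out.h hunks below, and the avr32 one additionally redefines STACK_TOP_MAX as __STACK_TOP, which differs from alpha and arm where STACK_TOP_MAX stays a fixed value; the three should be reconciled or the difference explained.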
27380 -diff -urNp linux-2.6.24.4/include/asm-alpha/elf.h linux-2.6.24.4/include/asm-alpha/elf.h
27381 ---- linux-2.6.24.4/include/asm-alpha/elf.h 2008-03-24 14:49:18.000000000 -0400
27382 -+++ linux-2.6.24.4/include/asm-alpha/elf.h 2008-03-26 17:56:56.000000000 -0400
27383 -@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
27384 -
27385 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
27386 -
27387 -+#ifdef CONFIG_PAX_ASLR
27388 -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
27389 -+
27390 -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27391 -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
27392 -+#endif
27393 -+
27394 - /* $0 is set by ld.so to a pointer to a function which might be
27395 - registered using atexit. This provides a mean for the dynamic
27396 - linker to call DT_FINI functions for shared libraries that have
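Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are added as bare numbers (14 or 28, and 14 or 19, selected by ADDR_LIMIT_32BIT) with no comment saying that they are counts of random bits applied above the page shift or how each value was chosen for the two address-space sizes; a comment naming the usable address-space width each value is derived from would let a reviewer check the arithmetic instead of trusting the constants. The asm-arm, asm-avr32 and asm-ia64 elf.h hunks below have the same gap.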
27397 -diff -urNp linux-2.6.24.4/include/asm-alpha/kmap_types.h linux-2.6.24.4/include/asm-alpha/kmap_types.h
27398 ---- linux-2.6.24.4/include/asm-alpha/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27399 -+++ linux-2.6.24.4/include/asm-alpha/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27400 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
27401 - D(10) KM_IRQ1,
27402 - D(11) KM_SOFTIRQ0,
27403 - D(12) KM_SOFTIRQ1,
27404 --D(13) KM_TYPE_NR
27405 -+D(13) KM_CLEARPAGE,
27406 -+D(14) KM_TYPE_NR
27407 - };
27408 -
27409 - #undef D
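Review bot: KM_CLEARPAGE is inserted before KM_TYPE_NR in every kmap_types.h shown in this section (alpha, arm, avr32, blackfin, cris, frv, h8300, ia64), so KM_TYPE_NR grows by one on each; if the enumerator is referenced from generic code, any architecture whose kmap_types.h is not patched will fail to compile there, so the patch's file list should be checked against the full set of per-arch kmap_types.h files. For the D()-style enums (alpha, avr32, ia64) the explicit indices are renumbered consistently (13/14 and 14/15).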
27410 -diff -urNp linux-2.6.24.4/include/asm-alpha/pgtable.h linux-2.6.24.4/include/asm-alpha/pgtable.h
27411 ---- linux-2.6.24.4/include/asm-alpha/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27412 -+++ linux-2.6.24.4/include/asm-alpha/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27413 -@@ -101,6 +101,17 @@ struct vm_area_struct;
27414 - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
27415 - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
27416 - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
27417 -+
27418 -+#ifdef CONFIG_PAX_PAGEEXEC
27419 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
27420 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
27421 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
27422 -+#else
27423 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27424 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27425 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27426 -+#endif
27427 -+
27428 - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
27429 -
27430 - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
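Review bot: in the `#else` branch PAGE_SHARED_NOEXEC, PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC silently alias the executable PAGE_SHARED, PAGE_COPY and PAGE_READONLY, so a caller asking for a non-executable mapping on a non-PAGEEXEC kernel gets an executable one with no indication; that is a deliberate fallback, but a short comment on the `#else` saying so would stop a later reader from assuming the _NOEXEC names always carry _PAGE_FOE. Note also that PAGE_COPY and PAGE_READONLY are already identical in this hunk, so the two NOEXEC variants are identical too.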
27431 -diff -urNp linux-2.6.24.4/include/asm-arm/a.out.h linux-2.6.24.4/include/asm-arm/a.out.h
27432 ---- linux-2.6.24.4/include/asm-arm/a.out.h 2008-03-24 14:49:18.000000000 -0400
27433 -+++ linux-2.6.24.4/include/asm-arm/a.out.h 2008-03-26 17:56:56.000000000 -0400
27434 -@@ -28,7 +28,7 @@ struct exec
27435 - #define M_ARM 103
27436 -
27437 - #ifdef __KERNEL__
27438 --#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
27439 -+#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
27440 - TASK_SIZE : TASK_SIZE_26)
27441 - #define STACK_TOP_MAX TASK_SIZE
27442 - #endif
27443 -diff -urNp linux-2.6.24.4/include/asm-arm/elf.h linux-2.6.24.4/include/asm-arm/elf.h
27444 ---- linux-2.6.24.4/include/asm-arm/elf.h 2008-03-24 14:49:18.000000000 -0400
27445 -+++ linux-2.6.24.4/include/asm-arm/elf.h 2008-03-26 17:56:56.000000000 -0400
27446 -@@ -88,7 +88,14 @@ extern char elf_platform[];
27447 - the loader. We need to make sure that it is out of the way of the program
27448 - that it will "exec", and that there is sufficient room for the brk. */
27449 -
27450 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27451 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27452 -+
27453 -+#ifdef CONFIG_PAX_ASLR
27454 -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
27455 -+
27456 -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
27457 -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
27458 -+#endif
27459 -
27460 - /* When the program starts, a1 contains a pointer to a function to be
27461 - registered with atexit, as per the SVR4 ABI. A value of 0 means we
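Review bot: rewriting ELF_ET_DYN_BASE from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` changes the result in two ways the hunk does not explain: it avoids overflow when `2 * TASK_SIZE` exceeds unsigned long on a 32-bit address space (the likely motivation), and it discards the remainder of `TASK_SIZE / 3` before multiplying, so the value can differ from the old one by up to two bytes when TASK_SIZE is not a multiple of three. A comment giving the overflow reason belongs on the line; the same rewrite appears in the asm-avr32 elf.h hunk below.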
27462 -diff -urNp linux-2.6.24.4/include/asm-arm/kmap_types.h linux-2.6.24.4/include/asm-arm/kmap_types.h
27463 ---- linux-2.6.24.4/include/asm-arm/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27464 -+++ linux-2.6.24.4/include/asm-arm/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27465 -@@ -18,6 +18,7 @@ enum km_type {
27466 - KM_IRQ1,
27467 - KM_SOFTIRQ0,
27468 - KM_SOFTIRQ1,
27469 -+ KM_CLEARPAGE,
27470 - KM_TYPE_NR
27471 - };
27472 -
27473 -diff -urNp linux-2.6.24.4/include/asm-avr32/a.out.h linux-2.6.24.4/include/asm-avr32/a.out.h
27474 ---- linux-2.6.24.4/include/asm-avr32/a.out.h 2008-03-24 14:49:18.000000000 -0400
27475 -+++ linux-2.6.24.4/include/asm-avr32/a.out.h 2008-03-26 17:56:56.000000000 -0400
27476 -@@ -19,8 +19,8 @@ struct exec
27477 -
27478 - #ifdef __KERNEL__
27479 -
27480 --#define STACK_TOP TASK_SIZE
27481 --#define STACK_TOP_MAX STACK_TOP
27482 -+#define __STACK_TOP TASK_SIZE
27483 -+#define STACK_TOP_MAX __STACK_TOP
27484 -
27485 - #endif
27486 -
27487 -diff -urNp linux-2.6.24.4/include/asm-avr32/elf.h linux-2.6.24.4/include/asm-avr32/elf.h
27488 ---- linux-2.6.24.4/include/asm-avr32/elf.h 2008-03-24 14:49:18.000000000 -0400
27489 -+++ linux-2.6.24.4/include/asm-avr32/elf.h 2008-03-26 17:56:56.000000000 -0400
27490 -@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
27491 - the loader. We need to make sure that it is out of the way of the program
27492 - that it will "exec", and that there is sufficient room for the brk. */
27493 -
27494 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27495 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27496 -
27497 -+#ifdef CONFIG_PAX_ASLR
27498 -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
27499 -+
27500 -+#define PAX_DELTA_MMAP_LEN 15
27501 -+#define PAX_DELTA_STACK_LEN 15
27502 -+#endif
27503 -
27504 - /* This yields a mask that user programs can use to figure out what
27505 - instruction set this CPU supports. This could be done in user space,
27506 -diff -urNp linux-2.6.24.4/include/asm-avr32/kmap_types.h linux-2.6.24.4/include/asm-avr32/kmap_types.h
27507 ---- linux-2.6.24.4/include/asm-avr32/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27508 -+++ linux-2.6.24.4/include/asm-avr32/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27509 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
27510 - D(11) KM_IRQ1,
27511 - D(12) KM_SOFTIRQ0,
27512 - D(13) KM_SOFTIRQ1,
27513 --D(14) KM_TYPE_NR
27514 -+D(14) KM_CLEARPAGE,
27515 -+D(15) KM_TYPE_NR
27516 - };
27517 -
27518 - #undef D
27519 -diff -urNp linux-2.6.24.4/include/asm-blackfin/kmap_types.h linux-2.6.24.4/include/asm-blackfin/kmap_types.h
27520 ---- linux-2.6.24.4/include/asm-blackfin/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27521 -+++ linux-2.6.24.4/include/asm-blackfin/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27522 -@@ -15,6 +15,7 @@ enum km_type {
27523 - KM_IRQ1,
27524 - KM_SOFTIRQ0,
27525 - KM_SOFTIRQ1,
27526 -+ KM_CLEARPAGE,
27527 - KM_TYPE_NR
27528 - };
27529 -
27530 -diff -urNp linux-2.6.24.4/include/asm-cris/kmap_types.h linux-2.6.24.4/include/asm-cris/kmap_types.h
27531 ---- linux-2.6.24.4/include/asm-cris/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27532 -+++ linux-2.6.24.4/include/asm-cris/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27533 -@@ -19,6 +19,7 @@ enum km_type {
27534 - KM_IRQ1,
27535 - KM_SOFTIRQ0,
27536 - KM_SOFTIRQ1,
27537 -+ KM_CLEARPAGE,
27538 - KM_TYPE_NR
27539 - };
27540 -
27541 -diff -urNp linux-2.6.24.4/include/asm-frv/kmap_types.h linux-2.6.24.4/include/asm-frv/kmap_types.h
27542 ---- linux-2.6.24.4/include/asm-frv/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27543 -+++ linux-2.6.24.4/include/asm-frv/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27544 -@@ -23,6 +23,7 @@ enum km_type {
27545 - KM_IRQ1,
27546 - KM_SOFTIRQ0,
27547 - KM_SOFTIRQ1,
27548 -+ KM_CLEARPAGE,
27549 - KM_TYPE_NR
27550 - };
27551 -
27552 -diff -urNp linux-2.6.24.4/include/asm-generic/futex.h linux-2.6.24.4/include/asm-generic/futex.h
27553 ---- linux-2.6.24.4/include/asm-generic/futex.h 2008-03-24 14:49:18.000000000 -0400
27554 -+++ linux-2.6.24.4/include/asm-generic/futex.h 2008-03-26 17:56:56.000000000 -0400
27555 -@@ -8,7 +8,7 @@
27556 - #include <asm/uaccess.h>
27557 -
27558 - static inline int
27559 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
27560 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
27561 - {
27562 - int op = (encoded_op >> 28) & 7;
27563 - int cmp = (encoded_op >> 24) & 15;
27564 -@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
27565 - }
27566 -
27567 - static inline int
27568 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
27569 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
27570 - {
27571 - return -ENOSYS;
27572 - }
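Review bot: after these two hunks `uaddr` is a `u32 __user *` while `oldval` and `newval` remain `int`, so the generic prototypes now mix signedness for the same futex word; both stubs only return -ENOSYS here, so nothing breaks, but the per-architecture implementations this header mirrors should use one type (u32 throughout) for uaddr, oldval and newval, otherwise the comparison semantics can differ between architectures.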
27573 -diff -urNp linux-2.6.24.4/include/asm-generic/vmlinux.lds.h linux-2.6.24.4/include/asm-generic/vmlinux.lds.h
27574 ---- linux-2.6.24.4/include/asm-generic/vmlinux.lds.h 2008-03-24 14:49:18.000000000 -0400
27575 -+++ linux-2.6.24.4/include/asm-generic/vmlinux.lds.h 2008-03-26 17:56:56.000000000 -0400
27576 -@@ -23,6 +23,7 @@
27577 - .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
27578 - VMLINUX_SYMBOL(__start_rodata) = .; \
27579 - *(.rodata) *(.rodata.*) \
27580 -+ *(.data.read_only) \
27581 - *(__vermagic) /* Kernel version magic */ \
27582 - *(__markers_strings) /* Markers: strings */ \
27583 - } \
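Review bot: the new `*(.data.read_only)` input section is added without the trailing comment every neighbouring entry carries (`/* Kernel version magic */`, `/* Markers: strings */`); add one stating what places data into .data.read_only (presumably an attribute macro elsewhere in the patch) so a reader of the linker script can find the producer. Because the entry lands inside the .rodata output section, such data is write-protected only on architectures that map .rodata read-only, and that assumption belongs in the same comment.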
27584 -diff -urNp linux-2.6.24.4/include/asm-h8300/kmap_types.h linux-2.6.24.4/include/asm-h8300/kmap_types.h
27585 ---- linux-2.6.24.4/include/asm-h8300/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27586 -+++ linux-2.6.24.4/include/asm-h8300/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27587 -@@ -15,6 +15,7 @@ enum km_type {
27588 - KM_IRQ1,
27589 - KM_SOFTIRQ0,
27590 - KM_SOFTIRQ1,
27591 -+ KM_CLEARPAGE,
27592 - KM_TYPE_NR
27593 - };
27594 -
27595 -diff -urNp linux-2.6.24.4/include/asm-ia64/elf.h linux-2.6.24.4/include/asm-ia64/elf.h
27596 ---- linux-2.6.24.4/include/asm-ia64/elf.h 2008-03-24 14:49:18.000000000 -0400
27597 -+++ linux-2.6.24.4/include/asm-ia64/elf.h 2008-03-26 17:56:56.000000000 -0400
27598 -@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
27599 - typedef struct ia64_fpreg elf_fpreg_t;
27600 - typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
27601 -
27602 -+#ifdef CONFIG_PAX_ASLR
27603 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
27604 -
27605 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27606 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27607 -+#endif
27608 -
27609 - struct pt_regs; /* forward declaration... */
27610 - extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
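Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN for the 64-bit ia64 personality are `3*PAGE_SHIFT - 13`, which gives 23 random bits with 4K pages and 35 with 64K pages; that page-size dependence is not obvious and deserves a comment explaining the budget it is derived from (it reads as a region-size constraint rather than a fixed entropy target). The PER_LINUX32 branch uses 16 bits like the other 32-bit architectures in this patch. Style only: the added block straddles the existing blank line, so the result has a blank between PAX_ELF_ET_DYN_BASE and the DELTA defines, matching the other arch headers.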
27611 -diff -urNp linux-2.6.24.4/include/asm-ia64/kmap_types.h linux-2.6.24.4/include/asm-ia64/kmap_types.h
27612 ---- linux-2.6.24.4/include/asm-ia64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27613 -+++ linux-2.6.24.4/include/asm-ia64/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27614 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27615 - D(10) KM_IRQ1,
27616 - D(11) KM_SOFTIRQ0,
27617 - D(12) KM_SOFTIRQ1,
27618 --D(13) KM_TYPE_NR
27619 -+D(13) KM_CLEARPAGE,
27620 -+D(14) KM_TYPE_NR
27621 - };
27622 -
27623 - #undef D
27624 -diff -urNp linux-2.6.24.4/include/asm-ia64/pgtable.h linux-2.6.24.4/include/asm-ia64/pgtable.h
27625 ---- linux-2.6.24.4/include/asm-ia64/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27626 -+++ linux-2.6.24.4/include/asm-ia64/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27627 -@@ -143,6 +143,17 @@
27628 - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27629 - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27630 - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
27631 -+
27632 -+#ifdef CONFIG_PAX_PAGEEXEC
27633 -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
27634 -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27635 -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27636 -+#else
27637 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27638 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27639 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27640 -+#endif
27641 -+
27642 - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
27643 - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
27644 - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
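Review bot: under CONFIG_PAX_PAGEEXEC the new PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC are bit-for-bit identical to the existing PAGE_READONLY and PAGE_COPY (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so the `#ifdef` only changes anything for PAGE_SHARED_NOEXEC (`_PAGE_AR_RW`). A short comment that ia64's access-rights encoding already makes plain read-only pages non-executable (execute needs `_PAGE_AR_RX`) would save the next reader from hunting for a difference that does not exist.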
27645 -diff -urNp linux-2.6.24.4/include/asm-ia64/processor.h linux-2.6.24.4/include/asm-ia64/processor.h
27646 ---- linux-2.6.24.4/include/asm-ia64/processor.h 2008-03-24 14:49:18.000000000 -0400
27647 -+++ linux-2.6.24.4/include/asm-ia64/processor.h 2008-03-26 17:56:56.000000000 -0400
27648 -@@ -275,7 +275,7 @@ struct thread_struct {
27649 - .on_ustack = 0, \
27650 - .ksp = 0, \
27651 - .map_base = DEFAULT_MAP_BASE, \
27652 -- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27653 -+ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27654 - .task_size = DEFAULT_TASK_SIZE, \
27655 - .last_fph_cpu = -1, \
27656 - INIT_THREAD_IA32 \
27657 -diff -urNp linux-2.6.24.4/include/asm-ia64/ustack.h linux-2.6.24.4/include/asm-ia64/ustack.h
27658 ---- linux-2.6.24.4/include/asm-ia64/ustack.h 2008-03-24 14:49:18.000000000 -0400
27659 -+++ linux-2.6.24.4/include/asm-ia64/ustack.h 2008-03-26 17:56:56.000000000 -0400
27660 -@@ -10,8 +10,8 @@
27661 -
27662 - /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
27663 - #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
27664 --#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27665 --#define STACK_TOP_MAX STACK_TOP
27666 -+#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27667 -+#define STACK_TOP_MAX __STACK_TOP
27668 - #endif
27669 -
27670 - /* Make a default stack size of 2GiB */
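Review bot: together with the processor.h hunk above, this removes the plain STACK_TOP definition from the ia64 headers and leaves only __STACK_TOP, while generic code (fs/exec.c, binfmt_elf) keeps using the unprefixed name. The single STACK_TOP that presumably wraps __STACK_TOP and applies the PaX stack delta is not in this part of the patch, so check that it exists and that every architecture converted here (ia64, mips, parisc, powerpc, sparc, sparc64, x86) gives __STACK_TOP the same meaning: the unrandomised top of the user stack region.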
27671 -diff -urNp linux-2.6.24.4/include/asm-m32r/kmap_types.h linux-2.6.24.4/include/asm-m32r/kmap_types.h
27672 ---- linux-2.6.24.4/include/asm-m32r/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27673 -+++ linux-2.6.24.4/include/asm-m32r/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27674 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
27675 - D(10) KM_IRQ1,
27676 - D(11) KM_SOFTIRQ0,
27677 - D(12) KM_SOFTIRQ1,
27678 --D(13) KM_TYPE_NR
27679 -+D(13) KM_CLEARPAGE,
27680 -+D(14) KM_TYPE_NR
27681 - };
27682 -
27683 - #undef D
27684 -diff -urNp linux-2.6.24.4/include/asm-m68k/kmap_types.h linux-2.6.24.4/include/asm-m68k/kmap_types.h
27685 ---- linux-2.6.24.4/include/asm-m68k/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27686 -+++ linux-2.6.24.4/include/asm-m68k/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27687 -@@ -15,6 +15,7 @@ enum km_type {
27688 - KM_IRQ1,
27689 - KM_SOFTIRQ0,
27690 - KM_SOFTIRQ1,
27691 -+ KM_CLEARPAGE,
27692 - KM_TYPE_NR
27693 - };
27694 -
27695 -diff -urNp linux-2.6.24.4/include/asm-m68knommu/kmap_types.h linux-2.6.24.4/include/asm-m68knommu/kmap_types.h
27696 ---- linux-2.6.24.4/include/asm-m68knommu/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27697 -+++ linux-2.6.24.4/include/asm-m68knommu/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27698 -@@ -15,6 +15,7 @@ enum km_type {
27699 - KM_IRQ1,
27700 - KM_SOFTIRQ0,
27701 - KM_SOFTIRQ1,
27702 -+ KM_CLEARPAGE,
27703 - KM_TYPE_NR
27704 - };
27705 -
27706 -diff -urNp linux-2.6.24.4/include/asm-mips/a.out.h linux-2.6.24.4/include/asm-mips/a.out.h
27707 ---- linux-2.6.24.4/include/asm-mips/a.out.h 2008-03-24 14:49:18.000000000 -0400
27708 -+++ linux-2.6.24.4/include/asm-mips/a.out.h 2008-03-26 17:56:56.000000000 -0400
27709 -@@ -35,10 +35,10 @@ struct exec
27710 - #ifdef __KERNEL__
27711 -
27712 - #ifdef CONFIG_32BIT
27713 --#define STACK_TOP TASK_SIZE
27714 -+#define __STACK_TOP TASK_SIZE
27715 - #endif
27716 - #ifdef CONFIG_64BIT
27717 --#define STACK_TOP \
27718 -+#define __STACK_TOP \
27719 - (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
27720 - #endif
27721 - #define STACK_TOP_MAX TASK_SIZE
27722 -diff -urNp linux-2.6.24.4/include/asm-mips/elf.h linux-2.6.24.4/include/asm-mips/elf.h
27723 ---- linux-2.6.24.4/include/asm-mips/elf.h 2008-03-24 14:49:18.000000000 -0400
27724 -+++ linux-2.6.24.4/include/asm-mips/elf.h 2008-03-26 17:56:56.000000000 -0400
27725 -@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
27726 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27727 - #endif
27728 -
27729 -+#ifdef CONFIG_PAX_ASLR
27730 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
27731 -+
27732 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27733 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27734 -+#endif
27735 -+
27736 - #endif /* _ASM_ELF_H */
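Review bot: both arms of the PAX_ELF_ET_DYN_BASE conditional evaluate to 0x00400000UL, so the `MF_32BIT_ADDR` test is dead code. Either collapse it to the constant or, if the 64-bit base was meant to differ as it does on ia64 and sparc64 in this same patch, fix the second value. The DELTA lengths `27-PAGE_SHIFT` / `36-PAGE_SHIFT` express the randomisation as an address-range budget rather than a bit count; a comment saying so would make the numbers reviewable.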
27737 -diff -urNp linux-2.6.24.4/include/asm-mips/kmap_types.h linux-2.6.24.4/include/asm-mips/kmap_types.h
27738 ---- linux-2.6.24.4/include/asm-mips/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27739 -+++ linux-2.6.24.4/include/asm-mips/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27740 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27741 - D(10) KM_IRQ1,
27742 - D(11) KM_SOFTIRQ0,
27743 - D(12) KM_SOFTIRQ1,
27744 --D(13) KM_TYPE_NR
27745 -+D(13) KM_CLEARPAGE,
27746 -+D(14) KM_TYPE_NR
27747 - };
27748 -
27749 - #undef D
27750 -diff -urNp linux-2.6.24.4/include/asm-mips/page.h linux-2.6.24.4/include/asm-mips/page.h
27751 ---- linux-2.6.24.4/include/asm-mips/page.h 2008-03-24 14:49:18.000000000 -0400
27752 -+++ linux-2.6.24.4/include/asm-mips/page.h 2008-03-26 17:56:56.000000000 -0400
27753 -@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
27754 - #ifdef CONFIG_CPU_MIPS32
27755 - typedef struct { unsigned long pte_low, pte_high; } pte_t;
27756 - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
27757 -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
27758 -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
27759 - #else
27760 - typedef struct { unsigned long long pte; } pte_t;
27761 - #define pte_val(x) ((x).pte)
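Review bot: dropping the `(unsigned long long)` cast in `__pte(x)` makes `(x) >> 32` well-defined only when every caller already passes a 64-bit value; with a 32-bit `unsigned long` argument a shift by 32 is undefined behaviour and gcc warns about it. If the intent is that callers must now supply 64-bit values, state that in a comment next to the macro; otherwise keep the cast.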
27762 -diff -urNp linux-2.6.24.4/include/asm-mips/system.h linux-2.6.24.4/include/asm-mips/system.h
27763 ---- linux-2.6.24.4/include/asm-mips/system.h 2008-03-24 14:49:18.000000000 -0400
27764 -+++ linux-2.6.24.4/include/asm-mips/system.h 2008-03-26 17:56:56.000000000 -0400
27765 -@@ -215,6 +215,6 @@ extern void per_cpu_trap_init(void);
27766 - */
27767 - #define __ARCH_WANT_UNLOCKED_CTXSW
27768 -
27769 --extern unsigned long arch_align_stack(unsigned long sp);
27770 -+#define arch_align_stack(x) (x)
27771 -
27772 - #endif /* _ASM_SYSTEM_H */
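Review bot: replacing arch_align_stack() with an identity macro removes the architecture's own stack-pointer randomisation and the alignment the function applied before returning. Presumably PAX_DELTA_STACK_LEN is meant to take over the randomisation, but the consequences should be spelled out in a comment: a kernel built with this patch and CONFIG_PAX_ASLR disabled has no stack randomisation on MIPS at all, and the stack alignment now depends entirely on the callers. No other architecture in this part of the patch is treated this way, so the asymmetry needs an explanation.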
27773 -diff -urNp linux-2.6.24.4/include/asm-parisc/a.out.h linux-2.6.24.4/include/asm-parisc/a.out.h
27774 ---- linux-2.6.24.4/include/asm-parisc/a.out.h 2008-03-24 14:49:18.000000000 -0400
27775 -+++ linux-2.6.24.4/include/asm-parisc/a.out.h 2008-03-26 17:56:56.000000000 -0400
27776 -@@ -22,7 +22,7 @@ struct exec
27777 - /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
27778 - * prumpf */
27779 -
27780 --#define STACK_TOP TASK_SIZE
27781 -+#define __STACK_TOP TASK_SIZE
27782 - #define STACK_TOP_MAX DEFAULT_TASK_SIZE
27783 -
27784 - #endif
27785 -diff -urNp linux-2.6.24.4/include/asm-parisc/elf.h linux-2.6.24.4/include/asm-parisc/elf.h
27786 ---- linux-2.6.24.4/include/asm-parisc/elf.h 2008-03-24 14:49:18.000000000 -0400
27787 -+++ linux-2.6.24.4/include/asm-parisc/elf.h 2008-03-26 17:56:56.000000000 -0400
27788 -@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
27789 -
27790 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
27791 -
27792 -+#ifdef CONFIG_PAX_ASLR
27793 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
27794 -+
27795 -+#define PAX_DELTA_MMAP_LEN 16
27796 -+#define PAX_DELTA_STACK_LEN 16
27797 -+#endif
27798 -+
27799 - /* This yields a mask that user programs can use to figure out what
27800 - instruction set this CPU supports. This could be done in user space,
27801 - but it's not easy, and we've already done it here. */
27802 -diff -urNp linux-2.6.24.4/include/asm-parisc/kmap_types.h linux-2.6.24.4/include/asm-parisc/kmap_types.h
27803 ---- linux-2.6.24.4/include/asm-parisc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27804 -+++ linux-2.6.24.4/include/asm-parisc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27805 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27806 - D(10) KM_IRQ1,
27807 - D(11) KM_SOFTIRQ0,
27808 - D(12) KM_SOFTIRQ1,
27809 --D(13) KM_TYPE_NR
27810 -+D(13) KM_CLEARPAGE,
27811 -+D(14) KM_TYPE_NR
27812 - };
27813 -
27814 - #undef D
27815 -diff -urNp linux-2.6.24.4/include/asm-parisc/pgtable.h linux-2.6.24.4/include/asm-parisc/pgtable.h
27816 ---- linux-2.6.24.4/include/asm-parisc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27817 -+++ linux-2.6.24.4/include/asm-parisc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27818 -@@ -210,6 +210,17 @@ extern void *vmalloc_start;
27819 - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
27820 - #define PAGE_COPY PAGE_EXECREAD
27821 - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
27822 -+
27823 -+#ifdef CONFIG_PAX_PAGEEXEC
27824 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
27825 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27826 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27827 -+#else
27828 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27829 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27830 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27831 -+#endif
27832 -+
27833 - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
27834 - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
27835 - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
27836 -diff -urNp linux-2.6.24.4/include/asm-powerpc/a.out.h linux-2.6.24.4/include/asm-powerpc/a.out.h
27837 ---- linux-2.6.24.4/include/asm-powerpc/a.out.h 2008-03-24 14:49:18.000000000 -0400
27838 -+++ linux-2.6.24.4/include/asm-powerpc/a.out.h 2008-03-26 17:56:56.000000000 -0400
27839 -@@ -23,15 +23,15 @@ struct exec
27840 - #define STACK_TOP_USER64 TASK_SIZE_USER64
27841 - #define STACK_TOP_USER32 TASK_SIZE_USER32
27842 -
27843 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27844 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27845 - STACK_TOP_USER32 : STACK_TOP_USER64)
27846 -
27847 - #define STACK_TOP_MAX STACK_TOP_USER64
27848 -
27849 - #else /* __powerpc64__ */
27850 -
27851 --#define STACK_TOP TASK_SIZE
27852 --#define STACK_TOP_MAX STACK_TOP
27853 -+#define __STACK_TOP TASK_SIZE
27854 -+#define STACK_TOP_MAX __STACK_TOP
27855 -
27856 - #endif /* __powerpc64__ */
27857 - #endif /* __KERNEL__ */
27858 -diff -urNp linux-2.6.24.4/include/asm-powerpc/elf.h linux-2.6.24.4/include/asm-powerpc/elf.h
27859 ---- linux-2.6.24.4/include/asm-powerpc/elf.h 2008-03-24 14:49:18.000000000 -0400
27860 -+++ linux-2.6.24.4/include/asm-powerpc/elf.h 2008-03-26 17:56:56.000000000 -0400
27861 -@@ -160,6 +160,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
27862 - typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
27863 - #endif
27864 -
27865 -+#ifdef CONFIG_PAX_ASLR
27866 -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
27867 -+
27868 -+#ifdef __powerpc64__
27869 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27870 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27871 -+#else
27872 -+#define PAX_DELTA_MMAP_LEN 15
27873 -+#define PAX_DELTA_STACK_LEN 15
27874 -+#endif
27875 -+#endif
27876 -+
27877 - #ifdef __KERNEL__
27878 - /*
27879 - * This is used to ensure we don't load something for the wrong architecture.
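Review bot: 32-bit powerpc gets 15 bits of mmap and stack delta while the 32-bit personality on powerpc64 gets 16 (and the other 32-bit arches in this patch use 16). If that is deliberate, for example a TASK_SIZE or page-size constraint on ppc32, a comment would help; if not, the values should match.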
27880 -diff -urNp linux-2.6.24.4/include/asm-powerpc/kmap_types.h linux-2.6.24.4/include/asm-powerpc/kmap_types.h
27881 ---- linux-2.6.24.4/include/asm-powerpc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
27882 -+++ linux-2.6.24.4/include/asm-powerpc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
27883 -@@ -26,6 +26,7 @@ enum km_type {
27884 - KM_SOFTIRQ1,
27885 - KM_PPC_SYNC_PAGE,
27886 - KM_PPC_SYNC_ICACHE,
27887 -+ KM_CLEARPAGE,
27888 - KM_TYPE_NR
27889 - };
27890 -
27891 -diff -urNp linux-2.6.24.4/include/asm-powerpc/page_64.h linux-2.6.24.4/include/asm-powerpc/page_64.h
27892 ---- linux-2.6.24.4/include/asm-powerpc/page_64.h 2008-03-24 14:49:18.000000000 -0400
27893 -+++ linux-2.6.24.4/include/asm-powerpc/page_64.h 2008-03-26 17:56:56.000000000 -0400
27894 -@@ -171,15 +171,18 @@ do { \
27895 - * stack by default, so in the absense of a PT_GNU_STACK program header
27896 - * we turn execute permission off.
27897 - */
27898 --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27899 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27900 -+#define VM_STACK_DEFAULT_FLAGS32 \
27901 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27902 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27903 -
27904 - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27905 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27906 -
27907 -+#ifndef CONFIG_PAX_PAGEEXEC
27908 - #define VM_STACK_DEFAULT_FLAGS \
27909 - (test_thread_flag(TIF_32BIT) ? \
27910 - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
27911 -+#endif
27912 -
27913 - #include <asm-generic/page.h>
27914 -
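Review bot: the comment block above this hunk describes only the 64-bit behaviour ("we turn execute permission off") and should be extended, because VM_STACK_DEFAULT_FLAGS32 now grants VM_EXEC only when the READ_IMPLIES_EXEC personality bit is set, so 32-bit processes get a non-executable stack by default as well. Separately, wrapping VM_STACK_DEFAULT_FLAGS in `#ifndef CONFIG_PAX_PAGEEXEC` makes the macro vanish from this header on PAGEEXEC kernels; that appears to rely on the generic fallback in linux/mm.h (where an undefined VM_STACK_DEFAULT_FLAGS defaults to VM_DATA_DEFAULT_FLAGS), and a one-line comment saying so would stop readers of this file from thinking the definition was lost.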
27915 -diff -urNp linux-2.6.24.4/include/asm-powerpc/page.h linux-2.6.24.4/include/asm-powerpc/page.h
27916 ---- linux-2.6.24.4/include/asm-powerpc/page.h 2008-03-24 14:49:18.000000000 -0400
27917 -+++ linux-2.6.24.4/include/asm-powerpc/page.h 2008-03-26 17:56:56.000000000 -0400
27918 -@@ -71,8 +71,9 @@
27919 - * and needs to be executable. This means the whole heap ends
27920 - * up being executable.
27921 - */
27922 --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27923 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27924 -+#define VM_DATA_DEFAULT_FLAGS32 \
27925 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27926 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27927 -
27928 - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27929 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
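Review bot: the comment immediately above ("This means the whole heap ends up being executable") is now stale for the default case, since VM_EXEC is only included in VM_DATA_DEFAULT_FLAGS32 when the process runs with READ_IMPLIES_EXEC. Update it to describe the new default (non-executable data and heap unless the personality asks for exec-on-read).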
27930 -diff -urNp linux-2.6.24.4/include/asm-ppc/mmu_context.h linux-2.6.24.4/include/asm-ppc/mmu_context.h
27931 ---- linux-2.6.24.4/include/asm-ppc/mmu_context.h 2008-03-24 14:49:18.000000000 -0400
27932 -+++ linux-2.6.24.4/include/asm-ppc/mmu_context.h 2008-03-26 17:56:56.000000000 -0400
27933 -@@ -146,7 +146,8 @@ static inline void get_mmu_context(struc
27934 - static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
27935 - {
27936 - mm->context.id = NO_CONTEXT;
27937 -- mm->context.vdso_base = 0;
27938 -+ if (t == current)
27939 -+ mm->context.vdso_base = ~0UL;
27940 - return 0;
27941 - }
27942 -
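Review bot: the `t == current` test needs a comment, because its purpose is not visible from this function alone. Read against the callers it appears to distinguish the fresh mm created for exec (init_new_context() invoked for the current task, vdso_base reset to ~0UL) from the fork path, where the mm struct was copied from the parent and the inherited vdso_base is now kept rather than zeroed. The change of sentinel from 0 to ~0UL also needs documenting, and every consumer of vdso_base (signal trampoline and vdso mapping code, none of it in this section) has to be checked for the new value.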
27943 -diff -urNp linux-2.6.24.4/include/asm-ppc/pgtable.h linux-2.6.24.4/include/asm-ppc/pgtable.h
27944 ---- linux-2.6.24.4/include/asm-ppc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
27945 -+++ linux-2.6.24.4/include/asm-ppc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
27946 -@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
27947 -
27948 - #define PAGE_NONE __pgprot(_PAGE_BASE)
27949 - #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
27950 --#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27951 -+#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27952 - #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
27953 --#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
27954 -+#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
27955 - #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
27956 --#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27957 -+#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27958 -+
27959 -+#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
27960 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
27961 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27962 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27963 -+#else
27964 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
27965 -+# define PAGE_COPY_NOEXEC PAGE_COPY
27966 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
27967 -+#endif
27968 -
27969 - #define PAGE_KERNEL __pgprot(_PAGE_RAM)
27970 - #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
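Review bot: the `_NOEXEC` protections rely on `_PAGE_GUARDED` rather than on an execute bit, and the condition excludes 40x and 44x; that is the classic-6xx technique where instruction fetch from a guarded page is prohibited by the MMU, while 40x/44x have a real hardware execute bit (the `_PAGE_HWEXEC` now added to the `_X` variants) and the `#else` fallback is appropriate there. Both facts belong in a comment next to the `#if`, since nothing in the code explains why a caching attribute is being used as NX emulation. Also confirm that `_PAGE_HWEXEC` is defined as 0 on cores without a hardware execute bit so that adding it to PAGE_READONLY_X / PAGE_SHARED_X / PAGE_COPY_X is harmless there.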
27971 -@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
27972 - * This is the closest we can get..
27973 - */
27974 - #define __P000 PAGE_NONE
27975 --#define __P001 PAGE_READONLY_X
27976 --#define __P010 PAGE_COPY
27977 --#define __P011 PAGE_COPY_X
27978 --#define __P100 PAGE_READONLY
27979 -+#define __P001 PAGE_READONLY_NOEXEC
27980 -+#define __P010 PAGE_COPY_NOEXEC
27981 -+#define __P011 PAGE_COPY_NOEXEC
27982 -+#define __P100 PAGE_READONLY_X
27983 - #define __P101 PAGE_READONLY_X
27984 --#define __P110 PAGE_COPY
27985 -+#define __P110 PAGE_COPY_X
27986 - #define __P111 PAGE_COPY_X
27987 -
27988 - #define __S000 PAGE_NONE
27989 --#define __S001 PAGE_READONLY_X
27990 --#define __S010 PAGE_SHARED
27991 --#define __S011 PAGE_SHARED_X
27992 --#define __S100 PAGE_READONLY
27993 -+#define __S001 PAGE_READONLY_NOEXEC
27994 -+#define __S010 PAGE_SHARED_NOEXEC
27995 -+#define __S011 PAGE_SHARED_NOEXEC
27996 -+#define __S100 PAGE_READONLY_X
27997 - #define __S101 PAGE_READONLY_X
27998 --#define __S110 PAGE_SHARED
27999 -+#define __S110 PAGE_SHARED_X
28000 - #define __S111 PAGE_SHARED_X
28001 -
28002 - #ifndef __ASSEMBLY__
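Review bot: the __P/__S rewrite is the substantive security change in this file and should be called out in the patch description. In the old table the read bit of the __Pxwr index selected the `_X` protections (so every readable mapping was executable) while the exec-only entries __P100 and __S100 mapped to plain PAGE_READONLY, meaning the index's exec bit did not control execute permission at all. The new table makes the exec bit select the `_X` variants and everything else the `_NOEXEC` variants, which is what PAGEEXEC needs and matches the x86 table. Because the `_NOEXEC` names fall back to the plain protections when PAGEEXEC is off, read-only and write-only mappings also lose `_PAGE_EXEC` on non-PAGEEXEC kernels; that only matters on cores where that bit or `_PAGE_HWEXEC` is enforced, but it is a behaviour change worth stating.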
28003 -diff -urNp linux-2.6.24.4/include/asm-s390/kmap_types.h linux-2.6.24.4/include/asm-s390/kmap_types.h
28004 ---- linux-2.6.24.4/include/asm-s390/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28005 -+++ linux-2.6.24.4/include/asm-s390/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28006 -@@ -16,6 +16,7 @@ enum km_type {
28007 - KM_IRQ1,
28008 - KM_SOFTIRQ0,
28009 - KM_SOFTIRQ1,
28010 -+ KM_CLEARPAGE,
28011 - KM_TYPE_NR
28012 - };
28013 -
28014 -diff -urNp linux-2.6.24.4/include/asm-sh/kmap_types.h linux-2.6.24.4/include/asm-sh/kmap_types.h
28015 ---- linux-2.6.24.4/include/asm-sh/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28016 -+++ linux-2.6.24.4/include/asm-sh/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28017 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
28018 - D(10) KM_IRQ1,
28019 - D(11) KM_SOFTIRQ0,
28020 - D(12) KM_SOFTIRQ1,
28021 --D(13) KM_TYPE_NR
28022 -+D(13) KM_CLEARPAGE,
28023 -+D(14) KM_TYPE_NR
28024 - };
28025 -
28026 - #undef D
28027 -diff -urNp linux-2.6.24.4/include/asm-sparc/a.out.h linux-2.6.24.4/include/asm-sparc/a.out.h
28028 ---- linux-2.6.24.4/include/asm-sparc/a.out.h 2008-03-24 14:49:18.000000000 -0400
28029 -+++ linux-2.6.24.4/include/asm-sparc/a.out.h 2008-03-26 17:56:56.000000000 -0400
28030 -@@ -91,8 +91,8 @@ struct relocation_info /* used when head
28031 -
28032 - #include <asm/page.h>
28033 -
28034 --#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
28035 --#define STACK_TOP_MAX STACK_TOP
28036 -+#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
28037 -+#define STACK_TOP_MAX __STACK_TOP
28038 -
28039 - #endif /* __KERNEL__ */
28040 -
28041 -diff -urNp linux-2.6.24.4/include/asm-sparc/elf.h linux-2.6.24.4/include/asm-sparc/elf.h
28042 ---- linux-2.6.24.4/include/asm-sparc/elf.h 2008-03-24 14:49:18.000000000 -0400
28043 -+++ linux-2.6.24.4/include/asm-sparc/elf.h 2008-03-26 17:56:56.000000000 -0400
28044 -@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
28045 -
28046 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
28047 -
28048 -+#ifdef CONFIG_PAX_ASLR
28049 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
28050 -+
28051 -+#define PAX_DELTA_MMAP_LEN 16
28052 -+#define PAX_DELTA_STACK_LEN 16
28053 -+#endif
28054 -+
28055 - /* This yields a mask that user programs can use to figure out what
28056 - instruction set this cpu supports. This can NOT be done in userspace
28057 - on Sparc. */
28058 -diff -urNp linux-2.6.24.4/include/asm-sparc/kmap_types.h linux-2.6.24.4/include/asm-sparc/kmap_types.h
28059 ---- linux-2.6.24.4/include/asm-sparc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28060 -+++ linux-2.6.24.4/include/asm-sparc/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28061 -@@ -15,6 +15,7 @@ enum km_type {
28062 - KM_IRQ1,
28063 - KM_SOFTIRQ0,
28064 - KM_SOFTIRQ1,
28065 -+ KM_CLEARPAGE,
28066 - KM_TYPE_NR
28067 - };
28068 -
28069 -diff -urNp linux-2.6.24.4/include/asm-sparc/pgtable.h linux-2.6.24.4/include/asm-sparc/pgtable.h
28070 ---- linux-2.6.24.4/include/asm-sparc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
28071 -+++ linux-2.6.24.4/include/asm-sparc/pgtable.h 2008-03-26 17:56:56.000000000 -0400
28072 -@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
28073 - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
28074 - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
28075 -
28076 -+#ifdef CONFIG_PAX_PAGEEXEC
28077 -+extern pgprot_t PAGE_SHARED_NOEXEC;
28078 -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
28079 -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
28080 -+#else
28081 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
28082 -+# define PAGE_COPY_NOEXEC PAGE_COPY
28083 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
28084 -+#endif
28085 -+
28086 - extern unsigned long page_kernel;
28087 -
28088 - #ifdef MODULE
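Review bot: PAGE_SHARED_NOEXEC is declared `extern pgprot_t` (mirroring the existing `extern pgprot_t PAGE_SHARED` in the hunk header) while the COPY and READONLY variants are BTFIXUP_INT macros, so the variable definition and the `page_copy_noexec` / `page_readonly_noexec` btfixup entries must be supplied by the srmmu and sun4c setup code, which is not in this section; check that both MMU backends set them, otherwise the NOEXEC protections would be unfixed on one of them. The pgtsrmmu.h hunk below drops SRMMU_EXEC from the NOEXEC protections, so on SRMMU the non-execute permission is hardware-enforced.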
28089 -diff -urNp linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h
28090 ---- linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h 2008-03-24 14:49:18.000000000 -0400
28091 -+++ linux-2.6.24.4/include/asm-sparc/pgtsrmmu.h 2008-03-26 17:56:56.000000000 -0400
28092 -@@ -115,6 +115,16 @@
28093 - SRMMU_EXEC | SRMMU_REF)
28094 - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28095 - SRMMU_EXEC | SRMMU_REF)
28096 -+
28097 -+#ifdef CONFIG_PAX_PAGEEXEC
28098 -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28099 -+ SRMMU_WRITE | SRMMU_REF)
28100 -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28101 -+ SRMMU_REF)
28102 -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
28103 -+ SRMMU_REF)
28104 -+#endif
28105 -+
28106 - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
28107 - SRMMU_DIRTY | SRMMU_REF)
28108 -
28109 -diff -urNp linux-2.6.24.4/include/asm-sparc/uaccess.h linux-2.6.24.4/include/asm-sparc/uaccess.h
28110 ---- linux-2.6.24.4/include/asm-sparc/uaccess.h 2008-03-24 14:49:18.000000000 -0400
28111 -+++ linux-2.6.24.4/include/asm-sparc/uaccess.h 2008-03-26 17:56:56.000000000 -0400
28112 -@@ -41,7 +41,7 @@
28113 - * No one can read/write anything from userland in the kernel space by setting
28114 - * large size and address near to PAGE_OFFSET - a fault will break his intentions.
28115 - */
28116 --#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
28117 -+#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
28118 - #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
28119 - #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
28120 - #define access_ok(type, addr, size) \
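Review bot: __user_ok() bounds user addresses with __STACK_TOP, which on sparc is still the constant `PAGE_OFFSET - PAGE_SIZE`, so this is a pure rename. It is, however, the one place in this section where the stack-top symbol doubles as the user/kernel address boundary, so it must keep pointing at the fixed limit and never at a randomised or per-process STACK_TOP; a comment saying "this must be the unrandomised limit" would stop someone from later "fixing" it back to STACK_TOP.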
28121 -diff -urNp linux-2.6.24.4/include/asm-sparc64/a.out.h linux-2.6.24.4/include/asm-sparc64/a.out.h
28122 ---- linux-2.6.24.4/include/asm-sparc64/a.out.h 2008-03-24 14:49:18.000000000 -0400
28123 -+++ linux-2.6.24.4/include/asm-sparc64/a.out.h 2008-03-26 17:56:56.000000000 -0400
28124 -@@ -98,7 +98,7 @@ struct relocation_info /* used when head
28125 - #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
28126 - #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
28127 -
28128 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
28129 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
28130 - STACK_TOP32 : STACK_TOP64)
28131 -
28132 - #define STACK_TOP_MAX STACK_TOP64
28133 -diff -urNp linux-2.6.24.4/include/asm-sparc64/elf.h linux-2.6.24.4/include/asm-sparc64/elf.h
28134 ---- linux-2.6.24.4/include/asm-sparc64/elf.h 2008-03-24 14:49:18.000000000 -0400
28135 -+++ linux-2.6.24.4/include/asm-sparc64/elf.h 2008-03-26 17:56:56.000000000 -0400
28136 -@@ -143,6 +143,12 @@ typedef struct {
28137 - #define ELF_ET_DYN_BASE 0x0000010000000000UL
28138 - #endif
28139 -
28140 -+#ifdef CONFIG_PAX_ASLR
28141 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
28142 -+
28143 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
28144 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
28145 -+#endif
28146 -
28147 - /* This yields a mask that user programs can use to figure out what
28148 - instruction set this cpu supports. */
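Review bot: the mmap delta gets one bit less than the stack delta for both personalities (14/28 versus 15/29), and the 32-bit values are below the 16 used on sparc32 and parisc in this patch; if these come from a page-size or TASK_SIZE budget, a comment should say so. Style: unlike the other elf.h hunks this one adds no trailing blank line after `#endif`.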
28149 -diff -urNp linux-2.6.24.4/include/asm-sparc64/kmap_types.h linux-2.6.24.4/include/asm-sparc64/kmap_types.h
28150 ---- linux-2.6.24.4/include/asm-sparc64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28151 -+++ linux-2.6.24.4/include/asm-sparc64/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28152 -@@ -19,6 +19,7 @@ enum km_type {
28153 - KM_IRQ1,
28154 - KM_SOFTIRQ0,
28155 - KM_SOFTIRQ1,
28156 -+ KM_CLEARPAGE,
28157 - KM_TYPE_NR
28158 - };
28159 -
28160 -diff -urNp linux-2.6.24.4/include/asm-um/kmap_types.h linux-2.6.24.4/include/asm-um/kmap_types.h
28161 ---- linux-2.6.24.4/include/asm-um/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28162 -+++ linux-2.6.24.4/include/asm-um/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28163 -@@ -23,6 +23,7 @@ enum km_type {
28164 - KM_IRQ1,
28165 - KM_SOFTIRQ0,
28166 - KM_SOFTIRQ1,
28167 -+ KM_CLEARPAGE,
28168 - KM_TYPE_NR
28169 - };
28170 -
28171 -diff -urNp linux-2.6.24.4/include/asm-v850/kmap_types.h linux-2.6.24.4/include/asm-v850/kmap_types.h
28172 ---- linux-2.6.24.4/include/asm-v850/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28173 -+++ linux-2.6.24.4/include/asm-v850/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28174 -@@ -13,6 +13,7 @@ enum km_type {
28175 - KM_PTE1,
28176 - KM_IRQ0,
28177 - KM_IRQ1,
28178 -+ KM_CLEARPAGE,
28179 - KM_TYPE_NR
28180 - };
28181 -
28182 -diff -urNp linux-2.6.24.4/include/asm-x86/alternative_32.h linux-2.6.24.4/include/asm-x86/alternative_32.h
28183 ---- linux-2.6.24.4/include/asm-x86/alternative_32.h 2008-03-24 14:49:18.000000000 -0400
28184 -+++ linux-2.6.24.4/include/asm-x86/alternative_32.h 2008-03-26 17:56:56.000000000 -0400
28185 -@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
28186 - " .byte 662b-661b\n" /* sourcelen */ \
28187 - " .byte 664f-663f\n" /* replacementlen */ \
28188 - ".previous\n" \
28189 -- ".section .altinstr_replacement,\"ax\"\n" \
28190 -+ ".section .altinstr_replacement,\"a\"\n" \
28191 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
28192 - ".previous" :: "i" (feature) : "memory")
28193 -
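Review bot: changing `.altinstr_replacement` from "ax" to "a" is correct: the replacement instructions are only source bytes that apply_alternatives() copies over the original sites and are never executed in place, so the section has no reason to live in an executable mapping. The same one-character change is repeated in the next two hunks and in the three alternative_64.h hunks; confirm the linker script still places the now non-executable allocatable section where the patching code expects it.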
28194 -@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
28195 - " .byte 662b-661b\n" /* sourcelen */ \
28196 - " .byte 664f-663f\n" /* replacementlen */ \
28197 - ".previous\n" \
28198 -- ".section .altinstr_replacement,\"ax\"\n" \
28199 -+ ".section .altinstr_replacement,\"a\"\n" \
28200 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
28201 - ".previous" :: "i" (feature), ##input)
28202 -
28203 -@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
28204 - " .byte 662b-661b\n" /* sourcelen */ \
28205 - " .byte 664f-663f\n" /* replacementlen */ \
28206 - ".previous\n" \
28207 -- ".section .altinstr_replacement,\"ax\"\n" \
28208 -+ ".section .altinstr_replacement,\"a\"\n" \
28209 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28210 - ".previous" : output : [feat] "i" (feature), ##input)
28211 -
28212 -diff -urNp linux-2.6.24.4/include/asm-x86/alternative_64.h linux-2.6.24.4/include/asm-x86/alternative_64.h
28213 ---- linux-2.6.24.4/include/asm-x86/alternative_64.h 2008-03-24 14:49:18.000000000 -0400
28214 -+++ linux-2.6.24.4/include/asm-x86/alternative_64.h 2008-03-26 17:56:56.000000000 -0400
28215 -@@ -94,7 +94,7 @@ static inline void alternatives_smp_swit
28216 - " .byte 662b-661b\n" /* sourcelen */ \
28217 - " .byte 664f-663f\n" /* replacementlen */ \
28218 - ".previous\n" \
28219 -- ".section .altinstr_replacement,\"ax\"\n" \
28220 -+ ".section .altinstr_replacement,\"a\"\n" \
28221 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28222 - ".previous" :: "i" (feature) : "memory")
28223 -
28224 -@@ -118,7 +118,7 @@ static inline void alternatives_smp_swit
28225 - " .byte 662b-661b\n" /* sourcelen */ \
28226 - " .byte 664f-663f\n" /* replacementlen */ \
28227 - ".previous\n" \
28228 -- ".section .altinstr_replacement,\"ax\"\n" \
28229 -+ ".section .altinstr_replacement,\"a\"\n" \
28230 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28231 - ".previous" :: "i" (feature), ##input)
28232 -
28233 -@@ -133,7 +133,7 @@ static inline void alternatives_smp_swit
28234 - " .byte 662b-661b\n" /* sourcelen */ \
28235 - " .byte 664f-663f\n" /* replacementlen */ \
28236 - ".previous\n" \
28237 -- ".section .altinstr_replacement,\"ax\"\n" \
28238 -+ ".section .altinstr_replacement,\"a\"\n" \
28239 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
28240 - ".previous" : output : [feat] "i" (feature), ##input)
28241 -
28242 -diff -urNp linux-2.6.24.4/include/asm-x86/a.out.h linux-2.6.24.4/include/asm-x86/a.out.h
28243 ---- linux-2.6.24.4/include/asm-x86/a.out.h 2008-03-24 14:49:18.000000000 -0400
28244 -+++ linux-2.6.24.4/include/asm-x86/a.out.h 2008-03-26 17:56:56.000000000 -0400
28245 -@@ -19,9 +19,13 @@ struct exec
28246 -
28247 - #ifdef __KERNEL__
28248 - # include <linux/thread_info.h>
28249 --# define STACK_TOP TASK_SIZE
28250 -+# ifdef CONFIG_PAX_SEGMEXEC
28251 -+# define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
28252 -+# else
28253 -+# define __STACK_TOP TASK_SIZE
28254 -+# endif
28255 - # ifdef CONFIG_X86_32
28256 --# define STACK_TOP_MAX STACK_TOP
28257 -+# define STACK_TOP_MAX TASK_SIZE
28258 - # else
28259 - # define STACK_TOP_MAX TASK_SIZE64
28260 - # endif
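Review bot: __STACK_TOP now dereferences `current->mm->pax_flags`, so it may only be evaluated in process context with a valid mm; any path that reaches it from a kernel thread (mm == NULL) would oops. STACK_TOP_MAX deliberately stays at TASK_SIZE instead of the halved SEGMEXEC value, which is right if it is consumed during exec before the new image's pax_flags are known, but that reasoning belongs in a comment because the previous definition tied STACK_TOP_MAX to STACK_TOP and a reader will wonder why the two diverge.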
28261 -diff -urNp linux-2.6.24.4/include/asm-x86/apic_32.h linux-2.6.24.4/include/asm-x86/apic_32.h
28262 ---- linux-2.6.24.4/include/asm-x86/apic_32.h 2008-03-24 14:49:18.000000000 -0400
28263 -+++ linux-2.6.24.4/include/asm-x86/apic_32.h 2008-03-26 17:56:56.000000000 -0400
28264 -@@ -8,7 +8,7 @@
28265 - #include <asm/processor.h>
28266 - #include <asm/system.h>
28267 -
28268 --#define Dprintk(x...)
28269 -+#define Dprintk(x...) do {} while (0)
28270 -
28271 - /*
28272 - * Debugging macros
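Review bot: replacing the empty `Dprintk(x...)` expansion with `do {} while (0)` is the right fix; it stops `if (cond) Dprintk(...); else ...` from binding the `else` to the wrong statement and avoids an empty-statement warning. Since apic_64.h receives the identical change in the next hunk, the macro could live once in a shared header instead of being patched twice.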
28273 -diff -urNp linux-2.6.24.4/include/asm-x86/apic_64.h linux-2.6.24.4/include/asm-x86/apic_64.h
28274 ---- linux-2.6.24.4/include/asm-x86/apic_64.h 2008-03-24 14:49:18.000000000 -0400
28275 -+++ linux-2.6.24.4/include/asm-x86/apic_64.h 2008-03-26 17:56:56.000000000 -0400
28276 -@@ -7,7 +7,7 @@
28277 - #include <asm/apicdef.h>
28278 - #include <asm/system.h>
28279 -
28280 --#define Dprintk(x...)
28281 -+#define Dprintk(x...) do {} while (0)
28282 -
28283 - /*
28284 - * Debugging macros
28285 -diff -urNp linux-2.6.24.4/include/asm-x86/boot.h linux-2.6.24.4/include/asm-x86/boot.h
28286 ---- linux-2.6.24.4/include/asm-x86/boot.h 2008-03-24 14:49:18.000000000 -0400
28287 -+++ linux-2.6.24.4/include/asm-x86/boot.h 2008-03-26 17:56:56.000000000 -0400
28288 -@@ -13,8 +13,13 @@
28289 - #define ASK_VGA 0xfffd /* ask for it at bootup */
28290 -
28291 - /* Physical address where kernel should be loaded. */
28292 --#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
28293 -+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
28294 - + (CONFIG_PHYSICAL_ALIGN - 1)) \
28295 - & ~(CONFIG_PHYSICAL_ALIGN - 1))
28296 -
28297 -+#ifndef __ASSEMBLY__
28298 -+extern unsigned char __LOAD_PHYSICAL_ADDR[];
28299 -+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
28300 -+#endif
28301 -+
28302 - #endif /* _ASM_BOOT_H */
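Review bot: `LOAD_PHYSICAL_ADDR` is now only defined under `#ifndef __ASSEMBLY__`, so any assembly file that used the old macro is left with nothing but `____LOAD_PHYSICAL_ADDR`; confirm those users are converted in the rest of the patch. Also document that `__LOAD_PHYSICAL_ADDR[]` is a linker-provided symbol declared as an array purely so that its address, not its contents, is taken; without that note the `(unsigned long)` cast of an array reads like a bug.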
28303 -diff -urNp linux-2.6.24.4/include/asm-x86/cache.h linux-2.6.24.4/include/asm-x86/cache.h
28304 ---- linux-2.6.24.4/include/asm-x86/cache.h 2008-03-24 14:49:18.000000000 -0400
28305 -+++ linux-2.6.24.4/include/asm-x86/cache.h 2008-03-26 17:56:56.000000000 -0400
28306 -@@ -6,6 +6,7 @@
28307 - #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
28308 -
28309 - #define __read_mostly __attribute__((__section__(".data.read_mostly")))
28310 -+#define __read_only __attribute__((__section__(".data.read_only")))
28311 -
28312 - #ifdef CONFIG_X86_VSMP
28313 - /* vSMP Internode cacheline shift */
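Review bot: the new `__read_only` attribute only places a variable in `.data.read_only`; on its own it protects nothing. The note that belongs next to the define is that the linker script must keep that section inside the region mapped read-only, and that every legitimate writer of such a variable has to go through the `pax_open_kernel()`/`pax_close_kernel()` pair used elsewhere in this patch, otherwise the write faults.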
28314 -diff -urNp linux-2.6.24.4/include/asm-x86/checksum_32.h linux-2.6.24.4/include/asm-x86/checksum_32.h
28315 ---- linux-2.6.24.4/include/asm-x86/checksum_32.h 2008-03-24 14:49:18.000000000 -0400
28316 -+++ linux-2.6.24.4/include/asm-x86/checksum_32.h 2008-03-26 17:56:56.000000000 -0400
28317 -@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
28318 - asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
28319 - int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28320 -
28321 -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
28322 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28323 -+
28324 -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
28325 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
28326 -+
28327 - /*
28328 - * Note: when you get a NULL pointer exception here this means someone
28329 - * passed in an incorrect kernel address to one of these functions.
28330 -@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
28331 - int len, __wsum sum, int *err_ptr)
28332 - {
28333 - might_sleep();
28334 -- return csum_partial_copy_generic((__force void *)src, dst,
28335 -+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
28336 - len, sum, err_ptr, NULL);
28337 - }
28338 -
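Review bot: `csum_partial_copy_from_user()` now calls `csum_partial_copy_generic_from_user()` on a user `src` with no `access_ok()` check in this hunk, whereas the to-user path in the next hunk guards `dst` with `access_ok(VERIFY_WRITE, dst, len)`. If the from-user routine relies on its callers having validated `src` (as the generic function did), say so in a comment at the call; a reader comparing the two hunks will otherwise take the asymmetry for a missing check.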
28339 -@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
28340 - {
28341 - might_sleep();
28342 - if (access_ok(VERIFY_WRITE, dst, len))
28343 -- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
28344 -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
28345 -
28346 - if (len)
28347 - *err_ptr = -EFAULT;
28348 -diff -urNp linux-2.6.24.4/include/asm-x86/desc_32.h linux-2.6.24.4/include/asm-x86/desc_32.h
28349 ---- linux-2.6.24.4/include/asm-x86/desc_32.h 2008-03-24 14:49:18.000000000 -0400
28350 -+++ linux-2.6.24.4/include/asm-x86/desc_32.h 2008-03-26 17:56:56.000000000 -0400
28351 -@@ -7,30 +7,26 @@
28352 - #ifndef __ASSEMBLY__
28353 -
28354 - #include <linux/preempt.h>
28355 --#include <linux/smp.h>
28356 - #include <linux/percpu.h>
28357 -+#include <linux/smp.h>
28358 -
28359 - #include <asm/mmu.h>
28360 -
28361 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
28362 -+
28363 - struct Xgt_desc_struct {
28364 - unsigned short size;
28365 -- unsigned long address __attribute__((packed));
28366 -+ struct desc_struct *address __attribute__((packed));
28367 - unsigned short pad;
28368 - } __attribute__ ((packed));
28369 -
28370 --struct gdt_page
28371 --{
28372 -- struct desc_struct gdt[GDT_ENTRIES];
28373 --} __attribute__((aligned(PAGE_SIZE)));
28374 --DECLARE_PER_CPU(struct gdt_page, gdt_page);
28375 --
28376 - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
28377 - {
28378 -- return per_cpu(gdt_page, cpu).gdt;
28379 -+ return cpu_gdt_table[cpu];
28380 - }
28381 -
28382 - extern struct Xgt_desc_struct idt_descr;
28383 --extern struct desc_struct idt_table[];
28384 -+extern struct desc_struct idt_table[256];
28385 - extern void set_intr_gate(unsigned int irq, void * addr);
28386 -
28387 - static inline void pack_descriptor(__u32 *a, __u32 *b,
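Review bot: the `NR_CPUS`-sized `cpu_gdt_table[][]` replaces the per-CPU `gdt_page` and costs one page per possible CPU whether or not it is online; the reason for accepting that (a static array can be placed in a read-only mapping, which dynamically allocated per-CPU data cannot) should be stated in a comment. Two smaller points: `struct desc_struct *address` in `Xgt_desc_struct` keeps the 32-bit size the `lgdt` operand needs, so the layout is unchanged and a comment should say so; and `idt_table[256]` repeats the architectural vector count as a magic number, so use the named constant for it.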
28388 -@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
28389 - static inline void write_dt_entry(struct desc_struct *dt,
28390 - int entry, u32 entry_low, u32 entry_high)
28391 - {
28392 -+
28393 -+#ifdef CONFIG_PAX_KERNEXEC
28394 -+ unsigned long cr0;
28395 -+
28396 -+ pax_open_kernel(cr0);
28397 -+#endif
28398 -+
28399 - dt[entry].a = entry_low;
28400 - dt[entry].b = entry_high;
28401 -+
28402 -+#ifdef CONFIG_PAX_KERNEXEC
28403 -+ pax_close_kernel(cr0);
28404 -+#endif
28405 -+
28406 - }
28407 -
28408 - static inline void native_set_ldt(const void *addr, unsigned int entries)
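Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window around the two descriptor stores in `write_dt_entry()` does not disable preemption in this hunk. The write-protect state it opens lives in CR0 of the current CPU, so a preemption between open and close would leave one CPU with write protection off and re-enable it on another; confirm that the macros take care of this themselves (or that every caller already runs with preemption disabled) and note it here. The stray blank lines after `{` and before `}` can go.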
28409 -@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
28410 - unsigned int i;
28411 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
28412 -
28413 -+#ifdef CONFIG_PAX_KERNEXEC
28414 -+ unsigned long cr0;
28415 -+
28416 -+ pax_open_kernel(cr0);
28417 -+#endif
28418 -+
28419 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
28420 - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
28421 -+
28422 -+#ifdef CONFIG_PAX_KERNEXEC
28423 -+ pax_close_kernel(cr0);
28424 -+#endif
28425 -+
28426 - }
28427 -
28428 - static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
28429 -@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
28430 - ((info)->seg_32bit << 22) | \
28431 - ((info)->limit_in_pages << 23) | \
28432 - ((info)->useable << 20) | \
28433 -- 0x7000)
28434 -+ 0x7100)
28435 -
28436 - #define LDT_empty(info) (\
28437 - (info)->base_addr == 0 && \
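Review bot: the `0x7000` to `0x7100` change in the LDT descriptor macro sets bit 8 of the descriptor's high dword, which is the accessed bit of the type field. Pre-setting it means the CPU never has to write the descriptor back on first use, which is what allows the descriptor tables to live in read-only memory; that intent is invisible from a bare constant, so add a comment (the same constant is changed in desc_64.h).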
28438 -@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
28439 - preempt_enable();
28440 - }
28441 -
28442 --static inline unsigned long get_desc_base(unsigned long *desc)
28443 -+static inline unsigned long get_desc_base(struct desc_struct *desc)
28444 - {
28445 - unsigned long base;
28446 -- base = ((desc[0] >> 16) & 0x0000ffff) |
28447 -- ((desc[1] << 16) & 0x00ff0000) |
28448 -- (desc[1] & 0xff000000);
28449 -+ base = ((desc->a >> 16) & 0x0000ffff) |
28450 -+ ((desc->b << 16) & 0x00ff0000) |
28451 -+ (desc->b & 0xff000000);
28452 - return base;
28453 - }
28454 -
28455 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
28456 -+{
28457 -+ __u32 a, b;
28458 -+
28459 -+ if (likely(limit))
28460 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
28461 -+ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
28462 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
28463 -+}
28464 -+
28465 - #else /* __ASSEMBLY__ */
28466 -
28467 - /*
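Review bot: two things in `set_user_cs()` deserve comments. `limit` is converted to a page-granular limit with `(limit - 1UL) >> PAGE_SHIFT` and the flags `0xC` set the granularity bit, so a zero `limit` still yields a one-page segment rather than an empty one; state whether callers rely on that. The type byte `0xFB` (present, DPL 3, code, execute/read, accessed) has the accessed bit pre-set for the same reason as the `0x7100` change above. Also, this function writes the GDT through `write_gdt_entry()` with no `pax_open_kernel()` of its own, so it depends on `write_gdt_entry()` resolving to the `write_dt_entry()` wrapper patched earlier in this file; if a paravirt backend supplies its own `write_gdt_entry`, the read-only GDT assumption must hold there as well.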
28468 -diff -urNp linux-2.6.24.4/include/asm-x86/desc_64.h linux-2.6.24.4/include/asm-x86/desc_64.h
28469 ---- linux-2.6.24.4/include/asm-x86/desc_64.h 2008-03-24 14:49:18.000000000 -0400
28470 -+++ linux-2.6.24.4/include/asm-x86/desc_64.h 2008-03-26 17:56:56.000000000 -0400
28471 -@@ -14,7 +14,7 @@
28472 - #include <asm/segment.h>
28473 - #include <asm/mmu.h>
28474 -
28475 --extern struct desc_struct cpu_gdt_table[GDT_ENTRIES];
28476 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
28477 -
28478 - #define load_TR_desc() asm volatile("ltr %w0"::"r" (GDT_ENTRY_TSS*8))
28479 - #define load_LDT_desc() asm volatile("lldt %w0"::"r" (GDT_ENTRY_LDT*8))
28480 -@@ -34,12 +34,10 @@ static inline unsigned long __store_tr(v
28481 - * This is the ldt that every process will get unless we need
28482 - * something other than this.
28483 - */
28484 --extern struct desc_struct default_ldt[];
28485 - extern struct gate_struct idt_table[];
28486 --extern struct desc_ptr cpu_gdt_descr[];
28487 -
28488 - /* the cpu gdt accessor */
28489 --#define cpu_gdt(_cpu) ((struct desc_struct *)cpu_gdt_descr[_cpu].address)
28490 -+#define cpu_gdt(_cpu) (cpu_gdt_table[_cpu])
28491 -
28492 - static inline void load_gdt(const struct desc_ptr *ptr)
28493 - {
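Review bot: the comment kept at the top of this hunk ("This is the ldt that every process will get ...") describes `default_ldt`, which the hunk removes; drop or reword it so it no longer refers to a variable that does not exist. With `cpu_gdt_descr[]` also gone and `cpu_gdt(_cpu)` now indexing `cpu_gdt_table` directly, confirm no remaining code still loads a GDT pointer from the old descriptor array.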
28494 -@@ -54,6 +52,11 @@ static inline void store_gdt(struct desc
28495 - static inline void _set_gate(void *adr, unsigned type, unsigned long func, unsigned dpl, unsigned ist)
28496 - {
28497 - struct gate_struct s;
28498 -+
28499 -+#ifdef CONFIG_PAX_KERNEXEC
28500 -+ unsigned long cr0;
28501 -+#endif
28502 -+
28503 - s.offset_low = PTR_LOW(func);
28504 - s.segment = __KERNEL_CS;
28505 - s.ist = ist;
28506 -@@ -65,7 +68,17 @@ static inline void _set_gate(void *adr,
28507 - s.offset_middle = PTR_MIDDLE(func);
28508 - s.offset_high = PTR_HIGH(func);
28509 - /* does not need to be atomic because it is only done once at setup time */
28510 -+
28511 -+#ifdef CONFIG_PAX_KERNEXEC
28512 -+ pax_open_kernel(cr0);
28513 -+#endif
28514 -+
28515 - memcpy(adr, &s, 16);
28516 -+
28517 -+#ifdef CONFIG_PAX_KERNEXEC
28518 -+ pax_close_kernel(cr0);
28519 -+#endif
28520 -+
28521 - }
28522 -
28523 - static inline void set_intr_gate(int nr, void *func)
28524 -@@ -105,6 +118,11 @@ static inline void set_tssldt_descriptor
28525 - unsigned size)
28526 - {
28527 - struct ldttss_desc d;
28528 -+
28529 -+#ifdef CONFIG_PAX_KERNEXEC
28530 -+ unsigned long cr0;
28531 -+#endif
28532 -+
28533 - memset(&d,0,sizeof(d));
28534 - d.limit0 = size & 0xFFFF;
28535 - d.base0 = PTR_LOW(tss);
28536 -@@ -114,7 +132,17 @@ static inline void set_tssldt_descriptor
28537 - d.limit1 = (size >> 16) & 0xF;
28538 - d.base2 = (PTR_MIDDLE(tss) >> 8) & 0xFF;
28539 - d.base3 = PTR_HIGH(tss);
28540 -+
28541 -+#ifdef CONFIG_PAX_KERNEXEC
28542 -+ pax_open_kernel(cr0);
28543 -+#endif
28544 -+
28545 - memcpy(ptr, &d, 16);
28546 -+
28547 -+#ifdef CONFIG_PAX_KERNEXEC
28548 -+ pax_close_kernel(cr0);
28549 -+#endif
28550 -+
28551 - }
28552 -
28553 - static inline void set_tss_desc(unsigned cpu, void *addr)
28554 -@@ -152,7 +180,7 @@ static inline void set_ldt_desc(unsigned
28555 - ((info)->limit_in_pages << 23) | \
28556 - ((info)->useable << 20) | \
28557 - /* ((info)->lm << 21) | */ \
28558 -- 0x7000)
28559 -+ 0x7100)
28560 -
28561 - #define LDT_empty(info) (\
28562 - (info)->base_addr == 0 && \
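Review bot: same `0x7000` to `0x7100` change as in desc_32.h (pre-setting the descriptor's accessed bit so the CPU never writes the table); the explanatory comment belongs here too, or the constant should move to a shared header so the two copies cannot drift apart.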
28563 -@@ -170,8 +198,19 @@ static inline void load_TLS(struct threa
28564 - unsigned int i;
28565 - u64 *gdt = (u64 *)(cpu_gdt(cpu) + GDT_ENTRY_TLS_MIN);
28566 -
28567 -+#ifdef CONFIG_PAX_KERNEXEC
28568 -+ unsigned long cr0;
28569 -+
28570 -+ pax_open_kernel(cr0);
28571 -+#endif
28572 -+
28573 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
28574 - gdt[i] = t->tls_array[i];
28575 -+
28576 -+#ifdef CONFIG_PAX_KERNEXEC
28577 -+ pax_close_kernel(cr0);
28578 -+#endif
28579 -+
28580 - }
28581 -
28582 - /*
28583 -@@ -197,7 +236,7 @@ static inline void load_LDT(mm_context_t
28584 - put_cpu();
28585 - }
28586 -
28587 --extern struct desc_ptr idt_descr;
28588 -+extern const struct desc_ptr idt_descr;
28589 -
28590 - #endif /* !__ASSEMBLY__ */
28591 -
28592 -diff -urNp linux-2.6.24.4/include/asm-x86/elf.h linux-2.6.24.4/include/asm-x86/elf.h
28593 ---- linux-2.6.24.4/include/asm-x86/elf.h 2008-03-24 14:49:18.000000000 -0400
28594 -+++ linux-2.6.24.4/include/asm-x86/elf.h 2008-03-26 17:56:56.000000000 -0400
28595 -@@ -206,7 +206,25 @@ extern int vdso_enabled;
28596 - the loader. We need to make sure that it is out of the way of the program
28597 - that it will "exec", and that there is sufficient room for the brk. */
28598 -
28599 -+#ifdef CONFIG_PAX_SEGMEXEC
28600 -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
28601 -+#else
28602 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
28603 -+#endif
28604 -+
28605 -+#ifdef CONFIG_PAX_ASLR
28606 -+#ifdef CONFIG_X86_32
28607 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
28608 -+
28609 -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
28610 -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
28611 -+#else
28612 -+#define PAX_ELF_ET_DYN_BASE 0x400000UL
28613 -+
28614 -+#define PAX_DELTA_MMAP_LEN 32
28615 -+#define PAX_DELTA_STACK_LEN 32
28616 -+#endif
28617 -+#endif
28618 -
28619 - /* This yields a mask that user programs can use to figure out what
28620 - instruction set this CPU supports. This could be done in user space,
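Review bot: the new `PAX_DELTA_MMAP_LEN` / `PAX_DELTA_STACK_LEN` values are the number of random bits applied to the mmap and stack bases, and the hunk gives no hint why X86_32 gets 15 under SEGMEXEC versus 16 otherwise (the SEGMEXEC split halves the usable range, so one bit less keeps the randomised base inside it) or why X86_64 gets 32; a comment per value would make the randomisation budget reviewable. Note also that `ELF_ET_DYN_BASE` and the 32-bit `PAX_DELTA_*_LEN` read `current->mm->pax_flags`, so they must only be evaluated once the new `mm` for the exec is installed.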
28621 -@@ -246,7 +264,7 @@ extern int dump_task_extended_fpu (struc
28622 - #define ELF_CORE_XFPREG_TYPE NT_PRXFPREG
28623 -
28624 - #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
28625 --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
28626 -+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
28627 - #define VDSO_PRELINK 0
28628 -
28629 - #define VDSO_SYM(x) \
28630 -@@ -274,7 +292,7 @@ do if (vdso_enabled) { \
28631 -
28632 - #define ARCH_DLINFO \
28633 - do if (vdso_enabled) { \
28634 -- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
28635 -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
28636 - } while (0)
28637 -
28638 - #endif /* !CONFIG_X86_32 */
28639 -diff -urNp linux-2.6.24.4/include/asm-x86/futex_32.h linux-2.6.24.4/include/asm-x86/futex_32.h
28640 ---- linux-2.6.24.4/include/asm-x86/futex_32.h 2008-03-24 14:49:18.000000000 -0400
28641 -+++ linux-2.6.24.4/include/asm-x86/futex_32.h 2008-03-26 17:56:56.000000000 -0400
28642 -@@ -11,8 +11,11 @@
28643 -
28644 - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
28645 - __asm__ __volatile ( \
28646 -+ "movw %w6, %%ds\n"\
28647 - "1: " insn "\n" \
28648 --"2: .section .fixup,\"ax\"\n\
28649 -+"2: pushl %%ss\n\
28650 -+ popl %%ds\n\
28651 -+ .section .fixup,\"ax\"\n\
28652 - 3: mov %3, %1\n\
28653 - jmp 2b\n\
28654 - .previous\n\
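Review bot: the segment handling in `__futex_atomic_op1` looks correct but should be commented: `movw %w6, %%ds` loads `__USER_DS` (the new operand 6, appended in the next hunk's constraint line) before the user access at label 1, and label 2 restores `%ds` from `%ss` on the normal path; because the fixup at label 3 jumps back to `2b`, the fault path restores the segment too, which is the property a reviewer has to verify. A one-line comment stating the reason for the change (presumably that the kernel's own `%ds` no longer covers user addresses) and why the restore must sit before `.section .fixup` would save the next reader that exercise.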
28655 -@@ -21,16 +24,19 @@
28656 - .long 1b,3b\n\
28657 - .previous" \
28658 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
28659 -- : "i" (-EFAULT), "0" (oparg), "1" (0))
28660 -+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
28661 -
28662 - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
28663 - __asm__ __volatile ( \
28664 --"1: movl %2, %0\n\
28665 -+" movw %w7, %%es\n\
28666 -+1: movl %%es:%2, %0\n\
28667 - movl %0, %3\n" \
28668 - insn "\n" \
28669 --"2: lock ; cmpxchgl %3, %2\n\
28670 -+"2: lock ; cmpxchgl %3, %%es:%2\n\
28671 - jnz 1b\n\
28672 --3: .section .fixup,\"ax\"\n\
28673 -+3: pushl %%ss\n\
28674 -+ popl %%es\n\
28675 -+ .section .fixup,\"ax\"\n\
28676 - 4: mov %5, %1\n\
28677 - jmp 3b\n\
28678 - .previous\n\
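Review bot: `__futex_atomic_op2` mirrors op1 but borrows `%es` (operand 7, `%w7`, the appended `"r" (__USER_DS)` in the next hunk) instead of `%ds`, and restores it at label 3, which the fixup at label 4 jumps back to, so the fault path is covered. The operand numbering checks out, but the two macros now differ in which segment register they use; a comment on why op2 takes `%es` would stop someone later "harmonising" the two and breaking one of them.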
28679 -@@ -40,10 +46,10 @@
28680 - .previous" \
28681 - : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
28682 - "=&r" (tem) \
28683 -- : "r" (oparg), "i" (-EFAULT), "1" (0))
28684 -+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
28685 -
28686 - static inline int
28687 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28688 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28689 - {
28690 - int op = (encoded_op >> 28) & 7;
28691 - int cmp = (encoded_op >> 24) & 15;
28692 -@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
28693 - pagefault_disable();
28694 -
28695 - if (op == FUTEX_OP_SET)
28696 -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
28697 -+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
28698 - else {
28699 - #ifndef CONFIG_X86_BSWAP
28700 - if (boot_cpu_data.x86 == 3)
28701 -@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
28702 - #endif
28703 - switch (op) {
28704 - case FUTEX_OP_ADD:
28705 -- __futex_atomic_op1("lock ; xaddl %0, %2", ret,
28706 -+ __futex_atomic_op1("lock ; xaddl %0, %%ds:%2", ret,
28707 - oldval, uaddr, oparg);
28708 - break;
28709 - case FUTEX_OP_OR:
28710 -@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
28711 - }
28712 -
28713 - static inline int
28714 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28715 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28716 - {
28717 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28718 - return -EFAULT;
28719 -
28720 - __asm__ __volatile__(
28721 -- "1: lock ; cmpxchgl %3, %1 \n"
28722 --
28723 -- "2: .section .fixup, \"ax\" \n"
28724 -+ " movw %w5, %%ds \n"
28725 -+ "1: lock ; cmpxchgl %3, %%ds:%1 \n"
28726 -+ "2: pushl %%ss \n"
28727 -+ " popl %%ds \n"
28728 -+ " .section .fixup, \"ax\" \n"
28729 - "3: mov %2, %0 \n"
28730 - " jmp 2b \n"
28731 - " .previous \n"
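Review bot: in `futex_atomic_cmpxchg_inatomic` the `uaddr` type becomes `u32 __user *` but the `access_ok()` guard still says `sizeof(int)`; use `sizeof(*uaddr)` so the check follows the type. The asm change is consistent with the op1 macro (`%w5` is the appended `"r" (__USER_DS)` in the next hunk's constraint line, label 2 restores `%ds` from `%ss`, and the fixup at 3 jumps to `2b`).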
28732 -@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
28733 - " .previous \n"
28734 -
28735 - : "=a" (oldval), "+m" (*uaddr)
28736 -- : "i" (-EFAULT), "r" (newval), "0" (oldval)
28737 -+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
28738 - : "memory"
28739 - );
28740 -
28741 -diff -urNp linux-2.6.24.4/include/asm-x86/futex_64.h linux-2.6.24.4/include/asm-x86/futex_64.h
28742 ---- linux-2.6.24.4/include/asm-x86/futex_64.h 2008-03-24 14:49:18.000000000 -0400
28743 -+++ linux-2.6.24.4/include/asm-x86/futex_64.h 2008-03-26 17:56:56.000000000 -0400
28744 -@@ -42,7 +42,7 @@
28745 - : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
28746 -
28747 - static inline int
28748 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28749 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28750 - {
28751 - int op = (encoded_op >> 28) & 7;
28752 - int cmp = (encoded_op >> 24) & 15;
28753 -@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
28754 - }
28755 -
28756 - static inline int
28757 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28758 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28759 - {
28760 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28761 - return -EFAULT;
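Review bot: same point as in the 32-bit header: `uaddr` becomes `u32 __user *` while the `access_ok()` call two lines below still checks `sizeof(int)`; `sizeof(*uaddr)` keeps the two in step. Since the 64-bit asm is untouched in the visible hunks, the prototype change here exists only to match the common-code callers, which is worth a word in the description.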
28762 -diff -urNp linux-2.6.24.4/include/asm-x86/i387_32.h linux-2.6.24.4/include/asm-x86/i387_32.h
28763 ---- linux-2.6.24.4/include/asm-x86/i387_32.h 2008-03-24 14:49:18.000000000 -0400
28764 -+++ linux-2.6.24.4/include/asm-x86/i387_32.h 2008-03-26 17:56:56.000000000 -0400
28765 -@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
28766 - #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
28767 -
28768 - /* We need a safe address that is cheap to find and that is already
28769 -- in L1 during context switch. The best choices are unfortunately
28770 -- different for UP and SMP */
28771 --#ifdef CONFIG_SMP
28772 --#define safe_address (__per_cpu_offset[0])
28773 --#else
28774 --#define safe_address (kstat_cpu(0).cpustat.user)
28775 --#endif
28776 -+ in L1 during context switch. */
28777 -+#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
28778 -
28779 - /*
28780 - * These must be called with preempt disabled
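Review bot: `safe_address` is now `init_tss[smp_processor_id()].x86_tss.esp0`, which drops the UP/SMP split and calls `smp_processor_id()`; that is only valid because, as the comment below the hunk says, these helpers must be called with preemption disabled. Say so in the trimmed comment, and also say why `esp0` qualifies as "already in L1" (presumably because the context-switch code has just updated it), since the original explanation of the choice was removed along with the old definitions.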
28781 -diff -urNp linux-2.6.24.4/include/asm-x86/io_64.h linux-2.6.24.4/include/asm-x86/io_64.h
28782 ---- linux-2.6.24.4/include/asm-x86/io_64.h 2008-03-24 14:49:18.000000000 -0400
28783 -+++ linux-2.6.24.4/include/asm-x86/io_64.h 2008-03-26 17:56:56.000000000 -0400
28784 -@@ -120,6 +120,17 @@ static inline void * phys_to_virt(unsign
28785 - }
28786 - #endif
28787 -
28788 -+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
28789 -+static inline int valid_phys_addr_range (unsigned long addr, size_t count)
28790 -+{
28791 -+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
28792 -+}
28793 -+
28794 -+static inline int valid_mmap_phys_addr_range (unsigned long pfn, size_t count)
28795 -+{
28796 -+ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
28797 -+}
28798 -+
28799 - /*
28800 - * Change "struct page" to physical address.
28801 - */
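Review bot: both new range checks compute the upper bound as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` with an `int` literal; for 40 physical bits and `PAGE_SHIFT` 12 that is `1 << 28` and fine, but from 43 physical bits upward the shift overflows a 32-bit `int`, which is undefined behaviour and makes the comparison meaningless. Use `1UL`. In `valid_phys_addr_range()` the left-hand side `addr + count + PAGE_SIZE - 1` can also wrap for a large `count`, letting a range that starts in-bounds pass; reject `addr + count < addr` before the shift. The trailing `? 1 : 0` is redundant on a comparison.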
28802 -diff -urNp linux-2.6.24.4/include/asm-x86/irqflags_32.h linux-2.6.24.4/include/asm-x86/irqflags_32.h
28803 ---- linux-2.6.24.4/include/asm-x86/irqflags_32.h 2008-03-24 14:49:18.000000000 -0400
28804 -+++ linux-2.6.24.4/include/asm-x86/irqflags_32.h 2008-03-26 17:56:56.000000000 -0400
28805 -@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
28806 - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
28807 - #define INTERRUPT_RETURN iret
28808 - #define GET_CR0_INTO_EAX movl %cr0, %eax
28809 -+#define GET_CR0_INTO_EDX movl %cr0, %edx
28810 -+#define SET_CR0_FROM_EDX movl %edx, %cr0
28811 - #endif /* __ASSEMBLY__ */
28812 - #endif /* CONFIG_PARAVIRT */
28813 -
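Review bot: `GET_CR0_INTO_EDX` / `SET_CR0_FROM_EDX` are added only to the `!CONFIG_PARAVIRT` branch of this header; the paravirt.h hunk later in this patch still only shows `GET_CR0_INTO_EAX`. Unless the paravirt side defines the EDX pair as well, the assembly that uses these macros will fail to build on a paravirt configuration; confirm and say which side is the authoritative definition.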
28814 -diff -urNp linux-2.6.24.4/include/asm-x86/kmap_types.h linux-2.6.24.4/include/asm-x86/kmap_types.h
28815 ---- linux-2.6.24.4/include/asm-x86/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
28816 -+++ linux-2.6.24.4/include/asm-x86/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
28817 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
28818 - D(10) KM_IRQ1,
28819 - D(11) KM_SOFTIRQ0,
28820 - D(12) KM_SOFTIRQ1,
28821 --D(13) KM_TYPE_NR
28822 -+D(13) KM_CLEARPAGE,
28823 -+D(14) KM_TYPE_NR
28824 - };
28825 -
28826 - #undef D
28827 -diff -urNp linux-2.6.24.4/include/asm-x86/mach-default/apm.h linux-2.6.24.4/include/asm-x86/mach-default/apm.h
28828 ---- linux-2.6.24.4/include/asm-x86/mach-default/apm.h 2008-03-24 14:49:18.000000000 -0400
28829 -+++ linux-2.6.24.4/include/asm-x86/mach-default/apm.h 2008-03-26 17:56:56.000000000 -0400
28830 -@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
28831 - __asm__ __volatile__(APM_DO_ZERO_SEGS
28832 - "pushl %%edi\n\t"
28833 - "pushl %%ebp\n\t"
28834 -- "lcall *%%cs:apm_bios_entry\n\t"
28835 -+ "lcall *%%ss:apm_bios_entry\n\t"
28836 - "setc %%al\n\t"
28837 - "popl %%ebp\n\t"
28838 - "popl %%edi\n\t"
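Review bot: changing `lcall *%%cs:apm_bios_entry` to `*%%ss:apm_bios_entry` needs a comment. The operand is a data reference (the far pointer stored in `apm_bios_entry`), and the visible hint for the change is the `ktla_ktva()` offset introduced in the page_32.h hunk: once the kernel code segment base differs from the data segment base, a `%cs`-relative data fetch resolves to the wrong linear address, while `%ss` still carries the flat kernel data base. The identical change appears in the next hunk and in paravirt.h.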
28839 -@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
28840 - __asm__ __volatile__(APM_DO_ZERO_SEGS
28841 - "pushl %%edi\n\t"
28842 - "pushl %%ebp\n\t"
28843 -- "lcall *%%cs:apm_bios_entry\n\t"
28844 -+ "lcall *%%ss:apm_bios_entry\n\t"
28845 - "setc %%bl\n\t"
28846 - "popl %%ebp\n\t"
28847 - "popl %%edi\n\t"
28848 -diff -urNp linux-2.6.24.4/include/asm-x86/mman.h linux-2.6.24.4/include/asm-x86/mman.h
28849 ---- linux-2.6.24.4/include/asm-x86/mman.h 2008-03-24 14:49:18.000000000 -0400
28850 -+++ linux-2.6.24.4/include/asm-x86/mman.h 2008-03-26 17:56:56.000000000 -0400
28851 -@@ -16,4 +16,14 @@
28852 - #define MCL_CURRENT 1 /* lock all current mappings */
28853 - #define MCL_FUTURE 2 /* lock all future mappings */
28854 -
28855 -+#ifdef __KERNEL__
28856 -+#ifndef __ASSEMBLY__
28857 -+#ifdef CONFIG_X86_32
28858 -+#define arch_mmap_check i386_mmap_check
28859 -+int i386_mmap_check(unsigned long addr, unsigned long len,
28860 -+ unsigned long flags);
28861 -+#endif
28862 -+#endif
28863 -+#endif
28864 -+
28865 - #endif /* _ASM_X86_MMAN_H */
28866 -diff -urNp linux-2.6.24.4/include/asm-x86/mmu_context_32.h linux-2.6.24.4/include/asm-x86/mmu_context_32.h
28867 ---- linux-2.6.24.4/include/asm-x86/mmu_context_32.h 2008-03-24 14:49:18.000000000 -0400
28868 -+++ linux-2.6.24.4/include/asm-x86/mmu_context_32.h 2008-03-26 17:56:56.000000000 -0400
28869 -@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
28870 - */
28871 - if (unlikely(prev->context.ldt != next->context.ldt))
28872 - load_LDT_nolock(&next->context);
28873 -+
28874 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
28875 -+ if (!nx_enabled) {
28876 -+ smp_mb__before_clear_bit();
28877 -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
28878 -+ smp_mb__after_clear_bit();
28879 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
28880 -+ }
28881 -+#endif
28882 -+
28883 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28884 -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
28885 -+ prev->context.user_cs_limit != next->context.user_cs_limit))
28886 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
28887 -+#endif
28888 -+
28889 - }
28890 - #ifdef CONFIG_SMP
28891 - else {
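Review bot: the two new blocks in the main path of `switch_mm()` are not consistent with the `else` branch in the next hunk: here `set_user_cs()` is called whenever base or limit differ, regardless of `nx_enabled`, while the `else` branch skips it when `(next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled`. If the GDT write is unnecessary when hardware NX is doing the job, apply the same condition here; if it is needed on this path for another reason, a comment should say why. Separately, only the `cpu_clear()` is fenced by `smp_mb__before/after_clear_bit()`; state whether the following `cpu_set()` deliberately needs no barrier.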
28892 -@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
28893 - */
28894 - load_cr3(next->pgd);
28895 - load_LDT_nolock(&next->context);
28896 -+
28897 -+#ifdef CONFIG_PAX_PAGEEXEC
28898 -+ if (!nx_enabled)
28899 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
28900 -+#endif
28901 -+
28902 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28903 -+#ifdef CONFIG_PAX_PAGEEXEC
28904 -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
28905 -+#endif
28906 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
28907 -+#endif
28908 -+
28909 - }
28910 - }
28911 - #endif
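Review bot: the `#ifdef CONFIG_PAX_PAGEEXEC` around the `if (...)` line leaves an unbraced `if` whose body (`set_user_cs(...)`) sits outside the `#ifdef`; it works, but it is fragile (a later edit adding a second statement, or a configuration that removes the `if`, silently changes what runs). Restructure so the condition and its statement live inside the same `#ifdef`, for example by computing a local flag under the `#ifdef` and testing it unconditionally.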
28912 -diff -urNp linux-2.6.24.4/include/asm-x86/mmu.h linux-2.6.24.4/include/asm-x86/mmu.h
28913 ---- linux-2.6.24.4/include/asm-x86/mmu.h 2008-03-24 14:49:18.000000000 -0400
28914 -+++ linux-2.6.24.4/include/asm-x86/mmu.h 2008-03-26 17:56:56.000000000 -0400
28915 -@@ -11,13 +11,26 @@
28916 - * cpu_vm_mask is used to optimize ldt flushing.
28917 - */
28918 - typedef struct {
28919 -- void *ldt;
28920 -+ struct desc_struct *ldt;
28921 - #ifdef CONFIG_X86_64
28922 - rwlock_t ldtlock;
28923 - #endif
28924 - int size;
28925 - struct mutex lock;
28926 -- void *vdso;
28927 -+ unsigned long vdso;
28928 -+
28929 -+#ifdef CONFIG_X86_32
28930 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28931 -+ unsigned long user_cs_base;
28932 -+ unsigned long user_cs_limit;
28933 -+
28934 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
28935 -+ cpumask_t cpu_user_cs_mask;
28936 -+#endif
28937 -+
28938 -+#endif
28939 -+#endif
28940 -+
28941 - } mm_context_t;
28942 -
28943 - #endif /* _ASM_X86_MMU_H */
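Review bot: `vdso` changing from `void *` to `unsigned long` is what lets the `(unsigned long)` casts go in the elf.h hunks, and `ldt` becoming `struct desc_struct *` matches the `get_desc_base()` signature change; both are fine, but the new `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` fields carry no comment at all. Given the existing comment style above (`cpu_vm_mask is used to optimize ldt flushing`), each new field should get one line: what it tracks and who updates it (the `switch_mm()` hunk in mmu_context_32.h).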
28944 -diff -urNp linux-2.6.24.4/include/asm-x86/module_32.h linux-2.6.24.4/include/asm-x86/module_32.h
28945 ---- linux-2.6.24.4/include/asm-x86/module_32.h 2008-03-24 14:49:18.000000000 -0400
28946 -+++ linux-2.6.24.4/include/asm-x86/module_32.h 2008-03-26 17:56:56.000000000 -0400
28947 -@@ -70,6 +70,12 @@ struct mod_arch_specific
28948 - #define MODULE_STACKSIZE ""
28949 - #endif
28950 -
28951 --#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
28952 -+#ifdef CONFIG_GRKERNSEC
28953 -+#define MODULE_GRSEC "GRSECURITY "
28954 -+#else
28955 -+#define MODULE_GRSEC ""
28956 -+#endif
28957 -+
28958 -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
28959 -
28960 - #endif /* _ASM_I386_MODULE_H */
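Review bot: appending `"GRSECURITY "` to `MODULE_ARCH_VERMAGIC` means a module built against a non-grsec configuration is refused at load time with a vermagic mismatch even if everything else matches. That is a sensible guard, since such a module would not know about the changed `mm_context_t` layout or the read-only descriptor tables introduced by this patch, but it is a user-visible behaviour change and should be spelled out both in the patch description and in a comment on the define; confirm the 64-bit module header receives the same addition so the guard is consistent.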
28961 -diff -urNp linux-2.6.24.4/include/asm-x86/page_32.h linux-2.6.24.4/include/asm-x86/page_32.h
28962 ---- linux-2.6.24.4/include/asm-x86/page_32.h 2008-03-24 14:49:18.000000000 -0400
28963 -+++ linux-2.6.24.4/include/asm-x86/page_32.h 2008-03-26 17:56:56.000000000 -0400
28964 -@@ -90,7 +90,6 @@ static inline pte_t native_make_pte(unsi
28965 - typedef struct { unsigned long pte_low; } pte_t;
28966 - typedef struct { unsigned long pgd; } pgd_t;
28967 - typedef struct { unsigned long pgprot; } pgprot_t;
28968 --#define boot_pte_t pte_t /* or would you rather have a typedef */
28969 -
28970 - static inline unsigned long native_pgd_val(pgd_t pgd)
28971 - {
28972 -@@ -175,6 +174,18 @@ extern int page_is_ram(unsigned long pag
28973 - #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
28974 - #endif
28975 -
28976 -+#ifdef CONFIG_PAX_KERNEXEC
28977 -+#ifndef __ASSEMBLY__
28978 -+extern unsigned char MODULES_VADDR[];
28979 -+extern unsigned char MODULES_END[];
28980 -+extern unsigned char KERNEL_TEXT_OFFSET[];
28981 -+#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
28982 -+#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
28983 -+#endif
28984 -+#else
28985 -+#define ktla_ktva(addr) (addr)
28986 -+#define ktva_ktla(addr) (addr)
28987 -+#endif
28988 -
28989 - #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
28990 - #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
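Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses, so `ktva_ktla(a ? b : c)` becomes `(a ? b : c - (unsigned long)KERNEL_TEXT_OFFSET)`; write them as `((addr) + ...)` and `((addr) - ...)`. Add a comment on the naming (kernel text linear address versus kernel text virtual address) and on the fact that `MODULES_VADDR`, `MODULES_END` and `KERNEL_TEXT_OFFSET` are linker-script symbols declared as arrays so that only their addresses are meaningful.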
28991 -@@ -197,6 +208,10 @@ extern int page_is_ram(unsigned long pag
28992 - ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
28993 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
28994 -
28995 -+#ifdef CONFIG_PAX_PAGEEXEC
28996 -+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
28997 -+#endif
28998 -+
28999 - #include <asm-generic/memory_model.h>
29000 - #include <asm-generic/page.h>
29001 -
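Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` defines a `CONFIG_` symbol from a header rather than from Kconfig, so it is invisible to `.config`, to `make oldconfig` and to anything that greps the configuration; select it from the `PAX_PAGEEXEC` Kconfig entry instead, or drop the `CONFIG_` prefix if it is a purely internal switch.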
29002 -diff -urNp linux-2.6.24.4/include/asm-x86/page_64.h linux-2.6.24.4/include/asm-x86/page_64.h
29003 ---- linux-2.6.24.4/include/asm-x86/page_64.h 2008-03-24 14:49:18.000000000 -0400
29004 -+++ linux-2.6.24.4/include/asm-x86/page_64.h 2008-03-26 17:56:56.000000000 -0400
29005 -@@ -94,6 +94,9 @@ extern unsigned long phys_base;
29006 - #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
29007 - #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
29008 -
29009 -+#define ktla_ktva(addr) (addr)
29010 -+#define ktva_ktla(addr) (addr)
29011 -+
29012 - /* to align the pointer to the (next) page boundary */
29013 - #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
29014 -
29015 -diff -urNp linux-2.6.24.4/include/asm-x86/paravirt.h linux-2.6.24.4/include/asm-x86/paravirt.h
29016 ---- linux-2.6.24.4/include/asm-x86/paravirt.h 2008-03-24 14:49:18.000000000 -0400
29017 -+++ linux-2.6.24.4/include/asm-x86/paravirt.h 2008-03-26 17:56:56.000000000 -0400
29018 -@@ -1124,23 +1124,23 @@ static inline unsigned long __raw_local_
29019 -
29020 - #define INTERRUPT_RETURN \
29021 - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_iret), CLBR_NONE, \
29022 -- jmp *%cs:pv_cpu_ops+PV_CPU_iret)
29023 -+ jmp *%ss:pv_cpu_ops+PV_CPU_iret)
29024 -
29025 - #define DISABLE_INTERRUPTS(clobbers) \
29026 - PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_disable), clobbers, \
29027 - pushl %eax; pushl %ecx; pushl %edx; \
29028 -- call *%cs:pv_irq_ops+PV_IRQ_irq_disable; \
29029 -+ call *%ss:pv_irq_ops+PV_IRQ_irq_disable; \
29030 - popl %edx; popl %ecx; popl %eax) \
29031 -
29032 - #define ENABLE_INTERRUPTS(clobbers) \
29033 - PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_enable), clobbers, \
29034 - pushl %eax; pushl %ecx; pushl %edx; \
29035 -- call *%cs:pv_irq_ops+PV_IRQ_irq_enable; \
29036 -+ call *%ss:pv_irq_ops+PV_IRQ_irq_enable; \
29037 - popl %edx; popl %ecx; popl %eax)
29038 -
29039 - #define ENABLE_INTERRUPTS_SYSEXIT \
29040 - PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), CLBR_NONE,\
29041 -- jmp *%cs:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
29042 -+ jmp *%ss:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
29043 -
29044 - #define GET_CR0_INTO_EAX \
29045 - push %ecx; push %edx; \
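Review bot: the four `%cs:` to `%ss:` changes here are the paravirt counterparts of the apm.h change and need the same explanatory comment (an indirect jump or call through a pointer stored in `pv_cpu_ops`/`pv_irq_ops` is a data fetch and must go through a data segment once the code segment base is shifted). The trailing context also shows this header still defining only `GET_CR0_INTO_EAX`, while irqflags_32.h adds `GET_CR0_INTO_EDX`/`SET_CR0_FROM_EDX` for the non-paravirt case; the two sides should expose the same set of macros.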
29046 -diff -urNp linux-2.6.24.4/include/asm-x86/pda.h linux-2.6.24.4/include/asm-x86/pda.h
29047 ---- linux-2.6.24.4/include/asm-x86/pda.h 2008-03-24 14:49:18.000000000 -0400
29048 -+++ linux-2.6.24.4/include/asm-x86/pda.h 2008-03-26 17:56:56.000000000 -0400
29049 -@@ -16,11 +16,9 @@ struct x8664_pda {
29050 - unsigned long oldrsp; /* 24 user rsp for system call */
29051 - int irqcount; /* 32 Irq nesting counter. Starts with -1 */
29052 - int cpunumber; /* 36 Logical CPU number */
29053 --#ifdef CONFIG_CC_STACKPROTECTOR
29054 - unsigned long stack_canary; /* 40 stack canary value */
29055 - /* gcc-ABI: this canary MUST be at
29056 - offset 40!!! */
29057 --#endif
29058 - char *irqstackptr;
29059 - int nodenumber; /* number of current node */
29060 - unsigned int __softirq_pending;
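Review bot: dropping the `#ifdef CONFIG_CC_STACKPROTECTOR` makes `stack_canary` a permanent member at offset 40 of `struct x8664_pda`, which keeps the offsets listed in the surrounding comments valid regardless of configuration; the comment should be updated to say the field is now unconditional and why, and any assembly that previously depended on the conditional layout should be checked against the fixed offsets.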
29061 -diff -urNp linux-2.6.24.4/include/asm-x86/percpu_32.h linux-2.6.24.4/include/asm-x86/percpu_32.h
29062 ---- linux-2.6.24.4/include/asm-x86/percpu_32.h 2008-03-24 14:49:18.000000000 -0400
29063 -+++ linux-2.6.24.4/include/asm-x86/percpu_32.h 2008-03-26 17:56:56.000000000 -0400
29064 -@@ -22,7 +22,7 @@
29065 - #define PER_CPU_VAR(var) %fs:per_cpu__##var
29066 - #else /* ! SMP */
29067 - #define PER_CPU(var, reg) \
29068 -- movl $per_cpu__##var, reg
29069 -+ movl per_cpu__##var, reg
29070 - #define PER_CPU_VAR(var) per_cpu__##var
29071 - #endif /* SMP */
29072 -
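Review bot: on !SMP `PER_CPU(var, reg)` changes from `movl $per_cpu__##var, reg` (load the address) to `movl per_cpu__##var, reg` (load the value), with no comment. That agrees with `PER_CPU_VAR(var)` being a memory operand, but it silently changes what every UP assembly caller receives in `reg`; the SMP variant is not in the hunk, so confirm both variants now agree and audit each `PER_CPU` user for the address-to-value switch, or rename the macro so stale callers fail to assemble.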
29073 -@@ -42,12 +42,12 @@
29074 - */
29075 - #ifdef CONFIG_SMP
29076 - /* Same as generic implementation except for optimized local access. */
29077 --#define __GENERIC_PER_CPU
29078 -
29079 - /* This is used for other cpus to find our section. */
29080 - extern unsigned long __per_cpu_offset[];
29081 -+extern void setup_per_cpu_areas(void);
29082 -
29083 --#define per_cpu_offset(x) (__per_cpu_offset[x])
29084 -+#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
29085 -
29086 - /* Separate out the type, so (int[3], foo) works. */
29087 - #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
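Review bot: `per_cpu_offset(x)` now subtracts `__per_cpu_start`, but neither the hunk nor the visible context declares `__per_cpu_start`; the header should include the linker-symbol declaration (or declare `extern char __per_cpu_start[]`) so the macro does not depend on include order. The removal of `#define __GENERIC_PER_CPU` also changes which generic per-cpu code paths compile; a one-line comment at `setup_per_cpu_areas` saying x86-32 now supplies its own setup would explain both edits together.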
29088 -@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
29089 -
29090 - /* var is in discarded region: offset to particular copy we want */
29091 - #define per_cpu(var, cpu) (*({ \
29092 -- extern int simple_indentifier_##var(void); \
29093 -+ extern int simple_identifier_##var(void); \
29094 - RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
29095 -
29096 - #define __raw_get_cpu_var(var) (*({ \
29097 -- extern int simple_indentifier_##var(void); \
29098 -+ extern int simple_identifier_##var(void); \
29099 - RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
29100 - }))
29101 -
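Review bot: the `simple_indentifier_` to `simple_identifier_` rename is an unrelated typo fix; it is harmless (the extern exists only as a type-check trick inside the statement expression) but belongs in its own change so the security-relevant per-cpu edits stay reviewable.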
29102 -@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
29103 - do { \
29104 - unsigned int __i; \
29105 - for_each_possible_cpu(__i) \
29106 -- memcpy((pcpudst)+__per_cpu_offset[__i], \
29107 -+ memcpy((pcpudst)+per_cpu_offset(__i), \
29108 - (src), (size)); \
29109 - } while (0)
29110 -
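Review bot: the copy loop now adds `per_cpu_offset(__i)` (which, per the earlier hunk, is `__per_cpu_offset[__i] - __per_cpu_start`) to `pcpudst`, while `per_cpu(var, cpu)` still adds the raw `__per_cpu_offset[cpu]` to `&per_cpu__##var` via RELOC_HIDE. The two are only consistent if `pcpudst` is the per-cpu section start; a comment stating that invariant at the macro would save the next reader from re-deriving it.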
29111 -diff -urNp linux-2.6.24.4/include/asm-x86/pgalloc_32.h linux-2.6.24.4/include/asm-x86/pgalloc_32.h
29112 ---- linux-2.6.24.4/include/asm-x86/pgalloc_32.h 2008-03-24 14:49:18.000000000 -0400
29113 -+++ linux-2.6.24.4/include/asm-x86/pgalloc_32.h 2008-03-26 17:56:56.000000000 -0400
29114 -@@ -15,11 +15,19 @@
29115 - #define paravirt_release_pd(pfn) do { } while (0)
29116 - #endif
29117 -
29118 -+#ifdef CONFIG_COMPAT_VDSO
29119 - #define pmd_populate_kernel(mm, pmd, pte) \
29120 - do { \
29121 - paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
29122 - set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
29123 - } while (0)
29124 -+#else
29125 -+#define pmd_populate_kernel(mm, pmd, pte) \
29126 -+do { \
29127 -+ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
29128 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
29129 -+} while (0)
29130 -+#endif
29131 -
29132 - #define pmd_populate(mm, pmd, pte) \
29133 - do { \
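Review bot: the `#else` branch duplicates the whole `pmd_populate_kernel` body to change one flag word (`_PAGE_TABLE` carries `_PAGE_USER`, `_KERNPG_TABLE` does not). Select the flags in the `#ifdef` and keep a single macro body, e.g. `#define __PMD_KERNEL_FLAGS _KERNPG_TABLE` in the `#else`, and add a comment on why CONFIG_COMPAT_VDSO still needs the user bit on kernel-populated tables (presumably the fixed-address vDSO mapped through them).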
29134 -diff -urNp linux-2.6.24.4/include/asm-x86/pgalloc_64.h linux-2.6.24.4/include/asm-x86/pgalloc_64.h
29135 ---- linux-2.6.24.4/include/asm-x86/pgalloc_64.h 2008-03-24 14:49:18.000000000 -0400
29136 -+++ linux-2.6.24.4/include/asm-x86/pgalloc_64.h 2008-03-26 17:56:56.000000000 -0400
29137 -@@ -6,7 +6,7 @@
29138 - #include <linux/mm.h>
29139 -
29140 - #define pmd_populate_kernel(mm, pmd, pte) \
29141 -- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
29142 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
29143 - #define pud_populate(mm, pud, pmd) \
29144 - set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
29145 - #define pgd_populate(mm, pgd, pud) \
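Review bot: only `pmd_populate_kernel` drops `_PAGE_USER` (`_KERNPG_TABLE`); `pud_populate` and `pgd_populate` right below still use `_PAGE_TABLE`. Upper-level entries need the user bit whenever any user mapping lives beneath them, so leaving those alone may well be deliberate, but the asymmetry should be stated in a comment, otherwise the next reader will "fix" it.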
29146 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable-2level.h linux-2.6.24.4/include/asm-x86/pgtable-2level.h
29147 ---- linux-2.6.24.4/include/asm-x86/pgtable-2level.h 2008-03-24 14:49:18.000000000 -0400
29148 -+++ linux-2.6.24.4/include/asm-x86/pgtable-2level.h 2008-03-26 17:56:56.000000000 -0400
29149 -@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
29150 - }
29151 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
29152 - {
29153 -+
29154 -+#ifdef CONFIG_PAX_KERNEXEC
29155 -+ unsigned long cr0;
29156 -+
29157 -+ pax_open_kernel(cr0);
29158 -+#endif
29159 -+
29160 - *pmdp = pmd;
29161 -+
29162 -+#ifdef CONFIG_PAX_KERNEXEC
29163 -+ pax_close_kernel(cr0);
29164 -+#endif
29165 -+
29166 - }
29167 - #ifndef CONFIG_PARAVIRT
29168 - #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
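Review bot: the `pax_open_kernel`/`pax_close_kernel` pair brackets a single store, and the same ten-line boilerplate recurs in `native_set_pmd`/`native_set_pud` (3-level), `set_pmd` (64-bit) and `clone_pgd_range`. A small helper, or a macro that takes the protected statement as an argument, would avoid the copy-paste; the extra blank lines left around the `#ifdef` blocks are also out of step with the surrounding style.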
29169 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable_32.h linux-2.6.24.4/include/asm-x86/pgtable_32.h
29170 ---- linux-2.6.24.4/include/asm-x86/pgtable_32.h 2008-03-24 14:49:18.000000000 -0400
29171 -+++ linux-2.6.24.4/include/asm-x86/pgtable_32.h 2008-03-26 17:56:56.000000000 -0400
29172 -@@ -31,7 +31,6 @@ struct vm_area_struct;
29173 - */
29174 - #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
29175 - extern unsigned long empty_zero_page[1024];
29176 --extern pgd_t swapper_pg_dir[1024];
29177 - extern struct kmem_cache *pmd_cache;
29178 - extern spinlock_t pgd_lock;
29179 - extern struct page *pgd_list;
29180 -@@ -55,6 +54,11 @@ void paging_init(void);
29181 - # include <asm/pgtable-2level-defs.h>
29182 - #endif
29183 -
29184 -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
29185 -+#ifdef CONFIG_X86_PAE
29186 -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
29187 -+#endif
29188 -+
29189 - #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
29190 - #define PGDIR_MASK (~(PGDIR_SIZE-1))
29191 -
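Review bot: the earlier hunk in this file removed `extern pgd_t swapper_pg_dir[1024]`, and it reappears here as `swapper_pg_dir[PTRS_PER_PGD]` after the `pgtable-*level-defs.h` include where `PTRS_PER_PGD` is known (4 on PAE, 1024 otherwise). That is the right place, but say so in a comment, and the new PAE `swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD]` should note where it is defined and which code populates it.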
29192 -@@ -64,9 +68,11 @@ void paging_init(void);
29193 - #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
29194 - #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
29195 -
29196 -+#ifndef CONFIG_X86_PAE
29197 - #define TWOLEVEL_PGDIR_SHIFT 22
29198 - #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
29199 - #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
29200 -+#endif
29201 -
29202 - /* Just any arbitrary offset to the start of the vmalloc VM area: the
29203 - * current 8MB value just means that there will be a 8MB "hole" after the
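Review bot: guarding `TWOLEVEL_PGDIR_SHIFT`, `BOOT_USER_PGD_PTRS` and `BOOT_KERNEL_PGD_PTRS` with `#ifndef CONFIG_X86_PAE` turns any PAE use of them into a build error. If that is the intent (the constants only describe the 2-level layout), add a one-line comment; if the PAE boot code still references them the build breaks, so this should be confirmed with a PAE config.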
29204 -@@ -133,7 +139,7 @@ void paging_init(void);
29205 - #define PAGE_NONE \
29206 - __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
29207 - #define PAGE_SHARED \
29208 -- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
29209 -+ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
29210 -
29211 - #define PAGE_SHARED_EXEC \
29212 - __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
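Review bot: adding `_PAGE_NX` to `PAGE_SHARED` while `PAGE_SHARED_EXEC` keeps the executable form is the core of the NX change for shared writable mappings. On a non-PAE 32-bit build `_PAGE_NX` must expand to 0 for this to remain harmless, and `pte_exprotect` further down falls back to clearing `_PAGE_USER` when `__supported_pte_mask` lacks NX; a comment at this definition tying the two together would help.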
29213 -@@ -199,7 +205,7 @@ extern unsigned long long __PAGE_KERNEL,
29214 - #undef TEST_ACCESS_OK
29215 -
29216 - /* The boot page tables (all created as a single array) */
29217 --extern unsigned long pg0[];
29218 -+extern pte_t pg0[];
29219 -
29220 - #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
29221 -
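Review bot: retyping `pg0` from `unsigned long[]` to `pte_t[]` is a good type-safety fix, but on PAE `sizeof(pte_t)` is 8, so every place that indexes or sizes `pg0` arithmetically must be checked for a 4-byte-entry assumption.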
29222 -@@ -215,30 +221,55 @@ extern unsigned long pg0[];
29223 - * The following only work if pte_present() is true.
29224 - * Undefined behaviour if not..
29225 - */
29226 -+static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
29227 - static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
29228 - static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
29229 - static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
29230 - static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
29231 -
29232 -+#ifdef CONFIG_X86_PAE
29233 -+# include <asm/pgtable-3level.h>
29234 -+#else
29235 -+# include <asm/pgtable-2level.h>
29236 -+#endif
29237 -+
29238 - /*
29239 - * The following only works if pte_present() is not true.
29240 - */
29241 - static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
29242 -
29243 -+static inline pte_t pte_exprotect(pte_t pte)
29244 -+{
29245 -+#ifdef CONFIG_X86_PAE
29246 -+ if (__supported_pte_mask & _PAGE_NX)
29247 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
29248 -+ else
29249 -+#endif
29250 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
29251 -+ return pte;
29252 -+}
29253 -+
29254 - static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
29255 - static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
29256 - static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
29257 -+static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
29258 -+
29259 -+static inline pte_t pte_mkexec(pte_t pte)
29260 -+{
29261 -+#ifdef CONFIG_X86_PAE
29262 -+ if (__supported_pte_mask & _PAGE_NX)
29263 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
29264 -+ else
29265 -+#endif
29266 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
29267 -+ return pte;
29268 -+}
29269 -+
29270 - static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
29271 - static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
29272 - static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
29273 - static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
29274 -
29275 --#ifdef CONFIG_X86_PAE
29276 --# include <asm/pgtable-3level.h>
29277 --#else
29278 --# include <asm/pgtable-2level.h>
29279 --#endif
29280 --
29281 - #ifndef CONFIG_PARAVIRT
29282 - /*
29283 - * Rules for using pte_update - it must be called after any PTE update which
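Review bot: `pte_exprotect` and `pte_mkexec` build their result by calling `set_pte(&pte, ...)` on the local parameter. Under CONFIG_PARAVIRT `set_pte` goes through `pv_mmu_ops`, so this fires a page-table-update hook on a stack variable; the neighbouring helpers just manipulate the value, and the same is clearer here, e.g. `pte = __pte(pte_val(pte) | _PAGE_NX)`. The `pgtable-{2,3}level.h` include moves above these helpers because they need `__pte`/`pte_val`, which a comment at the include should say. Also note in a comment that the non-NX fallback (`~_PAGE_USER`) makes the page inaccessible from user mode rather than merely non-executable, and point at the fault path that makes that usable.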
29284 -@@ -350,7 +381,19 @@ static inline void ptep_set_wrprotect(st
29285 - */
29286 - static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
29287 - {
29288 -- memcpy(dst, src, count * sizeof(pgd_t));
29289 -+
29290 -+#ifdef CONFIG_PAX_KERNEXEC
29291 -+ unsigned long cr0;
29292 -+
29293 -+ pax_open_kernel(cr0);
29294 -+#endif
29295 -+
29296 -+ memcpy(dst, src, count * sizeof(pgd_t));
29297 -+
29298 -+#ifdef CONFIG_PAX_KERNEXEC
29299 -+ pax_close_kernel(cr0);
29300 -+#endif
29301 -+
29302 - }
29303 -
29304 - /*
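Review bot: the `memcpy` is deleted and re-added unchanged only to surround it with blank lines, which makes the diff look like a behaviour change; with the helper suggested for `native_set_pmd` this becomes a two-line edit around the existing `memcpy`.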
29305 -@@ -497,6 +540,9 @@ static inline void paravirt_pagetable_se
29306 -
29307 - #endif /* !__ASSEMBLY__ */
29308 -
29309 -+#define HAVE_ARCH_UNMAPPED_AREA
29310 -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
29311 -+
29312 - #ifdef CONFIG_FLATMEM
29313 - #define kern_addr_valid(addr) (1)
29314 - #endif /* CONFIG_FLATMEM */
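Review bot: `HAVE_ARCH_UNMAPPED_AREA` and `HAVE_ARCH_UNMAPPED_AREA_TOPDOWN` only announce that the arch provides `arch_get_unmapped_area` and `arch_get_unmapped_area_topdown`; nothing here says where they now live or why (the halved `SEGMEXEC_TASK_SIZE` in processor_32.h is the likely reason). A comment naming the implementing file would help.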
29315 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable-3level.h linux-2.6.24.4/include/asm-x86/pgtable-3level.h
29316 ---- linux-2.6.24.4/include/asm-x86/pgtable-3level.h 2008-03-24 14:49:18.000000000 -0400
29317 -+++ linux-2.6.24.4/include/asm-x86/pgtable-3level.h 2008-03-26 17:56:56.000000000 -0400
29318 -@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
29319 - }
29320 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
29321 - {
29322 -+
29323 -+#ifdef CONFIG_PAX_KERNEXEC
29324 -+ unsigned long cr0;
29325 -+
29326 -+ pax_open_kernel(cr0);
29327 -+#endif
29328 -+
29329 - set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
29330 -+
29331 -+#ifdef CONFIG_PAX_KERNEXEC
29332 -+ pax_close_kernel(cr0);
29333 -+#endif
29334 -+
29335 - }
29336 - static inline void native_set_pud(pud_t *pudp, pud_t pud)
29337 - {
29338 -+
29339 -+#ifdef CONFIG_PAX_KERNEXEC
29340 -+ unsigned long cr0;
29341 -+
29342 -+ pax_open_kernel(cr0);
29343 -+#endif
29344 -+
29345 - *pudp = pud;
29346 -+
29347 -+#ifdef CONFIG_PAX_KERNEXEC
29348 -+ pax_close_kernel(cr0);
29349 -+#endif
29350 -+
29351 - }
29352 -
29353 - /*
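Review bot: `native_set_pmd` here wraps `set_64bit`, the atomic 8-byte store PAE requires, so the WP-disabled window now also spans that atomic sequence; functionally fine, but worth a note. `native_set_pud` repeats the same open/close boilerplate once more, which strengthens the case for a shared helper.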
29354 -diff -urNp linux-2.6.24.4/include/asm-x86/pgtable_64.h linux-2.6.24.4/include/asm-x86/pgtable_64.h
29355 ---- linux-2.6.24.4/include/asm-x86/pgtable_64.h 2008-03-24 14:49:18.000000000 -0400
29356 -+++ linux-2.6.24.4/include/asm-x86/pgtable_64.h 2008-03-26 17:56:56.000000000 -0400
29357 -@@ -79,7 +79,19 @@ static inline void set_pte(pte_t *dst, p
29358 -
29359 - static inline void set_pmd(pmd_t *dst, pmd_t val)
29360 - {
29361 -+
29362 -+#ifdef CONFIG_PAX_KERNEXEC
29363 -+ unsigned long cr0;
29364 -+
29365 -+ pax_open_kernel(cr0);
29366 -+#endif
29367 -+
29368 - pmd_val(*dst) = pmd_val(val);
29369 -+
29370 -+#ifdef CONFIG_PAX_KERNEXEC
29371 -+ pax_close_kernel(cr0);
29372 -+#endif
29373 -+
29374 - }
29375 -
29376 - static inline void set_pud(pud_t *dst, pud_t val)
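Review bot: only `set_pmd` is wrapped; `set_pud` (whose start is visible as context) and `set_pgd` are not touched by the hunk. If KERNEXEC makes the upper-level kernel page tables read-only as well, those need the same treatment; if it does not, say so in a comment, because a write-protected pud would oops on its first update.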
29377 -@@ -180,6 +192,10 @@ static inline pte_t ptep_get_and_clear_f
29378 - #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29379 - #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
29380 - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29381 -+
29382 -+#define PAGE_READONLY_NOEXEC PAGE_READONLY
29383 -+#define PAGE_SHARED_NOEXEC PAGE_SHARED
29384 -+
29385 - #define __PAGE_KERNEL \
29386 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
29387 - #define __PAGE_KERNEL_EXEC \
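Review bot: `PAGE_READONLY_NOEXEC` and `PAGE_SHARED_NOEXEC` are plain aliases; `PAGE_READONLY` already carries `_PAGE_NX` (visible above), and `PAGE_SHARED` is defined outside the hunk, so whether the `_NOEXEC` alias is really non-executable cannot be checked here. A comment that these exist for source compatibility with the 32-bit header, where the `_NOEXEC` variants differ from their base, would explain the otherwise redundant-looking names.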
29388 -@@ -188,10 +204,12 @@ static inline pte_t ptep_get_and_clear_f
29389 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_PCD | _PAGE_ACCESSED | _PAGE_NX)
29390 - #define __PAGE_KERNEL_RO \
29391 - (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
29392 -+#define __PAGE_KERNEL_RX \
29393 -+ (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED)
29394 - #define __PAGE_KERNEL_VSYSCALL \
29395 - (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
29396 - #define __PAGE_KERNEL_VSYSCALL_NOCACHE \
29397 -- (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD)
29398 -+ (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD | _PAGE_NX)
29399 - #define __PAGE_KERNEL_LARGE \
29400 - (__PAGE_KERNEL | _PAGE_PSE)
29401 - #define __PAGE_KERNEL_LARGE_EXEC \
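Review bot: `__PAGE_KERNEL_RX` is `__PAGE_KERNEL_RO` minus `_PAGE_NX`, and `__PAGE_KERNEL_VSYSCALL_NOCACHE` gains `_PAGE_NX` while `__PAGE_KERNEL_VSYSCALL` stays executable. Both are sensible, but the second needs a comment: it only holds if nothing is ever executed from the nocache vsyscall mapping.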
29402 -@@ -202,6 +220,7 @@ static inline pte_t ptep_get_and_clear_f
29403 - #define PAGE_KERNEL MAKE_GLOBAL(__PAGE_KERNEL)
29404 - #define PAGE_KERNEL_EXEC MAKE_GLOBAL(__PAGE_KERNEL_EXEC)
29405 - #define PAGE_KERNEL_RO MAKE_GLOBAL(__PAGE_KERNEL_RO)
29406 -+#define PAGE_KERNEL_RX MAKE_GLOBAL(__PAGE_KERNEL_RX)
29407 - #define PAGE_KERNEL_NOCACHE MAKE_GLOBAL(__PAGE_KERNEL_NOCACHE)
29408 - #define PAGE_KERNEL_VSYSCALL32 __pgprot(__PAGE_KERNEL_VSYSCALL)
29409 - #define PAGE_KERNEL_VSYSCALL MAKE_GLOBAL(__PAGE_KERNEL_VSYSCALL)
29410 -@@ -231,17 +250,17 @@ static inline pte_t ptep_get_and_clear_f
29411 -
29412 - static inline unsigned long pgd_bad(pgd_t pgd)
29413 - {
29414 -- return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29415 -+ return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29416 - }
29417 -
29418 - static inline unsigned long pud_bad(pud_t pud)
29419 - {
29420 -- return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29421 -+ return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29422 - }
29423 -
29424 - static inline unsigned long pmd_bad(pmd_t pmd)
29425 - {
29426 -- return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
29427 -+ return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
29428 - }
29429 -
29430 - #define pte_none(x) (!pte_val(x))
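Review bot: masking `_PAGE_NX` out of `pgd_bad`/`pud_bad`/`pmd_bad` is required once upper-level entries may carry NX, otherwise every NX-marked table would be reported as corrupt. The checks still accept `_PAGE_USER` unconditionally, which matches the `_PAGE_TABLE` use in `pud_populate`/`pgd_populate`; a comment cross-referencing pgalloc_64.h would keep the two in sync.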
29431 -diff -urNp linux-2.6.24.4/include/asm-x86/processor_32.h linux-2.6.24.4/include/asm-x86/processor_32.h
29432 ---- linux-2.6.24.4/include/asm-x86/processor_32.h 2008-03-24 14:49:18.000000000 -0400
29433 -+++ linux-2.6.24.4/include/asm-x86/processor_32.h 2008-03-26 17:56:56.000000000 -0400
29434 -@@ -100,8 +100,6 @@ struct cpuinfo_x86 {
29435 -
29436 - extern struct cpuinfo_x86 boot_cpu_data;
29437 - extern struct cpuinfo_x86 new_cpu_data;
29438 --extern struct tss_struct doublefault_tss;
29439 --DECLARE_PER_CPU(struct tss_struct, init_tss);
29440 -
29441 - #ifdef CONFIG_SMP
29442 - DECLARE_PER_CPU(struct cpuinfo_x86, cpu_info);
29443 -@@ -215,11 +213,19 @@ extern int bootloader_type;
29444 - */
29445 - #define TASK_SIZE (PAGE_OFFSET)
29446 -
29447 -+#ifdef CONFIG_PAX_SEGMEXEC
29448 -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
29449 -+#endif
29450 -+
29451 - /* This decides where the kernel will search for a free chunk of vm
29452 - * space during mmap's.
29453 - */
29454 - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
29455 -
29456 -+#ifdef CONFIG_PAX_SEGMEXEC
29457 -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
29458 -+#endif
29459 -+
29460 - #define HAVE_ARCH_PICK_MMAP_LAYOUT
29461 -
29462 - extern void hard_disable_TSC(void);
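Review bot: `SEGMEXEC_TASK_SIZE` halves the user address space (`TASK_SIZE / 2`) and `SEGMEXEC_TASK_UNMAPPED_BASE` follows, but nothing says which code picks between the two (the `HAVE_ARCH_PICK_MMAP_LAYOUT` right below is the hook). If the design is that a SEGMEXEC task lives in the lower half and the upper half is its execute-only mirror, a comment here should say so; it is the single fact a reader needs to make sense of both constants.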
29463 -@@ -344,6 +350,9 @@ struct tss_struct {
29464 -
29465 - #define ARCH_MIN_TASKALIGN 16
29466 -
29467 -+extern struct tss_struct doublefault_tss;
29468 -+extern struct tss_struct init_tss[NR_CPUS];
29469 -+
29470 - struct thread_struct {
29471 - /* cached TLS descriptors. */
29472 - struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
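Review bot: `init_tss` changes from `DECLARE_PER_CPU(struct tss_struct, init_tss)` (removed in the first hunk of this file) to a plain `init_tss[NR_CPUS]` array, which is why the declaration moves below `struct tss_struct`. Every `per_cpu(init_tss, cpu)` user must become `init_tss[cpu]`; a comment on why a fixed array is preferred (presumably so each TSS has a link-time address for its GDT descriptor) would justify the change.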
29473 -@@ -372,7 +381,7 @@ struct thread_struct {
29474 - };
29475 -
29476 - #define INIT_THREAD { \
29477 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
29478 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
29479 - .vm86_info = NULL, \
29480 - .sysenter_cs = __KERNEL_CS, \
29481 - .io_bitmap_ptr = NULL, \
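Review bot: the `- 8` on `.esp0` reserves 8 bytes at the top of the ring-0 stack at initialisation (the same `-8` the comment further down in this file describes), and the `INIT_TSS` hunk right after makes the identical change. Define the constant once (e.g. `#define RING0_STACK_RESERVE 8`) and use it in both initialisers and in `task_pt_regs`, so the three cannot drift apart.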
29482 -@@ -387,7 +396,7 @@ struct thread_struct {
29483 - */
29484 - #define INIT_TSS { \
29485 - .x86_tss = { \
29486 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
29487 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
29488 - .ss0 = __KERNEL_DS, \
29489 - .ss1 = __KERNEL_CS, \
29490 - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
29491 -@@ -428,11 +437,7 @@ void show_trace(struct task_struct *task
29492 - unsigned long get_wchan(struct task_struct *p);
29493 -
29494 - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
29495 --#define KSTK_TOP(info) \
29496 --({ \
29497 -- unsigned long *__ptr = (unsigned long *)(info); \
29498 -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
29499 --})
29500 -+#define KSTK_TOP(info) ((info)->task.thread.esp0)
29501 -
29502 - /*
29503 - * The below -8 is to reserve 8 bytes on top of the ring0 stack.
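Review bot: `KSTK_TOP(info)` becomes `((info)->task.thread.esp0)`; if `thread_info::task` is the usual pointer member this should read `(info)->task->thread.esp0`, and since `task_pt_regs` in the next hunk no longer expands `KSTK_TOP`, nothing in this file compile-checks it. Confirm the macro still has a user and builds, or delete it. The comment `The below -8 is to reserve 8 bytes on top of the ring0 stack` now describes a `-8` that moved into `INIT_THREAD`/`INIT_TSS` and should be updated.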
29504 -@@ -447,7 +452,7 @@ unsigned long get_wchan(struct task_stru
29505 - #define task_pt_regs(task) \
29506 - ({ \
29507 - struct pt_regs *__regs__; \
29508 -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
29509 -+ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
29510 - __regs__ - 1; \
29511 - })
29512 -
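Review bot: `task_pt_regs` now reads `(task)->thread.esp0` directly instead of `KSTK_TOP(...) - 8`, which is correct only because `esp0` is initialised with the `- 8` in `INIT_THREAD`/`INIT_TSS` and kept in step on every stack switch. State that invariant in a comment at the macro and verify `thread.esp0` is set for every task before first use, kernel threads included.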
29513 -diff -urNp linux-2.6.24.4/include/asm-x86/processor_64.h linux-2.6.24.4/include/asm-x86/processor_64.h
29514 ---- linux-2.6.24.4/include/asm-x86/processor_64.h 2008-03-24 14:49:18.000000000 -0400
29515 -+++ linux-2.6.24.4/include/asm-x86/processor_64.h 2008-03-26 17:56:56.000000000 -0400
29516 -@@ -142,7 +142,7 @@ static inline void clear_in_cr4 (unsigne
29517 - /* This decides where the kernel will search for a free chunk of vm
29518 - * space during mmap's.
29519 - */
29520 --#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
29521 -+#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
29522 -
29523 - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
29524 - #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
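Review bot: `IA32_PAGE_OFFSET` for compat tasks without `ADDR_LIMIT_3GB` moves from `0xFFFFe000` to `0xFFFFf000`, raising `TASK_SIZE` by one page with no comment. Record which page the old limit excluded and why it is now part of the compat address space, since this constant bounds where 32-bit mappings may be placed.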
29525 -@@ -201,7 +201,7 @@ struct tss_struct {
29526 -
29527 -
29528 - extern struct cpuinfo_x86 boot_cpu_data;
29529 --DECLARE_PER_CPU(struct tss_struct,init_tss);
29530 -+extern struct tss_struct init_tss[NR_CPUS];
29531 - /* Save the original ist values for checking stack pointers during debugging */
29532 - struct orig_ist {
29533 - unsigned long ist[7];
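Review bot: same `init_tss[NR_CPUS]` conversion as in processor_32.h; keep the two declarations and their rationale comment identical, or move the declaration into a shared header so they cannot diverge.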
29534 -diff -urNp linux-2.6.24.4/include/asm-x86/ptrace.h linux-2.6.24.4/include/asm-x86/ptrace.h
29535 ---- linux-2.6.24.4/include/asm-x86/ptrace.h 2008-03-24 14:49:18.000000000 -0400
29536 -+++ linux-2.6.24.4/include/asm-x86/ptrace.h 2008-03-26 17:56:56.000000000 -0400
29537 -@@ -39,17 +39,18 @@ struct task_struct;
29538 - extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
29539 -
29540 - /*
29541 -- * user_mode_vm(regs) determines whether a register set came from user mode.
29542 -+ * user_mode(regs) determines whether a register set came from user mode.
29543 - * This is true if V8086 mode was enabled OR if the register set was from
29544 - * protected mode with RPL-3 CS value. This tricky test checks that with
29545 - * one comparison. Many places in the kernel can bypass this full check
29546 -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
29547 -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
29548 -+ * be used.
29549 - */
29550 --static inline int user_mode(struct pt_regs *regs)
29551 -+static inline int user_mode_novm(struct pt_regs *regs)
29552 - {
29553 - return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
29554 - }
29555 --static inline int user_mode_vm(struct pt_regs *regs)
29556 -+static inline int user_mode(struct pt_regs *regs)
29557 - {
29558 - return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
29559 - }
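Review bot: swapping the names so that `user_mode()` is the full V8086-aware test and the cheaper test becomes `user_mode_novm()` fails safe for existing `user_mode()` callers (they now get the stricter check), but it is an API inversion: code still calling `user_mode_vm()` no longer compiles, and code that deliberately used the fast check now silently pays for the full one. The updated comment is good; add a line noting the rename so a future merge does not flip it back.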
29560 -diff -urNp linux-2.6.24.4/include/asm-x86/reboot.h linux-2.6.24.4/include/asm-x86/reboot.h
29561 ---- linux-2.6.24.4/include/asm-x86/reboot.h 2008-03-24 14:49:18.000000000 -0400
29562 -+++ linux-2.6.24.4/include/asm-x86/reboot.h 2008-03-26 17:56:56.000000000 -0400
29563 -@@ -15,6 +15,6 @@ struct machine_ops
29564 -
29565 - extern struct machine_ops machine_ops;
29566 -
29567 --void machine_real_restart(unsigned char *code, int length);
29568 -+void machine_real_restart(const unsigned char *code, unsigned int length);
29569 -
29570 - #endif /* _ASM_REBOOT_H */
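Review bot: `const unsigned char *code, unsigned int length` is the right signature for a routine that only copies the real-mode code, but the definition and its callers must change in the same patch, and `length` becoming unsigned means any existing negative-value check at the definition is now dead and should be removed there.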
29571 -diff -urNp linux-2.6.24.4/include/asm-x86/segment_32.h linux-2.6.24.4/include/asm-x86/segment_32.h
29572 ---- linux-2.6.24.4/include/asm-x86/segment_32.h 2008-03-24 14:49:18.000000000 -0400
29573 -+++ linux-2.6.24.4/include/asm-x86/segment_32.h 2008-03-26 17:56:56.000000000 -0400
29574 -@@ -81,6 +81,12 @@
29575 - #define __KERNEL_PERCPU 0
29576 - #endif
29577 -
29578 -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
29579 -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
29580 -+
29581 -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
29582 -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
29583 -+
29584 - #define GDT_ENTRY_DOUBLEFAULT_TSS 31
29585 -
29586 - /*
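Review bot: `GDT_ENTRY_PCIBIOS_CS`/`_DS` at `GDT_ENTRY_KERNEL_BASE + 16/17` need a comment that these slots are free: with `GDT_ENTRY_KERNEL_BASE` at 12 in this kernel they are entries 28 and 29, between `__KERNEL_PERCPU` (`+15`) and `GDT_ENTRY_DOUBLEFAULT_TSS` (31). A `BUILD_BUG_ON(GDT_ENTRY_PCIBIOS_DS >= GDT_ENTRY_DOUBLEFAULT_TSS)` would make the layout assumption explicit, and the reason for dedicated PCI BIOS segments (calling the BIOS through limited code/data segments instead of the kernel's) belongs here as well.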
29587 -@@ -140,9 +146,9 @@
29588 - #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
29589 -
29590 - /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
29591 --#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
29592 -+#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
29593 -
29594 - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
29595 --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
29596 -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
29597 -
29598 - #endif
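Review bot: the rewritten `SEGMENT_IS_FLAT_CODE` and `SEGMENT_IS_PNP_CODE` compare against the selectors directly with only the RPL bits masked (`& 0xFFFCU`) instead of the old `0xec`/`0xf4` bit tricks; that is clearer and keeps the TI bit, so an LDT selector can never match. The stale comments above each (`they must be 2 entries apart`, `they must be consecutive`) describe constraints the new form no longer needs and should be dropped.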
29599 -diff -urNp linux-2.6.24.4/include/asm-x86/system_32.h linux-2.6.24.4/include/asm-x86/system_32.h
29600 ---- linux-2.6.24.4/include/asm-x86/system_32.h 2008-03-24 14:49:18.000000000 -0400
29601 -+++ linux-2.6.24.4/include/asm-x86/system_32.h 2008-03-26 17:56:56.000000000 -0400
29602 -@@ -188,6 +188,21 @@ static inline void clflush(volatile void
29603 - /* Set the 'TS' bit */
29604 - #define stts() write_cr0(8 | read_cr0())
29605 -
29606 -+#define pax_open_kernel(cr0) \
29607 -+do { \
29608 -+ typecheck(unsigned long, cr0); \
29609 -+ preempt_disable(); \
29610 -+ cr0 = read_cr0(); \
29611 -+ write_cr0(cr0 & ~X86_CR0_WP); \
29612 -+} while (0)
29613 -+
29614 -+#define pax_close_kernel(cr0) \
29615 -+do { \
29616 -+ typecheck(unsigned long, cr0); \
29617 -+ write_cr0(cr0); \
29618 -+ preempt_enable_no_resched(); \
29619 -+} while (0)
29620 -+
29621 - #endif /* __KERNEL__ */
29622 -
29623 - static inline unsigned long get_limit(unsigned long segment)
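Review bot: `pax_open_kernel` clears `CR0.WP` under `preempt_disable()` but leaves interrupts enabled, so an interrupt taken inside the window runs with write protection off; if that is accepted by design because the window is a few instructions, say so in a comment, otherwise consider `local_irq_save`. `pax_close_kernel` writes back the whole saved `cr0` rather than only re-setting WP, so any CR0 change made by an interrupt handler in the window is lost, and `preempt_enable_no_resched()` defers the reschedule check, which is only acceptable because callers return to a preemptible path shortly after. The `typecheck(unsigned long, cr0)` is a good touch.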
29624 -@@ -195,7 +210,7 @@ static inline unsigned long get_limit(un
29625 - unsigned long __limit;
29626 - __asm__("lsll %1,%0"
29627 - :"=r" (__limit):"r" (segment));
29628 -- return __limit+1;
29629 -+ return __limit;
29630 - }
29631 -
29632 - #define nop() __asm__ __volatile__ ("nop")
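Review bot: `get_limit()` now returns the raw `lsl` result (the limit, i.e. the last valid byte offset) instead of `limit + 1` (the size); every caller must be audited for this off-by-one, which the unchanged name does not advertise. The inline asm also still ignores ZF: `lsl` leaves the destination untouched for an invalid selector, so `__limit` is returned uninitialised in that case; initialise it or check the flag.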
29633 -@@ -311,7 +326,7 @@ void enable_hlt(void);
29634 - extern int es7000_plat;
29635 - void cpu_idle_wait(void);
29636 -
29637 --extern unsigned long arch_align_stack(unsigned long sp);
29638 -+#define arch_align_stack(x) (x)
29639 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
29640 -
29641 - void default_idle(void);
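Review bot: turning `arch_align_stack()` into the identity macro `(x)` drops both the upstream stack-top randomisation and the `& ~0xf` alignment that function performed. The randomisation is presumably replaced by PaX's own RANDUSTACK (`delta_stack` in the a.out.h hunk below), but the 16-byte alignment must now be guaranteed by the callers, and a comment here should say where that happens.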
29642 -diff -urNp linux-2.6.24.4/include/asm-x86/system_64.h linux-2.6.24.4/include/asm-x86/system_64.h
29643 ---- linux-2.6.24.4/include/asm-x86/system_64.h 2008-03-24 14:49:18.000000000 -0400
29644 -+++ linux-2.6.24.4/include/asm-x86/system_64.h 2008-03-26 17:56:56.000000000 -0400
29645 -@@ -33,6 +33,8 @@
29646 - ".globl thread_return\n" \
29647 - "thread_return:\n\t" \
29648 - "movq %%gs:%P[pda_pcurrent],%%rsi\n\t" \
29649 -+ "movq %P[task_canary](%%rsi),%%r8\n\t" \
29650 -+ "movq %%r8,%%gs:%P[pda_canary]\n\t" \
29651 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
29652 - LOCK_PREFIX "btr %[tif_fork],%P[ti_flags](%%r8)\n\t" \
29653 - "movq %%rax,%%rdi\n\t" \
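Review bot: the two new `movq` instructions copy `task->stack_canary` into `pda->stack_canary` on every context switch, using `%r8` as scratch before it is reloaded with `thread_info` on the following line, so there is no register conflict. The `%P[task_canary]` operand does require `struct task_struct::stack_canary` to exist regardless of CONFIG_CC_STACKPROTECTOR, matching the now unconditional pda field from the pda.h hunk; a comment at the asm stating that pairing would help.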
29654 -@@ -44,7 +46,9 @@
29655 - [ti_flags] "i" (offsetof(struct thread_info, flags)),\
29656 - [tif_fork] "i" (TIF_FORK), \
29657 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
29658 -- [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)) \
29659 -+ [task_canary] "i" (offsetof(struct task_struct, stack_canary)), \
29660 -+ [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)), \
29661 -+ [pda_canary] "i" (offsetof(struct x8664_pda, stack_canary)) \
29662 - : "memory", "cc" __EXTRA_CLOBBER)
29663 -
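Review bot: the operand list grows `task_canary` and `pda_canary`, and `pda_pcurrent`, previously last, correctly gains a trailing comma while `pda_canary` becomes the one without. Consider a `BUILD_BUG_ON(offsetof(struct x8664_pda, stack_canary) != 40)` near here, since gcc's `-fstack-protector` hardcodes that offset.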
29664 - extern void load_gs_index(unsigned);
29665 -@@ -139,6 +143,21 @@ static inline void write_cr8(unsigned lo
29666 - #define wbinvd() \
29667 - __asm__ __volatile__ ("wbinvd": : :"memory")
29668 -
29669 -+#define pax_open_kernel(cr0) \
29670 -+do { \
29671 -+ typecheck(unsigned long, cr0); \
29672 -+ preempt_disable(); \
29673 -+ cr0 = read_cr0(); \
29674 -+ write_cr0(cr0 & ~X86_CR0_WP); \
29675 -+} while (0)
29676 -+
29677 -+#define pax_close_kernel(cr0) \
29678 -+do { \
29679 -+ typecheck(unsigned long, cr0); \
29680 -+ write_cr0(cr0); \
29681 -+ preempt_enable_no_resched(); \
29682 -+} while (0)
29683 -+
29684 - #endif /* __KERNEL__ */
29685 -
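Review bot: these `pax_open_kernel`/`pax_close_kernel` definitions are identical to the ones in system_32.h; put them in a shared header so a fix to one cannot miss the other. The same remarks apply about the interrupt window and the full-CR0 restore.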
29686 - static inline void clflush(volatile void *__p)
29687 -@@ -179,7 +198,7 @@ static inline void clflush(volatile void
29688 -
29689 - void cpu_idle_wait(void);
29690 -
29691 --extern unsigned long arch_align_stack(unsigned long sp);
29692 -+#define arch_align_stack(x) (x)
29693 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
29694 -
29695 - #endif
29696 -diff -urNp linux-2.6.24.4/include/asm-x86/uaccess_32.h linux-2.6.24.4/include/asm-x86/uaccess_32.h
29697 ---- linux-2.6.24.4/include/asm-x86/uaccess_32.h 2008-03-24 14:49:18.000000000 -0400
29698 -+++ linux-2.6.24.4/include/asm-x86/uaccess_32.h 2008-03-26 17:56:56.000000000 -0400
29699 -@@ -9,6 +9,7 @@
29700 - #include <linux/prefetch.h>
29701 - #include <linux/string.h>
29702 - #include <asm/page.h>
29703 -+#include <asm/segment.h>
29704 -
29705 - #define VERIFY_READ 0
29706 - #define VERIFY_WRITE 1
29707 -@@ -29,7 +30,8 @@
29708 -
29709 - #define get_ds() (KERNEL_DS)
29710 - #define get_fs() (current_thread_info()->addr_limit)
29711 --#define set_fs(x) (current_thread_info()->addr_limit = (x))
29712 -+void __set_fs(mm_segment_t x, int cpu);
29713 -+void set_fs(mm_segment_t x);
29714 -
29715 - #define segment_eq(a,b) ((a).seg == (b).seg)
29716 -
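Review bot: `set_fs()` stops being a one-line assignment to `addr_limit` and becomes an out-of-line function with a `__set_fs(x, cpu)` variant, with no comment on what else it now does (presumably reloading a per-cpu segment limit to match the new address limit, consistent with the `%ds` switching in the `__put_user`/`__get_user` hunks). Document that side effect and the meaning of the `cpu` argument here, and note that `set_fs()` is now a function call on hot paths.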
29717 -@@ -101,6 +103,7 @@ struct exception_table_entry
29718 - };
29719 -
29720 - extern int fixup_exception(struct pt_regs *regs);
29721 -+#define ARCH_HAS_SORT_EXTABLE
29722 -
29723 - /*
29724 - * These are the main single-value transfer routines. They automatically
29725 -@@ -280,9 +283,12 @@ extern void __put_user_8(void);
29726 -
29727 - #define __put_user_u64(x, addr, err) \
29728 - __asm__ __volatile__( \
29729 -- "1: movl %%eax,0(%2)\n" \
29730 -- "2: movl %%edx,4(%2)\n" \
29731 -+ " movw %w5,%%ds\n" \
29732 -+ "1: movl %%eax,%%ds:0(%2)\n" \
29733 -+ "2: movl %%edx,%%ds:4(%2)\n" \
29734 - "3:\n" \
29735 -+ " pushl %%ss\n" \
29736 -+ " popl %%ds\n" \
29737 - ".section .fixup,\"ax\"\n" \
29738 - "4: movl %3,%0\n" \
29739 - " jmp 3b\n" \
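Review bot: the 64-bit put_user path now loads `%ds` with `__USER_DS` (operand `%w5`), performs both stores through `%%ds:`, and restores `%ds` from `%ss` at label `3:`, which is also where the fixup `jmp 3b` lands, so the restore covers the success and the fault path alike; that invariant is the crux and deserves a comment. The `movw %w5,%%ds` sits outside the `1:`/`2:` exception-table range, which is correct since loading a valid kernel-provided selector cannot fault.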
29740 -@@ -293,7 +299,8 @@ extern void __put_user_8(void);
29741 - " .long 2b,4b\n" \
29742 - ".previous" \
29743 - : "=r"(err) \
29744 -- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
29745 -+ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
29746 -+ "r"(__USER_DS))
29747 -
29748 - #ifdef CONFIG_X86_WP_WORKS_OK
29749 -
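Review bot: `"r"(__USER_DS)` is operand `%5` (`=r` err, `A` x, `r` addr, `i` -EFAULT and `0` err precede it), matching `%w5` in the asm; keep it last in both `__put_user` macros so the index never changes. A named operand (`[uds] "r"(__USER_DS)` with `%w[uds]`) would remove the positional dependency altogether.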
29750 -@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
29751 - */
29752 - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
29753 - __asm__ __volatile__( \
29754 -- "1: mov"itype" %"rtype"1,%2\n" \
29755 -+ " movw %w5,%%ds\n" \
29756 -+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
29757 - "2:\n" \
29758 -+ " pushl %%ss\n" \
29759 -+ " popl %%ds\n" \
29760 - ".section .fixup,\"ax\"\n" \
29761 - "3: movl %3,%0\n" \
29762 - " jmp 2b\n" \
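Review bot: prefixing the `"m"(__m(addr))` operand with `%%ds:` works because the operand is a plain base/displacement form, but it would break if a future constraint produced an operand that already carries a segment; the same named-operand suggestion as for `__put_user_u64` applies to `%w5` here.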
29763 -@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
29764 - " .long 1b,3b\n" \
29765 - ".previous" \
29766 - : "=r"(err) \
29767 -- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
29768 -+ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
29769 -+ "r"(__USER_DS))
29770 -
29771 -
29772 - #define __get_user_nocheck(x,ptr,size) \
29773 -@@ -371,8 +382,11 @@ do { \
29774 -
29775 - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
29776 - __asm__ __volatile__( \
29777 -- "1: mov"itype" %2,%"rtype"1\n" \
29778 -+ " movw %w5,%%ds\n" \
29779 -+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
29780 - "2:\n" \
29781 -+ " pushl %%ss\n" \
29782 -+ " popl %%ds\n" \
29783 - ".section .fixup,\"ax\"\n" \
29784 - "3: movl %3,%0\n" \
29785 - " xor"itype" %"rtype"1,%"rtype"1\n" \
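Review bot: in `__get_user_asm` the fixup (`3: movl %3,%0; xor %1,%1; jmp 2b`) returns to `2:` before the `pushl %%ss; popl %%ds` restore, so `%ds` is reset on the fault path too; `movw %w5,%%ds` needs its operand in a register, which `"r"(__USER_DS)` provides. Since every user access now pays two segment loads, a comment recording that the cost was accepted for the segment-limit check would be useful.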
29786 -@@ -383,7 +397,7 @@ do { \
29787 - " .long 1b,3b\n" \
29788 - ".previous" \
29789 - : "=r"(err), ltype (x) \
29790 -- : "m"(__m(addr)), "i"(errret), "0"(err))
29791 -+ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
29792 -
29793 -
29794 - unsigned long __must_check __copy_to_user_ll(void __user *to,
29795 -diff -urNp linux-2.6.24.4/include/asm-x86/uaccess_64.h linux-2.6.24.4/include/asm-x86/uaccess_64.h
29796 ---- linux-2.6.24.4/include/asm-x86/uaccess_64.h 2008-03-24 14:49:18.000000000 -0400
29797 -+++ linux-2.6.24.4/include/asm-x86/uaccess_64.h 2008-03-26 17:56:56.000000000 -0400
29798 -@@ -66,6 +66,7 @@ struct exception_table_entry
29799 - };
29800 -
29801 - #define ARCH_HAS_SEARCH_EXTABLE
29802 -+#define ARCH_HAS_SORT_EXTABLE
29803 -
29804 - /*
29805 - * These are the main single-value transfer routines. They automatically
29806 -diff -urNp linux-2.6.24.4/include/asm-xtensa/kmap_types.h linux-2.6.24.4/include/asm-xtensa/kmap_types.h
29807 ---- linux-2.6.24.4/include/asm-xtensa/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
29808 -+++ linux-2.6.24.4/include/asm-xtensa/kmap_types.h 2008-03-26 17:56:56.000000000 -0400
29809 -@@ -25,6 +25,7 @@ enum km_type {
29810 - KM_IRQ1,
29811 - KM_SOFTIRQ0,
29812 - KM_SOFTIRQ1,
29813 -+ KM_CLEARPAGE,
29814 - KM_TYPE_NR
29815 - };
29816 -
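Review bot: adding `KM_CLEARPAGE` to xtensa's `enum km_type` presumably mirrors the same addition in every other arch's `kmap_types.h` (only xtensa is visible here); any arch missing it will fail to compile wherever `KM_CLEARPAGE` is used. Placing it before `KM_TYPE_NR` is correct.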
29817 -diff -urNp linux-2.6.24.4/include/linux/a.out.h linux-2.6.24.4/include/linux/a.out.h
29818 ---- linux-2.6.24.4/include/linux/a.out.h 2008-03-24 14:49:18.000000000 -0400
29819 -+++ linux-2.6.24.4/include/linux/a.out.h 2008-03-26 17:56:56.000000000 -0400
29820 -@@ -7,6 +7,16 @@
29821 -
29822 - #include <asm/a.out.h>
29823 -
29824 -+#ifdef CONFIG_PAX_RANDUSTACK
29825 -+#define __DELTA_STACK (current->mm->delta_stack)
29826 -+#else
29827 -+#define __DELTA_STACK 0UL
29828 -+#endif
29829 -+
29830 -+#ifndef STACK_TOP
29831 -+#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
29832 -+#endif
29833 -+
29834 - #endif /* __STRUCT_EXEC_OVERRIDE__ */
29835 -
29836 - /* these go in the N_MACHTYPE field */
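Review bot: the `STACK_TOP` definition (`__STACK_TOP - __DELTA_STACK`) sits inside the block closed by `#endif /* __STRUCT_EXEC_OVERRIDE__ */`, so architectures that define `__STRUCT_EXEC_OVERRIDE__` and skip `<asm/a.out.h>` do not get it, and the `#ifndef STACK_TOP` guard means an arch header that still defines `STACK_TOP` instead of `__STACK_TOP` silently loses the per-process randomisation. A comment should state that arch headers must define `__STACK_TOP`, and a `#error` when neither is defined would catch the omission.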
29837 -@@ -37,6 +47,14 @@ enum machine_type {
29838 - M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
29839 - };
29840 -
29841 -+/* Constants for the N_FLAGS field */
29842 -+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
29843 -+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
29844 -+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
29845 -+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
29846 -+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
29847 -+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
29848 -+
29849 - #if !defined (N_MAGIC)
29850 - #define N_MAGIC(exec) ((exec).a_info & 0xffff)
29851 - #endif
29852 -diff -urNp linux-2.6.24.4/include/linux/binfmts.h linux-2.6.24.4/include/linux/binfmts.h
29853 ---- linux-2.6.24.4/include/linux/binfmts.h 2008-03-24 14:49:18.000000000 -0400
29854 -+++ linux-2.6.24.4/include/linux/binfmts.h 2008-03-26 17:56:56.000000000 -0400
29855 -@@ -49,6 +49,7 @@ struct linux_binprm{
29856 - unsigned interp_data;
29857 - unsigned long loader, exec;
29858 - unsigned long argv_len;
29859 -+ int misc;
29860 - };
29861 -
29862 - #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
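Review bot: the new int misc member of struct linux_binprm carries no comment saying what it stores or which loader sets it; a name tied to its purpose, or at least a trailing comment, would stop the field from being repurposed for something unrelated by a later patch.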
29863 -@@ -100,5 +101,8 @@ extern void compute_creds(struct linux_b
29864 - extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
29865 - extern int set_binfmt(struct linux_binfmt *new);
29866 -
29867 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
29868 -+void pax_report_insns(void *pc, void *sp);
29869 -+
29870 - #endif /* __KERNEL__ */
29871 - #endif /* _LINUX_BINFMTS_H */
29872 -diff -urNp linux-2.6.24.4/include/linux/cache.h linux-2.6.24.4/include/linux/cache.h
29873 ---- linux-2.6.24.4/include/linux/cache.h 2008-03-24 14:49:18.000000000 -0400
29874 -+++ linux-2.6.24.4/include/linux/cache.h 2008-03-26 17:56:56.000000000 -0400
29875 -@@ -16,6 +16,10 @@
29876 - #define __read_mostly
29877 - #endif
29878 -
29879 -+#ifndef __read_only
29880 -+#define __read_only __read_mostly
29881 -+#endif
29882 -+
29883 - #ifndef ____cacheline_aligned
29884 - #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
29885 - #endif
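Review bot: the fallback #define __read_only __read_mostly gives only cache-line placement, not write protection, so on architectures that do not provide their own definition the annotation's name promises more than it delivers; a comment at the #ifndef noting that __read_only is a placement hint here, and that any write-protection claim depends on an arch-specific definition, would avoid misleading readers of variables marked with it.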
29886 -diff -urNp linux-2.6.24.4/include/linux/capability.h linux-2.6.24.4/include/linux/capability.h
29887 ---- linux-2.6.24.4/include/linux/capability.h 2008-03-24 14:49:18.000000000 -0400
29888 -+++ linux-2.6.24.4/include/linux/capability.h 2008-03-26 17:56:56.000000000 -0400
29889 -@@ -373,6 +373,7 @@ static inline kernel_cap_t cap_invert(ke
29890 - #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
29891 -
29892 - int capable(int cap);
29893 -+int capable_nolog(int cap);
29894 - int __capable(struct task_struct *t, int cap);
29895 -
29896 - #endif /* __KERNEL__ */
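Review bot: capable_nolog() is declared next to capable() with nothing explaining how it differs, and the name only hints that it skips the audit record; a comment stating when a caller should prefer the silent variant matters here, since every use of capable_nolog() is a capability check that will not appear in the logs and reviewers need to be able to confirm each one is intentional.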
29897 -diff -urNp linux-2.6.24.4/include/linux/elf.h linux-2.6.24.4/include/linux/elf.h
29898 ---- linux-2.6.24.4/include/linux/elf.h 2008-03-24 14:49:18.000000000 -0400
29899 -+++ linux-2.6.24.4/include/linux/elf.h 2008-03-26 17:56:56.000000000 -0400
29900 -@@ -7,6 +7,10 @@
29901 -
29902 - struct file;
29903 -
29904 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29905 -+#undef elf_read_implies_exec
29906 -+#endif
29907 -+
29908 - #ifndef elf_read_implies_exec
29909 - /* Executables for which elf_read_implies_exec() returns TRUE will
29910 - have the READ_IMPLIES_EXEC personality flag set automatically.
29911 -@@ -48,6 +52,16 @@ typedef __s64 Elf64_Sxword;
29912 -
29913 - #define PT_GNU_STACK (PT_LOOS + 0x474e551)
29914 -
29915 -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
29916 -+
29917 -+/* Constants for the e_flags field */
29918 -+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
29919 -+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
29920 -+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
29921 -+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
29922 -+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
29923 -+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
29924 -+
29925 - /* These constants define the different elf file types */
29926 - #define ET_NONE 0
29927 - #define ET_REL 1
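Review bot: the EF_PAX_* values in this hunk duplicate the F_PAX_* constants added to include/linux/a.out.h earlier in this patch bit for bit (1, 2, 4, 8, 16 commented out, 32), so the two tables can drift apart silently; defining them once in a shared header, or defining one set in terms of the other, would keep the a.out and ELF marking semantics in sync. The PT_PAX_FLAGS value (PT_LOOS + 0x5041580) also deserves a comment saying it is a PaX-private program header type in the OS-specific range.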
29928 -@@ -82,6 +96,8 @@ typedef __s64 Elf64_Sxword;
29929 - #define DT_DEBUG 21
29930 - #define DT_TEXTREL 22
29931 - #define DT_JMPREL 23
29932 -+#define DT_FLAGS 30
29933 -+ #define DF_TEXTREL 0x00000004
29934 - #define DT_ENCODING 32
29935 - #define OLD_DT_LOOS 0x60000000
29936 - #define DT_LOOS 0x6000000d
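Review bot: the #define DF_TEXTREL line is indented with a leading space unlike every other #define in this block; drop the space so the style matches, and add a short comment that DF_TEXTREL is a bit of the DT_FLAGS value rather than a DT_* tag, since it sits in the middle of the DT_* list.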
29937 -@@ -228,6 +244,19 @@ typedef struct elf64_hdr {
29938 - #define PF_W 0x2
29939 - #define PF_X 0x1
29940 -
29941 -+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
29942 -+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
29943 -+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
29944 -+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
29945 -+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
29946 -+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
29947 -+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
29948 -+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
29949 -+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
29950 -+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
29951 -+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
29952 -+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
29953 -+
29954 - typedef struct elf32_phdr{
29955 - Elf32_Word p_type;
29956 - Elf32_Off p_offset;
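Review bot: the PF_* block defines both an enable and a disable bit for each feature (PF_PAGEEXEC/PF_NOPAGEEXEC, PF_SEGMEXEC/PF_NOSEGMEXEC, and so on) but nothing states what happens when a binary sets both bits of a pair; the header should document the precedence (or that such a pair is treated as invalid) so that every consumer of the PT_PAX_FLAGS header agrees and a marking tool cannot produce a file that two kernels interpret differently.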
29957 -@@ -320,6 +349,8 @@ typedef struct elf64_shdr {
29958 - #define EI_OSABI 7
29959 - #define EI_PAD 8
29960 -
29961 -+#define EI_PAX 14
29962 -+
29963 - #define ELFMAG0 0x7f /* EI_MAG */
29964 - #define ELFMAG1 'E'
29965 - #define ELFMAG2 'L'
29966 -@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
29967 - #define elf_phdr elf32_phdr
29968 - #define elf_note elf32_note
29969 - #define elf_addr_t Elf32_Off
29970 -+#define elf_dyn Elf32_Dyn
29971 -
29972 - #else
29973 -
29974 -@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
29975 - #define elf_phdr elf64_phdr
29976 - #define elf_note elf64_note
29977 - #define elf_addr_t Elf64_Off
29978 -+#define elf_dyn Elf64_Dyn
29979 -
29980 - #endif
29981 -
29982 -diff -urNp linux-2.6.24.4/include/linux/ext4_fs_extents.h linux-2.6.24.4/include/linux/ext4_fs_extents.h
29983 ---- linux-2.6.24.4/include/linux/ext4_fs_extents.h 2008-03-24 14:49:18.000000000 -0400
29984 -+++ linux-2.6.24.4/include/linux/ext4_fs_extents.h 2008-03-26 17:56:56.000000000 -0400
29985 -@@ -50,7 +50,7 @@
29986 - #ifdef EXT_DEBUG
29987 - #define ext_debug(a...) printk(a)
29988 - #else
29989 --#define ext_debug(a...)
29990 -+#define ext_debug(a...) do {} while (0)
29991 - #endif
29992 -
29993 - /*
29994 -diff -urNp linux-2.6.24.4/include/linux/gracl.h linux-2.6.24.4/include/linux/gracl.h
29995 ---- linux-2.6.24.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
29996 -+++ linux-2.6.24.4/include/linux/gracl.h 2008-03-26 17:56:56.000000000 -0400
29997 -@@ -0,0 +1,317 @@
29998 -+#ifndef GR_ACL_H
29999 -+#define GR_ACL_H
30000 -+
30001 -+#include <linux/grdefs.h>
30002 -+#include <linux/resource.h>
30003 -+#include <linux/dcache.h>
30004 -+#include <asm/resource.h>
30005 -+
30006 -+/* Major status information */
30007 -+
30008 -+#define GR_VERSION "grsecurity 2.1.11"
30009 -+#define GRSECURITY_VERSION 0x2111
30010 -+
30011 -+enum {
30012 -+
30013 -+ SHUTDOWN = 0,
30014 -+ ENABLE = 1,
30015 -+ SPROLE = 2,
30016 -+ RELOAD = 3,
30017 -+ SEGVMOD = 4,
30018 -+ STATUS = 5,
30019 -+ UNSPROLE = 6,
30020 -+ PASSSET = 7,
30021 -+ SPROLEPAM = 8
30022 -+};
30023 -+
30024 -+/* Password setup definitions
30025 -+ * kernel/grhash.c */
30026 -+enum {
30027 -+ GR_PW_LEN = 128,
30028 -+ GR_SALT_LEN = 16,
30029 -+ GR_SHA_LEN = 32,
30030 -+};
30031 -+
30032 -+enum {
30033 -+ GR_SPROLE_LEN = 64,
30034 -+};
30035 -+
30036 -+#define GR_NLIMITS (RLIMIT_LOCKS + 2)
30037 -+
30038 -+/* Begin Data Structures */
30039 -+
30040 -+struct sprole_pw {
30041 -+ unsigned char *rolename;
30042 -+ unsigned char salt[GR_SALT_LEN];
30043 -+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
30044 -+};
30045 -+
30046 -+struct name_entry {
30047 -+ __u32 key;
30048 -+ ino_t inode;
30049 -+ dev_t device;
30050 -+ char *name;
30051 -+ __u16 len;
30052 -+ __u8 deleted;
30053 -+ struct name_entry *prev;
30054 -+ struct name_entry *next;
30055 -+};
30056 -+
30057 -+struct inodev_entry {
30058 -+ struct name_entry *nentry;
30059 -+ struct inodev_entry *prev;
30060 -+ struct inodev_entry *next;
30061 -+};
30062 -+
30063 -+struct acl_role_db {
30064 -+ struct acl_role_label **r_hash;
30065 -+ __u32 r_size;
30066 -+};
30067 -+
30068 -+struct inodev_db {
30069 -+ struct inodev_entry **i_hash;
30070 -+ __u32 i_size;
30071 -+};
30072 -+
30073 -+struct name_db {
30074 -+ struct name_entry **n_hash;
30075 -+ __u32 n_size;
30076 -+};
30077 -+
30078 -+struct crash_uid {
30079 -+ uid_t uid;
30080 -+ unsigned long expires;
30081 -+};
30082 -+
30083 -+struct gr_hash_struct {
30084 -+ void **table;
30085 -+ void **nametable;
30086 -+ void *first;
30087 -+ __u32 table_size;
30088 -+ __u32 used_size;
30089 -+ int type;
30090 -+};
30091 -+
30092 -+/* Userspace Grsecurity ACL data structures */
30093 -+
30094 -+struct acl_subject_label {
30095 -+ char *filename;
30096 -+ ino_t inode;
30097 -+ dev_t device;
30098 -+ __u32 mode;
30099 -+ __u32 cap_mask;
30100 -+ __u32 cap_lower;
30101 -+
30102 -+ struct rlimit res[GR_NLIMITS];
30103 -+ __u16 resmask;
30104 -+
30105 -+ __u8 user_trans_type;
30106 -+ __u8 group_trans_type;
30107 -+ uid_t *user_transitions;
30108 -+ gid_t *group_transitions;
30109 -+ __u16 user_trans_num;
30110 -+ __u16 group_trans_num;
30111 -+
30112 -+ __u32 ip_proto[8];
30113 -+ __u32 ip_type;
30114 -+ struct acl_ip_label **ips;
30115 -+ __u32 ip_num;
30116 -+
30117 -+ __u32 crashes;
30118 -+ unsigned long expires;
30119 -+
30120 -+ struct acl_subject_label *parent_subject;
30121 -+ struct gr_hash_struct *hash;
30122 -+ struct acl_subject_label *prev;
30123 -+ struct acl_subject_label *next;
30124 -+
30125 -+ struct acl_object_label **obj_hash;
30126 -+ __u32 obj_hash_size;
30127 -+ __u16 pax_flags;
30128 -+};
30129 -+
30130 -+struct role_allowed_ip {
30131 -+ __u32 addr;
30132 -+ __u32 netmask;
30133 -+
30134 -+ struct role_allowed_ip *prev;
30135 -+ struct role_allowed_ip *next;
30136 -+};
30137 -+
30138 -+struct role_transition {
30139 -+ char *rolename;
30140 -+
30141 -+ struct role_transition *prev;
30142 -+ struct role_transition *next;
30143 -+};
30144 -+
30145 -+struct acl_role_label {
30146 -+ char *rolename;
30147 -+ uid_t uidgid;
30148 -+ __u16 roletype;
30149 -+
30150 -+ __u16 auth_attempts;
30151 -+ unsigned long expires;
30152 -+
30153 -+ struct acl_subject_label *root_label;
30154 -+ struct gr_hash_struct *hash;
30155 -+
30156 -+ struct acl_role_label *prev;
30157 -+ struct acl_role_label *next;
30158 -+
30159 -+ struct role_transition *transitions;
30160 -+ struct role_allowed_ip *allowed_ips;
30161 -+ uid_t *domain_children;
30162 -+ __u16 domain_child_num;
30163 -+
30164 -+ struct acl_subject_label **subj_hash;
30165 -+ __u32 subj_hash_size;
30166 -+};
30167 -+
30168 -+struct user_acl_role_db {
30169 -+ struct acl_role_label **r_table;
30170 -+ __u32 num_pointers; /* Number of allocations to track */
30171 -+ __u32 num_roles; /* Number of roles */
30172 -+ __u32 num_domain_children; /* Number of domain children */
30173 -+ __u32 num_subjects; /* Number of subjects */
30174 -+ __u32 num_objects; /* Number of objects */
30175 -+};
30176 -+
30177 -+struct acl_object_label {
30178 -+ char *filename;
30179 -+ ino_t inode;
30180 -+ dev_t device;
30181 -+ __u32 mode;
30182 -+
30183 -+ struct acl_subject_label *nested;
30184 -+ struct acl_object_label *globbed;
30185 -+
30186 -+ /* next two structures not used */
30187 -+
30188 -+ struct acl_object_label *prev;
30189 -+ struct acl_object_label *next;
30190 -+};
30191 -+
30192 -+struct acl_ip_label {
30193 -+ char *iface;
30194 -+ __u32 addr;
30195 -+ __u32 netmask;
30196 -+ __u16 low, high;
30197 -+ __u8 mode;
30198 -+ __u32 type;
30199 -+ __u32 proto[8];
30200 -+
30201 -+ /* next two structures not used */
30202 -+
30203 -+ struct acl_ip_label *prev;
30204 -+ struct acl_ip_label *next;
30205 -+};
30206 -+
30207 -+struct gr_arg {
30208 -+ struct user_acl_role_db role_db;
30209 -+ unsigned char pw[GR_PW_LEN];
30210 -+ unsigned char salt[GR_SALT_LEN];
30211 -+ unsigned char sum[GR_SHA_LEN];
30212 -+ unsigned char sp_role[GR_SPROLE_LEN];
30213 -+ struct sprole_pw *sprole_pws;
30214 -+ dev_t segv_device;
30215 -+ ino_t segv_inode;
30216 -+ uid_t segv_uid;
30217 -+ __u16 num_sprole_pws;
30218 -+ __u16 mode;
30219 -+};
30220 -+
30221 -+struct gr_arg_wrapper {
30222 -+ struct gr_arg *arg;
30223 -+ __u32 version;
30224 -+ __u32 size;
30225 -+};
30226 -+
30227 -+struct subject_map {
30228 -+ struct acl_subject_label *user;
30229 -+ struct acl_subject_label *kernel;
30230 -+ struct subject_map *prev;
30231 -+ struct subject_map *next;
30232 -+};
30233 -+
30234 -+struct acl_subj_map_db {
30235 -+ struct subject_map **s_hash;
30236 -+ __u32 s_size;
30237 -+};
30238 -+
30239 -+/* End Data Structures Section */
30240 -+
30241 -+/* Hash functions generated by empirical testing by Brad Spengler
30242 -+ Makes good use of the low bits of the inode. Generally 0-1 times
30243 -+ in loop for successful match. 0-3 for unsuccessful match.
30244 -+ Shift/add algorithm with modulus of table size and an XOR*/
30245 -+
30246 -+static __inline__ unsigned int
30247 -+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
30248 -+{
30249 -+ return (((uid << type) + (uid ^ type)) % sz);
30250 -+}
30251 -+
30252 -+ static __inline__ unsigned int
30253 -+shash(const struct acl_subject_label *userp, const unsigned int sz)
30254 -+{
30255 -+ return ((const unsigned long)userp % sz);
30256 -+}
30257 -+
30258 -+static __inline__ unsigned int
30259 -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
30260 -+{
30261 -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
30262 -+}
30263 -+
30264 -+static __inline__ unsigned int
30265 -+nhash(const char *name, const __u16 len, const unsigned int sz)
30266 -+{
30267 -+ return full_name_hash(name, len) % sz;
30268 -+}
30269 -+
30270 -+#define FOR_EACH_ROLE_START(role,iter) \
30271 -+ role = NULL; \
30272 -+ iter = 0; \
30273 -+ while (iter < acl_role_set.r_size) { \
30274 -+ if (role == NULL) \
30275 -+ role = acl_role_set.r_hash[iter]; \
30276 -+ if (role == NULL) { \
30277 -+ iter++; \
30278 -+ continue; \
30279 -+ }
30280 -+
30281 -+#define FOR_EACH_ROLE_END(role,iter) \
30282 -+ role = role->next; \
30283 -+ if (role == NULL) \
30284 -+ iter++; \
30285 -+ }
30286 -+
30287 -+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
30288 -+ subj = NULL; \
30289 -+ iter = 0; \
30290 -+ while (iter < role->subj_hash_size) { \
30291 -+ if (subj == NULL) \
30292 -+ subj = role->subj_hash[iter]; \
30293 -+ if (subj == NULL) { \
30294 -+ iter++; \
30295 -+ continue; \
30296 -+ }
30297 -+
30298 -+#define FOR_EACH_SUBJECT_END(subj,iter) \
30299 -+ subj = subj->next; \
30300 -+ if (subj == NULL) \
30301 -+ iter++; \
30302 -+ }
30303 -+
30304 -+
30305 -+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
30306 -+ subj = role->hash->first; \
30307 -+ while (subj != NULL) {
30308 -+
30309 -+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
30310 -+ subj = subj->next; \
30311 -+ }
30312 -+
30313 -+#endif
30314 -+
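Review bot: rhash() computes (uid << type) where type is a __u16 role type, and the GR_ROLE_* values in grdefs.h go up to 0x0400, so a caller passing a combined roletype rather than one of the small values would shift by more than the width of uid, which is undefined in C; either document that type must be one of GR_ROLE_USER, GR_ROLE_GROUP or GR_ROLE_DEFAULT and mask it, or mix the type into the hash without using it as a shift count. Minor style: the 'static __inline__' line above shash() has a stray leading space.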
30315 -diff -urNp linux-2.6.24.4/include/linux/gralloc.h linux-2.6.24.4/include/linux/gralloc.h
30316 ---- linux-2.6.24.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
30317 -+++ linux-2.6.24.4/include/linux/gralloc.h 2008-03-26 17:56:56.000000000 -0400
30318 -@@ -0,0 +1,8 @@
30319 -+#ifndef __GRALLOC_H
30320 -+#define __GRALLOC_H
30321 -+
30322 -+void acl_free_all(void);
30323 -+int acl_alloc_stack_init(unsigned long size);
30324 -+void *acl_alloc(unsigned long len);
30325 -+
30326 -+#endif
30327 -diff -urNp linux-2.6.24.4/include/linux/grdefs.h linux-2.6.24.4/include/linux/grdefs.h
30328 ---- linux-2.6.24.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
30329 -+++ linux-2.6.24.4/include/linux/grdefs.h 2008-03-26 17:56:56.000000000 -0400
30330 -@@ -0,0 +1,131 @@
30331 -+#ifndef GRDEFS_H
30332 -+#define GRDEFS_H
30333 -+
30334 -+/* Begin grsecurity status declarations */
30335 -+
30336 -+enum {
30337 -+ GR_READY = 0x01,
30338 -+ GR_STATUS_INIT = 0x00 // disabled state
30339 -+};
30340 -+
30341 -+/* Begin ACL declarations */
30342 -+
30343 -+/* Role flags */
30344 -+
30345 -+enum {
30346 -+ GR_ROLE_USER = 0x0001,
30347 -+ GR_ROLE_GROUP = 0x0002,
30348 -+ GR_ROLE_DEFAULT = 0x0004,
30349 -+ GR_ROLE_SPECIAL = 0x0008,
30350 -+ GR_ROLE_AUTH = 0x0010,
30351 -+ GR_ROLE_NOPW = 0x0020,
30352 -+ GR_ROLE_GOD = 0x0040,
30353 -+ GR_ROLE_LEARN = 0x0080,
30354 -+ GR_ROLE_TPE = 0x0100,
30355 -+ GR_ROLE_DOMAIN = 0x0200,
30356 -+ GR_ROLE_PAM = 0x0400
30357 -+};
30358 -+
30359 -+/* ACL Subject and Object mode flags */
30360 -+enum {
30361 -+ GR_DELETED = 0x80000000
30362 -+};
30363 -+
30364 -+/* ACL Object-only mode flags */
30365 -+enum {
30366 -+ GR_READ = 0x00000001,
30367 -+ GR_APPEND = 0x00000002,
30368 -+ GR_WRITE = 0x00000004,
30369 -+ GR_EXEC = 0x00000008,
30370 -+ GR_FIND = 0x00000010,
30371 -+ GR_INHERIT = 0x00000020,
30372 -+ GR_SETID = 0x00000040,
30373 -+ GR_CREATE = 0x00000080,
30374 -+ GR_DELETE = 0x00000100,
30375 -+ GR_LINK = 0x00000200,
30376 -+ GR_AUDIT_READ = 0x00000400,
30377 -+ GR_AUDIT_APPEND = 0x00000800,
30378 -+ GR_AUDIT_WRITE = 0x00001000,
30379 -+ GR_AUDIT_EXEC = 0x00002000,
30380 -+ GR_AUDIT_FIND = 0x00004000,
30381 -+ GR_AUDIT_INHERIT= 0x00008000,
30382 -+ GR_AUDIT_SETID = 0x00010000,
30383 -+ GR_AUDIT_CREATE = 0x00020000,
30384 -+ GR_AUDIT_DELETE = 0x00040000,
30385 -+ GR_AUDIT_LINK = 0x00080000,
30386 -+ GR_PTRACERD = 0x00100000,
30387 -+ GR_NOPTRACE = 0x00200000,
30388 -+ GR_SUPPRESS = 0x00400000,
30389 -+ GR_NOLEARN = 0x00800000
30390 -+};
30391 -+
30392 -+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
30393 -+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
30394 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
30395 -+
30396 -+/* ACL subject-only mode flags */
30397 -+enum {
30398 -+ GR_KILL = 0x00000001,
30399 -+ GR_VIEW = 0x00000002,
30400 -+ GR_PROTECTED = 0x00000004,
30401 -+ GR_LEARN = 0x00000008,
30402 -+ GR_OVERRIDE = 0x00000010,
30403 -+ /* just a placeholder, this mode is only used in userspace */
30404 -+ GR_DUMMY = 0x00000020,
30405 -+ GR_PROTSHM = 0x00000040,
30406 -+ GR_KILLPROC = 0x00000080,
30407 -+ GR_KILLIPPROC = 0x00000100,
30408 -+ /* just a placeholder, this mode is only used in userspace */
30409 -+ GR_NOTROJAN = 0x00000200,
30410 -+ GR_PROTPROCFD = 0x00000400,
30411 -+ GR_PROCACCT = 0x00000800,
30412 -+ GR_RELAXPTRACE = 0x00001000,
30413 -+ GR_NESTED = 0x00002000,
30414 -+ GR_INHERITLEARN = 0x00004000,
30415 -+ GR_PROCFIND = 0x00008000,
30416 -+ GR_POVERRIDE = 0x00010000,
30417 -+ GR_KERNELAUTH = 0x00020000,
30418 -+};
30419 -+
30420 -+enum {
30421 -+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
30422 -+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
30423 -+ GR_PAX_ENABLE_MPROTECT = 0x0004,
30424 -+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
30425 -+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
30426 -+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
30427 -+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
30428 -+ GR_PAX_DISABLE_MPROTECT = 0x0400,
30429 -+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
30430 -+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
30431 -+};
30432 -+
30433 -+enum {
30434 -+ GR_ID_USER = 0x01,
30435 -+ GR_ID_GROUP = 0x02,
30436 -+};
30437 -+
30438 -+enum {
30439 -+ GR_ID_ALLOW = 0x01,
30440 -+ GR_ID_DENY = 0x02,
30441 -+};
30442 -+
30443 -+#define GR_CRASH_RES 11
30444 -+#define GR_UIDTABLE_MAX 500
30445 -+
30446 -+/* begin resource learning section */
30447 -+enum {
30448 -+ GR_RLIM_CPU_BUMP = 60,
30449 -+ GR_RLIM_FSIZE_BUMP = 50000,
30450 -+ GR_RLIM_DATA_BUMP = 10000,
30451 -+ GR_RLIM_STACK_BUMP = 1000,
30452 -+ GR_RLIM_CORE_BUMP = 10000,
30453 -+ GR_RLIM_RSS_BUMP = 500000,
30454 -+ GR_RLIM_NPROC_BUMP = 1,
30455 -+ GR_RLIM_NOFILE_BUMP = 5,
30456 -+ GR_RLIM_MEMLOCK_BUMP = 50000,
30457 -+ GR_RLIM_AS_BUMP = 500000,
30458 -+ GR_RLIM_LOCKS_BUMP = 2
30459 -+};
30460 -+
30461 -+#endif
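Review bot: GR_CRASH_RES 11 is a bare number that only works because it equals RLIMIT_LOCKS + 1, the extra slot that GR_NLIMITS (RLIMIT_LOCKS + 2) in gracl.h reserves past the real rlimits; define it as (RLIMIT_LOCKS + 1) so the relationship is explicit and survives a change to either constant. Also, the '// disabled state' comment on GR_STATUS_INIT uses C++ style while the rest of these headers use /* */.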
30462 -diff -urNp linux-2.6.24.4/include/linux/grinternal.h linux-2.6.24.4/include/linux/grinternal.h
30463 ---- linux-2.6.24.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
30464 -+++ linux-2.6.24.4/include/linux/grinternal.h 2008-03-26 17:56:56.000000000 -0400
30465 -@@ -0,0 +1,210 @@
30466 -+#ifndef __GRINTERNAL_H
30467 -+#define __GRINTERNAL_H
30468 -+
30469 -+#ifdef CONFIG_GRKERNSEC
30470 -+
30471 -+#include <linux/fs.h>
30472 -+#include <linux/gracl.h>
30473 -+#include <linux/grdefs.h>
30474 -+#include <linux/grmsg.h>
30475 -+
30476 -+void gr_add_learn_entry(const char *fmt, ...);
30477 -+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
30478 -+ const struct vfsmount *mnt);
30479 -+__u32 gr_check_create(const struct dentry *new_dentry,
30480 -+ const struct dentry *parent,
30481 -+ const struct vfsmount *mnt, const __u32 mode);
30482 -+int gr_check_protected_task(const struct task_struct *task);
30483 -+__u32 to_gr_audit(const __u32 reqmode);
30484 -+int gr_set_acls(const int type);
30485 -+
30486 -+int gr_acl_is_enabled(void);
30487 -+char gr_roletype_to_char(void);
30488 -+
30489 -+void gr_handle_alertkill(struct task_struct *task);
30490 -+char *gr_to_filename(const struct dentry *dentry,
30491 -+ const struct vfsmount *mnt);
30492 -+char *gr_to_filename1(const struct dentry *dentry,
30493 -+ const struct vfsmount *mnt);
30494 -+char *gr_to_filename2(const struct dentry *dentry,
30495 -+ const struct vfsmount *mnt);
30496 -+char *gr_to_filename3(const struct dentry *dentry,
30497 -+ const struct vfsmount *mnt);
30498 -+
30499 -+extern int grsec_enable_link;
30500 -+extern int grsec_enable_fifo;
30501 -+extern int grsec_enable_execve;
30502 -+extern int grsec_enable_shm;
30503 -+extern int grsec_enable_execlog;
30504 -+extern int grsec_enable_signal;
30505 -+extern int grsec_enable_forkfail;
30506 -+extern int grsec_enable_time;
30507 -+extern int grsec_enable_chroot_shmat;
30508 -+extern int grsec_enable_chroot_findtask;
30509 -+extern int grsec_enable_chroot_mount;
30510 -+extern int grsec_enable_chroot_double;
30511 -+extern int grsec_enable_chroot_pivot;
30512 -+extern int grsec_enable_chroot_chdir;
30513 -+extern int grsec_enable_chroot_chmod;
30514 -+extern int grsec_enable_chroot_mknod;
30515 -+extern int grsec_enable_chroot_fchdir;
30516 -+extern int grsec_enable_chroot_nice;
30517 -+extern int grsec_enable_chroot_execlog;
30518 -+extern int grsec_enable_chroot_caps;
30519 -+extern int grsec_enable_chroot_sysctl;
30520 -+extern int grsec_enable_chroot_unix;
30521 -+extern int grsec_enable_tpe;
30522 -+extern int grsec_tpe_gid;
30523 -+extern int grsec_enable_tpe_all;
30524 -+extern int grsec_enable_sidcaps;
30525 -+extern int grsec_enable_socket_all;
30526 -+extern int grsec_socket_all_gid;
30527 -+extern int grsec_enable_socket_client;
30528 -+extern int grsec_socket_client_gid;
30529 -+extern int grsec_enable_socket_server;
30530 -+extern int grsec_socket_server_gid;
30531 -+extern int grsec_audit_gid;
30532 -+extern int grsec_enable_group;
30533 -+extern int grsec_enable_audit_ipc;
30534 -+extern int grsec_enable_audit_textrel;
30535 -+extern int grsec_enable_mount;
30536 -+extern int grsec_enable_chdir;
30537 -+extern int grsec_resource_logging;
30538 -+extern int grsec_lock;
30539 -+
30540 -+extern spinlock_t grsec_alert_lock;
30541 -+extern unsigned long grsec_alert_wtime;
30542 -+extern unsigned long grsec_alert_fyet;
30543 -+
30544 -+extern spinlock_t grsec_audit_lock;
30545 -+
30546 -+extern rwlock_t grsec_exec_file_lock;
30547 -+
30548 -+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
30549 -+ gr_to_filename2(tsk->exec_file->f_dentry, \
30550 -+ tsk->exec_file->f_vfsmnt) : "/")
30551 -+
30552 -+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
30553 -+ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
30554 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
30555 -+
30556 -+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
30557 -+ gr_to_filename(tsk->exec_file->f_dentry, \
30558 -+ tsk->exec_file->f_vfsmnt) : "/")
30559 -+
30560 -+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
30561 -+ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
30562 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
30563 -+
30564 -+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
30565 -+ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
30566 -+ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_sb->s_dev) || \
30567 -+ (tsk_a->fs->root->d_inode->i_ino != \
30568 -+ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_ino)))
30569 -+
30570 -+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
30571 -+ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
30572 -+ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
30573 -+ (tsk_a->fs->root->d_inode->i_ino == \
30574 -+ tsk_b->fs->root->d_inode->i_ino))
30575 -+
30576 -+#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
30577 -+ task->pid, task->uid, \
30578 -+ task->euid, task->gid, task->egid, \
30579 -+ gr_parent_task_fullpath(task), \
30580 -+ task->parent->comm, task->parent->pid, \
30581 -+ task->parent->uid, task->parent->euid, \
30582 -+ task->parent->gid, task->parent->egid
30583 -+
30584 -+#define GR_CHROOT_CAPS ( \
30585 -+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
30586 -+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
30587 -+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
30588 -+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
30589 -+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
30590 -+ CAP_TO_MASK(CAP_IPC_OWNER))
30591 -+
30592 -+#define security_learn(normal_msg,args...) \
30593 -+({ \
30594 -+ read_lock(&grsec_exec_file_lock); \
30595 -+ gr_add_learn_entry(normal_msg "\n", ## args); \
30596 -+ read_unlock(&grsec_exec_file_lock); \
30597 -+})
30598 -+
30599 -+enum {
30600 -+ GR_DO_AUDIT,
30601 -+ GR_DONT_AUDIT,
30602 -+ GR_DONT_AUDIT_GOOD
30603 -+};
30604 -+
30605 -+enum {
30606 -+ GR_TTYSNIFF,
30607 -+ GR_RBAC,
30608 -+ GR_RBAC_STR,
30609 -+ GR_STR_RBAC,
30610 -+ GR_RBAC_MODE2,
30611 -+ GR_RBAC_MODE3,
30612 -+ GR_FILENAME,
30613 -+ GR_SYSCTL_HIDDEN,
30614 -+ GR_NOARGS,
30615 -+ GR_ONE_INT,
30616 -+ GR_ONE_INT_TWO_STR,
30617 -+ GR_ONE_STR,
30618 -+ GR_STR_INT,
30619 -+ GR_TWO_INT,
30620 -+ GR_THREE_INT,
30621 -+ GR_FIVE_INT_TWO_STR,
30622 -+ GR_TWO_STR,
30623 -+ GR_THREE_STR,
30624 -+ GR_FOUR_STR,
30625 -+ GR_STR_FILENAME,
30626 -+ GR_FILENAME_STR,
30627 -+ GR_FILENAME_TWO_INT,
30628 -+ GR_FILENAME_TWO_INT_STR,
30629 -+ GR_TEXTREL,
30630 -+ GR_PTRACE,
30631 -+ GR_RESOURCE,
30632 -+ GR_CAP,
30633 -+ GR_SIG,
30634 -+ GR_CRASH1,
30635 -+ GR_CRASH2,
30636 -+ GR_PSACCT
30637 -+};
30638 -+
30639 -+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
30640 -+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
30641 -+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
30642 -+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
30643 -+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
30644 -+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
30645 -+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
30646 -+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
30647 -+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
30648 -+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
30649 -+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
30650 -+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
30651 -+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
30652 -+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
30653 -+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
30654 -+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
30655 -+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
30656 -+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
30657 -+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
30658 -+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
30659 -+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
30660 -+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
30661 -+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
30662 -+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
30663 -+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
30664 -+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
30665 -+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
30666 -+#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
30667 -+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
30668 -+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
30669 -+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
30670 -+
30671 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
30672 -+
30673 -+#endif
30674 -+
30675 -+#endif
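Review bot: gr_log_int5_str2() takes two integers but passes GR_FIVE_INT_TWO_STR to gr_log_varargs(), so either the name or the argument list is wrong, and a varargs consumer that trusts the type tag would read past the supplied arguments; align the macro with the format it actually feeds. Separately, proc_is_chrooted() checks tsk_a->fs for NULL but dereferences tsk_a->nsproxy->pid_ns->child_reaper->fs unconditionally and evaluates tsk_a several times, so it should either check the reaper side the same way or document the context in which it is safe to call.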
30676 -diff -urNp linux-2.6.24.4/include/linux/grmsg.h linux-2.6.24.4/include/linux/grmsg.h
30677 ---- linux-2.6.24.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
30678 -+++ linux-2.6.24.4/include/linux/grmsg.h 2008-03-26 17:56:56.000000000 -0400
30679 -@@ -0,0 +1,108 @@
30680 -+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
30681 -+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
30682 -+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
30683 -+#define GR_STOPMOD_MSG "denied modification of module state by "
30684 -+#define GR_IOPERM_MSG "denied use of ioperm() by "
30685 -+#define GR_IOPL_MSG "denied use of iopl() by "
30686 -+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
30687 -+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
30688 -+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
30689 -+#define GR_KMEM_MSG "denied write of /dev/kmem by "
30690 -+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
30691 -+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
30692 -+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
30693 -+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
30694 -+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
30695 -+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
30696 -+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
30697 -+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
30698 -+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
30699 -+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
30700 -+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
30701 -+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
30702 -+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
30703 -+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
30704 -+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
30705 -+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
30706 -+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
30707 -+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
30708 -+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
30709 -+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
30710 -+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
30711 -+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
30712 -+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
30713 -+#define GR_NPROC_MSG "denied overstep of process limit by "
30714 -+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
30715 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
30716 -+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
30717 -+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
30718 -+#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
30719 -+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
30720 -+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
30721 -+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
30722 -+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
30723 -+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
30724 -+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
30725 -+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
30726 -+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
30727 -+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
30728 -+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
30729 -+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
30730 -+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
30731 -+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
30732 -+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
30733 -+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
30734 -+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
30735 -+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
30736 -+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
30737 -+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
30738 -+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
30739 -+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
30740 -+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
30741 -+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
30742 -+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
30743 -+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
30744 -+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
30745 -+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
30746 -+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
30747 -+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
30748 -+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
30749 -+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
30750 -+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
30751 -+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
30752 -+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
30753 -+#define GR_FAILFORK_MSG "failed fork with errno %d by "
30754 -+#define GR_NICE_CHROOT_MSG "denied priority change by "
30755 -+#define GR_UNISIGLOG_MSG "signal %d sent to "
30756 -+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
30757 -+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
30758 -+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
30759 -+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
30760 -+#define GR_TIME_MSG "time set by "
30761 -+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
30762 -+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
30763 -+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
30764 -+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
30765 -+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
30766 -+#define GR_BIND_MSG "denied bind() by "
30767 -+#define GR_CONNECT_MSG "denied connect() by "
30768 -+#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
30769 -+#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
30770 -+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
30771 -+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
30772 -+#define GR_CAP_ACL_MSG "use of %s denied for "
30773 -+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
30774 -+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
30775 -+#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
30776 -+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
30777 -+#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
30778 -+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
30779 -+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
30780 -+#define GR_MSGQ_AUDIT_MSG "message queue created by "
30781 -+#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
30782 -+#define GR_SEM_AUDIT_MSG "semaphore created by "
30783 -+#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
30784 -+#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
30785 -+#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
30786 -+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
30787 -+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
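Review bot: the uid/gid format specifiers in this file are inconsistent: GR_SYMLINK_MSG, GR_FIFO_MSG and GR_HARDLINK_MSG print ownership as `%d.%d` (signed) while DEFAULTSECMSG, GR_SHMAT_ACL_MSG and the `*_AUDIT_MSG` strings use `%u`; uid_t/gid_t are unsigned, so ids above INT_MAX would be logged as negative numbers by the signed variants, and the callers that feed gr_log_varargs() must pass matching types for either form. Switch the three to `%u`. Also, `being fed garbaged by` in GR_DEV_ACL_MSG should read `being fed garbage by`.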
30788 -diff -urNp linux-2.6.24.4/include/linux/grsecurity.h linux-2.6.24.4/include/linux/grsecurity.h
30789 ---- linux-2.6.24.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
30790 -+++ linux-2.6.24.4/include/linux/grsecurity.h 2008-03-26 17:56:56.000000000 -0400
30791 -@@ -0,0 +1,197 @@
30792 -+#ifndef GR_SECURITY_H
30793 -+#define GR_SECURITY_H
30794 -+#include <linux/fs.h>
30795 -+#include <linux/binfmts.h>
30796 -+#include <linux/gracl.h>
30797 -+
30798 -+/* notify of brain-dead configs */
30799 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC)
30800 -+#error "CONFIG_PAX_NOEXEC enabled, but neither PAGEEXEC nor SEGMEXEC are enabled."
30801 -+#endif
30802 -+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
30803 -+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
30804 -+#endif
30805 -+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
30806 -+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
30807 -+#endif
30808 -+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
30809 -+#error "CONFIG_PAX enabled, but no PaX options are enabled."
30810 -+#endif
30811 -+
30812 -+void gr_handle_brute_attach(struct task_struct *p);
30813 -+void gr_handle_brute_check(void);
30814 -+
30815 -+char gr_roletype_to_char(void);
30816 -+
30817 -+int gr_check_user_change(int real, int effective, int fs);
30818 -+int gr_check_group_change(int real, int effective, int fs);
30819 -+
30820 -+void gr_del_task_from_ip_table(struct task_struct *p);
30821 -+
30822 -+int gr_pid_is_chrooted(struct task_struct *p);
30823 -+int gr_handle_chroot_nice(void);
30824 -+int gr_handle_chroot_sysctl(const int op);
30825 -+int gr_handle_chroot_setpriority(struct task_struct *p,
30826 -+ const int niceval);
30827 -+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
30828 -+int gr_handle_chroot_chroot(const struct dentry *dentry,
30829 -+ const struct vfsmount *mnt);
30830 -+void gr_handle_chroot_caps(struct task_struct *task);
30831 -+void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
30832 -+int gr_handle_chroot_chmod(const struct dentry *dentry,
30833 -+ const struct vfsmount *mnt, const int mode);
30834 -+int gr_handle_chroot_mknod(const struct dentry *dentry,
30835 -+ const struct vfsmount *mnt, const int mode);
30836 -+int gr_handle_chroot_mount(const struct dentry *dentry,
30837 -+ const struct vfsmount *mnt,
30838 -+ const char *dev_name);
30839 -+int gr_handle_chroot_pivot(void);
30840 -+int gr_handle_chroot_unix(const pid_t pid);
30841 -+
30842 -+int gr_handle_rawio(const struct inode *inode);
30843 -+int gr_handle_nproc(void);
30844 -+
30845 -+void gr_handle_ioperm(void);
30846 -+void gr_handle_iopl(void);
30847 -+
30848 -+int gr_tpe_allow(const struct file *file);
30849 -+
30850 -+int gr_random_pid(void);
30851 -+
30852 -+void gr_log_forkfail(const int retval);
30853 -+void gr_log_timechange(void);
30854 -+void gr_log_signal(const int sig, const struct task_struct *t);
30855 -+void gr_log_chdir(const struct dentry *dentry,
30856 -+ const struct vfsmount *mnt);
30857 -+void gr_log_chroot_exec(const struct dentry *dentry,
30858 -+ const struct vfsmount *mnt);
30859 -+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
30860 -+void gr_log_remount(const char *devname, const int retval);
30861 -+void gr_log_unmount(const char *devname, const int retval);
30862 -+void gr_log_mount(const char *from, const char *to, const int retval);
30863 -+void gr_log_msgget(const int ret, const int msgflg);
30864 -+void gr_log_msgrm(const uid_t uid, const uid_t cuid);
30865 -+void gr_log_semget(const int err, const int semflg);
30866 -+void gr_log_semrm(const uid_t uid, const uid_t cuid);
30867 -+void gr_log_shmget(const int err, const int shmflg, const size_t size);
30868 -+void gr_log_shmrm(const uid_t uid, const uid_t cuid);
30869 -+void gr_log_textrel(struct vm_area_struct *vma);
30870 -+
30871 -+int gr_handle_follow_link(const struct inode *parent,
30872 -+ const struct inode *inode,
30873 -+ const struct dentry *dentry,
30874 -+ const struct vfsmount *mnt);
30875 -+int gr_handle_fifo(const struct dentry *dentry,
30876 -+ const struct vfsmount *mnt,
30877 -+ const struct dentry *dir, const int flag,
30878 -+ const int acc_mode);
30879 -+int gr_handle_hardlink(const struct dentry *dentry,
30880 -+ const struct vfsmount *mnt,
30881 -+ struct inode *inode,
30882 -+ const int mode, const char *to);
30883 -+
30884 -+int gr_task_is_capable(struct task_struct *task, const int cap);
30885 -+int gr_is_capable_nolog(const int cap);
30886 -+void gr_learn_resource(const struct task_struct *task, const int limit,
30887 -+ const unsigned long wanted, const int gt);
30888 -+void gr_copy_label(struct task_struct *tsk);
30889 -+void gr_handle_crash(struct task_struct *task, const int sig);
30890 -+int gr_handle_signal(const struct task_struct *p, const int sig);
30891 -+int gr_check_crash_uid(const uid_t uid);
30892 -+int gr_check_protected_task(const struct task_struct *task);
30893 -+int gr_acl_handle_mmap(const struct file *file,
30894 -+ const unsigned long prot);
30895 -+int gr_acl_handle_mprotect(const struct file *file,
30896 -+ const unsigned long prot);
30897 -+int gr_check_hidden_task(const struct task_struct *tsk);
30898 -+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
30899 -+ const struct vfsmount *mnt);
30900 -+__u32 gr_acl_handle_utime(const struct dentry *dentry,
30901 -+ const struct vfsmount *mnt);
30902 -+__u32 gr_acl_handle_access(const struct dentry *dentry,
30903 -+ const struct vfsmount *mnt, const int fmode);
30904 -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
30905 -+ const struct vfsmount *mnt, mode_t mode);
30906 -+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
30907 -+ const struct vfsmount *mnt, mode_t mode);
30908 -+__u32 gr_acl_handle_chown(const struct dentry *dentry,
30909 -+ const struct vfsmount *mnt);
30910 -+int gr_handle_ptrace(struct task_struct *task, const long request);
30911 -+int gr_handle_proc_ptrace(struct task_struct *task);
30912 -+__u32 gr_acl_handle_execve(const struct dentry *dentry,
30913 -+ const struct vfsmount *mnt);
30914 -+int gr_check_crash_exec(const struct file *filp);
30915 -+int gr_acl_is_enabled(void);
30916 -+void gr_set_kernel_label(struct task_struct *task);
30917 -+void gr_set_role_label(struct task_struct *task, const uid_t uid,
30918 -+ const gid_t gid);
30919 -+int gr_set_proc_label(const struct dentry *dentry,
30920 -+ const struct vfsmount *mnt);
30921 -+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
30922 -+ const struct vfsmount *mnt);
30923 -+__u32 gr_acl_handle_open(const struct dentry *dentry,
30924 -+ const struct vfsmount *mnt, const int fmode);
30925 -+__u32 gr_acl_handle_creat(const struct dentry *dentry,
30926 -+ const struct dentry *p_dentry,
30927 -+ const struct vfsmount *p_mnt, const int fmode,
30928 -+ const int imode);
30929 -+void gr_handle_create(const struct dentry *dentry,
30930 -+ const struct vfsmount *mnt);
30931 -+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
30932 -+ const struct dentry *parent_dentry,
30933 -+ const struct vfsmount *parent_mnt,
30934 -+ const int mode);
30935 -+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
30936 -+ const struct dentry *parent_dentry,
30937 -+ const struct vfsmount *parent_mnt);
30938 -+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
30939 -+ const struct vfsmount *mnt);
30940 -+void gr_handle_delete(const ino_t ino, const dev_t dev);
30941 -+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
30942 -+ const struct vfsmount *mnt);
30943 -+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
30944 -+ const struct dentry *parent_dentry,
30945 -+ const struct vfsmount *parent_mnt,
30946 -+ const char *from);
30947 -+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
30948 -+ const struct dentry *parent_dentry,
30949 -+ const struct vfsmount *parent_mnt,
30950 -+ const struct dentry *old_dentry,
30951 -+ const struct vfsmount *old_mnt, const char *to);
30952 -+int gr_acl_handle_rename(struct dentry *new_dentry,
30953 -+ struct dentry *parent_dentry,
30954 -+ const struct vfsmount *parent_mnt,
30955 -+ struct dentry *old_dentry,
30956 -+ struct inode *old_parent_inode,
30957 -+ struct vfsmount *old_mnt, const char *newname);
30958 -+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
30959 -+ struct dentry *old_dentry,
30960 -+ struct dentry *new_dentry,
30961 -+ struct vfsmount *mnt, const __u8 replace);
30962 -+__u32 gr_check_link(const struct dentry *new_dentry,
30963 -+ const struct dentry *parent_dentry,
30964 -+ const struct vfsmount *parent_mnt,
30965 -+ const struct dentry *old_dentry,
30966 -+ const struct vfsmount *old_mnt);
30967 -+int gr_acl_handle_filldir(const struct file *file, const char *name,
30968 -+ const unsigned int namelen, const ino_t ino);
30969 -+
30970 -+__u32 gr_acl_handle_unix(const struct dentry *dentry,
30971 -+ const struct vfsmount *mnt);
30972 -+void gr_acl_handle_exit(void);
30973 -+void gr_acl_handle_psacct(struct task_struct *task, const long code);
30974 -+int gr_acl_handle_procpidmem(const struct task_struct *task);
30975 -+
30976 -+#ifdef CONFIG_GRKERNSEC
30977 -+void gr_handle_mem_write(void);
30978 -+void gr_handle_kmem_write(void);
30979 -+void gr_handle_open_port(void);
30980 -+int gr_handle_mem_mmap(const unsigned long offset,
30981 -+ struct vm_area_struct *vma);
30982 -+
30983 -+extern int grsec_enable_dmesg;
30984 -+extern int grsec_enable_randsrc;
30985 -+extern int grsec_enable_shm;
30986 -+#endif
30987 -+
30988 -+#endif
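Review bot: the id parameters in these prototypes mix types: gr_check_user_change()/gr_check_group_change() take plain `int` for the real/effective/fs ids, while gr_check_crash_uid(), gr_set_role_label() and the gr_log_*rm() helpers use uid_t/gid_t; use uid_t/gid_t throughout so that comparisons inside the implementations do not silently sign-convert. Separately, the `#error` checks at the top of the header reject a configuration such as CONFIG_PAX_NOEXEC without CONFIG_PAX_EI_PAX or CONFIG_PAX_PT_PAX_FLAGS only at compile time of the first file that includes this header; expressing the same constraints with `depends on` or `select` in Kconfig would reject them when the kernel is configured.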
30989 -diff -urNp linux-2.6.24.4/include/linux/highmem.h linux-2.6.24.4/include/linux/highmem.h
30990 ---- linux-2.6.24.4/include/linux/highmem.h 2008-03-24 14:49:18.000000000 -0400
30991 -+++ linux-2.6.24.4/include/linux/highmem.h 2008-03-26 17:56:56.000000000 -0400
30992 -@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
30993 - kunmap_atomic(kaddr, KM_USER0);
30994 - }
30995 -
30996 -+static inline void sanitize_highpage(struct page *page)
30997 -+{
30998 -+ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
30999 -+ clear_page(kaddr);
31000 -+ kunmap_atomic(kaddr, KM_CLEARPAGE);
31001 -+}
31002 -+
31003 - /*
31004 - * Same but also flushes aliased cache contents to RAM.
31005 - *
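Review bot: the new sanitize_highpage() is inserted between clear_highpage() and the comment `Same but also flushes aliased cache contents to RAM.` that introduces zero_user_page(), so `Same` now reads as referring to sanitize_highpage() rather than clear_highpage(); move the new function below that block or give it its own comment. That comment should also say what sanitize_highpage() is for and why it maps with the KM_CLEARPAGE slot rather than KM_USER0 as the neighbouring clear_highpage() does, since the two bodies are otherwise identical.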
31006 -@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
31007 - */
31008 - #define zero_user_page(page, offset, size, km_type) \
31009 - do { \
31010 -- void *kaddr; \
31011 -+ void *__kaddr; \
31012 - \
31013 - BUG_ON((offset) + (size) > PAGE_SIZE); \
31014 - \
31015 -- kaddr = kmap_atomic(page, km_type); \
31016 -- memset((char *)kaddr + (offset), 0, (size)); \
31017 -+ __kaddr = kmap_atomic(page, km_type); \
31018 -+ memset((char *)__kaddr + (offset), 0, (size)); \
31019 - flush_dcache_page(page); \
31020 -- kunmap_atomic(kaddr, (km_type)); \
31021 -+ kunmap_atomic(__kaddr, (km_type)); \
31022 - } while (0)
31023 -
31024 - static inline void __deprecated memclear_highpage_flush(struct page *page,
31025 -diff -urNp linux-2.6.24.4/include/linux/init_task.h linux-2.6.24.4/include/linux/init_task.h
31026 ---- linux-2.6.24.4/include/linux/init_task.h 2008-03-24 14:49:18.000000000 -0400
31027 -+++ linux-2.6.24.4/include/linux/init_task.h 2008-03-26 17:56:56.000000000 -0400
31028 -@@ -121,7 +121,7 @@ extern struct group_info init_groups;
31029 - #define INIT_TASK(tsk) \
31030 - { \
31031 - .state = 0, \
31032 -- .stack = &init_thread_info, \
31033 -+ .stack = &init_thread_union, \
31034 - .usage = ATOMIC_INIT(2), \
31035 - .flags = 0, \
31036 - .lock_depth = -1, \
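Review bot: changing `.stack = &init_thread_info` to `&init_thread_union` only compiles together with the sched.h hunk further down that turns task_struct::stack from `void *` into `union thread_union *`; the two must land as one change, and every other place that assigns to or reads ->stack as a `void *` needs the same treatment in the same pass. A short comment next to the field in sched.h explaining why the pointer type was narrowed would help later reviewers.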
31037 -diff -urNp linux-2.6.24.4/include/linux/irqflags.h linux-2.6.24.4/include/linux/irqflags.h
31038 ---- linux-2.6.24.4/include/linux/irqflags.h 2008-03-24 14:49:18.000000000 -0400
31039 -+++ linux-2.6.24.4/include/linux/irqflags.h 2008-03-26 17:56:56.000000000 -0400
31040 -@@ -84,10 +84,10 @@
31041 -
31042 - #define irqs_disabled() \
31043 - ({ \
31044 -- unsigned long flags; \
31045 -+ unsigned long __flags; \
31046 - \
31047 -- raw_local_save_flags(flags); \
31048 -- raw_irqs_disabled_flags(flags); \
31049 -+ raw_local_save_flags(__flags); \
31050 -+ raw_irqs_disabled_flags(__flags); \
31051 - })
31052 -
31053 - #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
31054 -diff -urNp linux-2.6.24.4/include/linux/jbd2.h linux-2.6.24.4/include/linux/jbd2.h
31055 ---- linux-2.6.24.4/include/linux/jbd2.h 2008-03-24 14:49:18.000000000 -0400
31056 -+++ linux-2.6.24.4/include/linux/jbd2.h 2008-03-26 17:56:56.000000000 -0400
31057 -@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
31058 - } \
31059 - } while (0)
31060 - #else
31061 --#define jbd_debug(f, a...) /**/
31062 -+#define jbd_debug(f, a...) do {} while (0)
31063 - #endif
31064 -
31065 - static inline void *jbd2_alloc(size_t size, gfp_t flags)
31066 -diff -urNp linux-2.6.24.4/include/linux/jbd.h linux-2.6.24.4/include/linux/jbd.h
31067 ---- linux-2.6.24.4/include/linux/jbd.h 2008-03-24 14:49:18.000000000 -0400
31068 -+++ linux-2.6.24.4/include/linux/jbd.h 2008-03-26 17:56:56.000000000 -0400
31069 -@@ -69,7 +69,7 @@ extern u8 journal_enable_debug;
31070 - } \
31071 - } while (0)
31072 - #else
31073 --#define jbd_debug(f, a...) /**/
31074 -+#define jbd_debug(f, a...) do {} while (0)
31075 - #endif
31076 -
31077 - static inline void *jbd_alloc(size_t size, gfp_t flags)
31078 -diff -urNp linux-2.6.24.4/include/linux/libata.h linux-2.6.24.4/include/linux/libata.h
31079 ---- linux-2.6.24.4/include/linux/libata.h 2008-03-24 14:49:18.000000000 -0400
31080 -+++ linux-2.6.24.4/include/linux/libata.h 2008-03-26 17:56:56.000000000 -0400
31081 -@@ -62,11 +62,11 @@
31082 - #ifdef ATA_VERBOSE_DEBUG
31083 - #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
31084 - #else
31085 --#define VPRINTK(fmt, args...)
31086 -+#define VPRINTK(fmt, args...) do {} while (0)
31087 - #endif /* ATA_VERBOSE_DEBUG */
31088 - #else
31089 --#define DPRINTK(fmt, args...)
31090 --#define VPRINTK(fmt, args...)
31091 -+#define DPRINTK(fmt, args...) do {} while (0)
31092 -+#define VPRINTK(fmt, args...) do {} while (0)
31093 - #endif /* ATA_DEBUG */
31094 -
31095 - #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
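Review bot: BPRINTK, visible unchanged at the bottom of this hunk, is still a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)` without a `do { } while (0)` wrapper, so it has exactly the dangling-else and `if (x) BPRINTK(...); else ...` hazard that this hunk removes for the empty DPRINTK/VPRINTK definitions; wrap it as well: `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args); } while (0)`.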
31096 -diff -urNp linux-2.6.24.4/include/linux/mm.h linux-2.6.24.4/include/linux/mm.h
31097 ---- linux-2.6.24.4/include/linux/mm.h 2008-03-24 14:49:18.000000000 -0400
31098 -+++ linux-2.6.24.4/include/linux/mm.h 2008-03-26 17:56:56.000000000 -0400
31099 -@@ -37,6 +37,7 @@ extern int sysctl_legacy_va_layout;
31100 - #include <asm/page.h>
31101 - #include <asm/pgtable.h>
31102 - #include <asm/processor.h>
31103 -+#include <asm/mman.h>
31104 -
31105 - #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
31106 -
31107 -@@ -107,6 +108,14 @@ extern unsigned int kobjsize(const void
31108 -
31109 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
31110 -
31111 -+#ifdef CONFIG_PAX_PAGEEXEC
31112 -+#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
31113 -+#endif
31114 -+
31115 -+#ifdef CONFIG_PAX_MPROTECT
31116 -+#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
31117 -+#endif
31118 -+
31119 - #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
31120 - #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
31121 - #endif
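Review bot: VM_PAGEEXEC (0x10000000) and VM_MAYNOTWRITE (0x20000000) are the two bits following VM_CAN_NONLINEAR (0x08000000), and nothing in the hunk records that they were checked against the full VM_* list for collisions; add a comment saying so. VM_MAYNOTWRITE is described as `vma cannot be granted VM_WRITE any more`, so the comment should also name the code paths that change or copy vm_flags and are required to honour and preserve the bit.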
31122 -@@ -792,6 +801,8 @@ struct shrinker {
31123 - extern void register_shrinker(struct shrinker *);
31124 - extern void unregister_shrinker(struct shrinker *);
31125 -
31126 -+pgprot_t vm_get_page_prot(unsigned long vm_flags);
31127 -+
31128 - int vma_wants_writenotify(struct vm_area_struct *vma);
31129 -
31130 - extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
31131 -@@ -1018,6 +1029,7 @@ out:
31132 - }
31133 -
31134 - extern int do_munmap(struct mm_struct *, unsigned long, size_t);
31135 -+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
31136 -
31137 - extern unsigned long do_brk(unsigned long, unsigned long);
31138 -
31139 -@@ -1070,6 +1082,10 @@ extern struct vm_area_struct * find_vma(
31140 - extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
31141 - struct vm_area_struct **pprev);
31142 -
31143 -+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
31144 -+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
31145 -+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
31146 -+
31147 - /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
31148 - NULL if none. Assume start_addr < end_addr. */
31149 - static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
31150 -@@ -1086,7 +1102,6 @@ static inline unsigned long vma_pages(st
31151 - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
31152 - }
31153 -
31154 --pgprot_t vm_get_page_prot(unsigned long vm_flags);
31155 - struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
31156 - struct page *vmalloc_to_page(void *addr);
31157 - unsigned long vmalloc_to_pfn(void *addr);
31158 -@@ -1157,5 +1172,11 @@ int vmemmap_populate_basepages(struct pa
31159 - unsigned long pages, int node);
31160 - int vmemmap_populate(struct page *start_page, unsigned long pages, int node);
31161 -
31162 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31163 -+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
31164 -+#else
31165 -+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
31166 -+#endif
31167 -+
31168 - #endif /* __KERNEL__ */
31169 - #endif /* _LINUX_MM_H */
31170 -diff -urNp linux-2.6.24.4/include/linux/mm_types.h linux-2.6.24.4/include/linux/mm_types.h
31171 ---- linux-2.6.24.4/include/linux/mm_types.h 2008-03-24 14:49:18.000000000 -0400
31172 -+++ linux-2.6.24.4/include/linux/mm_types.h 2008-03-26 17:56:56.000000000 -0400
31173 -@@ -151,6 +151,8 @@ struct vm_area_struct {
31174 - #ifdef CONFIG_NUMA
31175 - struct mempolicy *vm_policy; /* NUMA policy for the VMA */
31176 - #endif
31177 -+
31178 -+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
31179 - };
31180 -
31181 - struct mm_struct {
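Review bot: `vm_mirror` is added to vm_area_struct unconditionally, while every PaX field added to mm_struct in the next hunk (pax_flags, call_dl_resolve, call_syscall, delta_mmap/delta_stack) is wrapped in an `#ifdef CONFIG_PAX_*`; grow every vma only when the mirroring feature is configured. The comment `PaX: mirror vma or NULL` should also name that feature and say who keeps the pointer valid when either vma is split, merged or unmapped.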
31182 -@@ -219,6 +221,24 @@ struct mm_struct {
31183 - /* aio bits */
31184 - rwlock_t ioctx_list_lock;
31185 - struct kioctx *ioctx_list;
31186 -+
31187 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
31188 -+ unsigned long pax_flags;
31189 -+#endif
31190 -+
31191 -+#ifdef CONFIG_PAX_DLRESOLVE
31192 -+ unsigned long call_dl_resolve;
31193 -+#endif
31194 -+
31195 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
31196 -+ unsigned long call_syscall;
31197 -+#endif
31198 -+
31199 -+#ifdef CONFIG_PAX_ASLR
31200 -+ unsigned long delta_mmap; /* randomized offset */
31201 -+ unsigned long delta_stack; /* randomized offset */
31202 -+#endif
31203 -+
31204 - };
31205 -
31206 - #endif /* _LINUX_MM_TYPES_H */
31207 -diff -urNp linux-2.6.24.4/include/linux/module.h linux-2.6.24.4/include/linux/module.h
31208 ---- linux-2.6.24.4/include/linux/module.h 2008-03-24 14:49:18.000000000 -0400
31209 -+++ linux-2.6.24.4/include/linux/module.h 2008-03-26 17:56:56.000000000 -0400
31210 -@@ -296,16 +296,16 @@ struct module
31211 - int (*init)(void);
31212 -
31213 - /* If this is non-NULL, vfree after init() returns */
31214 -- void *module_init;
31215 -+ void *module_init_rx, *module_init_rw;
31216 -
31217 - /* Here is the actual code + data, vfree'd on unload. */
31218 -- void *module_core;
31219 -+ void *module_core_rx, *module_core_rw;
31220 -
31221 - /* Here are the sizes of the init and core sections */
31222 -- unsigned long init_size, core_size;
31223 -+ unsigned long init_size_rw, core_size_rw;
31224 -
31225 - /* The size of the executable code in each section. */
31226 -- unsigned long init_text_size, core_text_size;
31227 -+ unsigned long init_size_rx, core_size_rx;
31228 -
31229 - /* The handle returned from unwind_add_table. */
31230 - void *unwind_info;
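Review bot: renaming core_size to core_size_rw and core_text_size to core_size_rx changes what each field means, but the two comments above them (`Here are the sizes of the init and core sections` and `The size of the executable code in each section`) are left untouched and no longer describe the rx/rw split; update them, and state whether `*_size_rw` now excludes the rx part (so that the footprint is rx + rw), since any caller that used core_size as the whole module size will otherwise under-count.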
31231 -diff -urNp linux-2.6.24.4/include/linux/moduleloader.h linux-2.6.24.4/include/linux/moduleloader.h
31232 ---- linux-2.6.24.4/include/linux/moduleloader.h 2008-03-24 14:49:18.000000000 -0400
31233 -+++ linux-2.6.24.4/include/linux/moduleloader.h 2008-03-26 17:56:56.000000000 -0400
31234 -@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
31235 - sections. Returns NULL on failure. */
31236 - void *module_alloc(unsigned long size);
31237 -
31238 -+#ifdef CONFIG_PAX_KERNEXEC
31239 -+void *module_alloc_exec(unsigned long size);
31240 -+#else
31241 -+#define module_alloc_exec(x) module_alloc(x)
31242 -+#endif
31243 -+
31244 - /* Free memory returned from module_alloc. */
31245 - void module_free(struct module *mod, void *module_region);
31246 -
31247 -+#ifdef CONFIG_PAX_KERNEXEC
31248 -+void module_free_exec(struct module *mod, void *module_region);
31249 -+#else
31250 -+#define module_free_exec(x, y) module_free(x, y)
31251 -+#endif
31252 -+
31253 - /* Apply the given relocation to the (simplified) ELF. Return -error
31254 - or 0. */
31255 - int apply_relocate(Elf_Shdr *sechdrs,
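Review bot: module_free_exec() has no comment, and module_alloc_exec() sits under the `Returns NULL on failure` text that describes module_alloc(); add a line to each stating that they manage a module's executable region under CONFIG_PAX_KERNEXEC and that memory from module_alloc_exec() must be released with module_free_exec(), not module_free(). With the `#else` macro fallbacks the two pairs are interchangeable, so a mismatched alloc/free would only show up on KERNEXEC builds.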
31256 -diff -urNp linux-2.6.24.4/include/linux/namei.h linux-2.6.24.4/include/linux/namei.h
31257 ---- linux-2.6.24.4/include/linux/namei.h 2008-03-24 14:49:18.000000000 -0400
31258 -+++ linux-2.6.24.4/include/linux/namei.h 2008-03-26 17:56:56.000000000 -0400
31259 -@@ -21,7 +21,7 @@ struct nameidata {
31260 - unsigned int flags;
31261 - int last_type;
31262 - unsigned depth;
31263 -- char *saved_names[MAX_NESTED_LINKS + 1];
31264 -+ const char *saved_names[MAX_NESTED_LINKS + 1];
31265 -
31266 - /* Intent data */
31267 - union {
31268 -@@ -90,12 +90,12 @@ extern int follow_up(struct vfsmount **,
31269 - extern struct dentry *lock_rename(struct dentry *, struct dentry *);
31270 - extern void unlock_rename(struct dentry *, struct dentry *);
31271 -
31272 --static inline void nd_set_link(struct nameidata *nd, char *path)
31273 -+static inline void nd_set_link(struct nameidata *nd, const char *path)
31274 - {
31275 - nd->saved_names[nd->depth] = path;
31276 - }
31277 -
31278 --static inline char *nd_get_link(struct nameidata *nd)
31279 -+static inline const char *nd_get_link(struct nameidata *nd)
31280 - {
31281 - return nd->saved_names[nd->depth];
31282 - }
31283 -diff -urNp linux-2.6.24.4/include/linux/percpu.h linux-2.6.24.4/include/linux/percpu.h
31284 ---- linux-2.6.24.4/include/linux/percpu.h 2008-03-24 14:49:18.000000000 -0400
31285 -+++ linux-2.6.24.4/include/linux/percpu.h 2008-03-26 17:56:56.000000000 -0400
31286 -@@ -18,7 +18,7 @@
31287 - #endif
31288 -
31289 - #define PERCPU_ENOUGH_ROOM \
31290 -- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
31291 -+ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
31292 - #endif /* PERCPU_ENOUGH_ROOM */
31293 -
31294 - /*
31295 -diff -urNp linux-2.6.24.4/include/linux/poison.h linux-2.6.24.4/include/linux/poison.h
31296 ---- linux-2.6.24.4/include/linux/poison.h 2008-03-24 14:49:18.000000000 -0400
31297 -+++ linux-2.6.24.4/include/linux/poison.h 2008-03-26 17:56:56.000000000 -0400
31298 -@@ -7,8 +7,8 @@
31299 - * under normal circumstances, used to verify that nobody uses
31300 - * non-initialized list entries.
31301 - */
31302 --#define LIST_POISON1 ((void *) 0x00100100)
31303 --#define LIST_POISON2 ((void *) 0x00200200)
31304 -+#define LIST_POISON1 ((void *) 0xFF1001FFFF1001FFULL)
31305 -+#define LIST_POISON2 ((void *) 0xFF2002FFFF2002FFULL)
31306 -
31307 - /********** mm/slab.c **********/
31308 - /*
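Review bot: 0xFF1001FFFF1001FFULL and 0xFF2002FFFF2002FFULL are 64-bit constants cast to `void *`, so on 32-bit targets the cast truncates (gcc warns about a cast to pointer from an integer of different size) and the effective poison becomes 0xFF1001FF / 0xFF2002FF; define the values per pointer width (for example under CONFIG_64BIT) or use an integer type the size of a pointer. The reason for moving the values out of the low address range used by the original 0x00100100 / 0x00200200 is not stated either; add it to the comment above.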
31309 -diff -urNp linux-2.6.24.4/include/linux/random.h linux-2.6.24.4/include/linux/random.h
31310 ---- linux-2.6.24.4/include/linux/random.h 2008-03-24 14:49:18.000000000 -0400
31311 -+++ linux-2.6.24.4/include/linux/random.h 2008-03-26 17:56:56.000000000 -0400
31312 -@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
31313 - u32 random32(void);
31314 - void srandom32(u32 seed);
31315 -
31316 -+static inline unsigned long pax_get_random_long(void)
31317 -+{
31318 -+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
31319 -+}
31320 -+
31321 - #endif /* __KERNEL___ */
31322 -
31323 - #endif /* _LINUX_RANDOM_H */
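Review bot: `pax_get_random_long()` in this hunk shifts `(unsigned long)random32()` by 32 inside a `sizeof(long) > 4` conditional; on a 32-bit build that branch is dead but still compiled, so the shift count equals the width of the type, which is undefined behaviour in C and draws a shift-count warning from gcc. Suggest `#if BITS_PER_LONG == 64` around the two-call form with a plain `return random32();` otherwise, and a comment noting that random32() is the kernel's non-cryptographic PRNG, so anything seeded from this helper is only as unpredictable as random32()'s own seeding.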
31324 -diff -urNp linux-2.6.24.4/include/linux/sched.h linux-2.6.24.4/include/linux/sched.h
31325 ---- linux-2.6.24.4/include/linux/sched.h 2008-03-24 14:49:18.000000000 -0400
31326 -+++ linux-2.6.24.4/include/linux/sched.h 2008-03-26 17:56:56.000000000 -0400
31327 -@@ -94,6 +94,7 @@ struct sched_param {
31328 - struct exec_domain;
31329 - struct futex_pi_state;
31330 - struct bio;
31331 -+struct linux_binprm;
31332 -
31333 - /*
31334 - * List of flags we want to share for kernel threads,
31335 -@@ -507,6 +508,15 @@ struct signal_struct {
31336 - unsigned audit_tty;
31337 - struct tty_audit_buf *tty_audit_buf;
31338 - #endif
31339 -+
31340 -+#ifdef CONFIG_GRKERNSEC
31341 -+ u32 curr_ip;
31342 -+ u32 gr_saddr;
31343 -+ u32 gr_daddr;
31344 -+ u16 gr_sport;
31345 -+ u16 gr_dport;
31346 -+ u8 used_accept:1;
31347 -+#endif
31348 - };
31349 -
31350 - /* Context switch must be unlocked if interrupts are to be enabled */
31351 -@@ -916,7 +926,7 @@ struct sched_entity {
31352 -
31353 - struct task_struct {
31354 - volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
31355 -- void *stack;
31356 -+ union thread_union *stack;
31357 - atomic_t usage;
31358 - unsigned int flags; /* per process flags, defined below */
31359 - unsigned int ptrace;
31360 -@@ -983,10 +993,9 @@ struct task_struct {
31361 - pid_t pid;
31362 - pid_t tgid;
31363 -
31364 --#ifdef CONFIG_CC_STACKPROTECTOR
31365 - /* Canary value for the -fstack-protector gcc feature */
31366 - unsigned long stack_canary;
31367 --#endif
31368 -+
31369 - /*
31370 - * pointers to (original) parent process, youngest child, younger sibling,
31371 - * older sibling, respectively. (p->father can be replaced with
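Review bot: dropping the `#ifdef CONFIG_CC_STACKPROTECTOR` guard around `stack_canary` in this hunk makes the field part of every task_struct while keeping the comment that ties it to the -fstack-protector gcc feature; update the comment to say why the field is now unconditional, and remove the stray blank `+` line left where the `#endif` was.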
31372 -@@ -1007,8 +1016,8 @@ struct task_struct {
31373 - struct list_head thread_group;
31374 -
31375 - struct completion *vfork_done; /* for vfork() */
31376 -- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
31377 -- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
31378 -+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
31379 -+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
31380 -
31381 - unsigned int rt_priority;
31382 - cputime_t utime, stime, utimescaled, stimescaled;
31383 -@@ -1178,8 +1187,60 @@ struct task_struct {
31384 - int make_it_fail;
31385 - #endif
31386 - struct prop_local_single dirties;
31387 -+
31388 -+#ifdef CONFIG_GRKERNSEC
31389 -+ /* grsecurity */
31390 -+ struct acl_subject_label *acl;
31391 -+ struct acl_role_label *role;
31392 -+ struct file *exec_file;
31393 -+ u16 acl_role_id;
31394 -+ u8 acl_sp_role;
31395 -+ u8 is_writable;
31396 -+ u8 brute;
31397 -+#endif
31398 -+
31399 - };
31400 -
31401 -+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
31402 -+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
31403 -+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
31404 -+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
31405 -+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
31406 -+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
31407 -+
31408 -+#ifdef CONFIG_PAX_SOFTMODE
31409 -+extern unsigned int pax_softmode;
31410 -+#endif
31411 -+
31412 -+extern int pax_check_flags(unsigned long *);
31413 -+
31414 -+/* if tsk != current then task_lock must be held on it */
31415 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
31416 -+static inline unsigned long pax_get_flags(struct task_struct *tsk)
31417 -+{
31418 -+ if (likely(tsk->mm))
31419 -+ return tsk->mm->pax_flags;
31420 -+ else
31421 -+ return 0UL;
31422 -+}
31423 -+
31424 -+/* if tsk != current then task_lock must be held on it */
31425 -+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
31426 -+{
31427 -+ if (likely(tsk->mm)) {
31428 -+ tsk->mm->pax_flags = flags;
31429 -+ return 0;
31430 -+ }
31431 -+ return -EINVAL;
31432 -+}
31433 -+#endif
31434 -+
31435 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
31436 -+extern void pax_set_initial_flags(struct linux_binprm *bprm);
31437 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
31438 -+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
31439 -+#endif
31440 -+
31441 - /*
31442 - * Priority of a process goes from 0..MAX_PRIO-1, valid RT
31443 - * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
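Review bot: `pax_set_flags()` in this hunk stores `flags` into `tsk->mm->pax_flags` without passing them through `pax_check_flags()`, which is declared a few lines above it; either call it here or state in the comment that every caller must validate first, otherwise a bad flag combination reaches the mm unchecked. The "task_lock must be held" comments are good; `pax_get_flags()` returning 0UL for a task without an mm also deserves a note that this means "no PaX restrictions" for kernel threads, which is the intended reading.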
31444 -@@ -1779,8 +1840,8 @@ static inline void unlock_task_sighand(s
31445 -
31446 - #ifndef __HAVE_THREAD_FUNCTIONS
31447 -
31448 --#define task_thread_info(task) ((struct thread_info *)(task)->stack)
31449 --#define task_stack_page(task) ((task)->stack)
31450 -+#define task_thread_info(task) (&(task)->stack->thread_info)
31451 -+#define task_stack_page(task) ((void *)(task)->stack)
31452 -
31453 - static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
31454 - {
31455 -@@ -1917,6 +1978,12 @@ extern void arch_pick_mmap_layout(struct
31456 - static inline void arch_pick_mmap_layout(struct mm_struct *mm)
31457 - {
31458 - mm->mmap_base = TASK_UNMAPPED_BASE;
31459 -+
31460 -+#ifdef CONFIG_PAX_RANDMMAP
31461 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
31462 -+ mm->mmap_base += mm->delta_mmap;
31463 -+#endif
31464 -+
31465 - mm->get_unmapped_area = arch_get_unmapped_area;
31466 - mm->unmap_area = arch_unmap_area;
31467 - }
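Review bot: `mm->mmap_base += mm->delta_mmap` in this hunk relies on `delta_mmap` already being set for this mm whenever MF_PAX_RANDMMAP is on, and nothing in the hunk initializes it; add a comment naming where it is assigned (presumably at exec time alongside pax_flags) and confirm a freshly allocated mm has it zeroed, since otherwise the mmap base would be offset by whatever the allocation left in the field.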
31468 -diff -urNp linux-2.6.24.4/include/linux/screen_info.h linux-2.6.24.4/include/linux/screen_info.h
31469 ---- linux-2.6.24.4/include/linux/screen_info.h 2008-03-24 14:49:18.000000000 -0400
31470 -+++ linux-2.6.24.4/include/linux/screen_info.h 2008-03-26 17:56:56.000000000 -0400
31471 -@@ -42,7 +42,8 @@ struct screen_info {
31472 - __u16 pages; /* 0x32 */
31473 - __u16 vesa_attributes; /* 0x34 */
31474 - __u32 capabilities; /* 0x36 */
31475 -- __u8 _reserved[6]; /* 0x3a */
31476 -+ __u16 vesapm_size; /* 0x3a */
31477 -+ __u8 _reserved[4]; /* 0x3c */
31478 - } __attribute__((packed));
31479 -
31480 - #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
31481 -diff -urNp linux-2.6.24.4/include/linux/security.h linux-2.6.24.4/include/linux/security.h
31482 ---- linux-2.6.24.4/include/linux/security.h 2008-03-24 14:49:18.000000000 -0400
31483 -+++ linux-2.6.24.4/include/linux/security.h 2008-03-26 17:56:56.000000000 -0400
31484 -@@ -2266,7 +2266,7 @@ static inline struct dentry *securityfs_
31485 - mode_t mode,
31486 - struct dentry *parent,
31487 - void *data,
31488 -- struct file_operations *fops)
31489 -+ const struct file_operations *fops)
31490 - {
31491 - return ERR_PTR(-ENODEV);
31492 - }
31493 -diff -urNp linux-2.6.24.4/include/linux/shm.h linux-2.6.24.4/include/linux/shm.h
31494 ---- linux-2.6.24.4/include/linux/shm.h 2008-03-24 14:49:18.000000000 -0400
31495 -+++ linux-2.6.24.4/include/linux/shm.h 2008-03-26 17:56:56.000000000 -0400
31496 -@@ -87,6 +87,10 @@ struct shmid_kernel /* private to the ke
31497 - pid_t shm_cprid;
31498 - pid_t shm_lprid;
31499 - struct user_struct *mlock_user;
31500 -+#ifdef CONFIG_GRKERNSEC
31501 -+ time_t shm_createtime;
31502 -+ pid_t shm_lapid;
31503 -+#endif
31504 - };
31505 -
31506 - /* shm_mode upper byte flags */
31507 -diff -urNp linux-2.6.24.4/include/linux/sysctl.h linux-2.6.24.4/include/linux/sysctl.h
31508 ---- linux-2.6.24.4/include/linux/sysctl.h 2008-03-24 14:49:18.000000000 -0400
31509 -+++ linux-2.6.24.4/include/linux/sysctl.h 2008-03-26 17:56:56.000000000 -0400
31510 -@@ -164,9 +164,21 @@ enum
31511 - KERN_MAX_LOCK_DEPTH=74,
31512 - KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
31513 - KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
31514 --};
31515 -+#ifdef CONFIG_GRKERNSEC
31516 -+ KERN_GRSECURITY=98, /* grsecurity */
31517 -+#endif
31518 -+
31519 -+#ifdef CONFIG_PAX_SOFTMODE
31520 -+ KERN_PAX=99, /* PaX control */
31521 -+#endif
31522 -
31523 -+};
31524 -
31525 -+#ifdef CONFIG_PAX_SOFTMODE
31526 -+enum {
31527 -+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
31528 -+};
31529 -+#endif
31530 -
31531 - /* CTL_VM names: */
31532 - enum
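Review bot: KERN_GRSECURITY=98 and KERN_PAX=99 in this hunk hard-code binary sysctl numbers into the upstream `KERN_*` enum, whose last upstream value here is 76, so a future upstream addition that reaches 98 or 99 collides silently; document the reservation in the comment, or expose these trees through /proc/sys only (CTL_UNNUMBERED) instead of the binary sysctl interface. Also, the hunk removes the closing `};` and re-adds it after two blank lines; keep the brace where it is and insert the `#ifdef` blocks above it to keep the diff minimal.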
31533 -diff -urNp linux-2.6.24.4/include/linux/uaccess.h linux-2.6.24.4/include/linux/uaccess.h
31534 ---- linux-2.6.24.4/include/linux/uaccess.h 2008-03-24 14:49:18.000000000 -0400
31535 -+++ linux-2.6.24.4/include/linux/uaccess.h 2008-03-26 17:56:56.000000000 -0400
31536 -@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
31537 - long ret; \
31538 - mm_segment_t old_fs = get_fs(); \
31539 - \
31540 -- set_fs(KERNEL_DS); \
31541 - pagefault_disable(); \
31542 -+ set_fs(KERNEL_DS); \
31543 - ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
31544 -- pagefault_enable(); \
31545 - set_fs(old_fs); \
31546 -+ pagefault_enable(); \
31547 - ret; \
31548 - })
31549 -
31550 -diff -urNp linux-2.6.24.4/include/linux/udf_fs.h linux-2.6.24.4/include/linux/udf_fs.h
31551 ---- linux-2.6.24.4/include/linux/udf_fs.h 2008-03-24 14:49:18.000000000 -0400
31552 -+++ linux-2.6.24.4/include/linux/udf_fs.h 2008-03-26 17:56:56.000000000 -0400
31553 -@@ -45,7 +45,7 @@
31554 - printk (f, ##a); \
31555 - }
31556 - #else
31557 --#define udf_debug(f, a...) /**/
31558 -+#define udf_debug(f, a...) do {} while (0)
31559 - #endif
31560 -
31561 - #define udf_info(f, a...) \
31562 -diff -urNp linux-2.6.24.4/include/net/sctp/sctp.h linux-2.6.24.4/include/net/sctp/sctp.h
31563 ---- linux-2.6.24.4/include/net/sctp/sctp.h 2008-03-24 14:49:18.000000000 -0400
31564 -+++ linux-2.6.24.4/include/net/sctp/sctp.h 2008-03-26 17:56:56.000000000 -0400
31565 -@@ -316,8 +316,8 @@ extern int sctp_debug_flag;
31566 -
31567 - #else /* SCTP_DEBUG */
31568 -
31569 --#define SCTP_DEBUG_PRINTK(whatever...)
31570 --#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
31571 -+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
31572 -+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
31573 - #define SCTP_ENABLE_DEBUG
31574 - #define SCTP_DISABLE_DEBUG
31575 - #define SCTP_ASSERT(expr, str, func)
31576 -diff -urNp linux-2.6.24.4/include/sound/core.h linux-2.6.24.4/include/sound/core.h
31577 ---- linux-2.6.24.4/include/sound/core.h 2008-03-24 14:49:18.000000000 -0400
31578 -+++ linux-2.6.24.4/include/sound/core.h 2008-03-26 17:56:56.000000000 -0400
31579 -@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
31580 -
31581 - #else /* !CONFIG_SND_DEBUG */
31582 -
31583 --#define snd_printd(fmt, args...) /* nothing */
31584 -+#define snd_printd(fmt, args...) do {} while (0)
31585 - #define snd_assert(expr, args...) (void)(expr)
31586 --#define snd_BUG() /* nothing */
31587 -+#define snd_BUG() do {} while (0)
31588 -
31589 - #endif /* CONFIG_SND_DEBUG */
31590 -
31591 -@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
31592 - */
31593 - #define snd_printdd(format, args...) snd_printk(format, ##args)
31594 - #else
31595 --#define snd_printdd(format, args...) /* nothing */
31596 -+#define snd_printdd(format, args...) do {} while (0)
31597 - #endif
31598 -
31599 -
31600 -diff -urNp linux-2.6.24.4/init/do_mounts.c linux-2.6.24.4/init/do_mounts.c
31601 ---- linux-2.6.24.4/init/do_mounts.c 2008-03-24 14:49:18.000000000 -0400
31602 -+++ linux-2.6.24.4/init/do_mounts.c 2008-03-26 17:56:56.000000000 -0400
31603 -@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
31604 -
31605 - /* read device number from .../dev */
31606 -
31607 -- sprintf(path, "/sys/block/%s/dev", name);
31608 -- fd = sys_open(path, 0, 0);
31609 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
31610 -+ goto fail;
31611 -+ fd = sys_open((char __user *)path, 0, 0);
31612 - if (fd < 0)
31613 - goto fail;
31614 -- len = sys_read(fd, buf, 32);
31615 -+ len = sys_read(fd, (char __user *)buf, 32);
31616 - sys_close(fd);
31617 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
31618 - goto fail;
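Review bot: the `snprintf` truncation check in this hunk is the substantive change (the old `sprintf` wrote the caller-supplied `name` into the fixed `path` buffer with no bound), and the `goto fail` on truncation is right; note that the comparison mixes `sizeof path` (size_t) with snprintf's `int` return, which is only fine because the return cannot be negative here. The `(char __user *)` casts on sys_open/sys_read just silence sparse address-space warnings; they are safe because this early-boot code runs with a kernel address limit, and a comment saying so would stop them looking like they hide a real bug. The same check is repeated in the next hunk for `.../range`; a small helper would avoid the duplication.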
31619 -@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
31620 - return res;
31621 -
31622 - /* otherwise read range from .../range */
31623 -- sprintf(path, "/sys/block/%s/range", name);
31624 -- fd = sys_open(path, 0, 0);
31625 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
31626 -+ goto fail;
31627 -+ fd = sys_open((char __user *)path, 0, 0);
31628 - if (fd < 0)
31629 - goto fail;
31630 -- len = sys_read(fd, buf, 32);
31631 -+ len = sys_read(fd, (char __user *)buf, 32);
31632 - sys_close(fd);
31633 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
31634 - goto fail;
31635 -@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
31636 - int part;
31637 -
31638 - #ifdef CONFIG_SYSFS
31639 -- int mkdir_err = sys_mkdir("/sys", 0700);
31640 -- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
31641 -+ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
31642 -+ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
31643 - goto out;
31644 - #endif
31645 -
31646 -@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
31647 - res = try_name(s, part);
31648 - done:
31649 - #ifdef CONFIG_SYSFS
31650 -- sys_umount("/sys", 0);
31651 -+ sys_umount((char __user *)"/sys", 0);
31652 - out:
31653 - if (!mkdir_err)
31654 -- sys_rmdir("/sys");
31655 -+ sys_rmdir((char __user *)"/sys");
31656 - #endif
31657 - return res;
31658 - fail:
31659 -@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
31660 -
31661 - static int __init do_mount_root(char *name, char *fs, int flags, void *data)
31662 - {
31663 -- int err = sys_mount(name, "/root", fs, flags, data);
31664 -+ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
31665 - if (err)
31666 - return err;
31667 -
31668 -- sys_chdir("/root");
31669 -+ sys_chdir((char __user *)"/root");
31670 - ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
31671 - printk("VFS: Mounted root (%s filesystem)%s.\n",
31672 - current->fs->pwdmnt->mnt_sb->s_type->name,
31673 -@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
31674 - va_start(args, fmt);
31675 - vsprintf(buf, fmt, args);
31676 - va_end(args);
31677 -- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
31678 -+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
31679 - if (fd >= 0) {
31680 - sys_ioctl(fd, FDEJECT, 0);
31681 - sys_close(fd);
31682 - }
31683 - printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
31684 -- fd = sys_open("/dev/console", O_RDWR, 0);
31685 -+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
31686 - if (fd >= 0) {
31687 - sys_ioctl(fd, TCGETS, (long)&termios);
31688 - termios.c_lflag &= ~ICANON;
31689 - sys_ioctl(fd, TCSETSF, (long)&termios);
31690 -- sys_read(fd, &c, 1);
31691 -+ sys_read(fd, (char __user *)&c, 1);
31692 - termios.c_lflag |= ICANON;
31693 - sys_ioctl(fd, TCSETSF, (long)&termios);
31694 - sys_close(fd);
31695 -@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
31696 -
31697 - mount_root();
31698 - out:
31699 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
31700 -- sys_chroot(".");
31701 -+ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
31702 -+ sys_chroot((char __user *)".");
31703 - security_sb_post_mountroot();
31704 - }
31705 -
31706 -diff -urNp linux-2.6.24.4/init/do_mounts.h linux-2.6.24.4/init/do_mounts.h
31707 ---- linux-2.6.24.4/init/do_mounts.h 2008-03-24 14:49:18.000000000 -0400
31708 -+++ linux-2.6.24.4/init/do_mounts.h 2008-03-26 17:56:56.000000000 -0400
31709 -@@ -15,15 +15,15 @@ extern char *root_device_name;
31710 -
31711 - static inline int create_dev(char *name, dev_t dev)
31712 - {
31713 -- sys_unlink(name);
31714 -- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
31715 -+ sys_unlink((char __user *)name);
31716 -+ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
31717 - }
31718 -
31719 - #if BITS_PER_LONG == 32
31720 - static inline u32 bstat(char *name)
31721 - {
31722 - struct stat64 stat;
31723 -- if (sys_stat64(name, &stat) != 0)
31724 -+ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
31725 - return 0;
31726 - if (!S_ISBLK(stat.st_mode))
31727 - return 0;
31728 -diff -urNp linux-2.6.24.4/init/do_mounts_md.c linux-2.6.24.4/init/do_mounts_md.c
31729 ---- linux-2.6.24.4/init/do_mounts_md.c 2008-03-24 14:49:18.000000000 -0400
31730 -+++ linux-2.6.24.4/init/do_mounts_md.c 2008-03-26 17:56:56.000000000 -0400
31731 -@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
31732 - partitioned ? "_d" : "", minor,
31733 - md_setup_args[ent].device_names);
31734 -
31735 -- fd = sys_open(name, 0, 0);
31736 -+ fd = sys_open((char __user *)name, 0, 0);
31737 - if (fd < 0) {
31738 - printk(KERN_ERR "md: open failed - cannot start "
31739 - "array %s\n", name);
31740 -@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
31741 - * array without it
31742 - */
31743 - sys_close(fd);
31744 -- fd = sys_open(name, 0, 0);
31745 -+ fd = sys_open((char __user *)name, 0, 0);
31746 - sys_ioctl(fd, BLKRRPART, 0);
31747 - }
31748 - sys_close(fd);
31749 -@@ -271,7 +271,7 @@ void __init md_run_setup(void)
31750 - if (raid_noautodetect)
31751 - printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
31752 - else {
31753 -- int fd = sys_open("/dev/md0", 0, 0);
31754 -+ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
31755 - if (fd >= 0) {
31756 - sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
31757 - sys_close(fd);
31758 -diff -urNp linux-2.6.24.4/init/initramfs.c linux-2.6.24.4/init/initramfs.c
31759 ---- linux-2.6.24.4/init/initramfs.c 2008-03-24 14:49:18.000000000 -0400
31760 -+++ linux-2.6.24.4/init/initramfs.c 2008-03-26 17:56:56.000000000 -0400
31761 -@@ -240,7 +240,7 @@ static int __init maybe_link(void)
31762 - if (nlink >= 2) {
31763 - char *old = find_link(major, minor, ino, mode, collected);
31764 - if (old)
31765 -- return (sys_link(old, collected) < 0) ? -1 : 1;
31766 -+ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
31767 - }
31768 - return 0;
31769 - }
31770 -@@ -249,11 +249,11 @@ static void __init clean_path(char *path
31771 - {
31772 - struct stat st;
31773 -
31774 -- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
31775 -+ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
31776 - if (S_ISDIR(st.st_mode))
31777 -- sys_rmdir(path);
31778 -+ sys_rmdir((char __user *)path);
31779 - else
31780 -- sys_unlink(path);
31781 -+ sys_unlink((char __user *)path);
31782 - }
31783 - }
31784 -
31785 -@@ -276,7 +276,7 @@ static int __init do_name(void)
31786 - int openflags = O_WRONLY|O_CREAT;
31787 - if (ml != 1)
31788 - openflags |= O_TRUNC;
31789 -- wfd = sys_open(collected, openflags, mode);
31790 -+ wfd = sys_open((char __user *)collected, openflags, mode);
31791 -
31792 - if (wfd >= 0) {
31793 - sys_fchown(wfd, uid, gid);
31794 -@@ -285,15 +285,15 @@ static int __init do_name(void)
31795 - }
31796 - }
31797 - } else if (S_ISDIR(mode)) {
31798 -- sys_mkdir(collected, mode);
31799 -- sys_chown(collected, uid, gid);
31800 -- sys_chmod(collected, mode);
31801 -+ sys_mkdir((char __user *)collected, mode);
31802 -+ sys_chown((char __user *)collected, uid, gid);
31803 -+ sys_chmod((char __user *)collected, mode);
31804 - } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
31805 - S_ISFIFO(mode) || S_ISSOCK(mode)) {
31806 - if (maybe_link() == 0) {
31807 -- sys_mknod(collected, mode, rdev);
31808 -- sys_chown(collected, uid, gid);
31809 -- sys_chmod(collected, mode);
31810 -+ sys_mknod((char __user *)collected, mode, rdev);
31811 -+ sys_chown((char __user *)collected, uid, gid);
31812 -+ sys_chmod((char __user *)collected, mode);
31813 - }
31814 - }
31815 - return 0;
31816 -@@ -302,13 +302,13 @@ static int __init do_name(void)
31817 - static int __init do_copy(void)
31818 - {
31819 - if (count >= body_len) {
31820 -- sys_write(wfd, victim, body_len);
31821 -+ sys_write(wfd, (char __user *)victim, body_len);
31822 - sys_close(wfd);
31823 - eat(body_len);
31824 - state = SkipIt;
31825 - return 0;
31826 - } else {
31827 -- sys_write(wfd, victim, count);
31828 -+ sys_write(wfd, (char __user *)victim, count);
31829 - body_len -= count;
31830 - eat(count);
31831 - return 1;
31832 -@@ -319,8 +319,8 @@ static int __init do_symlink(void)
31833 - {
31834 - collected[N_ALIGN(name_len) + body_len] = '\0';
31835 - clean_path(collected, 0);
31836 -- sys_symlink(collected + N_ALIGN(name_len), collected);
31837 -- sys_lchown(collected, uid, gid);
31838 -+ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
31839 -+ sys_lchown((char __user *)collected, uid, gid);
31840 - state = SkipIt;
31841 - next_state = Reset;
31842 - return 0;
31843 -diff -urNp linux-2.6.24.4/init/Kconfig linux-2.6.24.4/init/Kconfig
31844 ---- linux-2.6.24.4/init/Kconfig 2008-03-24 14:49:18.000000000 -0400
31845 -+++ linux-2.6.24.4/init/Kconfig 2008-03-26 17:56:56.000000000 -0400
31846 -@@ -469,6 +469,7 @@ config SYSCTL_SYSCALL
31847 - config KALLSYMS
31848 - bool "Load all symbols for debugging/ksymoops" if EMBEDDED
31849 - default y
31850 -+ depends on !GRKERNSEC_HIDESYM
31851 - help
31852 - Say Y here to let the kernel print out symbolic crash information and
31853 - symbolic stack backtraces. This increases the size of the kernel
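Review bot: `depends on !GRKERNSEC_HIDESYM` on KALLSYMS in this hunk is overridden by any option that `select`s KALLSYMS (LOCKDEP in lib/Kconfig.debug, for one), in which case Kconfig enables KALLSYMS anyway and the dependency is silently violated; either make those selecting options depend on !GRKERNSEC_HIDESYM as well, or express the conflict the other way round (GRKERNSEC_HIDESYM depends on !KALLSYMS) so it is visible in menuconfig.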
31854 -diff -urNp linux-2.6.24.4/init/main.c linux-2.6.24.4/init/main.c
31855 ---- linux-2.6.24.4/init/main.c 2008-03-24 14:49:18.000000000 -0400
31856 -+++ linux-2.6.24.4/init/main.c 2008-03-26 17:56:56.000000000 -0400
31857 -@@ -101,6 +101,7 @@ static inline void mark_rodata_ro(void)
31858 - #ifdef CONFIG_TC
31859 - extern void tc_init(void);
31860 - #endif
31861 -+extern void grsecurity_init(void);
31862 -
31863 - enum system_states system_state;
31864 - EXPORT_SYMBOL(system_state);
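Review bot: the `extern void grsecurity_init(void);` added in this hunk is a local prototype in main.c with no `#ifdef`; it belongs in linux/grsecurity.h next to the other gr_* declarations, so that the declaration stays in sync with the definition and a !CONFIG_GRKERNSEC build can get an empty inline stub from the same place.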
31865 -@@ -187,6 +188,17 @@ static int __init set_reset_devices(char
31866 -
31867 - __setup("reset_devices", set_reset_devices);
31868 -
31869 -+#ifdef CONFIG_PAX_SOFTMODE
31870 -+unsigned int pax_softmode;
31871 -+
31872 -+static int __init setup_pax_softmode(char *str)
31873 -+{
31874 -+ get_option(&str, &pax_softmode);
31875 -+ return 1;
31876 -+}
31877 -+__setup("pax_softmode=", setup_pax_softmode);
31878 -+#endif
31879 -+
31880 - static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
31881 - char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
31882 - static const char *panic_later, *panic_param;
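Review bot: `setup_pax_softmode()` in this hunk passes `&pax_softmode`, an `unsigned int *`, to `get_option()`, which takes `int *`, so the kernel's -Wall build warns about differing pointer signedness; read into an `int` temporary and store `!!tmp`, which also normalizes any non-zero command-line value to the boolean "disable/enable soft mode" meaning the sysctl.h hunk gives PAX_SOFTMODE.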
31883 -@@ -847,6 +859,8 @@ static int __init kernel_init(void * unu
31884 - prepare_namespace();
31885 - }
31886 -
31887 -+ grsecurity_init();
31888 -+
31889 - /*
31890 - * Ok, we have completed the initial bootup, and
31891 - * we're essentially up and running. Get rid of the
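Review bot: `grsecurity_init()` is called unconditionally in this hunk, so unless linux/grsecurity.h (not shown) provides an empty stub for !CONFIG_GRKERNSEC, non-grsec builds fail to link; the usual `#ifdef CONFIG_GRKERNSEC ... #else static inline void grsecurity_init(void) {} #endif` in the header covers it. A one-line comment on why the call sits after `prepare_namespace()` (it runs once the root filesystem is mounted) would help readers of kernel_init().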
31892 -diff -urNp linux-2.6.24.4/init/noinitramfs.c linux-2.6.24.4/init/noinitramfs.c
31893 ---- linux-2.6.24.4/init/noinitramfs.c 2008-03-24 14:49:18.000000000 -0400
31894 -+++ linux-2.6.24.4/init/noinitramfs.c 2008-03-26 17:56:56.000000000 -0400
31895 -@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
31896 - {
31897 - int err;
31898 -
31899 -- err = sys_mkdir("/dev", 0755);
31900 -+ err = sys_mkdir((const char __user *)"/dev", 0755);
31901 - if (err < 0)
31902 - goto out;
31903 -
31904 -@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
31905 - if (err < 0)
31906 - goto out;
31907 -
31908 -- err = sys_mkdir("/root", 0700);
31909 -+ err = sys_mkdir((const char __user *)"/root", 0700);
31910 - if (err < 0)
31911 - goto out;
31912 -
31913 -diff -urNp linux-2.6.24.4/ipc/ipc_sysctl.c linux-2.6.24.4/ipc/ipc_sysctl.c
31914 ---- linux-2.6.24.4/ipc/ipc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
31915 -+++ linux-2.6.24.4/ipc/ipc_sysctl.c 2008-03-26 17:56:56.000000000 -0400
31916 -@@ -157,7 +157,7 @@ static struct ctl_table ipc_kern_table[]
31917 - .proc_handler = proc_ipc_dointvec,
31918 - .strategy = sysctl_ipc_data,
31919 - },
31920 -- {}
31921 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31922 - };
31923 -
31924 - static struct ctl_table ipc_root_table[] = {
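Review bot: replacing the `{}` terminator with an explicit eleven-field positional initializer in this hunk (and the next) is brittle: it encodes the current field count and order of `struct ctl_table` and breaks the first time upstream adds or reorders a member, while `{}` is already a complete zero initializer. If the motivation is a missing-field-initializers warning, say so in a comment, or use a designated initializer such as `{ .ctl_name = 0 }` that stays correct across struct changes.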
31925 -@@ -167,7 +167,7 @@ static struct ctl_table ipc_root_table[]
31926 - .mode = 0555,
31927 - .child = ipc_kern_table,
31928 - },
31929 -- {}
31930 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31931 - };
31932 -
31933 - static int __init ipc_sysctl_init(void)
31934 -diff -urNp linux-2.6.24.4/ipc/msg.c linux-2.6.24.4/ipc/msg.c
31935 ---- linux-2.6.24.4/ipc/msg.c 2008-03-24 14:49:18.000000000 -0400
31936 -+++ linux-2.6.24.4/ipc/msg.c 2008-03-26 17:56:56.000000000 -0400
31937 -@@ -36,6 +36,7 @@
31938 - #include <linux/seq_file.h>
31939 - #include <linux/rwsem.h>
31940 - #include <linux/nsproxy.h>
31941 -+#include <linux/grsecurity.h>
31942 -
31943 - #include <asm/current.h>
31944 - #include <asm/uaccess.h>
31945 -@@ -315,6 +316,7 @@ asmlinkage long sys_msgget(key_t key, in
31946 - struct ipc_namespace *ns;
31947 - struct ipc_ops msg_ops;
31948 - struct ipc_params msg_params;
31949 -+ long err;
31950 -
31951 - ns = current->nsproxy->ipc_ns;
31952 -
31953 -@@ -325,7 +327,11 @@ asmlinkage long sys_msgget(key_t key, in
31954 - msg_params.key = key;
31955 - msg_params.flg = msgflg;
31956 -
31957 -- return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
31958 -+ err = ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
31959 -+
31960 -+ gr_log_msgget(err, msgflg);
31961 -+
31962 -+ return err;
31963 - }
31964 -
31965 - static inline unsigned long
31966 -@@ -586,6 +592,7 @@ asmlinkage long sys_msgctl(int msqid, in
31967 - break;
31968 - }
31969 - case IPC_RMID:
31970 -+ gr_log_msgrm(ipcp->uid, ipcp->cuid);
31971 - freeque(ns, msq);
31972 - break;
31973 - }
31974 -diff -urNp linux-2.6.24.4/ipc/sem.c linux-2.6.24.4/ipc/sem.c
31975 ---- linux-2.6.24.4/ipc/sem.c 2008-03-24 14:49:18.000000000 -0400
31976 -+++ linux-2.6.24.4/ipc/sem.c 2008-03-26 17:56:56.000000000 -0400
31977 -@@ -82,6 +82,7 @@
31978 - #include <linux/seq_file.h>
31979 - #include <linux/rwsem.h>
31980 - #include <linux/nsproxy.h>
31981 -+#include <linux/grsecurity.h>
31982 -
31983 - #include <asm/uaccess.h>
31984 - #include "util.h"
31985 -@@ -334,6 +335,7 @@ asmlinkage long sys_semget(key_t key, in
31986 - struct ipc_namespace *ns;
31987 - struct ipc_ops sem_ops;
31988 - struct ipc_params sem_params;
31989 -+ long err;
31990 -
31991 - ns = current->nsproxy->ipc_ns;
31992 -
31993 -@@ -348,7 +350,11 @@ asmlinkage long sys_semget(key_t key, in
31994 - sem_params.flg = semflg;
31995 - sem_params.u.nsems = nsems;
31996 -
31997 -- return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
31998 -+ err = ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
31999 -+
32000 -+ gr_log_semget(err, semflg);
32001 -+
32002 -+ return err;
32003 - }
32004 -
32005 - /* Manage the doubly linked list sma->sem_pending as a FIFO:
32006 -@@ -936,6 +942,7 @@ static int semctl_down(struct ipc_namesp
32007 -
32008 - switch(cmd){
32009 - case IPC_RMID:
32010 -+ gr_log_semrm(ipcp->uid, ipcp->cuid);
32011 - freeary(ns, sma);
32012 - err = 0;
32013 - break;
32014 -diff -urNp linux-2.6.24.4/ipc/shm.c linux-2.6.24.4/ipc/shm.c
32015 ---- linux-2.6.24.4/ipc/shm.c 2008-03-24 14:49:18.000000000 -0400
32016 -+++ linux-2.6.24.4/ipc/shm.c 2008-03-26 17:56:56.000000000 -0400
32017 -@@ -38,6 +38,7 @@
32018 - #include <linux/rwsem.h>
32019 - #include <linux/nsproxy.h>
32020 - #include <linux/mount.h>
32021 -+#include <linux/grsecurity.h>
32022 -
32023 - #include <asm/uaccess.h>
32024 -
32025 -@@ -71,6 +72,14 @@ static void shm_destroy (struct ipc_name
32026 - static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
32027 - #endif
32028 -
32029 -+#ifdef CONFIG_GRKERNSEC
32030 -+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32031 -+ const time_t shm_createtime, const uid_t cuid,
32032 -+ const int shmid);
32033 -+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
32034 -+ const time_t shm_createtime);
32035 -+#endif
32036 -+
32037 - static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
32038 - {
32039 - ns->ids[IPC_SHM_IDS] = ids;
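Review bot: the `gr_handle_shmat()` and `gr_chroot_shmat()` prototypes added in this hunk are declared locally in shm.c even though the file now includes linux/grsecurity.h (first hunk of this file); move them into that header so the declarations cannot drift from the definitions, and provide stubs there so the `#ifdef CONFIG_GRKERNSEC` blocks later in do_shmat() can go away.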
32040 -@@ -87,6 +96,8 @@ static void __shm_init_ns(struct ipc_nam
32041 - */
32042 - static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
32043 - {
32044 -+ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
32045 -+
32046 - if (shp->shm_nattch){
32047 - shp->shm_perm.mode |= SHM_DEST;
32048 - /* Do not find it any more */
32049 -@@ -443,6 +454,14 @@ static int newseg(struct ipc_namespace *
32050 - shp->shm_lprid = 0;
32051 - shp->shm_atim = shp->shm_dtim = 0;
32052 - shp->shm_ctim = get_seconds();
32053 -+#ifdef CONFIG_GRKERNSEC
32054 -+ {
32055 -+ struct timespec timeval;
32056 -+ do_posix_clock_monotonic_gettime(&timeval);
32057 -+
32058 -+ shp->shm_createtime = timeval.tv_sec;
32059 -+ }
32060 -+#endif
32061 - shp->shm_segsz = size;
32062 - shp->shm_nattch = 0;
32063 - shp->shm_perm.id = shm_buildid(id, shp->shm_perm.seq);
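Review bot: `shm_createtime` in this hunk is taken from the monotonic clock while `shm_ctim` on the preceding line uses `get_seconds()` (wall clock); this is deliberate if the value is later compared against task start times, which are monotonic, but without a comment it reads as an inconsistency. Also the local is named `timeval` but is a `struct timespec`; rename it to `ts`.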
32064 -@@ -497,6 +516,7 @@ asmlinkage long sys_shmget (key_t key, s
32065 - struct ipc_namespace *ns;
32066 - struct ipc_ops shm_ops;
32067 - struct ipc_params shm_params;
32068 -+ long err;
32069 -
32070 - ns = current->nsproxy->ipc_ns;
32071 -
32072 -@@ -508,7 +528,11 @@ asmlinkage long sys_shmget (key_t key, s
32073 - shm_params.flg = shmflg;
32074 - shm_params.u.size = size;
32075 -
32076 -- return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
32077 -+ err = ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
32078 -+
32079 -+ gr_log_shmget(err, shmflg, size);
32080 -+
32081 -+ return err;
32082 - }
32083 -
32084 - static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
32085 -@@ -974,9 +998,21 @@ long do_shmat(int shmid, char __user *sh
32086 - if (err)
32087 - goto out_unlock;
32088 -
32089 -+#ifdef CONFIG_GRKERNSEC
32090 -+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
32091 -+ shp->shm_perm.cuid, shmid) ||
32092 -+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
32093 -+ err = -EACCES;
32094 -+ goto out_unlock;
32095 -+ }
32096 -+#endif
32097 -+
32098 - path.dentry = dget(shp->shm_file->f_path.dentry);
32099 - path.mnt = shp->shm_file->f_path.mnt;
32100 - shp->shm_nattch++;
32101 -+#ifdef CONFIG_GRKERNSEC
32102 -+ shp->shm_lapid = current->pid;
32103 -+#endif
32104 - size = i_size_read(path.dentry->d_inode);
32105 - shm_unlock(shp);
32106 -
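Review bot: `shp->shm_lapid = current->pid` in this hunk records a global thread id, whereas the neighbouring `shm_cprid`/`shm_lprid` fields in this version of shm.c are assigned with `task_tgid_vnr()` (namespace-relative thread-group ids); if `gr_handle_shmat()` compares `shm_lapid` against those, the id spaces are mixed for threaded attachers and for pid namespaces. Suggest `task_tgid_vnr(current)` for consistency, and a comment on why both gr_* denials collapse to the same -EACCES.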
32107 -diff -urNp linux-2.6.24.4/kernel/acct.c linux-2.6.24.4/kernel/acct.c
32108 ---- linux-2.6.24.4/kernel/acct.c 2008-03-24 14:49:18.000000000 -0400
32109 -+++ linux-2.6.24.4/kernel/acct.c 2008-03-26 17:56:56.000000000 -0400
32110 -@@ -511,7 +511,7 @@ static void do_acct_process(struct file
32111 - */
32112 - flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
32113 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
32114 -- file->f_op->write(file, (char *)&ac,
32115 -+ file->f_op->write(file, (char __user *)&ac,
32116 - sizeof(acct_t), &file->f_pos);
32117 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
32118 - set_fs(fs);
32119 -diff -urNp linux-2.6.24.4/kernel/capability.c linux-2.6.24.4/kernel/capability.c
32120 ---- linux-2.6.24.4/kernel/capability.c 2008-03-24 14:49:18.000000000 -0400
32121 -+++ linux-2.6.24.4/kernel/capability.c 2008-03-26 17:56:56.000000000 -0400
32122 -@@ -13,6 +13,7 @@
32123 - #include <linux/security.h>
32124 - #include <linux/syscalls.h>
32125 - #include <linux/pid_namespace.h>
32126 -+#include <linux/grsecurity.h>
32127 - #include <asm/uaccess.h>
32128 -
32129 - /*
32130 -@@ -233,15 +234,25 @@ out:
32131 -
32132 - int __capable(struct task_struct *t, int cap)
32133 - {
32134 -- if (security_capable(t, cap) == 0) {
32135 -+ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
32136 - t->flags |= PF_SUPERPRIV;
32137 - return 1;
32138 - }
32139 - return 0;
32140 - }
32141 -
32142 -+int capable_nolog(int cap)
32143 -+{
32144 -+ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
32145 -+ current->flags |= PF_SUPERPRIV;
32146 -+ return 1;
32147 -+ }
32148 -+ return 0;
32149 -+}
32150 -+
32151 - int capable(int cap)
32152 - {
32153 - return __capable(current, cap);
32154 - }
32155 - EXPORT_SYMBOL(capable);
32156 -+EXPORT_SYMBOL(capable_nolog);
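Review bot: `capable_nolog()` duplicates the body of `__capable()` instead of sharing it, and the only difference between the two is the `gr_is_capable_nolog(cap)` hook in place of `gr_task_is_capable(t, cap)`; a `__capable_nolog(struct task_struct *t, int cap)` helper (hypothetical name), or a flag parameter on one shared static function, would keep the two paths from drifting. Note also that the nolog path still sets `PF_SUPERPRIV` on `current`, so accounting treats it as a privileged use; a comment above the function stating that it differs from `capable()` only in suppressing the grsecurity denial log, and that it is exported for modules (`EXPORT_SYMBOL(capable_nolog)`), would help callers choose the right one.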
32157 -diff -urNp linux-2.6.24.4/kernel/configs.c linux-2.6.24.4/kernel/configs.c
32158 ---- linux-2.6.24.4/kernel/configs.c 2008-03-24 14:49:18.000000000 -0400
32159 -+++ linux-2.6.24.4/kernel/configs.c 2008-03-26 17:56:56.000000000 -0400
32160 -@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
32161 - struct proc_dir_entry *entry;
32162 -
32163 - /* create the current config file */
32164 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
32165 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
32166 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
32167 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32168 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
32169 -+#endif
32170 -+#else
32171 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
32172 - &proc_root);
32173 -+#endif
32174 - if (!entry)
32175 - return -ENOMEM;
32176 -
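Review bot: under `CONFIG_GRKERNSEC_PROC_ADD` the `entry` assignment sits inside an `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain with no `#else`, so a configuration with PROC_ADD set and neither sub-option set compiles with `entry` never assigned before `if (!entry)`. If Kconfig guarantees one of the two is selected whenever PROC_ADD is, say so in a comment; otherwise add an `#else` that either falls back to the restrictive `S_IRUSR` variant or stops the build with `#error`. For the `S_IRGRP` variant, nothing in this hunk sets the entry's owning gid, so check that it is adjusted after creation; otherwise the group bit only applies to whatever gid the entry is created with.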
32177 -diff -urNp linux-2.6.24.4/kernel/exit.c linux-2.6.24.4/kernel/exit.c
32178 ---- linux-2.6.24.4/kernel/exit.c 2008-03-24 14:49:18.000000000 -0400
32179 -+++ linux-2.6.24.4/kernel/exit.c 2008-03-26 17:56:56.000000000 -0400
32180 -@@ -44,6 +44,11 @@
32181 - #include <linux/resource.h>
32182 - #include <linux/blkdev.h>
32183 - #include <linux/task_io_accounting_ops.h>
32184 -+#include <linux/grsecurity.h>
32185 -+
32186 -+#ifdef CONFIG_GRKERNSEC
32187 -+extern rwlock_t grsec_exec_file_lock;
32188 -+#endif
32189 -
32190 - #include <asm/uaccess.h>
32191 - #include <asm/unistd.h>
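Review bot: `extern rwlock_t grsec_exec_file_lock;` is declared by hand in the .c file directly below the newly added `#include <linux/grsecurity.h>`; put the declaration in that header instead so the lock's type is checked against its definition at compile time and every user picks up the same declaration.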
32192 -@@ -122,6 +127,7 @@ static void __exit_signal(struct task_st
32193 -
32194 - __unhash_process(tsk);
32195 -
32196 -+ gr_del_task_from_ip_table(tsk);
32197 - tsk->signal = NULL;
32198 - tsk->sighand = NULL;
32199 - spin_unlock(&sighand->siglock);
32200 -@@ -273,12 +279,23 @@ static void reparent_to_kthreadd(void)
32201 - {
32202 - write_lock_irq(&tasklist_lock);
32203 -
32204 -+#ifdef CONFIG_GRKERNSEC
32205 -+ write_lock(&grsec_exec_file_lock);
32206 -+ if (current->exec_file) {
32207 -+ fput(current->exec_file);
32208 -+ current->exec_file = NULL;
32209 -+ }
32210 -+ write_unlock(&grsec_exec_file_lock);
32211 -+#endif
32212 -+
32213 - ptrace_unlink(current);
32214 - /* Reparent to init */
32215 - remove_parent(current);
32216 - current->real_parent = current->parent = kthreadd_task;
32217 - add_parent(current);
32218 -
32219 -+ gr_set_kernel_label(current);
32220 -+
32221 - /* Set the exit signal to SIGCHLD so we signal init on exit */
32222 - current->exit_signal = SIGCHLD;
32223 -
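Review bot: `fput(current->exec_file)` runs while `tasklist_lock` is held with interrupts disabled (`write_lock_irq(&tasklist_lock)` at the top of the hunk) and while `grsec_exec_file_lock` is write-locked; if this drops the last reference to the file, the release path may sleep, which is not allowed under either lock. Suggest swapping the pointer out under the lock and releasing it afterwards:
  write_lock(&grsec_exec_file_lock);
  exec_file = current->exec_file; current->exec_file = NULL;
  write_unlock(&grsec_exec_file_lock);
and calling `fput(exec_file)` outside the `tasklist_lock` region (before `write_lock_irq()` is taken would do, since nothing else in the hunk depends on the ordering).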
32224 -@@ -373,6 +390,17 @@ void daemonize(const char *name, ...)
32225 - vsnprintf(current->comm, sizeof(current->comm), name, args);
32226 - va_end(args);
32227 -
32228 -+#ifdef CONFIG_GRKERNSEC
32229 -+ write_lock(&grsec_exec_file_lock);
32230 -+ if (current->exec_file) {
32231 -+ fput(current->exec_file);
32232 -+ current->exec_file = NULL;
32233 -+ }
32234 -+ write_unlock(&grsec_exec_file_lock);
32235 -+#endif
32236 -+
32237 -+ gr_set_kernel_label(current);
32238 -+
32239 - /*
32240 - * If we were started as result of loading a module, close all of the
32241 - * user space pages. We don't need them, and if we didn't close them
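Review bot: same concern as in reparent_to_kthreadd(): `fput(current->exec_file)` is called inside the `write_lock(&grsec_exec_file_lock)` / `write_unlock` pair, so a last-reference release runs under a spinning rwlock. Take the pointer under the lock, clear the field, unlock, then `fput()` the saved pointer. The block is duplicated verbatim in both functions, which argues for a small helper such as `gr_drop_exec_file(current)` (hypothetical name) so the locking rule lives in one place.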
32242 -@@ -990,6 +1018,9 @@ fastcall NORET_TYPE void do_exit(long co
32243 - tsk->exit_code = code;
32244 - taskstats_exit(tsk, group_dead);
32245 -
32246 -+ gr_acl_handle_psacct(tsk, code);
32247 -+ gr_acl_handle_exit();
32248 -+
32249 - exit_mm(tsk);
32250 -
32251 - if (group_dead)
32252 -@@ -1200,7 +1231,7 @@ static int wait_task_zombie(struct task_
32253 - pid_t pid = task_pid_nr_ns(p, ns);
32254 - uid_t uid = p->uid;
32255 - int exit_code = p->exit_code;
32256 -- int why, status;
32257 -+ int why;
32258 -
32259 - if (unlikely(p->exit_state != EXIT_ZOMBIE))
32260 - return 0;
32261 -diff -urNp linux-2.6.24.4/kernel/fork.c linux-2.6.24.4/kernel/fork.c
32262 ---- linux-2.6.24.4/kernel/fork.c 2008-03-24 14:49:18.000000000 -0400
32263 -+++ linux-2.6.24.4/kernel/fork.c 2008-03-26 17:56:56.000000000 -0400
32264 -@@ -51,6 +51,7 @@
32265 - #include <linux/random.h>
32266 - #include <linux/tty.h>
32267 - #include <linux/proc_fs.h>
32268 -+#include <linux/grsecurity.h>
32269 -
32270 - #include <asm/pgtable.h>
32271 - #include <asm/pgalloc.h>
32272 -@@ -180,7 +181,7 @@ static struct task_struct *dup_task_stru
32273 - }
32274 -
32275 - *tsk = *orig;
32276 -- tsk->stack = ti;
32277 -+ tsk->stack = (union thread_union *)ti;
32278 -
32279 - err = prop_local_init_single(&tsk->dirties);
32280 - if (err) {
32281 -@@ -192,7 +193,7 @@ static struct task_struct *dup_task_stru
32282 - setup_thread_stack(tsk, orig);
32283 -
32284 - #ifdef CONFIG_CC_STACKPROTECTOR
32285 -- tsk->stack_canary = get_random_int();
32286 -+ tsk->stack_canary = pax_get_random_long();
32287 - #endif
32288 -
32289 - /* One for us, one for whoever does the "release_task()" (usually parent) */
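Review bot: the switch from `get_random_int()` to `pax_get_random_long()` changes how much entropy the canary receives (a full `long` instead of an `int`, which matters when `stack_canary` is wider than 32 bits), but the hunk carries no comment saying so; add one line above the `#ifdef CONFIG_CC_STACKPROTECTOR` block stating the intent. Also make sure `pax_get_random_long()` is declared in one of the headers included above (the hunk only adds `<linux/grsecurity.h>`), so the call does not rely on an implicit declaration.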
32290 -@@ -224,8 +225,8 @@ static int dup_mmap(struct mm_struct *mm
32291 - mm->locked_vm = 0;
32292 - mm->mmap = NULL;
32293 - mm->mmap_cache = NULL;
32294 -- mm->free_area_cache = oldmm->mmap_base;
32295 -- mm->cached_hole_size = ~0UL;
32296 -+ mm->free_area_cache = oldmm->free_area_cache;
32297 -+ mm->cached_hole_size = oldmm->cached_hole_size;
32298 - mm->map_count = 0;
32299 - cpus_clear(mm->cpu_vm_mask);
32300 - mm->mm_rb = RB_ROOT;
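Review bot: the child now inherits `free_area_cache` and `cached_hole_size` from the parent instead of restarting the search from `oldmm->mmap_base` with an empty hole cache; that is a deliberate change to the mmap search heuristic, but nothing in the hunk says why. Add a comment giving the reason (the cached values stay valid for the child only because dup_mmap() reproduces the parent's layout exactly), so a later sync with the upstream reset does not silently revert it.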
32301 -@@ -262,6 +263,7 @@ static int dup_mmap(struct mm_struct *mm
32302 - tmp->vm_flags &= ~VM_LOCKED;
32303 - tmp->vm_mm = mm;
32304 - tmp->vm_next = NULL;
32305 -+ tmp->vm_mirror = NULL;
32306 - anon_vma_link(tmp);
32307 - file = tmp->vm_file;
32308 - if (file) {
32309 -@@ -298,6 +300,31 @@ static int dup_mmap(struct mm_struct *mm
32310 - if (retval)
32311 - goto out;
32312 - }
32313 -+
32314 -+#ifdef CONFIG_PAX_SEGMEXEC
32315 -+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
32316 -+ struct vm_area_struct *mpnt_m;
32317 -+
32318 -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
32319 -+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
32320 -+
32321 -+ if (!mpnt->vm_mirror)
32322 -+ continue;
32323 -+
32324 -+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
32325 -+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
32326 -+ mpnt->vm_mirror = mpnt_m;
32327 -+ } else {
32328 -+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
32329 -+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
32330 -+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
32331 -+ mpnt->vm_mirror->vm_mirror = mpnt;
32332 -+ }
32333 -+ }
32334 -+ BUG_ON(mpnt_m);
32335 -+ }
32336 -+#endif
32337 -+
32338 - /* a new mm has just been created */
32339 - arch_dup_mmap(oldmm, mm);
32340 - retval = 0;
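Review bot: the SEGMEXEC mirror fix-up loop relies on two invariants that deserve a comment. First, each lower-half vma (`vm_end <= SEGMEXEC_TASK_SIZE`) must be visited before its upper-half mirror, which holds because both lists are address-ordered. Second, the parent's `mpnt->vm_mirror` is temporarily pointed at the child's vma (`mpnt->vm_mirror = mpnt_m`) and only restored in the `else` branch by `mpnt->vm_mirror->vm_mirror = mpnt`, so the parent's mirror links are inconsistent for the duration of the walk; that is acceptable only because dup_mmap() runs with the parent's mmap_sem held for write, and the comment should say so. The `BUG_ON()` checks, including the trailing `BUG_ON(mpnt_m)` length check, are a reasonable guard for an invariant violation here.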
32341 -@@ -475,7 +502,7 @@ void mm_release(struct task_struct *tsk,
32342 - if (tsk->clear_child_tid
32343 - && !(tsk->flags & PF_SIGNALED)
32344 - && atomic_read(&mm->mm_users) > 1) {
32345 -- u32 __user * tidptr = tsk->clear_child_tid;
32346 -+ pid_t __user * tidptr = tsk->clear_child_tid;
32347 - tsk->clear_child_tid = NULL;
32348 -
32349 - /*
32350 -@@ -483,7 +510,7 @@ void mm_release(struct task_struct *tsk,
32351 - * not set up a proper pointer then tough luck.
32352 - */
32353 - put_user(0, tidptr);
32354 -- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
32355 -+ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
32356 - }
32357 - }
32358 -
32359 -@@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
32360 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
32361 - #endif
32362 - retval = -EAGAIN;
32363 -+
32364 -+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
32365 -+
32366 - if (atomic_read(&p->user->processes) >=
32367 - p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
32368 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
32369 -@@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
32370 - if (clone_flags & CLONE_THREAD)
32371 - p->tgid = current->tgid;
32372 -
32373 -+ gr_copy_label(p);
32374 -+
32375 - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
32376 - /*
32377 - * Clear TID on mm_release()?
32378 -@@ -1356,6 +1388,8 @@ bad_fork_cleanup_count:
32379 - bad_fork_free:
32380 - free_task(p);
32381 - fork_out:
32382 -+ gr_log_forkfail(retval);
32383 -+
32384 - return ERR_PTR(retval);
32385 - }
32386 -
32387 -@@ -1437,6 +1471,8 @@ long do_fork(unsigned long clone_flags,
32388 - if (clone_flags & CLONE_PARENT_SETTID)
32389 - put_user(nr, parent_tidptr);
32390 -
32391 -+ gr_handle_brute_check();
32392 -+
32393 - if (clone_flags & CLONE_VFORK) {
32394 - p->vfork_done = &vfork;
32395 - init_completion(&vfork);
32396 -diff -urNp linux-2.6.24.4/kernel/futex.c linux-2.6.24.4/kernel/futex.c
32397 ---- linux-2.6.24.4/kernel/futex.c 2008-03-24 14:49:18.000000000 -0400
32398 -+++ linux-2.6.24.4/kernel/futex.c 2008-03-26 17:56:56.000000000 -0400
32399 -@@ -192,6 +192,11 @@ static int get_futex_key(u32 __user *uad
32400 - struct page *page;
32401 - int err;
32402 -
32403 -+#ifdef CONFIG_PAX_SEGMEXEC
32404 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
32405 -+ return -EFAULT;
32406 -+#endif
32407 -+
32408 - /*
32409 - * The futex address must be "naturally" aligned.
32410 - */
32411 -@@ -218,8 +223,8 @@ static int get_futex_key(u32 __user *uad
32412 - * The futex is hashed differently depending on whether
32413 - * it's in a shared or private mapping. So check vma first.
32414 - */
32415 -- vma = find_extend_vma(mm, address);
32416 -- if (unlikely(!vma))
32417 -+ vma = find_vma(mm, address);
32418 -+ if (unlikely(!vma || address < vma->vm_start))
32419 - return -EFAULT;
32420 -
32421 - /*
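Review bot: replacing `find_extend_vma()` with `find_vma()` plus `address < vma->vm_start` changes behaviour for a futex word that lies just below a growable stack vma: mainline grows the stack and proceeds, this version returns `-EFAULT`. That is a defensible tightening (the futex word must already be mapped), but it should be stated in the comment above, which still only explains the shared/private hashing; otherwise the next person to sync with upstream will treat the difference as accidental.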
32422 -@@ -1962,7 +1967,7 @@ retry:
32423 - */
32424 - static inline int fetch_robust_entry(struct robust_list __user **entry,
32425 - struct robust_list __user * __user *head,
32426 -- int *pi)
32427 -+ unsigned int *pi)
32428 - {
32429 - unsigned long uentry;
32430 -
32431 -diff -urNp linux-2.6.24.4/kernel/irq/handle.c linux-2.6.24.4/kernel/irq/handle.c
32432 ---- linux-2.6.24.4/kernel/irq/handle.c 2008-03-24 14:49:18.000000000 -0400
32433 -+++ linux-2.6.24.4/kernel/irq/handle.c 2008-03-26 17:56:56.000000000 -0400
32434 -@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
32435 - .depth = 1,
32436 - .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
32437 - #ifdef CONFIG_SMP
32438 -- .affinity = CPU_MASK_ALL
32439 -+ .affinity = CPU_MASK_ALL,
32440 -+ .cpu = 0,
32441 - #endif
32442 - }
32443 - };
32444 -diff -urNp linux-2.6.24.4/kernel/kallsyms.c linux-2.6.24.4/kernel/kallsyms.c
32445 ---- linux-2.6.24.4/kernel/kallsyms.c 2008-03-24 14:49:18.000000000 -0400
32446 -+++ linux-2.6.24.4/kernel/kallsyms.c 2008-03-26 17:56:56.000000000 -0400
32447 -@@ -70,6 +70,19 @@ static inline int is_kernel_text(unsigne
32448 -
32449 - static inline int is_kernel(unsigned long addr)
32450 - {
32451 -+
32452 -+#ifdef CONFIG_PAX_KERNEXEC
32453 -+
32454 -+#ifdef CONFIG_MODULES
32455 -+ if ((unsigned long)MODULES_VADDR <= ktla_ktva(addr) &&
32456 -+ ktla_ktva(addr) < (unsigned long)MODULES_END)
32457 -+ return 0;
32458 -+#endif
32459 -+
32460 -+ if (is_kernel_inittext(addr))
32461 -+ return 1;
32462 -+#endif
32463 -+
32464 - if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
32465 - return 1;
32466 - return in_gate_area_no_task(addr);
32467 -@@ -378,7 +391,6 @@ static unsigned long get_ksymbol_core(st
32468 -
32469 - static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
32470 - {
32471 -- iter->name[0] = '\0';
32472 - iter->nameoff = get_symbol_offset(new_pos);
32473 - iter->pos = new_pos;
32474 - }
32475 -@@ -462,7 +474,7 @@ static int kallsyms_open(struct inode *i
32476 - struct kallsym_iter *iter;
32477 - int ret;
32478 -
32479 -- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
32480 -+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
32481 - if (!iter)
32482 - return -ENOMEM;
32483 - reset_iter(iter, 0);
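Review bot: the `kmalloc` to `kzalloc` switch pairs with the removal of `iter->name[0] = '\0'` from reset_iter() in the hunk above, but the relationship is not recorded anywhere. Add a comment at the allocation that the iterator is zeroed once here; and if reset_iter() is also reached on a seek rather than only from kallsyms_open(), confirm that every path that reaches s_show() rewrites `iter->name` first, since otherwise a seek could present a stale symbol name for the new position.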
32484 -@@ -486,7 +498,15 @@ static int __init kallsyms_init(void)
32485 - {
32486 - struct proc_dir_entry *entry;
32487 -
32488 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
32489 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
32490 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
32491 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32492 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
32493 -+#endif
32494 -+#else
32495 - entry = create_proc_entry("kallsyms", 0444, NULL);
32496 -+#endif
32497 - if (entry)
32498 - entry->proc_fops = &kallsyms_operations;
32499 - return 0;
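Review bot: same pattern as the configs.c hunk: with `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, `entry` is never assigned and `if (entry) entry->proc_fops = ...` reads an indeterminate pointer. Either document the Kconfig dependency in a comment or add an `#else` branch; a fallback to the `S_IRUSR` variant would be the conservative choice, since PROC_ADD exists to restrict. The mix of `0444` and `S_IFREG | S_IRUSR` styles within one chain is also worth unifying.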
32500 -diff -urNp linux-2.6.24.4/kernel/kmod.c linux-2.6.24.4/kernel/kmod.c
32501 ---- linux-2.6.24.4/kernel/kmod.c 2008-03-24 14:49:18.000000000 -0400
32502 -+++ linux-2.6.24.4/kernel/kmod.c 2008-03-26 17:56:56.000000000 -0400
32503 -@@ -107,7 +107,7 @@ int request_module(const char *fmt, ...)
32504 - return -ENOMEM;
32505 - }
32506 -
32507 -- ret = call_usermodehelper(modprobe_path, argv, envp, 1);
32508 -+ ret = call_usermodehelper(modprobe_path, argv, envp, UMH_WAIT_PROC);
32509 - atomic_dec(&kmod_concurrent);
32510 - return ret;
32511 - }
32512 -diff -urNp linux-2.6.24.4/kernel/kprobes.c linux-2.6.24.4/kernel/kprobes.c
32513 ---- linux-2.6.24.4/kernel/kprobes.c 2008-03-24 14:49:18.000000000 -0400
32514 -+++ linux-2.6.24.4/kernel/kprobes.c 2008-03-26 17:56:56.000000000 -0400
32515 -@@ -162,7 +162,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
32516 - * kernel image and loaded module images reside. This is required
32517 - * so x86_64 can correctly handle the %rip-relative fixups.
32518 - */
32519 -- kip->insns = module_alloc(PAGE_SIZE);
32520 -+ kip->insns = module_alloc_exec(PAGE_SIZE);
32521 - if (!kip->insns) {
32522 - kfree(kip);
32523 - return NULL;
32524 -@@ -194,7 +194,7 @@ static int __kprobes collect_one_slot(st
32525 - hlist_add_head(&kip->hlist,
32526 - &kprobe_insn_pages);
32527 - } else {
32528 -- module_free(NULL, kip->insns);
32529 -+ module_free_exec(NULL, kip->insns);
32530 - kfree(kip);
32531 - }
32532 - return 1;
32533 -diff -urNp linux-2.6.24.4/kernel/module.c linux-2.6.24.4/kernel/module.c
32534 ---- linux-2.6.24.4/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
32535 -+++ linux-2.6.24.4/kernel/module.c 2008-03-26 17:56:56.000000000 -0400
32536 -@@ -45,6 +45,11 @@
32537 - #include <asm/uaccess.h>
32538 - #include <asm/semaphore.h>
32539 - #include <asm/cacheflush.h>
32540 -+
32541 -+#ifdef CONFIG_PAX_KERNEXEC
32542 -+#include <asm/desc.h>
32543 -+#endif
32544 -+
32545 - #include <linux/license.h>
32546 -
32547 - extern int module_sysfs_initialized;
32548 -@@ -69,6 +74,8 @@ static LIST_HEAD(modules);
32549 -
32550 - static BLOCKING_NOTIFIER_HEAD(module_notify_list);
32551 -
32552 -+extern int gr_check_modstop(void);
32553 -+
32554 - int register_module_notifier(struct notifier_block * nb)
32555 - {
32556 - return blocking_notifier_chain_register(&module_notify_list, nb);
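Review bot: `extern int gr_check_modstop(void);` is declared by hand in module.c while the other files touched by this patch (capability.c, exit.c, fork.c) take their grsecurity prototypes from `<linux/grsecurity.h>`; declare it in that header and include it here so the prototype is checked against the definition.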
32557 -@@ -349,7 +356,7 @@ static void *percpu_modalloc(unsigned lo
32558 - unsigned int i;
32559 - void *ptr;
32560 -
32561 -- if (align > PAGE_SIZE) {
32562 -+ if (align-1 >= PAGE_SIZE) {
32563 - printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
32564 - name, align, PAGE_SIZE);
32565 - align = PAGE_SIZE;
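Review bot: `align-1 >= PAGE_SIZE` is equivalent to `align > PAGE_SIZE` for every `align >= 1`, so the only behavioural change is that `align == 0` (which wraps after the subtraction) now also takes the warning-and-clamp branch. That is a sensible guard against a zero alignment reaching the allocator, but the message below still prints `%li > %li`, which for that case reads as `0 > 4096`; test `align == 0` explicitly alongside the original comparison, or adjust the message, so the intent is readable without the wrap-around trick.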
32566 -@@ -662,6 +669,9 @@ sys_delete_module(const char __user *nam
32567 - char name[MODULE_NAME_LEN];
32568 - int ret, forced = 0;
32569 -
32570 -+ if (gr_check_modstop())
32571 -+ return -EPERM;
32572 -+
32573 - if (!capable(CAP_SYS_MODULE))
32574 - return -EPERM;
32575 -
32576 -@@ -1310,16 +1320,19 @@ static void free_module(struct module *m
32577 - module_unload_free(mod);
32578 -
32579 - /* This may be NULL, but that's OK */
32580 -- module_free(mod, mod->module_init);
32581 -+ module_free(mod, mod->module_init_rw);
32582 -+ module_free_exec(mod, mod->module_init_rx);
32583 - kfree(mod->args);
32584 - if (mod->percpu)
32585 - percpu_modfree(mod->percpu);
32586 -
32587 - /* Free lock-classes: */
32588 -- lockdep_free_key_range(mod->module_core, mod->core_size);
32589 -+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
32590 -+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
32591 -
32592 - /* Finally, free the core (containing the module structure) */
32593 -- module_free(mod, mod->module_core);
32594 -+ module_free_exec(mod, mod->module_core_rx);
32595 -+ module_free(mod, mod->module_core_rw);
32596 - }
32597 -
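Review bot: with the core split into `module_core_rx` and `module_core_rw`, the comment `/* Finally, free the core (containing the module structure) */` now applies only to the last `module_free(mod, mod->module_core_rw)`; update it to say that the rw half holds `struct module` (writable data lands there under the layout rule introduced in layout_sections()), and that `module_free_exec(mod, mod->module_core_rx)` must stay before it because `mod` is still dereferenced to reach `module_core_rw`. The `/* This may be NULL, but that's OK */` comment should likewise note that it now covers both `module_init_rw` and `module_init_rx`, so `module_free_exec()` must accept NULL.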
32598 - void *__symbol_get(const char *symbol)
32599 -@@ -1380,10 +1393,14 @@ static int simplify_symbols(Elf_Shdr *se
32600 - struct module *mod)
32601 - {
32602 - Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
32603 -- unsigned long secbase;
32604 -+ unsigned long secbase, symbol;
32605 - unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
32606 - int ret = 0;
32607 -
32608 -+#ifdef CONFIG_PAX_KERNEXEC
32609 -+ unsigned long cr0;
32610 -+#endif
32611 -+
32612 - for (i = 1; i < n; i++) {
32613 - switch (sym[i].st_shndx) {
32614 - case SHN_COMMON:
32615 -@@ -1402,10 +1419,19 @@ static int simplify_symbols(Elf_Shdr *se
32616 - break;
32617 -
32618 - case SHN_UNDEF:
32619 -- sym[i].st_value
32620 -- = resolve_symbol(sechdrs, versindex,
32621 -+ symbol = resolve_symbol(sechdrs, versindex,
32622 - strtab + sym[i].st_name, mod);
32623 -
32624 -+#ifdef CONFIG_PAX_KERNEXEC
32625 -+ pax_open_kernel(cr0);
32626 -+#endif
32627 -+
32628 -+ sym[i].st_value = symbol;
32629 -+
32630 -+#ifdef CONFIG_PAX_KERNEXEC
32631 -+ pax_close_kernel(cr0);
32632 -+#endif
32633 -+
32634 - /* Ok if resolved. */
32635 - if (sym[i].st_value != 0)
32636 - break;
32637 -@@ -1420,11 +1446,27 @@ static int simplify_symbols(Elf_Shdr *se
32638 -
32639 - default:
32640 - /* Divert to percpu allocation if a percpu var. */
32641 -- if (sym[i].st_shndx == pcpuindex)
32642 -+ if (sym[i].st_shndx == pcpuindex) {
32643 -+
32644 -+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
32645 -+ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
32646 -+#else
32647 - secbase = (unsigned long)mod->percpu;
32648 -- else
32649 -+#endif
32650 -+
32651 -+ } else
32652 - secbase = sechdrs[sym[i].st_shndx].sh_addr;
32653 -+
32654 -+#ifdef CONFIG_PAX_KERNEXEC
32655 -+ pax_open_kernel(cr0);
32656 -+#endif
32657 -+
32658 - sym[i].st_value += secbase;
32659 -+
32660 -+#ifdef CONFIG_PAX_KERNEXEC
32661 -+ pax_close_kernel(cr0);
32662 -+#endif
32663 -+
32664 - break;
32665 - }
32666 - }
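Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` are toggled once per symbol in both the `SHN_UNDEF` case above and the `default` case here, so a module with thousands of symbols flips the write-protect state thousands of times during relocation. Consider opening once around the `for (i = 1; i < n; i++)` loop and closing after it; the window is no wider in practice and four `#ifdef` blocks disappear. A comment explaining why the store to `sym[i].st_value` needs the open at all (presumably because the symbol table has by now been copied into the read-only rx region) would also help readers who do not know KERNEXEC.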
32667 -@@ -1476,11 +1518,14 @@ static void layout_sections(struct modul
32668 - || strncmp(secstrings + s->sh_name,
32669 - ".init", 5) == 0)
32670 - continue;
32671 -- s->sh_entsize = get_offset(&mod->core_size, s);
32672 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
32673 -+ s->sh_entsize = get_offset(&mod->core_size_rw, s);
32674 -+ else
32675 -+ s->sh_entsize = get_offset(&mod->core_size_rx, s);
32676 - DEBUGP("\t%s\n", secstrings + s->sh_name);
32677 - }
32678 - if (m == 0)
32679 -- mod->core_text_size = mod->core_size;
32680 -+ mod->core_size_rx = mod->core_size_rx;
32681 - }
32682 -
32683 - DEBUGP("Init section allocation order:\n");
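Review bot: `mod->core_size_rx = mod->core_size_rx;` is a self-assignment and therefore a no-op. Upstream recorded `core_text_size = core_size` after the text pass so that the end of text was known; with the rx/rw split the rx size already covers text plus read-only data, so either delete the `if (m == 0)` block or, if a text-only bound is still wanted (`__module_text_address()` below now uses `core_size_rx` instead), add a field that stores it. A self-assignment left in place invites a compiler warning and reads as a forgotten edit.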
32684 -@@ -1494,12 +1539,15 @@ static void layout_sections(struct modul
32685 - || strncmp(secstrings + s->sh_name,
32686 - ".init", 5) != 0)
32687 - continue;
32688 -- s->sh_entsize = (get_offset(&mod->init_size, s)
32689 -- | INIT_OFFSET_MASK);
32690 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
32691 -+ s->sh_entsize = get_offset(&mod->init_size_rw, s);
32692 -+ else
32693 -+ s->sh_entsize = get_offset(&mod->init_size_rx, s);
32694 -+ s->sh_entsize |= INIT_OFFSET_MASK;
32695 - DEBUGP("\t%s\n", secstrings + s->sh_name);
32696 - }
32697 - if (m == 0)
32698 -- mod->init_text_size = mod->init_size;
32699 -+ mod->init_size_rx = mod->init_size_rx;
32700 - }
32701 - }
32702 -
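Review bot: `mod->init_size_rx = mod->init_size_rx;` is a self-assignment like the core one above; remove the `if (m == 0)` block or keep a separate text-size field. Separately, applying `s->sh_entsize |= INIT_OFFSET_MASK;` after the branch is cleaner than the original combined expression, but the rx/rw selection predicate `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` now appears here, in the core pass, and twice more in load_module(); a small static helper (`module_section_is_rw(s)`, hypothetical name) would keep the four copies in sync.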
32703 -@@ -1626,14 +1674,31 @@ static void add_kallsyms(struct module *
32704 - {
32705 - unsigned int i;
32706 -
32707 -+#ifdef CONFIG_PAX_KERNEXEC
32708 -+ unsigned long cr0;
32709 -+#endif
32710 -+
32711 - mod->symtab = (void *)sechdrs[symindex].sh_addr;
32712 - mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
32713 - mod->strtab = (void *)sechdrs[strindex].sh_addr;
32714 -
32715 - /* Set types up while we still have access to sections. */
32716 -- for (i = 0; i < mod->num_symtab; i++)
32717 -- mod->symtab[i].st_info
32718 -- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
32719 -+
32720 -+ for (i = 0; i < mod->num_symtab; i++) {
32721 -+ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
32722 -+
32723 -+#ifdef CONFIG_PAX_KERNEXEC
32724 -+ pax_open_kernel(cr0);
32725 -+#endif
32726 -+
32727 -+ mod->symtab[i].st_info = type;
32728 -+
32729 -+#ifdef CONFIG_PAX_KERNEXEC
32730 -+ pax_close_kernel(cr0);
32731 -+#endif
32732 -+
32733 -+ }
32734 -+
32735 - }
32736 - #else
32737 - static inline void add_kallsyms(struct module *mod,
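Review bot: the per-symbol `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair around `mod->symtab[i].st_info = type;` has the same cost concern as in simplify_symbols(): one open/close per symbol. Opening once around the loop would do; the blank line before the closing brace and the extra blank after the loop should also go. A one-line comment that `symtab` lives in the read-only rx region at this point (which is why a plain store no longer works) would explain the construct.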
32738 -@@ -1683,6 +1748,10 @@ static struct module *load_module(void _
32739 - struct exception_table_entry *extable;
32740 - mm_segment_t old_fs;
32741 -
32742 -+#ifdef CONFIG_PAX_KERNEXEC
32743 -+ unsigned long cr0;
32744 -+#endif
32745 -+
32746 - DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
32747 - umod, len, uargs);
32748 - if (len < sizeof(*hdr))
32749 -@@ -1841,21 +1910,57 @@ static struct module *load_module(void _
32750 - layout_sections(mod, hdr, sechdrs, secstrings);
32751 -
32752 - /* Do the allocs. */
32753 -- ptr = module_alloc(mod->core_size);
32754 -+ ptr = module_alloc(mod->core_size_rw);
32755 - if (!ptr) {
32756 - err = -ENOMEM;
32757 - goto free_percpu;
32758 - }
32759 -- memset(ptr, 0, mod->core_size);
32760 -- mod->module_core = ptr;
32761 -+ memset(ptr, 0, mod->core_size_rw);
32762 -+ mod->module_core_rw = ptr;
32763 -
32764 -- ptr = module_alloc(mod->init_size);
32765 -- if (!ptr && mod->init_size) {
32766 -+ ptr = module_alloc(mod->init_size_rw);
32767 -+ if (!ptr && mod->init_size_rw) {
32768 -+ err = -ENOMEM;
32769 -+ goto free_core_rw;
32770 -+ }
32771 -+ memset(ptr, 0, mod->init_size_rw);
32772 -+ mod->module_init_rw = ptr;
32773 -+
32774 -+ ptr = module_alloc_exec(mod->core_size_rx);
32775 -+ if (!ptr) {
32776 - err = -ENOMEM;
32777 -- goto free_core;
32778 -+ goto free_init_rw;
32779 - }
32780 -- memset(ptr, 0, mod->init_size);
32781 -- mod->module_init = ptr;
32782 -+
32783 -+#ifdef CONFIG_PAX_KERNEXEC
32784 -+ pax_open_kernel(cr0);
32785 -+#endif
32786 -+
32787 -+ memset(ptr, 0, mod->core_size_rx);
32788 -+
32789 -+#ifdef CONFIG_PAX_KERNEXEC
32790 -+ pax_close_kernel(cr0);
32791 -+#endif
32792 -+
32793 -+ mod->module_core_rx = ptr;
32794 -+
32795 -+ ptr = module_alloc_exec(mod->init_size_rx);
32796 -+ if (!ptr && mod->init_size_rx) {
32797 -+ err = -ENOMEM;
32798 -+ goto free_core_rx;
32799 -+ }
32800 -+
32801 -+#ifdef CONFIG_PAX_KERNEXEC
32802 -+ pax_open_kernel(cr0);
32803 -+#endif
32804 -+
32805 -+ memset(ptr, 0, mod->init_size_rx);
32806 -+
32807 -+#ifdef CONFIG_PAX_KERNEXEC
32808 -+ pax_close_kernel(cr0);
32809 -+#endif
32810 -+
32811 -+ mod->module_init_rx = ptr;
32812 -
32813 - /* Transfer each section which specifies SHF_ALLOC */
32814 - DEBUGP("final section addresses:\n");
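Review bot: the four-way allocation (core_rw, init_rw, core_rx, init_rx) and its unwind labels (`free_core_rw`, `free_init_rw`, `free_core_rx`) chain correctly against the cleanup hunk later in the file, but the `/* Do the allocs. */` comment no longer explains what is going on. Expand it to say that writable sections go into regular allocations and read-only ones into executable allocations that are write-protected under KERNEXEC, which is also why the two `memset()` calls on the rx regions are wrapped in `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)`. If `module_alloc_exec()` can return pre-zeroed memory, both open/close windows here could be dropped.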
32815 -@@ -1865,17 +1970,41 @@ static struct module *load_module(void _
32816 - if (!(sechdrs[i].sh_flags & SHF_ALLOC))
32817 - continue;
32818 -
32819 -- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
32820 -- dest = mod->module_init
32821 -- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32822 -- else
32823 -- dest = mod->module_core + sechdrs[i].sh_entsize;
32824 -+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
32825 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
32826 -+ dest = mod->module_init_rw
32827 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32828 -+ else
32829 -+ dest = mod->module_init_rx
32830 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
32831 -+ } else {
32832 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
32833 -+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
32834 -+ else
32835 -+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
32836 -+ }
32837 -
32838 -- if (sechdrs[i].sh_type != SHT_NOBITS)
32839 -- memcpy(dest, (void *)sechdrs[i].sh_addr,
32840 -- sechdrs[i].sh_size);
32841 -+ if (sechdrs[i].sh_type != SHT_NOBITS) {
32842 -+
32843 -+#ifdef CONFIG_PAX_KERNEXEC
32844 -+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
32845 -+ pax_open_kernel(cr0);
32846 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
32847 -+ pax_close_kernel(cr0);
32848 -+ } else
32849 -+#endif
32850 -+
32851 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
32852 -+ }
32853 - /* Update sh_addr to point to copy in image. */
32854 -- sechdrs[i].sh_addr = (unsigned long)dest;
32855 -+
32856 -+#ifdef CONFIG_PAX_KERNEXEC
32857 -+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
32858 -+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
32859 -+ else
32860 -+#endif
32861 -+
32862 -+ sechdrs[i].sh_addr = (unsigned long)dest;
32863 - DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
32864 - }
32865 - /* Module has been moved. */
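Review bot: the `|| !(sechdrs[i].sh_flags & SHF_ALLOC)` part of both destination conditions is dead code, because `if (!(sechdrs[i].sh_flags & SHF_ALLOC)) continue;` at the top of the loop already skipped non-alloc sections; the remaining rule is simply `SHF_WRITE`, and a helper returning the base pointer for a section would shorten the block considerably. Also, under KERNEXEC only `SHF_EXECINSTR` sections get `sh_addr = ktva_ktla(dest)`, while non-executable read-only sections placed in the same rx region keep the untranslated address; if that asymmetry is intentional, say so in a comment, since a reader will expect every rx section to be handled alike.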
32866 -@@ -2009,12 +2138,12 @@ static struct module *load_module(void _
32867 - * Do it before processing of module parameters, so the module
32868 - * can provide parameter accessor functions of its own.
32869 - */
32870 -- if (mod->module_init)
32871 -- flush_icache_range((unsigned long)mod->module_init,
32872 -- (unsigned long)mod->module_init
32873 -- + mod->init_size);
32874 -- flush_icache_range((unsigned long)mod->module_core,
32875 -- (unsigned long)mod->module_core + mod->core_size);
32876 -+ if (mod->module_init_rx)
32877 -+ flush_icache_range((unsigned long)mod->module_init_rx,
32878 -+ (unsigned long)mod->module_init_rx
32879 -+ + mod->init_size_rx);
32880 -+ flush_icache_range((unsigned long)mod->module_core_rx,
32881 -+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
32882 -
32883 - set_fs(old_fs);
32884 -
32885 -@@ -2058,9 +2187,13 @@ static struct module *load_module(void _
32886 - module_arch_cleanup(mod);
32887 - cleanup:
32888 - module_unload_free(mod);
32889 -- module_free(mod, mod->module_init);
32890 -- free_core:
32891 -- module_free(mod, mod->module_core);
32892 -+ module_free_exec(mod, mod->module_init_rx);
32893 -+ free_core_rx:
32894 -+ module_free_exec(mod, mod->module_core_rx);
32895 -+ free_init_rw:
32896 -+ module_free(mod, mod->module_init_rw);
32897 -+ free_core_rw:
32898 -+ module_free(mod, mod->module_core_rw);
32899 - free_percpu:
32900 - if (percpu)
32901 - percpu_modfree(percpu);
32902 -@@ -2096,6 +2229,9 @@ sys_init_module(void __user *umod,
32903 - struct module *mod;
32904 - int ret = 0;
32905 -
32906 -+ if (gr_check_modstop())
32907 -+ return -EPERM;
32908 -+
32909 - /* Must have permission */
32910 - if (!capable(CAP_SYS_MODULE))
32911 - return -EPERM;
32912 -@@ -2142,10 +2278,12 @@ sys_init_module(void __user *umod,
32913 - /* Drop initial reference. */
32914 - module_put(mod);
32915 - unwind_remove_table(mod->unwind_info, 1);
32916 -- module_free(mod, mod->module_init);
32917 -- mod->module_init = NULL;
32918 -- mod->init_size = 0;
32919 -- mod->init_text_size = 0;
32920 -+ module_free(mod, mod->module_init_rw);
32921 -+ module_free_exec(mod, mod->module_init_rx);
32922 -+ mod->module_init_rw = NULL;
32923 -+ mod->module_init_rx = NULL;
32924 -+ mod->init_size_rw = 0;
32925 -+ mod->init_size_rx = 0;
32926 - mutex_unlock(&module_mutex);
32927 -
32928 - return 0;
32929 -@@ -2153,6 +2291,13 @@ sys_init_module(void __user *umod,
32930 -
32931 - static inline int within(unsigned long addr, void *start, unsigned long size)
32932 - {
32933 -+
32934 -+#ifdef CONFIG_PAX_KERNEXEC
32935 -+ if (ktla_ktva(addr) >= (unsigned long)start &&
32936 -+ ktla_ktva(addr) < (unsigned long)start + size)
32937 -+ return 1;
32938 -+#endif
32939 -+
32940 - return ((void *)addr >= start && (void *)addr < start + size);
32941 - }
32942 -
32943 -@@ -2176,10 +2321,14 @@ static const char *get_ksymbol(struct mo
32944 - unsigned long nextval;
32945 -
32946 - /* At worse, next value is at end of module */
32947 -- if (within(addr, mod->module_init, mod->init_size))
32948 -- nextval = (unsigned long)mod->module_init+mod->init_text_size;
32949 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx))
32950 -+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
32951 -+ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
32952 -+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
32953 -+ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
32954 -+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
32955 - else
32956 -- nextval = (unsigned long)mod->module_core+mod->core_text_size;
32957 -+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
32958 -
32959 - /* Scan for closest preceeding symbol, and next symbol. (ELF
32960 - starts real symbols at 1). */
32961 -@@ -2225,8 +2374,10 @@ const char *module_address_lookup(unsign
32962 -
32963 - preempt_disable();
32964 - list_for_each_entry(mod, &modules, list) {
32965 -- if (within(addr, mod->module_init, mod->init_size)
32966 -- || within(addr, mod->module_core, mod->core_size)) {
32967 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32968 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32969 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32970 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32971 - if (modname)
32972 - *modname = mod->name;
32973 - ret = get_ksymbol(mod, addr, size, offset);
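Review bot: the four `within()` tests over `module_init_rx`, `module_init_rw`, `module_core_rx` and `module_core_rw` are repeated verbatim here in module_address_lookup() and in the two lookup functions that follow; a `static int within_module(struct module *mod, unsigned long addr)` helper (hypothetical name) would replace twelve lines with three calls and make it impossible for one site to miss a region.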
32974 -@@ -2243,8 +2394,10 @@ int lookup_module_symbol_name(unsigned l
32975 -
32976 - preempt_disable();
32977 - list_for_each_entry(mod, &modules, list) {
32978 -- if (within(addr, mod->module_init, mod->init_size) ||
32979 -- within(addr, mod->module_core, mod->core_size)) {
32980 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32981 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32982 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32983 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32984 - const char *sym;
32985 -
32986 - sym = get_ksymbol(mod, addr, NULL, NULL);
32987 -@@ -2267,8 +2420,10 @@ int lookup_module_symbol_attrs(unsigned
32988 -
32989 - preempt_disable();
32990 - list_for_each_entry(mod, &modules, list) {
32991 -- if (within(addr, mod->module_init, mod->init_size) ||
32992 -- within(addr, mod->module_core, mod->core_size)) {
32993 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
32994 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
32995 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
32996 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
32997 - const char *sym;
32998 -
32999 - sym = get_ksymbol(mod, addr, size, offset);
33000 -@@ -2390,7 +2545,7 @@ static int m_show(struct seq_file *m, vo
33001 - char buf[8];
33002 -
33003 - seq_printf(m, "%s %lu",
33004 -- mod->name, mod->init_size + mod->core_size);
33005 -+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
33006 - print_unload_info(m, mod);
33007 -
33008 - /* Informative for users. */
33009 -@@ -2399,7 +2554,7 @@ static int m_show(struct seq_file *m, vo
33010 - mod->state == MODULE_STATE_COMING ? "Loading":
33011 - "Live");
33012 - /* Used by oprofile and other similar tools. */
33013 -- seq_printf(m, " 0x%p", mod->module_core);
33014 -+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
33015 -
33016 - /* Taints info */
33017 - if (mod->taints)
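Review bot: printing `" 0x%p 0x%p"` with both `module_core_rx` and `module_core_rw` changes the /proc/modules line format from one address field to two, and the comment directly above says the field is used by oprofile and similar tools, so those parsers need checking. It also reports the executable core address, which is the kind of value address-space protections try to keep from unprivileged readers; if /proc/modules remains readable by unprivileged users in this configuration, consider printing 0 or omitting the rx address for them, consistent with the `kallsyms` and `config.gz` permission tightening elsewhere in this patch.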
33018 -@@ -2455,7 +2610,8 @@ int is_module_address(unsigned long addr
33019 - preempt_disable();
33020 -
33021 - list_for_each_entry(mod, &modules, list) {
33022 -- if (within(addr, mod->module_core, mod->core_size)) {
33023 -+ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
33024 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
33025 - preempt_enable();
33026 - return 1;
33027 - }
33028 -@@ -2473,8 +2629,8 @@ struct module *__module_text_address(uns
33029 - struct module *mod;
33030 -
33031 - list_for_each_entry(mod, &modules, list)
33032 -- if (within(addr, mod->module_init, mod->init_text_size)
33033 -- || within(addr, mod->module_core, mod->core_text_size))
33034 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx)
33035 -+ || within(addr, mod->module_core_rx, mod->core_size_rx))
33036 - return mod;
33037 - return NULL;
33038 - }
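Review bot: the replacement ranges in `__module_text_address()` are `init_size_rx` and `core_size_rx`, whereas the original deliberately used the narrower `init_text_size` and `core_text_size`. If the rx regions contain anything besides text (read-only data placed alongside code), addresses in that data will now resolve as module text; if the rx split is guaranteed to be text-only, a one-line comment at this site stating that would settle the question for the next reader.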
33039 -diff -urNp linux-2.6.24.4/kernel/mutex.c linux-2.6.24.4/kernel/mutex.c
33040 ---- linux-2.6.24.4/kernel/mutex.c 2008-03-24 14:49:18.000000000 -0400
33041 -+++ linux-2.6.24.4/kernel/mutex.c 2008-03-26 17:56:56.000000000 -0400
33042 -@@ -82,7 +82,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
33043 - *
33044 - * This function is similar to (but not equivalent to) down().
33045 - */
33046 --void inline fastcall __sched mutex_lock(struct mutex *lock)
33047 -+inline void fastcall __sched mutex_lock(struct mutex *lock)
33048 - {
33049 - might_sleep();
33050 - /*
33051 -diff -urNp linux-2.6.24.4/kernel/panic.c linux-2.6.24.4/kernel/panic.c
33052 ---- linux-2.6.24.4/kernel/panic.c 2008-03-24 14:49:18.000000000 -0400
33053 -+++ linux-2.6.24.4/kernel/panic.c 2008-03-26 17:56:56.000000000 -0400
33054 -@@ -20,6 +20,7 @@
33055 - #include <linux/kexec.h>
33056 - #include <linux/debug_locks.h>
33057 - #include <linux/random.h>
33058 -+#include <linux/kallsyms.h>
33059 -
33060 - int panic_on_oops;
33061 - int tainted;
33062 -@@ -299,6 +300,8 @@ void oops_exit(void)
33063 - */
33064 - void __stack_chk_fail(void)
33065 - {
33066 -+ print_symbol("stack corrupted in: %s\n", (unsigned long)__builtin_return_address(0));
33067 -+ dump_stack();
33068 - panic("stack-protector: Kernel stack is corrupted");
33069 - }
33070 - EXPORT_SYMBOL(__stack_chk_fail);
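Review bot: `dump_stack()` in `__stack_chk_fail()` walks frames after a canary mismatch has already been detected, so the unwinder may be reading corrupted frames; that is acceptable because `panic()` follows immediately, but a comment saying the trace is best-effort would help. The `print_symbol()` of `__builtin_return_address(0)` is the valuable part, since it names the function whose canary failed. Note that both lines are only reachable when the stack protector is actually compiled in, which depends on the Makefile hunk in this patch that moves `-fno-stack-protector` ahead of the arch Makefile include.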
33071 -diff -urNp linux-2.6.24.4/kernel/params.c linux-2.6.24.4/kernel/params.c
33072 ---- linux-2.6.24.4/kernel/params.c 2008-03-24 14:49:18.000000000 -0400
33073 -+++ linux-2.6.24.4/kernel/params.c 2008-03-26 17:56:56.000000000 -0400
33074 -@@ -272,7 +272,7 @@ static int param_array(const char *name,
33075 - unsigned int min, unsigned int max,
33076 - void *elem, int elemsize,
33077 - int (*set)(const char *, struct kernel_param *kp),
33078 -- int *num)
33079 -+ unsigned int *num)
33080 - {
33081 - int ret;
33082 - struct kernel_param kp;
33083 -diff -urNp linux-2.6.24.4/kernel/pid.c linux-2.6.24.4/kernel/pid.c
33084 ---- linux-2.6.24.4/kernel/pid.c 2008-03-24 14:49:18.000000000 -0400
33085 -+++ linux-2.6.24.4/kernel/pid.c 2008-03-26 17:56:56.000000000 -0400
33086 -@@ -35,6 +35,7 @@
33087 - #include <linux/pid_namespace.h>
33088 - #include <linux/init_task.h>
33089 - #include <linux/syscalls.h>
33090 -+#include <linux/grsecurity.h>
33091 -
33092 - #define pid_hashfn(nr, ns) \
33093 - hash_long((unsigned long)nr + (unsigned long)ns, pidhash_shift)
33094 -@@ -45,7 +46,7 @@ static struct kmem_cache *pid_ns_cachep;
33095 -
33096 - int pid_max = PID_MAX_DEFAULT;
33097 -
33098 --#define RESERVED_PIDS 300
33099 -+#define RESERVED_PIDS 500
33100 -
33101 - int pid_max_min = RESERVED_PIDS + 1;
33102 - int pid_max_max = PID_MAX_LIMIT;
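Review bot: raising `RESERVED_PIDS` from 300 to 500 carries no comment and no changelog entry explaining the choice of 500. It also moves `pid_max_min` (two lines below) from 301 to 501, so an administrator setting `kernel.pid_max` to a value the stock kernel accepted may now be rejected; document the rationale next to the define.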
33103 -@@ -375,7 +376,14 @@ struct task_struct * fastcall pid_task(s
33104 - struct task_struct *find_task_by_pid_type_ns(int type, int nr,
33105 - struct pid_namespace *ns)
33106 - {
33107 -- return pid_task(find_pid_ns(nr, ns), type);
33108 -+ struct task_struct *task;
33109 -+
33110 -+ task = pid_task(find_pid_ns(nr, ns), type);
33111 -+
33112 -+ if (gr_pid_is_chrooted(task))
33113 -+ return NULL;
33114 -+
33115 -+ return task;
33116 - }
33117 -
33118 - EXPORT_SYMBOL(find_task_by_pid_type_ns);
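Review bot: `gr_pid_is_chrooted(task)` is evaluated before `task` is checked for NULL, and `pid_task()` returns NULL when no task owns the pid; either `gr_pid_is_chrooted()` must tolerate a NULL argument or this function needs `if (!task) return NULL;` ahead of the hook. Separately, since this is the shared lookup helper, every caller is now chroot-filtered; the `sys_setpgid()` hunk later in this patch has to bypass it with a direct `pid_task(find_pid_ns(...))` call, which suggests the filter may belong at the call sites that need it rather than in the common helper.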
33119 -diff -urNp linux-2.6.24.4/kernel/posix-cpu-timers.c linux-2.6.24.4/kernel/posix-cpu-timers.c
33120 ---- linux-2.6.24.4/kernel/posix-cpu-timers.c 2008-03-24 14:49:18.000000000 -0400
33121 -+++ linux-2.6.24.4/kernel/posix-cpu-timers.c 2008-03-26 17:56:56.000000000 -0400
33122 -@@ -6,6 +6,7 @@
33123 - #include <linux/posix-timers.h>
33124 - #include <asm/uaccess.h>
33125 - #include <linux/errno.h>
33126 -+#include <linux/grsecurity.h>
33127 -
33128 - static int check_clock(const clockid_t which_clock)
33129 - {
33130 -@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
33131 - __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
33132 - return;
33133 - }
33134 -+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
33135 - if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
33136 - /*
33137 - * At the soft limit, send a SIGXCPU every second.
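Review bot: `gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1)` is placed after the hard-limit branch that sends SIGKILL and returns, so a process that exceeds `rlim_max` is killed without its CPU usage ever being reported to the learning hook. If learning is meant to capture the peak requirement, the call should come before the hard-limit check.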
33138 -diff -urNp linux-2.6.24.4/kernel/power/poweroff.c linux-2.6.24.4/kernel/power/poweroff.c
33139 ---- linux-2.6.24.4/kernel/power/poweroff.c 2008-03-24 14:49:18.000000000 -0400
33140 -+++ linux-2.6.24.4/kernel/power/poweroff.c 2008-03-26 17:56:56.000000000 -0400
33141 -@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
33142 - .enable_mask = SYSRQ_ENABLE_BOOT,
33143 - };
33144 -
33145 --static int pm_sysrq_init(void)
33146 -+static int __init pm_sysrq_init(void)
33147 - {
33148 - register_sysrq_key('o', &sysrq_poweroff_op);
33149 - return 0;
33150 -diff -urNp linux-2.6.24.4/kernel/printk.c linux-2.6.24.4/kernel/printk.c
33151 ---- linux-2.6.24.4/kernel/printk.c 2008-03-24 14:49:18.000000000 -0400
33152 -+++ linux-2.6.24.4/kernel/printk.c 2008-03-26 17:56:56.000000000 -0400
33153 -@@ -33,6 +33,7 @@
33154 - #include <linux/bootmem.h>
33155 - #include <linux/syscalls.h>
33156 - #include <linux/jiffies.h>
33157 -+#include <linux/grsecurity.h>
33158 -
33159 - #include <asm/uaccess.h>
33160 -
33161 -@@ -293,6 +294,11 @@ int do_syslog(int type, char __user *buf
33162 - char c;
33163 - int error = 0;
33164 -
33165 -+#ifdef CONFIG_GRKERNSEC_DMESG
33166 -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
33167 -+ return -EPERM;
33168 -+#endif
33169 -+
33170 - error = security_syslog(type);
33171 - if (error)
33172 - return error;
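Review bot: the `CONFIG_GRKERNSEC_DMESG` check returns `-EPERM` before `security_syslog(type)` runs and before `type` is examined, so with `grsec_enable_dmesg` set it denies every syslog(2) action to callers without CAP_SYS_ADMIN, and an LSM never sees the denied call. That is likely the intended hardening, but the denial is silent; consider logging it, and state in the Kconfig help that the option covers all syslog actions rather than only reading the buffer.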
33173 -diff -urNp linux-2.6.24.4/kernel/ptrace.c linux-2.6.24.4/kernel/ptrace.c
33174 ---- linux-2.6.24.4/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
33175 -+++ linux-2.6.24.4/kernel/ptrace.c 2008-03-26 17:56:56.000000000 -0400
33176 -@@ -20,6 +20,7 @@
33177 - #include <linux/signal.h>
33178 - #include <linux/audit.h>
33179 - #include <linux/pid_namespace.h>
33180 -+#include <linux/grsecurity.h>
33181 -
33182 - #include <asm/pgtable.h>
33183 - #include <asm/uaccess.h>
33184 -@@ -139,12 +140,12 @@ int __ptrace_may_attach(struct task_stru
33185 - (current->uid != task->uid) ||
33186 - (current->gid != task->egid) ||
33187 - (current->gid != task->sgid) ||
33188 -- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
33189 -+ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
33190 - return -EPERM;
33191 - smp_rmb();
33192 - if (task->mm)
33193 - dumpable = get_dumpable(task->mm);
33194 -- if (!dumpable && !capable(CAP_SYS_PTRACE))
33195 -+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
33196 - return -EPERM;
33197 -
33198 - return security_ptrace(current, task);
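Review bot: switching `capable(CAP_SYS_PTRACE)` to `capable_nolog()` in `__ptrace_may_attach()` changes more than logging if the grsecurity variant does not also set `PF_SUPERPRIV` on success the way `capable()` does; process accounting would then record privileged tracers differently. Confirm that `capable_nolog()` keeps that side effect, or note explicitly that it intentionally does not.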
33199 -@@ -203,7 +204,7 @@ repeat:
33200 - /* Go */
33201 - task->ptrace |= PT_PTRACED | ((task->real_parent != current)
33202 - ? PT_ATTACHED : 0);
33203 -- if (capable(CAP_SYS_PTRACE))
33204 -+ if (capable_nolog(CAP_SYS_PTRACE))
33205 - task->ptrace |= PT_PTRACE_CAP;
33206 -
33207 - __ptrace_link(task, current);
33208 -@@ -494,6 +495,11 @@ asmlinkage long sys_ptrace(long request,
33209 - if (ret < 0)
33210 - goto out_put_task_struct;
33211 -
33212 -+ if (gr_handle_ptrace(child, request)) {
33213 -+ ret = -EPERM;
33214 -+ goto out_put_task_struct;
33215 -+ }
33216 -+
33217 - ret = arch_ptrace(child, request, addr, data);
33218 - if (ret < 0)
33219 - goto out_put_task_struct;
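Review bot: `gr_handle_ptrace(child, request)` sits on the path that continues to `arch_ptrace()`, after an earlier check has already returned on error. Requests that leave `sys_ptrace()` before this point (attach and traceme are dispatched earlier in the stock function) never reach the hook; if the policy is meant to govern attaching, it needs a corresponding call on those paths, and the patch should say where that is done.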
33220 -diff -urNp linux-2.6.24.4/kernel/rcupdate.c linux-2.6.24.4/kernel/rcupdate.c
33221 ---- linux-2.6.24.4/kernel/rcupdate.c 2008-03-24 14:49:18.000000000 -0400
33222 -+++ linux-2.6.24.4/kernel/rcupdate.c 2008-03-26 17:56:56.000000000 -0400
33223 -@@ -70,11 +70,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
33224 - .cpumask = CPU_MASK_NONE,
33225 - };
33226 -
33227 --DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
33228 --DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
33229 -+DEFINE_PER_CPU(struct rcu_data, rcu_data);
33230 -+DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
33231 -
33232 - /* Fake initialization required by compiler */
33233 --static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
33234 -+static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
33235 - static int blimit = 10;
33236 - static int qhimark = 10000;
33237 - static int qlowmark = 100;
33238 -diff -urNp linux-2.6.24.4/kernel/relay.c linux-2.6.24.4/kernel/relay.c
33239 ---- linux-2.6.24.4/kernel/relay.c 2008-03-24 14:49:18.000000000 -0400
33240 -+++ linux-2.6.24.4/kernel/relay.c 2008-03-26 17:56:56.000000000 -0400
33241 -@@ -1141,7 +1141,7 @@ static int subbuf_splice_actor(struct fi
33242 - return 0;
33243 -
33244 - ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
33245 -- if (ret < 0 || ret < total_len)
33246 -+ if ((int)ret < 0 || ret < total_len)
33247 - return ret;
33248 -
33249 - if (read_start + ret == nonpad_end)
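Review bot: `(int)ret < 0` only makes sense if `ret` is an unsigned type, which is presumably why the original `ret < 0` warned as always-false. `splice_to_pipe()` returns `ssize_t`, so any truncation already happened at the assignment on the line above and the cast merely hides it; declaring `ret` as `ssize_t` (and casting once in the comparison with `total_len`) fixes the warning without discarding the sign or the upper bits on 64-bit.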
33250 -diff -urNp linux-2.6.24.4/kernel/resource.c linux-2.6.24.4/kernel/resource.c
33251 ---- linux-2.6.24.4/kernel/resource.c 2008-03-24 14:49:18.000000000 -0400
33252 -+++ linux-2.6.24.4/kernel/resource.c 2008-03-26 17:56:56.000000000 -0400
33253 -@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
33254 - {
33255 - struct proc_dir_entry *entry;
33256 -
33257 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33258 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
33259 -+ entry = create_proc_entry("ioports", S_IRUSR, NULL);
33260 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33261 -+ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
33262 -+#endif
33263 -+#else
33264 - entry = create_proc_entry("ioports", 0, NULL);
33265 -+#endif
33266 - if (entry)
33267 - entry->proc_fops = &proc_ioports_operations;
33268 -+
33269 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33270 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
33271 -+ entry = create_proc_entry("iomem", S_IRUSR, NULL);
33272 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33273 -+ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
33274 -+#endif
33275 -+#else
33276 - entry = create_proc_entry("iomem", 0, NULL);
33277 -+#endif
33278 - if (entry)
33279 - entry->proc_fops = &proc_iomem_operations;
33280 - return 0;
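Review bot: inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD`, the `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain has no `#else`, so if PROC_ADD is enabled without either sub-option, `entry` is uninitialized in the ioports block and still points at the ioports entry in the iomem block, whose `proc_fops` is then overwritten with `proc_iomem_operations`. Either add an `#else` that falls back to `create_proc_entry(..., 0, NULL)` or have Kconfig enforce that one of the two sub-options is selected; the block is also duplicated verbatim for both entries and wants a small helper.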
33281 -diff -urNp linux-2.6.24.4/kernel/sched.c linux-2.6.24.4/kernel/sched.c
33282 ---- linux-2.6.24.4/kernel/sched.c 2008-03-24 14:49:18.000000000 -0400
33283 -+++ linux-2.6.24.4/kernel/sched.c 2008-03-26 17:56:56.000000000 -0400
33284 -@@ -63,6 +63,7 @@
33285 - #include <linux/reciprocal_div.h>
33286 - #include <linux/unistd.h>
33287 - #include <linux/pagemap.h>
33288 -+#include <linux/grsecurity.h>
33289 -
33290 - #include <asm/tlb.h>
33291 - #include <asm/irq_regs.h>
33292 -@@ -3619,7 +3620,7 @@ pick_next_task(struct rq *rq, struct tas
33293 - asmlinkage void __sched schedule(void)
33294 - {
33295 - struct task_struct *prev, *next;
33296 -- long *switch_count;
33297 -+ unsigned long *switch_count;
33298 - struct rq *rq;
33299 - int cpu;
33300 -
33301 -@@ -4155,7 +4156,8 @@ asmlinkage long sys_nice(int increment)
33302 - if (nice > 19)
33303 - nice = 19;
33304 -
33305 -- if (increment < 0 && !can_nice(current, nice))
33306 -+ if (increment < 0 && (!can_nice(current, nice) ||
33307 -+ gr_handle_chroot_nice()))
33308 - return -EPERM;
33309 -
33310 - retval = security_task_setnice(current, nice);
33311 -@@ -5396,7 +5398,7 @@ static struct ctl_table sd_ctl_dir[] = {
33312 - .procname = "sched_domain",
33313 - .mode = 0555,
33314 - },
33315 -- {0, },
33316 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
33317 - };
33318 -
33319 - static struct ctl_table sd_ctl_root[] = {
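Review bot: replacing `{0, }` with the 11-field positional initializer `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` ties these terminators to the exact field count and order of `struct ctl_table`; any change to the struct either breaks the build or silently initializes the wrong member. The `pax_table[]` hunk in this same patch uses `{ .ctl_name = 0 }`, which silences the missing-initializer warning equally well; use that form here and in `sd_ctl_root[]` below.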
33320 -@@ -5406,7 +5408,7 @@ static struct ctl_table sd_ctl_root[] =
33321 - .mode = 0555,
33322 - .child = sd_ctl_dir,
33323 - },
33324 -- {0, },
33325 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
33326 - };
33327 -
33328 - static struct ctl_table *sd_alloc_ctl_entry(int n)
33329 -diff -urNp linux-2.6.24.4/kernel/signal.c linux-2.6.24.4/kernel/signal.c
33330 ---- linux-2.6.24.4/kernel/signal.c 2008-03-24 14:49:18.000000000 -0400
33331 -+++ linux-2.6.24.4/kernel/signal.c 2008-03-26 17:56:56.000000000 -0400
33332 -@@ -25,6 +25,7 @@
33333 - #include <linux/capability.h>
33334 - #include <linux/freezer.h>
33335 - #include <linux/pid_namespace.h>
33336 -+#include <linux/grsecurity.h>
33337 - #include <linux/nsproxy.h>
33338 -
33339 - #include <asm/param.h>
33340 -@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
33341 - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
33342 - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
33343 - && !capable(CAP_KILL))
33344 -- return error;
33345 -+ return error;
33346 -+ if (gr_handle_signal(t, sig))
33347 -+ return error;
33348 - }
33349 -
33350 - return security_task_kill(t, info, sig, 0);
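Review bot: the `return error;` line is removed and re-added with only its indentation changed, which is whitespace churn; keep just the `gr_handle_signal(t, sig)` addition. The hook itself sits inside the block that handles user-originated signals and returns the same `error` value as the uid check, which reads correctly.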
33351 -@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
33352 -
33353 - __setup("print-fatal-signals=", setup_print_fatal_signals);
33354 -
33355 --static int
33356 -+int
33357 - specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
33358 - {
33359 - int ret = 0;
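Review bot: dropping `static` from `specific_send_sig_info()` exports it to other compilation units (presumably the `grsecurity/` directory added to `core-y` in the Makefile hunk), but no prototype is added to a shared header anywhere in this patch, so callers will rely on a local `extern` that the compiler cannot check against this definition. Add the declaration to `include/linux/sched.h` or `include/linux/grsecurity.h`.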
33360 -@@ -811,8 +814,12 @@ force_sig_info(int sig, struct siginfo *
33361 - }
33362 - }
33363 - ret = specific_send_sig_info(sig, info, t);
33364 -+
33365 - spin_unlock_irqrestore(&t->sighand->siglock, flags);
33366 -
33367 -+ gr_log_signal(sig, t);
33368 -+ gr_handle_crash(t, sig);
33369 -+
33370 - return ret;
33371 - }
33372 -
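Review bot: `gr_log_signal(sig, t)` and `gr_handle_crash(t, sig)` run unconditionally after `siglock` is released, regardless of the `ret` from `specific_send_sig_info()`, so a failed delivery is still logged and still treated as a crash. If that is intended, a comment saying the hooks are deliberately independent of delivery would help; otherwise guard them on `!ret`. The added blank line before `spin_unlock_irqrestore()` is noise.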
33373 -diff -urNp linux-2.6.24.4/kernel/softirq.c linux-2.6.24.4/kernel/softirq.c
33374 ---- linux-2.6.24.4/kernel/softirq.c 2008-03-24 14:49:18.000000000 -0400
33375 -+++ linux-2.6.24.4/kernel/softirq.c 2008-03-26 17:56:56.000000000 -0400
33376 -@@ -467,9 +467,9 @@ void tasklet_kill(struct tasklet_struct
33377 - printk("Attempt to kill tasklet from interrupt\n");
33378 -
33379 - while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
33380 -- do
33381 -+ do {
33382 - yield();
33383 -- while (test_bit(TASKLET_STATE_SCHED, &t->state));
33384 -+ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
33385 - }
33386 - tasklet_unlock_wait(t);
33387 - clear_bit(TASKLET_STATE_SCHED, &t->state);
33388 -diff -urNp linux-2.6.24.4/kernel/sys.c linux-2.6.24.4/kernel/sys.c
33389 ---- linux-2.6.24.4/kernel/sys.c 2008-03-24 14:49:18.000000000 -0400
33390 -+++ linux-2.6.24.4/kernel/sys.c 2008-03-26 17:56:56.000000000 -0400
33391 -@@ -33,6 +33,7 @@
33392 - #include <linux/task_io_accounting_ops.h>
33393 - #include <linux/seccomp.h>
33394 - #include <linux/cpu.h>
33395 -+#include <linux/grsecurity.h>
33396 -
33397 - #include <linux/compat.h>
33398 - #include <linux/syscalls.h>
33399 -@@ -119,6 +120,12 @@ static int set_one_prio(struct task_stru
33400 - error = -EACCES;
33401 - goto out;
33402 - }
33403 -+
33404 -+ if (gr_handle_chroot_setpriority(p, niceval)) {
33405 -+ error = -EACCES;
33406 -+ goto out;
33407 -+ }
33408 -+
33409 - no_nice = security_task_setnice(p, niceval);
33410 - if (no_nice) {
33411 - error = no_nice;
33412 -@@ -175,10 +182,10 @@ asmlinkage long sys_setpriority(int whic
33413 - if ((who != current->uid) && !(user = find_user(who)))
33414 - goto out_unlock; /* No processes for this user */
33415 -
33416 -- do_each_thread(g, p)
33417 -+ do_each_thread(g, p) {
33418 - if (p->uid == who)
33419 - error = set_one_prio(p, niceval, error);
33420 -- while_each_thread(g, p);
33421 -+ } while_each_thread(g, p);
33422 - if (who != current->uid)
33423 - free_uid(user); /* For find_user() */
33424 - break;
33425 -@@ -237,13 +244,13 @@ asmlinkage long sys_getpriority(int whic
33426 - if ((who != current->uid) && !(user = find_user(who)))
33427 - goto out_unlock; /* No processes for this user */
33428 -
33429 -- do_each_thread(g, p)
33430 -+ do_each_thread(g, p) {
33431 - if (p->uid == who) {
33432 - niceval = 20 - task_nice(p);
33433 - if (niceval > retval)
33434 - retval = niceval;
33435 - }
33436 -- while_each_thread(g, p);
33437 -+ } while_each_thread(g, p);
33438 - if (who != current->uid)
33439 - free_uid(user); /* for find_user() */
33440 - break;
33441 -@@ -515,6 +522,9 @@ asmlinkage long sys_setregid(gid_t rgid,
33442 - if (rgid != (gid_t) -1 ||
33443 - (egid != (gid_t) -1 && egid != old_rgid))
33444 - current->sgid = new_egid;
33445 -+
33446 -+ gr_set_role_label(current, current->uid, new_rgid);
33447 -+
33448 - current->fsgid = new_egid;
33449 - current->egid = new_egid;
33450 - current->gid = new_rgid;
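Review bot: `gr_set_role_label(current, current->uid, new_rgid)` in `sys_setregid()` is called on every invocation, including calls where the real gid does not change, whereas the `sys_setresgid()` hunk later in this patch only calls it when `rgid != (gid_t) -1`. Make the two sites consistent, either by guarding this call on the gid actually changing or by documenting that the hook is idempotent and cheap.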
33451 -@@ -542,6 +552,9 @@ asmlinkage long sys_setgid(gid_t gid)
33452 - set_dumpable(current->mm, suid_dumpable);
33453 - smp_wmb();
33454 - }
33455 -+
33456 -+ gr_set_role_label(current, current->uid, gid);
33457 -+
33458 - current->gid = current->egid = current->sgid = current->fsgid = gid;
33459 - } else if ((gid == current->gid) || (gid == current->sgid)) {
33460 - if (old_egid != gid) {
33461 -@@ -579,6 +592,9 @@ static int set_user(uid_t new_ruid, int
33462 - set_dumpable(current->mm, suid_dumpable);
33463 - smp_wmb();
33464 - }
33465 -+
33466 -+ gr_set_role_label(current, new_ruid, current->gid);
33467 -+
33468 - current->uid = new_ruid;
33469 - return 0;
33470 - }
33471 -@@ -681,6 +697,9 @@ asmlinkage long sys_setuid(uid_t uid)
33472 - } else if ((uid != current->uid) && (uid != new_suid))
33473 - return -EPERM;
33474 -
33475 -+ if (gr_check_crash_uid(uid))
33476 -+ return -EPERM;
33477 -+
33478 - if (old_euid != uid) {
33479 - set_dumpable(current->mm, suid_dumpable);
33480 - smp_wmb();
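Review bot: `gr_check_crash_uid(uid)` gates only `sys_setuid()` here; `sys_setreuid()` and `sys_setresuid()` can switch to the same uid and are not touched in this patch (the `set_user()` hunk above only adds the role-label call). If the crash-uid ban is meant to stop a process from becoming a banned uid, those entry points need the same check, and the patch description should list which calls of the setuid family are covered.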
33481 -@@ -783,8 +802,10 @@ asmlinkage long sys_setresgid(gid_t rgid
33482 - current->egid = egid;
33483 - }
33484 - current->fsgid = current->egid;
33485 -- if (rgid != (gid_t) -1)
33486 -+ if (rgid != (gid_t) -1) {
33487 -+ gr_set_role_label(current, current->uid, rgid);
33488 - current->gid = rgid;
33489 -+ }
33490 - if (sgid != (gid_t) -1)
33491 - current->sgid = sgid;
33492 -
33493 -@@ -934,7 +955,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
33494 - write_lock_irq(&tasklist_lock);
33495 -
33496 - err = -ESRCH;
33497 -- p = find_task_by_pid_ns(pid, ns);
33498 -+ /* grsec: replaced find_task_by_pid_ns with equivalent call which
33499 -+ lacks the chroot restriction
33500 -+ */
33501 -+ p = pid_task(find_pid_ns(pid, ns), PIDTYPE_PID);
33502 - if (!p)
33503 - goto out;
33504 -
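Review bot: the comment explains what the replacement does (`pid_task(find_pid_ns(pid, ns), PIDTYPE_PID)` without the chroot filter) but not why `sys_setpgid()` should be exempt from a restriction that every other `find_task_by_pid_ns()` caller now inherits. State the reason (for example which legitimate chrooted workload broke) so the exemption is not quietly reverted by someone normalizing the call sites.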
33505 -@@ -1662,7 +1686,7 @@ asmlinkage long sys_prctl(int option, un
33506 - error = get_dumpable(current->mm);
33507 - break;
33508 - case PR_SET_DUMPABLE:
33509 -- if (arg2 < 0 || arg2 > 1) {
33510 -+ if (arg2 > 1) {
33511 - error = -EINVAL;
33512 - break;
33513 - }
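Review bot: dropping `arg2 < 0` from the `PR_SET_DUMPABLE` check is behaviour-neutral, since `arg2` is `unsigned long` and the comparison could never be true; it is fine as a warning fix but unrelated to the security changes around it and would be easier to review as a separate cleanup.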
33514 -diff -urNp linux-2.6.24.4/kernel/sysctl.c linux-2.6.24.4/kernel/sysctl.c
33515 ---- linux-2.6.24.4/kernel/sysctl.c 2008-03-24 14:49:18.000000000 -0400
33516 -+++ linux-2.6.24.4/kernel/sysctl.c 2008-03-26 17:56:56.000000000 -0400
33517 -@@ -58,6 +58,13 @@
33518 - static int deprecated_sysctl_warning(struct __sysctl_args *args);
33519 -
33520 - #if defined(CONFIG_SYSCTL)
33521 -+#include <linux/grsecurity.h>
33522 -+#include <linux/grinternal.h>
33523 -+
33524 -+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
33525 -+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
33526 -+ const int op);
33527 -+extern int gr_handle_chroot_sysctl(const int op);
33528 -
33529 - /* External variables not in a header file. */
33530 - extern int C_A_D;
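Review bot: the three `extern` prototypes for `gr_handle_sysctl()`, `gr_handle_sysctl_mod()` and `gr_handle_chroot_sysctl()` are declared in sysctl.c directly after `#include <linux/grsecurity.h>`, which is where they belong; a prototype in a .c file cannot be checked against the definition in `grsecurity/`. Move them into the header and drop the local copies. Note also that the include sits inside `#if defined(CONFIG_SYSCTL)`, which no other file in this patch does.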
33531 -@@ -154,10 +161,11 @@ static int proc_do_cad_pid(struct ctl_ta
33532 - static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
33533 - void __user *buffer, size_t *lenp, loff_t *ppos);
33534 - #endif
33535 -+extern ctl_table grsecurity_table[];
33536 -
33537 - static struct ctl_table root_table[];
33538 - static struct ctl_table_header root_table_header =
33539 -- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
33540 -+ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
33541 -
33542 - static struct ctl_table kern_table[];
33543 - static struct ctl_table vm_table[];
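Review bot: `{ root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL }` is a positional initializer for `struct ctl_table_header` with the same fragility as the `ctl_table` terminators elsewhere in the patch; use designated fields (`.ctl_entry = ...` and so on). The `extern ctl_table grsecurity_table[];` added just above is unconditional, while its only use is under `#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)` in the `kern_table[]` hunk; wrap the declaration in the same condition or move it to the header.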
33544 -@@ -173,6 +181,21 @@ extern struct ctl_table inotify_table[];
33545 - int sysctl_legacy_va_layout;
33546 - #endif
33547 -
33548 -+#ifdef CONFIG_PAX_SOFTMODE
33549 -+static ctl_table pax_table[] = {
33550 -+ {
33551 -+ .ctl_name = CTL_UNNUMBERED,
33552 -+ .procname = "softmode",
33553 -+ .data = &pax_softmode,
33554 -+ .maxlen = sizeof(unsigned int),
33555 -+ .mode = 0600,
33556 -+ .proc_handler = &proc_dointvec,
33557 -+ },
33558 -+
33559 -+ { .ctl_name = 0 }
33560 -+};
33561 -+#endif
33562 -+
33563 - extern int prove_locking;
33564 - extern int lock_stat;
33565 -
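Review bot: `pax_softmode` is referenced by `pax_table[]` but no declaration for it is visible in this file; make sure `<linux/grsecurity.h>` or another included header provides it. The entry uses `proc_dointvec`, which accepts any integer, for what is a boolean switch; `proc_dointvec_minmax` with `extra1`/`extra2` bounding it to 0..1 would reject nonsense values. Mode 0600 on the leaf plus 0500 on the `pax` directory in the next hunk means non-root cannot even read the current softmode state; fine if intended, but worth a sentence in the Kconfig help.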
33566 -@@ -217,6 +240,16 @@ static struct ctl_table root_table[] = {
33567 - .mode = 0555,
33568 - .child = dev_table,
33569 - },
33570 -+
33571 -+#ifdef CONFIG_PAX_SOFTMODE
33572 -+ {
33573 -+ .ctl_name = CTL_UNNUMBERED,
33574 -+ .procname = "pax",
33575 -+ .mode = 0500,
33576 -+ .child = pax_table,
33577 -+ },
33578 -+#endif
33579 -+
33580 - /*
33581 - * NOTE: do not add new entries to this table unless you have read
33582 - * Documentation/sysctl/ctl_unnumbered.txt
33583 -@@ -775,6 +808,14 @@ static struct ctl_table kern_table[] = {
33584 - .proc_handler = &proc_dostring,
33585 - .strategy = &sysctl_string,
33586 - },
33587 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
33588 -+ {
33589 -+ .ctl_name = CTL_UNNUMBERED,
33590 -+ .procname = "grsecurity",
33591 -+ .mode = 0500,
33592 -+ .child = grsecurity_table,
33593 -+ },
33594 -+#endif
33595 - /*
33596 - * NOTE: do not add new entries to this table unless you have read
33597 - * Documentation/sysctl/ctl_unnumbered.txt
33598 -@@ -1394,6 +1435,25 @@ static int test_perm(int mode, int op)
33599 - int sysctl_perm(struct ctl_table *table, int op)
33600 - {
33601 - int error;
33602 -+ if (table->parent != NULL && table->parent->procname != NULL &&
33603 -+ table->procname != NULL &&
33604 -+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
33605 -+ return -EACCES;
33606 -+ if (gr_handle_chroot_sysctl(op))
33607 -+ return -EACCES;
33608 -+ error = gr_handle_sysctl(table, op);
33609 -+ if (error)
33610 -+ return error;
33611 -+ error = security_sysctl(table, op);
33612 -+ if (error)
33613 -+ return error;
33614 -+ return test_perm(table->mode, op);
33615 -+}
33616 -+
33617 -+int sysctl_perm_nochk(ctl_table *table, int op)
33618 -+{
33619 -+ int error;
33620 -+
33621 - error = security_sysctl(table, op);
33622 - if (error)
33623 - return error;
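Review bot: `sysctl_perm()` and the new `sysctl_perm_nochk()` now both end with the identical `security_sysctl()` then `test_perm()` sequence; have `sysctl_perm()` run the grsecurity checks and then `return sysctl_perm_nochk(table, op);` so the two cannot drift apart. `sysctl_perm_nochk()` is also non-static with no prototype in a header. The guard `table->parent != NULL && table->parent->procname != NULL && table->procname != NULL` means root-level or unnamed entries skip `gr_handle_sysctl_mod()` entirely; if that is by design, say so in a comment.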
33624 -@@ -1418,13 +1478,14 @@ repeat:
33625 - if (n == table->ctl_name) {
33626 - int error;
33627 - if (table->child) {
33628 -- if (sysctl_perm(table, 001))
33629 -+ if (sysctl_perm_nochk(table, 001))
33630 - return -EPERM;
33631 - name++;
33632 - nlen--;
33633 - table = table->child;
33634 - goto repeat;
33635 - }
33636 -+
33637 - error = do_sysctl_strategy(table, name, nlen,
33638 - oldval, oldlenp,
33639 - newval, newlen);
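Review bot: using `sysctl_perm_nochk()` for the `table->child` traversal in `parse_table()` means the binary sysctl(2) walk applies the grsecurity checks only at the leaf entry, not at intermediate directory tables, so `gr_handle_chroot_sysctl(op)` in particular runs once per lookup rather than per level. That is presumably the intent (avoid repeated logging on each path component), but document it, and confirm the /proc/sys path still goes through the full `sysctl_perm()`. The extra blank line before `do_sysctl_strategy()` is stray.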
33640 -diff -urNp linux-2.6.24.4/kernel/time.c linux-2.6.24.4/kernel/time.c
33641 ---- linux-2.6.24.4/kernel/time.c 2008-03-24 14:49:18.000000000 -0400
33642 -+++ linux-2.6.24.4/kernel/time.c 2008-03-26 17:56:56.000000000 -0400
33643 -@@ -35,6 +35,7 @@
33644 - #include <linux/syscalls.h>
33645 - #include <linux/security.h>
33646 - #include <linux/fs.h>
33647 -+#include <linux/grsecurity.h>
33648 -
33649 - #include <asm/uaccess.h>
33650 - #include <asm/unistd.h>
33651 -@@ -88,6 +89,9 @@ asmlinkage long sys_stime(time_t __user
33652 - return err;
33653 -
33654 - do_settimeofday(&tv);
33655 -+
33656 -+ gr_log_timechange();
33657 -+
33658 - return 0;
33659 - }
33660 -
33661 -@@ -194,6 +198,8 @@ asmlinkage long sys_settimeofday(struct
33662 - return -EFAULT;
33663 - }
33664 -
33665 -+ gr_log_timechange();
33666 -+
33667 - return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
33668 - }
33669 -
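Review bot: `gr_log_timechange()` in `sys_settimeofday()` is called before `do_sys_settimeofday()`, which is where the capability check and the actual change happen, so a rejected attempt is logged as a time change even though nothing changed. The `sys_stime()` hunk just above logs after `do_settimeofday()` has run; make this site consistent by logging on the success path, or rename the hook to reflect that it records attempts.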
33670 -@@ -232,7 +238,7 @@ EXPORT_SYMBOL(current_fs_time);
33671 - * Avoid unnecessary multiplications/divisions in the
33672 - * two most common HZ cases:
33673 - */
33674 --unsigned int inline jiffies_to_msecs(const unsigned long j)
33675 -+inline unsigned int jiffies_to_msecs(const unsigned long j)
33676 - {
33677 - #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
33678 - return (MSEC_PER_SEC / HZ) * j;
33679 -@@ -244,7 +250,7 @@ unsigned int inline jiffies_to_msecs(con
33680 - }
33681 - EXPORT_SYMBOL(jiffies_to_msecs);
33682 -
33683 --unsigned int inline jiffies_to_usecs(const unsigned long j)
33684 -+inline unsigned int jiffies_to_usecs(const unsigned long j)
33685 - {
33686 - #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
33687 - return (USEC_PER_SEC / HZ) * j;
33688 -diff -urNp linux-2.6.24.4/kernel/utsname_sysctl.c linux-2.6.24.4/kernel/utsname_sysctl.c
33689 ---- linux-2.6.24.4/kernel/utsname_sysctl.c 2008-03-24 14:49:18.000000000 -0400
33690 -+++ linux-2.6.24.4/kernel/utsname_sysctl.c 2008-03-26 17:56:56.000000000 -0400
33691 -@@ -125,7 +125,7 @@ static struct ctl_table uts_kern_table[]
33692 - .proc_handler = proc_do_uts_string,
33693 - .strategy = sysctl_uts_string,
33694 - },
33695 -- {}
33696 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
33697 - };
33698 -
33699 - static struct ctl_table uts_root_table[] = {
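Review bot: the 11-field positional terminator `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` in `uts_kern_table[]` (and in `uts_root_table[]` below) depends on the exact layout of `struct ctl_table`; `{ .ctl_name = 0 }`, which this patch already uses in `pax_table[]`, silences the same warning without that coupling.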
33700 -@@ -135,7 +135,7 @@ static struct ctl_table uts_root_table[]
33701 - .mode = 0555,
33702 - .child = uts_kern_table,
33703 - },
33704 -- {}
33705 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
33706 - };
33707 -
33708 - static int __init utsname_sysctl_init(void)
33709 -diff -urNp linux-2.6.24.4/lib/radix-tree.c linux-2.6.24.4/lib/radix-tree.c
33710 ---- linux-2.6.24.4/lib/radix-tree.c 2008-03-24 14:49:18.000000000 -0400
33711 -+++ linux-2.6.24.4/lib/radix-tree.c 2008-03-26 17:56:56.000000000 -0400
33712 -@@ -81,7 +81,7 @@ struct radix_tree_preload {
33713 - int nr;
33714 - struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
33715 - };
33716 --DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
33717 -+DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
33718 -
33719 - static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
33720 - {
33721 -diff -urNp linux-2.6.24.4/localversion-grsec linux-2.6.24.4/localversion-grsec
33722 ---- linux-2.6.24.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
33723 -+++ linux-2.6.24.4/localversion-grsec 2008-03-26 17:56:56.000000000 -0400
33724 -@@ -0,0 +1 @@
33725 -+-grsec
33726 -diff -urNp linux-2.6.24.4/Makefile linux-2.6.24.4/Makefile
33727 ---- linux-2.6.24.4/Makefile 2008-03-24 14:49:18.000000000 -0400
33728 -+++ linux-2.6.24.4/Makefile 2008-03-26 17:56:55.000000000 -0400
33729 -@@ -214,7 +214,7 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
33730 -
33731 - HOSTCC = gcc
33732 - HOSTCXX = g++
33733 --HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
33734 -+HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
33735 - HOSTCXXFLAGS = -O2
33736 -
33737 - # Decide whether to build built-in, modular, or both.
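Review bot: adding `-W` to `HOSTCFLAGS` and immediately muting it with `-Wno-unused -Wno-sign-compare` gives the host tools a warning set that differs from the kernel's own, with no note on what the extra warnings caught or why these two were excluded. This is build-flag churn unrelated to the security changes; split it out or explain it in the changelog.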
33738 -@@ -507,6 +507,9 @@ else
33739 - KBUILD_CFLAGS += -O2
33740 - endif
33741 -
33742 -+# Force gcc to behave correct even for buggy distributions
33743 -+KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
33744 -+
33745 - include $(srctree)/arch/$(SRCARCH)/Makefile
33746 -
33747 - ifdef CONFIG_FRAME_POINTER
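Review bot: moving `KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)` ahead of `include $(srctree)/arch/$(SRCARCH)/Makefile` reverses which flag wins: an arch Makefile that appends `-fstack-protector` now comes later on the command line and takes effect, whereas before the global `-fno-stack-protector` overrode it. That is the substantive change here and it is what makes the `__stack_chk_fail()` diagnostics added in kernel/panic.c reachable; the retained comment `Force gcc to behave correct even for buggy distributions` no longer describes the purpose and should say that the arch Makefile may re-enable the protector after this point.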
33748 -@@ -520,9 +523,6 @@ KBUILD_CFLAGS += -g
33749 - KBUILD_AFLAGS += -gdwarf-2
33750 - endif
33751 -
33752 --# Force gcc to behave correct even for buggy distributions
33753 --KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
33754 --
33755 - # arch Makefile may override CC so keep this after arch Makefile is included
33756 - NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
33757 - CHECKFLAGS += $(NOSTDINC_FLAGS)
33758 -@@ -597,7 +597,7 @@ export mod_strip_cmd
33759 -
33760 -
33761 - ifeq ($(KBUILD_EXTMOD),)
33762 --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
33763 -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
33764 -
33765 - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
33766 - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
33767 -diff -urNp linux-2.6.24.4/mm/filemap.c linux-2.6.24.4/mm/filemap.c
33768 ---- linux-2.6.24.4/mm/filemap.c 2008-03-24 14:49:18.000000000 -0400
33769 -+++ linux-2.6.24.4/mm/filemap.c 2008-03-26 17:56:56.000000000 -0400
33770 -@@ -33,6 +33,7 @@
33771 - #include <linux/syscalls.h>
33772 - #include <linux/cpuset.h>
33773 - #include <linux/hardirq.h> /* for BUG_ON(!in_atomic()) only */
33774 -+#include <linux/grsecurity.h>
33775 - #include "internal.h"
33776 -
33777 - /*
33778 -@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
33779 - struct address_space *mapping = file->f_mapping;
33780 -
33781 - if (!mapping->a_ops->readpage)
33782 -- return -ENOEXEC;
33783 -+ return -ENODEV;
33784 - file_accessed(file);
33785 - vma->vm_ops = &generic_file_vm_ops;
33786 - vma->vm_flags |= VM_CAN_NONLINEAR;
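Review bot: changing the `generic_file_mmap()` failure from `-ENOEXEC` to `-ENODEV` when `a_ops->readpage` is absent alters a user-visible errno. `ENODEV` is the value mmap(2) documents for a file that does not support mapping, so the new value is arguably more correct, but it is a userspace-visible change with no PaX or grsecurity rationale nearby and should be called out in the changelog or sent upstream separately.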
33787 -@@ -1810,6 +1811,7 @@ inline int generic_write_checks(struct f
33788 - *pos = i_size_read(inode);
33789 -
33790 - if (limit != RLIM_INFINITY) {
33791 -+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
33792 - if (*pos >= limit) {
33793 - send_sig(SIGXFSZ, current, 0);
33794 - return -EFBIG;
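Review bot: `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0)` records `*pos`, the start offset of the write, but the limit checked on the next line governs how far the file may grow, that is `*pos` plus the write length; learning the start offset underestimates the needed `RLIMIT_FSIZE` by up to one write. The call also only runs inside `if (limit != RLIM_INFINITY)`, so processes with no limit set are never learned. Minor: missing space after the comma in `RLIMIT_FSIZE,*pos`.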
33795 -diff -urNp linux-2.6.24.4/mm/fremap.c linux-2.6.24.4/mm/fremap.c
33796 ---- linux-2.6.24.4/mm/fremap.c 2008-03-24 14:49:18.000000000 -0400
33797 -+++ linux-2.6.24.4/mm/fremap.c 2008-03-26 17:56:56.000000000 -0400
33798 -@@ -150,6 +150,13 @@ asmlinkage long sys_remap_file_pages(uns
33799 - retry:
33800 - vma = find_vma(mm, start);
33801 -
33802 -+#ifdef CONFIG_PAX_SEGMEXEC
33803 -+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
33804 -+ up_read(&mm->mmap_sem);
33805 -+ return err;
33806 -+ }
33807 -+#endif
33808 -+
33809 - /*
33810 - * Make sure the vma is shared, that it supports prefaulting,
33811 - * and that the remapped range is valid and fully within
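Review bot: the `CONFIG_PAX_SEGMEXEC` early exit in `sys_remap_file_pages()` returns `err` without assigning it, so the caller receives whatever the variable holds at that point rather than an errno chosen for this refusal; set it explicitly (`err = -EINVAL;` or whichever value the mirroring code expects) before `up_read(&mm->mmap_sem)`. A short comment on why a `VM_MAYEXEC` mapping cannot be nonlinearly remapped under SEGMEXEC (presumably because the exec mirror cannot follow a rearranged page layout) would save the next reader a trip to the PaX documentation.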
33812 -diff -urNp linux-2.6.24.4/mm/hugetlb.c linux-2.6.24.4/mm/hugetlb.c
33813 ---- linux-2.6.24.4/mm/hugetlb.c 2008-03-24 14:49:18.000000000 -0400
33814 -+++ linux-2.6.24.4/mm/hugetlb.c 2008-03-26 17:56:56.000000000 -0400
33815 -@@ -797,6 +797,26 @@ void unmap_hugepage_range(struct vm_area
33816 - }
33817 - }
33818 -
33819 -+#ifdef CONFIG_PAX_SEGMEXEC
33820 -+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
33821 -+{
33822 -+ struct mm_struct *mm = vma->vm_mm;
33823 -+ struct vm_area_struct *vma_m;
33824 -+ unsigned long address_m;
33825 -+ pte_t *ptep_m;
33826 -+
33827 -+ vma_m = pax_find_mirror_vma(vma);
33828 -+ if (!vma_m)
33829 -+ return;
33830 -+
33831 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
33832 -+ address_m = address + SEGMEXEC_TASK_SIZE;
33833 -+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
33834 -+ get_page(page_m);
33835 -+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
33836 -+}
33837 -+#endif
33838 -+
33839 - static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
33840 - unsigned long address, pte_t *ptep, pte_t pte)
33841 - {
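Review bot: `pax_mirror_huge_pte()` passes the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` straight to `set_huge_pte_at()` without a NULL check, and `huge_pte_offset()` returns NULL when the page table for that address has not been populated. The `hugetlb_fault()` hunk below pre-allocates the mirror pte with `huge_pte_alloc()`, so the fault path is covered, but nothing in this function enforces that precondition; add `BUG_ON(!ptep_m)` or a comment stating the caller must have allocated it. The mirror pte is built with `make_huge_pte(vma_m, page_m, 0)`, i.e. read-only, which is the right shape for an exec-only mirror.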
33842 -@@ -830,6 +850,11 @@ static int hugetlb_cow(struct mm_struct
33843 - /* Break COW */
33844 - set_huge_pte_at(mm, address, ptep,
33845 - make_huge_pte(vma, new_page, 1));
33846 -+
33847 -+#ifdef CONFIG_PAX_SEGMEXEC
33848 -+ pax_mirror_huge_pte(vma, address, new_page);
33849 -+#endif
33850 -+
33851 - /* Make the old page be freed below */
33852 - new_page = old_page;
33853 - }
33854 -@@ -901,6 +926,10 @@ retry:
33855 - && (vma->vm_flags & VM_SHARED)));
33856 - set_huge_pte_at(mm, address, ptep, new_pte);
33857 -
33858 -+#ifdef CONFIG_PAX_SEGMEXEC
33859 -+ pax_mirror_huge_pte(vma, address, page);
33860 -+#endif
33861 -+
33862 - if (write_access && !(vma->vm_flags & VM_SHARED)) {
33863 - /* Optimization, do the COW without a second fault */
33864 - ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
33865 -@@ -926,6 +955,27 @@ int hugetlb_fault(struct mm_struct *mm,
33866 - int ret;
33867 - static DEFINE_MUTEX(hugetlb_instantiation_mutex);
33868 -
33869 -+#ifdef CONFIG_PAX_SEGMEXEC
33870 -+ struct vm_area_struct *vma_m;
33871 -+
33872 -+ vma_m = pax_find_mirror_vma(vma);
33873 -+ if (vma_m) {
33874 -+ unsigned long address_m;
33875 -+
33876 -+ if (vma->vm_start > vma_m->vm_start) {
33877 -+ address_m = address;
33878 -+ address -= SEGMEXEC_TASK_SIZE;
33879 -+ vma = vma_m;
33880 -+ } else
33881 -+ address_m = address + SEGMEXEC_TASK_SIZE;
33882 -+
33883 -+ if (!huge_pte_alloc(mm, address_m))
33884 -+ return VM_FAULT_OOM;
33885 -+ address_m &= HPAGE_MASK;
33886 -+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
33887 -+ }
33888 -+#endif
33889 -+
33890 - ptep = huge_pte_alloc(mm, address);
33891 - if (!ptep)
33892 - return VM_FAULT_OOM;
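Review bot: unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE) is passed a vma that does not cover address_m in either branch. In the `if (vma->vm_start > vma_m->vm_start)` branch `vma = vma_m;` makes vma the lower mapping while address_m keeps the upper address; in the else branch vma is already the lower mapping and address_m = address + SEGMEXEC_TASK_SIZE is in the upper half. Unless unmap_hugepage_range() only ever touches vma->vm_mm, keep a pointer to the vma that covers address_m before the swap and pass that one, and say so in a comment either way.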
33893 -diff -urNp linux-2.6.24.4/mm/madvise.c linux-2.6.24.4/mm/madvise.c
33894 ---- linux-2.6.24.4/mm/madvise.c 2008-03-24 14:49:18.000000000 -0400
33895 -+++ linux-2.6.24.4/mm/madvise.c 2008-03-26 17:56:56.000000000 -0400
33896 -@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
33897 - pgoff_t pgoff;
33898 - int new_flags = vma->vm_flags;
33899 -
33900 -+#ifdef CONFIG_PAX_SEGMEXEC
33901 -+ struct vm_area_struct *vma_m;
33902 -+#endif
33903 -+
33904 - switch (behavior) {
33905 - case MADV_NORMAL:
33906 - new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
33907 -@@ -92,6 +96,13 @@ success:
33908 - /*
33909 - * vm_flags is protected by the mmap_sem held in write mode.
33910 - */
33911 -+
33912 -+#ifdef CONFIG_PAX_SEGMEXEC
33913 -+ vma_m = pax_find_mirror_vma(vma);
33914 -+ if (vma_m)
33915 -+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
33916 -+#endif
33917 -+
33918 - vma->vm_flags = new_flags;
33919 -
33920 - out:
33921 -@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
33922 -
33923 - case MADV_DONTNEED:
33924 - error = madvise_dontneed(vma, prev, start, end);
33925 -+
33926 -+#ifdef CONFIG_PAX_SEGMEXEC
33927 -+ if (!error) {
33928 -+ struct vm_area_struct *vma_m, *prev_m;
33929 -+
33930 -+ vma_m = pax_find_mirror_vma(vma);
33931 -+ if (vma_m)
33932 -+ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
33933 -+ }
33934 -+#endif
33935 -+
33936 - break;
33937 -
33938 - default:
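Review bot: if madvise_dontneed(vma_m, ...) fails after madvise_dontneed(vma, ...) succeeded, the caller gets an error for an operation that was already half applied to the lower mapping; either check that the mirror call cannot fail once the primary succeeded or document that the error is only reported, not rolled back. Also `prev_m` is a write-only sink here; a short comment saying it is unused would stop readers looking for where it is consumed.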
33939 -@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
33940 - if (end < start)
33941 - goto out;
33942 -
33943 -+#ifdef CONFIG_PAX_SEGMEXEC
33944 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
33945 -+ if (end > SEGMEXEC_TASK_SIZE)
33946 -+ goto out;
33947 -+ } else
33948 -+#endif
33949 -+
33950 -+ if (end > TASK_SIZE)
33951 -+ goto out;
33952 -+
33953 - error = 0;
33954 - if (end == start)
33955 - goto out;
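Review bot: the `} else` on the line before `#endif` binds to the unguarded `if (end > TASK_SIZE)` that follows the blank line, so the control flow depends on the preprocessor keeping those two fragments adjacent. Compute an `unsigned long limit = TASK_SIZE;` up front, lower it to SEGMEXEC_TASK_SIZE inside the #ifdef, and do a single `if (end > limit) goto out;`; the same pattern recurs in do_mbind() and do_mlock() in this patch and would benefit from the same treatment.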
33956 -diff -urNp linux-2.6.24.4/mm/memory.c linux-2.6.24.4/mm/memory.c
33957 ---- linux-2.6.24.4/mm/memory.c 2008-03-24 14:49:18.000000000 -0400
33958 -+++ linux-2.6.24.4/mm/memory.c 2008-03-26 17:56:56.000000000 -0400
33959 -@@ -50,6 +50,7 @@
33960 - #include <linux/delayacct.h>
33961 - #include <linux/init.h>
33962 - #include <linux/writeback.h>
33963 -+#include <linux/grsecurity.h>
33964 -
33965 - #include <asm/pgalloc.h>
33966 - #include <asm/uaccess.h>
33967 -@@ -990,11 +991,11 @@ int get_user_pages(struct task_struct *t
33968 - vm_flags &= force ? (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
33969 - i = 0;
33970 -
33971 -- do {
33972 -+ while (len) {
33973 - struct vm_area_struct *vma;
33974 - unsigned int foll_flags;
33975 -
33976 -- vma = find_extend_vma(mm, start);
33977 -+ vma = find_vma(mm, start);
33978 - if (!vma && in_gate_area(tsk, start)) {
33979 - unsigned long pg = start & PAGE_MASK;
33980 - struct vm_area_struct *gate_vma = get_gate_vma(tsk);
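Review bot: replacing find_extend_vma() with find_vma() is a behaviour change that deserves a comment or commit-message line: get_user_pages() callers such as ptrace access to a process can no longer grow a VM_GROWSDOWN stack on demand, and instead hit the new `start < vma->vm_start` -EFAULT check in the following hunk. Turning `do {` into `while (len) {` also changes the len == 0 case, which previously entered the loop once. State the intent (PaX does not want gup() expanding mappings behind the fault handler's back) where the change is made.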
33981 -@@ -1034,7 +1035,7 @@ int get_user_pages(struct task_struct *t
33982 - continue;
33983 - }
33984 -
33985 -- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
33986 -+ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
33987 - || !(vm_flags & vma->vm_flags))
33988 - return i ? : -EFAULT;
33989 -
33990 -@@ -1107,7 +1108,7 @@ int get_user_pages(struct task_struct *t
33991 - start += PAGE_SIZE;
33992 - len--;
33993 - } while (len && start < vma->vm_end);
33994 -- } while (len);
33995 -+ }
33996 - return i;
33997 - }
33998 - EXPORT_SYMBOL(get_user_pages);
33999 -@@ -1526,6 +1527,196 @@ static inline void cow_user_page(struct
34000 - copy_user_highpage(dst, src, va, vma);
34001 - }
34002 -
34003 -+#ifdef CONFIG_PAX_SEGMEXEC
34004 -+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
34005 -+{
34006 -+ struct mm_struct *mm = vma->vm_mm;
34007 -+ spinlock_t *ptl;
34008 -+ pte_t *pte, entry;
34009 -+
34010 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
34011 -+ entry = *pte;
34012 -+ if (!pte_present(entry)) {
34013 -+ if (!pte_none(entry)) {
34014 -+ BUG_ON(pte_file(entry));
34015 -+ free_swap_and_cache(pte_to_swp_entry(entry));
34016 -+ pte_clear_not_present_full(mm, address, pte, 0);
34017 -+ }
34018 -+ } else {
34019 -+ struct page *page;
34020 -+
34021 -+ page = vm_normal_page(vma, address, entry);
34022 -+ if (page) {
34023 -+ flush_cache_page(vma, address, pte_pfn(entry));
34024 -+ flush_icache_page(vma, page);
34025 -+ }
34026 -+ ptep_clear_flush(vma, address, pte);
34027 -+ BUG_ON(pte_dirty(entry));
34028 -+ if (page) {
34029 -+ update_hiwater_rss(mm);
34030 -+ if (PageAnon(page))
34031 -+ dec_mm_counter(mm, anon_rss);
34032 -+ else
34033 -+ dec_mm_counter(mm, file_rss);
34034 -+ page_remove_rmap(page, vma);
34035 -+ page_cache_release(page);
34036 -+ }
34037 -+ }
34038 -+ pte_unmap_unlock(pte, ptl);
34039 -+}
34040 -+
34041 -+/* PaX: if vma is mirrored, synchronize the mirror's PTE
34042 -+ *
34043 -+ * the ptl of the lower mapped page is held on entry and is not released on exit
34044 -+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
34045 -+ */
34046 -+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
34047 -+{
34048 -+ struct mm_struct *mm = vma->vm_mm;
34049 -+ unsigned long address_m;
34050 -+ spinlock_t *ptl_m;
34051 -+ struct vm_area_struct *vma_m;
34052 -+ pmd_t *pmd_m;
34053 -+ pte_t *pte_m, entry_m;
34054 -+
34055 -+ BUG_ON(!page_m || !PageAnon(page_m));
34056 -+
34057 -+ vma_m = pax_find_mirror_vma(vma);
34058 -+ if (!vma_m)
34059 -+ return;
34060 -+
34061 -+ BUG_ON(!PageLocked(page_m));
34062 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34063 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34064 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34065 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34066 -+ ptl_m = pte_lockptr(mm, pmd_m);
34067 -+ if (ptl != ptl_m) {
34068 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34069 -+ if (!pte_none(*pte_m)) {
34070 -+ spin_unlock(ptl_m);
34071 -+ pte_unmap_nested(pte_m);
34072 -+ unlock_page(page_m);
34073 -+ return;
34074 -+ }
34075 -+ }
34076 -+
34077 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
34078 -+ page_cache_get(page_m);
34079 -+ page_add_anon_rmap(page_m, vma_m, address_m);
34080 -+ inc_mm_counter(mm, anon_rss);
34081 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34082 -+ update_mmu_cache(vma_m, address_m, entry_m);
34083 -+ if (ptl != ptl_m)
34084 -+ spin_unlock(ptl_m);
34085 -+ pte_unmap_nested(pte_m);
34086 -+ unlock_page(page_m);
34087 -+}
34088 -+
34089 -+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
34090 -+{
34091 -+ struct mm_struct *mm = vma->vm_mm;
34092 -+ unsigned long address_m;
34093 -+ spinlock_t *ptl_m;
34094 -+ struct vm_area_struct *vma_m;
34095 -+ pmd_t *pmd_m;
34096 -+ pte_t *pte_m, entry_m;
34097 -+
34098 -+ BUG_ON(!page_m || PageAnon(page_m));
34099 -+
34100 -+ vma_m = pax_find_mirror_vma(vma);
34101 -+ if (!vma_m)
34102 -+ return;
34103 -+
34104 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34105 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34106 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34107 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34108 -+ ptl_m = pte_lockptr(mm, pmd_m);
34109 -+ if (ptl != ptl_m) {
34110 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34111 -+ if (!pte_none(*pte_m)) {
34112 -+ spin_unlock(ptl_m);
34113 -+ pte_unmap_nested(pte_m);
34114 -+ return;
34115 -+ }
34116 -+ }
34117 -+
34118 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
34119 -+ page_cache_get(page_m);
34120 -+ page_add_file_rmap(page_m);
34121 -+ inc_mm_counter(mm, file_rss);
34122 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34123 -+ update_mmu_cache(vma_m, address_m, entry_m);
34124 -+ if (ptl != ptl_m)
34125 -+ spin_unlock(ptl_m);
34126 -+ pte_unmap_nested(pte_m);
34127 -+}
34128 -+
34129 -+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
34130 -+{
34131 -+ struct mm_struct *mm = vma->vm_mm;
34132 -+ unsigned long address_m;
34133 -+ spinlock_t *ptl_m;
34134 -+ struct vm_area_struct *vma_m;
34135 -+ pmd_t *pmd_m;
34136 -+ pte_t *pte_m, entry_m;
34137 -+
34138 -+ vma_m = pax_find_mirror_vma(vma);
34139 -+ if (!vma_m)
34140 -+ return;
34141 -+
34142 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
34143 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34144 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
34145 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
34146 -+ ptl_m = pte_lockptr(mm, pmd_m);
34147 -+ if (ptl != ptl_m) {
34148 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
34149 -+ if (!pte_none(*pte_m)) {
34150 -+ spin_unlock(ptl_m);
34151 -+ pte_unmap_nested(pte_m);
34152 -+ return;
34153 -+ }
34154 -+ }
34155 -+
34156 -+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
34157 -+ set_pte_at(mm, address_m, pte_m, entry_m);
34158 -+ if (ptl != ptl_m)
34159 -+ spin_unlock(ptl_m);
34160 -+ pte_unmap_nested(pte_m);
34161 -+}
34162 -+
34163 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
34164 -+{
34165 -+ struct page *page_m;
34166 -+ pte_t entry;
34167 -+
34168 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
34169 -+ goto out;
34170 -+
34171 -+ entry = *pte;
34172 -+ page_m = vm_normal_page(vma, address, entry);
34173 -+ if (!page_m)
34174 -+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
34175 -+ else if (PageAnon(page_m)) {
34176 -+ if (pax_find_mirror_vma(vma)) {
34177 -+ pte_unmap_unlock(pte, ptl);
34178 -+ lock_page(page_m);
34179 -+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
34180 -+ if (pte_same(entry, *pte))
34181 -+ pax_mirror_anon_pte(vma, address, page_m, ptl);
34182 -+ else
34183 -+ unlock_page(page_m);
34184 -+ }
34185 -+ } else
34186 -+ pax_mirror_file_pte(vma, address, page_m, ptl);
34187 -+
34188 -+out:
34189 -+ pte_unmap_unlock(pte, ptl);
34190 -+}
34191 -+#endif
34192 -+
34193 - /*
34194 - * This routine handles present pages, when users try to write
34195 - * to a shared page. It is done by copying the page to a new address
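Review bot: in pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `if (!pte_none(*pte_m))` bail-out is only evaluated inside `if (ptl != ptl_m)`. When the two lock pointers coincide (no split page-table locks, so pte_lockptr() returns mm->page_table_lock for both halves) a populated mirror PTE is overwritten by set_pte_at() with no rmap or RSS adjustment for the old entry. Hoist the pte_none() check out of the lock-comparison branch so both configurations behave identically, or add a comment explaining why a non-empty mirror PTE is impossible when the locks are shared. Separately, pax_mirror_file_pte() is the only non-static helper here, so it needs a prototype in a header that is not part of this hunk.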
34196 -@@ -1638,6 +1829,12 @@ gotten:
34197 - */
34198 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
34199 - if (likely(pte_same(*page_table, orig_pte))) {
34200 -+
34201 -+#ifdef CONFIG_PAX_SEGMEXEC
34202 -+ if (pax_find_mirror_vma(vma))
34203 -+ BUG_ON(TestSetPageLocked(new_page));
34204 -+#endif
34205 -+
34206 - if (old_page) {
34207 - page_remove_rmap(old_page, vma);
34208 - if (!PageAnon(old_page)) {
34209 -@@ -1661,6 +1858,10 @@ gotten:
34210 - lru_cache_add_active(new_page);
34211 - page_add_new_anon_rmap(new_page, vma, address);
34212 -
34213 -+#ifdef CONFIG_PAX_SEGMEXEC
34214 -+ pax_mirror_anon_pte(vma, address, new_page, ptl);
34215 -+#endif
34216 -+
34217 - /* Free the old page.. */
34218 - new_page = old_page;
34219 - ret |= VM_FAULT_WRITE;
34220 -@@ -1941,6 +2142,7 @@ int vmtruncate(struct inode * inode, lof
34221 -
34222 - do_expand:
34223 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
34224 -+ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
34225 - if (limit != RLIM_INFINITY && offset > limit)
34226 - goto out_sig;
34227 - if (offset > inode->i_sb->s_maxbytes)
34228 -@@ -2123,6 +2325,11 @@ static int do_swap_page(struct mm_struct
34229 - swap_free(entry);
34230 - if (vm_swap_full())
34231 - remove_exclusive_swap_page(page);
34232 -+
34233 -+#ifdef CONFIG_PAX_SEGMEXEC
34234 -+ if (write_access || !pax_find_mirror_vma(vma))
34235 -+#endif
34236 -+
34237 - unlock_page(page);
34238 -
34239 - if (write_access) {
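Review bot: the `#ifdef CONFIG_PAX_SEGMEXEC` block ends with a bare `if (write_access || !pax_find_mirror_vma(vma))` whose controlled statement is the pre-existing `unlock_page(page);` two blank lines later; brace it so the dependency is visible and a future insertion between them cannot silently change what the `if` governs. A comment is also needed to say that when the page stays locked here the lock is handed to pax_mirror_anon_pte() in the next hunk, which asserts PageLocked and unlocks it.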
34240 -@@ -2135,6 +2342,11 @@ static int do_swap_page(struct mm_struct
34241 -
34242 - /* No need to invalidate - it was non-present before */
34243 - update_mmu_cache(vma, address, pte);
34244 -+
34245 -+#ifdef CONFIG_PAX_SEGMEXEC
34246 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34247 -+#endif
34248 -+
34249 - unlock:
34250 - pte_unmap_unlock(page_table, ptl);
34251 - out:
34252 -@@ -2174,6 +2386,12 @@ static int do_anonymous_page(struct mm_s
34253 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
34254 - if (!pte_none(*page_table))
34255 - goto release;
34256 -+
34257 -+#ifdef CONFIG_PAX_SEGMEXEC
34258 -+ if (pax_find_mirror_vma(vma))
34259 -+ BUG_ON(TestSetPageLocked(page));
34260 -+#endif
34261 -+
34262 - inc_mm_counter(mm, anon_rss);
34263 - lru_cache_add_active(page);
34264 - page_add_new_anon_rmap(page, vma, address);
34265 -@@ -2181,6 +2399,11 @@ static int do_anonymous_page(struct mm_s
34266 -
34267 - /* No need to invalidate - it was non-present before */
34268 - update_mmu_cache(vma, address, entry);
34269 -+
34270 -+#ifdef CONFIG_PAX_SEGMEXEC
34271 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34272 -+#endif
34273 -+
34274 - unlock:
34275 - pte_unmap_unlock(page_table, ptl);
34276 - return 0;
34277 -@@ -2313,6 +2536,12 @@ static int __do_fault(struct mm_struct *
34278 - */
34279 - /* Only go through if we didn't race with anybody else... */
34280 - if (likely(pte_same(*page_table, orig_pte))) {
34281 -+
34282 -+#ifdef CONFIG_PAX_SEGMEXEC
34283 -+ if (anon && pax_find_mirror_vma(vma))
34284 -+ BUG_ON(TestSetPageLocked(page));
34285 -+#endif
34286 -+
34287 - flush_icache_page(vma, page);
34288 - entry = mk_pte(page, vma->vm_page_prot);
34289 - if (flags & FAULT_FLAG_WRITE)
34290 -@@ -2333,6 +2562,14 @@ static int __do_fault(struct mm_struct *
34291 -
34292 - /* no need to invalidate: a not-present page won't be cached */
34293 - update_mmu_cache(vma, address, entry);
34294 -+
34295 -+#ifdef CONFIG_PAX_SEGMEXEC
34296 -+ if (anon)
34297 -+ pax_mirror_anon_pte(vma, address, page, ptl);
34298 -+ else
34299 -+ pax_mirror_file_pte(vma, address, page, ptl);
34300 -+#endif
34301 -+
34302 - } else {
34303 - if (anon)
34304 - page_cache_release(page);
34305 -@@ -2415,6 +2652,11 @@ static noinline int do_no_pfn(struct mm_
34306 - if (write_access)
34307 - entry = maybe_mkwrite(pte_mkdirty(entry), vma);
34308 - set_pte_at(mm, address, page_table, entry);
34309 -+
34310 -+#ifdef CONFIG_PAX_SEGMEXEC
34311 -+ pax_mirror_pfn_pte(vma, address, pfn, ptl);
34312 -+#endif
34313 -+
34314 - }
34315 - pte_unmap_unlock(page_table, ptl);
34316 - return 0;
34317 -@@ -2517,6 +2759,12 @@ static inline int handle_pte_fault(struc
34318 - if (write_access)
34319 - flush_tlb_page(vma, address);
34320 - }
34321 -+
34322 -+#ifdef CONFIG_PAX_SEGMEXEC
34323 -+ pax_mirror_pte(vma, address, pte, pmd, ptl);
34324 -+ return 0;
34325 -+#endif
34326 -+
34327 - unlock:
34328 - pte_unmap_unlock(pte, ptl);
34329 - return 0;
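Review bot: the added `pax_mirror_pte(vma, address, pte, pmd, ptl); return 0;` relies on pax_mirror_pte() releasing ptl itself (its `out:` label does pte_unmap_unlock), which is the opposite convention from every other exit in handle_pte_fault() that falls through to `unlock:`. Add a comment making that ownership transfer explicit, and note that pax_mirror_pte() may drop and re-take ptl in its anon path, so the caller's `pte` pointer must not be used after the call; returning immediately is what makes this safe today.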
34330 -@@ -2533,6 +2781,10 @@ int handle_mm_fault(struct mm_struct *mm
34331 - pmd_t *pmd;
34332 - pte_t *pte;
34333 -
34334 -+#ifdef CONFIG_PAX_SEGMEXEC
34335 -+ struct vm_area_struct *vma_m;
34336 -+#endif
34337 -+
34338 - __set_current_state(TASK_RUNNING);
34339 -
34340 - count_vm_event(PGFAULT);
34341 -@@ -2540,6 +2792,34 @@ int handle_mm_fault(struct mm_struct *mm
34342 - if (unlikely(is_vm_hugetlb_page(vma)))
34343 - return hugetlb_fault(mm, vma, address, write_access);
34344 -
34345 -+#ifdef CONFIG_PAX_SEGMEXEC
34346 -+ vma_m = pax_find_mirror_vma(vma);
34347 -+ if (vma_m) {
34348 -+ unsigned long address_m;
34349 -+ pgd_t *pgd_m;
34350 -+ pud_t *pud_m;
34351 -+ pmd_t *pmd_m;
34352 -+
34353 -+ if (vma->vm_start > vma_m->vm_start) {
34354 -+ address_m = address;
34355 -+ address -= SEGMEXEC_TASK_SIZE;
34356 -+ vma = vma_m;
34357 -+ } else
34358 -+ address_m = address + SEGMEXEC_TASK_SIZE;
34359 -+
34360 -+ pgd_m = pgd_offset(mm, address_m);
34361 -+ pud_m = pud_alloc(mm, pgd_m, address_m);
34362 -+ if (!pud_m)
34363 -+ return VM_FAULT_OOM;
34364 -+ pmd_m = pmd_alloc(mm, pud_m, address_m);
34365 -+ if (!pmd_m)
34366 -+ return VM_FAULT_OOM;
34367 -+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
34368 -+ return VM_FAULT_OOM;
34369 -+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
34370 -+ }
34371 -+#endif
34372 -+
34373 - pgd = pgd_offset(mm, address);
34374 - pud = pud_alloc(mm, pgd, address);
34375 - if (!pud)
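Review bot: in the `if (vma->vm_start > vma_m->vm_start)` branch, `vma = vma_m;` leaves vma_m pointing at the lower mapping, so the subsequent `pax_unmap_mirror_pte(vma_m, address_m, pmd_m);` receives a vma that does not cover address_m. pax_unmap_mirror_pte() passes that vma to vm_normal_page(), flush_cache_page(), ptep_clear_flush() and page_remove_rmap(), all of which expect the address to lie inside the vma. Save the upper vma in a local before the swap and pass that; the else branch is already correct because vma_m is the upper mapping there.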
34376 -@@ -2673,7 +2953,7 @@ static int __init gate_vma_init(void)
34377 - gate_vma.vm_start = FIXADDR_USER_START;
34378 - gate_vma.vm_end = FIXADDR_USER_END;
34379 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
34380 -- gate_vma.vm_page_prot = __P101;
34381 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
34382 - /*
34383 - * Make sure the vDSO gets into every core dump.
34384 - * Dumping its contents makes post-mortem fully interpretable later
34385 -diff -urNp linux-2.6.24.4/mm/mempolicy.c linux-2.6.24.4/mm/mempolicy.c
34386 ---- linux-2.6.24.4/mm/mempolicy.c 2008-03-24 14:49:18.000000000 -0400
34387 -+++ linux-2.6.24.4/mm/mempolicy.c 2008-03-26 17:56:56.000000000 -0400
34388 -@@ -406,6 +406,10 @@ static int mbind_range(struct vm_area_st
34389 - struct vm_area_struct *next;
34390 - int err;
34391 -
34392 -+#ifdef CONFIG_PAX_SEGMEXEC
34393 -+ struct vm_area_struct *vma_m;
34394 -+#endif
34395 -+
34396 - err = 0;
34397 - for (; vma && vma->vm_start < end; vma = next) {
34398 - next = vma->vm_next;
34399 -@@ -417,6 +421,16 @@ static int mbind_range(struct vm_area_st
34400 - err = policy_vma(vma, new);
34401 - if (err)
34402 - break;
34403 -+
34404 -+#ifdef CONFIG_PAX_SEGMEXEC
34405 -+ vma_m = pax_find_mirror_vma(vma);
34406 -+ if (vma_m) {
34407 -+ err = policy_vma(vma_m, new);
34408 -+ if (err)
34409 -+ break;
34410 -+ }
34411 -+#endif
34412 -+
34413 - }
34414 - return err;
34415 - }
34416 -@@ -794,6 +808,17 @@ static long do_mbind(unsigned long start
34417 -
34418 - if (end < start)
34419 - return -EINVAL;
34420 -+
34421 -+#ifdef CONFIG_PAX_SEGMEXEC
34422 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
34423 -+ if (end > SEGMEXEC_TASK_SIZE)
34424 -+ return -EINVAL;
34425 -+ } else
34426 -+#endif
34427 -+
34428 -+ if (end > TASK_SIZE)
34429 -+ return -EINVAL;
34430 -+
34431 - if (end == start)
34432 - return 0;
34433 -
34434 -diff -urNp linux-2.6.24.4/mm/mlock.c linux-2.6.24.4/mm/mlock.c
34435 ---- linux-2.6.24.4/mm/mlock.c 2008-03-24 14:49:18.000000000 -0400
34436 -+++ linux-2.6.24.4/mm/mlock.c 2008-03-26 17:56:56.000000000 -0400
34437 -@@ -12,6 +12,7 @@
34438 - #include <linux/syscalls.h>
34439 - #include <linux/sched.h>
34440 - #include <linux/module.h>
34441 -+#include <linux/grsecurity.h>
34442 -
34443 - int can_do_mlock(void)
34444 - {
34445 -@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
34446 - return -EINVAL;
34447 - if (end == start)
34448 - return 0;
34449 -+
34450 -+#ifdef CONFIG_PAX_SEGMEXEC
34451 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
34452 -+ if (end > SEGMEXEC_TASK_SIZE)
34453 -+ return -EINVAL;
34454 -+ } else
34455 -+#endif
34456 -+
34457 -+ if (end > TASK_SIZE)
34458 -+ return -EINVAL;
34459 -+
34460 - vma = find_vma_prev(current->mm, start, &prev);
34461 - if (!vma || vma->vm_start > start)
34462 - return -ENOMEM;
34463 -@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
34464 - lock_limit >>= PAGE_SHIFT;
34465 -
34466 - /* check against resource limits */
34467 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
34468 - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
34469 - error = do_mlock(start, len, 1);
34470 - up_write(&current->mm->mmap_sem);
34471 -@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
34472 - static int do_mlockall(int flags)
34473 - {
34474 - struct vm_area_struct * vma, * prev = NULL;
34475 -- unsigned int def_flags = 0;
34476 -+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
34477 -
34478 - if (flags & MCL_FUTURE)
34479 -- def_flags = VM_LOCKED;
34480 -+ def_flags |= VM_LOCKED;
34481 - current->mm->def_flags = def_flags;
34482 - if (flags == MCL_FUTURE)
34483 - goto out;
34484 -@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
34485 - for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
34486 - unsigned int newflags;
34487 -
34488 -+#ifdef CONFIG_PAX_SEGMEXEC
34489 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
34490 -+ break;
34491 -+#endif
34492 -+
34493 -+ BUG_ON(vma->vm_end > TASK_SIZE);
34494 - newflags = vma->vm_flags | VM_LOCKED;
34495 - if (!(flags & MCL_CURRENT))
34496 - newflags &= ~VM_LOCKED;
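Review bot: `BUG_ON(vma->vm_end > TASK_SIZE);` is added unconditionally and crashes the kernel on an invariant about a user mapping; VM_BUG_ON or a WARN_ON plus -EINVAL would be the proportionate response. The `break` on the first vma at or above SEGMEXEC_TASK_SIZE also means mirror vmas never get VM_LOCKED set or cleared by mlockall(); if that is intentional because they share pages with the lower mappings, say so in a comment next to the break.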
34497 -@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
34498 - lock_limit >>= PAGE_SHIFT;
34499 -
34500 - ret = -ENOMEM;
34501 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
34502 - if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
34503 - capable(CAP_IPC_LOCK))
34504 - ret = do_mlockall(flags);
34505 -diff -urNp linux-2.6.24.4/mm/mmap.c linux-2.6.24.4/mm/mmap.c
34506 ---- linux-2.6.24.4/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
34507 -+++ linux-2.6.24.4/mm/mmap.c 2008-03-26 17:56:56.000000000 -0400
34508 -@@ -26,6 +26,7 @@
34509 - #include <linux/mount.h>
34510 - #include <linux/mempolicy.h>
34511 - #include <linux/rmap.h>
34512 -+#include <linux/grsecurity.h>
34513 -
34514 - #include <asm/uaccess.h>
34515 - #include <asm/cacheflush.h>
34516 -@@ -36,6 +37,16 @@
34517 - #define arch_mmap_check(addr, len, flags) (0)
34518 - #endif
34519 -
34520 -+static inline void verify_mm_writelocked(struct mm_struct *mm)
34521 -+{
34522 -+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
34523 -+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
34524 -+ up_read(&mm->mmap_sem);
34525 -+ BUG();
34526 -+ }
34527 -+#endif
34528 -+}
34529 -+
34530 - static void unmap_region(struct mm_struct *mm,
34531 - struct vm_area_struct *vma, struct vm_area_struct *prev,
34532 - unsigned long start, unsigned long end);
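Review bot: verify_mm_writelocked() only proves that some task holds mmap_sem for write, not that the current task does: down_read_trylock() fails for any writer, so a caller that forgot to take the lock while another thread holds it for write passes the check. Rename or comment it as a best-effort debug assertion, and note that no caller appears in this hunk, so the function is dead in this file until a later hunk uses it.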
34533 -@@ -61,15 +72,23 @@ static void unmap_region(struct mm_struc
34534 - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
34535 - *
34536 - */
34537 --pgprot_t protection_map[16] = {
34538 -+pgprot_t protection_map[16] __read_only = {
34539 - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
34540 - __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
34541 - };
34542 -
34543 - pgprot_t vm_get_page_prot(unsigned long vm_flags)
34544 - {
34545 -- return protection_map[vm_flags &
34546 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34547 -+ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34548 -+
34549 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34550 -+ if (!nx_enabled &&
34551 -+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
34552 -+ (vm_flags & (VM_READ | VM_WRITE)))
34553 -+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
34554 -+#endif
34555 -+
34556 -+ return prot;
34557 - }
34558 - EXPORT_SYMBOL(vm_get_page_prot);
34559 -
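Review bot: the PAGEEXEC branch in vm_get_page_prot() is the core of non-NX emulation and has no comment: `if (!nx_enabled && (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC && (vm_flags & (VM_READ | VM_WRITE)))` needs a line saying that on x86_32 CPUs without NX a readable or writable but non-executable mapping is marked with pte_exprotect() so that instruction fetches from it can be caught. `__read_only` on protection_map and `nx_enabled` are both referenced without definitions in this hunk, so the headers that provide them should be named in the commit message.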
34560 -@@ -224,6 +243,7 @@ static struct vm_area_struct *remove_vma
34561 - struct vm_area_struct *next = vma->vm_next;
34562 -
34563 - might_sleep();
34564 -+ BUG_ON(vma->vm_mirror);
34565 - if (vma->vm_ops && vma->vm_ops->close)
34566 - vma->vm_ops->close(vma);
34567 - if (vma->vm_file)
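Review bot: `BUG_ON(vma->vm_mirror);` in remove_vma() is outside any `#ifdef CONFIG_PAX_SEGMEXEC`, unlike every other vm_mirror use in this patch. If the vm_mirror member of vm_area_struct is declared conditionally in the header, this breaks builds with SEGMEXEC disabled; either guard the assertion or confirm in a comment that the field is unconditional.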
34568 -@@ -251,6 +271,7 @@ asmlinkage unsigned long sys_brk(unsigne
34569 - * not page aligned -Ram Gupta
34570 - */
34571 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
34572 -+ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
34573 - if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
34574 - goto out;
34575 -
34576 -@@ -351,8 +372,12 @@ find_vma_prepare(struct mm_struct *mm, u
34577 -
34578 - if (vma_tmp->vm_end > addr) {
34579 - vma = vma_tmp;
34580 -- if (vma_tmp->vm_start <= addr)
34581 -- return vma;
34582 -+ if (vma_tmp->vm_start <= addr) {
34583 -+//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
34584 -+//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
34585 -+//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
34586 -+ break;
34587 -+ }
34588 - __rb_link = &__rb_parent->rb_left;
34589 - } else {
34590 - rb_prev = __rb_parent;
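Review bot: the three commented-out `//printk("PAX: prep: ...` debug lines should not ship; drop them. Changing `return vma;` to `break;` when `vma_tmp->vm_start <= addr` alters what find_vma_prepare() returns through its output parameters for the overlapping-vma case, so add a one-line comment stating that callers now rely on the code after the loop running in that case too.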
34591 -@@ -676,6 +701,12 @@ static int
34592 - can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
34593 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
34594 - {
34595 -+
34596 -+#ifdef CONFIG_PAX_SEGMEXEC
34597 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
34598 -+ return 0;
34599 -+#endif
34600 -+
34601 - if (is_mergeable_vma(vma, file, vm_flags) &&
34602 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
34603 - if (vma->vm_pgoff == vm_pgoff)
34604 -@@ -695,6 +726,12 @@ static int
34605 - can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
34606 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
34607 - {
34608 -+
34609 -+#ifdef CONFIG_PAX_SEGMEXEC
34610 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
34611 -+ return 0;
34612 -+#endif
34613 -+
34614 - if (is_mergeable_vma(vma, file, vm_flags) &&
34615 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
34616 - pgoff_t vm_pglen;
34617 -@@ -737,12 +774,19 @@ can_vma_merge_after(struct vm_area_struc
34618 - struct vm_area_struct *vma_merge(struct mm_struct *mm,
34619 - struct vm_area_struct *prev, unsigned long addr,
34620 - unsigned long end, unsigned long vm_flags,
34621 -- struct anon_vma *anon_vma, struct file *file,
34622 -+ struct anon_vma *anon_vma, struct file *file,
34623 - pgoff_t pgoff, struct mempolicy *policy)
34624 - {
34625 - pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
34626 - struct vm_area_struct *area, *next;
34627 -
34628 -+#ifdef CONFIG_PAX_SEGMEXEC
34629 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
34630 -+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
34631 -+
34632 -+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
34633 -+#endif
34634 -+
34635 - /*
34636 - * We later require that vma->vm_flags == vm_flags,
34637 - * so this tests vma->vm_flags & VM_SPECIAL, too.
34638 -@@ -758,6 +802,15 @@ struct vm_area_struct *vma_merge(struct
34639 - if (next && next->vm_end == end) /* cases 6, 7, 8 */
34640 - next = next->vm_next;
34641 -
34642 -+#ifdef CONFIG_PAX_SEGMEXEC
34643 -+ if (prev)
34644 -+ prev_m = pax_find_mirror_vma(prev);
34645 -+ if (area)
34646 -+ area_m = pax_find_mirror_vma(area);
34647 -+ if (next)
34648 -+ next_m = pax_find_mirror_vma(next);
34649 -+#endif
34650 -+
34651 - /*
34652 - * Can it merge with the predecessor?
34653 - */
34654 -@@ -777,9 +830,24 @@ struct vm_area_struct *vma_merge(struct
34655 - /* cases 1, 6 */
34656 - vma_adjust(prev, prev->vm_start,
34657 - next->vm_end, prev->vm_pgoff, NULL);
34658 -- } else /* cases 2, 5, 7 */
34659 -+
34660 -+#ifdef CONFIG_PAX_SEGMEXEC
34661 -+ if (prev_m)
34662 -+ vma_adjust(prev_m, prev_m->vm_start,
34663 -+ next_m->vm_end, prev_m->vm_pgoff, NULL);
34664 -+#endif
34665 -+
34666 -+ } else { /* cases 2, 5, 7 */
34667 - vma_adjust(prev, prev->vm_start,
34668 - end, prev->vm_pgoff, NULL);
34669 -+
34670 -+#ifdef CONFIG_PAX_SEGMEXEC
34671 -+ if (prev_m)
34672 -+ vma_adjust(prev_m, prev_m->vm_start,
34673 -+ end_m, prev_m->vm_pgoff, NULL);
34674 -+#endif
34675 -+
34676 -+ }
34677 - return prev;
34678 - }
34679 -
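Review bot: in the cases 1 and 6 path, `if (prev_m) vma_adjust(prev_m, prev_m->vm_start, next_m->vm_end, prev_m->vm_pgoff, NULL);` dereferences next_m without checking it. If prev has a mirror but next does not, this is a NULL dereference under mmap_sem. Either add `BUG_ON(!next_m);` to document the invariant that mergeable neighbours are mirrored together, or handle the asymmetric case explicitly.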
34680 -@@ -790,12 +858,43 @@ struct vm_area_struct *vma_merge(struct
34681 - mpol_equal(policy, vma_policy(next)) &&
34682 - can_vma_merge_before(next, vm_flags,
34683 - anon_vma, file, pgoff+pglen)) {
34684 -- if (prev && addr < prev->vm_end) /* case 4 */
34685 -+ if (prev && addr < prev->vm_end) { /* case 4 */
34686 - vma_adjust(prev, prev->vm_start,
34687 - addr, prev->vm_pgoff, NULL);
34688 -- else /* cases 3, 8 */
34689 -+
34690 -+#ifdef CONFIG_PAX_SEGMEXEC
34691 -+ if (prev_m)
34692 -+ vma_adjust(prev_m, prev_m->vm_start,
34693 -+ addr_m, prev_m->vm_pgoff, NULL);
34694 -+#endif
34695 -+
34696 -+ } else { /* cases 3, 8 */
34697 - vma_adjust(area, addr, next->vm_end,
34698 - next->vm_pgoff - pglen, NULL);
34699 -+
34700 -+#ifdef CONFIG_PAX_SEGMEXEC
34701 -+ if (area_m)
34702 -+ vma_adjust(area_m, addr_m, next_m->vm_end,
34703 -+ next_m->vm_pgoff - pglen, NULL);
34704 -+ else if (next_m) {
34705 -+ vma_adjust(next_m, addr_m, next_m->vm_end,
34706 -+ next_m->vm_pgoff - pglen, NULL);
34707 -+ BUG_ON(area == next);
34708 -+ BUG_ON(area->vm_mirror);
34709 -+ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
34710 -+ BUG_ON(area->vm_file != next_m->vm_file);
34711 -+ BUG_ON(area->vm_end - area->vm_start != next_m->vm_end - next_m->vm_start);
34712 -+ BUG_ON(area->vm_pgoff != next_m->vm_pgoff);
34713 -+ area->vm_mirror = next_m;
34714 -+ next_m->vm_mirror = area;
34715 -+ if (area->anon_vma && !next_m->anon_vma) {
34716 -+ next_m->anon_vma = area->anon_vma;
34717 -+ anon_vma_link(next_m);
34718 -+ }
34719 -+ }
34720 -+#endif
34721 -+
34722 -+ }
34723 - return area;
34724 - }
34725 -
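Review bot: the same unchecked next_m dereference appears in the cases 3 and 8 path: `if (area_m) vma_adjust(area_m, addr_m, next_m->vm_end, next_m->vm_pgoff - pglen, NULL);` has no guarantee that next_m is non-NULL. The `else if (next_m)` branch that retroactively links `area->vm_mirror = next_m; next_m->vm_mirror = area;` is doing something non-obvious (an unmirrored area absorbing a mirrored next, case 8) and should carry a comment explaining when it is reached and why the six BUG_ON checks establish a valid mirror pair.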
34726 -@@ -870,14 +969,11 @@ none:
34727 - void vm_stat_account(struct mm_struct *mm, unsigned long flags,
34728 - struct file *file, long pages)
34729 - {
34730 -- const unsigned long stack_flags
34731 -- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
34732 --
34733 - if (file) {
34734 - mm->shared_vm += pages;
34735 - if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
34736 - mm->exec_vm += pages;
34737 -- } else if (flags & stack_flags)
34738 -+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
34739 - mm->stack_vm += pages;
34740 - if (flags & (VM_RESERVED|VM_IO))
34741 - mm->reserved_vm += pages;
34742 -@@ -905,7 +1001,7 @@ unsigned long do_mmap_pgoff(struct file
34743 - * (the exception is when the underlying filesystem is noexec
34744 - * mounted, in which case we dont add PROT_EXEC.)
34745 - */
34746 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
34747 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
34748 - if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
34749 - prot |= PROT_EXEC;
34750 -
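Review bot: widening the test to `(prot & (PROT_READ | PROT_WRITE))` means a PROT_WRITE-only mapping now also gets PROT_EXEC under READ_IMPLIES_EXEC, but the comment block above still talks only about read implying exec. Update the comment to say that on x86 a writable page is necessarily readable, so write implies read implies exec for this legacy personality.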
34751 -@@ -915,15 +1011,15 @@ unsigned long do_mmap_pgoff(struct file
34752 - if (!(flags & MAP_FIXED))
34753 - addr = round_hint_to_min(addr);
34754 -
34755 -- error = arch_mmap_check(addr, len, flags);
34756 -- if (error)
34757 -- return error;
34758 --
34759 - /* Careful about overflows.. */
34760 - len = PAGE_ALIGN(len);
34761 - if (!len || len > TASK_SIZE)
34762 - return -ENOMEM;
34763 -
34764 -+ error = arch_mmap_check(addr, len, flags);
34765 -+ if (error)
34766 -+ return error;
34767 -+
34768 - /* offset overflow? */
34769 - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
34770 - return -EOVERFLOW;
34771 -@@ -935,7 +1031,7 @@ unsigned long do_mmap_pgoff(struct file
34772 - /* Obtain the address to map to. we verify (or select) it and ensure
34773 - * that it represents a valid section of the address space.
34774 - */
34775 -- addr = get_unmapped_area(file, addr, len, pgoff, flags);
34776 -+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
34777 - if (addr & ~PAGE_MASK)
34778 - return addr;
34779 -
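Review bot: ORing `((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)` into flags reuses a userspace-visible mmap flag as an internal signal, but user-supplied flags are passed through unchanged, so a caller can set MAP_EXECUTABLE itself (historically ignored by Linux) and reach get_unmapped_area() with the executable hint on a non-executable mapping. Mask the bit out of the incoming flags first (`flags & ~MAP_EXECUTABLE`) or use an internal-only flag bit for the placement hint.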
34780 -@@ -946,6 +1042,26 @@ unsigned long do_mmap_pgoff(struct file
34781 - vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
34782 - mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
34783 -
34784 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
34785 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
34786 -+
34787 -+#ifdef CONFIG_PAX_MPROTECT
34788 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
34789 -+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
34790 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
34791 -+ else
34792 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
34793 -+ }
34794 -+#endif
34795 -+
34796 -+ }
34797 -+#endif
34798 -+
34799 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34800 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
34801 -+ vm_flags &= ~VM_PAGEEXEC;
34802 -+#endif
34803 -+
34804 - if (flags & MAP_LOCKED) {
34805 - if (!can_do_mlock())
34806 - return -EPERM;
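Review bot: under MF_PAX_MPROTECT a request for PROT_WRITE|PROT_EXEC is silently demoted to non-executable (both VM_EXEC and VM_MAYEXEC are cleared, so a later mprotect(PROT_EXEC) fails as well) instead of returning an error; that is a defensible policy, but it should be documented in the block, because mmap() reports success and the caller has no way to notice. Minor: with CONFIG_PAX_MPROTECT off, the outer `if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) { }` compiles to an empty body; fold the MPROTECT test into the outer condition or drop the outer block.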
34807 -@@ -958,6 +1074,7 @@ unsigned long do_mmap_pgoff(struct file
34808 - locked += mm->locked_vm;
34809 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
34810 - lock_limit >>= PAGE_SHIFT;
34811 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
34812 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
34813 - return -EAGAIN;
34814 - }
34815 -@@ -1026,6 +1143,9 @@ unsigned long do_mmap_pgoff(struct file
34816 - if (error)
34817 - return error;
34818 -
34819 -+ if (!gr_acl_handle_mmap(file, prot))
34820 -+ return -EACCES;
34821 -+
34822 - return mmap_region(file, addr, len, flags, vm_flags, pgoff,
34823 - accountable);
34824 - }
34825 -@@ -1039,10 +1159,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
34826 - */
34827 - int vma_wants_writenotify(struct vm_area_struct *vma)
34828 - {
34829 -- unsigned int vm_flags = vma->vm_flags;
34830 -+ unsigned long vm_flags = vma->vm_flags;
34831 -
34832 - /* If it was private or non-writable, the write bit is already clear */
34833 -- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
34834 -+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
34835 - return 0;
34836 -
34837 - /* The backer wishes to know when pages are first written to? */
34838 -@@ -1077,14 +1197,24 @@ unsigned long mmap_region(struct file *f
34839 - unsigned long charged = 0;
34840 - struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
34841 -
34842 -+#ifdef CONFIG_PAX_SEGMEXEC
34843 -+ struct vm_area_struct *vma_m = NULL;
34844 -+#endif
34845 -+
34846 -+ /*
34847 -+ * mm->mmap_sem is required to protect against another thread
34848 -+ * changing the mappings in case we sleep.
34849 -+ */
34850 -+ verify_mm_writelocked(mm);
34851 -+
34852 - /* Clear old maps */
34853 - error = -ENOMEM;
34854 --munmap_back:
34855 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
34856 - if (vma && vma->vm_start < addr + len) {
34857 - if (do_munmap(mm, addr, len))
34858 - return -ENOMEM;
34859 -- goto munmap_back;
34860 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
34861 -+ BUG_ON(vma && vma->vm_start < addr + len);
34862 - }
34863 -
34864 - /* Check against address space limit. */
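Review bot: verify_mm_writelocked() is now called at the top of mmap_region(), but the static inline definition of that helper is deleted further down in this same file (the sys_munmap hunk) and no replacement appears in the visible diff; make sure it was moved to a header or above this function, or the file will not compile. Separately, replacing the `munmap_back` retry loop with a single re-lookup plus `BUG_ON(vma && vma->vm_start < addr + len)` turns an unexpected leftover overlap after do_munmap() into a panic; a WARN_ON followed by `return -ENOMEM` would fail the mapping rather than the machine.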
34865 -@@ -1128,6 +1258,16 @@ munmap_back:
34866 - goto unacct_error;
34867 - }
34868 -
34869 -+#ifdef CONFIG_PAX_SEGMEXEC
34870 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
34871 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
34872 -+ if (!vma_m) {
34873 -+ error = -ENOMEM;
34874 -+ goto free_vma;
34875 -+ }
34876 -+ }
34877 -+#endif
34878 -+
34879 - vma->vm_mm = mm;
34880 - vma->vm_start = addr;
34881 - vma->vm_end = addr + len;
34882 -@@ -1150,6 +1290,27 @@ munmap_back:
34883 - error = file->f_op->mmap(file, vma);
34884 - if (error)
34885 - goto unmap_and_free_vma;
34886 -+
34887 -+#ifdef CONFIG_PAX_SEGMEXEC
34888 -+ if (vma_m) {
34889 -+ struct mempolicy *pol;
34890 -+
34891 -+ pol = mpol_copy(vma_policy(vma));
34892 -+ if (IS_ERR(pol)) {
34893 -+ mpol_free(vma_policy(vma));
34894 -+ goto unmap_and_free_vma;
34895 -+ }
34896 -+ vma_set_policy(vma_m, pol);
34897 -+ }
34898 -+#endif
34899 -+
34900 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
34901 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
34902 -+ vma->vm_flags |= VM_PAGEEXEC;
34903 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
34904 -+ }
34905 -+#endif
34906 -+
34907 - } else if (vm_flags & VM_SHARED) {
34908 - error = shmem_zero_setup(vma);
34909 - if (error)
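Review bot: in the SEGMEXEC block, `if (IS_ERR(pol)) { mpol_free(vma_policy(vma)); goto unmap_and_free_vma; }` jumps out without setting `error`, and at this point `error` is 0 because f_op->mmap() has just succeeded, so mmap_region() unwinds the mapping and then reports success to its caller. Add `error = PTR_ERR(pol);` before the goto.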
34910 -@@ -1180,6 +1341,12 @@ munmap_back:
34911 - vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
34912 - file = vma->vm_file;
34913 - vma_link(mm, vma, prev, rb_link, rb_parent);
34914 -+
34915 -+#ifdef CONFIG_PAX_SEGMEXEC
34916 -+ if (vma_m)
34917 -+ pax_mirror_vma(vma_m, vma);
34918 -+#endif
34919 -+
34920 - if (correct_wcount)
34921 - atomic_inc(&inode->i_writecount);
34922 - } else {
34923 -@@ -1190,10 +1357,20 @@ munmap_back:
34924 - }
34925 - mpol_free(vma_policy(vma));
34926 - kmem_cache_free(vm_area_cachep, vma);
34927 -+ vma = NULL;
34928 -+
34929 -+#ifdef CONFIG_PAX_SEGMEXEC
34930 -+ if (vma_m) {
34931 -+ mpol_free(vma_policy(vma_m));
34932 -+ kmem_cache_free(vm_area_cachep, vma_m);
34933 -+ }
34934 -+#endif
34935 -+
34936 - }
34937 - out:
34938 - mm->total_vm += len >> PAGE_SHIFT;
34939 - vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
34940 -+ track_exec_limit(mm, addr, addr + len, vm_flags);
34941 - if (vm_flags & VM_LOCKED) {
34942 - mm->locked_vm += len >> PAGE_SHIFT;
34943 - make_pages_present(addr, addr + len);
34944 -@@ -1212,6 +1389,12 @@ unmap_and_free_vma:
34945 - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
34946 - charged = 0;
34947 - free_vma:
34948 -+
34949 -+#ifdef CONFIG_PAX_SEGMEXEC
34950 -+ if (vma_m)
34951 -+ kmem_cache_free(vm_area_cachep, vma_m);
34952 -+#endif
34953 -+
34954 - kmem_cache_free(vm_area_cachep, vma);
34955 - unacct_error:
34956 - if (charged)
34957 -@@ -1245,6 +1428,10 @@ arch_get_unmapped_area(struct file *filp
34958 - if (flags & MAP_FIXED)
34959 - return addr;
34960 -
34961 -+#ifdef CONFIG_PAX_RANDMMAP
34962 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
34963 -+#endif
34964 -+
34965 - if (addr) {
34966 - addr = PAGE_ALIGN(addr);
34967 - vma = find_vma(mm, addr);
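Review bot: the braceless `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` binds to the `if (addr)` statement across an `#endif` and a blank line, which is easy to misread and easy to break with an unrelated edit; give it braces around the whole hint-handling block, and state the intent (ignore non-MAP_FIXED address hints while RANDMMAP is active so a hint cannot undo the randomization) in a comment.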
34968 -@@ -1253,10 +1440,10 @@ arch_get_unmapped_area(struct file *filp
34969 - return addr;
34970 - }
34971 - if (len > mm->cached_hole_size) {
34972 -- start_addr = addr = mm->free_area_cache;
34973 -+ start_addr = addr = mm->free_area_cache;
34974 - } else {
34975 -- start_addr = addr = TASK_UNMAPPED_BASE;
34976 -- mm->cached_hole_size = 0;
34977 -+ start_addr = addr = mm->mmap_base;
34978 -+ mm->cached_hole_size = 0;
34979 - }
34980 -
34981 - full_search:
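Review bot: the `start_addr = addr = mm->free_area_cache;` line is removed and re-added with only whitespace differences, which is pure diff noise; drop that pair. The substantive change, replacing TASK_UNMAPPED_BASE with mm->mmap_base in the bottom-up allocator, is needed so the per-mm base (randomized under RANDMMAP) is honoured, and the full_search restart in the next hunk follows the same rule.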
34982 -@@ -1267,9 +1454,8 @@ full_search:
34983 - * Start a new search - just in case we missed
34984 - * some holes.
34985 - */
34986 -- if (start_addr != TASK_UNMAPPED_BASE) {
34987 -- addr = TASK_UNMAPPED_BASE;
34988 -- start_addr = addr;
34989 -+ if (start_addr != mm->mmap_base) {
34990 -+ start_addr = addr = mm->mmap_base;
34991 - mm->cached_hole_size = 0;
34992 - goto full_search;
34993 - }
34994 -@@ -1291,10 +1477,16 @@ full_search:
34995 -
34996 - void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
34997 - {
34998 -+
34999 -+#ifdef CONFIG_PAX_SEGMEXEC
35000 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
35001 -+ return;
35002 -+#endif
35003 -+
35004 - /*
35005 - * Is this a new hole at the lowest possible address?
35006 - */
35007 -- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
35008 -+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
35009 - mm->free_area_cache = addr;
35010 - mm->cached_hole_size = ~0UL;
35011 - }
35012 -@@ -1312,7 +1504,7 @@ arch_get_unmapped_area_topdown(struct fi
35013 - {
35014 - struct vm_area_struct *vma;
35015 - struct mm_struct *mm = current->mm;
35016 -- unsigned long addr = addr0;
35017 -+ unsigned long base = mm->mmap_base, addr = addr0;
35018 -
35019 - /* requested length too big for entire address space */
35020 - if (len > TASK_SIZE)
35021 -@@ -1321,6 +1513,10 @@ arch_get_unmapped_area_topdown(struct fi
35022 - if (flags & MAP_FIXED)
35023 - return addr;
35024 -
35025 -+#ifdef CONFIG_PAX_RANDMMAP
35026 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
35027 -+#endif
35028 -+
35029 - /* requesting a specific address */
35030 - if (addr) {
35031 - addr = PAGE_ALIGN(addr);
35032 -@@ -1378,13 +1574,21 @@ bottomup:
35033 - * can happen with large stack limits and large mmap()
35034 - * allocations.
35035 - */
35036 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
35037 -+
35038 -+#ifdef CONFIG_PAX_RANDMMAP
35039 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
35040 -+ mm->mmap_base += mm->delta_mmap;
35041 -+#endif
35042 -+
35043 -+ mm->free_area_cache = mm->mmap_base;
35044 - mm->cached_hole_size = ~0UL;
35045 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
35046 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
35047 - /*
35048 - * Restore the topdown base:
35049 - */
35050 -- mm->free_area_cache = mm->mmap_base;
35051 -+ mm->mmap_base = base;
35052 -+ mm->free_area_cache = base;
35053 - mm->cached_hole_size = ~0UL;
35054 -
35055 - return addr;
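Review bot: the bottom-up fallback now temporarily overwrites mm->mmap_base (with the RANDMMAP delta added) before calling arch_get_unmapped_area() and restores it from `base` afterwards; this is only safe because the caller holds mmap_sem for writing, since the arch_unmap_area() hunks above compare addresses against mm->mmap_base. State that requirement in a comment, and keep the single return path so the restore cannot be skipped.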
35056 -@@ -1393,6 +1597,12 @@ bottomup:
35057 -
35058 - void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
35059 - {
35060 -+
35061 -+#ifdef CONFIG_PAX_SEGMEXEC
35062 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
35063 -+ return;
35064 -+#endif
35065 -+
35066 - /*
35067 - * Is this a new hole at the highest possible address?
35068 - */
35069 -@@ -1400,8 +1610,10 @@ void arch_unmap_area_topdown(struct mm_s
35070 - mm->free_area_cache = addr;
35071 -
35072 - /* dont allow allocations above current base */
35073 -- if (mm->free_area_cache > mm->mmap_base)
35074 -+ if (mm->free_area_cache > mm->mmap_base) {
35075 - mm->free_area_cache = mm->mmap_base;
35076 -+ mm->cached_hole_size = ~0UL;
35077 -+ }
35078 - }
35079 -
35080 - unsigned long
35081 -@@ -1501,6 +1713,33 @@ out:
35082 - return prev ? prev->vm_next : vma;
35083 - }
35084 -
35085 -+#ifdef CONFIG_PAX_SEGMEXEC
35086 -+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
35087 -+{
35088 -+ struct vm_area_struct *vma_m;
35089 -+
35090 -+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
35091 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
35092 -+ BUG_ON(vma->vm_mirror);
35093 -+ return NULL;
35094 -+ }
35095 -+ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
35096 -+ vma_m = vma->vm_mirror;
35097 -+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
35098 -+ BUG_ON(vma->vm_file != vma_m->vm_file);
35099 -+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
35100 -+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
35101 -+
35102 -+#ifdef CONFIG_PAX_MPROTECT
35103 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
35104 -+#else
35105 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
35106 -+#endif
35107 -+
35108 -+ return vma_m;
35109 -+}
35110 -+#endif
35111 -+
35112 - /*
35113 - * Verify that the stack growth is acceptable and
35114 - * update accounting. This is shared with both the
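Review bot: the check `BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1)` relies on unsigned wrap-around and is not obvious; a comment stating the invariant it enforces (the vma must lie entirely on one side of SEGMEXEC_TASK_SIZE) would save every reader a detour. Since this function is also called from expand_downwards() with only a read-held mmap_sem, note which of the asserted fields are stable under that lock.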
35115 -@@ -1517,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
35116 - return -ENOMEM;
35117 -
35118 - /* Stack limit test */
35119 -+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
35120 - if (size > rlim[RLIMIT_STACK].rlim_cur)
35121 - return -ENOMEM;
35122 -
35123 -@@ -1526,6 +1766,7 @@ static int acct_stack_growth(struct vm_a
35124 - unsigned long limit;
35125 - locked = mm->locked_vm + grow;
35126 - limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
35127 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
35128 - if (locked > limit && !capable(CAP_IPC_LOCK))
35129 - return -ENOMEM;
35130 - }
35131 -@@ -1540,7 +1781,7 @@ static int acct_stack_growth(struct vm_a
35132 - * Overcommit.. This must be the final test, as it will
35133 - * update security statistics.
35134 - */
35135 -- if (security_vm_enough_memory(grow))
35136 -+ if (security_vm_enough_memory_mm(mm, grow))
35137 - return -ENOMEM;
35138 -
35139 - /* Ok, everything looks good - let it rip */
35140 -@@ -1561,35 +1802,40 @@ static inline
35141 - #endif
35142 - int expand_upwards(struct vm_area_struct *vma, unsigned long address)
35143 - {
35144 -- int error;
35145 -+ int error, locknext;
35146 -
35147 - if (!(vma->vm_flags & VM_GROWSUP))
35148 - return -EFAULT;
35149 -
35150 -+ /* Also guard against wrapping around to address 0. */
35151 -+ if (address < PAGE_ALIGN(address+1))
35152 -+ address = PAGE_ALIGN(address+1);
35153 -+ else
35154 -+ return -ENOMEM;
35155 -+
35156 - /*
35157 - * We must make sure the anon_vma is allocated
35158 - * so that the anon_vma locking is not a noop.
35159 - */
35160 - if (unlikely(anon_vma_prepare(vma)))
35161 - return -ENOMEM;
35162 -+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
35163 -+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
35164 -+ return -ENOMEM;
35165 - anon_vma_lock(vma);
35166 -+ if (locknext)
35167 -+ anon_vma_lock(vma->vm_next);
35168 -
35169 - /*
35170 - * vma->vm_start/vm_end cannot change under us because the caller
35171 - * is required to hold the mmap_sem in read mode. We need the
35172 -- * anon_vma lock to serialize against concurrent expand_stacks.
35173 -- * Also guard against wrapping around to address 0.
35174 -+ * anon_vma locks to serialize against concurrent expand_stacks
35175 -+ * and expand_upwards.
35176 - */
35177 -- if (address < PAGE_ALIGN(address+4))
35178 -- address = PAGE_ALIGN(address+4);
35179 -- else {
35180 -- anon_vma_unlock(vma);
35181 -- return -ENOMEM;
35182 -- }
35183 - error = 0;
35184 -
35185 - /* Somebody else might have raced and expanded it already */
35186 -- if (address > vma->vm_end) {
35187 -+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
35188 - unsigned long size, grow;
35189 -
35190 - size = address - vma->vm_start;
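Review bot: moving the wrap-around guard ahead of anon_vma_prepare() is an improvement (the old code had to unlock on the failure path), but it also changes `PAGE_ALIGN(address+4)` to `PAGE_ALIGN(address+1)`, which rounds differently for an address within three bytes of a page boundary; call that out in the changelog or keep +4. The new `locknext` handling locks vma and then vma->vm_next (lower address first), and the expand_downwards hunk below locks prev and then vma in the same order, so the two cannot deadlock against each other; a comment at the lock site saying so would help. Note also that when the `vma->vm_next->vm_start >= address` test fails the function returns 0 without growing, so the caller sees success.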
35191 -@@ -1599,6 +1845,8 @@ int expand_upwards(struct vm_area_struct
35192 - if (!error)
35193 - vma->vm_end = address;
35194 - }
35195 -+ if (locknext)
35196 -+ anon_vma_unlock(vma->vm_next);
35197 - anon_vma_unlock(vma);
35198 - return error;
35199 - }
35200 -@@ -1610,7 +1858,8 @@ int expand_upwards(struct vm_area_struct
35201 - static inline int expand_downwards(struct vm_area_struct *vma,
35202 - unsigned long address)
35203 - {
35204 -- int error;
35205 -+ int error, lockprev = 0;
35206 -+ struct vm_area_struct *prev = NULL;
35207 -
35208 - /*
35209 - * We must make sure the anon_vma is allocated
35210 -@@ -1624,6 +1873,15 @@ static inline int expand_downwards(struc
35211 - if (error)
35212 - return error;
35213 -
35214 -+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
35215 -+ find_vma_prev(address, &prev);
35216 -+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
35217 -+#endif
35218 -+ if (lockprev && unlikely(anon_vma_prepare(prev)))
35219 -+ return -ENOMEM;
35220 -+ if (lockprev)
35221 -+ anon_vma_lock(prev);
35222 -+
35223 - anon_vma_lock(vma);
35224 -
35225 - /*
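Review bot: `find_vma_prev(address, &prev)` passes two arguments, but find_vma_prev() takes the mm as its first parameter (`find_vma_prev(vma->vm_mm, address, &prev)`); this only escapes the compiler because the call sits under `#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)`, so on those architectures the patch will not build. The lock order (prev, then vma) matches expand_upwards() and is correct.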
35226 -@@ -1633,9 +1891,15 @@ static inline int expand_downwards(struc
35227 - */
35228 -
35229 - /* Somebody else might have raced and expanded it already */
35230 -- if (address < vma->vm_start) {
35231 -+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
35232 - unsigned long size, grow;
35233 -
35234 -+#ifdef CONFIG_PAX_SEGMEXEC
35235 -+ struct vm_area_struct *vma_m;
35236 -+
35237 -+ vma_m = pax_find_mirror_vma(vma);
35238 -+#endif
35239 -+
35240 - size = vma->vm_end - address;
35241 - grow = (vma->vm_start - address) >> PAGE_SHIFT;
35242 -
35243 -@@ -1643,9 +1907,20 @@ static inline int expand_downwards(struc
35244 - if (!error) {
35245 - vma->vm_start = address;
35246 - vma->vm_pgoff -= grow;
35247 -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
35248 -+
35249 -+#ifdef CONFIG_PAX_SEGMEXEC
35250 -+ if (vma_m) {
35251 -+ vma_m->vm_start -= grow << PAGE_SHIFT;
35252 -+ vma_m->vm_pgoff -= grow;
35253 -+ }
35254 -+#endif
35255 -+
35256 - }
35257 - }
35258 - anon_vma_unlock(vma);
35259 -+ if (lockprev)
35260 -+ anon_vma_unlock(prev);
35261 - return error;
35262 - }
35263 -
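Review bot: the mirror's `vm_start` and `vm_pgoff` are adjusted under the original vma's anon_vma lock only; that is sufficient because pax_find_mirror_vma() asserts `vma->anon_vma == vma_m->anon_vma`, but the dependency deserves a comment at this site. Also, track_exec_limit() is called here with only mmap_sem read-held, which the helper's own header comment in mm/mprotect.c acknowledges; keep the two comments in sync if either changes.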
35264 -@@ -1717,6 +1992,13 @@ static void remove_vma_list(struct mm_st
35265 - do {
35266 - long nrpages = vma_pages(vma);
35267 -
35268 -+#ifdef CONFIG_PAX_SEGMEXEC
35269 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
35270 -+ vma = remove_vma(vma);
35271 -+ continue;
35272 -+ }
35273 -+#endif
35274 -+
35275 - mm->total_vm -= nrpages;
35276 - if (vma->vm_flags & VM_LOCKED)
35277 - mm->locked_vm -= nrpages;
35278 -@@ -1763,6 +2045,16 @@ detach_vmas_to_be_unmapped(struct mm_str
35279 -
35280 - insertion_point = (prev ? &prev->vm_next : &mm->mmap);
35281 - do {
35282 -+
35283 -+#ifdef CONFIG_PAX_SEGMEXEC
35284 -+ if (vma->vm_mirror) {
35285 -+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
35286 -+ vma->vm_mirror->vm_mirror = NULL;
35287 -+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
35288 -+ vma->vm_mirror = NULL;
35289 -+ }
35290 -+#endif
35291 -+
35292 - rb_erase(&vma->vm_rb, &mm->mm_rb);
35293 - mm->map_count--;
35294 - tail_vma = vma;
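Review bot: clearing VM_EXEC on the surviving half of a mirror pair (`vma->vm_mirror->vm_flags &= ~VM_EXEC`) is what keeps pax_find_mirror_vma()'s `BUG_ON(!vma_m)` from firing if that vma is visited before the SEGMEXEC second pass in do_munmap() removes it, but vm_page_prot is not updated to match; add a comment explaining that the orphan is about to be torn down, otherwise this reads like an accidental half-update.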
35295 -@@ -1782,6 +2074,112 @@ detach_vmas_to_be_unmapped(struct mm_str
35296 - * Split a vma into two pieces at address 'addr', a new vma is allocated
35297 - * either for the first part or the tail.
35298 - */
35299 -+
35300 -+#ifdef CONFIG_PAX_SEGMEXEC
35301 -+int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
35302 -+ unsigned long addr, int new_below)
35303 -+{
35304 -+ struct mempolicy *pol, *pol_m;
35305 -+ struct vm_area_struct *new, *vma_m, *new_m = NULL;
35306 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
35307 -+
35308 -+ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
35309 -+ return -EINVAL;
35310 -+
35311 -+ vma_m = pax_find_mirror_vma(vma);
35312 -+ if (vma_m) {
35313 -+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
35314 -+ if (mm->map_count >= sysctl_max_map_count-1)
35315 -+ return -ENOMEM;
35316 -+ } else if (mm->map_count >= sysctl_max_map_count)
35317 -+ return -ENOMEM;
35318 -+
35319 -+ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
35320 -+ if (!new)
35321 -+ return -ENOMEM;
35322 -+
35323 -+ if (vma_m) {
35324 -+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
35325 -+ if (!new_m) {
35326 -+ kmem_cache_free(vm_area_cachep, new);
35327 -+ return -ENOMEM;
35328 -+ }
35329 -+ }
35330 -+
35331 -+ /* most fields are the same, copy all, and then fixup */
35332 -+ *new = *vma;
35333 -+
35334 -+ if (new_below)
35335 -+ new->vm_end = addr;
35336 -+ else {
35337 -+ new->vm_start = addr;
35338 -+ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
35339 -+ }
35340 -+
35341 -+ if (vma_m) {
35342 -+ *new_m = *vma_m;
35343 -+ new_m->vm_mirror = new;
35344 -+ new->vm_mirror = new_m;
35345 -+
35346 -+ if (new_below)
35347 -+ new_m->vm_end = addr_m;
35348 -+ else {
35349 -+ new_m->vm_start = addr_m;
35350 -+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
35351 -+ }
35352 -+ }
35353 -+
35354 -+ pol = mpol_copy(vma_policy(vma));
35355 -+ if (IS_ERR(pol)) {
35356 -+ if (new_m)
35357 -+ kmem_cache_free(vm_area_cachep, new_m);
35358 -+ kmem_cache_free(vm_area_cachep, new);
35359 -+ return PTR_ERR(pol);
35360 -+ }
35361 -+
35362 -+ if (vma_m) {
35363 -+ pol_m = mpol_copy(vma_policy(vma_m));
35364 -+ if (IS_ERR(pol_m)) {
35365 -+ mpol_free(pol);
35366 -+ kmem_cache_free(vm_area_cachep, new_m);
35367 -+ kmem_cache_free(vm_area_cachep, new);
35368 -+ return PTR_ERR(pol);
35369 -+ }
35370 -+ }
35371 -+
35372 -+ vma_set_policy(new, pol);
35373 -+
35374 -+ if (new->vm_file)
35375 -+ get_file(new->vm_file);
35376 -+
35377 -+ if (new->vm_ops && new->vm_ops->open)
35378 -+ new->vm_ops->open(new);
35379 -+
35380 -+ if (new_below)
35381 -+ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
35382 -+ ((addr - new->vm_start) >> PAGE_SHIFT), new);
35383 -+ else
35384 -+ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
35385 -+
35386 -+ if (vma_m) {
35387 -+ vma_set_policy(new_m, pol_m);
35388 -+
35389 -+ if (new_m->vm_file)
35390 -+ get_file(new_m->vm_file);
35391 -+
35392 -+ if (new_m->vm_ops && new_m->vm_ops->open)
35393 -+ new_m->vm_ops->open(new_m);
35394 -+
35395 -+ if (new_below)
35396 -+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
35397 -+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
35398 -+ else
35399 -+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
35400 -+ }
35401 -+
35402 -+ return 0;
35403 -+}
35404 -+#else
35405 - int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
35406 - unsigned long addr, int new_below)
35407 - {
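Review bot: in the SEGMEXEC split_vma(), the `pol_m` failure branch returns `PTR_ERR(pol)` although `pol` is a valid policy at that point (its own IS_ERR check has already passed), so the caller gets a bogus positive value instead of an errno; it should be `return PTR_ERR(pol_m);`. More generally, the function duplicates the whole upstream split_vma() body under `#ifdef`/`#else`; extending the original with the mirror handling would keep the two from drifting apart.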
35408 -@@ -1829,17 +2227,37 @@ int split_vma(struct mm_struct * mm, str
35409 -
35410 - return 0;
35411 - }
35412 -+#endif
35413 -
35414 - /* Munmap is split into 2 main parts -- this part which finds
35415 - * what needs doing, and the areas themselves, which do the
35416 - * work. This now handles partial unmappings.
35417 - * Jeremy Fitzhardinge <jeremy@××××.org>
35418 - */
35419 -+#ifdef CONFIG_PAX_SEGMEXEC
35420 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35421 -+{
35422 -+ int ret = __do_munmap(mm, start, len);
35423 -+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
35424 -+ return ret;
35425 -+
35426 -+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
35427 -+}
35428 -+
35429 -+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35430 -+#else
35431 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
35432 -+#endif
35433 - {
35434 - unsigned long end;
35435 - struct vm_area_struct *vma, *prev, *last;
35436 -
35437 -+ /*
35438 -+ * mm->mmap_sem is required to protect against another thread
35439 -+ * changing the mappings in case we sleep.
35440 -+ */
35441 -+ verify_mm_writelocked(mm);
35442 -+
35443 - if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
35444 - return -EINVAL;
35445 -
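Review bot: do_munmap() calls __do_munmap() before its definition, so a prototype must exist in a header for this to compile, and none is visible in this diff. Also, if the first __do_munmap() succeeds and the second (the mirror range at `start + SEGMEXEC_TASK_SIZE`) fails, the caller gets an error while the lower half is already gone; document that the second call cannot fail for the ranges sys_munmap() admits, or handle the partial state.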
35446 -@@ -1889,6 +2307,8 @@ int do_munmap(struct mm_struct *mm, unsi
35447 - /* Fix up all other VM information */
35448 - remove_vma_list(mm, vma);
35449 -
35450 -+ track_exec_limit(mm, start, end, 0UL);
35451 -+
35452 - return 0;
35453 - }
35454 -
35455 -@@ -1901,22 +2321,18 @@ asmlinkage long sys_munmap(unsigned long
35456 -
35457 - profile_munmap(addr);
35458 -
35459 -+#ifdef CONFIG_PAX_SEGMEXEC
35460 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
35461 -+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
35462 -+ return -EINVAL;
35463 -+#endif
35464 -+
35465 - down_write(&mm->mmap_sem);
35466 - ret = do_munmap(mm, addr, len);
35467 - up_write(&mm->mmap_sem);
35468 - return ret;
35469 - }
35470 -
35471 --static inline void verify_mm_writelocked(struct mm_struct *mm)
35472 --{
35473 --#ifdef CONFIG_DEBUG_VM
35474 -- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
35475 -- WARN_ON(1);
35476 -- up_read(&mm->mmap_sem);
35477 -- }
35478 --#endif
35479 --}
35480 --
35481 - /*
35482 - * this is really a simplified "do_mmap". it only handles
35483 - * anonymous maps. eventually we may be able to do some
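Review bot: the SEGMEXEC range check `len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len` is written in the subtractive form that cannot overflow, good. The deletion of verify_mm_writelocked() here, after the patch adds calls to it in mmap_region() and __do_munmap() above, only works if the helper is re-introduced earlier in the file or in a header; that move is not part of the visible hunks.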
35484 -@@ -1930,6 +2346,11 @@ unsigned long do_brk(unsigned long addr,
35485 - struct rb_node ** rb_link, * rb_parent;
35486 - pgoff_t pgoff = addr >> PAGE_SHIFT;
35487 - int error;
35488 -+ unsigned long charged;
35489 -+
35490 -+#ifdef CONFIG_PAX_SEGMEXEC
35491 -+ struct vm_area_struct *vma_m = NULL;
35492 -+#endif
35493 -
35494 - len = PAGE_ALIGN(len);
35495 - if (!len)
35496 -@@ -1947,19 +2368,34 @@ unsigned long do_brk(unsigned long addr,
35497 -
35498 - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
35499 -
35500 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
35501 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35502 -+ flags &= ~VM_EXEC;
35503 -+
35504 -+#ifdef CONFIG_PAX_MPROTECT
35505 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
35506 -+ flags &= ~VM_MAYEXEC;
35507 -+#endif
35508 -+
35509 -+ }
35510 -+#endif
35511 -+
35512 - error = arch_mmap_check(addr, len, flags);
35513 - if (error)
35514 - return error;
35515 -
35516 -+ charged = len >> PAGE_SHIFT;
35517 -+
35518 - /*
35519 - * mlock MCL_FUTURE?
35520 - */
35521 - if (mm->def_flags & VM_LOCKED) {
35522 - unsigned long locked, lock_limit;
35523 -- locked = len >> PAGE_SHIFT;
35524 -+ locked = charged;
35525 - locked += mm->locked_vm;
35526 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
35527 - lock_limit >>= PAGE_SHIFT;
35528 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
35529 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
35530 - return -EAGAIN;
35531 - }
35532 -@@ -1973,22 +2409,22 @@ unsigned long do_brk(unsigned long addr,
35533 - /*
35534 - * Clear old maps. this also does some error checking for us
35535 - */
35536 -- munmap_back:
35537 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
35538 - if (vma && vma->vm_start < addr + len) {
35539 - if (do_munmap(mm, addr, len))
35540 - return -ENOMEM;
35541 -- goto munmap_back;
35542 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
35543 -+ BUG_ON(vma && vma->vm_start < addr + len);
35544 - }
35545 -
35546 - /* Check against address space limits *after* clearing old maps... */
35547 -- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
35548 -+ if (!may_expand_vm(mm, charged))
35549 - return -ENOMEM;
35550 -
35551 - if (mm->map_count > sysctl_max_map_count)
35552 - return -ENOMEM;
35553 -
35554 -- if (security_vm_enough_memory(len >> PAGE_SHIFT))
35555 -+ if (security_vm_enough_memory(charged))
35556 - return -ENOMEM;
35557 -
35558 - /* Can we just expand an old private anonymous mapping? */
35559 -@@ -2001,10 +2437,21 @@ unsigned long do_brk(unsigned long addr,
35560 - */
35561 - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35562 - if (!vma) {
35563 -- vm_unacct_memory(len >> PAGE_SHIFT);
35564 -+ vm_unacct_memory(charged);
35565 - return -ENOMEM;
35566 - }
35567 -
35568 -+#ifdef CONFIG_PAX_SEGMEXEC
35569 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
35570 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35571 -+ if (!vma_m) {
35572 -+ kmem_cache_free(vm_area_cachep, vma);
35573 -+ vm_unacct_memory(charged);
35574 -+ return -ENOMEM;
35575 -+ }
35576 -+ }
35577 -+#endif
35578 -+
35579 - vma->vm_mm = mm;
35580 - vma->vm_start = addr;
35581 - vma->vm_end = addr + len;
35582 -@@ -2012,12 +2459,19 @@ unsigned long do_brk(unsigned long addr,
35583 - vma->vm_flags = flags;
35584 - vma->vm_page_prot = vm_get_page_prot(flags);
35585 - vma_link(mm, vma, prev, rb_link, rb_parent);
35586 -+
35587 -+#ifdef CONFIG_PAX_SEGMEXEC
35588 -+ if (vma_m)
35589 -+ pax_mirror_vma(vma_m, vma);
35590 -+#endif
35591 -+
35592 - out:
35593 -- mm->total_vm += len >> PAGE_SHIFT;
35594 -+ mm->total_vm += charged;
35595 - if (flags & VM_LOCKED) {
35596 -- mm->locked_vm += len >> PAGE_SHIFT;
35597 -+ mm->locked_vm += charged;
35598 - make_pages_present(addr, addr + len);
35599 - }
35600 -+ track_exec_limit(mm, addr, addr + len, flags);
35601 - return addr;
35602 - }
35603 -
35604 -@@ -2048,8 +2502,10 @@ void exit_mmap(struct mm_struct *mm)
35605 - * Walk the list again, actually closing and freeing it,
35606 - * with preemption enabled, without holding any MM locks.
35607 - */
35608 -- while (vma)
35609 -+ while (vma) {
35610 -+ vma->vm_mirror = NULL;
35611 - vma = remove_vma(vma);
35612 -+ }
35613 -
35614 - BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
35615 - }
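Review bot: `vma->vm_mirror = NULL;` in exit_mmap() is one of only two references to vm_mirror not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC` (the `BUG_ON(vma->vm_mirror)` added to copy_vma() below is the other); both compile only if the field exists unconditionally in vm_area_struct. Either guard them like the rest of the file or make the unconditional field explicit in the changelog.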
35616 -@@ -2063,6 +2519,10 @@ int insert_vm_struct(struct mm_struct *
35617 - struct vm_area_struct * __vma, * prev;
35618 - struct rb_node ** rb_link, * rb_parent;
35619 -
35620 -+#ifdef CONFIG_PAX_SEGMEXEC
35621 -+ struct vm_area_struct *vma_m = NULL;
35622 -+#endif
35623 -+
35624 - /*
35625 - * The vm_pgoff of a purely anonymous vma should be irrelevant
35626 - * until its first write fault, when page's anon_vma and index
35627 -@@ -2085,7 +2545,22 @@ int insert_vm_struct(struct mm_struct *
35628 - if ((vma->vm_flags & VM_ACCOUNT) &&
35629 - security_vm_enough_memory_mm(mm, vma_pages(vma)))
35630 - return -ENOMEM;
35631 -+
35632 -+#ifdef CONFIG_PAX_SEGMEXEC
35633 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
35634 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35635 -+ if (!vma_m)
35636 -+ return -ENOMEM;
35637 -+ }
35638 -+#endif
35639 -+
35640 - vma_link(mm, vma, prev, rb_link, rb_parent);
35641 -+
35642 -+#ifdef CONFIG_PAX_SEGMEXEC
35643 -+ if (vma_m)
35644 -+ pax_mirror_vma(vma_m, vma);
35645 -+#endif
35646 -+
35647 - return 0;
35648 - }
35649 -
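Review bot: here vma_m is allocated with kmem_cache_zalloc() and handed straight to pax_mirror_vma() without copying the original's mempolicy, unlike mmap_region(), which calls mpol_copy() for the mirror; pax_mirror_vma() asserts `BUG_ON(!vma_mpol_equal(vma, vma_m))`, so inserting an executable vma that carries a policy hits that BUG_ON. Copy the policy here the way mmap_region() does.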
35650 -@@ -2103,6 +2578,8 @@ struct vm_area_struct *copy_vma(struct v
35651 - struct rb_node **rb_link, *rb_parent;
35652 - struct mempolicy *pol;
35653 -
35654 -+ BUG_ON(vma->vm_mirror);
35655 -+
35656 - /*
35657 - * If anonymous vma has not yet been faulted, update new pgoff
35658 - * to match new location, to increase its chance of merging.
35659 -@@ -2143,6 +2620,34 @@ struct vm_area_struct *copy_vma(struct v
35660 - return new_vma;
35661 - }
35662 -
35663 -+#ifdef CONFIG_PAX_SEGMEXEC
35664 -+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
35665 -+{
35666 -+ struct vm_area_struct *prev_m;
35667 -+ struct rb_node **rb_link_m, *rb_parent_m;
35668 -+ struct mempolicy *pol_m;
35669 -+
35670 -+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
35671 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
35672 -+ BUG_ON(!vma_mpol_equal(vma, vma_m));
35673 -+ pol_m = vma_policy(vma_m);
35674 -+ *vma_m = *vma;
35675 -+ vma_set_policy(vma_m, pol_m);
35676 -+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
35677 -+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
35678 -+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
35679 -+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
35680 -+ if (vma_m->vm_file)
35681 -+ get_file(vma_m->vm_file);
35682 -+ if (vma_m->vm_ops && vma_m->vm_ops->open)
35683 -+ vma_m->vm_ops->open(vma_m);
35684 -+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
35685 -+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
35686 -+ vma_m->vm_mirror = vma;
35687 -+ vma->vm_mirror = vma_m;
35688 -+}
35689 -+#endif
35690 -+
35691 - /*
35692 - * Return true if the calling process may expand its vm space by the passed
35693 - * number of pages
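Review bot: `*vma_m = *vma;` copies the list and rb-tree linkage along with everything else and relies on vma_link() to overwrite it; a comment saying so would stop a future reader from assuming the mirror is linked twice. The mirror also takes its own file reference and invokes vm_ops->open(), so drivers now see two vma objects for one mmap() of an executable region; that is visible behaviour for anything keeping per-vma state and belongs in the patch description.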
35694 -@@ -2153,7 +2658,7 @@ int may_expand_vm(struct mm_struct *mm,
35695 - unsigned long lim;
35696 -
35697 - lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
35698 --
35699 -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
35700 - if (cur + npages > lim)
35701 - return 0;
35702 - return 1;
35703 -@@ -2165,7 +2670,7 @@ static struct page *special_mapping_nopa
35704 - {
35705 - struct page **pages;
35706 -
35707 -- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
35708 -+ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
35709 -
35710 - address -= vma->vm_start;
35711 - for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
35712 -@@ -2215,6 +2720,15 @@ int install_special_mapping(struct mm_st
35713 - vma->vm_start = addr;
35714 - vma->vm_end = addr + len;
35715 -
35716 -+#ifdef CONFIG_PAX_MPROTECT
35717 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
35718 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
35719 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
35720 -+ else
35721 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
35722 -+ }
35723 -+#endif
35724 -+
35725 - vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
35726 - vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
35727 -
35728 -diff -urNp linux-2.6.24.4/mm/mprotect.c linux-2.6.24.4/mm/mprotect.c
35729 ---- linux-2.6.24.4/mm/mprotect.c 2008-03-24 14:49:18.000000000 -0400
35730 -+++ linux-2.6.24.4/mm/mprotect.c 2008-03-26 17:56:56.000000000 -0400
35731 -@@ -21,10 +21,17 @@
35732 - #include <linux/syscalls.h>
35733 - #include <linux/swap.h>
35734 - #include <linux/swapops.h>
35735 -+#include <linux/grsecurity.h>
35736 -+
35737 -+#ifdef CONFIG_PAX_MPROTECT
35738 -+#include <linux/elf.h>
35739 -+#endif
35740 -+
35741 - #include <asm/uaccess.h>
35742 - #include <asm/pgtable.h>
35743 - #include <asm/cacheflush.h>
35744 - #include <asm/tlbflush.h>
35745 -+#include <asm/mmu_context.h>
35746 -
35747 - static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
35748 - unsigned long addr, unsigned long end, pgprot_t newprot,
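Review bot: `<asm/mmu_context.h>` is included unconditionally although the only new user in this file is `set_user_cs()` inside the CONFIG_ARCH_TRACK_EXEC_LIMIT block; guard it the way `<linux/elf.h>` is guarded by CONFIG_PAX_MPROTECT so other configurations do not pick up an arch header they do not need.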
35749 -@@ -127,6 +134,48 @@ static void change_protection(struct vm_
35750 - flush_tlb_range(vma, start, end);
35751 - }
35752 -
35753 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35754 -+/* called while holding the mmap semaphor for writing except stack expansion */
35755 -+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
35756 -+{
35757 -+ unsigned long oldlimit, newlimit = 0UL;
35758 -+
35759 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
35760 -+ return;
35761 -+
35762 -+ spin_lock(&mm->page_table_lock);
35763 -+ oldlimit = mm->context.user_cs_limit;
35764 -+ if ((prot & VM_EXEC) && oldlimit < end)
35765 -+ /* USER_CS limit moved up */
35766 -+ newlimit = end;
35767 -+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
35768 -+ /* USER_CS limit moved down */
35769 -+ newlimit = start;
35770 -+
35771 -+ if (newlimit) {
35772 -+ mm->context.user_cs_limit = newlimit;
35773 -+
35774 -+#ifdef CONFIG_SMP
35775 -+ wmb();
35776 -+ cpus_clear(mm->context.cpu_user_cs_mask);
35777 -+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
35778 -+#endif
35779 -+
35780 -+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
35781 -+ }
35782 -+ spin_unlock(&mm->page_table_lock);
35783 -+ if (newlimit == end) {
35784 -+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
35785 -+
35786 -+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
35787 -+ if (is_vm_hugetlb_page(vma))
35788 -+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
35789 -+ else
35790 -+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
35791 -+ }
35792 -+}
35793 -+#endif
35794 -+
35795 - int
35796 - mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
35797 - unsigned long start, unsigned long end, unsigned long newflags)
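Review bot: when the limit moves down, other CPUs currently running this mm keep their old, larger USER_CS limit: the hunk clears `cpu_user_cs_mask`, sets only `smp_processor_id()` and reloads the descriptor locally, and nothing sends an IPI, so until those CPUs switch back into this mm they can still execute from pages that just lost VM_EXEC. Either state in the comment that this window is accepted and why, or flush the other CPUs explicitly. Two smaller points: `newlimit = start` is silently ignored by `if (newlimit)` when `start` is 0, and "semaphor" in the comment should be "semaphore".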
35798 -@@ -139,11 +188,41 @@ mprotect_fixup(struct vm_area_struct *vm
35799 - int error;
35800 - int dirty_accountable = 0;
35801 -
35802 -+#ifdef CONFIG_PAX_SEGMEXEC
35803 -+ struct vm_area_struct *vma_m = NULL;
35804 -+ unsigned long start_m, end_m;
35805 -+
35806 -+ start_m = start + SEGMEXEC_TASK_SIZE;
35807 -+ end_m = end + SEGMEXEC_TASK_SIZE;
35808 -+#endif
35809 -+
35810 - if (newflags == oldflags) {
35811 - *pprev = vma;
35812 - return 0;
35813 - }
35814 -
35815 -+#ifdef CONFIG_PAX_SEGMEXEC
35816 -+ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
35817 -+ if (start != vma->vm_start) {
35818 -+ error = split_vma(mm, vma, start, 1);
35819 -+ if (error)
35820 -+ return -ENOMEM;
35821 -+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
35822 -+ *pprev = (*pprev)->vm_next;
35823 -+ }
35824 -+
35825 -+ if (end != vma->vm_end) {
35826 -+ error = split_vma(mm, vma, end, 0);
35827 -+ if (error)
35828 -+ return -ENOMEM;
35829 -+ }
35830 -+
35831 -+ error = __do_munmap(mm, start_m, end_m - start_m);
35832 -+ if (error)
35833 -+ return -ENOMEM;
35834 -+ }
35835 -+#endif
35836 -+
35837 - /*
35838 - * If we make a private mapping writable we increase our commit;
35839 - * but (without finer accounting) cannot reduce our commit if we
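Review bot: the mirror is torn down too early. `__do_munmap(mm, start_m, end_m - start_m)` runs before the accounting step further down this function that can still `goto fail`, so if that fails the caller is left with a VMA that keeps VM_EXEC but no longer has its SEGMEXEC mirror, and nothing restores it; the two `split_vma()` calls are likewise not undone when `__do_munmap()` fails. Defer the unmap until the function can no longer fail (the `success:` path), or recreate the mirror on the failure path.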
35840 -@@ -186,6 +265,25 @@ mprotect_fixup(struct vm_area_struct *vm
35841 - goto fail;
35842 - }
35843 -
35844 -+#ifdef CONFIG_PAX_SEGMEXEC
35845 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
35846 -+ struct mempolicy *pol;
35847 -+
35848 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
35849 -+ if (!vma_m) {
35850 -+ error = -ENOMEM;
35851 -+ goto fail;
35852 -+ }
35853 -+ pol = mpol_copy(vma_policy(vma));
35854 -+ if (IS_ERR(pol)) {
35855 -+ kmem_cache_free(vm_area_cachep, vma_m);
35856 -+ error = -ENOMEM;
35857 -+ goto fail;
35858 -+ }
35859 -+ vma_set_policy(vma_m, pol);
35860 -+ }
35861 -+#endif
35862 -+
35863 - success:
35864 - /*
35865 - * vm_flags and vm_page_prot are protected by the mmap_sem
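Review bot: `vma_m` and its copied mempolicy leak if anything between this block and `success:` fails: the existing `split_vma()` calls further down still `goto fail`, and the `fail:` path of this function is not touched by the patch, so nothing frees `vma_m` there. Either allocate just before `success:` (after the last failure point) or free `vma_m` and its policy on `fail:`.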
35866 -@@ -202,6 +300,12 @@ success:
35867 - hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
35868 - else
35869 - change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
35870 -+
35871 -+#ifdef CONFIG_PAX_SEGMEXEC
35872 -+ if (vma_m)
35873 -+ pax_mirror_vma(vma_m, vma);
35874 -+#endif
35875 -+
35876 - vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
35877 - vm_stat_account(mm, newflags, vma->vm_file, nrpages);
35878 - return 0;
35879 -@@ -211,6 +315,70 @@ fail:
35880 - return error;
35881 - }
35882 -
35883 -+#ifdef CONFIG_PAX_MPROTECT
35884 -+/* PaX: non-PIC ELF libraries need relocations on their executable segments
35885 -+ * therefore we'll grant them VM_MAYWRITE once during their life.
35886 -+ *
35887 -+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
35888 -+ * basis because we want to allow the common case and not the special ones.
35889 -+ */
35890 -+static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
35891 -+{
35892 -+ struct elfhdr elf_h;
35893 -+ struct elf_phdr elf_p;
35894 -+ elf_addr_t dyn_offset = 0UL;
35895 -+ elf_dyn dyn;
35896 -+ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
35897 -+
35898 -+#ifndef CONFIG_PAX_NOELFRELOCS
35899 -+ if ((vma->vm_start != start) ||
35900 -+ !vma->vm_file ||
35901 -+ !(vma->vm_flags & VM_MAYEXEC) ||
35902 -+ (vma->vm_flags & VM_MAYNOTWRITE))
35903 -+#endif
35904 -+
35905 -+ return;
35906 -+
35907 -+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
35908 -+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
35909 -+
35910 -+#ifdef CONFIG_PAX_ETEXECRELOCS
35911 -+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
35912 -+#else
35913 -+ elf_h.e_type != ET_DYN ||
35914 -+#endif
35915 -+
35916 -+ !elf_check_arch(&elf_h) ||
35917 -+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
35918 -+ elf_h.e_phnum > j)
35919 -+ return;
35920 -+
35921 -+ for (i = 0UL; i < elf_h.e_phnum; i++) {
35922 -+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
35923 -+ return;
35924 -+ if (elf_p.p_type == PT_DYNAMIC) {
35925 -+ dyn_offset = elf_p.p_offset;
35926 -+ j = i;
35927 -+ }
35928 -+ }
35929 -+ if (elf_h.e_phnum <= j)
35930 -+ return;
35931 -+
35932 -+ i = 0UL;
35933 -+ do {
35934 -+ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
35935 -+ return;
35936 -+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
35937 -+ gr_log_textrel(vma);
35938 -+ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
35939 -+ return;
35940 -+ }
35941 -+ i++;
35942 -+ } while (dyn.d_tag != DT_NULL);
35943 -+ return;
35944 -+}
35945 -+#endif
35946 -+
35947 - asmlinkage long
35948 - sys_mprotect(unsigned long start, size_t len, unsigned long prot)
35949 - {
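Review bot: the `do { ... } while (dyn.d_tag != DT_NULL)` walk has no bound other than hitting EOF: a crafted library whose PT_DYNAMIC segment lacks a DT_NULL terminator makes this loop `kernel_read()` one `elf_dyn` at a time through the rest of the file, while `sys_mprotect()` holds `mmap_sem` for writing. Bound the loop by `elf_p.p_filesz` of the PT_DYNAMIC entry, which is already in hand, so the number of reads is fixed by the segment size. Readability: `j` serves first as the `e_phnum` bound and then as the index of the PT_DYNAMIC header, which is hard to follow; and the `#ifndef CONFIG_PAX_NOELFRELOCS` that leaves a bare `return;` after `#endif` would be clearer as an `#ifdef CONFIG_PAX_NOELFRELOCS` early return at the top of the function.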
35950 -@@ -230,6 +398,17 @@ sys_mprotect(unsigned long start, size_t
35951 - end = start + len;
35952 - if (end <= start)
35953 - return -ENOMEM;
35954 -+
35955 -+#ifdef CONFIG_PAX_SEGMEXEC
35956 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
35957 -+ if (end > SEGMEXEC_TASK_SIZE)
35958 -+ return -EINVAL;
35959 -+ } else
35960 -+#endif
35961 -+
35962 -+ if (end > TASK_SIZE)
35963 -+ return -EINVAL;
35964 -+
35965 - if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
35966 - return -EINVAL;
35967 -
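Review bot: the `} else` / `#endif` / `if (end > TASK_SIZE)` sequence compiles to an else-if only because of where the `#ifdef` falls, which is fragile under later edits; the mremap.c hunk in this same patch handles the identical case with a local `task_size` that defaults to TASK_SIZE and is overridden under SEGMEXEC. Use that pattern here so both syscalls read the same way.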
35968 -@@ -237,7 +416,7 @@ sys_mprotect(unsigned long start, size_t
35969 - /*
35970 - * Does the application expect PROT_READ to imply PROT_EXEC:
35971 - */
35972 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
35973 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
35974 - prot |= PROT_EXEC;
35975 -
35976 - vm_flags = calc_vm_prot_bits(prot);
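Review bot: extending READ_IMPLIES_EXEC to PROT_WRITE is a visible semantic change (an `mprotect(PROT_WRITE)` in a legacy-personality process now also requests PROT_EXEC) with no comment explaining it. Presumably the rationale is that on non-NX x86 a writable page is executable in hardware anyway, so the flags should say so; that belongs in a comment here, and the commit message should spell out how the resulting write+exec request interacts with the MPROTECT handling.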
35977 -@@ -269,6 +448,16 @@ sys_mprotect(unsigned long start, size_t
35978 - if (start > vma->vm_start)
35979 - prev = vma;
35980 -
35981 -+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
35982 -+ error = -EACCES;
35983 -+ goto out;
35984 -+ }
35985 -+
35986 -+#ifdef CONFIG_PAX_MPROTECT
35987 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
35988 -+ pax_handle_maywrite(vma, start);
35989 -+#endif
35990 -+
35991 - for (nstart = start ; ; ) {
35992 - unsigned long newflags;
35993 -
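Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` is evaluated once, for the first VMA only, before the `for (nstart = start ; ; )` loop, while an mprotect range can span several VMAs backed by different files; the later VMAs in the range are never checked, unlike `security_file_mprotect()`, which the loop calls per VMA. Move the RBAC check into the loop next to `security_file_mprotect()`. (`pax_handle_maywrite()` is a different case: it only applies when `vma->vm_start == start`, so the first VMA is the only candidate.)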
35994 -@@ -282,6 +471,12 @@ sys_mprotect(unsigned long start, size_t
35995 - goto out;
35996 - }
35997 -
35998 -+#ifdef CONFIG_PAX_MPROTECT
35999 -+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
36000 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
36001 -+ newflags &= ~VM_MAYWRITE;
36002 -+#endif
36003 -+
36004 - error = security_file_mprotect(vma, reqprot, prot);
36005 - if (error)
36006 - goto out;
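Review bot: the comment should say what VM_MAYNOTWRITE means for a reader who has not seen `pax_handle_maywrite()`: the flag marks a mapping that received its one-time VM_MAYWRITE grant for text relocations, and this is where the grant is revoked as soon as the caller drops PROT_WRITE. Also "noone" should be "no one".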
36007 -@@ -292,6 +487,9 @@ sys_mprotect(unsigned long start, size_t
36008 - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
36009 - if (error)
36010 - goto out;
36011 -+
36012 -+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
36013 -+
36014 - nstart = tmp;
36015 -
36016 - if (nstart < prev->vm_end)
36017 -diff -urNp linux-2.6.24.4/mm/mremap.c linux-2.6.24.4/mm/mremap.c
36018 ---- linux-2.6.24.4/mm/mremap.c 2008-03-24 14:49:18.000000000 -0400
36019 -+++ linux-2.6.24.4/mm/mremap.c 2008-03-26 17:56:56.000000000 -0400
36020 -@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
36021 - continue;
36022 - pte = ptep_clear_flush(vma, old_addr, old_pte);
36023 - pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
36024 -+
36025 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
36026 -+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
36027 -+ pte = pte_exprotect(pte);
36028 -+#endif
36029 -+
36030 - set_pte_at(mm, new_addr, new_pte, pte);
36031 - }
36032 -
36033 -@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
36034 - struct vm_area_struct *vma;
36035 - unsigned long ret = -EINVAL;
36036 - unsigned long charged = 0;
36037 -+ unsigned long task_size = TASK_SIZE;
36038 -
36039 - if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
36040 - goto out;
36041 -@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
36042 - if (!new_len)
36043 - goto out;
36044 -
36045 -+#ifdef CONFIG_PAX_SEGMEXEC
36046 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
36047 -+ task_size = SEGMEXEC_TASK_SIZE;
36048 -+#endif
36049 -+
36050 -+ if (new_len > task_size || addr > task_size-new_len ||
36051 -+ old_len > task_size || addr > task_size-old_len)
36052 -+ goto out;
36053 -+
36054 - /* new_addr is only valid if MREMAP_FIXED is specified */
36055 - if (flags & MREMAP_FIXED) {
36056 - if (new_addr & ~PAGE_MASK)
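Review bot: `task_size-new_len` and `task_size-old_len` lack the spaces around `-` used everywhere else in this function; minor, but worth fixing while the lines are being added.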
36057 -@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
36058 - if (!(flags & MREMAP_MAYMOVE))
36059 - goto out;
36060 -
36061 -- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
36062 -+ if (new_addr > task_size - new_len)
36063 - goto out;
36064 -
36065 - /* Check if the location we're moving into overlaps the
36066 - * old location at all, and fail if it does.
36067 - */
36068 -- if ((new_addr <= addr) && (new_addr+new_len) > addr)
36069 -- goto out;
36070 --
36071 -- if ((addr <= new_addr) && (addr+old_len) > new_addr)
36072 -+ if (addr + old_len > new_addr && new_addr + new_len > addr)
36073 - goto out;
36074 -
36075 - ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
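Review bot: the collapsed overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is only correct because the bounds checks added earlier in this function guarantee that neither sum wraps; a one-line comment stating that dependency would keep a later reordering from breaking it.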
36076 -@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
36077 - ret = -EINVAL;
36078 - goto out;
36079 - }
36080 -+
36081 -+#ifdef CONFIG_PAX_SEGMEXEC
36082 -+ if (pax_find_mirror_vma(vma)) {
36083 -+ ret = -EINVAL;
36084 -+ goto out;
36085 -+ }
36086 -+#endif
36087 -+
36088 - /* We can't remap across vm area boundaries */
36089 - if (old_len > vma->vm_end - addr)
36090 - goto out;
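Review bot: refusing `mremap()` outright on any mirrored (that is, executable) VMA under SEGMEXEC is a user-visible restriction that should be mentioned in the Kconfig help or the commit message; `-EINVAL` also gives the caller no hint that the operation is unsupported rather than malformed.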
36091 -@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
36092 - if (old_len == vma->vm_end - addr &&
36093 - !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
36094 - (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
36095 -- unsigned long max_addr = TASK_SIZE;
36096 -+ unsigned long max_addr = task_size;
36097 - if (vma->vm_next)
36098 - max_addr = vma->vm_next->vm_start;
36099 - /* can we just expand the current mapping? */
36100 -@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
36101 - addr + new_len);
36102 - }
36103 - ret = addr;
36104 -+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
36105 - goto out;
36106 - }
36107 - }
36108 -@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
36109 - */
36110 - ret = -ENOMEM;
36111 - if (flags & MREMAP_MAYMOVE) {
36112 -+ unsigned long map_flags = 0;
36113 - if (!(flags & MREMAP_FIXED)) {
36114 -- unsigned long map_flags = 0;
36115 - if (vma->vm_flags & VM_MAYSHARE)
36116 - map_flags |= MAP_SHARED;
36117 -
36118 -@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
36119 - if (ret)
36120 - goto out;
36121 - }
36122 -+ map_flags = vma->vm_flags;
36123 - ret = move_vma(vma, addr, old_len, new_len, new_addr);
36124 -+ if (!(ret & ~PAGE_MASK)) {
36125 -+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
36126 -+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
36127 -+ }
36128 - }
36129 - out:
36130 - if (ret & ~PAGE_MASK)
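Review bot: `map_flags` now carries two unrelated things: MAP_SHARED for `get_unmapped_area()` in the `!MREMAP_FIXED` branch, and then `vma->vm_flags`, saved so it survives `move_vma()` (after which `vma` may be gone). Use a separate local such as `vm_flags` for the saved VMA flags so nobody later reads MAP_* bits where VM_* bits are expected, and add a comment explaining why `current->mm` rather than `vma->vm_mm` is passed to `track_exec_limit()` here, unlike the in-place expansion path above.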
36131 -diff -urNp linux-2.6.24.4/mm/nommu.c linux-2.6.24.4/mm/nommu.c
36132 ---- linux-2.6.24.4/mm/nommu.c 2008-03-24 14:49:18.000000000 -0400
36133 -+++ linux-2.6.24.4/mm/nommu.c 2008-03-26 17:56:56.000000000 -0400
36134 -@@ -377,15 +377,6 @@ struct vm_area_struct *find_vma(struct m
36135 - }
36136 - EXPORT_SYMBOL(find_vma);
36137 -
36138 --/*
36139 -- * find a VMA
36140 -- * - we don't extend stack VMAs under NOMMU conditions
36141 -- */
36142 --struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
36143 --{
36144 -- return find_vma(mm, addr);
36145 --}
36146 --
36147 - int expand_stack(struct vm_area_struct *vma, unsigned long address)
36148 - {
36149 - return -ENOMEM;
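Review bot: this hunk deletes nommu's `find_extend_vma()` but nothing in this file provides a replacement; presumably it moves to a shared header or to a common implementation elsewhere in the patch, but the hunk should say where, or a CONFIG_MMU=n build will fail to link.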
36150 -diff -urNp linux-2.6.24.4/mm/page_alloc.c linux-2.6.24.4/mm/page_alloc.c
36151 ---- linux-2.6.24.4/mm/page_alloc.c 2008-03-24 14:49:18.000000000 -0400
36152 -+++ linux-2.6.24.4/mm/page_alloc.c 2008-03-26 17:56:56.000000000 -0400
36153 -@@ -505,9 +505,20 @@ static void free_pages_bulk(struct zone
36154 -
36155 - static void free_one_page(struct zone *zone, struct page *page, int order)
36156 - {
36157 -+
36158 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36159 -+ unsigned long index = 1UL << order;
36160 -+#endif
36161 -+
36162 - spin_lock(&zone->lock);
36163 - zone_clear_flag(zone, ZONE_ALL_UNRECLAIMABLE);
36164 - zone->pages_scanned = 0;
36165 -+
36166 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36167 -+ for (; index; --index)
36168 -+ sanitize_highpage(page + index - 1);
36169 -+#endif
36170 -+
36171 - __free_one_page(page, zone, order);
36172 - spin_unlock(&zone->lock);
36173 - }
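Review bot: the sanitize loop runs inside `spin_lock(&zone->lock)`, so a high-order free clears up to `1 << order` pages with the zone lock held, on a path that `__free_pages_ok()` enters with interrupts disabled; for MAX_ORDER-1 on x86 that is 4 MiB of memset under the lock. The pages are exclusively owned by the freer before the lock is taken, so move the loop ahead of `spin_lock()`.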
36174 -@@ -631,8 +642,10 @@ static int prep_new_page(struct page *pa
36175 - arch_alloc_page(page, order);
36176 - kernel_map_pages(page, 1 << order, 1);
36177 -
36178 -+#ifndef CONFIG_PAX_MEMORY_SANITIZE
36179 - if (gfp_flags & __GFP_ZERO)
36180 - prep_zero_page(page, order, gfp_flags);
36181 -+#endif
36182 -
36183 - if (order && (gfp_flags & __GFP_COMP))
36184 - prep_compound_page(page, order);
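Review bot: compiling out `prep_zero_page()` makes `__GFP_ZERO` correctness depend on the invariant that every page entering the buddy allocator has already been sanitized, which this patch establishes only for `free_one_page()` and `free_hot_cold_page()`; any path that returns pages to the free lists without going through those two functions would then hand uncleared memory to a caller that asked for zeros. Document the invariant next to this `#ifndef`, or keep `prep_zero_page()` for the cases that cannot be shown to have gone through the sanitizer.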
36185 -@@ -1007,6 +1020,11 @@ static void fastcall free_hot_cold_page(
36186 - list_add(&page->lru, &pcp->list);
36187 - set_page_private(page, get_pageblock_migratetype(page));
36188 - pcp->count++;
36189 -+
36190 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
36191 -+ sanitize_highpage(page);
36192 -+#endif
36193 -+
36194 - if (pcp->count >= pcp->high) {
36195 - free_pages_bulk(zone, pcp->batch, &pcp->list, 0);
36196 - pcp->count -= pcp->batch;
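Review bot: `sanitize_highpage(page)` is placed after the page has been put on the per-cpu list, in the section `free_hot_cold_page()` runs with local interrupts disabled; clearing a page there lengthens the irq-off window for every order-0 free. Do the clear before `local_irq_save()`, while the page is already owned by the freer but not yet on any list; that also removes the window in which a page sits on the pcp list still holding old data.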
36197 -diff -urNp linux-2.6.24.4/mm/rmap.c linux-2.6.24.4/mm/rmap.c
36198 ---- linux-2.6.24.4/mm/rmap.c 2008-03-24 14:49:18.000000000 -0400
36199 -+++ linux-2.6.24.4/mm/rmap.c 2008-03-26 17:56:56.000000000 -0400
36200 -@@ -64,6 +64,10 @@ int anon_vma_prepare(struct vm_area_stru
36201 - struct mm_struct *mm = vma->vm_mm;
36202 - struct anon_vma *allocated, *locked;
36203 -
36204 -+#ifdef CONFIG_PAX_SEGMEXEC
36205 -+ struct vm_area_struct *vma_m;
36206 -+#endif
36207 -+
36208 - anon_vma = find_mergeable_anon_vma(vma);
36209 - if (anon_vma) {
36210 - allocated = NULL;
36211 -@@ -80,6 +84,15 @@ int anon_vma_prepare(struct vm_area_stru
36212 - /* page_table_lock to protect against threads */
36213 - spin_lock(&mm->page_table_lock);
36214 - if (likely(!vma->anon_vma)) {
36215 -+
36216 -+#ifdef CONFIG_PAX_SEGMEXEC
36217 -+ vma_m = pax_find_mirror_vma(vma);
36218 -+ if (vma_m) {
36219 -+ vma_m->anon_vma = anon_vma;
36220 -+ __anon_vma_link(vma_m);
36221 -+ }
36222 -+#endif
36223 -+
36224 - vma->anon_vma = anon_vma;
36225 - list_add_tail(&vma->anon_vma_node, &anon_vma->head);
36226 - allocated = NULL;
36227 -diff -urNp linux-2.6.24.4/mm/shmem.c linux-2.6.24.4/mm/shmem.c
36228 ---- linux-2.6.24.4/mm/shmem.c 2008-03-24 14:49:18.000000000 -0400
36229 -+++ linux-2.6.24.4/mm/shmem.c 2008-03-26 17:56:56.000000000 -0400
36230 -@@ -2462,7 +2462,7 @@ static struct file_system_type tmpfs_fs_
36231 - .get_sb = shmem_get_sb,
36232 - .kill_sb = kill_litter_super,
36233 - };
36234 --static struct vfsmount *shm_mnt;
36235 -+struct vfsmount *shm_mnt;
36236 -
36237 - static int __init init_tmpfs(void)
36238 - {
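Review bot: dropping `static` from `shm_mnt` with no `extern` declaration in a header (and no EXPORT_SYMBOL if the consumer can be a module) means the user elsewhere in this patch has to repeat the declaration in its own .c file, where the compiler cannot check it against this definition. Add `extern struct vfsmount *shm_mnt;` to a shared header and include it here and in tiny-shmem.c, which this patch changes the same way.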
36239 -diff -urNp linux-2.6.24.4/mm/slab.c linux-2.6.24.4/mm/slab.c
36240 ---- linux-2.6.24.4/mm/slab.c 2008-03-24 14:49:18.000000000 -0400
36241 -+++ linux-2.6.24.4/mm/slab.c 2008-03-26 17:56:56.000000000 -0400
36242 -@@ -305,7 +305,7 @@ struct kmem_list3 {
36243 - * Need this for bootstrapping a per node allocator.
36244 - */
36245 - #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
36246 --struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
36247 -+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
36248 - #define CACHE_CACHE 0
36249 - #define SIZE_AC MAX_NUMNODES
36250 - #define SIZE_L3 (2 * MAX_NUMNODES)
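Review bot: removing `__initdata` from `initkmem_list3` keeps the array (3 * MAX_NUMNODES entries) resident for the life of the kernel; the commit message should say what references it after init, since that is the only reason to give up the init section.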
36251 -@@ -654,14 +654,14 @@ struct cache_names {
36252 - static struct cache_names __initdata cache_names[] = {
36253 - #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
36254 - #include <linux/kmalloc_sizes.h>
36255 -- {NULL,}
36256 -+ {NULL, NULL}
36257 - #undef CACHE
36258 - };
36259 -
36260 - static struct arraycache_init initarray_cache __initdata =
36261 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
36262 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
36263 - static struct arraycache_init initarray_generic =
36264 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
36265 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
36266 -
36267 - /* internal cache of cache description objs */
36268 - static struct kmem_cache cache_cache = {
36269 -@@ -3004,7 +3004,7 @@ retry:
36270 - * there must be at least one object available for
36271 - * allocation.
36272 - */
36273 -- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
36274 -+ BUG_ON(slabp->inuse >= cachep->num);
36275 -
36276 - while (slabp->inuse < cachep->num && batchcount--) {
36277 - STATS_INC_ALLOCED(cachep);
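Review bot: dropping the `slabp->inuse < 0` half of the BUG_ON is correct only because `inuse` is an unsigned field, in which case the comparison was always false and the compiler warned about it; say so in the commit message, since on its own the hunk reads as a weakened check.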
36278 -diff -urNp linux-2.6.24.4/mm/slub.c linux-2.6.24.4/mm/slub.c
36279 ---- linux-2.6.24.4/mm/slub.c 2008-03-24 14:49:18.000000000 -0400
36280 -+++ linux-2.6.24.4/mm/slub.c 2008-03-26 17:56:56.000000000 -0400
36281 -@@ -1539,7 +1539,7 @@ debug:
36282 - *
36283 - * Otherwise we can simply pick the next object from the lockless free list.
36284 - */
36285 --static void __always_inline *slab_alloc(struct kmem_cache *s,
36286 -+static __always_inline void *slab_alloc(struct kmem_cache *s,
36287 - gfp_t gfpflags, int node, void *addr)
36288 - {
36289 - void **object;
36290 -@@ -1647,7 +1647,7 @@ debug:
36291 - * If fastpath is not possible then fall back to __slab_free where we deal
36292 - * with all sorts of special processing.
36293 - */
36294 --static void __always_inline slab_free(struct kmem_cache *s,
36295 -+static __always_inline void slab_free(struct kmem_cache *s,
36296 - struct page *page, void *x, void *addr)
36297 - {
36298 - void **object = (void *)x;
36299 -diff -urNp linux-2.6.24.4/mm/swap.c linux-2.6.24.4/mm/swap.c
36300 ---- linux-2.6.24.4/mm/swap.c 2008-03-24 14:49:18.000000000 -0400
36301 -+++ linux-2.6.24.4/mm/swap.c 2008-03-26 17:56:56.000000000 -0400
36302 -@@ -33,9 +33,9 @@
36303 - /* How many pages do we try to swap or page in/out together? */
36304 - int page_cluster;
36305 -
36306 --static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
36307 --static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
36308 --static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, };
36309 -+static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
36310 -+static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
36311 -+static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, 0, {NULL} };
36312 -
36313 - /*
36314 - * This path almost never happens for VM activity - pages are normally
36315 -diff -urNp linux-2.6.24.4/mm/tiny-shmem.c linux-2.6.24.4/mm/tiny-shmem.c
36316 ---- linux-2.6.24.4/mm/tiny-shmem.c 2008-03-24 14:49:18.000000000 -0400
36317 -+++ linux-2.6.24.4/mm/tiny-shmem.c 2008-03-26 17:56:56.000000000 -0400
36318 -@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
36319 - .kill_sb = kill_litter_super,
36320 - };
36321 -
36322 --static struct vfsmount *shm_mnt;
36323 -+struct vfsmount *shm_mnt;
36324 -
36325 - static int __init init_tmpfs(void)
36326 - {
36327 -diff -urNp linux-2.6.24.4/mm/vmalloc.c linux-2.6.24.4/mm/vmalloc.c
36328 ---- linux-2.6.24.4/mm/vmalloc.c 2008-03-24 14:49:18.000000000 -0400
36329 -+++ linux-2.6.24.4/mm/vmalloc.c 2008-03-26 17:56:56.000000000 -0400
36330 -@@ -202,6 +202,8 @@ static struct vm_struct *__get_vm_area_n
36331 -
36332 - write_lock(&vmlist_lock);
36333 - for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
36334 -+ if (addr > end - size)
36335 -+ goto out;
36336 - if ((unsigned long)tmp->addr < addr) {
36337 - if((unsigned long)tmp->addr + tmp->size >= addr)
36338 - addr = ALIGN(tmp->size +
36339 -@@ -213,8 +215,6 @@ static struct vm_struct *__get_vm_area_n
36340 - if (size + addr <= (unsigned long)tmp->addr)
36341 - goto found;
36342 - addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
36343 -- if (addr > end - size)
36344 -- goto out;
36345 - }
36346 -
36347 - found:
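Review bot: moving `if (addr > end - size) goto out;` to the top of the loop covers the `continue` branch that bumps `addr` without checking, but it also removes the check after the final `ALIGN()` at the bottom of the loop; if the last vmlist entry pushes `addr` past `end - size` and the loop then terminates normally, control reaches `found:` with an out-of-range `addr` unless a post-loop check exists that this hunk's context does not show. Keep a check after the loop (or after the `ALIGN()`) as well.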
36348 -diff -urNp linux-2.6.24.4/net/bridge/br_stp_if.c linux-2.6.24.4/net/bridge/br_stp_if.c
36349 ---- linux-2.6.24.4/net/bridge/br_stp_if.c 2008-03-24 14:49:18.000000000 -0400
36350 -+++ linux-2.6.24.4/net/bridge/br_stp_if.c 2008-03-26 17:56:56.000000000 -0400
36351 -@@ -148,7 +148,7 @@ static void br_stp_stop(struct net_bridg
36352 - char *envp[] = { NULL };
36353 -
36354 - if (br->stp_enabled == BR_USER_STP) {
36355 -- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
36356 -+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
36357 - printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
36358 - br->dev->name, r);
36359 -
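Review bot: `UMH_WAIT_PROC` is the named value of the `1` that was passed here, so this is a no-behaviour-change cleanup unrelated to grsecurity; it would be easier to carry, and to send upstream, as its own patch.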
36360 -diff -urNp linux-2.6.24.4/net/core/flow.c linux-2.6.24.4/net/core/flow.c
36361 ---- linux-2.6.24.4/net/core/flow.c 2008-03-24 14:49:18.000000000 -0400
36362 -+++ linux-2.6.24.4/net/core/flow.c 2008-03-26 17:56:56.000000000 -0400
36363 -@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
36364 -
36365 - static u32 flow_hash_shift;
36366 - #define flow_hash_size (1 << flow_hash_shift)
36367 --static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
36368 -+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
36369 -
36370 - #define flow_table(cpu) (per_cpu(flow_tables, cpu))
36371 -
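Review bot: the three `DEFINE_PER_CPU` initializer removals in this file (here and in the two hunks that follow) silence initializer warnings and do not change behaviour, since the storage is zero-initialized either way; they are unrelated to the security changes and would review and upstream more easily as a separate cleanup.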
36372 -@@ -53,7 +53,7 @@ struct flow_percpu_info {
36373 - u32 hash_rnd;
36374 - int count;
36375 - } ____cacheline_aligned;
36376 --static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
36377 -+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
36378 -
36379 - #define flow_hash_rnd_recalc(cpu) \
36380 - (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
36381 -@@ -70,7 +70,7 @@ struct flow_flush_info {
36382 - atomic_t cpuleft;
36383 - struct completion completion;
36384 - };
36385 --static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
36386 -+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
36387 -
36388 - #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
36389 -
36390 -diff -urNp linux-2.6.24.4/net/dccp/ccids/ccid3.c linux-2.6.24.4/net/dccp/ccids/ccid3.c
36391 ---- linux-2.6.24.4/net/dccp/ccids/ccid3.c 2008-03-24 14:49:18.000000000 -0400
36392 -+++ linux-2.6.24.4/net/dccp/ccids/ccid3.c 2008-03-26 17:56:56.000000000 -0400
36393 -@@ -46,7 +46,7 @@
36394 - static int ccid3_debug;
36395 - #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
36396 - #else
36397 --#define ccid3_pr_debug(format, a...)
36398 -+#define ccid3_pr_debug(format, a...) do {} while (0)
36399 - #endif
36400 -
36401 - static struct dccp_tx_hist *ccid3_tx_hist;
36402 -diff -urNp linux-2.6.24.4/net/dccp/dccp.h linux-2.6.24.4/net/dccp/dccp.h
36403 ---- linux-2.6.24.4/net/dccp/dccp.h 2008-03-24 14:49:18.000000000 -0400
36404 -+++ linux-2.6.24.4/net/dccp/dccp.h 2008-03-26 17:56:56.000000000 -0400
36405 -@@ -43,8 +43,8 @@ extern int dccp_debug;
36406 - #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
36407 - #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
36408 - #else
36409 --#define dccp_pr_debug(format, a...)
36410 --#define dccp_pr_debug_cat(format, a...)
36411 -+#define dccp_pr_debug(format, a...) do {} while (0)
36412 -+#define dccp_pr_debug_cat(format, a...) do {} while (0)
36413 - #endif
36414 -
36415 - extern struct inet_hashinfo dccp_hashinfo;
36416 -diff -urNp linux-2.6.24.4/net/ipv4/inet_connection_sock.c linux-2.6.24.4/net/ipv4/inet_connection_sock.c
36417 ---- linux-2.6.24.4/net/ipv4/inet_connection_sock.c 2008-03-24 14:49:18.000000000 -0400
36418 -+++ linux-2.6.24.4/net/ipv4/inet_connection_sock.c 2008-03-26 17:56:56.000000000 -0400
36419 -@@ -15,6 +15,7 @@
36420 -
36421 - #include <linux/module.h>
36422 - #include <linux/jhash.h>
36423 -+#include <linux/grsecurity.h>
36424 -
36425 - #include <net/inet_connection_sock.h>
36426 - #include <net/inet_hashtables.h>
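Review bot: `<linux/grsecurity.h>` is added to this file but the diff shows no new use of anything from it in inet_connection_sock.c; either a call site is missing from the patch or the include is stray and should be dropped.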
36427 -diff -urNp linux-2.6.24.4/net/ipv4/inet_hashtables.c linux-2.6.24.4/net/ipv4/inet_hashtables.c
36428 ---- linux-2.6.24.4/net/ipv4/inet_hashtables.c 2008-03-24 14:49:18.000000000 -0400
36429 -+++ linux-2.6.24.4/net/ipv4/inet_hashtables.c 2008-03-26 17:56:56.000000000 -0400
36430 -@@ -18,11 +18,14 @@
36431 - #include <linux/sched.h>
36432 - #include <linux/slab.h>
36433 - #include <linux/wait.h>
36434 -+#include <linux/grsecurity.h>
36435 -
36436 - #include <net/inet_connection_sock.h>
36437 - #include <net/inet_hashtables.h>
36438 - #include <net/ip.h>
36439 -
36440 -+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
36441 -+
36442 - /*
36443 - * Allocate and initialize a new local port bind bucket.
36444 - * The bindhash mutex for snum's hash chain must be held here.
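Review bot: the `extern void gr_update_task_in_ip_table(...)` prototype belongs in `<linux/grsecurity.h>`, which this same hunk includes, not in a .c file; a local extern cannot be checked against the definition and will silently go stale if the signature changes.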
36445 -@@ -338,6 +341,8 @@ ok:
36446 - }
36447 - spin_unlock(&head->lock);
36448 -
36449 -+ gr_update_task_in_ip_table(current, inet_sk(sk));
36450 -+
36451 - if (tw) {
36452 - inet_twsk_deschedule(tw, death_row);
36453 - inet_twsk_put(tw);
36454 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c
36455 ---- linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500
36456 -+++ linux-2.6.24.4/net/ipv4/netfilter/ipt_stealth.c 2008-03-26 17:56:56.000000000 -0400
36457 -@@ -0,0 +1,114 @@
36458 -+/* Kernel module to add stealth support.
36459 -+ *
36460 -+ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
36461 -+ *
36462 -+ */
36463 -+
36464 -+#include <linux/kernel.h>
36465 -+#include <linux/module.h>
36466 -+#include <linux/skbuff.h>
36467 -+#include <linux/net.h>
36468 -+#include <linux/sched.h>
36469 -+#include <linux/inet.h>
36470 -+#include <linux/stddef.h>
36471 -+
36472 -+#include <net/ip.h>
36473 -+#include <net/sock.h>
36474 -+#include <net/tcp.h>
36475 -+#include <net/udp.h>
36476 -+#include <net/route.h>
36477 -+#include <net/inet_common.h>
36478 -+
36479 -+#include <linux/netfilter_ipv4/ip_tables.h>
36480 -+
36481 -+MODULE_LICENSE("GPL");
36482 -+
36483 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
36484 -+
36485 -+static int
36486 -+match(const struct sk_buff *skb,
36487 -+ const struct net_device *in,
36488 -+ const struct net_device *out,
36489 -+ const struct xt_match *match,
36490 -+ const void *matchinfo,
36491 -+ int offset,
36492 -+ unsigned int protoff,
36493 -+ int *hotdrop)
36494 -+{
36495 -+ struct iphdr *ip = ip_hdr(skb);
36496 -+ struct tcphdr th;
36497 -+ struct udphdr uh;
36498 -+ struct sock *sk = NULL;
36499 -+
36500 -+ if (!ip || offset) return 0;
36501 -+
36502 -+ switch(ip->protocol) {
36503 -+ case IPPROTO_TCP:
36504 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
36505 -+ *hotdrop = 1;
36506 -+ return 0;
36507 -+ }
36508 -+ if (!(th.syn && !th.ack)) return 0;
36509 -+ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
36510 -+ break;
36511 -+ case IPPROTO_UDP:
36512 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
36513 -+ *hotdrop = 1;
36514 -+ return 0;
36515 -+ }
36516 -+ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
36517 -+ break;
36518 -+ default:
36519 -+ return 0;
36520 -+ }
36521 -+
36522 -+ if(!sk) // port is being listened on, match this
36523 -+ return 1;
36524 -+ else {
36525 -+ sock_put(sk);
36526 -+ return 0;
36527 -+ }
36528 -+}
36529 -+
36530 -+/* Called when user tries to insert an entry of this type. */
36531 -+static int
36532 -+checkentry(const char *tablename,
36533 -+ const void *nip,
36534 -+ const struct xt_match *match,
36535 -+ void *matchinfo,
36536 -+ unsigned int hook_mask)
36537 -+{
36538 -+ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
36539 -+
36540 -+ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
36541 -+ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
36542 -+ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
36543 -+ return 1;
36544 -+
36545 -+ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
36546 -+
36547 -+ return 0;
36548 -+}
36549 -+
36550 -+
36551 -+static struct xt_match stealth_match = {
36552 -+ .name = "stealth",
36553 -+ .family = AF_INET,
36554 -+ .match = match,
36555 -+ .checkentry = checkentry,
36556 -+ .destroy = NULL,
36557 -+ .me = THIS_MODULE
36558 -+};
36559 -+
36560 -+static int __init init(void)
36561 -+{
36562 -+ return xt_register_match(&stealth_match);
36563 -+}
36564 -+
36565 -+static void __exit fini(void)
36566 -+{
36567 -+ xt_unregister_match(&stealth_match);
36568 -+}
36569 -+
36570 -+module_init(init);
36571 -+module_exit(fini);
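Review bot: the comment on `if(!sk) // port is being listened on, match this` is inverted: `sk == NULL` means no socket was found, i.e. the port is not served, and that is the case the match returns 1 for; fix it, since it states the opposite of the intent. Further points: `udp_v4_lookup()` is declared with a local `extern` using `u32`/`u16` while the arguments are `__be32`/`__be16` header fields, so put the prototype in a header with the sparse-annotated types; the TCP branch uses `inet_iif(skb)` but the UDP branch `skb->dev->ifindex`, which should be the same expression; and the `printk()` in `checkentry()` lacks a KERN_ level. Finally, only `SYN && !ACK` segments are considered, so ACK/FIN/NULL probes to closed ports still get the stack's normal RST; that limitation should be documented alongside the Kconfig help.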
36572 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/Kconfig linux-2.6.24.4/net/ipv4/netfilter/Kconfig
36573 ---- linux-2.6.24.4/net/ipv4/netfilter/Kconfig 2008-03-24 14:49:18.000000000 -0400
36574 -+++ linux-2.6.24.4/net/ipv4/netfilter/Kconfig 2008-03-26 17:56:56.000000000 -0400
36575 -@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
36576 - If you want to compile it as a module, say M here and read
36577 - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
36578 -
36579 -+config IP_NF_MATCH_STEALTH
36580 -+ tristate "stealth match support"
36581 -+ depends on IP_NF_IPTABLES
36582 -+ help
36583 -+ Enabling this option will drop all syn packets coming to unserved tcp
36584 -+ ports as well as all packets coming to unserved udp ports. If you
36585 -+ are using your system to route any type of packets (ie. via NAT)
36586 -+ you should put this module at the end of your ruleset, since it will
36587 -+ drop packets that aren't going to ports that are listening on your
36588 -+ machine itself, it doesn't take into account that the packet might be
36589 -+ destined for someone on your internal network if you're using NAT for
36590 -+ instance.
36591 -+
36592 -+ To compile it as a module, choose M here. If unsure, say N.
36593 -+
36594 - # `filter', generic and specific targets
36595 - config IP_NF_FILTER
36596 - tristate "Packet filtering"
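Review bot: the help text omits the one constraint a user will hit first, namely that checkentry() accepts the match only in the INPUT chain and rejects it elsewhere; add that sentence. Also the option is `tristate`, so the module build must be possible, which means the `udp_v4_lookup()` symbol this match calls has to be exported (see the net/ipv4/udp.c hunk). Capitalise the protocol names (SYN, TCP, UDP) and split the second sentence after "ruleset", which currently runs three clauses together.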
36597 -@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
36598 - hardware and network addresses.
36599 -
36600 - endmenu
36601 --
36602 -diff -urNp linux-2.6.24.4/net/ipv4/netfilter/Makefile linux-2.6.24.4/net/ipv4/netfilter/Makefile
36603 ---- linux-2.6.24.4/net/ipv4/netfilter/Makefile 2008-03-24 14:49:18.000000000 -0400
36604 -+++ linux-2.6.24.4/net/ipv4/netfilter/Makefile 2008-03-26 17:56:56.000000000 -0400
36605 -@@ -47,6 +47,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
36606 - obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
36607 - obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
36608 - obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
36609 -+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
36610 - obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
36611 - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
36612 -
36613 -diff -urNp linux-2.6.24.4/net/ipv4/tcp.c linux-2.6.24.4/net/ipv4/tcp.c
36614 ---- linux-2.6.24.4/net/ipv4/tcp.c 2008-03-24 14:49:18.000000000 -0400
36615 -+++ linux-2.6.24.4/net/ipv4/tcp.c 2008-03-26 17:56:56.000000000 -0400
36616 -@@ -1054,7 +1054,8 @@ int tcp_read_sock(struct sock *sk, read_
36617 - return -ENOTCONN;
36618 - while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
36619 - if (offset < skb->len) {
36620 -- size_t used, len;
36621 -+ int used;
36622 -+ size_t len;
36623 -
36624 - len = skb->len - offset;
36625 - /* Stop reading if we hit a patch of urgent data */
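Review bot: the declaration of `used` is narrowed from `size_t` to `int` with no explanation in the hunk. If the intent is that `used` can carry a negative error value back from the read actor (so that a `used < 0` test becomes meaningful), the comparison sites should be in the same hunk so the sign handling can be reviewed together, and a one-line comment should record why the two variables now have different types.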
36626 -diff -urNp linux-2.6.24.4/net/ipv4/tcp_ipv4.c linux-2.6.24.4/net/ipv4/tcp_ipv4.c
36627 ---- linux-2.6.24.4/net/ipv4/tcp_ipv4.c 2008-03-24 14:49:18.000000000 -0400
36628 -+++ linux-2.6.24.4/net/ipv4/tcp_ipv4.c 2008-03-26 17:56:56.000000000 -0400
36629 -@@ -61,6 +61,7 @@
36630 - #include <linux/jhash.h>
36631 - #include <linux/init.h>
36632 - #include <linux/times.h>
36633 -+#include <linux/grsecurity.h>
36634 -
36635 - #include <net/net_namespace.h>
36636 - #include <net/icmp.h>
36637 -diff -urNp linux-2.6.24.4/net/ipv4/udp.c linux-2.6.24.4/net/ipv4/udp.c
36638 ---- linux-2.6.24.4/net/ipv4/udp.c 2008-03-24 14:49:18.000000000 -0400
36639 -+++ linux-2.6.24.4/net/ipv4/udp.c 2008-03-26 17:56:56.000000000 -0400
36640 -@@ -98,6 +98,7 @@
36641 - #include <linux/skbuff.h>
36642 - #include <linux/proc_fs.h>
36643 - #include <linux/seq_file.h>
36644 -+#include <linux/grsecurity.h>
36645 - #include <net/net_namespace.h>
36646 - #include <net/icmp.h>
36647 - #include <net/route.h>
36648 -@@ -105,6 +106,11 @@
36649 - #include <net/xfrm.h>
36650 - #include "udp_impl.h"
36651 -
36652 -+extern int gr_search_udp_recvmsg(const struct sock *sk,
36653 -+ const struct sk_buff *skb);
36654 -+extern int gr_search_udp_sendmsg(const struct sock *sk,
36655 -+ const struct sockaddr_in *addr);
36656 -+
36657 - /*
36658 - * Snmp MIB for the UDP layer
36659 - */
36660 -@@ -295,6 +301,13 @@ static struct sock *__udp4_lib_lookup(__
36661 - return result;
36662 - }
36663 -
36664 -+struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
36665 -+ __be32 daddr, __be16 dport, int dif)
36666 -+{
36667 -+ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
36668 -+}
36669 -+
36670 -+
36671 - static inline struct sock *udp_v4_mcast_next(struct sock *sk,
36672 - __be16 loc_port, __be32 loc_addr,
36673 - __be16 rmt_port, __be32 rmt_addr,
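Review bot: `udp_v4_lookup()` is added as a non-static function with no prototype in a header and no `EXPORT_SYMBOL()`, yet its only caller in this patch is net/ipv4/netfilter/ipt_stealth.c, whose Kconfig entry is `tristate`. Built as a module, ipt_stealth will fail to link against this symbol; declare it in a header (next to the other udp lookup helpers) and export it. Also drop one of the two trailing blank lines.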
36674 -@@ -580,9 +593,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
36675 - dport = usin->sin_port;
36676 - if (dport == 0)
36677 - return -EINVAL;
36678 -+
36679 -+ if (!gr_search_udp_sendmsg(sk, usin))
36680 -+ return -EPERM;
36681 - } else {
36682 - if (sk->sk_state != TCP_ESTABLISHED)
36683 - return -EDESTADDRREQ;
36684 -+
36685 -+ if (!gr_search_udp_sendmsg(sk, NULL))
36686 -+ return -EPERM;
36687 -+
36688 - daddr = inet->daddr;
36689 - dport = inet->dport;
36690 - /* Open fast path for connected socket.
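Review bot: the connected-socket path calls `gr_search_udp_sendmsg(sk, NULL)`, so the hook's contract is that a NULL `addr` means "use the socket's stored destination". That convention is not stated at the `extern` declaration added above; document it there, since a later implementation that dereferences `addr` unconditionally would oops on every send over a connected UDP socket.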
36691 -@@ -842,6 +862,11 @@ try_again:
36692 - if (!skb)
36693 - goto out;
36694 -
36695 -+ if (!gr_search_udp_recvmsg(sk, skb)) {
36696 -+ err = -EPERM;
36697 -+ goto out_free;
36698 -+ }
36699 -+
36700 - ulen = skb->len - sizeof(struct udphdr);
36701 - copied = len;
36702 - if (copied > ulen)
36703 -diff -urNp linux-2.6.24.4/net/ipv6/exthdrs.c linux-2.6.24.4/net/ipv6/exthdrs.c
36704 ---- linux-2.6.24.4/net/ipv6/exthdrs.c 2008-03-24 14:49:18.000000000 -0400
36705 -+++ linux-2.6.24.4/net/ipv6/exthdrs.c 2008-03-26 17:56:56.000000000 -0400
36706 -@@ -621,7 +621,7 @@ static struct tlvtype_proc tlvprochopopt
36707 - .type = IPV6_TLV_JUMBO,
36708 - .func = ipv6_hop_jumbo,
36709 - },
36710 -- { -1, }
36711 -+ { -1, NULL }
36712 - };
36713 -
36714 - int ipv6_parse_hopopts(struct sk_buff *skb)
36715 -diff -urNp linux-2.6.24.4/net/ipv6/raw.c linux-2.6.24.4/net/ipv6/raw.c
36716 ---- linux-2.6.24.4/net/ipv6/raw.c 2008-03-24 14:49:18.000000000 -0400
36717 -+++ linux-2.6.24.4/net/ipv6/raw.c 2008-03-26 17:56:56.000000000 -0400
36718 -@@ -578,7 +578,7 @@ out:
36719 - return err;
36720 - }
36721 -
36722 --static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
36723 -+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
36724 - struct flowi *fl, struct rt6_info *rt,
36725 - unsigned int flags)
36726 - {
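Review bot: changing `length` from `int` to `unsigned int` silently turns any `length < 0` validation inside rawv6_send_hdrinc() into dead code, and a negative value supplied by a caller now arrives as a very large length. The hunk only shows the prototype; the function body and its callers need to be part of the same change so the sign conversion can be checked end to end.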
36727 -diff -urNp linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c
36728 ---- linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c 2008-03-24 14:49:18.000000000 -0400
36729 -+++ linux-2.6.24.4/net/irda/ircomm/ircomm_tty.c 2008-03-26 17:56:56.000000000 -0400
36730 -@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
36731 - IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
36732 -
36733 - line = tty->index;
36734 -- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
36735 -+ if (line >= IRCOMM_TTY_PORTS) {
36736 - return -ENODEV;
36737 - }
36738 -
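Review bot: dropping the `line < 0` test is only correct if `line` (assigned from `tty->index`) is unsigned. If `line` is still declared `int`, a negative index now passes `line >= IRCOMM_TTY_PORTS` and is used to index the port table below the start of the array. Either include the change of the declaration in this hunk or keep the lower-bound check.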
36739 -diff -urNp linux-2.6.24.4/net/mac80211/regdomain.c linux-2.6.24.4/net/mac80211/regdomain.c
36740 ---- linux-2.6.24.4/net/mac80211/regdomain.c 2008-03-24 14:49:18.000000000 -0400
36741 -+++ linux-2.6.24.4/net/mac80211/regdomain.c 2008-03-26 17:56:56.000000000 -0400
36742 -@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
36743 - { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
36744 - { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
36745 - { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
36746 -- { 0 }
36747 -+ { 0, 0, 0, 0 }
36748 - };
36749 -
36750 - static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
36751 - { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
36752 - { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
36753 - { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
36754 -- { 0 }
36755 -+ { 0, 0, 0, 0 }
36756 - };
36757 -
36758 -
36759 -diff -urNp linux-2.6.24.4/net/sctp/socket.c linux-2.6.24.4/net/sctp/socket.c
36760 ---- linux-2.6.24.4/net/sctp/socket.c 2008-03-24 14:49:18.000000000 -0400
36761 -+++ linux-2.6.24.4/net/sctp/socket.c 2008-03-26 17:56:56.000000000 -0400
36762 -@@ -1390,7 +1390,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
36763 - struct sctp_sndrcvinfo *sinfo;
36764 - struct sctp_initmsg *sinit;
36765 - sctp_assoc_t associd = 0;
36766 -- sctp_cmsgs_t cmsgs = { NULL };
36767 -+ sctp_cmsgs_t cmsgs = { NULL, NULL };
36768 - int err;
36769 - sctp_scope_t scope;
36770 - long timeo;
36771 -diff -urNp linux-2.6.24.4/net/socket.c linux-2.6.24.4/net/socket.c
36772 ---- linux-2.6.24.4/net/socket.c 2008-03-24 14:49:18.000000000 -0400
36773 -+++ linux-2.6.24.4/net/socket.c 2008-03-26 17:56:56.000000000 -0400
36774 -@@ -85,6 +85,7 @@
36775 - #include <linux/audit.h>
36776 - #include <linux/wireless.h>
36777 - #include <linux/nsproxy.h>
36778 -+#include <linux/in.h>
36779 -
36780 - #include <asm/uaccess.h>
36781 - #include <asm/unistd.h>
36782 -@@ -94,6 +95,21 @@
36783 - #include <net/sock.h>
36784 - #include <linux/netfilter.h>
36785 -
36786 -+extern void gr_attach_curr_ip(const struct sock *sk);
36787 -+extern int gr_handle_sock_all(const int family, const int type,
36788 -+ const int protocol);
36789 -+extern int gr_handle_sock_server(const struct sockaddr *sck);
36790 -+extern int gr_handle_sock_server_other(const struct socket *sck);
36791 -+extern int gr_handle_sock_client(const struct sockaddr *sck);
36792 -+extern int gr_search_connect(const struct socket * sock,
36793 -+ const struct sockaddr_in * addr);
36794 -+extern int gr_search_bind(const struct socket * sock,
36795 -+ const struct sockaddr_in * addr);
36796 -+extern int gr_search_listen(const struct socket * sock);
36797 -+extern int gr_search_accept(const struct socket * sock);
36798 -+extern int gr_search_socket(const int domain, const int type,
36799 -+ const int protocol);
36800 -+
36801 - static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
36802 - static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
36803 - unsigned long nr_segs, loff_t pos);
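Review bot: these twelve `extern` prototypes belong in <linux/grsecurity.h>, not in net/socket.c; the patch includes that header in udp.c, tcp_ipv4.c, af_unix.c and commoncap.c but here only adds <linux/in.h>. The same applies to the `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg` externs added to net/ipv4/udp.c. While moving them, fix the pointer spacing (`const struct socket *sock`, not `* sock`) to match kernel style.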
36804 -@@ -293,7 +309,7 @@ static int sockfs_get_sb(struct file_sys
36805 - mnt);
36806 - }
36807 -
36808 --static struct vfsmount *sock_mnt __read_mostly;
36809 -+struct vfsmount *sock_mnt __read_mostly;
36810 -
36811 - static struct file_system_type sock_fs_type = {
36812 - .name = "sockfs",
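Review bot: `sock_mnt` loses `static` but gains neither a header declaration nor an `EXPORT_SYMBOL()`, and no consumer appears in this patch. Whatever code needs the sockfs mount should be in the same change so the widened visibility can be justified, and if that consumer can be built as a module the symbol must be exported.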
36813 -@@ -1204,6 +1220,16 @@ asmlinkage long sys_socket(int family, i
36814 - int retval;
36815 - struct socket *sock;
36816 -
36817 -+ if(!gr_search_socket(family, type, protocol)) {
36818 -+ retval = -EACCES;
36819 -+ goto out;
36820 -+ }
36821 -+
36822 -+ if (gr_handle_sock_all(family, type, protocol)) {
36823 -+ retval = -EACCES;
36824 -+ goto out;
36825 -+ }
36826 -+
36827 - retval = sock_create(family, type, protocol, &sock);
36828 - if (retval < 0)
36829 - goto out;
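Review bot: the two new checks both set `retval = -EACCES` and jump to the same label; fold them into one condition (`if (!gr_search_socket(...) || gr_handle_sock_all(...))`) as the bind and connect hunks in this patch already do, and add the space after `if` that kernel style expects.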
36830 -@@ -1334,6 +1360,12 @@ asmlinkage long sys_bind(int fd, struct
36831 - if (sock) {
36832 - err = move_addr_to_kernel(umyaddr, addrlen, address);
36833 - if (err >= 0) {
36834 -+ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
36835 -+ gr_handle_sock_server((struct sockaddr *)address)) {
36836 -+ err = -EACCES;
36837 -+ goto error;
36838 -+ }
36839 -+
36840 - err = security_socket_bind(sock,
36841 - (struct sockaddr *)address,
36842 - addrlen);
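Review bot: `address` is cast to `struct sockaddr_in *` for every address family before `gr_search_bind()` sees it; nothing in the hunk checks `sa_family`. For AF_INET6 or AF_UNIX binds the `sin_addr`/`sin_port` fields read by the hook are overlaid on unrelated bytes, so the hook must test `sa_family == AF_INET` before interpreting them, or the cast should be done inside the hook after that test.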
36843 -@@ -1342,6 +1374,7 @@ asmlinkage long sys_bind(int fd, struct
36844 - (struct sockaddr *)
36845 - address, addrlen);
36846 - }
36847 -+error:
36848 - fput_light(sock->file, fput_needed);
36849 - }
36850 - return err;
36851 -@@ -1365,10 +1398,17 @@ asmlinkage long sys_listen(int fd, int b
36852 - if ((unsigned)backlog > sysctl_somaxconn)
36853 - backlog = sysctl_somaxconn;
36854 -
36855 -+ if (gr_handle_sock_server_other(sock) ||
36856 -+ !gr_search_listen(sock)) {
36857 -+ err = -EPERM;
36858 -+ goto error;
36859 -+ }
36860 -+
36861 - err = security_socket_listen(sock, backlog);
36862 - if (!err)
36863 - err = sock->ops->listen(sock, backlog);
36864 -
36865 -+error:
36866 - fput_light(sock->file, fput_needed);
36867 - }
36868 - return err;
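Review bot: this denial returns `-EPERM`, while the socket, bind and connect hooks in the same patch return `-EACCES`. Pick one errno for grsecurity policy denials across the socket syscalls so that callers and audit tooling can distinguish a policy denial from an ordinary capability failure.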
36869 -@@ -1405,6 +1445,13 @@ asmlinkage long sys_accept(int fd, struc
36870 - newsock->type = sock->type;
36871 - newsock->ops = sock->ops;
36872 -
36873 -+ if (gr_handle_sock_server_other(sock) ||
36874 -+ !gr_search_accept(sock)) {
36875 -+ err = -EPERM;
36876 -+ sock_release(newsock);
36877 -+ goto out_put;
36878 -+ }
36879 -+
36880 - /*
36881 - * We don't need try_module_get here, as the listening socket (sock)
36882 - * has the protocol module (sock->ops->owner) held.
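Review bot: the check runs after `sock_alloc()` has already produced `newsock`, so every denial performs an allocate-then-`sock_release()` round trip and adds an error path that must stay in sync with the allocation. Moving the two calls ahead of the allocation removes that path; neither `gr_handle_sock_server_other(sock)` nor `gr_search_accept(sock)` depends on `newsock`.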
36883 -@@ -1448,6 +1495,7 @@ asmlinkage long sys_accept(int fd, struc
36884 - err = newfd;
36885 -
36886 - security_socket_post_accept(sock, newsock);
36887 -+ gr_attach_curr_ip(newsock->sk);
36888 -
36889 - out_put:
36890 - fput_light(sock->file, fput_needed);
36891 -@@ -1481,6 +1529,7 @@ asmlinkage long sys_connect(int fd, stru
36892 - {
36893 - struct socket *sock;
36894 - char address[MAX_SOCK_ADDR];
36895 -+ struct sockaddr *sck;
36896 - int err, fput_needed;
36897 -
36898 - sock = sockfd_lookup_light(fd, &err, &fput_needed);
36899 -@@ -1490,6 +1539,13 @@ asmlinkage long sys_connect(int fd, stru
36900 - if (err < 0)
36901 - goto out_put;
36902 -
36903 -+ sck = (struct sockaddr *)address;
36904 -+ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
36905 -+ gr_handle_sock_client(sck)) {
36906 -+ err = -EACCES;
36907 -+ goto out_put;
36908 -+ }
36909 -+
36910 - err =
36911 - security_socket_connect(sock, (struct sockaddr *)address, addrlen);
36912 - if (err)
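Review bot: the grsecurity check precedes `security_socket_connect()`, so a connect denied here never reaches the LSM and produces no LSM audit record. On a system that uses SELinux audit as its detection source, these denials are invisible unless `gr_search_connect()` or `gr_handle_sock_client()` logs on its own; state in a comment which of the two is expected to log. The `sck` local only aliases `address` and can be dropped in favour of the cast already used on the next line.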
36913 -@@ -1767,6 +1823,7 @@ asmlinkage long sys_shutdown(int fd, int
36914 - err = sock->ops->shutdown(sock, how);
36915 - fput_light(sock->file, fput_needed);
36916 - }
36917 -+
36918 - return err;
36919 - }
36920 -
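Review bot: this hunk adds only a blank line to sys_shutdown(); whitespace-only hunks add review noise and merge conflicts, so drop it from the patch.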
36921 -diff -urNp linux-2.6.24.4/net/unix/af_unix.c linux-2.6.24.4/net/unix/af_unix.c
36922 ---- linux-2.6.24.4/net/unix/af_unix.c 2008-03-24 14:49:18.000000000 -0400
36923 -+++ linux-2.6.24.4/net/unix/af_unix.c 2008-03-26 17:56:56.000000000 -0400
36924 -@@ -116,6 +116,7 @@
36925 - #include <linux/mount.h>
36926 - #include <net/checksum.h>
36927 - #include <linux/security.h>
36928 -+#include <linux/grsecurity.h>
36929 -
36930 - int sysctl_unix_max_dgram_qlen __read_mostly = 10;
36931 -
36932 -@@ -738,6 +739,11 @@ static struct sock *unix_find_other(stru
36933 - if (err)
36934 - goto put_fail;
36935 -
36936 -+ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
36937 -+ err = -EACCES;
36938 -+ goto put_fail;
36939 -+ }
36940 -+
36941 - err = -ECONNREFUSED;
36942 - if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
36943 - goto put_fail;
36944 -@@ -761,6 +767,13 @@ static struct sock *unix_find_other(stru
36945 - if (u) {
36946 - struct dentry *dentry;
36947 - dentry = unix_sk(u)->dentry;
36948 -+
36949 -+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
36950 -+ err = -EPERM;
36951 -+ sock_put(u);
36952 -+ goto fail;
36953 -+ }
36954 -+
36955 - if (dentry)
36956 - touch_atime(unix_sk(u)->mnt, dentry);
36957 - } else
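Review bot: `u->sk_peercred.pid` is a raw pid recorded at bind time (the unix_bind hunk below stores `current->pid`), and it is compared here against the connecting task. Pids are recycled, so once the binding process has exited the value may refer to an unrelated process and the chroot check can pass or fail for the wrong task. Holding a `struct pid` reference, or deciding the chroot relationship from the socket's dentry rather than a pid, avoids the reuse problem.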
36958 -@@ -839,9 +852,18 @@ static int unix_bind(struct socket *sock
36959 - */
36960 - mode = S_IFSOCK |
36961 - (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
36962 -+
36963 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
36964 -+ err = -EACCES;
36965 -+ goto out_mknod_dput;
36966 -+ }
36967 -+
36968 - err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
36969 - if (err)
36970 - goto out_mknod_dput;
36971 -+
36972 -+ gr_handle_create(dentry, nd.mnt);
36973 -+
36974 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
36975 - dput(nd.dentry);
36976 - nd.dentry = dentry;
36977 -@@ -859,6 +881,10 @@ static int unix_bind(struct socket *sock
36978 - goto out_unlock;
36979 - }
36980 -
36981 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
36982 -+ sk->sk_peercred.pid = current->pid;
36983 -+#endif
36984 -+
36985 - list = &unix_socket_table[addr->hash];
36986 - } else {
36987 - list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
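Review bot: the write to `sk->sk_peercred.pid` is under `#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX`, but the reader in unix_find_other() is unconditional; with the option off the hook receives whatever the field already holds (0 for a freshly bound socket). If `gr_handle_chroot_unix()` is a no-op in that configuration, say so in a comment; otherwise guard the call with the same ifdef. Note also that `current->pid` is the thread id, whereas the rest of af_unix records `current->tgid` in `sk_peercred`; use the same value here.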
36988 -diff -urNp linux-2.6.24.4/scripts/pnmtologo.c linux-2.6.24.4/scripts/pnmtologo.c
36989 ---- linux-2.6.24.4/scripts/pnmtologo.c 2008-03-24 14:49:18.000000000 -0400
36990 -+++ linux-2.6.24.4/scripts/pnmtologo.c 2008-03-26 17:56:56.000000000 -0400
36991 -@@ -237,14 +237,14 @@ static void write_header(void)
36992 - fprintf(out, " * Linux logo %s\n", logoname);
36993 - fputs(" */\n\n", out);
36994 - fputs("#include <linux/linux_logo.h>\n\n", out);
36995 -- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
36996 -+ fprintf(out, "static unsigned char %s_data[] = {\n",
36997 - logoname);
36998 - }
36999 -
37000 - static void write_footer(void)
37001 - {
37002 - fputs("\n};\n\n", out);
37003 -- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
37004 -+ fprintf(out, "struct linux_logo %s = {\n", logoname);
37005 - fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
37006 - fprintf(out, " .width\t= %d,\n", logo_width);
37007 - fprintf(out, " .height\t= %d,\n", logo_height);
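Review bot: removing `__initdata` from the generated `%s_data[]` array and the `struct linux_logo` (and from `%s_clut[]` in the next hunk) keeps every logo resident for the lifetime of the kernel instead of being discarded after boot. The reason is not visible in the patch; record it in a comment in write_header(), otherwise the next person to see this will treat it as an oversight and reintroduce the attribute.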
37008 -@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
37009 - fputs("\n};\n\n", out);
37010 -
37011 - /* write logo clut */
37012 -- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
37013 -+ fprintf(out, "static unsigned char %s_clut[] = {\n",
37014 - logoname);
37015 - write_hex_cnt = 0;
37016 - for (i = 0; i < logo_clutsize; i++) {
37017 -diff -urNp linux-2.6.24.4/security/commoncap.c linux-2.6.24.4/security/commoncap.c
37018 ---- linux-2.6.24.4/security/commoncap.c 2008-03-24 14:49:18.000000000 -0400
37019 -+++ linux-2.6.24.4/security/commoncap.c 2008-03-26 17:56:56.000000000 -0400
37020 -@@ -24,6 +24,7 @@
37021 - #include <linux/hugetlb.h>
37022 - #include <linux/mount.h>
37023 - #include <linux/sched.h>
37024 -+#include <linux/grsecurity.h>
37025 -
37026 - #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
37027 - /*
37028 -@@ -44,9 +45,11 @@ EXPORT_SYMBOL(cap_bset);
37029 - unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
37030 - EXPORT_SYMBOL(securebits);
37031 -
37032 -+extern __u32 gr_cap_rtnetlink(struct sock *sk);
37033 -+
37034 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
37035 - {
37036 -- NETLINK_CB(skb).eff_cap = current->cap_effective;
37037 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
37038 - return 0;
37039 - }
37040 -
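Review bot: `gr_cap_rtnetlink()` is now consulted for every netlink socket that goes through cap_netlink_send(), not only NETLINK_ROUTE, so the name is misleading and the behaviour for other families should be stated in a comment next to the call. The `extern` also belongs in <linux/grsecurity.h>, which this file includes at the top of the same patch.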
37041 -@@ -68,7 +71,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
37042 - int cap_capable (struct task_struct *tsk, int cap)
37043 - {
37044 - /* Derived from include/linux/sched.h:capable. */
37045 -- if (cap_raised(tsk->cap_effective, cap))
37046 -+ if (cap_raised (tsk->cap_effective, cap))
37047 -+ return 0;
37048 -+ return -EPERM;
37049 -+}
37050 -+
37051 -+int cap_capable_nolog (struct task_struct *tsk, int cap)
37052 -+{
37053 -+ /* tsk = current for all callers */
37054 -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
37055 - return 0;
37056 - return -EPERM;
37057 - }
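Review bot: the only change to cap_capable() itself is the inserted space in `cap_raised (`, a whitespace-only edit that departs from kernel style and makes the hunk look like a functional change; drop it. The new cap_capable_nolog() is called from cap_vm_enough_memory() later in this file but gets no prototype in a header; add one beside cap_capable()'s declaration so other callers (and the `gr_is_capable_nolog()` dependency) are visible.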
37058 -@@ -343,8 +354,11 @@ void cap_bprm_apply_creds (struct linux_
37059 - }
37060 - }
37061 -
37062 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
37063 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
37064 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
37065 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
37066 -+
37067 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
37068 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
37069 -
37070 - /* For init, we want to retain the capabilities set
37071 - * in the init_task struct. Thus we skip the usual
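Review bot: when `gr_check_user_change()` denies, the exec still completes but with the caller's uid, and the gid assignment is evaluated independently, so a setuid/setgid binary can end up running with its intended gid but the caller's uid (or the reverse). That partial credential state is harder to reason about than a plain failure; either evaluate both checks before applying either change, or fail the exec with an error when a change is denied.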
37072 -@@ -355,6 +369,8 @@ void cap_bprm_apply_creds (struct linux_
37073 - new_permitted : 0;
37074 - }
37075 -
37076 -+ gr_handle_chroot_caps(current);
37077 -+
37078 - /* AUD: Audit candidate if current->cap_effective is set */
37079 -
37080 - current->keep_capabilities = 0;
37081 -@@ -602,7 +618,7 @@ int cap_vm_enough_memory(struct mm_struc
37082 - {
37083 - int cap_sys_admin = 0;
37084 -
37085 -- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
37086 -+ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
37087 - cap_sys_admin = 1;
37088 - return __vm_enough_memory(mm, pages, cap_sys_admin);
37089 - }
37090 -diff -urNp linux-2.6.24.4/security/dummy.c linux-2.6.24.4/security/dummy.c
37091 ---- linux-2.6.24.4/security/dummy.c 2008-03-24 14:49:18.000000000 -0400
37092 -+++ linux-2.6.24.4/security/dummy.c 2008-03-26 17:56:56.000000000 -0400
37093 -@@ -27,6 +27,7 @@
37094 - #include <linux/hugetlb.h>
37095 - #include <linux/ptrace.h>
37096 - #include <linux/file.h>
37097 -+#include <linux/grsecurity.h>
37098 -
37099 - static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
37100 - {
37101 -@@ -135,8 +136,11 @@ static void dummy_bprm_apply_creds (stru
37102 - }
37103 - }
37104 -
37105 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
37106 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
37107 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
37108 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
37109 -+
37110 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
37111 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
37112 -
37113 - dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
37114 - }
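Review bot: this is a verbatim copy of the credential hunk in security/commoncap.c. Factor the two checked assignments into one helper in <linux/grsecurity.h>, which both files now include, so that a later fix to the denial handling cannot land in only one of the two copies.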
37115 -diff -urNp linux-2.6.24.4/security/Kconfig linux-2.6.24.4/security/Kconfig
37116 ---- linux-2.6.24.4/security/Kconfig 2008-03-24 14:49:18.000000000 -0400
37117 -+++ linux-2.6.24.4/security/Kconfig 2008-03-26 17:56:56.000000000 -0400
37118 -@@ -4,6 +4,429 @@
37119 -
37120 - menu "Security options"
37121 -
37122 -+source grsecurity/Kconfig
37123 -+
37124 -+menu "PaX"
37125 -+
37126 -+config PAX
37127 -+ bool "Enable various PaX features"
37128 -+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
37129 -+ help
37130 -+ This allows you to enable various PaX features. PaX adds
37131 -+ intrusion prevention mechanisms to the kernel that reduce
37132 -+ the risks posed by exploitable memory corruption bugs.
37133 -+
37134 -+menu "PaX Control"
37135 -+ depends on PAX
37136 -+
37137 -+config PAX_SOFTMODE
37138 -+ bool 'Support soft mode'
37139 -+ help
37140 -+ Enabling this option will allow you to run PaX in soft mode, that
37141 -+ is, PaX features will not be enforced by default, only on executables
37142 -+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
37143 -+ is the only way to mark executables for soft mode use.
37144 -+
37145 -+ Soft mode can be activated by using the "pax_softmode=1" kernel command
37146 -+ line option on boot. Furthermore you can control various PaX features
37147 -+ at runtime via the entries in /proc/sys/kernel/pax.
37148 -+
37149 -+config PAX_EI_PAX
37150 -+ bool 'Use legacy ELF header marking'
37151 -+ help
37152 -+ Enabling this option will allow you to control PaX features on
37153 -+ a per executable basis via the 'chpax' utility available at
37154 -+ http://pax.grsecurity.net/. The control flags will be read from
37155 -+ an otherwise reserved part of the ELF header. This marking has
37156 -+ numerous drawbacks (no support for soft-mode, toolchain does not
37157 -+ know about the non-standard use of the ELF header) therefore it
37158 -+ has been deprecated in favour of PT_PAX_FLAGS support.
37159 -+
37160 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
37161 -+ program header then you MUST enable this option otherwise they
37162 -+ will not get any protection.
37163 -+
37164 -+ Note that if you enable PT_PAX_FLAGS marking support as well,
37165 -+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
37166 -+
37167 -+config PAX_PT_PAX_FLAGS
37168 -+ bool 'Use ELF program header marking'
37169 -+ help
37170 -+ Enabling this option will allow you to control PaX features on
37171 -+ a per executable basis via the 'paxctl' utility available at
37172 -+ http://pax.grsecurity.net/. The control flags will be read from
37173 -+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
37174 -+ has the benefits of supporting both soft mode and being fully
37175 -+ integrated into the toolchain (the binutils patch is available
37176 -+ from http://pax.grsecurity.net).
37177 -+
37178 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
37179 -+ program header then you MUST enable the EI_PAX marking support
37180 -+ otherwise they will not get any protection.
37181 -+
37182 -+ Note that if you enable the legacy EI_PAX marking support as well,
37183 -+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
37184 -+
37185 -+choice
37186 -+ prompt 'MAC system integration'
37187 -+ default PAX_HAVE_ACL_FLAGS
37188 -+ help
37189 -+ Mandatory Access Control systems have the option of controlling
37190 -+ PaX flags on a per executable basis, choose the method supported
37191 -+ by your particular system.
37192 -+
37193 -+ - "none": if your MAC system does not interact with PaX,
37194 -+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
37195 -+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
37196 -+
37197 -+ NOTE: this option is for developers/integrators only.
37198 -+
37199 -+ config PAX_NO_ACL_FLAGS
37200 -+ bool 'none'
37201 -+
37202 -+ config PAX_HAVE_ACL_FLAGS
37203 -+ bool 'direct'
37204 -+
37205 -+ config PAX_HOOK_ACL_FLAGS
37206 -+ bool 'hook'
37207 -+endchoice
37208 -+
37209 -+endmenu
37210 -+
37211 -+menu "Non-executable pages"
37212 -+ depends on PAX
37213 -+
37214 -+config PAX_NOEXEC
37215 -+ bool "Enforce non-executable pages"
37216 -+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
37217 -+ help
37218 -+ By design some architectures do not allow for protecting memory
37219 -+ pages against execution or even if they do, Linux does not make
37220 -+ use of this feature. In practice this means that if a page is
37221 -+ readable (such as the stack or heap) it is also executable.
37222 -+
37223 -+ There is a well known exploit technique that makes use of this
37224 -+ fact and a common programming mistake where an attacker can
37225 -+ introduce code of his choice somewhere in the attacked program's
37226 -+ memory (typically the stack or the heap) and then execute it.
37227 -+
37228 -+ If the attacked program was running with different (typically
37229 -+ higher) privileges than that of the attacker, then he can elevate
37230 -+ his own privilege level (e.g. get a root shell, write to files for
37231 -+ which he does not have write access to, etc).
37232 -+
37233 -+ Enabling this option will let you choose from various features
37234 -+ that prevent the injection and execution of 'foreign' code in
37235 -+ a program.
37236 -+
37237 -+ This will also break programs that rely on the old behaviour and
37238 -+ expect that dynamically allocated memory via the malloc() family
37239 -+ of functions is executable (which it is not). Notable examples
37240 -+ are the XFree86 4.x server, the java runtime and wine.
37241 -+
37242 -+config PAX_PAGEEXEC
37243 -+ bool "Paging based non-executable pages"
37244 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
37245 -+ help
37246 -+ This implementation is based on the paging feature of the CPU.
37247 -+ On i386 without hardware non-executable bit support there is a
37248 -+ variable but usually low performance impact, however on Intel's
37249 -+ P4 core based CPUs it is very high so you should not enable this
37250 -+ for kernels meant to be used on such CPUs.
37251 -+
37252 -+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
37253 -+ with hardware non-executable bit support there is no performance
37254 -+ impact, on ppc the impact is negligible.
37255 -+
37256 -+ Note that several architectures require various emulations due to
37257 -+ badly designed userland ABIs, this will cause a performance impact
37258 -+ but will disappear as soon as userland is fixed (e.g., ppc users
37259 -+ can make use of the secure-plt feature found in binutils).
37260 -+
37261 -+config PAX_SEGMEXEC
37262 -+ bool "Segmentation based non-executable pages"
37263 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
37264 -+ help
37265 -+ This implementation is based on the segmentation feature of the
37266 -+ CPU and has a very small performance impact, however applications
37267 -+ will be limited to a 1.5 GB address space instead of the normal
37268 -+ 3 GB.
37269 -+
37270 -+config PAX_EMUTRAMP
37271 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
37272 -+ default y if PARISC || PPC32
37273 -+ help
37274 -+ There are some programs and libraries that for one reason or
37275 -+ another attempt to execute special small code snippets from
37276 -+ non-executable memory pages. Most notable examples are the
37277 -+ signal handler return code generated by the kernel itself and
37278 -+ the GCC trampolines.
37279 -+
37280 -+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
37281 -+ such programs will no longer work under your kernel.
37282 -+
37283 -+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
37284 -+ utilities to enable trampoline emulation for the affected programs
37285 -+ yet still have the protection provided by the non-executable pages.
37286 -+
37287 -+ On parisc and ppc you MUST enable this option and EMUSIGRT as
37288 -+ well, otherwise your system will not even boot.
37289 -+
37290 -+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
37291 -+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
37292 -+ for the affected files.
37293 -+
37294 -+ NOTE: enabling this feature *may* open up a loophole in the
37295 -+ protection provided by non-executable pages that an attacker
37296 -+ could abuse. Therefore the best solution is to not have any
37297 -+ files on your system that would require this option. This can
37298 -+ be achieved by not using libc5 (which relies on the kernel
37299 -+ signal handler return code) and not using or rewriting programs
37300 -+ that make use of the nested function implementation of GCC.
37301 -+ Skilled users can just fix GCC itself so that it implements
37302 -+ nested function calls in a way that does not interfere with PaX.
37303 -+
37304 -+config PAX_EMUSIGRT
37305 -+ bool "Automatically emulate sigreturn trampolines"
37306 -+ depends on PAX_EMUTRAMP && (PARISC || PPC32)
37307 -+ default y
37308 -+ help
37309 -+ Enabling this option will have the kernel automatically detect
37310 -+ and emulate signal return trampolines executing on the stack
37311 -+ that would otherwise lead to task termination.
37312 -+
37313 -+ This solution is intended as a temporary one for users with
37314 -+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
37315 -+ Modula-3 runtime, etc) or executables linked to such, basically
37316 -+ everything that does not specify its own SA_RESTORER function in
37317 -+ normal executable memory like glibc 2.1+ does.
37318 -+
37319 -+ On parisc and ppc you MUST enable this option, otherwise your
37320 -+ system will not even boot.
37321 -+
37322 -+ NOTE: this feature cannot be disabled on a per executable basis
37323 -+ and since it *does* open up a loophole in the protection provided
37324 -+ by non-executable pages, the best solution is to not have any
37325 -+ files on your system that would require this option.
37326 -+
37327 -+config PAX_MPROTECT
37328 -+ bool "Restrict mprotect()"
37329 -+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
37330 -+ help
37331 -+ Enabling this option will prevent programs from
37332 -+ - changing the executable status of memory pages that were
37333 -+ not originally created as executable,
37334 -+ - making read-only executable pages writable again,
37335 -+ - creating executable pages from anonymous memory.
37336 -+
37337 -+ You should say Y here to complete the protection provided by
37338 -+ the enforcement of non-executable pages.
37339 -+
37340 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
37341 -+ this feature on a per file basis.
37342 -+
37343 -+config PAX_NOELFRELOCS
37344 -+ bool "Disallow ELF text relocations"
37345 -+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
37346 -+ help
37347 -+ Non-executable pages and mprotect() restrictions are effective
37348 -+ in preventing the introduction of new executable code into an
37349 -+ attacked task's address space. There remain only two venues
37350 -+ for this kind of attack: if the attacker can execute already
37351 -+ existing code in the attacked task then he can either have it
37352 -+ create and mmap() a file containing his code or have it mmap()
37353 -+ an already existing ELF library that does not have position
37354 -+ independent code in it and use mprotect() on it to make it
37355 -+ writable and copy his code there. While protecting against
37356 -+ the former approach is beyond PaX, the latter can be prevented
37357 -+ by having only PIC ELF libraries on one's system (which do not
37358 -+ need to relocate their code). If you are sure this is your case,
37359 -+ then enable this option otherwise be careful as you may not even
37360 -+ be able to boot or log on your system (for example, some PAM
37361 -+ modules are erroneously compiled as non-PIC by default).
37362 -+
37363 -+ NOTE: if you are using dynamic ELF executables (as suggested
37364 -+ when using ASLR) then you must have made sure that you linked
37365 -+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
37366 -+ referenced there has already been updated to support this).
37367 -+
37368 -+config PAX_ETEXECRELOCS
37369 -+ bool "Allow ELF ET_EXEC text relocations"
37370 -+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
37371 -+ default y
37372 -+ help
37373 -+ On some architectures there are incorrectly created applications
37374 -+ that require text relocations and would not work without enabling
37375 -+ this option. If you are an alpha, ia64 or parisc user, you should
37376 -+ enable this option and disable it once you have made sure that
37377 -+ none of your applications need it.
37378 -+
37379 -+config PAX_EMUPLT
37380 -+ bool "Automatically emulate ELF PLT"
37381 -+ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
37382 -+ default y
37383 -+ help
37384 -+ Enabling this option will have the kernel automatically detect
37385 -+ and emulate the Procedure Linkage Table entries in ELF files.
37386 -+ On some architectures such entries are in writable memory, and
37387 -+ become non-executable leading to task termination. Therefore
37388 -+ it is mandatory that you enable this option on alpha, parisc,
37389 -+ ppc (if secure-plt is not used throughout in userland), sparc
37390 -+ and sparc64, otherwise your system would not even boot.
37391 -+
37392 -+ NOTE: this feature *does* open up a loophole in the protection
37393 -+ provided by the non-executable pages, therefore the proper
37394 -+ solution is to modify the toolchain to produce a PLT that does
37395 -+ not need to be writable.
37396 -+
37397 -+config PAX_DLRESOLVE
37398 -+ bool
37399 -+ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
37400 -+ default y
37401 -+
37402 -+config PAX_SYSCALL
37403 -+ bool
37404 -+ depends on PAX_PAGEEXEC && PPC32
37405 -+ default y
37406 -+
37407 -+config PAX_KERNEXEC
37408 -+ bool "Enforce non-executable kernel pages"
37409 -+ depends on PAX_NOEXEC && X86 && !EFI && !COMPAT_VDSO && (!X86_32 || X86_WP_WORKS_OK) && !PARAVIRT
37410 -+ help
37411 -+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
37412 -+ that is, enabling this option will make it harder to inject
37413 -+ and execute 'foreign' code in kernel memory itself.
37414 -+
37415 -+endmenu
37416 -+
37417 -+menu "Address Space Layout Randomization"
37418 -+ depends on PAX
37419 -+
37420 -+config PAX_ASLR
37421 -+ bool "Address Space Layout Randomization"
37422 -+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
37423 -+ help
37424 -+ Many if not most exploit techniques rely on the knowledge of
37425 -+ certain addresses in the attacked program. The following options
37426 -+ will allow the kernel to apply a certain amount of randomization
37427 -+ to specific parts of the program thereby forcing an attacker to
37428 -+ guess them in most cases. Any failed guess will most likely crash
37429 -+ the attacked program which allows the kernel to detect such attempts
37430 -+ and react on them. PaX itself provides no reaction mechanisms,
37431 -+ instead it is strongly encouraged that you make use of Nergal's
37432 -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
37433 -+ (http://www.grsecurity.net/) built-in crash detection features or
37434 -+ develop one yourself.
37435 -+
37436 -+ By saying Y here you can choose to randomize the following areas:
37437 -+ - top of the task's kernel stack
37438 -+ - top of the task's userland stack
37439 -+ - base address for mmap() requests that do not specify one
37440 -+ (this includes all libraries)
37441 -+ - base address of the main executable
37442 -+
37443 -+ It is strongly recommended to say Y here as address space layout
37444 -+ randomization has negligible impact on performance yet it provides
37445 -+ a very effective protection.
37446 -+
37447 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
37448 -+ this feature on a per file basis.
37449 -+
37450 -+config PAX_RANDKSTACK
37451 -+ bool "Randomize kernel stack base"
37452 -+ depends on PAX_ASLR && X86_TSC && X86_32
37453 -+ help
37454 -+ By saying Y here the kernel will randomize every task's kernel
37455 -+ stack on every system call. This will not only force an attacker
37456 -+ to guess it but also prevent him from making use of possible
37457 -+ leaked information about it.
37458 -+
37459 -+ Since the kernel stack is a rather scarce resource, randomization
37460 -+ may cause unexpected stack overflows, therefore you should very
37461 -+ carefully test your system. Note that once enabled in the kernel
37462 -+ configuration, this feature cannot be disabled on a per file basis.
37463 -+
37464 -+config PAX_RANDUSTACK
37465 -+ bool "Randomize user stack base"
37466 -+ depends on PAX_ASLR
37467 -+ help
37468 -+ By saying Y here the kernel will randomize every task's userland
37469 -+ stack. The randomization is done in two steps where the second
37470 -+ one may apply a big amount of shift to the top of the stack and
37471 -+ cause problems for programs that want to use lots of memory (more
37472 -+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
37473 -+ For this reason the second step can be controlled by 'chpax' or
37474 -+ 'paxctl' on a per file basis.
37475 -+
37476 -+config PAX_RANDMMAP
37477 -+ bool "Randomize mmap() base"
37478 -+ depends on PAX_ASLR
37479 -+ help
37480 -+ By saying Y here the kernel will use a randomized base address for
37481 -+ mmap() requests that do not specify one themselves. As a result
37482 -+ all dynamically loaded libraries will appear at random addresses
37483 -+ and therefore be harder to exploit by a technique where an attacker
37484 -+ attempts to execute library code for his purposes (e.g. spawn a
37485 -+ shell from an exploited program that is running at an elevated
37486 -+ privilege level).
37487 -+
37488 -+ Furthermore, if a program is relinked as a dynamic ELF file, its
37489 -+ base address will be randomized as well, completing the full
37490 -+ randomization of the address space layout. Attacking such programs
37491 -+ becomes a guess game. You can find an example of doing this at
37492 -+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
37493 -+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
37494 -+
37495 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
37496 -+ feature on a per file basis.
37497 -+
37498 -+endmenu
37499 -+
37500 -+menu "Miscellaneous hardening features"
37501 -+
37502 -+config PAX_MEMORY_SANITIZE
37503 -+ bool "Sanitize all freed memory"
37504 -+ help
37505 -+ By saying Y here the kernel will erase memory pages as soon as they
37506 -+ are freed. This in turn reduces the lifetime of data stored in the
37507 -+ pages, making it less likely that sensitive information such as
37508 -+ passwords, cryptographic secrets, etc stay in memory for too long.
37509 -+
37510 -+ This is especially useful for programs whose runtime is short, long
37511 -+ lived processes and the kernel itself benefit from this as long as
37512 -+ they operate on whole memory pages and ensure timely freeing of pages
37513 -+ that may hold sensitive information.
37514 -+
37515 -+ The tradeoff is performance impact, on a single CPU system kernel
37516 -+ compilation sees a 3% slowdown, other systems and workloads may vary
37517 -+ and you are advised to test this feature on your expected workload
37518 -+ before deploying it.
37519 -+
37520 -+ Note that this feature does not protect data stored in live pages,
37521 -+ e.g., process memory swapped to disk may stay there for a long time.
37522 -+
37523 -+config PAX_MEMORY_UDEREF
37524 -+ bool "Prevent invalid userland pointer dereference"
37525 -+ depends on X86_32 && !COMPAT_VDSO
37526 -+ help
37527 -+ By saying Y here the kernel will be prevented from dereferencing
37528 -+ userland pointers in contexts where the kernel expects only kernel
37529 -+ pointers. This is both a useful runtime debugging feature and a
37530 -+ security measure that prevents exploiting a class of kernel bugs.
37531 -+
37532 -+ The tradeoff is that some virtualization solutions may experience
37533 -+ a huge slowdown and therefore you should not enable this feature
37534 -+ for kernels meant to run in such environments. Whether a given VM
37535 -+ solution is affected or not is best determined by simply trying it
37536 -+ out, the performance impact will be obvious right on boot as this
37537 -+ mechanism engages from very early on. A good rule of thumb is that
37538 -+ VMs running on CPUs without hardware virtualization support (i.e.,
37539 -+ the majority of IA-32 CPUs) will likely experience the slowdown.
37540 -+
37541 -+endmenu
37542 -+
37543 -+endmenu
37544 -+
37545 - config KEYS
37546 - bool "Enable access key retention support"
37547 - help
37548 -diff -urNp linux-2.6.24.4/sound/core/oss/pcm_oss.c linux-2.6.24.4/sound/core/oss/pcm_oss.c
37549 ---- linux-2.6.24.4/sound/core/oss/pcm_oss.c 2008-03-24 14:49:18.000000000 -0400
37550 -+++ linux-2.6.24.4/sound/core/oss/pcm_oss.c 2008-03-26 17:56:56.000000000 -0400
37551 -@@ -2913,8 +2913,8 @@ static void snd_pcm_oss_proc_done(struct
37552 - }
37553 - }
37554 - #else /* !CONFIG_SND_VERBOSE_PROCFS */
37555 --#define snd_pcm_oss_proc_init(pcm)
37556 --#define snd_pcm_oss_proc_done(pcm)
37557 -+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
37558 -+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
37559 - #endif /* CONFIG_SND_VERBOSE_PROCFS */
37560 -
37561 - /*
37562 -diff -urNp linux-2.6.24.4/sound/core/seq/seq_lock.h linux-2.6.24.4/sound/core/seq/seq_lock.h
37563 ---- linux-2.6.24.4/sound/core/seq/seq_lock.h 2008-03-24 14:49:18.000000000 -0400
37564 -+++ linux-2.6.24.4/sound/core/seq/seq_lock.h 2008-03-26 17:56:56.000000000 -0400
37565 -@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
37566 - #else /* SMP || CONFIG_SND_DEBUG */
37567 -
37568 - typedef spinlock_t snd_use_lock_t; /* dummy */
37569 --#define snd_use_lock_init(lockp) /**/
37570 --#define snd_use_lock_use(lockp) /**/
37571 --#define snd_use_lock_free(lockp) /**/
37572 --#define snd_use_lock_sync(lockp) /**/
37573 -+#define snd_use_lock_init(lockp) do {} while (0)
37574 -+#define snd_use_lock_use(lockp) do {} while (0)
37575 -+#define snd_use_lock_free(lockp) do {} while (0)
37576 -+#define snd_use_lock_sync(lockp) do {} while (0)
37577 -
37578 - #endif /* SMP || CONFIG_SND_DEBUG */
37579 -
37580 -diff -urNp linux-2.6.24.4/sound/pci/ac97/ac97_patch.c linux-2.6.24.4/sound/pci/ac97/ac97_patch.c
37581 ---- linux-2.6.24.4/sound/pci/ac97/ac97_patch.c 2008-03-24 14:49:18.000000000 -0400
37582 -+++ linux-2.6.24.4/sound/pci/ac97/ac97_patch.c 2008-03-26 17:56:56.000000000 -0400
37583 -@@ -1478,7 +1478,7 @@ static const struct snd_ac97_res_table a
37584 - { AC97_VIDEO, 0x9f1f },
37585 - { AC97_AUX, 0x9f1f },
37586 - { AC97_PCM, 0x9f1f },
37587 -- { } /* terminator */
37588 -+ { 0, 0 } /* terminator */
37589 - };
37590 -
37591 - static int patch_ad1819(struct snd_ac97 * ac97)
37592 -@@ -3537,7 +3537,7 @@ static struct snd_ac97_res_table lm4550_
37593 - { AC97_AUX, 0x1f1f },
37594 - { AC97_PCM, 0x1f1f },
37595 - { AC97_REC_GAIN, 0x0f0f },
37596 -- { } /* terminator */
37597 -+ { 0, 0 } /* terminator */
37598 - };
37599 -
37600 - static int patch_lm4550(struct snd_ac97 *ac97)
37601 -diff -urNp linux-2.6.24.4/sound/pci/ens1370.c linux-2.6.24.4/sound/pci/ens1370.c
37602 ---- linux-2.6.24.4/sound/pci/ens1370.c 2008-03-24 14:49:18.000000000 -0400
37603 -+++ linux-2.6.24.4/sound/pci/ens1370.c 2008-03-26 17:56:56.000000000 -0400
37604 -@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
37605 - { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
37606 - { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
37607 - #endif
37608 -- { 0, }
37609 -+ { 0, 0, 0, 0, 0, 0, 0 }
37610 - };
37611 -
37612 - MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
37613 -diff -urNp linux-2.6.24.4/sound/pci/intel8x0.c linux-2.6.24.4/sound/pci/intel8x0.c
37614 ---- linux-2.6.24.4/sound/pci/intel8x0.c 2008-03-24 14:49:18.000000000 -0400
37615 -+++ linux-2.6.24.4/sound/pci/intel8x0.c 2008-03-26 17:56:56.000000000 -0400
37616 -@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
37617 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
37618 - { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
37619 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
37620 -- { 0, }
37621 -+ { 0, 0, 0, 0, 0, 0, 0 }
37622 - };
37623 -
37624 - MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
37625 -@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
37626 - .type = AC97_TUNE_HP_ONLY
37627 - },
37628 - #endif
37629 -- { } /* terminator */
37630 -+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
37631 - };
37632 -
37633 - static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
37634 -diff -urNp linux-2.6.24.4/sound/pci/intel8x0m.c linux-2.6.24.4/sound/pci/intel8x0m.c
37635 ---- linux-2.6.24.4/sound/pci/intel8x0m.c 2008-03-24 14:49:18.000000000 -0400
37636 -+++ linux-2.6.24.4/sound/pci/intel8x0m.c 2008-03-26 17:56:56.000000000 -0400
37637 -@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
37638 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
37639 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
37640 - #endif
37641 -- { 0, }
37642 -+ { 0, 0, 0, 0, 0, 0, 0 }
37643 - };
37644 -
37645 - MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
37646 -@@ -1261,7 +1261,7 @@ static struct shortname_table {
37647 - { 0x5455, "ALi M5455" },
37648 - { 0x746d, "AMD AMD8111" },
37649 - #endif
37650 -- { 0 },
37651 -+ { 0, NULL },
37652 - };
37653 -
37654 - static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
37655
37656 Copied: hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.5-200804211829.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4420_grsec-2.1.11-2.6.24.5-200804211829.patch)
37657 ===================================================================
37658 --- hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.5-200804211829.patch (rev 0)
37659 +++ hardened-sources/2.6/tags/2.6.24-2/4420_grsec-2.1.11-2.6.24.5-200804211829.patch 2008-04-30 11:37:34 UTC (rev 93)
37660 @@ -0,0 +1,37587 @@
37661 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/module.c linux-2.6.24.5/arch/alpha/kernel/module.c
37662 +--- linux-2.6.24.5/arch/alpha/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
37663 ++++ linux-2.6.24.5/arch/alpha/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
37664 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
37665 +
37666 + /* The small sections were sorted to the end of the segment.
37667 + The following should definitely cover them. */
37668 +- gp = (u64)me->module_core + me->core_size - 0x8000;
37669 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
37670 + got = sechdrs[me->arch.gotsecindex].sh_addr;
37671 +
37672 + for (i = 0; i < n; i++) {
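Review bot: the updated `gp` computation anchors the global pointer to the rw region (`me->module_core_rw + me->core_size_rw - 0x8000`), yet the comment above it still speaks of "the segment" as if the module core were a single allocation. Because the small sections and the GOT (`sechdrs[me->arch.gotsecindex].sh_addr`) must stay within gp's 32K reach, confirm that section layout places every gp-relative section in the rw core, and reword the comment to say the rw region is meant.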
37673 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/osf_sys.c linux-2.6.24.5/arch/alpha/kernel/osf_sys.c
37674 +--- linux-2.6.24.5/arch/alpha/kernel/osf_sys.c 2008-03-24 14:49:18.000000000 -0400
37675 ++++ linux-2.6.24.5/arch/alpha/kernel/osf_sys.c 2008-03-26 20:21:07.000000000 -0400
37676 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
37677 + merely specific addresses, but regions of memory -- perhaps
37678 + this feature should be incorporated into all ports? */
37679 +
37680 ++#ifdef CONFIG_PAX_RANDMMAP
37681 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
37682 ++#endif
37683 ++
37684 + if (addr) {
37685 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
37686 + if (addr != (unsigned long) -ENOMEM)
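Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` block wraps only the bare condition `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)`, leaving the pre-existing `if (addr) { ... }` as its dangling body; it compiles, but any later change that inserts a statement between the two silently changes which code the condition guards. Put the hint handling in its own braced block with the condition folded in, and add a comment stating that with RANDMMAP a file-backed address hint is deliberately ignored so a caller cannot pin a library outside the randomized region.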
37687 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
37688 + }
37689 +
37690 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
37691 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
37692 +- len, limit);
37693 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
37694 ++
37695 + if (addr != (unsigned long) -ENOMEM)
37696 + return addr;
37697 +
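Review bot: the context comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, since the search starts at `current->mm->mmap_base`; update it in the same hunk. The replacement line also folds the call onto one long line where the original wrapped after the first argument; keep the original wrapping so the diff shows only the substantive change.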
37698 +diff -urNp linux-2.6.24.5/arch/alpha/kernel/ptrace.c linux-2.6.24.5/arch/alpha/kernel/ptrace.c
37699 +--- linux-2.6.24.5/arch/alpha/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
37700 ++++ linux-2.6.24.5/arch/alpha/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
37701 +@@ -15,6 +15,7 @@
37702 + #include <linux/slab.h>
37703 + #include <linux/security.h>
37704 + #include <linux/signal.h>
37705 ++#include <linux/grsecurity.h>
37706 +
37707 + #include <asm/uaccess.h>
37708 + #include <asm/pgtable.h>
37709 +@@ -266,6 +267,9 @@ long arch_ptrace(struct task_struct *chi
37710 + size_t copied;
37711 + long ret;
37712 +
37713 ++ if (gr_handle_ptrace(child, request))
37714 ++ return -EPERM;
37715 ++
37716 + switch (request) {
37717 + /* When I and D space are separate, these will need to be fixed. */
37718 + case PTRACE_PEEKTEXT: /* read word at location addr. */
37719 +diff -urNp linux-2.6.24.5/arch/alpha/mm/fault.c linux-2.6.24.5/arch/alpha/mm/fault.c
37720 +--- linux-2.6.24.5/arch/alpha/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
37721 ++++ linux-2.6.24.5/arch/alpha/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
37722 +@@ -23,6 +23,7 @@
37723 + #include <linux/smp.h>
37724 + #include <linux/interrupt.h>
37725 + #include <linux/module.h>
37726 ++#include <linux/binfmts.h>
37727 +
37728 + #include <asm/system.h>
37729 + #include <asm/uaccess.h>
37730 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
37731 + __reload_thread(pcb);
37732 + }
37733 +
37734 ++#ifdef CONFIG_PAX_PAGEEXEC
37735 ++/*
37736 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
37737 ++ *
37738 ++ * returns 1 when task should be killed
37739 ++ * 2 when patched PLT trampoline was detected
37740 ++ * 3 when unpatched PLT trampoline was detected
37741 ++ */
37742 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
37743 ++{
37744 ++
37745 ++#ifdef CONFIG_PAX_EMUPLT
37746 ++ int err;
37747 ++
37748 ++ do { /* PaX: patched PLT emulation #1 */
37749 ++ unsigned int ldah, ldq, jmp;
37750 ++
37751 ++ err = get_user(ldah, (unsigned int *)regs->pc);
37752 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
37753 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
37754 ++
37755 ++ if (err)
37756 ++ break;
37757 ++
37758 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
37759 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
37760 ++ jmp == 0x6BFB0000U)
37761 ++ {
37762 ++ unsigned long r27, addr;
37763 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
37764 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
37765 ++
37766 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
37767 ++ err = get_user(r27, (unsigned long *)addr);
37768 ++ if (err)
37769 ++ break;
37770 ++
37771 ++ regs->r27 = r27;
37772 ++ regs->pc = r27;
37773 ++ return 2;
37774 ++ }
37775 ++ } while (0);
37776 ++
37777 ++ do { /* PaX: patched PLT emulation #2 */
37778 ++ unsigned int ldah, lda, br;
37779 ++
37780 ++ err = get_user(ldah, (unsigned int *)regs->pc);
37781 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
37782 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
37783 ++
37784 ++ if (err)
37785 ++ break;
37786 ++
37787 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
37788 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
37789 ++ (br & 0xFFE00000U) == 0xC3E00000U)
37790 ++ {
37791 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
37792 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
37793 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
37794 ++
37795 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
37796 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
37797 ++ return 2;
37798 ++ }
37799 ++ } while (0);
37800 ++
37801 ++ do { /* PaX: unpatched PLT emulation */
37802 ++ unsigned int br;
37803 ++
37804 ++ err = get_user(br, (unsigned int *)regs->pc);
37805 ++
37806 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
37807 ++ unsigned int br2, ldq, nop, jmp;
37808 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
37809 ++
37810 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
37811 ++ err = get_user(br2, (unsigned int *)addr);
37812 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
37813 ++ err |= get_user(nop, (unsigned int *)(addr+8));
37814 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
37815 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
37816 ++
37817 ++ if (err)
37818 ++ break;
37819 ++
37820 ++ if (br2 == 0xC3600000U &&
37821 ++ ldq == 0xA77B000CU &&
37822 ++ nop == 0x47FF041FU &&
37823 ++ jmp == 0x6B7B0000U)
37824 ++ {
37825 ++ regs->r28 = regs->pc+4;
37826 ++ regs->r27 = addr+16;
37827 ++ regs->pc = resolver;
37828 ++ return 3;
37829 ++ }
37830 ++ }
37831 ++ } while (0);
37832 ++#endif
37833 ++
37834 ++ return 1;
37835 ++}
37836 ++
37837 ++void pax_report_insns(void *pc, void *sp)
37838 ++{
37839 ++ unsigned long i;
37840 ++
37841 ++ printk(KERN_ERR "PAX: bytes at PC: ");
37842 ++ for (i = 0; i < 5; i++) {
37843 ++ unsigned int c;
37844 ++ if (get_user(c, (unsigned int *)pc+i))
37845 ++ printk("???????? ");
37846 ++ else
37847 ++ printk("%08x ", c);
37848 ++ }
37849 ++ printk("\n");
37850 ++}
37851 ++#endif
37852 +
37853 + /*
37854 + * This routine handles page faults. It determines the address,
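Review bot: the PLT matchers in `pax_handle_fetch_fault` compare fetched words against bare constants such as `(ldah & 0xFFFF0000U) == 0x277B0000U` and `jmp == 0x6BFB0000U` with no indication of which instruction and registers each mask accepts; a one-line comment per comparison giving the mnemonic and operands (as the block-level `/* PaX: patched PLT emulation #1 */` labels do for the sequence as a whole) would let a reviewer check the matcher against the Alpha PLT layouts without decoding opcodes by hand. The sign-extension idiom `((addrh ^ 0x80000000UL) + 0x80000000UL)` deserves the same treatment, and the three emulation blocks repeat the `get_user` / `if (err) break;` scaffolding verbatim, which a small helper would tidy.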
37855 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
37856 + good_area:
37857 + si_code = SEGV_ACCERR;
37858 + if (cause < 0) {
37859 +- if (!(vma->vm_flags & VM_EXEC))
37860 ++ if (!(vma->vm_flags & VM_EXEC)) {
37861 ++
37862 ++#ifdef CONFIG_PAX_PAGEEXEC
37863 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
37864 ++ goto bad_area;
37865 ++
37866 ++ up_read(&mm->mmap_sem);
37867 ++ switch (pax_handle_fetch_fault(regs)) {
37868 ++
37869 ++#ifdef CONFIG_PAX_EMUPLT
37870 ++ case 2:
37871 ++ case 3:
37872 ++ return;
37873 ++#endif
37874 ++
37875 ++ }
37876 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
37877 ++ do_group_exit(SIGKILL);
37878 ++#else
37879 + goto bad_area;
37880 ++#endif
37881 ++
37882 ++ }
37883 + } else if (!cause) {
37884 + /* Allow reads even for write-only mappings */
37885 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
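Review bot: `switch (pax_handle_fetch_fault(regs))` has no `default:` (or `case 1:`) arm, so with `CONFIG_PAX_EMUPLT` off the switch body is empty and the kill path is reached by falling out of it; add an explicit `default: break;` with a comment referring to the "returns 1 when task should be killed" contract so the intent is visible rather than implied. The `up_read(&mm->mmap_sem)` before the switch is required for the `return` in cases 2 and 3 and for `do_group_exit`, which is correct, but a comment noting that the lock is already dropped on every path out of this block would prevent someone adding a second `up_read` later.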
37886 +diff -urNp linux-2.6.24.5/arch/arm/mm/mmap.c linux-2.6.24.5/arch/arm/mm/mmap.c
37887 +--- linux-2.6.24.5/arch/arm/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
37888 ++++ linux-2.6.24.5/arch/arm/mm/mmap.c 2008-03-26 20:21:07.000000000 -0400
37889 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
37890 + if (len > TASK_SIZE)
37891 + return -ENOMEM;
37892 +
37893 ++#ifdef CONFIG_PAX_RANDMMAP
37894 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
37895 ++#endif
37896 ++
37897 + if (addr) {
37898 + if (do_align)
37899 + addr = COLOUR_ALIGN(addr, pgoff);
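Review bot: the same dangling conditional appears here: `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` / `#endif` takes the following `if (addr) {` block, including the `do_align` handling, as its body. Skipping the hint (and its alignment) when RANDMMAP applies to a file-backed mapping is the intended behaviour, but a brace pair around the hint logic with the condition inside would make that explicit and survive future edits.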
37900 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
37901 + return addr;
37902 + }
37903 + if (len > mm->cached_hole_size) {
37904 +- start_addr = addr = mm->free_area_cache;
37905 ++ start_addr = addr = mm->free_area_cache;
37906 + } else {
37907 +- start_addr = addr = TASK_UNMAPPED_BASE;
37908 +- mm->cached_hole_size = 0;
37909 ++ start_addr = addr = mm->mmap_base;
37910 ++ mm->cached_hole_size = 0;
37911 + }
37912 +
37913 + full_search:
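Review bot: the first pair of changed lines (`start_addr = addr = mm->free_area_cache;` removed and re-added) and the `mm->cached_hole_size = 0;` pair are whitespace-only changes; they bloat the hunk and bury the one real change (`TASK_UNMAPPED_BASE` to `mm->mmap_base`). Drop the whitespace churn.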
37914 +@@ -91,8 +95,8 @@ full_search:
37915 + * Start a new search - just in case we missed
37916 + * some holes.
37917 + */
37918 +- if (start_addr != TASK_UNMAPPED_BASE) {
37919 +- start_addr = addr = TASK_UNMAPPED_BASE;
37920 ++ if (start_addr != mm->mmap_base) {
37921 ++ start_addr = addr = mm->mmap_base;
37922 + mm->cached_hole_size = 0;
37923 + goto full_search;
37924 + }
37925 +diff -urNp linux-2.6.24.5/arch/avr32/mm/fault.c linux-2.6.24.5/arch/avr32/mm/fault.c
37926 +--- linux-2.6.24.5/arch/avr32/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
37927 ++++ linux-2.6.24.5/arch/avr32/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
37928 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
37929 +
37930 + int exception_trace = 1;
37931 +
37932 ++#ifdef CONFIG_PAX_PAGEEXEC
37933 ++void pax_report_insns(void *pc, void *sp)
37934 ++{
37935 ++ unsigned long i;
37936 ++
37937 ++ printk(KERN_ERR "PAX: bytes at PC: ");
37938 ++ for (i = 0; i < 20; i++) {
37939 ++ unsigned char c;
37940 ++ if (get_user(c, (unsigned char *)pc+i))
37941 ++ printk("???????? ");
37942 ++ else
37943 ++ printk("%02x ", c);
37944 ++ }
37945 ++ printk("\n");
37946 ++}
37947 ++#endif
37948 ++
37949 + /*
37950 + * This routine handles page faults. It determines the address and the
37951 + * problem, and then passes it off to one of the appropriate routines.
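Review bot: in the avr32 `pax_report_insns`, the unreadable-byte placeholder `"???????? "` is eight characters wide while a successful read prints two (`"%02x "`), so the dump misaligns as soon as one `get_user` fails; use `"?? "`. The dump length `20` is also a bare literal here and `5` in the alpha version; name the per-arch count as a constant so the two implementations are obviously deliberate rather than accidental.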
37952 +@@ -157,6 +174,16 @@ bad_area:
37953 + up_read(&mm->mmap_sem);
37954 +
37955 + if (user_mode(regs)) {
37956 ++
37957 ++#ifdef CONFIG_PAX_PAGEEXEC
37958 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
37959 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
37960 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
37961 ++ do_group_exit(SIGKILL);
37962 ++ }
37963 ++ }
37964 ++#endif
37965 ++
37966 + if (exception_trace && printk_ratelimit())
37967 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
37968 + "sp %08lx ecr %lu\n",
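Review bot: `do_group_exit(SIGKILL)` does not return, so for an execute fault (`ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X`) on a PAGEEXEC task the ratelimited `exception_trace` segfault line below is never printed and `pax_report_fault` is the only log record of the event; that is presumably intended, but a one-line comment saying the PaX report supersedes the generic segfault trace would help whoever correlates logs later.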
37969 +diff -urNp linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c
37970 +--- linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c 2008-03-24 14:49:18.000000000 -0400
37971 ++++ linux-2.6.24.5/arch/ia64/ia32/binfmt_elf32.c 2008-03-26 20:21:07.000000000 -0400
37972 +@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
37973 +
37974 + #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
37975 +
37976 ++#ifdef CONFIG_PAX_ASLR
37977 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
37978 ++
37979 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
37980 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
37981 ++#endif
37982 ++
37983 + /* Ugly but avoids duplication */
37984 + #include "../../../fs/binfmt_elf.c"
37985 +
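Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are defined as `16` for `PER_LINUX32` and `3*PAGE_SHIFT - 13` otherwise with no explanation; the `_LEN` suffix suggests a count of random bits, so document in a comment how `3*PAGE_SHIFT - 13` is derived and why it differs from the ia32 value, since without that it is impossible to check that the resulting range fits below `PAX_ELF_ET_DYN_BASE` for every supported page size.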
37986 +diff -urNp linux-2.6.24.5/arch/ia64/ia32/ia32priv.h linux-2.6.24.5/arch/ia64/ia32/ia32priv.h
37987 +--- linux-2.6.24.5/arch/ia64/ia32/ia32priv.h 2008-03-24 14:49:18.000000000 -0400
37988 ++++ linux-2.6.24.5/arch/ia64/ia32/ia32priv.h 2008-03-26 20:21:07.000000000 -0400
37989 +@@ -303,7 +303,14 @@ struct old_linux32_dirent {
37990 + #define ELF_DATA ELFDATA2LSB
37991 + #define ELF_ARCH EM_386
37992 +
37993 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
37994 ++#ifdef CONFIG_PAX_RANDUSTACK
37995 ++#define __IA32_DELTA_STACK (current->mm->delta_stack)
37996 ++#else
37997 ++#define __IA32_DELTA_STACK 0UL
37998 ++#endif
37999 ++
38000 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
38001 ++
38002 + #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
38003 + #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
38004 +
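Review bot: `IA32_STACK_TOP` now expands to `(IA32_PAGE_OFFSET - __IA32_DELTA_STACK)`, and with `CONFIG_PAX_RANDUSTACK` that dereferences `current->mm->delta_stack` on every use, so every existing user of the macro must run in the context of the task whose stack is being laid out with a valid `current->mm`; the hunk does not show those users, so please list them in the changelog. Note also that `IA32_GATE_OFFSET` stays at the fixed `IA32_PAGE_OFFSET`, so the gate page is not randomized along with the stack; if that is intentional, say so in a comment next to the new definition.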
38005 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/module.c linux-2.6.24.5/arch/ia64/kernel/module.c
38006 +--- linux-2.6.24.5/arch/ia64/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
38007 ++++ linux-2.6.24.5/arch/ia64/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
38008 +@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
38009 + void
38010 + module_free (struct module *mod, void *module_region)
38011 + {
38012 +- if (mod->arch.init_unw_table && module_region == mod->module_init) {
38013 ++ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
38014 + unw_remove_unwind_table(mod->arch.init_unw_table);
38015 + mod->arch.init_unw_table = NULL;
38016 + }
38017 +@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
38018 + }
38019 +
38020 + static inline int
38021 ++in_init_rx (const struct module *mod, uint64_t addr)
38022 ++{
38023 ++ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
38024 ++}
38025 ++
38026 ++static inline int
38027 ++in_init_rw (const struct module *mod, uint64_t addr)
38028 ++{
38029 ++ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
38030 ++}
38031 ++
38032 ++static inline int
38033 + in_init (const struct module *mod, uint64_t addr)
38034 + {
38035 +- return addr - (uint64_t) mod->module_init < mod->init_size;
38036 ++ return in_init_rx(mod, value) || in_init_rw(mod, value);
38037 ++}
38038 ++
38039 ++static inline int
38040 ++in_core_rx (const struct module *mod, uint64_t addr)
38041 ++{
38042 ++ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
38043 ++}
38044 ++
38045 ++static inline int
38046 ++in_core_rw (const struct module *mod, uint64_t addr)
38047 ++{
38048 ++ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
38049 + }
38050 +
38051 + static inline int
38052 + in_core (const struct module *mod, uint64_t addr)
38053 + {
38054 +- return addr - (uint64_t) mod->module_core < mod->core_size;
38055 ++ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
38056 + }
38057 +
38058 + static inline int
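Review bot: `in_init` references `value`, which is not in scope; its parameter is `addr`, so the line should read `return in_init_rx(mod, addr) || in_init_rw(mod, addr);`. Unless a file-scope `value` happens to exist, this does not compile on ia64 (the sibling `in_core` below already uses `addr` correctly).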
38059 +@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
38060 + break;
38061 +
38062 + case RV_BDREL:
38063 +- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
38064 ++ if (in_init_rx(mod, val))
38065 ++ val -= (uint64_t) mod->module_init_rx;
38066 ++ else if (in_init_rw(mod, val))
38067 ++ val -= (uint64_t) mod->module_init_rw;
38068 ++ else if (in_core_rx(mod, val))
38069 ++ val -= (uint64_t) mod->module_core_rx;
38070 ++ else if (in_core_rw(mod, val))
38071 ++ val -= (uint64_t) mod->module_core_rw;
38072 + break;
38073 +
38074 + case RV_LTV:
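Review bot: the new `RV_BDREL` chain subtracts a region base only when one of `in_init_rx`/`in_init_rw`/`in_core_rx`/`in_core_rw` holds, whereas the removed line always subtracted one of the two bases; a value outside all four regions now silently keeps its absolute value and a wrong relocation is emitted. Add a final `else` that reports the bad relocation and makes `do_reloc` return an error.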
38075 +@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
38076 + * addresses have been selected...
38077 + */
38078 + uint64_t gp;
38079 +- if (mod->core_size > MAX_LTOFF)
38080 ++ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
38081 + /*
38082 + * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
38083 + * at the end of the module.
38084 + */
38085 +- gp = mod->core_size - MAX_LTOFF / 2;
38086 ++ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
38087 + else
38088 +- gp = mod->core_size / 2;
38089 +- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
38090 ++ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
38091 ++ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
38092 + mod->arch.gp = gp;
38093 + DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
38094 + }
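Review bot: the gp placement at the end of this hunk adds `core_size_rx` and `core_size_rw` together and then offsets the result from `module_core_rx`, which is only meaningful if the rw region is allocated directly after the rx region as one contiguous block; with two separate allocations the midpoint of the combined size may fall outside both regions, and the "SHF_ARCH_SMALL gets allocated at the end of the module" comment no longer describes the layout. Either document that contiguity guarantee next to `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);` or compute gp from `module_core_rw` and `core_size_rw` alone if the small-data sections end up in the writable half.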
38095 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/ptrace.c linux-2.6.24.5/arch/ia64/kernel/ptrace.c
38096 +--- linux-2.6.24.5/arch/ia64/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
38097 ++++ linux-2.6.24.5/arch/ia64/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
38098 +@@ -17,6 +17,7 @@
38099 + #include <linux/security.h>
38100 + #include <linux/audit.h>
38101 + #include <linux/signal.h>
38102 ++#include <linux/grsecurity.h>
38103 +
38104 + #include <asm/pgtable.h>
38105 + #include <asm/processor.h>
38106 +@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
38107 + if (pid == 1) /* no messing around with init! */
38108 + goto out_tsk;
38109 +
38110 ++ if (gr_handle_ptrace(child, request))
38111 ++ goto out_tsk;
38112 ++
38113 + if (request == PTRACE_ATTACH) {
38114 + ret = ptrace_attach(child);
38115 + goto out_tsk;
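Review bot: `goto out_tsk` after `gr_handle_ptrace()` returns whatever is already in `ret` without assigning an error here; that is only correct if `ret` still holds an error code at this point, as the preceding `pid == 1` check assumes. Confirm nothing between that assignment and the new check overwrites `ret`, otherwise a ptrace request denied by grsecurity would report success to the tracer.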
38116 +diff -urNp linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c
38117 +--- linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c 2008-03-24 14:49:18.000000000 -0400
38118 ++++ linux-2.6.24.5/arch/ia64/kernel/sys_ia64.c 2008-03-26 20:21:07.000000000 -0400
38119 +@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
38120 + if (REGION_NUMBER(addr) == RGN_HPAGE)
38121 + addr = 0;
38122 + #endif
38123 ++
38124 ++#ifdef CONFIG_PAX_RANDMMAP
38125 ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
38126 ++ addr = mm->free_area_cache;
38127 ++ else
38128 ++#endif
38129 ++
38130 + if (!addr)
38131 + addr = mm->free_area_cache;
38132 +
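Review bot: the `else` that closes the CONFIG_PAX_RANDMMAP block binds across the `#endif` to the pre-existing `if (!addr)`, so with randomisation on and a non-zero hint for a file mapping the hint is replaced by `free_area_cache` and the `if (!addr)` test is skipped. That is presumably the intent, but it is invisible to anyone reading the unpatched `if (!addr)` line; wrap the whole construct in braces or add a comment stating that user hints are deliberately ignored for file mappings under RANDMMAP, so a later edit to `if (!addr)` cannot silently change the control flow.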
38133 +@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
38134 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
38135 + /* At this point: (!vma || addr < vma->vm_end). */
38136 + if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
38137 +- if (start_addr != TASK_UNMAPPED_BASE) {
38138 ++ if (start_addr != mm->mmap_base) {
38139 + /* Start a new search --- just in case we missed some holes. */
38140 +- addr = TASK_UNMAPPED_BASE;
38141 ++ addr = mm->mmap_base;
38142 + goto full_search;
38143 + }
38144 + return -ENOMEM;
38145 +diff -urNp linux-2.6.24.5/arch/ia64/mm/fault.c linux-2.6.24.5/arch/ia64/mm/fault.c
38146 +--- linux-2.6.24.5/arch/ia64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38147 ++++ linux-2.6.24.5/arch/ia64/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38148 +@@ -10,6 +10,7 @@
38149 + #include <linux/interrupt.h>
38150 + #include <linux/kprobes.h>
38151 + #include <linux/kdebug.h>
38152 ++#include <linux/binfmts.h>
38153 +
38154 + #include <asm/pgtable.h>
38155 + #include <asm/processor.h>
38156 +@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
38157 + return pte_present(pte);
38158 + }
38159 +
38160 ++#ifdef CONFIG_PAX_PAGEEXEC
38161 ++void pax_report_insns(void *pc, void *sp)
38162 ++{
38163 ++ unsigned long i;
38164 ++
38165 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38166 ++ for (i = 0; i < 8; i++) {
38167 ++ unsigned int c;
38168 ++ if (get_user(c, (unsigned int *)pc+i))
38169 ++ printk("???????? ");
38170 ++ else
38171 ++ printk("%08x ", c);
38172 ++ }
38173 ++ printk("\n");
38174 ++}
38175 ++#endif
38176 ++
38177 + void __kprobes
38178 + ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
38179 + {
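Review bot: `pax_report_insns(void *pc, void *sp)` takes an `sp` argument it never uses, and the MIPS definition later in this patch is `pax_report_insns(void *pc)` with a different arity and a 5-word loop instead of 8, so whichever prototype the shared header declares will mismatch one of the definitions. Settle on one signature across architectures, and since `(unsigned int *)pc+i` walks 4-byte words, state in a comment that the 8 words here are meant to cover two 16-byte ia64 bundles.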
38180 +@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
38181 + mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
38182 + | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
38183 +
38184 +- if ((vma->vm_flags & mask) != mask)
38185 ++ if ((vma->vm_flags & mask) != mask) {
38186 ++
38187 ++#ifdef CONFIG_PAX_PAGEEXEC
38188 ++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
38189 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
38190 ++ goto bad_area;
38191 ++
38192 ++ up_read(&mm->mmap_sem);
38193 ++ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
38194 ++ do_group_exit(SIGKILL);
38195 ++ }
38196 ++#endif
38197 ++
38198 + goto bad_area;
38199 +
38200 ++ }
38201 ++
38202 + survive:
38203 + /*
38204 + * If for any reason at all we couldn't handle the fault, make
38205 +diff -urNp linux-2.6.24.5/arch/ia64/mm/init.c linux-2.6.24.5/arch/ia64/mm/init.c
38206 +--- linux-2.6.24.5/arch/ia64/mm/init.c 2008-03-24 14:49:18.000000000 -0400
38207 ++++ linux-2.6.24.5/arch/ia64/mm/init.c 2008-03-26 20:21:07.000000000 -0400
38208 +@@ -20,8 +20,8 @@
38209 + #include <linux/proc_fs.h>
38210 + #include <linux/bitops.h>
38211 + #include <linux/kexec.h>
38212 ++#include <linux/a.out.h>
38213 +
38214 +-#include <asm/a.out.h>
38215 + #include <asm/dma.h>
38216 + #include <asm/ia32.h>
38217 + #include <asm/io.h>
38218 +@@ -128,6 +128,19 @@ ia64_init_addr_space (void)
38219 + vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
38220 + vma->vm_end = vma->vm_start + PAGE_SIZE;
38221 + vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
38222 ++
38223 ++#ifdef CONFIG_PAX_PAGEEXEC
38224 ++ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
38225 ++ vm->vm_flags &= ~VM_EXEC;
38226 ++
38227 ++#ifdef CONFIG_PAX_MPROTECT
38228 ++ if (current->mm->pax_flags & MF_PAX_MPROTECT)
38229 ++ vma->vm_flags &= ~VM_MAYEXEC;
38230 ++#endif
38231 ++
38232 ++ }
38233 ++#endif
38234 ++
38235 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
38236 + down_write(&current->mm->mmap_sem);
38237 + if (insert_vm_struct(current->mm, vma)) {
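Review bot: `vm->vm_flags &= ~VM_EXEC;` refers to an identifier `vm` that does not exist in ia64_init_addr_space; the vma being set up is `vma` (see `vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;` just above and `vma->vm_flags &= ~VM_MAYEXEC;` inside the same block), so a kernel built with CONFIG_PAX_PAGEEXEC on ia64 fails to compile at this line. Change it to `vma->vm_flags &= ~VM_EXEC;`.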
38238 +diff -urNp linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c
38239 +--- linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c 2008-03-24 14:49:18.000000000 -0400
38240 ++++ linux-2.6.24.5/arch/mips/kernel/binfmt_elfn32.c 2008-03-26 20:21:07.000000000 -0400
38241 +@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
38242 + #undef ELF_ET_DYN_BASE
38243 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
38244 +
38245 ++#ifdef CONFIG_PAX_ASLR
38246 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
38247 ++
38248 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38249 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38250 ++#endif
38251 ++
38252 + #include <asm/processor.h>
38253 + #include <linux/module.h>
38254 + #include <linux/elfcore.h>
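Review bot: `PAX_ELF_ET_DYN_BASE` tests `MF_32BIT_ADDR` and then yields 0x00400000UL in both arms, so the ternary is dead; either the 64-bit base value is missing or the conditional should be reduced to the constant. The two PAX_DELTA_*_LEN macros directly below do differ by address size (27 vs 36 minus PAGE_SHIFT), which suggests the ET_DYN base was meant to differ as well.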
38255 +diff -urNp linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c
38256 +--- linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c 2008-03-24 14:49:18.000000000 -0400
38257 ++++ linux-2.6.24.5/arch/mips/kernel/binfmt_elfo32.c 2008-03-26 20:21:07.000000000 -0400
38258 +@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
38259 + #undef ELF_ET_DYN_BASE
38260 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
38261 +
38262 ++#ifdef CONFIG_PAX_ASLR
38263 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
38264 ++
38265 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38266 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
38267 ++#endif
38268 ++
38269 + #include <asm/processor.h>
38270 + #include <linux/module.h>
38271 + #include <linux/elfcore.h>
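Review bot: same dead ternary as in binfmt_elfn32.c, both arms of `PAX_ELF_ET_DYN_BASE` are 0x00400000UL. Supply the intended 64-bit value or drop the conditional, and consider moving these identical PAX_* definitions out of the n32 and o32 files into one shared MIPS header so the two copies cannot drift apart.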
38272 +diff -urNp linux-2.6.24.5/arch/mips/kernel/syscall.c linux-2.6.24.5/arch/mips/kernel/syscall.c
38273 +--- linux-2.6.24.5/arch/mips/kernel/syscall.c 2008-03-24 14:49:18.000000000 -0400
38274 ++++ linux-2.6.24.5/arch/mips/kernel/syscall.c 2008-03-26 20:21:07.000000000 -0400
38275 +@@ -93,6 +93,11 @@ unsigned long arch_get_unmapped_area(str
38276 + do_color_align = 0;
38277 + if (filp || (flags & MAP_SHARED))
38278 + do_color_align = 1;
38279 ++
38280 ++#ifdef CONFIG_PAX_RANDMMAP
38281 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
38282 ++#endif
38283 ++
38284 + if (addr) {
38285 + if (do_color_align)
38286 + addr = COLOUR_ALIGN(addr, pgoff);
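Review bot: the `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` inserted under `#ifdef CONFIG_PAX_RANDMMAP` has no braces and becomes the condition of the pre-existing `if (addr) {` block, so the caller's hint is honoured only when randomisation is off or the mapping is anonymous. That is presumably intended, but a reader of the unpatched `if (addr)` line cannot see it; fold both tests into one `if` with a comment, or wrap the block in braces, so the semantics survive future edits.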
38287 +@@ -103,7 +108,7 @@ unsigned long arch_get_unmapped_area(str
38288 + (!vmm || addr + len <= vmm->vm_start))
38289 + return addr;
38290 + }
38291 +- addr = TASK_UNMAPPED_BASE;
38292 ++ addr = current->mm->mmap_base;
38293 + if (do_color_align)
38294 + addr = COLOUR_ALIGN(addr, pgoff);
38295 + else
38296 +diff -urNp linux-2.6.24.5/arch/mips/mm/fault.c linux-2.6.24.5/arch/mips/mm/fault.c
38297 +--- linux-2.6.24.5/arch/mips/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38298 ++++ linux-2.6.24.5/arch/mips/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38299 +@@ -26,6 +26,23 @@
38300 + #include <asm/ptrace.h>
38301 + #include <asm/highmem.h> /* For VMALLOC_END */
38302 +
38303 ++#ifdef CONFIG_PAX_PAGEEXEC
38304 ++void pax_report_insns(void *pc)
38305 ++{
38306 ++ unsigned long i;
38307 ++
38308 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38309 ++ for (i = 0; i < 5; i++) {
38310 ++ unsigned int c;
38311 ++ if (get_user(c, (unsigned int *)pc+i))
38312 ++ printk("???????? ");
38313 ++ else
38314 ++ printk("%08x ", c);
38315 ++ }
38316 ++ printk("\n");
38317 ++}
38318 ++#endif
38319 ++
38320 + /*
38321 + * This routine handles page faults. It determines the address,
38322 + * and the problem, and then passes it off to one of the appropriate
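Review bot: this `pax_report_insns(void *pc)` has a different signature from the ia64 and parisc definitions in the same patch, which are `pax_report_insns(void *pc, void *sp)`; if the three are declared through one common prototype, the MIPS version will either fail against the declaration or be called with a mismatched argument list. Align the signature with the other architectures, and say in a comment why MIPS dumps 5 words where ia64 dumps 8.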
38323 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/module.c linux-2.6.24.5/arch/parisc/kernel/module.c
38324 +--- linux-2.6.24.5/arch/parisc/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
38325 ++++ linux-2.6.24.5/arch/parisc/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
38326 +@@ -73,16 +73,38 @@
38327 +
38328 + /* three functions to determine where in the module core
38329 + * or init pieces the location is */
38330 ++static inline int in_init_rx(struct module *me, void *loc)
38331 ++{
38332 ++ return (loc >= me->module_init_rx &&
38333 ++ loc < (me->module_init_rx + me->init_size_rx));
38334 ++}
38335 ++
38336 ++static inline int in_init_rw(struct module *me, void *loc)
38337 ++{
38338 ++ return (loc >= me->module_init_rw &&
38339 ++ loc < (me->module_init_rw + me->init_size_rw));
38340 ++}
38341 ++
38342 + static inline int in_init(struct module *me, void *loc)
38343 + {
38344 +- return (loc >= me->module_init &&
38345 +- loc <= (me->module_init + me->init_size));
38346 ++ return in_init_rx(me, loc) || in_init_rw(me, loc);
38347 ++}
38348 ++
38349 ++static inline int in_core_rx(struct module *me, void *loc)
38350 ++{
38351 ++ return (loc >= me->module_core_rx &&
38352 ++ loc < (me->module_core_rx + me->core_size_rx));
38353 ++}
38354 ++
38355 ++static inline int in_core_rw(struct module *me, void *loc)
38356 ++{
38357 ++ return (loc >= me->module_core_rw &&
38358 ++ loc < (me->module_core_rw + me->core_size_rw));
38359 + }
38360 +
38361 + static inline int in_core(struct module *me, void *loc)
38362 + {
38363 +- return (loc >= me->module_core &&
38364 +- loc <= (me->module_core + me->core_size));
38365 ++ return in_core_rx(me, loc) || in_core_rw(me, loc);
38366 + }
38367 +
38368 + static inline int in_local(struct module *me, void *loc)
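Review bot: besides splitting the ranges into rx/rw, this hunk changes the end test from `<=` to `<` (the old `loc <= (me->module_init + me->init_size)` accepted the one-past-the-end address), which is a behavioural fix in its own right and deserves a line in the changelog. The new helpers compare `void *` values using arithmetic on `me->module_init_rx + me->init_size_rx`, which relies on the GNU void-pointer extension just as the replaced code did.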
38369 +@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
38370 + }
38371 +
38372 + /* align things a bit */
38373 +- me->core_size = ALIGN(me->core_size, 16);
38374 +- me->arch.got_offset = me->core_size;
38375 +- me->core_size += gots * sizeof(struct got_entry);
38376 +-
38377 +- me->core_size = ALIGN(me->core_size, 16);
38378 +- me->arch.fdesc_offset = me->core_size;
38379 +- me->core_size += fdescs * sizeof(Elf_Fdesc);
38380 +-
38381 +- me->core_size = ALIGN(me->core_size, 16);
38382 +- me->arch.stub_offset = me->core_size;
38383 +- me->core_size += stubs * sizeof(struct stub_entry);
38384 +-
38385 +- me->init_size = ALIGN(me->init_size, 16);
38386 +- me->arch.init_stub_offset = me->init_size;
38387 +- me->init_size += init_stubs * sizeof(struct stub_entry);
38388 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
38389 ++ me->arch.got_offset = me->core_size_rw;
38390 ++ me->core_size_rw += gots * sizeof(struct got_entry);
38391 ++
38392 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
38393 ++ me->arch.fdesc_offset = me->core_size_rw;
38394 ++ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
38395 ++
38396 ++ me->core_size_rx = ALIGN(me->core_size_rx, 16);
38397 ++ me->arch.stub_offset = me->core_size_rx;
38398 ++ me->core_size_rx += stubs * sizeof(struct stub_entry);
38399 ++
38400 ++ me->init_size_rx = ALIGN(me->init_size_rx, 16);
38401 ++ me->arch.init_stub_offset = me->init_size_rx;
38402 ++ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
38403 +
38404 + me->arch.got_max = gots;
38405 + me->arch.fdesc_max = fdescs;
38406 +@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
38407 +
38408 + BUG_ON(value == 0);
38409 +
38410 +- got = me->module_core + me->arch.got_offset;
38411 ++ got = me->module_core_rw + me->arch.got_offset;
38412 + for (i = 0; got[i].addr; i++)
38413 + if (got[i].addr == value)
38414 + goto out;
38415 +@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
38416 + #ifdef CONFIG_64BIT
38417 + static Elf_Addr get_fdesc(struct module *me, unsigned long value)
38418 + {
38419 +- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
38420 ++ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
38421 +
38422 + if (!value) {
38423 + printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
38424 +@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
38425 +
38426 + /* Create new one */
38427 + fdesc->addr = value;
38428 +- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
38429 ++ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
38430 + return (Elf_Addr)fdesc;
38431 + }
38432 + #endif /* CONFIG_64BIT */
38433 +@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
38434 + if(init_section) {
38435 + i = me->arch.init_stub_count++;
38436 + BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
38437 +- stub = me->module_init + me->arch.init_stub_offset +
38438 ++ stub = me->module_init_rx + me->arch.init_stub_offset +
38439 + i * sizeof(struct stub_entry);
38440 + } else {
38441 + i = me->arch.stub_count++;
38442 + BUG_ON(me->arch.stub_count > me->arch.stub_max);
38443 +- stub = me->module_core + me->arch.stub_offset +
38444 ++ stub = me->module_core_rx + me->arch.stub_offset +
38445 + i * sizeof(struct stub_entry);
38446 + }
38447 +
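Review bot: get_stub now returns an address inside `module_core_rx` / `module_init_rx`, and since the returned stub entry is written to during relocation, the rx regions must still be writable while apply_relocate_add runs and be switched to read-only/executable only afterwards; confirm that the generic module loader enforces that ordering for the rx allocations, or every stub write will fault. Moving the GOT and fdesc tables to `module_core_rw` in the earlier hunks is the consistent half of this split.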
38448 +@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
38449 +
38450 + table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
38451 + end = table + sechdrs[me->arch.unwind_section].sh_size;
38452 +- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
38453 ++ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
38454 +
38455 + DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
38456 + me->arch.unwind_section, table, end, gp);
38457 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c
38458 +--- linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c 2008-03-24 14:49:18.000000000 -0400
38459 ++++ linux-2.6.24.5/arch/parisc/kernel/sys_parisc.c 2008-03-26 20:21:07.000000000 -0400
38460 +@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
38461 + if (flags & MAP_FIXED)
38462 + return addr;
38463 + if (!addr)
38464 +- addr = TASK_UNMAPPED_BASE;
38465 ++ addr = current->mm->mmap_base;
38466 +
38467 + if (filp) {
38468 + addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
38469 +diff -urNp linux-2.6.24.5/arch/parisc/kernel/traps.c linux-2.6.24.5/arch/parisc/kernel/traps.c
38470 +--- linux-2.6.24.5/arch/parisc/kernel/traps.c 2008-03-24 14:49:18.000000000 -0400
38471 ++++ linux-2.6.24.5/arch/parisc/kernel/traps.c 2008-03-26 20:21:07.000000000 -0400
38472 +@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
38473 +
38474 + down_read(&current->mm->mmap_sem);
38475 + vma = find_vma(current->mm,regs->iaoq[0]);
38476 +- if (vma && (regs->iaoq[0] >= vma->vm_start)
38477 +- && (vma->vm_flags & VM_EXEC)) {
38478 +-
38479 ++ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
38480 + fault_address = regs->iaoq[0];
38481 + fault_space = regs->iasq[0];
38482 +
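Review bot: dropping `(vma->vm_flags & VM_EXEC)` from this condition means an instruction fetch from a non-executable vma now takes the same branch as an ordinary code fetch in handle_interruption and reaches do_page_fault, where the new PAGEEXEC logic decides whether to emulate or kill, instead of whatever the else branch did before. That is the point of the change, but it is invisible here and it also applies to kernels built without PaX, so either guard it with `#ifdef CONFIG_PAX_PAGEEXEC` or explain in the changelog why the unconditional form is correct.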
38483 +diff -urNp linux-2.6.24.5/arch/parisc/mm/fault.c linux-2.6.24.5/arch/parisc/mm/fault.c
38484 +--- linux-2.6.24.5/arch/parisc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38485 ++++ linux-2.6.24.5/arch/parisc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38486 +@@ -16,6 +16,8 @@
38487 + #include <linux/sched.h>
38488 + #include <linux/interrupt.h>
38489 + #include <linux/module.h>
38490 ++#include <linux/unistd.h>
38491 ++#include <linux/binfmts.h>
38492 +
38493 + #include <asm/uaccess.h>
38494 + #include <asm/traps.h>
38495 +@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
38496 + static unsigned long
38497 + parisc_acctyp(unsigned long code, unsigned int inst)
38498 + {
38499 +- if (code == 6 || code == 16)
38500 ++ if (code == 6 || code == 7 || code == 16)
38501 + return VM_EXEC;
38502 +
38503 + switch (inst & 0xf0000000) {
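Review bot: `code == 7` joins 6 and 16 as an execute-type access without any comment on what these trap numbers are; the existing two were already magic numbers, and the new one (presumably the instruction memory protection trap, added so PAGEEXEC violations classify as VM_EXEC) should be named in a comment so the next reader does not have to consult the PA-RISC interruption table to follow `parisc_acctyp`.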
38504 +@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
38505 + }
38506 + #endif
38507 +
38508 ++#ifdef CONFIG_PAX_PAGEEXEC
38509 ++/*
38510 ++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
38511 ++ *
38512 ++ * returns 1 when task should be killed
38513 ++ * 2 when rt_sigreturn trampoline was detected
38514 ++ * 3 when unpatched PLT trampoline was detected
38515 ++ */
38516 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
38517 ++{
38518 ++
38519 ++#ifdef CONFIG_PAX_EMUPLT
38520 ++ int err;
38521 ++
38522 ++ do { /* PaX: unpatched PLT emulation */
38523 ++ unsigned int bl, depwi;
38524 ++
38525 ++ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
38526 ++ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
38527 ++
38528 ++ if (err)
38529 ++ break;
38530 ++
38531 ++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
38532 ++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
38533 ++
38534 ++ err = get_user(ldw, (unsigned int *)addr);
38535 ++ err |= get_user(bv, (unsigned int *)(addr+4));
38536 ++ err |= get_user(ldw2, (unsigned int *)(addr+8));
38537 ++
38538 ++ if (err)
38539 ++ break;
38540 ++
38541 ++ if (ldw == 0x0E801096U &&
38542 ++ bv == 0xEAC0C000U &&
38543 ++ ldw2 == 0x0E881095U)
38544 ++ {
38545 ++ unsigned int resolver, map;
38546 ++
38547 ++ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
38548 ++ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
38549 ++ if (err)
38550 ++ break;
38551 ++
38552 ++ regs->gr[20] = instruction_pointer(regs)+8;
38553 ++ regs->gr[21] = map;
38554 ++ regs->gr[22] = resolver;
38555 ++ regs->iaoq[0] = resolver | 3UL;
38556 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
38557 ++ return 3;
38558 ++ }
38559 ++ }
38560 ++ } while (0);
38561 ++#endif
38562 ++
38563 ++#ifdef CONFIG_PAX_EMUTRAMP
38564 ++
38565 ++#ifndef CONFIG_PAX_EMUSIGRT
38566 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
38567 ++ return 1;
38568 ++#endif
38569 ++
38570 ++ do { /* PaX: rt_sigreturn emulation */
38571 ++ unsigned int ldi1, ldi2, bel, nop;
38572 ++
38573 ++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
38574 ++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
38575 ++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
38576 ++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
38577 ++
38578 ++ if (err)
38579 ++ break;
38580 ++
38581 ++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
38582 ++ ldi2 == 0x3414015AU &&
38583 ++ bel == 0xE4008200U &&
38584 ++ nop == 0x08000240U)
38585 ++ {
38586 ++ regs->gr[25] = (ldi1 & 2) >> 1;
38587 ++ regs->gr[20] = __NR_rt_sigreturn;
38588 ++ regs->gr[31] = regs->iaoq[1] + 16;
38589 ++ regs->sr[0] = regs->iasq[1];
38590 ++ regs->iaoq[0] = 0x100UL;
38591 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
38592 ++ regs->iasq[0] = regs->sr[2];
38593 ++ regs->iasq[1] = regs->sr[2];
38594 ++ return 2;
38595 ++ }
38596 ++ } while (0);
38597 ++#endif
38598 ++
38599 ++ return 1;
38600 ++}
38601 ++
38602 ++void pax_report_insns(void *pc, void *sp)
38603 ++{
38604 ++ unsigned long i;
38605 ++
38606 ++ printk(KERN_ERR "PAX: bytes at PC: ");
38607 ++ for (i = 0; i < 5; i++) {
38608 ++ unsigned int c;
38609 ++ if (get_user(c, (unsigned int *)pc+i))
38610 ++ printk("???????? ");
38611 ++ else
38612 ++ printk("%08x ", c);
38613 ++ }
38614 ++ printk("\n");
38615 ++}
38616 ++#endif
38617 ++
38618 + void do_page_fault(struct pt_regs *regs, unsigned long code,
38619 + unsigned long address)
38620 + {
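Review bot: `int err;` is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the `#ifdef CONFIG_PAX_EMUTRAMP` block below uses `err` for its four `get_user` calls, so a configuration with EMUTRAMP enabled and EMUPLT disabled does not compile. Hoist the declaration under a combined `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` guard, mirroring the powerpc version of this function. Two smaller points in the same hunk: the parisc `pax_report_insns(void *pc, void *sp)` never uses `sp`, and the raw opcode constants (0xEA9F1FDDU, 0xD6801C1EU, 0x34190000U, ...) would be far easier to audit with the mnemonic and operands written beside each one.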
38621 +@@ -165,8 +277,33 @@ good_area:
38622 +
38623 + acc_type = parisc_acctyp(code,regs->iir);
38624 +
38625 +- if ((vma->vm_flags & acc_type) != acc_type)
38626 ++ if ((vma->vm_flags & acc_type) != acc_type) {
38627 ++
38628 ++#ifdef CONFIG_PAX_PAGEEXEC
38629 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
38630 ++ (address & ~3UL) == instruction_pointer(regs))
38631 ++ {
38632 ++ up_read(&mm->mmap_sem);
38633 ++ switch (pax_handle_fetch_fault(regs)) {
38634 ++
38635 ++#ifdef CONFIG_PAX_EMUPLT
38636 ++ case 3:
38637 ++ return;
38638 ++#endif
38639 ++
38640 ++#ifdef CONFIG_PAX_EMUTRAMP
38641 ++ case 2:
38642 ++ return;
38643 ++#endif
38644 ++
38645 ++ }
38646 ++ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
38647 ++ do_group_exit(SIGKILL);
38648 ++ }
38649 ++#endif
38650 ++
38651 + goto bad_area;
38652 ++ }
38653 +
38654 + /*
38655 + * If for any reason at all we couldn't handle the fault, make
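Review bot: with neither CONFIG_PAX_EMUPLT nor CONFIG_PAX_EMUTRAMP set, `switch (pax_handle_fetch_fault(regs))` compiles to a switch with no cases and the only reachable outcome is the kill path, so the call and the switch belong under the same `#if defined(...) || defined(...)` as the cases. Also add a one-line comment at `up_read(&mm->mmap_sem);` saying it is dropped deliberately because pax_handle_fetch_fault calls `get_user`, which may fault and re-enter the page fault path.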
38656 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/module_32.c linux-2.6.24.5/arch/powerpc/kernel/module_32.c
38657 +--- linux-2.6.24.5/arch/powerpc/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
38658 ++++ linux-2.6.24.5/arch/powerpc/kernel/module_32.c 2008-03-26 20:21:07.000000000 -0400
38659 +@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
38660 + me->arch.core_plt_section = i;
38661 + }
38662 + if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
38663 +- printk("Module doesn't contain .plt or .init.plt sections.\n");
38664 ++ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
38665 + return -ENOEXEC;
38666 + }
38667 +
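Review bot: including the module name in the message is the right fix, but the `printk` still has no log level; since the load is being rejected with -ENOEXEC it should be `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`.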
38668 +@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
38669 +
38670 + DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
38671 + /* Init, or core PLT? */
38672 +- if (location >= mod->module_core
38673 +- && location < mod->module_core + mod->core_size)
38674 ++ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
38675 ++ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
38676 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
38677 +- else
38678 ++ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
38679 ++ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
38680 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
38681 ++ else {
38682 ++ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
38683 ++ return ~0UL;
38684 ++ }
38685 +
38686 + /* Find this entry, or if that fails, the next avail. entry */
38687 + while (entry->jump[0]) {
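Review bot: `return ~0UL;` in the new else branch is a sentinel from a function declared `static uint32_t do_plt_call`, and nothing in this hunk shows the caller checking for it; unless the call site treats 0xffffffff as an error and fails the relocation, an R_PPC_REL24 whose location is outside every rx/rw range will now be patched with a garbage target instead of the old behaviour of falling back to the init PLT. Make the caller propagate the failure, and keep the `printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);`, which is the right diagnostic.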
38688 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/signal_32.c linux-2.6.24.5/arch/powerpc/kernel/signal_32.c
38689 +--- linux-2.6.24.5/arch/powerpc/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
38690 ++++ linux-2.6.24.5/arch/powerpc/kernel/signal_32.c 2008-03-26 20:21:07.000000000 -0400
38691 +@@ -731,7 +731,7 @@ int handle_rt_signal32(unsigned long sig
38692 + /* Save user registers on the stack */
38693 + frame = &rt_sf->uc.uc_mcontext;
38694 + addr = frame;
38695 +- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
38696 ++ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
38697 + if (save_user_regs(regs, frame, 0))
38698 + goto badframe;
38699 + regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
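Review bot: switching the test from non-zero to `!= ~0UL` is only safe if every mm reaches handle_rt_signal32 with `vdso_base` already set to the new sentinel. The vdso.c hunk writes ~0UL in arch_setup_additional_pages, but a zero-initialised mm context that never passes through that function, or one that takes its error path if that path still stores 0, would now be treated as having a vDSO at address 0 and get `regs->link = 0 + vdso32_rt_sigtramp`. Make the mm-context initialisation and the error path store ~0UL too, and grep for any other `vdso_base` zero-tests that need the same update.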
38700 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/signal_64.c linux-2.6.24.5/arch/powerpc/kernel/signal_64.c
38701 +--- linux-2.6.24.5/arch/powerpc/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
38702 ++++ linux-2.6.24.5/arch/powerpc/kernel/signal_64.c 2008-03-26 20:21:07.000000000 -0400
38703 +@@ -369,7 +369,7 @@ int handle_rt_signal64(int signr, struct
38704 + current->thread.fpscr.val = 0;
38705 +
38706 + /* Set up to return from userspace. */
38707 +- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
38708 ++ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
38709 + regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
38710 + } else {
38711 + err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
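Review bot: same sentinel change as in signal_32.c; the 64-bit path has the identical dependency on `vdso_base` being initialised to ~0UL for every mm before handle_rt_signal64 can run, so whatever covers the mm-context initialisation for the 32-bit case must cover this one as well.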
38712 +diff -urNp linux-2.6.24.5/arch/powerpc/kernel/vdso.c linux-2.6.24.5/arch/powerpc/kernel/vdso.c
38713 +--- linux-2.6.24.5/arch/powerpc/kernel/vdso.c 2008-03-24 14:49:18.000000000 -0400
38714 ++++ linux-2.6.24.5/arch/powerpc/kernel/vdso.c 2008-03-26 20:21:07.000000000 -0400
38715 +@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
38716 + vdso_base = VDSO32_MBASE;
38717 + #endif
38718 +
38719 +- current->mm->context.vdso_base = 0;
38720 ++ current->mm->context.vdso_base = ~0UL;
38721 +
38722 + /* vDSO has a problem and was disabled, just don't "enable" it for the
38723 + * process
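Review bot: this is the only place the patch writes the ~0UL sentinel, and doing it before the early return for a disabled vDSO described in the comment below is correct; but the same value must also be the default for a freshly created mm context and must be restored on the `fail_mmapsem` error path further down if that path resets the field, otherwise the `!= ~0UL` checks in signal_32.c and signal_64.c will see 0 there and treat it as a valid vDSO base.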
38724 +@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
38725 + */
38726 + down_write(&mm->mmap_sem);
38727 + vdso_base = get_unmapped_area(NULL, vdso_base,
38728 +- vdso_pages << PAGE_SHIFT, 0, 0);
38729 ++ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
38730 + if (IS_ERR_VALUE(vdso_base)) {
38731 + rc = vdso_base;
38732 + goto fail_mmapsem;
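Review bot: passing `MAP_PRIVATE | MAP_EXECUTABLE` instead of 0 as the flags argument changes what the arch_get_unmapped_area hook sees when placing the vDSO, and nothing here says why; if the intent is to let a PaX-aware arch_get_unmapped_area recognise the mapping as executable (for example to apply randomisation to it), put that in a comment on the call so a later cleanup does not revert the flags to 0.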
38733 +diff -urNp linux-2.6.24.5/arch/powerpc/mm/fault.c linux-2.6.24.5/arch/powerpc/mm/fault.c
38734 +--- linux-2.6.24.5/arch/powerpc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
38735 ++++ linux-2.6.24.5/arch/powerpc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
38736 +@@ -29,6 +29,12 @@
38737 + #include <linux/module.h>
38738 + #include <linux/kprobes.h>
38739 + #include <linux/kdebug.h>
38740 ++#include <linux/binfmts.h>
38741 ++#include <linux/slab.h>
38742 ++#include <linux/pagemap.h>
38743 ++#include <linux/compiler.h>
38744 ++#include <linux/binfmts.h>
38745 ++#include <linux/unistd.h>
38746 +
38747 + #include <asm/page.h>
38748 + #include <asm/pgtable.h>
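Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (the first and fifth new lines); drop one copy. The include guard makes it harmless, but it is exactly the kind of block that gets copied into the next architecture's fault.c.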
38749 +@@ -62,6 +68,363 @@ static inline int notify_page_fault(stru
38750 + }
38751 + #endif
38752 +
38753 ++#ifdef CONFIG_PAX_EMUSIGRT
38754 ++void pax_syscall_close(struct vm_area_struct *vma)
38755 ++{
38756 ++ vma->vm_mm->call_syscall = 0UL;
38757 ++}
38758 ++
38759 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
38760 ++{
38761 ++ struct page *page;
38762 ++ unsigned int *kaddr;
38763 ++
38764 ++ page = alloc_page(GFP_HIGHUSER);
38765 ++ if (!page)
38766 ++ return NOPAGE_OOM;
38767 ++
38768 ++ kaddr = kmap(page);
38769 ++ memset(kaddr, 0, PAGE_SIZE);
38770 ++ kaddr[0] = 0x44000002U; /* sc */
38771 ++ __flush_dcache_icache(kaddr);
38772 ++ kunmap(page);
38773 ++ if (type)
38774 ++ *type = VM_FAULT_MAJOR;
38775 ++ return page;
38776 ++}
38777 ++
38778 ++static struct vm_operations_struct pax_vm_ops = {
38779 ++ .close = pax_syscall_close,
38780 ++ .nopage = pax_syscall_nopage,
38781 ++};
38782 ++
38783 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
38784 ++{
38785 ++ int ret;
38786 ++
38787 ++ vma->vm_mm = current->mm;
38788 ++ vma->vm_start = addr;
38789 ++ vma->vm_end = addr + PAGE_SIZE;
38790 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
38791 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
38792 ++ vma->vm_ops = &pax_vm_ops;
38793 ++
38794 ++ ret = insert_vm_struct(current->mm, vma);
38795 ++ if (ret)
38796 ++ return ret;
38797 ++
38798 ++ ++current->mm->total_vm;
38799 ++ return 0;
38800 ++}
38801 ++#endif
38802 ++
38803 ++#ifdef CONFIG_PAX_PAGEEXEC
38804 ++/*
38805 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
38806 ++ *
38807 ++ * returns 1 when task should be killed
38808 ++ * 2 when patched GOT trampoline was detected
38809 ++ * 3 when patched PLT trampoline was detected
38810 ++ * 4 when unpatched PLT trampoline was detected
38811 ++ * 5 when sigreturn trampoline was detected
38812 ++ * 6 when rt_sigreturn trampoline was detected
38813 ++ */
38814 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
38815 ++{
38816 ++
38817 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
38818 ++ int err;
38819 ++#endif
38820 ++
38821 ++#ifdef CONFIG_PAX_EMUPLT
38822 ++ do { /* PaX: patched GOT emulation */
38823 ++ unsigned int blrl;
38824 ++
38825 ++ err = get_user(blrl, (unsigned int *)regs->nip);
38826 ++
38827 ++ if (!err && blrl == 0x4E800021U) {
38828 ++ unsigned long temp = regs->nip;
38829 ++
38830 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
38831 ++ regs->link = temp + 4UL;
38832 ++ return 2;
38833 ++ }
38834 ++ } while (0);
38835 ++
38836 ++ do { /* PaX: patched PLT emulation #1 */
38837 ++ unsigned int b;
38838 ++
38839 ++ err = get_user(b, (unsigned int *)regs->nip);
38840 ++
38841 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
38842 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
38843 ++ return 3;
38844 ++ }
38845 ++ } while (0);
38846 ++
38847 ++ do { /* PaX: unpatched PLT emulation #1 */
38848 ++ unsigned int li, b;
38849 ++
38850 ++ err = get_user(li, (unsigned int *)regs->nip);
38851 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
38852 ++
38853 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
38854 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
38855 ++ unsigned long addr = b | 0xFC000000UL;
38856 ++
38857 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38858 ++ err = get_user(rlwinm, (unsigned int *)addr);
38859 ++ err |= get_user(add, (unsigned int *)(addr+4));
38860 ++ err |= get_user(li2, (unsigned int *)(addr+8));
38861 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
38862 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
38863 ++ err |= get_user(li3, (unsigned int *)(addr+20));
38864 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
38865 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
38866 ++
38867 ++ if (err)
38868 ++ break;
38869 ++
38870 ++ if (rlwinm == 0x556C083CU &&
38871 ++ add == 0x7D6C5A14U &&
38872 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
38873 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
38874 ++ mtctr == 0x7D8903A6U &&
38875 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
38876 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
38877 ++ bctr == 0x4E800420U)
38878 ++ {
38879 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38880 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38881 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
38882 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38883 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
38884 ++ regs->nip = regs->ctr;
38885 ++ return 4;
38886 ++ }
38887 ++ }
38888 ++ } while (0);
38889 ++
38890 ++#if 0
38891 ++ do { /* PaX: unpatched PLT emulation #2 */
38892 ++ unsigned int lis, lwzu, b, bctr;
38893 ++
38894 ++ err = get_user(lis, (unsigned int *)regs->nip);
38895 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
38896 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
38897 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
38898 ++
38899 ++ if (err)
38900 ++ break;
38901 ++
38902 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
38903 ++ (lwzu & 0xU) == 0xU &&
38904 ++ (b & 0xFC000003U) == 0x48000000U &&
38905 ++ bctr == 0x4E800420U)
38906 ++ {
38907 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
38908 ++ unsigned long addr = b | 0xFC000000UL;
38909 ++
38910 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38911 ++ err = get_user(addis, (unsigned int*)addr);
38912 ++ err |= get_user(addi, (unsigned int*)(addr+4));
38913 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
38914 ++ err |= get_user(add, (unsigned int*)(addr+12));
38915 ++ err |= get_user(li2, (unsigned int*)(addr+16));
38916 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
38917 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
38918 ++ err |= get_user(li3, (unsigned int*)(addr+28));
38919 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
38920 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
38921 ++
38922 ++ if (err)
38923 ++ break;
38924 ++
38925 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
38926 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
38927 ++ rlwinm == 0x556C083CU &&
38928 ++ add == 0x7D6C5A14U &&
38929 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
38930 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
38931 ++ mtctr == 0x7D8903A6U &&
38932 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
38933 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
38934 ++ bctr == 0x4E800420U)
38935 ++ {
38936 ++ regs->gpr[PT_R11] =
38937 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38938 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38939 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
38940 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38941 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
38942 ++ regs->nip = regs->ctr;
38943 ++ return 4;
38944 ++ }
38945 ++ }
38946 ++ } while (0);
38947 ++#endif
38948 ++
38949 ++ do { /* PaX: unpatched PLT emulation #3 */
38950 ++ unsigned int li, b;
38951 ++
38952 ++ err = get_user(li, (unsigned int *)regs->nip);
38953 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
38954 ++
38955 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
38956 ++ unsigned int addis, lwz, mtctr, bctr;
38957 ++ unsigned long addr = b | 0xFC000000UL;
38958 ++
38959 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
38960 ++ err = get_user(addis, (unsigned int *)addr);
38961 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
38962 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
38963 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
38964 ++
38965 ++ if (err)
38966 ++ break;
38967 ++
38968 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
38969 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
38970 ++ mtctr == 0x7D6903A6U &&
38971 ++ bctr == 0x4E800420U)
38972 ++ {
38973 ++ unsigned int r11;
38974 ++
38975 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38976 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
38977 ++
38978 ++ err = get_user(r11, (unsigned int *)addr);
38979 ++ if (err)
38980 ++ break;
38981 ++
38982 ++ regs->gpr[PT_R11] = r11;
38983 ++ regs->ctr = r11;
38984 ++ regs->nip = r11;
38985 ++ return 4;
38986 ++ }
38987 ++ }
38988 ++ } while (0);
38989 ++#endif
38990 ++
38991 ++#ifdef CONFIG_PAX_EMUSIGRT
38992 ++ do { /* PaX: sigreturn emulation */
38993 ++ unsigned int li, sc;
38994 ++
38995 ++ err = get_user(li, (unsigned int *)regs->nip);
38996 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
38997 ++
38998 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
38999 ++ struct vm_area_struct *vma;
39000 ++ unsigned long call_syscall;
39001 ++
39002 ++ down_read(&current->mm->mmap_sem);
39003 ++ call_syscall = current->mm->call_syscall;
39004 ++ up_read(&current->mm->mmap_sem);
39005 ++ if (likely(call_syscall))
39006 ++ goto emulate;
39007 ++
39008 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39009 ++
39010 ++ down_write(&current->mm->mmap_sem);
39011 ++ if (current->mm->call_syscall) {
39012 ++ call_syscall = current->mm->call_syscall;
39013 ++ up_write(&current->mm->mmap_sem);
39014 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39015 ++ goto emulate;
39016 ++ }
39017 ++
39018 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39019 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39020 ++ up_write(&current->mm->mmap_sem);
39021 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39022 ++ return 1;
39023 ++ }
39024 ++
39025 ++ if (pax_insert_vma(vma, call_syscall)) {
39026 ++ up_write(&current->mm->mmap_sem);
39027 ++ kmem_cache_free(vm_area_cachep, vma);
39028 ++ return 1;
39029 ++ }
39030 ++
39031 ++ current->mm->call_syscall = call_syscall;
39032 ++ up_write(&current->mm->mmap_sem);
39033 ++
39034 ++emulate:
39035 ++ regs->gpr[PT_R0] = __NR_sigreturn;
39036 ++ regs->nip = call_syscall;
39037 ++ return 5;
39038 ++ }
39039 ++ } while (0);
39040 ++
39041 ++ do { /* PaX: rt_sigreturn emulation */
39042 ++ unsigned int li, sc;
39043 ++
39044 ++ err = get_user(li, (unsigned int *)regs->nip);
39045 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39046 ++
39047 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
39048 ++ struct vm_area_struct *vma;
39049 ++ unsigned int call_syscall;
39050 ++
39051 ++ down_read(&current->mm->mmap_sem);
39052 ++ call_syscall = current->mm->call_syscall;
39053 ++ up_read(&current->mm->mmap_sem);
39054 ++ if (likely(call_syscall))
39055 ++ goto rt_emulate;
39056 ++
39057 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39058 ++
39059 ++ down_write(&current->mm->mmap_sem);
39060 ++ if (current->mm->call_syscall) {
39061 ++ call_syscall = current->mm->call_syscall;
39062 ++ up_write(&current->mm->mmap_sem);
39063 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39064 ++ goto rt_emulate;
39065 ++ }
39066 ++
39067 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39068 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39069 ++ up_write(&current->mm->mmap_sem);
39070 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39071 ++ return 1;
39072 ++ }
39073 ++
39074 ++ if (pax_insert_vma(vma, call_syscall)) {
39075 ++ up_write(&current->mm->mmap_sem);
39076 ++ kmem_cache_free(vm_area_cachep, vma);
39077 ++ return 1;
39078 ++ }
39079 ++
39080 ++ current->mm->call_syscall = call_syscall;
39081 ++ up_write(&current->mm->mmap_sem);
39082 ++
39083 ++rt_emulate:
39084 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
39085 ++ regs->nip = call_syscall;
39086 ++ return 6;
39087 ++ }
39088 ++ } while (0);
39089 ++#endif
39090 ++
39091 ++ return 1;
39092 ++}
39093 ++
39094 ++void pax_report_insns(void *pc, void *sp)
39095 ++{
39096 ++ unsigned long i;
39097 ++
39098 ++ printk(KERN_ERR "PAX: bytes at PC: ");
39099 ++ for (i = 0; i < 5; i++) {
39100 ++ unsigned int c;
39101 ++ if (get_user(c, (unsigned int *)pc+i))
39102 ++ printk("???????? ");
39103 ++ else
39104 ++ printk("%08x ", c);
39105 ++ }
39106 ++ printk("\n");
39107 ++}
39108 ++#endif
39109 ++
39110 + /*
39111 + * Check whether the instruction at regs->nip is a store using
39112 + * an update addressing form which will update r1.
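Review bot: in the rt_sigreturn emulation block, `unsigned int call_syscall;` receives the `unsigned long` values of `current->mm->call_syscall` and `get_unmapped_area()` and is then stored into `regs->nip`, so under CONFIG_PPC64 (which this file serves, see the `#ifdef CONFIG_PPC64` below) the trampoline page address is truncated to 32 bits; declare it `unsigned long` exactly as the sigreturn block above does. The `#if 0` block for "unpatched PLT emulation #2" also still carries the placeholder test `(lwzu & 0xU) == 0xU` and a dangling `regs->gpr[PT_R11] =` line directly above a second assignment to the same register; either finish that block or drop it rather than ship it disabled.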
39113 +@@ -157,7 +520,7 @@ int __kprobes do_page_fault(struct pt_re
39114 + * indicate errors in DSISR but can validly be set in SRR1.
39115 + */
39116 + if (trap == 0x400)
39117 +- error_code &= 0x48200000;
39118 ++ error_code &= 0x58200000;
39119 + else
39120 + is_write = error_code & DSISR_ISSTORE;
39121 + #else
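Review bot: the new mask `error_code &= 0x58200000;` keeps bit 0x10000000 of SRR1 that the old mask `0x48200000` cleared, but the comment directly above ("indicate errors in DSISR but can validly be set in SRR1") is left unchanged; extend it to name that bit and say that the PAGEEXEC test in bad_area_nosemaphore depends on it, otherwise the next reader will treat the extra bit as a typo.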
39122 +@@ -357,6 +720,37 @@ bad_area:
39123 + bad_area_nosemaphore:
39124 + /* User mode accesses cause a SIGSEGV */
39125 + if (user_mode(regs)) {
39126 ++
39127 ++#ifdef CONFIG_PAX_PAGEEXEC
39128 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
39129 ++#ifdef CONFIG_PPC64
39130 ++ if (is_exec && (error_code & DSISR_PROTFAULT)) {
39131 ++#else
39132 ++ if (is_exec && regs->nip == address) {
39133 ++#endif
39134 ++ switch (pax_handle_fetch_fault(regs)) {
39135 ++
39136 ++#ifdef CONFIG_PAX_EMUPLT
39137 ++ case 2:
39138 ++ case 3:
39139 ++ case 4:
39140 ++ return 0;
39141 ++#endif
39142 ++
39143 ++#ifdef CONFIG_PAX_EMUSIGRT
39144 ++ case 5:
39145 ++ case 6:
39146 ++ return 0;
39147 ++#endif
39148 ++
39149 ++ }
39150 ++
39151 ++ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
39152 ++ do_group_exit(SIGKILL);
39153 ++ }
39154 ++ }
39155 ++#endif
39156 ++
39157 + _exception(SIGSEGV, regs, code, address);
39158 + return 0;
39159 + }
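Review bot: the `switch (pax_handle_fetch_fault(regs))` has no `default:` case, so the return value 1 (task should be killed) reaches `pax_report_fault()` and `do_group_exit(SIGKILL)` only by falling out of the switch; add `default: break;` with a short comment so the kill path is explicit, and also add a comment on why PPC64 tests `(error_code & DSISR_PROTFAULT)` while PPC32 tests `regs->nip == address`, since the two branches select different fault conditions for the same handler.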
39160 +diff -urNp linux-2.6.24.5/arch/powerpc/mm/mmap.c linux-2.6.24.5/arch/powerpc/mm/mmap.c
39161 +--- linux-2.6.24.5/arch/powerpc/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
39162 ++++ linux-2.6.24.5/arch/powerpc/mm/mmap.c 2008-03-26 20:21:07.000000000 -0400
39163 +@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
39164 + */
39165 + if (mmap_is_legacy()) {
39166 + mm->mmap_base = TASK_UNMAPPED_BASE;
39167 ++
39168 ++#ifdef CONFIG_PAX_RANDMMAP
39169 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
39170 ++ mm->mmap_base += mm->delta_mmap;
39171 ++#endif
39172 ++
39173 + mm->get_unmapped_area = arch_get_unmapped_area;
39174 + mm->unmap_area = arch_unmap_area;
39175 + } else {
39176 + mm->mmap_base = mmap_base();
39177 ++
39178 ++#ifdef CONFIG_PAX_RANDMMAP
39179 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
39180 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
39181 ++#endif
39182 ++
39183 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
39184 + mm->unmap_area = arch_unmap_area_topdown;
39185 + }
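Review bot: neither adjustment is bounded here: the legacy branch does `mm->mmap_base += mm->delta_mmap;` and the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` with no check that the result stays inside the usable mmap range; either clamp the result in this function or add a comment stating where `delta_mmap` and `delta_stack` are limited so that the shifted base cannot collide with the stack gap or drop below TASK_UNMAPPED_BASE.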
39186 +diff -urNp linux-2.6.24.5/arch/ppc/mm/fault.c linux-2.6.24.5/arch/ppc/mm/fault.c
39187 +--- linux-2.6.24.5/arch/ppc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
39188 ++++ linux-2.6.24.5/arch/ppc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
39189 +@@ -25,6 +25,11 @@
39190 + #include <linux/interrupt.h>
39191 + #include <linux/highmem.h>
39192 + #include <linux/module.h>
39193 ++#include <linux/slab.h>
39194 ++#include <linux/pagemap.h>
39195 ++#include <linux/compiler.h>
39196 ++#include <linux/binfmts.h>
39197 ++#include <linux/unistd.h>
39198 +
39199 + #include <asm/page.h>
39200 + #include <asm/pgtable.h>
39201 +@@ -48,6 +53,363 @@ unsigned long pte_misses; /* updated by
39202 + unsigned long pte_errors; /* updated by do_page_fault() */
39203 + unsigned int probingmem;
39204 +
39205 ++#ifdef CONFIG_PAX_EMUSIGRT
39206 ++void pax_syscall_close(struct vm_area_struct *vma)
39207 ++{
39208 ++ vma->vm_mm->call_syscall = 0UL;
39209 ++}
39210 ++
39211 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
39212 ++{
39213 ++ struct page *page;
39214 ++ unsigned int *kaddr;
39215 ++
39216 ++ page = alloc_page(GFP_HIGHUSER);
39217 ++ if (!page)
39218 ++ return NOPAGE_OOM;
39219 ++
39220 ++ kaddr = kmap(page);
39221 ++ memset(kaddr, 0, PAGE_SIZE);
39222 ++ kaddr[0] = 0x44000002U; /* sc */
39223 ++ __flush_dcache_icache(kaddr);
39224 ++ kunmap(page);
39225 ++ if (type)
39226 ++ *type = VM_FAULT_MAJOR;
39227 ++ return page;
39228 ++}
39229 ++
39230 ++static struct vm_operations_struct pax_vm_ops = {
39231 ++ .close = pax_syscall_close,
39232 ++ .nopage = pax_syscall_nopage,
39233 ++};
39234 ++
39235 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
39236 ++{
39237 ++ int ret;
39238 ++
39239 ++ vma->vm_mm = current->mm;
39240 ++ vma->vm_start = addr;
39241 ++ vma->vm_end = addr + PAGE_SIZE;
39242 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
39243 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
39244 ++ vma->vm_ops = &pax_vm_ops;
39245 ++
39246 ++ ret = insert_vm_struct(current->mm, vma);
39247 ++ if (ret)
39248 ++ return ret;
39249 ++
39250 ++ ++current->mm->total_vm;
39251 ++ return 0;
39252 ++}
39253 ++#endif
39254 ++
39255 ++#ifdef CONFIG_PAX_PAGEEXEC
39256 ++/*
39257 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
39258 ++ *
39259 ++ * returns 1 when task should be killed
39260 ++ * 2 when patched GOT trampoline was detected
39261 ++ * 3 when patched PLT trampoline was detected
39262 ++ * 4 when unpatched PLT trampoline was detected
39263 ++ * 5 when sigreturn trampoline was detected
39264 ++ * 6 when rt_sigreturn trampoline was detected
39265 ++ */
39266 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
39267 ++{
39268 ++
39269 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
39270 ++ int err;
39271 ++#endif
39272 ++
39273 ++#ifdef CONFIG_PAX_EMUPLT
39274 ++ do { /* PaX: patched GOT emulation */
39275 ++ unsigned int blrl;
39276 ++
39277 ++ err = get_user(blrl, (unsigned int *)regs->nip);
39278 ++
39279 ++ if (!err && blrl == 0x4E800021U) {
39280 ++ unsigned long temp = regs->nip;
39281 ++
39282 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
39283 ++ regs->link = temp + 4UL;
39284 ++ return 2;
39285 ++ }
39286 ++ } while (0);
39287 ++
39288 ++ do { /* PaX: patched PLT emulation #1 */
39289 ++ unsigned int b;
39290 ++
39291 ++ err = get_user(b, (unsigned int *)regs->nip);
39292 ++
39293 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
39294 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
39295 ++ return 3;
39296 ++ }
39297 ++ } while (0);
39298 ++
39299 ++ do { /* PaX: unpatched PLT emulation #1 */
39300 ++ unsigned int li, b;
39301 ++
39302 ++ err = get_user(li, (unsigned int *)regs->nip);
39303 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
39304 ++
39305 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
39306 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
39307 ++ unsigned long addr = b | 0xFC000000UL;
39308 ++
39309 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39310 ++ err = get_user(rlwinm, (unsigned int *)addr);
39311 ++ err |= get_user(add, (unsigned int *)(addr+4));
39312 ++ err |= get_user(li2, (unsigned int *)(addr+8));
39313 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
39314 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
39315 ++ err |= get_user(li3, (unsigned int *)(addr+20));
39316 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
39317 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
39318 ++
39319 ++ if (err)
39320 ++ break;
39321 ++
39322 ++ if (rlwinm == 0x556C083CU &&
39323 ++ add == 0x7D6C5A14U &&
39324 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
39325 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
39326 ++ mtctr == 0x7D8903A6U &&
39327 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
39328 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
39329 ++ bctr == 0x4E800420U)
39330 ++ {
39331 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39332 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39333 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
39334 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39335 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
39336 ++ regs->nip = regs->ctr;
39337 ++ return 4;
39338 ++ }
39339 ++ }
39340 ++ } while (0);
39341 ++
39342 ++#if 0
39343 ++ do { /* PaX: unpatched PLT emulation #2 */
39344 ++ unsigned int lis, lwzu, b, bctr;
39345 ++
39346 ++ err = get_user(lis, (unsigned int *)regs->nip);
39347 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
39348 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
39349 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
39350 ++
39351 ++ if (err)
39352 ++ break;
39353 ++
39354 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
39355 ++ (lwzu & 0xU) == 0xU &&
39356 ++ (b & 0xFC000003U) == 0x48000000U &&
39357 ++ bctr == 0x4E800420U)
39358 ++ {
39359 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
39360 ++ unsigned long addr = b | 0xFC000000UL;
39361 ++
39362 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39363 ++ err = get_user(addis, (unsigned int*)addr);
39364 ++ err |= get_user(addi, (unsigned int*)(addr+4));
39365 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
39366 ++ err |= get_user(add, (unsigned int*)(addr+12));
39367 ++ err |= get_user(li2, (unsigned int*)(addr+16));
39368 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
39369 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
39370 ++ err |= get_user(li3, (unsigned int*)(addr+28));
39371 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
39372 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
39373 ++
39374 ++ if (err)
39375 ++ break;
39376 ++
39377 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
39378 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
39379 ++ rlwinm == 0x556C083CU &&
39380 ++ add == 0x7D6C5A14U &&
39381 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
39382 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
39383 ++ mtctr == 0x7D8903A6U &&
39384 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
39385 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
39386 ++ bctr == 0x4E800420U)
39387 ++ {
39388 ++ regs->gpr[PT_R11] =
39389 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39390 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39391 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
39392 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39393 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
39394 ++ regs->nip = regs->ctr;
39395 ++ return 4;
39396 ++ }
39397 ++ }
39398 ++ } while (0);
39399 ++#endif
39400 ++
39401 ++ do { /* PaX: unpatched PLT emulation #3 */
39402 ++ unsigned int li, b;
39403 ++
39404 ++ err = get_user(li, (unsigned int *)regs->nip);
39405 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
39406 ++
39407 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
39408 ++ unsigned int addis, lwz, mtctr, bctr;
39409 ++ unsigned long addr = b | 0xFC000000UL;
39410 ++
39411 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
39412 ++ err = get_user(addis, (unsigned int *)addr);
39413 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
39414 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
39415 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
39416 ++
39417 ++ if (err)
39418 ++ break;
39419 ++
39420 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
39421 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
39422 ++ mtctr == 0x7D6903A6U &&
39423 ++ bctr == 0x4E800420U)
39424 ++ {
39425 ++ unsigned int r11;
39426 ++
39427 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39428 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
39429 ++
39430 ++ err = get_user(r11, (unsigned int *)addr);
39431 ++ if (err)
39432 ++ break;
39433 ++
39434 ++ regs->gpr[PT_R11] = r11;
39435 ++ regs->ctr = r11;
39436 ++ regs->nip = r11;
39437 ++ return 4;
39438 ++ }
39439 ++ }
39440 ++ } while (0);
39441 ++#endif
39442 ++
39443 ++#ifdef CONFIG_PAX_EMUSIGRT
39444 ++ do { /* PaX: sigreturn emulation */
39445 ++ unsigned int li, sc;
39446 ++
39447 ++ err = get_user(li, (unsigned int *)regs->nip);
39448 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39449 ++
39450 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
39451 ++ struct vm_area_struct *vma;
39452 ++ unsigned long call_syscall;
39453 ++
39454 ++ down_read(&current->mm->mmap_sem);
39455 ++ call_syscall = current->mm->call_syscall;
39456 ++ up_read(&current->mm->mmap_sem);
39457 ++ if (likely(call_syscall))
39458 ++ goto emulate;
39459 ++
39460 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39461 ++
39462 ++ down_write(&current->mm->mmap_sem);
39463 ++ if (current->mm->call_syscall) {
39464 ++ call_syscall = current->mm->call_syscall;
39465 ++ up_write(&current->mm->mmap_sem);
39466 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39467 ++ goto emulate;
39468 ++ }
39469 ++
39470 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39471 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39472 ++ up_write(&current->mm->mmap_sem);
39473 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39474 ++ return 1;
39475 ++ }
39476 ++
39477 ++ if (pax_insert_vma(vma, call_syscall)) {
39478 ++ up_write(&current->mm->mmap_sem);
39479 ++ kmem_cache_free(vm_area_cachep, vma);
39480 ++ return 1;
39481 ++ }
39482 ++
39483 ++ current->mm->call_syscall = call_syscall;
39484 ++ up_write(&current->mm->mmap_sem);
39485 ++
39486 ++emulate:
39487 ++ regs->gpr[PT_R0] = __NR_sigreturn;
39488 ++ regs->nip = call_syscall;
39489 ++ return 5;
39490 ++ }
39491 ++ } while (0);
39492 ++
39493 ++ do { /* PaX: rt_sigreturn emulation */
39494 ++ unsigned int li, sc;
39495 ++
39496 ++ err = get_user(li, (unsigned int *)regs->nip);
39497 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
39498 ++
39499 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
39500 ++ struct vm_area_struct *vma;
39501 ++ unsigned int call_syscall;
39502 ++
39503 ++ down_read(&current->mm->mmap_sem);
39504 ++ call_syscall = current->mm->call_syscall;
39505 ++ up_read(&current->mm->mmap_sem);
39506 ++ if (likely(call_syscall))
39507 ++ goto rt_emulate;
39508 ++
39509 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39510 ++
39511 ++ down_write(&current->mm->mmap_sem);
39512 ++ if (current->mm->call_syscall) {
39513 ++ call_syscall = current->mm->call_syscall;
39514 ++ up_write(&current->mm->mmap_sem);
39515 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39516 ++ goto rt_emulate;
39517 ++ }
39518 ++
39519 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39520 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
39521 ++ up_write(&current->mm->mmap_sem);
39522 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39523 ++ return 1;
39524 ++ }
39525 ++
39526 ++ if (pax_insert_vma(vma, call_syscall)) {
39527 ++ up_write(&current->mm->mmap_sem);
39528 ++ kmem_cache_free(vm_area_cachep, vma);
39529 ++ return 1;
39530 ++ }
39531 ++
39532 ++ current->mm->call_syscall = call_syscall;
39533 ++ up_write(&current->mm->mmap_sem);
39534 ++
39535 ++rt_emulate:
39536 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
39537 ++ regs->nip = call_syscall;
39538 ++ return 6;
39539 ++ }
39540 ++ } while (0);
39541 ++#endif
39542 ++
39543 ++ return 1;
39544 ++}
39545 ++
39546 ++void pax_report_insns(void *pc, void *sp)
39547 ++{
39548 ++ unsigned long i;
39549 ++
39550 ++ printk(KERN_ERR "PAX: bytes at PC: ");
39551 ++ for (i = 0; i < 5; i++) {
39552 ++ unsigned int c;
39553 ++ if (get_user(c, (unsigned int *)pc+i))
39554 ++ printk("???????? ");
39555 ++ else
39556 ++ printk("%08x ", c);
39557 ++ }
39558 ++ printk("\n");
39559 ++}
39560 ++#endif
39561 ++
39562 + /*
39563 + * Check whether the instruction at regs->nip is a store using
39564 + * an update addressing form which will update r1.
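Review bot: this block is a near-verbatim copy of the `pax_handle_fetch_fault` code added to arch/powerpc/mm/fault.c in the same patch, including the disabled "unpatched PLT emulation #2" with its `(lwzu & 0xU) == 0xU` placeholder and the dangling `regs->gpr[PT_R11] =` line; share the emulation code between arch/powerpc and arch/ppc from one location instead of maintaining two 360-line copies, or at least delete the `#if 0` block. Independently of that, the rt_sigreturn path declares `unsigned int call_syscall;` while the sigreturn path above it uses `unsigned long`; make the two consistent (`unsigned long`, matching `current->mm->call_syscall`).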
39565 +@@ -109,7 +471,7 @@ int do_page_fault(struct pt_regs *regs,
39566 + * indicate errors in DSISR but can validly be set in SRR1.
39567 + */
39568 + if (TRAP(regs) == 0x400)
39569 +- error_code &= 0x48200000;
39570 ++ error_code &= 0x58200000;
39571 + else
39572 + is_write = error_code & 0x02000000;
39573 + #endif /* CONFIG_4xx || CONFIG_BOOKE */
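Review bot: same mask change as in arch/powerpc/mm/fault.c, `0x48200000` to `0x58200000`, again with the explanatory comment above it left untouched; document which SRR1 bit 0x10000000 is and why the PAGEEXEC check in bad_area needs it, in both files.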
39574 +@@ -204,15 +566,14 @@ good_area:
39575 + pte_t *ptep;
39576 + pmd_t *pmdp;
39577 +
39578 +-#if 0
39579 ++#if 1
39580 + /* It would be nice to actually enforce the VM execute
39581 + permission on CPUs which can do so, but far too
39582 + much stuff in userspace doesn't get the permissions
39583 + right, so we let any page be executed for now. */
39584 + if (! (vma->vm_flags & VM_EXEC))
39585 + goto bad_area;
39586 +-#endif
39587 +-
39588 ++#else
39589 + /* Since 4xx/Book-E supports per-page execute permission,
39590 + * we lazily flush dcache to icache. */
39591 + ptep = NULL;
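Review bot: `#if 1` turns the VM_EXEC check on unconditionally, for every task rather than only those with `MF_PAX_PAGEEXEC` in `mm->pax_flags`, so this changes behaviour on these CPUs even when PaX is not active for the process; if that is intended, replace `#if 1` with `#ifdef CONFIG_PAX_PAGEEXEC` (or a runtime test of the flag) and rewrite the comment above the check, which still reads "so we let any page be executed for now" and now states the opposite of what the code does.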
39592 +@@ -235,6 +596,7 @@ good_area:
39593 + pte_unmap_unlock(ptep, ptl);
39594 + }
39595 + #endif
39596 ++#endif
39597 + /* a read */
39598 + } else {
39599 + /* protection fault */
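Review bot: the added `#endif` closes the `#else` introduced in the previous hunk and now sits directly under another bare `#endif`; give both a trailing comment (for example `#endif /* VM_EXEC check */`) so the nesting of the enabled and disabled branches can be followed without counting directives.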
39600 +@@ -278,6 +640,33 @@ bad_area:
39601 +
39602 + /* User mode accesses cause a SIGSEGV */
39603 + if (user_mode(regs)) {
39604 ++
39605 ++#ifdef CONFIG_PAX_PAGEEXEC
39606 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
39607 ++ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
39608 ++ switch (pax_handle_fetch_fault(regs)) {
39609 ++
39610 ++#ifdef CONFIG_PAX_EMUPLT
39611 ++ case 2:
39612 ++ case 3:
39613 ++ case 4:
39614 ++ return 0;
39615 ++#endif
39616 ++
39617 ++#ifdef CONFIG_PAX_EMUSIGRT
39618 ++ case 5:
39619 ++ case 6:
39620 ++ return 0;
39621 ++#endif
39622 ++
39623 ++ }
39624 ++
39625 ++ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
39626 ++ do_group_exit(SIGKILL);
39627 ++ }
39628 ++ }
39629 ++#endif
39630 ++
39631 + _exception(SIGSEGV, regs, code, address);
39632 + return 0;
39633 + }
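Review bot: this mirrors the arch/powerpc bad_area hunk but indexes the stack pointer as `regs->gpr[1]` where that version uses `regs->gpr[PT_R1]`, and again the switch has no `default:` case; use the same symbolic register index in both copies and add `default: break;` with a comment so the fall-through to `do_group_exit(SIGKILL)` for return value 1 is explicit.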
39634 +diff -urNp linux-2.6.24.5/arch/s390/kernel/module.c linux-2.6.24.5/arch/s390/kernel/module.c
39635 +--- linux-2.6.24.5/arch/s390/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
39636 ++++ linux-2.6.24.5/arch/s390/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
39637 +@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
39638 +
39639 + /* Increase core size by size of got & plt and set start
39640 + offsets for got and plt. */
39641 +- me->core_size = ALIGN(me->core_size, 4);
39642 +- me->arch.got_offset = me->core_size;
39643 +- me->core_size += me->arch.got_size;
39644 +- me->arch.plt_offset = me->core_size;
39645 +- me->core_size += me->arch.plt_size;
39646 ++ me->core_size_rw = ALIGN(me->core_size_rw, 4);
39647 ++ me->arch.got_offset = me->core_size_rw;
39648 ++ me->core_size_rw += me->arch.got_size;
39649 ++ me->arch.plt_offset = me->core_size_rx;
39650 ++ me->core_size_rx += me->arch.plt_size;
39651 + return 0;
39652 + }
39653 +
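Review bot: `me->core_size_rx` is never aligned before `me->arch.plt_offset = me->core_size_rx;`, whereas the removed code aligned `core_size` to 4 before assigning both offsets; add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` ahead of the plt_offset assignment so the PLT stubs written later in apply_rela keep their 4-byte alignment in the RX region.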
39654 +@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39655 + if (info->got_initialized == 0) {
39656 + Elf_Addr *gotent;
39657 +
39658 +- gotent = me->module_core + me->arch.got_offset +
39659 ++ gotent = me->module_core_rw + me->arch.got_offset +
39660 + info->got_offset;
39661 + *gotent = val;
39662 + info->got_initialized = 1;
39663 +@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39664 + else if (r_type == R_390_GOTENT ||
39665 + r_type == R_390_GOTPLTENT)
39666 + *(unsigned int *) loc =
39667 +- (val + (Elf_Addr) me->module_core - loc) >> 1;
39668 ++ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
39669 + else if (r_type == R_390_GOT64 ||
39670 + r_type == R_390_GOTPLT64)
39671 + *(unsigned long *) loc = val;
39672 +@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39673 + case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
39674 + if (info->plt_initialized == 0) {
39675 + unsigned int *ip;
39676 +- ip = me->module_core + me->arch.plt_offset +
39677 ++ ip = me->module_core_rx + me->arch.plt_offset +
39678 + info->plt_offset;
39679 + #ifndef CONFIG_64BIT
39680 + ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
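Review bot: `ip` now points into `me->module_core_rx` and the following `ip[0] = 0x0d105810;` writes the PLT stub through it, so this relies on the RX region still being writable while relocations are applied; state that ordering in a comment at the assignment (or assert it), because a later change that write-protects the region before apply_rela runs would turn this into a kernel fault at module load.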
39681 +@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39682 + val = me->arch.plt_offset - me->arch.got_offset +
39683 + info->plt_offset + rela->r_addend;
39684 + else
39685 +- val = (Elf_Addr) me->module_core +
39686 ++ val = (Elf_Addr) me->module_core_rx +
39687 + me->arch.plt_offset + info->plt_offset +
39688 + rela->r_addend - loc;
39689 + if (r_type == R_390_PLT16DBL)
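Review bot: the unchanged context line `val = me->arch.plt_offset - me->arch.got_offset +` still computes the GOT-to-PLT distance as a difference of two offsets, which was correct when both were offsets into one `module_core` but is wrong now that `plt_offset` is relative to `module_core_rx` and `got_offset` to `module_core_rw`; the R_390_PLTOFF cases need the distance between the actual addresses, i.e. `((Elf_Addr) me->module_core_rx + me->arch.plt_offset) - ((Elf_Addr) me->module_core_rw + me->arch.got_offset)` plus `info->plt_offset + rela->r_addend`.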
39690 +@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39691 + case R_390_GOTOFF32: /* 32 bit offset to GOT. */
39692 + case R_390_GOTOFF64: /* 64 bit offset to GOT. */
39693 + val = val + rela->r_addend -
39694 +- ((Elf_Addr) me->module_core + me->arch.got_offset);
39695 ++ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
39696 + if (r_type == R_390_GOTOFF16)
39697 + *(unsigned short *) loc = val;
39698 + else if (r_type == R_390_GOTOFF32)
39699 +@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
39700 + break;
39701 + case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
39702 + case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
39703 +- val = (Elf_Addr) me->module_core + me->arch.got_offset +
39704 ++ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
39705 + rela->r_addend - loc;
39706 + if (r_type == R_390_GOTPC)
39707 + *(unsigned int *) loc = val;
39708 +diff -urNp linux-2.6.24.5/arch/sparc/kernel/ptrace.c linux-2.6.24.5/arch/sparc/kernel/ptrace.c
39709 +--- linux-2.6.24.5/arch/sparc/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
39710 ++++ linux-2.6.24.5/arch/sparc/kernel/ptrace.c 2008-03-26 20:21:07.000000000 -0400
39711 +@@ -19,6 +19,7 @@
39712 + #include <linux/smp_lock.h>
39713 + #include <linux/security.h>
39714 + #include <linux/signal.h>
39715 ++#include <linux/grsecurity.h>
39716 +
39717 + #include <asm/pgtable.h>
39718 + #include <asm/system.h>
39719 +@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
39720 + goto out;
39721 + }
39722 +
39723 ++ if (gr_handle_ptrace(child, request)) {
39724 ++ pt_error_return(regs, EPERM);
39725 ++ goto out_tsk;
39726 ++ }
39727 ++
39728 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
39729 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
39730 + if (ptrace_attach(child)) {
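Review bot: the new `gr_handle_ptrace()` check exits via `goto out_tsk` while the error path immediately above it uses `goto out`; confirm `out_tsk` is the correct label at this point (after `child` has been looked up it must release it) and that reporting the failure with `pt_error_return(regs, EPERM)` matches how the other refusals in this function signal errors to the caller.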
39731 +diff -urNp linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c
39732 +--- linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
39733 ++++ linux-2.6.24.5/arch/sparc/kernel/sys_sparc.c 2008-03-26 20:21:07.000000000 -0400
39734 +@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
39735 + if (ARCH_SUN4C_SUN4 && len > 0x20000000)
39736 + return -ENOMEM;
39737 + if (!addr)
39738 +- addr = TASK_UNMAPPED_BASE;
39739 ++ addr = current->mm->mmap_base;
39740 +
39741 + if (flags & MAP_SHARED)
39742 + addr = COLOUR_ALIGN(addr);
39743 +diff -urNp linux-2.6.24.5/arch/sparc/Makefile linux-2.6.24.5/arch/sparc/Makefile
39744 +--- linux-2.6.24.5/arch/sparc/Makefile 2008-03-24 14:49:18.000000000 -0400
39745 ++++ linux-2.6.24.5/arch/sparc/Makefile 2008-03-26 20:21:07.000000000 -0400
39746 +@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
39747 + # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
39748 + INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
39749 + CORE_Y := $(core-y)
39750 +-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
39751 ++CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
39752 + CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
39753 + DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
39754 + NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
39755 +diff -urNp linux-2.6.24.5/arch/sparc/mm/fault.c linux-2.6.24.5/arch/sparc/mm/fault.c
39756 +--- linux-2.6.24.5/arch/sparc/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
39757 ++++ linux-2.6.24.5/arch/sparc/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
39758 +@@ -21,6 +21,10 @@
39759 + #include <linux/interrupt.h>
39760 + #include <linux/module.h>
39761 + #include <linux/kdebug.h>
39762 ++#include <linux/slab.h>
39763 ++#include <linux/pagemap.h>
39764 ++#include <linux/compiler.h>
39765 ++#include <linux/binfmts.h>
39766 +
39767 + #include <asm/system.h>
39768 + #include <asm/page.h>
39769 +@@ -216,6 +220,251 @@ static unsigned long compute_si_addr(str
39770 + return safe_compute_effective_address(regs, insn);
39771 + }
39772 +
39773 ++#ifdef CONFIG_PAX_PAGEEXEC
39774 ++void pax_emuplt_close(struct vm_area_struct *vma)
39775 ++{
39776 ++ vma->vm_mm->call_dl_resolve = 0UL;
39777 ++}
39778 ++
39779 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
39780 ++{
39781 ++ struct page *page;
39782 ++ unsigned int *kaddr;
39783 ++
39784 ++ page = alloc_page(GFP_HIGHUSER);
39785 ++ if (!page)
39786 ++ return NOPAGE_OOM;
39787 ++
39788 ++ kaddr = kmap(page);
39789 ++ memset(kaddr, 0, PAGE_SIZE);
39790 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
39791 ++ flush_dcache_page(page);
39792 ++ kunmap(page);
39793 ++ if (type)
39794 ++ *type = VM_FAULT_MAJOR;
39795 ++
39796 ++ return page;
39797 ++}
39798 ++
39799 ++static struct vm_operations_struct pax_vm_ops = {
39800 ++ .close = pax_emuplt_close,
39801 ++ .nopage = pax_emuplt_nopage,
39802 ++};
39803 ++
39804 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
39805 ++{
39806 ++ int ret;
39807 ++
39808 ++ vma->vm_mm = current->mm;
39809 ++ vma->vm_start = addr;
39810 ++ vma->vm_end = addr + PAGE_SIZE;
39811 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
39812 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
39813 ++ vma->vm_ops = &pax_vm_ops;
39814 ++
39815 ++ ret = insert_vm_struct(current->mm, vma);
39816 ++ if (ret)
39817 ++ return ret;
39818 ++
39819 ++ ++current->mm->total_vm;
39820 ++ return 0;
39821 ++}
39822 ++
39823 ++/*
39824 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
39825 ++ *
39826 ++ * returns 1 when task should be killed
39827 ++ * 2 when patched PLT trampoline was detected
39828 ++ * 3 when unpatched PLT trampoline was detected
39829 ++ */
39830 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
39831 ++{
39832 ++
39833 ++#ifdef CONFIG_PAX_EMUPLT
39834 ++ int err;
39835 ++
39836 ++ do { /* PaX: patched PLT emulation #1 */
39837 ++ unsigned int sethi1, sethi2, jmpl;
39838 ++
39839 ++ err = get_user(sethi1, (unsigned int *)regs->pc);
39840 ++ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
39841 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
39842 ++
39843 ++ if (err)
39844 ++ break;
39845 ++
39846 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
39847 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
39848 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
39849 ++ {
39850 ++ unsigned int addr;
39851 ++
39852 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
39853 ++ addr = regs->u_regs[UREG_G1];
39854 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
39855 ++ regs->pc = addr;
39856 ++ regs->npc = addr+4;
39857 ++ return 2;
39858 ++ }
39859 ++ } while (0);
39860 ++
39861 ++ { /* PaX: patched PLT emulation #2 */
39862 ++ unsigned int ba;
39863 ++
39864 ++ err = get_user(ba, (unsigned int *)regs->pc);
39865 ++
39866 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
39867 ++ unsigned int addr;
39868 ++
39869 ++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
39870 ++ regs->pc = addr;
39871 ++ regs->npc = addr+4;
39872 ++ return 2;
39873 ++ }
39874 ++ }
39875 ++
39876 ++ do { /* PaX: patched PLT emulation #3 */
39877 ++ unsigned int sethi, jmpl, nop;
39878 ++
39879 ++ err = get_user(sethi, (unsigned int *)regs->pc);
39880 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
39881 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
39882 ++
39883 ++ if (err)
39884 ++ break;
39885 ++
39886 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
39887 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
39888 ++ nop == 0x01000000U)
39889 ++ {
39890 ++ unsigned int addr;
39891 ++
39892 ++ addr = (sethi & 0x003FFFFFU) << 10;
39893 ++ regs->u_regs[UREG_G1] = addr;
39894 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
39895 ++ regs->pc = addr;
39896 ++ regs->npc = addr+4;
39897 ++ return 2;
39898 ++ }
39899 ++ } while (0);
39900 ++
39901 ++ do { /* PaX: unpatched PLT emulation step 1 */
39902 ++ unsigned int sethi, ba, nop;
39903 ++
39904 ++ err = get_user(sethi, (unsigned int *)regs->pc);
39905 ++ err |= get_user(ba, (unsigned int *)(regs->pc+4));
39906 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
39907 ++
39908 ++ if (err)
39909 ++ break;
39910 ++
39911 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
39912 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
39913 ++ nop == 0x01000000U)
39914 ++ {
39915 ++ unsigned int addr, save, call;
39916 ++
39917 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
39918 ++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
39919 ++ else
39920 ++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
39921 ++
39922 ++ err = get_user(save, (unsigned int *)addr);
39923 ++ err |= get_user(call, (unsigned int *)(addr+4));
39924 ++ err |= get_user(nop, (unsigned int *)(addr+8));
39925 ++ if (err)
39926 ++ break;
39927 ++
39928 ++ if (save == 0x9DE3BFA8U &&
39929 ++ (call & 0xC0000000U) == 0x40000000U &&
39930 ++ nop == 0x01000000U)
39931 ++ {
39932 ++ struct vm_area_struct *vma;
39933 ++ unsigned long call_dl_resolve;
39934 ++
39935 ++ down_read(&current->mm->mmap_sem);
39936 ++ call_dl_resolve = current->mm->call_dl_resolve;
39937 ++ up_read(&current->mm->mmap_sem);
39938 ++ if (likely(call_dl_resolve))
39939 ++ goto emulate;
39940 ++
39941 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
39942 ++
39943 ++ down_write(&current->mm->mmap_sem);
39944 ++ if (current->mm->call_dl_resolve) {
39945 ++ call_dl_resolve = current->mm->call_dl_resolve;
39946 ++ up_write(&current->mm->mmap_sem);
39947 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39948 ++ goto emulate;
39949 ++ }
39950 ++
39951 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
39952 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
39953 ++ up_write(&current->mm->mmap_sem);
39954 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
39955 ++ return 1;
39956 ++ }
39957 ++
39958 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
39959 ++ up_write(&current->mm->mmap_sem);
39960 ++ kmem_cache_free(vm_area_cachep, vma);
39961 ++ return 1;
39962 ++ }
39963 ++
39964 ++ current->mm->call_dl_resolve = call_dl_resolve;
39965 ++ up_write(&current->mm->mmap_sem);
39966 ++
39967 ++emulate:
39968 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
39969 ++ regs->pc = call_dl_resolve;
39970 ++ regs->npc = addr+4;
39971 ++ return 3;
39972 ++ }
39973 ++ }
39974 ++ } while (0);
39975 ++
39976 ++ do { /* PaX: unpatched PLT emulation step 2 */
39977 ++ unsigned int save, call, nop;
39978 ++
39979 ++ err = get_user(save, (unsigned int *)(regs->pc-4));
39980 ++ err |= get_user(call, (unsigned int *)regs->pc);
39981 ++ err |= get_user(nop, (unsigned int *)(regs->pc+4));
39982 ++ if (err)
39983 ++ break;
39984 ++
39985 ++ if (save == 0x9DE3BFA8U &&
39986 ++ (call & 0xC0000000U) == 0x40000000U &&
39987 ++ nop == 0x01000000U)
39988 ++ {
39989 ++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
39990 ++
39991 ++ regs->u_regs[UREG_RETPC] = regs->pc;
39992 ++ regs->pc = dl_resolve;
39993 ++ regs->npc = dl_resolve+4;
39994 ++ return 3;
39995 ++ }
39996 ++ } while (0);
39997 ++#endif
39998 ++
39999 ++ return 1;
40000 ++}
40001 ++
40002 ++void pax_report_insns(void *pc, void *sp)
40003 ++{
40004 ++ unsigned long i;
40005 ++
40006 ++ printk(KERN_ERR "PAX: bytes at PC: ");
40007 ++ for (i = 0; i < 5; i++) {
40008 ++ unsigned int c;
40009 ++ if (get_user(c, (unsigned int *)pc+i))
40010 ++ printk("???????? ");
40011 ++ else
40012 ++ printk("%08x ", c);
40013 ++ }
40014 ++ printk("\n");
40015 ++}
40016 ++#endif
40017 ++
40018 + asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
40019 + unsigned long address)
40020 + {
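Review bot: pax_emuplt_close, pax_emuplt_nopage, pax_vm_ops and pax_insert_vma are defined under `#ifdef CONFIG_PAX_PAGEEXEC` but are only referenced inside the `#ifdef CONFIG_PAX_EMUPLT` block of pax_handle_fetch_fault, so a PAGEEXEC-without-EMUPLT build gets "defined but not used" warnings for the static ones and dead code for the rest; the sparc64 copy of this code (arch/sparc64/mm/fault.c, later in this patch) wraps the helpers in an inner `#ifdef CONFIG_PAX_EMUPLT`, and this file should do the same. pax_emuplt_close is also non-static here while the sparc64 version makes it static; nothing outside this file needs it. Finally, the `emulate:` path sets `regs->pc = call_dl_resolve;` but `regs->npc = addr+4;`, which is intentional (only the `save` executes from the PaX page, then control continues at the original PLT's `call`) but reads like a typo without a comment saying so.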
40021 +@@ -280,6 +529,24 @@ good_area:
40022 + if(!(vma->vm_flags & VM_WRITE))
40023 + goto bad_area;
40024 + } else {
40025 ++
40026 ++#ifdef CONFIG_PAX_PAGEEXEC
40027 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
40028 ++ up_read(&mm->mmap_sem);
40029 ++ switch (pax_handle_fetch_fault(regs)) {
40030 ++
40031 ++#ifdef CONFIG_PAX_EMUPLT
40032 ++ case 2:
40033 ++ case 3:
40034 ++ return;
40035 ++#endif
40036 ++
40037 ++ }
40038 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
40039 ++ do_group_exit(SIGKILL);
40040 ++ }
40041 ++#endif
40042 ++
40043 + /* Allow reads even for write-only mappings */
40044 + if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
40045 + goto bad_area;
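Review bot: with CONFIG_PAX_EMUPLT off, `switch (pax_handle_fetch_fault(regs))` has no cases at all; it compiles, but a `default: break;` plus a comment that every return value other than 2/3 falls through to pax_report_fault and do_group_exit(SIGKILL) would make the intent explicit. The `up_read(&mm->mmap_sem);` before the call also deserves a comment: the emulation path does get_user and may take mmap_sem for writing itself, so the read lock must not be held across it.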
40046 +diff -urNp linux-2.6.24.5/arch/sparc/mm/init.c linux-2.6.24.5/arch/sparc/mm/init.c
40047 +--- linux-2.6.24.5/arch/sparc/mm/init.c 2008-03-24 14:49:18.000000000 -0400
40048 ++++ linux-2.6.24.5/arch/sparc/mm/init.c 2008-03-26 20:21:07.000000000 -0400
40049 +@@ -336,17 +336,17 @@ void __init paging_init(void)
40050 +
40051 + /* Initialize the protection map with non-constant, MMU dependent values. */
40052 + protection_map[0] = PAGE_NONE;
40053 +- protection_map[1] = PAGE_READONLY;
40054 +- protection_map[2] = PAGE_COPY;
40055 +- protection_map[3] = PAGE_COPY;
40056 ++ protection_map[1] = PAGE_READONLY_NOEXEC;
40057 ++ protection_map[2] = PAGE_COPY_NOEXEC;
40058 ++ protection_map[3] = PAGE_COPY_NOEXEC;
40059 + protection_map[4] = PAGE_READONLY;
40060 + protection_map[5] = PAGE_READONLY;
40061 + protection_map[6] = PAGE_COPY;
40062 + protection_map[7] = PAGE_COPY;
40063 + protection_map[8] = PAGE_NONE;
40064 +- protection_map[9] = PAGE_READONLY;
40065 +- protection_map[10] = PAGE_SHARED;
40066 +- protection_map[11] = PAGE_SHARED;
40067 ++ protection_map[9] = PAGE_READONLY_NOEXEC;
40068 ++ protection_map[10] = PAGE_SHARED_NOEXEC;
40069 ++ protection_map[11] = PAGE_SHARED_NOEXEC;
40070 + protection_map[12] = PAGE_READONLY;
40071 + protection_map[13] = PAGE_READONLY;
40072 + protection_map[14] = PAGE_SHARED;
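Review bot: the six *_NOEXEC assignments are unconditional, while the srmmu.c hunk that follows only initializes PAGE_SHARED_NOEXEC / page_copy_noexec / page_readonly_noexec under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the pgtable header defines the NOEXEC names as aliases of the executable variants when PAGEEXEC is off (not visible in this patch), a !PAGEEXEC build fills protection_map[1..3] and [9..11] with uninitialized protections. Either guard these lines the same way or point to the fallback definitions in the patch description.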
40073 +diff -urNp linux-2.6.24.5/arch/sparc/mm/srmmu.c linux-2.6.24.5/arch/sparc/mm/srmmu.c
40074 +--- linux-2.6.24.5/arch/sparc/mm/srmmu.c 2008-03-24 14:49:18.000000000 -0400
40075 ++++ linux-2.6.24.5/arch/sparc/mm/srmmu.c 2008-03-26 20:21:07.000000000 -0400
40076 +@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
40077 + PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
40078 + BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
40079 + BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
40080 ++
40081 ++#ifdef CONFIG_PAX_PAGEEXEC
40082 ++ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
40083 ++ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
40084 ++ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
40085 ++#endif
40086 ++
40087 + BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
40088 + page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
40089 +
40090 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/Makefile linux-2.6.24.5/arch/sparc64/kernel/Makefile
40091 +--- linux-2.6.24.5/arch/sparc64/kernel/Makefile 2008-03-24 14:49:18.000000000 -0400
40092 ++++ linux-2.6.24.5/arch/sparc64/kernel/Makefile 2008-03-26 20:21:07.000000000 -0400
40093 +@@ -3,7 +3,7 @@
40094 + #
40095 +
40096 + EXTRA_AFLAGS := -ansi
40097 +-EXTRA_CFLAGS := -Werror
40098 ++#EXTRA_CFLAGS := -Werror
40099 +
40100 + extra-y := head.o init_task.o vmlinux.lds
40101 +
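Review bot: commenting out `EXTRA_CFLAGS := -Werror` for all of arch/sparc64/kernel silences every present and future warning in the directory, not just whatever this patch introduces; prefer fixing the warnings, or a per-object `CFLAGS_<file>.o` override if one file genuinely needs it, and record the reason in the patch description.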
40102 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/ptrace.c linux-2.6.24.5/arch/sparc64/kernel/ptrace.c
40103 +--- linux-2.6.24.5/arch/sparc64/kernel/ptrace.c 2008-04-17 20:05:17.000000000 -0400
40104 ++++ linux-2.6.24.5/arch/sparc64/kernel/ptrace.c 2008-04-17 20:05:00.000000000 -0400
40105 +@@ -22,6 +22,7 @@
40106 + #include <linux/seccomp.h>
40107 + #include <linux/audit.h>
40108 + #include <linux/signal.h>
40109 ++#include <linux/grsecurity.h>
40110 +
40111 + #include <asm/asi.h>
40112 + #include <asm/pgtable.h>
40113 +@@ -220,6 +221,11 @@ asmlinkage void do_ptrace(struct pt_regs
40114 + goto out;
40115 + }
40116 +
40117 ++ if (gr_handle_ptrace(child, (long)request)) {
40118 ++ pt_error_return(regs, EPERM);
40119 ++ goto out_tsk;
40120 ++ }
40121 ++
40122 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
40123 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
40124 + if (ptrace_attach(child)) {
40125 +diff -urNp linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c
40126 +--- linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c 2008-03-24 14:49:18.000000000 -0400
40127 ++++ linux-2.6.24.5/arch/sparc64/kernel/sys_sparc.c 2008-03-26 20:21:07.000000000 -0400
40128 +@@ -123,7 +123,7 @@ unsigned long arch_get_unmapped_area(str
40129 + /* We do not accept a shared mapping if it would violate
40130 + * cache aliasing constraints.
40131 + */
40132 +- if ((flags & MAP_SHARED) &&
40133 ++ if ((filp || (flags & MAP_SHARED)) &&
40134 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
40135 + return -EINVAL;
40136 + return addr;
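Review bot: widening the SHMLBA check from `flags & MAP_SHARED` to `filp || (flags & MAP_SHARED)` rejects MAP_FIXED private file mappings whose address is not cache-colour aligned with the file offset, which the old code accepted; that is a user-visible ABI change (EINVAL where mmap used to succeed) and should be called out in the patch description together with why private file mappings need colour alignment here. The arch_get_unmapped_area_topdown hunk below makes the same change and needs the same justification.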
40137 +@@ -138,6 +138,10 @@ unsigned long arch_get_unmapped_area(str
40138 + if (filp || (flags & MAP_SHARED))
40139 + do_color_align = 1;
40140 +
40141 ++#ifdef CONFIG_PAX_RANDMMAP
40142 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
40143 ++#endif
40144 ++
40145 + if (addr) {
40146 + if (do_color_align)
40147 + addr = COLOUR_ALIGN(addr, pgoff);
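Review bot: the brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` wrapped in `#ifdef CONFIG_PAX_RANDMMAP` controls the whole following `if (addr) { ... }` statement, so any future edit that adds an `else` to the hint handling silently becomes conditional too; wrap the hint handling in braces or hoist the condition into a local such as `use_hint` so the control flow does not depend on preprocessor layout. A comment stating that the address hint is deliberately ignored for anonymous mappings when RANDMMAP is active would also help.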
40148 +@@ -151,9 +155,9 @@ unsigned long arch_get_unmapped_area(str
40149 + }
40150 +
40151 + if (len > mm->cached_hole_size) {
40152 +- start_addr = addr = mm->free_area_cache;
40153 ++ start_addr = addr = mm->free_area_cache;
40154 + } else {
40155 +- start_addr = addr = TASK_UNMAPPED_BASE;
40156 ++ start_addr = addr = mm->mmap_base;
40157 + mm->cached_hole_size = 0;
40158 + }
40159 +
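Review bot: `start_addr = addr = mm->free_area_cache;` is removed and re-added with only a whitespace difference; drop that whitespace-only change so the hunk carries just the TASK_UNMAPPED_BASE to mm->mmap_base substitution.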
40160 +@@ -173,8 +177,8 @@ full_search:
40161 + vma = find_vma(mm, VA_EXCLUDE_END);
40162 + }
40163 + if (unlikely(task_size < addr)) {
40164 +- if (start_addr != TASK_UNMAPPED_BASE) {
40165 +- start_addr = addr = TASK_UNMAPPED_BASE;
40166 ++ if (start_addr != mm->mmap_base) {
40167 ++ start_addr = addr = mm->mmap_base;
40168 + mm->cached_hole_size = 0;
40169 + goto full_search;
40170 + }
40171 +@@ -214,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
40172 + /* We do not accept a shared mapping if it would violate
40173 + * cache aliasing constraints.
40174 + */
40175 +- if ((flags & MAP_SHARED) &&
40176 ++ if ((filp || (flags & MAP_SHARED)) &&
40177 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
40178 + return -EINVAL;
40179 + return addr;
40180 +@@ -377,6 +381,12 @@ void arch_pick_mmap_layout(struct mm_str
40181 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
40182 + sysctl_legacy_va_layout) {
40183 + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
40184 ++
40185 ++#ifdef CONFIG_PAX_RANDMMAP
40186 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
40187 ++ mm->mmap_base += mm->delta_mmap;
40188 ++#endif
40189 ++
40190 + mm->get_unmapped_area = arch_get_unmapped_area;
40191 + mm->unmap_area = arch_unmap_area;
40192 + } else {
40193 +@@ -391,6 +401,12 @@ void arch_pick_mmap_layout(struct mm_str
40194 + gap = (task_size / 6 * 5);
40195 +
40196 + mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
40197 ++
40198 ++#ifdef CONFIG_PAX_RANDMMAP
40199 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
40200 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
40201 ++#endif
40202 ++
40203 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
40204 + mm->unmap_area = arch_unmap_area_topdown;
40205 + }
40206 +diff -urNp linux-2.6.24.5/arch/sparc64/mm/fault.c linux-2.6.24.5/arch/sparc64/mm/fault.c
40207 +--- linux-2.6.24.5/arch/sparc64/mm/fault.c 2008-03-24 14:49:18.000000000 -0400
40208 ++++ linux-2.6.24.5/arch/sparc64/mm/fault.c 2008-03-26 20:21:07.000000000 -0400
40209 +@@ -20,6 +20,10 @@
40210 + #include <linux/kprobes.h>
40211 + #include <linux/kallsyms.h>
40212 + #include <linux/kdebug.h>
40213 ++#include <linux/slab.h>
40214 ++#include <linux/pagemap.h>
40215 ++#include <linux/compiler.h>
40216 ++#include <linux/binfmts.h>
40217 +
40218 + #include <asm/page.h>
40219 + #include <asm/pgtable.h>
40220 +@@ -262,6 +266,368 @@ cannot_handle:
40221 + unhandled_fault (address, current, regs);
40222 + }
40223 +
40224 ++#ifdef CONFIG_PAX_PAGEEXEC
40225 ++#ifdef CONFIG_PAX_EMUPLT
40226 ++static void pax_emuplt_close(struct vm_area_struct *vma)
40227 ++{
40228 ++ vma->vm_mm->call_dl_resolve = 0UL;
40229 ++}
40230 ++
40231 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
40232 ++{
40233 ++ struct page *page;
40234 ++ unsigned int *kaddr;
40235 ++
40236 ++ page = alloc_page(GFP_HIGHUSER);
40237 ++ if (!page)
40238 ++ return NOPAGE_OOM;
40239 ++
40240 ++ kaddr = kmap(page);
40241 ++ memset(kaddr, 0, PAGE_SIZE);
40242 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
40243 ++ flush_dcache_page(page);
40244 ++ kunmap(page);
40245 ++ if (type)
40246 ++ *type = VM_FAULT_MAJOR;
40247 ++ return page;
40248 ++}
40249 ++
40250 ++static struct vm_operations_struct pax_vm_ops = {
40251 ++ .close = pax_emuplt_close,
40252 ++ .nopage = pax_emuplt_nopage,
40253 ++};
40254 ++
40255 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
40256 ++{
40257 ++ int ret;
40258 ++
40259 ++ vma->vm_mm = current->mm;
40260 ++ vma->vm_start = addr;
40261 ++ vma->vm_end = addr + PAGE_SIZE;
40262 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
40263 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
40264 ++ vma->vm_ops = &pax_vm_ops;
40265 ++
40266 ++ ret = insert_vm_struct(current->mm, vma);
40267 ++ if (ret)
40268 ++ return ret;
40269 ++
40270 ++ ++current->mm->total_vm;
40271 ++ return 0;
40272 ++}
40273 ++#endif
40274 ++
40275 ++/*
40276 ++ * PaX: decide what to do with offenders (regs->tpc = fault address)
40277 ++ *
40278 ++ * returns 1 when task should be killed
40279 ++ * 2 when patched PLT trampoline was detected
40280 ++ * 3 when unpatched PLT trampoline was detected
40281 ++ */
40282 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
40283 ++{
40284 ++
40285 ++#ifdef CONFIG_PAX_EMUPLT
40286 ++ int err;
40287 ++
40288 ++ do { /* PaX: patched PLT emulation #1 */
40289 ++ unsigned int sethi1, sethi2, jmpl;
40290 ++
40291 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40292 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40293 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
40294 ++
40295 ++ if (err)
40296 ++ break;
40297 ++
40298 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40299 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
40300 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
40301 ++ {
40302 ++ unsigned long addr;
40303 ++
40304 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
40305 ++ addr = regs->u_regs[UREG_G1];
40306 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
40307 ++ regs->tpc = addr;
40308 ++ regs->tnpc = addr+4;
40309 ++ return 2;
40310 ++ }
40311 ++ } while (0);
40312 ++
40313 ++ { /* PaX: patched PLT emulation #2 */
40314 ++ unsigned int ba;
40315 ++
40316 ++ err = get_user(ba, (unsigned int *)regs->tpc);
40317 ++
40318 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
40319 ++ unsigned long addr;
40320 ++
40321 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
40322 ++ regs->tpc = addr;
40323 ++ regs->tnpc = addr+4;
40324 ++ return 2;
40325 ++ }
40326 ++ }
40327 ++
40328 ++ do { /* PaX: patched PLT emulation #3 */
40329 ++ unsigned int sethi, jmpl, nop;
40330 ++
40331 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40332 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
40333 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40334 ++
40335 ++ if (err)
40336 ++ break;
40337 ++
40338 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40339 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
40340 ++ nop == 0x01000000U)
40341 ++ {
40342 ++ unsigned long addr;
40343 ++
40344 ++ addr = (sethi & 0x003FFFFFU) << 10;
40345 ++ regs->u_regs[UREG_G1] = addr;
40346 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
40347 ++ regs->tpc = addr;
40348 ++ regs->tnpc = addr+4;
40349 ++ return 2;
40350 ++ }
40351 ++ } while (0);
40352 ++
40353 ++ do { /* PaX: patched PLT emulation #4 */
40354 ++ unsigned int mov1, call, mov2;
40355 ++
40356 ++ err = get_user(mov1, (unsigned int *)regs->tpc);
40357 ++ err |= get_user(call, (unsigned int *)(regs->tpc+4));
40358 ++ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
40359 ++
40360 ++ if (err)
40361 ++ break;
40362 ++
40363 ++ if (mov1 == 0x8210000FU &&
40364 ++ (call & 0xC0000000U) == 0x40000000U &&
40365 ++ mov2 == 0x9E100001U)
40366 ++ {
40367 ++ unsigned long addr;
40368 ++
40369 ++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
40370 ++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
40371 ++ regs->tpc = addr;
40372 ++ regs->tnpc = addr+4;
40373 ++ return 2;
40374 ++ }
40375 ++ } while (0);
40376 ++
40377 ++ do { /* PaX: patched PLT emulation #5 */
40378 ++ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
40379 ++
40380 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40381 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40382 ++ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
40383 ++ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
40384 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
40385 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
40386 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
40387 ++
40388 ++ if (err)
40389 ++ break;
40390 ++
40391 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40392 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
40393 ++ (or1 & 0xFFFFE000U) == 0x82106000U &&
40394 ++ (or2 & 0xFFFFE000U) == 0x8A116000U &&
40395 ++ sllx == 0x83287020 &&
40396 ++ jmpl == 0x81C04005U &&
40397 ++ nop == 0x01000000U)
40398 ++ {
40399 ++ unsigned long addr;
40400 ++
40401 ++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
40402 ++ regs->u_regs[UREG_G1] <<= 32;
40403 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
40404 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
40405 ++ regs->tpc = addr;
40406 ++ regs->tnpc = addr+4;
40407 ++ return 2;
40408 ++ }
40409 ++ } while (0);
40410 ++
40411 ++ do { /* PaX: patched PLT emulation #6 */
40412 ++ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
40413 ++
40414 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
40415 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
40416 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
40417 ++ err |= get_user(or, (unsigned int *)(regs->tpc+12));
40418 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
40419 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
40420 ++
40421 ++ if (err)
40422 ++ break;
40423 ++
40424 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
40425 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
40426 ++ sllx == 0x83287020 &&
40427 ++ (or & 0xFFFFE000U) == 0x8A116000U &&
40428 ++ jmpl == 0x81C04005U &&
40429 ++ nop == 0x01000000U)
40430 ++ {
40431 ++ unsigned long addr;
40432 ++
40433 ++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
40434 ++ regs->u_regs[UREG_G1] <<= 32;
40435 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
40436 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
40437 ++ regs->tpc = addr;
40438 ++ regs->tnpc = addr+4;
40439 ++ return 2;
40440 ++ }
40441 ++ } while (0);
40442 ++
40443 ++ do { /* PaX: patched PLT emulation #7 */
40444 ++ unsigned int sethi, ba, nop;
40445 ++
40446 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40447 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
40448 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40449 ++
40450 ++ if (err)
40451 ++ break;
40452 ++
40453 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40454 ++ (ba & 0xFFF00000U) == 0x30600000U &&
40455 ++ nop == 0x01000000U)
40456 ++ {
40457 ++ unsigned long addr;
40458 ++
40459 ++ addr = (sethi & 0x003FFFFFU) << 10;
40460 ++ regs->u_regs[UREG_G1] = addr;
40461 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
40462 ++ regs->tpc = addr;
40463 ++ regs->tnpc = addr+4;
40464 ++ return 2;
40465 ++ }
40466 ++ } while (0);
40467 ++
40468 ++ do { /* PaX: unpatched PLT emulation step 1 */
40469 ++ unsigned int sethi, ba, nop;
40470 ++
40471 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
40472 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
40473 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
40474 ++
40475 ++ if (err)
40476 ++ break;
40477 ++
40478 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
40479 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
40480 ++ nop == 0x01000000U)
40481 ++ {
40482 ++ unsigned long addr;
40483 ++ unsigned int save, call;
40484 ++
40485 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
40486 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
40487 ++ else
40488 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
40489 ++
40490 ++ err = get_user(save, (unsigned int *)addr);
40491 ++ err |= get_user(call, (unsigned int *)(addr+4));
40492 ++ err |= get_user(nop, (unsigned int *)(addr+8));
40493 ++ if (err)
40494 ++ break;
40495 ++
40496 ++ if (save == 0x9DE3BFA8U &&
40497 ++ (call & 0xC0000000U) == 0x40000000U &&
40498 ++ nop == 0x01000000U)
40499 ++ {
40500 ++ struct vm_area_struct *vma;
40501 ++ unsigned long call_dl_resolve;
40502 ++
40503 ++ down_read(&current->mm->mmap_sem);
40504 ++ call_dl_resolve = current->mm->call_dl_resolve;
40505 ++ up_read(&current->mm->mmap_sem);
40506 ++ if (likely(call_dl_resolve))
40507 ++ goto emulate;
40508 ++
40509 ++ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
40510 ++
40511 ++ down_write(&current->mm->mmap_sem);
40512 ++ if (current->mm->call_dl_resolve) {
40513 ++ call_dl_resolve = current->mm->call_dl_resolve;
40514 ++ up_write(&current->mm->mmap_sem);
40515 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
40516 ++ goto emulate;
40517 ++ }
40518 ++
40519 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
40520 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
40521 ++ up_write(&current->mm->mmap_sem);
40522 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
40523 ++ return 1;
40524 ++ }
40525 ++
40526 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
40527 ++ up_write(&current->mm->mmap_sem);
40528 ++ kmem_cache_free(vm_area_cachep, vma);
40529 ++ return 1;
40530 ++ }
40531 ++
40532 ++ current->mm->call_dl_resolve = call_dl_resolve;
40533 ++ up_write(&current->mm->mmap_sem);
40534 ++
40535 ++emulate:
40536 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
40537 ++ regs->tpc = call_dl_resolve;
40538 ++ regs->tnpc = addr+4;
40539 ++ return 3;
40540 ++ }
40541 ++ }
40542 ++ } while (0);
40543 ++
40544 ++ do { /* PaX: unpatched PLT emulation step 2 */
40545 ++ unsigned int save, call, nop;
40546 ++
40547 ++ err = get_user(save, (unsigned int *)(regs->tpc-4));
40548 ++ err |= get_user(call, (unsigned int *)regs->tpc);
40549 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
40550 ++ if (err)
40551 ++ break;
40552 ++
40553 ++ if (save == 0x9DE3BFA8U &&
40554 ++ (call & 0xC0000000U) == 0x40000000U &&
40555 ++ nop == 0x01000000U)
40556 ++ {
40557 ++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
40558 ++
40559 ++ regs->u_regs[UREG_RETPC] = regs->tpc;
40560 ++ regs->tpc = dl_resolve;
40561 ++ regs->tnpc = dl_resolve+4;
40562 ++ return 3;
40563 ++ }
40564 ++ } while (0);
40565 ++#endif
40566 ++
40567 ++ return 1;
40568 ++}
40569 ++
40570 ++void pax_report_insns(void *pc, void *sp)
40571 ++{
40572 ++ unsigned long i;
40573 ++
40574 ++ printk(KERN_ERR "PAX: bytes at PC: ");
40575 ++ for (i = 0; i < 5; i++) {
40576 ++ unsigned int c;
40577 ++ if (get_user(c, (unsigned int *)pc+i))
40578 ++ printk("???????? ");
40579 ++ else
40580 ++ printk("%08x ", c);
40581 ++ }
40582 ++ printk("\n");
40583 ++}
40584 ++#endif
40585 ++
40586 + asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
40587 + {
40588 + struct mm_struct *mm = current->mm;
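Review bot: in patched PLT emulation #5 and #6 the literal `sllx == 0x83287020 &&` lacks the `U` suffix that every other opcode comparison in this function carries; harmless, but keep it consistent. Beyond that, pax_emuplt_close, pax_emuplt_nopage, pax_vm_ops, pax_insert_vma and pax_report_insns are near line-for-line copies of the arch/sparc/mm/fault.c versions earlier in this patch; a shared file would keep the two from drifting. As in the sparc32 copy, the `emulate:` path sets `regs->tpc = call_dl_resolve;` and `regs->tnpc = addr+4;` on purpose (only the `save` runs from the PaX page before control continues at the original PLT's `call`) and needs a comment saying so.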
40589 +@@ -303,8 +669,10 @@ asmlinkage void __kprobes do_sparc64_fau
40590 + goto intr_or_no_mm;
40591 +
40592 + if (test_thread_flag(TIF_32BIT)) {
40593 +- if (!(regs->tstate & TSTATE_PRIV))
40594 ++ if (!(regs->tstate & TSTATE_PRIV)) {
40595 + regs->tpc &= 0xffffffff;
40596 ++ regs->tnpc &= 0xffffffff;
40597 ++ }
40598 + address &= 0xffffffff;
40599 + }
40600 +
40601 +@@ -321,6 +689,29 @@ asmlinkage void __kprobes do_sparc64_fau
40602 + if (!vma)
40603 + goto bad_area;
40604 +
40605 ++#ifdef CONFIG_PAX_PAGEEXEC
40606 ++ /* PaX: detect ITLB misses on non-exec pages */
40607 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
40608 ++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
40609 ++ {
40610 ++ if (address != regs->tpc)
40611 ++ goto good_area;
40612 ++
40613 ++ up_read(&mm->mmap_sem);
40614 ++ switch (pax_handle_fetch_fault(regs)) {
40615 ++
40616 ++#ifdef CONFIG_PAX_EMUPLT
40617 ++ case 2:
40618 ++ case 3:
40619 ++ return;
40620 ++#endif
40621 ++
40622 ++ }
40623 ++ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
40624 ++ do_group_exit(SIGKILL);
40625 ++ }
40626 ++#endif
40627 ++
40628 + /* Pure DTLB misses do not tell us whether the fault causing
40629 + * load/store/atomic was a write or not, it only says that there
40630 + * was no match. So in such a case we (carefully) read the
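Review bot: `pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));` adds STACK_BIAS unconditionally, but the hunk just above masks tpc/tnpc to 32 bits for TIF_32BIT tasks, whose frame pointer carries no stack bias; the stack pointer reported for 32-bit compat tasks is therefore off by STACK_BIAS. Make the bias conditional on !test_thread_flag(TIF_32BIT). Also add a comment on `if (address != regs->tpc) goto good_area;` noting that the jump is safe because `vma->vm_start <= address` has already been checked, so the stack-expansion path it skips cannot apply.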
40631 +diff -urNp linux-2.6.24.5/arch/sparc64/mm/Makefile linux-2.6.24.5/arch/sparc64/mm/Makefile
40632 +--- linux-2.6.24.5/arch/sparc64/mm/Makefile 2008-03-24 14:49:18.000000000 -0400
40633 ++++ linux-2.6.24.5/arch/sparc64/mm/Makefile 2008-03-26 20:21:07.000000000 -0400
40634 +@@ -3,7 +3,7 @@
40635 + #
40636 +
40637 + EXTRA_AFLAGS := -ansi
40638 +-EXTRA_CFLAGS := -Werror
40639 ++#EXTRA_CFLAGS := -Werror
40640 +
40641 + obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
40642 +
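Review bot: same concern as the arch/sparc64/kernel/Makefile hunk: dropping -Werror directory-wide hides warnings unrelated to this patch; fault.o is the only object this patch touches here, so a per-object override, or fixing the warnings, would be narrower.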
40643 +diff -urNp linux-2.6.24.5/arch/v850/kernel/module.c linux-2.6.24.5/arch/v850/kernel/module.c
40644 +--- linux-2.6.24.5/arch/v850/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
40645 ++++ linux-2.6.24.5/arch/v850/kernel/module.c 2008-03-26 20:21:07.000000000 -0400
40646 +@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
40647 + tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
40648 +
40649 + /* Init, or core PLT? */
40650 +- if (location >= mod->module_core
40651 +- && location < mod->module_core + mod->core_size)
40652 ++ if (location >= mod->module_core_rx
40653 ++ && location < mod->module_core_rx + mod->core_size_rx)
40654 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
40655 + else
40656 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
40657 +diff -urNp linux-2.6.24.5/arch/x86/boot/bitops.h linux-2.6.24.5/arch/x86/boot/bitops.h
40658 +--- linux-2.6.24.5/arch/x86/boot/bitops.h 2008-03-24 14:49:18.000000000 -0400
40659 ++++ linux-2.6.24.5/arch/x86/boot/bitops.h 2008-03-26 20:21:07.000000000 -0400
40660 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
40661 + u8 v;
40662 + const u32 *p = (const u32 *)addr;
40663 +
40664 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
40665 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
40666 + return v;
40667 + }
40668 +
40669 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
40670 +
40671 + static inline void set_bit(int nr, void *addr)
40672 + {
40673 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
40674 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
40675 + }
40676 +
40677 + #endif /* BOOT_BITOPS_H */
40678 +diff -urNp linux-2.6.24.5/arch/x86/boot/boot.h linux-2.6.24.5/arch/x86/boot/boot.h
40679 +--- linux-2.6.24.5/arch/x86/boot/boot.h 2008-03-24 14:49:18.000000000 -0400
40680 ++++ linux-2.6.24.5/arch/x86/boot/boot.h 2008-03-26 20:21:07.000000000 -0400
40681 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
40682 + static inline u16 ds(void)
40683 + {
40684 + u16 seg;
40685 +- asm("movw %%ds,%0" : "=rm" (seg));
40686 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
40687 + return seg;
40688 + }
40689 +
40690 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
40691 + static inline int memcmp(const void *s1, const void *s2, size_t len)
40692 + {
40693 + u8 diff;
40694 +- asm("repe; cmpsb; setnz %0"
40695 ++ asm volatile("repe; cmpsb; setnz %0"
40696 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
40697 + return diff;
40698 + }
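Review bot: making the memcmp asm `volatile` keeps the compiler from dropping or hoisting it, but it still does not tell the compiler that the asm reads the bytes behind s1 and s2 (only the pointers are passed via "+D"/"+S"), so stores to those buffers can still be reordered across it. The robust fix is a "memory" clobber (or memory input operands) rather than, or in addition to, volatile; the patch description should say which problem the volatile is meant to solve.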
40699 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/head_32.S linux-2.6.24.5/arch/x86/boot/compressed/head_32.S
40700 +--- linux-2.6.24.5/arch/x86/boot/compressed/head_32.S 2008-03-24 14:49:18.000000000 -0400
40701 ++++ linux-2.6.24.5/arch/x86/boot/compressed/head_32.S 2008-03-26 20:21:07.000000000 -0400
40702 +@@ -70,7 +70,7 @@ startup_32:
40703 + addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebx
40704 + andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebx
40705 + #else
40706 +- movl $LOAD_PHYSICAL_ADDR, %ebx
40707 ++ movl $____LOAD_PHYSICAL_ADDR, %ebx
40708 + #endif
40709 +
40710 + /* Replace the compressed data size with the uncompressed size */
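Review bot: `____LOAD_PHYSICAL_ADDR` is not defined in this file and no hunk in this part of the series introduces it, so the change only assembles if a header hunk elsewhere defines it, and the four-underscore name tells the reader nothing. Add a comment at the first use explaining how it differs from `LOAD_PHYSICAL_ADDR` (the same substitution is made at `-105`, at `relocated:` and in `misc_32.c`), or give the macro a descriptive name.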
40711 +@@ -105,7 +105,7 @@ startup_32:
40712 + addl $(CONFIG_PHYSICAL_ALIGN - 1), %ebp
40713 + andl $(~(CONFIG_PHYSICAL_ALIGN - 1)), %ebp
40714 + #else
40715 +- movl $LOAD_PHYSICAL_ADDR, %ebp
40716 ++ movl $____LOAD_PHYSICAL_ADDR, %ebp
40717 + #endif
40718 +
40719 + /*
40720 +@@ -159,16 +159,15 @@ relocated:
40721 + * and where it was actually loaded.
40722 + */
40723 + movl %ebp, %ebx
40724 +- subl $LOAD_PHYSICAL_ADDR, %ebx
40725 ++ subl $____LOAD_PHYSICAL_ADDR, %ebx
40726 + jz 2f /* Nothing to be done if loaded at compiled addr. */
40727 + /*
40728 + * Process relocations.
40729 + */
40730 +
40731 + 1: subl $4, %edi
40732 +- movl 0(%edi), %ecx
40733 +- testl %ecx, %ecx
40734 +- jz 2f
40735 ++ movl (%edi), %ecx
40736 ++ jecxz 2f
40737 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
40738 + jmp 1b
40739 + 2:
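Review bot: the `jecxz 2f` rewrite is an unrelated micro-optimisation inside a security patch, and it changes one property worth stating: `jecxz` only has an 8-bit displacement, so `2:` must stay within 127 bytes of it. That holds for this five-instruction loop (`subl`, `movl`, `jecxz`, `addl`, `jmp`) and the assembler errors out if it ever stops holding, so the change is safe, but keep it in a separate cleanup so the relocation hunks stay reviewable on their own.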
40740 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c
40741 +--- linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c 2008-03-24 14:49:18.000000000 -0400
40742 ++++ linux-2.6.24.5/arch/x86/boot/compressed/misc_32.c 2008-03-26 20:21:07.000000000 -0400
40743 +@@ -113,7 +113,8 @@ typedef unsigned char uch;
40744 + typedef unsigned short ush;
40745 + typedef unsigned long ulg;
40746 +
40747 +-#define WSIZE 0x80000000 /* Window size must be at least 32k,
40748 ++#define WSIZE 0x80000000
40749 ++ /* Window size must be at least 32k,
40750 + * and a power of two
40751 + * We don't actually have a window just
40752 + * a huge output buffer so I report
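Review bot: this hunk is cosmetic; moving the comment onto its own line after `#define WSIZE 0x80000000` changes no code. If it silences a compiler warning, name the warning in the changelog; otherwise drop the hunk to keep the patch focused.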
40753 +@@ -370,7 +371,7 @@ asmlinkage void decompress_kernel(void *
40754 + if (end > ((-__PAGE_OFFSET-(512 <<20)-1) & 0x7fffffff))
40755 + error("Destination address too large");
40756 + #ifndef CONFIG_RELOCATABLE
40757 +- if ((u32)output != LOAD_PHYSICAL_ADDR)
40758 ++ if ((u32)output != ____LOAD_PHYSICAL_ADDR)
40759 + error("Wrong destination address");
40760 + #endif
40761 +
40762 +diff -urNp linux-2.6.24.5/arch/x86/boot/compressed/relocs.c linux-2.6.24.5/arch/x86/boot/compressed/relocs.c
40763 +--- linux-2.6.24.5/arch/x86/boot/compressed/relocs.c 2008-03-24 14:49:18.000000000 -0400
40764 ++++ linux-2.6.24.5/arch/x86/boot/compressed/relocs.c 2008-03-26 20:21:07.000000000 -0400
40765 +@@ -10,9 +10,13 @@
40766 + #define USE_BSD
40767 + #include <endian.h>
40768 +
40769 ++#include "../../../../include/linux/autoconf.h"
40770 ++
40771 ++#define MAX_PHDRS 100
40772 + #define MAX_SHDRS 100
40773 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
40774 + static Elf32_Ehdr ehdr;
40775 ++static Elf32_Phdr phdr[MAX_PHDRS];
40776 + static Elf32_Shdr shdr[MAX_SHDRS];
40777 + static Elf32_Sym *symtab[MAX_SHDRS];
40778 + static Elf32_Rel *reltab[MAX_SHDRS];
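Review bot: including `../../../../include/linux/autoconf.h` from a host tool introduces a hidden build dependency: `relocs` is compiled once as a hostprog, and nothing in this hunk makes it depend on the configuration, so after changing `CONFIG_PAGE_OFFSET` or `CONFIG_PAX_KERNEXEC` a stale `relocs` binary emits a wrong relocation table without any error. Add `include/linux/autoconf.h` as a prerequisite of the `relocs` hostprog in the boot Makefile, and note that `MAX_PHDRS 100` is a chosen limit mirroring `MAX_SHDRS`.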
40779 +@@ -244,6 +248,34 @@ static void read_ehdr(FILE *fp)
40780 + }
40781 + }
40782 +
40783 ++static void read_phdrs(FILE *fp)
40784 ++{
40785 ++ int i;
40786 ++ if (ehdr.e_phnum > MAX_PHDRS) {
40787 ++ die("%d program headers supported: %d\n",
40788 ++ ehdr.e_phnum, MAX_PHDRS);
40789 ++ }
40790 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
40791 ++ die("Seek to %d failed: %s\n",
40792 ++ ehdr.e_phoff, strerror(errno));
40793 ++ }
40794 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
40795 ++ die("Cannot read ELF program headers: %s\n",
40796 ++ strerror(errno));
40797 ++ }
40798 ++ for(i = 0; i < ehdr.e_phnum; i++) {
40799 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
40800 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
40801 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
40802 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
40803 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
40804 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
40805 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
40806 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
40807 ++ }
40808 ++
40809 ++}
40810 ++
40811 + static void read_shdrs(FILE *fp)
40812 + {
40813 + int i;
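Review bot: the `die()` message in `read_phdrs()` reads backwards: `die("%d program headers supported: %d\n", ehdr.e_phnum, MAX_PHDRS)` prints the count found first and the limit second, so the output claims the wrong number is "supported". Swap the arguments or reword to `"%d program headers, only %d supported"`. Also validate `ehdr.e_phentsize == sizeof(Elf32_Phdr)` before `fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp)`, since the read assumes the on-disk entry size matches the host struct.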
40814 +@@ -330,6 +362,8 @@ static void read_symtabs(FILE *fp)
40815 + static void read_relocs(FILE *fp)
40816 + {
40817 + int i,j;
40818 ++ uint32_t base;
40819 ++
40820 + for(i = 0; i < ehdr.e_shnum; i++) {
40821 + if (shdr[i].sh_type != SHT_REL) {
40822 + continue;
40823 +@@ -347,8 +381,17 @@ static void read_relocs(FILE *fp)
40824 + die("Cannot read symbol table: %s\n",
40825 + strerror(errno));
40826 + }
40827 ++ base = 0;
40828 ++ for (j = 0; j < ehdr.e_phnum; j++) {
40829 ++ if (phdr[j].p_type != PT_LOAD )
40830 ++ continue;
40831 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
40832 ++ continue;
40833 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
40834 ++ break;
40835 ++ }
40836 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
40837 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
40838 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
40839 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
40840 + }
40841 + }
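Review bot: a relocation section whose target section is not covered by any `PT_LOAD` segment silently gets `base = 0`, so its `r_offset` values are emitted unadjusted and nothing reports it. Make the fall-through a `die()` (or at least a warning naming the section), and tighten the containment test: `sh_offset > p_offset + p_filesz` should be `>=`, since an offset exactly at `p_offset + p_filesz` lies outside the segment's file bytes. The `CONFIG_PAGE_OFFSET + p_paddr - p_vaddr` formula also deserves a one-line comment stating that it translates the section's link address into the address the kernel will run at.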
40842 +@@ -485,6 +528,27 @@ static void walk_relocs(void (*visit)(El
40843 + if (sym->st_shndx == SHN_ABS) {
40844 + continue;
40845 + }
40846 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
40847 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
40848 ++ continue;
40849 ++ }
40850 ++#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
40851 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
40852 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
40853 ++ continue;
40854 ++ }
40855 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
40856 ++ continue;
40857 ++ }
40858 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head")) {
40859 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
40860 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET"))
40861 ++ continue;
40862 ++ }
40863 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
40864 ++ continue;
40865 ++ }
40866 ++#endif
40867 + if (r_type == R_386_PC32) {
40868 + /* PC relative relocations don't need to be adjusted */
40869 + }
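Review bot: the per-cpu exclusion is correct but easy to misread: `strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)` is non-zero for names that do not start with `__per_cpu_`, so only the `__per_cpu_*` bracket symbols in `.data.percpu` keep getting relocated; reword the comment to say exactly that. In the KERNEXEC block, compute `sec_name(sym->st_shndx)` once into a local instead of calling it in five successive `strcmp()`s, and explain why `__init_end` and `KERNEL_TEXT_OFFSET` are the two `.text.head` symbols that still need relocation while everything else in the text sections is covered by the `KERNEL_CS` base.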
40870 +@@ -612,6 +676,7 @@ int main(int argc, char **argv)
40871 + fname, strerror(errno));
40872 + }
40873 + read_ehdr(fp);
40874 ++ read_phdrs(fp);
40875 + read_shdrs(fp);
40876 + read_strtabs(fp);
40877 + read_symtabs(fp);
40878 +diff -urNp linux-2.6.24.5/arch/x86/boot/cpucheck.c linux-2.6.24.5/arch/x86/boot/cpucheck.c
40879 +--- linux-2.6.24.5/arch/x86/boot/cpucheck.c 2008-03-24 14:49:18.000000000 -0400
40880 ++++ linux-2.6.24.5/arch/x86/boot/cpucheck.c 2008-03-26 20:21:07.000000000 -0400
40881 +@@ -84,7 +84,7 @@ static int has_fpu(void)
40882 + u16 fcw = -1, fsw = -1;
40883 + u32 cr0;
40884 +
40885 +- asm("movl %%cr0,%0" : "=r" (cr0));
40886 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
40887 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
40888 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
40889 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
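Review bot: reading `%cr0` is a case where `volatile` genuinely matters, and the reason should be stated: `has_fpu()` reads `cr0`, writes it back with `movl %0,%%cr0` a few lines later, and the compiler has no way to see that the write changes what the read returns, so without `volatile` it may hoist or merge the read. One comment here can cover the whole family of `cr0`, `eflags`, `cpuid` and `rdmsr` changes in this file.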
40890 +@@ -100,7 +100,7 @@ static int has_eflag(u32 mask)
40891 + {
40892 + u32 f0, f1;
40893 +
40894 +- asm("pushfl ; "
40895 ++ asm volatile("pushfl ; "
40896 + "pushfl ; "
40897 + "popl %0 ; "
40898 + "movl %0,%1 ; "
40899 +@@ -125,7 +125,7 @@ static void get_flags(void)
40900 + set_bit(X86_FEATURE_FPU, cpu.flags);
40901 +
40902 + if (has_eflag(X86_EFLAGS_ID)) {
40903 +- asm("cpuid"
40904 ++ asm volatile("cpuid"
40905 + : "=a" (max_intel_level),
40906 + "=b" (cpu_vendor[0]),
40907 + "=d" (cpu_vendor[1]),
40908 +@@ -134,7 +134,7 @@ static void get_flags(void)
40909 +
40910 + if (max_intel_level >= 0x00000001 &&
40911 + max_intel_level <= 0x0000ffff) {
40912 +- asm("cpuid"
40913 ++ asm volatile("cpuid"
40914 + : "=a" (tfms),
40915 + "=c" (cpu.flags[4]),
40916 + "=d" (cpu.flags[0])
40917 +@@ -146,7 +146,7 @@ static void get_flags(void)
40918 + cpu.model += ((tfms >> 16) & 0xf) << 4;
40919 + }
40920 +
40921 +- asm("cpuid"
40922 ++ asm volatile("cpuid"
40923 + : "=a" (max_amd_level)
40924 + : "a" (0x80000000)
40925 + : "ebx", "ecx", "edx");
40926 +@@ -154,7 +154,7 @@ static void get_flags(void)
40927 + if (max_amd_level >= 0x80000001 &&
40928 + max_amd_level <= 0x8000ffff) {
40929 + u32 eax = 0x80000001;
40930 +- asm("cpuid"
40931 ++ asm volatile("cpuid"
40932 + : "+a" (eax),
40933 + "=c" (cpu.flags[6]),
40934 + "=d" (cpu.flags[1])
40935 +@@ -213,9 +213,9 @@ int check_cpu(int *cpu_level_ptr, int *r
40936 + u32 ecx = MSR_K7_HWCR;
40937 + u32 eax, edx;
40938 +
40939 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40940 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40941 + eax &= ~(1 << 15);
40942 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40943 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40944 +
40945 + get_flags(); /* Make sure it really did something */
40946 + err = check_flags();
40947 +@@ -228,9 +228,9 @@ int check_cpu(int *cpu_level_ptr, int *r
40948 + u32 ecx = MSR_VIA_FCR;
40949 + u32 eax, edx;
40950 +
40951 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40952 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40953 + eax |= (1<<1)|(1<<7);
40954 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40955 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40956 +
40957 + set_bit(X86_FEATURE_CX8, cpu.flags);
40958 + err = check_flags();
40959 +@@ -241,12 +241,12 @@ int check_cpu(int *cpu_level_ptr, int *r
40960 + u32 eax, edx;
40961 + u32 level = 1;
40962 +
40963 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40964 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
40965 +- asm("cpuid"
40966 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
40967 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
40968 ++ asm volatile("cpuid"
40969 + : "+a" (level), "=d" (cpu.flags[0])
40970 + : : "ecx", "ebx");
40971 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40972 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
40973 +
40974 + err = check_flags();
40975 + }
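Review bot: this is the hunk where `volatile` on `cpuid` is actually load-bearing, and that belongs in a comment: the `cpuid` result depends on the preceding `wrmsr` of `~0`, but the asm's constraints only mention `level` and `cpu.flags[0]`, so without `volatile` the compiler is free to schedule the `cpuid` before the `wrmsr` and read the unmodified feature bits. The two `wrmsr` statements have no outputs and were therefore already implicitly volatile; adding the keyword there is documentation only.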
40976 +diff -urNp linux-2.6.24.5/arch/x86/boot/edd.c linux-2.6.24.5/arch/x86/boot/edd.c
40977 +--- linux-2.6.24.5/arch/x86/boot/edd.c 2008-03-24 14:49:18.000000000 -0400
40978 ++++ linux-2.6.24.5/arch/x86/boot/edd.c 2008-03-26 20:21:07.000000000 -0400
40979 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
40980 + ax = 0x4100;
40981 + bx = EDDMAGIC1;
40982 + dx = devno;
40983 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
40984 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
40985 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
40986 + : : "esi", "edi");
40987 +
40988 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
40989 + ei->params.length = sizeof(ei->params);
40990 + ax = 0x4800;
40991 + dx = devno;
40992 +- asm("pushfl; int $0x13; popfl"
40993 ++ asm volatile("pushfl; int $0x13; popfl"
40994 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
40995 + : "S" (&ei->params)
40996 + : "ebx", "ecx", "edi");
40997 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
40998 + ax = 0x0800;
40999 + dx = devno;
41000 + di = 0;
41001 +- asm("pushw %%es; "
41002 ++ asm volatile("pushw %%es; "
41003 + "movw %%di,%%es; "
41004 + "pushfl; stc; int $0x13; setc %%al; popfl; "
41005 + "popw %%es"
41006 +diff -urNp linux-2.6.24.5/arch/x86/boot/main.c linux-2.6.24.5/arch/x86/boot/main.c
41007 +--- linux-2.6.24.5/arch/x86/boot/main.c 2008-03-24 14:49:18.000000000 -0400
41008 ++++ linux-2.6.24.5/arch/x86/boot/main.c 2008-03-26 20:21:07.000000000 -0400
41009 +@@ -75,7 +75,7 @@ static void keyboard_set_repeat(void)
41010 + */
41011 + static void query_ist(void)
41012 + {
41013 +- asm("int $0x15"
41014 ++ asm volatile("int $0x15"
41015 + : "=a" (boot_params.ist_info.signature),
41016 + "=b" (boot_params.ist_info.command),
41017 + "=c" (boot_params.ist_info.event),
41018 +diff -urNp linux-2.6.24.5/arch/x86/boot/mca.c linux-2.6.24.5/arch/x86/boot/mca.c
41019 +--- linux-2.6.24.5/arch/x86/boot/mca.c 2008-03-24 14:49:18.000000000 -0400
41020 ++++ linux-2.6.24.5/arch/x86/boot/mca.c 2008-03-26 20:21:07.000000000 -0400
41021 +@@ -21,7 +21,7 @@ int query_mca(void)
41022 + u8 err;
41023 + u16 es, bx, len;
41024 +
41025 +- asm("pushw %%es ; "
41026 ++ asm volatile("pushw %%es ; "
41027 + "int $0x15 ; "
41028 + "setc %0 ; "
41029 + "movw %%es, %1 ; "
41030 +diff -urNp linux-2.6.24.5/arch/x86/boot/memory.c linux-2.6.24.5/arch/x86/boot/memory.c
41031 +--- linux-2.6.24.5/arch/x86/boot/memory.c 2008-03-24 14:49:18.000000000 -0400
41032 ++++ linux-2.6.24.5/arch/x86/boot/memory.c 2008-03-26 20:21:07.000000000 -0400
41033 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
41034 + /* Important: %edx is clobbered by some BIOSes,
41035 + so it must be either used for the error output
41036 + or explicitly marked clobbered. */
41037 +- asm("int $0x15; setc %0"
41038 ++ asm volatile("int $0x15; setc %0"
41039 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
41040 + "=m" (*desc)
41041 + : "D" (desc), "d" (SMAP), "a" (0xe820));
41042 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
41043 +
41044 + bx = cx = dx = 0;
41045 + ax = 0xe801;
41046 +- asm("stc; int $0x15; setc %0"
41047 ++ asm volatile("stc; int $0x15; setc %0"
41048 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
41049 +
41050 + if (err)
41051 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
41052 + u8 err;
41053 +
41054 + ax = 0x8800;
41055 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
41056 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
41057 +
41058 + boot_params.screen_info.ext_mem_k = ax;
41059 +
41060 +diff -urNp linux-2.6.24.5/arch/x86/boot/video.c linux-2.6.24.5/arch/x86/boot/video.c
41061 +--- linux-2.6.24.5/arch/x86/boot/video.c 2008-03-24 14:49:18.000000000 -0400
41062 ++++ linux-2.6.24.5/arch/x86/boot/video.c 2008-03-26 20:21:07.000000000 -0400
41063 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
41064 +
41065 + ax = 0x0300;
41066 + bx = 0;
41067 +- asm(INT10
41068 ++ asm volatile(INT10
41069 + : "=d" (curpos), "+a" (ax), "+b" (bx)
41070 + : : "ecx", "esi", "edi");
41071 +
41072 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
41073 + /* N.B.: the saving of the video page here is a bit silly,
41074 + since we pretty much assume page 0 everywhere. */
41075 + ax = 0x0f00;
41076 +- asm(INT10
41077 ++ asm volatile(INT10
41078 + : "+a" (ax), "=b" (page)
41079 + : : "ecx", "edx", "esi", "edi");
41080 +
41081 +diff -urNp linux-2.6.24.5/arch/x86/boot/video-vesa.c linux-2.6.24.5/arch/x86/boot/video-vesa.c
41082 +--- linux-2.6.24.5/arch/x86/boot/video-vesa.c 2008-03-24 14:49:18.000000000 -0400
41083 ++++ linux-2.6.24.5/arch/x86/boot/video-vesa.c 2008-03-26 20:21:07.000000000 -0400
41084 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
41085 +
41086 + ax = 0x4f00;
41087 + di = (size_t)&vginfo;
41088 +- asm(INT10
41089 ++ asm volatile(INT10
41090 + : "+a" (ax), "+D" (di), "=m" (vginfo)
41091 + : : "ebx", "ecx", "edx", "esi");
41092 +
41093 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
41094 + ax = 0x4f01;
41095 + cx = mode;
41096 + di = (size_t)&vminfo;
41097 +- asm(INT10
41098 ++ asm volatile(INT10
41099 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
41100 + : : "ebx", "edx", "esi");
41101 +
41102 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
41103 + ax = 0x4f01;
41104 + cx = vesa_mode;
41105 + di = (size_t)&vminfo;
41106 +- asm(INT10
41107 ++ asm volatile(INT10
41108 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
41109 + : : "ebx", "edx", "esi");
41110 +
41111 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
41112 + /* Save the VESA protected mode info */
41113 + static void vesa_store_pm_info(void)
41114 + {
41115 +- u16 ax, bx, di, es;
41116 ++ u16 ax, bx, cx, di, es;
41117 +
41118 + ax = 0x4f0a;
41119 +- bx = di = 0;
41120 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
41121 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
41122 +- : : "ecx", "esi");
41123 ++ bx = cx = di = 0;
41124 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
41125 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
41126 ++ : : "esi");
41127 +
41128 + if (ax != 0x004f)
41129 + return;
41130 +
41131 + boot_params.screen_info.vesapm_seg = es;
41132 + boot_params.screen_info.vesapm_off = di;
41133 ++ boot_params.screen_info.vesapm_size = cx;
41134 + }
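Review bot: this hunk is a functional change hiding among `volatile` edits: it adds a `+c` output and stores it as `boot_params.screen_info.vesapm_size = cx`, but `vesapm_size` is not a field of `struct screen_info` anywhere in this excerpt, so the boot code only compiles if a header hunk elsewhere in the series adds it. Call that out in the description and keep both hunks together. Dropping `"ecx"` from the clobber list is correct once `cx` is an in/out operand.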
41135 +
41136 + /*
41137 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
41138 + /* Note: The VBE DDC spec is different from the main VESA spec;
41139 + we genuinely have to assume all registers are destroyed here. */
41140 +
41141 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
41142 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
41143 + : "+a" (ax), "+b" (bx)
41144 + : "c" (cx), "D" (di)
41145 + : "esi");
41146 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
41147 + cx = 0; /* Controller 0 */
41148 + dx = 0; /* EDID block number */
41149 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
41150 +- asm(INT10
41151 ++ asm volatile(INT10
41152 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
41153 + : "c" (cx), "D" (di)
41154 + : "esi");
41155 +diff -urNp linux-2.6.24.5/arch/x86/boot/video-vga.c linux-2.6.24.5/arch/x86/boot/video-vga.c
41156 +--- linux-2.6.24.5/arch/x86/boot/video-vga.c 2008-03-24 14:49:18.000000000 -0400
41157 ++++ linux-2.6.24.5/arch/x86/boot/video-vga.c 2008-03-26 20:21:07.000000000 -0400
41158 +@@ -225,7 +225,7 @@ static int vga_probe(void)
41159 + };
41160 + u8 vga_flag;
41161 +
41162 +- asm(INT10
41163 ++ asm volatile(INT10
41164 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
41165 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
41166 + : "ecx", "edx", "esi", "edi");
41167 +@@ -233,7 +233,7 @@ static int vga_probe(void)
41168 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
41169 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
41170 + /* EGA/VGA */
41171 +- asm(INT10
41172 ++ asm volatile(INT10
41173 + : "=a" (vga_flag)
41174 + : "a" (0x1a00)
41175 + : "ebx", "ecx", "edx", "esi", "edi");
41176 +diff -urNp linux-2.6.24.5/arch/x86/boot/voyager.c linux-2.6.24.5/arch/x86/boot/voyager.c
41177 +--- linux-2.6.24.5/arch/x86/boot/voyager.c 2008-03-24 14:49:18.000000000 -0400
41178 ++++ linux-2.6.24.5/arch/x86/boot/voyager.c 2008-03-26 20:21:07.000000000 -0400
41179 +@@ -27,7 +27,7 @@ int query_voyager(void)
41180 +
41181 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
41182 +
41183 +- asm("pushw %%es ; "
41184 ++ asm volatile("pushw %%es ; "
41185 + "int $0x15 ; "
41186 + "setc %0 ; "
41187 + "movw %%es, %1 ; "
41188 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c
41189 +--- linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c 2008-03-24 14:49:18.000000000 -0400
41190 ++++ linux-2.6.24.5/arch/x86/ia32/ia32_binfmt.c 2008-03-26 20:21:07.000000000 -0400
41191 +@@ -47,12 +47,12 @@
41192 + #define AT_SYSINFO 32
41193 + #define AT_SYSINFO_EHDR 33
41194 +
41195 +-int sysctl_vsyscall32 = 1;
41196 ++int sysctl_vsyscall32;
41197 +
41198 + #undef ARCH_DLINFO
41199 + #define ARCH_DLINFO do { \
41200 + if (sysctl_vsyscall32) { \
41201 +- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
41202 ++ current->mm->context.vdso = VSYSCALL32_BASE; \
41203 + NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
41204 + NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
41205 + } \
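Review bot: flipping `sysctl_vsyscall32` from 1 to 0 changes the default ABI for 32-bit tasks: `ARCH_DLINFO` then omits `AT_SYSINFO` and `AT_SYSINFO_EHDR`, so compat binaries fall back to `int $0x80` and lose the fixed-address vsyscall page. That is the intended hardening, but it is user-visible and needs a changelog line saying the old behaviour is restored through the `abi.vsyscall32` sysctl registered further down in this file. The second change, dropping the `(void *)` cast from `current->mm->context.vdso = VSYSCALL32_BASE`, only compiles if `context.vdso` is no longer a pointer; the hunk changing its type is not in this part of the series, so keep the two together.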
41206 +@@ -66,6 +66,17 @@ struct file;
41207 +
41208 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
41209 +
41210 ++#ifdef CONFIG_PAX_ASLR
41211 ++#undef PAX_ELF_ET_DYN_BASE
41212 ++#undef PAX_DELTA_MMAP_LEN
41213 ++#undef PAX_DELTA_STACK_LEN
41214 ++
41215 ++#define PAX_ELF_ET_DYN_BASE 0x08048000UL
41216 ++
41217 ++#define PAX_DELTA_MMAP_LEN 16
41218 ++#define PAX_DELTA_STACK_LEN 16
41219 ++#endif
41220 ++
41221 + #define jiffies_to_timeval(a,b) do { (b)->tv_usec = 0; (b)->tv_sec = (a)/HZ; }while(0)
41222 +
41223 + #define _GET_SEG(x) \
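Review bot: the three `#undef`s show these macros get defaults elsewhere and are overridden here, yet no comment says why compat tasks use `PAX_ELF_ET_DYN_BASE 0x08048000UL` (the classic i386 ET_EXEC load address) instead of the `ELF_ET_DYN_BASE` computed just above from `TASK_UNMAPPED_BASE`, or why `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are 16 bits each. Record the reasoning next to the defines; presumably the 32-bit address space caps usable randomisation and placing PIE images at the ET_EXEC base keeps the layout close to what a non-PIE compat binary sees.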
41224 +@@ -263,7 +274,7 @@ static ctl_table abi_table2[] = {
41225 + .mode = 0644,
41226 + .proc_handler = proc_dointvec
41227 + },
41228 +- {}
41229 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41230 + };
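Review bot: replacing `{}` with `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` hard-codes the field count of `ctl_table` into this file; the next time a member is added or removed the sentinel stops compiling, or worse, positionally initialises the wrong member. If the aim is to silence a missing-field-initializers warning, use a designated initializer such as `{ .ctl_name = 0 }` or keep `{}`; the same applies to the `abi_root_table2` sentinel in the next hunk.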
41231 +
41232 + static ctl_table abi_root_table2[] = {
41233 +@@ -273,7 +284,7 @@ static ctl_table abi_root_table2[] = {
41234 + .mode = 0555,
41235 + .child = abi_table2
41236 + },
41237 +- {}
41238 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
41239 + };
41240 +
41241 + static __init int ia32_binfmt_init(void)
41242 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ia32_signal.c linux-2.6.24.5/arch/x86/ia32/ia32_signal.c
41243 +--- linux-2.6.24.5/arch/x86/ia32/ia32_signal.c 2008-03-24 14:49:18.000000000 -0400
41244 ++++ linux-2.6.24.5/arch/x86/ia32/ia32_signal.c 2008-03-26 20:21:07.000000000 -0400
41245 +@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
41246 + __NR_ia32_rt_sigreturn,
41247 + 0x80cd,
41248 + 0,
41249 ++ 0
41250 + };
41251 + err |= __copy_to_user(frame->retcode, &code, 8);
41252 + }
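Review bot: the added trailing `0` only completes the initializer of the `code` struct for its last member; it changes no bytes, since a missing member of a static initializer is zero anyway, and the `__copy_to_user(frame->retcode, &code, 8)` below still copies exactly 8 bytes. Fine as a warning fix, but say so in the changelog so it does not read as a behaviour change.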
41253 +diff -urNp linux-2.6.24.5/arch/x86/ia32/mmap32.c linux-2.6.24.5/arch/x86/ia32/mmap32.c
41254 +--- linux-2.6.24.5/arch/x86/ia32/mmap32.c 2008-03-24 14:49:18.000000000 -0400
41255 ++++ linux-2.6.24.5/arch/x86/ia32/mmap32.c 2008-03-26 20:21:07.000000000 -0400
41256 +@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
41257 + (current->personality & ADDR_COMPAT_LAYOUT) ||
41258 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
41259 + mm->mmap_base = TASK_UNMAPPED_BASE;
41260 ++
41261 ++#ifdef CONFIG_PAX_RANDMMAP
41262 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
41263 ++ mm->mmap_base += mm->delta_mmap;
41264 ++#endif
41265 ++
41266 + mm->get_unmapped_area = arch_get_unmapped_area;
41267 + mm->unmap_area = arch_unmap_area;
41268 + } else {
41269 + mm->mmap_base = mmap_base(mm);
41270 ++
41271 ++#ifdef CONFIG_PAX_RANDMMAP
41272 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
41273 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
41274 ++#endif
41275 ++
41276 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
41277 + mm->unmap_area = arch_unmap_area_topdown;
41278 + }
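Review bot: the top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mmap_base(mm)` while the bottom-up branch adds only `mm->delta_mmap`; the asymmetry looks deliberate (the gap `mmap_base()` reserves below the stack must also absorb the randomised stack), but nothing in the hunk says so, and `mmap_base()` is outside this excerpt, so the reader cannot tell whether it already accounts for `delta_stack`. Add a comment at the subtraction stating the invariant it preserves, and confirm `mmap_base()` was not also changed to include `delta_stack`, which would double-count it.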
41279 +diff -urNp linux-2.6.24.5/arch/x86/ia32/ptrace32.c linux-2.6.24.5/arch/x86/ia32/ptrace32.c
41280 +--- linux-2.6.24.5/arch/x86/ia32/ptrace32.c 2008-03-24 14:49:18.000000000 -0400
41281 ++++ linux-2.6.24.5/arch/x86/ia32/ptrace32.c 2008-03-26 20:21:07.000000000 -0400
41282 +@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
41283 + /* no checking to be bug-to-bug compatible with i386. */
41284 + /* but silence warning */
41285 + if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
41286 +- ;
41287 ++ {}
41288 + set_stopped_child_used_math(child);
41289 + child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
41290 + ret = 0;
41291 +diff -urNp linux-2.6.24.5/arch/x86/ia32/syscall32.c linux-2.6.24.5/arch/x86/ia32/syscall32.c
41292 +--- linux-2.6.24.5/arch/x86/ia32/syscall32.c 2008-03-24 14:49:18.000000000 -0400
41293 ++++ linux-2.6.24.5/arch/x86/ia32/syscall32.c 2008-03-26 20:21:07.000000000 -0400
41294 +@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
41295 + struct mm_struct *mm = current->mm;
41296 + int ret;
41297 +
41298 ++ if (!sysctl_vsyscall32)
41299 ++ return 0;
41300 ++
41301 + down_write(&mm->mmap_sem);
41302 + /*
41303 + * MAYWRITE to allow gdb to COW and set breakpoints
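Review bot: the early `return 0` when `!sysctl_vsyscall32` is consistent with `ARCH_DLINFO` skipping `AT_SYSINFO`, but the two reads of `sysctl_vsyscall32` happen at different points of the same `execve()` and the sysctl is writable at runtime, so a toggle between `syscall32_setup_pages()` and the auxv setup can yield a task whose `AT_SYSINFO` points at a page that was never mapped, or a mapped page with no auxv entry. Snapshot the value once per exec (for example in `mm->context`) and have both sites use the snapshot.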
41304 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig linux-2.6.24.5/arch/x86/Kconfig
41305 +--- linux-2.6.24.5/arch/x86/Kconfig 2008-03-24 14:49:18.000000000 -0400
41306 ++++ linux-2.6.24.5/arch/x86/Kconfig 2008-03-26 20:21:07.000000000 -0400
41307 +@@ -792,7 +792,7 @@ config PAGE_OFFSET
41308 + hex
41309 + default 0xB0000000 if VMSPLIT_3G_OPT
41310 + default 0x80000000 if VMSPLIT_2G
41311 +- default 0x78000000 if VMSPLIT_2G_OPT
41312 ++ default 0x70000000 if VMSPLIT_2G_OPT
41313 + default 0x40000000 if VMSPLIT_1G
41314 + default 0xC0000000
41315 + depends on X86_32
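Review bot: changing `VMSPLIT_2G_OPT` from `0x78000000` to `0x70000000` gives that split 128 MB less user address space, and the hunk offers no reason; the choice prompt (outside this excerpt) still advertises the option as a 2G/2G split. State the motivation in the Kconfig help and in the changelog so distributions carrying this patch know why their `PAGE_OFFSET` differs from mainline.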
41316 +@@ -1096,8 +1096,7 @@ config CRASH_DUMP
41317 + config PHYSICAL_START
41318 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
41319 + default "0x1000000" if X86_NUMAQ
41320 +- default "0x200000" if X86_64
41321 +- default "0x100000"
41322 ++ default "0x200000"
41323 + help
41324 + This gives the physical address where the kernel is loaded.
41325 +
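Review bot: collapsing the two defaults to `default "0x200000"` moves the i386 default load address from 1 MB to 2 MB. That is presumably for 2 MB alignment of the kernel image, but it is a silent change for every 32-bit config that inherits the default and for anything (kdump layouts, boot loader assumptions) written around `0x100000`; put the rationale in the help text below and mention the change in the changelog.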
41326 +@@ -1190,8 +1189,8 @@ config HOTPLUG_CPU
41327 +
41328 + config COMPAT_VDSO
41329 + bool "Compat VDSO support"
41330 +- default y
41331 +- depends on X86_32
41332 ++ default n
41333 ++ depends on X86_32 && !PAX_NOEXEC
41334 + help
41335 + Map the VDSO to the predictable old-style address too.
41336 + ---help---
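Review bot: `depends on X86_32 && !PAX_NOEXEC` is the right call, because the compat VDSO is a page of executable code at a fixed, predictable address, exactly what NOEXEC and ASLR exist to deny an attacker; say so in the help text rather than leaving the dependency unexplained. `default n` is already the implicit default for a bool and can be dropped.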
41337 +@@ -1387,7 +1386,7 @@ config PCI
41338 + choice
41339 + prompt "PCI access mode"
41340 + depends on X86_32 && PCI && !X86_VISWS
41341 +- default PCI_GOANY
41342 ++ default PCI_GODIRECT
41343 + ---help---
41344 + On PCI systems, the BIOS can be used to detect the PCI devices and
41345 + determine their configuration. However, some old PCI motherboards
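Review bot: changing the default from `PCI_GOANY` to `PCI_GODIRECT` drops the BIOS fallback for PCI configuration access on 32-bit, and no reason is given. If the motivation is to avoid executing BIOS code from the kernel (which a hardened kernel has good reason to avoid), say so in the help text; otherwise users of boards that need the PCBIOS path will see missing devices with no hint why.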
41346 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig.cpu linux-2.6.24.5/arch/x86/Kconfig.cpu
41347 +--- linux-2.6.24.5/arch/x86/Kconfig.cpu 2008-03-24 14:49:18.000000000 -0400
41348 ++++ linux-2.6.24.5/arch/x86/Kconfig.cpu 2008-03-26 20:21:16.000000000 -0400
41349 +@@ -328,7 +328,7 @@ config X86_PPRO_FENCE
41350 +
41351 + config X86_F00F_BUG
41352 + bool
41353 +- depends on M586MMX || M586TSC || M586 || M486 || M386
41354 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
41355 + default y
41356 +
41357 + config X86_WP_WORKS_OK
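Review bot: making `X86_F00F_BUG` depend on `!PAX_KERNEXEC` means a KERNEXEC kernel on an affected Pentium ships without the F00F workaround, so an unprivileged user can hang the machine with the lock-prefixed `cmpxchg8b` sequence. If KERNEXEC's handling of the IDT is what conflicts with the workaround, the `PAX_KERNEXEC` help text should state that trade-off plainly so people building for old hardware can choose.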
41358 +@@ -353,7 +353,7 @@ config X86_POPAD_OK
41359 +
41360 + config X86_ALIGNMENT_16
41361 + bool
41362 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
41363 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
41364 + default y
41365 +
41366 + config X86_GOOD_APIC
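Review bot: adding `MK8`, `MK7`, `MCORE2`, `MPENTIUM4`, `MPENTIUMIII`, `MPENTIUMII` and `M686` to `X86_ALIGNMENT_16` changes the alignment flags the build selects for every modern CPU choice, has no obvious connection to the rest of the patch, and comes with no explanation; the upstream list deliberately limits this symbol to CPUs that need it. Either drop the change or add a comment tying it to whatever KERNEXEC or the relocation tool requires.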
41367 +@@ -390,7 +390,7 @@ config X86_TSC
41368 + # generates cmov.
41369 + config X86_CMOV
41370 + bool
41371 +- depends on (MK7 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7)
41372 ++ depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7)
41373 + default y
41374 +
41375 + config X86_MINIMUM_CPU_FAMILY
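Review bot: adding `MK8` and `MCORE2` to `X86_CMOV` is a correctness fix (both families implement `cmov`) rather than a hardening change and could go upstream on its own; mention in the changelog that it only affects which CPU selections let the kernel assume `cmov`.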
41376 +diff -urNp linux-2.6.24.5/arch/x86/Kconfig.debug linux-2.6.24.5/arch/x86/Kconfig.debug
41377 +--- linux-2.6.24.5/arch/x86/Kconfig.debug 2008-03-24 14:49:18.000000000 -0400
41378 ++++ linux-2.6.24.5/arch/x86/Kconfig.debug 2008-03-26 20:21:07.000000000 -0400
41379 +@@ -49,7 +49,7 @@ config DEBUG_PAGEALLOC
41380 +
41381 + config DEBUG_RODATA
41382 + bool "Write protect kernel read-only data structures"
41383 +- depends on DEBUG_KERNEL
41384 ++ depends on DEBUG_KERNEL && BROKEN
41385 + help
41386 + Mark the kernel read-only data as write-protected in the pagetables,
41387 + in order to catch accidental (and incorrect) writes to such const
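Review bot: `depends on DEBUG_KERNEL && BROKEN` hides `DEBUG_RODATA` from every configuration, including ones built without PaX that still want read-only kernel data. If the option conflicts with KERNEXEC's own read-only text and rodata, express that as `depends on DEBUG_KERNEL && !PAX_KERNEXEC` and keep it available otherwise; `BROKEN` also tells the user nothing about why.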
41388 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/boot.c linux-2.6.24.5/arch/x86/kernel/acpi/boot.c
41389 +--- linux-2.6.24.5/arch/x86/kernel/acpi/boot.c 2008-03-24 14:49:18.000000000 -0400
41390 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/boot.c 2008-03-26 20:21:07.000000000 -0400
41391 +@@ -1155,7 +1155,7 @@ static struct dmi_system_id __initdata a
41392 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
41393 + },
41394 + },
41395 +- {}
41396 ++ { NULL, NULL, {{0, NULL}}, NULL}
41397 + };
41398 +
41399 + #endif /* __i386__ */
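Review bot: `{ NULL, NULL, {{0, NULL}}, NULL}` hard-codes the layout of `struct dmi_system_id` (callback, ident, matches, driver_data) and of `struct dmi_strmatch` into this table's terminator; any change to either struct breaks it silently. Keep `{}` or use a designated `{ .ident = NULL }` sentinel; the same comment applies to the identical hunk in `acpi/sleep_32.c`.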
41400 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c
41401 +--- linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c 2008-03-24 14:49:18.000000000 -0400
41402 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/sleep_32.c 2008-03-26 20:21:07.000000000 -0400
41403 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
41404 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
41405 + },
41406 + },
41407 +- {}
41408 ++ { NULL, NULL, {{0, NULL}}, NULL}
41409 + };
41410 +
41411 + static int __init acpisleep_dmi_init(void)
41412 +diff -urNp linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S
41413 +--- linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S 2008-03-24 14:49:18.000000000 -0400
41414 ++++ linux-2.6.24.5/arch/x86/kernel/acpi/wakeup_32.S 2008-03-26 20:21:07.000000000 -0400
41415 +@@ -2,6 +2,7 @@
41416 + #include <linux/linkage.h>
41417 + #include <asm/segment.h>
41418 + #include <asm/page.h>
41419 ++#include <asm/msr-index.h>
41420 +
41421 + #
41422 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
41423 +@@ -79,7 +80,7 @@ wakeup_code:
41424 + # restore efer setting
41425 + movl real_save_efer_edx - wakeup_code, %edx
41426 + movl real_save_efer_eax - wakeup_code, %eax
41427 +- mov $0xc0000080, %ecx
41428 ++ mov $MSR_EFER, %ecx
41429 + wrmsr
41430 + 4:
41431 + # make sure %cr4 is set correctly (features, etc)
41432 +@@ -196,13 +197,11 @@ wakeup_pmode_return:
41433 + # and restore the stack ... but you need gdt for this to work
41434 + movl saved_context_esp, %esp
41435 +
41436 +- movl %cs:saved_magic, %eax
41437 +- cmpl $0x12345678, %eax
41438 ++ cmpl $0x12345678, saved_magic
41439 + jne bogus_magic
41440 +
41441 + # jump to place where we left off
41442 +- movl saved_eip,%eax
41443 +- jmp *%eax
41444 ++ jmp *(saved_eip)
41445 +
41446 + bogus_magic:
41447 + jmp bogus_magic
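Review bot: dropping the `%cs:` override in `cmpl $0x12345678, saved_magic` is safe only because `%ds` is already usable at this point, and the hunk relies on the reader noticing that the unchanged `movl saved_context_esp, %esp` two lines earlier is already a `%ds`-relative access. Say so in a comment so nobody restores the `%cs:` form or moves this check earlier without re-checking the segment state. `jmp *(saved_eip)` through memory is equivalent to the load-then-jump pair it replaces.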
41448 +@@ -233,7 +232,7 @@ ENTRY(acpi_copy_wakeup_routine)
41449 + # save efer setting
41450 + pushl %eax
41451 + movl %eax, %ebx
41452 +- mov $0xc0000080, %ecx
41453 ++ mov $MSR_EFER, %ecx
41454 + rdmsr
41455 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
41456 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
41457 +diff -urNp linux-2.6.24.5/arch/x86/kernel/alternative.c linux-2.6.24.5/arch/x86/kernel/alternative.c
41458 +--- linux-2.6.24.5/arch/x86/kernel/alternative.c 2008-03-24 14:49:18.000000000 -0400
41459 ++++ linux-2.6.24.5/arch/x86/kernel/alternative.c 2008-03-26 20:21:07.000000000 -0400
41460 +@@ -389,7 +389,7 @@ void apply_paravirt(struct paravirt_patc
41461 +
41462 + BUG_ON(p->len > MAX_PATCH_LEN);
41463 + /* prep the buffer with the original instructions */
41464 +- memcpy(insnbuf, p->instr, p->len);
41465 ++ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
41466 + used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
41467 + (unsigned long)p->instr, p->len);
41468 +
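Review bot: `ktla_ktva(p->instr)` is applied to the source of the `memcpy()` but not to the `(unsigned long)p->instr` passed to `pv_init_ops.patch()` on the next line, and nothing in this hunk explains the asymmetry (the macro is not defined in this excerpt). Add a comment stating that the copy needs a readable virtual address for the bytes while the patcher needs the address the code executes at, so the next reader does not "fix" one to match the other.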
41469 +@@ -467,7 +467,19 @@ void __init alternative_instructions(voi
41470 + */
41471 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
41472 + {
41473 +- memcpy(addr, opcode, len);
41474 ++
41475 ++#ifdef CONFIG_PAX_KERNEXEC
41476 ++ unsigned long cr0;
41477 ++
41478 ++ pax_open_kernel(cr0);
41479 ++#endif
41480 ++
41481 ++ memcpy(ktla_ktva(addr), opcode, len);
41482 ++
41483 ++#ifdef CONFIG_PAX_KERNEXEC
41484 ++ pax_close_kernel(cr0);
41485 ++#endif
41486 ++
41487 + sync_core();
41488 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
41489 + that causes hangs on some VIA CPUs. */
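Review bot: `pax_open_kernel(cr0)` and `pax_close_kernel(cr0)` bracket a `memcpy()` in `text_poke()`, which is `__kprobes` and can be entered with preemption enabled; `cr0` is per-CPU state, so if those macros do not themselves disable preemption (their definitions are not in this excerpt) the task could migrate between open and close, leaving write protection cleared on one CPU and "restored" on another. Confirm the macros disable preemption, or wrap the sequence in `preempt_disable()`/`preempt_enable()` here. Compare the APM hunks later in this patch, where `get_cpu()` already pins the CPU.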
41490 +diff -urNp linux-2.6.24.5/arch/x86/kernel/apm_32.c linux-2.6.24.5/arch/x86/kernel/apm_32.c
41491 +--- linux-2.6.24.5/arch/x86/kernel/apm_32.c 2008-03-24 14:49:18.000000000 -0400
41492 ++++ linux-2.6.24.5/arch/x86/kernel/apm_32.c 2008-03-26 20:21:07.000000000 -0400
41493 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
41494 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
41495 + static struct apm_user * user_list;
41496 + static DEFINE_SPINLOCK(user_list_lock);
41497 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
41498 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
41499 +
41500 + static const char driver_version[] = "1.16ac"; /* no spaces */
41501 +
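Review bot: the only difference between 0x00409200 and 0x00409300 is bit 8 of the high descriptor word, the segment "accessed" bit. Presetting it means the CPU never has to write the GDT entry when the selector is loaded, which would fault once the GDT is read-only under KERNEXEC. That is a non-obvious magic-number change; add a comment naming the bit, or build the value from symbolic descriptor flags so the intent survives.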
41502 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
41503 + struct desc_struct save_desc_40;
41504 + struct desc_struct *gdt;
41505 +
41506 ++#ifdef CONFIG_PAX_KERNEXEC
41507 ++ unsigned long cr0;
41508 ++#endif
41509 ++
41510 + cpus = apm_save_cpus();
41511 +
41512 + cpu = get_cpu();
41513 + gdt = get_cpu_gdt_table(cpu);
41514 + save_desc_40 = gdt[0x40 / 8];
41515 ++
41516 ++#ifdef CONFIG_PAX_KERNEXEC
41517 ++ pax_open_kernel(cr0);
41518 ++#endif
41519 ++
41520 + gdt[0x40 / 8] = bad_bios_desc;
41521 +
41522 ++#ifdef CONFIG_PAX_KERNEXEC
41523 ++ pax_close_kernel(cr0);
41524 ++#endif
41525 ++
41526 + apm_irq_save(flags);
41527 + APM_DO_SAVE_SEGS;
41528 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
41529 + APM_DO_RESTORE_SEGS;
41530 + apm_irq_restore(flags);
41531 ++
41532 ++#ifdef CONFIG_PAX_KERNEXEC
41533 ++ pax_open_kernel(cr0);
41534 ++#endif
41535 ++
41536 + gdt[0x40 / 8] = save_desc_40;
41537 ++
41538 ++#ifdef CONFIG_PAX_KERNEXEC
41539 ++ pax_close_kernel(cr0);
41540 ++#endif
41541 ++
41542 + put_cpu();
41543 + apm_restore_cpus(cpus);
41544 +
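Review bot: four separate `#ifdef CONFIG_PAX_KERNEXEC` blocks to bracket two single-word stores into gdt[0x40 / 8] make this function hard to follow. A small static helper along the lines of `apm_set_desc_40(gdt, &desc)` that does open/store/close would remove the repetition here and in apm_bios_call_simple below, which receives the identical edit. Declaring `cr0` only inside the #ifdef is correct, since a non-KERNEXEC build would otherwise get an unused-variable warning.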
41545 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
41546 + struct desc_struct save_desc_40;
41547 + struct desc_struct *gdt;
41548 +
41549 ++#ifdef CONFIG_PAX_KERNEXEC
41550 ++ unsigned long cr0;
41551 ++#endif
41552 ++
41553 + cpus = apm_save_cpus();
41554 +
41555 + cpu = get_cpu();
41556 + gdt = get_cpu_gdt_table(cpu);
41557 + save_desc_40 = gdt[0x40 / 8];
41558 ++
41559 ++#ifdef CONFIG_PAX_KERNEXEC
41560 ++ pax_open_kernel(cr0);
41561 ++#endif
41562 ++
41563 + gdt[0x40 / 8] = bad_bios_desc;
41564 +
41565 ++#ifdef CONFIG_PAX_KERNEXEC
41566 ++ pax_close_kernel(cr0);
41567 ++#endif
41568 ++
41569 + apm_irq_save(flags);
41570 + APM_DO_SAVE_SEGS;
41571 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
41572 + APM_DO_RESTORE_SEGS;
41573 + apm_irq_restore(flags);
41574 ++
41575 ++#ifdef CONFIG_PAX_KERNEXEC
41576 ++ pax_open_kernel(cr0);
41577 ++#endif
41578 ++
41579 + gdt[0x40 / 8] = save_desc_40;
41580 ++
41581 ++#ifdef CONFIG_PAX_KERNEXEC
41582 ++ pax_close_kernel(cr0);
41583 ++#endif
41584 ++
41585 + put_cpu();
41586 + apm_restore_cpus(cpus);
41587 + return error;
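Review bot: this hunk is a line-for-line copy of the change to apm_bios_call above (save descriptor, open, store bad_bios_desc, close, BIOS call, open, restore, close). Factoring the open/store/close sequence into one helper would halve the ifdef count in both functions and keep them in sync if the descriptor handling changes again.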
41588 +@@ -924,7 +970,7 @@ recalc:
41589 +
41590 + static void apm_power_off(void)
41591 + {
41592 +- unsigned char po_bios_call[] = {
41593 ++ const unsigned char po_bios_call[] = {
41594 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
41595 + 0x8e, 0xd0, /* movw ax,ss */
41596 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
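Review bot: making po_bios_call `const` lets the compiler emit the byte sequence in .rodata instead of building it on the stack on every call, which is the right thing for code that runs at power-off. It is safe provided the remainder of the function (not in the hunk) only reads from the array when copying it into low memory; confirm the copy's source argument compiles without a discarded-qualifier warning against the new type.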
41597 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
41598 + static struct miscdevice apm_device = {
41599 + APM_MINOR_DEV,
41600 + "apm_bios",
41601 +- &apm_bios_fops
41602 ++ &apm_bios_fops,
41603 ++ {NULL, NULL},
41604 ++ NULL,
41605 ++ NULL
41606 + };
41607 +
41608 +
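Review bot: filling struct miscdevice positionally with `{NULL, NULL}, NULL, NULL` to silence the missing-initializer warning ties this initializer to the exact field order of the struct (list, parent, this_device); the next upstream reordering silently misassigns fields. Designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) are warning-free without that fragility. The same applies to mce_log_device in the mce_64.c hunk further down.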
41609 +@@ -2177,7 +2226,7 @@ static struct dmi_system_id __initdata a
41610 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
41611 + },
41612 +
41613 +- { }
41614 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
41615 + };
41616 +
41617 + /*
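Review bot: the explicit terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` is only an end marker because it is bitwise identical to the zero-filled `{ }` it replaces (DMI_NONE is the zero enumerator and the ident pointer stays NULL). That is fine, but it again hard-codes field positions; `{ .ident = NULL }` expresses the intent in one token and is what the acpi-cpufreq hunk below should use as well.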
41618 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
41619 + struct desc_struct *gdt;
41620 + int err;
41621 +
41622 ++#ifdef CONFIG_PAX_KERNEXEC
41623 ++ unsigned long cr0;
41624 ++#endif
41625 ++
41626 + dmi_check_system(apm_dmi_table);
41627 +
41628 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
41629 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
41630 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
41631 + * even though they are called in protected mode.
41632 + */
41633 ++
41634 ++#ifdef CONFIG_PAX_KERNEXEC
41635 ++ pax_open_kernel(cr0);
41636 ++#endif
41637 ++
41638 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
41639 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
41640 +
41641 ++#ifdef CONFIG_PAX_KERNEXEC
41642 ++ pax_close_kernel(cr0);
41643 ++#endif
41644 ++
41645 + /*
41646 + * Set up the long jump entry point to the APM BIOS, which is called
41647 + * from inline assembly.
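Review bot: set_base()/_set_limit() here write into bad_bios_desc, which the earlier hunk in this file shows declared `static const`; the object therefore lives in .rodata, which KERNEXEC maps read-only, and that is the whole reason this pax_open_kernel window exists. Say so in the comment above the calls. Writing through a const object is also something the compiler is entitled to assume never happens, so consider dropping `const` and relying on the permission handling rather than on the cast inside set_base().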
41648 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
41649 + * code to that CPU.
41650 + */
41651 + gdt = get_cpu_gdt_table(0);
41652 ++
41653 ++#ifdef CONFIG_PAX_KERNEXEC
41654 ++ pax_open_kernel(cr0);
41655 ++#endif
41656 ++
41657 + set_base(gdt[APM_CS >> 3],
41658 + __va((unsigned long)apm_info.bios.cseg << 4));
41659 + set_base(gdt[APM_CS_16 >> 3],
41660 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
41661 + set_base(gdt[APM_DS >> 3],
41662 + __va((unsigned long)apm_info.bios.dseg << 4));
41663 +
41664 ++#ifdef CONFIG_PAX_KERNEXEC
41665 ++ pax_close_kernel(cr0);
41666 ++#endif
41667 ++
41668 + apm_proc = create_proc_entry("apm", 0, NULL);
41669 + if (apm_proc)
41670 + apm_proc->proc_fops = &apm_file_ops;
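Review bot: the pax_open_kernel(cr0) opened in the previous hunk, right after `gdt = get_cpu_gdt_table(0);`, is closed here after the third set_base, so a single window covers all three GDT updates; that is the right granularity. Because the open and the close fall in different hunks, neither hunk shows the pair on its own, so a short comment at the open saying where it is closed would help review.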
41671 +diff -urNp linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c
41672 +--- linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c 2008-03-24 14:49:18.000000000 -0400
41673 ++++ linux-2.6.24.5/arch/x86/kernel/asm-offsets_32.c 2008-03-26 20:21:07.000000000 -0400
41674 +@@ -110,6 +110,7 @@ void foo(void)
41675 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
41676 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
41677 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
41678 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
41679 +
41680 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
41681 +
41682 +@@ -125,6 +126,7 @@ void foo(void)
41683 + OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
41684 + OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
41685 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
41686 ++ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
41687 + #endif
41688 +
41689 + #ifdef CONFIG_XEN
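Review bot: the new OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0) is presumably consumed by the SET_CR0_FROM_EDX macro that the entry_32.S hunks use to toggle CR0.WP under paravirt. The macro definition is not among these hunks; make sure it actually references PV_CPU_write_cr0 so the offset does not become dead output, and that GET_CR0_INTO_EDX uses the existing PV_CPU_read_cr0 line above it.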
41690 +diff -urNp linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c
41691 +--- linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c 2008-03-24 14:49:18.000000000 -0400
41692 ++++ linux-2.6.24.5/arch/x86/kernel/asm-offsets_64.c 2008-03-26 20:21:07.000000000 -0400
41693 +@@ -108,6 +108,7 @@ int main(void)
41694 + ENTRY(cr8);
41695 + BLANK();
41696 + #undef ENTRY
41697 ++ DEFINE(TSS_size, sizeof(struct tss_struct));
41698 + DEFINE(TSS_ist, offsetof(struct tss_struct, ist));
41699 + BLANK();
41700 + DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
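Review bot: DEFINE(TSS_size, sizeof(struct tss_struct)) is used by the entry_64.S hunk (`imul $TSS_size, %gs:pda_cpunumber, %ebp`) to index a flat init_tss array by CPU number. Using sizeof as the stride means the assembler side assumes the array has no per-element padding beyond the struct's natural size; a comment next to the DEFINE pointing at that consumer would help whoever next touches tss_struct.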
41701 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/common.c linux-2.6.24.5/arch/x86/kernel/cpu/common.c
41702 +--- linux-2.6.24.5/arch/x86/kernel/cpu/common.c 2008-03-24 14:49:18.000000000 -0400
41703 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/common.c 2008-03-26 20:21:07.000000000 -0400
41704 +@@ -4,7 +4,6 @@
41705 + #include <linux/smp.h>
41706 + #include <linux/module.h>
41707 + #include <linux/percpu.h>
41708 +-#include <linux/bootmem.h>
41709 + #include <asm/semaphore.h>
41710 + #include <asm/processor.h>
41711 + #include <asm/i387.h>
41712 +@@ -21,39 +20,15 @@
41713 +
41714 + #include "cpu.h"
41715 +
41716 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
41717 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
41718 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
41719 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
41720 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
41721 +- /*
41722 +- * Segments used for calling PnP BIOS have byte granularity.
41723 +- * They code segments and data segments have fixed 64k limits,
41724 +- * the transfer segment sizes are set at run time.
41725 +- */
41726 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
41727 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
41728 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
41729 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
41730 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
41731 +- /*
41732 +- * The APM segments have byte granularity and their bases
41733 +- * are set at run time. All have 64k limits.
41734 +- */
41735 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
41736 +- /* 16-bit code */
41737 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
41738 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
41739 +-
41740 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
41741 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
41742 +-} };
41743 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
41744 +-
41745 + static int cachesize_override __cpuinitdata = -1;
41746 + static int disable_x86_fxsr __cpuinitdata;
41747 + static int disable_x86_serial_nr __cpuinitdata = 1;
41748 +-static int disable_x86_sep __cpuinitdata;
41749 ++
41750 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
41751 ++int disable_x86_sep __cpuinitdata = 1;
41752 ++#else
41753 ++int disable_x86_sep __cpuinitdata;
41754 ++#endif
41755 +
41756 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
41757 +
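Review bot: two unrelated changes are mixed into one hunk. Removing the gdt_page per-cpu definition also removes EXPORT_PER_CPU_SYMBOL_GPL(gdt_page); whatever replaces it (the entry_32.S hunk indexes a `cpu_gdt_table` array) must be exported if any module relied on gdt_page, and this hunk cannot show that. Separately, `disable_x86_sep` loses `static` and now defaults to 1 whenever PAGEEXEC, SEGMEXEC, KERNEXEC or UDEREF is enabled, i.e. sysenter is off by default on those configs; the extern declaration belongs in a header and the reason for the default in a comment.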
41758 +@@ -262,9 +237,9 @@ void __init cpu_detect(struct cpuinfo_x8
41759 + {
41760 + /* Get vendor name */
41761 + cpuid(0x00000000, &c->cpuid_level,
41762 +- (int *)&c->x86_vendor_id[0],
41763 +- (int *)&c->x86_vendor_id[8],
41764 +- (int *)&c->x86_vendor_id[4]);
41765 ++ (unsigned int *)&c->x86_vendor_id[0],
41766 ++ (unsigned int *)&c->x86_vendor_id[8],
41767 ++ (unsigned int *)&c->x86_vendor_id[4]);
41768 +
41769 + c->x86 = 4;
41770 + if (c->cpuid_level >= 0x00000001) {
41771 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
41772 +
41773 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
41774 + {
41775 +- u32 tfms, xlvl;
41776 +- int ebx;
41777 ++ u32 tfms, xlvl, ebx;
41778 +
41779 + if (have_cpuid_p()) {
41780 + /* Get vendor name */
41781 + cpuid(0x00000000, &c->cpuid_level,
41782 +- (int *)&c->x86_vendor_id[0],
41783 +- (int *)&c->x86_vendor_id[8],
41784 +- (int *)&c->x86_vendor_id[4]);
41785 ++ (unsigned int *)&c->x86_vendor_id[0],
41786 ++ (unsigned int *)&c->x86_vendor_id[8],
41787 ++ (unsigned int *)&c->x86_vendor_id[4]);
41788 +
41789 + get_cpu_vendor(c, 0);
41790 + /* Initialize the standard set of capabilities */
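Review bot: changing the casts from `(int *)` to `(unsigned int *)` and `ebx` to u32 here and in cpu_detect above matches cpuid()'s `unsigned int *` parameters and removes sign-conversion warnings without changing behaviour. Both hunks now carry the same triplet of casts into x86_vendor_id; a tiny helper that fills the vendor id from cpuid(0) would stop the duplication.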
41791 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
41792 + {
41793 + struct Xgt_desc_struct gdt_descr;
41794 +
41795 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
41796 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
41797 + gdt_descr.size = GDT_SIZE - 1;
41798 + load_gdt(&gdt_descr);
41799 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
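Review bot: dropping the `(long)` cast so that `gdt_descr.address = get_cpu_gdt_table(...)` compiles only works if struct Xgt_desc_struct's address member has become a `struct desc_struct *`. The doublefault_32.c and efi_32.c hunks below add casts consistent with that, but the header change itself is not among these hunks, so build all 32-bit configurations to catch remaining integer assignments; the intel.c hunk below already shows one that was not removed.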
41800 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
41801 + {
41802 + int cpu = smp_processor_id();
41803 + struct task_struct *curr = current;
41804 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
41805 ++ struct tss_struct *t = init_tss + cpu;
41806 + struct thread_struct *thread = &curr->thread;
41807 +
41808 + if (cpu_test_and_set(cpu, cpu_initialized)) {
41809 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
41810 +--- linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-24 14:49:18.000000000 -0400
41811 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-03-26 20:21:07.000000000 -0400
41812 +@@ -549,7 +549,7 @@ static const struct dmi_system_id sw_any
41813 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
41814 + },
41815 + },
41816 +- { }
41817 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
41818 + };
41819 + #endif
41820 +
41821 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
41822 +--- linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-24 14:49:18.000000000 -0400
41823 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2008-03-26 20:21:07.000000000 -0400
41824 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
41825 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
41826 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
41827 +
41828 +- { NULL, }
41829 ++ { NULL, NULL, 0, NULL}
41830 + };
41831 + #undef _BANIAS
41832 + #undef BANIAS
41833 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/intel.c linux-2.6.24.5/arch/x86/kernel/cpu/intel.c
41834 +--- linux-2.6.24.5/arch/x86/kernel/cpu/intel.c 2008-03-24 14:49:18.000000000 -0400
41835 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/intel.c 2008-03-26 20:21:07.000000000 -0400
41836 +@@ -104,6 +104,7 @@ static void __cpuinit trap_init_f00f_bug
41837 + * it uses the read-only mapped virtual address.
41838 + */
41839 + idt_descr.address = fix_to_virt(FIX_F00F_IDT);
41840 ++ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
41841 + load_idt(&idt_descr);
41842 + }
41843 + #endif
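Review bot: this hunk adds `idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);` but leaves the original `idt_descr.address = fix_to_virt(FIX_F00F_IDT);` in place as a context line. The result is two back-to-back assignments, and the first still stores an unsigned long into what is now a pointer member, so the warning or error the cast was meant to remove is still there. The old line should be a `-` line.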
41844 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c
41845 +--- linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-24 14:49:18.000000000 -0400
41846 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/intel_cacheinfo.c 2008-03-26 20:21:07.000000000 -0400
41847 +@@ -352,8 +352,8 @@ unsigned int __cpuinit init_intel_cachei
41848 + */
41849 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
41850 + /* supports eax=2 call */
41851 +- int i, j, n;
41852 +- int regs[4];
41853 ++ int j, n;
41854 ++ unsigned int regs[4];
41855 + unsigned char *dp = (unsigned char *)regs;
41856 + int only_trace = 0;
41857 +
41858 +@@ -368,7 +368,7 @@ unsigned int __cpuinit init_intel_cachei
41859 +
41860 + /* If bit 31 is set, this is an unknown format */
41861 + for ( j = 0 ; j < 3 ; j++ ) {
41862 +- if ( regs[j] < 0 ) regs[j] = 0;
41863 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
41864 + }
41865 +
41866 + /* Byte 0 is level count, not a descriptor */
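Review bot: `(int)regs[j] < 0` after regs became `unsigned int` works, but the comment two lines up already says what is meant: "If bit 31 is set". Write it that way, `if (regs[j] & 0x80000000) regs[j] = 0;`, and the cast disappears along with any question about signed conversion. The preceding hunk's removal of the unused `i` is fine.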
41867 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c
41868 +--- linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-24 14:49:18.000000000 -0400
41869 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/mcheck/mce_64.c 2008-03-26 20:21:08.000000000 -0400
41870 +@@ -671,6 +671,7 @@ static struct miscdevice mce_log_device
41871 + MISC_MCELOG_MINOR,
41872 + "mcelog",
41873 + &mce_chrdev_ops,
41874 ++ {NULL, NULL}, NULL, NULL
41875 + };
41876 +
41877 + static unsigned long old_cr4 __initdata;
41878 +diff -urNp linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c
41879 +--- linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-24 14:49:18.000000000 -0400
41880 ++++ linux-2.6.24.5/arch/x86/kernel/cpu/mtrr/generic.c 2008-03-26 20:21:08.000000000 -0400
41881 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
41882 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
41883 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
41884 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
41885 +- {}
41886 ++ { 0, 0 }
41887 + };
41888 +
41889 + static unsigned long smp_changes_mask;
41890 +-static struct mtrr_state mtrr_state = {};
41891 ++static struct mtrr_state mtrr_state;
41892 +
41893 + #undef MODULE_PARAM_PREFIX
41894 + #define MODULE_PARAM_PREFIX "mtrr."
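Review bot: `static struct mtrr_state mtrr_state;` is zero-initialised by virtue of static storage, so dropping `= {}` changes nothing at runtime and only avoids the empty-initialiser warning; likewise `{ 0, 0 }` is the same terminator as `{}`. Both are harmless warning fixes and would be easier to review if kept in a separate "mute warnings" patch rather than alongside functional hardening changes.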
41895 +diff -urNp linux-2.6.24.5/arch/x86/kernel/crash.c linux-2.6.24.5/arch/x86/kernel/crash.c
41896 +--- linux-2.6.24.5/arch/x86/kernel/crash.c 2008-03-24 14:49:18.000000000 -0400
41897 ++++ linux-2.6.24.5/arch/x86/kernel/crash.c 2008-03-26 20:21:08.000000000 -0400
41898 +@@ -62,7 +62,7 @@ static int crash_nmi_callback(struct not
41899 + local_irq_disable();
41900 +
41901 + #ifdef CONFIG_X86_32
41902 +- if (!user_mode_vm(regs)) {
41903 ++ if (!user_mode(regs)) {
41904 + crash_fixup_ss_esp(&fixed_regs, regs);
41905 + regs = &fixed_regs;
41906 + }
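Review bot: user_mode_vm() also treats a VM86 frame (EFLAGS.VM set) as user mode, while user_mode() looks only at the CS RPL. With this change an NMI taken while a task is executing vm86 code would be classified as a kernel-mode frame and routed through crash_fixup_ss_esp(), which is wrong for that frame. If the patch redefines user_mode() elsewhere to include the VM check, the commit log should say so; otherwise keep user_mode_vm() here.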
41907 +diff -urNp linux-2.6.24.5/arch/x86/kernel/doublefault_32.c linux-2.6.24.5/arch/x86/kernel/doublefault_32.c
41908 +--- linux-2.6.24.5/arch/x86/kernel/doublefault_32.c 2008-03-24 14:49:18.000000000 -0400
41909 ++++ linux-2.6.24.5/arch/x86/kernel/doublefault_32.c 2008-03-26 20:21:08.000000000 -0400
41910 +@@ -11,17 +11,17 @@
41911 +
41912 + #define DOUBLEFAULT_STACKSIZE (1024)
41913 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
41914 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
41915 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
41916 +
41917 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
41918 +
41919 + static void doublefault_fn(void)
41920 + {
41921 +- struct Xgt_desc_struct gdt_desc = {0, 0};
41922 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
41923 + unsigned long gdt, tss;
41924 +
41925 + store_gdt(&gdt_desc);
41926 +- gdt = gdt_desc.address;
41927 ++ gdt = (unsigned long)gdt_desc.address;
41928 +
41929 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
41930 +
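Review bot: moving STACK_START from the end of doublefault_stack to two words below it is not explained anywhere in the hunk. If the intent is to keep the initial frame (or a return address pushed by the first call) inside the array, put that in a comment on the #define; a bare `-2` is exactly the kind of constant a later cleanup removes. The `{0, NULL, 0}` initialiser and the `(unsigned long)` cast follow the Xgt_desc_struct type change seen in the other hunks.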
41931 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
41932 + /* 0x2 bit is always set */
41933 + .eflags = X86_EFLAGS_SF | 0x2,
41934 + .esp = STACK_START,
41935 +- .es = __USER_DS,
41936 ++ .es = __KERNEL_DS,
41937 + .cs = __KERNEL_CS,
41938 + .ss = __KERNEL_DS,
41939 +- .ds = __USER_DS,
41940 ++ .ds = __KERNEL_DS,
41941 + .fs = __KERNEL_PERCPU,
41942 +
41943 + .__cr3 = __pa(swapper_pg_dir)
41944 +diff -urNp linux-2.6.24.5/arch/x86/kernel/efi_32.c linux-2.6.24.5/arch/x86/kernel/efi_32.c
41945 +--- linux-2.6.24.5/arch/x86/kernel/efi_32.c 2008-03-24 14:49:18.000000000 -0400
41946 ++++ linux-2.6.24.5/arch/x86/kernel/efi_32.c 2008-03-26 20:21:08.000000000 -0400
41947 +@@ -63,71 +63,38 @@ extern void * boot_ioremap(unsigned long
41948 +
41949 + static unsigned long efi_rt_eflags;
41950 + static DEFINE_SPINLOCK(efi_rt_lock);
41951 +-static pgd_t efi_bak_pg_dir_pointer[2];
41952 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
41953 +
41954 +-static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
41955 ++static void __init efi_call_phys_prelog(void) __acquires(efi_rt_lock)
41956 + {
41957 +- unsigned long cr4;
41958 +- unsigned long temp;
41959 + struct Xgt_desc_struct gdt_descr;
41960 +
41961 + spin_lock(&efi_rt_lock);
41962 + local_irq_save(efi_rt_eflags);
41963 +
41964 +- /*
41965 +- * If I don't have PSE, I should just duplicate two entries in page
41966 +- * directory. If I have PSE, I just need to duplicate one entry in
41967 +- * page directory.
41968 +- */
41969 +- cr4 = read_cr4();
41970 +-
41971 +- if (cr4 & X86_CR4_PSE) {
41972 +- efi_bak_pg_dir_pointer[0].pgd =
41973 +- swapper_pg_dir[pgd_index(0)].pgd;
41974 +- swapper_pg_dir[0].pgd =
41975 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
41976 +- } else {
41977 +- efi_bak_pg_dir_pointer[0].pgd =
41978 +- swapper_pg_dir[pgd_index(0)].pgd;
41979 +- efi_bak_pg_dir_pointer[1].pgd =
41980 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
41981 +- swapper_pg_dir[pgd_index(0)].pgd =
41982 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
41983 +- temp = PAGE_OFFSET + 0x400000;
41984 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
41985 +- swapper_pg_dir[pgd_index(temp)].pgd;
41986 +- }
41987 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
41988 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
41989 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
41990 +
41991 + /*
41992 + * After the lock is released, the original page table is restored.
41993 + */
41994 + local_flush_tlb();
41995 +
41996 +- gdt_descr.address = __pa(get_cpu_gdt_table(0));
41997 ++ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
41998 + gdt_descr.size = GDT_SIZE - 1;
41999 + load_gdt(&gdt_descr);
42000 + }
42001 +
42002 +-static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
42003 ++static void __init efi_call_phys_epilog(void) __releases(efi_rt_lock)
42004 + {
42005 +- unsigned long cr4;
42006 + struct Xgt_desc_struct gdt_descr;
42007 +
42008 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
42009 ++ gdt_descr.address = get_cpu_gdt_table(0);
42010 + gdt_descr.size = GDT_SIZE - 1;
42011 + load_gdt(&gdt_descr);
42012 +
42013 +- cr4 = read_cr4();
42014 +-
42015 +- if (cr4 & X86_CR4_PSE) {
42016 +- swapper_pg_dir[pgd_index(0)].pgd =
42017 +- efi_bak_pg_dir_pointer[0].pgd;
42018 +- } else {
42019 +- swapper_pg_dir[pgd_index(0)].pgd =
42020 +- efi_bak_pg_dir_pointer[0].pgd;
42021 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
42022 +- efi_bak_pg_dir_pointer[1].pgd;
42023 +- }
42024 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
42025 +
42026 + /*
42027 + * After the lock is released, the original page table is restored.
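Review bot: the rewrite replaces the PSE-dependent copy of one or two page-directory entries with clone_pgd_range() over min(KERNEL_PGD_PTRS, USER_PGD_PTRS) entries, so the whole kernel mapping is mirrored at low addresses while EFI runs in physical mode, and the backup grows to a page-aligned array of KERNEL_PGD_PTRS entries. The save (KERNEL_PGD_PTRS entries) and the overwrite (the min_t count) use different lengths; when KERNEL_PGD_PTRS exceeds USER_PGD_PTRS the restore writes back more entries than were modified, which is harmless only because they were saved from the same slots. A comment spelling out why the two counts differ would prevent a later "simplification" to a single constant.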
42028 +@@ -138,7 +105,7 @@ static void efi_call_phys_epilog(void) _
42029 + spin_unlock(&efi_rt_lock);
42030 + }
42031 +
42032 +-static efi_status_t
42033 ++static efi_status_t __init
42034 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
42035 + unsigned long descriptor_size,
42036 + u32 descriptor_version,
42037 +@@ -154,7 +121,7 @@ phys_efi_set_virtual_address_map(unsigne
42038 + return status;
42039 + }
42040 +
42041 +-static efi_status_t
42042 ++static noinline efi_status_t __init
42043 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
42044 + {
42045 + efi_status_t status;
42046 +@@ -198,7 +165,7 @@ inline int efi_set_rtc_mmss(unsigned lon
42047 + * services have been remapped and also during suspend, therefore,
42048 + * we'll need to call both in physical and virtual modes.
42049 + */
42050 +-inline unsigned long efi_get_time(void)
42051 ++unsigned long efi_get_time(void)
42052 + {
42053 + efi_status_t status;
42054 + efi_time_t eft;
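Review bot: efi_call_phys_prelog/epilog, phys_efi_set_virtual_address_map and phys_efi_get_time are all marked __init (and the backup page-directory array __initdata) in the hunks above, yet the comment kept here says efi_get_time is needed "also during suspend" in both physical and virtual modes. After init those functions and that array are freed, so a physical-mode call at suspend time would jump into released memory. Either the comment is stale and should state that physical-mode calls happen only before the virtual address map is installed, or the __init annotations are wrong; the two cannot both stand.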
42055 +diff -urNp linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S
42056 +--- linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S 2008-03-24 14:49:18.000000000 -0400
42057 ++++ linux-2.6.24.5/arch/x86/kernel/efi_stub_32.S 2008-03-26 20:21:08.000000000 -0400
42058 +@@ -6,6 +6,7 @@
42059 + */
42060 +
42061 + #include <linux/linkage.h>
42062 ++#include <linux/init.h>
42063 + #include <asm/page.h>
42064 +
42065 + /*
42066 +@@ -20,7 +21,7 @@
42067 + * service functions will comply with gcc calling convention, too.
42068 + */
42069 +
42070 +-.text
42071 ++__INIT
42072 + ENTRY(efi_call_phys)
42073 + /*
42074 + * 0. The function can only be called in Linux kernel. So CS has been
42075 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
42076 + * The mapping of lower virtual memory has been created in prelog and
42077 + * epilog.
42078 + */
42079 +- movl $1f, %edx
42080 +- subl $__PAGE_OFFSET, %edx
42081 +- jmp *%edx
42082 ++ jmp 1f-__PAGE_OFFSET
42083 + 1:
42084 +
42085 + /*
42086 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
42087 + * parameter 2, ..., param n. To make things easy, we save the return
42088 + * address of efi_call_phys in a global variable.
42089 + */
42090 +- popl %edx
42091 +- movl %edx, saved_return_addr
42092 +- /* get the function pointer into ECX*/
42093 +- popl %ecx
42094 +- movl %ecx, efi_rt_function_ptr
42095 +- movl $2f, %edx
42096 +- subl $__PAGE_OFFSET, %edx
42097 +- pushl %edx
42098 ++ popl (saved_return_addr)
42099 ++ popl (efi_rt_function_ptr)
42100 +
42101 + /*
42102 + * 3. Clear PG bit in %CR0.
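Review bot: `popl (saved_return_addr)` and `popl (efi_rt_function_ptr)` store straight into the variables through their virtual addresses, which is valid here only because paging is still enabled at step 2; the later `call *(efi_rt_function_ptr-__PAGE_OFFSET)` reads the same variable via its physical address once PG is cleared. The stack ends where the original code left it (function-pointer slot on top), since the `call` replaces the manual push of `$2f` and the return. A comment on the virtual-versus-physical addressing of these two symbols would make the step-2/step-5 pairing obvious.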
42103 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
42104 + /*
42105 + * 5. Call the physical function.
42106 + */
42107 +- jmp *%ecx
42108 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
42109 +
42110 +-2:
42111 + /*
42112 + * 6. After EFI runtime service returns, control will return to
42113 + * following instruction. We'd better readjust stack pointer first.
42114 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
42115 + movl %cr0, %edx
42116 + orl $0x80000000, %edx
42117 + movl %edx, %cr0
42118 +- jmp 1f
42119 +-1:
42120 ++
42121 + /*
42122 + * 8. Now restore the virtual mode from flat mode by
42123 + * adding EIP with PAGE_OFFSET.
42124 + */
42125 +- movl $1f, %edx
42126 +- jmp *%edx
42127 ++ jmp 1f+__PAGE_OFFSET
42128 + 1:
42129 +
42130 + /*
42131 + * 9. Balance the stack. And because EAX contain the return value,
42132 + * we'd better not clobber it.
42133 + */
42134 +- leal efi_rt_function_ptr, %edx
42135 +- movl (%edx), %ecx
42136 +- pushl %ecx
42137 ++ pushl (efi_rt_function_ptr)
42138 +
42139 + /*
42140 +- * 10. Push the saved return address onto the stack and return.
42141 ++ * 10. Return to the saved return address.
42142 + */
42143 +- leal saved_return_addr, %edx
42144 +- movl (%edx), %ecx
42145 +- pushl %ecx
42146 +- ret
42147 ++ jmpl *(saved_return_addr)
42148 + .previous
42149 +
42150 +-.data
42151 ++__INITDATA
42152 + saved_return_addr:
42153 + .long 0
42154 + efi_rt_function_ptr:
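Review bot: the original had `jmp 1f; 1:` immediately after `movl %edx, %cr0` to serialise after re-enabling paging; this hunk removes it and relies on the following `jmp 1f+__PAGE_OFFSET` to play that role. Since nothing executes between the two, that works, but record it in the step 7 comment so that inserting code there later does not silently break the sequence. Moving the two saved words from .data to __INITDATA is consistent with efi_call_phys itself becoming __INIT in the earlier hunk.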
42155 +diff -urNp linux-2.6.24.5/arch/x86/kernel/entry_32.S linux-2.6.24.5/arch/x86/kernel/entry_32.S
42156 +--- linux-2.6.24.5/arch/x86/kernel/entry_32.S 2008-03-24 14:49:18.000000000 -0400
42157 ++++ linux-2.6.24.5/arch/x86/kernel/entry_32.S 2008-03-26 20:21:08.000000000 -0400
42158 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
42159 + #define resume_userspace_sig resume_userspace
42160 + #endif
42161 +
42162 +-#define SAVE_ALL \
42163 ++#define __SAVE_ALL(_DS) \
42164 + cld; \
42165 + pushl %fs; \
42166 + CFI_ADJUST_CFA_OFFSET 4;\
42167 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
42168 + pushl %ebx; \
42169 + CFI_ADJUST_CFA_OFFSET 4;\
42170 + CFI_REL_OFFSET ebx, 0;\
42171 +- movl $(__USER_DS), %edx; \
42172 ++ movl $(_DS), %edx; \
42173 + movl %edx, %ds; \
42174 + movl %edx, %es; \
42175 + movl $(__KERNEL_PERCPU), %edx; \
42176 + movl %edx, %fs
42177 +
42178 ++#ifdef CONFIG_PAX_KERNEXEC
42179 ++#define SAVE_ALL \
42180 ++ __SAVE_ALL(__KERNEL_DS); \
42181 ++ GET_CR0_INTO_EDX; \
42182 ++ movl %edx, %esi; \
42183 ++ orl $X86_CR0_WP, %edx; \
42184 ++ xorl %edx, %esi; \
42185 ++ SET_CR0_FROM_EDX
42186 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
42187 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
42188 ++#else
42189 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
42190 ++#endif
42191 ++
42192 + #define RESTORE_INT_REGS \
42193 + popl %ebx; \
42194 + CFI_ADJUST_CFA_OFFSET -4;\
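Review bot: under CONFIG_PAX_KERNEXEC, SAVE_ALL now leaves the previous CR0.WP state in %esi, encoded as the XOR difference between the old value and the forced-WP value, for the exit path to undo with `xorl %esi, %edx; SET_CR0_FROM_EDX` (see the check_userspace, NMI and error_code hunks below). %esi is callee-saved in the i386 C ABI so C handlers preserve it, but nothing in the macro states this contract; add a comment, and audit every path that uses SAVE_ALL and can return to kernel mode for the matching restore, since a missed path leaves WP set inside an open pax_open_kernel window and the next kernel write faults.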
42195 +@@ -248,7 +262,17 @@ check_userspace:
42196 + movb PT_CS(%esp), %al
42197 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
42198 + cmpl $USER_RPL, %eax
42199 ++
42200 ++#ifdef CONFIG_PAX_KERNEXEC
42201 ++ jae resume_userspace
42202 ++
42203 ++ GET_CR0_INTO_EDX
42204 ++ xorl %esi, %edx
42205 ++ SET_CR0_FROM_EDX
42206 ++ jmp resume_kernel
42207 ++#else
42208 + jb resume_kernel # not returning to v8086 or userspace
42209 ++#endif
42210 +
42211 + ENTRY(resume_userspace)
42212 + LOCKDEP_SYS_EXIT
42213 +@@ -308,10 +332,9 @@ sysenter_past_esp:
42214 + /*CFI_REL_OFFSET cs, 0*/
42215 + /*
42216 + * Push current_thread_info()->sysenter_return to the stack.
42217 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
42218 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
42219 + */
42220 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
42221 ++ GET_THREAD_INFO(%ebp)
42222 ++ pushl TI_sysenter_return(%ebp)
42223 + CFI_ADJUST_CFA_OFFSET 4
42224 + CFI_REL_OFFSET eip, 0
42225 +
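Review bot: replacing the `TI_sysenter_return-THREAD_SIZE+8+4*4` arithmetic with GET_THREAD_INFO(%ebp) is much clearer, but it clobbers %ebp, which at this point still holds the user stack pointer needed for the sixth-argument load below. The next hunk compensates with `movl 12(%esp),%ebp` (reloading the user %esp pushed earlier in this frame); the two hunks only work together, so note here that %ebp is reloaded from the frame before it is dereferenced.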
42226 +@@ -319,9 +342,17 @@ sysenter_past_esp:
42227 + * Load the potential sixth argument from user stack.
42228 + * Careful about security.
42229 + */
42230 ++ movl 12(%esp),%ebp
42231 ++
42232 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
42233 ++ mov 16(%esp),%ds
42234 ++1: movl %ds:(%ebp),%ebp
42235 ++#else
42236 + cmpl $__PAGE_OFFSET-3,%ebp
42237 + jae syscall_fault
42238 + 1: movl (%ebp),%ebp
42239 ++#endif
42240 ++
42241 + .section __ex_table,"a"
42242 + .align 4
42243 + .long 1b,syscall_fault
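Review bot: the CONFIG_PAX_MEMORY_UDEREF branch drops the explicit `cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault` range check and instead loads %ds from 16(%esp), presumably the `$(__USER_DS)` pushed as SS at the top of sysenter_past_esp (not in the hunk), then dereferences via `%ds:(%ebp)`, so the bound is enforced by the user data segment's limit and a violation arrives as a #GP routed to syscall_fault through the __ex_table entry at label 1. That substitution is sound only if __USER_DS really has its limit at the user/kernel boundary in this configuration; state that assumption in a comment, and note that %ds stays pointed at the user segment until SAVE_ALL reloads it.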
42244 +@@ -345,20 +376,37 @@ sysenter_past_esp:
42245 + movl TI_flags(%ebp), %ecx
42246 + testw $_TIF_ALLWORK_MASK, %cx
42247 + jne syscall_exit_work
42248 ++
42249 ++#ifdef CONFIG_PAX_RANDKSTACK
42250 ++ pushl %eax
42251 ++ CFI_ADJUST_CFA_OFFSET 4
42252 ++ call pax_randomize_kstack
42253 ++ popl %eax
42254 ++ CFI_ADJUST_CFA_OFFSET -4
42255 ++#endif
42256 ++
42257 + /* if something modifies registers it must also disable sysexit */
42258 + movl PT_EIP(%esp), %edx
42259 + movl PT_OLDESP(%esp), %ecx
42260 + xorl %ebp,%ebp
42261 + TRACE_IRQS_ON
42262 + 1: mov PT_FS(%esp), %fs
42263 ++2: mov PT_DS(%esp), %ds
42264 ++3: mov PT_ES(%esp), %es
42265 + ENABLE_INTERRUPTS_SYSEXIT
42266 + CFI_ENDPROC
42267 + .pushsection .fixup,"ax"
42268 +-2: movl $0,PT_FS(%esp)
42269 ++4: movl $0,PT_FS(%esp)
42270 + jmp 1b
42271 ++5: movl $0,PT_DS(%esp)
42272 ++ jmp 2b
42273 ++6: movl $0,PT_ES(%esp)
42274 ++ jmp 3b
42275 + .section __ex_table,"a"
42276 + .align 4
42277 +- .long 1b,2b
42278 ++ .long 1b,4b
42279 ++ .long 2b,5b
42280 ++ .long 3b,6b
42281 + .popsection
42282 + ENDPROC(sysenter_entry)
42283 +
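Review bot: restoring PT_DS and PT_ES (labels 2 and 3, fixups 5 and 6) on the sysexit fast path is required now that the kernel runs with __KERNEL_DS in %ds/%es under the PaX configs; without it userspace would resume with kernel selectors. The renumbering of the %fs fixup from 2 to 4 is easy to get wrong; the table pairs 1b/4b, 2b/5b, 3b/6b do match. The RANDKSTACK block saves and restores %eax around pax_randomize_kstack because the syscall return value is still live there; the call also clobbers %ecx and %edx, which is fine only because both are reloaded from PT_EIP/PT_OLDESP immediately afterwards, and that ordering deserves a comment.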
42284 +@@ -392,6 +440,10 @@ no_singlestep:
42285 + testw $_TIF_ALLWORK_MASK, %cx # current->work
42286 + jne syscall_exit_work
42287 +
42288 ++#ifdef CONFIG_PAX_RANDKSTACK
42289 ++ call pax_randomize_kstack
42290 ++#endif
42291 ++
42292 + restore_all:
42293 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
42294 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
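Review bot: here pax_randomize_kstack is called without the push/pop of %eax used in the sysenter path above. That is correct because restore_all reloads every register from pt_regs, but the asymmetry reads like an omission; a one-line comment saying why no save is needed would stop someone "fixing" it.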
42295 +@@ -556,17 +608,24 @@ syscall_badsys:
42296 + END(syscall_badsys)
42297 + CFI_ENDPROC
42298 +
42299 +-#define FIXUP_ESPFIX_STACK \
42300 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
42301 +- PER_CPU(gdt_page, %ebx); \
42302 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
42303 +- addl %esp, %eax; \
42304 +- pushl $__KERNEL_DS; \
42305 +- CFI_ADJUST_CFA_OFFSET 4; \
42306 +- pushl %eax; \
42307 +- CFI_ADJUST_CFA_OFFSET 4; \
42308 +- lss (%esp), %esp; \
42309 ++.macro FIXUP_ESPFIX_STACK
42310 ++ /* since we are on a wrong stack, we cant make it a C code :( */
42311 ++#ifdef CONFIG_SMP
42312 ++ movl PER_CPU_VAR(cpu_number), %ebx;
42313 ++ shll $PAGE_SHIFT_asm, %ebx;
42314 ++ addl $cpu_gdt_table, %ebx;
42315 ++#else
42316 ++ movl $cpu_gdt_table, %ebx;
42317 ++#endif
42318 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
42319 ++ addl %esp, %eax;
42320 ++ pushl $__KERNEL_DS;
42321 ++ CFI_ADJUST_CFA_OFFSET 4;
42322 ++ pushl %eax;
42323 ++ CFI_ADJUST_CFA_OFFSET 4;
42324 ++ lss (%esp), %esp;
42325 + CFI_ADJUST_CFA_OFFSET -8;
42326 ++.endm
42327 + #define UNWIND_ESPFIX_STACK \
42328 + movl %ss, %eax; \
42329 + /* see if on espfix stack */ \
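Review bot: turning FIXUP_ESPFIX_STACK from a #define into a `.macro` is what makes the `#ifdef CONFIG_SMP` inside it possible; fine. The SMP branch computes `cpu_number << PAGE_SHIFT` plus `cpu_gdt_table`, i.e. it assumes one page per CPU GDT in a `cpu_gdt_table` array, replacing the per-cpu gdt_page removed in the common.c hunk. That layout assumption is invisible here, so reference the defining file in a comment. The trailing semicolons on each line are leftovers from the #define form and can go.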
42330 +@@ -583,7 +642,7 @@ END(syscall_badsys)
42331 + * Build the entry stubs and pointer table with
42332 + * some assembler magic.
42333 + */
42334 +-.data
42335 ++.section .rodata,"a",@progbits
42336 + ENTRY(interrupt)
42337 + .text
42338 +
42339 +@@ -683,12 +742,21 @@ error_code:
42340 + popl %ecx
42341 + CFI_ADJUST_CFA_OFFSET -4
42342 + /*CFI_REGISTER es, ecx*/
42343 ++
42344 ++#ifdef CONFIG_PAX_KERNEXEC
42345 ++ GET_CR0_INTO_EDX
42346 ++ movl %edx, %esi
42347 ++ orl $X86_CR0_WP, %edx
42348 ++ xorl %edx, %esi
42349 ++ SET_CR0_FROM_EDX
42350 ++#endif
42351 ++
42352 + movl PT_FS(%esp), %edi # get the function address
42353 + movl PT_ORIG_EAX(%esp), %edx # get the error code
42354 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
42355 + mov %ecx, PT_FS(%esp)
42356 + /*CFI_REL_OFFSET fs, ES*/
42357 +- movl $(__USER_DS), %ecx
42358 ++ movl $(__KERNEL_DS), %ecx
42359 + movl %ecx, %ds
42360 + movl %ecx, %es
42361 + movl %esp,%eax # pt_regs pointer
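Review bot: error_code builds its frame by hand rather than through SAVE_ALL, so the CR0.WP save sequence (GET_CR0_INTO_EDX / movl %edx,%esi / orl $X86_CR0_WP / xorl / SET_CR0_FROM_EDX) is open-coded a second time; put it in a macro shared with SAVE_ALL so the two cannot drift apart. Also `movl $(__KERNEL_DS), %ecx` is unconditional here, whereas SAVE_ALL keeps __USER_DS when none of the PaX options is enabled; either both should be conditional or neither.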
42362 +@@ -822,6 +890,13 @@ nmi_stack_correct:
42363 + xorl %edx,%edx # zero error code
42364 + movl %esp,%eax # pt_regs pointer
42365 + call do_nmi
42366 ++
42367 ++#ifdef CONFIG_PAX_KERNEXEC
42368 ++ GET_CR0_INTO_EDX
42369 ++ xorl %esi, %edx
42370 ++ SET_CR0_FROM_EDX
42371 ++#endif
42372 ++
42373 + jmp restore_nocheck_notrace
42374 + CFI_ENDPROC
42375 +
42376 +@@ -862,6 +937,13 @@ nmi_espfix_stack:
42377 + FIXUP_ESPFIX_STACK # %eax == %esp
42378 + xorl %edx,%edx # zero error code
42379 + call do_nmi
42380 ++
42381 ++#ifdef CONFIG_PAX_KERNEXEC
42382 ++ GET_CR0_INTO_EDX
42383 ++ xorl %esi, %edx
42384 ++ SET_CR0_FROM_EDX
42385 ++#endif
42386 ++
42387 + RESTORE_REGS
42388 + lss 12+4(%esp), %esp # back to espfix stack
42389 + CFI_ADJUST_CFA_OFFSET -24
42390 +@@ -1110,7 +1192,6 @@ ENDPROC(xen_failsafe_callback)
42391 +
42392 + #endif /* CONFIG_XEN */
42393 +
42394 +-.section .rodata,"a"
42395 + #include "syscall_table_32.S"
42396 +
42397 + syscall_table_size=(.-sys_call_table)
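Review bot: Dropping the `.section .rodata,"a"` before `#include "syscall_table_32.S"` leaves sys_call_table in whatever section is current at that point in entry_32.S; confirm that syscall_table_32.S now emits its own read-only section directive, because a writable syscall table is exactly what the KERNEXEC side of this patch is trying to prevent.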
42398 +diff -urNp linux-2.6.24.5/arch/x86/kernel/entry_64.S linux-2.6.24.5/arch/x86/kernel/entry_64.S
42399 +--- linux-2.6.24.5/arch/x86/kernel/entry_64.S 2008-03-24 14:49:18.000000000 -0400
42400 ++++ linux-2.6.24.5/arch/x86/kernel/entry_64.S 2008-03-26 20:21:08.000000000 -0400
42401 +@@ -440,6 +440,7 @@ ENTRY(stub_execve)
42402 + CFI_REGISTER rip, r11
42403 + SAVE_REST
42404 + FIXUP_TOP_OF_STACK %r11
42405 ++ movq %rsp, %rcx
42406 + call sys_execve
42407 + RESTORE_TOP_OF_STACK %r11
42408 + movq %rax,RAX(%rsp)
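Review bot: `movq %rsp, %rcx` before `call sys_execve` changes the calling convention so the fourth argument is a `struct pt_regs *` (the kernel_execve hunk below updates its comment to match); every other caller of sys_execve, in C and in any compat entry stubs, has to be changed in the same patch or it will pass garbage in %rcx.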
42409 +@@ -735,17 +736,18 @@ END(spurious_interrupt)
42410 + xorl %ebx,%ebx
42411 + 1:
42412 + .if \ist
42413 +- movq %gs:pda_data_offset, %rbp
42414 ++ imul $TSS_size, %gs:pda_cpunumber, %ebp
42415 ++ lea init_tss(%rbp), %rbp
42416 + .endif
42417 + movq %rsp,%rdi
42418 + movq ORIG_RAX(%rsp),%rsi
42419 + movq $-1,ORIG_RAX(%rsp)
42420 + .if \ist
42421 +- subq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
42422 ++ subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
42423 + .endif
42424 + call \sym
42425 + .if \ist
42426 +- addq $EXCEPTION_STKSZ, per_cpu__init_tss + TSS_ist + (\ist - 1) * 8(%rbp)
42427 ++ addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
42428 + .endif
42429 + cli
42430 + .if \irqtrace
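Review bot: `imul $TSS_size, %gs:pda_cpunumber, %ebp` followed by `lea init_tss(%rbp), %rbp` indexes a flat `init_tss[]` array, so TSS_size from asm-offsets must equal sizeof(struct tss_struct) exactly, the same stride the init_task.c hunk's array declaration implies; a comment tying the two together is worth adding, because a mismatch silently corrupts the IST adjustment (`subq/addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)`). The 32-bit `imul` zero-extends into %rbp, which is fine for any realistic NR_CPUS but should be stated.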
42431 +@@ -1003,15 +1005,16 @@ ENDPROC(child_rip)
42432 + * rdi: name, rsi: argv, rdx: envp
42433 + *
42434 + * We want to fallback into:
42435 +- * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs regs)
42436 ++ * extern long sys_execve(char *name, char **argv,char **envp, struct pt_regs *regs)
42437 + *
42438 + * do_sys_execve asm fallback arguments:
42439 +- * rdi: name, rsi: argv, rdx: envp, fake frame on the stack
42440 ++ * rdi: name, rsi: argv, rdx: envp, rcx: fake frame on the stack
42441 + */
42442 + ENTRY(kernel_execve)
42443 + CFI_STARTPROC
42444 + FAKE_STACK_FRAME $0
42445 + SAVE_ALL
42446 ++ movq %rsp,%rcx
42447 + call sys_execve
42448 + movq %rax, RAX(%rsp)
42449 + RESTORE_REST
42450 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head_32.S linux-2.6.24.5/arch/x86/kernel/head_32.S
42451 +--- linux-2.6.24.5/arch/x86/kernel/head_32.S 2008-03-24 14:49:18.000000000 -0400
42452 ++++ linux-2.6.24.5/arch/x86/kernel/head_32.S 2008-03-26 20:21:08.000000000 -0400
42453 +@@ -18,6 +18,7 @@
42454 + #include <asm/thread_info.h>
42455 + #include <asm/asm-offsets.h>
42456 + #include <asm/setup.h>
42457 ++#include <asm/msr-index.h>
42458 +
42459 + /*
42460 + * References to members of the new_cpu_data structure.
42461 +@@ -60,17 +61,22 @@ LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
42462 + LOW_PAGES = LOW_PAGES + 0x1000000
42463 + #endif
42464 +
42465 +-#if PTRS_PER_PMD > 1
42466 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
42467 +-#else
42468 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
42469 +-#endif
42470 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
42471 + BOOTBITMAP_SIZE = LOW_PAGES / 8
42472 + ALLOCATOR_SLOP = 4
42473 +
42474 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
42475 +
42476 + /*
42477 ++ * Real beginning of normal "text" segment
42478 ++ */
42479 ++ENTRY(stext)
42480 ++ENTRY(_stext)
42481 ++
42482 ++.section .text.startup,"ax",@progbits
42483 ++ ljmp $(__BOOT_CS),$phys_startup_32
42484 ++
42485 ++/*
42486 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
42487 + * %esi points to the real-mode code as a 32-bit pointer.
42488 + * CS and DS must be 4 GB flat segments, but we don't depend on
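Review bot: PAGE_TABLE_SIZE loses the `+ PTRS_PER_PGD` term that previously reserved room for the PAE pmd pages; that only holds because swapper_pm_dir is now a static `.fill 512,8,0` x4 block in its own section (later hunk in this file), so say so in a comment next to the new definition. The new `.section .text.startup` stub (`ljmp $(__BOOT_CS),$phys_startup_32`) also needs a matching linker-script placement and a definition of phys_startup_32, neither of which is in this file; please cross-reference them.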
42489 +@@ -78,6 +84,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
42490 + * can.
42491 + */
42492 + .section .text.head,"ax",@progbits
42493 ++
42494 ++#ifdef CONFIG_PAX_KERNEXEC
42495 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
42496 ++.fill 4096,1,0xcc
42497 ++#endif
42498 ++
42499 + ENTRY(startup_32)
42500 + /* check to see if KEEP_SEGMENTS flag is meaningful */
42501 + cmpw $0x207, BP_version(%esi)
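Review bot: Filling the first page of .text.head with 0xcc under KERNEXEC means a kernel-mode call through a NULL or near-NULL function pointer lands on int3 instead of executing whatever the bootloader left at the load address, which is a sound fail-hard default; it does shift startup_32 by one page from the start of .text.head, so the `.text.startup` ljmp stub added above is what keeps the bootloader entry point stable, and that dependency deserves a comment here.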
42502 +@@ -99,6 +111,43 @@ ENTRY(startup_32)
42503 + movl %eax,%gs
42504 + 2:
42505 +
42506 ++ movl $__per_cpu_start,%eax
42507 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
42508 ++ rorl $16,%eax
42509 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
42510 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
42511 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
42512 ++ subl $__per_cpu_start,%eax
42513 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
42514 ++
42515 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
42516 ++ /* check for VMware */
42517 ++ movl $0x564d5868,%eax
42518 ++ xorl %ebx,%ebx
42519 ++ movl $0xa,%ecx
42520 ++ movl $0x5658,%edx
42521 ++ in (%dx),%eax
42522 ++ cmpl $0x564d5868,%ebx
42523 ++ jz 1f
42524 ++
42525 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
42526 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
42527 ++1:
42528 ++#endif
42529 ++
42530 ++#ifdef CONFIG_PAX_KERNEXEC
42531 ++ movl $KERNEL_TEXT_OFFSET,%eax
42532 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
42533 ++ rorl $16,%eax
42534 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
42535 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
42536 ++
42537 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
42538 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
42539 ++ rorl $16,%eax
42540 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
42541 ++#endif
42542 ++
42543 + /*
42544 + * Clear BSS first so that there are no surprises...
42545 + */
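Review bot: The per-CPU descriptor limit write `movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)` stores only bits 0-15 of `__per_cpu_end + PERCPU_MODULE_RESERVE - __per_cpu_start`, and the 0xd8 PERCPU descriptor in the cpu_gdt_table hunk (`0x0040930000000000`) has byte granularity with limit[19:16] = 0, so a per-CPU area larger than 64 KiB is silently truncated; either assert the size at build time or also write the high nibble. The VMware backdoor probe (`in (%dx),%eax` on port 0x5658) gates the UDEREF kernel-DS limit without saying why; a comment, and ideally a boot message, should tell operators that UDEREF's data-segment restriction is not applied when that check succeeds.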
42546 +@@ -141,9 +190,7 @@ ENTRY(startup_32)
42547 + cmpl $num_subarch_entries, %eax
42548 + jae bad_subarch
42549 +
42550 +- movl subarch_entries - __PAGE_OFFSET(,%eax,4), %eax
42551 +- subl $__PAGE_OFFSET, %eax
42552 +- jmp *%eax
42553 ++ jmp *(subarch_entries - __PAGE_OFFSET)(,%eax,4)
42554 +
42555 + bad_subarch:
42556 + WEAK(lguest_entry)
42557 +@@ -151,11 +198,11 @@ WEAK(xen_entry)
42558 + /* Unknown implementation; there's really
42559 + nothing we can do at this point. */
42560 + ud2a
42561 +-.data
42562 ++.section .rodata,"a",@progbits
42563 + subarch_entries:
42564 +- .long default_entry /* normal x86/PC */
42565 +- .long lguest_entry /* lguest hypervisor */
42566 +- .long xen_entry /* Xen hypervisor */
42567 ++ .long default_entry - __PAGE_OFFSET /* normal x86/PC */
42568 ++ .long lguest_entry - __PAGE_OFFSET /* lguest hypervisor */
42569 ++ .long xen_entry - __PAGE_OFFSET /* Xen hypervisor */
42570 + num_subarch_entries = (. - subarch_entries) / 4
42571 + .previous
42572 + #endif /* CONFIG_PARAVIRT */
42573 +@@ -170,34 +217,55 @@ num_subarch_entries = (. - subarch_entri
42574 + * Warning: don't use %esi or the stack in this code. However, %esp
42575 + * can be used as a GPR if you really need it...
42576 + */
42577 +-page_pde_offset = (__PAGE_OFFSET >> 20);
42578 ++#ifdef CONFIG_X86_PAE
42579 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
42580 ++#else
42581 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
42582 ++#endif
42583 +
42584 + default_entry:
42585 + movl $(pg0 - __PAGE_OFFSET), %edi
42586 ++#ifdef CONFIG_X86_PAE
42587 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
42588 ++#else
42589 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
42590 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
42591 ++#endif
42592 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
42593 + 10:
42594 +- leal 0x007(%edi),%ecx /* Create PDE entry */
42595 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
42596 + movl %ecx,(%edx) /* Store identity PDE entry */
42597 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
42598 ++#ifdef CONFIG_X86_PAE
42599 ++ movl $0,4(%edx)
42600 ++ movl $0,page_pde_offset+4(%edx)
42601 ++ addl $8,%edx
42602 ++ movl $512, %ecx
42603 ++#else
42604 + addl $4,%edx
42605 + movl $1024, %ecx
42606 ++#endif
42607 + 11:
42608 + stosl
42609 ++#ifdef CONFIG_X86_PAE
42610 ++ movl $0,(%edi)
42611 ++ addl $4,%edi
42612 ++#endif
42613 + addl $0x1000,%eax
42614 + loop 11b
42615 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
42616 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
42617 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
42618 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
42619 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
42620 + cmpl %ebp,%eax
42621 + jb 10b
42622 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
42623 +
42624 + /* Do an early initialization of the fixmap area */
42625 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
42626 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
42627 +- addl $0x67, %eax /* 0x67 == _PAGE_TABLE */
42628 +- movl %eax, 4092(%edx)
42629 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
42630 ++#ifdef CONFIG_X86_PAE
42631 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
42632 ++#else
42633 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
42634 ++#endif
42635 +
42636 + xorl %ebx,%ebx /* This is the boot CPU (BSP) */
42637 + jmp 3f
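Review bot: Possible wrong PDE for the PAE fixmap: the swapper_pg_dir hunk below points its four PDPT entries at four consecutive pmd pages in swapper_pm_dir, and the fixmap lives at the top of the 4 GiB space, so its PDE is the last entry of the fourth pmd page, `swapper_pm_dir - __PAGE_OFFSET + 4*4096 - 8`; the hunk writes `swapper_pm_dir - __PAGE_OFFSET + 4096 - 8`, which is the last entry of the first pmd page (just under 1 GiB), while `page_pde_offset = (__PAGE_OFFSET >> 21) * 8` already places the kernel PDEs well past that first page. Please confirm which address is intended. Separately, dropping _PAGE_USER from the early mappings (0x007 to 0x063) is a good change and deserves a comment noting that the identity and PAGE_OFFSET mappings are no longer user-accessible.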
42638 +@@ -223,6 +291,11 @@ ENTRY(startup_32_smp)
42639 + movl %eax,%fs
42640 + movl %eax,%gs
42641 +
42642 ++ /* This is a secondary processor (AP) */
42643 ++ xorl %ebx,%ebx
42644 ++ incl %ebx
42645 ++#endif /* CONFIG_SMP */
42646 ++
42647 + /*
42648 + * New page tables may be in 4Mbyte page mode and may
42649 + * be using the global pages.
42650 +@@ -238,42 +311,47 @@ ENTRY(startup_32_smp)
42651 + * not yet offset PAGE_OFFSET..
42652 + */
42653 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
42654 ++3:
42655 + movl cr4_bits,%edx
42656 + andl %edx,%edx
42657 +- jz 6f
42658 ++ jz 5f
42659 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
42660 + orl %edx,%eax
42661 + movl %eax,%cr4
42662 +
42663 +- btl $5, %eax # check if PAE is enabled
42664 +- jnc 6f
42665 ++#ifdef CONFIG_X86_PAE
42666 ++ movl %ebx,%edi
42667 +
42668 + /* Check if extended functions are implemented */
42669 + movl $0x80000000, %eax
42670 + cpuid
42671 + cmpl $0x80000000, %eax
42672 +- jbe 6f
42673 ++ jbe 4f
42674 + mov $0x80000001, %eax
42675 + cpuid
42676 + /* Execute Disable bit supported? */
42677 + btl $20, %edx
42678 +- jnc 6f
42679 ++ jnc 4f
42680 +
42681 + /* Setup EFER (Extended Feature Enable Register) */
42682 +- movl $0xc0000080, %ecx
42683 ++ movl $MSR_EFER, %ecx
42684 + rdmsr
42685 +
42686 + btsl $11, %eax
42687 + /* Make changes effective */
42688 + wrmsr
42689 +
42690 +-6:
42691 +- /* This is a secondary processor (AP) */
42692 +- xorl %ebx,%ebx
42693 +- incl %ebx
42694 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
42695 ++ movl $1,nx_enabled-__PAGE_OFFSET
42696 +
42697 +-#endif /* CONFIG_SMP */
42698 +-3:
42699 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
42700 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
42701 ++#endif
42702 ++
42703 ++4:
42704 ++ movl %edi,%ebx
42705 ++#endif
42706 ++5:
42707 +
42708 + /*
42709 + * Enable paging
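Review bot: `movl %ebx,%edi` before the CPUID sequence and `movl %edi,%ebx` at label 4 are there because CPUID clobbers %ebx, which carries the BSP/AP flag set at startup_32_smp; that is subtle enough to warrant a comment, and since the `jbe 4f`/`jnc 4f` exits still pass through the restore, the flag survives on every path. The `movl $0,disable_x86_sep-__PAGE_OFFSET` under `!SEGMEXEC && !KERNEXEC && !UDEREF` is a policy decision (SYSENTER only re-enabled when none of the PaX features is built in) that belongs in the Kconfig help text as well as here.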
42710 +@@ -298,9 +376,7 @@ ENTRY(startup_32_smp)
42711 +
42712 + #ifdef CONFIG_SMP
42713 + andl %ebx,%ebx
42714 +- jz 1f /* Initial CPU cleans BSS */
42715 +- jmp checkCPUtype
42716 +-1:
42717 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
42718 + #endif /* CONFIG_SMP */
42719 +
42720 + /*
42721 +@@ -377,12 +453,12 @@ is386: movl $2,%ecx # set MP
42722 + ljmp $(__KERNEL_CS),$1f
42723 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
42724 + movl %eax,%ss # after changing gdt.
42725 +- movl %eax,%fs # gets reset once there's real percpu
42726 +-
42727 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
42728 + movl %eax,%ds
42729 + movl %eax,%es
42730 +
42731 ++ movl $(__KERNEL_PERCPU), %eax
42732 ++ movl %eax,%fs # set this cpu's percpu
42733 ++
42734 + xorl %eax,%eax # Clear GS and LDT
42735 + movl %eax,%gs
42736 + lldt %ax
42737 +@@ -393,11 +469,7 @@ is386: movl $2,%ecx # set MP
42738 + movb ready, %cl
42739 + movb $1, ready
42740 + cmpb $0,%cl # the first CPU calls start_kernel
42741 +- je 1f
42742 +- movl $(__KERNEL_PERCPU), %eax
42743 +- movl %eax,%fs # set this cpu's percpu
42744 +- jmp initialize_secondary # all other CPUs call initialize_secondary
42745 +-1:
42746 ++ jne initialize_secondary # all other CPUs call initialize_secondary
42747 + #endif /* CONFIG_SMP */
42748 + jmp start_kernel
42749 +
42750 +@@ -483,8 +555,8 @@ early_page_fault:
42751 + jmp early_fault
42752 +
42753 + early_fault:
42754 +- cld
42755 + #ifdef CONFIG_PRINTK
42756 ++ cld
42757 + pusha
42758 + movl $(__KERNEL_DS),%eax
42759 + movl %eax,%ds
42760 +@@ -509,8 +581,8 @@ hlt_loop:
42761 + /* This is the default interrupt "handler" :-) */
42762 + ALIGN
42763 + ignore_int:
42764 +- cld
42765 + #ifdef CONFIG_PRINTK
42766 ++ cld
42767 + pushl %eax
42768 + pushl %ecx
42769 + pushl %edx
42770 +@@ -541,31 +613,58 @@ ignore_int:
42771 + #endif
42772 + iret
42773 +
42774 +-.section .text
42775 +-/*
42776 +- * Real beginning of normal "text" segment
42777 +- */
42778 +-ENTRY(stext)
42779 +-ENTRY(_stext)
42780 +-
42781 + /*
42782 + * BSS section
42783 + */
42784 +-.section ".bss.page_aligned","wa"
42785 ++.section .swapper_pg_dir,"a",@progbits
42786 + .align PAGE_SIZE_asm
42787 + ENTRY(swapper_pg_dir)
42788 ++#ifdef CONFIG_X86_PAE
42789 ++ .long swapper_pm_dir-__PAGE_OFFSET+1
42790 ++ .long 0
42791 ++ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
42792 ++ .long 0
42793 ++ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
42794 ++ .long 0
42795 ++ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
42796 ++ .long 0
42797 ++#else
42798 + .fill 1024,4,0
42799 ++#endif
42800 ++
42801 ++.section .swapper_pm_dir,"a",@progbits
42802 ++#ifdef CONFIG_X86_PAE
42803 ++ENTRY(swapper_pm_dir)
42804 ++ .fill 512,8,0
42805 ++ .fill 512,8,0
42806 ++ .fill 512,8,0
42807 ++ .fill 512,8,0
42808 ++#endif
42809 ++
42810 + ENTRY(swapper_pg_pmd)
42811 + .fill 1024,4,0
42812 ++
42813 ++.section .empty_zero_page,"a",@progbits
42814 + ENTRY(empty_zero_page)
42815 + .fill 4096,1,0
42816 +
42817 + /*
42818 ++ * The IDT has to be page-aligned to simplify the Pentium
42819 ++ * F0 0F bug workaround.. We have a special link segment
42820 ++ * for this.
42821 ++ */
42822 ++.section .idt,"a",@progbits
42823 ++ENTRY(idt_table)
42824 ++ .fill 256,8,0
42825 ++
42826 ++/*
42827 + * This starts the data section.
42828 + */
42829 + .data
42830 ++
42831 ++.section .rodata,"a",@progbits
42832 + ENTRY(stack_start)
42833 +- .long init_thread_union+THREAD_SIZE
42834 ++ .long init_thread_union+THREAD_SIZE-8
42835 + .long __BOOT_DS
42836 +
42837 + ready: .byte 0
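Review bot: `.section .swapper_pm_dir,"a",@progbits` has no `.align PAGE_SIZE_asm` before ENTRY(swapper_pm_dir), unlike swapper_pg_dir a few lines up; the PDPT entries (`swapper_pm_dir-__PAGE_OFFSET+1`, `+512*8`, ...) require page-aligned pmd pages, so either add the directive or comment that the linker script guarantees the alignment. The `.data` directive left immediately before `.section .rodata,"a",@progbits` is now dead and should go. Moving stack_start into .rodata also means whatever updates it for secondary CPUs at bring-up must do so through the KERNEXEC open/close path, which should be noted next to the definition.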
42838 +@@ -615,7 +714,7 @@ idt_descr:
42839 + .word 0 # 32 bit align gdt_desc.address
42840 + ENTRY(early_gdt_descr)
42841 + .word GDT_ENTRIES*8-1
42842 +- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
42843 ++ .long cpu_gdt_table /* Overwritten for secondary CPUs */
42844 +
42845 + /*
42846 + * The boot_gdt must mirror the equivalent in setup.S and is
42847 +@@ -624,5 +723,61 @@ ENTRY(early_gdt_descr)
42848 + .align L1_CACHE_BYTES
42849 + ENTRY(boot_gdt)
42850 + .fill GDT_ENTRY_BOOT_CS,8,0
42851 +- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
42852 +- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
42853 ++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
42854 ++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
42855 ++
42856 ++ .align PAGE_SIZE_asm
42857 ++ENTRY(cpu_gdt_table)
42858 ++ .quad 0x0000000000000000 /* NULL descriptor */
42859 ++ .quad 0x0000000000000000 /* 0x0b reserved */
42860 ++ .quad 0x0000000000000000 /* 0x13 reserved */
42861 ++ .quad 0x0000000000000000 /* 0x1b reserved */
42862 ++ .quad 0x0000000000000000 /* 0x20 unused */
42863 ++ .quad 0x0000000000000000 /* 0x28 unused */
42864 ++ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
42865 ++ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
42866 ++ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
42867 ++ .quad 0x0000000000000000 /* 0x4b reserved */
42868 ++ .quad 0x0000000000000000 /* 0x53 reserved */
42869 ++ .quad 0x0000000000000000 /* 0x5b reserved */
42870 ++
42871 ++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
42872 ++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
42873 ++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
42874 ++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
42875 ++
42876 ++ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
42877 ++ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
42878 ++
42879 ++ /*
42880 ++ * Segments used for calling PnP BIOS have byte granularity.
42881 ++ * The code segments and data segments have fixed 64k limits,
42882 ++ * the transfer segment sizes are set at run time.
42883 ++ */
42884 ++ .quad 0x00409b000000ffff /* 0x90 32-bit code */
42885 ++ .quad 0x00009b000000ffff /* 0x98 16-bit code */
42886 ++ .quad 0x000093000000ffff /* 0xa0 16-bit data */
42887 ++ .quad 0x0000930000000000 /* 0xa8 16-bit data */
42888 ++ .quad 0x0000930000000000 /* 0xb0 16-bit data */
42889 ++
42890 ++ /*
42891 ++ * The APM segments have byte granularity and their bases
42892 ++ * are set at run time. All have 64k limits.
42893 ++ */
42894 ++ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
42895 ++ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
42896 ++ .quad 0x004093000000ffff /* 0xc8 APM DS data */
42897 ++
42898 ++ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
42899 ++ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
42900 ++ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
42901 ++ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
42902 ++ .quad 0x0000000000000000 /* 0xf0 - unused */
42903 ++ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
42904 ++
42905 ++ /* Be sure this is zeroed to avoid false validations in Xen */
42906 ++ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
42907 ++
42908 ++#ifdef CONFIG_SMP
42909 ++ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
42910 ++#endif
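Review bot: `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` pads by (PAGE_SIZE - GDT_ENTRIES) bytes, but the table above it is GDT_ENTRIES * 8 bytes long, so the BSP's GDT plus padding is 224 bytes longer than a page; the head_64.S hunk gets this right with `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0`, and FIXUP_ESPFIX_STACK in entry_32.S locates CPU n's GDT at cpu_gdt_table + (n << PAGE_SHIFT_asm), so the padding here should be `.fill PAGE_SIZE_asm / 8 - GDT_ENTRIES,8,0` (or `PAGE_SIZE_asm - GDT_SIZE,1,0`) to keep each per-CPU GDT on its own page.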
42911 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head64.c linux-2.6.24.5/arch/x86/kernel/head64.c
42912 +--- linux-2.6.24.5/arch/x86/kernel/head64.c 2008-03-24 14:49:18.000000000 -0400
42913 ++++ linux-2.6.24.5/arch/x86/kernel/head64.c 2008-03-26 20:21:08.000000000 -0400
42914 +@@ -24,7 +24,7 @@ static void __init zap_identity_mappings
42915 + {
42916 + pgd_t *pgd = pgd_offset_k(0UL);
42917 + pgd_clear(pgd);
42918 +- __flush_tlb();
42919 ++ __flush_tlb_all();
42920 + }
42921 +
42922 + /* Don't add a printk in there. printk relies on the PDA which is not initialized
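Review bot: Switching zap_identity_mappings() to __flush_tlb_all() is right if the identity-mapped pages were installed with _PAGE_GLOBAL, since plain __flush_tlb() leaves global entries cached and a stale identity mapping would keep NULL-page accesses from faulting; a one-line comment saying so would stop someone reverting it as a "cheaper" flush.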
42923 +@@ -56,16 +56,17 @@ void __init x86_64_start_kernel(char * r
42924 + /* Make NULL pointers segfault */
42925 + zap_identity_mappings();
42926 +
42927 ++ for (i = 0; i < NR_CPUS; i++)
42928 ++ cpu_pda(i) = &boot_cpu_pda[i];
42929 ++
42930 ++ pda_init(0);
42931 ++
42932 + for (i = 0; i < IDT_ENTRIES; i++)
42933 + set_intr_gate(i, early_idt_handler);
42934 + load_idt((const struct desc_ptr *)&idt_descr);
42935 +
42936 + early_printk("Kernel alive\n");
42937 +
42938 +- for (i = 0; i < NR_CPUS; i++)
42939 +- cpu_pda(i) = &boot_cpu_pda[i];
42940 +-
42941 +- pda_init(0);
42942 + copy_bootdata(__va(real_mode_data));
42943 + #ifdef CONFIG_SMP
42944 + cpu_set(0, cpu_online_map);
42945 +diff -urNp linux-2.6.24.5/arch/x86/kernel/head_64.S linux-2.6.24.5/arch/x86/kernel/head_64.S
42946 +--- linux-2.6.24.5/arch/x86/kernel/head_64.S 2008-03-24 14:49:18.000000000 -0400
42947 ++++ linux-2.6.24.5/arch/x86/kernel/head_64.S 2008-03-26 20:21:08.000000000 -0400
42948 +@@ -173,6 +173,10 @@ ENTRY(secondary_startup_64)
42949 + btl $20,%edi /* No Execute supported? */
42950 + jnc 1f
42951 + btsl $_EFER_NX, %eax
42952 ++ movq $(init_level4_pgt), %rdi
42953 ++ addq phys_base(%rip), %rdi
42954 ++ btsq $_PAGE_BIT_NX, 8*258(%rdi)
42955 ++ btsq $_PAGE_BIT_NX, 8*388(%rdi)
42956 + 1: wrmsr /* Make changes effective */
42957 +
42958 + /* Setup cr0 */
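Review bot: The NX bit is set on init_level4_pgt entries 258 and 388 (the second identity slot and the new level3_vmalloc_pgt slot, per the page-table hunk below) but not on entry 0; if that is because entry 0 is cleared by zap_identity_mappings() in head64.c before any user code runs, a comment should say so, because an identity mapping that is both present and executable is exactly what KERNEXEC exists to remove. The bare offsets `8*258` and `8*388` should also be derived from the same expressions that lay out the table, so the two cannot drift apart.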
42959 +@@ -242,24 +246,25 @@ ENTRY(secondary_startup_64)
42960 + pushq %rax # target address in negative space
42961 + lretq
42962 +
42963 ++bad_address:
42964 ++ jmp bad_address
42965 ++
42966 + /* SMP bootup changes these two */
42967 +-#ifndef CONFIG_HOTPLUG_CPU
42968 +- .pushsection .init.data
42969 ++#ifdef CONFIG_HOTPLUG_CPU
42970 ++ __INITDATA_REFOK
42971 ++#else
42972 ++ __INITDATA
42973 + #endif
42974 + .align 8
42975 + .globl initial_code
42976 + initial_code:
42977 + .quad x86_64_start_kernel
42978 +-#ifndef CONFIG_HOTPLUG_CPU
42979 +- .popsection
42980 +-#endif
42981 ++
42982 + .globl init_rsp
42983 + init_rsp:
42984 + .quad init_thread_union+THREAD_SIZE-8
42985 +
42986 +-bad_address:
42987 +- jmp bad_address
42988 +-
42989 ++ __INIT
42990 + ENTRY(early_idt_handler)
42991 + cmpl $2,early_recursion_flag(%rip)
42992 + jz 1f
42993 +@@ -280,9 +285,12 @@ ENTRY(early_idt_handler)
42994 + #endif
42995 + 1: hlt
42996 + jmp 1b
42997 ++
42998 ++ __INITDATA
42999 + early_recursion_flag:
43000 + .long 0
43001 +
43002 ++ .section .rodata,"a",@progbits
43003 + early_idt_msg:
43004 + .asciz "PANIC: early exception rip %lx error %lx cr2 %lx\n"
43005 + early_idt_ripmsg:
43006 +@@ -312,7 +320,9 @@ NEXT_PAGE(init_level4_pgt)
43007 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43008 + .fill 257,8,0
43009 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43010 +- .fill 252,8,0
43011 ++ .fill 129,8,0
43012 ++ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
43013 ++ .fill 122,8,0
43014 + /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
43015 + .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
43016 +
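Review bot: The fill counts in init_level4_pgt (1 + 257 + 1 + 129 + 1 + 122 + 1 = 512) add up, but the index of level3_vmalloc_pgt (entry 388) is implicit here and hard-coded as `8*388` in the NX hunk above; an explicit comment with the index, or a shared symbol used by both, would prevent them going out of sync.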
43017 +@@ -320,6 +330,9 @@ NEXT_PAGE(level3_ident_pgt)
43018 + .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
43019 + .fill 511,8,0
43020 +
43021 ++NEXT_PAGE(level3_vmalloc_pgt)
43022 ++ .fill 512,8,0
43023 ++
43024 + NEXT_PAGE(level3_kernel_pgt)
43025 + .fill 510,8,0
43026 + /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
43027 +@@ -355,19 +368,12 @@ NEXT_PAGE(level2_spare_pgt)
43028 + #undef PMDS
43029 + #undef NEXT_PAGE
43030 +
43031 +- .data
43032 + .align 16
43033 + .globl cpu_gdt_descr
43034 + cpu_gdt_descr:
43035 +- .word gdt_end-cpu_gdt_table-1
43036 ++ .word GDT_SIZE-1
43037 + gdt:
43038 + .quad cpu_gdt_table
43039 +-#ifdef CONFIG_SMP
43040 +- .rept NR_CPUS-1
43041 +- .word 0
43042 +- .quad 0
43043 +- .endr
43044 +-#endif
43045 +
43046 + ENTRY(phys_base)
43047 + /* This must match the first entry in level2_kernel_pgt */
43048 +@@ -377,8 +383,7 @@ ENTRY(phys_base)
43049 + * IRET will check the segment types kkeil 2000/10/28
43050 + * Also sysret mandates a special GDT layout
43051 + */
43052 +-
43053 +- .section .data.page_aligned, "aw"
43054 ++
43055 + .align PAGE_SIZE
43056 +
43057 + /* The TLS descriptors are currently at a different place compared to i386.
43058 +@@ -397,15 +402,15 @@ ENTRY(cpu_gdt_table)
43059 + .quad 0,0 /* LDT */
43060 + .quad 0,0,0 /* three TLS descriptors */
43061 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
43062 +-gdt_end:
43063 + /* asm/segment.h:GDT_ENTRIES must match this */
43064 + /* This should be a multiple of the cache line size */
43065 +- /* GDTs of other CPUs are now dynamically allocated */
43066 +
43067 + /* zero the remaining page */
43068 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
43069 ++#ifdef CONFIG_SMP
43070 ++ .fill (NR_CPUS-1) * (PAGE_SIZE),1,0 /* other CPU's GDT */
43071 ++#endif
43072 +
43073 +- .section .bss, "aw", @nobits
43074 + .align L1_CACHE_BYTES
43075 + ENTRY(idt_table)
43076 + .skip 256 * 16
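Review bot: Removing `.section .bss, "aw", @nobits` before ENTRY(idt_table) moves the 4 KiB IDT into whatever section is current at that point (the initialised data following cpu_gdt_table) rather than .bss, which grows the image and changes its protection; if the intent is a read-only IDT under KERNEXEC, as head_32.S does with `.section .idt,"a",@progbits`, that directive is missing here, and if not, the .bss placement should stay. The `.word GDT_SIZE-1` descriptor limit also agrees with the `PAGE_SIZE / 8 - GDT_ENTRIES` padding only if GDT_SIZE == GDT_ENTRIES * 8, which is worth asserting.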
43077 +diff -urNp linux-2.6.24.5/arch/x86/kernel/hpet.c linux-2.6.24.5/arch/x86/kernel/hpet.c
43078 +--- linux-2.6.24.5/arch/x86/kernel/hpet.c 2008-03-24 14:49:18.000000000 -0400
43079 ++++ linux-2.6.24.5/arch/x86/kernel/hpet.c 2008-03-26 20:21:08.000000000 -0400
43080 +@@ -137,7 +137,7 @@ static void hpet_reserve_platform_timers
43081 + hd.hd_irq[1] = HPET_LEGACY_RTC;
43082 +
43083 + for (i = 2; i < nrtimers; timer++, i++)
43084 +- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
43085 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
43086 + Tn_INT_ROUTE_CNF_SHIFT;
43087 +
43088 + hpet_alloc(&hd);
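Review bot: `timer->hpet_config` is an MMIO register, so the plain dereference was an ordinary memory read the compiler is free to cache or reorder; `readl(&timer->hpet_config)` is the correct accessor. Check the rest of hpet.c for other bare `->hpet_config` reads in the same style so the fix is complete.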
43089 +diff -urNp linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c
43090 +--- linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c 2008-03-24 14:49:18.000000000 -0400
43091 ++++ linux-2.6.24.5/arch/x86/kernel/i386_ksyms_32.c 2008-03-26 20:21:08.000000000 -0400
43092 +@@ -4,12 +4,16 @@
43093 + #include <asm/desc.h>
43094 + #include <asm/pgtable.h>
43095 +
43096 ++EXPORT_SYMBOL_GPL(cpu_gdt_table);
43097 ++
43098 + EXPORT_SYMBOL(__down_failed);
43099 + EXPORT_SYMBOL(__down_failed_interruptible);
43100 + EXPORT_SYMBOL(__down_failed_trylock);
43101 + EXPORT_SYMBOL(__up_wakeup);
43102 + /* Networking helper routines. */
43103 + EXPORT_SYMBOL(csum_partial_copy_generic);
43104 ++EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
43105 ++EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
43106 +
43107 + EXPORT_SYMBOL(__get_user_1);
43108 + EXPORT_SYMBOL(__get_user_2);
43109 +@@ -31,3 +35,7 @@ EXPORT_SYMBOL(__read_lock_failed);
43110 +
43111 + EXPORT_SYMBOL(csum_partial);
43112 + EXPORT_SYMBOL(empty_zero_page);
43113 ++
43114 ++#ifdef CONFIG_PAX_KERNEXEC
43115 ++EXPORT_SYMBOL(KERNEL_TEXT_OFFSET);
43116 ++#endif
43117 +diff -urNp linux-2.6.24.5/arch/x86/kernel/init_task.c linux-2.6.24.5/arch/x86/kernel/init_task.c
43118 +--- linux-2.6.24.5/arch/x86/kernel/init_task.c 2008-03-24 14:49:18.000000000 -0400
43119 ++++ linux-2.6.24.5/arch/x86/kernel/init_task.c 2008-03-26 20:21:08.000000000 -0400
43120 +@@ -43,5 +43,4 @@ EXPORT_SYMBOL(init_task);
43121 + * section. Since TSS's are completely CPU-local, we want them
43122 + * on exact cacheline boundaries, to eliminate cacheline ping-pong.
43123 + */
43124 +-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
43125 +-
43126 ++struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
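Review bot: Replacing DEFINE_PER_CPU_SHARED_ALIGNED with a plain array loses the per-element alignment the comment directly above still promises ("on exact cacheline boundaries"): ____cacheline_internodealigned_in_smp aligns only the start of init_tss[], so element n is cacheline-aligned only if sizeof(struct tss_struct) is a multiple of the line size. Either pad the struct or update the comment; and since the asm and C sides (`imul $TSS_size, ...` in entry_64.S, `init_tss + get_cpu()` in ioport) index by sizeof, any padding has to live inside the struct, not on the array.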
43127 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ioport_32.c linux-2.6.24.5/arch/x86/kernel/ioport_32.c
43128 +--- linux-2.6.24.5/arch/x86/kernel/ioport_32.c 2008-03-24 14:49:18.000000000 -0400
43129 ++++ linux-2.6.24.5/arch/x86/kernel/ioport_32.c 2008-03-26 20:21:08.000000000 -0400
43130 +@@ -14,6 +14,7 @@
43131 + #include <linux/slab.h>
43132 + #include <linux/thread_info.h>
43133 + #include <linux/syscalls.h>
43134 ++#include <linux/grsecurity.h>
43135 +
43136 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
43137 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
43138 +@@ -62,9 +63,16 @@ asmlinkage long sys_ioperm(unsigned long
43139 +
43140 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
43141 + return -EINVAL;
43142 ++#ifdef CONFIG_GRKERNSEC_IO
43143 ++ if (turn_on) {
43144 ++ gr_handle_ioperm();
43145 ++#else
43146 + if (turn_on && !capable(CAP_SYS_RAWIO))
43147 ++#endif
43148 + return -EPERM;
43149 +-
43150 ++#ifdef CONFIG_GRKERNSEC_IO
43151 ++ }
43152 ++#endif
43153 + /*
43154 + * If it's the first ioperm() call in this thread's lifetime, set the
43155 + * IO bitmap up. ioperm() is much less timing critical than clone(),
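Review bot: Under CONFIG_GRKERNSEC_IO the `if (turn_on) {` / `#else` / `if (turn_on && !capable(CAP_SYS_RAWIO))` / `#endif` / `return -EPERM;` / `#ifdef ... }` construction splits one statement and an unbalanced brace across preprocessor branches, which is easy to misread and defeats brace-matching tools; write two complete blocks instead, i.e. `#ifdef CONFIG_GRKERNSEC_IO` `if (turn_on) { gr_handle_ioperm(); return -EPERM; }` `#else if (turn_on && !capable(CAP_SYS_RAWIO)) return -EPERM; #endif`. Behaviourally this denies every ioperm() enable request even to CAP_SYS_RAWIO holders while still allowing disables, which is the intended hardening but should be spelled out in the GRKERNSEC_IO Kconfig help (the same applies to the sys_iopl and ioport_64.c hunks).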
43156 +@@ -87,7 +95,7 @@ asmlinkage long sys_ioperm(unsigned long
43157 + * because the ->io_bitmap_max value must match the bitmap
43158 + * contents:
43159 + */
43160 +- tss = &per_cpu(init_tss, get_cpu());
43161 ++ tss = init_tss + get_cpu();
43162 +
43163 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
43164 +
43165 +@@ -141,8 +149,13 @@ asmlinkage long sys_iopl(unsigned long u
43166 + return -EINVAL;
43167 + /* Trying to gain more privileges? */
43168 + if (level > old) {
43169 ++#ifdef CONFIG_GRKERNSEC_IO
43170 ++ gr_handle_iopl();
43171 ++ return -EPERM;
43172 ++#else
43173 + if (!capable(CAP_SYS_RAWIO))
43174 + return -EPERM;
43175 ++#endif
43176 + }
43177 + t->iopl = level << 12;
43178 + regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
43179 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ioport_64.c linux-2.6.24.5/arch/x86/kernel/ioport_64.c
43180 +--- linux-2.6.24.5/arch/x86/kernel/ioport_64.c 2008-03-24 14:49:18.000000000 -0400
43181 ++++ linux-2.6.24.5/arch/x86/kernel/ioport_64.c 2008-03-26 20:21:08.000000000 -0400
43182 +@@ -14,6 +14,7 @@
43183 + #include <linux/slab.h>
43184 + #include <linux/thread_info.h>
43185 + #include <linux/syscalls.h>
43186 ++#include <linux/grsecurity.h>
43187 +
43188 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
43189 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
43190 +@@ -39,8 +40,17 @@ asmlinkage long sys_ioperm(unsigned long
43191 +
43192 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
43193 + return -EINVAL;
43194 ++
43195 ++#ifdef CONFIG_GRKERNSEC_IO
43196 ++ if (turn_on) {
43197 ++ gr_handle_ioperm();
43198 ++#else
43199 + if (turn_on && !capable(CAP_SYS_RAWIO))
43200 ++#endif
43201 + return -EPERM;
43202 ++#ifdef CONFIG_GRKERNSEC_IO
43203 ++ }
43204 ++#endif
43205 +
43206 + /*
43207 + * If it's the first ioperm() call in this thread's lifetime, set the
43208 +@@ -64,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
43209 + * because the ->io_bitmap_max value must match the bitmap
43210 + * contents:
43211 + */
43212 +- tss = &per_cpu(init_tss, get_cpu());
43213 ++ tss = init_tss + get_cpu();
43214 +
43215 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
43216 +
43217 +@@ -109,8 +119,13 @@ asmlinkage long sys_iopl(unsigned int le
43218 + return -EINVAL;
43219 + /* Trying to gain more privileges? */
43220 + if (level > old) {
43221 ++#ifdef CONFIG_GRKERNSEC_IO
43222 ++ gr_handle_iopl();
43223 ++ return -EPERM;
43224 ++#else
43225 + if (!capable(CAP_SYS_RAWIO))
43226 + return -EPERM;
43227 ++#endif
43228 + }
43229 + regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
43230 + return 0;
43231 +diff -urNp linux-2.6.24.5/arch/x86/kernel/irq_32.c linux-2.6.24.5/arch/x86/kernel/irq_32.c
43232 +--- linux-2.6.24.5/arch/x86/kernel/irq_32.c 2008-03-24 14:49:18.000000000 -0400
43233 ++++ linux-2.6.24.5/arch/x86/kernel/irq_32.c 2008-03-26 20:21:08.000000000 -0400
43234 +@@ -115,7 +115,7 @@ fastcall unsigned int do_IRQ(struct pt_r
43235 + int arg1, arg2, ebx;
43236 +
43237 + /* build the stack frame on the IRQ stack */
43238 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
43239 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
43240 + irqctx->tinfo.task = curctx->tinfo.task;
43241 + irqctx->tinfo.previous_esp = current_stack_pointer;
43242 +
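Review bot: `sizeof(*irqctx) - 8` reserves 8 bytes at the top of the IRQ stack (and of the softirq stack in the next hunk), matching the `init_thread_union+THREAD_SIZE-8` change to stack_start in head_32.S, but none of the three sites says why; a comment at one of them explaining what those 8 bytes are for, and that all three must agree, would keep a future cleanup from "fixing" one of them back.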
43243 +@@ -211,7 +211,7 @@ asmlinkage void do_softirq(void)
43244 + irqctx->tinfo.previous_esp = current_stack_pointer;
43245 +
43246 + /* build the stack frame on the softirq stack */
43247 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
43248 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx) - 8);
43249 +
43250 + asm volatile(
43251 + " xchgl %%ebx,%%esp \n"
43252 +diff -urNp linux-2.6.24.5/arch/x86/kernel/kprobes_32.c linux-2.6.24.5/arch/x86/kernel/kprobes_32.c
43253 +--- linux-2.6.24.5/arch/x86/kernel/kprobes_32.c 2008-03-24 14:49:18.000000000 -0400
43254 ++++ linux-2.6.24.5/arch/x86/kernel/kprobes_32.c 2008-03-26 20:21:08.000000000 -0400
43255 +@@ -55,9 +55,24 @@ static __always_inline void set_jmp_op(v
43256 + char op;
43257 + long raddr;
43258 + } __attribute__((packed)) *jop;
43259 +- jop = (struct __arch_jmp_op *)from;
43260 ++
43261 ++#ifdef CONFIG_PAX_KERNEXEC
43262 ++ unsigned long cr0;
43263 ++#endif
43264 ++
43265 ++ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
43266 ++
43267 ++#ifdef CONFIG_PAX_KERNEXEC
43268 ++ pax_open_kernel(cr0);
43269 ++#endif
43270 ++
43271 + jop->raddr = (long)(to) - ((long)(from) + 5);
43272 + jop->op = RELATIVEJUMP_INSTRUCTION;
43273 ++
43274 ++#ifdef CONFIG_PAX_KERNEXEC
43275 ++ pax_close_kernel(cr0);
43276 ++#endif
43277 ++
43278 + }
43279 +
43280 + /*
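Review bot: in set_jmp_op the displacement `jop->raddr = (long)(to) - ((long)(from) + 5)` is computed from the original `from`, while the store goes through the `ktla_ktva(from)` alias. That is the correct pairing (a relative jump must be relative to the address the CPU executes, not to the writable alias), but it deserves a one-line comment, because a later cleanup that "consistently" uses the alias in both places would silently produce a wrong displacement. The pax_open_kernel()/pax_close_kernel() pair is tightly scoped around the two stores with no early return between them, which is the right shape for a write-protection window.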
43281 +@@ -159,14 +174,28 @@ static int __kprobes is_IF_modifier(kpro
43282 +
43283 + int __kprobes arch_prepare_kprobe(struct kprobe *p)
43284 + {
43285 ++
43286 ++#ifdef CONFIG_PAX_KERNEXEC
43287 ++ unsigned long cr0;
43288 ++#endif
43289 ++
43290 + /* insn: must be on special executable page on i386. */
43291 + p->ainsn.insn = get_insn_slot();
43292 + if (!p->ainsn.insn)
43293 + return -ENOMEM;
43294 +
43295 +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
43296 +- p->opcode = *p->addr;
43297 +- if (can_boost(p->addr)) {
43298 ++#ifdef CONFIG_PAX_KERNEXEC
43299 ++ pax_open_kernel(cr0);
43300 ++#endif
43301 ++
43302 ++ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
43303 ++
43304 ++#ifdef CONFIG_PAX_KERNEXEC
43305 ++ pax_close_kernel(cr0);
43306 ++#endif
43307 ++
43308 ++ p->opcode = *(ktla_ktva(p->addr));
43309 ++ if (can_boost(ktla_ktva(p->addr))) {
43310 + p->ainsn.boostable = 0;
43311 + } else {
43312 + p->ainsn.boostable = -1;
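Review bot: `ktla_ktva(p->addr)` is evaluated three times in arch_prepare_kprobe (memcpy source, `p->opcode`, `can_boost()`); hoisting it into a local would make the window between pax_open_kernel() and pax_close_kernel() read more clearly and avoid repeating the translation. The early `return -ENOMEM` sits before pax_open_kernel(), so no error path leaves the kernel writable, which is as it should be.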
43313 +@@ -225,7 +254,7 @@ static void __kprobes prepare_singlestep
43314 + if (p->opcode == BREAKPOINT_INSTRUCTION)
43315 + regs->eip = (unsigned long)p->addr;
43316 + else
43317 +- regs->eip = (unsigned long)p->ainsn.insn;
43318 ++ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
43319 + }
43320 +
43321 + /* Called with kretprobe_lock held */
43322 +@@ -331,7 +360,7 @@ ss_probe:
43323 + if (p->ainsn.boostable == 1 && !p->post_handler){
43324 + /* Boost up -- we can execute copied instructions directly */
43325 + reset_current_kprobe();
43326 +- regs->eip = (unsigned long)p->ainsn.insn;
43327 ++ regs->eip = ktva_ktla((unsigned long)p->ainsn.insn);
43328 + preempt_enable_no_resched();
43329 + return 1;
43330 + }
43331 +@@ -481,7 +510,7 @@ static void __kprobes resume_execution(s
43332 + struct pt_regs *regs, struct kprobe_ctlblk *kcb)
43333 + {
43334 + unsigned long *tos = (unsigned long *)&regs->esp;
43335 +- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
43336 ++ unsigned long copy_eip = ktva_ktla((unsigned long)p->ainsn.insn);
43337 + unsigned long orig_eip = (unsigned long)p->addr;
43338 +
43339 + regs->eflags &= ~TF_MASK;
43340 +@@ -655,7 +684,7 @@ int __kprobes kprobe_exceptions_notify(s
43341 + struct die_args *args = (struct die_args *)data;
43342 + int ret = NOTIFY_DONE;
43343 +
43344 +- if (args->regs && user_mode_vm(args->regs))
43345 ++ if (args->regs && user_mode(args->regs))
43346 + return ret;
43347 +
43348 + switch (val) {
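Review bot: `user_mode_vm(args->regs)` is replaced by `user_mode(args->regs)` here, and the same substitution appears in __show_registers (process_32.c) and send_sigtrap (ptrace_32.c). user_mode_vm() additionally treats a VM86 frame as user mode, so unless VM86 is disabled or user_mode() is redefined under this configuration (neither is visible in these hunks), a kprobe hit while a vm86 task is running would be handled as a kernel-mode event. The commit message should state which of the two holds.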
43349 +diff -urNp linux-2.6.24.5/arch/x86/kernel/kprobes_64.c linux-2.6.24.5/arch/x86/kernel/kprobes_64.c
43350 +--- linux-2.6.24.5/arch/x86/kernel/kprobes_64.c 2008-03-24 14:49:18.000000000 -0400
43351 ++++ linux-2.6.24.5/arch/x86/kernel/kprobes_64.c 2008-03-26 20:21:08.000000000 -0400
43352 +@@ -190,7 +190,19 @@ static s32 __kprobes *is_riprel(u8 *insn
43353 + static void __kprobes arch_copy_kprobe(struct kprobe *p)
43354 + {
43355 + s32 *ripdisp;
43356 ++
43357 ++#ifdef CONFIG_PAX_KERNEXEC
43358 ++ unsigned long cr0;
43359 ++
43360 ++ pax_open_kernel(cr0);
43361 ++#endif
43362 ++
43363 + memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE);
43364 ++
43365 ++#ifdef CONFIG_PAX_KERNEXEC
43366 ++ pax_close_kernel(cr0);
43367 ++#endif
43368 ++
43369 + ripdisp = is_riprel(p->ainsn.insn);
43370 + if (ripdisp) {
43371 + /*
43372 +@@ -208,7 +220,17 @@ static void __kprobes arch_copy_kprobe(s
43373 + */
43374 + s64 disp = (u8 *) p->addr + *ripdisp - (u8 *) p->ainsn.insn;
43375 + BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
43376 ++
43377 ++#ifdef CONFIG_PAX_KERNEXEC
43378 ++ pax_open_kernel(cr0);
43379 ++#endif
43380 ++
43381 + *ripdisp = disp;
43382 ++
43383 ++#ifdef CONFIG_PAX_KERNEXEC
43384 ++ pax_close_kernel(cr0);
43385 ++#endif
43386 ++
43387 + }
43388 + p->opcode = *p->addr;
43389 + }
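Review bot: the 64-bit arch_copy_kprobe reads `p->addr` directly (`memcpy(p->ainsn.insn, p->addr, ...)`, `p->opcode = *p->addr;`) whereas the 32-bit counterpart translates every read through ktla_ktva(); if the translation is the identity on x86_64 in this patch, a short comment at the first access would save the next reader from checking. Two separate pax_open_kernel()/pax_close_kernel() windows are opened in one function (around the memcpy and around `*ripdisp = disp`); keeping them separate is the safer choice, since the BUG_ON() between them then runs with write protection still enforced.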
43390 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ldt_32.c linux-2.6.24.5/arch/x86/kernel/ldt_32.c
43391 +--- linux-2.6.24.5/arch/x86/kernel/ldt_32.c 2008-03-24 14:49:18.000000000 -0400
43392 ++++ linux-2.6.24.5/arch/x86/kernel/ldt_32.c 2008-03-26 20:21:08.000000000 -0400
43393 +@@ -56,7 +56,7 @@ static int alloc_ldt(mm_context_t *pc, i
43394 + #ifdef CONFIG_SMP
43395 + cpumask_t mask;
43396 + preempt_disable();
43397 +- load_LDT(pc);
43398 ++ load_LDT_nolock(pc);
43399 + mask = cpumask_of_cpu(smp_processor_id());
43400 + if (!cpus_equal(current->mm->cpu_vm_mask, mask))
43401 + smp_call_function(flush_ldt, NULL, 1, 1);
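Review bot: `load_LDT(pc)` becomes `load_LDT_nolock(pc)` inside the preempt_disable() section, which implies the caller already holds the context lock (init_new_context in the next hunk does its copy under `old_mm->context.lock`). alloc_ldt() should carry a comment stating that requirement; otherwise a future caller that reaches it without the mutex gets a silent locking bug rather than a deadlock it would notice.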
43402 +@@ -100,6 +100,22 @@ int init_new_context(struct task_struct
43403 + retval = copy_ldt(&mm->context, &old_mm->context);
43404 + mutex_unlock(&old_mm->context.lock);
43405 + }
43406 ++
43407 ++ if (tsk == current) {
43408 ++ mm->context.vdso = ~0UL;
43409 ++
43410 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43411 ++ mm->context.user_cs_base = 0UL;
43412 ++ mm->context.user_cs_limit = ~0UL;
43413 ++
43414 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
43415 ++ cpus_clear(mm->context.cpu_user_cs_mask);
43416 ++#endif
43417 ++
43418 ++#endif
43419 ++
43420 ++ }
43421 ++
43422 + return retval;
43423 + }
43424 +
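Review bot: the new `if (tsk == current)` block in init_new_context initialises mm->context.vdso to the sentinel `~0UL` and resets the SEGMEXEC/PAGEEXEC code-segment bounds (`user_cs_base = 0UL`, `user_cs_limit = ~0UL`), but nothing says what `~0UL` means for vdso (no vDSO mapped yet?) nor why the initialisation is skipped when `tsk != current`. A short comment on both, and moving the nested `#if defined(...)` blocks into a small helper, would make this readable; as written, the blank lines between the `#if`/`#endif` pairs are easy to misparse.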
43425 +@@ -210,6 +226,13 @@ static int write_ldt(void __user * ptr,
43426 + }
43427 + }
43428 +
43429 ++#ifdef CONFIG_PAX_SEGMEXEC
43430 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
43431 ++ error = -EINVAL;
43432 ++ goto out_unlock;
43433 ++ }
43434 ++#endif
43435 ++
43436 + entry_1 = LDT_entry_a(&ldt_info);
43437 + entry_2 = LDT_entry_b(&ldt_info);
43438 + if (oldmode)
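Review bot: the SEGMEXEC guard `(mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)` is repeated verbatim in copy_thread and sys_set_thread_area (process_32.c) and in ptrace_set_thread_area (ptrace_32.c). Refusing user-supplied code descriptors under SEGMEXEC is a security check that must stay in sync across all four sites; factoring it into one inline helper, with a one-line comment on why a code descriptor is rejected, would prevent one copy being dropped or weakened later. Note also that three sites return -EINVAL while copy_thread uses `goto out`, so the error reported differs by path.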
43439 +diff -urNp linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c
43440 +--- linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c 2008-03-24 14:49:18.000000000 -0400
43441 ++++ linux-2.6.24.5/arch/x86/kernel/machine_kexec_32.c 2008-03-26 20:21:08.000000000 -0400
43442 +@@ -30,25 +30,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
43443 + static u32 kexec_pte0[1024] PAGE_ALIGNED;
43444 + static u32 kexec_pte1[1024] PAGE_ALIGNED;
43445 +
43446 +-static void set_idt(void *newidt, __u16 limit)
43447 ++static void set_idt(struct desc_struct *newidt, __u16 limit)
43448 + {
43449 + struct Xgt_desc_struct curidt;
43450 +
43451 + /* ia32 supports unaliged loads & stores */
43452 + curidt.size = limit;
43453 +- curidt.address = (unsigned long)newidt;
43454 ++ curidt.address = newidt;
43455 +
43456 + load_idt(&curidt);
43457 + };
43458 +
43459 +
43460 +-static void set_gdt(void *newgdt, __u16 limit)
43461 ++static void set_gdt(struct desc_struct *newgdt, __u16 limit)
43462 + {
43463 + struct Xgt_desc_struct curgdt;
43464 +
43465 + /* ia32 supports unaligned loads & stores */
43466 + curgdt.size = limit;
43467 +- curgdt.address = (unsigned long)newgdt;
43468 ++ curgdt.address = newgdt;
43469 +
43470 + load_gdt(&curgdt);
43471 + };
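Review bot: changing set_idt()/set_gdt() to take `struct desc_struct *` and assigning `curidt.address = newidt` without a cast only compiles if `struct Xgt_desc_struct.address` has been changed from `unsigned long` to a `struct desc_struct *` in desc.h, which is not part of this hunk; the callers of set_idt()/set_gdt() in this file must also be updated or they will now pass `void *` into a typed pointer. While these lines are being touched, the pre-existing typo "unaliged" in the set_idt comment could be corrected to match the set_gdt one.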
43472 +@@ -111,10 +111,10 @@ NORET_TYPE void machine_kexec(struct kim
43473 + local_irq_disable();
43474 +
43475 + control_page = page_address(image->control_code_page);
43476 +- memcpy(control_page, relocate_kernel, PAGE_SIZE);
43477 ++ memcpy(control_page, ktla_ktva(relocate_kernel), PAGE_SIZE);
43478 +
43479 + page_list[PA_CONTROL_PAGE] = __pa(control_page);
43480 +- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
43481 ++ page_list[VA_CONTROL_PAGE] = ktla_ktva((unsigned long)relocate_kernel);
43482 + page_list[PA_PGD] = __pa(kexec_pgd);
43483 + page_list[VA_PGD] = (unsigned long)kexec_pgd;
43484 + #ifdef CONFIG_X86_PAE
43485 +diff -urNp linux-2.6.24.5/arch/x86/kernel/Makefile_64 linux-2.6.24.5/arch/x86/kernel/Makefile_64
43486 +--- linux-2.6.24.5/arch/x86/kernel/Makefile_64 2008-03-24 14:49:18.000000000 -0400
43487 ++++ linux-2.6.24.5/arch/x86/kernel/Makefile_64 2008-03-26 20:21:08.000000000 -0400
43488 +@@ -42,4 +42,6 @@ obj-$(CONFIG_PCI) += early-quirks.o
43489 + obj-y += topology.o
43490 + obj-y += pcspeaker.o
43491 +
43492 +-CFLAGS_vsyscall_64.o := $(PROFILING) -g0
43493 ++CFLAGS_vsyscall_64.o := $(PROFILING) -g0 -fno-stack-protector
43494 ++CFLAGS_hpet.o := -fno-stack-protector
43495 ++CFLAGS_tsc_64.o := -fno-stack-protector
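Review bot: `-fno-stack-protector` is added for vsyscall_64.o, hpet.o and tsc_64.o with no comment in the Makefile. Given that the canary lives in the PDA (see the `stack_canary` handling in the process_64.c hunks), the reason is presumably that code reachable from the vsyscall page cannot access the PDA; stating that in a comment above the CFLAGS lines would document why these three objects are deliberately left unprotected rather than leaving it to look like an oversight.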
43496 +diff -urNp linux-2.6.24.5/arch/x86/kernel/module_32.c linux-2.6.24.5/arch/x86/kernel/module_32.c
43497 +--- linux-2.6.24.5/arch/x86/kernel/module_32.c 2008-03-24 14:49:18.000000000 -0400
43498 ++++ linux-2.6.24.5/arch/x86/kernel/module_32.c 2008-03-26 20:21:08.000000000 -0400
43499 +@@ -23,6 +23,8 @@
43500 + #include <linux/kernel.h>
43501 + #include <linux/bug.h>
43502 +
43503 ++#include <asm/desc.h>
43504 ++
43505 + #if 0
43506 + #define DEBUGP printk
43507 + #else
43508 +@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
43509 + {
43510 + if (size == 0)
43511 + return NULL;
43512 ++
43513 ++#ifdef CONFIG_PAX_KERNEXEC
43514 ++ return vmalloc(size);
43515 ++#else
43516 + return vmalloc_exec(size);
43517 ++#endif
43518 ++
43519 + }
43520 +
43521 ++#ifdef CONFIG_PAX_KERNEXEC
43522 ++void *module_alloc_exec(unsigned long size)
43523 ++{
43524 ++ struct vm_struct *area;
43525 ++
43526 ++ if (size == 0)
43527 ++ return NULL;
43528 ++
43529 ++ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
43530 ++ if (area)
43531 ++ return area->addr;
43532 ++
43533 ++ return NULL;
43534 ++}
43535 ++#endif
43536 +
43537 + /* Free memory returned from module_alloc */
43538 + void module_free(struct module *mod, void *module_region)
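Review bot: module_alloc_exec() returns `area->addr` straight from __get_vm_area() without mapping any pages, so it only reserves a range between MODULES_VADDR and MODULES_END; the caller must rely on that range being pre-mapped, which is not established anywhere in this hunk. A comment on the function stating that contract, and one on module_alloc() noting that under KERNEXEC it now hands out non-executable vmalloc() memory, would make the split between data and code allocations explicit. The stray blank lines inside the `#ifdef CONFIG_PAX_KERNEXEC` block in module_alloc() should also go.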
43539 +@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
43540 + table entries. */
43541 + }
43542 +
43543 ++#ifdef CONFIG_PAX_KERNEXEC
43544 ++void module_free_exec(struct module *mod, void *module_region)
43545 ++{
43546 ++ struct vm_struct **p, *tmp;
43547 ++
43548 ++ if (!module_region)
43549 ++ return;
43550 ++
43551 ++ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
43552 ++ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
43553 ++ WARN_ON(1);
43554 ++ return;
43555 ++ }
43556 ++
43557 ++ write_lock(&vmlist_lock);
43558 ++ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
43559 ++ if (tmp->addr == module_region)
43560 ++ break;
43561 ++
43562 ++ if (tmp) {
43563 ++ unsigned long cr0;
43564 ++
43565 ++ pax_open_kernel(cr0);
43566 ++ memset(tmp->addr, 0xCC, tmp->size);
43567 ++ pax_close_kernel(cr0);
43568 ++
43569 ++ *p = tmp->next;
43570 ++ kfree(tmp);
43571 ++ }
43572 ++ write_unlock(&vmlist_lock);
43573 ++
43574 ++ if (!tmp) {
43575 ++ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
43576 ++ module_region);
43577 ++ WARN_ON(1);
43578 ++ }
43579 ++}
43580 ++#endif
43581 ++
43582 + /* We don't need anything special. */
43583 + int module_frob_arch_sections(Elf_Ehdr *hdr,
43584 + Elf_Shdr *sechdrs,
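Review bot: module_free_exec() performs the pax_open_kernel()/memset()/pax_close_kernel() sequence while holding `vmlist_lock` for writing, so both the write-protection window and the lock hold time scale with `tmp->size`; that is probably unavoidable (the range must not be handed out again before it is scrubbed), but it deserves a comment so nobody "optimises" the memset out from under the lock. The `0xCC` fill is a deliberate defensive measure (stale code in a freed region traps instead of executing) and should say so in a comment. The two `printk(KERN_ERR ...)` + `WARN_ON(1)` pairs could each be a single WARN().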
43585 +@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
43586 + unsigned int i;
43587 + Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
43588 + Elf32_Sym *sym;
43589 +- uint32_t *location;
43590 ++ uint32_t *plocation, location;
43591 ++
43592 ++#ifdef CONFIG_PAX_KERNEXEC
43593 ++ unsigned long cr0;
43594 ++#endif
43595 +
43596 + DEBUGP("Applying relocate section %u to %u\n", relsec,
43597 + sechdrs[relsec].sh_info);
43598 + for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
43599 + /* This is where to make the change */
43600 +- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
43601 +- + rel[i].r_offset;
43602 ++ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
43603 ++ location = (uint32_t)plocation;
43604 ++ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
43605 ++ plocation = ktla_ktva((void *)plocation);
43606 + /* This is the symbol it is referring to. Note that all
43607 + undefined symbols have been resolved. */
43608 + sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
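Review bot: the new pair `plocation` / `location` in apply_relocate is confusing: `location` is now a `uint32_t` holding the original (execution) address captured before the ktla_ktva() translation, and `plocation` is the pointer actually written through. The capture order matters for R_386_PC32 in the next hunk, which subtracts `location` to form the PC-relative value; a comment at `location = (uint32_t)plocation;` saying it must be the untranslated address, and perhaps clearer names, would make that dependency obvious. The translation is applied only to sections with SHF_EXECINSTR; one line on why data sections are exempt would complete the picture.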
43609 +@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
43610 +
43611 + switch (ELF32_R_TYPE(rel[i].r_info)) {
43612 + case R_386_32:
43613 ++
43614 ++#ifdef CONFIG_PAX_KERNEXEC
43615 ++ pax_open_kernel(cr0);
43616 ++#endif
43617 ++
43618 + /* We add the value into the location given */
43619 +- *location += sym->st_value;
43620 ++ *plocation += sym->st_value;
43621 ++
43622 ++#ifdef CONFIG_PAX_KERNEXEC
43623 ++ pax_close_kernel(cr0);
43624 ++#endif
43625 ++
43626 + break;
43627 + case R_386_PC32:
43628 ++
43629 ++#ifdef CONFIG_PAX_KERNEXEC
43630 ++ pax_open_kernel(cr0);
43631 ++#endif
43632 ++
43633 + /* Add the value, subtract its postition */
43634 +- *location += sym->st_value - (uint32_t)location;
43635 ++ *plocation += sym->st_value - location;
43636 ++
43637 ++#ifdef CONFIG_PAX_KERNEXEC
43638 ++ pax_close_kernel(cr0);
43639 ++#endif
43640 ++
43641 + break;
43642 + default:
43643 + printk(KERN_ERR "module %s: Unknown relocation: %u\n",
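Review bot: pax_open_kernel()/pax_close_kernel() are toggled once per relocation entry in both the R_386_32 and R_386_PC32 cases, so a module with many relocations flips write protection thousands of times; one window around the whole loop would be cheaper but would leave the kernel writable for longer, and the trade-off chosen here should be recorded in a comment. The `default:` branch correctly never opens a window. While here, the untouched comment typo "postition" could be fixed.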
43644 +diff -urNp linux-2.6.24.5/arch/x86/kernel/module_64.c linux-2.6.24.5/arch/x86/kernel/module_64.c
43645 +--- linux-2.6.24.5/arch/x86/kernel/module_64.c 2008-03-24 14:49:18.000000000 -0400
43646 ++++ linux-2.6.24.5/arch/x86/kernel/module_64.c 2008-03-26 20:21:08.000000000 -0400
43647 +@@ -39,7 +39,7 @@ void module_free(struct module *mod, voi
43648 + table entries. */
43649 + }
43650 +
43651 +-void *module_alloc(unsigned long size)
43652 ++static void *__module_alloc(unsigned long size, pgprot_t prot)
43653 + {
43654 + struct vm_struct *area;
43655 +
43656 +@@ -53,8 +53,31 @@ void *module_alloc(unsigned long size)
43657 + if (!area)
43658 + return NULL;
43659 +
43660 +- return __vmalloc_area(area, GFP_KERNEL, PAGE_KERNEL_EXEC);
43661 ++ return __vmalloc_area(area, GFP_KERNEL | __GFP_ZERO, prot);
43662 ++}
43663 ++
43664 ++#ifdef CONFIG_PAX_KERNEXEC
43665 ++void *module_alloc(unsigned long size)
43666 ++{
43667 ++ return __module_alloc(size, PAGE_KERNEL);
43668 ++}
43669 ++
43670 ++void module_free_exec(struct module *mod, void *module_region)
43671 ++{
43672 ++ module_free(mod, module_region);
43673 ++}
43674 ++
43675 ++void *module_alloc_exec(unsigned long size)
43676 ++{
43677 ++ return __module_alloc(size, PAGE_KERNEL_RX);
43678 + }
43679 ++#else
43680 ++void *module_alloc(unsigned long size)
43681 ++{
43682 ++ return __module_alloc(size, PAGE_KERNEL_EXEC);
43683 ++}
43684 ++#endif
43685 ++
43686 + #endif
43687 +
43688 + /* We don't need anything special. */
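Review bot: on x86_64 module_free_exec() is a plain wrapper around module_free(), whereas the 32-bit version (module_32.c in this same patch) scrubs the region with 0xCC and checks it against vmlist before releasing it; if the asymmetry is intentional (the 64-bit allocator maps real pages via __vmalloc_area(), so the normal free path covers them), a comment saying so would stop a reader from assuming the scrub was forgotten. The added `__GFP_ZERO` in __module_alloc() applies to both the data and the PAGE_KERNEL_RX code allocations, which is a sensible default; PAGE_KERNEL_RX itself must be defined in the pgtable headers for this to build.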
43689 +@@ -76,7 +99,11 @@ int apply_relocate_add(Elf64_Shdr *sechd
43690 + Elf64_Rela *rel = (void *)sechdrs[relsec].sh_addr;
43691 + Elf64_Sym *sym;
43692 + void *loc;
43693 +- u64 val;
43694 ++ u64 val;
43695 ++
43696 ++#ifdef CONFIG_PAX_KERNEXEC
43697 ++ unsigned long cr0;
43698 ++#endif
43699 +
43700 + DEBUGP("Applying relocate section %u to %u\n", relsec,
43701 + sechdrs[relsec].sh_info);
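Review bot: the `-` / `+` pair on `u64 val;` appears to differ only in whitespace; it adds noise to the diff and hides the real addition (the `cr0` declaration under CONFIG_PAX_KERNEXEC). Dropping it would make the hunk a pure insertion.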
43702 +@@ -100,21 +127,61 @@ int apply_relocate_add(Elf64_Shdr *sechd
43703 + case R_X86_64_NONE:
43704 + break;
43705 + case R_X86_64_64:
43706 ++
43707 ++#ifdef CONFIG_PAX_KERNEXEC
43708 ++ pax_open_kernel(cr0);
43709 ++#endif
43710 ++
43711 + *(u64 *)loc = val;
43712 ++
43713 ++#ifdef CONFIG_PAX_KERNEXEC
43714 ++ pax_close_kernel(cr0);
43715 ++#endif
43716 ++
43717 + break;
43718 + case R_X86_64_32:
43719 ++
43720 ++#ifdef CONFIG_PAX_KERNEXEC
43721 ++ pax_open_kernel(cr0);
43722 ++#endif
43723 ++
43724 + *(u32 *)loc = val;
43725 ++
43726 ++#ifdef CONFIG_PAX_KERNEXEC
43727 ++ pax_close_kernel(cr0);
43728 ++#endif
43729 ++
43730 + if (val != *(u32 *)loc)
43731 + goto overflow;
43732 + break;
43733 + case R_X86_64_32S:
43734 ++
43735 ++#ifdef CONFIG_PAX_KERNEXEC
43736 ++ pax_open_kernel(cr0);
43737 ++#endif
43738 ++
43739 + *(s32 *)loc = val;
43740 ++
43741 ++#ifdef CONFIG_PAX_KERNEXEC
43742 ++ pax_close_kernel(cr0);
43743 ++#endif
43744 ++
43745 + if ((s64)val != *(s32 *)loc)
43746 + goto overflow;
43747 + break;
43748 + case R_X86_64_PC32:
43749 + val -= (u64)loc;
43750 ++
43751 ++#ifdef CONFIG_PAX_KERNEXEC
43752 ++ pax_open_kernel(cr0);
43753 ++#endif
43754 ++
43755 + *(u32 *)loc = val;
43756 ++
43757 ++#ifdef CONFIG_PAX_KERNEXEC
43758 ++ pax_close_kernel(cr0);
43759 ++#endif
43760 ++
43761 + #if 0
43762 + if ((s64)val != *(s32 *)loc)
43763 + goto overflow;
43764 +diff -urNp linux-2.6.24.5/arch/x86/kernel/paravirt_32.c linux-2.6.24.5/arch/x86/kernel/paravirt_32.c
43765 +--- linux-2.6.24.5/arch/x86/kernel/paravirt_32.c 2008-03-24 14:49:18.000000000 -0400
43766 ++++ linux-2.6.24.5/arch/x86/kernel/paravirt_32.c 2008-03-26 20:21:08.000000000 -0400
43767 +@@ -39,7 +39,7 @@ void _paravirt_nop(void)
43768 + {
43769 + }
43770 +
43771 +-static void __init default_banner(void)
43772 ++static void default_banner(void)
43773 + {
43774 + printk(KERN_INFO "Booting paravirtualized kernel on %s\n",
43775 + pv_info.name);
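Review bot: dropping `__init` from default_banner() keeps the function resident after boot, and the hunk gives no reason. If this is to avoid a section-mismatch reference now that pv_init_ops (next hunks) is placed `__read_only`, the commit message should say so; otherwise the annotation should stay, since the function is only useful during boot.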
43776 +@@ -206,7 +206,7 @@ unsigned paravirt_patch_insns(void *insn
43777 + if (insn_len > len || start == NULL)
43778 + insn_len = len;
43779 + else
43780 +- memcpy(insnbuf, start, insn_len);
43781 ++ memcpy(insnbuf, ktla_ktva(start), insn_len);
43782 +
43783 + return insn_len;
43784 + }
43785 +@@ -324,21 +324,21 @@ enum paravirt_lazy_mode paravirt_get_laz
43786 + return x86_read_percpu(paravirt_lazy_mode);
43787 + }
43788 +
43789 +-struct pv_info pv_info = {
43790 ++struct pv_info pv_info __read_only = {
43791 + .name = "bare hardware",
43792 + .paravirt_enabled = 0,
43793 + .kernel_rpl = 0,
43794 + .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
43795 + };
43796 +
43797 +-struct pv_init_ops pv_init_ops = {
43798 ++struct pv_init_ops pv_init_ops __read_only = {
43799 + .patch = native_patch,
43800 + .banner = default_banner,
43801 + .arch_setup = paravirt_nop,
43802 + .memory_setup = machine_specific_memory_setup,
43803 + };
43804 +
43805 +-struct pv_time_ops pv_time_ops = {
43806 ++struct pv_time_ops pv_time_ops __read_only = {
43807 + .time_init = hpet_time_init,
43808 + .get_wallclock = native_get_wallclock,
43809 + .set_wallclock = native_set_wallclock,
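Review bot: marking pv_info, pv_init_ops, pv_time_ops, pv_irq_ops, pv_cpu_ops, pv_apic_ops and pv_mmu_ops `__read_only` turns the paravirt function-pointer tables (`.cpuid = native_cpuid`, `.apic_write = native_apic_write`, ...) into data that cannot be overwritten at run time, a worthwhile hardening of a classic hooking target. Any code that assigns to these tables after they become read-only (paravirt backends typically fill them in at boot) must do so inside a pax_open_kernel()/pax_close_kernel() window; none of those writers are in this hunk, so please confirm they were adjusted, otherwise the first such boot will fault at the assignment.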
43810 +@@ -346,7 +346,7 @@ struct pv_time_ops pv_time_ops = {
43811 + .get_cpu_khz = native_calculate_cpu_khz,
43812 + };
43813 +
43814 +-struct pv_irq_ops pv_irq_ops = {
43815 ++struct pv_irq_ops pv_irq_ops __read_only = {
43816 + .init_IRQ = native_init_IRQ,
43817 + .save_fl = native_save_fl,
43818 + .restore_fl = native_restore_fl,
43819 +@@ -356,7 +356,7 @@ struct pv_irq_ops pv_irq_ops = {
43820 + .halt = native_halt,
43821 + };
43822 +
43823 +-struct pv_cpu_ops pv_cpu_ops = {
43824 ++struct pv_cpu_ops pv_cpu_ops __read_only = {
43825 + .cpuid = native_cpuid,
43826 + .get_debugreg = native_get_debugreg,
43827 + .set_debugreg = native_set_debugreg,
43828 +@@ -396,7 +396,7 @@ struct pv_cpu_ops pv_cpu_ops = {
43829 + },
43830 + };
43831 +
43832 +-struct pv_apic_ops pv_apic_ops = {
43833 ++struct pv_apic_ops pv_apic_ops __read_only = {
43834 + #ifdef CONFIG_X86_LOCAL_APIC
43835 + .apic_write = native_apic_write,
43836 + .apic_write_atomic = native_apic_write_atomic,
43837 +@@ -407,7 +407,7 @@ struct pv_apic_ops pv_apic_ops = {
43838 + #endif
43839 + };
43840 +
43841 +-struct pv_mmu_ops pv_mmu_ops = {
43842 ++struct pv_mmu_ops pv_mmu_ops __read_only = {
43843 + .pagetable_setup_start = native_pagetable_setup_start,
43844 + .pagetable_setup_done = native_pagetable_setup_done,
43845 +
43846 +diff -urNp linux-2.6.24.5/arch/x86/kernel/process_32.c linux-2.6.24.5/arch/x86/kernel/process_32.c
43847 +--- linux-2.6.24.5/arch/x86/kernel/process_32.c 2008-03-24 14:49:18.000000000 -0400
43848 ++++ linux-2.6.24.5/arch/x86/kernel/process_32.c 2008-03-26 20:21:08.000000000 -0400
43849 +@@ -66,15 +66,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
43850 + DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
43851 + EXPORT_PER_CPU_SYMBOL(current_task);
43852 +
43853 ++#ifdef CONFIG_SMP
43854 + DEFINE_PER_CPU(int, cpu_number);
43855 + EXPORT_PER_CPU_SYMBOL(cpu_number);
43856 ++#endif
43857 +
43858 + /*
43859 + * Return saved PC of a blocked thread.
43860 + */
43861 + unsigned long thread_saved_pc(struct task_struct *tsk)
43862 + {
43863 +- return ((unsigned long *)tsk->thread.esp)[3];
43864 ++ return tsk->thread.eip;
43865 + }
43866 +
43867 + /*
43868 +@@ -313,7 +315,7 @@ void __show_registers(struct pt_regs *re
43869 + unsigned long esp;
43870 + unsigned short ss, gs;
43871 +
43872 +- if (user_mode_vm(regs)) {
43873 ++ if (user_mode(regs)) {
43874 + esp = regs->esp;
43875 + ss = regs->xss & 0xffff;
43876 + savesegment(gs, gs);
43877 +@@ -391,8 +393,8 @@ int kernel_thread(int (*fn)(void *), voi
43878 + regs.ebx = (unsigned long) fn;
43879 + regs.edx = (unsigned long) arg;
43880 +
43881 +- regs.xds = __USER_DS;
43882 +- regs.xes = __USER_DS;
43883 ++ regs.xds = __KERNEL_DS;
43884 ++ regs.xes = __KERNEL_DS;
43885 + regs.xfs = __KERNEL_PERCPU;
43886 + regs.orig_eax = -1;
43887 + regs.eip = (unsigned long) kernel_thread_helper;
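Review bot: `regs.xds`/`regs.xes` for kernel threads change from __USER_DS to __KERNEL_DS unconditionally, while the other data-segment handling in this file (the `__set_fs()` reload in __switch_to) is under CONFIG_PAX_MEMORY_UDEREF. If the change is needed only by UDEREF it should sit under the same #ifdef; if it is wanted for all configurations, a comment explaining why kernel threads must not carry user data selectors would help.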
43888 +@@ -414,7 +416,7 @@ void exit_thread(void)
43889 + struct task_struct *tsk = current;
43890 + struct thread_struct *t = &tsk->thread;
43891 + int cpu = get_cpu();
43892 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
43893 ++ struct tss_struct *tss = init_tss + cpu;
43894 +
43895 + kfree(t->io_bitmap_ptr);
43896 + t->io_bitmap_ptr = NULL;
43897 +@@ -435,6 +437,7 @@ void flush_thread(void)
43898 + {
43899 + struct task_struct *tsk = current;
43900 +
43901 ++ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
43902 + memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
43903 + memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
43904 + clear_tsk_thread_flag(tsk, TIF_DEBUG);
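Review bot: `__asm__("mov %0,%%gs\n" : : "r" (0) : "memory");` in flush_thread() clears %gs on exec with no comment. The intent is presumably to drop a stale TLS selector inherited from the previous image alongside the `tls_array` memset that follows; a one-line comment saying so would help, and the kernel's own `loadsegment(gs, 0)` macro expresses the same thing in the usual idiom (savesegment() is already used in this file).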
43905 +@@ -468,7 +471,7 @@ int copy_thread(int nr, unsigned long cl
43906 + struct task_struct *tsk;
43907 + int err;
43908 +
43909 +- childregs = task_pt_regs(p);
43910 ++ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
43911 + *childregs = *regs;
43912 + childregs->eax = 0;
43913 + childregs->esp = esp;
43914 +@@ -510,6 +513,11 @@ int copy_thread(int nr, unsigned long cl
43915 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
43916 + goto out;
43917 +
43918 ++#ifdef CONFIG_PAX_SEGMEXEC
43919 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
43920 ++ goto out;
43921 ++#endif
43922 ++
43923 + desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
43924 + desc->a = LDT_entry_a(&info);
43925 + desc->b = LDT_entry_b(&info);
43926 +@@ -696,7 +704,7 @@ struct task_struct fastcall * __switch_t
43927 + struct thread_struct *prev = &prev_p->thread,
43928 + *next = &next_p->thread;
43929 + int cpu = smp_processor_id();
43930 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
43931 ++ struct tss_struct *tss = init_tss + cpu;
43932 +
43933 + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
43934 +
43935 +@@ -724,6 +732,11 @@ struct task_struct fastcall * __switch_t
43936 + */
43937 + savesegment(gs, prev->gs);
43938 +
43939 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
43940 ++ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
43941 ++ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
43942 ++#endif
43943 ++
43944 + /*
43945 + * Load the per-thread Thread-Local Storage descriptor.
43946 + */
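Review bot: the UDEREF block in __switch_to reloads the address limit via `__set_fs()` only when `addr_limit` differs between prev and next, which keeps the fast path cheap. But a task that changes its own limit with set_fs() without being switched out must also reach `__set_fs()`, otherwise its access window stays stale until the next context switch; that path is outside this hunk, so please confirm set_fs() itself was updated.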
43947 +@@ -888,6 +901,12 @@ asmlinkage int sys_set_thread_area(struc
43948 +
43949 + if (copy_from_user(&info, u_info, sizeof(info)))
43950 + return -EFAULT;
43951 ++
43952 ++#ifdef CONFIG_PAX_SEGMEXEC
43953 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
43954 ++ return -EINVAL;
43955 ++#endif
43956 ++
43957 + idx = info.entry_number;
43958 +
43959 + /*
43960 +@@ -976,9 +995,27 @@ asmlinkage int sys_get_thread_area(struc
43961 + return 0;
43962 + }
43963 +
43964 +-unsigned long arch_align_stack(unsigned long sp)
43965 ++#ifdef CONFIG_PAX_RANDKSTACK
43966 ++asmlinkage void pax_randomize_kstack(void)
43967 + {
43968 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
43969 +- sp -= get_random_int() % 8192;
43970 +- return sp & ~0xf;
43971 ++ struct thread_struct *thread = &current->thread;
43972 ++ unsigned long time;
43973 ++
43974 ++ if (!randomize_va_space)
43975 ++ return;
43976 ++
43977 ++ rdtscl(time);
43978 ++
43979 ++ /* P4 seems to return a 0 LSB, ignore it */
43980 ++#ifdef CONFIG_MPENTIUM4
43981 ++ time &= 0x1EUL;
43982 ++ time <<= 2;
43983 ++#else
43984 ++ time &= 0xFUL;
43985 ++ time <<= 3;
43986 ++#endif
43987 ++
43988 ++ thread->esp0 ^= time;
43989 ++ load_esp0(init_tss + smp_processor_id(), thread);
43990 + }
43991 ++#endif
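Review bot: pax_randomize_kstack() replaces arch_align_stack() in this file and the two are not equivalent: the old function honoured `ADDR_NO_RANDOMIZE` in `current->personality` and randomised the user stack pointer, the new one checks only `randomize_va_space` and XORs `thread->esp0`, the kernel stack top. Since process_64.c drops arch_align_stack() as well with no replacement, the commit message should say where user-stack randomisation now comes from. On entropy: the offset is four TSC bits (`time &= 0xFUL; time <<= 3`, or bits 1-4 on Pentium 4 because of the zero LSB noted in the comment), i.e. 16 possible 8-byte-aligned kernel stack offsets; that is a cheap perturbation rather than a strong randomisation, and the Kconfig help for PAX_RANDKSTACK should describe it as such.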
43992 +diff -urNp linux-2.6.24.5/arch/x86/kernel/process_64.c linux-2.6.24.5/arch/x86/kernel/process_64.c
43993 +--- linux-2.6.24.5/arch/x86/kernel/process_64.c 2008-03-24 14:49:18.000000000 -0400
43994 ++++ linux-2.6.24.5/arch/x86/kernel/process_64.c 2008-03-26 20:21:08.000000000 -0400
43995 +@@ -210,6 +210,8 @@ static inline void play_dead(void)
43996 + void cpu_idle (void)
43997 + {
43998 + current_thread_info()->status |= TS_POLLING;
43999 ++ current->stack_canary = pax_get_random_long();
44000 ++ write_pda(stack_canary, current->stack_canary);
44001 + /* endless idle loop with no priority at all */
44002 + while (1) {
44003 + tick_nohz_stop_sched_tick();
44004 +@@ -390,7 +392,7 @@ void exit_thread(void)
44005 + struct thread_struct *t = &me->thread;
44006 +
44007 + if (me->thread.io_bitmap_ptr) {
44008 +- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
44009 ++ struct tss_struct *tss = init_tss + get_cpu();
44010 +
44011 + kfree(t->io_bitmap_ptr);
44012 + t->io_bitmap_ptr = NULL;
44013 +@@ -597,7 +599,7 @@ __switch_to(struct task_struct *prev_p,
44014 + struct thread_struct *prev = &prev_p->thread,
44015 + *next = &next_p->thread;
44016 + int cpu = smp_processor_id();
44017 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
44018 ++ struct tss_struct *tss = init_tss + cpu;
44019 +
44020 + /* we're going to use this soon, after a few expensive things */
44021 + if (next_p->fpu_counter>5)
44022 +@@ -672,7 +674,6 @@ __switch_to(struct task_struct *prev_p,
44023 + write_pda(kernelstack,
44024 + (unsigned long)task_stack_page(next_p) + THREAD_SIZE - PDA_STACKOFFSET);
44025 + #ifdef CONFIG_CC_STACKPROTECTOR
44026 +- write_pda(stack_canary, next_p->stack_canary);
44027 + /*
44028 + * Build time only check to make sure the stack_canary is at
44029 + * offset 40 in the pda; this is a gcc ABI requirement
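Review bot: removing `write_pda(stack_canary, next_p->stack_canary)` from __switch_to means the PDA canary is no longer switched per task; together with the cpu_idle() hunk above, which seeds `current->stack_canary` from pax_get_random_long() and writes it to the PDA once, the canary effectively becomes per-CPU for the lifetime of the boot. That trades per-task diversity for one fewer write per context switch, and the commit message should spell out that design change. The comment block about offset 40 that remains under CONFIG_CC_STACKPROTECTOR now describes a write that no longer happens here and should move to cpu_idle() or be reworded.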
44030 +@@ -701,7 +702,7 @@ __switch_to(struct task_struct *prev_p,
44031 + */
44032 + asmlinkage
44033 + long sys_execve(char __user *name, char __user * __user *argv,
44034 +- char __user * __user *envp, struct pt_regs regs)
44035 ++ char __user * __user *envp, struct pt_regs *regs)
44036 + {
44037 + long error;
44038 + char * filename;
44039 +@@ -710,7 +711,7 @@ long sys_execve(char __user *name, char
44040 + error = PTR_ERR(filename);
44041 + if (IS_ERR(filename))
44042 + return error;
44043 +- error = do_execve(filename, argv, envp, &regs);
44044 ++ error = do_execve(filename, argv, envp, regs);
44045 + if (error == 0) {
44046 + task_lock(current);
44047 + current->ptrace &= ~PT_DTRACE;
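Review bot: changing sys_execve()'s last parameter from `struct pt_regs regs` (by value) to `struct pt_regs *regs` requires the entry stub that calls it to pass a pointer, and that assembly change is not in this hunk; please confirm it is part of the same series, since a mismatch here would not be caught by the compiler.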
44048 +@@ -906,10 +907,3 @@ int dump_task_regs(struct task_struct *t
44049 +
44050 + return 1;
44051 + }
44052 +-
44053 +-unsigned long arch_align_stack(unsigned long sp)
44054 +-{
44055 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
44056 +- sp -= get_random_int() % 8192;
44057 +- return sp & ~0xf;
44058 +-}
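Review bot: arch_align_stack() is deleted from process_64.c without a replacement in this file, while the 32-bit file replaces it with pax_randomize_kstack(), which randomises the kernel stack rather than the user stack. Existing callers of arch_align_stack() will fail to link unless a definition exists elsewhere in the patch; the commit message should point to it.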
44059 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ptrace_32.c linux-2.6.24.5/arch/x86/kernel/ptrace_32.c
44060 +--- linux-2.6.24.5/arch/x86/kernel/ptrace_32.c 2008-03-24 14:49:18.000000000 -0400
44061 ++++ linux-2.6.24.5/arch/x86/kernel/ptrace_32.c 2008-03-26 20:21:08.000000000 -0400
44062 +@@ -160,22 +160,20 @@ static unsigned long convert_eip_to_line
44063 + * and APM bios ones we just ignore here.
44064 + */
44065 + if (seg & LDT_SEGMENT) {
44066 +- u32 *desc;
44067 ++ struct desc_struct *desc;
44068 + unsigned long base;
44069 +
44070 +- seg &= ~7UL;
44071 ++ seg >>= 3;
44072 +
44073 + mutex_lock(&child->mm->context.lock);
44074 +- if (unlikely((seg >> 3) >= child->mm->context.size))
44075 +- addr = -1L; /* bogus selector, access would fault */
44076 ++ if (unlikely(seg >= child->mm->context.size))
44077 ++ addr = -EINVAL;
44078 + else {
44079 +- desc = child->mm->context.ldt + seg;
44080 +- base = ((desc[0] >> 16) |
44081 +- ((desc[1] & 0xff) << 16) |
44082 +- (desc[1] & 0xff000000));
44083 ++ desc = &child->mm->context.ldt[seg];
44084 ++ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
44085 +
44086 + /* 16-bit code segment? */
44087 +- if (!((desc[1] >> 22) & 1))
44088 ++ if (!((desc->b >> 22) & 1))
44089 + addr &= 0xffff;
44090 + addr += base;
44091 + }
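Review bot: convert_eip_to_linear() now signals a bogus selector with `addr = -EINVAL` stored in an `unsigned long`, and is_setting_trap_flag() tests `addr == -EINVAL`; that works because the comparison converts both sides, but it also means a linear address equal to that bit pattern is indistinguishable from the error, which is tolerable only because the value lies outside user space. A comment to that effect would help, and the `/* bogus selector, access would fault */` comment that the 64-bit counterpart kept was dropped here. The move from `u32 *desc` to `struct desc_struct *desc` is an improvement; using the named fields as the 64-bit version does, instead of shifting `desc->a`/`desc->b`, would finish the job.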
44092 +@@ -190,6 +188,9 @@ static inline int is_setting_trap_flag(s
44093 + unsigned char opcode[15];
44094 + unsigned long addr = convert_eip_to_linear(child, regs);
44095 +
44096 ++ if (addr == -EINVAL)
44097 ++ return 0;
44098 ++
44099 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
44100 + for (i = 0; i < copied; i++) {
44101 + switch (opcode[i]) {
44102 +@@ -340,6 +341,11 @@ ptrace_set_thread_area(struct task_struc
44103 + if (copy_from_user(&info, user_desc, sizeof(info)))
44104 + return -EFAULT;
44105 +
44106 ++#ifdef CONFIG_PAX_SEGMEXEC
44107 ++ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
44108 ++ return -EINVAL;
44109 ++#endif
44110 ++
44111 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
44112 + return -EINVAL;
44113 +
44114 +@@ -419,7 +425,17 @@ long arch_ptrace(struct task_struct *chi
44115 + if(addr == (long) &dummy->u_debugreg[5]) break;
44116 + if(addr < (long) &dummy->u_debugreg[4] &&
44117 + ((unsigned long) data) >= TASK_SIZE-3) break;
44118 +-
44119 ++
44120 ++#ifdef CONFIG_GRKERNSEC
44121 ++ if(addr >= (long) &dummy->u_debugreg[0] &&
44122 ++ addr <= (long) &dummy->u_debugreg[3]) {
44123 ++ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
44124 ++ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
44125 ++ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
44126 ++ if ((type & 1) && (data & align))
44127 ++ break;
44128 ++ }
44129 ++#endif
44130 + /* Sanity-check data. Take one half-byte at once with
44131 + * check = (val >> (16 + 4*i)) & 0xf. It contains the
44132 + * R/Wi and LENi bits; bits 0 and 1 are R/Wi, and bits
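Review bot: the CONFIG_GRKERNSEC block rejects a write to DR0-DR3 when bit 0 of the breakpoint type in DR7 is set (a data breakpoint) and the address is not aligned to the LEN field (`data & align`), which closes the case where a misaligned data watchpoint of length 2 or 4 straddles the `TASK_SIZE-3` boundary checked just above. The check reads `child->thread.debugreg[7]` at the time the address is written, so it depends on order: a debugger that writes DR0 first (while DR7 still says disabled or execute) and then enables a data breakpoint through DR7 bypasses it unless the DR7 path below re-validates the addresses against the new LEN; the sanity-check comment below describes R/W and LEN decoding but no alignment re-check, so that needs confirming.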
44133 +@@ -630,7 +646,7 @@ void send_sigtrap(struct task_struct *ts
44134 + info.si_code = TRAP_BRKPT;
44135 +
44136 + /* User-mode eip? */
44137 +- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
44138 ++ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
44139 +
44140 + /* Send us the fake SIGTRAP */
44141 + force_sig_info(SIGTRAP, &info, tsk);
44142 +diff -urNp linux-2.6.24.5/arch/x86/kernel/ptrace_64.c linux-2.6.24.5/arch/x86/kernel/ptrace_64.c
44143 +--- linux-2.6.24.5/arch/x86/kernel/ptrace_64.c 2008-03-24 14:49:18.000000000 -0400
44144 ++++ linux-2.6.24.5/arch/x86/kernel/ptrace_64.c 2008-03-26 20:21:08.000000000 -0400
44145 +@@ -98,22 +98,20 @@ unsigned long convert_rip_to_linear(stru
44146 + * and APM bios ones we just ignore here.
44147 + */
44148 + if (seg & LDT_SEGMENT) {
44149 +- u32 *desc;
44150 ++ struct desc_struct *desc;
44151 + unsigned long base;
44152 +
44153 +- seg &= ~7UL;
44154 ++ seg >>= 3;
44155 +
44156 + mutex_lock(&child->mm->context.lock);
44157 +- if (unlikely((seg >> 3) >= child->mm->context.size))
44158 +- addr = -1L; /* bogus selector, access would fault */
44159 ++ if (unlikely(seg >= child->mm->context.size))
44160 ++ addr = -EINVAL; /* bogus selector, access would fault */
44161 + else {
44162 +- desc = child->mm->context.ldt + seg;
44163 +- base = ((desc[0] >> 16) |
44164 +- ((desc[1] & 0xff) << 16) |
44165 +- (desc[1] & 0xff000000));
44166 ++ desc = &child->mm->context.ldt[seg];
44167 ++ base = desc->base0 | (desc->base1 << 16) | (desc->base2 << 24);
44168 +
44169 + /* 16-bit code segment? */
44170 +- if (!((desc[1] >> 22) & 1))
44171 ++ if (!desc->d)
44172 + addr &= 0xffff;
44173 + addr += base;
44174 + }
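Review bot: `base = desc->base0 | (desc->base1 << 16) | (desc->base2 << 24)` is evaluated in `int` when `base1`/`base2` are narrow bit-fields or `u8` (integer promotion), so a segment base at or above 0x80000000 sets the sign bit and sign-extends when stored into `unsigned long base` on 64-bit; the old `desc[1] & 0xff000000` was `u32` arithmetic and did not have this problem. Cast the whole expression to `unsigned int` before assigning it. The `-EINVAL` sentinel in `addr` also replaces `-1L` as an in-band error value, so every caller of `convert_rip_to_linear()` that tested for `-1L` needs the matching update, and the comment `/* bogus selector, access would fault */` is now stale because the caller bails out explicitly instead of letting the access fault.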
44175 +@@ -129,6 +127,9 @@ static int is_setting_trap_flag(struct t
44176 + unsigned char opcode[15];
44177 + unsigned long addr = convert_rip_to_linear(child, regs);
44178 +
44179 ++ if (addr == -EINVAL)
44180 ++ return 0;
44181 ++
44182 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
44183 + for (i = 0; i < copied; i++) {
44184 + switch (opcode[i]) {
44185 +diff -urNp linux-2.6.24.5/arch/x86/kernel/reboot_32.c linux-2.6.24.5/arch/x86/kernel/reboot_32.c
44186 +--- linux-2.6.24.5/arch/x86/kernel/reboot_32.c 2008-03-24 14:49:18.000000000 -0400
44187 ++++ linux-2.6.24.5/arch/x86/kernel/reboot_32.c 2008-03-26 20:21:08.000000000 -0400
44188 +@@ -23,7 +23,7 @@
44189 + void (*pm_power_off)(void);
44190 + EXPORT_SYMBOL(pm_power_off);
44191 +
44192 +-static int reboot_mode;
44193 ++static unsigned short reboot_mode;
44194 + static int reboot_thru_bios;
44195 +
44196 + #ifdef CONFIG_SMP
44197 +@@ -135,7 +135,7 @@ static struct dmi_system_id __initdata r
44198 + DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
44199 + },
44200 + },
44201 +- { }
44202 ++ { NULL, NULL, {{0, NULL}}, NULL}
44203 + };
44204 +
44205 + static int __init reboot_init(void)
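Review bot: `{ NULL, NULL, {{0, NULL}}, NULL}` as the sentinel of the DMI table hard-codes the field order of `struct dmi_system_id` and silently stops being a valid terminator if that struct is ever reordered, while `{ }` was already a complete zero-initializer; if the motive is a missing-field-initializers warning, a designated initializer such as `{ .ident = NULL }` achieves the same without the layout dependency.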
44206 +@@ -153,18 +153,18 @@ core_initcall(reboot_init);
44207 + doesn't work with at least one type of 486 motherboard. It is easy
44208 + to stop this code working; hence the copious comments. */
44209 +
44210 +-static unsigned long long
44211 +-real_mode_gdt_entries [3] =
44212 ++static struct desc_struct
44213 ++real_mode_gdt_entries [3] __read_only =
44214 + {
44215 +- 0x0000000000000000ULL, /* Null descriptor */
44216 +- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
44217 +- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
44218 ++ {0x00000000, 0x00000000}, /* Null descriptor */
44219 ++ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
44220 ++ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
44221 + };
44222 +
44223 +-static struct Xgt_desc_struct
44224 +-real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
44225 +-real_mode_idt = { 0x3ff, 0 },
44226 +-no_idt = { 0, 0 };
44227 ++static const struct Xgt_desc_struct
44228 ++real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
44229 ++real_mode_idt = { 0x3ff, NULL, 0 },
44230 ++no_idt = { 0, NULL, 0 };
44231 +
44232 +
44233 + /* This is 16-bit protected mode code to disable paging and the cache,
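Review bot: the access bytes of the real-mode GDT entries change from 0x9a/0x92 to 0x9b/0x93, i.e. the Accessed bit is now pre-set, and that is required once the table is `__read_only`: loading a segment whose descriptor lacks Accessed makes the CPU write the descriptor back, and that write would fault on a read-only page. State that reason in a comment next to the entries, because the hex change otherwise looks unrelated. The `real_mode_gdt` initializer now also carries a third member (`0`) and takes `__pa(real_mode_gdt_entries)` as the base, so `struct Xgt_desc_struct` must have gained that padding field in this series, and the physical base only works because the 16-bit switch code runs after paging is turned off or under the identity mapping set up below.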
44234 +@@ -186,7 +186,7 @@ no_idt = { 0, 0 };
44235 + More could be done here to set up the registers as if a CPU reset had
44236 + occurred; hopefully real BIOSs don't assume much. */
44237 +
44238 +-static unsigned char real_mode_switch [] =
44239 ++static const unsigned char real_mode_switch [] =
44240 + {
44241 + 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
44242 + 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
44243 +@@ -200,7 +200,7 @@ static unsigned char real_mode_switch []
44244 + 0x24, 0x10, /* f: andb $0x10,al */
44245 + 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
44246 + };
44247 +-static unsigned char jump_to_bios [] =
44248 ++static const unsigned char jump_to_bios [] =
44249 + {
44250 + 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
44251 + };
44252 +@@ -210,7 +210,7 @@ static unsigned char jump_to_bios [] =
44253 + * specified by the code and length parameters.
44254 + * We assume that length will aways be less that 100!
44255 + */
44256 +-void machine_real_restart(unsigned char *code, int length)
44257 ++void machine_real_restart(const unsigned char *code, unsigned int length)
44258 + {
44259 + local_irq_disable();
44260 +
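Review bot: the new prototype `machine_real_restart(const unsigned char *code, unsigned int length)` must be mirrored in the header that declares it and checked against its callers (the `jump_to_bios` caller and the APM/ACPI users); none of those are in this excerpt, and a caller in another translation unit with its own stale declaration would compile against a mismatched signature.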
44261 +@@ -232,8 +232,8 @@ void machine_real_restart(unsigned char
44262 + from the kernel segment. This assumes the kernel segment starts at
44263 + virtual address PAGE_OFFSET. */
44264 +
44265 +- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
44266 +- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
44267 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
44268 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
44269 +
44270 + /*
44271 + * Use `swapper_pg_dir' as our page directory.
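Review bot: `clone_pgd_range(..., min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS))` fixes a real overrun in the old `memcpy`, which copied `KERNEL_PGD_PTRS` entries into the user half of `swapper_pg_dir` and therefore wrote past the end of the table whenever the kernel half is larger than the user half (a low `PAGE_OFFSET` split); that deserves a sentence in the patch description. The conversion from a byte size (`sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS`) to an entry count is correct for `clone_pgd_range`.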
44272 +@@ -246,7 +246,7 @@ void machine_real_restart(unsigned char
44273 + REBOOT.COM programs, and the previous reset routine did this
44274 + too. */
44275 +
44276 +- *((unsigned short *)0x472) = reboot_mode;
44277 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
44278 +
44279 + /* For the switch to real mode, copy some code to low memory. It has
44280 + to be in the first 64k because it is running in 16-bit mode, and it
44281 +@@ -254,9 +254,8 @@ void machine_real_restart(unsigned char
44282 + off paging. Copy it near the end of the first page, out of the way
44283 + of BIOS variables. */
44284 +
44285 +- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
44286 +- real_mode_switch, sizeof (real_mode_switch));
44287 +- memcpy ((void *) (0x1000 - 100), code, length);
44288 ++ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
44289 ++ memcpy(__va(0x1000 - 100), code, length);
44290 +
44291 + /* Set up the IDT for real mode. */
44292 +
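Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies an unchecked `length` into the last 100 bytes of page 0, and the only guard is the comment above the function saying callers are assumed to stay under 100; now that `length` is `unsigned int`, a `BUG_ON(length > 100)` (or a clamp) at the top of `machine_real_restart()` would turn a silent overwrite of page 1 into a loud failure. Going through `__va()` here and for the 0x472 reboot-mode word in the previous hunk is the right change: the bare physical addresses only worked because the identity mapping just created by `clone_pgd_range` happened to cover them.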
44293 +diff -urNp linux-2.6.24.5/arch/x86/kernel/setup_32.c linux-2.6.24.5/arch/x86/kernel/setup_32.c
44294 +--- linux-2.6.24.5/arch/x86/kernel/setup_32.c 2008-03-24 14:49:18.000000000 -0400
44295 ++++ linux-2.6.24.5/arch/x86/kernel/setup_32.c 2008-03-26 20:21:08.000000000 -0400
44296 +@@ -61,6 +61,7 @@
44297 + #include <setup_arch.h>
44298 + #include <bios_ebda.h>
44299 + #include <asm/cacheflush.h>
44300 ++#include <asm/boot.h>
44301 +
44302 + /* This value is set up by the early boot code to point to the value
44303 + immediately after the boot time page tables. It contains a *physical*
44304 +@@ -82,7 +83,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
44305 + struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
44306 + EXPORT_SYMBOL(boot_cpu_data);
44307 +
44308 ++#ifdef CONFIG_X86_PAE
44309 ++unsigned long mmu_cr4_features = X86_CR4_PAE;
44310 ++#else
44311 + unsigned long mmu_cr4_features;
44312 ++#endif
44313 +
44314 + /* for MCA, but anyone else can use it if they want */
44315 + unsigned int machine_id;
44316 +@@ -436,8 +441,8 @@ void __init setup_bootmem_allocator(void
44317 + * the (very unlikely) case of us accidentally initializing the
44318 + * bootmem allocator with an invalid RAM area.
44319 + */
44320 +- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
44321 +- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
44322 ++ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
44323 ++ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
44324 +
44325 + /*
44326 + * reserve physical page 0 - it's a special BIOS page on many boxes,
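Review bot: `reserve_bootmem(LOAD_PHYSICAL_ADDR, ...)` in place of `__pa_symbol(_text)` assumes the image really starts at `LOAD_PHYSICAL_ADDR`; that holds for the default link, and it becomes the only usable start once `_text` is no longer a direct-mapped address (see the `ktla_ktva` conversions in the following hunk), so a comment explaining why `__pa_symbol(_text)` no longer works here would help the next reader. Also confirm the end of the range, `PFN_PHYS(min_low_pfn) + bootmap_size + PAGE_SIZE-1`, still lies above the new start, otherwise the subtraction goes negative.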
44327 +@@ -590,14 +595,14 @@ void __init setup_arch(char **cmdline_p)
44328 +
44329 + if (!boot_params.hdr.root_flags)
44330 + root_mountflags &= ~MS_RDONLY;
44331 +- init_mm.start_code = (unsigned long) _text;
44332 +- init_mm.end_code = (unsigned long) _etext;
44333 ++ init_mm.start_code = ktla_ktva((unsigned long) _text);
44334 ++ init_mm.end_code = ktla_ktva((unsigned long) _etext);
44335 + init_mm.end_data = (unsigned long) _edata;
44336 + init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
44337 +
44338 +- code_resource.start = virt_to_phys(_text);
44339 +- code_resource.end = virt_to_phys(_etext)-1;
44340 +- data_resource.start = virt_to_phys(_etext);
44341 ++ code_resource.start = virt_to_phys(ktla_ktva(_text));
44342 ++ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
44343 ++ data_resource.start = virt_to_phys(_data);
44344 + data_resource.end = virt_to_phys(_edata)-1;
44345 + bss_resource.start = virt_to_phys(&__bss_start);
44346 + bss_resource.end = virt_to_phys(&__bss_stop)-1;
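Review bot: `ktla_ktva` is applied to `(unsigned long) _text` in the `init_mm` lines but to the bare `_text`/`_etext` symbols (array addresses) in the `virt_to_phys(ktla_ktva(_text))` lines; both compile if `ktla_ktva()` is an arithmetic macro, the pointer form will not if it is ever made an inline function, so cast consistently. `data_resource.start = virt_to_phys(_data)` also switches the data resource start from `_etext` to `_data`, which is correct once text and data no longer abut, but it requires `_data` to be emitted by the linker script, and that hunk is not in this excerpt.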
44347 +@@ -692,3 +697,23 @@ void __init setup_arch(char **cmdline_p)
44348 + #endif
44349 + #endif
44350 + }
44351 ++
44352 ++unsigned long __per_cpu_offset[NR_CPUS] __read_only;
44353 ++
44354 ++EXPORT_SYMBOL(__per_cpu_offset);
44355 ++
44356 ++void __init setup_per_cpu_areas(void)
44357 ++{
44358 ++ unsigned long size, i;
44359 ++ char *ptr;
44360 ++
44361 ++ /* Copy section for each CPU (we discard the original) */
44362 ++ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
44363 ++ ptr = alloc_bootmem_pages(size * num_possible_cpus());
44364 ++
44365 ++ for_each_possible_cpu(i) {
44366 ++ __per_cpu_offset[i] = (unsigned long)ptr;
44367 ++ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
44368 ++ ptr += size;
44369 ++ }
44370 ++}
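Review bot: `__per_cpu_offset[]` is declared `__read_only`, yet the loop in `setup_per_cpu_areas()` stores to it without a `pax_open_kernel()`/`pax_close_kernel()` pair, unlike every other write to read-only kernel data in this patch; this is correct only if `__read_only` data stays writable until the end of init and is write-protected afterwards, and that assumption should be stated in a comment here. Note also that `__per_cpu_offset[i] = (unsigned long)ptr` stores the absolute base of each CPU's copy, whereas the generic version in init/main.c stores `ptr - __per_cpu_start`, a delta; every consumer of `__per_cpu_offset` (the `per_cpu()` machinery) must have been converted to the segment-base meaning in the same series, and the arch has to opt out of the generic `setup_per_cpu_areas()`/`__per_cpu_offset` definitions to avoid duplicate symbols. The unchecked `alloc_bootmem_pages()` return is acceptable because bootmem panics on failure.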
44371 +diff -urNp linux-2.6.24.5/arch/x86/kernel/setup64.c linux-2.6.24.5/arch/x86/kernel/setup64.c
44372 +--- linux-2.6.24.5/arch/x86/kernel/setup64.c 2008-03-24 14:49:18.000000000 -0400
44373 ++++ linux-2.6.24.5/arch/x86/kernel/setup64.c 2008-03-26 20:21:08.000000000 -0400
44374 +@@ -32,12 +32,12 @@ struct x8664_pda *_cpu_pda[NR_CPUS] __re
44375 + EXPORT_SYMBOL(_cpu_pda);
44376 + struct x8664_pda boot_cpu_pda[NR_CPUS] __cacheline_aligned;
44377 +
44378 +-struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
44379 ++const struct desc_ptr idt_descr = { 256 * 16 - 1, (unsigned long) idt_table };
44380 +
44381 + char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
44382 +
44383 + unsigned long __supported_pte_mask __read_mostly = ~0UL;
44384 +-static int do_not_nx __cpuinitdata = 0;
44385 ++EXPORT_SYMBOL(__supported_pte_mask);
44386 +
44387 + /* noexec=on|off
44388 + Control non executable mappings for 64bit processes.
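Review bot: `EXPORT_SYMBOL(__supported_pte_mask)`, which takes the place of the removed `do_not_nx`, lets any module clear `_PAGE_NX` from every PTE the kernel builds from then on; if the only consumer is in-tree code, `EXPORT_SYMBOL_GPL` narrows that, and the patch description should name the consumer. `const struct desc_ptr idt_descr` also needs the matching `extern const` declaration in the header, or the two declarations conflict.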
44389 +@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
44390 + return -EINVAL;
44391 + if (!strncmp(str, "on", 2)) {
44392 + __supported_pte_mask |= _PAGE_NX;
44393 +- do_not_nx = 0;
44394 + } else if (!strncmp(str, "off", 3)) {
44395 +- do_not_nx = 1;
44396 + __supported_pte_mask &= ~_PAGE_NX;
44397 + }
44398 + return 0;
44399 + }
44400 + early_param("noexec", nonx_setup);
44401 +
44402 +-int force_personality32 = 0;
44403 ++int force_personality32;
44404 +
44405 + /* noexec32=on|off
44406 + Control non executable heap for 32bit processes.
44407 +@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
44408 + unsigned long efer;
44409 +
44410 + rdmsrl(MSR_EFER, efer);
44411 +- if (!(efer & EFER_NX) || do_not_nx) {
44412 ++ if (!(efer & EFER_NX)) {
44413 + __supported_pte_mask &= ~_PAGE_NX;
44414 + }
44415 + }
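Review bot: dropping `do_not_nx` from `check_efer()` is equivalent only if nothing re-sets `_PAGE_NX` in `__supported_pte_mask` after `nonx_setup()` has cleared it for `noexec=off`; with `nonx_setup` an `early_param`, the mask initialised to `~0UL`, and the `|= _PAGE_NX` branch the only setter in view, the flag was indeed redundant, but that reasoning belongs in the description since the original author evidently believed it was needed for the `__cpuinit` (hotplug) path.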
44416 +@@ -200,12 +198,13 @@ DEFINE_PER_CPU(struct orig_ist, orig_ist
44417 + void __cpuinit cpu_init (void)
44418 + {
44419 + int cpu = stack_smp_processor_id();
44420 +- struct tss_struct *t = &per_cpu(init_tss, cpu);
44421 ++ struct tss_struct *t = init_tss + cpu;
44422 + struct orig_ist *orig_ist = &per_cpu(orig_ist, cpu);
44423 + unsigned long v;
44424 + char *estacks = NULL;
44425 + struct task_struct *me;
44426 + int i;
44427 ++ struct desc_ptr cpu_gdt_descr = { .size = GDT_SIZE - 1, .address = (unsigned long)cpu_gdt_table[cpu]};
44428 +
44429 + /* CPU 0 is initialised in head64.c */
44430 + if (cpu != 0) {
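Review bot: the on-stack `cpu_gdt_descr` uses `.size = GDT_SIZE - 1`, the correct GDTR limit (offset of the last valid byte), where the removed per-CPU descriptor was loaded with `.size = GDT_SIZE` in the next hunk; the off-by-one was harmless but the fix should be mentioned. A stack-resident descriptor is fine because `lgdt` copies base and limit into the register; what this relies on is `cpu_gdt_table[cpu]` now being a per-CPU array of complete GDTs, consistent with the `memcpy(cpu_gdt(cpu), cpu_gdt_table, GDT_SIZE)` that still seeds each CPU from the boot table.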
44431 +@@ -223,14 +222,12 @@ void __cpuinit cpu_init (void)
44432 + clear_in_cr4(X86_CR4_VME|X86_CR4_PVI|X86_CR4_TSD|X86_CR4_DE);
44433 +
44434 + /*
44435 +- * Initialize the per-CPU GDT with the boot GDT,
44436 +- * and set up the GDT descriptor:
44437 ++ * Initialize the per-CPU GDT with the boot GDT:
44438 + */
44439 + if (cpu)
44440 + memcpy(cpu_gdt(cpu), cpu_gdt_table, GDT_SIZE);
44441 +
44442 +- cpu_gdt_descr[cpu].size = GDT_SIZE;
44443 +- load_gdt((const struct desc_ptr *)&cpu_gdt_descr[cpu]);
44444 ++ load_gdt(&cpu_gdt_descr);
44445 + load_idt((const struct desc_ptr *)&idt_descr);
44446 +
44447 + memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
44448 +diff -urNp linux-2.6.24.5/arch/x86/kernel/signal_32.c linux-2.6.24.5/arch/x86/kernel/signal_32.c
44449 +--- linux-2.6.24.5/arch/x86/kernel/signal_32.c 2008-03-24 14:49:18.000000000 -0400
44450 ++++ linux-2.6.24.5/arch/x86/kernel/signal_32.c 2008-03-26 20:21:08.000000000 -0400
44451 +@@ -355,9 +355,9 @@ static int setup_frame(int sig, struct k
44452 + }
44453 +
44454 + if (current->binfmt->hasvdso)
44455 +- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
44456 ++ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
44457 + else
44458 +- restorer = (void *)&frame->retcode;
44459 ++ restorer = (void __user *)&frame->retcode;
44460 + if (ka->sa.sa_flags & SA_RESTORER)
44461 + restorer = ka->sa.sa_restorer;
44462 +
44463 +@@ -452,7 +452,7 @@ static int setup_rt_frame(int sig, struc
44464 + goto give_sigsegv;
44465 +
44466 + /* Set up to return from userspace. */
44467 +- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
44468 ++ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
44469 + if (ka->sa.sa_flags & SA_RESTORER)
44470 + restorer = ka->sa.sa_restorer;
44471 + err |= __put_user(restorer, &frame->pretcode);
44472 +@@ -584,7 +584,7 @@ static void fastcall do_signal(struct pt
44473 + * before reaching here, so testing against kernel
44474 + * CS suffices.
44475 + */
44476 +- if (!user_mode(regs))
44477 ++ if (!user_mode_novm(regs))
44478 + return;
44479 +
44480 + if (test_thread_flag(TIF_RESTORE_SIGMASK))
44481 +diff -urNp linux-2.6.24.5/arch/x86/kernel/signal_64.c linux-2.6.24.5/arch/x86/kernel/signal_64.c
44482 +--- linux-2.6.24.5/arch/x86/kernel/signal_64.c 2008-03-24 14:49:18.000000000 -0400
44483 ++++ linux-2.6.24.5/arch/x86/kernel/signal_64.c 2008-03-26 20:21:08.000000000 -0400
44484 +@@ -252,8 +252,8 @@ static int setup_rt_frame(int sig, struc
44485 + err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
44486 + err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
44487 + if (sizeof(*set) == 16) {
44488 +- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
44489 +- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
44490 ++ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
44491 ++ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
44492 + } else
44493 + err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
44494 +
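Review bot: folding the two `__put_user()` results into `err` is a genuine fix independent of the hardening work: a fault while writing `uc_sigmask` for a 16-byte sigset went unreported and the frame was delivered with a partially written mask. This is worth sending upstream on its own.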
44495 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smp_32.c linux-2.6.24.5/arch/x86/kernel/smp_32.c
44496 +--- linux-2.6.24.5/arch/x86/kernel/smp_32.c 2008-03-24 14:49:18.000000000 -0400
44497 ++++ linux-2.6.24.5/arch/x86/kernel/smp_32.c 2008-03-26 20:21:08.000000000 -0400
44498 +@@ -104,7 +104,7 @@
44499 + * about nothing of note with C stepping upwards.
44500 + */
44501 +
44502 +-DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
44503 ++DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
44504 +
44505 + /*
44506 + * the following functions deal with sending IPIs between CPUs.
44507 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpboot_32.c linux-2.6.24.5/arch/x86/kernel/smpboot_32.c
44508 +--- linux-2.6.24.5/arch/x86/kernel/smpboot_32.c 2008-03-24 14:49:18.000000000 -0400
44509 ++++ linux-2.6.24.5/arch/x86/kernel/smpboot_32.c 2008-03-26 20:21:08.000000000 -0400
44510 +@@ -781,6 +781,10 @@ static int __cpuinit do_boot_cpu(int api
44511 + unsigned long start_eip;
44512 + unsigned short nmi_high = 0, nmi_low = 0;
44513 +
44514 ++#ifdef CONFIG_PAX_KERNEXEC
44515 ++ unsigned long cr0;
44516 ++#endif
44517 ++
44518 + /*
44519 + * Save current MTRR state in case it was changed since early boot
44520 + * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
44521 +@@ -797,7 +801,16 @@ static int __cpuinit do_boot_cpu(int api
44522 +
44523 + init_gdt(cpu);
44524 + per_cpu(current_task, cpu) = idle;
44525 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
44526 ++
44527 ++#ifdef CONFIG_PAX_KERNEXEC
44528 ++ pax_open_kernel(cr0);
44529 ++#endif
44530 ++
44531 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
44532 ++
44533 ++#ifdef CONFIG_PAX_KERNEXEC
44534 ++ pax_close_kernel(cr0);
44535 ++#endif
44536 +
44537 + idle->thread.eip = (unsigned long) start_secondary;
44538 + /* start_eip had better be page-aligned! */
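Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` presumably toggle CR0.WP on the current CPU, so the window around `early_gdt_descr.address = get_cpu_gdt_table(cpu)` must not be preemptible: migrating between open and close would leave WP cleared on one CPU and the close would then run on another. If the macros disable preemption themselves, say so where they are defined; if not, this and the other open/close sites in the patch need `preempt_disable()`. The dropped `(unsigned long)` cast also implies `early_gdt_descr.address` is now a pointer-typed field, which has to come from the same series.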
44539 +@@ -1122,7 +1135,7 @@ static void __init smp_boot_cpus(unsigne
44540 + * construct cpu_sibling_map, so that we can tell sibling CPUs
44541 + * efficiently.
44542 + */
44543 +- for (cpu = 0; cpu < NR_CPUS; cpu++) {
44544 ++ for_each_possible_cpu(cpu) {
44545 + cpus_clear(per_cpu(cpu_sibling_map, cpu));
44546 + cpus_clear(per_cpu(cpu_core_map, cpu));
44547 + }
44548 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpboot_64.c linux-2.6.24.5/arch/x86/kernel/smpboot_64.c
44549 +--- linux-2.6.24.5/arch/x86/kernel/smpboot_64.c 2008-03-24 14:49:18.000000000 -0400
44550 ++++ linux-2.6.24.5/arch/x86/kernel/smpboot_64.c 2008-03-26 20:21:08.000000000 -0400
44551 +@@ -549,13 +549,6 @@ static int __cpuinit do_boot_cpu(int cpu
44552 + .done = COMPLETION_INITIALIZER_ONSTACK(c_idle.done),
44553 + };
44554 +
44555 +- /* allocate memory for gdts of secondary cpus. Hotplug is considered */
44556 +- if (!cpu_gdt_descr[cpu].address &&
44557 +- !(cpu_gdt_descr[cpu].address = get_zeroed_page(GFP_KERNEL))) {
44558 +- printk(KERN_ERR "Failed to allocate GDT for CPU %d\n", cpu);
44559 +- return -1;
44560 +- }
44561 +-
44562 + /* Allocate node local memory for AP pdas */
44563 + if (cpu_pda(cpu) == &boot_cpu_pda[cpu]) {
44564 + struct x8664_pda *newpda, *pda;
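Review bot: removing the `get_zeroed_page()` allocation of secondary-CPU GDTs implies `cpu_gdt_table` is now a static `NR_CPUS`-sized array (consistent with `cpu_gdt_table[cpu]` in the setup64.c hunk); that trades one page per possible CPU of static memory for tables that can live in read-only memory and have no failure path, and gives up the node-local placement the dynamic allocation provided. Acceptable, but call it out in the description.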
44565 +@@ -614,7 +607,7 @@ do_rest:
44566 + start_rip = setup_trampoline();
44567 +
44568 + init_rsp = c_idle.idle->thread.rsp;
44569 +- per_cpu(init_tss,cpu).rsp0 = init_rsp;
44570 ++ init_tss[cpu].rsp0 = init_rsp;
44571 + initial_code = start_secondary;
44572 + clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
44573 +
44574 +diff -urNp linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c
44575 +--- linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c 2008-03-24 14:49:18.000000000 -0400
44576 ++++ linux-2.6.24.5/arch/x86/kernel/smpcommon_32.c 2008-03-26 20:21:16.000000000 -0400
44577 +@@ -3,8 +3,9 @@
44578 + */
44579 + #include <linux/module.h>
44580 + #include <asm/smp.h>
44581 ++#include <asm/sections.h>
44582 +
44583 +-DEFINE_PER_CPU(unsigned long, this_cpu_off);
44584 ++DEFINE_PER_CPU(unsigned long, this_cpu_off) = (unsigned long)__per_cpu_start;
44585 + EXPORT_PER_CPU_SYMBOL(this_cpu_off);
44586 +
44587 + /* Initialize the CPU's GDT. This is either the boot CPU doing itself
44588 +@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
44589 + {
44590 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
44591 +
44592 +- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44593 +- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44594 +- __per_cpu_offset[cpu], 0xFFFFF,
44595 +- 0x80 | DESCTYPE_S | 0x2, 0x8);
44596 ++#ifdef CONFIG_PAX_KERNEXEC
44597 ++ unsigned long cr0;
44598 ++
44599 ++ pax_open_kernel(cr0);
44600 ++#endif
44601 ++
44602 ++ if (cpu)
44603 ++ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
44604 ++
44605 ++ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
44606 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44607 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44608 ++ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
44609 ++ 0x80 | DESCTYPE_S | 0x3, 0x4);
44610 ++ else
44611 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
44612 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
44613 ++ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
44614 ++ 0x80 | DESCTYPE_S | 0x3, 0xC);
44615 ++
44616 ++#ifdef CONFIG_PAX_KERNEXEC
44617 ++ pax_close_kernel(cr0);
44618 ++#endif
44619 +
44620 + per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
44621 + per_cpu(cpu_number, cpu) = cpu;
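Review bot: the byte-granularity branch `if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)` has the wrong threshold: with `G = 0` (flags `0x4`) the 20-bit limit field that `pack_descriptor()` masks can only express limits up to 0xFFFFF, i.e. 1 MiB, so any `PERCPU_ENOUGH_ROOM` between 1 MiB and 64 MiB would get a silently truncated limit; use `1UL << 20`. In practice the per-CPU section is far smaller, so nothing breaks today, but the purpose of shrinking the limit from the old `0xFFFFF` with `G = 1` (4 GiB) to `PERCPU_ENOUGH_ROOM - 1` is that a stray `%fs`-relative access past the per-CPU area now faults, and that property should not depend on section size. Pre-setting the Accessed bit (`0x3` instead of `0x2`) is needed for the same reason as in the reboot_32.c GDT: the table is read-only and the CPU must not need to write it.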
44622 +diff -urNp linux-2.6.24.5/arch/x86/kernel/suspend_64.c linux-2.6.24.5/arch/x86/kernel/suspend_64.c
44623 +--- linux-2.6.24.5/arch/x86/kernel/suspend_64.c 2008-03-24 14:49:18.000000000 -0400
44624 ++++ linux-2.6.24.5/arch/x86/kernel/suspend_64.c 2008-03-26 20:21:08.000000000 -0400
44625 +@@ -116,12 +116,22 @@ void restore_processor_state(void)
44626 + void fix_processor_context(void)
44627 + {
44628 + int cpu = smp_processor_id();
44629 +- struct tss_struct *t = &per_cpu(init_tss, cpu);
44630 ++ struct tss_struct *t = init_tss + cpu;
44631 ++
44632 ++#ifdef CONFIG_PAX_KERNEXEC
44633 ++ unsigned long cr0;
44634 ++
44635 ++ pax_open_kernel(cr0);
44636 ++#endif
44637 +
44638 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
44639 +
44640 + cpu_gdt(cpu)[GDT_ENTRY_TSS].type = 9;
44641 +
44642 ++#ifdef CONFIG_PAX_KERNEXEC
44643 ++ pax_close_kernel(cr0);
44644 ++#endif
44645 ++
44646 + syscall_init(); /* This sets MSR_*STAR and related */
44647 + load_TR_desc(); /* This does ltr */
44648 + load_LDT(&current->active_mm->context); /* This does lldt */
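Review bot: the `pax_open_kernel(cr0)` window closes before `load_TR_desc()`, yet `ltr` itself writes the Busy bit into the TSS descriptor that `cpu_gdt(cpu)[GDT_ENTRY_TSS].type = 9` has just reset; with a read-only GDT that implicit write faults unless `load_TR_desc()` opens the kernel internally. Either move `load_TR_desc()` inside the window or add a comment here pointing at where the busy-bit write is handled.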
44649 +diff -urNp linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S
44650 +--- linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S 2008-03-24 14:49:18.000000000 -0400
44651 ++++ linux-2.6.24.5/arch/x86/kernel/syscall_table_32.S 2008-03-26 20:21:08.000000000 -0400
44652 +@@ -1,3 +1,4 @@
44653 ++.section .rodata,"a",@progbits
44654 + ENTRY(sys_call_table)
44655 + .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
44656 + .long sys_exit
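Review bot: putting `sys_call_table` in `.rodata` (`"a"` without `"w"`) is what stops runtime patching of the syscall table, the intended hardening, but it also means any code that writes to the table at runtime now faults instead of succeeding; say so in the description. Because the directive sits at the top of the file with no `.previous` or section switch after the table, anything else assembled in this file also lands in `.rodata`, which is fine only as long as the file contains nothing but the table.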
44657 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sysenter_32.c linux-2.6.24.5/arch/x86/kernel/sysenter_32.c
44658 +--- linux-2.6.24.5/arch/x86/kernel/sysenter_32.c 2008-03-24 14:49:18.000000000 -0400
44659 ++++ linux-2.6.24.5/arch/x86/kernel/sysenter_32.c 2008-03-26 20:21:08.000000000 -0400
44660 +@@ -175,7 +175,7 @@ static __init void relocate_vdso(Elf32_E
44661 + void enable_sep_cpu(void)
44662 + {
44663 + int cpu = get_cpu();
44664 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
44665 ++ struct tss_struct *tss = init_tss + cpu;
44666 +
44667 + if (!boot_cpu_has(X86_FEATURE_SEP)) {
44668 + put_cpu();
44669 +@@ -198,7 +198,7 @@ static int __init gate_vma_init(void)
44670 + gate_vma.vm_start = FIXADDR_USER_START;
44671 + gate_vma.vm_end = FIXADDR_USER_END;
44672 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
44673 +- gate_vma.vm_page_prot = __P101;
44674 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
44675 + /*
44676 + * Make sure the vDSO gets into every core dump.
44677 + * Dumping its contents makes post-mortem fully interpretable later
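Review bot: `vm_get_page_prot(gate_vma.vm_flags)` instead of the literal `__P101` is the right call: it derives the gate page protection from `VM_READ | VM_EXEC` through `protection_map` and the arch hook, so the vDSO mapping stays consistent with whatever the architecture does to that map (the PAGEEXEC handling elsewhere in this patch) rather than freezing the index that `__P101` hard-codes.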
44678 +@@ -281,7 +281,7 @@ int arch_setup_additional_pages(struct l
44679 + if (compat)
44680 + addr = VDSO_HIGH_BASE;
44681 + else {
44682 +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
44683 ++ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
44684 + if (IS_ERR_VALUE(addr)) {
44685 + ret = addr;
44686 + goto up_fail;
44687 +@@ -306,7 +306,7 @@ int arch_setup_additional_pages(struct l
44688 + goto up_fail;
44689 + }
44690 +
44691 +- current->mm->context.vdso = (void *)addr;
44692 ++ current->mm->context.vdso = addr;
44693 + current_thread_info()->sysenter_return =
44694 + (void *)VDSO_SYM(&SYSENTER_RETURN);
44695 +
44696 +@@ -318,8 +318,14 @@ int arch_setup_additional_pages(struct l
44697 +
44698 + const char *arch_vma_name(struct vm_area_struct *vma)
44699 + {
44700 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
44701 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
44702 + return "[vdso]";
44703 ++
44704 ++#ifdef CONFIG_PAX_SEGMEXEC
44705 ++ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
44706 ++ return "[vdso]";
44707 ++#endif
44708 ++
44709 + return NULL;
44710 + }
44711 +
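Review bot: the SEGMEXEC branch tests `vma->vm_mirror` unconditionally, so `vm_mirror` must be zeroed in every VMA that is not mirrored (on allocation, copy and split), otherwise a stale pointer here yields a bogus `[vdso]` label or a bad dereference; the `vm_area_struct` hunk adding the field is not in this excerpt. The comparison `vma->vm_start == vma->vm_mm->context.vdso` now also relies on `context.vdso` being an `unsigned long`, as the previous hunk changed it.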
44712 +@@ -328,7 +334,7 @@ struct vm_area_struct *get_gate_vma(stru
44713 + struct mm_struct *mm = tsk->mm;
44714 +
44715 + /* Check to see if this task was created in compat vdso mode */
44716 +- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
44717 ++ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
44718 + return &gate_vma;
44719 + return NULL;
44720 + }
44721 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c
44722 +--- linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c 2008-03-24 14:49:18.000000000 -0400
44723 ++++ linux-2.6.24.5/arch/x86/kernel/sys_i386_32.c 2008-03-26 20:21:08.000000000 -0400
44724 +@@ -39,6 +39,21 @@ asmlinkage int sys_pipe(unsigned long __
44725 + return error;
44726 + }
44727 +
44728 ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
44729 ++{
44730 ++ unsigned long pax_task_size = TASK_SIZE;
44731 ++
44732 ++#ifdef CONFIG_PAX_SEGMEXEC
44733 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
44734 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44735 ++#endif
44736 ++
44737 ++ if (len > pax_task_size || addr > pax_task_size - len)
44738 ++ return -EINVAL;
44739 ++
44740 ++ return 0;
44741 ++}
44742 ++
44743 + asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
44744 + unsigned long prot, unsigned long flags,
44745 + unsigned long fd, unsigned long pgoff)
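Review bot: `i386_mmap_check()` returns `-EINVAL` for `len > pax_task_size`, while the `arch_get_unmapped_area()` added further down returns `-ENOMEM` for the same condition; pick one so `mmap()` reports a consistent errno. This function is also the only place where `MAP_FIXED` requests are bounded against the (possibly halved, under SEGMEXEC) address space, since both allocators return `addr` unchecked for `MAP_FIXED`, so it has to be wired into every mmap entry point via the `arch_mmap_check` hook, not just `sys_mmap2`; that wiring is not in this excerpt.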
44746 +@@ -98,6 +113,205 @@ out:
44747 + return err;
44748 + }
44749 +
44750 ++unsigned long
44751 ++arch_get_unmapped_area(struct file *filp, unsigned long addr,
44752 ++ unsigned long len, unsigned long pgoff, unsigned long flags)
44753 ++{
44754 ++ struct mm_struct *mm = current->mm;
44755 ++ struct vm_area_struct *vma;
44756 ++ unsigned long start_addr, pax_task_size = TASK_SIZE;
44757 ++
44758 ++#ifdef CONFIG_PAX_SEGMEXEC
44759 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44760 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44761 ++#endif
44762 ++
44763 ++ if (len > pax_task_size)
44764 ++ return -ENOMEM;
44765 ++
44766 ++ if (flags & MAP_FIXED)
44767 ++ return addr;
44768 ++
44769 ++#ifdef CONFIG_PAX_RANDMMAP
44770 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44771 ++#endif
44772 ++
44773 ++ if (addr) {
44774 ++ addr = PAGE_ALIGN(addr);
44775 ++ vma = find_vma(mm, addr);
44776 ++ if (pax_task_size - len >= addr &&
44777 ++ (!vma || addr + len <= vma->vm_start))
44778 ++ return addr;
44779 ++ }
44780 ++ if (len > mm->cached_hole_size) {
44781 ++ start_addr = addr = mm->free_area_cache;
44782 ++ } else {
44783 ++ start_addr = addr = mm->mmap_base;
44784 ++ mm->cached_hole_size = 0;
44785 ++ }
44786 ++
44787 ++#ifdef CONFIG_PAX_PAGEEXEC
44788 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
44789 ++ start_addr = 0x00110000UL;
44790 ++
44791 ++#ifdef CONFIG_PAX_RANDMMAP
44792 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
44793 ++ start_addr += mm->delta_mmap & 0x03FFF000UL;
44794 ++#endif
44795 ++
44796 ++ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
44797 ++ start_addr = addr = mm->mmap_base;
44798 ++ else
44799 ++ addr = start_addr;
44800 ++ }
44801 ++#endif
44802 ++
44803 ++full_search:
44804 ++ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
44805 ++ /* At this point: (!vma || addr < vma->vm_end). */
44806 ++ if (pax_task_size - len < addr) {
44807 ++ /*
44808 ++ * Start a new search - just in case we missed
44809 ++ * some holes.
44810 ++ */
44811 ++ if (start_addr != mm->mmap_base) {
44812 ++ start_addr = addr = mm->mmap_base;
44813 ++ mm->cached_hole_size = 0;
44814 ++ goto full_search;
44815 ++ }
44816 ++ return -ENOMEM;
44817 ++ }
44818 ++ if (!vma || addr + len <= vma->vm_start) {
44819 ++ /*
44820 ++ * Remember the place where we stopped the search:
44821 ++ */
44822 ++ mm->free_area_cache = addr + len;
44823 ++ return addr;
44824 ++ }
44825 ++ if (addr + mm->cached_hole_size < vma->vm_start)
44826 ++ mm->cached_hole_size = vma->vm_start - addr;
44827 ++ addr = vma->vm_end;
44828 ++ if (mm->start_brk <= addr && addr < mm->mmap_base) {
44829 ++ start_addr = addr = mm->mmap_base;
44830 ++ mm->cached_hole_size = 0;
44831 ++ goto full_search;
44832 ++ }
44833 ++ }
44834 ++}
44835 ++
44836 ++unsigned long
44837 ++arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
44838 ++ const unsigned long len, const unsigned long pgoff,
44839 ++ const unsigned long flags)
44840 ++{
44841 ++ struct vm_area_struct *vma;
44842 ++ struct mm_struct *mm = current->mm;
44843 ++ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
44844 ++
44845 ++#ifdef CONFIG_PAX_SEGMEXEC
44846 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44847 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
44848 ++#endif
44849 ++
44850 ++ /* requested length too big for entire address space */
44851 ++ if (len > pax_task_size)
44852 ++ return -ENOMEM;
44853 ++
44854 ++ if (flags & MAP_FIXED)
44855 ++ return addr;
44856 ++
44857 ++#ifdef CONFIG_PAX_PAGEEXEC
44858 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
44859 ++ goto bottomup;
44860 ++#endif
44861 ++
44862 ++#ifdef CONFIG_PAX_RANDMMAP
44863 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44864 ++#endif
44865 ++
44866 ++ /* requesting a specific address */
44867 ++ if (addr) {
44868 ++ addr = PAGE_ALIGN(addr);
44869 ++ vma = find_vma(mm, addr);
44870 ++ if (pax_task_size - len >= addr &&
44871 ++ (!vma || addr + len <= vma->vm_start))
44872 ++ return addr;
44873 ++ }
44874 ++
44875 ++ /* check if free_area_cache is useful for us */
44876 ++ if (len <= mm->cached_hole_size) {
44877 ++ mm->cached_hole_size = 0;
44878 ++ mm->free_area_cache = mm->mmap_base;
44879 ++ }
44880 ++
44881 ++ /* either no address requested or can't fit in requested address hole */
44882 ++ addr = mm->free_area_cache;
44883 ++
44884 ++ /* make sure it can fit in the remaining address space */
44885 ++ if (addr > len) {
44886 ++ vma = find_vma(mm, addr-len);
44887 ++ if (!vma || addr <= vma->vm_start)
44888 ++ /* remember the address as a hint for next time */
44889 ++ return (mm->free_area_cache = addr-len);
44890 ++ }
44891 ++
44892 ++ if (mm->mmap_base < len)
44893 ++ goto bottomup;
44894 ++
44895 ++ addr = mm->mmap_base-len;
44896 ++
44897 ++ do {
44898 ++ /*
44899 ++ * Lookup failure means no vma is above this address,
44900 ++ * else if new region fits below vma->vm_start,
44901 ++ * return with success:
44902 ++ */
44903 ++ vma = find_vma(mm, addr);
44904 ++ if (!vma || addr+len <= vma->vm_start)
44905 ++ /* remember the address as a hint for next time */
44906 ++ return (mm->free_area_cache = addr);
44907 ++
44908 ++ /* remember the largest hole we saw so far */
44909 ++ if (addr + mm->cached_hole_size < vma->vm_start)
44910 ++ mm->cached_hole_size = vma->vm_start - addr;
44911 ++
44912 ++ /* try just below the current vma->vm_start */
44913 ++ addr = vma->vm_start-len;
44914 ++ } while (len < vma->vm_start);
44915 ++
44916 ++bottomup:
44917 ++ /*
44918 ++ * A failed mmap() very likely causes application failure,
44919 ++ * so fall back to the bottom-up function here. This scenario
44920 ++ * can happen with large stack limits and large mmap()
44921 ++ * allocations.
44922 ++ */
44923 ++
44924 ++#ifdef CONFIG_PAX_SEGMEXEC
44925 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
44926 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
44927 ++ else
44928 ++#endif
44929 ++
44930 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
44931 ++
44932 ++#ifdef CONFIG_PAX_RANDMMAP
44933 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
44934 ++ mm->mmap_base += mm->delta_mmap;
44935 ++#endif
44936 ++
44937 ++ mm->free_area_cache = mm->mmap_base;
44938 ++ mm->cached_hole_size = ~0UL;
44939 ++ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
44940 ++ /*
44941 ++ * Restore the topdown base:
44942 ++ */
44943 ++ mm->mmap_base = base;
44944 ++ mm->free_area_cache = base;
44945 ++ mm->cached_hole_size = ~0UL;
44946 ++
44947 ++ return addr;
44948 ++}
44949 +
44950 + struct sel_arg_struct {
44951 + unsigned long n;
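Review bot: in both `arch_get_unmapped_area()` and the topdown variant, the `#ifdef CONFIG_PAX_RANDMMAP` `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` has no braces and its body is the entire `if (addr) { ... }` statement that follows the `#endif`; that is fragile (inserting a line between them changes the logic silently), so fold the condition into the inner test, for example via a local `honour_hint` computed under the `#ifdef` and then `if (honour_hint && addr) {`. In the `bottomup:` fallback, `mm->mmap_base` is temporarily overwritten and restored to `base` afterwards; that is safe only because callers hold `mmap_sem` for write, which deserves a comment since any reader of `mmap_base` would otherwise see the transient value.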
44952 +diff -urNp linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c
44953 +--- linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c 2008-03-24 14:49:18.000000000 -0400
44954 ++++ linux-2.6.24.5/arch/x86/kernel/sys_x86_64.c 2008-03-26 20:21:08.000000000 -0400
44955 +@@ -61,8 +61,8 @@ out:
44956 + return error;
44957 + }
44958 +
44959 +-static void find_start_end(unsigned long flags, unsigned long *begin,
44960 +- unsigned long *end)
44961 ++static void find_start_end(struct mm_struct *mm, unsigned long flags,
44962 ++ unsigned long *begin, unsigned long *end)
44963 + {
44964 + if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
44965 + /* This is usually used needed to map code in small
44966 +@@ -75,7 +75,7 @@ static void find_start_end(unsigned long
44967 + *begin = 0x40000000;
44968 + *end = 0x80000000;
44969 + } else {
44970 +- *begin = TASK_UNMAPPED_BASE;
44971 ++ *begin = mm->mmap_base;
44972 + *end = TASK_SIZE;
44973 + }
44974 + }
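Review bot: with `*begin = mm->mmap_base;` only the non-MAP_32BIT path picks up the per-mm base; the `MAP_32BIT` branch still uses the fixed `*begin = 0x40000000;` / `*end = 0x80000000;` window, so MAP_32BIT mappings are laid out deterministically even when `MF_PAX_RANDMMAP` is set. If that is intended (the window is too small to randomise usefully), say so in a comment here; otherwise the MAP_32BIT base needs the same `delta_mmap` treatment the topdown code applies.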
44975 +@@ -92,11 +92,15 @@ arch_get_unmapped_area(struct file *filp
44976 + if (flags & MAP_FIXED)
44977 + return addr;
44978 +
44979 +- find_start_end(flags, &begin, &end);
44980 ++ find_start_end(mm, flags, &begin, &end);
44981 +
44982 + if (len > end)
44983 + return -ENOMEM;
44984 +
44985 ++#ifdef CONFIG_PAX_RANDMMAP
44986 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44987 ++#endif
44988 ++
44989 + if (addr) {
44990 + addr = PAGE_ALIGN(addr);
44991 + vma = find_vma(mm, addr);
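Review bot: the guard `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` is a bare `if` whose body is the following `if (addr) {` block, separated from it by `#endif` and a blank line; it reads as two independent statements. Fold the condition into the inner test (`if (addr && (...))` under the ifdef) or at least add a comment. Also document the policy encoded here: under RANDMMAP the caller's hint address is ignored for file-backed mappings but still honoured for anonymous ones (`!filp`), and why that asymmetry is acceptable.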
44992 +diff -urNp linux-2.6.24.5/arch/x86/kernel/time_32.c linux-2.6.24.5/arch/x86/kernel/time_32.c
44993 +--- linux-2.6.24.5/arch/x86/kernel/time_32.c 2008-03-24 14:49:18.000000000 -0400
44994 ++++ linux-2.6.24.5/arch/x86/kernel/time_32.c 2008-03-26 20:21:08.000000000 -0400
44995 +@@ -130,20 +130,30 @@ unsigned long profile_pc(struct pt_regs
44996 + if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
44997 + in_lock_functions(pc)) {
44998 + #ifdef CONFIG_FRAME_POINTER
44999 +- return *(unsigned long *)(regs->ebp + 4);
45000 ++ return ktla_ktva(*(unsigned long *)(regs->ebp + 4));
45001 + #else
45002 + unsigned long *sp = (unsigned long *)&regs->esp;
45003 +
45004 + /* Return address is either directly at stack pointer
45005 + or above a saved eflags. Eflags has bits 22-31 zero,
45006 + kernel addresses don't. */
45007 ++
45008 ++#ifdef CONFIG_PAX_KERNEXEC
45009 ++ return ktla_ktva(sp[0]);
45010 ++#else
45011 + if (sp[0] >> 22)
45012 + return sp[0];
45013 + if (sp[1] >> 22)
45014 + return sp[1];
45015 + #endif
45016 ++
45017 ++#endif
45018 + }
45019 + #endif
45020 ++
45021 ++ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
45022 ++ pc = ktla_ktva(pc);
45023 ++
45024 + return pc;
45025 + }
45026 + EXPORT_SYMBOL(profile_pc);
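Review bot: under `CONFIG_PAX_KERNEXEC` the non-frame-pointer branch returns `ktla_ktva(sp[0])` unconditionally and drops the `sp[0] >> 22` / `sp[1] >> 22` disambiguation that the comment directly above it still describes ("Return address is either directly at stack pointer or above a saved eflags"). If the return address sits above a saved eflags, the profiler now records the translated eflags value instead. Either keep the two-slot heuristic and translate the chosen slot, or update the comment to say why the heuristic cannot be applied (or is not needed) under KERNEXEC.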
45027 +diff -urNp linux-2.6.24.5/arch/x86/kernel/traps_32.c linux-2.6.24.5/arch/x86/kernel/traps_32.c
45028 +--- linux-2.6.24.5/arch/x86/kernel/traps_32.c 2008-03-24 14:49:18.000000000 -0400
45029 ++++ linux-2.6.24.5/arch/x86/kernel/traps_32.c 2008-03-26 20:21:08.000000000 -0400
45030 +@@ -29,6 +29,7 @@
45031 + #include <linux/uaccess.h>
45032 + #include <linux/nmi.h>
45033 + #include <linux/bug.h>
45034 ++#include <linux/binfmts.h>
45035 +
45036 + #ifdef CONFIG_EISA
45037 + #include <linux/ioport.h>
45038 +@@ -71,12 +72,7 @@ asmlinkage int system_call(void);
45039 + /* Do we ignore FPU interrupts ? */
45040 + char ignore_fpu_irq = 0;
45041 +
45042 +-/*
45043 +- * The IDT has to be page-aligned to simplify the Pentium
45044 +- * F0 0F bug workaround.. We have a special link segment
45045 +- * for this.
45046 +- */
45047 +-struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
45048 ++extern struct desc_struct idt_table[256];
45049 +
45050 + asmlinkage void divide_error(void);
45051 + asmlinkage void debug(void);
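Review bot: the removed definition carried the only explanation of why `idt_table` must be page-aligned (the Pentium F00F workaround); `extern struct desc_struct idt_table[256];` drops that and gives no pointer to the new home. Add a comment naming where the table is now defined and that it lands in the read-only `.idt` input section (the vmlinux_32.lds.S hunk in this patch places `*(.idt)` in `.rodata.page_aligned`), so the alignment and read-only requirements stay discoverable from this file.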
45052 +@@ -306,22 +302,23 @@ void show_registers(struct pt_regs *regs
45053 + * When in-kernel, we also print out the stack and code at the
45054 + * time of the fault..
45055 + */
45056 +- if (!user_mode_vm(regs)) {
45057 ++ if (!user_mode(regs)) {
45058 + u8 *eip;
45059 + unsigned int code_prologue = code_bytes * 43 / 64;
45060 + unsigned int code_len = code_bytes;
45061 + unsigned char c;
45062 ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
45063 +
45064 + printk("\n" KERN_EMERG "Stack: ");
45065 + show_stack_log_lvl(NULL, regs, &regs->esp, KERN_EMERG);
45066 +
45067 + printk(KERN_EMERG "Code: ");
45068 +
45069 +- eip = (u8 *)regs->eip - code_prologue;
45070 ++ eip = (u8 *)regs->eip - code_prologue + cs_base;
45071 + if (eip < (u8 *)PAGE_OFFSET ||
45072 + probe_kernel_address(eip, c)) {
45073 + /* try starting at EIP */
45074 +- eip = (u8 *)regs->eip;
45075 ++ eip = (u8 *)regs->eip + cs_base;
45076 + code_len = code_len - code_prologue + 1;
45077 + }
45078 + for (i = 0; i < code_len; i++, eip++) {
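Review bot: `cs_base` is looked up in the GDT with `(0xffff & regs->xcs) >> 3`, which discards the TI and RPL bits, so a CS that refers to an LDT entry would be silently resolved against the GDT and the "Code:" dump would read from the wrong place. Since this path only runs for `!user_mode(regs)`, state in a comment that CS is assumed to be a GDT selector here (and bound the index against the GDT size if that is cheap) rather than leave the reader to work out why indexing the GDT is safe.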
45079 +@@ -330,7 +327,7 @@ void show_registers(struct pt_regs *regs
45080 + printk(" Bad EIP value.");
45081 + break;
45082 + }
45083 +- if (eip == (u8 *)regs->eip)
45084 ++ if (eip == (u8 *)regs->eip + cs_base)
45085 + printk("<%02x> ", c);
45086 + else
45087 + printk("%02x ", c);
45088 +@@ -343,6 +340,7 @@ int is_valid_bugaddr(unsigned long eip)
45089 + {
45090 + unsigned short ud2;
45091 +
45092 ++ eip = ktla_ktva(eip);
45093 + if (eip < PAGE_OFFSET)
45094 + return 0;
45095 + if (probe_kernel_address((unsigned short *)eip, ud2))
45096 +@@ -444,7 +442,7 @@ void die(const char * str, struct pt_reg
45097 +
45098 + static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
45099 + {
45100 +- if (!user_mode_vm(regs))
45101 ++ if (!user_mode(regs))
45102 + die(str, regs, err);
45103 + }
45104 +
45105 +@@ -460,7 +458,7 @@ static void __kprobes do_trap(int trapnr
45106 + goto trap_signal;
45107 + }
45108 +
45109 +- if (!user_mode(regs))
45110 ++ if (!user_mode_novm(regs))
45111 + goto kernel_trap;
45112 +
45113 + trap_signal: {
45114 +@@ -566,7 +564,7 @@ fastcall void __kprobes do_general_prote
45115 + long error_code)
45116 + {
45117 + int cpu = get_cpu();
45118 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
45119 ++ struct tss_struct *tss = &init_tss[cpu];
45120 + struct thread_struct *thread = &current->thread;
45121 +
45122 + /*
45123 +@@ -599,9 +597,25 @@ fastcall void __kprobes do_general_prote
45124 + if (regs->eflags & VM_MASK)
45125 + goto gp_in_vm86;
45126 +
45127 +- if (!user_mode(regs))
45128 ++ if (!user_mode_novm(regs))
45129 + goto gp_in_kernel;
45130 +
45131 ++#ifdef CONFIG_PAX_PAGEEXEC
45132 ++ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
45133 ++ struct mm_struct *mm = current->mm;
45134 ++ unsigned long limit;
45135 ++
45136 ++ down_write(&mm->mmap_sem);
45137 ++ limit = mm->context.user_cs_limit;
45138 ++ if (limit < TASK_SIZE) {
45139 ++ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
45140 ++ up_write(&mm->mmap_sem);
45141 ++ return;
45142 ++ }
45143 ++ up_write(&mm->mmap_sem);
45144 ++ }
45145 ++#endif
45146 ++
45147 + current->thread.error_code = error_code;
45148 + current->thread.trap_no = 13;
45149 + if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
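Review bot: the PAGEEXEC block returns without delivering a signal for any user-mode #GP taken while `mm->context.user_cs_limit < TASK_SIZE`, not only for instruction fetches beyond the CS limit; the faulting instruction is then re-executed. For a #GP with another cause (a bad selector load, say) correctness relies on `track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC)` raising the limit to `TASK_SIZE` so that the retried fault falls through to the `current->thread.trap_no = 13;` path on the second trap instead of looping. Please state that invariant in a comment, and note that `down_write(&mm->mmap_sem)` is taken from a trap handler here, so this fault must never be reachable while the task already holds `mmap_sem`.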
45150 +@@ -626,6 +640,13 @@ gp_in_kernel:
45151 + if (notify_die(DIE_GPF, "general protection fault", regs,
45152 + error_code, 13, SIGSEGV) == NOTIFY_STOP)
45153 + return;
45154 ++
45155 ++#ifdef CONFIG_PAX_KERNEXEC
45156 ++ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
45157 ++ die("PAX: suspicious general protection fault", regs, error_code);
45158 ++ else
45159 ++#endif
45160 ++
45161 + die("general protection fault", regs, error_code);
45162 + }
45163 + }
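Review bot: the KERNEXEC branch chooses between the two `die()` messages solely on `(regs->xcs & 0xFFFF) == __KERNEL_CS`, and the `else` again dangles across `#endif` and a blank line before the original `die("general protection fault", ...)`. A one-line comment on why a kernel #GP with `__KERNEL_CS` loaded is "suspicious" under KERNEXEC (as opposed to the selector kernel code is expected to run with) would make the message actionable for whoever reads the oops; braces around both calls would remove the dangling-`else` hazard.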
45164 +@@ -715,7 +736,7 @@ void __kprobes die_nmi(struct pt_regs *r
45165 + /* If we are in kernel we are probably nested up pretty bad
45166 + * and might aswell get out now while we still can.
45167 + */
45168 +- if (!user_mode_vm(regs)) {
45169 ++ if (!user_mode(regs)) {
45170 + current->thread.trap_no = 2;
45171 + crash_kexec(regs);
45172 + }
45173 +@@ -866,7 +887,7 @@ fastcall void __kprobes do_debug(struct
45174 + * check for kernel mode by just checking the CPL
45175 + * of CS.
45176 + */
45177 +- if (!user_mode(regs))
45178 ++ if (!user_mode_novm(regs))
45179 + goto clear_TF_reenable;
45180 + }
45181 +
45182 +@@ -1044,18 +1065,14 @@ fastcall void do_spurious_interrupt_bug(
45183 + fastcall unsigned long patch_espfix_desc(unsigned long uesp,
45184 + unsigned long kesp)
45185 + {
45186 +- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
45187 + unsigned long base = (kesp - uesp) & -THREAD_SIZE;
45188 + unsigned long new_kesp = kesp - base;
45189 + unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
45190 +- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
45191 ++ __u32 a, b;
45192 ++
45193 + /* Set up base for espfix segment */
45194 +- desc &= 0x00f0ff0000000000ULL;
45195 +- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
45196 +- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
45197 +- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
45198 +- (lim_pages & 0xffff);
45199 +- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
45200 ++ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
45201 ++ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
45202 + return new_kesp;
45203 + }
45204 +
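Review bot: `pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC)` replaces the hand-built descriptor with two magic literals; name or comment them (0x93: present, DPL 0, read/write data, accessed; 0xC: 32-bit, page granularity) so the next reader can check them against the removed mask arithmetic. Also, the vsyscall_64.c hunk in this patch brackets its GDT write with `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)`; if the 32-bit GDT is likewise read-only under KERNEXEC, this `write_gdt_entry()` needs the same wrapping, and if it is not, a comment saying why would stop the question coming up again.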
45205 +diff -urNp linux-2.6.24.5/arch/x86/kernel/tsc_32.c linux-2.6.24.5/arch/x86/kernel/tsc_32.c
45206 +--- linux-2.6.24.5/arch/x86/kernel/tsc_32.c 2008-03-24 14:49:18.000000000 -0400
45207 ++++ linux-2.6.24.5/arch/x86/kernel/tsc_32.c 2008-03-26 20:21:08.000000000 -0400
45208 +@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
45209 + DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
45210 + },
45211 + },
45212 +- {}
45213 ++ { NULL, NULL, {{0, NULL}}, NULL}
45214 + };
45215 +
45216 + /*
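Review bot: replacing the `{}` sentinel with the positional `{ NULL, NULL, {{0, NULL}}, NULL}` ties this line to the current field order of `struct dmi_system_id`; a field added to the struct turns it into a silent mis-initialisation or a build error. If the goal is to silence a missing-initializer warning, a designated initializer such as `{ .ident = NULL }` achieves that without the fragility. The same applies to the two `ctl_table` sentinels in the vsyscall_64.c hunk of this patch.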
45217 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vm86_32.c linux-2.6.24.5/arch/x86/kernel/vm86_32.c
45218 +--- linux-2.6.24.5/arch/x86/kernel/vm86_32.c 2008-03-24 14:49:18.000000000 -0400
45219 ++++ linux-2.6.24.5/arch/x86/kernel/vm86_32.c 2008-03-26 20:21:08.000000000 -0400
45220 +@@ -146,7 +146,7 @@ struct pt_regs * fastcall save_v86_state
45221 + do_exit(SIGSEGV);
45222 + }
45223 +
45224 +- tss = &per_cpu(init_tss, get_cpu());
45225 ++ tss = init_tss + get_cpu();
45226 + current->thread.esp0 = current->thread.saved_esp0;
45227 + current->thread.sysenter_cs = __KERNEL_CS;
45228 + load_esp0(tss, &current->thread);
45229 +@@ -322,7 +322,7 @@ static void do_sys_vm86(struct kernel_vm
45230 + tsk->thread.saved_fs = info->regs32->xfs;
45231 + savesegment(gs, tsk->thread.saved_gs);
45232 +
45233 +- tss = &per_cpu(init_tss, get_cpu());
45234 ++ tss = init_tss + get_cpu();
45235 + tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
45236 + if (cpu_has_sep)
45237 + tsk->thread.sysenter_cs = 0;
45238 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmi_32.c linux-2.6.24.5/arch/x86/kernel/vmi_32.c
45239 +--- linux-2.6.24.5/arch/x86/kernel/vmi_32.c 2008-03-24 14:49:18.000000000 -0400
45240 ++++ linux-2.6.24.5/arch/x86/kernel/vmi_32.c 2008-03-26 20:21:08.000000000 -0400
45241 +@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
45242 + {
45243 + u64 reloc;
45244 + struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
45245 ++
45246 ++#ifdef CONFIG_PAX_KERNEXEC
45247 ++ unsigned long cr0;
45248 ++#endif
45249 ++
45250 + reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
45251 + switch(rel->type) {
45252 + case VMI_RELOCATION_CALL_REL:
45253 + BUG_ON(len < 5);
45254 ++
45255 ++#ifdef CONFIG_PAX_KERNEXEC
45256 ++ pax_open_kernel(cr0);
45257 ++#endif
45258 ++
45259 + *(char *)insnbuf = MNEM_CALL;
45260 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
45261 ++
45262 ++#ifdef CONFIG_PAX_KERNEXEC
45263 ++ pax_close_kernel(cr0);
45264 ++#endif
45265 ++
45266 + return 5;
45267 +
45268 + case VMI_RELOCATION_JUMP_REL:
45269 + BUG_ON(len < 5);
45270 ++
45271 ++#ifdef CONFIG_PAX_KERNEXEC
45272 ++ pax_open_kernel(cr0);
45273 ++#endif
45274 ++
45275 + *(char *)insnbuf = MNEM_JMP;
45276 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
45277 ++
45278 ++#ifdef CONFIG_PAX_KERNEXEC
45279 ++ pax_close_kernel(cr0);
45280 ++#endif
45281 ++
45282 + return 5;
45283 +
45284 + case VMI_RELOCATION_NOP:
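Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pairs are copied verbatim into both the `VMI_RELOCATION_CALL_REL` and `VMI_RELOCATION_JUMP_REL` arms, around identical `*(char *)insnbuf = ...; patch_offset(insnbuf, eip, ...)` sequences that differ only in the opcode. Hoist the open/close (or the whole write) into a small helper taking the opcode, so there is one place to get the writable window right; duplicated `#ifdef` blocks like these are exactly what drifts when one arm is fixed and the other is not.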
45285 +@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
45286 +
45287 + static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
45288 + {
45289 +- const pte_t pte = { 0 };
45290 ++ const pte_t pte = __pte(0ULL);
45291 + vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
45292 + vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
45293 + }
45294 +
45295 + static void vmi_pmd_clear(pmd_t *pmd)
45296 + {
45297 +- const pte_t pte = { 0 };
45298 ++ const pte_t pte = __pte(0ULL);
45299 + vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
45300 + vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
45301 + }
45302 +@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
45303 + ap.ss = __KERNEL_DS;
45304 + ap.esp = (unsigned long) start_esp;
45305 +
45306 +- ap.ds = __USER_DS;
45307 +- ap.es = __USER_DS;
45308 ++ ap.ds = __KERNEL_DS;
45309 ++ ap.es = __KERNEL_DS;
45310 + ap.fs = __KERNEL_PERCPU;
45311 + ap.gs = 0;
45312 +
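Review bot: `ap.ds = __KERNEL_DS; ap.es = __KERNEL_DS;` changes the segments an AP starts with and nothing in the hunk says why `__USER_DS` is no longer acceptable. Add a comment stating the requirement that makes the user data segment unsafe for AP startup once the rest of this patch is applied, and decide whether the change belongs under a config option like the surrounding KERNEXEC hunks or is a fix for all builds; right now it is unconditional.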
45313 +@@ -724,12 +749,20 @@ static inline int __init activate_vmi(vo
45314 + u64 reloc;
45315 + const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
45316 +
45317 ++#ifdef CONFIG_PAX_KERNEXEC
45318 ++ unsigned long cr0;
45319 ++#endif
45320 ++
45321 + if (call_vrom_func(vmi_rom, vmi_init) != 0) {
45322 + printk(KERN_ERR "VMI ROM failed to initialize!");
45323 + return 0;
45324 + }
45325 + savesegment(cs, kernel_cs);
45326 +
45327 ++#ifdef CONFIG_PAX_KERNEXEC
45328 ++ pax_open_kernel(cr0);
45329 ++#endif
45330 ++
45331 + pv_info.paravirt_enabled = 1;
45332 + pv_info.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
45333 + pv_info.name = "vmi";
45334 +@@ -917,6 +950,10 @@ static inline int __init activate_vmi(vo
45335 +
45336 + para_fill(pv_irq_ops.safe_halt, Halt);
45337 +
45338 ++#ifdef CONFIG_PAX_KERNEXEC
45339 ++ pax_close_kernel(cr0);
45340 ++#endif
45341 ++
45342 + /*
45343 + * Alternative instruction rewriting doesn't happen soon enough
45344 + * to convert VMI_IRET to a call instead of a jump; so we have
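Review bot: `pax_open_kernel(cr0)` is taken right after `savesegment(cs, kernel_cs);` and the matching `pax_close_kernel(cr0)` only comes after `para_fill(pv_irq_ops.safe_halt, Halt);`, roughly two hundred lines later by the hunk offsets (`@@ -724,12 +749,20 @@` to `@@ -917,6 +950,10 @@`). Everything in between runs with kernel text writable, and any `return` inside that span (the `return 0;` on VMI ROM failure sits safely before the open) would leave it that way. Please confirm there is no early exit inside the window, and consider narrowing it to the individual `pv_*` assignments.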
45345 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S
45346 +--- linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S 2008-03-24 14:49:18.000000000 -0400
45347 ++++ linux-2.6.24.5/arch/x86/kernel/vmlinux_32.lds.S 2008-03-26 20:21:08.000000000 -0400
45348 +@@ -21,6 +21,20 @@
45349 + #include <asm/page.h>
45350 + #include <asm/cache.h>
45351 + #include <asm/boot.h>
45352 ++#include <asm/segment.h>
45353 ++
45354 ++#ifdef CONFIG_X86_PAE
45355 ++#define PMD_SHIFT 21
45356 ++#else
45357 ++#define PMD_SHIFT 22
45358 ++#endif
45359 ++#define PMD_SIZE (1 << PMD_SHIFT)
45360 ++
45361 ++#ifdef CONFIG_PAX_KERNEXEC
45362 ++#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + (((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1)))
45363 ++#else
45364 ++#define __KERNEL_TEXT_OFFSET 0
45365 ++#endif
45366 +
45367 + OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
45368 + OUTPUT_ARCH(i386)
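Review bot: `PMD_SHIFT` / `PMD_SIZE` are re-derived here from `CONFIG_X86_PAE` instead of coming from the pgtable headers, so the linker script can diverge from the C definitions without any warning; add a comment saying they mirror the asm pgtable definitions and must be kept in sync. The `__KERNEL_TEXT_OFFSET` expression `((____LOAD_PHYSICAL_ADDR + 2*(PMD_SIZE - 1)) - 1) & ~(PMD_SIZE - 1)` is opaque: written out it is the PMD-aligned value of `____LOAD_PHYSICAL_ADDR - 3` plus `2*PMD_SIZE`, and nothing says which boundary it is meant to produce or why the `- 1` adjustments are there. A comment giving the intended result for an aligned and an unaligned load address would let a reviewer verify it.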
45369 +@@ -28,22 +42,125 @@ ENTRY(phys_startup_32)
45370 + jiffies = jiffies_64;
45371 +
45372 + PHDRS {
45373 +- text PT_LOAD FLAGS(5); /* R_E */
45374 +- data PT_LOAD FLAGS(7); /* RWE */
45375 +- note PT_NOTE FLAGS(0); /* ___ */
45376 ++ initdata PT_LOAD FLAGS(6); /* RW_ */
45377 ++ percpu PT_LOAD FLAGS(6); /* RW_ */
45378 ++ inittext PT_LOAD FLAGS(5); /* R_E */
45379 ++ text PT_LOAD FLAGS(5); /* R_E */
45380 ++ rodata PT_LOAD FLAGS(4); /* R__ */
45381 ++ data PT_LOAD FLAGS(6); /* RW_ */
45382 ++ note PT_NOTE FLAGS(0); /* ___ */
45383 + }
45384 + SECTIONS
45385 + {
45386 +- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
45387 +- phys_startup_32 = startup_32 - LOAD_OFFSET;
45388 ++ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
45389 ++
45390 ++ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
45391 ++ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET;
45392 ++ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
45393 ++ *(.text.startup)
45394 ++ } :initdata
45395 ++
45396 ++ /* might get freed after init */
45397 ++ . = ALIGN(4096);
45398 ++ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45399 ++ __smp_locks = .;
45400 ++ *(.smp_locks)
45401 ++ __smp_locks_end = .;
45402 ++ }
45403 ++ /* will be freed after init
45404 ++ * Following ALIGN() is required to make sure no other data falls on the
45405 ++ * same page where __smp_alt_end is pointing as that page might be freed
45406 ++ * after boot. Always make sure that ALIGN() directive is present after
45407 ++ * the section which contains __smp_alt_end.
45408 ++ */
45409 ++ . = ALIGN(4096);
45410 ++
45411 ++ /* will be freed after init */
45412 ++ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
45413 ++ __init_begin = .;
45414 ++ *(.init.data)
45415 ++ }
45416 ++ . = ALIGN(16);
45417 ++ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
45418 ++ __setup_start = .;
45419 ++ *(.init.setup)
45420 ++ __setup_end = .;
45421 ++ }
45422 ++ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
45423 ++ __initcall_start = .;
45424 ++ INITCALLS
45425 ++ __initcall_end = .;
45426 ++ }
45427 ++ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
45428 ++ __con_initcall_start = .;
45429 ++ *(.con_initcall.init)
45430 ++ __con_initcall_end = .;
45431 ++ }
45432 ++ SECURITY_INIT
45433 ++ . = ALIGN(4);
45434 ++ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
45435 ++ __alt_instructions = .;
45436 ++ *(.altinstructions)
45437 ++ __alt_instructions_end = .;
45438 ++ }
45439 ++ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
45440 ++ *(.altinstr_replacement)
45441 ++ }
45442 ++ . = ALIGN(4);
45443 ++ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
45444 ++ __parainstructions = .;
45445 ++ *(.parainstructions)
45446 ++ __parainstructions_end = .;
45447 ++ }
45448 ++ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
45449 ++#if defined(CONFIG_BLK_DEV_INITRD)
45450 ++ . = ALIGN(4096);
45451 ++ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
45452 ++ __initramfs_start = .;
45453 ++ *(.init.ramfs)
45454 ++ __initramfs_end = .;
45455 ++ }
45456 ++#endif
45457 ++ . = ALIGN(4096);
45458 ++ per_cpu_start = .;
45459 ++ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
45460 ++ __per_cpu_start = . + per_cpu_start;
45461 ++ LONG(0)
45462 ++ *(.data.percpu)
45463 ++ *(.data.percpu.shared_aligned)
45464 ++ __per_cpu_end = . + per_cpu_start;
45465 ++ } :percpu
45466 ++ . += per_cpu_start;
45467 ++
45468 ++ /* read-only */
45469 ++
45470 ++ . = ALIGN(4096); /* Init code and data */
45471 ++ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45472 ++ _sinittext = .;
45473 ++ *(.init.text)
45474 ++ _einittext = .;
45475 ++ } :inittext
45476 ++
45477 ++ /* .exit.text is discard at runtime, not link time, to deal with references
45478 ++ from .altinstructions and .eh_frame */
45479 ++ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
45480 +
45481 +- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
45482 +- _text = .; /* Text and read-only data */
45483 ++ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45484 ++ BYTE(0)
45485 ++ . = ALIGN(2*PMD_SIZE) - 1;
45486 ++ }
45487 ++
45488 ++ /* freed after init ends here */
45489 ++
45490 ++ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45491 ++ __init_end = . + __KERNEL_TEXT_OFFSET;
45492 ++ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
45493 ++ _text = .; /* Text and read-only data */
45494 + *(.text.head)
45495 + } :text = 0x9090
45496 +
45497 + /* read-only */
45498 +- .text : AT(ADDR(.text) - LOAD_OFFSET) {
45499 ++ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
45500 + TEXT_TEXT
45501 + SCHED_TEXT
45502 + LOCK_TEXT
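Review bot: two linker tricks in this hunk carry no explanation and need one. First, `.data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start)` links the per-CPU section at VMA 0 and recovers real addresses via `__per_cpu_start = . + per_cpu_start;` and `. += per_cpu_start;`; state why the section is linked at zero and that consumers must use the adjusted symbols. Second, `.filler` ends with `. = ALIGN(2*PMD_SIZE) - 1;` after a single `BYTE(0)`; the `- 1` only makes sense in combination with the alignment of the `.text.head` that follows, so spell out the boundary `.text.head` is meant to land on. Separately, the sections after `.text.startup` (`.smp_locks`, `.init.data`, through `.init.ramfs`) carry no `:phdr` and inherit `:initdata` only by ld's last-segment rule; an explicit `:initdata` on the first and last of them documents that the whole freed region sits in the RW_ segment, which is the property this reorganisation exists to provide.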
45503 +@@ -53,16 +170,17 @@ SECTIONS
45504 + _etext = .; /* End of text section */
45505 + } :text = 0x9090
45506 +
45507 +- . = ALIGN(16); /* Exception table */
45508 ++ . += __KERNEL_TEXT_OFFSET;
45509 ++ . = ALIGN(4096); /* Exception table */
45510 + __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
45511 + __start___ex_table = .;
45512 + *(__ex_table)
45513 + __stop___ex_table = .;
45514 +- }
45515 ++ } :rodata
45516 +
45517 +- NOTES :text :note
45518 ++ NOTES :rodata :note
45519 +
45520 +- BUG_TABLE :text
45521 ++ BUG_TABLE :rodata
45522 +
45523 + . = ALIGN(4);
45524 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
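Review bot: `. += __KERNEL_TEXT_OFFSET;` right after `_etext` undoes the `(. - __KERNEL_TEXT_OFFSET)` start address given to `.init.text` in the previous hunk, and the reader has to find that hunk to understand why the location counter jumps here. Put a comment on this line saying the text sections were linked at a VMA `__KERNEL_TEXT_OFFSET` below their load address and that this restores the counter for the read-only data that follows. The bump from `ALIGN(16)` to `ALIGN(4096)` also deserves a word: `__ex_table` now opens the `:rodata` segment, so its start must be page-aligned for the segment permissions to apply.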
45525 +@@ -71,11 +189,38 @@ SECTIONS
45526 + __tracedata_end = .;
45527 + }
45528 +
45529 +- RODATA
45530 ++ RO_DATA(4096)
45531 ++
45532 ++ . = ALIGN(4096);
45533 ++ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
45534 ++ *(.idt)
45535 ++ . = ALIGN(4096);
45536 ++ *(.empty_zero_page)
45537 ++ *(.swapper_pm_dir)
45538 ++ *(.swapper_pg_dir)
45539 ++ }
45540 ++
45541 ++#ifdef CONFIG_PAX_KERNEXEC
45542 ++
45543 ++#ifdef CONFIG_MODULES
45544 ++ . = ALIGN(4096);
45545 ++ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
45546 ++ MODULES_VADDR = .;
45547 ++ BYTE(0)
45548 ++ . += (6 * 1024 * 1024);
45549 ++ . = ALIGN( PMD_SIZE) - 1;
45550 ++ MODULES_END = .;
45551 ++ }
45552 ++#else
45553 ++ . = ALIGN(PMD_SIZE) - 1;
45554 ++#endif
45555 ++
45556 ++#endif
45557 +
45558 + /* writeable */
45559 + . = ALIGN(4096);
45560 + .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
45561 ++ _data = .;
45562 + DATA_DATA
45563 + CONSTRUCTORS
45564 + } :data
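Review bot: `*(.swapper_pm_dir)` and `*(.swapper_pg_dir)` move into `.rodata.page_aligned`, which lives in the read-only `:rodata` segment, so every runtime writer of the boot page tables must now open the kernel for writing first; please list those sites or point at the hunk that converts them, otherwise this is an easy way to get a write fault on the first kernel page-table update. The `.module.text` reservation also hard-codes `. += (6 * 1024 * 1024);` for the module area; make the size a named constant (or a Kconfig value) and comment on why `MODULES_VADDR` / `MODULES_END` are carved out next to the kernel text here. Finally, `ALIGN( PMD_SIZE) - 1` has a stray space and the same undocumented `- 1` as the `.filler` section.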
45565 +@@ -91,7 +236,6 @@ SECTIONS
45566 + . = ALIGN(4096);
45567 + .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45568 + *(.data.page_aligned)
45569 +- *(.data.idt)
45570 + }
45571 +
45572 + . = ALIGN(32);
45573 +@@ -111,86 +255,7 @@ SECTIONS
45574 + *(.data.init_task)
45575 + }
45576 +
45577 +- /* might get freed after init */
45578 +- . = ALIGN(4096);
45579 +- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45580 +- __smp_locks = .;
45581 +- *(.smp_locks)
45582 +- __smp_locks_end = .;
45583 +- }
45584 +- /* will be freed after init
45585 +- * Following ALIGN() is required to make sure no other data falls on the
45586 +- * same page where __smp_alt_end is pointing as that page might be freed
45587 +- * after boot. Always make sure that ALIGN() directive is present after
45588 +- * the section which contains __smp_alt_end.
45589 +- */
45590 +- . = ALIGN(4096);
45591 +-
45592 +- /* will be freed after init */
45593 +- . = ALIGN(4096); /* Init code and data */
45594 +- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
45595 +- __init_begin = .;
45596 +- _sinittext = .;
45597 +- *(.init.text)
45598 +- _einittext = .;
45599 +- }
45600 +- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
45601 +- . = ALIGN(16);
45602 +- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
45603 +- __setup_start = .;
45604 +- *(.init.setup)
45605 +- __setup_end = .;
45606 +- }
45607 +- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
45608 +- __initcall_start = .;
45609 +- INITCALLS
45610 +- __initcall_end = .;
45611 +- }
45612 +- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
45613 +- __con_initcall_start = .;
45614 +- *(.con_initcall.init)
45615 +- __con_initcall_end = .;
45616 +- }
45617 +- SECURITY_INIT
45618 +- . = ALIGN(4);
45619 +- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
45620 +- __alt_instructions = .;
45621 +- *(.altinstructions)
45622 +- __alt_instructions_end = .;
45623 +- }
45624 +- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
45625 +- *(.altinstr_replacement)
45626 +- }
45627 +- . = ALIGN(4);
45628 +- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
45629 +- __parainstructions = .;
45630 +- *(.parainstructions)
45631 +- __parainstructions_end = .;
45632 +- }
45633 +- /* .exit.text is discard at runtime, not link time, to deal with references
45634 +- from .altinstructions and .eh_frame */
45635 +- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
45636 +- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
45637 +-#if defined(CONFIG_BLK_DEV_INITRD)
45638 +- . = ALIGN(4096);
45639 +- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
45640 +- __initramfs_start = .;
45641 +- *(.init.ramfs)
45642 +- __initramfs_end = .;
45643 +- }
45644 +-#endif
45645 +- . = ALIGN(4096);
45646 +- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
45647 +- __per_cpu_start = .;
45648 +- *(.data.percpu)
45649 +- *(.data.percpu.shared_aligned)
45650 +- __per_cpu_end = .;
45651 +- }
45652 +- . = ALIGN(4096);
45653 +- /* freed after init ends here */
45654 +-
45655 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
45656 +- __init_end = .;
45657 + __bss_start = .; /* BSS */
45658 + *(.bss.page_aligned)
45659 + *(.bss)
45660 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S
45661 +--- linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S 2008-03-24 14:49:18.000000000 -0400
45662 ++++ linux-2.6.24.5/arch/x86/kernel/vmlinux_64.lds.S 2008-03-26 20:21:08.000000000 -0400
45663 +@@ -16,8 +16,8 @@ jiffies_64 = jiffies;
45664 + _proxy_pda = 1;
45665 + PHDRS {
45666 + text PT_LOAD FLAGS(5); /* R_E */
45667 +- data PT_LOAD FLAGS(7); /* RWE */
45668 +- user PT_LOAD FLAGS(7); /* RWE */
45669 ++ data PT_LOAD FLAGS(6); /* RW_ */
45670 ++ user PT_LOAD FLAGS(7); /* RWX */
45671 + data.init PT_LOAD FLAGS(7); /* RWE */
45672 + note PT_NOTE FLAGS(4); /* R__ */
45673 + }
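Review bot: `data` goes to `FLAGS(6)` (RW_), which is the point of the change, but `user PT_LOAD FLAGS(7)` keeps its value and only its comment changes from `RWE` to `RWX`, and `data.init PT_LOAD FLAGS(7); /* RWE */` is left executable. Use one spelling for the comments, and either say why the init data segment must stay executable (the 32-bit script in this patch splits init into separate `inittext` R_E and `initdata` RW_ segments) or give it `FLAGS(6)` too. If the vsyscall `user` segment really needs W and X together, that warrants a comment because it is now the only such segment left.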
45674 +@@ -52,7 +52,7 @@ SECTIONS
45675 +
45676 + BUG_TABLE :text
45677 +
45678 +- RODATA
45679 ++ RO_DATA(4096)
45680 +
45681 + . = ALIGN(4);
45682 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
45683 +@@ -61,15 +61,18 @@ SECTIONS
45684 + __tracedata_end = .;
45685 + }
45686 +
45687 ++#ifdef CONFIG_PAX_KERNEXEC
45688 ++ . = ALIGN(2*1024*1024); /* Align data segment to PMD size boundary */
45689 ++#else
45690 + . = ALIGN(PAGE_SIZE); /* Align data segment to page size boundary */
45691 ++#endif
45692 + /* Data */
45693 ++ _data = .;
45694 + .data : AT(ADDR(.data) - LOAD_OFFSET) {
45695 + DATA_DATA
45696 + CONSTRUCTORS
45697 + } :data
45698 +
45699 +- _edata = .; /* End of data section */
45700 +-
45701 + . = ALIGN(PAGE_SIZE);
45702 + . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
45703 + .data.cacheline_aligned : AT(ADDR(.data.cacheline_aligned) - LOAD_OFFSET) {
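Review bot: the `CONFIG_PAX_KERNEXEC` alignment hard-codes `ALIGN(2*1024*1024)` with a comment calling it the PMD size, and the same literal recurs before `_end` later in this file. Define a `PMD_SIZE` here, as the vmlinux_32.lds.S hunk does, and use it in both places. Also note that `_data = .;` is placed before the `.data :` output section rather than inside it, so it marks the aligned boundary rather than the section start; fine if intended, but say so, since the 32-bit script puts `_data` inside `.data`.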
45704 +@@ -80,9 +83,27 @@ SECTIONS
45705 + *(.data.read_mostly)
45706 + }
45707 +
45708 ++ . = ALIGN(8192); /* init_task */
45709 ++ .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
45710 ++ *(.data.init_task)
45711 ++ }
45712 ++
45713 ++ . = ALIGN(4096);
45714 ++ .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45715 ++ *(.data.page_aligned)
45716 ++ }
45717 ++
45718 ++ . = ALIGN(4096);
45719 ++ __nosave_begin = .;
45720 ++ .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
45721 ++ . = ALIGN(4096);
45722 ++ __nosave_end = .;
45723 ++
45724 ++ _edata = .; /* End of data section */
45725 ++
45726 + #define VSYSCALL_ADDR (-10*1024*1024)
45727 +-#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
45728 +-#define VSYSCALL_VIRT_ADDR ((ADDR(.data.read_mostly) + SIZEOF(.data.read_mostly) + 4095) & ~(4095))
45729 ++#define VSYSCALL_PHYS_ADDR ((LOADADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
45730 ++#define VSYSCALL_VIRT_ADDR ((ADDR(.data_nosave) + SIZEOF(.data_nosave) + 4095) & ~(4095))
45731 +
45732 + #define VLOAD_OFFSET (VSYSCALL_ADDR - VSYSCALL_PHYS_ADDR)
45733 + #define VLOAD(x) (ADDR(x) - VLOAD_OFFSET)
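Review bot: `_edata = .;` moves from directly after `.data` to after `.data_nosave`, so it now also covers `.data.cacheline_aligned`, `.data.read_mostly`, `.data.init_task`, `.data.page_aligned` and the nosave region; anything that treats `_edata` as "end of initialised data" sees a different range, and the changelog should say this is intended. Since `VSYSCALL_PHYS_ADDR` / `VSYSCALL_VIRT_ADDR` are now derived from `.data_nosave` instead of `.data.read_mostly`, the `ALIGN(4096)` around `__nosave_begin` / `__nosave_end` is what those macros rely on; mention that dependency in a comment next to the macros so nobody relaxes the alignment later.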
45734 +@@ -130,23 +151,13 @@ SECTIONS
45735 + #undef VVIRT_OFFSET
45736 + #undef VVIRT
45737 +
45738 +- . = ALIGN(8192); /* init_task */
45739 +- .data.init_task : AT(ADDR(.data.init_task) - LOAD_OFFSET) {
45740 +- *(.data.init_task)
45741 +- }:data.init
45742 +-
45743 +- . = ALIGN(4096);
45744 +- .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
45745 +- *(.data.page_aligned)
45746 +- }
45747 +-
45748 + /* might get freed after init */
45749 + . = ALIGN(4096);
45750 + __smp_alt_begin = .;
45751 + __smp_locks = .;
45752 + .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
45753 + *(.smp_locks)
45754 +- }
45755 ++ } :data.init
45756 + __smp_locks_end = .;
45757 + . = ALIGN(4096);
45758 + __smp_alt_end = .;
45759 +@@ -208,12 +219,6 @@ SECTIONS
45760 + . = ALIGN(4096);
45761 + __init_end = .;
45762 +
45763 +- . = ALIGN(4096);
45764 +- __nosave_begin = .;
45765 +- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) { *(.data.nosave) }
45766 +- . = ALIGN(4096);
45767 +- __nosave_end = .;
45768 +-
45769 + __bss_start = .; /* BSS */
45770 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
45771 + *(.bss.page_aligned)
45772 +@@ -221,6 +226,7 @@ SECTIONS
45773 + }
45774 + __bss_stop = .;
45775 +
45776 ++ . = ALIGN(2*1024*1024);
45777 + _end = . ;
45778 +
45779 + /* Sections to be discarded */
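Review bot: `. = ALIGN(2*1024*1024);` before `_end` is unconditional, while the matching data alignment earlier in this file is under `#ifdef CONFIG_PAX_KERNEXEC`; either guard this one the same way or comment on why a non-KERNEXEC build should also round the image up to a 2 MiB boundary, since `_end` now claims up to 2 MiB past the BSS. Use the shared PMD-size constant here as well.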
45780 +diff -urNp linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c
45781 +--- linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c 2008-03-24 14:49:18.000000000 -0400
45782 ++++ linux-2.6.24.5/arch/x86/kernel/vsyscall_64.c 2008-03-26 20:21:08.000000000 -0400
45783 +@@ -271,13 +271,13 @@ static ctl_table kernel_table2[] = {
45784 + .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
45785 + .mode = 0644,
45786 + .proc_handler = vsyscall_sysctl_change },
45787 +- {}
45788 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45789 + };
45790 +
45791 + static ctl_table kernel_root_table2[] = {
45792 + { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
45793 + .child = kernel_table2 },
45794 +- {}
45795 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
45796 + };
45797 +
45798 + #endif
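Review bot: `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` spells out all eleven `ctl_table` fields positionally for what is just a terminator; a designated `{ .ctl_name = 0 }` (or the original `{}`) says the same thing and survives a field being added or reordered. Two copies here plus the `dmi_system_id` sentinel in tsc_32.c make a good case for a small terminator macro (hypothetically `CTL_TABLE_END`) if the plain `{}` form is being avoided because of a warning.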
45799 +@@ -288,6 +288,11 @@ static void __cpuinit vsyscall_set_cpu(i
45800 + {
45801 + unsigned long *d;
45802 + unsigned long node = 0;
45803 ++
45804 ++#ifdef CONFIG_PAX_KERNEXEC
45805 ++ unsigned long cr0;
45806 ++#endif
45807 ++
45808 + #ifdef CONFIG_NUMA
45809 + node = cpu_to_node(cpu);
45810 + #endif
45811 +@@ -298,10 +303,20 @@ static void __cpuinit vsyscall_set_cpu(i
45812 + in user space in vgetcpu.
45813 + 12 bits for the CPU and 8 bits for the node. */
45814 + d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU);
45815 ++
45816 ++#ifdef CONFIG_PAX_KERNEXEC
45817 ++ pax_open_kernel(cr0);
45818 ++#endif
45819 ++
45820 + *d = 0x0f40000000000ULL;
45821 + *d |= cpu;
45822 + *d |= (node & 0xf) << 12;
45823 + *d |= (node >> 4) << 48;
45824 ++
45825 ++#ifdef CONFIG_PAX_KERNEXEC
45826 ++ pax_close_kernel(cr0);
45827 ++#endif
45828 ++
45829 + }
45830 +
45831 + static void __cpuinit cpu_vsyscall_init(void *arg)
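Review bot: the window between `pax_open_kernel(cr0)` and `pax_close_kernel(cr0)` covers four separate stores to the GDT entry (`*d = 0x0f40000000000ULL; *d |= cpu; ...`), and it runs once per CPU from `__cpuinit` code. Build the descriptor value in a local and store it once inside the window; that keeps the time the kernel is writable to a single instruction and makes the open/close pair trivially auditable.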
45832 +diff -urNp linux-2.6.24.5/arch/x86/lib/checksum_32.S linux-2.6.24.5/arch/x86/lib/checksum_32.S
45833 +--- linux-2.6.24.5/arch/x86/lib/checksum_32.S 2008-03-24 14:49:18.000000000 -0400
45834 ++++ linux-2.6.24.5/arch/x86/lib/checksum_32.S 2008-03-26 20:21:08.000000000 -0400
45835 +@@ -28,7 +28,8 @@
45836 + #include <linux/linkage.h>
45837 + #include <asm/dwarf2.h>
45838 + #include <asm/errno.h>
45839 +-
45840 ++#include <asm/segment.h>
45841 ++
45842 + /*
45843 + * computes a partial checksum, e.g. for TCP/UDP fragments
45844 + */
45845 +@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
45846 +
45847 + #define ARGBASE 16
45848 + #define FP 12
45849 +-
45850 +-ENTRY(csum_partial_copy_generic)
45851 ++
45852 ++ENTRY(csum_partial_copy_generic_to_user)
45853 + CFI_STARTPROC
45854 ++ pushl $(__USER_DS)
45855 ++ CFI_ADJUST_CFA_OFFSET 4
45856 ++ popl %es
45857 ++ CFI_ADJUST_CFA_OFFSET -4
45858 ++ jmp csum_partial_copy_generic
45859 ++
45860 ++ENTRY(csum_partial_copy_generic_from_user)
45861 ++ pushl $(__USER_DS)
45862 ++ CFI_ADJUST_CFA_OFFSET 4
45863 ++ popl %ds
45864 ++ CFI_ADJUST_CFA_OFFSET -4
45865 ++
45866 ++ENTRY(csum_partial_copy_generic)
45867 + subl $4,%esp
45868 + CFI_ADJUST_CFA_OFFSET 4
45869 + pushl %edi
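Review bot: `csum_partial_copy_generic_to_user` loads `__USER_DS` into `%es` and jumps to the generic body, `csum_partial_copy_generic_from_user` loads it into `%ds` and falls through; neither entry shows a matching reload of the kernel segments, so the exit path and every exception-fixup path of `csum_partial_copy_generic` must restore `%ds`/`%es` before returning or the caller continues with a user data segment loaded. That restore is not in the visible hunks; please point at it in the changelog. Also comment the asymmetry: the body's `DST()` stores get an explicit `%es:` override while its `SRC()` loads stay implicit, so the from-user variant works only because `%ds` was switched, and the `_from_user` entry relies on the `ENTRY()` alignment padding being executable filler to fall into `csum_partial_copy_generic`. A `CFI_STARTPROC` for the second entry point is also missing, so all three symbols end up in the first one's FDE.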
45870 +@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
45871 + jmp 4f
45872 + SRC(1: movw (%esi), %bx )
45873 + addl $2, %esi
45874 +-DST( movw %bx, (%edi) )
45875 ++DST( movw %bx, %es:(%edi) )
45876 + addl $2, %edi
45877 + addw %bx, %ax
45878 + adcl $0, %eax
45879 +@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
45880 + SRC(1: movl (%esi), %ebx )
45881 + SRC( movl 4(%esi), %edx )
45882 + adcl %ebx, %eax
45883 +-DST( movl %ebx, (%edi) )
45884 ++DST( movl %ebx, %es:(%edi) )
45885 + adcl %edx, %eax
45886 +-DST( movl %edx, 4(%edi) )
45887 ++DST( movl %edx, %es:4(%edi) )
45888 +
45889 + SRC( movl 8(%esi), %ebx )
45890 + SRC( movl 12(%esi), %edx )
45891 + adcl %ebx, %eax
45892 +-DST( movl %ebx, 8(%edi) )
45893 ++DST( movl %ebx, %es:8(%edi) )
45894 + adcl %edx, %eax
45895 +-DST( movl %edx, 12(%edi) )
45896 ++DST( movl %edx, %es:12(%edi) )
45897 +
45898 + SRC( movl 16(%esi), %ebx )
45899 + SRC( movl 20(%esi), %edx )
45900 + adcl %ebx, %eax
45901 +-DST( movl %ebx, 16(%edi) )
45902 ++DST( movl %ebx, %es:16(%edi) )
45903 + adcl %edx, %eax
45904 +-DST( movl %edx, 20(%edi) )
45905 ++DST( movl %edx, %es:20(%edi) )
45906 +
45907 + SRC( movl 24(%esi), %ebx )
45908 + SRC( movl 28(%esi), %edx )
45909 + adcl %ebx, %eax
45910 +-DST( movl %ebx, 24(%edi) )
45911 ++DST( movl %ebx, %es:24(%edi) )
45912 + adcl %edx, %eax
45913 +-DST( movl %edx, 28(%edi) )
45914 ++DST( movl %edx, %es:28(%edi) )
45915 +
45916 + lea 32(%esi), %esi
45917 + lea 32(%edi), %edi
45918 +@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
45919 + shrl $2, %edx # This clears CF
45920 + SRC(3: movl (%esi), %ebx )
45921 + adcl %ebx, %eax
45922 +-DST( movl %ebx, (%edi) )
45923 ++DST( movl %ebx, %es:(%edi) )
45924 + lea 4(%esi), %esi
45925 + lea 4(%edi), %edi
45926 + dec %edx
45927 +@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
45928 + jb 5f
45929 + SRC( movw (%esi), %cx )
45930 + leal 2(%esi), %esi
45931 +-DST( movw %cx, (%edi) )
45932 ++DST( movw %cx, %es:(%edi) )
45933 + leal 2(%edi), %edi
45934 + je 6f
45935 + shll $16,%ecx
45936 + SRC(5: movb (%esi), %cl )
45937 +-DST( movb %cl, (%edi) )
45938 ++DST( movb %cl, %es:(%edi) )
45939 + 6: addl %ecx, %eax
45940 + adcl $0, %eax
45941 + 7:
45942 +@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
45943 +
45944 + 6001:
45945 + movl ARGBASE+20(%esp), %ebx # src_err_ptr
45946 +- movl $-EFAULT, (%ebx)
45947 ++ movl $-EFAULT, %ss:(%ebx)
45948 +
45949 + # zero the complete destination - computing the rest
45950 + # is too much work
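Review bot: `movl $-EFAULT, %ss:(%ebx)` has no comment explaining the segment override. It is required because in the from_user path %ds is __USER_DS while src_err_ptr is a kernel pointer, and %ss still selects the kernel stack segment, so %ss: is the one override that is correct from both entry points. Put that reason next to `# src_err_ptr`; a later cleanup that drops the seemingly redundant prefix would break only the from_user variant, and only under a fault.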
45951 +@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
45952 +
45953 + 6002:
45954 + movl ARGBASE+24(%esp), %ebx # dst_err_ptr
45955 +- movl $-EFAULT,(%ebx)
45956 ++ movl $-EFAULT,%ss:(%ebx)
45957 + jmp 5000b
45958 +
45959 + .previous
45960 +
45961 ++ pushl %ss
45962 ++ CFI_ADJUST_CFA_OFFSET 4
45963 ++ popl %ds
45964 ++ CFI_ADJUST_CFA_OFFSET -4
45965 ++ pushl %ss
45966 ++ CFI_ADJUST_CFA_OFFSET 4
45967 ++ popl %es
45968 ++ CFI_ADJUST_CFA_OFFSET -4
45969 + popl %ebx
45970 + CFI_ADJUST_CFA_OFFSET -4
45971 + CFI_RESTORE ebx
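Review bot: the restore sequence (`pushl %ss; popl %ds` then `pushl %ss; popl %es`) sits after `.previous`, i.e. in normal text just before the register pops, so the normal return path is covered. The 6002 fixup leaves with `jmp 5000b`, and label 5000 is not in this hunk; please confirm it precedes the new restore rather than following it, and likewise for the exit of the 6001 zeroing path. If either fixup rejoins after the restore, a faulting copy returns to C code with a user segment still loaded in %ds or %es.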
45972 +@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
45973 + CFI_ADJUST_CFA_OFFSET -4
45974 + ret
45975 + CFI_ENDPROC
45976 +-ENDPROC(csum_partial_copy_generic)
45977 ++ENDPROC(csum_partial_copy_generic_to_user)
45978 +
45979 + #else
45980 +
45981 + /* Version for PentiumII/PPro */
45982 +
45983 + #define ROUND1(x) \
45984 ++ nop; nop; nop; \
45985 + SRC(movl x(%esi), %ebx ) ; \
45986 + addl %ebx, %eax ; \
45987 +- DST(movl %ebx, x(%edi) ) ;
45988 ++ DST(movl %ebx, %es:x(%edi)) ;
45989 +
45990 + #define ROUND(x) \
45991 ++ nop; nop; nop; \
45992 + SRC(movl x(%esi), %ebx ) ; \
45993 + adcl %ebx, %eax ; \
45994 +- DST(movl %ebx, x(%edi) ) ;
45995 ++ DST(movl %ebx, %es:x(%edi)) ;
45996 +
45997 + #define ARGBASE 12
45998 +-
45999 +-ENTRY(csum_partial_copy_generic)
46000 ++
46001 ++ENTRY(csum_partial_copy_generic_to_user)
46002 + CFI_STARTPROC
46003 ++ pushl $(__USER_DS)
46004 ++ CFI_ADJUST_CFA_OFFSET 4
46005 ++ popl %es
46006 ++ CFI_ADJUST_CFA_OFFSET -4
46007 ++ jmp csum_partial_copy_generic
46008 ++
46009 ++ENTRY(csum_partial_copy_generic_from_user)
46010 ++ pushl $(__USER_DS)
46011 ++ CFI_ADJUST_CFA_OFFSET 4
46012 ++ popl %ds
46013 ++ CFI_ADJUST_CFA_OFFSET -4
46014 ++
46015 ++ENTRY(csum_partial_copy_generic)
46016 + pushl %ebx
46017 + CFI_ADJUST_CFA_OFFSET 4
46018 + CFI_REL_OFFSET ebx, 0
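Review bot: the three `nop` instructions prepended to ROUND1 and ROUND have no comment. They are not alignment padding: each DST store grew by one byte of %es: prefix, and the nops bring every unrolled round to a fixed encoded length that the computed jump `lea 3f(%ebx,%ebx,2)` in the next hunk depends on. Say that in a comment on both macros, because a well-meaning cleanup that removes "useless" nops would make the jump land inside an instruction, and nothing at build time would catch it.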
46019 +@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
46020 + subl %ebx, %edi
46021 + lea -1(%esi),%edx
46022 + andl $-32,%edx
46023 +- lea 3f(%ebx,%ebx), %ebx
46024 ++ lea 3f(%ebx,%ebx,2), %ebx
46025 + testl %esi, %esi
46026 + jmp *%ebx
46027 + 1: addl $64,%esi
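Review bot: changing the jump-table stride from `3f(%ebx,%ebx)` (2*%ebx) to `3f(%ebx,%ebx,2)` (3*%ebx) assumes each unrolled round now encodes to exactly 12 bytes where it used to be 8. With disp8 operands that is movl x(%esi),%ebx = 3 bytes, addl/adcl %ebx,%eax = 2, movl %ebx,%es:x(%edi) = 4 (3 plus the prefix), plus 3 nops = 12, against 3+2+3 = 8 before, which matches. It only holds while the assembler keeps the disp8 forms and SRC()/DST() expand to nothing beyond the instruction and an exception-table entry; please verify on the built object with objdump that consecutive rounds are 12 bytes apart, and consider a build-time `.if`/`.error` check in the source so the invariant is enforced rather than remembered.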
46028 +@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
46029 + jb 5f
46030 + SRC( movw (%esi), %dx )
46031 + leal 2(%esi), %esi
46032 +-DST( movw %dx, (%edi) )
46033 ++DST( movw %dx, %es:(%edi) )
46034 + leal 2(%edi), %edi
46035 + je 6f
46036 + shll $16,%edx
46037 + 5:
46038 + SRC( movb (%esi), %dl )
46039 +-DST( movb %dl, (%edi) )
46040 ++DST( movb %dl, %es:(%edi) )
46041 + 6: addl %edx, %eax
46042 + adcl $0, %eax
46043 + 7:
46044 + .section .fixup, "ax"
46045 + 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
46046 +- movl $-EFAULT, (%ebx)
46047 ++ movl $-EFAULT, %ss:(%ebx)
46048 + # zero the complete destination (computing the rest is too much work)
46049 + movl ARGBASE+8(%esp),%edi # dst
46050 + movl ARGBASE+12(%esp),%ecx # len
46051 +@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
46052 + rep; stosb
46053 + jmp 7b
46054 + 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
46055 +- movl $-EFAULT, (%ebx)
46056 ++ movl $-EFAULT, %ss:(%ebx)
46057 + jmp 7b
46058 + .previous
46059 +
46060 ++ pushl %ss
46061 ++ CFI_ADJUST_CFA_OFFSET 4
46062 ++ popl %ds
46063 ++ CFI_ADJUST_CFA_OFFSET -4
46064 ++ pushl %ss
46065 ++ CFI_ADJUST_CFA_OFFSET 4
46066 ++ popl %es
46067 ++ CFI_ADJUST_CFA_OFFSET -4
46068 + popl %esi
46069 + CFI_ADJUST_CFA_OFFSET -4
46070 + CFI_RESTORE esi
46071 +@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
46072 + CFI_RESTORE ebx
46073 + ret
46074 + CFI_ENDPROC
46075 +-ENDPROC(csum_partial_copy_generic)
46076 ++ENDPROC(csum_partial_copy_generic_to_user)
46077 +
46078 + #undef ROUND
46079 + #undef ROUND1
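Review bot: with `ENDPROC(csum_partial_copy_generic)` renamed to `ENDPROC(csum_partial_copy_generic_to_user)`, only the _to_user symbol gets a `.type` and `.size`; csum_partial_copy_generic_from_user and csum_partial_copy_generic are now ENTRY points inside the same procedure and end up without size information. Linking is unaffected, but tooling that relies on symbol sizes (objdump function boundaries, kallsyms size lookups) will treat the two as zero-length. Either add END() annotations for them or leave a comment at the ENDPROC that three entry points share one body. The same applies to the ENDPROC rename in the non-PPro version earlier in this file.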
46080 +diff -urNp linux-2.6.24.5/arch/x86/lib/clear_page_64.S linux-2.6.24.5/arch/x86/lib/clear_page_64.S
46081 +--- linux-2.6.24.5/arch/x86/lib/clear_page_64.S 2008-03-24 14:49:18.000000000 -0400
46082 ++++ linux-2.6.24.5/arch/x86/lib/clear_page_64.S 2008-03-26 20:21:08.000000000 -0400
46083 +@@ -44,7 +44,7 @@ ENDPROC(clear_page)
46084 +
46085 + #include <asm/cpufeature.h>
46086 +
46087 +- .section .altinstr_replacement,"ax"
46088 ++ .section .altinstr_replacement,"a"
46089 + 1: .byte 0xeb /* jmp <disp8> */
46090 + .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
46091 + 2:
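Review bot: dropping the executable flag from `.altinstr_replacement` ("ax" to "a") is the right direction for a section whose bytes are only ever copied into place by the alternatives code and never executed where they sit, but section flags must be changed in every emitter. The linker merges same-named input sections, so a single remaining "ax" emitter (the inline-asm alternative macros in the C headers, or any .S file not in this patch) makes the whole output section executable again. The copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S hunks below cover these assembly files; please confirm the header side is handled elsewhere in the patch.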
46092 +diff -urNp linux-2.6.24.5/arch/x86/lib/copy_page_64.S linux-2.6.24.5/arch/x86/lib/copy_page_64.S
46093 +--- linux-2.6.24.5/arch/x86/lib/copy_page_64.S 2008-03-24 14:49:18.000000000 -0400
46094 ++++ linux-2.6.24.5/arch/x86/lib/copy_page_64.S 2008-03-26 20:21:08.000000000 -0400
46095 +@@ -104,7 +104,7 @@ ENDPROC(copy_page)
46096 +
46097 + #include <asm/cpufeature.h>
46098 +
46099 +- .section .altinstr_replacement,"ax"
46100 ++ .section .altinstr_replacement,"a"
46101 + 1: .byte 0xeb /* jmp <disp8> */
46102 + .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
46103 + 2:
46104 +diff -urNp linux-2.6.24.5/arch/x86/lib/copy_user_64.S linux-2.6.24.5/arch/x86/lib/copy_user_64.S
46105 +--- linux-2.6.24.5/arch/x86/lib/copy_user_64.S 2008-03-24 14:49:18.000000000 -0400
46106 ++++ linux-2.6.24.5/arch/x86/lib/copy_user_64.S 2008-03-26 20:21:08.000000000 -0400
46107 +@@ -19,7 +19,7 @@
46108 + .byte 0xe9 /* 32bit jump */
46109 + .long \orig-1f /* by default jump to orig */
46110 + 1:
46111 +- .section .altinstr_replacement,"ax"
46112 ++ .section .altinstr_replacement,"a"
46113 + 2: .byte 0xe9 /* near jump with 32bit immediate */
46114 + .long \alt-1b /* offset */ /* or alternatively to alt */
46115 + .previous
46116 +diff -urNp linux-2.6.24.5/arch/x86/lib/getuser_32.S linux-2.6.24.5/arch/x86/lib/getuser_32.S
46117 +--- linux-2.6.24.5/arch/x86/lib/getuser_32.S 2008-03-24 14:49:18.000000000 -0400
46118 ++++ linux-2.6.24.5/arch/x86/lib/getuser_32.S 2008-03-26 20:21:08.000000000 -0400
46119 +@@ -11,7 +11,7 @@
46120 + #include <linux/linkage.h>
46121 + #include <asm/dwarf2.h>
46122 + #include <asm/thread_info.h>
46123 +-
46124 ++#include <asm/segment.h>
46125 +
46126 + /*
46127 + * __get_user_X
46128 +@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
46129 + GET_THREAD_INFO(%edx)
46130 + cmpl TI_addr_limit(%edx),%eax
46131 + jae bad_get_user
46132 ++ pushl $(__USER_DS)
46133 ++ popl %ds
46134 + 1: movzbl (%eax),%edx
46135 ++ pushl %ss
46136 ++ pop %ds
46137 + xorl %eax,%eax
46138 + ret
46139 + CFI_ENDPROC
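Review bot: the restore is written `pop %ds` here while the matching putuser_32.S hunks later in this patch write `popl %ds`; the assembler accepts both, but one spelling should be used throughout. The two push/pop pairs also carry no CFI_ADJUST_CFA_OFFSET annotations, unlike the bad_put_user hunk below. That is harmless in practice, since the only instruction that can fault (`1: movzbl (%eax),%edx`) runs after the pop has brought the CFA back, but the unwind annotations in this patch should be consistent one way or the other.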
46140 +@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
46141 + GET_THREAD_INFO(%edx)
46142 + cmpl TI_addr_limit(%edx),%eax
46143 + jae bad_get_user
46144 ++ pushl $(__USER_DS)
46145 ++ popl %ds
46146 + 2: movzwl -1(%eax),%edx
46147 ++ pushl %ss
46148 ++ pop %ds
46149 + xorl %eax,%eax
46150 + ret
46151 + CFI_ENDPROC
46152 +@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
46153 + GET_THREAD_INFO(%edx)
46154 + cmpl TI_addr_limit(%edx),%eax
46155 + jae bad_get_user
46156 ++ pushl $(__USER_DS)
46157 ++ popl %ds
46158 + 3: movl -3(%eax),%edx
46159 ++ pushl %ss
46160 ++ pop %ds
46161 + xorl %eax,%eax
46162 + ret
46163 + CFI_ENDPROC
46164 +@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
46165 +
46166 + bad_get_user:
46167 + CFI_STARTPROC
46168 ++ pushl %ss
46169 ++ pop %ds
46170 + xorl %edx,%edx
46171 + movl $-14,%eax
46172 + ret
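Review bot: bad_get_user is reached on two paths: from the exception table after a faulting load, where %ds is still __USER_DS and this `pushl %ss; pop %ds` is what restores it, and from the `jae bad_get_user` limit checks, which branch before the `pushl $(__USER_DS); popl %ds` switch, so there the pair merely reloads the kernel segment. Both are correct, but this is the only place the fault path restores %ds; a one-line comment saying so would stop someone from moving the restore into the per-entry code and silently losing fault-path coverage.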
46173 +diff -urNp linux-2.6.24.5/arch/x86/lib/memcpy_64.S linux-2.6.24.5/arch/x86/lib/memcpy_64.S
46174 +--- linux-2.6.24.5/arch/x86/lib/memcpy_64.S 2008-03-24 14:49:18.000000000 -0400
46175 ++++ linux-2.6.24.5/arch/x86/lib/memcpy_64.S 2008-03-26 20:21:08.000000000 -0400
46176 +@@ -114,7 +114,7 @@ ENDPROC(__memcpy)
46177 + /* Some CPUs run faster using the string copy instructions.
46178 + It is also a lot simpler. Use this when possible */
46179 +
46180 +- .section .altinstr_replacement,"ax"
46181 ++ .section .altinstr_replacement,"a"
46182 + 1: .byte 0xeb /* jmp <disp8> */
46183 + .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
46184 + 2:
46185 +diff -urNp linux-2.6.24.5/arch/x86/lib/memset_64.S linux-2.6.24.5/arch/x86/lib/memset_64.S
46186 +--- linux-2.6.24.5/arch/x86/lib/memset_64.S 2008-03-24 14:49:18.000000000 -0400
46187 ++++ linux-2.6.24.5/arch/x86/lib/memset_64.S 2008-03-26 20:21:08.000000000 -0400
46188 +@@ -118,7 +118,7 @@ ENDPROC(__memset)
46189 +
46190 + #include <asm/cpufeature.h>
46191 +
46192 +- .section .altinstr_replacement,"ax"
46193 ++ .section .altinstr_replacement,"a"
46194 + 1: .byte 0xeb /* jmp <disp8> */
46195 + .byte (memset_c - memset) - (2f - 1b) /* offset */
46196 + 2:
46197 +diff -urNp linux-2.6.24.5/arch/x86/lib/mmx_32.c linux-2.6.24.5/arch/x86/lib/mmx_32.c
46198 +--- linux-2.6.24.5/arch/x86/lib/mmx_32.c 2008-03-24 14:49:18.000000000 -0400
46199 ++++ linux-2.6.24.5/arch/x86/lib/mmx_32.c 2008-03-26 20:21:08.000000000 -0400
46200 +@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
46201 + {
46202 + void *p;
46203 + int i;
46204 ++ unsigned long cr0;
46205 +
46206 + if (unlikely(in_interrupt()))
46207 + return __memcpy(to, from, len);
46208 +@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
46209 + kernel_fpu_begin();
46210 +
46211 + __asm__ __volatile__ (
46212 +- "1: prefetch (%0)\n" /* This set is 28 bytes */
46213 +- " prefetch 64(%0)\n"
46214 +- " prefetch 128(%0)\n"
46215 +- " prefetch 192(%0)\n"
46216 +- " prefetch 256(%0)\n"
46217 ++ "1: prefetch (%1)\n" /* This set is 28 bytes */
46218 ++ " prefetch 64(%1)\n"
46219 ++ " prefetch 128(%1)\n"
46220 ++ " prefetch 192(%1)\n"
46221 ++ " prefetch 256(%1)\n"
46222 + "2: \n"
46223 + ".section .fixup, \"ax\"\n"
46224 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46225 ++ "3: \n"
46226 ++
46227 ++#ifdef CONFIG_PAX_KERNEXEC
46228 ++ " movl %%cr0, %0\n"
46229 ++ " movl %0, %%eax\n"
46230 ++ " andl $0xFFFEFFFF, %%eax\n"
46231 ++ " movl %%eax, %%cr0\n"
46232 ++#endif
46233 ++
46234 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46235 ++
46236 ++#ifdef CONFIG_PAX_KERNEXEC
46237 ++ " movl %0, %%cr0\n"
46238 ++#endif
46239 ++
46240 + " jmp 2b\n"
46241 + ".previous\n"
46242 + ".section __ex_table,\"a\"\n"
46243 + " .align 4\n"
46244 + " .long 1b, 3b\n"
46245 + ".previous"
46246 +- : : "r" (from) );
46247 ++ : "=&r" (cr0) : "r" (from) : "ax");
46248 +
46249 +
46250 + for(; i>5; i--)
46251 + {
46252 + __asm__ __volatile__ (
46253 +- "1: prefetch 320(%0)\n"
46254 +- "2: movq (%0), %%mm0\n"
46255 +- " movq 8(%0), %%mm1\n"
46256 +- " movq 16(%0), %%mm2\n"
46257 +- " movq 24(%0), %%mm3\n"
46258 +- " movq %%mm0, (%1)\n"
46259 +- " movq %%mm1, 8(%1)\n"
46260 +- " movq %%mm2, 16(%1)\n"
46261 +- " movq %%mm3, 24(%1)\n"
46262 +- " movq 32(%0), %%mm0\n"
46263 +- " movq 40(%0), %%mm1\n"
46264 +- " movq 48(%0), %%mm2\n"
46265 +- " movq 56(%0), %%mm3\n"
46266 +- " movq %%mm0, 32(%1)\n"
46267 +- " movq %%mm1, 40(%1)\n"
46268 +- " movq %%mm2, 48(%1)\n"
46269 +- " movq %%mm3, 56(%1)\n"
46270 ++ "1: prefetch 320(%1)\n"
46271 ++ "2: movq (%1), %%mm0\n"
46272 ++ " movq 8(%1), %%mm1\n"
46273 ++ " movq 16(%1), %%mm2\n"
46274 ++ " movq 24(%1), %%mm3\n"
46275 ++ " movq %%mm0, (%2)\n"
46276 ++ " movq %%mm1, 8(%2)\n"
46277 ++ " movq %%mm2, 16(%2)\n"
46278 ++ " movq %%mm3, 24(%2)\n"
46279 ++ " movq 32(%1), %%mm0\n"
46280 ++ " movq 40(%1), %%mm1\n"
46281 ++ " movq 48(%1), %%mm2\n"
46282 ++ " movq 56(%1), %%mm3\n"
46283 ++ " movq %%mm0, 32(%2)\n"
46284 ++ " movq %%mm1, 40(%2)\n"
46285 ++ " movq %%mm2, 48(%2)\n"
46286 ++ " movq %%mm3, 56(%2)\n"
46287 + ".section .fixup, \"ax\"\n"
46288 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46289 ++ "3:\n"
46290 ++
46291 ++#ifdef CONFIG_PAX_KERNEXEC
46292 ++ " movl %%cr0, %0\n"
46293 ++ " movl %0, %%eax\n"
46294 ++ " andl $0xFFFEFFFF, %%eax\n"
46295 ++ " movl %%eax, %%cr0\n"
46296 ++#endif
46297 ++
46298 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46299 ++
46300 ++#ifdef CONFIG_PAX_KERNEXEC
46301 ++ " movl %0, %%cr0\n"
46302 ++#endif
46303 ++
46304 + " jmp 2b\n"
46305 + ".previous\n"
46306 + ".section __ex_table,\"a\"\n"
46307 + " .align 4\n"
46308 + " .long 1b, 3b\n"
46309 + ".previous"
46310 +- : : "r" (from), "r" (to) : "memory");
46311 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46312 + from+=64;
46313 + to+=64;
46314 + }
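Review bot: adding `"=&r" (cr0)` as the first output shifts every operand number, which is why each `%0`/`%1` reference to `from`/`to` in the templates had to become `%1`/`%2`; across four near-identical blocks in this file that renumbering is the easiest place for a mistake to hide. Named operands (`%[from]`, `%[to]`, `%[cr0]`) would avoid the shift entirely and shrink the diff to the inserted lines. Separately, `andl $0xFFFEFFFF, %%eax` clears bit 16 of CR0, the WP bit; spell it with a named constant (X86_CR0_WP where the tree provides it, or a local define) so the intent is visible without a datasheet.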
46315 +@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
46316 + static void fast_copy_page(void *to, void *from)
46317 + {
46318 + int i;
46319 ++ unsigned long cr0;
46320 +
46321 + kernel_fpu_begin();
46322 +
46323 +@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
46324 + * but that is for later. -AV
46325 + */
46326 + __asm__ __volatile__ (
46327 +- "1: prefetch (%0)\n"
46328 +- " prefetch 64(%0)\n"
46329 +- " prefetch 128(%0)\n"
46330 +- " prefetch 192(%0)\n"
46331 +- " prefetch 256(%0)\n"
46332 ++ "1: prefetch (%1)\n"
46333 ++ " prefetch 64(%1)\n"
46334 ++ " prefetch 128(%1)\n"
46335 ++ " prefetch 192(%1)\n"
46336 ++ " prefetch 256(%1)\n"
46337 + "2: \n"
46338 + ".section .fixup, \"ax\"\n"
46339 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46340 ++ "3: \n"
46341 ++
46342 ++#ifdef CONFIG_PAX_KERNEXEC
46343 ++ " movl %%cr0, %0\n"
46344 ++ " movl %0, %%eax\n"
46345 ++ " andl $0xFFFEFFFF, %%eax\n"
46346 ++ " movl %%eax, %%cr0\n"
46347 ++#endif
46348 ++
46349 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46350 ++
46351 ++#ifdef CONFIG_PAX_KERNEXEC
46352 ++ " movl %0, %%cr0\n"
46353 ++#endif
46354 ++
46355 + " jmp 2b\n"
46356 + ".previous\n"
46357 + ".section __ex_table,\"a\"\n"
46358 + " .align 4\n"
46359 + " .long 1b, 3b\n"
46360 + ".previous"
46361 +- : : "r" (from) );
46362 ++ : "=&r" (cr0) : "r" (from) : "ax");
46363 +
46364 + for(i=0; i<(4096-320)/64; i++)
46365 + {
46366 + __asm__ __volatile__ (
46367 +- "1: prefetch 320(%0)\n"
46368 +- "2: movq (%0), %%mm0\n"
46369 +- " movntq %%mm0, (%1)\n"
46370 +- " movq 8(%0), %%mm1\n"
46371 +- " movntq %%mm1, 8(%1)\n"
46372 +- " movq 16(%0), %%mm2\n"
46373 +- " movntq %%mm2, 16(%1)\n"
46374 +- " movq 24(%0), %%mm3\n"
46375 +- " movntq %%mm3, 24(%1)\n"
46376 +- " movq 32(%0), %%mm4\n"
46377 +- " movntq %%mm4, 32(%1)\n"
46378 +- " movq 40(%0), %%mm5\n"
46379 +- " movntq %%mm5, 40(%1)\n"
46380 +- " movq 48(%0), %%mm6\n"
46381 +- " movntq %%mm6, 48(%1)\n"
46382 +- " movq 56(%0), %%mm7\n"
46383 +- " movntq %%mm7, 56(%1)\n"
46384 ++ "1: prefetch 320(%1)\n"
46385 ++ "2: movq (%1), %%mm0\n"
46386 ++ " movntq %%mm0, (%2)\n"
46387 ++ " movq 8(%1), %%mm1\n"
46388 ++ " movntq %%mm1, 8(%2)\n"
46389 ++ " movq 16(%1), %%mm2\n"
46390 ++ " movntq %%mm2, 16(%2)\n"
46391 ++ " movq 24(%1), %%mm3\n"
46392 ++ " movntq %%mm3, 24(%2)\n"
46393 ++ " movq 32(%1), %%mm4\n"
46394 ++ " movntq %%mm4, 32(%2)\n"
46395 ++ " movq 40(%1), %%mm5\n"
46396 ++ " movntq %%mm5, 40(%2)\n"
46397 ++ " movq 48(%1), %%mm6\n"
46398 ++ " movntq %%mm6, 48(%2)\n"
46399 ++ " movq 56(%1), %%mm7\n"
46400 ++ " movntq %%mm7, 56(%2)\n"
46401 + ".section .fixup, \"ax\"\n"
46402 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46403 ++ "3:\n"
46404 ++
46405 ++#ifdef CONFIG_PAX_KERNEXEC
46406 ++ " movl %%cr0, %0\n"
46407 ++ " movl %0, %%eax\n"
46408 ++ " andl $0xFFFEFFFF, %%eax\n"
46409 ++ " movl %%eax, %%cr0\n"
46410 ++#endif
46411 ++
46412 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46413 ++
46414 ++#ifdef CONFIG_PAX_KERNEXEC
46415 ++ " movl %0, %%cr0\n"
46416 ++#endif
46417 ++
46418 + " jmp 2b\n"
46419 + ".previous\n"
46420 + ".section __ex_table,\"a\"\n"
46421 + " .align 4\n"
46422 + " .long 1b, 3b\n"
46423 + ".previous"
46424 +- : : "r" (from), "r" (to) : "memory");
46425 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46426 + from+=64;
46427 + to+=64;
46428 + }
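Review bot: nothing in these blocks disables interrupts while CR0.WP is cleared; kernel_fpu_begin() in the surrounding context disables preemption only, so an interrupt arriving between the `movl %%eax, %%cr0` that clears WP and the `movl %0, %%cr0` that restores it runs its handler with kernel text writable. The window is one `movw` in the fixup path, so the exposure is small, but the trade-off should be stated in a comment, or closed with a pushf/cli around the sequence and a popf after the restore. The C-level pax_open_kernel()/pax_close_kernel() used in the vsyscall_set_cpu hunk are where that policy is normally decided; this inline-asm copy should at least document that it follows the same one.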
46429 +@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
46430 + static void fast_copy_page(void *to, void *from)
46431 + {
46432 + int i;
46433 +-
46434 +-
46435 ++ unsigned long cr0;
46436 ++
46437 + kernel_fpu_begin();
46438 +
46439 + __asm__ __volatile__ (
46440 +- "1: prefetch (%0)\n"
46441 +- " prefetch 64(%0)\n"
46442 +- " prefetch 128(%0)\n"
46443 +- " prefetch 192(%0)\n"
46444 +- " prefetch 256(%0)\n"
46445 ++ "1: prefetch (%1)\n"
46446 ++ " prefetch 64(%1)\n"
46447 ++ " prefetch 128(%1)\n"
46448 ++ " prefetch 192(%1)\n"
46449 ++ " prefetch 256(%1)\n"
46450 + "2: \n"
46451 + ".section .fixup, \"ax\"\n"
46452 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46453 ++ "3: \n"
46454 ++
46455 ++#ifdef CONFIG_PAX_KERNEXEC
46456 ++ " movl %%cr0, %0\n"
46457 ++ " movl %0, %%eax\n"
46458 ++ " andl $0xFFFEFFFF, %%eax\n"
46459 ++ " movl %%eax, %%cr0\n"
46460 ++#endif
46461 ++
46462 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
46463 ++
46464 ++#ifdef CONFIG_PAX_KERNEXEC
46465 ++ " movl %0, %%cr0\n"
46466 ++#endif
46467 ++
46468 + " jmp 2b\n"
46469 + ".previous\n"
46470 + ".section __ex_table,\"a\"\n"
46471 + " .align 4\n"
46472 + " .long 1b, 3b\n"
46473 + ".previous"
46474 +- : : "r" (from) );
46475 ++ : "=&r" (cr0) : "r" (from) : "ax");
46476 +
46477 + for(i=0; i<4096/64; i++)
46478 + {
46479 + __asm__ __volatile__ (
46480 +- "1: prefetch 320(%0)\n"
46481 +- "2: movq (%0), %%mm0\n"
46482 +- " movq 8(%0), %%mm1\n"
46483 +- " movq 16(%0), %%mm2\n"
46484 +- " movq 24(%0), %%mm3\n"
46485 +- " movq %%mm0, (%1)\n"
46486 +- " movq %%mm1, 8(%1)\n"
46487 +- " movq %%mm2, 16(%1)\n"
46488 +- " movq %%mm3, 24(%1)\n"
46489 +- " movq 32(%0), %%mm0\n"
46490 +- " movq 40(%0), %%mm1\n"
46491 +- " movq 48(%0), %%mm2\n"
46492 +- " movq 56(%0), %%mm3\n"
46493 +- " movq %%mm0, 32(%1)\n"
46494 +- " movq %%mm1, 40(%1)\n"
46495 +- " movq %%mm2, 48(%1)\n"
46496 +- " movq %%mm3, 56(%1)\n"
46497 ++ "1: prefetch 320(%1)\n"
46498 ++ "2: movq (%1), %%mm0\n"
46499 ++ " movq 8(%1), %%mm1\n"
46500 ++ " movq 16(%1), %%mm2\n"
46501 ++ " movq 24(%1), %%mm3\n"
46502 ++ " movq %%mm0, (%2)\n"
46503 ++ " movq %%mm1, 8(%2)\n"
46504 ++ " movq %%mm2, 16(%2)\n"
46505 ++ " movq %%mm3, 24(%2)\n"
46506 ++ " movq 32(%1), %%mm0\n"
46507 ++ " movq 40(%1), %%mm1\n"
46508 ++ " movq 48(%1), %%mm2\n"
46509 ++ " movq 56(%1), %%mm3\n"
46510 ++ " movq %%mm0, 32(%2)\n"
46511 ++ " movq %%mm1, 40(%2)\n"
46512 ++ " movq %%mm2, 48(%2)\n"
46513 ++ " movq %%mm3, 56(%2)\n"
46514 + ".section .fixup, \"ax\"\n"
46515 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46516 ++ "3:\n"
46517 ++
46518 ++#ifdef CONFIG_PAX_KERNEXEC
46519 ++ " movl %%cr0, %0\n"
46520 ++ " movl %0, %%eax\n"
46521 ++ " andl $0xFFFEFFFF, %%eax\n"
46522 ++ " movl %%eax, %%cr0\n"
46523 ++#endif
46524 ++
46525 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
46526 ++
46527 ++#ifdef CONFIG_PAX_KERNEXEC
46528 ++ " movl %0, %%cr0\n"
46529 ++#endif
46530 ++
46531 + " jmp 2b\n"
46532 + ".previous\n"
46533 + ".section __ex_table,\"a\"\n"
46534 + " .align 4\n"
46535 + " .long 1b, 3b\n"
46536 + ".previous"
46537 +- : : "r" (from), "r" (to) : "memory");
46538 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
46539 + from+=64;
46540 + to+=64;
46541 + }
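Review bot: this is the fourth verbatim copy in mmx_32.c of the same CR0 open/close sequence (the `#ifdef CONFIG_PAX_KERNEXEC` blocks wrapped around `movw $0x1AEB, 1b` and `movw $0x05EB, 1b`). Factor it into a single string macro expanded in each template (names such as PAX_OPEN_KERNEL_ASM/PAX_CLOSE_KERNEL_ASM are a suggestion, not existing identifiers), so a fix to one copy cannot be missed in the others. The `"ax"` clobber and `cr0` output were added consistently to all four blocks; a macro would make that pairing structural instead of something to check by eye.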
46542 +diff -urNp linux-2.6.24.5/arch/x86/lib/putuser_32.S linux-2.6.24.5/arch/x86/lib/putuser_32.S
46543 +--- linux-2.6.24.5/arch/x86/lib/putuser_32.S 2008-03-24 14:49:18.000000000 -0400
46544 ++++ linux-2.6.24.5/arch/x86/lib/putuser_32.S 2008-03-26 20:21:08.000000000 -0400
46545 +@@ -11,7 +11,7 @@
46546 + #include <linux/linkage.h>
46547 + #include <asm/dwarf2.h>
46548 + #include <asm/thread_info.h>
46549 +-
46550 ++#include <asm/segment.h>
46551 +
46552 + /*
46553 + * __put_user_X
46554 +@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
46555 + ENTER
46556 + cmpl TI_addr_limit(%ebx),%ecx
46557 + jae bad_put_user
46558 ++ pushl $(__USER_DS)
46559 ++ popl %ds
46560 + 1: movb %al,(%ecx)
46561 ++ pushl %ss
46562 ++ popl %ds
46563 + xorl %eax,%eax
46564 + EXIT
46565 + ENDPROC(__put_user_1)
46566 +@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
46567 + subl $1,%ebx
46568 + cmpl %ebx,%ecx
46569 + jae bad_put_user
46570 ++ pushl $(__USER_DS)
46571 ++ popl %ds
46572 + 2: movw %ax,(%ecx)
46573 ++ pushl %ss
46574 ++ popl %ds
46575 + xorl %eax,%eax
46576 + EXIT
46577 + ENDPROC(__put_user_2)
46578 +@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
46579 + subl $3,%ebx
46580 + cmpl %ebx,%ecx
46581 + jae bad_put_user
46582 ++ pushl $(__USER_DS)
46583 ++ popl %ds
46584 + 3: movl %eax,(%ecx)
46585 ++ pushl %ss
46586 ++ popl %ds
46587 + xorl %eax,%eax
46588 + EXIT
46589 + ENDPROC(__put_user_4)
46590 +@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
46591 + subl $7,%ebx
46592 + cmpl %ebx,%ecx
46593 + jae bad_put_user
46594 ++ pushl $(__USER_DS)
46595 ++ popl %ds
46596 + 4: movl %eax,(%ecx)
46597 + 5: movl %edx,4(%ecx)
46598 ++ pushl %ss
46599 ++ popl %ds
46600 + xorl %eax,%eax
46601 + EXIT
46602 + ENDPROC(__put_user_8)
46603 +@@ -85,6 +101,10 @@ bad_put_user:
46604 + CFI_DEF_CFA esp, 2*4
46605 + CFI_OFFSET eip, -1*4
46606 + CFI_OFFSET ebx, -2*4
46607 ++ pushl %ss
46608 ++ CFI_ADJUST_CFA_OFFSET 4
46609 ++ popl %ds
46610 ++ CFI_ADJUST_CFA_OFFSET -4
46611 + movl $-14,%eax
46612 + EXIT
46613 + END(bad_put_user)
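Review bot: bad_put_user annotates its `pushl %ss; popl %ds` with CFI_ADJUST_CFA_OFFSET 4/-4, while the __put_user_N entries above and all of getuser_32.S add the same push/pop pairs with no annotations. Either choice is defensible, since nothing between the push and the pop can fault, but it should be uniform across the patch; unwind information that is precise in one stub and absent in its siblings is harder to trust than either extreme.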
46614 +diff -urNp linux-2.6.24.5/arch/x86/lib/usercopy_32.c linux-2.6.24.5/arch/x86/lib/usercopy_32.c
46615 +--- linux-2.6.24.5/arch/x86/lib/usercopy_32.c 2008-03-24 14:49:18.000000000 -0400
46616 ++++ linux-2.6.24.5/arch/x86/lib/usercopy_32.c 2008-03-26 20:21:08.000000000 -0400
46617 +@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
46618 + * Copy a null terminated string from userspace.
46619 + */
46620 +
46621 +-#define __do_strncpy_from_user(dst,src,count,res) \
46622 +-do { \
46623 +- int __d0, __d1, __d2; \
46624 +- might_sleep(); \
46625 +- __asm__ __volatile__( \
46626 +- " testl %1,%1\n" \
46627 +- " jz 2f\n" \
46628 +- "0: lodsb\n" \
46629 +- " stosb\n" \
46630 +- " testb %%al,%%al\n" \
46631 +- " jz 1f\n" \
46632 +- " decl %1\n" \
46633 +- " jnz 0b\n" \
46634 +- "1: subl %1,%0\n" \
46635 +- "2:\n" \
46636 +- ".section .fixup,\"ax\"\n" \
46637 +- "3: movl %5,%0\n" \
46638 +- " jmp 2b\n" \
46639 +- ".previous\n" \
46640 +- ".section __ex_table,\"a\"\n" \
46641 +- " .align 4\n" \
46642 +- " .long 0b,3b\n" \
46643 +- ".previous" \
46644 +- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
46645 +- "=&D" (__d2) \
46646 +- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
46647 +- : "memory"); \
46648 +-} while (0)
46649 ++static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
46650 ++{
46651 ++ int __d0, __d1, __d2;
46652 ++ long res = -EFAULT;
46653 ++
46654 ++ might_sleep();
46655 ++ __asm__ __volatile__(
46656 ++ " movw %w10,%%ds\n"
46657 ++ " testl %1,%1\n"
46658 ++ " jz 2f\n"
46659 ++ "0: lodsb\n"
46660 ++ " stosb\n"
46661 ++ " testb %%al,%%al\n"
46662 ++ " jz 1f\n"
46663 ++ " decl %1\n"
46664 ++ " jnz 0b\n"
46665 ++ "1: subl %1,%0\n"
46666 ++ "2:\n"
46667 ++ " pushl %%ss\n"
46668 ++ " popl %%ds\n"
46669 ++ ".section .fixup,\"ax\"\n"
46670 ++ "3: movl %5,%0\n"
46671 ++ " jmp 2b\n"
46672 ++ ".previous\n"
46673 ++ ".section __ex_table,\"a\"\n"
46674 ++ " .align 4\n"
46675 ++ " .long 0b,3b\n"
46676 ++ ".previous"
46677 ++ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
46678 ++ "=&D" (__d2)
46679 ++ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
46680 ++ "r"(__USER_DS)
46681 ++ : "memory");
46682 ++ return res;
46683 ++}
46684 +
46685 + /**
46686 + * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
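Review bot: `long res = -EFAULT;` in the new __do_strncpy_from_user() is dead: `res` is output operand 0 (`"=d"(res)`) and the input `"0"(count)` pre-loads that same register with count, so the initial value is never observed; drop the initialiser or the "0" tie, not both. The segment handling checks out: `movw %w10,%%ds` names the eleventh operand, which is `"r"(__USER_DS)` (outputs 0-4, inputs 5-10), and the fixup at 3: leaves via `jmp 2b`, so the `pushl %%ss; popl %%ds` at label 2 restores %ds on the fault path as well as the normal one. A comment at label 2 noting that both paths must pass through it would keep that property from being lost in a later edit.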
46687 +@@ -81,9 +88,7 @@ do { \
46688 + long
46689 + __strncpy_from_user(char *dst, const char __user *src, long count)
46690 + {
46691 +- long res;
46692 +- __do_strncpy_from_user(dst, src, count, res);
46693 +- return res;
46694 ++ return __do_strncpy_from_user(dst, src, count);
46695 + }
46696 + EXPORT_SYMBOL(__strncpy_from_user);
46697 +
46698 +@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
46699 + {
46700 + long res = -EFAULT;
46701 + if (access_ok(VERIFY_READ, src, 1))
46702 +- __do_strncpy_from_user(dst, src, count, res);
46703 ++ res = __do_strncpy_from_user(dst, src, count);
46704 + return res;
46705 + }
46706 + EXPORT_SYMBOL(strncpy_from_user);
46707 +@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
46708 + * Zero Userspace
46709 + */
46710 +
46711 +-#define __do_clear_user(addr,size) \
46712 +-do { \
46713 +- int __d0; \
46714 +- might_sleep(); \
46715 +- __asm__ __volatile__( \
46716 +- "0: rep; stosl\n" \
46717 +- " movl %2,%0\n" \
46718 +- "1: rep; stosb\n" \
46719 +- "2:\n" \
46720 +- ".section .fixup,\"ax\"\n" \
46721 +- "3: lea 0(%2,%0,4),%0\n" \
46722 +- " jmp 2b\n" \
46723 +- ".previous\n" \
46724 +- ".section __ex_table,\"a\"\n" \
46725 +- " .align 4\n" \
46726 +- " .long 0b,3b\n" \
46727 +- " .long 1b,2b\n" \
46728 +- ".previous" \
46729 +- : "=&c"(size), "=&D" (__d0) \
46730 +- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
46731 +-} while (0)
46732 ++static unsigned long __do_clear_user(void __user *addr, unsigned long size)
46733 ++{
46734 ++ int __d0;
46735 ++
46736 ++ might_sleep();
46737 ++ __asm__ __volatile__(
46738 ++ " movw %w6,%%es\n"
46739 ++ "0: rep; stosl\n"
46740 ++ " movl %2,%0\n"
46741 ++ "1: rep; stosb\n"
46742 ++ "2:\n"
46743 ++ " pushl %%ss\n"
46744 ++ " popl %%es\n"
46745 ++ ".section .fixup,\"ax\"\n"
46746 ++ "3: lea 0(%2,%0,4),%0\n"
46747 ++ " jmp 2b\n"
46748 ++ ".previous\n"
46749 ++ ".section __ex_table,\"a\"\n"
46750 ++ " .align 4\n"
46751 ++ " .long 0b,3b\n"
46752 ++ " .long 1b,2b\n"
46753 ++ ".previous"
46754 ++ : "=&c"(size), "=&D" (__d0)
46755 ++ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
46756 ++ "r"(__USER_DS));
46757 ++ return size;
46758 ++}
46759 +
46760 + /**
46761 + * clear_user: - Zero a block of memory in user space.
46762 +@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
46763 + {
46764 + might_sleep();
46765 + if (access_ok(VERIFY_WRITE, to, n))
46766 +- __do_clear_user(to, n);
46767 ++ n = __do_clear_user(to, n);
46768 + return n;
46769 + }
46770 + EXPORT_SYMBOL(clear_user);
46771 +@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
46772 + unsigned long
46773 + __clear_user(void __user *to, unsigned long n)
46774 + {
46775 +- __do_clear_user(to, n);
46776 +- return n;
46777 ++ return __do_clear_user(to, n);
46778 + }
46779 + EXPORT_SYMBOL(__clear_user);
46780 +
46781 +@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
46782 + might_sleep();
46783 +
46784 + __asm__ __volatile__(
46785 ++ " movw %w8,%%es\n"
46786 + " testl %0, %0\n"
46787 + " jz 3f\n"
46788 +- " andl %0,%%ecx\n"
46789 ++ " movl %0,%%ecx\n"
46790 + "0: repne; scasb\n"
46791 + " setne %%al\n"
46792 + " subl %%ecx,%0\n"
46793 + " addl %0,%%eax\n"
46794 + "1:\n"
46795 ++ " pushl %%ss\n"
46796 ++ " popl %%es\n"
46797 + ".section .fixup,\"ax\"\n"
46798 + "2: xorl %%eax,%%eax\n"
46799 + " jmp 1b\n"
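Review bot: replacing `andl %0,%%ecx` with `movl %0,%%ecx` is a behaviour change beyond the segment switch and needs a comment. Before, %ecx started as `mask` (the `"3" (mask)` input) and was ANDed with n, so an address the mask rejected gave a zero count and `repne; scasb` never executed; now %ecx is simply n, the scan proceeds regardless, and stopping it is left to the fault handled at `2: xorl %%eax,%%eax`, which now also passes through the %es restore at label 1 before `return res & mask` masks the result. If the segment limit is what makes the old masking unnecessary, state that next to the change so the dependency between the two mechanisms is explicit.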
46800 +@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
46801 + " .long 0b,2b\n"
46802 + ".previous"
46803 + :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
46804 +- :"0" (n), "1" (s), "2" (0), "3" (mask)
46805 ++ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
46806 + :"cc");
46807 + return res & mask;
46808 + }
46809 +@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
46810 +
46811 + #ifdef CONFIG_X86_INTEL_USERCOPY
46812 + static unsigned long
46813 +-__copy_user_intel(void __user *to, const void *from, unsigned long size)
46814 ++__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
46815 ++{
46816 ++ int d0, d1;
46817 ++ __asm__ __volatile__(
46818 ++ " movw %w6, %%es\n"
46819 ++ " .align 2,0x90\n"
46820 ++ "1: movl 32(%4), %%eax\n"
46821 ++ " cmpl $67, %0\n"
46822 ++ " jbe 3f\n"
46823 ++ "2: movl 64(%4), %%eax\n"
46824 ++ " .align 2,0x90\n"
46825 ++ "3: movl 0(%4), %%eax\n"
46826 ++ "4: movl 4(%4), %%edx\n"
46827 ++ "5: movl %%eax, %%es:0(%3)\n"
46828 ++ "6: movl %%edx, %%es:4(%3)\n"
46829 ++ "7: movl 8(%4), %%eax\n"
46830 ++ "8: movl 12(%4),%%edx\n"
46831 ++ "9: movl %%eax, %%es:8(%3)\n"
46832 ++ "10: movl %%edx, %%es:12(%3)\n"
46833 ++ "11: movl 16(%4), %%eax\n"
46834 ++ "12: movl 20(%4), %%edx\n"
46835 ++ "13: movl %%eax, %%es:16(%3)\n"
46836 ++ "14: movl %%edx, %%es:20(%3)\n"
46837 ++ "15: movl 24(%4), %%eax\n"
46838 ++ "16: movl 28(%4), %%edx\n"
46839 ++ "17: movl %%eax, %%es:24(%3)\n"
46840 ++ "18: movl %%edx, %%es:28(%3)\n"
46841 ++ "19: movl 32(%4), %%eax\n"
46842 ++ "20: movl 36(%4), %%edx\n"
46843 ++ "21: movl %%eax, %%es:32(%3)\n"
46844 ++ "22: movl %%edx, %%es:36(%3)\n"
46845 ++ "23: movl 40(%4), %%eax\n"
46846 ++ "24: movl 44(%4), %%edx\n"
46847 ++ "25: movl %%eax, %%es:40(%3)\n"
46848 ++ "26: movl %%edx, %%es:44(%3)\n"
46849 ++ "27: movl 48(%4), %%eax\n"
46850 ++ "28: movl 52(%4), %%edx\n"
46851 ++ "29: movl %%eax, %%es:48(%3)\n"
46852 ++ "30: movl %%edx, %%es:52(%3)\n"
46853 ++ "31: movl 56(%4), %%eax\n"
46854 ++ "32: movl 60(%4), %%edx\n"
46855 ++ "33: movl %%eax, %%es:56(%3)\n"
46856 ++ "34: movl %%edx, %%es:60(%3)\n"
46857 ++ " addl $-64, %0\n"
46858 ++ " addl $64, %4\n"
46859 ++ " addl $64, %3\n"
46860 ++ " cmpl $63, %0\n"
46861 ++ " ja 1b\n"
46862 ++ "35: movl %0, %%eax\n"
46863 ++ " shrl $2, %0\n"
46864 ++ " andl $3, %%eax\n"
46865 ++ " cld\n"
46866 ++ "99: rep; movsl\n"
46867 ++ "36: movl %%eax, %0\n"
46868 ++ "37: rep; movsb\n"
46869 ++ "100:\n"
46870 ++ " pushl %%ss\n"
46871 ++ " popl %%es\n"
46872 ++ ".section .fixup,\"ax\"\n"
46873 ++ "101: lea 0(%%eax,%0,4),%0\n"
46874 ++ " jmp 100b\n"
46875 ++ ".previous\n"
46876 ++ ".section __ex_table,\"a\"\n"
46877 ++ " .align 4\n"
46878 ++ " .long 1b,100b\n"
46879 ++ " .long 2b,100b\n"
46880 ++ " .long 3b,100b\n"
46881 ++ " .long 4b,100b\n"
46882 ++ " .long 5b,100b\n"
46883 ++ " .long 6b,100b\n"
46884 ++ " .long 7b,100b\n"
46885 ++ " .long 8b,100b\n"
46886 ++ " .long 9b,100b\n"
46887 ++ " .long 10b,100b\n"
46888 ++ " .long 11b,100b\n"
46889 ++ " .long 12b,100b\n"
46890 ++ " .long 13b,100b\n"
46891 ++ " .long 14b,100b\n"
46892 ++ " .long 15b,100b\n"
46893 ++ " .long 16b,100b\n"
46894 ++ " .long 17b,100b\n"
46895 ++ " .long 18b,100b\n"
46896 ++ " .long 19b,100b\n"
46897 ++ " .long 20b,100b\n"
46898 ++ " .long 21b,100b\n"
46899 ++ " .long 22b,100b\n"
46900 ++ " .long 23b,100b\n"
46901 ++ " .long 24b,100b\n"
46902 ++ " .long 25b,100b\n"
46903 ++ " .long 26b,100b\n"
46904 ++ " .long 27b,100b\n"
46905 ++ " .long 28b,100b\n"
46906 ++ " .long 29b,100b\n"
46907 ++ " .long 30b,100b\n"
46908 ++ " .long 31b,100b\n"
46909 ++ " .long 32b,100b\n"
46910 ++ " .long 33b,100b\n"
46911 ++ " .long 34b,100b\n"
46912 ++ " .long 35b,100b\n"
46913 ++ " .long 36b,100b\n"
46914 ++ " .long 37b,100b\n"
46915 ++ " .long 99b,101b\n"
46916 ++ ".previous"
46917 ++ : "=&c"(size), "=&D" (d0), "=&S" (d1)
46918 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
46919 ++ : "eax", "edx", "memory");
46920 ++ return size;
46921 ++}
46922 ++
46923 ++static unsigned long
46924 ++__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
46925 + {
46926 + int d0, d1;
46927 + __asm__ __volatile__(
46928 ++ " movw %w6, %%ds\n"
46929 + " .align 2,0x90\n"
46930 + "1: movl 32(%4), %%eax\n"
46931 + " cmpl $67, %0\n"
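Review bot: the segment-switch convention these Intel copy routines rely on is undocumented. The `movw %w6, %%ds` (from-user) or `%%es` (to-user) on entry loads the per-CPU USER_DS selector so that the user side of the copy is bounded by that descriptor's limit, which `__set_fs` later in this same file derives from `addr_limit`, while every kernel-side access in the same block has to carry an explicit override to the other segment, and the kernel segment is reloaded at label `100:` on both the normal and the fixup path. A short comment above each `__asm__` stating this would save the next reader from reconstructing it from the exception table entries.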
46932 +@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
46933 + " .align 2,0x90\n"
46934 + "3: movl 0(%4), %%eax\n"
46935 + "4: movl 4(%4), %%edx\n"
46936 +- "5: movl %%eax, 0(%3)\n"
46937 +- "6: movl %%edx, 4(%3)\n"
46938 ++ "5: movl %%eax, %%es:0(%3)\n"
46939 ++ "6: movl %%edx, %%es:4(%3)\n"
46940 + "7: movl 8(%4), %%eax\n"
46941 + "8: movl 12(%4),%%edx\n"
46942 +- "9: movl %%eax, 8(%3)\n"
46943 +- "10: movl %%edx, 12(%3)\n"
46944 ++ "9: movl %%eax, %%es:8(%3)\n"
46945 ++ "10: movl %%edx, %%es:12(%3)\n"
46946 + "11: movl 16(%4), %%eax\n"
46947 + "12: movl 20(%4), %%edx\n"
46948 +- "13: movl %%eax, 16(%3)\n"
46949 +- "14: movl %%edx, 20(%3)\n"
46950 ++ "13: movl %%eax, %%es:16(%3)\n"
46951 ++ "14: movl %%edx, %%es:20(%3)\n"
46952 + "15: movl 24(%4), %%eax\n"
46953 + "16: movl 28(%4), %%edx\n"
46954 +- "17: movl %%eax, 24(%3)\n"
46955 +- "18: movl %%edx, 28(%3)\n"
46956 ++ "17: movl %%eax, %%es:24(%3)\n"
46957 ++ "18: movl %%edx, %%es:28(%3)\n"
46958 + "19: movl 32(%4), %%eax\n"
46959 + "20: movl 36(%4), %%edx\n"
46960 +- "21: movl %%eax, 32(%3)\n"
46961 +- "22: movl %%edx, 36(%3)\n"
46962 ++ "21: movl %%eax, %%es:32(%3)\n"
46963 ++ "22: movl %%edx, %%es:36(%3)\n"
46964 + "23: movl 40(%4), %%eax\n"
46965 + "24: movl 44(%4), %%edx\n"
46966 +- "25: movl %%eax, 40(%3)\n"
46967 +- "26: movl %%edx, 44(%3)\n"
46968 ++ "25: movl %%eax, %%es:40(%3)\n"
46969 ++ "26: movl %%edx, %%es:44(%3)\n"
46970 + "27: movl 48(%4), %%eax\n"
46971 + "28: movl 52(%4), %%edx\n"
46972 +- "29: movl %%eax, 48(%3)\n"
46973 +- "30: movl %%edx, 52(%3)\n"
46974 ++ "29: movl %%eax, %%es:48(%3)\n"
46975 ++ "30: movl %%edx, %%es:52(%3)\n"
46976 + "31: movl 56(%4), %%eax\n"
46977 + "32: movl 60(%4), %%edx\n"
46978 +- "33: movl %%eax, 56(%3)\n"
46979 +- "34: movl %%edx, 60(%3)\n"
46980 ++ "33: movl %%eax, %%es:56(%3)\n"
46981 ++ "34: movl %%edx, %%es:60(%3)\n"
46982 + " addl $-64, %0\n"
46983 + " addl $64, %4\n"
46984 + " addl $64, %3\n"
46985 +@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
46986 + "36: movl %%eax, %0\n"
46987 + "37: rep; movsb\n"
46988 + "100:\n"
46989 ++ " pushl %%ss\n"
46990 ++ " popl %%ds\n"
46991 + ".section .fixup,\"ax\"\n"
46992 + "101: lea 0(%%eax,%0,4),%0\n"
46993 + " jmp 100b\n"
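Review bot: `pushl %%ss; popl %%ds` at `100:` restores DS with no comment on why SS is the right source. It works because in kernel context SS always holds the kernel data selector, so the pair reloads DS with `__KERNEL_DS` without tying up a register; note also that the fixup at `101:` runs its `lea` with DS still pointing at the user segment before jumping to `100b`, which is only safe because `lea` does not touch memory. Both facts deserve a comment, since the same pair is repeated in every copy routine in this file.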
46994 +@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
46995 + " .long 99b,101b\n"
46996 + ".previous"
46997 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
46998 +- : "1"(to), "2"(from), "0"(size)
46999 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47000 + : "eax", "edx", "memory");
47001 + return size;
47002 + }
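Review bot: the new `"r"(__USER_DS)` input is addressed positionally as `%w6`, so its index depends on how many outputs and inputs precede it; the Intel variants use `%w6` and the generic variants `%w8`. A named operand such as `[uds] "r"(__USER_DS)`, referenced as `%w[uds]`, would make the intent obvious and survive any future reordering of the operand lists.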
47003 +@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
47004 + {
47005 + int d0, d1;
47006 + __asm__ __volatile__(
47007 ++ " movw %w6, %%ds\n"
47008 + " .align 2,0x90\n"
47009 + "0: movl 32(%4), %%eax\n"
47010 + " cmpl $67, %0\n"
47011 +@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
47012 + " .align 2,0x90\n"
47013 + "2: movl 0(%4), %%eax\n"
47014 + "21: movl 4(%4), %%edx\n"
47015 +- " movl %%eax, 0(%3)\n"
47016 +- " movl %%edx, 4(%3)\n"
47017 ++ " movl %%eax, %%es:0(%3)\n"
47018 ++ " movl %%edx, %%es:4(%3)\n"
47019 + "3: movl 8(%4), %%eax\n"
47020 + "31: movl 12(%4),%%edx\n"
47021 +- " movl %%eax, 8(%3)\n"
47022 +- " movl %%edx, 12(%3)\n"
47023 ++ " movl %%eax, %%es:8(%3)\n"
47024 ++ " movl %%edx, %%es:12(%3)\n"
47025 + "4: movl 16(%4), %%eax\n"
47026 + "41: movl 20(%4), %%edx\n"
47027 +- " movl %%eax, 16(%3)\n"
47028 +- " movl %%edx, 20(%3)\n"
47029 ++ " movl %%eax, %%es:16(%3)\n"
47030 ++ " movl %%edx, %%es:20(%3)\n"
47031 + "10: movl 24(%4), %%eax\n"
47032 + "51: movl 28(%4), %%edx\n"
47033 +- " movl %%eax, 24(%3)\n"
47034 +- " movl %%edx, 28(%3)\n"
47035 ++ " movl %%eax, %%es:24(%3)\n"
47036 ++ " movl %%edx, %%es:28(%3)\n"
47037 + "11: movl 32(%4), %%eax\n"
47038 + "61: movl 36(%4), %%edx\n"
47039 +- " movl %%eax, 32(%3)\n"
47040 +- " movl %%edx, 36(%3)\n"
47041 ++ " movl %%eax, %%es:32(%3)\n"
47042 ++ " movl %%edx, %%es:36(%3)\n"
47043 + "12: movl 40(%4), %%eax\n"
47044 + "71: movl 44(%4), %%edx\n"
47045 +- " movl %%eax, 40(%3)\n"
47046 +- " movl %%edx, 44(%3)\n"
47047 ++ " movl %%eax, %%es:40(%3)\n"
47048 ++ " movl %%edx, %%es:44(%3)\n"
47049 + "13: movl 48(%4), %%eax\n"
47050 + "81: movl 52(%4), %%edx\n"
47051 +- " movl %%eax, 48(%3)\n"
47052 +- " movl %%edx, 52(%3)\n"
47053 ++ " movl %%eax, %%es:48(%3)\n"
47054 ++ " movl %%edx, %%es:52(%3)\n"
47055 + "14: movl 56(%4), %%eax\n"
47056 + "91: movl 60(%4), %%edx\n"
47057 +- " movl %%eax, 56(%3)\n"
47058 +- " movl %%edx, 60(%3)\n"
47059 ++ " movl %%eax, %%es:56(%3)\n"
47060 ++ " movl %%edx, %%es:60(%3)\n"
47061 + " addl $-64, %0\n"
47062 + " addl $64, %4\n"
47063 + " addl $64, %3\n"
47064 +@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
47065 + " movl %%eax,%0\n"
47066 + "7: rep; movsb\n"
47067 + "8:\n"
47068 ++ " pushl %%ss\n"
47069 ++ " popl %%ds\n"
47070 + ".section .fixup,\"ax\"\n"
47071 + "9: lea 0(%%eax,%0,4),%0\n"
47072 + "16: pushl %0\n"
47073 +@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
47074 + " .long 7b,16b\n"
47075 + ".previous"
47076 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47077 +- : "1"(to), "2"(from), "0"(size)
47078 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47079 + : "eax", "edx", "memory");
47080 + return size;
47081 + }
47082 +@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
47083 + int d0, d1;
47084 +
47085 + __asm__ __volatile__(
47086 ++ " movw %w6, %%ds\n"
47087 + " .align 2,0x90\n"
47088 + "0: movl 32(%4), %%eax\n"
47089 + " cmpl $67, %0\n"
47090 +@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
47091 + " .align 2,0x90\n"
47092 + "2: movl 0(%4), %%eax\n"
47093 + "21: movl 4(%4), %%edx\n"
47094 +- " movnti %%eax, 0(%3)\n"
47095 +- " movnti %%edx, 4(%3)\n"
47096 ++ " movnti %%eax, %%es:0(%3)\n"
47097 ++ " movnti %%edx, %%es:4(%3)\n"
47098 + "3: movl 8(%4), %%eax\n"
47099 + "31: movl 12(%4),%%edx\n"
47100 +- " movnti %%eax, 8(%3)\n"
47101 +- " movnti %%edx, 12(%3)\n"
47102 ++ " movnti %%eax, %%es:8(%3)\n"
47103 ++ " movnti %%edx, %%es:12(%3)\n"
47104 + "4: movl 16(%4), %%eax\n"
47105 + "41: movl 20(%4), %%edx\n"
47106 +- " movnti %%eax, 16(%3)\n"
47107 +- " movnti %%edx, 20(%3)\n"
47108 ++ " movnti %%eax, %%es:16(%3)\n"
47109 ++ " movnti %%edx, %%es:20(%3)\n"
47110 + "10: movl 24(%4), %%eax\n"
47111 + "51: movl 28(%4), %%edx\n"
47112 +- " movnti %%eax, 24(%3)\n"
47113 +- " movnti %%edx, 28(%3)\n"
47114 ++ " movnti %%eax, %%es:24(%3)\n"
47115 ++ " movnti %%edx, %%es:28(%3)\n"
47116 + "11: movl 32(%4), %%eax\n"
47117 + "61: movl 36(%4), %%edx\n"
47118 +- " movnti %%eax, 32(%3)\n"
47119 +- " movnti %%edx, 36(%3)\n"
47120 ++ " movnti %%eax, %%es:32(%3)\n"
47121 ++ " movnti %%edx, %%es:36(%3)\n"
47122 + "12: movl 40(%4), %%eax\n"
47123 + "71: movl 44(%4), %%edx\n"
47124 +- " movnti %%eax, 40(%3)\n"
47125 +- " movnti %%edx, 44(%3)\n"
47126 ++ " movnti %%eax, %%es:40(%3)\n"
47127 ++ " movnti %%edx, %%es:44(%3)\n"
47128 + "13: movl 48(%4), %%eax\n"
47129 + "81: movl 52(%4), %%edx\n"
47130 +- " movnti %%eax, 48(%3)\n"
47131 +- " movnti %%edx, 52(%3)\n"
47132 ++ " movnti %%eax, %%es:48(%3)\n"
47133 ++ " movnti %%edx, %%es:52(%3)\n"
47134 + "14: movl 56(%4), %%eax\n"
47135 + "91: movl 60(%4), %%edx\n"
47136 +- " movnti %%eax, 56(%3)\n"
47137 +- " movnti %%edx, 60(%3)\n"
47138 ++ " movnti %%eax, %%es:56(%3)\n"
47139 ++ " movnti %%edx, %%es:60(%3)\n"
47140 + " addl $-64, %0\n"
47141 + " addl $64, %4\n"
47142 + " addl $64, %3\n"
47143 +@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
47144 + " movl %%eax,%0\n"
47145 + "7: rep; movsb\n"
47146 + "8:\n"
47147 ++ " pushl %%ss\n"
47148 ++ " popl %%ds\n"
47149 + ".section .fixup,\"ax\"\n"
47150 + "9: lea 0(%%eax,%0,4),%0\n"
47151 + "16: pushl %0\n"
47152 +@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
47153 + " .long 7b,16b\n"
47154 + ".previous"
47155 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47156 +- : "1"(to), "2"(from), "0"(size)
47157 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47158 + : "eax", "edx", "memory");
47159 + return size;
47160 + }
47161 +@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
47162 + int d0, d1;
47163 +
47164 + __asm__ __volatile__(
47165 ++ " movw %w6, %%ds\n"
47166 + " .align 2,0x90\n"
47167 + "0: movl 32(%4), %%eax\n"
47168 + " cmpl $67, %0\n"
47169 +@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
47170 + " .align 2,0x90\n"
47171 + "2: movl 0(%4), %%eax\n"
47172 + "21: movl 4(%4), %%edx\n"
47173 +- " movnti %%eax, 0(%3)\n"
47174 +- " movnti %%edx, 4(%3)\n"
47175 ++ " movnti %%eax, %%es:0(%3)\n"
47176 ++ " movnti %%edx, %%es:4(%3)\n"
47177 + "3: movl 8(%4), %%eax\n"
47178 + "31: movl 12(%4),%%edx\n"
47179 +- " movnti %%eax, 8(%3)\n"
47180 +- " movnti %%edx, 12(%3)\n"
47181 ++ " movnti %%eax, %%es:8(%3)\n"
47182 ++ " movnti %%edx, %%es:12(%3)\n"
47183 + "4: movl 16(%4), %%eax\n"
47184 + "41: movl 20(%4), %%edx\n"
47185 +- " movnti %%eax, 16(%3)\n"
47186 +- " movnti %%edx, 20(%3)\n"
47187 ++ " movnti %%eax, %%es:16(%3)\n"
47188 ++ " movnti %%edx, %%es:20(%3)\n"
47189 + "10: movl 24(%4), %%eax\n"
47190 + "51: movl 28(%4), %%edx\n"
47191 +- " movnti %%eax, 24(%3)\n"
47192 +- " movnti %%edx, 28(%3)\n"
47193 ++ " movnti %%eax, %%es:24(%3)\n"
47194 ++ " movnti %%edx, %%es:28(%3)\n"
47195 + "11: movl 32(%4), %%eax\n"
47196 + "61: movl 36(%4), %%edx\n"
47197 +- " movnti %%eax, 32(%3)\n"
47198 +- " movnti %%edx, 36(%3)\n"
47199 ++ " movnti %%eax, %%es:32(%3)\n"
47200 ++ " movnti %%edx, %%es:36(%3)\n"
47201 + "12: movl 40(%4), %%eax\n"
47202 + "71: movl 44(%4), %%edx\n"
47203 +- " movnti %%eax, 40(%3)\n"
47204 +- " movnti %%edx, 44(%3)\n"
47205 ++ " movnti %%eax, %%es:40(%3)\n"
47206 ++ " movnti %%edx, %%es:44(%3)\n"
47207 + "13: movl 48(%4), %%eax\n"
47208 + "81: movl 52(%4), %%edx\n"
47209 +- " movnti %%eax, 48(%3)\n"
47210 +- " movnti %%edx, 52(%3)\n"
47211 ++ " movnti %%eax, %%es:48(%3)\n"
47212 ++ " movnti %%edx, %%es:52(%3)\n"
47213 + "14: movl 56(%4), %%eax\n"
47214 + "91: movl 60(%4), %%edx\n"
47215 +- " movnti %%eax, 56(%3)\n"
47216 +- " movnti %%edx, 60(%3)\n"
47217 ++ " movnti %%eax, %%es:56(%3)\n"
47218 ++ " movnti %%edx, %%es:60(%3)\n"
47219 + " addl $-64, %0\n"
47220 + " addl $64, %4\n"
47221 + " addl $64, %3\n"
47222 +@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
47223 + " movl %%eax,%0\n"
47224 + "7: rep; movsb\n"
47225 + "8:\n"
47226 ++ " pushl %%ss\n"
47227 ++ " popl %%ds\n"
47228 + ".section .fixup,\"ax\"\n"
47229 + "9: lea 0(%%eax,%0,4),%0\n"
47230 + "16: jmp 8b\n"
47231 +@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
47232 + " .long 7b,16b\n"
47233 + ".previous"
47234 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
47235 +- : "1"(to), "2"(from), "0"(size)
47236 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
47237 + : "eax", "edx", "memory");
47238 + return size;
47239 + }
47240 +@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
47241 + */
47242 + unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
47243 + unsigned long size);
47244 +-unsigned long __copy_user_intel(void __user *to, const void *from,
47245 ++unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
47246 ++ unsigned long size);
47247 ++unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
47248 + unsigned long size);
47249 + unsigned long __copy_user_zeroing_intel_nocache(void *to,
47250 + const void __user *from, unsigned long size);
47251 + #endif /* CONFIG_X86_INTEL_USERCOPY */
47252 +
47253 + /* Generic arbitrary sized copy. */
47254 +-#define __copy_user(to,from,size) \
47255 +-do { \
47256 +- int __d0, __d1, __d2; \
47257 +- __asm__ __volatile__( \
47258 +- " cmp $7,%0\n" \
47259 +- " jbe 1f\n" \
47260 +- " movl %1,%0\n" \
47261 +- " negl %0\n" \
47262 +- " andl $7,%0\n" \
47263 +- " subl %0,%3\n" \
47264 +- "4: rep; movsb\n" \
47265 +- " movl %3,%0\n" \
47266 +- " shrl $2,%0\n" \
47267 +- " andl $3,%3\n" \
47268 +- " .align 2,0x90\n" \
47269 +- "0: rep; movsl\n" \
47270 +- " movl %3,%0\n" \
47271 +- "1: rep; movsb\n" \
47272 +- "2:\n" \
47273 +- ".section .fixup,\"ax\"\n" \
47274 +- "5: addl %3,%0\n" \
47275 +- " jmp 2b\n" \
47276 +- "3: lea 0(%3,%0,4),%0\n" \
47277 +- " jmp 2b\n" \
47278 +- ".previous\n" \
47279 +- ".section __ex_table,\"a\"\n" \
47280 +- " .align 4\n" \
47281 +- " .long 4b,5b\n" \
47282 +- " .long 0b,3b\n" \
47283 +- " .long 1b,2b\n" \
47284 +- ".previous" \
47285 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
47286 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
47287 +- : "memory"); \
47288 +-} while (0)
47289 +-
47290 +-#define __copy_user_zeroing(to,from,size) \
47291 +-do { \
47292 +- int __d0, __d1, __d2; \
47293 +- __asm__ __volatile__( \
47294 +- " cmp $7,%0\n" \
47295 +- " jbe 1f\n" \
47296 +- " movl %1,%0\n" \
47297 +- " negl %0\n" \
47298 +- " andl $7,%0\n" \
47299 +- " subl %0,%3\n" \
47300 +- "4: rep; movsb\n" \
47301 +- " movl %3,%0\n" \
47302 +- " shrl $2,%0\n" \
47303 +- " andl $3,%3\n" \
47304 +- " .align 2,0x90\n" \
47305 +- "0: rep; movsl\n" \
47306 +- " movl %3,%0\n" \
47307 +- "1: rep; movsb\n" \
47308 +- "2:\n" \
47309 +- ".section .fixup,\"ax\"\n" \
47310 +- "5: addl %3,%0\n" \
47311 +- " jmp 6f\n" \
47312 +- "3: lea 0(%3,%0,4),%0\n" \
47313 +- "6: pushl %0\n" \
47314 +- " pushl %%eax\n" \
47315 +- " xorl %%eax,%%eax\n" \
47316 +- " rep; stosb\n" \
47317 +- " popl %%eax\n" \
47318 +- " popl %0\n" \
47319 +- " jmp 2b\n" \
47320 +- ".previous\n" \
47321 +- ".section __ex_table,\"a\"\n" \
47322 +- " .align 4\n" \
47323 +- " .long 4b,5b\n" \
47324 +- " .long 0b,3b\n" \
47325 +- " .long 1b,6b\n" \
47326 +- ".previous" \
47327 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
47328 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
47329 +- : "memory"); \
47330 +-} while (0)
47331 ++static unsigned long
47332 ++__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
47333 ++{
47334 ++ int __d0, __d1, __d2;
47335 ++
47336 ++ __asm__ __volatile__(
47337 ++ " movw %w8,%%es\n"
47338 ++ " cmp $7,%0\n"
47339 ++ " jbe 1f\n"
47340 ++ " movl %1,%0\n"
47341 ++ " negl %0\n"
47342 ++ " andl $7,%0\n"
47343 ++ " subl %0,%3\n"
47344 ++ "4: rep; movsb\n"
47345 ++ " movl %3,%0\n"
47346 ++ " shrl $2,%0\n"
47347 ++ " andl $3,%3\n"
47348 ++ " .align 2,0x90\n"
47349 ++ "0: rep; movsl\n"
47350 ++ " movl %3,%0\n"
47351 ++ "1: rep; movsb\n"
47352 ++ "2:\n"
47353 ++ " pushl %%ss\n"
47354 ++ " popl %%es\n"
47355 ++ ".section .fixup,\"ax\"\n"
47356 ++ "5: addl %3,%0\n"
47357 ++ " jmp 2b\n"
47358 ++ "3: lea 0(%3,%0,4),%0\n"
47359 ++ " jmp 2b\n"
47360 ++ ".previous\n"
47361 ++ ".section __ex_table,\"a\"\n"
47362 ++ " .align 4\n"
47363 ++ " .long 4b,5b\n"
47364 ++ " .long 0b,3b\n"
47365 ++ " .long 1b,2b\n"
47366 ++ ".previous"
47367 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47368 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47369 ++ : "memory");
47370 ++ return size;
47371 ++}
47372 ++
47373 ++static unsigned long
47374 ++__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
47375 ++{
47376 ++ int __d0, __d1, __d2;
47377 ++
47378 ++ __asm__ __volatile__(
47379 ++ " movw %w8,%%ds\n"
47380 ++ " cmp $7,%0\n"
47381 ++ " jbe 1f\n"
47382 ++ " movl %1,%0\n"
47383 ++ " negl %0\n"
47384 ++ " andl $7,%0\n"
47385 ++ " subl %0,%3\n"
47386 ++ "4: rep; movsb\n"
47387 ++ " movl %3,%0\n"
47388 ++ " shrl $2,%0\n"
47389 ++ " andl $3,%3\n"
47390 ++ " .align 2,0x90\n"
47391 ++ "0: rep; movsl\n"
47392 ++ " movl %3,%0\n"
47393 ++ "1: rep; movsb\n"
47394 ++ "2:\n"
47395 ++ " pushl %%ss\n"
47396 ++ " popl %%ds\n"
47397 ++ ".section .fixup,\"ax\"\n"
47398 ++ "5: addl %3,%0\n"
47399 ++ " jmp 2b\n"
47400 ++ "3: lea 0(%3,%0,4),%0\n"
47401 ++ " jmp 2b\n"
47402 ++ ".previous\n"
47403 ++ ".section __ex_table,\"a\"\n"
47404 ++ " .align 4\n"
47405 ++ " .long 4b,5b\n"
47406 ++ " .long 0b,3b\n"
47407 ++ " .long 1b,2b\n"
47408 ++ ".previous"
47409 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47410 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47411 ++ : "memory");
47412 ++ return size;
47413 ++}
47414 ++
47415 ++static unsigned long
47416 ++__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
47417 ++{
47418 ++ int __d0, __d1, __d2;
47419 ++
47420 ++ __asm__ __volatile__(
47421 ++ " movw %w8,%%ds\n"
47422 ++ " cmp $7,%0\n"
47423 ++ " jbe 1f\n"
47424 ++ " movl %1,%0\n"
47425 ++ " negl %0\n"
47426 ++ " andl $7,%0\n"
47427 ++ " subl %0,%3\n"
47428 ++ "4: rep; movsb\n"
47429 ++ " movl %3,%0\n"
47430 ++ " shrl $2,%0\n"
47431 ++ " andl $3,%3\n"
47432 ++ " .align 2,0x90\n"
47433 ++ "0: rep; movsl\n"
47434 ++ " movl %3,%0\n"
47435 ++ "1: rep; movsb\n"
47436 ++ "2:\n"
47437 ++ " pushl %%ss\n"
47438 ++ " popl %%ds\n"
47439 ++ ".section .fixup,\"ax\"\n"
47440 ++ "5: addl %3,%0\n"
47441 ++ " jmp 6f\n"
47442 ++ "3: lea 0(%3,%0,4),%0\n"
47443 ++ "6: pushl %0\n"
47444 ++ " pushl %%eax\n"
47445 ++ " xorl %%eax,%%eax\n"
47446 ++ " rep; stosb\n"
47447 ++ " popl %%eax\n"
47448 ++ " popl %0\n"
47449 ++ " jmp 2b\n"
47450 ++ ".previous\n"
47451 ++ ".section __ex_table,\"a\"\n"
47452 ++ " .align 4\n"
47453 ++ " .long 4b,5b\n"
47454 ++ " .long 0b,3b\n"
47455 ++ " .long 1b,6b\n"
47456 ++ ".previous"
47457 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
47458 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
47459 ++ : "memory");
47460 ++ return size;
47461 ++}
47462 +
47463 + unsigned long __copy_to_user_ll(void __user *to, const void *from,
47464 + unsigned long n)
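Review bot: `__generic_copy_to_user`, `__generic_copy_from_user` and `__copy_user_zeroing` are the former `__copy_user`/`__copy_user_zeroing` macro bodies copied out three times, differing only in which segment register receives `%w8` (`%%es` for the to-user case, `%%ds` for the two from-user cases) and in the `6:` zero-fill fixup; a single macro parameterised on the segment register, instantiated three times, would keep the asm bodies from drifting apart. The `rep; stosb` in the zeroing fixup also merits a comment: it writes through ES, which is still the kernel data segment because only DS was switched, so the zero-fill lands in the kernel destination as intended.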
47465 +@@ -774,9 +965,9 @@ survive:
47466 + }
47467 + #endif
47468 + if (movsl_is_ok(to, from, n))
47469 +- __copy_user(to, from, n);
47470 ++ n = __generic_copy_to_user(to, from, n);
47471 + else
47472 +- n = __copy_user_intel(to, from, n);
47473 ++ n = __generic_copy_to_user_intel(to, from, n);
47474 + return n;
47475 + }
47476 + EXPORT_SYMBOL(__copy_to_user_ll);
47477 +@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
47478 + unsigned long n)
47479 + {
47480 + if (movsl_is_ok(to, from, n))
47481 +- __copy_user_zeroing(to, from, n);
47482 ++ n = __copy_user_zeroing(to, from, n);
47483 + else
47484 + n = __copy_user_zeroing_intel(to, from, n);
47485 + return n;
47486 +@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
47487 + unsigned long n)
47488 + {
47489 + if (movsl_is_ok(to, from, n))
47490 +- __copy_user(to, from, n);
47491 ++ n = __generic_copy_from_user(to, from, n);
47492 + else
47493 +- n = __copy_user_intel((void __user *)to,
47494 ++ n = __generic_copy_from_user_intel((void __user *)to,
47495 + (const void *)from, n);
47496 + return n;
47497 + }
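Review bot: the `(void __user *)to, (const void *)from` casts at the `__generic_copy_from_user_intel` call are now inverted relative to the new prototype (`void *to, const void __user *from`): they turn a kernel pointer into `__user` and strip `__user` from the user pointer. They were only needed while `__copy_user_intel` served both directions and should be dropped so that sparse address-space checking keeps working on this call.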
47498 +@@ -809,9 +1000,9 @@ unsigned long __copy_from_user_ll_nocach
47499 + {
47500 + #ifdef CONFIG_X86_INTEL_USERCOPY
47501 + if ( n > 64 && cpu_has_xmm2)
47502 +- n = __copy_user_zeroing_intel_nocache(to, from, n);
47503 ++ n = __copy_user_zeroing_intel_nocache(to, from, n);
47504 + else
47505 +- __copy_user_zeroing(to, from, n);
47506 ++ n = __copy_user_zeroing(to, from, n);
47507 + #else
47508 + __copy_user_zeroing(to, from, n);
47509 + #endif
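Review bot: the `#else` branch still reads `__copy_user_zeroing(to, from, n);` and discards the return value. This patch turns `__copy_user_zeroing` from a macro that updated `n` in place through its `"=&c"(size)` output into a function that returns the remaining count, so a build without `CONFIG_X86_INTEL_USERCOPY` now returns the original `n` from `__copy_from_user_ll_nocache` regardless of how much was copied; it needs `n = __copy_user_zeroing(to, from, n);` exactly as the `__generic_copy_from_user` call in the following hunk does. The `n = __copy_user_zeroing_intel_nocache(...)` pair above it is a whitespace-only change and could be left out of the patch.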
47510 +@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
47511 + {
47512 + #ifdef CONFIG_X86_INTEL_USERCOPY
47513 + if ( n > 64 && cpu_has_xmm2)
47514 +- n = __copy_user_intel_nocache(to, from, n);
47515 ++ n = __copy_user_intel_nocache(to, from, n);
47516 + else
47517 +- __copy_user(to, from, n);
47518 ++ n = __generic_copy_from_user(to, from, n);
47519 + #else
47520 +- __copy_user(to, from, n);
47521 ++ n = __generic_copy_from_user(to, from, n);
47522 + #endif
47523 + return n;
47524 + }
47525 +@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
47526 + return n;
47527 + }
47528 + EXPORT_SYMBOL(copy_from_user);
47529 ++
47530 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
47531 ++void __set_fs(mm_segment_t x, int cpu)
47532 ++{
47533 ++ unsigned long limit = x.seg;
47534 ++ __u32 a, b;
47535 ++
47536 ++ current_thread_info()->addr_limit = x;
47537 ++ if (likely(limit))
47538 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
47539 ++ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
47540 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
47541 ++}
47542 ++
47543 ++void set_fs(mm_segment_t x)
47544 ++{
47545 ++ __set_fs(x, get_cpu());
47546 ++ put_cpu_no_resched();
47547 ++}
47548 ++#else
47549 ++void set_fs(mm_segment_t x)
47550 ++{
47551 ++ current_thread_info()->addr_limit = x;
47552 ++}
47553 ++#endif
47554 ++
47555 ++EXPORT_SYMBOL(set_fs);
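Review bot: `__set_fs` only rewrites `GDT_ENTRY_DEFAULT_USER_DS` in the GDT of the CPU returned by `get_cpu()`, so the descriptor limit and `current_thread_info()->addr_limit` agree only while the task stays on that CPU; the patch has to reload the entry from `addr_limit` on every context switch and migration, and a comment here pointing at where that happens would make the invariant checkable. The `pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC)` call also carries two undocumented magic values: `0xF3` is present, DPL 3, writable data, and `0xC` sets the 4 KiB-granularity and 32-bit flags, which is why `limit` is pre-shifted by `PAGE_SHIFT`. Spelling that out, and noting that a `limit` of 0 still exposes the first page under page granularity, would help.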
47556 +diff -urNp linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c
47557 +--- linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c 2008-03-24 14:49:18.000000000 -0400
47558 ++++ linux-2.6.24.5/arch/x86/mach-voyager/voyager_basic.c 2008-03-26 20:21:08.000000000 -0400
47559 +@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
47560 + __u8 cmos[4];
47561 + ClickMap_t *map;
47562 + unsigned long map_addr;
47563 +- unsigned long old;
47564 ++ pte_t old;
47565 +
47566 + if(region >= CLICK_ENTRIES) {
47567 + printk("Voyager: Illegal ClickMap region %d\n", region);
47568 +@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
47569 +
47570 + /* steal page 0 for this */
47571 + old = pg0[0];
47572 +- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
47573 ++ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
47574 + local_flush_tlb();
47575 + /* now clear everything out but page 0 */
47576 + map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
47577 +diff -urNp linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c
47578 +--- linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c 2008-03-24 14:49:18.000000000 -0400
47579 ++++ linux-2.6.24.5/arch/x86/mach-voyager/voyager_smp.c 2008-03-26 20:21:08.000000000 -0400
47580 +@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
47581 + __u32 *hijack_vector;
47582 + __u32 start_phys_address = setup_trampoline();
47583 +
47584 ++#ifdef CONFIG_PAX_KERNEXEC
47585 ++ unsigned long cr0;
47586 ++#endif
47587 ++
47588 + /* There's a clever trick to this: The linux trampoline is
47589 + * compiled to begin at absolute location zero, so make the
47590 + * address zero but have the data segment selector compensate
47591 +@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
47592 +
47593 + init_gdt(cpu);
47594 + per_cpu(current_task, cpu) = idle;
47595 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
47596 ++
47597 ++#ifdef CONFIG_PAX_KERNEXEC
47598 ++ pax_open_kernel(cr0);
47599 ++#endif
47600 ++
47601 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
47602 ++
47603 ++#ifdef CONFIG_PAX_KERNEXEC
47604 ++ pax_close_kernel(cr0);
47605 ++#endif
47606 ++
47607 + irq_ctx_init(cpu);
47608 +
47609 + /* Note: Don't modify initial ss override */
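Review bot: the `(unsigned long)` cast is dropped from `early_gdt_descr.address = get_cpu_gdt_table(cpu);`, which only compiles if the type of `early_gdt_descr.address` is changed to a descriptor pointer elsewhere in this patch; that dependency is invisible in this hunk, so mention it in the description or keep the cast. The `pax_open_kernel`/`pax_close_kernel` window around the single store is otherwise as narrow as it can be.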
47610 +@@ -1277,7 +1291,7 @@ smp_local_timer_interrupt(void)
47611 + per_cpu(prof_counter, cpu);
47612 + }
47613 +
47614 +- update_process_times(user_mode_vm(get_irq_regs()));
47615 ++ update_process_times(user_mode(get_irq_regs()));
47616 + }
47617 +
47618 + if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
47619 +diff -urNp linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c
47620 +--- linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
47621 ++++ linux-2.6.24.5/arch/x86/mm/boot_ioremap_32.c 2008-03-26 20:21:08.000000000 -0400
47622 +@@ -7,57 +7,37 @@
47623 + * Written by Dave Hansen <haveblue@××××××.com>
47624 + */
47625 +
47626 +-
47627 +-/*
47628 +- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
47629 +- * keeps that from happening. If anyone has a better way, I'm listening.
47630 +- *
47631 +- * boot_pte_t is defined only if this all works correctly
47632 +- */
47633 +-
47634 +-#undef CONFIG_X86_PAE
47635 + #undef CONFIG_PARAVIRT
47636 + #include <asm/page.h>
47637 + #include <asm/pgtable.h>
47638 + #include <asm/tlbflush.h>
47639 + #include <linux/init.h>
47640 + #include <linux/stddef.h>
47641 +-
47642 +-/*
47643 +- * I'm cheating here. It is known that the two boot PTE pages are
47644 +- * allocated next to each other. I'm pretending that they're just
47645 +- * one big array.
47646 +- */
47647 +-
47648 +-#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
47649 +-
47650 +-static unsigned long boot_pte_index(unsigned long vaddr)
47651 +-{
47652 +- return __pa(vaddr) >> PAGE_SHIFT;
47653 +-}
47654 +-
47655 +-static inline boot_pte_t* boot_vaddr_to_pte(void *address)
47656 +-{
47657 +- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
47658 +- return &boot_pg[boot_pte_index((unsigned long)address)];
47659 +-}
47660 ++#include <linux/sched.h>
47661 +
47662 + /*
47663 + * This is only for a caller who is clever enough to page-align
47664 + * phys_addr and virtual_source, and who also has a preference
47665 + * about which virtual address from which to steal ptes
47666 + */
47667 +-static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
47668 +- void* virtual_source)
47669 ++static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
47670 ++ char* virtual_source)
47671 + {
47672 +- boot_pte_t* pte;
47673 +- int i;
47674 +- char *vaddr = virtual_source;
47675 ++ pgd_t *pgd;
47676 ++ pud_t *pud;
47677 ++ pmd_t *pmd;
47678 ++ pte_t* pte;
47679 ++ unsigned int i;
47680 ++ unsigned long vaddr = (unsigned long)virtual_source;
47681 ++
47682 ++ pgd = pgd_offset_k(vaddr);
47683 ++ pud = pud_offset(pgd, vaddr);
47684 ++ pmd = pmd_offset(pud, vaddr);
47685 ++ pte = pte_offset_kernel(pmd, vaddr);
47686 +
47687 +- pte = boot_vaddr_to_pte(virtual_source);
47688 + for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
47689 + set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
47690 +- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
47691 ++ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
47692 + }
47693 + }
47694 +
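Review bot: the loop `for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++)` walks `pte` linearly from the entry found for `virtual_source`, so it steps past the end of the PTE page whenever `virtual_source + nrpages * PAGE_SIZE` crosses a PMD boundary (2 MiB under PAE, 4 MiB otherwise). The removed `boot_vaddr_to_pte` code made the same linear assumption, but now that the proper `pgd_offset_k`/`pud_offset`/`pmd_offset`/`pte_offset_kernel` walk is used, either redo the walk per page or document the caller's obligation to stay within one PMD.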
47695 +diff -urNp linux-2.6.24.5/arch/x86/mm/extable_32.c linux-2.6.24.5/arch/x86/mm/extable_32.c
47696 +--- linux-2.6.24.5/arch/x86/mm/extable_32.c 2008-03-24 14:49:18.000000000 -0400
47697 ++++ linux-2.6.24.5/arch/x86/mm/extable_32.c 2008-03-26 20:21:08.000000000 -0400
47698 +@@ -4,14 +4,63 @@
47699 +
47700 + #include <linux/module.h>
47701 + #include <linux/spinlock.h>
47702 ++#include <linux/sort.h>
47703 + #include <asm/uaccess.h>
47704 +
47705 ++/*
47706 ++ * The exception table needs to be sorted so that the binary
47707 ++ * search that we use to find entries in it works properly.
47708 ++ * This is used both for the kernel exception table and for
47709 ++ * the exception tables of modules that get loaded.
47710 ++ */
47711 ++static int cmp_ex(const void *a, const void *b)
47712 ++{
47713 ++ const struct exception_table_entry *x = a, *y = b;
47714 ++
47715 ++ /* avoid overflow */
47716 ++ if (x->insn > y->insn)
47717 ++ return 1;
47718 ++ if (x->insn < y->insn)
47719 ++ return -1;
47720 ++ return 0;
47721 ++}
47722 ++
47723 ++static void swap_ex(void *a, void *b, int size)
47724 ++{
47725 ++ struct exception_table_entry t, *x = a, *y = b;
47726 ++
47727 ++#ifdef CONFIG_PAX_KERNEXEC
47728 ++ unsigned long cr0;
47729 ++#endif
47730 ++
47731 ++ t = *x;
47732 ++
47733 ++#ifdef CONFIG_PAX_KERNEXEC
47734 ++ pax_open_kernel(cr0);
47735 ++#endif
47736 ++
47737 ++ *x = *y;
47738 ++ *y = t;
47739 ++
47740 ++#ifdef CONFIG_PAX_KERNEXEC
47741 ++ pax_close_kernel(cr0);
47742 ++#endif
47743 ++
47744 ++}
47745 ++
47746 ++void sort_extable(struct exception_table_entry *start,
47747 ++ struct exception_table_entry *finish)
47748 ++{
47749 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
47750 ++ cmp_ex, swap_ex);
47751 ++}
47752 ++
47753 + int fixup_exception(struct pt_regs *regs)
47754 + {
47755 + const struct exception_table_entry *fixup;
47756 +
47757 + #ifdef CONFIG_PNPBIOS
47758 +- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
47759 ++ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
47760 + {
47761 + extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
47762 + extern u32 pnp_bios_is_utter_crap;
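Review bot: the added `!(regs->eflags & VM_MASK)` guard in `fixup_exception` needs a comment: in vm86 mode `regs->xcs` holds a real-mode segment value, so `SEGMENT_IS_PNP_CODE()` could match it by accident and route a user fault through the PnP BIOS recovery path. Separately, `swap_ex` opens and closes the kernel for every element swap, which `sort()` performs O(n log n) times; either check whether one `pax_open_kernel` around the `sort()` call in `sort_extable` is acceptable, or document why the per-swap window was chosen.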
47763 +diff -urNp linux-2.6.24.5/arch/x86/mm/extable_64.c linux-2.6.24.5/arch/x86/mm/extable_64.c
47764 +--- linux-2.6.24.5/arch/x86/mm/extable_64.c 2008-03-24 14:49:18.000000000 -0400
47765 ++++ linux-2.6.24.5/arch/x86/mm/extable_64.c 2008-03-26 20:21:08.000000000 -0400
47766 +@@ -4,9 +4,58 @@
47767 +
47768 + #include <linux/module.h>
47769 + #include <linux/spinlock.h>
47770 ++#include <linux/sort.h>
47771 + #include <linux/init.h>
47772 + #include <asm/uaccess.h>
47773 +
47774 ++/*
47775 ++ * The exception table needs to be sorted so that the binary
47776 ++ * search that we use to find entries in it works properly.
47777 ++ * This is used both for the kernel exception table and for
47778 ++ * the exception tables of modules that get loaded.
47779 ++ */
47780 ++static int cmp_ex(const void *a, const void *b)
47781 ++{
47782 ++ const struct exception_table_entry *x = a, *y = b;
47783 ++
47784 ++ /* avoid overflow */
47785 ++ if (x->insn > y->insn)
47786 ++ return 1;
47787 ++ if (x->insn < y->insn)
47788 ++ return -1;
47789 ++ return 0;
47790 ++}
47791 ++
47792 ++static void swap_ex(void *a, void *b, int size)
47793 ++{
47794 ++ struct exception_table_entry t, *x = a, *y = b;
47795 ++
47796 ++#ifdef CONFIG_PAX_KERNEXEC
47797 ++ unsigned long cr0;
47798 ++#endif
47799 ++
47800 ++ t = *x;
47801 ++
47802 ++#ifdef CONFIG_PAX_KERNEXEC
47803 ++ pax_open_kernel(cr0);
47804 ++#endif
47805 ++
47806 ++ *x = *y;
47807 ++ *y = t;
47808 ++
47809 ++#ifdef CONFIG_PAX_KERNEXEC
47810 ++ pax_close_kernel(cr0);
47811 ++#endif
47812 ++
47813 ++}
47814 ++
47815 ++void sort_extable(struct exception_table_entry *start,
47816 ++ struct exception_table_entry *finish)
47817 ++{
47818 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
47819 ++ cmp_ex, swap_ex);
47820 ++}
47821 ++
47822 + /* Simple binary search */
47823 + const struct exception_table_entry *
47824 + search_extable(const struct exception_table_entry *first,
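Review bot: `cmp_ex`, `swap_ex` and `sort_extable` here are identical to the copies added to `extable_32.c`; move them to one shared file rather than maintaining two. Also confirm that the x86 headers define `ARCH_HAS_SORT_EXTABLE`, otherwise the generic `sort_extable` in `lib/extable.c` is still compiled and the link fails with a duplicate symbol.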
47825 +diff -urNp linux-2.6.24.5/arch/x86/mm/fault_32.c linux-2.6.24.5/arch/x86/mm/fault_32.c
47826 +--- linux-2.6.24.5/arch/x86/mm/fault_32.c 2008-03-24 14:49:18.000000000 -0400
47827 ++++ linux-2.6.24.5/arch/x86/mm/fault_32.c 2008-03-26 20:21:16.000000000 -0400
47828 +@@ -26,10 +26,14 @@
47829 + #include <linux/uaccess.h>
47830 + #include <linux/kdebug.h>
47831 + #include <linux/kprobes.h>
47832 ++#include <linux/unistd.h>
47833 ++#include <linux/compiler.h>
47834 ++#include <linux/binfmts.h>
47835 +
47836 + #include <asm/system.h>
47837 + #include <asm/desc.h>
47838 + #include <asm/segment.h>
47839 ++#include <asm/tlbflush.h>
47840 +
47841 + extern void die(const char *,struct pt_regs *,long);
47842 +
47843 +@@ -39,7 +43,7 @@ static inline int notify_page_fault(stru
47844 + int ret = 0;
47845 +
47846 + /* kprobe_running() needs smp_processor_id() */
47847 +- if (!user_mode_vm(regs)) {
47848 ++ if (!user_mode(regs)) {
47849 + preempt_disable();
47850 + if (kprobe_running() && kprobe_fault_handler(regs, 14))
47851 + ret = 1;
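Review bot: `user_mode_vm()` differs from `user_mode()` in treating a vm86 task (`VM_MASK` set in `eflags`) as user mode, so switching to `user_mode()` here, and in `smp_local_timer_interrupt` in voyager_smp.c above, changes the kprobe and accounting paths for vm86 faults unless `user_mode()` is redefined to cover the vm86 case elsewhere in this patch. State which it is in the description, or keep `user_mode_vm()`.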
47852 +@@ -74,7 +78,8 @@ static inline unsigned long get_segment_
47853 + {
47854 + unsigned long eip = regs->eip;
47855 + unsigned seg = regs->xcs & 0xffff;
47856 +- u32 seg_ar, seg_limit, base, *desc;
47857 ++ u32 seg_ar, seg_limit, base;
47858 ++ struct desc_struct *desc;
47859 +
47860 + /* Unlikely, but must come before segment checks. */
47861 + if (unlikely(regs->eflags & VM_MASK)) {
47862 +@@ -88,7 +93,7 @@ static inline unsigned long get_segment_
47863 +
47864 + /* By far the most common cases. */
47865 + if (likely(SEGMENT_IS_FLAT_CODE(seg)))
47866 +- return eip;
47867 ++ return seg == __KERNEL_CS ? ktla_ktva(eip) : eip;
47868 +
47869 + /* Check the segment exists, is within the current LDT/GDT size,
47870 + that kernel/user (ring 0..3) has the appropriate privilege,
47871 +@@ -103,21 +108,24 @@ static inline unsigned long get_segment_
47872 + /* Get the GDT/LDT descriptor base.
47873 + When you look for races in this code remember that
47874 + LDT and other horrors are only used in user space. */
47875 +- if (seg & (1<<2)) {
47876 ++ if (seg & SEGMENT_LDT) {
47877 + /* Must lock the LDT while reading it. */
47878 + mutex_lock(&current->mm->context.lock);
47879 +- desc = current->mm->context.ldt;
47880 +- desc = (void *)desc + (seg & ~7);
47881 ++ if ((seg >> 3) >= current->mm->context.size) {
47882 ++ mutex_unlock(&current->mm->context.lock);
47883 ++ *eip_limit = 0;
47884 ++ return 1; /* So that returned eip > *eip_limit. */
47885 ++ }
47886 ++ desc = &current->mm->context.ldt[seg >> 3];
47887 + } else {
47888 + /* Must disable preemption while reading the GDT. */
47889 +- desc = (u32 *)get_cpu_gdt_table(get_cpu());
47890 +- desc = (void *)desc + (seg & ~7);
47891 ++ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
47892 + }
47893 +
47894 + /* Decode the code segment base from the descriptor */
47895 +- base = get_desc_base((unsigned long *)desc);
47896 ++ base = get_desc_base(desc);
47897 +
47898 +- if (seg & (1<<2)) {
47899 ++ if (seg & SEGMENT_LDT) {
47900 + mutex_unlock(&current->mm->context.lock);
47901 + } else
47902 + put_cpu();
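Review bot: the new bound check `if ((seg >> 3) >= current->mm->context.size)` closes an out-of-range read of context.ldt for a selector whose index exceeds the current LDT size, and it correctly drops the mutex before returning. The `return 1` together with `*eip_limit = 0` is a convention the caller has to know (returned eip above the limit means "invalid"), so a short note in the function's header comment, or a named constant for that sentinel, would make the intent explicit. The GDT branch gets no equivalent check; that is acceptable only because the selector in regs->xcs was already validated by the CPU when it was loaded, which is worth stating in the comment above the branch.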
47903 +@@ -216,6 +224,30 @@ static noinline void force_sig_info_faul
47904 +
47905 + fastcall void do_invalid_op(struct pt_regs *, unsigned long);
47906 +
47907 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
47908 ++static int pax_handle_fetch_fault(struct pt_regs *regs);
47909 ++#endif
47910 ++
47911 ++#ifdef CONFIG_PAX_PAGEEXEC
47912 ++static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
47913 ++{
47914 ++ pgd_t *pgd;
47915 ++ pud_t *pud;
47916 ++ pmd_t *pmd;
47917 ++
47918 ++ pgd = pgd_offset(mm, address);
47919 ++ if (!pgd_present(*pgd))
47920 ++ return NULL;
47921 ++ pud = pud_offset(pgd, address);
47922 ++ if (!pud_present(*pud))
47923 ++ return NULL;
47924 ++ pmd = pmd_offset(pud, address);
47925 ++ if (!pmd_present(*pmd))
47926 ++ return NULL;
47927 ++ return pmd;
47928 ++}
47929 ++#endif
47930 ++
47931 + static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
47932 + {
47933 + unsigned index = pgd_index(address);
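Review bot: pax_get_pmd returns any present pmd, including a large-page (PSE) pmd, and do_page_fault later hands its result straight to pte_offset_map_lock(mm, pmd, address, &ptl), which would then interpret the huge page itself as a page table. Since this patch also changes the hugetlb mapping code, please confirm how a PAGEEXEC-flagged process faulting inside a huge page is excluded from that path (for example by returning NULL here when pmd_large(*pmd) holds), or document why it cannot be reached.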
47934 +@@ -299,19 +331,26 @@ fastcall void __kprobes do_page_fault(st
47935 + struct task_struct *tsk;
47936 + struct mm_struct *mm;
47937 + struct vm_area_struct * vma;
47938 +- unsigned long address;
47939 + int write, si_code;
47940 + int fault;
47941 ++ pte_t *pte;
47942 ++
47943 ++#ifdef CONFIG_PAX_PAGEEXEC
47944 ++ pmd_t *pmd;
47945 ++ spinlock_t *ptl;
47946 ++ unsigned char pte_mask;
47947 ++#endif
47948 ++
47949 ++ /* get the address */
47950 ++ const unsigned long address = read_cr2();
47951 +
47952 + /*
47953 + * We can fault from pretty much anywhere, with unknown IRQ state.
47954 + */
47955 + trace_hardirqs_fixup();
47956 +
47957 +- /* get the address */
47958 +- address = read_cr2();
47959 +-
47960 + tsk = current;
47961 ++ mm = tsk->mm;
47962 +
47963 + si_code = SEGV_MAPERR;
47964 +
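Review bot: moving the CR2 read into the declaration (`const unsigned long address = read_cr2();`) captures the fault address before trace_hardirqs_fixup() runs, which is the safer ordering since anything that faults in between would clobber CR2, and making it const guards against accidental rewrites of `address` further down. The `mm = tsk->mm;` hoist is required by the new checks under bad_area_nosemaphore, which test `mm` on paths that reach the label from above the old assignment point; a sentence in the patch description saying so would save the next reader the search.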
47965 +@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
47966 + if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
47967 + local_irq_enable();
47968 +
47969 +- mm = tsk->mm;
47970 +-
47971 + /*
47972 + * If we're in an interrupt, have no user context or are running in an
47973 + * atomic region then we must not take the fault..
47974 + */
47975 + if (in_atomic() || !mm)
47976 +- goto bad_area_nosemaphore;
47977 ++ goto bad_area_nopax;
47978 +
47979 + /* When running in the kernel we expect faults to occur only to
47980 + * addresses in user space. All other faults represent errors in the
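Review bot: redirecting the in_atomic()/!mm case to bad_area_nopax (and the trylock failure in the next hunk likewise) deliberately bypasses the PaX block inserted under bad_area_nosemaphore, which calls local_irq_enable() and may end in do_group_exit(); that is the right choice for an atomic context, but the label name does not say so. A comment at `bad_area_nopax:` along the lines of "entered from contexts where the PaX reporting path must not run" would make the split between the two labels self-explanatory.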
47981 +@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
47982 + if (!down_read_trylock(&mm->mmap_sem)) {
47983 + if ((error_code & 4) == 0 &&
47984 + !search_exception_tables(regs->eip))
47985 +- goto bad_area_nosemaphore;
47986 ++ goto bad_area_nopax;
47987 + down_read(&mm->mmap_sem);
47988 + }
47989 +
47990 ++#ifdef CONFIG_PAX_PAGEEXEC
47991 ++ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
47992 ++ !(mm->pax_flags & MF_PAX_PAGEEXEC))
47993 ++ goto not_pax_fault;
47994 ++
47995 ++ /* PaX: it's our fault, let's handle it if we can */
47996 ++
47997 ++ /* PaX: take a look at read faults before acquiring any locks */
47998 ++ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
47999 ++ /* instruction fetch attempt from a protected page in user mode */
48000 ++ up_read(&mm->mmap_sem);
48001 ++
48002 ++#ifdef CONFIG_PAX_EMUTRAMP
48003 ++ switch (pax_handle_fetch_fault(regs)) {
48004 ++ case 2:
48005 ++ return;
48006 ++ }
48007 ++#endif
48008 ++
48009 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48010 ++ do_group_exit(SIGKILL);
48011 ++ }
48012 ++
48013 ++ pmd = pax_get_pmd(mm, address);
48014 ++ if (unlikely(!pmd))
48015 ++ goto not_pax_fault;
48016 ++
48017 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48018 ++ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
48019 ++ pte_unmap_unlock(pte, ptl);
48020 ++ goto not_pax_fault;
48021 ++ }
48022 ++
48023 ++ if (unlikely((error_code & 2) && !pte_write(*pte))) {
48024 ++ /* write attempt to a protected page in user mode */
48025 ++ pte_unmap_unlock(pte, ptl);
48026 ++ goto not_pax_fault;
48027 ++ }
48028 ++
48029 ++#ifdef CONFIG_SMP
48030 ++ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
48031 ++#else
48032 ++ if (likely(address > get_limit(regs->xcs)))
48033 ++#endif
48034 ++ {
48035 ++ set_pte(pte, pte_mkread(*pte));
48036 ++ __flush_tlb_one(address);
48037 ++ pte_unmap_unlock(pte, ptl);
48038 ++ up_read(&mm->mmap_sem);
48039 ++ return;
48040 ++ }
48041 ++
48042 ++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
48043 ++
48044 ++ /*
48045 ++ * PaX: fill DTLB with user rights and retry
48046 ++ */
48047 ++ __asm__ __volatile__ (
48048 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
48049 ++ "movw %w4,%%es\n"
48050 ++#endif
48051 ++ "orb %2,(%1)\n"
48052 ++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
48053 ++/*
48054 ++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
48055 ++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
48056 ++ * page fault when examined during a TLB load attempt. this is true not only
48057 ++ * for PTEs holding a non-present entry but also present entries that will
48058 ++ * raise a page fault (such as those set up by PaX, or the copy-on-write
48059 ++ * mechanism). in effect it means that we do *not* need to flush the TLBs
48060 ++ * for our target pages since their PTEs are simply not in the TLBs at all.
48061 ++
48062 ++ * the best thing in omitting it is that we gain around 15-20% speed in the
48063 ++ * fast path of the page fault handler and can get rid of tracing since we
48064 ++ * can no longer flush unintended entries.
48065 ++ */
48066 ++ "invlpg (%0)\n"
48067 ++#endif
48068 ++ "testb $0,%%es:(%0)\n"
48069 ++ "xorb %3,(%1)\n"
48070 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
48071 ++ "pushl %%ss\n"
48072 ++ "popl %%es\n"
48073 ++#endif
48074 ++ :
48075 ++ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
48076 ++ : "memory", "cc");
48077 ++ pte_unmap_unlock(pte, ptl);
48078 ++ up_read(&mm->mmap_sem);
48079 ++ return;
48080 ++
48081 ++not_pax_fault:
48082 ++#endif
48083 ++
48084 + vma = find_vma(mm, address);
48085 + if (!vma)
48086 + goto bad_area;
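Review bot: the `pte_mask` computation `(error_code & 2) << (_PAGE_BIT_DIRTY-1)` is correct (bit 1 of error_code lands on _PAGE_DIRTY) but opaque; `((error_code & 2) ? _PAGE_DIRTY : 0)` says the same thing without the reader having to look up _PAGE_BIT_DIRTY. Two further points on this hunk: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` is a plain `if (pax_handle_fetch_fault(regs) == 2) return;` and the same EMUTRAMP/pax_report_fault/do_group_exit sequence recurs three times in this file, so a small static helper would remove the duplication; and the transient state in the inline asm where the PTE carries _PAGE_USER between `orb %2,(%1)` and `xorb %3,(%1)` deserves a comment stating why it is acceptable on SMP (the ptl and mmap_sem are held, but neither excludes other CPUs running in the same mm), since the long comment beside it discusses only TLB caching behaviour.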
48087 +@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
48088 + if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
48089 + goto bad_area;
48090 + }
48091 ++
48092 ++#ifdef CONFIG_PAX_SEGMEXEC
48093 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
48094 ++ goto bad_area;
48095 ++#endif
48096 ++
48097 + if (expand_stack(vma, address))
48098 + goto bad_area;
48099 + /*
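Review bot: the SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wraparound: both operands wrap to large values when their address lies at or below SEGMEXEC_TASK_SIZE and stay small above it, so the comparison is true exactly when the stack expansion would cross the split. It works, but a comment spelling that out, or a small helper with a descriptive name, would spare every future reviewer the arithmetic.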
48100 +@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
48101 + good_area:
48102 + si_code = SEGV_ACCERR;
48103 + write = 0;
48104 ++ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
48105 ++ goto bad_area;
48106 + switch (error_code & 3) {
48107 + default: /* 3: write, present */
48108 + /* fall through */
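Review bot: this VM_EXEC check is applied to every process, not only those with MF_PAX_PAGEEXEC in mm->pax_flags, so a user-mode instruction fetch (error_code bit 4) into a readable but non-executable vma now goes to bad_area directly when NX is enabled. If that is intended as plain hardware-NX enforcement independent of PaX, a comment saying so would separate it from the pax_flags-gated checks earlier in this function.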
48109 +@@ -458,6 +597,49 @@ bad_area:
48110 + up_read(&mm->mmap_sem);
48111 +
48112 + bad_area_nosemaphore:
48113 ++
48114 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48115 ++ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
48116 ++ /*
48117 ++ * It's possible to have interrupts off here.
48118 ++ */
48119 ++ local_irq_enable();
48120 ++
48121 ++#ifdef CONFIG_PAX_PAGEEXEC
48122 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
48123 ++ ((nx_enabled && ((error_code & 16) || !(error_code & 3)) && (regs->eip == address)))) {
48124 ++
48125 ++#ifdef CONFIG_PAX_EMUTRAMP
48126 ++ switch (pax_handle_fetch_fault(regs)) {
48127 ++ case 2:
48128 ++ return;
48129 ++ }
48130 ++#endif
48131 ++
48132 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48133 ++ do_group_exit(SIGKILL);
48134 ++ }
48135 ++#endif
48136 ++
48137 ++#ifdef CONFIG_PAX_SEGMEXEC
48138 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
48139 ++
48140 ++#ifdef CONFIG_PAX_EMUTRAMP
48141 ++ switch (pax_handle_fetch_fault(regs)) {
48142 ++ case 2:
48143 ++ return;
48144 ++ }
48145 ++#endif
48146 ++
48147 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
48148 ++ do_group_exit(SIGKILL);
48149 ++ }
48150 ++#endif
48151 ++
48152 ++ }
48153 ++#endif
48154 ++
48155 ++bad_area_nopax:
48156 + /* User mode accesses just cause a SIGSEGV */
48157 + if (error_code & 4) {
48158 + /*
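Review bot: the EMUTRAMP/report/kill sequence appears twice more in this hunk (PAGEEXEC and SEGMEXEC branches) with only the trigger condition differing; factoring it into one static helper taking regs would shrink the block to its two conditions and make the do_group_exit(SIGKILL) endpoint obvious. The PAGEEXEC condition also spans two lines with four levels of parentheses; naming `nx_enabled && ((error_code & 16) || !(error_code & 3))` as a local would help. The outer `mm &&` guard is what keeps the block safe for kernel threads and should stay.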
48159 +@@ -495,7 +677,7 @@ bad_area_nosemaphore:
48160 + if (boot_cpu_data.f00f_bug) {
48161 + unsigned long nr;
48162 +
48163 +- nr = (address - idt_descr.address) >> 3;
48164 ++ nr = (address - (unsigned long)idt_descr.address) >> 3;
48165 +
48166 + if (nr == 6) {
48167 + do_invalid_op(regs, 0);
48168 +@@ -528,18 +710,34 @@ no_context:
48169 + __typeof__(pte_val(__pte(0))) page;
48170 +
48171 + #ifdef CONFIG_X86_PAE
48172 +- if (error_code & 16) {
48173 +- pte_t *pte = lookup_address(address);
48174 ++ if (nx_enabled && (error_code & 16)) {
48175 ++ pte = lookup_address(address);
48176 +
48177 + if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
48178 + printk(KERN_CRIT "kernel tried to execute "
48179 + "NX-protected page - exploit attempt? "
48180 +- "(uid: %d)\n", current->uid);
48181 ++ "(uid: %d, task: %s, pid: %d)\n",
48182 ++ tsk->uid, tsk->comm, task_pid_nr(tsk));
48183 + }
48184 + #endif
48185 + if (address < PAGE_SIZE)
48186 + printk(KERN_ALERT "BUG: unable to handle kernel NULL "
48187 + "pointer dereference");
48188 ++
48189 ++#ifdef CONFIG_PAX_KERNEXEC
48190 ++#ifdef CONFIG_MODULES
48191 ++ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
48192 ++#else
48193 ++ else if (init_mm.start_code <= address && address < init_mm.end_code)
48194 ++#endif
48195 ++ if (tsk->signal->curr_ip)
48196 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
48197 ++ NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48198 ++ else
48199 ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
48200 ++ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48201 ++#endif
48202 ++
48203 + else
48204 + printk(KERN_ALERT "BUG: unable to handle kernel paging"
48205 + " request");
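Review bot: the KERNEXEC report is spliced into an if/else-if chain without braces and under nested #ifdefs, and its body is itself an `if (tsk->signal->curr_ip) ... else ...`; the trailing `else` before "unable to handle kernel paging request" binds to the `else if` only because the inner if already carries its own else, which is fragile. Brace the `else if` body so the binding no longer depends on dangling-else rules. Minor: the two PaX lines use KERN_ERR while the neighbouring messages use KERN_ALERT, and all of them rely on the following printk to append the address and newline.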
48206 +@@ -585,19 +783,18 @@ no_context:
48207 + tsk->thread.error_code = error_code;
48208 + die("Oops", regs, error_code);
48209 + bust_spinlocks(0);
48210 +- do_exit(SIGKILL);
48211 ++ do_group_exit(SIGKILL);
48212 +
48213 + /*
48214 + * We ran out of memory, or some other thing happened to us that made
48215 + * us unable to handle the page fault gracefully.
48216 + */
48217 + out_of_memory:
48218 +- up_read(&mm->mmap_sem);
48219 + if (is_global_init(tsk)) {
48220 + yield();
48221 +- down_read(&mm->mmap_sem);
48222 + goto survive;
48223 + }
48224 ++ up_read(&mm->mmap_sem);
48225 + printk("VM: killing process %s\n", tsk->comm);
48226 + if (error_code & 4)
48227 + do_group_exit(SIGKILL);
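Review bot: moving up_read(&mm->mmap_sem) below the is_global_init() branch means init now keeps mmap_sem held across yield() and the jump back to survive:, instead of dropping and retaking it; that keeps the `vma` reused at survive: from being unmapped by another thread in the meantime, which looks like the motivation, but nothing in the hunk says so. Please add a one-line comment at the moved up_read so the reordering is not mistaken for an accidental change.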
48228 +@@ -657,3 +854,92 @@ void vmalloc_sync_all(void)
48229 + start = address + PGDIR_SIZE;
48230 + }
48231 + }
48232 ++
48233 ++#ifdef CONFIG_PAX_EMUTRAMP
48234 ++/*
48235 ++ * PaX: decide what to do with offenders (regs->eip = fault address)
48236 ++ *
48237 ++ * returns 1 when task should be killed
48238 ++ * 2 when gcc trampoline was detected
48239 ++ */
48240 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
48241 ++{
48242 ++ int err;
48243 ++
48244 ++ if (regs->eflags & X86_EFLAGS_VM)
48245 ++ return 1;
48246 ++
48247 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
48248 ++ return 1;
48249 ++
48250 ++ do { /* PaX: gcc trampoline emulation #1 */
48251 ++ unsigned char mov1, mov2;
48252 ++ unsigned short jmp;
48253 ++ unsigned long addr1, addr2;
48254 ++
48255 ++ err = get_user(mov1, (unsigned char __user *)regs->eip);
48256 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
48257 ++ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
48258 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
48259 ++ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
48260 ++
48261 ++ if (err)
48262 ++ break;
48263 ++
48264 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
48265 ++ regs->ecx = addr1;
48266 ++ regs->eax = addr2;
48267 ++ regs->eip = addr2;
48268 ++ return 2;
48269 ++ }
48270 ++ } while (0);
48271 ++
48272 ++ do { /* PaX: gcc trampoline emulation #2 */
48273 ++ unsigned char mov, jmp;
48274 ++ unsigned long addr1, addr2;
48275 ++
48276 ++ err = get_user(mov, (unsigned char __user *)regs->eip);
48277 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
48278 ++ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
48279 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
48280 ++
48281 ++ if (err)
48282 ++ break;
48283 ++
48284 ++ if (mov == 0xB9 && jmp == 0xE9) {
48285 ++ regs->ecx = addr1;
48286 ++ regs->eip += addr2 + 10;
48287 ++ return 2;
48288 ++ }
48289 ++ } while (0);
48290 ++
48291 ++ return 1; /* PaX in action */
48292 ++}
48293 ++#endif
48294 ++
48295 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48296 ++void pax_report_insns(void *pc, void *sp)
48297 ++{
48298 ++ long i;
48299 ++
48300 ++ printk(KERN_ERR "PAX: bytes at PC: ");
48301 ++ for (i = 0; i < 20; i++) {
48302 ++ unsigned char c;
48303 ++ if (get_user(c, (unsigned char __user *)pc+i))
48304 ++ printk("?? ");
48305 ++ else
48306 ++ printk("%02x ", c);
48307 ++ }
48308 ++ printk("\n");
48309 ++
48310 ++ printk(KERN_ERR "PAX: bytes at SP-4: ");
48311 ++ for (i = -1; i < 20; i++) {
48312 ++ unsigned long c;
48313 ++ if (get_user(c, (unsigned long __user *)sp+i))
48314 ++ printk("???????? ");
48315 ++ else
48316 ++ printk("%08lx ", c);
48317 ++ }
48318 ++ printk("\n");
48319 ++}
48320 ++#endif
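Review bot: in trampoline emulation #2 the target is computed as `regs->eip += addr2 + 10` with addr2 declared unsigned long; the modular addition is right for the signed rel32 of an E9 jmp (10 = 5-byte mov + 5-byte jmp), but naming the variable rel32 or adding a one-line comment would make that clear. The header comment says the function returns 1 when the task should be killed, yet every caller treats anything other than 2 as kill, so the contract could simply read "returns 2 if the trampoline was emulated". In pax_report_insns the `i = -1` start of the SP loop is what yields the "SP-4" word; both dumps use get_user() per byte or word and should therefore not be called with mmap_sem held, which the callers in this file respect (up_read precedes each pax_report_fault).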
48321 +diff -urNp linux-2.6.24.5/arch/x86/mm/fault_64.c linux-2.6.24.5/arch/x86/mm/fault_64.c
48322 +--- linux-2.6.24.5/arch/x86/mm/fault_64.c 2008-03-24 14:49:18.000000000 -0400
48323 ++++ linux-2.6.24.5/arch/x86/mm/fault_64.c 2008-03-26 20:21:08.000000000 -0400
48324 +@@ -26,6 +26,7 @@
48325 + #include <linux/uaccess.h>
48326 + #include <linux/kdebug.h>
48327 + #include <linux/kprobes.h>
48328 ++#include <linux/binfmts.h>
48329 +
48330 + #include <asm/system.h>
48331 + #include <asm/pgalloc.h>
48332 +@@ -285,6 +286,163 @@ static int vmalloc_fault(unsigned long a
48333 + return 0;
48334 + }
48335 +
48336 ++#ifdef CONFIG_PAX_EMUTRAMP
48337 ++static int pax_handle_fetch_fault_32(struct pt_regs *regs)
48338 ++{
48339 ++ int err;
48340 ++
48341 ++ do { /* PaX: gcc trampoline emulation #1 */
48342 ++ unsigned char mov1, mov2;
48343 ++ unsigned short jmp;
48344 ++ unsigned int addr1, addr2;
48345 ++
48346 ++ if ((regs->rip + 11) >> 32)
48347 ++ break;
48348 ++
48349 ++ err = get_user(mov1, (unsigned char __user *)regs->rip);
48350 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
48351 ++ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
48352 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
48353 ++ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
48354 ++
48355 ++ if (err)
48356 ++ break;
48357 ++
48358 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
48359 ++ regs->rcx = addr1;
48360 ++ regs->rax = addr2;
48361 ++ regs->rip = addr2;
48362 ++ return 2;
48363 ++ }
48364 ++ } while (0);
48365 ++
48366 ++ do { /* PaX: gcc trampoline emulation #2 */
48367 ++ unsigned char mov, jmp;
48368 ++ unsigned int addr1, addr2;
48369 ++
48370 ++ if ((regs->rip + 9) >> 32)
48371 ++ break;
48372 ++
48373 ++ err = get_user(mov, (unsigned char __user *)regs->rip);
48374 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
48375 ++ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
48376 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
48377 ++
48378 ++ if (err)
48379 ++ break;
48380 ++
48381 ++ if (mov == 0xB9 && jmp == 0xE9) {
48382 ++ regs->rcx = addr1;
48383 ++ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
48384 ++ return 2;
48385 ++ }
48386 ++ } while (0);
48387 ++
48388 ++ return 1; /* PaX in action */
48389 ++}
48390 ++
48391 ++static int pax_handle_fetch_fault_64(struct pt_regs *regs)
48392 ++{
48393 ++ int err;
48394 ++
48395 ++ do { /* PaX: gcc trampoline emulation #1 */
48396 ++ unsigned short mov1, mov2, jmp1;
48397 ++ unsigned char jmp2;
48398 ++ unsigned int addr1;
48399 ++ unsigned long addr2;
48400 ++
48401 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
48402 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
48403 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
48404 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
48405 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
48406 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
48407 ++
48408 ++ if (err)
48409 ++ break;
48410 ++
48411 ++ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
48412 ++ regs->r11 = addr1;
48413 ++ regs->r10 = addr2;
48414 ++ regs->rip = addr1;
48415 ++ return 2;
48416 ++ }
48417 ++ } while (0);
48418 ++
48419 ++ do { /* PaX: gcc trampoline emulation #2 */
48420 ++ unsigned short mov1, mov2, jmp1;
48421 ++ unsigned char jmp2;
48422 ++ unsigned long addr1, addr2;
48423 ++
48424 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
48425 ++ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
48426 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
48427 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
48428 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
48429 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
48430 ++
48431 ++ if (err)
48432 ++ break;
48433 ++
48434 ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
48435 ++ regs->r11 = addr1;
48436 ++ regs->r10 = addr2;
48437 ++ regs->rip = addr1;
48438 ++ return 2;
48439 ++ }
48440 ++ } while (0);
48441 ++
48442 ++ return 1; /* PaX in action */
48443 ++}
48444 ++
48445 ++/*
48446 ++ * PaX: decide what to do with offenders (regs->rip = fault address)
48447 ++ *
48448 ++ * returns 1 when task should be killed
48449 ++ * 2 when gcc trampoline was detected
48450 ++ */
48451 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
48452 ++{
48453 ++ if (regs->eflags & X86_EFLAGS_VM)
48454 ++ return 1;
48455 ++
48456 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
48457 ++ return 1;
48458 ++
48459 ++ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
48460 ++ return pax_handle_fetch_fault_32(regs);
48461 ++ else
48462 ++ return pax_handle_fetch_fault_64(regs);
48463 ++}
48464 ++#endif
48465 ++
48466 ++#ifdef CONFIG_PAX_PAGEEXEC
48467 ++void pax_report_insns(void *pc, void *sp)
48468 ++{
48469 ++ long i;
48470 ++
48471 ++ printk(KERN_ERR "PAX: bytes at PC: ");
48472 ++ for (i = 0; i < 20; i++) {
48473 ++ unsigned char c;
48474 ++ if (get_user(c, (unsigned char __user *)pc+i))
48475 ++ printk("?? ");
48476 ++ else
48477 ++ printk("%02x ", c);
48478 ++ }
48479 ++ printk("\n");
48480 ++
48481 ++ printk(KERN_ERR "PAX: bytes at SP-8: ");
48482 ++ for (i = -1; i < 10; i++) {
48483 ++ unsigned long c;
48484 ++ if (get_user(c, (unsigned long __user *)sp+i))
48485 ++ printk("???????????????? ");
48486 ++ else
48487 ++ printk("%016lx ", c);
48488 ++ }
48489 ++ printk("\n");
48490 ++}
48491 ++#endif
48492 ++
48493 + int show_unhandled_signals = 1;
48494 +
48495 + /*
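Review bot: the 32-bit and 64-bit matchers in this hunk duplicate the `do { get_user()...; if (pattern) { fix up regs; return 2; } } while (0)` structure from fault_32.c with only byte patterns and offsets changed; a shared helper or a table of patterns would keep the four variants in sync. The `(regs->rip + 11) >> 32` and `(regs->rip + 9) >> 32` guards correctly bound the last byte read in compat mode (the jmp word at rip+10..11, the rel32 at rip+6..9), and `regs->rip = (unsigned int)(...)` keeps the emulated target in the low 4 GiB. In pax_handle_fetch_fault the dispatch `regs->cs == __USER32_CS || (regs->cs & (1<<2))` treats any LDT selector as a 32-bit code segment; please use SEGMENT_LDT as fault_32.c now does and add a comment recording the assumption that only 16/32-bit segments live in the LDT.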
48496 +@@ -405,7 +563,7 @@ asmlinkage void __kprobes do_page_fault(
48497 + goto good_area;
48498 + if (!(vma->vm_flags & VM_GROWSDOWN))
48499 + goto bad_area;
48500 +- if (error_code & 4) {
48501 ++ if (error_code & PF_USER) {
48502 + /* Allow userspace just enough access below the stack pointer
48503 + * to let the 'enter' instruction work.
48504 + */
48505 +@@ -421,6 +579,8 @@ asmlinkage void __kprobes do_page_fault(
48506 + good_area:
48507 + info.si_code = SEGV_ACCERR;
48508 + write = 0;
48509 ++ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
48510 ++ goto bad_area;
48511 + switch (error_code & (PF_PROT|PF_WRITE)) {
48512 + default: /* 3: write, present */
48513 + /* fall through */
48514 +@@ -472,6 +632,21 @@ bad_area_nosemaphore:
48515 + */
48516 + local_irq_enable();
48517 +
48518 ++#ifdef CONFIG_PAX_PAGEEXEC
48519 ++ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & PF_INSTR)) {
48520 ++
48521 ++#ifdef CONFIG_PAX_EMUTRAMP
48522 ++ switch (pax_handle_fetch_fault(regs)) {
48523 ++ case 2:
48524 ++ return;
48525 ++ }
48526 ++#endif
48527 ++
48528 ++ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
48529 ++ do_group_exit(SIGKILL);
48530 ++ }
48531 ++#endif
48532 ++
48533 + if (is_prefetch(regs, address, error_code))
48534 + return;
48535 +
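Review bot: unlike the fault_32.c counterpart, which additionally requires regs->eip == address, this check fires on PF_INSTR alone; that is fine on x86-64 where PF_INSTR is only reported when NX is active, but a comment stating the difference would stop someone later "fixing" one side to match the other. The same helper suggested for fault_32.c would serve here as well, since this is the same EMUTRAMP/pax_report_fault/do_group_exit sequence.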
48536 +@@ -489,8 +664,8 @@ bad_area_nosemaphore:
48537 + printk_ratelimit()) {
48538 + printk(
48539 + "%s%s[%d]: segfault at %lx rip %lx rsp %lx error %lx\n",
48540 +- tsk->pid > 1 ? KERN_INFO : KERN_EMERG,
48541 +- tsk->comm, tsk->pid, address, regs->rip,
48542 ++ task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
48543 ++ tsk->comm, task_pid_nr(tsk), address, regs->rip,
48544 + regs->rsp, error_code);
48545 + }
48546 +
48547 +@@ -534,6 +709,9 @@ no_context:
48548 +
48549 + if (address < PAGE_SIZE)
48550 + printk(KERN_ALERT "Unable to handle kernel NULL pointer dereference");
48551 ++ else if (error_code & PF_INSTR)
48552 ++ printk(KERN_ALERT "PAX: %s:%d, uid/euid: %u/%u, invalid execution attempt",
48553 ++ tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
48554 + else
48555 + printk(KERN_ALERT "Unable to handle kernel paging request");
48556 + printk(" at %016lx RIP: \n" KERN_ALERT,address);
48557 +@@ -546,7 +724,7 @@ no_context:
48558 + /* Executive summary in case the body of the oops scrolled away */
48559 + printk(KERN_EMERG "CR2: %016lx\n", address);
48560 + oops_end(flags);
48561 +- do_exit(SIGKILL);
48562 ++ do_group_exit(SIGKILL);
48563 +
48564 + /*
48565 + * We ran out of memory, or some other thing happened to us that made
48566 +diff -urNp linux-2.6.24.5/arch/x86/mm/highmem_32.c linux-2.6.24.5/arch/x86/mm/highmem_32.c
48567 +--- linux-2.6.24.5/arch/x86/mm/highmem_32.c 2008-03-24 14:49:18.000000000 -0400
48568 ++++ linux-2.6.24.5/arch/x86/mm/highmem_32.c 2008-03-26 20:21:08.000000000 -0400
48569 +@@ -31,6 +31,10 @@ void *kmap_atomic_prot(struct page *page
48570 + enum fixed_addresses idx;
48571 + unsigned long vaddr;
48572 +
48573 ++#ifdef CONFIG_PAX_KERNEXEC
48574 ++ unsigned long cr0;
48575 ++#endif
48576 ++
48577 + /* even !CONFIG_PREEMPT needs this, for in_atomic in do_page_fault */
48578 + pagefault_disable();
48579 +
48580 +@@ -40,7 +44,17 @@ void *kmap_atomic_prot(struct page *page
48581 + idx = type + KM_TYPE_NR*smp_processor_id();
48582 + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
48583 + BUG_ON(!pte_none(*(kmap_pte-idx)));
48584 ++
48585 ++#ifdef CONFIG_PAX_KERNEXEC
48586 ++ pax_open_kernel(cr0);
48587 ++#endif
48588 ++
48589 + set_pte(kmap_pte-idx, mk_pte(page, prot));
48590 ++
48591 ++#ifdef CONFIG_PAX_KERNEXEC
48592 ++ pax_close_kernel(cr0);
48593 ++#endif
48594 ++
48595 + arch_flush_lazy_mmu_mode();
48596 +
48597 + return (void *)vaddr;
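Review bot: every kmap helper in this file now repeats the same declare-cr0 / pax_open_kernel / set_pte / pax_close_kernel sequence (kmap_atomic_prot here, kunmap_atomic and kmap_atomic_pfn in the following hunks); a small helper (hypothetical name: pax_set_kmap_pte) would keep the #ifdef noise in one place and guarantee that the open window covers only the store. As written the window is minimal, with arch_flush_lazy_mmu_mode() correctly left outside it.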
48598 +@@ -56,15 +70,29 @@ void kunmap_atomic(void *kvaddr, enum km
48599 + unsigned long vaddr = (unsigned long) kvaddr & PAGE_MASK;
48600 + enum fixed_addresses idx = type + KM_TYPE_NR*smp_processor_id();
48601 +
48602 ++#ifdef CONFIG_PAX_KERNEXEC
48603 ++ unsigned long cr0;
48604 ++#endif
48605 ++
48606 + /*
48607 + * Force other mappings to Oops if they'll try to access this pte
48608 + * without first remap it. Keeping stale mappings around is a bad idea
48609 + * also, in case the page changes cacheability attributes or becomes
48610 + * a protected page in a hypervisor.
48611 + */
48612 +- if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx))
48613 ++ if (vaddr == __fix_to_virt(FIX_KMAP_BEGIN+idx)) {
48614 ++
48615 ++#ifdef CONFIG_PAX_KERNEXEC
48616 ++ pax_open_kernel(cr0);
48617 ++#endif
48618 ++
48619 + kpte_clear_flush(kmap_pte-idx, vaddr);
48620 +- else {
48621 ++
48622 ++#ifdef CONFIG_PAX_KERNEXEC
48623 ++ pax_close_kernel(cr0);
48624 ++#endif
48625 ++
48626 ++ } else {
48627 + #ifdef CONFIG_DEBUG_HIGHMEM
48628 + BUG_ON(vaddr < PAGE_OFFSET);
48629 + BUG_ON(vaddr >= (unsigned long)high_memory);
48630 +@@ -83,11 +111,25 @@ void *kmap_atomic_pfn(unsigned long pfn,
48631 + enum fixed_addresses idx;
48632 + unsigned long vaddr;
48633 +
48634 ++#ifdef CONFIG_PAX_KERNEXEC
48635 ++ unsigned long cr0;
48636 ++#endif
48637 ++
48638 + pagefault_disable();
48639 +
48640 + idx = type + KM_TYPE_NR*smp_processor_id();
48641 + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
48642 ++
48643 ++#ifdef CONFIG_PAX_KERNEXEC
48644 ++ pax_open_kernel(cr0);
48645 ++#endif
48646 ++
48647 + set_pte(kmap_pte-idx, pfn_pte(pfn, kmap_prot));
48648 ++
48649 ++#ifdef CONFIG_PAX_KERNEXEC
48650 ++ pax_close_kernel(cr0);
48651 ++#endif
48652 ++
48653 + arch_flush_lazy_mmu_mode();
48654 +
48655 + return (void*) vaddr;
48656 +diff -urNp linux-2.6.24.5/arch/x86/mm/hugetlbpage.c linux-2.6.24.5/arch/x86/mm/hugetlbpage.c
48657 +--- linux-2.6.24.5/arch/x86/mm/hugetlbpage.c 2008-03-24 14:49:18.000000000 -0400
48658 ++++ linux-2.6.24.5/arch/x86/mm/hugetlbpage.c 2008-03-26 20:21:08.000000000 -0400
48659 +@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
48660 + {
48661 + struct mm_struct *mm = current->mm;
48662 + struct vm_area_struct *vma;
48663 +- unsigned long start_addr;
48664 ++ unsigned long start_addr, pax_task_size = TASK_SIZE;
48665 ++
48666 ++#ifdef CONFIG_PAX_SEGMEXEC
48667 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48668 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
48669 ++#endif
48670 +
48671 + if (len > mm->cached_hole_size) {
48672 +- start_addr = mm->free_area_cache;
48673 ++ start_addr = mm->free_area_cache;
48674 + } else {
48675 +- start_addr = TASK_UNMAPPED_BASE;
48676 +- mm->cached_hole_size = 0;
48677 ++ start_addr = mm->mmap_base;
48678 ++ mm->cached_hole_size = 0;
48679 + }
48680 +
48681 + full_search:
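Review bot: the lines `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with no visible change, which looks like indentation-only churn; drop it so the substantive change (TASK_UNMAPPED_BASE to mm->mmap_base, TASK_SIZE to pax_task_size) stands out. Using mm->mmap_base here is also what lets the bottom-up search pick up the base that the top-down variant installs in its fail: path below, so the two hunks belong together in the description.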
48682 +@@ -243,13 +248,13 @@ full_search:
48683 +
48684 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
48685 + /* At this point: (!vma || addr < vma->vm_end). */
48686 +- if (TASK_SIZE - len < addr) {
48687 ++ if (pax_task_size - len < addr) {
48688 + /*
48689 + * Start a new search - just in case we missed
48690 + * some holes.
48691 + */
48692 +- if (start_addr != TASK_UNMAPPED_BASE) {
48693 +- start_addr = TASK_UNMAPPED_BASE;
48694 ++ if (start_addr != mm->mmap_base) {
48695 ++ start_addr = mm->mmap_base;
48696 + mm->cached_hole_size = 0;
48697 + goto full_search;
48698 + }
48699 +@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
48700 + {
48701 + struct mm_struct *mm = current->mm;
48702 + struct vm_area_struct *vma, *prev_vma;
48703 +- unsigned long base = mm->mmap_base, addr = addr0;
48704 ++ unsigned long base = mm->mmap_base, addr;
48705 + unsigned long largest_hole = mm->cached_hole_size;
48706 +- int first_time = 1;
48707 +
48708 + /* don't allow allocations above current base */
48709 + if (mm->free_area_cache > base)
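Review bot: dropping `first_time` and the try_again retry changes behaviour: when the cached free_area_cache leaves no room for the request, the top-down search no longer restarts from `base` but goes straight to fail: and the bottom-up fallback. That may be intended (the `len <= largest_hole` reset just above already restarts from base in the common case), but the description does not say so; please record the rationale. `addr` losing its `= addr0` initialiser is harmless because the search assigns it before use.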
48710 +@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
48711 + largest_hole = 0;
48712 + mm->free_area_cache = base;
48713 + }
48714 +-try_again:
48715 ++
48716 + /* make sure it can fit in the remaining address space */
48717 + if (mm->free_area_cache < len)
48718 + goto fail;
48719 +@@ -325,22 +329,26 @@ try_again:
48720 +
48721 + fail:
48722 + /*
48723 +- * if hint left us with no space for the requested
48724 +- * mapping then try again:
48725 +- */
48726 +- if (first_time) {
48727 +- mm->free_area_cache = base;
48728 +- largest_hole = 0;
48729 +- first_time = 0;
48730 +- goto try_again;
48731 +- }
48732 +- /*
48733 + * A failed mmap() very likely causes application failure,
48734 + * so fall back to the bottom-up function here. This scenario
48735 + * can happen with large stack limits and large mmap()
48736 + * allocations.
48737 + */
48738 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
48739 ++
48740 ++#ifdef CONFIG_PAX_SEGMEXEC
48741 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48742 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
48743 ++ else
48744 ++#endif
48745 ++
48746 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
48747 ++
48748 ++#ifdef CONFIG_PAX_RANDMMAP
48749 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
48750 ++ mm->mmap_base += mm->delta_mmap;
48751 ++#endif
48752 ++
48753 ++ mm->free_area_cache = mm->mmap_base;
48754 + mm->cached_hole_size = ~0UL;
48755 + addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
48756 + len, pgoff, flags);
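Review bot: the fail: path now rewrites mm->mmap_base (SEGMEXEC base or TASK_UNMAPPED_BASE, plus delta_mmap under RANDMMAP) so the bottom-up fallback picks it up, and the next hunk restores `mm->mmap_base = base` afterwards; that is safe because get_unmapped_area runs with mmap_sem held for writing, but a comment at the first assignment ("temporarily switch to the bottom-up base, restored below") would make the pairing obvious and guard against a future early return leaving mmap_base altered. The `else` under `#ifdef CONFIG_PAX_SEGMEXEC` followed by an unconditional statement after `#endif` is correct but easy to misread; computing a local bottom-up base first and assigning it once would be cleaner.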
48757 +@@ -348,6 +356,7 @@ fail:
48758 + /*
48759 + * Restore the topdown base:
48760 + */
48761 ++ mm->mmap_base = base;
48762 + mm->free_area_cache = base;
48763 + mm->cached_hole_size = ~0UL;
48764 +
48765 +@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
48766 + {
48767 + struct mm_struct *mm = current->mm;
48768 + struct vm_area_struct *vma;
48769 ++ unsigned long pax_task_size = TASK_SIZE;
48770 +
48771 + if (len & ~HPAGE_MASK)
48772 + return -EINVAL;
48773 +- if (len > TASK_SIZE)
48774 ++
48775 ++#ifdef CONFIG_PAX_SEGMEXEC
48776 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
48777 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
48778 ++#endif
48779 ++
48780 ++ if (len > pax_task_size)
48781 + return -ENOMEM;
48782 +
48783 + if (flags & MAP_FIXED) {
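Review bot: `len > pax_task_size` now bounds the request length for SEGMEXEC tasks, and the hint check in the next hunk uses pax_task_size too, but the MAP_FIXED branch that begins on the last line of this hunk is not shown; please confirm that its body also rejects addr + len beyond pax_task_size, otherwise a fixed mapping could still be placed in the upper SEGMEXEC half.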
48784 +@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
48785 + if (addr) {
48786 + addr = ALIGN(addr, HPAGE_SIZE);
48787 + vma = find_vma(mm, addr);
48788 +- if (TASK_SIZE - len >= addr &&
48789 ++ if (pax_task_size - len >= addr &&
48790 + (!vma || addr + len <= vma->vm_start))
48791 + return addr;
48792 + }
48793 +diff -urNp linux-2.6.24.5/arch/x86/mm/init_32.c linux-2.6.24.5/arch/x86/mm/init_32.c
48794 +--- linux-2.6.24.5/arch/x86/mm/init_32.c 2008-03-24 14:49:18.000000000 -0400
48795 ++++ linux-2.6.24.5/arch/x86/mm/init_32.c 2008-03-26 20:21:08.000000000 -0400
48796 +@@ -44,6 +44,7 @@
48797 + #include <asm/tlbflush.h>
48798 + #include <asm/sections.h>
48799 + #include <asm/paravirt.h>
48800 ++#include <asm/desc.h>
48801 +
48802 + unsigned int __VMALLOC_RESERVE = 128 << 20;
48803 +
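Review bot: `#include <asm/desc.h>` is pulled in for `pack_descriptor`, `write_gdt_entry` and `get_cpu_gdt_table`, which are used only in the KERNEXEC block of `free_initmem` further down in this file; the include is unconditional, which is fine, but a short comment saying why it is here would save the next reader a search.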
48804 +@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
48805 + static int noinline do_test_wp_bit(void);
48806 +
48807 + /*
48808 +- * Creates a middle page table and puts a pointer to it in the
48809 +- * given global directory entry. This only returns the gd entry
48810 +- * in non-PAE compilation mode, since the middle layer is folded.
48811 +- */
48812 +-static pmd_t * __init one_md_table_init(pgd_t *pgd)
48813 +-{
48814 +- pud_t *pud;
48815 +- pmd_t *pmd_table;
48816 +-
48817 +-#ifdef CONFIG_X86_PAE
48818 +- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
48819 +- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
48820 +-
48821 +- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
48822 +- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
48823 +- pud = pud_offset(pgd, 0);
48824 +- if (pmd_table != pmd_offset(pud, 0))
48825 +- BUG();
48826 +- }
48827 +-#endif
48828 +- pud = pud_offset(pgd, 0);
48829 +- pmd_table = pmd_offset(pud, 0);
48830 +- return pmd_table;
48831 +-}
48832 +-
48833 +-/*
48834 + * Create a page table and place a pointer to it in a middle page
48835 + * directory entry.
48836 + */
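Review bot: deleting `one_md_table_init` removes the lazy allocation of PAE middle page tables; every caller below now does `pud_offset`/`pmd_offset` directly and therefore assumes the pmd pages for the whole kernel range already exist before `page_table_range_init` and `kernel_physical_mapping_init` run (see the `swapper_pm_dir` loop in `native_pagetable_setup_start` in a later hunk). That precondition is satisfied by early boot code outside these hunks; it should be stated in a comment at the callers so it is not broken by accident.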
48837 +@@ -95,7 +70,11 @@ static pte_t * __init one_page_table_ini
48838 + (pte_t *)alloc_bootmem_low_pages(PAGE_SIZE);
48839 +
48840 + paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
48841 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48842 ++ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
48843 ++#else
48844 + set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
48845 ++#endif
48846 + BUG_ON(page_table != pte_offset_kernel(pmd, 0));
48847 + }
48848 +
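Review bot: under PAGEEXEC/SEGMEXEC the pmd entry is written with `_KERNPG_TABLE` instead of `_PAGE_TABLE`, i.e. without `_PAGE_USER` (the two differ only in the user bit). That is the intended hardening: kernel page tables become supervisor-only, so a user-mode access faults at the pmd level regardless of the leaf pte. It is not obvious why this is gated on those two options rather than applied unconditionally; a one-line comment explaining the gating would help.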
48849 +@@ -116,6 +95,7 @@ static pte_t * __init one_page_table_ini
48850 + static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
48851 + {
48852 + pgd_t *pgd;
48853 ++ pud_t *pud;
48854 + pmd_t *pmd;
48855 + int pgd_idx, pmd_idx;
48856 + unsigned long vaddr;
48857 +@@ -126,8 +106,13 @@ static void __init page_table_range_init
48858 + pgd = pgd_base + pgd_idx;
48859 +
48860 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
48861 +- pmd = one_md_table_init(pgd);
48862 +- pmd = pmd + pmd_index(vaddr);
48863 ++ pud = pud_offset(pgd, vaddr);
48864 ++ pmd = pmd_offset(pud, vaddr);
48865 ++
48866 ++#ifdef CONFIG_X86_PAE
48867 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
48868 ++#endif
48869 ++
48870 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
48871 + one_page_table_init(pmd);
48872 +
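Review bot: `paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT)` now runs for each pgd slot on every call of `page_table_range_init`, and `native_pagetable_setup_start` in a later hunk also announces every `swapper_pm_dir` page, so on PAE the same pmd page is reported as allocated more than once. The native hook ignores this, but a paravirt backend that pins pages on alloc may object; suggest reporting each pmd page exactly once, in one place.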
48873 +@@ -137,11 +122,23 @@ static void __init page_table_range_init
48874 + }
48875 + }
48876 +
48877 +-static inline int is_kernel_text(unsigned long addr)
48878 ++static inline int is_kernel_text(unsigned long start, unsigned long end)
48879 + {
48880 +- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
48881 +- return 1;
48882 +- return 0;
48883 ++ unsigned long etext;
48884 ++
48885 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
48886 ++ etext = ktva_ktla((unsigned long)&MODULES_END);
48887 ++#else
48888 ++ etext = (unsigned long)&_etext;
48889 ++#endif
48890 ++
48891 ++ if ((start > ktla_ktva(etext) ||
48892 ++ end <= ktla_ktva((unsigned long)_stext)) &&
48893 ++ (start > ktla_ktva((unsigned long)_einittext) ||
48894 ++ end <= ktla_ktva((unsigned long)_sinittext)) &&
48895 ++ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
48896 ++ return 0;
48897 ++ return 1;
48898 + }
48899 +
48900 + /*
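Review bot: the overlap test in `is_kernel_text` uses `start > ktla_ktva(etext)` where a half-open `[start, end)` check would use `>=`, so a range that begins exactly at `_etext` (or `_einittext`) is still classed as text and mapped executable; harmless, but one PMD or page wider than necessary. In the KERNEXEC+MODULES case `etext` is computed with `ktva_ktla()` and then immediately passed back through `ktla_ktva()`; computing both branches in the same address space and translating once would read better. A comment stating that the function returns 1 when `[start, end)` overlaps kernel text, init text, or the `0xc0000..0xfffff` ROM window would also help, because the negated three-clause condition is hard to read as written.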
48901 +@@ -153,25 +150,29 @@ static void __init kernel_physical_mappi
48902 + {
48903 + unsigned long pfn;
48904 + pgd_t *pgd;
48905 ++ pud_t *pud;
48906 + pmd_t *pmd;
48907 + pte_t *pte;
48908 +- int pgd_idx, pmd_idx, pte_ofs;
48909 ++ unsigned int pgd_idx, pmd_idx, pte_ofs;
48910 +
48911 + pgd_idx = pgd_index(PAGE_OFFSET);
48912 + pgd = pgd_base + pgd_idx;
48913 + pfn = 0;
48914 +
48915 +- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
48916 +- pmd = one_md_table_init(pgd);
48917 +- if (pfn >= max_low_pfn)
48918 +- continue;
48919 ++ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
48920 ++ pud = pud_offset(pgd, 0);
48921 ++ pmd = pmd_offset(pud, 0);
48922 ++
48923 ++#ifdef CONFIG_X86_PAE
48924 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
48925 ++#endif
48926 ++
48927 + for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
48928 +- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
48929 ++ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
48930 +
48931 + /* Map with big pages if possible, otherwise create normal page tables. */
48932 +- if (cpu_has_pse) {
48933 +- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
48934 +- if (is_kernel_text(address) || is_kernel_text(address2))
48935 ++ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
48936 ++ if (is_kernel_text(address, address + PMD_SIZE))
48937 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
48938 + else
48939 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
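Review bot: the added `address >= (unsigned long)__va(0x100000)` condition keeps the first megabyte out of large-page mapping, so the ROM window that `is_kernel_text` treats as text gets 4K granularity instead of dragging a whole 4MB executable mapping with it; good. `is_kernel_text(address, address + PMD_SIZE)` relies on `PMD_SIZE` being the large-page size, replacing the old `address2` computed from `PTRS_PER_PTE`; the two agree on 32-bit but a comment would make the dependency explicit. Changing `address` to `unsigned long` matches the `unsigned long` parameters of the new `is_kernel_text` and the `__va()` comparison, avoiding implicit conversions in the compare.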
48940 +@@ -183,7 +184,7 @@ static void __init kernel_physical_mappi
48941 + for (pte_ofs = 0;
48942 + pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
48943 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
48944 +- if (is_kernel_text(address))
48945 ++ if (is_kernel_text(address, address + PAGE_SIZE))
48946 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
48947 + else
48948 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
48949 +@@ -338,9 +339,9 @@ static void __init set_highmem_pages_ini
48950 + #define set_highmem_pages_init(bad_ppro) do { } while (0)
48951 + #endif /* CONFIG_HIGHMEM */
48952 +
48953 +-unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
48954 ++unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
48955 + EXPORT_SYMBOL(__PAGE_KERNEL);
48956 +-unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
48957 ++unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
48958 +
48959 + #ifdef CONFIG_NUMA
48960 + extern void __init remap_numa_kva(void);
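Review bot: `__read_only` is not a mainline 2.6.24 annotation, so its definition, the section it places `__PAGE_KERNEL`/`__PAGE_KERNEL_EXEC` in, and whatever seals that section after init must come from elsewhere in the patch; please reference that in the changelog. Once sealed, any runtime writer of these two variables will fault, so it is worth grepping the tree for assignments to them before relying on the annotation.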
48961 +@@ -351,26 +352,10 @@ extern void __init remap_numa_kva(void);
48962 + void __init native_pagetable_setup_start(pgd_t *base)
48963 + {
48964 + #ifdef CONFIG_X86_PAE
48965 +- int i;
48966 +-
48967 +- /*
48968 +- * Init entries of the first-level page table to the
48969 +- * zero page, if they haven't already been set up.
48970 +- *
48971 +- * In a normal native boot, we'll be running on a
48972 +- * pagetable rooted in swapper_pg_dir, but not in PAE
48973 +- * mode, so this will end up clobbering the mappings
48974 +- * for the lower 24Mbytes of the address space,
48975 +- * without affecting the kernel address space.
48976 +- */
48977 +- for (i = 0; i < USER_PTRS_PER_PGD; i++)
48978 +- set_pgd(&base[i],
48979 +- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
48980 ++ unsigned int i;
48981 +
48982 +- /* Make sure kernel address space is empty so that a pagetable
48983 +- will be allocated for it. */
48984 +- memset(&base[USER_PTRS_PER_PGD], 0,
48985 +- KERNEL_PGD_PTRS * sizeof(pgd_t));
48986 ++ for (i = 0; i < PTRS_PER_PGD; i++)
48987 ++ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
48988 + #else
48989 + paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
48990 + #endif
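Review bot: the PAE branch now loops over `PTRS_PER_PGD` pages of `swapper_pm_dir`, a symbol not declared in any visible hunk; it must be provided by the early boot code together with statically allocated pmd tables already linked into `swapper_pg_dir`. With both the zero-page pre-fill of the user entries and the `memset` of the kernel half gone, correctness depends entirely on those static tables being right at link/boot time; a comment stating that assumption here would help the next person who sees a missing mapping.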
48991 +@@ -378,16 +363,6 @@ void __init native_pagetable_setup_start
48992 +
48993 + void __init native_pagetable_setup_done(pgd_t *base)
48994 + {
48995 +-#ifdef CONFIG_X86_PAE
48996 +- /*
48997 +- * Add low memory identity-mappings - SMP needs it when
48998 +- * starting up on an AP from real-mode. In the non-PAE
48999 +- * case we already have these mappings through head.S.
49000 +- * All user-space mappings are explicitly cleared after
49001 +- * SMP startup.
49002 +- */
49003 +- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
49004 +-#endif
49005 + }
49006 +
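Review bot: the removed `set_pgd(&base[0], base[USER_PTRS_PER_PGD])` was, by its own comment, what gave PAE kernels the low-memory identity mapping that secondary CPUs need when started from real mode. If the static pmd tables now provide that mapping from the start, say so in the commit text; otherwise SMP bring-up on a PAE configuration with this patch needs to be tested explicitly.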
49007 + /*
49008 +@@ -449,12 +424,12 @@ static void __init pagetable_init (void)
49009 + * Swap suspend & friends need this for resume because things like the intel-agp
49010 + * driver might have split up a kernel 4MB mapping.
49011 + */
49012 +-char __nosavedata swsusp_pg_dir[PAGE_SIZE]
49013 ++pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
49014 + __attribute__ ((aligned (PAGE_SIZE)));
49015 +
49016 + static inline void save_pg_dir(void)
49017 + {
49018 +- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
49019 ++ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
49020 + }
49021 + #else
49022 + static inline void save_pg_dir(void)
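Review bot: `swsusp_pg_dir` becomes `pgd_t[PTRS_PER_PGD]` and `clone_pgd_range` copies entries rather than `PAGE_SIZE` bytes; under PAE that is four entries, so the copy shrinks to the entries that actually exist instead of a full page of mostly unrelated data. Behaviour is equivalent and the type now matches what is restored into `swapper_pg_dir`, so this looks right. Keeping `__attribute__ ((aligned (PAGE_SIZE)))` still matters because the array is loaded into CR3.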
49023 +@@ -483,12 +458,11 @@ void zap_low_mappings (void)
49024 + flush_tlb_all();
49025 + }
49026 +
49027 +-int nx_enabled = 0;
49028 ++int nx_enabled;
49029 +
49030 + #ifdef CONFIG_X86_PAE
49031 +
49032 +-static int disable_nx __initdata = 0;
49033 +-u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
49034 ++u64 __supported_pte_mask __read_only = ~_PAGE_NX;
49035 + EXPORT_SYMBOL_GPL(__supported_pte_mask);
49036 +
49037 + /*
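Review bot: `__supported_pte_mask` is marked `__read_only` here but is still written by `set_nx()` in the next hunk (`__supported_pte_mask &= ~_PAGE_NX;`). That only works because `set_nx` is `__init` and runs before the read-only section is sealed; please add a comment, since any later caller of `set_nx` would fault. Replacing `disable_nx` with `nx_enabled` and dropping the `= 0` initialiser is fine, statics are zero-initialised.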
49038 +@@ -499,36 +473,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
49039 + * on Enable
49040 + * off Disable
49041 + */
49042 ++#if !defined(CONFIG_PAX_PAGEEXEC)
49043 + static int __init noexec_setup(char *str)
49044 + {
49045 + if (!str || !strcmp(str, "on")) {
49046 +- if (cpu_has_nx) {
49047 +- __supported_pte_mask |= _PAGE_NX;
49048 +- disable_nx = 0;
49049 +- }
49050 ++ if (cpu_has_nx)
49051 ++ nx_enabled = 1;
49052 + } else if (!strcmp(str,"off")) {
49053 +- disable_nx = 1;
49054 +- __supported_pte_mask &= ~_PAGE_NX;
49055 ++ nx_enabled = 0;
49056 + } else
49057 + return -EINVAL;
49058 +
49059 + return 0;
49060 + }
49061 + early_param("noexec", noexec_setup);
49062 ++#endif
49063 +
49064 + static void __init set_nx(void)
49065 + {
49066 +- unsigned int v[4], l, h;
49067 ++ if (!nx_enabled && cpu_has_nx) {
49068 ++ unsigned l, h;
49069 +
49070 +- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
49071 +- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
49072 +- if ((v[3] & (1 << 20)) && !disable_nx) {
49073 +- rdmsr(MSR_EFER, l, h);
49074 +- l |= EFER_NX;
49075 +- wrmsr(MSR_EFER, l, h);
49076 +- nx_enabled = 1;
49077 +- __supported_pte_mask |= _PAGE_NX;
49078 +- }
49079 ++ __supported_pte_mask &= ~_PAGE_NX;
49080 ++ rdmsr(MSR_EFER, l, h);
49081 ++ l &= ~EFER_NX;
49082 ++ wrmsr(MSR_EFER, l, h);
49083 + }
49084 + }
49085 +
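Review bot: logic concern in `set_nx`: the new function only ever clears NX (`__supported_pte_mask &= ~_PAGE_NX`, `l &= ~EFER_NX`) when `!nx_enabled && cpu_has_nx`, and the initialiser in the previous hunk is still `~_PAGE_NX`, so nothing in this file sets `_PAGE_NX` in the mask or `EFER_NX` in the MSR any more. Under `CONFIG_PAX_PAGEEXEC` the `noexec=` parser is compiled out as well, leaving `nx_enabled` at 0 as far as this file is concerned, which would make `set_nx` disable NX on every NX-capable CPU unless early boot code elsewhere in the patch sets `nx_enabled = 1` and `EFER_NX` before `set_nx` runs. Please point at that code in the commit message, or add a `BUG_ON(!nx_enabled)` style assertion under PAGEEXEC so the invariant is checked.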
49086 +@@ -581,14 +550,6 @@ void __init paging_init(void)
49087 +
49088 + load_cr3(swapper_pg_dir);
49089 +
49090 +-#ifdef CONFIG_X86_PAE
49091 +- /*
49092 +- * We will bail out later - printk doesn't work right now so
49093 +- * the user would just see a hanging kernel.
49094 +- */
49095 +- if (cpu_has_pae)
49096 +- set_in_cr4(X86_CR4_PAE);
49097 +-#endif
49098 + __flush_tlb_all();
49099 +
49100 + kmap_init();
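Review bot: with `set_in_cr4(X86_CR4_PAE)` removed from `paging_init`, CR4.PAE must already be set by the time `load_cr3(swapper_pg_dir)` runs, which only holds if early boot code not in this hunk enables PAE first. The removed comment points out that printk is unusable here, so a missing CR4.PAE would be a silent hang; please state in the changelog where PAE is now enabled.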
49101 +@@ -659,7 +620,7 @@ void __init mem_init(void)
49102 + set_highmem_pages_init(bad_ppro);
49103 +
49104 + codesize = (unsigned long) &_etext - (unsigned long) &_text;
49105 +- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
49106 ++ datasize = (unsigned long) &_edata - (unsigned long) &_data;
49107 + initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
49108 +
49109 + kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
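Review bot: `datasize` is now `_edata - _data`, which needs a `_data` linker symbol that mainline 2.6.24 does not export from `vmlinux.lds`; the linker script change belongs in the same patch and is not visible here. The old `_edata - _etext` figure implicitly counted rodata as data, so the new value is smaller and more accurate once `_data` exists.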
49110 +@@ -704,10 +665,10 @@ void __init mem_init(void)
49111 + (unsigned long)&__init_begin, (unsigned long)&__init_end,
49112 + ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
49113 +
49114 +- (unsigned long)&_etext, (unsigned long)&_edata,
49115 +- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
49116 ++ (unsigned long)&_data, (unsigned long)&_edata,
49117 ++ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
49118 +
49119 +- (unsigned long)&_text, (unsigned long)&_etext,
49120 ++ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
49121 + ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
49122 +
49123 + #ifdef CONFIG_HIGHMEM
49124 +@@ -718,10 +679,6 @@ void __init mem_init(void)
49125 + BUG_ON((unsigned long)high_memory > VMALLOC_START);
49126 + #endif /* double-sanity-check paranoia */
49127 +
49128 +-#ifdef CONFIG_X86_PAE
49129 +- if (!cpu_has_pae)
49130 +- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
49131 +-#endif
49132 + if (boot_cpu_data.wp_works_ok < 0)
49133 + test_wp_bit();
49134 +
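Review bot: this drops the only check that refuses to run a PAE kernel on a CPU without PAE; together with the `paging_init` hunk that no longer sets CR4.PAE, the responsibility has moved entirely to early boot code. Make sure that code still fails loudly on a non-PAE CPU, because without it the failure is a crash before any console exists.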
49135 +@@ -839,6 +796,46 @@ void free_init_pages(char *what, unsigne
49136 +
49137 + void free_initmem(void)
49138 + {
49139 ++
49140 ++#ifdef CONFIG_PAX_KERNEXEC
49141 ++ /* PaX: limit KERNEL_CS to actual size */
49142 ++ unsigned long addr, limit;
49143 ++ __u32 a, b;
49144 ++ int cpu;
49145 ++ pgd_t *pgd;
49146 ++ pud_t *pud;
49147 ++ pmd_t *pmd;
49148 ++
49149 ++#ifdef CONFIG_MODULES
49150 ++ limit = ktva_ktla((unsigned long)&MODULES_END);
49151 ++#else
49152 ++ limit = (unsigned long)&_etext;
49153 ++#endif
49154 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
49155 ++
49156 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
49157 ++ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
49158 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
49159 ++ }
49160 ++
49161 ++ /* PaX: make KERNEL_CS read-only */
49162 ++ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_data; addr += PMD_SIZE) {
49163 ++ pgd = pgd_offset_k(addr);
49164 ++ pud = pud_offset(pgd, addr);
49165 ++ pmd = pmd_offset(pud, addr);
49166 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49167 ++ }
49168 ++#ifdef CONFIG_X86_PAE
49169 ++ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
49170 ++ pgd = pgd_offset_k(addr);
49171 ++ pud = pud_offset(pgd, addr);
49172 ++ pmd = pmd_offset(pud, addr);
49173 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49174 ++ }
49175 ++#endif
49176 ++ flush_tlb_all();
49177 ++#endif
49178 ++
49179 + free_init_pages("unused kernel memory",
49180 + (unsigned long)(&__init_begin),
49181 + (unsigned long)(&__init_end));
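Review bot: two points in the KERNEXEC block of `free_initmem`. First, `for (cpu = 0; cpu < NR_CPUS; cpu++)` rewrites the GDT of every CPU slot up to `NR_CPUS`, including CPUs that are not possible or present; `get_cpu_gdt_table(cpu)` on such a slot touches per-CPU data that may not have been set up, so `for_each_possible_cpu()` is the safer iterator. Second, both loops clear `_PAGE_RW` or set `_PAGE_NX` at PMD granularity (`addr += PMD_SIZE`), which assumes `_text`, `_data`, `__init_begin` and `__init_end` are PMD-aligned by the linker script; if `_data` shares a PMD with the tail of text, the first pages of writable data become read-only. A `BUG_ON` on the alignment of those addresses would make the assumption explicit. The descriptor is packed with `0x9B, 0xC` (present DPL0 readable code segment, 4K granularity) and a page-count limit, which matches `limit = (limit - 1UL) >> PAGE_SHIFT`.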
49182 +diff -urNp linux-2.6.24.5/arch/x86/mm/init_64.c linux-2.6.24.5/arch/x86/mm/init_64.c
49183 +--- linux-2.6.24.5/arch/x86/mm/init_64.c 2008-03-24 14:49:18.000000000 -0400
49184 ++++ linux-2.6.24.5/arch/x86/mm/init_64.c 2008-03-26 20:21:08.000000000 -0400
49185 +@@ -45,7 +45,7 @@
49186 + #include <asm/sections.h>
49187 +
49188 + #ifndef Dprintk
49189 +-#define Dprintk(x...)
49190 ++#define Dprintk(x...) do {} while (0)
49191 + #endif
49192 +
49193 + const struct dma_mapping_ops* dma_ops;
49194 +@@ -121,6 +121,10 @@ static __init void set_pte_phys(unsigned
49195 + pmd_t *pmd;
49196 + pte_t *pte, new_pte;
49197 +
49198 ++#ifdef CONFIG_PAX_KERNEXEC
49199 ++ unsigned long cr0;
49200 ++#endif
49201 ++
49202 + Dprintk("set_pte_phys %lx to %lx\n", vaddr, phys);
49203 +
49204 + pgd = pgd_offset_k(vaddr);
49205 +@@ -131,7 +135,7 @@ static __init void set_pte_phys(unsigned
49206 + pud = pud_offset(pgd, vaddr);
49207 + if (pud_none(*pud)) {
49208 + pmd = (pmd_t *) spp_getpage();
49209 +- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE | _PAGE_USER));
49210 ++ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
49211 + if (pmd != pmd_offset(pud, 0)) {
49212 + printk("PAGETABLE BUG #01! %p <-> %p\n", pmd, pmd_offset(pud,0));
49213 + return;
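Review bot: `_KERNPG_TABLE | _PAGE_USER` and `_PAGE_TABLE` are the same bit set, so this `set_pud` change (and the matching `set_pmd` change in the next hunk) is cosmetic. That is fine, but it should not be confused with the `init_32.c` change that goes the other way and drops `_PAGE_USER`; if the intent here was also supervisor-only page tables, the replacement should be `_KERNPG_TABLE` alone.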
49214 +@@ -140,7 +144,7 @@ static __init void set_pte_phys(unsigned
49215 + pmd = pmd_offset(pud, vaddr);
49216 + if (pmd_none(*pmd)) {
49217 + pte = (pte_t *) spp_getpage();
49218 +- set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE | _PAGE_USER));
49219 ++ set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
49220 + if (pte != pte_offset_kernel(pmd, 0)) {
49221 + printk("PAGETABLE BUG #02!\n");
49222 + return;
49223 +@@ -152,8 +156,17 @@ static __init void set_pte_phys(unsigned
49224 + if (!pte_none(*pte) &&
49225 + pte_val(*pte) != (pte_val(new_pte) & __supported_pte_mask))
49226 + pte_ERROR(*pte);
49227 ++
49228 ++#ifdef CONFIG_PAX_KERNEXEC
49229 ++ pax_open_kernel(cr0);
49230 ++#endif
49231 ++
49232 + set_pte(pte, new_pte);
49233 +
49234 ++#ifdef CONFIG_PAX_KERNEXEC
49235 ++ pax_close_kernel(cr0);
49236 ++#endif
49237 ++
49238 + /*
49239 + * It's enough to flush this one mapping.
49240 + * (PGE mappings get flushed as well)
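Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` are used with an uninitialised `cr0`, so they must be macros that save and restore CR0 (the WP bit) by name; the declaration and both calls are consistently under `CONFIG_PAX_KERNEXEC`, good. The window between open and close covers exactly one `set_pte`, which is what you want: while WP is clear the whole kernel can write to read-only pages, so nothing that can sleep or be preempted should ever sit inside that window.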
49241 +@@ -225,7 +238,7 @@ __meminit void *early_ioremap(unsigned l
49242 + addr &= PMD_MASK;
49243 + for (i = 0; i < pmds; i++, addr += PMD_SIZE)
49244 + set_pmd(pmd + i,__pmd(addr | _KERNPG_TABLE | _PAGE_PSE));
49245 +- __flush_tlb();
49246 ++ __flush_tlb_all();
49247 + return (void *)vaddr;
49248 + next:
49249 + ;
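Review bot: `__flush_tlb()` to `__flush_tlb_all()` in `early_ioremap`: the pmd entries written just above carry `_KERNPG_TABLE | _PAGE_PSE`, and if the table flags ever include `_PAGE_GLOBAL` a plain `__flush_tlb()` would leave the stale global entries in place; `__flush_tlb_all()` evicts those too. Correct but heavier (it toggles CR4.PGE), which is acceptable on an early and rarely used path; the same reasoning applies to the two identical changes in the following hunks.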
49250 +@@ -246,7 +259,7 @@ __meminit void early_iounmap(void *addr,
49251 + pmd = level2_kernel_pgt + pmd_index(vaddr);
49252 + for (i = 0; i < pmds; i++)
49253 + pmd_clear(pmd + i);
49254 +- __flush_tlb();
49255 ++ __flush_tlb_all();
49256 + }
49257 +
49258 + static void __meminit
49259 +@@ -314,7 +327,7 @@ static void __meminit phys_pud_init(pud_
49260 + spin_unlock(&init_mm.page_table_lock);
49261 + unmap_low_page(pmd);
49262 + }
49263 +- __flush_tlb();
49264 ++ __flush_tlb_all();
49265 + }
49266 +
49267 + static void __init find_early_table_space(unsigned long end)
49268 +@@ -583,6 +596,39 @@ void free_init_pages(char *what, unsigne
49269 +
49270 + void free_initmem(void)
49271 + {
49272 ++
49273 ++#ifdef CONFIG_PAX_KERNEXEC
49274 ++ unsigned long addr, end;
49275 ++ pgd_t *pgd;
49276 ++ pud_t *pud;
49277 ++ pmd_t *pmd;
49278 ++
49279 ++ /* PaX: make kernel code/rodata read-only, rest non-executable */
49280 ++ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_TEXT_SIZE; addr += PMD_SIZE) {
49281 ++ pgd = pgd_offset_k(addr);
49282 ++ pud = pud_offset(pgd, addr);
49283 ++ pmd = pmd_offset(pud, addr);
49284 ++ if ((unsigned long)_text <= addr && addr < (unsigned long)_data)
49285 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49286 ++ else
49287 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49288 ++ }
49289 ++
49290 ++ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
49291 ++ end = addr + KERNEL_TEXT_SIZE;
49292 ++ for (; addr < end; addr += PMD_SIZE) {
49293 ++ pgd = pgd_offset_k(addr);
49294 ++ pud = pud_offset(pgd, addr);
49295 ++ pmd = pmd_offset(pud, addr);
49296 ++ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_data)))
49297 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
49298 ++ else
49299 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
49300 ++ }
49301 ++
49302 ++ flush_tlb_all();
49303 ++#endif
49304 ++
49305 + free_init_pages("unused kernel memory",
49306 + (unsigned long)(&__init_begin),
49307 + (unsigned long)(&__init_end));
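Review bot: the 64-bit `free_initmem` block adjusts both aliases of the kernel image, the `__START_KERNEL_map` mapping and the direct-map alias `__va(__pa(__START_KERNEL_map))`, which is necessary because leaving either one writable and executable would undo the other. As in the 32-bit version, the `PMD_SIZE` stride assumes `_text` and `_data` are PMD-aligned and that the range is mapped with large pages at the pmd level; if `change_page_attr` has already split one of these pmds into a 4K table, `pmd_val(*pmd) & ~_PAGE_RW` clears RW on a table pointer and makes the whole 2MB read-only. Checking `_PAGE_PSE` in the pmd before modifying it would make that failure mode explicit instead of silent.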
49308 +@@ -730,7 +776,7 @@ int in_gate_area_no_task(unsigned long a
49309 +
49310 + const char *arch_vma_name(struct vm_area_struct *vma)
49311 + {
49312 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
49313 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
49314 + return "[vdso]";
49315 + if (vma == &gate_vma)
49316 + return "[vsyscall]";
49317 +diff -urNp linux-2.6.24.5/arch/x86/mm/ioremap_32.c linux-2.6.24.5/arch/x86/mm/ioremap_32.c
49318 +--- linux-2.6.24.5/arch/x86/mm/ioremap_32.c 2008-03-24 14:49:18.000000000 -0400
49319 ++++ linux-2.6.24.5/arch/x86/mm/ioremap_32.c 2008-03-26 20:21:08.000000000 -0400
49320 +@@ -67,8 +67,11 @@ void __iomem * __ioremap(unsigned long p
49321 + return NULL;
49322 + }
49323 +
49324 +- prot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY
49325 +- | _PAGE_ACCESSED | flags);
49326 ++#ifdef CONFIG_X86_PAE
49327 ++ prot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
49328 ++#else
49329 ++ prot = __pgprot(__PAGE_KERNEL | _PAGE_GLOBAL | flags);
49330 ++#endif
49331 +
49332 + /*
49333 + * Mappings have to be page-aligned
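Review bot: building `prot` from `__PAGE_KERNEL | _PAGE_GLOBAL | flags` instead of a hand-rolled `_PAGE_PRESENT | _PAGE_RW | ...` set means ioremap mappings inherit whatever `__PAGE_KERNEL` carries, including the NX bit (it is initialised from `_PAGE_KERNEL` in `init_32.c`), so device mappings become non-executable where NX is available. The `& __supported_pte_mask` is applied only under PAE, which is right because a non-PAE 32-bit pte has no NX bit to strip; a comment on the `#else` branch would make that non-obvious choice clear.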
49334 +diff -urNp linux-2.6.24.5/arch/x86/mm/ioremap_64.c linux-2.6.24.5/arch/x86/mm/ioremap_64.c
49335 +--- linux-2.6.24.5/arch/x86/mm/ioremap_64.c 2008-03-24 14:49:18.000000000 -0400
49336 ++++ linux-2.6.24.5/arch/x86/mm/ioremap_64.c 2008-03-26 20:21:08.000000000 -0400
49337 +@@ -48,7 +48,7 @@ ioremap_change_attr(unsigned long phys_a
49338 + * Must use a address here and not struct page because the phys addr
49339 + * can be a in hole between nodes and not have an memmap entry.
49340 + */
49341 +- err = change_page_attr_addr(vaddr,npages,__pgprot(__PAGE_KERNEL|flags));
49342 ++ err = change_page_attr_addr(vaddr,npages,__pgprot((__PAGE_KERNEL|_PAGE_GLOBAL|flags) & __supported_pte_mask));
49343 + if (!err)
49344 + global_flush_tlb();
49345 + }
49346 +@@ -103,8 +103,8 @@ void __iomem * __ioremap(unsigned long p
49347 + }
49348 + #endif
49349 +
49350 +- pgprot = __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_GLOBAL
49351 +- | _PAGE_DIRTY | _PAGE_ACCESSED | flags);
49352 ++ pgprot = __pgprot((__PAGE_KERNEL | _PAGE_GLOBAL | flags) & __supported_pte_mask);
49353 ++
49354 + /*
49355 + * Mappings have to be page-aligned
49356 + */
49357 +@@ -126,7 +126,7 @@ void __iomem * __ioremap(unsigned long p
49358 + return NULL;
49359 + }
49360 + if (flags && ioremap_change_attr(phys_addr, size, flags) < 0) {
49361 +- area->flags &= 0xffffff;
49362 ++ area->flags &= 0xfffff;
49363 + vunmap(addr);
49364 + return NULL;
49365 + }
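Review bot: `area->flags &= 0xfffff` (bits 0..19) versus the old `0xffffff` (bits 0..23): `iounmap` in the next hunk tests `p->flags >> 20` to decide whether attributes were changed, so the old mask left bits 20..23 set on the failure path and could trigger a bogus `ioremap_change_attr` later. This is a genuine bug fix unrelated to PaX and deserves its own line in the changelog.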
49366 +@@ -199,7 +199,7 @@ void iounmap(volatile void __iomem *addr
49367 +
49368 + /* Reset the direct mapping. Can block */
49369 + if (p->flags >> 20)
49370 +- ioremap_change_attr(p->phys_addr, p->size, 0);
49371 ++ ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0);
49372 +
49373 + /* Finally remove it */
49374 + o = remove_vm_area((void *)addr);
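Review bot: `ioremap_change_attr(p->phys_addr, p->size - PAGE_SIZE, 0)`: `vm_struct.size` includes the guard page appended by `get_vm_area`, so the old call reverted attributes on one page past the real mapping; subtracting `PAGE_SIZE` confines the revert to the mapped range. Good catch, and again worth calling out explicitly as a fix separate from the hardening changes.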
49375 +diff -urNp linux-2.6.24.5/arch/x86/mm/mmap_32.c linux-2.6.24.5/arch/x86/mm/mmap_32.c
49376 +--- linux-2.6.24.5/arch/x86/mm/mmap_32.c 2008-03-24 14:49:18.000000000 -0400
49377 ++++ linux-2.6.24.5/arch/x86/mm/mmap_32.c 2008-03-26 20:21:08.000000000 -0400
49378 +@@ -35,12 +35,18 @@
49379 + * Leave an at least ~128 MB hole.
49380 + */
49381 + #define MIN_GAP (128*1024*1024)
49382 +-#define MAX_GAP (TASK_SIZE/6*5)
49383 ++#define MAX_GAP (pax_task_size/6*5)
49384 +
49385 + static inline unsigned long mmap_base(struct mm_struct *mm)
49386 + {
49387 + unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
49388 + unsigned long random_factor = 0;
49389 ++ unsigned long pax_task_size = TASK_SIZE;
49390 ++
49391 ++#ifdef CONFIG_PAX_SEGMEXEC
49392 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
49393 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
49394 ++#endif
49395 +
49396 + if (current->flags & PF_RANDOMIZE)
49397 + random_factor = get_random_int() % (1024*1024);
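Review bot: `#define MAX_GAP (pax_task_size/6*5)` now references a local variable that only exists inside `mmap_base()`; a macro that silently depends on a local in scope is fragile and will break the first time `MAX_GAP` is used elsewhere. Prefer `static inline unsigned long max_gap(unsigned long task_size)` or compute the bound into a local next to `pax_task_size`. The PF_RANDOMIZE jitter (`get_random_int() % (1024*1024)`) is untouched, so the RANDMMAP delta is layered on top of the existing randomisation rather than replacing it.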
49398 +@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
49399 + else if (gap > MAX_GAP)
49400 + gap = MAX_GAP;
49401 +
49402 +- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
49403 ++ return PAGE_ALIGN(pax_task_size - gap - random_factor);
49404 + }
49405 +
49406 + /*
49407 +@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
49408 + if (sysctl_legacy_va_layout ||
49409 + (current->personality & ADDR_COMPAT_LAYOUT) ||
49410 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
49411 ++
49412 ++#ifdef CONFIG_PAX_SEGMEXEC
49413 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
49414 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
49415 ++ else
49416 ++#endif
49417 ++
49418 + mm->mmap_base = TASK_UNMAPPED_BASE;
49419 ++
49420 ++#ifdef CONFIG_PAX_RANDMMAP
49421 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49422 ++ mm->mmap_base += mm->delta_mmap;
49423 ++#endif
49424 ++
49425 + mm->get_unmapped_area = arch_get_unmapped_area;
49426 + mm->unmap_area = arch_unmap_area;
49427 + } else {
49428 + mm->mmap_base = mmap_base(mm);
49429 ++
49430 ++#ifdef CONFIG_PAX_RANDMMAP
49431 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49432 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
49433 ++#endif
49434 ++
49435 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
49436 + mm->unmap_area = arch_unmap_area_topdown;
49437 + }
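Review bot: in the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack` is applied after `mmap_base()` has already subtracted the stack gap and the PF_RANDOMIZE jitter; nothing in this file bounds `delta_mmap + delta_stack`, so the requirement that `mmap_base` stays above `TASK_UNMAPPED_BASE` (and, in the legacy branch, that `mmap_base += delta_mmap` stays below the stack gap) depends entirely on how the deltas are generated elsewhere. Please state those bounds where the deltas are chosen. The legacy branch repeats the dangling-`else`-across-`#endif` construct from the hugetlb hunk; braces would be safer there too.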
49438 +diff -urNp linux-2.6.24.5/arch/x86/mm/mmap_64.c linux-2.6.24.5/arch/x86/mm/mmap_64.c
49439 +--- linux-2.6.24.5/arch/x86/mm/mmap_64.c 2008-03-24 14:49:18.000000000 -0400
49440 ++++ linux-2.6.24.5/arch/x86/mm/mmap_64.c 2008-03-26 20:21:08.000000000 -0400
49441 +@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
49442 + unsigned rnd = get_random_int() & 0xfffffff;
49443 + mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
49444 + }
49445 ++
49446 ++#ifdef CONFIG_PAX_RANDMMAP
49447 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
49448 ++ mm->mmap_base += mm->delta_mmap;
49449 ++#endif
49450 ++
49451 + mm->get_unmapped_area = arch_get_unmapped_area;
49452 + mm->unmap_area = arch_unmap_area;
49453 + }
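Review bot: on x86_64 the RANDMMAP delta is added on top of the existing `rnd << PAGE_SHIFT` randomisation rather than replacing it, so a PF_RANDOMIZE task gets both offsets. That is fine for entropy, but the combined offset must still leave the mapping region below `TASK_SIZE`, which again rests on the bound on `delta_mmap` chosen outside this hunk.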
49454 +diff -urNp linux-2.6.24.5/arch/x86/mm/numa_64.c linux-2.6.24.5/arch/x86/mm/numa_64.c
49455 +--- linux-2.6.24.5/arch/x86/mm/numa_64.c 2008-03-24 14:49:18.000000000 -0400
49456 ++++ linux-2.6.24.5/arch/x86/mm/numa_64.c 2008-03-26 20:21:08.000000000 -0400
49457 +@@ -19,7 +19,7 @@
49458 + #include <asm/acpi.h>
49459 +
49460 + #ifndef Dprintk
49461 +-#define Dprintk(x...)
49462 ++#define Dprintk(x...) do {} while (0)
49463 + #endif
49464 +
49465 + struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
49466 +diff -urNp linux-2.6.24.5/arch/x86/mm/pageattr_32.c linux-2.6.24.5/arch/x86/mm/pageattr_32.c
49467 +--- linux-2.6.24.5/arch/x86/mm/pageattr_32.c 2008-03-24 14:49:18.000000000 -0400
49468 ++++ linux-2.6.24.5/arch/x86/mm/pageattr_32.c 2008-03-26 20:21:08.000000000 -0400
49469 +@@ -13,6 +13,7 @@
49470 + #include <asm/tlbflush.h>
49471 + #include <asm/pgalloc.h>
49472 + #include <asm/sections.h>
49473 ++#include <asm/desc.h>
49474 +
49475 + static DEFINE_SPINLOCK(cpa_lock);
49476 + static struct list_head df_list = LIST_HEAD_INIT(df_list);
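Review bot: nothing in the visible hunks of `pageattr_32.c` calls a descriptor-table function; if `<asm/desc.h>` is only needed because `ktla_ktva()` is defined there, a comment should say so, otherwise the include can be dropped.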
49477 +@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
49478 + }
49479 +
49480 + static struct page *split_large_page(unsigned long address, pgprot_t prot,
49481 +- pgprot_t ref_prot)
49482 ++ pgprot_t ref_prot, unsigned long flags)
49483 + {
49484 + int i;
49485 + unsigned long addr;
49486 + struct page *base;
49487 + pte_t *pbase;
49488 +
49489 +- spin_unlock_irq(&cpa_lock);
49490 ++ spin_unlock_irqrestore(&cpa_lock, flags);
49491 + base = alloc_pages(GFP_KERNEL, 0);
49492 +- spin_lock_irq(&cpa_lock);
49493 ++ spin_lock_irqsave(&cpa_lock, flags);
49494 + if (!base)
49495 + return NULL;
49496 +
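Review bot: replacing `spin_unlock_irq`/`spin_lock_irq` with the `irqrestore`/`irqsave` pair fixes a real problem: the old code unconditionally enabled interrupts around `alloc_pages()` even when `change_page_attr` had been entered with them disabled. Note that `flags` is passed by value, so the state saved by the inner `spin_lock_irqsave` is discarded on return; that is harmless here because the caller's `flags` (saved at the outer `spin_lock_irqsave`) describes the same interrupt state, but a comment would stop someone from "fixing" it by taking `flags` by pointer.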
49497 +@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
49498 + struct page *page;
49499 + unsigned long flags;
49500 +
49501 ++#ifdef CONFIG_PAX_KERNEXEC
49502 ++ unsigned long cr0;
49503 ++
49504 ++ pax_open_kernel(cr0);
49505 ++#endif
49506 ++
49507 + set_pte_atomic(kpte, pte); /* change init_mm */
49508 ++
49509 ++#ifdef CONFIG_PAX_KERNEXEC
49510 ++ pax_close_kernel(cr0);
49511 ++#endif
49512 ++
49513 + if (SHARED_KERNEL_PMD)
49514 + return;
49515 +
49516 +@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
49517 + pte_t *linear;
49518 +
49519 + ref_prot =
49520 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
49521 ++ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
49522 + ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
49523 +
49524 + linear = (pte_t *)
49525 +@@ -143,7 +155,7 @@ static inline void save_page(struct page
49526 + }
49527 +
49528 + static int
49529 +-__change_page_attr(struct page *page, pgprot_t prot)
49530 ++__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
49531 + {
49532 + pte_t *kpte;
49533 + unsigned long address;
49534 +@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
49535 + struct page *split;
49536 +
49537 + ref_prot =
49538 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
49539 ++ ((address & LARGE_PAGE_MASK) < ktla_ktva((unsigned long)&_etext))
49540 + ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
49541 +- split = split_large_page(address, prot, ref_prot);
49542 ++ split = split_large_page(address, prot, ref_prot, flags);
49543 + if (!split)
49544 + return -ENOMEM;
49545 +- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
49546 +- kpte_page = split;
49547 ++ if (pte_huge(*kpte)) {
49548 ++ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
49549 ++ kpte_page = split;
49550 ++ } else {
49551 ++ __free_pages(split, 0);
49552 ++ kpte = lookup_address(address);
49553 ++ kpte_page = virt_to_page(kpte);
49554 ++ set_pte_atomic(kpte, mk_pte(page, prot));
49555 ++ }
49556 + }
49557 + page_private(kpte_page)++;
49558 + } else if (!pte_huge(*kpte)) {
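Review bot: the `if (pte_huge(*kpte)) ... else` added after `split_large_page` handles the race where another CPU split the same large page while `cpa_lock` was dropped inside `split_large_page`: the freshly allocated split page is freed, `kpte` is looked up again and the single pte is set directly. The `page_private(kpte_page)++` that follows then applies to both arms, consistent with the existing non-huge path below. One question: after the re-lookup `kpte_page = virt_to_page(kpte)` is used without the sanity checks the original lookup passed through; if those matter, repeat them here.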
49559 +@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
49560 +
49561 + spin_lock_irqsave(&cpa_lock, flags);
49562 + for (i = 0; i < numpages; i++, page++) {
49563 +- err = __change_page_attr(page, prot);
49564 ++ err = __change_page_attr(page, prot, flags);
49565 + if (err)
49566 + break;
49567 + }
49568 +diff -urNp linux-2.6.24.5/arch/x86/mm/pageattr_64.c linux-2.6.24.5/arch/x86/mm/pageattr_64.c
49569 +--- linux-2.6.24.5/arch/x86/mm/pageattr_64.c 2008-03-24 14:49:18.000000000 -0400
49570 ++++ linux-2.6.24.5/arch/x86/mm/pageattr_64.c 2008-03-26 20:21:08.000000000 -0400
49571 +@@ -110,6 +110,10 @@ static void revert_page(unsigned long ad
49572 + pte_t large_pte;
49573 + unsigned long pfn;
49574 +
49575 ++#ifdef CONFIG_PAX_KERNEXEC
49576 ++ unsigned long cr0;
49577 ++#endif
49578 ++
49579 + pgd = pgd_offset_k(address);
49580 + BUG_ON(pgd_none(*pgd));
49581 + pud = pud_offset(pgd,address);
49582 +@@ -119,8 +123,18 @@ static void revert_page(unsigned long ad
49583 + pfn = (__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT;
49584 + large_pte = pfn_pte(pfn, ref_prot);
49585 + large_pte = pte_mkhuge(large_pte);
49586 ++
49587 ++#ifdef CONFIG_PAX_KERNEXEC
49588 ++ pax_open_kernel(cr0);
49589 ++#endif
49590 ++
49591 + set_pte((pte_t *)pmd, large_pte);
49592 +-}
49593 ++
49594 ++#ifdef CONFIG_PAX_KERNEXEC
49595 ++ pax_close_kernel(cr0);
49596 ++#endif
49597 ++
49598 ++}
49599 +
49600 + static int
49601 + __change_page_attr(unsigned long address, unsigned long pfn, pgprot_t prot,
49602 +@@ -136,22 +150,36 @@ __change_page_attr(unsigned long address
49603 + BUG_ON(PageLRU(kpte_page));
49604 + BUG_ON(PageCompound(kpte_page));
49605 + if (pgprot_val(prot) != pgprot_val(ref_prot)) {
49606 +- if (!pte_huge(*kpte)) {
49607 +- set_pte(kpte, pfn_pte(pfn, prot));
49608 +- } else {
49609 ++ if (pte_huge(*kpte)) {
49610 + /*
49611 + * split_large_page will take the reference for this
49612 + * change_page_attr on the split page.
49613 + */
49614 + struct page *split;
49615 ++
49616 ++#ifdef CONFIG_PAX_KERNEXEC
49617 ++ unsigned long cr0;
49618 ++#endif
49619 ++
49620 + ref_prot2 = pte_pgprot(pte_clrhuge(*kpte));
49621 + split = split_large_page(address, prot, ref_prot2);
49622 + if (!split)
49623 + return -ENOMEM;
49624 + pgprot_val(ref_prot2) &= ~_PAGE_NX;
49625 ++
49626 ++#ifdef CONFIG_PAX_KERNEXEC
49627 ++ pax_open_kernel(cr0);
49628 ++#endif
49629 ++
49630 + set_pte(kpte, mk_pte(split, ref_prot2));
49631 ++
49632 ++#ifdef CONFIG_PAX_KERNEXEC
49633 ++ pax_close_kernel(cr0);
49634 ++#endif
49635 ++
49636 + kpte_page = split;
49637 +- }
49638 ++ } else
49639 ++ set_pte(kpte, pfn_pte(pfn, prot));
49640 + page_private(kpte_page)++;
49641 + } else if (!pte_huge(*kpte)) {
49642 + set_pte(kpte, pfn_pte(pfn, ref_prot));
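Review bot: the restructured `if (pte_huge(*kpte)) { ... } else set_pte(kpte, pfn_pte(pfn, prot));` ends a multi-line braced block with a brace-less `else` body, while the rest of this function braces both arms; please brace it for consistency. The `cr0` local is correctly scoped to the block that opens and closes the kernel, and the open/close pair brackets only the single `set_pte`, which keeps the WP-disabled window minimal.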
49643 +diff -urNp linux-2.6.24.5/arch/x86/mm/pgtable_32.c linux-2.6.24.5/arch/x86/mm/pgtable_32.c
49644 +--- linux-2.6.24.5/arch/x86/mm/pgtable_32.c 2008-03-24 14:49:18.000000000 -0400
49645 ++++ linux-2.6.24.5/arch/x86/mm/pgtable_32.c 2008-03-26 20:21:08.000000000 -0400
49646 +@@ -83,6 +83,10 @@ static void set_pte_pfn(unsigned long va
49647 + pmd_t *pmd;
49648 + pte_t *pte;
49649 +
49650 ++#ifdef CONFIG_PAX_KERNEXEC
49651 ++ unsigned long cr0;
49652 ++#endif
49653 ++
49654 + pgd = swapper_pg_dir + pgd_index(vaddr);
49655 + if (pgd_none(*pgd)) {
49656 + BUG();
49657 +@@ -99,11 +103,20 @@ static void set_pte_pfn(unsigned long va
49658 + return;
49659 + }
49660 + pte = pte_offset_kernel(pmd, vaddr);
49661 ++
49662 ++#ifdef CONFIG_PAX_KERNEXEC
49663 ++ pax_open_kernel(cr0);
49664 ++#endif
49665 ++
49666 + if (pgprot_val(flags))
49667 + set_pte_present(&init_mm, vaddr, pte, pfn_pte(pfn, flags));
49668 + else
49669 + pte_clear(&init_mm, vaddr, pte);
49670 +
49671 ++#ifdef CONFIG_PAX_KERNEXEC
49672 ++ pax_close_kernel(cr0);
49673 ++#endif
49674 ++
49675 + /*
49676 + * It's enough to flush this one mapping.
49677 + * (PGE mappings get flushed as well)
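Review bot: the write window is correctly limited to the two pte stores, but the `#ifdef CONFIG_PAX_KERNEXEC` / `unsigned long cr0;` / pax_open_kernel() / pax_close_kernel() / `#endif` sequence is pasted verbatim into every call site in this patch, with the declaration in one hunk and the open/close in another. A helper pair that expands to nothing when KERNEXEC is off (hypothetically `pax_kernel_write_begin(cr0)` / `pax_kernel_write_end(cr0)`, names to taste) would remove the #ifdef triplets from the call sites and make an unbalanced open/close impossible to miss in review.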
49678 +diff -urNp linux-2.6.24.5/arch/x86/oprofile/backtrace.c linux-2.6.24.5/arch/x86/oprofile/backtrace.c
49679 +--- linux-2.6.24.5/arch/x86/oprofile/backtrace.c 2008-03-24 14:49:18.000000000 -0400
49680 ++++ linux-2.6.24.5/arch/x86/oprofile/backtrace.c 2008-03-26 20:21:08.000000000 -0400
49681 +@@ -37,7 +37,7 @@ static void backtrace_address(void *data
49682 + unsigned int *depth = data;
49683 +
49684 + if ((*depth)--)
49685 +- oprofile_add_trace(addr);
49686 ++ oprofile_add_trace(ktla_ktva(addr));
49687 + }
49688 +
49689 + static struct stacktrace_ops backtrace_ops = {
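Review bot: ktla_ktva() is applied to every address handed to backtrace_address(), including frames in module text. If the KERNEXEC linear-to-virtual adjustment is only valid for the core kernel image, module frames come out shifted in the profile; either ktla_ktva() must be the identity outside the kernel text range or the call needs a range check. A one-line comment stating which of the two holds would settle it.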
49690 +@@ -79,7 +79,7 @@ x86_backtrace(struct pt_regs * const reg
49691 + struct frame_head *head = (struct frame_head *)frame_pointer(regs);
49692 + unsigned long stack = stack_pointer(regs);
49693 +
49694 +- if (!user_mode_vm(regs)) {
49695 ++ if (!user_mode(regs)) {
49696 + if (depth)
49697 + dump_trace(NULL, regs, (unsigned long *)stack,
49698 + &backtrace_ops, &depth);
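Review bot: replacing user_mode_vm() with user_mode() drops the VM86 case. For a vm86 task's regs the real-mode CS carries no meaningful RPL, so user_mode() can report kernel mode and dump_trace() then walks a user-controlled stack pointer as if it were a kernel stack. If the intent is that vm86 is unavailable under this configuration, make the substitution conditional on that option rather than unconditional, or keep user_mode_vm().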
49699 +diff -urNp linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c
49700 +--- linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c 2008-03-24 14:49:18.000000000 -0400
49701 ++++ linux-2.6.24.5/arch/x86/oprofile/op_model_p4.c 2008-03-26 20:21:08.000000000 -0400
49702 +@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
49703 + #endif
49704 + }
49705 +
49706 +-static int inline addr_increment(void)
49707 ++static inline int addr_increment(void)
49708 + {
49709 + #ifdef CONFIG_SMP
49710 + return smp_num_siblings == 2 ? 2 : 1;
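Review bot: `static int inline` to `static inline int` is a pure specifier-order cleanup with no behaviour change; fine to keep, but it (and the identical edit in tbfadt.c further down) belongs in a separate cleanup patch rather than in the hardening patch, where it only adds review noise.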
49711 +diff -urNp linux-2.6.24.5/arch/x86/pci/common.c linux-2.6.24.5/arch/x86/pci/common.c
49712 +--- linux-2.6.24.5/arch/x86/pci/common.c 2008-03-24 14:49:18.000000000 -0400
49713 ++++ linux-2.6.24.5/arch/x86/pci/common.c 2008-03-26 20:21:08.000000000 -0400
49714 +@@ -331,7 +331,7 @@ static struct dmi_system_id __devinitdat
49715 + DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
49716 + },
49717 + },
49718 +- {}
49719 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
49720 + };
49721 +
49722 + struct pci_bus * __devinit pcibios_scan_root(int busnum)
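Review bot: the explicit terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` is positional and therefore tied to the current field order of struct dmi_system_id (callback, ident, matches, driver_data); the same replacement recurs in fixup.c, irq.c, processor_idle.c, sleep/main.c and ata_piix.c. If the goal is to silence -Wmissing-field-initializers, a designated `{ .ident = NULL }` is warning-free, survives field reordering, and still stops dmi_check_system(), which terminates on a NULL ident.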
49723 +diff -urNp linux-2.6.24.5/arch/x86/pci/early.c linux-2.6.24.5/arch/x86/pci/early.c
49724 +--- linux-2.6.24.5/arch/x86/pci/early.c 2008-03-24 14:49:18.000000000 -0400
49725 ++++ linux-2.6.24.5/arch/x86/pci/early.c 2008-03-26 20:21:08.000000000 -0400
49726 +@@ -7,7 +7,7 @@
49727 + /* Direct PCI access. This is used for PCI accesses in early boot before
49728 + the PCI subsystem works. */
49729 +
49730 +-#define PDprintk(x...)
49731 ++#define PDprintk(x...) do {} while (0)
49732 +
49733 + u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
49734 + {
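Review bot: `do {} while (0)` is the right form for an empty statement-like macro; with the old empty expansion an `if (x) PDprintk(...); else ...` would silently bind the else to the wrong branch. The one consequence is that any use of PDprintk in expression context now fails to compile, which is acceptable for a debug print.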
49735 +diff -urNp linux-2.6.24.5/arch/x86/pci/fixup.c linux-2.6.24.5/arch/x86/pci/fixup.c
49736 +--- linux-2.6.24.5/arch/x86/pci/fixup.c 2008-03-24 14:49:18.000000000 -0400
49737 ++++ linux-2.6.24.5/arch/x86/pci/fixup.c 2008-03-26 20:21:08.000000000 -0400
49738 +@@ -362,7 +362,7 @@ static struct dmi_system_id __devinitdat
49739 + DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
49740 + },
49741 + },
49742 +- {}
49743 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49744 + };
49745 +
49746 + /*
49747 +@@ -433,7 +433,7 @@ static struct dmi_system_id __devinitdat
49748 + DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
49749 + },
49750 + },
49751 +- { }
49752 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49753 + };
49754 +
49755 + static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
49756 +diff -urNp linux-2.6.24.5/arch/x86/pci/irq.c linux-2.6.24.5/arch/x86/pci/irq.c
49757 +--- linux-2.6.24.5/arch/x86/pci/irq.c 2008-03-24 14:49:18.000000000 -0400
49758 ++++ linux-2.6.24.5/arch/x86/pci/irq.c 2008-03-26 20:21:08.000000000 -0400
49759 +@@ -528,7 +528,7 @@ static __init int intel_router_probe(str
49760 + static struct pci_device_id __initdata pirq_440gx[] = {
49761 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
49762 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
49763 +- { },
49764 ++ { PCI_DEVICE(0, 0) }
49765 + };
49766 +
49767 + /* 440GX has a proprietary PIRQ router -- don't use it */
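Review bot: `{ PCI_DEVICE(0, 0) }` is not a valid terminator for a pci_device_id table. PCI_DEVICE() sets .subvendor and .subdevice to PCI_ANY_ID, and the table walkers (pci_match_id() and pci_dev_present(), the latter being what pirq_440gx is used with) loop `while (ids->vendor || ids->subvendor || ids->class_mask)`, so they step past this entry into whatever follows the array. Use the all-zero form this patch uses for the ahci and ata_piix tables, `{ 0, 0, 0, 0, 0, 0, 0 }`, or a designated `{ .vendor = 0 }`.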
49768 +@@ -1090,7 +1090,7 @@ static struct dmi_system_id __initdata p
49769 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
49770 + },
49771 + },
49772 +- { }
49773 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
49774 + };
49775 +
49776 + static int __init pcibios_irq_init(void)
49777 +diff -urNp linux-2.6.24.5/arch/x86/pci/pcbios.c linux-2.6.24.5/arch/x86/pci/pcbios.c
49778 +--- linux-2.6.24.5/arch/x86/pci/pcbios.c 2008-03-24 14:49:18.000000000 -0400
49779 ++++ linux-2.6.24.5/arch/x86/pci/pcbios.c 2008-03-26 20:21:08.000000000 -0400
49780 +@@ -57,50 +57,124 @@ union bios32 {
49781 + static struct {
49782 + unsigned long address;
49783 + unsigned short segment;
49784 +-} bios32_indirect = { 0, __KERNEL_CS };
49785 ++} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
49786 +
49787 + /*
49788 + * Returns the entry point for the given service, NULL on error
49789 + */
49790 +
49791 +-static unsigned long bios32_service(unsigned long service)
49792 ++static unsigned long __devinit bios32_service(unsigned long service)
49793 + {
49794 + unsigned char return_code; /* %al */
49795 + unsigned long address; /* %ebx */
49796 + unsigned long length; /* %ecx */
49797 + unsigned long entry; /* %edx */
49798 + unsigned long flags;
49799 ++ struct desc_struct *gdt;
49800 ++
49801 ++#ifdef CONFIG_PAX_KERNEXEC
49802 ++ unsigned long cr0;
49803 ++#endif
49804 +
49805 + local_irq_save(flags);
49806 +- __asm__("lcall *(%%edi); cld"
49807 ++
49808 ++ gdt = get_cpu_gdt_table(smp_processor_id());
49809 ++
49810 ++#ifdef CONFIG_PAX_KERNEXEC
49811 ++ pax_open_kernel(cr0);
49812 ++#endif
49813 ++
49814 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
49815 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
49816 ++ 0UL, 0xFFFFFUL, 0x9B, 0xC);
49817 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
49818 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
49819 ++ 0UL, 0xFFFFFUL, 0x93, 0xC);
49820 ++
49821 ++#ifdef CONFIG_PAX_KERNEXEC
49822 ++ pax_close_kernel(cr0);
49823 ++#endif
49824 ++
49825 ++ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
49826 + : "=a" (return_code),
49827 + "=b" (address),
49828 + "=c" (length),
49829 + "=d" (entry)
49830 + : "0" (service),
49831 + "1" (0),
49832 +- "D" (&bios32_indirect));
49833 ++ "D" (&bios32_indirect),
49834 ++ "r"(__PCIBIOS_DS)
49835 ++ : "memory");
49836 ++
49837 ++#ifdef CONFIG_PAX_KERNEXEC
49838 ++ pax_open_kernel(cr0);
49839 ++#endif
49840 ++
49841 ++ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
49842 ++ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
49843 ++ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
49844 ++ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
49845 ++
49846 ++#ifdef CONFIG_PAX_KERNEXEC
49847 ++ pax_close_kernel(cr0);
49848 ++#endif
49849 ++
49850 + local_irq_restore(flags);
49851 +
49852 + switch (return_code) {
49853 +- case 0:
49854 +- return address + entry;
49855 +- case 0x80: /* Not present */
49856 +- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
49857 +- return 0;
49858 +- default: /* Shouldn't happen */
49859 +- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
49860 +- service, return_code);
49861 ++ case 0: {
49862 ++ int cpu;
49863 ++ unsigned char flags;
49864 ++
49865 ++ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
49866 ++ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
49867 ++ printk(KERN_WARNING "bios32_service: not valid\n");
49868 + return 0;
49869 ++ }
49870 ++ address = address + PAGE_OFFSET;
49871 ++ length += 16UL; /* some BIOSs underreport this... */
49872 ++ flags = 4;
49873 ++ if (length >= 64*1024*1024) {
49874 ++ length >>= PAGE_SHIFT;
49875 ++ flags |= 8;
49876 ++ }
49877 ++
49878 ++#ifdef CONFIG_PAX_KERNEXEC
49879 ++ pax_open_kernel(cr0);
49880 ++#endif
49881 ++
49882 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
49883 ++ gdt = get_cpu_gdt_table(cpu);
49884 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
49885 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
49886 ++ address, length, 0x9b, flags);
49887 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
49888 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
49889 ++ address, length, 0x93, flags);
49890 ++ }
49891 ++
49892 ++#ifdef CONFIG_PAX_KERNEXEC
49893 ++ pax_close_kernel(cr0);
49894 ++#endif
49895 ++
49896 ++ return entry;
49897 ++ }
49898 ++ case 0x80: /* Not present */
49899 ++ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
49900 ++ return 0;
49901 ++ default: /* Shouldn't happen */
49902 ++ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
49903 ++ service, return_code);
49904 ++ return 0;
49905 + }
49906 + }
49907 +
49908 + static struct {
49909 + unsigned long address;
49910 + unsigned short segment;
49911 +-} pci_indirect = { 0, __KERNEL_CS };
49912 ++} pci_indirect __read_only = { 0, __PCIBIOS_CS };
49913 +
49914 +-static int pci_bios_present;
49915 ++static int pci_bios_present __read_only;
49916 +
49917 + static int __devinit check_pcibios(void)
49918 + {
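Review bot: in the `case 0:` block the GDT of every slot from 0 to NR_CPUS-1 is written (`for (cpu = 0; cpu < NR_CPUS; cpu++) { gdt = get_cpu_gdt_table(cpu); ...`), including CPUs that are not possible or present; their per-cpu areas are not set up, so those writes land in the per-cpu template or in memory that was never allocated for them. Iterate with for_each_possible_cpu(cpu) instead. Two smaller points in the same hunk: the new `unsigned char flags;` inside `case 0:` shadows the outer `unsigned long flags` used by local_irq_save()/local_irq_restore() (rename it, e.g. `desc_flags`); and the first call is still `lcall *(%%edi)` with DS already switched to __PCIBIOS_DS, which only works because that temporary descriptor is flat (base 0, limit 0xFFFFF pages), whereas every later call site uses `lcall *%%ss:(%%edi)`. Use the explicit `%%ss:` override here too so the code does not depend on that detail.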
49919 +@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
49920 + unsigned long flags, pcibios_entry;
49921 +
49922 + if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
49923 +- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
49924 ++ pci_indirect.address = pcibios_entry;
49925 +
49926 + local_irq_save(flags);
49927 +- __asm__(
49928 +- "lcall *(%%edi); cld\n\t"
49929 ++ __asm__("movw %w6, %%ds\n\t"
49930 ++ "lcall *%%ss:(%%edi); cld\n\t"
49931 ++ "push %%ss\n\t"
49932 ++ "pop %%ds\n\t"
49933 + "jc 1f\n\t"
49934 + "xor %%ah, %%ah\n"
49935 + "1:"
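Review bot: `pci_indirect` became `__read_only` in the previous hunk, yet this hunk stores to it, `pci_indirect.address = pcibios_entry;`, with no pax_open_kernel()/pax_close_kernel() around the store. If `.data.read_only` is already write-protected when check_pcibios() runs, this faults; if the section is only sealed after init, put a comment next to the store saying so, because nothing here makes that ordering visible to the reader.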
49936 +@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
49937 + "=b" (ebx),
49938 + "=c" (ecx)
49939 + : "1" (PCIBIOS_PCI_BIOS_PRESENT),
49940 +- "D" (&pci_indirect)
49941 ++ "D" (&pci_indirect),
49942 ++ "r" (__PCIBIOS_DS)
49943 + : "memory");
49944 + local_irq_restore(flags);
49945 +
49946 +@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
49947 + unsigned short bx;
49948 + unsigned short ret;
49949 +
49950 +- __asm__("lcall *(%%edi); cld\n\t"
49951 ++ __asm__("movw %w7, %%ds\n\t"
49952 ++ "lcall *%%ss:(%%edi); cld\n\t"
49953 ++ "push %%ss\n\t"
49954 ++ "pop %%ds\n\t"
49955 + "jc 1f\n\t"
49956 + "xor %%ah, %%ah\n"
49957 + "1:"
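Review bot: the four-instruction prologue/epilogue (`movw %wN, %%ds` / `lcall *%%ss:(...)` / `push %%ss` / `pop %%ds`) is copied by hand into every PCI BIOS call in this file, with the operand number N adjusted per site (%w6, %w7, %w8, %w5). A single wrong N loads DS from an arbitrary operand and is not caught by the compiler. Factor the instruction string into one macro taking the operand index as a parameter, and add a comment at its definition explaining that the BIOS is entered with DS limited to the BIOS image and SS used to reach the kernel's own data.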
49958 +@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
49959 + "c" (device_id),
49960 + "d" (vendor),
49961 + "S" ((int) index),
49962 +- "D" (&pci_indirect));
49963 ++ "D" (&pci_indirect),
49964 ++ "r" (__PCIBIOS_DS));
49965 + *bus = (bx >> 8) & 0xff;
49966 + *device_fn = bx & 0xff;
49967 + return (int) (ret & 0xff00) >> 8;
49968 +@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
49969 +
49970 + switch (len) {
49971 + case 1:
49972 +- __asm__("lcall *(%%esi); cld\n\t"
49973 ++ __asm__("movw %w6, %%ds\n\t"
49974 ++ "lcall *%%ss:(%%esi); cld\n\t"
49975 ++ "push %%ss\n\t"
49976 ++ "pop %%ds\n\t"
49977 + "jc 1f\n\t"
49978 + "xor %%ah, %%ah\n"
49979 + "1:"
49980 +@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
49981 + : "1" (PCIBIOS_READ_CONFIG_BYTE),
49982 + "b" (bx),
49983 + "D" ((long)reg),
49984 +- "S" (&pci_indirect));
49985 ++ "S" (&pci_indirect),
49986 ++ "r" (__PCIBIOS_DS));
49987 + break;
49988 + case 2:
49989 +- __asm__("lcall *(%%esi); cld\n\t"
49990 ++ __asm__("movw %w6, %%ds\n\t"
49991 ++ "lcall *%%ss:(%%esi); cld\n\t"
49992 ++ "push %%ss\n\t"
49993 ++ "pop %%ds\n\t"
49994 + "jc 1f\n\t"
49995 + "xor %%ah, %%ah\n"
49996 + "1:"
49997 +@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
49998 + : "1" (PCIBIOS_READ_CONFIG_WORD),
49999 + "b" (bx),
50000 + "D" ((long)reg),
50001 +- "S" (&pci_indirect));
50002 ++ "S" (&pci_indirect),
50003 ++ "r" (__PCIBIOS_DS));
50004 + break;
50005 + case 4:
50006 +- __asm__("lcall *(%%esi); cld\n\t"
50007 ++ __asm__("movw %w6, %%ds\n\t"
50008 ++ "lcall *%%ss:(%%esi); cld\n\t"
50009 ++ "push %%ss\n\t"
50010 ++ "pop %%ds\n\t"
50011 + "jc 1f\n\t"
50012 + "xor %%ah, %%ah\n"
50013 + "1:"
50014 +@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
50015 + : "1" (PCIBIOS_READ_CONFIG_DWORD),
50016 + "b" (bx),
50017 + "D" ((long)reg),
50018 +- "S" (&pci_indirect));
50019 ++ "S" (&pci_indirect),
50020 ++ "r" (__PCIBIOS_DS));
50021 + break;
50022 + }
50023 +
50024 +@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
50025 +
50026 + switch (len) {
50027 + case 1:
50028 +- __asm__("lcall *(%%esi); cld\n\t"
50029 ++ __asm__("movw %w6, %%ds\n\t"
50030 ++ "lcall *%%ss:(%%esi); cld\n\t"
50031 ++ "push %%ss\n\t"
50032 ++ "pop %%ds\n\t"
50033 + "jc 1f\n\t"
50034 + "xor %%ah, %%ah\n"
50035 + "1:"
50036 +@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
50037 + "c" (value),
50038 + "b" (bx),
50039 + "D" ((long)reg),
50040 +- "S" (&pci_indirect));
50041 ++ "S" (&pci_indirect),
50042 ++ "r" (__PCIBIOS_DS));
50043 + break;
50044 + case 2:
50045 +- __asm__("lcall *(%%esi); cld\n\t"
50046 ++ __asm__("movw %w6, %%ds\n\t"
50047 ++ "lcall *%%ss:(%%esi); cld\n\t"
50048 ++ "push %%ss\n\t"
50049 ++ "pop %%ds\n\t"
50050 + "jc 1f\n\t"
50051 + "xor %%ah, %%ah\n"
50052 + "1:"
50053 +@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
50054 + "c" (value),
50055 + "b" (bx),
50056 + "D" ((long)reg),
50057 +- "S" (&pci_indirect));
50058 ++ "S" (&pci_indirect),
50059 ++ "r" (__PCIBIOS_DS));
50060 + break;
50061 + case 4:
50062 +- __asm__("lcall *(%%esi); cld\n\t"
50063 ++ __asm__("movw %w6, %%ds\n\t"
50064 ++ "lcall *%%ss:(%%esi); cld\n\t"
50065 ++ "push %%ss\n\t"
50066 ++ "pop %%ds\n\t"
50067 + "jc 1f\n\t"
50068 + "xor %%ah, %%ah\n"
50069 + "1:"
50070 +@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
50071 + "c" (value),
50072 + "b" (bx),
50073 + "D" ((long)reg),
50074 +- "S" (&pci_indirect));
50075 ++ "S" (&pci_indirect),
50076 ++ "r" (__PCIBIOS_DS));
50077 + break;
50078 + }
50079 +
50080 +@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
50081 +
50082 + DBG("PCI: Fetching IRQ routing table... ");
50083 + __asm__("push %%es\n\t"
50084 ++ "movw %w8, %%ds\n\t"
50085 + "push %%ds\n\t"
50086 + "pop %%es\n\t"
50087 +- "lcall *(%%esi); cld\n\t"
50088 ++ "lcall *%%ss:(%%esi); cld\n\t"
50089 + "pop %%es\n\t"
50090 ++ "push %%ss\n\t"
50091 ++ "pop %%ds\n"
50092 + "jc 1f\n\t"
50093 + "xor %%ah, %%ah\n"
50094 + "1:"
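Review bot: verify the ES base here. `movw %w8, %%ds` / `push %%ds` / `pop %%es` now loads ES with __PCIBIOS_DS, whose descriptor (packed in bios32_service() with base set to the BIOS image address) is not flat, while `"D" ((long) &opt)` still passes a flat kernel address for the ES:DI buffer that the routing-options call writes through. Unless the descriptor base is 0 by the time this runs, ES:EDI no longer addresses `opt` and the call will fault or write elsewhere. This path is only taken when the BIOS routing scan is enabled (pci=biosirq), so it will not be exercised by a default boot and needs explicit testing.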
50095 +@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
50096 + "1" (0),
50097 + "D" ((long) &opt),
50098 + "S" (&pci_indirect),
50099 +- "m" (opt)
50100 ++ "m" (opt),
50101 ++ "r" (__PCIBIOS_DS)
50102 + : "memory");
50103 + DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
50104 + if (ret & 0xff00)
50105 +@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
50106 + {
50107 + int ret;
50108 +
50109 +- __asm__("lcall *(%%esi); cld\n\t"
50110 ++ __asm__("movw %w5, %%ds\n\t"
50111 ++ "lcall *%%ss:(%%esi); cld\n\t"
50112 ++ "push %%ss\n\t"
50113 ++ "pop %%ds\n"
50114 + "jc 1f\n\t"
50115 + "xor %%ah, %%ah\n"
50116 + "1:"
50117 +@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
50118 + : "0" (PCIBIOS_SET_PCI_HW_INT),
50119 + "b" ((dev->bus->number << 8) | dev->devfn),
50120 + "c" ((irq << 8) | (pin + 10)),
50121 +- "S" (&pci_indirect));
50122 ++ "S" (&pci_indirect),
50123 ++ "r" (__PCIBIOS_DS));
50124 + return !(ret & 0xff00);
50125 + }
50126 + EXPORT_SYMBOL(pcibios_set_irq_routing);
50127 +diff -urNp linux-2.6.24.5/arch/x86/power/cpu.c linux-2.6.24.5/arch/x86/power/cpu.c
50128 +--- linux-2.6.24.5/arch/x86/power/cpu.c 2008-03-24 14:49:18.000000000 -0400
50129 ++++ linux-2.6.24.5/arch/x86/power/cpu.c 2008-03-26 20:21:08.000000000 -0400
50130 +@@ -64,10 +64,20 @@ static void do_fpu_end(void)
50131 + static void fix_processor_context(void)
50132 + {
50133 + int cpu = smp_processor_id();
50134 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
50135 ++ struct tss_struct *t = init_tss + cpu;
50136 ++
50137 ++#ifdef CONFIG_PAX_KERNEXEC
50138 ++ unsigned long cr0;
50139 ++
50140 ++ pax_open_kernel(cr0);
50141 ++#endif
50142 +
50143 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
50144 +
50145 ++#ifdef CONFIG_PAX_KERNEXEC
50146 ++ pax_close_kernel(cr0);
50147 ++#endif
50148 ++
50149 + load_TR_desc(); /* This does ltr */
50150 + load_LDT(&current->active_mm->context); /* This does lldt */
50151 +
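Review bot: keep the `cr0` declaration with the other locals and the pax_open_kernel() call after them; here one `#ifdef CONFIG_PAX_KERNEXEC` block both declares `cr0` and opens the window, separated from `t` by a blank line, which reads as code before declarations at first glance. The window itself is as small as it can be (set_tss_desc() is the only GDT write). The change from `&per_cpu(init_tss, cpu)` to `init_tss + cpu` relies on init_tss having become a plain array elsewhere in this patch; mention that dependency in the changelog.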
50152 +diff -urNp linux-2.6.24.5/arch/x86/vdso/vma.c linux-2.6.24.5/arch/x86/vdso/vma.c
50153 +--- linux-2.6.24.5/arch/x86/vdso/vma.c 2008-03-24 14:49:18.000000000 -0400
50154 ++++ linux-2.6.24.5/arch/x86/vdso/vma.c 2008-03-26 20:21:08.000000000 -0400
50155 +@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
50156 + if (ret)
50157 + goto up_fail;
50158 +
50159 +- current->mm->context.vdso = (void *)addr;
50160 ++ current->mm->context.vdso = addr;
50161 + up_fail:
50162 + up_write(&mm->mmap_sem);
50163 + return ret;
50164 +diff -urNp linux-2.6.24.5/arch/x86/xen/enlighten.c linux-2.6.24.5/arch/x86/xen/enlighten.c
50165 +--- linux-2.6.24.5/arch/x86/xen/enlighten.c 2008-04-17 20:05:17.000000000 -0400
50166 ++++ linux-2.6.24.5/arch/x86/xen/enlighten.c 2008-04-17 20:05:01.000000000 -0400
50167 +@@ -300,7 +300,7 @@ static void xen_set_ldt(const void *addr
50168 + static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
50169 + {
50170 + unsigned long *frames;
50171 +- unsigned long va = dtr->address;
50172 ++ unsigned long va = (unsigned long)dtr->address;
50173 + unsigned int size = dtr->size + 1;
50174 + unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
50175 + int f;
50176 +@@ -315,7 +315,7 @@ static void xen_load_gdt(const struct Xg
50177 + mcs = xen_mc_entry(sizeof(*frames) * pages);
50178 + frames = mcs.args;
50179 +
50180 +- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
50181 ++ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
50182 + frames[f] = virt_to_mfn(va);
50183 + make_lowmem_page_readonly((void *)va);
50184 + }
50185 +@@ -409,7 +409,7 @@ static void xen_write_idt_entry(struct d
50186 +
50187 + preempt_disable();
50188 +
50189 +- start = __get_cpu_var(idt_desc).address;
50190 ++ start = (unsigned long)__get_cpu_var(idt_desc).address;
50191 + end = start + __get_cpu_var(idt_desc).size + 1;
50192 +
50193 + xen_mc_flush();
50194 +diff -urNp linux-2.6.24.5/arch/x86/xen/smp.c linux-2.6.24.5/arch/x86/xen/smp.c
50195 +--- linux-2.6.24.5/arch/x86/xen/smp.c 2008-03-24 14:49:18.000000000 -0400
50196 ++++ linux-2.6.24.5/arch/x86/xen/smp.c 2008-03-26 20:21:08.000000000 -0400
50197 +@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
50198 +
50199 + /* We've switched to the "real" per-cpu gdt, so make sure the
50200 + old memory can be recycled */
50201 +- make_lowmem_page_readwrite(&per_cpu__gdt_page);
50202 ++ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
50203 +
50204 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
50205 + cpus_clear(per_cpu(cpu_sibling_map, cpu));
50206 +@@ -208,7 +208,7 @@ static __cpuinit int
50207 + cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
50208 + {
50209 + struct vcpu_guest_context *ctxt;
50210 +- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
50211 ++ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
50212 +
50213 + if (cpu_test_and_set(cpu, cpu_initialized_map))
50214 + return 0;
50215 +@@ -218,8 +218,8 @@ cpu_initialize_context(unsigned int cpu,
50216 + return -ENOMEM;
50217 +
50218 + ctxt->flags = VGCF_IN_KERNEL;
50219 +- ctxt->user_regs.ds = __USER_DS;
50220 +- ctxt->user_regs.es = __USER_DS;
50221 ++ ctxt->user_regs.ds = __KERNEL_DS;
50222 ++ ctxt->user_regs.es = __KERNEL_DS;
50223 + ctxt->user_regs.fs = __KERNEL_PERCPU;
50224 + ctxt->user_regs.gs = 0;
50225 + ctxt->user_regs.ss = __KERNEL_DS;
50226 +@@ -232,11 +232,11 @@ cpu_initialize_context(unsigned int cpu,
50227 +
50228 + ctxt->ldt_ents = 0;
50229 +
50230 +- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
50231 +- make_lowmem_page_readonly(gdt->gdt);
50232 ++ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
50233 ++ make_lowmem_page_readonly(gdt);
50234 +
50235 +- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
50236 +- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
50237 ++ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
50238 ++ ctxt->gdt_ents = GDT_ENTRIES;
50239 +
50240 + ctxt->user_regs.cs = __KERNEL_CS;
50241 + ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
50242 +diff -urNp linux-2.6.24.5/crypto/async_tx/async_tx.c linux-2.6.24.5/crypto/async_tx/async_tx.c
50243 +--- linux-2.6.24.5/crypto/async_tx/async_tx.c 2008-03-24 14:49:18.000000000 -0400
50244 ++++ linux-2.6.24.5/crypto/async_tx/async_tx.c 2008-03-26 20:21:08.000000000 -0400
50245 +@@ -342,8 +342,8 @@ async_tx_init(void)
50246 + err:
50247 + printk(KERN_ERR "async_tx: initialization failure\n");
50248 +
50249 +- while (--cap >= 0)
50250 +- free_percpu(channel_table[cap]);
50251 ++ while (cap)
50252 ++ free_percpu(channel_table[--cap]);
50253 +
50254 + return 1;
50255 + }
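Review bot: good catch, assuming `cap` is the enum dma_transaction_type loop variable (not visible in the hunk): GCC gives such an enum an unsigned type, so the old `while (--cap >= 0)` never terminates and indexes channel_table[] below zero on the error path; `while (cap) free_percpu(channel_table[--cap]);` is the correct rewrite. This is a generic bug rather than a hardening change and should be sent upstream on its own.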
50256 +diff -urNp linux-2.6.24.5/crypto/lrw.c linux-2.6.24.5/crypto/lrw.c
50257 +--- linux-2.6.24.5/crypto/lrw.c 2008-03-24 14:49:18.000000000 -0400
50258 ++++ linux-2.6.24.5/crypto/lrw.c 2008-03-26 20:21:08.000000000 -0400
50259 +@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
50260 + struct priv *ctx = crypto_tfm_ctx(parent);
50261 + struct crypto_cipher *child = ctx->child;
50262 + int err, i;
50263 +- be128 tmp = { 0 };
50264 ++ be128 tmp = { 0, 0 };
50265 + int bsize = crypto_cipher_blocksize(child);
50266 +
50267 + crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
50268 +diff -urNp linux-2.6.24.5/Documentation/dontdiff linux-2.6.24.5/Documentation/dontdiff
50269 +--- linux-2.6.24.5/Documentation/dontdiff 2008-03-24 14:49:18.000000000 -0400
50270 ++++ linux-2.6.24.5/Documentation/dontdiff 2008-03-26 20:21:08.000000000 -0400
50271 +@@ -3,6 +3,7 @@
50272 + *.bin
50273 + *.cpio
50274 + *.css
50275 ++*.dbg
50276 + *.dvi
50277 + *.eps
50278 + *.gif
50279 +@@ -183,11 +184,14 @@ version.h*
50280 + vmlinux
50281 + vmlinux-*
50282 + vmlinux.aout
50283 +-vmlinux*.lds*
50284 ++vmlinux.bin.all
50285 ++vmlinux*.lds
50286 ++vmlinux.relocs
50287 + vmlinux*.scr
50288 +-vsyscall.lds
50289 ++vsyscall*.lds
50290 + wanxlfw.inc
50291 + uImage
50292 + unifdef
50293 ++utsrelease.h
50294 + zImage*
50295 + zconf.hash.c
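Review bot: narrowing `vmlinux*.lds*` to `vmlinux*.lds` changes which files diff skips: the old pattern also hid the linker-script sources (vmlinux.lds.S), which are real tree files a patch should show. State that in the changelog, since dontdiff edits are easy to dismiss as noise. The added `*.dbg`, `vmlinux.bin.all`, `vmlinux.relocs` and `utsrelease.h` entries are all build outputs and fine.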
50296 +diff -urNp linux-2.6.24.5/drivers/acpi/blacklist.c linux-2.6.24.5/drivers/acpi/blacklist.c
50297 +--- linux-2.6.24.5/drivers/acpi/blacklist.c 2008-03-24 14:49:18.000000000 -0400
50298 ++++ linux-2.6.24.5/drivers/acpi/blacklist.c 2008-03-26 20:21:08.000000000 -0400
50299 +@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
50300 + {"ASUS\0\0", "P2B-S ", 0, ACPI_SIG_DSDT, all_versions,
50301 + "Bogus PCI routing", 1},
50302 +
50303 +- {""}
50304 ++ {"", "", 0, 0, 0, all_versions, 0}
50305 + };
50306 +
50307 + #if CONFIG_ACPI_BLACKLIST_YEAR
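Review bot: the positional terminator `{"", "", 0, 0, 0, all_versions, 0}` does not line up with the field order shown by the entry just above it (`..., 0, ACPI_SIG_DSDT, all_versions, "Bogus PCI routing", 1}`): `all_versions` lands in the `reason` (char *) slot and the predicate slot gets a plain 0. It compiles only because all_versions is 0, and the table walk only tests oem_id[0], so it is harmless today; still, write it as `{"", "", 0, NULL, all_versions, NULL, 0}` or with designated initializers so the intent is readable.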
50308 +diff -urNp linux-2.6.24.5/drivers/acpi/osl.c linux-2.6.24.5/drivers/acpi/osl.c
50309 +--- linux-2.6.24.5/drivers/acpi/osl.c 2008-03-24 14:49:18.000000000 -0400
50310 ++++ linux-2.6.24.5/drivers/acpi/osl.c 2008-03-26 20:21:08.000000000 -0400
50311 +@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
50312 + void __iomem *virt_addr;
50313 +
50314 + virt_addr = ioremap(phys_addr, width);
50315 ++ if (!virt_addr)
50316 ++ return AE_NO_MEMORY;
50317 + if (!value)
50318 + value = &dummy;
50319 +
50320 +@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
50321 + void __iomem *virt_addr;
50322 +
50323 + virt_addr = ioremap(phys_addr, width);
50324 ++ if (!virt_addr)
50325 ++ return AE_NO_MEMORY;
50326 +
50327 + switch (width) {
50328 + case 8:
50329 +@@ -520,7 +524,7 @@ acpi_os_write_memory(acpi_physical_addre
50330 +
50331 + acpi_status
50332 + acpi_os_read_pci_configuration(struct acpi_pci_id * pci_id, u32 reg,
50333 +- void *value, u32 width)
50334 ++ u32 *value, u32 width)
50335 + {
50336 + int result, size;
50337 +
50338 +@@ -592,7 +596,7 @@ static void acpi_os_derive_pci_id_2(acpi
50339 + acpi_status status;
50340 + unsigned long temp;
50341 + acpi_object_type type;
50342 +- u8 tu8;
50343 ++ u32 tu8;
50344 +
50345 + acpi_get_parent(chandle, &handle);
50346 + if (handle != rhandle) {
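Review bot: `tu8` is now a u32 but keeps its u8-derived name; rename it (e.g. `val`) so the next reader does not "fix" it back. The widening matters beyond warning cleanup: raw_pci_ops->read() stores a full u32 through `value` (the direct-access backend does `*value = inb(...)` for a 1-byte read), so with the old `void *value` prototype a `u8 tu8` target was being overrun on the stack by three bytes. Call that out in the changelog; this fix, like the two ioremap() NULL checks in the first hunks of this file, is worth upstreaming separately.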
50347 +diff -urNp linux-2.6.24.5/drivers/acpi/processor_core.c linux-2.6.24.5/drivers/acpi/processor_core.c
50348 +--- linux-2.6.24.5/drivers/acpi/processor_core.c 2008-04-17 20:05:17.000000000 -0400
50349 ++++ linux-2.6.24.5/drivers/acpi/processor_core.c 2008-04-17 20:05:01.000000000 -0400
50350 +@@ -632,7 +632,7 @@ static int __cpuinit acpi_processor_star
50351 + return 0;
50352 + }
50353 +
50354 +- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
50355 ++ BUG_ON(pr->id >= nr_cpu_ids);
50356 +
50357 + /*
50358 + * Buggy BIOS check
50359 +diff -urNp linux-2.6.24.5/drivers/acpi/processor_idle.c linux-2.6.24.5/drivers/acpi/processor_idle.c
50360 +--- linux-2.6.24.5/drivers/acpi/processor_idle.c 2008-03-24 14:49:18.000000000 -0400
50361 ++++ linux-2.6.24.5/drivers/acpi/processor_idle.c 2008-03-26 20:21:08.000000000 -0400
50362 +@@ -178,7 +178,7 @@ static struct dmi_system_id __cpuinitdat
50363 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
50364 + DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
50365 + (void *)2},
50366 +- {},
50367 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
50368 + };
50369 +
50370 + static inline u32 ticks_elapsed(u32 t1, u32 t2)
50371 +diff -urNp linux-2.6.24.5/drivers/acpi/sleep/main.c linux-2.6.24.5/drivers/acpi/sleep/main.c
50372 +--- linux-2.6.24.5/drivers/acpi/sleep/main.c 2008-03-24 14:49:18.000000000 -0400
50373 ++++ linux-2.6.24.5/drivers/acpi/sleep/main.c 2008-03-26 20:21:08.000000000 -0400
50374 +@@ -224,7 +224,7 @@ static struct dmi_system_id __initdata a
50375 + .ident = "Toshiba Satellite 4030cdt",
50376 + .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
50377 + },
50378 +- {},
50379 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
50380 + };
50381 + #endif /* CONFIG_SUSPEND */
50382 +
50383 +diff -urNp linux-2.6.24.5/drivers/acpi/tables/tbfadt.c linux-2.6.24.5/drivers/acpi/tables/tbfadt.c
50384 +--- linux-2.6.24.5/drivers/acpi/tables/tbfadt.c 2008-03-24 14:49:18.000000000 -0400
50385 ++++ linux-2.6.24.5/drivers/acpi/tables/tbfadt.c 2008-03-26 20:21:08.000000000 -0400
50386 +@@ -48,7 +48,7 @@
50387 + ACPI_MODULE_NAME("tbfadt")
50388 +
50389 + /* Local prototypes */
50390 +-static void inline
50391 ++static inline void
50392 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
50393 + u8 bit_width, u64 address);
50394 +
50395 +@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
50396 + *
50397 + ******************************************************************************/
50398 +
50399 +-static void inline
50400 ++static inline void
50401 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
50402 + u8 bit_width, u64 address)
50403 + {
50404 +diff -urNp linux-2.6.24.5/drivers/acpi/tables/tbxface.c linux-2.6.24.5/drivers/acpi/tables/tbxface.c
50405 +--- linux-2.6.24.5/drivers/acpi/tables/tbxface.c 2008-03-24 14:49:18.000000000 -0400
50406 ++++ linux-2.6.24.5/drivers/acpi/tables/tbxface.c 2008-03-26 20:21:08.000000000 -0400
50407 +@@ -540,7 +540,7 @@ static acpi_status acpi_tb_load_namespac
50408 + acpi_tb_print_table_header(0, table);
50409 +
50410 + if (no_auto_ssdt == 0) {
50411 +- printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"");
50412 ++ printk(KERN_WARNING "ACPI: DSDT override uses original SSDTs unless \"acpi_no_auto_ssdt\"\n");
50413 + }
50414 + }
50415 +
50416 +diff -urNp linux-2.6.24.5/drivers/ata/ahci.c linux-2.6.24.5/drivers/ata/ahci.c
50417 +--- linux-2.6.24.5/drivers/ata/ahci.c 2008-03-24 14:49:18.000000000 -0400
50418 ++++ linux-2.6.24.5/drivers/ata/ahci.c 2008-03-26 20:21:08.000000000 -0400
50419 +@@ -563,7 +563,7 @@ static const struct pci_device_id ahci_p
50420 + { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
50421 + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
50422 +
50423 +- { } /* terminate list */
50424 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
50425 + };
50426 +
50427 +
50428 +diff -urNp linux-2.6.24.5/drivers/ata/ata_piix.c linux-2.6.24.5/drivers/ata/ata_piix.c
50429 +--- linux-2.6.24.5/drivers/ata/ata_piix.c 2008-03-24 14:49:18.000000000 -0400
50430 ++++ linux-2.6.24.5/drivers/ata/ata_piix.c 2008-03-26 20:21:08.000000000 -0400
50431 +@@ -264,7 +264,7 @@ static const struct pci_device_id piix_p
50432 + /* SATA Controller IDE (Tolapai) */
50433 + { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
50434 +
50435 +- { } /* terminate list */
50436 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
50437 + };
50438 +
50439 + static struct pci_driver piix_pci_driver = {
50440 +@@ -701,7 +701,7 @@ static const struct ich_laptop ich_lapto
50441 + { 0x27DF, 0x103C, 0x30A1 }, /* ICH7 on HP Compaq nc2400 */
50442 + { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
50443 + /* end marker */
50444 +- { 0, }
50445 ++ { 0, 0, 0 }
50446 + };
50447 +
50448 + /**
50449 +@@ -1097,7 +1097,7 @@ static int piix_broken_suspend(void)
50450 + },
50451 + },
50452 +
50453 +- { } /* terminate list */
50454 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
50455 + };
50456 + static const char *oemstrs[] = {
50457 + "Tecra M3,",
50458 +diff -urNp linux-2.6.24.5/drivers/ata/libata-core.c linux-2.6.24.5/drivers/ata/libata-core.c
50459 +--- linux-2.6.24.5/drivers/ata/libata-core.c 2008-04-17 20:05:17.000000000 -0400
50460 ++++ linux-2.6.24.5/drivers/ata/libata-core.c 2008-04-17 20:05:01.000000000 -0400
50461 +@@ -489,7 +489,7 @@ static const struct ata_xfer_ent {
50462 + { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
50463 + { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
50464 + { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
50465 +- { -1, },
50466 ++ { -1, 0, 0 },
50467 + };
50468 +
50469 + /**
50470 +@@ -2824,7 +2824,7 @@ static const struct ata_timing ata_timin
50471 +
50472 + /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
50473 +
50474 +- { 0xFF }
50475 ++ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
50476 + };
50477 +
50478 + #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
50479 +@@ -4188,7 +4188,7 @@ static const struct ata_blacklist_entry
50480 + { "TSSTcorp CDDVDW SH-S202N", "SB01", ATA_HORKAGE_IVB, },
50481 +
50482 + /* End Marker */
50483 +- { }
50484 ++ { NULL, NULL, 0 }
50485 + };
50486 +
50487 + static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
50488 +diff -urNp linux-2.6.24.5/drivers/char/agp/frontend.c linux-2.6.24.5/drivers/char/agp/frontend.c
50489 +--- linux-2.6.24.5/drivers/char/agp/frontend.c 2008-03-24 14:49:18.000000000 -0400
50490 ++++ linux-2.6.24.5/drivers/char/agp/frontend.c 2008-03-26 20:21:08.000000000 -0400
50491 +@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
50492 + if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
50493 + return -EFAULT;
50494 +
50495 +- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
50496 ++ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
50497 + return -EFAULT;
50498 +
50499 + client = agp_find_client_by_pid(reserve.pid);
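Review bot: the overflow guard now divides by sizeof(struct agp_segment_priv) instead of sizeof(struct agp_segment). seg_count is multiplied by both sizes downstream (the user-copy buffer of agp_segment and the kernel-side agp_segment_priv array), so the guard must use whichever struct is larger, and this change only helps if agp_segment_priv is the larger one. Either add a comment stating that, or check against both sizes so the guard does not depend on the relative layout of the two structs.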
50500 +diff -urNp linux-2.6.24.5/drivers/char/agp/intel-agp.c linux-2.6.24.5/drivers/char/agp/intel-agp.c
50501 +--- linux-2.6.24.5/drivers/char/agp/intel-agp.c 2008-03-24 14:49:18.000000000 -0400
50502 ++++ linux-2.6.24.5/drivers/char/agp/intel-agp.c 2008-03-26 20:21:08.000000000 -0400
50503 +@@ -2080,7 +2080,7 @@ static struct pci_device_id agp_intel_pc
50504 + ID(PCI_DEVICE_ID_INTEL_G33_HB),
50505 + ID(PCI_DEVICE_ID_INTEL_Q35_HB),
50506 + ID(PCI_DEVICE_ID_INTEL_Q33_HB),
50507 +- { }
50508 ++ { 0, 0, 0, 0, 0, 0, 0 }
50509 + };
50510 +
50511 + MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
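Review bot: the seven zeros match the seven members of struct pci_device_id (vendor, device, subvendor, subdevice, class, class_mask, driver_data), so the terminator is equivalent to the previous { } and only exists to silence a missing-field-initializer warning; the same rewrite is repeated in every pci_device_id, ieee1394_device_id, serio_device_id and dmi_system_id table below and, as far as is visible here, with the right arity each time. Spelling the field count out by hand in dozens of tables is a maintenance burden: one terminator macro per id type, defined beside the struct in its header (a hypothetical PCI_ID_TERMINATOR, for example), would fix the warning once and cannot get out of step when a struct changes.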
50512 +diff -urNp linux-2.6.24.5/drivers/char/drm/drm_pciids.h linux-2.6.24.5/drivers/char/drm/drm_pciids.h
50513 +--- linux-2.6.24.5/drivers/char/drm/drm_pciids.h 2008-03-24 14:49:18.000000000 -0400
50514 ++++ linux-2.6.24.5/drivers/char/drm/drm_pciids.h 2008-03-26 20:21:08.000000000 -0400
50515 +@@ -249,7 +249,7 @@
50516 + {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50517 + {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50518 + {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50519 +- {0, 0, 0}
50520 ++ {0, 0, 0, 0, 0, 0, 0 }
50521 +
50522 + #define i830_PCI_IDS \
50523 + {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
50524 +diff -urNp linux-2.6.24.5/drivers/char/hpet.c linux-2.6.24.5/drivers/char/hpet.c
50525 +--- linux-2.6.24.5/drivers/char/hpet.c 2008-03-24 14:49:18.000000000 -0400
50526 ++++ linux-2.6.24.5/drivers/char/hpet.c 2008-03-26 20:21:08.000000000 -0400
50527 +@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
50528 + },
50529 + };
50530 +
50531 +-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
50532 ++static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
50533 +
50534 + static int __init hpet_init(void)
50535 + {
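Review bot: the positional initializer now spells out every member of struct miscdevice ({NULL, NULL} for the list head, then parent and this_device), which silences the warning but breaks silently if the struct ever gains or reorders a field. Designated initializers (.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops) avoid both the warning and the fragility; the same applies to the nvram_dev and psaux_mouse hunks further down.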
50536 +diff -urNp linux-2.6.24.5/drivers/char/keyboard.c linux-2.6.24.5/drivers/char/keyboard.c
50537 +--- linux-2.6.24.5/drivers/char/keyboard.c 2008-03-24 14:49:18.000000000 -0400
50538 ++++ linux-2.6.24.5/drivers/char/keyboard.c 2008-03-26 20:21:08.000000000 -0400
50539 +@@ -631,6 +631,16 @@ static void k_spec(struct vc_data *vc, u
50540 + kbd->kbdmode == VC_MEDIUMRAW) &&
50541 + value != KVAL(K_SAK))
50542 + return; /* SAK is allowed even in raw mode */
50543 ++
50544 ++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50545 ++ {
50546 ++ void *func = fn_handler[value];
50547 ++ if (func == fn_show_state || func == fn_show_ptregs ||
50548 ++ func == fn_show_mem)
50549 ++ return;
50550 ++ }
50551 ++#endif
50552 ++
50553 + fn_handler[value](vc);
50554 + }
50555 +
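Review bot: the new block has no comment saying why fn_show_state, fn_show_ptregs and fn_show_mem are filtered or what ties the filter to CONFIG_GRKERNSEC_PROC / CONFIG_GRKERNSEC_PROC_MEMMAP; add a line stating that these console key handlers print task state, register contents and memory layout to the console and are suppressed for the same reason those options restrict /proc. The silent return also drops the key with no trace; if that is intended, say so, otherwise a rate-limited log line would let an administrator see the attempt. Minor: func is declared void * and compared against function pointers, which relies on the GNU extension allowing that conversion; declaring it with the fn_handler element type avoids it.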
50556 +@@ -1385,7 +1395,7 @@ static const struct input_device_id kbd_
50557 + .evbit = { BIT_MASK(EV_SND) },
50558 + },
50559 +
50560 +- { }, /* Terminating entry */
50561 ++ { 0 }, /* Terminating entry */
50562 + };
50563 +
50564 + MODULE_DEVICE_TABLE(input, kbd_ids);
50565 +diff -urNp linux-2.6.24.5/drivers/char/mem.c linux-2.6.24.5/drivers/char/mem.c
50566 +--- linux-2.6.24.5/drivers/char/mem.c 2008-03-24 14:49:18.000000000 -0400
50567 ++++ linux-2.6.24.5/drivers/char/mem.c 2008-03-26 20:21:08.000000000 -0400
50568 +@@ -26,6 +26,7 @@
50569 + #include <linux/bootmem.h>
50570 + #include <linux/splice.h>
50571 + #include <linux/pfn.h>
50572 ++#include <linux/grsecurity.h>
50573 +
50574 + #include <asm/uaccess.h>
50575 + #include <asm/io.h>
50576 +@@ -34,6 +35,10 @@
50577 + # include <linux/efi.h>
50578 + #endif
50579 +
50580 ++#ifdef CONFIG_GRKERNSEC
50581 ++extern struct file_operations grsec_fops;
50582 ++#endif
50583 ++
50584 + /*
50585 + * Architectures vary in how they handle caching for addresses
50586 + * outside of main memory.
50587 +@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
50588 + if (!valid_phys_addr_range(p, count))
50589 + return -EFAULT;
50590 +
50591 ++#ifdef CONFIG_GRKERNSEC_KMEM
50592 ++ gr_handle_mem_write();
50593 ++ return -EPERM;
50594 ++#endif
50595 ++
50596 + written = 0;
50597 +
50598 + #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
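Review bot: with CONFIG_GRKERNSEC_KMEM set, the unconditional return -EPERM makes the rest of write_mem unreachable, so the compiler will warn and the assignments below (written = 0 and onwards) become dead code under that configuration; an #else around the original body, or an early return before any locals are set, keeps the build warning-free. Note also that the guard sits after valid_phys_addr_range(), so a caller is told -EFAULT for an out-of-range address and -EPERM otherwise; moving the gr_handle_mem_write() check to the top would make the refusal independent of the address and the return code uniform.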
50599 +@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
50600 + if (!private_mapping_ok(vma))
50601 + return -ENOSYS;
50602 +
50603 ++#ifdef CONFIG_GRKERNSEC_KMEM
50604 ++ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
50605 ++ return -EPERM;
50606 ++#endif
50607 ++
50608 + vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
50609 + size,
50610 + vma->vm_page_prot);
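Review bot: vma->vm_pgoff << PAGE_SHIFT is evaluated in unsigned long, so on a 32-bit kernel with PAE any physical offset at or above 4 GiB is truncated before gr_handle_mem_mmap() ever sees it; pass vm_pgoff (a page frame number) and compare frames in the callee, or widen the shift to a 64-bit type, so the check covers the whole physical address space. The placement itself is right: the hook runs after private_mapping_ok() and before vm_page_prot is set, so a refused mapping leaves no state behind.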
50611 +@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
50612 + ssize_t written;
50613 + char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
50614 +
50615 ++#ifdef CONFIG_GRKERNSEC_KMEM
50616 ++ gr_handle_kmem_write();
50617 ++ return -EPERM;
50618 ++#endif
50619 ++
50620 + if (p < (unsigned long) high_memory) {
50621 +
50622 + wrote = count;
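Review bot: as in write_mem, the unconditional return -EPERM under CONFIG_GRKERNSEC_KMEM leaves the declarations above it (written, kbuf) unused and everything below unreachable, which will produce compiler warnings; wrap the original body in #else or return before the declarations. Since this refuses /dev/kmem writes even to a CAP_SYS_RAWIO holder, the Kconfig help text for GRKERNSEC_KMEM should state that explicitly so administrators know the capability no longer suffices.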
50623 +@@ -714,6 +734,16 @@ static loff_t memory_lseek(struct file *
50624 +
50625 + static int open_port(struct inode * inode, struct file * filp)
50626 + {
50627 ++#ifdef CONFIG_GRKERNSEC_KMEM
50628 ++ gr_handle_open_port();
50629 ++ return -EPERM;
50630 ++#endif
50631 ++
50632 ++ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
50633 ++}
50634 ++
50635 ++static int open_mem(struct inode * inode, struct file * filp)
50636 ++{
50637 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
50638 + }
50639 +
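Review bot: in open_port the return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; after #endif is unreachable whenever CONFIG_GRKERNSEC_KMEM is set; use #else so the capability check is the alternative branch instead of dead code. Splitting open_mem into its own function is the right move, because open_kmem and open_oldmem are still aliased to open_mem in the next hunk and would otherwise inherit the blanket -EPERM meant for /dev/port; a short comment above the two functions stating that difference would help the next reader.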
50640 +@@ -721,7 +751,6 @@ static int open_port(struct inode * inod
50641 + #define full_lseek null_lseek
50642 + #define write_zero write_null
50643 + #define read_full read_zero
50644 +-#define open_mem open_port
50645 + #define open_kmem open_mem
50646 + #define open_oldmem open_mem
50647 +
50648 +@@ -854,6 +883,11 @@ static int memory_open(struct inode * in
50649 + filp->f_op = &oldmem_fops;
50650 + break;
50651 + #endif
50652 ++#ifdef CONFIG_GRKERNSEC
50653 ++ case 13:
50654 ++ filp->f_op = &grsec_fops;
50655 ++ break;
50656 ++#endif
50657 + default:
50658 + return -ENXIO;
50659 + }
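Review bot: the minor number 13 is hard-coded here and again in the devlist table in the following hunk; give it a name next to the other minors this file uses (a hypothetical GRSEC_MINOR) so the two copies cannot drift apart. The extern struct file_operations grsec_fops declaration added earlier in this file should also live in a header, and the object should be const like the other fops tables in mem.c so it is placed in read-only data.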
50660 +@@ -886,6 +920,9 @@ static const struct {
50661 + #ifdef CONFIG_CRASH_DUMP
50662 + {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
50663 + #endif
50664 ++#ifdef CONFIG_GRKERNSEC
50665 ++ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
50666 ++#endif
50667 + };
50668 +
50669 + static struct class *mem_class;
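Review bot: the new node is created with mode S_IRUSR | S_IWUGO, i.e. world-writable, so the permission bits provide no protection at all and every access decision for /dev/grsec has to be taken inside grsec_fops (its open and write handlers). That is defensible for a device whose writes are authenticated by the handler, but it needs a comment here stating that the mode is intentional and that the fops enforce access, so a later reader neither "fixes" it to 0600 nor assumes it is a typo; and confirm that the write handler authenticates every request on its own, since any user can open and write the node from the moment it appears.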
50670 +diff -urNp linux-2.6.24.5/drivers/char/nvram.c linux-2.6.24.5/drivers/char/nvram.c
50671 +--- linux-2.6.24.5/drivers/char/nvram.c 2008-03-24 14:49:18.000000000 -0400
50672 ++++ linux-2.6.24.5/drivers/char/nvram.c 2008-03-26 20:21:08.000000000 -0400
50673 +@@ -430,7 +430,10 @@ static const struct file_operations nvra
50674 + static struct miscdevice nvram_dev = {
50675 + NVRAM_MINOR,
50676 + "nvram",
50677 +- &nvram_fops
50678 ++ &nvram_fops,
50679 ++ {NULL, NULL},
50680 ++ NULL,
50681 ++ NULL
50682 + };
50683 +
50684 + static int __init
50685 +diff -urNp linux-2.6.24.5/drivers/char/random.c linux-2.6.24.5/drivers/char/random.c
50686 +--- linux-2.6.24.5/drivers/char/random.c 2008-03-24 14:49:18.000000000 -0400
50687 ++++ linux-2.6.24.5/drivers/char/random.c 2008-03-26 20:21:08.000000000 -0400
50688 +@@ -248,8 +248,13 @@
50689 + /*
50690 + * Configuration information
50691 + */
50692 ++#ifdef CONFIG_GRKERNSEC_RANDNET
50693 ++#define INPUT_POOL_WORDS 512
50694 ++#define OUTPUT_POOL_WORDS 128
50695 ++#else
50696 + #define INPUT_POOL_WORDS 128
50697 + #define OUTPUT_POOL_WORDS 32
50698 ++#endif
50699 + #define SEC_XFER_SIZE 512
50700 +
50701 + /*
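Review bot: changing INPUT_POOL_WORDS to 512 and OUTPUT_POOL_WORDS to 128 is only complete together with the poolinfo_table hunk below, because the pools reference that table by position rather than by word count, so the table's first two entries must describe pools of exactly these sizes; a comment next to the new values pointing at that dependency would prevent someone changing one without the other. Also check that SEC_XFER_SIZE (left at 512) and the sysctl bounds derived from these macros still make sense with an input pool four times the original size.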
50702 +@@ -286,10 +291,17 @@ static struct poolinfo {
50703 + int poolwords;
50704 + int tap1, tap2, tap3, tap4, tap5;
50705 + } poolinfo_table[] = {
50706 ++#ifdef CONFIG_GRKERNSEC_RANDNET
50707 ++ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
50708 ++ { 512, 411, 308, 208, 104, 1 },
50709 ++ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
50710 ++ { 128, 103, 76, 51, 25, 1 },
50711 ++#else
50712 + /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
50713 + { 128, 103, 76, 51, 25, 1 },
50714 + /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
50715 + { 32, 26, 20, 14, 7, 1 },
50716 ++#endif
50717 + #if 0
50718 + /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
50719 + { 2048, 1638, 1231, 819, 411, 1 },
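Review bot: the 512-word entry introduces a new polynomial (x^512 + x^411 + x^308 + x^208 + x^104 + x + 1) with no stated source; the entries in this table are meant to be primitive polynomials over GF(2) so that the twisted-GFSR mixing function has full period, so record where this one was taken from or how it was verified, otherwise the period guarantee cannot be checked. The 128-word entry is duplicated in both branches of the #ifdef; since the pools are selected by table index, keep the order but hoist the common 128-word line out of the conditional and only switch the 512-word and 32-word lines.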
50720 +@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
50721 + #include <linux/sysctl.h>
50722 +
50723 + static int min_read_thresh = 8, min_write_thresh;
50724 +-static int max_read_thresh = INPUT_POOL_WORDS * 32;
50725 ++static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
50726 + static int max_write_thresh = INPUT_POOL_WORDS * 32;
50727 + static char sysctl_bootid[16];
50728 +
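Review bot: the changelog should explain why the ceiling on the read wakeup threshold now follows OUTPUT_POOL_WORDS * 32 while the write threshold keeps INPUT_POOL_WORDS * 32; the blocking pool that /dev/random readers consume holds OUTPUT_POOL_WORDS * 32 bits, so a wakeup threshold larger than that is not meaningful, but that reasoning is not visible in the hunk. This tightening is independent of CONFIG_GRKERNSEC_RANDNET and applies to stock kernels, so it deserves its own line in the patch description.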
50729 +diff -urNp linux-2.6.24.5/drivers/char/vt_ioctl.c linux-2.6.24.5/drivers/char/vt_ioctl.c
50730 +--- linux-2.6.24.5/drivers/char/vt_ioctl.c 2008-03-24 14:49:18.000000000 -0400
50731 ++++ linux-2.6.24.5/drivers/char/vt_ioctl.c 2008-03-26 20:21:08.000000000 -0400
50732 +@@ -96,6 +96,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
50733 + case KDSKBENT:
50734 + if (!perm)
50735 + return -EPERM;
50736 ++
50737 ++#ifdef CONFIG_GRKERNSEC
50738 ++ if (!capable(CAP_SYS_TTY_CONFIG))
50739 ++ return -EPERM;
50740 ++#endif
50741 ++
50742 + if (!i && v == K_NOSUCHMAP) {
50743 + /* deallocate map */
50744 + key_map = key_maps[s];
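Review bot: the added capable(CAP_SYS_TTY_CONFIG) test tightens the existing perm check, which already passes for the owner of the console, so it changes who may redefine keymap entries; say so in a comment and in the Kconfig help, since unprivileged users who ran loadkeys on their own VT will now get EPERM. The test is correctly placed before key_maps is touched, and KDGKBENT (read) is left alone; if that asymmetry is intended, a comment on the case label would document it.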
50745 +@@ -236,6 +242,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
50746 + goto reterr;
50747 + }
50748 +
50749 ++#ifdef CONFIG_GRKERNSEC
50750 ++ if (!capable(CAP_SYS_TTY_CONFIG)) {
50751 ++ ret = -EPERM;
50752 ++ goto reterr;
50753 ++ }
50754 ++#endif
50755 ++
50756 + q = func_table[i];
50757 + first_free = funcbufptr + (funcbufsize - funcbufleft);
50758 + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
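Review bot: the same policy (owner is not enough, CAP_SYS_TTY_CONFIG required) is now duplicated under two separate #ifdef CONFIG_GRKERNSEC blocks in this file; a single small helper would keep it in one place and make the next tightening a one-line change. The placement is fine: the check follows the existing perm test in the set branch and exits through reterr like the surrounding error paths, so the buffer allocated at function entry is released.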
50759 +diff -urNp linux-2.6.24.5/drivers/edac/edac_core.h linux-2.6.24.5/drivers/edac/edac_core.h
50760 +--- linux-2.6.24.5/drivers/edac/edac_core.h 2008-03-24 14:49:18.000000000 -0400
50761 ++++ linux-2.6.24.5/drivers/edac/edac_core.h 2008-03-26 20:21:08.000000000 -0400
50762 +@@ -86,11 +86,11 @@ extern int edac_debug_level;
50763 +
50764 + #else /* !CONFIG_EDAC_DEBUG */
50765 +
50766 +-#define debugf0( ... )
50767 +-#define debugf1( ... )
50768 +-#define debugf2( ... )
50769 +-#define debugf3( ... )
50770 +-#define debugf4( ... )
50771 ++#define debugf0( ... ) do {} while (0)
50772 ++#define debugf1( ... ) do {} while (0)
50773 ++#define debugf2( ... ) do {} while (0)
50774 ++#define debugf3( ... ) do {} while (0)
50775 ++#define debugf4( ... ) do {} while (0)
50776 +
50777 + #endif /* !CONFIG_EDAC_DEBUG */
50778 +
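Review bot: good fix: an empty macro body turns if (x) debugf0(...); else ... into a dangling-else construct and leaves a stray ';' warning, and do {} while (0) restores the statement shape. The argument list is still discarded, so side effects inside debugf arguments are not evaluated in non-debug builds, same as before; worth keeping in mind when reading callers.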
50779 +diff -urNp linux-2.6.24.5/drivers/firmware/dmi_scan.c linux-2.6.24.5/drivers/firmware/dmi_scan.c
50780 +--- linux-2.6.24.5/drivers/firmware/dmi_scan.c 2008-04-17 20:05:17.000000000 -0400
50781 ++++ linux-2.6.24.5/drivers/firmware/dmi_scan.c 2008-04-17 20:05:01.000000000 -0400
50782 +@@ -318,21 +318,19 @@ void __init dmi_scan_machine(void)
50783 + }
50784 + }
50785 + else {
50786 +- /*
50787 +- * no iounmap() for that ioremap(); it would be a no-op, but
50788 +- * it's so early in setup that sucker gets confused into doing
50789 +- * what it shouldn't if we actually call it.
50790 +- */
50791 + p = dmi_ioremap(0xF0000, 0x10000);
50792 + if (p == NULL)
50793 + goto out;
50794 +
50795 + for (q = p; q < p + 0x10000; q += 16) {
50796 + rc = dmi_present(q);
50797 +- if (!rc) {
50798 +- dmi_available = 1;
50799 +- return;
50800 +- }
50801 ++ if (!rc)
50802 ++ break;
50803 ++ }
50804 ++ dmi_iounmap(p, 0x10000);
50805 ++ if (!rc) {
50806 ++ dmi_available = 1;
50807 ++ return;
50808 + }
50809 + }
50810 + out: printk(KERN_INFO "DMI not present or invalid.\n");
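Review bot: the removed comment explained that iounmap() on this mapping was deliberately skipped because it misbehaves this early in boot, and the new code now calls dmi_iounmap() on the same mapping; if dmi_iounmap() is the early-mapping helper to which that concern does not apply, state that in the changelog and in a replacement comment, otherwise this reintroduces the problem the comment warned about. Also, rc is read after the loop; it is assigned on every iteration so it is always initialised, but a reader has to work that out, so a short comment or an explicit found flag would make the unmap-then-decide sequence clearer.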
50811 +diff -urNp linux-2.6.24.5/drivers/hwmon/fscpos.c linux-2.6.24.5/drivers/hwmon/fscpos.c
50812 +--- linux-2.6.24.5/drivers/hwmon/fscpos.c 2008-03-24 14:49:18.000000000 -0400
50813 ++++ linux-2.6.24.5/drivers/hwmon/fscpos.c 2008-03-26 20:21:08.000000000 -0400
50814 +@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
50815 + unsigned long v = simple_strtoul(buf, NULL, 10);
50816 +
50817 + /* Range: 0..255 */
50818 +- if (v < 0) v = 0;
50819 + if (v > 255) v = 255;
50820 +
50821 + mutex_lock(&data->update_lock);
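Review bot: correct removal: v is an unsigned long returned by simple_strtoul(), so v < 0 can never be true and the clamp was dead code; the upper clamp at 255 still bounds the value written to the register.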
50822 +diff -urNp linux-2.6.24.5/drivers/hwmon/k8temp.c linux-2.6.24.5/drivers/hwmon/k8temp.c
50823 +--- linux-2.6.24.5/drivers/hwmon/k8temp.c 2008-03-24 14:49:18.000000000 -0400
50824 ++++ linux-2.6.24.5/drivers/hwmon/k8temp.c 2008-03-26 20:21:08.000000000 -0400
50825 +@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
50826 +
50827 + static struct pci_device_id k8temp_ids[] = {
50828 + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
50829 +- { 0 },
50830 ++ { 0, 0, 0, 0, 0, 0, 0 },
50831 + };
50832 +
50833 + MODULE_DEVICE_TABLE(pci, k8temp_ids);
50834 +diff -urNp linux-2.6.24.5/drivers/hwmon/sis5595.c linux-2.6.24.5/drivers/hwmon/sis5595.c
50835 +--- linux-2.6.24.5/drivers/hwmon/sis5595.c 2008-03-24 14:49:18.000000000 -0400
50836 ++++ linux-2.6.24.5/drivers/hwmon/sis5595.c 2008-03-26 20:21:08.000000000 -0400
50837 +@@ -698,7 +698,7 @@ static struct sis5595_data *sis5595_upda
50838 +
50839 + static struct pci_device_id sis5595_pci_ids[] = {
50840 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
50841 +- { 0, }
50842 ++ { 0, 0, 0, 0, 0, 0, 0 }
50843 + };
50844 +
50845 + MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
50846 +diff -urNp linux-2.6.24.5/drivers/hwmon/thmc50.c linux-2.6.24.5/drivers/hwmon/thmc50.c
50847 +--- linux-2.6.24.5/drivers/hwmon/thmc50.c 2008-03-24 14:49:18.000000000 -0400
50848 ++++ linux-2.6.24.5/drivers/hwmon/thmc50.c 2008-03-26 20:21:08.000000000 -0400
50849 +@@ -52,9 +52,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
50850 + */
50851 + #define THMC50_REG_INTR 0x41
50852 +
50853 +-const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
50854 +-const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
50855 +-const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
50856 ++static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
50857 ++static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
50858 ++static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
50859 +
50860 + #define THMC50_REG_CONF_nFANOFF 0x20
50861 +
50862 +diff -urNp linux-2.6.24.5/drivers/hwmon/via686a.c linux-2.6.24.5/drivers/hwmon/via686a.c
50863 +--- linux-2.6.24.5/drivers/hwmon/via686a.c 2008-03-24 14:49:18.000000000 -0400
50864 ++++ linux-2.6.24.5/drivers/hwmon/via686a.c 2008-03-26 20:21:08.000000000 -0400
50865 +@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
50866 +
50867 + static struct pci_device_id via686a_pci_ids[] = {
50868 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
50869 +- { 0, }
50870 ++ { 0, 0, 0, 0, 0, 0, 0 }
50871 + };
50872 +
50873 + MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
50874 +diff -urNp linux-2.6.24.5/drivers/hwmon/vt8231.c linux-2.6.24.5/drivers/hwmon/vt8231.c
50875 +--- linux-2.6.24.5/drivers/hwmon/vt8231.c 2008-03-24 14:49:18.000000000 -0400
50876 ++++ linux-2.6.24.5/drivers/hwmon/vt8231.c 2008-03-26 20:21:08.000000000 -0400
50877 +@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
50878 +
50879 + static struct pci_device_id vt8231_pci_ids[] = {
50880 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
50881 +- { 0, }
50882 ++ { 0, 0, 0, 0, 0, 0, 0 }
50883 + };
50884 +
50885 + MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
50886 +diff -urNp linux-2.6.24.5/drivers/hwmon/w83791d.c linux-2.6.24.5/drivers/hwmon/w83791d.c
50887 +--- linux-2.6.24.5/drivers/hwmon/w83791d.c 2008-03-24 14:49:18.000000000 -0400
50888 ++++ linux-2.6.24.5/drivers/hwmon/w83791d.c 2008-03-26 20:21:08.000000000 -0400
50889 +@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
50890 + static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
50891 + static int w83791d_detach_client(struct i2c_client *client);
50892 +
50893 +-static int w83791d_read(struct i2c_client *client, u8 register);
50894 +-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
50895 ++static int w83791d_read(struct i2c_client *client, u8 reg);
50896 ++static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
50897 + static struct w83791d_data *w83791d_update_device(struct device *dev);
50898 +
50899 + #ifdef DEBUG
50900 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c
50901 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c 2008-03-24 14:49:18.000000000 -0400
50902 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-i801.c 2008-03-26 20:21:08.000000000 -0400
50903 +@@ -545,7 +545,7 @@ static struct pci_device_id i801_ids[] =
50904 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
50905 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
50906 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TOLAPAI_1) },
50907 +- { 0, }
50908 ++ { 0, 0, 0, 0, 0, 0, 0 }
50909 + };
50910 +
50911 + MODULE_DEVICE_TABLE (pci, i801_ids);
50912 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c
50913 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c 2008-03-24 14:49:18.000000000 -0400
50914 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-i810.c 2008-03-26 20:21:08.000000000 -0400
50915 +@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
50916 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
50917 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
50918 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
50919 +- { 0, },
50920 ++ { 0, 0, 0, 0, 0, 0, 0 },
50921 + };
50922 +
50923 + MODULE_DEVICE_TABLE (pci, i810_ids);
50924 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c
50925 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c 2008-03-24 14:49:18.000000000 -0400
50926 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-piix4.c 2008-03-26 20:21:08.000000000 -0400
50927 +@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
50928 + .ident = "IBM",
50929 + .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
50930 + },
50931 +- { },
50932 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
50933 + };
50934 +
50935 + static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
50936 +@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
50937 + .driver_data = 3 },
50938 + { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
50939 + .driver_data = 0 },
50940 +- { 0, }
50941 ++ { 0, 0, 0, 0, 0, 0, 0 }
50942 + };
50943 +
50944 + MODULE_DEVICE_TABLE (pci, piix4_ids);
50945 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c
50946 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c 2008-03-24 14:49:18.000000000 -0400
50947 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-sis630.c 2008-03-26 20:21:08.000000000 -0400
50948 +@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
50949 + static struct pci_device_id sis630_ids[] __devinitdata = {
50950 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
50951 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
50952 +- { 0, }
50953 ++ { 0, 0, 0, 0, 0, 0, 0 }
50954 + };
50955 +
50956 + MODULE_DEVICE_TABLE (pci, sis630_ids);
50957 +diff -urNp linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c
50958 +--- linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c 2008-03-24 14:49:18.000000000 -0400
50959 ++++ linux-2.6.24.5/drivers/i2c/busses/i2c-sis96x.c 2008-03-26 20:21:08.000000000 -0400
50960 +@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
50961 +
50962 + static struct pci_device_id sis96x_ids[] = {
50963 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
50964 +- { 0, }
50965 ++ { 0, 0, 0, 0, 0, 0, 0 }
50966 + };
50967 +
50968 + MODULE_DEVICE_TABLE (pci, sis96x_ids);
50969 +diff -urNp linux-2.6.24.5/drivers/ide/ide-cd.c linux-2.6.24.5/drivers/ide/ide-cd.c
50970 +--- linux-2.6.24.5/drivers/ide/ide-cd.c 2008-03-24 14:49:18.000000000 -0400
50971 ++++ linux-2.6.24.5/drivers/ide/ide-cd.c 2008-03-26 20:21:08.000000000 -0400
50972 +@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
50973 + sector &= ~(bio_sectors -1);
50974 + valid = (sector - failed_command->sector) << 9;
50975 +
50976 +- if (valid < 0)
50977 +- valid = 0;
50978 + if (sector < get_capacity(info->disk) &&
50979 + drive->probed_capacity - sector < 4 * 75) {
50980 + set_capacity(info->disk, sector);
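Review bot: dropping the valid < 0 clamp is only a no-op if valid is unsigned in this function; the hunk does not show its declaration, so please confirm the type in the changelog. If it were signed, (sector - failed_command->sector) << 9 goes negative when the sense data reports a sector before the failed command, and the clamp was doing real work.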
50981 +diff -urNp linux-2.6.24.5/drivers/ieee1394/dv1394.c linux-2.6.24.5/drivers/ieee1394/dv1394.c
50982 +--- linux-2.6.24.5/drivers/ieee1394/dv1394.c 2008-03-24 14:49:18.000000000 -0400
50983 ++++ linux-2.6.24.5/drivers/ieee1394/dv1394.c 2008-03-26 20:21:08.000000000 -0400
50984 +@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
50985 + based upon DIF section and sequence
50986 + */
50987 +
50988 +-static void inline
50989 ++static inline void
50990 + frame_put_packet (struct frame *f, struct packet *p)
50991 + {
50992 + int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
50993 +@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
50994 + /* default SYT offset is 3 cycles */
50995 + init->syt_offset = 3;
50996 +
50997 +- if ( (init->channel > 63) || (init->channel < 0) )
50998 ++ if (init->channel > 63)
50999 + init->channel = 63;
51000 +
51001 + chan_mask = (u64)1 << init->channel;
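Review bot: removing init->channel < 0 is correct only if channel in struct dv1394_init is unsigned; the declaration is not in the hunk, so confirm it and note it. Separately, the remaining clamp silently maps any out-of-range value to channel 63 instead of rejecting it, so a user-space caller never learns its request was altered; returning -EINVAL would be the stricter behaviour, but that is a change to consider on its own.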
51002 +@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
51003 + .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
51004 + .version = AVC_SW_VERSION_ENTRY & 0xffffff
51005 + },
51006 +- { }
51007 ++ { 0, 0, 0, 0, 0, 0 }
51008 + };
51009 +
51010 + MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
51011 +diff -urNp linux-2.6.24.5/drivers/ieee1394/eth1394.c linux-2.6.24.5/drivers/ieee1394/eth1394.c
51012 +--- linux-2.6.24.5/drivers/ieee1394/eth1394.c 2008-03-24 14:49:18.000000000 -0400
51013 ++++ linux-2.6.24.5/drivers/ieee1394/eth1394.c 2008-03-26 20:21:08.000000000 -0400
51014 +@@ -451,7 +451,7 @@ static struct ieee1394_device_id eth1394
51015 + .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
51016 + .version = ETHER1394_GASP_VERSION,
51017 + },
51018 +- {}
51019 ++ { 0, 0, 0, 0, 0, 0 }
51020 + };
51021 +
51022 + MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
51023 +diff -urNp linux-2.6.24.5/drivers/ieee1394/hosts.c linux-2.6.24.5/drivers/ieee1394/hosts.c
51024 +--- linux-2.6.24.5/drivers/ieee1394/hosts.c 2008-03-24 14:49:18.000000000 -0400
51025 ++++ linux-2.6.24.5/drivers/ieee1394/hosts.c 2008-03-26 20:21:08.000000000 -0400
51026 +@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
51027 + }
51028 +
51029 + static struct hpsb_host_driver dummy_driver = {
51030 ++ .name = "dummy",
51031 + .transmit_packet = dummy_transmit_packet,
51032 + .devctl = dummy_devctl,
51033 + .isoctl = dummy_isoctl
51034 +diff -urNp linux-2.6.24.5/drivers/ieee1394/ohci1394.c linux-2.6.24.5/drivers/ieee1394/ohci1394.c
51035 +--- linux-2.6.24.5/drivers/ieee1394/ohci1394.c 2008-03-24 14:49:18.000000000 -0400
51036 ++++ linux-2.6.24.5/drivers/ieee1394/ohci1394.c 2008-03-26 20:21:08.000000000 -0400
51037 +@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
51038 + printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
51039 +
51040 + /* Module Parameters */
51041 +-static int phys_dma = 1;
51042 ++static int phys_dma;
51043 + module_param(phys_dma, int, 0444);
51044 +-MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
51045 ++MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
51046 +
51047 + static void dma_trm_tasklet(unsigned long data);
51048 + static void dma_trm_reset(struct dma_trm_ctx *d);
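Review bot: this is the one behaviour change in the ieee1394 hunks that users will notice and it deserves its own changelog line: with phys_dma defaulting to 0 the driver no longer enables physical DMA for remote nodes, so a device on the bus cannot read or write host memory without the driver's involvement (the DMA-over-FireWire exposure), but sbp2 and other users that relied on physical DMA for performance now have to pass phys_dma=1 explicitly. The MODULE_PARM_DESC text matches the new default; keep the two in sync if the default changes again.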
51049 +@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
51050 + .subvendor = PCI_ANY_ID,
51051 + .subdevice = PCI_ANY_ID,
51052 + },
51053 +- { 0, },
51054 ++ { 0, 0, 0, 0, 0, 0, 0 },
51055 + };
51056 +
51057 + MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
51058 +diff -urNp linux-2.6.24.5/drivers/ieee1394/raw1394.c linux-2.6.24.5/drivers/ieee1394/raw1394.c
51059 +--- linux-2.6.24.5/drivers/ieee1394/raw1394.c 2008-03-24 14:49:18.000000000 -0400
51060 ++++ linux-2.6.24.5/drivers/ieee1394/raw1394.c 2008-03-26 20:21:08.000000000 -0400
51061 +@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
51062 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
51063 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
51064 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
51065 +- {}
51066 ++ { 0, 0, 0, 0, 0, 0 }
51067 + };
51068 +
51069 + MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
51070 +diff -urNp linux-2.6.24.5/drivers/ieee1394/sbp2.c linux-2.6.24.5/drivers/ieee1394/sbp2.c
51071 +--- linux-2.6.24.5/drivers/ieee1394/sbp2.c 2008-03-24 14:49:18.000000000 -0400
51072 ++++ linux-2.6.24.5/drivers/ieee1394/sbp2.c 2008-03-26 20:21:08.000000000 -0400
51073 +@@ -274,7 +274,7 @@ static struct ieee1394_device_id sbp2_id
51074 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
51075 + .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
51076 + .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
51077 +- {}
51078 ++ { 0, 0, 0, 0, 0, 0 }
51079 + };
51080 + MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
51081 +
51082 +@@ -2078,7 +2078,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
51083 + MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
51084 + MODULE_LICENSE("GPL");
51085 +
51086 +-static int sbp2_module_init(void)
51087 ++static int __init sbp2_module_init(void)
51088 + {
51089 + int ret;
51090 +
51091 +diff -urNp linux-2.6.24.5/drivers/ieee1394/video1394.c linux-2.6.24.5/drivers/ieee1394/video1394.c
51092 +--- linux-2.6.24.5/drivers/ieee1394/video1394.c 2008-03-24 14:49:18.000000000 -0400
51093 ++++ linux-2.6.24.5/drivers/ieee1394/video1394.c 2008-03-26 20:21:08.000000000 -0400
51094 +@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
51095 + if (unlikely(d == NULL))
51096 + return -EFAULT;
51097 +
51098 +- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
51099 ++ if (unlikely(v.buffer>=d->num_desc - 1)) {
51100 + PRINT(KERN_ERR, ohci->host->id,
51101 + "Buffer %d out of range",v.buffer);
51102 + return -EINVAL;
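Review bot: the removed v.buffer<0 test is dead only if buffer in struct video1394_wait is unsigned; the hunk does not show the declaration, so confirm it and note it once for all four of these hunks. The surviving comparison against d->num_desc - 1 is evaluated after the usual integer promotions, exactly as before, so the accepted range does not change as long as num_desc is at least 1.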
51103 +@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
51104 + if (unlikely(d == NULL))
51105 + return -EFAULT;
51106 +
51107 +- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
51108 ++ if (unlikely(v.buffer>d->num_desc - 1)) {
51109 + PRINT(KERN_ERR, ohci->host->id,
51110 + "Buffer %d out of range",v.buffer);
51111 + return -EINVAL;
51112 +@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
51113 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
51114 + if (d == NULL) return -EFAULT;
51115 +
51116 +- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
51117 ++ if (v.buffer>=d->num_desc - 1) {
51118 + PRINT(KERN_ERR, ohci->host->id,
51119 + "Buffer %d out of range",v.buffer);
51120 + return -EINVAL;
51121 +@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
51122 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
51123 + if (d == NULL) return -EFAULT;
51124 +
51125 +- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
51126 ++ if (v.buffer>=d->num_desc-1) {
51127 + PRINT(KERN_ERR, ohci->host->id,
51128 + "Buffer %d out of range",v.buffer);
51129 + return -EINVAL;
51130 +@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
51131 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
51132 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
51133 + },
51134 +- { }
51135 ++ { 0, 0, 0, 0, 0, 0 }
51136 + };
51137 +
51138 + MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
51139 +diff -urNp linux-2.6.24.5/drivers/input/keyboard/atkbd.c linux-2.6.24.5/drivers/input/keyboard/atkbd.c
51140 +--- linux-2.6.24.5/drivers/input/keyboard/atkbd.c 2008-03-24 14:49:18.000000000 -0400
51141 ++++ linux-2.6.24.5/drivers/input/keyboard/atkbd.c 2008-03-26 20:21:08.000000000 -0400
51142 +@@ -1080,7 +1080,7 @@ static struct serio_device_id atkbd_seri
51143 + .id = SERIO_ANY,
51144 + .extra = SERIO_ANY,
51145 + },
51146 +- { 0 }
51147 ++ { 0, 0, 0, 0 }
51148 + };
51149 +
51150 + MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
51151 +diff -urNp linux-2.6.24.5/drivers/input/mouse/lifebook.c linux-2.6.24.5/drivers/input/mouse/lifebook.c
51152 +--- linux-2.6.24.5/drivers/input/mouse/lifebook.c 2008-03-24 14:49:18.000000000 -0400
51153 ++++ linux-2.6.24.5/drivers/input/mouse/lifebook.c 2008-03-26 20:21:08.000000000 -0400
51154 +@@ -110,7 +110,7 @@ static const struct dmi_system_id lifebo
51155 + DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
51156 + },
51157 + },
51158 +- { }
51159 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
51160 + };
51161 +
51162 + static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
51163 +diff -urNp linux-2.6.24.5/drivers/input/mouse/psmouse-base.c linux-2.6.24.5/drivers/input/mouse/psmouse-base.c
51164 +--- linux-2.6.24.5/drivers/input/mouse/psmouse-base.c 2008-03-24 14:49:18.000000000 -0400
51165 ++++ linux-2.6.24.5/drivers/input/mouse/psmouse-base.c 2008-03-26 20:21:08.000000000 -0400
51166 +@@ -1329,7 +1329,7 @@ static struct serio_device_id psmouse_se
51167 + .id = SERIO_ANY,
51168 + .extra = SERIO_ANY,
51169 + },
51170 +- { 0 }
51171 ++ { 0, 0, 0, 0 }
51172 + };
51173 +
51174 + MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
51175 +diff -urNp linux-2.6.24.5/drivers/input/mouse/synaptics.c linux-2.6.24.5/drivers/input/mouse/synaptics.c
51176 +--- linux-2.6.24.5/drivers/input/mouse/synaptics.c 2008-03-24 14:49:18.000000000 -0400
51177 ++++ linux-2.6.24.5/drivers/input/mouse/synaptics.c 2008-03-26 20:21:08.000000000 -0400
51178 +@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
51179 + break;
51180 + case 2:
51181 + if (SYN_MODEL_PEN(priv->model_id))
51182 +- ; /* Nothing, treat a pen as a single finger */
51183 ++ break; /* Nothing, treat a pen as a single finger */
51184 + break;
51185 + case 4 ... 15:
51186 + if (SYN_CAP_PALMDETECT(priv->capabilities))
51187 +@@ -624,7 +624,7 @@ static const struct dmi_system_id toshib
51188 + DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
51189 + },
51190 + },
51191 +- { }
51192 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51193 + };
51194 + #endif
51195 +
51196 +diff -urNp linux-2.6.24.5/drivers/input/mousedev.c linux-2.6.24.5/drivers/input/mousedev.c
51197 +--- linux-2.6.24.5/drivers/input/mousedev.c 2008-03-24 14:49:18.000000000 -0400
51198 ++++ linux-2.6.24.5/drivers/input/mousedev.c 2008-03-26 20:21:08.000000000 -0400
51199 +@@ -1056,7 +1056,7 @@ static struct input_handler mousedev_han
51200 +
51201 + #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
51202 + static struct miscdevice psaux_mouse = {
51203 +- PSMOUSE_MINOR, "psaux", &mousedev_fops
51204 ++ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
51205 + };
51206 + static int psaux_registered;
51207 + #endif
51208 +diff -urNp linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h
51209 +--- linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h 2008-03-24 14:49:18.000000000 -0400
51210 ++++ linux-2.6.24.5/drivers/input/serio/i8042-x86ia64io.h 2008-03-26 20:21:08.000000000 -0400
51211 +@@ -118,7 +118,7 @@ static struct dmi_system_id __initdata i
51212 + DMI_MATCH(DMI_PRODUCT_VERSION, "VS2005R2"),
51213 + },
51214 + },
51215 +- { }
51216 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51217 + };
51218 +
51219 + /*
51220 +@@ -270,7 +270,7 @@ static struct dmi_system_id __initdata i
51221 + DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
51222 + },
51223 + },
51224 +- { }
51225 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
51226 + };
51227 +
51228 +
51229 +diff -urNp linux-2.6.24.5/drivers/input/serio/serio_raw.c linux-2.6.24.5/drivers/input/serio/serio_raw.c
51230 +--- linux-2.6.24.5/drivers/input/serio/serio_raw.c 2008-03-24 14:49:18.000000000 -0400
51231 ++++ linux-2.6.24.5/drivers/input/serio/serio_raw.c 2008-03-26 20:21:08.000000000 -0400
51232 +@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
51233 + .id = SERIO_ANY,
51234 + .extra = SERIO_ANY,
51235 + },
51236 +- { 0 }
51237 ++ { 0, 0, 0, 0 }
51238 + };
51239 +
51240 + MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
51241 +diff -urNp linux-2.6.24.5/drivers/kvm/kvm_main.c linux-2.6.24.5/drivers/kvm/kvm_main.c
51242 +--- linux-2.6.24.5/drivers/kvm/kvm_main.c 2008-03-24 14:49:18.000000000 -0400
51243 ++++ linux-2.6.24.5/drivers/kvm/kvm_main.c 2008-03-26 20:21:08.000000000 -0400
51244 +@@ -67,22 +67,22 @@ static struct kvm_stats_debugfs_item {
51245 + int offset;
51246 + struct dentry *dentry;
51247 + } debugfs_entries[] = {
51248 +- { "pf_fixed", STAT_OFFSET(pf_fixed) },
51249 +- { "pf_guest", STAT_OFFSET(pf_guest) },
51250 +- { "tlb_flush", STAT_OFFSET(tlb_flush) },
51251 +- { "invlpg", STAT_OFFSET(invlpg) },
51252 +- { "exits", STAT_OFFSET(exits) },
51253 +- { "io_exits", STAT_OFFSET(io_exits) },
51254 +- { "mmio_exits", STAT_OFFSET(mmio_exits) },
51255 +- { "signal_exits", STAT_OFFSET(signal_exits) },
51256 +- { "irq_window", STAT_OFFSET(irq_window_exits) },
51257 +- { "halt_exits", STAT_OFFSET(halt_exits) },
51258 +- { "halt_wakeup", STAT_OFFSET(halt_wakeup) },
51259 +- { "request_irq", STAT_OFFSET(request_irq_exits) },
51260 +- { "irq_exits", STAT_OFFSET(irq_exits) },
51261 +- { "light_exits", STAT_OFFSET(light_exits) },
51262 +- { "efer_reload", STAT_OFFSET(efer_reload) },
51263 +- { NULL }
51264 ++ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
51265 ++ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
51266 ++ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
51267 ++ { "invlpg", STAT_OFFSET(invlpg), NULL },
51268 ++ { "exits", STAT_OFFSET(exits), NULL },
51269 ++ { "io_exits", STAT_OFFSET(io_exits), NULL },
51270 ++ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
51271 ++ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
51272 ++ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
51273 ++ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
51274 ++ { "halt_wakeup", STAT_OFFSET(halt_wakeup), NULL },
51275 ++ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
51276 ++ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
51277 ++ { "light_exits", STAT_OFFSET(light_exits), NULL },
51278 ++ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
51279 ++ { NULL, 0, NULL }
51280 + };
51281 +
51282 + static struct dentry *debugfs_dir;
51283 +@@ -2505,7 +2505,7 @@ static int kvm_vcpu_ioctl_translate(stru
51284 + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
51285 + struct kvm_interrupt *irq)
51286 + {
51287 +- if (irq->irq < 0 || irq->irq >= 256)
51288 ++ if (irq->irq >= 256)
51289 + return -EINVAL;
51290 + if (irqchip_in_kernel(vcpu->kvm))
51291 + return -ENXIO;
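Review bot: dropping `irq->irq < 0` is correct only because that field is unsigned (`__u32` in struct kvm_interrupt), which made the old test dead; if the type ever changes to a signed integer, negative values would reach the caller unchecked. A one-line comment at the remaining `irq->irq >= 256` check stating that the value is unsigned would stop the lower bound from being reintroduced, and the bare 256 would read better as a named constant.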
51292 +@@ -3250,6 +3250,9 @@ static struct miscdevice kvm_dev = {
51293 + KVM_MINOR,
51294 + "kvm",
51295 + &kvm_chardev_ops,
51296 ++ {NULL, NULL},
51297 ++ NULL,
51298 ++ NULL
51299 + };
51300 +
51301 + /*
51302 +diff -urNp linux-2.6.24.5/drivers/kvm/svm.c linux-2.6.24.5/drivers/kvm/svm.c
51303 +--- linux-2.6.24.5/drivers/kvm/svm.c 2008-03-24 14:49:18.000000000 -0400
51304 ++++ linux-2.6.24.5/drivers/kvm/svm.c 2008-03-26 20:21:08.000000000 -0400
51305 +@@ -1307,8 +1307,20 @@ static void reload_tss(struct kvm_vcpu *
51306 + int cpu = raw_smp_processor_id();
51307 +
51308 + struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
51309 ++
51310 ++#ifdef CONFIG_PAX_KERNEXEC
51311 ++ unsigned long cr0;
51312 ++
51313 ++ pax_open_kernel(cr0);
51314 ++#endif
51315 ++
51316 + svm_data->tss_desc->type = 9; //available 32/64-bit TSS
51317 + load_TR_desc();
51318 ++
51319 ++#ifdef CONFIG_PAX_KERNEXEC
51320 ++ pax_close_kernel(cr0);
51321 ++#endif
51322 ++
51323 + }
51324 +
51325 + static void pre_svm_run(struct vcpu_svm *svm)
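Review bot: the KERNEXEC window correctly encloses `load_TR_desc()` as well as the `svm_data->tss_desc->type = 9` store, and it must stay that way: `ltr` sets the busy bit in the TSS descriptor, which is a hardware write into the GDT and would fault on a read-only GDT if the window were narrowed to the C assignment alone. A short comment saying so would prevent a later "tightening" of the window. CR0.WP is per-CPU state, so nothing inside the window may sleep or migrate; neither line here does.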
51326 +diff -urNp linux-2.6.24.5/drivers/kvm/vmx.c linux-2.6.24.5/drivers/kvm/vmx.c
51327 +--- linux-2.6.24.5/drivers/kvm/vmx.c 2008-03-24 14:49:18.000000000 -0400
51328 ++++ linux-2.6.24.5/drivers/kvm/vmx.c 2008-03-26 20:21:08.000000000 -0400
51329 +@@ -335,10 +335,24 @@ static void reload_tss(void)
51330 + struct descriptor_table gdt;
51331 + struct segment_descriptor *descs;
51332 +
51333 ++#ifdef CONFIG_PAX_KERNEXEC
51334 ++ unsigned long cr0;
51335 ++#endif
51336 ++
51337 + get_gdt(&gdt);
51338 + descs = (void *)gdt.base;
51339 ++
51340 ++#ifdef CONFIG_PAX_KERNEXEC
51341 ++ pax_open_kernel(cr0);
51342 ++#endif
51343 ++
51344 + descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
51345 + load_TR_desc();
51346 ++
51347 ++#ifdef CONFIG_PAX_KERNEXEC
51348 ++ pax_close_kernel(cr0);
51349 ++#endif
51350 ++
51351 + #endif
51352 + }
51353 +
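Review bot: the function body ends with a pre-existing `#endif`, so the whole TSS reload is already conditionally compiled and the new `CONFIG_PAX_KERNEXEC` blocks must nest entirely inside it; they do here, with the `cr0` declaration placed after the existing declarations (valid C89 ordering) and `pax_close_kernel(cr0)` placed before that outer `#endif`. As in svm.c, keep `load_TR_desc()` inside the window, because `ltr` writes the busy bit into the GDT entry.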
51354 +@@ -2322,7 +2336,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
51355 +
51356 + vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
51357 +
51358 +- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
51359 ++ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
51360 + vmx->launched = 1;
51361 +
51362 + intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
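Review bot: the switch from `__USER_DS` to `__KERNEL_DS` for the post-VM-exit ds/es reload is applied unconditionally rather than under `CONFIG_PAX_MEMORY_UDEREF`, which is the feature that actually depends on kernel code holding the kernel data selector in ds/es. In a build without it both selectors describe a flat data segment, so the change is harmless there, but a guard or a comment stating why `__KERNEL_DS` is required would make the intent reviewable and keep the hunk from being mistaken for a stray edit on rebase.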
51363 +diff -urNp linux-2.6.24.5/drivers/md/bitmap.c linux-2.6.24.5/drivers/md/bitmap.c
51364 +--- linux-2.6.24.5/drivers/md/bitmap.c 2008-03-24 14:49:18.000000000 -0400
51365 ++++ linux-2.6.24.5/drivers/md/bitmap.c 2008-03-26 20:21:08.000000000 -0400
51366 +@@ -57,7 +57,7 @@
51367 + # if DEBUG > 0
51368 + # define PRINTK(x...) printk(KERN_DEBUG x)
51369 + # else
51370 +-# define PRINTK(x...)
51371 ++# define PRINTK(x...) do {} while (0)
51372 + # endif
51373 + #endif
51374 +
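Review bot: an empty expansion leaves a bare `;` after `if (cond) PRINTK(...)`, which compilers flag with empty-body warnings, whereas `do {} while (0)` behaves as a single statement in every context. The same idiom is applied to `rx_align`, `SCSI_CHECK_LOGGING`, `US_DEBUG*` and `DPRINTK` further down; for `US_DEBUG(x)`, whose debug form expands to the bare expression `x`, it is only safe while every caller uses the macro as a statement, which is worth a grep.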
51375 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2000.c linux-2.6.24.5/drivers/mtd/devices/doc2000.c
51376 +--- linux-2.6.24.5/drivers/mtd/devices/doc2000.c 2008-03-24 14:49:18.000000000 -0400
51377 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2000.c 2008-03-26 20:21:08.000000000 -0400
51378 +@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
51379 + len = ((from | 0x1ff) + 1) - from;
51380 +
51381 + /* The ECC will not be calculated correctly if less than 512 is read */
51382 +- if (len != 0x200 && eccbuf)
51383 ++ if (len != 0x200)
51384 + printk(KERN_WARNING
51385 + "ECC needs a full sector read (adr: %lx size %lx)\n",
51386 + (long) from, (long) len);
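Review bot: removing `&& eccbuf` changes behaviour unless `eccbuf` is an array local to `doc_read`, in which case its address is never null and the old test was dead (the usual "address of array always evaluates true" warning). The hunk does not show the declaration, so a reviewer has to go and check it; a comment at the `if` such as `/* eccbuf is a local array, never NULL */` would make the change self-explanatory. The same justification must hold for the matching `if (eccbuf && before)` change in doc2001plus.c below.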
51387 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2001.c linux-2.6.24.5/drivers/mtd/devices/doc2001.c
51388 +--- linux-2.6.24.5/drivers/mtd/devices/doc2001.c 2008-03-24 14:49:18.000000000 -0400
51389 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2001.c 2008-03-26 20:21:08.000000000 -0400
51390 +@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
51391 + /* Don't allow read past end of device */
51392 + if (from >= this->totlen)
51393 + return -EINVAL;
51394 ++ if (!len)
51395 ++ return -EINVAL;
51396 +
51397 + /* Don't allow a single read to cross a 512-byte block boundary */
51398 + if (from + len > ((from | 0x1ff) + 1))
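Review bot: the new `if (!len) return -EINVAL;` turns a zero-length read into an error, and it is not visible from the hunk why a zero-length read must fail rather than succeed with `*retlen = 0` (for example a later `len - 1` index or a loop that assumes at least one byte). Add a comment giving the reason, or return success with `*retlen = 0` if the goal is only to skip the work. The placement after the `from >= this->totlen` test is fine.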
51399 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c
51400 +--- linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c 2008-03-24 14:49:18.000000000 -0400
51401 ++++ linux-2.6.24.5/drivers/mtd/devices/doc2001plus.c 2008-03-26 20:21:08.000000000 -0400
51402 +@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
51403 + WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
51404 +
51405 + /* On interleaved devices the flags for 2nd half 512 are before data */
51406 +- if (eccbuf && before)
51407 ++ if (before)
51408 + fto -= 2;
51409 +
51410 + /* issue the Serial Data In command to initial the Page Program process */
51411 +diff -urNp linux-2.6.24.5/drivers/mtd/devices/slram.c linux-2.6.24.5/drivers/mtd/devices/slram.c
51412 +--- linux-2.6.24.5/drivers/mtd/devices/slram.c 2008-03-24 14:49:18.000000000 -0400
51413 ++++ linux-2.6.24.5/drivers/mtd/devices/slram.c 2008-03-26 20:21:08.000000000 -0400
51414 +@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
51415 + }
51416 + T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
51417 + devname, devstart, devlength);
51418 +- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
51419 ++ if (devlength % SLRAM_BLK_SZ != 0) {
51420 + E("slram: Illegal start / length parameter.\n");
51421 + return(-EINVAL);
51422 + }
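Review bot: with the `devstart < 0` and `devlength < 0` tests gone (dead for unsigned values, consistent with the `%lx` conversions in the `T()` line above), the condition only validates `devlength`, yet the error text still reads `Illegal start / length parameter.`. Either trim the message to the length, or keep a start check that is meaningful for unsigned values, such as an overflow test on `devstart + devlength`.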
51423 +diff -urNp linux-2.6.24.5/drivers/mtd/ubi/build.c linux-2.6.24.5/drivers/mtd/ubi/build.c
51424 +--- linux-2.6.24.5/drivers/mtd/ubi/build.c 2008-03-24 14:49:18.000000000 -0400
51425 ++++ linux-2.6.24.5/drivers/mtd/ubi/build.c 2008-03-26 20:21:08.000000000 -0400
51426 +@@ -753,7 +753,7 @@ static int __init bytes_str_to_int(const
51427 + unsigned long result;
51428 +
51429 + result = simple_strtoul(str, &endp, 0);
51430 +- if (str == endp || result < 0) {
51431 ++ if (str == endp) {
51432 + printk("UBI error: incorrect bytes count: \"%s\"\n", str);
51433 + return -EINVAL;
51434 + }
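Review bot: `result` is declared `unsigned long` in the visible context, so `result < 0` was always false and removing it is correct. Note that `simple_strtoul()` does not report overflow and the function name suggests the value ends up in an `int`, so an explicit upper-bound check would be more useful than the dead test ever was.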
51435 +diff -urNp linux-2.6.24.5/drivers/net/eepro100.c linux-2.6.24.5/drivers/net/eepro100.c
51436 +--- linux-2.6.24.5/drivers/net/eepro100.c 2008-03-24 14:49:18.000000000 -0400
51437 ++++ linux-2.6.24.5/drivers/net/eepro100.c 2008-03-26 20:21:08.000000000 -0400
51438 +@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
51439 + # define rx_align(skb) skb_reserve((skb), 2)
51440 + # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
51441 + #else
51442 +-# define rx_align(skb)
51443 ++# define rx_align(skb) do {} while (0)
51444 + # define RxFD_ALIGNMENT
51445 + #endif
51446 +
51447 +@@ -2340,33 +2340,33 @@ static void __devexit eepro100_remove_on
51448 + }
51449 +
51450 + static struct pci_device_id eepro100_pci_tbl[] = {
51451 +- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
51452 +- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
51453 +- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
51454 +- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
51455 +- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
51456 +- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
51457 +- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
51458 +- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
51459 +- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
51460 +- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
51461 +- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
51462 +- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
51463 +- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
51464 +- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
51465 +- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
51466 +- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
51467 +- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
51468 +- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
51469 +- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
51470 +- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
51471 +- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
51472 +- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
51473 +- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
51474 +- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
51475 +- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
51476 +- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
51477 +- { 0,}
51478 ++ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51479 ++ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51480 ++ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51481 ++ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51482 ++ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51483 ++ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51484 ++ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51485 ++ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51486 ++ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51487 ++ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51488 ++ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51489 ++ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51490 ++ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51491 ++ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51492 ++ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51493 ++ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51494 ++ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51495 ++ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51496 ++ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51497 ++ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51498 ++ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51499 ++ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51500 ++ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51501 ++ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51502 ++ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51503 ++ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
51504 ++ { 0, 0, 0, 0, 0, 0, 0 }
51505 + };
51506 + MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
51507 +
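Review bot: all 26 table entries are rewritten just to append `0, 0, 0`; the `PCI_DEVICE(vend, dev)` designated-initializer macro (vendor, device, subvendor/subdevice = PCI_ANY_ID) expresses the same entries without positional padding, survives member reordering and still silences the missing-initializer warning. The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` yields exactly the all-zero entry that `{ 0,}` already produced; the extra zeros exist only to quiet the warning, which a comment could say.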
51508 +diff -urNp linux-2.6.24.5/drivers/net/irda/vlsi_ir.c linux-2.6.24.5/drivers/net/irda/vlsi_ir.c
51509 +--- linux-2.6.24.5/drivers/net/irda/vlsi_ir.c 2008-03-24 14:49:18.000000000 -0400
51510 ++++ linux-2.6.24.5/drivers/net/irda/vlsi_ir.c 2008-03-26 20:21:08.000000000 -0400
51511 +@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
51512 + /* no race - tx-ring already empty */
51513 + vlsi_set_baud(idev, iobase);
51514 + netif_wake_queue(ndev);
51515 +- }
51516 +- else
51517 +- ;
51518 ++ } else {
51519 + /* keep the speed change pending like it would
51520 + * for any len>0 packet. tx completion interrupt
51521 + * will apply it when the tx ring becomes empty.
51522 + */
51523 ++ }
51524 + spin_unlock_irqrestore(&idev->lock, flags);
51525 + dev_kfree_skb_any(skb);
51526 + return 0;
51527 +diff -urNp linux-2.6.24.5/drivers/net/pcnet32.c linux-2.6.24.5/drivers/net/pcnet32.c
51528 +--- linux-2.6.24.5/drivers/net/pcnet32.c 2008-03-24 14:49:18.000000000 -0400
51529 ++++ linux-2.6.24.5/drivers/net/pcnet32.c 2008-03-26 20:21:08.000000000 -0400
51530 +@@ -82,7 +82,7 @@ static int cards_found;
51531 + /*
51532 + * VLB I/O addresses
51533 + */
51534 +-static unsigned int pcnet32_portlist[] __initdata =
51535 ++static unsigned int pcnet32_portlist[] __devinitdata =
51536 + { 0x300, 0x320, 0x340, 0x360, 0 };
51537 +
51538 + static int pcnet32_debug = 0;
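Review bot: `__initdata` to `__devinitdata` is the right fix only if the code reading `pcnet32_portlist` is `__devinit` (the VLB probe path) rather than `__init`; in that case the old annotation was a section mismatch, because with CONFIG_HOTPLUG the `__devinit` probe stays resident while `__initdata` is discarded after boot. The hunk does not show the user, so name the referencing function in the change description.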
51539 +diff -urNp linux-2.6.24.5/drivers/net/tg3.h linux-2.6.24.5/drivers/net/tg3.h
51540 +--- linux-2.6.24.5/drivers/net/tg3.h 2008-03-24 14:49:18.000000000 -0400
51541 ++++ linux-2.6.24.5/drivers/net/tg3.h 2008-03-26 20:21:08.000000000 -0400
51542 +@@ -102,6 +102,7 @@
51543 + #define CHIPREV_ID_5750_A0 0x4000
51544 + #define CHIPREV_ID_5750_A1 0x4001
51545 + #define CHIPREV_ID_5750_A3 0x4003
51546 ++#define CHIPREV_ID_5750_C1 0x4201
51547 + #define CHIPREV_ID_5750_C2 0x4202
51548 + #define CHIPREV_ID_5752_A0_HW 0x5000
51549 + #define CHIPREV_ID_5752_A0 0x6000
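Review bot: `CHIPREV_ID_5750_C1 0x4201` is added with no user in this file; the value fits the existing A0/A1/A3/C2 numbering, but a define nothing references is easy to lose on rebase. Make sure the tg3.c change that tests it is in the same patch, and say in the description what the C1 stepping needs (typically a quirk in the chip-revision checks).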
51550 +diff -urNp linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c
51551 +--- linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-24 14:49:18.000000000 -0400
51552 ++++ linux-2.6.24.5/drivers/pci/hotplug/cpqphp_nvram.c 2008-03-26 20:21:08.000000000 -0400
51553 +@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
51554 +
51555 + void compaq_nvram_init (void __iomem *rom_start)
51556 + {
51557 ++
51558 ++#ifndef CONFIG_PAX_KERNEXEC
51559 + if (rom_start) {
51560 + compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
51561 + }
51562 ++#endif
51563 ++
51564 + dbg("int15 entry = %p\n", compaq_int15_entry_point);
51565 +
51566 + /* initialize our int15 lock */
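Review bot: under `CONFIG_PAX_KERNEXEC` `compaq_int15_entry_point` is never assigned, so the `dbg()` line prints a NULL entry point and every later call through it depends on callers checking for NULL first; that is not visible here and should be confirmed. If the INT15 path cannot work with a non-executable ROM mapping, it is cleaner to make the Kconfig option depend on `!PAX_KERNEXEC`, or to fail init explicitly, than to silently disable NVRAM access, and a comment inside the `#ifndef` explaining the reason would help the next reader.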
51567 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c
51568 +--- linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c 2008-03-24 14:49:18.000000000 -0400
51569 ++++ linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv.c 2008-03-26 20:21:08.000000000 -0400
51570 +@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
51571 + .port_type = PCIE_RC_PORT,
51572 + .service_type = PCIE_PORT_SERVICE_AER,
51573 + },
51574 +- { /* end: all zeroes */ }
51575 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51576 + };
51577 +
51578 + static struct pci_error_handlers aer_error_handlers = {
51579 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c
51580 +--- linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-24 14:49:18.000000000 -0400
51581 ++++ linux-2.6.24.5/drivers/pci/pcie/aer/aerdrv_core.c 2008-03-26 20:21:08.000000000 -0400
51582 +@@ -661,7 +661,7 @@ static void aer_isr_one_error(struct pci
51583 + struct aer_err_source *e_src)
51584 + {
51585 + struct device *s_device;
51586 +- struct aer_err_info e_info = {0, 0, 0,};
51587 ++ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
51588 + int i;
51589 + u16 id;
51590 +
51591 +diff -urNp linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c
51592 +--- linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c 2008-03-24 14:49:18.000000000 -0400
51593 ++++ linux-2.6.24.5/drivers/pci/pcie/portdrv_pci.c 2008-03-26 20:21:08.000000000 -0400
51594 +@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
51595 + static const struct pci_device_id port_pci_ids[] = { {
51596 + /* handle any PCI-Express port */
51597 + PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
51598 +- }, { /* end: all zeroes */ }
51599 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
51600 + };
51601 + MODULE_DEVICE_TABLE(pci, port_pci_ids);
51602 +
51603 +diff -urNp linux-2.6.24.5/drivers/pci/proc.c linux-2.6.24.5/drivers/pci/proc.c
51604 +--- linux-2.6.24.5/drivers/pci/proc.c 2008-03-24 14:49:18.000000000 -0400
51605 ++++ linux-2.6.24.5/drivers/pci/proc.c 2008-03-26 20:21:08.000000000 -0400
51606 +@@ -467,7 +467,15 @@ static int __init pci_proc_init(void)
51607 + {
51608 + struct proc_dir_entry *entry;
51609 + struct pci_dev *dev = NULL;
51610 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
51611 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
51612 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
51613 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51614 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
51615 ++#endif
51616 ++#else
51617 + proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
51618 ++#endif
51619 + entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
51620 + if (entry)
51621 + entry->proc_fops = &proc_bus_pci_dev_operations;
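Review bot: the `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain has no `#else`, so a configuration with `CONFIG_GRKERNSEC_PROC_ADD` set but neither sub-option leaves `proc_bus_pci_dir` unassigned, and `create_proc_entry("devices", ...)` with a NULL parent lands in the /proc root. Kconfig may rule that combination out, but a fallback `#else proc_bus_pci_dir = proc_mkdir("pci", proc_bus);` costs nothing and keeps the code correct on its own. Restricting the directory mode is enough to block unprivileged access to the entries beneath it, since traversal needs search permission on `pci`.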
51622 +diff -urNp linux-2.6.24.5/drivers/pcmcia/ti113x.h linux-2.6.24.5/drivers/pcmcia/ti113x.h
51623 +--- linux-2.6.24.5/drivers/pcmcia/ti113x.h 2008-03-24 14:49:18.000000000 -0400
51624 ++++ linux-2.6.24.5/drivers/pcmcia/ti113x.h 2008-03-26 20:21:08.000000000 -0400
51625 +@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
51626 + DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
51627 + ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
51628 +
51629 +- {}
51630 ++ { 0, 0, 0, 0, 0, 0, 0 }
51631 + };
51632 +
51633 + static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
51634 +diff -urNp linux-2.6.24.5/drivers/pcmcia/yenta_socket.c linux-2.6.24.5/drivers/pcmcia/yenta_socket.c
51635 +--- linux-2.6.24.5/drivers/pcmcia/yenta_socket.c 2008-03-24 14:49:18.000000000 -0400
51636 ++++ linux-2.6.24.5/drivers/pcmcia/yenta_socket.c 2008-03-26 20:21:08.000000000 -0400
51637 +@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
51638 +
51639 + /* match any cardbus bridge */
51640 + CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
51641 +- { /* all zeroes */ }
51642 ++ { 0, 0, 0, 0, 0, 0, 0 }
51643 + };
51644 + MODULE_DEVICE_TABLE(pci, yenta_table);
51645 +
51646 +diff -urNp linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c
51647 +--- linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c 2008-03-24 14:49:18.000000000 -0400
51648 ++++ linux-2.6.24.5/drivers/pnp/pnpbios/bioscalls.c 2008-03-26 20:21:08.000000000 -0400
51649 +@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
51650 + set_limit(gdt[(selname) >> 3], size); \
51651 + } while(0)
51652 +
51653 +-static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
51654 ++static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
51655 +
51656 + /*
51657 + * At some point we want to use this stack frame pointer to unwind
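Review bot: the access-byte change from 0x92 to 0x93 sets the descriptor's accessed bit, and that is what makes `__read_only` viable: when a segment register is loaded from a descriptor whose accessed bit is clear, the CPU writes that bit back into the GDT entry, which on a read-only GDT would fault in the middle of the BIOS call. That interaction is non-obvious and deserves a comment at the definition. Because `bad_bios_desc` is now `__read_only`, every later store to it (`set_base`/`_set_limit` in `pnpbios_calls_init`) has to sit inside a `pax_open_kernel()` window, which the later hunk does.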
51658 +@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
51659 + struct desc_struct save_desc_40;
51660 + int cpu;
51661 +
51662 ++#ifdef CONFIG_PAX_KERNEXEC
51663 ++ unsigned long cr0;
51664 ++#endif
51665 ++
51666 + /*
51667 + * PnP BIOSes are generally not terribly re-entrant.
51668 + * Also, don't rely on them to save everything correctly.
51669 +@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
51670 +
51671 + cpu = get_cpu();
51672 + save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
51673 ++
51674 ++#ifdef CONFIG_PAX_KERNEXEC
51675 ++ pax_open_kernel(cr0);
51676 ++#endif
51677 ++
51678 + get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
51679 +
51680 ++#ifdef CONFIG_PAX_KERNEXEC
51681 ++ pax_close_kernel(cr0);
51682 ++#endif
51683 ++
51684 + /* On some boxes IRQ's during PnP BIOS calls are deadly. */
51685 + spin_lock_irqsave(&pnp_bios_lock, flags);
51686 +
51687 +@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
51688 + :"memory");
51689 + spin_unlock_irqrestore(&pnp_bios_lock, flags);
51690 +
51691 ++#ifdef CONFIG_PAX_KERNEXEC
51692 ++ pax_open_kernel(cr0);
51693 ++#endif
51694 ++
51695 + get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
51696 ++
51697 ++#ifdef CONFIG_PAX_KERNEXEC
51698 ++ pax_close_kernel(cr0);
51699 ++#endif
51700 ++
51701 + put_cpu();
51702 +
51703 + /* If we get here and this is set then the PnP BIOS faulted on us. */
51704 +@@ -469,14 +491,22 @@ int pnp_bios_read_escd(char *data, u32 n
51705 + return status;
51706 + }
51707 +
51708 +-void pnpbios_calls_init(union pnp_bios_install_struct *header)
51709 ++void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
51710 + {
51711 + int i;
51712 +
51713 ++#ifdef CONFIG_PAX_KERNEXEC
51714 ++ unsigned long cr0;
51715 ++#endif
51716 ++
51717 + spin_lock_init(&pnp_bios_lock);
51718 + pnp_bios_callpoint.offset = header->fields.pm16offset;
51719 + pnp_bios_callpoint.segment = PNP_CS16;
51720 +
51721 ++#ifdef CONFIG_PAX_KERNEXEC
51722 ++ pax_open_kernel(cr0);
51723 ++#endif
51724 ++
51725 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
51726 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
51727 + for (i = 0; i < NR_CPUS; i++) {
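Review bot: adding `__init` to `pnpbios_calls_init()` is only safe if its caller is `__init` as well, otherwise this introduces a section mismatch; the caller is not visible here, so state it in the description. The KERNEXEC window is opened before `set_base(bad_bios_desc, ...)` and, per the following hunk, held across the entire `for (i = 0; i < NR_CPUS; i++)` GDT loop; that is acceptable because the loop only writes memory, but CR0.WP is per-CPU state, so the loop must stay free of anything that can sleep.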
51728 +@@ -489,4 +519,9 @@ void pnpbios_calls_init(union pnp_bios_i
51729 + set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
51730 + __va(header->fields.pm16dseg));
51731 + }
51732 ++
51733 ++#ifdef CONFIG_PAX_KERNEXEC
51734 ++ pax_close_kernel(cr0);
51735 ++#endif
51736 ++
51737 + }
51738 +diff -urNp linux-2.6.24.5/drivers/pnp/quirks.c linux-2.6.24.5/drivers/pnp/quirks.c
51739 +--- linux-2.6.24.5/drivers/pnp/quirks.c 2008-03-24 14:49:18.000000000 -0400
51740 ++++ linux-2.6.24.5/drivers/pnp/quirks.c 2008-03-26 20:21:08.000000000 -0400
51741 +@@ -128,7 +128,7 @@ static struct pnp_fixup pnp_fixups[] = {
51742 + {"CTL0043", quirk_sb16audio_resources},
51743 + {"CTL0044", quirk_sb16audio_resources},
51744 + {"CTL0045", quirk_sb16audio_resources},
51745 +- {""}
51746 ++ {"", NULL}
51747 + };
51748 +
51749 + void pnp_fixup_device(struct pnp_dev *dev)
51750 +diff -urNp linux-2.6.24.5/drivers/pnp/resource.c linux-2.6.24.5/drivers/pnp/resource.c
51751 +--- linux-2.6.24.5/drivers/pnp/resource.c 2008-03-24 14:49:18.000000000 -0400
51752 ++++ linux-2.6.24.5/drivers/pnp/resource.c 2008-03-26 20:21:08.000000000 -0400
51753 +@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
51754 + return 1;
51755 +
51756 + /* check if the resource is valid */
51757 +- if (*irq < 0 || *irq > 15)
51758 ++ if (*irq > 15)
51759 + return 0;
51760 +
51761 + /* check if the resource is reserved */
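Review bot: dropping `*irq < 0` here and `*dma < 0` in the next hunk is correct only because these pointers reference an unsigned resource start field, which the hunk does not show; a comment at the remaining bound check noting that the value is unsigned would keep the lower bound from being reintroduced. The remaining `*irq > 15` and `*dma == 4 || *dma > 7` tests still encode the ISA rules, which is fine.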
51762 +@@ -414,7 +414,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
51763 + return 1;
51764 +
51765 + /* check if the resource is valid */
51766 +- if (*dma < 0 || *dma == 4 || *dma > 7)
51767 ++ if (*dma == 4 || *dma > 7)
51768 + return 0;
51769 +
51770 + /* check if the resource is reserved */
51771 +diff -urNp linux-2.6.24.5/drivers/scsi/scsi_logging.h linux-2.6.24.5/drivers/scsi/scsi_logging.h
51772 +--- linux-2.6.24.5/drivers/scsi/scsi_logging.h 2008-03-24 14:49:18.000000000 -0400
51773 ++++ linux-2.6.24.5/drivers/scsi/scsi_logging.h 2008-03-26 20:21:08.000000000 -0400
51774 +@@ -51,7 +51,7 @@ do { \
51775 + } while (0); \
51776 + } while (0)
51777 + #else
51778 +-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
51779 ++#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
51780 + #endif /* CONFIG_SCSI_LOGGING */
51781 +
51782 + /*
51783 +diff -urNp linux-2.6.24.5/drivers/serial/8250_pci.c linux-2.6.24.5/drivers/serial/8250_pci.c
51784 +--- linux-2.6.24.5/drivers/serial/8250_pci.c 2008-03-24 14:49:18.000000000 -0400
51785 ++++ linux-2.6.24.5/drivers/serial/8250_pci.c 2008-03-26 20:21:08.000000000 -0400
51786 +@@ -2712,7 +2712,7 @@ static struct pci_device_id serial_pci_t
51787 + PCI_ANY_ID, PCI_ANY_ID,
51788 + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
51789 + 0xffff00, pbn_default },
51790 +- { 0, }
51791 ++ { 0, 0, 0, 0, 0, 0, 0 }
51792 + };
51793 +
51794 + static struct pci_driver serial_pci_driver = {
51795 +diff -urNp linux-2.6.24.5/drivers/usb/class/cdc-acm.c linux-2.6.24.5/drivers/usb/class/cdc-acm.c
51796 +--- linux-2.6.24.5/drivers/usb/class/cdc-acm.c 2008-03-24 14:49:18.000000000 -0400
51797 ++++ linux-2.6.24.5/drivers/usb/class/cdc-acm.c 2008-03-26 20:21:08.000000000 -0400
51798 +@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
51799 + USB_CDC_ACM_PROTO_AT_CDMA) },
51800 +
51801 + /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
51802 +- { }
51803 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51804 + };
51805 +
51806 + MODULE_DEVICE_TABLE (usb, acm_ids);
51807 +diff -urNp linux-2.6.24.5/drivers/usb/class/usblp.c linux-2.6.24.5/drivers/usb/class/usblp.c
51808 +--- linux-2.6.24.5/drivers/usb/class/usblp.c 2008-03-24 14:49:18.000000000 -0400
51809 ++++ linux-2.6.24.5/drivers/usb/class/usblp.c 2008-03-26 20:21:08.000000000 -0400
51810 +@@ -227,7 +227,7 @@ static const struct quirk_printer_struct
51811 + { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
51812 + { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
51813 + { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
51814 +- { 0, 0 }
51815 ++ { 0, 0, 0 }
51816 + };
51817 +
51818 + static int usblp_wwait(struct usblp *usblp, int nonblock);
51819 +@@ -1401,7 +1401,7 @@ static struct usb_device_id usblp_ids []
51820 + { USB_INTERFACE_INFO(7, 1, 2) },
51821 + { USB_INTERFACE_INFO(7, 1, 3) },
51822 + { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
51823 +- { } /* Terminating entry */
51824 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
51825 + };
51826 +
51827 + MODULE_DEVICE_TABLE (usb, usblp_ids);
51828 +diff -urNp linux-2.6.24.5/drivers/usb/core/hub.c linux-2.6.24.5/drivers/usb/core/hub.c
51829 +--- linux-2.6.24.5/drivers/usb/core/hub.c 2008-03-24 14:49:18.000000000 -0400
51830 ++++ linux-2.6.24.5/drivers/usb/core/hub.c 2008-03-26 20:21:08.000000000 -0400
51831 +@@ -2884,7 +2884,7 @@ static struct usb_device_id hub_id_table
51832 + .bDeviceClass = USB_CLASS_HUB},
51833 + { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
51834 + .bInterfaceClass = USB_CLASS_HUB},
51835 +- { } /* Terminating entry */
51836 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
51837 + };
51838 +
51839 + MODULE_DEVICE_TABLE (usb, hub_id_table);
51840 +diff -urNp linux-2.6.24.5/drivers/usb/host/ehci-pci.c linux-2.6.24.5/drivers/usb/host/ehci-pci.c
51841 +--- linux-2.6.24.5/drivers/usb/host/ehci-pci.c 2008-03-24 14:49:18.000000000 -0400
51842 ++++ linux-2.6.24.5/drivers/usb/host/ehci-pci.c 2008-03-26 20:21:08.000000000 -0400
51843 +@@ -374,7 +374,7 @@ static const struct pci_device_id pci_id
51844 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
51845 + .driver_data = (unsigned long) &ehci_pci_hc_driver,
51846 + },
51847 +- { /* end: all zeroes */ }
51848 ++ { 0, 0, 0, 0, 0, 0, 0 }
51849 + };
51850 + MODULE_DEVICE_TABLE(pci, pci_ids);
51851 +
51852 +diff -urNp linux-2.6.24.5/drivers/usb/host/uhci-hcd.c linux-2.6.24.5/drivers/usb/host/uhci-hcd.c
51853 +--- linux-2.6.24.5/drivers/usb/host/uhci-hcd.c 2008-03-24 14:49:18.000000000 -0400
51854 ++++ linux-2.6.24.5/drivers/usb/host/uhci-hcd.c 2008-03-26 20:21:08.000000000 -0400
51855 +@@ -893,7 +893,7 @@ static const struct pci_device_id uhci_p
51856 + /* handle any USB UHCI controller */
51857 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
51858 + .driver_data = (unsigned long) &uhci_driver,
51859 +- }, { /* end: all zeroes */ }
51860 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
51861 + };
51862 +
51863 + MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
51864 +diff -urNp linux-2.6.24.5/drivers/usb/storage/debug.h linux-2.6.24.5/drivers/usb/storage/debug.h
51865 +--- linux-2.6.24.5/drivers/usb/storage/debug.h 2008-03-24 14:49:18.000000000 -0400
51866 ++++ linux-2.6.24.5/drivers/usb/storage/debug.h 2008-03-26 20:21:08.000000000 -0400
51867 +@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
51868 + #define US_DEBUGPX(x...) printk( x )
51869 + #define US_DEBUG(x) x
51870 + #else
51871 +-#define US_DEBUGP(x...)
51872 +-#define US_DEBUGPX(x...)
51873 +-#define US_DEBUG(x)
51874 ++#define US_DEBUGP(x...) do {} while (0)
51875 ++#define US_DEBUGPX(x...) do {} while (0)
51876 ++#define US_DEBUG(x) do {} while (0)
51877 + #endif
51878 +
51879 + #endif
51880 +diff -urNp linux-2.6.24.5/drivers/usb/storage/usb.c linux-2.6.24.5/drivers/usb/storage/usb.c
51881 +--- linux-2.6.24.5/drivers/usb/storage/usb.c 2008-03-24 14:49:18.000000000 -0400
51882 ++++ linux-2.6.24.5/drivers/usb/storage/usb.c 2008-03-26 20:21:08.000000000 -0400
51883 +@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
51884 + #undef UNUSUAL_DEV
51885 + #undef USUAL_DEV
51886 + /* Terminating entry */
51887 +- { }
51888 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
51889 + };
51890 +
51891 + MODULE_DEVICE_TABLE (usb, storage_usb_ids);
51892 +@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
51893 + # undef USUAL_DEV
51894 +
51895 + /* Terminating entry */
51896 +- { NULL }
51897 ++ { NULL, NULL, 0, 0, NULL }
51898 + };
51899 +
51900 +
51901 +diff -urNp linux-2.6.24.5/drivers/video/fbcmap.c linux-2.6.24.5/drivers/video/fbcmap.c
51902 +--- linux-2.6.24.5/drivers/video/fbcmap.c 2008-03-24 14:49:18.000000000 -0400
51903 ++++ linux-2.6.24.5/drivers/video/fbcmap.c 2008-03-26 20:21:08.000000000 -0400
51904 +@@ -250,8 +250,7 @@ int fb_set_user_cmap(struct fb_cmap_user
51905 + int rc, size = cmap->len * sizeof(u16);
51906 + struct fb_cmap umap;
51907 +
51908 +- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
51909 +- !info->fbops->fb_setcmap))
51910 ++ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
51911 + return -EINVAL;
51912 +
51913 + memset(&umap, 0, sizeof(struct fb_cmap));
51914 +diff -urNp linux-2.6.24.5/drivers/video/fbmem.c linux-2.6.24.5/drivers/video/fbmem.c
51915 +--- linux-2.6.24.5/drivers/video/fbmem.c 2008-04-17 20:05:17.000000000 -0400
51916 ++++ linux-2.6.24.5/drivers/video/fbmem.c 2008-04-17 20:05:01.000000000 -0400
51917 +@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
51918 + image->dx += image->width + 8;
51919 + }
51920 + } else if (rotate == FB_ROTATE_UD) {
51921 +- for (x = 0; x < num && image->dx >= 0; x++) {
51922 ++ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
51923 + info->fbops->fb_imageblit(info, image);
51924 + image->dx -= image->width + 8;
51925 + }
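Review bot: `(__s32)image->dx >= 0` makes the loop terminate by relying on `dx` wrapping past 2^31 after repeated `image->dx -= image->width + 8` subtractions; the old unsigned comparison was always true, so the loop ran `num` times and could hand a wrapped `dx` to `fb_imageblit`. The cast fixes that but depends on signed reinterpretation of an unsigned field; checking before the subtraction (`if (image->dx < image->width + 8) break;`) states the intent without the cast. The same applies to the `dy` hunk below.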
51926 +@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
51927 + image->dy += image->height + 8;
51928 + }
51929 + } else if (rotate == FB_ROTATE_CCW) {
51930 +- for (x = 0; x < num && image->dy >= 0; x++) {
51931 ++ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
51932 + info->fbops->fb_imageblit(info, image);
51933 + image->dy -= image->height + 8;
51934 + }
51935 +@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
51936 + case FBIOPUT_CON2FBMAP:
51937 + if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
51938 + return - EFAULT;
51939 +- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
51940 ++ if (con2fb.console > MAX_NR_CONSOLES)
51941 + return -EINVAL;
51942 +- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
51943 ++ if (con2fb.framebuffer >= FB_MAX)
51944 + return -EINVAL;
51945 + #ifdef CONFIG_KMOD
51946 + if (!registered_fb[con2fb.framebuffer])
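Review bot: removing the two `< 0` tests is fine if `console` and `framebuffer` in `struct fb_con2fbmap` are unsigned (they were no-ops then), but please check the surviving `con2fb.console > MAX_NR_CONSOLES` bound against how the notifier consumer indexes its console array: if it treats the value as 1-based and subtracts one, a value of 0 is now the one out-of-range input this function does not reject; if it is 0-based, `== MAX_NR_CONSOLES` is one past the end. Both are pre-existing, but this hunk is the place to fix them. The `>= FB_MAX` test is consistent with the `registered_fb[con2fb.framebuffer]` index that follows.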
51947 +diff -urNp linux-2.6.24.5/drivers/video/fbmon.c linux-2.6.24.5/drivers/video/fbmon.c
51948 +--- linux-2.6.24.5/drivers/video/fbmon.c 2008-03-24 14:49:18.000000000 -0400
51949 ++++ linux-2.6.24.5/drivers/video/fbmon.c 2008-03-26 20:21:08.000000000 -0400
51950 +@@ -45,7 +45,7 @@
51951 + #ifdef DEBUG
51952 + #define DPRINTK(fmt, args...) printk(fmt,## args)
51953 + #else
51954 +-#define DPRINTK(fmt, args...)
51955 ++#define DPRINTK(fmt, args...) do {} while (0)
51956 + #endif
51957 +
51958 + #define FBMON_FIX_HEADER 1
51959 +diff -urNp linux-2.6.24.5/drivers/video/i810/i810_accel.c linux-2.6.24.5/drivers/video/i810/i810_accel.c
51960 +--- linux-2.6.24.5/drivers/video/i810/i810_accel.c 2008-03-24 14:49:18.000000000 -0400
51961 ++++ linux-2.6.24.5/drivers/video/i810/i810_accel.c 2008-03-26 20:21:08.000000000 -0400
51962 +@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
51963 + }
51964 + }
51965 + printk("ringbuffer lockup!!!\n");
51966 ++ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
51967 + i810_report_error(mmio);
51968 + par->dev_flags |= LOCKUP;
51969 + info->pixmap.scan_align = 1;
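Review bot: the added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` has no log level and no driver prefix. The existing `printk("ringbuffer lockup!!!\n")` has the same problem, but since this hunk extends that path, give both `KERN_ERR "i810fb: "` so the lockup report survives the default console loglevel and can be attributed to the driver. The values printed are exactly what the wait loop compared, so the diagnostic itself is useful.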
51970 +diff -urNp linux-2.6.24.5/drivers/video/i810/i810_main.c linux-2.6.24.5/drivers/video/i810/i810_main.c
51971 +--- linux-2.6.24.5/drivers/video/i810/i810_main.c 2008-03-24 14:49:18.000000000 -0400
51972 ++++ linux-2.6.24.5/drivers/video/i810/i810_main.c 2008-03-26 20:21:08.000000000 -0400
51973 +@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
51974 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
51975 + { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
51976 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
51977 +- { 0 },
51978 ++ { 0, 0, 0, 0, 0, 0, 0 },
51979 + };
51980 +
51981 + static struct pci_driver i810fb_driver = {
51982 +@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
51983 + int size = ((cursor->image.width + 7) >> 3) *
51984 + cursor->image.height;
51985 + int i;
51986 +- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
51987 ++ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
51988 +
51989 + if (data == NULL)
51990 + return -ENOMEM;
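Review bot: changing this `kmalloc(64 * 8, ...)` from GFP_ATOMIC to GFP_KERNEL lets the allocation sleep, which is only safe if `i810fb_cursor` is never entered with interrupts disabled or under a spinlock. The fb_cursor op is reachable from the console cursor path as well as from fbcon's cursor work item, so either document why a sleeping context is guaranteed here or keep GFP_ATOMIC; a 512-byte atomic allocation is cheap and the original choice looks deliberate.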
51991 +diff -urNp linux-2.6.24.5/drivers/video/modedb.c linux-2.6.24.5/drivers/video/modedb.c
51992 +--- linux-2.6.24.5/drivers/video/modedb.c 2008-03-24 14:49:18.000000000 -0400
51993 ++++ linux-2.6.24.5/drivers/video/modedb.c 2008-03-26 20:21:08.000000000 -0400
51994 +@@ -37,232 +37,232 @@ static const struct fb_videomode modedb[
51995 + {
51996 + /* 640x400 @ 70 Hz, 31.5 kHz hsync */
51997 + NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
51998 +- 0, FB_VMODE_NONINTERLACED
51999 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52000 + }, {
52001 + /* 640x480 @ 60 Hz, 31.5 kHz hsync */
52002 + NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
52003 +- 0, FB_VMODE_NONINTERLACED
52004 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52005 + }, {
52006 + /* 800x600 @ 56 Hz, 35.15 kHz hsync */
52007 + NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
52008 +- 0, FB_VMODE_NONINTERLACED
52009 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52010 + }, {
52011 + /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
52012 + NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
52013 +- 0, FB_VMODE_INTERLACED
52014 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52015 + }, {
52016 + /* 640x400 @ 85 Hz, 37.86 kHz hsync */
52017 + NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
52018 +- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52019 ++ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52020 + }, {
52021 + /* 640x480 @ 72 Hz, 36.5 kHz hsync */
52022 + NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
52023 +- 0, FB_VMODE_NONINTERLACED
52024 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52025 + }, {
52026 + /* 640x480 @ 75 Hz, 37.50 kHz hsync */
52027 + NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
52028 +- 0, FB_VMODE_NONINTERLACED
52029 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52030 + }, {
52031 + /* 800x600 @ 60 Hz, 37.8 kHz hsync */
52032 + NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
52033 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52034 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52035 + }, {
52036 + /* 640x480 @ 85 Hz, 43.27 kHz hsync */
52037 + NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
52038 +- 0, FB_VMODE_NONINTERLACED
52039 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52040 + }, {
52041 + /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
52042 + NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
52043 +- 0, FB_VMODE_INTERLACED
52044 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52045 + }, {
52046 + /* 800x600 @ 72 Hz, 48.0 kHz hsync */
52047 + NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
52048 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52049 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52050 + }, {
52051 + /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
52052 + NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
52053 +- 0, FB_VMODE_NONINTERLACED
52054 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52055 + }, {
52056 + /* 640x480 @ 100 Hz, 53.01 kHz hsync */
52057 + NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
52058 +- 0, FB_VMODE_NONINTERLACED
52059 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52060 + }, {
52061 + /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
52062 + NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
52063 +- 0, FB_VMODE_NONINTERLACED
52064 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52065 + }, {
52066 + /* 800x600 @ 85 Hz, 55.84 kHz hsync */
52067 + NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
52068 +- 0, FB_VMODE_NONINTERLACED
52069 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52070 + }, {
52071 + /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
52072 + NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
52073 +- 0, FB_VMODE_NONINTERLACED
52074 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52075 + }, {
52076 + /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
52077 + NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
52078 +- 0, FB_VMODE_INTERLACED
52079 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
52080 + }, {
52081 + /* 800x600 @ 100 Hz, 64.02 kHz hsync */
52082 + NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
52083 +- 0, FB_VMODE_NONINTERLACED
52084 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52085 + }, {
52086 + /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
52087 + NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
52088 +- 0, FB_VMODE_NONINTERLACED
52089 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52090 + }, {
52091 + /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
52092 + NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
52093 +- 0, FB_VMODE_NONINTERLACED
52094 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52095 + }, {
52096 + /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
52097 + NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
52098 +- 0, FB_VMODE_NONINTERLACED
52099 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52100 + }, {
52101 + /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
52102 + NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
52103 +- 0, FB_VMODE_NONINTERLACED
52104 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52105 + }, {
52106 + /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
52107 + NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
52108 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52109 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52110 + }, {
52111 + /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
52112 + NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
52113 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52114 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52115 + }, {
52116 + /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
52117 + NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
52118 +- 0, FB_VMODE_NONINTERLACED
52119 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52120 + }, {
52121 + /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
52122 + NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
52123 +- 0, FB_VMODE_NONINTERLACED
52124 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52125 + }, {
52126 + /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
52127 + NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
52128 +- 0, FB_VMODE_NONINTERLACED
52129 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52130 + }, {
52131 + /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
52132 + NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
52133 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52134 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52135 + }, {
52136 + /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
52137 + NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
52138 +- 0, FB_VMODE_NONINTERLACED
52139 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52140 + }, {
52141 + /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
52142 + NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
52143 +- 0, FB_VMODE_NONINTERLACED
52144 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52145 + }, {
52146 + /* 1024x768 @ 100Hz, 80.21 kHz hsync */
52147 + NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
52148 +- 0, FB_VMODE_NONINTERLACED
52149 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52150 + }, {
52151 + /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
52152 + NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
52153 +- 0, FB_VMODE_NONINTERLACED
52154 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52155 + }, {
52156 + /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
52157 + NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
52158 +- 0, FB_VMODE_NONINTERLACED
52159 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52160 + }, {
52161 + /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
52162 + NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
52163 +- 0, FB_VMODE_NONINTERLACED
52164 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52165 + }, {
52166 + /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
52167 + NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
52168 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52169 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52170 + }, {
52171 + /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
52172 + NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
52173 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52174 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52175 + }, {
52176 + /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
52177 + NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
52178 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52179 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52180 + }, {
52181 + /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
52182 + NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
52183 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52184 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52185 + }, {
52186 + /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
52187 + NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
52188 +- 0, FB_VMODE_NONINTERLACED
52189 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52190 + }, {
52191 + /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
52192 + NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
52193 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52194 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52195 + }, {
52196 + /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
52197 + NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
52198 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52199 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52200 + }, {
52201 + /* 512x384 @ 78 Hz, 31.50 kHz hsync */
52202 + NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
52203 +- 0, FB_VMODE_NONINTERLACED
52204 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52205 + }, {
52206 + /* 512x384 @ 85 Hz, 34.38 kHz hsync */
52207 + NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
52208 +- 0, FB_VMODE_NONINTERLACED
52209 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52210 + }, {
52211 + /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
52212 + NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
52213 +- 0, FB_VMODE_DOUBLE
52214 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52215 + }, {
52216 + /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
52217 + NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
52218 +- 0, FB_VMODE_DOUBLE
52219 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52220 + }, {
52221 + /* 320x240 @ 72 Hz, 36.5 kHz hsync */
52222 + NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
52223 +- 0, FB_VMODE_DOUBLE
52224 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52225 + }, {
52226 + /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
52227 + NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
52228 +- 0, FB_VMODE_DOUBLE
52229 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52230 + }, {
52231 + /* 400x300 @ 60 Hz, 37.8 kHz hsync */
52232 + NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
52233 +- 0, FB_VMODE_DOUBLE
52234 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52235 + }, {
52236 + /* 400x300 @ 72 Hz, 48.0 kHz hsync */
52237 + NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
52238 +- 0, FB_VMODE_DOUBLE
52239 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52240 + }, {
52241 + /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
52242 + NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
52243 +- 0, FB_VMODE_DOUBLE
52244 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52245 + }, {
52246 + /* 480x300 @ 60 Hz, 37.8 kHz hsync */
52247 + NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
52248 +- 0, FB_VMODE_DOUBLE
52249 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52250 + }, {
52251 + /* 480x300 @ 63 Hz, 39.6 kHz hsync */
52252 + NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
52253 +- 0, FB_VMODE_DOUBLE
52254 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52255 + }, {
52256 + /* 480x300 @ 72 Hz, 48.0 kHz hsync */
52257 + NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
52258 +- 0, FB_VMODE_DOUBLE
52259 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
52260 + }, {
52261 + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
52262 + NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
52263 + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
52264 +- FB_VMODE_NONINTERLACED
52265 ++ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52266 + }, {
52267 + /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
52268 + NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
52269 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
52270 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52271 + }, {
52272 + /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
52273 + NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
52274 +- 0, FB_VMODE_NONINTERLACED
52275 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52276 + }, {
52277 + /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
52278 + NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
52279 +- 0, FB_VMODE_NONINTERLACED
52280 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
52281 + },
52282 + };
52283 +
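Review bot: appending `FB_MODE_IS_UNKNOWN` to every `modedb[]` entry only completes the positional initializers (the value is 0, which implicit initialization already gave the last member), so there is no behaviour change and the log should call this a warning fix. Since the hunk rewrites some sixty entries, switching the table to designated initializers (`.refresh =`, `.xres =`, ...) would make the next field addition a no-op instead of another sixty-line hunk.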
52284 +diff -urNp linux-2.6.24.5/drivers/video/uvesafb.c linux-2.6.24.5/drivers/video/uvesafb.c
52285 +--- linux-2.6.24.5/drivers/video/uvesafb.c 2008-03-24 14:49:18.000000000 -0400
52286 ++++ linux-2.6.24.5/drivers/video/uvesafb.c 2008-03-26 20:21:08.000000000 -0400
52287 +@@ -117,7 +117,7 @@ static int uvesafb_helper_start(void)
52288 + NULL,
52289 + };
52290 +
52291 +- return call_usermodehelper(v86d_path, argv, envp, 1);
52292 ++ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
52293 + }
52294 +
52295 + /*
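Review bot: `UMH_WAIT_PROC` has the same value as the literal `1` it replaces, so this is a readability-only change with no difference in how long `uvesafb_helper_start` waits for v86d; one line in the changelog saying so saves the next reader from hunting for a semantic change.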
52296 +diff -urNp linux-2.6.24.5/drivers/video/vesafb.c linux-2.6.24.5/drivers/video/vesafb.c
52297 +--- linux-2.6.24.5/drivers/video/vesafb.c 2008-03-24 14:49:18.000000000 -0400
52298 ++++ linux-2.6.24.5/drivers/video/vesafb.c 2008-03-26 20:21:08.000000000 -0400
52299 +@@ -9,6 +9,7 @@
52300 + */
52301 +
52302 + #include <linux/module.h>
52303 ++#include <linux/moduleloader.h>
52304 + #include <linux/kernel.h>
52305 + #include <linux/errno.h>
52306 + #include <linux/string.h>
52307 +@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
52308 + static int vram_total __initdata; /* Set total amount of memory */
52309 + static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
52310 + static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
52311 +-static void (*pmi_start)(void) __read_mostly;
52312 +-static void (*pmi_pal) (void) __read_mostly;
52313 ++static void (*pmi_start)(void) __read_only;
52314 ++static void (*pmi_pal) (void) __read_only;
52315 + static int depth __read_mostly;
52316 + static int vga_compat __read_mostly;
52317 + /* --------------------------------------------------------------------- */
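Review bot: `__read_only` on `pmi_start` and `pmi_pal` is a PaX-specific attribute, and the later hunk stores both pointers inside a `pax_open_kernel`/`pax_close_kernel` pair, which is consistent; please make sure the attribute is also defined for builds without CONFIG_PAX_KERNEXEC (falling back to `__read_mostly` or to nothing), otherwise vesafb no longer compiles on those configurations.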
52318 +@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
52319 + unsigned int size_vmode;
52320 + unsigned int size_remap;
52321 + unsigned int size_total;
52322 ++ void *pmi_code = NULL;
52323 +
52324 + if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
52325 + return -ENODEV;
52326 +@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
52327 + size_remap = size_total;
52328 + vesafb_fix.smem_len = size_remap;
52329 +
52330 +-#ifndef __i386__
52331 +- screen_info.vesapm_seg = 0;
52332 +-#endif
52333 +-
52334 + if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
52335 + printk(KERN_WARNING
52336 + "vesafb: cannot reserve video memory at 0x%lx\n",
52337 +@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
52338 + printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
52339 + vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
52340 +
52341 ++#ifdef __i386__
52342 ++
52343 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52344 ++ pmi_code = module_alloc_exec(screen_info.vesapm_size);
52345 ++ if (!pmi_code)
52346 ++#elif !defined(CONFIG_PAX_KERNEXEC)
52347 ++ if (0)
52348 ++#endif
52349 ++
52350 ++#endif
52351 ++ screen_info.vesapm_seg = 0;
52352 ++
52353 + if (screen_info.vesapm_seg) {
52354 +- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
52355 +- screen_info.vesapm_seg,screen_info.vesapm_off);
52356 ++ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
52357 ++ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
52358 + }
52359 +
52360 + if (screen_info.vesapm_seg < 0xc000)
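Review bot: the `if` whose body is `screen_info.vesapm_seg = 0;` is assembled from three preprocessor branches (`if (!pmi_code)`, `if (0)`, or no `if` at all), which is very hard to read and easy to break with a later edit. The four resulting cases are: non-i386 always disables the PMI (as the removed `#ifndef __i386__` block did); i386 with KERNEXEC and CONFIG_MODULES disables it only when `module_alloc_exec` fails; i386 without KERNEXEC never disables it; i386 with KERNEXEC but without CONFIG_MODULES always disables it. Please compute a `bool disable_pmi` in plain `#ifdef` blocks and use a single `if (disable_pmi)`, and comment the last case, since it silently loses ypan and palette PMI on such kernels.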
52361 +@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
52362 +
52363 + if (ypan || pmi_setpal) {
52364 + unsigned short *pmi_base;
52365 +- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
52366 +- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
52367 +- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
52368 ++
52369 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52370 ++ unsigned long cr0;
52371 ++#endif
52372 ++
52373 ++ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
52374 ++
52375 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52376 ++ pax_open_kernel(cr0);
52377 ++ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
52378 ++#else
52379 ++ pmi_code = pmi_base;
52380 ++#endif
52381 ++
52382 ++ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
52383 ++ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
52384 ++
52385 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52386 ++ pmi_start = ktva_ktla(pmi_start);
52387 ++ pmi_pal = ktva_ktla(pmi_pal);
52388 ++ pax_close_kernel(cr0);
52389 ++#endif
52390 ++
52391 + printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
52392 + if (pmi_base[3]) {
52393 + printk(KERN_INFO "vesafb: pmi: ports = ");
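Review bot: `memcpy(pmi_code, pmi_base, screen_info.vesapm_size)` copies exactly `vesapm_size` bytes, but `pmi_start` and `pmi_pal` are then formed from the table offsets `pmi_base[1]` and `pmi_base[2]` with no check that they fall inside that size; the table and its size both come from the boot-time VESA data, and an offset at or beyond `vesapm_size` yields a function pointer outside the copied region. Disable the PMI (as the `< 0xc000` check above does) when either offset is `>= screen_info.vesapm_size` before computing the pointers. Also, the port list is still read through `pmi_base[3]` rather than the copy, which is fine, but a comment saying the original table stays mapped would prevent someone from "fixing" that.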
52394 +@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
52395 + info->node, info->fix.id);
52396 + return 0;
52397 + err:
52398 ++
52399 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
52400 ++ module_free_exec(NULL, pmi_code);
52401 ++#endif
52402 ++
52403 + if (info->screen_base)
52404 + iounmap(info->screen_base);
52405 + framebuffer_release(info);
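Review bot: `module_free_exec(NULL, pmi_code)` is only reached on the error path; on the success path `pmi_code` leaks whenever it was allocated but never used, that is when `screen_info.vesapm_seg < 0xc000` or neither `ypan` nor `pmi_setpal` is set. Either allocate lazily inside the `if (ypan || pmi_setpal)` block or free it before `return 0` when the PMI ends up unused. The err-path call also relies on `module_free_exec` accepting a NULL region for the configurations that never allocate; if that holds it is fine, but an `if (pmi_code)` guard would make it explicit.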
52406 +diff -urNp linux-2.6.24.5/fs/9p/vfs_inode.c linux-2.6.24.5/fs/9p/vfs_inode.c
52407 +--- linux-2.6.24.5/fs/9p/vfs_inode.c 2008-03-24 14:49:18.000000000 -0400
52408 ++++ linux-2.6.24.5/fs/9p/vfs_inode.c 2008-03-26 20:21:08.000000000 -0400
52409 +@@ -996,7 +996,7 @@ static void *v9fs_vfs_follow_link(struct
52410 +
52411 + static void v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
52412 + {
52413 +- char *s = nd_get_link(nd);
52414 ++ const char *s = nd_get_link(nd);
52415 +
52416 + P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name, s);
52417 + if (!IS_ERR(s))
52418 +diff -urNp linux-2.6.24.5/fs/aio.c linux-2.6.24.5/fs/aio.c
52419 +--- linux-2.6.24.5/fs/aio.c 2008-03-24 14:49:18.000000000 -0400
52420 ++++ linux-2.6.24.5/fs/aio.c 2008-03-26 20:21:08.000000000 -0400
52421 +@@ -114,7 +114,7 @@ static int aio_setup_ring(struct kioctx
52422 + size += sizeof(struct io_event) * nr_events;
52423 + nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
52424 +
52425 +- if (nr_pages < 0)
52426 ++ if (nr_pages <= 0)
52427 + return -EINVAL;
52428 +
52429 + nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
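Review bot: `nr_pages <= 0` now also rejects `nr_pages == 0`, which after `size += sizeof(struct io_event) * nr_events;` can only occur if that multiplication wrapped; the new test is therefore catching an overflow by its side effect, and a wrap that lands on a small nonzero page count still passes. A direct bound on `nr_events` against `(ULONG_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event)` before computing `size` would state the intent and close that case too.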
52430 +diff -urNp linux-2.6.24.5/fs/autofs4/symlink.c linux-2.6.24.5/fs/autofs4/symlink.c
52431 +--- linux-2.6.24.5/fs/autofs4/symlink.c 2008-03-24 14:49:18.000000000 -0400
52432 ++++ linux-2.6.24.5/fs/autofs4/symlink.c 2008-03-26 20:21:08.000000000 -0400
52433 +@@ -15,7 +15,7 @@
52434 + static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
52435 + {
52436 + struct autofs_info *ino = autofs4_dentry_ino(dentry);
52437 +- nd_set_link(nd, (char *)ino->u.symlink);
52438 ++ nd_set_link(nd, ino->u.symlink);
52439 + return NULL;
52440 + }
52441 +
52442 +diff -urNp linux-2.6.24.5/fs/befs/linuxvfs.c linux-2.6.24.5/fs/befs/linuxvfs.c
52443 +--- linux-2.6.24.5/fs/befs/linuxvfs.c 2008-03-24 14:49:18.000000000 -0400
52444 ++++ linux-2.6.24.5/fs/befs/linuxvfs.c 2008-03-26 20:21:08.000000000 -0400
52445 +@@ -482,7 +482,7 @@ static void befs_put_link(struct dentry
52446 + {
52447 + befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
52448 + if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
52449 +- char *p = nd_get_link(nd);
52450 ++ const char *p = nd_get_link(nd);
52451 + if (!IS_ERR(p))
52452 + kfree(p);
52453 + }
52454 +diff -urNp linux-2.6.24.5/fs/binfmt_aout.c linux-2.6.24.5/fs/binfmt_aout.c
52455 +--- linux-2.6.24.5/fs/binfmt_aout.c 2008-03-24 14:49:18.000000000 -0400
52456 ++++ linux-2.6.24.5/fs/binfmt_aout.c 2008-03-26 20:21:08.000000000 -0400
52457 +@@ -24,6 +24,7 @@
52458 + #include <linux/binfmts.h>
52459 + #include <linux/personality.h>
52460 + #include <linux/init.h>
52461 ++#include <linux/grsecurity.h>
52462 +
52463 + #include <asm/system.h>
52464 + #include <asm/uaccess.h>
52465 +@@ -123,18 +124,22 @@ static int aout_core_dump(long signr, st
52466 + /* If the size of the dump file exceeds the rlimit, then see what would happen
52467 + if we wrote the stack, but not the data area. */
52468 + #ifdef __sparc__
52469 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize + dump.u_ssize, 1);
52470 + if ((dump.u_dsize + dump.u_ssize) > limit)
52471 + dump.u_dsize = 0;
52472 + #else
52473 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
52474 + if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
52475 + dump.u_dsize = 0;
52476 + #endif
52477 +
52478 + /* Make sure we have enough room to write the stack and data areas. */
52479 + #ifdef __sparc__
52480 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
52481 + if (dump.u_ssize > limit)
52482 + dump.u_ssize = 0;
52483 + #else
52484 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
52485 + if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
52486 + dump.u_ssize = 0;
52487 + #endif
52488 +@@ -290,6 +295,8 @@ static int load_aout_binary(struct linux
52489 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
52490 + if (rlim >= RLIM_INFINITY)
52491 + rlim = ~0;
52492 ++
52493 ++ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
52494 + if (ex.a_data + ex.a_bss > rlim)
52495 + return -ENOMEM;
52496 +
52497 +@@ -321,6 +328,28 @@ static int load_aout_binary(struct linux
52498 +
52499 + compute_creds(bprm);
52500 + current->flags &= ~PF_FORKNOEXEC;
52501 ++
52502 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
52503 ++ current->mm->pax_flags = 0UL;
52504 ++#endif
52505 ++
52506 ++#ifdef CONFIG_PAX_PAGEEXEC
52507 ++ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
52508 ++ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
52509 ++
52510 ++#ifdef CONFIG_PAX_EMUTRAMP
52511 ++ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
52512 ++ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
52513 ++#endif
52514 ++
52515 ++#ifdef CONFIG_PAX_MPROTECT
52516 ++ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
52517 ++ current->mm->pax_flags |= MF_PAX_MPROTECT;
52518 ++#endif
52519 ++
52520 ++ }
52521 ++#endif
52522 ++
52523 + #ifdef __sparc__
52524 + if (N_MAGIC(ex) == NMAGIC) {
52525 + loff_t pos = fd_offset;
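Review bot: under `CONFIG_PAX_ASLR` this hunk clears `current->mm->pax_flags` but never sets a randomisation flag for a.out, so a.out images get PAGEEXEC, EMUTRAMP and MPROTECT handling but no ASLR; if that is intentional (a.out has a fixed layout), say so in a comment next to the `#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)` block, because the condition suggests ASLR is handled here. The inverted meaning of the header bits (`F_PAX_PAGEEXEC` set disables PAGEEXEC, `F_PAX_EMUTRAMP` set enables EMUTRAMP, `F_PAX_MPROTECT` set disables MPROTECT) follows the PaX convention but is not obvious from the code and deserves a one-line comment as well.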
52526 +@@ -416,7 +445,7 @@ static int load_aout_binary(struct linux
52527 +
52528 + down_write(&current->mm->mmap_sem);
52529 + error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
52530 +- PROT_READ | PROT_WRITE | PROT_EXEC,
52531 ++ PROT_READ | PROT_WRITE,
52532 + MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
52533 + fd_offset + ex.a_text);
52534 + up_write(&current->mm->mmap_sem);
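Review bot: dropping `PROT_EXEC` from the data segment mapping is the right default, but it is a user-visible change for a.out binaries that execute from their data or bss (trampolines being the classic case): with PAGEEXEC enabled they now fault unless `F_PAX_EMUTRAMP` is set in the header. Mention the compatibility impact in the log, and confirm that the text mapping keeps PROT_EXEC and that the bss/brk area set up after this point is not mapped executable either, otherwise the W^X split introduced here is only partial.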
52535 +diff -urNp linux-2.6.24.5/fs/binfmt_elf.c linux-2.6.24.5/fs/binfmt_elf.c
52536 +--- linux-2.6.24.5/fs/binfmt_elf.c 2008-03-24 14:49:18.000000000 -0400
52537 ++++ linux-2.6.24.5/fs/binfmt_elf.c 2008-03-26 20:21:08.000000000 -0400
52538 +@@ -39,10 +39,16 @@
52539 + #include <linux/random.h>
52540 + #include <linux/elf.h>
52541 + #include <linux/utsname.h>
52542 ++#include <linux/grsecurity.h>
52543 ++
52544 + #include <asm/uaccess.h>
52545 + #include <asm/param.h>
52546 + #include <asm/page.h>
52547 +
52548 ++#ifdef CONFIG_PAX_SEGMEXEC
52549 ++#include <asm/desc.h>
52550 ++#endif
52551 ++
52552 + static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
52553 + static int load_elf_library(struct file *);
52554 + static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
52555 +@@ -84,6 +90,8 @@ static struct linux_binfmt elf_format =
52556 +
52557 + static int set_brk(unsigned long start, unsigned long end)
52558 + {
52559 ++ unsigned long e = end;
52560 ++
52561 + start = ELF_PAGEALIGN(start);
52562 + end = ELF_PAGEALIGN(end);
52563 + if (end > start) {
52564 +@@ -94,7 +102,7 @@ static int set_brk(unsigned long start,
52565 + if (BAD_ADDR(addr))
52566 + return addr;
52567 + }
52568 +- current->mm->start_brk = current->mm->brk = end;
52569 ++ current->mm->start_brk = current->mm->brk = e;
52570 + return 0;
52571 + }
52572 +
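Review bot: storing the unaligned `e` instead of the page-aligned `end` in `start_brk`/`brk` changes what every reader of `mm->brk` sees, not only `sys_brk` (which aligns on its own); as written it looks like the alignment was simply forgotten. Add a comment saying why the exact end of bss is wanted here (for example if a later step randomises the brk base from it), and consider naming the copy `unaligned_end` instead of `e` so the intent is visible at the assignment.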
52573 +@@ -328,10 +336,9 @@ static unsigned long load_elf_interp(str
52574 + {
52575 + struct elf_phdr *elf_phdata;
52576 + struct elf_phdr *eppnt;
52577 +- unsigned long load_addr = 0;
52578 +- int load_addr_set = 0;
52579 ++ unsigned long load_addr = 0, min_addr, max_addr, pax_task_size = TASK_SIZE;
52580 + unsigned long last_bss = 0, elf_bss = 0;
52581 +- unsigned long error = ~0UL;
52582 ++ unsigned long error = -EINVAL;
52583 + int retval, i, size;
52584 +
52585 + /* First of all, some simple consistency checks */
52586 +@@ -370,66 +377,86 @@ static unsigned long load_elf_interp(str
52587 + goto out_close;
52588 + }
52589 +
52590 ++#ifdef CONFIG_PAX_SEGMEXEC
52591 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
52592 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
52593 ++#endif
52594 ++
52595 + eppnt = elf_phdata;
52596 ++ min_addr = pax_task_size;
52597 ++ max_addr = 0;
52598 ++ error = -ENOMEM;
52599 ++
52600 + for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
52601 +- if (eppnt->p_type == PT_LOAD) {
52602 +- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
52603 +- int elf_prot = 0;
52604 +- unsigned long vaddr = 0;
52605 +- unsigned long k, map_addr;
52606 +-
52607 +- if (eppnt->p_flags & PF_R)
52608 +- elf_prot = PROT_READ;
52609 +- if (eppnt->p_flags & PF_W)
52610 +- elf_prot |= PROT_WRITE;
52611 +- if (eppnt->p_flags & PF_X)
52612 +- elf_prot |= PROT_EXEC;
52613 +- vaddr = eppnt->p_vaddr;
52614 +- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
52615 +- elf_type |= MAP_FIXED;
52616 +-
52617 +- map_addr = elf_map(interpreter, load_addr + vaddr,
52618 +- eppnt, elf_prot, elf_type);
52619 +- error = map_addr;
52620 +- if (BAD_ADDR(map_addr))
52621 +- goto out_close;
52622 +-
52623 +- if (!load_addr_set &&
52624 +- interp_elf_ex->e_type == ET_DYN) {
52625 +- load_addr = map_addr - ELF_PAGESTART(vaddr);
52626 +- load_addr_set = 1;
52627 +- }
52628 ++ if (eppnt->p_type != PT_LOAD)
52629 ++ continue;
52630 +
52631 +- /*
52632 +- * Check to see if the section's size will overflow the
52633 +- * allowed task size. Note that p_filesz must always be
52634 +- * <= p_memsize so it's only necessary to check p_memsz.
52635 +- */
52636 +- k = load_addr + eppnt->p_vaddr;
52637 +- if (BAD_ADDR(k) ||
52638 +- eppnt->p_filesz > eppnt->p_memsz ||
52639 +- eppnt->p_memsz > TASK_SIZE ||
52640 +- TASK_SIZE - eppnt->p_memsz < k) {
52641 +- error = -ENOMEM;
52642 +- goto out_close;
52643 +- }
52644 ++ /*
52645 ++ * Check to see if the section's size will overflow the
52646 ++ * allowed task size. Note that p_filesz must always be
52647 ++ * <= p_memsize so it is only necessary to check p_memsz.
52648 ++ */
52649 ++ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
52650 ++ goto out_close;
52651 +
52652 +- /*
52653 +- * Find the end of the file mapping for this phdr, and
52654 +- * keep track of the largest address we see for this.
52655 +- */
52656 +- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
52657 +- if (k > elf_bss)
52658 +- elf_bss = k;
52659 ++ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
52660 ++ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
52661 ++ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
52662 ++ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
52663 ++ }
52664 ++ if (min_addr >= max_addr || max_addr > pax_task_size)
52665 ++ goto out_close;
52666 +
52667 +- /*
52668 +- * Do the same thing for the memory mapping - between
52669 +- * elf_bss and last_bss is the bss section.
52670 +- */
52671 +- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
52672 +- if (k > last_bss)
52673 +- last_bss = k;
52674 +- }
52675 ++ if (interp_elf_ex->e_type == ET_DYN) {
52676 ++ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
52677 ++
52678 ++ if (load_addr >= pax_task_size)
52679 ++ goto out_close;
52680 ++
52681 ++ load_addr -= min_addr;
52682 ++ }
52683 ++
52684 ++ eppnt = elf_phdata;
52685 ++ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
52686 ++ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
52687 ++ int elf_prot = 0;
52688 ++ unsigned long vaddr = 0;
52689 ++ unsigned long k, map_addr;
52690 ++
52691 ++ if (eppnt->p_type != PT_LOAD)
52692 ++ continue;
52693 ++
52694 ++ if (eppnt->p_flags & PF_R)
52695 ++ elf_prot = PROT_READ;
52696 ++ if (eppnt->p_flags & PF_W)
52697 ++ elf_prot |= PROT_WRITE;
52698 ++ if (eppnt->p_flags & PF_X)
52699 ++ elf_prot |= PROT_EXEC;
52700 ++ vaddr = eppnt->p_vaddr;
52701 ++
52702 ++ map_addr = elf_map(interpreter, load_addr + vaddr,
52703 ++ eppnt, elf_prot, elf_type);
52704 ++ error = map_addr;
52705 ++ if (BAD_ADDR(map_addr))
52706 ++ goto out_close;
52707 ++
52708 ++ k = load_addr + eppnt->p_vaddr;
52709 ++
52710 ++ /*
52711 ++ * Find the end of the file mapping for this phdr, and
52712 ++ * keep track of the largest address we see for this.
52713 ++ */
52714 ++ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
52715 ++ if (k > elf_bss)
52716 ++ elf_bss = k;
52717 ++
52718 ++ /*
52719 ++ * Do the same thing for the memory mapping - between
52720 ++ * elf_bss and last_bss is the bss section.
52721 ++ */
52722 ++ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
52723 ++ if (k > last_bss)
52724 ++ last_bss = k;
52725 + }
52726 +
52727 + /*
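Review bot: the two new "goto out_close" exits, after "if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)" and after "if (min_addr >= max_addr || max_addr > pax_task_size)", jump out without assigning error, unlike the "error = -ENOMEM;" they replace, so what load_elf_binary receives depends entirely on the initial value of error at the top of load_elf_interp, which this hunk does not show; set an explicit error code before each jump. Two smaller points in the same hunk: "k = load_addr + eppnt->p_vaddr;" in the second loop is dead, since it is overwritten by "k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;" a few lines later now that the BAD_ADDR(k) check it fed is gone, and the p_vaddr >= p_vaddr + p_memsz test also rejects a PT_LOAD with p_memsz == 0, which the old TASK_SIZE checks accepted, so the comment should say whether that is intended. Also note that ELF_PAGEALIGN(p_vaddr + p_memsz) wraps to zero for a segment ending within one page of the top of the address space, which leaves max_addr unchanged and lets that segment slip past the "max_addr > pax_task_size" check; the later elf_map still has to reject it, so either check the unaligned end here or say in a comment that elf_map is the backstop.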
52728 +@@ -457,6 +484,8 @@ static unsigned long load_elf_interp(str
52729 +
52730 + *interp_load_addr = load_addr;
52731 + error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
52732 ++ if (BAD_ADDR(error))
52733 ++ error = -EFAULT;
52734 +
52735 + out_close:
52736 + kfree(elf_phdata);
52737 +@@ -467,7 +496,7 @@ out:
52738 + static unsigned long load_aout_interp(struct exec *interp_ex,
52739 + struct file *interpreter)
52740 + {
52741 +- unsigned long text_data, elf_entry = ~0UL;
52742 ++ unsigned long text_data, elf_entry = -EINVAL;
52743 + char __user * addr;
52744 + loff_t offset;
52745 +
52746 +@@ -510,6 +539,177 @@ out:
52747 + return elf_entry;
52748 + }
52749 +
52750 ++#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
52751 ++static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
52752 ++{
52753 ++ unsigned long pax_flags = 0UL;
52754 ++
52755 ++#ifdef CONFIG_PAX_PAGEEXEC
52756 ++ if (elf_phdata->p_flags & PF_PAGEEXEC)
52757 ++ pax_flags |= MF_PAX_PAGEEXEC;
52758 ++#endif
52759 ++
52760 ++#ifdef CONFIG_PAX_SEGMEXEC
52761 ++ if (elf_phdata->p_flags & PF_SEGMEXEC)
52762 ++ pax_flags |= MF_PAX_SEGMEXEC;
52763 ++#endif
52764 ++
52765 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52766 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52767 ++ if (nx_enabled)
52768 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52769 ++ else
52770 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52771 ++ }
52772 ++#endif
52773 ++
52774 ++#ifdef CONFIG_PAX_EMUTRAMP
52775 ++ if (elf_phdata->p_flags & PF_EMUTRAMP)
52776 ++ pax_flags |= MF_PAX_EMUTRAMP;
52777 ++#endif
52778 ++
52779 ++#ifdef CONFIG_PAX_MPROTECT
52780 ++ if (elf_phdata->p_flags & PF_MPROTECT)
52781 ++ pax_flags |= MF_PAX_MPROTECT;
52782 ++#endif
52783 ++
52784 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
52785 ++ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
52786 ++ pax_flags |= MF_PAX_RANDMMAP;
52787 ++#endif
52788 ++
52789 ++ return pax_flags;
52790 ++}
52791 ++#endif
52792 ++
52793 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52794 ++static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
52795 ++{
52796 ++ unsigned long pax_flags = 0UL;
52797 ++
52798 ++#ifdef CONFIG_PAX_PAGEEXEC
52799 ++ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
52800 ++ pax_flags |= MF_PAX_PAGEEXEC;
52801 ++#endif
52802 ++
52803 ++#ifdef CONFIG_PAX_SEGMEXEC
52804 ++ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
52805 ++ pax_flags |= MF_PAX_SEGMEXEC;
52806 ++#endif
52807 ++
52808 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52809 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52810 ++ if (nx_enabled)
52811 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52812 ++ else
52813 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52814 ++ }
52815 ++#endif
52816 ++
52817 ++#ifdef CONFIG_PAX_EMUTRAMP
52818 ++ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
52819 ++ pax_flags |= MF_PAX_EMUTRAMP;
52820 ++#endif
52821 ++
52822 ++#ifdef CONFIG_PAX_MPROTECT
52823 ++ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
52824 ++ pax_flags |= MF_PAX_MPROTECT;
52825 ++#endif
52826 ++
52827 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
52828 ++ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
52829 ++ pax_flags |= MF_PAX_RANDMMAP;
52830 ++#endif
52831 ++
52832 ++ return pax_flags;
52833 ++}
52834 ++#endif
52835 ++
52836 ++#ifdef CONFIG_PAX_EI_PAX
52837 ++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
52838 ++{
52839 ++ unsigned long pax_flags = 0UL;
52840 ++
52841 ++#ifdef CONFIG_PAX_PAGEEXEC
52842 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
52843 ++ pax_flags |= MF_PAX_PAGEEXEC;
52844 ++#endif
52845 ++
52846 ++#ifdef CONFIG_PAX_SEGMEXEC
52847 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
52848 ++ pax_flags |= MF_PAX_SEGMEXEC;
52849 ++#endif
52850 ++
52851 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
52852 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52853 ++ if (nx_enabled)
52854 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
52855 ++ else
52856 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
52857 ++ }
52858 ++#endif
52859 ++
52860 ++#ifdef CONFIG_PAX_EMUTRAMP
52861 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
52862 ++ pax_flags |= MF_PAX_EMUTRAMP;
52863 ++#endif
52864 ++
52865 ++#ifdef CONFIG_PAX_MPROTECT
52866 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
52867 ++ pax_flags |= MF_PAX_MPROTECT;
52868 ++#endif
52869 ++
52870 ++#ifdef CONFIG_PAX_ASLR
52871 ++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
52872 ++ pax_flags |= MF_PAX_RANDMMAP;
52873 ++#endif
52874 ++
52875 ++ return pax_flags;
52876 ++}
52877 ++#endif
52878 ++
52879 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
52880 ++static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
52881 ++{
52882 ++ unsigned long pax_flags = 0UL;
52883 ++
52884 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52885 ++ unsigned long i;
52886 ++#endif
52887 ++
52888 ++#ifdef CONFIG_PAX_EI_PAX
52889 ++ pax_flags = pax_parse_ei_pax(elf_ex);
52890 ++#endif
52891 ++
52892 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
52893 ++ for (i = 0UL; i < elf_ex->e_phnum; i++)
52894 ++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
52895 ++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
52896 ++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
52897 ++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
52898 ++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
52899 ++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
52900 ++ return -EINVAL;
52901 ++
52902 ++#ifdef CONFIG_PAX_SOFTMODE
52903 ++ if (pax_softmode)
52904 ++ pax_flags = pax_parse_softmode(&elf_phdata[i]);
52905 ++ else
52906 ++#endif
52907 ++
52908 ++ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
52909 ++ break;
52910 ++ }
52911 ++#endif
52912 ++
52913 ++ if (0 > pax_check_flags(&pax_flags))
52914 ++ return -EINVAL;
52915 ++
52916 ++ current->mm->pax_flags = pax_flags;
52917 ++ return 0;
52918 ++}
52919 ++#endif
52920 ++
52921 + /*
52922 + * These are the functions used to load ELF style executables and shared
52923 + * libraries. There is no binary dependent code anywhere else.
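Review bot: the Kconfig guards for MF_PAX_RANDMMAP differ between the three parsers: pax_parse_softmode and pax_parse_hardmode use "#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)" while pax_parse_ei_pax uses "#ifdef CONFIG_PAX_ASLR", so whether a binary's RANDMMAP request is honoured can depend on which marking (EI_PAX or PT_PAX_FLAGS) carries it rather than on the configuration alone; use one guard for all three. In the same way pax_parse_ei_pax only grants EMUTRAMP and MPROTECT when PAGEEXEC or SEGMEXEC is already set, but the two PT_PAX_FLAGS parsers grant them unconditionally; align them or comment the asymmetry. In pax_parse_elf_flags a PT_PAX_FLAGS header replaces, rather than merges with, the EI_PAX-derived flags and the loop stops at the first such header; that precedence rule deserves a comment. The selection "if (pax_softmode) pax_flags = pax_parse_softmode(&elf_phdata[i]); else" followed by "#endif" and then the hardmode call relies on an else that spans a preprocessor block; a small static helper wrapping both calls keeps the control flow visible. Finally the softmode and hardmode parsers are identical apart from the negated flag tests and could share one function taking the positive and negative PF_ masks.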
52924 +@@ -547,7 +747,7 @@ static int load_elf_binary(struct linux_
52925 + char * elf_interpreter = NULL;
52926 + unsigned int interpreter_type = INTERPRETER_NONE;
52927 + unsigned char ibcs2_interpreter = 0;
52928 +- unsigned long error;
52929 ++ unsigned long error = 0;
52930 + struct elf_phdr *elf_ppnt, *elf_phdata;
52931 + unsigned long elf_bss, elf_brk;
52932 + int elf_exec_fileno;
52933 +@@ -559,12 +759,12 @@ static int load_elf_binary(struct linux_
52934 + char passed_fileno[6];
52935 + struct files_struct *files;
52936 + int executable_stack = EXSTACK_DEFAULT;
52937 +- unsigned long def_flags = 0;
52938 + struct {
52939 + struct elfhdr elf_ex;
52940 + struct elfhdr interp_elf_ex;
52941 + struct exec interp_ex;
52942 + } *loc;
52943 ++ unsigned long pax_task_size = TASK_SIZE;
52944 +
52945 + loc = kmalloc(sizeof(*loc), GFP_KERNEL);
52946 + if (!loc) {
52947 +@@ -799,14 +999,89 @@ static int load_elf_binary(struct linux_
52948 +
52949 + /* OK, This is the point of no return */
52950 + current->flags &= ~PF_FORKNOEXEC;
52951 +- current->mm->def_flags = def_flags;
52952 ++
52953 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
52954 ++ current->mm->pax_flags = 0UL;
52955 ++#endif
52956 ++
52957 ++#ifdef CONFIG_PAX_DLRESOLVE
52958 ++ current->mm->call_dl_resolve = 0UL;
52959 ++#endif
52960 ++
52961 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
52962 ++ current->mm->call_syscall = 0UL;
52963 ++#endif
52964 ++
52965 ++#ifdef CONFIG_PAX_ASLR
52966 ++ current->mm->delta_mmap = 0UL;
52967 ++ current->mm->delta_stack = 0UL;
52968 ++#endif
52969 ++
52970 ++ current->mm->def_flags = 0;
52971 ++
52972 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
52973 ++ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
52974 ++ send_sig(SIGKILL, current, 0);
52975 ++ goto out_free_dentry;
52976 ++ }
52977 ++#endif
52978 ++
52979 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
52980 ++ pax_set_initial_flags(bprm);
52981 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
52982 ++ if (pax_set_initial_flags_func)
52983 ++ (pax_set_initial_flags_func)(bprm);
52984 ++#endif
52985 ++
52986 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52987 ++ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
52988 ++ current->mm->context.user_cs_limit = PAGE_SIZE;
52989 ++ current->mm->def_flags |= VM_PAGEEXEC;
52990 ++ }
52991 ++#endif
52992 ++
52993 ++#ifdef CONFIG_PAX_SEGMEXEC
52994 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52995 ++ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
52996 ++ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
52997 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
52998 ++ }
52999 ++#endif
53000 ++
53001 ++#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
53002 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53003 ++ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
53004 ++ put_cpu_no_resched();
53005 ++ }
53006 ++#endif
53007 ++
53008 ++#ifdef CONFIG_PAX_ASLR
53009 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
53010 ++ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
53011 ++ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
53012 ++ }
53013 ++#endif
53014 ++
53015 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53016 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53017 ++ executable_stack = EXSTACK_DEFAULT;
53018 ++#endif
53019 +
53020 + /* Do this immediately, since STACK_TOP as used in setup_arg_pages
53021 + may depend on the personality. */
53022 + SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
53023 ++
53024 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53025 ++ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
53026 ++#endif
53027 ++
53028 + if (elf_read_implies_exec(loc->elf_ex, executable_stack))
53029 + current->personality |= READ_IMPLIES_EXEC;
53030 +
53031 ++#ifdef CONFIG_PAX_ASLR
53032 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
53033 ++#endif
53034 ++
53035 + if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
53036 + current->flags |= PF_RANDOMIZE;
53037 + arch_pick_mmap_layout(current->mm);
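Review bot: the pattern "#ifdef CONFIG_PAX_ASLR" / "if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))" / "#endif" immediately followed by an unguarded "if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)" makes the second if the body of the first only when the option is compiled in; it works, but any statement later inserted between them silently becomes the conditional body, and the same shape is used for the PAGEEXEC/SEGMEXEC guard around elf_read_implies_exec. Prefer one combined condition or explicit braces. Two behavioural points should be spelled out in comments: "executable_stack = EXSTACK_DEFAULT;" under PAGEEXEC/SEGMEXEC discards the PT_GNU_STACK request in both directions for such processes, and a pax_parse_elf_flags failure after the point of no return ends in send_sig(SIGKILL) and out_free_dentry, so a binary carrying conflicting positive and negative PT_PAX_FLAGS bits is killed at exec rather than refused with -ENOEXEC; that is consistent with the other post-point-of-no-return failures, but the rationale belongs next to the call.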
53038 +@@ -882,6 +1157,20 @@ static int load_elf_binary(struct linux_
53039 + * might try to exec. This is because the brk will
53040 + * follow the loader, and is not movable. */
53041 + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
53042 ++
53043 ++#ifdef CONFIG_PAX_RANDMMAP
53044 ++ /* PaX: randomize base address at the default exe base if requested */
53045 ++ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
53046 ++#ifdef CONFIG_SPARC64
53047 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
53048 ++#else
53049 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
53050 ++#endif
53051 ++ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
53052 ++ elf_flags |= MAP_FIXED;
53053 ++ }
53054 ++#endif
53055 ++
53056 + }
53057 +
53058 + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
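Review bot: "elf_flags |= MAP_FIXED;" together with a randomized load_bias means a collision between the chosen base and an existing mapping (at this point the fresh mm holds the stack vma and, on some arches, a gate/vdso area) is resolved by overwriting instead of failing; nothing in the hunk bounds PAX_ELF_ET_DYN_BASE plus the PAX_DELTA_MMAP_LEN-bit delta against those regions, so either document why the ranges cannot overlap or drop MAP_FIXED and verify the address elf_map returns. The "&& elf_interpreter" condition also means a PIE without an interpreter is loaded at the unrandomized ELF_ET_DYN_BASE, which the comment "randomize base address at the default exe base if requested" does not say; extend the comment.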
53059 +@@ -914,9 +1203,9 @@ static int load_elf_binary(struct linux_
53060 + * allowed task size. Note that p_filesz must always be
53061 + * <= p_memsz so it is only necessary to check p_memsz.
53062 + */
53063 +- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
53064 +- elf_ppnt->p_memsz > TASK_SIZE ||
53065 +- TASK_SIZE - elf_ppnt->p_memsz < k) {
53066 ++ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
53067 ++ elf_ppnt->p_memsz > pax_task_size ||
53068 ++ pax_task_size - elf_ppnt->p_memsz < k) {
53069 + /* set_brk can never work. Avoid overflows. */
53070 + send_sig(SIGKILL, current, 0);
53071 + retval = -EINVAL;
53072 +@@ -944,6 +1233,11 @@ static int load_elf_binary(struct linux_
53073 + start_data += load_bias;
53074 + end_data += load_bias;
53075 +
53076 ++#ifdef CONFIG_PAX_RANDMMAP
53077 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
53078 ++ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
53079 ++#endif
53080 ++
53081 + /* Calling set_brk effectively mmaps the pages that we need
53082 + * for the bss and break sections. We must do this before
53083 + * mapping in the interpreter, to make sure it doesn't wind
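Review bot: "elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);" needs a comment saying what it does: only the start of the heap (elf_brk) moves, elf_bss stays where the file put it, and the gap grows by one guard page plus a random offset of up to 16 pages (the PAGE_SHIFT sub-page bits of the random value shifted left by 4), which set_brk below then maps and zeroes. Stating that the result is about 4 bits of page-granular entropy on 4K pages makes the intended strength reviewable instead of leaving the reader to decode the shift.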
53084 +@@ -955,9 +1249,11 @@ static int load_elf_binary(struct linux_
53085 + goto out_free_dentry;
53086 + }
53087 + if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
53088 +- send_sig(SIGSEGV, current, 0);
53089 +- retval = -EFAULT; /* Nobody gets to see this, but.. */
53090 +- goto out_free_dentry;
53091 ++ /*
53092 ++ * This bss-zeroing can fail if the ELF
53093 ++ * file specifies odd protections. So
53094 ++ * we don't check the return value
53095 ++ */
53096 + }
53097 +
53098 + if (elf_interpreter) {
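Review bot: after this change the body of "if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))" is empty, so the call whose result is intentionally ignored is hidden inside the condition; write it as "if (elf_bss != elf_brk) padzero(elf_bss);" with the comment above it, or mark the ignored result with a (void) cast. The comment should also state the consequence: when zeroing fails, the tail of the last file-backed page past p_filesz keeps whatever the file contained instead of zeros, so a binary with the odd protections the comment mentions sees non-zero bss rather than being killed with SIGSEGV as before.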
53099 +@@ -1194,8 +1490,10 @@ static int dump_seek(struct file *file,
53100 + unsigned long n = off;
53101 + if (n > PAGE_SIZE)
53102 + n = PAGE_SIZE;
53103 +- if (!dump_write(file, buf, n))
53104 ++ if (!dump_write(file, buf, n)) {
53105 ++ free_page((unsigned long)buf);
53106 + return 0;
53107 ++ }
53108 + off -= n;
53109 + }
53110 + free_page((unsigned long)buf);
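Review bot: the page leak when dump_write fails inside the loop is real and this closes it, but there are now two "free_page((unsigned long)buf);" calls on different paths; a single exit label with one free_page, returning the result through a local, keeps a future early return from forgetting the release again.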
53111 +@@ -1207,7 +1505,7 @@ static int dump_seek(struct file *file,
53112 + * Decide what to dump of a segment, part, all or none.
53113 + */
53114 + static unsigned long vma_dump_size(struct vm_area_struct *vma,
53115 +- unsigned long mm_flags)
53116 ++ unsigned long mm_flags, long signr)
53117 + {
53118 + /* The vma can be set up to tell us the answer directly. */
53119 + if (vma->vm_flags & VM_ALWAYSDUMP)
53120 +@@ -1233,7 +1531,7 @@ static unsigned long vma_dump_size(struc
53121 + if (vma->vm_file == NULL)
53122 + return 0;
53123 +
53124 +- if (FILTER(MAPPED_PRIVATE))
53125 ++ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
53126 + goto whole;
53127 +
53128 + /*
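Review bot: "if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))" forces a full dump of file-backed private mappings whenever the core is written for SIGKILL, overriding the per-process coredump_filter; neither this hunk nor the one adding the signr parameter says why SIGKILL is special (in vanilla it is not a core-dumping signal), so add a comment naming the path that produces a core for SIGKILL and why it wants the complete mapping, and consider whether the mm_flags filter should still apply so an administrator's dump-size choice holds for those cores as well.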
53129 +@@ -1319,8 +1617,11 @@ static int writenote(struct memelfnote *
53130 + #undef DUMP_WRITE
53131 +
53132 + #define DUMP_WRITE(addr, nr) \
53133 ++ do { \
53134 ++ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
53135 + if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
53136 +- goto end_coredump;
53137 ++ goto end_coredump; \
53138 ++ } while (0);
53139 + #define DUMP_SEEK(off) \
53140 + if (!dump_seek(file, (off))) \
53141 + goto end_coredump;
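Review bot: the "do { ... } while (0);" in the new DUMP_WRITE definition keeps its semicolon inside the macro ("} while (0);"), which defeats the purpose of the wrapper: "DUMP_WRITE(a, n);" now expands to the loop plus an empty statement, and "if (c) DUMP_WRITE(a, n); else ..." no longer compiles. Drop the trailing semicolon from the macro body. The neighbouring DUMP_SEEK, still a bare if, should get the same do/while(0) treatment for consistency, and "gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1);" recomputes the value that "size += (nr)" produces on the next line; computing the new size once and using it in both places keeps them from drifting apart.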
53142 +@@ -1710,7 +2011,7 @@ static int elf_core_dump(long signr, str
53143 + phdr.p_offset = offset;
53144 + phdr.p_vaddr = vma->vm_start;
53145 + phdr.p_paddr = 0;
53146 +- phdr.p_filesz = vma_dump_size(vma, mm_flags);
53147 ++ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
53148 + phdr.p_memsz = vma->vm_end - vma->vm_start;
53149 + offset += phdr.p_filesz;
53150 + phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
53151 +@@ -1753,7 +2054,7 @@ static int elf_core_dump(long signr, str
53152 + unsigned long addr;
53153 + unsigned long end;
53154 +
53155 +- end = vma->vm_start + vma_dump_size(vma, mm_flags);
53156 ++ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
53157 +
53158 + for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
53159 + struct page *page;
53160 +@@ -1773,6 +2074,7 @@ static int elf_core_dump(long signr, str
53161 + flush_cache_page(vma, addr,
53162 + page_to_pfn(page));
53163 + kaddr = kmap(page);
53164 ++ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
53165 + if ((size += PAGE_SIZE) > limit ||
53166 + !dump_write(file, kaddr,
53167 + PAGE_SIZE)) {
53168 +diff -urNp linux-2.6.24.5/fs/binfmt_flat.c linux-2.6.24.5/fs/binfmt_flat.c
53169 +--- linux-2.6.24.5/fs/binfmt_flat.c 2008-03-24 14:49:18.000000000 -0400
53170 ++++ linux-2.6.24.5/fs/binfmt_flat.c 2008-03-26 20:21:08.000000000 -0400
53171 +@@ -561,7 +561,9 @@ static int load_flat_file(struct linux_b
53172 + realdatastart = (unsigned long) -ENOMEM;
53173 + printk("Unable to allocate RAM for process data, errno %d\n",
53174 + (int)-realdatastart);
53175 ++ down_write(&current->mm->mmap_sem);
53176 + do_munmap(current->mm, textpos, text_len);
53177 ++ up_write(&current->mm->mmap_sem);
53178 + ret = realdatastart;
53179 + goto err;
53180 + }
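Review bot: do_munmap must be called with mmap_sem held for write, so this error path was unmapping unlocked; wrapping it in down_write/up_write is the right fix, and the two following hunks in this file apply the same treatment to the data+bss and code+data+bss failure paths. Since the three sites are identical apart from the range, a small static helper that takes the lock, unmaps and releases it would keep them from diverging the next time one of them changes.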
53181 +@@ -583,8 +585,10 @@ static int load_flat_file(struct linux_b
53182 + }
53183 + if (result >= (unsigned long)-4096) {
53184 + printk("Unable to read data+bss, errno %d\n", (int)-result);
53185 ++ down_write(&current->mm->mmap_sem);
53186 + do_munmap(current->mm, textpos, text_len);
53187 + do_munmap(current->mm, realdatastart, data_len + extra);
53188 ++ up_write(&current->mm->mmap_sem);
53189 + ret = result;
53190 + goto err;
53191 + }
53192 +@@ -657,8 +661,10 @@ static int load_flat_file(struct linux_b
53193 + }
53194 + if (result >= (unsigned long)-4096) {
53195 + printk("Unable to read code+data+bss, errno %d\n",(int)-result);
53196 ++ down_write(&current->mm->mmap_sem);
53197 + do_munmap(current->mm, textpos, text_len + data_len + extra +
53198 + MAX_SHARED_LIBS * sizeof(unsigned long));
53199 ++ up_write(&current->mm->mmap_sem);
53200 + ret = result;
53201 + goto err;
53202 + }
53203 +diff -urNp linux-2.6.24.5/fs/binfmt_misc.c linux-2.6.24.5/fs/binfmt_misc.c
53204 +--- linux-2.6.24.5/fs/binfmt_misc.c 2008-03-24 14:49:18.000000000 -0400
53205 ++++ linux-2.6.24.5/fs/binfmt_misc.c 2008-03-26 20:21:08.000000000 -0400
53206 +@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
53207 + struct files_struct *files = NULL;
53208 +
53209 + retval = -ENOEXEC;
53210 +- if (!enabled)
53211 ++ if (!enabled || bprm->misc)
53212 + goto _ret;
53213 +
53214 ++ bprm->misc++;
53215 ++
53216 + /* to keep locking time low, we copy the interpreter string */
53217 + read_lock(&entries_lock);
53218 + fmt = check_file(bprm);
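Review bot: "if (!enabled || bprm->misc)" plus "bprm->misc++;" refuses to let binfmt_misc handle a binary whose registered interpreter is itself a binfmt_misc target, which bounds the recursion through search_binary_handler; it also blocks legitimate two-level interpreter chains, so a comment should record that as the intended trade-off. The field is only tested for non-zero and incremented once, so a single bit in linux_binprm (the struct change itself is not in this hunk) would express the intent more clearly than a counter.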
53219 +@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
53220 + static struct tree_descr bm_files[] = {
53221 + [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
53222 + [3] = {"register", &bm_register_operations, S_IWUSR},
53223 +- /* last one */ {""}
53224 ++ /* last one */ {"", NULL, 0}
53225 + };
53226 + int err = simple_fill_super(sb, 0x42494e4d, bm_files);
53227 + if (!err)
53228 +diff -urNp linux-2.6.24.5/fs/buffer.c linux-2.6.24.5/fs/buffer.c
53229 +--- linux-2.6.24.5/fs/buffer.c 2008-04-17 20:05:17.000000000 -0400
53230 ++++ linux-2.6.24.5/fs/buffer.c 2008-04-17 20:05:01.000000000 -0400
53231 +@@ -41,6 +41,7 @@
53232 + #include <linux/bitops.h>
53233 + #include <linux/mpage.h>
53234 + #include <linux/bit_spinlock.h>
53235 ++#include <linux/grsecurity.h>
53236 +
53237 + static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
53238 +
53239 +@@ -2170,6 +2171,7 @@ int generic_cont_expand_simple(struct in
53240 +
53241 + err = -EFBIG;
53242 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
53243 ++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
53244 + if (limit != RLIM_INFINITY && size > (loff_t)limit) {
53245 + send_sig(SIGXFSZ, current, 0);
53246 + goto out;
53247 +diff -urNp linux-2.6.24.5/fs/cifs/cifs_uniupr.h linux-2.6.24.5/fs/cifs/cifs_uniupr.h
53248 +--- linux-2.6.24.5/fs/cifs/cifs_uniupr.h 2008-03-24 14:49:18.000000000 -0400
53249 ++++ linux-2.6.24.5/fs/cifs/cifs_uniupr.h 2008-03-26 20:21:08.000000000 -0400
53250 +@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
53251 + {0x0490, 0x04cc, UniCaseRangeU0490},
53252 + {0x1e00, 0x1ffc, UniCaseRangeU1e00},
53253 + {0xff40, 0xff5a, UniCaseRangeUff40},
53254 +- {0}
53255 ++ {0, 0, NULL}
53256 + };
53257 + #endif
53258 +
53259 +diff -urNp linux-2.6.24.5/fs/cifs/link.c linux-2.6.24.5/fs/cifs/link.c
53260 +--- linux-2.6.24.5/fs/cifs/link.c 2008-03-24 14:49:18.000000000 -0400
53261 ++++ linux-2.6.24.5/fs/cifs/link.c 2008-03-26 20:21:08.000000000 -0400
53262 +@@ -355,7 +355,7 @@ cifs_readlink(struct dentry *direntry, c
53263 +
53264 + void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
53265 + {
53266 +- char *p = nd_get_link(nd);
53267 ++ const char *p = nd_get_link(nd);
53268 + if (!IS_ERR(p))
53269 + kfree(p);
53270 + }
53271 +diff -urNp linux-2.6.24.5/fs/compat.c linux-2.6.24.5/fs/compat.c
53272 +--- linux-2.6.24.5/fs/compat.c 2008-03-24 14:49:18.000000000 -0400
53273 ++++ linux-2.6.24.5/fs/compat.c 2008-03-26 20:21:08.000000000 -0400
53274 +@@ -50,6 +50,7 @@
53275 + #include <linux/poll.h>
53276 + #include <linux/mm.h>
53277 + #include <linux/eventpoll.h>
53278 ++#include <linux/grsecurity.h>
53279 +
53280 + #include <asm/uaccess.h>
53281 + #include <asm/mmu_context.h>
53282 +@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
53283 + if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
53284 + struct page *page;
53285 +
53286 +-#ifdef CONFIG_STACK_GROWSUP
53287 + ret = expand_stack_downwards(bprm->vma, pos);
53288 + if (ret < 0) {
53289 + /* We've exceed the stack rlimit. */
53290 + ret = -E2BIG;
53291 + goto out;
53292 + }
53293 +-#endif
53294 + ret = get_user_pages(current, bprm->mm, pos,
53295 + 1, 1, 1, &page, NULL);
53296 + if (ret <= 0) {
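Review bot: removing the "#ifdef CONFIG_STACK_GROWSUP" guard makes compat_copy_strings call expand_stack_downwards on every architecture, including the grow-down ones where the vanilla code relied on get_user_pages' fault path to extend the stack vma; this matches the get_arg_page rewrite in fs/exec.c later in the patch, but nothing in the visible lines explains why the explicit expansion is now required on grow-down architectures, and that reason belongs in a comment at one of the two sites.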
53297 +@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
53298 + compat_uptr_t __user *envp,
53299 + struct pt_regs * regs)
53300 + {
53301 ++#ifdef CONFIG_GRKERNSEC
53302 ++ struct file *old_exec_file;
53303 ++ struct acl_subject_label *old_acl;
53304 ++ struct rlimit old_rlim[RLIM_NLIMITS];
53305 ++#endif
53306 + struct linux_binprm *bprm;
53307 + struct file *file;
53308 + int retval;
53309 +@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
53310 + bprm->filename = filename;
53311 + bprm->interp = filename;
53312 +
53313 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
53314 ++ retval = -EAGAIN;
53315 ++ if (gr_handle_nproc())
53316 ++ goto out_file;
53317 ++ retval = -EACCES;
53318 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
53319 ++ goto out_file;
53320 ++
53321 + retval = bprm_mm_init(bprm);
53322 + if (retval)
53323 + goto out_file;
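Review bot: running the gr_handle_nproc and gr_acl_handle_execve checks after "bprm->interp = filename;" lets "goto out_file" release the opened file through the existing cleanup, which is the cleaner shape; the do_execve hunk later in the patch performs the same two checks before "bprm->file = file;" and returns directly with hand-written release code. Keeping both entry points structurally identical (same position, same labels) makes it straightforward to verify that every exec path applies the same policy and avoids duplicated cleanup.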
53324 +@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
53325 + if (retval < 0)
53326 + goto out;
53327 +
53328 ++ if (!gr_tpe_allow(file)) {
53329 ++ retval = -EACCES;
53330 ++ goto out;
53331 ++ }
53332 ++
53333 ++ if (gr_check_crash_exec(file)) {
53334 ++ retval = -EACCES;
53335 ++ goto out;
53336 ++ }
53337 ++
53338 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
53339 ++
53340 ++ gr_handle_exec_args(bprm, (char __user * __user *)argv);
53341 ++
53342 ++#ifdef CONFIG_GRKERNSEC
53343 ++ old_acl = current->acl;
53344 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
53345 ++ old_exec_file = current->exec_file;
53346 ++ get_file(file);
53347 ++ current->exec_file = file;
53348 ++#endif
53349 ++
53350 ++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
53351 ++
53352 + retval = search_binary_handler(bprm, regs);
53353 + if (retval >= 0) {
53354 ++#ifdef CONFIG_GRKERNSEC
53355 ++ if (old_exec_file)
53356 ++ fput(old_exec_file);
53357 ++#endif
53358 + /* execve success */
53359 + security_bprm_free(bprm);
53360 + acct_update_integrals(current);
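Review bot: "gr_set_proc_label(file->f_dentry, file->f_vfsmnt);" discards its return value here, while the do_execve hunk later in the patch assigns it to retval; if the call can fail and deny the exec, this compat path silently skips that decision, and if it cannot fail the other site should not suggest that it can, so make the two call sites agree. The "get_file(file); current->exec_file = file;" handoff is balanced by the fput(old_exec_file) on success here and by the restore in the next hunk on failure, so the reference accounting reads correctly.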
53361 +@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
53362 + return retval;
53363 + }
53364 +
53365 ++#ifdef CONFIG_GRKERNSEC
53366 ++ current->acl = old_acl;
53367 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
53368 ++ fput(current->exec_file);
53369 ++ current->exec_file = old_exec_file;
53370 ++#endif
53371 ++
53372 + out:
53373 + if (bprm->security)
53374 + security_bprm_free(bprm);
53375 +diff -urNp linux-2.6.24.5/fs/compat_ioctl.c linux-2.6.24.5/fs/compat_ioctl.c
53376 +--- linux-2.6.24.5/fs/compat_ioctl.c 2008-03-24 14:49:18.000000000 -0400
53377 ++++ linux-2.6.24.5/fs/compat_ioctl.c 2008-03-26 20:21:08.000000000 -0400
53378 +@@ -1890,15 +1890,15 @@ struct ioctl_trans {
53379 + };
53380 +
53381 + #define HANDLE_IOCTL(cmd,handler) \
53382 +- { (cmd), (ioctl_trans_handler_t)(handler) },
53383 ++ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
53384 +
53385 + /* pointer to compatible structure or no argument */
53386 + #define COMPATIBLE_IOCTL(cmd) \
53387 +- { (cmd), do_ioctl32_pointer },
53388 ++ { (cmd), do_ioctl32_pointer, NULL },
53389 +
53390 + /* argument is an unsigned long integer, not a pointer */
53391 + #define ULONG_IOCTL(cmd) \
53392 +- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
53393 ++ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
53394 +
53395 + /* ioctl should not be warned about even if it's not implemented.
53396 + Valid reasons to use this:
53397 +diff -urNp linux-2.6.24.5/fs/debugfs/inode.c linux-2.6.24.5/fs/debugfs/inode.c
53398 +--- linux-2.6.24.5/fs/debugfs/inode.c 2008-03-24 14:49:18.000000000 -0400
53399 ++++ linux-2.6.24.5/fs/debugfs/inode.c 2008-03-26 20:21:08.000000000 -0400
53400 +@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
53401 +
53402 + static int debug_fill_super(struct super_block *sb, void *data, int silent)
53403 + {
53404 +- static struct tree_descr debug_files[] = {{""}};
53405 ++ static struct tree_descr debug_files[] = {{"", NULL, 0}};
53406 +
53407 + return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
53408 + }
53409 +diff -urNp linux-2.6.24.5/fs/exec.c linux-2.6.24.5/fs/exec.c
53410 +--- linux-2.6.24.5/fs/exec.c 2008-03-24 14:49:18.000000000 -0400
53411 ++++ linux-2.6.24.5/fs/exec.c 2008-03-26 20:21:08.000000000 -0400
53412 +@@ -51,6 +51,8 @@
53413 + #include <linux/tsacct_kern.h>
53414 + #include <linux/cn_proc.h>
53415 + #include <linux/audit.h>
53416 ++#include <linux/random.h>
53417 ++#include <linux/grsecurity.h>
53418 +
53419 + #include <asm/uaccess.h>
53420 + #include <asm/mmu_context.h>
53421 +@@ -60,6 +62,11 @@
53422 + #include <linux/kmod.h>
53423 + #endif
53424 +
53425 ++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
53426 ++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
53427 ++EXPORT_SYMBOL(pax_set_initial_flags_func);
53428 ++#endif
53429 ++
53430 + int core_uses_pid;
53431 + char core_pattern[CORENAME_MAX_SIZE] = "core";
53432 + int suid_dumpable = 0;
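Review bot: "EXPORT_SYMBOL(pax_set_initial_flags_func);" exports a writable function pointer that load_elf_binary invokes with the bprm after the point of no return, so any loaded module can install a hook that decides a process's PaX flags; say in a comment which component is expected to set it, and consider EXPORT_SYMBOL_GPL and a one-time registration helper rather than a bare global so an unexpected writer is at least visible in review.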
53433 +@@ -158,18 +165,10 @@ static struct page *get_arg_page(struct
53434 + int write)
53435 + {
53436 + struct page *page;
53437 +- int ret;
53438 +
53439 +-#ifdef CONFIG_STACK_GROWSUP
53440 +- if (write) {
53441 +- ret = expand_stack_downwards(bprm->vma, pos);
53442 +- if (ret < 0)
53443 +- return NULL;
53444 +- }
53445 +-#endif
53446 +- ret = get_user_pages(current, bprm->mm, pos,
53447 +- 1, write, 1, &page, NULL);
53448 +- if (ret <= 0)
53449 ++ if (0 > expand_stack_downwards(bprm->vma, pos))
53450 ++ return NULL;
53451 ++ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
53452 + return NULL;
53453 +
53454 + if (write) {
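Review bot: the rewritten get_arg_page calls expand_stack_downwards unconditionally, whereas the removed code only did so when write was set (and only under CONFIG_STACK_GROWSUP); a read-only lookup of an argument page now grows the stack vma down to pos, which should not be needed for pages that were already written. Either restore the "if (write)" condition or comment why reads must expand as well. The "0 > expand_stack_downwards(...)" and "0 >= get_user_pages(...)" comparisons also invert the usual kernel operand order; keeping "ret = ...; if (ret < 0)" reads more naturally and leaves a usable ret for a later error code.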
53455 +@@ -234,6 +233,11 @@ static int __bprm_mm_init(struct linux_b
53456 + vma->vm_start = vma->vm_end - PAGE_SIZE;
53457 +
53458 + vma->vm_flags = VM_STACK_FLAGS;
53459 ++
53460 ++#ifdef CONFIG_PAX_SEGMEXEC
53461 ++ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
53462 ++#endif
53463 ++
53464 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53465 + err = insert_vm_struct(mm, vma);
53466 + if (err) {
53467 +@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
53468 +
53469 + bprm->p = vma->vm_end - sizeof(void *);
53470 +
53471 ++#ifdef CONFIG_PAX_RANDUSTACK
53472 ++ if (randomize_va_space)
53473 ++ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
53474 ++#endif
53475 ++
53476 + return 0;
53477 +
53478 + err:
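Review bot: "bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;" needs a comment stating its invariant: XORing 16-byte-aligned sub-page bits into a pointer that starts at "vma->vm_end - sizeof(void *)" keeps p inside the same top stack page while moving it by up to PAGE_SIZE - 16 bytes, giving PAGE_SHIFT - 4 bits of intra-page entropy for the argument area without touching the vma. Writing that down is what lets a reader confirm the later bprm->p arithmetic in copy_strings and setup_arg_pages stays valid.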
53479 +@@ -369,7 +378,7 @@ static int count(char __user * __user *
53480 + if (!p)
53481 + break;
53482 + argv++;
53483 +- if(++i > max)
53484 ++ if (++i > max)
53485 + return -E2BIG;
53486 + cond_resched();
53487 + }
53488 +@@ -509,6 +518,10 @@ static int shift_arg_pages(struct vm_are
53489 + if (vma != find_vma(mm, new_start))
53490 + return -EFAULT;
53491 +
53492 ++#ifdef CONFIG_PAX_SEGMEXEC
53493 ++ BUG_ON(pax_find_mirror_vma(vma));
53494 ++#endif
53495 ++
53496 + /*
53497 + * cover the whole range: [new_start, old_end)
53498 + */
53499 +@@ -597,6 +610,14 @@ int setup_arg_pages(struct linux_binprm
53500 + bprm->exec -= stack_shift;
53501 +
53502 + down_write(&mm->mmap_sem);
53503 ++
53504 ++ /* Move stack pages down in memory. */
53505 ++ if (stack_shift) {
53506 ++ ret = shift_arg_pages(vma, stack_shift);
53507 ++ if (ret)
53508 ++ goto out_unlock;
53509 ++ }
53510 ++
53511 + vm_flags = vma->vm_flags;
53512 +
53513 + /*
53514 +@@ -608,23 +629,28 @@ int setup_arg_pages(struct linux_binprm
53515 + vm_flags |= VM_EXEC;
53516 + else if (executable_stack == EXSTACK_DISABLE_X)
53517 + vm_flags &= ~VM_EXEC;
53518 ++ else
53519 ++ vm_flags = VM_STACK_FLAGS;
53520 + vm_flags |= mm->def_flags;
53521 +
53522 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53523 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53524 ++ vm_flags &= ~VM_EXEC;
53525 ++
53526 ++#ifdef CONFIG_PAX_MPROTECT
53527 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
53528 ++ vm_flags &= ~VM_MAYEXEC;
53529 ++#endif
53530 ++
53531 ++ }
53532 ++#endif
53533 ++
53534 + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
53535 + vm_flags);
53536 + if (ret)
53537 + goto out_unlock;
53538 + BUG_ON(prev != vma);
53539 +
53540 +- /* Move stack pages down in memory. */
53541 +- if (stack_shift) {
53542 +- ret = shift_arg_pages(vma, stack_shift);
53543 +- if (ret) {
53544 +- up_write(&mm->mmap_sem);
53545 +- return ret;
53546 +- }
53547 +- }
53548 +-
53549 + #ifdef CONFIG_STACK_GROWSUP
53550 + stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
53551 + #else
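Review bot: the new "else vm_flags = VM_STACK_FLAGS;" branch discards the vma's current flags for the EXSTACK_DEFAULT case; the __bprm_mm_init hunk earlier in this file deliberately strips VM_EXEC | VM_MAYEXEC from that vma under CONFIG_PAX_SEGMEXEC, and this assignment puts both back before the PaX block below removes only VM_EXEC (and VM_MAYEXEC solely under MPROTECT), so without MPROTECT a SEGMEXEC stack regains VM_MAYEXEC here. If that is the intended policy (mprotect back to executable allowed unless MPROTECT is on) say so in a comment; otherwise mask against vma->vm_flags instead of assigning. Moving shift_arg_pages ahead of mprotect_fixup also routes its failure through out_unlock, which until the "return ret" change in the next hunk returned 0 on every error path, so the two hunks belong together in the changelog.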
53552 +@@ -636,7 +662,7 @@ int setup_arg_pages(struct linux_binprm
53553 +
53554 + out_unlock:
53555 + up_write(&mm->mmap_sem);
53556 +- return 0;
53557 ++ return ret;
53558 + }
53559 + EXPORT_SYMBOL(setup_arg_pages);
53560 +
53561 +@@ -655,7 +681,7 @@ struct file *open_exec(const char *name)
53562 + struct inode *inode = nd.dentry->d_inode;
53563 + file = ERR_PTR(-EACCES);
53564 + if (S_ISREG(inode->i_mode)) {
53565 +- int err = vfs_permission(&nd, MAY_EXEC);
53566 ++ err = vfs_permission(&nd, MAY_EXEC);
53567 + file = ERR_PTR(err);
53568 + if (!err) {
53569 + file = nameidata_to_filp(&nd, O_RDONLY);
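Review bot: dropping the block-local `int err` in open_exec() only compiles if a function-scope `err` is declared in a part of the diff not shown here; the hunk's context lines contain no such declaration, so please confirm the earlier hunk for open_exec() adds it, or keep the local declaration.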
53570 +@@ -1293,6 +1319,11 @@ int do_execve(char * filename,
53571 + char __user *__user *envp,
53572 + struct pt_regs * regs)
53573 + {
53574 ++#ifdef CONFIG_GRKERNSEC
53575 ++ struct file *old_exec_file;
53576 ++ struct acl_subject_label *old_acl;
53577 ++ struct rlimit old_rlim[RLIM_NLIMITS];
53578 ++#endif
53579 + struct linux_binprm *bprm;
53580 + struct file *file;
53581 + unsigned long env_p;
53582 +@@ -1308,6 +1339,20 @@ int do_execve(char * filename,
53583 + if (IS_ERR(file))
53584 + goto out_kfree;
53585 +
53586 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
53587 ++
53588 ++ if (gr_handle_nproc()) {
53589 ++ allow_write_access(file);
53590 ++ fput(file);
53591 ++ return -EAGAIN;
53592 ++ }
53593 ++
53594 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
53595 ++ allow_write_access(file);
53596 ++ fput(file);
53597 ++ return -EACCES;
53598 ++ }
53599 ++
53600 + sched_exec();
53601 +
53602 + bprm->file = file;
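Review bot: the two new early returns (`return -EAGAIN;` after gr_handle_nproc() and `return -EACCES;` after gr_acl_handle_execve()) release the file but skip the function's cleanup labels, whereas the `goto out_kfree` three lines above shows that a bprm allocation already exists at this point and is freed only on that path; every denied execve() therefore leaks one bprm. Set `retval` and `goto out_kfree` after the allow_write_access()/fput() pair instead of returning directly.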
53603 +@@ -1349,8 +1394,38 @@ int do_execve(char * filename,
53604 + goto out;
53605 + bprm->argv_len = env_p - bprm->p;
53606 +
53607 ++ if (!gr_tpe_allow(file)) {
53608 ++ retval = -EACCES;
53609 ++ goto out;
53610 ++ }
53611 ++
53612 ++ if (gr_check_crash_exec(file)) {
53613 ++ retval = -EACCES;
53614 ++ goto out;
53615 ++ }
53616 ++
53617 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
53618 ++
53619 ++ gr_handle_exec_args(bprm, argv);
53620 ++
53621 ++#ifdef CONFIG_GRKERNSEC
53622 ++ old_acl = current->acl;
53623 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
53624 ++ old_exec_file = current->exec_file;
53625 ++ get_file(file);
53626 ++ current->exec_file = file;
53627 ++#endif
53628 ++
53629 ++ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
53630 ++ if (retval < 0)
53631 ++ goto out_fail;
53632 ++
53633 + retval = search_binary_handler(bprm,regs);
53634 + if (retval >= 0) {
53635 ++#ifdef CONFIG_GRKERNSEC
53636 ++ if (old_exec_file)
53637 ++ fput(old_exec_file);
53638 ++#endif
53639 + /* execve success */
53640 + free_arg_pages(bprm);
53641 + security_bprm_free(bprm);
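Review bot: the swap of `current->exec_file` (get_file(file) plus the save of `old_exec_file`, `old_acl` and `old_rlim`) happens before search_binary_handler() with no comment on why, and the matching release of `old_exec_file` sits only on the success path. A short comment tying this block to the `out_fail:` restore in the next hunk would make the ownership of the two file references clear; as written a reader has to diff three hunks to see that exactly one reference is dropped on each outcome.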
53642 +@@ -1359,6 +1434,14 @@ int do_execve(char * filename,
53643 + return retval;
53644 + }
53645 +
53646 ++out_fail:
53647 ++#ifdef CONFIG_GRKERNSEC
53648 ++ current->acl = old_acl;
53649 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
53650 ++ fput(current->exec_file);
53651 ++ current->exec_file = old_exec_file;
53652 ++#endif
53653 ++
53654 + out:
53655 + free_arg_pages(bprm);
53656 + if (bprm->security)
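Review bot: `out_fail:` is reached in two ways, by the explicit `goto out_fail` when gr_set_proc_label() fails and by fall-through when search_binary_handler() returns an error (the `if (retval >= 0)` block above returns on success), and the second way is easy to miss. Please add a comment above the label saying the fall-through is intentional, so that nobody later inserts code between the `}` and `out_fail:` that breaks the acl/rlim/exec_file restore.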
53657 +@@ -1523,6 +1606,114 @@ out:
53658 + return ispipe;
53659 + }
53660 +
53661 ++int pax_check_flags(unsigned long *flags)
53662 ++{
53663 ++ int retval = 0;
53664 ++
53665 ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
53666 ++ if (*flags & MF_PAX_SEGMEXEC)
53667 ++ {
53668 ++ *flags &= ~MF_PAX_SEGMEXEC;
53669 ++ retval = -EINVAL;
53670 ++ }
53671 ++#endif
53672 ++
53673 ++ if ((*flags & MF_PAX_PAGEEXEC)
53674 ++
53675 ++#ifdef CONFIG_PAX_PAGEEXEC
53676 ++ && (*flags & MF_PAX_SEGMEXEC)
53677 ++#endif
53678 ++
53679 ++ )
53680 ++ {
53681 ++ *flags &= ~MF_PAX_PAGEEXEC;
53682 ++ retval = -EINVAL;
53683 ++ }
53684 ++
53685 ++ if ((*flags & MF_PAX_MPROTECT)
53686 ++
53687 ++#ifdef CONFIG_PAX_MPROTECT
53688 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53689 ++#endif
53690 ++
53691 ++ )
53692 ++ {
53693 ++ *flags &= ~MF_PAX_MPROTECT;
53694 ++ retval = -EINVAL;
53695 ++ }
53696 ++
53697 ++ if ((*flags & MF_PAX_EMUTRAMP)
53698 ++
53699 ++#ifdef CONFIG_PAX_EMUTRAMP
53700 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53701 ++#endif
53702 ++
53703 ++ )
53704 ++ {
53705 ++ *flags &= ~MF_PAX_EMUTRAMP;
53706 ++ retval = -EINVAL;
53707 ++ }
53708 ++
53709 ++ return retval;
53710 ++}
53711 ++
53712 ++EXPORT_SYMBOL(pax_check_flags);
53713 ++
53714 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53715 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
53716 ++{
53717 ++ struct task_struct *tsk = current;
53718 ++ struct mm_struct *mm = current->mm;
53719 ++ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
53720 ++ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
53721 ++ char *path_exec = NULL;
53722 ++ char *path_fault = NULL;
53723 ++ unsigned long start = 0UL, end = 0UL, offset = 0UL;
53724 ++
53725 ++ if (buffer_exec && buffer_fault) {
53726 ++ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
53727 ++
53728 ++ down_read(&mm->mmap_sem);
53729 ++ vma = mm->mmap;
53730 ++ while (vma && (!vma_exec || !vma_fault)) {
53731 ++ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
53732 ++ vma_exec = vma;
53733 ++ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
53734 ++ vma_fault = vma;
53735 ++ vma = vma->vm_next;
53736 ++ }
53737 ++ if (vma_exec) {
53738 ++ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
53739 ++ if (IS_ERR(path_exec))
53740 ++ path_exec = "<path too long>";
53741 ++ }
53742 ++ if (vma_fault) {
53743 ++ start = vma_fault->vm_start;
53744 ++ end = vma_fault->vm_end;
53745 ++ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
53746 ++ if (vma_fault->vm_file) {
53747 ++ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
53748 ++ if (IS_ERR(path_fault))
53749 ++ path_fault = "<path too long>";
53750 ++ } else
53751 ++ path_fault = "<anonymous mapping>";
53752 ++ }
53753 ++ up_read(&mm->mmap_sem);
53754 ++ }
53755 ++ if (tsk->signal->curr_ip)
53756 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
53757 ++ else
53758 ++ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
53759 ++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
53760 ++ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
53761 ++ tsk->uid, tsk->euid, pc, sp);
53762 ++ free_page((unsigned long)buffer_exec);
53763 ++ free_page((unsigned long)buffer_fault);
53764 ++ pax_report_insns(pc, sp);
53765 ++ do_coredump(SIGKILL, SIGKILL, regs);
53766 ++}
53767 ++#endif
53768 ++
53769 + static void zap_process(struct task_struct *start)
53770 + {
53771 + struct task_struct *t;
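Review bot: in pax_report_fault(), `path_exec` and `path_fault` stay NULL when no VM_EXECUTABLE mapping is found or when `pc` lies outside every vma, and the messages then depend on printk's handling of a NULL `%s` argument; initialising both to explicit markers such as "<unknown>" would keep the log line parseable for whoever is correlating these PAX events. Two smaller points: a comment should note that free_page(0) is safe, since one of the two __get_free_page() calls may fail while the other succeeds, and that the report is emitted before do_coredump() so the task is gone by the time the message is read.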
53772 +@@ -1720,6 +1911,10 @@ int do_coredump(long signr, int exit_cod
53773 + */
53774 + clear_thread_flag(TIF_SIGPENDING);
53775 +
53776 ++ if (signr == SIGKILL || signr == SIGILL)
53777 ++ gr_handle_brute_attach(current);
53778 ++ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
53779 ++
53780 + /*
53781 + * lock_kernel() because format_corename() is controlled by sysctl, which
53782 + * uses lock_kernel()
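Review bot: the added gr_learn_resource() call dereferences `binfmt->min_coredump`, but the hunk's context does not show the existing NULL check on `binfmt` that do_coredump() performs near its top; confirm the insertion point is after that check. It would also help to document why only SIGKILL and SIGILL feed gr_handle_brute_attach() (the PaX kill path uses SIGKILL) so that the choice is not mistaken for an omission of SIGSEGV.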
53783 +@@ -1740,6 +1935,8 @@ int do_coredump(long signr, int exit_cod
53784 +
53785 + if (ispipe) {
53786 + helper_argv = argv_split(GFP_KERNEL, corename+1, &helper_argc);
53787 ++ if (!helper_argv)
53788 ++ goto fail_unlock;
53789 + /* Terminate the string before the first option */
53790 + delimit = strchr(corename, ' ');
53791 + if (delimit)
53792 +diff -urNp linux-2.6.24.5/fs/ext2/balloc.c linux-2.6.24.5/fs/ext2/balloc.c
53793 +--- linux-2.6.24.5/fs/ext2/balloc.c 2008-03-24 14:49:18.000000000 -0400
53794 ++++ linux-2.6.24.5/fs/ext2/balloc.c 2008-03-26 20:21:08.000000000 -0400
53795 +@@ -1127,7 +1127,7 @@ static int ext2_has_free_blocks(struct e
53796 +
53797 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53798 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53799 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53800 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53801 + sbi->s_resuid != current->fsuid &&
53802 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53803 + return 0;
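Review bot: switching this reserved-block test from capable() to capable_nolog() suppresses the grsecurity capability-denial audit entry for a check that every unprivileged writer hits once the filesystem nears its reserved threshold; that is the right call to avoid log flooding, but it is undocumented here and repeated verbatim in the ext3 and ext4 balloc hunks below. A one-line comment on each ("probe only, do not log the CAP_SYS_RESOURCE miss") would keep a future auditor from reverting it as an accidental loss of logging.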
53804 +diff -urNp linux-2.6.24.5/fs/ext3/balloc.c linux-2.6.24.5/fs/ext3/balloc.c
53805 +--- linux-2.6.24.5/fs/ext3/balloc.c 2008-03-24 14:49:18.000000000 -0400
53806 ++++ linux-2.6.24.5/fs/ext3/balloc.c 2008-03-26 20:21:08.000000000 -0400
53807 +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
53808 +
53809 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53810 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53811 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53812 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53813 + sbi->s_resuid != current->fsuid &&
53814 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53815 + return 0;
53816 +diff -urNp linux-2.6.24.5/fs/ext3/namei.c linux-2.6.24.5/fs/ext3/namei.c
53817 +--- linux-2.6.24.5/fs/ext3/namei.c 2008-03-24 14:49:18.000000000 -0400
53818 ++++ linux-2.6.24.5/fs/ext3/namei.c 2008-03-26 20:21:08.000000000 -0400
53819 +@@ -1181,9 +1181,9 @@ static struct ext3_dir_entry_2 *do_split
53820 + u32 hash2;
53821 + struct dx_map_entry *map;
53822 + char *data1 = (*bh)->b_data, *data2;
53823 +- unsigned split, move, size, i;
53824 ++ unsigned split, move, size;
53825 + struct ext3_dir_entry_2 *de = NULL, *de2;
53826 +- int err = 0;
53827 ++ int i, err = 0;
53828 +
53829 + bh2 = ext3_append (handle, dir, &newblock, &err);
53830 + if (!(bh2)) {
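Review bot: moving `i` from `unsigned` to `int` changes the signedness of a loop index whose uses are outside the hunk, presumably to silence a signed/unsigned comparison warning; a note in the description (or the compiler warning being fixed) would justify it, and the same applies to the identical ext4 namei.c hunk further down.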
53831 +diff -urNp linux-2.6.24.5/fs/ext3/xattr.c linux-2.6.24.5/fs/ext3/xattr.c
53832 +--- linux-2.6.24.5/fs/ext3/xattr.c 2008-03-24 14:49:18.000000000 -0400
53833 ++++ linux-2.6.24.5/fs/ext3/xattr.c 2008-03-26 20:21:08.000000000 -0400
53834 +@@ -89,8 +89,8 @@
53835 + printk("\n"); \
53836 + } while (0)
53837 + #else
53838 +-# define ea_idebug(f...)
53839 +-# define ea_bdebug(f...)
53840 ++# define ea_idebug(f...) do {} while (0)
53841 ++# define ea_bdebug(f...) do {} while (0)
53842 + #endif
53843 +
53844 + static void ext3_xattr_cache_insert(struct buffer_head *);
53845 +diff -urNp linux-2.6.24.5/fs/ext4/balloc.c linux-2.6.24.5/fs/ext4/balloc.c
53846 +--- linux-2.6.24.5/fs/ext4/balloc.c 2008-03-24 14:49:18.000000000 -0400
53847 ++++ linux-2.6.24.5/fs/ext4/balloc.c 2008-03-26 20:21:08.000000000 -0400
53848 +@@ -1479,7 +1479,7 @@ static int ext4_has_free_blocks(struct e
53849 +
53850 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53851 + root_blocks = ext4_r_blocks_count(sbi->s_es);
53852 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53853 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
53854 + sbi->s_resuid != current->fsuid &&
53855 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
53856 + return 0;
53857 +diff -urNp linux-2.6.24.5/fs/ext4/namei.c linux-2.6.24.5/fs/ext4/namei.c
53858 +--- linux-2.6.24.5/fs/ext4/namei.c 2008-03-24 14:49:18.000000000 -0400
53859 ++++ linux-2.6.24.5/fs/ext4/namei.c 2008-03-26 20:21:08.000000000 -0400
53860 +@@ -1178,9 +1178,9 @@ static struct ext4_dir_entry_2 *do_split
53861 + u32 hash2;
53862 + struct dx_map_entry *map;
53863 + char *data1 = (*bh)->b_data, *data2;
53864 +- unsigned split, move, size, i;
53865 ++ unsigned split, move, size;
53866 + struct ext4_dir_entry_2 *de = NULL, *de2;
53867 +- int err = 0;
53868 ++ int i, err = 0;
53869 +
53870 + bh2 = ext4_append (handle, dir, &newblock, &err);
53871 + if (!(bh2)) {
53872 +diff -urNp linux-2.6.24.5/fs/fcntl.c linux-2.6.24.5/fs/fcntl.c
53873 +--- linux-2.6.24.5/fs/fcntl.c 2008-03-24 14:49:18.000000000 -0400
53874 ++++ linux-2.6.24.5/fs/fcntl.c 2008-03-26 20:21:08.000000000 -0400
53875 +@@ -19,6 +19,7 @@
53876 + #include <linux/signal.h>
53877 + #include <linux/rcupdate.h>
53878 + #include <linux/pid_namespace.h>
53879 ++#include <linux/grsecurity.h>
53880 +
53881 + #include <asm/poll.h>
53882 + #include <asm/siginfo.h>
53883 +@@ -64,6 +65,7 @@ static int locate_fd(struct files_struct
53884 + struct fdtable *fdt;
53885 +
53886 + error = -EINVAL;
53887 ++ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
53888 + if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
53889 + goto out;
53890 +
53891 +@@ -83,6 +85,7 @@ repeat:
53892 + fdt->max_fds, start);
53893 +
53894 + error = -EMFILE;
53895 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
53896 + if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
53897 + goto out;
53898 +
53899 +@@ -144,6 +147,8 @@ asmlinkage long sys_dup2(unsigned int ol
53900 + struct files_struct * files = current->files;
53901 + struct fdtable *fdt;
53902 +
53903 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
53904 ++
53905 + spin_lock(&files->file_lock);
53906 + if (!(file = fcheck(oldfd)))
53907 + goto out_unlock;
53908 +@@ -463,7 +468,8 @@ static inline int sigio_perm(struct task
53909 + return (((fown->euid == 0) ||
53910 + (fown->euid == p->suid) || (fown->euid == p->uid) ||
53911 + (fown->uid == p->suid) || (fown->uid == p->uid)) &&
53912 +- !security_file_send_sigiotask(p, fown, sig));
53913 ++ !security_file_send_sigiotask(p, fown, sig) &&
53914 ++ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
53915 + }
53916 +
53917 + static void send_sigio_to_task(struct task_struct *p,
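Review bot: appending `!gr_check_protected_task(p) && !gr_pid_is_chrooted(p)` to the sigio_perm() return expression makes the condition a five-term `&&` chain spread over a parenthesised return; splitting the grsec terms into a separate `if` with a short comment (a chrooted or protected task must not receive SIGIO from an outside owner) would make the policy readable and keep the LSM hook ordering obvious.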
53918 +diff -urNp linux-2.6.24.5/fs/fuse/control.c linux-2.6.24.5/fs/fuse/control.c
53919 +--- linux-2.6.24.5/fs/fuse/control.c 2008-03-24 14:49:18.000000000 -0400
53920 ++++ linux-2.6.24.5/fs/fuse/control.c 2008-03-26 20:21:08.000000000 -0400
53921 +@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
53922 +
53923 + static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
53924 + {
53925 +- struct tree_descr empty_descr = {""};
53926 ++ struct tree_descr empty_descr = {"", NULL, 0};
53927 + struct fuse_conn *fc;
53928 + int err;
53929 +
53930 +diff -urNp linux-2.6.24.5/fs/fuse/dir.c linux-2.6.24.5/fs/fuse/dir.c
53931 +--- linux-2.6.24.5/fs/fuse/dir.c 2008-03-24 14:49:18.000000000 -0400
53932 ++++ linux-2.6.24.5/fs/fuse/dir.c 2008-03-26 20:21:08.000000000 -0400
53933 +@@ -1030,7 +1030,7 @@ static char *read_link(struct dentry *de
53934 + return link;
53935 + }
53936 +
53937 +-static void free_link(char *link)
53938 ++static void free_link(const char *link)
53939 + {
53940 + if (!IS_ERR(link))
53941 + free_page((unsigned long) link);
53942 +diff -urNp linux-2.6.24.5/fs/hfs/inode.c linux-2.6.24.5/fs/hfs/inode.c
53943 +--- linux-2.6.24.5/fs/hfs/inode.c 2008-03-24 14:49:18.000000000 -0400
53944 ++++ linux-2.6.24.5/fs/hfs/inode.c 2008-03-26 20:21:08.000000000 -0400
53945 +@@ -419,7 +419,7 @@ int hfs_write_inode(struct inode *inode,
53946 +
53947 + if (S_ISDIR(main_inode->i_mode)) {
53948 + if (fd.entrylength < sizeof(struct hfs_cat_dir))
53949 +- /* panic? */;
53950 ++ {/* panic? */}
53951 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
53952 + sizeof(struct hfs_cat_dir));
53953 + if (rec.type != HFS_CDR_DIR ||
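Review bot: replacing `/* panic? */;` with `{/* panic? */}` only silences the empty-body warning; the undersized catalog record is still passed to hfs_bnode_read() with `sizeof(struct hfs_cat_dir)` unchanged, so the original question mark stands. If the intent of this patch series is warning cleanup only, say so in the description; otherwise this spot (and the matching `@@ -440` hunk plus the four hfsplus hunks below) should return an error instead of reading past a short entry.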
53954 +@@ -440,7 +440,7 @@ int hfs_write_inode(struct inode *inode,
53955 + sizeof(struct hfs_cat_file));
53956 + } else {
53957 + if (fd.entrylength < sizeof(struct hfs_cat_file))
53958 +- /* panic? */;
53959 ++ {/* panic? */}
53960 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
53961 + sizeof(struct hfs_cat_file));
53962 + if (rec.type != HFS_CDR_FIL ||
53963 +diff -urNp linux-2.6.24.5/fs/hfsplus/inode.c linux-2.6.24.5/fs/hfsplus/inode.c
53964 +--- linux-2.6.24.5/fs/hfsplus/inode.c 2008-03-24 14:49:18.000000000 -0400
53965 ++++ linux-2.6.24.5/fs/hfsplus/inode.c 2008-03-26 20:21:08.000000000 -0400
53966 +@@ -422,7 +422,7 @@ int hfsplus_cat_read_inode(struct inode
53967 + struct hfsplus_cat_folder *folder = &entry.folder;
53968 +
53969 + if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
53970 +- /* panic? */;
53971 ++ {/* panic? */}
53972 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
53973 + sizeof(struct hfsplus_cat_folder));
53974 + hfsplus_get_perms(inode, &folder->permissions, 1);
53975 +@@ -439,7 +439,7 @@ int hfsplus_cat_read_inode(struct inode
53976 + struct hfsplus_cat_file *file = &entry.file;
53977 +
53978 + if (fd->entrylength < sizeof(struct hfsplus_cat_file))
53979 +- /* panic? */;
53980 ++ {/* panic? */}
53981 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
53982 + sizeof(struct hfsplus_cat_file));
53983 +
53984 +@@ -495,7 +495,7 @@ int hfsplus_cat_write_inode(struct inode
53985 + struct hfsplus_cat_folder *folder = &entry.folder;
53986 +
53987 + if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
53988 +- /* panic? */;
53989 ++ {/* panic? */}
53990 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
53991 + sizeof(struct hfsplus_cat_folder));
53992 + /* simple node checks? */
53993 +@@ -517,7 +517,7 @@ int hfsplus_cat_write_inode(struct inode
53994 + struct hfsplus_cat_file *file = &entry.file;
53995 +
53996 + if (fd.entrylength < sizeof(struct hfsplus_cat_file))
53997 +- /* panic? */;
53998 ++ {/* panic? */}
53999 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
54000 + sizeof(struct hfsplus_cat_file));
54001 + hfsplus_inode_write_fork(inode, &file->data_fork);
54002 +diff -urNp linux-2.6.24.5/fs/jffs2/debug.h linux-2.6.24.5/fs/jffs2/debug.h
54003 +--- linux-2.6.24.5/fs/jffs2/debug.h 2008-03-24 14:49:18.000000000 -0400
54004 ++++ linux-2.6.24.5/fs/jffs2/debug.h 2008-03-26 20:21:08.000000000 -0400
54005 +@@ -51,13 +51,13 @@
54006 + #if CONFIG_JFFS2_FS_DEBUG > 0
54007 + #define D1(x) x
54008 + #else
54009 +-#define D1(x)
54010 ++#define D1(x) do {} while (0);
54011 + #endif
54012 +
54013 + #if CONFIG_JFFS2_FS_DEBUG > 1
54014 + #define D2(x) x
54015 + #else
54016 +-#define D2(x)
54017 ++#define D2(x) do {} while (0);
54018 + #endif
54019 +
54020 + /* The prefixes of JFFS2 messages */
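Review bot: the new `D1(x)` and `D2(x)` definitions end in `do {} while (0);` with a trailing semicolon, unlike every other `do {} while (0)` macro introduced in the next hunk of this file. A call site of the form `if (cond) D1(x); else ...` then expands to two statements and the `else` no longer binds; drop the trailing semicolon so the macro behaves like a single statement.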
54021 +@@ -113,68 +113,68 @@
54022 + #ifdef JFFS2_DBG_READINODE_MESSAGES
54023 + #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54024 + #else
54025 +-#define dbg_readinode(fmt, ...)
54026 ++#define dbg_readinode(fmt, ...) do {} while (0)
54027 + #endif
54028 +
54029 + /* Fragtree build debugging messages */
54030 + #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
54031 + #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54032 + #else
54033 +-#define dbg_fragtree(fmt, ...)
54034 ++#define dbg_fragtree(fmt, ...) do {} while (0)
54035 + #endif
54036 + #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
54037 + #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54038 + #else
54039 +-#define dbg_fragtree2(fmt, ...)
54040 ++#define dbg_fragtree2(fmt, ...) do {} while (0)
54041 + #endif
54042 +
54043 + /* Directory entry list manilulation debugging messages */
54044 + #ifdef JFFS2_DBG_DENTLIST_MESSAGES
54045 + #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54046 + #else
54047 +-#define dbg_dentlist(fmt, ...)
54048 ++#define dbg_dentlist(fmt, ...) do {} while (0)
54049 + #endif
54050 +
54051 + /* Print the messages about manipulating node_refs */
54052 + #ifdef JFFS2_DBG_NODEREF_MESSAGES
54053 + #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54054 + #else
54055 +-#define dbg_noderef(fmt, ...)
54056 ++#define dbg_noderef(fmt, ...) do {} while (0)
54057 + #endif
54058 +
54059 + /* Manipulations with the list of inodes (JFFS2 inocache) */
54060 + #ifdef JFFS2_DBG_INOCACHE_MESSAGES
54061 + #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54062 + #else
54063 +-#define dbg_inocache(fmt, ...)
54064 ++#define dbg_inocache(fmt, ...) do {} while (0)
54065 + #endif
54066 +
54067 + /* Summary debugging messages */
54068 + #ifdef JFFS2_DBG_SUMMARY_MESSAGES
54069 + #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54070 + #else
54071 +-#define dbg_summary(fmt, ...)
54072 ++#define dbg_summary(fmt, ...) do {} while (0)
54073 + #endif
54074 +
54075 + /* File system build messages */
54076 + #ifdef JFFS2_DBG_FSBUILD_MESSAGES
54077 + #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54078 + #else
54079 +-#define dbg_fsbuild(fmt, ...)
54080 ++#define dbg_fsbuild(fmt, ...) do {} while (0)
54081 + #endif
54082 +
54083 + /* Watch the object allocations */
54084 + #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
54085 + #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54086 + #else
54087 +-#define dbg_memalloc(fmt, ...)
54088 ++#define dbg_memalloc(fmt, ...) do {} while (0)
54089 + #endif
54090 +
54091 + /* Watch the XATTR subsystem */
54092 + #ifdef JFFS2_DBG_XATTR_MESSAGES
54093 + #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
54094 + #else
54095 +-#define dbg_xattr(fmt, ...)
54096 ++#define dbg_xattr(fmt, ...) do {} while (0)
54097 + #endif
54098 +
54099 + /* "Sanity" checks */
54100 +diff -urNp linux-2.6.24.5/fs/jffs2/erase.c linux-2.6.24.5/fs/jffs2/erase.c
54101 +--- linux-2.6.24.5/fs/jffs2/erase.c 2008-03-24 14:49:18.000000000 -0400
54102 ++++ linux-2.6.24.5/fs/jffs2/erase.c 2008-03-26 20:21:08.000000000 -0400
54103 +@@ -428,7 +428,8 @@ static void jffs2_mark_erased_block(stru
54104 + struct jffs2_unknown_node marker = {
54105 + .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
54106 + .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
54107 +- .totlen = cpu_to_je32(c->cleanmarker_size)
54108 ++ .totlen = cpu_to_je32(c->cleanmarker_size),
54109 ++ .hdr_crc = cpu_to_je32(0)
54110 + };
54111 +
54112 + jffs2_prealloc_raw_node_refs(c, jeb, 1);
54113 +diff -urNp linux-2.6.24.5/fs/jffs2/summary.h linux-2.6.24.5/fs/jffs2/summary.h
54114 +--- linux-2.6.24.5/fs/jffs2/summary.h 2008-03-24 14:49:18.000000000 -0400
54115 ++++ linux-2.6.24.5/fs/jffs2/summary.h 2008-03-26 20:21:08.000000000 -0400
54116 +@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
54117 +
54118 + #define jffs2_sum_active() (0)
54119 + #define jffs2_sum_init(a) (0)
54120 +-#define jffs2_sum_exit(a)
54121 +-#define jffs2_sum_disable_collecting(a)
54122 ++#define jffs2_sum_exit(a) do {} while (0)
54123 ++#define jffs2_sum_disable_collecting(a) do {} while (0)
54124 + #define jffs2_sum_is_disabled(a) (0)
54125 +-#define jffs2_sum_reset_collected(a)
54126 ++#define jffs2_sum_reset_collected(a) do {} while (0)
54127 + #define jffs2_sum_add_kvec(a,b,c,d) (0)
54128 +-#define jffs2_sum_move_collected(a,b)
54129 ++#define jffs2_sum_move_collected(a,b) do {} while (0)
54130 + #define jffs2_sum_write_sumnode(a) (0)
54131 +-#define jffs2_sum_add_padding_mem(a,b)
54132 +-#define jffs2_sum_add_inode_mem(a,b,c)
54133 +-#define jffs2_sum_add_dirent_mem(a,b,c)
54134 +-#define jffs2_sum_add_xattr_mem(a,b,c)
54135 +-#define jffs2_sum_add_xref_mem(a,b,c)
54136 ++#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
54137 ++#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
54138 ++#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
54139 ++#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
54140 ++#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
54141 + #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
54142 +
54143 + #endif /* CONFIG_JFFS2_SUMMARY */
54144 +diff -urNp linux-2.6.24.5/fs/jffs2/wbuf.c linux-2.6.24.5/fs/jffs2/wbuf.c
54145 +--- linux-2.6.24.5/fs/jffs2/wbuf.c 2008-03-24 14:49:18.000000000 -0400
54146 ++++ linux-2.6.24.5/fs/jffs2/wbuf.c 2008-03-26 20:21:08.000000000 -0400
54147 +@@ -1015,7 +1015,8 @@ static const struct jffs2_unknown_node o
54148 + {
54149 + .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
54150 + .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
54151 +- .totlen = constant_cpu_to_je32(8)
54152 ++ .totlen = constant_cpu_to_je32(8),
54153 ++ .hdr_crc = constant_cpu_to_je32(0)
54154 + };
54155 +
54156 + /*
54157 +diff -urNp linux-2.6.24.5/fs/Kconfig linux-2.6.24.5/fs/Kconfig
54158 +--- linux-2.6.24.5/fs/Kconfig 2008-03-24 14:49:18.000000000 -0400
54159 ++++ linux-2.6.24.5/fs/Kconfig 2008-03-26 20:21:08.000000000 -0400
54160 +@@ -937,7 +937,7 @@ config PROC_FS
54161 +
54162 + config PROC_KCORE
54163 + bool "/proc/kcore support" if !ARM
54164 +- depends on PROC_FS && MMU
54165 ++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
54166 +
54167 + config PROC_VMCORE
54168 + bool "/proc/vmcore support (EXPERIMENTAL)"
54169 +diff -urNp linux-2.6.24.5/fs/namei.c linux-2.6.24.5/fs/namei.c
54170 +--- linux-2.6.24.5/fs/namei.c 2008-03-24 14:49:18.000000000 -0400
54171 ++++ linux-2.6.24.5/fs/namei.c 2008-03-26 20:21:08.000000000 -0400
54172 +@@ -30,6 +30,7 @@
54173 + #include <linux/capability.h>
54174 + #include <linux/file.h>
54175 + #include <linux/fcntl.h>
54176 ++#include <linux/grsecurity.h>
54177 + #include <asm/namei.h>
54178 + #include <asm/uaccess.h>
54179 +
54180 +@@ -621,7 +622,7 @@ static __always_inline int __do_follow_l
54181 + cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
54182 + error = PTR_ERR(cookie);
54183 + if (!IS_ERR(cookie)) {
54184 +- char *s = nd_get_link(nd);
54185 ++ const char *s = nd_get_link(nd);
54186 + error = 0;
54187 + if (s)
54188 + error = __vfs_follow_link(nd, s);
54189 +@@ -653,6 +654,13 @@ static inline int do_follow_link(struct
54190 + err = security_inode_follow_link(path->dentry, nd);
54191 + if (err)
54192 + goto loop;
54193 ++
54194 ++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
54195 ++ path->dentry->d_inode, path->dentry, nd->mnt)) {
54196 ++ err = -EACCES;
54197 ++ goto loop;
54198 ++ }
54199 ++
54200 + current->link_count++;
54201 + current->total_link_count++;
54202 + nd->depth++;
54203 +@@ -998,11 +1006,18 @@ return_reval:
54204 + break;
54205 + }
54206 + return_base:
54207 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
54208 ++ path_release(nd);
54209 ++ return -ENOENT;
54210 ++ }
54211 + return 0;
54212 + out_dput:
54213 + dput_path(&next, nd);
54214 + break;
54215 + }
54216 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
54217 ++ err = -ENOENT;
54218 ++
54219 + path_release(nd);
54220 + return_err:
54221 + return err;
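Review bot: the second gr_acl_handle_hidden_file() check runs after the walk loop has already broken out with an error, so it is applied to the directory where the walk stopped (the current `nd->dentry`), not to the target component, and it replaces whatever `err` the walk produced with -ENOENT. If the purpose is to hide a denied parent directory rather than leak its existence through -EACCES, a comment should say so; otherwise this looks like a copy of the `return_base:` check applied at the wrong point.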
54222 +@@ -1680,9 +1695,17 @@ static int open_namei_create(struct name
54223 + int error;
54224 + struct dentry *dir = nd->dentry;
54225 +
54226 ++ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
54227 ++ error = -EACCES;
54228 ++ goto out_unlock_dput;
54229 ++ }
54230 ++
54231 + if (!IS_POSIXACL(dir->d_inode))
54232 + mode &= ~current->fs->umask;
54233 + error = vfs_create(dir->d_inode, path->dentry, mode, nd);
54234 ++ if (!error)
54235 ++ gr_handle_create(path->dentry, nd->mnt);
54236 ++out_unlock_dput:
54237 + mutex_unlock(&dir->d_inode->i_mutex);
54238 + dput(nd->dentry);
54239 + nd->dentry = path->dentry;
54240 +@@ -1733,6 +1756,17 @@ int open_namei(int dfd, const char *path
54241 + nd, flag);
54242 + if (error)
54243 + return error;
54244 ++
54245 ++ if (gr_handle_rawio(nd->dentry->d_inode)) {
54246 ++ error = -EPERM;
54247 ++ goto exit;
54248 ++ }
54249 ++
54250 ++ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
54251 ++ error = -EACCES;
54252 ++ goto exit;
54253 ++ }
54254 ++
54255 + goto ok;
54256 + }
54257 +
54258 +@@ -1782,6 +1816,23 @@ do_last:
54259 + /*
54260 + * It already exists.
54261 + */
54262 ++
54263 ++ if (gr_handle_rawio(path.dentry->d_inode)) {
54264 ++ mutex_unlock(&dir->d_inode->i_mutex);
54265 ++ error = -EPERM;
54266 ++ goto exit_dput;
54267 ++ }
54268 ++ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
54269 ++ mutex_unlock(&dir->d_inode->i_mutex);
54270 ++ error = -EACCES;
54271 ++ goto exit_dput;
54272 ++ }
54273 ++ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
54274 ++ mutex_unlock(&dir->d_inode->i_mutex);
54275 ++ error = -EACCES;
54276 ++ goto exit_dput;
54277 ++ }
54278 ++
54279 + mutex_unlock(&dir->d_inode->i_mutex);
54280 + audit_inode(pathname, path.dentry);
54281 +
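Review bot: the three new checks in `do_last:` each repeat `mutex_unlock(&dir->d_inode->i_mutex); error = ...; goto exit_dput;`; since the existing code unlocks the same mutex right after them, a single `goto` to a new label placed before that unlock (with `error` set beforehand) would remove the duplication and make it harder to forget the unlock in a future edit.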
54282 +@@ -1837,6 +1888,13 @@ do_link:
54283 + error = security_inode_follow_link(path.dentry, nd);
54284 + if (error)
54285 + goto exit_dput;
54286 ++
54287 ++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
54288 ++ path.dentry, nd->mnt)) {
54289 ++ error = -EACCES;
54290 ++ goto exit_dput;
54291 ++ }
54292 ++
54293 + error = __do_follow_link(&path, nd);
54294 + if (error) {
54295 + /* Does someone understand code flow here? Or it is only
54296 +@@ -1965,6 +2023,22 @@ asmlinkage long sys_mknodat(int dfd, con
54297 + if (!IS_POSIXACL(nd.dentry->d_inode))
54298 + mode &= ~current->fs->umask;
54299 + if (!IS_ERR(dentry)) {
54300 ++ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
54301 ++ error = -EPERM;
54302 ++ dput(dentry);
54303 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
54304 ++ path_release(&nd);
54305 ++ goto out;
54306 ++ }
54307 ++
54308 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
54309 ++ error = -EACCES;
54310 ++ dput(dentry);
54311 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
54312 ++ path_release(&nd);
54313 ++ goto out;
54314 ++ }
54315 ++
54316 + switch (mode & S_IFMT) {
54317 + case 0: case S_IFREG:
54318 + error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
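Review bot: both new checks in sys_mknodat() hand-roll the cleanup sequence `dput(dentry); mutex_unlock(...); path_release(&nd); goto out;`, which is exactly what the function's existing tail after the `switch` already does. Setting `error` and skipping the `switch` (for example with a small `goto` to a label before the existing `dput(dentry)`) would reuse that path and avoid two copies of the unlock order that must be kept in sync.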
54319 +@@ -1982,6 +2056,10 @@ asmlinkage long sys_mknodat(int dfd, con
54320 + default:
54321 + error = -EINVAL;
54322 + }
54323 ++
54324 ++ if (!error)
54325 ++ gr_handle_create(dentry, nd.mnt);
54326 ++
54327 + dput(dentry);
54328 + }
54329 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54330 +@@ -2039,9 +2117,18 @@ asmlinkage long sys_mkdirat(int dfd, con
54331 + if (IS_ERR(dentry))
54332 + goto out_unlock;
54333 +
54334 ++ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
54335 ++ error = -EACCES;
54336 ++ goto out_unlock_dput;
54337 ++ }
54338 ++
54339 + if (!IS_POSIXACL(nd.dentry->d_inode))
54340 + mode &= ~current->fs->umask;
54341 + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
54342 ++
54343 ++ if (!error)
54344 ++ gr_handle_create(dentry, nd.mnt);
54345 ++out_unlock_dput:
54346 + dput(dentry);
54347 + out_unlock:
54348 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54349 +@@ -2123,6 +2210,8 @@ static long do_rmdir(int dfd, const char
54350 + char * name;
54351 + struct dentry *dentry;
54352 + struct nameidata nd;
54353 ++ ino_t saved_ino = 0;
54354 ++ dev_t saved_dev = 0;
54355 +
54356 + name = getname(pathname);
54357 + if(IS_ERR(name))
54358 +@@ -2148,7 +2237,22 @@ static long do_rmdir(int dfd, const char
54359 + error = PTR_ERR(dentry);
54360 + if (IS_ERR(dentry))
54361 + goto exit2;
54362 ++
54363 ++ if (dentry->d_inode != NULL) {
54364 ++ if (dentry->d_inode->i_nlink <= 1) {
54365 ++ saved_ino = dentry->d_inode->i_ino;
54366 ++ saved_dev = dentry->d_inode->i_sb->s_dev;
54367 ++ }
54368 ++
54369 ++ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
54370 ++ error = -EACCES;
54371 ++ goto dput_exit2;
54372 ++ }
54373 ++ }
54374 + error = vfs_rmdir(nd.dentry->d_inode, dentry);
54375 ++ if (!error && (saved_dev || saved_ino))
54376 ++ gr_handle_delete(saved_ino, saved_dev);
54377 ++dput_exit2:
54378 + dput(dentry);
54379 + exit2:
54380 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
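Review bot: `saved_ino`/`saved_dev` are only captured when `dentry->d_inode->i_nlink <= 1`, but the object here is a directory, and on most filesystems a directory carries at least two links (its own entry and "."), so gr_handle_delete() would rarely fire from rmdir; if the condition is meant to detect "this inode disappears after the call", please comment on which link-count convention it assumes, or relax it for the directory case.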
54381 +@@ -2207,6 +2311,8 @@ static long do_unlinkat(int dfd, const c
54382 + struct dentry *dentry;
54383 + struct nameidata nd;
54384 + struct inode *inode = NULL;
54385 ++ ino_t saved_ino = 0;
54386 ++ dev_t saved_dev = 0;
54387 +
54388 + name = getname(pathname);
54389 + if(IS_ERR(name))
54390 +@@ -2222,13 +2328,26 @@ static long do_unlinkat(int dfd, const c
54391 + dentry = lookup_hash(&nd);
54392 + error = PTR_ERR(dentry);
54393 + if (!IS_ERR(dentry)) {
54394 ++ error = 0;
54395 + /* Why not before? Because we want correct error value */
54396 + if (nd.last.name[nd.last.len])
54397 + goto slashes;
54398 + inode = dentry->d_inode;
54399 +- if (inode)
54400 ++ if (inode) {
54401 ++ if (inode->i_nlink <= 1) {
54402 ++ saved_ino = inode->i_ino;
54403 ++ saved_dev = inode->i_sb->s_dev;
54404 ++ }
54405 ++
54406 ++ if (!gr_acl_handle_unlink(dentry, nd.mnt))
54407 ++ error = -EACCES;
54408 ++
54409 + atomic_inc(&inode->i_count);
54410 +- error = vfs_unlink(nd.dentry->d_inode, dentry);
54411 ++ }
54412 ++ if (!error)
54413 ++ error = vfs_unlink(nd.dentry->d_inode, dentry);
54414 ++ if (!error && (saved_ino || saved_dev))
54415 ++ gr_handle_delete(saved_ino, saved_dev);
54416 + exit2:
54417 + dput(dentry);
54418 + }
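Review bot: `atomic_inc(&inode->i_count)` is now executed even after `gr_acl_handle_unlink` has set `error = -EACCES`, so the denial path takes an inode reference that only the `iput(inode)` after this hunk (not shown) can release; that is correct only if the `iput` runs unconditionally once `exit2` is reached. A comment next to the `atomic_inc` saying that the reference is dropped unconditionally further down would make the `-EACCES` path verifiable from this hunk alone. The added `error = 0;` is needed because `PTR_ERR(dentry)` is nonzero for a valid dentry; a short comment there would also help.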
54419 +@@ -2309,7 +2428,16 @@ asmlinkage long sys_symlinkat(const char
54420 + if (IS_ERR(dentry))
54421 + goto out_unlock;
54422 +
54423 ++ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
54424 ++ error = -EACCES;
54425 ++ goto out_dput_unlock;
54426 ++ }
54427 ++
54428 + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
54429 ++
54430 ++ if (!error)
54431 ++ gr_handle_create(dentry, nd.mnt);
54432 ++out_dput_unlock:
54433 + dput(dentry);
54434 + out_unlock:
54435 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
54436 +@@ -2404,7 +2532,25 @@ asmlinkage long sys_linkat(int olddfd, c
54437 + error = PTR_ERR(new_dentry);
54438 + if (IS_ERR(new_dentry))
54439 + goto out_unlock;
54440 ++
54441 ++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
54442 ++ old_nd.dentry->d_inode,
54443 ++ old_nd.dentry->d_inode->i_mode, to)) {
54444 ++ error = -EACCES;
54445 ++ goto out_unlock_dput;
54446 ++ }
54447 ++
54448 ++ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
54449 ++ old_nd.dentry, old_nd.mnt, to)) {
54450 ++ error = -EACCES;
54451 ++ goto out_unlock_dput;
54452 ++ }
54453 ++
54454 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
54455 ++
54456 ++ if (!error)
54457 ++ gr_handle_create(new_dentry, nd.mnt);
54458 ++out_unlock_dput:
54459 + dput(new_dentry);
54460 + out_unlock:
54461 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
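Review bot: the two new checks use opposite return conventions in the same block: `gr_handle_hardlink(...)` denies when it returns nonzero, while `gr_acl_handle_link(...)` denies when it returns zero. Both are mapped to `-EACCES`, so nothing is functionally wrong, but a one-line comment above each call (or a naming convention separating 'returns error' helpers from 'returns allowed' helpers) would stop the polarity being inverted by a later edit.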
54462 +@@ -2630,8 +2776,16 @@ static int do_rename(int olddfd, const c
54463 + if (new_dentry == trap)
54464 + goto exit5;
54465 +
54466 +- error = vfs_rename(old_dir->d_inode, old_dentry,
54467 ++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
54468 ++ old_dentry, old_dir->d_inode, oldnd.mnt,
54469 ++ newname);
54470 ++
54471 ++ if (!error)
54472 ++ error = vfs_rename(old_dir->d_inode, old_dentry,
54473 + new_dir->d_inode, new_dentry);
54474 ++ if (!error)
54475 ++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
54476 ++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
54477 + exit5:
54478 + dput(new_dentry);
54479 + exit4:
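Review bot: `error = gr_acl_handle_rename(...)` treats the helper's return value as an errno, unlike `gr_acl_handle_link` and `gr_acl_handle_rmdir` elsewhere in this patch, which return nonzero to allow and are mapped to `-EACCES` by the caller; if `gr_acl_handle_rename` ever returns anything other than 0 or a negative errno, `do_rename` will propagate a bogus value to userspace. Document that contract at the call site, or map the result explicitly as the other call sites do. The `new_dentry->d_inode ? 1 : 0` argument to `gr_handle_rename` is evaluated after `vfs_rename` has already moved the entries, so a comment stating what it is meant to report (replaced target or not) would help.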
54480 +diff -urNp linux-2.6.24.5/fs/namespace.c linux-2.6.24.5/fs/namespace.c
54481 +--- linux-2.6.24.5/fs/namespace.c 2008-03-24 14:49:18.000000000 -0400
54482 ++++ linux-2.6.24.5/fs/namespace.c 2008-03-26 20:21:08.000000000 -0400
54483 +@@ -25,6 +25,7 @@
54484 + #include <linux/security.h>
54485 + #include <linux/mount.h>
54486 + #include <linux/ramfs.h>
54487 ++#include <linux/grsecurity.h>
54488 + #include <asm/uaccess.h>
54489 + #include <asm/unistd.h>
54490 + #include "pnode.h"
54491 +@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
54492 + DQUOT_OFF(sb);
54493 + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
54494 + unlock_kernel();
54495 ++
54496 ++ gr_log_remount(mnt->mnt_devname, retval);
54497 + }
54498 + up_write(&sb->s_umount);
54499 + return retval;
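Review bot: `gr_log_remount(mnt->mnt_devname, retval)` passes `mnt_devname`, which is NULL for mounts created without a device name (kernel-internal mounts); the helper is not in this hunk, so confirm it handles a NULL string or pass a placeholder such as `"none"`. The same applies to the `gr_log_unmount` call in the next hunk.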
54500 +@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
54501 + security_sb_umount_busy(mnt);
54502 + up_write(&namespace_sem);
54503 + release_mounts(&umount_list);
54504 ++
54505 ++ gr_log_unmount(mnt->mnt_devname, retval);
54506 ++
54507 + return retval;
54508 + }
54509 +
54510 +@@ -1442,6 +1448,11 @@ long do_mount(char *dev_name, char *dir_
54511 + if (retval)
54512 + goto dput_out;
54513 +
54514 ++ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
54515 ++ retval = -EPERM;
54516 ++ goto dput_out;
54517 ++ }
54518 ++
54519 + if (flags & MS_REMOUNT)
54520 + retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
54521 + data_page);
54522 +@@ -1456,6 +1467,9 @@ long do_mount(char *dev_name, char *dir_
54523 + dev_name, data_page);
54524 + dput_out:
54525 + path_release(&nd);
54526 ++
54527 ++ gr_log_mount(dev_name, dir_name, retval);
54528 ++
54529 + return retval;
54530 + }
54531 +
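Review bot: `gr_log_mount(dev_name, dir_name, retval)` receives `dev_name` straight from the syscall, which can be NULL when the caller passed no source device; as with the umount logging above, confirm the helper tolerates a NULL `dev_name`. Placing the call after `path_release(&nd)` is fine since only the strings and `retval` are used, but a comment noting that the log deliberately covers failed attempts too (because `retval` is passed) would make the placement after `dput_out:` obviously intentional.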
54532 +@@ -1693,6 +1707,9 @@ asmlinkage long sys_pivot_root(const cha
54533 + if (!capable(CAP_SYS_ADMIN))
54534 + return -EPERM;
54535 +
54536 ++ if (gr_handle_chroot_pivot())
54537 ++ return -EPERM;
54538 ++
54539 + lock_kernel();
54540 +
54541 + error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
54542 +diff -urNp linux-2.6.24.5/fs/nfs/callback_xdr.c linux-2.6.24.5/fs/nfs/callback_xdr.c
54543 +--- linux-2.6.24.5/fs/nfs/callback_xdr.c 2008-03-24 14:49:18.000000000 -0400
54544 ++++ linux-2.6.24.5/fs/nfs/callback_xdr.c 2008-03-26 20:21:08.000000000 -0400
54545 +@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
54546 + if (unlikely(status != 0))
54547 + return status;
54548 + /* We do not like overly long tags! */
54549 +- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
54550 ++ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
54551 + printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
54552 + __FUNCTION__, hdr->taglen);
54553 + return htonl(NFS4ERR_RESOURCE);
54554 +diff -urNp linux-2.6.24.5/fs/nfs/nfs4proc.c linux-2.6.24.5/fs/nfs/nfs4proc.c
54555 +--- linux-2.6.24.5/fs/nfs/nfs4proc.c 2008-03-24 14:49:18.000000000 -0400
54556 ++++ linux-2.6.24.5/fs/nfs/nfs4proc.c 2008-03-26 20:21:08.000000000 -0400
54557 +@@ -656,7 +656,7 @@ static int _nfs4_do_open_reclaim(struct
54558 + static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
54559 + {
54560 + struct nfs_server *server = NFS_SERVER(state->inode);
54561 +- struct nfs4_exception exception = { };
54562 ++ struct nfs4_exception exception = {0, 0};
54563 + int err;
54564 + do {
54565 + err = _nfs4_do_open_reclaim(ctx, state);
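Review bot: replacing `{ }` with `{0, 0}` ties every one of these initializers (this hunk and the roughly thirty identical ones that follow in nfs4proc.c) to `struct nfs4_exception` having exactly two members, and `{0, 0}` still trips -Wmissing-field-initializers if the struct later grows. The portable spelling `{ 0 }` zero-fills the whole struct regardless of member count, is exempt from that warning, and equally silences the empty-initializer warning this change is after; suggest using it at all of these sites.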
54566 +@@ -698,7 +698,7 @@ static int _nfs4_open_delegation_recall(
54567 +
54568 + int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
54569 + {
54570 +- struct nfs4_exception exception = { };
54571 ++ struct nfs4_exception exception = {0, 0};
54572 + struct nfs_server *server = NFS_SERVER(state->inode);
54573 + int err;
54574 + do {
54575 +@@ -987,7 +987,7 @@ static int _nfs4_open_expired(struct nfs
54576 + static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
54577 + {
54578 + struct nfs_server *server = NFS_SERVER(state->inode);
54579 +- struct nfs4_exception exception = { };
54580 ++ struct nfs4_exception exception = {0, 0};
54581 + int err;
54582 +
54583 + do {
54584 +@@ -1089,7 +1089,7 @@ out_err:
54585 +
54586 + static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
54587 + {
54588 +- struct nfs4_exception exception = { };
54589 ++ struct nfs4_exception exception = {0, 0};
54590 + struct nfs4_state *res;
54591 + int status;
54592 +
54593 +@@ -1178,7 +1178,7 @@ static int nfs4_do_setattr(struct inode
54594 + struct iattr *sattr, struct nfs4_state *state)
54595 + {
54596 + struct nfs_server *server = NFS_SERVER(inode);
54597 +- struct nfs4_exception exception = { };
54598 ++ struct nfs4_exception exception = {0, 0};
54599 + int err;
54600 + do {
54601 + err = nfs4_handle_exception(server,
54602 +@@ -1484,7 +1484,7 @@ static int _nfs4_server_capabilities(str
54603 +
54604 + int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
54605 + {
54606 +- struct nfs4_exception exception = { };
54607 ++ struct nfs4_exception exception = {0, 0};
54608 + int err;
54609 + do {
54610 + err = nfs4_handle_exception(server,
54611 +@@ -1517,7 +1517,7 @@ static int _nfs4_lookup_root(struct nfs_
54612 + static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
54613 + struct nfs_fsinfo *info)
54614 + {
54615 +- struct nfs4_exception exception = { };
54616 ++ struct nfs4_exception exception = {0, 0};
54617 + int err;
54618 + do {
54619 + err = nfs4_handle_exception(server,
54620 +@@ -1606,7 +1606,7 @@ static int _nfs4_proc_getattr(struct nfs
54621 +
54622 + static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
54623 + {
54624 +- struct nfs4_exception exception = { };
54625 ++ struct nfs4_exception exception = {0, 0};
54626 + int err;
54627 + do {
54628 + err = nfs4_handle_exception(server,
54629 +@@ -1696,7 +1696,7 @@ static int nfs4_proc_lookupfh(struct nfs
54630 + struct qstr *name, struct nfs_fh *fhandle,
54631 + struct nfs_fattr *fattr)
54632 + {
54633 +- struct nfs4_exception exception = { };
54634 ++ struct nfs4_exception exception = {0, 0};
54635 + int err;
54636 + do {
54637 + err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
54638 +@@ -1725,7 +1725,7 @@ static int _nfs4_proc_lookup(struct inod
54639 +
54640 + static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
54641 + {
54642 +- struct nfs4_exception exception = { };
54643 ++ struct nfs4_exception exception = {0, 0};
54644 + int err;
54645 + do {
54646 + err = nfs4_handle_exception(NFS_SERVER(dir),
54647 +@@ -1789,7 +1789,7 @@ static int _nfs4_proc_access(struct inod
54648 +
54649 + static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
54650 + {
54651 +- struct nfs4_exception exception = { };
54652 ++ struct nfs4_exception exception = {0, 0};
54653 + int err;
54654 + do {
54655 + err = nfs4_handle_exception(NFS_SERVER(inode),
54656 +@@ -1844,7 +1844,7 @@ static int _nfs4_proc_readlink(struct in
54657 + static int nfs4_proc_readlink(struct inode *inode, struct page *page,
54658 + unsigned int pgbase, unsigned int pglen)
54659 + {
54660 +- struct nfs4_exception exception = { };
54661 ++ struct nfs4_exception exception = {0, 0};
54662 + int err;
54663 + do {
54664 + err = nfs4_handle_exception(NFS_SERVER(inode),
54665 +@@ -1940,7 +1940,7 @@ static int _nfs4_proc_remove(struct inod
54666 +
54667 + static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
54668 + {
54669 +- struct nfs4_exception exception = { };
54670 ++ struct nfs4_exception exception = {0, 0};
54671 + int err;
54672 + do {
54673 + err = nfs4_handle_exception(NFS_SERVER(dir),
54674 +@@ -2012,7 +2012,7 @@ static int _nfs4_proc_rename(struct inod
54675 + static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
54676 + struct inode *new_dir, struct qstr *new_name)
54677 + {
54678 +- struct nfs4_exception exception = { };
54679 ++ struct nfs4_exception exception = {0, 0};
54680 + int err;
54681 + do {
54682 + err = nfs4_handle_exception(NFS_SERVER(old_dir),
54683 +@@ -2059,7 +2059,7 @@ static int _nfs4_proc_link(struct inode
54684 +
54685 + static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
54686 + {
54687 +- struct nfs4_exception exception = { };
54688 ++ struct nfs4_exception exception = {0, 0};
54689 + int err;
54690 + do {
54691 + err = nfs4_handle_exception(NFS_SERVER(inode),
54692 +@@ -2116,7 +2116,7 @@ static int _nfs4_proc_symlink(struct ino
54693 + static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
54694 + struct page *page, unsigned int len, struct iattr *sattr)
54695 + {
54696 +- struct nfs4_exception exception = { };
54697 ++ struct nfs4_exception exception = {0, 0};
54698 + int err;
54699 + do {
54700 + err = nfs4_handle_exception(NFS_SERVER(dir),
54701 +@@ -2169,7 +2169,7 @@ static int _nfs4_proc_mkdir(struct inode
54702 + static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
54703 + struct iattr *sattr)
54704 + {
54705 +- struct nfs4_exception exception = { };
54706 ++ struct nfs4_exception exception = {0, 0};
54707 + int err;
54708 + do {
54709 + err = nfs4_handle_exception(NFS_SERVER(dir),
54710 +@@ -2218,7 +2218,7 @@ static int _nfs4_proc_readdir(struct den
54711 + static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
54712 + u64 cookie, struct page *page, unsigned int count, int plus)
54713 + {
54714 +- struct nfs4_exception exception = { };
54715 ++ struct nfs4_exception exception = {0, 0};
54716 + int err;
54717 + do {
54718 + err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
54719 +@@ -2288,7 +2288,7 @@ static int _nfs4_proc_mknod(struct inode
54720 + static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
54721 + struct iattr *sattr, dev_t rdev)
54722 + {
54723 +- struct nfs4_exception exception = { };
54724 ++ struct nfs4_exception exception = {0, 0};
54725 + int err;
54726 + do {
54727 + err = nfs4_handle_exception(NFS_SERVER(dir),
54728 +@@ -2317,7 +2317,7 @@ static int _nfs4_proc_statfs(struct nfs_
54729 +
54730 + static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
54731 + {
54732 +- struct nfs4_exception exception = { };
54733 ++ struct nfs4_exception exception = {0, 0};
54734 + int err;
54735 + do {
54736 + err = nfs4_handle_exception(server,
54737 +@@ -2345,7 +2345,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
54738 +
54739 + static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
54740 + {
54741 +- struct nfs4_exception exception = { };
54742 ++ struct nfs4_exception exception = {0, 0};
54743 + int err;
54744 +
54745 + do {
54746 +@@ -2388,7 +2388,7 @@ static int _nfs4_proc_pathconf(struct nf
54747 + static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
54748 + struct nfs_pathconf *pathconf)
54749 + {
54750 +- struct nfs4_exception exception = { };
54751 ++ struct nfs4_exception exception = {0, 0};
54752 + int err;
54753 +
54754 + do {
54755 +@@ -2708,7 +2708,7 @@ out_free:
54756 +
54757 + static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
54758 + {
54759 +- struct nfs4_exception exception = { };
54760 ++ struct nfs4_exception exception = {0, 0};
54761 + ssize_t ret;
54762 + do {
54763 + ret = __nfs4_get_acl_uncached(inode, buf, buflen);
54764 +@@ -2762,7 +2762,7 @@ static int __nfs4_proc_set_acl(struct in
54765 +
54766 + static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
54767 + {
54768 +- struct nfs4_exception exception = { };
54769 ++ struct nfs4_exception exception = {0, 0};
54770 + int err;
54771 + do {
54772 + err = nfs4_handle_exception(NFS_SERVER(inode),
54773 +@@ -3059,7 +3059,7 @@ static int _nfs4_proc_delegreturn(struct
54774 + int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
54775 + {
54776 + struct nfs_server *server = NFS_SERVER(inode);
54777 +- struct nfs4_exception exception = { };
54778 ++ struct nfs4_exception exception = {0, 0};
54779 + int err;
54780 + do {
54781 + err = _nfs4_proc_delegreturn(inode, cred, stateid);
54782 +@@ -3134,7 +3134,7 @@ out:
54783 +
54784 + static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
54785 + {
54786 +- struct nfs4_exception exception = { };
54787 ++ struct nfs4_exception exception = {0, 0};
54788 + int err;
54789 +
54790 + do {
54791 +@@ -3476,7 +3476,7 @@ static int _nfs4_do_setlk(struct nfs4_st
54792 + static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
54793 + {
54794 + struct nfs_server *server = NFS_SERVER(state->inode);
54795 +- struct nfs4_exception exception = { };
54796 ++ struct nfs4_exception exception = {0, 0};
54797 + int err;
54798 +
54799 + do {
54800 +@@ -3494,7 +3494,7 @@ static int nfs4_lock_reclaim(struct nfs4
54801 + static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
54802 + {
54803 + struct nfs_server *server = NFS_SERVER(state->inode);
54804 +- struct nfs4_exception exception = { };
54805 ++ struct nfs4_exception exception = {0, 0};
54806 + int err;
54807 +
54808 + err = nfs4_set_lock_state(state, request);
54809 +@@ -3555,7 +3555,7 @@ out:
54810 +
54811 + static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
54812 + {
54813 +- struct nfs4_exception exception = { };
54814 ++ struct nfs4_exception exception = {0, 0};
54815 + int err;
54816 +
54817 + do {
54818 +@@ -3605,7 +3605,7 @@ nfs4_proc_lock(struct file *filp, int cm
54819 + int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
54820 + {
54821 + struct nfs_server *server = NFS_SERVER(state->inode);
54822 +- struct nfs4_exception exception = { };
54823 ++ struct nfs4_exception exception = {0, 0};
54824 + int err;
54825 +
54826 + err = nfs4_set_lock_state(state, fl);
54827 +diff -urNp linux-2.6.24.5/fs/nfsd/export.c linux-2.6.24.5/fs/nfsd/export.c
54828 +--- linux-2.6.24.5/fs/nfsd/export.c 2008-03-24 14:49:18.000000000 -0400
54829 ++++ linux-2.6.24.5/fs/nfsd/export.c 2008-03-26 20:21:08.000000000 -0400
54830 +@@ -476,7 +476,7 @@ static int secinfo_parse(char **mesg, ch
54831 + * probably discover the problem when someone fails to
54832 + * authenticate.
54833 + */
54834 +- if (f->pseudoflavor < 0)
54835 ++ if ((s32)f->pseudoflavor < 0)
54836 + return -EINVAL;
54837 + err = get_int(mesg, &f->flags);
54838 + if (err)
54839 +diff -urNp linux-2.6.24.5/fs/nfsd/nfs4state.c linux-2.6.24.5/fs/nfsd/nfs4state.c
54840 +--- linux-2.6.24.5/fs/nfsd/nfs4state.c 2008-03-24 14:49:18.000000000 -0400
54841 ++++ linux-2.6.24.5/fs/nfsd/nfs4state.c 2008-03-26 20:21:08.000000000 -0400
54842 +@@ -1233,7 +1233,7 @@ static int access_valid(u32 x)
54843 +
54844 + static int deny_valid(u32 x)
54845 + {
54846 +- return (x >= 0 && x < 5);
54847 ++ return (x < 5);
54848 + }
54849 +
54850 + static void
54851 +diff -urNp linux-2.6.24.5/fs/nls/nls_base.c linux-2.6.24.5/fs/nls/nls_base.c
54852 +--- linux-2.6.24.5/fs/nls/nls_base.c 2008-03-24 14:49:18.000000000 -0400
54853 ++++ linux-2.6.24.5/fs/nls/nls_base.c 2008-03-26 20:21:08.000000000 -0400
54854 +@@ -42,7 +42,7 @@ static const struct utf8_table utf8_tabl
54855 + {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
54856 + {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
54857 + {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
54858 +- {0, /* end of table */}
54859 ++ {0, 0, 0, 0, 0, /* end of table */}
54860 + };
54861 +
54862 + int
54863 +diff -urNp linux-2.6.24.5/fs/ntfs/file.c linux-2.6.24.5/fs/ntfs/file.c
54864 +--- linux-2.6.24.5/fs/ntfs/file.c 2008-03-24 14:49:18.000000000 -0400
54865 ++++ linux-2.6.24.5/fs/ntfs/file.c 2008-03-26 20:21:08.000000000 -0400
54866 +@@ -2293,6 +2293,6 @@ const struct inode_operations ntfs_file_
54867 + #endif /* NTFS_RW */
54868 + };
54869 +
54870 +-const struct file_operations ntfs_empty_file_ops = {};
54871 ++const struct file_operations ntfs_empty_file_ops;
54872 +
54873 +-const struct inode_operations ntfs_empty_inode_ops = {};
54874 ++const struct inode_operations ntfs_empty_inode_ops;
54875 +diff -urNp linux-2.6.24.5/fs/open.c linux-2.6.24.5/fs/open.c
54876 +--- linux-2.6.24.5/fs/open.c 2008-03-24 14:49:18.000000000 -0400
54877 ++++ linux-2.6.24.5/fs/open.c 2008-03-26 20:21:08.000000000 -0400
54878 +@@ -27,6 +27,7 @@
54879 + #include <linux/rcupdate.h>
54880 + #include <linux/audit.h>
54881 + #include <linux/falloc.h>
54882 ++#include <linux/grsecurity.h>
54883 +
54884 + int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
54885 + {
54886 +@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
54887 + if (length < 0)
54888 + return -EINVAL;
54889 +
54890 ++ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
54891 ++ return -EACCES;
54892 ++
54893 + newattrs.ia_size = length;
54894 + newattrs.ia_valid = ATTR_SIZE | time_attrs;
54895 + if (filp) {
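Review bot: the new `gr_acl_handle_truncate` check is gated on `filp` being non-NULL, so it covers `ftruncate(2)` and `open(O_TRUNC)` but is skipped entirely for path-based `truncate(2)`, which calls `do_truncate` with `filp == NULL`. If the ACL is meant to mediate all truncation, the path-based case needs the vfsmount from the caller (the same approach this patch takes for `chown_common` by adding a `mnt` parameter); otherwise a comment should state that only fd-based truncation is checked here.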
54896 +@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
54897 + if(IS_RDONLY(nd.dentry->d_inode))
54898 + res = -EROFS;
54899 +
54900 ++ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
54901 ++ res = -EACCES;
54902 ++
54903 + out_path_release:
54904 + path_release(&nd);
54905 + out:
54906 +@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
54907 + if (error)
54908 + goto dput_and_out;
54909 +
54910 ++ gr_log_chdir(nd.dentry, nd.mnt);
54911 ++
54912 + set_fs_pwd(current->fs, nd.mnt, nd.dentry);
54913 +
54914 + dput_and_out:
54915 +@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
54916 + goto out_putf;
54917 +
54918 + error = file_permission(file, MAY_EXEC);
54919 ++
54920 ++ if (!error && !gr_chroot_fchdir(dentry, mnt))
54921 ++ error = -EPERM;
54922 ++
54923 ++ if (!error)
54924 ++ gr_log_chdir(dentry, mnt);
54925 ++
54926 + if (!error)
54927 + set_fs_pwd(current->fs, mnt, dentry);
54928 + out_putf:
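Review bot: three consecutive `if (!error)` blocks (`gr_chroot_fchdir`, `gr_log_chdir`, `set_fs_pwd`) read as independent steps; folding the log and the `set_fs_pwd` into one `if (!error) { ... }` would make it explicit that the chdir is logged exactly when it takes effect. Note also that `gr_chroot_fchdir` denies on a zero return while `gr_handle_chroot_chroot` in the next hunk denies on nonzero; a comment at the call site would keep the polarity straight.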
54929 +@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
54930 + if (!capable(CAP_SYS_CHROOT))
54931 + goto dput_and_out;
54932 +
54933 ++ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
54934 ++ goto dput_and_out;
54935 ++
54936 + set_fs_root(current->fs, nd.mnt, nd.dentry);
54937 + set_fs_altroot();
54938 ++
54939 ++ gr_handle_chroot_caps(current);
54940 ++
54941 ++ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
54942 ++
54943 + error = 0;
54944 + dput_and_out:
54945 + path_release(&nd);
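Review bot: the `gr_handle_chroot_chroot` denial jumps to `dput_and_out` without assigning `error`, so the value returned to userspace is whatever `error` held before the `capable(CAP_SYS_CHROOT)` test (presumably `-EPERM`, set outside this hunk). Set `error = -EPERM` explicitly before the `goto` so the return code does not depend on the ordering of the preceding checks.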
54946 +@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
54947 + err = -EPERM;
54948 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
54949 + goto out_putf;
54950 ++
54951 ++ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
54952 ++ err = -EACCES;
54953 ++ goto out_putf;
54954 ++ }
54955 ++
54956 + mutex_lock(&inode->i_mutex);
54957 + if (mode == (mode_t) -1)
54958 + mode = inode->i_mode;
54959 ++
54960 ++ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
54961 ++ err = -EPERM;
54962 ++ mutex_unlock(&inode->i_mutex);
54963 ++ goto out_putf;
54964 ++ }
54965 ++
54966 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
54967 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
54968 + err = notify_change(dentry, &newattrs);
54969 +@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
54970 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
54971 + goto dput_and_out;
54972 +
54973 ++ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
54974 ++ error = -EACCES;
54975 ++ goto dput_and_out;
54976 ++ };
54977 ++
54978 + mutex_lock(&inode->i_mutex);
54979 + if (mode == (mode_t) -1)
54980 + mode = inode->i_mode;
54981 ++
54982 ++ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
54983 ++ error = -EACCES;
54984 ++ mutex_unlock(&inode->i_mutex);
54985 ++ goto dput_and_out;
54986 ++ }
54987 ++
54988 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
54989 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
54990 + error = notify_change(nd.dentry, &newattrs);
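Review bot: `gr_handle_chroot_chmod` is mapped to `-EACCES` here but to `-EPERM` in the `sys_fchmod` hunk just above for the same helper; `chmod(2)` and `fchmod(2)` on the same file should fail with the same errno, so pick one (the `-EPERM` used for the other chroot restrictions in this patch looks like the natural choice). There is also a stray `;` after the closing brace of the `gr_acl_handle_chmod` block (`};`), harmless but worth removing.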
54991 +@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
54992 + return sys_fchmodat(AT_FDCWD, filename, mode);
54993 + }
54994 +
54995 +-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
54996 ++static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
54997 + {
54998 + struct inode * inode;
54999 + int error;
55000 +@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
55001 + error = -EPERM;
55002 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
55003 + goto out;
55004 ++
55005 ++ if (!gr_acl_handle_chown(dentry, mnt)) {
55006 ++ error = -EACCES;
55007 ++ goto out;
55008 ++ }
55009 ++
55010 + newattrs.ia_valid = ATTR_CTIME;
55011 + if (user != (uid_t) -1) {
55012 + newattrs.ia_valid |= ATTR_UID;
55013 +@@ -675,7 +730,7 @@ asmlinkage long sys_chown(const char __u
55014 + error = user_path_walk(filename, &nd);
55015 + if (error)
55016 + goto out;
55017 +- error = chown_common(nd.dentry, user, group);
55018 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55019 + path_release(&nd);
55020 + out:
55021 + return error;
55022 +@@ -695,7 +750,7 @@ asmlinkage long sys_fchownat(int dfd, co
55023 + error = __user_walk_fd(dfd, filename, follow, &nd);
55024 + if (error)
55025 + goto out;
55026 +- error = chown_common(nd.dentry, user, group);
55027 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55028 + path_release(&nd);
55029 + out:
55030 + return error;
55031 +@@ -709,7 +764,7 @@ asmlinkage long sys_lchown(const char __
55032 + error = user_path_walk_link(filename, &nd);
55033 + if (error)
55034 + goto out;
55035 +- error = chown_common(nd.dentry, user, group);
55036 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
55037 + path_release(&nd);
55038 + out:
55039 + return error;
55040 +@@ -728,7 +783,7 @@ asmlinkage long sys_fchown(unsigned int
55041 +
55042 + dentry = file->f_path.dentry;
55043 + audit_inode(NULL, dentry);
55044 +- error = chown_common(dentry, user, group);
55045 ++ error = chown_common(dentry, user, group, file->f_vfsmnt);
55046 + fput(file);
55047 + out:
55048 + return error;
55049 +@@ -939,6 +994,7 @@ repeat:
55050 + * N.B. For clone tasks sharing a files structure, this test
55051 + * will limit the total number of files that can be opened.
55052 + */
55053 ++ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
55054 + if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
55055 + goto out;
55056 +
55057 +diff -urNp linux-2.6.24.5/fs/partitions/efi.c linux-2.6.24.5/fs/partitions/efi.c
55058 +--- linux-2.6.24.5/fs/partitions/efi.c 2008-03-24 14:49:18.000000000 -0400
55059 ++++ linux-2.6.24.5/fs/partitions/efi.c 2008-03-26 20:21:08.000000000 -0400
55060 +@@ -99,7 +99,7 @@
55061 + #ifdef EFI_DEBUG
55062 + #define Dprintk(x...) printk(KERN_DEBUG x)
55063 + #else
55064 +-#define Dprintk(x...)
55065 ++#define Dprintk(x...) do {} while (0)
55066 + #endif
55067 +
55068 + /* This allows a kernel command line option 'gpt' to override
55069 +diff -urNp linux-2.6.24.5/fs/pipe.c linux-2.6.24.5/fs/pipe.c
55070 +--- linux-2.6.24.5/fs/pipe.c 2008-03-24 14:49:18.000000000 -0400
55071 ++++ linux-2.6.24.5/fs/pipe.c 2008-03-26 20:21:08.000000000 -0400
55072 +@@ -887,7 +887,7 @@ void free_pipe_info(struct inode *inode)
55073 + inode->i_pipe = NULL;
55074 + }
55075 +
55076 +-static struct vfsmount *pipe_mnt __read_mostly;
55077 ++struct vfsmount *pipe_mnt __read_mostly;
55078 + static int pipefs_delete_dentry(struct dentry *dentry)
55079 + {
55080 + /*
55081 +diff -urNp linux-2.6.24.5/fs/proc/array.c linux-2.6.24.5/fs/proc/array.c
55082 +--- linux-2.6.24.5/fs/proc/array.c 2008-03-24 14:49:18.000000000 -0400
55083 ++++ linux-2.6.24.5/fs/proc/array.c 2008-03-26 20:21:08.000000000 -0400
55084 +@@ -305,6 +305,21 @@ static inline char *task_context_switch_
55085 + p->nivcsw);
55086 + }
55087 +
55088 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55089 ++static inline char *task_pax(struct task_struct *p, char *buffer)
55090 ++{
55091 ++ if (p->mm)
55092 ++ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
55093 ++ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
55094 ++ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
55095 ++ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
55096 ++ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
55097 ++ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
55098 ++ else
55099 ++ return buffer + sprintf(buffer, "PaX:\t-----\n");
55100 ++}
55101 ++#endif
55102 ++
55103 + int proc_pid_status(struct task_struct *task, char *buffer)
55104 + {
55105 + char *orig = buffer;
55106 +@@ -324,6 +339,11 @@ int proc_pid_status(struct task_struct *
55107 + buffer = task_show_regs(task, buffer);
55108 + #endif
55109 + buffer = task_context_switch_counts(task, buffer);
55110 ++
55111 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55112 ++ buffer = task_pax(task, buffer);
55113 ++#endif
55114 ++
55115 + return buffer - orig;
55116 + }
55117 +
55118 +@@ -386,6 +406,12 @@ static cputime_t task_gtime(struct task_
55119 + return p->gtime;
55120 + }
55121 +
55122 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55123 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
55124 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
55125 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
55126 ++#endif
55127 ++
55128 + static int do_task_stat(struct task_struct *task, char *buffer, int whole)
55129 + {
55130 + unsigned long vsize, eip, esp, wchan = ~0UL;
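Review bot: the `PAX_RAND_FLAGS(_mm)` macro uses its argument unparenthesized and mixes `&` with `||` without inner parentheses (`_mm->pax_flags & MF_PAX_RANDMMAP || ...`); precedence happens to be right, but gcc's -Wparentheses will flag it and an argument such as `a ? b : c` would expand incorrectly. Write it as `(((_mm)->pax_flags & MF_PAX_RANDMMAP) || ((_mm)->pax_flags & MF_PAX_SEGMEXEC))`, or more simply `((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`, with `(_mm) != NULL` likewise parenthesized.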
55131 +@@ -481,6 +507,19 @@ static int do_task_stat(struct task_stru
55132 + gtime = task_gtime(task);
55133 + }
55134 +
55135 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55136 ++ if (PAX_RAND_FLAGS(mm)) {
55137 ++ eip = 0;
55138 ++ esp = 0;
55139 ++ wchan = 0;
55140 ++ }
55141 ++#endif
55142 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
55143 ++ wchan = 0;
55144 ++ eip =0;
55145 ++ esp =0;
55146 ++#endif
55147 ++
55148 + /* scale priority and nice values from timeslices to -20..20 */
55149 + /* to make it look like a "normal" Unix priority/nice value */
55150 + priority = task_prio(task);
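Review bot: under `CONFIG_GRKERNSEC_HIDESYM`, `wchan`, `eip` and `esp` are zeroed unconditionally, including for a process reading its own `/proc/self/stat`, whereas the `CONFIG_GRKERNSEC_PROC_MEMMAP` branch directly above exempts `current->mm` via `PAX_RAND_FLAGS`; if that asymmetry is intended (hiding kernel addresses even from the task itself), a one-line comment would stop the next reader from 'fixing' it. Minor: `eip =0;` and `esp =0;` are missing the spacing around `=` used in the rest of the file.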
55151 +@@ -521,9 +560,15 @@ static int do_task_stat(struct task_stru
55152 + vsize,
55153 + mm ? get_mm_rss(mm) : 0,
55154 + rsslim,
55155 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55156 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
55157 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
55158 ++ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
55159 ++#else
55160 + mm ? mm->start_code : 0,
55161 + mm ? mm->end_code : 0,
55162 + mm ? mm->start_stack : 0,
55163 ++#endif
55164 + esp,
55165 + eip,
55166 + /* The signal information here is obsolete.
55167 +@@ -572,3 +617,14 @@ int proc_pid_statm(struct task_struct *t
55168 + return sprintf(buffer, "%d %d %d %d %d %d %d\n",
55169 + size, resident, shared, text, lib, data, 0);
55170 + }
55171 ++
55172 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55173 ++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
55174 ++{
55175 ++ int len;
55176 ++
55177 ++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
55178 ++ return len;
55179 ++}
55180 ++#endif
55181 ++
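Review bot: `proc_pid_ipaddr` dereferences `task->signal` without a NULL check or `lock_task_sighand()`; `task->signal` is detached when a task exits, and a read of `/proc/<pid>/ipaddr` can race with that, so this can oops on a dying process. Take the sighand lock around the read, or at least return 0 when `task->signal` is NULL, the way the other signal-reading helpers in this file guard their accesses.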
55182 +diff -urNp linux-2.6.24.5/fs/proc/base.c linux-2.6.24.5/fs/proc/base.c
55183 +--- linux-2.6.24.5/fs/proc/base.c 2008-03-24 14:49:18.000000000 -0400
55184 ++++ linux-2.6.24.5/fs/proc/base.c 2008-03-26 20:21:08.000000000 -0400
55185 +@@ -76,6 +76,8 @@
55186 + #include <linux/oom.h>
55187 + #include <linux/elf.h>
55188 + #include <linux/pid_namespace.h>
55189 ++#include <linux/grsecurity.h>
55190 ++
55191 + #include "internal.h"
55192 +
55193 + /* NOTE:
55194 +@@ -126,7 +128,7 @@ struct pid_entry {
55195 + NULL, &proc_info_file_operations, \
55196 + { .proc_read = &proc_##OTYPE } )
55197 +
55198 +-int maps_protect;
55199 ++int maps_protect = 1;
55200 + EXPORT_SYMBOL(maps_protect);
55201 +
55202 + static struct fs_struct *get_fs_struct(struct task_struct *task)
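Review bot: changing `int maps_protect;` to `int maps_protect = 1;` flips the default of the `kernel.maps_protect` sysctl from off to on for every hardened kernel, a user-visible behaviour change that nothing in this hunk documents; it should be called out in the patch description or the Kconfig help text so administrators know the default differs from vanilla.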
55203 +@@ -200,7 +202,7 @@ static int proc_root_link(struct inode *
55204 + (task->parent == current && \
55205 + (task->ptrace & PT_PTRACED) && \
55206 + (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
55207 +- security_ptrace(current,task) == 0))
55208 ++ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
55209 +
55210 + struct mm_struct *mm_for_maps(struct task_struct *task)
55211 + {
55212 +@@ -265,9 +267,9 @@ static int proc_pid_auxv(struct task_str
55213 + struct mm_struct *mm = get_task_mm(task);
55214 + if (mm) {
55215 + unsigned int nwords = 0;
55216 +- do
55217 ++ do {
55218 + nwords += 2;
55219 +- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
55220 ++ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
55221 + res = nwords * sizeof(mm->saved_auxv[0]);
55222 + if (res > PAGE_SIZE)
55223 + res = PAGE_SIZE;
55224 +@@ -609,7 +611,7 @@ static ssize_t mem_read(struct file * fi
55225 + if (!task)
55226 + goto out_no_task;
55227 +
55228 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
55229 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
55230 + goto out;
55231 +
55232 + ret = -ENOMEM;
55233 +@@ -679,7 +681,7 @@ static ssize_t mem_write(struct file * f
55234 + if (!task)
55235 + goto out_no_task;
55236 +
55237 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
55238 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
55239 + goto out;
55240 +
55241 + copied = -ENOMEM;
55242 +@@ -1202,7 +1204,11 @@ static struct inode *proc_pid_make_inode
55243 + inode->i_gid = 0;
55244 + if (task_dumpable(task)) {
55245 + inode->i_uid = task->euid;
55246 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55247 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55248 ++#else
55249 + inode->i_gid = task->egid;
55250 ++#endif
55251 + }
55252 + security_task_to_inode(task, inode);
55253 +
55254 +@@ -1218,17 +1224,45 @@ static int pid_getattr(struct vfsmount *
55255 + {
55256 + struct inode *inode = dentry->d_inode;
55257 + struct task_struct *task;
55258 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55259 ++ struct task_struct *tmp = current;
55260 ++#endif
55261 ++
55262 + generic_fillattr(inode, stat);
55263 +
55264 + rcu_read_lock();
55265 + stat->uid = 0;
55266 + stat->gid = 0;
55267 + task = pid_task(proc_pid(inode), PIDTYPE_PID);
55268 +- if (task) {
55269 ++
55270 ++ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
55271 ++ rcu_read_unlock();
55272 ++ return -ENOENT;
55273 ++ }
55274 ++
55275 ++
55276 ++ if (task
55277 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55278 ++ && (!tmp->uid || (tmp->uid == task->uid)
55279 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55280 ++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
55281 ++#endif
55282 ++ )
55283 ++#endif
55284 ++ ) {
55285 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
55286 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55287 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
55288 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55289 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
55290 ++#endif
55291 + task_dumpable(task)) {
55292 + stat->uid = task->euid;
55293 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55294 ++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
55295 ++#else
55296 + stat->gid = task->egid;
55297 ++#endif
55298 + }
55299 + }
55300 + rcu_read_unlock();
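Review bot: the visibility test in the new `if (task ... )` condition compares `tmp->uid` (the caller's real uid) with `task->uid`, while the ownership reported a few lines later (`stat->uid = task->euid`) and the VFS permission path work with effective/fs ids, so a caller whose real and effective uids differ is judged by one identity here and another everywhere else; either switch to `current->fsuid` or add a comment saying the real uid is chosen on purpose. Minor: `tmp` is only an alias for `current`, and the two consecutive blank lines added after `task = pid_task(...)` should collapse to one.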
55301 +@@ -1256,11 +1290,21 @@ static int pid_revalidate(struct dentry
55302 + {
55303 + struct inode *inode = dentry->d_inode;
55304 + struct task_struct *task = get_proc_task(inode);
55305 ++
55306 + if (task) {
55307 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
55308 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55309 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
55310 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55311 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
55312 ++#endif
55313 + task_dumpable(task)) {
55314 + inode->i_uid = task->euid;
55315 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55316 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55317 ++#else
55318 + inode->i_gid = task->egid;
55319 ++#endif
55320 + } else {
55321 + inode->i_uid = 0;
55322 + inode->i_gid = 0;
55323 +@@ -1633,12 +1677,22 @@ static int proc_fd_permission(struct ino
55324 + struct nameidata *nd)
55325 + {
55326 + int rv;
55327 ++ struct task_struct *task;
55328 +
55329 + rv = generic_permission(inode, mask, NULL);
55330 +- if (rv == 0)
55331 +- return 0;
55332 ++
55333 + if (task_pid(current) == proc_pid(inode))
55334 + rv = 0;
55335 ++
55336 ++ task = get_proc_task(inode);
55337 ++ if (task == NULL)
55338 ++ return rv;
55339 ++
55340 ++ if (gr_acl_handle_procpidmem(task))
55341 ++ rv = -EACCES;
55342 ++
55343 ++ put_task_struct(task);
55344 ++
55345 + return rv;
55346 + }
55347 +
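Review bot: the `rv = -EACCES` set after `gr_acl_handle_procpidmem(task)` also overrides the `task_pid(current) == proc_pid(inode)` exemption two lines above it, so a process can now be refused its own `/proc/self/fd`; if that is intended, say so in a comment, otherwise apply the self-check after the ACL call. The early `return rv` for `task == NULL` is correct only because no reference has been taken at that point; with a `put_task_struct()` now in the function, a single exit label would make that ordering harder to break later.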
55348 +@@ -1749,6 +1803,9 @@ static struct dentry *proc_pident_lookup
55349 + if (!task)
55350 + goto out_no_task;
55351 +
55352 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55353 ++ goto out;
55354 ++
55355 + /*
55356 + * Yes, it does not scale. And it should not. Don't add
55357 + * new entries into /proc/<tgid>/ without very good reasons.
55358 +@@ -1793,6 +1850,9 @@ static int proc_pident_readdir(struct fi
55359 + if (!task)
55360 + goto out_no_task;
55361 +
55362 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55363 ++ goto out;
55364 ++
55365 + ret = 0;
55366 + i = filp->f_pos;
55367 + switch (i) {
55368 +@@ -2147,6 +2207,9 @@ static struct dentry *proc_base_lookup(s
55369 + if (p > last)
55370 + goto out;
55371 +
55372 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
55373 ++ goto out;
55374 ++
55375 + error = proc_base_instantiate(dir, dentry, task, p);
55376 +
55377 + out:
55378 +@@ -2250,6 +2313,9 @@ static const struct pid_entry tgid_base_
55379 + #ifdef CONFIG_TASK_IO_ACCOUNTING
55380 + INF("io", S_IRUGO, pid_io_accounting),
55381 + #endif
55382 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55383 ++ INF("ipaddr", S_IRUSR, pid_ipaddr),
55384 ++#endif
55385 + };
55386 +
55387 + static int proc_tgid_base_readdir(struct file * filp,
55388 +@@ -2378,7 +2444,14 @@ static struct dentry *proc_pid_instantia
55389 + if (!inode)
55390 + goto out;
55391 +
55392 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55393 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
55394 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55395 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55396 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
55397 ++#else
55398 + inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
55399 ++#endif
55400 + inode->i_op = &proc_tgid_base_inode_operations;
55401 + inode->i_fop = &proc_tgid_base_operations;
55402 + inode->i_flags|=S_IMMUTABLE;
55403 +@@ -2421,7 +2494,11 @@ struct dentry *proc_pid_lookup(struct in
55404 + if (!task)
55405 + goto out;
55406 +
55407 ++ if (gr_check_hidden_task(task))
55408 ++ goto out_put_task;
55409 ++
55410 + result = proc_pid_instantiate(dir, dentry, task, NULL);
55411 ++out_put_task:
55412 + put_task_struct(task);
55413 + out:
55414 + return result;
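Review bot: the new `if (gr_check_hidden_task(task))` omits the `gr_pid_is_chrooted(task)` half of the test that every other hook in this file uses (`pid_getattr`, `proc_pident_lookup`, `proc_pident_readdir`, `proc_base_lookup`, `proc_pid_readdir`), so a direct lookup of `/proc/<pid>` for a task the readdir filter hides on chroot grounds still instantiates the directory; either add the chroot test here or comment why lookup-by-name is deliberately allowed to succeed.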
55415 +@@ -2486,6 +2563,9 @@ int proc_pid_readdir(struct file * filp,
55416 + {
55417 + unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
55418 + struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
55419 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55420 ++ struct task_struct *tmp = current;
55421 ++#endif
55422 + struct tgid_iter iter;
55423 + struct pid_namespace *ns;
55424 +
55425 +@@ -2504,6 +2584,17 @@ int proc_pid_readdir(struct file * filp,
55426 + for (iter = next_tgid(ns, iter);
55427 + iter.task;
55428 + iter.tgid += 1, iter = next_tgid(ns, iter)) {
55429 ++ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
55430 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55431 ++ || (tmp->uid && (iter.task->uid != tmp->uid)
55432 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55433 ++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
55434 ++#endif
55435 ++ )
55436 ++#endif
55437 ++ )
55438 ++ continue;
55439 ++
55440 + filp->f_pos = iter.tgid + TGID_OFFSET;
55441 + if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
55442 + put_task_struct(iter.task);
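Review bot: the filter condition added before `filp->f_pos = iter.tgid + TGID_OFFSET` is the negation of the visibility test in `pid_getattr` (`!tmp->uid || tmp->uid == task->uid || in_group_p(...)`) written out a second time with its own `#if` ladder; factor both into one predicate (a static inline in the grsecurity headers, for example) so the two cannot drift apart. Also confirm that `next_tgid()` in the loop increment releases the skipped `iter.task`, since the `continue` bypasses the only `put_task_struct(iter.task)` visible in the loop body, and note that in a comment.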
55443 +diff -urNp linux-2.6.24.5/fs/proc/inode.c linux-2.6.24.5/fs/proc/inode.c
55444 +--- linux-2.6.24.5/fs/proc/inode.c 2008-03-24 14:49:18.000000000 -0400
55445 ++++ linux-2.6.24.5/fs/proc/inode.c 2008-03-26 20:21:08.000000000 -0400
55446 +@@ -411,7 +411,11 @@ struct inode *proc_get_inode(struct supe
55447 + if (de->mode) {
55448 + inode->i_mode = de->mode;
55449 + inode->i_uid = de->uid;
55450 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55451 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
55452 ++#else
55453 + inode->i_gid = de->gid;
55454 ++#endif
55455 + }
55456 + if (de->size)
55457 + inode->i_size = de->size;
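Review bot: the `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` branch replaces `de->gid` for every proc entry that has a `de->mode`, so an entry whose creator set a specific gid loses it; if the group override is meant only for entries using the default gid, make it conditional on `de->gid == 0`, otherwise state in the commit message that per-entry gids are intentionally ignored.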
55458 +diff -urNp linux-2.6.24.5/fs/proc/internal.h linux-2.6.24.5/fs/proc/internal.h
55459 +--- linux-2.6.24.5/fs/proc/internal.h 2008-03-24 14:49:18.000000000 -0400
55460 ++++ linux-2.6.24.5/fs/proc/internal.h 2008-03-26 20:21:08.000000000 -0400
55461 +@@ -52,6 +52,9 @@ extern int proc_tid_stat(struct task_str
55462 + extern int proc_tgid_stat(struct task_struct *, char *);
55463 + extern int proc_pid_status(struct task_struct *, char *);
55464 + extern int proc_pid_statm(struct task_struct *, char *);
55465 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
55466 ++extern int proc_pid_ipaddr(struct task_struct*,char*);
55467 ++#endif
55468 +
55469 + extern const struct file_operations proc_maps_operations;
55470 + extern const struct file_operations proc_numa_maps_operations;
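Review bot: `extern int proc_pid_ipaddr(struct task_struct*,char*);` should follow the spacing of the neighbouring prototypes (`struct task_struct *, char *`). The `INF("ipaddr", S_IRUSR, pid_ipaddr)` entry in base.c resolves to this symbol, so the two `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` guards must stay in step; they do now, but a comment on one side pointing at the other would help.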
55471 +diff -urNp linux-2.6.24.5/fs/proc/proc_misc.c linux-2.6.24.5/fs/proc/proc_misc.c
55472 +--- linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-24 14:49:18.000000000 -0400
55473 ++++ linux-2.6.24.5/fs/proc/proc_misc.c 2008-03-26 20:21:08.000000000 -0400
55474 +@@ -687,6 +687,8 @@ void create_seq_entry(char *name, mode_t
55475 +
55476 + void __init proc_misc_init(void)
55477 + {
55478 ++ int gr_mode = 0;
55479 ++
55480 + static struct {
55481 + char *name;
55482 + int (*read_proc)(char*,char**,off_t,int,int*,void*);
55483 +@@ -702,13 +704,24 @@ void __init proc_misc_init(void)
55484 + {"stram", stram_read_proc},
55485 + #endif
55486 + {"filesystems", filesystems_read_proc},
55487 ++#ifndef CONFIG_GRKERNSEC_PROC_ADD
55488 + {"cmdline", cmdline_read_proc},
55489 ++#endif
55490 + {"execdomains", execdomains_read_proc},
55491 + {NULL,}
55492 + };
55493 + for (p = simple_ones; p->name; p++)
55494 + create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
55495 +
55496 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55497 ++ gr_mode = S_IRUSR;
55498 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55499 ++ gr_mode = S_IRUSR | S_IRGRP;
55500 ++#endif
55501 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55502 ++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
55503 ++#endif
55504 ++
55505 + proc_symlink("mounts", NULL, "self/mounts");
55506 +
55507 + /* And now for trickier ones */
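Review bot: `gr_mode` stays 0 when `CONFIG_GRKERNSEC_PROC_ADD` is set without `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP`, and a 0 mode in `create_proc_read_entry()` is the default mode that the surrounding `create_proc_read_entry(p->name, 0, ...)` calls rely on for their world-readable entries; in that configuration `cmdline` is removed from `simple_ones` only to be recreated with the same permissions. Either make PROC_ADD depend on one of the two options in Kconfig or give `gr_mode` an explicit restricted value in an `#else` branch; the same applies to the `devices` and `slabinfo` entries below that reuse `gr_mode`.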
55508 +@@ -721,7 +734,11 @@ void __init proc_misc_init(void)
55509 + }
55510 + #endif
55511 + create_seq_entry("locks", 0, &proc_locks_operations);
55512 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55513 ++ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
55514 ++#else
55515 + create_seq_entry("devices", 0, &proc_devinfo_operations);
55516 ++#endif
55517 + create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
55518 + #ifdef CONFIG_BLOCK
55519 + create_seq_entry("partitions", 0, &proc_partitions_operations);
55520 +@@ -729,7 +746,11 @@ void __init proc_misc_init(void)
55521 + create_seq_entry("stat", 0, &proc_stat_operations);
55522 + create_seq_entry("interrupts", 0, &proc_interrupts_operations);
55523 + #ifdef CONFIG_SLABINFO
55524 ++#ifdef CONFIG_GRKRENSEC_PROC_ADD
55525 ++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
55526 ++#else
55527 + create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
55528 ++#endif
55529 + #ifdef CONFIG_DEBUG_SLAB_LEAK
55530 + create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
55531 + #endif
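Review bot: `CONFIG_GRKRENSEC_PROC_ADD` in the new `#ifdef` is misspelled (GRKRENSEC for GRKERNSEC), so that branch is never compiled and `slabinfo` keeps `S_IWUSR|S_IRUGO` in every configuration; fix the symbol name. A typo inside `#ifdef` fails silently, so it is worth checking the other `CONFIG_GRKERNSEC_*` guards in this patch against the Kconfig symbols the patch defines.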
55532 +@@ -747,7 +768,7 @@ void __init proc_misc_init(void)
55533 + #ifdef CONFIG_SCHEDSTATS
55534 + create_seq_entry("schedstat", 0, &proc_schedstat_operations);
55535 + #endif
55536 +-#ifdef CONFIG_PROC_KCORE
55537 ++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
55538 + proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
55539 + if (proc_root_kcore) {
55540 + proc_root_kcore->proc_fops = &proc_kcore_operations;
55541 +diff -urNp linux-2.6.24.5/fs/proc/proc_net.c linux-2.6.24.5/fs/proc/proc_net.c
55542 +--- linux-2.6.24.5/fs/proc/proc_net.c 2008-03-24 14:49:18.000000000 -0400
55543 ++++ linux-2.6.24.5/fs/proc/proc_net.c 2008-03-26 20:21:08.000000000 -0400
55544 +@@ -69,7 +69,13 @@ static __net_init int proc_net_ns_init(s
55545 + goto out;
55546 +
55547 + err = -EEXIST;
55548 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55549 ++ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, root);
55550 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55551 ++ netd = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, root);
55552 ++#else
55553 + netd = proc_mkdir("net", root);
55554 ++#endif
55555 + if (!netd)
55556 + goto free_root;
55557 +
55558 +diff -urNp linux-2.6.24.5/fs/proc/proc_sysctl.c linux-2.6.24.5/fs/proc/proc_sysctl.c
55559 +--- linux-2.6.24.5/fs/proc/proc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
55560 ++++ linux-2.6.24.5/fs/proc/proc_sysctl.c 2008-03-26 20:21:08.000000000 -0400
55561 +@@ -7,6 +7,8 @@
55562 + #include <linux/security.h>
55563 + #include "internal.h"
55564 +
55565 ++extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
55566 ++
55567 + static struct dentry_operations proc_sys_dentry_operations;
55568 + static const struct file_operations proc_sys_file_operations;
55569 + static struct inode_operations proc_sys_inode_operations;
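Review bot: the prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared in the .c file rather than a header; the other hooks in this patch come from `<linux/grsecurity.h>` (see the readdir.c and utimes.c hunks), so put this one there too, which keeps the three call sites and the definition in sync.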
55570 +@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
55571 + if (!table)
55572 + goto out;
55573 +
55574 ++ if (gr_handle_sysctl(table, 001))
55575 ++ goto out;
55576 ++
55577 + err = ERR_PTR(-ENOMEM);
55578 + inode = proc_sys_make_inode(dir, table);
55579 + if (!inode)
55580 +@@ -360,6 +365,9 @@ static int proc_sys_readdir(struct file
55581 + if (pos < filp->f_pos)
55582 + continue;
55583 +
55584 ++ if (gr_handle_sysctl(table, 0))
55585 ++ continue;
55586 ++
55587 + if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
55588 + goto out;
55589 + filp->f_pos = pos + 1;
55590 +@@ -422,6 +430,30 @@ out:
55591 + return error;
55592 + }
55593 +
55594 ++/* Eric Biederman is to blame */
55595 ++static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
55596 ++{
55597 ++ int error = 0;
55598 ++ struct ctl_table_header *head;
55599 ++ struct ctl_table *table;
55600 ++
55601 ++ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
55602 ++ /* Has the sysctl entry disappeared on us? */
55603 ++ if (!table)
55604 ++ goto out;
55605 ++
55606 ++ if (gr_handle_sysctl(table, 001)) {
55607 ++ error = -ENOENT;
55608 ++ goto out;
55609 ++ }
55610 ++
55611 ++out:
55612 ++ sysctl_head_finish(head);
55613 ++
55614 ++ generic_fillattr(dentry->d_inode, stat);
55615 ++
55616 ++ return error;
55617 ++}
55618 + static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
55619 + {
55620 + struct inode *inode = dentry->d_inode;
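Review bot: the second argument to `gr_handle_sysctl()` is a bare octal `001` here and in `proc_sys_lookup` but `0` in `proc_sys_readdir`, and nothing names what the bit means; define constants for the two op values and use them at all three call sites. The function also runs `generic_fillattr()` after setting `error = -ENOENT`; that is harmless, but returning before filling `stat` for a hidden entry would read more clearly, and a real comment should replace "Eric Biederman is to blame" to say what the getattr hook is for.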
55621 +@@ -450,6 +482,7 @@ static struct inode_operations proc_sys_
55622 + .lookup = proc_sys_lookup,
55623 + .permission = proc_sys_permission,
55624 + .setattr = proc_sys_setattr,
55625 ++ .getattr = proc_sys_getattr,
55626 + };
55627 +
55628 + static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
55629 +diff -urNp linux-2.6.24.5/fs/proc/root.c linux-2.6.24.5/fs/proc/root.c
55630 +--- linux-2.6.24.5/fs/proc/root.c 2008-03-24 14:49:18.000000000 -0400
55631 ++++ linux-2.6.24.5/fs/proc/root.c 2008-03-26 20:21:08.000000000 -0400
55632 +@@ -137,7 +137,15 @@ void __init proc_root_init(void)
55633 + #ifdef CONFIG_PROC_DEVICETREE
55634 + proc_device_tree_init();
55635 + #endif
55636 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
55637 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
55638 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
55639 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55640 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
55641 ++#endif
55642 ++#else
55643 + proc_bus = proc_mkdir("bus", NULL);
55644 ++#endif
55645 + proc_sys_init();
55646 + }
55647 +
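Review bot: inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` the inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` ladder has no `#else`, so with PROC_ADD enabled but neither USER nor USERGROUP `proc_bus` is never assigned and `/proc/bus` is not created; add an `#else` that falls back to `proc_mkdir("bus", NULL)` (or whatever restricted mode the option intends), the way the proc_net.c hunk does for `net`.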
55648 +diff -urNp linux-2.6.24.5/fs/proc/task_mmu.c linux-2.6.24.5/fs/proc/task_mmu.c
55649 +--- linux-2.6.24.5/fs/proc/task_mmu.c 2008-03-24 14:49:18.000000000 -0400
55650 ++++ linux-2.6.24.5/fs/proc/task_mmu.c 2008-03-26 20:21:08.000000000 -0400
55651 +@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
55652 + "VmStk:\t%8lu kB\n"
55653 + "VmExe:\t%8lu kB\n"
55654 + "VmLib:\t%8lu kB\n"
55655 +- "VmPTE:\t%8lu kB\n",
55656 +- hiwater_vm << (PAGE_SHIFT-10),
55657 ++ "VmPTE:\t%8lu kB\n"
55658 ++
55659 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
55660 ++ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
55661 ++#endif
55662 ++
55663 ++ ,hiwater_vm << (PAGE_SHIFT-10),
55664 + (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
55665 + mm->locked_vm << (PAGE_SHIFT-10),
55666 + hiwater_rss << (PAGE_SHIFT-10),
55667 + total_rss << (PAGE_SHIFT-10),
55668 + data << (PAGE_SHIFT-10),
55669 + mm->stack_vm << (PAGE_SHIFT-10), text, lib,
55670 +- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
55671 ++ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
55672 ++
55673 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
55674 ++ , mm->context.user_cs_base, mm->context.user_cs_limit
55675 ++#endif
55676 ++
55677 ++ );
55678 ++
55679 + return buffer;
55680 + }
55681 +
55682 +@@ -131,6 +143,12 @@ struct pmd_walker {
55683 + unsigned long, void *);
55684 + };
55685 +
55686 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55687 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
55688 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
55689 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
55690 ++#endif
55691 ++
55692 + static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
55693 + {
55694 + struct proc_maps_private *priv = m->private;
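Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument unparenthesized (`_mm != NULL`, `_mm->pax_flags`), so any non-trivial expression passed to it would mis-parse; wrap each use as `(_mm)`, or better make it a `static inline` predicate that gets type checking. Since the macro only exists under `CONFIG_GRKERNSEC_PROC_MEMMAP`, every later use must sit inside the same `#ifdef`, which the following hunks do, but an inline that evaluates to false when the option is off would remove that fragility.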
55695 +@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
55696 + }
55697 +
55698 + seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
55699 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55700 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
55701 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
55702 ++#else
55703 + vma->vm_start,
55704 + vma->vm_end,
55705 ++#endif
55706 + flags & VM_READ ? 'r' : '-',
55707 + flags & VM_WRITE ? 'w' : '-',
55708 + flags & VM_EXEC ? 'x' : '-',
55709 + flags & VM_MAYSHARE ? 's' : 'p',
55710 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55711 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
55712 ++#else
55713 + vma->vm_pgoff << PAGE_SHIFT,
55714 ++#endif
55715 + MAJOR(dev), MINOR(dev), ino, &len);
55716 +
55717 + /*
55718 +@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
55719 + const char *name = arch_vma_name(vma);
55720 + if (!name) {
55721 + if (mm) {
55722 +- if (vma->vm_start <= mm->start_brk &&
55723 +- vma->vm_end >= mm->brk) {
55724 ++ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
55725 + name = "[heap]";
55726 +- } else if (vma->vm_start <= mm->start_stack &&
55727 +- vma->vm_end >= mm->start_stack) {
55728 ++ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
55729 ++ (vma->vm_start <= mm->start_stack &&
55730 ++ vma->vm_end >= mm->start_stack)) {
55731 + name = "[stack]";
55732 + }
55733 + } else {
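Review bot: the new `[stack]` test labels any VMA carrying `VM_GROWSDOWN | VM_GROWSUP` as `[stack]` before the `start_stack` range check runs, and the `[heap]` test moves from containment (`vm_start <= start_brk && vm_end >= brk`) to overlap (`vm_start <= brk && vm_end >= start_brk`); both change what `/proc/<pid>/maps` reports and should be explained in the commit message, because tooling that parses maps keys on these names.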
55734 +@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
55735 + }
55736 + seq_putc(m, '\n');
55737 +
55738 +- if (mss)
55739 ++
55740 ++ if (mss) {
55741 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
55742 ++ if (PAX_RAND_FLAGS(mm))
55743 ++ seq_printf(m,
55744 ++ "Size: %8lu kB\n"
55745 ++ "Rss: %8lu kB\n"
55746 ++ "Shared_Clean: %8lu kB\n"
55747 ++ "Shared_Dirty: %8lu kB\n"
55748 ++ "Private_Clean: %8lu kB\n"
55749 ++ "Private_Dirty: %8lu kB\n",
55750 ++ "Referenced: %8lu kB\n",
55751 ++ 0UL,
55752 ++ 0UL,
55753 ++ 0UL,
55754 ++ 0UL,
55755 ++ 0UL,
55756 ++ 0UL,
55757 ++ 0UL);
55758 ++ else
55759 ++#endif
55760 + seq_printf(m,
55761 + "Size: %8lu kB\n"
55762 + "Rss: %8lu kB\n"
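Review bot: the `seq_printf()` in the new `if (PAX_RAND_FLAGS(mm))` branch has a stray comma after `"Private_Dirty: %8lu kB\n",` which ends the format string early: `"Referenced: %8lu kB\n"` becomes the first vararg and is printed by the first `%lu` as a pointer value, the remaining five `%lu`s consume five of the seven `0UL`s, and the Referenced line is never emitted. Drop that comma so the string literals concatenate, exactly as the unrandomised branch below does; as written, the output that exists to hide addresses prints a kernel address instead of a zero.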
55763 +@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
55764 + mss->private_clean >> 10,
55765 + mss->private_dirty >> 10,
55766 + mss->referenced >> 10);
55767 ++ }
55768 +
55769 + if (m->count < m->size) /* vma is copied successfully */
55770 + m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
55771 +diff -urNp linux-2.6.24.5/fs/readdir.c linux-2.6.24.5/fs/readdir.c
55772 +--- linux-2.6.24.5/fs/readdir.c 2008-03-24 14:49:18.000000000 -0400
55773 ++++ linux-2.6.24.5/fs/readdir.c 2008-03-26 20:21:08.000000000 -0400
55774 +@@ -16,6 +16,8 @@
55775 + #include <linux/security.h>
55776 + #include <linux/syscalls.h>
55777 + #include <linux/unistd.h>
55778 ++#include <linux/namei.h>
55779 ++#include <linux/grsecurity.h>
55780 +
55781 + #include <asm/uaccess.h>
55782 +
55783 +@@ -64,6 +66,7 @@ struct old_linux_dirent {
55784 +
55785 + struct readdir_callback {
55786 + struct old_linux_dirent __user * dirent;
55787 ++ struct file * file;
55788 + int result;
55789 + };
55790 +
55791 +@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
55792 + d_ino = ino;
55793 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
55794 + return -EOVERFLOW;
55795 ++
55796 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55797 ++ return 0;
55798 ++
55799 + buf->result++;
55800 + dirent = buf->dirent;
55801 + if (!access_ok(VERIFY_WRITE, dirent,
55802 +@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
55803 +
55804 + buf.result = 0;
55805 + buf.dirent = dirent;
55806 ++ buf.file = file;
55807 +
55808 + error = vfs_readdir(file, fillonedir, &buf);
55809 + if (error >= 0)
55810 +@@ -136,6 +144,7 @@ struct linux_dirent {
55811 + struct getdents_callback {
55812 + struct linux_dirent __user * current_dir;
55813 + struct linux_dirent __user * previous;
55814 ++ struct file * file;
55815 + int count;
55816 + int error;
55817 + };
55818 +@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
55819 + d_ino = ino;
55820 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
55821 + return -EOVERFLOW;
55822 ++
55823 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55824 ++ return 0;
55825 ++
55826 + dirent = buf->previous;
55827 + if (dirent) {
55828 + if (__put_user(offset, &dirent->d_off))
55829 +@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
55830 + buf.previous = NULL;
55831 + buf.count = count;
55832 + buf.error = 0;
55833 ++ buf.file = file;
55834 +
55835 + error = vfs_readdir(file, filldir, &buf);
55836 + if (error < 0)
55837 +@@ -222,6 +236,7 @@ out:
55838 + struct getdents_callback64 {
55839 + struct linux_dirent64 __user * current_dir;
55840 + struct linux_dirent64 __user * previous;
55841 ++ struct file *file;
55842 + int count;
55843 + int error;
55844 + };
55845 +@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
55846 + buf->error = -EINVAL; /* only used if we fail.. */
55847 + if (reclen > buf->count)
55848 + return -EINVAL;
55849 ++
55850 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
55851 ++ return 0;
55852 ++
55853 + dirent = buf->previous;
55854 + if (dirent) {
55855 + if (__put_user(offset, &dirent->d_off))
55856 +@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
55857 +
55858 + buf.current_dir = dirent;
55859 + buf.previous = NULL;
55860 ++ buf.file = file;
55861 + buf.count = count;
55862 + buf.error = 0;
55863 +
55864 +diff -urNp linux-2.6.24.5/fs/smbfs/symlink.c linux-2.6.24.5/fs/smbfs/symlink.c
55865 +--- linux-2.6.24.5/fs/smbfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
55866 ++++ linux-2.6.24.5/fs/smbfs/symlink.c 2008-03-26 20:21:08.000000000 -0400
55867 +@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
55868 +
55869 + static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
55870 + {
55871 +- char *s = nd_get_link(nd);
55872 ++ const char *s = nd_get_link(nd);
55873 + if (!IS_ERR(s))
55874 + __putname(s);
55875 + }
55876 +diff -urNp linux-2.6.24.5/fs/sysfs/symlink.c linux-2.6.24.5/fs/sysfs/symlink.c
55877 +--- linux-2.6.24.5/fs/sysfs/symlink.c 2008-03-24 14:49:18.000000000 -0400
55878 ++++ linux-2.6.24.5/fs/sysfs/symlink.c 2008-03-26 20:21:08.000000000 -0400
55879 +@@ -172,7 +172,7 @@ static void *sysfs_follow_link(struct de
55880 +
55881 + static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
55882 + {
55883 +- char *page = nd_get_link(nd);
55884 ++ const char *page = nd_get_link(nd);
55885 + if (!IS_ERR(page))
55886 + free_page((unsigned long)page);
55887 + }
55888 +diff -urNp linux-2.6.24.5/fs/udf/balloc.c linux-2.6.24.5/fs/udf/balloc.c
55889 +--- linux-2.6.24.5/fs/udf/balloc.c 2008-03-24 14:49:18.000000000 -0400
55890 ++++ linux-2.6.24.5/fs/udf/balloc.c 2008-03-26 20:21:08.000000000 -0400
55891 +@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
55892 + unsigned long overflow;
55893 +
55894 + mutex_lock(&sbi->s_alloc_mutex);
55895 +- if (bloc.logicalBlockNum < 0 ||
55896 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55897 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55898 + udf_debug("%d < %d || %d + %d > %d\n",
55899 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
55900 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
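Review bot: after dropping the `bloc.logicalBlockNum < 0` test, the `udf_debug("%d < %d || %d + %d > %d\n", ...)` message still prints the removed comparison (`bloc.logicalBlockNum, 0`), so the debug output describes a check that no longer exists; trim the format and arguments to the remaining `%d + %d > %d` test. The same stale message is left behind in the `udf_table_free_blocks` hunk below.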
55901 +@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
55902 + struct buffer_head *bh;
55903 +
55904 + mutex_lock(&sbi->s_alloc_mutex);
55905 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
55906 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
55907 + goto out;
55908 +
55909 + if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
55910 +@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
55911 + mutex_lock(&sbi->s_alloc_mutex);
55912 +
55913 + repeat:
55914 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
55915 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
55916 + goal = 0;
55917 +
55918 + nr_groups = bitmap->s_nr_groups;
55919 +@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
55920 + int i;
55921 +
55922 + mutex_lock(&sbi->s_alloc_mutex);
55923 +- if (bloc.logicalBlockNum < 0 ||
55924 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55925 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
55926 + udf_debug("%d < %d || %d + %d > %d\n",
55927 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
55928 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
55929 +@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
55930 + struct extent_position epos;
55931 + int8_t etype = -1;
55932 +
55933 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
55934 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
55935 + return 0;
55936 +
55937 + if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
55938 +@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
55939 + return newblock;
55940 +
55941 + mutex_lock(&sbi->s_alloc_mutex);
55942 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
55943 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
55944 + goal = 0;
55945 +
55946 + /* We search for the closest matching block to goal. If we find a exact hit,
55947 +diff -urNp linux-2.6.24.5/fs/udf/inode.c linux-2.6.24.5/fs/udf/inode.c
55948 +--- linux-2.6.24.5/fs/udf/inode.c 2008-03-24 14:49:18.000000000 -0400
55949 ++++ linux-2.6.24.5/fs/udf/inode.c 2008-03-26 20:21:08.000000000 -0400
55950 +@@ -311,9 +311,6 @@ static int udf_get_block(struct inode *i
55951 +
55952 + lock_kernel();
55953 +
55954 +- if (block < 0)
55955 +- goto abort_negative;
55956 +-
55957 + if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
55958 + UDF_I_NEXT_ALLOC_BLOCK(inode)++;
55959 + UDF_I_NEXT_ALLOC_GOAL(inode)++;
55960 +@@ -334,10 +331,6 @@ static int udf_get_block(struct inode *i
55961 + abort:
55962 + unlock_kernel();
55963 + return err;
55964 +-
55965 +-abort_negative:
55966 +- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
55967 +- goto abort;
55968 + }
55969 +
55970 + static struct buffer_head *udf_getblk(struct inode *inode, long block,
55971 +diff -urNp linux-2.6.24.5/fs/ufs/inode.c linux-2.6.24.5/fs/ufs/inode.c
55972 +--- linux-2.6.24.5/fs/ufs/inode.c 2008-03-24 14:49:18.000000000 -0400
55973 ++++ linux-2.6.24.5/fs/ufs/inode.c 2008-03-26 20:21:08.000000000 -0400
55974 +@@ -56,9 +56,7 @@ static int ufs_block_to_path(struct inod
55975 +
55976 +
55977 + UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
55978 +- if (i_block < 0) {
55979 +- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
55980 +- } else if (i_block < direct_blocks) {
55981 ++ if (i_block < direct_blocks) {
55982 + offsets[n++] = i_block;
55983 + } else if ((i_block -= direct_blocks) < indirect_blocks) {
55984 + offsets[n++] = UFS_IND_BLOCK;
55985 +@@ -440,8 +438,6 @@ int ufs_getfrag_block(struct inode *inod
55986 + lock_kernel();
55987 +
55988 + UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
55989 +- if (fragment < 0)
55990 +- goto abort_negative;
55991 + if (fragment >
55992 + ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
55993 + << uspi->s_fpbshift))
55994 +@@ -504,10 +500,6 @@ abort:
55995 + unlock_kernel();
55996 + return err;
55997 +
55998 +-abort_negative:
55999 +- ufs_warning(sb, "ufs_get_block", "block < 0");
56000 +- goto abort;
56001 +-
56002 + abort_too_big:
56003 + ufs_warning(sb, "ufs_get_block", "block > big");
56004 + goto abort;
56005 +diff -urNp linux-2.6.24.5/fs/utimes.c linux-2.6.24.5/fs/utimes.c
56006 +--- linux-2.6.24.5/fs/utimes.c 2008-03-24 14:49:18.000000000 -0400
56007 ++++ linux-2.6.24.5/fs/utimes.c 2008-03-26 20:21:08.000000000 -0400
56008 +@@ -6,6 +6,7 @@
56009 + #include <linux/sched.h>
56010 + #include <linux/stat.h>
56011 + #include <linux/utime.h>
56012 ++#include <linux/grsecurity.h>
56013 + #include <asm/uaccess.h>
56014 + #include <asm/unistd.h>
56015 +
56016 +@@ -55,6 +56,7 @@ long do_utimes(int dfd, char __user *fil
56017 + int error;
56018 + struct nameidata nd;
56019 + struct dentry *dentry;
56020 ++ struct vfsmount *mnt;
56021 + struct inode *inode;
56022 + struct iattr newattrs;
56023 + struct file *f = NULL;
56024 +@@ -78,12 +80,14 @@ long do_utimes(int dfd, char __user *fil
56025 + if (!f)
56026 + goto out;
56027 + dentry = f->f_path.dentry;
56028 ++ mnt = f->f_path.mnt;
56029 + } else {
56030 + error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
56031 + if (error)
56032 + goto out;
56033 +
56034 + dentry = nd.dentry;
56035 ++ mnt = nd.mnt;
56036 + }
56037 +
56038 + inode = dentry->d_inode;
56039 +@@ -130,6 +134,12 @@ long do_utimes(int dfd, char __user *fil
56040 + }
56041 + }
56042 + }
56043 ++
56044 ++ if (!gr_acl_handle_utime(dentry, mnt)) {
56045 ++ error = -EACCES;
56046 ++ goto dput_and_out;
56047 ++ }
56048 ++
56049 + mutex_lock(&inode->i_mutex);
56050 + error = notify_change(dentry, &newattrs);
56051 + mutex_unlock(&inode->i_mutex);
56052 +diff -urNp linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c
56053 +--- linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c 2008-03-24 14:49:18.000000000 -0400
56054 ++++ linux-2.6.24.5/fs/xfs/linux-2.6/xfs_iops.c 2008-03-26 20:21:09.000000000 -0400
56055 +@@ -534,7 +534,7 @@ xfs_vn_put_link(
56056 + struct nameidata *nd,
56057 + void *p)
56058 + {
56059 +- char *s = nd_get_link(nd);
56060 ++ const char *s = nd_get_link(nd);
56061 +
56062 + if (!IS_ERR(s))
56063 + kfree(s);
56064 +diff -urNp linux-2.6.24.5/fs/xfs/xfs_bmap.c linux-2.6.24.5/fs/xfs/xfs_bmap.c
56065 +--- linux-2.6.24.5/fs/xfs/xfs_bmap.c 2008-03-24 14:49:18.000000000 -0400
56066 ++++ linux-2.6.24.5/fs/xfs/xfs_bmap.c 2008-03-26 20:21:09.000000000 -0400
56067 +@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
56068 + int nmap,
56069 + int ret_nmap);
56070 + #else
56071 +-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
56072 ++#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
56073 + #endif /* DEBUG */
56074 +
56075 + #if defined(XFS_RW_TRACE)
56076 +diff -urNp linux-2.6.24.5/grsecurity/gracl_alloc.c linux-2.6.24.5/grsecurity/gracl_alloc.c
56077 +--- linux-2.6.24.5/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
56078 ++++ linux-2.6.24.5/grsecurity/gracl_alloc.c 2008-03-26 20:21:09.000000000 -0400
56079 +@@ -0,0 +1,91 @@
56080 ++#include <linux/kernel.h>
56081 ++#include <linux/mm.h>
56082 ++#include <linux/slab.h>
56083 ++#include <linux/vmalloc.h>
56084 ++#include <linux/gracl.h>
56085 ++#include <linux/grsecurity.h>
56086 ++
56087 ++static unsigned long alloc_stack_next = 1;
56088 ++static unsigned long alloc_stack_size = 1;
56089 ++static void **alloc_stack;
56090 ++
56091 ++static __inline__ int
56092 ++alloc_pop(void)
56093 ++{
56094 ++ if (alloc_stack_next == 1)
56095 ++ return 0;
56096 ++
56097 ++ kfree(alloc_stack[alloc_stack_next - 2]);
56098 ++
56099 ++ alloc_stack_next--;
56100 ++
56101 ++ return 1;
56102 ++}
56103 ++
56104 ++static __inline__ void
56105 ++alloc_push(void *buf)
56106 ++{
56107 ++ if (alloc_stack_next >= alloc_stack_size)
56108 ++ BUG();
56109 ++
56110 ++ alloc_stack[alloc_stack_next - 1] = buf;
56111 ++
56112 ++ alloc_stack_next++;
56113 ++
56114 ++ return;
56115 ++}
56116 ++
56117 ++void *
56118 ++acl_alloc(unsigned long len)
56119 ++{
56120 ++ void *ret;
56121 ++
56122 ++ if (len > PAGE_SIZE)
56123 ++ BUG();
56124 ++
56125 ++ ret = kmalloc(len, GFP_KERNEL);
56126 ++
56127 ++ if (ret)
56128 ++ alloc_push(ret);
56129 ++
56130 ++ return ret;
56131 ++}
56132 ++
56133 ++void
56134 ++acl_free_all(void)
56135 ++{
56136 ++ if (gr_acl_is_enabled() || !alloc_stack)
56137 ++ return;
56138 ++
56139 ++ while (alloc_pop()) ;
56140 ++
56141 ++ if (alloc_stack) {
56142 ++ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
56143 ++ kfree(alloc_stack);
56144 ++ else
56145 ++ vfree(alloc_stack);
56146 ++ }
56147 ++
56148 ++ alloc_stack = NULL;
56149 ++ alloc_stack_size = 1;
56150 ++ alloc_stack_next = 1;
56151 ++
56152 ++ return;
56153 ++}
56154 ++
56155 ++int
56156 ++acl_alloc_stack_init(unsigned long size)
56157 ++{
56158 ++ if ((size * sizeof (void *)) <= PAGE_SIZE)
56159 ++ alloc_stack =
56160 ++ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
56161 ++ else
56162 ++ alloc_stack = (void **) vmalloc(size * sizeof (void *));
56163 ++
56164 ++ alloc_stack_size = size;
56165 ++
56166 ++ if (!alloc_stack)
56167 ++ return 0;
56168 ++ else
56169 ++ return 1;
56170 ++}
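Review bot: `alloc_push` and `acl_alloc` turn a recoverable error into a kernel `BUG()`: `if (alloc_stack_next >= alloc_stack_size) BUG();` fires as soon as more pointers are pushed than `acl_alloc_stack_init` was sized for, and that size is `arg->role_db.num_pointers + 5` taken from the policy that userspace hands to the kernel (see `init_variables` in the following hunk), so a policy whose declared pointer count disagrees with its actual contents kills the loading task with an oops (a full panic under panic_on_oops) instead of failing the load. Have `alloc_push` return an error and `acl_alloc` return NULL on a full stack, and likewise return NULL instead of `BUG()` for `len > PAGE_SIZE`, so the callers can unwind with -ENOMEM/-EINVAL. Two smaller points: `acl_alloc_stack_init` computes `size * sizeof (void *)` with no overflow check on the caller-supplied `size`, and the `if (alloc_stack)` test in `acl_free_all` is redundant after the early `|| !alloc_stack` return just above it.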
56171 +diff -urNp linux-2.6.24.5/grsecurity/gracl.c linux-2.6.24.5/grsecurity/gracl.c
56172 +--- linux-2.6.24.5/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
56173 ++++ linux-2.6.24.5/grsecurity/gracl.c 2008-03-26 20:21:09.000000000 -0400
56174 +@@ -0,0 +1,3722 @@
56175 ++#include <linux/kernel.h>
56176 ++#include <linux/module.h>
56177 ++#include <linux/sched.h>
56178 ++#include <linux/mm.h>
56179 ++#include <linux/file.h>
56180 ++#include <linux/fs.h>
56181 ++#include <linux/namei.h>
56182 ++#include <linux/mount.h>
56183 ++#include <linux/tty.h>
56184 ++#include <linux/proc_fs.h>
56185 ++#include <linux/smp_lock.h>
56186 ++#include <linux/slab.h>
56187 ++#include <linux/vmalloc.h>
56188 ++#include <linux/types.h>
56189 ++#include <linux/capability.h>
56190 ++#include <linux/sysctl.h>
56191 ++#include <linux/netdevice.h>
56192 ++#include <linux/ptrace.h>
56193 ++#include <linux/gracl.h>
56194 ++#include <linux/gralloc.h>
56195 ++#include <linux/grsecurity.h>
56196 ++#include <linux/grinternal.h>
56197 ++#include <linux/pid_namespace.h>
56198 ++#include <linux/percpu.h>
56199 ++
56200 ++#include <asm/uaccess.h>
56201 ++#include <asm/errno.h>
56202 ++#include <asm/mman.h>
56203 ++
56204 ++static struct acl_role_db acl_role_set;
56205 ++static struct name_db name_set;
56206 ++static struct inodev_db inodev_set;
56207 ++
56208 ++/* for keeping track of userspace pointers used for subjects, so we
56209 ++ can share references in the kernel as well
56210 ++*/
56211 ++
56212 ++static struct dentry *real_root;
56213 ++static struct vfsmount *real_root_mnt;
56214 ++
56215 ++static struct acl_subj_map_db subj_map_set;
56216 ++
56217 ++static struct acl_role_label *default_role;
56218 ++
56219 ++static u16 acl_sp_role_value;
56220 ++
56221 ++extern char *gr_shared_page[4];
56222 ++static DECLARE_MUTEX(gr_dev_sem);
56223 ++rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
56224 ++
56225 ++struct gr_arg *gr_usermode;
56226 ++
56227 ++static unsigned int gr_status = GR_STATUS_INIT;
56228 ++
56229 ++extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
56230 ++extern void gr_clear_learn_entries(void);
56231 ++
56232 ++#ifdef CONFIG_GRKERNSEC_RESLOG
56233 ++extern void gr_log_resource(const struct task_struct *task,
56234 ++ const int res, const unsigned long wanted, const int gt);
56235 ++#endif
56236 ++
56237 ++unsigned char *gr_system_salt;
56238 ++unsigned char *gr_system_sum;
56239 ++
56240 ++static struct sprole_pw **acl_special_roles = NULL;
56241 ++static __u16 num_sprole_pws = 0;
56242 ++
56243 ++static struct acl_role_label *kernel_role = NULL;
56244 ++
56245 ++static unsigned int gr_auth_attempts = 0;
56246 ++static unsigned long gr_auth_expires = 0UL;
56247 ++
56248 ++extern struct vfsmount *sock_mnt;
56249 ++extern struct vfsmount *pipe_mnt;
56250 ++extern struct vfsmount *shm_mnt;
56251 ++static struct acl_object_label *fakefs_obj;
56252 ++
56253 ++extern int gr_init_uidset(void);
56254 ++extern void gr_free_uidset(void);
56255 ++extern void gr_remove_uid(uid_t uid);
56256 ++extern int gr_find_uid(uid_t uid);
56257 ++
56258 ++__inline__ int
56259 ++gr_acl_is_enabled(void)
56260 ++{
56261 ++ return (gr_status & GR_READY);
56262 ++}
56263 ++
56264 ++char gr_roletype_to_char(void)
56265 ++{
56266 ++ switch (current->role->roletype &
56267 ++ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
56268 ++ GR_ROLE_SPECIAL)) {
56269 ++ case GR_ROLE_DEFAULT:
56270 ++ return 'D';
56271 ++ case GR_ROLE_USER:
56272 ++ return 'U';
56273 ++ case GR_ROLE_GROUP:
56274 ++ return 'G';
56275 ++ case GR_ROLE_SPECIAL:
56276 ++ return 'S';
56277 ++ }
56278 ++
56279 ++ return 'X';
56280 ++}
56281 ++
56282 ++__inline__ int
56283 ++gr_acl_tpe_check(void)
56284 ++{
56285 ++ if (unlikely(!(gr_status & GR_READY)))
56286 ++ return 0;
56287 ++ if (current->role->roletype & GR_ROLE_TPE)
56288 ++ return 1;
56289 ++ else
56290 ++ return 0;
56291 ++}
56292 ++
56293 ++int
56294 ++gr_handle_rawio(const struct inode *inode)
56295 ++{
56296 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56297 ++ if (inode && S_ISBLK(inode->i_mode) &&
56298 ++ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
56299 ++ !capable(CAP_SYS_RAWIO))
56300 ++ return 1;
56301 ++#endif
56302 ++ return 0;
56303 ++}
56304 ++
56305 ++static int
56306 ++gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
56307 ++{
56308 ++ int i;
56309 ++ unsigned long *l1;
56310 ++ unsigned long *l2;
56311 ++ unsigned char *c1;
56312 ++ unsigned char *c2;
56313 ++ int num_longs;
56314 ++
56315 ++ if (likely(lena != lenb))
56316 ++ return 0;
56317 ++
56318 ++ l1 = (unsigned long *)a;
56319 ++ l2 = (unsigned long *)b;
56320 ++
56321 ++ num_longs = lena / sizeof(unsigned long);
56322 ++
56323 ++ for (i = num_longs; i--; l1++, l2++) {
56324 ++ if (unlikely(*l1 != *l2))
56325 ++ return 0;
56326 ++ }
56327 ++
56328 ++ c1 = (unsigned char *) l1;
56329 ++ c2 = (unsigned char *) l2;
56330 ++
56331 ++ i = lena - (num_longs * sizeof(unsigned long));
56332 ++
56333 ++ for (; i--; c1++, c2++) {
56334 ++ if (unlikely(*c1 != *c2))
56335 ++ return 0;
56336 ++ }
56337 ++
56338 ++ return 1;
56339 ++}
56340 ++
56341 ++static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
56342 ++ struct dentry *root, struct vfsmount *rootmnt,
56343 ++ char *buffer, int buflen)
56344 ++{
56345 ++ char * end = buffer+buflen;
56346 ++ char * retval;
56347 ++ int namelen;
56348 ++
56349 ++ *--end = '\0';
56350 ++ buflen--;
56351 ++
56352 ++ if (buflen < 1)
56353 ++ goto Elong;
56354 ++ /* Get '/' right */
56355 ++ retval = end-1;
56356 ++ *retval = '/';
56357 ++
56358 ++ for (;;) {
56359 ++ struct dentry * parent;
56360 ++
56361 ++ if (dentry == root && vfsmnt == rootmnt)
56362 ++ break;
56363 ++ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
56364 ++ /* Global root? */
56365 ++ spin_lock(&vfsmount_lock);
56366 ++ if (vfsmnt->mnt_parent == vfsmnt) {
56367 ++ spin_unlock(&vfsmount_lock);
56368 ++ goto global_root;
56369 ++ }
56370 ++ dentry = vfsmnt->mnt_mountpoint;
56371 ++ vfsmnt = vfsmnt->mnt_parent;
56372 ++ spin_unlock(&vfsmount_lock);
56373 ++ continue;
56374 ++ }
56375 ++ parent = dentry->d_parent;
56376 ++ prefetch(parent);
56377 ++ namelen = dentry->d_name.len;
56378 ++ buflen -= namelen + 1;
56379 ++ if (buflen < 0)
56380 ++ goto Elong;
56381 ++ end -= namelen;
56382 ++ memcpy(end, dentry->d_name.name, namelen);
56383 ++ *--end = '/';
56384 ++ retval = end;
56385 ++ dentry = parent;
56386 ++ }
56387 ++
56388 ++ return retval;
56389 ++
56390 ++global_root:
56391 ++ namelen = dentry->d_name.len;
56392 ++ buflen -= namelen;
56393 ++ if (buflen < 0)
56394 ++ goto Elong;
56395 ++ retval -= namelen-1; /* hit the slash */
56396 ++ memcpy(retval, dentry->d_name.name, namelen);
56397 ++ return retval;
56398 ++Elong:
56399 ++ return ERR_PTR(-ENAMETOOLONG);
56400 ++}
56401 ++
56402 ++static char *
56403 ++gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
56404 ++ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
56405 ++{
56406 ++ char *retval;
56407 ++
56408 ++ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
56409 ++ if (unlikely(IS_ERR(retval)))
56410 ++ retval = strcpy(buf, "<path too long>");
56411 ++ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
56412 ++ retval[1] = '\0';
56413 ++
56414 ++ return retval;
56415 ++}
56416 ++
56417 ++static char *
56418 ++__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
56419 ++ char *buf, int buflen)
56420 ++{
56421 ++ char *res;
56422 ++
56423 ++ /* we can use real_root, real_root_mnt, because this is only called
56424 ++ by the RBAC system */
56425 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
56426 ++
56427 ++ return res;
56428 ++}
56429 ++
56430 ++static char *
56431 ++d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
56432 ++ char *buf, int buflen)
56433 ++{
56434 ++ char *res;
56435 ++ struct dentry *root;
56436 ++ struct vfsmount *rootmnt;
56437 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
56438 ++
56439 ++ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
56440 ++ read_lock(&reaper->fs->lock);
56441 ++ root = dget(reaper->fs->root);
56442 ++ rootmnt = mntget(reaper->fs->rootmnt);
56443 ++ read_unlock(&reaper->fs->lock);
56444 ++
56445 ++ spin_lock(&dcache_lock);
56446 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
56447 ++ spin_unlock(&dcache_lock);
56448 ++
56449 ++ dput(root);
56450 ++ mntput(rootmnt);
56451 ++ return res;
56452 ++}
56453 ++
56454 ++static char *
56455 ++gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
56456 ++{
56457 ++ char *ret;
56458 ++ spin_lock(&dcache_lock);
56459 ++ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
56460 ++ PAGE_SIZE);
56461 ++ spin_unlock(&dcache_lock);
56462 ++ return ret;
56463 ++}
56464 ++
56465 ++char *
56466 ++gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
56467 ++{
56468 ++ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
56469 ++ PAGE_SIZE);
56470 ++}
56471 ++
56472 ++char *
56473 ++gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
56474 ++{
56475 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
56476 ++ PAGE_SIZE);
56477 ++}
56478 ++
56479 ++char *
56480 ++gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
56481 ++{
56482 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
56483 ++ PAGE_SIZE);
56484 ++}
56485 ++
56486 ++char *
56487 ++gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
56488 ++{
56489 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
56490 ++ PAGE_SIZE);
56491 ++}
56492 ++
56493 ++char *
56494 ++gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
56495 ++{
56496 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
56497 ++ PAGE_SIZE);
56498 ++}
56499 ++
56500 ++__inline__ __u32
56501 ++to_gr_audit(const __u32 reqmode)
56502 ++{
56503 ++ /* masks off auditable permission flags, then shifts them to create
56504 ++ auditing flags, and adds the special case of append auditing if
56505 ++ we're requesting write */
56506 ++ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
56507 ++}
56508 ++
56509 ++struct acl_subject_label *
56510 ++lookup_subject_map(const struct acl_subject_label *userp)
56511 ++{
56512 ++ unsigned int index = shash(userp, subj_map_set.s_size);
56513 ++ struct subject_map *match;
56514 ++
56515 ++ match = subj_map_set.s_hash[index];
56516 ++
56517 ++ while (match && match->user != userp)
56518 ++ match = match->next;
56519 ++
56520 ++ if (match != NULL)
56521 ++ return match->kernel;
56522 ++ else
56523 ++ return NULL;
56524 ++}
56525 ++
56526 ++static void
56527 ++insert_subj_map_entry(struct subject_map *subjmap)
56528 ++{
56529 ++ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
56530 ++ struct subject_map **curr;
56531 ++
56532 ++ subjmap->prev = NULL;
56533 ++
56534 ++ curr = &subj_map_set.s_hash[index];
56535 ++ if (*curr != NULL)
56536 ++ (*curr)->prev = subjmap;
56537 ++
56538 ++ subjmap->next = *curr;
56539 ++ *curr = subjmap;
56540 ++
56541 ++ return;
56542 ++}
56543 ++
56544 ++static struct acl_role_label *
56545 ++lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
56546 ++ const gid_t gid)
56547 ++{
56548 ++ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
56549 ++ struct acl_role_label *match;
56550 ++ struct role_allowed_ip *ipp;
56551 ++ unsigned int x;
56552 ++
56553 ++ match = acl_role_set.r_hash[index];
56554 ++
56555 ++ while (match) {
56556 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
56557 ++ for (x = 0; x < match->domain_child_num; x++) {
56558 ++ if (match->domain_children[x] == uid)
56559 ++ goto found;
56560 ++ }
56561 ++ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
56562 ++ break;
56563 ++ match = match->next;
56564 ++ }
56565 ++found:
56566 ++ if (match == NULL) {
56567 ++ try_group:
56568 ++ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
56569 ++ match = acl_role_set.r_hash[index];
56570 ++
56571 ++ while (match) {
56572 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
56573 ++ for (x = 0; x < match->domain_child_num; x++) {
56574 ++ if (match->domain_children[x] == gid)
56575 ++ goto found2;
56576 ++ }
56577 ++ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
56578 ++ break;
56579 ++ match = match->next;
56580 ++ }
56581 ++found2:
56582 ++ if (match == NULL)
56583 ++ match = default_role;
56584 ++ if (match->allowed_ips == NULL)
56585 ++ return match;
56586 ++ else {
56587 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
56588 ++ if (likely
56589 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
56590 ++ (ntohl(ipp->addr) & ipp->netmask)))
56591 ++ return match;
56592 ++ }
56593 ++ match = default_role;
56594 ++ }
56595 ++ } else if (match->allowed_ips == NULL) {
56596 ++ return match;
56597 ++ } else {
56598 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
56599 ++ if (likely
56600 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
56601 ++ (ntohl(ipp->addr) & ipp->netmask)))
56602 ++ return match;
56603 ++ }
56604 ++ goto try_group;
56605 ++ }
56606 ++
56607 ++ return match;
56608 ++}
56609 ++
56610 ++struct acl_subject_label *
56611 ++lookup_acl_subj_label(const ino_t ino, const dev_t dev,
56612 ++ const struct acl_role_label *role)
56613 ++{
56614 ++ unsigned int index = fhash(ino, dev, role->subj_hash_size);
56615 ++ struct acl_subject_label *match;
56616 ++
56617 ++ match = role->subj_hash[index];
56618 ++
56619 ++ while (match && (match->inode != ino || match->device != dev ||
56620 ++ (match->mode & GR_DELETED))) {
56621 ++ match = match->next;
56622 ++ }
56623 ++
56624 ++ if (match && !(match->mode & GR_DELETED))
56625 ++ return match;
56626 ++ else
56627 ++ return NULL;
56628 ++}
56629 ++
56630 ++static struct acl_object_label *
56631 ++lookup_acl_obj_label(const ino_t ino, const dev_t dev,
56632 ++ const struct acl_subject_label *subj)
56633 ++{
56634 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
56635 ++ struct acl_object_label *match;
56636 ++
56637 ++ match = subj->obj_hash[index];
56638 ++
56639 ++ while (match && (match->inode != ino || match->device != dev ||
56640 ++ (match->mode & GR_DELETED))) {
56641 ++ match = match->next;
56642 ++ }
56643 ++
56644 ++ if (match && !(match->mode & GR_DELETED))
56645 ++ return match;
56646 ++ else
56647 ++ return NULL;
56648 ++}
56649 ++
56650 ++static struct acl_object_label *
56651 ++lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
56652 ++ const struct acl_subject_label *subj)
56653 ++{
56654 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
56655 ++ struct acl_object_label *match;
56656 ++
56657 ++ match = subj->obj_hash[index];
56658 ++
56659 ++ while (match && (match->inode != ino || match->device != dev ||
56660 ++ !(match->mode & GR_DELETED))) {
56661 ++ match = match->next;
56662 ++ }
56663 ++
56664 ++ if (match && (match->mode & GR_DELETED))
56665 ++ return match;
56666 ++
56667 ++ match = subj->obj_hash[index];
56668 ++
56669 ++ while (match && (match->inode != ino || match->device != dev ||
56670 ++ (match->mode & GR_DELETED))) {
56671 ++ match = match->next;
56672 ++ }
56673 ++
56674 ++ if (match && !(match->mode & GR_DELETED))
56675 ++ return match;
56676 ++ else
56677 ++ return NULL;
56678 ++}
56679 ++
56680 ++static struct name_entry *
56681 ++lookup_name_entry(const char *name)
56682 ++{
56683 ++ unsigned int len = strlen(name);
56684 ++ unsigned int key = full_name_hash(name, len);
56685 ++ unsigned int index = key % name_set.n_size;
56686 ++ struct name_entry *match;
56687 ++
56688 ++ match = name_set.n_hash[index];
56689 ++
56690 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
56691 ++ match = match->next;
56692 ++
56693 ++ return match;
56694 ++}
56695 ++
56696 ++static struct name_entry *
56697 ++lookup_name_entry_create(const char *name)
56698 ++{
56699 ++ unsigned int len = strlen(name);
56700 ++ unsigned int key = full_name_hash(name, len);
56701 ++ unsigned int index = key % name_set.n_size;
56702 ++ struct name_entry *match;
56703 ++
56704 ++ match = name_set.n_hash[index];
56705 ++
56706 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
56707 ++ !match->deleted))
56708 ++ match = match->next;
56709 ++
56710 ++ if (match && match->deleted)
56711 ++ return match;
56712 ++
56713 ++ match = name_set.n_hash[index];
56714 ++
56715 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
56716 ++ match->deleted))
56717 ++ match = match->next;
56718 ++
56719 ++ if (match && !match->deleted)
56720 ++ return match;
56721 ++ else
56722 ++ return NULL;
56723 ++}
56724 ++
56725 ++static struct inodev_entry *
56726 ++lookup_inodev_entry(const ino_t ino, const dev_t dev)
56727 ++{
56728 ++ unsigned int index = fhash(ino, dev, inodev_set.i_size);
56729 ++ struct inodev_entry *match;
56730 ++
56731 ++ match = inodev_set.i_hash[index];
56732 ++
56733 ++ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
56734 ++ match = match->next;
56735 ++
56736 ++ return match;
56737 ++}
56738 ++
56739 ++static void
56740 ++insert_inodev_entry(struct inodev_entry *entry)
56741 ++{
56742 ++ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
56743 ++ inodev_set.i_size);
56744 ++ struct inodev_entry **curr;
56745 ++
56746 ++ entry->prev = NULL;
56747 ++
56748 ++ curr = &inodev_set.i_hash[index];
56749 ++ if (*curr != NULL)
56750 ++ (*curr)->prev = entry;
56751 ++
56752 ++ entry->next = *curr;
56753 ++ *curr = entry;
56754 ++
56755 ++ return;
56756 ++}
56757 ++
56758 ++static void
56759 ++__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
56760 ++{
56761 ++ unsigned int index =
56762 ++ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
56763 ++ struct acl_role_label **curr;
56764 ++
56765 ++ role->prev = NULL;
56766 ++
56767 ++ curr = &acl_role_set.r_hash[index];
56768 ++ if (*curr != NULL)
56769 ++ (*curr)->prev = role;
56770 ++
56771 ++ role->next = *curr;
56772 ++ *curr = role;
56773 ++
56774 ++ return;
56775 ++}
56776 ++
56777 ++static void
56778 ++insert_acl_role_label(struct acl_role_label *role)
56779 ++{
56780 ++ int i;
56781 ++
56782 ++ if (role->roletype & GR_ROLE_DOMAIN) {
56783 ++ for (i = 0; i < role->domain_child_num; i++)
56784 ++ __insert_acl_role_label(role, role->domain_children[i]);
56785 ++ } else
56786 ++ __insert_acl_role_label(role, role->uidgid);
56787 ++}
56788 ++
56789 ++static int
56790 ++insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
56791 ++{
56792 ++ struct name_entry **curr, *nentry;
56793 ++ struct inodev_entry *ientry;
56794 ++ unsigned int len = strlen(name);
56795 ++ unsigned int key = full_name_hash(name, len);
56796 ++ unsigned int index = key % name_set.n_size;
56797 ++
56798 ++ curr = &name_set.n_hash[index];
56799 ++
56800 ++ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
56801 ++ curr = &((*curr)->next);
56802 ++
56803 ++ if (*curr != NULL)
56804 ++ return 1;
56805 ++
56806 ++ nentry = acl_alloc(sizeof (struct name_entry));
56807 ++ if (nentry == NULL)
56808 ++ return 0;
56809 ++ ientry = acl_alloc(sizeof (struct inodev_entry));
56810 ++ if (ientry == NULL)
56811 ++ return 0;
56812 ++ ientry->nentry = nentry;
56813 ++
56814 ++ nentry->key = key;
56815 ++ nentry->name = name;
56816 ++ nentry->inode = inode;
56817 ++ nentry->device = device;
56818 ++ nentry->len = len;
56819 ++ nentry->deleted = deleted;
56820 ++
56821 ++ nentry->prev = NULL;
56822 ++ curr = &name_set.n_hash[index];
56823 ++ if (*curr != NULL)
56824 ++ (*curr)->prev = nentry;
56825 ++ nentry->next = *curr;
56826 ++ *curr = nentry;
56827 ++
56828 ++ /* insert us into the table searchable by inode/dev */
56829 ++ insert_inodev_entry(ientry);
56830 ++
56831 ++ return 1;
56832 ++}
56833 ++
56834 ++static void
56835 ++insert_acl_obj_label(struct acl_object_label *obj,
56836 ++ struct acl_subject_label *subj)
56837 ++{
56838 ++ unsigned int index =
56839 ++ fhash(obj->inode, obj->device, subj->obj_hash_size);
56840 ++ struct acl_object_label **curr;
56841 ++
56842 ++
56843 ++ obj->prev = NULL;
56844 ++
56845 ++ curr = &subj->obj_hash[index];
56846 ++ if (*curr != NULL)
56847 ++ (*curr)->prev = obj;
56848 ++
56849 ++ obj->next = *curr;
56850 ++ *curr = obj;
56851 ++
56852 ++ return;
56853 ++}
56854 ++
56855 ++static void
56856 ++insert_acl_subj_label(struct acl_subject_label *obj,
56857 ++ struct acl_role_label *role)
56858 ++{
56859 ++ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
56860 ++ struct acl_subject_label **curr;
56861 ++
56862 ++ obj->prev = NULL;
56863 ++
56864 ++ curr = &role->subj_hash[index];
56865 ++ if (*curr != NULL)
56866 ++ (*curr)->prev = obj;
56867 ++
56868 ++ obj->next = *curr;
56869 ++ *curr = obj;
56870 ++
56871 ++ return;
56872 ++}
56873 ++
56874 ++/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
56875 ++
56876 ++static void *
56877 ++create_table(__u32 * len, int elementsize)
56878 ++{
56879 ++ unsigned int table_sizes[] = {
56880 ++ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
56881 ++ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
56882 ++ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
56883 ++ 268435399, 536870909, 1073741789, 2147483647
56884 ++ };
56885 ++ void *newtable = NULL;
56886 ++ unsigned int pwr = 0;
56887 ++
56888 ++ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
56889 ++ table_sizes[pwr] <= *len)
56890 ++ pwr++;
56891 ++
56892 ++ if (table_sizes[pwr] <= *len)
56893 ++ return newtable;
56894 ++
56895 ++ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
56896 ++ newtable =
56897 ++ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
56898 ++ else
56899 ++ newtable = vmalloc(table_sizes[pwr] * elementsize);
56900 ++
56901 ++ *len = table_sizes[pwr];
56902 ++
56903 ++ return newtable;
56904 ++}
56905 ++
56906 ++static int
56907 ++init_variables(const struct gr_arg *arg)
56908 ++{
56909 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
56910 ++ unsigned int stacksize;
56911 ++
56912 ++ subj_map_set.s_size = arg->role_db.num_subjects;
56913 ++ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
56914 ++ name_set.n_size = arg->role_db.num_objects;
56915 ++ inodev_set.i_size = arg->role_db.num_objects;
56916 ++
56917 ++ if (!subj_map_set.s_size || !acl_role_set.r_size ||
56918 ++ !name_set.n_size || !inodev_set.i_size)
56919 ++ return 1;
56920 ++
56921 ++ if (!gr_init_uidset())
56922 ++ return 1;
56923 ++
56924 ++ /* set up the stack that holds allocation info */
56925 ++
56926 ++ stacksize = arg->role_db.num_pointers + 5;
56927 ++
56928 ++ if (!acl_alloc_stack_init(stacksize))
56929 ++ return 1;
56930 ++
56931 ++ /* grab reference for the real root dentry and vfsmount */
56932 ++ read_lock(&reaper->fs->lock);
56933 ++ real_root_mnt = mntget(reaper->fs->rootmnt);
56934 ++ real_root = dget(reaper->fs->root);
56935 ++ read_unlock(&reaper->fs->lock);
56936 ++
56937 ++ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
56938 ++ if (fakefs_obj == NULL)
56939 ++ return 1;
56940 ++ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
56941 ++
56942 ++ subj_map_set.s_hash =
56943 ++ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
56944 ++ acl_role_set.r_hash =
56945 ++ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
56946 ++ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
56947 ++ inodev_set.i_hash =
56948 ++ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
56949 ++
56950 ++ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
56951 ++ !name_set.n_hash || !inodev_set.i_hash)
56952 ++ return 1;
56953 ++
56954 ++ memset(subj_map_set.s_hash, 0,
56955 ++ sizeof(struct subject_map *) * subj_map_set.s_size);
56956 ++ memset(acl_role_set.r_hash, 0,
56957 ++ sizeof (struct acl_role_label *) * acl_role_set.r_size);
56958 ++ memset(name_set.n_hash, 0,
56959 ++ sizeof (struct name_entry *) * name_set.n_size);
56960 ++ memset(inodev_set.i_hash, 0,
56961 ++ sizeof (struct inodev_entry *) * inodev_set.i_size);
56962 ++
56963 ++ return 0;
56964 ++}
56965 ++
56966 ++/* free information not needed after startup
56967 ++ currently contains user->kernel pointer mappings for subjects
56968 ++*/
56969 ++
56970 ++static void
56971 ++free_init_variables(void)
56972 ++{
56973 ++ __u32 i;
56974 ++
56975 ++ if (subj_map_set.s_hash) {
56976 ++ for (i = 0; i < subj_map_set.s_size; i++) {
56977 ++ if (subj_map_set.s_hash[i]) {
56978 ++ kfree(subj_map_set.s_hash[i]);
56979 ++ subj_map_set.s_hash[i] = NULL;
56980 ++ }
56981 ++ }
56982 ++
56983 ++ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
56984 ++ PAGE_SIZE)
56985 ++ kfree(subj_map_set.s_hash);
56986 ++ else
56987 ++ vfree(subj_map_set.s_hash);
56988 ++ }
56989 ++
56990 ++ return;
56991 ++}
56992 ++
56993 ++static void
56994 ++free_variables(void)
56995 ++{
56996 ++ struct acl_subject_label *s;
56997 ++ struct acl_role_label *r;
56998 ++ struct task_struct *task, *task2;
56999 ++ unsigned int i, x;
57000 ++
57001 ++ gr_clear_learn_entries();
57002 ++
57003 ++ read_lock(&tasklist_lock);
57004 ++ do_each_thread(task2, task) {
57005 ++ task->acl_sp_role = 0;
57006 ++ task->acl_role_id = 0;
57007 ++ task->acl = NULL;
57008 ++ task->role = NULL;
57009 ++ } while_each_thread(task2, task);
57010 ++ read_unlock(&tasklist_lock);
57011 ++
57012 ++ /* release the reference to the real root dentry and vfsmount */
57013 ++ if (real_root)
57014 ++ dput(real_root);
57015 ++ real_root = NULL;
57016 ++ if (real_root_mnt)
57017 ++ mntput(real_root_mnt);
57018 ++ real_root_mnt = NULL;
57019 ++
57020 ++ /* free all object hash tables */
57021 ++
57022 ++ FOR_EACH_ROLE_START(r, i)
57023 ++ if (r->subj_hash == NULL)
57024 ++ break;
57025 ++ FOR_EACH_SUBJECT_START(r, s, x)
57026 ++ if (s->obj_hash == NULL)
57027 ++ break;
57028 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
57029 ++ kfree(s->obj_hash);
57030 ++ else
57031 ++ vfree(s->obj_hash);
57032 ++ FOR_EACH_SUBJECT_END(s, x)
57033 ++ FOR_EACH_NESTED_SUBJECT_START(r, s)
57034 ++ if (s->obj_hash == NULL)
57035 ++ break;
57036 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
57037 ++ kfree(s->obj_hash);
57038 ++ else
57039 ++ vfree(s->obj_hash);
57040 ++ FOR_EACH_NESTED_SUBJECT_END(s)
57041 ++ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
57042 ++ kfree(r->subj_hash);
57043 ++ else
57044 ++ vfree(r->subj_hash);
57045 ++ r->subj_hash = NULL;
57046 ++ FOR_EACH_ROLE_END(r,i)
57047 ++
57048 ++ acl_free_all();
57049 ++
57050 ++ if (acl_role_set.r_hash) {
57051 ++ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
57052 ++ PAGE_SIZE)
57053 ++ kfree(acl_role_set.r_hash);
57054 ++ else
57055 ++ vfree(acl_role_set.r_hash);
57056 ++ }
57057 ++ if (name_set.n_hash) {
57058 ++ if ((name_set.n_size * sizeof (struct name_entry *)) <=
57059 ++ PAGE_SIZE)
57060 ++ kfree(name_set.n_hash);
57061 ++ else
57062 ++ vfree(name_set.n_hash);
57063 ++ }
57064 ++
57065 ++ if (inodev_set.i_hash) {
57066 ++ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
57067 ++ PAGE_SIZE)
57068 ++ kfree(inodev_set.i_hash);
57069 ++ else
57070 ++ vfree(inodev_set.i_hash);
57071 ++ }
57072 ++
57073 ++ gr_free_uidset();
57074 ++
57075 ++ memset(&name_set, 0, sizeof (struct name_db));
57076 ++ memset(&inodev_set, 0, sizeof (struct inodev_db));
57077 ++ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
57078 ++ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
57079 ++
57080 ++ default_role = NULL;
57081 ++
57082 ++ return;
57083 ++}
57084 ++
57085 ++static __u32
57086 ++count_user_objs(struct acl_object_label *userp)
57087 ++{
57088 ++ struct acl_object_label o_tmp;
57089 ++ __u32 num = 0;
57090 ++
57091 ++ while (userp) {
57092 ++ if (copy_from_user(&o_tmp, userp,
57093 ++ sizeof (struct acl_object_label)))
57094 ++ break;
57095 ++
57096 ++ userp = o_tmp.prev;
57097 ++ num++;
57098 ++ }
57099 ++
57100 ++ return num;
57101 ++}
57102 ++
57103 ++static struct acl_subject_label *
57104 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
57105 ++
57106 ++static int
57107 ++copy_user_glob(struct acl_object_label *obj)
57108 ++{
57109 ++ struct acl_object_label *g_tmp, **guser;
57110 ++ unsigned int len;
57111 ++ char *tmp;
57112 ++
57113 ++ if (obj->globbed == NULL)
57114 ++ return 0;
57115 ++
57116 ++ guser = &obj->globbed;
57117 ++ while (*guser) {
57118 ++ g_tmp = (struct acl_object_label *)
57119 ++ acl_alloc(sizeof (struct acl_object_label));
57120 ++ if (g_tmp == NULL)
57121 ++ return -ENOMEM;
57122 ++
57123 ++ if (copy_from_user(g_tmp, *guser,
57124 ++ sizeof (struct acl_object_label)))
57125 ++ return -EFAULT;
57126 ++
57127 ++ len = strnlen_user(g_tmp->filename, PATH_MAX);
57128 ++
57129 ++ if (!len || len >= PATH_MAX)
57130 ++ return -EINVAL;
57131 ++
57132 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57133 ++ return -ENOMEM;
57134 ++
57135 ++ if (copy_from_user(tmp, g_tmp->filename, len))
57136 ++ return -EFAULT;
57137 ++
57138 ++ g_tmp->filename = tmp;
57139 ++
57140 ++ *guser = g_tmp;
57141 ++ guser = &(g_tmp->next);
57142 ++ }
57143 ++
57144 ++ return 0;
57145 ++}
57146 ++
57147 ++static int
57148 ++copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
57149 ++ struct acl_role_label *role)
57150 ++{
57151 ++ struct acl_object_label *o_tmp;
57152 ++ unsigned int len;
57153 ++ int ret;
57154 ++ char *tmp;
57155 ++
57156 ++ while (userp) {
57157 ++ if ((o_tmp = (struct acl_object_label *)
57158 ++ acl_alloc(sizeof (struct acl_object_label))) == NULL)
57159 ++ return -ENOMEM;
57160 ++
57161 ++ if (copy_from_user(o_tmp, userp,
57162 ++ sizeof (struct acl_object_label)))
57163 ++ return -EFAULT;
57164 ++
57165 ++ userp = o_tmp->prev;
57166 ++
57167 ++ len = strnlen_user(o_tmp->filename, PATH_MAX);
57168 ++
57169 ++ if (!len || len >= PATH_MAX)
57170 ++ return -EINVAL;
57171 ++
57172 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57173 ++ return -ENOMEM;
57174 ++
57175 ++ if (copy_from_user(tmp, o_tmp->filename, len))
57176 ++ return -EFAULT;
57177 ++
57178 ++ o_tmp->filename = tmp;
57179 ++
57180 ++ insert_acl_obj_label(o_tmp, subj);
57181 ++ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
57182 ++ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
57183 ++ return -ENOMEM;
57184 ++
57185 ++ ret = copy_user_glob(o_tmp);
57186 ++ if (ret)
57187 ++ return ret;
57188 ++
57189 ++ if (o_tmp->nested) {
57190 ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
57191 ++ if (IS_ERR(o_tmp->nested))
57192 ++ return PTR_ERR(o_tmp->nested);
57193 ++
57194 ++ /* insert into nested subject list */
57195 ++ o_tmp->nested->next = role->hash->first;
57196 ++ role->hash->first = o_tmp->nested;
57197 ++ }
57198 ++ }
57199 ++
57200 ++ return 0;
57201 ++}
57202 ++
57203 ++static __u32
57204 ++count_user_subjs(struct acl_subject_label *userp)
57205 ++{
57206 ++ struct acl_subject_label s_tmp;
57207 ++ __u32 num = 0;
57208 ++
57209 ++ while (userp) {
57210 ++ if (copy_from_user(&s_tmp, userp,
57211 ++ sizeof (struct acl_subject_label)))
57212 ++ break;
57213 ++
57214 ++ userp = s_tmp.prev;
57215 ++ /* do not count nested subjects against this count, since
57216 ++ they are not included in the hash table, but are
57217 ++ attached to objects. We have already counted
57218 ++ the subjects in userspace for the allocation
57219 ++ stack
57220 ++ */
57221 ++ if (!(s_tmp.mode & GR_NESTED))
57222 ++ num++;
57223 ++ }
57224 ++
57225 ++ return num;
57226 ++}
57227 ++
57228 ++static int
57229 ++copy_user_allowedips(struct acl_role_label *rolep)
57230 ++{
57231 ++ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
57232 ++
57233 ++ ruserip = rolep->allowed_ips;
57234 ++
57235 ++ while (ruserip) {
57236 ++ rlast = rtmp;
57237 ++
57238 ++ if ((rtmp = (struct role_allowed_ip *)
57239 ++ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
57240 ++ return -ENOMEM;
57241 ++
57242 ++ if (copy_from_user(rtmp, ruserip,
57243 ++ sizeof (struct role_allowed_ip)))
57244 ++ return -EFAULT;
57245 ++
57246 ++ ruserip = rtmp->prev;
57247 ++
57248 ++ if (!rlast) {
57249 ++ rtmp->prev = NULL;
57250 ++ rolep->allowed_ips = rtmp;
57251 ++ } else {
57252 ++ rlast->next = rtmp;
57253 ++ rtmp->prev = rlast;
57254 ++ }
57255 ++
57256 ++ if (!ruserip)
57257 ++ rtmp->next = NULL;
57258 ++ }
57259 ++
57260 ++ return 0;
57261 ++}
57262 ++
57263 ++static int
57264 ++copy_user_transitions(struct acl_role_label *rolep)
57265 ++{
57266 ++ struct role_transition *rusertp, *rtmp = NULL, *rlast;
57267 ++
57268 ++ unsigned int len;
57269 ++ char *tmp;
57270 ++
57271 ++ rusertp = rolep->transitions;
57272 ++
57273 ++ while (rusertp) {
57274 ++ rlast = rtmp;
57275 ++
57276 ++ if ((rtmp = (struct role_transition *)
57277 ++ acl_alloc(sizeof (struct role_transition))) == NULL)
57278 ++ return -ENOMEM;
57279 ++
57280 ++ if (copy_from_user(rtmp, rusertp,
57281 ++ sizeof (struct role_transition)))
57282 ++ return -EFAULT;
57283 ++
57284 ++ rusertp = rtmp->prev;
57285 ++
57286 ++ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
57287 ++
57288 ++ if (!len || len >= GR_SPROLE_LEN)
57289 ++ return -EINVAL;
57290 ++
57291 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57292 ++ return -ENOMEM;
57293 ++
57294 ++ if (copy_from_user(tmp, rtmp->rolename, len))
57295 ++ return -EFAULT;
57296 ++
57297 ++ rtmp->rolename = tmp;
57298 ++
57299 ++ if (!rlast) {
57300 ++ rtmp->prev = NULL;
57301 ++ rolep->transitions = rtmp;
57302 ++ } else {
57303 ++ rlast->next = rtmp;
57304 ++ rtmp->prev = rlast;
57305 ++ }
57306 ++
57307 ++ if (!rusertp)
57308 ++ rtmp->next = NULL;
57309 ++ }
57310 ++
57311 ++ return 0;
57312 ++}
57313 ++
57314 ++static struct acl_subject_label *
57315 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
57316 ++{
57317 ++ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
57318 ++ unsigned int len;
57319 ++ char *tmp;
57320 ++ __u32 num_objs;
57321 ++ struct acl_ip_label **i_tmp, *i_utmp2;
57322 ++ struct gr_hash_struct ghash;
57323 ++ struct subject_map *subjmap;
57324 ++ unsigned int i_num;
57325 ++ int err;
57326 ++
57327 ++ s_tmp = lookup_subject_map(userp);
57328 ++
57329 ++ /* we've already copied this subject into the kernel, just return
57330 ++ the reference to it, and don't copy it over again
57331 ++ */
57332 ++ if (s_tmp)
57333 ++ return(s_tmp);
57334 ++
57335 ++ if ((s_tmp = (struct acl_subject_label *)
57336 ++ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
57337 ++ return ERR_PTR(-ENOMEM);
57338 ++
57339 ++ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
57340 ++ if (subjmap == NULL)
57341 ++ return ERR_PTR(-ENOMEM);
57342 ++
57343 ++ subjmap->user = userp;
57344 ++ subjmap->kernel = s_tmp;
57345 ++ insert_subj_map_entry(subjmap);
57346 ++
57347 ++ if (copy_from_user(s_tmp, userp,
57348 ++ sizeof (struct acl_subject_label)))
57349 ++ return ERR_PTR(-EFAULT);
57350 ++
57351 ++ len = strnlen_user(s_tmp->filename, PATH_MAX);
57352 ++
57353 ++ if (!len || len >= PATH_MAX)
57354 ++ return ERR_PTR(-EINVAL);
57355 ++
57356 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
57357 ++ return ERR_PTR(-ENOMEM);
57358 ++
57359 ++ if (copy_from_user(tmp, s_tmp->filename, len))
57360 ++ return ERR_PTR(-EFAULT);
57361 ++
57362 ++ s_tmp->filename = tmp;
57363 ++
57364 ++ if (!strcmp(s_tmp->filename, "/"))
57365 ++ role->root_label = s_tmp;
57366 ++
57367 ++ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
57368 ++ return ERR_PTR(-EFAULT);
57369 ++
57370 ++ /* copy user and group transition tables */
57371 ++
57372 ++ if (s_tmp->user_trans_num) {
57373 ++ uid_t *uidlist;
57374 ++
57375 ++ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
57376 ++ if (uidlist == NULL)
57377 ++ return ERR_PTR(-ENOMEM);
57378 ++ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
57379 ++ return ERR_PTR(-EFAULT);
57380 ++
57381 ++ s_tmp->user_transitions = uidlist;
57382 ++ }
57383 ++
57384 ++ if (s_tmp->group_trans_num) {
57385 ++ gid_t *gidlist;
57386 ++
57387 ++ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
57388 ++ if (gidlist == NULL)
57389 ++ return ERR_PTR(-ENOMEM);
57390 ++ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
57391 ++ return ERR_PTR(-EFAULT);
57392 ++
57393 ++ s_tmp->group_transitions = gidlist;
57394 ++ }
57395 ++
57396 ++ /* set up object hash table */
57397 ++ num_objs = count_user_objs(ghash.first);
57398 ++
57399 ++ s_tmp->obj_hash_size = num_objs;
57400 ++ s_tmp->obj_hash =
57401 ++ (struct acl_object_label **)
57402 ++ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
57403 ++
57404 ++ if (!s_tmp->obj_hash)
57405 ++ return ERR_PTR(-ENOMEM);
57406 ++
57407 ++ memset(s_tmp->obj_hash, 0,
57408 ++ s_tmp->obj_hash_size *
57409 ++ sizeof (struct acl_object_label *));
57410 ++
57411 ++ /* add in objects */
57412 ++ err = copy_user_objs(ghash.first, s_tmp, role);
57413 ++
57414 ++ if (err)
57415 ++ return ERR_PTR(err);
57416 ++
57417 ++ /* set pointer for parent subject */
57418 ++ if (s_tmp->parent_subject) {
57419 ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
57420 ++
57421 ++ if (IS_ERR(s_tmp2))
57422 ++ return s_tmp2;
57423 ++
57424 ++ s_tmp->parent_subject = s_tmp2;
57425 ++ }
57426 ++
57427 ++ /* add in ip acls */
57428 ++
57429 ++ if (!s_tmp->ip_num) {
57430 ++ s_tmp->ips = NULL;
57431 ++ goto insert;
57432 ++ }
57433 ++
57434 ++ i_tmp =
57435 ++ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
57436 ++ sizeof (struct
57437 ++ acl_ip_label *));
57438 ++
57439 ++ if (!i_tmp)
57440 ++ return ERR_PTR(-ENOMEM);
57441 ++
57442 ++ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
57443 ++ *(i_tmp + i_num) =
57444 ++ (struct acl_ip_label *)
57445 ++ acl_alloc(sizeof (struct acl_ip_label));
57446 ++ if (!*(i_tmp + i_num))
57447 ++ return ERR_PTR(-ENOMEM);
57448 ++
57449 ++ if (copy_from_user
57450 ++ (&i_utmp2, s_tmp->ips + i_num,
57451 ++ sizeof (struct acl_ip_label *)))
57452 ++ return ERR_PTR(-EFAULT);
57453 ++
57454 ++ if (copy_from_user
57455 ++ (*(i_tmp + i_num), i_utmp2,
57456 ++ sizeof (struct acl_ip_label)))
57457 ++ return ERR_PTR(-EFAULT);
57458 ++
57459 ++ if ((*(i_tmp + i_num))->iface == NULL)
57460 ++ continue;
57461 ++
57462 ++ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
57463 ++ if (!len || len >= IFNAMSIZ)
57464 ++ return ERR_PTR(-EINVAL);
57465 ++ tmp = acl_alloc(len);
57466 ++ if (tmp == NULL)
57467 ++ return ERR_PTR(-ENOMEM);
57468 ++ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
57469 ++ return ERR_PTR(-EFAULT);
57470 ++ (*(i_tmp + i_num))->iface = tmp;
57471 ++ }
57472 ++
57473 ++ s_tmp->ips = i_tmp;
57474 ++
57475 ++insert:
57476 ++ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
57477 ++ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
57478 ++ return ERR_PTR(-ENOMEM);
57479 ++
57480 ++ return s_tmp;
57481 ++}
57482 ++
57483 ++static int
57484 ++copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
57485 ++{
57486 ++ struct acl_subject_label s_pre;
57487 ++ struct acl_subject_label * ret;
57488 ++ int err;
57489 ++
57490 ++ while (userp) {
57491 ++ if (copy_from_user(&s_pre, userp,
57492 ++ sizeof (struct acl_subject_label)))
57493 ++ return -EFAULT;
57494 ++
57495 ++ /* do not add nested subjects here, add
57496 ++ while parsing objects
57497 ++ */
57498 ++
57499 ++ if (s_pre.mode & GR_NESTED) {
57500 ++ userp = s_pre.prev;
57501 ++ continue;
57502 ++ }
57503 ++
57504 ++ ret = do_copy_user_subj(userp, role);
57505 ++
57506 ++ err = PTR_ERR(ret);
57507 ++ if (IS_ERR(ret))
57508 ++ return err;
57509 ++
57510 ++ insert_acl_subj_label(ret, role);
57511 ++
57512 ++ userp = s_pre.prev;
57513 ++ }
57514 ++
57515 ++ return 0;
57516 ++}
57517 ++
57518 ++static int
57519 ++copy_user_acl(struct gr_arg *arg)
57520 ++{
57521 ++ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
57522 ++ struct sprole_pw *sptmp;
57523 ++ struct gr_hash_struct *ghash;
57524 ++ uid_t *domainlist;
57525 ++ unsigned int r_num;
57526 ++ unsigned int len;
57527 ++ char *tmp;
57528 ++ int err = 0;
57529 ++ __u16 i;
57530 ++ __u32 num_subjs;
57531 ++
57532 ++ /* we need a default and kernel role */
57533 ++ if (arg->role_db.num_roles < 2)
57534 ++ return -EINVAL;
57535 ++
57536 ++ /* copy special role authentication info from userspace */
57537 ++
57538 ++ num_sprole_pws = arg->num_sprole_pws;
57539 ++ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
57540 ++
57541 ++ if (!acl_special_roles) {
57542 ++ err = -ENOMEM;
57543 ++ goto cleanup;
57544 ++ }
57545 ++
57546 ++ for (i = 0; i < num_sprole_pws; i++) {
57547 ++ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
57548 ++ if (!sptmp) {
57549 ++ err = -ENOMEM;
57550 ++ goto cleanup;
57551 ++ }
57552 ++ if (copy_from_user(sptmp, arg->sprole_pws + i,
57553 ++ sizeof (struct sprole_pw))) {
57554 ++ err = -EFAULT;
57555 ++ goto cleanup;
57556 ++ }
57557 ++
57558 ++ len =
57559 ++ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
57560 ++
57561 ++ if (!len || len >= GR_SPROLE_LEN) {
57562 ++ err = -EINVAL;
57563 ++ goto cleanup;
57564 ++ }
57565 ++
57566 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
57567 ++ err = -ENOMEM;
57568 ++ goto cleanup;
57569 ++ }
57570 ++
57571 ++ if (copy_from_user(tmp, sptmp->rolename, len)) {
57572 ++ err = -EFAULT;
57573 ++ goto cleanup;
57574 ++ }
57575 ++
57576 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
57577 ++ printk(KERN_ALERT "Copying special role %s\n", tmp);
57578 ++#endif
57579 ++ sptmp->rolename = tmp;
57580 ++ acl_special_roles[i] = sptmp;
57581 ++ }
57582 ++
57583 ++ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
57584 ++
57585 ++ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
57586 ++ r_tmp = acl_alloc(sizeof (struct acl_role_label));
57587 ++
57588 ++ if (!r_tmp) {
57589 ++ err = -ENOMEM;
57590 ++ goto cleanup;
57591 ++ }
57592 ++
57593 ++ if (copy_from_user(&r_utmp2, r_utmp + r_num,
57594 ++ sizeof (struct acl_role_label *))) {
57595 ++ err = -EFAULT;
57596 ++ goto cleanup;
57597 ++ }
57598 ++
57599 ++ if (copy_from_user(r_tmp, r_utmp2,
57600 ++ sizeof (struct acl_role_label))) {
57601 ++ err = -EFAULT;
57602 ++ goto cleanup;
57603 ++ }
57604 ++
57605 ++ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
57606 ++
57607 ++ if (!len || len >= PATH_MAX) {
57608 ++ err = -EINVAL;
57609 ++ goto cleanup;
57610 ++ }
57611 ++
57612 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
57613 ++ err = -ENOMEM;
57614 ++ goto cleanup;
57615 ++ }
57616 ++ if (copy_from_user(tmp, r_tmp->rolename, len)) {
57617 ++ err = -EFAULT;
57618 ++ goto cleanup;
57619 ++ }
57620 ++ r_tmp->rolename = tmp;
57621 ++
57622 ++ if (!strcmp(r_tmp->rolename, "default")
57623 ++ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
57624 ++ default_role = r_tmp;
57625 ++ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
57626 ++ kernel_role = r_tmp;
57627 ++ }
57628 ++
57629 ++ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
57630 ++ err = -ENOMEM;
57631 ++ goto cleanup;
57632 ++ }
57633 ++ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
57634 ++ err = -EFAULT;
57635 ++ goto cleanup;
57636 ++ }
57637 ++
57638 ++ r_tmp->hash = ghash;
57639 ++
57640 ++ num_subjs = count_user_subjs(r_tmp->hash->first);
57641 ++
57642 ++ r_tmp->subj_hash_size = num_subjs;
57643 ++ r_tmp->subj_hash =
57644 ++ (struct acl_subject_label **)
57645 ++ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
57646 ++
57647 ++ if (!r_tmp->subj_hash) {
57648 ++ err = -ENOMEM;
57649 ++ goto cleanup;
57650 ++ }
57651 ++
57652 ++ err = copy_user_allowedips(r_tmp);
57653 ++ if (err)
57654 ++ goto cleanup;
57655 ++
57656 ++ /* copy domain info */
57657 ++ if (r_tmp->domain_children != NULL) {
57658 ++ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
57659 ++ if (domainlist == NULL) {
57660 ++ err = -ENOMEM;
57661 ++ goto cleanup;
57662 ++ }
57663 ++ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
57664 ++ err = -EFAULT;
57665 ++ goto cleanup;
57666 ++ }
57667 ++ r_tmp->domain_children = domainlist;
57668 ++ }
57669 ++
57670 ++ err = copy_user_transitions(r_tmp);
57671 ++ if (err)
57672 ++ goto cleanup;
57673 ++
57674 ++ memset(r_tmp->subj_hash, 0,
57675 ++ r_tmp->subj_hash_size *
57676 ++ sizeof (struct acl_subject_label *));
57677 ++
57678 ++ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
57679 ++
57680 ++ if (err)
57681 ++ goto cleanup;
57682 ++
57683 ++ /* set nested subject list to null */
57684 ++ r_tmp->hash->first = NULL;
57685 ++
57686 ++ insert_acl_role_label(r_tmp);
57687 ++ }
57688 ++
57689 ++ goto return_err;
57690 ++ cleanup:
57691 ++ free_variables();
57692 ++ return_err:
57693 ++ return err;
57694 ++
57695 ++}
57696 ++
57697 ++static int
57698 ++gracl_init(struct gr_arg *args)
57699 ++{
57700 ++ int error = 0;
57701 ++
57702 ++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
57703 ++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
57704 ++
57705 ++ if (init_variables(args)) {
57706 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
57707 ++ error = -ENOMEM;
57708 ++ free_variables();
57709 ++ goto out;
57710 ++ }
57711 ++
57712 ++ error = copy_user_acl(args);
57713 ++ free_init_variables();
57714 ++ if (error) {
57715 ++ free_variables();
57716 ++ goto out;
57717 ++ }
57718 ++
57719 ++ if ((error = gr_set_acls(0))) {
57720 ++ free_variables();
57721 ++ goto out;
57722 ++ }
57723 ++
57724 ++ gr_status |= GR_READY;
57725 ++ out:
57726 ++ return error;
57727 ++}
57728 ++
57729 ++/* derived from glibc fnmatch() 0: match, 1: no match*/
57730 ++
57731 ++static int
57732 ++glob_match(const char *p, const char *n)
57733 ++{
57734 ++ char c;
57735 ++
57736 ++ while ((c = *p++) != '\0') {
57737 ++ switch (c) {
57738 ++ case '?':
57739 ++ if (*n == '\0')
57740 ++ return 1;
57741 ++ else if (*n == '/')
57742 ++ return 1;
57743 ++ break;
57744 ++ case '\\':
57745 ++ if (*n != c)
57746 ++ return 1;
57747 ++ break;
57748 ++ case '*':
57749 ++ for (c = *p++; c == '?' || c == '*'; c = *p++) {
57750 ++ if (*n == '/')
57751 ++ return 1;
57752 ++ else if (c == '?') {
57753 ++ if (*n == '\0')
57754 ++ return 1;
57755 ++ else
57756 ++ ++n;
57757 ++ }
57758 ++ }
57759 ++ if (c == '\0') {
57760 ++ return 0;
57761 ++ } else {
57762 ++ const char *endp;
57763 ++
57764 ++ if ((endp = strchr(n, '/')) == NULL)
57765 ++ endp = n + strlen(n);
57766 ++
57767 ++ if (c == '[') {
57768 ++ for (--p; n < endp; ++n)
57769 ++ if (!glob_match(p, n))
57770 ++ return 0;
57771 ++ } else if (c == '/') {
57772 ++ while (*n != '\0' && *n != '/')
57773 ++ ++n;
57774 ++ if (*n == '/' && !glob_match(p, n + 1))
57775 ++ return 0;
57776 ++ } else {
57777 ++ for (--p; n < endp; ++n)
57778 ++ if (*n == c && !glob_match(p, n))
57779 ++ return 0;
57780 ++ }
57781 ++
57782 ++ return 1;
57783 ++ }
57784 ++ case '[':
57785 ++ {
57786 ++ int not;
57787 ++ char cold;
57788 ++
57789 ++ if (*n == '\0' || *n == '/')
57790 ++ return 1;
57791 ++
57792 ++ not = (*p == '!' || *p == '^');
57793 ++ if (not)
57794 ++ ++p;
57795 ++
57796 ++ c = *p++;
57797 ++ for (;;) {
57798 ++ unsigned char fn = (unsigned char)*n;
57799 ++
57800 ++ if (c == '\0')
57801 ++ return 1;
57802 ++ else {
57803 ++ if (c == fn)
57804 ++ goto matched;
57805 ++ cold = c;
57806 ++ c = *p++;
57807 ++
57808 ++ if (c == '-' && *p != ']') {
57809 ++ unsigned char cend = *p++;
57810 ++
57811 ++ if (cend == '\0')
57812 ++ return 1;
57813 ++
57814 ++ if (cold <= fn && fn <= cend)
57815 ++ goto matched;
57816 ++
57817 ++ c = *p++;
57818 ++ }
57819 ++ }
57820 ++
57821 ++ if (c == ']')
57822 ++ break;
57823 ++ }
57824 ++ if (!not)
57825 ++ return 1;
57826 ++ break;
57827 ++ matched:
57828 ++ while (c != ']') {
57829 ++ if (c == '\0')
57830 ++ return 1;
57831 ++
57832 ++ c = *p++;
57833 ++ }
57834 ++ if (not)
57835 ++ return 1;
57836 ++ }
57837 ++ break;
57838 ++ default:
57839 ++ if (c != *n)
57840 ++ return 1;
57841 ++ }
57842 ++
57843 ++ ++n;
57844 ++ }
57845 ++
57846 ++ if (*n == '\0')
57847 ++ return 0;
57848 ++
57849 ++ if (*n == '/')
57850 ++ return 0;
57851 ++
57852 ++ return 1;
57853 ++}
57854 ++
57855 ++static struct acl_object_label *
57856 ++chk_glob_label(struct acl_object_label *globbed,
57857 ++ struct dentry *dentry, struct vfsmount *mnt, char **path)
57858 ++{
57859 ++ struct acl_object_label *tmp;
57860 ++
57861 ++ if (*path == NULL)
57862 ++ *path = gr_to_filename_nolock(dentry, mnt);
57863 ++
57864 ++ tmp = globbed;
57865 ++
57866 ++ while (tmp) {
57867 ++ if (!glob_match(tmp->filename, *path))
57868 ++ return tmp;
57869 ++ tmp = tmp->next;
57870 ++ }
57871 ++
57872 ++ return NULL;
57873 ++}
57874 ++
57875 ++static struct acl_object_label *
57876 ++__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
57877 ++ const ino_t curr_ino, const dev_t curr_dev,
57878 ++ const struct acl_subject_label *subj, char **path)
57879 ++{
57880 ++ struct acl_subject_label *tmpsubj;
57881 ++ struct acl_object_label *retval;
57882 ++ struct acl_object_label *retval2;
57883 ++
57884 ++ tmpsubj = (struct acl_subject_label *) subj;
57885 ++ read_lock(&gr_inode_lock);
57886 ++ do {
57887 ++ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
57888 ++ if (retval) {
57889 ++ if (retval->globbed) {
57890 ++ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
57891 ++ (struct vfsmount *)orig_mnt, path);
57892 ++ if (retval2)
57893 ++ retval = retval2;
57894 ++ }
57895 ++ break;
57896 ++ }
57897 ++ } while ((tmpsubj = tmpsubj->parent_subject));
57898 ++ read_unlock(&gr_inode_lock);
57899 ++
57900 ++ return retval;
57901 ++}
57902 ++
57903 ++static __inline__ struct acl_object_label *
57904 ++full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
57905 ++ const struct dentry *curr_dentry,
57906 ++ const struct acl_subject_label *subj, char **path)
57907 ++{
57908 ++ return __full_lookup(orig_dentry, orig_mnt,
57909 ++ curr_dentry->d_inode->i_ino,
57910 ++ curr_dentry->d_inode->i_sb->s_dev, subj, path);
57911 ++}
57912 ++
57913 ++static struct acl_object_label *
57914 ++__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57915 ++ const struct acl_subject_label *subj, char *path)
57916 ++{
57917 ++ struct dentry *dentry = (struct dentry *) l_dentry;
57918 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
57919 ++ struct acl_object_label *retval;
57920 ++
57921 ++ spin_lock(&dcache_lock);
57922 ++
57923 ++ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
57924 ++ /* ignore Eric Biederman */
57925 ++ IS_PRIVATE(l_dentry->d_inode))) {
57926 ++ retval = fakefs_obj;
57927 ++ goto out;
57928 ++ }
57929 ++
57930 ++ for (;;) {
57931 ++ if (dentry == real_root && mnt == real_root_mnt)
57932 ++ break;
57933 ++
57934 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
57935 ++ if (mnt->mnt_parent == mnt)
57936 ++ break;
57937 ++
57938 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57939 ++ if (retval != NULL)
57940 ++ goto out;
57941 ++
57942 ++ dentry = mnt->mnt_mountpoint;
57943 ++ mnt = mnt->mnt_parent;
57944 ++ continue;
57945 ++ }
57946 ++
57947 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57948 ++ if (retval != NULL)
57949 ++ goto out;
57950 ++
57951 ++ dentry = dentry->d_parent;
57952 ++ }
57953 ++
57954 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
57955 ++
57956 ++ if (retval == NULL)
57957 ++ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
57958 ++out:
57959 ++ spin_unlock(&dcache_lock);
57960 ++ return retval;
57961 ++}
57962 ++
57963 ++static __inline__ struct acl_object_label *
57964 ++chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57965 ++ const struct acl_subject_label *subj)
57966 ++{
57967 ++ char *path = NULL;
57968 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
57969 ++}
57970 ++
57971 ++static __inline__ struct acl_object_label *
57972 ++chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57973 ++ const struct acl_subject_label *subj, char *path)
57974 ++{
57975 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
57976 ++}
57977 ++
57978 ++static struct acl_subject_label *
57979 ++chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
57980 ++ const struct acl_role_label *role)
57981 ++{
57982 ++ struct dentry *dentry = (struct dentry *) l_dentry;
57983 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
57984 ++ struct acl_subject_label *retval;
57985 ++
57986 ++ spin_lock(&dcache_lock);
57987 ++
57988 ++ for (;;) {
57989 ++ if (dentry == real_root && mnt == real_root_mnt)
57990 ++ break;
57991 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
57992 ++ if (mnt->mnt_parent == mnt)
57993 ++ break;
57994 ++
57995 ++ read_lock(&gr_inode_lock);
57996 ++ retval =
57997 ++ lookup_acl_subj_label(dentry->d_inode->i_ino,
57998 ++ dentry->d_inode->i_sb->s_dev, role);
57999 ++ read_unlock(&gr_inode_lock);
58000 ++ if (retval != NULL)
58001 ++ goto out;
58002 ++
58003 ++ dentry = mnt->mnt_mountpoint;
58004 ++ mnt = mnt->mnt_parent;
58005 ++ continue;
58006 ++ }
58007 ++
58008 ++ read_lock(&gr_inode_lock);
58009 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
58010 ++ dentry->d_inode->i_sb->s_dev, role);
58011 ++ read_unlock(&gr_inode_lock);
58012 ++ if (retval != NULL)
58013 ++ goto out;
58014 ++
58015 ++ dentry = dentry->d_parent;
58016 ++ }
58017 ++
58018 ++ read_lock(&gr_inode_lock);
58019 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
58020 ++ dentry->d_inode->i_sb->s_dev, role);
58021 ++ read_unlock(&gr_inode_lock);
58022 ++
58023 ++ if (unlikely(retval == NULL)) {
58024 ++ read_lock(&gr_inode_lock);
58025 ++ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
58026 ++ real_root->d_inode->i_sb->s_dev, role);
58027 ++ read_unlock(&gr_inode_lock);
58028 ++ }
58029 ++out:
58030 ++ spin_unlock(&dcache_lock);
58031 ++
58032 ++ return retval;
58033 ++}
58034 ++
58035 ++static void
58036 ++gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
58037 ++{
58038 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
58039 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58040 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58041 ++ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
58042 ++
58043 ++ return;
58044 ++}
58045 ++
58046 ++static void
58047 ++gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
58048 ++{
58049 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
58050 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58051 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58052 ++ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
58053 ++
58054 ++ return;
58055 ++}
58056 ++
58057 ++static void
58058 ++gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
58059 ++ const unsigned int effective, const unsigned int fs)
58060 ++{
58061 ++ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
58062 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
58063 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
58064 ++ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
58065 ++
58066 ++ return;
58067 ++}
58068 ++
58069 ++__u32
58070 ++gr_check_link(const struct dentry * new_dentry,
58071 ++ const struct dentry * parent_dentry,
58072 ++ const struct vfsmount * parent_mnt,
58073 ++ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
58074 ++{
58075 ++ struct acl_object_label *obj;
58076 ++ __u32 oldmode, newmode;
58077 ++ __u32 needmode;
58078 ++
58079 ++ if (unlikely(!(gr_status & GR_READY)))
58080 ++ return (GR_CREATE | GR_LINK);
58081 ++
58082 ++ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
58083 ++ oldmode = obj->mode;
58084 ++
58085 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58086 ++ oldmode |= (GR_CREATE | GR_LINK);
58087 ++
58088 ++ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
58089 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
58090 ++ needmode |= GR_SETID | GR_AUDIT_SETID;
58091 ++
58092 ++ newmode =
58093 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
58094 ++ oldmode | needmode);
58095 ++
58096 ++ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
58097 ++ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
58098 ++ GR_INHERIT | GR_AUDIT_INHERIT);
58099 ++
58100 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
58101 ++ goto bad;
58102 ++
58103 ++ if ((oldmode & needmode) != needmode)
58104 ++ goto bad;
58105 ++
58106 ++ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
58107 ++ if ((newmode & needmode) != needmode)
58108 ++ goto bad;
58109 ++
58110 ++ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
58111 ++ return newmode;
58112 ++bad:
58113 ++ needmode = oldmode;
58114 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
58115 ++ needmode |= GR_SETID;
58116 ++
58117 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
58118 ++ gr_log_learn(current, old_dentry, old_mnt, needmode);
58119 ++ return (GR_CREATE | GR_LINK);
58120 ++ } else if (newmode & GR_SUPPRESS)
58121 ++ return GR_SUPPRESS;
58122 ++ else
58123 ++ return 0;
58124 ++}
58125 ++
58126 ++__u32
58127 ++gr_search_file(const struct dentry * dentry, const __u32 mode,
58128 ++ const struct vfsmount * mnt)
58129 ++{
58130 ++ __u32 retval = mode;
58131 ++ struct acl_subject_label *curracl;
58132 ++ struct acl_object_label *currobj;
58133 ++
58134 ++ if (unlikely(!(gr_status & GR_READY)))
58135 ++ return (mode & ~GR_AUDITS);
58136 ++
58137 ++ curracl = current->acl;
58138 ++
58139 ++ currobj = chk_obj_label(dentry, mnt, curracl);
58140 ++ retval = currobj->mode & mode;
58141 ++
58142 ++ if (unlikely
58143 ++ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
58144 ++ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
58145 ++ __u32 new_mode = mode;
58146 ++
58147 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58148 ++
58149 ++ retval = new_mode;
58150 ++
58151 ++ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
58152 ++ new_mode |= GR_INHERIT;
58153 ++
58154 ++ if (!(mode & GR_NOLEARN))
58155 ++ gr_log_learn(current, dentry, mnt, new_mode);
58156 ++ }
58157 ++
58158 ++ return retval;
58159 ++}
58160 ++
58161 ++__u32
58162 ++gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
58163 ++ const struct vfsmount * mnt, const __u32 mode)
58164 ++{
58165 ++ struct name_entry *match;
58166 ++ struct acl_object_label *matchpo;
58167 ++ struct acl_subject_label *curracl;
58168 ++ char *path;
58169 ++ __u32 retval;
58170 ++
58171 ++ if (unlikely(!(gr_status & GR_READY)))
58172 ++ return (mode & ~GR_AUDITS);
58173 ++
58174 ++ preempt_disable();
58175 ++ path = gr_to_filename_rbac(new_dentry, mnt);
58176 ++ match = lookup_name_entry_create(path);
58177 ++
58178 ++ if (!match)
58179 ++ goto check_parent;
58180 ++
58181 ++ curracl = current->acl;
58182 ++
58183 ++ read_lock(&gr_inode_lock);
58184 ++ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
58185 ++ read_unlock(&gr_inode_lock);
58186 ++
58187 ++ if (matchpo) {
58188 ++ if ((matchpo->mode & mode) !=
58189 ++ (mode & ~(GR_AUDITS | GR_SUPPRESS))
58190 ++ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
58191 ++ __u32 new_mode = mode;
58192 ++
58193 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58194 ++
58195 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
58196 ++
58197 ++ preempt_enable();
58198 ++ return new_mode;
58199 ++ }
58200 ++ preempt_enable();
58201 ++ return (matchpo->mode & mode);
58202 ++ }
58203 ++
58204 ++ check_parent:
58205 ++ curracl = current->acl;
58206 ++
58207 ++ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
58208 ++ retval = matchpo->mode & mode;
58209 ++
58210 ++ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
58211 ++ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
58212 ++ __u32 new_mode = mode;
58213 ++
58214 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
58215 ++
58216 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
58217 ++ preempt_enable();
58218 ++ return new_mode;
58219 ++ }
58220 ++
58221 ++ preempt_enable();
58222 ++ return retval;
58223 ++}
58224 ++
58225 ++int
58226 ++gr_check_hidden_task(const struct task_struct *task)
58227 ++{
58228 ++ if (unlikely(!(gr_status & GR_READY)))
58229 ++ return 0;
58230 ++
58231 ++ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
58232 ++ return 1;
58233 ++
58234 ++ return 0;
58235 ++}
58236 ++
58237 ++int
58238 ++gr_check_protected_task(const struct task_struct *task)
58239 ++{
58240 ++ if (unlikely(!(gr_status & GR_READY) || !task))
58241 ++ return 0;
58242 ++
58243 ++ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
58244 ++ task->acl != current->acl)
58245 ++ return 1;
58246 ++
58247 ++ return 0;
58248 ++}
58249 ++
58250 ++void
58251 ++gr_copy_label(struct task_struct *tsk)
58252 ++{
58253 ++ tsk->signal->used_accept = 0;
58254 ++ tsk->acl_sp_role = 0;
58255 ++ tsk->acl_role_id = current->acl_role_id;
58256 ++ tsk->acl = current->acl;
58257 ++ tsk->role = current->role;
58258 ++ tsk->signal->curr_ip = current->signal->curr_ip;
58259 ++ if (current->exec_file)
58260 ++ get_file(current->exec_file);
58261 ++ tsk->exec_file = current->exec_file;
58262 ++ tsk->is_writable = current->is_writable;
58263 ++ if (unlikely(current->signal->used_accept))
58264 ++ current->signal->curr_ip = 0;
58265 ++
58266 ++ return;
58267 ++}
58268 ++
58269 ++static void
58270 ++gr_set_proc_res(struct task_struct *task)
58271 ++{
58272 ++ struct acl_subject_label *proc;
58273 ++ unsigned short i;
58274 ++
58275 ++ proc = task->acl;
58276 ++
58277 ++ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
58278 ++ return;
58279 ++
58280 ++ for (i = 0; i < (GR_NLIMITS - 1); i++) {
58281 ++ if (!(proc->resmask & (1 << i)))
58282 ++ continue;
58283 ++
58284 ++ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
58285 ++ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
58286 ++ }
58287 ++
58288 ++ return;
58289 ++}
58290 ++
58291 ++int
58292 ++gr_check_user_change(int real, int effective, int fs)
58293 ++{
58294 ++ unsigned int i;
58295 ++ __u16 num;
58296 ++ uid_t *uidlist;
58297 ++ int curuid;
58298 ++ int realok = 0;
58299 ++ int effectiveok = 0;
58300 ++ int fsok = 0;
58301 ++
58302 ++ if (unlikely(!(gr_status & GR_READY)))
58303 ++ return 0;
58304 ++
58305 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58306 ++ gr_log_learn_id_change(current, 'u', real, effective, fs);
58307 ++
58308 ++ num = current->acl->user_trans_num;
58309 ++ uidlist = current->acl->user_transitions;
58310 ++
58311 ++ if (uidlist == NULL)
58312 ++ return 0;
58313 ++
58314 ++ if (real == -1)
58315 ++ realok = 1;
58316 ++ if (effective == -1)
58317 ++ effectiveok = 1;
58318 ++ if (fs == -1)
58319 ++ fsok = 1;
58320 ++
58321 ++ if (current->acl->user_trans_type & GR_ID_ALLOW) {
58322 ++ for (i = 0; i < num; i++) {
58323 ++ curuid = (int)uidlist[i];
58324 ++ if (real == curuid)
58325 ++ realok = 1;
58326 ++ if (effective == curuid)
58327 ++ effectiveok = 1;
58328 ++ if (fs == curuid)
58329 ++ fsok = 1;
58330 ++ }
58331 ++ } else if (current->acl->user_trans_type & GR_ID_DENY) {
58332 ++ for (i = 0; i < num; i++) {
58333 ++ curuid = (int)uidlist[i];
58334 ++ if (real == curuid)
58335 ++ break;
58336 ++ if (effective == curuid)
58337 ++ break;
58338 ++ if (fs == curuid)
58339 ++ break;
58340 ++ }
58341 ++ /* not in deny list */
58342 ++ if (i == num) {
58343 ++ realok = 1;
58344 ++ effectiveok = 1;
58345 ++ fsok = 1;
58346 ++ }
58347 ++ }
58348 ++
58349 ++ if (realok && effectiveok && fsok)
58350 ++ return 0;
58351 ++ else {
58352 ++ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
58353 ++ return 1;
58354 ++ }
58355 ++}
58356 ++
58357 ++int
58358 ++gr_check_group_change(int real, int effective, int fs)
58359 ++{
58360 ++ unsigned int i;
58361 ++ __u16 num;
58362 ++ gid_t *gidlist;
58363 ++ int curgid;
58364 ++ int realok = 0;
58365 ++ int effectiveok = 0;
58366 ++ int fsok = 0;
58367 ++
58368 ++ if (unlikely(!(gr_status & GR_READY)))
58369 ++ return 0;
58370 ++
58371 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
58372 ++ gr_log_learn_id_change(current, 'g', real, effective, fs);
58373 ++
58374 ++ num = current->acl->group_trans_num;
58375 ++ gidlist = current->acl->group_transitions;
58376 ++
58377 ++ if (gidlist == NULL)
58378 ++ return 0;
58379 ++
58380 ++ if (real == -1)
58381 ++ realok = 1;
58382 ++ if (effective == -1)
58383 ++ effectiveok = 1;
58384 ++ if (fs == -1)
58385 ++ fsok = 1;
58386 ++
58387 ++ if (current->acl->group_trans_type & GR_ID_ALLOW) {
58388 ++ for (i = 0; i < num; i++) {
58389 ++ curgid = (int)gidlist[i];
58390 ++ if (real == curgid)
58391 ++ realok = 1;
58392 ++ if (effective == curgid)
58393 ++ effectiveok = 1;
58394 ++ if (fs == curgid)
58395 ++ fsok = 1;
58396 ++ }
58397 ++ } else if (current->acl->group_trans_type & GR_ID_DENY) {
58398 ++ for (i = 0; i < num; i++) {
58399 ++ curgid = (int)gidlist[i];
58400 ++ if (real == curgid)
58401 ++ break;
58402 ++ if (effective == curgid)
58403 ++ break;
58404 ++ if (fs == curgid)
58405 ++ break;
58406 ++ }
58407 ++ /* not in deny list */
58408 ++ if (i == num) {
58409 ++ realok = 1;
58410 ++ effectiveok = 1;
58411 ++ fsok = 1;
58412 ++ }
58413 ++ }
58414 ++
58415 ++ if (realok && effectiveok && fsok)
58416 ++ return 0;
58417 ++ else {
58418 ++ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
58419 ++ return 1;
58420 ++ }
58421 ++}
58422 ++
58423 ++void
58424 ++gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
58425 ++{
58426 ++ struct acl_role_label *role = task->role;
58427 ++ struct acl_subject_label *subj = NULL;
58428 ++ struct acl_object_label *obj;
58429 ++ struct file *filp;
58430 ++
58431 ++ if (unlikely(!(gr_status & GR_READY)))
58432 ++ return;
58433 ++
58434 ++ filp = task->exec_file;
58435 ++
58436 ++ /* kernel process, we'll give them the kernel role */
58437 ++ if (unlikely(!filp)) {
58438 ++ task->role = kernel_role;
58439 ++ task->acl = kernel_role->root_label;
58440 ++ return;
58441 ++ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
58442 ++ role = lookup_acl_role_label(task, uid, gid);
58443 ++
58444 ++ /* perform subject lookup in possibly new role
58445 ++ we can use this result below in the case where role == task->role
58446 ++ */
58447 ++ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
58448 ++
58449 ++ /* if we changed uid/gid, but result in the same role
58450 ++ and are using inheritance, don't lose the inherited subject
58451 ++ if current subject is other than what normal lookup
58452 ++ would result in, we arrived via inheritance, don't
58453 ++ lose subject
58454 ++ */
58455 ++ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
58456 ++ (subj == task->acl)))
58457 ++ task->acl = subj;
58458 ++
58459 ++ task->role = role;
58460 ++
58461 ++ task->is_writable = 0;
58462 ++
58463 ++ /* ignore additional mmap checks for processes that are writable
58464 ++ by the default ACL */
58465 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
58466 ++ if (unlikely(obj->mode & GR_WRITE))
58467 ++ task->is_writable = 1;
58468 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
58469 ++ if (unlikely(obj->mode & GR_WRITE))
58470 ++ task->is_writable = 1;
58471 ++
58472 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58473 ++ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
58474 ++#endif
58475 ++
58476 ++ gr_set_proc_res(task);
58477 ++
58478 ++ return;
58479 ++}
58480 ++
58481 ++int
58482 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
58483 ++{
58484 ++ struct task_struct *task = current;
58485 ++ struct acl_subject_label *newacl;
58486 ++ struct acl_object_label *obj;
58487 ++ __u32 retmode;
58488 ++
58489 ++ if (unlikely(!(gr_status & GR_READY)))
58490 ++ return 0;
58491 ++
58492 ++ newacl = chk_subj_label(dentry, mnt, task->role);
58493 ++
58494 ++ task_lock(task);
58495 ++ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
58496 ++ GR_POVERRIDE) && (task->acl != newacl) &&
58497 ++ !(task->role->roletype & GR_ROLE_GOD) &&
58498 ++ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
58499 ++ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
58500 ++ (atomic_read(&task->fs->count) > 1 ||
58501 ++ atomic_read(&task->files->count) > 1 ||
58502 ++ atomic_read(&task->sighand->count) > 1)) {
58503 ++ task_unlock(task);
58504 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
58505 ++ return -EACCES;
58506 ++ }
58507 ++ task_unlock(task);
58508 ++
58509 ++ obj = chk_obj_label(dentry, mnt, task->acl);
58510 ++ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
58511 ++
58512 ++ if (!(task->acl->mode & GR_INHERITLEARN) &&
58513 ++ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
58514 ++ if (obj->nested)
58515 ++ task->acl = obj->nested;
58516 ++ else
58517 ++ task->acl = newacl;
58518 ++ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
58519 ++ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
58520 ++
58521 ++ task->is_writable = 0;
58522 ++
58523 ++ /* ignore additional mmap checks for processes that are writable
58524 ++ by the default ACL */
58525 ++ obj = chk_obj_label(dentry, mnt, default_role->root_label);
58526 ++ if (unlikely(obj->mode & GR_WRITE))
58527 ++ task->is_writable = 1;
58528 ++ obj = chk_obj_label(dentry, mnt, task->role->root_label);
58529 ++ if (unlikely(obj->mode & GR_WRITE))
58530 ++ task->is_writable = 1;
58531 ++
58532 ++ gr_set_proc_res(task);
58533 ++
58534 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58535 ++ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
58536 ++#endif
58537 ++ return 0;
58538 ++}
58539 ++
58540 ++/* always called with valid inodev ptr */
58541 ++static void
58542 ++do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
58543 ++{
58544 ++ struct acl_object_label *matchpo;
58545 ++ struct acl_subject_label *matchps;
58546 ++ struct acl_subject_label *subj;
58547 ++ struct acl_role_label *role;
58548 ++ unsigned int i, x;
58549 ++
58550 ++ FOR_EACH_ROLE_START(role, i)
58551 ++ FOR_EACH_SUBJECT_START(role, subj, x)
58552 ++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
58553 ++ matchpo->mode |= GR_DELETED;
58554 ++ FOR_EACH_SUBJECT_END(subj,x)
58555 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
58556 ++ if (subj->inode == ino && subj->device == dev)
58557 ++ subj->mode |= GR_DELETED;
58558 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
58559 ++ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
58560 ++ matchps->mode |= GR_DELETED;
58561 ++ FOR_EACH_ROLE_END(role,i)
58562 ++
58563 ++ inodev->nentry->deleted = 1;
58564 ++
58565 ++ return;
58566 ++}
58567 ++
58568 ++void
58569 ++gr_handle_delete(const ino_t ino, const dev_t dev)
58570 ++{
58571 ++ struct inodev_entry *inodev;
58572 ++
58573 ++ if (unlikely(!(gr_status & GR_READY)))
58574 ++ return;
58575 ++
58576 ++ write_lock(&gr_inode_lock);
58577 ++ inodev = lookup_inodev_entry(ino, dev);
58578 ++ if (inodev != NULL)
58579 ++ do_handle_delete(inodev, ino, dev);
58580 ++ write_unlock(&gr_inode_lock);
58581 ++
58582 ++ return;
58583 ++}
58584 ++
58585 ++static void
58586 ++update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
58587 ++ const ino_t newinode, const dev_t newdevice,
58588 ++ struct acl_subject_label *subj)
58589 ++{
58590 ++ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
58591 ++ struct acl_object_label *match;
58592 ++
58593 ++ match = subj->obj_hash[index];
58594 ++
58595 ++ while (match && (match->inode != oldinode ||
58596 ++ match->device != olddevice ||
58597 ++ !(match->mode & GR_DELETED)))
58598 ++ match = match->next;
58599 ++
58600 ++ if (match && (match->inode == oldinode)
58601 ++ && (match->device == olddevice)
58602 ++ && (match->mode & GR_DELETED)) {
58603 ++ if (match->prev == NULL) {
58604 ++ subj->obj_hash[index] = match->next;
58605 ++ if (match->next != NULL)
58606 ++ match->next->prev = NULL;
58607 ++ } else {
58608 ++ match->prev->next = match->next;
58609 ++ if (match->next != NULL)
58610 ++ match->next->prev = match->prev;
58611 ++ }
58612 ++ match->prev = NULL;
58613 ++ match->next = NULL;
58614 ++ match->inode = newinode;
58615 ++ match->device = newdevice;
58616 ++ match->mode &= ~GR_DELETED;
58617 ++
58618 ++ insert_acl_obj_label(match, subj);
58619 ++ }
58620 ++
58621 ++ return;
58622 ++}
58623 ++
58624 ++static void
58625 ++update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
58626 ++ const ino_t newinode, const dev_t newdevice,
58627 ++ struct acl_role_label *role)
58628 ++{
58629 ++ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
58630 ++ struct acl_subject_label *match;
58631 ++
58632 ++ match = role->subj_hash[index];
58633 ++
58634 ++ while (match && (match->inode != oldinode ||
58635 ++ match->device != olddevice ||
58636 ++ !(match->mode & GR_DELETED)))
58637 ++ match = match->next;
58638 ++
58639 ++ if (match && (match->inode == oldinode)
58640 ++ && (match->device == olddevice)
58641 ++ && (match->mode & GR_DELETED)) {
58642 ++ if (match->prev == NULL) {
58643 ++ role->subj_hash[index] = match->next;
58644 ++ if (match->next != NULL)
58645 ++ match->next->prev = NULL;
58646 ++ } else {
58647 ++ match->prev->next = match->next;
58648 ++ if (match->next != NULL)
58649 ++ match->next->prev = match->prev;
58650 ++ }
58651 ++ match->prev = NULL;
58652 ++ match->next = NULL;
58653 ++ match->inode = newinode;
58654 ++ match->device = newdevice;
58655 ++ match->mode &= ~GR_DELETED;
58656 ++
58657 ++ insert_acl_subj_label(match, role);
58658 ++ }
58659 ++
58660 ++ return;
58661 ++}
58662 ++
58663 ++static void
58664 ++update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
58665 ++ const ino_t newinode, const dev_t newdevice)
58666 ++{
58667 ++ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
58668 ++ struct inodev_entry *match;
58669 ++
58670 ++ match = inodev_set.i_hash[index];
58671 ++
58672 ++ while (match && (match->nentry->inode != oldinode ||
58673 ++ match->nentry->device != olddevice || !match->nentry->deleted))
58674 ++ match = match->next;
58675 ++
58676 ++ if (match && (match->nentry->inode == oldinode)
58677 ++ && (match->nentry->device == olddevice) &&
58678 ++ match->nentry->deleted) {
58679 ++ if (match->prev == NULL) {
58680 ++ inodev_set.i_hash[index] = match->next;
58681 ++ if (match->next != NULL)
58682 ++ match->next->prev = NULL;
58683 ++ } else {
58684 ++ match->prev->next = match->next;
58685 ++ if (match->next != NULL)
58686 ++ match->next->prev = match->prev;
58687 ++ }
58688 ++ match->prev = NULL;
58689 ++ match->next = NULL;
58690 ++ match->nentry->inode = newinode;
58691 ++ match->nentry->device = newdevice;
58692 ++ match->nentry->deleted = 0;
58693 ++
58694 ++ insert_inodev_entry(match);
58695 ++ }
58696 ++
58697 ++ return;
58698 ++}
58699 ++
58700 ++static void
58701 ++do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
58702 ++ const struct vfsmount *mnt)
58703 ++{
58704 ++ struct acl_subject_label *subj;
58705 ++ struct acl_role_label *role;
58706 ++ unsigned int i, x;
58707 ++
58708 ++ FOR_EACH_ROLE_START(role, i)
58709 ++ update_acl_subj_label(matchn->inode, matchn->device,
58710 ++ dentry->d_inode->i_ino,
58711 ++ dentry->d_inode->i_sb->s_dev, role);
58712 ++
58713 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
58714 ++ if ((subj->inode == dentry->d_inode->i_ino) &&
58715 ++ (subj->device == dentry->d_inode->i_sb->s_dev)) {
58716 ++ subj->inode = dentry->d_inode->i_ino;
58717 ++ subj->device = dentry->d_inode->i_sb->s_dev;
58718 ++ }
58719 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
58720 ++ FOR_EACH_SUBJECT_START(role, subj, x)
58721 ++ update_acl_obj_label(matchn->inode, matchn->device,
58722 ++ dentry->d_inode->i_ino,
58723 ++ dentry->d_inode->i_sb->s_dev, subj);
58724 ++ FOR_EACH_SUBJECT_END(subj,x)
58725 ++ FOR_EACH_ROLE_END(role,i)
58726 ++
58727 ++ update_inodev_entry(matchn->inode, matchn->device,
58728 ++ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
58729 ++
58730 ++ return;
58731 ++}
58732 ++
58733 ++void
58734 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
58735 ++{
58736 ++ struct name_entry *matchn;
58737 ++
58738 ++ if (unlikely(!(gr_status & GR_READY)))
58739 ++ return;
58740 ++
58741 ++ preempt_disable();
58742 ++ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
58743 ++
58744 ++ if (unlikely((unsigned long)matchn)) {
58745 ++ write_lock(&gr_inode_lock);
58746 ++ do_handle_create(matchn, dentry, mnt);
58747 ++ write_unlock(&gr_inode_lock);
58748 ++ }
58749 ++ preempt_enable();
58750 ++
58751 ++ return;
58752 ++}
58753 ++
58754 ++void
58755 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58756 ++ struct dentry *old_dentry,
58757 ++ struct dentry *new_dentry,
58758 ++ struct vfsmount *mnt, const __u8 replace)
58759 ++{
58760 ++ struct name_entry *matchn;
58761 ++ struct inodev_entry *inodev;
58762 ++
58763 ++ /* vfs_rename swaps the name and parent link for old_dentry and
58764 ++ new_dentry
58765 ++ at this point, old_dentry has the new name, parent link, and inode
58766 ++ for the renamed file
58767 ++ if a file is being replaced by a rename, new_dentry has the inode
58768 ++ and name for the replaced file
58769 ++ */
58770 ++
58771 ++ if (unlikely(!(gr_status & GR_READY)))
58772 ++ return;
58773 ++
58774 ++ preempt_disable();
58775 ++ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
58776 ++
58777 ++ /* we wouldn't have to check d_inode if it weren't for
58778 ++ NFS silly-renaming
58779 ++ */
58780 ++
58781 ++ write_lock(&gr_inode_lock);
58782 ++ if (unlikely(replace && new_dentry->d_inode)) {
58783 ++ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
58784 ++ new_dentry->d_inode->i_sb->s_dev);
58785 ++ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
58786 ++ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
58787 ++ new_dentry->d_inode->i_sb->s_dev);
58788 ++ }
58789 ++
58790 ++ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
58791 ++ old_dentry->d_inode->i_sb->s_dev);
58792 ++ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
58793 ++ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
58794 ++ old_dentry->d_inode->i_sb->s_dev);
58795 ++
58796 ++ if (unlikely((unsigned long)matchn))
58797 ++ do_handle_create(matchn, old_dentry, mnt);
58798 ++
58799 ++ write_unlock(&gr_inode_lock);
58800 ++ preempt_enable();
58801 ++
58802 ++ return;
58803 ++}
58804 ++
58805 ++static int
58806 ++lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
58807 ++ unsigned char **sum)
58808 ++{
58809 ++ struct acl_role_label *r;
58810 ++ struct role_allowed_ip *ipp;
58811 ++ struct role_transition *trans;
58812 ++ unsigned int i;
58813 ++ int found = 0;
58814 ++
58815 ++ /* check transition table */
58816 ++
58817 ++ for (trans = current->role->transitions; trans; trans = trans->next) {
58818 ++ if (!strcmp(rolename, trans->rolename)) {
58819 ++ found = 1;
58820 ++ break;
58821 ++ }
58822 ++ }
58823 ++
58824 ++ if (!found)
58825 ++ return 0;
58826 ++
58827 ++ /* handle special roles that do not require authentication
58828 ++ and check ip */
58829 ++
58830 ++ FOR_EACH_ROLE_START(r, i)
58831 ++ if (!strcmp(rolename, r->rolename) &&
58832 ++ (r->roletype & GR_ROLE_SPECIAL)) {
58833 ++ found = 0;
58834 ++ if (r->allowed_ips != NULL) {
58835 ++ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
58836 ++ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
58837 ++ (ntohl(ipp->addr) & ipp->netmask))
58838 ++ found = 1;
58839 ++ }
58840 ++ } else
58841 ++ found = 2;
58842 ++ if (!found)
58843 ++ return 0;
58844 ++
58845 ++ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
58846 ++ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
58847 ++ *salt = NULL;
58848 ++ *sum = NULL;
58849 ++ return 1;
58850 ++ }
58851 ++ }
58852 ++ FOR_EACH_ROLE_END(r,i)
58853 ++
58854 ++ for (i = 0; i < num_sprole_pws; i++) {
58855 ++ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
58856 ++ *salt = acl_special_roles[i]->salt;
58857 ++ *sum = acl_special_roles[i]->sum;
58858 ++ return 1;
58859 ++ }
58860 ++ }
58861 ++
58862 ++ return 0;
58863 ++}
58864 ++
58865 ++static void
58866 ++assign_special_role(char *rolename)
58867 ++{
58868 ++ struct acl_object_label *obj;
58869 ++ struct acl_role_label *r;
58870 ++ struct acl_role_label *assigned = NULL;
58871 ++ struct task_struct *tsk;
58872 ++ struct file *filp;
58873 ++ unsigned int i;
58874 ++
58875 ++ FOR_EACH_ROLE_START(r, i)
58876 ++ if (!strcmp(rolename, r->rolename) &&
58877 ++ (r->roletype & GR_ROLE_SPECIAL))
58878 ++ assigned = r;
58879 ++ FOR_EACH_ROLE_END(r,i)
58880 ++
58881 ++ if (!assigned)
58882 ++ return;
58883 ++
58884 ++ read_lock(&tasklist_lock);
58885 ++ read_lock(&grsec_exec_file_lock);
58886 ++
58887 ++ tsk = current->parent;
58888 ++ if (tsk == NULL)
58889 ++ goto out_unlock;
58890 ++
58891 ++ filp = tsk->exec_file;
58892 ++ if (filp == NULL)
58893 ++ goto out_unlock;
58894 ++
58895 ++ tsk->is_writable = 0;
58896 ++
58897 ++ tsk->acl_sp_role = 1;
58898 ++ tsk->acl_role_id = ++acl_sp_role_value;
58899 ++ tsk->role = assigned;
58900 ++ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
58901 ++
58902 ++ /* ignore additional mmap checks for processes that are writable
58903 ++ by the default ACL */
58904 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
58905 ++ if (unlikely(obj->mode & GR_WRITE))
58906 ++ tsk->is_writable = 1;
58907 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
58908 ++ if (unlikely(obj->mode & GR_WRITE))
58909 ++ tsk->is_writable = 1;
58910 ++
58911 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
58912 ++ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
58913 ++#endif
58914 ++
58915 ++out_unlock:
58916 ++ read_unlock(&grsec_exec_file_lock);
58917 ++ read_unlock(&tasklist_lock);
58918 ++ return;
58919 ++}
58920 ++
58921 ++int gr_check_secure_terminal(struct task_struct *task)
58922 ++{
58923 ++ struct task_struct *p, *p2, *p3;
58924 ++ struct files_struct *files;
58925 ++ struct fdtable *fdt;
58926 ++ struct file *our_file = NULL, *file;
58927 ++ int i;
58928 ++
58929 ++ if (task->signal->tty == NULL)
58930 ++ return 1;
58931 ++
58932 ++ files = get_files_struct(task);
58933 ++ if (files != NULL) {
58934 ++ rcu_read_lock();
58935 ++ fdt = files_fdtable(files);
58936 ++ for (i=0; i < fdt->max_fds; i++) {
58937 ++ file = fcheck_files(files, i);
58938 ++ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
58939 ++ get_file(file);
58940 ++ our_file = file;
58941 ++ }
58942 ++ }
58943 ++ rcu_read_unlock();
58944 ++ put_files_struct(files);
58945 ++ }
58946 ++
58947 ++ if (our_file == NULL)
58948 ++ return 1;
58949 ++
58950 ++ read_lock(&tasklist_lock);
58951 ++ do_each_thread(p2, p) {
58952 ++ files = get_files_struct(p);
58953 ++ if (files == NULL ||
58954 ++ (p->signal && p->signal->tty == task->signal->tty)) {
58955 ++ if (files != NULL)
58956 ++ put_files_struct(files);
58957 ++ continue;
58958 ++ }
58959 ++ rcu_read_lock();
58960 ++ fdt = files_fdtable(files);
58961 ++ for (i=0; i < fdt->max_fds; i++) {
58962 ++ file = fcheck_files(files, i);
58963 ++ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
58964 ++ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
58965 ++ p3 = task;
58966 ++ while (p3->pid > 0) {
58967 ++ if (p3 == p)
58968 ++ break;
58969 ++ p3 = p3->parent;
58970 ++ }
58971 ++ if (p3 == p)
58972 ++ break;
58973 ++ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
58974 ++ gr_handle_alertkill(p);
58975 ++ rcu_read_unlock();
58976 ++ put_files_struct(files);
58977 ++ read_unlock(&tasklist_lock);
58978 ++ fput(our_file);
58979 ++ return 0;
58980 ++ }
58981 ++ }
58982 ++ rcu_read_unlock();
58983 ++ put_files_struct(files);
58984 ++ } while_each_thread(p2, p);
58985 ++ read_unlock(&tasklist_lock);
58986 ++
58987 ++ fput(our_file);
58988 ++ return 1;
58989 ++}
58990 ++
58991 ++ssize_t
58992 ++write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
58993 ++{
58994 ++ struct gr_arg_wrapper uwrap;
58995 ++ unsigned char *sprole_salt;
58996 ++ unsigned char *sprole_sum;
58997 ++ int error = sizeof (struct gr_arg_wrapper);
58998 ++ int error2 = 0;
58999 ++
59000 ++ down(&gr_dev_sem);
59001 ++
59002 ++ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
59003 ++ error = -EPERM;
59004 ++ goto out;
59005 ++ }
59006 ++
59007 ++ if (count != sizeof (struct gr_arg_wrapper)) {
59008 ++ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
59009 ++ error = -EINVAL;
59010 ++ goto out;
59011 ++ }
59012 ++
59013 ++
59014 ++ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
59015 ++ gr_auth_expires = 0;
59016 ++ gr_auth_attempts = 0;
59017 ++ }
59018 ++
59019 ++ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
59020 ++ error = -EFAULT;
59021 ++ goto out;
59022 ++ }
59023 ++
59024 ++ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
59025 ++ error = -EINVAL;
59026 ++ goto out;
59027 ++ }
59028 ++
59029 ++ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
59030 ++ error = -EFAULT;
59031 ++ goto out;
59032 ++ }
59033 ++
59034 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
59035 ++ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
59036 ++ time_after(gr_auth_expires, get_seconds())) {
59037 ++ error = -EBUSY;
59038 ++ goto out;
59039 ++ }
59040 ++
59041 ++ /* if non-root trying to do anything other than use a special role,
59042 ++ do not attempt authentication, do not count towards authentication
59043 ++ locking
59044 ++ */
59045 ++
59046 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
59047 ++ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
59048 ++ current->uid) {
59049 ++ error = -EPERM;
59050 ++ goto out;
59051 ++ }
59052 ++
59053 ++ /* ensure pw and special role name are null terminated */
59054 ++
59055 ++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
59056 ++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
59057 ++
59058 ++ /* Okay.
59059 ++ * We have our enough of the argument structure..(we have yet
59060 ++ * to copy_from_user the tables themselves) . Copy the tables
59061 ++ * only if we need them, i.e. for loading operations. */
59062 ++
59063 ++ switch (gr_usermode->mode) {
59064 ++ case STATUS:
59065 ++ if (gr_status & GR_READY) {
59066 ++ error = 1;
59067 ++ if (!gr_check_secure_terminal(current))
59068 ++ error = 3;
59069 ++ } else
59070 ++ error = 2;
59071 ++ goto out;
59072 ++ case SHUTDOWN:
59073 ++ if ((gr_status & GR_READY)
59074 ++ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59075 ++ gr_status &= ~GR_READY;
59076 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
59077 ++ free_variables();
59078 ++ memset(gr_usermode, 0, sizeof (struct gr_arg));
59079 ++ memset(gr_system_salt, 0, GR_SALT_LEN);
59080 ++ memset(gr_system_sum, 0, GR_SHA_LEN);
59081 ++ } else if (gr_status & GR_READY) {
59082 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
59083 ++ error = -EPERM;
59084 ++ } else {
59085 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
59086 ++ error = -EAGAIN;
59087 ++ }
59088 ++ break;
59089 ++ case ENABLE:
59090 ++ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
59091 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
59092 ++ else {
59093 ++ if (gr_status & GR_READY)
59094 ++ error = -EAGAIN;
59095 ++ else
59096 ++ error = error2;
59097 ++ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
59098 ++ }
59099 ++ break;
59100 ++ case RELOAD:
59101 ++ if (!(gr_status & GR_READY)) {
59102 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
59103 ++ error = -EAGAIN;
59104 ++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59105 ++ lock_kernel();
59106 ++ gr_status &= ~GR_READY;
59107 ++ free_variables();
59108 ++ if (!(error2 = gracl_init(gr_usermode))) {
59109 ++ unlock_kernel();
59110 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
59111 ++ } else {
59112 ++ unlock_kernel();
59113 ++ error = error2;
59114 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
59115 ++ }
59116 ++ } else {
59117 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
59118 ++ error = -EPERM;
59119 ++ }
59120 ++ break;
59121 ++ case SEGVMOD:
59122 ++ if (unlikely(!(gr_status & GR_READY))) {
59123 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
59124 ++ error = -EAGAIN;
59125 ++ break;
59126 ++ }
59127 ++
59128 ++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
59129 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
59130 ++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
59131 ++ struct acl_subject_label *segvacl;
59132 ++ segvacl =
59133 ++ lookup_acl_subj_label(gr_usermode->segv_inode,
59134 ++ gr_usermode->segv_device,
59135 ++ current->role);
59136 ++ if (segvacl) {
59137 ++ segvacl->crashes = 0;
59138 ++ segvacl->expires = 0;
59139 ++ }
59140 ++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
59141 ++ gr_remove_uid(gr_usermode->segv_uid);
59142 ++ }
59143 ++ } else {
59144 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
59145 ++ error = -EPERM;
59146 ++ }
59147 ++ break;
59148 ++ case SPROLE:
59149 ++ case SPROLEPAM:
59150 ++ if (unlikely(!(gr_status & GR_READY))) {
59151 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
59152 ++ error = -EAGAIN;
59153 ++ break;
59154 ++ }
59155 ++
59156 ++ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
59157 ++ current->role->expires = 0;
59158 ++ current->role->auth_attempts = 0;
59159 ++ }
59160 ++
59161 ++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
59162 ++ time_after(current->role->expires, get_seconds())) {
59163 ++ error = -EBUSY;
59164 ++ goto out;
59165 ++ }
59166 ++
59167 ++ if (lookup_special_role_auth
59168 ++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
59169 ++ && ((!sprole_salt && !sprole_sum)
59170 ++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
59171 ++ char *p = "";
59172 ++ assign_special_role(gr_usermode->sp_role);
59173 ++ read_lock(&tasklist_lock);
59174 ++ if (current->parent)
59175 ++ p = current->parent->role->rolename;
59176 ++ read_unlock(&tasklist_lock);
59177 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
59178 ++ p, acl_sp_role_value);
59179 ++ } else {
59180 ++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
59181 ++ error = -EPERM;
59182 ++ if(!(current->role->auth_attempts++))
59183 ++ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
59184 ++
59185 ++ goto out;
59186 ++ }
59187 ++ break;
59188 ++ case UNSPROLE:
59189 ++ if (unlikely(!(gr_status & GR_READY))) {
59190 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
59191 ++ error = -EAGAIN;
59192 ++ break;
59193 ++ }
59194 ++
59195 ++ if (current->role->roletype & GR_ROLE_SPECIAL) {
59196 ++ char *p = "";
59197 ++ int i = 0;
59198 ++
59199 ++ read_lock(&tasklist_lock);
59200 ++ if (current->parent) {
59201 ++ p = current->parent->role->rolename;
59202 ++ i = current->parent->acl_role_id;
59203 ++ }
59204 ++ read_unlock(&tasklist_lock);
59205 ++
59206 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
59207 ++ gr_set_acls(1);
59208 ++ } else {
59209 ++ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
59210 ++ error = -EPERM;
59211 ++ goto out;
59212 ++ }
59213 ++ break;
59214 ++ default:
59215 ++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
59216 ++ error = -EINVAL;
59217 ++ break;
59218 ++ }
59219 ++
59220 ++ if (error != -EPERM)
59221 ++ goto out;
59222 ++
59223 ++ if(!(gr_auth_attempts++))
59224 ++ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
59225 ++
59226 ++ out:
59227 ++ up(&gr_dev_sem);
59228 ++ return error;
59229 ++}
59230 ++
59231 ++int
59232 ++gr_set_acls(const int type)
59233 ++{
59234 ++ struct acl_object_label *obj;
59235 ++ struct task_struct *task, *task2;
59236 ++ struct file *filp;
59237 ++ struct acl_role_label *role = current->role;
59238 ++ __u16 acl_role_id = current->acl_role_id;
59239 ++
59240 ++ read_lock(&tasklist_lock);
59241 ++ read_lock(&grsec_exec_file_lock);
59242 ++ do_each_thread(task2, task) {
59243 ++ /* check to see if we're called from the exit handler,
59244 ++ if so, only replace ACLs that have inherited the admin
59245 ++ ACL */
59246 ++
59247 ++ if (type && (task->role != role ||
59248 ++ task->acl_role_id != acl_role_id))
59249 ++ continue;
59250 ++
59251 ++ task->acl_role_id = 0;
59252 ++ task->acl_sp_role = 0;
59253 ++
59254 ++ if ((filp = task->exec_file)) {
59255 ++ task->role = lookup_acl_role_label(task, task->uid, task->gid);
59256 ++
59257 ++ task->acl =
59258 ++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
59259 ++ task->role);
59260 ++ if (task->acl) {
59261 ++ struct acl_subject_label *curr;
59262 ++ curr = task->acl;
59263 ++
59264 ++ task->is_writable = 0;
59265 ++ /* ignore additional mmap checks for processes that are writable
59266 ++ by the default ACL */
59267 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
59268 ++ if (unlikely(obj->mode & GR_WRITE))
59269 ++ task->is_writable = 1;
59270 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
59271 ++ if (unlikely(obj->mode & GR_WRITE))
59272 ++ task->is_writable = 1;
59273 ++
59274 ++ gr_set_proc_res(task);
59275 ++
59276 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
59277 ++ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
59278 ++#endif
59279 ++ } else {
59280 ++ read_unlock(&grsec_exec_file_lock);
59281 ++ read_unlock(&tasklist_lock);
59282 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
59283 ++ return 1;
59284 ++ }
59285 ++ } else {
59286 ++ // it's a kernel process
59287 ++ task->role = kernel_role;
59288 ++ task->acl = kernel_role->root_label;
59289 ++#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
59290 ++ task->acl->mode &= ~GR_PROCFIND;
59291 ++#endif
59292 ++ }
59293 ++ } while_each_thread(task2, task);
59294 ++ read_unlock(&grsec_exec_file_lock);
59295 ++ read_unlock(&tasklist_lock);
59296 ++ return 0;
59297 ++}
59298 ++
59299 ++void
59300 ++gr_learn_resource(const struct task_struct *task,
59301 ++ const int res, const unsigned long wanted, const int gt)
59302 ++{
59303 ++ struct acl_subject_label *acl;
59304 ++
59305 ++ if (unlikely((gr_status & GR_READY) &&
59306 ++ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
59307 ++ goto skip_reslog;
59308 ++
59309 ++#ifdef CONFIG_GRKERNSEC_RESLOG
59310 ++ gr_log_resource(task, res, wanted, gt);
59311 ++#endif
59312 ++ skip_reslog:
59313 ++
59314 ++ if (unlikely(!(gr_status & GR_READY) || !wanted))
59315 ++ return;
59316 ++
59317 ++ acl = task->acl;
59318 ++
59319 ++ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
59320 ++ !(acl->resmask & (1 << (unsigned short) res))))
59321 ++ return;
59322 ++
59323 ++ if (wanted >= acl->res[res].rlim_cur) {
59324 ++ unsigned long res_add;
59325 ++
59326 ++ res_add = wanted;
59327 ++ switch (res) {
59328 ++ case RLIMIT_CPU:
59329 ++ res_add += GR_RLIM_CPU_BUMP;
59330 ++ break;
59331 ++ case RLIMIT_FSIZE:
59332 ++ res_add += GR_RLIM_FSIZE_BUMP;
59333 ++ break;
59334 ++ case RLIMIT_DATA:
59335 ++ res_add += GR_RLIM_DATA_BUMP;
59336 ++ break;
59337 ++ case RLIMIT_STACK:
59338 ++ res_add += GR_RLIM_STACK_BUMP;
59339 ++ break;
59340 ++ case RLIMIT_CORE:
59341 ++ res_add += GR_RLIM_CORE_BUMP;
59342 ++ break;
59343 ++ case RLIMIT_RSS:
59344 ++ res_add += GR_RLIM_RSS_BUMP;
59345 ++ break;
59346 ++ case RLIMIT_NPROC:
59347 ++ res_add += GR_RLIM_NPROC_BUMP;
59348 ++ break;
59349 ++ case RLIMIT_NOFILE:
59350 ++ res_add += GR_RLIM_NOFILE_BUMP;
59351 ++ break;
59352 ++ case RLIMIT_MEMLOCK:
59353 ++ res_add += GR_RLIM_MEMLOCK_BUMP;
59354 ++ break;
59355 ++ case RLIMIT_AS:
59356 ++ res_add += GR_RLIM_AS_BUMP;
59357 ++ break;
59358 ++ case RLIMIT_LOCKS:
59359 ++ res_add += GR_RLIM_LOCKS_BUMP;
59360 ++ break;
59361 ++ }
59362 ++
59363 ++ acl->res[res].rlim_cur = res_add;
59364 ++
59365 ++ if (wanted > acl->res[res].rlim_max)
59366 ++ acl->res[res].rlim_max = res_add;
59367 ++
59368 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
59369 ++ task->role->roletype, acl->filename,
59370 ++ acl->res[res].rlim_cur, acl->res[res].rlim_max,
59371 ++ "", (unsigned long) res);
59372 ++ }
59373 ++
59374 ++ return;
59375 ++}
59376 ++
59377 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
59378 ++void
59379 ++pax_set_initial_flags(struct linux_binprm *bprm)
59380 ++{
59381 ++ struct task_struct *task = current;
59382 ++ struct acl_subject_label *proc;
59383 ++ unsigned long flags;
59384 ++
59385 ++ if (unlikely(!(gr_status & GR_READY)))
59386 ++ return;
59387 ++
59388 ++ flags = pax_get_flags(task);
59389 ++
59390 ++ proc = task->acl;
59391 ++
59392 ++ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
59393 ++ flags &= ~MF_PAX_PAGEEXEC;
59394 ++ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
59395 ++ flags &= ~MF_PAX_SEGMEXEC;
59396 ++ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
59397 ++ flags &= ~MF_PAX_RANDMMAP;
59398 ++ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
59399 ++ flags &= ~MF_PAX_EMUTRAMP;
59400 ++ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
59401 ++ flags &= ~MF_PAX_MPROTECT;
59402 ++
59403 ++ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
59404 ++ flags |= MF_PAX_PAGEEXEC;
59405 ++ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
59406 ++ flags |= MF_PAX_SEGMEXEC;
59407 ++ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
59408 ++ flags |= MF_PAX_RANDMMAP;
59409 ++ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
59410 ++ flags |= MF_PAX_EMUTRAMP;
59411 ++ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
59412 ++ flags |= MF_PAX_MPROTECT;
59413 ++
59414 ++ pax_set_flags(task, flags);
59415 ++
59416 ++ return;
59417 ++}
59418 ++#endif
59419 ++
59420 ++#ifdef CONFIG_SYSCTL
59421 ++/* Eric Biederman likes breaking userland ABI and every inode-based security
59422 ++ system to save 35kb of memory */
59423 ++
59424 ++/* we modify the passed in filename, but adjust it back before returning */
59425 ++static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
59426 ++{
59427 ++ struct name_entry *nmatch;
59428 ++ char *p, *lastp = NULL;
59429 ++ struct acl_object_label *obj = NULL, *tmp;
59430 ++ struct acl_subject_label *tmpsubj;
59431 ++ char c = '\0';
59432 ++
59433 ++ read_lock(&gr_inode_lock);
59434 ++
59435 ++ p = name + len - 1;
59436 ++ do {
59437 ++ nmatch = lookup_name_entry(name);
59438 ++ if (lastp != NULL)
59439 ++ *lastp = c;
59440 ++
59441 ++ if (nmatch == NULL)
59442 ++ goto next_component;
59443 ++ tmpsubj = current->acl;
59444 ++ do {
59445 ++ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
59446 ++ if (obj != NULL) {
59447 ++ tmp = obj->globbed;
59448 ++ while (tmp) {
59449 ++ if (!glob_match(tmp->filename, name)) {
59450 ++ obj = tmp;
59451 ++ goto found_obj;
59452 ++ }
59453 ++ tmp = tmp->next;
59454 ++ }
59455 ++ goto found_obj;
59456 ++ }
59457 ++ } while ((tmpsubj = tmpsubj->parent_subject));
59458 ++next_component:
59459 ++ /* end case */
59460 ++ if (p == name)
59461 ++ break;
59462 ++
59463 ++ while (*p != '/')
59464 ++ p--;
59465 ++ if (p == name)
59466 ++ lastp = p + 1;
59467 ++ else {
59468 ++ lastp = p;
59469 ++ p--;
59470 ++ }
59471 ++ c = *lastp;
59472 ++ *lastp = '\0';
59473 ++ } while (1);
59474 ++found_obj:
59475 ++ read_unlock(&gr_inode_lock);
59476 ++ /* obj returned will always be non-null */
59477 ++ return obj;
59478 ++}
59479 ++
59480 ++/* returns 0 when allowing, non-zero on error
59481 ++ op of 0 is used for readdir, so we don't log the names of hidden files
59482 ++*/
59483 ++__u32
59484 ++gr_handle_sysctl(const struct ctl_table *table, const int op)
59485 ++{
59486 ++ ctl_table *tmp;
59487 ++ const char *proc_sys = "/proc/sys";
59488 ++ char *path;
59489 ++ struct acl_object_label *obj;
59490 ++ unsigned short len = 0, pos = 0, depth = 0, i;
59491 ++ __u32 err = 0;
59492 ++ __u32 mode = 0;
59493 ++
59494 ++ if (unlikely(!(gr_status & GR_READY)))
59495 ++ return 0;
59496 ++
59497 ++ /* for now, ignore operations on non-sysctl entries if it's not a
59498 ++ readdir*/
59499 ++ if (table->child != NULL && op != 0)
59500 ++ return 0;
59501 ++
59502 ++ mode |= GR_FIND;
59503 ++ /* it's only a read if it's an entry, read on dirs is for readdir */
59504 ++ if (op & 004)
59505 ++ mode |= GR_READ;
59506 ++ if (op & 002)
59507 ++ mode |= GR_WRITE;
59508 ++
59509 ++ preempt_disable();
59510 ++
59511 ++ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
59512 ++
59513 ++ /* it's only a read/write if it's an actual entry, not a dir
59514 ++ (which are opened for readdir)
59515 ++ */
59516 ++
59517 ++ /* convert the requested sysctl entry into a pathname */
59518 ++
59519 ++ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
59520 ++ len += strlen(tmp->procname);
59521 ++ len++;
59522 ++ depth++;
59523 ++ }
59524 ++
59525 ++ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
59526 ++ /* deny */
59527 ++ goto out;
59528 ++ }
59529 ++
59530 ++ memset(path, 0, PAGE_SIZE);
59531 ++
59532 ++ memcpy(path, proc_sys, strlen(proc_sys));
59533 ++
59534 ++ pos += strlen(proc_sys);
59535 ++
59536 ++ for (; depth > 0; depth--) {
59537 ++ path[pos] = '/';
59538 ++ pos++;
59539 ++ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
59540 ++ if (depth == i) {
59541 ++ memcpy(path + pos, tmp->procname,
59542 ++ strlen(tmp->procname));
59543 ++ pos += strlen(tmp->procname);
59544 ++ }
59545 ++ i++;
59546 ++ }
59547 ++ }
59548 ++
59549 ++ obj = gr_lookup_by_name(path, pos);
59550 ++ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
59551 ++
59552 ++ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
59553 ++ ((err & mode) != mode))) {
59554 ++ __u32 new_mode = mode;
59555 ++
59556 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
59557 ++
59558 ++ err = 0;
59559 ++ gr_log_learn_sysctl(current, path, new_mode);
59560 ++ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
59561 ++ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
59562 ++ err = -ENOENT;
59563 ++ } else if (!(err & GR_FIND)) {
59564 ++ err = -ENOENT;
59565 ++ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
59566 ++ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
59567 ++ path, (mode & GR_READ) ? " reading" : "",
59568 ++ (mode & GR_WRITE) ? " writing" : "");
59569 ++ err = -EACCES;
59570 ++ } else if ((err & mode) != mode) {
59571 ++ err = -EACCES;
59572 ++ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
59573 ++ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
59574 ++ path, (mode & GR_READ) ? " reading" : "",
59575 ++ (mode & GR_WRITE) ? " writing" : "");
59576 ++ err = 0;
59577 ++ } else
59578 ++ err = 0;
59579 ++
59580 ++ out:
59581 ++ preempt_enable();
59582 ++
59583 ++ return err;
59584 ++}
59585 ++#endif
59586 ++
59587 ++int
59588 ++gr_handle_proc_ptrace(struct task_struct *task)
59589 ++{
59590 ++ struct file *filp;
59591 ++ struct task_struct *tmp = task;
59592 ++ struct task_struct *curtemp = current;
59593 ++ __u32 retmode;
59594 ++
59595 ++ if (unlikely(!(gr_status & GR_READY)))
59596 ++ return 0;
59597 ++
59598 ++ read_lock(&tasklist_lock);
59599 ++ read_lock(&grsec_exec_file_lock);
59600 ++ filp = task->exec_file;
59601 ++
59602 ++ while (tmp->pid > 0) {
59603 ++ if (tmp == curtemp)
59604 ++ break;
59605 ++ tmp = tmp->parent;
59606 ++ }
59607 ++
59608 ++ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
59609 ++ read_unlock(&grsec_exec_file_lock);
59610 ++ read_unlock(&tasklist_lock);
59611 ++ return 1;
59612 ++ }
59613 ++
59614 ++ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
59615 ++ read_unlock(&grsec_exec_file_lock);
59616 ++ read_unlock(&tasklist_lock);
59617 ++
59618 ++ if (retmode & GR_NOPTRACE)
59619 ++ return 1;
59620 ++
59621 ++ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
59622 ++ && (current->acl != task->acl || (current->acl != current->role->root_label
59623 ++ && current->pid != task->pid)))
59624 ++ return 1;
59625 ++
59626 ++ return 0;
59627 ++}
59628 ++
59629 ++int
59630 ++gr_handle_ptrace(struct task_struct *task, const long request)
59631 ++{
59632 ++ struct task_struct *tmp = task;
59633 ++ struct task_struct *curtemp = current;
59634 ++ __u32 retmode;
59635 ++
59636 ++ if (unlikely(!(gr_status & GR_READY)))
59637 ++ return 0;
59638 ++
59639 ++ read_lock(&tasklist_lock);
59640 ++ while (tmp->pid > 0) {
59641 ++ if (tmp == curtemp)
59642 ++ break;
59643 ++ tmp = tmp->parent;
59644 ++ }
59645 ++
59646 ++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
59647 ++ read_unlock(&tasklist_lock);
59648 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59649 ++ return 1;
59650 ++ }
59651 ++ read_unlock(&tasklist_lock);
59652 ++
59653 ++ read_lock(&grsec_exec_file_lock);
59654 ++ if (unlikely(!task->exec_file)) {
59655 ++ read_unlock(&grsec_exec_file_lock);
59656 ++ return 0;
59657 ++ }
59658 ++
59659 ++ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
59660 ++ read_unlock(&grsec_exec_file_lock);
59661 ++
59662 ++ if (retmode & GR_NOPTRACE) {
59663 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59664 ++ return 1;
59665 ++ }
59666 ++
59667 ++ if (retmode & GR_PTRACERD) {
59668 ++ switch (request) {
59669 ++ case PTRACE_POKETEXT:
59670 ++ case PTRACE_POKEDATA:
59671 ++ case PTRACE_POKEUSR:
59672 ++#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
59673 ++ case PTRACE_SETREGS:
59674 ++ case PTRACE_SETFPREGS:
59675 ++#endif
59676 ++#ifdef CONFIG_X86
59677 ++ case PTRACE_SETFPXREGS:
59678 ++#endif
59679 ++#ifdef CONFIG_ALTIVEC
59680 ++ case PTRACE_SETVRREGS:
59681 ++#endif
59682 ++ return 1;
59683 ++ default:
59684 ++ return 0;
59685 ++ }
59686 ++ } else if (!(current->acl->mode & GR_POVERRIDE) &&
59687 ++ !(current->role->roletype & GR_ROLE_GOD) &&
59688 ++ (current->acl != task->acl)) {
59689 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
59690 ++ return 1;
59691 ++ }
59692 ++
59693 ++ return 0;
59694 ++}
59695 ++
59696 ++static int is_writable_mmap(const struct file *filp)
59697 ++{
59698 ++ struct task_struct *task = current;
59699 ++ struct acl_object_label *obj, *obj2;
59700 ++
59701 ++ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
59702 ++ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
59703 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
59704 ++ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
59705 ++ task->role->root_label);
59706 ++ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
59707 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
59708 ++ return 1;
59709 ++ }
59710 ++ }
59711 ++ return 0;
59712 ++}
59713 ++
59714 ++int
59715 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
59716 ++{
59717 ++ __u32 mode;
59718 ++
59719 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
59720 ++ return 1;
59721 ++
59722 ++ if (is_writable_mmap(file))
59723 ++ return 0;
59724 ++
59725 ++ mode =
59726 ++ gr_search_file(file->f_dentry,
59727 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
59728 ++ file->f_vfsmnt);
59729 ++
59730 ++ if (!gr_tpe_allow(file))
59731 ++ return 0;
59732 ++
59733 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
59734 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59735 ++ return 0;
59736 ++ } else if (unlikely(!(mode & GR_EXEC))) {
59737 ++ return 0;
59738 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
59739 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59740 ++ return 1;
59741 ++ }
59742 ++
59743 ++ return 1;
59744 ++}
59745 ++
59746 ++int
59747 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
59748 ++{
59749 ++ __u32 mode;
59750 ++
59751 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
59752 ++ return 1;
59753 ++
59754 ++ if (is_writable_mmap(file))
59755 ++ return 0;
59756 ++
59757 ++ mode =
59758 ++ gr_search_file(file->f_dentry,
59759 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
59760 ++ file->f_vfsmnt);
59761 ++
59762 ++ if (!gr_tpe_allow(file))
59763 ++ return 0;
59764 ++
59765 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
59766 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59767 ++ return 0;
59768 ++ } else if (unlikely(!(mode & GR_EXEC))) {
59769 ++ return 0;
59770 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
59771 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
59772 ++ return 1;
59773 ++ }
59774 ++
59775 ++ return 1;
59776 ++}
59777 ++
59778 ++void
59779 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
59780 ++{
59781 ++ unsigned long runtime;
59782 ++ unsigned long cputime;
59783 ++ unsigned int wday, cday;
59784 ++ __u8 whr, chr;
59785 ++ __u8 wmin, cmin;
59786 ++ __u8 wsec, csec;
59787 ++ struct timespec timeval;
59788 ++
59789 ++ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
59790 ++ !(task->acl->mode & GR_PROCACCT)))
59791 ++ return;
59792 ++
59793 ++ do_posix_clock_monotonic_gettime(&timeval);
59794 ++ runtime = timeval.tv_sec - task->start_time.tv_sec;
59795 ++ wday = runtime / (3600 * 24);
59796 ++ runtime -= wday * (3600 * 24);
59797 ++ whr = runtime / 3600;
59798 ++ runtime -= whr * 3600;
59799 ++ wmin = runtime / 60;
59800 ++ runtime -= wmin * 60;
59801 ++ wsec = runtime;
59802 ++
59803 ++ cputime = (task->utime + task->stime) / HZ;
59804 ++ cday = cputime / (3600 * 24);
59805 ++ cputime -= cday * (3600 * 24);
59806 ++ chr = cputime / 3600;
59807 ++ cputime -= chr * 3600;
59808 ++ cmin = cputime / 60;
59809 ++ cputime -= cmin * 60;
59810 ++ csec = cputime;
59811 ++
59812 ++ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
59813 ++
59814 ++ return;
59815 ++}
59816 ++
59817 ++void gr_set_kernel_label(struct task_struct *task)
59818 ++{
59819 ++ if (gr_status & GR_READY) {
59820 ++ task->role = kernel_role;
59821 ++ task->acl = kernel_role->root_label;
59822 ++ }
59823 ++ return;
59824 ++}
59825 ++
59826 ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
59827 ++{
59828 ++ struct task_struct *task = current;
59829 ++ struct dentry *dentry = file->f_dentry;
59830 ++ struct vfsmount *mnt = file->f_vfsmnt;
59831 ++ struct acl_object_label *obj, *tmp;
59832 ++ struct acl_subject_label *subj;
59833 ++ unsigned int bufsize;
59834 ++ int is_not_root;
59835 ++ char *path;
59836 ++
59837 ++ if (unlikely(!(gr_status & GR_READY)))
59838 ++ return 1;
59839 ++
59840 ++ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
59841 ++ return 1;
59842 ++
59843 ++ /* ignore Eric Biederman */
59844 ++ if (IS_PRIVATE(dentry->d_inode))
59845 ++ return 1;
59846 ++
59847 ++ subj = task->acl;
59848 ++ do {
59849 ++ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
59850 ++ if (obj != NULL)
59851 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59852 ++ } while ((subj = subj->parent_subject));
59853 ++
59854 ++ obj = chk_obj_label(dentry, mnt, task->acl);
59855 ++ if (obj->globbed == NULL)
59856 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59857 ++
59858 ++ is_not_root = ((obj->filename[0] == '/') &&
59859 ++ (obj->filename[1] == '\0')) ? 0 : 1;
59860 ++ bufsize = PAGE_SIZE - namelen - is_not_root;
59861 ++
59862 ++ /* check bufsize > PAGE_SIZE || bufsize == 0 */
59863 ++ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
59864 ++ return 1;
59865 ++
59866 ++ preempt_disable();
59867 ++ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
59868 ++ bufsize);
59869 ++
59870 ++ bufsize = strlen(path);
59871 ++
59872 ++ /* if base is "/", don't append an additional slash */
59873 ++ if (is_not_root)
59874 ++ *(path + bufsize) = '/';
59875 ++ memcpy(path + bufsize + is_not_root, name, namelen);
59876 ++ *(path + bufsize + namelen + is_not_root) = '\0';
59877 ++
59878 ++ tmp = obj->globbed;
59879 ++ while (tmp) {
59880 ++ if (!glob_match(tmp->filename, path)) {
59881 ++ preempt_enable();
59882 ++ return (tmp->mode & GR_FIND) ? 1 : 0;
59883 ++ }
59884 ++ tmp = tmp->next;
59885 ++ }
59886 ++ preempt_enable();
59887 ++ return (obj->mode & GR_FIND) ? 1 : 0;
59888 ++}
59889 ++
59890 ++EXPORT_SYMBOL(gr_learn_resource);
59891 ++EXPORT_SYMBOL(gr_set_kernel_label);
59892 ++#ifdef CONFIG_SECURITY
59893 ++EXPORT_SYMBOL(gr_check_user_change);
59894 ++EXPORT_SYMBOL(gr_check_group_change);
59895 ++#endif
59896 ++
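Review bot: in gr_handle_sysctl the over-length branch marked `/* deny */` (the `if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE)` check) jumps to `out` with `err` still at its initial 0, and under the function's own contract ("returns 0 when allowing, non-zero on error") that allows the access instead of denying it; assign an error before the jump, e.g. `err = -EACCES; goto out;`. Related: gr_lookup_by_name is documented with "obj returned will always be non-null" and gr_handle_sysctl dereferences it unconditionally in `err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);`, but the loop only guarantees that if every subject chain resolves a "/" object; state that policy invariant in the comment (or guard the dereference), and note that the `while (*p != '/') p--;` walk has no lower bound against `name`, which is safe for the "/proc/sys"-prefixed buffer built here but not for arbitrary callers of this static helper.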
59897 +diff -urNp linux-2.6.24.5/grsecurity/gracl_cap.c linux-2.6.24.5/grsecurity/gracl_cap.c
59898 +--- linux-2.6.24.5/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
59899 ++++ linux-2.6.24.5/grsecurity/gracl_cap.c 2008-03-26 23:01:12.000000000 -0400
59900 +@@ -0,0 +1,113 @@
59901 ++#include <linux/kernel.h>
59902 ++#include <linux/module.h>
59903 ++#include <linux/sched.h>
59904 ++#include <linux/capability.h>
59905 ++#include <linux/gracl.h>
59906 ++#include <linux/grsecurity.h>
59907 ++#include <linux/grinternal.h>
59908 ++
59909 ++static const char *captab_log[] = {
59910 ++ "CAP_CHOWN",
59911 ++ "CAP_DAC_OVERRIDE",
59912 ++ "CAP_DAC_READ_SEARCH",
59913 ++ "CAP_FOWNER",
59914 ++ "CAP_FSETID",
59915 ++ "CAP_KILL",
59916 ++ "CAP_SETGID",
59917 ++ "CAP_SETUID",
59918 ++ "CAP_SETPCAP",
59919 ++ "CAP_LINUX_IMMUTABLE",
59920 ++ "CAP_NET_BIND_SERVICE",
59921 ++ "CAP_NET_BROADCAST",
59922 ++ "CAP_NET_ADMIN",
59923 ++ "CAP_NET_RAW",
59924 ++ "CAP_IPC_LOCK",
59925 ++ "CAP_IPC_OWNER",
59926 ++ "CAP_SYS_MODULE",
59927 ++ "CAP_SYS_RAWIO",
59928 ++ "CAP_SYS_CHROOT",
59929 ++ "CAP_SYS_PTRACE",
59930 ++ "CAP_SYS_PACCT",
59931 ++ "CAP_SYS_ADMIN",
59932 ++ "CAP_SYS_BOOT",
59933 ++ "CAP_SYS_NICE",
59934 ++ "CAP_SYS_RESOURCE",
59935 ++ "CAP_SYS_TIME",
59936 ++ "CAP_SYS_TTY_CONFIG",
59937 ++ "CAP_MKNOD",
59938 ++ "CAP_LEASE",
59939 ++ "CAP_AUDIT_WRITE",
59940 ++ "CAP_AUDIT_CONTROL",
59941 ++ "CAP_SETFCAP"
59942 ++};
59943 ++
59944 ++EXPORT_SYMBOL(gr_task_is_capable);
59945 ++EXPORT_SYMBOL(gr_is_capable_nolog);
59946 ++
59947 ++int
59948 ++gr_task_is_capable(struct task_struct *task, const int cap)
59949 ++{
59950 ++ struct acl_subject_label *curracl;
59951 ++ __u32 cap_drop = 0, cap_mask = 0;
59952 ++
59953 ++ if (!gr_acl_is_enabled())
59954 ++ return 1;
59955 ++
59956 ++ curracl = task->acl;
59957 ++
59958 ++ cap_drop = curracl->cap_lower;
59959 ++ cap_mask = curracl->cap_mask;
59960 ++
59961 ++ while ((curracl = curracl->parent_subject)) {
59962 ++ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
59963 ++ cap_drop |= curracl->cap_lower & (1 << cap);
59964 ++ cap_mask |= curracl->cap_mask;
59965 ++ }
59966 ++
59967 ++ if (!cap_raised(cap_drop, cap))
59968 ++ return 1;
59969 ++
59970 ++ curracl = task->acl;
59971 ++
59972 ++ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
59973 ++ && cap_raised(task->cap_effective, cap)) {
59974 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
59975 ++ task->role->roletype, task->uid,
59976 ++ task->gid, task->exec_file ?
59977 ++ gr_to_filename(task->exec_file->f_dentry,
59978 ++ task->exec_file->f_vfsmnt) : curracl->filename,
59979 ++ curracl->filename, 0UL,
59980 ++ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
59981 ++ return 1;
59982 ++ }
59983 ++
59984 ++ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
59985 ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
59986 ++ return 0;
59987 ++}
59988 ++
59989 ++int
59990 ++gr_is_capable_nolog(const int cap)
59991 ++{
59992 ++ struct acl_subject_label *curracl;
59993 ++ __u32 cap_drop = 0, cap_mask = 0;
59994 ++
59995 ++ if (!gr_acl_is_enabled())
59996 ++ return 1;
59997 ++
59998 ++ curracl = current->acl;
59999 ++
60000 ++ cap_drop = curracl->cap_lower;
60001 ++ cap_mask = curracl->cap_mask;
60002 ++
60003 ++ while ((curracl = curracl->parent_subject)) {
60004 ++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
60005 ++ cap_mask |= curracl->cap_mask;
60006 ++ }
60007 ++
60008 ++ if (!cap_raised(cap_drop, cap))
60009 ++ return 1;
60010 ++
60011 ++ return 0;
60012 ++}
60013 ++
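Review bot: the inheritance mask in gr_is_capable_nolog appears inverted relative to gr_task_is_capable. The logged variant adds a parent's lowered bit only when the accumulated `cap_mask` does not yet cover the capability but the parent's `cap_mask` does, whereas the nolog variant computes `cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);`, which selects bits already covered by a child and not covered by the parent, the opposite condition. The two checks should agree, e.g. `cap_drop |= curracl->cap_lower & (~cap_mask & curracl->cap_mask);`, otherwise the unlogged path can reach a different verdict than the logged one for the same subject chain. Also, both functions shift `1 << cap` into a `__u32` before any range check on `cap`; the `cap < (sizeof(captab_log)/sizeof(captab_log[0]))` guard only protects the final log-table lookup, so a range check against the table size belongs at the top of both functions.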
60014 +diff -urNp linux-2.6.24.5/grsecurity/gracl_fs.c linux-2.6.24.5/grsecurity/gracl_fs.c
60015 +--- linux-2.6.24.5/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
60016 ++++ linux-2.6.24.5/grsecurity/gracl_fs.c 2008-03-26 20:21:09.000000000 -0400
60017 +@@ -0,0 +1,423 @@
60018 ++#include <linux/kernel.h>
60019 ++#include <linux/sched.h>
60020 ++#include <linux/types.h>
60021 ++#include <linux/fs.h>
60022 ++#include <linux/file.h>
60023 ++#include <linux/stat.h>
60024 ++#include <linux/grsecurity.h>
60025 ++#include <linux/grinternal.h>
60026 ++#include <linux/gracl.h>
60027 ++
60028 ++__u32
60029 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
60030 ++ const struct vfsmount * mnt)
60031 ++{
60032 ++ __u32 mode;
60033 ++
60034 ++ if (unlikely(!dentry->d_inode))
60035 ++ return GR_FIND;
60036 ++
60037 ++ mode =
60038 ++ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
60039 ++
60040 ++ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
60041 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
60042 ++ return mode;
60043 ++ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
60044 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
60045 ++ return 0;
60046 ++ } else if (unlikely(!(mode & GR_FIND)))
60047 ++ return 0;
60048 ++
60049 ++ return GR_FIND;
60050 ++}
60051 ++
60052 ++__u32
60053 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
60054 ++ const int fmode)
60055 ++{
60056 ++ __u32 reqmode = GR_FIND;
60057 ++ __u32 mode;
60058 ++
60059 ++ if (unlikely(!dentry->d_inode))
60060 ++ return reqmode;
60061 ++
60062 ++ if (unlikely(fmode & O_APPEND))
60063 ++ reqmode |= GR_APPEND;
60064 ++ else if (unlikely(fmode & FMODE_WRITE))
60065 ++ reqmode |= GR_WRITE;
60066 ++ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
60067 ++ reqmode |= GR_READ;
60068 ++
60069 ++ mode =
60070 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
60071 ++ mnt);
60072 ++
60073 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60074 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
60075 ++ reqmode & GR_READ ? " reading" : "",
60076 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60077 ++ GR_APPEND ? " appending" : "");
60078 ++ return reqmode;
60079 ++ } else
60080 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60081 ++ {
60082 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
60083 ++ reqmode & GR_READ ? " reading" : "",
60084 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60085 ++ GR_APPEND ? " appending" : "");
60086 ++ return 0;
60087 ++ } else if (unlikely((mode & reqmode) != reqmode))
60088 ++ return 0;
60089 ++
60090 ++ return reqmode;
60091 ++}
60092 ++
60093 ++__u32
60094 ++gr_acl_handle_creat(const struct dentry * dentry,
60095 ++ const struct dentry * p_dentry,
60096 ++ const struct vfsmount * p_mnt, const int fmode,
60097 ++ const int imode)
60098 ++{
60099 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
60100 ++ __u32 mode;
60101 ++
60102 ++ if (unlikely(fmode & O_APPEND))
60103 ++ reqmode |= GR_APPEND;
60104 ++ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
60105 ++ reqmode |= GR_READ;
60106 ++ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
60107 ++ reqmode |= GR_SETID;
60108 ++
60109 ++ mode =
60110 ++ gr_check_create(dentry, p_dentry, p_mnt,
60111 ++ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
60112 ++
60113 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60114 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
60115 ++ reqmode & GR_READ ? " reading" : "",
60116 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60117 ++ GR_APPEND ? " appending" : "");
60118 ++ return reqmode;
60119 ++ } else
60120 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60121 ++ {
60122 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
60123 ++ reqmode & GR_READ ? " reading" : "",
60124 ++ reqmode & GR_WRITE ? " writing" : reqmode &
60125 ++ GR_APPEND ? " appending" : "");
60126 ++ return 0;
60127 ++ } else if (unlikely((mode & reqmode) != reqmode))
60128 ++ return 0;
60129 ++
60130 ++ return reqmode;
60131 ++}
60132 ++
60133 ++__u32
60134 ++gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
60135 ++ const int fmode)
60136 ++{
60137 ++ __u32 mode, reqmode = GR_FIND;
60138 ++
60139 ++ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
60140 ++ reqmode |= GR_EXEC;
60141 ++ if (fmode & S_IWOTH)
60142 ++ reqmode |= GR_WRITE;
60143 ++ if (fmode & S_IROTH)
60144 ++ reqmode |= GR_READ;
60145 ++
60146 ++ mode =
60147 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
60148 ++ mnt);
60149 ++
60150 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
60151 ++ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
60152 ++ reqmode & GR_READ ? " reading" : "",
60153 ++ reqmode & GR_WRITE ? " writing" : "",
60154 ++ reqmode & GR_EXEC ? " executing" : "");
60155 ++ return reqmode;
60156 ++ } else
60157 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
60158 ++ {
60159 ++ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
60160 ++ reqmode & GR_READ ? " reading" : "",
60161 ++ reqmode & GR_WRITE ? " writing" : "",
60162 ++ reqmode & GR_EXEC ? " executing" : "");
60163 ++ return 0;
60164 ++ } else if (unlikely((mode & reqmode) != reqmode))
60165 ++ return 0;
60166 ++
60167 ++ return reqmode;
60168 ++}
60169 ++
60170 ++static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
60171 ++{
60172 ++ __u32 mode;
60173 ++
60174 ++ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
60175 ++
60176 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
60177 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
60178 ++ return mode;
60179 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
60180 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
60181 ++ return 0;
60182 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
60183 ++ return 0;
60184 ++
60185 ++ return (reqmode);
60186 ++}
60187 ++
60188 ++__u32
60189 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
60190 ++{
60191 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
60192 ++}
60193 ++
60194 ++__u32
60195 ++gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
60196 ++{
60197 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
60198 ++}
60199 ++
60200 ++__u32
60201 ++gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
60202 ++{
60203 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
60204 ++}
60205 ++
60206 ++__u32
60207 ++gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
60208 ++{
60209 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
60210 ++}
60211 ++
60212 ++__u32
60213 ++gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
60214 ++ mode_t mode)
60215 ++{
60216 ++ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
60217 ++ return 1;
60218 ++
60219 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
60220 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
60221 ++ GR_FCHMOD_ACL_MSG);
60222 ++ } else {
60223 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
60224 ++ }
60225 ++}
60226 ++
60227 ++__u32
60228 ++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
60229 ++ mode_t mode)
60230 ++{
60231 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
60232 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
60233 ++ GR_CHMOD_ACL_MSG);
60234 ++ } else {
60235 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
60236 ++ }
60237 ++}
60238 ++
60239 ++__u32
60240 ++gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
60241 ++{
60242 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
60243 ++}
60244 ++
60245 ++__u32
60246 ++gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
60247 ++{
60248 ++ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
60249 ++}
60250 ++
60251 ++__u32
60252 ++gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
60253 ++{
60254 ++ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
60255 ++ GR_UNIXCONNECT_ACL_MSG);
60256 ++}
60257 ++
60258 ++/* hardlinks require at minimum create permission,
60259 ++ any additional privilege required is based on the
60260 ++ privilege of the file being linked to
60261 ++*/
60262 ++__u32
60263 ++gr_acl_handle_link(const struct dentry * new_dentry,
60264 ++ const struct dentry * parent_dentry,
60265 ++ const struct vfsmount * parent_mnt,
60266 ++ const struct dentry * old_dentry,
60267 ++ const struct vfsmount * old_mnt, const char *to)
60268 ++{
60269 ++ __u32 mode;
60270 ++ __u32 needmode = GR_CREATE | GR_LINK;
60271 ++ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
60272 ++
60273 ++ mode =
60274 ++ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
60275 ++ old_mnt);
60276 ++
60277 ++ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
60278 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
60279 ++ return mode;
60280 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
60281 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
60282 ++ return 0;
60283 ++ } else if (unlikely((mode & needmode) != needmode))
60284 ++ return 0;
60285 ++
60286 ++ return 1;
60287 ++}
60288 ++
60289 ++__u32
60290 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
60291 ++ const struct dentry * parent_dentry,
60292 ++ const struct vfsmount * parent_mnt, const char *from)
60293 ++{
60294 ++ __u32 needmode = GR_WRITE | GR_CREATE;
60295 ++ __u32 mode;
60296 ++
60297 ++ mode =
60298 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
60299 ++ GR_CREATE | GR_AUDIT_CREATE |
60300 ++ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
60301 ++
60302 ++ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
60303 ++ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
60304 ++ return mode;
60305 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
60306 ++ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
60307 ++ return 0;
60308 ++ } else if (unlikely((mode & needmode) != needmode))
60309 ++ return 0;
60310 ++
60311 ++ return (GR_WRITE | GR_CREATE);
60312 ++}
60313 ++
60314 ++static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
60315 ++{
60316 ++ __u32 mode;
60317 ++
60318 ++ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
60319 ++
60320 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
60321 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
60322 ++ return mode;
60323 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
60324 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
60325 ++ return 0;
60326 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
60327 ++ return 0;
60328 ++
60329 ++ return (reqmode);
60330 ++}
60331 ++
60332 ++__u32
60333 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
60334 ++ const struct dentry * parent_dentry,
60335 ++ const struct vfsmount * parent_mnt,
60336 ++ const int mode)
60337 ++{
60338 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
60339 ++ if (unlikely(mode & (S_ISUID | S_ISGID)))
60340 ++ reqmode |= GR_SETID;
60341 ++
60342 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
60343 ++ reqmode, GR_MKNOD_ACL_MSG);
60344 ++}
60345 ++
60346 ++__u32
60347 ++gr_acl_handle_mkdir(const struct dentry *new_dentry,
60348 ++ const struct dentry *parent_dentry,
60349 ++ const struct vfsmount *parent_mnt)
60350 ++{
60351 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
60352 ++ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
60353 ++}
60354 ++
60355 ++#define RENAME_CHECK_SUCCESS(old, new) \
60356 ++ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
60357 ++ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
60358 ++
60359 ++int
60360 ++gr_acl_handle_rename(struct dentry *new_dentry,
60361 ++ struct dentry *parent_dentry,
60362 ++ const struct vfsmount *parent_mnt,
60363 ++ struct dentry *old_dentry,
60364 ++ struct inode *old_parent_inode,
60365 ++ struct vfsmount *old_mnt, const char *newname)
60366 ++{
60367 ++ __u32 comp1, comp2;
60368 ++ int error = 0;
60369 ++
60370 ++ if (unlikely(!gr_acl_is_enabled()))
60371 ++ return 0;
60372 ++
60373 ++ if (!new_dentry->d_inode) {
60374 ++ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
60375 ++ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
60376 ++ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
60377 ++ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
60378 ++ GR_DELETE | GR_AUDIT_DELETE |
60379 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
60380 ++ GR_SUPPRESS, old_mnt);
60381 ++ } else {
60382 ++ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
60383 ++ GR_CREATE | GR_DELETE |
60384 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
60385 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
60386 ++ GR_SUPPRESS, parent_mnt);
60387 ++ comp2 =
60388 ++ gr_search_file(old_dentry,
60389 ++ GR_READ | GR_WRITE | GR_AUDIT_READ |
60390 ++ GR_DELETE | GR_AUDIT_DELETE |
60391 ++ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
60392 ++ }
60393 ++
60394 ++ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
60395 ++ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
60396 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
60397 ++ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
60398 ++ && !(comp2 & GR_SUPPRESS)) {
60399 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
60400 ++ error = -EACCES;
60401 ++ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
60402 ++ error = -EACCES;
60403 ++
60404 ++ return error;
60405 ++}
60406 ++
60407 ++void
60408 ++gr_acl_handle_exit(void)
60409 ++{
60410 ++ u16 id;
60411 ++ char *rolename;
60412 ++ struct file *exec_file;
60413 ++
60414 ++ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
60415 ++ id = current->acl_role_id;
60416 ++ rolename = current->role->rolename;
60417 ++ gr_set_acls(1);
60418 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
60419 ++ }
60420 ++
60421 ++ write_lock(&grsec_exec_file_lock);
60422 ++ exec_file = current->exec_file;
60423 ++ current->exec_file = NULL;
60424 ++ write_unlock(&grsec_exec_file_lock);
60425 ++
60426 ++ if (exec_file)
60427 ++ fput(exec_file);
60428 ++}
60429 ++
60430 ++int
60431 ++gr_acl_handle_procpidmem(const struct task_struct *task)
60432 ++{
60433 ++ if (unlikely(!gr_acl_is_enabled()))
60434 ++ return 0;
60435 ++
60436 ++ if (task != current && task->acl->mode & GR_PROTPROCFD)
60437 ++ return -EACCES;
60438 ++
60439 ++ return 0;
60440 ++}
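Review bot: in gr_acl_handle_symlink the audit-success branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than `((mode & needmode) == needmode) && (mode & GR_AUDITS)`, so an audited subject that holds GR_WRITE but not GR_CREATE on the parent takes that branch and gets a nonzero `mode` back, which reads as a grant to any caller that treats only zero as denial; the condition should mirror generic_fs_create_handler a few lines below. The same hunk's RENAME_CHECK_SUCCESS macro tests only `GR_WRITE | GR_READ` even though every gr_search_file/gr_check_create request in gr_acl_handle_rename also asks for GR_CREATE and GR_DELETE, so a subject lacking create on the target or delete on the source still passes the rename check; either fold those bits into the macro or drop them from the requests so the intended policy is explicit.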
60441 +diff -urNp linux-2.6.24.5/grsecurity/gracl_ip.c linux-2.6.24.5/grsecurity/gracl_ip.c
60442 +--- linux-2.6.24.5/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
60443 ++++ linux-2.6.24.5/grsecurity/gracl_ip.c 2008-03-26 20:21:09.000000000 -0400
60444 +@@ -0,0 +1,313 @@
60445 ++#include <linux/kernel.h>
60446 ++#include <asm/uaccess.h>
60447 ++#include <asm/errno.h>
60448 ++#include <net/sock.h>
60449 ++#include <linux/file.h>
60450 ++#include <linux/fs.h>
60451 ++#include <linux/net.h>
60452 ++#include <linux/in.h>
60453 ++#include <linux/skbuff.h>
60454 ++#include <linux/ip.h>
60455 ++#include <linux/udp.h>
60456 ++#include <linux/smp_lock.h>
60457 ++#include <linux/types.h>
60458 ++#include <linux/sched.h>
60459 ++#include <linux/netdevice.h>
60460 ++#include <linux/inetdevice.h>
60461 ++#include <linux/gracl.h>
60462 ++#include <linux/grsecurity.h>
60463 ++#include <linux/grinternal.h>
60464 ++
60465 ++#define GR_BIND 0x01
60466 ++#define GR_CONNECT 0x02
60467 ++#define GR_INVERT 0x04
60468 ++
60469 ++static const char * gr_protocols[256] = {
60470 ++ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
60471 ++ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
60472 ++ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
60473 ++ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
60474 ++ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
60475 ++ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
60476 ++ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
60477 ++ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
60478 ++ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
60479 ++ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
60480 ++ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
60481 ++ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
60482 ++ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
60483 ++ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
60484 ++ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
60485 ++ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
60486 ++ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
60487 ++ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
60488 ++ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
60489 ++ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
60490 ++ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
60491 ++ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
60492 ++ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
60493 ++ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
60494 ++ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
60495 ++ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
60496 ++ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
60497 ++ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
60498 ++ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
60499 ++ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
60500 ++ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
60501 ++ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
60502 ++ };
60503 ++
60504 ++static const char * gr_socktypes[11] = {
60505 ++ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
60506 ++ "unknown:7", "unknown:8", "unknown:9", "packet"
60507 ++ };
60508 ++
60509 ++const char *
60510 ++gr_proto_to_name(unsigned char proto)
60511 ++{
60512 ++ return gr_protocols[proto];
60513 ++}
60514 ++
60515 ++const char *
60516 ++gr_socktype_to_name(unsigned char type)
60517 ++{
60518 ++ return gr_socktypes[type];
60519 ++}
60520 ++
60521 ++int
60522 ++gr_search_socket(const int domain, const int type, const int protocol)
60523 ++{
60524 ++ struct acl_subject_label *curr;
60525 ++
60526 ++ if (unlikely(!gr_acl_is_enabled()))
60527 ++ goto exit;
60528 ++
60529 ++ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
60530 ++ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
60531 ++ goto exit; // let the kernel handle it
60532 ++
60533 ++ curr = current->acl;
60534 ++
60535 ++ if (!curr->ips)
60536 ++ goto exit;
60537 ++
60538 ++ if ((curr->ip_type & (1 << type)) &&
60539 ++ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
60540 ++ goto exit;
60541 ++
60542 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
60543 ++ /* we don't place acls on raw sockets , and sometimes
60544 ++ dgram/ip sockets are opened for ioctl and not
60545 ++ bind/connect, so we'll fake a bind learn log */
60546 ++ if (type == SOCK_RAW || type == SOCK_PACKET) {
60547 ++ __u32 fakeip = 0;
60548 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60549 ++ current->role->roletype, current->uid,
60550 ++ current->gid, current->exec_file ?
60551 ++ gr_to_filename(current->exec_file->f_dentry,
60552 ++ current->exec_file->f_vfsmnt) :
60553 ++ curr->filename, curr->filename,
60554 ++ NIPQUAD(fakeip), 0, type,
60555 ++ protocol, GR_CONNECT,
60556 ++NIPQUAD(current->signal->curr_ip));
60557 ++ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
60558 ++ __u32 fakeip = 0;
60559 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60560 ++ current->role->roletype, current->uid,
60561 ++ current->gid, current->exec_file ?
60562 ++ gr_to_filename(current->exec_file->f_dentry,
60563 ++ current->exec_file->f_vfsmnt) :
60564 ++ curr->filename, curr->filename,
60565 ++ NIPQUAD(fakeip), 0, type,
60566 ++ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
60567 ++ }
60568 ++ /* we'll log when they use connect or bind */
60569 ++ goto exit;
60570 ++ }
60571 ++
60572 ++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
60573 ++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
60574 ++
60575 ++ return 0;
60576 ++ exit:
60577 ++ return 1;
60578 ++}
60579 ++
60580 ++int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
60581 ++{
60582 ++ if ((ip->mode & mode) &&
60583 ++ (ip_port >= ip->low) &&
60584 ++ (ip_port <= ip->high) &&
60585 ++ ((ntohl(ip_addr) & our_netmask) ==
60586 ++ (ntohl(our_addr) & our_netmask))
60587 ++ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
60588 ++ && (ip->type & (1 << type))) {
60589 ++ if (ip->mode & GR_INVERT)
60590 ++ return 2; // specifically denied
60591 ++ else
60592 ++ return 1; // allowed
60593 ++ }
60594 ++
60595 ++ return 0; // not specifically allowed, may continue parsing
60596 ++}
60597 ++
60598 ++static int
60599 ++gr_search_connectbind(const int mode, const struct sock *sk,
60600 ++ const struct sockaddr_in *addr, const int type)
60601 ++{
60602 ++ char iface[IFNAMSIZ] = {0};
60603 ++ struct acl_subject_label *curr;
60604 ++ struct acl_ip_label *ip;
60605 ++ struct net_device *dev;
60606 ++ struct in_device *idev;
60607 ++ unsigned long i;
60608 ++ int ret;
60609 ++ __u32 ip_addr = 0;
60610 ++ __u32 our_addr;
60611 ++ __u32 our_netmask;
60612 ++ char *p;
60613 ++ __u16 ip_port = 0;
60614 ++
60615 ++ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
60616 ++ return 1;
60617 ++
60618 ++ curr = current->acl;
60619 ++
60620 ++ if (!curr->ips)
60621 ++ return 1;
60622 ++
60623 ++ ip_addr = addr->sin_addr.s_addr;
60624 ++ ip_port = ntohs(addr->sin_port);
60625 ++
60626 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
60627 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
60628 ++ current->role->roletype, current->uid,
60629 ++ current->gid, current->exec_file ?
60630 ++ gr_to_filename(current->exec_file->f_dentry,
60631 ++ current->exec_file->f_vfsmnt) :
60632 ++ curr->filename, curr->filename,
60633 ++ NIPQUAD(ip_addr), ip_port, type,
60634 ++ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
60635 ++ return 1;
60636 ++ }
60637 ++
60638 ++ for (i = 0; i < curr->ip_num; i++) {
60639 ++ ip = *(curr->ips + i);
60640 ++ if (ip->iface != NULL) {
60641 ++ strncpy(iface, ip->iface, IFNAMSIZ - 1);
60642 ++ p = strchr(iface, ':');
60643 ++ if (p != NULL)
60644 ++ *p = '\0';
60645 ++ dev = dev_get_by_name(sk->sk_net, iface);
60646 ++ if (dev == NULL)
60647 ++ continue;
60648 ++ idev = in_dev_get(dev);
60649 ++ if (idev == NULL) {
60650 ++ dev_put(dev);
60651 ++ continue;
60652 ++ }
60653 ++ rcu_read_lock();
60654 ++ for_ifa(idev) {
60655 ++ if (!strcmp(ip->iface, ifa->ifa_label)) {
60656 ++ our_addr = ifa->ifa_address;
60657 ++ our_netmask = 0xffffffff;
60658 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
60659 ++ if (ret == 1) {
60660 ++ rcu_read_unlock();
60661 ++ in_dev_put(idev);
60662 ++ dev_put(dev);
60663 ++ return 1;
60664 ++ } else if (ret == 2) {
60665 ++ rcu_read_unlock();
60666 ++ in_dev_put(idev);
60667 ++ dev_put(dev);
60668 ++ goto denied;
60669 ++ }
60670 ++ }
60671 ++ } endfor_ifa(idev);
60672 ++ rcu_read_unlock();
60673 ++ in_dev_put(idev);
60674 ++ dev_put(dev);
60675 ++ } else {
60676 ++ our_addr = ip->addr;
60677 ++ our_netmask = ip->netmask;
60678 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
60679 ++ if (ret == 1)
60680 ++ return 1;
60681 ++ else if (ret == 2)
60682 ++ goto denied;
60683 ++ }
60684 ++ }
60685 ++
60686 ++denied:
60687 ++ if (mode == GR_BIND)
60688 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
60689 ++ else if (mode == GR_CONNECT)
60690 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
60691 ++
60692 ++ return 0;
60693 ++}
60694 ++
60695 ++int
60696 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
60697 ++{
60698 ++ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
60699 ++}
60700 ++
60701 ++int
60702 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
60703 ++{
60704 ++ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
60705 ++}
60706 ++
60707 ++int gr_search_listen(const struct socket *sock)
60708 ++{
60709 ++ struct sock *sk = sock->sk;
60710 ++ struct sockaddr_in addr;
60711 ++
60712 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
60713 ++ addr.sin_port = inet_sk(sk)->sport;
60714 ++
60715 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
60716 ++}
60717 ++
60718 ++int gr_search_accept(const struct socket *sock)
60719 ++{
60720 ++ struct sock *sk = sock->sk;
60721 ++ struct sockaddr_in addr;
60722 ++
60723 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
60724 ++ addr.sin_port = inet_sk(sk)->sport;
60725 ++
60726 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
60727 ++}
60728 ++
60729 ++int
60730 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
60731 ++{
60732 ++ if (addr)
60733 ++ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
60734 ++ else {
60735 ++ struct sockaddr_in sin;
60736 ++ const struct inet_sock *inet = inet_sk(sk);
60737 ++
60738 ++ sin.sin_addr.s_addr = inet->daddr;
60739 ++ sin.sin_port = inet->dport;
60740 ++
60741 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
60742 ++ }
60743 ++}
60744 ++
60745 ++int
60746 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
60747 ++{
60748 ++ struct sockaddr_in sin;
60749 ++
60750 ++ if (unlikely(skb->len < sizeof (struct udphdr)))
60751 ++ return 1; // skip this packet
60752 ++
60753 ++ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
60754 ++ sin.sin_port = udp_hdr(skb)->source;
60755 ++
60756 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
60757 ++}
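Review bot: gr_proto_to_name and gr_socktype_to_name index fixed-size tables with an unchecked `unsigned char`, and gr_socktypes has only 11 entries, so any caller reaching them with a type not already validated against SOCK_MAX reads past the array; gr_search_socket does guard with `type >= SOCK_MAX`, but both helpers are non-static, so the bounds check belongs in the helpers (return a fixed "unknown" string for out-of-range values) rather than in each caller. Two smaller points in this hunk: the gr_protocols entry for 134 is misspelled "unkown:134", and gr_search_listen and gr_search_accept have byte-identical bodies that could share one static helper.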
60758 +diff -urNp linux-2.6.24.5/grsecurity/gracl_learn.c linux-2.6.24.5/grsecurity/gracl_learn.c
60759 +--- linux-2.6.24.5/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
60760 ++++ linux-2.6.24.5/grsecurity/gracl_learn.c 2008-03-26 20:21:09.000000000 -0400
60761 +@@ -0,0 +1,211 @@
60762 ++#include <linux/kernel.h>
60763 ++#include <linux/mm.h>
60764 ++#include <linux/sched.h>
60765 ++#include <linux/poll.h>
60766 ++#include <linux/smp_lock.h>
60767 ++#include <linux/string.h>
60768 ++#include <linux/file.h>
60769 ++#include <linux/types.h>
60770 ++#include <linux/vmalloc.h>
60771 ++#include <linux/grinternal.h>
60772 ++
60773 ++extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
60774 ++ size_t count, loff_t *ppos);
60775 ++extern int gr_acl_is_enabled(void);
60776 ++
60777 ++static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
60778 ++static int gr_learn_attached;
60779 ++
60780 ++/* use a 512k buffer */
60781 ++#define LEARN_BUFFER_SIZE (512 * 1024)
60782 ++
60783 ++static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
60784 ++static DECLARE_MUTEX(gr_learn_user_sem);
60785 ++
60786 ++/* we need to maintain two buffers, so that the kernel context of grlearn
60787 ++ uses a semaphore around the userspace copying, and the other kernel contexts
60788 ++ use a spinlock when copying into the buffer, since they cannot sleep
60789 ++*/
60790 ++static char *learn_buffer;
60791 ++static char *learn_buffer_user;
60792 ++static int learn_buffer_len;
60793 ++static int learn_buffer_user_len;
60794 ++
60795 ++static ssize_t
60796 ++read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
60797 ++{
60798 ++ DECLARE_WAITQUEUE(wait, current);
60799 ++ ssize_t retval = 0;
60800 ++
60801 ++ add_wait_queue(&learn_wait, &wait);
60802 ++ set_current_state(TASK_INTERRUPTIBLE);
60803 ++ do {
60804 ++ down(&gr_learn_user_sem);
60805 ++ spin_lock(&gr_learn_lock);
60806 ++ if (learn_buffer_len)
60807 ++ break;
60808 ++ spin_unlock(&gr_learn_lock);
60809 ++ up(&gr_learn_user_sem);
60810 ++ if (file->f_flags & O_NONBLOCK) {
60811 ++ retval = -EAGAIN;
60812 ++ goto out;
60813 ++ }
60814 ++ if (signal_pending(current)) {
60815 ++ retval = -ERESTARTSYS;
60816 ++ goto out;
60817 ++ }
60818 ++
60819 ++ schedule();
60820 ++ } while (1);
60821 ++
60822 ++ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
60823 ++ learn_buffer_user_len = learn_buffer_len;
60824 ++ retval = learn_buffer_len;
60825 ++ learn_buffer_len = 0;
60826 ++
60827 ++ spin_unlock(&gr_learn_lock);
60828 ++
60829 ++ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
60830 ++ retval = -EFAULT;
60831 ++
60832 ++ up(&gr_learn_user_sem);
60833 ++out:
60834 ++ set_current_state(TASK_RUNNING);
60835 ++ remove_wait_queue(&learn_wait, &wait);
60836 ++ return retval;
60837 ++}
60838 ++
60839 ++static unsigned int
60840 ++poll_learn(struct file * file, poll_table * wait)
60841 ++{
60842 ++ poll_wait(file, &learn_wait, wait);
60843 ++
60844 ++ if (learn_buffer_len)
60845 ++ return (POLLIN | POLLRDNORM);
60846 ++
60847 ++ return 0;
60848 ++}
60849 ++
60850 ++void
60851 ++gr_clear_learn_entries(void)
60852 ++{
60853 ++ char *tmp;
60854 ++
60855 ++ down(&gr_learn_user_sem);
60856 ++ if (learn_buffer != NULL) {
60857 ++ spin_lock(&gr_learn_lock);
60858 ++ tmp = learn_buffer;
60859 ++ learn_buffer = NULL;
60860 ++ spin_unlock(&gr_learn_lock);
60861 ++ vfree(learn_buffer);
60862 ++ }
60863 ++ if (learn_buffer_user != NULL) {
60864 ++ vfree(learn_buffer_user);
60865 ++ learn_buffer_user = NULL;
60866 ++ }
60867 ++ learn_buffer_len = 0;
60868 ++ up(&gr_learn_user_sem);
60869 ++
60870 ++ return;
60871 ++}
60872 ++
60873 ++void
60874 ++gr_add_learn_entry(const char *fmt, ...)
60875 ++{
60876 ++ va_list args;
60877 ++ unsigned int len;
60878 ++
60879 ++ if (!gr_learn_attached)
60880 ++ return;
60881 ++
60882 ++ spin_lock(&gr_learn_lock);
60883 ++
60884 ++ /* leave a gap at the end so we know when it's "full" but don't have to
60885 ++ compute the exact length of the string we're trying to append
60886 ++ */
60887 ++ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
60888 ++ spin_unlock(&gr_learn_lock);
60889 ++ wake_up_interruptible(&learn_wait);
60890 ++ return;
60891 ++ }
60892 ++ if (learn_buffer == NULL) {
60893 ++ spin_unlock(&gr_learn_lock);
60894 ++ return;
60895 ++ }
60896 ++
60897 ++ va_start(args, fmt);
60898 ++ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
60899 ++ va_end(args);
60900 ++
60901 ++ learn_buffer_len += len + 1;
60902 ++
60903 ++ spin_unlock(&gr_learn_lock);
60904 ++ wake_up_interruptible(&learn_wait);
60905 ++
60906 ++ return;
60907 ++}
60908 ++
60909 ++static int
60910 ++open_learn(struct inode *inode, struct file *file)
60911 ++{
60912 ++ if (file->f_mode & FMODE_READ && gr_learn_attached)
60913 ++ return -EBUSY;
60914 ++ if (file->f_mode & FMODE_READ) {
60915 ++ int retval = 0;
60916 ++ down(&gr_learn_user_sem);
60917 ++ if (learn_buffer == NULL)
60918 ++ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
60919 ++ if (learn_buffer_user == NULL)
60920 ++ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
60921 ++ if (learn_buffer == NULL) {
60922 ++ retval = -ENOMEM;
60923 ++ goto out_error;
60924 ++ }
60925 ++ if (learn_buffer_user == NULL) {
60926 ++ retval = -ENOMEM;
60927 ++ goto out_error;
60928 ++ }
60929 ++ learn_buffer_len = 0;
60930 ++ learn_buffer_user_len = 0;
60931 ++ gr_learn_attached = 1;
60932 ++out_error:
60933 ++ up(&gr_learn_user_sem);
60934 ++ return retval;
60935 ++ }
60936 ++ return 0;
60937 ++}
60938 ++
60939 ++static int
60940 ++close_learn(struct inode *inode, struct file *file)
60941 ++{
60942 ++ char *tmp;
60943 ++
60944 ++ if (file->f_mode & FMODE_READ) {
60945 ++ down(&gr_learn_user_sem);
60946 ++ if (learn_buffer != NULL) {
60947 ++ spin_lock(&gr_learn_lock);
60948 ++ tmp = learn_buffer;
60949 ++ learn_buffer = NULL;
60950 ++ spin_unlock(&gr_learn_lock);
60951 ++ vfree(tmp);
60952 ++ }
60953 ++ if (learn_buffer_user != NULL) {
60954 ++ vfree(learn_buffer_user);
60955 ++ learn_buffer_user = NULL;
60956 ++ }
60957 ++ learn_buffer_len = 0;
60958 ++ learn_buffer_user_len = 0;
60959 ++ gr_learn_attached = 0;
60960 ++ up(&gr_learn_user_sem);
60961 ++ }
60962 ++
60963 ++ return 0;
60964 ++}
60965 ++
60966 ++struct file_operations grsec_fops = {
60967 ++ .read = read_learn,
60968 ++ .write = write_grsec_handler,
60969 ++ .open = open_learn,
60970 ++ .release = close_learn,
60971 ++ .poll = poll_learn,
60972 ++};
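Review bot: gr_clear_learn_entries copies learn_buffer into `tmp`, sets learn_buffer to NULL under the spinlock, and then calls `vfree(learn_buffer)`, which is now vfree(NULL) and a no-op, so the 512k buffer leaks every time entries are cleared; it should be `vfree(tmp)` exactly as close_learn does later in the same file. In read_learn, set_current_state(TASK_INTERRUPTIBLE) is called once before the do/while loop, so if schedule() returns without data the task is already TASK_RUNNING and every subsequent schedule() returns immediately, spinning on the semaphore and spinlock until data or a signal arrives; move the set_current_state call to the top of the loop body, before the length check. In gr_add_learn_entry, `learn_buffer_len += len + 1` uses the unclamped vsnprintf return value, so one entry longer than the 16384-byte headroom would push the counter past LEARN_BUFFER_SIZE and read_learn's memcpy would then copy beyond both buffers; clamp `len` to the space remaining.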
60973 +diff -urNp linux-2.6.24.5/grsecurity/gracl_res.c linux-2.6.24.5/grsecurity/gracl_res.c
60974 +--- linux-2.6.24.5/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
60975 ++++ linux-2.6.24.5/grsecurity/gracl_res.c 2008-03-26 20:21:09.000000000 -0400
60976 +@@ -0,0 +1,45 @@
60977 ++#include <linux/kernel.h>
60978 ++#include <linux/sched.h>
60979 ++#include <linux/gracl.h>
60980 ++#include <linux/grinternal.h>
60981 ++
60982 ++static const char *restab_log[] = {
60983 ++ [RLIMIT_CPU] = "RLIMIT_CPU",
60984 ++ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
60985 ++ [RLIMIT_DATA] = "RLIMIT_DATA",
60986 ++ [RLIMIT_STACK] = "RLIMIT_STACK",
60987 ++ [RLIMIT_CORE] = "RLIMIT_CORE",
60988 ++ [RLIMIT_RSS] = "RLIMIT_RSS",
60989 ++ [RLIMIT_NPROC] = "RLIMIT_NPROC",
60990 ++ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
60991 ++ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
60992 ++ [RLIMIT_AS] = "RLIMIT_AS",
60993 ++ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
60994 ++ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
60995 ++};
60996 ++
60997 ++void
60998 ++gr_log_resource(const struct task_struct *task,
60999 ++ const int res, const unsigned long wanted, const int gt)
61000 ++{
61001 ++ if (res == RLIMIT_NPROC &&
61002 ++ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
61003 ++ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
61004 ++ return;
61005 ++ else if (res == RLIMIT_MEMLOCK &&
61006 ++ cap_raised(task->cap_effective, CAP_IPC_LOCK))
61007 ++ return;
61008 ++
61009 ++ if (!gr_acl_is_enabled() && !grsec_resource_logging)
61010 ++ return;
61011 ++
61012 ++ preempt_disable();
61013 ++
61014 ++ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
61015 ++ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
61016 ++ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
61017 ++ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
61018 ++ preempt_enable_no_resched();
61019 ++
61020 ++ return;
61021 ++}
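Review bot: restab_log is sized by its last initializer, `[RLIMIT_LOCKS + 1]`, but gr_log_resource indexes it with an unchecked `res`, so any resource number above RLIMIT_LOCKS + 1 (the kernel defines several limits after RLIMIT_LOCKS) reads past the array and passes an out-of-bounds pointer to gr_log_res_ulong2_str as the name string; either size the array `[RLIM_NLIMITS]` with every limit named or add `if (res < 0 || res >= ARRAY_SIZE(restab_log)) return;` before the lookup. The `[RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"` slot also collides with the kernel's own RLIMIT_SIGPENDING index, so a log for that limit would be mislabelled; the grsecurity pseudo-limit needs an index past RLIM_NLIMITS. Minor: preempt_enable_no_resched() is an odd pairing for preempt_disable() in a logging path; plain preempt_enable() is the expected form.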
61022 +diff -urNp linux-2.6.24.5/grsecurity/gracl_segv.c linux-2.6.24.5/grsecurity/gracl_segv.c
61023 +--- linux-2.6.24.5/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
61024 ++++ linux-2.6.24.5/grsecurity/gracl_segv.c 2008-03-26 20:21:09.000000000 -0400
61025 +@@ -0,0 +1,301 @@
61026 ++#include <linux/kernel.h>
61027 ++#include <linux/mm.h>
61028 ++#include <asm/uaccess.h>
61029 ++#include <asm/errno.h>
61030 ++#include <asm/mman.h>
61031 ++#include <net/sock.h>
61032 ++#include <linux/file.h>
61033 ++#include <linux/fs.h>
61034 ++#include <linux/net.h>
61035 ++#include <linux/in.h>
61036 ++#include <linux/smp_lock.h>
61037 ++#include <linux/slab.h>
61038 ++#include <linux/types.h>
61039 ++#include <linux/sched.h>
61040 ++#include <linux/timer.h>
61041 ++#include <linux/gracl.h>
61042 ++#include <linux/grsecurity.h>
61043 ++#include <linux/grinternal.h>
61044 ++
61045 ++static struct crash_uid *uid_set;
61046 ++static unsigned short uid_used;
61047 ++static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
61048 ++extern rwlock_t gr_inode_lock;
61049 ++extern struct acl_subject_label *
61050 ++ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
61051 ++ struct acl_role_label *role);
61052 ++extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
61053 ++
61054 ++int
61055 ++gr_init_uidset(void)
61056 ++{
61057 ++ uid_set =
61058 ++ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
61059 ++ uid_used = 0;
61060 ++
61061 ++ return uid_set ? 1 : 0;
61062 ++}
61063 ++
61064 ++void
61065 ++gr_free_uidset(void)
61066 ++{
61067 ++ if (uid_set)
61068 ++ kfree(uid_set);
61069 ++
61070 ++ return;
61071 ++}
61072 ++
61073 ++int
61074 ++gr_find_uid(const uid_t uid)
61075 ++{
61076 ++ struct crash_uid *tmp = uid_set;
61077 ++ uid_t buid;
61078 ++ int low = 0, high = uid_used - 1, mid;
61079 ++
61080 ++ while (high >= low) {
61081 ++ mid = (low + high) >> 1;
61082 ++ buid = tmp[mid].uid;
61083 ++ if (buid == uid)
61084 ++ return mid;
61085 ++ if (buid > uid)
61086 ++ high = mid - 1;
61087 ++ if (buid < uid)
61088 ++ low = mid + 1;
61089 ++ }
61090 ++
61091 ++ return -1;
61092 ++}
61093 ++
61094 ++static __inline__ void
61095 ++gr_insertsort(void)
61096 ++{
61097 ++ unsigned short i, j;
61098 ++ struct crash_uid index;
61099 ++
61100 ++ for (i = 1; i < uid_used; i++) {
61101 ++ index = uid_set[i];
61102 ++ j = i;
61103 ++ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
61104 ++ uid_set[j] = uid_set[j - 1];
61105 ++ j--;
61106 ++ }
61107 ++ uid_set[j] = index;
61108 ++ }
61109 ++
61110 ++ return;
61111 ++}
61112 ++
61113 ++static __inline__ void
61114 ++gr_insert_uid(const uid_t uid, const unsigned long expires)
61115 ++{
61116 ++ int loc;
61117 ++
61118 ++ if (uid_used == GR_UIDTABLE_MAX)
61119 ++ return;
61120 ++
61121 ++ loc = gr_find_uid(uid);
61122 ++
61123 ++ if (loc >= 0) {
61124 ++ uid_set[loc].expires = expires;
61125 ++ return;
61126 ++ }
61127 ++
61128 ++ uid_set[uid_used].uid = uid;
61129 ++ uid_set[uid_used].expires = expires;
61130 ++ uid_used++;
61131 ++
61132 ++ gr_insertsort();
61133 ++
61134 ++ return;
61135 ++}
61136 ++
61137 ++void
61138 ++gr_remove_uid(const unsigned short loc)
61139 ++{
61140 ++ unsigned short i;
61141 ++
61142 ++ for (i = loc + 1; i < uid_used; i++)
61143 ++ uid_set[i - 1] = uid_set[i];
61144 ++
61145 ++ uid_used--;
61146 ++
61147 ++ return;
61148 ++}
61149 ++
61150 ++int
61151 ++gr_check_crash_uid(const uid_t uid)
61152 ++{
61153 ++ int loc;
61154 ++ int ret = 0;
61155 ++
61156 ++ if (unlikely(!gr_acl_is_enabled()))
61157 ++ return 0;
61158 ++
61159 ++ spin_lock(&gr_uid_lock);
61160 ++ loc = gr_find_uid(uid);
61161 ++
61162 ++ if (loc < 0)
61163 ++ goto out_unlock;
61164 ++
61165 ++ if (time_before_eq(uid_set[loc].expires, get_seconds()))
61166 ++ gr_remove_uid(loc);
61167 ++ else
61168 ++ ret = 1;
61169 ++
61170 ++out_unlock:
61171 ++ spin_unlock(&gr_uid_lock);
61172 ++ return ret;
61173 ++}
61174 ++
61175 ++static __inline__ int
61176 ++proc_is_setxid(const struct task_struct *task)
61177 ++{
61178 ++ if (task->uid != task->euid || task->uid != task->suid ||
61179 ++ task->uid != task->fsuid)
61180 ++ return 1;
61181 ++ if (task->gid != task->egid || task->gid != task->sgid ||
61182 ++ task->gid != task->fsgid)
61183 ++ return 1;
61184 ++
61185 ++ return 0;
61186 ++}
61187 ++static __inline__ int
61188 ++gr_fake_force_sig(int sig, struct task_struct *t)
61189 ++{
61190 ++ unsigned long int flags;
61191 ++ int ret, blocked, ignored;
61192 ++ struct k_sigaction *action;
61193 ++
61194 ++ spin_lock_irqsave(&t->sighand->siglock, flags);
61195 ++ action = &t->sighand->action[sig-1];
61196 ++ ignored = action->sa.sa_handler == SIG_IGN;
61197 ++ blocked = sigismember(&t->blocked, sig);
61198 ++ if (blocked || ignored) {
61199 ++ action->sa.sa_handler = SIG_DFL;
61200 ++ if (blocked) {
61201 ++ sigdelset(&t->blocked, sig);
61202 ++ recalc_sigpending_and_wake(t);
61203 ++ }
61204 ++ }
61205 ++ ret = specific_send_sig_info(sig, (void*)1L, t);
61206 ++ spin_unlock_irqrestore(&t->sighand->siglock, flags);
61207 ++
61208 ++ return ret;
61209 ++}
61210 ++
61211 ++void
61212 ++gr_handle_crash(struct task_struct *task, const int sig)
61213 ++{
61214 ++ struct acl_subject_label *curr;
61215 ++ struct acl_subject_label *curr2;
61216 ++ struct task_struct *tsk, *tsk2;
61217 ++
61218 ++ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
61219 ++ return;
61220 ++
61221 ++ if (unlikely(!gr_acl_is_enabled()))
61222 ++ return;
61223 ++
61224 ++ curr = task->acl;
61225 ++
61226 ++ if (!(curr->resmask & (1 << GR_CRASH_RES)))
61227 ++ return;
61228 ++
61229 ++ if (time_before_eq(curr->expires, get_seconds())) {
61230 ++ curr->expires = 0;
61231 ++ curr->crashes = 0;
61232 ++ }
61233 ++
61234 ++ curr->crashes++;
61235 ++
61236 ++ if (!curr->expires)
61237 ++ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
61238 ++
61239 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
61240 ++ time_after(curr->expires, get_seconds())) {
61241 ++ if (task->uid && proc_is_setxid(task)) {
61242 ++ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
61243 ++ spin_lock(&gr_uid_lock);
61244 ++ gr_insert_uid(task->uid, curr->expires);
61245 ++ spin_unlock(&gr_uid_lock);
61246 ++ curr->expires = 0;
61247 ++ curr->crashes = 0;
61248 ++ read_lock(&tasklist_lock);
61249 ++ do_each_thread(tsk2, tsk) {
61250 ++ if (tsk != task && tsk->uid == task->uid)
61251 ++ gr_fake_force_sig(SIGKILL, tsk);
61252 ++ } while_each_thread(tsk2, tsk);
61253 ++ read_unlock(&tasklist_lock);
61254 ++ } else {
61255 ++ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
61256 ++ read_lock(&tasklist_lock);
61257 ++ do_each_thread(tsk2, tsk) {
61258 ++ if (likely(tsk != task)) {
61259 ++ curr2 = tsk->acl;
61260 ++
61261 ++ if (curr2->device == curr->device &&
61262 ++ curr2->inode == curr->inode)
61263 ++ gr_fake_force_sig(SIGKILL, tsk);
61264 ++ }
61265 ++ } while_each_thread(tsk2, tsk);
61266 ++ read_unlock(&tasklist_lock);
61267 ++ }
61268 ++ }
61269 ++
61270 ++ return;
61271 ++}
61272 ++
61273 ++int
61274 ++gr_check_crash_exec(const struct file *filp)
61275 ++{
61276 ++ struct acl_subject_label *curr;
61277 ++
61278 ++ if (unlikely(!gr_acl_is_enabled()))
61279 ++ return 0;
61280 ++
61281 ++ read_lock(&gr_inode_lock);
61282 ++ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
61283 ++ filp->f_dentry->d_inode->i_sb->s_dev,
61284 ++ current->role);
61285 ++ read_unlock(&gr_inode_lock);
61286 ++
61287 ++ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
61288 ++ (!curr->crashes && !curr->expires))
61289 ++ return 0;
61290 ++
61291 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
61292 ++ time_after(curr->expires, get_seconds()))
61293 ++ return 1;
61294 ++ else if (time_before_eq(curr->expires, get_seconds())) {
61295 ++ curr->crashes = 0;
61296 ++ curr->expires = 0;
61297 ++ }
61298 ++
61299 ++ return 0;
61300 ++}
61301 ++
61302 ++void
61303 ++gr_handle_alertkill(struct task_struct *task)
61304 ++{
61305 ++ struct acl_subject_label *curracl;
61306 ++ __u32 curr_ip;
61307 ++ struct task_struct *p, *p2;
61308 ++
61309 ++ if (unlikely(!gr_acl_is_enabled()))
61310 ++ return;
61311 ++
61312 ++ curracl = task->acl;
61313 ++ curr_ip = task->signal->curr_ip;
61314 ++
61315 ++ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
61316 ++ read_lock(&tasklist_lock);
61317 ++ do_each_thread(p2, p) {
61318 ++ if (p->signal->curr_ip == curr_ip)
61319 ++ gr_fake_force_sig(SIGKILL, p);
61320 ++ } while_each_thread(p2, p);
61321 ++ read_unlock(&tasklist_lock);
61322 ++ } else if (curracl->mode & GR_KILLPROC)
61323 ++ gr_fake_force_sig(SIGKILL, task);
61324 ++
61325 ++ return;
61326 ++}
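Review bot: `gr_handle_crash` (and `gr_check_crash_exec` in the same hunk) read-modify-write `curr->crashes` and `curr->expires` on a shared `acl_subject_label` with no lock held; `gr_uid_lock` only guards the `gr_insert_uid` call, so two processes running under the same subject label that crash concurrently can lose an increment or each re-arm `expires`, which makes the per-subject crash threshold softer than the configured `rlim_cur`. Either take `gr_uid_lock` (or a dedicated lock) around the counter update or make `crashes` an `atomic_t`. Two smaller points: `static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;` should be `static DEFINE_SPINLOCK(gr_uid_lock);` (the old initialiser is deprecated), and `gr_insert_uid` returns silently when `uid_used == GR_UIDTABLE_MAX`, so once the table is full a ban is logged by `gr_log_crash1` but never actually recorded; a log line for the dropped entry would make that state visible to the administrator.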
61327 +diff -urNp linux-2.6.24.5/grsecurity/gracl_shm.c linux-2.6.24.5/grsecurity/gracl_shm.c
61328 +--- linux-2.6.24.5/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
61329 ++++ linux-2.6.24.5/grsecurity/gracl_shm.c 2008-03-26 20:21:09.000000000 -0400
61330 +@@ -0,0 +1,33 @@
61331 ++#include <linux/kernel.h>
61332 ++#include <linux/mm.h>
61333 ++#include <linux/sched.h>
61334 ++#include <linux/file.h>
61335 ++#include <linux/ipc.h>
61336 ++#include <linux/gracl.h>
61337 ++#include <linux/grsecurity.h>
61338 ++#include <linux/grinternal.h>
61339 ++
61340 ++int
61341 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61342 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
61343 ++{
61344 ++ struct task_struct *task;
61345 ++
61346 ++ if (!gr_acl_is_enabled())
61347 ++ return 1;
61348 ++
61349 ++ task = find_task_by_pid(shm_cprid);
61350 ++
61351 ++ if (unlikely(!task))
61352 ++ task = find_task_by_pid(shm_lapid);
61353 ++
61354 ++ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
61355 ++ (task->pid == shm_lapid)) &&
61356 ++ (task->acl->mode & GR_PROTSHM) &&
61357 ++ (task->acl != current->acl))) {
61358 ++ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
61359 ++ return 0;
61360 ++ }
61361 ++
61362 ++ return 1;
61363 ++}
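Review bot: in `gr_handle_shmat` the `find_task_by_pid()` lookups and the later dereferences of `task->start_time`, `task->pid` and `task->acl` happen without `read_lock(&tasklist_lock)` (or `rcu_read_lock()`), so the task can exit and be freed between lookup and use. The `gr_chroot_shmat` variant in grsec_chroot.c takes `tasklist_lock` around the same pattern; this function should match it.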
61364 +diff -urNp linux-2.6.24.5/grsecurity/grsec_chdir.c linux-2.6.24.5/grsecurity/grsec_chdir.c
61365 +--- linux-2.6.24.5/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
61366 ++++ linux-2.6.24.5/grsecurity/grsec_chdir.c 2008-03-26 20:21:09.000000000 -0400
61367 +@@ -0,0 +1,19 @@
61368 ++#include <linux/kernel.h>
61369 ++#include <linux/sched.h>
61370 ++#include <linux/fs.h>
61371 ++#include <linux/file.h>
61372 ++#include <linux/grsecurity.h>
61373 ++#include <linux/grinternal.h>
61374 ++
61375 ++void
61376 ++gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
61377 ++{
61378 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
61379 ++ if ((grsec_enable_chdir && grsec_enable_group &&
61380 ++ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
61381 ++ !grsec_enable_group)) {
61382 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
61383 ++ }
61384 ++#endif
61385 ++ return;
61386 ++}
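Review bot: the condition in `gr_log_chdir` tests `grsec_enable_chdir` twice and reads as two separate cases; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and easier to audit. The same pattern recurs in `gr_handle_exec_args` in grsec_exec.c and could take the same shape.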
61387 +diff -urNp linux-2.6.24.5/grsecurity/grsec_chroot.c linux-2.6.24.5/grsecurity/grsec_chroot.c
61388 +--- linux-2.6.24.5/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
61389 ++++ linux-2.6.24.5/grsecurity/grsec_chroot.c 2008-03-26 20:21:09.000000000 -0400
61390 +@@ -0,0 +1,335 @@
61391 ++#include <linux/kernel.h>
61392 ++#include <linux/module.h>
61393 ++#include <linux/sched.h>
61394 ++#include <linux/file.h>
61395 ++#include <linux/fs.h>
61396 ++#include <linux/mount.h>
61397 ++#include <linux/types.h>
61398 ++#include <linux/pid_namespace.h>
61399 ++#include <linux/grsecurity.h>
61400 ++#include <linux/grinternal.h>
61401 ++
61402 ++int
61403 ++gr_handle_chroot_unix(const pid_t pid)
61404 ++{
61405 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
61406 ++ struct pid *spid = NULL;
61407 ++
61408 ++ if (unlikely(!grsec_enable_chroot_unix))
61409 ++ return 1;
61410 ++
61411 ++ if (likely(!proc_is_chrooted(current)))
61412 ++ return 1;
61413 ++
61414 ++ read_lock(&tasklist_lock);
61415 ++
61416 ++ spid = find_pid(pid);
61417 ++ if (spid) {
61418 ++ struct task_struct *p;
61419 ++ p = pid_task(spid, PIDTYPE_PID);
61420 ++ task_lock(p);
61421 ++ if (unlikely(!have_same_root(current, p))) {
61422 ++ task_unlock(p);
61423 ++ read_unlock(&tasklist_lock);
61424 ++ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
61425 ++ return 0;
61426 ++ }
61427 ++ task_unlock(p);
61428 ++ }
61429 ++ read_unlock(&tasklist_lock);
61430 ++#endif
61431 ++ return 1;
61432 ++}
61433 ++
61434 ++int
61435 ++gr_handle_chroot_nice(void)
61436 ++{
61437 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61438 ++ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
61439 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
61440 ++ return -EPERM;
61441 ++ }
61442 ++#endif
61443 ++ return 0;
61444 ++}
61445 ++
61446 ++int
61447 ++gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
61448 ++{
61449 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61450 ++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
61451 ++ && proc_is_chrooted(current)) {
61452 ++ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
61453 ++ return -EACCES;
61454 ++ }
61455 ++#endif
61456 ++ return 0;
61457 ++}
61458 ++
61459 ++int
61460 ++gr_handle_chroot_rawio(const struct inode *inode)
61461 ++{
61462 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61463 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
61464 ++ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
61465 ++ return 1;
61466 ++#endif
61467 ++ return 0;
61468 ++}
61469 ++
61470 ++int
61471 ++gr_pid_is_chrooted(struct task_struct *p)
61472 ++{
61473 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
61474 ++ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
61475 ++ return 0;
61476 ++
61477 ++ task_lock(p);
61478 ++ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
61479 ++ !have_same_root(current, p)) {
61480 ++ task_unlock(p);
61481 ++ return 1;
61482 ++ }
61483 ++ task_unlock(p);
61484 ++#endif
61485 ++ return 0;
61486 ++}
61487 ++
61488 ++EXPORT_SYMBOL(gr_pid_is_chrooted);
61489 ++
61490 ++#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
61491 ++int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
61492 ++{
61493 ++ struct dentry *dentry = (struct dentry *)u_dentry;
61494 ++ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
61495 ++ struct dentry *realroot;
61496 ++ struct vfsmount *realrootmnt;
61497 ++ struct dentry *currentroot;
61498 ++ struct vfsmount *currentmnt;
61499 ++ struct task_struct *reaper = current->nsproxy->pid_ns->child_reaper;
61500 ++ int ret = 1;
61501 ++
61502 ++ read_lock(&reaper->fs->lock);
61503 ++ realrootmnt = mntget(reaper->fs->rootmnt);
61504 ++ realroot = dget(reaper->fs->root);
61505 ++ read_unlock(&reaper->fs->lock);
61506 ++
61507 ++ read_lock(&current->fs->lock);
61508 ++ currentmnt = mntget(current->fs->rootmnt);
61509 ++ currentroot = dget(current->fs->root);
61510 ++ read_unlock(&current->fs->lock);
61511 ++
61512 ++ spin_lock(&dcache_lock);
61513 ++ for (;;) {
61514 ++ if (unlikely((dentry == realroot && mnt == realrootmnt)
61515 ++ || (dentry == currentroot && mnt == currentmnt)))
61516 ++ break;
61517 ++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
61518 ++ if (mnt->mnt_parent == mnt)
61519 ++ break;
61520 ++ dentry = mnt->mnt_mountpoint;
61521 ++ mnt = mnt->mnt_parent;
61522 ++ continue;
61523 ++ }
61524 ++ dentry = dentry->d_parent;
61525 ++ }
61526 ++ spin_unlock(&dcache_lock);
61527 ++
61528 ++ dput(currentroot);
61529 ++ mntput(currentmnt);
61530 ++
61531 ++ /* access is outside of chroot */
61532 ++ if (dentry == realroot && mnt == realrootmnt)
61533 ++ ret = 0;
61534 ++
61535 ++ dput(realroot);
61536 ++ mntput(realrootmnt);
61537 ++ return ret;
61538 ++}
61539 ++#endif
61540 ++
61541 ++int
61542 ++gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
61543 ++{
61544 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
61545 ++ if (!grsec_enable_chroot_fchdir)
61546 ++ return 1;
61547 ++
61548 ++ if (!proc_is_chrooted(current))
61549 ++ return 1;
61550 ++ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
61551 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
61552 ++ return 0;
61553 ++ }
61554 ++#endif
61555 ++ return 1;
61556 ++}
61557 ++
61558 ++int
61559 ++gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61560 ++ const time_t shm_createtime)
61561 ++{
61562 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
61563 ++ struct pid *pid = NULL;
61564 ++ time_t starttime;
61565 ++
61566 ++ if (unlikely(!grsec_enable_chroot_shmat))
61567 ++ return 1;
61568 ++
61569 ++ if (likely(!proc_is_chrooted(current)))
61570 ++ return 1;
61571 ++
61572 ++ read_lock(&tasklist_lock);
61573 ++
61574 ++ pid = find_pid(shm_cprid);
61575 ++ if (pid) {
61576 ++ struct task_struct *p;
61577 ++ p = pid_task(pid, PIDTYPE_PID);
61578 ++ task_lock(p);
61579 ++ starttime = p->start_time.tv_sec;
61580 ++ if (unlikely(!have_same_root(current, p) &&
61581 ++ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
61582 ++ task_unlock(p);
61583 ++ read_unlock(&tasklist_lock);
61584 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
61585 ++ return 0;
61586 ++ }
61587 ++ task_unlock(p);
61588 ++ } else {
61589 ++ pid = find_pid(shm_lapid);
61590 ++ if (pid) {
61591 ++ struct task_struct *p;
61592 ++ p = pid_task(pid, PIDTYPE_PID);
61593 ++ task_lock(p);
61594 ++ if (unlikely(!have_same_root(current, p))) {
61595 ++ task_unlock(p);
61596 ++ read_unlock(&tasklist_lock);
61597 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
61598 ++ return 0;
61599 ++ }
61600 ++ task_unlock(p);
61601 ++ }
61602 ++ }
61603 ++
61604 ++ read_unlock(&tasklist_lock);
61605 ++#endif
61606 ++ return 1;
61607 ++}
61608 ++
61609 ++void
61610 ++gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
61611 ++{
61612 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
61613 ++ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
61614 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
61615 ++#endif
61616 ++ return;
61617 ++}
61618 ++
61619 ++int
61620 ++gr_handle_chroot_mknod(const struct dentry *dentry,
61621 ++ const struct vfsmount *mnt, const int mode)
61622 ++{
61623 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
61624 ++ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
61625 ++ proc_is_chrooted(current)) {
61626 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
61627 ++ return -EPERM;
61628 ++ }
61629 ++#endif
61630 ++ return 0;
61631 ++}
61632 ++
61633 ++int
61634 ++gr_handle_chroot_mount(const struct dentry *dentry,
61635 ++ const struct vfsmount *mnt, const char *dev_name)
61636 ++{
61637 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
61638 ++ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
61639 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
61640 ++ return -EPERM;
61641 ++ }
61642 ++#endif
61643 ++ return 0;
61644 ++}
61645 ++
61646 ++int
61647 ++gr_handle_chroot_pivot(void)
61648 ++{
61649 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
61650 ++ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
61651 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
61652 ++ return -EPERM;
61653 ++ }
61654 ++#endif
61655 ++ return 0;
61656 ++}
61657 ++
61658 ++int
61659 ++gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
61660 ++{
61661 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
61662 ++ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
61663 ++ !gr_is_outside_chroot(dentry, mnt)) {
61664 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
61665 ++ return -EPERM;
61666 ++ }
61667 ++#endif
61668 ++ return 0;
61669 ++}
61670 ++
61671 ++void
61672 ++gr_handle_chroot_caps(struct task_struct *task)
61673 ++{
61674 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61675 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
61676 ++ task->cap_permitted =
61677 ++ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
61678 ++ task->cap_inheritable =
61679 ++ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
61680 ++ task->cap_effective =
61681 ++ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
61682 ++ }
61683 ++#endif
61684 ++ return;
61685 ++}
61686 ++
61687 ++int
61688 ++gr_handle_chroot_sysctl(const int op)
61689 ++{
61690 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
61691 ++ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
61692 ++ && (op & 002))
61693 ++ return -EACCES;
61694 ++#endif
61695 ++ return 0;
61696 ++}
61697 ++
61698 ++void
61699 ++gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
61700 ++{
61701 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
61702 ++ if (grsec_enable_chroot_chdir)
61703 ++ set_fs_pwd(current->fs, mnt, dentry);
61704 ++#endif
61705 ++ return;
61706 ++}
61707 ++
61708 ++int
61709 ++gr_handle_chroot_chmod(const struct dentry *dentry,
61710 ++ const struct vfsmount *mnt, const int mode)
61711 ++{
61712 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
61713 ++ if (grsec_enable_chroot_chmod &&
61714 ++ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
61715 ++ proc_is_chrooted(current)) {
61716 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
61717 ++ return -EPERM;
61718 ++ }
61719 ++#endif
61720 ++ return 0;
61721 ++}
61722 ++
61723 ++#ifdef CONFIG_SECURITY
61724 ++EXPORT_SYMBOL(gr_handle_chroot_caps);
61725 ++#endif
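Review bot: `pid_task(spid, PIDTYPE_PID)` can return NULL (a `struct pid` found by `find_pid()` may survive only as a process-group or session id after its task has exited), yet `gr_handle_chroot_unix` and both branches of `gr_chroot_shmat` pass the result straight to `task_lock(p)`; add `if (p)` guards, or use `find_task_by_pid()` under the `tasklist_lock` that is already held, so an exited peer does not oops the caller. Separately, `gr_handle_chroot_sysctl` tests `op & 002`; a named constant for the sysctl write bit rather than the bare octal literal would make the intent clear.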
61726 +diff -urNp linux-2.6.24.5/grsecurity/grsec_disabled.c linux-2.6.24.5/grsecurity/grsec_disabled.c
61727 +--- linux-2.6.24.5/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
61728 ++++ linux-2.6.24.5/grsecurity/grsec_disabled.c 2008-03-26 20:21:09.000000000 -0400
61729 +@@ -0,0 +1,418 @@
61730 ++#include <linux/kernel.h>
61731 ++#include <linux/module.h>
61732 ++#include <linux/sched.h>
61733 ++#include <linux/file.h>
61734 ++#include <linux/fs.h>
61735 ++#include <linux/kdev_t.h>
61736 ++#include <linux/net.h>
61737 ++#include <linux/in.h>
61738 ++#include <linux/ip.h>
61739 ++#include <linux/skbuff.h>
61740 ++#include <linux/sysctl.h>
61741 ++
61742 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
61743 ++void
61744 ++pax_set_initial_flags(struct linux_binprm *bprm)
61745 ++{
61746 ++ return;
61747 ++}
61748 ++#endif
61749 ++
61750 ++#ifdef CONFIG_SYSCTL
61751 ++__u32
61752 ++gr_handle_sysctl(const struct ctl_table * table, const int op)
61753 ++{
61754 ++ return 0;
61755 ++}
61756 ++#endif
61757 ++
61758 ++int
61759 ++gr_acl_is_enabled(void)
61760 ++{
61761 ++ return 0;
61762 ++}
61763 ++
61764 ++int
61765 ++gr_handle_rawio(const struct inode *inode)
61766 ++{
61767 ++ return 0;
61768 ++}
61769 ++
61770 ++void
61771 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
61772 ++{
61773 ++ return;
61774 ++}
61775 ++
61776 ++int
61777 ++gr_handle_ptrace(struct task_struct *task, const long request)
61778 ++{
61779 ++ return 0;
61780 ++}
61781 ++
61782 ++int
61783 ++gr_handle_proc_ptrace(struct task_struct *task)
61784 ++{
61785 ++ return 0;
61786 ++}
61787 ++
61788 ++void
61789 ++gr_learn_resource(const struct task_struct *task,
61790 ++ const int res, const unsigned long wanted, const int gt)
61791 ++{
61792 ++ return;
61793 ++}
61794 ++
61795 ++int
61796 ++gr_set_acls(const int type)
61797 ++{
61798 ++ return 0;
61799 ++}
61800 ++
61801 ++int
61802 ++gr_check_hidden_task(const struct task_struct *tsk)
61803 ++{
61804 ++ return 0;
61805 ++}
61806 ++
61807 ++int
61808 ++gr_check_protected_task(const struct task_struct *task)
61809 ++{
61810 ++ return 0;
61811 ++}
61812 ++
61813 ++void
61814 ++gr_copy_label(struct task_struct *tsk)
61815 ++{
61816 ++ return;
61817 ++}
61818 ++
61819 ++void
61820 ++gr_set_pax_flags(struct task_struct *task)
61821 ++{
61822 ++ return;
61823 ++}
61824 ++
61825 ++int
61826 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
61827 ++{
61828 ++ return 0;
61829 ++}
61830 ++
61831 ++void
61832 ++gr_handle_delete(const ino_t ino, const dev_t dev)
61833 ++{
61834 ++ return;
61835 ++}
61836 ++
61837 ++void
61838 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
61839 ++{
61840 ++ return;
61841 ++}
61842 ++
61843 ++void
61844 ++gr_handle_crash(struct task_struct *task, const int sig)
61845 ++{
61846 ++ return;
61847 ++}
61848 ++
61849 ++int
61850 ++gr_check_crash_exec(const struct file *filp)
61851 ++{
61852 ++ return 0;
61853 ++}
61854 ++
61855 ++int
61856 ++gr_check_crash_uid(const uid_t uid)
61857 ++{
61858 ++ return 0;
61859 ++}
61860 ++
61861 ++void
61862 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
61863 ++ struct dentry *old_dentry,
61864 ++ struct dentry *new_dentry,
61865 ++ struct vfsmount *mnt, const __u8 replace)
61866 ++{
61867 ++ return;
61868 ++}
61869 ++
61870 ++int
61871 ++gr_search_socket(const int family, const int type, const int protocol)
61872 ++{
61873 ++ return 1;
61874 ++}
61875 ++
61876 ++int
61877 ++gr_search_connectbind(const int mode, const struct socket *sock,
61878 ++ const struct sockaddr_in *addr)
61879 ++{
61880 ++ return 1;
61881 ++}
61882 ++
61883 ++int
61884 ++gr_task_is_capable(struct task_struct *task, const int cap)
61885 ++{
61886 ++ return 1;
61887 ++}
61888 ++
61889 ++int
61890 ++gr_is_capable_nolog(const int cap)
61891 ++{
61892 ++ return 1;
61893 ++}
61894 ++
61895 ++void
61896 ++gr_handle_alertkill(struct task_struct *task)
61897 ++{
61898 ++ return;
61899 ++}
61900 ++
61901 ++__u32
61902 ++gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
61903 ++{
61904 ++ return 1;
61905 ++}
61906 ++
61907 ++__u32
61908 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
61909 ++ const struct vfsmount * mnt)
61910 ++{
61911 ++ return 1;
61912 ++}
61913 ++
61914 ++__u32
61915 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
61916 ++ const int fmode)
61917 ++{
61918 ++ return 1;
61919 ++}
61920 ++
61921 ++__u32
61922 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
61923 ++{
61924 ++ return 1;
61925 ++}
61926 ++
61927 ++__u32
61928 ++gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
61929 ++{
61930 ++ return 1;
61931 ++}
61932 ++
61933 ++int
61934 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
61935 ++ unsigned int *vm_flags)
61936 ++{
61937 ++ return 1;
61938 ++}
61939 ++
61940 ++__u32
61941 ++gr_acl_handle_truncate(const struct dentry * dentry,
61942 ++ const struct vfsmount * mnt)
61943 ++{
61944 ++ return 1;
61945 ++}
61946 ++
61947 ++__u32
61948 ++gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
61949 ++{
61950 ++ return 1;
61951 ++}
61952 ++
61953 ++__u32
61954 ++gr_acl_handle_access(const struct dentry * dentry,
61955 ++ const struct vfsmount * mnt, const int fmode)
61956 ++{
61957 ++ return 1;
61958 ++}
61959 ++
61960 ++__u32
61961 ++gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
61962 ++ mode_t mode)
61963 ++{
61964 ++ return 1;
61965 ++}
61966 ++
61967 ++__u32
61968 ++gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
61969 ++ mode_t mode)
61970 ++{
61971 ++ return 1;
61972 ++}
61973 ++
61974 ++__u32
61975 ++gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
61976 ++{
61977 ++ return 1;
61978 ++}
61979 ++
61980 ++void
61981 ++grsecurity_init(void)
61982 ++{
61983 ++ return;
61984 ++}
61985 ++
61986 ++__u32
61987 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
61988 ++ const struct dentry * parent_dentry,
61989 ++ const struct vfsmount * parent_mnt,
61990 ++ const int mode)
61991 ++{
61992 ++ return 1;
61993 ++}
61994 ++
61995 ++__u32
61996 ++gr_acl_handle_mkdir(const struct dentry * new_dentry,
61997 ++ const struct dentry * parent_dentry,
61998 ++ const struct vfsmount * parent_mnt)
61999 ++{
62000 ++ return 1;
62001 ++}
62002 ++
62003 ++__u32
62004 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
62005 ++ const struct dentry * parent_dentry,
62006 ++ const struct vfsmount * parent_mnt, const char *from)
62007 ++{
62008 ++ return 1;
62009 ++}
62010 ++
62011 ++__u32
62012 ++gr_acl_handle_link(const struct dentry * new_dentry,
62013 ++ const struct dentry * parent_dentry,
62014 ++ const struct vfsmount * parent_mnt,
62015 ++ const struct dentry * old_dentry,
62016 ++ const struct vfsmount * old_mnt, const char *to)
62017 ++{
62018 ++ return 1;
62019 ++}
62020 ++
62021 ++int
62022 ++gr_acl_handle_rename(const struct dentry *new_dentry,
62023 ++ const struct dentry *parent_dentry,
62024 ++ const struct vfsmount *parent_mnt,
62025 ++ const struct dentry *old_dentry,
62026 ++ const struct inode *old_parent_inode,
62027 ++ const struct vfsmount *old_mnt, const char *newname)
62028 ++{
62029 ++ return 0;
62030 ++}
62031 ++
62032 ++int
62033 ++gr_acl_handle_filldir(const struct file *file, const char *name,
62034 ++ const int namelen, const ino_t ino)
62035 ++{
62036 ++ return 1;
62037 ++}
62038 ++
62039 ++int
62040 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62041 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
62042 ++{
62043 ++ return 1;
62044 ++}
62045 ++
62046 ++int
62047 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
62048 ++{
62049 ++ return 1;
62050 ++}
62051 ++
62052 ++int
62053 ++gr_search_accept(const struct socket *sock)
62054 ++{
62055 ++ return 1;
62056 ++}
62057 ++
62058 ++int
62059 ++gr_search_listen(const struct socket *sock)
62060 ++{
62061 ++ return 1;
62062 ++}
62063 ++
62064 ++int
62065 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
62066 ++{
62067 ++ return 1;
62068 ++}
62069 ++
62070 ++__u32
62071 ++gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
62072 ++{
62073 ++ return 1;
62074 ++}
62075 ++
62076 ++__u32
62077 ++gr_acl_handle_creat(const struct dentry * dentry,
62078 ++ const struct dentry * p_dentry,
62079 ++ const struct vfsmount * p_mnt, const int fmode,
62080 ++ const int imode)
62081 ++{
62082 ++ return 1;
62083 ++}
62084 ++
62085 ++void
62086 ++gr_acl_handle_exit(void)
62087 ++{
62088 ++ return;
62089 ++}
62090 ++
62091 ++int
62092 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
62093 ++{
62094 ++ return 1;
62095 ++}
62096 ++
62097 ++void
62098 ++gr_set_role_label(const uid_t uid, const gid_t gid)
62099 ++{
62100 ++ return;
62101 ++}
62102 ++
62103 ++int
62104 ++gr_acl_handle_procpidmem(const struct task_struct *task)
62105 ++{
62106 ++ return 0;
62107 ++}
62108 ++
62109 ++int
62110 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
62111 ++{
62112 ++ return 1;
62113 ++}
62114 ++
62115 ++int
62116 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
62117 ++{
62118 ++ return 1;
62119 ++}
62120 ++
62121 ++void
62122 ++gr_set_kernel_label(struct task_struct *task)
62123 ++{
62124 ++ return;
62125 ++}
62126 ++
62127 ++int
62128 ++gr_check_user_change(int real, int effective, int fs)
62129 ++{
62130 ++ return 0;
62131 ++}
62132 ++
62133 ++int
62134 ++gr_check_group_change(int real, int effective, int fs)
62135 ++{
62136 ++ return 0;
62137 ++}
62138 ++
62139 ++
62140 ++EXPORT_SYMBOL(gr_task_is_capable);
62141 ++EXPORT_SYMBOL(gr_is_capable_nolog);
62142 ++EXPORT_SYMBOL(gr_learn_resource);
62143 ++EXPORT_SYMBOL(gr_set_kernel_label);
62144 ++#ifdef CONFIG_SECURITY
62145 ++EXPORT_SYMBOL(gr_check_user_change);
62146 ++EXPORT_SYMBOL(gr_check_group_change);
62147 ++#endif
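Review bot: this stub file mixes two return conventions with no comment to tell them apart: `gr_acl_handle_*` and `gr_search_*` return 1 to mean "permitted", while `gr_handle_*`, `gr_check_*`, `gr_acl_handle_rename` and `gr_acl_handle_procpidmem` return 0 to mean "no restriction". A caller that assumes the wrong convention fails open or closed silently whenever this disabled-mode file is the one compiled in, so a header comment stating which functions are permission predicates (non-zero = permit) and which are denial indicators (non-zero = deny) would make future stubs, and review of the call sites, considerably safer.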
62148 +diff -urNp linux-2.6.24.5/grsecurity/grsec_exec.c linux-2.6.24.5/grsecurity/grsec_exec.c
62149 +--- linux-2.6.24.5/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
62150 ++++ linux-2.6.24.5/grsecurity/grsec_exec.c 2008-03-26 20:21:09.000000000 -0400
62151 +@@ -0,0 +1,88 @@
62152 ++#include <linux/kernel.h>
62153 ++#include <linux/sched.h>
62154 ++#include <linux/file.h>
62155 ++#include <linux/binfmts.h>
62156 ++#include <linux/smp_lock.h>
62157 ++#include <linux/fs.h>
62158 ++#include <linux/types.h>
62159 ++#include <linux/grdefs.h>
62160 ++#include <linux/grinternal.h>
62161 ++#include <linux/capability.h>
62162 ++
62163 ++#include <asm/uaccess.h>
62164 ++
62165 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62166 ++static char gr_exec_arg_buf[132];
62167 ++static DECLARE_MUTEX(gr_exec_arg_sem);
62168 ++#endif
62169 ++
62170 ++int
62171 ++gr_handle_nproc(void)
62172 ++{
62173 ++#ifdef CONFIG_GRKERNSEC_EXECVE
62174 ++ if (grsec_enable_execve && current->user &&
62175 ++ (atomic_read(&current->user->processes) >
62176 ++ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
62177 ++ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
62178 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
62179 ++ return -EAGAIN;
62180 ++ }
62181 ++#endif
62182 ++ return 0;
62183 ++}
62184 ++
62185 ++void
62186 ++gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
62187 ++{
62188 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62189 ++ char *grarg = gr_exec_arg_buf;
62190 ++ unsigned int i, x, execlen = 0;
62191 ++ char c;
62192 ++
62193 ++ if (!((grsec_enable_execlog && grsec_enable_group &&
62194 ++ in_group_p(grsec_audit_gid))
62195 ++ || (grsec_enable_execlog && !grsec_enable_group)))
62196 ++ return;
62197 ++
62198 ++ down(&gr_exec_arg_sem);
62199 ++ memset(grarg, 0, sizeof(gr_exec_arg_buf));
62200 ++
62201 ++ if (unlikely(argv == NULL))
62202 ++ goto log;
62203 ++
62204 ++ for (i = 0; i < bprm->argc && execlen < 128; i++) {
62205 ++ const char __user *p;
62206 ++ unsigned int len;
62207 ++
62208 ++ if (copy_from_user(&p, argv + i, sizeof(p)))
62209 ++ goto log;
62210 ++ if (!p)
62211 ++ goto log;
62212 ++ len = strnlen_user(p, 128 - execlen);
62213 ++ if (len > 128 - execlen)
62214 ++ len = 128 - execlen;
62215 ++ else if (len > 0)
62216 ++ len--;
62217 ++ if (copy_from_user(grarg + execlen, p, len))
62218 ++ goto log;
62219 ++
62220 ++ /* rewrite unprintable characters */
62221 ++ for (x = 0; x < len; x++) {
62222 ++ c = *(grarg + execlen + x);
62223 ++ if (c < 32 || c > 126)
62224 ++ *(grarg + execlen + x) = ' ';
62225 ++ }
62226 ++
62227 ++ execlen += len;
62228 ++ *(grarg + execlen) = ' ';
62229 ++ *(grarg + execlen + 1) = '\0';
62230 ++ execlen++;
62231 ++ }
62232 ++
62233 ++ log:
62234 ++ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
62235 ++ bprm->file->f_vfsmnt, grarg);
62236 ++ up(&gr_exec_arg_sem);
62237 ++#endif
62238 ++ return;
62239 ++}
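Review bot: the 128-byte limit in gr_handle_exec_args is a bare magic number repeated four times (`execlen < 128`, `strnlen_user(p, 128 - execlen)`, `len = 128 - execlen`), and after each copy the loop writes `*(grarg + execlen) = ' '` and `*(grarg + execlen + 1) = '\0'` with execlen able to reach 128, so the function silently requires gr_exec_arg_buf to hold at least 130 bytes; that buffer is declared outside this hunk, so nothing here enforces the relationship. Derive the bound from the buffer (a named constant equal to `sizeof(gr_exec_arg_buf) - 2`) and add a comment stating that arguments are truncated to 128 bytes and terminated with a space and NUL. Also, `down(&gr_exec_arg_sem)` / `up(&gr_exec_arg_sem)` use a semaphore purely as a mutex; `struct mutex` with mutex_lock()/mutex_unlock() is the idiomatic primitive for that on this kernel.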
62240 +diff -urNp linux-2.6.24.5/grsecurity/grsec_fifo.c linux-2.6.24.5/grsecurity/grsec_fifo.c
62241 +--- linux-2.6.24.5/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
62242 ++++ linux-2.6.24.5/grsecurity/grsec_fifo.c 2008-03-26 20:21:09.000000000 -0400
62243 +@@ -0,0 +1,22 @@
62244 ++#include <linux/kernel.h>
62245 ++#include <linux/sched.h>
62246 ++#include <linux/fs.h>
62247 ++#include <linux/file.h>
62248 ++#include <linux/grinternal.h>
62249 ++
62250 ++int
62251 ++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
62252 ++ const struct dentry *dir, const int flag, const int acc_mode)
62253 ++{
62254 ++#ifdef CONFIG_GRKERNSEC_FIFO
62255 ++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
62256 ++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
62257 ++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
62258 ++ (current->fsuid != dentry->d_inode->i_uid)) {
62259 ++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
62260 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
62261 ++ return -EACCES;
62262 ++ }
62263 ++#endif
62264 ++ return 0;
62265 ++}
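Review bot: in gr_handle_fifo the inner `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` has no braces, so only the gr_log_fs_int2() call is conditional and `return -EACCES;` runs on every match, while the indentation makes the return look like part of the inner if. If the intent is "log only when the open would otherwise have succeeded, deny regardless", put braces around the log call and say so in a one-line comment; otherwise the next reader will assume the deny is conditional too.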
62266 +diff -urNp linux-2.6.24.5/grsecurity/grsec_fork.c linux-2.6.24.5/grsecurity/grsec_fork.c
62267 +--- linux-2.6.24.5/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
62268 ++++ linux-2.6.24.5/grsecurity/grsec_fork.c 2008-03-26 20:21:09.000000000 -0400
62269 +@@ -0,0 +1,15 @@
62270 ++#include <linux/kernel.h>
62271 ++#include <linux/sched.h>
62272 ++#include <linux/grsecurity.h>
62273 ++#include <linux/grinternal.h>
62274 ++#include <linux/errno.h>
62275 ++
62276 ++void
62277 ++gr_log_forkfail(const int retval)
62278 ++{
62279 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
62280 ++ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
62281 ++ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
62282 ++#endif
62283 ++ return;
62284 ++}
62285 +diff -urNp linux-2.6.24.5/grsecurity/grsec_init.c linux-2.6.24.5/grsecurity/grsec_init.c
62286 +--- linux-2.6.24.5/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
62287 ++++ linux-2.6.24.5/grsecurity/grsec_init.c 2008-03-26 20:21:09.000000000 -0400
62288 +@@ -0,0 +1,226 @@
62289 ++#include <linux/kernel.h>
62290 ++#include <linux/sched.h>
62291 ++#include <linux/mm.h>
62292 ++#include <linux/smp_lock.h>
62293 ++#include <linux/gracl.h>
62294 ++#include <linux/slab.h>
62295 ++#include <linux/vmalloc.h>
62296 ++#include <linux/percpu.h>
62297 ++
62298 ++int grsec_enable_link;
62299 ++int grsec_enable_dmesg;
62300 ++int grsec_enable_fifo;
62301 ++int grsec_enable_execve;
62302 ++int grsec_enable_execlog;
62303 ++int grsec_enable_signal;
62304 ++int grsec_enable_forkfail;
62305 ++int grsec_enable_time;
62306 ++int grsec_enable_audit_textrel;
62307 ++int grsec_enable_group;
62308 ++int grsec_audit_gid;
62309 ++int grsec_enable_chdir;
62310 ++int grsec_enable_audit_ipc;
62311 ++int grsec_enable_mount;
62312 ++int grsec_enable_chroot_findtask;
62313 ++int grsec_enable_chroot_mount;
62314 ++int grsec_enable_chroot_shmat;
62315 ++int grsec_enable_chroot_fchdir;
62316 ++int grsec_enable_chroot_double;
62317 ++int grsec_enable_chroot_pivot;
62318 ++int grsec_enable_chroot_chdir;
62319 ++int grsec_enable_chroot_chmod;
62320 ++int grsec_enable_chroot_mknod;
62321 ++int grsec_enable_chroot_nice;
62322 ++int grsec_enable_chroot_execlog;
62323 ++int grsec_enable_chroot_caps;
62324 ++int grsec_enable_chroot_sysctl;
62325 ++int grsec_enable_chroot_unix;
62326 ++int grsec_enable_tpe;
62327 ++int grsec_tpe_gid;
62328 ++int grsec_enable_tpe_all;
62329 ++int grsec_enable_socket_all;
62330 ++int grsec_socket_all_gid;
62331 ++int grsec_enable_socket_client;
62332 ++int grsec_socket_client_gid;
62333 ++int grsec_enable_socket_server;
62334 ++int grsec_socket_server_gid;
62335 ++int grsec_resource_logging;
62336 ++int grsec_lock;
62337 ++
62338 ++spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
62339 ++unsigned long grsec_alert_wtime = 0;
62340 ++unsigned long grsec_alert_fyet = 0;
62341 ++
62342 ++spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
62343 ++
62344 ++rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
62345 ++
62346 ++char *gr_shared_page[4];
62347 ++
62348 ++char *gr_alert_log_fmt;
62349 ++char *gr_audit_log_fmt;
62350 ++char *gr_alert_log_buf;
62351 ++char *gr_audit_log_buf;
62352 ++
62353 ++extern struct gr_arg *gr_usermode;
62354 ++extern unsigned char *gr_system_salt;
62355 ++extern unsigned char *gr_system_sum;
62356 ++
62357 ++void
62358 ++grsecurity_init(void)
62359 ++{
62360 ++ int j;
62361 ++ /* create the per-cpu shared pages */
62362 ++
62363 ++ for (j = 0; j < 4; j++) {
62364 ++ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
62365 ++ if (gr_shared_page[j] == NULL) {
62366 ++ panic("Unable to allocate grsecurity shared page");
62367 ++ return;
62368 ++ }
62369 ++ }
62370 ++
62371 ++ /* allocate log buffers */
62372 ++ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
62373 ++ if (!gr_alert_log_fmt) {
62374 ++ panic("Unable to allocate grsecurity alert log format buffer");
62375 ++ return;
62376 ++ }
62377 ++ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
62378 ++ if (!gr_audit_log_fmt) {
62379 ++ panic("Unable to allocate grsecurity audit log format buffer");
62380 ++ return;
62381 ++ }
62382 ++ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
62383 ++ if (!gr_alert_log_buf) {
62384 ++ panic("Unable to allocate grsecurity alert log buffer");
62385 ++ return;
62386 ++ }
62387 ++ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
62388 ++ if (!gr_audit_log_buf) {
62389 ++ panic("Unable to allocate grsecurity audit log buffer");
62390 ++ return;
62391 ++ }
62392 ++
62393 ++ /* allocate memory for authentication structure */
62394 ++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
62395 ++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
62396 ++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
62397 ++
62398 ++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
62399 ++ panic("Unable to allocate grsecurity authentication structure");
62400 ++ return;
62401 ++ }
62402 ++
62403 ++#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
62404 ++#ifndef CONFIG_GRKERNSEC_SYSCTL
62405 ++ grsec_lock = 1;
62406 ++#endif
62407 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
62408 ++ grsec_enable_audit_textrel = 1;
62409 ++#endif
62410 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
62411 ++ grsec_enable_group = 1;
62412 ++ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
62413 ++#endif
62414 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
62415 ++ grsec_enable_chdir = 1;
62416 ++#endif
62417 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62418 ++ grsec_enable_audit_ipc = 1;
62419 ++#endif
62420 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
62421 ++ grsec_enable_mount = 1;
62422 ++#endif
62423 ++#ifdef CONFIG_GRKERNSEC_LINK
62424 ++ grsec_enable_link = 1;
62425 ++#endif
62426 ++#ifdef CONFIG_GRKERNSEC_DMESG
62427 ++ grsec_enable_dmesg = 1;
62428 ++#endif
62429 ++#ifdef CONFIG_GRKERNSEC_FIFO
62430 ++ grsec_enable_fifo = 1;
62431 ++#endif
62432 ++#ifdef CONFIG_GRKERNSEC_EXECVE
62433 ++ grsec_enable_execve = 1;
62434 ++#endif
62435 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
62436 ++ grsec_enable_execlog = 1;
62437 ++#endif
62438 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
62439 ++ grsec_enable_signal = 1;
62440 ++#endif
62441 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
62442 ++ grsec_enable_forkfail = 1;
62443 ++#endif
62444 ++#ifdef CONFIG_GRKERNSEC_TIME
62445 ++ grsec_enable_time = 1;
62446 ++#endif
62447 ++#ifdef CONFIG_GRKERNSEC_RESLOG
62448 ++ grsec_resource_logging = 1;
62449 ++#endif
62450 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
62451 ++ grsec_enable_chroot_findtask = 1;
62452 ++#endif
62453 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
62454 ++ grsec_enable_chroot_unix = 1;
62455 ++#endif
62456 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
62457 ++ grsec_enable_chroot_mount = 1;
62458 ++#endif
62459 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
62460 ++ grsec_enable_chroot_fchdir = 1;
62461 ++#endif
62462 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
62463 ++ grsec_enable_chroot_shmat = 1;
62464 ++#endif
62465 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
62466 ++ grsec_enable_chroot_double = 1;
62467 ++#endif
62468 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
62469 ++ grsec_enable_chroot_pivot = 1;
62470 ++#endif
62471 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
62472 ++ grsec_enable_chroot_chdir = 1;
62473 ++#endif
62474 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
62475 ++ grsec_enable_chroot_chmod = 1;
62476 ++#endif
62477 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
62478 ++ grsec_enable_chroot_mknod = 1;
62479 ++#endif
62480 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
62481 ++ grsec_enable_chroot_nice = 1;
62482 ++#endif
62483 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
62484 ++ grsec_enable_chroot_execlog = 1;
62485 ++#endif
62486 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
62487 ++ grsec_enable_chroot_caps = 1;
62488 ++#endif
62489 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
62490 ++ grsec_enable_chroot_sysctl = 1;
62491 ++#endif
62492 ++#ifdef CONFIG_GRKERNSEC_TPE
62493 ++ grsec_enable_tpe = 1;
62494 ++ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
62495 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
62496 ++ grsec_enable_tpe_all = 1;
62497 ++#endif
62498 ++#endif
62499 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
62500 ++ grsec_enable_socket_all = 1;
62501 ++ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
62502 ++#endif
62503 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
62504 ++ grsec_enable_socket_client = 1;
62505 ++ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
62506 ++#endif
62507 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
62508 ++ grsec_enable_socket_server = 1;
62509 ++ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
62510 ++#endif
62511 ++#endif
62512 ++
62513 ++ return;
62514 ++}
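Review bot: `SPIN_LOCK_UNLOCKED` and `RW_LOCK_UNLOCKED` are the deprecated static initializers and make every lock initialised that way share one lockdep class; use `DEFINE_SPINLOCK(grsec_alert_lock)`, `DEFINE_SPINLOCK(grsec_audit_lock)` and `DEFINE_RWLOCK(grsec_exec_file_lock)` instead. In grsecurity_init each `panic(...)` is followed by a `return;` that can never execute, since panic does not return; drop them. The loop bound `for (j = 0; j < 4; j++)` duplicates the `gr_shared_page[4]` declaration; `ARRAY_SIZE(gr_shared_page)` keeps the two in step.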
62515 +diff -urNp linux-2.6.24.5/grsecurity/grsec_ipc.c linux-2.6.24.5/grsecurity/grsec_ipc.c
62516 +--- linux-2.6.24.5/grsecurity/grsec_ipc.c 1969-12-31 19:00:00.000000000 -0500
62517 ++++ linux-2.6.24.5/grsecurity/grsec_ipc.c 2008-03-26 20:21:09.000000000 -0400
62518 +@@ -0,0 +1,81 @@
62519 ++#include <linux/kernel.h>
62520 ++#include <linux/sched.h>
62521 ++#include <linux/types.h>
62522 ++#include <linux/ipc.h>
62523 ++#include <linux/grsecurity.h>
62524 ++#include <linux/grinternal.h>
62525 ++
62526 ++void
62527 ++gr_log_msgget(const int ret, const int msgflg)
62528 ++{
62529 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62530 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62531 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62532 ++ !grsec_enable_group)) && (ret >= 0)
62533 ++ && (msgflg & IPC_CREAT))
62534 ++ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
62535 ++#endif
62536 ++ return;
62537 ++}
62538 ++
62539 ++void
62540 ++gr_log_msgrm(const uid_t uid, const uid_t cuid)
62541 ++{
62542 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62543 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62544 ++ grsec_enable_audit_ipc) ||
62545 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62546 ++ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
62547 ++#endif
62548 ++ return;
62549 ++}
62550 ++
62551 ++void
62552 ++gr_log_semget(const int err, const int semflg)
62553 ++{
62554 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62555 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62556 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62557 ++ !grsec_enable_group)) && (err >= 0)
62558 ++ && (semflg & IPC_CREAT))
62559 ++ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
62560 ++#endif
62561 ++ return;
62562 ++}
62563 ++
62564 ++void
62565 ++gr_log_semrm(const uid_t uid, const uid_t cuid)
62566 ++{
62567 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62568 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62569 ++ grsec_enable_audit_ipc) ||
62570 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62571 ++ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
62572 ++#endif
62573 ++ return;
62574 ++}
62575 ++
62576 ++void
62577 ++gr_log_shmget(const int err, const int shmflg, const size_t size)
62578 ++{
62579 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62580 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62581 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
62582 ++ !grsec_enable_group)) && (err >= 0)
62583 ++ && (shmflg & IPC_CREAT))
62584 ++ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
62585 ++#endif
62586 ++ return;
62587 ++}
62588 ++
62589 ++void
62590 ++gr_log_shmrm(const uid_t uid, const uid_t cuid)
62591 ++{
62592 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
62593 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
62594 ++ grsec_enable_audit_ipc) ||
62595 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
62596 ++ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
62597 ++#endif
62598 ++ return;
62599 ++}
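Review bot: the gate `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)` is copied verbatim into all six functions; hoist it into one static inline helper (a hypothetical `gr_ipc_audit_enabled()`) so a change to the audit-group semantics happens in one place, and note that the expression simplifies to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))`. In gr_log_shmget, `size` is a `size_t` but is handed to gr_log_int(); on 64-bit the logger's format width decides whether the value is truncated, so confirm the GR_SHM_AUDIT_MSG format or make the cast explicit.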
62600 +diff -urNp linux-2.6.24.5/grsecurity/grsec_link.c linux-2.6.24.5/grsecurity/grsec_link.c
62601 +--- linux-2.6.24.5/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
62602 ++++ linux-2.6.24.5/grsecurity/grsec_link.c 2008-03-26 20:21:09.000000000 -0400
62603 +@@ -0,0 +1,39 @@
62604 ++#include <linux/kernel.h>
62605 ++#include <linux/sched.h>
62606 ++#include <linux/fs.h>
62607 ++#include <linux/file.h>
62608 ++#include <linux/grinternal.h>
62609 ++
62610 ++int
62611 ++gr_handle_follow_link(const struct inode *parent,
62612 ++ const struct inode *inode,
62613 ++ const struct dentry *dentry, const struct vfsmount *mnt)
62614 ++{
62615 ++#ifdef CONFIG_GRKERNSEC_LINK
62616 ++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
62617 ++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
62618 ++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
62619 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
62620 ++ return -EACCES;
62621 ++ }
62622 ++#endif
62623 ++ return 0;
62624 ++}
62625 ++
62626 ++int
62627 ++gr_handle_hardlink(const struct dentry *dentry,
62628 ++ const struct vfsmount *mnt,
62629 ++ struct inode *inode, const int mode, const char *to)
62630 ++{
62631 ++#ifdef CONFIG_GRKERNSEC_LINK
62632 ++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
62633 ++ (!S_ISREG(mode) || (mode & S_ISUID) ||
62634 ++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
62635 ++ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
62636 ++ !capable(CAP_FOWNER) && current->uid) {
62637 ++ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
62638 ++ return -EPERM;
62639 ++ }
62640 ++#endif
62641 ++ return 0;
62642 ++}
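Review bot: neither function documents the policy it enforces, and both conditions have six terms. gr_handle_follow_link refuses to follow a symlink that lives in a sticky, world-writable directory (`S_ISVTX`, `S_IWOTH`) when the link's owner differs from both the directory owner and the caller's fsuid; gr_handle_hardlink refuses a link to a file the caller does not own unless it is a regular file with no setuid or setgid-plus-group-exec bits that the caller could already read and write, with CAP_FOWNER holders exempt. A short comment above each stating that rule would spare the next reader from decoding the expressions. Note also that gr_handle_hardlink exempts on `current->uid` (real uid 0) while its ownership test uses `current->fsuid`; if the asymmetry is deliberate it belongs in that comment.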
62643 +diff -urNp linux-2.6.24.5/grsecurity/grsec_log.c linux-2.6.24.5/grsecurity/grsec_log.c
62644 +--- linux-2.6.24.5/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
62645 ++++ linux-2.6.24.5/grsecurity/grsec_log.c 2008-03-26 20:21:09.000000000 -0400
62646 +@@ -0,0 +1,269 @@
62647 ++#include <linux/kernel.h>
62648 ++#include <linux/sched.h>
62649 ++#include <linux/file.h>
62650 ++#include <linux/tty.h>
62651 ++#include <linux/fs.h>
62652 ++#include <linux/grinternal.h>
62653 ++
62654 ++#define BEGIN_LOCKS(x) \
62655 ++ read_lock(&tasklist_lock); \
62656 ++ read_lock(&grsec_exec_file_lock); \
62657 ++ if (x != GR_DO_AUDIT) \
62658 ++ spin_lock(&grsec_alert_lock); \
62659 ++ else \
62660 ++ spin_lock(&grsec_audit_lock)
62661 ++
62662 ++#define END_LOCKS(x) \
62663 ++ if (x != GR_DO_AUDIT) \
62664 ++ spin_unlock(&grsec_alert_lock); \
62665 ++ else \
62666 ++ spin_unlock(&grsec_audit_lock); \
62667 ++ read_unlock(&grsec_exec_file_lock); \
62668 ++ read_unlock(&tasklist_lock); \
62669 ++ if (x == GR_DONT_AUDIT) \
62670 ++ gr_handle_alertkill(current)
62671 ++
62672 ++enum {
62673 ++ FLOODING,
62674 ++ NO_FLOODING
62675 ++};
62676 ++
62677 ++extern char *gr_alert_log_fmt;
62678 ++extern char *gr_audit_log_fmt;
62679 ++extern char *gr_alert_log_buf;
62680 ++extern char *gr_audit_log_buf;
62681 ++
62682 ++static int gr_log_start(int audit)
62683 ++{
62684 ++ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
62685 ++ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
62686 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62687 ++
62688 ++ if (audit == GR_DO_AUDIT)
62689 ++ goto set_fmt;
62690 ++
62691 ++ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
62692 ++ grsec_alert_wtime = jiffies;
62693 ++ grsec_alert_fyet = 0;
62694 ++ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
62695 ++ grsec_alert_fyet++;
62696 ++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
62697 ++ grsec_alert_wtime = jiffies;
62698 ++ grsec_alert_fyet++;
62699 ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
62700 ++ return FLOODING;
62701 ++ } else return FLOODING;
62702 ++
62703 ++set_fmt:
62704 ++ memset(buf, 0, PAGE_SIZE);
62705 ++ if (current->signal->curr_ip && gr_acl_is_enabled()) {
62706 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
62707 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
62708 ++ } else if (current->signal->curr_ip) {
62709 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
62710 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
62711 ++ } else if (gr_acl_is_enabled()) {
62712 ++ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
62713 ++ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
62714 ++ } else {
62715 ++ sprintf(fmt, "%s%s", loglevel, "grsec: ");
62716 ++ strcpy(buf, fmt);
62717 ++ }
62718 ++
62719 ++ return NO_FLOODING;
62720 ++}
62721 ++
62722 ++static void gr_log_middle(int audit, const char *msg, va_list ap)
62723 ++{
62724 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62725 ++ unsigned int len = strlen(buf);
62726 ++
62727 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
62728 ++
62729 ++ return;
62730 ++}
62731 ++
62732 ++static void gr_log_middle_varargs(int audit, const char *msg, ...)
62733 ++{
62734 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62735 ++ unsigned int len = strlen(buf);
62736 ++ va_list ap;
62737 ++
62738 ++ va_start(ap, msg);
62739 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
62740 ++ va_end(ap);
62741 ++
62742 ++ return;
62743 ++}
62744 ++
62745 ++static void gr_log_end(int audit)
62746 ++{
62747 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
62748 ++ unsigned int len = strlen(buf);
62749 ++
62750 ++ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
62751 ++ printk("%s\n", buf);
62752 ++
62753 ++ return;
62754 ++}
62755 ++
62756 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
62757 ++{
62758 ++ int logtype;
62759 ++ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
62760 ++ char *str1, *str2, *str3;
62761 ++ int num1, num2;
62762 ++ unsigned long ulong1, ulong2;
62763 ++ struct dentry *dentry;
62764 ++ struct vfsmount *mnt;
62765 ++ struct file *file;
62766 ++ struct task_struct *task;
62767 ++ va_list ap;
62768 ++
62769 ++ BEGIN_LOCKS(audit);
62770 ++ logtype = gr_log_start(audit);
62771 ++ if (logtype == FLOODING) {
62772 ++ END_LOCKS(audit);
62773 ++ return;
62774 ++ }
62775 ++ va_start(ap, argtypes);
62776 ++ switch (argtypes) {
62777 ++ case GR_TTYSNIFF:
62778 ++ task = va_arg(ap, struct task_struct *);
62779 ++ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
62780 ++ break;
62781 ++ case GR_SYSCTL_HIDDEN:
62782 ++ str1 = va_arg(ap, char *);
62783 ++ gr_log_middle_varargs(audit, msg, result, str1);
62784 ++ break;
62785 ++ case GR_RBAC:
62786 ++ dentry = va_arg(ap, struct dentry *);
62787 ++ mnt = va_arg(ap, struct vfsmount *);
62788 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
62789 ++ break;
62790 ++ case GR_RBAC_STR:
62791 ++ dentry = va_arg(ap, struct dentry *);
62792 ++ mnt = va_arg(ap, struct vfsmount *);
62793 ++ str1 = va_arg(ap, char *);
62794 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
62795 ++ break;
62796 ++ case GR_STR_RBAC:
62797 ++ str1 = va_arg(ap, char *);
62798 ++ dentry = va_arg(ap, struct dentry *);
62799 ++ mnt = va_arg(ap, struct vfsmount *);
62800 ++ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
62801 ++ break;
62802 ++ case GR_RBAC_MODE2:
62803 ++ dentry = va_arg(ap, struct dentry *);
62804 ++ mnt = va_arg(ap, struct vfsmount *);
62805 ++ str1 = va_arg(ap, char *);
62806 ++ str2 = va_arg(ap, char *);
62807 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
62808 ++ break;
62809 ++ case GR_RBAC_MODE3:
62810 ++ dentry = va_arg(ap, struct dentry *);
62811 ++ mnt = va_arg(ap, struct vfsmount *);
62812 ++ str1 = va_arg(ap, char *);
62813 ++ str2 = va_arg(ap, char *);
62814 ++ str3 = va_arg(ap, char *);
62815 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
62816 ++ break;
62817 ++ case GR_FILENAME:
62818 ++ dentry = va_arg(ap, struct dentry *);
62819 ++ mnt = va_arg(ap, struct vfsmount *);
62820 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
62821 ++ break;
62822 ++ case GR_STR_FILENAME:
62823 ++ str1 = va_arg(ap, char *);
62824 ++ dentry = va_arg(ap, struct dentry *);
62825 ++ mnt = va_arg(ap, struct vfsmount *);
62826 ++ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
62827 ++ break;
62828 ++ case GR_FILENAME_STR:
62829 ++ dentry = va_arg(ap, struct dentry *);
62830 ++ mnt = va_arg(ap, struct vfsmount *);
62831 ++ str1 = va_arg(ap, char *);
62832 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
62833 ++ break;
62834 ++ case GR_FILENAME_TWO_INT:
62835 ++ dentry = va_arg(ap, struct dentry *);
62836 ++ mnt = va_arg(ap, struct vfsmount *);
62837 ++ num1 = va_arg(ap, int);
62838 ++ num2 = va_arg(ap, int);
62839 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
62840 ++ break;
62841 ++ case GR_FILENAME_TWO_INT_STR:
62842 ++ dentry = va_arg(ap, struct dentry *);
62843 ++ mnt = va_arg(ap, struct vfsmount *);
62844 ++ num1 = va_arg(ap, int);
62845 ++ num2 = va_arg(ap, int);
62846 ++ str1 = va_arg(ap, char *);
62847 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
62848 ++ break;
62849 ++ case GR_TEXTREL:
62850 ++ file = va_arg(ap, struct file *);
62851 ++ ulong1 = va_arg(ap, unsigned long);
62852 ++ ulong2 = va_arg(ap, unsigned long);
62853 ++ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
62854 ++ break;
62855 ++ case GR_PTRACE:
62856 ++ task = va_arg(ap, struct task_struct *);
62857 ++ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
62858 ++ break;
62859 ++ case GR_RESOURCE:
62860 ++ task = va_arg(ap, struct task_struct *);
62861 ++ ulong1 = va_arg(ap, unsigned long);
62862 ++ str1 = va_arg(ap, char *);
62863 ++ ulong2 = va_arg(ap, unsigned long);
62864 ++ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62865 ++ break;
62866 ++ case GR_CAP:
62867 ++ task = va_arg(ap, struct task_struct *);
62868 ++ str1 = va_arg(ap, char *);
62869 ++ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62870 ++ break;
62871 ++ case GR_SIG:
62872 ++ task = va_arg(ap, struct task_struct *);
62873 ++ num1 = va_arg(ap, int);
62874 ++ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62875 ++ break;
62876 ++ case GR_CRASH1:
62877 ++ task = va_arg(ap, struct task_struct *);
62878 ++ ulong1 = va_arg(ap, unsigned long);
62879 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
62880 ++ break;
62881 ++ case GR_CRASH2:
62882 ++ task = va_arg(ap, struct task_struct *);
62883 ++ ulong1 = va_arg(ap, unsigned long);
62884 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
62885 ++ break;
62886 ++ case GR_PSACCT:
62887 ++ {
62888 ++ unsigned int wday, cday;
62889 ++ __u8 whr, chr;
62890 ++ __u8 wmin, cmin;
62891 ++ __u8 wsec, csec;
62892 ++ char cur_tty[64] = { 0 };
62893 ++ char parent_tty[64] = { 0 };
62894 ++
62895 ++ task = va_arg(ap, struct task_struct *);
62896 ++ wday = va_arg(ap, unsigned int);
62897 ++ cday = va_arg(ap, unsigned int);
62898 ++ whr = va_arg(ap, int);
62899 ++ chr = va_arg(ap, int);
62900 ++ wmin = va_arg(ap, int);
62901 ++ cmin = va_arg(ap, int);
62902 ++ wsec = va_arg(ap, int);
62903 ++ csec = va_arg(ap, int);
62904 ++ ulong1 = va_arg(ap, unsigned long);
62905 ++
62906 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
62907 ++ }
62908 ++ break;
62909 ++ default:
62910 ++ gr_log_middle(audit, msg, ap);
62911 ++ }
62912 ++ va_end(ap);
62913 ++ gr_log_end(audit);
62914 ++ END_LOCKS(audit);
62915 ++}
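Review bot: BEGIN_LOCKS() and END_LOCKS() expand to several statements including an if/else and are only safe because every call site uses them as a lone statement; wrap both bodies in `do { ... } while (0)` so an unbraced `if (cond) END_LOCKS(audit);` cannot silently misbehave. In gr_log_start the flood window is tested with `jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ` in one branch and `< CONFIG_GRKERNSEC_FLOODTIME * HZ` in the next, so when the difference equals the window exactly an alert falls through to `else return FLOODING;` and is dropped even though the burst budget is not exhausted; make the second test `<=` (or restructure around a single `time_after()`), and add a comment describing the state machine (CONFIG_GRKERNSEC_FLOODBURST alerts per window, then one "logging disabled" notice and silence until the window expires).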
62916 +diff -urNp linux-2.6.24.5/grsecurity/grsec_mem.c linux-2.6.24.5/grsecurity/grsec_mem.c
62917 +--- linux-2.6.24.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
62918 ++++ linux-2.6.24.5/grsecurity/grsec_mem.c 2008-03-26 20:21:09.000000000 -0400
62919 +@@ -0,0 +1,71 @@
62920 ++#include <linux/kernel.h>
62921 ++#include <linux/sched.h>
62922 ++#include <linux/mm.h>
62923 ++#include <linux/mman.h>
62924 ++#include <linux/grinternal.h>
62925 ++
62926 ++void
62927 ++gr_handle_ioperm(void)
62928 ++{
62929 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
62930 ++ return;
62931 ++}
62932 ++
62933 ++void
62934 ++gr_handle_iopl(void)
62935 ++{
62936 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
62937 ++ return;
62938 ++}
62939 ++
62940 ++void
62941 ++gr_handle_mem_write(void)
62942 ++{
62943 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
62944 ++ return;
62945 ++}
62946 ++
62947 ++void
62948 ++gr_handle_kmem_write(void)
62949 ++{
62950 ++ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
62951 ++ return;
62952 ++}
62953 ++
62954 ++void
62955 ++gr_handle_open_port(void)
62956 ++{
62957 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
62958 ++ return;
62959 ++}
62960 ++
62961 ++int
62962 ++gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
62963 ++{
62964 ++ unsigned long start, end;
62965 ++
62966 ++ start = offset;
62967 ++ end = start + vma->vm_end - vma->vm_start;
62968 ++
62969 ++ if (start > end) {
62970 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
62971 ++ return -EPERM;
62972 ++ }
62973 ++
62974 ++ /* allowed ranges : ISA I/O BIOS */
62975 ++ if ((start >= __pa(high_memory))
62976 ++#ifdef CONFIG_X86
62977 ++ || (start >= 0x000a0000 && end <= 0x00100000)
62978 ++ || (start >= 0x00000000 && end <= 0x00001000)
62979 ++#endif
62980 ++ )
62981 ++ return 0;
62982 ++
62983 ++ if (vma->vm_flags & VM_WRITE) {
62984 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
62985 ++ return -EPERM;
62986 ++ } else
62987 ++ vma->vm_flags &= ~VM_MAYWRITE;
62988 ++
62989 ++ return 0;
62990 ++}
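Review bot: in gr_handle_mem_mmap the x86 test `(start >= 0x00000000 && end <= 0x00001000)` has an always-true first half (start is unsigned long); reduce it to `end <= 0x00001000` so nobody hunts for a reason it is there. The comment `/* allowed ranges : ISA I/O BIOS */` should name each constant (0xa0000-0x100000 is the legacy VGA/ISA and BIOS area, the first page holds the real-mode interrupt vector table and BIOS data area) and state that anything at or above `__pa(high_memory)` is passed through as non-RAM. Separately, gr_handle_ioperm(), gr_handle_iopl(), gr_handle_mem_write(), gr_handle_kmem_write() and gr_handle_open_port() log unconditionally, unlike every other hook in this series, which checks its `grsec_enable_*` flag first; that moves the gating burden to callers not shown here, so say so in a comment above them.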
62991 +diff -urNp linux-2.6.24.5/grsecurity/grsec_mount.c linux-2.6.24.5/grsecurity/grsec_mount.c
62992 +--- linux-2.6.24.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
62993 ++++ linux-2.6.24.5/grsecurity/grsec_mount.c 2008-03-26 20:21:09.000000000 -0400
62994 +@@ -0,0 +1,34 @@
62995 ++#include <linux/kernel.h>
62996 ++#include <linux/sched.h>
62997 ++#include <linux/grsecurity.h>
62998 ++#include <linux/grinternal.h>
62999 ++
63000 ++void
63001 ++gr_log_remount(const char *devname, const int retval)
63002 ++{
63003 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63004 ++ if (grsec_enable_mount && (retval >= 0))
63005 ++ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
63006 ++#endif
63007 ++ return;
63008 ++}
63009 ++
63010 ++void
63011 ++gr_log_unmount(const char *devname, const int retval)
63012 ++{
63013 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63014 ++ if (grsec_enable_mount && (retval >= 0))
63015 ++ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
63016 ++#endif
63017 ++ return;
63018 ++}
63019 ++
63020 ++void
63021 ++gr_log_mount(const char *from, const char *to, const int retval)
63022 ++{
63023 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63024 ++ if (grsec_enable_mount && (retval >= 0))
63025 ++ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
63026 ++#endif
63027 ++ return;
63028 ++}
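Review bot: gr_log_remount() and gr_log_unmount() guard the device name with `devname ? devname : "none"`, but gr_log_mount() passes `from` and `to` straight to gr_log_str_str(); if the mount path can ever hand this hook a NULL source or target, that reaches the format as a NULL `%s`. Either apply the same `? : "none"` fallback to both arguments or add a comment at the function explaining why the mount caller guarantees non-NULL strings while the other two callers do not.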
63029 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sig.c linux-2.6.24.5/grsecurity/grsec_sig.c
63030 +--- linux-2.6.24.5/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
63031 ++++ linux-2.6.24.5/grsecurity/grsec_sig.c 2008-03-26 20:21:09.000000000 -0400
63032 +@@ -0,0 +1,58 @@
63033 ++#include <linux/kernel.h>
63034 ++#include <linux/sched.h>
63035 ++#include <linux/delay.h>
63036 ++#include <linux/grsecurity.h>
63037 ++#include <linux/grinternal.h>
63038 ++
63039 ++void
63040 ++gr_log_signal(const int sig, const struct task_struct *t)
63041 ++{
63042 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
63043 ++ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
63044 ++ (sig == SIGABRT) || (sig == SIGBUS))) {
63045 ++ if (t->pid == current->pid) {
63046 ++ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
63047 ++ } else {
63048 ++ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
63049 ++ }
63050 ++ }
63051 ++#endif
63052 ++ return;
63053 ++}
63054 ++
63055 ++int
63056 ++gr_handle_signal(const struct task_struct *p, const int sig)
63057 ++{
63058 ++#ifdef CONFIG_GRKERNSEC
63059 ++ if (current->pid > 1 && gr_check_protected_task(p)) {
63060 ++ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
63061 ++ return -EPERM;
63062 ++ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
63063 ++ return -EPERM;
63064 ++ }
63065 ++#endif
63066 ++ return 0;
63067 ++}
63068 ++
63069 ++void gr_handle_brute_attach(struct task_struct *p)
63070 ++{
63071 ++#ifdef CONFIG_GRKERNSEC_BRUTE
63072 ++ read_lock(&tasklist_lock);
63073 ++ read_lock(&grsec_exec_file_lock);
63074 ++ if (p->parent && p->parent->exec_file == p->exec_file)
63075 ++ p->parent->brute = 1;
63076 ++ read_unlock(&grsec_exec_file_lock);
63077 ++ read_unlock(&tasklist_lock);
63078 ++#endif
63079 ++ return;
63080 ++}
63081 ++
63082 ++void gr_handle_brute_check(void)
63083 ++{
63084 ++#ifdef CONFIG_GRKERNSEC_BRUTE
63085 ++ if (current->brute)
63086 ++ msleep(30 * 1000);
63087 ++#endif
63088 ++ return;
63089 ++}
63090 ++
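Review bot: gr_handle_signal denies the chrooted case (`gr_pid_is_chrooted(...)`) with a bare `return -EPERM` and no log line, while the protected-task branch directly above logs GR_SIG_ACL_MSG; a kill() silently failing with EPERM inside a chroot is hard to diagnose, so log it the same way. The cast `(struct task_struct *)p` also discards the `const` from the parameter; gr_pid_is_chrooted only reads the task, so give it a `const struct task_struct *` parameter instead of casting at the call site. In gr_handle_brute_check the 30 second `msleep` is applied without any message either; emit one log line when the delay is first triggered so an administrator can tell a brute-force stall from a hung service.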
63091 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sock.c linux-2.6.24.5/grsecurity/grsec_sock.c
63092 +--- linux-2.6.24.5/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
63093 ++++ linux-2.6.24.5/grsecurity/grsec_sock.c 2008-03-26 20:21:09.000000000 -0400
63094 +@@ -0,0 +1,274 @@
63095 ++#include <linux/kernel.h>
63096 ++#include <linux/module.h>
63097 ++#include <linux/sched.h>
63098 ++#include <linux/file.h>
63099 ++#include <linux/net.h>
63100 ++#include <linux/in.h>
63101 ++#include <linux/ip.h>
63102 ++#include <net/sock.h>
63103 ++#include <net/inet_sock.h>
63104 ++#include <linux/grsecurity.h>
63105 ++#include <linux/grinternal.h>
63106 ++#include <linux/gracl.h>
63107 ++
63108 ++#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
63109 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
63110 ++EXPORT_SYMBOL(udp_v4_lookup);
63111 ++#endif
63112 ++
63113 ++__u32 gr_cap_rtnetlink(struct sock *sock);
63114 ++EXPORT_SYMBOL(gr_cap_rtnetlink);
63115 ++
63116 ++extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
63117 ++extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
63118 ++
63119 ++EXPORT_SYMBOL(gr_search_udp_recvmsg);
63120 ++EXPORT_SYMBOL(gr_search_udp_sendmsg);
63121 ++
63122 ++#ifdef CONFIG_UNIX_MODULE
63123 ++EXPORT_SYMBOL(gr_acl_handle_unix);
63124 ++EXPORT_SYMBOL(gr_acl_handle_mknod);
63125 ++EXPORT_SYMBOL(gr_handle_chroot_unix);
63126 ++EXPORT_SYMBOL(gr_handle_create);
63127 ++#endif
63128 ++
63129 ++#ifdef CONFIG_GRKERNSEC
63130 ++#define gr_conn_table_size 32749
63131 ++struct conn_table_entry {
63132 ++ struct conn_table_entry *next;
63133 ++ struct signal_struct *sig;
63134 ++};
63135 ++
63136 ++struct conn_table_entry *gr_conn_table[gr_conn_table_size];
63137 ++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
63138 ++
63139 ++extern const char * gr_socktype_to_name(unsigned char type);
63140 ++extern const char * gr_proto_to_name(unsigned char proto);
63141 ++
63142 ++static __inline__ int
63143 ++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
63144 ++{
63145 ++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
63146 ++}
63147 ++
63148 ++static __inline__ int
63149 ++conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
63150 ++ __u16 sport, __u16 dport)
63151 ++{
63152 ++ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
63153 ++ sig->gr_sport == sport && sig->gr_dport == dport))
63154 ++ return 1;
63155 ++ else
63156 ++ return 0;
63157 ++}
63158 ++
63159 ++static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
63160 ++{
63161 ++ struct conn_table_entry **match;
63162 ++ unsigned int index;
63163 ++
63164 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
63165 ++ sig->gr_sport, sig->gr_dport,
63166 ++ gr_conn_table_size);
63167 ++
63168 ++ newent->sig = sig;
63169 ++
63170 ++ match = &gr_conn_table[index];
63171 ++ newent->next = *match;
63172 ++ *match = newent;
63173 ++
63174 ++ return;
63175 ++}
63176 ++
63177 ++static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
63178 ++{
63179 ++ struct conn_table_entry *match, *last = NULL;
63180 ++ unsigned int index;
63181 ++
63182 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
63183 ++ sig->gr_sport, sig->gr_dport,
63184 ++ gr_conn_table_size);
63185 ++
63186 ++ match = gr_conn_table[index];
63187 ++ while (match && !conn_match(match->sig,
63188 ++ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
63189 ++ sig->gr_dport)) {
63190 ++ last = match;
63191 ++ match = match->next;
63192 ++ }
63193 ++
63194 ++ if (match) {
63195 ++ if (last)
63196 ++ last->next = match->next;
63197 ++ else
63198 ++ gr_conn_table[index] = NULL;
63199 ++ kfree(match);
63200 ++ }
63201 ++
63202 ++ return;
63203 ++}
63204 ++
63205 ++static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
63206 ++ __u16 sport, __u16 dport)
63207 ++{
63208 ++ struct conn_table_entry *match;
63209 ++ unsigned int index;
63210 ++
63211 ++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
63212 ++
63213 ++ match = gr_conn_table[index];
63214 ++ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
63215 ++ match = match->next;
63216 ++
63217 ++ if (match)
63218 ++ return match->sig;
63219 ++ else
63220 ++ return NULL;
63221 ++}
63222 ++
63223 ++#endif
63224 ++
63225 ++void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
63226 ++{
63227 ++#ifdef CONFIG_GRKERNSEC
63228 ++ struct signal_struct *sig = task->signal;
63229 ++ struct conn_table_entry *newent;
63230 ++
63231 ++ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
63232 ++ if (newent == NULL)
63233 ++ return;
63234 ++ /* no bh lock needed since we are called with bh disabled */
63235 ++ spin_lock(&gr_conn_table_lock);
63236 ++ gr_del_task_from_ip_table_nolock(sig);
63237 ++ sig->gr_saddr = inet->rcv_saddr;
63238 ++ sig->gr_daddr = inet->daddr;
63239 ++ sig->gr_sport = inet->sport;
63240 ++ sig->gr_dport = inet->dport;
63241 ++ gr_add_to_task_ip_table_nolock(sig, newent);
63242 ++ spin_unlock(&gr_conn_table_lock);
63243 ++#endif
63244 ++ return;
63245 ++}
63246 ++
63247 ++void gr_del_task_from_ip_table(struct task_struct *task)
63248 ++{
63249 ++#ifdef CONFIG_GRKERNSEC
63250 ++ spin_lock(&gr_conn_table_lock);
63251 ++ gr_del_task_from_ip_table_nolock(task->signal);
63252 ++ spin_unlock(&gr_conn_table_lock);
63253 ++#endif
63254 ++ return;
63255 ++}
63256 ++
63257 ++void
63258 ++gr_attach_curr_ip(const struct sock *sk)
63259 ++{
63260 ++#ifdef CONFIG_GRKERNSEC
63261 ++ struct signal_struct *p, *set;
63262 ++ const struct inet_sock *inet = inet_sk(sk);
63263 ++
63264 ++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
63265 ++ return;
63266 ++
63267 ++ set = current->signal;
63268 ++
63269 ++ spin_lock_bh(&gr_conn_table_lock);
63270 ++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
63271 ++ inet->dport, inet->sport);
63272 ++ if (unlikely(p != NULL)) {
63273 ++ set->curr_ip = p->curr_ip;
63274 ++ set->used_accept = 1;
63275 ++ gr_del_task_from_ip_table_nolock(p);
63276 ++ spin_unlock_bh(&gr_conn_table_lock);
63277 ++ return;
63278 ++ }
63279 ++ spin_unlock_bh(&gr_conn_table_lock);
63280 ++
63281 ++ set->curr_ip = inet->daddr;
63282 ++ set->used_accept = 1;
63283 ++#endif
63284 ++ return;
63285 ++}
63286 ++
63287 ++int
63288 ++gr_handle_sock_all(const int family, const int type, const int protocol)
63289 ++{
63290 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
63291 ++ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
63292 ++ (family != AF_UNIX) && (family != AF_LOCAL)) {
63293 ++ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
63294 ++ return -EACCES;
63295 ++ }
63296 ++#endif
63297 ++ return 0;
63298 ++}
63299 ++
63300 ++int
63301 ++gr_handle_sock_server(const struct sockaddr *sck)
63302 ++{
63303 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63304 ++ if (grsec_enable_socket_server &&
63305 ++ in_group_p(grsec_socket_server_gid) &&
63306 ++ sck && (sck->sa_family != AF_UNIX) &&
63307 ++ (sck->sa_family != AF_LOCAL)) {
63308 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
63309 ++ return -EACCES;
63310 ++ }
63311 ++#endif
63312 ++ return 0;
63313 ++}
63314 ++
63315 ++int
63316 ++gr_handle_sock_server_other(const struct sock *sck)
63317 ++{
63318 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63319 ++ if (grsec_enable_socket_server &&
63320 ++ in_group_p(grsec_socket_server_gid) &&
63321 ++ sck && (sck->sk_family != AF_UNIX) &&
63322 ++ (sck->sk_family != AF_LOCAL)) {
63323 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
63324 ++ return -EACCES;
63325 ++ }
63326 ++#endif
63327 ++ return 0;
63328 ++}
63329 ++
63330 ++int
63331 ++gr_handle_sock_client(const struct sockaddr *sck)
63332 ++{
63333 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
63334 ++ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
63335 ++ sck && (sck->sa_family != AF_UNIX) &&
63336 ++ (sck->sa_family != AF_LOCAL)) {
63337 ++ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
63338 ++ return -EACCES;
63339 ++ }
63340 ++#endif
63341 ++ return 0;
63342 ++}
63343 ++
63344 ++__u32
63345 ++gr_cap_rtnetlink(struct sock *sock)
63346 ++{
63347 ++#ifdef CONFIG_GRKERNSEC
63348 ++ if (!gr_acl_is_enabled())
63349 ++ return current->cap_effective;
63350 ++ else if (sock->sk_protocol == NETLINK_ISCSI &&
63351 ++ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
63352 ++ gr_task_is_capable(current, CAP_SYS_ADMIN))
63353 ++ return current->cap_effective;
63354 ++ else if (sock->sk_protocol == NETLINK_AUDIT &&
63355 ++ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
63356 ++ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
63357 ++ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
63358 ++ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
63359 ++ return current->cap_effective;
63360 ++ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
63361 ++ gr_task_is_capable(current, CAP_NET_ADMIN))
63362 ++ return current->cap_effective;
63363 ++ else
63364 ++ return 0;
63365 ++#else
63366 ++ return current->cap_effective;
63367 ++#endif
63368 ++}
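Review bot: gr_del_task_from_ip_table_nolock drops entries when the match sits at the head of a bucket: the `else` branch does `gr_conn_table[index] = NULL`, which unlinks every entry chained behind `match`, not just `match` itself, so those entries leak and later lookups and deletions for the tasks they describe silently fail. It should be `gr_conn_table[index] = match->next;`, mirroring `last->next = match->next` in the other branch. Two smaller items: `spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED` uses the deprecated initializer, `DEFINE_SPINLOCK(gr_conn_table_lock)` is the current form; and gr_update_task_in_ip_table takes the lock with plain `spin_lock` on the strength of the comment "called with bh disabled", while gr_attach_curr_ip uses `spin_lock_bh`, so please confirm that every caller of gr_update_task_in_ip_table and gr_del_task_from_ip_table really runs with bottom halves disabled; otherwise a softirq-side acquisition can deadlock against a process-context holder.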
63369 +diff -urNp linux-2.6.24.5/grsecurity/grsec_sysctl.c linux-2.6.24.5/grsecurity/grsec_sysctl.c
63370 +--- linux-2.6.24.5/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
63371 ++++ linux-2.6.24.5/grsecurity/grsec_sysctl.c 2008-03-26 20:21:09.000000000 -0400
63372 +@@ -0,0 +1,435 @@
63373 ++#include <linux/kernel.h>
63374 ++#include <linux/sched.h>
63375 ++#include <linux/sysctl.h>
63376 ++#include <linux/grsecurity.h>
63377 ++#include <linux/grinternal.h>
63378 ++
63379 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63380 ++int grsec_modstop;
63381 ++#endif
63382 ++
63383 ++int
63384 ++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
63385 ++{
63386 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
63387 ++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
63388 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
63389 ++ return -EACCES;
63390 ++ }
63391 ++#endif
63392 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63393 ++ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
63394 ++ grsec_modstop && (op & 002)) {
63395 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
63396 ++ return -EACCES;
63397 ++ }
63398 ++#endif
63399 ++ return 0;
63400 ++}
63401 ++
63402 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
63403 ++ctl_table grsecurity_table[] = {
63404 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
63405 ++#ifdef CONFIG_GRKERNSEC_LINK
63406 ++ {
63407 ++ .ctl_name = CTL_UNNUMBERED,
63408 ++ .procname = "linking_restrictions",
63409 ++ .data = &grsec_enable_link,
63410 ++ .maxlen = sizeof(int),
63411 ++ .mode = 0600,
63412 ++ .proc_handler = &proc_dointvec,
63413 ++ },
63414 ++#endif
63415 ++#ifdef CONFIG_GRKERNSEC_FIFO
63416 ++ {
63417 ++ .ctl_name = CTL_UNNUMBERED,
63418 ++ .procname = "fifo_restrictions",
63419 ++ .data = &grsec_enable_fifo,
63420 ++ .maxlen = sizeof(int),
63421 ++ .mode = 0600,
63422 ++ .proc_handler = &proc_dointvec,
63423 ++ },
63424 ++#endif
63425 ++#ifdef CONFIG_GRKERNSEC_EXECVE
63426 ++ {
63427 ++ .ctl_name = CTL_UNNUMBERED,
63428 ++ .procname = "execve_limiting",
63429 ++ .data = &grsec_enable_execve,
63430 ++ .maxlen = sizeof(int),
63431 ++ .mode = 0600,
63432 ++ .proc_handler = &proc_dointvec,
63433 ++ },
63434 ++#endif
63435 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
63436 ++ {
63437 ++ .ctl_name = CTL_UNNUMBERED,
63438 ++ .procname = "exec_logging",
63439 ++ .data = &grsec_enable_execlog,
63440 ++ .maxlen = sizeof(int),
63441 ++ .mode = 0600,
63442 ++ .proc_handler = &proc_dointvec,
63443 ++ },
63444 ++#endif
63445 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
63446 ++ {
63447 ++ .ctl_name = CTL_UNNUMBERED,
63448 ++ .procname = "signal_logging",
63449 ++ .data = &grsec_enable_signal,
63450 ++ .maxlen = sizeof(int),
63451 ++ .mode = 0600,
63452 ++ .proc_handler = &proc_dointvec,
63453 ++ },
63454 ++#endif
63455 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
63456 ++ {
63457 ++ .ctl_name = CTL_UNNUMBERED,
63458 ++ .procname = "forkfail_logging",
63459 ++ .data = &grsec_enable_forkfail,
63460 ++ .maxlen = sizeof(int),
63461 ++ .mode = 0600,
63462 ++ .proc_handler = &proc_dointvec,
63463 ++ },
63464 ++#endif
63465 ++#ifdef CONFIG_GRKERNSEC_TIME
63466 ++ {
63467 ++ .ctl_name = CTL_UNNUMBERED,
63468 ++ .procname = "timechange_logging",
63469 ++ .data = &grsec_enable_time,
63470 ++ .maxlen = sizeof(int),
63471 ++ .mode = 0600,
63472 ++ .proc_handler = &proc_dointvec,
63473 ++ },
63474 ++#endif
63475 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
63476 ++ {
63477 ++ .ctl_name = CTL_UNNUMBERED,
63478 ++ .procname = "chroot_deny_shmat",
63479 ++ .data = &grsec_enable_chroot_shmat,
63480 ++ .maxlen = sizeof(int),
63481 ++ .mode = 0600,
63482 ++ .proc_handler = &proc_dointvec,
63483 ++ },
63484 ++#endif
63485 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
63486 ++ {
63487 ++ .ctl_name = CTL_UNNUMBERED,
63488 ++ .procname = "chroot_deny_unix",
63489 ++ .data = &grsec_enable_chroot_unix,
63490 ++ .maxlen = sizeof(int),
63491 ++ .mode = 0600,
63492 ++ .proc_handler = &proc_dointvec,
63493 ++ },
63494 ++#endif
63495 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
63496 ++ {
63497 ++ .ctl_name = CTL_UNNUMBERED,
63498 ++ .procname = "chroot_deny_mount",
63499 ++ .data = &grsec_enable_chroot_mount,
63500 ++ .maxlen = sizeof(int),
63501 ++ .mode = 0600,
63502 ++ .proc_handler = &proc_dointvec,
63503 ++ },
63504 ++#endif
63505 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
63506 ++ {
63507 ++ .ctl_name = CTL_UNNUMBERED,
63508 ++ .procname = "chroot_deny_fchdir",
63509 ++ .data = &grsec_enable_chroot_fchdir,
63510 ++ .maxlen = sizeof(int),
63511 ++ .mode = 0600,
63512 ++ .proc_handler = &proc_dointvec,
63513 ++ },
63514 ++#endif
63515 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
63516 ++ {
63517 ++ .ctl_name = CTL_UNNUMBERED,
63518 ++ .procname = "chroot_deny_chroot",
63519 ++ .data = &grsec_enable_chroot_double,
63520 ++ .maxlen = sizeof(int),
63521 ++ .mode = 0600,
63522 ++ .proc_handler = &proc_dointvec,
63523 ++ },
63524 ++#endif
63525 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
63526 ++ {
63527 ++ .ctl_name = CTL_UNNUMBERED,
63528 ++ .procname = "chroot_deny_pivot",
63529 ++ .data = &grsec_enable_chroot_pivot,
63530 ++ .maxlen = sizeof(int),
63531 ++ .mode = 0600,
63532 ++ .proc_handler = &proc_dointvec,
63533 ++ },
63534 ++#endif
63535 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
63536 ++ {
63537 ++ .ctl_name = CTL_UNNUMBERED,
63538 ++ .procname = "chroot_enforce_chdir",
63539 ++ .data = &grsec_enable_chroot_chdir,
63540 ++ .maxlen = sizeof(int),
63541 ++ .mode = 0600,
63542 ++ .proc_handler = &proc_dointvec,
63543 ++ },
63544 ++#endif
63545 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
63546 ++ {
63547 ++ .ctl_name = CTL_UNNUMBERED,
63548 ++ .procname = "chroot_deny_chmod",
63549 ++ .data = &grsec_enable_chroot_chmod,
63550 ++ .maxlen = sizeof(int),
63551 ++ .mode = 0600,
63552 ++ .proc_handler = &proc_dointvec,
63553 ++ },
63554 ++#endif
63555 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
63556 ++ {
63557 ++ .ctl_name = CTL_UNNUMBERED,
63558 ++ .procname = "chroot_deny_mknod",
63559 ++ .data = &grsec_enable_chroot_mknod,
63560 ++ .maxlen = sizeof(int),
63561 ++ .mode = 0600,
63562 ++ .proc_handler = &proc_dointvec,
63563 ++ },
63564 ++#endif
63565 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
63566 ++ {
63567 ++ .ctl_name = CTL_UNNUMBERED,
63568 ++ .procname = "chroot_restrict_nice",
63569 ++ .data = &grsec_enable_chroot_nice,
63570 ++ .maxlen = sizeof(int),
63571 ++ .mode = 0600,
63572 ++ .proc_handler = &proc_dointvec,
63573 ++ },
63574 ++#endif
63575 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
63576 ++ {
63577 ++ .ctl_name = CTL_UNNUMBERED,
63578 ++ .procname = "chroot_execlog",
63579 ++ .data = &grsec_enable_chroot_execlog,
63580 ++ .maxlen = sizeof(int),
63581 ++ .mode = 0600,
63582 ++ .proc_handler = &proc_dointvec,
63583 ++ },
63584 ++#endif
63585 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
63586 ++ {
63587 ++ .ctl_name = CTL_UNNUMBERED,
63588 ++ .procname = "chroot_caps",
63589 ++ .data = &grsec_enable_chroot_caps,
63590 ++ .maxlen = sizeof(int),
63591 ++ .mode = 0600,
63592 ++ .proc_handler = &proc_dointvec,
63593 ++ },
63594 ++#endif
63595 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
63596 ++ {
63597 ++ .ctl_name = CTL_UNNUMBERED,
63598 ++ .procname = "chroot_deny_sysctl",
63599 ++ .data = &grsec_enable_chroot_sysctl,
63600 ++ .maxlen = sizeof(int),
63601 ++ .mode = 0600,
63602 ++ .proc_handler = &proc_dointvec,
63603 ++ },
63604 ++#endif
63605 ++#ifdef CONFIG_GRKERNSEC_TPE
63606 ++ {
63607 ++ .ctl_name = CTL_UNNUMBERED,
63608 ++ .procname = "tpe",
63609 ++ .data = &grsec_enable_tpe,
63610 ++ .maxlen = sizeof(int),
63611 ++ .mode = 0600,
63612 ++ .proc_handler = &proc_dointvec,
63613 ++ },
63614 ++ {
63615 ++ .ctl_name = CTL_UNNUMBERED,
63616 ++ .procname = "tpe_gid",
63617 ++ .data = &grsec_tpe_gid,
63618 ++ .maxlen = sizeof(int),
63619 ++ .mode = 0600,
63620 ++ .proc_handler = &proc_dointvec,
63621 ++ },
63622 ++#endif
63623 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
63624 ++ {
63625 ++ .ctl_name = CTL_UNNUMBERED,
63626 ++ .procname = "tpe_restrict_all",
63627 ++ .data = &grsec_enable_tpe_all,
63628 ++ .maxlen = sizeof(int),
63629 ++ .mode = 0600,
63630 ++ .proc_handler = &proc_dointvec,
63631 ++ },
63632 ++#endif
63633 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
63634 ++ {
63635 ++ .ctl_name = CTL_UNNUMBERED,
63636 ++ .procname = "socket_all",
63637 ++ .data = &grsec_enable_socket_all,
63638 ++ .maxlen = sizeof(int),
63639 ++ .mode = 0600,
63640 ++ .proc_handler = &proc_dointvec,
63641 ++ },
63642 ++ {
63643 ++ .ctl_name = CTL_UNNUMBERED,
63644 ++ .procname = "socket_all_gid",
63645 ++ .data = &grsec_socket_all_gid,
63646 ++ .maxlen = sizeof(int),
63647 ++ .mode = 0600,
63648 ++ .proc_handler = &proc_dointvec,
63649 ++ },
63650 ++#endif
63651 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
63652 ++ {
63653 ++ .ctl_name = CTL_UNNUMBERED,
63654 ++ .procname = "socket_client",
63655 ++ .data = &grsec_enable_socket_client,
63656 ++ .maxlen = sizeof(int),
63657 ++ .mode = 0600,
63658 ++ .proc_handler = &proc_dointvec,
63659 ++ },
63660 ++ {
63661 ++ .ctl_name = CTL_UNNUMBERED,
63662 ++ .procname = "socket_client_gid",
63663 ++ .data = &grsec_socket_client_gid,
63664 ++ .maxlen = sizeof(int),
63665 ++ .mode = 0600,
63666 ++ .proc_handler = &proc_dointvec,
63667 ++ },
63668 ++#endif
63669 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
63670 ++ {
63671 ++ .ctl_name = CTL_UNNUMBERED,
63672 ++ .procname = "socket_server",
63673 ++ .data = &grsec_enable_socket_server,
63674 ++ .maxlen = sizeof(int),
63675 ++ .mode = 0600,
63676 ++ .proc_handler = &proc_dointvec,
63677 ++ },
63678 ++ {
63679 ++ .ctl_name = CTL_UNNUMBERED,
63680 ++ .procname = "socket_server_gid",
63681 ++ .data = &grsec_socket_server_gid,
63682 ++ .maxlen = sizeof(int),
63683 ++ .mode = 0600,
63684 ++ .proc_handler = &proc_dointvec,
63685 ++ },
63686 ++#endif
63687 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
63688 ++ {
63689 ++ .ctl_name = CTL_UNNUMBERED,
63690 ++ .procname = "audit_group",
63691 ++ .data = &grsec_enable_group,
63692 ++ .maxlen = sizeof(int),
63693 ++ .mode = 0600,
63694 ++ .proc_handler = &proc_dointvec,
63695 ++ },
63696 ++ {
63697 ++ .ctl_name = CTL_UNNUMBERED,
63698 ++ .procname = "audit_gid",
63699 ++ .data = &grsec_audit_gid,
63700 ++ .maxlen = sizeof(int),
63701 ++ .mode = 0600,
63702 ++ .proc_handler = &proc_dointvec,
63703 ++ },
63704 ++#endif
63705 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
63706 ++ {
63707 ++ .ctl_name = CTL_UNNUMBERED,
63708 ++ .procname = "audit_chdir",
63709 ++ .data = &grsec_enable_chdir,
63710 ++ .maxlen = sizeof(int),
63711 ++ .mode = 0600,
63712 ++ .proc_handler = &proc_dointvec,
63713 ++ },
63714 ++#endif
63715 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
63716 ++ {
63717 ++ .ctl_name = CTL_UNNUMBERED,
63718 ++ .procname = "audit_mount",
63719 ++ .data = &grsec_enable_mount,
63720 ++ .maxlen = sizeof(int),
63721 ++ .mode = 0600,
63722 ++ .proc_handler = &proc_dointvec,
63723 ++ },
63724 ++#endif
63725 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
63726 ++ {
63727 ++ .ctl_name = CTL_UNNUMBERED,
63728 ++ .procname = "audit_ipc",
63729 ++ .data = &grsec_enable_audit_ipc,
63730 ++ .maxlen = sizeof(int),
63731 ++ .mode = 0600,
63732 ++ .proc_handler = &proc_dointvec,
63733 ++ },
63734 ++#endif
63735 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
63736 ++ {
63737 ++ .ctl_name = CTL_UNNUMBERED,
63738 ++ .procname = "audit_textrel",
63739 ++ .data = &grsec_enable_audit_textrel,
63740 ++ .maxlen = sizeof(int),
63741 ++ .mode = 0600,
63742 ++ .proc_handler = &proc_dointvec,
63743 ++ },
63744 ++#endif
63745 ++#ifdef CONFIG_GRKERNSEC_DMESG
63746 ++ {
63747 ++ .ctl_name = CTL_UNNUMBERED,
63748 ++ .procname = "dmesg",
63749 ++ .data = &grsec_enable_dmesg,
63750 ++ .maxlen = sizeof(int),
63751 ++ .mode = 0600,
63752 ++ .proc_handler = &proc_dointvec,
63753 ++ },
63754 ++#endif
63755 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
63756 ++ {
63757 ++ .ctl_name = CTL_UNNUMBERED,
63758 ++ .procname = "chroot_findtask",
63759 ++ .data = &grsec_enable_chroot_findtask,
63760 ++ .maxlen = sizeof(int),
63761 ++ .mode = 0600,
63762 ++ .proc_handler = &proc_dointvec,
63763 ++ },
63764 ++#endif
63765 ++#ifdef CONFIG_GRKERNSEC_RESLOG
63766 ++ {
63767 ++ .ctl_name = CTL_UNNUMBERED,
63768 ++ .procname = "resource_logging",
63769 ++ .data = &grsec_resource_logging,
63770 ++ .maxlen = sizeof(int),
63771 ++ .mode = 0600,
63772 ++ .proc_handler = &proc_dointvec,
63773 ++ },
63774 ++#endif
63775 ++ {
63776 ++ .ctl_name = CTL_UNNUMBERED,
63777 ++ .procname = "grsec_lock",
63778 ++ .data = &grsec_lock,
63779 ++ .maxlen = sizeof(int),
63780 ++ .mode = 0600,
63781 ++ .proc_handler = &proc_dointvec,
63782 ++ },
63783 ++#endif
63784 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63785 ++ {
63786 ++ .ctl_name = CTL_UNNUMBERED,
63787 ++ .procname = "disable_modules",
63788 ++ .data = &grsec_modstop,
63789 ++ .maxlen = sizeof(int),
63790 ++ .mode = 0600,
63791 ++ .proc_handler = &proc_dointvec,
63792 ++ },
63793 ++#endif
63794 ++ { .ctl_name = 0 }
63795 ++};
63796 ++#endif
63797 ++
63798 ++int gr_check_modstop(void)
63799 ++{
63800 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
63801 ++ if (grsec_modstop == 1) {
63802 ++ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
63803 ++ return 1;
63804 ++ }
63805 ++#endif
63806 ++ return 0;
63807 ++}
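Review bot: gr_check_modstop tests `grsec_modstop == 1`, but the `disable_modules` entry is a plain `proc_dointvec` with no range, so a write of, say, 2 sets the variable (and, through the `grsec_modstop && (op & 002)` guard in gr_handle_sysctl_mod, locks it against further writes) without actually stopping module loading. Either test `grsec_modstop != 0` or switch the entry to `proc_dointvec_minmax` with extra1/extra2 bounding it to 0..1. The same unbounded `proc_dointvec` is used for every other boolean knob in grsecurity_table and for the `*_gid` entries, where a negative or otherwise nonsensical value is accepted silently.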
63808 +diff -urNp linux-2.6.24.5/grsecurity/grsec_textrel.c linux-2.6.24.5/grsecurity/grsec_textrel.c
63809 +--- linux-2.6.24.5/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
63810 ++++ linux-2.6.24.5/grsecurity/grsec_textrel.c 2008-03-26 20:21:09.000000000 -0400
63811 +@@ -0,0 +1,16 @@
63812 ++#include <linux/kernel.h>
63813 ++#include <linux/sched.h>
63814 ++#include <linux/mm.h>
63815 ++#include <linux/file.h>
63816 ++#include <linux/grinternal.h>
63817 ++#include <linux/grsecurity.h>
63818 ++
63819 ++void
63820 ++gr_log_textrel(struct vm_area_struct * vma)
63821 ++{
63822 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
63823 ++ if (grsec_enable_audit_textrel)
63824 ++ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
63825 ++#endif
63826 ++ return;
63827 ++}
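Review bot: gr_log_textrel passes `vma->vm_file` straight to gr_log_textrel_ulong_ulong; whether that helper tolerates a NULL file is not visible in this hunk, so either add an `if (vma->vm_file)` guard here or document that the only caller guarantees a file-backed mapping. Minor style: `struct vm_area_struct * vma` should be `struct vm_area_struct *vma`.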
63828 +diff -urNp linux-2.6.24.5/grsecurity/grsec_time.c linux-2.6.24.5/grsecurity/grsec_time.c
63829 +--- linux-2.6.24.5/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
63830 ++++ linux-2.6.24.5/grsecurity/grsec_time.c 2008-03-26 20:21:09.000000000 -0400
63831 +@@ -0,0 +1,13 @@
63832 ++#include <linux/kernel.h>
63833 ++#include <linux/sched.h>
63834 ++#include <linux/grinternal.h>
63835 ++
63836 ++void
63837 ++gr_log_timechange(void)
63838 ++{
63839 ++#ifdef CONFIG_GRKERNSEC_TIME
63840 ++ if (grsec_enable_time)
63841 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
63842 ++#endif
63843 ++ return;
63844 ++}
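Review bot: gr_log_timechange records only that the time changed (GR_TIME_MSG with no arguments), which is too little for forensic use: the caller knows the requested time and which interface was used (settimeofday, adjtimex, stime), so pass at least the new value so the log entry shows the direction and size of the jump.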
63845 +diff -urNp linux-2.6.24.5/grsecurity/grsec_tpe.c linux-2.6.24.5/grsecurity/grsec_tpe.c
63846 +--- linux-2.6.24.5/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
63847 ++++ linux-2.6.24.5/grsecurity/grsec_tpe.c 2008-03-26 20:21:09.000000000 -0400
63848 +@@ -0,0 +1,37 @@
63849 ++#include <linux/kernel.h>
63850 ++#include <linux/sched.h>
63851 ++#include <linux/file.h>
63852 ++#include <linux/fs.h>
63853 ++#include <linux/grinternal.h>
63854 ++
63855 ++extern int gr_acl_tpe_check(void);
63856 ++
63857 ++int
63858 ++gr_tpe_allow(const struct file *file)
63859 ++{
63860 ++#ifdef CONFIG_GRKERNSEC
63861 ++ struct inode *inode = file->f_dentry->d_parent->d_inode;
63862 ++
63863 ++ if (current->uid && ((grsec_enable_tpe &&
63864 ++#ifdef CONFIG_GRKERNSEC_TPE_INVERT
63865 ++ !in_group_p(grsec_tpe_gid)
63866 ++#else
63867 ++ in_group_p(grsec_tpe_gid)
63868 ++#endif
63869 ++ ) || gr_acl_tpe_check()) &&
63870 ++ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
63871 ++ (inode->i_mode & S_IWOTH))))) {
63872 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
63873 ++ return 0;
63874 ++ }
63875 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
63876 ++ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
63877 ++ ((inode->i_uid && (inode->i_uid != current->uid)) ||
63878 ++ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
63879 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
63880 ++ return 0;
63881 ++ }
63882 ++#endif
63883 ++#endif
63884 ++ return 1;
63885 ++}
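Review bot: In gr_tpe_allow the condition `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` has a redundant `!inode->i_uid &&` (that branch is only reached when `inode->i_uid` is zero) and reads more clearly as `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`. Also worth a comment: the check inspects only the parent directory of the path the binary was opened through (`f_dentry->d_parent`), not the file's own owner or mode, so a user-writable file inside a root-owned, non-writable directory is allowed; if that is the intended semantics it should be stated in the Kconfig help. `f_dentry` and `f_vfsmnt` are compatibility macros in 2.6.24; `file->f_path.dentry` and `file->f_path.mnt` are the current names.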
63886 +diff -urNp linux-2.6.24.5/grsecurity/grsum.c linux-2.6.24.5/grsecurity/grsum.c
63887 +--- linux-2.6.24.5/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
63888 ++++ linux-2.6.24.5/grsecurity/grsum.c 2008-03-26 20:21:09.000000000 -0400
63889 +@@ -0,0 +1,59 @@
63890 ++#include <linux/err.h>
63891 ++#include <linux/kernel.h>
63892 ++#include <linux/sched.h>
63893 ++#include <linux/mm.h>
63894 ++#include <linux/scatterlist.h>
63895 ++#include <linux/crypto.h>
63896 ++#include <linux/gracl.h>
63897 ++
63898 ++
63899 ++#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
63900 ++#error "crypto and sha256 must be built into the kernel"
63901 ++#endif
63902 ++
63903 ++int
63904 ++chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
63905 ++{
63906 ++ char *p;
63907 ++ struct crypto_hash *tfm;
63908 ++ struct hash_desc desc;
63909 ++ struct scatterlist sg;
63910 ++ unsigned char temp_sum[GR_SHA_LEN];
63911 ++ volatile int retval = 0;
63912 ++ volatile int dummy = 0;
63913 ++ unsigned int i;
63914 ++
63915 ++ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
63916 ++ if (IS_ERR(tfm)) {
63917 ++ /* should never happen, since sha256 should be built in */
63918 ++ return 1;
63919 ++ }
63920 ++
63921 ++ desc.tfm = tfm;
63922 ++ desc.flags = 0;
63923 ++
63924 ++ crypto_hash_init(&desc);
63925 ++
63926 ++ p = salt;
63927 ++ sg_set_buf(&sg, p, GR_SALT_LEN);
63928 ++ crypto_hash_update(&desc, &sg, sg.length);
63929 ++
63930 ++ p = entry->pw;
63931 ++ sg_set_buf(&sg, p, strlen(p));
63932 ++
63933 ++ crypto_hash_update(&desc, &sg, sg.length);
63934 ++
63935 ++ crypto_hash_final(&desc, temp_sum);
63936 ++
63937 ++ memset(entry->pw, 0, GR_PW_LEN);
63938 ++
63939 ++ for (i = 0; i < GR_SHA_LEN; i++)
63940 ++ if (sum[i] != temp_sum[i])
63941 ++ retval = 1;
63942 ++ else
63943 ++ dummy = 1; // waste a cycle
63944 ++
63945 ++ crypto_free_hash(tfm);
63946 ++
63947 ++ return retval;
63948 ++}
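Review bot: The comparison loop in chkpw is not actually constant-time: `volatile` forces the two stores to happen, but the `if (sum[i] != temp_sum[i])` branch still executes differently depending on which bytes match, and the `dummy` store does not remove that. Replace the loop with a branch-free accumulate, e.g. `unsigned char diff = 0; for (i = 0; i < GR_SHA_LEN; i++) diff |= sum[i] ^ temp_sum[i]; return diff != 0;`, and drop `dummy`. Two more items: the return values of crypto_hash_init/update/final are ignored, so a failure inside the hash would leave temp_sum uninitialised and the function would compare garbage; and `strlen(entry->pw)` assumes the password buffer copied into gr_arg is NUL-terminated within GR_PW_LEN, which must be enforced where the struct is copied in from user space (not visible in this hunk). temp_sum is also left on the stack after use; clear it alongside entry->pw.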
63949 +diff -urNp linux-2.6.24.5/grsecurity/Kconfig linux-2.6.24.5/grsecurity/Kconfig
63950 +--- linux-2.6.24.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
63951 ++++ linux-2.6.24.5/grsecurity/Kconfig 2008-03-26 20:21:09.000000000 -0400
63952 +@@ -0,0 +1,861 @@
63953 ++#
63954 ++# grecurity configuration
63955 ++#
63956 ++
63957 ++menu "Grsecurity"
63958 ++
63959 ++config GRKERNSEC
63960 ++ bool "Grsecurity"
63961 ++ select CRYPTO
63962 ++ select CRYPTO_SHA256
63963 ++ select SECURITY
63964 ++ select SECURITY_CAPABILITIES
63965 ++ help
63966 ++ If you say Y here, you will be able to configure many features
63967 ++ that will enhance the security of your system. It is highly
63968 ++ recommended that you say Y here and read through the help
63969 ++ for each option so that you fully understand the features and
63970 ++ can evaluate their usefulness for your machine.
63971 ++
63972 ++choice
63973 ++ prompt "Security Level"
63974 ++ depends on GRKERNSEC
63975 ++ default GRKERNSEC_CUSTOM
63976 ++
63977 ++config GRKERNSEC_LOW
63978 ++ bool "Low"
63979 ++ select GRKERNSEC_LINK
63980 ++ select GRKERNSEC_FIFO
63981 ++ select GRKERNSEC_EXECVE
63982 ++ select GRKERNSEC_RANDNET
63983 ++ select GRKERNSEC_DMESG
63984 ++ select GRKERNSEC_CHROOT_CHDIR
63985 ++ select GRKERNSEC_MODSTOP if (MODULES)
63986 ++
63987 ++ help
63988 ++ If you choose this option, several of the grsecurity options will
63989 ++ be enabled that will give you greater protection against a number
63990 ++ of attacks, while assuring that none of your software will have any
63991 ++ conflicts with the additional security measures. If you run a lot
63992 ++ of unusual software, or you are having problems with the higher
63993 ++ security levels, you should say Y here. With this option, the
63994 ++ following features are enabled:
63995 ++
63996 ++ - Linking restrictions
63997 ++ - FIFO restrictions
63998 ++ - Enforcing RLIMIT_NPROC on execve
63999 ++ - Restricted dmesg
64000 ++ - Enforced chdir("/") on chroot
64001 ++ - Runtime module disabling
64002 ++
64003 ++config GRKERNSEC_MEDIUM
64004 ++ bool "Medium"
64005 ++ select PAX
64006 ++ select PAX_EI_PAX
64007 ++ select PAX_PT_PAX_FLAGS
64008 ++ select PAX_HAVE_ACL_FLAGS
64009 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
64010 ++ select GRKERNSEC_CHROOT_SYSCTL
64011 ++ select GRKERNSEC_LINK
64012 ++ select GRKERNSEC_FIFO
64013 ++ select GRKERNSEC_EXECVE
64014 ++ select GRKERNSEC_DMESG
64015 ++ select GRKERNSEC_RANDNET
64016 ++ select GRKERNSEC_FORKFAIL
64017 ++ select GRKERNSEC_TIME
64018 ++ select GRKERNSEC_SIGNAL
64019 ++ select GRKERNSEC_CHROOT
64020 ++ select GRKERNSEC_CHROOT_UNIX
64021 ++ select GRKERNSEC_CHROOT_MOUNT
64022 ++ select GRKERNSEC_CHROOT_PIVOT
64023 ++ select GRKERNSEC_CHROOT_DOUBLE
64024 ++ select GRKERNSEC_CHROOT_CHDIR
64025 ++ select GRKERNSEC_CHROOT_MKNOD
64026 ++ select GRKERNSEC_PROC
64027 ++ select GRKERNSEC_PROC_USERGROUP
64028 ++ select GRKERNSEC_MODSTOP if (MODULES)
64029 ++ select PAX_RANDUSTACK
64030 ++ select PAX_ASLR
64031 ++ select PAX_RANDMMAP
64032 ++
64033 ++ help
64034 ++ If you say Y here, several features in addition to those included
64035 ++ in the low additional security level will be enabled. These
64036 ++ features provide even more security to your system, though in rare
64037 ++ cases they may be incompatible with very old or poorly written
64038 ++ software. If you enable this option, make sure that your auth
64039 ++ service (identd) is running as gid 1001. With this option,
64040 ++ the following features (in addition to those provided in the
64041 ++ low additional security level) will be enabled:
64042 ++
64043 ++ - Failed fork logging
64044 ++ - Time change logging
64045 ++ - Signal logging
64046 ++ - Deny mounts in chroot
64047 ++ - Deny double chrooting
64048 ++ - Deny sysctl writes in chroot
64049 ++ - Deny mknod in chroot
64050 ++ - Deny access to abstract AF_UNIX sockets out of chroot
64051 ++ - Deny pivot_root in chroot
64052 ++ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
64053 ++ - /proc restrictions with special GID set to 10 (usually wheel)
64054 ++ - Address Space Layout Randomization (ASLR)
64055 ++
64056 ++config GRKERNSEC_HIGH
64057 ++ bool "High"
64058 ++ select GRKERNSEC_LINK
64059 ++ select GRKERNSEC_FIFO
64060 ++ select GRKERNSEC_EXECVE
64061 ++ select GRKERNSEC_DMESG
64062 ++ select GRKERNSEC_FORKFAIL
64063 ++ select GRKERNSEC_TIME
64064 ++ select GRKERNSEC_SIGNAL
64065 ++ select GRKERNSEC_CHROOT_SHMAT
64066 ++ select GRKERNSEC_CHROOT_UNIX
64067 ++ select GRKERNSEC_CHROOT_MOUNT
64068 ++ select GRKERNSEC_CHROOT_FCHDIR
64069 ++ select GRKERNSEC_CHROOT_PIVOT
64070 ++ select GRKERNSEC_CHROOT_DOUBLE
64071 ++ select GRKERNSEC_CHROOT_CHDIR
64072 ++ select GRKERNSEC_CHROOT_MKNOD
64073 ++ select GRKERNSEC_CHROOT_CAPS
64074 ++ select GRKERNSEC_CHROOT_SYSCTL
64075 ++ select GRKERNSEC_CHROOT_FINDTASK
64076 ++ select GRKERNSEC_PROC
64077 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
64078 ++ select GRKERNSEC_HIDESYM
64079 ++ select GRKERNSEC_BRUTE
64080 ++ select GRKERNSEC_PROC_USERGROUP
64081 ++ select GRKERNSEC_KMEM
64082 ++ select GRKERNSEC_RESLOG
64083 ++ select GRKERNSEC_RANDNET
64084 ++ select GRKERNSEC_PROC_ADD
64085 ++ select GRKERNSEC_CHROOT_CHMOD
64086 ++ select GRKERNSEC_CHROOT_NICE
64087 ++ select GRKERNSEC_AUDIT_MOUNT
64088 ++ select GRKERNSEC_MODSTOP if (MODULES)
64089 ++ select PAX
64090 ++ select PAX_RANDUSTACK
64091 ++ select PAX_ASLR
64092 ++ select PAX_RANDMMAP
64093 ++ select PAX_NOEXEC
64094 ++ select PAX_MPROTECT
64095 ++ select PAX_EI_PAX
64096 ++ select PAX_PT_PAX_FLAGS
64097 ++ select PAX_HAVE_ACL_FLAGS
64098 ++ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
64099 ++ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
64100 ++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
64101 ++ select PAX_SEGMEXEC if (X86 && !X86_64)
64102 ++ select PAX_PAGEEXEC if (!X86)
64103 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
64104 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
64105 ++ select PAX_SYSCALL if (PPC32)
64106 ++ select PAX_EMUTRAMP if (PARISC)
64107 ++ select PAX_EMUSIGRT if (PARISC)
64108 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
64109 ++ help
64110 ++ If you say Y here, many of the features of grsecurity will be
64111 ++ enabled, which will protect you against many kinds of attacks
64112 ++ against your system. The heightened security comes at a cost
64113 ++ of an increased chance of incompatibilities with rare software
64114 ++ on your machine. Since this security level enables PaX, you should
64115 ++ view <http://pax.grsecurity.net> and read about the PaX
64116 ++ project. While you are there, download chpax and run it on
64117 ++ binaries that cause problems with PaX. Also remember that
64118 ++ since the /proc restrictions are enabled, you must run your
64119 ++ identd as gid 1001. This security level enables the following
64120 ++ features in addition to those listed in the low and medium
64121 ++ security levels:
64122 ++
64123 ++ - Additional /proc restrictions
64124 ++ - Chmod restrictions in chroot
64125 ++ - No signals, ptrace, or viewing of processes outside of chroot
64126 ++ - Capability restrictions in chroot
64127 ++ - Deny fchdir out of chroot
64128 ++ - Priority restrictions in chroot
64129 ++ - Segmentation-based implementation of PaX
64130 ++ - Mprotect restrictions
64131 ++ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
64132 ++ - Kernel stack randomization
64133 ++ - Mount/unmount/remount logging
64134 ++ - Kernel symbol hiding
64135 ++ - Prevention of memory exhaustion-based exploits
64136 ++config GRKERNSEC_CUSTOM
64137 ++ bool "Custom"
64138 ++ help
64139 ++ If you say Y here, you will be able to configure every grsecurity
64140 ++ option, which allows you to enable many more features that aren't
64141 ++ covered in the basic security levels. These additional features
64142 ++ include TPE, socket restrictions, and the sysctl system for
64143 ++ grsecurity. It is advised that you read through the help for
64144 ++ each option to determine its usefulness in your situation.
64145 ++
64146 ++endchoice
64147 ++
64148 ++menu "Address Space Protection"
64149 ++depends on GRKERNSEC
64150 ++
64151 ++config GRKERNSEC_KMEM
64152 ++ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
64153 ++ help
64154 ++ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
64155 ++ be written to via mmap or otherwise to modify the running kernel.
64156 ++ /dev/port will also not be allowed to be opened. If you have module
64157 ++ support disabled, enabling this will close up four ways that are
64158 ++ currently used to insert malicious code into the running kernel.
64159 ++ Even with all these features enabled, we still highly recommend that
64160 ++ you use the RBAC system, as it is still possible for an attacker to
64161 ++ modify the running kernel through privileged I/O granted by ioperm/iopl.
64162 ++ If you are not using XFree86, you may be able to stop this additional
64163 ++ case by enabling the 'Disable privileged I/O' option. Though nothing
64164 ++ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
64165 ++ but only to video memory, which is the only writing we allow in this
64166 ++ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
64167 ++ not be allowed to mprotect it with PROT_WRITE later.
64168 ++ It is highly recommended that you say Y here if you meet all the
64169 ++ conditions above.
64170 ++
64171 ++config GRKERNSEC_IO
64172 ++ bool "Disable privileged I/O"
64173 ++ depends on X86
64174 ++ select RTC
64175 ++ help
64176 ++ If you say Y here, all ioperm and iopl calls will return an error.
64177 ++ Ioperm and iopl can be used to modify the running kernel.
64178 ++ Unfortunately, some programs need this access to operate properly,
64179 ++ the most notable of which are XFree86 and hwclock. hwclock can be
64180 ++ remedied by having RTC support in the kernel, so CONFIG_RTC is
64181 ++ enabled if this option is enabled, to ensure that hwclock operates
64182 ++ correctly. XFree86 still will not operate correctly with this option
64183 ++ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
64184 ++ and you still want to protect your kernel against modification,
64185 ++ use the RBAC system.
64186 ++
64187 ++config GRKERNSEC_PROC_MEMMAP
64188 ++ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
64189 ++ depends on PAX_NOEXEC || PAX_ASLR
64190 ++ help
64191 ++ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
64192 ++ give no information about the addresses of its mappings if
64193 ++ PaX features that rely on random addresses are enabled on the task.
64194 ++ If you use PaX it is greatly recommended that you say Y here as it
64195 ++ closes up a hole that makes the full ASLR useless for suid
64196 ++ binaries.
64197 ++
64198 ++config GRKERNSEC_BRUTE
64199 ++ bool "Deter exploit bruteforcing"
64200 ++ help
64201 ++ If you say Y here, attempts to bruteforce exploits against forking
64202 ++ daemons such as apache or sshd will be deterred. When a child of a
64203 ++ forking daemon is killed by PaX or crashes due to an illegal
64204 ++ instruction, the parent process will be delayed 30 seconds upon every
64205 ++ subsequent fork until the administrator is able to assess the
64206 ++ situation and restart the daemon. It is recommended that you also
64207 ++ enable signal logging in the auditing section so that logs are
64208 ++ generated when a process performs an illegal instruction.
64209 ++
64210 ++config GRKERNSEC_MODSTOP
64211 ++ bool "Runtime module disabling"
64212 ++ depends on MODULES
64213 ++ help
64214 ++ If you say Y here, you will be able to disable the ability to (un)load
64215 ++ modules at runtime. This feature is useful if you need the ability
64216 ++ to load kernel modules at boot time, but do not want to allow an
64217 ++ attacker to load a rootkit kernel module into the system, or to remove
64218 ++ a loaded kernel module important to system functioning. You should
64219 ++ enable the /dev/mem protection feature as well, since rootkits can be
64220 ++ inserted into the kernel via other methods than kernel modules. Since
64221 ++ an untrusted module could still be loaded by modifying init scripts and
64222 ++ rebooting the system, it is also recommended that you enable the RBAC
64223 ++ system. If you enable this option, a sysctl option with name
64224 ++ "disable_modules" will be created. Setting this option to "1" disables
64225 ++ module loading. After this option is set, no further writes to it are
64226 ++ allowed until the system is rebooted.
64227 ++
64228 ++config GRKERNSEC_HIDESYM
64229 ++ bool "Hide kernel symbols"
64230 ++ help
64231 ++ If you say Y here, getting information on loaded modules, and
64232 ++ displaying all kernel symbols through a syscall will be restricted
64233 ++ to users with CAP_SYS_MODULE. This option is only effective
64234 ++ provided the following conditions are met:
64235 ++ 1) The kernel using grsecurity is not precompiled by some distribution
64236 ++ 2) You are using the RBAC system and hiding other files such as your
64237 ++ kernel image and System.map
64238 ++ 3) You have the additional /proc restrictions enabled, which removes
64239 ++ /proc/kcore
64240 ++ If the above conditions are met, this option will aid to provide a
64241 ++ useful protection against local and remote kernel exploitation of
64242 ++ overflows and arbitrary read/write vulnerabilities.
64243 ++
64244 ++endmenu
64245 ++menu "Role Based Access Control Options"
64246 ++depends on GRKERNSEC
64247 ++
64248 ++config GRKERNSEC_ACL_HIDEKERN
64249 ++ bool "Hide kernel processes"
64250 ++ help
64251 ++ If you say Y here, all kernel threads will be hidden to all
64252 ++ processes but those whose subject has the "view hidden processes"
64253 ++ flag.
64254 ++
64255 ++config GRKERNSEC_ACL_MAXTRIES
64256 ++ int "Maximum tries before password lockout"
64257 ++ default 3
64258 ++ help
64259 ++ This option enforces the maximum number of times a user can attempt
64260 ++ to authorize themselves with the grsecurity RBAC system before being
64261 ++ denied the ability to attempt authorization again for a specified time.
64262 ++ The lower the number, the harder it will be to brute-force a password.
64263 ++
64264 ++config GRKERNSEC_ACL_TIMEOUT
64265 ++ int "Time to wait after max password tries, in seconds"
64266 ++ default 30
64267 ++ help
64268 ++ This option specifies the time the user must wait after attempting to
64269 ++ authorize to the RBAC system with the maximum number of invalid
64270 ++ passwords. The higher the number, the harder it will be to brute-force
64271 ++ a password.
64272 ++
64273 ++endmenu
64274 ++menu "Filesystem Protections"
64275 ++depends on GRKERNSEC
64276 ++
64277 ++config GRKERNSEC_PROC
64278 ++ bool "Proc restrictions"
64279 ++ help
64280 ++ If you say Y here, the permissions of the /proc filesystem
64281 ++ will be altered to enhance system security and privacy. You MUST
64282 ++ choose either a user only restriction or a user and group restriction.
64283 ++ Depending upon the option you choose, you can either restrict users to
64284 ++ see only the processes they themselves run, or choose a group that can
64285 ++ view all processes and files normally restricted to root if you choose
64286 ++ the "restrict to user only" option. NOTE: If you're running identd as
64287 ++ a non-root user, you will have to run it as the group you specify here.
64288 ++
64289 ++config GRKERNSEC_PROC_USER
64290 ++ bool "Restrict /proc to user only"
64291 ++ depends on GRKERNSEC_PROC
64292 ++ help
64293 ++ If you say Y here, non-root users will only be able to view their own
64294 ++ processes, and restricts them from viewing network-related information,
64295 ++ and viewing kernel symbol and module information.
64296 ++
64297 ++config GRKERNSEC_PROC_USERGROUP
64298 ++ bool "Allow special group"
64299 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
64300 ++ help
64301 ++ If you say Y here, you will be able to select a group that will be
64302 ++ able to view all processes, network-related information, and
64303 ++ kernel and symbol information. This option is useful if you want
64304 ++ to run identd as a non-root user.
64305 ++
64306 ++config GRKERNSEC_PROC_GID
64307 ++ int "GID for special group"
64308 ++ depends on GRKERNSEC_PROC_USERGROUP
64309 ++ default 1001
64310 ++
64311 ++config GRKERNSEC_PROC_ADD
64312 ++ bool "Additional restrictions"
64313 ++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
64314 ++ help
64315 ++ If you say Y here, additional restrictions will be placed on
64316 ++ /proc that keep normal users from viewing device information and
64317 ++ slabinfo information that could be useful for exploits.
64318 ++
64319 ++config GRKERNSEC_LINK
64320 ++ bool "Linking restrictions"
64321 ++ help
64322 ++ If you say Y here, /tmp race exploits will be prevented, since users
64323 ++ will no longer be able to follow symlinks owned by other users in
64324 ++ world-writable +t directories (i.e. /tmp), unless the owner of the
64325 ++ symlink is the owner of the directory. users will also not be
64326 ++ able to hardlink to files they do not own. If the sysctl option is
64327 ++ enabled, a sysctl option with name "linking_restrictions" is created.
64328 ++
64329 ++config GRKERNSEC_FIFO
64330 ++ bool "FIFO restrictions"
64331 ++ help
64332 ++ If you say Y here, users will not be able to write to FIFOs they don't
64333 ++ own in world-writable +t directories (i.e. /tmp), unless the owner of
64334 ++ the FIFO is the same owner of the directory it's held in. If the sysctl
64335 ++ option is enabled, a sysctl option with name "fifo_restrictions" is
64336 ++ created.
64337 ++
64338 ++config GRKERNSEC_CHROOT
64339 ++ bool "Chroot jail restrictions"
64340 ++ help
64341 ++ If you say Y here, you will be able to choose several options that will
64342 ++ make breaking out of a chrooted jail much more difficult. If you
64343 ++ encounter no software incompatibilities with the following options, it
64344 ++ is recommended that you enable each one.
64345 ++
64346 ++config GRKERNSEC_CHROOT_MOUNT
64347 ++ bool "Deny mounts"
64348 ++ depends on GRKERNSEC_CHROOT
64349 ++ help
64350 ++ If you say Y here, processes inside a chroot will not be able to
64351 ++ mount or remount filesystems. If the sysctl option is enabled, a
64352 ++ sysctl option with name "chroot_deny_mount" is created.
64353 ++
64354 ++config GRKERNSEC_CHROOT_DOUBLE
64355 ++ bool "Deny double-chroots"
64356 ++ depends on GRKERNSEC_CHROOT
64357 ++ help
64358 ++ If you say Y here, processes inside a chroot will not be able to chroot
64359 ++ again outside the chroot. This is a widely used method of breaking
64360 ++ out of a chroot jail and should not be allowed. If the sysctl
64361 ++ option is enabled, a sysctl option with name
64362 ++ "chroot_deny_chroot" is created.
64363 ++
64364 ++config GRKERNSEC_CHROOT_PIVOT
64365 ++ bool "Deny pivot_root in chroot"
64366 ++ depends on GRKERNSEC_CHROOT
64367 ++ help
64368 ++ If you say Y here, processes inside a chroot will not be able to use
64369 ++ a function called pivot_root() that was introduced in Linux 2.3.41. It
64370 ++ works similar to chroot in that it changes the root filesystem. This
64371 ++ function could be misused in a chrooted process to attempt to break out
64372 ++ of the chroot, and therefore should not be allowed. If the sysctl
64373 ++ option is enabled, a sysctl option with name "chroot_deny_pivot" is
64374 ++ created.
64375 ++
64376 ++config GRKERNSEC_CHROOT_CHDIR
64377 ++ bool "Enforce chdir(\"/\") on all chroots"
64378 ++ depends on GRKERNSEC_CHROOT
64379 ++ help
64380 ++ If you say Y here, the current working directory of all newly-chrooted
64381 ++ applications will be set to the the root directory of the chroot.
64382 ++ The man page on chroot(2) states:
64383 ++ Note that this call does not change the current working
64384 ++ directory, so that `.' can be outside the tree rooted at
64385 ++ `/'. In particular, the super-user can escape from a
64386 ++ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
64387 ++
64388 ++ It is recommended that you say Y here, since it's not known to break
64389 ++ any software. If the sysctl option is enabled, a sysctl option with
64390 ++ name "chroot_enforce_chdir" is created.
64391 ++
64392 ++config GRKERNSEC_CHROOT_CHMOD
64393 ++ bool "Deny (f)chmod +s"
64394 ++ depends on GRKERNSEC_CHROOT
64395 ++ help
64396 ++ If you say Y here, processes inside a chroot will not be able to chmod
64397 ++ or fchmod files to make them have suid or sgid bits. This protects
64398 ++ against another published method of breaking a chroot. If the sysctl
64399 ++ option is enabled, a sysctl option with name "chroot_deny_chmod" is
64400 ++ created.
64401 ++
64402 ++config GRKERNSEC_CHROOT_FCHDIR
64403 ++ bool "Deny fchdir out of chroot"
64404 ++ depends on GRKERNSEC_CHROOT
64405 ++ help
64406 ++ If you say Y here, a well-known method of breaking chroots by fchdir'ing
64407 ++ to a file descriptor of the chrooting process that points to a directory
64408 ++ outside the filesystem will be stopped. If the sysctl option
64409 ++ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
64410 ++
64411 ++config GRKERNSEC_CHROOT_MKNOD
64412 ++ bool "Deny mknod"
64413 ++ depends on GRKERNSEC_CHROOT
64414 ++ help
64415 ++ If you say Y here, processes inside a chroot will not be allowed to
64416 ++ mknod. The problem with using mknod inside a chroot is that it
64417 ++ would allow an attacker to create a device entry that is the same
64418 ++ as one on the physical root of your system, which could range from
64419 ++ anything from the console device to a device for your harddrive (which
64420 ++ they could then use to wipe the drive or steal data). It is recommended
64421 ++ that you say Y here, unless you run into software incompatibilities.
64422 ++ If the sysctl option is enabled, a sysctl option with name
64423 ++ "chroot_deny_mknod" is created.
64424 ++
64425 ++config GRKERNSEC_CHROOT_SHMAT
64426 ++ bool "Deny shmat() out of chroot"
64427 ++ depends on GRKERNSEC_CHROOT
64428 ++ help
64429 ++ If you say Y here, processes inside a chroot will not be able to attach
64430 ++ to shared memory segments that were created outside of the chroot jail.
64431 ++ It is recommended that you say Y here. If the sysctl option is enabled,
64432 ++ a sysctl option with name "chroot_deny_shmat" is created.
64433 ++
64434 ++config GRKERNSEC_CHROOT_UNIX
64435 ++ bool "Deny access to abstract AF_UNIX sockets out of chroot"
64436 ++ depends on GRKERNSEC_CHROOT
64437 ++ help
64438 ++ If you say Y here, processes inside a chroot will not be able to
64439 ++ connect to abstract (meaning not belonging to a filesystem) Unix
64440 ++ domain sockets that were bound outside of a chroot. It is recommended
64441 ++ that you say Y here. If the sysctl option is enabled, a sysctl option
64442 ++ with name "chroot_deny_unix" is created.
64443 ++
64444 ++config GRKERNSEC_CHROOT_FINDTASK
64445 ++ bool "Protect outside processes"
64446 ++ depends on GRKERNSEC_CHROOT
64447 ++ help
64448 ++ If you say Y here, processes inside a chroot will not be able to
64449 ++ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
64450 ++ or view any process outside of the chroot. If the sysctl
64451 ++ option is enabled, a sysctl option with name "chroot_findtask" is
64452 ++ created.
64453 ++
64454 ++config GRKERNSEC_CHROOT_NICE
64455 ++ bool "Restrict priority changes"
64456 ++ depends on GRKERNSEC_CHROOT
64457 ++ help
64458 ++ If you say Y here, processes inside a chroot will not be able to raise
64459 ++ the priority of processes in the chroot, or alter the priority of
64460 ++ processes outside the chroot. This provides more security than simply
64461 ++ removing CAP_SYS_NICE from the process' capability set. If the
64462 ++ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
64463 ++ is created.
64464 ++
64465 ++config GRKERNSEC_CHROOT_SYSCTL
64466 ++ bool "Deny sysctl writes"
64467 ++ depends on GRKERNSEC_CHROOT
64468 ++ help
64469 ++ If you say Y here, an attacker in a chroot will not be able to
64470 ++ write to sysctl entries, either by sysctl(2) or through a /proc
64471 ++ interface. It is strongly recommended that you say Y here. If the
64472 ++ sysctl option is enabled, a sysctl option with name
64473 ++ "chroot_deny_sysctl" is created.
64474 ++
64475 ++config GRKERNSEC_CHROOT_CAPS
64476 ++ bool "Capability restrictions"
64477 ++ depends on GRKERNSEC_CHROOT
64478 ++ help
64479 ++ If you say Y here, the capabilities on all root processes within a
64480 ++ chroot jail will be lowered to stop module insertion, raw i/o,
64481 ++ system and net admin tasks, rebooting the system, modifying immutable
64482 ++ files, modifying IPC owned by another, and changing the system time.
64483 ++ This is left an option because it can break some apps. Disable this
64484 ++ if your chrooted apps are having problems performing those kinds of
64485 ++ tasks. If the sysctl option is enabled, a sysctl option with
64486 ++ name "chroot_caps" is created.
64487 ++
64488 ++endmenu
64489 ++menu "Kernel Auditing"
64490 ++depends on GRKERNSEC
64491 ++
64492 ++config GRKERNSEC_AUDIT_GROUP
64493 ++ bool "Single group for auditing"
64494 ++ help
64495 ++ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
64496 ++ will only operate on a group you specify. This option is recommended
64497 ++ if you only want to watch certain users instead of having a large
64498 ++ amount of logs from the entire system. If the sysctl option is enabled,
64499 ++ a sysctl option with name "audit_group" is created.
64500 ++
64501 ++config GRKERNSEC_AUDIT_GID
64502 ++ int "GID for auditing"
64503 ++ depends on GRKERNSEC_AUDIT_GROUP
64504 ++ default 1007
64505 ++
64506 ++config GRKERNSEC_EXECLOG
64507 ++ bool "Exec logging"
64508 ++ help
64509 ++ If you say Y here, all execve() calls will be logged (since the
64510 ++ other exec*() calls are frontends to execve(), all execution
64511 ++ will be logged). Useful for shell-servers that like to keep track
64512 ++ of their users. If the sysctl option is enabled, a sysctl option with
64513 ++ name "exec_logging" is created.
64514 ++ WARNING: This option when enabled will produce a LOT of logs, especially
64515 ++ on an active system.
64516 ++
64517 ++config GRKERNSEC_RESLOG
64518 ++ bool "Resource logging"
64519 ++ help
64520 ++ If you say Y here, all attempts to overstep resource limits will
64521 ++ be logged with the resource name, the requested size, and the current
64522 ++ limit. It is highly recommended that you say Y here. If the sysctl
64523 ++ option is enabled, a sysctl option with name "resource_logging" is
64524 ++ created. If the RBAC system is enabled, the sysctl value is ignored.
64525 ++
64526 ++config GRKERNSEC_CHROOT_EXECLOG
64527 ++ bool "Log execs within chroot"
64528 ++ help
64529 ++ If you say Y here, all executions inside a chroot jail will be logged
64530 ++ to syslog. This can cause a large amount of logs if certain
64531 ++ applications (eg. djb's daemontools) are installed on the system, and
64532 ++ is therefore left as an option. If the sysctl option is enabled, a
64533 ++ sysctl option with name "chroot_execlog" is created.
64534 ++
64535 ++config GRKERNSEC_AUDIT_CHDIR
64536 ++ bool "Chdir logging"
64537 ++ help
64538 ++ If you say Y here, all chdir() calls will be logged. If the sysctl
64539 ++ option is enabled, a sysctl option with name "audit_chdir" is created.
64540 ++
64541 ++config GRKERNSEC_AUDIT_MOUNT
64542 ++ bool "(Un)Mount logging"
64543 ++ help
64544 ++ If you say Y here, all mounts and unmounts will be logged. If the
64545 ++ sysctl option is enabled, a sysctl option with name "audit_mount" is
64546 ++ created.
64547 ++
64548 ++config GRKERNSEC_AUDIT_IPC
64549 ++ bool "IPC logging"
64550 ++ help
64551 ++ If you say Y here, creation and removal of message queues, semaphores,
64552 ++ and shared memory will be logged. If the sysctl option is enabled, a
64553 ++ sysctl option with name "audit_ipc" is created.
64554 ++
64555 ++config GRKERNSEC_SIGNAL
64556 ++ bool "Signal logging"
64557 ++ help
64558 ++ If you say Y here, certain important signals will be logged, such as
64559 ++ SIGSEGV, which will as a result inform you of when a error in a program
64560 ++ occurred, which in some cases could mean a possible exploit attempt.
64561 ++ If the sysctl option is enabled, a sysctl option with name
64562 ++ "signal_logging" is created.
64563 ++
64564 ++config GRKERNSEC_FORKFAIL
64565 ++ bool "Fork failure logging"
64566 ++ help
64567 ++ If you say Y here, all failed fork() attempts will be logged.
64568 ++ This could suggest a fork bomb, or someone attempting to overstep
64569 ++ their process limit. If the sysctl option is enabled, a sysctl option
64570 ++ with name "forkfail_logging" is created.
64571 ++
64572 ++config GRKERNSEC_TIME
64573 ++ bool "Time change logging"
64574 ++ help
64575 ++ If you say Y here, any changes of the system clock will be logged.
64576 ++ If the sysctl option is enabled, a sysctl option with name
64577 ++ "timechange_logging" is created.
64578 ++
64579 ++config GRKERNSEC_PROC_IPADDR
64580 ++ bool "/proc/<pid>/ipaddr support"
64581 ++ help
64582 ++ If you say Y here, a new entry will be added to each /proc/<pid>
64583 ++ directory that contains the IP address of the person using the task.
64584 ++ The IP is carried across local TCP and AF_UNIX stream sockets.
64585 ++ This information can be useful for IDS/IPSes to perform remote response
64586 ++ to a local attack. The entry is readable by only the owner of the
64587 ++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
64588 ++ the RBAC system), and thus does not create privacy concerns.
64589 ++
64590 ++config GRKERNSEC_AUDIT_TEXTREL
64591 ++ bool 'ELF text relocations logging (READ HELP)'
64592 ++ depends on PAX_MPROTECT
64593 ++ help
64594 ++ If you say Y here, text relocations will be logged with the filename
64595 ++ of the offending library or binary. The purpose of the feature is
64596 ++ to help Linux distribution developers get rid of libraries and
64597 ++ binaries that need text relocations which hinder the future progress
64598 ++ of PaX. Only Linux distribution developers should say Y here, and
64599 ++ never on a production machine, as this option creates an information
64600 ++ leak that could aid an attacker in defeating the randomization of
64601 ++ a single memory region. If the sysctl option is enabled, a sysctl
64602 ++ option with name "audit_textrel" is created.
64603 ++
64604 ++endmenu
64605 ++
64606 ++menu "Executable Protections"
64607 ++depends on GRKERNSEC
64608 ++
64609 ++config GRKERNSEC_EXECVE
64610 ++ bool "Enforce RLIMIT_NPROC on execs"
64611 ++ help
64612 ++ If you say Y here, users with a resource limit on processes will
64613 ++ have the value checked during execve() calls. The current system
64614 ++ only checks the system limit during fork() calls. If the sysctl option
64615 ++ is enabled, a sysctl option with name "execve_limiting" is created.
64616 ++
64617 ++config GRKERNSEC_DMESG
64618 ++ bool "Dmesg(8) restriction"
64619 ++ help
64620 ++ If you say Y here, non-root users will not be able to use dmesg(8)
64621 ++ to view up to the last 4kb of messages in the kernel's log buffer.
64622 ++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
64623 ++ created.
64624 ++
64625 ++config GRKERNSEC_TPE
64626 ++ bool "Trusted Path Execution (TPE)"
64627 ++ help
64628 ++ If you say Y here, you will be able to choose a gid to add to the
64629 ++ supplementary groups of users you want to mark as "untrusted."
64630 ++ These users will not be able to execute any files that are not in
64631 ++ root-owned directories writable only by root. If the sysctl option
64632 ++ is enabled, a sysctl option with name "tpe" is created.
64633 ++
64634 ++config GRKERNSEC_TPE_ALL
64635 ++ bool "Partially restrict non-root users"
64636 ++ depends on GRKERNSEC_TPE
64637 ++ help
64638 ++ If you say Y here, All non-root users other than the ones in the
64639 ++ group specified in the main TPE option will only be allowed to
64640 ++ execute files in directories they own that are not group or
64641 ++ world-writable, or in directories owned by root and writable only by
64642 ++ root. If the sysctl option is enabled, a sysctl option with name
64643 ++ "tpe_restrict_all" is created.
64644 ++
64645 ++config GRKERNSEC_TPE_INVERT
64646 ++ bool "Invert GID option"
64647 ++ depends on GRKERNSEC_TPE
64648 ++ help
64649 ++ If you say Y here, the group you specify in the TPE configuration will
64650 ++ decide what group TPE restrictions will be *disabled* for. This
64651 ++ option is useful if you want TPE restrictions to be applied to most
64652 ++ users on the system.
64653 ++
64654 ++config GRKERNSEC_TPE_GID
64655 ++ int "GID for untrusted users"
64656 ++ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
64657 ++ default 1005
64658 ++ help
64659 ++ If you have selected the "Invert GID option" above, setting this
64660 ++ GID determines what group TPE restrictions will be *disabled* for.
64661 ++ If you have not selected the "Invert GID option" above, setting this
64662 ++ GID determines what group TPE restrictions will be *enabled* for.
64663 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
64664 ++ is created.
64665 ++
64666 ++config GRKERNSEC_TPE_GID
64667 ++ int "GID for trusted users"
64668 ++ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
64669 ++ default 1005
64670 ++ help
64671 ++ If you have selected the "Invert GID option" above, setting this
64672 ++ GID determines what group TPE restrictions will be *disabled* for.
64673 ++ If you have not selected the "Invert GID option" above, setting this
64674 ++ GID determines what group TPE restrictions will be *enabled* for.
64675 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
64676 ++ is created.
64677 ++
64678 ++endmenu
64679 ++menu "Network Protections"
64680 ++depends on GRKERNSEC
64681 ++
64682 ++config GRKERNSEC_RANDNET
64683 ++ bool "Larger entropy pools"
64684 ++ help
64685 ++ If you say Y here, the entropy pools used for many features of Linux
64686 ++ and grsecurity will be doubled in size. Since several grsecurity
64687 ++ features use additional randomness, it is recommended that you say Y
64688 ++ here. Saying Y here has a similar effect as modifying
64689 ++ /proc/sys/kernel/random/poolsize.
64690 ++
64691 ++config GRKERNSEC_SOCKET
64692 ++ bool "Socket restrictions"
64693 ++ help
64694 ++ If you say Y here, you will be able to choose from several options.
64695 ++ If you assign a GID on your system and add it to the supplementary
64696 ++ groups of users you want to restrict socket access to, this patch
64697 ++ will perform up to three things, based on the option(s) you choose.
64698 ++
64699 ++config GRKERNSEC_SOCKET_ALL
64700 ++ bool "Deny any sockets to group"
64701 ++ depends on GRKERNSEC_SOCKET
64702 ++ help
64703 ++ If you say Y here, you will be able to choose a GID of whose users will
64704 ++ be unable to connect to other hosts from your machine or run server
64705 ++ applications from your machine. If the sysctl option is enabled, a
64706 ++ sysctl option with name "socket_all" is created.
64707 ++
64708 ++config GRKERNSEC_SOCKET_ALL_GID
64709 ++ int "GID to deny all sockets for"
64710 ++ depends on GRKERNSEC_SOCKET_ALL
64711 ++ default 1004
64712 ++ help
64713 ++ Here you can choose the GID to disable socket access for. Remember to
64714 ++ add the users you want socket access disabled for to the GID
64715 ++ specified here. If the sysctl option is enabled, a sysctl option
64716 ++ with name "socket_all_gid" is created.
64717 ++
64718 ++config GRKERNSEC_SOCKET_CLIENT
64719 ++ bool "Deny client sockets to group"
64720 ++ depends on GRKERNSEC_SOCKET
64721 ++ help
64722 ++ If you say Y here, you will be able to choose a GID of whose users will
64723 ++ be unable to connect to other hosts from your machine, but will be
64724 ++ able to run servers. If this option is enabled, all users in the group
64725 ++ you specify will have to use passive mode when initiating ftp transfers
64726 ++ from the shell on your machine. If the sysctl option is enabled, a
64727 ++ sysctl option with name "socket_client" is created.
64728 ++
64729 ++config GRKERNSEC_SOCKET_CLIENT_GID
64730 ++ int "GID to deny client sockets for"
64731 ++ depends on GRKERNSEC_SOCKET_CLIENT
64732 ++ default 1003
64733 ++ help
64734 ++ Here you can choose the GID to disable client socket access for.
64735 ++ Remember to add the users you want client socket access disabled for to
64736 ++ the GID specified here. If the sysctl option is enabled, a sysctl
64737 ++ option with name "socket_client_gid" is created.
64738 ++
64739 ++config GRKERNSEC_SOCKET_SERVER
64740 ++ bool "Deny server sockets to group"
64741 ++ depends on GRKERNSEC_SOCKET
64742 ++ help
64743 ++ If you say Y here, you will be able to choose a GID of whose users will
64744 ++ be unable to run server applications from your machine. If the sysctl
64745 ++ option is enabled, a sysctl option with name "socket_server" is created.
64746 ++
64747 ++config GRKERNSEC_SOCKET_SERVER_GID
64748 ++ int "GID to deny server sockets for"
64749 ++ depends on GRKERNSEC_SOCKET_SERVER
64750 ++ default 1002
64751 ++ help
64752 ++ Here you can choose the GID to disable server socket access for.
64753 ++ Remember to add the users you want server socket access disabled for to
64754 ++ the GID specified here. If the sysctl option is enabled, a sysctl
64755 ++ option with name "socket_server_gid" is created.
64756 ++
64757 ++endmenu
64758 ++menu "Sysctl support"
64759 ++depends on GRKERNSEC && SYSCTL
64760 ++
64761 ++config GRKERNSEC_SYSCTL
64762 ++ bool "Sysctl support"
64763 ++ help
64764 ++ If you say Y here, you will be able to change the options that
64765 ++ grsecurity runs with at bootup, without having to recompile your
64766 ++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
64767 ++ to enable (1) or disable (0) various features. All the sysctl entries
64768 ++ are mutable until the "grsec_lock" entry is set to a non-zero value.
64769 ++ All features enabled in the kernel configuration are disabled at boot
64770 ++ if you do not say Y to the "Turn on features by default" option.
64771 ++ All options should be set at startup, and the grsec_lock entry should
64772 ++ be set to a non-zero value after all the options are set.
64773 ++ *THIS IS EXTREMELY IMPORTANT*
64774 ++
64775 ++config GRKERNSEC_SYSCTL_ON
64776 ++ bool "Turn on features by default"
64777 ++ depends on GRKERNSEC_SYSCTL
64778 ++ help
64779 ++ If you say Y here, instead of having all features enabled in the
64780 ++ kernel configuration disabled at boot time, the features will be
64781 ++ enabled at boot time. It is recommended you say Y here unless
64782 ++ there is some reason you would want all sysctl-tunable features to
64783 ++ be disabled by default. As mentioned elsewhere, it is important
64784 ++ to enable the grsec_lock entry once you have finished modifying
64785 ++ the sysctl entries.
64786 ++
64787 ++endmenu
64788 ++menu "Logging Options"
64789 ++depends on GRKERNSEC
64790 ++
64791 ++config GRKERNSEC_FLOODTIME
64792 ++ int "Seconds in between log messages (minimum)"
64793 ++ default 10
64794 ++ help
64795 ++ This option allows you to enforce the number of seconds between
64796 ++ grsecurity log messages. The default should be suitable for most
64797 ++ people, however, if you choose to change it, choose a value small enough
64798 ++ to allow informative logs to be produced, but large enough to
64799 ++ prevent flooding.
64800 ++
64801 ++config GRKERNSEC_FLOODBURST
64802 ++ int "Number of messages in a burst (maximum)"
64803 ++ default 4
64804 ++ help
64805 ++ This option allows you to choose the maximum number of messages allowed
64806 ++ within the flood time interval you chose in a separate option. The
64807 ++ default should be suitable for most people, however if you find that
64808 ++ many of your logs are being interpreted as flooding, you may want to
64809 ++ raise this value.
64810 ++
64811 ++endmenu
64812 ++
64813 ++endmenu
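Review bot: the GRKERNSEC_SYSCTL help text (the block ending in *THIS IS EXTREMELY IMPORTANT*) should spell out the two consequences it only hints at: with GRKERNSEC_SYSCTL=y and GRKERNSEC_SYSCTL_ON=n every compiled-in feature is off from boot until userspace writes /proc/sys/kernel/grsecurity/*, so initramfs and early rc scripts run unprotected, and it should say what happens to grsec_lock itself once written (if the lock is one-way until reboot, say so, because an admin who sets it from an rc script cannot undo a mistake). Two smaller documentation points in the same hunk: GRKERNSEC_RANDNET says doubling the pools "has a similar effect as modifying /proc/sys/kernel/random/poolsize" but never states the resulting pool size, and the GRKERNSEC_FLOODTIME/GRKERNSEC_FLOODBURST pair (default 4 messages per 10 seconds) is a rate limiter on security logs, so the help should warn that a user who can trigger harmless grsecurity log lines can push a real event into the suppressed window; sites shipping logs to a collector may want a larger burst.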
64814 +diff -urNp linux-2.6.24.5/grsecurity/Makefile linux-2.6.24.5/grsecurity/Makefile
64815 +--- linux-2.6.24.5/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
64816 ++++ linux-2.6.24.5/grsecurity/Makefile 2008-03-26 20:21:09.000000000 -0400
64817 +@@ -0,0 +1,20 @@
64818 ++# grsecurity's ACL system was originally written in 2001 by Michael Dalton
64819 ++# during 2001-2005 it has been completely redesigned by Brad Spengler
64820 ++# into an RBAC system
64821 ++#
64822 ++# All code in this directory and various hooks inserted throughout the kernel
64823 ++# are copyright Brad Spengler, and released under the GPL v2 or higher
64824 ++
64825 ++obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
64826 ++ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
64827 ++ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
64828 ++
64829 ++obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
64830 ++ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
64831 ++ gracl_learn.o grsec_log.o
64832 ++obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
64833 ++
64834 ++ifndef CONFIG_GRKERNSEC
64835 ++obj-y += grsec_disabled.o
64836 ++endif
64837 ++
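Review bot: the first obj-y line builds grsec_chdir.o through grsec_textrel.o unconditionally, so with CONFIG_GRKERNSEC unset they are still compiled next to grsec_disabled.o; unless each of those files is internally #ifdef'd down to an empty translation unit, gate them with obj-$(CONFIG_GRKERNSEC) like the gracl_*.o line below, and grsec_sysctl.o should additionally depend on CONFIG_GRKERNSEC_SYSCTL, since the Kconfig menu above requires SYSCTL. Minor: the header comment first credits the ACL code to Michael Dalton and then says all code in the directory is copyright Brad Spengler; reconcile the two statements.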
64838 +diff -urNp linux-2.6.24.5/include/acpi/acpiosxf.h linux-2.6.24.5/include/acpi/acpiosxf.h
64839 +--- linux-2.6.24.5/include/acpi/acpiosxf.h 2008-03-24 14:49:18.000000000 -0400
64840 ++++ linux-2.6.24.5/include/acpi/acpiosxf.h 2008-03-26 20:21:09.000000000 -0400
64841 +@@ -219,7 +219,7 @@ acpi_os_write_memory(acpi_physical_addre
64842 + */
64843 + acpi_status
64844 + acpi_os_read_pci_configuration(struct acpi_pci_id *pci_id,
64845 +- u32 reg, void *value, u32 width);
64846 ++ u32 reg, u32 *value, u32 width);
64847 +
64848 + acpi_status
64849 + acpi_os_write_pci_configuration(struct acpi_pci_id *pci_id,
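Review bot: changing the value parameter of acpi_os_read_pci_configuration from void * to u32 * is only safe if the definition in drivers/acpi/osl.c and every caller were changed in the same patch, and none of them are in this hunk. The ACPICA PCI config region handler passes a pointer to a 64-bit acpi_integer here, so without a matching caller change the mismatch either shows up as an incompatible-pointer warning or, if cast away, leaves the upper half of the caller's variable uninitialised after a 32-bit store. The width argument still admits 8, 16 and 32-bit reads, so the implementation must zero-fill the whole u32 for the narrow cases.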
64850 +diff -urNp linux-2.6.24.5/include/asm-alpha/a.out.h linux-2.6.24.5/include/asm-alpha/a.out.h
64851 +--- linux-2.6.24.5/include/asm-alpha/a.out.h 2008-03-24 14:49:18.000000000 -0400
64852 ++++ linux-2.6.24.5/include/asm-alpha/a.out.h 2008-03-26 20:21:09.000000000 -0400
64853 +@@ -98,7 +98,7 @@ struct exec
64854 + set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
64855 + ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
64856 +
64857 +-#define STACK_TOP \
64858 ++#define __STACK_TOP \
64859 + (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
64860 +
64861 + #define STACK_TOP_MAX 0x00120000000UL
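Review bot: renaming STACK_TOP to __STACK_TOP here only works if a common header now defines STACK_TOP in terms of __STACK_TOP (presumably applying the PaX stack randomisation) and that header reaches every user of STACK_TOP; that definition is not in this section, so the commit message should point at it. The same rename is applied to arm, avr32, ia64, mips, parisc and powerpc later in the patch. Leaving STACK_TOP_MAX as the fixed literal is correct, since it must bound the randomised value rather than follow it.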
64862 +diff -urNp linux-2.6.24.5/include/asm-alpha/elf.h linux-2.6.24.5/include/asm-alpha/elf.h
64863 +--- linux-2.6.24.5/include/asm-alpha/elf.h 2008-03-24 14:49:18.000000000 -0400
64864 ++++ linux-2.6.24.5/include/asm-alpha/elf.h 2008-03-26 20:21:09.000000000 -0400
64865 +@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
64866 +
64867 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
64868 +
64869 ++#ifdef CONFIG_PAX_ASLR
64870 ++#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
64871 ++
64872 ++#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
64873 ++#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
64874 ++#endif
64875 ++
64876 + /* $0 is set by ld.so to a pointer to a function which might be
64877 + registered using atexit. This provides a mean for the dynamic
64878 + linker to call DT_FINI functions for shared libraries that have
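Review bot: document the unit of PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN in a comment: they are counts of random bits applied at page granularity, so with alpha's 8 KiB pages 28 bits is a 2 TiB mmap window while the stack only gets 19 bits (4 GiB). An unexplained 28 versus 19 invites the next reader to "fix" it. It is also worth noting next to PAX_ELF_ET_DYN_BASE that the ELF_ET_DYN_BASE two lines above remains the non-randomised fallback for binaries that have ASLR disabled.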
64879 +diff -urNp linux-2.6.24.5/include/asm-alpha/kmap_types.h linux-2.6.24.5/include/asm-alpha/kmap_types.h
64880 +--- linux-2.6.24.5/include/asm-alpha/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64881 ++++ linux-2.6.24.5/include/asm-alpha/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64882 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
64883 + D(10) KM_IRQ1,
64884 + D(11) KM_SOFTIRQ0,
64885 + D(12) KM_SOFTIRQ1,
64886 +-D(13) KM_TYPE_NR
64887 ++D(13) KM_CLEARPAGE,
64888 ++D(14) KM_TYPE_NR
64889 + };
64890 +
64891 + #undef D
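Review bot: add a one-line comment on KM_CLEARPAGE saying which code maps pages with it; the user is not in this section and km_type slots are a per-CPU fixmap entry on highmem architectures, so future maintainers will want to know whether it can be merged with an existing slot. The same enumerator is inserted before KM_TYPE_NR in every other arch's kmap_types.h later in the patch, so KM_TYPE_NR grows by one consistently.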
64892 +diff -urNp linux-2.6.24.5/include/asm-alpha/pgtable.h linux-2.6.24.5/include/asm-alpha/pgtable.h
64893 +--- linux-2.6.24.5/include/asm-alpha/pgtable.h 2008-03-24 14:49:18.000000000 -0400
64894 ++++ linux-2.6.24.5/include/asm-alpha/pgtable.h 2008-03-26 20:21:09.000000000 -0400
64895 +@@ -101,6 +101,17 @@ struct vm_area_struct;
64896 + #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
64897 + #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
64898 + #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
64899 ++
64900 ++#ifdef CONFIG_PAX_PAGEEXEC
64901 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
64902 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
64903 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
64904 ++#else
64905 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
64906 ++# define PAGE_COPY_NOEXEC PAGE_COPY
64907 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
64908 ++#endif
64909 ++
64910 + #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
64911 +
64912 + #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
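Review bot: in the #else branch PAGE_SHARED_NOEXEC, PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC alias their executable counterparts, so any caller that picks a *_NOEXEC protection silently gets an executable mapping whenever CONFIG_PAX_PAGEEXEC is off. If that is intentional (the macros express intent and PAGEEXEC does the enforcing), say so in a comment so nobody uses them as a hard guarantee. PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC are identical here, mirroring PAGE_COPY == PAGE_READONLY on alpha, which is fine.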
64913 +diff -urNp linux-2.6.24.5/include/asm-arm/a.out.h linux-2.6.24.5/include/asm-arm/a.out.h
64914 +--- linux-2.6.24.5/include/asm-arm/a.out.h 2008-03-24 14:49:18.000000000 -0400
64915 ++++ linux-2.6.24.5/include/asm-arm/a.out.h 2008-03-26 20:21:09.000000000 -0400
64916 +@@ -28,7 +28,7 @@ struct exec
64917 + #define M_ARM 103
64918 +
64919 + #ifdef __KERNEL__
64920 +-#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
64921 ++#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
64922 + TASK_SIZE : TASK_SIZE_26)
64923 + #define STACK_TOP_MAX TASK_SIZE
64924 + #endif
64925 +diff -urNp linux-2.6.24.5/include/asm-arm/elf.h linux-2.6.24.5/include/asm-arm/elf.h
64926 +--- linux-2.6.24.5/include/asm-arm/elf.h 2008-03-24 14:49:18.000000000 -0400
64927 ++++ linux-2.6.24.5/include/asm-arm/elf.h 2008-03-26 20:21:09.000000000 -0400
64928 +@@ -88,7 +88,14 @@ extern char elf_platform[];
64929 + the loader. We need to make sure that it is out of the way of the program
64930 + that it will "exec", and that there is sufficient room for the brk. */
64931 +
64932 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
64933 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
64934 ++
64935 ++#ifdef CONFIG_PAX_ASLR
64936 ++#define PAX_ELF_ET_DYN_BASE 0x00008000UL
64937 ++
64938 ++#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
64939 ++#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
64940 ++#endif
64941 +
64942 + /* When the program starts, a1 contains a pointer to a function to be
64943 + registered with atexit, as per the SVR4 ABI. A value of 0 means we
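Review bot: rewriting ELF_ET_DYN_BASE from (2 * TASK_SIZE / 3) to (TASK_SIZE / 3 * 2) is a value change, not a cosmetic one: on a 32-bit unsigned long 2 * TASK_SIZE wraps for any TASK_SIZE above 2 GiB (the usual 3G/1G split puts ARM's TASK_SIZE at 0xbf000000), and the two forms round differently, so the non-PaX PIE load address moves. That looks like a genuine fix for the mainline expression, but it belongs in the changelog and ideally in a separate patch. The PAX_DELTA_* values give only 10 bits of randomisation to non-PER_LINUX_32BIT (26-bit) processes; a comment that this is the address space limit, not an oversight, would help.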
64944 +diff -urNp linux-2.6.24.5/include/asm-arm/kmap_types.h linux-2.6.24.5/include/asm-arm/kmap_types.h
64945 +--- linux-2.6.24.5/include/asm-arm/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64946 ++++ linux-2.6.24.5/include/asm-arm/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64947 +@@ -18,6 +18,7 @@ enum km_type {
64948 + KM_IRQ1,
64949 + KM_SOFTIRQ0,
64950 + KM_SOFTIRQ1,
64951 ++ KM_CLEARPAGE,
64952 + KM_TYPE_NR
64953 + };
64954 +
64955 +diff -urNp linux-2.6.24.5/include/asm-avr32/a.out.h linux-2.6.24.5/include/asm-avr32/a.out.h
64956 +--- linux-2.6.24.5/include/asm-avr32/a.out.h 2008-03-24 14:49:18.000000000 -0400
64957 ++++ linux-2.6.24.5/include/asm-avr32/a.out.h 2008-03-26 20:21:09.000000000 -0400
64958 +@@ -19,8 +19,8 @@ struct exec
64959 +
64960 + #ifdef __KERNEL__
64961 +
64962 +-#define STACK_TOP TASK_SIZE
64963 +-#define STACK_TOP_MAX STACK_TOP
64964 ++#define __STACK_TOP TASK_SIZE
64965 ++#define STACK_TOP_MAX __STACK_TOP
64966 +
64967 + #endif
64968 +
64969 +diff -urNp linux-2.6.24.5/include/asm-avr32/elf.h linux-2.6.24.5/include/asm-avr32/elf.h
64970 +--- linux-2.6.24.5/include/asm-avr32/elf.h 2008-03-24 14:49:18.000000000 -0400
64971 ++++ linux-2.6.24.5/include/asm-avr32/elf.h 2008-03-26 20:21:09.000000000 -0400
64972 +@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
64973 + the loader. We need to make sure that it is out of the way of the program
64974 + that it will "exec", and that there is sufficient room for the brk. */
64975 +
64976 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
64977 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
64978 +
64979 ++#ifdef CONFIG_PAX_ASLR
64980 ++#define PAX_ELF_ET_DYN_BASE 0x00001000UL
64981 ++
64982 ++#define PAX_DELTA_MMAP_LEN 15
64983 ++#define PAX_DELTA_STACK_LEN 15
64984 ++#endif
64985 +
64986 + /* This yields a mask that user programs can use to figure out what
64987 + instruction set this CPU supports. This could be done in user space,
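Review bot: as with the ARM hunk, turning (2 * TASK_SIZE / 3) into (TASK_SIZE / 3 * 2) changes the computed ELF_ET_DYN_BASE: on a 32-bit unsigned long the product 2 * TASK_SIZE wraps whenever TASK_SIZE is 2 GiB or more, and the rounding differs in any case. Call the new default load address out in the changelog. Within the PAX block, 15 bits for both mmap and stack on a 32-bit address space is reasonable, but a comment on the choice would help, and PAX_ELF_ET_DYN_BASE at 0x1000 assumes the first page is reserved for NULL dereference protection, which should be stated.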
64988 +diff -urNp linux-2.6.24.5/include/asm-avr32/kmap_types.h linux-2.6.24.5/include/asm-avr32/kmap_types.h
64989 +--- linux-2.6.24.5/include/asm-avr32/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
64990 ++++ linux-2.6.24.5/include/asm-avr32/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
64991 +@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
64992 + D(11) KM_IRQ1,
64993 + D(12) KM_SOFTIRQ0,
64994 + D(13) KM_SOFTIRQ1,
64995 +-D(14) KM_TYPE_NR
64996 ++D(14) KM_CLEARPAGE,
64997 ++D(15) KM_TYPE_NR
64998 + };
64999 +
65000 + #undef D
65001 +diff -urNp linux-2.6.24.5/include/asm-blackfin/kmap_types.h linux-2.6.24.5/include/asm-blackfin/kmap_types.h
65002 +--- linux-2.6.24.5/include/asm-blackfin/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65003 ++++ linux-2.6.24.5/include/asm-blackfin/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65004 +@@ -15,6 +15,7 @@ enum km_type {
65005 + KM_IRQ1,
65006 + KM_SOFTIRQ0,
65007 + KM_SOFTIRQ1,
65008 ++ KM_CLEARPAGE,
65009 + KM_TYPE_NR
65010 + };
65011 +
65012 +diff -urNp linux-2.6.24.5/include/asm-cris/kmap_types.h linux-2.6.24.5/include/asm-cris/kmap_types.h
65013 +--- linux-2.6.24.5/include/asm-cris/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65014 ++++ linux-2.6.24.5/include/asm-cris/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65015 +@@ -19,6 +19,7 @@ enum km_type {
65016 + KM_IRQ1,
65017 + KM_SOFTIRQ0,
65018 + KM_SOFTIRQ1,
65019 ++ KM_CLEARPAGE,
65020 + KM_TYPE_NR
65021 + };
65022 +
65023 +diff -urNp linux-2.6.24.5/include/asm-frv/kmap_types.h linux-2.6.24.5/include/asm-frv/kmap_types.h
65024 +--- linux-2.6.24.5/include/asm-frv/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65025 ++++ linux-2.6.24.5/include/asm-frv/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65026 +@@ -23,6 +23,7 @@ enum km_type {
65027 + KM_IRQ1,
65028 + KM_SOFTIRQ0,
65029 + KM_SOFTIRQ1,
65030 ++ KM_CLEARPAGE,
65031 + KM_TYPE_NR
65032 + };
65033 +
65034 +diff -urNp linux-2.6.24.5/include/asm-generic/futex.h linux-2.6.24.5/include/asm-generic/futex.h
65035 +--- linux-2.6.24.5/include/asm-generic/futex.h 2008-03-24 14:49:18.000000000 -0400
65036 ++++ linux-2.6.24.5/include/asm-generic/futex.h 2008-03-26 20:21:09.000000000 -0400
65037 +@@ -8,7 +8,7 @@
65038 + #include <asm/uaccess.h>
65039 +
65040 + static inline int
65041 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
65042 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
65043 + {
65044 + int op = (encoded_op >> 28) & 7;
65045 + int cmp = (encoded_op >> 24) & 15;
65046 +@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
65047 + }
65048 +
65049 + static inline int
65050 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
65051 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
65052 + {
65053 + return -ENOSYS;
65054 + }
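Review bot: after changing uaddr to u32 __user * in futex_atomic_cmpxchg_inatomic, oldval and newval are still int, so the prototype now mixes a u32 target with signed values; this stub only returns -ENOSYS, but kernel/futex.c calls it with u32 values and the architectures that implement it need the same widening in the same change, otherwise the signedness mismatch currently hidden by -Wno-pointer-sign is merely moved around. State in the changelog that this (and the futex_atomic_op_inuser hunk above) is a type-consistency change with no functional effect.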
65055 +diff -urNp linux-2.6.24.5/include/asm-generic/vmlinux.lds.h linux-2.6.24.5/include/asm-generic/vmlinux.lds.h
65056 +--- linux-2.6.24.5/include/asm-generic/vmlinux.lds.h 2008-03-24 14:49:18.000000000 -0400
65057 ++++ linux-2.6.24.5/include/asm-generic/vmlinux.lds.h 2008-03-26 20:21:09.000000000 -0400
65058 +@@ -23,6 +23,7 @@
65059 + .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
65060 + VMLINUX_SYMBOL(__start_rodata) = .; \
65061 + *(.rodata) *(.rodata.*) \
65062 ++ *(.data.read_only) \
65063 + *(__vermagic) /* Kernel version magic */ \
65064 + *(__markers_strings) /* Markers: strings */ \
65065 + } \
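Review bot: placing *(.data.read_only) inside .rodata makes any object tagged into that section read-only as soon as the architecture write-protects rodata (CONFIG_DEBUG_RODATA or the PaX kernel-exec protection); that is the point, but nothing in the linker script enforces that later writers go through whatever open/close-kernel helper the patch provides, and the name is misleading at first sight (data by origin, rodata by placement). A short comment on this line and on the macro that tags variables with the section (not in this hunk) would save confusion. Any architecture whose linker script does not use the generic RODATA macro needs the same input-section rule, otherwise the section becomes an orphan and the linker may place it somewhere writable.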
65066 +diff -urNp linux-2.6.24.5/include/asm-h8300/kmap_types.h linux-2.6.24.5/include/asm-h8300/kmap_types.h
65067 +--- linux-2.6.24.5/include/asm-h8300/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65068 ++++ linux-2.6.24.5/include/asm-h8300/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65069 +@@ -15,6 +15,7 @@ enum km_type {
65070 + KM_IRQ1,
65071 + KM_SOFTIRQ0,
65072 + KM_SOFTIRQ1,
65073 ++ KM_CLEARPAGE,
65074 + KM_TYPE_NR
65075 + };
65076 +
65077 +diff -urNp linux-2.6.24.5/include/asm-ia64/elf.h linux-2.6.24.5/include/asm-ia64/elf.h
65078 +--- linux-2.6.24.5/include/asm-ia64/elf.h 2008-03-24 14:49:18.000000000 -0400
65079 ++++ linux-2.6.24.5/include/asm-ia64/elf.h 2008-03-26 20:21:09.000000000 -0400
65080 +@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
65081 + typedef struct ia64_fpreg elf_fpreg_t;
65082 + typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
65083 +
65084 ++#ifdef CONFIG_PAX_ASLR
65085 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
65086 +
65087 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
65088 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
65089 ++#endif
65090 +
65091 + struct pt_regs; /* forward declaration... */
65092 + extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
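Review bot: the #ifdef CONFIG_PAX_ASLR block is interrupted by a pre-existing blank context line between PAX_ELF_ET_DYN_BASE and PAX_DELTA_MMAP_LEN, which is harmless but makes the hunk look like two separate insertions; move the blank line outside the #ifdef. The delta 3*PAGE_SHIFT - 13 for native processes (29 bits with 16 KiB pages) deserves a comment explaining the derivation, since every other architecture in this patch uses a literal.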
65093 +diff -urNp linux-2.6.24.5/include/asm-ia64/kmap_types.h linux-2.6.24.5/include/asm-ia64/kmap_types.h
65094 +--- linux-2.6.24.5/include/asm-ia64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65095 ++++ linux-2.6.24.5/include/asm-ia64/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65096 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65097 + D(10) KM_IRQ1,
65098 + D(11) KM_SOFTIRQ0,
65099 + D(12) KM_SOFTIRQ1,
65100 +-D(13) KM_TYPE_NR
65101 ++D(13) KM_CLEARPAGE,
65102 ++D(14) KM_TYPE_NR
65103 + };
65104 +
65105 + #undef D
65106 +diff -urNp linux-2.6.24.5/include/asm-ia64/pgtable.h linux-2.6.24.5/include/asm-ia64/pgtable.h
65107 +--- linux-2.6.24.5/include/asm-ia64/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65108 ++++ linux-2.6.24.5/include/asm-ia64/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65109 +@@ -143,6 +143,17 @@
65110 + #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65111 + #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65112 + #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
65113 ++
65114 ++#ifdef CONFIG_PAX_PAGEEXEC
65115 ++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
65116 ++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65117 ++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
65118 ++#else
65119 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65120 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65121 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65122 ++#endif
65123 ++
65124 + #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
65125 + #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
65126 + #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
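Review bot: PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC are defined with exactly the bits PAGE_READONLY and PAGE_COPY already have in the context lines above (_PAGE_AR_R is non-executable on ia64), so only PAGE_SHARED_NOEXEC actually differs from its base (_PAGE_AR_RW instead of the base's presumably RWX). Define the two read-only variants as aliases of PAGE_READONLY and PAGE_COPY in both branches so the one real difference from the #else fallback is visible at a glance.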
65127 +diff -urNp linux-2.6.24.5/include/asm-ia64/processor.h linux-2.6.24.5/include/asm-ia64/processor.h
65128 +--- linux-2.6.24.5/include/asm-ia64/processor.h 2008-03-24 14:49:18.000000000 -0400
65129 ++++ linux-2.6.24.5/include/asm-ia64/processor.h 2008-03-26 20:21:09.000000000 -0400
65130 +@@ -275,7 +275,7 @@ struct thread_struct {
65131 + .on_ustack = 0, \
65132 + .ksp = 0, \
65133 + .map_base = DEFAULT_MAP_BASE, \
65134 +- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
65135 ++ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
65136 + .task_size = DEFAULT_TASK_SIZE, \
65137 + .last_fph_cpu = -1, \
65138 + INIT_THREAD_IA32 \
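Review bot: .rbs_bot in INIT_THREAD is now computed from __STACK_TOP, the fixed non-randomised stack top, so the initial thread's register backing store bottom is unaffected by PaX stack randomisation. If the RBS is meant to follow the randomised stack at exec time, reference the code that does that (it is not in this hunk); if it is deliberately left fixed, say so in a comment, since a predictable RBS location is as useful to an attacker as a predictable stack.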
65139 +diff -urNp linux-2.6.24.5/include/asm-ia64/ustack.h linux-2.6.24.5/include/asm-ia64/ustack.h
65140 +--- linux-2.6.24.5/include/asm-ia64/ustack.h 2008-03-24 14:49:18.000000000 -0400
65141 ++++ linux-2.6.24.5/include/asm-ia64/ustack.h 2008-03-26 20:21:09.000000000 -0400
65142 +@@ -10,8 +10,8 @@
65143 +
65144 + /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
65145 + #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
65146 +-#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
65147 +-#define STACK_TOP_MAX STACK_TOP
65148 ++#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
65149 ++#define STACK_TOP_MAX __STACK_TOP
65150 + #endif
65151 +
65152 + /* Make a default stack size of 2GiB */
65153 +diff -urNp linux-2.6.24.5/include/asm-m32r/kmap_types.h linux-2.6.24.5/include/asm-m32r/kmap_types.h
65154 +--- linux-2.6.24.5/include/asm-m32r/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65155 ++++ linux-2.6.24.5/include/asm-m32r/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65156 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
65157 + D(10) KM_IRQ1,
65158 + D(11) KM_SOFTIRQ0,
65159 + D(12) KM_SOFTIRQ1,
65160 +-D(13) KM_TYPE_NR
65161 ++D(13) KM_CLEARPAGE,
65162 ++D(14) KM_TYPE_NR
65163 + };
65164 +
65165 + #undef D
65166 +diff -urNp linux-2.6.24.5/include/asm-m68k/kmap_types.h linux-2.6.24.5/include/asm-m68k/kmap_types.h
65167 +--- linux-2.6.24.5/include/asm-m68k/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65168 ++++ linux-2.6.24.5/include/asm-m68k/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65169 +@@ -15,6 +15,7 @@ enum km_type {
65170 + KM_IRQ1,
65171 + KM_SOFTIRQ0,
65172 + KM_SOFTIRQ1,
65173 ++ KM_CLEARPAGE,
65174 + KM_TYPE_NR
65175 + };
65176 +
65177 +diff -urNp linux-2.6.24.5/include/asm-m68knommu/kmap_types.h linux-2.6.24.5/include/asm-m68knommu/kmap_types.h
65178 +--- linux-2.6.24.5/include/asm-m68knommu/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65179 ++++ linux-2.6.24.5/include/asm-m68knommu/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65180 +@@ -15,6 +15,7 @@ enum km_type {
65181 + KM_IRQ1,
65182 + KM_SOFTIRQ0,
65183 + KM_SOFTIRQ1,
65184 ++ KM_CLEARPAGE,
65185 + KM_TYPE_NR
65186 + };
65187 +
65188 +diff -urNp linux-2.6.24.5/include/asm-mips/a.out.h linux-2.6.24.5/include/asm-mips/a.out.h
65189 +--- linux-2.6.24.5/include/asm-mips/a.out.h 2008-03-24 14:49:18.000000000 -0400
65190 ++++ linux-2.6.24.5/include/asm-mips/a.out.h 2008-03-26 20:21:09.000000000 -0400
65191 +@@ -35,10 +35,10 @@ struct exec
65192 + #ifdef __KERNEL__
65193 +
65194 + #ifdef CONFIG_32BIT
65195 +-#define STACK_TOP TASK_SIZE
65196 ++#define __STACK_TOP TASK_SIZE
65197 + #endif
65198 + #ifdef CONFIG_64BIT
65199 +-#define STACK_TOP \
65200 ++#define __STACK_TOP \
65201 + (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
65202 + #endif
65203 + #define STACK_TOP_MAX TASK_SIZE
65204 +diff -urNp linux-2.6.24.5/include/asm-mips/elf.h linux-2.6.24.5/include/asm-mips/elf.h
65205 +--- linux-2.6.24.5/include/asm-mips/elf.h 2008-03-24 14:49:18.000000000 -0400
65206 ++++ linux-2.6.24.5/include/asm-mips/elf.h 2008-03-26 20:21:09.000000000 -0400
65207 +@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
65208 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
65209 + #endif
65210 +
65211 ++#ifdef CONFIG_PAX_ASLR
65212 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
65213 ++
65214 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
65215 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
65216 ++#endif
65217 ++
65218 + #endif /* _ASM_ELF_H */
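Review bot: the PAX_ELF_ET_DYN_BASE conditional is a no-op, both arms of the (current->thread.mflags & MF_32BIT_ADDR) ? ... : ... expression are 0x00400000UL. Either collapse it to the plain literal or, if 64-bit processes were meant to get a different base, fix the second arm; as written it reads like a copy-and-paste slip. The PAX_DELTA_* expressions are fine, but a comment that 27-PAGE_SHIFT and 36-PAGE_SHIFT yield 15 and 24 random bits at 4 KiB pages would help.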
65219 +diff -urNp linux-2.6.24.5/include/asm-mips/kmap_types.h linux-2.6.24.5/include/asm-mips/kmap_types.h
65220 +--- linux-2.6.24.5/include/asm-mips/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65221 ++++ linux-2.6.24.5/include/asm-mips/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65222 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65223 + D(10) KM_IRQ1,
65224 + D(11) KM_SOFTIRQ0,
65225 + D(12) KM_SOFTIRQ1,
65226 +-D(13) KM_TYPE_NR
65227 ++D(13) KM_CLEARPAGE,
65228 ++D(14) KM_TYPE_NR
65229 + };
65230 +
65231 + #undef D
65232 +diff -urNp linux-2.6.24.5/include/asm-mips/page.h linux-2.6.24.5/include/asm-mips/page.h
65233 +--- linux-2.6.24.5/include/asm-mips/page.h 2008-03-24 14:49:18.000000000 -0400
65234 ++++ linux-2.6.24.5/include/asm-mips/page.h 2008-03-26 20:21:09.000000000 -0400
65235 +@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
65236 + #ifdef CONFIG_CPU_MIPS32
65237 + typedef struct { unsigned long pte_low, pte_high; } pte_t;
65238 + #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
65239 +- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
65240 ++ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
65241 + #else
65242 + typedef struct { unsigned long long pte; } pte_t;
65243 + #define pte_val(x) ((x).pte)
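Review bot: dropping the (unsigned long long) cast in __pte(x) changes semantics, not just style: if a caller passes a 32-bit unsigned long, (x) >> 32 is a shift by the operand width, which is undefined in C, and on MIPS the shift count is taken modulo 32, so the high word silently becomes a copy of the low word instead of zero. The cast existed to widen first. If the intent is to force callers to pass 64-bit values so that the compiler warns on misuse, say so in the changelog and audit the callers; otherwise keep the cast.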
65244 +diff -urNp linux-2.6.24.5/include/asm-mips/system.h linux-2.6.24.5/include/asm-mips/system.h
65245 +--- linux-2.6.24.5/include/asm-mips/system.h 2008-03-24 14:49:18.000000000 -0400
65246 ++++ linux-2.6.24.5/include/asm-mips/system.h 2008-03-26 20:21:09.000000000 -0400
65247 +@@ -215,6 +215,6 @@ extern void per_cpu_trap_init(void);
65248 + */
65249 + #define __ARCH_WANT_UNLOCKED_CTXSW
65250 +
65251 +-extern unsigned long arch_align_stack(unsigned long sp);
65252 ++#define arch_align_stack(x) (x)
65253 +
65254 + #endif /* _ASM_SYSTEM_H */
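Review bot: replacing the arch_align_stack() prototype with #define arch_align_stack(x) (x) removes mainline's stack-pointer jitter on MIPS for every process, not only where PaX's own randomisation takes over; if the define exists because a PaX option supersedes the mainline jitter, make it conditional on that option and keep the extern for the other configuration. The macro also drops whatever alignment the function applied to the result, so the replacement path must guarantee the ABI stack alignment itself. Make sure the now-unreferenced definition under arch/mips is removed in the same patch.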
65255 +diff -urNp linux-2.6.24.5/include/asm-parisc/a.out.h linux-2.6.24.5/include/asm-parisc/a.out.h
65256 +--- linux-2.6.24.5/include/asm-parisc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65257 ++++ linux-2.6.24.5/include/asm-parisc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65258 +@@ -22,7 +22,7 @@ struct exec
65259 + /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
65260 + * prumpf */
65261 +
65262 +-#define STACK_TOP TASK_SIZE
65263 ++#define __STACK_TOP TASK_SIZE
65264 + #define STACK_TOP_MAX DEFAULT_TASK_SIZE
65265 +
65266 + #endif
65267 +diff -urNp linux-2.6.24.5/include/asm-parisc/elf.h linux-2.6.24.5/include/asm-parisc/elf.h
65268 +--- linux-2.6.24.5/include/asm-parisc/elf.h 2008-03-24 14:49:18.000000000 -0400
65269 ++++ linux-2.6.24.5/include/asm-parisc/elf.h 2008-03-26 20:21:09.000000000 -0400
65270 +@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
65271 +
65272 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
65273 +
65274 ++#ifdef CONFIG_PAX_ASLR
65275 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
65276 ++
65277 ++#define PAX_DELTA_MMAP_LEN 16
65278 ++#define PAX_DELTA_STACK_LEN 16
65279 ++#endif
65280 ++
65281 + /* This yields a mask that user programs can use to figure out what
65282 + instruction set this CPU supports. This could be done in user space,
65283 + but it's not easy, and we've already done it here. */
65284 +diff -urNp linux-2.6.24.5/include/asm-parisc/kmap_types.h linux-2.6.24.5/include/asm-parisc/kmap_types.h
65285 +--- linux-2.6.24.5/include/asm-parisc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65286 ++++ linux-2.6.24.5/include/asm-parisc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65287 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
65288 + D(10) KM_IRQ1,
65289 + D(11) KM_SOFTIRQ0,
65290 + D(12) KM_SOFTIRQ1,
65291 +-D(13) KM_TYPE_NR
65292 ++D(13) KM_CLEARPAGE,
65293 ++D(14) KM_TYPE_NR
65294 + };
65295 +
65296 + #undef D
65297 +diff -urNp linux-2.6.24.5/include/asm-parisc/pgtable.h linux-2.6.24.5/include/asm-parisc/pgtable.h
65298 +--- linux-2.6.24.5/include/asm-parisc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65299 ++++ linux-2.6.24.5/include/asm-parisc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65300 +@@ -210,6 +210,17 @@ extern void *vmalloc_start;
65301 + #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
65302 + #define PAGE_COPY PAGE_EXECREAD
65303 + #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
65304 ++
65305 ++#ifdef CONFIG_PAX_PAGEEXEC
65306 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
65307 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
65308 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
65309 ++#else
65310 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65311 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65312 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65313 ++#endif
65314 ++
65315 + #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
65316 + #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
65317 + #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
65318 +diff -urNp linux-2.6.24.5/include/asm-powerpc/a.out.h linux-2.6.24.5/include/asm-powerpc/a.out.h
65319 +--- linux-2.6.24.5/include/asm-powerpc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65320 ++++ linux-2.6.24.5/include/asm-powerpc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65321 +@@ -23,15 +23,15 @@ struct exec
65322 + #define STACK_TOP_USER64 TASK_SIZE_USER64
65323 + #define STACK_TOP_USER32 TASK_SIZE_USER32
65324 +
65325 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65326 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65327 + STACK_TOP_USER32 : STACK_TOP_USER64)
65328 +
65329 + #define STACK_TOP_MAX STACK_TOP_USER64
65330 +
65331 + #else /* __powerpc64__ */
65332 +
65333 +-#define STACK_TOP TASK_SIZE
65334 +-#define STACK_TOP_MAX STACK_TOP
65335 ++#define __STACK_TOP TASK_SIZE
65336 ++#define STACK_TOP_MAX __STACK_TOP
65337 +
65338 + #endif /* __powerpc64__ */
65339 + #endif /* __KERNEL__ */
65340 +diff -urNp linux-2.6.24.5/include/asm-powerpc/elf.h linux-2.6.24.5/include/asm-powerpc/elf.h
65341 +--- linux-2.6.24.5/include/asm-powerpc/elf.h 2008-03-24 14:49:18.000000000 -0400
65342 ++++ linux-2.6.24.5/include/asm-powerpc/elf.h 2008-03-26 20:21:09.000000000 -0400
65343 +@@ -160,6 +160,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
65344 + typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
65345 + #endif
65346 +
65347 ++#ifdef CONFIG_PAX_ASLR
65348 ++#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
65349 ++
65350 ++#ifdef __powerpc64__
65351 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
65352 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
65353 ++#else
65354 ++#define PAX_DELTA_MMAP_LEN 15
65355 ++#define PAX_DELTA_STACK_LEN 15
65356 ++#endif
65357 ++#endif
65358 ++
65359 + #ifdef __KERNEL__
65360 + /*
65361 + * This is used to ensure we don't load something for the wrong architecture.
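Review bot: the nested #ifdef __powerpc64__ inside #ifdef CONFIG_PAX_ASLR ends in two bare #endif lines; this tree labels its conditionals (the powerpc a.out.h hunk earlier in the patch has #endif /* __powerpc64__ */ and the #ifdef __KERNEL__ that follows here is labelled too), so add /* __powerpc64__ */ and /* CONFIG_PAX_ASLR */. PAX_ELF_ET_DYN_BASE is a single 0x10000000UL for both 32-bit and 64-bit processes while the delta lengths differ (16 versus 28 bits); a comment on why the base need not differ would help.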
65362 +diff -urNp linux-2.6.24.5/include/asm-powerpc/kmap_types.h linux-2.6.24.5/include/asm-powerpc/kmap_types.h
65363 +--- linux-2.6.24.5/include/asm-powerpc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65364 ++++ linux-2.6.24.5/include/asm-powerpc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65365 +@@ -26,6 +26,7 @@ enum km_type {
65366 + KM_SOFTIRQ1,
65367 + KM_PPC_SYNC_PAGE,
65368 + KM_PPC_SYNC_ICACHE,
65369 ++ KM_CLEARPAGE,
65370 + KM_TYPE_NR
65371 + };
65372 +
65373 +diff -urNp linux-2.6.24.5/include/asm-powerpc/page_64.h linux-2.6.24.5/include/asm-powerpc/page_64.h
65374 +--- linux-2.6.24.5/include/asm-powerpc/page_64.h 2008-03-24 14:49:18.000000000 -0400
65375 ++++ linux-2.6.24.5/include/asm-powerpc/page_64.h 2008-03-26 20:21:09.000000000 -0400
65376 +@@ -171,15 +171,18 @@ do { \
65377 + * stack by default, so in the absense of a PT_GNU_STACK program header
65378 + * we turn execute permission off.
65379 + */
65380 +-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
65381 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65382 ++#define VM_STACK_DEFAULT_FLAGS32 \
65383 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
65384 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65385 +
65386 + #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
65387 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65388 +
65389 ++#ifndef CONFIG_PAX_PAGEEXEC
65390 + #define VM_STACK_DEFAULT_FLAGS \
65391 + (test_thread_flag(TIF_32BIT) ? \
65392 + VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
65393 ++#endif
65394 +
65395 + #include <asm-generic/page.h>
65396 +
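Review bot: the comment above VM_STACK_DEFAULT_FLAGS32 is now stale. It describes the 64-bit ABI default only, while the 32-bit default no longer hands out VM_EXEC unconditionally but only when the task's personality has READ_IMPLIES_EXEC set, which is a behaviour change for 32-bit binaries without a PT_GNU_STACK header; extend the comment to say so. Wrapping VM_STACK_DEFAULT_FLAGS in #ifndef CONFIG_PAX_PAGEEXEC also means that with PAGEEXEC enabled this header defines no stack default at all and the generic fallback in linux/mm.h (VM_DATA_DEFAULT_FLAGS in mainline) takes over; if that fallback is what is intended, say so on the #ifndef, because otherwise it reads as an accidental omission. Minor: `0 )` has a stray space before the parenthesis.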
65397 +diff -urNp linux-2.6.24.5/include/asm-powerpc/page.h linux-2.6.24.5/include/asm-powerpc/page.h
65398 +--- linux-2.6.24.5/include/asm-powerpc/page.h 2008-03-24 14:49:18.000000000 -0400
65399 ++++ linux-2.6.24.5/include/asm-powerpc/page.h 2008-03-26 20:21:09.000000000 -0400
65400 +@@ -71,8 +71,9 @@
65401 + * and needs to be executable. This means the whole heap ends
65402 + * up being executable.
65403 + */
65404 +-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
65405 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65406 ++#define VM_DATA_DEFAULT_FLAGS32 \
65407 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
65408 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
65409 +
65410 + #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
65411 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
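Review bot: the READ_IMPLIES_EXEC expression duplicated here and in page_64.h's VM_STACK_DEFAULT_FLAGS32 should be one shared macro so the two cannot drift apart. The comment above this macro ("needs to be executable. This means the whole heap ends up being executable") is no longer true once VM_EXEC depends on the personality flag; rewrite it to say the heap is executable only for READ_IMPLIES_EXEC tasks.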
65412 +diff -urNp linux-2.6.24.5/include/asm-ppc/mmu_context.h linux-2.6.24.5/include/asm-ppc/mmu_context.h
65413 +--- linux-2.6.24.5/include/asm-ppc/mmu_context.h 2008-03-24 14:49:18.000000000 -0400
65414 ++++ linux-2.6.24.5/include/asm-ppc/mmu_context.h 2008-03-26 20:21:09.000000000 -0400
65415 +@@ -146,7 +146,8 @@ static inline void get_mmu_context(struc
65416 + static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
65417 + {
65418 + mm->context.id = NO_CONTEXT;
65419 +- mm->context.vdso_base = 0;
65420 ++ if (t == current)
65421 ++ mm->context.vdso_base = ~0UL;
65422 + return 0;
65423 + }
65424 +
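Review bot: the `if (t == current)` guard needs a comment, because as written the non-current branch looks like it leaves vdso_base uninitialised. If the intent is that a forked mm (t != current) keeps the vdso_base copied from the parent while a fresh mm built for exec (t == current) gets the ~0UL "not mapped yet" sentinel, state that, and state explicitly that the sentinel is now ~0UL rather than 0 so that any caller still testing for 0 is found and fixed.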
65425 +diff -urNp linux-2.6.24.5/include/asm-ppc/pgtable.h linux-2.6.24.5/include/asm-ppc/pgtable.h
65426 +--- linux-2.6.24.5/include/asm-ppc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65427 ++++ linux-2.6.24.5/include/asm-ppc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65428 +@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
65429 +
65430 + #define PAGE_NONE __pgprot(_PAGE_BASE)
65431 + #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
65432 +-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
65433 ++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
65434 + #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
65435 +-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
65436 ++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
65437 + #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
65438 +-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
65439 ++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
65440 ++
65441 ++#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
65442 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
65443 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
65444 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
65445 ++#else
65446 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65447 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65448 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65449 ++#endif
65450 +
65451 + #define PAGE_KERNEL __pgprot(_PAGE_RAM)
65452 + #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
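Review bot: two things here deserve a comment and one deserves a check. The NOEXEC protections deny execution by setting _PAGE_GUARDED, which works because an instruction fetch from a guarded page raises an ISI on the classic 32-bit MMUs, and 40x/44x are excluded because those MMUs have a real hardware execute bit (_PAGE_HWEXEC) and use G for something else; neither fact is stated. The check: adding _PAGE_HWEXEC eagerly to PAGE_READONLY_X, PAGE_SHARED_X and PAGE_COPY_X changes behaviour on 4xx/Book-E if the fault handler there relies on _PAGE_HWEXEC being clear to flush the dcache lazily and set the bit on first execution; confirm that path still gets to make the icache coherent, or that the flush happens elsewhere.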
65453 +@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
65454 + * This is the closest we can get..
65455 + */
65456 + #define __P000 PAGE_NONE
65457 +-#define __P001 PAGE_READONLY_X
65458 +-#define __P010 PAGE_COPY
65459 +-#define __P011 PAGE_COPY_X
65460 +-#define __P100 PAGE_READONLY
65461 ++#define __P001 PAGE_READONLY_NOEXEC
65462 ++#define __P010 PAGE_COPY_NOEXEC
65463 ++#define __P011 PAGE_COPY_NOEXEC
65464 ++#define __P100 PAGE_READONLY_X
65465 + #define __P101 PAGE_READONLY_X
65466 +-#define __P110 PAGE_COPY
65467 ++#define __P110 PAGE_COPY_X
65468 + #define __P111 PAGE_COPY_X
65469 +
65470 + #define __S000 PAGE_NONE
65471 +-#define __S001 PAGE_READONLY_X
65472 +-#define __S010 PAGE_SHARED
65473 +-#define __S011 PAGE_SHARED_X
65474 +-#define __S100 PAGE_READONLY
65475 ++#define __S001 PAGE_READONLY_NOEXEC
65476 ++#define __S010 PAGE_SHARED_NOEXEC
65477 ++#define __S011 PAGE_SHARED_NOEXEC
65478 ++#define __S100 PAGE_READONLY_X
65479 + #define __S101 PAGE_READONLY_X
65480 +-#define __S110 PAGE_SHARED
65481 ++#define __S110 PAGE_SHARED_X
65482 + #define __S111 PAGE_SHARED_X
65483 +
65484 + #ifndef __ASSEMBLY__
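Review bot: the table is now internally consistent (the exec bit of the index, value 4, selects the _X protections and every other entry gets a NOEXEC one), whereas before the _X protections were attached to the read bit of the index (value 1). That is a user-visible mprotect()/mmap() change even without CONFIG_PAX_PAGEEXEC, since __P100, __P110, __S100 and __S110 gain _PAGE_EXEC and __P001, __P011, __S001 and __S011 lose it while the NOEXEC names merely alias the plain protections; call it out in the changelog and rewrite the "This is the closest we can get.." comment above for the new mapping.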
65485 +diff -urNp linux-2.6.24.5/include/asm-s390/kmap_types.h linux-2.6.24.5/include/asm-s390/kmap_types.h
65486 +--- linux-2.6.24.5/include/asm-s390/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65487 ++++ linux-2.6.24.5/include/asm-s390/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65488 +@@ -16,6 +16,7 @@ enum km_type {
65489 + KM_IRQ1,
65490 + KM_SOFTIRQ0,
65491 + KM_SOFTIRQ1,
65492 ++ KM_CLEARPAGE,
65493 + KM_TYPE_NR
65494 + };
65495 +
65496 +diff -urNp linux-2.6.24.5/include/asm-sh/kmap_types.h linux-2.6.24.5/include/asm-sh/kmap_types.h
65497 +--- linux-2.6.24.5/include/asm-sh/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65498 ++++ linux-2.6.24.5/include/asm-sh/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65499 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
65500 + D(10) KM_IRQ1,
65501 + D(11) KM_SOFTIRQ0,
65502 + D(12) KM_SOFTIRQ1,
65503 +-D(13) KM_TYPE_NR
65504 ++D(13) KM_CLEARPAGE,
65505 ++D(14) KM_TYPE_NR
65506 + };
65507 +
65508 + #undef D
65509 +diff -urNp linux-2.6.24.5/include/asm-sparc/a.out.h linux-2.6.24.5/include/asm-sparc/a.out.h
65510 +--- linux-2.6.24.5/include/asm-sparc/a.out.h 2008-03-24 14:49:18.000000000 -0400
65511 ++++ linux-2.6.24.5/include/asm-sparc/a.out.h 2008-03-26 20:21:09.000000000 -0400
65512 +@@ -91,8 +91,8 @@ struct relocation_info /* used when head
65513 +
65514 + #include <asm/page.h>
65515 +
65516 +-#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
65517 +-#define STACK_TOP_MAX STACK_TOP
65518 ++#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
65519 ++#define STACK_TOP_MAX __STACK_TOP
65520 +
65521 + #endif /* __KERNEL__ */
65522 +
65523 +diff -urNp linux-2.6.24.5/include/asm-sparc/elf.h linux-2.6.24.5/include/asm-sparc/elf.h
65524 +--- linux-2.6.24.5/include/asm-sparc/elf.h 2008-03-24 14:49:18.000000000 -0400
65525 ++++ linux-2.6.24.5/include/asm-sparc/elf.h 2008-03-26 20:21:09.000000000 -0400
65526 +@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
65527 +
65528 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
65529 +
65530 ++#ifdef CONFIG_PAX_ASLR
65531 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
65532 ++
65533 ++#define PAX_DELTA_MMAP_LEN 16
65534 ++#define PAX_DELTA_STACK_LEN 16
65535 ++#endif
65536 ++
65537 + /* This yields a mask that user programs can use to figure out what
65538 + instruction set this cpu supports. This can NOT be done in userspace
65539 + on Sparc. */
65540 +diff -urNp linux-2.6.24.5/include/asm-sparc/kmap_types.h linux-2.6.24.5/include/asm-sparc/kmap_types.h
65541 +--- linux-2.6.24.5/include/asm-sparc/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65542 ++++ linux-2.6.24.5/include/asm-sparc/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65543 +@@ -15,6 +15,7 @@ enum km_type {
65544 + KM_IRQ1,
65545 + KM_SOFTIRQ0,
65546 + KM_SOFTIRQ1,
65547 ++ KM_CLEARPAGE,
65548 + KM_TYPE_NR
65549 + };
65550 +
65551 +diff -urNp linux-2.6.24.5/include/asm-sparc/pgtable.h linux-2.6.24.5/include/asm-sparc/pgtable.h
65552 +--- linux-2.6.24.5/include/asm-sparc/pgtable.h 2008-03-24 14:49:18.000000000 -0400
65553 ++++ linux-2.6.24.5/include/asm-sparc/pgtable.h 2008-03-26 20:21:09.000000000 -0400
65554 +@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
65555 + #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
65556 + #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
65557 +
65558 ++#ifdef CONFIG_PAX_PAGEEXEC
65559 ++extern pgprot_t PAGE_SHARED_NOEXEC;
65560 ++# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
65561 ++# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
65562 ++#else
65563 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
65564 ++# define PAGE_COPY_NOEXEC PAGE_COPY
65565 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
65566 ++#endif
65567 ++
65568 + extern unsigned long page_kernel;
65569 +
65570 + #ifdef MODULE
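Review bot: under CONFIG_PAX_PAGEEXEC these declarations reference a PAGE_SHARED_NOEXEC variable and two BTFIXUP targets (page_copy_noexec, page_readonly_noexec) whose definitions and BTFIXUPSET calls are not in this excerpt. The SRMMU values appear in pgtsrmmu.h below, but nothing here shows the other sparc32 MMU variant being handled, and an unset BTFIXUP_INT evaluates to whatever the fixup stub happens to contain. Confirm every MMU type sets all three and record the dependency in a comment.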
65571 +diff -urNp linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h
65572 +--- linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h 2008-03-24 14:49:18.000000000 -0400
65573 ++++ linux-2.6.24.5/include/asm-sparc/pgtsrmmu.h 2008-03-26 20:21:09.000000000 -0400
65574 +@@ -115,6 +115,16 @@
65575 + SRMMU_EXEC | SRMMU_REF)
65576 + #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65577 + SRMMU_EXEC | SRMMU_REF)
65578 ++
65579 ++#ifdef CONFIG_PAX_PAGEEXEC
65580 ++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65581 ++ SRMMU_WRITE | SRMMU_REF)
65582 ++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65583 ++ SRMMU_REF)
65584 ++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
65585 ++ SRMMU_REF)
65586 ++#endif
65587 ++
65588 + #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
65589 + SRMMU_DIRTY | SRMMU_REF)
65590 +
65591 +diff -urNp linux-2.6.24.5/include/asm-sparc/uaccess.h linux-2.6.24.5/include/asm-sparc/uaccess.h
65592 +--- linux-2.6.24.5/include/asm-sparc/uaccess.h 2008-03-24 14:49:18.000000000 -0400
65593 ++++ linux-2.6.24.5/include/asm-sparc/uaccess.h 2008-03-26 20:21:09.000000000 -0400
65594 +@@ -41,7 +41,7 @@
65595 + * No one can read/write anything from userland in the kernel space by setting
65596 + * large size and address near to PAGE_OFFSET - a fault will break his intentions.
65597 + */
65598 +-#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
65599 ++#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
65600 + #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
65601 + #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
65602 + #define access_ok(type, addr, size) \
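Review bot: bounding __user_ok on __STACK_TOP rather than on whatever STACK_TOP now expands to is the right choice, since access_ok must cover the fixed end of the user address range and not a per-process stack placement, but the reason should be written next to the macro. After the rename it is tempting to "fix" this back to STACK_TOP, which would make access_ok depend on the current task's stack and weaken the kernel/user boundary check.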
65603 +diff -urNp linux-2.6.24.5/include/asm-sparc64/a.out.h linux-2.6.24.5/include/asm-sparc64/a.out.h
65604 +--- linux-2.6.24.5/include/asm-sparc64/a.out.h 2008-03-24 14:49:18.000000000 -0400
65605 ++++ linux-2.6.24.5/include/asm-sparc64/a.out.h 2008-03-26 20:21:09.000000000 -0400
65606 +@@ -98,7 +98,7 @@ struct relocation_info /* used when head
65607 + #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
65608 + #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
65609 +
65610 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65611 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
65612 + STACK_TOP32 : STACK_TOP64)
65613 +
65614 + #define STACK_TOP_MAX STACK_TOP64
65615 +diff -urNp linux-2.6.24.5/include/asm-sparc64/elf.h linux-2.6.24.5/include/asm-sparc64/elf.h
65616 +--- linux-2.6.24.5/include/asm-sparc64/elf.h 2008-03-24 14:49:18.000000000 -0400
65617 ++++ linux-2.6.24.5/include/asm-sparc64/elf.h 2008-03-26 20:21:09.000000000 -0400
65618 +@@ -143,6 +143,12 @@ typedef struct {
65619 + #define ELF_ET_DYN_BASE 0x0000010000000000UL
65620 + #endif
65621 +
65622 ++#ifdef CONFIG_PAX_ASLR
65623 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
65624 ++
65625 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
65626 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
65627 ++#endif
65628 +
65629 + /* This yields a mask that user programs can use to figure out what
65630 + instruction set this cpu supports. */
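Review bot: the entropy widths need an explanation. mmap gets one bit less than the stack in both branches (14/15 for 32-bit tasks, 28/29 for 64-bit), and a 32-bit task gets 14/15 bits under a sparc64 kernel but 16/16 under the sparc32 kernel in the asm-sparc/elf.h hunk above; if the asymmetry follows from address-space layout constraints, say so, otherwise the numbers look arbitrary. Minor: stray spaces before the closing parentheses in both PAX_DELTA_* lines.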
65631 +diff -urNp linux-2.6.24.5/include/asm-sparc64/kmap_types.h linux-2.6.24.5/include/asm-sparc64/kmap_types.h
65632 +--- linux-2.6.24.5/include/asm-sparc64/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65633 ++++ linux-2.6.24.5/include/asm-sparc64/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65634 +@@ -19,6 +19,7 @@ enum km_type {
65635 + KM_IRQ1,
65636 + KM_SOFTIRQ0,
65637 + KM_SOFTIRQ1,
65638 ++ KM_CLEARPAGE,
65639 + KM_TYPE_NR
65640 + };
65641 +
65642 +diff -urNp linux-2.6.24.5/include/asm-um/kmap_types.h linux-2.6.24.5/include/asm-um/kmap_types.h
65643 +--- linux-2.6.24.5/include/asm-um/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65644 ++++ linux-2.6.24.5/include/asm-um/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65645 +@@ -23,6 +23,7 @@ enum km_type {
65646 + KM_IRQ1,
65647 + KM_SOFTIRQ0,
65648 + KM_SOFTIRQ1,
65649 ++ KM_CLEARPAGE,
65650 + KM_TYPE_NR
65651 + };
65652 +
65653 +diff -urNp linux-2.6.24.5/include/asm-v850/kmap_types.h linux-2.6.24.5/include/asm-v850/kmap_types.h
65654 +--- linux-2.6.24.5/include/asm-v850/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
65655 ++++ linux-2.6.24.5/include/asm-v850/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
65656 +@@ -13,6 +13,7 @@ enum km_type {
65657 + KM_PTE1,
65658 + KM_IRQ0,
65659 + KM_IRQ1,
65660 ++ KM_CLEARPAGE,
65661 + KM_TYPE_NR
65662 + };
65663 +
65664 +diff -urNp linux-2.6.24.5/include/asm-x86/alternative_32.h linux-2.6.24.5/include/asm-x86/alternative_32.h
65665 +--- linux-2.6.24.5/include/asm-x86/alternative_32.h 2008-03-24 14:49:18.000000000 -0400
65666 ++++ linux-2.6.24.5/include/asm-x86/alternative_32.h 2008-03-26 20:21:09.000000000 -0400
65667 +@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
65668 + " .byte 662b-661b\n" /* sourcelen */ \
65669 + " .byte 664f-663f\n" /* replacementlen */ \
65670 + ".previous\n" \
65671 +- ".section .altinstr_replacement,\"ax\"\n" \
65672 ++ ".section .altinstr_replacement,\"a\"\n" \
65673 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
65674 + ".previous" :: "i" (feature) : "memory")
65675 +
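Review bot: dropping the x flag from .altinstr_replacement in all three macros here (and the three in alternative_64.h) is only correct because the replacement bytes are copied over the original instructions by apply_alternatives() and never executed where they sit, and it only achieves anything if the linker script places the now non-executable section outside the executable mapping; neither the rationale nor the vmlinux.lds change is visible here. Add a comment at the first macro and reference the linker-script change in the changelog.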
65676 +@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
65677 + " .byte 662b-661b\n" /* sourcelen */ \
65678 + " .byte 664f-663f\n" /* replacementlen */ \
65679 + ".previous\n" \
65680 +- ".section .altinstr_replacement,\"ax\"\n" \
65681 ++ ".section .altinstr_replacement,\"a\"\n" \
65682 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
65683 + ".previous" :: "i" (feature), ##input)
65684 +
65685 +@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
65686 + " .byte 662b-661b\n" /* sourcelen */ \
65687 + " .byte 664f-663f\n" /* replacementlen */ \
65688 + ".previous\n" \
65689 +- ".section .altinstr_replacement,\"ax\"\n" \
65690 ++ ".section .altinstr_replacement,\"a\"\n" \
65691 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65692 + ".previous" : output : [feat] "i" (feature), ##input)
65693 +
65694 +diff -urNp linux-2.6.24.5/include/asm-x86/alternative_64.h linux-2.6.24.5/include/asm-x86/alternative_64.h
65695 +--- linux-2.6.24.5/include/asm-x86/alternative_64.h 2008-03-24 14:49:18.000000000 -0400
65696 ++++ linux-2.6.24.5/include/asm-x86/alternative_64.h 2008-03-26 20:21:09.000000000 -0400
65697 +@@ -94,7 +94,7 @@ static inline void alternatives_smp_swit
65698 + " .byte 662b-661b\n" /* sourcelen */ \
65699 + " .byte 664f-663f\n" /* replacementlen */ \
65700 + ".previous\n" \
65701 +- ".section .altinstr_replacement,\"ax\"\n" \
65702 ++ ".section .altinstr_replacement,\"a\"\n" \
65703 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65704 + ".previous" :: "i" (feature) : "memory")
65705 +
65706 +@@ -118,7 +118,7 @@ static inline void alternatives_smp_swit
65707 + " .byte 662b-661b\n" /* sourcelen */ \
65708 + " .byte 664f-663f\n" /* replacementlen */ \
65709 + ".previous\n" \
65710 +- ".section .altinstr_replacement,\"ax\"\n" \
65711 ++ ".section .altinstr_replacement,\"a\"\n" \
65712 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65713 + ".previous" :: "i" (feature), ##input)
65714 +
65715 +@@ -133,7 +133,7 @@ static inline void alternatives_smp_swit
65716 + " .byte 662b-661b\n" /* sourcelen */ \
65717 + " .byte 664f-663f\n" /* replacementlen */ \
65718 + ".previous\n" \
65719 +- ".section .altinstr_replacement,\"ax\"\n" \
65720 ++ ".section .altinstr_replacement,\"a\"\n" \
65721 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
65722 + ".previous" : output : [feat] "i" (feature), ##input)
65723 +
65724 +diff -urNp linux-2.6.24.5/include/asm-x86/a.out.h linux-2.6.24.5/include/asm-x86/a.out.h
65725 +--- linux-2.6.24.5/include/asm-x86/a.out.h 2008-03-24 14:49:18.000000000 -0400
65726 ++++ linux-2.6.24.5/include/asm-x86/a.out.h 2008-03-26 20:21:09.000000000 -0400
65727 +@@ -19,9 +19,13 @@ struct exec
65728 +
65729 + #ifdef __KERNEL__
65730 + # include <linux/thread_info.h>
65731 +-# define STACK_TOP TASK_SIZE
65732 ++# ifdef CONFIG_PAX_SEGMEXEC
65733 ++# define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
65734 ++# else
65735 ++# define __STACK_TOP TASK_SIZE
65736 ++# endif
65737 + # ifdef CONFIG_X86_32
65738 +-# define STACK_TOP_MAX STACK_TOP
65739 ++# define STACK_TOP_MAX TASK_SIZE
65740 + # else
65741 + # define STACK_TOP_MAX TASK_SIZE64
65742 + # endif
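Review bot: it is not obvious from this hunk why STACK_TOP_MAX stays at TASK_SIZE on X86_32 while __STACK_TOP is halved for SEGMEXEC tasks. If that is because STACK_TOP_MAX is consulted while the new mm is being set up, before its pax_flags are known, a comment saying so would stop someone from "fixing" it to __STACK_TOP. Also note that the SEGMEXEC branch dereferences current->mm unconditionally, so __STACK_TOP must never be evaluated from a kernel thread.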
65743 +diff -urNp linux-2.6.24.5/include/asm-x86/apic_32.h linux-2.6.24.5/include/asm-x86/apic_32.h
65744 +--- linux-2.6.24.5/include/asm-x86/apic_32.h 2008-03-24 14:49:18.000000000 -0400
65745 ++++ linux-2.6.24.5/include/asm-x86/apic_32.h 2008-03-26 20:21:09.000000000 -0400
65746 +@@ -8,7 +8,7 @@
65747 + #include <asm/processor.h>
65748 + #include <asm/system.h>
65749 +
65750 +-#define Dprintk(x...)
65751 ++#define Dprintk(x...) do {} while (0)
65752 +
65753 + /*
65754 + * Debugging macros
65755 +diff -urNp linux-2.6.24.5/include/asm-x86/apic_64.h linux-2.6.24.5/include/asm-x86/apic_64.h
65756 +--- linux-2.6.24.5/include/asm-x86/apic_64.h 2008-03-24 14:49:18.000000000 -0400
65757 ++++ linux-2.6.24.5/include/asm-x86/apic_64.h 2008-03-26 20:21:09.000000000 -0400
65758 +@@ -7,7 +7,7 @@
65759 + #include <asm/apicdef.h>
65760 + #include <asm/system.h>
65761 +
65762 +-#define Dprintk(x...)
65763 ++#define Dprintk(x...) do {} while (0)
65764 +
65765 + /*
65766 + * Debugging macros
65767 +diff -urNp linux-2.6.24.5/include/asm-x86/boot.h linux-2.6.24.5/include/asm-x86/boot.h
65768 +--- linux-2.6.24.5/include/asm-x86/boot.h 2008-03-24 14:49:18.000000000 -0400
65769 ++++ linux-2.6.24.5/include/asm-x86/boot.h 2008-03-26 20:21:09.000000000 -0400
65770 +@@ -13,8 +13,13 @@
65771 + #define ASK_VGA 0xfffd /* ask for it at bootup */
65772 +
65773 + /* Physical address where kernel should be loaded. */
65774 +-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
65775 ++#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
65776 + + (CONFIG_PHYSICAL_ALIGN - 1)) \
65777 + & ~(CONFIG_PHYSICAL_ALIGN - 1))
65778 +
65779 ++#ifndef __ASSEMBLY__
65780 ++extern unsigned char __LOAD_PHYSICAL_ADDR[];
65781 ++#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
65782 ++#endif
65783 ++
65784 + #endif /* _ASM_BOOT_H */
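Review bot: LOAD_PHYSICAL_ADDR is now the address of a linker symbol and is defined only for C (the #ifndef __ASSEMBLY__ guard), so every assembly file that used it must switch to ____LOAD_PHYSICAL_ADDR and every C use must sit in executable code rather than in a static initialiser or array bound; none of those follow-ups, nor the vmlinux.lds definition of __LOAD_PHYSICAL_ADDR, is in this excerpt. The four-underscore name is also hard to distinguish from the two-underscore one at a glance; something like LOAD_PHYSICAL_ADDR_CONST would be clearer.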
65785 +diff -urNp linux-2.6.24.5/include/asm-x86/cache.h linux-2.6.24.5/include/asm-x86/cache.h
65786 +--- linux-2.6.24.5/include/asm-x86/cache.h 2008-03-24 14:49:18.000000000 -0400
65787 ++++ linux-2.6.24.5/include/asm-x86/cache.h 2008-03-26 20:21:09.000000000 -0400
65788 +@@ -6,6 +6,7 @@
65789 + #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
65790 +
65791 + #define __read_mostly __attribute__((__section__(".data.read_mostly")))
65792 ++#define __read_only __attribute__((__section__(".data.read_only")))
65793 +
65794 + #ifdef CONFIG_X86_VSMP
65795 + /* vSMP Internode cacheline shift */
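Review bot: __read_only only places an object in .data.read_only; it does not make it const for the compiler, so a stray assignment still compiles and is caught only at run time, and only if the linker script puts the section into a range that is later write-protected. Neither the linker-script change nor the protection step is in this excerpt, and the attribute carries no comment saying that legitimate writes must go through pax_open_kernel()/pax_close_kernel(); add that.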
65796 +diff -urNp linux-2.6.24.5/include/asm-x86/checksum_32.h linux-2.6.24.5/include/asm-x86/checksum_32.h
65797 +--- linux-2.6.24.5/include/asm-x86/checksum_32.h 2008-03-24 14:49:18.000000000 -0400
65798 ++++ linux-2.6.24.5/include/asm-x86/checksum_32.h 2008-03-26 20:21:09.000000000 -0400
65799 +@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
65800 + asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
65801 + int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65802 +
65803 ++asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
65804 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65805 ++
65806 ++asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
65807 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
65808 ++
65809 + /*
65810 + * Note: when you get a NULL pointer exception here this means someone
65811 + * passed in an incorrect kernel address to one of these functions.
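Review bot: the new csum_partial_copy_generic_to_user/_from_user prototypes keep plain void pointers for the user side, so the callers in the next two hunks still need their (__force void *) casts and sparse cannot check them; declare the user-side parameters as `const void __user *src` and `void __user *dst` respectively and drop the casts at the call sites. The assembly implementations are not in this excerpt, and the reason for splitting them (presumably accessing the user side through a separate segment, as the futex_32.h hunks below do with %ds/%es) should be stated above the declarations.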
65812 +@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
65813 + int len, __wsum sum, int *err_ptr)
65814 + {
65815 + might_sleep();
65816 +- return csum_partial_copy_generic((__force void *)src, dst,
65817 ++ return csum_partial_copy_generic_from_user((__force void *)src, dst,
65818 + len, sum, err_ptr, NULL);
65819 + }
65820 +
65821 +@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
65822 + {
65823 + might_sleep();
65824 + if (access_ok(VERIFY_WRITE, dst, len))
65825 +- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
65826 ++ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
65827 +
65828 + if (len)
65829 + *err_ptr = -EFAULT;
65830 +diff -urNp linux-2.6.24.5/include/asm-x86/desc_32.h linux-2.6.24.5/include/asm-x86/desc_32.h
65831 +--- linux-2.6.24.5/include/asm-x86/desc_32.h 2008-03-24 14:49:18.000000000 -0400
65832 ++++ linux-2.6.24.5/include/asm-x86/desc_32.h 2008-03-26 20:21:09.000000000 -0400
65833 +@@ -7,30 +7,26 @@
65834 + #ifndef __ASSEMBLY__
65835 +
65836 + #include <linux/preempt.h>
65837 +-#include <linux/smp.h>
65838 + #include <linux/percpu.h>
65839 ++#include <linux/smp.h>
65840 +
65841 + #include <asm/mmu.h>
65842 +
65843 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
65844 ++
65845 + struct Xgt_desc_struct {
65846 + unsigned short size;
65847 +- unsigned long address __attribute__((packed));
65848 ++ struct desc_struct *address __attribute__((packed));
65849 + unsigned short pad;
65850 + } __attribute__ ((packed));
65851 +
65852 +-struct gdt_page
65853 +-{
65854 +- struct desc_struct gdt[GDT_ENTRIES];
65855 +-} __attribute__((aligned(PAGE_SIZE)));
65856 +-DECLARE_PER_CPU(struct gdt_page, gdt_page);
65857 +-
65858 + static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
65859 + {
65860 +- return per_cpu(gdt_page, cpu).gdt;
65861 ++ return cpu_gdt_table[cpu];
65862 + }
65863 +
65864 + extern struct Xgt_desc_struct idt_descr;
65865 +-extern struct desc_struct idt_table[];
65866 ++extern struct desc_struct idt_table[256];
65867 + extern void set_intr_gate(unsigned int irq, void * addr);
65868 +
65869 + static inline void pack_descriptor(__u32 *a, __u32 *b,
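Review bot: replacing the per-cpu gdt_page with a static cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)] costs a page for every possible CPU whether it is online or not, and the reason (a GDT at a fixed, compile-time address that can be placed in protected memory) is not stated; put it in a comment. Changing Xgt_desc_struct.address from unsigned long to struct desc_struct * will break any caller that assigns an integer address without a cast, and the include reorder (smp.h after percpu.h) has no visible justification. idt_table[256] is fine, since the IDT has exactly 256 entries.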
65870 +@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
65871 + static inline void write_dt_entry(struct desc_struct *dt,
65872 + int entry, u32 entry_low, u32 entry_high)
65873 + {
65874 ++
65875 ++#ifdef CONFIG_PAX_KERNEXEC
65876 ++ unsigned long cr0;
65877 ++
65878 ++ pax_open_kernel(cr0);
65879 ++#endif
65880 ++
65881 + dt[entry].a = entry_low;
65882 + dt[entry].b = entry_high;
65883 ++
65884 ++#ifdef CONFIG_PAX_KERNEXEC
65885 ++ pax_close_kernel(cr0);
65886 ++#endif
65887 ++
65888 + }
65889 +
65890 + static inline void native_set_ldt(const void *addr, unsigned int entries)
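Review bot: the open/write/close pattern introduced here is repeated verbatim in native_load_tls below and four more times in desc_64.h; wrap it in a helper (for example one that writes the two words of a descriptor under pax_open_kernel) so the #ifdef CONFIG_PAX_KERNEXEC blocks live in one place. Style: the hunk adds a blank line directly after the opening brace and another before the closing one.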
65891 +@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
65892 + unsigned int i;
65893 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
65894 +
65895 ++#ifdef CONFIG_PAX_KERNEXEC
65896 ++ unsigned long cr0;
65897 ++
65898 ++ pax_open_kernel(cr0);
65899 ++#endif
65900 ++
65901 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
65902 + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
65903 ++
65904 ++#ifdef CONFIG_PAX_KERNEXEC
65905 ++ pax_close_kernel(cr0);
65906 ++#endif
65907 ++
65908 + }
65909 +
65910 + static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
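Review bot: native_load_tls is on the context-switch path, so with KERNEXEC every switch now toggles write protection around the three GDT writes. pax_open_kernel()/pax_close_kernel() are not in this excerpt, so confirm they disable preemption for the window (an interrupt or reschedule between the two would run with the protection lifted), and mention the per-switch cost in the changelog.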
65911 +@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
65912 + ((info)->seg_32bit << 22) | \
65913 + ((info)->limit_in_pages << 23) | \
65914 + ((info)->useable << 20) | \
65915 +- 0x7000)
65916 ++ 0x7100)
65917 +
65918 + #define LDT_empty(info) (\
65919 + (info)->base_addr == 0 && \
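Review bot: the change from 0x7000 to 0x7100 in the LDT entry high word is unexplained: bit 8 is the descriptor's accessed bit, so setting it up front means the CPU never has to write the descriptor itself when the segment is first loaded, which is what makes it safe to keep descriptor tables in read-only memory. Add a comment saying that, because the same constant is changed in desc_64.h and the next reader will not know which bit 0x100 is.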
65920 +@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
65921 + preempt_enable();
65922 + }
65923 +
65924 +-static inline unsigned long get_desc_base(unsigned long *desc)
65925 ++static inline unsigned long get_desc_base(struct desc_struct *desc)
65926 + {
65927 + unsigned long base;
65928 +- base = ((desc[0] >> 16) & 0x0000ffff) |
65929 +- ((desc[1] << 16) & 0x00ff0000) |
65930 +- (desc[1] & 0xff000000);
65931 ++ base = ((desc->a >> 16) & 0x0000ffff) |
65932 ++ ((desc->b << 16) & 0x00ff0000) |
65933 ++ (desc->b & 0xff000000);
65934 + return base;
65935 + }
65936 +
65937 ++static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
65938 ++{
65939 ++ __u32 a, b;
65940 ++
65941 ++ if (likely(limit))
65942 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
65943 ++ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
65944 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
65945 ++}
65946 ++
65947 + #else /* __ASSEMBLY__ */
65948 +
65949 + /*
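Review bot: set_user_cs special-cases limit == 0, but with the granularity flag set (0xC) a limit field of 0 still describes one 4 KiB page, so the "empty" segment is really a one-page segment; either document that a zero limit is not expected to be empty or handle it explicitly. The descriptor byte 0xFB (present, DPL 3, code, readable, accessed) and flags 0xC (4K granularity, 32-bit) also deserve a comment instead of magic numbers. The get_desc_base signature change to struct desc_struct * is a welcome type-safety improvement, but every existing caller that passes an unsigned long * must be updated in the same patch.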
65950 +diff -urNp linux-2.6.24.5/include/asm-x86/desc_64.h linux-2.6.24.5/include/asm-x86/desc_64.h
65951 +--- linux-2.6.24.5/include/asm-x86/desc_64.h 2008-03-24 14:49:18.000000000 -0400
65952 ++++ linux-2.6.24.5/include/asm-x86/desc_64.h 2008-03-26 20:21:09.000000000 -0400
65953 +@@ -14,7 +14,7 @@
65954 + #include <asm/segment.h>
65955 + #include <asm/mmu.h>
65956 +
65957 +-extern struct desc_struct cpu_gdt_table[GDT_ENTRIES];
65958 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
65959 +
65960 + #define load_TR_desc() asm volatile("ltr %w0"::"r" (GDT_ENTRY_TSS*8))
65961 + #define load_LDT_desc() asm volatile("lldt %w0"::"r" (GDT_ENTRY_LDT*8))
65962 +@@ -34,12 +34,10 @@ static inline unsigned long __store_tr(v
65963 + * This is the ldt that every process will get unless we need
65964 + * something other than this.
65965 + */
65966 +-extern struct desc_struct default_ldt[];
65967 + extern struct gate_struct idt_table[];
65968 +-extern struct desc_ptr cpu_gdt_descr[];
65969 +
65970 + /* the cpu gdt accessor */
65971 +-#define cpu_gdt(_cpu) ((struct desc_struct *)cpu_gdt_descr[_cpu].address)
65972 ++#define cpu_gdt(_cpu) (cpu_gdt_table[_cpu])
65973 +
65974 + static inline void load_gdt(const struct desc_ptr *ptr)
65975 + {
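Review bot: removing the default_ldt declaration is unrelated to replacing cpu_gdt_descr with the static table and should either be justified (already unused) or split out. With cpu_gdt_descr[] gone, the boot and CPU bring-up code that loaded the per-CPU descriptor from that array has to build a desc_ptr around cpu_gdt_table[cpu] instead; those changes are not in this excerpt.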
65976 +@@ -54,6 +52,11 @@ static inline void store_gdt(struct desc
65977 + static inline void _set_gate(void *adr, unsigned type, unsigned long func, unsigned dpl, unsigned ist)
65978 + {
65979 + struct gate_struct s;
65980 ++
65981 ++#ifdef CONFIG_PAX_KERNEXEC
65982 ++ unsigned long cr0;
65983 ++#endif
65984 ++
65985 + s.offset_low = PTR_LOW(func);
65986 + s.segment = __KERNEL_CS;
65987 + s.ist = ist;
65988 +@@ -65,7 +68,17 @@ static inline void _set_gate(void *adr,
65989 + s.offset_middle = PTR_MIDDLE(func);
65990 + s.offset_high = PTR_HIGH(func);
65991 + /* does not need to be atomic because it is only done once at setup time */
65992 ++
65993 ++#ifdef CONFIG_PAX_KERNEXEC
65994 ++ pax_open_kernel(cr0);
65995 ++#endif
65996 ++
65997 + memcpy(adr, &s, 16);
65998 ++
65999 ++#ifdef CONFIG_PAX_KERNEXEC
66000 ++ pax_close_kernel(cr0);
66001 ++#endif
66002 ++
66003 + }
66004 +
66005 + static inline void set_intr_gate(int nr, void *func)
66006 +@@ -105,6 +118,11 @@ static inline void set_tssldt_descriptor
66007 + unsigned size)
66008 + {
66009 + struct ldttss_desc d;
66010 ++
66011 ++#ifdef CONFIG_PAX_KERNEXEC
66012 ++ unsigned long cr0;
66013 ++#endif
66014 ++
66015 + memset(&d,0,sizeof(d));
66016 + d.limit0 = size & 0xFFFF;
66017 + d.base0 = PTR_LOW(tss);
66018 +@@ -114,7 +132,17 @@ static inline void set_tssldt_descriptor
66019 + d.limit1 = (size >> 16) & 0xF;
66020 + d.base2 = (PTR_MIDDLE(tss) >> 8) & 0xFF;
66021 + d.base3 = PTR_HIGH(tss);
66022 ++
66023 ++#ifdef CONFIG_PAX_KERNEXEC
66024 ++ pax_open_kernel(cr0);
66025 ++#endif
66026 ++
66027 + memcpy(ptr, &d, 16);
66028 ++
66029 ++#ifdef CONFIG_PAX_KERNEXEC
66030 ++ pax_close_kernel(cr0);
66031 ++#endif
66032 ++
66033 + }
66034 +
66035 + static inline void set_tss_desc(unsigned cpu, void *addr)
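Review bot: _set_gate and set_tssldt_descriptor both end up as "build the 16 bytes on the stack, open, memcpy, close", with the cr0 declaration in one hunk and its use in another; a single helper that does the protected 16-byte memcpy would replace four #ifdef blocks and make the comment "does not need to be atomic because it is only done once at setup time" easier to keep true, since that comment now also governs the open/close window.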
66036 +@@ -152,7 +180,7 @@ static inline void set_ldt_desc(unsigned
66037 + ((info)->limit_in_pages << 23) | \
66038 + ((info)->useable << 20) | \
66039 + /* ((info)->lm << 21) | */ \
66040 +- 0x7000)
66041 ++ 0x7100)
66042 +
66043 + #define LDT_empty(info) (\
66044 + (info)->base_addr == 0 && \
66045 +@@ -170,8 +198,19 @@ static inline void load_TLS(struct threa
66046 + unsigned int i;
66047 + u64 *gdt = (u64 *)(cpu_gdt(cpu) + GDT_ENTRY_TLS_MIN);
66048 +
66049 ++#ifdef CONFIG_PAX_KERNEXEC
66050 ++ unsigned long cr0;
66051 ++
66052 ++ pax_open_kernel(cr0);
66053 ++#endif
66054 ++
66055 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
66056 + gdt[i] = t->tls_array[i];
66057 ++
66058 ++#ifdef CONFIG_PAX_KERNEXEC
66059 ++ pax_close_kernel(cr0);
66060 ++#endif
66061 ++
66062 + }
66063 +
66064 + /*
66065 +@@ -197,7 +236,7 @@ static inline void load_LDT(mm_context_t
66066 + put_cpu();
66067 + }
66068 +
66069 +-extern struct desc_ptr idt_descr;
66070 ++extern const struct desc_ptr idt_descr;
66071 +
66072 + #endif /* !__ASSEMBLY__ */
66073 +
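Review bot: declaring idt_descr const requires the definition in the .c file to be const as well and every caller that passes &idt_descr to accept a pointer to const; load_gdt() above already takes const struct desc_ptr *, so load_idt() should match, but neither the definition nor load_idt() is in this excerpt.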
66074 +diff -urNp linux-2.6.24.5/include/asm-x86/elf.h linux-2.6.24.5/include/asm-x86/elf.h
66075 +--- linux-2.6.24.5/include/asm-x86/elf.h 2008-03-24 14:49:18.000000000 -0400
66076 ++++ linux-2.6.24.5/include/asm-x86/elf.h 2008-03-26 20:21:09.000000000 -0400
66077 +@@ -206,7 +206,25 @@ extern int vdso_enabled;
66078 + the loader. We need to make sure that it is out of the way of the program
66079 + that it will "exec", and that there is sufficient room for the brk. */
66080 +
66081 ++#ifdef CONFIG_PAX_SEGMEXEC
66082 ++#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
66083 ++#else
66084 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
66085 ++#endif
66086 ++
66087 ++#ifdef CONFIG_PAX_ASLR
66088 ++#ifdef CONFIG_X86_32
66089 ++#define PAX_ELF_ET_DYN_BASE 0x10000000UL
66090 ++
66091 ++#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
66092 ++#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
66093 ++#else
66094 ++#define PAX_ELF_ET_DYN_BASE 0x400000UL
66095 ++
66096 ++#define PAX_DELTA_MMAP_LEN 32
66097 ++#define PAX_DELTA_STACK_LEN 32
66098 ++#endif
66099 ++#endif
66100 +
66101 + /* This yields a mask that user programs can use to figure out what
66102 + instruction set this CPU supports. This could be done in user space,
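Review bot: the two PAX_DELTA_*_LEN lines rely on & binding tighter than ?: (`current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16`) while the ELF_ET_DYN_BASE line above parenthesises the same test; parenthesise all three the same way. The 32-bit widths (15 bits under SEGMEXEC, 16 otherwise), the 64-bit width of 32, and the choice of PAX_ELF_ET_DYN_BASE 0x10000000UL versus 0x400000UL are unexplained magic numbers, and SEGMEXEC_TASK_SIZE is used but not defined in this excerpt.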
66103 +@@ -246,7 +264,7 @@ extern int dump_task_extended_fpu (struc
66104 + #define ELF_CORE_XFPREG_TYPE NT_PRXFPREG
66105 +
66106 + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
66107 +-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
66108 ++#define VDSO_CURRENT_BASE (current->mm->context.vdso)
66109 + #define VDSO_PRELINK 0
66110 +
66111 + #define VDSO_SYM(x) \
66112 +@@ -274,7 +292,7 @@ do if (vdso_enabled) { \
66113 +
66114 + #define ARCH_DLINFO \
66115 + do if (vdso_enabled) { \
66116 +- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
66117 ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
66118 + } while (0)
66119 +
66120 + #endif /* !CONFIG_X86_32 */
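Review bot: dropping the (unsigned long) casts only compiles if mm->context.vdso has changed type from a pointer to an unsigned long elsewhere in the patch; that change is not in this excerpt, and it will silently break any other user that still does pointer arithmetic on context.vdso, so list the touched sites in the changelog.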
66121 +diff -urNp linux-2.6.24.5/include/asm-x86/futex_32.h linux-2.6.24.5/include/asm-x86/futex_32.h
66122 +--- linux-2.6.24.5/include/asm-x86/futex_32.h 2008-03-24 14:49:18.000000000 -0400
66123 ++++ linux-2.6.24.5/include/asm-x86/futex_32.h 2008-03-26 20:21:09.000000000 -0400
66124 +@@ -11,8 +11,11 @@
66125 +
66126 + #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
66127 + __asm__ __volatile ( \
66128 ++ "movw %w6, %%ds\n"\
66129 + "1: " insn "\n" \
66130 +-"2: .section .fixup,\"ax\"\n\
66131 ++"2: pushl %%ss\n\
66132 ++ popl %%ds\n\
66133 ++ .section .fixup,\"ax\"\n\
66134 + 3: mov %3, %1\n\
66135 + jmp 2b\n\
66136 + .previous\n\
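Review bot: the new `movw %w6, %%ds` / `pushl %%ss; popl %%ds` pair carries no comment on why the user access now goes through a freshly loaded DS (the `__USER_DS` operand only appears as input 6 in the following hunk) and why SS is the safe source for restoring the kernel data selector; add one, since a reader of this hunk alone cannot even verify the operand numbering. The fault path does look right: the fixup at `3:` jumps back to `2b`, which now restores DS before the macro finishes, so a faulting `insn` cannot leave DS pointing at the user selector.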
66137 +@@ -21,16 +24,19 @@
66138 + .long 1b,3b\n\
66139 + .previous" \
66140 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
66141 +- : "i" (-EFAULT), "0" (oparg), "1" (0))
66142 ++ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
66143 +
66144 + #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
66145 + __asm__ __volatile ( \
66146 +-"1: movl %2, %0\n\
66147 ++" movw %w7, %%es\n\
66148 ++1: movl %%es:%2, %0\n\
66149 + movl %0, %3\n" \
66150 + insn "\n" \
66151 +-"2: lock ; cmpxchgl %3, %2\n\
66152 ++"2: lock ; cmpxchgl %3, %%es:%2\n\
66153 + jnz 1b\n\
66154 +-3: .section .fixup,\"ax\"\n\
66155 ++3: pushl %%ss\n\
66156 ++ popl %%es\n\
66157 ++ .section .fixup,\"ax\"\n\
66158 + 4: mov %5, %1\n\
66159 + jmp 3b\n\
66160 + .previous\n\
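Review bot: `__futex_atomic_op2` loads ES (`movw %w7, %%es`, restored via `pushl %%ss; popl %%es`) while `__futex_atomic_op1` loads DS, and the `%%es:` / `%%ds:` overrides have to stay in step with the `insn` strings the callers pass (`xchgl %0, %%ds:%2`, `lock ; xaddl %0, %%ds:%2` in the hunks below); a comment stating which segment each macro owns, and why op2 cannot simply reuse DS, would stop a later edit from mixing them. The `"r" (__USER_DS)` input is fine, but it is worth noting that the `%w` modifier is what makes the 16-bit selector load legal.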
66161 +@@ -40,10 +46,10 @@
66162 + .previous" \
66163 + : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
66164 + "=&r" (tem) \
66165 +- : "r" (oparg), "i" (-EFAULT), "1" (0))
66166 ++ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
66167 +
66168 + static inline int
66169 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
66170 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
66171 + {
66172 + int op = (encoded_op >> 28) & 7;
66173 + int cmp = (encoded_op >> 24) & 15;
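Review bot: changing `futex_atomic_op_inuser` (and `futex_atomic_cmpxchg_inatomic` further down, plus both in `futex_64.h`) to take `u32 __user *uaddr` cannot be verified from this hunk, because the callers are not part of it; make sure every call site passes `u32 __user *`, otherwise the build gains incompatible-pointer warnings at each one.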
66174 +@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
66175 + pagefault_disable();
66176 +
66177 + if (op == FUTEX_OP_SET)
66178 +- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
66179 ++ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
66180 + else {
66181 + #ifndef CONFIG_X86_BSWAP
66182 + if (boot_cpu_data.x86 == 3)
66183 +@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
66184 + #endif
66185 + switch (op) {
66186 + case FUTEX_OP_ADD:
66187 +- __futex_atomic_op1("lock ; xaddl %0, %2", ret,
66188 ++ __futex_atomic_op1("lock ; xaddl %0, %%ds:%2", ret,
66189 + oldval, uaddr, oparg);
66190 + break;
66191 + case FUTEX_OP_OR:
66192 +@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
66193 + }
66194 +
66195 + static inline int
66196 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
66197 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
66198 + {
66199 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
66200 + return -EFAULT;
66201 +
66202 + __asm__ __volatile__(
66203 +- "1: lock ; cmpxchgl %3, %1 \n"
66204 +-
66205 +- "2: .section .fixup, \"ax\" \n"
66206 ++ " movw %w5, %%ds \n"
66207 ++ "1: lock ; cmpxchgl %3, %%ds:%1 \n"
66208 ++ "2: pushl %%ss \n"
66209 ++ " popl %%ds \n"
66210 ++ " .section .fixup, \"ax\" \n"
66211 + "3: mov %2, %0 \n"
66212 + " jmp 2b \n"
66213 + " .previous \n"
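Review bot: `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` is left as is while `uaddr` became `u32 __user *`; use `sizeof(*uaddr)` so the validated length follows the pointer type (same remark for the `futex_64.h` hunk below). The DS switch around `cmpxchgl` mirrors the op1 macro and has the same missing comment: the restore at `2:` is also the fixup's jump target, which is why a fault cannot leak the user selector.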
66214 +@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
66215 + " .previous \n"
66216 +
66217 + : "=a" (oldval), "+m" (*uaddr)
66218 +- : "i" (-EFAULT), "r" (newval), "0" (oldval)
66219 ++ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
66220 + : "memory"
66221 + );
66222 +
66223 +diff -urNp linux-2.6.24.5/include/asm-x86/futex_64.h linux-2.6.24.5/include/asm-x86/futex_64.h
66224 +--- linux-2.6.24.5/include/asm-x86/futex_64.h 2008-03-24 14:49:18.000000000 -0400
66225 ++++ linux-2.6.24.5/include/asm-x86/futex_64.h 2008-03-26 20:21:09.000000000 -0400
66226 +@@ -42,7 +42,7 @@
66227 + : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
66228 +
66229 + static inline int
66230 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
66231 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
66232 + {
66233 + int op = (encoded_op >> 28) & 7;
66234 + int cmp = (encoded_op >> 24) & 15;
66235 +@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
66236 + }
66237 +
66238 + static inline int
66239 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
66240 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
66241 + {
66242 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
66243 + return -EFAULT;
66244 +diff -urNp linux-2.6.24.5/include/asm-x86/i387_32.h linux-2.6.24.5/include/asm-x86/i387_32.h
66245 +--- linux-2.6.24.5/include/asm-x86/i387_32.h 2008-03-24 14:49:18.000000000 -0400
66246 ++++ linux-2.6.24.5/include/asm-x86/i387_32.h 2008-03-26 20:21:09.000000000 -0400
66247 +@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
66248 + #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
66249 +
66250 + /* We need a safe address that is cheap to find and that is already
66251 +- in L1 during context switch. The best choices are unfortunately
66252 +- different for UP and SMP */
66253 +-#ifdef CONFIG_SMP
66254 +-#define safe_address (__per_cpu_offset[0])
66255 +-#else
66256 +-#define safe_address (kstat_cpu(0).cpustat.user)
66257 +-#endif
66258 ++ in L1 during context switch. */
66259 ++#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
66260 +
66261 + /*
66262 + * These must be called with preempt disabled
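Review bot: the new `safe_address` indexes `init_tss[smp_processor_id()]`, which silently depends on `init_tss` turning into a plain `NR_CPUS` array in the `processor_32.h` hunk at the end of this series; name that dependency in the changelog. With `CONFIG_DEBUG_PREEMPT`, `smp_processor_id()` also adds a preemption check on every context switch, so `raw_smp_processor_id()` is the "cheap to find" choice the surrounding comment asks for, given the caller already runs with preemption disabled.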
66263 +diff -urNp linux-2.6.24.5/include/asm-x86/io_64.h linux-2.6.24.5/include/asm-x86/io_64.h
66264 +--- linux-2.6.24.5/include/asm-x86/io_64.h 2008-03-24 14:49:18.000000000 -0400
66265 ++++ linux-2.6.24.5/include/asm-x86/io_64.h 2008-03-26 20:21:09.000000000 -0400
66266 +@@ -120,6 +120,17 @@ static inline void * phys_to_virt(unsign
66267 + }
66268 + #endif
66269 +
66270 ++#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
66271 ++static inline int valid_phys_addr_range (unsigned long addr, size_t count)
66272 ++{
66273 ++ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
66274 ++}
66275 ++
66276 ++static inline int valid_mmap_phys_addr_range (unsigned long pfn, size_t count)
66277 ++{
66278 ++ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
66279 ++}
66280 ++
66281 + /*
66282 + * Change "struct page" to physical address.
66283 + */
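Review bot: `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` is an `int` shift; with `x86_phys_bits` of 48 and `PAGE_SHIFT` 12 that is a shift by 36, undefined for a 32-bit `int`, which makes the range check meaningless on exactly the CPUs with large physical address spaces. Use `1UL <<` in both helpers. `valid_mmap_phys_addr_range` also rounds `count` down (`count >> PAGE_SHIFT`) where `valid_phys_addr_range` rounds up, so a mapping whose last partial page lies past the physical limit passes the mmap check; round up in both. The trailing `? 1 : 0` on a comparison is redundant.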
66284 +diff -urNp linux-2.6.24.5/include/asm-x86/irqflags_32.h linux-2.6.24.5/include/asm-x86/irqflags_32.h
66285 +--- linux-2.6.24.5/include/asm-x86/irqflags_32.h 2008-03-24 14:49:18.000000000 -0400
66286 ++++ linux-2.6.24.5/include/asm-x86/irqflags_32.h 2008-03-26 20:21:09.000000000 -0400
66287 +@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
66288 + #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
66289 + #define INTERRUPT_RETURN iret
66290 + #define GET_CR0_INTO_EAX movl %cr0, %eax
66291 ++#define GET_CR0_INTO_EDX movl %cr0, %edx
66292 ++#define SET_CR0_FROM_EDX movl %edx, %cr0
66293 + #endif /* __ASSEMBLY__ */
66294 + #endif /* CONFIG_PARAVIRT */
66295 +
66296 +diff -urNp linux-2.6.24.5/include/asm-x86/kmap_types.h linux-2.6.24.5/include/asm-x86/kmap_types.h
66297 +--- linux-2.6.24.5/include/asm-x86/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
66298 ++++ linux-2.6.24.5/include/asm-x86/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
66299 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
66300 + D(10) KM_IRQ1,
66301 + D(11) KM_SOFTIRQ0,
66302 + D(12) KM_SOFTIRQ1,
66303 +-D(13) KM_TYPE_NR
66304 ++D(13) KM_CLEARPAGE,
66305 ++D(14) KM_TYPE_NR
66306 + };
66307 +
66308 + #undef D
66309 +diff -urNp linux-2.6.24.5/include/asm-x86/mach-default/apm.h linux-2.6.24.5/include/asm-x86/mach-default/apm.h
66310 +--- linux-2.6.24.5/include/asm-x86/mach-default/apm.h 2008-03-24 14:49:18.000000000 -0400
66311 ++++ linux-2.6.24.5/include/asm-x86/mach-default/apm.h 2008-03-26 20:21:09.000000000 -0400
66312 +@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
66313 + __asm__ __volatile__(APM_DO_ZERO_SEGS
66314 + "pushl %%edi\n\t"
66315 + "pushl %%ebp\n\t"
66316 +- "lcall *%%cs:apm_bios_entry\n\t"
66317 ++ "lcall *%%ss:apm_bios_entry\n\t"
66318 + "setc %%al\n\t"
66319 + "popl %%ebp\n\t"
66320 + "popl %%edi\n\t"
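Review bot: the switch from `lcall *%%cs:apm_bios_entry` to `*%%ss:` is not explained anywhere in the hunk. `apm_bios_entry` is a data object, so presumably the kernel code segment no longer shares the flat base of the data segments (the `ktla_ktva` offset introduced in `page_32.h` points the same way) and SS is the segment still known to map kernel data; write that reasoning next to this `lcall` and the one in the next hunk, since the same `%cs:` to `%ss:` change recurs in `paravirt.h`.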
66321 +@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
66322 + __asm__ __volatile__(APM_DO_ZERO_SEGS
66323 + "pushl %%edi\n\t"
66324 + "pushl %%ebp\n\t"
66325 +- "lcall *%%cs:apm_bios_entry\n\t"
66326 ++ "lcall *%%ss:apm_bios_entry\n\t"
66327 + "setc %%bl\n\t"
66328 + "popl %%ebp\n\t"
66329 + "popl %%edi\n\t"
66330 +diff -urNp linux-2.6.24.5/include/asm-x86/mman.h linux-2.6.24.5/include/asm-x86/mman.h
66331 +--- linux-2.6.24.5/include/asm-x86/mman.h 2008-03-24 14:49:18.000000000 -0400
66332 ++++ linux-2.6.24.5/include/asm-x86/mman.h 2008-03-26 20:21:09.000000000 -0400
66333 +@@ -16,4 +16,14 @@
66334 + #define MCL_CURRENT 1 /* lock all current mappings */
66335 + #define MCL_FUTURE 2 /* lock all future mappings */
66336 +
66337 ++#ifdef __KERNEL__
66338 ++#ifndef __ASSEMBLY__
66339 ++#ifdef CONFIG_X86_32
66340 ++#define arch_mmap_check i386_mmap_check
66341 ++int i386_mmap_check(unsigned long addr, unsigned long len,
66342 ++ unsigned long flags);
66343 ++#endif
66344 ++#endif
66345 ++#endif
66346 ++
66347 + #endif /* _ASM_X86_MMAN_H */
66348 +diff -urNp linux-2.6.24.5/include/asm-x86/mmu_context_32.h linux-2.6.24.5/include/asm-x86/mmu_context_32.h
66349 +--- linux-2.6.24.5/include/asm-x86/mmu_context_32.h 2008-03-24 14:49:18.000000000 -0400
66350 ++++ linux-2.6.24.5/include/asm-x86/mmu_context_32.h 2008-03-26 20:21:09.000000000 -0400
66351 +@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
66352 + */
66353 + if (unlikely(prev->context.ldt != next->context.ldt))
66354 + load_LDT_nolock(&next->context);
66355 ++
66356 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
66357 ++ if (!nx_enabled) {
66358 ++ smp_mb__before_clear_bit();
66359 ++ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
66360 ++ smp_mb__after_clear_bit();
66361 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
66362 ++ }
66363 ++#endif
66364 ++
66365 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66366 ++ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
66367 ++ prev->context.user_cs_limit != next->context.user_cs_limit))
66368 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
66369 ++#endif
66370 ++
66371 + }
66372 + #ifdef CONFIG_SMP
66373 + else {
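Review bot: `set_user_cs()` runs here whenever `user_cs_base`/`user_cs_limit` differ between `prev` and `next`, with no `MF_PAX_PAGEEXEC`/`nx_enabled` test, while the lazy-TLB branch in the next hunk skips it when PAGEEXEC is built in and `nx_enabled`; comment why the two paths use different conditions. The `cpu_clear`/`cpu_set` on `cpu_user_cs_mask` is bracketed by `smp_mb__before_clear_bit()`/`smp_mb__after_clear_bit()` here, but the `cpu_set` in the next hunk has no barrier; if another CPU reads this mask (the name suggests cross-CPU tracking of who has a user CS loaded), document the ordering each reader relies on.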
66374 +@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
66375 + */
66376 + load_cr3(next->pgd);
66377 + load_LDT_nolock(&next->context);
66378 ++
66379 ++#ifdef CONFIG_PAX_PAGEEXEC
66380 ++ if (!nx_enabled)
66381 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
66382 ++#endif
66383 ++
66384 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66385 ++#ifdef CONFIG_PAX_PAGEEXEC
66386 ++ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
66387 ++#endif
66388 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
66389 ++#endif
66390 ++
66391 + }
66392 + }
66393 + #endif
66394 +diff -urNp linux-2.6.24.5/include/asm-x86/mmu.h linux-2.6.24.5/include/asm-x86/mmu.h
66395 +--- linux-2.6.24.5/include/asm-x86/mmu.h 2008-03-24 14:49:18.000000000 -0400
66396 ++++ linux-2.6.24.5/include/asm-x86/mmu.h 2008-03-26 20:21:09.000000000 -0400
66397 +@@ -11,13 +11,26 @@
66398 + * cpu_vm_mask is used to optimize ldt flushing.
66399 + */
66400 + typedef struct {
66401 +- void *ldt;
66402 ++ struct desc_struct *ldt;
66403 + #ifdef CONFIG_X86_64
66404 + rwlock_t ldtlock;
66405 + #endif
66406 + int size;
66407 + struct mutex lock;
66408 +- void *vdso;
66409 ++ unsigned long vdso;
66410 ++
66411 ++#ifdef CONFIG_X86_32
66412 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
66413 ++ unsigned long user_cs_base;
66414 ++ unsigned long user_cs_limit;
66415 ++
66416 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
66417 ++ cpumask_t cpu_user_cs_mask;
66418 ++#endif
66419 ++
66420 ++#endif
66421 ++#endif
66422 ++
66423 + } mm_context_t;
66424 +
66425 + #endif /* _ASM_X86_MMU_H */
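Review bot: `ldt` (`void *` to `struct desc_struct *`) and `vdso` (`void *` to `unsigned long`) are type changes in a structure every x86 `mm` touches; each assignment or dereference of `context.vdso` and `context.ldt` has to change in the same series (the `elf.h` hunks above drop their casts for exactly that reason), so the changelog should say so. The new `user_cs_base`/`user_cs_limit` fields and the `PAGEEXEC && SMP`-only `cpu_user_cs_mask` are undocumented; a two-line comment on what they track would help anyone reading `switch_mm()`.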
66426 +diff -urNp linux-2.6.24.5/include/asm-x86/module_32.h linux-2.6.24.5/include/asm-x86/module_32.h
66427 +--- linux-2.6.24.5/include/asm-x86/module_32.h 2008-03-24 14:49:18.000000000 -0400
66428 ++++ linux-2.6.24.5/include/asm-x86/module_32.h 2008-03-26 20:21:09.000000000 -0400
66429 +@@ -70,6 +70,12 @@ struct mod_arch_specific
66430 + #define MODULE_STACKSIZE ""
66431 + #endif
66432 +
66433 +-#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
66434 ++#ifdef CONFIG_GRKERNSEC
66435 ++#define MODULE_GRSEC "GRSECURITY "
66436 ++#else
66437 ++#define MODULE_GRSEC ""
66438 ++#endif
66439 ++
66440 ++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
66441 +
66442 + #endif /* _ASM_I386_MODULE_H */
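Review bot: appending `"GRSECURITY "` to `MODULE_ARCH_VERMAGIC` is a sound safeguard, since a module built against a non-grsec tree would carry inlined header code (the `pax_open_kernel` wrappers in the page-table hunks below, for instance) that is wrong for this kernel. This hunk only touches the 32-bit header; check that the 64-bit module header gets the same tag or x86_64 builds lose the check. Out-of-tree module users will see a vermagic mismatch, which deserves a sentence in the README.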
66443 +diff -urNp linux-2.6.24.5/include/asm-x86/page_32.h linux-2.6.24.5/include/asm-x86/page_32.h
66444 +--- linux-2.6.24.5/include/asm-x86/page_32.h 2008-03-24 14:49:18.000000000 -0400
66445 ++++ linux-2.6.24.5/include/asm-x86/page_32.h 2008-03-26 20:21:09.000000000 -0400
66446 +@@ -90,7 +90,6 @@ static inline pte_t native_make_pte(unsi
66447 + typedef struct { unsigned long pte_low; } pte_t;
66448 + typedef struct { unsigned long pgd; } pgd_t;
66449 + typedef struct { unsigned long pgprot; } pgprot_t;
66450 +-#define boot_pte_t pte_t /* or would you rather have a typedef */
66451 +
66452 + static inline unsigned long native_pgd_val(pgd_t pgd)
66453 + {
66454 +@@ -175,6 +174,18 @@ extern int page_is_ram(unsigned long pag
66455 + #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
66456 + #endif
66457 +
66458 ++#ifdef CONFIG_PAX_KERNEXEC
66459 ++#ifndef __ASSEMBLY__
66460 ++extern unsigned char MODULES_VADDR[];
66461 ++extern unsigned char MODULES_END[];
66462 ++extern unsigned char KERNEL_TEXT_OFFSET[];
66463 ++#define ktla_ktva(addr) (addr + (unsigned long)KERNEL_TEXT_OFFSET)
66464 ++#define ktva_ktla(addr) (addr - (unsigned long)KERNEL_TEXT_OFFSET)
66465 ++#endif
66466 ++#else
66467 ++#define ktla_ktva(addr) (addr)
66468 ++#define ktva_ktla(addr) (addr)
66469 ++#endif
66470 +
66471 + #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
66472 + #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
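Review bot: `ktla_ktva(addr)` / `ktva_ktla(addr)` expand `addr` unparenthesised, so `ktla_ktva(x ? a : b)` silently changes meaning; write `((addr) + (unsigned long)KERNEL_TEXT_OFFSET)` and parenthesise the identity versions the same way (here and in `page_64.h`). A comment spelling out what `ktla` and `ktva` abbreviate and which of the two a caller is expected to hold would make the KERNEXEC address translation much easier to audit.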
66473 +@@ -197,6 +208,10 @@ extern int page_is_ram(unsigned long pag
66474 + ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
66475 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
66476 +
66477 ++#ifdef CONFIG_PAX_PAGEEXEC
66478 ++#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
66479 ++#endif
66480 ++
66481 + #include <asm-generic/memory_model.h>
66482 + #include <asm-generic/page.h>
66483 +
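Review bot: defining `CONFIG_ARCH_TRACK_EXEC_LIMIT` from a header instead of Kconfig means it never shows up in `.config` and every `#ifdef` on it depends on this header being included first; either make it a Kconfig symbol selected by `PAX_PAGEEXEC` or drop the `CONFIG_` prefix so it is not mistaken for a user-visible option.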
66484 +diff -urNp linux-2.6.24.5/include/asm-x86/page_64.h linux-2.6.24.5/include/asm-x86/page_64.h
66485 +--- linux-2.6.24.5/include/asm-x86/page_64.h 2008-03-24 14:49:18.000000000 -0400
66486 ++++ linux-2.6.24.5/include/asm-x86/page_64.h 2008-03-26 20:21:09.000000000 -0400
66487 +@@ -94,6 +94,9 @@ extern unsigned long phys_base;
66488 + #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
66489 + #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
66490 +
66491 ++#define ktla_ktva(addr) (addr)
66492 ++#define ktva_ktla(addr) (addr)
66493 ++
66494 + /* to align the pointer to the (next) page boundary */
66495 + #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
66496 +
66497 +diff -urNp linux-2.6.24.5/include/asm-x86/paravirt.h linux-2.6.24.5/include/asm-x86/paravirt.h
66498 +--- linux-2.6.24.5/include/asm-x86/paravirt.h 2008-03-24 14:49:18.000000000 -0400
66499 ++++ linux-2.6.24.5/include/asm-x86/paravirt.h 2008-03-26 20:21:09.000000000 -0400
66500 +@@ -1124,23 +1124,23 @@ static inline unsigned long __raw_local_
66501 +
66502 + #define INTERRUPT_RETURN \
66503 + PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_iret), CLBR_NONE, \
66504 +- jmp *%cs:pv_cpu_ops+PV_CPU_iret)
66505 ++ jmp *%ss:pv_cpu_ops+PV_CPU_iret)
66506 +
66507 + #define DISABLE_INTERRUPTS(clobbers) \
66508 + PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_disable), clobbers, \
66509 + pushl %eax; pushl %ecx; pushl %edx; \
66510 +- call *%cs:pv_irq_ops+PV_IRQ_irq_disable; \
66511 ++ call *%ss:pv_irq_ops+PV_IRQ_irq_disable; \
66512 + popl %edx; popl %ecx; popl %eax) \
66513 +
66514 + #define ENABLE_INTERRUPTS(clobbers) \
66515 + PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_irq_enable), clobbers, \
66516 + pushl %eax; pushl %ecx; pushl %edx; \
66517 +- call *%cs:pv_irq_ops+PV_IRQ_irq_enable; \
66518 ++ call *%ss:pv_irq_ops+PV_IRQ_irq_enable; \
66519 + popl %edx; popl %ecx; popl %eax)
66520 +
66521 + #define ENABLE_INTERRUPTS_SYSEXIT \
66522 + PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), CLBR_NONE,\
66523 +- jmp *%cs:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
66524 ++ jmp *%ss:pv_cpu_ops+PV_CPU_irq_enable_sysexit)
66525 +
66526 + #define GET_CR0_INTO_EAX \
66527 + push %ecx; push %edx; \
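Review bot: same undocumented `%cs:` to `%ss:` change as in `mach-default/apm.h`; since these macros are the templates `PARA_SITE` emits before any runtime patching, put the comment explaining why the indirect operands must not be fetched through CS next to `INTERRUPT_RETURN`, where the first occurrence is.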
66528 +diff -urNp linux-2.6.24.5/include/asm-x86/pda.h linux-2.6.24.5/include/asm-x86/pda.h
66529 +--- linux-2.6.24.5/include/asm-x86/pda.h 2008-03-24 14:49:18.000000000 -0400
66530 ++++ linux-2.6.24.5/include/asm-x86/pda.h 2008-03-26 20:21:09.000000000 -0400
66531 +@@ -16,11 +16,9 @@ struct x8664_pda {
66532 + unsigned long oldrsp; /* 24 user rsp for system call */
66533 + int irqcount; /* 32 Irq nesting counter. Starts with -1 */
66534 + int cpunumber; /* 36 Logical CPU number */
66535 +-#ifdef CONFIG_CC_STACKPROTECTOR
66536 + unsigned long stack_canary; /* 40 stack canary value */
66537 + /* gcc-ABI: this canary MUST be at
66538 + offset 40!!! */
66539 +-#endif
66540 + char *irqstackptr;
66541 + int nodenumber; /* number of current node */
66542 + unsigned int __softirq_pending;
66543 +diff -urNp linux-2.6.24.5/include/asm-x86/percpu_32.h linux-2.6.24.5/include/asm-x86/percpu_32.h
66544 +--- linux-2.6.24.5/include/asm-x86/percpu_32.h 2008-03-24 14:49:18.000000000 -0400
66545 ++++ linux-2.6.24.5/include/asm-x86/percpu_32.h 2008-03-26 20:21:16.000000000 -0400
66546 +@@ -42,12 +42,12 @@
66547 + */
66548 + #ifdef CONFIG_SMP
66549 + /* Same as generic implementation except for optimized local access. */
66550 +-#define __GENERIC_PER_CPU
66551 +
66552 + /* This is used for other cpus to find our section. */
66553 + extern unsigned long __per_cpu_offset[];
66554 ++extern void setup_per_cpu_areas(void);
66555 +
66556 +-#define per_cpu_offset(x) (__per_cpu_offset[x])
66557 ++#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
66558 +
66559 + /* Separate out the type, so (int[3], foo) works. */
66560 + #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
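Review bot: `per_cpu_offset(x)` now yields `__per_cpu_offset[x] - __per_cpu_start`, yet `per_cpu()` and `__raw_get_cpu_var()` in the next hunk keep using the raw `__per_cpu_offset[cpu]` while `percpu_modcopy` in the third hunk switches to the adjusted macro; document which base each consumer expects, because the two now differ by `__per_cpu_start` and mixing them reads per-cpu data at the wrong address. Removing `#define __GENERIC_PER_CPU` also changes which generic helpers get compiled in and deserves a line in the changelog.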
66561 +@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
66562 +
66563 + /* var is in discarded region: offset to particular copy we want */
66564 + #define per_cpu(var, cpu) (*({ \
66565 +- extern int simple_indentifier_##var(void); \
66566 ++ extern int simple_identifier_##var(void); \
66567 + RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
66568 +
66569 + #define __raw_get_cpu_var(var) (*({ \
66570 +- extern int simple_indentifier_##var(void); \
66571 ++ extern int simple_identifier_##var(void); \
66572 + RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
66573 + }))
66574 +
66575 +@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
66576 + do { \
66577 + unsigned int __i; \
66578 + for_each_possible_cpu(__i) \
66579 +- memcpy((pcpudst)+__per_cpu_offset[__i], \
66580 ++ memcpy((pcpudst)+per_cpu_offset(__i), \
66581 + (src), (size)); \
66582 + } while (0)
66583 +
66584 +diff -urNp linux-2.6.24.5/include/asm-x86/pgalloc_32.h linux-2.6.24.5/include/asm-x86/pgalloc_32.h
66585 +--- linux-2.6.24.5/include/asm-x86/pgalloc_32.h 2008-03-24 14:49:18.000000000 -0400
66586 ++++ linux-2.6.24.5/include/asm-x86/pgalloc_32.h 2008-03-26 20:21:09.000000000 -0400
66587 +@@ -15,11 +15,19 @@
66588 + #define paravirt_release_pd(pfn) do { } while (0)
66589 + #endif
66590 +
66591 ++#ifdef CONFIG_COMPAT_VDSO
66592 + #define pmd_populate_kernel(mm, pmd, pte) \
66593 + do { \
66594 + paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
66595 + set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
66596 + } while (0)
66597 ++#else
66598 ++#define pmd_populate_kernel(mm, pmd, pte) \
66599 ++do { \
66600 ++ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
66601 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
66602 ++} while (0)
66603 ++#endif
66604 +
66605 + #define pmd_populate(mm, pmd, pte) \
66606 + do { \
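Review bot: the two `pmd_populate_kernel` bodies differ only in `_PAGE_TABLE` versus `_KERNPG_TABLE`; put the flag into one conditional `#define` and keep a single macro body so a later edit cannot change one copy and miss the other. Also state the intent in a comment: `_KERNPG_TABLE` drops the user bit from kernel page-table entries, and the `CONFIG_COMPAT_VDSO` case presumably keeps `_PAGE_TABLE` only because the compat vDSO lives at a fixed kernel-space address that userspace must still be able to reach.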
66607 +diff -urNp linux-2.6.24.5/include/asm-x86/pgalloc_64.h linux-2.6.24.5/include/asm-x86/pgalloc_64.h
66608 +--- linux-2.6.24.5/include/asm-x86/pgalloc_64.h 2008-03-24 14:49:18.000000000 -0400
66609 ++++ linux-2.6.24.5/include/asm-x86/pgalloc_64.h 2008-03-26 20:21:09.000000000 -0400
66610 +@@ -6,7 +6,7 @@
66611 + #include <linux/mm.h>
66612 +
66613 + #define pmd_populate_kernel(mm, pmd, pte) \
66614 +- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
66615 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
66616 + #define pud_populate(mm, pud, pmd) \
66617 + set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
66618 + #define pgd_populate(mm, pgd, pud) \
66619 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable-2level.h linux-2.6.24.5/include/asm-x86/pgtable-2level.h
66620 +--- linux-2.6.24.5/include/asm-x86/pgtable-2level.h 2008-03-24 14:49:18.000000000 -0400
66621 ++++ linux-2.6.24.5/include/asm-x86/pgtable-2level.h 2008-03-26 20:21:09.000000000 -0400
66622 +@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
66623 + }
66624 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
66625 + {
66626 ++
66627 ++#ifdef CONFIG_PAX_KERNEXEC
66628 ++ unsigned long cr0;
66629 ++
66630 ++ pax_open_kernel(cr0);
66631 ++#endif
66632 ++
66633 + *pmdp = pmd;
66634 ++
66635 ++#ifdef CONFIG_PAX_KERNEXEC
66636 ++ pax_close_kernel(cr0);
66637 ++#endif
66638 ++
66639 + }
66640 + #ifndef CONFIG_PARAVIRT
66641 + #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
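Review bot: `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` bracket the page-table write with a saved `cr0`, which reads as toggling write protection; the window between the two must not be preempted, and must not take an interrupt or fault that itself relies on the protection being in place, yet nothing at this call site (or the identical ones in `pgtable-3level.h`, `pgtable_64.h` and `clone_pgd_range()`) records what the macros guarantee. A comment at one call site on their preemption/IRQ expectations would let reviewers check the others quickly. Minor: the blank line opening the function body before `#ifdef CONFIG_PAX_KERNEXEC` is unusual kernel style.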
66642 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable_32.h linux-2.6.24.5/include/asm-x86/pgtable_32.h
66643 +--- linux-2.6.24.5/include/asm-x86/pgtable_32.h 2008-03-24 14:49:18.000000000 -0400
66644 ++++ linux-2.6.24.5/include/asm-x86/pgtable_32.h 2008-03-26 20:21:09.000000000 -0400
66645 +@@ -31,7 +31,6 @@ struct vm_area_struct;
66646 + */
66647 + #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
66648 + extern unsigned long empty_zero_page[1024];
66649 +-extern pgd_t swapper_pg_dir[1024];
66650 + extern struct kmem_cache *pmd_cache;
66651 + extern spinlock_t pgd_lock;
66652 + extern struct page *pgd_list;
66653 +@@ -55,6 +54,11 @@ void paging_init(void);
66654 + # include <asm/pgtable-2level-defs.h>
66655 + #endif
66656 +
66657 ++extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
66658 ++#ifdef CONFIG_X86_PAE
66659 ++extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
66660 ++#endif
66661 ++
66662 + #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
66663 + #define PGDIR_MASK (~(PGDIR_SIZE-1))
66664 +
66665 +@@ -64,9 +68,11 @@ void paging_init(void);
66666 + #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
66667 + #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
66668 +
66669 ++#ifndef CONFIG_X86_PAE
66670 + #define TWOLEVEL_PGDIR_SHIFT 22
66671 + #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
66672 + #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
66673 ++#endif
66674 +
66675 + /* Just any arbitrary offset to the start of the vmalloc VM area: the
66676 + * current 8MB value just means that there will be a 8MB "hole" after the
66677 +@@ -133,7 +139,7 @@ void paging_init(void);
66678 + #define PAGE_NONE \
66679 + __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
66680 + #define PAGE_SHARED \
66681 +- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
66682 ++ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
66683 +
66684 + #define PAGE_SHARED_EXEC \
66685 + __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
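Review bot: adding `_PAGE_NX` to `PAGE_SHARED` makes writable shared mappings non-executable by default with `PAGE_SHARED_EXEC` as the explicit opt-in, which is the right default; but on non-PAE 32-bit builds `_PAGE_NX` is zero and on PAE CPUs without NX the bit is masked away through `__supported_pte_mask`, so the guarantee only holds with PAE on an NX-capable CPU. Say so in a comment, and point at `pte_exprotect()` further down as the path that covers the non-NX case, so nobody reads this line as universal.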
66686 +@@ -199,7 +205,7 @@ extern unsigned long long __PAGE_KERNEL,
66687 + #undef TEST_ACCESS_OK
66688 +
66689 + /* The boot page tables (all created as a single array) */
66690 +-extern unsigned long pg0[];
66691 ++extern pte_t pg0[];
66692 +
66693 + #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
66694 +
66695 +@@ -215,30 +221,55 @@ extern unsigned long pg0[];
66696 + * The following only work if pte_present() is true.
66697 + * Undefined behaviour if not..
66698 + */
66699 ++static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
66700 + static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
66701 + static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
66702 + static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
66703 + static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
66704 +
66705 ++#ifdef CONFIG_X86_PAE
66706 ++# include <asm/pgtable-3level.h>
66707 ++#else
66708 ++# include <asm/pgtable-2level.h>
66709 ++#endif
66710 ++
66711 + /*
66712 + * The following only works if pte_present() is not true.
66713 + */
66714 + static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
66715 +
66716 ++static inline pte_t pte_exprotect(pte_t pte)
66717 ++{
66718 ++#ifdef CONFIG_X86_PAE
66719 ++ if (__supported_pte_mask & _PAGE_NX)
66720 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
66721 ++ else
66722 ++#endif
66723 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
66724 ++ return pte;
66725 ++}
66726 ++
66727 + static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
66728 + static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
66729 + static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
66730 ++static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
66731 ++
66732 ++static inline pte_t pte_mkexec(pte_t pte)
66733 ++{
66734 ++#ifdef CONFIG_X86_PAE
66735 ++ if (__supported_pte_mask & _PAGE_NX)
66736 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
66737 ++ else
66738 ++#endif
66739 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
66740 ++ return pte;
66741 ++}
66742 ++
66743 + static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
66744 + static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
66745 + static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
66746 + static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
66747 +
66748 +-#ifdef CONFIG_X86_PAE
66749 +-# include <asm/pgtable-3level.h>
66750 +-#else
66751 +-# include <asm/pgtable-2level.h>
66752 +-#endif
66753 +-
66754 + #ifndef CONFIG_PARAVIRT
66755 + /*
66756 + * Rules for using pte_update - it must be called after any PTE update which
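Review bot: `pte_exprotect()` / `pte_mkexec()` encode "non-executable" by setting `_PAGE_NX` when the CPU supports it and otherwise by clearing `_PAGE_USER`, so on non-NX hardware a protected page becomes inaccessible from ring 3 and executability has to be decided in the fault handler; that changes what a cleared user bit means for every reader of user PTEs and needs a comment here. The `<asm/pgtable-2level.h>` / `3level.h` include is moved above these helpers because they call `set_pte()`; note that in a comment so a later cleanup does not move it back and break the build. `pte_user()` and `pte_mkread()` have no caller visible in this series; confirm they are used or drop them.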
66757 +@@ -350,7 +381,19 @@ static inline void ptep_set_wrprotect(st
66758 + */
66759 + static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
66760 + {
66761 +- memcpy(dst, src, count * sizeof(pgd_t));
66762 ++
66763 ++#ifdef CONFIG_PAX_KERNEXEC
66764 ++ unsigned long cr0;
66765 ++
66766 ++ pax_open_kernel(cr0);
66767 ++#endif
66768 ++
66769 ++ memcpy(dst, src, count * sizeof(pgd_t));
66770 ++
66771 ++#ifdef CONFIG_PAX_KERNEXEC
66772 ++ pax_close_kernel(cr0);
66773 ++#endif
66774 ++
66775 + }
66776 +
66777 + /*
66778 +@@ -497,6 +540,9 @@ static inline void paravirt_pagetable_se
66779 +
66780 + #endif /* !__ASSEMBLY__ */
66781 +
66782 ++#define HAVE_ARCH_UNMAPPED_AREA
66783 ++#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
66784 ++
66785 + #ifdef CONFIG_FLATMEM
66786 + #define kern_addr_valid(addr) (1)
66787 + #endif /* CONFIG_FLATMEM */
66788 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable-3level.h linux-2.6.24.5/include/asm-x86/pgtable-3level.h
66789 +--- linux-2.6.24.5/include/asm-x86/pgtable-3level.h 2008-03-24 14:49:18.000000000 -0400
66790 ++++ linux-2.6.24.5/include/asm-x86/pgtable-3level.h 2008-03-26 20:21:09.000000000 -0400
66791 +@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
66792 + }
66793 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
66794 + {
66795 ++
66796 ++#ifdef CONFIG_PAX_KERNEXEC
66797 ++ unsigned long cr0;
66798 ++
66799 ++ pax_open_kernel(cr0);
66800 ++#endif
66801 ++
66802 + set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
66803 ++
66804 ++#ifdef CONFIG_PAX_KERNEXEC
66805 ++ pax_close_kernel(cr0);
66806 ++#endif
66807 ++
66808 + }
66809 + static inline void native_set_pud(pud_t *pudp, pud_t pud)
66810 + {
66811 ++
66812 ++#ifdef CONFIG_PAX_KERNEXEC
66813 ++ unsigned long cr0;
66814 ++
66815 ++ pax_open_kernel(cr0);
66816 ++#endif
66817 ++
66818 + *pudp = pud;
66819 ++
66820 ++#ifdef CONFIG_PAX_KERNEXEC
66821 ++ pax_close_kernel(cr0);
66822 ++#endif
66823 ++
66824 + }
66825 +
66826 + /*
66827 +diff -urNp linux-2.6.24.5/include/asm-x86/pgtable_64.h linux-2.6.24.5/include/asm-x86/pgtable_64.h
66828 +--- linux-2.6.24.5/include/asm-x86/pgtable_64.h 2008-03-24 14:49:18.000000000 -0400
66829 ++++ linux-2.6.24.5/include/asm-x86/pgtable_64.h 2008-03-26 20:21:09.000000000 -0400
66830 +@@ -79,7 +79,19 @@ static inline void set_pte(pte_t *dst, p
66831 +
66832 + static inline void set_pmd(pmd_t *dst, pmd_t val)
66833 + {
66834 ++
66835 ++#ifdef CONFIG_PAX_KERNEXEC
66836 ++ unsigned long cr0;
66837 ++
66838 ++ pax_open_kernel(cr0);
66839 ++#endif
66840 ++
66841 + pmd_val(*dst) = pmd_val(val);
66842 ++
66843 ++#ifdef CONFIG_PAX_KERNEXEC
66844 ++ pax_close_kernel(cr0);
66845 ++#endif
66846 ++
66847 + }
66848 +
66849 + static inline void set_pud(pud_t *dst, pud_t val)
66850 +@@ -180,6 +192,10 @@ static inline pte_t ptep_get_and_clear_f
66851 + #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66852 + #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
66853 + #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66854 ++
66855 ++#define PAGE_READONLY_NOEXEC PAGE_READONLY
66856 ++#define PAGE_SHARED_NOEXEC PAGE_SHARED
66857 ++
66858 + #define __PAGE_KERNEL \
66859 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
66860 + #define __PAGE_KERNEL_EXEC \
66861 +@@ -188,10 +204,12 @@ static inline pte_t ptep_get_and_clear_f
66862 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_PCD | _PAGE_ACCESSED | _PAGE_NX)
66863 + #define __PAGE_KERNEL_RO \
66864 + (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
66865 ++#define __PAGE_KERNEL_RX \
66866 ++ (_PAGE_PRESENT | _PAGE_DIRTY | _PAGE_ACCESSED)
66867 + #define __PAGE_KERNEL_VSYSCALL \
66868 + (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
66869 + #define __PAGE_KERNEL_VSYSCALL_NOCACHE \
66870 +- (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD)
66871 ++ (_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_PCD | _PAGE_NX)
66872 + #define __PAGE_KERNEL_LARGE \
66873 + (__PAGE_KERNEL | _PAGE_PSE)
66874 + #define __PAGE_KERNEL_LARGE_EXEC \
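Review bot: `__PAGE_KERNEL_VSYSCALL_NOCACHE` gains `_PAGE_NX` while `__PAGE_KERNEL_VSYSCALL` does not; that is consistent if the NOCACHE variant only ever maps the vsyscall data page, but a comment stating that assumption would make the asymmetry visibly intentional. The new `__PAGE_KERNEL_RX` (present, no `_PAGE_RW`, no `_PAGE_NX`) is the read+execute protection for kernel text under KERNEXEC; naming that use next to the definition would help.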
66875 +@@ -202,6 +220,7 @@ static inline pte_t ptep_get_and_clear_f
66876 + #define PAGE_KERNEL MAKE_GLOBAL(__PAGE_KERNEL)
66877 + #define PAGE_KERNEL_EXEC MAKE_GLOBAL(__PAGE_KERNEL_EXEC)
66878 + #define PAGE_KERNEL_RO MAKE_GLOBAL(__PAGE_KERNEL_RO)
66879 ++#define PAGE_KERNEL_RX MAKE_GLOBAL(__PAGE_KERNEL_RX)
66880 + #define PAGE_KERNEL_NOCACHE MAKE_GLOBAL(__PAGE_KERNEL_NOCACHE)
66881 + #define PAGE_KERNEL_VSYSCALL32 __pgprot(__PAGE_KERNEL_VSYSCALL)
66882 + #define PAGE_KERNEL_VSYSCALL MAKE_GLOBAL(__PAGE_KERNEL_VSYSCALL)
66883 +@@ -231,17 +250,17 @@ static inline pte_t ptep_get_and_clear_f
66884 +
66885 + static inline unsigned long pgd_bad(pgd_t pgd)
66886 + {
66887 +- return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66888 ++ return pgd_val(pgd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66889 + }
66890 +
66891 + static inline unsigned long pud_bad(pud_t pud)
66892 + {
66893 +- return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66894 ++ return pud_val(pud) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66895 + }
66896 +
66897 + static inline unsigned long pmd_bad(pmd_t pmd)
66898 + {
66899 +- return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER);
66900 ++ return pmd_val(pmd) & ~(PTE_MASK | _KERNPG_TABLE | _PAGE_USER | _PAGE_NX);
66901 + }
66902 +
66903 + #define pte_none(x) (!pte_val(x))
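Review bot: `pgd_bad()`, `pud_bad()` and `pmd_bad()` now accept `_PAGE_NX` in upper-level entries, which weakens a sanity check unless something in the series actually sets NX on page-directory entries (none of that is in this hunk). If the intent is that page tables for non-text regions are marked NX at every level, say so in a comment above the three helpers; if nothing sets NX at these levels, the relaxation should be dropped so a corrupted directory entry is still caught.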
66904 +diff -urNp linux-2.6.24.5/include/asm-x86/processor_32.h linux-2.6.24.5/include/asm-x86/processor_32.h
66905 +--- linux-2.6.24.5/include/asm-x86/processor_32.h 2008-03-24 14:49:18.000000000 -0400
66906 ++++ linux-2.6.24.5/include/asm-x86/processor_32.h 2008-03-26 20:21:09.000000000 -0400
66907 +@@ -100,8 +100,6 @@ struct cpuinfo_x86 {
66908 +
66909 + extern struct cpuinfo_x86 boot_cpu_data;
66910 + extern struct cpuinfo_x86 new_cpu_data;
66911 +-extern struct tss_struct doublefault_tss;
66912 +-DECLARE_PER_CPU(struct tss_struct, init_tss);
66913 +
66914 + #ifdef CONFIG_SMP
66915 + DECLARE_PER_CPU(struct cpuinfo_x86, cpu_info);
66916 +@@ -215,11 +213,19 @@ extern int bootloader_type;
66917 + */
66918 + #define TASK_SIZE (PAGE_OFFSET)
66919 +
66920 ++#ifdef CONFIG_PAX_SEGMEXEC
66921 ++#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
66922 ++#endif
66923 ++
66924 + /* This decides where the kernel will search for a free chunk of vm
66925 + * space during mmap's.
66926 + */
66927 + #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
66928 +
66929 ++#ifdef CONFIG_PAX_SEGMEXEC
66930 ++#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
66931 ++#endif
66932 ++
66933 + #define HAVE_ARCH_PICK_MMAP_LAYOUT
66934 +
66935 + extern void hard_disable_TSC(void);
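Review bot: `SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)` halves the user address space (1.5 GB with the default PAGE_OFFSET of 0xC0000000) with no comment explaining why; one sentence saying that the lower half holds the data mapping and the upper half the mirrored code mapping used by segmentation-based non-executable pages would make the constant self-explaining. The two separate `#ifdef CONFIG_PAX_SEGMEXEC` blocks could also be folded into one placed after `TASK_UNMAPPED_BASE`.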
66936 +@@ -344,6 +350,9 @@ struct tss_struct {
66937 +
66938 + #define ARCH_MIN_TASKALIGN 16
66939 +
66940 ++extern struct tss_struct doublefault_tss;
66941 ++extern struct tss_struct init_tss[NR_CPUS];
66942 ++
66943 + struct thread_struct {
66944 + /* cached TLS descriptors. */
66945 + struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
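Review bot: `init_tss` changes from `DECLARE_PER_CPU(struct tss_struct, init_tss)` (removed in the earlier hunk of this file) to a plain `extern struct tss_struct init_tss[NR_CPUS]`, so every `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` user and the definition in arch code must change with it, and none of that is in this hunk. The array also loses the per-CPU section's cache-line separation unless the definition keeps its `____cacheline` alignment, which matters because the TSS is touched on every ring transition. The reason for the move (the declaration now needs `struct tss_struct` to be complete) is worth a comment.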
66946 +@@ -372,7 +381,7 @@ struct thread_struct {
66947 + };
66948 +
66949 + #define INIT_THREAD { \
66950 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
66951 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
66952 + .vm86_info = NULL, \
66953 + .sysenter_cs = __KERNEL_CS, \
66954 + .io_bitmap_ptr = NULL, \
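Review bot: the bare `- 8` in `.esp0 = sizeof(init_stack) + (long)&init_stack - 8` is repeated in `INIT_TSS` below and must agree with what `KSTK_TOP()` and `task_pt_regs()` now assume about `thread.esp0`; a named constant shared by all of these sites would keep them from drifting apart. The existing comment further down in this file ("The below -8 is to reserve 8 bytes on top of the ring0 stack") explains the reservation, so reference it or move it next to these initialisers.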
66955 +@@ -387,7 +396,7 @@ struct thread_struct {
66956 + */
66957 + #define INIT_TSS { \
66958 + .x86_tss = { \
66959 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
66960 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
66961 + .ss0 = __KERNEL_DS, \
66962 + .ss1 = __KERNEL_CS, \
66963 + .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
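Review bot: same `- 8` as in `INIT_THREAD` two hunks up; the two values must stay identical because the TSS esp0 and the thread esp0 are what `task_pt_regs()` now derives the register frame from, so derive both from one macro.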
66964 +@@ -428,11 +437,7 @@ void show_trace(struct task_struct *task
66965 + unsigned long get_wchan(struct task_struct *p);
66966 +
66967 + #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
66968 +-#define KSTK_TOP(info) \
66969 +-({ \
66970 +- unsigned long *__ptr = (unsigned long *)(info); \
66971 +- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
66972 +-})
66973 ++#define KSTK_TOP(info) ((info)->task.thread.esp0)
66974 +
66975 + /*
66976 + * The below -8 is to reserve 8 bytes on top of the ring0 stack.
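Review bot: `KSTK_TOP(info)` now dereferences `(info)->task.thread.esp0`, so its argument must be a `struct thread_info *` rather than the raw stack-page pointer the old macro accepted; any caller still passing `task_stack_page(task)` (a `void *`) fails to compile, and any caller that runs before a task's esp0 is initialised gets a pointer into someone else's stack. The comment immediately below ("The below -8 is to reserve 8 bytes on top of the ring0 stack") described the arithmetic that is being removed from `task_pt_regs()`; with esp0 already carrying the -8 it should be reworded to say where the reservation now lives.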
66977 +@@ -447,7 +452,7 @@ unsigned long get_wchan(struct task_stru
66978 + #define task_pt_regs(task) \
66979 + ({ \
66980 + struct pt_regs *__regs__; \
66981 +- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
66982 ++ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
66983 + __regs__ - 1; \
66984 + })
66985 +
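Review bot: `task_pt_regs(task)` now reads `(task)->thread.esp0` instead of computing from the stack page, which introduces an ordering dependency in fork: a freshly duplicated task inherits its parent's `thread.esp0`, so `copy_thread()` must set the child's esp0 before it calls `task_pt_regs()`, otherwise the child's `pt_regs` pointer lands in the parent's stack. The matching process_32.c change is not in this hunk; please confirm it is in the series, and note the requirement in a comment above the macro.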
66986 +diff -urNp linux-2.6.24.5/include/asm-x86/processor_64.h linux-2.6.24.5/include/asm-x86/processor_64.h
66987 +--- linux-2.6.24.5/include/asm-x86/processor_64.h 2008-03-24 14:49:18.000000000 -0400
66988 ++++ linux-2.6.24.5/include/asm-x86/processor_64.h 2008-03-26 20:21:09.000000000 -0400
66989 +@@ -142,7 +142,7 @@ static inline void clear_in_cr4 (unsigne
66990 + /* This decides where the kernel will search for a free chunk of vm
66991 + * space during mmap's.
66992 + */
66993 +-#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
66994 ++#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
66995 +
66996 + #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
66997 + #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
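Review bot: raising `IA32_PAGE_OFFSET` from 0xFFFFe000 to 0xFFFFf000 makes the page at 0xFFFFe000 mappable by 32-bit compat processes, and the change is unconditional (not under any CONFIG_PAX_* option). In the unpatched kernel that page holds the ia32 vsyscall/vDSO mapping, so this is only safe if the compat vsyscall page is relocated or disabled in the same series; a comment naming that dependency is needed. It also changes the userland-visible `TASK_SIZE` for compat tasks, which affects mmap hint validation and anything else that compares against it.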
66998 +@@ -201,7 +201,7 @@ struct tss_struct {
66999 +
67000 +
67001 + extern struct cpuinfo_x86 boot_cpu_data;
67002 +-DECLARE_PER_CPU(struct tss_struct,init_tss);
67003 ++extern struct tss_struct init_tss[NR_CPUS];
67004 + /* Save the original ist values for checking stack pointers during debugging */
67005 + struct orig_ist {
67006 + unsigned long ist[7];
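Review bot: same `DECLARE_PER_CPU` to `init_tss[NR_CPUS]` conversion as in processor_32.h; on 64-bit the `cpu_init()` path that loads TR from the per-CPU TSS and every `per_cpu(init_tss, ...)` reference must be updated in the same series. Keep the definition cache-line aligned, otherwise adjacent CPUs' TSSes share lines once they are packed into a plain array.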
67007 +diff -urNp linux-2.6.24.5/include/asm-x86/ptrace.h linux-2.6.24.5/include/asm-x86/ptrace.h
67008 +--- linux-2.6.24.5/include/asm-x86/ptrace.h 2008-03-24 14:49:18.000000000 -0400
67009 ++++ linux-2.6.24.5/include/asm-x86/ptrace.h 2008-03-26 20:21:09.000000000 -0400
67010 +@@ -39,17 +39,18 @@ struct task_struct;
67011 + extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
67012 +
67013 + /*
67014 +- * user_mode_vm(regs) determines whether a register set came from user mode.
67015 ++ * user_mode(regs) determines whether a register set came from user mode.
67016 + * This is true if V8086 mode was enabled OR if the register set was from
67017 + * protected mode with RPL-3 CS value. This tricky test checks that with
67018 + * one comparison. Many places in the kernel can bypass this full check
67019 +- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
67020 ++ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
67021 ++ * be used.
67022 + */
67023 +-static inline int user_mode(struct pt_regs *regs)
67024 ++static inline int user_mode_novm(struct pt_regs *regs)
67025 + {
67026 + return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
67027 + }
67028 +-static inline int user_mode_vm(struct pt_regs *regs)
67029 ++static inline int user_mode(struct pt_regs *regs)
67030 + {
67031 + return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
67032 + }
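Review bot: swapping the meanings of `user_mode()` and `user_mode_vm()` (the V8086-aware test becomes `user_mode`, the RPL-only test becomes `user_mode_novm`) is the safe direction: any existing `user_mode()` caller that forgot about VM86 frames now gets the correct answer, and every former `user_mode_vm()` caller breaks at compile time instead of silently changing behaviour. Say exactly that in the comment so the rename is not later reverted as cosmetic, and make the last sentence ("so user_mode_novm(regs) can be used") explicit that the caller must have proven V8086 mode impossible at that point, since the novm variant returns 0 for a vm86 user frame.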
67033 +diff -urNp linux-2.6.24.5/include/asm-x86/reboot.h linux-2.6.24.5/include/asm-x86/reboot.h
67034 +--- linux-2.6.24.5/include/asm-x86/reboot.h 2008-03-24 14:49:18.000000000 -0400
67035 ++++ linux-2.6.24.5/include/asm-x86/reboot.h 2008-03-26 20:21:09.000000000 -0400
67036 +@@ -15,6 +15,6 @@ struct machine_ops
67037 +
67038 + extern struct machine_ops machine_ops;
67039 +
67040 +-void machine_real_restart(unsigned char *code, int length);
67041 ++void machine_real_restart(const unsigned char *code, unsigned int length);
67042 +
67043 + #endif /* _ASM_REBOOT_H */
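Review bot: the new prototype `machine_real_restart(const unsigned char *code, unsigned int length)` must be mirrored in the definition in arch/x86/kernel (not in this hunk) or the build fails; `unsigned int length` also silently accepts a negative `int` from an existing caller, so check the call sites. Const-qualifying the code buffer is correct, since the real-mode trampoline is copied rather than modified in place.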
67044 +diff -urNp linux-2.6.24.5/include/asm-x86/segment_32.h linux-2.6.24.5/include/asm-x86/segment_32.h
67045 +--- linux-2.6.24.5/include/asm-x86/segment_32.h 2008-03-24 14:49:18.000000000 -0400
67046 ++++ linux-2.6.24.5/include/asm-x86/segment_32.h 2008-03-26 20:21:09.000000000 -0400
67047 +@@ -81,6 +81,12 @@
67048 + #define __KERNEL_PERCPU 0
67049 + #endif
67050 +
67051 ++#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
67052 ++#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
67053 ++
67054 ++#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
67055 ++#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
67056 ++
67057 + #define GDT_ENTRY_DOUBLEFAULT_TSS 31
67058 +
67059 + /*
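Review bot: `GDT_ENTRY_PCIBIOS_CS` / `GDT_ENTRY_PCIBIOS_DS` at `GDT_ENTRY_KERNEL_BASE + 16` and `+ 17` land in GDT slots 28 and 29, just below `GDT_ENTRY_DOUBLEFAULT_TSS 31`; add a comment stating that those slots were previously unused, and note that the GDT initialiser in the boot code must populate them with descriptors limited to the PCI BIOS area. Dedicated selectors only improve anything if they are not flat copies of `__KERNEL_CS` / `__KERNEL_DS`, so the limits chosen in the initialiser are the security-relevant part of this change and deserve to be referenced here.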
67060 +@@ -140,9 +146,9 @@
67061 + #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
67062 +
67063 + /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
67064 +-#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
67065 ++#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
67066 +
67067 + /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
67068 +-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
67069 ++#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
67070 +
67071 + #endif
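Review bot: the comments above both macros are now stale: "Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart)" and "Matches PNP_CS32 and PNP_CS16 (they must be consecutive)" described the old bit-mask tricks, and the exact comparisons no longer need the adjacency constraint, so drop the parentheticals. The rewrite is also a tightening worth recording: `(x) & 0xec` ignored bit 4 and bits 8..15, so any selector whose low bits happened to match passed as flat kernel code; masking only the RPL bits with `0xFFFCU` makes the check exact, and comparing the TI bit means an LDT selector can no longer satisfy it.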
67072 +diff -urNp linux-2.6.24.5/include/asm-x86/system_32.h linux-2.6.24.5/include/asm-x86/system_32.h
67073 +--- linux-2.6.24.5/include/asm-x86/system_32.h 2008-03-24 14:49:18.000000000 -0400
67074 ++++ linux-2.6.24.5/include/asm-x86/system_32.h 2008-03-26 20:21:09.000000000 -0400
67075 +@@ -188,6 +188,21 @@ static inline void clflush(volatile void
67076 + /* Set the 'TS' bit */
67077 + #define stts() write_cr0(8 | read_cr0())
67078 +
67079 ++#define pax_open_kernel(cr0) \
67080 ++do { \
67081 ++ typecheck(unsigned long, cr0); \
67082 ++ preempt_disable(); \
67083 ++ cr0 = read_cr0(); \
67084 ++ write_cr0(cr0 & ~X86_CR0_WP); \
67085 ++} while (0)
67086 ++
67087 ++#define pax_close_kernel(cr0) \
67088 ++do { \
67089 ++ typecheck(unsigned long, cr0); \
67090 ++ write_cr0(cr0); \
67091 ++ preempt_enable_no_resched(); \
67092 ++} while (0)
67093 ++
67094 + #endif /* __KERNEL__ */
67095 +
67096 + static inline unsigned long get_limit(unsigned long segment)
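Review bot: `pax_open_kernel()` clears CR0.WP with preemption disabled but interrupts enabled, so any interrupt or NMI handler that runs on this CPU between open and close executes with write protection off, and a write-to-read-only bug in such a handler silently succeeds inside that window. Document the window above the macros and keep the region between open and close minimal; also note that `preempt_enable_no_resched()` in `pax_close_kernel()` skips the reschedule check, so callers must not treat close as a preemption point. The `typecheck(unsigned long, cr0)` on the saved value is good.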
67097 +@@ -195,7 +210,7 @@ static inline unsigned long get_limit(un
67098 + unsigned long __limit;
67099 + __asm__("lsll %1,%0"
67100 + :"=r" (__limit):"r" (segment));
67101 +- return __limit+1;
67102 ++ return __limit;
67103 + }
67104 +
67105 + #define nop() __asm__ __volatile__ ("nop")
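Review bot: `get_limit()` now returns the raw `lsl` result (the highest valid offset) rather than `__limit + 1` (the segment size), which changes the contract for every caller. The old `+ 1` wrapped to 0 for a flat 4 GB segment because 0xffffffff + 1 overflows 32 bits, so this is a genuine fix, but callers that bound-check an offset against the segment (vm86 and the instruction decoders) must now compare with `<=` instead of `<`; add a comment saying the return value is inclusive.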
67106 +@@ -311,7 +326,7 @@ void enable_hlt(void);
67107 + extern int es7000_plat;
67108 + void cpu_idle_wait(void);
67109 +
67110 +-extern unsigned long arch_align_stack(unsigned long sp);
67111 ++#define arch_align_stack(x) (x)
67112 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
67113 +
67114 + void default_idle(void);
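Review bot: replacing `arch_align_stack()` with the identity macro `#define arch_align_stack(x) (x)` removes two things the old function did: the random offset of up to 8 KB applied when `randomize_va_space` is set, and the `& ~0xf` alignment of the resulting stack pointer. The PaX stack randomisation presumably replaces the first, but unless the callers (`setup_arg_pages()` / `create_elf_tables()`) align the pointer themselves, userspace can start on a misaligned stack, which breaks SSE code that assumes 16-byte alignment. The out-of-line definition in the arch process.c must also be removed, since a function definition named `arch_align_stack` no longer preprocesses into valid C with this macro in scope.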
67115 +diff -urNp linux-2.6.24.5/include/asm-x86/system_64.h linux-2.6.24.5/include/asm-x86/system_64.h
67116 +--- linux-2.6.24.5/include/asm-x86/system_64.h 2008-03-24 14:49:18.000000000 -0400
67117 ++++ linux-2.6.24.5/include/asm-x86/system_64.h 2008-03-26 20:21:09.000000000 -0400
67118 +@@ -33,6 +33,8 @@
67119 + ".globl thread_return\n" \
67120 + "thread_return:\n\t" \
67121 + "movq %%gs:%P[pda_pcurrent],%%rsi\n\t" \
67122 ++ "movq %P[task_canary](%%rsi),%%r8\n\t" \
67123 ++ "movq %%r8,%%gs:%P[pda_canary]\n\t" \
67124 + "movq %P[thread_info](%%rsi),%%r8\n\t" \
67125 + LOCK_PREFIX "btr %[tif_fork],%P[ti_flags](%%r8)\n\t" \
67126 + "movq %%rax,%%rdi\n\t" \
67127 +@@ -44,7 +46,9 @@
67128 + [ti_flags] "i" (offsetof(struct thread_info, flags)),\
67129 + [tif_fork] "i" (TIF_FORK), \
67130 + [thread_info] "i" (offsetof(struct task_struct, stack)), \
67131 +- [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)) \
67132 ++ [task_canary] "i" (offsetof(struct task_struct, stack_canary)), \
67133 ++ [pda_pcurrent] "i" (offsetof(struct x8664_pda, pcurrent)), \
67134 ++ [pda_canary] "i" (offsetof(struct x8664_pda, stack_canary)) \
67135 + : "memory", "cc" __EXTRA_CLOBBER)
67136 +
67137 + extern void load_gs_index(unsigned);
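Review bot: the two added instructions copy the incoming task's `stack_canary` into `%gs:pda.stack_canary`, which is what gcc's `-fstack-protector` reads as `%gs:40` on x86-64; this only works if `struct x8664_pda`'s `stack_canary` sits at offset 40, and nothing in this hunk enforces it. If the C-side `write_pda(stack_canary, ...)` in `__switch_to()` and its `BUILD_BUG_ON` are being dropped in favour of this asm (the usual motivation being that `__switch_to()` would otherwise check its own frame against the canary it just replaced), keep the offset check somewhere. The `[task_canary]` operand also references `task_struct.stack_canary` unconditionally, while in this tree that field is under `CONFIG_CC_STACKPROTECTOR`, so either guard these lines or make the field unconditional.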
67138 +@@ -139,6 +143,21 @@ static inline void write_cr8(unsigned lo
67139 + #define wbinvd() \
67140 + __asm__ __volatile__ ("wbinvd": : :"memory")
67141 +
67142 ++#define pax_open_kernel(cr0) \
67143 ++do { \
67144 ++ typecheck(unsigned long, cr0); \
67145 ++ preempt_disable(); \
67146 ++ cr0 = read_cr0(); \
67147 ++ write_cr0(cr0 & ~X86_CR0_WP); \
67148 ++} while (0)
67149 ++
67150 ++#define pax_close_kernel(cr0) \
67151 ++do { \
67152 ++ typecheck(unsigned long, cr0); \
67153 ++ write_cr0(cr0); \
67154 ++ preempt_enable_no_resched(); \
67155 ++} while (0)
67156 ++
67157 + #endif /* __KERNEL__ */
67158 +
67159 + static inline void clflush(volatile void *__p)
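Review bot: this is a verbatim copy of the `pax_open_kernel` / `pax_close_kernel` pair added to system_32.h; since both use the same `read_cr0()` / `write_cr0()` accessors, one definition in a shared x86 header would keep the two from drifting apart. The same caveat applies here: interrupts stay enabled while CR0.WP is clear, so the protected region must be short and the window documented.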
67160 +@@ -179,7 +198,7 @@ static inline void clflush(volatile void
67161 +
67162 + void cpu_idle_wait(void);
67163 +
67164 +-extern unsigned long arch_align_stack(unsigned long sp);
67165 ++#define arch_align_stack(x) (x)
67166 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
67167 +
67168 + #endif
67169 +diff -urNp linux-2.6.24.5/include/asm-x86/uaccess_32.h linux-2.6.24.5/include/asm-x86/uaccess_32.h
67170 +--- linux-2.6.24.5/include/asm-x86/uaccess_32.h 2008-03-24 14:49:18.000000000 -0400
67171 ++++ linux-2.6.24.5/include/asm-x86/uaccess_32.h 2008-03-26 20:21:09.000000000 -0400
67172 +@@ -9,6 +9,7 @@
67173 + #include <linux/prefetch.h>
67174 + #include <linux/string.h>
67175 + #include <asm/page.h>
67176 ++#include <asm/segment.h>
67177 +
67178 + #define VERIFY_READ 0
67179 + #define VERIFY_WRITE 1
67180 +@@ -29,7 +30,8 @@
67181 +
67182 + #define get_ds() (KERNEL_DS)
67183 + #define get_fs() (current_thread_info()->addr_limit)
67184 +-#define set_fs(x) (current_thread_info()->addr_limit = (x))
67185 ++void __set_fs(mm_segment_t x, int cpu);
67186 ++void set_fs(mm_segment_t x);
67187 +
67188 + #define segment_eq(a,b) ((a).seg == (b).seg)
67189 +
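Review bot: `set_fs()` turns from a macro into an out-of-line function with a `__set_fs(mm_segment_t x, int cpu)` sibling, and neither is documented. The `cpu` argument suggests it rewrites a per-CPU descriptor (the user data segment limit) in addition to `addr_limit`; if so, a task that migrates between `set_fs(KERNEL_DS)` and the access it guards depends on the context-switch path re-applying the limit on the new CPU, and that requirement belongs in a comment here. `get_fs()` still reads `addr_limit` directly, so whatever `__set_fs` writes must keep the two consistent.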
67190 +@@ -101,6 +103,7 @@ struct exception_table_entry
67191 + };
67192 +
67193 + extern int fixup_exception(struct pt_regs *regs);
67194 ++#define ARCH_HAS_SORT_EXTABLE
67195 +
67196 + /*
67197 + * These are the main single-value transfer routines. They automatically
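Review bot: defining `ARCH_HAS_SORT_EXTABLE` (here and in uaccess_64.h further down) commits the arch to providing its own `sort_extable()`, since the generic one in lib/extable.c is then compiled out; the implementation must land in the same series or module loading with exception tables fails to link. A comment naming where it lives would help.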
67198 +@@ -280,9 +283,12 @@ extern void __put_user_8(void);
67199 +
67200 + #define __put_user_u64(x, addr, err) \
67201 + __asm__ __volatile__( \
67202 +- "1: movl %%eax,0(%2)\n" \
67203 +- "2: movl %%edx,4(%2)\n" \
67204 ++ " movw %w5,%%ds\n" \
67205 ++ "1: movl %%eax,%%ds:0(%2)\n" \
67206 ++ "2: movl %%edx,%%ds:4(%2)\n" \
67207 + "3:\n" \
67208 ++ " pushl %%ss\n" \
67209 ++ " popl %%ds\n" \
67210 + ".section .fixup,\"ax\"\n" \
67211 + "4: movl %3,%0\n" \
67212 + " jmp 3b\n" \
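Review bot: the `movw %w5,%%ds` / `pushl %%ss; popl %%ds` pair around the stores is unconditional in this hunk; there is no `CONFIG_PAX_MEMORY_UDEREF`-style guard, so every `put_user()` on every 32-bit kernel built from this tree pays two segment loads whether or not the kernel data segment has been restricted. Restoring %ds at label `3:` is the right place because the fixup `4: movl %3,%0; jmp 3b` lands there too, so %ds is restored on the fault path as well; say so in a comment, since a later edit that moves the restore above `3:` would leave %ds pointing at the user segment after a fault. Restoring from %ss also relies on %ss holding `__KERNEL_DS` in every kernel context, which holds but deserves stating.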
67213 +@@ -293,7 +299,8 @@ extern void __put_user_8(void);
67214 + " .long 2b,4b\n" \
67215 + ".previous" \
67216 + : "=r"(err) \
67217 +- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
67218 ++ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
67219 ++ "r"(__USER_DS))
67220 +
67221 + #ifdef CONFIG_X86_WP_WORKS_OK
67222 +
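Review bot: with the added `"r"(__USER_DS)` input the operand numbering used by the asm (%0 err, %1 x, %2 addr, %3 -EFAULT, %4 err-in, %5 selector) is correct; note that this path already pins %eax:%edx through the `"A"` constraint and now needs a further general register for the selector, which is tight on i386, so a comment explaining why the selector cannot be an immediate (there is no `mov $imm, %ds` encoding) would pre-empt a "cleanup".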
67223 +@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
67224 + */
67225 + #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
67226 + __asm__ __volatile__( \
67227 +- "1: mov"itype" %"rtype"1,%2\n" \
67228 ++ " movw %w5,%%ds\n" \
67229 ++ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
67230 + "2:\n" \
67231 ++ " pushl %%ss\n" \
67232 ++ " popl %%ds\n" \
67233 + ".section .fixup,\"ax\"\n" \
67234 + "3: movl %3,%0\n" \
67235 + " jmp 2b\n" \
67236 +@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
67237 + " .long 1b,3b\n" \
67238 + ".previous" \
67239 + : "=r"(err) \
67240 +- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
67241 ++ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
67242 ++ "r"(__USER_DS))
67243 +
67244 +
67245 + #define __get_user_nocheck(x,ptr,size) \
67246 +@@ -371,8 +382,11 @@ do { \
67247 +
67248 + #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
67249 + __asm__ __volatile__( \
67250 +- "1: mov"itype" %2,%"rtype"1\n" \
67251 ++ " movw %w5,%%ds\n" \
67252 ++ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
67253 + "2:\n" \
67254 ++ " pushl %%ss\n" \
67255 ++ " popl %%ds\n" \
67256 + ".section .fixup,\"ax\"\n" \
67257 + "3: movl %3,%0\n" \
67258 + " xor"itype" %"rtype"1,%"rtype"1\n" \
67259 +@@ -383,7 +397,7 @@ do { \
67260 + " .long 1b,3b\n" \
67261 + ".previous" \
67262 + : "=r"(err), ltype (x) \
67263 +- : "m"(__m(addr)), "i"(errret), "0"(err))
67264 ++ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
67265 +
67266 +
67267 + unsigned long __must_check __copy_to_user_ll(void __user *to,
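Review bot: nothing in uaccess_32.h explains why kernel code must switch %ds to `__USER_DS` to touch user memory (that the kernel's own data segment no longer spans user space), so a block comment at the top of the file describing the segment model is needed. It would also let a reviewer check that the bulk copy routines declared right here (`__copy_to_user_ll` and friends), which this patch does not touch in the header, apply the same segment switch in their implementation.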
67268 +diff -urNp linux-2.6.24.5/include/asm-x86/uaccess_64.h linux-2.6.24.5/include/asm-x86/uaccess_64.h
67269 +--- linux-2.6.24.5/include/asm-x86/uaccess_64.h 2008-03-24 14:49:18.000000000 -0400
67270 ++++ linux-2.6.24.5/include/asm-x86/uaccess_64.h 2008-03-26 20:21:09.000000000 -0400
67271 +@@ -66,6 +66,7 @@ struct exception_table_entry
67272 + };
67273 +
67274 + #define ARCH_HAS_SEARCH_EXTABLE
67275 ++#define ARCH_HAS_SORT_EXTABLE
67276 +
67277 + /*
67278 + * These are the main single-value transfer routines. They automatically
67279 +diff -urNp linux-2.6.24.5/include/asm-xtensa/kmap_types.h linux-2.6.24.5/include/asm-xtensa/kmap_types.h
67280 +--- linux-2.6.24.5/include/asm-xtensa/kmap_types.h 2008-03-24 14:49:18.000000000 -0400
67281 ++++ linux-2.6.24.5/include/asm-xtensa/kmap_types.h 2008-03-26 20:21:09.000000000 -0400
67282 +@@ -25,6 +25,7 @@ enum km_type {
67283 + KM_IRQ1,
67284 + KM_SOFTIRQ0,
67285 + KM_SOFTIRQ1,
67286 ++ KM_CLEARPAGE,
67287 + KM_TYPE_NR
67288 + };
67289 +
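Review bot: adding `KM_CLEARPAGE` before `KM_TYPE_NR` in the xtensa enum only helps if every other architecture's kmap_types.h gains the same enumerator, since whatever generic code uses it (presumably a kmap_atomic slot for clearing pages) compiles on all of them and a missing arch breaks the build. Defining it once in a generic header would avoid touching each arch.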
67290 +diff -urNp linux-2.6.24.5/include/linux/a.out.h linux-2.6.24.5/include/linux/a.out.h
67291 +--- linux-2.6.24.5/include/linux/a.out.h 2008-03-24 14:49:18.000000000 -0400
67292 ++++ linux-2.6.24.5/include/linux/a.out.h 2008-03-26 20:21:09.000000000 -0400
67293 +@@ -7,6 +7,16 @@
67294 +
67295 + #include <asm/a.out.h>
67296 +
67297 ++#ifdef CONFIG_PAX_RANDUSTACK
67298 ++#define __DELTA_STACK (current->mm->delta_stack)
67299 ++#else
67300 ++#define __DELTA_STACK 0UL
67301 ++#endif
67302 ++
67303 ++#ifndef STACK_TOP
67304 ++#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
67305 ++#endif
67306 ++
67307 + #endif /* __STRUCT_EXEC_OVERRIDE__ */
67308 +
67309 + /* these go in the N_MACHTYPE field */
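Review bot: the new `STACK_TOP` definition dereferences `current->mm->delta_stack`, so it can only be evaluated from a context that has an mm (it oopses for kernel threads and during the part of exec before the new mm is installed), whereas the arch-provided `STACK_TOP` it replaces was a constant. Note that restriction next to the macro and check every `STACK_TOP` user reachable from a.out.h, which is included widely. `__STACK_TOP` must now be provided by every arch's asm/a.out.h, which is also not visible here.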
67310 +@@ -37,6 +47,14 @@ enum machine_type {
67311 + M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
67312 + };
67313 +
67314 ++/* Constants for the N_FLAGS field */
67315 ++#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
67316 ++#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
67317 ++#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
67318 ++#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
67319 ++/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
67320 ++#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
67321 ++
67322 + #if !defined (N_MAGIC)
67323 + #define N_MAGIC(exec) ((exec).a_info & 0xffff)
67324 + #endif
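Review bot: `F_PAX_PAGEEXEC` through `F_PAX_SEGMEXEC` (1, 2, 4, 8, 32, with 16 commented out) duplicate bit values that elf.h later in this patch defines again as `EF_PAX_*`; define them once (or `#define F_PAX_X EF_PAX_X`) so the two sets cannot drift. The commented-out `F_PAX_RANDEXEC 16` should say whether the bit is retired or reserved for reuse.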
67325 +diff -urNp linux-2.6.24.5/include/linux/binfmts.h linux-2.6.24.5/include/linux/binfmts.h
67326 +--- linux-2.6.24.5/include/linux/binfmts.h 2008-03-24 14:49:18.000000000 -0400
67327 ++++ linux-2.6.24.5/include/linux/binfmts.h 2008-03-26 20:21:09.000000000 -0400
67328 +@@ -49,6 +49,7 @@ struct linux_binprm{
67329 + unsigned interp_data;
67330 + unsigned long loader, exec;
67331 + unsigned long argv_len;
67332 ++ int misc;
67333 + };
67334 +
67335 + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
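Review bot: `int misc` in `struct linux_binprm` is an opaque name; state what it carries (PaX flags for the binary being loaded, presumably) in a comment or name it accordingly, since this structure is shared by every binfmt loader.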
67336 +@@ -100,5 +101,8 @@ extern void compute_creds(struct linux_b
67337 + extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
67338 + extern int set_binfmt(struct linux_binfmt *new);
67339 +
67340 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
67341 ++void pax_report_insns(void *pc, void *sp);
67342 ++
67343 + #endif /* __KERNEL__ */
67344 + #endif /* _LINUX_BINFMTS_H */
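Review bot: `pax_report_fault()` and `pax_report_insns()` take `void *pc, void *sp`, but the values passed are user-space addresses, so `void __user *` would let sparse catch an accidental kernel dereference; a comment on rate limiting is also needed, since these reports are triggered by unprivileged faults and a process that keeps faulting can flood the log.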
67345 +diff -urNp linux-2.6.24.5/include/linux/cache.h linux-2.6.24.5/include/linux/cache.h
67346 +--- linux-2.6.24.5/include/linux/cache.h 2008-03-24 14:49:18.000000000 -0400
67347 ++++ linux-2.6.24.5/include/linux/cache.h 2008-03-26 20:21:09.000000000 -0400
67348 +@@ -16,6 +16,10 @@
67349 + #define __read_mostly
67350 + #endif
67351 +
67352 ++#ifndef __read_only
67353 ++#define __read_only __read_mostly
67354 ++#endif
67355 ++
67356 + #ifndef ____cacheline_aligned
67357 + #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
67358 + #endif
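Review bot: `#ifndef __read_only` / `#define __read_only __read_mostly` means that on any arch that does not define `__read_only` the annotation silently degrades to a cache-placement hint with no write protection, and nothing warns. Document that `__read_only` is only enforced where the arch provides the section, and consider a `#warning` or a Kconfig dependency so a hardening option that relies on it cannot be enabled where it is a no-op.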
67359 +diff -urNp linux-2.6.24.5/include/linux/capability.h linux-2.6.24.5/include/linux/capability.h
67360 +--- linux-2.6.24.5/include/linux/capability.h 2008-03-24 14:49:18.000000000 -0400
67361 ++++ linux-2.6.24.5/include/linux/capability.h 2008-03-26 20:21:09.000000000 -0400
67362 +@@ -373,6 +373,7 @@ static inline kernel_cap_t cap_invert(ke
67363 + #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
67364 +
67365 + int capable(int cap);
67366 ++int capable_nolog(int cap);
67367 + int __capable(struct task_struct *t, int cap);
67368 +
67369 + #endif /* __KERNEL__ */
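Review bot: `capable_nolog()` needs a comment on when skipping the logging is legitimate: speculative checks where a denial is expected and handled (so the log is not flooded), not permission decisions that grant privilege; without that guidance the name invites use as a quieter `capable()`. It should also keep the same side effect as `capable()` on `current->flags` (`PF_SUPERPRIV` on success) so accounting stays consistent.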
67370 +diff -urNp linux-2.6.24.5/include/linux/elf.h linux-2.6.24.5/include/linux/elf.h
67371 +--- linux-2.6.24.5/include/linux/elf.h 2008-03-24 14:49:18.000000000 -0400
67372 ++++ linux-2.6.24.5/include/linux/elf.h 2008-03-26 20:21:09.000000000 -0400
67373 +@@ -7,6 +7,10 @@
67374 +
67375 + struct file;
67376 +
67377 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
67378 ++#undef elf_read_implies_exec
67379 ++#endif
67380 ++
67381 + #ifndef elf_read_implies_exec
67382 + /* Executables for which elf_read_implies_exec() returns TRUE will
67383 + have the READ_IMPLIES_EXEC personality flag set automatically.
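Review bot: `#undef elf_read_implies_exec` when PAGEEXEC or SEGMEXEC is configured discards the arch's definition so the generic `0` fallback below applies, meaning no binary ever gets `READ_IMPLIES_EXEC` and legacy executables without `PT_GNU_STACK` lose executable data and stack. That is the intended hardening, but say so in a comment; overriding the arch from the generic header rather than having the arch opt in is surprising, and an arch that later defines the macro for a different purpose would be silently undone.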
67384 +@@ -48,6 +52,16 @@ typedef __s64 Elf64_Sxword;
67385 +
67386 + #define PT_GNU_STACK (PT_LOOS + 0x474e551)
67387 +
67388 ++#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
67389 ++
67390 ++/* Constants for the e_flags field */
67391 ++#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
67392 ++#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
67393 ++#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
67394 ++#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
67395 ++/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
67396 ++#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
67397 ++
67398 + /* These constants define the different elf file types */
67399 + #define ET_NONE 0
67400 + #define ET_REL 1
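Review bot: `PT_PAX_FLAGS (PT_LOOS + 0x5041580)` encodes ASCII "PAX" (0x50 0x41 0x58) into the OS-specific program header range, which deserves a comment; the `EF_PAX_*` e_flags values repeat the a.out `F_PAX_*` set and should share one definition. Since `e_flags` is processor-specific in the ELF spec, storing PaX bits there can collide with an arch's own EF_* flags, which is presumably why the `PT_PAX_FLAGS` header exists; state which marking takes precedence when both are present.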
67401 +@@ -82,6 +96,8 @@ typedef __s64 Elf64_Sxword;
67402 + #define DT_DEBUG 21
67403 + #define DT_TEXTREL 22
67404 + #define DT_JMPREL 23
67405 ++#define DT_FLAGS 30
67406 ++ #define DF_TEXTREL 0x00000004
67407 + #define DT_ENCODING 32
67408 + #define OLD_DT_LOOS 0x60000000
67409 + #define DT_LOOS 0x6000000d
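Review bot: the leading space before `#define DF_TEXTREL 0x00000004` is a style slip in a header that otherwise starts every directive in column 0; if the indent is meant to show that `DF_TEXTREL` belongs to `DT_FLAGS`, use a trailing comment instead.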
67410 +@@ -228,6 +244,19 @@ typedef struct elf64_hdr {
67411 + #define PF_W 0x2
67412 + #define PF_X 0x1
67413 +
67414 ++#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
67415 ++#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
67416 ++#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
67417 ++#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
67418 ++#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
67419 ++#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
67420 ++/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
67421 ++/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
67422 ++#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
67423 ++#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
67424 ++#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
67425 ++#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
67426 ++
67427 + typedef struct elf32_phdr{
67428 + Elf32_Word p_type;
67429 + Elf32_Off p_offset;
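Review bot: the `PF_PAGEEXEC` through `PF_NORANDMMAP` bits (`1U << 4` to `1U << 15`) sit outside the ranges the ELF spec reserves for OS (`PF_MASKOS`, 0x0ff00000) and processor (`PF_MASKPROC`, 0xf0000000) use, so a future generic `PF_*` flag could collide with them. That is tolerable only because these bits are interpreted solely on a `PT_PAX_FLAGS` header, which should be stated in a comment; the enable/disable pairs also allow both bits of a pair to be set, so document which wins or that the loader rejects it.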
67430 +@@ -320,6 +349,8 @@ typedef struct elf64_shdr {
67431 + #define EI_OSABI 7
67432 + #define EI_PAD 8
67433 +
67434 ++#define EI_PAX 14
67435 ++
67436 + #define ELFMAG0 0x7f /* EI_MAG */
67437 + #define ELFMAG1 'E'
67438 + #define ELFMAG2 'L'
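Review bot: `EI_PAX 14` points into the `e_ident` padding (`EI_PAD` is 8, so bytes 8..15 are reserved and expected to be zero); toolchains and other readers are allowed to ignore or clear them, which makes this a fragile legacy marking compared with `PT_PAX_FLAGS`. Mark it as the deprecated method in a comment and state the precedence when both markings are present.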
67439 +@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
67440 + #define elf_phdr elf32_phdr
67441 + #define elf_note elf32_note
67442 + #define elf_addr_t Elf32_Off
67443 ++#define elf_dyn Elf32_Dyn
67444 +
67445 + #else
67446 +
67447 +@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
67448 + #define elf_phdr elf64_phdr
67449 + #define elf_note elf64_note
67450 + #define elf_addr_t Elf64_Off
67451 ++#define elf_dyn Elf64_Dyn
67452 +
67453 + #endif
67454 +
67455 +diff -urNp linux-2.6.24.5/include/linux/ext4_fs_extents.h linux-2.6.24.5/include/linux/ext4_fs_extents.h
67456 +--- linux-2.6.24.5/include/linux/ext4_fs_extents.h 2008-03-24 14:49:18.000000000 -0400
67457 ++++ linux-2.6.24.5/include/linux/ext4_fs_extents.h 2008-03-26 20:21:09.000000000 -0400
67458 +@@ -50,7 +50,7 @@
67459 + #ifdef EXT_DEBUG
67460 + #define ext_debug(a...) printk(a)
67461 + #else
67462 +-#define ext_debug(a...)
67463 ++#define ext_debug(a...) do {} while (0)
67464 + #endif
67465 +
67466 + /*
67467 +diff -urNp linux-2.6.24.5/include/linux/gracl.h linux-2.6.24.5/include/linux/gracl.h
67468 +--- linux-2.6.24.5/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
67469 ++++ linux-2.6.24.5/include/linux/gracl.h 2008-03-26 20:21:09.000000000 -0400
67470 +@@ -0,0 +1,317 @@
67471 ++#ifndef GR_ACL_H
67472 ++#define GR_ACL_H
67473 ++
67474 ++#include <linux/grdefs.h>
67475 ++#include <linux/resource.h>
67476 ++#include <linux/dcache.h>
67477 ++#include <asm/resource.h>
67478 ++
67479 ++/* Major status information */
67480 ++
67481 ++#define GR_VERSION "grsecurity 2.1.11"
67482 ++#define GRSECURITY_VERSION 0x2111
67483 ++
67484 ++enum {
67485 ++
67486 ++ SHUTDOWN = 0,
67487 ++ ENABLE = 1,
67488 ++ SPROLE = 2,
67489 ++ RELOAD = 3,
67490 ++ SEGVMOD = 4,
67491 ++ STATUS = 5,
67492 ++ UNSPROLE = 6,
67493 ++ PASSSET = 7,
67494 ++ SPROLEPAM = 8
67495 ++};
67496 ++
67497 ++/* Password setup definitions
67498 ++ * kernel/grhash.c */
67499 ++enum {
67500 ++ GR_PW_LEN = 128,
67501 ++ GR_SALT_LEN = 16,
67502 ++ GR_SHA_LEN = 32,
67503 ++};
67504 ++
67505 ++enum {
67506 ++ GR_SPROLE_LEN = 64,
67507 ++};
67508 ++
67509 ++#define GR_NLIMITS (RLIMIT_LOCKS + 2)
67510 ++
67511 ++/* Begin Data Structures */
67512 ++
67513 ++struct sprole_pw {
67514 ++ unsigned char *rolename;
67515 ++ unsigned char salt[GR_SALT_LEN];
67516 ++ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
67517 ++};
67518 ++
67519 ++struct name_entry {
67520 ++ __u32 key;
67521 ++ ino_t inode;
67522 ++ dev_t device;
67523 ++ char *name;
67524 ++ __u16 len;
67525 ++ __u8 deleted;
67526 ++ struct name_entry *prev;
67527 ++ struct name_entry *next;
67528 ++};
67529 ++
67530 ++struct inodev_entry {
67531 ++ struct name_entry *nentry;
67532 ++ struct inodev_entry *prev;
67533 ++ struct inodev_entry *next;
67534 ++};
67535 ++
67536 ++struct acl_role_db {
67537 ++ struct acl_role_label **r_hash;
67538 ++ __u32 r_size;
67539 ++};
67540 ++
67541 ++struct inodev_db {
67542 ++ struct inodev_entry **i_hash;
67543 ++ __u32 i_size;
67544 ++};
67545 ++
67546 ++struct name_db {
67547 ++ struct name_entry **n_hash;
67548 ++ __u32 n_size;
67549 ++};
67550 ++
67551 ++struct crash_uid {
67552 ++ uid_t uid;
67553 ++ unsigned long expires;
67554 ++};
67555 ++
67556 ++struct gr_hash_struct {
67557 ++ void **table;
67558 ++ void **nametable;
67559 ++ void *first;
67560 ++ __u32 table_size;
67561 ++ __u32 used_size;
67562 ++ int type;
67563 ++};
67564 ++
67565 ++/* Userspace Grsecurity ACL data structures */
67566 ++
67567 ++struct acl_subject_label {
67568 ++ char *filename;
67569 ++ ino_t inode;
67570 ++ dev_t device;
67571 ++ __u32 mode;
67572 ++ __u32 cap_mask;
67573 ++ __u32 cap_lower;
67574 ++
67575 ++ struct rlimit res[GR_NLIMITS];
67576 ++ __u16 resmask;
67577 ++
67578 ++ __u8 user_trans_type;
67579 ++ __u8 group_trans_type;
67580 ++ uid_t *user_transitions;
67581 ++ gid_t *group_transitions;
67582 ++ __u16 user_trans_num;
67583 ++ __u16 group_trans_num;
67584 ++
67585 ++ __u32 ip_proto[8];
67586 ++ __u32 ip_type;
67587 ++ struct acl_ip_label **ips;
67588 ++ __u32 ip_num;
67589 ++
67590 ++ __u32 crashes;
67591 ++ unsigned long expires;
67592 ++
67593 ++ struct acl_subject_label *parent_subject;
67594 ++ struct gr_hash_struct *hash;
67595 ++ struct acl_subject_label *prev;
67596 ++ struct acl_subject_label *next;
67597 ++
67598 ++ struct acl_object_label **obj_hash;
67599 ++ __u32 obj_hash_size;
67600 ++ __u16 pax_flags;
67601 ++};
67602 ++
67603 ++struct role_allowed_ip {
67604 ++ __u32 addr;
67605 ++ __u32 netmask;
67606 ++
67607 ++ struct role_allowed_ip *prev;
67608 ++ struct role_allowed_ip *next;
67609 ++};
67610 ++
67611 ++struct role_transition {
67612 ++ char *rolename;
67613 ++
67614 ++ struct role_transition *prev;
67615 ++ struct role_transition *next;
67616 ++};
67617 ++
67618 ++struct acl_role_label {
67619 ++ char *rolename;
67620 ++ uid_t uidgid;
67621 ++ __u16 roletype;
67622 ++
67623 ++ __u16 auth_attempts;
67624 ++ unsigned long expires;
67625 ++
67626 ++ struct acl_subject_label *root_label;
67627 ++ struct gr_hash_struct *hash;
67628 ++
67629 ++ struct acl_role_label *prev;
67630 ++ struct acl_role_label *next;
67631 ++
67632 ++ struct role_transition *transitions;
67633 ++ struct role_allowed_ip *allowed_ips;
67634 ++ uid_t *domain_children;
67635 ++ __u16 domain_child_num;
67636 ++
67637 ++ struct acl_subject_label **subj_hash;
67638 ++ __u32 subj_hash_size;
67639 ++};
67640 ++
67641 ++struct user_acl_role_db {
67642 ++ struct acl_role_label **r_table;
67643 ++ __u32 num_pointers; /* Number of allocations to track */
67644 ++ __u32 num_roles; /* Number of roles */
67645 ++ __u32 num_domain_children; /* Number of domain children */
67646 ++ __u32 num_subjects; /* Number of subjects */
67647 ++ __u32 num_objects; /* Number of objects */
67648 ++};
67649 ++
67650 ++struct acl_object_label {
67651 ++ char *filename;
67652 ++ ino_t inode;
67653 ++ dev_t device;
67654 ++ __u32 mode;
67655 ++
67656 ++ struct acl_subject_label *nested;
67657 ++ struct acl_object_label *globbed;
67658 ++
67659 ++ /* next two structures not used */
67660 ++
67661 ++ struct acl_object_label *prev;
67662 ++ struct acl_object_label *next;
67663 ++};
67664 ++
67665 ++struct acl_ip_label {
67666 ++ char *iface;
67667 ++ __u32 addr;
67668 ++ __u32 netmask;
67669 ++ __u16 low, high;
67670 ++ __u8 mode;
67671 ++ __u32 type;
67672 ++ __u32 proto[8];
67673 ++
67674 ++ /* next two structures not used */
67675 ++
67676 ++ struct acl_ip_label *prev;
67677 ++ struct acl_ip_label *next;
67678 ++};
67679 ++
67680 ++struct gr_arg {
67681 ++ struct user_acl_role_db role_db;
67682 ++ unsigned char pw[GR_PW_LEN];
67683 ++ unsigned char salt[GR_SALT_LEN];
67684 ++ unsigned char sum[GR_SHA_LEN];
67685 ++ unsigned char sp_role[GR_SPROLE_LEN];
67686 ++ struct sprole_pw *sprole_pws;
67687 ++ dev_t segv_device;
67688 ++ ino_t segv_inode;
67689 ++ uid_t segv_uid;
67690 ++ __u16 num_sprole_pws;
67691 ++ __u16 mode;
67692 ++};
67693 ++
67694 ++struct gr_arg_wrapper {
67695 ++ struct gr_arg *arg;
67696 ++ __u32 version;
67697 ++ __u32 size;
67698 ++};
67699 ++
67700 ++struct subject_map {
67701 ++ struct acl_subject_label *user;
67702 ++ struct acl_subject_label *kernel;
67703 ++ struct subject_map *prev;
67704 ++ struct subject_map *next;
67705 ++};
67706 ++
67707 ++struct acl_subj_map_db {
67708 ++ struct subject_map **s_hash;
67709 ++ __u32 s_size;
67710 ++};
67711 ++
67712 ++/* End Data Structures Section */
67713 ++
67714 ++/* Hash functions generated by empirical testing by Brad Spengler
67715 ++ Makes good use of the low bits of the inode. Generally 0-1 times
67716 ++ in loop for successful match. 0-3 for unsuccessful match.
67717 ++ Shift/add algorithm with modulus of table size and an XOR*/
67718 ++
67719 ++static __inline__ unsigned int
67720 ++rhash(const uid_t uid, const __u16 type, const unsigned int sz)
67721 ++{
67722 ++ return (((uid << type) + (uid ^ type)) % sz);
67723 ++}
67724 ++
67725 ++ static __inline__ unsigned int
67726 ++shash(const struct acl_subject_label *userp, const unsigned int sz)
67727 ++{
67728 ++ return ((const unsigned long)userp % sz);
67729 ++}
67730 ++
67731 ++static __inline__ unsigned int
67732 ++fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
67733 ++{
67734 ++ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
67735 ++}
67736 ++
67737 ++static __inline__ unsigned int
67738 ++nhash(const char *name, const __u16 len, const unsigned int sz)
67739 ++{
67740 ++ return full_name_hash(name, len) % sz;
67741 ++}
67742 ++
67743 ++#define FOR_EACH_ROLE_START(role,iter) \
67744 ++ role = NULL; \
67745 ++ iter = 0; \
67746 ++ while (iter < acl_role_set.r_size) { \
67747 ++ if (role == NULL) \
67748 ++ role = acl_role_set.r_hash[iter]; \
67749 ++ if (role == NULL) { \
67750 ++ iter++; \
67751 ++ continue; \
67752 ++ }
67753 ++
67754 ++#define FOR_EACH_ROLE_END(role,iter) \
67755 ++ role = role->next; \
67756 ++ if (role == NULL) \
67757 ++ iter++; \
67758 ++ }
67759 ++
67760 ++#define FOR_EACH_SUBJECT_START(role,subj,iter) \
67761 ++ subj = NULL; \
67762 ++ iter = 0; \
67763 ++ while (iter < role->subj_hash_size) { \
67764 ++ if (subj == NULL) \
67765 ++ subj = role->subj_hash[iter]; \
67766 ++ if (subj == NULL) { \
67767 ++ iter++; \
67768 ++ continue; \
67769 ++ }
67770 ++
67771 ++#define FOR_EACH_SUBJECT_END(subj,iter) \
67772 ++ subj = subj->next; \
67773 ++ if (subj == NULL) \
67774 ++ iter++; \
67775 ++ }
67776 ++
67777 ++
67778 ++#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
67779 ++ subj = role->hash->first; \
67780 ++ while (subj != NULL) {
67781 ++
67782 ++#define FOR_EACH_NESTED_SUBJECT_END(subj) \
67783 ++ subj = subj->next; \
67784 ++ }
67785 ++
67786 ++#endif
67787 ++
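Review bot: the FOR_EACH_ROLE_START/FOR_EACH_SUBJECT_START/FOR_EACH_NESTED_SUBJECT_START macros in this hunk open a `while (...) {` block that is only closed by the matching _END macro, so brace balance depends on callers pairing them, and the advance step (`role = role->next; if (role == NULL) iter++;`) is hidden in _END; a `continue` inside the loop body would skip that step and re-run the same entry forever. Please add a comment on each pair stating that they must be used together and that the body may `break` but must not `continue`. Also, `rhash()` computes `uid << type` with `type` a `__u16`; nothing in the signature bounds it below the width of `uid_t`, so either note that callers only pass the GR_ID_USER/GR_ID_GROUP values from grdefs.h or mask the shift amount. Minor style: the stray leading space before `static __inline__ unsigned int` ahead of `shash()`, and the `const` in `(const unsigned long)userp` has no effect in a cast.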
67788 +diff -urNp linux-2.6.24.5/include/linux/gralloc.h linux-2.6.24.5/include/linux/gralloc.h
67789 +--- linux-2.6.24.5/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
67790 ++++ linux-2.6.24.5/include/linux/gralloc.h 2008-03-26 20:21:09.000000000 -0400
67791 +@@ -0,0 +1,8 @@
67792 ++#ifndef __GRALLOC_H
67793 ++#define __GRALLOC_H
67794 ++
67795 ++void acl_free_all(void);
67796 ++int acl_alloc_stack_init(unsigned long size);
67797 ++void *acl_alloc(unsigned long len);
67798 ++
67799 ++#endif
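Review bot: the three prototypes in gralloc.h carry no statement of the allocator's contract: `acl_alloc()` has no per-object free and `acl_free_all()` releases everything, so a comment here should say that allocations live from policy load until the next reload/disable, whether `acl_alloc()` can return NULL, and whether the `size` passed to `acl_alloc_stack_init()` is a byte count or an entry count. Minor: the guard is `__GRALLOC_H` while the sibling headers use `GRDEFS_H` and `GR_SECURITY_H`; pick one convention.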
67800 +diff -urNp linux-2.6.24.5/include/linux/grdefs.h linux-2.6.24.5/include/linux/grdefs.h
67801 +--- linux-2.6.24.5/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
67802 ++++ linux-2.6.24.5/include/linux/grdefs.h 2008-03-26 20:21:09.000000000 -0400
67803 +@@ -0,0 +1,131 @@
67804 ++#ifndef GRDEFS_H
67805 ++#define GRDEFS_H
67806 ++
67807 ++/* Begin grsecurity status declarations */
67808 ++
67809 ++enum {
67810 ++ GR_READY = 0x01,
67811 ++ GR_STATUS_INIT = 0x00 // disabled state
67812 ++};
67813 ++
67814 ++/* Begin ACL declarations */
67815 ++
67816 ++/* Role flags */
67817 ++
67818 ++enum {
67819 ++ GR_ROLE_USER = 0x0001,
67820 ++ GR_ROLE_GROUP = 0x0002,
67821 ++ GR_ROLE_DEFAULT = 0x0004,
67822 ++ GR_ROLE_SPECIAL = 0x0008,
67823 ++ GR_ROLE_AUTH = 0x0010,
67824 ++ GR_ROLE_NOPW = 0x0020,
67825 ++ GR_ROLE_GOD = 0x0040,
67826 ++ GR_ROLE_LEARN = 0x0080,
67827 ++ GR_ROLE_TPE = 0x0100,
67828 ++ GR_ROLE_DOMAIN = 0x0200,
67829 ++ GR_ROLE_PAM = 0x0400
67830 ++};
67831 ++
67832 ++/* ACL Subject and Object mode flags */
67833 ++enum {
67834 ++ GR_DELETED = 0x80000000
67835 ++};
67836 ++
67837 ++/* ACL Object-only mode flags */
67838 ++enum {
67839 ++ GR_READ = 0x00000001,
67840 ++ GR_APPEND = 0x00000002,
67841 ++ GR_WRITE = 0x00000004,
67842 ++ GR_EXEC = 0x00000008,
67843 ++ GR_FIND = 0x00000010,
67844 ++ GR_INHERIT = 0x00000020,
67845 ++ GR_SETID = 0x00000040,
67846 ++ GR_CREATE = 0x00000080,
67847 ++ GR_DELETE = 0x00000100,
67848 ++ GR_LINK = 0x00000200,
67849 ++ GR_AUDIT_READ = 0x00000400,
67850 ++ GR_AUDIT_APPEND = 0x00000800,
67851 ++ GR_AUDIT_WRITE = 0x00001000,
67852 ++ GR_AUDIT_EXEC = 0x00002000,
67853 ++ GR_AUDIT_FIND = 0x00004000,
67854 ++ GR_AUDIT_INHERIT= 0x00008000,
67855 ++ GR_AUDIT_SETID = 0x00010000,
67856 ++ GR_AUDIT_CREATE = 0x00020000,
67857 ++ GR_AUDIT_DELETE = 0x00040000,
67858 ++ GR_AUDIT_LINK = 0x00080000,
67859 ++ GR_PTRACERD = 0x00100000,
67860 ++ GR_NOPTRACE = 0x00200000,
67861 ++ GR_SUPPRESS = 0x00400000,
67862 ++ GR_NOLEARN = 0x00800000
67863 ++};
67864 ++
67865 ++#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
67866 ++ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
67867 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
67868 ++
67869 ++/* ACL subject-only mode flags */
67870 ++enum {
67871 ++ GR_KILL = 0x00000001,
67872 ++ GR_VIEW = 0x00000002,
67873 ++ GR_PROTECTED = 0x00000004,
67874 ++ GR_LEARN = 0x00000008,
67875 ++ GR_OVERRIDE = 0x00000010,
67876 ++ /* just a placeholder, this mode is only used in userspace */
67877 ++ GR_DUMMY = 0x00000020,
67878 ++ GR_PROTSHM = 0x00000040,
67879 ++ GR_KILLPROC = 0x00000080,
67880 ++ GR_KILLIPPROC = 0x00000100,
67881 ++ /* just a placeholder, this mode is only used in userspace */
67882 ++ GR_NOTROJAN = 0x00000200,
67883 ++ GR_PROTPROCFD = 0x00000400,
67884 ++ GR_PROCACCT = 0x00000800,
67885 ++ GR_RELAXPTRACE = 0x00001000,
67886 ++ GR_NESTED = 0x00002000,
67887 ++ GR_INHERITLEARN = 0x00004000,
67888 ++ GR_PROCFIND = 0x00008000,
67889 ++ GR_POVERRIDE = 0x00010000,
67890 ++ GR_KERNELAUTH = 0x00020000,
67891 ++};
67892 ++
67893 ++enum {
67894 ++ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
67895 ++ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
67896 ++ GR_PAX_ENABLE_MPROTECT = 0x0004,
67897 ++ GR_PAX_ENABLE_RANDMMAP = 0x0008,
67898 ++ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
67899 ++ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
67900 ++ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
67901 ++ GR_PAX_DISABLE_MPROTECT = 0x0400,
67902 ++ GR_PAX_DISABLE_RANDMMAP = 0x0800,
67903 ++ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
67904 ++};
67905 ++
67906 ++enum {
67907 ++ GR_ID_USER = 0x01,
67908 ++ GR_ID_GROUP = 0x02,
67909 ++};
67910 ++
67911 ++enum {
67912 ++ GR_ID_ALLOW = 0x01,
67913 ++ GR_ID_DENY = 0x02,
67914 ++};
67915 ++
67916 ++#define GR_CRASH_RES 11
67917 ++#define GR_UIDTABLE_MAX 500
67918 ++
67919 ++/* begin resource learning section */
67920 ++enum {
67921 ++ GR_RLIM_CPU_BUMP = 60,
67922 ++ GR_RLIM_FSIZE_BUMP = 50000,
67923 ++ GR_RLIM_DATA_BUMP = 10000,
67924 ++ GR_RLIM_STACK_BUMP = 1000,
67925 ++ GR_RLIM_CORE_BUMP = 10000,
67926 ++ GR_RLIM_RSS_BUMP = 500000,
67927 ++ GR_RLIM_NPROC_BUMP = 1,
67928 ++ GR_RLIM_NOFILE_BUMP = 5,
67929 ++ GR_RLIM_MEMLOCK_BUMP = 50000,
67930 ++ GR_RLIM_AS_BUMP = 500000,
67931 ++ GR_RLIM_LOCKS_BUMP = 2
67932 ++};
67933 ++
67934 ++#endif
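Review bot: the object-only and subject-only mode enums in grdefs.h reuse the same bit values (GR_READ and GR_KILL are both 0x00000001, GR_AUDIT_READ and GR_PROTPROCFD are both 0x00000400) while GR_DELETED is declared as shared by both, so a mode word only has meaning together with the struct it came from; a one-line comment on each enum naming the field it applies to (object mode vs subject mode) would stop a subject flag from being tested against an object mode word. Likewise GR_PAX_ENABLE_* and GR_PAX_DISABLE_* sit in separate bytes but nothing defines the masks or says what happens when both the enable and disable bit for one feature are set; a comment or a pair of mask macros would make the precedence explicit. Minor: GR_CRASH_RES and GR_UIDTABLE_MAX are undocumented magic numbers, and `GR_STATUS_INIT = 0x00 // disabled state` uses a C++ comment in a C header.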
67935 +diff -urNp linux-2.6.24.5/include/linux/grinternal.h linux-2.6.24.5/include/linux/grinternal.h
67936 +--- linux-2.6.24.5/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
67937 ++++ linux-2.6.24.5/include/linux/grinternal.h 2008-03-26 20:21:09.000000000 -0400
67938 +@@ -0,0 +1,210 @@
67939 ++#ifndef __GRINTERNAL_H
67940 ++#define __GRINTERNAL_H
67941 ++
67942 ++#ifdef CONFIG_GRKERNSEC
67943 ++
67944 ++#include <linux/fs.h>
67945 ++#include <linux/gracl.h>
67946 ++#include <linux/grdefs.h>
67947 ++#include <linux/grmsg.h>
67948 ++
67949 ++void gr_add_learn_entry(const char *fmt, ...);
67950 ++__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
67951 ++ const struct vfsmount *mnt);
67952 ++__u32 gr_check_create(const struct dentry *new_dentry,
67953 ++ const struct dentry *parent,
67954 ++ const struct vfsmount *mnt, const __u32 mode);
67955 ++int gr_check_protected_task(const struct task_struct *task);
67956 ++__u32 to_gr_audit(const __u32 reqmode);
67957 ++int gr_set_acls(const int type);
67958 ++
67959 ++int gr_acl_is_enabled(void);
67960 ++char gr_roletype_to_char(void);
67961 ++
67962 ++void gr_handle_alertkill(struct task_struct *task);
67963 ++char *gr_to_filename(const struct dentry *dentry,
67964 ++ const struct vfsmount *mnt);
67965 ++char *gr_to_filename1(const struct dentry *dentry,
67966 ++ const struct vfsmount *mnt);
67967 ++char *gr_to_filename2(const struct dentry *dentry,
67968 ++ const struct vfsmount *mnt);
67969 ++char *gr_to_filename3(const struct dentry *dentry,
67970 ++ const struct vfsmount *mnt);
67971 ++
67972 ++extern int grsec_enable_link;
67973 ++extern int grsec_enable_fifo;
67974 ++extern int grsec_enable_execve;
67975 ++extern int grsec_enable_shm;
67976 ++extern int grsec_enable_execlog;
67977 ++extern int grsec_enable_signal;
67978 ++extern int grsec_enable_forkfail;
67979 ++extern int grsec_enable_time;
67980 ++extern int grsec_enable_chroot_shmat;
67981 ++extern int grsec_enable_chroot_findtask;
67982 ++extern int grsec_enable_chroot_mount;
67983 ++extern int grsec_enable_chroot_double;
67984 ++extern int grsec_enable_chroot_pivot;
67985 ++extern int grsec_enable_chroot_chdir;
67986 ++extern int grsec_enable_chroot_chmod;
67987 ++extern int grsec_enable_chroot_mknod;
67988 ++extern int grsec_enable_chroot_fchdir;
67989 ++extern int grsec_enable_chroot_nice;
67990 ++extern int grsec_enable_chroot_execlog;
67991 ++extern int grsec_enable_chroot_caps;
67992 ++extern int grsec_enable_chroot_sysctl;
67993 ++extern int grsec_enable_chroot_unix;
67994 ++extern int grsec_enable_tpe;
67995 ++extern int grsec_tpe_gid;
67996 ++extern int grsec_enable_tpe_all;
67997 ++extern int grsec_enable_sidcaps;
67998 ++extern int grsec_enable_socket_all;
67999 ++extern int grsec_socket_all_gid;
68000 ++extern int grsec_enable_socket_client;
68001 ++extern int grsec_socket_client_gid;
68002 ++extern int grsec_enable_socket_server;
68003 ++extern int grsec_socket_server_gid;
68004 ++extern int grsec_audit_gid;
68005 ++extern int grsec_enable_group;
68006 ++extern int grsec_enable_audit_ipc;
68007 ++extern int grsec_enable_audit_textrel;
68008 ++extern int grsec_enable_mount;
68009 ++extern int grsec_enable_chdir;
68010 ++extern int grsec_resource_logging;
68011 ++extern int grsec_lock;
68012 ++
68013 ++extern spinlock_t grsec_alert_lock;
68014 ++extern unsigned long grsec_alert_wtime;
68015 ++extern unsigned long grsec_alert_fyet;
68016 ++
68017 ++extern spinlock_t grsec_audit_lock;
68018 ++
68019 ++extern rwlock_t grsec_exec_file_lock;
68020 ++
68021 ++#define gr_task_fullpath(tsk) (tsk->exec_file ? \
68022 ++ gr_to_filename2(tsk->exec_file->f_dentry, \
68023 ++ tsk->exec_file->f_vfsmnt) : "/")
68024 ++
68025 ++#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
68026 ++ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
68027 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
68028 ++
68029 ++#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
68030 ++ gr_to_filename(tsk->exec_file->f_dentry, \
68031 ++ tsk->exec_file->f_vfsmnt) : "/")
68032 ++
68033 ++#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
68034 ++ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
68035 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
68036 ++
68037 ++#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
68038 ++ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
68039 ++ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_sb->s_dev) || \
68040 ++ (tsk_a->fs->root->d_inode->i_ino != \
68041 ++ tsk_a->nsproxy->pid_ns->child_reaper->fs->root->d_inode->i_ino)))
68042 ++
68043 ++#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
68044 ++ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
68045 ++ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
68046 ++ (tsk_a->fs->root->d_inode->i_ino == \
68047 ++ tsk_b->fs->root->d_inode->i_ino))
68048 ++
68049 ++#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
68050 ++ task->pid, task->uid, \
68051 ++ task->euid, task->gid, task->egid, \
68052 ++ gr_parent_task_fullpath(task), \
68053 ++ task->parent->comm, task->parent->pid, \
68054 ++ task->parent->uid, task->parent->euid, \
68055 ++ task->parent->gid, task->parent->egid
68056 ++
68057 ++#define GR_CHROOT_CAPS ( \
68058 ++ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
68059 ++ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
68060 ++ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
68061 ++ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
68062 ++ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
68063 ++ CAP_TO_MASK(CAP_IPC_OWNER))
68064 ++
68065 ++#define security_learn(normal_msg,args...) \
68066 ++({ \
68067 ++ read_lock(&grsec_exec_file_lock); \
68068 ++ gr_add_learn_entry(normal_msg "\n", ## args); \
68069 ++ read_unlock(&grsec_exec_file_lock); \
68070 ++})
68071 ++
68072 ++enum {
68073 ++ GR_DO_AUDIT,
68074 ++ GR_DONT_AUDIT,
68075 ++ GR_DONT_AUDIT_GOOD
68076 ++};
68077 ++
68078 ++enum {
68079 ++ GR_TTYSNIFF,
68080 ++ GR_RBAC,
68081 ++ GR_RBAC_STR,
68082 ++ GR_STR_RBAC,
68083 ++ GR_RBAC_MODE2,
68084 ++ GR_RBAC_MODE3,
68085 ++ GR_FILENAME,
68086 ++ GR_SYSCTL_HIDDEN,
68087 ++ GR_NOARGS,
68088 ++ GR_ONE_INT,
68089 ++ GR_ONE_INT_TWO_STR,
68090 ++ GR_ONE_STR,
68091 ++ GR_STR_INT,
68092 ++ GR_TWO_INT,
68093 ++ GR_THREE_INT,
68094 ++ GR_FIVE_INT_TWO_STR,
68095 ++ GR_TWO_STR,
68096 ++ GR_THREE_STR,
68097 ++ GR_FOUR_STR,
68098 ++ GR_STR_FILENAME,
68099 ++ GR_FILENAME_STR,
68100 ++ GR_FILENAME_TWO_INT,
68101 ++ GR_FILENAME_TWO_INT_STR,
68102 ++ GR_TEXTREL,
68103 ++ GR_PTRACE,
68104 ++ GR_RESOURCE,
68105 ++ GR_CAP,
68106 ++ GR_SIG,
68107 ++ GR_CRASH1,
68108 ++ GR_CRASH2,
68109 ++ GR_PSACCT
68110 ++};
68111 ++
68112 ++#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
68113 ++#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
68114 ++#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
68115 ++#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
68116 ++#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
68117 ++#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
68118 ++#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
68119 ++#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
68120 ++#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
68121 ++#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
68122 ++#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
68123 ++#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
68124 ++#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
68125 ++#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
68126 ++#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
68127 ++#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
68128 ++#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
68129 ++#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
68130 ++#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
68131 ++#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
68132 ++#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
68133 ++#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
68134 ++#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
68135 ++#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
68136 ++#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
68137 ++#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
68138 ++#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
68139 ++#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
68140 ++#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
68141 ++#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
68142 ++#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
68143 ++
68144 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
68145 ++
68146 ++#endif
68147 ++
68148 ++#endif
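Review bot: `proc_is_chrooted()` in this hunk tests `tsk_a->fs` for NULL but then walks `tsk_a->nsproxy->pid_ns->child_reaper->fs->root` unchecked, and `nsproxy` and the reaper's `fs` are exactly the fields torn down during exit; either apply the same NULL tests on that side or document that callers hold a reference keeping them valid. Similarly, DEFAULTSECARGS and the `gr_task_fullpath*()` macros read `task->exec_file` and `task->parent->exec_file` without any locking, while `security_learn()` wraps its call in `grsec_exec_file_lock`; a comment that users of these macros must hold `grsec_exec_file_lock` for read would make that contract explicit. The `gr_log_*` wrappers over the variadic `gr_log_varargs()` get no type checking beyond the `argtypes` tag, and `gr_log_int5_str2()` passes only `num1, num2` under GR_FIVE_INT_TWO_STR, so either the name or the tag is wrong; please document the expected argument list beside each enum value. Minor: `gr_check_protected_task()`, `gr_acl_is_enabled()` and `gr_roletype_to_char()` are prototyped again in grsecurity.h; one copy is enough.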
68149 +diff -urNp linux-2.6.24.5/include/linux/grmsg.h linux-2.6.24.5/include/linux/grmsg.h
68150 +--- linux-2.6.24.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
68151 ++++ linux-2.6.24.5/include/linux/grmsg.h 2008-03-26 20:21:09.000000000 -0400
68152 +@@ -0,0 +1,108 @@
68153 ++#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
68154 ++#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
68155 ++#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
68156 ++#define GR_STOPMOD_MSG "denied modification of module state by "
68157 ++#define GR_IOPERM_MSG "denied use of ioperm() by "
68158 ++#define GR_IOPL_MSG "denied use of iopl() by "
68159 ++#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
68160 ++#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
68161 ++#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
68162 ++#define GR_KMEM_MSG "denied write of /dev/kmem by "
68163 ++#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
68164 ++#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
68165 ++#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
68166 ++#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
68167 ++#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
68168 ++#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
68169 ++#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
68170 ++#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
68171 ++#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
68172 ++#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
68173 ++#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
68174 ++#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
68175 ++#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
68176 ++#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
68177 ++#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
68178 ++#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
68179 ++#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
68180 ++#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
68181 ++#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
68182 ++#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
68183 ++#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
68184 ++#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
68185 ++#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
68186 ++#define GR_NPROC_MSG "denied overstep of process limit by "
68187 ++#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
68188 ++#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
68189 ++#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
68190 ++#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
68191 ++#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
68192 ++#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
68193 ++#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
68194 ++#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
68195 ++#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
68196 ++#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
68197 ++#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
68198 ++#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
68199 ++#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
68200 ++#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
68201 ++#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
68202 ++#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
68203 ++#define GR_INITF_ACL_MSG "init_variables() failed %s by "
68204 ++#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
68205 ++#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
68206 ++#define GR_SHUTS_ACL_MSG "shutdown auth success for "
68207 ++#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
68208 ++#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
68209 ++#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
68210 ++#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
68211 ++#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
68212 ++#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
68213 ++#define GR_ENABLEF_ACL_MSG "unable to load %s for "
68214 ++#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
68215 ++#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
68216 ++#define GR_RELOADF_ACL_MSG "failed reload of %s for "
68217 ++#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
68218 ++#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
68219 ++#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
68220 ++#define GR_SPROLEF_ACL_MSG "special role %s failure for "
68221 ++#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
68222 ++#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
68223 ++#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
68224 ++#define GR_INVMODE_ACL_MSG "invalid mode %d by "
68225 ++#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
68226 ++#define GR_FAILFORK_MSG "failed fork with errno %d by "
68227 ++#define GR_NICE_CHROOT_MSG "denied priority change by "
68228 ++#define GR_UNISIGLOG_MSG "signal %d sent to "
68229 ++#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
68230 ++#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
68231 ++#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
68232 ++#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
68233 ++#define GR_TIME_MSG "time set by "
68234 ++#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
68235 ++#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
68236 ++#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
68237 ++#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
68238 ++#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
68239 ++#define GR_BIND_MSG "denied bind() by "
68240 ++#define GR_CONNECT_MSG "denied connect() by "
68241 ++#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
68242 ++#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
68243 ++#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
68244 ++#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
68245 ++#define GR_CAP_ACL_MSG "use of %s denied for "
68246 ++#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
68247 ++#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
68248 ++#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
68249 ++#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
68250 ++#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
68251 ++#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
68252 ++#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
68253 ++#define GR_MSGQ_AUDIT_MSG "message queue created by "
68254 ++#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
68255 ++#define GR_SEM_AUDIT_MSG "semaphore created by "
68256 ++#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
68257 ++#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
68258 ++#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
68259 ++#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
68260 ++#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
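Review bot: grmsg.h has no include guard, unlike gracl.h, grdefs.h, grinternal.h and grsecurity.h, so a second inclusion redefines every macro (silent only while each definition stays byte-identical); add `#ifndef GRMSG_H ... #endif`. Two format-string consistency points: uids/gids are printed with `%u` in DEFAULTSECMSG but with `%d.%d` in GR_SYMLINK_MSG, GR_FIFO_MSG and GR_HARDLINK_MSG, so a uid above INT_MAX logs as negative in those three; and the leading `%s` in GR_LEARN_AUDIT_MSG, GR_ID_LEARN_MSG and GR_IP_LEARN_MSG carries no precision while every other string argument is bounded (`%.950s`, `%.4095s`), which matters if `gr_log_varargs()` formats into a fixed-size buffer. Typo in GR_DEV_ACL_MSG: "being fed garbaged by" should read "being fed garbage by".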
68261 +diff -urNp linux-2.6.24.5/include/linux/grsecurity.h linux-2.6.24.5/include/linux/grsecurity.h
68262 +--- linux-2.6.24.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
68263 ++++ linux-2.6.24.5/include/linux/grsecurity.h 2008-03-26 20:21:09.000000000 -0400
68264 +@@ -0,0 +1,197 @@
68265 ++#ifndef GR_SECURITY_H
68266 ++#define GR_SECURITY_H
68267 ++#include <linux/fs.h>
68268 ++#include <linux/binfmts.h>
68269 ++#include <linux/gracl.h>
68270 ++
68271 ++/* notify of brain-dead configs */
68272 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC)
68273 ++#error "CONFIG_PAX_NOEXEC enabled, but neither PAGEEXEC nor SEGMEXEC are enabled."
68274 ++#endif
68275 ++#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
68276 ++#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
68277 ++#endif
68278 ++#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
68279 ++#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
68280 ++#endif
68281 ++#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
68282 ++#error "CONFIG_PAX enabled, but no PaX options are enabled."
68283 ++#endif
68284 ++
68285 ++void gr_handle_brute_attach(struct task_struct *p);
68286 ++void gr_handle_brute_check(void);
68287 ++
68288 ++char gr_roletype_to_char(void);
68289 ++
68290 ++int gr_check_user_change(int real, int effective, int fs);
68291 ++int gr_check_group_change(int real, int effective, int fs);
68292 ++
68293 ++void gr_del_task_from_ip_table(struct task_struct *p);
68294 ++
68295 ++int gr_pid_is_chrooted(struct task_struct *p);
68296 ++int gr_handle_chroot_nice(void);
68297 ++int gr_handle_chroot_sysctl(const int op);
68298 ++int gr_handle_chroot_setpriority(struct task_struct *p,
68299 ++ const int niceval);
68300 ++int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
68301 ++int gr_handle_chroot_chroot(const struct dentry *dentry,
68302 ++ const struct vfsmount *mnt);
68303 ++void gr_handle_chroot_caps(struct task_struct *task);
68304 ++void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
68305 ++int gr_handle_chroot_chmod(const struct dentry *dentry,
68306 ++ const struct vfsmount *mnt, const int mode);
68307 ++int gr_handle_chroot_mknod(const struct dentry *dentry,
68308 ++ const struct vfsmount *mnt, const int mode);
68309 ++int gr_handle_chroot_mount(const struct dentry *dentry,
68310 ++ const struct vfsmount *mnt,
68311 ++ const char *dev_name);
68312 ++int gr_handle_chroot_pivot(void);
68313 ++int gr_handle_chroot_unix(const pid_t pid);
68314 ++
68315 ++int gr_handle_rawio(const struct inode *inode);
68316 ++int gr_handle_nproc(void);
68317 ++
68318 ++void gr_handle_ioperm(void);
68319 ++void gr_handle_iopl(void);
68320 ++
68321 ++int gr_tpe_allow(const struct file *file);
68322 ++
68323 ++int gr_random_pid(void);
68324 ++
68325 ++void gr_log_forkfail(const int retval);
68326 ++void gr_log_timechange(void);
68327 ++void gr_log_signal(const int sig, const struct task_struct *t);
68328 ++void gr_log_chdir(const struct dentry *dentry,
68329 ++ const struct vfsmount *mnt);
68330 ++void gr_log_chroot_exec(const struct dentry *dentry,
68331 ++ const struct vfsmount *mnt);
68332 ++void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
68333 ++void gr_log_remount(const char *devname, const int retval);
68334 ++void gr_log_unmount(const char *devname, const int retval);
68335 ++void gr_log_mount(const char *from, const char *to, const int retval);
68336 ++void gr_log_msgget(const int ret, const int msgflg);
68337 ++void gr_log_msgrm(const uid_t uid, const uid_t cuid);
68338 ++void gr_log_semget(const int err, const int semflg);
68339 ++void gr_log_semrm(const uid_t uid, const uid_t cuid);
68340 ++void gr_log_shmget(const int err, const int shmflg, const size_t size);
68341 ++void gr_log_shmrm(const uid_t uid, const uid_t cuid);
68342 ++void gr_log_textrel(struct vm_area_struct *vma);
68343 ++
68344 ++int gr_handle_follow_link(const struct inode *parent,
68345 ++ const struct inode *inode,
68346 ++ const struct dentry *dentry,
68347 ++ const struct vfsmount *mnt);
68348 ++int gr_handle_fifo(const struct dentry *dentry,
68349 ++ const struct vfsmount *mnt,
68350 ++ const struct dentry *dir, const int flag,
68351 ++ const int acc_mode);
68352 ++int gr_handle_hardlink(const struct dentry *dentry,
68353 ++ const struct vfsmount *mnt,
68354 ++ struct inode *inode,
68355 ++ const int mode, const char *to);
68356 ++
68357 ++int gr_task_is_capable(struct task_struct *task, const int cap);
68358 ++int gr_is_capable_nolog(const int cap);
68359 ++void gr_learn_resource(const struct task_struct *task, const int limit,
68360 ++ const unsigned long wanted, const int gt);
68361 ++void gr_copy_label(struct task_struct *tsk);
68362 ++void gr_handle_crash(struct task_struct *task, const int sig);
68363 ++int gr_handle_signal(const struct task_struct *p, const int sig);
68364 ++int gr_check_crash_uid(const uid_t uid);
68365 ++int gr_check_protected_task(const struct task_struct *task);
68366 ++int gr_acl_handle_mmap(const struct file *file,
68367 ++ const unsigned long prot);
68368 ++int gr_acl_handle_mprotect(const struct file *file,
68369 ++ const unsigned long prot);
68370 ++int gr_check_hidden_task(const struct task_struct *tsk);
68371 ++__u32 gr_acl_handle_truncate(const struct dentry *dentry,
68372 ++ const struct vfsmount *mnt);
68373 ++__u32 gr_acl_handle_utime(const struct dentry *dentry,
68374 ++ const struct vfsmount *mnt);
68375 ++__u32 gr_acl_handle_access(const struct dentry *dentry,
68376 ++ const struct vfsmount *mnt, const int fmode);
68377 ++__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
68378 ++ const struct vfsmount *mnt, mode_t mode);
68379 ++__u32 gr_acl_handle_chmod(const struct dentry *dentry,
68380 ++ const struct vfsmount *mnt, mode_t mode);
68381 ++__u32 gr_acl_handle_chown(const struct dentry *dentry,
68382 ++ const struct vfsmount *mnt);
68383 ++int gr_handle_ptrace(struct task_struct *task, const long request);
68384 ++int gr_handle_proc_ptrace(struct task_struct *task);
68385 ++__u32 gr_acl_handle_execve(const struct dentry *dentry,
68386 ++ const struct vfsmount *mnt);
68387 ++int gr_check_crash_exec(const struct file *filp);
68388 ++int gr_acl_is_enabled(void);
68389 ++void gr_set_kernel_label(struct task_struct *task);
68390 ++void gr_set_role_label(struct task_struct *task, const uid_t uid,
68391 ++ const gid_t gid);
68392 ++int gr_set_proc_label(const struct dentry *dentry,
68393 ++ const struct vfsmount *mnt);
68394 ++__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
68395 ++ const struct vfsmount *mnt);
68396 ++__u32 gr_acl_handle_open(const struct dentry *dentry,
68397 ++ const struct vfsmount *mnt, const int fmode);
68398 ++__u32 gr_acl_handle_creat(const struct dentry *dentry,
68399 ++ const struct dentry *p_dentry,
68400 ++ const struct vfsmount *p_mnt, const int fmode,
68401 ++ const int imode);
68402 ++void gr_handle_create(const struct dentry *dentry,
68403 ++ const struct vfsmount *mnt);
68404 ++__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
68405 ++ const struct dentry *parent_dentry,
68406 ++ const struct vfsmount *parent_mnt,
68407 ++ const int mode);
68408 ++__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
68409 ++ const struct dentry *parent_dentry,
68410 ++ const struct vfsmount *parent_mnt);
68411 ++__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
68412 ++ const struct vfsmount *mnt);
68413 ++void gr_handle_delete(const ino_t ino, const dev_t dev);
68414 ++__u32 gr_acl_handle_unlink(const struct dentry *dentry,
68415 ++ const struct vfsmount *mnt);
68416 ++__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
68417 ++ const struct dentry *parent_dentry,
68418 ++ const struct vfsmount *parent_mnt,
68419 ++ const char *from);
68420 ++__u32 gr_acl_handle_link(const struct dentry *new_dentry,
68421 ++ const struct dentry *parent_dentry,
68422 ++ const struct vfsmount *parent_mnt,
68423 ++ const struct dentry *old_dentry,
68424 ++ const struct vfsmount *old_mnt, const char *to);
68425 ++int gr_acl_handle_rename(struct dentry *new_dentry,
68426 ++ struct dentry *parent_dentry,
68427 ++ const struct vfsmount *parent_mnt,
68428 ++ struct dentry *old_dentry,
68429 ++ struct inode *old_parent_inode,
68430 ++ struct vfsmount *old_mnt, const char *newname);
68431 ++void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
68432 ++ struct dentry *old_dentry,
68433 ++ struct dentry *new_dentry,
68434 ++ struct vfsmount *mnt, const __u8 replace);
68435 ++__u32 gr_check_link(const struct dentry *new_dentry,
68436 ++ const struct dentry *parent_dentry,
68437 ++ const struct vfsmount *parent_mnt,
68438 ++ const struct dentry *old_dentry,
68439 ++ const struct vfsmount *old_mnt);
68440 ++int gr_acl_handle_filldir(const struct file *file, const char *name,
68441 ++ const unsigned int namelen, const ino_t ino);
68442 ++
68443 ++__u32 gr_acl_handle_unix(const struct dentry *dentry,
68444 ++ const struct vfsmount *mnt);
68445 ++void gr_acl_handle_exit(void);
68446 ++void gr_acl_handle_psacct(struct task_struct *task, const long code);
68447 ++int gr_acl_handle_procpidmem(const struct task_struct *task);
68448 ++
68449 ++#ifdef CONFIG_GRKERNSEC
68450 ++void gr_handle_mem_write(void);
68451 ++void gr_handle_kmem_write(void);
68452 ++void gr_handle_open_port(void);
68453 ++int gr_handle_mem_mmap(const unsigned long offset,
68454 ++ struct vm_area_struct *vma);
68455 ++
68456 ++extern int grsec_enable_dmesg;
68457 ++extern int grsec_enable_randsrc;
68458 ++extern int grsec_enable_shm;
68459 ++#endif
68460 ++
68461 ++#endif
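Review bot: the prototypes in this block mix `int` and `__u32` return types (`gr_acl_handle_mmap` returns `int`, `gr_acl_handle_open` returns `__u32`) with no comment stating the convention, so a caller cannot tell from the header whether 0 means "denied" or "allowed", or which of the `gr_handle_*` hooks return an errno rather than a boolean. A one-line comment at the top of the `gr_acl_handle_*` group giving the return convention would fix that. Also, the `#ifdef CONFIG_GRKERNSEC` block at the end leaves every `gr_acl_handle_*` prototype above it unconditional; if those are only implemented when grsecurity is built, non-grsec builds need stub definitions that this hunk does not show, so the change description should say where they live.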
68462 +diff -urNp linux-2.6.24.5/include/linux/highmem.h linux-2.6.24.5/include/linux/highmem.h
68463 +--- linux-2.6.24.5/include/linux/highmem.h 2008-03-24 14:49:18.000000000 -0400
68464 ++++ linux-2.6.24.5/include/linux/highmem.h 2008-03-26 20:21:09.000000000 -0400
68465 +@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
68466 + kunmap_atomic(kaddr, KM_USER0);
68467 + }
68468 +
68469 ++static inline void sanitize_highpage(struct page *page)
68470 ++{
68471 ++ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
68472 ++ clear_page(kaddr);
68473 ++ kunmap_atomic(kaddr, KM_CLEARPAGE);
68474 ++}
68475 ++
68476 + /*
68477 + * Same but also flushes aliased cache contents to RAM.
68478 + *
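Review bot: `sanitize_highpage` uses the `KM_CLEARPAGE` kmap slot, which is not defined in this hunk; every architecture's `asm/kmap_types.h` must provide it or the build breaks wherever this inline is instantiated. The function also deserves a comment distinguishing it from `clear_highpage` directly above (same body, different slot), because the name implies a security purpose (wiping a page before it is reused) and a reader cannot see why a separate slot is needed. Unlike `zero_user_page` below, it does not call `flush_dcache_page`; that is fine only if the page is not user-mapped at this point, and the comment should state that assumption.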
68479 +@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
68480 + */
68481 + #define zero_user_page(page, offset, size, km_type) \
68482 + do { \
68483 +- void *kaddr; \
68484 ++ void *__kaddr; \
68485 + \
68486 + BUG_ON((offset) + (size) > PAGE_SIZE); \
68487 + \
68488 +- kaddr = kmap_atomic(page, km_type); \
68489 +- memset((char *)kaddr + (offset), 0, (size)); \
68490 ++ __kaddr = kmap_atomic(page, km_type); \
68491 ++ memset((char *)__kaddr + (offset), 0, (size)); \
68492 + flush_dcache_page(page); \
68493 +- kunmap_atomic(kaddr, (km_type)); \
68494 ++ kunmap_atomic(__kaddr, (km_type)); \
68495 + } while (0)
68496 +
68497 + static inline void __deprecated memclear_highpage_flush(struct page *page,
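Review bot: renaming the macro-local `kaddr` to `__kaddr` in `zero_user_page` fixes a hygiene problem rather than style: if a caller passed an `offset` or `size` expression that itself referred to a variable named `kaddr`, the macro's own `kaddr` shadowed it and the `memset` silently used the wrong address. The same renaming is applied to `flags` in the `irqs_disabled()` hunk in irqflags.h. A short comment in the macro would stop a later cleanup from reverting the `__` prefix as noise.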
68498 +diff -urNp linux-2.6.24.5/include/linux/init_task.h linux-2.6.24.5/include/linux/init_task.h
68499 +--- linux-2.6.24.5/include/linux/init_task.h 2008-03-24 14:49:18.000000000 -0400
68500 ++++ linux-2.6.24.5/include/linux/init_task.h 2008-03-26 20:21:09.000000000 -0400
68501 +@@ -121,7 +121,7 @@ extern struct group_info init_groups;
68502 + #define INIT_TASK(tsk) \
68503 + { \
68504 + .state = 0, \
68505 +- .stack = &init_thread_info, \
68506 ++ .stack = &init_thread_union, \
68507 + .usage = ATOMIC_INIT(2), \
68508 + .flags = 0, \
68509 + .lock_depth = -1, \
68510 +diff -urNp linux-2.6.24.5/include/linux/irqflags.h linux-2.6.24.5/include/linux/irqflags.h
68511 +--- linux-2.6.24.5/include/linux/irqflags.h 2008-03-24 14:49:18.000000000 -0400
68512 ++++ linux-2.6.24.5/include/linux/irqflags.h 2008-03-26 20:21:09.000000000 -0400
68513 +@@ -84,10 +84,10 @@
68514 +
68515 + #define irqs_disabled() \
68516 + ({ \
68517 +- unsigned long flags; \
68518 ++ unsigned long __flags; \
68519 + \
68520 +- raw_local_save_flags(flags); \
68521 +- raw_irqs_disabled_flags(flags); \
68522 ++ raw_local_save_flags(__flags); \
68523 ++ raw_irqs_disabled_flags(__flags); \
68524 + })
68525 +
68526 + #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
68527 +diff -urNp linux-2.6.24.5/include/linux/jbd2.h linux-2.6.24.5/include/linux/jbd2.h
68528 +--- linux-2.6.24.5/include/linux/jbd2.h 2008-03-24 14:49:18.000000000 -0400
68529 ++++ linux-2.6.24.5/include/linux/jbd2.h 2008-03-26 20:21:09.000000000 -0400
68530 +@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
68531 + } \
68532 + } while (0)
68533 + #else
68534 +-#define jbd_debug(f, a...) /**/
68535 ++#define jbd_debug(f, a...) do {} while (0)
68536 + #endif
68537 +
68538 + static inline void *jbd2_alloc(size_t size, gfp_t flags)
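Review bot: replacing the empty `/**/` expansion of `jbd_debug` with `do {} while (0)` is the right fix: with the empty form, `if (cond) jbd_debug(...); else ...` left a bare `;` behind and broke the `else`, and the expansion also produced no statement for the compiler to warn about. The identical change is made to jbd.h, libata.h, udf_fs.h, sctp.h and sound/core.h in this patch; those carry no grsecurity dependency and could be submitted upstream separately.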
68539 +diff -urNp linux-2.6.24.5/include/linux/jbd.h linux-2.6.24.5/include/linux/jbd.h
68540 +--- linux-2.6.24.5/include/linux/jbd.h 2008-03-24 14:49:18.000000000 -0400
68541 ++++ linux-2.6.24.5/include/linux/jbd.h 2008-03-26 20:21:09.000000000 -0400
68542 +@@ -69,7 +69,7 @@ extern u8 journal_enable_debug;
68543 + } \
68544 + } while (0)
68545 + #else
68546 +-#define jbd_debug(f, a...) /**/
68547 ++#define jbd_debug(f, a...) do {} while (0)
68548 + #endif
68549 +
68550 + static inline void *jbd_alloc(size_t size, gfp_t flags)
68551 +diff -urNp linux-2.6.24.5/include/linux/libata.h linux-2.6.24.5/include/linux/libata.h
68552 +--- linux-2.6.24.5/include/linux/libata.h 2008-03-24 14:49:18.000000000 -0400
68553 ++++ linux-2.6.24.5/include/linux/libata.h 2008-03-26 20:21:09.000000000 -0400
68554 +@@ -62,11 +62,11 @@
68555 + #ifdef ATA_VERBOSE_DEBUG
68556 + #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
68557 + #else
68558 +-#define VPRINTK(fmt, args...)
68559 ++#define VPRINTK(fmt, args...) do {} while (0)
68560 + #endif /* ATA_VERBOSE_DEBUG */
68561 + #else
68562 +-#define DPRINTK(fmt, args...)
68563 +-#define VPRINTK(fmt, args...)
68564 ++#define DPRINTK(fmt, args...) do {} while (0)
68565 ++#define VPRINTK(fmt, args...) do {} while (0)
68566 + #endif /* ATA_DEBUG */
68567 +
68568 + #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
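Review bot: `BPRINTK` in the trailing context of this hunk still expands to a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)`, so `if (x) BPRINTK(...); else ...` binds the `else` to the wrong `if`. Since this hunk already fixes the empty `DPRINTK`/`VPRINTK` expansions, wrap `BPRINTK` in `do { ... } while (0)` in the same change.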
68569 +diff -urNp linux-2.6.24.5/include/linux/mm.h linux-2.6.24.5/include/linux/mm.h
68570 +--- linux-2.6.24.5/include/linux/mm.h 2008-03-24 14:49:18.000000000 -0400
68571 ++++ linux-2.6.24.5/include/linux/mm.h 2008-03-26 20:21:09.000000000 -0400
68572 +@@ -37,6 +37,7 @@ extern int sysctl_legacy_va_layout;
68573 + #include <asm/page.h>
68574 + #include <asm/pgtable.h>
68575 + #include <asm/processor.h>
68576 ++#include <asm/mman.h>
68577 +
68578 + #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
68579 +
68580 +@@ -107,6 +108,14 @@ extern unsigned int kobjsize(const void
68581 +
68582 + #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
68583 +
68584 ++#ifdef CONFIG_PAX_PAGEEXEC
68585 ++#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
68586 ++#endif
68587 ++
68588 ++#ifdef CONFIG_PAX_MPROTECT
68589 ++#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
68590 ++#endif
68591 ++
68592 + #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
68593 + #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
68594 + #endif
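Review bot: `VM_PAGEEXEC` (0x10000000) and `VM_MAYNOTWRITE` (0x20000000) are taken from the top of the `vm_flags` space right after `VM_CAN_NONLINEAR` (0x08000000); this hunk shows only that neighbour, so confirm against the full flag list in this file that no other `VM_*` definition already uses either bit, and add a comment reserving them for PaX so a future upstream flag is not placed on top of them. Keeping the definitions under `#ifdef CONFIG_PAX_PAGEEXEC` / `#ifdef CONFIG_PAX_MPROTECT` means code that tests them outside the matching guard fails to compile, which is a reasonable way to catch misuse.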
68595 +@@ -792,6 +801,8 @@ struct shrinker {
68596 + extern void register_shrinker(struct shrinker *);
68597 + extern void unregister_shrinker(struct shrinker *);
68598 +
68599 ++pgprot_t vm_get_page_prot(unsigned long vm_flags);
68600 ++
68601 + int vma_wants_writenotify(struct vm_area_struct *vma);
68602 +
68603 + extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
68604 +@@ -1018,6 +1029,7 @@ out:
68605 + }
68606 +
68607 + extern int do_munmap(struct mm_struct *, unsigned long, size_t);
68608 ++extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
68609 +
68610 + extern unsigned long do_brk(unsigned long, unsigned long);
68611 +
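Review bot: `__do_munmap` is declared right after `do_munmap` with the same signature and no comment; the header should say how the two differ (whether the `__` variant expects the caller to hold `mmap_sem`, or skips some other precondition) so callers do not pick the wrong one. A one-line comment above the declaration is enough.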
68612 +@@ -1070,6 +1082,10 @@ extern struct vm_area_struct * find_vma(
68613 + extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
68614 + struct vm_area_struct **pprev);
68615 +
68616 ++extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
68617 ++extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
68618 ++extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
68619 ++
68620 + /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
68621 + NULL if none. Assume start_addr < end_addr. */
68622 + static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
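Review bot: the three `pax_mirror_*` declarations carry no locking documentation, and `pax_mirror_file_pte` takes a `spinlock_t *ptl`, which implies the caller must already hold the page-table lock for `address`; state that requirement, and whether `mmap_sem` must be held for `pax_find_mirror_vma`, in a comment above the block. The mirror VMA is a second mapping of the same memory, so a mismatch between the two under a lost lock is a memory-safety problem rather than a functional bug.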
68623 +@@ -1086,7 +1102,6 @@ static inline unsigned long vma_pages(st
68624 + return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
68625 + }
68626 +
68627 +-pgprot_t vm_get_page_prot(unsigned long vm_flags);
68628 + struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
68629 + struct page *vmalloc_to_page(void *addr);
68630 + unsigned long vmalloc_to_pfn(void *addr);
68631 +@@ -1157,5 +1172,11 @@ int vmemmap_populate_basepages(struct pa
68632 + unsigned long pages, int node);
68633 + int vmemmap_populate(struct page *start_page, unsigned long pages, int node);
68634 +
68635 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
68636 ++extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
68637 ++#else
68638 ++static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
68639 ++#endif
68640 ++
68641 + #endif /* __KERNEL__ */
68642 + #endif /* _LINUX_MM_H */
68643 +diff -urNp linux-2.6.24.5/include/linux/mm_types.h linux-2.6.24.5/include/linux/mm_types.h
68644 +--- linux-2.6.24.5/include/linux/mm_types.h 2008-03-24 14:49:18.000000000 -0400
68645 ++++ linux-2.6.24.5/include/linux/mm_types.h 2008-03-26 20:21:09.000000000 -0400
68646 +@@ -151,6 +151,8 @@ struct vm_area_struct {
68647 + #ifdef CONFIG_NUMA
68648 + struct mempolicy *vm_policy; /* NUMA policy for the VMA */
68649 + #endif
68650 ++
68651 ++ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
68652 + };
68653 +
68654 + struct mm_struct {
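Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally while the `mm_struct` fields in the next hunk are all behind `CONFIG_PAX_*` guards; either guard it as well or document why every VMA pays for the pointer on non-PaX builds. Every place that allocates or copies a VMA (`dup_mmap` on fork, `split_vma`, `copy_vma`, and any other `vm_area_cachep` user) must set `vm_mirror` to NULL or to the correct mirror; this hunk does not show those sites, so the change description should point at them.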
68655 +@@ -219,6 +221,24 @@ struct mm_struct {
68656 + /* aio bits */
68657 + rwlock_t ioctx_list_lock;
68658 + struct kioctx *ioctx_list;
68659 ++
68660 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
68661 ++ unsigned long pax_flags;
68662 ++#endif
68663 ++
68664 ++#ifdef CONFIG_PAX_DLRESOLVE
68665 ++ unsigned long call_dl_resolve;
68666 ++#endif
68667 ++
68668 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
68669 ++ unsigned long call_syscall;
68670 ++#endif
68671 ++
68672 ++#ifdef CONFIG_PAX_ASLR
68673 ++ unsigned long delta_mmap; /* randomized offset */
68674 ++ unsigned long delta_stack; /* randomized offset */
68675 ++#endif
68676 ++
68677 + };
68678 +
68679 + #endif /* _LINUX_MM_TYPES_H */
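Review bot: the new `mm_struct` fields (`pax_flags`, `call_dl_resolve`, `call_syscall`, `delta_mmap`, `delta_stack`) need their initialisation and inheritance rules stated: which are copied on fork, which are recomputed on exec, and which must be zero in `init_mm`. The `pax_flags` line should also point to the `MF_PAX_*` bit definitions (added to sched.h in this patch) so a reader can find the bit layout without grepping.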
68680 +diff -urNp linux-2.6.24.5/include/linux/module.h linux-2.6.24.5/include/linux/module.h
68681 +--- linux-2.6.24.5/include/linux/module.h 2008-03-24 14:49:18.000000000 -0400
68682 ++++ linux-2.6.24.5/include/linux/module.h 2008-03-26 20:21:09.000000000 -0400
68683 +@@ -296,16 +296,16 @@ struct module
68684 + int (*init)(void);
68685 +
68686 + /* If this is non-NULL, vfree after init() returns */
68687 +- void *module_init;
68688 ++ void *module_init_rx, *module_init_rw;
68689 +
68690 + /* Here is the actual code + data, vfree'd on unload. */
68691 +- void *module_core;
68692 ++ void *module_core_rx, *module_core_rw;
68693 +
68694 + /* Here are the sizes of the init and core sections */
68695 +- unsigned long init_size, core_size;
68696 ++ unsigned long init_size_rw, core_size_rw;
68697 +
68698 + /* The size of the executable code in each section. */
68699 +- unsigned long init_text_size, core_text_size;
68700 ++ unsigned long init_size_rx, core_size_rx;
68701 +
68702 + /* The handle returned from unwind_add_table. */
68703 + void *unwind_info;
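Review bot: splitting `module_init`/`module_core` into `_rx`/`_rw` halves and renaming `init_size`/`core_size` and `init_text_size`/`core_text_size` to `*_size_rw`/`*_size_rx` changes the meaning of the size fields, not just their names: `core_text_size` was the executable portion of one region, while `core_size_rx` is the size of a separate region. Renaming rather than keeping the old names is the right call because every user (`module_address_lookup`, the oops/kallsyms code, each arch's `module_finalize`/`module_free`) fails to compile until updated; please list the updated sites in the change description so reviewers can confirm none were missed.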
68704 +diff -urNp linux-2.6.24.5/include/linux/moduleloader.h linux-2.6.24.5/include/linux/moduleloader.h
68705 +--- linux-2.6.24.5/include/linux/moduleloader.h 2008-03-24 14:49:18.000000000 -0400
68706 ++++ linux-2.6.24.5/include/linux/moduleloader.h 2008-03-26 20:21:09.000000000 -0400
68707 +@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
68708 + sections. Returns NULL on failure. */
68709 + void *module_alloc(unsigned long size);
68710 +
68711 ++#ifdef CONFIG_PAX_KERNEXEC
68712 ++void *module_alloc_exec(unsigned long size);
68713 ++#else
68714 ++#define module_alloc_exec(x) module_alloc(x)
68715 ++#endif
68716 ++
68717 + /* Free memory returned from module_alloc. */
68718 + void module_free(struct module *mod, void *module_region);
68719 +
68720 ++#ifdef CONFIG_PAX_KERNEXEC
68721 ++void module_free_exec(struct module *mod, void *module_region);
68722 ++#else
68723 ++#define module_free_exec(x, y) module_free(x, y)
68724 ++#endif
68725 ++
68726 + /* Apply the given relocation to the (simplified) ELF. Return -error
68727 + or 0. */
68728 + int apply_relocate(Elf_Shdr *sechdrs,
68729 +diff -urNp linux-2.6.24.5/include/linux/namei.h linux-2.6.24.5/include/linux/namei.h
68730 +--- linux-2.6.24.5/include/linux/namei.h 2008-03-24 14:49:18.000000000 -0400
68731 ++++ linux-2.6.24.5/include/linux/namei.h 2008-03-26 20:21:09.000000000 -0400
68732 +@@ -21,7 +21,7 @@ struct nameidata {
68733 + unsigned int flags;
68734 + int last_type;
68735 + unsigned depth;
68736 +- char *saved_names[MAX_NESTED_LINKS + 1];
68737 ++ const char *saved_names[MAX_NESTED_LINKS + 1];
68738 +
68739 + /* Intent data */
68740 + union {
68741 +@@ -90,12 +90,12 @@ extern int follow_up(struct vfsmount **,
68742 + extern struct dentry *lock_rename(struct dentry *, struct dentry *);
68743 + extern void unlock_rename(struct dentry *, struct dentry *);
68744 +
68745 +-static inline void nd_set_link(struct nameidata *nd, char *path)
68746 ++static inline void nd_set_link(struct nameidata *nd, const char *path)
68747 + {
68748 + nd->saved_names[nd->depth] = path;
68749 + }
68750 +
68751 +-static inline char *nd_get_link(struct nameidata *nd)
68752 ++static inline const char *nd_get_link(struct nameidata *nd)
68753 + {
68754 + return nd->saved_names[nd->depth];
68755 + }
68756 +diff -urNp linux-2.6.24.5/include/linux/percpu.h linux-2.6.24.5/include/linux/percpu.h
68757 +--- linux-2.6.24.5/include/linux/percpu.h 2008-04-17 20:05:17.000000000 -0400
68758 ++++ linux-2.6.24.5/include/linux/percpu.h 2008-04-17 20:05:01.000000000 -0400
68759 +@@ -18,7 +18,7 @@
68760 + #endif
68761 +
68762 + #define PERCPU_ENOUGH_ROOM \
68763 +- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
68764 ++ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
68765 + #endif /* PERCPU_ENOUGH_ROOM */
68766 +
68767 + /*
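Review bot: the cast in `PERCPU_ENOUGH_ROOM` deserves a comment: `__per_cpu_end - __per_cpu_start` is a pointer difference and therefore a signed `ptrdiff_t`, so the old expression participated in arithmetic and comparisons as a signed value; casting the whole sum to `unsigned long` makes the macro behave as the size it is used as. State the reason in the macro so the cast is not removed later as redundant.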
68768 +diff -urNp linux-2.6.24.5/include/linux/poison.h linux-2.6.24.5/include/linux/poison.h
68769 +--- linux-2.6.24.5/include/linux/poison.h 2008-03-24 14:49:18.000000000 -0400
68770 ++++ linux-2.6.24.5/include/linux/poison.h 2008-03-26 20:21:09.000000000 -0400
68771 +@@ -7,8 +7,8 @@
68772 + * under normal circumstances, used to verify that nobody uses
68773 + * non-initialized list entries.
68774 + */
68775 +-#define LIST_POISON1 ((void *) 0x00100100)
68776 +-#define LIST_POISON2 ((void *) 0x00200200)
68777 ++#define LIST_POISON1 ((void *) 0xFF1001FFFF1001FFULL)
68778 ++#define LIST_POISON2 ((void *) 0xFF2002FFFF2002FFULL)
68779 +
68780 + /********** mm/slab.c **********/
68781 + /*
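Review bot: the change of `LIST_POISON1`/`LIST_POISON2` from 0x00100100/0x00200200 to 0xFF1001FFFF1001FF/0xFF2002FFFF2002FF has a security rationale that belongs in the comment above them: the old values are low user-space addresses that a process can map, so a kernel use of a poisoned list pointer could land in memory the process controls; the new values are non-canonical on x86-64 and, truncated to 0xFF1001FF/0xFF2002FF on 32-bit, sit in the kernel half of the address space, so a dereference faults instead. Two things to check: 32-bit builds for the "cast to pointer from integer of different size" warning that the `ULL` constant can trigger, and that the truncated 32-bit values do not land on a mapped kernel region (the fixmap area lives near the top of the address space).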
68782 +diff -urNp linux-2.6.24.5/include/linux/random.h linux-2.6.24.5/include/linux/random.h
68783 +--- linux-2.6.24.5/include/linux/random.h 2008-03-24 14:49:18.000000000 -0400
68784 ++++ linux-2.6.24.5/include/linux/random.h 2008-03-26 20:21:09.000000000 -0400
68785 +@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
68786 + u32 random32(void);
68787 + void srandom32(u32 seed);
68788 +
68789 ++static inline unsigned long pax_get_random_long(void)
68790 ++{
68791 ++ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
68792 ++}
68793 ++
68794 + #endif /* __KERNEL___ */
68795 +
68796 + #endif /* _LINUX_RANDOM_H */
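Review bot: `pax_get_random_long` builds its value from `random32()`, the kernel's non-cryptographic Tausworthe generator, whose output can be reconstructed from a few observed samples; if this helper feeds the `delta_mmap`/`delta_stack` ASLR offsets added to `mm_struct` in this patch, the randomisation is weaker than what `randomize_range()` (visible in this hunk's context and built on the entropy pool via `get_random_int()`) provides. Either document that this is an accepted speed trade-off on the exec path or draw from `get_random_int()`. Separately, on 32-bit targets the `(unsigned long)random32() << 32` expression in the dead branch of the `?:` is still compiled and produces a "left shift count >= width of type" warning; splitting the two cases with `#if BITS_PER_LONG == 64` avoids it.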
68797 +diff -urNp linux-2.6.24.5/include/linux/sched.h linux-2.6.24.5/include/linux/sched.h
68798 +--- linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:17.000000000 -0400
68799 ++++ linux-2.6.24.5/include/linux/sched.h 2008-04-17 20:05:01.000000000 -0400
68800 +@@ -94,6 +94,7 @@ struct sched_param {
68801 + struct exec_domain;
68802 + struct futex_pi_state;
68803 + struct bio;
68804 ++struct linux_binprm;
68805 +
68806 + /*
68807 + * List of flags we want to share for kernel threads,
68808 +@@ -507,6 +508,15 @@ struct signal_struct {
68809 + unsigned audit_tty;
68810 + struct tty_audit_buf *tty_audit_buf;
68811 + #endif
68812 ++
68813 ++#ifdef CONFIG_GRKERNSEC
68814 ++ u32 curr_ip;
68815 ++ u32 gr_saddr;
68816 ++ u32 gr_daddr;
68817 ++ u16 gr_sport;
68818 ++ u16 gr_dport;
68819 ++ u8 used_accept:1;
68820 ++#endif
68821 + };
68822 +
68823 + /* Context switch must be unlocked if interrupts are to be enabled */
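Review bot: the `CONFIG_GRKERNSEC` fields added to `signal_struct` (`curr_ip`, `gr_saddr`, `gr_daddr`, `gr_sport`, `gr_dport`, `used_accept`) have no comments; `curr_ip` in particular needs one stating what it records, in which byte order, and when it is cleared, since it is shared by every thread in the group. Being `u32`, these fields can only hold IPv4 addresses, so the behaviour for IPv6-originated sessions should be stated as well.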
68824 +@@ -916,7 +926,7 @@ struct sched_entity {
68825 +
68826 + struct task_struct {
68827 + volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
68828 +- void *stack;
68829 ++ union thread_union *stack;
68830 + atomic_t usage;
68831 + unsigned int flags; /* per process flags, defined below */
68832 + unsigned int ptrace;
68833 +@@ -983,10 +993,9 @@ struct task_struct {
68834 + pid_t pid;
68835 + pid_t tgid;
68836 +
68837 +-#ifdef CONFIG_CC_STACKPROTECTOR
68838 + /* Canary value for the -fstack-protector gcc feature */
68839 + unsigned long stack_canary;
68840 +-#endif
68841 ++
68842 + /*
68843 + * pointers to (original) parent process, youngest child, younger sibling,
68844 + * older sibling, respectively. (p->father can be replaced with
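Review bot: dropping the `#ifdef CONFIG_CC_STACKPROTECTOR` around `stack_canary` makes every configuration carry the field and should say why in a comment (presumably so that code or assembly offsets referring to it compile regardless of the option). If the field is unused on builds without the option, say so, otherwise a reader may take its presence as evidence that the protection is active; and any fork/exec code that initialised the canary only under the same `#ifdef` should be checked for consistency with the now-unconditional field.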
68845 +@@ -1007,8 +1016,8 @@ struct task_struct {
68846 + struct list_head thread_group;
68847 +
68848 + struct completion *vfork_done; /* for vfork() */
68849 +- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
68850 +- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
68851 ++ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
68852 ++ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
68853 +
68854 + unsigned int rt_priority;
68855 + cputime_t utime, stime, utimescaled, stimescaled;
68856 +@@ -1178,8 +1187,60 @@ struct task_struct {
68857 + int make_it_fail;
68858 + #endif
68859 + struct prop_local_single dirties;
68860 ++
68861 ++#ifdef CONFIG_GRKERNSEC
68862 ++ /* grsecurity */
68863 ++ struct acl_subject_label *acl;
68864 ++ struct acl_role_label *role;
68865 ++ struct file *exec_file;
68866 ++ u16 acl_role_id;
68867 ++ u8 acl_sp_role;
68868 ++ u8 is_writable;
68869 ++ u8 brute;
68870 ++#endif
68871 ++
68872 + };
68873 +
68874 ++#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
68875 ++#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
68876 ++#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
68877 ++#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
68878 ++/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
68879 ++#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
68880 ++
68881 ++#ifdef CONFIG_PAX_SOFTMODE
68882 ++extern unsigned int pax_softmode;
68883 ++#endif
68884 ++
68885 ++extern int pax_check_flags(unsigned long *);
68886 ++
68887 ++/* if tsk != current then task_lock must be held on it */
68888 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
68889 ++static inline unsigned long pax_get_flags(struct task_struct *tsk)
68890 ++{
68891 ++ if (likely(tsk->mm))
68892 ++ return tsk->mm->pax_flags;
68893 ++ else
68894 ++ return 0UL;
68895 ++}
68896 ++
68897 ++/* if tsk != current then task_lock must be held on it */
68898 ++static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
68899 ++{
68900 ++ if (likely(tsk->mm)) {
68901 ++ tsk->mm->pax_flags = flags;
68902 ++ return 0;
68903 ++ }
68904 ++ return -EINVAL;
68905 ++}
68906 ++#endif
68907 ++
68908 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
68909 ++extern void pax_set_initial_flags(struct linux_binprm *bprm);
68910 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
68911 ++extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
68912 ++#endif
68913 ++
68914 + /*
68915 + * Priority of a process goes from 0..MAX_PRIO-1, valid RT
68916 + * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
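Review bot: the `MF_PAX_*` definitions should state that bit 0x10000000 stays reserved for the commented-out `MF_PAX_RANDEXEC`; otherwise the next flag will be placed on it and a binary carrying the old bit in its PaX marking (`CONFIG_PAX_EI_PAX` / `CONFIG_PAX_PT_PAX_FLAGS`) will be misread. The grsecurity fields added to `task_struct` (`acl`, `role`, `exec_file`, `acl_role_id`, `acl_sp_role`, `is_writable`, `brute`) have no comments, and `exec_file` needs its reference-counting rule written down (who takes the `struct file` reference and where it is dropped on exit), since a missed `fput` pins the executable open. The `/* if tsk != current then task_lock must be held on it */` note on `pax_get_flags`/`pax_set_flags` is exactly the kind of comment the rest of the block should carry.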
68917 +@@ -1683,7 +1744,7 @@ extern void __cleanup_signal(struct sign
68918 + extern void __cleanup_sighand(struct sighand_struct *);
68919 + extern void exit_itimers(struct signal_struct *);
68920 +
68921 +-extern NORET_TYPE void do_group_exit(int);
68922 ++extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
68923 +
68924 + extern void daemonize(const char *, ...);
68925 + extern int allow_signal(int);
68926 +@@ -1785,8 +1846,8 @@ static inline void unlock_task_sighand(s
68927 +
68928 + #ifndef __HAVE_THREAD_FUNCTIONS
68929 +
68930 +-#define task_thread_info(task) ((struct thread_info *)(task)->stack)
68931 +-#define task_stack_page(task) ((task)->stack)
68932 ++#define task_thread_info(task) (&(task)->stack->thread_info)
68933 ++#define task_stack_page(task) ((void *)(task)->stack)
68934 +
68935 + static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
68936 + {
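Review bot: changing `task_thread_info` to `&(task)->stack->thread_info` and `task_stack_page` to `(void *)(task)->stack` depends on `stack` now being a `union thread_union *` (the `task_struct` hunk above) and on init_task.h pointing it at `init_thread_union`; the typed pointer is an improvement because the old `void *` accepted any pointer silently. These macros sit under `#ifndef __HAVE_THREAD_FUNCTIONS`, so architectures that define their own versions are not covered by this hunk and must be updated to the new field type separately; call that out in the change description.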
68937 +@@ -1923,6 +1984,12 @@ extern void arch_pick_mmap_layout(struct
68938 + static inline void arch_pick_mmap_layout(struct mm_struct *mm)
68939 + {
68940 + mm->mmap_base = TASK_UNMAPPED_BASE;
68941 ++
68942 ++#ifdef CONFIG_PAX_RANDMMAP
68943 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
68944 ++ mm->mmap_base += mm->delta_mmap;
68945 ++#endif
68946 ++
68947 + mm->get_unmapped_area = arch_get_unmapped_area;
68948 + mm->unmap_area = arch_unmap_area;
68949 + }
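Review bot: `mm->mmap_base += mm->delta_mmap;` in the generic `arch_pick_mmap_layout` has no bound check, so the header should state the invariant that `delta_mmap` is generated (not shown here) such that `TASK_UNMAPPED_BASE + delta_mmap` stays below `TASK_SIZE` with room for the mappings that follow; otherwise `arch_get_unmapped_area` starts its search out of range. This inline is only the fallback for architectures without their own `arch_pick_mmap_layout`; the architecture-specific versions, which this hunk does not touch, need the same addition or `MF_PAX_RANDMMAP` is silently ignored there.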
68950 +diff -urNp linux-2.6.24.5/include/linux/screen_info.h linux-2.6.24.5/include/linux/screen_info.h
68951 +--- linux-2.6.24.5/include/linux/screen_info.h 2008-03-24 14:49:18.000000000 -0400
68952 ++++ linux-2.6.24.5/include/linux/screen_info.h 2008-03-26 20:21:09.000000000 -0400
68953 +@@ -42,7 +42,8 @@ struct screen_info {
68954 + __u16 pages; /* 0x32 */
68955 + __u16 vesa_attributes; /* 0x34 */
68956 + __u32 capabilities; /* 0x36 */
68957 +- __u8 _reserved[6]; /* 0x3a */
68958 ++ __u16 vesapm_size; /* 0x3a */
68959 ++ __u8 _reserved[4]; /* 0x3c */
68960 + } __attribute__((packed));
68961 +
68962 + #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
68963 +diff -urNp linux-2.6.24.5/include/linux/security.h linux-2.6.24.5/include/linux/security.h
68964 +--- linux-2.6.24.5/include/linux/security.h 2008-04-17 20:05:17.000000000 -0400
68965 ++++ linux-2.6.24.5/include/linux/security.h 2008-04-17 20:05:01.000000000 -0400
68966 +@@ -2265,7 +2265,7 @@ static inline struct dentry *securityfs_
68967 + mode_t mode,
68968 + struct dentry *parent,
68969 + void *data,
68970 +- struct file_operations *fops)
68971 ++ const struct file_operations *fops)
68972 + {
68973 + return ERR_PTR(-ENODEV);
68974 + }
68975 +diff -urNp linux-2.6.24.5/include/linux/shm.h linux-2.6.24.5/include/linux/shm.h
68976 +--- linux-2.6.24.5/include/linux/shm.h 2008-03-24 14:49:18.000000000 -0400
68977 ++++ linux-2.6.24.5/include/linux/shm.h 2008-03-26 20:21:09.000000000 -0400
68978 +@@ -87,6 +87,10 @@ struct shmid_kernel /* private to the ke
68979 + pid_t shm_cprid;
68980 + pid_t shm_lprid;
68981 + struct user_struct *mlock_user;
68982 ++#ifdef CONFIG_GRKERNSEC
68983 ++ time_t shm_createtime;
68984 ++ pid_t shm_lapid;
68985 ++#endif
68986 + };
68987 +
68988 + /* shm_mode upper byte flags */
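Review bot: `shm_createtime` and `shm_lapid` are added without comments; the names suggest creation time and last attaching PID, but the header should say so, state which clock `shm_createtime` is taken from, and say when `shm_lapid` is updated (attach only, or detach as well), since the grsecurity checks that consume these values depend on those details.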
68989 +diff -urNp linux-2.6.24.5/include/linux/sysctl.h linux-2.6.24.5/include/linux/sysctl.h
68990 +--- linux-2.6.24.5/include/linux/sysctl.h 2008-03-24 14:49:18.000000000 -0400
68991 ++++ linux-2.6.24.5/include/linux/sysctl.h 2008-03-26 20:21:09.000000000 -0400
68992 +@@ -164,9 +164,21 @@ enum
68993 + KERN_MAX_LOCK_DEPTH=74,
68994 + KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
68995 + KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
68996 +-};
68997 ++#ifdef CONFIG_GRKERNSEC
68998 ++ KERN_GRSECURITY=98, /* grsecurity */
68999 ++#endif
69000 ++
69001 ++#ifdef CONFIG_PAX_SOFTMODE
69002 ++ KERN_PAX=99, /* PaX control */
69003 ++#endif
69004 +
69005 ++};
69006 +
69007 ++#ifdef CONFIG_PAX_SOFTMODE
69008 ++enum {
69009 ++ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
69010 ++};
69011 ++#endif
69012 +
69013 + /* CTL_VM names: */
69014 + enum
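Review bot: `KERN_GRSECURITY=98` and `KERN_PAX=99` are added inside `CONFIG_*` guarded regions of an enum that is part of the exported binary sysctl ABI, so the numbers must stay stable across configurations and must not collide with anything upstream later assigns in the gap after 76; a comment saying the two numbers are reserved for out-of-tree use would help. The blank line left between `KERN_PAX=99` and the moved `};` is stray whitespace.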
69015 +diff -urNp linux-2.6.24.5/include/linux/uaccess.h linux-2.6.24.5/include/linux/uaccess.h
69016 +--- linux-2.6.24.5/include/linux/uaccess.h 2008-03-24 14:49:18.000000000 -0400
69017 ++++ linux-2.6.24.5/include/linux/uaccess.h 2008-03-26 20:21:09.000000000 -0400
69018 +@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
69019 + long ret; \
69020 + mm_segment_t old_fs = get_fs(); \
69021 + \
69022 +- set_fs(KERNEL_DS); \
69023 + pagefault_disable(); \
69024 ++ set_fs(KERNEL_DS); \
69025 + ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
69026 +- pagefault_enable(); \
69027 + set_fs(old_fs); \
69028 ++ pagefault_enable(); \
69029 + ret; \
69030 + })
69031 +
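Review bot: reordering so that `pagefault_disable()` precedes `set_fs(KERNEL_DS)` and `set_fs(old_fs)` precedes `pagefault_enable()` nests the widened-segment window strictly inside the pagefault-disabled window, which is the correct containment: with the old order, `pagefault_enable()` (which can trigger preemption) ran while `KERNEL_DS` was still in effect, so anything that ran in that window did so with the address-limit check lifted. Add a comment stating the ordering requirement, because the hunk reads like a cosmetic swap and could be reverted by accident.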
69032 +diff -urNp linux-2.6.24.5/include/linux/udf_fs.h linux-2.6.24.5/include/linux/udf_fs.h
69033 +--- linux-2.6.24.5/include/linux/udf_fs.h 2008-03-24 14:49:18.000000000 -0400
69034 ++++ linux-2.6.24.5/include/linux/udf_fs.h 2008-03-26 20:21:09.000000000 -0400
69035 +@@ -45,7 +45,7 @@
69036 + printk (f, ##a); \
69037 + }
69038 + #else
69039 +-#define udf_debug(f, a...) /**/
69040 ++#define udf_debug(f, a...) do {} while (0)
69041 + #endif
69042 +
69043 + #define udf_info(f, a...) \
69044 +diff -urNp linux-2.6.24.5/include/net/sctp/sctp.h linux-2.6.24.5/include/net/sctp/sctp.h
69045 +--- linux-2.6.24.5/include/net/sctp/sctp.h 2008-03-24 14:49:18.000000000 -0400
69046 ++++ linux-2.6.24.5/include/net/sctp/sctp.h 2008-03-26 20:21:09.000000000 -0400
69047 +@@ -316,8 +316,8 @@ extern int sctp_debug_flag;
69048 +
69049 + #else /* SCTP_DEBUG */
69050 +
69051 +-#define SCTP_DEBUG_PRINTK(whatever...)
69052 +-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
69053 ++#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
69054 ++#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
69055 + #define SCTP_ENABLE_DEBUG
69056 + #define SCTP_DISABLE_DEBUG
69057 + #define SCTP_ASSERT(expr, str, func)
69058 +diff -urNp linux-2.6.24.5/include/sound/core.h linux-2.6.24.5/include/sound/core.h
69059 +--- linux-2.6.24.5/include/sound/core.h 2008-03-24 14:49:18.000000000 -0400
69060 ++++ linux-2.6.24.5/include/sound/core.h 2008-03-26 20:21:09.000000000 -0400
69061 +@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
69062 +
69063 + #else /* !CONFIG_SND_DEBUG */
69064 +
69065 +-#define snd_printd(fmt, args...) /* nothing */
69066 ++#define snd_printd(fmt, args...) do {} while (0)
69067 + #define snd_assert(expr, args...) (void)(expr)
69068 +-#define snd_BUG() /* nothing */
69069 ++#define snd_BUG() do {} while (0)
69070 +
69071 + #endif /* CONFIG_SND_DEBUG */
69072 +
69073 +@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
69074 + */
69075 + #define snd_printdd(format, args...) snd_printk(format, ##args)
69076 + #else
69077 +-#define snd_printdd(format, args...) /* nothing */
69078 ++#define snd_printdd(format, args...) do {} while (0)
69079 + #endif
69080 +
69081 +
69082 +diff -urNp linux-2.6.24.5/init/do_mounts.c linux-2.6.24.5/init/do_mounts.c
69083 +--- linux-2.6.24.5/init/do_mounts.c 2008-03-24 14:49:18.000000000 -0400
69084 ++++ linux-2.6.24.5/init/do_mounts.c 2008-03-26 20:21:09.000000000 -0400
69085 +@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
69086 +
69087 + /* read device number from .../dev */
69088 +
69089 +- sprintf(path, "/sys/block/%s/dev", name);
69090 +- fd = sys_open(path, 0, 0);
69091 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
69092 ++ goto fail;
69093 ++ fd = sys_open((char __user *)path, 0, 0);
69094 + if (fd < 0)
69095 + goto fail;
69096 +- len = sys_read(fd, buf, 32);
69097 ++ len = sys_read(fd, (char __user *)buf, 32);
69098 + sys_close(fd);
69099 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
69100 + goto fail;
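Review bot: the `sizeof path <= snprintf(path, sizeof path, ...)` check is correct: `snprintf` returns the length the full string would have needed, so a return value equal to `sizeof path` already means the terminating NUL was dropped, and `<=` treats that as the truncation it is. The `(char __user *)` casts on `sys_open`/`sys_read` are sparse annotations only and change no generated code; expect the same casts wherever this file calls syscalls directly.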
69101 +@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
69102 + return res;
69103 +
69104 + /* otherwise read range from .../range */
69105 +- sprintf(path, "/sys/block/%s/range", name);
69106 +- fd = sys_open(path, 0, 0);
69107 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
69108 ++ goto fail;
69109 ++ fd = sys_open((char __user *)path, 0, 0);
69110 + if (fd < 0)
69111 + goto fail;
69112 +- len = sys_read(fd, buf, 32);
69113 ++ len = sys_read(fd, (char __user *)buf, 32);
69114 + sys_close(fd);
69115 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
69116 + goto fail;
69117 +@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
69118 + int part;
69119 +
69120 + #ifdef CONFIG_SYSFS
69121 +- int mkdir_err = sys_mkdir("/sys", 0700);
69122 +- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
69123 ++ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
69124 ++ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
69125 + goto out;
69126 + #endif
69127 +
69128 +@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
69129 + res = try_name(s, part);
69130 + done:
69131 + #ifdef CONFIG_SYSFS
69132 +- sys_umount("/sys", 0);
69133 ++ sys_umount((char __user *)"/sys", 0);
69134 + out:
69135 + if (!mkdir_err)
69136 +- sys_rmdir("/sys");
69137 ++ sys_rmdir((char __user *)"/sys");
69138 + #endif
69139 + return res;
69140 + fail:
69141 +@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
69142 +
69143 + static int __init do_mount_root(char *name, char *fs, int flags, void *data)
69144 + {
69145 +- int err = sys_mount(name, "/root", fs, flags, data);
69146 ++ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
69147 + if (err)
69148 + return err;
69149 +
69150 +- sys_chdir("/root");
69151 ++ sys_chdir((char __user *)"/root");
69152 + ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
69153 + printk("VFS: Mounted root (%s filesystem)%s.\n",
69154 + current->fs->pwdmnt->mnt_sb->s_type->name,
69155 +@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
69156 + va_start(args, fmt);
69157 + vsprintf(buf, fmt, args);
69158 + va_end(args);
69159 +- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
69160 ++ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
69161 + if (fd >= 0) {
69162 + sys_ioctl(fd, FDEJECT, 0);
69163 + sys_close(fd);
69164 + }
69165 + printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
69166 +- fd = sys_open("/dev/console", O_RDWR, 0);
69167 ++ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
69168 + if (fd >= 0) {
69169 + sys_ioctl(fd, TCGETS, (long)&termios);
69170 + termios.c_lflag &= ~ICANON;
69171 + sys_ioctl(fd, TCSETSF, (long)&termios);
69172 +- sys_read(fd, &c, 1);
69173 ++ sys_read(fd, (char __user *)&c, 1);
69174 + termios.c_lflag |= ICANON;
69175 + sys_ioctl(fd, TCSETSF, (long)&termios);
69176 + sys_close(fd);
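Review bot: the context line `vsprintf(buf, fmt, args);` at the top of change_floppy() is still unbounded while this same patch converts sprintf() to a checked snprintf() in name_to_dev_t(); since the line sits right next to the touched sys_open() calls, `vsnprintf(buf, sizeof buf, fmt, args)` would make the two functions consistent.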
69177 +@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
69178 +
69179 + mount_root();
69180 + out:
69181 +- sys_mount(".", "/", NULL, MS_MOVE, NULL);
69182 +- sys_chroot(".");
69183 ++ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
69184 ++ sys_chroot((char __user *)".");
69185 + security_sb_post_mountroot();
69186 + }
69187 +
69188 +diff -urNp linux-2.6.24.5/init/do_mounts.h linux-2.6.24.5/init/do_mounts.h
69189 +--- linux-2.6.24.5/init/do_mounts.h 2008-03-24 14:49:18.000000000 -0400
69190 ++++ linux-2.6.24.5/init/do_mounts.h 2008-03-26 20:21:09.000000000 -0400
69191 +@@ -15,15 +15,15 @@ extern char *root_device_name;
69192 +
69193 + static inline int create_dev(char *name, dev_t dev)
69194 + {
69195 +- sys_unlink(name);
69196 +- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
69197 ++ sys_unlink((char __user *)name);
69198 ++ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
69199 + }
69200 +
69201 + #if BITS_PER_LONG == 32
69202 + static inline u32 bstat(char *name)
69203 + {
69204 + struct stat64 stat;
69205 +- if (sys_stat64(name, &stat) != 0)
69206 ++ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
69207 + return 0;
69208 + if (!S_ISBLK(stat.st_mode))
69209 + return 0;
69210 +diff -urNp linux-2.6.24.5/init/do_mounts_md.c linux-2.6.24.5/init/do_mounts_md.c
69211 +--- linux-2.6.24.5/init/do_mounts_md.c 2008-03-24 14:49:18.000000000 -0400
69212 ++++ linux-2.6.24.5/init/do_mounts_md.c 2008-03-26 20:21:09.000000000 -0400
69213 +@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
69214 + partitioned ? "_d" : "", minor,
69215 + md_setup_args[ent].device_names);
69216 +
69217 +- fd = sys_open(name, 0, 0);
69218 ++ fd = sys_open((char __user *)name, 0, 0);
69219 + if (fd < 0) {
69220 + printk(KERN_ERR "md: open failed - cannot start "
69221 + "array %s\n", name);
69222 +@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
69223 + * array without it
69224 + */
69225 + sys_close(fd);
69226 +- fd = sys_open(name, 0, 0);
69227 ++ fd = sys_open((char __user *)name, 0, 0);
69228 + sys_ioctl(fd, BLKRRPART, 0);
69229 + }
69230 + sys_close(fd);
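Review bot: the reopened descriptor `fd = sys_open((char __user *)name, 0, 0);` is handed straight to `sys_ioctl(fd, BLKRRPART, 0)` and `sys_close(fd)` without an `fd < 0` check, unlike the first open in the previous hunk. The omission is pre-existing, but as the line is being rewritten anyway, adding `if (fd >= 0)` around the ioctl and close costs nothing.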
69231 +@@ -271,7 +271,7 @@ void __init md_run_setup(void)
69232 + if (raid_noautodetect)
69233 + printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
69234 + else {
69235 +- int fd = sys_open("/dev/md0", 0, 0);
69236 ++ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
69237 + if (fd >= 0) {
69238 + sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
69239 + sys_close(fd);
69240 +diff -urNp linux-2.6.24.5/init/initramfs.c linux-2.6.24.5/init/initramfs.c
69241 +--- linux-2.6.24.5/init/initramfs.c 2008-03-24 14:49:18.000000000 -0400
69242 ++++ linux-2.6.24.5/init/initramfs.c 2008-03-26 20:21:09.000000000 -0400
69243 +@@ -240,7 +240,7 @@ static int __init maybe_link(void)
69244 + if (nlink >= 2) {
69245 + char *old = find_link(major, minor, ino, mode, collected);
69246 + if (old)
69247 +- return (sys_link(old, collected) < 0) ? -1 : 1;
69248 ++ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
69249 + }
69250 + return 0;
69251 + }
69252 +@@ -249,11 +249,11 @@ static void __init clean_path(char *path
69253 + {
69254 + struct stat st;
69255 +
69256 +- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
69257 ++ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
69258 + if (S_ISDIR(st.st_mode))
69259 +- sys_rmdir(path);
69260 ++ sys_rmdir((char __user *)path);
69261 + else
69262 +- sys_unlink(path);
69263 ++ sys_unlink((char __user *)path);
69264 + }
69265 + }
69266 +
69267 +@@ -276,7 +276,7 @@ static int __init do_name(void)
69268 + int openflags = O_WRONLY|O_CREAT;
69269 + if (ml != 1)
69270 + openflags |= O_TRUNC;
69271 +- wfd = sys_open(collected, openflags, mode);
69272 ++ wfd = sys_open((char __user *)collected, openflags, mode);
69273 +
69274 + if (wfd >= 0) {
69275 + sys_fchown(wfd, uid, gid);
69276 +@@ -285,15 +285,15 @@ static int __init do_name(void)
69277 + }
69278 + }
69279 + } else if (S_ISDIR(mode)) {
69280 +- sys_mkdir(collected, mode);
69281 +- sys_chown(collected, uid, gid);
69282 +- sys_chmod(collected, mode);
69283 ++ sys_mkdir((char __user *)collected, mode);
69284 ++ sys_chown((char __user *)collected, uid, gid);
69285 ++ sys_chmod((char __user *)collected, mode);
69286 + } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
69287 + S_ISFIFO(mode) || S_ISSOCK(mode)) {
69288 + if (maybe_link() == 0) {
69289 +- sys_mknod(collected, mode, rdev);
69290 +- sys_chown(collected, uid, gid);
69291 +- sys_chmod(collected, mode);
69292 ++ sys_mknod((char __user *)collected, mode, rdev);
69293 ++ sys_chown((char __user *)collected, uid, gid);
69294 ++ sys_chmod((char __user *)collected, mode);
69295 + }
69296 + }
69297 + return 0;
69298 +@@ -302,13 +302,13 @@ static int __init do_name(void)
69299 + static int __init do_copy(void)
69300 + {
69301 + if (count >= body_len) {
69302 +- sys_write(wfd, victim, body_len);
69303 ++ sys_write(wfd, (char __user *)victim, body_len);
69304 + sys_close(wfd);
69305 + eat(body_len);
69306 + state = SkipIt;
69307 + return 0;
69308 + } else {
69309 +- sys_write(wfd, victim, count);
69310 ++ sys_write(wfd, (char __user *)victim, count);
69311 + body_len -= count;
69312 + eat(count);
69313 + return 1;
69314 +@@ -319,8 +319,8 @@ static int __init do_symlink(void)
69315 + {
69316 + collected[N_ALIGN(name_len) + body_len] = '\0';
69317 + clean_path(collected, 0);
69318 +- sys_symlink(collected + N_ALIGN(name_len), collected);
69319 +- sys_lchown(collected, uid, gid);
69320 ++ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
69321 ++ sys_lchown((char __user *)collected, uid, gid);
69322 + state = SkipIt;
69323 + next_state = Reset;
69324 + return 0;
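Review bot: in `sys_symlink((char __user *)collected + N_ALIGN(name_len), ...)` the cast binds tighter than `+`, so the arithmetic is done on the cast pointer; that is correct for `char`, but `(char __user *)(collected + N_ALIGN(name_len))` reads unambiguously and matches the form used for the other arguments in this file.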
69325 +diff -urNp linux-2.6.24.5/init/Kconfig linux-2.6.24.5/init/Kconfig
69326 +--- linux-2.6.24.5/init/Kconfig 2008-03-24 14:49:18.000000000 -0400
69327 ++++ linux-2.6.24.5/init/Kconfig 2008-03-26 20:21:09.000000000 -0400
69328 +@@ -469,6 +469,7 @@ config SYSCTL_SYSCALL
69329 + config KALLSYMS
69330 + bool "Load all symbols for debugging/ksymoops" if EMBEDDED
69331 + default y
69332 ++ depends on !GRKERNSEC_HIDESYM
69333 + help
69334 + Say Y here to let the kernel print out symbolic crash information and
69335 + symbolic stack backtraces. This increases the size of the kernel
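Review bot: `depends on !GRKERNSEC_HIDESYM` makes KALLSYMS (and everything that depends on it) silently vanish from menuconfig once HIDESYM is selected, but the help text below still describes the option as freely selectable; a sentence in the help text noting the mutual exclusion with GRKERNSEC_HIDESYM would save users a search.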
69336 +diff -urNp linux-2.6.24.5/init/main.c linux-2.6.24.5/init/main.c
69337 +--- linux-2.6.24.5/init/main.c 2008-03-24 14:49:18.000000000 -0400
69338 ++++ linux-2.6.24.5/init/main.c 2008-03-26 20:21:09.000000000 -0400
69339 +@@ -101,6 +101,7 @@ static inline void mark_rodata_ro(void)
69340 + #ifdef CONFIG_TC
69341 + extern void tc_init(void);
69342 + #endif
69343 ++extern void grsecurity_init(void);
69344 +
69345 + enum system_states system_state;
69346 + EXPORT_SYMBOL(system_state);
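Review bot: `extern void grsecurity_init(void);` is declared directly in init/main.c; the patch already adds a linux/grsecurity.h that other files include, so the prototype belongs there rather than as a local extern.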
69347 +@@ -187,6 +188,17 @@ static int __init set_reset_devices(char
69348 +
69349 + __setup("reset_devices", set_reset_devices);
69350 +
69351 ++#ifdef CONFIG_PAX_SOFTMODE
69352 ++unsigned int pax_softmode;
69353 ++
69354 ++static int __init setup_pax_softmode(char *str)
69355 ++{
69356 ++ get_option(&str, &pax_softmode);
69357 ++ return 1;
69358 ++}
69359 ++__setup("pax_softmode=", setup_pax_softmode);
69360 ++#endif
69361 ++
69362 + static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
69363 + char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
69364 + static const char *panic_later, *panic_param;
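Review bot: `get_option(&str, &pax_softmode)` passes an `unsigned int *` where get_option() takes an `int *`, which gcc reports as an incompatible pointer type; either declare `pax_softmode` as `int` or parse into a local `int` and assign it. A short comment saying that any non-zero value enables soft mode would also document the accepted values of the `pax_softmode=` parameter.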
69365 +@@ -847,6 +859,8 @@ static int __init kernel_init(void * unu
69366 + prepare_namespace();
69367 + }
69368 +
69369 ++ grsecurity_init();
69370 ++
69371 + /*
69372 + * Ok, we have completed the initial bootup, and
69373 + * we're essentially up and running. Get rid of the
69374 +diff -urNp linux-2.6.24.5/init/noinitramfs.c linux-2.6.24.5/init/noinitramfs.c
69375 +--- linux-2.6.24.5/init/noinitramfs.c 2008-03-24 14:49:18.000000000 -0400
69376 ++++ linux-2.6.24.5/init/noinitramfs.c 2008-03-26 20:21:09.000000000 -0400
69377 +@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
69378 + {
69379 + int err;
69380 +
69381 +- err = sys_mkdir("/dev", 0755);
69382 ++ err = sys_mkdir((const char __user *)"/dev", 0755);
69383 + if (err < 0)
69384 + goto out;
69385 +
69386 +@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
69387 + if (err < 0)
69388 + goto out;
69389 +
69390 +- err = sys_mkdir("/root", 0700);
69391 ++ err = sys_mkdir((const char __user *)"/root", 0700);
69392 + if (err < 0)
69393 + goto out;
69394 +
69395 +diff -urNp linux-2.6.24.5/ipc/ipc_sysctl.c linux-2.6.24.5/ipc/ipc_sysctl.c
69396 +--- linux-2.6.24.5/ipc/ipc_sysctl.c 2008-03-24 14:49:18.000000000 -0400
69397 ++++ linux-2.6.24.5/ipc/ipc_sysctl.c 2008-03-26 20:21:09.000000000 -0400
69398 +@@ -157,7 +157,7 @@ static struct ctl_table ipc_kern_table[]
69399 + .proc_handler = proc_ipc_dointvec,
69400 + .strategy = sysctl_ipc_data,
69401 + },
69402 +- {}
69403 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
69404 + };
69405 +
69406 + static struct ctl_table ipc_root_table[] = {
69407 +@@ -167,7 +167,7 @@ static struct ctl_table ipc_root_table[]
69408 + .mode = 0555,
69409 + .child = ipc_kern_table,
69410 + },
69411 +- {}
69412 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
69413 + };
69414 +
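Review bot: replacing the `{}` terminators with a positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` ties these two tables to the exact field count and order of struct ctl_table; any later change to the struct silently breaks the initializer. If an empty brace list is the concern, `{ .ctl_name = 0 }` is equivalent and self-maintaining.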
69415 + static int __init ipc_sysctl_init(void)
69416 +diff -urNp linux-2.6.24.5/ipc/msg.c linux-2.6.24.5/ipc/msg.c
69417 +--- linux-2.6.24.5/ipc/msg.c 2008-03-24 14:49:18.000000000 -0400
69418 ++++ linux-2.6.24.5/ipc/msg.c 2008-03-26 20:21:09.000000000 -0400
69419 +@@ -36,6 +36,7 @@
69420 + #include <linux/seq_file.h>
69421 + #include <linux/rwsem.h>
69422 + #include <linux/nsproxy.h>
69423 ++#include <linux/grsecurity.h>
69424 +
69425 + #include <asm/current.h>
69426 + #include <asm/uaccess.h>
69427 +@@ -315,6 +316,7 @@ asmlinkage long sys_msgget(key_t key, in
69428 + struct ipc_namespace *ns;
69429 + struct ipc_ops msg_ops;
69430 + struct ipc_params msg_params;
69431 ++ long err;
69432 +
69433 + ns = current->nsproxy->ipc_ns;
69434 +
69435 +@@ -325,7 +327,11 @@ asmlinkage long sys_msgget(key_t key, in
69436 + msg_params.key = key;
69437 + msg_params.flg = msgflg;
69438 +
69439 +- return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
69440 ++ err = ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
69441 ++
69442 ++ gr_log_msgget(err, msgflg);
69443 ++
69444 ++ return err;
69445 + }
69446 +
69447 + static inline unsigned long
69448 +@@ -586,6 +592,7 @@ asmlinkage long sys_msgctl(int msqid, in
69449 + break;
69450 + }
69451 + case IPC_RMID:
69452 ++ gr_log_msgrm(ipcp->uid, ipcp->cuid);
69453 + freeque(ns, msq);
69454 + break;
69455 + }
69456 +diff -urNp linux-2.6.24.5/ipc/sem.c linux-2.6.24.5/ipc/sem.c
69457 +--- linux-2.6.24.5/ipc/sem.c 2008-03-24 14:49:18.000000000 -0400
69458 ++++ linux-2.6.24.5/ipc/sem.c 2008-03-26 20:21:09.000000000 -0400
69459 +@@ -82,6 +82,7 @@
69460 + #include <linux/seq_file.h>
69461 + #include <linux/rwsem.h>
69462 + #include <linux/nsproxy.h>
69463 ++#include <linux/grsecurity.h>
69464 +
69465 + #include <asm/uaccess.h>
69466 + #include "util.h"
69467 +@@ -334,6 +335,7 @@ asmlinkage long sys_semget(key_t key, in
69468 + struct ipc_namespace *ns;
69469 + struct ipc_ops sem_ops;
69470 + struct ipc_params sem_params;
69471 ++ long err;
69472 +
69473 + ns = current->nsproxy->ipc_ns;
69474 +
69475 +@@ -348,7 +350,11 @@ asmlinkage long sys_semget(key_t key, in
69476 + sem_params.flg = semflg;
69477 + sem_params.u.nsems = nsems;
69478 +
69479 +- return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
69480 ++ err = ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
69481 ++
69482 ++ gr_log_semget(err, semflg);
69483 ++
69484 ++ return err;
69485 + }
69486 +
69487 + /* Manage the doubly linked list sma->sem_pending as a FIFO:
69488 +@@ -936,6 +942,7 @@ static int semctl_down(struct ipc_namesp
69489 +
69490 + switch(cmd){
69491 + case IPC_RMID:
69492 ++ gr_log_semrm(ipcp->uid, ipcp->cuid);
69493 + freeary(ns, sma);
69494 + err = 0;
69495 + break;
69496 +diff -urNp linux-2.6.24.5/ipc/shm.c linux-2.6.24.5/ipc/shm.c
69497 +--- linux-2.6.24.5/ipc/shm.c 2008-03-24 14:49:18.000000000 -0400
69498 ++++ linux-2.6.24.5/ipc/shm.c 2008-03-26 20:21:09.000000000 -0400
69499 +@@ -38,6 +38,7 @@
69500 + #include <linux/rwsem.h>
69501 + #include <linux/nsproxy.h>
69502 + #include <linux/mount.h>
69503 ++#include <linux/grsecurity.h>
69504 +
69505 + #include <asm/uaccess.h>
69506 +
69507 +@@ -71,6 +72,14 @@ static void shm_destroy (struct ipc_name
69508 + static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
69509 + #endif
69510 +
69511 ++#ifdef CONFIG_GRKERNSEC
69512 ++extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
69513 ++ const time_t shm_createtime, const uid_t cuid,
69514 ++ const int shmid);
69515 ++extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
69516 ++ const time_t shm_createtime);
69517 ++#endif
69518 ++
69519 + static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
69520 + {
69521 + ns->ids[IPC_SHM_IDS] = ids;
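Review bot: the `gr_handle_shmat()` and `gr_chroot_shmat()` prototypes are declared as local externs under `#ifdef CONFIG_GRKERNSEC` even though this file now includes linux/grsecurity.h; moving them into that header (with no-op stubs for !CONFIG_GRKERNSEC, as `gr_log_shmrm()` evidently has, since it is called unconditionally below) would remove the ifdef and keep the signatures in one place.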
69522 +@@ -87,6 +96,8 @@ static void __shm_init_ns(struct ipc_nam
69523 + */
69524 + static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
69525 + {
69526 ++ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
69527 ++
69528 + if (shp->shm_nattch){
69529 + shp->shm_perm.mode |= SHM_DEST;
69530 + /* Do not find it any more */
69531 +@@ -443,6 +454,14 @@ static int newseg(struct ipc_namespace *
69532 + shp->shm_lprid = 0;
69533 + shp->shm_atim = shp->shm_dtim = 0;
69534 + shp->shm_ctim = get_seconds();
69535 ++#ifdef CONFIG_GRKERNSEC
69536 ++ {
69537 ++ struct timespec timeval;
69538 ++ do_posix_clock_monotonic_gettime(&timeval);
69539 ++
69540 ++ shp->shm_createtime = timeval.tv_sec;
69541 ++ }
69542 ++#endif
69543 + shp->shm_segsz = size;
69544 + shp->shm_nattch = 0;
69545 + shp->shm_perm.id = shm_buildid(id, shp->shm_perm.seq);
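Review bot: `shp->shm_createtime` is taken from do_posix_clock_monotonic_gettime() while the adjacent `shp->shm_ctim` uses get_seconds(), so the two timestamps are on different clocks and cannot be compared; if monotonic time is chosen deliberately (immune to wall-clock changes), a comment saying so would stop a later reader from "fixing" it.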
69546 +@@ -497,6 +516,7 @@ asmlinkage long sys_shmget (key_t key, s
69547 + struct ipc_namespace *ns;
69548 + struct ipc_ops shm_ops;
69549 + struct ipc_params shm_params;
69550 ++ long err;
69551 +
69552 + ns = current->nsproxy->ipc_ns;
69553 +
69554 +@@ -508,7 +528,11 @@ asmlinkage long sys_shmget (key_t key, s
69555 + shm_params.flg = shmflg;
69556 + shm_params.u.size = size;
69557 +
69558 +- return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
69559 ++ err = ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
69560 ++
69561 ++ gr_log_shmget(err, shmflg, size);
69562 ++
69563 ++ return err;
69564 + }
69565 +
69566 + static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
69567 +@@ -974,9 +998,21 @@ long do_shmat(int shmid, char __user *sh
69568 + if (err)
69569 + goto out_unlock;
69570 +
69571 ++#ifdef CONFIG_GRKERNSEC
69572 ++ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
69573 ++ shp->shm_perm.cuid, shmid) ||
69574 ++ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
69575 ++ err = -EACCES;
69576 ++ goto out_unlock;
69577 ++ }
69578 ++#endif
69579 ++
69580 + path.dentry = dget(shp->shm_file->f_path.dentry);
69581 + path.mnt = shp->shm_file->f_path.mnt;
69582 + shp->shm_nattch++;
69583 ++#ifdef CONFIG_GRKERNSEC
69584 ++ shp->shm_lapid = current->pid;
69585 ++#endif
69586 + size = i_size_read(path.dentry->d_inode);
69587 + shm_unlock(shp);
69588 +
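Review bot: `shp->shm_lapid = current->pid` is assigned after the gr_handle_shmat()/gr_chroot_shmat() check, so the check sees the previous attacher's pid, not the current one; if that is the intent it deserves a comment. Also worth confirming whether the thread id (`current->pid`) or the thread group id (`current->tgid`) is what the check is meant to compare against, since a multi-threaded attacher will record a different value per thread.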
69589 +diff -urNp linux-2.6.24.5/kernel/acct.c linux-2.6.24.5/kernel/acct.c
69590 +--- linux-2.6.24.5/kernel/acct.c 2008-03-24 14:49:18.000000000 -0400
69591 ++++ linux-2.6.24.5/kernel/acct.c 2008-03-26 20:21:09.000000000 -0400
69592 +@@ -511,7 +511,7 @@ static void do_acct_process(struct file
69593 + */
69594 + flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
69595 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
69596 +- file->f_op->write(file, (char *)&ac,
69597 ++ file->f_op->write(file, (char __user *)&ac,
69598 + sizeof(acct_t), &file->f_pos);
69599 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
69600 + set_fs(fs);
69601 +diff -urNp linux-2.6.24.5/kernel/capability.c linux-2.6.24.5/kernel/capability.c
69602 +--- linux-2.6.24.5/kernel/capability.c 2008-03-24 14:49:18.000000000 -0400
69603 ++++ linux-2.6.24.5/kernel/capability.c 2008-03-26 20:21:09.000000000 -0400
69604 +@@ -13,6 +13,7 @@
69605 + #include <linux/security.h>
69606 + #include <linux/syscalls.h>
69607 + #include <linux/pid_namespace.h>
69608 ++#include <linux/grsecurity.h>
69609 + #include <asm/uaccess.h>
69610 +
69611 + /*
69612 +@@ -233,15 +234,25 @@ out:
69613 +
69614 + int __capable(struct task_struct *t, int cap)
69615 + {
69616 +- if (security_capable(t, cap) == 0) {
69617 ++ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
69618 + t->flags |= PF_SUPERPRIV;
69619 + return 1;
69620 + }
69621 + return 0;
69622 + }
69623 +
69624 ++int capable_nolog(int cap)
69625 ++{
69626 ++ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
69627 ++ current->flags |= PF_SUPERPRIV;
69628 ++ return 1;
69629 ++ }
69630 ++ return 0;
69631 ++}
69632 ++
69633 + int capable(int cap)
69634 + {
69635 + return __capable(current, cap);
69636 + }
69637 + EXPORT_SYMBOL(capable);
69638 ++EXPORT_SYMBOL(capable_nolog);
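Review bot: `capable_nolog()` duplicates the body of `__capable()` apart from the gr_* call, and the hunk shows no prototype for it despite the `EXPORT_SYMBOL(capable_nolog)`; declare it in linux/capability.h (or linux/grsecurity.h) so callers and sparse see it, and consider expressing it as `__capable()` with a flag or a shared static helper so the two stay in step.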
69639 +diff -urNp linux-2.6.24.5/kernel/configs.c linux-2.6.24.5/kernel/configs.c
69640 +--- linux-2.6.24.5/kernel/configs.c 2008-03-24 14:49:18.000000000 -0400
69641 ++++ linux-2.6.24.5/kernel/configs.c 2008-03-26 20:21:09.000000000 -0400
69642 +@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
69643 + struct proc_dir_entry *entry;
69644 +
69645 + /* create the current config file */
69646 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
69647 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
69648 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
69649 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69650 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
69651 ++#endif
69652 ++#else
69653 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
69654 + &proc_root);
69655 ++#endif
69656 + if (!entry)
69657 + return -ENOMEM;
69658 +
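Review bot: if CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch assigns `entry` and the following `if (!entry)` reads an uninitialized pointer; unless the Kconfig guarantees one of the two, add an `#else` fallback (or `#error`) inside the PROC_ADD block.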
69659 +diff -urNp linux-2.6.24.5/kernel/cpu.c linux-2.6.24.5/kernel/cpu.c
69660 +--- linux-2.6.24.5/kernel/cpu.c 2008-03-24 14:49:18.000000000 -0400
69661 ++++ linux-2.6.24.5/kernel/cpu.c 2008-03-26 20:21:16.000000000 -0400
69662 +@@ -19,7 +19,7 @@
69663 + static DEFINE_MUTEX(cpu_add_remove_lock);
69664 + static DEFINE_MUTEX(cpu_bitmask_lock);
69665 +
69666 +-static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
69667 ++static RAW_NOTIFIER_HEAD(cpu_chain);
69668 +
69669 + /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
69670 + * Should always be manipulated under cpu_add_remove_lock
69671 +@@ -66,7 +66,7 @@ EXPORT_SYMBOL_GPL(unlock_cpu_hotplug);
69672 + #endif /* CONFIG_HOTPLUG_CPU */
69673 +
69674 + /* Need to know about CPUs going up/down? */
69675 +-int __cpuinit register_cpu_notifier(struct notifier_block *nb)
69676 ++int register_cpu_notifier(struct notifier_block *nb)
69677 + {
69678 + int ret;
69679 + mutex_lock(&cpu_add_remove_lock);
69680 +diff -urNp linux-2.6.24.5/kernel/exit.c linux-2.6.24.5/kernel/exit.c
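Review bot: dropping `__cpuinitdata` from `cpu_chain` and `__cpuinit` from `register_cpu_notifier()` keeps both resident after init, but nothing in the hunk says why; a comment stating the reason (for example a caller that runs after the init sections are discarded) would keep the next person from re-adding the annotations.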
69681 +--- linux-2.6.24.5/kernel/exit.c 2008-03-24 14:49:18.000000000 -0400
69682 ++++ linux-2.6.24.5/kernel/exit.c 2008-03-26 20:21:09.000000000 -0400
69683 +@@ -44,6 +44,11 @@
69684 + #include <linux/resource.h>
69685 + #include <linux/blkdev.h>
69686 + #include <linux/task_io_accounting_ops.h>
69687 ++#include <linux/grsecurity.h>
69688 ++
69689 ++#ifdef CONFIG_GRKERNSEC
69690 ++extern rwlock_t grsec_exec_file_lock;
69691 ++#endif
69692 +
69693 + #include <asm/uaccess.h>
69694 + #include <asm/unistd.h>
69695 +@@ -122,6 +127,7 @@ static void __exit_signal(struct task_st
69696 +
69697 + __unhash_process(tsk);
69698 +
69699 ++ gr_del_task_from_ip_table(tsk);
69700 + tsk->signal = NULL;
69701 + tsk->sighand = NULL;
69702 + spin_unlock(&sighand->siglock);
69703 +@@ -273,12 +279,23 @@ static void reparent_to_kthreadd(void)
69704 + {
69705 + write_lock_irq(&tasklist_lock);
69706 +
69707 ++#ifdef CONFIG_GRKERNSEC
69708 ++ write_lock(&grsec_exec_file_lock);
69709 ++ if (current->exec_file) {
69710 ++ fput(current->exec_file);
69711 ++ current->exec_file = NULL;
69712 ++ }
69713 ++ write_unlock(&grsec_exec_file_lock);
69714 ++#endif
69715 ++
69716 + ptrace_unlink(current);
69717 + /* Reparent to init */
69718 + remove_parent(current);
69719 + current->real_parent = current->parent = kthreadd_task;
69720 + add_parent(current);
69721 +
69722 ++ gr_set_kernel_label(current);
69723 ++
69724 + /* Set the exit signal to SIGCHLD so we signal init on exit */
69725 + current->exit_signal = SIGCHLD;
69726 +
69727 +@@ -373,6 +390,17 @@ void daemonize(const char *name, ...)
69728 + vsnprintf(current->comm, sizeof(current->comm), name, args);
69729 + va_end(args);
69730 +
69731 ++#ifdef CONFIG_GRKERNSEC
69732 ++ write_lock(&grsec_exec_file_lock);
69733 ++ if (current->exec_file) {
69734 ++ fput(current->exec_file);
69735 ++ current->exec_file = NULL;
69736 ++ }
69737 ++ write_unlock(&grsec_exec_file_lock);
69738 ++#endif
69739 ++
69740 ++ gr_set_kernel_label(current);
69741 ++
69742 + /*
69743 + * If we were started as result of loading a module, close all of the
69744 + * user space pages. We don't need them, and if we didn't close them
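Review bot: this exec_file release block (`write_lock(&grsec_exec_file_lock)` ... `write_unlock`) is a verbatim copy of the one added to reparent_to_kthreadd() in the previous hunk, and both are followed by the same `gr_set_kernel_label(current)` call; a single helper (a hypothetical `gr_drop_exec_file(current)` in linux/grsecurity.h) would remove the duplication and the two `#ifdef CONFIG_GRKERNSEC` blocks from kernel/exit.c.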
69745 +@@ -990,6 +1018,9 @@ fastcall NORET_TYPE void do_exit(long co
69746 + tsk->exit_code = code;
69747 + taskstats_exit(tsk, group_dead);
69748 +
69749 ++ gr_acl_handle_psacct(tsk, code);
69750 ++ gr_acl_handle_exit();
69751 ++
69752 + exit_mm(tsk);
69753 +
69754 + if (group_dead)
69755 +@@ -1200,7 +1231,7 @@ static int wait_task_zombie(struct task_
69756 + pid_t pid = task_pid_nr_ns(p, ns);
69757 + uid_t uid = p->uid;
69758 + int exit_code = p->exit_code;
69759 +- int why, status;
69760 ++ int why;
69761 +
69762 + if (unlikely(p->exit_state != EXIT_ZOMBIE))
69763 + return 0;
69764 +diff -urNp linux-2.6.24.5/kernel/fork.c linux-2.6.24.5/kernel/fork.c
69765 +--- linux-2.6.24.5/kernel/fork.c 2008-03-24 14:49:18.000000000 -0400
69766 ++++ linux-2.6.24.5/kernel/fork.c 2008-03-26 20:21:09.000000000 -0400
69767 +@@ -51,6 +51,7 @@
69768 + #include <linux/random.h>
69769 + #include <linux/tty.h>
69770 + #include <linux/proc_fs.h>
69771 ++#include <linux/grsecurity.h>
69772 +
69773 + #include <asm/pgtable.h>
69774 + #include <asm/pgalloc.h>
69775 +@@ -180,7 +181,7 @@ static struct task_struct *dup_task_stru
69776 + }
69777 +
69778 + *tsk = *orig;
69779 +- tsk->stack = ti;
69780 ++ tsk->stack = (union thread_union *)ti;
69781 +
69782 + err = prop_local_init_single(&tsk->dirties);
69783 + if (err) {
69784 +@@ -192,7 +193,7 @@ static struct task_struct *dup_task_stru
69785 + setup_thread_stack(tsk, orig);
69786 +
69787 + #ifdef CONFIG_CC_STACKPROTECTOR
69788 +- tsk->stack_canary = get_random_int();
69789 ++ tsk->stack_canary = pax_get_random_long();
69790 + #endif
69791 +
69792 + /* One for us, one for whoever does the "release_task()" (usually parent) */
69793 +@@ -224,8 +225,8 @@ static int dup_mmap(struct mm_struct *mm
69794 + mm->locked_vm = 0;
69795 + mm->mmap = NULL;
69796 + mm->mmap_cache = NULL;
69797 +- mm->free_area_cache = oldmm->mmap_base;
69798 +- mm->cached_hole_size = ~0UL;
69799 ++ mm->free_area_cache = oldmm->free_area_cache;
69800 ++ mm->cached_hole_size = oldmm->cached_hole_size;
69801 + mm->map_count = 0;
69802 + cpus_clear(mm->cpu_vm_mask);
69803 + mm->mm_rb = RB_ROOT;
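Review bot: initializing `mm->free_area_cache` and `mm->cached_hole_size` from the parent instead of `oldmm->mmap_base` / `~0UL` changes where the child's first new mapping is placed relative to mainline; since the two fields are only a search hint it is safe, but the rationale (presumably to keep the child's layout matching the parent's, which the SEGMEXEC mirror code below relies on) should be stated in a comment.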
69804 +@@ -262,6 +263,7 @@ static int dup_mmap(struct mm_struct *mm
69805 + tmp->vm_flags &= ~VM_LOCKED;
69806 + tmp->vm_mm = mm;
69807 + tmp->vm_next = NULL;
69808 ++ tmp->vm_mirror = NULL;
69809 + anon_vma_link(tmp);
69810 + file = tmp->vm_file;
69811 + if (file) {
69812 +@@ -298,6 +300,31 @@ static int dup_mmap(struct mm_struct *mm
69813 + if (retval)
69814 + goto out;
69815 + }
69816 ++
69817 ++#ifdef CONFIG_PAX_SEGMEXEC
69818 ++ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
69819 ++ struct vm_area_struct *mpnt_m;
69820 ++
69821 ++ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
69822 ++ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
69823 ++
69824 ++ if (!mpnt->vm_mirror)
69825 ++ continue;
69826 ++
69827 ++ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
69828 ++ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
69829 ++ mpnt->vm_mirror = mpnt_m;
69830 ++ } else {
69831 ++ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
69832 ++ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
69833 ++ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
69834 ++ mpnt->vm_mirror->vm_mirror = mpnt;
69835 ++ }
69836 ++ }
69837 ++ BUG_ON(mpnt_m);
69838 ++ }
69839 ++#endif
69840 ++
69841 + /* a new mm has just been created */
69842 + arch_dup_mmap(oldmm, mm);
69843 + retval = 0;
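Review bot: the mirror fix-up loop temporarily repurposes the parent's `mpnt->vm_mirror` (pointing it at the child's vma `mpnt_m` for mappings below SEGMEXEC_TASK_SIZE) and restores it when the matching high-half vma is reached via `mpnt->vm_mirror->vm_mirror = mpnt`; this is correct only because the vma list is address-sorted, so every low-half vma precedes its mirror, and because oldmm's mmap_sem is held for the whole walk. Both invariants deserve a comment above the loop, since the BUG_ON()s check the result but not the reason.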
69844 +@@ -475,7 +502,7 @@ void mm_release(struct task_struct *tsk,
69845 + if (tsk->clear_child_tid
69846 + && !(tsk->flags & PF_SIGNALED)
69847 + && atomic_read(&mm->mm_users) > 1) {
69848 +- u32 __user * tidptr = tsk->clear_child_tid;
69849 ++ pid_t __user * tidptr = tsk->clear_child_tid;
69850 + tsk->clear_child_tid = NULL;
69851 +
69852 + /*
69853 +@@ -483,7 +510,7 @@ void mm_release(struct task_struct *tsk,
69854 + * not set up a proper pointer then tough luck.
69855 + */
69856 + put_user(0, tidptr);
69857 +- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
69858 ++ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
69859 + }
69860 + }
69861 +
69862 +@@ -1015,6 +1042,9 @@ static struct task_struct *copy_process(
69863 + DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
69864 + #endif
69865 + retval = -EAGAIN;
69866 ++
69867 ++ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
69868 ++
69869 + if (atomic_read(&p->user->processes) >=
69870 + p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
69871 + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
69872 +@@ -1169,6 +1199,8 @@ static struct task_struct *copy_process(
69873 + if (clone_flags & CLONE_THREAD)
69874 + p->tgid = current->tgid;
69875 +
69876 ++ gr_copy_label(p);
69877 ++
69878 + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
69879 + /*
69880 + * Clear TID on mm_release()?
69881 +@@ -1356,6 +1388,8 @@ bad_fork_cleanup_count:
69882 + bad_fork_free:
69883 + free_task(p);
69884 + fork_out:
69885 ++ gr_log_forkfail(retval);
69886 ++
69887 + return ERR_PTR(retval);
69888 + }
69889 +
69890 +@@ -1437,6 +1471,8 @@ long do_fork(unsigned long clone_flags,
69891 + if (clone_flags & CLONE_PARENT_SETTID)
69892 + put_user(nr, parent_tidptr);
69893 +
69894 ++ gr_handle_brute_check();
69895 ++
69896 + if (clone_flags & CLONE_VFORK) {
69897 + p->vfork_done = &vfork;
69898 + init_completion(&vfork);
69899 +diff -urNp linux-2.6.24.5/kernel/futex.c linux-2.6.24.5/kernel/futex.c
69900 +--- linux-2.6.24.5/kernel/futex.c 2008-03-24 14:49:18.000000000 -0400
69901 ++++ linux-2.6.24.5/kernel/futex.c 2008-03-26 20:21:09.000000000 -0400
69902 +@@ -192,6 +192,11 @@ static int get_futex_key(u32 __user *uad
69903 + struct page *page;
69904 + int err;
69905 +
69906 ++#ifdef CONFIG_PAX_SEGMEXEC
69907 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
69908 ++ return -EFAULT;
69909 ++#endif
69910 ++
69911 + /*
69912 + * The futex address must be "naturally" aligned.
69913 + */
69914 +@@ -218,8 +223,8 @@ static int get_futex_key(u32 __user *uad
69915 + * The futex is hashed differently depending on whether
69916 + * it's in a shared or private mapping. So check vma first.
69917 + */
69918 +- vma = find_extend_vma(mm, address);
69919 +- if (unlikely(!vma))
69920 ++ vma = find_vma(mm, address);
69921 ++ if (unlikely(!vma || address < vma->vm_start))
69922 + return -EFAULT;
69923 +
69924 + /*
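Review bot: switching `find_extend_vma()` to `find_vma()` plus `address < vma->vm_start` is a behaviour change beyond the SEGMEXEC range check above: a futex word that lies just below the current stack vma (inside the area the stack would grow into) now fails with -EFAULT instead of triggering stack growth. Call this out in the changelog or a comment so the new error is not mistaken for a regression.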
69925 +@@ -1962,7 +1967,7 @@ retry:
69926 + */
69927 + static inline int fetch_robust_entry(struct robust_list __user **entry,
69928 + struct robust_list __user * __user *head,
69929 +- int *pi)
69930 ++ unsigned int *pi)
69931 + {
69932 + unsigned long uentry;
69933 +
69934 +diff -urNp linux-2.6.24.5/kernel/irq/handle.c linux-2.6.24.5/kernel/irq/handle.c
69935 +--- linux-2.6.24.5/kernel/irq/handle.c 2008-03-24 14:49:18.000000000 -0400
69936 ++++ linux-2.6.24.5/kernel/irq/handle.c 2008-03-26 20:21:09.000000000 -0400
69937 +@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
69938 + .depth = 1,
69939 + .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
69940 + #ifdef CONFIG_SMP
69941 +- .affinity = CPU_MASK_ALL
69942 ++ .affinity = CPU_MASK_ALL,
69943 ++ .cpu = 0,
69944 + #endif
69945 + }
69946 + };
69947 +diff -urNp linux-2.6.24.5/kernel/kallsyms.c linux-2.6.24.5/kernel/kallsyms.c
69948 +--- linux-2.6.24.5/kernel/kallsyms.c 2008-03-24 14:49:18.000000000 -0400
69949 ++++ linux-2.6.24.5/kernel/kallsyms.c 2008-03-26 20:21:09.000000000 -0400
69950 +@@ -70,6 +70,19 @@ static inline int is_kernel_text(unsigne
69951 +
69952 + static inline int is_kernel(unsigned long addr)
69953 + {
69954 ++
69955 ++#ifdef CONFIG_PAX_KERNEXEC
69956 ++
69957 ++#ifdef CONFIG_MODULES
69958 ++ if ((unsigned long)MODULES_VADDR <= ktla_ktva(addr) &&
69959 ++ ktla_ktva(addr) < (unsigned long)MODULES_END)
69960 ++ return 0;
69961 ++#endif
69962 ++
69963 ++ if (is_kernel_inittext(addr))
69964 ++ return 1;
69965 ++#endif
69966 ++
69967 + if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
69968 + return 1;
69969 + return in_gate_area_no_task(addr);
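Review bot: there is a stray blank line between the opening brace of is_kernel() and the `#ifdef CONFIG_PAX_KERNEXEC` block, plus another after it; the kernel style puts the ifdef block directly after the brace with one blank line before the existing `_stext`/`_end` test.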
69970 +@@ -378,7 +391,6 @@ static unsigned long get_ksymbol_core(st
69971 +
69972 + static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
69973 + {
69974 +- iter->name[0] = '\0';
69975 + iter->nameoff = get_symbol_offset(new_pos);
69976 + iter->pos = new_pos;
69977 + }
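Review bot: removing `iter->name[0] = '\0';` from reset_iter() means the name is cleared only once, by the kzalloc() in the next hunk, and not on the later reset_iter() calls made when the seq_file is re-positioned; if no consumer depends on a cleared name after a seek this is fine, but if there is a reason the clear was dropped it should be stated, otherwise keeping the one-line reset is the safer option.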
69978 +@@ -462,7 +474,7 @@ static int kallsyms_open(struct inode *i
69979 + struct kallsym_iter *iter;
69980 + int ret;
69981 +
69982 +- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
69983 ++ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
69984 + if (!iter)
69985 + return -ENOMEM;
69986 + reset_iter(iter, 0);
69987 +@@ -486,7 +498,15 @@ static int __init kallsyms_init(void)
69988 + {
69989 + struct proc_dir_entry *entry;
69990 +
69991 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
69992 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
69993 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
69994 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69995 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
69996 ++#endif
69997 ++#else
69998 + entry = create_proc_entry("kallsyms", 0444, NULL);
69999 ++#endif
70000 + if (entry)
70001 + entry->proc_fops = &kallsyms_operations;
70002 + return 0;
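Review bot: same issue as in kernel/configs.c: with CONFIG_GRKERNSEC_PROC_ADD set and neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, `entry` is never assigned before `if (entry)`; add an `#else` fallback or an `#error` inside the PROC_ADD block unless Kconfig forces one of the two.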
70003 +diff -urNp linux-2.6.24.5/kernel/kmod.c linux-2.6.24.5/kernel/kmod.c
70004 +--- linux-2.6.24.5/kernel/kmod.c 2008-03-24 14:49:18.000000000 -0400
70005 ++++ linux-2.6.24.5/kernel/kmod.c 2008-03-26 20:21:09.000000000 -0400
70006 +@@ -107,7 +107,7 @@ int request_module(const char *fmt, ...)
70007 + return -ENOMEM;
70008 + }
70009 +
70010 +- ret = call_usermodehelper(modprobe_path, argv, envp, 1);
70011 ++ ret = call_usermodehelper(modprobe_path, argv, envp, UMH_WAIT_PROC);
70012 + atomic_dec(&kmod_concurrent);
70013 + return ret;
70014 + }
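Review bot: `UMH_WAIT_PROC` replaces the literal `1` in call_usermodehelper; confirm the enumerator has that value so this stays a readability-only change with no behaviour difference. It is a reasonable cleanup, but it is unrelated to hardening and would be easier to review as a separate patch.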
70015 +diff -urNp linux-2.6.24.5/kernel/kprobes.c linux-2.6.24.5/kernel/kprobes.c
70016 +--- linux-2.6.24.5/kernel/kprobes.c 2008-03-24 14:49:18.000000000 -0400
70017 ++++ linux-2.6.24.5/kernel/kprobes.c 2008-03-26 20:21:09.000000000 -0400
70018 +@@ -162,7 +162,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
70019 + * kernel image and loaded module images reside. This is required
70020 + * so x86_64 can correctly handle the %rip-relative fixups.
70021 + */
70022 +- kip->insns = module_alloc(PAGE_SIZE);
70023 ++ kip->insns = module_alloc_exec(PAGE_SIZE);
70024 + if (!kip->insns) {
70025 + kfree(kip);
70026 + return NULL;
70027 +@@ -194,7 +194,7 @@ static int __kprobes collect_one_slot(st
70028 + hlist_add_head(&kip->hlist,
70029 + &kprobe_insn_pages);
70030 + } else {
70031 +- module_free(NULL, kip->insns);
70032 ++ module_free_exec(NULL, kip->insns);
70033 + kfree(kip);
70034 + }
70035 + return 1;
70036 +diff -urNp linux-2.6.24.5/kernel/lockdep.c linux-2.6.24.5/kernel/lockdep.c
70037 +--- linux-2.6.24.5/kernel/lockdep.c 2008-03-24 14:49:18.000000000 -0400
70038 ++++ linux-2.6.24.5/kernel/lockdep.c 2008-03-26 20:21:16.000000000 -0400
70039 +@@ -598,6 +598,10 @@ static int static_obj(void *obj)
70040 + int i;
70041 + #endif
70042 +
70043 ++#ifdef CONFIG_PAX_KERNEXEC
70044 ++ start = (unsigned long )&_data;
70045 ++#endif
70046 ++
70047 + /*
70048 + * static variable?
70049 + */
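Review bot: `(unsigned long )&_data` has a stray space inside the cast, and the hunk references `_data` without adding an include, so confirm the symbol is declared by a header lockdep.c already pulls in rather than relying on an implicit declaration. A short comment on why, under CONFIG_PAX_KERNEXEC, the static-object range starts at `_data` instead of the text start would also help: as written the reader only sees `start` overwritten with no rationale.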
70050 +diff -urNp linux-2.6.24.5/kernel/module.c linux-2.6.24.5/kernel/module.c
70051 +--- linux-2.6.24.5/kernel/module.c 2008-03-24 14:49:18.000000000 -0400
70052 ++++ linux-2.6.24.5/kernel/module.c 2008-03-26 20:21:09.000000000 -0400
70053 +@@ -45,6 +45,11 @@
70054 + #include <asm/uaccess.h>
70055 + #include <asm/semaphore.h>
70056 + #include <asm/cacheflush.h>
70057 ++
70058 ++#ifdef CONFIG_PAX_KERNEXEC
70059 ++#include <asm/desc.h>
70060 ++#endif
70061 ++
70062 + #include <linux/license.h>
70063 +
70064 + extern int module_sysfs_initialized;
70065 +@@ -69,6 +74,8 @@ static LIST_HEAD(modules);
70066 +
70067 + static BLOCKING_NOTIFIER_HEAD(module_notify_list);
70068 +
70069 ++extern int gr_check_modstop(void);
70070 ++
70071 + int register_module_notifier(struct notifier_block * nb)
70072 + {
70073 + return blocking_notifier_chain_register(&module_notify_list, nb);
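Review bot: `extern int gr_check_modstop(void);` is declared ad hoc in module.c, while the other files in this patch (pid.c, ptrace.c, printk.c, sched.c, signal.c) take their gr_* prototypes from `<linux/grsecurity.h>`; put this one there too, so the compiler checks the call against the real definition instead of a local copy.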
70074 +@@ -349,7 +356,7 @@ static void *percpu_modalloc(unsigned lo
70075 + unsigned int i;
70076 + void *ptr;
70077 +
70078 +- if (align > PAGE_SIZE) {
70079 ++ if (align-1 >= PAGE_SIZE) {
70080 + printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
70081 + name, align, PAGE_SIZE);
70082 + align = PAGE_SIZE;
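Review bot: `align-1 >= PAGE_SIZE` differs from the original `align > PAGE_SIZE` only when `align == 0`, where the unsigned subtraction wraps and forces the clamp to PAGE_SIZE; that looks like the intent (an alignment of 0 would otherwise pass the check), but it reads like an off-by-one and the printk below would then report `0 > PAGE_SIZE`. Make it explicit with `if (align == 0 || align > PAGE_SIZE)` and a comment, or adjust the message.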
70083 +@@ -662,6 +669,9 @@ sys_delete_module(const char __user *nam
70084 + char name[MODULE_NAME_LEN];
70085 + int ret, forced = 0;
70086 +
70087 ++ if (gr_check_modstop())
70088 ++ return -EPERM;
70089 ++
70090 + if (!capable(CAP_SYS_MODULE))
70091 + return -EPERM;
70092 +
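Review bot: gr_check_modstop() runs before the CAP_SYS_MODULE test and returns the same -EPERM, so a failed rmmod cannot be distinguished by errno from a missing capability; if gr_check_modstop does not already emit an audit line, a logged message here (and in the matching sys_init_module hunk) would save an administrator time when module loading has been deliberately locked. Placing the check ahead of capable() is right for the feature: a modstop policy should bind root as well.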
70093 +@@ -1310,16 +1320,19 @@ static void free_module(struct module *m
70094 + module_unload_free(mod);
70095 +
70096 + /* This may be NULL, but that's OK */
70097 +- module_free(mod, mod->module_init);
70098 ++ module_free(mod, mod->module_init_rw);
70099 ++ module_free_exec(mod, mod->module_init_rx);
70100 + kfree(mod->args);
70101 + if (mod->percpu)
70102 + percpu_modfree(mod->percpu);
70103 +
70104 + /* Free lock-classes: */
70105 +- lockdep_free_key_range(mod->module_core, mod->core_size);
70106 ++ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
70107 ++ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
70108 +
70109 + /* Finally, free the core (containing the module structure) */
70110 +- module_free(mod, mod->module_core);
70111 ++ module_free_exec(mod, mod->module_core_rx);
70112 ++ module_free(mod, mod->module_core_rw);
70113 + }
70114 +
70115 + void *__symbol_get(const char *symbol)
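Review bot: the free order matters here and the comment should say so: `/* Finally, free the core (containing the module structure) */` now sits above two frees, and only `module_core_rw` can hold the `struct module` (it is the writable half), so `module_free_exec(mod, mod->module_core_rx)` must stay first. State that in the comment, otherwise a later reorder would free the struct and then dereference `mod` to free the rx half.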
70116 +@@ -1380,10 +1393,14 @@ static int simplify_symbols(Elf_Shdr *se
70117 + struct module *mod)
70118 + {
70119 + Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
70120 +- unsigned long secbase;
70121 ++ unsigned long secbase, symbol;
70122 + unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
70123 + int ret = 0;
70124 +
70125 ++#ifdef CONFIG_PAX_KERNEXEC
70126 ++ unsigned long cr0;
70127 ++#endif
70128 ++
70129 + for (i = 1; i < n; i++) {
70130 + switch (sym[i].st_shndx) {
70131 + case SHN_COMMON:
70132 +@@ -1402,10 +1419,19 @@ static int simplify_symbols(Elf_Shdr *se
70133 + break;
70134 +
70135 + case SHN_UNDEF:
70136 +- sym[i].st_value
70137 +- = resolve_symbol(sechdrs, versindex,
70138 ++ symbol = resolve_symbol(sechdrs, versindex,
70139 + strtab + sym[i].st_name, mod);
70140 +
70141 ++#ifdef CONFIG_PAX_KERNEXEC
70142 ++ pax_open_kernel(cr0);
70143 ++#endif
70144 ++
70145 ++ sym[i].st_value = symbol;
70146 ++
70147 ++#ifdef CONFIG_PAX_KERNEXEC
70148 ++ pax_close_kernel(cr0);
70149 ++#endif
70150 ++
70151 + /* Ok if resolved. */
70152 + if (sym[i].st_value != 0)
70153 + break;
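Review bot: pax_open_kernel/pax_close_kernel now bracket a single store per unresolved symbol inside the loop, toggling write protection once per iteration; for modules with thousands of symbols it would be cheaper to open once around the loop, at the cost of a longer writable window. Either choice is defensible, but it should be stated in a comment. Minor: the `/* Ok if resolved. */` test re-reads `sym[i].st_value` from the just-written, now read-only table; testing the local `symbol` is clearer.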
70154 +@@ -1420,11 +1446,27 @@ static int simplify_symbols(Elf_Shdr *se
70155 +
70156 + default:
70157 + /* Divert to percpu allocation if a percpu var. */
70158 +- if (sym[i].st_shndx == pcpuindex)
70159 ++ if (sym[i].st_shndx == pcpuindex) {
70160 ++
70161 ++#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
70162 ++ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
70163 ++#else
70164 + secbase = (unsigned long)mod->percpu;
70165 +- else
70166 ++#endif
70167 ++
70168 ++ } else
70169 + secbase = sechdrs[sym[i].st_shndx].sh_addr;
70170 ++
70171 ++#ifdef CONFIG_PAX_KERNEXEC
70172 ++ pax_open_kernel(cr0);
70173 ++#endif
70174 ++
70175 + sym[i].st_value += secbase;
70176 ++
70177 ++#ifdef CONFIG_PAX_KERNEXEC
70178 ++ pax_close_kernel(cr0);
70179 ++#endif
70180 ++
70181 + break;
70182 + }
70183 + }
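Review bot: the `#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)` adjustment of `secbase` by `__per_cpu_start` is unrelated to CONFIG_PAX_KERNEXEC and changes percpu symbol relocation on every 32-bit SMP build, hardened or not; split it into its own patch with its own explanation. The blank line after `if (sym[i].st_shndx == pcpuindex) {` and the unbraced `} else` branch are style nits.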
70184 +@@ -1476,11 +1518,14 @@ static void layout_sections(struct modul
70185 + || strncmp(secstrings + s->sh_name,
70186 + ".init", 5) == 0)
70187 + continue;
70188 +- s->sh_entsize = get_offset(&mod->core_size, s);
70189 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
70190 ++ s->sh_entsize = get_offset(&mod->core_size_rw, s);
70191 ++ else
70192 ++ s->sh_entsize = get_offset(&mod->core_size_rx, s);
70193 + DEBUGP("\t%s\n", secstrings + s->sh_name);
70194 + }
70195 + if (m == 0)
70196 +- mod->core_text_size = mod->core_size;
70197 ++ mod->core_size_rx = mod->core_size_rx;
70198 + }
70199 +
70200 + DEBUGP("Init section allocation order:\n");
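Review bot: `mod->core_size_rx = mod->core_size_rx;` is a self-assignment, and the same no-op appears for `init_size_rx` in the next hunk; the `if (m == 0)` blocks that used to record `core_text_size`/`init_text_size` are now dead and should be deleted rather than left as a puzzle. Note the consequence: with `core_text_size` gone, the rx size covers every allocated non-writable section, read-only data included, and that wider range is what `__module_text_address` later in this patch tests against.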
70201 +@@ -1494,12 +1539,15 @@ static void layout_sections(struct modul
70202 + || strncmp(secstrings + s->sh_name,
70203 + ".init", 5) != 0)
70204 + continue;
70205 +- s->sh_entsize = (get_offset(&mod->init_size, s)
70206 +- | INIT_OFFSET_MASK);
70207 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
70208 ++ s->sh_entsize = get_offset(&mod->init_size_rw, s);
70209 ++ else
70210 ++ s->sh_entsize = get_offset(&mod->init_size_rx, s);
70211 ++ s->sh_entsize |= INIT_OFFSET_MASK;
70212 + DEBUGP("\t%s\n", secstrings + s->sh_name);
70213 + }
70214 + if (m == 0)
70215 +- mod->init_text_size = mod->init_size;
70216 ++ mod->init_size_rx = mod->init_size_rx;
70217 + }
70218 + }
70219 +
70220 +@@ -1626,14 +1674,31 @@ static void add_kallsyms(struct module *
70221 + {
70222 + unsigned int i;
70223 +
70224 ++#ifdef CONFIG_PAX_KERNEXEC
70225 ++ unsigned long cr0;
70226 ++#endif
70227 ++
70228 + mod->symtab = (void *)sechdrs[symindex].sh_addr;
70229 + mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
70230 + mod->strtab = (void *)sechdrs[strindex].sh_addr;
70231 +
70232 + /* Set types up while we still have access to sections. */
70233 +- for (i = 0; i < mod->num_symtab; i++)
70234 +- mod->symtab[i].st_info
70235 +- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
70236 ++
70237 ++ for (i = 0; i < mod->num_symtab; i++) {
70238 ++ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
70239 ++
70240 ++#ifdef CONFIG_PAX_KERNEXEC
70241 ++ pax_open_kernel(cr0);
70242 ++#endif
70243 ++
70244 ++ mod->symtab[i].st_info = type;
70245 ++
70246 ++#ifdef CONFIG_PAX_KERNEXEC
70247 ++ pax_close_kernel(cr0);
70248 ++#endif
70249 ++
70250 ++ }
70251 ++
70252 + }
70253 + #else
70254 + static inline void add_kallsyms(struct module *mod,
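Review bot: same pattern as simplify_symbols: pax_open_kernel/pax_close_kernel per iteration around a one-byte store to `st_info`; since `elf_type()` is computed before the open, the loop could open once around the whole loop instead. The empty lines after `#endif` and before the closing brace, and the blank line inserted between the comment and the loop, are whitespace noise.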
70255 +@@ -1683,6 +1748,10 @@ static struct module *load_module(void _
70256 + struct exception_table_entry *extable;
70257 + mm_segment_t old_fs;
70258 +
70259 ++#ifdef CONFIG_PAX_KERNEXEC
70260 ++ unsigned long cr0;
70261 ++#endif
70262 ++
70263 + DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
70264 + umod, len, uargs);
70265 + if (len < sizeof(*hdr))
70266 +@@ -1841,21 +1910,57 @@ static struct module *load_module(void _
70267 + layout_sections(mod, hdr, sechdrs, secstrings);
70268 +
70269 + /* Do the allocs. */
70270 +- ptr = module_alloc(mod->core_size);
70271 ++ ptr = module_alloc(mod->core_size_rw);
70272 + if (!ptr) {
70273 + err = -ENOMEM;
70274 + goto free_percpu;
70275 + }
70276 +- memset(ptr, 0, mod->core_size);
70277 +- mod->module_core = ptr;
70278 ++ memset(ptr, 0, mod->core_size_rw);
70279 ++ mod->module_core_rw = ptr;
70280 +
70281 +- ptr = module_alloc(mod->init_size);
70282 +- if (!ptr && mod->init_size) {
70283 ++ ptr = module_alloc(mod->init_size_rw);
70284 ++ if (!ptr && mod->init_size_rw) {
70285 ++ err = -ENOMEM;
70286 ++ goto free_core_rw;
70287 ++ }
70288 ++ memset(ptr, 0, mod->init_size_rw);
70289 ++ mod->module_init_rw = ptr;
70290 ++
70291 ++ ptr = module_alloc_exec(mod->core_size_rx);
70292 ++ if (!ptr) {
70293 + err = -ENOMEM;
70294 +- goto free_core;
70295 ++ goto free_init_rw;
70296 + }
70297 +- memset(ptr, 0, mod->init_size);
70298 +- mod->module_init = ptr;
70299 ++
70300 ++#ifdef CONFIG_PAX_KERNEXEC
70301 ++ pax_open_kernel(cr0);
70302 ++#endif
70303 ++
70304 ++ memset(ptr, 0, mod->core_size_rx);
70305 ++
70306 ++#ifdef CONFIG_PAX_KERNEXEC
70307 ++ pax_close_kernel(cr0);
70308 ++#endif
70309 ++
70310 ++ mod->module_core_rx = ptr;
70311 ++
70312 ++ ptr = module_alloc_exec(mod->init_size_rx);
70313 ++ if (!ptr && mod->init_size_rx) {
70314 ++ err = -ENOMEM;
70315 ++ goto free_core_rx;
70316 ++ }
70317 ++
70318 ++#ifdef CONFIG_PAX_KERNEXEC
70319 ++ pax_open_kernel(cr0);
70320 ++#endif
70321 ++
70322 ++ memset(ptr, 0, mod->init_size_rx);
70323 ++
70324 ++#ifdef CONFIG_PAX_KERNEXEC
70325 ++ pax_close_kernel(cr0);
70326 ++#endif
70327 ++
70328 ++ mod->module_init_rx = ptr;
70329 +
70330 + /* Transfer each section which specifies SHF_ALLOC */
70331 + DEBUGP("final section addresses:\n");
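Review bot: the four allocations keep the old `if (!ptr && size)` idiom, so a zero-sized init region yields `ptr == NULL` followed by `memset(NULL, 0, 0)`, harmless only because the length is zero; that was already true before the split but is now repeated for two init regions, one of them under pax_open_kernel, and deserves a comment. The core_rx and init_rx memsets each open and close the kernel separately and could share one window. The `goto free_*` targets must stay in this exact order (core_rw, init_rw, core_rx, init_rx) to match the cleanup chain later in the file.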
70332 +@@ -1865,17 +1970,41 @@ static struct module *load_module(void _
70333 + if (!(sechdrs[i].sh_flags & SHF_ALLOC))
70334 + continue;
70335 +
70336 +- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
70337 +- dest = mod->module_init
70338 +- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70339 +- else
70340 +- dest = mod->module_core + sechdrs[i].sh_entsize;
70341 ++ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
70342 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
70343 ++ dest = mod->module_init_rw
70344 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70345 ++ else
70346 ++ dest = mod->module_init_rx
70347 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
70348 ++ } else {
70349 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
70350 ++ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
70351 ++ else
70352 ++ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
70353 ++ }
70354 +
70355 +- if (sechdrs[i].sh_type != SHT_NOBITS)
70356 +- memcpy(dest, (void *)sechdrs[i].sh_addr,
70357 +- sechdrs[i].sh_size);
70358 ++ if (sechdrs[i].sh_type != SHT_NOBITS) {
70359 ++
70360 ++#ifdef CONFIG_PAX_KERNEXEC
70361 ++ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
70362 ++ pax_open_kernel(cr0);
70363 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
70364 ++ pax_close_kernel(cr0);
70365 ++ } else
70366 ++#endif
70367 ++
70368 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
70369 ++ }
70370 + /* Update sh_addr to point to copy in image. */
70371 +- sechdrs[i].sh_addr = (unsigned long)dest;
70372 ++
70373 ++#ifdef CONFIG_PAX_KERNEXEC
70374 ++ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
70375 ++ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
70376 ++ else
70377 ++#endif
70378 ++
70379 ++ sechdrs[i].sh_addr = (unsigned long)dest;
70380 + DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
70381 + }
70382 + /* Module has been moved. */
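Review bot: `|| !(sechdrs[i].sh_flags & SHF_ALLOC)` in both new `dest` selections is dead: the loop already does `continue` for any section without SHF_ALLOC a few lines above, so only the `SHF_WRITE` test decides rw versus rx. The duplicated `memcpy` under `#ifdef CONFIG_PAX_KERNEXEC` could collapse to one call with the open/close conditioned on the flags, which would also remove the `} else` / `#endif` / bare-statement shape that is easy to mis-edit. The `ktva_ktla()` rewrite of `sh_addr` applies only to SHF_EXECINSTR sections while read-only data is also placed in the rx region; document why the two kinds of rx sections are recorded in different address forms.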
70383 +@@ -2009,12 +2138,12 @@ static struct module *load_module(void _
70384 + * Do it before processing of module parameters, so the module
70385 + * can provide parameter accessor functions of its own.
70386 + */
70387 +- if (mod->module_init)
70388 +- flush_icache_range((unsigned long)mod->module_init,
70389 +- (unsigned long)mod->module_init
70390 +- + mod->init_size);
70391 +- flush_icache_range((unsigned long)mod->module_core,
70392 +- (unsigned long)mod->module_core + mod->core_size);
70393 ++ if (mod->module_init_rx)
70394 ++ flush_icache_range((unsigned long)mod->module_init_rx,
70395 ++ (unsigned long)mod->module_init_rx
70396 ++ + mod->init_size_rx);
70397 ++ flush_icache_range((unsigned long)mod->module_core_rx,
70398 ++ (unsigned long)mod->module_core_rx + mod->core_size_rx);
70399 +
70400 + set_fs(old_fs);
70401 +
70402 +@@ -2058,9 +2187,13 @@ static struct module *load_module(void _
70403 + module_arch_cleanup(mod);
70404 + cleanup:
70405 + module_unload_free(mod);
70406 +- module_free(mod, mod->module_init);
70407 +- free_core:
70408 +- module_free(mod, mod->module_core);
70409 ++ module_free_exec(mod, mod->module_init_rx);
70410 ++ free_core_rx:
70411 ++ module_free_exec(mod, mod->module_core_rx);
70412 ++ free_init_rw:
70413 ++ module_free(mod, mod->module_init_rw);
70414 ++ free_core_rw:
70415 ++ module_free(mod, mod->module_core_rw);
70416 + free_percpu:
70417 + if (percpu)
70418 + percpu_modfree(percpu);
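Review bot: the unwind chain frees regions in reverse allocation order (init_rx, core_rx, init_rw, core_rw) and each `goto` in the allocation hunk enters at the right label, so the error paths look correct; since the old two-label chain has become four, a short comment listing which allocation each label undoes would make the next edit safer.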
70419 +@@ -2096,6 +2229,9 @@ sys_init_module(void __user *umod,
70420 + struct module *mod;
70421 + int ret = 0;
70422 +
70423 ++ if (gr_check_modstop())
70424 ++ return -EPERM;
70425 ++
70426 + /* Must have permission */
70427 + if (!capable(CAP_SYS_MODULE))
70428 + return -EPERM;
70429 +@@ -2142,10 +2278,12 @@ sys_init_module(void __user *umod,
70430 + /* Drop initial reference. */
70431 + module_put(mod);
70432 + unwind_remove_table(mod->unwind_info, 1);
70433 +- module_free(mod, mod->module_init);
70434 +- mod->module_init = NULL;
70435 +- mod->init_size = 0;
70436 +- mod->init_text_size = 0;
70437 ++ module_free(mod, mod->module_init_rw);
70438 ++ module_free_exec(mod, mod->module_init_rx);
70439 ++ mod->module_init_rw = NULL;
70440 ++ mod->module_init_rx = NULL;
70441 ++ mod->init_size_rw = 0;
70442 ++ mod->init_size_rx = 0;
70443 + mutex_unlock(&module_mutex);
70444 +
70445 + return 0;
70446 +@@ -2153,6 +2291,13 @@ sys_init_module(void __user *umod,
70447 +
70448 + static inline int within(unsigned long addr, void *start, unsigned long size)
70449 + {
70450 ++
70451 ++#ifdef CONFIG_PAX_KERNEXEC
70452 ++ if (ktla_ktva(addr) >= (unsigned long)start &&
70453 ++ ktla_ktva(addr) < (unsigned long)start + size)
70454 ++ return 1;
70455 ++#endif
70456 ++
70457 + return ((void *)addr >= start && (void *)addr < start + size);
70458 + }
70459 +
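Review bot: with CONFIG_PAX_KERNEXEC, `within()` now accepts both `ktla_ktva(addr)` and the raw `addr` against the same range, so callers no longer learn which form matched; that is needed because executable sections record `sh_addr` as `ktva_ktla(dest)` while other sections keep the linear address, but nothing here says so. Add that comment, and drop the blank line after the opening brace.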
70460 +@@ -2176,10 +2321,14 @@ static const char *get_ksymbol(struct mo
70461 + unsigned long nextval;
70462 +
70463 + /* At worse, next value is at end of module */
70464 +- if (within(addr, mod->module_init, mod->init_size))
70465 +- nextval = (unsigned long)mod->module_init+mod->init_text_size;
70466 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx))
70467 ++ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
70468 ++ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
70469 ++ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
70470 ++ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
70471 ++ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
70472 + else
70473 +- nextval = (unsigned long)mod->module_core+mod->core_text_size;
70474 ++ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
70475 +
70476 + /* Scan for closest preceeding symbol, and next symbol. (ELF
70477 + starts real symbols at 1). */
70478 +@@ -2225,8 +2374,10 @@ const char *module_address_lookup(unsign
70479 +
70480 + preempt_disable();
70481 + list_for_each_entry(mod, &modules, list) {
70482 +- if (within(addr, mod->module_init, mod->init_size)
70483 +- || within(addr, mod->module_core, mod->core_size)) {
70484 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70485 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70486 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70487 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70488 + if (modname)
70489 + *modname = mod->name;
70490 + ret = get_ksymbol(mod, addr, size, offset);
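Review bot: the four-way `within()` chain (init_rx, init_rw, core_rx, core_rw) is repeated verbatim in module_address_lookup, lookup_module_symbol_name and lookup_module_symbol_attrs, with a two-way variant in is_module_address; a small `static inline int within_module(unsigned long addr, struct module *mod)` helper would keep the range tests in one place and stop one copy drifting from the others when a region is added or renamed.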
70491 +@@ -2243,8 +2394,10 @@ int lookup_module_symbol_name(unsigned l
70492 +
70493 + preempt_disable();
70494 + list_for_each_entry(mod, &modules, list) {
70495 +- if (within(addr, mod->module_init, mod->init_size) ||
70496 +- within(addr, mod->module_core, mod->core_size)) {
70497 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70498 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70499 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70500 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70501 + const char *sym;
70502 +
70503 + sym = get_ksymbol(mod, addr, NULL, NULL);
70504 +@@ -2267,8 +2420,10 @@ int lookup_module_symbol_attrs(unsigned
70505 +
70506 + preempt_disable();
70507 + list_for_each_entry(mod, &modules, list) {
70508 +- if (within(addr, mod->module_init, mod->init_size) ||
70509 +- within(addr, mod->module_core, mod->core_size)) {
70510 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
70511 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
70512 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
70513 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70514 + const char *sym;
70515 +
70516 + sym = get_ksymbol(mod, addr, size, offset);
70517 +@@ -2390,7 +2545,7 @@ static int m_show(struct seq_file *m, vo
70518 + char buf[8];
70519 +
70520 + seq_printf(m, "%s %lu",
70521 +- mod->name, mod->init_size + mod->core_size);
70522 ++ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
70523 + print_unload_info(m, mod);
70524 +
70525 + /* Informative for users. */
70526 +@@ -2399,7 +2554,7 @@ static int m_show(struct seq_file *m, vo
70527 + mod->state == MODULE_STATE_COMING ? "Loading":
70528 + "Live");
70529 + /* Used by oprofile and other similar tools. */
70530 +- seq_printf(m, " 0x%p", mod->module_core);
70531 ++ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
70532 +
70533 + /* Taints info */
70534 + if (mod->taints)
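Review bot: `seq_printf(m, " 0x%p 0x%p", ...)` adds a second address column to each /proc/modules line; the comment above it says oprofile and similar tools consume this field, so this is a user-visible format change that needs calling out (and arguably should stay one column carrying the rx base, which is what a profiler mapping code addresses wants). The size printed in the previous hunk now sums all four regions, which preserves the old meaning.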
70535 +@@ -2455,7 +2610,8 @@ int is_module_address(unsigned long addr
70536 + preempt_disable();
70537 +
70538 + list_for_each_entry(mod, &modules, list) {
70539 +- if (within(addr, mod->module_core, mod->core_size)) {
70540 ++ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
70541 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
70542 + preempt_enable();
70543 + return 1;
70544 + }
70545 +@@ -2473,8 +2629,8 @@ struct module *__module_text_address(uns
70546 + struct module *mod;
70547 +
70548 + list_for_each_entry(mod, &modules, list)
70549 +- if (within(addr, mod->module_init, mod->init_text_size)
70550 +- || within(addr, mod->module_core, mod->core_text_size))
70551 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx)
70552 ++ || within(addr, mod->module_core_rx, mod->core_size_rx))
70553 + return mod;
70554 + return NULL;
70555 + }
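Review bot: `__module_text_address` now tests `init_size_rx`/`core_size_rx`, and the layout_sections change in this patch routes every allocated non-writable section into the rx region, read-only data included, so this predicate can now answer "text" for addresses inside a module's rodata; callers that use it to decide whether an address is an instruction should be checked, or the function should keep a separate executable length.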
70556 +diff -urNp linux-2.6.24.5/kernel/mutex.c linux-2.6.24.5/kernel/mutex.c
70557 +--- linux-2.6.24.5/kernel/mutex.c 2008-03-24 14:49:18.000000000 -0400
70558 ++++ linux-2.6.24.5/kernel/mutex.c 2008-03-26 20:21:09.000000000 -0400
70559 +@@ -82,7 +82,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
70560 + *
70561 + * This function is similar to (but not equivalent to) down().
70562 + */
70563 +-void inline fastcall __sched mutex_lock(struct mutex *lock)
70564 ++inline void fastcall __sched mutex_lock(struct mutex *lock)
70565 + {
70566 + might_sleep();
70567 + /*
70568 +diff -urNp linux-2.6.24.5/kernel/panic.c linux-2.6.24.5/kernel/panic.c
70569 +--- linux-2.6.24.5/kernel/panic.c 2008-03-24 14:49:18.000000000 -0400
70570 ++++ linux-2.6.24.5/kernel/panic.c 2008-03-26 20:21:09.000000000 -0400
70571 +@@ -20,6 +20,7 @@
70572 + #include <linux/kexec.h>
70573 + #include <linux/debug_locks.h>
70574 + #include <linux/random.h>
70575 ++#include <linux/kallsyms.h>
70576 +
70577 + int panic_on_oops;
70578 + int tainted;
70579 +@@ -299,6 +300,8 @@ void oops_exit(void)
70580 + */
70581 + void __stack_chk_fail(void)
70582 + {
70583 ++ print_symbol("stack corrupted in: %s\n", (unsigned long)__builtin_return_address(0));
70584 ++ dump_stack();
70585 + panic("stack-protector: Kernel stack is corrupted");
70586 + }
70587 + EXPORT_SYMBOL(__stack_chk_fail);
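Review bot: printing the return address and a backtrace before the panic is a real diagnostic win for incident response, since the panic string alone identifies nothing; the caveat to record in a comment is that `__stack_chk_fail` is running on the very stack whose canary check failed, so print_symbol/dump_stack may themselves misbehave, which is acceptable only because panic() follows regardless.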
70588 +diff -urNp linux-2.6.24.5/kernel/params.c linux-2.6.24.5/kernel/params.c
70589 +--- linux-2.6.24.5/kernel/params.c 2008-03-24 14:49:18.000000000 -0400
70590 ++++ linux-2.6.24.5/kernel/params.c 2008-03-26 20:21:09.000000000 -0400
70591 +@@ -272,7 +272,7 @@ static int param_array(const char *name,
70592 + unsigned int min, unsigned int max,
70593 + void *elem, int elemsize,
70594 + int (*set)(const char *, struct kernel_param *kp),
70595 +- int *num)
70596 ++ unsigned int *num)
70597 + {
70598 + int ret;
70599 + struct kernel_param kp;
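Review bot: changing `num` to `unsigned int *` in param_array fixes the signedness of the pointer only if every caller passes an `unsigned int *`; the callers are outside this hunk, so confirm they were updated, otherwise the warning just moves.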
70600 +diff -urNp linux-2.6.24.5/kernel/pid.c linux-2.6.24.5/kernel/pid.c
70601 +--- linux-2.6.24.5/kernel/pid.c 2008-03-24 14:49:18.000000000 -0400
70602 ++++ linux-2.6.24.5/kernel/pid.c 2008-03-26 20:21:09.000000000 -0400
70603 +@@ -35,6 +35,7 @@
70604 + #include <linux/pid_namespace.h>
70605 + #include <linux/init_task.h>
70606 + #include <linux/syscalls.h>
70607 ++#include <linux/grsecurity.h>
70608 +
70609 + #define pid_hashfn(nr, ns) \
70610 + hash_long((unsigned long)nr + (unsigned long)ns, pidhash_shift)
70611 +@@ -45,7 +46,7 @@ static struct kmem_cache *pid_ns_cachep;
70612 +
70613 + int pid_max = PID_MAX_DEFAULT;
70614 +
70615 +-#define RESERVED_PIDS 300
70616 ++#define RESERVED_PIDS 500
70617 +
70618 + int pid_max_min = RESERVED_PIDS + 1;
70619 + int pid_max_max = PID_MAX_LIMIT;
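Review bot: bumping RESERVED_PIDS from 300 to 500 raises `pid_max_min` for every kernel built with this patch, independent of any CONFIG_GRKERNSEC option; justify it in the commit message or tie it to a config option, since administrators who set `kernel.pid_max` low will hit the new floor.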
70620 +@@ -375,7 +376,14 @@ struct task_struct * fastcall pid_task(s
70621 + struct task_struct *find_task_by_pid_type_ns(int type, int nr,
70622 + struct pid_namespace *ns)
70623 + {
70624 +- return pid_task(find_pid_ns(nr, ns), type);
70625 ++ struct task_struct *task;
70626 ++
70627 ++ task = pid_task(find_pid_ns(nr, ns), type);
70628 ++
70629 ++ if (gr_pid_is_chrooted(task))
70630 ++ return NULL;
70631 ++
70632 ++ return task;
70633 + }
70634 +
70635 + EXPORT_SYMBOL(find_task_by_pid_type_ns);
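Review bot: `pid_task()` can return NULL (the original returned its result directly), and the new code passes that possibly-NULL `task` to `gr_pid_is_chrooted()` without a check; confirm the helper tolerates NULL or test `task` first. This also hides processes from every caller of find_task_by_pid_type_ns, kernel-internal ones included, so any in-kernel lookup performed on behalf of a chrooted caller now fails; that is the point of the feature, but it deserves a comment here.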
70636 +diff -urNp linux-2.6.24.5/kernel/posix-cpu-timers.c linux-2.6.24.5/kernel/posix-cpu-timers.c
70637 +--- linux-2.6.24.5/kernel/posix-cpu-timers.c 2008-03-24 14:49:18.000000000 -0400
70638 ++++ linux-2.6.24.5/kernel/posix-cpu-timers.c 2008-03-26 20:21:09.000000000 -0400
70639 +@@ -6,6 +6,7 @@
70640 + #include <linux/posix-timers.h>
70641 + #include <asm/uaccess.h>
70642 + #include <linux/errno.h>
70643 ++#include <linux/grsecurity.h>
70644 +
70645 + static int check_clock(const clockid_t which_clock)
70646 + {
70647 +@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
70648 + __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
70649 + return;
70650 + }
70651 ++ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
70652 + if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
70653 + /*
70654 + * At the soft limit, send a SIGXCPU every second.
70655 +diff -urNp linux-2.6.24.5/kernel/power/poweroff.c linux-2.6.24.5/kernel/power/poweroff.c
70656 +--- linux-2.6.24.5/kernel/power/poweroff.c 2008-03-24 14:49:18.000000000 -0400
70657 ++++ linux-2.6.24.5/kernel/power/poweroff.c 2008-03-26 20:21:09.000000000 -0400
70658 +@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
70659 + .enable_mask = SYSRQ_ENABLE_BOOT,
70660 + };
70661 +
70662 +-static int pm_sysrq_init(void)
70663 ++static int __init pm_sysrq_init(void)
70664 + {
70665 + register_sysrq_key('o', &sysrq_poweroff_op);
70666 + return 0;
70667 +diff -urNp linux-2.6.24.5/kernel/printk.c linux-2.6.24.5/kernel/printk.c
70668 +--- linux-2.6.24.5/kernel/printk.c 2008-03-24 14:49:18.000000000 -0400
70669 ++++ linux-2.6.24.5/kernel/printk.c 2008-03-26 20:21:09.000000000 -0400
70670 +@@ -33,6 +33,7 @@
70671 + #include <linux/bootmem.h>
70672 + #include <linux/syscalls.h>
70673 + #include <linux/jiffies.h>
70674 ++#include <linux/grsecurity.h>
70675 +
70676 + #include <asm/uaccess.h>
70677 +
70678 +@@ -293,6 +294,11 @@ int do_syslog(int type, char __user *buf
70679 + char c;
70680 + int error = 0;
70681 +
70682 ++#ifdef CONFIG_GRKERNSEC_DMESG
70683 ++ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
70684 ++ return -EPERM;
70685 ++#endif
70686 ++
70687 + error = security_syslog(type);
70688 + if (error)
70689 + return error;
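Review bot: the CONFIG_GRKERNSEC_DMESG gate returns -EPERM for every `type` before `security_syslog()` is consulted, so an LSM never sees (and cannot audit) the denied call, and operations that disclose nothing, such as opening or closing the log, are refused along with the reads; consider moving the check after the LSM hook or limiting it to the read/clear types, and log the denial so the restriction is visible to an operator.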
70690 +diff -urNp linux-2.6.24.5/kernel/ptrace.c linux-2.6.24.5/kernel/ptrace.c
70691 +--- linux-2.6.24.5/kernel/ptrace.c 2008-03-24 14:49:18.000000000 -0400
70692 ++++ linux-2.6.24.5/kernel/ptrace.c 2008-03-26 20:21:09.000000000 -0400
70693 +@@ -20,6 +20,7 @@
70694 + #include <linux/signal.h>
70695 + #include <linux/audit.h>
70696 + #include <linux/pid_namespace.h>
70697 ++#include <linux/grsecurity.h>
70698 +
70699 + #include <asm/pgtable.h>
70700 + #include <asm/uaccess.h>
70701 +@@ -139,12 +140,12 @@ int __ptrace_may_attach(struct task_stru
70702 + (current->uid != task->uid) ||
70703 + (current->gid != task->egid) ||
70704 + (current->gid != task->sgid) ||
70705 +- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
70706 ++ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
70707 + return -EPERM;
70708 + smp_rmb();
70709 + if (task->mm)
70710 + dumpable = get_dumpable(task->mm);
70711 +- if (!dumpable && !capable(CAP_SYS_PTRACE))
70712 ++ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
70713 + return -EPERM;
70714 +
70715 + return security_ptrace(current, task);
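Review bot: swapping `capable()` for `capable_nolog()` in both checks removes the audit record for the common case where an unprivileged process tries to ptrace a task it does not own; that avoids log noise, but a denied attach on a foreign process is exactly the event a host monitor wants, so the commit should say where, if anywhere, that denial is still logged (gr_handle_ptrace in the later hunk may do it, but it runs only on requests that reach arch_ptrace).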
70716 +@@ -203,7 +204,7 @@ repeat:
70717 + /* Go */
70718 + task->ptrace |= PT_PTRACED | ((task->real_parent != current)
70719 + ? PT_ATTACHED : 0);
70720 +- if (capable(CAP_SYS_PTRACE))
70721 ++ if (capable_nolog(CAP_SYS_PTRACE))
70722 + task->ptrace |= PT_PTRACE_CAP;
70723 +
70724 + __ptrace_link(task, current);
70725 +@@ -494,6 +495,11 @@ asmlinkage long sys_ptrace(long request,
70726 + if (ret < 0)
70727 + goto out_put_task_struct;
70728 +
70729 ++ if (gr_handle_ptrace(child, request)) {
70730 ++ ret = -EPERM;
70731 ++ goto out_put_task_struct;
70732 ++ }
70733 ++
70734 + ret = arch_ptrace(child, request, addr, data);
70735 + if (ret < 0)
70736 + goto out_put_task_struct;
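Review bot: `gr_handle_ptrace(child, request)` sits immediately before `arch_ptrace`, so it only sees requests that get that far; any request dispatched earlier in sys_ptrace bypasses it. If the hook is meant to gate attaching, it must be placed before that earlier dispatch; if it is meant only to filter the register/memory requests arch_ptrace handles, say so in a comment.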
70737 +diff -urNp linux-2.6.24.5/kernel/rcupdate.c linux-2.6.24.5/kernel/rcupdate.c
70738 +--- linux-2.6.24.5/kernel/rcupdate.c 2008-03-24 14:49:18.000000000 -0400
70739 ++++ linux-2.6.24.5/kernel/rcupdate.c 2008-03-26 20:21:09.000000000 -0400
70740 +@@ -70,11 +70,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
70741 + .cpumask = CPU_MASK_NONE,
70742 + };
70743 +
70744 +-DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
70745 +-DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
70746 ++DEFINE_PER_CPU(struct rcu_data, rcu_data);
70747 ++DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
70748 +
70749 + /* Fake initialization required by compiler */
70750 +-static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
70751 ++static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
70752 + static int blimit = 10;
70753 + static int qhimark = 10000;
70754 + static int qlowmark = 100;
70755 +diff -urNp linux-2.6.24.5/kernel/relay.c linux-2.6.24.5/kernel/relay.c
70756 +--- linux-2.6.24.5/kernel/relay.c 2008-03-24 14:49:18.000000000 -0400
70757 ++++ linux-2.6.24.5/kernel/relay.c 2008-03-26 20:21:09.000000000 -0400
70758 +@@ -1141,7 +1141,7 @@ static int subbuf_splice_actor(struct fi
70759 + return 0;
70760 +
70761 + ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
70762 +- if (ret < 0 || ret < total_len)
70763 ++ if ((int)ret < 0 || ret < total_len)
70764 + return ret;
70765 +
70766 + if (read_start + ret == nonpad_end)
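Review bot: `(int)ret < 0` works around `ret` being unsigned, which made the original `ret < 0` test always false; the cast is correct as long as the negative values are errno-sized, but the cleaner fix is to declare `ret` as `ssize_t` (what splice_to_pipe returns) so the comparison is meaningful without a cast.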
70767 +diff -urNp linux-2.6.24.5/kernel/resource.c linux-2.6.24.5/kernel/resource.c
70768 +--- linux-2.6.24.5/kernel/resource.c 2008-03-24 14:49:18.000000000 -0400
70769 ++++ linux-2.6.24.5/kernel/resource.c 2008-03-26 20:21:09.000000000 -0400
70770 +@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
70771 + {
70772 + struct proc_dir_entry *entry;
70773 +
70774 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
70775 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
70776 ++ entry = create_proc_entry("ioports", S_IRUSR, NULL);
70777 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70778 ++ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
70779 ++#endif
70780 ++#else
70781 + entry = create_proc_entry("ioports", 0, NULL);
70782 ++#endif
70783 + if (entry)
70784 + entry->proc_fops = &proc_ioports_operations;
70785 ++
70786 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
70787 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
70788 ++ entry = create_proc_entry("iomem", S_IRUSR, NULL);
70789 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
70790 ++ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
70791 ++#endif
70792 ++#else
70793 + entry = create_proc_entry("iomem", 0, NULL);
70794 ++#endif
70795 + if (entry)
70796 + entry->proc_fops = &proc_iomem_operations;
70797 + return 0;
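Review bot: same missing `#else` as in the kallsyms hunk: if CONFIG_GRKERNSEC_PROC_ADD is set without either PROC_USER or PROC_USERGROUP, `entry` is used uninitialised for both ioports and iomem. Note also that the default branch passes mode `0`, which create_proc_entry expands to world-readable, whereas the grsec branches pass `S_IRUSR`; the point (I/O port and memory map layout no longer readable by unprivileged users) is worth a comment, and the two copies of the ifdef ladder could be one small helper taking the name and fops.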
70798 +diff -urNp linux-2.6.24.5/kernel/sched.c linux-2.6.24.5/kernel/sched.c
70799 +--- linux-2.6.24.5/kernel/sched.c 2008-04-17 20:05:17.000000000 -0400
70800 ++++ linux-2.6.24.5/kernel/sched.c 2008-04-17 20:05:01.000000000 -0400
70801 +@@ -63,6 +63,7 @@
70802 + #include <linux/reciprocal_div.h>
70803 + #include <linux/unistd.h>
70804 + #include <linux/pagemap.h>
70805 ++#include <linux/grsecurity.h>
70806 +
70807 + #include <asm/tlb.h>
70808 + #include <asm/irq_regs.h>
70809 +@@ -3662,7 +3663,7 @@ pick_next_task(struct rq *rq, struct tas
70810 + asmlinkage void __sched schedule(void)
70811 + {
70812 + struct task_struct *prev, *next;
70813 +- long *switch_count;
70814 ++ unsigned long *switch_count;
70815 + struct rq *rq;
70816 + int cpu;
70817 +
70818 +@@ -4198,7 +4199,8 @@ asmlinkage long sys_nice(int increment)
70819 + if (nice > 19)
70820 + nice = 19;
70821 +
70822 +- if (increment < 0 && !can_nice(current, nice))
70823 ++ if (increment < 0 && (!can_nice(current, nice) ||
70824 ++ gr_handle_chroot_nice()))
70825 + return -EPERM;
70826 +
70827 + retval = security_task_setnice(current, nice);
70828 +@@ -5439,7 +5441,7 @@ static struct ctl_table sd_ctl_dir[] = {
70829 + .procname = "sched_domain",
70830 + .mode = 0555,
70831 + },
70832 +- {0, },
70833 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
70834 + };
70835 +
70836 + static struct ctl_table sd_ctl_root[] = {
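Review bot: replacing `{0, }` with an explicit eleven-field `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` silences a missing-initializer warning but hardcodes the current layout of `struct ctl_table`; if a field is added or removed the initializer breaks or silently shifts. An empty `{ }` or a designated `{ .ctl_name = 0 }` expresses the sentinel without that fragility.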
70837 +@@ -5449,7 +5451,7 @@ static struct ctl_table sd_ctl_root[] =
70838 + .mode = 0555,
70839 + .child = sd_ctl_dir,
70840 + },
70841 +- {0, },
70842 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
70843 + };
70844 +
70845 + static struct ctl_table *sd_alloc_ctl_entry(int n)
70846 +diff -urNp linux-2.6.24.5/kernel/signal.c linux-2.6.24.5/kernel/signal.c
70847 +--- linux-2.6.24.5/kernel/signal.c 2008-03-24 14:49:18.000000000 -0400
70848 ++++ linux-2.6.24.5/kernel/signal.c 2008-03-26 20:21:09.000000000 -0400
70849 +@@ -25,6 +25,7 @@
70850 + #include <linux/capability.h>
70851 + #include <linux/freezer.h>
70852 + #include <linux/pid_namespace.h>
70853 ++#include <linux/grsecurity.h>
70854 + #include <linux/nsproxy.h>
70855 +
70856 + #include <asm/param.h>
70857 +@@ -540,7 +541,9 @@ static int check_kill_permission(int sig
70858 + && (current->euid ^ t->suid) && (current->euid ^ t->uid)
70859 + && (current->uid ^ t->suid) && (current->uid ^ t->uid)
70860 + && !capable(CAP_KILL))
70861 +- return error;
70862 ++ return error;
70863 ++ if (gr_handle_signal(t, sig))
70864 ++ return error;
70865 + }
70866 +
70867 + return security_task_kill(t, info, sig, 0);
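Review bot: the new `if (gr_handle_signal(t, sig)) return error;` sits inside the same brace block as the uid/CAP_KILL test, so it is scoped by the enclosing `if` (opened above this hunk and not visible here) rather than applied to every caller before security_task_kill(). That is the right scope if the block is the user-originated-signal case, but a short comment saying so would save the next reader from checking. The `- return error;` / `+ return error;` pair is a whitespace-only reindent of an unchanged line; drop it to keep the hunk minimal.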
70868 +@@ -757,7 +760,7 @@ static int __init setup_print_fatal_sign
70869 +
70870 + __setup("print-fatal-signals=", setup_print_fatal_signals);
70871 +
70872 +-static int
70873 ++int
70874 + specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
70875 + {
70876 + int ret = 0;
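Review bot: dropping `static` from specific_send_sig_info() exports a previously file-local function, but no prototype is added to any header in this hunk; whatever in grsecurity/ calls it will need a declaration, so add one to include/linux/grsecurity.h (or signal.h) alongside this change rather than relying on a local `extern` in the caller, which would also mask a signature mismatch.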
70877 +@@ -811,8 +814,12 @@ force_sig_info(int sig, struct siginfo *
70878 + }
70879 + }
70880 + ret = specific_send_sig_info(sig, info, t);
70881 ++
70882 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
70883 +
70884 ++ gr_log_signal(sig, t);
70885 ++ gr_handle_crash(t, sig);
70886 ++
70887 + return ret;
70888 + }
70889 +
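Review bot: gr_log_signal() and gr_handle_crash() run after siglock is dropped and regardless of the `ret` from specific_send_sig_info(), so a forced signal that the send path rejected is still logged and still counted against t as a crash. If the attempt is what matters, say so in a comment; otherwise gate both calls on `ret == 0`. Calling them after the unlock is fine only if neither hook touches t->sighand without re-taking the lock.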
70890 +diff -urNp linux-2.6.24.5/kernel/softirq.c linux-2.6.24.5/kernel/softirq.c
70891 +--- linux-2.6.24.5/kernel/softirq.c 2008-03-24 14:49:18.000000000 -0400
70892 ++++ linux-2.6.24.5/kernel/softirq.c 2008-03-26 20:21:09.000000000 -0400
70893 +@@ -467,9 +467,9 @@ void tasklet_kill(struct tasklet_struct
70894 + printk("Attempt to kill tasklet from interrupt\n");
70895 +
70896 + while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
70897 +- do
70898 ++ do {
70899 + yield();
70900 +- while (test_bit(TASKLET_STATE_SCHED, &t->state));
70901 ++ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
70902 + }
70903 + tasklet_unlock_wait(t);
70904 + clear_bit(TASKLET_STATE_SCHED, &t->state);
70905 +diff -urNp linux-2.6.24.5/kernel/sys.c linux-2.6.24.5/kernel/sys.c
70906 +--- linux-2.6.24.5/kernel/sys.c 2008-03-24 14:49:18.000000000 -0400
70907 ++++ linux-2.6.24.5/kernel/sys.c 2008-04-17 20:47:54.000000000 -0400
70908 +@@ -33,6 +33,7 @@
70909 + #include <linux/task_io_accounting_ops.h>
70910 + #include <linux/seccomp.h>
70911 + #include <linux/cpu.h>
70912 ++#include <linux/grsecurity.h>
70913 +
70914 + #include <linux/compat.h>
70915 + #include <linux/syscalls.h>
70916 +@@ -119,6 +120,12 @@ static int set_one_prio(struct task_stru
70917 + error = -EACCES;
70918 + goto out;
70919 + }
70920 ++
70921 ++ if (gr_handle_chroot_setpriority(p, niceval)) {
70922 ++ error = -EACCES;
70923 ++ goto out;
70924 ++ }
70925 ++
70926 + no_nice = security_task_setnice(p, niceval);
70927 + if (no_nice) {
70928 + error = no_nice;
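Review bot: gr_handle_chroot_setpriority() fails with -EACCES, matching the native check just above it in set_one_prio() and the setpriority(2) man page (EACCES for lowering a nice value without privilege), whereas the chroot hook added to sys_nice() earlier in this patch returns -EPERM for the same policy. Align sys_nice() with this hunk or document why they differ. Placement before security_task_setnice() is correct: grsec denies first, the LSM is not consulted for a request that will be refused anyway.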
70929 +@@ -175,10 +182,10 @@ asmlinkage long sys_setpriority(int whic
70930 + if ((who != current->uid) && !(user = find_user(who)))
70931 + goto out_unlock; /* No processes for this user */
70932 +
70933 +- do_each_thread(g, p)
70934 ++ do_each_thread(g, p) {
70935 + if (p->uid == who)
70936 + error = set_one_prio(p, niceval, error);
70937 +- while_each_thread(g, p);
70938 ++ } while_each_thread(g, p);
70939 + if (who != current->uid)
70940 + free_uid(user); /* For find_user() */
70941 + break;
70942 +@@ -237,13 +244,13 @@ asmlinkage long sys_getpriority(int whic
70943 + if ((who != current->uid) && !(user = find_user(who)))
70944 + goto out_unlock; /* No processes for this user */
70945 +
70946 +- do_each_thread(g, p)
70947 ++ do_each_thread(g, p) {
70948 + if (p->uid == who) {
70949 + niceval = 20 - task_nice(p);
70950 + if (niceval > retval)
70951 + retval = niceval;
70952 + }
70953 +- while_each_thread(g, p);
70954 ++ } while_each_thread(g, p);
70955 + if (who != current->uid)
70956 + free_uid(user); /* for find_user() */
70957 + break;
70958 +@@ -508,6 +515,10 @@ asmlinkage long sys_setregid(gid_t rgid,
70959 + else
70960 + return -EPERM;
70961 + }
70962 ++
70963 ++ if (gr_check_group_change(new_rgid, new_egid, -1))
70964 ++ return -EPERM;
70965 ++
70966 + if (new_egid != old_egid) {
70967 + set_dumpable(current->mm, suid_dumpable);
70968 + smp_wmb();
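Review bot: gr_check_group_change(new_rgid, new_egid, -1) is correctly placed after the native permission checks and before any state (dumpable, sgid, gid) is touched, so a denial leaves the task untouched. The third argument is the fsgid slot (compare the `gr_check_group_change(-1, -1, gid)` call in sys_setfsgid() later in this patch) and is passed as -1 meaning "unchanged", yet the code below assigns `current->fsgid = new_egid`; if the policy can differ for fsgid, pass new_egid there so the hook sees the actual change.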
70969 +@@ -515,6 +526,9 @@ asmlinkage long sys_setregid(gid_t rgid,
70970 + if (rgid != (gid_t) -1 ||
70971 + (egid != (gid_t) -1 && egid != old_rgid))
70972 + current->sgid = new_egid;
70973 ++
70974 ++ gr_set_role_label(current, current->uid, new_rgid);
70975 ++
70976 + current->fsgid = new_egid;
70977 + current->egid = new_egid;
70978 + current->gid = new_rgid;
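Review bot: gr_set_role_label(current, current->uid, new_rgid) is called as a statement, so if it can fail there is nothing here to notice and the gid fields below are still written under the old label. Confirm the hook cannot fail, or check its result and bail out before the assignments. The same pattern is repeated in the sys_setgid(), set_user() and sys_setresgid() hunks below.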
70979 +@@ -537,11 +551,17 @@ asmlinkage long sys_setgid(gid_t gid)
70980 + if (retval)
70981 + return retval;
70982 +
70983 ++ if (gr_check_group_change(gid, gid, gid))
70984 ++ return -EPERM;
70985 ++
70986 + if (capable(CAP_SETGID)) {
70987 + if (old_egid != gid) {
70988 + set_dumpable(current->mm, suid_dumpable);
70989 + smp_wmb();
70990 + }
70991 ++
70992 ++ gr_set_role_label(current, current->uid, gid);
70993 ++
70994 + current->gid = current->egid = current->sgid = current->fsgid = gid;
70995 + } else if ((gid == current->gid) || (gid == current->sgid)) {
70996 + if (old_egid != gid) {
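Review bot: unlike the sys_setregid() hunk above, gr_check_group_change(gid, gid, gid) here runs before the `capable(CAP_SETGID)` / own-gid test, so an unprivileged caller asking for a foreign gid is evaluated (and possibly logged) by the grsec hook before the kernel would have refused it anyway. Both paths return -EPERM so the outcome is the same, but the ordering differs across the family in this patch (setregid/setresgid check after the native tests, setgid/setuid before); make it consistent so the audit log does not fill with denials for requests the base kernel rejects regardless. gr_set_role_label() is only called in the CAP_SETGID branch, which is right: the other branch never changes the real gid.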
70997 +@@ -579,6 +599,9 @@ static int set_user(uid_t new_ruid, int
70998 + set_dumpable(current->mm, suid_dumpable);
70999 + smp_wmb();
71000 + }
71001 ++
71002 ++ gr_set_role_label(current, new_ruid, current->gid);
71003 ++
71004 + current->uid = new_ruid;
71005 + return 0;
71006 + }
71007 +@@ -628,6 +651,9 @@ asmlinkage long sys_setreuid(uid_t ruid,
71008 + return -EPERM;
71009 + }
71010 +
71011 ++ if (gr_check_user_change(new_ruid, new_euid, -1))
71012 ++ return -EPERM;
71013 ++
71014 + if (new_ruid != old_ruid && set_user(new_ruid, new_euid != old_euid) < 0)
71015 + return -EAGAIN;
71016 +
71017 +@@ -674,6 +700,12 @@ asmlinkage long sys_setuid(uid_t uid)
71018 + old_suid = current->suid;
71019 + new_suid = old_suid;
71020 +
71021 ++ if (gr_check_crash_uid(uid))
71022 ++ return -EPERM;
71023 ++
71024 ++ if (gr_check_user_change(uid, uid, uid))
71025 ++ return -EPERM;
71026 ++
71027 + if (capable(CAP_SETUID)) {
71028 + if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
71029 + return -EAGAIN;
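Review bot: gr_check_crash_uid(uid) and gr_check_user_change(uid, uid, uid) sit ahead of the `capable(CAP_SETUID)` test, which is what the crash-uid ban needs (a privileged process dropping to a banned uid must be refused even though it would pass the native check). There is, however, no gr_check_crash_uid() in the sys_setreuid() or sys_setresuid() hunks in this patch, so setresuid(banned, banned, banned) is covered only if gr_check_user_change() enforces the ban too; a comment here should say which hook owns that rule.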
71030 +@@ -721,6 +753,10 @@ asmlinkage long sys_setresuid(uid_t ruid
71031 + (suid != current->euid) && (suid != current->suid))
71032 + return -EPERM;
71033 + }
71034 ++
71035 ++ if (gr_check_user_change(ruid, euid, -1))
71036 ++ return -EPERM;
71037 ++
71038 + if (ruid != (uid_t) -1) {
71039 + if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
71040 + return -EAGAIN;
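Review bot: gr_check_user_change(ruid, euid, -1) receives the raw syscall arguments, which may be (uid_t)-1 meaning "leave unchanged", whereas sys_setreuid() above passes the already-resolved new_ruid/new_euid. The hook therefore has to resolve -1 against current itself (it clearly accepts the explicit -1 in the third slot), but passing resolved values would match setreuid and make the contract obvious. suid is never handed to the hook, so no policy on the saved uid can be enforced from here. The same two points apply to the gr_check_group_change(rgid, egid, -1) call in the sys_setresgid() hunk below.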
71041 +@@ -775,6 +811,10 @@ asmlinkage long sys_setresgid(gid_t rgid
71042 + (sgid != current->egid) && (sgid != current->sgid))
71043 + return -EPERM;
71044 + }
71045 ++
71046 ++ if (gr_check_group_change(rgid, egid, -1))
71047 ++ return -EPERM;
71048 ++
71049 + if (egid != (gid_t) -1) {
71050 + if (egid != current->egid) {
71051 + set_dumpable(current->mm, suid_dumpable);
71052 +@@ -783,8 +823,10 @@ asmlinkage long sys_setresgid(gid_t rgid
71053 + current->egid = egid;
71054 + }
71055 + current->fsgid = current->egid;
71056 +- if (rgid != (gid_t) -1)
71057 ++ if (rgid != (gid_t) -1) {
71058 ++ gr_set_role_label(current, current->uid, rgid);
71059 + current->gid = rgid;
71060 ++ }
71061 + if (sgid != (gid_t) -1)
71062 + current->sgid = sgid;
71063 +
71064 +@@ -819,6 +861,9 @@ asmlinkage long sys_setfsuid(uid_t uid)
71065 + if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS))
71066 + return old_fsuid;
71067 +
71068 ++ if (gr_check_user_change(-1, -1, uid))
71069 ++ return old_fsuid;
71070 ++
71071 + if (uid == current->uid || uid == current->euid ||
71072 + uid == current->suid || uid == current->fsuid ||
71073 + capable(CAP_SETUID)) {
71074 +@@ -851,6 +896,9 @@ asmlinkage long sys_setfsgid(gid_t gid)
71075 + if (gid == current->gid || gid == current->egid ||
71076 + gid == current->sgid || gid == current->fsgid ||
71077 + capable(CAP_SETGID)) {
71078 ++ if (gr_check_group_change(-1, -1, gid))
71079 ++ return old_fsgid;
71080 ++
71081 + if (gid != old_fsgid) {
71082 + set_dumpable(current->mm, suid_dumpable);
71083 + smp_wmb();
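Review bot: the setfsuid and setfsgid hooks are placed differently. In sys_setfsuid() gr_check_user_change(-1, -1, uid) runs before the native `uid == current->uid || ... || capable(CAP_SETUID)` test, while here gr_check_group_change(-1, -1, gid) sits inside the branch, after the native test has passed. The result (return the old value) is identical, but the fsuid ordering lets the hook see and possibly log requests the kernel was about to reject anyway. Move the setfsuid check inside its branch to match this hunk.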
71084 +@@ -934,7 +982,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
71085 + write_lock_irq(&tasklist_lock);
71086 +
71087 + err = -ESRCH;
71088 +- p = find_task_by_pid_ns(pid, ns);
71089 ++ /* grsec: replaced find_task_by_pid_ns with equivalent call which
71090 ++ lacks the chroot restriction
71091 ++ */
71092 ++ p = pid_task(find_pid_ns(pid, ns), PIDTYPE_PID);
71093 + if (!p)
71094 + goto out;
71095 +
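Review bot: pid_task(find_pid_ns(pid, ns), PIDTYPE_PID) is only a safe drop-in for find_task_by_pid_ns() because pid_task() tolerates the NULL that find_pid_ns() returns for an unknown pid (it does in 2.6.24's kernel/pid.c), so the `if (!p)` below still catches the not-found case; say that in the comment so nobody "fixes" it. Style: the added comment uses a multi-line `/* ... */` without leading asterisks, which is not the kernel's comment format; the second replacement in this function (PIDTYPE_PGID) has the same issue.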
71096 +@@ -962,7 +1013,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
71097 + if (pgid != pid) {
71098 + struct task_struct *g;
71099 +
71100 +- g = find_task_by_pid_type_ns(PIDTYPE_PGID, pgid, ns);
71101 ++ /* grsec: replaced find_task_by_pid_type_ns with equivalent
71102 ++ call which lacks the chroot restriction
71103 ++ */
71104 ++ g = pid_task(find_pid_ns(pgid, ns), PIDTYPE_PGID);
71105 + if (!g || task_session(g) != task_session(group_leader))
71106 + goto out;
71107 + }
71108 +@@ -1662,7 +1716,7 @@ asmlinkage long sys_prctl(int option, un
71109 + error = get_dumpable(current->mm);
71110 + break;
71111 + case PR_SET_DUMPABLE:
71112 +- if (arg2 < 0 || arg2 > 1) {
71113 ++ if (arg2 > 1) {
71114 + error = -EINVAL;
71115 + break;
71116 + }
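Review bot: dropping `arg2 < 0` is correct: arg2 is unsigned long in sys_prctl(), so the comparison was always false and only produced a warning, and `arg2 > 1` alone gives the same range check for PR_SET_DUMPABLE. No behaviour change.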
71117 +diff -urNp linux-2.6.24.5/kernel/sysctl.c linux-2.6.24.5/kernel/sysctl.c
71118 +--- linux-2.6.24.5/kernel/sysctl.c 2008-03-24 14:49:18.000000000 -0400
71119 ++++ linux-2.6.24.5/kernel/sysctl.c 2008-03-26 20:21:09.000000000 -0400
71120 +@@ -58,6 +58,13 @@
71121 + static int deprecated_sysctl_warning(struct __sysctl_args *args);
71122 +
71123 + #if defined(CONFIG_SYSCTL)
71124 ++#include <linux/grsecurity.h>
71125 ++#include <linux/grinternal.h>
71126 ++
71127 ++extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
71128 ++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
71129 ++ const int op);
71130 ++extern int gr_handle_chroot_sysctl(const int op);
71131 +
71132 + /* External variables not in a header file. */
71133 + extern int C_A_D;
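Review bot: three `extern` prototypes for gr_handle_sysctl(), gr_handle_sysctl_mod() and gr_handle_chroot_sysctl() are added to kernel/sysctl.c immediately after including linux/grsecurity.h and linux/grinternal.h; if those headers already declare them the duplicates are noise, and if they do not, the prototypes belong in the header so every caller sees one signature. gr_handle_sysctl() is also declared to return __u32 but is assigned to an `int error` and returned as an errno in the sysctl_perm() hunk below; declare it `int`.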
71134 +@@ -154,10 +161,11 @@ static int proc_do_cad_pid(struct ctl_ta
71135 + static int proc_dointvec_taint(struct ctl_table *table, int write, struct file *filp,
71136 + void __user *buffer, size_t *lenp, loff_t *ppos);
71137 + #endif
71138 ++extern ctl_table grsecurity_table[];
71139 +
71140 + static struct ctl_table root_table[];
71141 + static struct ctl_table_header root_table_header =
71142 +- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
71143 ++ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
71144 +
71145 + static struct ctl_table kern_table[];
71146 + static struct ctl_table vm_table[];
71147 +@@ -173,6 +181,21 @@ extern struct ctl_table inotify_table[];
71148 + int sysctl_legacy_va_layout;
71149 + #endif
71150 +
71151 ++#ifdef CONFIG_PAX_SOFTMODE
71152 ++static ctl_table pax_table[] = {
71153 ++ {
71154 ++ .ctl_name = CTL_UNNUMBERED,
71155 ++ .procname = "softmode",
71156 ++ .data = &pax_softmode,
71157 ++ .maxlen = sizeof(unsigned int),
71158 ++ .mode = 0600,
71159 ++ .proc_handler = &proc_dointvec,
71160 ++ },
71161 ++
71162 ++ { .ctl_name = 0 }
71163 ++};
71164 ++#endif
71165 ++
71166 + extern int prove_locking;
71167 + extern int lock_stat;
71168 +
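Review bot: the `softmode` entry uses proc_dointvec with no bounds, so any integer can be written into pax_softmode although the setting reads as a yes/no switch; proc_dointvec_minmax with .extra1/.extra2 of 0 and 1 would reject garbage. No declaration of pax_softmode is visible in this hunk, so it must come from one of the headers included under CONFIG_SYSCTL above; confirm that. Mode 0600 on the file together with 0500 on the `pax` directory (next hunk) restricts it to root, which is the right default for a knob that weakens enforcement. This hunk also shows the `{ .ctl_name = 0 }` sentinel that the positional initializers elsewhere in the patch should be using.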
71169 +@@ -217,6 +240,16 @@ static struct ctl_table root_table[] = {
71170 + .mode = 0555,
71171 + .child = dev_table,
71172 + },
71173 ++
71174 ++#ifdef CONFIG_PAX_SOFTMODE
71175 ++ {
71176 ++ .ctl_name = CTL_UNNUMBERED,
71177 ++ .procname = "pax",
71178 ++ .mode = 0500,
71179 ++ .child = pax_table,
71180 ++ },
71181 ++#endif
71182 ++
71183 + /*
71184 + * NOTE: do not add new entries to this table unless you have read
71185 + * Documentation/sysctl/ctl_unnumbered.txt
71186 +@@ -775,6 +808,14 @@ static struct ctl_table kern_table[] = {
71187 + .proc_handler = &proc_dostring,
71188 + .strategy = &sysctl_string,
71189 + },
71190 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
71191 ++ {
71192 ++ .ctl_name = CTL_UNNUMBERED,
71193 ++ .procname = "grsecurity",
71194 ++ .mode = 0500,
71195 ++ .child = grsecurity_table,
71196 ++ },
71197 ++#endif
71198 + /*
71199 + * NOTE: do not add new entries to this table unless you have read
71200 + * Documentation/sysctl/ctl_unnumbered.txt
71201 +@@ -1394,6 +1435,25 @@ static int test_perm(int mode, int op)
71202 + int sysctl_perm(struct ctl_table *table, int op)
71203 + {
71204 + int error;
71205 ++ if (table->parent != NULL && table->parent->procname != NULL &&
71206 ++ table->procname != NULL &&
71207 ++ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71208 ++ return -EACCES;
71209 ++ if (gr_handle_chroot_sysctl(op))
71210 ++ return -EACCES;
71211 ++ error = gr_handle_sysctl(table, op);
71212 ++ if (error)
71213 ++ return error;
71214 ++ error = security_sysctl(table, op);
71215 ++ if (error)
71216 ++ return error;
71217 ++ return test_perm(table->mode, op);
71218 ++}
71219 ++
71220 ++int sysctl_perm_nochk(ctl_table *table, int op)
71221 ++{
71222 ++ int error;
71223 ++
71224 + error = security_sysctl(table, op);
71225 + if (error)
71226 + return error;
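Review bot: the new checks in sysctl_perm() run gr_handle_sysctl_mod() (which dereferences table->parent->procname, guarded by the NULL tests) and gr_handle_chroot_sysctl() ahead of security_sysctl() and test_perm(), so grsec policy is decided before the LSM and the mode bits; that ordering is fine, but the two early returns use -EACCES while gr_handle_sysctl() returns its own code, so callers see a mix of errnos for "denied by grsec". `error` is int while gr_handle_sysctl() is declared __u32 in the prototype hunk above; fix the prototype. sysctl_perm_nochk() is a new non-static function with no header declaration and, as far as this patch shows, a single caller in this file; make it static or declare it.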
71227 +@@ -1418,13 +1478,14 @@ repeat:
71228 + if (n == table->ctl_name) {
71229 + int error;
71230 + if (table->child) {
71231 +- if (sysctl_perm(table, 001))
71232 ++ if (sysctl_perm_nochk(table, 001))
71233 + return -EPERM;
71234 + name++;
71235 + nlen--;
71236 + table = table->child;
71237 + goto repeat;
71238 + }
71239 ++
71240 + error = do_sysctl_strategy(table, name, nlen,
71241 + oldval, oldlenp,
71242 + newval, newlen);
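Review bot: switching the directory-walk check to sysctl_perm_nochk() means that on the binary sysctl(2) path intermediate directories are no longer subject to gr_handle_sysctl_mod()/gr_handle_chroot_sysctl()/gr_handle_sysctl(); only whatever do_sysctl_strategy() does on the leaf applies. That is presumably the point of the `_nochk` variant (no spurious denials or log lines for parent directories), but confirm that the leaf path still ends in the full sysctl_perm(), otherwise the numeric interface sidesteps restrictions that the /proc/sys path enforces. The added blank line before `error = do_sysctl_strategy(` is a whitespace-only change; drop it.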
71243 +diff -urNp linux-2.6.24.5/kernel/time.c linux-2.6.24.5/kernel/time.c
71244 +--- linux-2.6.24.5/kernel/time.c 2008-03-24 14:49:18.000000000 -0400
71245 ++++ linux-2.6.24.5/kernel/time.c 2008-03-26 20:21:09.000000000 -0400
71246 +@@ -35,6 +35,7 @@
71247 + #include <linux/syscalls.h>
71248 + #include <linux/security.h>
71249 + #include <linux/fs.h>
71250 ++#include <linux/grsecurity.h>
71251 +
71252 + #include <asm/uaccess.h>
71253 + #include <asm/unistd.h>
71254 +@@ -88,6 +89,9 @@ asmlinkage long sys_stime(time_t __user
71255 + return err;
71256 +
71257 + do_settimeofday(&tv);
71258 ++
71259 ++ gr_log_timechange();
71260 ++
71261 + return 0;
71262 + }
71263 +
71264 +@@ -194,6 +198,8 @@ asmlinkage long sys_settimeofday(struct
71265 + return -EFAULT;
71266 + }
71267 +
71268 ++ gr_log_timechange();
71269 ++
71270 + return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
71271 + }
71272 +
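Review bot: gr_log_timechange() is called before do_sys_settimeofday(), which can still refuse the request (it performs its own permission check), so a denied attempt is logged as a completed time change; the sys_stime() hunk above logs only after do_settimeofday() has run. Capture the return value here and log only when it is zero, so both syscalls record the same event.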
71273 +@@ -232,7 +238,7 @@ EXPORT_SYMBOL(current_fs_time);
71274 + * Avoid unnecessary multiplications/divisions in the
71275 + * two most common HZ cases:
71276 + */
71277 +-unsigned int inline jiffies_to_msecs(const unsigned long j)
71278 ++inline unsigned int jiffies_to_msecs(const unsigned long j)
71279 + {
71280 + #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
71281 + return (MSEC_PER_SEC / HZ) * j;
71282 +@@ -244,7 +250,7 @@ unsigned int inline jiffies_to_msecs(con
71283 + }
71284 + EXPORT_SYMBOL(jiffies_to_msecs);
71285 +
71286 +-unsigned int inline jiffies_to_usecs(const unsigned long j)
71287 ++inline unsigned int jiffies_to_usecs(const unsigned long j)
71288 + {
71289 + #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
71290 + return (USEC_PER_SEC / HZ) * j;
71291 +diff -urNp linux-2.6.24.5/kernel/utsname_sysctl.c linux-2.6.24.5/kernel/utsname_sysctl.c
71292 +--- linux-2.6.24.5/kernel/utsname_sysctl.c 2008-03-24 14:49:18.000000000 -0400
71293 ++++ linux-2.6.24.5/kernel/utsname_sysctl.c 2008-03-26 20:21:09.000000000 -0400
71294 +@@ -125,7 +125,7 @@ static struct ctl_table uts_kern_table[]
71295 + .proc_handler = proc_do_uts_string,
71296 + .strategy = sysctl_uts_string,
71297 + },
71298 +- {}
71299 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
71300 + };
71301 +
71302 + static struct ctl_table uts_root_table[] = {
71303 +@@ -135,7 +135,7 @@ static struct ctl_table uts_root_table[]
71304 + .mode = 0555,
71305 + .child = uts_kern_table,
71306 + },
71307 +- {}
71308 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
71309 + };
71310 +
71311 + static int __init utsname_sysctl_init(void)
71312 +diff -urNp linux-2.6.24.5/lib/radix-tree.c linux-2.6.24.5/lib/radix-tree.c
71313 +--- linux-2.6.24.5/lib/radix-tree.c 2008-03-24 14:49:18.000000000 -0400
71314 ++++ linux-2.6.24.5/lib/radix-tree.c 2008-03-26 20:21:09.000000000 -0400
71315 +@@ -81,7 +81,7 @@ struct radix_tree_preload {
71316 + int nr;
71317 + struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
71318 + };
71319 +-DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
71320 ++DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
71321 +
71322 + static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
71323 + {
71324 +diff -urNp linux-2.6.24.5/localversion-grsec linux-2.6.24.5/localversion-grsec
71325 +--- linux-2.6.24.5/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
71326 ++++ linux-2.6.24.5/localversion-grsec 2008-03-26 20:21:09.000000000 -0400
71327 +@@ -0,0 +1 @@
71328 ++-grsec
71329 +diff -urNp linux-2.6.24.5/Makefile linux-2.6.24.5/Makefile
71330 +--- linux-2.6.24.5/Makefile 2008-04-17 20:05:17.000000000 -0400
71331 ++++ linux-2.6.24.5/Makefile 2008-04-17 20:05:00.000000000 -0400
71332 +@@ -214,7 +214,7 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
71333 +
71334 + HOSTCC = gcc
71335 + HOSTCXX = g++
71336 +-HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
71337 ++HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
71338 + HOSTCXXFLAGS = -O2
71339 +
71340 + # Decide whether to build built-in, modular, or both.
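Review bot: `-W -Wno-unused -Wno-sign-compare` is added to HOSTCFLAGS, which only applies to host-side programs (scripts/, kconfig, fixdep), not to the kernel, and -Wno-unused switches off warnings that plain -Wall had enabled, so the result is a different warning set for host tools rather than a stricter build. This has no bearing on the kernel's hardening and deserves a sentence in the patch description or should be split out.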
71341 +@@ -507,6 +507,9 @@ else
71342 + KBUILD_CFLAGS += -O2
71343 + endif
71344 +
71345 ++# Force gcc to behave correct even for buggy distributions
71346 ++KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
71347 ++
71348 + include $(srctree)/arch/$(SRCARCH)/Makefile
71349 +
71350 + ifdef CONFIG_FRAME_POINTER
71351 +@@ -520,9 +523,6 @@ KBUILD_CFLAGS += -g
71352 + KBUILD_AFLAGS += -gdwarf-2
71353 + endif
71354 +
71355 +-# Force gcc to behave correct even for buggy distributions
71356 +-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
71357 +-
71358 + # arch Makefile may override CC so keep this after arch Makefile is included
71359 + NOSTDINC_FLAGS += -nostdinc -isystem $(shell $(CC) -print-file-name=include)
71360 + CHECKFLAGS += $(NOSTDINC_FLAGS)
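Review bot: moving `KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)` from after the arch Makefile include to before it is a real ordering change: gcc honours the last -f[no-]stack-protector on the command line, so previously any -fstack-protector appended by arch/$(SRCARCH)/Makefile was overridden, and now it wins. That is presumably the intent (let the architecture decide), but the unchanged comment "Force gcc to behave correct even for buggy distributions" no longer describes what the line does in its new position; reword it to say the arch Makefile may re-enable the protector after this default.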
71361 +@@ -597,7 +597,7 @@ export mod_strip_cmd
71362 +
71363 +
71364 + ifeq ($(KBUILD_EXTMOD),)
71365 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
71366 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
71367 +
71368 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
71369 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
71370 +diff -urNp linux-2.6.24.5/mm/filemap.c linux-2.6.24.5/mm/filemap.c
71371 +--- linux-2.6.24.5/mm/filemap.c 2008-03-24 14:49:18.000000000 -0400
71372 ++++ linux-2.6.24.5/mm/filemap.c 2008-03-26 20:21:09.000000000 -0400
71373 +@@ -33,6 +33,7 @@
71374 + #include <linux/syscalls.h>
71375 + #include <linux/cpuset.h>
71376 + #include <linux/hardirq.h> /* for BUG_ON(!in_atomic()) only */
71377 ++#include <linux/grsecurity.h>
71378 + #include "internal.h"
71379 +
71380 + /*
71381 +@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
71382 + struct address_space *mapping = file->f_mapping;
71383 +
71384 + if (!mapping->a_ops->readpage)
71385 +- return -ENOEXEC;
71386 ++ return -ENODEV;
71387 + file_accessed(file);
71388 + vma->vm_ops = &generic_file_vm_ops;
71389 + vma->vm_flags |= VM_CAN_NONLINEAR;
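Review bot: changing the errno from -ENOEXEC to -ENODEV for mmap() of a file whose address_space has no readpage is a user-visible ABI change. It matches mmap(2), which lists ENODEV for a filesystem that does not support memory mapping, so it is arguably a fix, but any userspace that special-cases ENOEXEC here changes behaviour, and nothing about it is security-related; it needs a line in the patch description or should be dropped from a hardening patch.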
71390 +@@ -1810,6 +1811,7 @@ inline int generic_write_checks(struct f
71391 + *pos = i_size_read(inode);
71392 +
71393 + if (limit != RLIM_INFINITY) {
71394 ++ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
71395 + if (*pos >= limit) {
71396 + send_sig(SIGXFSZ, current, 0);
71397 + return -EFBIG;
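Review bot: gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0) is reached only inside `if (limit != RLIM_INFINITY)`, so a process running with an unlimited file-size rlimit never reports its write positions to the learning hook; if learning mode is meant to discover a sensible RLIMIT_FSIZE for such processes, the call has to move above that test. Style: missing space after the comma in `RLIMIT_FSIZE,*pos`.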
71398 +diff -urNp linux-2.6.24.5/mm/fremap.c linux-2.6.24.5/mm/fremap.c
71399 +--- linux-2.6.24.5/mm/fremap.c 2008-03-24 14:49:18.000000000 -0400
71400 ++++ linux-2.6.24.5/mm/fremap.c 2008-03-26 20:21:09.000000000 -0400
71401 +@@ -150,6 +150,13 @@ asmlinkage long sys_remap_file_pages(uns
71402 + retry:
71403 + vma = find_vma(mm, start);
71404 +
71405 ++#ifdef CONFIG_PAX_SEGMEXEC
71406 ++ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
71407 ++ up_read(&mm->mmap_sem);
71408 ++ return err;
71409 ++ }
71410 ++#endif
71411 ++
71412 + /*
71413 + * Make sure the vma is shared, that it supports prefaulting,
71414 + * and that the remapped range is valid and fully within
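Review bot: the early `return err` under CONFIG_PAX_SEGMEXEC returns whatever `err` held when the retry loop was entered; nothing in this hunk sets it, so the refusal depends on the function's initial `err = -EINVAL` staying in place. Set it explicitly before the return so a later change to the initialisation cannot turn this refusal into silent success. The refusal is also what keeps nonlinear (pte_file) entries out of exec-capable mappings, which the `BUG_ON(pte_file(entry))` in mm/memory.c's pax_unmap_mirror_pte() relies on; a comment linking the two would help.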
71415 +diff -urNp linux-2.6.24.5/mm/hugetlb.c linux-2.6.24.5/mm/hugetlb.c
71416 +--- linux-2.6.24.5/mm/hugetlb.c 2008-03-24 14:49:18.000000000 -0400
71417 ++++ linux-2.6.24.5/mm/hugetlb.c 2008-03-26 20:21:09.000000000 -0400
71418 +@@ -797,6 +797,26 @@ void unmap_hugepage_range(struct vm_area
71419 + }
71420 + }
71421 +
71422 ++#ifdef CONFIG_PAX_SEGMEXEC
71423 ++static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71424 ++{
71425 ++ struct mm_struct *mm = vma->vm_mm;
71426 ++ struct vm_area_struct *vma_m;
71427 ++ unsigned long address_m;
71428 ++ pte_t *ptep_m;
71429 ++
71430 ++ vma_m = pax_find_mirror_vma(vma);
71431 ++ if (!vma_m)
71432 ++ return;
71433 ++
71434 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71435 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71436 ++ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71437 ++ get_page(page_m);
71438 ++ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71439 ++}
71440 ++#endif
71441 ++
71442 + static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
71443 + unsigned long address, pte_t *ptep, pte_t pte)
71444 + {
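Review bot: pax_mirror_huge_pte() passes the result of huge_pte_offset() for the mirror address straight to set_huge_pte_at() without a NULL check, so it depends on the hugetlb_fault() hunk below having called huge_pte_alloc(mm, address_m) on every path that reaches hugetlb_cow() and hugetlb_no_page(). That holds for the fault path, but a `BUG_ON(!ptep_m)` or a comment naming the invariant would make the dependency visible to the next person who adds a caller.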
71445 +@@ -830,6 +850,11 @@ static int hugetlb_cow(struct mm_struct
71446 + /* Break COW */
71447 + set_huge_pte_at(mm, address, ptep,
71448 + make_huge_pte(vma, new_page, 1));
71449 ++
71450 ++#ifdef CONFIG_PAX_SEGMEXEC
71451 ++ pax_mirror_huge_pte(vma, address, new_page);
71452 ++#endif
71453 ++
71454 + /* Make the old page be freed below */
71455 + new_page = old_page;
71456 + }
71457 +@@ -901,6 +926,10 @@ retry:
71458 + && (vma->vm_flags & VM_SHARED)));
71459 + set_huge_pte_at(mm, address, ptep, new_pte);
71460 +
71461 ++#ifdef CONFIG_PAX_SEGMEXEC
71462 ++ pax_mirror_huge_pte(vma, address, page);
71463 ++#endif
71464 ++
71465 + if (write_access && !(vma->vm_flags & VM_SHARED)) {
71466 + /* Optimization, do the COW without a second fault */
71467 + ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
71468 +@@ -926,6 +955,27 @@ int hugetlb_fault(struct mm_struct *mm,
71469 + int ret;
71470 + static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71471 +
71472 ++#ifdef CONFIG_PAX_SEGMEXEC
71473 ++ struct vm_area_struct *vma_m;
71474 ++
71475 ++ vma_m = pax_find_mirror_vma(vma);
71476 ++ if (vma_m) {
71477 ++ unsigned long address_m;
71478 ++
71479 ++ if (vma->vm_start > vma_m->vm_start) {
71480 ++ address_m = address;
71481 ++ address -= SEGMEXEC_TASK_SIZE;
71482 ++ vma = vma_m;
71483 ++ } else
71484 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71485 ++
71486 ++ if (!huge_pte_alloc(mm, address_m))
71487 ++ return VM_FAULT_OOM;
71488 ++ address_m &= HPAGE_MASK;
71489 ++ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
71490 ++ }
71491 ++#endif
71492 ++
71493 + ptep = huge_pte_alloc(mm, address);
71494 + if (!ptep)
71495 + return VM_FAULT_OOM;
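Review bot: when the fault lands in the mirror (`vma->vm_start > vma_m->vm_start`) the code swaps to the lower vma and rewrites `address`, then calls unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE) with the lower vma but the upper address range; this relies on the unmap path keying on vma->vm_mm and the explicit range rather than on the vma's own bounds, and should be commented. The unconditional unmap also empties the mirror slot before the fault is handled, so if hugetlb_no_page()/hugetlb_cow() then fail (VM_FAULT_OOM or SIGBUS) the mirror stays empty until the next fault there; acceptable, but note that the `huge_pte_alloc(mm, address_m)` here is what makes the unchecked huge_pte_offset() in pax_mirror_huge_pte() above safe.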
71496 +diff -urNp linux-2.6.24.5/mm/madvise.c linux-2.6.24.5/mm/madvise.c
71497 +--- linux-2.6.24.5/mm/madvise.c 2008-03-24 14:49:18.000000000 -0400
71498 ++++ linux-2.6.24.5/mm/madvise.c 2008-03-26 20:21:09.000000000 -0400
71499 +@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
71500 + pgoff_t pgoff;
71501 + int new_flags = vma->vm_flags;
71502 +
71503 ++#ifdef CONFIG_PAX_SEGMEXEC
71504 ++ struct vm_area_struct *vma_m;
71505 ++#endif
71506 ++
71507 + switch (behavior) {
71508 + case MADV_NORMAL:
71509 + new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71510 +@@ -92,6 +96,13 @@ success:
71511 + /*
71512 + * vm_flags is protected by the mmap_sem held in write mode.
71513 + */
71514 ++
71515 ++#ifdef CONFIG_PAX_SEGMEXEC
71516 ++ vma_m = pax_find_mirror_vma(vma);
71517 ++ if (vma_m)
71518 ++ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71519 ++#endif
71520 ++
71521 + vma->vm_flags = new_flags;
71522 +
71523 + out:
71524 +@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
71525 +
71526 + case MADV_DONTNEED:
71527 + error = madvise_dontneed(vma, prev, start, end);
71528 ++
71529 ++#ifdef CONFIG_PAX_SEGMEXEC
71530 ++ if (!error) {
71531 ++ struct vm_area_struct *vma_m, *prev_m;
71532 ++
71533 ++ vma_m = pax_find_mirror_vma(vma);
71534 ++ if (vma_m)
71535 ++ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
71536 ++ }
71537 ++#endif
71538 ++
71539 + break;
71540 +
71541 + default:
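Review bot: the mirror call passes `&prev_m` only to satisfy madvise_dontneed()'s signature and never reads it, and it derives the mirror range by adding SEGMEXEC_TASK_SIZE to start/end without re-checking them against vma_m's bounds; that is safe because the sys_madvise() hunk below rejects `end > SEGMEXEC_TASK_SIZE` for SEGMEXEC tasks, but a comment here should point at that check. If the mirror call fails, `error` overwrites the primary's success after the primary range has already been zapped, so the caller is told the operation failed although half of it was applied.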
71542 +@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
71543 + if (end < start)
71544 + goto out;
71545 +
71546 ++#ifdef CONFIG_PAX_SEGMEXEC
71547 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71548 ++ if (end > SEGMEXEC_TASK_SIZE)
71549 ++ goto out;
71550 ++ } else
71551 ++#endif
71552 ++
71553 ++ if (end > TASK_SIZE)
71554 ++ goto out;
71555 ++
71556 + error = 0;
71557 + if (end == start)
71558 + goto out;
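Review bot: the `} else` of the SEGMEXEC branch is followed by `#endif` and its body is the `if (end > TASK_SIZE)` after the preprocessor line, so the else binds across a conditional-compilation boundary; it compiles both ways but is fragile on the next edit. Compute the bound first (a local set to SEGMEXEC_TASK_SIZE or TASK_SIZE under the #ifdef) and use one `if (end > limit) goto out;`. The `goto out` here returns the function's initial -EINVAL, consistent with the `end < start` check just above it.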
71559 +diff -urNp linux-2.6.24.5/mm/memory.c linux-2.6.24.5/mm/memory.c
71560 +--- linux-2.6.24.5/mm/memory.c 2008-03-24 14:49:18.000000000 -0400
71561 ++++ linux-2.6.24.5/mm/memory.c 2008-03-26 20:21:16.000000000 -0400
71562 +@@ -50,6 +50,7 @@
71563 + #include <linux/delayacct.h>
71564 + #include <linux/init.h>
71565 + #include <linux/writeback.h>
71566 ++#include <linux/grsecurity.h>
71567 +
71568 + #include <asm/pgalloc.h>
71569 + #include <asm/uaccess.h>
71570 +@@ -990,11 +991,11 @@ int get_user_pages(struct task_struct *t
71571 + vm_flags &= force ? (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
71572 + i = 0;
71573 +
71574 +- do {
71575 ++ while (len) {
71576 + struct vm_area_struct *vma;
71577 + unsigned int foll_flags;
71578 +
71579 +- vma = find_extend_vma(mm, start);
71580 ++ vma = find_vma(mm, start);
71581 + if (!vma && in_gate_area(tsk, start)) {
71582 + unsigned long pg = start & PAGE_MASK;
71583 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
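Review bot: replacing find_extend_vma() with find_vma() and adding the `start < vma->vm_start` test in the next hunk removes the kernel-side stack growth that get_user_pages() used to perform when a caller touched the gap below a growsdown vma; such accesses now fail with -EFAULT instead of extending the stack. That is a deliberate hardening (ptrace and access_process_vm() can no longer grow a target's stack on its behalf), but it changes behaviour for every GUP user and needs a sentence in the patch description. The `do { ... } while (len)` to `while (len) { ... }` conversion also stops the body from running once for len == 0, which the old form did.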
71584 +@@ -1034,7 +1035,7 @@ int get_user_pages(struct task_struct *t
71585 + continue;
71586 + }
71587 +
71588 +- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
71589 ++ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
71590 + || !(vm_flags & vma->vm_flags))
71591 + return i ? : -EFAULT;
71592 +
71593 +@@ -1107,7 +1108,7 @@ int get_user_pages(struct task_struct *t
71594 + start += PAGE_SIZE;
71595 + len--;
71596 + } while (len && start < vma->vm_end);
71597 +- } while (len);
71598 ++ }
71599 + return i;
71600 + }
71601 + EXPORT_SYMBOL(get_user_pages);
71602 +@@ -1526,6 +1527,186 @@ static inline void cow_user_page(struct
71603 + copy_user_highpage(dst, src, va, vma);
71604 + }
71605 +
71606 ++#ifdef CONFIG_PAX_SEGMEXEC
71607 ++static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
71608 ++{
71609 ++ struct mm_struct *mm = vma->vm_mm;
71610 ++ spinlock_t *ptl;
71611 ++ pte_t *pte, entry;
71612 ++
71613 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
71614 ++ entry = *pte;
71615 ++ if (!pte_present(entry)) {
71616 ++ if (!pte_none(entry)) {
71617 ++ BUG_ON(pte_file(entry));
71618 ++ free_swap_and_cache(pte_to_swp_entry(entry));
71619 ++ pte_clear_not_present_full(mm, address, pte, 0);
71620 ++ }
71621 ++ } else {
71622 ++ struct page *page;
71623 ++
71624 ++ flush_cache_page(vma, address, pte_pfn(entry));
71625 ++ entry = ptep_clear_flush(vma, address, pte);
71626 ++ BUG_ON(pte_dirty(entry));
71627 ++ page = vm_normal_page(vma, address, entry);
71628 ++ if (page) {
71629 ++ update_hiwater_rss(mm);
71630 ++ if (PageAnon(page))
71631 ++ dec_mm_counter(mm, anon_rss);
71632 ++ else
71633 ++ dec_mm_counter(mm, file_rss);
71634 ++ page_remove_rmap(page, vma);
71635 ++ page_cache_release(page);
71636 ++ }
71637 ++ }
71638 ++ pte_unmap_unlock(pte, ptl);
71639 ++}
71640 ++
71641 ++/* PaX: if vma is mirrored, synchronize the mirror's PTE
71642 ++ *
71643 ++ * the ptl of the lower mapped page is held on entry and is not released on exit
71644 ++ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
71645 ++ */
71646 ++static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71647 ++{
71648 ++ struct mm_struct *mm = vma->vm_mm;
71649 ++ unsigned long address_m;
71650 ++ spinlock_t *ptl_m;
71651 ++ struct vm_area_struct *vma_m;
71652 ++ pmd_t *pmd_m;
71653 ++ pte_t *pte_m, entry_m;
71654 ++
71655 ++ BUG_ON(!page_m || !PageAnon(page_m));
71656 ++
71657 ++ vma_m = pax_find_mirror_vma(vma);
71658 ++ if (!vma_m)
71659 ++ return;
71660 ++
71661 ++ BUG_ON(!PageLocked(page_m));
71662 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71663 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71664 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71665 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71666 ++ ptl_m = pte_lockptr(mm, pmd_m);
71667 ++ if (ptl != ptl_m) {
71668 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71669 ++ if (!pte_none(*pte_m))
71670 ++ goto out;
71671 ++ }
71672 ++
71673 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71674 ++ page_cache_get(page_m);
71675 ++ page_add_anon_rmap(page_m, vma_m, address_m);
71676 ++ inc_mm_counter(mm, anon_rss);
71677 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71678 ++ update_mmu_cache(vma_m, address_m, entry_m);
71679 ++out:
71680 ++ if (ptl != ptl_m)
71681 ++ spin_unlock(ptl_m);
71682 ++ pte_unmap_nested(pte_m);
71683 ++ unlock_page(page_m);
71684 ++}
71685 ++
71686 ++void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71687 ++{
71688 ++ struct mm_struct *mm = vma->vm_mm;
71689 ++ unsigned long address_m;
71690 ++ spinlock_t *ptl_m;
71691 ++ struct vm_area_struct *vma_m;
71692 ++ pmd_t *pmd_m;
71693 ++ pte_t *pte_m, entry_m;
71694 ++
71695 ++ BUG_ON(!page_m || PageAnon(page_m));
71696 ++
71697 ++ vma_m = pax_find_mirror_vma(vma);
71698 ++ if (!vma_m)
71699 ++ return;
71700 ++
71701 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71702 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71703 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71704 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71705 ++ ptl_m = pte_lockptr(mm, pmd_m);
71706 ++ if (ptl != ptl_m) {
71707 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71708 ++ if (!pte_none(*pte_m))
71709 ++ goto out;
71710 ++ }
71711 ++
71712 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71713 ++ page_cache_get(page_m);
71714 ++ page_add_file_rmap(page_m);
71715 ++ inc_mm_counter(mm, file_rss);
71716 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71717 ++ update_mmu_cache(vma_m, address_m, entry_m);
71718 ++out:
71719 ++ if (ptl != ptl_m)
71720 ++ spin_unlock(ptl_m);
71721 ++ pte_unmap_nested(pte_m);
71722 ++}
71723 ++
71724 ++static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
71725 ++{
71726 ++ struct mm_struct *mm = vma->vm_mm;
71727 ++ unsigned long address_m;
71728 ++ spinlock_t *ptl_m;
71729 ++ struct vm_area_struct *vma_m;
71730 ++ pmd_t *pmd_m;
71731 ++ pte_t *pte_m, entry_m;
71732 ++
71733 ++ vma_m = pax_find_mirror_vma(vma);
71734 ++ if (!vma_m)
71735 ++ return;
71736 ++
71737 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71738 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71739 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71740 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
71741 ++ ptl_m = pte_lockptr(mm, pmd_m);
71742 ++ if (ptl != ptl_m) {
71743 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71744 ++ if (!pte_none(*pte_m))
71745 ++ goto out;
71746 ++ }
71747 ++
71748 ++ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
71749 ++ set_pte_at(mm, address_m, pte_m, entry_m);
71750 ++out:
71751 ++ if (ptl != ptl_m)
71752 ++ spin_unlock(ptl_m);
71753 ++ pte_unmap_nested(pte_m);
71754 ++}
71755 ++
71756 ++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
71757 ++{
71758 ++ struct page *page_m;
71759 ++ pte_t entry;
71760 ++
71761 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
71762 ++ goto out;
71763 ++
71764 ++ entry = *pte;
71765 ++ page_m = vm_normal_page(vma, address, entry);
71766 ++ if (!page_m)
71767 ++ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
71768 ++ else if (PageAnon(page_m)) {
71769 ++ if (pax_find_mirror_vma(vma)) {
71770 ++ pte_unmap_unlock(pte, ptl);
71771 ++ lock_page(page_m);
71772 ++ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
71773 ++ if (pte_same(entry, *pte))
71774 ++ pax_mirror_anon_pte(vma, address, page_m, ptl);
71775 ++ else
71776 ++ unlock_page(page_m);
71777 ++ }
71778 ++ } else
71779 ++ pax_mirror_file_pte(vma, address, page_m, ptl);
71780 ++
71781 ++out:
71782 ++ pte_unmap_unlock(pte, ptl);
71783 ++}
71784 ++#endif
71785 ++
71786 + /*
71787 + * This routine handles present pages, when users try to write
71788 + * to a shared page. It is done by copying the page to a new address
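Review bot: in pax_mirror_pte the `else if (PageAnon(page_m)) { ... } else` chain braces only the middle branch; kernel style braces every branch once one of them needs it. The drop-and-retake of the pte lock around `lock_page(page_m)` with the `pte_same(entry, *pte)` recheck also deserves a comment saying what happens on a mismatch (the page is unlocked, no mirror entry is installed and the fault still completes), and pax_mirror_file_pte above should explain why the `!pte_none(*pte_m)` guard is only needed when the mirror pte lives under a different lock (`ptl != ptl_m`); when both ptes share a lock the earlier pax_unmap_mirror_pte cannot have been raced, but that is not obvious from the code.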
71789 +@@ -1638,6 +1819,12 @@ gotten:
71790 + */
71791 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71792 + if (likely(pte_same(*page_table, orig_pte))) {
71793 ++
71794 ++#ifdef CONFIG_PAX_SEGMEXEC
71795 ++ if (pax_find_mirror_vma(vma))
71796 ++ BUG_ON(TestSetPageLocked(new_page));
71797 ++#endif
71798 ++
71799 + if (old_page) {
71800 + page_remove_rmap(old_page, vma);
71801 + if (!PageAnon(old_page)) {
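Review bot: `BUG_ON(TestSetPageLocked(new_page))` puts the real work, taking the page lock, inside the assertion's argument. BUG_ON always evaluates its condition in Linux, but side effects inside BUG_ON are discouraged and easy to misread as a pure check; prefer `if (TestSetPageLocked(new_page)) BUG();` with a comment that the lock is handed to pax_mirror_anon_pte. The same construct appears again in do_anonymous_page and __do_fault below.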
71802 +@@ -1661,6 +1848,10 @@ gotten:
71803 + lru_cache_add_active(new_page);
71804 + page_add_new_anon_rmap(new_page, vma, address);
71805 +
71806 ++#ifdef CONFIG_PAX_SEGMEXEC
71807 ++ pax_mirror_anon_pte(vma, address, new_page, ptl);
71808 ++#endif
71809 ++
71810 + /* Free the old page.. */
71811 + new_page = old_page;
71812 + ret |= VM_FAULT_WRITE;
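Review bot: the page lock taken under `if (pax_find_mirror_vma(vma))` in the previous hunk is presumably released inside `pax_mirror_anon_pte(vma, address, new_page, ptl)` here, so the lock/unlock pair is split across two hunks with nothing in between saying so. Add a comment at this call site that pax_mirror_anon_pte consumes the page lock and returns early when there is no mirror vma (the case in which no lock was taken).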
71813 +@@ -1941,6 +2132,7 @@ int vmtruncate(struct inode * inode, lof
71814 +
71815 + do_expand:
71816 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
71817 ++ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
71818 + if (limit != RLIM_INFINITY && offset > limit)
71819 + goto out_sig;
71820 + if (offset > inode->i_sb->s_maxbytes)
71821 +@@ -2123,6 +2315,11 @@ static int do_swap_page(struct mm_struct
71822 + swap_free(entry);
71823 + if (vm_swap_full())
71824 + remove_exclusive_swap_page(page);
71825 ++
71826 ++#ifdef CONFIG_PAX_SEGMEXEC
71827 ++ if (write_access || !pax_find_mirror_vma(vma))
71828 ++#endif
71829 ++
71830 + unlock_page(page);
71831 +
71832 + if (write_access) {
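Review bot: the `#ifdef CONFIG_PAX_SEGMEXEC` block ends with a bare `if (write_access || !pax_find_mirror_vma(vma))` whose body is the pre-existing `unlock_page(page)` two blank lines later, outside the `#endif`. That reads like an empty conditional and silently breaks if anything is ever inserted between the `#endif` and `unlock_page`. Compute the condition into a local (for example `keep_locked`) and write an ordinary `if (!keep_locked) unlock_page(page);`. The same preprocessor-split `if`/`else` pattern recurs in do_mbind, do_mlock and the CONFIG_PAX_RANDMMAP hunks in mmap.c.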
71833 +@@ -2135,6 +2332,11 @@ static int do_swap_page(struct mm_struct
71834 +
71835 + /* No need to invalidate - it was non-present before */
71836 + update_mmu_cache(vma, address, pte);
71837 ++
71838 ++#ifdef CONFIG_PAX_SEGMEXEC
71839 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71840 ++#endif
71841 ++
71842 + unlock:
71843 + pte_unmap_unlock(page_table, ptl);
71844 + out:
71845 +@@ -2174,6 +2376,12 @@ static int do_anonymous_page(struct mm_s
71846 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71847 + if (!pte_none(*page_table))
71848 + goto release;
71849 ++
71850 ++#ifdef CONFIG_PAX_SEGMEXEC
71851 ++ if (pax_find_mirror_vma(vma))
71852 ++ BUG_ON(TestSetPageLocked(page));
71853 ++#endif
71854 ++
71855 + inc_mm_counter(mm, anon_rss);
71856 + lru_cache_add_active(page);
71857 + page_add_new_anon_rmap(page, vma, address);
71858 +@@ -2181,6 +2389,11 @@ static int do_anonymous_page(struct mm_s
71859 +
71860 + /* No need to invalidate - it was non-present before */
71861 + update_mmu_cache(vma, address, entry);
71862 ++
71863 ++#ifdef CONFIG_PAX_SEGMEXEC
71864 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71865 ++#endif
71866 ++
71867 + unlock:
71868 + pte_unmap_unlock(page_table, ptl);
71869 + return 0;
71870 +@@ -2313,6 +2526,12 @@ static int __do_fault(struct mm_struct *
71871 + */
71872 + /* Only go through if we didn't race with anybody else... */
71873 + if (likely(pte_same(*page_table, orig_pte))) {
71874 ++
71875 ++#ifdef CONFIG_PAX_SEGMEXEC
71876 ++ if (anon && pax_find_mirror_vma(vma))
71877 ++ BUG_ON(TestSetPageLocked(page));
71878 ++#endif
71879 ++
71880 + flush_icache_page(vma, page);
71881 + entry = mk_pte(page, vma->vm_page_prot);
71882 + if (flags & FAULT_FLAG_WRITE)
71883 +@@ -2333,6 +2552,14 @@ static int __do_fault(struct mm_struct *
71884 +
71885 + /* no need to invalidate: a not-present page won't be cached */
71886 + update_mmu_cache(vma, address, entry);
71887 ++
71888 ++#ifdef CONFIG_PAX_SEGMEXEC
71889 ++ if (anon)
71890 ++ pax_mirror_anon_pte(vma, address, page, ptl);
71891 ++ else
71892 ++ pax_mirror_file_pte(vma, address, page, ptl);
71893 ++#endif
71894 ++
71895 + } else {
71896 + if (anon)
71897 + page_cache_release(page);
71898 +@@ -2415,6 +2642,11 @@ static noinline int do_no_pfn(struct mm_
71899 + if (write_access)
71900 + entry = maybe_mkwrite(pte_mkdirty(entry), vma);
71901 + set_pte_at(mm, address, page_table, entry);
71902 ++
71903 ++#ifdef CONFIG_PAX_SEGMEXEC
71904 ++ pax_mirror_pfn_pte(vma, address, pfn, ptl);
71905 ++#endif
71906 ++
71907 + }
71908 + pte_unmap_unlock(page_table, ptl);
71909 + return 0;
71910 +@@ -2517,6 +2749,12 @@ static inline int handle_pte_fault(struc
71911 + if (write_access)
71912 + flush_tlb_page(vma, address);
71913 + }
71914 ++
71915 ++#ifdef CONFIG_PAX_SEGMEXEC
71916 ++ pax_mirror_pte(vma, address, pte, pmd, ptl);
71917 ++ return 0;
71918 ++#endif
71919 ++
71920 + unlock:
71921 + pte_unmap_unlock(pte, ptl);
71922 + return 0;
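Review bot: with CONFIG_PAX_SEGMEXEC the `return 0` after `pax_mirror_pte(vma, address, pte, pmd, ptl)` bypasses the `unlock:` path, so pax_mirror_pte has to release the pte lock on every path (it does, through its `out:` label, including the early exit when MF_PAX_SEGMEXEC is not set for the mm). That transfer of lock ownership should be stated in a comment here, because a reader of handle_pte_fault sees a locked pte going into the call and no unlock after it.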
71923 +@@ -2533,6 +2771,10 @@ int handle_mm_fault(struct mm_struct *mm
71924 + pmd_t *pmd;
71925 + pte_t *pte;
71926 +
71927 ++#ifdef CONFIG_PAX_SEGMEXEC
71928 ++ struct vm_area_struct *vma_m;
71929 ++#endif
71930 ++
71931 + __set_current_state(TASK_RUNNING);
71932 +
71933 + count_vm_event(PGFAULT);
71934 +@@ -2540,6 +2782,34 @@ int handle_mm_fault(struct mm_struct *mm
71935 + if (unlikely(is_vm_hugetlb_page(vma)))
71936 + return hugetlb_fault(mm, vma, address, write_access);
71937 +
71938 ++#ifdef CONFIG_PAX_SEGMEXEC
71939 ++ vma_m = pax_find_mirror_vma(vma);
71940 ++ if (vma_m) {
71941 ++ unsigned long address_m;
71942 ++ pgd_t *pgd_m;
71943 ++ pud_t *pud_m;
71944 ++ pmd_t *pmd_m;
71945 ++
71946 ++ if (vma->vm_start > vma_m->vm_start) {
71947 ++ address_m = address;
71948 ++ address -= SEGMEXEC_TASK_SIZE;
71949 ++ vma = vma_m;
71950 ++ } else
71951 ++ address_m = address + SEGMEXEC_TASK_SIZE;
71952 ++
71953 ++ pgd_m = pgd_offset(mm, address_m);
71954 ++ pud_m = pud_alloc(mm, pgd_m, address_m);
71955 ++ if (!pud_m)
71956 ++ return VM_FAULT_OOM;
71957 ++ pmd_m = pmd_alloc(mm, pud_m, address_m);
71958 ++ if (!pmd_m)
71959 ++ return VM_FAULT_OOM;
71960 ++ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
71961 ++ return VM_FAULT_OOM;
71962 ++ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
71963 ++ }
71964 ++#endif
71965 ++
71966 + pgd = pgd_offset(mm, address);
71967 + pud = pud_alloc(mm, pgd, address);
71968 + if (!pud)
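Review bot: after the swap in `if (vma->vm_start > vma_m->vm_start)` (`vma = vma_m; address -= SEGMEXEC_TASK_SIZE`), `vma_m` still points at the lower vma while `address_m` now holds the upper address, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` is called with a vma that does not contain address_m. If pax_unmap_mirror_pte only needs the mm this is harmless but the parameter is misleading; otherwise save the upper vma into `vma_m` before reassigning `vma`. Either way a comment is needed that a fault on the mirror range is redirected to the primary vma and the page table for the other half is pre-allocated here.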
71969 +@@ -2673,7 +2943,7 @@ static int __init gate_vma_init(void)
71970 + gate_vma.vm_start = FIXADDR_USER_START;
71971 + gate_vma.vm_end = FIXADDR_USER_END;
71972 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
71973 +- gate_vma.vm_page_prot = __P101;
71974 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
71975 + /*
71976 + * Make sure the vDSO gets into every core dump.
71977 + * Dumping its contents makes post-mortem fully interpretable later
71978 +diff -urNp linux-2.6.24.5/mm/mempolicy.c linux-2.6.24.5/mm/mempolicy.c
71979 +--- linux-2.6.24.5/mm/mempolicy.c 2008-03-24 14:49:18.000000000 -0400
71980 ++++ linux-2.6.24.5/mm/mempolicy.c 2008-03-26 20:21:09.000000000 -0400
71981 +@@ -406,6 +406,10 @@ static int mbind_range(struct vm_area_st
71982 + struct vm_area_struct *next;
71983 + int err;
71984 +
71985 ++#ifdef CONFIG_PAX_SEGMEXEC
71986 ++ struct vm_area_struct *vma_m;
71987 ++#endif
71988 ++
71989 + err = 0;
71990 + for (; vma && vma->vm_start < end; vma = next) {
71991 + next = vma->vm_next;
71992 +@@ -417,6 +421,16 @@ static int mbind_range(struct vm_area_st
71993 + err = policy_vma(vma, new);
71994 + if (err)
71995 + break;
71996 ++
71997 ++#ifdef CONFIG_PAX_SEGMEXEC
71998 ++ vma_m = pax_find_mirror_vma(vma);
71999 ++ if (vma_m) {
72000 ++ err = policy_vma(vma_m, new);
72001 ++ if (err)
72002 ++ break;
72003 ++ }
72004 ++#endif
72005 ++
72006 + }
72007 + return err;
72008 + }
72009 +@@ -794,6 +808,17 @@ static long do_mbind(unsigned long start
72010 +
72011 + if (end < start)
72012 + return -EINVAL;
72013 ++
72014 ++#ifdef CONFIG_PAX_SEGMEXEC
72015 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72016 ++ if (end > SEGMEXEC_TASK_SIZE)
72017 ++ return -EINVAL;
72018 ++ } else
72019 ++#endif
72020 ++
72021 ++ if (end > TASK_SIZE)
72022 ++ return -EINVAL;
72023 ++
72024 + if (end == start)
72025 + return 0;
72026 +
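Review bot: the `} else` immediately before `#endif` pairs with the `if (end > TASK_SIZE)` after it, so the non-SEGMEXEC build compiles a plain `if` and the SEGMEXEC build an if/else that spans a preprocessor boundary with two blank lines in the middle. It works, but it is fragile. A small helper returning the effective task size (SEGMEXEC_TASK_SIZE when MF_PAX_SEGMEXEC is set, TASK_SIZE otherwise; `pax_task_size(mm)` would be one hypothetical name) would reduce this and the identical block in do_mlock to a single `if (end > pax_task_size(mm)) return -EINVAL;`.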
72027 +diff -urNp linux-2.6.24.5/mm/mlock.c linux-2.6.24.5/mm/mlock.c
72028 +--- linux-2.6.24.5/mm/mlock.c 2008-03-24 14:49:18.000000000 -0400
72029 ++++ linux-2.6.24.5/mm/mlock.c 2008-03-26 20:21:09.000000000 -0400
72030 +@@ -12,6 +12,7 @@
72031 + #include <linux/syscalls.h>
72032 + #include <linux/sched.h>
72033 + #include <linux/module.h>
72034 ++#include <linux/grsecurity.h>
72035 +
72036 + int can_do_mlock(void)
72037 + {
72038 +@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
72039 + return -EINVAL;
72040 + if (end == start)
72041 + return 0;
72042 ++
72043 ++#ifdef CONFIG_PAX_SEGMEXEC
72044 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72045 ++ if (end > SEGMEXEC_TASK_SIZE)
72046 ++ return -EINVAL;
72047 ++ } else
72048 ++#endif
72049 ++
72050 ++ if (end > TASK_SIZE)
72051 ++ return -EINVAL;
72052 ++
72053 + vma = find_vma_prev(current->mm, start, &prev);
72054 + if (!vma || vma->vm_start > start)
72055 + return -ENOMEM;
72056 +@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
72057 + lock_limit >>= PAGE_SHIFT;
72058 +
72059 + /* check against resource limits */
72060 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72061 + if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72062 + error = do_mlock(start, len, 1);
72063 + up_write(&current->mm->mmap_sem);
72064 +@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
72065 + static int do_mlockall(int flags)
72066 + {
72067 + struct vm_area_struct * vma, * prev = NULL;
72068 +- unsigned int def_flags = 0;
72069 ++ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
72070 +
72071 + if (flags & MCL_FUTURE)
72072 +- def_flags = VM_LOCKED;
72073 ++ def_flags |= VM_LOCKED;
72074 + current->mm->def_flags = def_flags;
72075 + if (flags == MCL_FUTURE)
72076 + goto out;
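Review bot: the def_flags change is an independent fix: the old code overwrote `current->mm->def_flags` with either 0 or VM_LOCKED, dropping any other default flags, while the new code keeps them and only toggles VM_LOCKED. It looks correct, but it is unrelated to PaX/grsecurity and should be split into its own patch so it can be sent upstream on its own.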
72077 +@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
72078 + for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72079 + unsigned int newflags;
72080 +
72081 ++#ifdef CONFIG_PAX_SEGMEXEC
72082 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72083 ++ break;
72084 ++#endif
72085 ++
72086 ++ BUG_ON(vma->vm_end > TASK_SIZE);
72087 + newflags = vma->vm_flags | VM_LOCKED;
72088 + if (!(flags & MCL_CURRENT))
72089 + newflags &= ~VM_LOCKED;
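Review bot: the loop now stops at the first vma at or above SEGMEXEC_TASK_SIZE, so mirror vmas never get VM_LOCKED set directly; pax_find_mirror_vma in the mmap.c hunk at 1713 explicitly tolerates a VM_LOCKED difference between a vma and its mirror, which suggests this is intended, but a one-line comment here would spare the next reader the cross-reference. The new `BUG_ON(vma->vm_end > TASK_SIZE)` is evaluated for every vma on an mlockall(2) call; if it is a sanity check rather than an invariant PaX relies on, VM_BUG_ON would be the cheaper choice.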
72090 +@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
72091 + lock_limit >>= PAGE_SHIFT;
72092 +
72093 + ret = -ENOMEM;
72094 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
72095 + if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72096 + capable(CAP_IPC_LOCK))
72097 + ret = do_mlockall(flags);
72098 +diff -urNp linux-2.6.24.5/mm/mmap.c linux-2.6.24.5/mm/mmap.c
72099 +--- linux-2.6.24.5/mm/mmap.c 2008-03-24 14:49:18.000000000 -0400
72100 ++++ linux-2.6.24.5/mm/mmap.c 2008-03-26 20:21:09.000000000 -0400
72101 +@@ -26,6 +26,7 @@
72102 + #include <linux/mount.h>
72103 + #include <linux/mempolicy.h>
72104 + #include <linux/rmap.h>
72105 ++#include <linux/grsecurity.h>
72106 +
72107 + #include <asm/uaccess.h>
72108 + #include <asm/cacheflush.h>
72109 +@@ -36,6 +37,16 @@
72110 + #define arch_mmap_check(addr, len, flags) (0)
72111 + #endif
72112 +
72113 ++static inline void verify_mm_writelocked(struct mm_struct *mm)
72114 ++{
72115 ++#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72116 ++ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72117 ++ up_read(&mm->mmap_sem);
72118 ++ BUG();
72119 ++ }
72120 ++#endif
72121 ++}
72122 ++
72123 + static void unmap_region(struct mm_struct *mm,
72124 + struct vm_area_struct *vma, struct vm_area_struct *prev,
72125 + unsigned long start, unsigned long end);
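Review bot: verify_mm_writelocked only establishes that `down_read_trylock(&mm->mmap_sem)` failed, i.e. that some task holds mmap_sem for writing (or a writer is queued), not that the current task holds it; a caller that forgot to take the lock passes whenever another thread happens to be writing. That is acceptable for a cheap debug check, but the name overstates it, so add a comment saying so. The `up_read` before `BUG()` in the failure branch is correct; without it the trylock would leave the semaphore held for the oops path.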
72126 +@@ -61,15 +72,23 @@ static void unmap_region(struct mm_struc
72127 + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72128 + *
72129 + */
72130 +-pgprot_t protection_map[16] = {
72131 ++pgprot_t protection_map[16] __read_only = {
72132 + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72133 + __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72134 + };
72135 +
72136 + pgprot_t vm_get_page_prot(unsigned long vm_flags)
72137 + {
72138 +- return protection_map[vm_flags &
72139 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
72140 ++ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
72141 ++
72142 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72143 ++ if (!nx_enabled &&
72144 ++ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72145 ++ (vm_flags & (VM_READ | VM_WRITE)))
72146 ++ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72147 ++#endif
72148 ++
72149 ++ return prot;
72150 + }
72151 + EXPORT_SYMBOL(vm_get_page_prot);
72152 +
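Review bot: the new `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)` branch rewrites the protection lookup when NX is unavailable (`!nx_enabled`), VM_PAGEEXEC is set without VM_EXEC and the mapping is readable or writable; the condition is dense enough that a comment stating why exec permission is stripped in exactly that case is needed. Also, `__read_only` on `protection_map` is defined elsewhere in the patch and its section semantics are not visible here; confirm no architecture adjusts the table at boot after the section becomes read-only.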
72153 +@@ -224,6 +243,7 @@ static struct vm_area_struct *remove_vma
72154 + struct vm_area_struct *next = vma->vm_next;
72155 +
72156 + might_sleep();
72157 ++ BUG_ON(vma->vm_mirror);
72158 + if (vma->vm_ops && vma->vm_ops->close)
72159 + vma->vm_ops->close(vma);
72160 + if (vma->vm_file)
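Review bot: `BUG_ON(vma->vm_mirror)` is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, unlike every other `vm_mirror` use in this patch. If the field is only declared under that option this fails to build for configurations without it; if the field is unconditional, a comment should say so.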
72161 +@@ -251,6 +271,7 @@ asmlinkage unsigned long sys_brk(unsigne
72162 + * not page aligned -Ram Gupta
72163 + */
72164 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
72165 ++ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
72166 + if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
72167 + goto out;
72168 +
72169 +@@ -351,8 +372,12 @@ find_vma_prepare(struct mm_struct *mm, u
72170 +
72171 + if (vma_tmp->vm_end > addr) {
72172 + vma = vma_tmp;
72173 +- if (vma_tmp->vm_start <= addr)
72174 +- return vma;
72175 ++ if (vma_tmp->vm_start <= addr) {
72176 ++//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
72177 ++//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
72178 ++//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
72179 ++ break;
72180 ++ }
72181 + __rb_link = &__rb_parent->rb_left;
72182 + } else {
72183 + rb_prev = __rb_parent;
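Review bot: the three commented-out `printk`/`__print_symbol` debug lines should be removed before merging. Separately, turning `return vma` into `break` changes the function's contract: `*pprev`, `*rb_link` and `*rb_parent` are now written even when an existing vma already covers `addr`, where previously they were left untouched. Callers that test the return value before using the out-parameters are unaffected, but the change belongs in the function's comment.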
72184 +@@ -676,6 +701,12 @@ static int
72185 + can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72186 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72187 + {
72188 ++
72189 ++#ifdef CONFIG_PAX_SEGMEXEC
72190 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72191 ++ return 0;
72192 ++#endif
72193 ++
72194 + if (is_mergeable_vma(vma, file, vm_flags) &&
72195 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72196 + if (vma->vm_pgoff == vm_pgoff)
72197 +@@ -695,6 +726,12 @@ static int
72198 + can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72199 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72200 + {
72201 ++
72202 ++#ifdef CONFIG_PAX_SEGMEXEC
72203 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72204 ++ return 0;
72205 ++#endif
72206 ++
72207 + if (is_mergeable_vma(vma, file, vm_flags) &&
72208 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72209 + pgoff_t vm_pglen;
72210 +@@ -737,12 +774,19 @@ can_vma_merge_after(struct vm_area_struc
72211 + struct vm_area_struct *vma_merge(struct mm_struct *mm,
72212 + struct vm_area_struct *prev, unsigned long addr,
72213 + unsigned long end, unsigned long vm_flags,
72214 +- struct anon_vma *anon_vma, struct file *file,
72215 ++ struct anon_vma *anon_vma, struct file *file,
72216 + pgoff_t pgoff, struct mempolicy *policy)
72217 + {
72218 + pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72219 + struct vm_area_struct *area, *next;
72220 +
72221 ++#ifdef CONFIG_PAX_SEGMEXEC
72222 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72223 ++ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72224 ++
72225 ++ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72226 ++#endif
72227 ++
72228 + /*
72229 + * We later require that vma->vm_flags == vm_flags,
72230 + * so this tests vma->vm_flags & VM_SPECIAL, too.
72231 +@@ -758,6 +802,15 @@ struct vm_area_struct *vma_merge(struct
72232 + if (next && next->vm_end == end) /* cases 6, 7, 8 */
72233 + next = next->vm_next;
72234 +
72235 ++#ifdef CONFIG_PAX_SEGMEXEC
72236 ++ if (prev)
72237 ++ prev_m = pax_find_mirror_vma(prev);
72238 ++ if (area)
72239 ++ area_m = pax_find_mirror_vma(area);
72240 ++ if (next)
72241 ++ next_m = pax_find_mirror_vma(next);
72242 ++#endif
72243 ++
72244 + /*
72245 + * Can it merge with the predecessor?
72246 + */
72247 +@@ -777,9 +830,24 @@ struct vm_area_struct *vma_merge(struct
72248 + /* cases 1, 6 */
72249 + vma_adjust(prev, prev->vm_start,
72250 + next->vm_end, prev->vm_pgoff, NULL);
72251 +- } else /* cases 2, 5, 7 */
72252 ++
72253 ++#ifdef CONFIG_PAX_SEGMEXEC
72254 ++ if (prev_m)
72255 ++ vma_adjust(prev_m, prev_m->vm_start,
72256 ++ next_m->vm_end, prev_m->vm_pgoff, NULL);
72257 ++#endif
72258 ++
72259 ++ } else { /* cases 2, 5, 7 */
72260 + vma_adjust(prev, prev->vm_start,
72261 + end, prev->vm_pgoff, NULL);
72262 ++
72263 ++#ifdef CONFIG_PAX_SEGMEXEC
72264 ++ if (prev_m)
72265 ++ vma_adjust(prev_m, prev_m->vm_start,
72266 ++ end_m, prev_m->vm_pgoff, NULL);
72267 ++#endif
72268 ++
72269 ++ }
72270 + return prev;
72271 + }
72272 +
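Review bot: in the cases 1/6 branch, `if (prev_m) vma_adjust(prev_m, prev_m->vm_start, next_m->vm_end, ...)` dereferences `next_m` without checking it. Merging prev with next requires identical vm_flags, so when prev has a mirror next should too, but that invariant is implicit; add `BUG_ON(!next_m)` or a comment so a later change to the mirror lookup cannot turn this into a NULL dereference.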
72273 +@@ -790,12 +858,43 @@ struct vm_area_struct *vma_merge(struct
72274 + mpol_equal(policy, vma_policy(next)) &&
72275 + can_vma_merge_before(next, vm_flags,
72276 + anon_vma, file, pgoff+pglen)) {
72277 +- if (prev && addr < prev->vm_end) /* case 4 */
72278 ++ if (prev && addr < prev->vm_end) { /* case 4 */
72279 + vma_adjust(prev, prev->vm_start,
72280 + addr, prev->vm_pgoff, NULL);
72281 +- else /* cases 3, 8 */
72282 ++
72283 ++#ifdef CONFIG_PAX_SEGMEXEC
72284 ++ if (prev_m)
72285 ++ vma_adjust(prev_m, prev_m->vm_start,
72286 ++ addr_m, prev_m->vm_pgoff, NULL);
72287 ++#endif
72288 ++
72289 ++ } else { /* cases 3, 8 */
72290 + vma_adjust(area, addr, next->vm_end,
72291 + next->vm_pgoff - pglen, NULL);
72292 ++
72293 ++#ifdef CONFIG_PAX_SEGMEXEC
72294 ++ if (area_m)
72295 ++ vma_adjust(area_m, addr_m, next_m->vm_end,
72296 ++ next_m->vm_pgoff - pglen, NULL);
72297 ++ else if (next_m) {
72298 ++ vma_adjust(next_m, addr_m, next_m->vm_end,
72299 ++ next_m->vm_pgoff - pglen, NULL);
72300 ++ BUG_ON(area == next);
72301 ++ BUG_ON(area->vm_mirror);
72302 ++ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
72303 ++ BUG_ON(area->vm_file != next_m->vm_file);
72304 ++ BUG_ON(area->vm_end - area->vm_start != next_m->vm_end - next_m->vm_start);
72305 ++ BUG_ON(area->vm_pgoff != next_m->vm_pgoff);
72306 ++ area->vm_mirror = next_m;
72307 ++ next_m->vm_mirror = area;
72308 ++ if (area->anon_vma && !next_m->anon_vma) {
72309 ++ next_m->anon_vma = area->anon_vma;
72310 ++ anon_vma_link(next_m);
72311 ++ }
72312 ++ }
72313 ++#endif
72314 ++
72315 ++ }
72316 + return area;
72317 + }
72318 +
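Review bot: the `else if (next_m)` branch does far more than adjust a vma: it pairs `area` with `next_m` (`area->vm_mirror = next_m; next_m->vm_mirror = area;`) and links the anon_vma, guarded by six BUG_ONs. Nothing in the hunk explains when `area` can lack a mirror while `next` has one, which of cases 3/8 that covers, or which caller produces it; add a comment and consider moving the pairing into a small helper so vma_merge stays readable.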
72319 +@@ -870,14 +969,11 @@ none:
72320 + void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72321 + struct file *file, long pages)
72322 + {
72323 +- const unsigned long stack_flags
72324 +- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72325 +-
72326 + if (file) {
72327 + mm->shared_vm += pages;
72328 + if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
72329 + mm->exec_vm += pages;
72330 +- } else if (flags & stack_flags)
72331 ++ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
72332 + mm->stack_vm += pages;
72333 + if (flags & (VM_RESERVED|VM_IO))
72334 + mm->reserved_vm += pages;
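Review bot: replacing `VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN)` with a plain `(VM_GROWSUP|VM_GROWSDOWN)` widens stack accounting: on an architecture whose VM_STACK_FLAGS contains only one growth direction, mappings carrying the other flag now count towards `mm->stack_vm`, which is a user-visible counter. If that is intended, say so in the changelog; it is unrelated to the PaX changes around it.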
72335 +@@ -905,7 +1001,7 @@ unsigned long do_mmap_pgoff(struct file
72336 + * (the exception is when the underlying filesystem is noexec
72337 + * mounted, in which case we dont add PROT_EXEC.)
72338 + */
72339 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
72340 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
72341 + if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
72342 + prot |= PROT_EXEC;
72343 +
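Review bot: extending the READ_IMPLIES_EXEC test from `PROT_READ` to `PROT_READ | PROT_WRITE` means write-only mappings in a READ_IMPLIES_EXEC personality now also gain PROT_EXEC. The comment above the line still describes read-implies-exec only; update it to state why write-only mappings are treated the same (on x86 a writable page is always readable, so the distinction is cosmetic there).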
72344 +@@ -915,15 +1011,15 @@ unsigned long do_mmap_pgoff(struct file
72345 + if (!(flags & MAP_FIXED))
72346 + addr = round_hint_to_min(addr);
72347 +
72348 +- error = arch_mmap_check(addr, len, flags);
72349 +- if (error)
72350 +- return error;
72351 +-
72352 + /* Careful about overflows.. */
72353 + len = PAGE_ALIGN(len);
72354 + if (!len || len > TASK_SIZE)
72355 + return -ENOMEM;
72356 +
72357 ++ error = arch_mmap_check(addr, len, flags);
72358 ++ if (error)
72359 ++ return error;
72360 ++
72361 + /* offset overflow? */
72362 + if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
72363 + return -EOVERFLOW;
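Review bot: moving `arch_mmap_check()` below `len = PAGE_ALIGN(len)` and the `!len || len > TASK_SIZE` test means the arch hook now sees the page-aligned length and is no longer called for zero-length or oversized requests. That is sensible, but it changes the hook's inputs for every architecture; check the existing arch_mmap_check implementations do not depend on the raw length, and mention the reordering in the changelog.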
72364 +@@ -935,7 +1031,7 @@ unsigned long do_mmap_pgoff(struct file
72365 + /* Obtain the address to map to. we verify (or select) it and ensure
72366 + * that it represents a valid section of the address space.
72367 + */
72368 +- addr = get_unmapped_area(file, addr, len, pgoff, flags);
72369 ++ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
72370 + if (addr & ~PAGE_MASK)
72371 + return addr;
72372 +
72373 +@@ -946,6 +1042,26 @@ unsigned long do_mmap_pgoff(struct file
72374 + vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
72375 + mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
72376 +
72377 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
72378 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
72379 ++
72380 ++#ifdef CONFIG_PAX_MPROTECT
72381 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
72382 ++ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
72383 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
72384 ++ else
72385 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
72386 ++ }
72387 ++#endif
72388 ++
72389 ++ }
72390 ++#endif
72391 ++
72392 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72393 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
72394 ++ vm_flags &= ~VM_PAGEEXEC;
72395 ++#endif
72396 ++
72397 + if (flags & MAP_LOCKED) {
72398 + if (!can_do_mlock())
72399 + return -EPERM;
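Review bot: under CONFIG_PAX_MPROTECT the new block enforces W^X at mmap time: unless the request is PROT_EXEC without PROT_WRITE it clears `VM_EXEC | VM_MAYEXEC`, otherwise it clears `VM_WRITE | VM_MAYWRITE`. Dropping the MAY bits is what stops a later mprotect() from adding the missing permission, which is the point, but it deserves a comment. Also, when CONFIG_PAX_MPROTECT is not set the outer `if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) { }` compiles to an empty body; fold the MPROTECT test into the outer condition or move the `#ifdef` outside it.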
72400 +@@ -958,6 +1074,7 @@ unsigned long do_mmap_pgoff(struct file
72401 + locked += mm->locked_vm;
72402 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
72403 + lock_limit >>= PAGE_SHIFT;
72404 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72405 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
72406 + return -EAGAIN;
72407 + }
72408 +@@ -1026,6 +1143,9 @@ unsigned long do_mmap_pgoff(struct file
72409 + if (error)
72410 + return error;
72411 +
72412 ++ if (!gr_acl_handle_mmap(file, prot))
72413 ++ return -EACCES;
72414 ++
72415 + return mmap_region(file, addr, len, flags, vm_flags, pgoff,
72416 + accountable);
72417 + }
72418 +@@ -1039,10 +1159,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
72419 + */
72420 + int vma_wants_writenotify(struct vm_area_struct *vma)
72421 + {
72422 +- unsigned int vm_flags = vma->vm_flags;
72423 ++ unsigned long vm_flags = vma->vm_flags;
72424 +
72425 + /* If it was private or non-writable, the write bit is already clear */
72426 +- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
72427 ++ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
72428 + return 0;
72429 +
72430 + /* The backer wishes to know when pages are first written to? */
72431 +@@ -1077,14 +1197,24 @@ unsigned long mmap_region(struct file *f
72432 + unsigned long charged = 0;
72433 + struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
72434 +
72435 ++#ifdef CONFIG_PAX_SEGMEXEC
72436 ++ struct vm_area_struct *vma_m = NULL;
72437 ++#endif
72438 ++
72439 ++ /*
72440 ++ * mm->mmap_sem is required to protect against another thread
72441 ++ * changing the mappings in case we sleep.
72442 ++ */
72443 ++ verify_mm_writelocked(mm);
72444 ++
72445 + /* Clear old maps */
72446 + error = -ENOMEM;
72447 +-munmap_back:
72448 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72449 + if (vma && vma->vm_start < addr + len) {
72450 + if (do_munmap(mm, addr, len))
72451 + return -ENOMEM;
72452 +- goto munmap_back;
72453 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72454 ++ BUG_ON(vma && vma->vm_start < addr + len);
72455 + }
72456 +
72457 + /* Check against address space limit. */
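Review bot: replacing the `munmap_back` loop with one retry plus `BUG_ON(vma && vma->vm_start < addr + len)` assumes a single successful do_munmap always clears the whole [addr, addr + len) range. If do_munmap can return 0 having unmapped only part of it, this BUG_ON becomes reachable from userspace through mmap(MAP_FIXED) over existing mappings; either keep the loop or add a comment justifying why one pass is guaranteed to suffice. The `verify_mm_writelocked(mm)` call and its comment are fine.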
72458 +@@ -1128,6 +1258,16 @@ munmap_back:
72459 + goto unacct_error;
72460 + }
72461 +
72462 ++#ifdef CONFIG_PAX_SEGMEXEC
72463 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72464 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72465 ++ if (!vma_m) {
72466 ++ error = -ENOMEM;
72467 ++ goto free_vma;
72468 ++ }
72469 ++ }
72470 ++#endif
72471 ++
72472 + vma->vm_mm = mm;
72473 + vma->vm_start = addr;
72474 + vma->vm_end = addr + len;
72475 +@@ -1150,6 +1290,27 @@ munmap_back:
72476 + error = file->f_op->mmap(file, vma);
72477 + if (error)
72478 + goto unmap_and_free_vma;
72479 ++
72480 ++#ifdef CONFIG_PAX_SEGMEXEC
72481 ++ if (vma_m) {
72482 ++ struct mempolicy *pol;
72483 ++
72484 ++ pol = mpol_copy(vma_policy(vma));
72485 ++ if (IS_ERR(pol)) {
72486 ++ mpol_free(vma_policy(vma));
72487 ++ goto unmap_and_free_vma;
72488 ++ }
72489 ++ vma_set_policy(vma_m, pol);
72490 ++ }
72491 ++#endif
72492 ++
72493 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72494 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72495 ++ vma->vm_flags |= VM_PAGEEXEC;
72496 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
72497 ++ }
72498 ++#endif
72499 ++
72500 + } else if (vm_flags & VM_SHARED) {
72501 + error = shmem_zero_setup(vma);
72502 + if (error)
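Review bot: in the `IS_ERR(pol)` path `error` is never set: it still holds the 0 returned by `file->f_op->mmap(file, vma)` just above, so after `goto unmap_and_free_vma` the function returns `error`, which is 0, to a caller that will treat it as a successful mapping even though the vma has been freed. Add `error = PTR_ERR(pol);` before the goto. Also check whether `mpol_free(vma_policy(vma))` belongs here, since the other paths into unmap_and_free_vma do not free the vma's policy.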
72503 +@@ -1180,6 +1341,12 @@ munmap_back:
72504 + vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
72505 + file = vma->vm_file;
72506 + vma_link(mm, vma, prev, rb_link, rb_parent);
72507 ++
72508 ++#ifdef CONFIG_PAX_SEGMEXEC
72509 ++ if (vma_m)
72510 ++ pax_mirror_vma(vma_m, vma);
72511 ++#endif
72512 ++
72513 + if (correct_wcount)
72514 + atomic_inc(&inode->i_writecount);
72515 + } else {
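Review bot: `vma_m` was allocated on the basis of `vm_flags & VM_EXEC` as computed before `file->f_op->mmap()`, but a driver's mmap handler may change `vma->vm_flags`. If it clears VM_EXEC, `pax_mirror_vma(vma_m, vma)` still creates a mirror for a non-executable vma, and the later pax_find_mirror_vma (hunk at 1713 in this file) hits `BUG_ON(vma->vm_mirror)` for any vma without VM_EXEC. Re-test `vma->vm_flags & VM_EXEC` here and free `vma_m` instead of mirroring when the flag is gone.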
72516 +@@ -1190,10 +1357,20 @@ munmap_back:
72517 + }
72518 + mpol_free(vma_policy(vma));
72519 + kmem_cache_free(vm_area_cachep, vma);
72520 ++ vma = NULL;
72521 ++
72522 ++#ifdef CONFIG_PAX_SEGMEXEC
72523 ++ if (vma_m) {
72524 ++ mpol_free(vma_policy(vma_m));
72525 ++ kmem_cache_free(vm_area_cachep, vma_m);
72526 ++ }
72527 ++#endif
72528 ++
72529 + }
72530 + out:
72531 + mm->total_vm += len >> PAGE_SHIFT;
72532 + vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
72533 ++ track_exec_limit(mm, addr, addr + len, vm_flags);
72534 + if (vm_flags & VM_LOCKED) {
72535 + mm->locked_vm += len >> PAGE_SHIFT;
72536 + make_pages_present(addr, addr + len);
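Review bot: `track_exec_limit(mm, addr, addr + len, vm_flags)` is called unconditionally while every other PaX hook in this file sits under a CONFIG_PAX_* guard; confirm a no-op definition exists for builds without the relevant option (it is not in this hunk). The `vma = NULL` after freeing the merged vma is good hygiene, and freeing `vma_m` in the merged case is consistent with vma_merge handling the mirror of a merged region itself.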
72537 +@@ -1212,6 +1389,12 @@ unmap_and_free_vma:
72538 + unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
72539 + charged = 0;
72540 + free_vma:
72541 ++
72542 ++#ifdef CONFIG_PAX_SEGMEXEC
72543 ++ if (vma_m)
72544 ++ kmem_cache_free(vm_area_cachep, vma_m);
72545 ++#endif
72546 ++
72547 + kmem_cache_free(vm_area_cachep, vma);
72548 + unacct_error:
72549 + if (charged)
72550 +@@ -1245,6 +1428,10 @@ arch_get_unmapped_area(struct file *filp
72551 + if (flags & MAP_FIXED)
72552 + return addr;
72553 +
72554 ++#ifdef CONFIG_PAX_RANDMMAP
72555 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72556 ++#endif
72557 ++
72558 + if (addr) {
72559 + addr = PAGE_ALIGN(addr);
72560 + vma = find_vma(mm, addr);
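Review bot: with MF_PAX_RANDMMAP set the whole `if (addr)` hint block is skipped, so a non-MAP_FIXED address hint is ignored and the mapping goes to the first fit from mmap_base. That is the intended randomisation, but it is an mmap(2) semantics change that programs using hints as a soft request will notice, and the `#ifdef`-wrapped `if` whose body is the unguarded statement after `#endif` is fragile; a `bool honour_hint` computed under the `#ifdef` would make both points explicit.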
72561 +@@ -1253,10 +1440,10 @@ arch_get_unmapped_area(struct file *filp
72562 + return addr;
72563 + }
72564 + if (len > mm->cached_hole_size) {
72565 +- start_addr = addr = mm->free_area_cache;
72566 ++ start_addr = addr = mm->free_area_cache;
72567 + } else {
72568 +- start_addr = addr = TASK_UNMAPPED_BASE;
72569 +- mm->cached_hole_size = 0;
72570 ++ start_addr = addr = mm->mmap_base;
72571 ++ mm->cached_hole_size = 0;
72572 + }
72573 +
72574 + full_search:
72575 +@@ -1267,9 +1454,8 @@ full_search:
72576 + * Start a new search - just in case we missed
72577 + * some holes.
72578 + */
72579 +- if (start_addr != TASK_UNMAPPED_BASE) {
72580 +- addr = TASK_UNMAPPED_BASE;
72581 +- start_addr = addr;
72582 ++ if (start_addr != mm->mmap_base) {
72583 ++ start_addr = addr = mm->mmap_base;
72584 + mm->cached_hole_size = 0;
72585 + goto full_search;
72586 + }
72587 +@@ -1291,10 +1477,16 @@ full_search:
72588 +
72589 + void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
72590 + {
72591 ++
72592 ++#ifdef CONFIG_PAX_SEGMEXEC
72593 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72594 ++ return;
72595 ++#endif
72596 ++
72597 + /*
72598 + * Is this a new hole at the lowest possible address?
72599 + */
72600 +- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
72601 ++ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
72602 + mm->free_area_cache = addr;
72603 + mm->cached_hole_size = ~0UL;
72604 + }
72605 +@@ -1312,7 +1504,7 @@ arch_get_unmapped_area_topdown(struct fi
72606 + {
72607 + struct vm_area_struct *vma;
72608 + struct mm_struct *mm = current->mm;
72609 +- unsigned long addr = addr0;
72610 ++ unsigned long base = mm->mmap_base, addr = addr0;
72611 +
72612 + /* requested length too big for entire address space */
72613 + if (len > TASK_SIZE)
72614 +@@ -1321,6 +1513,10 @@ arch_get_unmapped_area_topdown(struct fi
72615 + if (flags & MAP_FIXED)
72616 + return addr;
72617 +
72618 ++#ifdef CONFIG_PAX_RANDMMAP
72619 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72620 ++#endif
72621 ++
72622 + /* requesting a specific address */
72623 + if (addr) {
72624 + addr = PAGE_ALIGN(addr);
72625 +@@ -1378,13 +1574,21 @@ bottomup:
72626 + * can happen with large stack limits and large mmap()
72627 + * allocations.
72628 + */
72629 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
72630 ++
72631 ++#ifdef CONFIG_PAX_RANDMMAP
72632 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
72633 ++ mm->mmap_base += mm->delta_mmap;
72634 ++#endif
72635 ++
72636 ++ mm->free_area_cache = mm->mmap_base;
72637 + mm->cached_hole_size = ~0UL;
72638 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
72639 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
72640 + /*
72641 + * Restore the topdown base:
72642 + */
72643 +- mm->free_area_cache = mm->mmap_base;
72644 ++ mm->mmap_base = base;
72645 ++ mm->free_area_cache = base;
72646 + mm->cached_hole_size = ~0UL;
72647 +
72648 + return addr;
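Review bot: the bottom-up fallback now rewrites `mm->mmap_base` (optionally adding `mm->delta_mmap`) before calling arch_get_unmapped_area and restores `base` afterwards. That is only safe because callers hold mmap_sem for writing, and `mm->delta_mmap` is a new mm_struct field defined elsewhere in the patch; both facts belong in the comment above this block. Setting `mm->cached_hole_size = ~0UL` on both sides of the call is correct, since the hole cache is invalid for both the temporary and the restored base.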
72649 +@@ -1393,6 +1597,12 @@ bottomup:
72650 +
72651 + void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
72652 + {
72653 ++
72654 ++#ifdef CONFIG_PAX_SEGMEXEC
72655 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72656 ++ return;
72657 ++#endif
72658 ++
72659 + /*
72660 + * Is this a new hole at the highest possible address?
72661 + */
72662 +@@ -1400,8 +1610,10 @@ void arch_unmap_area_topdown(struct mm_s
72663 + mm->free_area_cache = addr;
72664 +
72665 + /* dont allow allocations above current base */
72666 +- if (mm->free_area_cache > mm->mmap_base)
72667 ++ if (mm->free_area_cache > mm->mmap_base) {
72668 + mm->free_area_cache = mm->mmap_base;
72669 ++ mm->cached_hole_size = ~0UL;
72670 ++ }
72671 + }
72672 +
72673 + unsigned long
72674 +@@ -1501,6 +1713,33 @@ out:
72675 + return prev ? prev->vm_next : vma;
72676 + }
72677 +
72678 ++#ifdef CONFIG_PAX_SEGMEXEC
72679 ++struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
72680 ++{
72681 ++ struct vm_area_struct *vma_m;
72682 ++
72683 ++ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
72684 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
72685 ++ BUG_ON(vma->vm_mirror);
72686 ++ return NULL;
72687 ++ }
72688 ++ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
72689 ++ vma_m = vma->vm_mirror;
72690 ++ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
72691 ++ BUG_ON(vma->vm_file != vma_m->vm_file);
72692 ++ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
72693 ++ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
72694 ++
72695 ++#ifdef CONFIG_PAX_MPROTECT
72696 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
72697 ++#else
72698 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
72699 ++#endif
72700 ++
72701 ++ return vma_m;
72702 ++}
72703 ++#endif
72704 ++
72705 + /*
72706 + * Verify that the stack growth is acceptable and
72707 + * update accounting. This is shared with both the
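Review bot: the straddle check `BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1)` works only through unsigned wrap-around (it fires exactly when `vm_start <= SEGMEXEC_TASK_SIZE < vm_end`) and will puzzle the next reader; `BUG_ON(vma->vm_start <= SEGMEXEC_TASK_SIZE && vma->vm_end > SEGMEXEC_TASK_SIZE)` says the same thing directly. The function also has no comment stating the mirror invariants it enforces (same file, same size, same pgoff and anon_vma, flags equal outside the write, account and lock bits); a short kernel-doc block would make the run of BUG_ONs reviewable rather than something to be taken on faith.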
72708 +@@ -1517,6 +1756,7 @@ static int acct_stack_growth(struct vm_a
72709 + return -ENOMEM;
72710 +
72711 + /* Stack limit test */
72712 ++ gr_learn_resource(current, RLIMIT_STACK, size, 1);
72713 + if (size > rlim[RLIMIT_STACK].rlim_cur)
72714 + return -ENOMEM;
72715 +
72716 +@@ -1526,6 +1766,7 @@ static int acct_stack_growth(struct vm_a
72717 + unsigned long limit;
72718 + locked = mm->locked_vm + grow;
72719 + limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
72720 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72721 + if (locked > limit && !capable(CAP_IPC_LOCK))
72722 + return -ENOMEM;
72723 + }
72724 +@@ -1540,7 +1781,7 @@ static int acct_stack_growth(struct vm_a
72725 + * Overcommit.. This must be the final test, as it will
72726 + * update security statistics.
72727 + */
72728 +- if (security_vm_enough_memory(grow))
72729 ++ if (security_vm_enough_memory_mm(mm, grow))
72730 + return -ENOMEM;
72731 +
72732 + /* Ok, everything looks good - let it rip */
72733 +@@ -1561,35 +1802,40 @@ static inline
72734 + #endif
72735 + int expand_upwards(struct vm_area_struct *vma, unsigned long address)
72736 + {
72737 +- int error;
72738 ++ int error, locknext;
72739 +
72740 + if (!(vma->vm_flags & VM_GROWSUP))
72741 + return -EFAULT;
72742 +
72743 ++ /* Also guard against wrapping around to address 0. */
72744 ++ if (address < PAGE_ALIGN(address+1))
72745 ++ address = PAGE_ALIGN(address+1);
72746 ++ else
72747 ++ return -ENOMEM;
72748 ++
72749 + /*
72750 + * We must make sure the anon_vma is allocated
72751 + * so that the anon_vma locking is not a noop.
72752 + */
72753 + if (unlikely(anon_vma_prepare(vma)))
72754 + return -ENOMEM;
72755 ++ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
72756 ++ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
72757 ++ return -ENOMEM;
72758 + anon_vma_lock(vma);
72759 ++ if (locknext)
72760 ++ anon_vma_lock(vma->vm_next);
72761 +
72762 + /*
72763 + * vma->vm_start/vm_end cannot change under us because the caller
72764 + * is required to hold the mmap_sem in read mode. We need the
72765 +- * anon_vma lock to serialize against concurrent expand_stacks.
72766 +- * Also guard against wrapping around to address 0.
72767 ++ * anon_vma locks to serialize against concurrent expand_stacks
72768 ++ * and expand_upwards.
72769 + */
72770 +- if (address < PAGE_ALIGN(address+4))
72771 +- address = PAGE_ALIGN(address+4);
72772 +- else {
72773 +- anon_vma_unlock(vma);
72774 +- return -ENOMEM;
72775 +- }
72776 + error = 0;
72777 +
72778 + /* Somebody else might have raced and expanded it already */
72779 +- if (address > vma->vm_end) {
72780 ++ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
72781 + unsigned long size, grow;
72782 +
72783 + size = address - vma->vm_start;
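Review bot: the switch from `PAGE_ALIGN(address+4)` to `PAGE_ALIGN(address+1)` is a behavioural change unrelated to the locking work: a faulting address in the last three bytes of a page no longer pulls in the following page, so it should be called out separately in the changelog rather than hidden inside the move of the wrap check. Moving that check ahead of `anon_vma_prepare()` does remove the old unlock-on-error path, which is a genuine simplification. On the new `locknext` path, expand_upwards (vma, then vm_next) and expand_downwards (prev, then vma) both take the lower-address anon_vma first, and that is what keeps the two growers from deadlocking against each other; the ordering rule deserves a comment next to the locks, since nothing else enforces it.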
72784 +@@ -1599,6 +1845,8 @@ int expand_upwards(struct vm_area_struct
72785 + if (!error)
72786 + vma->vm_end = address;
72787 + }
72788 ++ if (locknext)
72789 ++ anon_vma_unlock(vma->vm_next);
72790 + anon_vma_unlock(vma);
72791 + return error;
72792 + }
72793 +@@ -1610,7 +1858,8 @@ int expand_upwards(struct vm_area_struct
72794 + static inline int expand_downwards(struct vm_area_struct *vma,
72795 + unsigned long address)
72796 + {
72797 +- int error;
72798 ++ int error, lockprev = 0;
72799 ++ struct vm_area_struct *prev = NULL;
72800 +
72801 + /*
72802 + * We must make sure the anon_vma is allocated
72803 +@@ -1624,6 +1873,15 @@ static inline int expand_downwards(struc
72804 + if (error)
72805 + return error;
72806 +
72807 ++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
72808 ++ find_vma_prev(address, &prev);
72809 ++ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
72810 ++#endif
72811 ++ if (lockprev && unlikely(anon_vma_prepare(prev)))
72812 ++ return -ENOMEM;
72813 ++ if (lockprev)
72814 ++ anon_vma_lock(prev);
72815 ++
72816 + anon_vma_lock(vma);
72817 +
72818 + /*
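Review bot: `find_vma_prev(address, &prev)` is missing its first argument; find_vma_prev() takes the `struct mm_struct *` before the address, so this should be `find_vma_prev(vma->vm_mm, address, &prev)`. Because the call sits under `#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)` it is never compiled on x86, which is why the build did not catch it; on a growsup architecture the patch will fail to compile.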
72819 +@@ -1633,9 +1891,15 @@ static inline int expand_downwards(struc
72820 + */
72821 +
72822 + /* Somebody else might have raced and expanded it already */
72823 +- if (address < vma->vm_start) {
72824 ++ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
72825 + unsigned long size, grow;
72826 +
72827 ++#ifdef CONFIG_PAX_SEGMEXEC
72828 ++ struct vm_area_struct *vma_m;
72829 ++
72830 ++ vma_m = pax_find_mirror_vma(vma);
72831 ++#endif
72832 ++
72833 + size = vma->vm_end - address;
72834 + grow = (vma->vm_start - address) >> PAGE_SHIFT;
72835 +
72836 +@@ -1643,9 +1907,20 @@ static inline int expand_downwards(struc
72837 + if (!error) {
72838 + vma->vm_start = address;
72839 + vma->vm_pgoff -= grow;
72840 ++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
72841 ++
72842 ++#ifdef CONFIG_PAX_SEGMEXEC
72843 ++ if (vma_m) {
72844 ++ vma_m->vm_start -= grow << PAGE_SHIFT;
72845 ++ vma_m->vm_pgoff -= grow;
72846 ++ }
72847 ++#endif
72848 ++
72849 + }
72850 + }
72851 + anon_vma_unlock(vma);
72852 ++ if (lockprev)
72853 ++ anon_vma_unlock(prev);
72854 + return error;
72855 + }
72856 +
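Review bot: the mirror is grown in place (`vma_m->vm_start -= grow << PAGE_SHIFT; vma_m->vm_pgoff -= grow;`) without any check that the mirrored range is free and without going through vma_adjust(), so its correctness rests entirely on the invariant that the high half is an exact image of the low half; a one-line comment saying so would help, since acct_stack_growth() only validated the primary vma. Note also that `track_exec_limit()` is called here with mmap_sem held for read, which is the stack-expansion exception its own header comment in mm/mprotect.c mentions.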
72857 +@@ -1717,6 +1992,13 @@ static void remove_vma_list(struct mm_st
72858 + do {
72859 + long nrpages = vma_pages(vma);
72860 +
72861 ++#ifdef CONFIG_PAX_SEGMEXEC
72862 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
72863 ++ vma = remove_vma(vma);
72864 ++ continue;
72865 ++ }
72866 ++#endif
72867 ++
72868 + mm->total_vm -= nrpages;
72869 + if (vma->vm_flags & VM_LOCKED)
72870 + mm->locked_vm -= nrpages;
72871 +@@ -1763,6 +2045,16 @@ detach_vmas_to_be_unmapped(struct mm_str
72872 +
72873 + insertion_point = (prev ? &prev->vm_next : &mm->mmap);
72874 + do {
72875 ++
72876 ++#ifdef CONFIG_PAX_SEGMEXEC
72877 ++ if (vma->vm_mirror) {
72878 ++ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
72879 ++ vma->vm_mirror->vm_mirror = NULL;
72880 ++ vma->vm_mirror->vm_flags &= ~VM_EXEC;
72881 ++ vma->vm_mirror = NULL;
72882 ++ }
72883 ++#endif
72884 ++
72885 + rb_erase(&vma->vm_rb, &mm->mm_rb);
72886 + mm->map_count--;
72887 + tail_vma = vma;
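Review bot: `vma->vm_mirror->vm_flags &= ~VM_EXEC;` changes the partner's flags but leaves its `vm_page_prot` as computed for the old flags, so a low-half vma that survives this unmap (the mprotect_fixup path that unmaps only the mirror) ends up with `vm_flags` and `vm_page_prot` disagreeing until the caller updates them. If that is intentional because the low half is never executable on its own under SEGMEXEC, a comment saying so would save the next reviewer the analysis.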
72888 +@@ -1782,6 +2074,112 @@ detach_vmas_to_be_unmapped(struct mm_str
72889 + * Split a vma into two pieces at address 'addr', a new vma is allocated
72890 + * either for the first part or the tail.
72891 + */
72892 ++
72893 ++#ifdef CONFIG_PAX_SEGMEXEC
72894 ++int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
72895 ++ unsigned long addr, int new_below)
72896 ++{
72897 ++ struct mempolicy *pol, *pol_m;
72898 ++ struct vm_area_struct *new, *vma_m, *new_m = NULL;
72899 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
72900 ++
72901 ++ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
72902 ++ return -EINVAL;
72903 ++
72904 ++ vma_m = pax_find_mirror_vma(vma);
72905 ++ if (vma_m) {
72906 ++ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
72907 ++ if (mm->map_count >= sysctl_max_map_count-1)
72908 ++ return -ENOMEM;
72909 ++ } else if (mm->map_count >= sysctl_max_map_count)
72910 ++ return -ENOMEM;
72911 ++
72912 ++ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
72913 ++ if (!new)
72914 ++ return -ENOMEM;
72915 ++
72916 ++ if (vma_m) {
72917 ++ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
72918 ++ if (!new_m) {
72919 ++ kmem_cache_free(vm_area_cachep, new);
72920 ++ return -ENOMEM;
72921 ++ }
72922 ++ }
72923 ++
72924 ++ /* most fields are the same, copy all, and then fixup */
72925 ++ *new = *vma;
72926 ++
72927 ++ if (new_below)
72928 ++ new->vm_end = addr;
72929 ++ else {
72930 ++ new->vm_start = addr;
72931 ++ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
72932 ++ }
72933 ++
72934 ++ if (vma_m) {
72935 ++ *new_m = *vma_m;
72936 ++ new_m->vm_mirror = new;
72937 ++ new->vm_mirror = new_m;
72938 ++
72939 ++ if (new_below)
72940 ++ new_m->vm_end = addr_m;
72941 ++ else {
72942 ++ new_m->vm_start = addr_m;
72943 ++ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
72944 ++ }
72945 ++ }
72946 ++
72947 ++ pol = mpol_copy(vma_policy(vma));
72948 ++ if (IS_ERR(pol)) {
72949 ++ if (new_m)
72950 ++ kmem_cache_free(vm_area_cachep, new_m);
72951 ++ kmem_cache_free(vm_area_cachep, new);
72952 ++ return PTR_ERR(pol);
72953 ++ }
72954 ++
72955 ++ if (vma_m) {
72956 ++ pol_m = mpol_copy(vma_policy(vma_m));
72957 ++ if (IS_ERR(pol_m)) {
72958 ++ mpol_free(pol);
72959 ++ kmem_cache_free(vm_area_cachep, new_m);
72960 ++ kmem_cache_free(vm_area_cachep, new);
72961 ++ return PTR_ERR(pol);
72962 ++ }
72963 ++ }
72964 ++
72965 ++ vma_set_policy(new, pol);
72966 ++
72967 ++ if (new->vm_file)
72968 ++ get_file(new->vm_file);
72969 ++
72970 ++ if (new->vm_ops && new->vm_ops->open)
72971 ++ new->vm_ops->open(new);
72972 ++
72973 ++ if (new_below)
72974 ++ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
72975 ++ ((addr - new->vm_start) >> PAGE_SHIFT), new);
72976 ++ else
72977 ++ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
72978 ++
72979 ++ if (vma_m) {
72980 ++ vma_set_policy(new_m, pol_m);
72981 ++
72982 ++ if (new_m->vm_file)
72983 ++ get_file(new_m->vm_file);
72984 ++
72985 ++ if (new_m->vm_ops && new_m->vm_ops->open)
72986 ++ new_m->vm_ops->open(new_m);
72987 ++
72988 ++ if (new_below)
72989 ++ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
72990 ++ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
72991 ++ else
72992 ++ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
72993 ++ }
72994 ++
72995 ++ return 0;
72996 ++}
72997 ++#else
72998 + int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
72999 + unsigned long addr, int new_below)
73000 + {
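Review bot: in the `pol_m` error path the function does `mpol_free(pol)` and then `return PTR_ERR(pol);`, but `pol` is a valid (and now freed) policy pointer, not the error; this must be `return PTR_ERR(pol_m);`, otherwise the caller receives a garbage error value. Separately, the SEGMEXEC variant duplicates the whole body of the stock split_vma() that follows it; factoring the common part into a helper both versions call would keep future fixes from landing in only one copy.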
73001 +@@ -1829,17 +2227,37 @@ int split_vma(struct mm_struct * mm, str
73002 +
73003 + return 0;
73004 + }
73005 ++#endif
73006 +
73007 + /* Munmap is split into 2 main parts -- this part which finds
73008 + * what needs doing, and the areas themselves, which do the
73009 + * work. This now handles partial unmappings.
73010 + * Jeremy Fitzhardinge <jeremy@××××.org>
73011 + */
73012 ++#ifdef CONFIG_PAX_SEGMEXEC
73013 ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73014 ++{
73015 ++ int ret = __do_munmap(mm, start, len);
73016 ++ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73017 ++ return ret;
73018 ++
73019 ++ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73020 ++}
73021 ++
73022 ++int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73023 ++#else
73024 + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73025 ++#endif
73026 + {
73027 + unsigned long end;
73028 + struct vm_area_struct *vma, *prev, *last;
73029 +
73030 ++ /*
73031 ++ * mm->mmap_sem is required to protect against another thread
73032 ++ * changing the mappings in case we sleep.
73033 ++ */
73034 ++ verify_mm_writelocked(mm);
73035 ++
73036 + if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73037 + return -EINVAL;
73038 +
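Review bot: the SEGMEXEC do_munmap() wrapper can fail half-way: if the first `__do_munmap()` succeeds and the second (on `start + SEGMEXEC_TASK_SIZE`) fails, the low half is gone while its mirror remains, already unlinked and stripped of VM_EXEC by detach_vmas_to_be_unmapped(), and the caller only sees the error code. Nothing rolls back or logs this; at minimum document that a leftover mirror is tolerated and how it is reaped. Also, `verify_mm_writelocked(mm)` is now called here, but the hunk at sys_munmap below deletes the old static inline definition and its new home is not in this diff; confirm it is defined before this point, or the file will not build.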
73039 +@@ -1889,6 +2307,8 @@ int do_munmap(struct mm_struct *mm, unsi
73040 + /* Fix up all other VM information */
73041 + remove_vma_list(mm, vma);
73042 +
73043 ++ track_exec_limit(mm, start, end, 0UL);
73044 ++
73045 + return 0;
73046 + }
73047 +
73048 +@@ -1901,22 +2321,18 @@ asmlinkage long sys_munmap(unsigned long
73049 +
73050 + profile_munmap(addr);
73051 +
73052 ++#ifdef CONFIG_PAX_SEGMEXEC
73053 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73054 ++ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73055 ++ return -EINVAL;
73056 ++#endif
73057 ++
73058 + down_write(&mm->mmap_sem);
73059 + ret = do_munmap(mm, addr, len);
73060 + up_write(&mm->mmap_sem);
73061 + return ret;
73062 + }
73063 +
73064 +-static inline void verify_mm_writelocked(struct mm_struct *mm)
73065 +-{
73066 +-#ifdef CONFIG_DEBUG_VM
73067 +- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73068 +- WARN_ON(1);
73069 +- up_read(&mm->mmap_sem);
73070 +- }
73071 +-#endif
73072 +-}
73073 +-
73074 + /*
73075 + * this is really a simplified "do_mmap". it only handles
73076 + * anonymous maps. eventually we may be able to do some
73077 +@@ -1930,6 +2346,11 @@ unsigned long do_brk(unsigned long addr,
73078 + struct rb_node ** rb_link, * rb_parent;
73079 + pgoff_t pgoff = addr >> PAGE_SHIFT;
73080 + int error;
73081 ++ unsigned long charged;
73082 ++
73083 ++#ifdef CONFIG_PAX_SEGMEXEC
73084 ++ struct vm_area_struct *vma_m = NULL;
73085 ++#endif
73086 +
73087 + len = PAGE_ALIGN(len);
73088 + if (!len)
73089 +@@ -1947,19 +2368,34 @@ unsigned long do_brk(unsigned long addr,
73090 +
73091 + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73092 +
73093 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73094 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73095 ++ flags &= ~VM_EXEC;
73096 ++
73097 ++#ifdef CONFIG_PAX_MPROTECT
73098 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
73099 ++ flags &= ~VM_MAYEXEC;
73100 ++#endif
73101 ++
73102 ++ }
73103 ++#endif
73104 ++
73105 + error = arch_mmap_check(addr, len, flags);
73106 + if (error)
73107 + return error;
73108 +
73109 ++ charged = len >> PAGE_SHIFT;
73110 ++
73111 + /*
73112 + * mlock MCL_FUTURE?
73113 + */
73114 + if (mm->def_flags & VM_LOCKED) {
73115 + unsigned long locked, lock_limit;
73116 +- locked = len >> PAGE_SHIFT;
73117 ++ locked = charged;
73118 + locked += mm->locked_vm;
73119 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
73120 + lock_limit >>= PAGE_SHIFT;
73121 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
73122 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
73123 + return -EAGAIN;
73124 + }
73125 +@@ -1973,22 +2409,22 @@ unsigned long do_brk(unsigned long addr,
73126 + /*
73127 + * Clear old maps. this also does some error checking for us
73128 + */
73129 +- munmap_back:
73130 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73131 + if (vma && vma->vm_start < addr + len) {
73132 + if (do_munmap(mm, addr, len))
73133 + return -ENOMEM;
73134 +- goto munmap_back;
73135 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73136 ++ BUG_ON(vma && vma->vm_start < addr + len);
73137 + }
73138 +
73139 + /* Check against address space limits *after* clearing old maps... */
73140 +- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73141 ++ if (!may_expand_vm(mm, charged))
73142 + return -ENOMEM;
73143 +
73144 + if (mm->map_count > sysctl_max_map_count)
73145 + return -ENOMEM;
73146 +
73147 +- if (security_vm_enough_memory(len >> PAGE_SHIFT))
73148 ++ if (security_vm_enough_memory(charged))
73149 + return -ENOMEM;
73150 +
73151 + /* Can we just expand an old private anonymous mapping? */
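Review bot: replacing the `goto munmap_back` retry with a single re-lookup plus `BUG_ON(vma && vma->vm_start < addr + len)` turns what used to be a harmless second iteration into a kernel panic. With mmap_sem held for write a second overlap should indeed be impossible, but a `WARN_ON()` plus `return -ENOMEM` would degrade more gracefully than BUG_ON() on a path reachable from every brk() call. The `charged` refactor itself is fine and removes the repeated `len >> PAGE_SHIFT`.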
73152 +@@ -2001,10 +2437,21 @@ unsigned long do_brk(unsigned long addr,
73153 + */
73154 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73155 + if (!vma) {
73156 +- vm_unacct_memory(len >> PAGE_SHIFT);
73157 ++ vm_unacct_memory(charged);
73158 + return -ENOMEM;
73159 + }
73160 +
73161 ++#ifdef CONFIG_PAX_SEGMEXEC
73162 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
73163 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73164 ++ if (!vma_m) {
73165 ++ kmem_cache_free(vm_area_cachep, vma);
73166 ++ vm_unacct_memory(charged);
73167 ++ return -ENOMEM;
73168 ++ }
73169 ++ }
73170 ++#endif
73171 ++
73172 + vma->vm_mm = mm;
73173 + vma->vm_start = addr;
73174 + vma->vm_end = addr + len;
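Review bot: the `(mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)` branch is dead code: the hunk above clears VM_EXEC from `flags` whenever MF_PAX_PAGEEXEC or MF_PAX_SEGMEXEC is set, and nothing re-adds it before this point, so `vma_m` is never allocated and the `pax_mirror_vma(vma_m, vma)` call in the next hunk never runs. Either drop the mirror handling from do_brk() or leave a comment that it is kept only as a safety net.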
73175 +@@ -2012,12 +2459,19 @@ unsigned long do_brk(unsigned long addr,
73176 + vma->vm_flags = flags;
73177 + vma->vm_page_prot = vm_get_page_prot(flags);
73178 + vma_link(mm, vma, prev, rb_link, rb_parent);
73179 ++
73180 ++#ifdef CONFIG_PAX_SEGMEXEC
73181 ++ if (vma_m)
73182 ++ pax_mirror_vma(vma_m, vma);
73183 ++#endif
73184 ++
73185 + out:
73186 +- mm->total_vm += len >> PAGE_SHIFT;
73187 ++ mm->total_vm += charged;
73188 + if (flags & VM_LOCKED) {
73189 +- mm->locked_vm += len >> PAGE_SHIFT;
73190 ++ mm->locked_vm += charged;
73191 + make_pages_present(addr, addr + len);
73192 + }
73193 ++ track_exec_limit(mm, addr, addr + len, flags);
73194 + return addr;
73195 + }
73196 +
73197 +@@ -2048,8 +2502,10 @@ void exit_mmap(struct mm_struct *mm)
73198 + * Walk the list again, actually closing and freeing it,
73199 + * with preemption enabled, without holding any MM locks.
73200 + */
73201 +- while (vma)
73202 ++ while (vma) {
73203 ++ vma->vm_mirror = NULL;
73204 + vma = remove_vma(vma);
73205 ++ }
73206 +
73207 + BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73208 + }
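Review bot: `vma->vm_mirror = NULL;` here, like `BUG_ON(vma->vm_mirror);` in copy_vma() further down, touches `vm_mirror` outside any `#ifdef CONFIG_PAX_SEGMEXEC`, whereas every other use in this file is guarded. Either the field exists in `struct vm_area_struct` unconditionally, in which case the guards elsewhere are just noise, or a kernel built without SEGMEXEC will not compile; pick one convention and apply it in both places.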
73209 +@@ -2063,6 +2519,10 @@ int insert_vm_struct(struct mm_struct *
73210 + struct vm_area_struct * __vma, * prev;
73211 + struct rb_node ** rb_link, * rb_parent;
73212 +
73213 ++#ifdef CONFIG_PAX_SEGMEXEC
73214 ++ struct vm_area_struct *vma_m = NULL;
73215 ++#endif
73216 ++
73217 + /*
73218 + * The vm_pgoff of a purely anonymous vma should be irrelevant
73219 + * until its first write fault, when page's anon_vma and index
73220 +@@ -2085,7 +2545,22 @@ int insert_vm_struct(struct mm_struct *
73221 + if ((vma->vm_flags & VM_ACCOUNT) &&
73222 + security_vm_enough_memory_mm(mm, vma_pages(vma)))
73223 + return -ENOMEM;
73224 ++
73225 ++#ifdef CONFIG_PAX_SEGMEXEC
73226 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73227 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73228 ++ if (!vma_m)
73229 ++ return -ENOMEM;
73230 ++ }
73231 ++#endif
73232 ++
73233 + vma_link(mm, vma, prev, rb_link, rb_parent);
73234 ++
73235 ++#ifdef CONFIG_PAX_SEGMEXEC
73236 ++ if (vma_m)
73237 ++ pax_mirror_vma(vma_m, vma);
73238 ++#endif
73239 ++
73240 + return 0;
73241 + }
73242 +
73243 +@@ -2103,6 +2578,8 @@ struct vm_area_struct *copy_vma(struct v
73244 + struct rb_node **rb_link, *rb_parent;
73245 + struct mempolicy *pol;
73246 +
73247 ++ BUG_ON(vma->vm_mirror);
73248 ++
73249 + /*
73250 + * If anonymous vma has not yet been faulted, update new pgoff
73251 + * to match new location, to increase its chance of merging.
73252 +@@ -2143,6 +2620,34 @@ struct vm_area_struct *copy_vma(struct v
73253 + return new_vma;
73254 + }
73255 +
73256 ++#ifdef CONFIG_PAX_SEGMEXEC
73257 ++void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
73258 ++{
73259 ++ struct vm_area_struct *prev_m;
73260 ++ struct rb_node **rb_link_m, *rb_parent_m;
73261 ++ struct mempolicy *pol_m;
73262 ++
73263 ++ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
73264 ++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
73265 ++ BUG_ON(!vma_mpol_equal(vma, vma_m));
73266 ++ pol_m = vma_policy(vma_m);
73267 ++ *vma_m = *vma;
73268 ++ vma_set_policy(vma_m, pol_m);
73269 ++ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
73270 ++ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
73271 ++ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
73272 ++ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
73273 ++ if (vma_m->vm_file)
73274 ++ get_file(vma_m->vm_file);
73275 ++ if (vma_m->vm_ops && vma_m->vm_ops->open)
73276 ++ vma_m->vm_ops->open(vma_m);
73277 ++ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
73278 ++ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
73279 ++ vma_m->vm_mirror = vma;
73280 ++ vma->vm_mirror = vma_m;
73281 ++}
73282 ++#endif
73283 ++
73284 + /*
73285 + * Return true if the calling process may expand its vm space by the passed
73286 + * number of pages
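Review bot: pax_mirror_vma() should carry a comment stating the mirror invariants it establishes, because pax_find_mirror_vma() BUG_ONs on exactly those properties: the mirror lives at `+SEGMEXEC_TASK_SIZE`, drops VM_WRITE, VM_MAYWRITE, VM_ACCOUNT and VM_LOCKED, keeps the file, pgoff, anon_vma and mempolicy of the original, and takes its own file reference and `vm_ops->open()` call. Note too that `*vma_m = *vma` copies the rb-tree and list links, which the subsequent vma_link() overwrites, and `vm_mirror`, which the BUG_ON above guarantees is NULL; both are fine but worth a word so nobody "fixes" them later.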
73287 +@@ -2153,7 +2658,7 @@ int may_expand_vm(struct mm_struct *mm,
73288 + unsigned long lim;
73289 +
73290 + lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
73291 +-
73292 ++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
73293 + if (cur + npages > lim)
73294 + return 0;
73295 + return 1;
73296 +@@ -2165,7 +2670,7 @@ static struct page *special_mapping_nopa
73297 + {
73298 + struct page **pages;
73299 +
73300 +- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
73301 ++ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
73302 +
73303 + address -= vma->vm_start;
73304 + for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
73305 +@@ -2215,6 +2720,15 @@ int install_special_mapping(struct mm_st
73306 + vma->vm_start = addr;
73307 + vma->vm_end = addr + len;
73308 +
73309 ++#ifdef CONFIG_PAX_MPROTECT
73310 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
73311 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73312 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73313 ++ else
73314 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
73315 ++ }
73316 ++#endif
73317 ++
73318 + vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
73319 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73320 +
73321 +diff -urNp linux-2.6.24.5/mm/mprotect.c linux-2.6.24.5/mm/mprotect.c
73322 +--- linux-2.6.24.5/mm/mprotect.c 2008-03-24 14:49:18.000000000 -0400
73323 ++++ linux-2.6.24.5/mm/mprotect.c 2008-03-26 20:21:09.000000000 -0400
73324 +@@ -21,10 +21,17 @@
73325 + #include <linux/syscalls.h>
73326 + #include <linux/swap.h>
73327 + #include <linux/swapops.h>
73328 ++#include <linux/grsecurity.h>
73329 ++
73330 ++#ifdef CONFIG_PAX_MPROTECT
73331 ++#include <linux/elf.h>
73332 ++#endif
73333 ++
73334 + #include <asm/uaccess.h>
73335 + #include <asm/pgtable.h>
73336 + #include <asm/cacheflush.h>
73337 + #include <asm/tlbflush.h>
73338 ++#include <asm/mmu_context.h>
73339 +
73340 + static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
73341 + unsigned long addr, unsigned long end, pgprot_t newprot,
73342 +@@ -127,6 +134,48 @@ static void change_protection(struct vm_
73343 + flush_tlb_range(vma, start, end);
73344 + }
73345 +
73346 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73347 ++/* called while holding the mmap semaphor for writing except stack expansion */
73348 ++void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
73349 ++{
73350 ++ unsigned long oldlimit, newlimit = 0UL;
73351 ++
73352 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
73353 ++ return;
73354 ++
73355 ++ spin_lock(&mm->page_table_lock);
73356 ++ oldlimit = mm->context.user_cs_limit;
73357 ++ if ((prot & VM_EXEC) && oldlimit < end)
73358 ++ /* USER_CS limit moved up */
73359 ++ newlimit = end;
73360 ++ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
73361 ++ /* USER_CS limit moved down */
73362 ++ newlimit = start;
73363 ++
73364 ++ if (newlimit) {
73365 ++ mm->context.user_cs_limit = newlimit;
73366 ++
73367 ++#ifdef CONFIG_SMP
73368 ++ wmb();
73369 ++ cpus_clear(mm->context.cpu_user_cs_mask);
73370 ++ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
73371 ++#endif
73372 ++
73373 ++ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
73374 ++ }
73375 ++ spin_unlock(&mm->page_table_lock);
73376 ++ if (newlimit == end) {
73377 ++ struct vm_area_struct *vma = find_vma(mm, oldlimit);
73378 ++
73379 ++ for (; vma && vma->vm_start < end; vma = vma->vm_next)
73380 ++ if (is_vm_hugetlb_page(vma))
73381 ++ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
73382 ++ else
73383 ++ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
73384 ++ }
73385 ++}
73386 ++#endif
73387 ++
73388 + int
73389 + mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
73390 + unsigned long start, unsigned long end, unsigned long newflags)
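Review bot: the PTE rewrite at the end of track_exec_limit() is asymmetric: when the USER_CS limit moves up (`newlimit == end`) every vma between `oldlimit` and `end` is re-protected, but when it moves down to `start` nothing is rewritten. If that is because the lowered segment limit alone already denies execution above `start`, a comment saying so belongs next to `if (newlimit == end)`; as written the reader cannot tell a deliberate choice from an omission. Minor: "semaphor" in the header comment should read "semaphore".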
73391 +@@ -139,11 +188,41 @@ mprotect_fixup(struct vm_area_struct *vm
73392 + int error;
73393 + int dirty_accountable = 0;
73394 +
73395 ++#ifdef CONFIG_PAX_SEGMEXEC
73396 ++ struct vm_area_struct *vma_m = NULL;
73397 ++ unsigned long start_m, end_m;
73398 ++
73399 ++ start_m = start + SEGMEXEC_TASK_SIZE;
73400 ++ end_m = end + SEGMEXEC_TASK_SIZE;
73401 ++#endif
73402 ++
73403 + if (newflags == oldflags) {
73404 + *pprev = vma;
73405 + return 0;
73406 + }
73407 +
73408 ++#ifdef CONFIG_PAX_SEGMEXEC
73409 ++ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
73410 ++ if (start != vma->vm_start) {
73411 ++ error = split_vma(mm, vma, start, 1);
73412 ++ if (error)
73413 ++ return -ENOMEM;
73414 ++ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
73415 ++ *pprev = (*pprev)->vm_next;
73416 ++ }
73417 ++
73418 ++ if (end != vma->vm_end) {
73419 ++ error = split_vma(mm, vma, end, 0);
73420 ++ if (error)
73421 ++ return -ENOMEM;
73422 ++ }
73423 ++
73424 ++ error = __do_munmap(mm, start_m, end_m - start_m);
73425 ++ if (error)
73426 ++ return -ENOMEM;
73427 ++ }
73428 ++#endif
73429 ++
73430 + /*
73431 + * If we make a private mapping writable we increase our commit;
73432 + * but (without finer accounting) cannot reduce our commit if we
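Review bot: the mirror teardown (`__do_munmap(mm, start_m, end_m - start_m)`) happens before the commit accounting further down in mprotect_fixup() that can still `goto fail`, so on that failure the low-half vma has lost its mirror (and had VM_EXEC cleared in its `vm_flags` by detach_vmas_to_be_unmapped()) while the caller is told the mprotect did not happen. That fails closed, but it leaves `vm_flags` and `vm_page_prot` inconsistent and the mapping silently non-executable; consider moving the teardown after the accounting check or documenting why this ordering is acceptable. Also, both `split_vma()` error paths map every error to -ENOMEM, hiding the -EINVAL that split_vma() returns for a misaligned hugetlb split.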
73433 +@@ -186,6 +265,25 @@ mprotect_fixup(struct vm_area_struct *vm
73434 + goto fail;
73435 + }
73436 +
73437 ++#ifdef CONFIG_PAX_SEGMEXEC
73438 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
73439 ++ struct mempolicy *pol;
73440 ++
73441 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73442 ++ if (!vma_m) {
73443 ++ error = -ENOMEM;
73444 ++ goto fail;
73445 ++ }
73446 ++ pol = mpol_copy(vma_policy(vma));
73447 ++ if (IS_ERR(pol)) {
73448 ++ kmem_cache_free(vm_area_cachep, vma_m);
73449 ++ error = -ENOMEM;
73450 ++ goto fail;
73451 ++ }
73452 ++ vma_set_policy(vma_m, pol);
73453 ++ }
73454 ++#endif
73455 ++
73456 + success:
73457 + /*
73458 + * vm_flags and vm_page_prot are protected by the mmap_sem
73459 +@@ -202,6 +300,12 @@ success:
73460 + hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
73461 + else
73462 + change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
73463 ++
73464 ++#ifdef CONFIG_PAX_SEGMEXEC
73465 ++ if (vma_m)
73466 ++ pax_mirror_vma(vma_m, vma);
73467 ++#endif
73468 ++
73469 + vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
73470 + vm_stat_account(mm, newflags, vma->vm_file, nrpages);
73471 + return 0;
73472 +@@ -211,6 +315,70 @@ fail:
73473 + return error;
73474 + }
73475 +
73476 ++#ifdef CONFIG_PAX_MPROTECT
73477 ++/* PaX: non-PIC ELF libraries need relocations on their executable segments
73478 ++ * therefore we'll grant them VM_MAYWRITE once during their life.
73479 ++ *
73480 ++ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
73481 ++ * basis because we want to allow the common case and not the special ones.
73482 ++ */
73483 ++static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
73484 ++{
73485 ++ struct elfhdr elf_h;
73486 ++ struct elf_phdr elf_p;
73487 ++ elf_addr_t dyn_offset = 0UL;
73488 ++ elf_dyn dyn;
73489 ++ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
73490 ++
73491 ++#ifndef CONFIG_PAX_NOELFRELOCS
73492 ++ if ((vma->vm_start != start) ||
73493 ++ !vma->vm_file ||
73494 ++ !(vma->vm_flags & VM_MAYEXEC) ||
73495 ++ (vma->vm_flags & VM_MAYNOTWRITE))
73496 ++#endif
73497 ++
73498 ++ return;
73499 ++
73500 ++ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
73501 ++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
73502 ++
73503 ++#ifdef CONFIG_PAX_ETEXECRELOCS
73504 ++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
73505 ++#else
73506 ++ elf_h.e_type != ET_DYN ||
73507 ++#endif
73508 ++
73509 ++ !elf_check_arch(&elf_h) ||
73510 ++ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
73511 ++ elf_h.e_phnum > j)
73512 ++ return;
73513 ++
73514 ++ for (i = 0UL; i < elf_h.e_phnum; i++) {
73515 ++ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
73516 ++ return;
73517 ++ if (elf_p.p_type == PT_DYNAMIC) {
73518 ++ dyn_offset = elf_p.p_offset;
73519 ++ j = i;
73520 ++ }
73521 ++ }
73522 ++ if (elf_h.e_phnum <= j)
73523 ++ return;
73524 ++
73525 ++ i = 0UL;
73526 ++ do {
73527 ++ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
73528 ++ return;
73529 ++ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
73530 ++ gr_log_textrel(vma);
73531 ++ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
73532 ++ return;
73533 ++ }
73534 ++ i++;
73535 ++ } while (dyn.d_tag != DT_NULL);
73536 ++ return;
73537 ++}
73538 ++#endif
73539 ++
73540 + asmlinkage long
73541 + sys_mprotect(unsigned long start, size_t len, unsigned long prot)
73542 + {
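Review bot: `j` is used for two different things in pax_handle_maywrite(): first as the upper bound on `e_phnum` (`65536UL / sizeof(struct elf_phdr)`), then as the index of the PT_DYNAMIC entry, with `elf_h.e_phnum <= j` meaning "not found"; a separate found flag, or a `dyn_idx` initialised to `e_phnum`, would make the control flow obvious. The `#ifndef CONFIG_PAX_NOELFRELOCS` that wraps only the condition and leaves a bare `return;` is also hard to read; wrapping the whole early-return statement would be clearer. The bounds themselves look right: the program-header loop is capped by `j`, and the dynamic-section loop ends on DT_NULL or on the first short kernel_read(), so a truncated file cannot spin it.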
73543 +@@ -230,6 +398,17 @@ sys_mprotect(unsigned long start, size_t
73544 + end = start + len;
73545 + if (end <= start)
73546 + return -ENOMEM;
73547 ++
73548 ++#ifdef CONFIG_PAX_SEGMEXEC
73549 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73550 ++ if (end > SEGMEXEC_TASK_SIZE)
73551 ++ return -EINVAL;
73552 ++ } else
73553 ++#endif
73554 ++
73555 ++ if (end > TASK_SIZE)
73556 ++ return -EINVAL;
73557 ++
73558 + if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
73559 + return -EINVAL;
73560 +
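Review bot: the `} else` followed by `#endif` and then `if (end > TASK_SIZE)` is valid C, but the blank line between them makes the second `if` look like an independent statement when it is actually the else branch, and the semantics flip if the option is off. Braces around the else body, or computing a `pax_task_size` once as the mremap hunk below does and testing that, would remove the trap.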
73561 +@@ -237,7 +416,7 @@ sys_mprotect(unsigned long start, size_t
73562 + /*
73563 + * Does the application expect PROT_READ to imply PROT_EXEC:
73564 + */
73565 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73566 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73567 + prot |= PROT_EXEC;
73568 +
73569 + vm_flags = calc_vm_prot_bits(prot);
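Review bot: extending the READ_IMPLIES_EXEC test from `PROT_READ` to `PROT_READ | PROT_WRITE` silently changes which mprotect() requests are upgraded to PROT_EXEC for legacy personalities; a comment on why a write-only request should count (presumably because write implies read on the affected architectures) would help, and the change should be noted in the changelog since it is independent of the grsecurity hooks.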
73570 +@@ -269,6 +448,16 @@ sys_mprotect(unsigned long start, size_t
73571 + if (start > vma->vm_start)
73572 + prev = vma;
73573 +
73574 ++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
73575 ++ error = -EACCES;
73576 ++ goto out;
73577 ++ }
73578 ++
73579 ++#ifdef CONFIG_PAX_MPROTECT
73580 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
73581 ++ pax_handle_maywrite(vma, start);
73582 ++#endif
73583 ++
73584 + for (nstart = start ; ; ) {
73585 + unsigned long newflags;
73586 +
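Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` and `pax_handle_maywrite(vma, start)` run once, against the first vma in the range, before the `for (nstart = start ; ; )` loop that walks every vma the request covers. For pax_handle_maywrite() that is clearly intended (it requires `vma->vm_start == start`), but for the ACL check it means a range spanning several file-backed vmas is policy-checked only against the first file; if that is acceptable, say so, otherwise the check belongs inside the loop next to `security_file_mprotect()`.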
73587 +@@ -282,6 +471,12 @@ sys_mprotect(unsigned long start, size_t
73588 + goto out;
73589 + }
73590 +
73591 ++#ifdef CONFIG_PAX_MPROTECT
73592 ++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
73593 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
73594 ++ newflags &= ~VM_MAYWRITE;
73595 ++#endif
73596 ++
73597 + error = security_file_mprotect(vma, reqprot, prot);
73598 + if (error)
73599 + goto out;
73600 +@@ -292,6 +487,9 @@ sys_mprotect(unsigned long start, size_t
73601 + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
73602 + if (error)
73603 + goto out;
73604 ++
73605 ++ track_exec_limit(current->mm, nstart, tmp, vm_flags);
73606 ++
73607 + nstart = tmp;
73608 +
73609 + if (nstart < prev->vm_end)
73610 +diff -urNp linux-2.6.24.5/mm/mremap.c linux-2.6.24.5/mm/mremap.c
73611 +--- linux-2.6.24.5/mm/mremap.c 2008-03-24 14:49:18.000000000 -0400
73612 ++++ linux-2.6.24.5/mm/mremap.c 2008-03-26 20:21:09.000000000 -0400
73613 +@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
73614 + continue;
73615 + pte = ptep_clear_flush(vma, old_addr, old_pte);
73616 + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
73617 ++
73618 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73619 ++ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
73620 ++ pte = pte_exprotect(pte);
73621 ++#endif
73622 ++
73623 + set_pte_at(mm, new_addr, new_pte, pte);
73624 + }
73625 +
73626 +@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
73627 + struct vm_area_struct *vma;
73628 + unsigned long ret = -EINVAL;
73629 + unsigned long charged = 0;
73630 ++ unsigned long pax_task_size = TASK_SIZE;
73631 +
73632 + if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
73633 + goto out;
73634 +@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
73635 + if (!new_len)
73636 + goto out;
73637 +
73638 ++#ifdef CONFIG_PAX_SEGMEXEC
73639 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
73640 ++ pax_task_size = SEGMEXEC_TASK_SIZE;
73641 ++#endif
73642 ++
73643 ++ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
73644 ++ old_len > pax_task_size || addr > pax_task_size-old_len)
73645 ++ goto out;
73646 ++
73647 + /* new_addr is only valid if MREMAP_FIXED is specified */
73648 + if (flags & MREMAP_FIXED) {
73649 + if (new_addr & ~PAGE_MASK)
73650 +@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
73651 + if (!(flags & MREMAP_MAYMOVE))
73652 + goto out;
73653 +
73654 +- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
73655 ++ if (new_addr > pax_task_size - new_len)
73656 + goto out;
73657 +
73658 + /* Check if the location we're moving into overlaps the
73659 + * old location at all, and fail if it does.
73660 + */
73661 +- if ((new_addr <= addr) && (new_addr+new_len) > addr)
73662 +- goto out;
73663 +-
73664 +- if ((addr <= new_addr) && (addr+old_len) > new_addr)
73665 ++ if (addr + old_len > new_addr && new_addr + new_len > addr)
73666 + goto out;
73667 +
73668 + ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
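Review bot: the single test "addr + old_len > new_addr && new_addr + new_len > addr" is the standard half-open interval overlap check and is equivalent to the two conditions it replaces, but it is only safe because neither addition can wrap. That is guaranteed by the new range checks added earlier in do_mremap() (new_len > pax_task_size || addr > pax_task_size-new_len, and the same for old_len) together with the retained "new_addr > pax_task_size - new_len" test. Add a comment pointing at that dependency, since the removed "new_len > TASK_SIZE" check used to make it locally obvious.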
73669 +@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
73670 + ret = -EINVAL;
73671 + goto out;
73672 + }
73673 ++
73674 ++#ifdef CONFIG_PAX_SEGMEXEC
73675 ++ if (pax_find_mirror_vma(vma)) {
73676 ++ ret = -EINVAL;
73677 ++ goto out;
73678 ++ }
73679 ++#endif
73680 ++
73681 + /* We can't remap across vm area boundaries */
73682 + if (old_len > vma->vm_end - addr)
73683 + goto out;
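Review bot: rejecting any vma for which pax_find_mirror_vma() returns non-NULL means that under SEGMEXEC every mapping that has a mirror cannot be mremap()ed at all, with a bare -EINVAL and no explanation. Add a comment saying that moving or resizing a mirrored vma would require moving the mirror as well and is not supported, so that userspace failures (for example an allocator growing an executable mapping) can be traced back to this check.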
73684 +@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
73685 + if (old_len == vma->vm_end - addr &&
73686 + !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
73687 + (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
73688 +- unsigned long max_addr = TASK_SIZE;
73689 ++ unsigned long max_addr = pax_task_size;
73690 + if (vma->vm_next)
73691 + max_addr = vma->vm_next->vm_start;
73692 + /* can we just expand the current mapping? */
73693 +@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
73694 + addr + new_len);
73695 + }
73696 + ret = addr;
73697 ++ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
73698 + goto out;
73699 + }
73700 + }
73701 +@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
73702 + */
73703 + ret = -ENOMEM;
73704 + if (flags & MREMAP_MAYMOVE) {
73705 ++ unsigned long map_flags = 0;
73706 + if (!(flags & MREMAP_FIXED)) {
73707 +- unsigned long map_flags = 0;
73708 + if (vma->vm_flags & VM_MAYSHARE)
73709 + map_flags |= MAP_SHARED;
73710 +
73711 +@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
73712 + if (ret)
73713 + goto out;
73714 + }
73715 ++ map_flags = vma->vm_flags;
73716 + ret = move_vma(vma, addr, old_len, new_len, new_addr);
73717 ++ if (!(ret & ~PAGE_MASK)) {
73718 ++ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
73719 ++ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
73720 ++ }
73721 + }
73722 + out:
73723 + if (ret & ~PAGE_MASK)
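Review bot: map_flags is now used for two unrelated values: MAP_SHARED-style flags for the unmapped-area search in the !(flags & MREMAP_FIXED) branch, and then "map_flags = vma->vm_flags;" (VM_* flags) for the track_exec_limit() call after move_vma(). The namespaces differ, so use a separate local such as "unsigned long vm_flags = vma->vm_flags;" for the second use. Capturing vma->vm_flags before move_vma() is the right order, since the vma may be gone after the move; a comment saying so would help.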
73724 +diff -urNp linux-2.6.24.5/mm/nommu.c linux-2.6.24.5/mm/nommu.c
73725 +--- linux-2.6.24.5/mm/nommu.c 2008-03-24 14:49:18.000000000 -0400
73726 ++++ linux-2.6.24.5/mm/nommu.c 2008-03-26 20:21:09.000000000 -0400
73727 +@@ -377,15 +377,6 @@ struct vm_area_struct *find_vma(struct m
73728 + }
73729 + EXPORT_SYMBOL(find_vma);
73730 +
73731 +-/*
73732 +- * find a VMA
73733 +- * - we don't extend stack VMAs under NOMMU conditions
73734 +- */
73735 +-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
73736 +-{
73737 +- return find_vma(mm, addr);
73738 +-}
73739 +-
73740 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
73741 + {
73742 + return -ENOMEM;
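Review bot: find_extend_vma() is deleted from mm/nommu.c without a replacement appearing in this hunk. Its callers on !MMU builds still need a definition; if the patch supplies a common one elsewhere (a header or mm/mmap.c), mention it in the patch description, otherwise NOMMU configurations will fail to link.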
73743 +diff -urNp linux-2.6.24.5/mm/page_alloc.c linux-2.6.24.5/mm/page_alloc.c
73744 +--- linux-2.6.24.5/mm/page_alloc.c 2008-03-24 14:49:18.000000000 -0400
73745 ++++ linux-2.6.24.5/mm/page_alloc.c 2008-03-26 20:21:09.000000000 -0400
73746 +@@ -505,9 +505,20 @@ static void free_pages_bulk(struct zone
73747 +
73748 + static void free_one_page(struct zone *zone, struct page *page, int order)
73749 + {
73750 ++
73751 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73752 ++ unsigned long index = 1UL << order;
73753 ++#endif
73754 ++
73755 + spin_lock(&zone->lock);
73756 + zone_clear_flag(zone, ZONE_ALL_UNRECLAIMABLE);
73757 + zone->pages_scanned = 0;
73758 ++
73759 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73760 ++ for (; index; --index)
73761 ++ sanitize_highpage(page + index - 1);
73762 ++#endif
73763 ++
73764 + __free_one_page(page, zone, order);
73765 + spin_unlock(&zone->lock);
73766 + }
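Review bot: the sanitize_highpage() loop over all 1UL << order pages runs with zone->lock held, so freeing a high-order block turns a short critical section into one that clears the whole block while other CPUs spin on the zone lock. The pages are not on any free list until __free_one_page(), so the loop can run before spin_lock(&zone->lock) with no change in correctness. Also drop the stray blank line after the opening brace.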
73767 +@@ -631,8 +642,10 @@ static int prep_new_page(struct page *pa
73768 + arch_alloc_page(page, order);
73769 + kernel_map_pages(page, 1 << order, 1);
73770 +
73771 ++#ifndef CONFIG_PAX_MEMORY_SANITIZE
73772 + if (gfp_flags & __GFP_ZERO)
73773 + prep_zero_page(page, order, gfp_flags);
73774 ++#endif
73775 +
73776 + if (order && (gfp_flags & __GFP_COMP))
73777 + prep_compound_page(page, order);
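Review bot: skipping prep_zero_page() for __GFP_ZERO under CONFIG_PAX_MEMORY_SANITIZE assumes two things the hunk does not state: that sanitize_highpage() zero-fills rather than pattern-fills, and that every page handed out by prep_new_page() passed through free_one_page() or free_hot_cold_page() since it was last used. Memory that enters the allocator by another route (bootmem release, for instance) would then reach a __GFP_ZERO caller non-zeroed. Add a comment stating the invariant, and consider keeping the zeroing for __GFP_ZERO rather than trading correctness for avoiding a double clear.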
73778 +@@ -1007,6 +1020,11 @@ static void fastcall free_hot_cold_page(
73779 + list_add(&page->lru, &pcp->list);
73780 + set_page_private(page, get_pageblock_migratetype(page));
73781 + pcp->count++;
73782 ++
73783 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
73784 ++ sanitize_highpage(page);
73785 ++#endif
73786 ++
73787 + if (pcp->count >= pcp->high) {
73788 + free_pages_bulk(zone, pcp->batch, &pcp->list, 0);
73789 + pcp->count -= pcp->batch;
73790 +diff -urNp linux-2.6.24.5/mm/rmap.c linux-2.6.24.5/mm/rmap.c
73791 +--- linux-2.6.24.5/mm/rmap.c 2008-03-24 14:49:18.000000000 -0400
73792 ++++ linux-2.6.24.5/mm/rmap.c 2008-03-26 20:21:09.000000000 -0400
73793 +@@ -64,6 +64,10 @@ int anon_vma_prepare(struct vm_area_stru
73794 + struct mm_struct *mm = vma->vm_mm;
73795 + struct anon_vma *allocated, *locked;
73796 +
73797 ++#ifdef CONFIG_PAX_SEGMEXEC
73798 ++ struct vm_area_struct *vma_m;
73799 ++#endif
73800 ++
73801 + anon_vma = find_mergeable_anon_vma(vma);
73802 + if (anon_vma) {
73803 + allocated = NULL;
73804 +@@ -80,6 +84,15 @@ int anon_vma_prepare(struct vm_area_stru
73805 + /* page_table_lock to protect against threads */
73806 + spin_lock(&mm->page_table_lock);
73807 + if (likely(!vma->anon_vma)) {
73808 ++
73809 ++#ifdef CONFIG_PAX_SEGMEXEC
73810 ++ vma_m = pax_find_mirror_vma(vma);
73811 ++ if (vma_m) {
73812 ++ vma_m->anon_vma = anon_vma;
73813 ++ __anon_vma_link(vma_m);
73814 ++ }
73815 ++#endif
73816 ++
73817 + vma->anon_vma = anon_vma;
73818 + list_add_tail(&vma->anon_vma_node, &anon_vma->head);
73819 + allocated = NULL;
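Review bot: the mirror is linked unconditionally: "vma_m->anon_vma = anon_vma; __anon_vma_link(vma_m);" has no equivalent of the likely(!vma->anon_vma) guard used for the primary vma two lines below, so a mirror that already carries an anon_vma would be overwritten and linked twice. Either BUG_ON(vma_m->anon_vma) or guard the assignment the same way, and note that this relies on page_table_lock, held here, to serialize against the mirror being prepared separately.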
73820 +diff -urNp linux-2.6.24.5/mm/shmem.c linux-2.6.24.5/mm/shmem.c
73821 +--- linux-2.6.24.5/mm/shmem.c 2008-03-24 14:49:18.000000000 -0400
73822 ++++ linux-2.6.24.5/mm/shmem.c 2008-03-26 20:21:09.000000000 -0400
73823 +@@ -2462,7 +2462,7 @@ static struct file_system_type tmpfs_fs_
73824 + .get_sb = shmem_get_sb,
73825 + .kill_sb = kill_litter_super,
73826 + };
73827 +-static struct vfsmount *shm_mnt;
73828 ++struct vfsmount *shm_mnt;
73829 +
73830 + static int __init init_tmpfs(void)
73831 + {
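Review bot: dropping static from shm_mnt (here and in mm/tiny-shmem.c) exposes a symbol with no prototype in any header visible in this patch, so the consumer must rely on a local extern. Put "extern struct vfsmount *shm_mnt;" in a header so the type is checked in one place, and say in the log which grsecurity code needs it.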
73832 +diff -urNp linux-2.6.24.5/mm/slab.c linux-2.6.24.5/mm/slab.c
73833 +--- linux-2.6.24.5/mm/slab.c 2008-04-17 20:05:17.000000000 -0400
73834 ++++ linux-2.6.24.5/mm/slab.c 2008-04-17 20:05:01.000000000 -0400
73835 +@@ -305,7 +305,7 @@ struct kmem_list3 {
73836 + * Need this for bootstrapping a per node allocator.
73837 + */
73838 + #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
73839 +-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
73840 ++struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
73841 + #define CACHE_CACHE 0
73842 + #define SIZE_AC MAX_NUMNODES
73843 + #define SIZE_L3 (2 * MAX_NUMNODES)
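Review bot: removing __initdata from initkmem_list3[] keeps 3 * MAX_NUMNODES list heads resident for the life of the kernel instead of discarding them with init memory. The reason (presumably a reference to this array that survives past boot and would otherwise point into freed init memory) is not stated; add a comment at the definition so a later cleanup does not put the attribute back.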
73844 +@@ -654,14 +654,14 @@ struct cache_names {
73845 + static struct cache_names __initdata cache_names[] = {
73846 + #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
73847 + #include <linux/kmalloc_sizes.h>
73848 +- {NULL,}
73849 ++ {NULL, NULL}
73850 + #undef CACHE
73851 + };
73852 +
73853 + static struct arraycache_init initarray_cache __initdata =
73854 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
73855 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
73856 + static struct arraycache_init initarray_generic =
73857 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
73858 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
73859 +
73860 + /* internal cache of cache description objs */
73861 + static struct kmem_cache cache_cache = {
73862 +@@ -3004,7 +3004,7 @@ retry:
73863 + * there must be at least one object available for
73864 + * allocation.
73865 + */
73866 +- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
73867 ++ BUG_ON(slabp->inuse >= cachep->num);
73868 +
73869 + while (slabp->inuse < cachep->num && batchcount--) {
73870 + STATS_INC_ALLOCED(cachep);
73871 +diff -urNp linux-2.6.24.5/mm/slub.c linux-2.6.24.5/mm/slub.c
73872 +--- linux-2.6.24.5/mm/slub.c 2008-03-24 14:49:18.000000000 -0400
73873 ++++ linux-2.6.24.5/mm/slub.c 2008-03-26 20:21:09.000000000 -0400
73874 +@@ -1539,7 +1539,7 @@ debug:
73875 + *
73876 + * Otherwise we can simply pick the next object from the lockless free list.
73877 + */
73878 +-static void __always_inline *slab_alloc(struct kmem_cache *s,
73879 ++static __always_inline void *slab_alloc(struct kmem_cache *s,
73880 + gfp_t gfpflags, int node, void *addr)
73881 + {
73882 + void **object;
73883 +@@ -1647,7 +1647,7 @@ debug:
73884 + * If fastpath is not possible then fall back to __slab_free where we deal
73885 + * with all sorts of special processing.
73886 + */
73887 +-static void __always_inline slab_free(struct kmem_cache *s,
73888 ++static __always_inline void slab_free(struct kmem_cache *s,
73889 + struct page *page, void *x, void *addr)
73890 + {
73891 + void **object = (void *)x;
73892 +diff -urNp linux-2.6.24.5/mm/swap.c linux-2.6.24.5/mm/swap.c
73893 +--- linux-2.6.24.5/mm/swap.c 2008-03-24 14:49:18.000000000 -0400
73894 ++++ linux-2.6.24.5/mm/swap.c 2008-03-26 20:21:09.000000000 -0400
73895 +@@ -33,9 +33,9 @@
73896 + /* How many pages do we try to swap or page in/out together? */
73897 + int page_cluster;
73898 +
73899 +-static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
73900 +-static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
73901 +-static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, };
73902 ++static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
73903 ++static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
73904 ++static DEFINE_PER_CPU(struct pagevec, lru_rotate_pvecs) = { 0, 0, {NULL} };
73905 +
73906 + /*
73907 + * This path almost never happens for VM activity - pages are normally
73908 +diff -urNp linux-2.6.24.5/mm/tiny-shmem.c linux-2.6.24.5/mm/tiny-shmem.c
73909 +--- linux-2.6.24.5/mm/tiny-shmem.c 2008-03-24 14:49:18.000000000 -0400
73910 ++++ linux-2.6.24.5/mm/tiny-shmem.c 2008-03-26 20:21:09.000000000 -0400
73911 +@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
73912 + .kill_sb = kill_litter_super,
73913 + };
73914 +
73915 +-static struct vfsmount *shm_mnt;
73916 ++struct vfsmount *shm_mnt;
73917 +
73918 + static int __init init_tmpfs(void)
73919 + {
73920 +diff -urNp linux-2.6.24.5/mm/vmalloc.c linux-2.6.24.5/mm/vmalloc.c
73921 +--- linux-2.6.24.5/mm/vmalloc.c 2008-03-24 14:49:18.000000000 -0400
73922 ++++ linux-2.6.24.5/mm/vmalloc.c 2008-03-26 20:21:09.000000000 -0400
73923 +@@ -202,6 +202,8 @@ static struct vm_struct *__get_vm_area_n
73924 +
73925 + write_lock(&vmlist_lock);
73926 + for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
73927 ++ if (addr > end - size)
73928 ++ goto out;
73929 + if ((unsigned long)tmp->addr < addr) {
73930 + if((unsigned long)tmp->addr + tmp->size >= addr)
73931 + addr = ALIGN(tmp->size +
73932 +@@ -213,8 +215,6 @@ static struct vm_struct *__get_vm_area_n
73933 + if (size + addr <= (unsigned long)tmp->addr)
73934 + goto found;
73935 + addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
73936 +- if (addr > end - size)
73937 +- goto out;
73938 + }
73939 +
73940 + found:
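Review bot: moving "if (addr > end - size) goto out;" to the top of the loop body closes a gap in the old placement: the tmp->addr < addr branch re-aligns addr and continues without reaching the old check, so an addr already past end - size could go round again and "size + addr" could wrap. With the check moved, though, the final "addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);" in the loop body is no longer validated when the list runs out on that iteration; confirm the post-loop found: path still checks addr + size against end before the vm_struct is inserted.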
73941 +diff -urNp linux-2.6.24.5/net/bridge/br_stp_if.c linux-2.6.24.5/net/bridge/br_stp_if.c
73942 +--- linux-2.6.24.5/net/bridge/br_stp_if.c 2008-03-24 14:49:18.000000000 -0400
73943 ++++ linux-2.6.24.5/net/bridge/br_stp_if.c 2008-03-26 20:21:09.000000000 -0400
73944 +@@ -148,7 +148,7 @@ static void br_stp_stop(struct net_bridg
73945 + char *envp[] = { NULL };
73946 +
73947 + if (br->stp_enabled == BR_USER_STP) {
73948 +- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
73949 ++ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
73950 + printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
73951 + br->dev->name, r);
73952 +
73953 +diff -urNp linux-2.6.24.5/net/core/flow.c linux-2.6.24.5/net/core/flow.c
73954 +--- linux-2.6.24.5/net/core/flow.c 2008-03-24 14:49:18.000000000 -0400
73955 ++++ linux-2.6.24.5/net/core/flow.c 2008-03-26 20:21:09.000000000 -0400
73956 +@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
73957 +
73958 + static u32 flow_hash_shift;
73959 + #define flow_hash_size (1 << flow_hash_shift)
73960 +-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
73961 ++static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
73962 +
73963 + #define flow_table(cpu) (per_cpu(flow_tables, cpu))
73964 +
73965 +@@ -53,7 +53,7 @@ struct flow_percpu_info {
73966 + u32 hash_rnd;
73967 + int count;
73968 + } ____cacheline_aligned;
73969 +-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
73970 ++static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
73971 +
73972 + #define flow_hash_rnd_recalc(cpu) \
73973 + (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
73974 +@@ -70,7 +70,7 @@ struct flow_flush_info {
73975 + atomic_t cpuleft;
73976 + struct completion completion;
73977 + };
73978 +-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
73979 ++static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
73980 +
73981 + #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
73982 +
73983 +diff -urNp linux-2.6.24.5/net/dccp/ccids/ccid3.c linux-2.6.24.5/net/dccp/ccids/ccid3.c
73984 +--- linux-2.6.24.5/net/dccp/ccids/ccid3.c 2008-03-24 14:49:18.000000000 -0400
73985 ++++ linux-2.6.24.5/net/dccp/ccids/ccid3.c 2008-03-26 20:21:09.000000000 -0400
73986 +@@ -46,7 +46,7 @@
73987 + static int ccid3_debug;
73988 + #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
73989 + #else
73990 +-#define ccid3_pr_debug(format, a...)
73991 ++#define ccid3_pr_debug(format, a...) do {} while (0)
73992 + #endif
73993 +
73994 + static struct dccp_tx_hist *ccid3_tx_hist;
73995 +diff -urNp linux-2.6.24.5/net/dccp/dccp.h linux-2.6.24.5/net/dccp/dccp.h
73996 +--- linux-2.6.24.5/net/dccp/dccp.h 2008-03-24 14:49:18.000000000 -0400
73997 ++++ linux-2.6.24.5/net/dccp/dccp.h 2008-03-26 20:21:09.000000000 -0400
73998 +@@ -43,8 +43,8 @@ extern int dccp_debug;
73999 + #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
74000 + #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
74001 + #else
74002 +-#define dccp_pr_debug(format, a...)
74003 +-#define dccp_pr_debug_cat(format, a...)
74004 ++#define dccp_pr_debug(format, a...) do {} while (0)
74005 ++#define dccp_pr_debug_cat(format, a...) do {} while (0)
74006 + #endif
74007 +
74008 + extern struct inet_hashinfo dccp_hashinfo;
74009 +diff -urNp linux-2.6.24.5/net/ipv4/inet_connection_sock.c linux-2.6.24.5/net/ipv4/inet_connection_sock.c
74010 +--- linux-2.6.24.5/net/ipv4/inet_connection_sock.c 2008-03-24 14:49:18.000000000 -0400
74011 ++++ linux-2.6.24.5/net/ipv4/inet_connection_sock.c 2008-03-26 20:21:09.000000000 -0400
74012 +@@ -15,6 +15,7 @@
74013 +
74014 + #include <linux/module.h>
74015 + #include <linux/jhash.h>
74016 ++#include <linux/grsecurity.h>
74017 +
74018 + #include <net/inet_connection_sock.h>
74019 + #include <net/inet_hashtables.h>
74020 +diff -urNp linux-2.6.24.5/net/ipv4/inet_hashtables.c linux-2.6.24.5/net/ipv4/inet_hashtables.c
74021 +--- linux-2.6.24.5/net/ipv4/inet_hashtables.c 2008-03-24 14:49:18.000000000 -0400
74022 ++++ linux-2.6.24.5/net/ipv4/inet_hashtables.c 2008-03-26 20:21:09.000000000 -0400
74023 +@@ -18,11 +18,14 @@
74024 + #include <linux/sched.h>
74025 + #include <linux/slab.h>
74026 + #include <linux/wait.h>
74027 ++#include <linux/grsecurity.h>
74028 +
74029 + #include <net/inet_connection_sock.h>
74030 + #include <net/inet_hashtables.h>
74031 + #include <net/ip.h>
74032 +
74033 ++extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
74034 ++
74035 + /*
74036 + * Allocate and initialize a new local port bind bucket.
74037 + * The bindhash mutex for snum's hash chain must be held here.
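Review bot: "extern void gr_update_task_in_ip_table(...)" is declared in the .c file even though <linux/grsecurity.h> is included three lines above it. The same pattern appears in net/ipv4/udp.c and net/socket.c later in this patch. Move these prototypes into linux/grsecurity.h so every caller sees one checked signature.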
74038 +@@ -338,6 +341,8 @@ ok:
74039 + }
74040 + spin_unlock(&head->lock);
74041 +
74042 ++ gr_update_task_in_ip_table(current, inet_sk(sk));
74043 ++
74044 + if (tw) {
74045 + inet_twsk_deschedule(tw, death_row);
74046 + inet_twsk_put(tw);
74047 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c
74048 +--- linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c 1969-12-31 19:00:00.000000000 -0500
74049 ++++ linux-2.6.24.5/net/ipv4/netfilter/ipt_stealth.c 2008-03-26 20:21:09.000000000 -0400
74050 +@@ -0,0 +1,114 @@
74051 ++/* Kernel module to add stealth support.
74052 ++ *
74053 ++ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
74054 ++ *
74055 ++ */
74056 ++
74057 ++#include <linux/kernel.h>
74058 ++#include <linux/module.h>
74059 ++#include <linux/skbuff.h>
74060 ++#include <linux/net.h>
74061 ++#include <linux/sched.h>
74062 ++#include <linux/inet.h>
74063 ++#include <linux/stddef.h>
74064 ++
74065 ++#include <net/ip.h>
74066 ++#include <net/sock.h>
74067 ++#include <net/tcp.h>
74068 ++#include <net/udp.h>
74069 ++#include <net/route.h>
74070 ++#include <net/inet_common.h>
74071 ++
74072 ++#include <linux/netfilter_ipv4/ip_tables.h>
74073 ++
74074 ++MODULE_LICENSE("GPL");
74075 ++
74076 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
74077 ++
74078 ++static int
74079 ++match(const struct sk_buff *skb,
74080 ++ const struct net_device *in,
74081 ++ const struct net_device *out,
74082 ++ const struct xt_match *match,
74083 ++ const void *matchinfo,
74084 ++ int offset,
74085 ++ unsigned int protoff,
74086 ++ int *hotdrop)
74087 ++{
74088 ++ struct iphdr *ip = ip_hdr(skb);
74089 ++ struct tcphdr th;
74090 ++ struct udphdr uh;
74091 ++ struct sock *sk = NULL;
74092 ++
74093 ++ if (!ip || offset) return 0;
74094 ++
74095 ++ switch(ip->protocol) {
74096 ++ case IPPROTO_TCP:
74097 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
74098 ++ *hotdrop = 1;
74099 ++ return 0;
74100 ++ }
74101 ++ if (!(th.syn && !th.ack)) return 0;
74102 ++ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
74103 ++ break;
74104 ++ case IPPROTO_UDP:
74105 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
74106 ++ *hotdrop = 1;
74107 ++ return 0;
74108 ++ }
74109 ++ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
74110 ++ break;
74111 ++ default:
74112 ++ return 0;
74113 ++ }
74114 ++
74115 ++ if(!sk) // port is being listened on, match this
74116 ++ return 1;
74117 ++ else {
74118 ++ sock_put(sk);
74119 ++ return 0;
74120 ++ }
74121 ++}
74122 ++
74123 ++/* Called when user tries to insert an entry of this type. */
74124 ++static int
74125 ++checkentry(const char *tablename,
74126 ++ const void *nip,
74127 ++ const struct xt_match *match,
74128 ++ void *matchinfo,
74129 ++ unsigned int hook_mask)
74130 ++{
74131 ++ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
74132 ++
74133 ++ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
74134 ++ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
74135 ++ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
74136 ++ return 1;
74137 ++
74138 ++ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
74139 ++
74140 ++ return 0;
74141 ++}
74142 ++
74143 ++
74144 ++static struct xt_match stealth_match = {
74145 ++ .name = "stealth",
74146 ++ .family = AF_INET,
74147 ++ .match = match,
74148 ++ .checkentry = checkentry,
74149 ++ .destroy = NULL,
74150 ++ .me = THIS_MODULE
74151 ++};
74152 ++
74153 ++static int __init init(void)
74154 ++{
74155 ++ return xt_register_match(&stealth_match);
74156 ++}
74157 ++
74158 ++static void __exit fini(void)
74159 ++{
74160 ++ xt_unregister_match(&stealth_match);
74161 ++}
74162 ++
74163 ++module_init(init);
74164 ++module_exit(fini);
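Review bot: the comment on "if(!sk) // port is being listened on, match this" says the opposite of what the code does: sk == NULL means no listening socket was found, i.e. the port is unserved, and that is the case that matches. Fix the comment (and use a /* */ comment, as the rest of the kernel does). Further points in the same file: the TCP lookup passes inet_iif(skb) while the UDP lookup passes skb->dev->ifindex, which differ for routed traffic; udp_v4_lookup is declared here with u32/u16 but defined in net/ipv4/udp.c with __be32/__be16, so the prototype belongs in a shared header; ip_hdr(skb) is recomputed in both skb_copy_bits() calls although ip already holds it; and the printk() in checkentry() has no KERN_ level.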
74165 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/Kconfig linux-2.6.24.5/net/ipv4/netfilter/Kconfig
74166 +--- linux-2.6.24.5/net/ipv4/netfilter/Kconfig 2008-03-24 14:49:18.000000000 -0400
74167 ++++ linux-2.6.24.5/net/ipv4/netfilter/Kconfig 2008-03-26 20:21:09.000000000 -0400
74168 +@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
74169 + If you want to compile it as a module, say M here and read
74170 + <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
74171 +
74172 ++config IP_NF_MATCH_STEALTH
74173 ++ tristate "stealth match support"
74174 ++ depends on IP_NF_IPTABLES
74175 ++ help
74176 ++ Enabling this option will drop all syn packets coming to unserved tcp
74177 ++ ports as well as all packets coming to unserved udp ports. If you
74178 ++ are using your system to route any type of packets (ie. via NAT)
74179 ++ you should put this module at the end of your ruleset, since it will
74180 ++ drop packets that aren't going to ports that are listening on your
74181 ++ machine itself, it doesn't take into account that the packet might be
74182 ++ destined for someone on your internal network if you're using NAT for
74183 ++ instance.
74184 ++
74185 ++ To compile it as a module, choose M here. If unsure, say N.
74186 ++
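Review bot: the help text says the option "will drop all syn packets coming to unserved tcp ports as well as all packets coming to unserved udp ports", but this is a match, not a target: it only selects those packets, and whether they are dropped, logged or accepted depends on the rule the user writes (e.g. -m stealth -j DROP). Reword it to describe the match, say it is IPv4 only, and split the run-on sentence about NAT into a separate note about rule placement.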
74187 + # `filter', generic and specific targets
74188 + config IP_NF_FILTER
74189 + tristate "Packet filtering"
74190 +@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
74191 + hardware and network addresses.
74192 +
74193 + endmenu
74194 +-
74195 +diff -urNp linux-2.6.24.5/net/ipv4/netfilter/Makefile linux-2.6.24.5/net/ipv4/netfilter/Makefile
74196 +--- linux-2.6.24.5/net/ipv4/netfilter/Makefile 2008-03-24 14:49:18.000000000 -0400
74197 ++++ linux-2.6.24.5/net/ipv4/netfilter/Makefile 2008-03-26 20:21:09.000000000 -0400
74198 +@@ -47,6 +47,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
74199 + obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
74200 + obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
74201 + obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
74202 ++obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
74203 + obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
74204 + obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
74205 +
74206 +diff -urNp linux-2.6.24.5/net/ipv4/tcp.c linux-2.6.24.5/net/ipv4/tcp.c
74207 +--- linux-2.6.24.5/net/ipv4/tcp.c 2008-04-17 20:05:17.000000000 -0400
74208 ++++ linux-2.6.24.5/net/ipv4/tcp.c 2008-04-17 20:05:01.000000000 -0400
74209 +@@ -1054,7 +1054,8 @@ int tcp_read_sock(struct sock *sk, read_
74210 + return -ENOTCONN;
74211 + while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
74212 + if (offset < skb->len) {
74213 +- size_t used, len;
74214 ++ int used;
74215 ++ size_t len;
74216 +
74217 + len = skb->len - offset;
74218 + /* Stop reading if we hit a patch of urgent data */
74219 +diff -urNp linux-2.6.24.5/net/ipv4/tcp_ipv4.c linux-2.6.24.5/net/ipv4/tcp_ipv4.c
74220 +--- linux-2.6.24.5/net/ipv4/tcp_ipv4.c 2008-03-24 14:49:18.000000000 -0400
74221 ++++ linux-2.6.24.5/net/ipv4/tcp_ipv4.c 2008-03-26 20:21:09.000000000 -0400
74222 +@@ -61,6 +61,7 @@
74223 + #include <linux/jhash.h>
74224 + #include <linux/init.h>
74225 + #include <linux/times.h>
74226 ++#include <linux/grsecurity.h>
74227 +
74228 + #include <net/net_namespace.h>
74229 + #include <net/icmp.h>
74230 +diff -urNp linux-2.6.24.5/net/ipv4/udp.c linux-2.6.24.5/net/ipv4/udp.c
74231 +--- linux-2.6.24.5/net/ipv4/udp.c 2008-03-24 14:49:18.000000000 -0400
74232 ++++ linux-2.6.24.5/net/ipv4/udp.c 2008-03-26 20:21:09.000000000 -0400
74233 +@@ -98,6 +98,7 @@
74234 + #include <linux/skbuff.h>
74235 + #include <linux/proc_fs.h>
74236 + #include <linux/seq_file.h>
74237 ++#include <linux/grsecurity.h>
74238 + #include <net/net_namespace.h>
74239 + #include <net/icmp.h>
74240 + #include <net/route.h>
74241 +@@ -105,6 +106,11 @@
74242 + #include <net/xfrm.h>
74243 + #include "udp_impl.h"
74244 +
74245 ++extern int gr_search_udp_recvmsg(const struct sock *sk,
74246 ++ const struct sk_buff *skb);
74247 ++extern int gr_search_udp_sendmsg(const struct sock *sk,
74248 ++ const struct sockaddr_in *addr);
74249 ++
74250 + /*
74251 + * Snmp MIB for the UDP layer
74252 + */
74253 +@@ -295,6 +301,13 @@ static struct sock *__udp4_lib_lookup(__
74254 + return result;
74255 + }
74256 +
74257 ++struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
74258 ++ __be32 daddr, __be16 dport, int dif)
74259 ++{
74260 ++ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
74261 ++}
74262 ++
74263 ++
74264 + static inline struct sock *udp_v4_mcast_next(struct sock *sk,
74265 + __be16 loc_port, __be32 loc_addr,
74266 + __be16 rmt_port, __be32 rmt_addr,
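Review bot: udp_v4_lookup() is a new non-static function with no prototype in a header and no EXPORT_SYMBOL(), yet its only user in this patch, net/ipv4/netfilter/ipt_stealth.c, is tristate and may be built as a module, in which case the module will fail to load with an unresolved symbol. Add EXPORT_SYMBOL(udp_v4_lookup); (or make IP_NF_MATCH_STEALTH bool) and put the prototype in include/net/udp.h. Also drop one of the two blank lines after the function.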
74267 +@@ -580,9 +593,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
74268 + dport = usin->sin_port;
74269 + if (dport == 0)
74270 + return -EINVAL;
74271 ++
74272 ++ if (!gr_search_udp_sendmsg(sk, usin))
74273 ++ return -EPERM;
74274 + } else {
74275 + if (sk->sk_state != TCP_ESTABLISHED)
74276 + return -EDESTADDRREQ;
74277 ++
74278 ++ if (!gr_search_udp_sendmsg(sk, NULL))
74279 ++ return -EPERM;
74280 ++
74281 + daddr = inet->daddr;
74282 + dport = inet->dport;
74283 + /* Open fast path for connected socket.
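Review bot: the new checks return -EPERM, while the grsecurity socket checks added in net/socket.c (sys_socket, sys_bind) return -EACCES for the same kind of policy denial. Pick one errno across the patch; applications and test suites treat the two differently. The placement is otherwise right: the connected-socket case passes NULL before daddr/dport are read, so gr_search_udp_sendmsg() must handle addr == NULL by consulting the socket's own destination, and that contract should be written down where the function is declared.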
74284 +@@ -842,6 +862,11 @@ try_again:
74285 + if (!skb)
74286 + goto out;
74287 +
74288 ++ if (!gr_search_udp_recvmsg(sk, skb)) {
74289 ++ err = -EPERM;
74290 ++ goto out_free;
74291 ++ }
74292 ++
74293 + ulen = skb->len - sizeof(struct udphdr);
74294 + copied = len;
74295 + if (copied > ulen)
74296 +diff -urNp linux-2.6.24.5/net/ipv6/exthdrs.c linux-2.6.24.5/net/ipv6/exthdrs.c
74297 +--- linux-2.6.24.5/net/ipv6/exthdrs.c 2008-03-24 14:49:18.000000000 -0400
74298 ++++ linux-2.6.24.5/net/ipv6/exthdrs.c 2008-03-26 20:21:09.000000000 -0400
74299 +@@ -621,7 +621,7 @@ static struct tlvtype_proc tlvprochopopt
74300 + .type = IPV6_TLV_JUMBO,
74301 + .func = ipv6_hop_jumbo,
74302 + },
74303 +- { -1, }
74304 ++ { -1, NULL }
74305 + };
74306 +
74307 + int ipv6_parse_hopopts(struct sk_buff *skb)
74308 +diff -urNp linux-2.6.24.5/net/ipv6/raw.c linux-2.6.24.5/net/ipv6/raw.c
74309 +--- linux-2.6.24.5/net/ipv6/raw.c 2008-03-24 14:49:18.000000000 -0400
74310 ++++ linux-2.6.24.5/net/ipv6/raw.c 2008-03-26 20:21:09.000000000 -0400
74311 +@@ -578,7 +578,7 @@ out:
74312 + return err;
74313 + }
74314 +
74315 +-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
74316 ++static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
74317 + struct flowi *fl, struct rt6_info *rt,
74318 + unsigned int flags)
74319 + {
74320 +diff -urNp linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c
74321 +--- linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c 2008-03-24 14:49:18.000000000 -0400
74322 ++++ linux-2.6.24.5/net/irda/ircomm/ircomm_tty.c 2008-03-26 20:21:09.000000000 -0400
74323 +@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
74324 + IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
74325 +
74326 + line = tty->index;
74327 +- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
74328 ++ if (line >= IRCOMM_TTY_PORTS) {
74329 + return -ENODEV;
74330 + }
74331 +
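Review bot: dropping "line < 0" is only correct if line is an unsigned type, but its declaration is not in the hunk and tty->index is an int. If line is an int, a negative index now passes the check and indexes below the port array. Show the declaration change in the patch or keep the lower-bound test.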
74332 +diff -urNp linux-2.6.24.5/net/mac80211/regdomain.c linux-2.6.24.5/net/mac80211/regdomain.c
74333 +--- linux-2.6.24.5/net/mac80211/regdomain.c 2008-03-24 14:49:18.000000000 -0400
74334 ++++ linux-2.6.24.5/net/mac80211/regdomain.c 2008-03-26 20:21:09.000000000 -0400
74335 +@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
74336 + { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
74337 + { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
74338 + { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
74339 +- { 0 }
74340 ++ { 0, 0, 0, 0 }
74341 + };
74342 +
74343 + static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
74344 + { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
74345 + { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
74346 + { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
74347 +- { 0 }
74348 ++ { 0, 0, 0, 0 }
74349 + };
74350 +
74351 +
74352 +diff -urNp linux-2.6.24.5/net/sctp/socket.c linux-2.6.24.5/net/sctp/socket.c
74353 +--- linux-2.6.24.5/net/sctp/socket.c 2008-03-24 14:49:18.000000000 -0400
74354 ++++ linux-2.6.24.5/net/sctp/socket.c 2008-03-26 20:21:09.000000000 -0400
74355 +@@ -1390,7 +1390,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
74356 + struct sctp_sndrcvinfo *sinfo;
74357 + struct sctp_initmsg *sinit;
74358 + sctp_assoc_t associd = 0;
74359 +- sctp_cmsgs_t cmsgs = { NULL };
74360 ++ sctp_cmsgs_t cmsgs = { NULL, NULL };
74361 + int err;
74362 + sctp_scope_t scope;
74363 + long timeo;
74364 +diff -urNp linux-2.6.24.5/net/socket.c linux-2.6.24.5/net/socket.c
74365 +--- linux-2.6.24.5/net/socket.c 2008-03-24 14:49:18.000000000 -0400
74366 ++++ linux-2.6.24.5/net/socket.c 2008-03-26 20:21:09.000000000 -0400
74367 +@@ -85,6 +85,7 @@
74368 + #include <linux/audit.h>
74369 + #include <linux/wireless.h>
74370 + #include <linux/nsproxy.h>
74371 ++#include <linux/in.h>
74372 +
74373 + #include <asm/uaccess.h>
74374 + #include <asm/unistd.h>
74375 +@@ -94,6 +95,21 @@
74376 + #include <net/sock.h>
74377 + #include <linux/netfilter.h>
74378 +
74379 ++extern void gr_attach_curr_ip(const struct sock *sk);
74380 ++extern int gr_handle_sock_all(const int family, const int type,
74381 ++ const int protocol);
74382 ++extern int gr_handle_sock_server(const struct sockaddr *sck);
74383 ++extern int gr_handle_sock_server_other(const struct socket *sck);
74384 ++extern int gr_handle_sock_client(const struct sockaddr *sck);
74385 ++extern int gr_search_connect(const struct socket * sock,
74386 ++ const struct sockaddr_in * addr);
74387 ++extern int gr_search_bind(const struct socket * sock,
74388 ++ const struct sockaddr_in * addr);
74389 ++extern int gr_search_listen(const struct socket * sock);
74390 ++extern int gr_search_accept(const struct socket * sock);
74391 ++extern int gr_search_socket(const int domain, const int type,
74392 ++ const int protocol);
74393 ++
74394 + static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
74395 + static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
74396 + unsigned long nr_segs, loff_t pos);
74397 +@@ -293,7 +309,7 @@ static int sockfs_get_sb(struct file_sys
74398 + mnt);
74399 + }
74400 +
74401 +-static struct vfsmount *sock_mnt __read_mostly;
74402 ++struct vfsmount *sock_mnt __read_mostly;
74403 +
74404 + static struct file_system_type sock_fs_type = {
74405 + .name = "sockfs",
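Review bot: dropping `static` from `sock_mnt` widens the symbol to the whole kernel image, but this hunk adds no header declaration for it, so the consumer is presumably relying on an ad-hoc `extern`. Declare it in the same header as the `gr_*` prototypes and make sure no other translation unit defines a global `sock_mnt`.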
74406 +@@ -1204,6 +1220,16 @@ asmlinkage long sys_socket(int family, i
74407 + int retval;
74408 + struct socket *sock;
74409 +
74410 ++ if(!gr_search_socket(family, type, protocol)) {
74411 ++ retval = -EACCES;
74412 ++ goto out;
74413 ++ }
74414 ++
74415 ++ if (gr_handle_sock_all(family, type, protocol)) {
74416 ++ retval = -EACCES;
74417 ++ goto out;
74418 ++ }
74419 ++
74420 + retval = sock_create(family, type, protocol, &sock);
74421 + if (retval < 0)
74422 + goto out;
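Review bot: the two new checks in `sys_socket()` have opposite polarity, `!gr_search_socket(...)` denies on zero while `gr_handle_sock_all(...)` denies on non-zero, which is easy to get wrong when these are copied elsewhere; a one-line comment on each, or a common `gr_*` return convention, would help. Also `if(!gr_search_socket` is missing the space after `if` required by kernel style, and since both checks run before `sock_create()`, an LSM's `security_socket_create` hook never sees the denied attempts, which matters for anyone relying on LSM audit records.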
74423 +@@ -1334,6 +1360,12 @@ asmlinkage long sys_bind(int fd, struct
74424 + if (sock) {
74425 + err = move_addr_to_kernel(umyaddr, addrlen, address);
74426 + if (err >= 0) {
74427 ++ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
74428 ++ gr_handle_sock_server((struct sockaddr *)address)) {
74429 ++ err = -EACCES;
74430 ++ goto error;
74431 ++ }
74432 ++
74433 + err = security_socket_bind(sock,
74434 + (struct sockaddr *)address,
74435 + addrlen);
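Review bot: `address` is the generic `char[MAX_SOCK_ADDR]` buffer and is cast to `struct sockaddr_in *` for `gr_search_bind()` without any visible check of the socket family, so for AF_UNIX or AF_INET6 sockets the callee is handed a buffer whose `sin_addr`/`sin_port` fields do not mean what the type implies. Either check `sock->sk->sk_family` at the call site or add a comment stating that `gr_search_bind()` does so before reading the address.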
74436 +@@ -1342,6 +1374,7 @@ asmlinkage long sys_bind(int fd, struct
74437 + (struct sockaddr *)
74438 + address, addrlen);
74439 + }
74440 ++error:
74441 + fput_light(sock->file, fput_needed);
74442 + }
74443 + return err;
74444 +@@ -1365,10 +1398,17 @@ asmlinkage long sys_listen(int fd, int b
74445 + if ((unsigned)backlog > sysctl_somaxconn)
74446 + backlog = sysctl_somaxconn;
74447 +
74448 ++ if (gr_handle_sock_server_other(sock) ||
74449 ++ !gr_search_listen(sock)) {
74450 ++ err = -EPERM;
74451 ++ goto error;
74452 ++ }
74453 ++
74454 + err = security_socket_listen(sock, backlog);
74455 + if (!err)
74456 + err = sock->ops->listen(sock, backlog);
74457 +
74458 ++error:
74459 + fput_light(sock->file, fput_needed);
74460 + }
74461 + return err;
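Review bot: the `sys_listen()` denial returns `-EPERM` while the `sys_socket()` and `sys_bind()` hunks return `-EACCES` for the equivalent policy denial; pick one errno for all of the `gr_*` socket refusals so callers and log parsers see consistent results.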
74462 +@@ -1405,6 +1445,13 @@ asmlinkage long sys_accept(int fd, struc
74463 + newsock->type = sock->type;
74464 + newsock->ops = sock->ops;
74465 +
74466 ++ if (gr_handle_sock_server_other(sock) ||
74467 ++ !gr_search_accept(sock)) {
74468 ++ err = -EPERM;
74469 ++ sock_release(newsock);
74470 ++ goto out_put;
74471 ++ }
74472 ++
74473 + /*
74474 + * We don't need try_module_get here, as the listening socket (sock)
74475 + * has the protocol module (sock->ops->owner) held.
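Review bot: the policy check in `sys_accept()` runs after `newsock` has already been allocated and its `type`/`ops` copied, so every denial costs a `sock_alloc()` plus `sock_release()`. Since the check only consults the listening `sock`, it could sit before the allocation; if it has to stay here, a comment explaining why would avoid the obvious question.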
74476 +@@ -1448,6 +1495,7 @@ asmlinkage long sys_accept(int fd, struc
74477 + err = newfd;
74478 +
74479 + security_socket_post_accept(sock, newsock);
74480 ++ gr_attach_curr_ip(newsock->sk);
74481 +
74482 + out_put:
74483 + fput_light(sock->file, fput_needed);
74484 +@@ -1481,6 +1529,7 @@ asmlinkage long sys_connect(int fd, stru
74485 + {
74486 + struct socket *sock;
74487 + char address[MAX_SOCK_ADDR];
74488 ++ struct sockaddr *sck;
74489 + int err, fput_needed;
74490 +
74491 + sock = sockfd_lookup_light(fd, &err, &fput_needed);
74492 +@@ -1490,6 +1539,13 @@ asmlinkage long sys_connect(int fd, stru
74493 + if (err < 0)
74494 + goto out_put;
74495 +
74496 ++ sck = (struct sockaddr *)address;
74497 ++ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
74498 ++ gr_handle_sock_client(sck)) {
74499 ++ err = -EACCES;
74500 ++ goto out_put;
74501 ++ }
74502 ++
74503 + err =
74504 + security_socket_connect(sock, (struct sockaddr *)address, addrlen);
74505 + if (err)
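Review bot: as in the bind hunk, `sck` is cast to `struct sockaddr_in *` for `gr_search_connect()` without a visible family check, and the denial is placed ahead of `security_socket_connect()`, so an LSM cannot audit connects that this check refuses. Document the family handling in the callee and consider whether the ordering relative to the LSM hook is intentional.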
74506 +@@ -1767,6 +1823,7 @@ asmlinkage long sys_shutdown(int fd, int
74507 + err = sock->ops->shutdown(sock, how);
74508 + fput_light(sock->file, fput_needed);
74509 + }
74510 ++
74511 + return err;
74512 + }
74513 +
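Review bot: this `sys_shutdown()` hunk adds only a blank line; whitespace-only hunks should be dropped from the patch so reviewers are not left looking for a functional change that is not there.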
74514 +diff -urNp linux-2.6.24.5/net/unix/af_unix.c linux-2.6.24.5/net/unix/af_unix.c
74515 +--- linux-2.6.24.5/net/unix/af_unix.c 2008-03-24 14:49:18.000000000 -0400
74516 ++++ linux-2.6.24.5/net/unix/af_unix.c 2008-03-26 20:21:09.000000000 -0400
74517 +@@ -116,6 +116,7 @@
74518 + #include <linux/mount.h>
74519 + #include <net/checksum.h>
74520 + #include <linux/security.h>
74521 ++#include <linux/grsecurity.h>
74522 +
74523 + int sysctl_unix_max_dgram_qlen __read_mostly = 10;
74524 +
74525 +@@ -738,6 +739,11 @@ static struct sock *unix_find_other(stru
74526 + if (err)
74527 + goto put_fail;
74528 +
74529 ++ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
74530 ++ err = -EACCES;
74531 ++ goto put_fail;
74532 ++ }
74533 ++
74534 + err = -ECONNREFUSED;
74535 + if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
74536 + goto put_fail;
74537 +@@ -761,6 +767,13 @@ static struct sock *unix_find_other(stru
74538 + if (u) {
74539 + struct dentry *dentry;
74540 + dentry = unix_sk(u)->dentry;
74541 ++
74542 ++ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
74543 ++ err = -EPERM;
74544 ++ sock_put(u);
74545 ++ goto fail;
74546 ++ }
74547 ++
74548 + if (dentry)
74549 + touch_atime(unix_sk(u)->mnt, dentry);
74550 + } else
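Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` relies on a pid that the unix_bind hunk later in this patch stores only under `CONFIG_GRKERNSEC_CHROOT_UNIX`; in any other configuration `sk_peercred.pid` holds whatever the stock code left there, so `gr_handle_chroot_unix()` must be a no-op in that case and a comment here should say so. Independently, a pid recorded at bind time can be recycled once the binding process exits, so the check should be documented as best-effort rather than an identity guarantee. The error path itself is fine: `fail` only stores `err`, so the explicit `sock_put(u)` before the `goto` is required and correct.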
74551 +@@ -839,9 +852,18 @@ static int unix_bind(struct socket *sock
74552 + */
74553 + mode = S_IFSOCK |
74554 + (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
74555 ++
74556 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
74557 ++ err = -EACCES;
74558 ++ goto out_mknod_dput;
74559 ++ }
74560 ++
74561 + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
74562 + if (err)
74563 + goto out_mknod_dput;
74564 ++
74565 ++ gr_handle_create(dentry, nd.mnt);
74566 ++
74567 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
74568 + dput(nd.dentry);
74569 + nd.dentry = dentry;
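Review bot: the new `-EACCES` path jumps to `out_mknod_dput` while `nd.dentry->d_inode->i_mutex` is still held (the success path unlocks it just below), so that label must also release the mutex; confirm it does and add a comment, since the same label is now reached from two different states. The `mode` passed to `gr_acl_handle_mknod()` matches the one given to `vfs_mknod()`, which is what you want.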
74570 +@@ -859,6 +881,10 @@ static int unix_bind(struct socket *sock
74571 + goto out_unlock;
74572 + }
74573 +
74574 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
74575 ++ sk->sk_peercred.pid = current->pid;
74576 ++#endif
74577 ++
74578 + list = &unix_socket_table[addr->hash];
74579 + } else {
74580 + list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
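Review bot: the `sk_peercred.pid = current->pid` assignment sits in the abstract-namespace branch only (the `else` branch hashes by inode for path-bound sockets), which lines up with the `unix_find_other` hunk checking the pid only on the by-name lookup path; a comment stating that this deliberately covers abstract sockets alone would make the pairing clear to the next reader.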
74581 +diff -urNp linux-2.6.24.5/scripts/pnmtologo.c linux-2.6.24.5/scripts/pnmtologo.c
74582 +--- linux-2.6.24.5/scripts/pnmtologo.c 2008-03-24 14:49:18.000000000 -0400
74583 ++++ linux-2.6.24.5/scripts/pnmtologo.c 2008-03-26 20:21:09.000000000 -0400
74584 +@@ -237,14 +237,14 @@ static void write_header(void)
74585 + fprintf(out, " * Linux logo %s\n", logoname);
74586 + fputs(" */\n\n", out);
74587 + fputs("#include <linux/linux_logo.h>\n\n", out);
74588 +- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
74589 ++ fprintf(out, "static unsigned char %s_data[] = {\n",
74590 + logoname);
74591 + }
74592 +
74593 + static void write_footer(void)
74594 + {
74595 + fputs("\n};\n\n", out);
74596 +- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
74597 ++ fprintf(out, "struct linux_logo %s = {\n", logoname);
74598 + fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
74599 + fprintf(out, " .width\t= %d,\n", logo_width);
74600 + fprintf(out, " .height\t= %d,\n", logo_height);
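Review bot: dropping `__initdata` from the generated logo arrays makes them permanently resident instead of freed after boot, and nothing in the patch says why; state the reason in the description (presumably tied to the kernel section handling elsewhere in this patch) so the change is not mistaken for an accidental revert of the init-section annotation.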
74601 +@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
74602 + fputs("\n};\n\n", out);
74603 +
74604 + /* write logo clut */
74605 +- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
74606 ++ fprintf(out, "static unsigned char %s_clut[] = {\n",
74607 + logoname);
74608 + write_hex_cnt = 0;
74609 + for (i = 0; i < logo_clutsize; i++) {
74610 +diff -urNp linux-2.6.24.5/security/commoncap.c linux-2.6.24.5/security/commoncap.c
74611 +--- linux-2.6.24.5/security/commoncap.c 2008-04-17 20:05:17.000000000 -0400
74612 ++++ linux-2.6.24.5/security/commoncap.c 2008-04-17 20:05:01.000000000 -0400
74613 +@@ -24,6 +24,7 @@
74614 + #include <linux/hugetlb.h>
74615 + #include <linux/mount.h>
74616 + #include <linux/sched.h>
74617 ++#include <linux/grsecurity.h>
74618 +
74619 + #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
74620 + /*
74621 +@@ -44,9 +45,11 @@ EXPORT_SYMBOL(cap_bset);
74622 + unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
74623 + EXPORT_SYMBOL(securebits);
74624 +
74625 ++extern __u32 gr_cap_rtnetlink(struct sock *sk);
74626 ++
74627 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
74628 + {
74629 +- NETLINK_CB(skb).eff_cap = current->cap_effective;
74630 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
74631 + return 0;
74632 + }
74633 +
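Review bot: `extern __u32 gr_cap_rtnetlink(struct sock *sk);` is declared inline in commoncap.c even though the preceding hunk just added `#include <linux/grsecurity.h>` to this file; put the prototype in that header. The declared return type also has to match the type of `NETLINK_CB(skb).eff_cap`, which a header-level declaration makes easier to keep in sync.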
74634 +@@ -68,7 +71,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
74635 + int cap_capable (struct task_struct *tsk, int cap)
74636 + {
74637 + /* Derived from include/linux/sched.h:capable. */
74638 +- if (cap_raised(tsk->cap_effective, cap))
74639 ++ if (cap_raised (tsk->cap_effective, cap))
74640 ++ return 0;
74641 ++ return -EPERM;
74642 ++}
74643 ++
74644 ++int cap_capable_nolog (struct task_struct *tsk, int cap)
74645 ++{
74646 ++ /* tsk = current for all callers */
74647 ++ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
74648 + return 0;
74649 + return -EPERM;
74650 + }
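Review bot: the only change to `cap_capable()` itself is inserting a space in `cap_raised (tsk->cap_effective, cap)`, which goes against kernel style and should be dropped so the hunk contains only the new `cap_capable_nolog()`. If `cap_capable_nolog()` is meant to be called from outside this file it needs a header declaration (and `EXPORT_SYMBOL` if modules use it); within this file its use in `cap_vm_enough_memory()` below is already covered by definition order.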
74651 +@@ -343,8 +354,11 @@ void cap_bprm_apply_creds (struct linux_
74652 + }
74653 + }
74654 +
74655 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
74656 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
74657 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
74658 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
74659 ++
74660 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
74661 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
74662 +
74663 + /* For init, we want to retain the capabilities set
74664 + * in the init_task struct. Thus we skip the usual
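Review bot: when `gr_check_user_change()` refuses, the id assignment is silently skipped and the exec continues with the caller's uid, because `cap_bprm_apply_creds()` is `void` and cannot report the denial; that a refused setuid exec degrades to an unprivileged run rather than failing is a policy decision that should be documented at the call site. The uid and gid checks are also independent, so a refused uid change with an allowed gid change leaves a mixed state, and the `(-1, bprm->e_uid, bprm->e_uid)` argument pattern deserves a comment explaining the `-1` sentinel and why `e_uid` is passed twice.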
74665 +@@ -355,6 +369,8 @@ void cap_bprm_apply_creds (struct linux_
74666 + new_permitted : 0;
74667 + }
74668 +
74669 ++ gr_handle_chroot_caps(current);
74670 ++
74671 + /* AUD: Audit candidate if current->cap_effective is set */
74672 +
74673 + current->keep_capabilities = 0;
74674 +@@ -563,7 +579,7 @@ int cap_vm_enough_memory(struct mm_struc
74675 + {
74676 + int cap_sys_admin = 0;
74677 +
74678 +- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
74679 ++ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
74680 + cap_sys_admin = 1;
74681 + return __vm_enough_memory(mm, pages, cap_sys_admin);
74682 + }
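Review bot: switching `cap_vm_enough_memory()` to `cap_capable_nolog()` is reasonable for a check that runs on every allocation, but the motivation (avoiding a log entry for each `CAP_SYS_ADMIN` probe) is not stated anywhere; add a short comment so it is not changed back to `cap_capable()` during a later cleanup.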
74683 +diff -urNp linux-2.6.24.5/security/dummy.c linux-2.6.24.5/security/dummy.c
74684 +--- linux-2.6.24.5/security/dummy.c 2008-03-24 14:49:18.000000000 -0400
74685 ++++ linux-2.6.24.5/security/dummy.c 2008-03-26 20:21:09.000000000 -0400
74686 +@@ -27,6 +27,7 @@
74687 + #include <linux/hugetlb.h>
74688 + #include <linux/ptrace.h>
74689 + #include <linux/file.h>
74690 ++#include <linux/grsecurity.h>
74691 +
74692 + static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
74693 + {
74694 +@@ -135,8 +136,11 @@ static void dummy_bprm_apply_creds (stru
74695 + }
74696 + }
74697 +
74698 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
74699 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
74700 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
74701 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
74702 ++
74703 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
74704 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
74705 +
74706 + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
74707 + }
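Review bot: this duplicates the `gr_check_user_change`/`gr_check_group_change` gating from the commoncap.c hunk verbatim, with the same silent-skip semantics; if the two back-ends must stay in sync, factor the gated assignment into a shared helper so a future change to one cannot leave the other behind.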
74708 +diff -urNp linux-2.6.24.5/security/Kconfig linux-2.6.24.5/security/Kconfig
74709 +--- linux-2.6.24.5/security/Kconfig 2008-03-24 14:49:18.000000000 -0400
74710 ++++ linux-2.6.24.5/security/Kconfig 2008-03-26 20:21:09.000000000 -0400
74711 +@@ -4,6 +4,429 @@
74712 +
74713 + menu "Security options"
74714 +
74715 ++source grsecurity/Kconfig
74716 ++
74717 ++menu "PaX"
74718 ++
74719 ++config PAX
74720 ++ bool "Enable various PaX features"
74721 ++ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
74722 ++ help
74723 ++ This allows you to enable various PaX features. PaX adds
74724 ++ intrusion prevention mechanisms to the kernel that reduce
74725 ++ the risks posed by exploitable memory corruption bugs.
74726 ++
74727 ++menu "PaX Control"
74728 ++ depends on PAX
74729 ++
74730 ++config PAX_SOFTMODE
74731 ++ bool 'Support soft mode'
74732 ++ help
74733 ++ Enabling this option will allow you to run PaX in soft mode, that
74734 ++ is, PaX features will not be enforced by default, only on executables
74735 ++ marked explicitly. You must also enable PT_PAX_FLAGS support as it
74736 ++ is the only way to mark executables for soft mode use.
74737 ++
74738 ++ Soft mode can be activated by using the "pax_softmode=1" kernel command
74739 ++ line option on boot. Furthermore you can control various PaX features
74740 ++ at runtime via the entries in /proc/sys/kernel/pax.
74741 ++
74742 ++config PAX_EI_PAX
74743 ++ bool 'Use legacy ELF header marking'
74744 ++ help
74745 ++ Enabling this option will allow you to control PaX features on
74746 ++ a per executable basis via the 'chpax' utility available at
74747 ++ http://pax.grsecurity.net/. The control flags will be read from
74748 ++ an otherwise reserved part of the ELF header. This marking has
74749 ++ numerous drawbacks (no support for soft-mode, toolchain does not
74750 ++ know about the non-standard use of the ELF header) therefore it
74751 ++ has been deprecated in favour of PT_PAX_FLAGS support.
74752 ++
74753 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
74754 ++ program header then you MUST enable this option otherwise they
74755 ++ will not get any protection.
74756 ++
74757 ++ Note that if you enable PT_PAX_FLAGS marking support as well,
74758 ++ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
74759 ++
74760 ++config PAX_PT_PAX_FLAGS
74761 ++ bool 'Use ELF program header marking'
74762 ++ help
74763 ++ Enabling this option will allow you to control PaX features on
74764 ++ a per executable basis via the 'paxctl' utility available at
74765 ++ http://pax.grsecurity.net/. The control flags will be read from
74766 ++ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
74767 ++ has the benefits of supporting both soft mode and being fully
74768 ++ integrated into the toolchain (the binutils patch is available
74769 ++ from http://pax.grsecurity.net).
74770 ++
74771 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
74772 ++ program header then you MUST enable the EI_PAX marking support
74773 ++ otherwise they will not get any protection.
74774 ++
74775 ++ Note that if you enable the legacy EI_PAX marking support as well,
74776 ++ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
74777 ++
74778 ++choice
74779 ++ prompt 'MAC system integration'
74780 ++ default PAX_HAVE_ACL_FLAGS
74781 ++ help
74782 ++ Mandatory Access Control systems have the option of controlling
74783 ++ PaX flags on a per executable basis, choose the method supported
74784 ++ by your particular system.
74785 ++
74786 ++ - "none": if your MAC system does not interact with PaX,
74787 ++ - "direct": if your MAC system defines pax_set_initial_flags() itself,
74788 ++ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
74789 ++
74790 ++ NOTE: this option is for developers/integrators only.
74791 ++
74792 ++ config PAX_NO_ACL_FLAGS
74793 ++ bool 'none'
74794 ++
74795 ++ config PAX_HAVE_ACL_FLAGS
74796 ++ bool 'direct'
74797 ++
74798 ++ config PAX_HOOK_ACL_FLAGS
74799 ++ bool 'hook'
74800 ++endchoice
74801 ++
74802 ++endmenu
74803 ++
74804 ++menu "Non-executable pages"
74805 ++ depends on PAX
74806 ++
74807 ++config PAX_NOEXEC
74808 ++ bool "Enforce non-executable pages"
74809 ++ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
74810 ++ help
74811 ++ By design some architectures do not allow for protecting memory
74812 ++ pages against execution or even if they do, Linux does not make
74813 ++ use of this feature. In practice this means that if a page is
74814 ++ readable (such as the stack or heap) it is also executable.
74815 ++
74816 ++ There is a well known exploit technique that makes use of this
74817 ++ fact and a common programming mistake where an attacker can
74818 ++ introduce code of his choice somewhere in the attacked program's
74819 ++ memory (typically the stack or the heap) and then execute it.
74820 ++
74821 ++ If the attacked program was running with different (typically
74822 ++ higher) privileges than that of the attacker, then he can elevate
74823 ++ his own privilege level (e.g. get a root shell, write to files for
74824 ++ which he does not have write access to, etc).
74825 ++
74826 ++ Enabling this option will let you choose from various features
74827 ++ that prevent the injection and execution of 'foreign' code in
74828 ++ a program.
74829 ++
74830 ++ This will also break programs that rely on the old behaviour and
74831 ++ expect that dynamically allocated memory via the malloc() family
74832 ++ of functions is executable (which it is not). Notable examples
74833 ++ are the XFree86 4.x server, the java runtime and wine.
74834 ++
74835 ++config PAX_PAGEEXEC
74836 ++ bool "Paging based non-executable pages"
74837 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
74838 ++ help
74839 ++ This implementation is based on the paging feature of the CPU.
74840 ++ On i386 without hardware non-executable bit support there is a
74841 ++ variable but usually low performance impact, however on Intel's
74842 ++ P4 core based CPUs it is very high so you should not enable this
74843 ++ for kernels meant to be used on such CPUs.
74844 ++
74845 ++ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
74846 ++ with hardware non-executable bit support there is no performance
74847 ++ impact, on ppc the impact is negligible.
74848 ++
74849 ++ Note that several architectures require various emulations due to
74850 ++ badly designed userland ABIs, this will cause a performance impact
74851 ++ but will disappear as soon as userland is fixed (e.g., ppc users
74852 ++ can make use of the secure-plt feature found in binutils).
74853 ++
74854 ++config PAX_SEGMEXEC
74855 ++ bool "Segmentation based non-executable pages"
74856 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
74857 ++ help
74858 ++ This implementation is based on the segmentation feature of the
74859 ++ CPU and has a very small performance impact, however applications
74860 ++ will be limited to a 1.5 GB address space instead of the normal
74861 ++ 3 GB.
74862 ++
74863 ++config PAX_EMUTRAMP
74864 ++ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
74865 ++ default y if PARISC || PPC32
74866 ++ help
74867 ++ There are some programs and libraries that for one reason or
74868 ++ another attempt to execute special small code snippets from
74869 ++ non-executable memory pages. Most notable examples are the
74870 ++ signal handler return code generated by the kernel itself and
74871 ++ the GCC trampolines.
74872 ++
74873 ++ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
74874 ++ such programs will no longer work under your kernel.
74875 ++
74876 ++ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
74877 ++ utilities to enable trampoline emulation for the affected programs
74878 ++ yet still have the protection provided by the non-executable pages.
74879 ++
74880 ++ On parisc and ppc you MUST enable this option and EMUSIGRT as
74881 ++ well, otherwise your system will not even boot.
74882 ++
74883 ++ Alternatively you can say N here and use the 'chpax' or 'paxctl'
74884 ++ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
74885 ++ for the affected files.
74886 ++
74887 ++ NOTE: enabling this feature *may* open up a loophole in the
74888 ++ protection provided by non-executable pages that an attacker
74889 ++ could abuse. Therefore the best solution is to not have any
74890 ++ files on your system that would require this option. This can
74891 ++ be achieved by not using libc5 (which relies on the kernel
74892 ++ signal handler return code) and not using or rewriting programs
74893 ++ that make use of the nested function implementation of GCC.
74894 ++ Skilled users can just fix GCC itself so that it implements
74895 ++ nested function calls in a way that does not interfere with PaX.
74896 ++
74897 ++config PAX_EMUSIGRT
74898 ++ bool "Automatically emulate sigreturn trampolines"
74899 ++ depends on PAX_EMUTRAMP && (PARISC || PPC32)
74900 ++ default y
74901 ++ help
74902 ++ Enabling this option will have the kernel automatically detect
74903 ++ and emulate signal return trampolines executing on the stack
74904 ++ that would otherwise lead to task termination.
74905 ++
74906 ++ This solution is intended as a temporary one for users with
74907 ++ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
74908 ++ Modula-3 runtime, etc) or executables linked to such, basically
74909 ++ everything that does not specify its own SA_RESTORER function in
74910 ++ normal executable memory like glibc 2.1+ does.
74911 ++
74912 ++ On parisc and ppc you MUST enable this option, otherwise your
74913 ++ system will not even boot.
74914 ++
74915 ++ NOTE: this feature cannot be disabled on a per executable basis
74916 ++ and since it *does* open up a loophole in the protection provided
74917 ++ by non-executable pages, the best solution is to not have any
74918 ++ files on your system that would require this option.
74919 ++
74920 ++config PAX_MPROTECT
74921 ++ bool "Restrict mprotect()"
74922 ++ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
74923 ++ help
74924 ++ Enabling this option will prevent programs from
74925 ++ - changing the executable status of memory pages that were
74926 ++ not originally created as executable,
74927 ++ - making read-only executable pages writable again,
74928 ++ - creating executable pages from anonymous memory.
74929 ++
74930 ++ You should say Y here to complete the protection provided by
74931 ++ the enforcement of non-executable pages.
74932 ++
74933 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
74934 ++ this feature on a per file basis.
74935 ++
74936 ++config PAX_NOELFRELOCS
74937 ++ bool "Disallow ELF text relocations"
74938 ++ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
74939 ++ help
74940 ++ Non-executable pages and mprotect() restrictions are effective
74941 ++ in preventing the introduction of new executable code into an
74942 ++ attacked task's address space. There remain only two venues
74943 ++ for this kind of attack: if the attacker can execute already
74944 ++ existing code in the attacked task then he can either have it
74945 ++ create and mmap() a file containing his code or have it mmap()
74946 ++ an already existing ELF library that does not have position
74947 ++ independent code in it and use mprotect() on it to make it
74948 ++ writable and copy his code there. While protecting against
74949 ++ the former approach is beyond PaX, the latter can be prevented
74950 ++ by having only PIC ELF libraries on one's system (which do not
74951 ++ need to relocate their code). If you are sure this is your case,
74952 ++ then enable this option otherwise be careful as you may not even
74953 ++ be able to boot or log on your system (for example, some PAM
74954 ++ modules are erroneously compiled as non-PIC by default).
74955 ++
74956 ++ NOTE: if you are using dynamic ELF executables (as suggested
74957 ++ when using ASLR) then you must have made sure that you linked
74958 ++ your files using the PIC version of crt1 (the et_dyn.tar.gz package
74959 ++ referenced there has already been updated to support this).
74960 ++
74961 ++config PAX_ETEXECRELOCS
74962 ++ bool "Allow ELF ET_EXEC text relocations"
74963 ++ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
74964 ++ default y
74965 ++ help
74966 ++ On some architectures there are incorrectly created applications
74967 ++ that require text relocations and would not work without enabling
74968 ++ this option. If you are an alpha, ia64 or parisc user, you should
74969 ++ enable this option and disable it once you have made sure that
74970 ++ none of your applications need it.
74971 ++
74972 ++config PAX_EMUPLT
74973 ++ bool "Automatically emulate ELF PLT"
74974 ++ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
74975 ++ default y
74976 ++ help
74977 ++ Enabling this option will have the kernel automatically detect
74978 ++ and emulate the Procedure Linkage Table entries in ELF files.
74979 ++ On some architectures such entries are in writable memory, and
74980 ++ become non-executable leading to task termination. Therefore
74981 ++ it is mandatory that you enable this option on alpha, parisc,
74982 ++ ppc (if secure-plt is not used throughout in userland), sparc
74983 ++ and sparc64, otherwise your system would not even boot.
74984 ++
74985 ++ NOTE: this feature *does* open up a loophole in the protection
74986 ++ provided by the non-executable pages, therefore the proper
74987 ++ solution is to modify the toolchain to produce a PLT that does
74988 ++ not need to be writable.
74989 ++
74990 ++config PAX_DLRESOLVE
74991 ++ bool
74992 ++ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
74993 ++ default y
74994 ++
74995 ++config PAX_SYSCALL
74996 ++ bool
74997 ++ depends on PAX_PAGEEXEC && PPC32
74998 ++ default y
74999 ++
75000 ++config PAX_KERNEXEC
75001 ++ bool "Enforce non-executable kernel pages"
75002 ++ depends on PAX_NOEXEC && X86 && !EFI && !COMPAT_VDSO && (!X86_32 || X86_WP_WORKS_OK) && !PARAVIRT
75003 ++ help
75004 ++ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
75005 ++ that is, enabling this option will make it harder to inject
75006 ++ and execute 'foreign' code in kernel memory itself.
75007 ++
75008 ++endmenu
75009 ++
75010 ++menu "Address Space Layout Randomization"
75011 ++ depends on PAX
75012 ++
75013 ++config PAX_ASLR
75014 ++ bool "Address Space Layout Randomization"
75015 ++ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
75016 ++ help
75017 ++ Many if not most exploit techniques rely on the knowledge of
75018 ++ certain addresses in the attacked program. The following options
75019 ++ will allow the kernel to apply a certain amount of randomization
75020 ++ to specific parts of the program thereby forcing an attacker to
75021 ++ guess them in most cases. Any failed guess will most likely crash
75022 ++ the attacked program which allows the kernel to detect such attempts
75023 ++ and react on them. PaX itself provides no reaction mechanisms,
75024 ++ instead it is strongly encouraged that you make use of Nergal's
75025 ++ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
75026 ++ (http://www.grsecurity.net/) built-in crash detection features or
75027 ++ develop one yourself.
75028 ++
75029 ++ By saying Y here you can choose to randomize the following areas:
75030 ++ - top of the task's kernel stack
75031 ++ - top of the task's userland stack
75032 ++ - base address for mmap() requests that do not specify one
75033 ++ (this includes all libraries)
75034 ++ - base address of the main executable
75035 ++
75036 ++ It is strongly recommended to say Y here as address space layout
75037 ++ randomization has negligible impact on performance yet it provides
75038 ++ a very effective protection.
75039 ++
75040 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
75041 ++ this feature on a per file basis.
75042 ++
75043 ++config PAX_RANDKSTACK
75044 ++ bool "Randomize kernel stack base"
75045 ++ depends on PAX_ASLR && X86_TSC && X86_32
75046 ++ help
75047 ++ By saying Y here the kernel will randomize every task's kernel
75048 ++ stack on every system call. This will not only force an attacker
75049 ++ to guess it but also prevent him from making use of possible
75050 ++ leaked information about it.
75051 ++
75052 ++ Since the kernel stack is a rather scarce resource, randomization
75053 ++ may cause unexpected stack overflows, therefore you should very
75054 ++ carefully test your system. Note that once enabled in the kernel
75055 ++ configuration, this feature cannot be disabled on a per file basis.
75056 ++
75057 ++config PAX_RANDUSTACK
75058 ++ bool "Randomize user stack base"
75059 ++ depends on PAX_ASLR
75060 ++ help
75061 ++ By saying Y here the kernel will randomize every task's userland
75062 ++ stack. The randomization is done in two steps where the second
75063 ++ one may apply a big amount of shift to the top of the stack and
75064 ++ cause problems for programs that want to use lots of memory (more
75065 ++ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
75066 ++ For this reason the second step can be controlled by 'chpax' or
75067 ++ 'paxctl' on a per file basis.
75068 ++
75069 ++config PAX_RANDMMAP
75070 ++ bool "Randomize mmap() base"
75071 ++ depends on PAX_ASLR
75072 ++ help
75073 ++ By saying Y here the kernel will use a randomized base address for
75074 ++ mmap() requests that do not specify one themselves. As a result
75075 ++ all dynamically loaded libraries will appear at random addresses
75076 ++ and therefore be harder to exploit by a technique where an attacker
75077 ++ attempts to execute library code for his purposes (e.g. spawn a
75078 ++ shell from an exploited program that is running at an elevated
75079 ++ privilege level).
75080 ++
75081 ++ Furthermore, if a program is relinked as a dynamic ELF file, its
75082 ++ base address will be randomized as well, completing the full
75083 ++ randomization of the address space layout. Attacking such programs
75084 ++ becomes a guess game. You can find an example of doing this at
75085 ++ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
75086 ++ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
75087 ++
75088 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
75089 ++ feature on a per file basis.
75090 ++
75091 ++endmenu
75092 ++
75093 ++menu "Miscellaneous hardening features"
75094 ++
75095 ++config PAX_MEMORY_SANITIZE
75096 ++ bool "Sanitize all freed memory"
75097 ++ help
75098 ++ By saying Y here the kernel will erase memory pages as soon as they
75099 ++ are freed. This in turn reduces the lifetime of data stored in the
75100 ++ pages, making it less likely that sensitive information such as
75101 ++ passwords, cryptographic secrets, etc stay in memory for too long.
75102 ++
75103 ++ This is especially useful for programs whose runtime is short, long
75104 ++ lived processes and the kernel itself benefit from this as long as
75105 ++ they operate on whole memory pages and ensure timely freeing of pages
75106 ++ that may hold sensitive information.
75107 ++
75108 ++ The tradeoff is performance impact, on a single CPU system kernel
75109 ++ compilation sees a 3% slowdown, other systems and workloads may vary
75110 ++ and you are advised to test this feature on your expected workload
75111 ++ before deploying it.
75112 ++
75113 ++ Note that this feature does not protect data stored in live pages,
75114 ++ e.g., process memory swapped to disk may stay there for a long time.
75115 ++
75116 ++config PAX_MEMORY_UDEREF
75117 ++ bool "Prevent invalid userland pointer dereference"
75118 ++ depends on X86_32 && !COMPAT_VDSO
75119 ++ help
75120 ++ By saying Y here the kernel will be prevented from dereferencing
75121 ++ userland pointers in contexts where the kernel expects only kernel
75122 ++ pointers. This is both a useful runtime debugging feature and a
75123 ++ security measure that prevents exploiting a class of kernel bugs.
75124 ++
75125 ++ The tradeoff is that some virtualization solutions may experience
75126 ++ a huge slowdown and therefore you should not enable this feature
75127 ++ for kernels meant to run in such environments. Whether a given VM
75128 ++ solution is affected or not is best determined by simply trying it
75129 ++ out, the performance impact will be obvious right on boot as this
75130 ++ mechanism engages from very early on. A good rule of thumb is that
75131 ++ VMs running on CPUs without hardware virtualization support (i.e.,
75132 ++ the majority of IA-32 CPUs) will likely experience the slowdown.
75133 ++
75134 ++endmenu
75135 ++
75136 ++endmenu
75137 ++
75138 + config KEYS
75139 + bool "Enable access key retention support"
75140 + help
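Review bot: the PAX_MEMORY_SANITIZE help text runs two sentences together in "This is especially useful for programs whose runtime is short, long lived processes and the kernel itself benefit from this as long as ..."; split after "short" so the second half reads as the caveat it is (long-lived processes and the kernel only gain when they work on whole pages and free them promptly). The closing paragraph says the feature "does not protect data stored in live pages" and then gives memory swapped to disk as the example, which is a different gap (data that has already left RAM); name both cases. The 3% figure is a single-CPU kernel-compile measurement only, so the "test on your expected workload" sentence is the right caveat to keep. For PAX_MEMORY_UDEREF, `depends on X86_32 && !COMPAT_VDSO` matches the `select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)` used by the Hardened Gentoo levels in 4430_grsec-kconfig-gentoo.patch further down, so the two stay consistent.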
75141 +diff -urNp linux-2.6.24.5/sound/core/oss/pcm_oss.c linux-2.6.24.5/sound/core/oss/pcm_oss.c
75142 +--- linux-2.6.24.5/sound/core/oss/pcm_oss.c 2008-03-24 14:49:18.000000000 -0400
75143 ++++ linux-2.6.24.5/sound/core/oss/pcm_oss.c 2008-03-26 20:21:09.000000000 -0400
75144 +@@ -2913,8 +2913,8 @@ static void snd_pcm_oss_proc_done(struct
75145 + }
75146 + }
75147 + #else /* !CONFIG_SND_VERBOSE_PROCFS */
75148 +-#define snd_pcm_oss_proc_init(pcm)
75149 +-#define snd_pcm_oss_proc_done(pcm)
75150 ++#define snd_pcm_oss_proc_init(pcm) do {} while (0)
75151 ++#define snd_pcm_oss_proc_done(pcm) do {} while (0)
75152 + #endif /* CONFIG_SND_VERBOSE_PROCFS */
75153 +
75154 + /*
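Review bot: replacing empty macro bodies with `do {} while (0)` changes nothing at runtime; it only stops the compiler from seeing an empty statement when the macro is the body of an `if` without braces (and avoids the resulting -Wempty-body warning). Since this hunk, the seq_lock.h hunk below and the array-terminator changes that follow are build hygiene rather than hardening, say so in the patch description so a reader does not go looking for a security rationale behind them.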
75155 +diff -urNp linux-2.6.24.5/sound/core/seq/seq_lock.h linux-2.6.24.5/sound/core/seq/seq_lock.h
75156 +--- linux-2.6.24.5/sound/core/seq/seq_lock.h 2008-03-24 14:49:18.000000000 -0400
75157 ++++ linux-2.6.24.5/sound/core/seq/seq_lock.h 2008-03-26 20:21:09.000000000 -0400
75158 +@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
75159 + #else /* SMP || CONFIG_SND_DEBUG */
75160 +
75161 + typedef spinlock_t snd_use_lock_t; /* dummy */
75162 +-#define snd_use_lock_init(lockp) /**/
75163 +-#define snd_use_lock_use(lockp) /**/
75164 +-#define snd_use_lock_free(lockp) /**/
75165 +-#define snd_use_lock_sync(lockp) /**/
75166 ++#define snd_use_lock_init(lockp) do {} while (0)
75167 ++#define snd_use_lock_use(lockp) do {} while (0)
75168 ++#define snd_use_lock_free(lockp) do {} while (0)
75169 ++#define snd_use_lock_sync(lockp) do {} while (0)
75170 +
75171 + #endif /* SMP || CONFIG_SND_DEBUG */
75172 +
75173 +diff -urNp linux-2.6.24.5/sound/pci/ac97/ac97_patch.c linux-2.6.24.5/sound/pci/ac97/ac97_patch.c
75174 +--- linux-2.6.24.5/sound/pci/ac97/ac97_patch.c 2008-03-24 14:49:18.000000000 -0400
75175 ++++ linux-2.6.24.5/sound/pci/ac97/ac97_patch.c 2008-03-26 20:21:09.000000000 -0400
75176 +@@ -1478,7 +1478,7 @@ static const struct snd_ac97_res_table a
75177 + { AC97_VIDEO, 0x9f1f },
75178 + { AC97_AUX, 0x9f1f },
75179 + { AC97_PCM, 0x9f1f },
75180 +- { } /* terminator */
75181 ++ { 0, 0 } /* terminator */
75182 + };
75183 +
75184 + static int patch_ad1819(struct snd_ac97 * ac97)
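Review bot: `{ }` and `{ 0, 0 }` yield the same all-zero terminator, but the positional form hardcodes the current member count of struct snd_ac97_res_table; if a member is ever added the initializer stays legal and silently zero-fills it, so nothing catches the drift. `{ 0 }` is standard C, zero-fills the remainder, and carries no member count; the same applies to the lm4550 table in the second hunk of this file.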
75185 +@@ -3537,7 +3537,7 @@ static struct snd_ac97_res_table lm4550_
75186 + { AC97_AUX, 0x1f1f },
75187 + { AC97_PCM, 0x1f1f },
75188 + { AC97_REC_GAIN, 0x0f0f },
75189 +- { } /* terminator */
75190 ++ { 0, 0 } /* terminator */
75191 + };
75192 +
75193 + static int patch_lm4550(struct snd_ac97 *ac97)
75194 +diff -urNp linux-2.6.24.5/sound/pci/ens1370.c linux-2.6.24.5/sound/pci/ens1370.c
75195 +--- linux-2.6.24.5/sound/pci/ens1370.c 2008-03-24 14:49:18.000000000 -0400
75196 ++++ linux-2.6.24.5/sound/pci/ens1370.c 2008-03-26 20:21:09.000000000 -0400
75197 +@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
75198 + { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
75199 + { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
75200 + #endif
75201 +- { 0, }
75202 ++ { 0, 0, 0, 0, 0, 0, 0 }
75203 + };
75204 +
75205 + MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
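Review bot: `{ 0, }` already zero-initializes every member of struct pci_device_id, so writing seven explicit zeros (one per member) only ties the terminator to the current layout and gains nothing. If the intent is to satisfy a missing-field-initializer warning on a `const` table, designated initializers (`{ .vendor = 0 }`) state that intent and survive layout changes; the same comment applies to the snd_intel8x0_ids and snd_intel8x0m_ids tables in the two following files.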
75206 +diff -urNp linux-2.6.24.5/sound/pci/intel8x0.c linux-2.6.24.5/sound/pci/intel8x0.c
75207 +--- linux-2.6.24.5/sound/pci/intel8x0.c 2008-03-24 14:49:18.000000000 -0400
75208 ++++ linux-2.6.24.5/sound/pci/intel8x0.c 2008-03-26 20:21:09.000000000 -0400
75209 +@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
75210 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
75211 + { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
75212 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
75213 +- { 0, }
75214 ++ { 0, 0, 0, 0, 0, 0, 0 }
75215 + };
75216 +
75217 + MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
75218 +@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
75219 + .type = AC97_TUNE_HP_ONLY
75220 + },
75221 + #endif
75222 +- { } /* terminator */
75223 ++ { 0, 0, 0, 0, NULL, 0 } /* terminator */
75224 + };
75225 +
75226 + static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
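Review bot: `{ 0, 0, 0, 0, NULL, 0 }` depends on the pointer member of struct ac97_quirk sitting in exactly the fifth position; if the layout changes, a `0` landing in the pointer slot compiles silently and `NULL` landing in an integer slot is at most a warning, so the terminator degrades without a build failure. Keeping `{ }`, or using designated initializers, gives the same zeroed terminator without the positional coupling.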
75227 +diff -urNp linux-2.6.24.5/sound/pci/intel8x0m.c linux-2.6.24.5/sound/pci/intel8x0m.c
75228 +--- linux-2.6.24.5/sound/pci/intel8x0m.c 2008-03-24 14:49:18.000000000 -0400
75229 ++++ linux-2.6.24.5/sound/pci/intel8x0m.c 2008-03-26 20:21:09.000000000 -0400
75230 +@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
75231 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
75232 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
75233 + #endif
75234 +- { 0, }
75235 ++ { 0, 0, 0, 0, 0, 0, 0 }
75236 + };
75237 +
75238 + MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
75239 +@@ -1261,7 +1261,7 @@ static struct shortname_table {
75240 + { 0x5455, "ALi M5455" },
75241 + { 0x746d, "AMD AMD8111" },
75242 + #endif
75243 +- { 0 },
75244 ++ { 0, NULL },
75245 + };
75246 +
75247 + static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
75248
75249 Deleted: hardened-sources/2.6/tags/2.6.24-2/4425_alpha-sysctl-uac-for-hardened.patch
75250 ===================================================================
75251 --- hardened-sources/2.6/trunk/2.6.24/4425_alpha-sysctl-uac-for-hardened.patch 2008-04-07 12:57:31 UTC (rev 89)
75252 +++ hardened-sources/2.6/tags/2.6.24-2/4425_alpha-sysctl-uac-for-hardened.patch 2008-04-30 11:37:34 UTC (rev 93)
75253 @@ -1,181 +0,0 @@
75254 ---- a/arch/alpha/Kconfig
75255 -+++ b/arch/alpha/Kconfig
75256 -@@ -616,6 +616,32 @@ config VERBOSE_MCHECK_ON
75257 -
75258 - Take the default (1) unless you want more control or more info.
75259 -
75260 -+config ALPHA_UAC_SYSCTL
75261 -+ bool "Configure UAC policy via sysctl"
75262 -+ depends on SYSCTL
75263 -+ default y
75264 -+ ---help---
75265 -+ Configuring the UAC (unaligned access control) policy on a Linux
75266 -+ system usually involves setting a compile time define. If you say
75267 -+ Y here, you will be able to modify the UAC policy at runtime using
75268 -+ the /proc interface.
75269 -+
75270 -+ The UAC policy defines the action Linux should take when an
75271 -+ unaligned memory access occurs. The action can include printing a
75272 -+ warning message (NOPRINT), sending a signal to the offending
75273 -+ program to help developers debug their applications (SIGBUS), or
75274 -+ disabling the transparent fixing (NOFIX).
75275 -+
75276 -+ The sysctls will be initialized to the compile-time defined UAC
75277 -+ policy. You can change these manually, or with the sysctl(8)
75278 -+ userspace utility.
75279 -+
75280 -+ To disable the warning messages at runtime, you would use
75281 -+
75282 -+ echo 1 > /proc/sys/kernel/uac/noprint
75283 -+
75284 -+ This is pretty harmless. Say Y if you're not sure.
75285 -+
75286 - source "drivers/pci/Kconfig"
75287 - source "drivers/eisa/Kconfig"
75288 -
75289 ---- a/arch/alpha/kernel/traps.c
75290 -+++ b/arch/alpha/kernel/traps.c
75291 -@@ -14,6 +14,7 @@
75292 - #include <linux/delay.h>
75293 - #include <linux/smp_lock.h>
75294 - #include <linux/module.h>
75295 -+#include <linux/sysctl.h>
75296 - #include <linux/init.h>
75297 - #include <linux/kallsyms.h>
75298 -
75299 -@@ -102,6 +103,38 @@ static char * ireg_name[] = {"v0", "t0",
75300 - "t10", "t11", "ra", "pv", "at", "gp", "sp", "zero"};
75301 - #endif
75302 -
75303 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75304 -+static struct ctl_table_header *uac_sysctl_header;
75305 -+
75306 -+static int enabled_noprint = 0;
75307 -+static int enabled_sigbus = 0;
75308 -+static int enabled_nofix = 0;
75309 -+
75310 -+ctl_table uac_table[] = {
75311 -+ {KERN_UAC_NOPRINT, "noprint", &enabled_noprint, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75312 -+ {KERN_UAC_SIGBUS, "sigbus", &enabled_sigbus, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75313 -+ {KERN_UAC_NOFIX, "nofix", &enabled_nofix, sizeof (int), 0644, NULL, NULL, &proc_dointvec},
75314 -+ {0}
75315 -+};
75316 -+
75317 -+static int __init init_uac_sysctl(void)
75318 -+{
75319 -+ /* Initialize sysctls with the #defined UAC policy */
75320 -+ enabled_noprint = (test_thread_flag (TIF_UAC_NOPRINT)) ? 1 : 0;
75321 -+ enabled_sigbus = (test_thread_flag (TIF_UAC_SIGBUS)) ? 1 : 0;
75322 -+ enabled_nofix = (test_thread_flag (TIF_UAC_NOFIX)) ? 1 : 0;
75323 -+
75324 -+ /* save this for later so we can clean up */
75325 -+ uac_sysctl_header = register_sysctl_table(uac_table);
75326 -+ return 0;
75327 -+}
75328 -+
75329 -+static void __exit exit_uac_sysctl(void)
75330 -+{
75331 -+ unregister_sysctl_table(uac_sysctl_header);
75332 -+}
75333 -+#endif
75334 -+
75335 - static void
75336 - dik_show_code(unsigned int *pc)
75337 - {
75338 -@@ -780,7 +813,11 @@ do_entUnaUser(void __user * va, unsigned
75339 - /* Check the UAC bits to decide what the user wants us to do
75340 - with the unaliged access. */
75341 -
75342 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75343 - if (!test_thread_flag (TIF_UAC_NOPRINT)) {
75344 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75345 -+ if (!(enabled_noprint)) {
75346 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75347 - if (cnt >= 5 && jiffies - last_time > 5*HZ) {
75348 - cnt = 0;
75349 - }
75350 -@@ -791,10 +828,18 @@ do_entUnaUser(void __user * va, unsigned
75351 - }
75352 - last_time = jiffies;
75353 - }
75354 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75355 - if (test_thread_flag (TIF_UAC_SIGBUS))
75356 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75357 -+ if (enabled_sigbus)
75358 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75359 - goto give_sigbus;
75360 - /* Not sure why you'd want to use this, but... */
75361 -+#ifndef CONFIG_ALPHA_UAC_SYSCTL
75362 - if (test_thread_flag (TIF_UAC_NOFIX))
75363 -+#else /* CONFIG_ALPHA_UAC_SYSCTL */
75364 -+ if (enabled_nofix)
75365 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75366 - return;
75367 -
75368 - /* Don't bother reading ds in the access check since we already
75369 -@@ -1089,3 +1134,7 @@ trap_init(void)
75370 - wrent(entSys, 5);
75371 - wrent(entDbg, 6);
75372 - }
75373 -+
75374 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75375 -+__initcall(init_uac_sysctl);
75376 -+#endif
75377 ---- a/include/linux/sysctl.h
75378 -+++ b/include/linux/sysctl.h
75379 -@@ -164,6 +164,10 @@ enum
75380 - KERN_MAX_LOCK_DEPTH=74,
75381 - KERN_NMI_WATCHDOG=75, /* int: enable/disable nmi watchdog */
75382 - KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
75383 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75384 -+ KERN_UAC_POLICY=77, /* int: Alpha unaligned access control policy flags */
75385 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75386 -+
75387 - #ifdef CONFIG_GRKERNSEC
75388 - KERN_GRSECURITY=98, /* grsecurity */
75389 - #endif
75390 -@@ -265,6 +269,17 @@ enum
75391 - PTY_NR=2
75392 - };
75393 -
75394 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75395 -+/* /proc/sys/kernel/uac */
75396 -+enum
75397 -+{
75398 -+ /* UAC policy on Alpha */
75399 -+ KERN_UAC_NOPRINT=1, /* int: printk() on unaligned access */
75400 -+ KERN_UAC_SIGBUS=2, /* int: send SIGBUS on unaligned access */
75401 -+ KERN_UAC_NOFIX=3, /* int: don't fix the unaligned access */
75402 -+};
75403 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75404 -+
75405 - /* /proc/sys/bus/isa */
75406 - enum
75407 - {
75408 ---- a/kernel/sysctl.c
75409 -+++ b/kernel/sysctl.c
75410 -@@ -153,6 +153,9 @@ extern int max_lock_depth;
75411 - static int parse_table(int __user *, int, void __user *, size_t __user *,
75412 - void __user *, size_t, struct ctl_table *);
75413 - #endif
75414 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75415 -+extern ctl_table uac_table[];
75416 -+#endif
75417 -
75418 -
75419 - #ifdef CONFIG_PROC_SYSCTL
75420 -@@ -254,6 +257,14 @@ static struct ctl_table root_table[] = {
75421 - * NOTE: do not add new entries to this table unless you have read
75422 - * Documentation/sysctl/ctl_unnumbered.txt
75423 - */
75424 -+#ifdef CONFIG_ALPHA_UAC_SYSCTL
75425 -+ {
75426 -+ .ctl_name = KERN_UAC_POLICY,
75427 -+ .procname = "uac",
75428 -+ .mode = 0555,
75429 -+ .child = uac_table,
75430 -+ },
75431 -+#endif /* CONFIG_ALPHA_UAC_SYSCTL */
75432 - { .ctl_name = 0 }
75433 - };
75434 -
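Review bot: this drops the Alpha UAC sysctl patch from the tag with no replacement anywhere in this changeset; record the reason in the tag's changelog so the removal is not mistaken for the renumbering that the other deleted/copied pairs represent. Dropping it is defensible on the merits of the removed code: it adds a numbered entry (`.ctl_name = KERN_UAC_POLICY`, with `KERN_UAC_POLICY=77`) to root_table directly beneath the comment "do not add new entries to this table unless you have read Documentation/sysctl/ctl_unnumbered.txt"; `exit_uac_sysctl` is marked `__exit` but nothing ever calls it, since only `__initcall(init_uac_sysctl)` is wired up; `uac_table` is a non-static global declared `extern` in kernel/sysctl.c with positional initializers while root_table in the same patch uses the designated `.ctl_name = ...` style; and the `#ifndef CONFIG_ALPHA_UAC_SYSCTL` switches in do_entUnaUser replace the per-task TIF_UAC_* flags with three global ints, turning a per-process policy into a system-wide one that is seeded once at boot from whichever task runs the initcall.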
75435
75436 Copied: hardened-sources/2.6/tags/2.6.24-2/4425_grsec-kconfig-default-gids.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4425_grsec-kconfig-default-gids.patch)
75437 ===================================================================
75438 --- hardened-sources/2.6/tags/2.6.24-2/4425_grsec-kconfig-default-gids.patch (rev 0)
75439 +++ hardened-sources/2.6/tags/2.6.24-2/4425_grsec-kconfig-default-gids.patch 2008-04-30 11:37:34 UTC (rev 93)
75440 @@ -0,0 +1,76 @@
75441 +From: Kerin Millar <kerframil@×××××.com>
75442 +
75443 +grsecurity contains a number of options which allow certain protections
75444 +to be applied to or exempted from members of a given group. However, the
75445 +default GIDs specified in the upstream patch are entirely arbitrary and
75446 +there is no telling which (if any) groups the GIDs will correlate with
75447 +on an end-user's system. Because some users don't pay a great deal of
75448 +attention to the finer points of kernel configuration, it is probably
75449 +wise to specify some reasonable defaults so as to stop careless users
75450 +from shooting themselves in the foot.
75451 +
75452 +--- a/grsecurity/Kconfig
75453 ++++ b/grsecurity/Kconfig
75454 +@@ -352,7 +564,7 @@
75455 + config GRKERNSEC_PROC_GID
75456 + int "GID for special group"
75457 + depends on GRKERNSEC_PROC_USERGROUP
75458 +- default 1001
75459 ++ default 10
75460 +
75461 + config GRKERNSEC_PROC_ADD
75462 + bool "Additional restrictions"
75463 +@@ -547,7 +759,7 @@
75464 + config GRKERNSEC_AUDIT_GID
75465 + int "GID for auditing"
75466 + depends on GRKERNSEC_AUDIT_GROUP
75467 +- default 1007
75468 ++ default 100
75469 +
75470 + config GRKERNSEC_EXECLOG
75471 + bool "Exec logging"
75472 +@@ -700,7 +912,7 @@
75473 + config GRKERNSEC_TPE_GID
75474 + int "GID for untrusted users"
75475 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
75476 +- default 1005
75477 ++ default 100
75478 + help
75479 + If you have selected the "Invert GID option" above, setting this
75480 + GID determines what group TPE restrictions will be *disabled* for.
75481 +@@ -712,7 +924,7 @@
75482 + config GRKERNSEC_TPE_GID
75483 + int "GID for trusted users"
75484 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
75485 +- default 1005
75486 ++ default 10
75487 + help
75488 + If you have selected the "Invert GID option" above, setting this
75489 + GID determines what group TPE restrictions will be *disabled* for.
75490 +@@ -754,7 +966,7 @@
75491 + config GRKERNSEC_SOCKET_ALL_GID
75492 + int "GID to deny all sockets for"
75493 + depends on GRKERNSEC_SOCKET_ALL
75494 +- default 1004
75495 ++ default 65534
75496 + help
75497 + Here you can choose the GID to disable socket access for. Remember to
75498 + add the users you want socket access disabled for to the GID
75499 +@@ -775,7 +987,7 @@
75500 + config GRKERNSEC_SOCKET_CLIENT_GID
75501 + int "GID to deny client sockets for"
75502 + depends on GRKERNSEC_SOCKET_CLIENT
75503 +- default 1003
75504 ++ default 65534
75505 + help
75506 + Here you can choose the GID to disable client socket access for.
75507 + Remember to add the users you want client socket access disabled for to
75508 +@@ -793,7 +1005,7 @@
75509 + config GRKERNSEC_SOCKET_SERVER_GID
75510 + int "GID to deny server sockets for"
75511 + depends on GRKERNSEC_SOCKET_SERVER
75512 +- default 1002
75513 ++ default 65534
75514 + help
75515 + Here you can choose the GID to disable server socket access for.
75516 + Remember to add the users you want server socket access disabled for to
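Review bot: the inner hunk headers are stale: every new-side offset is exactly 212 lines past the old-side one (`@@ -352,7 +564,7 @@`, `@@ -547,7 +759,7 @@`, ... `@@ -793,7 +1005,7 @@`) even though each hunk is a one-line substitution, so they were taken from a tree that already had another patch applied. GNU patch locates hunks by the old-side numbers and context, so this still applies, but regenerate the headers so the patch is self-consistent. On the values: GID 100 becomes both the audit group and the TPE-restricted group, GID 10 both the /proc special group and the TPE-trusted group, and 65534 all three socket-deny groups. That is a reasonable mapping onto Gentoo's `users` (100), `wheel` (10) and `nobody` (65534), but the description, whose whole argument is that bare numbers are arbitrary, should name the groups these numbers are meant to match.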
75517
75518 Deleted: hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-default-gids.patch
75519 ===================================================================
75520 --- hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-default-gids.patch 2008-04-07 12:57:31 UTC (rev 89)
75521 +++ hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-default-gids.patch 2008-04-30 11:37:34 UTC (rev 93)
75522 @@ -1,76 +0,0 @@
75523 -From: Kerin Millar <kerframil@×××××.com>
75524 -
75525 -grsecurity contains a number of options which allow certain protections
75526 -to be applied to or exempted from members of a given group. However, the
75527 -default GIDs specified in the upstream patch are entirely arbitrary and
75528 -there is no telling which (if any) groups the GIDs will correlate with
75529 -on an end-user's system. Because some users don't pay a great deal of
75530 -attention to the finer points of kernel configuration, it is probably
75531 -wise to specify some reasonable defaults so as to stop careless users
75532 -from shooting themselves in the foot.
75533 -
75534 ---- a/grsecurity/Kconfig
75535 -+++ b/grsecurity/Kconfig
75536 -@@ -352,7 +564,7 @@
75537 - config GRKERNSEC_PROC_GID
75538 - int "GID for special group"
75539 - depends on GRKERNSEC_PROC_USERGROUP
75540 -- default 1001
75541 -+ default 10
75542 -
75543 - config GRKERNSEC_PROC_ADD
75544 - bool "Additional restrictions"
75545 -@@ -547,7 +759,7 @@
75546 - config GRKERNSEC_AUDIT_GID
75547 - int "GID for auditing"
75548 - depends on GRKERNSEC_AUDIT_GROUP
75549 -- default 1007
75550 -+ default 100
75551 -
75552 - config GRKERNSEC_EXECLOG
75553 - bool "Exec logging"
75554 -@@ -700,7 +912,7 @@
75555 - config GRKERNSEC_TPE_GID
75556 - int "GID for untrusted users"
75557 - depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
75558 -- default 1005
75559 -+ default 100
75560 - help
75561 - If you have selected the "Invert GID option" above, setting this
75562 - GID determines what group TPE restrictions will be *disabled* for.
75563 -@@ -712,7 +924,7 @@
75564 - config GRKERNSEC_TPE_GID
75565 - int "GID for trusted users"
75566 - depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
75567 -- default 1005
75568 -+ default 10
75569 - help
75570 - If you have selected the "Invert GID option" above, setting this
75571 - GID determines what group TPE restrictions will be *disabled* for.
75572 -@@ -754,7 +966,7 @@
75573 - config GRKERNSEC_SOCKET_ALL_GID
75574 - int "GID to deny all sockets for"
75575 - depends on GRKERNSEC_SOCKET_ALL
75576 -- default 1004
75577 -+ default 65534
75578 - help
75579 - Here you can choose the GID to disable socket access for. Remember to
75580 - add the users you want socket access disabled for to the GID
75581 -@@ -775,7 +987,7 @@
75582 - config GRKERNSEC_SOCKET_CLIENT_GID
75583 - int "GID to deny client sockets for"
75584 - depends on GRKERNSEC_SOCKET_CLIENT
75585 -- default 1003
75586 -+ default 65534
75587 - help
75588 - Here you can choose the GID to disable client socket access for.
75589 - Remember to add the users you want client socket access disabled for to
75590 -@@ -793,7 +1005,7 @@
75591 - config GRKERNSEC_SOCKET_SERVER_GID
75592 - int "GID to deny server sockets for"
75593 - depends on GRKERNSEC_SOCKET_SERVER
75594 -- default 1002
75595 -+ default 65534
75596 - help
75597 - Here you can choose the GID to disable server socket access for.
75598 - Remember to add the users you want server socket access disabled for to
75599
75600 Copied: hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-gentoo.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4430_grsec-kconfig-gentoo.patch)
75601 ===================================================================
75602 --- hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-gentoo.patch (rev 0)
75603 +++ hardened-sources/2.6/tags/2.6.24-2/4430_grsec-kconfig-gentoo.patch 2008-04-30 11:37:34 UTC (rev 93)
75604 @@ -0,0 +1,241 @@
75605 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
75606 +From: Kerin Millar <kerframil@×××××.com>
75607 +
75608 +Add Hardened Gentoo [server/workstation] predefined grsecurity
75609 +levels. They're designed to provide a comparitively high level of
75610 +security while remaining generally suitable for as great a majority
75611 +of the userbase as possible (particularly new users).
75612 +
75613 +Make Hardened Gentoo [workstation] predefined grsecurity level the
75614 +default. The Hardened Gentoo [server] level is more restrictive
75615 +and conflicts with some software and thus would be less suitable.
75616 +
75617 +The original version of this patch was conceived and created by:
75618 +Ned Ludd <solar@g.o>
75619 +
75620 +--- a/grsecurity/Kconfig
75621 ++++ b/grsecurity/Kconfig
75622 +@@ -20,7 +20,7 @@
75623 + choice
75624 + prompt "Security Level"
75625 + depends on GRKERNSEC
75626 +- default GRKERNSEC_CUSTOM
75627 ++ default GRKERNSEC_HARDENED_WORKSTATION
75628 +
75629 + config GRKERNSEC_LOW
75630 + bool "Low"
75631 +@@ -181,6 +181,214 @@
75632 + - Mount/unmount/remount logging
75633 + - Kernel symbol hiding
75634 + - Prevention of memory exhaustion-based exploits
75635 ++
75636 ++config GRKERNSEC_HARDENED_SERVER
75637 ++ bool "Hardened Gentoo [server]"
75638 ++ select GRKERNSEC_AUDIT_MOUNT
75639 ++ select GRKERNSEC_BRUTE
75640 ++ select GRKERNSEC_CHROOT
75641 ++ select GRKERNSEC_CHROOT_CAPS
75642 ++ select GRKERNSEC_CHROOT_CHDIR
75643 ++ select GRKERNSEC_CHROOT_CHMOD
75644 ++ select GRKERNSEC_CHROOT_DOUBLE
75645 ++ select GRKERNSEC_CHROOT_FCHDIR
75646 ++ select GRKERNSEC_CHROOT_FINDTASK
75647 ++ select GRKERNSEC_CHROOT_MKNOD
75648 ++ select GRKERNSEC_CHROOT_MOUNT
75649 ++ select GRKERNSEC_CHROOT_NICE
75650 ++ select GRKERNSEC_CHROOT_PIVOT
75651 ++ select GRKERNSEC_CHROOT_SHMAT
75652 ++ select GRKERNSEC_CHROOT_SYSCTL
75653 ++ select GRKERNSEC_CHROOT_UNIX
75654 ++ select GRKERNSEC_DMESG
75655 ++ select GRKERNSEC_EXECVE
75656 ++ select GRKERNSEC_FIFO
75657 ++ select GRKERNSEC_FORKFAIL
75658 ++ select GRKERNSEC_HIDESYM
75659 ++ select GRKERNSEC_IO if (X86)
75660 ++ select GRKERNSEC_KMEM
75661 ++ select GRKERNSEC_LINK
75662 ++ select GRKERNSEC_MODSTOP if (MODULES)
75663 ++ select GRKERNSEC_PROC
75664 ++ select GRKERNSEC_PROC_ADD
75665 ++ select GRKERNSEC_PROC_IPADDR
75666 ++ select GRKERNSEC_PROC_MEMMAP
75667 ++ select GRKERNSEC_PROC_USERGROUP
75668 ++ select GRKERNSEC_RANDNET
75669 ++ select GRKERNSEC_RESLOG
75670 ++ select GRKERNSEC_SIGNAL
75671 ++# select GRKERNSEC_SOCKET
75672 ++# select GRKERNSEC_SOCKET_SERVER
75673 ++ select GRKERNSEC_SYSCTL
75674 ++ select GRKERNSEC_SYSCTL_ON
75675 ++ select GRKERNSEC_TIME
75676 ++ select PAX
75677 ++ select PAX_ASLR
75678 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75679 ++ select PAX_EI_PAX
75680 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75681 ++ select PAX_EMUSIGRT if (PARISC || PPC32)
75682 ++ select PAX_EMUTRAMP if (PARISC || PPC32)
75683 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75684 ++ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
75685 ++ select PAX_MEMORY_SANITIZE
75686 ++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75687 ++ select PAX_MPROTECT if (!PPC64)
75688 ++ select PAX_HAVE_ACL_FLAGS
75689 ++ select PAX_NOELFRELOCS if (X86)
75690 ++ select PAX_NOEXEC
75691 ++ select PAX_PAGEEXEC
75692 ++ select PAX_PT_PAX_FLAGS
75693 ++ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75694 ++ select PAX_RANDMMAP
75695 ++ select PAX_RANDUSTACK
75696 ++ select PAX_SEGMEXEC if (X86_32)
75697 ++ select PAX_SYSCALL if (PPC32)
75698 ++ help
75699 ++ If you say Y here, a configuration will be used that is endorsed by
75700 ++ the Hardened Gentoo project. Therefore, many of the protections
75701 ++ made available by grsecurity and PaX will be enabled.
75702 ++
75703 ++ Hardened Gentoo's pre-defined security levels are designed to provide
75704 ++ a high level of security while minimizing incompatibilities with the
75705 ++ majority of available software. For further information, please
75706 ++ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75707 ++ well as the Hardened Gentoo Primer at
75708 ++ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75709 ++
75710 ++ This Hardened Gentoo [server] level is identical to the
75711 ++ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO,
75712 ++ PAX_KERNEXEC and PAX_NOELFRELOCS security features enabled.
75713 ++ Accordingly, this is the preferred security level if the system will
75714 ++ not be utilizing software incompatible with the aforementioned
75715 ++ grsecurity/PaX features.
75716 ++
75717 ++ You may wish to emerge paxctl, a utility which allows you to toggle
75718 ++ PaX features on problematic binaries on an individual basis. Note that
75719 ++ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75720 ++ Translated, this means that if you wish to toggle PaX features on
75721 ++ binaries provided by applications that are distributed only in binary
75722 ++ format (rather than being built locally from sources), you will need to
75723 ++ run paxctl -C on the binaries beforehand so as to inject the missing
75724 ++ headers.
75725 ++
75726 ++ When this level is selected, some options cannot be changed. However,
75727 ++ you may opt to fully customize the options that are selected by
75728 ++ choosing "Custom" in the Security Level menu. You may find it helpful
75729 ++ to inherit the options selected by the "Hardened Gentoo [server]"
75730 ++ security level as a starting point for further configuration. To
75731 ++ accomplish this, select this security level then exit the menuconfig
75732 ++ interface, saving changes when prompted. Then, run make menuconfig
75733 ++ again and select the "Custom" level.
75734 ++
75735 ++ Note that this security level probably should not be used if the
75736 ++ target system is a 32bit x86 virtualized guest. If you intend to run
75737 ++ the kernel in a 32bit x86 virtualized guest you will likely need to
75738 ++ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75739 ++ impact on performance.
75740 ++
75741 ++config GRKERNSEC_HARDENED_WORKSTATION
75742 ++ bool "Hardened Gentoo [workstation]"
75743 ++ select GRKERNSEC_AUDIT_MOUNT
75744 ++ select GRKERNSEC_BRUTE
75745 ++ select GRKERNSEC_CHROOT
75746 ++ select GRKERNSEC_CHROOT_CAPS
75747 ++ select GRKERNSEC_CHROOT_CHDIR
75748 ++ select GRKERNSEC_CHROOT_CHMOD
75749 ++ select GRKERNSEC_CHROOT_DOUBLE
75750 ++ select GRKERNSEC_CHROOT_FCHDIR
75751 ++ select GRKERNSEC_CHROOT_FINDTASK
75752 ++ select GRKERNSEC_CHROOT_MKNOD
75753 ++ select GRKERNSEC_CHROOT_MOUNT
75754 ++ select GRKERNSEC_CHROOT_NICE
75755 ++ select GRKERNSEC_CHROOT_PIVOT
75756 ++ select GRKERNSEC_CHROOT_SHMAT
75757 ++ select GRKERNSEC_CHROOT_SYSCTL
75758 ++ select GRKERNSEC_CHROOT_UNIX
75759 ++ select GRKERNSEC_DMESG
75760 ++ select GRKERNSEC_EXECVE
75761 ++ select GRKERNSEC_FIFO
75762 ++ select GRKERNSEC_FORKFAIL
75763 ++ select GRKERNSEC_HIDESYM
75764 ++ select GRKERNSEC_KMEM
75765 ++ select GRKERNSEC_LINK
75766 ++ select GRKERNSEC_MODSTOP if (MODULES)
75767 ++ select GRKERNSEC_PROC
75768 ++ select GRKERNSEC_PROC_ADD
75769 ++ select GRKERNSEC_PROC_IPADDR
75770 ++ select GRKERNSEC_PROC_MEMMAP
75771 ++ select GRKERNSEC_PROC_USERGROUP
75772 ++ select GRKERNSEC_RANDNET
75773 ++ select GRKERNSEC_RESLOG
75774 ++ select GRKERNSEC_SIGNAL
75775 ++# select GRKERNSEC_SOCKET
75776 ++# select GRKERNSEC_SOCKET_SERVER
75777 ++ select GRKERNSEC_SYSCTL
75778 ++ select GRKERNSEC_SYSCTL_ON
75779 ++ select GRKERNSEC_TIME
75780 ++ select PAX
75781 ++ select PAX_ASLR
75782 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75783 ++ select PAX_EI_PAX
75784 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75785 ++ select PAX_EMUSIGRT if (PARISC || PPC32)
75786 ++ select PAX_EMUTRAMP if (PARISC || PPC32)
75787 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75788 ++ select PAX_MEMORY_SANITIZE
75789 ++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75790 ++ select PAX_MPROTECT if (!PPC64)
75791 ++ select PAX_HAVE_ACL_FLAGS
75792 ++ select PAX_NOEXEC
75793 ++ select PAX_PAGEEXEC
75794 ++ select PAX_PT_PAX_FLAGS
75795 ++ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75796 ++ select PAX_RANDMMAP
75797 ++ select PAX_RANDUSTACK
75798 ++ select PAX_SEGMEXEC if (X86_32)
75799 ++ select PAX_SYSCALL if (PPC32)
75800 ++ help
75801 ++ If you say Y here, a configuration will be used that is endorsed by
75802 ++ the Hardened Gentoo project. Therefore, many of the protections
75803 ++ made available by grsecurity and PaX will be enabled.
75804 ++
75805 ++ Hardened Gentoo's pre-defined security levels are designed to provide
75806 ++ a high level of security while minimizing incompatibilities with the
75807 ++ majority of available software. For further information, please
75808 ++ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75809 ++ well as the Hardened Gentoo Primer at
75810 ++ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75811 ++
75812 ++ This Hardened Gentoo [workstation] level is designed for machines
75813 ++ which are intended to run software not compatible with the
75814 ++ GRKERNSEC_IO, PAX_KERNEXEC and PAX_NOELFRELOCS features of grsecurity.
75815 ++ Accordingly, this security level is suitable for use with the X server
75816 ++ "Xorg" and/or any system that will act as host OS to the virtualization
75817 ++ softwares vmware-server or virtualbox.
75818 ++
75819 ++ You may wish to emerge paxctl, a utility which allows you to toggle
75820 ++ PaX features on problematic binaries on an individual basis. Note that
75821 ++ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75822 ++ Translated, this means that if you wish to toggle PaX features on
75823 ++ binaries provided by applications that are distributed only in binary
75824 ++ format (rather than being built locally from sources), you will need to
75825 ++ run paxctl -C on the binaries beforehand so as to inject the missing
75826 ++ headers.
75827 ++
75828 ++ When this level is selected, some options cannot be changed. However,
75829 ++ you may opt to fully customize the options that are selected by
75830 ++ choosing "Custom" in the Security Level menu. You may find it helpful
75831 ++ to inherit the options selected by the "Hardened Gentoo [workstation]"
75832 ++ security level as a starting point for further configuration. To
75833 ++ accomplish this, select this security level then exit the menuconfig
75834 ++ interface, saving changes when prompted. Then, run make menuconfig
75835 ++ again and select the "Custom" level.
75836 ++
75837 ++ Note that this security level probably should not be used if the
75838 ++ target system is a 32bit x86 virtualized guest. If you intend to run
75839 ++ the kernel in a 32bit x86 virtualized guest you will likely need to
75840 ++ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75841 ++ impact on performance.
75842 ++
75843 + config GRKERNSEC_CUSTOM
75844 + bool "Custom"
75845 + help
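Review bot: compared with the 4435 revision this replaces (partly visible below), the server level now selects GRKERNSEC_AUDIT_MOUNT, which was commented out before, and the commented-out socket line changed from `# select GRKERNSEC_SOCKET_ALL` to `# select GRKERNSEC_SOCKET_SERVER`; the description still only explains the original introduction of the levels, so add a line for what changed. Kconfig `select` does not honour the selected symbol's own `depends on`, so each `select X if (...)` has to mirror X's dependencies by hand, as is done for PAX_MEMORY_UDEREF (`if (X86_32 && !COMPAT_VDSO)`, matching its `depends on` in the grsec hunk earlier in this changeset) and for PAX_KERNEXEC; please confirm the same for the partially qualified ones (`GRKERNSEC_IO if (X86)`, `PAX_MPROTECT if (!PPC64)`) and the unconditional PaX selects, since a missed dependency produces a config that builds with an unmet-dependency warning rather than failing. Because `workstation` is now the choice default and selects PAX_MEMORY_UDEREF on every 32-bit x86 build, the help text's advice to disable it in a 32-bit x86 guest can only be followed after switching to "Custom" (the "some options cannot be changed" paragraph hints at this); say so in the guest paragraph directly. Spelling: "comparitively" in the description, "softwares" in the workstation help text.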
75846
75847 Deleted: hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-gentoo.patch
75848 ===================================================================
75849 --- hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-gentoo.patch 2008-04-07 12:57:31 UTC (rev 89)
75850 +++ hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-gentoo.patch 2008-04-30 11:37:34 UTC (rev 93)
75851 @@ -1,239 +0,0 @@
75852 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
75853 -From: Kerin Millar <kerframil@×××××.com>
75854 -
75855 -Add Hardened Gentoo [server/workstation] predefined grsecurity
75856 -levels. They're designed to provide a comparitively high level of
75857 -security while remaining generally suitable for as great a majority
75858 -of the userbase as possible (particularly new users).
75859 -
75860 -Make Hardened Gentoo [workstation] predefined grsecurity level the
75861 -default. The Hardened Gentoo [server] level is more restrictive
75862 -and conflicts with some software and thus would be less suitable.
75863 -
75864 -The original version of this patch was conceived and created by:
75865 -Ned Ludd <solar@g.o>
75866 -
75867 ---- a/grsecurity/Kconfig
75868 -+++ b/grsecurity/Kconfig
75869 -@@ -20,7 +20,7 @@
75870 - choice
75871 - prompt "Security Level"
75872 - depends on GRKERNSEC
75873 -- default GRKERNSEC_CUSTOM
75874 -+ default GRKERNSEC_HARDENED_WORKSTATION
75875 -
75876 - config GRKERNSEC_LOW
75877 - bool "Low"
75878 -@@ -181,6 +181,212 @@
75879 - - Mount/unmount/remount logging
75880 - - Kernel symbol hiding
75881 - - Prevention of memory exhaustion-based exploits
75882 -+
75883 -+config GRKERNSEC_HARDENED_SERVER
75884 -+ bool "Hardened Gentoo [server]"
75885 -+# select GRKERNSEC_AUDIT_MOUNT
75886 -+ select GRKERNSEC_BRUTE
75887 -+ select GRKERNSEC_CHROOT
75888 -+ select GRKERNSEC_CHROOT_CAPS
75889 -+ select GRKERNSEC_CHROOT_CHDIR
75890 -+ select GRKERNSEC_CHROOT_CHMOD
75891 -+ select GRKERNSEC_CHROOT_DOUBLE
75892 -+ select GRKERNSEC_CHROOT_FCHDIR
75893 -+ select GRKERNSEC_CHROOT_FINDTASK
75894 -+ select GRKERNSEC_CHROOT_MKNOD
75895 -+ select GRKERNSEC_CHROOT_MOUNT
75896 -+ select GRKERNSEC_CHROOT_NICE
75897 -+ select GRKERNSEC_CHROOT_PIVOT
75898 -+ select GRKERNSEC_CHROOT_SHMAT
75899 -+ select GRKERNSEC_CHROOT_SYSCTL
75900 -+ select GRKERNSEC_CHROOT_UNIX
75901 -+ select GRKERNSEC_DMESG
75902 -+ select GRKERNSEC_EXECVE
75903 -+ select GRKERNSEC_FIFO
75904 -+ select GRKERNSEC_FORKFAIL
75905 -+ select GRKERNSEC_HIDESYM
75906 -+ select GRKERNSEC_IO if (X86)
75907 -+ select GRKERNSEC_KMEM
75908 -+ select GRKERNSEC_LINK
75909 -+ select GRKERNSEC_MODSTOP if (MODULES)
75910 -+ select GRKERNSEC_PROC
75911 -+ select GRKERNSEC_PROC_ADD
75912 -+ select GRKERNSEC_PROC_IPADDR
75913 -+ select GRKERNSEC_PROC_MEMMAP
75914 -+ select GRKERNSEC_PROC_USERGROUP
75915 -+ select GRKERNSEC_RANDNET
75916 -+ select GRKERNSEC_RESLOG
75917 -+ select GRKERNSEC_SIGNAL
75918 -+# select GRKERNSEC_SOCKET
75919 -+# select GRKERNSEC_SOCKET_ALL
75920 -+ select GRKERNSEC_SYSCTL
75921 -+ select GRKERNSEC_SYSCTL_ON
75922 -+ select GRKERNSEC_TIME
75923 -+ select PAX
75924 -+ select PAX_ASLR
75925 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
75926 -+ select PAX_EI_PAX
75927 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
75928 -+ select PAX_EMUSIGRT if (PARISC || PPC32)
75929 -+ select PAX_EMUTRAMP if (PARISC || PPC32)
75930 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
75931 -+ select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))
75932 -+ select PAX_MEMORY_SANITIZE
75933 -+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
75934 -+ select PAX_MPROTECT if (!PPC64)
75935 -+ select PAX_HAVE_ACL_FLAGS
75936 -+ select PAX_NOEXEC
75937 -+ select PAX_PAGEEXEC
75938 -+ select PAX_PT_PAX_FLAGS
75939 -+ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
75940 -+ select PAX_RANDMMAP
75941 -+ select PAX_RANDUSTACK
75942 -+ select PAX_SEGMEXEC if (X86_32)
75943 -+ select PAX_SYSCALL if (PPC32)
75944 -+ help
75945 -+ If you say Y here, a configuration will be used that is endorsed by
75946 -+ the Hardened Gentoo project. Therefore, many of the protections
75947 -+ made available by grsecurity and PaX will be enabled.
75948 -+
75949 -+ Hardened Gentoo's pre-defined security levels are designed to provide
75950 -+ a high level of security while minimizing incompatibilities with the
75951 -+ majority of available software. For further information, please
75952 -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
75953 -+ well as the Hardened Gentoo Primer at
75954 -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
75955 -+
75956 -+ This Hardened Gentoo [server] level is identical to the
75957 -+ Hardened Gentoo [workstation] level, but with the GRKERNSEC_IO and
75958 -+ PAX_KERNEXEC security features enabled. Accordingly, this is the
75959 -+ preferred security level if the system will not be utilizing software
75960 -+ incompatible with the aforementioned grsecurity/PaX features.
75961 -+
75962 -+ You may wish to emerge paxctl, a utility which allows you to toggle
75963 -+ PaX features on problematic binaries on an individual basis. Note that
75964 -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
75965 -+ Translated, this means that if you wish to toggle PaX features on
75966 -+ binaries provided by applications that are distributed only in binary
75967 -+ format (rather than being built locally from sources), you will need to
75968 -+ run paxctl -C on the binaries beforehand so as to inject the missing
75969 -+ headers.
75970 -+
75971 -+ When this level is selected, some options cannot be changed. However,
75972 -+ you may opt to fully customize the options that are selected by
75973 -+ choosing "Custom" in the Security Level menu. You may find it helpful
75974 -+ to inherit the options selected by the "Hardened Gentoo [server]"
75975 -+ security level as a starting point for further configuration. To
75976 -+ accomplish this, select this security level then exit the menuconfig
75977 -+ interface, saving changes when prompted. Then, run make menuconfig
75978 -+ again and select the "Custom" level.
75979 -+
75980 -+ Note that this security level probably should not be used if the
75981 -+ target system is a 32bit x86 virtualized guest. If you intend to run
75982 -+ the kernel in a 32bit x86 virtualized guest you will likely need to
75983 -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
75984 -+ impact on performance.
75985 -+
75986 -+config GRKERNSEC_HARDENED_WORKSTATION
75987 -+ bool "Hardened Gentoo [workstation]"
75988 -+# select GRKERNSEC_AUDIT_MOUNT
75989 -+ select GRKERNSEC_BRUTE
75990 -+ select GRKERNSEC_CHROOT
75991 -+ select GRKERNSEC_CHROOT_CAPS
75992 -+ select GRKERNSEC_CHROOT_CHDIR
75993 -+ select GRKERNSEC_CHROOT_CHMOD
75994 -+ select GRKERNSEC_CHROOT_DOUBLE
75995 -+ select GRKERNSEC_CHROOT_FCHDIR
75996 -+ select GRKERNSEC_CHROOT_FINDTASK
75997 -+ select GRKERNSEC_CHROOT_MKNOD
75998 -+ select GRKERNSEC_CHROOT_MOUNT
75999 -+ select GRKERNSEC_CHROOT_NICE
76000 -+ select GRKERNSEC_CHROOT_PIVOT
76001 -+ select GRKERNSEC_CHROOT_SHMAT
76002 -+ select GRKERNSEC_CHROOT_SYSCTL
76003 -+ select GRKERNSEC_CHROOT_UNIX
76004 -+ select GRKERNSEC_DMESG
76005 -+ select GRKERNSEC_EXECVE
76006 -+ select GRKERNSEC_FIFO
76007 -+ select GRKERNSEC_FORKFAIL
76008 -+ select GRKERNSEC_HIDESYM
76009 -+ select GRKERNSEC_KMEM
76010 -+ select GRKERNSEC_LINK
76011 -+ select GRKERNSEC_MODSTOP if (MODULES)
76012 -+ select GRKERNSEC_PROC
76013 -+ select GRKERNSEC_PROC_ADD
76014 -+ select GRKERNSEC_PROC_IPADDR
76015 -+ select GRKERNSEC_PROC_MEMMAP
76016 -+ select GRKERNSEC_PROC_USERGROUP
76017 -+ select GRKERNSEC_RANDNET
76018 -+ select GRKERNSEC_RESLOG
76019 -+ select GRKERNSEC_SIGNAL
76020 -+# select GRKERNSEC_SOCKET
76021 -+# select GRKERNSEC_SOCKET_ALL
76022 -+ select GRKERNSEC_SYSCTL
76023 -+ select GRKERNSEC_SYSCTL_ON
76024 -+ select GRKERNSEC_TIME
76025 -+ select PAX
76026 -+ select PAX_ASLR
76027 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
76028 -+ select PAX_EI_PAX
76029 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
76030 -+ select PAX_EMUSIGRT if (PARISC || PPC32)
76031 -+ select PAX_EMUTRAMP if (PARISC || PPC32)
76032 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
76033 -+ select PAX_MEMORY_SANITIZE
76034 -+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
76035 -+ select PAX_MPROTECT if (!PPC64)
76036 -+ select PAX_HAVE_ACL_FLAGS
76037 -+ select PAX_NOEXEC
76038 -+ select PAX_PAGEEXEC
76039 -+ select PAX_PT_PAX_FLAGS
76040 -+ select PAX_RANDKSTACK if (X86_32 && X86_TSC)
76041 -+ select PAX_RANDMMAP
76042 -+ select PAX_RANDUSTACK
76043 -+ select PAX_SEGMEXEC if (X86_32)
76044 -+ select PAX_SYSCALL if (PPC32)
76045 -+ help
76046 -+ If you say Y here, a configuration will be used that is endorsed by
76047 -+ the Hardened Gentoo project. Therefore, many of the protections
76048 -+ made available by grsecurity and PaX will be enabled.
76049 -+
76050 -+ Hardened Gentoo's pre-defined security levels are designed to provide
76051 -+ a high level of security while minimizing incompatibilities with the
76052 -+ majority of available software. For further information, please
76053 -+ view <http://www.grsecurity.net> and <http://pax.grsecurity.net> as
76054 -+ well as the Hardened Gentoo Primer at
76055 -+ <http://www.gentoo.org/proj/en/hardened/primer.xml>.
76056 -+
76057 -+ This Hardened Gentoo [workstation] level is designed for machines
76058 -+ which are intended to run software not compatible with the GRKERNSEC_IO
76059 -+ and PAX_KERNEXEC features of grsecurity. Accordingly, this security
76060 -+ level is suitable for use with the X server "Xorg" and/or any system
76061 -+ that will act as host OS to the virtualization softwares vmware-server
76062 -+ or virtualbox.
76063 -+
76064 -+ You may wish to emerge paxctl, a utility which allows you to toggle
76065 -+ PaX features on problematic binaries on an individual basis. Note that
76066 -+ this only works for ELF binaries that contain a PT_PAX_FLAGS header.
76067 -+ Translated, this means that if you wish to toggle PaX features on
76068 -+ binaries provided by applications that are distributed only in binary
76069 -+ format (rather than being built locally from sources), you will need to
76070 -+ run paxctl -C on the binaries beforehand so as to inject the missing
76071 -+ headers.
76072 -+
76073 -+ When this level is selected, some options cannot be changed. However,
76074 -+ you may opt to fully customize the options that are selected by
76075 -+ choosing "Custom" in the Security Level menu. You may find it helpful
76076 -+ to inherit the options selected by the "Hardened Gentoo [workstation]"
76077 -+ security level as a starting point for further configuration. To
76078 -+ accomplish this, select this security level then exit the menuconfig
76079 -+ interface, saving changes when prompted. Then, run make menuconfig
76080 -+ again and select the "Custom" level.
76081 -+
76082 -+ Note that this security level probably should not be used if the
76083 -+ target system is a 32bit x86 virtualized guest. If you intend to run
76084 -+ the kernel in a 32bit x86 virtualized guest you will likely need to
76085 -+ disable the PAX_MEMORY_UDEREF option in order to avoid an unacceptable
76086 -+ impact on performance.
76087 -+
76088 - config GRKERNSEC_CUSTOM
76089 - bool "Custom"
76090 - help
76091
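Review bot: every "select ... if (...)" line in both levels, for instance "select PAX_KERNEXEC if (X86 && !EFI && !COMPAT_VDSO && !PARAVIRT && (!X86_32 || X86_WP_WORKS_OK))" and "select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)", restates the selected symbol's own "depends on" by hand, because Kconfig's select forces a symbol on without checking its dependencies; whenever the grsecurity or PaX Kconfig changes, these conditions have to be re-synced or a level will silently select an option the architecture cannot support, so a comment pointing at that maintenance duty belongs at the top of the block. The three commented-out selects (GRKERNSEC_AUDIT_MOUNT, GRKERNSEC_SOCKET, GRKERNSEC_SOCKET_ALL) carry no explanation of why they are kept rather than dropped; add one, and fix "comparitively" in the description. Otherwise the two levels differ only by "select GRKERNSEC_IO if (X86)" and the PAX_KERNEXEC select, which agrees with what the help text claims, and the removed text is identical to the workstation help that ends at the top of this message, so this entry is a renumbering rather than a removal of the Hardened Gentoo levels.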
76092 Copied: hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-pax-without-grsec.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4435_grsec-kconfig-pax-without-grsec.patch)
76093 ===================================================================
76094 --- hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-pax-without-grsec.patch (rev 0)
76095 +++ hardened-sources/2.6/tags/2.6.24-2/4435_grsec-kconfig-pax-without-grsec.patch 2008-04-30 11:37:34 UTC (rev 93)
76096 @@ -0,0 +1,11 @@
76097 +--- a/security/Kconfig
76098 ++++ b/security/Kconfig
76099 +@@ -10,7 +10,7 @@ menu "PaX"
76100 +
76101 + config PAX
76102 + bool "Enable various PaX features"
76103 +- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76104 ++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76105 + help
76106 + This allows you to enable various PaX features. PaX adds
76107 + intrusion prevention mechanisms to the kernel that reduce
76108
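Review bot: this patch has no description header, unlike the others in this set; add the From:/rationale lines stating that it drops "GRKERNSEC &&" from the PAX "depends on" so PaX can be built without grsecurity. Removing that dependency also means any PaX code that touches grsecurity-only fields must be guarded, which is exactly what the CONFIG_GRKERNSEC_PROC_IPADDR ifdefs in 4450_grsec-2.1.11-pax-curr_ip-fixes.patch below do; the two patches depend on each other and the header should say so.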
76109 Copied: hardened-sources/2.6/tags/2.6.24-2/4440_disable-compat_vdso.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4440_disable-compat_vdso.patch)
76110 ===================================================================
76111 --- hardened-sources/2.6/tags/2.6.24-2/4440_disable-compat_vdso.patch (rev 0)
76112 +++ hardened-sources/2.6/tags/2.6.24-2/4440_disable-compat_vdso.patch 2008-04-30 11:37:34 UTC (rev 93)
76113 @@ -0,0 +1,66 @@
76114 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
76115 +From: Kerin Millar <kerframil@×××××.com>
76116 +
76117 +COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
76118 +conflicts with various parts of PaX, crashing the system if enabled
76119 +while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
76120 +a number of important PaX options from appearing in the configuration
76121 +menu, including all PaX NOEXEC implementations. Unfortunately, the
76122 +reason for the disappearance of these PaX configuration options is
76123 +often far from obvious to inexperienced users.
76124 +
76125 +Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
76126 +COMPAT_VDSO operation can still be enabled via bootparam and sysctl
76127 +interfaces. Consequently, we must also disable the ability to select
76128 +COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
76129 +that selecting COMPAT_VDSO operation at boot/runtime has no effect if
76130 +conflicting PaX options are enabled, leaving VDSO_ENABLED operation
76131 +intact.
76132 +
76133 +Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
76134 +
76135 +--- a/arch/x86/Kconfig
76136 ++++ b/arch/x86/Kconfig
76137 +@@ -1188,17 +1188,9 @@ config HOTPLUG_CPU
76138 + suspend.
76139 +
76140 + config COMPAT_VDSO
76141 +- bool "Compat VDSO support"
76142 ++ bool
76143 + default n
76144 + depends on X86_32 && !PAX_NOEXEC
76145 +- help
76146 +- Map the VDSO to the predictable old-style address too.
76147 +- ---help---
76148 +- Say N here if you are running a sufficiently recent glibc
76149 +- version (2.3.3 or later), to remove the high-mapped
76150 +- VDSO mapping and to exclusively use the randomized VDSO.
76151 +-
76152 +- If unsure, say Y.
76153 +
76154 + endmenu
76155 +
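Review bot: turning COMPAT_VDSO into a promptless "bool" with "default n" means the symbol can now only become y through a select, which matches the stated intent, and the retained "depends on X86_32 && !PAX_NOEXEC" already excludes the conflicting build; but the commit text itself says compat operation can still be switched on via bootparam and sysctl, and this Kconfig hunk does nothing about that, so the "has no effect" claim rests entirely on the sysenter_32.c part that follows and the description should make that split clear. Once this is in, the "!COMPAT_VDSO" terms in the Hardened Gentoo level selects are always true on a hardened config and could be dropped in a follow-up.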
76156 +--- a/arch/x86/kernel/sysenter_32.c
76157 ++++ b/arch/x86/kernel/sysenter_32.c
76158 +@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
76159 +
76160 + map_compat_vdso(compat);
76161 +
76162 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76163 + if (compat)
76164 + addr = VDSO_HIGH_BASE;
76165 + else {
76166 ++#endif
76167 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
76168 + if (IS_ERR_VALUE(addr)) {
76169 + ret = addr;
76170 +@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
76171 +
76172 + if (ret)
76173 + goto up_fail;
76174 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76175 + }
76176 ++#endif
76177 +
76178 + current->mm->context.vdso = addr;
76179 + current_thread_info()->sysenter_return =
76180
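Review bot: "map_compat_vdso(compat);" on the context line just above the new "#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)" is still called unconditionally, so with NOEXEC or UDEREF configured the guard only changes which address ends up in current->mm->context.vdso; please confirm that map_compat_vdso does not leave the fixed high mapping in place when compat is requested, otherwise the description's claim that boot/runtime selection "has no effect" holds for the pointer but not for the mapping. Style: "else {" is opened inside one #if block and its "}" closed inside another, which defeats editor brace matching and is easy to break in a rebase; a simpler shape is to force "compat" to 0 under the same preprocessor condition before the map_compat_vdso call and leave the original if/else untouched, which also answers the mapping question above.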
76181 Deleted: hardened-sources/2.6/tags/2.6.24-2/4440_grsec-kconfig-pax-without-grsec.patch
76182 ===================================================================
76183 --- hardened-sources/2.6/trunk/2.6.24/4440_grsec-kconfig-pax-without-grsec.patch 2008-04-07 12:57:31 UTC (rev 89)
76184 +++ hardened-sources/2.6/tags/2.6.24-2/4440_grsec-kconfig-pax-without-grsec.patch 2008-04-30 11:37:34 UTC (rev 93)
76185 @@ -1,11 +0,0 @@
76186 ---- a/security/Kconfig
76187 -+++ b/security/Kconfig
76188 -@@ -10,7 +10,7 @@ menu "PaX"
76189 -
76190 - config PAX
76191 - bool "Enable various PaX features"
76192 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76193 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
76194 - help
76195 - This allows you to enable various PaX features. PaX adds
76196 - intrusion prevention mechanisms to the kernel that reduce
76197
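Review bot: this is the old 4440 numbering of the file copied in as 4435_grsec-kconfig-pax-without-grsec.patch above; the eleven removed lines are identical to the eleven added there, so the renumbering drops nothing. The same holds for the remaining Deleted entries below (4445_disable-compat_vdso, 4450_grsec-2.1.11-mute-warnings, 4455_grsec-2.1.11-pax-curr_ip-fixes, 4460_selinux-avc_audit-log-curr_ip), each of which matches the Copied file one number lower; the substantive review comments are attached to the Copied versions.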
76198 Deleted: hardened-sources/2.6/tags/2.6.24-2/4445_disable-compat_vdso.patch
76199 ===================================================================
76200 --- hardened-sources/2.6/trunk/2.6.24/4445_disable-compat_vdso.patch 2008-04-07 12:57:31 UTC (rev 89)
76201 +++ hardened-sources/2.6/tags/2.6.24-2/4445_disable-compat_vdso.patch 2008-04-30 11:37:34 UTC (rev 93)
76202 @@ -1,66 +0,0 @@
76203 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
76204 -From: Kerin Millar <kerframil@×××××.com>
76205 -
76206 -COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
76207 -conflicts with various parts of PaX, crashing the system if enabled
76208 -while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
76209 -a number of important PaX options from appearing in the configuration
76210 -menu, including all PaX NOEXEC implementations. Unfortunately, the
76211 -reason for the disappearance of these PaX configuration options is
76212 -often far from obvious to inexperienced users.
76213 -
76214 -Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
76215 -COMPAT_VDSO operation can still be enabled via bootparam and sysctl
76216 -interfaces. Consequently, we must also disable the ability to select
76217 -COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
76218 -that selecting COMPAT_VDSO operation at boot/runtime has no effect if
76219 -conflicting PaX options are enabled, leaving VDSO_ENABLED operation
76220 -intact.
76221 -
76222 -Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
76223 -
76224 ---- a/arch/x86/Kconfig
76225 -+++ b/arch/x86/Kconfig
76226 -@@ -1188,17 +1188,9 @@ config HOTPLUG_CPU
76227 - suspend.
76228 -
76229 - config COMPAT_VDSO
76230 -- bool "Compat VDSO support"
76231 -+ bool
76232 - default n
76233 - depends on X86_32 && !PAX_NOEXEC
76234 -- help
76235 -- Map the VDSO to the predictable old-style address too.
76236 -- ---help---
76237 -- Say N here if you are running a sufficiently recent glibc
76238 -- version (2.3.3 or later), to remove the high-mapped
76239 -- VDSO mapping and to exclusively use the randomized VDSO.
76240 --
76241 -- If unsure, say Y.
76242 -
76243 - endmenu
76244 -
76245 ---- a/arch/x86/kernel/sysenter_32.c
76246 -+++ b/arch/x86/kernel/sysenter_32.c
76247 -@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
76248 -
76249 - map_compat_vdso(compat);
76250 -
76251 -+#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76252 - if (compat)
76253 - addr = VDSO_HIGH_BASE;
76254 - else {
76255 -+#endif
76256 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
76257 - if (IS_ERR_VALUE(addr)) {
76258 - ret = addr;
76259 -@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
76260 -
76261 - if (ret)
76262 - goto up_fail;
76263 -+#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
76264 - }
76265 -+#endif
76266 -
76267 - current->mm->context.vdso = addr;
76268 - current_thread_info()->sysenter_return =
76269
76270 Copied: hardened-sources/2.6/tags/2.6.24-2/4445_grsec-2.1.11-mute-warnings.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4445_grsec-2.1.11-mute-warnings.patch)
76271 ===================================================================
76272 --- hardened-sources/2.6/tags/2.6.24-2/4445_grsec-2.1.11-mute-warnings.patch (rev 0)
76273 +++ hardened-sources/2.6/tags/2.6.24-2/4445_grsec-2.1.11-mute-warnings.patch 2008-04-30 11:37:34 UTC (rev 93)
76274 @@ -0,0 +1,19 @@
76275 +From: Alexander Gabert <gaberta@××××××××.de>
76276 +
76277 +This patch removes the warnings introduced by grsec patch 2.1.11 and later.
76278 +It removes the -W options added by the patch and restores the original
76279 +warning flags of vanilla kernel versions.
76280 +
76281 +Acked-by: Christian Heim <phreak@g.o>
76282 +
76283 +--- a/Makefile
76284 ++++ b/Makefile
76285 +@@ -214,7 +214,7 @@
76286 +
76287 + HOSTCC = gcc
76288 + HOSTCXX = g++
76289 +-HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
76290 ++HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
76291 + HOSTCXXFLAGS = -O2
76292 +
76293 + # Decide whether to build built-in, modular, or both.
76294
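Review bot: this edits HOSTCFLAGS only, so it silences warnings in the host-side build tools (scripts/, kconfig) and leaves the flags used to compile the kernel itself alone; the description should say so, since "removes the warnings introduced by grsec" reads as if kernel-code warnings change. The new value "-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer" is the vanilla 2.6.24 HOSTCFLAGS line, so the claim of restoring the original flags checks out. The hunk carries no function context and anchors on the HOSTCC/HOSTCXX lines, which is stable enough for a Makefile.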
76295 Deleted: hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-mute-warnings.patch
76296 ===================================================================
76297 --- hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-mute-warnings.patch 2008-04-07 12:57:31 UTC (rev 89)
76298 +++ hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-mute-warnings.patch 2008-04-30 11:37:34 UTC (rev 93)
76299 @@ -1,19 +0,0 @@
76300 -From: Alexander Gabert <gaberta@××××××××.de>
76301 -
76302 -This patch removes the warnings introduced by grsec patch 2.1.11 and later.
76303 -It removes the -W options added by the patch and restores the original
76304 -warning flags of vanilla kernel versions.
76305 -
76306 -Acked-by: Christian Heim <phreak@g.o>
76307 -
76308 ---- a/Makefile
76309 -+++ b/Makefile
76310 -@@ -214,7 +214,7 @@
76311 -
76312 - HOSTCC = gcc
76313 - HOSTCXX = g++
76314 --HOSTCFLAGS = -Wall -W -Wno-unused -Wno-sign-compare -Wstrict-prototypes -O2 -fomit-frame-pointer
76315 -+HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer
76316 - HOSTCXXFLAGS = -O2
76317 -
76318 - # Decide whether to build built-in, modular, or both.
76319
76320 Copied: hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-pax-curr_ip-fixes.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4450_grsec-2.1.11-pax-curr_ip-fixes.patch)
76321 ===================================================================
76322 --- hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-pax-curr_ip-fixes.patch (rev 0)
76323 +++ hardened-sources/2.6/tags/2.6.24-2/4450_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-30 11:37:34 UTC (rev 93)
76324 @@ -0,0 +1,29 @@
76325 +--- a/arch/x86/mm/fault_32.c
76326 ++++ b/arch/x86/mm/fault_32.c
76327 +@@ -730,10 +730,12 @@
76328 + #else
76329 + else if (init_mm.start_code <= address && address < init_mm.end_code)
76330 + #endif
76331 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76332 + if (tsk->signal->curr_ip)
76333 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76334 + NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76335 + else
76336 ++#endif
76337 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76338 + tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76339 + #endif
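Review bot: with CONFIG_GRKERNSEC_PROC_IPADDR set the compiled result is "else if (...) if (tsk->signal->curr_ip) printk(...); else printk(...);" with no braces, which gcc's -Wparentheses reports as an ambiguous else and which a later edit can easily mis-bind; wrap the body of the outer "else if" in braces so the ifdef'd if/else sits inside its own block. Also, both printk format strings here end in "attempted to modify kernel code" with no trailing "\n" (pre-existing, but visible in this hunk), so the following kernel message is glued onto the same log line and any log-based detection keyed on that string gets a merged record; worth adding the "\n" while these lines are being touched.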
76340 +--- a/fs/exec.c
76341 ++++ b/fs/exec.c
76342 +@@ -1695,9 +1695,11 @@ void pax_report_fault(struct pt_regs *re
76343 + }
76344 + up_read(&mm->mmap_sem);
76345 + }
76346 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76347 + if (tsk->signal->curr_ip)
76348 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
76349 + else
76350 ++#endif
76351 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
76352 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
76353 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
76354
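Review bot: this guard is what lets PaX build once the 4435 Kconfig patch above drops PAX's dependency on GRKERNSEC, because signal->curr_ip only exists with the grsecurity patch applied; a one-line comment next to the first "#ifdef CONFIG_GRKERNSEC_PROC_IPADDR" saying so would stop a future cleanup from "simplifying" it away. Structurally, an "else" on one side of "#endif" and its statement on the other is fragile; a small static helper that formats the "From a.b.c.d: " prefix (empty when curr_ip is 0 or the option is off) plus a single printk at this site and in fault_32.c would remove the ifdef'd else entirely and keep the two messages in step.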
76355 Deleted: hardened-sources/2.6/tags/2.6.24-2/4455_grsec-2.1.11-pax-curr_ip-fixes.patch
76356 ===================================================================
76357 --- hardened-sources/2.6/trunk/2.6.24/4455_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-07 12:57:31 UTC (rev 89)
76358 +++ hardened-sources/2.6/tags/2.6.24-2/4455_grsec-2.1.11-pax-curr_ip-fixes.patch 2008-04-30 11:37:34 UTC (rev 93)
76359 @@ -1,29 +0,0 @@
76360 ---- a/arch/x86/mm/fault_32.c
76361 -+++ b/arch/x86/mm/fault_32.c
76362 -@@ -730,10 +730,12 @@
76363 - #else
76364 - else if (init_mm.start_code <= address && address < init_mm.end_code)
76365 - #endif
76366 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76367 - if (tsk->signal->curr_ip)
76368 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76369 - NIPQUAD(tsk->signal->curr_ip), tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76370 - else
76371 -+#endif
76372 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
76373 - tsk->comm, task_pid_nr(tsk), tsk->uid, tsk->euid);
76374 - #endif
76375 ---- a/fs/exec.c
76376 -+++ b/fs/exec.c
76377 -@@ -1695,9 +1695,11 @@ void pax_report_fault(struct pt_regs *re
76378 - }
76379 - up_read(&mm->mmap_sem);
76380 - }
76381 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76382 - if (tsk->signal->curr_ip)
76383 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
76384 - else
76385 -+#endif
76386 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
76387 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
76388 - "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
76389
76390 Copied: hardened-sources/2.6/tags/2.6.24-2/4455_selinux-avc_audit-log-curr_ip.patch (from rev 92, hardened-sources/2.6/trunk/2.6.24/4455_selinux-avc_audit-log-curr_ip.patch)
76391 ===================================================================
76392 --- hardened-sources/2.6/tags/2.6.24-2/4455_selinux-avc_audit-log-curr_ip.patch (rev 0)
76393 +++ hardened-sources/2.6/tags/2.6.24-2/4455_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:37:34 UTC (rev 93)
76394 @@ -0,0 +1,25 @@
76395 +Provides support for a new field ipaddr within the SELinux
76396 +AVC audit log, relying in task_struct->curr_ip (ipv4 only)
76397 +provided by grSecurity patch to be applied before.
76398 +
76399 +Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
76400 +---
76401 +
76402 + security/selinux/avc.c | 6 ++++++
76403 + 1 file changed, 6 insertions(+)
76404 +
76405 +--- a/security/selinux/avc.c
76406 ++++ b/security/selinux/avc.c
76407 +@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
76408 + char *scontext;
76409 + u32 scontext_len;
76410 +
76411 ++/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
76412 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76413 ++ if (current->signal->curr_ip)
76414 ++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
76415 ++#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
76416 ++
76417 + rc = security_sid_to_context(ssid, &scontext, &scontext_len);
76418 + if (rc)
76419 + audit_log_format(ab, "ssid=%d", ssid);
76420
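Review bot: the comment "/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */" names the wrong symbol; the guard directly under it is CONFIG_GRKERNSEC_PROC_IPADDR, so update the comment, and the description's "task_struct->curr_ip" should read signal->curr_ip, which is what "current->signal->curr_ip" dereferences. The new "ipaddr=" key is emitted ahead of "ssid=" with a trailing space, so existing avc records keep their shape and only gain a leading key when curr_ip is non-zero; confirm that the audit parsers in use tolerate an extra leading key, and consider emitting it after the existing keys if any of them are positional.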
76421 Deleted: hardened-sources/2.6/tags/2.6.24-2/4460_selinux-avc_audit-log-curr_ip.patch
76422 ===================================================================
76423 --- hardened-sources/2.6/trunk/2.6.24/4460_selinux-avc_audit-log-curr_ip.patch 2008-04-07 12:57:31 UTC (rev 89)
76424 +++ hardened-sources/2.6/tags/2.6.24-2/4460_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:37:34 UTC (rev 93)
76425 @@ -1,25 +0,0 @@
76426 -Provides support for a new field ipaddr within the SELinux
76427 -AVC audit log, relying in task_struct->curr_ip (ipv4 only)
76428 -provided by grSecurity patch to be applied before.
76429 -
76430 -Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
76431 ----
76432 -
76433 - security/selinux/avc.c | 6 ++++++
76434 - 1 file changed, 6 insertions(+)
76435 -
76436 ---- a/security/selinux/avc.c
76437 -+++ b/security/selinux/avc.c
76438 -@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
76439 - char *scontext;
76440 - u32 scontext_len;
76441 -
76442 -+/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
76443 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
76444 -+ if (current->signal->curr_ip)
76445 -+ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
76446 -+#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
76447 -+
76448 - rc = security_sid_to_context(ssid, &scontext, &scontext_len);
76449 - if (rc)
76450 - audit_log_format(ab, "ssid=%d", ssid);
76451
76452 --
76453 gentoo-commits@l.g.o mailing list